网络相关的配置,操作等
常用命令
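# Bounce the WAN link (logical interface name "wan", OpenWrt-style ifup/ifdown)
ifdown wan; ifup wan
# List the kernel's tracked connections (conntrack table) -- the trailing Chinese
# note in the original ("查看链接") was glued to the command; it is a comment now.
cat /proc/net/nf_conntrack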
iptables
五张表：filter、nat、mangle、raw、security（用 -t 指定，默认为 filter）
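# List a chain with rule numbers so a rule can be deleted by position.
# (The original used a typographic en dash "–line-numbers"; iptables needs "--".)
iptables -t nat -L input_rule -n -v --line-numbers
# NOTE(review): on OpenWrt, input_rule is normally a *filter*-table chain; if the command
# above answers "No chain/target/match by that name", drop "-t nat" -- the delete and
# flush below already operate on the default filter table.
# Delete rule number 2 of the chain
iptables -D input_rule 2
# Flush (remove every rule from) the chain
iptables -F input_rule
# Masquerade traffic from 172.22.22.0/24 going to 192.168.1.0/24 behind the egress address
iptables -t nat -A POSTROUTING -s 172.22.22.0/24 -d 192.168.1.0/24 -j MASQUERADE
# Insert at position 1 of FORWARD: drop UDP from 192.168.1.100 with source port 30000-40000
iptables -I FORWARD 1 -s 192.168.1.100 -p udp --sport 30000:40000 -j DROP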
tcpdump
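# Capture everything on eth2
tcpdump -i eth2
# Capture only traffic to/from one host and write it to a pcap file.
# The file holds full packet payloads (possibly plaintext credentials, cookies, ...):
# treat it as a secret and delete it when the analysis is done.
tcpdump -i eth2 host 172.22.22.235 -w test.pcap
# Capture only TCP, or only UDP. The original shorthand "tcp / udp" is two separate
# filter expressions, not one command.
tcpdump -i eth2 tcp
tcpdump -i eth2 udp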
rustdesk
服务
https://github.com/rustdesk/rustdesk-server
https://rustdesk.com/docs/en/self-host/
wireguard
1sudo apt install wireguard
2sudo sed -i 's/.*net\.ipv4\.ip_forward.*/net.ipv4.ip_forward = 1/' /etc/sysctl.conf
3sysctl -p
4cd /etc/wireguard
5wg genkey | tee server_privatekey | wg pubkey > server_publickey
6wg genkey | tee client_privatekey | wg pubkey > client_publickey
7
8echo "
9[Interface]
10PrivateKey = $(cat server_privatekey)
11Address = 10.0.8.1/24
12PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
13PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -D FORWARD -o wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
14ListenPort = port
15# DNS = 1.1.1.1
16[Peer]
17PublicKey = $(cat client_publickey)
18AllowedIPs = 10.0.8.100/32 " > wg0.conf
19> eth0 根据情况适配
20
21sudo systemctl enable wg-quick@wg0
22# 启动WireGuard
23wg-quick up wg0
24# 停止WireGuard
25wg-quick down wg0
26# 查看wireguard服务端运行状态
27wg
28
29echo "
30[Interface]
31 PrivateKey = $(cat client_privatekey)
32 Address = 10.0.8.100/32
33 DNS = 1.1.1.1
34[Peer]
35 PublicKey = $(cat server_publickey)
36 Endpoint = ip:port
37 AllowedIPs = 10.0.8.0/24, 172.22.22.0/24
38 PersistentKeepalive = 25 " > client.conf
39
40
41sudo ufw allow port/udp
42sudo ufw allow ssh
43sudo ufw enable
44sudo ufw status
45
46# 测试端口
47nc -u IP port
48
49grep "Failed password" /var/log/auth.log
openwrt
# Kernel module, userspace tools and the LuCI protocol handler + web app for WireGuard.
opkg install \
  wireguard-tools \
  kmod-wireguard \
  luci-proto-wireguard \
  luci-app-wireguard
2
cat /etc/config/network
# WireGuard interface on the router; this end acts as the client of a remote server.
# NOTE(review): private_key is stored in clear text here -- confirm /etc/config/network
# is root-only (mode 600) and never paste the real key into notes like this page.
config interface 'wg0'
	option proto 'wireguard'
	option private_key 'xxx'
	list addresses '10.0.0.2/32'
	list dns '1.1.1.1'

# The remote peer (description '导入对端配置' = "imported peer config").
# allowed_ips is both the inbound source filter for this peer and, because
# route_allowed_ips is 1, the set of destinations the router routes into wg0.
config wireguard_wg0
	option description '导入对端配置'
	option public_key 'xxx'
	list allowed_ips '10.0.0.0/24'
	list allowed_ips '10.1.0.0/24'
	option persistent_keepalive '25'
	option endpoint_host 'domain.com'
	option endpoint_port 'port'
	option route_allowed_ips '1'
19
cat /etc/config/firewall
# --- Variant A: put wg0 into the existing 'lan' zone ---------------------------------
# NOTE(review): this gives the remote peer the same trust as a LAN host -- unrestricted
# access to every LAN device and to the router itself (input ACCEPT). Acceptable for a
# site-to-site link you fully control; too broad for a road-warrior peer.
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'wg0'

# --- Variant B: send ALL LAN devices through the tunnel ------------------------------
# (original heading: 防火墙配置all局域网设备通过 wg)
# wg0 gets its own zone and lan -> wg forwarding is allowed below.
# Variants A, B and C are alternatives, not layers: keep wg0 in exactly one zone.
config zone
	option name 'wg'
	# NOTE(review): input ACCEPT exposes every service on the router to the VPN peer;
	# REJECT plus explicit allow rules is the tighter default unless the router is
	# administered over the tunnel.
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	# masq: LAN sources are NATed behind wg0's own address, so the far side needs no
	# return route for the LAN; mtu_fix clamps TCP MSS to the tunnel MTU.
	option masq '1'
	option mtu_fix '1'
	list network 'wg0'

config forwarding
	option src 'lan'
	option dest 'wg'

# --- Variant C: only selected LAN devices go through the tunnel ----------------------
# (original heading: 防火墙配置部分设备通过 wg)
# https://openwrt.org/docs/guide-user/firewall/firewall_configuration

config zone
	option name 'wg'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wg0'

# No blanket lan -> wg forwarding; the rule below whitelists specific hosts instead.
#config forwarding
#	option src 'lan'
#	option dest 'wg'

# Allow only 192.168.0.200/31 (= .200 and .201) to be forwarded from lan into wg.
config rule
	option name 'allow_192_168_0_200/201_to_vpn'
	option src 'lan'
	option src_ip '192.168.0.200/31'
	option dest 'wg'
	option target 'ACCEPT'
ddns
config.json（CFUSER/CFKEY 这组字段看起来是账户邮箱 + 全局 API Key，其权限覆盖整个 Cloudflare 账户：文件权限应设为 600，并尽量改用仅限 DNS 编辑权限的 API Token）
1{
2 "CFKEY":"xxxxxx",
3 "CFUSER":"[email protected]",
4 "CFDOMAIN":[
5 "xxx.yyy"
6 ]
7}
ShellCrash
在线安装:只是引用的文件源不同
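# Every Wednesday at 03:00: update the subscription and restart the service (task 104).
# The descriptions were glued onto the command lines in the original; in a crontab they
# would have been passed to task.sh as extra arguments, so they are comments now.
0 3 * * 3 /etc/ShellCrash/task/task.sh 104
# Every Friday at 03:00: update the database files (task 113).
0 3 * * 5 /etc/ShellCrash/task/task.sh 113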
meta内核
2-1 : 查看当前的内核
2-1-3 : Tproxy模式
2-1-7 : 3 劫持局域网+本机流量
2-2 : 1 fake-ip 3 mix混合模式
2-2-4 : 7 禁用DNS劫持,自定义dns服务器
2-9 : Fake-ip过滤列表 /etc/ShellCrash/configs/fake_ip_filter
4-1 : 允许ShellCrash开机启动
5-7 : 自动保存面板配置 周3的3点整更新订阅 自动同步ntp时间
6-1 : 订阅相关
6-6-2 : 自定义规则 /etc/ShellCrash/yamls/rules.yaml
9-4-2 : 面板 https://github.com/MetaCubeX/metacubexd ui面板
8-2 : 切换内核singbox
config
configs/ShellCrash.cfg
# ShellCrash configuration file; do not edit unless you know what you are doing!
versionsh_l=1.9.2beta4
firewall_mod=iptables
# Update source: an unpinned GitHub branch (@master) served through a third-party CDN.
# Nothing in this file verifies what gets downloaded, so whoever controls that branch or
# the CDN path controls the code the router runs. NOTE(review): pin a tag/commit if the
# installer allows it, and review updates before applying them.
update_url=https://fastly.jsdelivr.net/gh/juewuy/ShellCrash@master
userguide=1
redir_mod=混合模式
cn_ip_route=已开启
# Upstream resolvers; the https:// and tls:// schemes indicate DoH/DoT. The same list is
# used as the fallback set.
dns_nameserver='https://223.5.5.5/dns-query, https://doh.pub/dns-query, tls://dns.rubyfish.cn:853'
dns_fallback='https://223.5.5.5/dns-query, https://doh.pub/dns-query, tls://dns.rubyfish.cn:853'
Https=
Url='https://|https://'
cpucore=armv7
crashcore=meta
core_v=v1.19.11
geosite_v=20250707
mrs_geosite_cn_v=20250707
china_ip_list_v=20250707
china_ipv6_list_v=20250707
Country_v=
cn_mini_v=20250707
# Web UI path (port 9999)
hostdir=':9999/ui'
# exclude='免费|计费', URL-encoded below: drop subscription nodes whose name matches
# "free|billing" (the encoded string decodes to 计费|免费).
exclude='%E8%AE%A1%E8%B4%B9%7C%E5%85%8D%E8%B4%B9'
# Menu 6-1-5: choose the online generation server.
# NOTE(review): this presumably is a third-party subscription-conversion service; if so,
# the subscription URL -- and the node credentials inside it -- is sent to that service.
# Confirm that is acceptable before relying on it.
server_link=1
# Menu 6-1-4: choose the online rule template
rule_link=1
fakeip
configs/fake_ip_filter
1snapdrop.net
2canyouseeme.org
3*.*.gov.cn
yamls
yamls/rules.yaml
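# Custom rules (Clash syntax). Match types: DOMAIN = exact host, DOMAIN-SUFFIX = the host
# and all of its subdomains, DOMAIN-KEYWORD = any host whose name contains the substring.
- DOMAIN,snapdrop.net,DIRECT
- DOMAIN,stun.l.google.com,DIRECT
- DOMAIN-SUFFIX,canyouseeme.org,DIRECT
- DOMAIN-KEYWORD,spaceship,DIRECT
- DOMAIN-KEYWORD,chatgpt,AiGpt
# grok.com / reddit.com are full domain names: DOMAIN-SUFFIX matches exactly them and their
# subdomains, whereas the original DOMAIN-KEYWORD would also have sent any unrelated host
# merely containing that substring (e.g. "grok.community.example") through AiGpt.
- DOMAIN-SUFFIX,grok.com,AiGpt
- DOMAIN-SUFFIX,reddit.com,AiGpt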
yamls/proxy-groups.yaml
# Proxy group referenced by the AiGpt rules. In Clash a "fallback" group uses the first
# listed proxy that passes the health check and moves down the list when it fails.
- name: AiGpt
  type: fallback
  # Health-check target, presumably probed through every member proxy once per interval.
  # Adjust as needed (原文: 根据情况修改).
  url: 'https://chatgpt.com/favicon.ico'
  # seconds between health checks
  interval: 300
  proxies:
    - 新加坡A02
    - 新加坡A03 | IEPL | x2
clashverge
https://www.clashverge.dev/friendship.html
ax1800 pro
scripts
优化
- /sbin/jd_online_upgrade.sh：禁用在线自动升级，以免自动升级覆盖当前固件
- jd-firmware 权限 0
- /etc/dropbear/authorized_keys, 600, ssh-rsa
- iptables -L MINIUPNPD -v -n --line-numbers -t nat（列出 UPnP 当前建立的端口映射规则；原文中的 “–line-numbers” 是排版连字符，需改为 “--”）
- /etc/config/upnpd 中配置的黑名单没有生效；实际放行的映射可在 /tmp/upnp.leases 中核对。若不依赖 UPnP，直接关闭 upnpd 更稳妥（它允许局域网内任意设备自行打开外部端口）。
rc.local
# Start the dropbear SSH daemon at boot (the stock firmware apparently does not start it
# on its own, hence the unlock steps elsewhere on this page).
# NOTE(review): with no flags dropbear listens on port 22 and accepts password logins.
# Since /etc/dropbear/authorized_keys is provisioned, consider `-s` (key-only logins)
# once key login is confirmed to work; the serial console remains the fallback.
/usr/sbin/dropbear
exit 0
ax1800
ramips mt7621
- 拆机,底部三个螺丝
- 串口在有三颗螺丝的铝块散热器下面
- 波特率115200
串口
U-Boot SPL 2018.09 (Sep 06 2022 - 22:06:27 +0800) Trying to boot from NOR U-Boot 2018.09 (Sep 06 2022 - 22:06:27 +0800) CPU: MediaTek MT7621AT ver 1, eco 3 Clocks: CPU: 880MHz, DDR: 1200MHz, Bus: 220MHz, XTAL: 40MHz Model: MediaTek MT7621 reference board DRAM: 448 MiB MMC: mmc@1e130000: 0 Loading Environment from SPI Flash... SF: Detected whxx25q128 with page size 256 Bytes, erase size 64 KiB, total 16 MiB OK In: uartlite0@1e000c00 Out: uartlite0@1e000c00 Err: uartlite0@1e000c00 Net: Warning: eth@1e100000 (eth0) using random MAC address - 5e:69:c8:f8:cf:5b eth0: eth@1e100000 Saving Environment to SPI Flash... SF: Detected whxx25q128 with page size 256 Bytes, erase size 64 KiB, total 16 MiB Erasing SPI flash...Writing to SPI flash...done OK disabled console and autoboot in 0 seconds ++++++++++++++upgradeFlag=rest gpio value=0 (Low Level effective) clock is disabled (0Hz) selecting mode MMC legacy (freq : 0 MHz) clock is enabled (49019Hz) selecting mode MMC legacy (freq : 25 MHz) mmc: widths [8, 4, 1] modes [MMC legacy, MMC High Speed (26MHz), SD High Speed (50MHz), MMC High Speed (52MHz), MMC DDR52 (52MHz), HS200 (200MHz)] host: widths [4, 1] modes [MMC legacy, SD Legacy, MMC High Speed (26MHz), SD High Speed (50MHz)] clock is enabled (25000000Hz) trying mode MMC High Speed (26MHz) width 4 (at 26 MHz) selecting mode MMC High Speed (26MHz) (freq : 26 MHz) clock is enabled (25000000Hz) filename=backup.img ** Unable to read file backup.img ** fs_read backup.img failed copy_form_sd failed jdboot - goto jd boot Usage: jdboot => printenv baudrate=115200 bootcmd=jdboot bootcount=1 bootdelay=2 bootlimit=3 ipaddr=192.168.68.1 netmask=255.255.255.0 serverip=192.168.68.10 stderr=uartlite0@1e000c00 stdin=uartlite0@1e000c00 stdout=uartlite0@1e000c00 Environment size: 209/65532 bytes
连接 TTL 后串口输出如上：日志显示 bootloader 已禁用控制台（disabled console and autoboot），因此无法输入命令；但这不代表无法进入 U-Boot —— 按下 reset 后上电，即可在串口中输入命令。完整操作过程如下：
降级解锁ssh
1=> mtkupgrade
2
3Available parts to be upgraded:
4 0 - Bootloader
5 1 - Bootloader (Advanced)
6 2 - Firmware
7
8Select a part: 2
9
10*** Upgrading Firmware ***
11
12Available load methods:
13 0 - TFTP client (Default)
14 1 - Xmodem
15 2 - Ymodem
16 3 - Kermit
17 4 - S-Record
18
19Select (enter for default): 0
20
21Input U-Boot's IP address: 192.168.68.1
22Input TFTP server's IP address: 192.168.68.10
23Input IP netmask: 255.255.255.0
24Input file name: JDCOS.bin
25
26Using eth@1e100000 device
27TFTP from server 192.168.68.10; our IP address is 192.168.68.1
28Filename 'JDCOS.bin'.
29Load address: 0x80010000
30Loading: T #################################################################
31 #################################################################
32 #################################################################
33 #################################################################
34 #################################################################
35 #################################################################
36 #################################################################
37 #################################################################
38 #################################################################
39 #################################################################
40 #################################################################
41 #################################################################
42 #################################################################
43 #################################################################
44 #################################################################
45 #######################################
46 1.6 MiB/s
47done
48Bytes transferred = 14877400 (e302d8 hex)
49
50*** Loaded 14877400 (0xe302d8) bytes at 0x80010000 ***
51
52SF: Detected whxx25q128 with page size 256 Bytes, erase size 64 KiB, total 16 MiB
53
54Erasing from 0x90000 to 0xecffff, size 0xe40000 ... OK
55Writting from 0x80010000 to 0x90000, size 0xe302d8 ... OK
56
57*** Firmware upgrade completed! ***
先升级
JDCOS.bin
（JDC03-3.1.1.r1911）：此版本可在网页登录后解锁 ssh；解锁后先备份各分区，再刷写 uboot（u-boot-mt7621-68.bin）。注意：上面的串口日志中 mtkupgrade 收到 TFTP 文件后直接擦写 SPI flash，未见任何校验步骤，刷写前务必确认固件与 uboot 文件来源可信并核对哈希。
备份分区,刷uboot
// Run from the browser devtools while logged in to the router's web UI: it reuses the
// session cookie to call the "jdcapi" JSON-RPC endpoint and registers a "dropbear"
// service instance whose command is /usr/sbin/dropbear, i.e. it starts an SSH daemon.
// NOTE(review): "service set" takes an arbitrary command array, so anyone holding a
// valid sessionid can effectively run commands on the router; treat that cookie as root.
var rpcRequest = {
  jsonrpc: "2.0",
  id: 1,
  method: "call",
  params: [
    $.cookie("sessionid"),
    "service",
    "set",
    {
      "name": "dropbear",
      "instances": {
        "instance1": { "command": ["/usr/sbin/dropbear"] }
      }
    }
  ]
};

$.ajax({
  type: 'POST',
  async: false,
  dataType: 'json',
  url: 'http://' + $.cookie("HostAddrIP") + '/jdcapi',
  data: JSON.stringify(rpcRequest)
});

// Afterwards, in the router shell (via the freshly started dropbear), the flash layout
// that the backup step below relies on:
//   root@JDBoxV3:/tmp/123# cat /proc/mtd
//   dev:    size   erasesize  name
//   mtd0: 00040000 00010000 "Bootloader"
//   mtd1: 00010000 00010000 "Config"
//   mtd2: 00040000 00010000 "Factory"
//   mtd3: 00f70000 00010000 "firmware"
//   mtd4: 003c0000 00010000 "kernel"
//   mtd5: 00bb0000 00010000 "rootfs"
//   mtd6: 00140000 00010000 "rootfs_data"
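# Back up every raw flash partition listed in /proc/mtd (mtd0..mtd6) before the
# bootloader is touched -- these images are the only way back to stock.
# /tmp is RAM-backed on this OpenWrt-style firmware, so the copies vanish on the reboot
# that follows the U-Boot flash: copy them off the box (scp) and keep the checksums first.
mkdir -p /tmp/123
for i in 0 1 2 3 4 5 6; do
  dd if="/dev/mtd$i" of="/tmp/123/mtd${i}_bk.bin"
done
# Record checksums so an off-box copy can be verified (use md5sum if busybox lacks sha256sum).
sha256sum /tmp/123/mtd*_bk.bin > /tmp/123/sha256sums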
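# Flash the replacement U-Boot into mtd0 ("Bootloader").
# A bad or mismatched image here bricks the device short of serial recovery, and
# `mtd write` does no validation of its own: compare the file's checksum with the one
# published by wherever you obtained it BEFORE writing.
sha256sum u-boot-mt7621-68.bin
mtd write u-boot-mt7621-68.bin /dev/mtd0
# expected output:
#   Unlocking /dev/mtd0 ...
#   Writing from u-boot-mt7621-68.bin to /dev/mtd0 ...
# Only reboot once the partition backups have been copied off the router.
reboot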
刷openwrt
重新进入uboot,按键joy
上电进入 uboot 后，用网线直连 LAN 口，电脑手动设为 192.168.68.0/24 网段（uboot 环境中 ipaddr=192.168.68.1），浏览器打开 192.168.68.1 进入网页刷机界面
然后选择sysupgrade.bin
文件刷openwrt
刷原厂固件
- 直接进入uboot升级原厂固件,如JDC03-3.1.1.r1911
- 把之前备份的分区文件重新刷回
ipk下载
# Identify the target and package architecture before downloading .ipk files by hand
uname -a
opkg print-architecture
cat /proc/cpuinfo

# Adjust release version / architecture to match the device.
# sha256sums of the 23.05 package feed: check any hand-downloaded .ipk against it before
# installing, since manual installs bypass the feed's signature check.
https://downloads.openwrt.org/releases/packages-23.05/mipsel_24kc/sha256sums

# NOTE(review): the next two links are from the 2017 release 17.01.1. The kmod is built
# for kernel 4.4.61 (visible in the file name) and will not load on a 23.05 kernel
# (5.15.x): kernel modules must come from the exact same kernel build as the firmware.
https://downloads.openwrt.org/releases/17.01.1/targets/ramips/mt7621/packages/kmod-wireguard_4.4.61+0.0.20170115-1_mipsel_24kc.ipk
https://downloads.openwrt.org/releases/17.01.1/packages/mipsel_24kc/base/iperf3_3.1.4-1_mipsel_24kc.ipk

https://downloads.openwrt.org/snapshots/targets/

# Third-party package host (not downloads.openwrt.org): its packages are not covered by
# the official sha256sums above, so verify them against that site's own checksums.
https://dl.openwrt.ai/packages-23.05/mipsel_24kc/packages/
定制固件 immortalwrt, 如型号:re-cp-02,版本:23.05.6
immortalwrt-23.05.6-bf550ba2533a-ramips-mt7621-jdcloud_re-cp-02-squashfs-sysupgrade.bin
/etc/distfeeds.conf
# ImmortalWrt 23.05.6 feeds for ramips/mt7621, served from a third-party mirror (mirrors.vsean.net).
src/gz immortalwrt_core https://mirrors.vsean.net/openwrt/releases/23.05.6/targets/ramips/mt7621/packages
src/gz immortalwrt_base https://mirrors.vsean.net/openwrt/releases/23.05.6/packages/mipsel_24kc/base
# The kmods feed is tied to this exact kernel build (5.15.189-1-<vermagic>); modules from any other build will not load.
src/gz immortalwrt_kmods https://mirrors.vsean.net/openwrt/releases/23.05.6/targets/ramips/mt7621/kmods/5.15.189-1-d57570949c8e4ee79b82936a52c330d9
src/gz immortalwrt_luci https://mirrors.vsean.net/openwrt/releases/23.05.6/packages/mipsel_24kc/luci
src/gz immortalwrt_packages https://mirrors.vsean.net/openwrt/releases/23.05.6/packages/mipsel_24kc/packages
src/gz immortalwrt_routing https://mirrors.vsean.net/openwrt/releases/23.05.6/packages/mipsel_24kc/routing
src/gz immortalwrt_telephony https://mirrors.vsean.net/openwrt/releases/23.05.6/packages/mipsel_24kc/telephony
# Original note: "校验关闭" -- delete `option check_signature` from /etc/opkg.conf.
# NOTE(review): that disables verification of every package these feeds deliver, so a
# compromised or tampered mirror can push arbitrary code onto the router. Prefer keeping
# check_signature and installing the feed's signing key under /etc/opkg/keys/ (or using
# an official mirror) over switching the check off.
kernel 依赖问题（kmod 与当前运行内核版本不一致）可以通过升级 kernel 解决，但升级后 lsmod 仍可能找不到对应模块，需要另行确认模块是否真正加载。
FAQ
数据转发异常
先抓取配置端口上的流量，确认被转发的目标 IP 是否正确；再检查 iptables（nat 表的 PREROUTING/POSTROUTING 链）配置，核对数据流向是否符合预期。
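# Capture the forwarded port on every interface to see where the packets actually go.
# (In the original these four commands were run together on one line; tcpdump would
# have swallowed everything after "12345" as part of its filter expression.)
tcpdump -i any udp port 12345
# Then compare with the NAT rules: whole table, then the DNAT (PREROUTING) and
# SNAT/MASQUERADE (POSTROUTING) chains
iptables -t nat -L -n -v
iptables -t nat -L PREROUTING -n -v
iptables -t nat -L POSTROUTING -n -v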