From 3153ea1accdf73d24923020cf927740a9e58adca Mon Sep 17 00:00:00 2001
From: juewuy
Date: Thu, 25 Dec 2025 22:48:09 +0800
Subject: [PATCH] =?UTF-8?q?~=E4=BF=AE=E5=A4=8Diptables=E5=85=AC=E7=BD=91?= =?UTF-8?q?=E9=98=B2=E7=81=AB=E5=A2=99=E7=9A=84bug?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 scripts/starts/fw_iptables.sh | 7 +++++++
 scripts/starts/fw_nftables.sh | 13 +++++++------
 scripts/starts/fw_stop.sh | 6 ++++++
 3 files changed, 20 insertions(+), 6 deletions(-)
diff --git a/scripts/starts/fw_iptables.sh b/scripts/starts/fw_iptables.sh
index 689af4c0..7402bb10 100644
--- a/scripts/starts/fw_iptables.sh
+++ b/scripts/starts/fw_iptables.sh
@@ -149,6 +149,13 @@ start_ipt_wan() { #iptables公网防火墙
 ipt_wan_accept tcp
 ipt_wan_accept udp
 }
+ #局域网请求放行
+ for ip in $host_ipv4; do
+ $iptable -I INPUT -s $ip -j ACCEPT
+ done
+ ckcmd ip6tables && for ip in $host_ipv6; do
+ $ip6table -I INPUT -s $ip -j ACCEPT
+ done
 #本机请求全放行
 $iptable -I INPUT -i lo -j ACCEPT
 ckcmd ip6tables && $ip6table -I INPUT -i lo -j ACCEPT
diff --git a/scripts/starts/fw_nftables.sh b/scripts/starts/fw_nftables.sh
index e4c084e5..23560e64 100644
--- a/scripts/starts/fw_nftables.sh
+++ b/scripts/starts/fw_nftables.sh
@@ -1,11 +1,14 @@
 #!/bin/sh
 # Copyright (C) Juewuy
 
+HOST_IP=$(echo $host_ipv4 | sed 's/ /, /g')
+HOST_IP6=$(echo $host_ipv6 | sed 's/ /, /g')
+RESERVED_IP=$(echo $reserve_ipv4 | sed 's/ /, /g')
+RESERVED_IP6=$(echo "$reserve_ipv6 $host_ipv6" | sed 's/ /, /g')
+
 start_nft_route() { #nftables-route通用工具
 #$1:name $2:hook(prerouting/output) $3:type(nat/mangle/filter) $4:priority(-100/-150)
 [ "$common_ports" = "已开启" ] && PORTS=$(echo $multiport | sed 's/,/, /g')
- RESERVED_IP=$(echo $reserve_ipv4 | sed 's/ /, /g')
- HOST_IP=$(echo $host_ipv4 | sed 's/ /, /g')
 [ "$1" = 'output' ] && HOST_IP="127.0.0.0/8, $(echo $local_ipv4 | sed 's/ /, /g')"
 [ "$1" = 'prerouting_vm' ] && HOST_IP="$(echo $vm_ipv4 | sed 's/ /, /g')"
 #添加新链
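Review bot: The new `$iptable -I INPUT -s $ip -j ACCEPT` loop matches on source address only, so it accepts traffic from the `$host_ipv4` ranges on every ingress interface, including the WAN side, where a packet carrying a LAN source address would match too unless reverse-path filtering is active. Scoping the rule to the interface those ranges live on, e.g. `$iptable -I INPUT ! -i <WAN_IFACE> -s $ip -j ACCEPT` (placeholder name; the WAN interface variable is not visible here), keeps the exemption on the LAN. Because it is inserted with `-I` it lands above the multiport REJECT rules for `$mix_port,$db_port,$dns_port`, which is presumably the point of the fix; a one-line comment naming that ordering dependency would help, e.g. `#must sit above the INPUT REJECT rules, hence -I`. The enclosing function start_ipt_wan continues outside the hunk.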
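Review bot: `HOST_IP` is now a single file-scope global that the surviving `[ "$1" = 'output' ] && HOST_IP="127.0.0.0/8, ..."` and `prerouting_vm` lines overwrite in place, with nothing resetting it before the next call, so its value becomes order-dependent; the same removal happens in start_nft_dns in the `@@ -99,8 +100,6 @@` hunk. Whatever runs next, a later `prerouting` call of either function or start_nft_wan's new `ip saddr {$HOST_IP} accept` rule, then sees the loopback/local or VM list instead of `$host_ipv4`, unless the caller (not visible here) always invokes the `output`/`prerouting_vm` variants last. The minimal fix is to keep the per-call line `HOST_IP=$(echo $host_ipv4 | sed 's/ /, /g')` at the top of both functions and give start_nft_wan its own file-scope name (e.g. `HOST_IP_ALL`, a constructed name) so the global is never mutated. The file-scope assignments also execute when the script is sourced, so `$host_ipv4`, `$host_ipv6`, `$reserve_ipv4` and `$reserve_ipv6` must already be set at that point; a comment such as `#evaluated at source time: host_ipv4/host_ipv6/reserve_ipv4/reserve_ipv6 must be set before this file is loaded` would make that explicit. start_nft_route continues outside the hunk.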
@@ -62,8 +65,6 @@ start_nft_route() { #nftables-route通用工具
 }
 #局域网ipv6支持
 if [ "$ipv6_redir" = "已开启" -a "$1" = 'prerouting' -a "$firewall_area" != 5 ]; then
- RESERVED_IP6="$(echo "$reserve_ipv6 $host_ipv6" | sed 's/ /, /g')"
- HOST_IP6="$(echo $host_ipv6 | sed 's/ /, /g')"
 #过滤保留地址及本机地址
 nft add rule inet shellcrash $1 ip6 daddr {$RESERVED_IP6} return
 #仅代理本机局域网网段流量
@@ -99,8 +100,6 @@ start_nft_route() { #nftables-route通用工具
 #nft add rule inet shellcrash local_tproxy log prefix \"pre\" level debug
 }
 start_nft_dns() { #nftables-dns
- HOST_IP=$(echo $host_ipv4 | sed 's/ /, /g')
- HOST_IP6=$(echo $host_ipv6 | sed 's/ /, /g')
 [ "$1" = 'output' ] && HOST_IP="127.0.0.0/8, $(echo $local_ipv4 | sed 's/ /, /g')"
 [ "$1" = 'prerouting_vm' ] && HOST_IP="$(echo $vm_ipv4 | sed 's/ /, /g')"
 nft add chain inet shellcrash "$1"_dns { type nat hook $2 priority -100 \; }
@@ -136,6 +135,8 @@ start_nft_wan() { #nftables公网防火墙
 }
 #端口拦截
 reject_ports="{ $mix_port, $db_port, $dns_port }"
+ nft add rule inet shellcrash input ip saddr {$HOST_IP} accept
+ nft add rule inet shellcrash input ip6 saddr {$HOST_IP6} accept
 nft add rule inet shellcrash input tcp dport $reject_ports reject
 nft add rule inet shellcrash input udp dport $reject_ports reject
 }
diff --git a/scripts/starts/fw_stop.sh b/scripts/starts/fw_stop.sh
index b155f15c..6491eba9 100644
--- a/scripts/starts/fw_stop.sh
+++ b/scripts/starts/fw_stop.sh
@@ -48,6 +48,9 @@ ckcmd iptables && {
 $iptable -D FORWARD -p udp --dport 443 -o utun $set_cn_ip -j REJECT 2>/dev/null
 #公网访问
 $iptable -D INPUT -i lo -j ACCEPT 2>/dev/null
+ for ip in $host_ipv4; do
+ $iptable -D INPUT -s $ip -j ACCEPT 2>/dev/null
+ done
 $iptable -D INPUT -p tcp -m multiport --dports "$fw_wan_ports" -j ACCEPT 2>/dev/null
 $iptable -D INPUT -p udp -m multiport --dports "$fw_wan_ports" -j ACCEPT 2>/dev/null
 $iptable -D INPUT -p tcp -m multiport --dports "$mix_port,$db_port,$dns_port" -j REJECT 2>/dev/null
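Review bot: `nft add rule inet shellcrash input ip6 saddr {$HOST_IP6} accept` expands to `ip6 saddr {}` whenever `$host_ipv6` is empty (an IPv4-only host), which nft rejects as a syntax error; the iptables side guards its IPv6 rules with `ckcmd ip6tables`, and this one should be guarded on the value, `[ -n "$HOST_IP6" ] && nft add rule inet shellcrash input ip6 saddr {$HOST_IP6} accept`, with the same `-n` guard on the `{$HOST_IP}` line. Both accept rules match on source address only, with no `iifname` qualifier, so the exemption from the port rejects below also covers packets arriving on the WAN interface with a LAN source address unless rp_filter is in place; add an interface match once the LAN or WAN interface is known. HOST_IP here is the file-scope global that start_nft_route and start_nft_dns overwrite for their `output`/`prerouting_vm` variants, so which list this rule actually accepts depends on the call that ran last. start_nft_wan's body starts outside the hunk.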
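Review bot: `$iptable -D INPUT -s $ip -j ACCEPT` deletes only the first matching rule per address, so if the start script ran more than once without a stop (each run does `-I`), or if `$host_ipv4` changed between start and stop, broad source-based ACCEPT rules survive the teardown; the IPv6 loop in the `@@ -95,6 +98,9 @@` hunk has the same issue. Looping until deletion fails removes the duplicates: `while $iptable -D INPUT -s $ip -j ACCEPT 2>/dev/null; do :; done`. Addresses no longer in `$host_ipv4` would still need the list that was applied at start time, or a flush of the rules this script owns, and nothing visible here records that list; I can't tell from this hunk whether a later step handles it. The enclosing `ckcmd iptables && {` group continues outside the hunk.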
@@ -95,6 +98,9 @@ ckcmd ip6tables && {
 $ip6table -D FORWARD -p udp --dport 443 -o utun $set_cn_ip6 -j REJECT 2>/dev/null
 #公网访问
 $ip6table -D INPUT -i lo -j ACCEPT 2>/dev/null
+ for ip in $host_ipv6; do
+ $ip6table -D INPUT -s $ip -j ACCEPT 2>/dev/null
+ done
 $ip6table -D INPUT -p tcp -m multiport --dports "$fw_wan_ports" -j ACCEPT 2>/dev/null
 $ip6table -D INPUT -p udp -m multiport --dports "$fw_wan_ports" -j ACCEPT 2>/dev/null
 $ip6table -D INPUT -p tcp -m multiport --dports "$mix_port,$db_port,$dns_port" -j REJECT 2>/dev/null