
Using natmap on OpenWrt for NAT hole punching, with firewall configuration

Use natmap on the OpenWrt main router for NAT traversal and get an experience close to having a public IP!

First, OpenWrt must be in a NAT1 (full-cone NAT) environment; home broadband almost always is.

Install luci-app-natmap

Download the ipk file from the link below and install it, or install it from the OpenWrt package manager.

luci-app-natmap download link (may not be compatible with every device)

Create the notification script

Create a shell script that does everything you need: DDNS, uploading to Sub-Store, changing firewall rules, sending notifications, and so on.

The script can live at /root/ddns_natmap.sh

```sh
vi /root/ddns_natmap.sh
```

The script contents are as follows:

```sh
#!/bin/sh
# natmap notify script. natmap calls it with these arguments:
#   $1 = public IP, $2 = public port, $3 = IP4P address, $4 = private (bind) port

# cloudflare ddns
AUTH=''        # Cloudflare API token
DOMAIN=''      # main domain, e.g. baidu.com
RECORD_NAME='' # sub-domain; this is the record that actually gets the IP update, e.g. www.baidu.com. If you use the main domain itself, put the main domain here

IP4P=${3}

# Get the Cloudflare zone ID for the domain
ZONE=$(curl -s -X GET "https://api.cloudflare.com/client/v4/zones?name=${DOMAIN}" \
    -H "Authorization: Bearer ${AUTH}" \
    -H "Content-Type: application/json" | jq -r '.result[0].id')

# Get the DNS record ID. The record stores the IP4P address, which is an IPv6 address,
# so look up the AAAA record (querying type=A returns nothing once the record is AAAA,
# and the update below would then silently go to /dns_records/null)
RECORD=$(curl -s -X GET "https://api.cloudflare.com/client/v4/zones/${ZONE}/dns_records?type=AAAA&name=${RECORD_NAME}" \
    -H "Authorization: Bearer ${AUTH}" \
    -H "Content-Type: application/json" | jq -r '.result[0].id')

# Update the record. -f makes curl exit non-zero on HTTP errors; without it a rejected
# update looks like success. Retry a bounded number of times rather than forever.
tries=0
while [ "${tries}" -lt 5 ]; do
    tries=$((tries + 1))
    if curl -sf -X PUT "https://api.cloudflare.com/client/v4/zones/${ZONE}/dns_records/${RECORD}" \
        -H "Authorization: Bearer ${AUTH}" \
        -H "Content-Type: application/json" \
        --data "{\"type\":\"AAAA\",\"name\":\"${RECORD_NAME}\",\"content\":\"${IP4P}\",\"ttl\":60,\"proxied\":false}" > /dev/null 2>&1; then
        break
    fi
    sleep 2
done

# Update the OpenWrt firewall
rule_name="natmap" # firewall rule name
dest_port="${4}"
# Find the rule by its exact name. A plain `grep natmap` would also match any other
# rule, zone or comment that merely contains the string.
rule_num=$(uci show firewall | sed -n "s/^firewall\.@rule\[\([0-9]*\)\]\.name='${rule_name}'\$/\1/p" | head -n 1)
if [ -z "${rule_num}" ]; then
    uci add firewall rule
    uci set firewall.@rule[-1].name="${rule_name}"
    uci set firewall.@rule[-1].target='ACCEPT'
    uci set firewall.@rule[-1].src='wan'
    uci set firewall.@rule[-1].family='ipv4'
    uci set firewall.@rule[-1].dest_port="${dest_port}"
else
    uci set firewall.@rule[${rule_num}].dest_port="${dest_port}"
fi
uci commit firewall
/etc/init.d/firewall reload

# Upload to Sub-Store; you can capture the request in the browser (F12) and copy it as curl (API example)
curl --location --request PATCH 'http://192.168.1.100:3001/aaa/api/sub/natmap' \
    --header 'Content-Type: application/json' \
    --data '{
    "name": "natmap",
    "displayName": "",
    "mergeSources": "",
    "ignoreFailedRemoteSub": false,
    "icon": "",
    "process": [
        {
            "type": "Quick Setting Operator",
            "args": {
                "useless": "DISABLED",
                "udp": "DEFAULT",
                "scert": "DEFAULT",
                "tfo": "DEFAULT",
                "vmess aead": "DEFAULT"
            }
        }
    ],
    "source": "local",
    "url": "",
    "content": "home_ss_v4 = Shadowsocks,'"${1}"','"${2}"',aes-128-gcm,\"<uuid>\",fast-open=false,udp=true",
    "ua": "",
    "display-name": ""
}'

# Send the IP and port to an external database for storage (API example)
curl --location --request PUT 'https://<domain>/?token=aaa&key=bbb' \
    --header 'Content-Type: application/json' \
    --data '{
    "ip": "'"${1}"'",
    "port": "'"${2}"'"
}'

# Send a Bark notification (API example)
curl -s "https://api.day.app/<barkToken>/nat穿透信息已更改/${1}:${2}%0a${3}"
```
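The notify script interpolates whatever natmap hands it (public IP, public port, IP4P address, bind port) straight into a DNS record, uci commands and several API calls. The following is an added example, not part of the original post, of guard functions such a script can run first: they check that the IPv4 address and both ports are well formed and decode the IP4P address to confirm it matches the public IP:port natmap reported. The IP4P layout used here (an IPv6 address whose last three 16-bit groups are port, high half and low half of the IPv4 address, written 2001::PPPP:HHHH:LLLL) is an assumption about natmap's encoding; verify it against your natmap version. The sample values are constructed.

```shell
#!/bin/sh
# Added example, not part of the original post: guard functions for a natmap
# notify script. natmap calls the script as:
#   $1 public IP  $2 public port  $3 IP4P address  $4 private (bind) port
# Assumed IP4P layout (check against your natmap version): an IPv6 address whose
# last three 16-bit groups are PPPP:HHHH:LLLL = port, high and low halves of the
# IPv4 address, e.g. 2001::PPPP:HHHH:LLLL.

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
    ip=$1
    case "$ip" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $ip
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Return 0 if $1 is a decimal port number in 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ ${#1} -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Encode <ipv4> <port> as an IP4P address (assumed layout above).
ip4p_encode() {
    port=$2
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    printf '2001::%x:%x:%x\n' "$port" $(( $1 * 256 + $2 )) $(( $3 * 256 + $4 ))
}

# Decode an IP4P address and print "<ipv4> <port>"; return 1 if it does not parse.
# Works for both the compressed (2001::...) and the fully expanded spelling, since
# only the last three colon-separated groups carry the payload.
ip4p_decode() {
    addr=$1
    case "$addr" in
        2001:*) ;;
        *) return 1 ;;
    esac
    old_ifs=$IFS; IFS=:
    set -- $addr
    IFS=$old_ifs
    [ $# -ge 4 ] || return 1
    shift $(( $# - 3 ))
    for group in "$1" "$2" "$3"; do
        case "$group" in
            ''|*[!0-9a-fA-F]*) return 1 ;;
        esac
        [ ${#group} -le 4 ] || return 1
    done
    port=$(( 0x$1 )); hi=$(( 0x$2 )); lo=$(( 0x$3 ))
    printf '%d.%d.%d.%d %d\n' $(( hi / 256 )) $(( hi % 256 )) $(( lo / 256 )) $(( lo % 256 )) "$port"
}

# Validate the four leading natmap arguments. Returns 0 only if the public IP and
# both ports are well formed and the IP4P address decodes to the same public IP:port.
check_notify_args() {
    valid_ipv4 "$1" || return 1
    valid_port "$2" || return 1
    valid_port "$4" || return 1
    decoded=$(ip4p_decode "$3") || return 1
    [ "$decoded" = "$1 $2" ]
}

# Constructed sample values (documentation address 203.0.113.5, not a real host):
sample_ip4p=$(ip4p_encode 203.0.113.5 40001)
if check_notify_args 203.0.113.5 40001 "$sample_ip4p" 5000; then
    echo "natmap arguments look consistent: 203.0.113.5:40001 <-> $sample_ip4p"
else
    echo "natmap arguments rejected"
fi
```

In the real script, `check_notify_args "$1" "$2" "$3" "$4" || exit 1` at the top means a malformed value never reaches `uci set` or the DNS update; everything else in the script can then assume clean input.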

After creating it, make it executable

```sh
chmod +x /root/ddns_natmap.sh
```

Configure natmap

Configure it as shown in the figure

[Figure: natmap configuration screenshot (image-20240805144503358)]

Once hole punching succeeds, it should show as in the figure below!

[Figure: natmap status screenshot (image-20240805144628170)]

Under Network > Firewall > Traffic Rules there should be a rule like the following

[Figure: Traffic Rules screenshot (image-20240805152514192)]
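The notify script finds the rule to edit by searching `uci show firewall` for the name "natmap", and every natmap update rewrites that rule's port. The following added example (not from the original post) does that lookup strictly: it accepts exactly one `@rule[N]` whose name matches exactly, rejects names that would change the search pattern, and then confirms the rule's dest_port is the one the Traffic Rules page should show. The uci output is a constructed sample with a decoy rule whose name merely contains "natmap"; on the router you would pipe the real `uci show firewall` output in instead.

```shell
#!/bin/sh
# Added example, not part of the original post: locate the firewall rule that the
# natmap notify script maintains by its exact name in "uci show firewall" output
# and confirm it opens only the expected port. Refusing to act unless exactly one
# rule matches avoids editing the wrong @rule[N] entry.

# Constructed sample of `uci show firewall` output. On the router use the real
# output instead:  uci show firewall | check_natmap_rule natmap "$4"
sample_uci() {
    cat <<'EOF'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-natmap-ui'
firewall.@rule[2].src='lan'
firewall.@rule[2].dest_port='8080'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='natmap'
firewall.@rule[5].src='wan'
firewall.@rule[5].family='ipv4'
firewall.@rule[5].dest_port='5000'
firewall.@rule[5].target='ACCEPT'
EOF
}

# Read uci output on stdin; print the index N of the one @rule[N] whose name is
# exactly $1. Returns 1 for no match, more than one match, or an unsafe name.
find_rule_index() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;   # only plain names may go into the sed pattern
    esac
    matches=$(sed -n "s/^firewall\.@rule\[\([0-9]*\)\]\.name='$1'\$/\1/p")
    count=$(printf '%s\n' "$matches" | grep -c . || true)
    [ "$count" -eq 1 ] || return 1
    printf '%s\n' "$matches"
}

# Read uci output on stdin; print the dest_port of @rule[$1] (empty if unset).
rule_dest_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    sed -n "s/^firewall\.@rule\[$1\]\.dest_port='\(.*\)'\$/\1/p"
}

# Read uci output on stdin; return 0 only if exactly one rule named $1 exists
# and its dest_port equals $2.
check_natmap_rule() {
    conf=$(cat)
    idx=$(printf '%s\n' "$conf" | find_rule_index "$1") || return 1
    port=$(printf '%s\n' "$conf" | rule_dest_port "$idx")
    [ "$port" = "$2" ]
}

# Demo on the constructed sample:
if sample_uci | check_natmap_rule natmap 5000; then
    echo "rule @rule[$(sample_uci | find_rule_index natmap)] opens port 5000 as expected"
else
    echo "natmap rule missing, duplicated, or on the wrong port"
fi
```

Run after `/etc/init.d/firewall reload`, a failing `check_natmap_rule natmap "$4"` is the signal that the router's WAN-facing rule does not match what natmap just negotiated, which is exactly the moment to stop and look rather than to push the new address out to DNS and Sub-Store.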