Fix firewall redirection with destination IP

2025-02-12 18:41:51 +00:00 · 2023-07-21 21:40:54 +02:00 · 2023-07-21 21:40:54 +02:00 · 1b02c5f174
commit 1b02c5f174
parent b362091628
1 changed files with 24 additions and 0 deletions
--- a/openmptcprouter/files/etc/init.d/openmptcprouter-vps
+++ b/openmptcprouter/files/etc/init.d/openmptcprouter-vps
@ -956,6 +956,18 @@ _vps_firewall_redirect_port() {
 						[ -n "$src_dip" ] && {
 							comment=" to $src_dip"
 							$IPTABLESSAVE --counters | sed "s:-d $src_dip/32::g" | $IPTABLESRESTORE -w
+							[ -f /usr/sbin/nft ] && {
+								rule=$(nft -a list table inet fw4 | grep -m1 "ip daddr $src_dip")
+								[ -n "$rule" ] && {
+									handle=$(echo $rule | awk '{ print $NF }')
+									nft replace rule inet fw4 dstnat_lan handle ${handle} $(echo $rule | awk '{ sub(" comment.*$",""); print }' | sed "s/ip daddr ${src_dip}//") 2>&1 >/dev/null
+								}
+								rule=$(nft -a list table inet fw4 | grep -m1 "ip daddr $src_dip")
+								[ -n "$rule" ] && {
+									handle=$(echo $rule | awk '{ print $NF }')
+									nft replace rule inet fw4 dstnat_vpn handle $handle $(echo $rule | awk '{ sub(" comment.*$",""); print }' | sed "s/ip daddr ${src_dip}/meta nfproto ipv4/") 2>&1 >/dev/null
+								}
+							}
 						}
 						[ -n "$src_ip" ] && comment=" from $src_ip"
 						if [ "$target" = "ACCEPT" ]; then
@ -1038,6 +1050,18 @@ _vps_firewall_redirect_port() {
 						[ -n "$src_dip" ] && {
 							comment=" to $src_dip"
 							$IPTABLESSAVE --counters | sed "s:-d $src_dip/32::g" | $IPTABLESRESTORE -w
+							[ -f /usr/sbin/nft ] && {
+								rule=$(nft -a list table inet fw4 | grep -m1 "ip daddr $src_dip")
+								[ -n "$rule" ] && {
+									handle=$(echo $rule | awk '{ print $NF }')
+									nft replace rule inet fw4 dstnat_lan handle ${handle} $(echo $rule | awk '{ sub(" comment.*$",""); print }' | sed "s/ip daddr ${src_dip}//") 2>&1 >/dev/null
+								}
+								rule=$(nft -a list table inet fw4 | grep -m1 "ip daddr $src_dip")
+								[ -n "$rule" ] && {
+									handle=$(echo $rule | awk '{ print $NF }')
+									nft replace rule inet fw4 dstnat_vpn handle $handle $(echo $rule | awk '{ sub(" comment.*$",""); print }' | sed "s/ip daddr ${src_dip}/meta nfproto ipv4/") 2>&1 >/dev/null
+								}
+							}
 						}
 						[ -n "$src_ip" ] && comment=" from $src_ip"
 						checkfw=$(echo "$vpsfwlist" | grep "# OMR $username open router $src_dport port ${protoi}${comment} --- V2Ray to ${dest_ip}:${dest_port}")