diff --git a/shadowsocks-libev/files/ss-rules b/shadowsocks-libev/files/ss-rules index 87973133f..e5e9892c7 100755 --- a/shadowsocks-libev/files/ss-rules +++ b/shadowsocks-libev/files/ss-rules @@ -276,7 +276,7 @@ ss_rules_iptchains_mkprerules() { local proto="$1" if [ -z "$o_ifnames" ]; then - echo "-I PREROUTING 1 -p $proto -j ssr_${rule}_pre_src" + echo "-A PREROUTING -p $proto -j ssr_${rule}_pre_src" else echo $o_ifnames \ | tr ' ' '\n' \ @@ -284,7 +284,19 @@ ss_rules_iptchains_mkprerules() { fi } +ss_rules_fw_drop() { + fw3 -4 print 2>/dev/null | awk '/iptables/&&/zone_lan_forward/&&/-t filter/&&/-j reject/ {for(i=6; i<=NF; i++) printf "%s ",$i }' | + while IFS=$"\n" read -r c; do + iptables -t nat -A zone_lan_prerouting $(echo $c | sed 's/reject/REDIRECT --to-ports 65535/') 2>&1 >/dev/null + done + fw3 -4 print 2>/dev/null | awk '/iptables/&&/zone_lan_forward/&&/-t filter/&&/-j drop/ {for(i=6; i<=NF; i++) printf "%s ",$i }' | + while IFS=$"\n" read -r c; do + iptables -t nat -A zone_lan_prerouting $(echo $c | sed 's/drop/REDIRECT --to-ports 65535/') 2>&1 >/dev/null + done +} + ss_rules_parse_args "$@" #ss_rules_flush ss_rules_ipset_init ss_rules_iptchains_init +ss_rules_fw_drop \ No newline at end of file diff --git a/shadowsocks-libev/files/ss-rules6 b/shadowsocks-libev/files/ss-rules6 index 21e257b10..d8394cc64 100755 --- a/shadowsocks-libev/files/ss-rules6 +++ b/shadowsocks-libev/files/ss-rules6 @@ -149,11 +149,13 @@ ss_rules6_iptchains_init() { } ss_rules6_iptchains_init_mark() { - ip6tables-restore -w --noflush <<-EOF - *mangle - -A PREROUTING -m set --match-set ss_rules6_dst_bypass_all dst -j MARK --set-mark 0x6539 - COMMIT - EOF + if [ "$(ip6tables -w -t mangle -L PREROUTING | grep ss_rules6_dst_bypass_all)" = "" ]; then + ip6tables-restore -w --noflush <<-EOF + *mangle + -A PREROUTING -m set --match-set ss_rules6_dst_bypass_all dst -j MARK --set-mark 0x6539 + COMMIT + EOF + fi } 
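Review bot: The switch from `-I PREROUTING 1` to `-A PREROUTING` in ss_rules_iptchains_mkprerules makes the position of the `ssr_${rule}_pre_src` jump depend on whatever is already in PREROUTING, and nothing in the hunk records why. If the intent is what it appears to be, a comment such as `# append so fw3's zone_*_prerouting chains (and the REDIRECT blocks from ss_rules_fw_drop) are evaluated before the proxy chain` would state the ordering requirement. The `else` branch for `$o_ifnames` continues outside the hunk; if it still inserts at position 1, the two paths order differently. The same one-line change is made in ss_rules6_iptchains_mkprerules.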
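Review bot: The `while ... read -r c` loops in ss_rules_fw_drop most likely never run their body, because the awk program prints every field with `printf "%s "` and never emits a newline, so `read` reaches EOF on an unterminated line and returns non-zero (several matching rules would also be glued into one argument list). This function appears to be what keeps LAN traffic that fw3 rejects or drops out of the proxy redirect, so a silent no-op leaves those blocks ineffective, and `2>&1 >/dev/null` plus the ignored exit status hide any iptables failure. `IFS=$"\n"` is also not a newline in bash or ash (`IFS= read -r c` is the usual form), the `sed` rewrites the first `reject`/`drop` substring anywhere in the rule rather than the `-j` target, and the calls omit `-w`, which the ss-rules6 hunk does pass. The same body is repeated in ss_rules6_fw_drop, v2r_rules_fw_drop and v2ray_rules6_fw_drop; a sketch for the IPv4 variant follows.

```shell
ss_rules_fw_drop() {
	local verdict c
	for verdict in reject drop; do
		fw3 -4 print 2>/dev/null \
			| awk -v v="$verdict" '/iptables/ && /zone_lan_forward/ && /-t filter/ && index($0, "-j " v) {
				for (i = 6; i <= NF; i++) printf "%s ", $i
				print ""	# one rule per line so read sees a terminated record
			}' \
			| sed "s/-j $verdict /-j REDIRECT --to-ports 65535 /" \
			| while IFS= read -r c; do
				# $c is left unquoted on purpose: it holds the iptables argument list
				iptables -w -t nat -A zone_lan_prerouting $c >/dev/null \
					|| echo "ss-rules: could not mirror fw3 $verdict rule: $c" >&2
			done
	done
}
```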
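Review bot: The duplicate check in ss_rules6_iptchains_init_mark greps the output of `ip6tables -w -t mangle -L PREROUTING`, which matches any rule that mentions the set name and, without `-n`, may do reverse lookups while listing. `ip6tables -C` tests for the exact rule instead, for example `ip6tables -w -t mangle -C PREROUTING -m set --match-set ss_rules6_dst_bypass_all dst -j MARK --set-mark 0x6539 2>/dev/null || ip6tables-restore -w --noflush ...`. If the listing is kept, `-nL` piped to `grep -q` avoids both the lookups and the string comparison.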
@@ -257,7 +259,7 @@ ss_rules6_iptchains_mkprerules() { local proto="$1" if [ -z "$o_ifnames" ]; then - echo "-I PREROUTING 1 -p $proto -j ssr6_${rule}_pre_src" + echo "-A PREROUTING -p $proto -j ssr6_${rule}_pre_src" else echo $o_ifnames \ | tr ' ' '\n' \ @@ -265,7 +267,20 @@ ss_rules6_iptchains_mkprerules() { fi } + +ss_rules6_fw_drop() { + fw3 -6 print 2>/dev/null | awk '/ip6tables/&&/zone_lan_forward/&&/-t filter/&&/-j reject/ {for(i=6; i<=NF; i++) printf "%s ",$i }' | + while IFS=$"\n" read -r c; do + ip6tables -t nat -A zone_lan_prerouting $(echo $c | sed 's/reject/REDIRECT --to-ports 65535/') 2>&1 >/dev/null + done + fw3 -6 print 2>/dev/null | awk '/ip6tables/&&/zone_lan_forward/&&/-t filter/&&/-j drop/ {for(i=6; i<=NF; i++) printf "%s ",$i }' | + while IFS=$"\n" read -r c; do + ip6tables -t nat -A zone_lan_prerouting $(echo $c | sed 's/drop/REDIRECT --to-ports 65535/') 2>&1 >/dev/null + done +} + ss_rules6_parse_args "$@" ss_rules6_flush ss_rules6_ipset_init ss_rules6_iptchains_init +ss_rules6_fw_drop \ No newline at end of file diff --git a/v2ray-core/files/usr/bin/v2ray-rules b/v2ray-core/files/usr/bin/v2ray-rules index 25f435cc9..695f2819d 100755 --- a/v2ray-core/files/usr/bin/v2ray-rules +++ b/v2ray-core/files/usr/bin/v2ray-rules 
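Review bot: ss_rules6_fw_drop appends to `zone_lan_prerouting` in the IPv6 `nat` table, but as far as I know fw3 only builds its nat chains for IPv4, so this chain may not exist under ip6tables. Every append would then fail, with the error discarded by the redirection. This is worth confirming on a target device. A guard such as `ip6tables -w -t nat -nL zone_lan_prerouting >/dev/null 2>&1 || return 0`, plus a log line, would make the missing block visible. The same applies to v2ray_rules6_fw_drop.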
@@ -283,7 +283,20 @@ v2r_rules_iptchains_mkprerules() { fi } +v2r_rules_fw_drop() { + fw3 -4 print 2>/dev/null | awk '/iptables/&&/zone_lan_forward/&&/-t filter/&&/-j reject/ {for(i=6; i<=NF; i++) printf "%s ",$i }' | + while IFS=$"\n" read -r c; do + iptables -t nat -A zone_lan_prerouting $(echo $c | sed 's/reject/REDIRECT --to-ports 65535/') 2>&1 >/dev/null + done + fw3 -4 print 2>/dev/null | awk '/iptables/&&/zone_lan_forward/&&/-t filter/&&/-j drop/ {for(i=6; i<=NF; i++) printf "%s ",$i }' | + while IFS=$"\n" read -r c; do + iptables -t nat -A zone_lan_prerouting $(echo $c | sed 's/drop/REDIRECT --to-ports 65535/') 2>&1 >/dev/null + done +} + + v2r_rules_parse_args "$@" #v2r_rules_flush v2r_rules_ipset_init v2r_rules_iptchains_init +v2r_rules_fw_drop \ No newline at end of file diff --git a/v2ray-core/files/usr/bin/v2ray-rules6 b/v2ray-core/files/usr/bin/v2ray-rules6 index c62b50ba0..952d64b04 100755 --- a/v2ray-core/files/usr/bin/v2ray-rules6 +++ b/v2ray-core/files/usr/bin/v2ray-rules6 @@ -274,7 +274,20 @@ v2ray_rules6_iptchains_mkprerules() { fi } +v2ray_rules6_fw_drop() { + fw3 -6 print 2>/dev/null | awk '/ip6tables/&&/zone_lan_forward/&&/-t filter/&&/-j reject/ {for(i=6; i<=NF; i++) printf "%s ",$i }' | + while IFS=$"\n" read -r c; do + ip6tables -t nat -A zone_lan_prerouting $(echo $c | sed 's/reject/REDIRECT --to-ports 65535/') 2>&1 >/dev/null + done + fw3 -6 print 2>/dev/null | awk '/ip6tables/&&/zone_lan_forward/&&/-t filter/&&/-j drop/ {for(i=6; i<=NF; i++) printf "%s ",$i }' | + while IFS=$"\n" read -r c; do + ip6tables -t nat -A zone_lan_prerouting $(echo $c | sed 's/drop/REDIRECT --to-ports 65535/') 2>&1 >/dev/null + done +} + + v2ray_rules6_parse_args "$@" v2ray_rules6_flush v2ray_rules6_ipset_init v2ray_rules6_iptchains_init +v2ray_rules6_fw_drop \ No newline at end of file
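Review bot: v2r_rules_fw_drop is added here without the `-I PREROUTING 1` to `-A PREROUTING` change that the shadowsocks scripts receive in the same commit. The body of v2r_rules_iptchains_mkprerules is outside the hunk, so this is inferred: if it still inserts its jump at position 1, the proxy chain is evaluated before `zone_lan_prerouting` and the REDIRECT rules appended by this function would never be reached. The same question applies to v2ray_rules6_iptchains_mkprerules in v2ray-rules6.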