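After one of its updates, Xiaomi's AX3600 router has the IPv6 firewall turned off by default (it does not block packets of connections initiated from WAN to LAN). That did not feel safe to me. After looking through a few articles I found that it is possible to enable the SSH service, add ip6tables rules, and so turn the firewall back on.
The articles I referred to say the firmware has to be downgraded before the unlock procedure can be carried out, but in practice the SSH service can still be enabled without downgrading (firmware version 1.1.25).
Steps
The following steps require curl. On Windows, run them in cmd, not in PowerShell: PowerShell's built-in curl command uses a different syntax from the one used in this article.
Replace <HOST> with the router's address and <TOKEN> with the value that follows stok= in the address bar when you are logged in to the router's admin page. This value changes every time the router starts.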
http://192.168.31.1/cgi-bin/luci/;stok=upu902u490u4h839hf43y89fh4e894u8/web/home#router
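After logging in to the admin page, the browser address bar looks like the line above. The part highlighted in yellow is <HOST> (here 192.168.31.1) and the part highlighted in red is <TOKEN> (the value after stok=).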
curl -X GET "http://<HOST>/cgi-bin/luci/;stok=<TOKEN>/api/misystem/set_sys_time?time=2023-2-19%2023:4:47&timezone=CST-8"
curl -X POST "http://<HOST>/cgi-bin/luci/;stok=<TOKEN>/api/xqsmarthome/request_smartcontroller" -d "payload=%7B%22command%22%3A%22scene_setting%22%2C%22name%22%3A%22'%24(sed%20-i%20s%2Frelease%2FXXXXXX%2Fg%20%2Fetc%2Finit.d%2Fdropbear)'%22%2C%22action_list%22%3A%5B%7B%22thirdParty%22%3A%22xmrouter%22%2C%22delay%22%3A17%2C%22type%22%3A%22wan_block%22%2C%22payload%22%3A%7B%22command%22%3A%22wan_block%22%2C%22mac%22%3A%2200%3A00%3A00%3A00%3A00%3A00%22%7D%7D%5D%2C%22launch%22%3A%7B%22timer%22%3A%7B%22time%22%3A%223%3A1%22%2C%22repeat%22%3A%220%22%2C%22enabled%22%3Atrue%7D%7D%7D"
curl -X POST "http://<HOST>/cgi-bin/luci/;stok=<TOKEN>/api/xqsmarthome/request_smartcontroller" -d "payload=%7B%22command%22%3A%22scene_start_by_crontab%22%2C%22time%22%3A%223%3A1%22%2C%22week%22%3A0%7D"
curl -X POST "http://<HOST>/cgi-bin/luci/;stok=<TOKEN>/api/xqsmarthome/request_smartcontroller" -d "payload=%7B%22command%22%3A%22scene_setting%22%2C%22name%22%3A%22'%24(nvram%20set%20ssh_en%3D1)'%22%2C%22action_list%22%3A%5B%7B%22thirdParty%22%3A%22xmrouter%22%2C%22delay%22%3A17%2C%22type%22%3A%22wan_block%22%2C%22payload%22%3A%7B%22command%22%3A%22wan_block%22%2C%22mac%22%3A%2200%3A00%3A00%3A00%3A00%3A00%22%7D%7D%5D%2C%22launch%22%3A%7B%22timer%22%3A%7B%22time%22%3A%223%3A2%22%2C%22repeat%22%3A%220%22%2C%22enabled%22%3Atrue%7D%7D%7D"
curl -X POST "http://<HOST>/cgi-bin/luci/;stok=<TOKEN>/api/xqsmarthome/request_smartcontroller" -d "payload=%7B%22command%22%3A%22scene_start_by_crontab%22%2C%22time%22%3A%223%3A2%22%2C%22week%22%3A0%7D"
curl -X POST "http://<HOST>/cgi-bin/luci/;stok=<TOKEN>/api/xqsmarthome/request_smartcontroller" -d "payload=%7B%22command%22%3A%22scene_setting%22%2C%22name%22%3A%22'%24(nvram%20commit)'%22%2C%22action_list%22%3A%5B%7B%22thirdParty%22%3A%22xmrouter%22%2C%22delay%22%3A17%2C%22type%22%3A%22wan_block%22%2C%22payload%22%3A%7B%22command%22%3A%22wan_block%22%2C%22mac%22%3A%2200%3A00%3A00%3A00%3A00%3A00%22%7D%7D%5D%2C%22launch%22%3A%7B%22timer%22%3A%7B%22time%22%3A%223%3A3%22%2C%22repeat%22%3A%220%22%2C%22enabled%22%3Atrue%7D%7D%7D"
curl -X POST "http://<HOST>/cgi-bin/luci/;stok=<TOKEN>/api/xqsmarthome/request_smartcontroller" -d "payload=%7B%22command%22%3A%22scene_start_by_crontab%22%2C%22time%22%3A%223%3A3%22%2C%22week%22%3A0%7D"
curl -X POST "http://<HOST>/cgi-bin/luci/;stok=<TOKEN>/api/xqsmarthome/request_smartcontroller" -d "payload=%7B%22command%22%3A%22scene_setting%22%2C%22name%22%3A%22'%24(%2Fetc%2Finit.d%2Fdropbear%20enable)'%22%2C%22action_list%22%3A%5B%7B%22thirdParty%22%3A%22xmrouter%22%2C%22delay%22%3A17%2C%22type%22%3A%22wan_block%22%2C%22payload%22%3A%7B%22command%22%3A%22wan_block%22%2C%22mac%22%3A%2200%3A00%3A00%3A00%3A00%3A00%22%7D%7D%5D%2C%22launch%22%3A%7B%22timer%22%3A%7B%22time%22%3A%223%3A4%22%2C%22repeat%22%3A%220%22%2C%22enabled%22%3Atrue%7D%7D%7D"
curl -X POST "http://<HOST>/cgi-bin/luci/;stok=<TOKEN>/api/xqsmarthome/request_smartcontroller" -d "payload=%7B%22command%22%3A%22scene_start_by_crontab%22%2C%22time%22%3A%223%3A4%22%2C%22week%22%3A0%7D"
curl -X POST "http://<HOST>/cgi-bin/luci/;stok=<TOKEN>/api/xqsmarthome/request_smartcontroller" -d "payload=%7B%22command%22%3A%22scene_setting%22%2C%22name%22%3A%22'%24(%2Fetc%2Finit.d%2Fdropbear%20restart)'%22%2C%22action_list%22%3A%5B%7B%22thirdParty%22%3A%22xmrouter%22%2C%22delay%22%3A17%2C%22type%22%3A%22wan_block%22%2C%22payload%22%3A%7B%22command%22%3A%22wan_block%22%2C%22mac%22%3A%2200%3A00%3A00%3A00%3A00%3A00%22%7D%7D%5D%2C%22launch%22%3A%7B%22timer%22%3A%7B%22time%22%3A%223%3A5%22%2C%22repeat%22%3A%220%22%2C%22enabled%22%3Atrue%7D%7D%7D"
curl -X POST "http://<HOST>/cgi-bin/luci/;stok=<TOKEN>/api/xqsmarthome/request_smartcontroller" -d "payload=%7B%22command%22%3A%22scene_start_by_crontab%22%2C%22time%22%3A%223%3A5%22%2C%22week%22%3A0%7D"
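// This last step seems to fail occasionally: it reported a timeout when I ran it, but succeeded when I ran it again.
After that you can log in over SSH. The login command is:
ssh -o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedKeyTypes=+ssh-rsa root@192.168.31.1
A plain ssh root@192.168.31.1 does not work; it fails with:
Unable to negotiate with 192.168.31.1 port 22: no matching host key type found. Their offer: ssh-rsa
This is because the router uses an outdated host key algorithm (ssh-rsa), and current systems disable insecure algorithms by default.
The SSH root password of a Xiaomi router can be calculated on https://miwifi.dev/ssh by entering the router's SN (the SN including the slash).
At this point the SSH service is enabled, but as it stands it will be turned off again when the router reboots. To make SSH persistent, see the link at the end of this article.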
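Adding firewall rules
Two IPv6 firewall rules are added. The first drops all packets of connections initiated from the WAN port to the LAN; the second allows packets of connections initiated from the WAN port to a specific LAN port. The port can be changed to suit your needs.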
ip6tables -I FORWARD -i pppoe-wan -o br-lan -j DROP
ip6tables -I FORWARD -i pppoe-wan -o br-lan -p udp --dport 51820 -j ACCEPT
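Both rules take effect as soon as they are added, but they are lost when the router reboots, so they have to be made persistent. Here the rules are written into rc.local for that purpose.
First open the rc.local file: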
vi /etc/rc.local
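Write in the rules, in the same order as above (each -I inserts at the top of the chain, so the ACCEPT rule has to be added last to end up above the DROP rule):
(sleep 10; ip6tables -I FORWARD -i pppoe-wan -o br-lan -j DROP; ip6tables -I FORWARD -i pppoe-wan -o br-lan -p udp --dport 51820 -j ACCEPT) &
Without the sleep 10, the rules in rc.local sometimes do not take effect. Presumably the router's firewall needs a few seconds to start at boot, and rules added too early are overwritten by the script that starts the firewall.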
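Because -I inserts at the top of the chain, the order in which the two rules are added decides which one a packet hits first. The script below is an added example, not part of the original article: it reads `ip6tables -S FORWARD` output and reports whether the ACCEPT rule sits above the blanket DROP. The function name check_forward_order and both sample listings are made up for illustration; the interface names and port are the ones used above.

```shell
#!/bin/sh
# check_forward_order WAN LAN PROTO PORT   (hypothetical helper, added example)
# Reads `ip6tables -S FORWARD` text on stdin. Exit status:
#   0  ACCEPT for PROTO/PORT sits above the blanket WAN->LAN DROP
#   1  no blanket WAN->LAN DROP found (inbound connections are not blocked)
#   2  ACCEPT is missing or sits below the DROP (the port is unreachable)
# On the router: ip6tables -S FORWARD | check_forward_order pppoe-wan br-lan udp 51820
check_forward_order() {
    awk -v wan="$1" -v lan="$2" -v proto="$3" -v port="$4" '
        # true if option "opt" is followed by value "val" on this rule line
        function has(opt, val,   i) {
            for (i = 1; i < NF; i++) if ($i == opt && $(i + 1) == val) return 1
            return 0
        }
        # only look at FORWARD rules that match WAN -> LAN traffic
        $1 != "-A" || $2 != "FORWARD" || !has("-i", wan) || !has("-o", lan) { next }
        # blanket DROP: nothing but -A FORWARD -i WAN -o LAN -j DROP (8 fields)
        NF == 8 && has("-j", "DROP") && !drop_at { drop_at = NR }
        has("-j", "ACCEPT") && has("-p", proto) && has("--dport", port) && !accept_at {
            accept_at = NR
        }
        END {
            if (!drop_at) exit 1
            if (!accept_at || accept_at > drop_at) exit 2
            exit 0
        }'
}

# Constructed sample: DROP inserted first, ACCEPT inserted last (ACCEPT on top).
GOOD_ORDER='-P FORWARD ACCEPT
-A FORWARD -i pppoe-wan -o br-lan -p udp -m udp --dport 51820 -j ACCEPT
-A FORWARD -i pppoe-wan -o br-lan -j DROP'

# Constructed sample: ACCEPT inserted first, DROP inserted last (DROP on top).
BAD_ORDER='-P FORWARD ACCEPT
-A FORWARD -i pppoe-wan -o br-lan -j DROP
-A FORWARD -i pppoe-wan -o br-lan -p udp -m udp --dport 51820 -j ACCEPT'

for sample in "$GOOD_ORDER" "$BAD_ORDER"; do
    if printf '%s\n' "$sample" | check_forward_order pppoe-wan br-lan udp 51820; then
        echo "ok: ACCEPT is above DROP"
    else
        echo "problem: status $?"
    fi
done
```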
Reference: https://www.right.com.cn/forum/forum.php?mod=viewthread&tid=8348455&extra=page%3D1&page=1