~增加nftables公网访问防火墙
~增加nftables防回环
This commit is contained in:
juewuy
@@ -2054,7 +2054,6 @@ checkupdate(){
|
|||||||
[ "$?" = "0" ] && version_new=$(cat ${TMPDIR}/version_new | grep -oE 'versionsh=.*' | awk -F'=' '{ print $2 }')
|
[ "$?" = "0" ] && version_new=$(cat ${TMPDIR}/version_new | grep -oE 'versionsh=.*' | awk -F'=' '{ print $2 }')
|
||||||
if [ -n "$version_new" ];then
|
if [ -n "$version_new" ];then
|
||||||
source ${TMPDIR}/version_new 2>/dev/null
|
source ${TMPDIR}/version_new 2>/dev/null
|
||||||
cat ${TMPDIR}/version_new
|
|
||||||
else
|
else
|
||||||
echo -e "\033[31m检查更新失败!请尝试切换其他安装源!\033[0m"
|
echo -e "\033[31m检查更新失败!请尝试切换其他安装源!\033[0m"
|
||||||
setserver
|
setserver
|
||||||
|
|||||||
@@ -1167,7 +1167,34 @@ start_tun(){ #iptables-tun
|
|||||||
logger "iptables缺少-J MARK功能,放弃启动tun相关防火墙规则!" 31
|
logger "iptables缺少-J MARK功能,放弃启动tun相关防火墙规则!" 31
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
start_nft(){ #nftables-allinone
|
start_ipt_wan(){ #iptables公网防火墙
|
||||||
|
#获取局域网host地址
|
||||||
|
getlanip
|
||||||
|
if [ "$public_support" = "已开启" ];then
|
||||||
|
iptables -I INPUT -p tcp --dport $db_port -j ACCEPT
|
||||||
|
ckcmd ip6tables && ip6tables -I INPUT -p tcp --dport $db_port -j ACCEPT
|
||||||
|
else
|
||||||
|
#仅允许非公网设备访问面板
|
||||||
|
for ip in $reserve_ipv4;do
|
||||||
|
iptables -A INPUT -p tcp -s $ip --dport $db_port -j ACCEPT
|
||||||
|
done
|
||||||
|
iptables -A INPUT -p tcp --dport $db_port -j REJECT
|
||||||
|
ckcmd ip6tables && ip6tables -A INPUT -p tcp --dport $db_port -j REJECT
|
||||||
|
fi
|
||||||
|
if [ "$public_mixport" = "已开启" ];then
|
||||||
|
iptables -I INPUT -p tcp --dport $mix_port -j ACCEPT
|
||||||
|
ckcmd ip6tables && ip6tables -I INPUT -p tcp --dport $mix_port -j ACCEPT
|
||||||
|
else
|
||||||
|
#仅允许局域网设备访问混合端口
|
||||||
|
for ip in $reserve_ipv4;do
|
||||||
|
iptables -A INPUT -p tcp -s $ip --dport $mix_port -j ACCEPT
|
||||||
|
done
|
||||||
|
iptables -A INPUT -p tcp --dport $mix_port -j REJECT
|
||||||
|
ckcmd ip6tables && ip6tables -A INPUT -p tcp --dport $mix_port -j REJECT
|
||||||
|
fi
|
||||||
|
iptables -I INPUT -p tcp -d 127.0.0.1 -j ACCEPT #本机请求全放行
|
||||||
|
}
|
||||||
|
start_nft(){ #nftables-all-in-one
|
||||||
table_type=$1
|
table_type=$1
|
||||||
[ -n "$2" ] && table=$2 || table=$1
|
[ -n "$2" ] && table=$2 || table=$1
|
||||||
[ "$common_ports" = "已开启" ] && PORTS=$(echo $multiport | sed 's/,/, /g')
|
[ "$common_ports" = "已开启" ] && PORTS=$(echo $multiport | sed 's/,/, /g')
|
||||||
@@ -1198,12 +1225,15 @@ start_nft(){ #nftables-allinone
|
|||||||
exit 1
|
exit 1
|
||||||
else
|
else
|
||||||
nft add chain inet shellcrash $table { type $chain_type hook $table_type priority mangle \; }
|
nft add chain inet shellcrash $table { type $chain_type hook $table_type priority mangle \; }
|
||||||
|
nft add rule inet shellcrash $table ip saddr 198.18.0.0/16 return #防止回环
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
[ "$firewall_area" = 5 ] && {
|
[ "$firewall_area" = 5 ] && {
|
||||||
nft add chain inet shellcrash $table { type $chain_type hook $table_type priority mangle \; }
|
nft add chain inet shellcrash $table { type $chain_type hook $table_type priority mangle \; }
|
||||||
nft add rule inet shellcrash $table ip daddr {$bypass_host} return
|
nft add rule inet shellcrash $table ip daddr {$bypass_host} return
|
||||||
}
|
}
|
||||||
|
#本机流量防回环
|
||||||
|
[ "$table_type" = 'output' ] && nft add rule inet shellcrash $table meta skgid 7890 return
|
||||||
#过滤局域网设备
|
#过滤局域网设备
|
||||||
[ -n "$(cat ${CRASHDIR}/configs/mac)" ] && {
|
[ -n "$(cat ${CRASHDIR}/configs/mac)" ] && {
|
||||||
MAC=$(awk '{printf "%s, ",$1}' ${CRASHDIR}/configs/mac)
|
MAC=$(awk '{printf "%s, ",$1}' ${CRASHDIR}/configs/mac)
|
||||||
@@ -1241,7 +1271,6 @@ start_nft(){ #nftables-allinone
|
|||||||
nft add rule inet shellcrash $table meta nfproto ipv6 return
|
nft add rule inet shellcrash $table meta nfproto ipv6 return
|
||||||
fi
|
fi
|
||||||
# nft add rule inet shellcrash local_tproxy log prefix \"pre\" level debug
|
# nft add rule inet shellcrash local_tproxy log prefix \"pre\" level debug
|
||||||
[ "$table_type" = 'output' ] && nft add rule inet shellcrash $table meta skgid 7890 return #本机流量防回环
|
|
||||||
[ "$redir_mod" = "Redir模式" ] && nft add rule inet shellcrash $table meta l4proto tcp redirect to $redir_port
|
[ "$redir_mod" = "Redir模式" ] && nft add rule inet shellcrash $table meta l4proto tcp redirect to $redir_port
|
||||||
[ "$redir_mod" = "混合模式" ] && {
|
[ "$redir_mod" = "混合模式" ] && {
|
||||||
nft add rule inet shellcrash $table meta l4proto udp mark set $fwmark
|
nft add rule inet shellcrash $table meta l4proto udp mark set $fwmark
|
||||||
@@ -1273,32 +1302,26 @@ start_nft_dns(){ #nftables-dns
|
|||||||
nft add rule inet shellcrash ${1}_dns udp dport 53 redirect to ${dns_port}
|
nft add rule inet shellcrash ${1}_dns udp dport 53 redirect to ${dns_port}
|
||||||
nft add rule inet shellcrash ${1}_dns tcp dport 53 redirect to ${dns_port}
|
nft add rule inet shellcrash ${1}_dns tcp dport 53 redirect to ${dns_port}
|
||||||
}
|
}
|
||||||
start_wan(){ #iptables公网访问防火墙
|
start_nft_wan(){ #nftables公网防火墙
|
||||||
#获取局域网host地址
|
#获取局域网host地址
|
||||||
getlanip
|
getlanip
|
||||||
|
HOST_IP=$(echo $host_ipv4 | sed 's/ /, /g')
|
||||||
|
nft add chain inet shellcrash input { type filter hook input priority -100 \; }
|
||||||
|
nft add rule inet shellcrash input ip daddr 127.0.0.1 accept
|
||||||
if [ "$public_support" = "已开启" ];then
|
if [ "$public_support" = "已开启" ];then
|
||||||
iptables -I INPUT -p tcp --dport $db_port -j ACCEPT
|
nft add rule inet shellcrash input tcp dport $db_port accept
|
||||||
ckcmd ip6tables && ip6tables -I INPUT -p tcp --dport $db_port -j ACCEPT
|
|
||||||
else
|
else
|
||||||
#仅允许非公网设备访问面板
|
#仅允许非公网设备访问面板
|
||||||
for ip in $reserve_ipv4;do
|
nft add rule inet shellcrash input tcp dport $db_port ip saddr {$HOST_IP} accept
|
||||||
iptables -A INPUT -p tcp -s $ip --dport $db_port -j ACCEPT
|
nft add rule inet shellcrash input tcp dport $db_port reject
|
||||||
done
|
|
||||||
iptables -A INPUT -p tcp --dport $db_port -j REJECT
|
|
||||||
ckcmd ip6tables && ip6tables -A INPUT -p tcp --dport $db_port -j REJECT
|
|
||||||
fi
|
fi
|
||||||
if [ "$public_mixport" = "已开启" ];then
|
if [ "$public_mixport" = "已开启" ];then
|
||||||
iptables -I INPUT -p tcp --dport $mix_port -j ACCEPT
|
nft add rule inet shellcrash input tcp dport $mix_port accept
|
||||||
ckcmd ip6tables && ip6tables -I INPUT -p tcp --dport $mix_port -j ACCEPT
|
|
||||||
else
|
else
|
||||||
#仅允许局域网设备访问混合端口
|
#仅允许局域网设备访问混合端口
|
||||||
for ip in $reserve_ipv4;do
|
nft add rule inet shellcrash input tcp dport $mix_port ip saddr {$HOST_IP} accept
|
||||||
iptables -A INPUT -p tcp -s $ip --dport $mix_port -j ACCEPT
|
nft add rule inet shellcrash input tcp dport $mix_port reject
|
||||||
done
|
|
||||||
iptables -A INPUT -p tcp --dport $mix_port -j REJECT
|
|
||||||
ckcmd ip6tables && ip6tables -A INPUT -p tcp --dport $mix_port -j REJECT
|
|
||||||
fi
|
fi
|
||||||
iptables -I INPUT -p tcp -d 127.0.0.1 -j ACCEPT #本机请求全放行
|
|
||||||
}
|
}
|
||||||
stop_firewall(){ #还原防火墙配置
|
stop_firewall(){ #还原防火墙配置
|
||||||
getconfig
|
getconfig
|
||||||
@@ -1748,7 +1771,9 @@ afstart(){ #启动后
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
ckcmd iptables && start_wan #本地防火墙
|
#启用公网访问防火墙
|
||||||
|
[ "$firewall_mod" = 'iptables' ] && start_ipt_wan
|
||||||
|
[ "$firewall_mod" = 'nftables' ] && start_nft_wan
|
||||||
mark_time #标记启动时间
|
mark_time #标记启动时间
|
||||||
[ -s ${CRASHDIR}/configs/web_save -o -s ${CRASHDIR}/configs/web_configs ] && web_restore >/dev/null 2>&1 & #后台还原面板配置
|
[ -s ${CRASHDIR}/configs/web_save -o -s ${CRASHDIR}/configs/web_configs ] && web_restore >/dev/null 2>&1 & #后台还原面板配置
|
||||||
{ sleep 5;logger ShellCrash服务已启动!;} & #推送日志
|
{ sleep 5;logger ShellCrash服务已启动!;} & #推送日志
|
||||||
|
|||||||
Reference in New Issue
Block a user