xm/ShellCrash
1
0
Fork 0
mirror of https://github.com/juewuy/ShellCrash.git synced 2026-03-12 16:31:25 +00:00
Code Issues Packages Projects Releases Wiki Activity

~修复iptables公网防火墙的bug

Browse Source
This commit is contained in:
juewuy
2025-12-25 22:48:09 +08:00
parent d1c9bccfbe
commit 3153ea1acc
3 changed files with 20 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
scripts/starts/fw_iptables.sh
View File

@@ -149,6 +149,13 @@ start_ipt_wan() { #iptables公网防火墙
ipt_wan_accept tcp ipt_wan_accept tcp
ipt_wan_accept udp ipt_wan_accept udp
} }
#局域网请求放行
for ip in $host_ipv4; do
$iptable -I INPUT -s $ip -j ACCEPT
done
ckcmd ip6tables && for ip in $host_ipv6; do
$ip6table -I INPUT -s $ip -j ACCEPT
done
#本机请求全放行 #本机请求全放行
$iptable -I INPUT -i lo -j ACCEPT $iptable -I INPUT -i lo -j ACCEPT
ckcmd ip6tables && $ip6table -I INPUT -i lo -j ACCEPT ckcmd ip6tables && $ip6table -I INPUT -i lo -j ACCEPT

13
scripts/starts/fw_nftables.sh
View File

@@ -1,11 +1,14 @@
#!/bin/sh #!/bin/sh
# Copyright (C) Juewuy # Copyright (C) Juewuy
HOST_IP=$(echo $host_ipv4 | sed 's/ /, /g')
HOST_IP6=$(echo $host_ipv6 | sed 's/ /, /g')
RESERVED_IP=$(echo $reserve_ipv4 | sed 's/ /, /g')
RESERVED_IP6=$(echo "$reserve_ipv6 $host_ipv6" | sed 's/ /, /g')
start_nft_route() { #nftables-route通用工具 start_nft_route() { #nftables-route通用工具
#$1:name $2:hook(prerouting/output) $3:type(nat/mangle/filter) $4:priority(-100/-150) #$1:name $2:hook(prerouting/output) $3:type(nat/mangle/filter) $4:priority(-100/-150)
[ "$common_ports" = "已开启" ] && PORTS=$(echo $multiport | sed 's/,/, /g') [ "$common_ports" = "已开启" ] && PORTS=$(echo $multiport | sed 's/,/, /g')
RESERVED_IP=$(echo $reserve_ipv4 | sed 's/ /, /g')
HOST_IP=$(echo $host_ipv4 | sed 's/ /, /g')
[ "$1" = 'output' ] && HOST_IP="127.0.0.0/8, $(echo $local_ipv4 | sed 's/ /, /g')" [ "$1" = 'output' ] && HOST_IP="127.0.0.0/8, $(echo $local_ipv4 | sed 's/ /, /g')"
[ "$1" = 'prerouting_vm' ] && HOST_IP="$(echo $vm_ipv4 | sed 's/ /, /g')" [ "$1" = 'prerouting_vm' ] && HOST_IP="$(echo $vm_ipv4 | sed 's/ /, /g')"
#添加新链 #添加新链
@@ -62,8 +65,6 @@ start_nft_route() { #nftables-route通用工具
} }
#局域网ipv6支持 #局域网ipv6支持
if [ "$ipv6_redir" = "已开启" -a "$1" = 'prerouting' -a "$firewall_area" != 5 ]; then if [ "$ipv6_redir" = "已开启" -a "$1" = 'prerouting' -a "$firewall_area" != 5 ]; then
RESERVED_IP6="$(echo "$reserve_ipv6 $host_ipv6" | sed 's/ /, /g')"
HOST_IP6="$(echo $host_ipv6 | sed 's/ /, /g')"
#过滤保留地址及本机地址 #过滤保留地址及本机地址
nft add rule inet shellcrash $1 ip6 daddr {$RESERVED_IP6} return nft add rule inet shellcrash $1 ip6 daddr {$RESERVED_IP6} return
#仅代理本机局域网网段流量 #仅代理本机局域网网段流量
@@ -99,8 +100,6 @@ start_nft_route() { #nftables-route通用工具
#nft add rule inet shellcrash local_tproxy log prefix \"pre\" level debug #nft add rule inet shellcrash local_tproxy log prefix \"pre\" level debug
} }
start_nft_dns() { #nftables-dns start_nft_dns() { #nftables-dns
HOST_IP=$(echo $host_ipv4 | sed 's/ /, /g')
HOST_IP6=$(echo $host_ipv6 | sed 's/ /, /g')
[ "$1" = 'output' ] && HOST_IP="127.0.0.0/8, $(echo $local_ipv4 | sed 's/ /, /g')" [ "$1" = 'output' ] && HOST_IP="127.0.0.0/8, $(echo $local_ipv4 | sed 's/ /, /g')"
[ "$1" = 'prerouting_vm' ] && HOST_IP="$(echo $vm_ipv4 | sed 's/ /, /g')" [ "$1" = 'prerouting_vm' ] && HOST_IP="$(echo $vm_ipv4 | sed 's/ /, /g')"
nft add chain inet shellcrash "$1"_dns { type nat hook $2 priority -100 \; } nft add chain inet shellcrash "$1"_dns { type nat hook $2 priority -100 \; }
@@ -136,6 +135,8 @@ start_nft_wan() { #nftables公网防火墙
} }
#端口拦截 #端口拦截
reject_ports="{ $mix_port, $db_port, $dns_port }" reject_ports="{ $mix_port, $db_port, $dns_port }"
nft add rule inet shellcrash input ip saddr {$HOST_IP} accept
nft add rule inet shellcrash input ip6 saddr {$HOST_IP6} accept
nft add rule inet shellcrash input tcp dport $reject_ports reject nft add rule inet shellcrash input tcp dport $reject_ports reject
nft add rule inet shellcrash input udp dport $reject_ports reject nft add rule inet shellcrash input udp dport $reject_ports reject
} }

6
scripts/starts/fw_stop.sh
View File

@@ -48,6 +48,9 @@ ckcmd iptables && {
$iptable -D FORWARD -p udp --dport 443 -o utun $set_cn_ip -j REJECT 2>/dev/null $iptable -D FORWARD -p udp --dport 443 -o utun $set_cn_ip -j REJECT 2>/dev/null
#公网访问 #公网访问
$iptable -D INPUT -i lo -j ACCEPT 2>/dev/null $iptable -D INPUT -i lo -j ACCEPT 2>/dev/null
for ip in $host_ipv4; do
$iptable -D INPUT -s $ip -j ACCEPT 2>/dev/null
done
$iptable -D INPUT -p tcp -m multiport --dports "$fw_wan_ports" -j ACCEPT 2>/dev/null $iptable -D INPUT -p tcp -m multiport --dports "$fw_wan_ports" -j ACCEPT 2>/dev/null
$iptable -D INPUT -p udp -m multiport --dports "$fw_wan_ports" -j ACCEPT 2>/dev/null $iptable -D INPUT -p udp -m multiport --dports "$fw_wan_ports" -j ACCEPT 2>/dev/null
$iptable -D INPUT -p tcp -m multiport --dports "$mix_port,$db_port,$dns_port" -j REJECT 2>/dev/null $iptable -D INPUT -p tcp -m multiport --dports "$mix_port,$db_port,$dns_port" -j REJECT 2>/dev/null
@@ -95,6 +98,9 @@ ckcmd ip6tables && {
$ip6table -D FORWARD -p udp --dport 443 -o utun $set_cn_ip6 -j REJECT 2>/dev/null $ip6table -D FORWARD -p udp --dport 443 -o utun $set_cn_ip6 -j REJECT 2>/dev/null
#公网访问 #公网访问
$ip6table -D INPUT -i lo -j ACCEPT 2>/dev/null $ip6table -D INPUT -i lo -j ACCEPT 2>/dev/null
for ip in $host_ipv6; do
$ip6table -D INPUT -s $ip -j ACCEPT 2>/dev/null
done
$ip6table -D INPUT -p tcp -m multiport --dports "$fw_wan_ports" -j ACCEPT 2>/dev/null $ip6table -D INPUT -p tcp -m multiport --dports "$fw_wan_ports" -j ACCEPT 2>/dev/null
$ip6table -D INPUT -p udp -m multiport --dports "$fw_wan_ports" -j ACCEPT 2>/dev/null $ip6table -D INPUT -p udp -m multiport --dports "$fw_wan_ports" -j ACCEPT 2>/dev/null
$ip6table -D INPUT -p tcp -m multiport --dports "$mix_port,$db_port,$dns_port" -j REJECT 2>/dev/null $ip6table -D INPUT -p tcp -m multiport --dports "$mix_port,$db_port,$dns_port" -j REJECT 2>/dev/null