From b46faf5adff5cdb99ac169efc1ace23a0025a0c6 Mon Sep 17 00:00:00 2001
From: juewuy
Date: Sun, 16 Apr 2023 21:27:25 +0800
Subject: [PATCH] =?UTF-8?q?v1.7.5=20~=E5=A2=9E=E5=8A=A0=E5=B1=80=E5=9F=9F?= =?UTF-8?q?=E7=BD=91=E9=80=8F=E6=98=8E=E8=B7=AF=E7=94=B1=E8=87=AA=E5=AE=9A?= =?UTF-8?q?=E4=B9=89=E7=BD=91=E6=AE=B5=E5=8A=9F=E8=83=BD=20~=E5=A2=9E?= =?UTF-8?q?=E5=8A=A0=E8=87=AA=E5=AE=9A=E4=B9=89=E5=86=85=E6=A0=B8=E5=8A=9F?= =?UTF-8?q?=E8=83=BD=20~=E5=85=AC=E7=BD=91=E8=AE=BF=E9=97=AE=E5=8A=9F?= =?UTF-8?q?=E8=83=BD=E4=BC=98=E5=8C=96=20~=E9=83=A8=E5=88=86=E6=96=87?= =?UTF-8?q?=E6=9C=AC=E8=AF=B4=E6=98=8E=E4=BC=98=E5=8C=96=20~deamon?= =?UTF-8?q?=E6=8A=A5=E9=94=99=E6=8F=90=E7=A4=BA=E4=BF=AE=E5=A4=8D?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 scripts/clash.sh | 196 +++++++++++++++++++++++++++++++----------------
 scripts/start.sh | 29 +++----
 2 files changed, 144 insertions(+), 81 deletions(-)
diff --git a/scripts/clash.sh b/scripts/clash.sh
index 3f54b63..ad5f610 100644
--- a/scripts/clash.sh
+++ b/scripts/clash.sh
@@ -356,7 +356,7 @@ log_pusher(){
 setport(){
 source $CFG_PATH
 [ -z "$secret" ] && secret=未设置
- [ -z "$authentication" ] && authentication=未设置
+ [ -z "$authentication" ] && auth=未设置 || auth=******
 inputport(){
 read -p "请输入端口号(1-65535) > " portx
 if [ -z "$portx" ]; then
@@ -378,7 +378,7 @@ setport(){
 }
 echo -----------------------------------------------
 echo -e " 1 修改Http/Sock5端口: \033[36m$mix_port\033[0m"
- echo -e " 2 设置Http/Sock5密码: \033[36m$authentication\033[0m"
+ echo -e " 2 设置Http/Sock5密码: \033[36m$auth\033[0m"
 echo -e " 3 修改静态路由端口: \033[36m$redir_port\033[0m"
 echo -e " 4 修改DNS监听端口: \033[36m$dns_port\033[0m"
 echo -e " 5 修改面板访问端口: \033[36m$db_port\033[0m"
@@ -645,6 +645,82 @@ setipv6(){ ;; esac } +setfirewall(){ + set_cust_host_ipv4(){ + echo ----------------------------------------------- + echo -e "当前已自动设置透明路由的网段为: \033[32m$(ip a 2>&1 | grep -w 'inet' | grep 'global' | grep 'br' | grep -v 'iot' | grep -E ' 1(92|0|72)\.' | sed 's/.*inet.//g' | sed 's/br.*$//g' | tr '\n' ' ' && echo ) \033[0m" + echo -e "当前已添加的自定义网段为:\033[36m$cust_host_ipv4\033[0m" + echo ----------------------------------------------- + echo -e "\033[33m自定义网段不会覆盖自动获取的网段地址,无需重复添加\033[0m" + echo -e " 1 移除所有自定义网段" + echo -e " 0 返回上级菜单" + read -p "请输入需要额外添加的网段 > " text + case $text in + 1) + unset cust_host_ipv4 + setconfig cust_host_ipv4 + set_cust_host_ipv4 + ;; + 0) + ;; + *) + if [ -n "$(echo $text | grep -Eo '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}'$)" -a -z "$(echo $cust_host_ipv4 | grep "$text")" ];then + cust_host_ipv4="$cust_host_ipv4 $text" + setconfig cust_host_ipv4 "\'$cust_host_ipv4\'" + else + echo ----------------------------------------------- + echo -e "\033[31m请输入正确的网段地址!\033[0m" + fi + sleep 1 + set_cust_host_ipv4 + ;; + esac + } + [ -z "$public_support" ] && public_support=未开启 + [ -z "$public_mixport" ] && public_mixport=未开启 + [ -z "$ipv6_dns" ] && ipv6_dns=已开启 + [ -z "$cn_ipv6_route" ] && cn_ipv6_route=未开启 + echo ----------------------------------------------- + echo -e " 1 公网访问Dashboard面板: \033[36m$public_support\033[0m" + echo -e " 2 公网访问Socks/Http代理: \033[36m$public_mixport\033[0m" + echo -e " 3 自定义透明路由ipv4网段: 适合vlan等复杂网络环境" + echo ----------------------------------------------- + read -p "请输入对应数字 > " num + case $num in + 1) + if [ "$public_support" = "未开启" ]; then + public_support=已开启 + else + public_support=未开启 + fi + setconfig public_support $public_support + setfirewall + ;; + 2) + if [ "$public_mixport" = "未开启" ]; then + if [ "$mix_port" = "7890" -o -z "$authentication" ];then + echo ----------------------------------------------- + echo -e "\033[33m为了安全考虑,请先修改默认Socks/Http端口并设置代理密码\033[0m" + sleep 1 + setport + else + 
public_mixport=已开启 + fi + else + public_mixport=未开启 + fi + setconfig public_mixport $public_mixport + setfirewall + ;; + 3) + set_cust_host_ipv4 + setfirewall + ;; + *) + errornum + ;; + esac +} checkport(){ for portx in $dns_port $mix_port $redir_port $db_port ;do if [ -n "$(netstat -ntul 2>&1 |grep '\:$portx ')" ];then @@ -1296,41 +1372,31 @@ clashadv(){ echo ----------------------------------------------- echo -e " 1 ipv6相关" #echo -e " 2 配置Meta特性" - echo -e " 3 启用节点绕过: \033[36m$proxies_bypass\033[0m ————用于防止多设备多重流量" + echo -e " 3 配置公网及局域网防火墙" echo -e " 4 启用域名嗅探: \033[36m$sniffer\033[0m ————用于流媒体及防DNS污染" - echo -e " 5 启用公网访问: \033[36m$public_support\033[0m ————需要路由拨号+公网IP" + echo -e " 5 启用节点绕过: \033[36m$proxies_bypass\033[0m ————用于防止多设备多重流量" echo -e " 6 配置内置DNS服务 \033[36m$dns_no\033[0m" echo -e " 7 使用自定义配置" - echo -e " 8 手动指定相关端口、秘钥及本机host" + echo -e " 8 手动指定相关端口、秘钥" echo ----------------------------------------------- echo -e " 9 \033[31m重置/备份/还原\033[0m脚本设置" echo -e " 0 返回上级菜单 \033[0m" echo ----------------------------------------------- read -p "请输入对应数字 > " num - if [ -z "$num" ]; then - errornum - elif [ "$num" = 0 ]; then - i= - - elif [ "$num" = 1 ]; then + case "$num" in + 1) setipv6 clashadv - - elif [ "$num" = 3 ]; then - echo ----------------------------------------------- - if [ "$proxies_bypass" = "未启用" ];then - proxies_bypass=已启用 - echo -e "\033[33m仅当ShellClash与子网络同类应用使用相同节点配置时方可生效!\033[0m" - sleep 1 - else - proxies_bypass=未启用 - fi - setconfig proxies_bypass $proxies_bypass - echo -e "\033[32m设置成功!\033[0m" - sleep 1 - clashadv - - elif [ "$num" = 4 ]; then + ;; + 2) + setmeta + clashadv + ;; + 3) + setfirewall + clashadv + ;; + 4) echo ----------------------------------------------- if [ "$sniffer" = "未启用" ];then if [ "$clashcore" = "clash" ];then 
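Review bot: The `*)` arm of set_cust_host_ipv4 only checks the shape of the input, so `999.999.999.999/99` passes the `grep -Eo '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}'$` test and is appended to cust_host_ipv4, which the start.sh hunk in this commit then folds into host_ipv4 (its consumers are outside this diff); an out-of-range octet or prefix would surface later as an `ip`/iptables error rather than at input time. The duplicate test `echo $cust_host_ipv4 | grep "$text"` treats `.` as a regex wildcard and matches substrings, so `grep -Fwq -- "$text"` is the intended check. A small range helper before the append covers both, sketched below. The `"\'$cust_host_ipv4\'"` argument to setconfig keeps the backslashes literally inside double quotes, which is presumably the form setconfig expects but is worth confirming.
```shell
	valid_cidr(){
		[ "${1#*/}" -le 32 ] || return 1
		for oct in $(echo "${1%/*}" | tr '.' ' '); do
			[ "$oct" -le 255 ] || return 1
		done
	}
	# … unchanged: menu echo lines and the 1)/0) arms …
	*)
		if echo "$text" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$' && valid_cidr "$text" && ! echo "$cust_host_ipv4" | grep -Fwq -- "$text"; then
	# … unchanged: append, setconfig, error message, sleep, recursion …
```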
@@ -1349,25 +1415,22 @@ clashadv(){ echo -e "\033[32m设置成功!\033[0m" sleep 1 clashadv - - elif [ "$num" = 5 ]; then - if [ "$public_support" = "未开启" ]; then - echo -e "\033[32m已开启公网访问Dashboard端口,安全起见建议设置面板访问密码!!\033[0m" - echo -e "\033[33m如需访问Http/Sock5代理,请在端口设置中修改默认端口并设置访问密码!\033[0m" - echo -e "\033[31m如未设置密码或仍使用默认端口,将自动拒绝连接!!!\033[0m" - public_support=已开启 - setconfig public_support $public_support - sleep 3 - else - echo -e "\033[32m已禁止公网访问Dashboard端口及Http/Sock5代理端口!!\033[0m" - echo -e "\033[33m如果你的防火墙默认放行公网流量,可能禁用失败!\033[0m" - public_support=未开启 - setconfig public_support $public_support + ;; + 5) + echo ----------------------------------------------- + if [ "$proxies_bypass" = "未启用" ];then + proxies_bypass=已启用 + echo -e "\033[33m仅当ShellClash与子网络同类应用使用相同节点配置时方可生效!\033[0m" sleep 1 + else + proxies_bypass=未启用 fi - clashadv - - elif [ "$num" = 6 ]; then + setconfig proxies_bypass $proxies_bypass + echo -e "\033[32m设置成功!\033[0m" + sleep 1 + clashadv + ;; + 6) source $CFG_PATH if [ "$dns_no" = "已禁用" ];then read -p "检测到内置DNS已被禁用,是否启用内置DNS?(1/0) > " res @@ -1379,23 +1442,8 @@ clashadv(){ setdns fi clashadv - - elif [ "$num" = 8 ]; then - source $CFG_PATH - if [ -n "$(pidof clash)" ];then - echo ----------------------------------------------- - echo -e "\033[33m检测到clash服务正在运行,需要先停止clash服务!\033[0m" - read -p "是否停止clash服务?(1/0) > " res - if [ "$res" = "1" ];then - $clashdir/start.sh stop - setport - fi - else - setport - fi - clashadv - - elif [ "$num" = 7 ]; then + ;; + 7) [ ! -f $clashdir/user.yaml ] && cat > $clashdir/user.yaml < " res + if [ "$res" = "1" ];then + $clashdir/start.sh stop + setport + fi + else + setport + fi + clashadv + ;; + 9) echo -e " 1 备份脚本设置" echo -e " 2 还原脚本设置" echo -e " 3 重置脚本设置" @@ -1463,10 +1526,9 @@ EOF fi echo -e "\033[33m请重新启动脚本!\033[0m" exit 0 - - else - errornum - fi + ;; + *) errornum ;; + esac } tools(){ ssh_tools(){ diff --git a/scripts/start.sh b/scripts/start.sh index bc13fc1..def306a 100644 --- a/scripts/start.sh 
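Review bot: The new `case "$num"` in clashadv has no `0)` arm, so the advertised `0 返回上级菜单` now lands in `*) errornum ;;` unless such an arm sits in the part of the diff that is garbled between the `@@ -1379` and `@@ -1463` hunks; the removed `elif [ "$num" = 0 ]` branch returned silently. Adding `0) ;;` before the default arm restores that behaviour. The `2) setmeta` arm is also dispatchable while the menu line for option 2 stays commented out; if that is intentional, a short comment on the arm would keep it from being removed as dead code. clashadv begins before the `@@ -1296` hunk.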
+++ b/scripts/start.sh
@@ -129,6 +129,8 @@ mark_time(){
 getlanip(){
 host_ipv4=$(ip a 2>&1 | grep -w 'inet' | grep 'global' | grep 'br' | grep -v 'iot' | grep -E ' 1(92|0|72)\.' | sed 's/.*inet.//g' | sed 's/br.*$//g' ) #ipv4局域网网段
 host_ipv6=$(ip a 2>&1 | grep -w 'inet6' | grep -E 'global' | sed 's/.*inet6.//g' | sed 's/scope.*$//g' ) #ipv6公网地址段
+ #添加自定义ipv4局域网网段
+ host_ipv4="$host_ipv4$cust_host_ipv4"
 #缺省配置
 [ -z "$host_ipv4" ] && host_ipv4='192.168.0.0/16 10.0.0.0/12 172.16.0.0/12'
 [ -z "$host_ipv6" ] && host_ipv6='fe80::/10 fd00::/8'
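Review bot: `host_ipv4="$host_ipv4$cust_host_ipv4"` joins the two lists with no separator, so it only works because the `sed 's/br.*$//g'` output appears to leave trailing whitespace and set_cust_host_ipv4 stores its value with a leading space; a later change to either side would silently glue two CIDRs into one token. Safer is `host_ipv4="${host_ipv4}${cust_host_ipv4:+ $cust_host_ipv4}"`, which adds the space only when a custom list exists and leaves the empty-check fallback below unchanged. The comment `#添加自定义ipv4局域网网段` could also say that custom nets deliberately suppress the default ranges when no interface address was detected, if that is the intent.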
@@ -870,29 +872,28 @@ start_nft_dns(){
 start_wan(){
 #获取局域网host地址
 getlanip
- [ "$mix_port" = "7890" -o -z "$authentication" ] && {
- #仅允许局域网设备访问混合端口
- for ip in $host_ipv4 $local_ipv4;do
- iptables -A INPUT -p tcp -s $ip --dport $mix_port -j ACCEPT
- done
- iptables -A INPUT -p tcp --dport $mix_port -j REJECT
- ckcmd ip6tables && ip6tables -A INPUT -p tcp --dport $mix_port -j REJECT
- }
 if [ "$public_support" = "已开启" ];then
- [ "$mix_port" != "7890" -a -n "$authentication" ] && {
- iptables -I INPUT -p tcp --dport $mix_port -j ACCEPT
- ckcmd ip6tables && ip6tables -I INPUT -p tcp --dport $mix_port -j ACCEPT
- }
 iptables -I INPUT -p tcp --dport $db_port -j ACCEPT
 ckcmd ip6tables && ip6tables -I INPUT -p tcp --dport $db_port -j ACCEPT
 else
- #仅允许局域网设备访问面板
- for ip in $host_ipv4 $local_ipv4;do
+ #仅允许非公网设备访问面板
+ for ip in $reserve_ipv4;do
 iptables -A INPUT -p tcp -s $ip --dport $db_port -j ACCEPT
 done
 iptables -A INPUT -p tcp --dport $db_port -j REJECT
 ckcmd ip6tables && ip6tables -A INPUT -p tcp --dport $db_port -j REJECT
 fi
+ if [ "$public_mixport" = "已开启" ];then
+ iptables -I INPUT -p tcp --dport $mix_port -j ACCEPT
+ ckcmd ip6tables && ip6tables -I INPUT -p tcp --dport $mix_port -j ACCEPT
+ else
+ #仅允许局域网设备访问混合端口
+ for ip in $reserve_ipv4;do
+ iptables -A INPUT -p tcp -s $ip --dport $mix_port -j ACCEPT
+ done
+ iptables -A INPUT -p tcp --dport $mix_port -j REJECT
+ ckcmd ip6tables && ip6tables -A INPUT -p tcp --dport $mix_port -j REJECT
+ fi
 iptables -I INPUT -p tcp -d 127.0.0.1 -j ACCEPT #本机请求全放行
 }
 stop_firewall(){
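Review bot: Opening `$mix_port` to the world is now gated only by `public_mixport`, whereas the removed lines re-checked `"$mix_port" != "7890" -a -n "$authentication"` every time start_wan ran; that check now lives solely in the setfirewall menu of clash.sh, so resetting the port to 7890 or clearing the password afterwards via setport leaves an unauthenticated proxy reachable from the WAN on the next start. Keep the runtime guard as well: `if [ "$public_mixport" = "已开启" -a "$mix_port" != "7890" -a -n "$authentication" ];then`. Both `else` branches also depend on `reserve_ipv4`, which nothing in this diff defines; if it is unset the for loops add no ACCEPT rules and the following REJECT locks LAN clients out of both the dashboard and the proxy, so a `: "${reserve_ipv4:?}"`-style assertion or a fallback to `$host_ipv4 $local_ipv4` would be prudent. A comment on the new block saying why the public toggle does not rely on the menu-time check would document the intent.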