zeaslity/shell-scripts
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

完成Bitsflow家人云的迁移工作

Browse Source
This commit is contained in:
zeaslity
2025-12-08 08:56:23 +08:00
parent 9d93a1ee6e
commit dcc8afffba
19 changed files with 1515 additions and 404 deletions
Download Patch File Download Diff File Expand all files Collapse all files

185
1-代理Xray/3-BitsFLowCloud-洛杉矶/防火墙-配置.sh
View File

@@ -1,105 +1,90 @@
#!/bin/bash
#
# UFW 防火墙配置脚本
# 适用于 Ubuntu 22.04 LTS
#
# 适用于 Ubuntu 22.04
# --- 脚本开始 ---
# 检查是否以root权限运行
if [ "$EUID" -ne 0 ]; then
echo "请使用 sudo 运行此脚本"
exit 1
fi
echo "========================================="
echo "开始配置 UFW 防火墙规则"
echo "========================================="
# 1. 禁用UFW确保配置过程中不会被锁定
echo ">>> 临时禁用 UFW"
ufw disable
# 2. 重置UFW到默认状态清除所有现有规则
echo ">>> 重置 UFW 到默认状态"
echo "y" | ufw reset
# 3. 设置默认策略:允许所有出站流量,拒绝所有入站流量
echo ">>> 设置默认策略:允许出站,拒绝入站"
ufw default allow outgoing
echo "执行: ufw default allow outgoing"
ufw default deny incoming
echo "执行: ufw default deny incoming"
# 4. 允许白名单IP的所有流量入站方向
echo ">>> 添加白名单 IP 规则(允许所有端口和协议)"
echo "执行: ufw allow from 42.192.52.227/32"
ufw allow from 42.192.52.227/32
echo "执行: ufw allow from 43.154.83.213/32"
ufw allow from 43.154.83.213/32
echo "执行: ufw allow from 144.24.164.121/32"
ufw allow from 144.24.164.121/32
echo "执行: ufw allow from 132.145.87.10/32"
ufw allow from 132.145.87.10/32
echo "执行: ufw allow from 140.238.0.0/16"
ufw allow from 140.238.0.0/16
# 5. 允许公网访问指定端口TCP 和 UDP
echo ">>> 开放公网端口0.0.0.0/0"
echo "执行: ufw allow from 0.0.0.0/0 to any port 443 proto tcp"
ufw allow from 0.0.0.0/0 to any port 443 proto tcp
echo "执行: ufw allow from 0.0.0.0/0 to any port 443 proto udp"
ufw allow from 0.0.0.0/0 to any port 443 proto udp
echo "执行: ufw allow from 0.0.0.0/0 to any port 22333 proto tcp"
ufw allow from 0.0.0.0/0 to any port 22333 proto tcp
echo "执行: ufw allow from 0.0.0.0/0 to any port 22333 proto udp"
ufw allow from 0.0.0.0/0 to any port 22333 proto udp
echo "执行: ufw allow from 0.0.0.0/0 to any port 25000:26000 proto tcp"
ufw allow from 0.0.0.0/0 to any port 25000:26000 proto tcp
echo "执行: ufw allow from 0.0.0.0/0 to any port 25000:26000 proto udp"
ufw allow from 0.0.0.0/0 to any port 25000:26000 proto udp
# 6. 禁止非白名单IP的ICMP请求ping
echo ">>> 配置 ICMP 规则仅允许白名单IP"
echo "注意默认拒绝策略已经阻止非白名单的ICMP白名单IP可以ping"
# 7. 启用UFW
echo ">>> 启用 UFW 防火墙"
echo "y" | ufw enable
# 8. 显示当前规则
echo "========================================="
echo "UFW 防火墙配置完成!当前规则如下:"
echo "========================================="
ufw status verbose
# 输出提示信息,告知用户脚本即将开始
echo "================================================="
echo " UFW 防火墙自动配置脚本即将开始... "
echo "================================================="
echo ""
# --- 1. 重置 UFW ---
# 为了避免与旧规则冲突首先重置UFW到初始状态。
# --force 选项可以在没有交互提示的情况下完成重置。
echo "--- 步骤 1: 重置UFW防火墙清除所有现有规则 ---"
echo "执行命令: sudo ufw --force reset"
sudo ufw --force reset
echo "-------------------------------------------------"
echo ""
# --- 3. 开放特定端口 (对所有IP) ---
# 为公共服务开放指定的端口。
echo "--- 步骤 3: 向所有IP开放指定的TCP/UDP端口 ---"
# 开放 HTTPS (443) 端口
echo "开放端口: 443/tcp 和 443/udp"
echo "执行命令: sudo ufw allow 443"
sudo ufw allow 443
# 开放自定义 (22333) 端口
echo "开放端口: 22333/tcp 和 22333/udp"
echo "执行命令: sudo ufw allow 22333"
sudo ufw allow 22333
# 开放自定义 (25000-26000) 端口范围
echo "开放端口范围: 25000:26000/tcp"
echo "执行命令: sudo ufw allow 25000:26000/tcp"
sudo ufw allow 25000:26000/tcp
echo "开放端口范围: 25000:26000/udp"
echo "执行命令: sudo ufw allow 25000:26000/udp"
sudo ufw allow 25000:26000/udp
echo "-------------------------------------------------"
echo ""
# --- 4. 添加IP白名单 ---
# 为受信任的IP地址开放所有权限方便管理和访问。
echo "--- 步骤 4: 为白名单IP开放所有协议和端口 ---"
WHITELIST_IPS=(
"42.192.52.227/32"
"43.154.83.213/32"
"144.24.164.121/32"
"132.145.87.10/32"
"140.238.0.0/16"
)
# 遍历IP列表并添加规则
for ip in "${WHITELIST_IPS[@]}"; do
echo "添加白名单IP: ${ip}"
echo "执行命令: sudo ufw allow from ${ip} to any"
sudo ufw allow from ${ip} to any
done
echo "-------------------------------------------------"
echo ""
# --- 2. 设置默认策略 ---
# 这是防火墙的基础安全策略。
# deny incoming: 拒绝所有未经明确允许的进入流量。
# allow outgoing: 允许服务器主动发起的任何出站流量。
echo "--- 步骤 2: 设置默认防火墙策略 ---"
echo "设置默认拒绝所有进入流量..."
echo "执行命令: sudo ufw default deny incoming"
sudo ufw default deny incoming
echo "设置默认允许所有出口流量..."
echo "执行命令: sudo ufw default allow outgoing"
sudo ufw default allow outgoing
echo "-------------------------------------------------"
echo ""
# --- 5. ICMP (Ping) 请求处理 ---
# UFW的默认拒绝策略(deny incoming)已经包含了对ICMP的阻止。
# 而上一步的IP白名单规则(ufw allow from <IP>)允许了这些IP的所有协议因此它们可以ping通。
# 这精确地实现了“禁止非白名单IP的ICMP请求”的目标。
echo "--- 步骤 5: ICMP (Ping) 请求说明 ---"
echo "无需额外规则。默认的'deny incoming'策略已阻止非白名单IP的ping请求。"
echo "-------------------------------------------------"
echo ""
# --- 6. 启用 UFW ---
# 应用以上所有规则,正式启动防火墙。
echo "--- 步骤 6: 启用UFW防火墙 ---"
echo "执行命令: sudo ufw enable"
sudo ufw enable
echo "-------------------------------------------------"
echo ""
# --- 7. 显示最终状态 ---
# 显示详细的防火墙状态,以便用户检查配置是否正确。
echo "--- 步骤 7: 显示当前防火墙状态 ---"
echo "执行命令: sudo ufw status verbose"
sudo ufw status verbose
echo "-------------------------------------------------"
echo ""
echo "================================================="
echo " 防火墙配置完成!请检查上面的状态。 "
echo "================================================="
echo "配置总结:"
echo "- 出站流量:全部允许"
echo "- 入站流量:默认拒绝"
echo "- 开放端口443, 22333, 25000-26000 (TCP/UDP)"
echo "- 白名单IP42.192.52.227, 43.154.83.213, 144.24.164.121, 132.145.87.10, 140.238.0.0/16"
echo "- ICMP仅白名单IP可访问"