#!/bin/bash
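create_chain() {
  # Create an iptables chain in the given table unless it already exists.
  # Arguments: $1 - table name (filter, nat, ...)
  #            $2 - chain name
  # Outputs:   one status line on stdout
  # Returns:   0 if the chain exists or was created, 2 on a missing argument,
  #            otherwise the exit status of `iptables -N`
  local table=$1
  local chain=$2
  if [[ -z "$table" || -z "$chain" ]]; then
    printf 'create_chain: table and chain name are required\n' >&2
    return 2
  fi
  # Listing a chain that does not exist fails; that probe leaves the
  # table untouched, so it is used as the existence test.
  if iptables -t "$table" -n -L "$chain" > /dev/null 2>&1; then
    echo "Chain $chain already exists in table $table"
    return 0
  fi
  # Propagate a failed create (e.g. missing privileges) instead of
  # printing a success message over it.
  iptables -t "$table" -N "$chain" || return
  echo "Created chain $chain in table $table"
}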
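insert_input_output_rules() {
  # Insert a jump to a sub-chain at position 1 of a chain, once per spec.
  # Arguments: one or more "table:chain:target" specs
  # Outputs:   one status line per spec on stdout
  # Returns:   0 when every spec was applied or already present, 2 on a
  #            malformed spec, otherwise the status of the failing `iptables -I`
  local spec table chain target
  for spec in "$@"; do
    IFS=':' read -r table chain target <<< "$spec"
    if [[ -z "$table" || -z "$chain" || -z "$target" ]]; then
      printf 'insert_input_output_rules: bad spec %q (want table:chain:target)\n' "$spec" >&2
      return 2
    fi
    # -C succeeds only if an identical rule exists; skip it so re-running
    # the script does not stack duplicate jumps.
    if iptables -t "$table" -C "$chain" -j "$target" > /dev/null 2>&1; then
      echo "$target already in $chain in table $table"
      continue
    fi
    iptables -t "$table" -I "$chain" 1 -j "$target" || return
    echo "Inserted $target to $chain in table $table"
  done
}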
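add_jump_rules() {
  # Append a jump rule to target_chain for each listed chain.
  # Arguments: $1  - table name
  #            $2  - chain that receives the jump rules
  #            $3+ - chains to jump to (may be empty)
  # Outputs:   one status line per chain on stdout
  # Returns:   0 when every jump is present or was added, 2 when table or
  #            target chain is missing, otherwise the status of `iptables -A`
  if (( $# < 2 )) || [[ -z "$1" || -z "$2" ]]; then
    printf 'add_jump_rules: usage: table target_chain [chain ...]\n' >&2
    return 2
  fi
  local table=$1
  local target_chain=$2
  shift 2
  local chain
  for chain in "$@"; do
    # Only append when the identical jump is absent, so re-runs are idempotent.
    if iptables -t "$table" -C "$target_chain" -j "$chain" > /dev/null 2>&1; then
      echo "$chain already in $target_chain in table $table"
      continue
    fi
    iptables -t "$table" -A "$target_chain" -j "$chain" || return
    echo "Added $chain to $target_chain in table $table"
  done
}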
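create_ipset() {
  # Create a hash:net ipset unless it already exists.
  # Arguments: $1 - set name
  # Outputs:   one status line on stdout
  # Returns:   0 if the set exists or was created, 2 on a missing name,
  #            otherwise the exit status of `ipset create`
  local ipset_name=$1
  if [[ -z "$ipset_name" ]]; then
    printf 'create_ipset: set name is required\n' >&2
    return 2
  fi
  if ipset list "$ipset_name" > /dev/null 2>&1; then
    echo "ipset $ipset_name already exists"
    return 0
  fi
  # maxelem bounds the set; `timeout 0` enables the timeout extension with
  # entries that do not expire unless given their own timeout.
  ipset create "$ipset_name" hash:net maxelem 100000 timeout 0 || return
  echo "Created ipset $ipset_name"
}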
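add_ipset_rules() {
  # Insert a set-match rule at position 1 of a filter-table chain, once per spec.
  # Arguments: one or more "chain:action:direction:ipset" specs, where
  #            direction is the --match-set flag (src or dst here)
  # Outputs:   one status line per spec on stdout
  # Returns:   0 when every rule is present or was added, 2 on a malformed
  #            spec, otherwise the status of the failing `iptables -I`
  # Note: each rule is inserted at position 1, so the last spec applied is
  # evaluated first; callers control precedence through spec order.
  local spec chain action direction ipset_name
  for spec in "$@"; do
    IFS=':' read -r chain action direction ipset_name <<< "$spec"
    if [[ -z "$chain" || -z "$action" || -z "$direction" || -z "$ipset_name" ]]; then
      printf 'add_ipset_rules: bad spec %q (want chain:action:direction:ipset)\n' "$spec" >&2
      return 2
    fi
    if iptables -C "$chain" -m set --match-set "$ipset_name" "$direction" -j "$action" > /dev/null 2>&1; then
      echo "$action rule for $ipset_name ($direction) already in $chain"
      continue
    fi
    iptables -I "$chain" 1 -m set --match-set "$ipset_name" "$direction" -j "$action" || return
    echo "Added $action rule for $ipset_name ($direction) in $chain"
  done
}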
# Function: create the systemd service
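# Run one hook from the panel's `public` module with the panel's python.
# Arguments: $1 - name of the function in module public (e.g. stop_syssafe)
# Returns:   the interpreter's exit status
_panel_syssafe() {
  local hook=$1
  # The hook name travels in argv rather than being spliced into the -c
  # source, so it can never change the python code that runs.
  /www/server/panel/pyenv/bin/python3 -c "import os,sys; os.chdir('/www/server/panel/'); sys.path.insert(0, 'class/'); sys.path.insert(0, '/www/server/panel/'); import public; getattr(public, sys.argv[1])();" "$hook"
}

# Write the unit file for the firewall listener.
# Arguments: $1 - destination unit path
#            $2 - "interpreter script" prefix used for Exec* lines
# Returns:   the exit status of the write
_write_firewall_unit() {
  local dest=$1
  local exec_path=$2
  cat > "$dest" << EOF
[Unit]
Description=Firewall and System Event Listener Service
After=network.target

[Service]
ExecStart=$exec_path start
ExecReload=$exec_path reload
ExecStop=$exec_path stop
User=root
Type=simple

[Install]
WantedBy=multi-user.target
EOF
}

create_systemd_service() {
  # Install, enable and start the BT-FirewallServices unit when its unit
  # file is absent. The panel's syssafe watcher is stopped before the unit
  # is written and started again once the service is up.
  # Globals:   writes /etc/systemd/system/BT-FirewallServices.service
  # Outputs:   status lines on stdout, warnings on stderr
  # Returns:   0 if the unit already existed or was installed, otherwise the
  #            status of the first failing step
  local -r service_file="/etc/systemd/system/BT-FirewallServices.service"
  # Interpreter and script kept as separate words so the direct `save`
  # call below does not rely on word-splitting an unquoted string.
  local -a exec_cmd=(/www/server/panel/pyenv/bin/python3 /www/server/panel/script/BT-FirewallServices.py)
  local exec_path="${exec_cmd[0]} ${exec_cmd[1]}"

  if [[ -f "$service_file" ]]; then
    echo "Systemd service already exists"
    return 0
  fi

  # Best effort, as before: a failing stop hook should not block installation.
  _panel_syssafe stop_syssafe || printf 'warn: stop_syssafe hook failed\n' >&2
  _write_firewall_unit "$service_file" "$exec_path" || return
  systemctl daemon-reload || return
  systemctl enable BT-FirewallServices.service || return
  # Persist the current rule set before the service takes over.
  "${exec_cmd[@]}" save || return
  systemctl start BT-FirewallServices.service || return
  echo "Systemd service created and started"
  _panel_syssafe start_syssafe
}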
main() {
  # Bootstrap the panel firewall: create the BT chains, hook them into the
  # built-in chains, create the user ipsets and their match rules, then
  # install the listener service and reload it.
  local spec table name

  # "table:chain" - every chain the panel takes over.
  local -a managed_chains=(
    "filter:IN_BT"
    "filter:IN_BT_log"
    "filter:IN_BT_user_ip"
    "filter:IN_BT_ip"
    "filter:IN_BT_user_port"
    "filter:OUT_BT"
    "filter:OUT_BT_user_ip"
    "filter:OUT_BT_user_port"
    "filter:IN_BT_Country"
    "nat:FORWARD_BT"
  )
  for spec in "${managed_chains[@]}"; do
    IFS=':' read -r table name <<< "$spec"
    create_chain "$table" "$name"
  done

  # "table:parent:child" - jumps from the built-in chains into the BT chains.
  insert_input_output_rules \
    "filter:INPUT:IN_BT" \
    "filter:IN_BT:IN_BT_log" \
    "filter:IN_BT:IN_BT_user_ip" \
    "filter:IN_BT:IN_BT_ip" \
    "filter:IN_BT:IN_BT_user_port" \
    "filter:IN_BT_ip:IN_BT_Country" \
    "filter:OUTPUT:OUT_BT" \
    "filter:OUT_BT:OUT_BT_user_ip" \
    "filter:OUT_BT:OUT_BT_user_port" \
    "nat:PREROUTING:FORWARD_BT"

  # User-managed address sets.
  local set_name
  for set_name in \
    in_bt_user_accept_ipset \
    in_bt_user_drop_ipset \
    out_bt_user_accept_ipset \
    out_bt_user_drop_ipset; do
    create_ipset "$set_name"
  done

  # "chain:action:direction:ipset" - match rules for the sets above.
  add_ipset_rules \
    "IN_BT_user_ip:ACCEPT:src:in_bt_user_accept_ipset" \
    "IN_BT_user_ip:DROP:src:in_bt_user_drop_ipset" \
    "OUT_BT_user_ip:ACCEPT:dst:out_bt_user_accept_ipset" \
    "OUT_BT_user_ip:DROP:dst:out_bt_user_drop_ipset"

  create_systemd_service
  systemctl reload BT-FirewallServices
  echo "yakpanel firewall init finish..."
}
# Entry point; main takes no arguments.
main "$@"