feat(脚本): 优化防火墙相关，优化后脚本自动添加允许端口，无需手动关闭防火墙、适配oracle ubuntu防火墙，适配后无需特殊处理iptables

2021-09-20 01:51:28 +08:00 · 2021-09-20 01:51:28 +08:00 · 38ebab8d1c
parent ae5249ad13
commit 38ebab8d1c
1 changed files with 122 additions and 31 deletions
--- a/install.sh
+++ b/install.sh
@ -253,13 +253,95 @@ readInstallProtocolType() {
 # 读取当前alpn的顺序
 readInstallAlpn() {
 	if [[ -n ${currentInstallProtocolType} ]]; then
-		local alpn=$(jq -r .inbounds[0].streamSettings.xtlsSettings.alpn[0] ${configPath}${frontingType}.json)
+		local alpn
+		alpn=$(jq -r .inbounds[0].streamSettings.xtlsSettings.alpn[0] ${configPath}${frontingType}.json)
 		if [[ -n ${alpn} ]]; then
 			currentAlpn=${alpn}
 		fi
 	fi
 }

+# 检查防火墙
+allowPort() {
+	# 如果防火墙启动状态则添加相应的开放端口
+	if systemctl status netfilter-persistent 2>/dev/null | grep -q "active (exited)"; then
+		local updateFirewalldStatus=
+		if ! iptables -L | grep -q "http(mack-a)"; then
+			updateFirewalldStatus=true
+			iptables -I INPUT -p tcp --dport 80 -m comment --comment "allow http(mack-a)" -j ACCEPT
+		fi
+
+		if ! iptables -L | grep -q "https(mack-a)"; then
+			updateFirewalldStatus=true
+			iptables -I INPUT -p tcp --dport 443 -m comment --comment "allow https(mack-a)" -j ACCEPT
+		fi
+
+		if echo "${updateFirewalldStatus}" | grep -q "true"; then
+			netfilter-persistent save
+		fi
+	elif systemctl status ufw 2>/dev/null | grep -q "active (exited)"; then
+		if ! ufw status | grep -q 443; then
+			sudo ufw allow https
+			checkUFWAllowPort 443
+		fi
+
+		if ! ufw status | grep -q 80; then
+			sudo ufw allow 80
+			checkUFWAllowPort 80
+		fi
+	elif systemctl status firewalld 2>/dev/null | grep -q "active (running)"; then
+		local updateFirewalldStatus=
+		if ! firewall-cmd --list-ports --permanent | grep -qw "80/tcp"; then
+			updateFirewalldStatus=true
+			firewall-cmd --zone=public --add-port=80/tcp --permanent
+			checkFirewalldAllowPort 80
+		fi
+
+		if ! firewall-cmd --list-ports --permanent | grep -qw "443/tcp"; then
+			updateFirewalldStatus=true
+			firewall-cmd --zone=public --add-port=443/tcp --permanent
+			checkFirewalldAllowPort 443
+		fi
+		if echo "${updateFirewalldStatus}" | grep -q "true"; then
+			firewall-cmd --reload
+		fi
+	fi
+}
+
+# 检查80、443端口占用情况
+checkPortUsedStatus() {
+	if lsof -i tcp:80 | grep -q LISTEN; then
+		echoContent red "\n ---> 80端口被占用，请手动关闭后安装\n"
+		lsof -i tcp:80 | grep LISTEN
+		exit 0
+	fi
+
+	if lsof -i tcp:443 | grep -q LISTEN; then
+		echoContent red "\n ---> 443端口被占用，请手动关闭后安装\n"
+		lsof -i tcp:80 | grep LISTEN
+		exit 0
+	fi
+}
+
+# 输出ufw端口开放状态
+checkUFWAllowPort() {
+	if ufw status | grep -q "$1"; then
+		echoContent green " ---> $1端口开放成功"
+	else
+		echoContent red " ---> $1端口开放失败"
+		exit 0
+	fi
+}
+
+# 输出ufw端口开放状态
+checkFirewalldAllowPort() {
+	if firewall-cmd --list-ports --permanent | grep -q "$1"; then
+		echoContent green " ---> $1端口开放成功"
+	else
+		echoContent red " ---> $1端口开放失败"
+		exit 0
+	fi
+}
 # 检查文件目录以及path路径
 readConfigHostPathUUID() {
 	currentPath=
@ -499,6 +581,11 @@ installTools() {
 		${installType} lsb-release >/dev/null 2>&1
 	fi

+	if ! find /usr/bin /usr/sbin | grep -q -w lsof; then
+		echoContent green " ---> 安装lsof"
+		${installType} lsof >/dev/null 2>&1
+	fi
+
 	# 检测nginx版本，并提供是否卸载的选项

 	if ! find /usr/bin /usr/sbin | grep -q -w nginx; then
@ -838,25 +925,27 @@ checkIP() {
 		echoContent yellow " ---> 如解析正确，请等待dns生效，预计三分钟内生效"
 		echoContent yellow " ---> 如以上设置都正确，请重新安装纯净系统后再次尝试"
 		if [[ -n ${localIP} ]]; then
-			echoContent yellow " ---> 检测返回值异常"
+			echoContent yellow " ---> 检测返回值异常，建议手动卸载nginx后重新执行脚本"
 		fi
-		echoContent red " ---> 请检查防火墙是否关闭\n"
-		read -r -p "是否通过脚本关闭防火墙？[y/n]:" disableFirewallStatus
-		if [[ ${disableFirewallStatus} == "y" ]]; then
-			handleFirewall stop
+		echoContent red " ---> 请检查防火墙规则是否开放443、80\n"
+		read -r -p "是否通过脚本修改防火墙规则开放443、80端口？[y/n]:" allPortFirewallStatus
+		if [[ ${allPortFirewallStatus} == "y" ]]; then
+			allowPort
+			handleNginx start
+			checkIP
+		else
+			exit 0
 		fi
-
-		exit 0
+	else
+		if echo "${localIP}" | awk -F "[,]" '{print $2}' | grep -q "." || echo "${localIP}" | awk -F "[,]" '{print $2}' | grep -q ":"; then
+			echoContent red "\n ---> 检测到多个ip，请确认是否关闭cloudflare的云朵"
+			echoContent yellow " ---> 关闭云朵后等待三分钟后重试"
+			echoContent yellow " ---> 检测到的ip如下：[${localIP}]"
+			exit 0
+		fi
+		echoContent green " ---> 当前域名ip为：[${localIP}]"
 	fi

-	if echo "${localIP}" | awk -F "[,]" '{print $2}' | grep -q "." || echo "${localIP}" | awk -F "[,]" '{print $2}' | grep -q ":"; then
-		echoContent red "\n ---> 检测到多个ip，请确认是否关闭cloudflare的云朵"
-		echoContent yellow " ---> 关闭云朵后等待三分钟后重试"
-		echoContent yellow " ---> 检测到的ip如下：[${localIP}]"
-		exit 0
-	fi
-
-	echoContent green " ---> 当前域名ip为：[${localIP}]"
 }
 # 安装TLS
 installTLS() {
@ -902,8 +991,8 @@ installTLS() {
 				echoContent red " ---> TLS安装失败，请检查acme日志"
 				exit 0
 			fi
-			echoContent red " ---> TLS安装失败，检查防火墙中"
-			handleFirewall stop
+			echoContent red " ---> TLS安装失败，正在检查80、443端口是否开放"
+			allowPort
 			echoContent yellow " ---> 重新尝试安装TLS证书"
 			installTLSCount=1
 			installTLS "$1"
@ -1186,7 +1275,7 @@ v2rayVersionManageMenu() {
 	echoContent yellow "4.打开v2ray-core"
 	echoContent yellow "5.重启v2ray-core"
 	echoContent red "=============================================================="
-	read -r -p "请选择：" selectV2RayType
+	read -r -p "请选择:" selectV2RayType
 	if [[ "${selectV2RayType}" == "1" ]]; then
 		updateV2Ray
 	elif [[ "${selectV2RayType}" == "2" ]]; then
@ -1229,7 +1318,7 @@ xrayVersionManageMenu() {
 	echoContent yellow "4.打开Xray-core"
 	echoContent yellow "5.重启Xray-core"
 	echoContent red "=============================================================="
-	read -r -p "请选择：" selectXrayType
+	read -r -p "请选择:" selectXrayType
 	if [[ "${selectXrayType}" == "1" ]]; then
 		updateXray
 	elif [[ "${selectXrayType}" == "2" ]]; then
@ -1916,7 +2005,7 @@ initXrayFrontingConfig() {

 	echoContent yellow "1.切换至${xtlsType}"
 	echoContent red "=============================================================="
-	read -r -p "请选择：" selectType
+	read -r -p "请选择:" selectType
 	if [[ "${selectType}" == "1" ]]; then

 		if [[ "${xtlsType}" == "Trojan" ]]; then
@ -2648,7 +2737,7 @@ updateNginxBlog() {
 	echoContent yellow "8.个人博客02"
 	echoContent yellow "9.404自动跳转baidu"
 	echoContent red "=============================================================="
-	read -r -p "请选择：" selectInstallNginxBlogType
+	read -r -p "请选择:" selectInstallNginxBlogType

 	if [[ "${selectInstallNginxBlogType}" =~ ^[1-9]$ ]]; then
 		#		rm -rf /usr/share/nginx/html
@ -2682,7 +2771,7 @@ addCorePort() {
 	echoContent yellow "1.添加端口"
 	echoContent yellow "2.删除端口"
 	echoContent red "=============================================================="
-	read -r -p "请选择：" selectNewPortType
+	read -r -p "请选择:" selectNewPortType
 	if [[ "${selectNewPortType}" == "1" ]]; then
 		read -r -p "请输入端口号：" newPort
 		if [[ -n "${newPort}" ]]; then
@ -2818,7 +2907,7 @@ manageUser() {
 	echoContent yellow "1.添加用户"
 	echoContent yellow "2.删除用户"
 	echoContent skyBlue "-----------------------------------------------------"
-	read -r -p "请选择：" manageUserType
+	read -r -p "请选择:" manageUserType
 	if [[ "${manageUserType}" == "1" ]]; then
 		addUser
 	elif [[ "${manageUserType}" == "2" ]]; then
@ -3079,7 +3168,7 @@ bbrInstall() {
 	echoContent yellow "1.安装脚本【推荐原版BBR+FQ】"
 	echoContent yellow "2.回退主目录"
 	echoContent red "=============================================================="
-	read -r -p "请选择：" installBBRStatus
+	read -r -p "请选择:" installBBRStatus
 	if [[ "${installBBRStatus}" == "1" ]]; then
 		wget -N --no-check-certificate "https://raw.githubusercontent.com/ylx2016/Linux-NetSpeed/master/tcp.sh" && chmod +x tcp.sh && ./tcp.sh
 	else
@ -3114,7 +3203,7 @@ checkLog() {
 	echoContent yellow "6.清空日志"
 	echoContent red "=============================================================="

-	read -r -p "请选择：" selectAccessLogType
+	read -r -p "请选择:" selectAccessLogType
 	local configPathLog=${configPath//conf\//}

 	case ${selectAccessLogType} in
@ -3964,7 +4053,7 @@ selectCoreInstall() {
 	echoContent yellow "1.Xray-core"
 	echoContent yellow "2.v2ray-core"
 	echoContent red "=============================================================="
-	read -r -p "请选择：" selectCoreType
+	read -r -p "请选择:" selectCoreType
 	case ${selectCoreType} in
 	1)
 		if [[ "${selectInstallType}" == "2" ]]; then
@ -4165,15 +4254,17 @@ switchAlpn() {
 	read -r -p "请选择:" selectSwitchAlpnType
 	if [[ "${selectSwitchAlpnType}" == "1" && "${currentAlpn}" == "http/1.1" ]]; then

-		local frontingTypeJSON=$(jq -r ".inbounds[0].streamSettings.xtlsSettings.alpn = [\"h2\",\"http/1.1\"]" ${configPath}${frontingType}.json)
+		local frontingTypeJSON
+		frontingTypeJSON=$(jq -r ".inbounds[0].streamSettings.xtlsSettings.alpn = [\"h2\",\"http/1.1\"]" ${configPath}${frontingType}.json)
 		echo "${frontingTypeJSON}" | jq . >${configPath}${frontingType}.json

 	elif [[ "${selectSwitchAlpnType}" == "1" && "${currentAlpn}" == "h2" ]]; then
-		local frontingTypeJSON=$(jq -r ".inbounds[0].streamSettings.xtlsSettings.alpn =[\"http/1.1\",\"h2\"]" ${configPath}${frontingType}.json)
+		local frontingTypeJSON
+		frontingTypeJSON=$(jq -r ".inbounds[0].streamSettings.xtlsSettings.alpn =[\"http/1.1\",\"h2\"]" ${configPath}${frontingType}.json)
 		echo "${frontingTypeJSON}" | jq . >${configPath}${frontingType}.json
 	else
 		echoContent red " ---> 选择错误"
-		exit 0;
+		exit 0
 	fi
 	reloadCore
 }
@ -4182,7 +4273,7 @@ menu() {
 	cd "$HOME" || exit
 	echoContent red "\n=============================================================="
 	echoContent green "作者：mack-a"
-	echoContent green "当前版本：v2.5.34"
+	echoContent green "当前版本：v2.5.35"
 	echoContent green "Github：https://github.com/mack-a/v2ray-agent"
 	echoContent green "描述：八合一共存脚本\c"
 	showInstallStatus