su/tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

sync

Browse Source
This commit is contained in:
sushen339
2025-11-17 17:49:13 +08:00
parent a52da9d09e
commit d14c42a83e
1 changed files with 28 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files
nft.sh
+28 -12
View File
@@ -1,5 +1,8 @@
#!/bin/bash #!/bin/bash
# 错误时立即退出
set -euo pipefail
# 颜色定义 # 颜色定义
GREEN='\033[0;32m' GREEN='\033[0;32m'
RED='\033[0;31m' RED='\033[0;31m'
@@ -8,7 +11,7 @@ NC='\033[0m' # No Color
# 1. 检查 Root 权限 # 1. 检查 Root 权限
if [ "$EUID" -ne 0 ]; then if [ "$EUID" -ne 0 ]; then
echo -e "${RED}[错误] 请使用 root 权限运行此脚本 (sudo ./setup_firewall.sh)${NC}" echo -e "${RED}[错误] 请使用 root 权限运行此脚本 (sudo ./nft.sh)${NC}"
exit 1 exit 1
fi fi
@@ -25,6 +28,13 @@ if ! command -v nft &> /dev/null; then
echo -e "${RED}[错误] 无法识别的操作系统,请手动安装 nftables。${NC}" echo -e "${RED}[错误] 无法识别的操作系统,请手动安装 nftables。${NC}"
exit 1 exit 1
fi fi
# 验证安装是否成功
if ! command -v nft &> /dev/null; then
echo -e "${RED}[错误] nftables 安装失败,请手动安装后重试。${NC}"
exit 1
fi
echo -e "${GREEN}[成功] nftables 安装完成。${NC}"
fi fi
# 3. 验证内核支持 # 3. 验证内核支持
@@ -51,13 +61,18 @@ fi
echo -e "${GREEN}[成功] 检测到 nftables 支持。配置文件路径: ${CONF_PATH}${NC}" echo -e "${GREEN}[成功] 检测到 nftables 支持。配置文件路径: ${CONF_PATH}${NC}"
# 5. 备份原有配置 # 5. 检测 SSH 端口
SSH_PORT=$(grep "^Port" /etc/ssh/sshd_config 2>/dev/null | awk '{print $2}' || echo "22")
SSH_PORT=${SSH_PORT:-22}
echo -e "${YELLOW}[检测] 当前 SSH 端口: ${SSH_PORT}${NC}"
# 6. 备份原有配置
if [ -f "$CONF_PATH" ]; then if [ -f "$CONF_PATH" ]; then
cp "$CONF_PATH" "${CONF_PATH}.bak.$(date +%Y%m%d%H%M%S)" cp "$CONF_PATH" "${CONF_PATH}.bak.$(date +%Y%m%d%H%M%S)"
echo -e "${YELLOW}[提示] 已备份原有配置为 ${CONF_PATH}.bak...${NC}" echo -e "${YELLOW}[提示] 已备份原有配置为 ${CONF_PATH}.bak...${NC}"
fi fi
# 6. 写入配置 # 7. 写入配置
cat > "$CONF_PATH" <<EOF cat > "$CONF_PATH" <<EOF
#!/usr/sbin/nft -f #!/usr/sbin/nft -f
@@ -81,27 +96,27 @@ table inet security_firewall {
ip saddr @blackhole_v4 drop ip saddr @blackhole_v4 drop
ip6 saddr @blackhole_v6 drop ip6 saddr @blackhole_v6 drop
# 3. SYN flood 防护 (阈值 500/s, 突发 500) # 3. SYN flood 防护 (阈值 2000/s, 突发 2000)
# 保护系统内存,防止大规模 SYN 攻击导致死机 # 保护系统内存,防止大规模 SYN 攻击导致死机
tcp flags syn limit rate over 500/second burst 500 packets drop tcp flags syn limit rate over 2000/second burst 2000 packets drop
# 4. ICMP/Ping 限速 (阈值 50/s, 突发 50) # 4. ICMP/Ping 限速 (阈值 2000/s, 突发 2000)
ip protocol icmp limit rate over 50/second burst 50 packets drop ip protocol icmp limit rate over 2000/second burst 2000 packets drop
meta l4proto icmpv6 limit rate over 50/second burst 50 packets drop meta l4proto icmpv6 limit rate over 2000/second burst 2000 packets drop
# 5. SSH 防爆破 (5次/分, 允许瞬间突发5次) # 5. SSH 防爆破 (5次/分, 允许瞬间突发5次)
# 超过限制 -> 加入黑名单 -> 丢弃 # 超过限制 -> 加入黑名单 -> 丢弃
# 注意:请确保你的 SSH 端口是 22, 如果不是, 请修改下方的 dport # SSH 端口: $SSH_PORT (自动检测)
tcp dport 22 ct state new meter flood_v4 { ip saddr timeout 60s limit rate over 5/minute burst 5 packets } \\ tcp dport $SSH_PORT ct state new meter flood_v4 { ip saddr timeout 60s limit rate over 5/minute burst 5 packets } \\
add @blackhole_v4 { ip saddr } drop add @blackhole_v4 { ip saddr } drop
tcp dport 22 ct state new meter flood_v6 { ip6 saddr timeout 60s limit rate over 5/minute burst 5 packets } \\ tcp dport $SSH_PORT ct state new meter flood_v6 { ip6 saddr timeout 60s limit rate over 5/minute burst 5 packets } \\
add @blackhole_v6 { ip6 saddr } drop add @blackhole_v6 { ip6 saddr } drop
} }
} }
EOF EOF
# 7. 应用并启用服务 # 8. 应用并启用服务
echo -e "${YELLOW}[信息] 正在应用规则...${NC}" echo -e "${YELLOW}[信息] 正在应用规则...${NC}"
if nft -f "$CONF_PATH"; then if nft -f "$CONF_PATH"; then
echo -e "${GREEN}[成功] 规则语法正确并已加载!${NC}" echo -e "${GREEN}[成功] 规则语法正确并已加载!${NC}"
@@ -113,6 +128,7 @@ if nft -f "$CONF_PATH"; then
echo -e "${GREEN}[完成] nftables 服务已重启并设置开机自启。${NC}" echo -e "${GREEN}[完成] nftables 服务已重启并设置开机自启。${NC}"
echo -e "${GREEN}---------------------------------------------${NC}" echo -e "${GREEN}---------------------------------------------${NC}"
echo -e "当前 SSH 防护状态:" echo -e "当前 SSH 防护状态:"
echo -e " - SSH 端口: ${GREEN}${SSH_PORT}${NC}"
echo -e " - IPv4/IPv6 双栈支持: ${GREEN}YES${NC}" echo -e " - IPv4/IPv6 双栈支持: ${GREEN}YES${NC}"
echo -e " - SSH 爆破阈值: ${GREEN}5次/分 (突发5次)${NC}" echo -e " - SSH 爆破阈值: ${GREEN}5次/分 (突发5次)${NC}"
echo -e " - 封禁时长: ${GREEN}60分钟${NC}" echo -e " - 封禁时长: ${GREEN}60分钟${NC}"