From ce00bef4a1df4e30a8138dc87c124bee4cf62d1f Mon Sep 17 00:00:00 2001 From: Seeger0216 <65768435+Seeger0216@users.noreply.github.com> Date: Mon, 5 Jul 2021 20:06:53 +0800 Subject: [PATCH] Create iptables.sh --- iptables.sh | 317 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 317 insertions(+) create mode 100644 iptables.sh diff --git a/iptables.sh b/iptables.sh new file mode 100644 index 0000000..c3a606e --- /dev/null +++ b/iptables.sh @@ -0,0 +1,317 @@ +red="\033[31m" +black="\033[0m" + +base=/etc/dnat +mkdir $base 2>/dev/null +conf=$base/conf +touch $conf + +# wget wget --no-check-certificate -qO natcfg.sh http://blog.arloor.com/sh/iptablesUtils/natcfg.sh && bash natcfg.sh + + clear + echo "#############################################################" + echo "# Usage: setup iptables nat rules for domian/ip #" + echo "# Website: http://www.arloor.com/ #" + echo "# Author: ARLOOR #" + echo "# Github: https://github.com/arloor/iptablesUtils #" + echo "#############################################################" + echo + + +setupService(){ + cat > /usr/local/bin/dnat.sh <<"AAAA" +#! /bin/bash +[[ "$EUID" -ne '0' ]] && echo "Error:This script must be run as root!" && exit 1; + + + +base=/etc/dnat +mkdir $base 2>/dev/null +conf=$base/conf +firstAfterBoot=1 +lastConfig="/iptables_nat.sh" +lastConfigTmp="/iptables_nat.sh_tmp" + + +#### +echo "正在安装依赖...." +yum install -y bind-utils &> /dev/null +apt install -y dnsutils &> /dev/null +echo "Completed:依赖安装完毕" +echo "" +#### +turnOnNat(){ + # 开启端口转发 + echo "1. 端口转发开启 【成功】" + sed -n '/^net.ipv4.ip_forward=1/'p /etc/sysctl.conf | grep -q "net.ipv4.ip_forward=1" + if [ $? -ne 0 ]; then + echo -e "net.ipv4.ip_forward=1" >> /etc/sysctl.conf && sysctl -p + fi + + #开放FORWARD链 + echo "2. 开放iptbales中的FORWARD链 【成功】" + arr1=(`iptables -L FORWARD -n --line-number |grep "REJECT"|grep "0.0.0.0/0"|sort -r|awk '{print $1,$2,$5}'|tr " " ":"|tr "\n" " "`) #16:REJECT:0.0.0.0/0 15:REJECT:0.0.0.0/0 + for cell in ${arr1[@]} + do + arr2=(`echo $cell|tr ":" " "`) #arr2=16 REJECT 0.0.0.0/0 + index=${arr2[0]} + echo 删除禁止FOWARD的规则$index + iptables -D FORWARD $index + done + iptables --policy FORWARD ACCEPT +} +turnOnNat + + + +testVars(){ + local localport=$1 + local remotehost=$2 + local remoteport=$3 + # 判断端口是否为数字 + local valid= + echo "$localport"|[ -n "`sed -n '/^[0-9][0-9]*$/p'`" ] && echo $remoteport |[ -n "`sed -n '/^[0-9][0-9]*$/p'`" ]||{ + echo -e "${red}本地端口和目标端口请输入数字!!${black}"; + return 1; + } + + # 检查输入的不是IP + #if [ "$(echo $remotehost |grep -E -o '([0-9]{1,3}[\.]){3}[0-9]{1,3}')" != "" ];then + # local isip=true + # local remote=$remotehost +# + # echo -e "${red}警告:你输入的目标地址是一个ip!${black}" + # return 2; + # fi +} + +dnat(){ + [ "$#" = "3" ]&&{ + local localport=$1 + local remote=$2 + local remoteport=$3 + + cat >> $lastConfigTmp <$base/${1}IP + dnat $1 $remote $3 +} + + +echo "3. 开始监听域名解析变化" +echo "" +while true ; +do +## 获取本机地址 +localIP=$(ip -o -4 addr list | grep -Ev '\s(docker|lo)' | awk '{print $4}' | cut -d/ -f1 | grep -Ev '(^127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$)|(^10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$)|(^172\.1[6-9]{1}[0-9]{0,1}\.[0-9]{1,3}\.[0-9]{1,3}$)|(^172\.2[0-9]{1}[0-9]{0,1}\.[0-9]{1,3}\.[0-9]{1,3}$)|(^172\.3[0-1]{1}[0-9]{0,1}\.[0-9]{1,3}\.[0-9]{1,3}$)|(^192\.168\.[0-9]{1,3}\.[0-9]{1,3}$)') +if [ "${localIP}" = "" ]; then + localIP=$(ip -o -4 addr list | grep -Ev '\s(docker|lo)' | awk '{print $4}' | cut -d/ -f1|head -n 1 ) +fi +echo "本机网卡IP [$localIP]" +cat > $lastConfigTmp <" " "`) #arr2=16 REJECT 0.0.0.0/0 + # 过滤非法的行 + [ "${arr2[2]}" != "" -a "${arr2[3]}" = "" ]&& testVars ${arr2[0]} ${arr2[1]} ${arr2[2]}&&{ + echo "转发规则: ${arr2[0]} => ${arr2[1]}:${arr2[2]}" + dnatIfNeed ${arr2[0]} ${arr2[1]} ${arr2[2]} + } +done + +lastConfigTmpStr=`cat $lastConfigTmp` +lastConfigStr=`cat $lastConfig` +if [ "$firstAfterBoot" = "1" -o "$lastConfigTmpStr" != "$lastConfigStr" ];then + echo '更新iptables规则[DOING]' + source $lastConfigTmp + cat $lastConfigTmp > $lastConfig + echo '更新iptables规则[DONE],新规则如下:' + echo "###########################################################" + iptables -L PREROUTING -n -t nat --line-number + iptables -L POSTROUTING -n -t nat --line-number + echo "###########################################################" +else + echo "iptables规则未变更" +fi + +firstAfterBoot=0 +echo '' > $lastConfigTmp +sleep 60 +echo '' +echo '' +echo '' +done +AAAA +echo + + +cat > /lib/systemd/system/dnat.service <<\EOF +[Unit] +Description=动态设置iptables转发规则 +After=network-online.target +Wants=network-online.target + +[Service] +WorkingDirectory=/root/ +EnvironmentFile= +ExecStart=/bin/bash /usr/local/bin/dnat.sh +Restart=always +RestartSec=30 + +[Install] +WantedBy=multi-user.target +EOF + +systemctl daemon-reload +systemctl enable dnat > /dev/null 2>&1 +service dnat stop > /dev/null 2>&1 +service dnat start > /dev/null 2>&1 +} + + +## 获取本机地址 +localIP=$(ip -o -4 addr list | grep -Ev '\s(docker|lo)' | awk '{print $4}' | cut -d/ -f1 | grep -Ev '(^127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$)|(^10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$)|(^172\.1[6-9]{1}[0-9]{0,1}\.[0-9]{1,3}\.[0-9]{1,3}$)|(^172\.2[0-9]{1}[0-9]{0,1}\.[0-9]{1,3}\.[0-9]{1,3}$)|(^172\.3[0-1]{1}[0-9]{0,1}\.[0-9]{1,3}\.[0-9]{1,3}$)|(^192\.168\.[0-9]{1,3}\.[0-9]{1,3}$)') +if [ "${localIP}" = "" ]; then + localIP=$(ip -o -4 addr list | grep -Ev '\s(docker|lo)' | awk '{print $4}' | cut -d/ -f1|head -n 1 ) +fi + + +addDnat(){ + local localport= + local remoteport= + local remotehost= + local valid= + echo -n "本地端口号:" ;read localport + echo -n "远程端口号:" ;read remoteport + # echo $localport $remoteport + # 判断端口是否为数字 + echo "$localport"|[ -n "`sed -n '/^[0-9][0-9]*$/p'`" ] && echo $remoteport |[ -n "`sed -n '/^[0-9][0-9]*$/p'`" ]||{ + echo -e "${red}本地端口和目标端口请输入数字!!${black}" + return 1; + } + + echo -n "目标域名/IP:" ;read remotehost + # # 检查输入的不是IP + # if [ "$remotehost" = "" -o "$(echo $remotehost |grep -E -o '([0-9]{1,3}[\.]){3}[0-9]{1,3}')" != "" ];then + # isip=true + # remote=$remotehost + # echo -e "${red}请输入一个ddns域名${black}" + # return 1 + # fi + + sed -i "s/^$localport.*/$localport>$remotehost:$remoteport/g" $conf + [ "$(cat $conf|grep "$localport>$remotehost:$remoteport")" = "" ]&&{ + cat >> $conf <$remotehost:$remoteport +LINE + } + echo "成功添加转发规则 $localport>$remotehost:$remoteport" + setupService +} + +rmDnat(){ + local localport= + echo -n "本地端口号:" ;read localport + sed -i "/^$localport>.*/d" $conf + echo "done!" +} + +testVars(){ + local localport=$1 + local remotehost=$2 + local remoteport=$3 + # 判断端口是否为数字 + local valid= + echo "$localport"|[ -n "`sed -n '/^[0-9][0-9]*$/p'`" ] && echo $remoteport |[ -n "`sed -n '/^[0-9][0-9]*$/p'`" ]||{ + # echo -e "${red}本地端口和目标端口请输入数字!!${black}"; + return 1; + } + + # # 检查输入的不是IP + # if [ "$(echo $remotehost |grep -E -o '([0-9]{1,3}[\.]){3}[0-9]{1,3}')" != "" ];then + # local isip=true + # local remote=$remotehost + + # # echo -e "${red}警告:你输入的目标地址是一个ip!${black}" + # return 2; + # fi +} + +lsDnat(){ + arr1=(`cat $conf`) +for cell in ${arr1[@]} +do + arr2=(`echo $cell|tr ":" " "|tr ">" " "`) #arr2=16 REJECT 0.0.0.0/0 + # 过滤非法的行 + [ "${arr2[2]}" != "" -a "${arr2[3]}" = "" ]&& testVars ${arr2[0]} ${arr2[1]} ${arr2[2]}&&{ + echo "转发规则: ${arr2[0]}>${arr2[1]}:${arr2[2]}" + } +done +} + + + + +echo -e "${red}你要做什么呢(请输入数字)?Ctrl+C 退出本脚本${black}" +select todo in 增加转发规则 删除转发规则 列出所有转发规则 查看当前iptables配置 +do + case $todo in + 增加转发规则) + addDnat + #break + ;; + 删除转发规则) + rmDnat + #break + ;; + # 增加到IP的转发) + # addSnat + # #break + # ;; + # 删除到IP的转发) + # rmSnat + # #break + # ;; + 列出所有转发规则) + lsDnat + ;; + 查看当前iptables配置) + echo "###########################################################" + iptables -L PREROUTING -n -t nat --line-number + iptables -L POSTROUTING -n -t nat --line-number + echo "###########################################################" + ;; + *) + echo "如果要退出,请按Ctrl+C" + ;; + esac +done