├── README.md
└── iPtato.sh

/README.md:
--------------------------------------------------------------------------------
# iPtato
通过简单的脚本,实现控制系统的出入网络流量
## 功能简介
### 适配系统
Debian / CentOS / Ubuntu
### 首次运行
- 创建空文件 用于判断脚本是否首次运行
- 部署需要的软件
- 清除所有自带防火墙/规则
- 禁止一切入网方向端口(即关闭所有连接服务器的端口)
- 默认开放SSH入网端口

### 出网模块功能
> 封禁功能(即屏蔽)
- 封禁BT、PT、SPAM
- 封禁黑名单网址关键词
- 自定义封禁关键词(支持:手动输入/本地文件/在线URL 导入)
> 解禁
- 有封就有解,可以跑脚本感受一下

### 入网模块(连接服务器)
> 放行(即开放)
- 入网端口
- 入网IP (计划中)

> 取消放行(即不开放)
- 入网端口
- 入网IP(计划中)

### 夺回出入控制
> 如果脚本创建的规则被某些其他应用如某些控制面板破坏
- 你可以先部署好你想用的软件/其他东西 只要你不是想用iptables就行
- 执行这个功能后,会清空所有出入网规则
- 默认仅开放SSH端口

### 注意
> 实际使用iptables封禁关键词来达到审计某些网站的访问,在大规模流量进出的过程测试中效率性能并没有某些应用层面的工具效率高
- 因为数据包大多都是加密的,iptables在匹配过程中很多情况在做无用功,而某些应用层面的工具可以知道应该检查哪部分数据

## 使用脚本
```sh
wget -N --no-check-certificate https://raw.githubusercontent.com/Aipblock/iPtato/main/iPtato.sh && chmod +x iPtato.sh && bash iPtato.sh
```

### 跑过脚本后想继续用
```sh
./iPtato.sh
```

## Function
![image](https://user-images.githubusercontent.com/113791222/191405756-4a7a98fe-6302-4299-b512-6052fa28cf19.png)



--------------------------------------------------------------------------------
/iPtato.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:~/bin
export PATH
#=================================================
# System Required: CentOS/Debian/Ubuntu
# Description: iptables 出封禁 入放行
# Version: 1.0.20
# Blog: 计划中
#=================================================

sh_ver="1.0.20"
Green_font_prefix="\033[32m"
Red_font_prefix="\033[31m"
Green_background_prefix="\033[42;37m"
Red_background_prefix="\033[41;37m"
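Font_color_suffix="\033[0m"
# The original built Info from an undefined ${green}; the colour variable that
# is actually defined above is Green_font_prefix.
Info="${Green_font_prefix}[信息]${Font_color_suffix}"
Error="${Red_font_prefix}[错误]${Font_color_suffix}"

# Marker file: its existence means first-run setup (set_environment) already ran.
checkfile="/root/checkfile.txt"
# Outbound port groups blocked by the SPAM module (iptables multiport syntax).
smtp_port="25,26,465,587"
pop3_port="109,110,995"
imap_port="143,218,220,993"
other_port="24,50,57,105,106,158,209,1109,24554,60177,60179"
# One keyword per line; each becomes an `-m string ... -j DROP` rule in mangle OUTPUT.
bt_key_word="torrent
.torrent
peer_id=
announce
info_hash
get_peers
find_node
BitTorrent
announce_peer
BitTorrent protocol
announce.php?passkey=
magnet:
xunlei
sandai
Thunder
XLLiveUD"

# Globals shared between the menu handlers:
#   s            - iptables chain action, "A" (append/ban) or "D" (delete/unban)
#   PORT         - port spec entered by the user (or the detected SSH port)
#   key_word     - newline-separated keyword list to add/remove
#   v4iptables / v6iptables - binary names, v6iptables empty when ip6tables is absent
#   release      - "debian" | "ubuntu" | "centos" | ""

# check root
[[ $EUID -ne 0 ]] && echo -e "${Error} 必须使用root用户运行此脚本!\n" && exit 1

#######################################
# Detect the distribution family into $release and the arch into $bit.
# Checks the same sources in the same order as before (/etc/redhat-release,
# /etc/issue, /proc/version); unreadable files are simply skipped.
#######################################
check_system() {
  local src
  release=""
  if [[ -f /etc/redhat-release ]]; then
    release="centos"
  else
    for src in /etc/issue /proc/version; do
      if grep -q -E -i "debian" "$src" 2>/dev/null; then
        release="debian"
        break
      elif grep -q -E -i "ubuntu" "$src" 2>/dev/null; then
        release="ubuntu"
        break
      elif grep -q -E -i "centos|red hat|redhat" "$src" 2>/dev/null; then
        release="centos"
        break
      fi
    done
  fi
  bit=$(uname -m)
}

#######################################
# Run first-time setup when the marker file is missing.
# The marker is now written *after* set_environment, so a setup that aborts
# halfway is retried on the next run instead of being skipped forever.
# Globals: runflag (0 = first run, 1 = not first run)
#######################################
check_run() {
  runflag=0
  if [[ ! -e "${checkfile}" ]]; then
    set_environment
    touch "${checkfile}"
    echo "首次运行判断文件生成"
    echo "初次运行脚本 环境部署完成"
  else
    runflag=1
    echo "文件存在 脚本不是初次运行"
  fi
}

# Reminder printed under the menu on the very first run.
shell_run_tips() {
  if [[ "${runflag}" -eq 0 ]]; then
    echo
    echo "本脚本默认接管 控制出入网 权限"
    echo "入网端口仅放行了 SSH端口"
    echo
  fi
}

#######################################
# First-run setup: install tools, disable firewalld on CentOS, reset the
# filter table and re-open SSH. var_v4_v6_iptables runs *after* the install
# step because it exits when iptables is missing; the original called it
# before the install, so a host without iptables never got it installed.
#######################################
set_environment() {
  install_iptables
  install_tool
  long_save_rules_tool
  var_v4_v6_iptables
  rebuild_iptables_rule
  able_ssh_port
}

# Install iptables if the binary is not on PATH (command -v instead of running
# `iptables -V`, which just prints "command not found" when absent).
install_iptables() {
  if command -v iptables >/dev/null 2>&1; then
    return 0
  fi
  case "${release}" in
    debian | ubuntu) apt-get install iptables -y ;;
    centos) yum install iptables -y ;;
  esac
}

# Install net-tools (for netstat, used by get_ssh_port) if netstat is missing.
install_tool() {
  if command -v netstat >/dev/null 2>&1; then
    return 0
  fi
  case "${release}" in
    debian | ubuntu) apt-get install net-tools -y ;;
    centos) yum install net-tools -y ;;
  esac
}

#######################################
# Reset the IPv4 filter table to "deny inbound by default".
# The original also had `-A INPUT -m ttl --ttl-gt 80 -j ACCEPT`, which accepts
# every inbound packet arriving with TTL > 80 on any port; systems that start
# at TTL 128 (Windows, among others) reach most hosts well above 80, so that
# rule bypassed the DROP policy the README promises. It is removed here;
# get_ssh_port falls back to port 22 so SSH is still re-opened afterwards.
# NOTE(review): `iptables -F` only flushes the filter table, so keyword rules
# in mangle OUTPUT survive; and ip6tables is not touched, so the IPv6 INPUT
# policy is whatever the system shipped with — confirm that is intended.
#######################################
rebuild_iptables_rule() {
  iptables -P INPUT ACCEPT
  iptables -F
  iptables -A INPUT -p icmp -j ACCEPT
  iptables -A INPUT -i lo -j ACCEPT
  iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  iptables -P INPUT DROP
}

#######################################
# CentOS only: stop/disable firewalld and install iptables-services so that
# `service iptables save` persists rules. Debian/Ubuntu persist via
# /etc/network/if-pre-up.d (see save_iptables_v4_v6).
#######################################
long_save_rules_tool() {
  local cipstatu firestatus
  if [[ "${release}" == "debian" || "${release}" == "ubuntu" ]]; then
    echo "此类系统不需安装longruletool"
  elif [[ "${release}" == "centos" ]]; then
    cipstatu=$(service iptables status 2>/dev/null | awk 'NR==1{print $1}')
    firestatus=$(firewall-cmd --state 2>/dev/null)
    if [[ "${firestatus}" == "running" ]]; then
      echo "停止firewall中"
      systemctl stop firewalld.service
      echo "禁止firewall开机启动"
      systemctl disable firewalld.service
      echo "成功关闭firewall"
    fi
    if [[ -z "${cipstatu}" ]]; then
      yum install iptables-services -y
      systemctl enable iptables
    fi
  fi
}

# Open the detected SSH port inbound (TCP and UDP, v4 and v6 when available).
able_ssh_port() {
  s="A"
  get_ssh_port
  set_in_ports
}

#######################################
# Resolve the iptables binaries. Exits with a message when iptables is missing
# (the original exited silently); ip6tables is optional.
# Globals: v4iptables, v6iptables (written)
#######################################
var_v4_v6_iptables() {
  v4iptables=""
  v6iptables=""
  if ! command -v iptables >/dev/null 2>&1; then
    echo -e "${Error} 未找到 iptables,无法继续 !" >&2
    exit 1
  fi
  v4iptables="iptables"
  if command -v ip6tables >/dev/null 2>&1; then
    v6iptables="ip6tables"
  fi
}

# Validate a port spec before it reaches iptables: "25", "25,26,465" or "25:587".
# Returns 0 when well-formed, 1 otherwise.
valid_port_spec() {
  [[ "$1" =~ ^[0-9]+([,:][0-9]+)*$ ]]
}

# 查看出网模块
view_all_disable_out() {
  echo
  display_out_port
  display_out_keyworld
  echo
}

# 出网端口模块
#######################################
# Interactive loop: ban outbound ports until the user submits an empty line
# (input_disable_want_outport exits the script on empty input, which is the
# loop's only exit — unchanged from the original).
# Fix: the "example shown once" flag is now spelled the same way it is tested.
#######################################
disable_want_port_out() {
  s="A"
  disable_port_Type_1=""
  while true; do
    input_disable_want_outport || continue
    set_out_ports
    echo -e "${Info} 已封禁端口 [ ${PORT} ] !\n"
    disable_port_Type_1="1"
  done
}

# Prompt for an outbound port spec into $PORT; returns 1 on a malformed spec
# so the caller re-prompts instead of handing garbage to iptables.
input_disable_want_outport() {
  echo -e "请输入欲封禁的 出网端口(单端口/多端口/连续端口段)"
  if [[ "${disable_port_Type_1}" != "1" ]]; then
    echo -e "${Green_font_prefix}========出网端口示例说明========${Font_color_suffix}
单端口:25(单个端口)
多端口:25,26,465,587(多个端口用英文逗号分割)
连续端口段:25:587(25-587之间的所有端口)" && echo
  fi
  read -e -p "(回车默认取消):" PORT
  [[ -z "${PORT}" ]] && echo "已取消..." && display_out_port && exit 0
  if ! valid_port_spec "${PORT}"; then
    echo -e "${Error} 端口格式错误 [ ${PORT} ] !"
    return 1
  fi
}

# Apply the outbound TCP+UDP rules for $PORT with action $s to every
# available table, then persist. (Unquoted expansion on purpose: an empty
# $v6iptables contributes no iteration.)
set_out_ports() {
  local tbl
  for tbl in $v4iptables $v6iptables; do
    tcp_outport_rules "${tbl}" "${PORT}" "${s}"
    udp_outport_rules "${tbl}" "${PORT}" "${s}"
  done
  save_iptables_v4_v6
}

# $1 iptables binary, $2 port spec, $3 "A"/"D". ip6tables has no ICMPv4
# reject type, so it uses a TCP reset instead.
tcp_outport_rules() {
  local reject_with="icmp-port-unreachable"
  if [[ -n "${v6iptables}" && "$1" == "${v6iptables}" ]]; then
    reject_with="tcp-reset"
  fi
  "$1" -t filter -"$3" OUTPUT -p tcp -m multiport --dports "$2" -m state --state NEW,ESTABLISHED -j REJECT --reject-with "${reject_with}"
}

# $1 iptables binary, $2 port spec, $3 "A"/"D".
udp_outport_rules() {
  "$1" -t filter -"$3" OUTPUT -p udp -m multiport --dports "$2" -j DROP
}

# Interactive loop: unban outbound ports (see disable_want_port_out).
able_want_port_out() {
  s="D"
  able_port_Type_1=""
  while true; do
    input_able_want_outport || continue
    set_out_ports
    echo -e "${Info} 已取消封禁端口 [ ${PORT} ] !\n"
    able_port_Type_1="1"
  done
}

# Prompt for an outbound port spec to unban into $PORT; returns 1 if malformed.
input_able_want_outport() {
  echo -e "请输入欲取消封禁的 出网端口(单端口/多端口/连续端口段)"
  if [[ "${able_port_Type_1}" != "1" ]]; then
    echo -e "${Green_font_prefix}========出网端口示例说明========${Font_color_suffix}
单端口:25(单个端口)
多端口:25,26,465,587(多个端口用英文逗号分割)
连续端口段:25:587(25-587之间的所有端口)" && echo
  fi
  read -e -p "(回车默认取消):" PORT
  [[ -z "${PORT}" ]] && echo "已取消..." && display_out_port && exit 0
  if ! valid_port_spec "${PORT}"; then
    echo -e "${Error} 端口格式错误 [ ${PORT} ] !"
    return 1
  fi
}

# 出网关键词模块
#######################################
# Interactive loop: ban keywords. Manual entry (type 1) keeps prompting until
# an empty line exits the script; file/URL imports are a one-shot batch (the
# original re-read the same file on every iteration with no way out).
#######################################
disable_want_keyworld_out() {
  local again=""
  s="A"
  while true; do
    input_want_keyworld_type "ban" "${again}"
    set_out_keywords
    echo -e "${Info} 已封禁关键词 [ ${key_word} ] !\n"
    [[ "${key_word_type}" == "1" ]] || break
    again="ban_1"
  done
  display_out_keyworld
}

#######################################
# Interactive loop: unban keywords. The current list is shown first, because
# input_able_want_keyworld asks the user to copy an entry from "the list
# above" (the original never printed it).
#######################################
able_want_keyworld_out() {
  local again=""
  s="D"
  while true; do
    display_out_keyworld
    if [[ -z "${disable_out_keyworld_list}" ]]; then
      echo -e "${Error} 检测到未封禁任何 关键词 !"
      exit 0
    fi
    input_want_keyworld_type "unban" "${again}"
    set_out_keywords
    echo -e "${Info} 已解封关键词 [ ${key_word} ] !\n"
    [[ "${key_word_type}" == "1" ]] || break
    again="ban_1"
  done
  view_all_disable_out
}

#######################################
# Delete every DROP rule from the mangle OUTPUT chain of the given binary.
# Rules are removed from the highest line number down so the remaining
# numbers stay valid. The original deleted "rule 1" N times, which also
# removed non-keyword rules and, with an empty v6 list, still deleted one
# ip6tables rule because `wc -l` reports 1 for an empty echo.
# Arguments: $1 - iptables or ip6tables
#######################################
delete_keyword_rules() {
  local num
  for num in $("$1" -t mangle -L OUTPUT -n --line-numbers | awk '$2=="DROP"{print $1}' | sort -rn); do
    "$1" -t mangle -D OUTPUT "${num}"
  done
}

# Remove all keyword rules (v4 and v6) and persist.
able_all_keyworld_out() {
  local tbl
  grep_out_keyword
  if [[ -z "${disable_out_keyworld_text}" ]]; then
    echo -e "${Error} 检测到未封禁任何 关键词,请检查 !"
    exit 0
  fi
  for tbl in $v4iptables $v6iptables; do
    delete_keyword_rules "${tbl}"
  done
  save_iptables_v4_v6
  display_out_keyworld
  echo -e "${Info} 已解封所有关键词 !"
}

#######################################
# Ask how keywords are supplied (manual / local file / URL) and fill $key_word.
# Arguments: $1 - "ban" or "unban" (selects the manual-entry prompt)
#            $2 - "ban_1" to skip the type question on repeat iterations
# Globals:   key_word_type (read/written), Type, Type_1
#######################################
input_want_keyworld_type() {
  Type=$1
  Type_1=$2
  if [[ "${Type_1}" != "ban_1" ]]; then
    echo -e "请选择输入类型:
1. 手动输入(只支持单个关键词)
2. 本地文件读取(支持批量读取关键词,每行一个关键词)
3. 网络地址读取(支持批量读取关键词,每行一个关键词)" && echo
    read -e -p "(默认: 1. 手动输入):" key_word_type
  fi
  [[ -z "${key_word_type}" ]] && key_word_type="1"
  case "${key_word_type}" in
    2) input_disable_keyworlds_file ;;
    3) input_disable_keyworlds_url ;;
    *)
      # "1" and any unrecognised answer mean manual entry.
      key_word_type="1"
      if [[ "${Type}" == "ban" ]]; then
        input_disable_want_keyworld
      else
        input_able_want_keyworld
      fi
      ;;
  esac
}

# Prompt for a single keyword to ban into $key_word; empty input exits.
input_disable_want_keyworld() {
  echo -e "请输入欲封禁的 关键词(域名等,仅支持单个关键词)"
  if [[ "${Type_1}" != "ban_1" ]]; then
    echo -e "${Green_font_prefix}========示例说明========${Font_color_suffix}
关键词:youtube,即禁止访问任何包含关键词 youtube 的域名。
关键词:youtube.com,即禁止访问任何包含关键词 youtube.com 的域名(泛域名屏蔽)。
关键词:www.youtube.com,即禁止访问任何包含关键词 www.youtube.com 的域名(子域名屏蔽)。
更多效果自行测试(如关键词 .zip 即可禁止下载任何 .zip 后缀的文件)。" && echo
  fi
  read -e -p "(回车默认取消):" key_word
  [[ -z "${key_word}" ]] && echo "已取消..." && display_out_keyworld && exit 0
}

# Prompt for a single keyword to unban into $key_word; empty input exits.
input_able_want_keyworld() {
  echo -e "请输入欲解封的 关键词(根据上面的列表输入完整准确的 关键词)" && echo
  read -e -p "(回车默认取消):" key_word
  [[ -z "${key_word}" ]] && echo "已取消..." && display_out_keyworld && exit 0
}

#######################################
# Apply one mangle OUTPUT rule per non-empty line of $key_word with action $s
# to every available table, then persist. Reads the list with `read -r`
# instead of `echo -e | sed -n Np`, so backslashes in keywords are kept
# literally, blank lines no longer produce `--string ""`, and CRLF files work.
#######################################
set_out_keywords() {
  local kw tbl
  while IFS= read -r kw || [[ -n "${kw}" ]]; do
    kw=${kw%$'\r'}
    [[ -z "${kw}" ]] && continue
    for tbl in $v4iptables $v6iptables; do
      out_keyworld_rule "${tbl}" "${kw}" "${s}"
    done
  done <<<"${key_word}"
  save_iptables_v4_v6
}

# $1 iptables binary, $2 keyword, $3 "A"/"D". Matches the raw bytes of the
# keyword anywhere in the first 65535 bytes of an outgoing packet.
out_keyworld_rule() {
  "$1" -t mangle -"$3" OUTPUT -m string --string "$2" --algo bm --to 65535 -j DROP
}

#######################################
# Load $key_word from a local file (one keyword per line).
# The default now resolves relative to the script's directory, as the prompt
# promises, rather than the caller's working directory. Fix: the undefined
# View_ALL call is replaced by display_out_keyworld.
#######################################
input_disable_keyworlds_file() {
  local path
  echo -e "请输入欲封禁/解封的 关键词本地文件(请使用绝对路径)" && echo
  read -e -p "(默认 读取脚本同目录下的 key_word.txt ):" path
  [[ -z "${path}" ]] && path="$(cd "$(dirname "$0")" && pwd)/key_word.txt"
  if [[ ! -f "${path}" ]]; then
    echo -e "${Error} 没有找到文件 ${path} !" && display_out_keyworld && exit 0
  fi
  key_word=$(<"${path}")
  if [[ -z "${key_word}" ]]; then
    echo -e "${Error} 文件内容为空 !" && display_out_keyworld && exit 0
  fi
}

#######################################
# Load $key_word from a URL (one keyword per line). TLS verification is kept
# on: whatever is fetched becomes firewall rules on this host, so the
# original `--no-check-certificate` let any on-path party supply them.
# Fix: the undefined View_ALL call is replaced by display_out_keyworld.
#######################################
input_disable_keyworlds_url() {
  local url
  echo -e "请输入欲封禁/解封的 关键词网络文件地址(例如 http://xxx.xx/key_word.txt)" && echo
  read -e -p "(回车默认取消):" url
  [[ -z "${url}" ]] && echo "已取消..." && display_out_keyworld && exit 0
  key_word=$(wget -t3 -T5 -qO- "${url}")
  if [[ -z "${key_word}" ]]; then
    echo -e "${Error} 网络文件内容为空或访问超时 !" && display_out_keyworld && exit 0
  fi
}

# 出网细分功能模块
# 封禁BT、PT、SPAM
disable_all_out() {
  disable_btpt
  disable_spam
}

# Ban the built-in BT/PT keyword list unless it is already present.
disable_btpt() {
  check_BT
  if [[ -n "${BT_KEY_WORDS}" ]]; then
    echo -e "${Error} 检测到已封禁BT、PT 关键词,无需再次封禁 !"
    exit 0
  fi
  s="A"
  Set_BT
  echo -e "${Info} 已封禁BT、PT 关键词 !"
}

# $BT_KEY_WORDS is non-empty when a "torrent" keyword rule already exists.
check_BT() {
  grep_out_keyword
  BT_KEY_WORDS=$(printf '%s\n' "${disable_out_keyworld_list}" | grep "torrent")
}

# Apply/remove the BT list; set_out_keywords already persists, so no second save.
Set_BT() {
  key_word=${bt_key_word}
  set_out_keywords
}

# Ban the mail-related port groups unless the SMTP group is already present.
disable_spam() {
  check_SPAM
  if [[ -n "${SPAM_PORT}" ]]; then
    echo -e "${Error} 检测到已封禁SPAM(垃圾邮件) 端口,无需再次封禁 !"
    exit 0
  fi
  s="A"
  Set_SPAM
  echo -e "${Info} 已封禁SPAM(垃圾邮件) 端口 !"
}

# $SPAM_PORT is non-empty when the SMTP port group is already blocked.
check_SPAM() {
  grep_out_port
  SPAM_PORT=$(printf '%s\n' "${disable_outport_list}" | grep -F -- "${smtp_port}")
}

# Apply/remove the SPAM port groups on every available table, then persist.
Set_SPAM() {
  if [[ -n "${v4iptables}" && -n "${v6iptables}" ]]; then
    Set_SPAM_Code_v4_v6
  elif [[ -n "${v4iptables}" ]]; then
    Set_SPAM_Code_v4
  fi
  save_iptables_v4_v6
}

# IPv4 only. Fix: the original called a non-existent `ucp_outport_rules`, so
# the UDP half of the SPAM ban never applied on v4-only hosts.
Set_SPAM_Code_v4() {
  local grp
  for grp in "${smtp_port}" "${pop3_port}" "${imap_port}" "${other_port}"; do
    tcp_outport_rules "${v4iptables}" "${grp}" "${s}"
    udp_outport_rules "${v4iptables}" "${grp}" "${s}"
  done
}

# IPv4 and IPv6.
Set_SPAM_Code_v4_v6() {
  local grp tbl
  for grp in "${smtp_port}" "${pop3_port}" "${imap_port}" "${other_port}"; do
    for tbl in "${v4iptables}" "${v6iptables}"; do
      tcp_outport_rules "${tbl}" "${grp}" "${s}"
      udp_outport_rules "${tbl}" "${grp}" "${s}"
    done
  done
}

# 解封BT、PT、SPAM
able_all_out() {
  able_btpt
  able_spam
}

able_btpt() {
  check_BT
  if [[ -z "${BT_KEY_WORDS}" ]]; then
    echo -e "${Error} 检测到未封禁BT、PT 关键词,请检查 !"
    exit 0
  fi
  s="D"
  Set_BT
  echo -e "${Info} 已解封BT、PT 关键词 !"
}

able_spam() {
  check_SPAM
  if [[ -z "${SPAM_PORT}" ]]; then
    echo -e "${Error} 检测到未封禁SPAM(垃圾邮件) 端口,请检查 !"
    exit 0
  fi
  s="D"
  Set_SPAM
  view_all_disable_out
  echo -e "${Info} 已解封SPAM(垃圾邮件) 端口 !"
}

# 入网端口模块
# Interactive loop: open inbound ports until an empty line exits the script.
able_want_port_in() {
  display_in_port
  s="A"
  able_port_Type_1=""
  while true; do
    input_able_want_inport || continue
    set_in_ports
    echo -e "${Info} 已放行端口 [ ${PORT} ] !\n"
    able_port_Type_1="1"
  done
}

# Prompt for an inbound port spec to open into $PORT; returns 1 if malformed.
input_able_want_inport() {
  echo -e "请输入欲放行的 入网端口(单端口/多端口/连续端口段)"
  if [[ "${able_port_Type_1}" != "1" ]]; then
    echo -e "${Green_font_prefix}========入网端口示例说明========${Font_color_suffix}
单端口:25(单个端口)
多端口:25,26,465,587(多个端口用英文逗号分割)
连续端口段:25:587(25-587之间的所有端口)" && echo
  fi
  read -e -p "(回车默认取消):" PORT
  [[ -z "${PORT}" ]] && echo "已取消..." && display_in_port && exit 0
  if ! valid_port_spec "${PORT}"; then
    echo -e "${Error} 端口格式错误 [ ${PORT} ] !"
    return 1
  fi
}

# Interactive loop: close previously opened inbound ports.
disable_want_port_in() {
  display_in_port
  s="D"
  able_port_Type_1=""
  while true; do
    input_disable_want_inport || continue
    set_in_ports
    echo -e "${Info} 已取消放行端口 [ ${PORT} ] !\n"
    able_port_Type_1="1"
  done
}

# Prompt for an inbound port spec to close into $PORT; returns 1 if malformed.
input_disable_want_inport() {
  echo -e "请输入欲取消的 入网端口(单端口/多端口/连续端口段)"
  if [[ "${able_port_Type_1}" != "1" ]]; then
    echo -e "${Green_font_prefix}========入网端口示例说明========${Font_color_suffix}
单端口:25(单个端口)
多端口:25,26,465,587(多个端口用英文逗号分割)
连续端口段:25:587(25-587之间的所有端口)" && echo
  fi
  read -e -p "(回车默认取消):" PORT
  [[ -z "${PORT}" ]] && echo "已取消..." && display_in_port && exit 0
  if ! valid_port_spec "${PORT}"; then
    echo -e "${Error} 端口格式错误 [ ${PORT} ] !"
    return 1
  fi
}

# Apply the inbound TCP+UDP ACCEPT rules for $PORT with action $s to every
# available table, then persist.
set_in_ports() {
  local tbl
  for tbl in $v4iptables $v6iptables; do
    tcp_inport_rules "${tbl}" "${PORT}" "${s}"
    udp_inport_rules "${tbl}" "${PORT}" "${s}"
  done
  save_iptables_v4_v6
}

# $1 iptables binary, $2 port spec, $3 "A"/"D". The comment tags the rule so
# grep_tcp_inport can list it later.
tcp_inport_rules() {
  "$1" -t filter -"$3" INPUT -p tcp -m multiport --dports "$2" -j ACCEPT -m comment --comment "shellsettcp"
}

udp_inport_rules() {
  "$1" -t filter -"$3" INPUT -p udp -m multiport --dports "$2" -j ACCEPT -m comment --comment "shellsetudp"
}

# 入网IP模块
able_in_ips() {
  echo "设计中"
}
display_in_ip() {
  echo "设计中"
}

# 部分调用函数
#######################################
# Persist the current rule set. CentOS: iptables-services. Others: dump to
# /etc/*.up.rules and restore them from an ifupdown pre-up hook.
# NOTE(review): /etc/network/if-pre-up.d is only run by ifupdown; on hosts
# managed by netplan/NetworkManager the rules are saved but may not be
# restored at boot — confirm for the target systems.
#######################################
save_iptables_v4_v6() {
  local hook="/etc/network/if-pre-up.d/iptables"
  if [[ "${release}" == "centos" ]]; then
    if [[ -n "${v6iptables}" ]]; then
      service ip6tables save
      chkconfig --level 2345 ip6tables on
    fi
    service iptables save
    chkconfig --level 2345 iptables on
  else
    mkdir -p "${hook%/*}"
    if [[ -n "${v6iptables}" ]]; then
      ip6tables-save >/etc/ip6tables.up.rules
      printf '%s\n' '#!/bin/bash' \
        '/sbin/iptables-restore < /etc/iptables.up.rules' \
        '/sbin/ip6tables-restore < /etc/ip6tables.up.rules' >"${hook}"
    else
      printf '%s\n' '#!/bin/bash' \
        '/sbin/iptables-restore < /etc/iptables.up.rules' >"${hook}"
    fi
    iptables-save >/etc/iptables.up.rules
    chmod +x "${hook}"
  fi
}

display_out_port() {
  grep_out_port
  echo -e "===============${Red_background_prefix} 当前已封禁 端口 ${Font_color_suffix}==============="
  echo -e "${disable_outport_list}" && echo && echo -e "==============================================="
}

display_out_keyworld() {
  grep_out_keyword
  echo -e "==============${Red_background_prefix} 当前已封禁 关键词 ${Font_color_suffix}=============="
  echo -e "${disable_out_keyworld_list}" && echo -e "==============================================="
}

display_in_port() {
  grep_tcp_inport
  grep_udp_inport
  if [[ -n "${able_tcp_inport_list}" || -n "${able_udp_inport_list}" ]]; then
    echo -e "===============${Red_background_prefix} 当前已放行 端口 ${Font_color_suffix}==============="
  fi
  if [[ -n "${able_tcp_inport_list}" ]]; then
    echo
    echo "TCP"
    echo -e "${able_tcp_inport_list}" && echo && echo -e "==============================================="
  fi
  if [[ -n "${able_udp_inport_list}" ]]; then
    echo
    echo "UDP"
    echo -e "${able_udp_inport_list}" && echo && echo -e "==============================================="
  fi
}

display_ssh() {
  get_ssh_port
  echo
  echo "SSH 端口为 ${PORT}"
  echo
}

#######################################
# Detect the SSH listening port into $PORT.
# Takes what follows the last ':' of the first listening sshd socket, so both
# 0.0.0.0:22 and :::22 work (the original substr() assumed an 8-character
# IPv4 prefix and returned garbage for IPv6 sockets). Falls back to the Port
# directive in sshd_config, then to 22, instead of passing an empty --dports
# to iptables and leaving no inbound SSH rule after a rebuild.
#######################################
get_ssh_port() {
  local addr
  addr=$(netstat -anp 2>/dev/null | awk '/sshd/ && /LISTEN/ {print $4; exit}')
  PORT=${addr##*:}
  if [[ ! "${PORT}" =~ ^[0-9]+$ ]]; then
    PORT=$(awk '/^[[:space:]]*Port[[:space:]]+[0-9]+/ {print $2; exit}' /etc/ssh/sshd_config 2>/dev/null)
  fi
  [[ "${PORT}" =~ ^[0-9]+$ ]] || PORT="22"
}

# Column 13 of `-L -nvx --line-numbers` output is the multiport dports value.
grep_out_port() {
  disable_outport_list=$(iptables -t filter -L OUTPUT -nvx --line-numbers | grep "REJECT" | awk '{print $13}')
}
grep_tcp_inport() {
  able_tcp_inport_list=$(iptables -t filter -L INPUT -nvx --line-numbers | grep "shellsettcp" | awk '{print $13}')
}
grep_udp_inport() {
  able_udp_inport_list=$(iptables -t filter -L INPUT -nvx --line-numbers | grep "shellsetudp" | awk '{print $13}')
}

# Extract the quoted --string value of every DROP rule in mangle OUTPUT.
# Globals written: disable_out_keyworld_text/_list (v4), *_v6_text/_v6_list (v6).
grep_out_keyword() {
  disable_out_keyworld_list=""
  disable_out_keyworld_v6_list=""
  if [[ -n "${v6iptables}" ]]; then
    disable_out_keyworld_v6_text=$("${v6iptables}" -t mangle -L OUTPUT -nvx --line-numbers | grep "DROP")
    disable_out_keyworld_v6_list=$(printf '%s\n' "${disable_out_keyworld_v6_text}" | sed -r 's/.*\"(.+)\".*/\1/')
  fi
  disable_out_keyworld_text=$("${v4iptables}" -t mangle -L OUTPUT -nvx --line-numbers | grep "DROP")
  disable_out_keyworld_list=$(printf '%s\n' "${disable_out_keyworld_text}" | sed -r 's/.*\"(.+)\".*/\1/')
}

#######################################
# Ban the hosted blocklist. set_out_keywords already walks every line of
# $key_word; the original called it once per line (with arguments it
# ignores), inserting each keyword N times. TLS verification is kept on
# because the response becomes firewall rules.
#######################################
diable_blocklist_out() {
  s="A"
  echo -e "正在连接 关键词网络文件地址"
  key_word=$(wget -t3 -T5 -qO- "https://raw.githubusercontent.com/Aipblock/saveblocklist/main/block.txt")
  if [[ -z "${key_word}" ]]; then
    echo -e "${Error} 网络文件内容为空或访问超时 !" && display_out_keyworld && exit 0
  fi
  set_out_keywords
  echo -e "成功执行" && echo
}

# "夺回出入控制": reset the filter table and re-open only SSH.
clear_rebuild_ipta() {
  rebuild_iptables_rule
  echo "已清空所有规则"
  able_ssh_port
  echo "仅放行了 SSH端口:${PORT}"
}

#######################################
# Self-update. TLS verification is kept on because the download is executed
# as root immediately afterwards.
# NOTE(review): this URL points at Aipblock/iptaMshell, not the
# Aipblock/iPtato/main/iPtato.sh the README installs from, and the file it
# writes (iptaMshell.sh) is not this script — confirm which is upstream.
#######################################
Update_Shell() {
  local update_url="https://raw.githubusercontent.com/Aipblock/iptaMshell/main/iptaMshell.sh"
  sh_new_ver=$(wget -qO- -t1 -T3 "${update_url}" | grep 'sh_ver="' | awk -F "=" '{print $NF}' | sed 's/\"//g' | head -1)
  [[ -z "${sh_new_ver}" ]] && echo -e "${Error} 无法链接到 Github !" && exit 0
  wget -N "${update_url}" && chmod +x iptaMshell.sh && bash iptaMshell.sh
  echo -e "脚本已更新为最新版本[ ${sh_new_ver} ] !(注意:因为更新方式为直接覆盖当前运行的脚本,所以可能下面会提示一些报错,无视即可)" && exit 0
}

#######################################
# Entry point: detect the system, run first-time setup if needed, handle a
# non-interactive action argument, otherwise show the menu.
# Fix: the action names mapped to Ban_BT/Ban_SPAM/... which do not exist
# anywhere in the script; they now call the real handlers.
# Arguments: $1 - optional action: banbt|banspam|banall|unbanbt|unbanspam|unbanall
#######################################
main() {
  local action num
  check_system
  check_run
  var_v4_v6_iptables
  action=$1
  if [[ -n "${action}" ]]; then
    case "${action}" in
      banbt) disable_btpt && exit 0 ;;
      banspam) disable_spam && exit 0 ;;
      banall) disable_all_out && exit 0 ;;
      unbanbt) able_btpt && exit 0 ;;
      unbanspam) able_spam && exit 0 ;;
      unbanall) able_all_out && exit 0 ;;
    esac
  fi
  echo && echo -e " iptables防火墙 管理脚本 ${Red_font_prefix}[v${sh_ver}]${Font_color_suffix}
-- 基于逗比脚本修改 在此感谢大佬--
-- 与某些转发管理面板可能会有冲突 --
————————————
${Red_font_prefix}出网方向功能
${Green_font_prefix}0.${Font_color_suffix} 查看 当前封禁列表
${Green_font_prefix}1.${Font_color_suffix} 封禁 BT、PT
${Green_font_prefix}2.${Font_color_suffix} 封禁 SPAM(垃圾邮件)
${Green_font_prefix}3.${Font_color_suffix} 封禁 BT、PT、SPAM
${Green_font_prefix}4.${Font_color_suffix} 封禁 自定义 端口
${Green_font_prefix}5.${Font_color_suffix} 封禁 自定义关键词
${Green_font_prefix}6.${Font_color_suffix} 解封 BT、PT
${Green_font_prefix}7.${Font_color_suffix} 解封 SPAM(垃圾邮件)
${Green_font_prefix}8.${Font_color_suffix} 解封 BT、PT+SPAM
${Green_font_prefix}9.${Font_color_suffix} 解封 自定义 端口
${Green_font_prefix}10.${Font_color_suffix} 解封 自定义关键词
${Green_font_prefix}11.${Font_color_suffix} 解封 所有 关键词
${Green_font_prefix}12.${Font_color_suffix} 封禁 Blocklists

————————————
${Red_font_prefix}入网方向功能

${Green_font_prefix}13.${Font_color_suffix} 查看 当前放行端口
${Green_font_prefix}14.${Font_color_suffix} 查看 当前放行IP

${Green_font_prefix}15.${Font_color_suffix} 放行 自定义 端口
${Green_font_prefix}16.${Font_color_suffix} 删除 已放行 端口
${Green_font_prefix}17.${Font_color_suffix} 放行 自定义 IP

————————————
${Red_font_prefix}增强功能

${Green_font_prefix}18.${Font_color_suffix} 查看 当前SSH端口
${Green_font_prefix}19.${Font_color_suffix} 夺回出入控制(清空所有规则)

————————————
${Green_font_prefix}20.${Font_color_suffix} 升级脚本
${Red_font_prefix}注意:${Font_color_suffix} 本脚本与某些转发管理面板可能会有冲突
————————————
" && echo
  shell_run_tips
  # The menu has 21 entries (0-20); the prompt used to say 0-19.
  read -e -p " 请输入数字 [0-20]:" num
  case "${num}" in
    0) view_all_disable_out ;;
    1) disable_btpt ;;
    2) disable_spam ;;
    3) disable_all_out ;;
    4) disable_want_port_out ;;
    5) disable_want_keyworld_out ;;
    6) able_btpt ;;
    7) able_spam ;;
    8) able_all_out ;;
    9) able_want_port_out ;;
    10) able_want_keyworld_out ;;
    11) able_all_keyworld_out ;;
    12) diable_blocklist_out ;;
    13) display_in_port ;;
    14) display_in_ip ;;
    15) able_want_port_in ;;
    16) disable_want_port_in ;;
    17) able_in_ips ;;
    18) display_ssh ;;
    19) clear_rebuild_ipta ;;
    20) Update_Shell ;;
    *) echo "请输入正确数字 [0-20]" ;;
  esac
}

main "$@"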