diff --git a/bin/update_port.sh b/bin/update_port.sh
index ca9af88..83e2792 100644
--- a/bin/update_port.sh
+++ b/bin/update_port.sh
@@ -73,6 +73,88 @@ find_free_port() {
 return 1
 }
+# ==========================================
+# 函数名: manage_port
+# 参数1: allow 或 deny (操作类型)
+# 参数2: 端口号
+# --- 使用示例 ---
+# 开启端口 8888
+# manage_port allow 8888
+
+# 关闭端口 8888
+# manage_port deny 8888
+# ==========================================
+manage_port() {
+ local ACTION=$1
+ local PORT=$2
+
+ if [[ -z "$PORT" ]]; then
+ echo "错误: 未提供端口号"
+ return 1
+ fi
+
+ # 统一转换为小写,增强鲁棒性
+ ACTION=$(echo "$ACTION" | tr '[:upper:]' '[:lower:]')
+
+ echo "--- 正在对端口 $PORT 执行 $ACTION 操作 ---"
+
+ # 1. 防火墙 (Firewall) 逻辑处理
+ if command -v firewall-cmd >/dev/null 2>&1 && systemctl is-active --quiet firewalld; then
+ # CentOS/RHEL/Fedora (firewalld)
+ if [ "$ACTION" == "allow" ]; then
+ sudo firewall-cmd --zone=public --add-port=${PORT}/tcp --permanent
+ sudo firewall-cmd --zone=public --add-port=${PORT}/udp --permanent
+ elif [ "$ACTION" == "deny" ]; then
+ sudo firewall-cmd --zone=public --remove-port=${PORT}/tcp --permanent
+ sudo firewall-cmd --zone=public --remove-port=${PORT}/udp --permanent
+ fi
+ sudo firewall-cmd --reload
+ echo "[OK] firewalld 规则已更新 ($ACTION)"
+
+ elif command -v ufw >/dev/null 2>&1 && systemctl is-active --quiet ufw; then
+ # Ubuntu/Debian (ufw)
+ if [ "$ACTION" == "allow" ]; then
+ sudo ufw allow ${PORT}/tcp
+ sudo ufw allow ${PORT}/udp
+ elif [ "$ACTION" == "deny" ]; then
+ sudo ufw delete allow ${PORT}/tcp
+ sudo ufw delete allow ${PORT}/udp
+ fi
+ echo "[OK] ufw 规则已更新 ($ACTION)"
+
+ else
+ # 兜底方案 (iptables)
+ # allow 使用 -I (Insert) 插入到规则首行,deny 使用 -D (Delete)
+ local FLAG=$([ "$ACTION" == "allow" ] && echo "-I" || echo "-D")
+ sudo iptables $FLAG INPUT -p tcp --dport ${PORT} -j ACCEPT 2>/dev/null
+ sudo iptables $FLAG INPUT -p udp --dport ${PORT} -j ACCEPT 2>/dev/null
+ echo "[OK] iptables 规则已执行 ($ACTION)"
+ fi
+
+ # 2. 
SELinux 逻辑处理
+ if command -v getenforce >/dev/null 2>&1; then
+ local SELINUX_STATUS=$(getenforce)
+ if [ "$SELINUX_STATUS" == "Enforcing" ]; then
+ if command -v semanage >/dev/null 2>&1; then
+ if [ "$ACTION" == "allow" ]; then
+ # 尝试添加,若存在则尝试修改
+ sudo semanage port -a -t http_port_t -p tcp ${PORT} 2>/dev/null || \
+ sudo semanage port -m -t http_port_t -p tcp ${PORT}
+ elif [ "$ACTION" == "deny" ]; then
+ sudo semanage port -d -t http_port_t -p tcp ${PORT} 2>/dev/null
+ fi
+ echo "[OK] SELinux 端口权限已更新 ($ACTION)"
+ else
+ # 如果没装 semanage,在 allow 时开启全局布尔值,deny 时通常保持不变以防影响其他业务
+ if [ "$ACTION" == "allow" ]; then
+ echo "[!] 警告: 未找到 semanage,尝试开启全局网络连接开关..."
+ sudo setsebool -P httpd_can_network_connect 1
+ fi
+ fi
+ fi
+ fi
+}
+
 update_port(){
 local script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" # 脚本文件夹绝对路径
@@ -80,6 +162,7 @@ update_port(){
 local port=$(find_free_port)
 modify_json_file "$config_dir/config.json" ".inbounds[0].listen_port" "$port"
+ manage_port allow "$port"
 echo "设置端口成功"
 }
diff --git a/install.sh b/install.sh
index 6f63e40..5630d84 100644
--- a/install.sh
+++ b/install.sh
@@ -37,6 +37,12 @@ install(){
 }
+get_listen_port(){
+ local port=$(jq ./config/config.json ".inbounds[0].listen_port")
+ echo $port
+}
+
+
 main(){
 # 显示菜单
 echo "请选择一个操作:"
@@ -59,17 +65,19 @@ main(){
 # 一键部署
 install
 create_config
- run
+ prot_manage allow $(get_listen_port)
+ run
 print_share_link
 ;;
 2)
 # 生成配置 / 重置配置
 create_config
+ prot_manage allow $(get_listen_port)
 ;;
 3)
 # 查看分享链接
 check_config_file
- print_share_link
+ print_share_link
 ;;
 4)
 # 修改域名
@@ -81,6 +89,7 @@ main(){
 # 修改端口
 check_config_file
 update_port
+ prot_manage allow $(get_listen_port)
 restart_docker
 ;;
 6)
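Review bot: `manage_port` interpolates `$PORT` into sudo firewall-cmd/ufw/iptables/semanage command lines after checking only that it is non-empty, and never validates `$ACTION`, so any value other than allow/deny falls through to a firewalld `--reload` plus an `[OK]` message, or to `iptables -D` in the fallback branch. Add `[[ "$PORT" =~ ^[0-9]+$ && "$PORT" -ge 1 && "$PORT" -le 65535 ]] || { echo "错误: 端口号无效: $PORT" >&2; return 1; }` and `[[ "$ACTION" == allow || "$ACTION" == deny ]] || { echo "错误: 未知操作: $ACTION" >&2; return 1; }` right after the lowercase conversion. Every `[OK] …` line is printed unconditionally while the iptables and semanage calls send stderr to /dev/null, so a failed rule change is reported as success; test the exit status of each sudo call before printing it. The SELinux branch labels the port `http_port_t` and, when `-a` fails, `semanage port -m` re-labels a port that may already be defined for another service's type, while the no-semanage fallback flips the global `httpd_can_network_connect` boolean, which does not govern a listening port at all — both deserve an explicit comment stating that this is assumed correct for the service described by config.json, or should be gated on the actual service type.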
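Review bot: The new `manage_port allow "$port"` opens the freshly chosen port but nothing closes the previous one, so each run of update_port leaves one more allowed port in the firewall and the SELinux port policy. Capture the current value before `modify_json_file` overwrites it and release it afterwards, e.g. `local old_port; old_port=$(jq -r '.inbounds[0].listen_port' "$config_dir/config.json")` before the change and `[[ -n "$old_port" && "$old_port" != "$port" ]] && manage_port deny "$old_port"` after the allow call, if jq is available to this script (its earlier lines are outside the hunk, so that is not visible here). The exit status of `manage_port` is also ignored before `echo "设置端口成功"`, so a failed firewall change still reports success; `manage_port allow "$port" || return 1` would surface it.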
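Review bot: `jq ./config/config.json ".inbounds[0].listen_port"` has its arguments reversed — jq takes the filter first and the input file second — so the path is parsed as a program and the real filter is treated as a nonexistent input file; the call fails and `get_listen_port` prints an empty string that callers then hand to the firewall function as the port. Use `local port` / `port=$(jq -r '.inbounds[0].listen_port' ./config/config.json) || return 1` / `printf '%s\n' "$port"`: `-r` strips the JSON quoting, splitting declaration from assignment keeps jq's exit status visible instead of being masked by `local`, and `printf` avoids the word-splitting of `echo $port`. The relative path `./config/config.json` also makes the result depend on the caller's working directory, unlike bin/update_port.sh, which resolves its paths from `${BASH_SOURCE[0]}`.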
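Review bot: The new calls invoke `prot_manage`, but the function this commit defines in bin/update_port.sh is `manage_port`; unless `prot_manage` exists elsewhere, each call fails with "command not found" after the config has already been written, and would abort the menu action if the script runs under `set -e`. The same applies to the call added in the case-5 hunk (`@@ -81,6 +89,7 @@`). The port is also passed as a bare `$(get_listen_port)` inside the argument list, which hides the lookup's exit status, so a jq failure or a missing key (`null`) is forwarded as the port; capture it first with `local port; port=$(get_listen_port) || return 1` and then call `manage_port allow "$port"`. Whether install.sh sources bin/update_port.sh is not visible in this diff.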