#!/bin/bash # 查找随机空闲端口 # 用途: # 在指定端口范围内,随机选择一个当前未被监听(TCP/UDP)的端口 # 参数: # $1: 起始端口(默认 10001) # $2: 结束端口(默认 65535) # $3: 最大随机尝试次数(默认 100) find_free_port() { local start="${1:-10001}" local max="${2:-65535}" local attempts="${3:-100}" # ------------------------------------------------------------ # 收集当前正在监听的端口(TCP + UDP) # 优先使用 ss,其次 netstat # ------------------------------------------------------------ local used_ports raw if command -v ss >/dev/null 2>&1; then # ss 输出示例: # LISTEN 0 128 0.0.0.0:22 raw=$(ss -lntu 2>/dev/null || true) used_ports=$(printf "%s\n" "$raw" \ | awk '{print $5}' \ | sed -E 's/.*[:]//g') elif command -v netstat >/dev/null 2>&1; then # netstat 输出示例: # tcp 0 0 0.0.0.0:22 raw=$(netstat -lntu 2>/dev/null || true) used_ports=$(printf "%s\n" "$raw" \ | awk '{print $4}' \ | sed -E 's/.*[:]//g') else echo "Error: ss or netstat is required to check listening ports." >&2 return 2 fi # ------------------------------------------------------------ # 将已占用端口存入关联数组,便于 O(1) 判断 # 需要 bash 4+ # ------------------------------------------------------------ declare -A used_map local p for p in $used_ports; do # 过滤非数字字段(如 *、:::) if [[ $p =~ ^[0-9]+$ ]]; then used_map["$p"]=1 fi done # ------------------------------------------------------------ # 随机尝试若干次 # 每次随机生成一个端口,只要未被监听就立即返回 # ------------------------------------------------------------ local port i for ((i=0; i&2 return 1 } # ========================================== # 函数名: manage_port # 参数1: allow 或 deny (操作类型) # 参数2: 端口号 # --- 使用示例 --- # 开启端口 8888 # manage_port allow 8888 # 关闭端口 8888 # manage_port deny 8888 # ========================================== manage_port() { local ACTION=$1 local PORT=$2 if [[ -z "$PORT" ]]; then echo "错误: 未提供端口号" return 1 fi # 统一转换为小写,增强鲁棒性 ACTION=$(echo "$ACTION" | tr '[:upper:]' '[:lower:]') echo "--- 正在对端口 $PORT 执行 $ACTION 操作 ---" # 1. 防火墙 (Firewall) 逻辑处理 if command -v firewall-cmd >/dev/null 2>&1 && systemctl is-active --quiet firewalld; then # CentOS/RHEL/Fedora (firewalld) if [ "$ACTION" == "allow" ]; then sudo firewall-cmd --zone=public --add-port=${PORT}/tcp --permanent sudo firewall-cmd --zone=public --add-port=${PORT}/udp --permanent elif [ "$ACTION" == "deny" ]; then sudo firewall-cmd --zone=public --remove-port=${PORT}/tcp --permanent sudo firewall-cmd --zone=public --remove-port=${PORT}/udp --permanent fi sudo firewall-cmd --reload echo "[OK] firewalld 规则已更新 ($ACTION)" elif command -v ufw >/dev/null 2>&1 && systemctl is-active --quiet ufw; then # Ubuntu/Debian (ufw) if [ "$ACTION" == "allow" ]; then sudo ufw allow ${PORT}/tcp sudo ufw allow ${PORT}/udp elif [ "$ACTION" == "deny" ]; then sudo ufw delete allow ${PORT}/tcp sudo ufw delete allow ${PORT}/udp fi echo "[OK] ufw 规则已更新 ($ACTION)" else # 兜底方案 (iptables) # allow 使用 -I (Insert) 插入到规则首行,deny 使用 -D (Delete) local FLAG=$([ "$ACTION" == "allow" ] && echo "-I" || echo "-D") sudo iptables $FLAG INPUT -p tcp --dport ${PORT} -j ACCEPT 2>/dev/null sudo iptables $FLAG INPUT -p udp --dport ${PORT} -j ACCEPT 2>/dev/null echo "[OK] iptables 规则已执行 ($ACTION)" fi # 2. SELinux 逻辑处理 if command -v getenforce >/dev/null 2>&1; then local SELINUX_STATUS=$(getenforce) if [ "$SELINUX_STATUS" == "Enforcing" ]; then if command -v semanage >/dev/null 2>&1; then if [ "$ACTION" == "allow" ]; then # 尝试添加,若存在则尝试修改 sudo semanage port -a -t http_port_t -p tcp ${PORT} 2>/dev/null || \ sudo semanage port -m -t http_port_t -p tcp ${PORT} elif [ "$ACTION" == "deny" ]; then sudo semanage port -d -t http_port_t -p tcp ${PORT} 2>/dev/null fi echo "[OK] SELinux 端口权限已更新 ($ACTION)" else # 如果没装 semanage,在 allow 时开启全局布尔值,deny 时通常保持不变以防影响其他业务 if [ "$ACTION" == "allow" ]; then echo "[!] 警告: 未找到 semanage,尝试开启全局网络连接开关..." sudo setsebool -P httpd_can_network_connect 1 fi fi fi fi } update_port(){ local script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" # 脚本文件夹绝对路径 local config_dir="$script_dir/../config" local port=$(find_free_port) modify_json_file "$config_dir/config.json" ".inbounds[0].listen_port" "$port" manage_port allow "$port" echo "设置端口成功" }