feat: add UFW configuration support

2025-08-29 17:59:40 +08:00 · 2025-08-29 17:59:40 +08:00 · 3776b05bed
commit 3776b05bed
parent af62764573
2 changed files with 42 additions and 0 deletions
--- a/configure_priv.sh
+++ b/configure_priv.sh
@ -341,6 +341,17 @@ configure_iptables() {
    [ $offline -eq 1 ] && return
    [ "$(uname)" = "Darwin" ] && return

+    # 如果 ufw 是 active，就直接返回
+    if command_exists ufw; then
+        if sudo ufw status | grep -q "Status: active"; then
+            echo "检测到 ufw 已启用，跳过 iptables 配置。"
+            return
+        fi
+        if confirm_action "检测到 ufw 已存在，是否直接使用 ufw 进行管理，跳过 iptables" "Y"; then
+            return
+        fi
+    fi
+
    if command_exists ifquery && systemctl is-active --quiet networking; then
        # ifupdown: /etc/network/if-pre-up.d/iptables-load
        [ -f /etc/network/if-pre-up.d/iptables-load ] && return
@ -370,6 +381,32 @@ configure_iptables() {
    fi
 }

+configure_ufw() {
+    [ $offline -eq 1 ] && return
+    [ "$(uname)" = "Darwin" ] && return
+    ! command_exists ufw && return
+
+    if sudo ufw status | grep -q "Status: inactive"; then
+        return
+    fi
+
+    # 如果 ufw 没有被脚本初始化过
+    if ! sudo ufw status verbose | grep -q "Initialized by lazy"; then
+        if confirm_action "要配置 ufw 吗？" "N"; then
+            # 默认拒绝所有入站连接
+            sudo ufw default deny incoming
+            sudo ufw default allow outgoing
+            # 允许常用端口
+            sudo ufw allow ssh comment 'SSH (Initialized by lazy)'
+            sudo ufw allow http
+            sudo ufw allow https
+            sudo ufw allow 2263/tcp comment 'SSH'
+            sudo ufw allow 9443/tcp comment 'gost-proxy'
+            sudo ufw allow 6330/tcp comment 'node-exporter'
+        fi
+    fi
+}
+
 configure_zsh_prefix() {
    [ -f ~/.zsh_user ] || return

@ -595,6 +632,7 @@ configure_tmux
 configure_docker
 configure_fail2ban
 configure_iptables
+configure_ufw
 # configure_hostname
 configure_timedate
 configure_bootinfo
--- a/files/iptables-load
+++ b/files/iptables-load
@ -48,4 +48,8 @@ iptables -P INPUT DROP
 add_input_tcp_filter 9443 gost-proxy
 add_input_tcp_filter 6330 node-exporter

+##########
+# if you use ufw, please execute `sudo ufw allow xxxx/tcp comment 'xxxx'``
+##########
+
 # ====================