124 lines
3.3 KiB
Bash
124 lines
3.3 KiB
Bash
#!/bin/bash
|
||
|
||
# 综合防火墙禁用脚本 - 彻底开放所有端口
|
||
|
||
set -e
|
||
|
||
echo "=== 开始彻底禁用所有防火墙,开放所有端口 ==="
|
||
|
||
# 检查root权限
|
||
if [ "$EUID" -ne 0 ]; then
|
||
echo "请使用 root 权限运行此脚本"
|
||
exit 1
|
||
fi
|
||
|
||
# 函数:检查并停止服务
|
||
stop_service() {
|
||
local service_name=$1
|
||
if systemctl is-active --quiet "$service_name"; then
|
||
echo "停止 $service_name 服务..."
|
||
systemctl stop "$service_name"
|
||
systemctl disable "$service_name"
|
||
echo "✓ $service_name 已停止并禁用"
|
||
else
|
||
echo "✓ $service_name 未运行"
|
||
fi
|
||
}
|
||
|
||
# 停止所有防火墙服务
|
||
stop_service "ufw"
|
||
stop_service "firewalld"
|
||
stop_service "nftables"
|
||
stop_service "iptables"
|
||
|
||
# 清除 iptables 规则并设置默认策略为 ACCEPT
|
||
echo "清除 iptables 规则并开放所有连接..."
|
||
iptables -F
|
||
iptables -X
|
||
iptables -t nat -F
|
||
iptables -t nat -X
|
||
iptables -t mangle -F
|
||
iptables -t mangle -X
|
||
iptables -P INPUT ACCEPT
|
||
iptables -P FORWARD ACCEPT
|
||
iptables -P OUTPUT ACCEPT
|
||
|
||
# 清除 ip6tables 规则并设置默认策略为 ACCEPT
|
||
ip6tables -F
|
||
ip6tables -X
|
||
ip6tables -t nat -F
|
||
ip6tables -t nat -X
|
||
ip6tables -t mangle -F
|
||
ip6tables -t mangle -X
|
||
ip6tables -P INPUT ACCEPT
|
||
ip6tables -P FORWARD ACCEPT
|
||
ip6tables -P OUTPUT ACCEPT
|
||
|
||
# 清除 nftables 规则并加载允许所有流量的配置
|
||
echo "清除 nftables 规则并开放所有连接..."
|
||
nft flush ruleset 2>/dev/null || true
|
||
|
||
# 创建允许所有的 nftables 配置
|
||
cat > /tmp/nftables-accept-all.conf << 'EOF'
|
||
#!/usr/sbin/nft -f
|
||
|
||
flush ruleset
|
||
|
||
table inet filter {
|
||
chain input {
|
||
type filter hook input priority 0; policy accept;
|
||
}
|
||
chain forward {
|
||
type filter hook forward priority 0; policy accept;
|
||
}
|
||
chain output {
|
||
type filter hook output priority 0; policy accept;
|
||
}
|
||
}
|
||
EOF
|
||
|
||
nft -f /tmp/nftables-accept-all.conf
|
||
cp /tmp/nftables-accept-all.conf /etc/nftables.conf
|
||
|
||
# 防止其他防火墙服务干扰
|
||
echo "禁用其他可能的防火墙模块和服务..."
|
||
|
||
# 禁用 SELinux(临时)
|
||
setenforce 0 2>/dev/null || true
|
||
|
||
# 停止并禁用 AppArmor
|
||
stop_service "apparmor"
|
||
|
||
# 停止并禁用 Shorewall
|
||
stop_service "shorewall"
|
||
|
||
# 停止并禁用 IPCop(如有)
|
||
stop_service "ipcop"
|
||
|
||
# 停止并禁用 CSF (ConfigServer Security & Firewall)
|
||
stop_service "csf"
|
||
stop_service "lfd"
|
||
|
||
# 清除可能的遗留规则(如 raw, security 表)
|
||
iptables -t raw -F 2>/dev/null || true
|
||
iptables -t security -F 2>/dev/null || true
|
||
ip6tables -t raw -F 2>/dev/null || true
|
||
ip6tables -t security -F 2>/dev/null || true
|
||
|
||
# 显示最终状态
|
||
echo ""
|
||
echo "=== 防火墙状态 ==="
|
||
echo "ufw: $(systemctl is-active ufw 2>/dev/null || echo 'inactive')"
|
||
echo "firewalld: $(systemctl is-active firewalld 2>/dev/null || echo 'inactive')"
|
||
echo "nftables: $(systemctl is-active nftables 2>/dev/null || echo 'inactive')"
|
||
echo "iptables: $(systemctl is-active iptables 2>/dev/null || echo 'inactive')"
|
||
echo ""
|
||
|
||
echo "=== 当前策略 ==="
|
||
echo "IPv4 INPUT: $(iptables -L INPUT -n | grep policy | awk '{print $4}')"
|
||
echo "IPv6 INPUT: $(ip6tables -L INPUT -n | grep policy | awk '{print $4}')"
|
||
|
||
echo ""
|
||
echo "✅ 所有防火墙已彻底禁用,所有端口已开放,外部连接畅通无阻!"
|
||
echo "🚨 警告:此配置极度危险,仅用于测试或封闭网络环境!"
|