An nftables version has been added at the end of the post.

This is a UFW + IPSet setup that only allows mainland China and Cloudflare to reach ports 80/443 of a website.
The script manages the rules automatically, works on dual-stack (IPv4/IPv6) hosts, and refreshes the IP ranges daily.

Main features:

🧩 Native UFW compatibility: existing rules are not modified; the allow logic is only appended to the user chains.

🌏 Precise allow-listing: access is limited to sources in mainland China and Cloudflare.

🔄 Automatic updates: a systemd timer refreshes the IP data every day.

⚡ Dual-stack support: IPv4 and IPv6 are controlled independently.


🚀 One-click deployment script

curl -sS -O https://raw.githubusercontent.com/woniu336/open_shell/main/ufw_cn.sh && chmod +x ufw_cn.sh && ./ufw_cn.sh

Note: the script detects the current UFW state and rules, and appends the CN and Cloudflare allow rules without affecting the existing policy.


🔍 View the current rules

iptables -L ufw-user-input -n --line-numbers
ip6tables -L ufw6-user-input -n --line-numbers

🧹 Remove the rules (restore the original state)

This removes the IPSet sets and the related allow rules, returning the firewall to its default state:

curl -sS -O https://raw.githubusercontent.com/woniu336/open_shell/main/cleanup_ipset.sh && chmod +x cleanup_ipset.sh && ./cleanup_ipset.sh

Afterwards, re-order the allow rules so that they do not conflict:

# IPv4
sudo iptables -D ufw-user-input -p tcp --dport 80 -j ACCEPT
sudo iptables -D ufw-user-input -p tcp --dport 443 -j ACCEPT
sudo iptables -A ufw-user-input -p tcp --dport 80 -j ACCEPT
sudo iptables -A ufw-user-input -p tcp --dport 443 -j ACCEPT

# IPv6
sudo ip6tables -D ufw6-user-input -p tcp --dport 80 -j ACCEPT
sudo ip6tables -D ufw6-user-input -p tcp --dport 443 -j ACCEPT
sudo ip6tables -A ufw6-user-input -p tcp --dport 80 -j ACCEPT
sudo ip6tables -A ufw6-user-input -p tcp --dport 443 -j ACCEPT

Verify that the rules were loaded correctly:

iptables -L ufw-user-input -n --line-numbers
ip6tables -L ufw6-user-input -n --line-numbers
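The delete-then-append step above only matters because iptables evaluates a chain top to bottom: a blanket "--dport 80 -j ACCEPT" that sits above the set-matched rules makes the allow-list irrelevant for that port. The following check, which is an added example and not part of the scripts in this post, reads the output of `iptables -S ufw-user-input` (or `ip6tables -S ufw6-user-input`) and fails if any blanket ACCEPT for 80/443 appears before another rule that references the same port. The two sample chain dumps are constructed for the test; the rule text mirrors the commands shown in this post, and the set name "china" is assumed from the ipset commands below.

```shell
#!/bin/sh
# check_order: read `iptables -S <chain>` output on stdin and return 0 only if
# every blanket "--dport 80/443 -j ACCEPT" (no "-m set") comes AFTER every other
# rule in the chain that mentions the same port. This is the ordering the
# delete-then-append commands in the post produce.
check_order() {
  awk '
    /^-A/ && /--dport (80|443)( |$)/ {
      n++
      match($0, /--dport [0-9]+/)
      port = substr($0, RSTART + 8, RLENGTH - 8)
      blanket = ($0 !~ /-m set/ && $0 ~ /-j ACCEPT$/)
      if (blanket) {
        if (!(port in first_blanket)) first_blanket[port] = n
      } else if (port in first_blanket) {
        # a port-specific rule is shadowed by an earlier blanket ACCEPT
        print "shadowed by blanket ACCEPT: " $0
        bad++
      }
    }
    END { exit (bad ? 1 : 0) }'
}

# Constructed sample: correct order (set-matched rules first, blanket ACCEPT last).
SAMPLE_OK='-N ufw-user-input
-A ufw-user-input -p tcp -m set --match-set china src -m tcp --dport 80 -j ACCEPT
-A ufw-user-input -p tcp -m set --match-set china src -m tcp --dport 443 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 80 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 443 -j ACCEPT'

# Constructed sample: wrong order (the blanket ACCEPT for 80 precedes the set rule).
SAMPLE_BAD='-N ufw-user-input
-A ufw-user-input -p tcp -m tcp --dport 80 -j ACCEPT
-A ufw-user-input -p tcp -m set --match-set china src -m tcp --dport 80 -j ACCEPT
-A ufw-user-input -p tcp -m set --match-set china src -m tcp --dport 443 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 443 -j ACCEPT'

# Against a live host you would run:  iptables -S ufw-user-input | check_order
```

Run it against both chains after the reorder step; a non-zero exit status plus the printed rule tells you which port is still shadowed.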

⚙️ Other commands

Manually allow an IP:

sudo ipset add china 6.6.6.6

Remove a given IP from the set:

sudo ipset del china 6.6.6.6

Allow Bingbot (the Bing crawler); these are the Bing crawler IP ranges:

sudo ipset add china 157.55.39.0/24
sudo ipset add china 207.46.13.0/24
sudo ipset add china 40.77.167.0/24
sudo ipset add china 13.66.139.0/24
sudo ipset add china 13.66.144.0/24
sudo ipset add china 52.167.144.0/24
sudo ipset add china 13.67.10.16/28
sudo ipset add china 13.69.66.240/28
sudo ipset add china 13.71.172.224/28
sudo ipset add china 139.217.52.0/28
sudo ipset add china 191.233.204.224/28
sudo ipset add china 20.36.108.32/28
sudo ipset add china 20.43.120.16/28
sudo ipset add china 40.79.131.208/28
sudo ipset add china 40.79.186.176/28
sudo ipset add china 52.231.148.0/28
sudo ipset add china 20.79.107.240/28
sudo ipset add china 51.105.67.0/28
sudo ipset add china 20.125.163.80/28
sudo ipset add china 40.77.188.0/22
sudo ipset add china 65.55.210.0/24
sudo ipset add china 199.30.24.0/23
sudo ipset add china 40.77.202.0/24
sudo ipset add china 40.77.139.0/25
sudo ipset add china 20.74.197.0/28
sudo ipset add china 20.15.133.160/27
sudo ipset add china 40.77.177.0/24
sudo ipset add china 40.77.178.0/23
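Before adding or removing single addresses it helps to know whether a client is already covered by one of the prefixes in the set, and `ipset test` needs root and a live set. The following is an added example, not code from the post or the scripts, that does the prefix match offline in POSIX sh and awk; the range list is a constructed subset of the Bingbot prefixes above, and the function names (cidr_contains, in_allowlist) are my own.

```shell
#!/bin/sh
# cidr_contains <cidr> <ipv4>: exit 0 if the address lies inside the prefix.
# POSIX awk has no bitwise AND, so the prefix test compares the two addresses
# divided by the block size (2^(32-bits)) instead of masking.
cidr_contains() {
  awk -v cidr="$1" -v ip="$2" 'BEGIN {
    split(cidr, c, "/"); bits = c[2]
    split(c[1], n, "."); split(ip, a, ".")
    neti = n[1]*16777216 + n[2]*65536 + n[3]*256 + n[4]
    ipi  = a[1]*16777216 + a[2]*65536 + a[3]*256 + a[4]
    block = 2^(32 - bits)
    exit (int(ipi / block) == int(neti / block) ? 0 : 1)
  }'
}

# Constructed sample: three of the Bingbot prefixes from the list above.
SAMPLE_RANGES="157.55.39.0/24 40.77.188.0/22 13.67.10.16/28"

# in_allowlist <ipv4>: print the first prefix in SAMPLE_RANGES that covers the
# address and exit 0; exit 1 (print nothing) when no prefix matches.
in_allowlist() {
  for c in $SAMPLE_RANGES; do
    if cidr_contains "$c" "$1"; then
      printf '%s\n' "$c"
      return 0
    fi
  done
  return 1
}

# Example: in_allowlist 157.55.39.10  ->  157.55.39.0/24
```

On the live host the same question is answered by `sudo ipset test china <ip>`; this offline version is useful for checking a list of addresses from your access log without touching the firewall.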

nftables version

curl -sS -O https://raw.githubusercontent.com/woniu336/open_shell/main/nft_cn.sh && chmod +x nft_cn.sh && ./nft_cn.sh

View the full ruleset

nft list ruleset

View the IPv4 set

nft list set inet filter china_ipv4

View the IPv6 set

nft list set inet filter china_ipv6

Manually allow an IP:

sudo nft add element inet filter china_ipv4 { 6.6.6.6 }

Remove a given IP from the set:

sudo nft delete element inet filter china_ipv4 { 6.6.6.6 }

Allow Bingbot (the Bing crawler):

sudo nft add element inet filter china_ipv4 { 157.55.39.0/24 }
sudo nft add element inet filter china_ipv4 { 207.46.13.0/24 }
sudo nft add element inet filter china_ipv4 { 40.77.167.0/24 }
sudo nft add element inet filter china_ipv4 { 13.66.139.0/24 }
sudo nft add element inet filter china_ipv4 { 13.66.144.0/24 }
sudo nft add element inet filter china_ipv4 { 52.167.144.0/24 }
sudo nft add element inet filter china_ipv4 { 13.67.10.16/28 }
sudo nft add element inet filter china_ipv4 { 13.69.66.240/28 }
sudo nft add element inet filter china_ipv4 { 13.71.172.224/28 }
sudo nft add element inet filter china_ipv4 { 139.217.52.0/28 }
sudo nft add element inet filter china_ipv4 { 191.233.204.224/28 }
sudo nft add element inet filter china_ipv4 { 20.36.108.32/28 }
sudo nft add element inet filter china_ipv4 { 20.43.120.16/28 }
sudo nft add element inet filter china_ipv4 { 40.79.131.208/28 }
sudo nft add element inet filter china_ipv4 { 40.79.186.176/28 }
sudo nft add element inet filter china_ipv4 { 52.231.148.0/28 }
sudo nft add element inet filter china_ipv4 { 20.79.107.240/28 }
sudo nft add element inet filter china_ipv4 { 51.105.67.0/28 }
sudo nft add element inet filter china_ipv4 { 20.125.163.80/28 }
sudo nft add element inet filter china_ipv4 { 40.77.188.0/22 }
sudo nft add element inet filter china_ipv4 { 65.55.210.0/24 }
sudo nft add element inet filter china_ipv4 { 199.30.24.0/23 }
sudo nft add element inet filter china_ipv4 { 40.77.202.0/24 }
sudo nft add element inet filter china_ipv4 { 40.77.139.0/25 }
sudo nft add element inet filter china_ipv4 { 20.74.197.0/28 }
sudo nft add element inet filter china_ipv4 { 20.15.133.160/27 }
sudo nft add element inet filter china_ipv4 { 40.77.177.0/24 }
sudo nft add element inet filter china_ipv4 { 40.77.178.0/23 }

Remove the rules

curl -sS -O https://raw.githubusercontent.com/woniu336/open_shell/main/cleanup_nftables.sh && chmod +x cleanup_nftables.sh && ./cleanup_nftables.sh