安装基本工具

# Base tooling used further down this page (downloads, git, the firewall
# script). nmap is installed here but not used by any command shown on the page.
apt update
apt install -y unzip git curl wget iptables nmap

安装 Xray

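# Official Xray installer, executed straight from the network as root.
# `-f` makes curl fail on an HTTP error instead of handing the error page to
# bash. To review the script before it runs, save it with `-o` and read it first.
bash <(curl -fsSL https://github.com/XTLS/Xray-install/raw/main/install-release.sh)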

启动 Xray

如果你用的是官方脚本安装,Xray 会自动注册 systemd 服务,运行:

# Inspect, start, and enable at boot the systemd unit the installer registered.
systemctl status xray
systemctl start xray
systemctl enable xray

如果你是手动安装的,可以直接运行:

# Run xray directly with an explicit config path (useful for seeing config
# errors immediately); the systemd unit above is what keeps it running.
xray run -config /usr/local/etc/xray/config.json
# Edit the server config (full example below). Before using it, replace every
# credential it carries with values generated on this host: the client `id`
# UUIDs (`xray uuid`), the Reality `privateKey` (`xray x25519` generates the
# key pair) and the `shortIds`. The values printed on this page are public, and
# a UUID is the only thing a client needs to use the matching inbound.
# Two more things to check in the example: `"loglevel": "none"` disables logging
# entirely despite the access/error paths, so use at least `"warning"` if you
# want logs for troubleshooting or incident review; and the third inbound
# (port 51002, `ws` with `"security": "none"`) has no TLS of its own, so it
# should only be reachable through a TLS-terminating reverse proxy.
nano /usr/local/etc/xray/config.json
{
"log": {
"loglevel": "none",
"access": "/var/log/xray/access.log",
"error": "/var/log/xray/error.log"
},
"dns": {
"servers": [
"https+local://cloudflare-dns.com/dns-query",
"1.1.1.1",
"1.0.0.1",
"8.8.8.8",
"8.8.4.4"
]
},
"inbounds": [
{
"listen": "0.0.0.0",
"port": 51000,
"protocol": "vless",
"settings": {
"clients": [
{
"id": "5c0a5ab5-b094-4b99-8339-4cb1008e4089",
"flow": "xtls-rprx-vision"
}
],
"decryption": "none"
},
"streamSettings": {
"network": "tcp",
"security": "reality",
"realitySettings": {
"show": false,
"dest": "yahoo.com:443",
"xver": 0,
"serverNames": [
"yahoo.com"
],
"privateKey": "0PZ5JSMLF-wqmknlDjCpxjWOqfs5zklTm1ZgObUZ3QY",
"minClientVer": "",
"maxClientVer": "",
"maxTimeDiff": 0,
"shortIds": [
"a2bd769dbe5544e2"
]
}
},
"sniffing": {
"enabled": false,
"destOverride": [
"http",
"tls",
"quic"
]
}
},
{
"listen": "0.0.0.0",
"port": 51001,
"protocol": "vless",
"settings": {
"clients": [
{
"id": "34d74169-45ea-474f-a0d7-23acb6b5b9d4"
}
],
"decryption": "none"
},
"streamSettings": {
"network": "xhttp",
"security": "reality",
"realitySettings": {
"target": "www.apple.com:443",
"xver": 0,
"serverNames": [
"www.apple.com"
],
"privateKey": "0PZ5JSMLF-wqmknlDjCpxjWOqfs5zklTm1ZgObUZ3QY",
"shortIds": [
"a2bd769dbe5544e2"
]
}
},
"sniffing": {
"enabled": false,
"destOverride": [
"http",
"tls",
"quic"
]
}
},
{
"listen": "0.0.0.0",
"port": 51002,
"protocol": "vless",
"settings": {
"clients": [
{
"flow": "",
"id": "de0512e6-7d1e-43e8-89fe-d6250875f684"
}
],
"decryption": "none",
"fallbacks": []
},
"streamSettings": {
"network": "ws",
"security": "none",
"wsSettings": {
"acceptProxyProtocol": false,
"headers": {},
"heartbeatPeriod": 0,
"host": "",
"path": "/rss"
}
},
"sniffing": {
"enabled": false,
"destOverride": [
"http",
"tls",
"quic"
],
"metadataOnly": false,
"routeOnly": false
}
}
],
"routing": {
"rules": [
{
"type": "field",
"protocol": [
"bittorrent"
],
"outboundTag": "block"
}
]
},
"outbounds": [
{
"protocol": "freedom",
"settings": {}
},
{
"tag": "block",
"protocol": "blackhole",
"settings": {}
}
]
}
# Apply the edited config.
systemctl restart xray
# Downloads an archive from a personal host. The page does not say what it
# contains or give a checksum, so inspect it before extracting or running
# anything from it.
wget https://xingyue.serv00.net/apine.zip

内核参数(禁用 IPv6 / ping,启用 BBR)

# Kernel parameters (contents below); applied afterwards with `sysctl -p`.
nano /etc/sysctl.conf
# Disable IPv6 on all interfaces
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1

# Ignore ICMP echo (ping). This also defeats legitimate reachability checks and
# does not hide the listening TCP ports, so its security value is limited.
net.ipv4.icmp_echo_ignore_all = 1

# Use BBR for TCP congestion control. If bbr is not available in the running
# kernel (`modprobe tcp_bbr`), `sysctl -p` reports an error on this line.
# BBR is commonly paired with `net.core.default_qdisc = fq`.
net.ipv4.tcp_congestion_control = bbr
# Load /etc/sysctl.conf without rebooting.
sysctl -p

SSH 密钥登录

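# Key-based SSH login for the current user (presumably root, as the rest of
# this page runs without sudo). `-p` keeps this working when ~/.ssh already
# exists — a plain mkdir would fail and the chmod would be skipped. With the
# default StrictModes, sshd refuses the key file if this directory is
# group- or world-writable.
mkdir -p ~/.ssh && chmod 700 ~/.ssh
cd ~/.ssh || exit 1
# Paste only public keys whose private half you hold: every key in this file
# grants a login.
nano authorized_keys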
# Example entry only — this appears to be the page author's key (comment
# "rsa-key-20230612"). Replace it with the public key from your own key pair;
# copying it as-is lets the holder of the matching private key log in.
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDMwe3w4S9SI8pjYMVnibPllQ2b33oB8fx8ZIp/GnyDG/qDdvMZcAYy1M+tmnOk9MViKzFu4agNH70GkdHtHeqzntrizVfdD80JTxigKE/35wEnOdk1k6BvpSCYMMBIqPnmjiXYMBbSDryQCixLJw+7LqYSL9C8+mOSlnzWVQfgdd6kmHzgSrlzn0xiiqOMwGZWn50dXSv8EVIHriqzp/IqD4RDWyqEhKolrZcAl3ukYqZTkkpHNF8YNM0cbKIQbFHHsW8LdCUPh+yZ3OTY9wS4nFmj9eVGHZw4lkBGB8vcHnnu69bW0XYQe/9GKQqOCuolNon9zcky0d9wuKp84Jaz rsa-key-20230612
# Owner-only permissions; with the default StrictModes, sshd ignores a key
# file that others can write.
chmod 600 authorized_keys

docker 和 docker-compose

# Docker's convenience installer, run straight from the network as root.
# `-f` keeps curl from feeding an HTTP error page to bash. To review the
# script first, save it with `curl -fsSL https://get.docker.com -o get-docker.sh`
# and run the saved copy.
curl -fsSL https://get.docker.com | bash -s docker
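# Fetch the latest docker-compose binary for this OS/arch. `-f` is required:
# without it an HTTP error page would be written to /usr/local/bin/docker-compose
# and then made executable. Pin a release tag instead of `latest` if you need
# reproducible installs.
curl -fL "https://github.com/docker/compose/releases/latest/download/docker-compose-$(uname -s)-$(uname -m)" \
  -o /usr/local/bin/docker-compose \
  && chmod +x /usr/local/bin/docker-compose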
# Confirm both binaries are on PATH and print their versions.
docker --version && docker-compose --version

手动设置 DNS

# Static resolver list (contents below). On many systems /etc/resolv.conf is
# generated by systemd-resolved or the DHCP client and a hand edit gets
# overwritten; check what manages it on this host first.
nano /etc/resolv.conf
# Cloudflare and Google public resolvers, tried in this order.
nameserver 1.1.1.1
nameserver 1.0.0.1
nameserver 8.8.8.8
nameserver 8.8.4.4

docker iptables 控制

# Tell Docker not to manage iptables itself (daemon.json below). Container
# forwarding and NAT then have to come from the firewall script in the
# iptables section of this page.
mkdir -p /etc/docker
nano /etc/docker/daemon.json
{
"iptables": false
}
# Restart so daemon.json takes effect, then show the service state.
service docker restart
service docker status

iptables

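#!/bin/bash
# Reset and rebuild the host firewall for a server running Xray and Docker with
# Docker's own iptables management disabled (see daemon.json above).
# Default policies are ACCEPT, so only the explicit DROP rules below restrict
# anything. IPv4 only; run as root. The rules are not persisted across a reboot
# (re-run this script or save them with iptables-save).
# Stop on the first failed command so a partially applied rule set is not
# reported as success.
set -eu

# Interface that carries the default route; override with WAN_IF=... when it
# is not eth0.
WAN_IF=${WAN_IF:-eth0}

echo "清空现有的所有规则"
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

echo "允许所有流量"
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

# Loopback traffic
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Rate-limit new TCP connections (stated purpose: slow down port scans).
# NOTE(review): this limit is global, not per source. Once more than 3 SYNs
# arrive within a second from anyone, every new connection (SSH, the Xray
# ports) is dropped until the bucket refills at 1/s, so a single scanner can
# throttle legitimate clients. `-m hashlimit --hashlimit-mode srcip` limits
# each source address separately.
iptables -A INPUT -p tcp --syn -m limit --limit 1/s --limit-burst 3 -j ACCEPT
iptables -A INPUT -p tcp --syn -j DROP

# Docker networking, done by hand because daemon.json sets "iptables": false.
# Assumes net.ipv4.ip_forward=1 (Docker normally enables it itself).
iptables -A FORWARD -o docker0 -j ACCEPT
iptables -A FORWARD -i docker0 -j ACCEPT
iptables -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE

# Block the NPM web UI (port 81) from non-loopback sources
iptables -A INPUT -p tcp --dport 81 -j DROP

# Block the 3x-ui panel port
iptables -A INPUT -p tcp --dport 49618 -j DROP

# Argument order is <service> <action>; the reversed form fails silently.
service docker restart

echo "docker 重启完毕"

sysctl -p

echo "初始化网络完成"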

ssh

# sshd settings (contents below). Keep this session open until a fresh login
# on the new port succeeds — a mistake here locks you out.
nano /etc/ssh/sshd_config
# Move sshd off 22. Reachability on 2500/tcp depends on the firewall: the
# iptables script on this page has no per-port rule for it, but its INPUT
# policy is ACCEPT.
Port 2500
# Client-side -L/-D forwarding (also the OpenSSH default).
AllowTcpForwarding yes
# Remote forwards (ssh -R) bind to all interfaces instead of loopback only, so
# anything forwarded this way is reachable from the internet. The default is
# no; keep that unless you rely on this behaviour.
GatewayPorts yes
# Key-only authentication: confirm the authorized_keys entry above works before
# reloading. PermitRootLogin is not set here; the OpenSSH default
# (prohibit-password) still allows key-based root login.
PasswordAuthentication no
PubkeyAuthentication yes
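# Validate the config before reloading; a syntax error would otherwise be
# discovered only by the reload itself, possibly with no way back in.
# (The unit is named `ssh` on some distributions.)
sshd -t && systemctl reload sshd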

时区

# System time zone. Local-time log timestamps on this host follow it; keep
# that in mind when correlating with UTC sources.
timedatectl set-timezone Asia/Shanghai

节点部署

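# Third-party Xray deployment script (233boy), fetched and run as root in one
# step; save it to a file and read it first if you want to review it.
# Only -q and -O- are needed: -O- puts the script on stdout for bash. wget's
# lower-case -o is the log-file option and must not point at stdout, or log
# lines would be fed to bash along with the script.
bash <(wget -qO- https://github.com/233boy/Xray/raw/main/install.sh)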