frp 透传出来之后,发现有太多不明 IP 来访问服务了,于是写了个脚本结合 iptables 和 ipset 来过滤访问。
frp 自带的 stcp 模式有个缺陷:端口都映射到本地 127.0.0.1 地址,如果端口很多呢?势必容易记错。
linux frps 服务端配置
[common]
bind_addr = 0.0.0.0
bind_port = 7000
bind_udp_port = 7001
vhost_http_port = 5000
vhost_https_port = 5001
auth_token = xxxxxxxxxxx
max_pool_count = 20
tcp_mux = true
服务端守护脚本(检查 frps 进程,不在则拉起),加入 crontab 每 10 分钟运行一次:
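#!/bin/bash
# frps watchdog: count running frps processes and start one if there is none.
# Intended to be run from cron (every 10 minutes); must run as the user that owns frps.
set -u

readonly frp_dir=/usr/local/frp/frp_0.34.2_linux_amd64

# pgrep -x matches the process name exactly, so this script (or any "grep frps")
# never counts itself - the original ps|grep|grep -v dance is not needed.
counter=$(pgrep -x frps | wc -l)
echo "Number of frps processes in current system:$counter"

if [[ "$counter" -eq 0 ]]; then
  # Try to restart. The original wrote ">/dev/null >2&1": that is not "stderr to stdout",
  # it redirects stdout to a file literally named "2", backgrounds the command and then
  # tries to run a command named "1". The correct form is "2>&1", and the job must be
  # backgrounded with "&" so cron does not hang on frps.
  nohup "${frp_dir}/frps" -c "${frp_dir}/frps.ini" >/dev/null 2>&1 &
  sleep 5
fi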
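# One-time setup: install ipset plus ipset-service (restores the sets at boot) and create
# the two sets the iptables rules reference. Must run as root.
# "-y" on both installs: the original "yum install ipset-service" prompts and blocks when
# run non-interactively.
yum -y install ipset ipset-service

# "-exist" makes re-running this script harmless.
# "openwrt" holds single client addresses and therefore needs a set type: the original
# "ipset create openwrt" gives no settype and fails with "Syntax error: missing settype".
ipset -exist create openwrt hash:ip hashsize 1024 maxelem 65536
# "china" holds CIDR networks (cn.zone from ipdeny), hence hash:net with a large maxelem.
ipset -exist create china hash:net hashsize 10000 maxelem 1000000

systemctl enable ipset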
第一版脚本:获取当前连接到 frps 的所有 frpc 客户端 IP(只打印 ipset 命令,不真正执行)
```bash
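#!/bin/bash
# v1: collect the peer addresses of frpc clients currently connected to frps (tcp/7000),
# accumulate them in ./openwrt and print the ipset commands that would allow-list them.
# This version only echoes the commands (dry run), exactly like the original.
set -u

# Take only ESTABLISHED TCP connections whose *local* port is 7000
# ($4 = local addr:port, $5 = peer addr:port, $6 = state).
# The original "grep -w 7000" also matched the LISTEN line (peer 0.0.0.0:*), UDP sockets
# and any connection that merely had 7000 as its remote port; and "cut -d: -f1" turned
# IPv4-mapped peers like ::ffff:1.2.3.4 into an empty string, dropping them silently.
netstat -ant \
  | awk '$6 == "ESTABLISHED" && $4 ~ /:7000$/ {
           sub(/:[0-9]+$/, "", $5); sub(/^::ffff:/, "", $5); print $5 }' \
  | LC_ALL=C sort -u >> openwrt

# De-duplicate the accumulated file in place.
LC_ALL=C sort -u openwrt > openwrt1
mv -f openwrt1 openwrt
cat openwrt

while IFS= read -r ip; do
  [[ -n "$ip" ]] || continue
  echo ipset add openwrt "$ip"
done < openwrt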
第二版 shell 脚本,加了一些判断逻辑(只增量添加新 IP,并同步中国 IP 段到 china 集合):
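#!/bin/bash
#================================================#
## frp ##
# Version Number:1.01
# Type:app
# Language:bash shell
# Date:2022-1-9
# describe: v2 - incrementally add the peer IPs of connected frpc clients to the "openwrt"
#           ipset and keep the "china" ipset in sync with ipdeny's cn.zone. The iptables
#           rules that reference these two sets reject everything else.
# Runs from cron as root (needs ipset, netstat, wget, service).
#
# NOTE(review): an address enters "openwrt" as soon as it has an ESTABLISHED connection to
#   tcp/7000, i.e. before frps has authenticated it, and entries are never removed. With an
#   iptables rule that ACCEPTs "openwrt" sources on every port, any host that once reached
#   7000 is allow-listed for good. Consider deriving the list from authenticated clients
#   instead, or limiting the ACCEPT rule to the ports frps actually serves.
#================================================#
set -u -o pipefail

readonly frps_port=7000
readonly zone_url='https://www.ipdeny.com/ipblocks/data/countries/cn.zone'
readonly cidr_re='^[0-9]{1,3}(\.[0-9]{1,3}){3}/[0-9]{1,2}$'

# All scratch files live in a private temp dir and are removed on any exit. The original
# mixed "${dir}/file" with bare "file" (cwd) and chained its rm's with "&" instead of "&&",
# which silently misbehaves under cron, whose cwd is not the script directory.
work=$(mktemp -d) || { echo "mktemp failed" >&2; exit 1; }
trap 'rm -rf -- "${work:?}"' EXIT

# Current members of ipset $1, one per line (everything after the "Members:" header).
set_members() {
  ipset list "$1" | sed '1,/^Members:/d'
}

# Lines present in file $1 but not in file $2 (both sorted here, as comm requires).
new_entries() {
  comm -23 <(LC_ALL=C sort -u -- "$1") <(LC_ALL=C sort -u -- "$2")
}

# Peer addresses of ESTABLISHED TCP connections whose local port is frps_port.
# $4 = local addr:port, $5 = peer addr:port, $6 = state. Restricting to ESTABLISHED drops
# the "0.0.0.0" the LISTEN line produced; the original tried to drop it with grep -v '\.0',
# a filter that also ejected every real address containing a zero octet (e.g. 100.0.1.2)
# from the set on every run.
connected_peers() {
  netstat -ant | awk -v port=":${frps_port}\$" \
    '$6 == "ESTABLISHED" && $4 ~ port {
       sub(/:[0-9]+$/, "", $5); sub(/^::ffff:/, "", $5); print $5 }'
}

# ---- openwrt set: add peers that are not members yet ------------------------------------
connected_peers > "${work}/peers"
set_members openwrt > "${work}/openwrt_cur"
new_entries "${work}/peers" "${work}/openwrt_cur" > "${work}/openwrt_new"
if [[ -s "${work}/openwrt_new" ]]; then
  # one ipset invocation instead of one process per address
  sed 's/^/add openwrt /' "${work}/openwrt_new" | ipset -exist restore
else
  echo "file is empty"
fi

# ---- china set: sync with ipdeny ------------------------------------------------------------
# This list feeds an ACCEPT rule, so fetch it over TLS only and refuse a failed, empty or
# malformed download (the original fetched over plain http and never checked wget's status).
if ! wget -q --https-only -O "${work}/cn.zone" "$zone_url"; then
  echo "download of cn.zone failed; china set left unchanged" >&2
  exit 1
fi
# keep only well-formed IPv4 CIDR lines; nothing else is ever handed to ipset
grep -E "$cidr_re" "${work}/cn.zone" > "${work}/cn.valid"
if [[ ! -s "${work}/cn.valid" ]]; then
  echo "cn.zone contains no CIDR entries; china set left unchanged" >&2
  exit 1
fi
set_members china > "${work}/china_cur"
new_entries "${work}/cn.valid" "${work}/china_cur" > "${work}/china_new"
if [[ -s "${work}/china_new" ]]; then
  sed 's/^/add china /' "${work}/china_new" | ipset -exist restore
fi

# Persist both sets so ipset-service restores them at boot.
service ipset save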
cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.21 on Tue Apr 20 01:40:47 2021
*nat
:PREROUTING ACCEPT [289:36021]
:INPUT ACCEPT [85:5239]
:OUTPUT ACCEPT [38:2803]
:POSTROUTING ACCEPT [38:2803]
-A POSTROUTING -s 10.11.0.0/16 -o eth0 -j MASQUERADE
COMMIT
# Completed on Tue Apr 20 01:40:47 2021
# Generated by iptables-save v1.4.21 on Tue Apr 20 01:40:47 2021
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1:140]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -j ACCEPT
### 添加的 ipset 规则。注意:openwrt 集合中的来源 IP 在所有端口上都被 ACCEPT;china 集合只放行 tcp/25,而上面 frps.ini 监听的是 7000/7001/5000/5001,请确认 25 是否是想要的端口
-A RH-Firewall-1-INPUT -m set --match-set openwrt src -j ACCEPT
-A RH-Firewall-1-INPUT -m set --match-set china src -p tcp -m tcp --dport 25 -j ACCEPT
###添加的ipset规则
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
linux frpc 客户端配置(被访问服务器一侧)。注意:admin_user/admin_pwd 用的是默认的 admin/admin,虽然 admin_addr 只绑定 127.0.0.1,仍建议改成随机口令;frps 若版本支持 tls_only,可在服务端同时开启以拒绝非 TLS 连接。
[common]
tls_enable = true
server_addr = 2.2.2.2
server_port = 7000
auth_token = xxxxxxxxxxx
admin_addr = 127.0.0.1
admin_port = 7400
admin_user = admin
admin_pwd = admin
[bt_ssh]
type = tcp
local_ip = 192.168.13.68
local_port = 22
remote_port = 6015
[bt]
type = https
local_ip = 192.168.13.68
local_port = 8887
custom_domains = bt.my.com
proxy_protocol_version = v2
[prokvm]
type = https
local_ip = 192.168.13.68
local_port = 8889
custom_domains = prokvm.my.com
proxy_protocol_version = v2
[esxi3]
type = https
local_ip = 192.168.13.68
local_port = 443
custom_domains = esxi3.my.com
proxy_protocol_version = v2
[esxi4]
type = https
local_ip = 192.168.13.68
local_port = 443
custom_domains = esxi4.my.com
proxy_protocol_version = v2
[range:esxi3_nat]
type = tcp
local_ip = 192.168.13.70
local_port = 10350-10370
remote_port = 10350-10370
[range:esxi4_nat]
type = tcp
local_port = 10450-10470
remote_port = 10450-10470
local_ip = 192.168.13.41
windows 客户端配置文件如下(同样请把 admin_pwd 从默认的 admin 改掉):
[common]
tls_enable = true
server_addr = 2.2.2.2
server_port = 7000
auth_token = xxxxxxxxxxx
admin_addr = 127.0.0.1
admin_port = 7400
admin_user = admin
admin_pwd = admin
配置文件弄好了以后,参考下列博客
https://blog.csdn.net/atmosphere_/article/details/104018900
把 frpc 注册为 Windows 服务,开机自启动。