FRP: an alternative trusted-communication setup using ipset

After exposing services through frp, I noticed far too many unknown IPs accessing them, so I wrote a script that combines iptables and ipset to filter access.

frp's built-in stcp mode has a drawback: every port is mapped to the local 127.0.0.1 address, and with many ports it becomes easy to mix them up.

Linux frps server configuration

```ini
[common]
bind_addr = 0.0.0.0
bind_port = 7000
bind_udp_port = 7001
vhost_http_port = 5000
vhost_https_port = 5001
auth_token = xxxxxxxxxxx
max_pool_count = 20
tcp_mux = true
```

Server watchdog script; add it to crontab to run every 10 minutes

```bash
#!/bin/bash
# Watchdog: restart frps if no frps process is running (the check script itself is excluded)
counter=$(ps -ef | grep frps | grep -v grep | grep -v check_frps | wc -l)
echo "Number of frps processes in current system:$counter"
if [ "X$counter" == "X0" ]; then
    # Try to restart; stdout and stderr both go to /dev/null, frps stays in the background
    nohup /usr/local/frp/frp_0.34.2_linux_amd64/frps -c /usr/local/frp/frp_0.34.2_linux_amd64/frps.ini >/dev/null 2>&1 &
    sleep 5
fi
```

```bash
yum -y install ipset
yum -y install ipset-service
ipset create openwrt hash:ip      # one entry per frpc client address (a set type is required)
ipset create china hash:net hashsize 10000 maxelem 1000000
systemctl enable ipset
```

Collect the IPs of all frpc clients

```bash
#!/bin/bash
# v1: collect the source IPs of every connection to the frps port (7000)
netstat -an | grep -w 7000 | awk '{print $5}' | cut -d: -f1 | sort -u | grep -v "^$" >> openwrt
sleep 1
sort -u openwrt > openwrt1           # de-duplicate across runs
rm -f openwrt && mv openwrt1 openwrt
cat openwrt
for line in $(cat openwrt)
do
  echo ipset add openwrt "$line"     # v1 only prints the ipset commands it would run
done
```

Second version of the shell script, with some checking logic added

```bash
#!/bin/bash
#================================================#
## frp ##
# Version Number:1.00
# Type:app
# Language:bash shell
# Date:2022-1-9
# describe: dynamically add client IPs to the ipset and block non-Chinese IPs
#================================================#
typeset dir="$( cd "$( dirname "$0" )" && pwd )"

# 1. Source IPs of ESTABLISHED connections to the frps bind port (7000).
#    Only established sockets are considered, so the 0.0.0.0 listener address
#    never ends up in the list.
netstat -an | grep -w 7000 | grep ESTABLISHED | awk '{print $5}' | cut -d: -f1 \
  | grep -v '^$' | grep -v '^0\.0\.0\.0$' | sort -u > "${dir}/openwrt1"
sleep 1

# 2. Compare with the members already in the set and keep only new IPs.
#    ipset --list header lines all contain ':', members do not.
if [ -e "${dir}/openwrt1" ]; then
  ipset --list openwrt | grep -v ':' | grep -v '^$' > "${dir}/openwrt2"
  sort -u "${dir}/openwrt2" > "${dir}/openwrt3"
  diff "${dir}/openwrt1" "${dir}/openwrt3" | grep '^<' | awk '{print $2}' > "${dir}/openwrt"
fi

if [ -s "${dir}/openwrt" ]; then
  for line in $(cat "${dir}/openwrt")
  do
    ipset add openwrt "$line"
  done
else
  echo "file is empty"
fi

# 3. Remove the bogus 0.0.0.0 entry if an earlier run added it.
ipset --list openwrt | grep -v ':' | grep '^0\.0\.0\.0$' > "${dir}/del_openwrt"
if [ -s "${dir}/del_openwrt" ]; then
  for line in $(cat "${dir}/del_openwrt")
  do
    ipset del openwrt "$line"
  done
fi
rm -f "${dir}/openwrt" "${dir}"/openwrt[1-3] "${dir}/del_openwrt"

# 4. Refresh the "china" set from the ipdeny country list; add only missing networks.
rm -f "${dir}"/cn.zone*
wget -q -O "${dir}/cn.zone" http://www.ipdeny.com/ipblocks/data/countries/cn.zone
sort -u "${dir}/cn.zone" > "${dir}/china1"
ipset --list china | grep -v ':' | grep -v '^$' > "${dir}/china2"
sort -u "${dir}/china2" > "${dir}/china3"
diff "${dir}/china1" "${dir}/china3" | grep '^<' | awk '{print $2}' > "${dir}/cn.zone"
for i in $(cat "${dir}/cn.zone")
do
  ipset add china "$i"
done
rm -f "${dir}"/china[1-3] "${dir}/cn.zone"
```

```bash
service ipset save
```
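The two steps the v1 and v2 scripts above perform, picking frpc client IPs out of `netstat -an` and diffing them against `ipset list`, as an added example that is not code from the original post. It works on constructed sample text so it can be checked offline; the set name `openwrt` and port 7000 follow the post, and the sample addresses are RFC 5737 documentation ranges.

```bash
#!/bin/bash
# Added example (not from the original post): offline versions of the netstat
# parsing and ipset diff done by the cron scripts. On a real frps host, pipe
# `netstat -an` and `ipset list openwrt` in instead of the constructed samples.

# frps_client_ips PORT < netstat-output
# Unlike `grep -w PORT | awk '{print $5}'`, this skips the 0.0.0.0:PORT LISTEN
# line, TIME_WAIT leftovers and sockets where PORT is only the *remote* port.
frps_client_ips() {
  awk -v port="$1" '
    $1 ~ /^tcp/ && $6 == "ESTABLISHED" {
      lport = $4; sub(/.*:/, "", lport)      # local port = text after last colon
      if (lport != port) next
      ip = $5; sub(/:[0-9]+$/, "", ip)       # strip the remote port
      sub(/^::ffff:/, "", ip)                # unwrap IPv4-mapped IPv6 sockets
      if (ip ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) print ip   # inet set: IPv4 only
    }' | sort -u
}

# new_members IPSET_LIST_FILE < candidate-ips
# Prints candidates not already in the set; members are the lines after
# "Members:" in `ipset list` output, so header lines are never compared.
new_members() {
  awk 'NR == FNR { if (in_members) members[$0] = 1
                   if ($0 == "Members:") in_members = 1; next }
       NF && !($0 in members)' "$1" -
}

# Constructed sample data.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:7000            0.0.0.0:*               LISTEN
tcp        0      0 203.0.113.5:7000        198.51.100.7:51234      ESTABLISHED
tcp        0      0 203.0.113.5:7000        198.51.100.7:51240      ESTABLISHED
tcp        0      0 203.0.113.5:7000        192.0.2.33:40021        ESTABLISHED
tcp        0      0 203.0.113.5:7000        192.0.2.44:40099        TIME_WAIT
tcp        0      0 203.0.113.5:43210       192.0.2.99:7000         ESTABLISHED
tcp6       0      0 ::ffff:203.0.113.5:7000 ::ffff:198.51.100.8:51300 ESTABLISHED
tcp6       0      0 2001:db8::5:7000        2001:db8::77:51400      ESTABLISHED'
SAMPLE_IPSET='Name: openwrt
Type: hash:ip
Members:
198.51.100.7
10.11.0.9'

# Dry run: print the ipset commands the cron script would execute.
members_file=$(mktemp)
printf '%s\n' "$SAMPLE_IPSET" > "$members_file"
printf '%s\n' "$SAMPLE_NETSTAT" | frps_client_ips 7000 | new_members "$members_file" |
  while read -r ip; do echo "ipset add openwrt $ip"; done
rm -f "$members_file"
```

The dry run prints only `192.0.2.33` and `198.51.100.8`: the listener line, the TIME_WAIT socket, the outbound connection to a remote port 7000 and the pure IPv6 peer are all left out, and `198.51.100.7` is skipped because it is already a member.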

```bash
cat /etc/sysconfig/iptables
```

```text
# Generated by iptables-save v1.4.21 on Tue Apr 20 01:40:47 2021
*nat
:PREROUTING ACCEPT [289:36021]
:INPUT ACCEPT [85:5239]
:OUTPUT ACCEPT [38:2803]
:POSTROUTING ACCEPT [38:2803]
-A POSTROUTING -s 10.11.0.0/16 -o eth0 -j MASQUERADE
COMMIT
# Completed on Tue Apr 20 01:40:47 2021
# Generated by iptables-save v1.4.21 on Tue Apr 20 01:40:47 2021
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1:140]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -j ACCEPT
### added ipset rules
-A RH-Firewall-1-INPUT -m set --match-set openwrt src -j ACCEPT
-A RH-Firewall-1-INPUT -m set --match-set china src  -p tcp  -m tcp --dport 25 -j ACCEPT
### end of added ipset rules
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited

COMMIT
```

Linux frpc client configuration (on the server being accessed)

```ini
[common]
tls_enable = true
server_addr = 2.2.2.2
server_port = 7000
auth_token = xxxxxxxxxxx
admin_addr = 127.0.0.1
admin_port = 7400
admin_user = admin
admin_pwd = admin
[bt_ssh]
type = tcp
local_ip = 192.168.13.68
local_port = 22
remote_port = 6015
[bt]
type = https
local_ip = 192.168.13.68
local_port = 8887
custom_domains = bt.my.com
proxy_protocol_version = v2
[prokvm]
type = https
local_ip = 192.168.13.68
local_port = 8889
custom_domains = prokvm.my.com
proxy_protocol_version = v2
[esxi3]
type = https
local_ip = 192.168.13.68
local_port = 443
custom_domains = esxi3.my.com
proxy_protocol_version = v2
[esxi4]
type = https
local_ip = 192.168.13.68
local_port = 443
custom_domains = esxi4.my.com
proxy_protocol_version = v2
[range:esxi3_nat]
type = tcp
local_ip = 192.168.13.70
local_port = 10350-10370
remote_port = 10350-10370
[range:esxi4_nat]
type = tcp
local_port = 10450-10470
remote_port = 10450-10470
local_ip = 192.168.13.41
```

The Windows client configuration file is as follows

```ini
[common]
tls_enable = true
server_addr = 2.2.2.2
server_port = 7000
auth_token = xxxxxxxxxxx
admin_addr = 127.0.0.1
admin_port = 7400
admin_user = admin
admin_pwd = admin
```

Once the configuration file is ready, follow the blog post below to register frp as a Windows service that starts at boot:
https://blog.csdn.net/atmosphere_/article/details/104018900
