54 lines
2.1 KiB
Markdown
54 lines
2.1 KiB
Markdown
# denyip
|
||
|
||
针对非国际业务的Linux服务器构建防火墙策略:
|
||
|
||
利用 libpcap 抓取网络包,从中提取源IP地址。
|
||
使用 libipset 实现IP黑名单管理,将不符合访问条件的IP添加至黑名单集合。
|
||
结合 ip2region 库进行初步的IP地域判定,筛选大陆以外的IP地址。
|
||
通过 Go ipquery 进一步精准识别IP地理位置,将确认的非大陆IP加入到 ipset 集合,严格限制非大陆来源的访问。
|
||
此方案能有效保护大陆服务器免受非本地业务访问,提高访问控制的精度与效率。
|
||
|
||
## Build
|
||
|
||
~~~bash
|
||
# Debian System
|
||
apt install build-essential
|
||
apt install golang
|
||
apt install libpcap-dev libcap-dev libsystemd-dev
|
||
|
||
root@NIUYULING:/mnt/c/Users/root/Desktop/git.aixiao.me/DenyIP# make clean; make
|
||
rm -rf a.out ipquery
|
||
rm -rf cap.o common.o ip2region/ip2region.o ip2region/xdb_searcher.o libipset.o
|
||
gcc -g -Wall -Iip2region -c cap.c -o cap.o
|
||
gcc -g -Wall -Iip2region -c common.c -o common.o
|
||
gcc -g -Wall -Iip2region -c ip2region/ip2region.c -o ip2region/ip2region.o
|
||
gcc -g -Wall -Iip2region -c ip2region/xdb_searcher.c -o ip2region/xdb_searcher.o
|
||
gcc -g -Wall -Iip2region -c libipset.c -o libipset.o
|
||
gcc -g -Wall -Iip2region -o a.out cap.o common.o ip2region/ip2region.o ip2region/xdb_searcher.o libipset.o -lpcap -ldbus-1 -lsystemd -L/usr/lib64 -lcap -lipset -lmnl
|
||
root@NIUYULING:/mnt/c/Users/root/Desktop/git.aixiao.me/DenyIP#
|
||
~~~
|
||
|
||
### Help
|
||
|
||
~~~bash
|
||
|
||
root@NIUYULING:/mnt/c/Users/root/Desktop/git.aixiao.me/DenyIP# ./a.out -h
|
||
DenyIP version 0.2
|
||
拒绝Linux服务器非大陆IP工具
|
||
MAIL: aixiao@aixiao.me
|
||
Date: 20241024
|
||
Usage: denyip [-d] [-i <interface>] [-s <start|stop>] [-h|-?]
|
||
-d Daemon mode
|
||
-i interface (default eth0)
|
||
-s regular signal (default start|stop)
|
||
start Enable Iptables rule
|
||
stop Disable Iptables rule
|
||
-h|-? Help Information
|
||
|
||
|
||
root@niuyuling:~/DenyIP# killall -15 denyip # 关闭
|
||
root@niuyuling:~/DenyIP# ./denyip -i eth0 # 启动
|
||
root@niuyuling:~/DenyIP# ./denyip -s start # Iptables 规则打开
|
||
root@niuyuling:~/DenyIP# ./denyip -s stop # Iptables 规则关闭
|
||
~~~
|