This article was written on 2022-10-16; please bear in mind that its content may be out of date.
Update 2022-11-11 22:02: added the IPv6 handling and the mainland-China IP blocking section.
I have recently been playing with Gcore's CDN, but putting a CDN in front of the origin is pointless if the origin's IP gets picked up by a scanner such as Censys. So how do you block every IP other than Gcore's from reaching the web ports? Borrowing Thinking Null's approach, I built the firewall rules with ipset and the problem was solved. The only small snag is that Gcore publishes its IP ranges as JSON, so I copied a regex to pull the IPv4 and IPv6 addresses out of it.
Note that you need ipset-persistent, iptables-persistent and netfilter-persistent to make the configuration survive a reboot; otherwise you will have to set everything up again after every restart.

Enough talk, here is the script. It must be run as root.
#!/bin/bash
# Run as root: install ipset plus the persistence helpers, build the sets, then add the rules.
apt -y install ipset iptables-persistent ipset-persistent netfilter-persistent
ipset create gcore4 hash:net
ipset create gcore6 hash:net family inet6   # one ipset each for Gcore's IPv4 and IPv6 ranges
# Download the list once and abort if that fails; populating the sets from an empty list would lock everyone out
list=$(curl -fsS https://api.gcorelabs.com/cdn/public-ip-list) || { echo "download of the Gcore IP list failed" >&2; exit 1; }
for i in $(grep -Eo '(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/32' <<<"$list");   # regex-filter Gcore's IPv4 addresses
do ipset add gcore4 "$i";
done
for i in $(grep -Eo '(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))/128' <<<"$list");  # regex-filter Gcore's IPv6 addresses
do ipset add gcore6 "$i";
done
# ACCEPT from the Gcore sets first, then DROP everything else on 80/443. -A appends, so these rules
# only take effect if no earlier INPUT rule already accepts those ports.
iptables -A INPUT -m set --match-set gcore4 src -p tcp -m multiport --dports http,https -j ACCEPT
ip6tables -A INPUT -m set --match-set gcore6 src -p tcp -m multiport --dports http,https -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 80,443 -j DROP
ip6tables -A INPUT -p tcp -m multiport --dports 80,443 -j DROP
iptables-save && ip6tables-save   # print the resulting rule sets for inspection
netfilter-persistent save         # persists the iptables rules and, via ipset-persistent, the sets
systemctl enable --now netfilter-persistent
Refreshing the IP ranges periodically:
#!/bin/bash
# Refresh the Gcore sets in place. Destroying and recreating them does not work: a set that an
# iptables rule references cannot be destroyed, and re-adding the ACCEPT rules with -A would append
# duplicates behind the DROP rule. Fill temporary sets and swap them in atomically instead.
list=$(curl -fsS https://api.gcorelabs.com/cdn/public-ip-list) || { echo "download of the Gcore IP list failed" >&2; exit 1; }
ipset -exist create gcore4_tmp hash:net
ipset -exist create gcore6_tmp hash:net family inet6   # family must match gcore6 or the swap is refused
ipset flush gcore4_tmp; ipset flush gcore6_tmp
for i in $(grep -Eo '(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/32' <<<"$list"); do ipset add gcore4_tmp "$i"; done
for i in $(grep -Eo '(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))/128' <<<"$list"); do ipset add gcore6_tmp "$i"; done
# Swap only when the download actually yielded entries; swapping in an empty set would drop all CDN traffic
entries() { ipset list -t "$1" | sed -n 's/^Number of entries: //p'; }
[ "$(entries gcore4_tmp)" -gt 0 ] && ipset swap gcore4_tmp gcore4
[ "$(entries gcore6_tmp)" -gt 0 ] && ipset swap gcore6_tmp gcore6
ipset destroy gcore4_tmp; ipset destroy gcore6_tmp   # the live sets now hold the fresh entries; the rules are untouched
netfilter-persistent save
Put the above in crontab and let it run on a schedule.
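The regex-and-loop refresh above can also be done by parsing the JSON directly. The following is an added example in Python (not the post's own script) that validates every entry and emits an ipset restore batch using a temporary set and an atomic swap; the JSON key names "addresses" and "addresses_v6", the file name gcore_ipset.py and the sample input are assumptions I constructed, not taken from the Gcore API.

```python
#!/usr/bin/env python3
"""Turn Gcore's public IP list into an atomic `ipset restore` batch.
Added example, not the blog's script: parses the JSON with the standard
library instead of a regex, validates each entry with `ipaddress`, and
fills a temporary set that is then swapped in, so the firewall never sees
a half-filled or empty set while the list is being refreshed."""
import ipaddress
import json
import sys

# ASSUMPTION: the API's JSON keys are "addresses" (IPv4) and "addresses_v6".
V4_KEY, V6_KEY = "addresses", "addresses_v6"

# Constructed sample in the assumed shape (includes a duplicate and junk).
SAMPLE = json.dumps({
    "addresses": ["192.0.2.10/32", "198.51.100.0/24", "junk", "192.0.2.10/32"],
    "addresses_v6": ["2001:db8::1/128", "2001:db8:1::/48"],
})

def parse_ip_list(text):
    """Return (v4, v6): sorted, de-duplicated CIDR strings from the JSON."""
    data = json.loads(text)
    v4, v6 = set(), set()
    for raw in data.get(V4_KEY, []) + data.get(V6_KEY, []):
        try:
            net = ipaddress.ip_network(raw, strict=False)
        except ValueError:
            continue  # a malformed entry must never reach `ipset add`
        (v4 if net.version == 4 else v6).add(net.with_prefixlen)
    return sorted(v4), sorted(v6)

def restore_batch(name, family, nets):
    """Lines for `ipset -exist restore`: fill <name>_tmp, then swap it in.
    Refuses an empty list so a failed download cannot replace the live set
    with an empty one, which would drop all CDN traffic to the origin."""
    if not nets:
        raise ValueError(f"refusing to swap an empty set into {name}")
    tmp = f"{name}_tmp"
    lines = [f"create {name} hash:net family {family}",
             f"create {tmp} hash:net family {family}", f"flush {tmp}"]
    lines += [f"add {tmp} {n}" for n in nets]
    lines += [f"swap {tmp} {name}", f"destroy {tmp}"]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    # curl -fsS https://api.gcorelabs.com/cdn/public-ip-list | ./gcore_ipset.py | ipset -exist restore
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    v4, v6 = parse_ip_list(text)
    sys.stdout.write(restore_batch("gcore4", "inet", v4))
    sys.stdout.write(restore_batch("gcore6", "inet6", v6))
```

Feeding the batch to one `ipset -exist restore` call is also far faster than thousands of individual `ipset add` invocations.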

In the same way, you can use ipset to block a specific region from specific ports, for example blocking only mainland-China IPs:
#!/bin/bash
# Block mainland-China source addresses from ports 80/443 using gaoyifan's daily-updated lists
ipset create china4 hash:net
ipset create china6 hash:net family inet6
# The lists are plain text with one CIDR per line, so no regex filtering is needed
for i in $(curl -fsS https://raw.githubusercontent.com/gaoyifan/china-operator-ip/ip-lists/china.txt);
do ipset add china4 "$i";
done
for i in $(curl -fsS https://raw.githubusercontent.com/gaoyifan/china-operator-ip/ip-lists/china6.txt);
do ipset add china6 "$i";
done
iptables -A INPUT -p tcp -m set --match-set china4 src -m multiport --dports 80,443 -j DROP
ip6tables -A INPUT -p tcp -m set --match-set china6 src -m multiport --dports 80,443 -j DROP
iptables-save && ip6tables-save   # print the resulting rule sets for inspection
netfilter-persistent save
References:
  1. Thinking Null - Setting iptables firewall rules to allow only Cloudflare through
  2. Whitelist the CDN servers, if there is ACL on the origin
  3. gaoyifan/china-operator-ip (Chinese ISP IPv4/IPv6 address lists, updated daily)

Tags: Tech, GNU/Linux, Gcore, CDN, iptables, ipset, network security
