|
|
@@ -2,17 +2,19 @@
|
|
|
# 该脚本用于禁止 jsporxy 用户访问内网,防止 SSRF 攻击
|
|
|
# 需要 root 权限运行,依赖 ipset 命令
|
|
|
#
|
|
|
+if [[ $(iptables -L | grep "anti ssrf") ]]; then
|
|
|
+ exit
|
|
|
+fi
|
|
|
+
|
|
|
ipset create ngx-ban-dstip hash:net
|
|
|
|
|
|
-if [[ ! $(iptables -L | grep "anti ssrf") ]]; then
|
|
|
- iptables \
|
|
|
- -m comment --comment "anti ssrf" \
|
|
|
- -A OUTPUT \
|
|
|
- -p tcp --syn \
|
|
|
- -m owner --uid-owner jsproxy \
|
|
|
- -m set --match-set ngx-ban-dstip dst \
|
|
|
- -j REJECT
|
|
|
-fi
|
|
|
+iptables \
|
|
|
+ -m comment --comment "anti ssrf" \
|
|
|
+ -A OUTPUT \
|
|
|
+ -p tcp --syn \
|
|
|
+ -m owner --uid-owner jsproxy \
|
|
|
+ -m set --match-set ngx-ban-dstip dst \
|
|
|
+ -j REJECT
|
|
|
|
|
|
# https://en.wikipedia.org/wiki/Reserved_IP_addresses
|
|
|
REV_NET=(
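Review bot: The REJECT rule added in this hunk only matches `-p tcp --syn`, so UDP and ICMP traffic from the jsproxy uid to the banned ranges (for example DNS or other UDP services on internal hosts) is still allowed; whether that matters depends on what the proxy can be made to emit, but if the goal is "no access to the internal network" the match should be protocol-agnostic, e.g. replace `-p tcp --syn \` with `-m conntrack --ctstate NEW \`. The rule is also IPv4-only: there is no matching `ip6tables` rule or `family inet6` set, so an IPv6-reachable internal address would not be blocked — worth a comment at minimum if IPv6 is intentionally out of scope. The new guard at the top, `if [[ $(iptables -L | grep "anti ssrf") ]]`, does reverse DNS on every listed address and captures output it never uses; `if iptables -nL OUTPUT | grep -q 'anti ssrf'; then` is faster and clearer. Since the script now exits early only when the rule is present, a rerun after an `iptables -F` will hit `ipset create` on an existing set and print an error; `ipset create -exist ngx-ban-dstip hash:net` makes that path idempotent. The `REV_NET=(` array continues past the end of this hunk.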
|