Linux服务器 屏蔽国外IP访问及简单的防CC攻击拦截

发布时间:2021-09-12

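  # ===== File: /root/allcn.sh -- accept inbound TCP only from the CIDR list in $CNIP =====
#!/bin/bash
#
# Usage: /root/allcn.sh        (re)build the ipset "allcn" and the ALLCNRULE chain
#        /root/allcn.sh stop   remove the chain and the set
#
# Review notes (this listing was rebuilt from a page whose spaces, pipes and
# quotes had been stripped):
# - Everything not matched by a RETURN rule below is dropped, so an empty or
#   truncated list cuts off all remote TCP, including SSH. The script now
#   refuses to start when the list has no usable entry.
# - Private ranges (10/8, 172.16/12, 192.168/16) are not exempted. If you
#   administer the host from a LAN/VPC or a non-listed address, add a RETURN
#   rule for it before enabling the chain.
# - Only IPv4 TCP is filtered; UDP, ICMP and all IPv6 traffic are untouched.
mmode=$1
CNIP=/root/china_ssr.txt

# NOTE(review): the page shows only `wget -q --timeout=60 -O-` at this point; the
# URL and whatever turned the download into one CIDR per line were lost.
# CN_LIST_URL is a placeholder to be set by the operator, not a value from the
# page. Fetch over HTTPS from a source you trust: this list decides who can
# reach the host.
CN_LIST_URL=${CN_LIST_URL:-}
if [ -n "$CN_LIST_URL" ] && [ "$mmode" != stop ]; then
  tmp_list=$(mktemp "${CNIP}.XXXXXX") || exit 1
  # Replace the live list only after a complete, non-empty download.
  if wget -q --timeout=60 -O- "$CN_LIST_URL" >"$tmp_list" && [ -s "$tmp_list" ]; then
    mv -- "$tmp_list" "$CNIP"
  else
    rm -f -- "$tmp_list"
    echo "allcn.sh: download failed, keeping existing $CNIP" >&2
  fi
fi

# Print the list, keeping only lines that look like an IPv4 address or CIDR so
# that nothing else from the downloaded file reaches `ipset restore`.
gen_iplist() {
  grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$' -- "${CNIP:-/dev/null}" 2>/dev/null
}

# Remove the chain, its jump from INPUT, and the set (errors ignored when absent).
flush_r() {
  iptables -F ALLCNRULE 2>/dev/null
  iptables -D INPUT -p tcp -j ALLCNRULE 2>/dev/null
  iptables -X ALLCNRULE 2>/dev/null
  ipset -X allcn 2>/dev/null
}

# Create the set, load it, and build the chain.
mstart() {
  ipset create allcn hash:net 2>/dev/null
  gen_iplist | sed -e 's/^/add allcn /' | ipset -! -R
  iptables -N ALLCNRULE
  iptables -I INPUT -p tcp -j ALLCNRULE
  # Replies to connections this host opened (updates, APIs) arrive on INPUT too;
  # without this rule they are dropped whenever the peer is not in the set.
  iptables -A ALLCNRULE -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN
  iptables -A ALLCNRULE -s 127.0.0.0/8 -j RETURN
  iptables -A ALLCNRULE -s 169.254.0.0/16 -j RETURN
  iptables -A ALLCNRULE -s 224.0.0.0/4 -j RETURN
  iptables -A ALLCNRULE -s 255.255.255.255 -j RETURN
  iptables -A ALLCNRULE -m set --match-set allcn src -j RETURN
  iptables -A ALLCNRULE -p tcp -j DROP
}

if [ "$mmode" == stop ]; then
  flush_r
  exit 0
fi

if ! gen_iplist | grep -q .; then
  echo "allcn.sh: $CNIP has no usable entries, not touching the firewall" >&2
  exit 1
fi

flush_r
sleep 1
mstart

# ===== Run at the shell prompt: enable, then disable =====
/root/allcn.sh
/root/allcn.sh stop

# ===== File: deny_1.sh (create with: vi deny_1.sh) =====
#!/bin/bash
#
# Usage: deny_1.sh [threshold]
# Drops every remote IPv4 address holding more than <threshold> (default 100)
# TCP connections that involve port 80, unless its first three octets appear
# in ./white_ip.txt, in which case it is only logged to ./recheck_ip.txt.
#
# Review notes:
# - Connection counts are per source address. Clients behind one NAT gateway,
#   or a reverse proxy/CDN in front of this host, appear as a single address;
#   list those in white_ip.txt before relying on the threshold.
# - Rules are only ever added. Expiring old entries is left to the operator.
num=${1:-100}
case $num in
  '' | *[!0-9]*)
    echo "usage: ${0##*/} [threshold]" >&2
    exit 2
    ;;
esac

# white_ip.txt, black_ip.txt and recheck_ip.txt live next to the script.
cd "$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" || exit 1

ipv4_re='^([0-9]{1,3}\.){3}[0-9]{1,3}$'

# Field 6 of the split netstat line is the remote address for IPv4 sockets.
iplist=$(netstat -an | grep '^tcp.*:80' | grep -Ev 'LISTEN|127\.0\.0\.1' \
  | awk -F'[ ]+|[:]' '{print $6}' | sort | uniq -c | sort -rn \
  | awk -v str="$num" '$1 + 0 > str + 0 {print $2}')

while IFS= read -r black_ip; do
  # Skip blanks and anything that is not a plain IPv4 address (e.g. tcp6 rows).
  [[ $black_ip =~ $ipv4_re ]] || continue
  ip_section=${black_ip%.*}
  # -F: the dots in the address must not act as regex wildcards.
  if grep -qF -- "$ip_section" ./white_ip.txt 2>/dev/null; then
    echo "$black_ip" >>./recheck_ip.txt
  else
    # -C tests for the exact rule; grepping `iptables -nL` also matched longer
    # addresses that merely contain this one as a substring.
    iptables -C INPUT -s "$black_ip" -j DROP 2>/dev/null \
      || iptables -I INPUT -s "$black_ip" -j DROP
    echo "$black_ip" >>./black_ip.txt
  fi
done <<<"$iplist"

# ===== Run at the shell prompt =====
chmod +x deny_1.sh
sh deny_1.sh

# ===== File: deny_2.sh (create with: vi deny_2.sh) =====
#!/bin/bash
#
# Takes the 20 most frequent client addresses among access-log lines that
# contain PATTERN and drops port-80 traffic from each one seen more than
# 250 times.
#
# ACCESS_LOG and PATTERN are placeholders: the page only says "path to the
# site's access log" and "signature string".
ACCESS_LOG=/path/to/access.log
PATTERN='signature-string'
LIMIT=250

ipv4_re='^([0-9]{1,3}\.){3}[0-9]{1,3}$'

grep -- "$PATTERN" "$ACCESS_LOG" | grep -v '127\.0\.0\.1' | awk '{print $1}' \
  | sort -n | uniq -c | sort -n -r | head -20 \
  | while read -r NUM IP; do
    # Log content is request-derived; pass only a well-formed IPv4 address to iptables.
    [[ $IP =~ $ipv4_re ]] || continue
    [ "$NUM" -gt "$LIMIT" ] || continue
    /sbin/iptables -C INPUT -p tcp -s "$IP" --dport 80 -j DROP 2>/dev/null \
      || /sbin/iptables -I INPUT -p tcp -s "$IP" --dport 80 -j DROP
  done

# ===== Run at the shell prompt =====
chmod +x deny_2.sh
sh deny_2.sh

# ===== crontab entry (crontab -e): run every 20 minutes =====
# NOTE(review): the page names /root/deny_ip1.sh here although the scripts
# above are saved as deny_1.sh / deny_2.sh; point this at the real path.
# The redirection is written out as >/dev/null 2>&1 so that output is
# discarded; the page's ">dev/null 2>1" would have created files instead.
*/20 * * * * /root/deny_ip1.sh >/dev/null 2>&1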

  
