[GH-ISSUE #4692] ban the brute-force attack ssh ip by fail2ban in frp client #3708

Closed
opened 2026-05-05 14:22:38 -06:00 by gitea-mirror · 14 comments

Originally created by @MikoyChinese on GitHub (Mar 4, 2025).
Original GitHub issue: https://github.com/fatedier/frp/issues/4692

Hi,

This is a tutorial about how to ban the IPs that try to brute-force your frp client, using [fail2ban](https://github.com/fail2ban/fail2ban). The config is updated from https://github.com/fatedier/frp/issues/2470.

requirements:

  1. [fail2ban](https://github.com/fail2ban/fail2ban)
  2. [go-mmproxy](https://github.com/path-network/go-mmproxy)

note: If you don't want to build go-mmproxy, you can try this [go-mmproxy.zip](https://github.com/fatedier/frp/files/6799973/go-mmproxy.zip) version. For fail2ban, you can find the installation instructions in their GitHub project.

Here are the steps:
**As for me: all files will be saved in /home/ubuntu/frp/**

#### 1. Create a frpc config file:

In this step, you can add `proxy_protocol_version` to turn on [Proxy Protocol](https://www.haproxy.com/blog/haproxy/proxy-protocol/), and prepare a local port that is used by **go-mmproxy**, not your real forward port.
For example, I want to proxy my ssh port 22 with frp and proxy protocol, so you need another port such as 12222:

**frpc.toml**

```toml
serverAddr = "<your frp server>"
serverPort = <frp server port>
user = "<your user name>"

log.to = "<log file path>"
log.level = "debug"
log.maxDays = 2

auth.method = "token"
auth.token = "<token>"

[[proxies]]
name = "ssh-go-mmproxy"
type = "tcp"
# go-mmproxy listens here; sshd itself stays on port 22
localIP = "127.0.0.1"
localPort = 12222
remotePort = 12345
# frpc prepends a PROXY protocol v2 header carrying the real client address
transport.proxyProtocolVersion = "v2"
```

#### 2. Set up go-mmproxy:

You can build it from the go-mmproxy GitHub main page or download the x86_64 binary which I built on my Ubuntu 20.04 with go version go1.16.5 linux/amd64 from the following url: [go-mmproxy.zip](https://github.com/fatedier/frp/files/6799973/go-mmproxy.zip), and move it to some path where you want. For me, I moved it to _/home/ubuntu/frp/_.

#### 3. Create the go-mmproxy service file

You need to create a `go-mmproxy.service` in `/home/ubuntu/frp/`. go-mmproxy will listen on `12222` and forward to `22`, which is the ssh port.

**go-mmproxy.service**

```ini
[Unit]
Description=go-mmproxy
After=network.target

[Service]
Type=simple
LimitNOFILE=65535
# go-mmproxy connects to sshd using the real client address as the source, so
# the replies sshd sends to that address must be delivered locally over lo
# (where go-mmproxy picks them up) instead of leaving the host
ExecStartPost=/sbin/ip rule add from 127.0.0.1/8 iif lo table 123
ExecStartPost=/sbin/ip route add local 0.0.0.0/0 dev lo table 123
ExecStart=/home/ubuntu/frp/go-mmproxy -4 127.0.0.1:22 -l 127.0.0.1:12222
ExecStopPost=/sbin/ip rule del from 127.0.0.1/8 iif lo table 123
ExecStopPost=/sbin/ip route del local 0.0.0.0/0 dev lo table 123
Restart=on-failure
RestartSec=10s

[Install]
WantedBy=multi-user.target
```

#### 4. Create the frpc service file

**frpc.service**

```ini
[Unit]
Description=Frp Client Service
Requires=go-mmproxy.service
After=network.target syslog.target go-mmproxy.service
Wants=network.target

[Service]
Type=simple
Restart=always
RestartSec=5s
ExecStart=/home/ubuntu/frp/frpc -c /home/ubuntu/frp/frpc.toml
ExecStop=/bin/kill $MAINPID
KillMode=control-group

[Install]
WantedBy=multi-user.target
```

Once that is done, you will find in your directory, e.g. /home/ubuntu/frp/:

  1. frpc.toml
  2. go-mmproxy
  3. go-mmproxy.service
  4. frpc.service

Then link the service files to /etc/systemd/system/ and enable them.

```shell
sudo ln -s /home/ubuntu/frp/go-mmproxy.service /etc/systemd/system/go-mmproxy.service
sudo ln -s /home/ubuntu/frp/frpc.service /etc/systemd/system/frpc.service

sudo systemctl enable go-mmproxy.service
sudo systemctl enable frpc.service

# frpc.service has Requires=go-mmproxy.service, so this starts go-mmproxy as well
sudo systemctl start frpc.service
```

#### Add fail2ban

If your OS is Ubuntu, you can install it with `sudo apt install fail2ban`

Here is the config (you can find the config files in /etc/fail2ban/):

Create a `jail.local` file in /etc/fail2ban

```ini
[sshd]

# To use more aggressive sshd modes set filter parameter "mode" in jail.local:
# normal (default), ddos, extra or aggressive (combines all).
# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
#mode   = normal
enabled = true
port    = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
maxretry = 5
findtime = 600
bantime.increment = true
bantime.factor = 2
bantime = 300
bantime.overalljails = true
bantime.rndtime = 300
```

Then you can find the remote IP in /var/log/auth.log and /var/log/fail2ban.log.
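As an added example (not code from this post, frp or go-mmproxy), here is a parser for the PROXY protocol v2 header that frpc prepends to each connection once `transport.proxyProtocolVersion = "v2"` is set. go-mmproxy reads exactly this header, strips it, and uses the carried source address when it connects to sshd, which is why sshd's log then shows the real client instead of 127.0.0.1. It goes a little beyond the post's IPv4 case by also handling IPv6 and the LOCAL command. The addresses and the SSH banner in the sample are constructed. The thing to keep in mind as a defender: the header is only trustworthy because port 12222 is bound to 127.0.0.1 and reachable only from frpc; a listener that accepted it from arbitrary peers would let the peer choose the address that ends up in the log and in the ban list.

```python
"""Added example: parse the PROXY protocol v2 header that frpc sends to
go-mmproxy.  Not frp's or go-mmproxy's code; addresses below are constructed."""
import ipaddress
import socket
import struct

# Every PROXY protocol v2 header opens with this fixed 12-byte signature.
PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"


def build_pp2_header(src_ip, src_port, dst_ip, dst_port):
    """Build an IPv4/TCP PROXY v2 header (what frpc would prepend), for the demo."""
    ver_cmd = 0x21       # high nibble: version 2, low nibble: command PROXY
    fam_proto = 0x11     # AF_INET + STREAM (TCP)
    addr = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!HH", src_port, dst_port))
    return PP2_SIGNATURE + struct.pack("!BBH", ver_cmd, fam_proto, len(addr)) + addr


def parse_pp2_header(data):
    """Return ((src_ip, src_port, dst_ip, dst_port), payload) for a PROXY
    header, (None, payload) for the LOCAL command (health checks carry no
    client address), and raise ValueError for anything that is not a valid
    v2 header, so malformed input is never mistaken for a client address."""
    if len(data) < 16 or data[:12] != PP2_SIGNATURE:
        raise ValueError("not a PROXY protocol v2 header")
    ver_cmd, fam_proto, addr_len = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2:
        raise ValueError("unsupported PROXY protocol version")
    if len(data) < 16 + addr_len:
        raise ValueError("truncated address block")
    addr, payload = data[16:16 + addr_len], data[16 + addr_len:]
    if ver_cmd & 0x0F == 0x00:                      # LOCAL command
        return None, payload
    if fam_proto == 0x11 and addr_len >= 12:        # AF_INET / TCP
        src = ipaddress.IPv4Address(addr[0:4])
        dst = ipaddress.IPv4Address(addr[4:8])
        src_port, dst_port = struct.unpack("!HH", addr[8:12])
    elif fam_proto == 0x21 and addr_len >= 36:      # AF_INET6 / TCP
        src = ipaddress.IPv6Address(addr[0:16])
        dst = ipaddress.IPv6Address(addr[16:32])
        src_port, dst_port = struct.unpack("!HH", addr[32:36])
    else:
        raise ValueError("unsupported address family or protocol")
    return (str(src), src_port, str(dst), dst_port), payload


def client_address(data):
    """The peer address go-mmproxy would hand to sshd, as 'ip:port', or None
    when the stream carries no valid header (then nothing is trusted)."""
    try:
        addrs, _ = parse_pp2_header(data)
    except ValueError:
        return None
    return None if addrs is None else f"{addrs[0]}:{addrs[1]}"


if __name__ == "__main__":
    # Constructed: a client at 203.0.113.7 reaching remotePort 12345 on the frps
    # host, followed by the first bytes sshd would otherwise see directly.
    stream = (build_pp2_header("203.0.113.7", 51000, "198.51.100.10", 12345)
              + b"SSH-2.0-OpenSSH_9.6\r\n")
    addrs, payload = parse_pp2_header(stream)
    print("real client:", addrs, "payload:", payload)
    print("bare SSH stream, no header ->", client_address(b"SSH-2.0-OpenSSH_9.6\r\n"))
```

Running it prints the decoded client tuple followed by the untouched SSH banner, and `None` for a stream that starts with the banner itself; that second case is the one a proxy must refuse to treat as an address rather than guess at.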

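To make the `jail.local` semantics concrete, here is an added example (not fail2ban's code) that models the sshd jail from the post: it counts `Failed password` lines per source address inside `findtime`, bans on the `maxretry`-th failure, and doubles the ban on each repeat as `bantime.increment = true` with `bantime.factor = 2` does (`bantime.rndtime` jitter is left out). The log lines are constructed, with epoch seconds in place of the syslog timestamp. It also shows why the go-mmproxy step matters: fail2ban can only act on the address sshd writes to the log, and without PROXY protocol every line would carry 127.0.0.1.

```python
"""Added example: a model of the sshd jail above (maxretry, findtime,
bantime, bantime.increment/factor) run over constructed auth.log-style
lines.  Not fail2ban's code; bantime.rndtime jitter is omitted."""
import re
from collections import defaultdict, deque

# Values from the jail.local in the post.
MAXRETRY, FINDTIME, BANTIME, FACTOR = 5, 600, 300, 2

# Simplified form of the sshd "Failed password" line that fail2ban's sshd
# filter matches.  Constructed lines use epoch seconds in place of the
# syslog timestamp to keep the sample short.
FAILED_RE = re.compile(
    r"^(?P<ts>\d+) sshd\[\d+\]: Failed password for (?:invalid user )?\S+ "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$"
)


class Jail:
    def __init__(self):
        self.failures = defaultdict(deque)   # ip -> failure timestamps within findtime
        self.ban_count = defaultdict(int)    # ip -> bans issued so far
        self.banned_until = {}               # ip -> time the current ban expires

    def bantime_for(self, ip):
        # bantime.increment = true with bantime.factor = 2: 300, 600, 1200, ... seconds
        return BANTIME * FACTOR ** self.ban_count[ip]

    def observe(self, line):
        """Feed one log line; return (ip, bantime) when this line triggers a ban."""
        m = FAILED_RE.match(line)
        if m is None:
            return None                       # not a failure line: ignored
        ts, ip = int(m["ts"]), m["ip"]
        if self.banned_until.get(ip, 0) > ts:
            return None                       # already banned; nothing new to do
        window = self.failures[ip]
        window.append(ts)
        while window and window[0] < ts - FINDTIME:
            window.popleft()                  # drop failures older than findtime
        if len(window) < MAXRETRY:
            return None
        bantime = self.bantime_for(ip)
        self.banned_until[ip] = ts + bantime
        self.ban_count[ip] += 1
        window.clear()
        return ip, bantime


def build_sample_log():
    """Constructed log: one host hammering, one slow host, one legitimate login."""
    events = [(1000 + 10 * i, "203.0.113.7") for i in range(5)]          # 5 in 40 s: banned
    events += [(t, "198.51.100.5") for t in (100, 300, 500, 900, 1100)]  # never 5 within 600 s
    events += [(1400 + 10 * i, "203.0.113.7") for i in range(5)]         # again after unban
    events.sort()
    lines = [f"{t} sshd[4242]: Failed password for invalid user admin from {ip} port 51000 ssh2"
             for t, ip in events]
    lines.insert(3, "350 sshd[4242]: Accepted publickey for ubuntu from 192.0.2.10 port 50000 ssh2")
    return lines


def run_sample():
    """Return the ban decisions the jail makes over the sample log."""
    jail = Jail()
    return [ev for ev in map(jail.observe, build_sample_log()) if ev is not None]


if __name__ == "__main__":
    for ip, seconds in run_sample():
        print(f"ban {ip} for {seconds}s")
```

On the sample, 203.0.113.7 is banned for 300 s on its fifth quick failure and for 600 s when it returns after the ban expires, while 198.51.100.5 is never banned because it never reaches five failures inside a 600 s window; the `Accepted publickey` line is ignored entirely.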

@MikoyChinese commented on GitHub (Mar 4, 2025):

If you want to improve the security of your FRP server, you can use [nft-blackhole](https://github.com/tomasz-c/nft-blackhole) to block specific countries. If your SSH service only accepts connections from your home country's IP addresses, give it a try—you'll notice how clean your host becomes.

@wuai1024 commented on GitHub (Mar 5, 2025):

Thank you very much

@wuai1024 commented on GitHub (Mar 5, 2025):

I saw that `go-mmproxy` has no prebuilt build, so I built a Docker version while I was at it.

```yaml
services:
  go-mmproxy-ssh:
    image: wuai1024/go-mmproxy
    container_name: go-mmproxy-ssh
    network_mode: host
    privileged: true
    restart: unless-stopped
    command: -4 127.0.0.1:22-l 127.0.0.1:12222
```

I use it on a Synology NAS; Synology has no `System` management, so using Docker works too.

It works well now:

![Image](https://github.com/user-attachments/assets/af86d9e5-39e7-4c7c-b617-be652b3cde25)

@wuai1024 commented on GitHub (Mar 5, 2025):

I found a small issue while testing.

Environment: `frps` is deployed on server A, and `frpc` and `go-mmproxy` are deployed on server B.
Access: when other machines connect to the port `frps` listens on at server A, the tunnel to server B correctly obtains the client's public source IP, as the image above shows.

But there is a special case, and I am not sure whether it is caused by my environment.

When I access this address from the internal network of server A, it shows the internal IP.

@frankjoey2048 commented on GitHub (Mar 16, 2025):

> services:
>   go-mmproxy-ssh:
>     image: wuai1024/go-mmproxy
>     container_name: go-mmproxy-ssh
>     network_mode: host
>     privileged: true
>     restart: unless-stopped
>     command: -4 127.0.0.1:22-l 127.0.0.1:12222

A correction:

```yaml
services:
  go-mmproxy-ssh:
    image: wuai1024/go-mmproxy
    container_name: go-mmproxy-ssh
    network_mode: host
    privileged: true
    restart: unless-stopped
    command: -4 127.0.0.1:22 -l 127.0.0.1:12222
```

@frankjoey2048 commented on GitHub (Mar 17, 2025):

> I saw that `go-mmproxy` has no prebuilt build, so I built a Docker version while I was at it.
>
> services:
>   go-mmproxy-ssh:
>     image: wuai1024/go-mmproxy
>     container_name: go-mmproxy-ssh
>     network_mode: host
>     privileged: true
>     restart: unless-stopped
>     command: -4 127.0.0.1:22-l 127.0.0.1:12222
>
> I use it on a Synology NAS; Synology has no `System` management, so using Docker works too.
>
> It works well now:
>
> ![Image](https://github.com/user-attachments/assets/af86d9e5-39e7-4c7c-b617-be652b3cde25)

This seems to have a small problem: written the systemctl way it works fine, but with Docker it cannot connect. I am guessing that

```ini
ExecStartPost=/sbin/ip rule add from 127.0.0.1/8 iif lo table 123
ExecStartPost=/sbin/ip route add local 0.0.0.0/0 dev lo table 123
```

were not included.

@luomo-pro commented on GitHub (Mar 17, 2025):

A few days ago I used the Docker image from the friend above, and I could not connect no matter what; when accessing the external IP, it kept showing that the server returned empty content.
Later I built my own Docker image; if yours does not work, you can try this one too.
Directly on the Synology NAS, create a file named Dockerfile and paste the following content:

```dockerfile
FROM golang:1.21-alpine AS builder
RUN apk add --no-cache git
WORKDIR /app
RUN git clone https://github.com/path-network/go-mmproxy .
RUN go build -o mmproxy .

FROM alpine:latest
WORKDIR /app
COPY --from=builder /app/mmproxy .
RUN echo '#!/bin/sh' > /app/start.sh && \
    echo '' >> /app/start.sh && \
    echo '# Set up routing rules' >> /app/start.sh && \
    echo 'ip rule add from 127.0.0.1/8 iif lo table 123 2>/dev/null || true' >> /app/start.sh && \
    echo 'ip route add local 0.0.0.0/0 dev lo table 123 2>/dev/null || true' >> /app/start.sh && \
    echo '' >> /app/start.sh && \
    echo '# Use the default if no port mappings were provided' >> /app/start.sh && \
    echo 'if [ -z "$PORT_MAPPINGS" ]; then' >> /app/start.sh && \
    echo '  PORT_MAPPINGS="15000:5000"' >> /app/start.sh && \
    echo 'fi' >> /app/start.sh && \
    echo '' >> /app/start.sh && \
    echo '# Parse and start every port mapping' >> /app/start.sh && \
    echo 'for mapping in $(echo $PORT_MAPPINGS | tr "," " "); do' >> /app/start.sh && \
    echo '  listen_port=$(echo $mapping | cut -d: -f1)' >> /app/start.sh && \
    echo '  target_port=$(echo $mapping | cut -d: -f2)' >> /app/start.sh && \
    echo '  echo "启动端口映射: $listen_port -> 127.0.0.1:$target_port"' >> /app/start.sh && \
    echo '  /app/mmproxy -l "0.0.0.0:$listen_port" -4 "127.0.0.1:$target_port" -6 "[::1]:$target_port" &' >> /app/start.sh && \
    echo 'done' >> /app/start.sh && \
    echo '' >> /app/start.sh && \
    echo '# Keep the container running' >> /app/start.sh && \
    echo 'wait' >> /app/start.sh && \
    chmod +x /app/start.sh

ENTRYPOINT ["/app/start.sh"]
```

Then build it with this command:

```shell
sudo docker build -t go-mmproxy .
```

After the build, using it is simple: use docker-compose.
Note that `PORT_MAPPINGS` defines the external port and the port to forward to; for example `15000:5000` means listen on 15000 and forward to 5000. Separate multiple mappings with commas.

```yaml
version: '3'
services:
  go-mmproxy:
    image: go-mmproxy:latest
    container_name: go-mmproxy
    restart: always
    network_mode: host
    cap_add:
      - NET_ADMIN
    environment:
      - PORT_MAPPINGS=15000:5000,15001:5001
```

@wuai1024 commented on GitHub (Mar 17, 2025):

> This seems to have a small problem: written the systemctl way it works fine, but with Docker it cannot connect. I am guessing that
>
> ```
> ExecStartPost=/sbin/ip rule add from 127.0.0.1/8 iif lo table 123
> ExecStartPost=/sbin/ip route add local 0.0.0.0/0 dev lo table 123
> ```
>
> were not included.

For safety and transparency, these routing-table rules need to be run manually; they are not packaged into the Docker image.

```bash
ip rule add from 127.0.0.1/8 iif lo table 123
ip route add local 0.0.0.0/0 dev lo table 123
```

@gexiaopeng commented on GitHub (Apr 9, 2025):

> > This seems to have a small problem: written the systemctl way it works fine, but with Docker it cannot connect. I am guessing that
> >
> > ```
> > ExecStartPost=/sbin/ip rule add from 127.0.0.1/8 iif lo table 123
> > ExecStartPost=/sbin/ip route add local 0.0.0.0/0 dev lo table 123
> > ```
> >
> > were not included.
>
> For safety and transparency, these routing-table rules need to be run manually; they are not packaged into the Docker image.
>
> ip rule add from 127.0.0.1/8 iif lo table 123
> ip route add local 0.0.0.0/0 dev lo table 123

How do you run `ip rule` and `ip route` together with Docker on Synology? Could you describe the specifics? Many thanks.

@gexiaopeng commented on GitHub (Apr 9, 2025):

> > This seems to have a small problem: written the systemctl way it works fine, but with Docker it cannot connect. I am guessing that
> >
> > ```
> > ExecStartPost=/sbin/ip rule add from 127.0.0.1/8 iif lo table 123
> > ExecStartPost=/sbin/ip route add local 0.0.0.0/0 dev lo table 123
> > ```
> >
> > were not included.
>
> For safety and transparency, these routing-table rules need to be run manually; they are not packaged into the Docker image.
>
> ip rule add from 127.0.0.1/8 iif lo table 123
> ip route add local 0.0.0.0/0 dev lo table 123

Why would packaging it into Docker be unsafe?

@gexiaopeng commented on GitHub (Apr 9, 2025):

> A few days ago I used the Docker image from the friend above, and I could not connect no matter what; when accessing the external IP, it kept showing that the server returned empty content. Later I built my own Docker image; if yours does not work, you can try this one too. Directly on the Synology NAS, create a file named Dockerfile and paste the following content:
>
> […]
>
> After the build, using it is simple: use docker-compose. Note that `PORT_MAPPINGS` defines the external port and the port to forward to; for example `15000:5000` means listen on 15000 and forward to 5000. Separate multiple mappings with commas.
>
> […]

This method works, many thanks!

@wuai1024 commented on GitHub (Apr 9, 2025):

> > > This seems to have a small problem: written the systemctl way it works fine, but with Docker it cannot connect. I am guessing that
> > >
> > > ```
> > > ExecStartPost=/sbin/ip rule add from 127.0.0.1/8 iif lo table 123
> > > ExecStartPost=/sbin/ip route add local 0.0.0.0/0 dev lo table 123
> > > ```
> > >
> > > were not included.
> >
> > For safety and transparency, these routing-table rules need to be run manually; they are not packaged into the Docker image.
> >
> > ip rule add from 127.0.0.1/8 iif lo table 123
> > ip route add local 0.0.0.0/0 dev lo table 123
>
> How do you run `ip rule` and `ip route` together with Docker on Synology? Could you describe the specifics? Many thanks.

Use Task Scheduler, set it to run at boot, and run it as the `root` account:

```bash
ip rule add from 127.0.0.1/8 iif lo table 123
ip route add local 0.0.0.0/0 dev lo table 123
```

![Image](https://github.com/user-attachments/assets/4500d6e9-1a35-4255-80b2-a2c4059e34d1)

As for why I do not package it into `docker`: it varies from person to person; after all, this is routing-related.

@wuai1024 commented on GitHub (Apr 9, 2025):

If you find my way troublesome, you can just use [this one](https://github.com/fatedier/frp/issues/4692#issuecomment-2788511625).

@github-actions[bot] commented on GitHub (Apr 24, 2025):

Issues go stale after 14d of inactivity. Stale issues rot after an additional 3d of inactivity and eventually close.