tcpforward.go

package main

import (
	"flag"
	"io"
	"log"
	"math/rand"
	"net"
	"net/http"
	"os"
	"strings"
	"sync"
	"tcpforward/Utils"
	"time"
)

var (
	localAddr              string
	remoteAddr             string
	prefix                 string
	rejectReply            string
	rejectReplyFile        string
	debug                  bool
	minConnectionCount     int
	connectionTimeout      int64
	trustTimeout           float64
	webpageRequestRequired bool
	webpageSSL             bool
	webpagePort            string
	webpagePath            string
	webpageSSLPub          string
	webpageSSLKey          string
)

func initFlags() {
	flag.StringVar(&localAddr, "l", ":2081", "host:port to listen on")
	flag.StringVar(&remoteAddr, "r", ":2080", "host:port to forward to")
	flag.StringVar(&prefix, "p", "", "String to prefix log output")
	flag.StringVar(&rejectReply, "jr", "none", "Send something before rejecting\n  bin: random bytes\n  text: random hex text\n file: send a file\n  none: just close")
	flag.StringVar(&rejectReplyFile, "jrf", "", "Path to file for reject reply")
	flag.BoolVar(&debug, "debug", false, "more logs")
	flag.IntVar(&minConnectionCount, "m", 10, "min accepted request")
	flag.Int64Var(&connectionTimeout, "t", 500, "How long a client can take to create enough connections in ms")
	flag.Float64Var(&trustTimeout, "tt", 60, "IP trust reset timer in minute")
	flag.BoolVar(&webpageRequestRequired, "pr", false, "Request webpage is required")
	flag.BoolVar(&webpageSSL, "ps", true, "SSL For webpage is enabled")
	flag.StringVar(&webpagePort, "pp", ":2082", "host:port for webpage verify")
	flag.StringVar(&webpagePath, "ppa", "/verify-mvacrw9khofxsd", "path for webpage verify")
	flag.StringVar(&webpageSSLPub, "psp", "SelfSigned", "path to webpage SSL public cert")
	flag.StringVar(&webpageSSLKey, "psk", "SelfSigned", "path to webpage SSL private key")
	flag.Parse()
}

type IPConnection struct {
	sync.Mutex
	count            int // 记录已接受的连接数
	failedCount      int
	lastConnection   time.Time // 记录最后一次连接时间
	webpageRequested bool
	failedWebpage    bool
}

func webpageVerify(ip string, ipMap map[string]*IPConnection) {
	// 如果未记录该IP，创建记录
	if _, exist := ipMap[ip]; !exist {
		ipMap[ip] = &IPConnection{
			count:            1,
			failedCount:      0,
			lastConnection:   time.Now(),
			webpageRequested: true,
			failedWebpage:    false,
		}
		log.Printf("(Webpage) New IP address %v, waiting for more connections\n", ip)
	} else if !ipMap[ip].webpageRequested {
		// 如果已记录该IP，确定已访问网页
		ipMap[ip].Lock()
		ipMap[ip].webpageRequested = true
		log.Printf("(Webpage) New IP address %v added\n", ip)
		ipMap[ip].Unlock()
	}
	return
}

func forward(conn net.Conn, ipMap map[string]*IPConnection) {
	// 获取连接方的IP地址
	ip, _, _ := net.SplitHostPort(conn.RemoteAddr().String())

	// 如果未记录该IP，创建记录
	if _, exist := ipMap[ip]; !exist {
		ipMap[ip] = &IPConnection{
			count:            1,
			failedCount:      0,
			lastConnection:   time.Now(),
			webpageRequested: false,
			failedWebpage:    false,
		}
		return
	} else {
		// 如果已记录该IP，判断是否达到最大连接数
		ipMap[ip].Lock()
		if ipMap[ip].count < minConnectionCount {
			// 重置连接计数和最后一次连接时间
			if time.Since(ipMap[ip].lastConnection).Milliseconds() >= connectionTimeout {
				ipMap[ip].count = 0
				ipMap[ip].lastConnection = time.Now()
			}
			ipMap[ip].count++
			if ipMap[ip].failedCount < minConnectionCount*3 && ipMap[ip].count%3 == 0 || debug || minConnectionCount <= 3 || ipMap[ip].count < 2 {
				log.Printf("Rejected connection from %v, %v Connections in %dms\n", ip, ipMap[ip].count, time.Since(ipMap[ip].lastConnection).Milliseconds())
				ipMap[ip].failedCount++

			}
			ipMap[ip].Unlock()

			switch strings.ToLower(rejectReply) {
			case "bin":
				conn.Write(Utils.RandomByte(rand.Intn(300) + 100))
			case "text":
				conn.Write([]byte(Utils.RandomString(rand.Intn(640) + 100)))
			case "file":
				{
					//打开本地文件
					file, err := os.Open("example.txt")
					if err != nil {
						log.Printf("ERROR: open file failed: %v", err)
						conn.Close()
						return
					}
					//复制到网络
					_, err = io.Copy(conn, file)
					if err != nil {
						log.Printf("ERROR: reply file failed: %v", err)
						conn.Close()
						return
					}
					file.Close()
				}
			case "none":
				{
				} //skip
			default:
				log.Printf("Warning: Unexpected Rejected Reply: %s", rejectReply)
			}

			conn.Close()
			return
		} else {

			if webpageRequestRequired {
				if !ipMap[ip].webpageRequested {
					if !ipMap[ip].failedWebpage || debug {
						log.Printf("Rejected connection from %v, FAILED WEBPAGE VERIFY\n", ip)
						ipMap[ip].count = 0
						ipMap[ip].failedWebpage = true

					}
					conn.Close()
					ipMap[ip].Unlock()
					return
				}
			}
			if ipMap[ip].count == minConnectionCount {
				log.Printf("Accept connections from %v\n", ip)
				ipMap[ip].count++
			}
			if time.Since(ipMap[ip].lastConnection).Minutes() >= trustTimeout {
				ipMap[ip].count = -2
				ipMap[ip].Unlock()
				log.Printf("Reject %v (trust expired)\n", ip)
			} else {
				ipMap[ip].Unlock()
			}
		}

	}

	client, err := net.Dial("tcp", remoteAddr)
	if err != nil {
		log.Printf("ERROR: Dial failed: %v", err)
		defer conn.Close()
		return
	}
	if debug {
		log.Printf("Forwarding from %v to %v\n", conn.LocalAddr(), client.RemoteAddr())
	}
	go func() {
		defer client.Close()
		defer conn.Close()
		io.Copy(client, conn)
	}()
	go func() {
		defer client.Close()
		defer conn.Close()
		io.Copy(conn, client)
	}()
}

func main() {
	initFlags()
	Utils.InitRandSeed()
	log.Printf("Client > %s > %s > Server\n", localAddr, remoteAddr)
	log.SetPrefix(prefix)
	log.Println(strings.Replace(`
TCPForward init,  Tip:

### Block port from Internet ###
iptables -A INPUT -p tcp --dport <PORT_NUMBER> -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -p tcp --dport <PORT_NUMBER> -j DROP
ip6tables -A INPUT -p tcp --dport <PORT_NUMBER> -s ::1 -j ACCEPT
ip6tables -A INPUT -p tcp --dport <PORT_NUMBER> -j DROP

or quickTables -port <PORT_NUMBER> block

### Delete rule ###
iptables -D INPUT -p tcp --dport <PORT_NUMBER> -j DROP
ip6tables -D INPUT -p tcp --dport <PORT_NUMBER> -j DROP

or quickTables -port <PORT_NUMBER> unblock

(execute with root privileges)

`, "<PORT_NUMBER>", localAddr, -1))
	ipMap := make(map[string]*IPConnection)

	if webpageRequestRequired {
		if !webpageSSL {
			go func() {
				http.HandleFunc(webpagePath, func(w http.ResponseWriter, r *http.Request) {
					ip, _, _ := net.SplitHostPort(r.RemoteAddr)
					io.WriteString(w, ip)
					webpageVerify(ip, ipMap)
				})
				err := http.ListenAndServe(webpagePort, nil)
				if err != nil {
					log.Printf("ERROR: failed to accept webpage verify: %v", err)
				}
			}()
		} else {

			go func() {
				//Utils.RandomString(rand.Intn(28) + 10)+".cf",/
				cert, err := Utils.GenerateSelfSignedCert()
				if webpageSSLPub != "SelfSigned" || webpageSSLKey != "SelfSigned" {
					cert, err = Utils.LoadCertFromFile(webpageSSLPub, webpageSSLKey)
				}
				if err != nil {
					log.Fatalf("ERROR: failed to create cert: %v", err)
				}
				err = Utils.StartHTTPSPage(webpagePort, cert, func(ip string) {
					webpageVerify(ip, ipMap)
				}, webpagePath, true)
				if err != nil {
					log.Fatalf("ERROR: failed to accept webpage verify: %v", err)
				}
			}()

		}
		log.Printf("request webpage at %s%s to verify\n", webpagePort, webpagePath)
	}
	listener, err := net.Listen("tcp", localAddr)
	if err != nil {
		log.Fatalf("ERROR: Failed to setup listener: %v", err)
	}

	go func() {
		for {
			conn, err := listener.Accept()
			if err != nil {
				log.Printf("ERROR: failed to accept listener: %v", err)
				continue
			}
			go forward(conn, ipMap)
		}
	}()
	log.Println("  TCPForwarder ready")
	select {}
}

func clearMap(m map[string]*IPConnection) {
	for key := range m {
		delete(m, key)
	}
}