内容很简单，先记下来，方便查阅：

• 伪造IP的PHP代码

<?php
    $ch = curl_init();
    $url = "http://localhost/target_ip.php";
    $header = array(
        'CLIENT-IP:58.68.44.61',
        'X-FORWARDED-FOR:58.68.44.61',
    );
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_HTTPHEADER, $header);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    $page_content = curl_exec($ch);
    curl_close($ch);
    echo $page_content;
?>

• 本地判断来访IP的PHP代码

<?php
    echo getenv('HTTP_CLIENT_IP')."n";
    echo getenv('HTTP_X_FORWARDED_FOR')."n";
    echo getenv('REMOTE_ADDR')."n";
?>

• 伪造IP访问网站

<?php
for ($i = 0; $i < 5; $i++) {
    task();
}
function task() {
    $url = "http://www.xxx.com/?fromuid=272539";
    $ip = "100.100.".rand(1, 255).".".rand(1, 255);
    $headers = array("X-FORWARDED-FOR:$ip");

    $curl = curl_init($url);
    curl_setopt($curl, CURLOPT_HTTPHEADER, $headers);
    curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($curl, CURLOPT_USERAGENT,  "Mozilla/4.0");
    $src = curl_exec($curl);
    curl_close($curl);
}
?>

参考链接：

• php curl 伪造IP来源的实例代码_php技巧
• curl伪造ip访问网站
• 如何避免用户访问请求伪造ip
• php – Can $_SERVER[‘REMOTE_ADDR’] be trusted? – Stack Overflow