Blocking access to prohibited resources is relevant to any admin who can be officially charged with failing to comply with the law or with orders of the relevant authorities.
Why reinvent the wheel when there are specialized programs and distributions for such tasks, for example Zeroshell, pfSense, ClearOS?
The authorities had one more question: does the product in use have a security certificate issued by our state?
We had experience working with the following distributions:
- Zeroshell: the developers even gave us a 2-year license, but it turned out that the distribution handled a function critical for us in a way that was illogical to us;
- pfSense: respect and honour, but at the same time tedious; getting used to the FreeBSD firewall command line was not convenient enough for us (I think it is a matter of habit, but it turned out not to be "our thing");
- ClearOS: on our hardware it turned out to be very slow; we never got as far as serious testing, so why such heavy interfaces?
- Ideco SELECTA: the Ideco product is a separate conversation, an interesting product, but for political reasons not for us. I also want to "bite" them about the licensing of the same Linux, Roundcube, etc. Where did they get the idea that, having knocked together an interface in Python and taken away superuser rights, they can sell as a finished product something assembled from the developed and modified modules of the Internet community, distributed under the GPL and similar licenses?
I understand that negative comments will now pour in my direction demanding that I justify my subjective impressions in detail, but I want to say that this network node is also a traffic balancer for 4 external Internet channels, each with its own characteristics. Another cornerstone was the need to run one of several network interfaces in different address spaces, and I am ready to admit that I am not ready to use VLANs wherever they would be appropriate. There are devices like the TP-Link TL-R480T+ in use; they do not behave perfectly and, in general, have their own nuances. It turned out to be sane to set this part up on Linux, thanks to the official Ubuntu site.
The solution under consideration does not claim to be unique, but I would like to ask the question: "Why should an enterprise adapt to third-party dubious products with serious hardware requirements when an alternative option can be considered?"
Where the Russian Federation has the Roskomnadzor list, Ukraine has an annex to the Decision of the National Security Council (for example, no.
Talking with colleagues at other enterprises, where all sites are prohibited by default and a specific site can be accessed only on request with the boss's permission, we smiled respectfully, thought, "smoked over the problem", came to understand that life is still good, and started our search.
Having the opportunity not only to read what the "housewives' cookbooks" write about traffic filtering, but also to see what actually happens on the channels of different providers, we noticed the following recipes (the screenshots are slightly cropped; please understand, and ask if anything is unclear):
Provider 1
- does not bother and imposes its own DNS servers and a transparent proxy server. So what? We still have access to where we need it (if we need it :))
Provider 2
- believes that its upstream provider should think about it; the upstream provider's technical support even admitted why I can't open a site I need that is not prohibited. I think the picture will cheer you up :)
As it turned out, they resolve the names of banned sites to IP addresses and block exactly those IPs (unconcerned that 20 sites may be hosted on the same IP address).
Provider 3
- lets traffic out towards the site, but does not let the return traffic back along the route.
Provider 4
- disables any packet handling in the specified direction.
And what to do with VPNs (respect to the Opera browser) and browser plugins? Playing with the central Mikrotik at first, we even got a resource-hungry L7 recipe that later had to be abandoned (there may be many more forbidden names, and it gets sad when, on top of its direct routing duties, three dozen L7 expressions push the PPC460GT processor load to 100 %).
What became clear:
A local DNS on 127.0.0.1 is absolutely not a panacea; modern browser versions still let users bypass such obstacles. It is impossible to give every user restricted rights, and we must not forget the huge number of alternative DNS servers. The Internet is not static: besides new DNS addresses, banned sites buy new addresses, change top-level domains, and can add or remove a character in their name. Still, something like the following has a right to exist:
ip route add blackhole 1.2.3.4
Deriving a list of IP addresses from the list of blocked sites would be quite effective, but for the reasons above we moved on to considering iptables. There was already a live balancer running CentOS Linux release 7.5.1804.
The users' Internet should be fast, and the browser should not wait half a minute before concluding that the page is unavailable (which is why blocked TCP connections are rejected with a reset rather than silently dropped). After a long search, we came up with this model:
File 1 -> /script/denied_host, the list of prohibited names:
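The blackhole-route variant mentioned above can be planned offline before any route is installed. The following is an added example and not code from the habr post: it takes a resolved list of banned names, collapses the addresses into the smallest set of `ip route add blackhole` targets, and flags any address that a permitted name also resolves to, which is exactly the shared-hosting collateral damage observed at Provider 2. The name-to-address map is constructed for the demonstration rather than obtained from live DNS; the function names `plan_blackholes` and `route_commands` are this example's own.

```python
"""Added example (not from the habr post): plan blackhole routes for a resolved banned-name list
while detecting addresses shared with names that must stay reachable."""
import ipaddress
from collections import defaultdict

# Constructed resolution results (documentation address ranges), standing in for a real lookup of
# denied_host and of a sample of known-good names with socket.getaddrinfo.
BANNED = {
    "test.test": ["203.0.113.10", "203.0.113.11"],
    "blablabla.bubu": ["203.0.113.11"],       # shares an address with test.test; both banned, so fine
    "porno.example": ["198.51.100.7"],
}
ALLOWED = {
    "intranet.example": ["198.51.100.7"],     # shared hosting: same address as a banned name
}


def plan_blackholes(banned, allowed):
    """Return (routes, conflicts).

    routes:    collapsed IPv4 networks that only banned names resolve to, safe to blackhole
    conflicts: address -> sorted names sharing it, for every address a permitted name also uses
    """
    owners = defaultdict(set)
    for name, ips in banned.items():
        for ip in ips:
            owners[ip].add(name)
    conflicts = {}
    for name, ips in allowed.items():
        for ip in ips:
            if ip in owners:
                conflicts[ip] = sorted(owners[ip] | {name})
    # collapse_addresses merges adjacent /32s (all entries here are IPv4; it refuses mixed families)
    safe = [ipaddress.ip_network(ip) for ip in owners if ip not in conflicts]
    routes = sorted(ipaddress.collapse_addresses(safe))
    return routes, conflicts


def route_commands(routes):
    """Render the command the post uses, one per collapsed network."""
    return [f"ip route add blackhole {net}" for net in routes]


if __name__ == "__main__":
    routes, conflicts = plan_blackholes(BANNED, ALLOWED)
    for cmd in route_commands(routes):
        print(cmd)
    for ip, names in conflicts.items():
        print(f"NOT blackholed {ip}: shared by {', '.join(names)}")
```

Two adjacent /32 entries become one /31 route, and the address shared with `intranet.example` is reported instead of routed, so the check has to be repeated whenever the banned list or the permitted sample is re-resolved.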
test.test
blablabla.bubu
torrent
porno
File 2 -> /script/denied_range, a list of forbidden address ranges and addresses:
192.168.111.0/24
241.242.0.0/16
Script file 3 -> ipt.sh, which does the job with iptables:
#!/bin/sh
# Read the useful information from the list files (lines starting with '#' are comments)
HOSTS=$(grep -v '^#' /script/denied_host)
RANGE=$(grep -v '^#' /script/denied_range)
echo "Stopping firewall and allowing everyone..."
# Reset all iptables settings, allowing everything that is not explicitly prohibited
sudo iptables -F
sudo iptables -X
sudo iptables -t nat -F
sudo iptables -t nat -X
sudo iptables -t mangle -F
sudo iptables -t mangle -X
sudo iptables -P INPUT ACCEPT
sudo iptables -P FORWARD ACCEPT
sudo iptables -P OUTPUT ACCEPT
# Refresh the routing information (a peculiarity of our architecture)
sudo sh rout.sh
# Loop over each line of the host file and apply the string-blocking rule:
# TCP is rejected with a reset so the browser fails fast, UDP is silently dropped
for i in $HOSTS; do
    sudo iptables -I FORWARD -m string --string "$i" --algo bm --from 1 --to 600 -p tcp -j REJECT --reject-with tcp-reset
    sudo iptables -I FORWARD -m string --string "$i" --algo bm --from 1 --to 600 -p udp -j DROP
done
# Loop over each line of the range file and apply the address-blocking rule
for i in $RANGE; do
    sudo iptables -I FORWARD -p udp -d "$i" -j DROP
    sudo iptables -I FORWARD -p tcp -d "$i" -j REJECT --reject-with tcp-reset
done
The use of sudo is because we have a small hack for managing this via a web interface, but as more than a year of running this model has shown, the web interface is not really necessary. After the implementation there was a desire to move the site list into a database, etc. The number of blocked hosts is over 250, plus a dozen address ranges. There is indeed a problem with sites visited over HTTPS; as a system administrator I have my complaints about browsers :), but these are special cases, and most of the time the reason a resource is unreachable is still on our side. We also successfully block Opera VPN, plugins like friGate, and telemetry from Microsoft.
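Because every denied_host entry becomes a plain substring search over the first 600 bytes of each forwarded packet, it is worth checking the list against representative payloads before ipt.sh runs. The following is an added example, not code from the habr post: it emulates the `-m string --from 1 --to 600` test on constructed payloads and shows two properties that the text above only hints at. A dotted name such as `blablabla.bubu` is never found in a DNS query, because the DNS wire format replaces dots with label-length bytes, so the UDP DROP rule catches only bare keywords; conversely a bare keyword such as `torrent` fires on any packet that happens to contain it, including an innocent URL path. The list contents, the HTTP request, the DNS query and the function names (`string_match`, `caught_by`, `blocked_destination`) are all this example's own constructions.

```python
"""Added example (not from the habr post): emulate the iptables string match used by ipt.sh
against constructed HTTP and DNS payloads to see which denied_host entries would actually fire."""
import ipaddress
import struct

# Constructed stand-ins for /script/denied_host and /script/denied_range, same syntax as the post.
DENIED_HOST_FILE = """\
# comment lines are skipped, as grep -v '^#' does in ipt.sh
test.test
blablabla.bubu
torrent
porno
"""
DENIED_RANGE_FILE = """\
192.168.111.0/24
241.242.0.0/16
"""


def load_list(text):
    """One entry per non-empty line whose first character is not '#'."""
    return [ln.strip() for ln in text.splitlines() if ln.strip() and not ln.startswith("#")]


def load_ranges(text):
    """Parse denied_range; ipaddress rejects a malformed entry before iptables would."""
    return [ipaddress.ip_network(e, strict=False) for e in load_list(text)]


def string_match(payload, needle, frm=1, to=600):
    """Emulate `--algo bm --from 1 --to 600`: a plain substring search over bytes [frm, to).
    The real match scans the whole IP packet including its headers; applying it to the
    application payload alone is enough to show which names can be found at all."""
    return needle.encode() in payload[frm:to]


def http_get(host, path="/"):
    """Constructed plaintext HTTP request: the hostname appears verbatim in the Host header."""
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()


def dns_query(name, txid=0x1234):
    """Constructed DNS A query in wire format: 12-byte header, QNAME as length-prefixed labels,
    then QTYPE=A and QCLASS=IN. Note that no '.' byte ever appears in the QNAME."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)


def caught_by(hosts, payload):
    """Entries of denied_host whose rule would fire on this payload, in list order."""
    return [h for h in hosts if string_match(payload, h)]


def blocked_destination(ranges, ip):
    """Whether the denied_range rules would fire for this destination address."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


HOSTS = load_list(DENIED_HOST_FILE)
RANGES = load_ranges(DENIED_RANGE_FILE)

if __name__ == "__main__":
    checks = {
        "HTTP to blablabla.bubu": http_get("blablabla.bubu"),
        "DNS query for blablabla.bubu": dns_query("blablabla.bubu"),    # dotted name is invisible
        "DNS query for torrent.example": dns_query("torrent.example"),  # bare keyword still fires
        "HTTP to news.example /weather/torrent-of-rain": http_get("news.example", "/weather/torrent-of-rain"),
    }
    for label, payload in checks.items():
        print(f"{label:48s} -> {caught_by(HOSTS, payload)}")
    for ip in ("241.242.5.5", "192.168.1.5"):
        print(f"destination {ip:15s} -> {'blocked' if blocked_destination(RANGES, ip) else 'allowed'}")
```

The same emulation can be run over a packet capture from the balancer to measure how often each keyword fires on traffic that has nothing to do with the banned sites, which is the cheapest way to decide whether an entry belongs in denied_host or should be replaced by an address in denied_range.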
Source: habr.com