Maudu'in ya yi kyau sosai, na sani. Misali, akwai mai girma , amma kawai ɓangaren IP na blocklist ana la'akari a can. Za mu kuma ƙara yanki.
Saboda gaskiyar cewa kotuna da RKN sun toshe duk abin da ke daidai da hagu, kuma masu samar da su suna ƙoƙari don kada su fada ƙarƙashin tarar da Revizorro ya bayar, asarar da aka haɗa daga toshewa suna da yawa. Kuma daga cikin wuraren da aka toshe "bisa doka" akwai masu amfani da yawa (sannu, rutracker)
Ina zaune a wajen RKN, amma iyayena, dangi da abokai sun kasance a gida. Don haka aka yanke shawarar samar da hanya mai sauƙi ga mutanen da ke nesa da IT don ƙetare toshewa, zai fi dacewa ba tare da shigarsu ba kwata-kwata.
A cikin wannan bayanin kula, ba zan bayyana ainihin abubuwan cibiyar sadarwa a matakai ba, amma zan bayyana ka'idodin gaba ɗaya na yadda za a iya aiwatar da wannan makirci. Don haka sanin yadda hanyar sadarwar ke aiki gaba ɗaya kuma a cikin Linux musamman ya zama dole.
Nau'in makullai
Da farko, bari mu sabunta tunaninmu game da abin da ake toshewa.
Akwai nau'ikan makullai da yawa a cikin XML da aka sauke daga RKN:
- IP
- Домен
- URL
Don sauƙi, za mu rage su zuwa biyu: IP da domain, kuma za mu cire kawai yankin daga toshe ta URL (mafi daidai, sun riga sun yi mana wannan).
mutanen kirki daga gane mai ban mamaki , ta inda za mu iya samun abin da muke bukata:
- IP:
- Yankuna:
Samun shiga shafukan da aka katange
Don yin wannan, muna buƙatar wasu ƙananan VPS na waje, zai fi dacewa tare da zirga-zirga marasa iyaka - akwai da yawa daga cikin waɗannan don 3-5 daloli. Kuna buƙatar ɗaukar shi a cikin kusa da ƙasashen waje don ping ɗin ba shi da girma sosai, amma kuma, la'akari da cewa Intanet da labarin ƙasa ba koyaushe suke daidai ba. Kuma tunda babu SLA don 5 dolar Amirka, yana da kyau a ɗauki guda 2+ daga masu samarwa daban-daban don haƙurin kuskure.
Na gaba, muna buƙatar saita rami da aka rufaffen daga na'ura mai ba da hanya tsakanin hanyoyin sadarwa zuwa VPS. Ina amfani da Wireguard a matsayin mafi sauri kuma mafi sauƙi don saitawa. Har ila yau, ina da hanyoyin sadarwa na abokin ciniki bisa Linux ( ko wani abu a cikin OpenWRT). A cikin yanayin wasu Mikrotik / Cisco, zaku iya amfani da ka'idodin da ake samu akan su kamar OpenVPN da GRE-over-IPSEC.
Ganewa da juyar da zirga-zirgar sha'awa
Kuna iya, ba shakka, kashe duk zirga-zirgar Intanet ta ƙasashen waje. Amma, mafi mahimmanci, saurin aiki tare da abun ciki na gida zai sha wahala sosai daga wannan. Bugu da ƙari, buƙatun bandwidth akan VPS zai zama mafi girma.
Don haka, za mu buƙaci ko ta yaya mu ware zirga-zirga zuwa wuraren da aka toshe kuma mu zaɓi kai tsaye zuwa rami. Ko da wasu daga cikin "karin" zirga-zirga sun isa wurin, har yanzu yana da kyau fiye da tuki komai ta hanyar rami.
Don sarrafa zirga-zirga, za mu yi amfani da ka'idar BGP kuma mu sanar da hanyoyin zuwa cibiyoyin sadarwar da suka dace daga VPS zuwa abokan ciniki. Bari mu ɗauki Tsuntsu a matsayin ɗaya daga cikin mafi yawan aiki kuma dacewa BGP daemons.
IP
Tare da toshewa ta IP, komai a bayyane yake: kawai muna sanar da duk katange IPs tare da VPS. Matsalar ita ce akwai kusan 600 dubu 32 subnets a cikin jerin da API ya dawo, kuma mafi yawansu su ne /XNUMX runduna. Wannan adadin hanyoyi na iya rikitar da masu amfani da hanyar sadarwa mara ƙarfi.
Don haka, lokacin sarrafa jerin, an yanke shawarar taƙaitawa zuwa cibiyar sadarwar / 24 idan tana da runduna 2 ko fiye. Don haka, an rage yawan hanyoyin zuwa ~ 100 dubu. Rubutun wannan zai biyo baya.
Yankuna
Ya fi rikitarwa kuma akwai hanyoyi da yawa. Misali, zaku iya shigar da Squid na gaskiya akan kowane mai amfani da hanyar sadarwa na abokin ciniki kuma kuyi kutsawar HTTP a wurin kuma ku leka cikin musafaha TLS don samun URL ɗin da ake buƙata a yanayin farko da yanki daga SNI a cikin na biyu.
Amma saboda kowane nau'in sabbin TLS1.3 + eSNI, bincike na HTTPS yana ƙara zama ƙasa da gaske kowace rana. Ee, kuma abubuwan more rayuwa a gefen abokin ciniki suna ƙara rikitarwa - dole ne ku yi amfani da aƙalla OpenWRT.
Sabili da haka, na yanke shawarar ɗaukar hanyar satar amsa ga tambayoyin DNS. Anan ma, duk wani DNS-over-TLS / HTTPS ya fara shawagi a kan ku, amma zamu iya (a yanzu) sarrafa wannan ɓangaren akan abokin ciniki - ko dai musaki shi ko amfani da sabar ku don DoT / DoH.
Yadda za a sa baki DNS?
Anan ma, ana iya samun hanyoyi da yawa.
- Rikicin zirga-zirgar DNS ta hanyar PCAP ko NFLOG
Duk waɗannan hanyoyin shiga tsakani ana aiwatar da su a cikin mai amfani . Amma ba a tallafa masa ba na dogon lokaci kuma aikin yana da matukar mahimmanci, don haka har yanzu kuna buƙatar rubuta kayan aiki don shi. - Analysis na DNS rajistan ayyukan uwar garken
Abin takaici, masu maimaitawa da aka sani a gare ni ba su iya shigar da martani, amma buƙatu kawai. A ka'ida, wannan yana da ma'ana, tun da, ba kamar buƙatun ba, amsoshi suna da tsari mai rikitarwa kuma yana da wuya a rubuta su a cikin rubutun rubutu.
Abin farin ciki, da yawa daga cikinsu sun riga sun goyi bayan DNSTap don wannan dalili.
Menene DNSTap?
Ƙa'idar uwar garken abokin ciniki ce ta dogara da Protocol Buffers da Frame Streams don canjawa daga uwar garken DNS zuwa mai tara tsarin tambayoyin DNS da martani. Mahimmanci, uwar garken DNS yana watsa tambaya da amsa metadata (nau'in saƙo, abokin ciniki / uwar garken IP, da sauransu) da cikakkun saƙon DNS a cikin nau'in (binary) wanda yake aiki tare da su akan hanyar sadarwa.
Yana da mahimmanci a fahimci cewa a cikin tsarin DNSTap, uwar garken DNS yana aiki a matsayin abokin ciniki kuma mai tarawa yana aiki azaman sabar. Wato, uwar garken DNS yana haɗuwa da mai tarawa, kuma ba akasin haka ba.
A yau ana goyan bayan DNSTap a cikin duk shahararrun sabar DNS. Amma, alal misali, BIND a yawancin rabawa (kamar Ubuntu LTS) galibi ana gina shi saboda wasu dalilai ba tare da tallafin sa ba. Don haka kada mu damu da sake haɗuwa, amma ɗauki mai sauƙi da sauri mai maimaitawa - Unbound.
Yadda ake kama DNSTap?
Akwai Abubuwan amfani na CLI don aiki tare da rafi na abubuwan DNSTap, amma ba su dace da magance matsalarmu ba. Saboda haka, na yanke shawarar ƙirƙira keke nawa wanda zai yi duk abin da ya dace:
Algorithm na aiki:
- Lokacin da aka kaddamar, yana loda jerin wuraren da ke cikin fayil ɗin rubutu, yana jujjuya su (habr.com -> com.habr), ban da layukan da suka lalace, duplicates da subdomains (wato idan lissafin ya ƙunshi habr.com da www.habr.com, za a loda shi na farko kawai) kuma ya gina bishiyar prefix don bincike cikin sauri ta wannan jeri
- Yin aiki azaman uwar garken DNSTap, yana jiran haɗi daga uwar garken DNS. A ka'ida, yana goyan bayan duka UNIX da TCP soket, amma sabobin DNS da na sani kawai za su iya amfani da sockets UNIX kawai.
- Fakitin DNSTap masu shigowa ana fara ɓoye su cikin tsarin Protobuf, sannan saƙon DNS na binary kansa, wanda ke ɗaya daga cikin filayen Protobuf, an daidaita shi zuwa matakin bayanan RR na DNS.
- Ana duba ko masaukin da aka nema (ko yankin mahaifansa) yana cikin jerin abubuwan da aka ɗora, idan ba haka ba, ba a yi watsi da amsa ba.
- A/AAAA/CNAME RRs ne kawai aka zaɓa daga amsa kuma ana fitar da adiresoshin IPv4/IPv6 masu dacewa daga cikinsu.
- Ana adana adiresoshin IP tare da daidaitawar TTL kuma ana tallata su ga duk ƙwararrun takwarorinsu na BGP
- Lokacin karɓar amsa yana nuna IP ɗin da aka rigaya, an sabunta TTL ɗin sa
- Bayan TTL ta ƙare, ana cire shigarwar daga cache kuma daga sanarwar BGP
Ƙarin ayyuka:
- Sake karanta jerin yankuna ta SIGHUP
- Ajiye cache ɗin tare da sauran al'amura dnstap-bgp ta hanyar HTTP/JSON
- Kwafi cache akan faifai (a cikin ma'ajin bayanai na BoltDB) don dawo da abinda ke ciki bayan an sake farawa
- Taimako don canzawa zuwa wani sunan cibiyar sadarwa daban (me yasa ake buƙatar wannan za a bayyana a ƙasa)
- IPv6 goyon baya
Ƙuntatawa:
- Ba a tallafawa wuraren IDN tukuna
- Saitunan BGP kaɗan
Na tattara fakiti don sauƙi shigarwa. Ya kamata yayi aiki akan duk sabbin OSes tare da systemd. ba su da wani abin dogaro.
Makircin
Don haka, bari mu fara haɗa dukkan abubuwan haɗin gwiwa tare. A sakamakon haka, ya kamata mu sami wani abu kamar wannan cibiyar sadarwa topology:
Hankalin aikin, ina tsammanin, ya fito fili daga zane:
- Abokin ciniki yana da saitunan uwar garken mu azaman DNS, kuma tambayoyin DNS dole ne su wuce VPN. Wannan ya zama dole don mai bada ba zai iya amfani da tsangwama na DNS don toshewa ba.
- Lokacin buɗe rukunin yanar gizon, abokin ciniki yana aika tambayar DNS kamar "menene IPs na xxx.org"
- Sakakken yana warware xxx.org (ko ɗauka daga cache) kuma ya aika da amsa ga abokin ciniki "xxx.org yana da irin wannan kuma irin wannan IP", yana kwafi shi a layi daya ta hanyar DNSTap
- dnstap-bgp ya sanar da wadannan adireshi a Tsuntsu ta BGP idan yankin yana kan jerin katange
- Tsuntsu yana tallata hanya zuwa waɗannan IPs tare da
next-hop selfabokin ciniki na'ura mai ba da hanya tsakanin hanyoyin sadarwa - Fakiti na gaba daga abokin ciniki zuwa waɗannan IPs suna shiga cikin rami
A kan uwar garken, don hanyoyin zuwa wuraren da aka toshe, Ina amfani da tebur daban a cikin BIRD kuma baya yin cudanya da OS ta kowace hanya.
Wannan makirci yana da koma baya: fakitin SYN na farko daga abokin ciniki, mai yuwuwa, zai sami lokacin barin ta hanyar mai ba da gida. ba a sanar da hanyar nan take ba. Kuma a nan zažužžukan suna yiwuwa dangane da yadda mai badawa ke yin toshewa. Idan kawai ya sauke zirga-zirga, to babu matsala. Kuma idan ya sake tura shi zuwa wasu DPI, to (a zahiri) tasirin musamman yana yiwuwa.
Hakanan yana yiwuwa abokan ciniki ba sa mutunta abubuwan al'ajabi na TTL na DNS, wanda zai iya haifar da abokin ciniki ya yi amfani da wasu bayanan da ba su da tushe daga ruɓaɓɓen cache ɗin sa maimakon tambayar Unbound.
A aikace, na farko ko na biyu ba su haifar da matsala a gare ni ba, amma tafiyarku na iya bambanta.
Sauraron Sabar
Don sauƙi na birgima, na rubuta . Yana iya saita duka sabobin da abokan ciniki bisa Linux (wanda aka tsara don rarraba tushen bashi). Duk saituna a bayyane suke kuma an saita su kaya.yml. An yanke wannan rawar daga babban littafin wasana, saboda haka yana iya ƙunsar kurakurai - barka da zuwa 🙂
Bari mu shiga cikin manyan abubuwan da aka gyara.
BGP
Gudun daemon BGP guda biyu akan mai masaukin baki ɗaya yana da matsala ta asali: BIRD ba ta son saita BGP peering tare da localhost (ko kowane gida na gida). Daga kalmar kwata-kwata. Googling da karanta jerin wasiƙa ba su taimaka ba, suna da'awar cewa wannan ta ƙira ne. Wataƙila akwai wata hanya, amma ban same ta ba.
Kuna iya gwada wani BGP daemon, amma ina son BIRD kuma ana amfani dashi a ko'ina da ni, ba na son samar da abubuwa.
Saboda haka, na ɓoye dnstap-bgp a cikin sunan cibiyar sadarwa, wanda aka haɗa da tushen ta hanyar haɗin yanar gizon veth: kamar bututu ne, wanda ƙarshensa ya tsaya a cikin wurare daban-daban. A kowane ɗayan waɗannan ƙarshen, muna rataye adiresoshin IP na p2p masu zaman kansu waɗanda ba su wuce mai watsa shiri ba, don haka suna iya zama komai. Wannan shine tsarin da ake amfani da shi don samun damar tafiyar matakai a ciki kowa ya so Docker da sauran kwantena.
Domin wannan aka rubuta kuma aikin da aka riga aka kwatanta a sama don jawo kanka ta hanyar gashi zuwa wani sunan suna an ƙara zuwa dnstap-bgp. Saboda wannan, dole ne a gudanar da shi azaman tushen tushe ko bayar da shi zuwa ga binary CAP_SYS_ADMIN ta hanyar umarnin saiti.
Misalin rubutun don ƙirƙirar sararin suna
#!/bin/bash
NS="dtap"
IP="/sbin/ip"
IPNS="$IP netns exec $NS $IP"
IF_R="veth-$NS-r"
IF_NS="veth-$NS-ns"
IP_R="192.168.149.1"
IP_NS="192.168.149.2"
/bin/systemctl stop dnstap-bgp || true
$IP netns del $NS > /dev/null 2>&1
$IP netns add $NS
$IP link add $IF_R type veth peer name $IF_NS
$IP link set $IF_NS netns $NS
$IP addr add $IP_R remote $IP_NS dev $IF_R
$IP link set $IF_R up
$IPNS addr add $IP_NS remote $IP_R dev $IF_NS
$IPNS link set $IF_NS up
/bin/systemctl start dnstap-bgpdnstap-bgp.conf
namespace = "dtap"
domains = "/var/cache/rkn_domains.txt"
ttl = "168h"
[dnstap]
listen = "/tmp/dnstap.sock"
perm = "0666"
[bgp]
as = 65000
routerid = "192.168.149.2"
peers = [
"192.168.149.1",
]tsuntsu.conf
router id 192.168.1.1;
table rkn;
# Clients
protocol bgp bgp_client1 {
table rkn;
local as 65000;
neighbor 192.168.1.2 as 65000;
direct;
bfd on;
next hop self;
graceful restart;
graceful restart time 60;
export all;
import none;
}
# DNSTap-BGP
protocol bgp bgp_dnstap {
table rkn;
local as 65000;
neighbor 192.168.149.2 as 65000;
direct;
passive on;
rr client;
import all;
export none;
}
# Static routes list
protocol static static_rkn {
table rkn;
include "rkn_routes.list";
import all;
export none;
}rkn_routes.list
route 3.226.79.85/32 via "ens3";
route 18.236.189.0/24 via "ens3";
route 3.224.21.0/24 via "ens3";
...DNS
Ta hanyar tsoho, a cikin Ubuntu, bayanin martabar AppArmor yana ƙunshe binary ɗin Unbound, wanda ya hana shi haɗawa zuwa kowane nau'in kwasfa na DNSTap. Kuna iya ko dai share wannan bayanin martaba, ko kuma ku kashe shi:
# cd /etc/apparmor.d/disable && ln -s ../usr.sbin.unbound .
# apparmor_parser -R /etc/apparmor.d/usr.sbin.unboundWataƙila ya kamata a ƙara wannan zuwa littafin wasan kwaikwayo. Yana da manufa, ba shakka, don gyara bayanin martaba kuma a ba da haƙƙoƙin da suka dace, amma na kasance mai kasala.
unbound.conf
server:
chroot: ""
port: 53
interface: 0.0.0.0
root-hints: "/var/lib/unbound/named.root"
auto-trust-anchor-file: "/var/lib/unbound/root.key"
access-control: 192.168.0.0/16 allow
remote-control:
control-enable: yes
control-use-cert: no
dnstap:
dnstap-enable: yes
dnstap-socket-path: "/tmp/dnstap.sock"
dnstap-send-identity: no
dnstap-send-version: no
dnstap-log-client-response-messages: yesZazzagewa da sarrafa lissafin
Yana zazzage jeri, ya taƙaita zuwa prefix pfx. A kar_kara и kar_takaice za ka iya gaya wa IPs da cibiyoyin sadarwa su tsallake ko ba a taƙaice ba. ina bukata. subnet na VPS na yana cikin blocklist 🙂
Abin ban dariya shine RosKomSvoboda API yana toshe buƙatun tare da tsoho wakilin mai amfani da Python. Ga alama rubutun-kiddy ya samu. Saboda haka, mun canza shi zuwa Ognelis.
Ya zuwa yanzu, yana aiki ne kawai tare da IPv4. rabon IPv6 ƙananan ne, amma zai zama sauƙin gyarawa. Sai dai idan kuna amfani da tsuntsu6 shima.
rkn.py
#!/usr/bin/python3
import json, urllib.request, ipaddress as ipa
url = 'https://api.reserve-rbl.ru/api/v2/ips/json'
pfx = '24'
dont_summarize = {
# ipa.IPv4Network('1.1.1.0/24'),
}
dont_add = {
# ipa.IPv4Address('1.1.1.1'),
}
req = urllib.request.Request(
url,
data=None,
headers={
'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36'
}
)
f = urllib.request.urlopen(req)
ips = json.loads(f.read().decode('utf-8'))
prefix32 = ipa.IPv4Address('255.255.255.255')
r = {}
for i in ips:
ip = ipa.ip_network(i)
if not isinstance(ip, ipa.IPv4Network):
continue
addr = ip.network_address
if addr in dont_add:
continue
m = ip.netmask
if m != prefix32:
r[m] = [addr, 1]
continue
sn = ipa.IPv4Network(str(addr) + '/' + pfx, strict=False)
if sn in dont_summarize:
tgt = addr
else:
tgt = sn
if not sn in r:
r[tgt] = [addr, 1]
else:
r[tgt][1] += 1
o = []
for n, v in r.items():
if v[1] == 1:
o.append(str(v[0]) + '/32')
else:
o.append(n)
for k in o:
print(k)
Ina gudanar da shi a kan kambi sau ɗaya a rana, watakila yana da daraja a cire shi kowane 4 hours. wannan, a ganina, shine lokacin sabuntawa wanda RKN ke buƙata daga masu samarwa. Bugu da ƙari, suna da wasu babban toshewar gaggawa, wanda zai iya zuwa da sauri.
Yana yin haka:
- Yana gudanar da rubutun farko kuma yana sabunta jerin hanyoyin (
rkn_routes.list) don Tsuntsu - Sake saka Tsuntsu
- Sabuntawa da tsaftace jerin wuraren don dnstap-bgp
- Sake kunna dnstap-bgp
rkn_update.sh
#!/bin/bash
ROUTES="/etc/bird/rkn_routes.list"
DOMAINS="/var/cache/rkn_domains.txt"
# Get & summarize routes
/opt/rkn.py | sed 's/(.*)/route 1 via "ens3";/' > $ROUTES.new
if [ $? -ne 0 ]; then
rm -f $ROUTES.new
echo "Unable to download RKN routes"
exit 1
fi
if [ -e $ROUTES ]; then
mv $ROUTES $ROUTES.old
fi
mv $ROUTES.new $ROUTES
/bin/systemctl try-reload-or-restart bird
# Get domains
curl -s https://api.reserve-rbl.ru/api/v2/domains/json -o - | jq -r '.[]' | sed 's/^*.//' | sort | uniq > $DOMAINS.new
if [ $? -ne 0 ]; then
rm -f $DOMAINS.new
echo "Unable to download RKN domains"
exit 1
fi
if [ -e $DOMAINS ]; then
mv $DOMAINS $DOMAINS.old
fi
mv $DOMAINS.new $DOMAINS
/bin/systemctl try-reload-or-restart dnstap-bgpAn rubuta su ba tare da tunani sosai ba, don haka idan kun ga wani abu da za a iya ingantawa - ku tafi.
Saitin abokin ciniki
Anan zan ba da misalai ga masu amfani da hanyar sadarwa na Linux, amma a cikin yanayin Mikrotik / Cisco yakamata ya zama mafi sauƙi.
Da farko, mun kafa Tsuntsu:
tsuntsu.conf
router id 192.168.1.2;
table rkn;
protocol device {
scan time 10;
};
# Servers
protocol bgp bgp_server1 {
table rkn;
local as 65000;
neighbor 192.168.1.1 as 65000;
direct;
bfd on;
next hop self;
graceful restart;
graceful restart time 60;
rr client;
export none;
import all;
}
protocol kernel {
table rkn;
kernel table 222;
scan time 10;
export all;
import none;
}Don haka, za mu daidaita hanyoyin da aka karɓa daga BGP tare da lambar tebur mai lamba 222.
Bayan haka, ya isa a nemi kernel don duba wannan farantin kafin duba wanda ba a taɓa gani ba:
# ip rule add from all pref 256 lookup 222
# ip rule
0: from all lookup local
256: from all lookup 222
32766: from all lookup main
32767: from all lookup defaultKomai, ya rage don saita DHCP akan na'ura mai ba da hanya tsakanin hanyoyin sadarwa don rarraba adireshin IP na ramin uwar garken azaman DNS, kuma shirin yana shirye.
shortcomings
Tare da algorithm na yanzu don samarwa da sarrafa jerin yankuna, ya haɗa da, a tsakanin sauran abubuwa, youtube.com da CDNs.
Kuma wannan yana haifar da gaskiyar cewa duk bidiyon za su bi ta hanyar VPN, wanda zai iya toshe tashar gaba ɗaya. Wataƙila yana da daraja tattara jerin shahararrun yankuna-keɓancewa waɗanda ke toshe RKN na ɗan lokaci, guts suna bakin ciki. Kuma ku tsallake su lokacin yin nazari.
ƙarshe
Hanyar da aka bayyana tana ba ku damar ketare kusan duk wani toshewa da masu samarwa ke aiwatarwa a halin yanzu.
A bisa mahimmanci, dnstap-bgp za a iya amfani da shi don kowane dalili inda ake buƙatar wasu matakan sarrafa zirga-zirga dangane da sunan yankin. Kawai ku tuna cewa a zamaninmu, shafuka dubu na iya rataya akan adireshin IP iri ɗaya (a bayan wasu Cloudflare, alal misali), don haka wannan hanyar tana da ƙarancin daidaito.
Amma ga buƙatun ketare makullin, wannan ya isa sosai.
Ƙarin, gyarawa, buƙatun ja - maraba!
source: www.habr.com