xtables-addons: filtering packets by country

The task of blocking traffic from certain countries sounds simple, but first impressions can be deceiving. Today we will show how it can actually be done.

Background

The Google results on this topic are curious: most solutions have long since "rotted", and at times it seems the subject was shelved and forgotten for good. We waded through a lot of old notes and are ready to share an up-to-date version of the instructions.

We recommend reading the whole article before running any of these commands.

Preparing the operating system

Filtering will be configured with iptables, which needs an extension to work with GeoIP data. That extension is available in xtables-addons. xtables-addons installs its iptables extensions as standalone kernel modules, so there is no need to rebuild the OS kernel.

At the time of writing, the current version of xtables-addons is 3.9. However, the standard Ubuntu 20.04 LTS repository only carries 3.8, and the Ubuntu 18.04 repository carries 3.0. You can install the extension from the package manager with the following command:

apt install xtables-addons-common libtext-csv-xs-perl

Note that there are small but important differences between version 3.9 and the currently packaged one, which we will discuss later. To build from source, install all the required packages:

apt install git build-essential autoconf make libtool iptables-dev libxtables-dev pkg-config libnet-cidr-lite-perl libtext-csv-xs-perl

Clone the repository:

git clone https://git.code.sf.net/p/xtables-addons/xtables-addons xtables-addons-xtables-addons

cd xtables-addons-xtables-addons

xtables-addons contains many extensions, but we are only interested in xt_geoip. If you do not want to pull unnecessary modules into the system, you can exclude them from the build. To do so, edit the mconfig file: set y for every extension you want and n for every one you do not. Build:

./autogen.sh

./configure

make

And install with superuser rights:

make install

While the kernel modules are being installed, an error like the following may occur:

INSTALL /root/xtables-addons-xtables-addons/extensions/xt_geoip.ko
At main.c:160:
- SSL error:02001002:system library:fopen:No such file or directory: ../crypto/bio/bss_file.c:72
- SSL error:2006D080:BIO routines:BIO_new_file:no such file: ../crypto/bio/bss_file.c:79
sign-file: certs/signing_key.pem: No such file or directory

This happens because the kernel module cannot be signed: there is no key to sign it with. You can fix the problem with two commands:

cd /lib/modules/$(uname -r)/build/certs

cat <<EOF > x509.genkey

[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
x509_extensions = myexts

[ req_distinguished_name ]
CN = Modules

[ myexts ]
basicConstraints=critical,CA:FALSE
keyUsage=digitalSignature
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
EOF

openssl req -new -nodes -utf8 -sha512 -days 36500 -batch -x509 -config x509.genkey -outform DER -out signing_key.x509 -keyout signing_key.pem

The kernel module is installed, but the system has not picked it up yet. Ask the system to rebuild the dependency map taking the new module into account, then load it:

depmod -a

modprobe xt_geoip

Let's make sure xt_geoip is present in the system:

# lsmod | grep xt_geoip
xt_geoip               16384  0
x_tables               40960  2 xt_geoip,ip_tables

Additionally, make sure the extension is registered with iptables:

# cat /proc/net/ip_tables_matches 
geoip
icmp

Everything is in place; all that remains is to add the module name to /etc/modules so that it is loaded again after an OS reboot. From now on iptables understands the geoip options, but it has no data to work with. Let's move on to loading the geoip database.

Obtaining the GeoIP database

Create the directory where the data in the form understood by the iptables extension will be stored:

mkdir /usr/share/xt_geoip

At the beginning of the article we mentioned that there are differences between the version built from source and the version from the package manager. The most significant one is the change of data provider and of the xt_geoip_dl script, which downloads the latest data.

Package manager version

The script lives in /usr/lib/xtables-addons, but when you try to run it you get an uninformative error:

# ./xt_geoip_dl 
unzip:  cannot find or open GeoLite2-Country-CSV.zip, GeoLite2-Country-CSV.zip.zip or GeoLite2-Country-CSV.zip.ZIP.

Previously, the database used was the GeoLite product, now known as GeoLite Legacy, which MaxMind distributed under the Creative Commons Attribution-ShareAlike 4.0 license. Two things happened to this product at about the same time that "broke" compatibility with the iptables extension.

First, in January 2018 the end of support for the product was announced, and on January 2, 2019 every way of downloading the old version of the database was removed from the official website. New users are advised to use the GeoLite2 product or the paid GeoIP2 version.

Second, since December 2019 MaxMind has announced a significant change in how its databases are accessed. To comply with the California Consumer Privacy Act, MaxMind decided to put GeoLite2 distribution behind registration.

Since we want to use their products, we register on that page.

You will then receive an email asking you to set a password. Now that the account exists, we need to create a license key. In your personal account, find the item My License Keys and click the Generate new license key button.

When creating the key we are asked only one question: will this key be used with the GeoIP Update program? We answer No and click the confirm button. The key is shown in a pop-up window. Save it somewhere safe, because once you close the pop-up you will no longer be able to see the whole key.

We can download the GeoLite2 data by hand, but its format does not match what the xt_geoip_build script expects. This is where the GeoLite2xtables scripts come to the rescue. To run them, install the NetAddr::IP perl module:

wget https://cpan.metacpan.org/authors/id/M/MI/MIKER/NetAddr-IP-4.079.tar.gz

tar xvf NetAddr-IP-4.079.tar.gz

cd NetAddr-IP-4.079

perl Makefile.PL

make

make install

After that, clone the repository with the scripts and write the license key obtained earlier to a file:

git clone https://github.com/mschmitt/GeoLite2xtables.git

cd GeoLite2xtables

echo YOUR_LICENSE_KEY='123ertyui123' > geolite2.license

Let's run the scripts:

# Download the GeoLite2 data
./00_download_geolite2
# Download the country information (to map codes to countries)
./10_download_countryinfo
# Convert the GeoLite2 database to the GeoLite Legacy format
cat /tmp/GeoLite2-Country-Blocks-IPv{4,6}.csv |
./20_convert_geolite2 /tmp/CountryInfo.txt > /usr/share/xt_geoip/dbip-country-lite.csv

MaxMind imposes a limit of 2000 downloads per day and, for installations with many servers, suggests caching the updates on a proxy server.

Note that the output file must be named dbip-country-lite.csv. Unfortunately, 20_convert_geolite2 does not produce a fully suitable file. The xt_geoip_build script expects three columns:

  • start of the address range;
  • end of the address range;
  • country code in ISO-3166 alpha-2.

But the output file contains six columns:

  • start of the address range (string representation);
  • end of the address range (string representation);
  • start of the address range (numeric representation);
  • end of the address range (numeric representation);
  • country code;
  • country name.

This difference matters, and it can be fixed in one of two ways:

  1. patch 20_convert_geolite2;
  2. patch xt_geoip_build.

In the first case we cut the output down to the required format; in the second we change the assignment of the $cc variable to $row->[4]. After that you can build:

/usr/lib/xtables-addons/xt_geoip_build -S /usr/share/xt_geoip/ -D /usr/share/xt_geoip

. . .
 2239 IPv4 ranges for ZA
  348 IPv6 ranges for ZA
   56 IPv4 ranges for ZM
   12 IPv6 ranges for ZM
   56 IPv4 ranges for ZW
   15 IPv6 ranges for ZW
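The first of the two fixes above, reducing the six-column output to the three columns xt_geoip_build reads, as an added example that is not part of the article or of the GeoLite2xtables project; the sample rows are constructed, and the check that the integer columns agree with the textual addresses goes beyond what the scripts themselves do:

```python
import csv
import io
import ipaddress

# Constructed sample of 20_convert_geolite2 output in the six-column GeoLite Legacy
# layout: start, end, start as integer, end as integer, ISO-3166 alpha-2 code, name.
LEGACY_SAMPLE = """\
"1.0.0.0","1.0.0.255","16777216","16777471","AU","Australia"
"1.0.1.0","1.0.3.255","16777472","16778239","CN","China"
"2001:200::","2001:200:ffff:ffff:ffff:ffff:ffff:ffff","42540528726795050063891204319802818560","42540528806023212578155541913346768895","JP","Japan"
"""


def is_consistent_row(row):
    """True when the integer columns agree with the textual addresses, the range is
    ordered and the code looks like alpha-2, i.e. the row can be reduced safely."""
    start, end, start_num, end_num, cc, _name = row
    first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
    return (first.version == last.version and first <= last
            and int(first) == int(start_num) and int(last) == int(end_num)
            and len(cc) == 2 and cc.isalpha())


def legacy_to_dbip(legacy_csv):
    """Reduce six-column Legacy rows to the three columns xt_geoip_build expects
    (start, end, country code), rejecting malformed rows instead of passing them on."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    for row in csv.reader(io.StringIO(legacy_csv)):
        if not row:
            continue  # tolerate blank lines
        if len(row) != 6 or not is_consistent_row(row):
            raise ValueError(f"malformed row: {row}")
        writer.writerow([row[0], row[1], row[4].upper()])
    return out.getvalue()


if __name__ == "__main__":
    # Real use: feed the converter's output file in and write dbip-country-lite.csv.
    print(legacy_to_dbip(LEGACY_SAMPLE), end="")
```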

Note that the author of GeoLite2xtables does not consider these scripts production-ready and suggests following the development of the original xt_geoip_* scripts instead. So let's move on to building from source, where these scripts have already been updated.

Source version

When installed from source, the xt_geoip_* scripts are located in the directory /usr/local/libexec/xtables-addons. This version of the scripts uses the IP to Country Lite database. Its license is Creative Commons Attribution, and the available data has exactly the three required columns. Download and build the database:

cd /usr/share/xt_geoip/

/usr/local/libexec/xtables-addons/xt_geoip_dl

/usr/local/libexec/xtables-addons/xt_geoip_build

After these steps, iptables is ready to go.

Using geoip in iptables

The xt_geoip module adds only two options:

geoip match options:
[!] --src-cc, --source-country country[,country...]
	Match packet coming from (one of) the specified country(ies)
[!] --dst-cc, --destination-country country[,country...]
	Match packet going to (one of) the specified country(ies)

NOTE: The country is inputed by its ISO3166 code.

The way rules are written for iptables is generally unchanged. To use options from an additional module, you must name the module explicitly with the -m option. For example, a rule that blocks incoming TCP connections to port 443 not originating from the USA, on all interfaces other than loopback:

iptables -I INPUT ! -i lo -p tcp --dport 443 -m geoip ! --src-cc US -j DROP

The files created by xt_geoip_build are read only when a rule is created; they are not consulted during filtering. Therefore, to update the geoip data correctly, you must first update the iv* files and then recreate every iptables rule that uses geoip.
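An added example (not from the article) of the rule refresh the paragraph above calls for, built around the iptables -C (check), -D (delete) and -I (insert) options; FakeIptables is a constructed in-memory stand-in so the logic can be exercised without root or the real binary:

```python
import subprocess
from typing import Sequence


def geoip_drop_rule(port: int, countries: Sequence[str]) -> list:
    """Rule body from the article: drop TCP to `port` unless the source is in `countries`."""
    return ["!", "-i", "lo", "-p", "tcp", "--dport", str(port),
            "-m", "geoip", "!", "--src-cc", ",".join(c.upper() for c in countries),
            "-j", "DROP"]


def refresh_rule(rule, chain="INPUT", run=subprocess.run):
    """Delete every existing copy of `rule` in `chain`, then insert one fresh copy so the
    kernel re-reads the rebuilt iv* files. Returns the number of stale copies removed.
    `run` is injectable (default: subprocess.run) so the logic can be tested offline."""
    removed = 0
    while run(["iptables", "-C", chain, *rule], stderr=subprocess.DEVNULL).returncode == 0:
        run(["iptables", "-D", chain, *rule], check=True)
        removed += 1
    run(["iptables", "-I", chain, *rule], check=True)
    return removed


class FakeIptables:
    """Constructed stand-in for the iptables binary; supports -C, -D and -I only."""

    def __init__(self, chains=None):
        self.chains = chains if chains is not None else {"INPUT": []}

    def __call__(self, argv, check=False, **_):
        op, chain, rule = argv[1], argv[2], argv[3:]
        rules = self.chains.setdefault(chain, [])
        if op == "-C":
            code = 0 if rule in rules else 1
        elif op == "-D" and rule in rules:
            rules.remove(rule)
            code = 0
        elif op == "-I":
            rules.insert(0, rule)
            code = 0
        else:
            code = 1
        if check and code:
            raise subprocess.CalledProcessError(code, argv)
        return subprocess.CompletedProcess(argv, code)


if __name__ == "__main__":
    # Offline demonstration: two stale copies of the rule collapse into one fresh copy.
    fake = FakeIptables({"INPUT": [geoip_drop_rule(443, ["US"]), geoip_drop_rule(443, ["US"])]})
    print("removed", refresh_rule(geoip_drop_rule(443, ["US"]), run=fake))
```

On a real host, call refresh_rule with the default runner as root after xt_geoip_build has finished, once per geoip rule.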

Conclusion

Filtering packets by country is a technique that time has somewhat forgotten. Nevertheless, the software for this kind of filtering is still being developed, and perhaps a new version of xt_geoip with the new geoip data provider will soon appear in the package managers, which would make system administrators' lives much easier.



source: www.habr.com
