Blocking traffic from certain countries looks like a simple task, but first impressions can be deceptive. Today we will explain how it can actually be done.
Background
Googling this topic gives an interesting result: most of the solutions have long since "rotted", and at times it seems as if the subject was shelved and forgotten for good. We waded through a lot of outdated material and are ready to share an up-to-date version of the instructions.
We recommend reading the whole article before running any of these commands.
Preparing the operating system
Filtering will be set up with iptables, which needs an extension in order to work with GeoIP data. That extension is part of xtables-addons.
At the time of writing, the current version of xtables-addons is 3.9. However, the standard Ubuntu 20.04 LTS repositories only carry 3.8, and the Ubuntu 18.04 repositories carry 3.0. You can install the extension from the package manager with the following command:
apt install xtables-addons-common libtext-csv-xs-perl
Note that there are small but important differences between version 3.9 and the versions currently shipped in the repositories, which we will discuss later. To build from source, install all the required packages:
apt install git build-essential autoconf make libtool iptables-dev libxtables-dev pkg-config libnet-cidr-lite-perl libtext-csv-xs-perl
Clone the repository:
git clone https://git.code.sf.net/p/xtables-addons/xtables-addons xtables-addons-xtables-addons
cd xtables-addons-xtables-addons
xtables-addons contains many extensions, but we only need xt_geoip. If you do not want to pull unnecessary modules into the system, you can exclude them from the build. To do this, edit the mconfig file: mark every extension you want with y and every extension you do not need with n. Then build:
./autogen.sh
./configure
make
And install it with root privileges:
make install
While the kernel modules are being installed, an error like the following may occur:
INSTALL /root/xtables-addons-xtables-addons/extensions/xt_geoip.ko
At main.c:160:
- SSL error:02001002:system library:fopen:No such file or directory: ../crypto/bio/bss_file.c:72
- SSL error:2006D080:BIO routines:BIO_new_file:no such file: ../crypto/bio/bss_file.c:79
sign-file: certs/signing_key.pem: No such file or directory
This happens because the kernel module cannot be signed: there is no signing key to sign it with. You can fix it with two commands:
cd /lib/modules/$(uname -r)/build/certs
cat <<EOF > x509.genkey
[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
x509_extensions = myexts
[ req_distinguished_name ]
CN = Modules
[ myexts ]
basicConstraints=critical,CA:FALSE
keyUsage=digitalSignature
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
EOF
openssl req -new -nodes -utf8 -sha512 -days 36500 -batch -x509 -config x509.genkey -outform DER -out signing_key.x509 -keyout signing_key.pem
The kernel module is installed, but the system has not picked it up yet. Let's ask the system to rebuild the module dependency map, taking the new module into account, and then load it:
depmod -a
modprobe xt_geoip
Let's make sure xt_geoip is loaded into the kernel:
# lsmod | grep xt_geoip
xt_geoip 16384 0
x_tables 40960 2 xt_geoip,ip_tables
Also make sure the extension is registered with iptables:
# cat /proc/net/ip_tables_matches
geoip
icmp
Everything is in order, and all that remains is to add the module name to /etc/modules so that it is loaded again after an OS reboot. From now on iptables understands the geoip options, but it has no data to work with. Let's start by loading the geoip database.
Obtaining the GeoIP database
Create a directory in which the data will be stored in a format the iptables extension understands:
mkdir /usr/share/xt_geoip
At the beginning of the article we mentioned that there are differences between the version built from source and the version from the package manager. The most notable difference is a change of data vendor and of the xt_geoip_dl script, which downloads fresh data.
Package-manager version
The script is located in /usr/lib/xtables-addons, but when you try to run it you get an uninformative error:
# ./xt_geoip_dl
unzip: cannot find or open GeoLite2-Country-CSV.zip, GeoLite2-Country-CSV.zip.zip or GeoLite2-Country-CSV.zip.ZIP.
Previously, the GeoLite product, now known as GeoLite Legacy and distributed under license, was used as the database.
First, in January 2018
Second, since December 2019 MaxMind
Since we want to use their products, we register on this page.
You will then receive an email asking you to set a password. Now that the account exists, we need to create a license key. In your account, find the My License Keys item and click the Generate new license key button.
When creating the key we are asked just one question: will this key be used with the GeoIP Update program? We answer No and click the confirm button. The key is shown in a pop-up window. Save it somewhere safe: once you close the pop-up you will no longer be able to view the whole key.
We could download the GeoLite2 databases by hand, but their format does not match what the xt_geoip_build script expects. This is where the GeoLite2xtables scripts come to the rescue. To run them, install the NetAddr::IP perl module:
wget https://cpan.metacpan.org/authors/id/M/MI/MIKER/NetAddr-IP-4.079.tar.gz
tar xvf NetAddr-IP-4.079.tar.gz
cd NetAddr-IP-4.079
perl Makefile.PL
make
make install
Next, clone the repository with the scripts and write the license key obtained earlier to a file:
git clone https://github.com/mschmitt/GeoLite2xtables.git
cd GeoLite2xtables
echo YOUR_LICENSE_KEY='123ertyui123' > geolite2.license
Let's run the scripts:
# Download the GeoLite2 data
./00_download_geolite2
# Download the country information (to map country codes)
./10_download_countryinfo
# Convert the GeoLite2 database to the GeoLite Legacy format
cat /tmp/GeoLite2-Country-Blocks-IPv{4,6}.csv |
./20_convert_geolite2 /tmp/CountryInfo.txt > /usr/share/xt_geoip/dbip-country-lite.csv
MaxMind limits downloads to 2000 per day and, if you have a large number of servers, suggests caching the updates on a proxy server.
Note that the output file must be named dbip-country-lite.csv. Unfortunately, 20_convert_geolite2 does not produce a file in the layout that is needed. The xt_geoip_build script expects three columns:
- start of the address range;
- end of the address range;
- country code in ISO 3166 alpha-2 form.
The output file, however, contains six columns:
- start of the address range (string representation);
- end of the address range (string representation);
- start of the address range (numeric representation);
- end of the address range (numeric representation);
- country code;
- country name.
This difference matters, and it can be resolved in two ways:
- fix 20_convert_geolite2;
- fix xt_geoip_build.
In the first case we reduce
/usr/lib/xtables-addons/xt_geoip_build -S /usr/share/xt_geoip/ -D /usr/share/xt_geoip
. . .
2239 IPv4 ranges for ZA
348 IPv6 ranges for ZA
56 IPv4 ranges for ZM
12 IPv6 ranges for ZM
56 IPv4 ranges for ZW
15 IPv6 ranges for ZW
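An added example for the first approach (not code from the article or from GeoLite2xtables): instead of editing 20_convert_geolite2, filter its six-column output down to the three columns xt_geoip_build expects, and refuse lines that do not have six fields so that a truncated download cannot silently produce a short database. The sample input is constructed, not real MaxMind data.

```shell
#!/bin/sh
# Reduce the six-column GeoLite Legacy CSV written by 20_convert_geolite2 to
# the three-column start,end,country layout that xt_geoip_build 3.8 expects.
# Reads the six-column CSV on stdin and writes the three-column CSV on stdout.
# Lines without exactly six quoted fields are reported on stderr and dropped.
to_three_columns() {
  awk -F'","' '
    NF != 6 { printf "skipping malformed line %d: %s\n", NR, $0 > "/dev/stderr"; next }
    {
      sub(/^"/, "", $1)        # strip the opening quote of the first field
      sub(/"$/, "", $6)        # strip the closing quote of the last field
      printf "\"%s\",\"%s\",\"%s\"\n", $1, $2, $5
    }'
}

# Report the largest number of columns seen in a CSV, to confirm that the
# result really is the three-column file xt_geoip_build wants.
max_columns() {
  awk -F'","' '{ if (NF > m) m = NF } END { print m + 0 }'
}

# Constructed sample in the six-column layout (IPv4, IPv6 and one broken line).
SAMPLE_SIX_COL='"1.0.0.0","1.0.0.255","16777216","16777471","AU","Australia"
"1.0.1.0","1.0.3.255","16777472","16778239","CN","China"
"2001:db8::","2001:db8:ffff:ffff:ffff:ffff:ffff:ffff","0","0","US","United States"
this,line,is,broken'

# Usage as in the article, with the filter inserted before the build step:
#   cat /tmp/GeoLite2-Country-Blocks-IPv{4,6}.csv \
#     | ./20_convert_geolite2 /tmp/CountryInfo.txt \
#     | to_three_columns > /usr/share/xt_geoip/dbip-country-lite.csv
```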
Note that the author
Source version
When installed from source, the xt_geoip_* scripts live in /usr/local/libexec/xtables-addons. This version of the scripts uses the DB-IP database:
cd /usr/share/xt_geoip/
/usr/local/libexec/xtables-addons/xt_geoip_dl
/usr/local/libexec/xtables-addons/xt_geoip_build
After these steps iptables is ready to use.
Using geoip in iptables
The xt_geoip module adds just two options:
geoip match options:
[!] --src-cc, --source-country country[,country...]
Match packet coming from (one of) the specified country(ies)
[!] --dst-cc, --destination-country country[,country...]
Match packet going to (one of) the specified country(ies)
NOTE: The country is inputed by its ISO3166 code.
The way rules are written for iptables is, in general, unchanged. To use options from an additional module, you must name the module explicitly with the -m option. For example, a rule that drops incoming TCP connections to port 443 that do not originate from the US, on every interface except loopback:
iptables -I INPUT ! -i lo -p tcp --dport 443 -m geoip ! --src-cc US -j DROP
The files produced by xt_geoip_build are read only when a rule is created; they are not consulted during filtering. So, to update the geoip data correctly, you must first refresh the iv* files and then re-create every rule in iptables that uses geoip.
Conclusion
Filtering packets by country is a technique that time has somewhat forgotten. Still, the software for this kind of filtering is actively developed, and perhaps a new version of xt_geoip with the new geoip data vendor will soon land in the package managers, which would make system administrators' lives a good deal easier.
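An added example (not from the article) of the second half of that procedure: it reads iptables-save output and prints, for every rule that uses -m geoip, an iptables -R command that replaces the rule in place. Replacing keeps the rule's position in its chain, and because -R parses the rule specification again, the xt_geoip userspace extension re-reads the freshly built files. The iptables-save sample is constructed, and it assumes iptables-save prints the match with its long option names.

```shell
#!/bin/sh
# Turn iptables-save output into the "iptables -R" commands that re-create
# every geoip rule in place after the /usr/share/xt_geoip files were rebuilt.
# Reads iptables-save output on stdin and writes the commands on stdout.
geoip_reload_commands() {
  awk '
    /^\*/ { table = substr($0, 2); next }          # "*filter" -> table name
    /^-A / {
      chain = $2
      n[table, chain]++                            # rule position in this chain
      if ($0 ~ / -m geoip /) {
        spec = $0
        sub(/^-A [^ ]+ /, "", spec)                # keep only the rule spec
        printf "iptables -t %s -R %s %d %s\n", table, chain, n[table, chain], spec
      }
    }'
}

# Constructed iptables-save output (not captured from a real host).
SAMPLE_IPTABLES_SAVE='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -p tcp -m tcp --dport 443 -m geoip ! --source-country US -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'

# The full refresh the article describes: rebuild the iv* files first, then
# re-create the geoip rules. Shown for reference; run it as root on a real host.
refresh_geoip_rules() {
  /usr/lib/xtables-addons/xt_geoip_build -S /usr/share/xt_geoip/ -D /usr/share/xt_geoip \
    && iptables-save | geoip_reload_commands | sh -e
}
```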
Source: www.habr.com