ProHoster > Pūnaewele > Nā Administration > xtables-addons: kānana pūʻolo ma ka ʻāina

xtables-addons: kānana pūʻolo ma ka ʻāina

xtables-addons: kānana pūʻolo ma ka ʻāina
He mea maʻalahi ka hana o ka pale ʻana i nā kaʻa mai kekahi mau ʻāina, akā hiki ke hoʻopunipuni nā manaʻo mua. I kēia lā e haʻi mākou iā ʻoe pehea e hoʻokō ai i kēia.

prehistory

ʻO nā hopena o kahi hulina Google e pili ana i kēia kumuhana he mea hōʻeha: ʻo ka hapa nui o nā hoʻonā ua lōʻihi ka "popopo" a i kekahi manawa me he mea lā ua hoʻopaʻa ʻia kēia kumuhana a poina mau loa. Ua hui mākou i nā moʻolelo kahiko he nui a ua mākaukau mākou e kaʻana like i kahi mana hou o nā kuhikuhi.

Manaʻo mākou e heluhelu ʻoe i ka ʻatikala holoʻokoʻa ma mua o ka hoʻokō ʻana i kēia mau kauoha.

Hoʻomākaukau i ka ʻōnaehana hana

E hoʻonohonoho ʻia ke kānana me ka hoʻohana ʻana i ka pono ipoku, e koi ana i ka hoʻonui e hana me ka ʻikepili GeoIP. Hiki ke loaʻa kēia hoʻonui ma xtables-hoʻohui. Hoʻokomo ʻo xtables-addons i nā hoʻonui no nā iptables e like me nā modula kernel kūʻokoʻa, no laila ʻaʻohe pono e hoʻohui hou i ka kernel OS.

I ka manawa kākau, ʻo ka mana o kēia manawa o xtables-addons he 3.9. Eia naʻe, hiki ke loaʻa iā 20.04 wale nō i nā waihona waihona Ubuntu 3.8 LTS, a me 18.04 i nā waihona waihona Ubuntu 3.0. Hiki iā ʻoe ke hoʻouka i ka hoʻonui ʻia mai ka luna pūʻulu me kēia kauoha:

apt install xtables-addons-common libtext-csv-xs-perl

E hoʻomaopopo he ʻokoʻa liʻiliʻi akā koʻikoʻi ma waena o ka mana 3.9 a me ke kūlana o kēia manawa o ka papahana, a mākou e kūkākūkā ai ma hope. No ke kūkulu ʻana mai ka code kumu, e hoʻokomo i nā pūʻolo pono a pau:

apt install git build-essential autoconf make libtool iptables-dev libxtables-dev pkg-config libnet-cidr-lite-perl libtext-csv-xs-perl

Hoʻopili i ka waihona:

git clone https://git.code.sf.net/p/xtables-addons/xtables-addons xtables-addons-xtables-addons


cd xtables-addons-xtables-addons

Loaʻa i nā xtables-addons nā mea hoʻonui, akā makemake wale mākou xt_geoip. Inā ʻaʻole ʻoe makemake e kauo i nā hoʻonui pono ʻole i loko o ka ʻōnaehana, hiki iā ʻoe ke haʻalele iā lākou mai ka kūkulu ʻana. No ka hana ʻana i kēia, pono ʻoe e hoʻoponopono i ka faila mconfig. No nā modula makemake a pau, e hoʻouka y, a e kaha i na mea pono ole n. ʻOhi mākou:

./autogen.sh

./configure

make

A e hoʻouka me nā kuleana superuser:

make install

I ka wā o ka hoʻokomo ʻana i nā modula kernel, hiki mai kekahi hewa e like me kēia:

INSTALL /root/xtables-addons-xtables-addons/extensions/xt_geoip.ko
At main.c:160:
- SSL error:02001002:system library:fopen:No such file or directory: ../crypto/bio/bss_file.c:72
- SSL error:2006D080:BIO routines:BIO_new_file:no such file: ../crypto/bio/bss_file.c:79
sign-file: certs/signing_key.pem: No such file or directory

Ke kū nei kēia kūlana ma muli o ka hiki ʻole ke kau inoa i nā modula kernel, no ka mea ʻaʻohe mea e hōʻailona. Hiki iā ʻoe ke hoʻoponopono i kēia pilikia me nā kauoha ʻelua:

cd /lib/modules/(uname -r)/build/certs

cat <<EOF > x509.genkey

[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
x509_extensions = myexts

[ req_distinguished_name ]
CN = Modules

[ myexts ]
basicConstraints=critical,CA:FALSE
keyUsage=digitalSignature
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
EOF

openssl req -new -nodes -utf8 -sha512 -days 36500 -batch -x509 -config x509.genkey -outform DER -out signing_key.x509 -keyout signing_key.pem

Hoʻokomo ʻia ka module kernel i hui ʻia, akā ʻaʻole ʻike ka ʻōnaehana. E noi i ka ʻōnaehana e hana i kahi palapala hilinaʻi e noʻonoʻo ana i ka module hou, a laila hoʻouka iā ia:

depmod -a

modprobe xt_geoip

E hōʻoia e hoʻouka ʻia ʻo xt_geoip i ka ʻōnaehana:

# lsmod | grep xt_geoip
xt_geoip               16384  0
x_tables               40960  2 xt_geoip,ip_tables

Eia hou, e hōʻoia e hoʻouka ʻia ka hoʻonui i nā iptables:

# cat /proc/net/ip_tables_matches 
geoip
icmp

Hauʻoli mākou i nā mea āpau a ʻo nā mea i koe e hoʻohui i ka inoa module i / a pela aku / modulesno laila e hana ka module ma hope o ka hoʻomaka hou ʻana i ka OS. Mai kēia manawa, hoʻomaopopo nā iptables i nā kauoha geoip, akā ʻaʻole lawa ka ʻikepili e hana ai. E hoʻomaka kākou e hoʻouka i ka waihona geoip.

Loaʻa i ka GeoIP Database

Hoʻokumu mākou i kahi papa kuhikuhi kahi e mālama ʻia ai ka ʻike i hiki ke hoʻomaopopo ʻia i ka extension iptables:

mkdir /usr/share/xt_geoip

I ka hoʻomaka ʻana o ka ʻatikala, ua ʻōlelo mākou aia nā ʻokoʻa ma waena o ka mana mai ke kumu kumu a me ka mana mai ka luna pūʻulu. ʻO ka ʻokoʻa i ʻike ʻia ʻo ia ka hoʻololi ʻana i ka mea kūʻai waihona waihona a me ka palapala xt_geoip_dl, ka mea e hoʻoiho i ka ʻikepili hou loa.

Mana mana pūʻolo

Aia ka palapala ma ke ala /usr/lib/xtables-addons, akā ke hoʻāʻo ʻoe e holo, e ʻike ʻoe i kahi hewa ʻike ʻole:

# ./xt_geoip_dl 
unzip:  cannot find or open GeoLite2-Country-CSV.zip, GeoLite2-Country-CSV.zip.zip or GeoLite2-Country-CSV.zip.ZIP.

Ma mua, ua hoʻohana ʻia ka huahana GeoLite, i kapa ʻia ʻo GeoLite Legacy, i hāʻawi ʻia ma lalo o ka laikini, ma ke ʻano he waihona. Creative Commons ASA 4.0 hui MaxMind. ʻElua mau hanana i loaʻa me kēia huahana i ka manawa hoʻokahi i "haʻihaʻi" i ka hoʻohālikelike me ka hoʻonui iptables.

ʻO ka mea mua, ma Ianuali 2018 kūkala ʻia e pili ana i ka pau ʻana o ke kākoʻo no ka huahana, a ma Ianuali 2019, 2, ua wehe ʻia nā loulou āpau i ka hoʻoiho ʻana i ka mana kahiko o ka waihona mai ka pūnaewele mana. Manaʻo ʻia nā mea hoʻohana hou e hoʻohana i ka huahana GeoLite2 a i ʻole kāna mana uku GeoIPXNUMX.

ʻO ka lua, mai Dekemaba 2019 MaxMind wahi e pili ana i kahi hoʻololi koʻikoʻi o ke komo ʻana i kā lākou waihona. No ka hoʻokō ʻana i ke Kānāwai Kūʻai Kūʻai ʻo Kaleponi, ua hoʻoholo ʻo MaxMind e "uhi" i ka hāʻawi ʻana o GeoLite2 me ka hoʻopaʻa inoa.

No ka mea makemake mākou e hoʻohana i kā lākou huahana, e kākau inoa mākou ma kēia ʻaoʻao.

xtables-addons: kānana pūʻolo ma ka ʻāina
E loaʻa iā ʻoe kahi leka uila e noi ana iā ʻoe e hoʻonohonoho i kahi ʻōlelo huna. I kēia manawa ua hana mākou i kahi moʻokāki, pono mākou e hana i kahi kī laikini. Ma kāu moʻokāki pilikino ʻike mākou i ka mea Ka'u Ki Laikini, a laila kaomi i ke pihi E hana hou i ka Laikini Ki.

I ka hana ʻana i kī, e nīnau ʻia iā mākou hoʻokahi wale nō nīnau: e hoʻohana anei mākou i kēia kī i ka papahana GeoIP Update? Pane maikaʻi ʻole mākou a kaomi i ke pihi Eʻae. E hōʻike ʻia ke kī ma kahi pukaaniani pop-up. E mālama i kēia kī ma kahi palekana, ʻoiai ke pani ʻoe i ka pukaaniani pop-up, ʻaʻole hiki iā ʻoe ke ʻike hou i ke kī holoʻokoʻa.

xtables-addons: kānana pūʻolo ma ka ʻāina
Loaʻa iā mākou ka hiki ke hoʻoiho i nā waihona ʻikepili GeoLite2 me ka lima, akā ʻaʻole kūpono ko lākou ʻano me ke ʻano i manaʻo ʻia e ka palapala xt_geoip_build. ʻO kēia kahi e hele mai ai nā palapala GeoLite2xtables e hoʻopakele. No ka holo ʻana i nā palapala, e hoʻokomo i ka NetAddr::IP perl module:

wget https://cpan.metacpan.org/authors/id/M/MI/MIKER/NetAddr-IP-4.079.tar.gz

tar xvf NetAddr-IP-4.079.tar.gz

cd NetAddr-IP-4.079

perl Makefile.PL

make

make install

A laila, hoʻopili mākou i ka waihona me nā palapala a kākau i ke kī laikini i loaʻa mua i kahi faila:

git clone https://github.com/mschmitt/GeoLite2xtables.git

cd GeoLite2xtables

echo YOUR_LICENSE_KEY=’123ertyui123' > geolite2.license

E holo kāua i nā palapala:

# Скачиваем данные GeoLite2
./00_download_geolite2
# Скачиваем информацию о странах (для соответствия коду)
./10_download_countryinfo
# Конвертируем GeoLite2 базу в формат GeoLite Legacy 
cat /tmp/GeoLite2-Country-Blocks-IPv{4,6}.csv |
./20_convert_geolite2 /tmp/CountryInfo.txt > /usr/share/xt_geoip/dbip-country-lite.csv

Hāʻawi ʻo MaxMind i kahi palena o 2000 downloads i kēlā me kēia lā a, me ka nui o nā kikowaena, hāʻawi e hūnā i ka mea hou ma kahi kikowaena proxy.

E ʻoluʻolu e kāhea ʻia ka faila hoʻopuka dbip-country-lite.csv... Minamina, 20_convert_geolite2 ʻaʻole i hoʻopuka i kahi faila kūpono. Palapala xt_geoip_build manaʻo ʻia ʻekolu kolamu:

  • hoʻomaka o ka laulā helu wahi;
  • hope o ka helu wahi;
  • code ʻāina ma iso-3166-alpha2.

A he ʻeono kolamu i loko o ka waihona puka:

  • ka hoʻomaka ʻana o ka pae helu wahi (hōʻike string);
  • ka pau ʻana o ka helu helu wahi (hōʻike string);
  • ka hoʻomaka ʻana o ka laulā helu (helu helu);
  • hope o ka helu wahi helu (helu helu);
  • code o ka ʻāina;
  • ka inoa o ka aina.

He mea koʻikoʻi kēia ʻokoʻa a hiki ke hoʻoponopono ʻia ma kekahi o nā ala ʻelua:

  1. noho aliʻi 20_convert_geolite2;
  2. noho aliʻi xt_geoip_build.

Ma ka hihia mua mākou e ho'ēmi paʻi i ke ʻano i koi ʻia, a ma ka lua - hoʻololi mākou i ka hana i ka mea hoʻololi $cc maluna o $laina->[4]. Ma hope o kēia hiki iā ʻoe ke kūkulu:

/usr/lib/xtables-addons/xt_geoip_build -S /usr/share/xt_geoip/ -D /usr/share/xt_geoip

. . .
 2239 IPv4 ranges for ZA
  348 IPv6 ranges for ZA
   56 IPv4 ranges for ZM
   12 IPv6 ranges for ZM
   56 IPv4 ranges for ZW
   15 IPv6 ranges for ZW

E hoʻomaopopo i ka mea kākau GeoLite2xtables ʻAʻole manaʻo ʻia kāna mau palapala i mākaukau no ka hana ʻana a me nā hāʻawi alahele no ka hoʻomohala ʻana i nā palapala xt_geoip_* kumu. No laila, e neʻe kākou i ka hui mai nā code kumu, kahi i hoʻonui ʻia ai kēia mau palapala.

Puna kumu

I ka hoʻouka ʻana mai nā palapala code source xt_geoip_* aia i loko o ka waihona /usr/local/libexec/xtables-addons. Hoʻohana kēia mana o ka palapala i kahi waihona IP i ka Country Lite. ʻO ka laikini ʻo Creative Commons Attribution License, a mai ka ʻikepili i loaʻa aia nā kolamu pono ʻekolu. Hoʻoiho a hōʻuluʻulu i ka waihona:

cd /usr/share/xt_geoip/

/usr/local/libexec/xtables-addons/xt_geoip_dl

/usr/local/libexec/xtables-addons/xt_geoip_build

Ma hope o kēia mau hana, ua mākaukau nā iptables e hana.

Ke hoʻohana nei i ka geoip i nā iptables

Module xt_geoip hoʻohui i ʻelua mau kī:

geoip match options:
[!] --src-cc, --source-country country[,country...]
	Match packet coming from (one of) the specified country(ies)
[!] --dst-cc, --destination-country country[,country...]
	Match packet going to (one of) the specified country(ies)

NOTE: The country is inputed by its ISO3166 code.

ʻO nā ʻano hana no ka hana ʻana i nā lula no nā iptables, ma ke ʻano nui, ʻaʻole i loli. No ka hoʻohana ʻana i nā kī mai nā modula ʻē aʻe, pono ʻoe e wehewehe pono i ka inoa o ka module me ka hoʻololi -m. No ka laʻana, he lula no ka ālai ʻana i nā pilina TCP e komo mai ana ma ke awa 443 ʻaʻole mai ʻAmelika mai ma nā pilina āpau:

iptables -I INPUT ! -i lo -p tcp --dport 443 -m geoip ! --src-cc US -j DROP

Hoʻohana wale ʻia nā faila i hana ʻia e xt_geoip_build i ka wā e hana ai i nā lula, akā ʻaʻole i mālama ʻia i ka wā kānana. No laila, no ka hoʻoponopono pololei ʻana i ka waihona geoip, pono ʻoe e hōʻano mua i nā faila iv*, a laila e hana hou i nā lula āpau e hoʻohana ai i ka geoip ma iptables.

hopena

ʻO ka kānana ʻana i nā ʻeke e pili ana i nā ʻāina he hoʻolālā i poina ʻia e ka manawa. Eia naʻe, ke kūkulu ʻia nei nā lako polokalamu no ia kānana a, ʻaʻole paha, e ʻike koke ʻia kahi mana hou o xt_geoip me kahi mea hāʻawi ʻikepili geoip hou i nā mana hoʻokele, e hoʻomaʻamaʻa loa i ke ola o nā luna hoʻomalu.

xtables-addons: kānana pūʻolo ma ka ʻāina

Hiki i nā mea hoʻohana i hoʻopaʻa inoa ʻia ke komo i ka noiʻi. Eʻe, e 'oluʻolu.

Ua hoʻohana paha ʻoe i ka kānana ma ka ʻāina?

  • 59,1%ʻAe13

  • 40,9%ʻAʻole9

22 mea hoʻohana i koho. Ua hōʻole nā ​​mea hoʻohana 3.

Source: www.habr.com

Pākuʻi i ka manaʻo hoʻopuka