Bypassing RKN blocking with DNSTap and BGP

The topic has been beaten to death, I know. There is, for example, an excellent article on it, but it covers only the IP part of the blocklist. We will add domains as well.

Since the courts and RKN block everything left and right, and providers try hard not to get fined by Revizor, the collateral damage from blocking is considerable. And among the sites blocked "according to the law" there are plenty of useful ones (hello, rutracker).

I live outside RKN's jurisdiction, but my parents, relatives and friends are still back home. So I decided to come up with a simple way for people far from IT to bypass the blocking, preferably without any involvement on their part.

In this article I will not describe basic networking step by step; instead I will describe the general principles of how this scheme can be implemented. So an understanding of how networks work in general, and in Linux in particular, is required.

Types of blocking

First, let us recall what exactly gets blocked.

The XML dump from RKN contains several types of blocks:

  • IP
  • Domain
  • URL

For simplicity we reduce them to two, IP and domain, and for URL blocks we simply extract the domain (more precisely, this has already been done for us).

The good people at Roskomsvoboda have implemented an excellent API through which we can get what we need:

Access to blocked sites

For this we need some small VPS abroad, preferably with unmetered traffic; there are plenty of those for 3-5 dollars. It should be in a nearby country so that the latency is not too high, but keep in mind that Internet topology and geography do not always coincide. And since there is no SLA for 5 dollars, it is better to take two or more from different providers for fault tolerance.

Next, we need to set up an encrypted tunnel from the client router to the VPS. I use WireGuard as the fastest and easiest to configure. My client routers also run Linux (APU2 or something on OpenWRT). On Mikrotik / Cisco you can use the protocols available there, such as OpenVPN and GRE-over-IPsec.

Identifying and redirecting the interesting traffic

You could, of course, send all Internet traffic through the tunnel abroad. But most likely the speed of working with local content would suffer badly from this. In addition, the bandwidth requirements for the VPS would be higher.

Therefore, we need to somehow separate the traffic going to blocked sites and selectively send it into the tunnel. Even if some "extra" traffic ends up there, it is still much better than driving everything through the tunnel.

To steer the traffic we will use the BGP protocol and announce routes to the necessary networks from our VPS to the clients. Let us take BIRD as one of the most functional and convenient BGP daemons.

IP

With IP blocking everything is clear: we simply announce all blocked IPs from the VPS. The problem is that the list returned by the API contains about 600 thousand subnets, and the overwhelming majority of them are /32 hosts. That many routes can overwhelm weak client routers.

Therefore, when processing the list, I decided to summarize to a /24 network whenever it contains 2 or more hosts. This reduced the number of routes to ~100 thousand. The script for this follows below.

Domains

This is more complicated and there are several approaches. For example, you can install a transparent Squid on each client router and do HTTP interception there, and peek into the TLS handshake, in order to get the requested URL in the first case and the domain from the SNI in the second.

But with all the newfangled TLS 1.3 + eSNI, HTTPS analysis becomes less and less realistic every day. And the client-side setup becomes more complicated: you would need at least OpenWRT.

Therefore, I decided to go the way of intercepting the responses to DNS queries. Here, too, all kinds of DNS-over-TLS / HTTPS loom over you, but (for now) we can control this on the client: either disable it or use your own server for DoT / DoH.

How to intercept DNS?

Here, too, there are several possible approaches.

  • Intercepting DNS traffic via PCAP or NFLOG
    Both of these interception methods are implemented in an existing utility. But it has not been maintained for a long time and its functionality is very primitive, so you would still have to write a harness around it.
  • Analysing the DNS server logs
    Unfortunately, the recursors I know cannot log responses, only queries. In principle this is logical, because unlike queries, responses have a complex structure and are hard to write out in text form.
  • DNSTap
    Fortunately, many of them already support DNSTap for exactly this purpose.

What is DNSTap?

It is a client-server protocol based on Protocol Buffers and Frame Streams for delivering structured DNS queries and responses from the DNS server to a collector. Essentially, the DNS server sends the query and response metadata (message type, client / server IP, etc.) plus the complete DNS messages in the same (binary) form in which it exchanges them on the network.

It is important to understand that in the DNSTap paradigm the DNS server acts as the client and the collector as the server. That is, the DNS server connects to the collector, not the other way round.

Today DNSTap is supported by all popular DNS servers. But, for example, BIND in many distributions (such as Ubuntu LTS) is often built without it for some reason. So let us not bother with rebuilding and instead take a lighter and faster recursor: Unbound.

How to catch DNSTap?

There are a number of CLI utilities for working with the stream of DNSTap events, but they are not suitable for solving our problem. So I decided to build my own bicycle that does everything needed: dnstap-bgp

Algorithm of operation:

  • On start it loads the list of domains from a text file, reverses them (habr.com -> com.habr), drops broken lines, duplicates and subdomains (i.e. if the list contains both habr.com and www.habr.com, only the first is loaded) and builds a prefix tree for fast lookups in this list
  • Acting as the DNSTap server, it waits for a connection from the DNS server. In principle it supports both UNIX and TCP sockets, but the DNS servers I know can only use UNIX sockets.
  • Incoming DNSTap packets are first deserialized into the Protobuf structure, and then the binary DNS message itself, located in one of the Protobuf fields, is parsed down to the level of DNS RR records.
  • It checks whether the requested host (or its parent domain) is in the list; if not, the response is ignored
  • Only A / AAAA / CNAME RRs are selected from the response and the IPv4 / IPv6 addresses are extracted from them
  • The IP addresses are cached with a configurable TTL and announced to all configured BGP peers
  • When a response pointing to an already cached IP is received, its TTL is refreshed
  • After the TTL expires, the entry is removed from the cache and withdrawn from the BGP announcements

Additional functionality:

  • Re-reading the domain list on SIGHUP
  • Keeping the cache in sync with other dnstap-bgp instances over HTTP/JSON
  • Persisting the cache on disk (in a BoltDB database) to restore its contents after a restart
  • Support for switching into another network namespace (why this is needed is explained below)
  • IPv6 support

Limitations:

  • IDN domains are not supported yet
  • Few BGP settings

I built RPM and DEB packages for easy installation. They should work on any recent OS with systemd. They have no dependencies.
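The processing pipeline above (domain list normalization, suffix-tree lookup, A / AAAA / CNAME extraction and the TTL cache that drives announce / withdraw) is shown here as an added Python example. It is not dnstap-bgp's own Go code and it does not speak Frame Streams / Protobuf: it works on the raw DNS message that a DNSTap CLIENT_RESPONSE carries, and the BGP side is reduced to the return values of `process` and `RouteCache.expire`. The `exclude` parameter is a hypothetical hook for the exception list suggested in the Disadvantages section below; the sample response bytes are constructed, not captured.

```python
import ipaddress
import struct
import time

def tree_add(root, name):
    """Insert a domain into the suffix tree (habr.com is stored as com -> habr)."""
    node = root
    for label in reversed(name.split('.')):
        node = node.setdefault(label, {})
    node['$'] = True                        # terminal marker: a listed domain ends here

def tree_match(root, name):
    """True if the name itself or any parent domain of it is in the list."""
    node = root
    for label in reversed(name.lower().rstrip('.').split('.')):
        node = node.get(label)
        if node is None:
            return False
        if '$' in node:
            return True
    return False

def load_domains(lines, exclude=()):
    """Strip '*.' wildcards; drop blanks, duplicates, names in the hypothetical
    `exclude` set and names already covered by a listed parent domain."""
    root = {}
    names = {l.strip().lower().lstrip('*.') for l in lines} - {''}
    for name in sorted(names, key=lambda n: n.count('.')):   # parents first
        if name not in exclude and not tree_match(root, name):
            tree_add(root, name)
    return root

def _read_name(msg, off):
    """Decode a possibly compressed wire-format name: (name, offset after it)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:               # compression pointer (RFC 1035 4.1.4)
            end = off + 2 if end is None else end
            off = struct.unpack('!H', msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            return '.'.join(labels), (off if end is None else end)
        labels.append(msg[off:off + ln].decode('ascii'))
        off += ln

def parse_response(msg):
    """Return (qname, [(rtype, rdata), ...]) for the A/AAAA/CNAME answer RRs."""
    ancount = struct.unpack('!H', msg[6:8])[0]
    qname, off = _read_name(msg, 12)
    off += 4                                # qtype/qclass; single question assumed
    rrs = []
    for _ in range(ancount):
        _, off = _read_name(msg, off)       # owner name
        rtype, _, _, rdlen = struct.unpack('!HHIH', msg[off:off + 10])
        off += 10
        if rtype == 1:
            rrs.append(('A', str(ipaddress.IPv4Address(msg[off:off + 4]))))
        elif rtype == 28:
            rrs.append(('AAAA', str(ipaddress.IPv6Address(msg[off:off + 16]))))
        elif rtype == 5:
            rrs.append(('CNAME', _read_name(msg, off)[0]))
        off += rdlen
    return qname, rrs

class RouteCache:
    """IP -> expiry: learn() reports new routes (announce), expire() stale ones (withdraw)."""
    def __init__(self, ttl, now=time.monotonic):
        self.ttl, self.now, self.exp = ttl, now, {}

    def learn(self, ip):
        fresh = ip not in self.exp
        self.exp[ip] = self.now() + self.ttl   # TTL is refreshed on every response
        return fresh

    def expire(self):
        t = self.now()
        gone = sorted(ip for ip, e in self.exp.items() if e <= t)
        for ip in gone:
            del self.exp[ip]
        return gone

def process(tree, cache, msg):
    """IPs from one response that are new to the cache (to be announced over BGP),
    or [] if the queried name is not in the list."""
    qname, rrs = parse_response(msg)
    if not tree_match(tree, qname):
        return []
    return [rd for rt, rd in rrs if rt in ('A', 'AAAA') and cache.learn(rd)]

# Constructed sample (not a capture): answer to "www.habr.com A?" with a CNAME to
# habr.com, A 203.0.113.10 and AAAA 2001:db8::1, using compression pointers.
SAMPLE_RESPONSE = bytes.fromhex(
    '1234 8180 0001 0003 0000 0000'                 # header: 1 question, 3 answers
    '03 777777 04 68616272 03 636f6d 00 0001 0001'  # www.habr.com A IN
    'c00c 0005 0001 0000012c 0002 c010'             # CNAME habr.com (pointer to offset 16)
    'c010 0001 0001 0000012c 0004 cb00710a'         # habr.com A 203.0.113.10
    'c010 001c 0001 0000012c 0010 20010db8000000000000000000000001')  # AAAA 2001:db8::1
```

Feeding `SAMPLE_RESPONSE` through `process` twice returns both addresses the first time and nothing the second, which is exactly the announce-once / refresh-TTL behaviour described above; `expire()` is what would turn into BGP withdrawals.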

Scheme

So, let us put it all together. As a result we should get something like this network topology:

The logic of operation is, I think, clear from the diagram:

  • The client has our server configured as its DNS, and DNS queries must also go through the VPN. This is necessary so that the provider cannot use DNS interception for blocking.
  • When opening a site, the client sends a DNS query like "what are the IPs of xxx.org"
  • Unbound resolves xxx.org (or takes it from its cache) and sends the client the response "xxx.org has such-and-such IPs", duplicating it in parallel over DNSTap
  • dnstap-bgp announces the addresses to BIRD over BGP if the domain is in the blocklist
  • BIRD announces routes to these IPs with next-hop self to the client router
  • Subsequent packets from the client to these IPs go into the tunnel

On the server, for the routes to blocked sites, I use a separate table inside BIRD, and it does not interact with the OS in any way.

This scheme has a drawback: the client's first SYN packet will most likely have time to leave through the home provider, because the route is not announced instantly. What happens then depends on how the provider implements the block. If it simply drops the traffic, there is no problem. If it redirects it to some DPI box, then (theoretically) special effects are possible.

It is also possible that clients do not honour DNS TTLs, which can lead to a client using stale entries from its own cache instead of asking Unbound.

In practice neither the first nor the second has caused me problems, but your mileage may vary.

Server setup

For ease of rollout I wrote an Ansible role. It can configure both the servers and Linux-based clients (designed for deb-based distributions). All the settings are fairly obvious and are set in inventory.yml. This role was cut out of my big playbook, so it may contain errors; pull requests are welcome :)

Let us go through the main points.

BGP

Running two BGP daemons on the same host has a fundamental problem: BIRD refuses to set up BGP peering with localhost (or any local interface). Not at all. Googling and reading the mailing lists did not help; they claim it is by design. Maybe there is some way, but I could not find it.

You could try another BGP daemon, but I like BIRD and use it everywhere, and I do not want to multiply entities.

Therefore, I hid dnstap-bgp inside a network namespace, which is connected to the root namespace via a veth interface: it is like a pipe whose ends stick out in different namespaces. On each of these ends we hang private p2p IP addresses that never leave the host, so they can be anything. This is the same mechanism used to reach processes inside everyone's favourite Docker and other containers.

For this a script was written, and the functionality described above for pulling itself by the hair into another namespace was added to dnstap-bgp. Because of this it must run as root, or the binary must be granted CAP_SYS_ADMIN via the setcap command.

Example script for creating the namespace

#!/bin/bash

NS="dtap"

IP="/sbin/ip"
IPNS="$IP netns exec $NS $IP"

IF_R="veth-$NS-r"
IF_NS="veth-$NS-ns"

IP_R="192.168.149.1"
IP_NS="192.168.149.2"

/bin/systemctl stop dnstap-bgp || true

$IP netns del $NS > /dev/null 2>&1
$IP netns add $NS

$IP link add $IF_R type veth peer name $IF_NS
$IP link set $IF_NS netns $NS

$IP addr add $IP_R remote $IP_NS dev $IF_R
$IP link set $IF_R up

$IPNS addr add $IP_NS remote $IP_R dev $IF_NS
$IPNS link set $IF_NS up

/bin/systemctl start dnstap-bgp

dnstap-bgp.conf

namespace = "dtap"
domains = "/var/cache/rkn_domains.txt"
ttl = "168h"

[dnstap]
listen = "/tmp/dnstap.sock"
perm = "0666"

[bgp]
as = 65000
routerid = "192.168.149.2"

peers = [
    "192.168.149.1",
]

bird.conf

router id 192.168.1.1;

table rkn;

# Clients
protocol bgp bgp_client1 {
    table rkn;
    local as 65000;
    neighbor 192.168.1.2 as 65000;
    direct;
    bfd on;
    next hop self;
    graceful restart;
    graceful restart time 60;
    export all;
    import none;
}

# DNSTap-BGP
protocol bgp bgp_dnstap {
    table rkn;
    local as 65000;
    neighbor 192.168.149.2 as 65000;
    direct;
    passive on;
    rr client;
    import all;
    export none;
}

# Static routes list
protocol static static_rkn {
    table rkn;
    include "rkn_routes.list";
    import all;
    export none;
}

rkn_routes.list

route 3.226.79.85/32 via "ens3";
route 18.236.189.0/24 via "ens3";
route 3.224.21.0/24 via "ens3";
...

DNS

By default, on Ubuntu the Unbound binary is confined by an AppArmor profile that prevents it from connecting to any DNSTap sockets. You can either delete this profile or disable it:

# cd /etc/apparmor.d/disable && ln -s ../usr.sbin.unbound .
# apparmor_parser -R /etc/apparmor.d/usr.sbin.unbound

This should probably be added to the playbook. It would of course be more correct to fix the profile and grant just the necessary permissions, but I was too lazy.

unbound.conf

server:
    chroot: ""
    port: 53
    interface: 0.0.0.0
    root-hints: "/var/lib/unbound/named.root"
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    access-control: 192.168.0.0/16 allow

remote-control:
    control-enable: yes
    control-use-cert: no

dnstap:
    dnstap-enable: yes
    dnstap-socket-path: "/tmp/dnstap.sock"
    dnstap-send-identity: no
    dnstap-send-version: no

    dnstap-log-client-response-messages: yes

Downloading and processing the lists

Script for downloading and processing the IP address list
It downloads the list, summarizing by the prefix length pfx. In dont_add and dont_summarize you can specify IPs and networks to skip or not to summarize. I needed this: my VPS's subnet was in the blocklist :)

The funniest thing is that the RosKomSvoboda API blocks requests with the default Python User-Agent. Looks like the script kiddies got to them. So we change it to a Firefox one.

For now it only works with IPv4. The share of IPv6 is small, but it would be easy to fix. Except that you would have to use bird6 as well.

rkn.py

#!/usr/bin/python3

import json, urllib.request, ipaddress as ipa

url = 'https://api.reserve-rbl.ru/api/v2/ips/json'
pfx = '24'

# /24 networks whose hosts must NOT be summarized (their /32s are kept as-is)
dont_summarize = {
    # ipa.IPv4Network('1.1.1.0/24'),
}

# Addresses to drop from the list entirely
dont_add = {
    # ipa.IPv4Address('1.1.1.1'),
}

# The API rejects the default Python User-Agent, so present a browser one
req = urllib.request.Request(
    url,
    data=None,
    headers={
        'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36'
    }
)

f = urllib.request.urlopen(req)
ips = json.loads(f.read().decode('utf-8'))

prefix32 = ipa.IPv4Address('255.255.255.255')

# key: summarized /pfx network, a real network from the list, or a single
# address -> [first address seen, number of hosts]
r = {}
for i in ips:
    ip = ipa.ip_network(i)
    if not isinstance(ip, ipa.IPv4Network):
        continue

    addr = ip.network_address

    if addr in dont_add:
        continue

    m = ip.netmask
    if m != prefix32:
        # Already a network: keep it as-is (count 2 forces the network to be printed)
        r[ip] = [addr, 2]
        continue

    sn = ipa.IPv4Network(str(addr) + '/' + pfx, strict=False)

    if sn in dont_summarize:
        tgt = addr
    else:
        tgt = sn

    if tgt not in r:
        r[tgt] = [addr, 1]
    else:
        r[tgt][1] += 1

o = []
for n, v in r.items():
    if v[1] == 1:
        # lone host in its /pfx: announce just the host route
        o.append(str(v[0]) + '/32')
    else:
        o.append(str(n))

for k in o:
    print(k)

Update script
I run it from cron once a day; it may be worth pulling it every 4 hours. That, as far as I know, is the update period RKN requires from providers. Besides, they have some kind of urgent blocks that can arrive faster.

It does the following:

  • Runs the first script and updates the route list (rkn_routes.list) for BIRD
  • Reloads BIRD
  • Updates and cleans up the domain list for dnstap-bgp
  • Reloads dnstap-bgp

rkn_update.sh

#!/bin/bash

# Fail a pipeline if any stage fails, otherwise the $? checks below only see sed/uniq
set -o pipefail

ROUTES="/etc/bird/rkn_routes.list"
DOMAINS="/var/cache/rkn_domains.txt"

# Get & summarize routes, wrapping each prefix into a BIRD static route line
/opt/rkn.py | sed 's/\(.*\)/route \1 via "ens3";/' > $ROUTES.new

if [ $? -ne 0 ]; then
    rm -f $ROUTES.new
    echo "Unable to download RKN routes"
    exit 1
fi

if [ -e $ROUTES ]; then
    mv $ROUTES $ROUTES.old
fi

mv $ROUTES.new $ROUTES

/bin/systemctl try-reload-or-restart bird

# Get domains: strip the leading "*." wildcard and deduplicate
curl -fsS https://api.reserve-rbl.ru/api/v2/domains/json -o - | jq -r '.[]' | sed 's/^\*\.//' | sort | uniq > $DOMAINS.new

if [ $? -ne 0 ]; then
    rm -f $DOMAINS.new
    echo "Unable to download RKN domains"
    exit 1
fi

if [ -e $DOMAINS ]; then
    mv $DOMAINS $DOMAINS.old
fi

mv $DOMAINS.new $DOMAINS

/bin/systemctl try-reload-or-restart dnstap-bgp

They were written without much thought, so if you see something that can be improved, go for it.

Client setup

Here I will give an example for Linux routers, but in the case of Mikrotik / Cisco it should be even simpler.

First, configure BIRD:

bird.conf

router id 192.168.1.2;
table rkn;

protocol device {
    scan time 10;
};

# Servers
protocol bgp bgp_server1 {
    table rkn;
    local as 65000;
    neighbor 192.168.1.1 as 65000;
    direct;
    bfd on;
    next hop self;
    graceful restart;
    graceful restart time 60;
    rr client;
    export none;
    import all;
}

protocol kernel {
    table rkn;
    kernel table 222;
    scan time 10;
    export all;
    import none;
}

Thus, we synchronize the routes received over BGP into kernel routing table number 222.

After that, it is enough to ask the kernel to consult this table before the default one:

# ip rule add from all pref 256 lookup 222
# ip rule
0:  from all lookup local
256:    from all lookup 222
32766:  from all lookup main
32767:  from all lookup default

That is all; it only remains to configure DHCP on the router to hand out the server's IP address as the DNS server, and the scheme is ready.

Disadvantages

With the current algorithm for building and processing the domain list, it includes, among other things, youtube.com and its CDNs.

This means that all video will go through the VPN, which can saturate the whole channel. It may be worth compiling an exception list of popular domains that RKN blocks for now, God forbid, and skipping them while parsing.

Conclusion

The described method allows bypassing almost any blocking that providers implement today.

In principle, dnstap-bgp can be used for other purposes where some degree of traffic steering by domain name is needed. Just keep in mind that nowadays a thousand sites can hang off the same IP address (behind some Cloudflare, for example), so this method has rather low precision.

But for the purpose of bypassing blocks it is quite sufficient.

Additions, fixes, pull requests: welcome!

Source: www.hab.com
