
xtables-addons: filtering packets by country
The task of blocking traffic from certain countries looks simple, but first impressions can be deceiving. Today we will show how it can actually be done.

Background

The results of a Google search on this topic are disappointing: most of the solutions have long since "rotted", and at times it seems the topic has been abandoned and forgotten forever. We combed through a lot of old material and are ready to present an up-to-date guide.

We recommend reading the whole article before running any of these commands.

Preparing the operating system

Filtering will be configured with the iptables firewall, which needs an extension to work with GeoIP data. That extension lives in xtables-addons. xtables-addons installs its iptables extensions as independent kernel modules, so there is no need to rebuild the OS kernel.

At the time of writing, the current version of xtables-addons is 3.9. However, only 3.8 is available in the standard Ubuntu 20.04 LTS repositories, and 3.0 in the Ubuntu 18.04 repositories. You can install the extension from the package manager with the following command:

apt install xtables-addons-common libtext-csv-xs-perl

Note that there are small but important differences between version 3.9 and the current state of the project, which we will discuss later. To build from source, install all the required packages:

apt install git build-essential autoconf make libtool iptables-dev libxtables-dev pkg-config libnet-cidr-lite-perl libtext-csv-xs-perl

Clone the repository:

git clone https://git.code.sf.net/p/xtables-addons/xtables-addons xtables-addons-xtables-addons

cd xtables-addons-xtables-addons

xtables-addons contains many extensions, but we only need xt_geoip. If you do not want to pull unnecessary extensions into the system, you can exclude them from the build. To do so, edit the mconfig file: set y for every module you need and mark all the unneeded ones with n. Then build:

./autogen.sh

./configure

make

And install with superuser rights:

make install

During installation of the kernel modules, an error similar to the following may appear:

INSTALL /root/xtables-addons-xtables-addons/extensions/xt_geoip.ko
At main.c:160:
- SSL error:02001002:system library:fopen:No such file or directory: ../crypto/bio/bss_file.c:72
- SSL error:2006D080:BIO routines:BIO_new_file:no such file: ../crypto/bio/bss_file.c:79
sign-file: certs/signing_key.pem: No such file or directory

This error occurs because the kernel modules cannot be signed: there is no key to sign them with. The problem is fixed with a few commands:

cd /lib/modules/$(uname -r)/build/certs

cat <<EOF > x509.genkey

[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
x509_extensions = myexts

[ req_distinguished_name ]
CN = Modules

[ myexts ]
basicConstraints=critical,CA:FALSE
keyUsage=digitalSignature
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
EOF

openssl req -new -nodes -utf8 -sha512 -days 36500 -batch -x509 -config x509.genkey -outform DER -out signing_key.x509 -keyout signing_key.pem

The kernel module is installed, but the system does not see it yet. Let us tell the system to rebuild the module dependency map so that it accounts for the new module, and then load it:

depmod -a

modprobe xt_geoip

Make sure xt_geoip is loaded into the system:

# lsmod | grep xt_geoip
xt_geoip               16384  0
x_tables               40960  2 xt_geoip,ip_tables

Also make sure the extension has been registered with iptables:

# cat /proc/net/ip_tables_matches 
geoip
icmp

Everything is in order, and all that remains is to add the module name to /etc/modules so that the module keeps working after the OS reboots. From now on, iptables understands geoip options, but it has no data to work with. Let us load the geoip database.

Getting the GeoIP database

Create a directory where the data files understood by the iptables extension will be stored:

mkdir /usr/share/xt_geoip

At the start of the article we said that the version built from source differs from the one from the package manager. The most important difference is the change of database vendor and of the xt_geoip_dl script, which downloads fresh data.

Package manager version

The script is located in /usr/lib/xtables-addons, but when you try to run it you will see a puzzling error:

# ./xt_geoip_dl 
unzip:  cannot find or open GeoLite2-Country-CSV.zip, GeoLite2-Country-CSV.zip.zip or GeoLite2-Country-CSV.zip.ZIP.

Previously, the data source was the GeoLite product, now called GeoLite Legacy, distributed by MaxMind under the Creative Commons BY-SA 4.0 license. Two events happened to this product that "broke" its relationship with the iptables extension.

First, in January 2018 the end of support for the product was announced, and on January 2, 2019 all links for downloading old versions of the database were removed from the official site. New users were advised to use the GeoLite2 product or its paid version, GeoIP2.

Second, in December 2019 MaxMind announced an important change in access to its databases. To comply with the California Consumer Privacy Act, MaxMind decided to "close" the distribution of GeoLite2 behind registration.

Since we want to use their product, we register on this page.

After that you will receive an email asking you to set a password. Now that we have created an account, we need to create a license key. In the personal account we find the item My License Key, and then click the Generate new license key button.

When creating the key we are asked just one question: will this key be used in the GeoIP Update program? We answer no and click the Confirm button. The key is shown in a pop-up window. Save this key in a safe place, because once you close the pop-up window you will no longer be able to view the full key.

We could download the GeoLite2 databases manually, but their format is incompatible with the format expected by the xt_geoip_build script. This is where the GeoLite2xtables scripts come to the rescue. To run the scripts, install the NetAddr::IP perl module:

wget https://cpan.metacpan.org/authors/id/M/MI/MIKER/NetAddr-IP-4.079.tar.gz

tar xvf NetAddr-IP-4.079.tar.gz

cd NetAddr-IP-4.079

perl Makefile.PL

make

make install

Next, clone the repository with the scripts and write the previously obtained license key to a file:

git clone https://github.com/mschmitt/GeoLite2xtables.git

cd GeoLite2xtables

echo "YOUR_LICENSE_KEY='123ertyui123'" > geolite2.license

Run the scripts:

# Download the GeoLite2 data
./00_download_geolite2
# Download the country information (to match codes)
./10_download_countryinfo
# Convert the GeoLite2 database to the GeoLite Legacy format
cat /tmp/GeoLite2-Country-Blocks-IPv{4,6}.csv |
./20_convert_geolite2 /tmp/CountryInfo.txt > /usr/share/xt_geoip/dbip-country-lite.csv

MaxMind sets a limit of 2000 downloads per day and, when there are many servers, recommends caching the update on one server.

Note that the output file must be named dbip-country-lite.csv. Unfortunately, 20_convert_geolite2 does not produce a file of quite the right format. The xt_geoip_build script expects three columns:

  • start of the address range;
  • end of the address range;
  • country code in ISO-3166 alpha-2.

But the output file has six columns:

  • start of the address range (string representation);
  • end of the address range (string representation);
  • start of the address range (numeric representation);
  • end of the address range (numeric representation);
  • country code;
  • country name.

This mismatch is critical and can be fixed in one of two ways:

  1. patch 20_convert_geolite2;
  2. patch xt_geoip_build.

In the first case we trim the printf down to the required format; in the second we change the assignment of the $cc variable to $row->[4]. After that you can build:

/usr/lib/xtables-addons/xt_geoip_build -S /usr/share/xt_geoip/ -D /usr/share/xt_geoip

. . .
 2239 IPv4 ranges for ZA
  348 IPv6 ranges for ZA
   56 IPv4 ranges for ZM
   12 IPv6 ranges for ZM
   56 IPv4 ranges for ZW
   15 IPv6 ranges for ZW
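A third route, which leaves both scripts untouched, is to post-process the six-column file into the three-column layout before running xt_geoip_build. The script below is an added example and is not part of the article, the GeoLite2xtables project or xtables-addons; the column positions follow the two lists above, and the sample rows are constructed, not real GeoLite2 data. It also includes a check that rejects rows which do not look like start,end,CC, which is worth running before the build so a malformed line is caught here rather than silently producing a wrong range file.

```shell
#!/bin/sh
# Added example (not from the article or the xtables-addons project):
# convert the six-column GeoLite Legacy style CSV emitted by
# 20_convert_geolite2 into the "start,end,cc" CSV that xt_geoip_build expects.

# Read six-column CSV on stdin, write "start,end,cc" on stdout.
# Only the first, second and fifth fields are used, so a comma inside the
# quoted country name (the sixth and last field) cannot shift them.
legacy_to_3col() {
    awk -F',' 'BEGIN { OFS = "," }
        NF >= 5 {
            gsub(/"/, "", $1); gsub(/"/, "", $2); gsub(/"/, "", $5)
            print $1, $2, $5
        }'
}

# Reject rows that are not "start,end,CC" with a two-letter upper-case code.
# Prints the offending line numbers and returns 1 if any row is bad.
check_3col() {
    awk -F',' 'BEGIN { bad = 0 }
        NF != 3 || $3 !~ /^[A-Z][A-Z]$/ { print "bad row " NR ": " $0; bad = 1 }
        END { exit bad }'
}

# Constructed sample input in the six-column layout (not real data).
sample_legacy_csv() {
    cat <<'EOF'
"1.0.0.0","1.0.0.255","16777216","16777471","AU","Australia"
"1.0.1.0","1.0.3.255","16777472","16778239","CN","China"
"1.0.16.0","1.0.16.255","16781312","16781567","KR","Korea, Republic of"
EOF
}

# Convert the sample; each line comes out as "start,end,CC".
sample_convert() { sample_legacy_csv | legacy_to_3col; }

# Number of rows produced from the sample (3 for the input above).
sample_count() { sample_convert | awk 'END { print NR }'; }

# Real use: convert the file written by 20_convert_geolite2 in place and
# refuse to overwrite it if the result fails the format check.
convert_file() {
    in=$1
    legacy_to_3col < "$in" > "$in.tmp" || return 1
    check_3col < "$in.tmp" || { rm -f "$in.tmp"; return 1; }
    mv "$in.tmp" "$in"
}
```

Run `convert_file /usr/share/xt_geoip/dbip-country-lite.csv` after the three GeoLite2xtables scripts and before xt_geoip_build; the check step is what makes this safer than editing printf by hand, because a row with a missing or lower-case code stops the conversion instead of ending up in an .iv4 file.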

Note that the author of GeoLite2xtables does not consider the scripts production-ready and points to the development of the original xt_geoip_* scripts instead. So let us move on to the build from source, where the scripts have already been updated.

Source version

When built from source, the xt_geoip_* scripts are located in /usr/local/libexec/xtables-addons. This version of the script uses the DB-IP IP to Country Lite database. Its license is the Creative Commons Attribution License, and the data file contains exactly the three required columns. Download and build the database:

cd /usr/share/xt_geoip/

/usr/local/libexec/xtables-addons/xt_geoip_dl

/usr/local/libexec/xtables-addons/xt_geoip_build

After these steps, iptables is ready to work.

Using geoip in iptables

The xt_geoip module adds only two options:

geoip match options:
[!] --src-cc, --source-country country[,country...]
	Match packet coming from (one of) the specified country(ies)
[!] --dst-cc, --destination-country country[,country...]
	Match packet going to (one of) the specified country(ies)

NOTE: The country is inputed by its ISO3166 code.

The process of creating iptables rules is, in general, unchanged. To use options from additional modules, you must explicitly name the module with the -m switch. For example, a rule to block incoming TCP connections to port 443 that do not originate from the USA, on all interfaces except loopback:

iptables -I INPUT ! -i lo -p tcp --dport 443 -m geoip ! --src-cc US -j DROP

The files produced by xt_geoip_build are read only when a rule is created, not during filtering. Therefore, to update the geoip data correctly, you must first update the iv* files and then recreate every iptables rule that uses geoip.
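Because a geoip rule keeps the data it was created with, a database refresh that is not followed by rule recreation leaves the firewall matching on stale ranges. The following script, added here as an example and not taken from the article or from xtables-addons, wraps the refresh procedure described above: rebuild the database with the source-build scripts, confirm the .iv4 file for the country used in the rule exists, delete every copy of the rule, and insert it again. The database path /usr/share/xt_geoip and the per-country file name CC.iv4 are assumptions that match the article's "iv* files"; adjust DBDIR and SCRIPTS if your layout differs.

```shell
#!/bin/sh
# Added example (not from the article or the xtables-addons project):
# refresh the geoip database and re-create the rule that depends on it.
# DBDIR and SCRIPTS follow the article's source build and are assumptions.

DBDIR=${DBDIR:-/usr/share/xt_geoip}
SCRIPTS=${SCRIPTS:-/usr/local/libexec/xtables-addons}

# Arguments of the article's rule (everything after the -I/-D verb):
# drop TCP to $1 that does not come from country $2, on every
# interface except loopback.
geoip_rule_args() {
    printf 'INPUT ! -i lo -p tcp --dport %s -m geoip ! --src-cc %s -j DROP' "$1" "$2"
}

# Full command line for documentation and testing.
# $1 = -I (insert) or -D (delete), $2 = port, $3 = ISO-3166 alpha-2 code.
geoip_rule() {
    printf 'iptables %s %s\n' "$1" "$(geoip_rule_args "$2" "$3")"
}

# xt_geoip needs a compiled file for every code named in a rule; report the
# missing ones before touching the ruleset. Returns 1 if any are missing.
missing_db_files() {
    rc=0
    for cc in "$@"; do
        [ -f "$DBDIR/$cc.iv4" ] || { echo "missing $DBDIR/$cc.iv4"; rc=1; }
    done
    return $rc
}

# $1 = port, $2 = country code. Only a two-letter upper-case code is
# accepted, so nothing unexpected reaches the iptables command line.
refresh_geoip_rule() {
    case $2 in
        [A-Z][A-Z]) ;;
        *) echo "bad country code: $2" >&2; return 1 ;;
    esac
    # 1. Rebuild the database with the scripts from the source build.
    ( cd "$DBDIR" && "$SCRIPTS/xt_geoip_dl" && "$SCRIPTS/xt_geoip_build" ) || return 1
    missing_db_files "$2" || return 1
    # 2. Remove every existing copy of the rule; each one still holds old data.
    #    Word splitting of the fixed argument string is intentional here.
    while iptables -D $(geoip_rule_args "$1" "$2") 2>/dev/null; do :; done
    # 3. Insert it again so it snapshots the fresh database.
    iptables -I $(geoip_rule_args "$1" "$2")
}

# Usage: ./refresh-geoip.sh refresh 443 US   (as root)
case "${1:-}" in
    refresh) refresh_geoip_rule "${2:-443}" "${3:-US}" ;;
esac
```

The delete loop matters more than it looks: every earlier insertion of the same rule is a separate copy with its own snapshot of the ranges, so deleting just once would leave an older copy in place ahead of or behind the new one. An IPv6 counterpart would use ip6tables and check the .iv6 file in the same way.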

Conclusion

Filtering packets by country is an idea somewhat forgotten by time. Nevertheless, the software tools for such filtering are still being developed and, perhaps, a new version of xt_geoip with a new geoip data source will soon appear in package managers, which would make the lives of system administrators much easier.


Have you used filtering by country?

  • 59.1% Yes (13)

  • 40.9% No (9)

22 users voted. 3 users abstained.

Source: www.hab.com
