Saying that we have been panicking would be an exaggeration, but it is worth writing up.
As everyone knows, since 16 April 2018 Roskomnadzor has been blocking access to Internet resources on an extremely broad scale, adding domain names, page indexes of Internet sites and network addresses by which sites can be identified to the Unified Registry of information whose distribution is prohibited in the Russian Federation (hereafter simply "the registry"). As a result, citizens and companies of the Russian Federation have lost access to perfectly legal resources they need.
After I wrote in a comment on one of the articles on Habr that I was ready to help the victims plan a bypass, several people came to me asking for such help. When everything worked for them, one of them suggested that I describe the technique in an article. After some thought I decided to break my silence on the site and try, for once, to write something between a project and a Facebook post. The result is in front of you.
Disclaimer
Publishing ways to bypass the blocking of access to information prohibited on the territory of the Russian Federation is not quite legal, so the purpose of this article is to describe a method of automating access to resources that are permitted on the territory of the Russian Federation but that, through somebody's actions, have become unreachable directly through your provider. Access to other resources obtained as a result of the article's actions is an unfortunate side effect and is by no means the purpose of the article.
Also, since by profession and in life I am mainly a network architect, programming and Linux are not my strong points. Naturally, therefore, the scripts could be written more properly, the security of the VPS could be handled more thoroughly, and so on. Your suggestions, if sufficiently detailed, will be gratefully accepted and added to the body of the article.
TL;DR
We use a copy of the registry and the BGP protocol to automate access to resources through an existing tunnel. The goal is to push all traffic destined for blocked resources into the tunnel. Minimal explanation, mostly step-by-step instructions.
What is needed for this?
Unfortunately, this post is not for everyone. To use this technique, several elements have to come together:
- A Linux server somewhere outside the blocking zone. Or at least the wish to get such a server; fortunately, nowadays it costs $9 a year, or even less. The method also works if you already have a separate VPN tunnel, in which case the server can even sit inside the blocking zone.
- A router smart enough to do the following:
  - any VPN client (I prefer OpenVPN, but PPTP, L2TP, GRE+IPSec or any other option that creates a tunnel interface will do);
  - the BGPv4 protocol. That is, for SOHO this may be a Mikrotik, or a router with OpenWRT/LEDE/similar custom firmware on which Quagga or Bird can be installed. Nobody forbids using a PC as a router either. For an enterprise, look for BGP support in your border router's documentation.
- You need to know how to use Linux and understand networking technologies, including the BGP protocol. Or at least want to get some idea of them. Since I am not ready to embrace the immense this time, you will have to study the parts you don't understand on your own. But of course I'll answer specific questions in the comments, and I probably won't be the only one answering, so don't hesitate to ask.
What is used in the examples
- Copy of the registry: https://github.com/zapret-info/z-i
- VPS: Ubuntu 16.04
- Routing service: Bird 1.6.3
- Router: Mikrotik hAP ac
- Working folders: we work as root, so most things live in root's home folder. Accordingly:
  - /root/blacklist - working folder with the build script
  - /root/z-i - copy of the registry from github
  - /etc/bird - the standard folder for the Bird service configuration
- The external IP address of the VPS, which hosts the routing server and the tunnel termination point, is 194.165.22.146, ASN 64998. The router's external IP address is 81.177.103.94, ASN 64999.
- The IP addresses inside the tunnel are 172.30.1.1 and 172.30.1.2 respectively.
Of course, you can use other routers, operating systems and software products, adapting the solution to their logic.
The logic of the solution, briefly
- Preparatory actions:
  - get a VPS
  - establish a tunnel from the router to the VPS
- Obtain a copy of the registry and update it regularly
- Install and configure the routing service
- Build a list of static routes for the routing service based on the registry
- Configure the router to connect to the service and send all traffic through the tunnel
The actual solution
Preparatory actions
There are many services on the Internet that offer a VPS at very reasonable prices. So far I have found and am using an option for $9 a year, but if you are not too picky, there are plenty of options for 1 € a month. The question of choosing a VPS goes far beyond the scope of this article, so if something about it is unclear, ask in the comments.
If the VPS is used not only for the routing service but also to terminate the tunnel, you will need to set up that tunnel and almost certainly configure NAT. There are many instructions for these operations on the Internet, and I won't repeat them here. The main requirement for such a tunnel is that a separate interface carrying the tunnel to the VPS must exist on the router. Most VPN technologies in use satisfy this requirement; for example, OpenVPN in tun mode is perfect.
Obtaining a copy of the registry
As Jabrail said, "whoever hinders us will help us". Since RKN is building a registry of banned resources, it would be a sin not to use that registry to solve our problem. We will get a copy of the registry from github.
Go to the Linux server, into the root context (sudo su -), and install git if it is not installed yet:
apt install git
Go to the home directory and pull a copy of the registry:
cd ~ && git clone --depth=1 https://github.com/zapret-info/z-i
Set up updating via cron (I run it once every 20 minutes, but you can choose any interval). To do this, run crontab -e and add the following line:
*/20 * * * * cd ~/z-i && git pull && git gc
Attach a hook that builds the files for the routing service after the registry is updated. To do this, create the file /root/z-i/.git/hooks/post-merge with the following content:
#!/usr/bin/env bash
# post-merge runs after every "git pull" that actually merged new commits.
# List the files changed between the previous HEAD and the new one.
changed_files="$(git diff-tree -r --name-only --no-commit-id ORIG_HEAD HEAD)"
# check_run FILE COMMAND: run COMMAND only if FILE is among the changed files.
check_run() {
echo "$changed_files" | grep --quiet "$1" && eval "$2"
}
# Rebuild the Bird lists only when the registry dump itself changed.
check_run dump.csv "/root/blacklist/makebgp"
Don't forget to make it executable:
chmod +x /root/z-i/.git/hooks/post-merge
The makebgp script that the hook refers to will be created later.
Installing and configuring the routing service
Install Bird. Unfortunately, the version of Bird currently in the Ubuntu repository rivals an archaeopteryx in freshness, so first the software developer's official PPA has to be added to the system:
add-apt-repository ppa:cz.nic-labs/bird
apt update
apt install bird
After that, immediately disable Bird for IPv6; it is not needed in this installation:
systemctl stop bird6
systemctl disable bird6
Below is a minimal Bird service configuration file (/etc/bird/bird.conf) that is sufficient for us (and once again, let me remind you that no one forbids you from developing and adapting the idea to your own needs):
log syslog all;
router id 172.30.1.1;
protocol kernel {
scan time 60;
import none;
# export all; # Actually insert routes into the kernel routing table
}
protocol device {
scan time 60;
}
protocol direct {
interface "venet*", "tun*"; # Restrict network interfaces it works with
}
protocol static static_bgp {
import all;
include "pfxlist.txt"; # prefixes from the registry, generated by makebgp
#include "iplist.txt"; # single /32 addresses; large, enable only once the router copes
}
protocol bgp OurRouter {
description "Our Router";
neighbor 81.177.103.94 as 64999;
import none;
export where proto = "static_bgp";
local as 64998;
passive off;
multihop;
}
router id is the router identifier. It looks like an IPv4 address but is not an IPv4 address. In this example any 32-bit number in IPv4 address notation can be used, but good form is to give exactly the IPv4 address of the device (in this case the VPS).
protocol direct defines which interfaces the routing process will work with. The example shows a few name patterns; you can add others. This line can also simply be removed, in which case the server will listen on all available interfaces that have an IPv4 address.
protocol static is the magic that loads the list of prefixes and IP addresses (which in fact are /32 prefixes, of course) from files for later announcement. Where these lists come from is explained below. Note that loading of IP addresses is commented out by default; the reason is the sheer volume. For comparison, at the time of writing the prefix list has 78 lines and the IP address list has 85898. I strongly recommend starting with the prefix list only and deciding later, after trying it on your router, whether to enable loading of the IPs. Not every router can easily digest 85 thousand entries in its routing table.
protocol bgp actually sets up BGP peering with the router. The IP address is the address of the router's external interface (or of the tunnel interface on the router side), and 64998 and 64999 are autonomous system numbers. In this case they can be any 16-bit numbers, but good form is to use AS numbers from the private range defined in RFC 6996: 64512 to 65534 (there is also a format for 32-bit ASNs, but in our case it is clearly overkill). The described configuration uses eBGP peering, so the autonomous system numbers of the routing service and of the router must differ.
As you can see, the service needs to know the router's IP address, so if you have a dynamic address or a non-routable private (RFC 1918) or shared (RFC 6598) address, there is no option to establish peering over the external interface; the service will, however, work just as well inside the tunnel.
It should also be obvious that one service can provide routes to several different routers; just duplicate the settings by copying the protocol bgp section and changing the neighbor router's IP address. For this reason the example shows the most general configuration, peering outside the tunnel. By changing the IP addresses in the configuration, it can easily be moved inside the tunnel.
Processing the registry by the routing service
Now we actually need to build the lists of prefixes and IP addresses referred to by protocol static in the previous step. To do this we take the registry file and build the files we need from it with the following script, /root/blacklist/makebgp:
#!/bin/bash
# Field 1 of dump.csv holds the addresses/prefixes of a record, separated by "|".
# Take that field, put every entry on its own line and strip spaces.
cut -d";" -f1 /root/z-i/dump.csv | tr '|' '\n' | tr -d ' ' > /root/blacklist/tmpaddr.txt
# Entries containing "/" are CIDR prefixes: turn each into a Bird reject route.
cat /root/blacklist/tmpaddr.txt | grep / | sed 's_.*_route & reject;_' > /etc/bird/pfxlist.txt
# Every remaining bare IPv4 address becomes a /32 reject route (deduplicated).
cat /root/blacklist/tmpaddr.txt | sort | uniq | grep -v / | grep -Eo "([0-9]{1,3}[.]){3}[0-9]{1,3}" | sed 's_.*_route &/32 reject;_' > /etc/bird/iplist.txt
# Make Bird re-read its configuration (see UPD4: systemctl reload bird is the better choice).
/etc/init.d/bird reload
logger 'bgp list compiled'
Don't forget to make it executable:
chmod +x /root/blacklist/makebgp
Now it can be run by hand, and you can watch the files appear in /etc/bird.
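As an added example (not the author's script), here is the same transformation in Python with a sanity check the shell version lacks: it splits the first field of dump.csv on "|", separates CIDR prefixes from single hosts (kept as /32), deduplicates, and drops entries that are malformed, that overlap private/shared/reserved space (RFC 1918, RFC 6598 and their neighbours) or that are broader than a /8. Without such a check, a single stray 0.0.0.0/0 or 10.0.0.0/8 in the registry would send everything, including the LAN, into the tunnel. The sample dump lines, the /8 threshold and the bogon list are my assumptions, not registry content; only the 54.160.0.0/12 prefix is taken from the page.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Iterable, List, Set

# Constructed sample in the layout of z-i's dump.csv: ";"-separated fields, the first
# field holding one or more addresses/prefixes joined by " | ". Real dumps are ~85k
# lines and begin with an "Updated:" header line. Authorities and decision ids are fake.
SAMPLE_DUMP = """\
Updated: 2018-04-19 12:00:00 +0300
54.160.0.0/12;;;example-authority;27-31-2018;2018-04-16
192.0.2.10 | 192.0.2.11;example.com;http://example.com/page;example-authority;2-6-27/2018;2018-04-17
198.51.100.7;example.net;;example-authority;123/2018;2018-04-18
192.0.2.10;example.org;;example-authority;124/2018;2018-04-18
10.0.0.0/8;;;example-authority;125/2018;2018-04-18
0.0.0.0/0;;;example-authority;126/2018;2018-04-18
not-an-address;example.invalid;;example-authority;127/2018;2018-04-18
"""

# Assumption: ranges a reject route must never cover, because the router would then
# lose its LAN, the tunnel endpoints or its provider's CGNAT space:
# RFC 1918, RFC 6598 shared space, loopback, link-local, 0/8, multicast, class E.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]
MIN_PREFIX_LEN = 8  # assumption: anything shorter than a /8 is treated as a registry error


@dataclass
class RouteLists:
    prefixes: Set[ipaddress.IPv4Network] = field(default_factory=set)  # -> pfxlist.txt
    hosts: Set[ipaddress.IPv4Network] = field(default_factory=set)     # -> iplist.txt
    dropped: List[str] = field(default_factory=list)                   # for the log


def sane(net: ipaddress.IPv4Network) -> bool:
    """True unless the prefix is too broad or overlaps a bogon range."""
    if net.prefixlen < MIN_PREFIX_LEN:
        return False
    return not any(net.overlaps(b) for b in BOGONS)


def parse_dump(text: str) -> RouteLists:
    """Split dump.csv into CIDR prefixes and single hosts, dropping junk entries."""
    out = RouteLists()
    for line in text.splitlines():
        if not line.strip() or line.startswith("Updated:"):
            continue
        for token in line.split(";", 1)[0].split("|"):
            token = token.strip()
            if not token:
                continue
            try:
                net = ipaddress.ip_network(token, strict=False)  # bare host -> /32
            except ValueError:
                out.dropped.append(token)
                continue
            if net.version != 4 or not sane(net):
                out.dropped.append(token)
                continue
            (out.hosts if net.prefixlen == 32 else out.prefixes).add(net)
    return out


def bird_routes(nets: Iterable[ipaddress.IPv4Network]) -> str:
    """Render Bird static reject routes, sorted so successive files diff cleanly."""
    return "".join(f"route {n.with_prefixlen} reject;\n" for n in sorted(nets))


if __name__ == "__main__":
    lists = parse_dump(SAMPLE_DUMP)
    # In the real hook these two strings would be written to /etc/bird/pfxlist.txt
    # and /etc/bird/iplist.txt before reloading Bird.
    print(bird_routes(lists.prefixes), end="")
    print(bird_routes(lists.hosts), end="")
    print("dropped:", lists.dropped)
```

Wired into the hook in place of makebgp, the two rendered strings go to /etc/bird/pfxlist.txt and /etc/bird/iplist.txt and the dropped list goes to syslog, so that junk in the registry is noticed rather than silently installed as a route.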
Bird is probably not working yet, since in the previous step it was told to look for files that did not yet exist. So let's start it and make sure it has started:
systemctl start bird
birdc show route
The output of the second command should show about 80 records like the following (that is for now; when you set it up, everything will depend on how zealously RKN is blocking networks):
54.160.0.0/12 unreachable [static_bgp 2018-04-19] * (200)
The command
birdc show protocol
shows the status of the protocols in the service. Until the router is configured (see the next point), the OurRouter protocol will be in the start state (Connect or Active phase); after a successful connection it will go to the up state (Established phase). For example, on my system the output of this command looks like this:
BIRD 1.6.3 ready.
name proto table state since info
kernel1 Kernel master up 2018-04-19
device1 Device master up 2018-04-19
static_bgp Static master up 2018-04-19
direct1 Direct master up 2018-04-19
RXXXXXx1 BGP master up 13:10:22 Established
RXXXXXx2 BGP master up 2018-04-24 Established
RXXXXXx3 BGP master start 2018-04-22 Connect Socket: Connection timed out
RXXXXXx4 BGP master up 2018-04-24 Established
RXXXXXx5 BGP master start 2018-04-24 Passive
Connecting the router
Everyone is probably tired of reading this long screed, but take heart, the end is near. Moreover, I cannot describe the exact steps in this section, since they differ from vendor to vendor.
A few examples can be shown, though. The main logic is to establish BGP peering and set the next hop for all received prefixes either to the tunnel interface (if traffic has to be sent over a point-to-point interface) or to the IP address of the next hop if the traffic leaves over Ethernet.
For example, on a Mikrotik running RouterOS this is solved like this:
/routing bgp instance set default as=64999 ignore-as-path-len=yes router-id=172.30.1.2
/routing bgp peer add in-filter=dynamic-in multihop=yes name=VPS remote-address=194.165.22.146 remote-as=64998 ttl=default
/routing filter add action=accept chain=dynamic-in protocol=bgp comment="Set nexthop" set-in-nexthop=172.30.1.1
And on Cisco IOS, like this:
router bgp 64999
neighbor 194.165.22.146 remote-as 64998
neighbor 194.165.22.146 route-map BGP_NEXT_HOP in
neighbor 194.165.22.146 ebgp-multihop 250
!
route-map BGP_NEXT_HOP permit 10
set ip next-hop 172.30.1.1
If the same tunnel is used both for BGP peering and for carrying the useful traffic, the next hop does not need to be set; the protocol will set it correctly. Setting it by hand won't make things worse, though.
On other platforms you will have to work out the configuration yourself, but if you run into problems, write in the comments and I'll try to help.
Once the BGP session is up, routes to large networks arrive and are installed in the table, traffic flows to those addresses and happiness is near, you can go back to the bird service, try uncommenting the entry for the list of IP addresses there, and after that run
systemctl reload bird
and see how the router copes with those 85 thousand routes. Just in case, be ready to pull the plug and think about whether you really need this :)
Summary
Purely theoretically, after completing the steps above you get a service that automatically redirects traffic to IP addresses banned in the Russian Federation past the filtering system.
Of course, it can be improved. For example, it is quite easy to summarize the list of IP addresses with a Perl or Python solution. A simple Perl script doing this with Net::CIDR::Lite turns 85 thousand prefixes into 60 (not thousand), but of course it then covers a far wider range of addresses than the blocked ones alone.
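As an added example (not the author's Perl script), the summarization step in Python's standard ipaddress module, the other language the author mentions. collapse_addresses merges adjacent blocks and drops blocks already covered by a larger one, so the route count falls but the set of covered addresses stays exactly the same; this is the lossless variant, as opposed to a summarization that widens coverage the way the author describes. The sample entries are constructed and shaped like the generated Bird lists.

```python
import ipaddress
from typing import Iterable, List

# Constructed sample in the shape of the generated IP/prefix lists: four consecutive
# hosts, one isolated host, and a /24 that already contains two listed hosts.
SAMPLE_ENTRIES = [
    "192.0.2.4", "192.0.2.5", "192.0.2.6", "192.0.2.7",   # mergeable into 192.0.2.4/30
    "198.51.100.9",                                        # stays a /32
    "203.0.113.0/24", "203.0.113.20", "203.0.113.200",     # hosts absorbed by the /24
]


def to_networks(entries: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Hosts without a mask become /32 networks, exactly as in iplist.txt."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def aggregate(entries: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Lossless aggregation: merge adjacent blocks and drop blocks covered by others."""
    return list(ipaddress.collapse_addresses(to_networks(entries)))


def covered_addresses(entries: Iterable[str]) -> int:
    """Number of distinct addresses the list covers; proves the aggregation is exact."""
    return len({a for n in to_networks(entries) for a in n})


def bird_routes(nets: Iterable[ipaddress.IPv4Network]) -> str:
    """Render the aggregated list as Bird static reject routes."""
    return "".join(f"route {n.with_prefixlen} reject;\n" for n in nets)


if __name__ == "__main__":
    before, after = to_networks(SAMPLE_ENTRIES), aggregate(SAMPLE_ENTRIES)
    print(f"{len(before)} entries -> {len(after)} routes, "
          f"{covered_addresses(SAMPLE_ENTRIES)} addresses covered before and after")
    print(bird_routes(after), end="")
```

On the real 85-thousand-line list the same call shrinks the table without ever adding an address the registry did not contain, which is the property to check before enabling the IP list on a small router.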
Since the service operates at layer 3 of the ISO/OSI model, it cannot bypass the blocking of a site/page if that site resolves to a wrong address recorded in the registry. However, along with the registry, the nxdomain.txt file arrives from github, and with a couple of script runs it easily turns into an address source for, say, the SwitchyOmega plugin in Chrome.
It should also be mentioned that if you are not only an Internet user but also publish resources yourself (for example a website or mail server running over this connection), the solution needs further refinement. By router means, you must strictly bind the outgoing traffic of such a service to the public address; otherwise the router will lose connectivity with the resources included in the received prefix list.
If you have questions, I'll be glad to answer them at any time.
UPD. Thank you.
UPD2. Judging by the reactions, it was a mistake not to include instructions for setting up the tunnel between the VPS and the router in the article. This has raised many questions.
Just in case, let me stress once more that before starting this guide you should already have a VPN tunnel set up in the required direction and have verified that it works (for example, by directing traffic into it by default or statically). If that phase has not been completed yet, following the steps of this article makes little sense. I don't have my own text on this yet, but if you search Google for "OpenVPN server setup" plus the name of the operating system installed on the VPS, and "OpenVPN client setup" plus the name of your router, you will find many articles on the topic, including on Habr.
UPD3.
UPD4. A few errors corrected (not added to the main text):
1) Instead of /etc/init.d/bird reload it makes more sense to use the command systemctl reload bird.
2) On the Mikrotik router, instead of changing the next hop to the IP of the other end of the tunnel with /routing filter add action=accept chain=dynamic-in protocol=bgp comment="Set nexthop" set-in-nexthop=172.30.1.1, it is more reasonable to point the route directly at the tunnel interface without specifying an address: /routing filter add action=accept chain=dynamic-in protocol=bgp comment="Set nexthop" set-in-nexthop-direct=<interface name>
UPD5. A new service has appeared.
And at this point, probably, it is enough to cross oneself and finish updating the article.
UPD6. A reworked version of this article for those who don't want to understand but want to get started -
Source: habr.com