Kufunika koletsa maulendo kuzinthu zoletsedwa kumakhudza woyang'anira aliyense yemwe angaimbidwe mlandu wolephera kutsatira malamulo kapena malamulo a maboma okhudzidwa.
Chifukwa chiyani kubwezeretsanso gudumu pomwe pali mapulogalamu apadera ndi magawo ogawa ntchito zathu, mwachitsanzo: Zeroshell, pfSense, ClearOS.
Oyang'anira anali ndi funso lina: Kodi zomwe zagwiritsidwa ntchito zili ndi satifiketi yachitetezo yochokera kudziko lathu?
Tinali ndi chidziwitso chogwira ntchito ndi magawo otsatirawa:
- Zeroshell - Madivelopa adapereka chilolezo chazaka 2, koma zidapezeka kuti zida zogawa zomwe tidakondwera nazo, mopanda nzeru, zidatichitira ntchito yovuta;
- pfSense - ulemu ndi ulemu, nthawi yomweyo wotopetsa, kuzolowera mzere wolamula wa FreeBSD firewall ndipo sizoyenera kwa ife (ndikuganiza kuti ndi chizolowezi, koma zidakhala njira yolakwika);
- ClearOS - pazida zathu zidakhala zochedwa kwambiri, sitinathe kuyesedwa kwambiri, ndiye chifukwa chiyani mawonekedwe olemetsa chonchi?
- Ideco SELECTA. Chogulitsa cha Ideco ndi kukambirana kosiyana, chinthu chosangalatsa, koma pazifukwa zandale osati za ife, ndikufunanso "kuwaluma" za chilolezo cha Linux, Roundcube, ndi zina zotero. Adazitenga kuti ganizo loti podula mawonekedwe Python ndipo pochotsa ufulu wa ogwiritsa ntchito apamwamba, atha kugulitsa chinthu chomalizidwa chopangidwa ndi ma module opangidwa ndi osinthidwa kuchokera pagulu la intaneti lomwe limagawidwa pansi pa GPL&etc.
Ndikumvetsetsa kuti tsopano mawu omveka olakwika adzatsanuliridwa m'njira yanga ndi zofuna kuti nditsimikizire momwe ndikumvera mwatsatanetsatane, koma ndikufuna kunena kuti node iyi yapaintaneti ndi njira yoyendetsera magalimoto a 4 kunja kwa intaneti, ndipo njira iliyonse ili ndi makhalidwe ake. . Mwala wina wapangodya unali kufunikira kwa imodzi mwama intaneti angapo kuti igwire ntchito m'malo osiyanasiyana, ndipo I okonzeka vomerezani kuti ma VLAN angagwiritsidwe ntchito kulikonse komwe kuli kofunikira osati kofunikira osakonzeka. Pali zida zomwe zimagwiritsidwa ntchito monga TP-Link TL-R480T + - sizimachita bwino, makamaka, ndi mawonekedwe awo. Zinali zotheka kukonza gawo ili pa Linux chifukwa cha tsamba lovomerezeka la Ubuntu . Komanso, njira iliyonse imatha "kugwa" nthawi iliyonse, komanso kuwuka. Ngati muli ndi chidwi ndi script yomwe ikugwira ntchito pano (ndipo izi ndizoyenera kusindikizidwa mosiyana), lembani mu ndemanga.
Yankho lomwe likuganiziridwa silikunena kuti ndi lapadera, koma ndikufuna kufunsa funso: "Chifukwa chiyani bizinesi iyenera kuzolowera zinthu zokayikitsa za gulu lachitatu zomwe zili ndi zofunika kwambiri pa hardware pomwe njira ina ingaganizidwe?"
Ngati mu Russian Federation pali mndandanda wa Roskomnadzor, ku Ukraine pali chowonjezera pa Chisankho cha National Security Council (mwachitsanzo. ), ndiye kuti atsogoleri amderalo nawonso samagona. Mwachitsanzo, tinapatsidwa mndandanda wa malo oletsedwa omwe, mwa lingaliro la oyang'anira, amalepheretsa zokolola kuntchito.
Kulankhulana ndi anzako m'mabizinesi ena, komwe mwachisawawa malo onse amaletsedwa ndipo pokhapokha mutapempha ndi chilolezo cha bwana mungathe kupeza malo enieni, kumwetulira mwaulemu, kuganiza ndi "kusuta pa vutoli", tinazindikira kuti moyo. akadali bwino ndipo tinayamba kufufuza kwawo.
Pokhala ndi mwayi osati kungowona zomwe amalemba mu "mabuku a amayi apakhomo" ponena za kusefa kwa magalimoto, komanso kuti tiwone zomwe zikuchitika pamayendedwe a othandizira osiyanasiyana, tawona maphikidwe otsatirawa (zithunzi zilizonse ndizochepa, chonde kumvetsetsa pofunsa):
Wopatsa 1
- sichikuvutitsa ndikuyika ma seva ake a DNS ndi seva yowonetsera yowonekera. Chabwino? .. koma tili ndi mwayi wofikira komwe timafunikira (ngati tikuzifuna :))
Wopatsa 2
- amakhulupirira kuti wothandizira wake wamkulu ayenera kuganiza za izi, thandizo laukadaulo la wopereka wamkulu adavomereza chifukwa chomwe sindingathe kutsegula tsamba lomwe ndimafunikira, lomwe silinali loletsedwa. Ndikuganiza kuti chithunzicho chidzakusangalatsani :)
Monga momwe zinakhalira, amamasulira mayina a malo oletsedwa kukhala ma adilesi a IP ndikuletsa IP yokha (sakuvutitsidwa ndi mfundo yakuti adilesi iyi ya IP ikhoza kulandira malo 20).
Wopatsa 3
- amalola magalimoto kupita kumeneko, koma samalola kubwerera m'njira.
Wopatsa 4
- imaletsa chinyengo chilichonse chokhala ndi mapaketi mbali yomwe yatchulidwa.
Zoyenera kuchita ndi VPN (kulemekeza msakatuli wa Opera) ndi mapulagini osatsegula? Kusewera ndi node Mikrotik poyamba, tidakhala ndi njira yopangira L7, yomwe pambuyo pake tinayenera kuisiya (pakhoza kukhala mayina oletsedwa, zimakhala zomvetsa chisoni pamene, kuwonjezera pa maudindo ake enieni a njira, pa 3 dazeni. mawu omwe purosesa ya PPC460GT imapita ku 100 %).
.
Zomwe zidadziwika:
DNS pa 127.0.0.1 si njira yothetsera vutoli; asakatuli amakono amakulolani kuti mulambalale zovuta zotere. Ndikosatheka kuletsa ogwiritsa ntchito onse kuti achepetse ufulu, ndipo tisaiwale za kuchuluka kwa DNS ina. Intaneti siimaima, ndipo kuwonjezera pa maadiresi atsopano a DNS, malo oletsedwa amagula maadiresi atsopano, kusintha madera apamwamba, ndipo akhoza kuwonjezera / kuchotsa khalidwe mu adiresi yawo. Koma ali ndi ufulu wokhala ndi moyo monga:
ip route add blackhole 1.2.3.4Zingakhale zothandiza kupeza mndandanda wa ma adilesi a IP pamndandanda wamawebusayiti oletsedwa, koma pazifukwa zomwe tafotokozazi, tidapitilira kumalingaliro a Iptables. Panali kale zowerengera zamoyo pa CentOS Linux kutulutsa 7.5.1804.
Intaneti ya wogwiritsa ntchitoyo iyenera kukhala yachangu, ndipo Wosakatula sayenera kudikirira theka la miniti, kutsimikizira kuti tsamba ili silikupezeka. Pambuyo pofufuza kwa nthawi yayitali, tinafika pa chitsanzo ichi:
Fayilo 1 -> /script/denied_host, mndandanda wa mayina oletsedwa:
test.test
blablabla.bubu
torrent
pornoFayilo 2 -> /script/denied_range, mndandanda wamaadiresi oletsedwa ndi ma adilesi:
192.168.111.0/24
241.242.0.0/16Script wapamwamba 3 -> ipt.shkugwira ntchito ndi zithunzi:
# ΡΡΠΈΡΡΠ²Π°Π΅ΠΌ ΠΏΠΎΠ»Π΅Π·Π½ΡΡ ΠΈΠ½ΡΠΎΡΠΌΠ°ΡΠΈΡ ΠΈΠ· ΠΏΠ΅ΡΠ΅ΡΠ½Π΅ΠΉ ΡΠ°ΠΉΠ»ΠΎΠ²
HOSTS=`cat /script/denied_host | grep -v '^#'`
RANGE=`cat /script/denied_range | grep -v '^#'`
echo "Stopping firewall and allowing everyone..."
# ΡΠ±ΡΠ°ΡΡΠ²Π°Π΅ΠΌ Π²ΡΠ΅ Π½Π°ΡΡΡΠΎΠΉΠΊΠΈ iptables, ΡΠ°Π·ΡΠ΅ΡΠ°Ρ ΡΠΎ ΡΡΠΎ Π½Π΅ Π·Π°ΠΏΡΠ΅ΡΠ΅Π½ΠΎ
sudo iptables -F
sudo iptables -X
sudo iptables -t nat -F
sudo iptables -t nat -X
sudo iptables -t mangle -F
sudo iptables -t mangle -X
sudo iptables -P INPUT ACCEPT
sudo iptables -P FORWARD ACCEPT
sudo iptables -P OUTPUT ACCEPT
#ΡΠ΅ΡΠ°Π΅ΠΌ ΠΎΠ±Π½ΠΎΠ²ΠΈΡΡ ΠΈΠ½ΡΠΎΡΠΌΠ°ΡΠΈΡ ΠΎ ΠΌΠ°ΡΡΡΡΡΠ°Ρ
(ΠΎΡΠΎΠ±Π΅Π½Π½ΠΎΡΡΡ Π½Π°ΡΠ΅ΠΉ Π°ΡΡ
ΠΈΡΠ΅ΠΊΡΡΡΡ)
sudo sh rout.sh
# ΡΠΈΠΊΠ»ΠΈΡΠ΅ΡΠΊΠΈ ΠΎΠ±ΡΠ°Π±Π°ΡΡΠ²Π°Ρ ΠΊΠ°ΠΆΠ΄ΡΡ ΡΡΡΠΎΠΊΡ ΡΠ°ΠΉΠ»Π° ΠΏΡΠΈΠΌΠ΅Π½ΡΠ΅ΠΌ ΠΏΡΠ°Π²ΠΈΠ»ΠΎ Π±Π»ΠΎΠΊΠΈΡΠΎΠ²ΠΊΠΈ ΡΡΡΠΎΠΊΠΈ
for i in $HOSTS; do
sudo iptables -I FORWARD -m string --string $i --algo bm --from 1 --to 600 -p tcp -j REJECT --reject-with tcp-reset;
sudo iptables -I FORWARD -m string --string $i --algo bm --from 1 --to 600 -p udp -j DROP;
done
# ΡΠΈΠΊΠ»ΠΈΡΠ΅ΡΠΊΠΈ ΠΎΠ±ΡΠ°Π±Π°ΡΡΠ²Π°Ρ ΠΊΠ°ΠΆΠ΄ΡΡ ΡΡΡΠΎΠΊΡ ΡΠ°ΠΉΠ»Π° ΠΏΡΠΈΠΌΠ΅Π½ΡΠ΅ΠΌ ΠΏΡΠ°Π²ΠΈΠ»ΠΎ Π±Π»ΠΎΠΊΠΈΡΠΎΠ²ΠΊΠΈ Π°Π΄ΡΠ΅ΡΠ°
for i in $RANGE; do
sudo iptables -I FORWARD -p UDP -d $i -j DROP;
sudo iptables -I FORWARD -p TCP -d $i -j REJECT --reject-with tcp-reset;
done
Kugwiritsiridwa ntchito kwa sudo ndi chifukwa chakuti tili ndi kuthyolako pang'ono kwa kuyang'anira kudzera pa WEB mawonekedwe, koma monga momwe tawonetsera pakugwiritsa ntchito chitsanzo chotero kwa chaka choposa, WEB siyofunika kwambiri. Pambuyo pakukhazikitsa, panali chikhumbo chowonjezera mndandanda wamasamba ku database, ndi zina. Chiwerengero cha makamu otsekedwa ndi opitilira 250 + malo khumi ndi awiri. Pali vuto pamene mukupita kutsamba kudzera pa kugwirizana kwa https, monga woyang'anira dongosolo, ndili ndi madandaulo okhudza osatsegula :), koma izi ndizochitika zapadera, zambiri zomwe zimayambitsa kusowa mwayi wopeza gwero zidakali kumbali yathu. , timalepheretsanso Opera VPN ndi mapulagini monga friGate ndi telemetry kuchokera ku Microsoft.
Source: www.habr.com