Okay, "beloved" is an exaggeration. Rather, "could coexist with".
As you know, since April 16, 2018, Roskomnadzor has been blocking Internet access with extraordinary vigour, adding to the "Unified Registry of domain names, website page indexes and network addresses that allow identifying websites on the Internet containing information whose distribution is prohibited in the Russian Federation" (hereinafter, the registry) whole /10 networks at times. As a result, citizens of the Russian Federation and businesses are suffering, having lost access to legitimate resources they need.
After I mentioned in a comment on one of the Habr articles that I was ready to help the victims set up a bypass scheme, several people came to me asking for exactly that. When everything worked for them, one of them suggested describing the method in an article. After some thought, I decided to break my silence on the site and try, for once, to write something halfway between a project and a Facebook post, i.e. a Habr post. The result is before you.
Disclaimer
Since publishing methods for bypassing the blocking of information prohibited in the territory of the Russian Federation is not entirely legal, the purpose of this article is to describe a method that lets you automate access to resources that are permitted in the territory of the Russian Federation but, because of someone's actions, are no longer reachable directly through your provider. Gaining access to other resources as a result of the actions described in the article is an unfortunate side effect and is not the purpose of the article.
Also, since I am by trade a network architect and operator, and programming and Linux are not my strong suits, the scripts could certainly be written better, the security issues on the VPS could be handled more thoroughly, and so on. Your suggestions will be received with gratitude; if they are reasonable enough, I will gladly add them to the text of the article.
TL;DR
We set up access to resources through an already existing tunnel using a copy of the registry and the BGP protocol. The goal is to push all traffic to blocked resources into the tunnel. Minimal explanation, mostly step-by-step instructions.
What do you need for this?
Unfortunately, this post is not for everyone. To use this technique, you need a combination of several things:
You need a Linux server somewhere outside the blocking zone. Or at least the desire to have one; fortunately, such a server now costs $9/year, and possibly less. The method is also suitable if you already have a separate VPN tunnel; in that case the server can be inside the blocking zone.
Any VPN client you like (I prefer OpenVPN, but it can be PPTP, L2TP, GRE+IPSec or any other technique that creates a tunnel interface);
A router with BGPv4 support. For SOHO this can be a Mikrotik or any router with OpenWRT/LEDE or similar firmware that lets you install Quagga or Bird. Using a PC as the router is not forbidden either. For a business, check for BGP support in the documentation of your border router.
You need to understand the basics of Linux administration and networking technologies, including the BGP protocol. Or at least the desire to acquire such an understanding. Since I am not ready to cover everything this time, you will have to study some of the things you don't understand on your own. However, I will of course answer specific questions in the comments, and I will probably not be the only one answering, so don't hesitate to ask.
/root/blacklist - the working directory for the scripts and the include files they generate
/root/zi - the copy of the registry from github
/etc/bird - the default directory for bird configuration
The external IP address of the VPS with the routing service and the tunnel termination point is 194.165.22.146, ASN 64998; the external IP address of the router is 81.177.103.94, ASN 64999
The IP addresses inside the tunnel are 172.30.1.1 and 172.30.1.2, respectively.
Of course, you can use any other routers, operating systems and software products, adapting the solution to their logic.
Briefly - the idea of the solution
Preparatory actions
Obtaining a VPS
Bringing up a tunnel from the router to the VPS
Obtaining and regularly updating a copy of the registry
Installing and configuring the routing service
Generating a list of static routes for the routing service based on the registry
Connecting the router to the service and configuring it to send all that traffic through the tunnel.
The actual procedure
Preparatory actions
There are many services on the Internet offering VPS at very attractive prices. At the moment I have found and use an option for $9/year, but even if you don't look very hard, there are plenty of offers at €1/month on every corner. The question of choosing a VPS is far beyond the scope of this article, so if someone doesn't understand something here, ask in the comments.
If you use the VPS not only for the routing service but also to terminate the tunnel, you need to bring up that tunnel and, most likely, configure NAT. There are plenty of instructions for this on the Internet; I won't repeat them here. The main requirement for such a tunnel is that it must create a separate interface on your router that leads through the tunnel to the VPS. The most widely used VPN technologies satisfy this; for example, OpenVPN in tun mode is fine.
Obtaining a copy of the registry
As Jabrail said, "Whoever hinders us will help us." Since RKN is compiling a registry of prohibited resources, it would be a sin not to use that registry to solve our problem. We will get a copy of the registry from github.
Go to your Linux server, drop into root (sudo su -) and install git if it is not installed yet.
apt install git
Go to the home directory and pull a copy of the registry.
cd ~ && git clone --depth=1 https://github.com/zapret-info/z-i
Set up updates in cron (I do it once every 20 minutes, but you can pick any interval that suits you). To do this, run crontab -e and add the following line to it:
*/20 * * * * cd ~/z-i && git pull && git gc
Connect a hook that generates the files for the routing service after the registry has been updated. To do this, create the file /root/zi/.git/hooks/post-merge with the following content:
Create the makebgp script that the hook calls afterwards.
Installing and configuring the routing service
Install bird. Unfortunately, the bird version currently in the Ubuntu repositories resembles fresh Archaeopteryx droppings, so we first need to add the official PPA of the software's developers.
Below is a minimal bird configuration file (/etc/bird/bird.conf), which is quite enough for us (and I remind you once again that nobody forbids developing and refining the solution to suit your needs)
log syslog all;
router id 172.30.1.1;

protocol kernel {
    scan time 60;
    import none;
#   export all;   # Actually insert routes into the kernel routing table
}

protocol device {
    scan time 60;
}

protocol direct {
    interface "venet*", "tun*"; # Restrict network interfaces it works with
}

protocol static static_bgp {
    import all;
    include "pfxlist.txt";
#   include "iplist.txt";
}

protocol bgp OurRouter {
    description "Our Router";
    neighbor 81.177.103.94 as 64999;
    import none;
    export where proto = "static_bgp";
    local as 64998;
    passive off;
    multihop;
}
router id is the router identifier, which looks like an IPv4 address but isn't one. In our case it can be any 32-bit number written in IPv4-address form, but it is good form to specify exactly the IPv4 address of your device (in this case, the VPS).
protocol direct specifies which interfaces the routing service will work with. The example gives a couple of sample names; you can add others. You can also simply remove this line; in that case the server listens on all available interfaces that have an IPv4 address.
protocol static is our magic: it loads the lists of prefixes and IP addresses (which are really /32 prefixes, yes) from files so that they can be announced. Where these lists come from is discussed below. Note that loading the IP addresses is commented out by default because of its sheer volume. For comparison, at the time of writing there are 78 lines in the prefix list and 85898 in the IP address list. The choice is yours, after testing your router. Not every one of them can comfortably digest 85 thousand entries in the routing table.
protocol bgp is what actually establishes BGP peering with your router. The IP address is the address of the router's external interface (or the address of the tunnel interface on the router side); 64998 and 64999 are the autonomous system numbers. In this case they can be any 16-bit numbers, but it is better to use AS numbers from the private range defined in RFC6996, 64512-65534 inclusive (there is also a 32-bit ASN format, but for our purposes that is overkill). The described configuration uses eBGP peering, in which the autonomous system numbers of the routing service and the router must differ.
As you can see, the service needs to know the router's IP address, so if you have a private (RFC1918) or shared (RFC6598) address, you will not be able to bring up peering on the external interface, but the service will still work inside the tunnel.
It is also clear that one service can feed routes to several different routers: just duplicate the configuration based on the protocol bgp section and change the neighbor's IP address. That is why the example shows the settings for peering outside the tunnel, as is most common in the world. It is easy to move it into the tunnel by changing the IP addresses in the configuration accordingly.
Preparing the route lists for the routing service
Now we actually need to generate the prefix list and the IP address list referenced in protocol static in the previous section. To do this, we take the registry file and generate the required files from it with the following script, placed in /root/blacklist/makebgp
The output of the second command should show about 80 entries (that is the current figure; by the time you set this up, everything will depend on the zeal with which RKN blocks networks), like this:
will show the state of the protocols inside the service. Until you configure the router (see the next section), the OurRouter protocol will be in the start state (Connect or Active phase), and after successful peering it will go up (Established phase). For example, on my system the output of this command looks like this:
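The makebgp script itself did not survive on this page, so here is an added example of my own, not the author's script, that does the same job in Python: it reads the first column of dump.csv (addresses separated by " | ") and renders pfxlist.txt and iplist.txt in the "route <prefix> reject;" form that the static protocol above includes. The sample registry lines are constructed, the "reject" nexthop and the cp1251 encoding are assumptions, and the optional summarize flag is an exact merge of adjacent prefixes (not the lossy 85k-to-60 summarization mentioned later in the post).

```python
import ipaddress
import sys

# Constructed sample in the dump.csv layout (not real registry content):
# first line is the "Updated:" stamp, then ';'-separated records whose first
# column holds zero or more addresses/prefixes separated by ' | '.
SAMPLE_DUMP = """Updated: 2018-04-19 12:00:00 +0300
192.0.2.10 | 192.0.2.11;example.org;http://example.org/page;Org;123;2018-04-01
198.51.100.0/24;;;Org;124;2018-04-02
198.51.100.7 | 192.0.2.10;dup.example;;Org;125;2018-04-03
2001:db8::1;v6.example;;Org;126;2018-04-04
;blocked-by-name.example;;Org;127;2018-04-05
"""

def parse_dump(text):
    """Collect IPv4 prefixes and single hosts (as /32) from column 1 of dump.csv."""
    prefixes, hosts = set(), set()
    for line in text.splitlines()[1:]:            # skip the "Updated:" line
        for token in line.split(";", 1)[0].split("|"):
            token = token.strip()
            if not token:
                continue                          # record is domain/URL only
            try:
                net = ipaddress.ip_network(token, strict=False)
            except ValueError:
                continue                          # malformed entry: ignore it
            if net.version != 4:
                continue                          # bird.conf above is IPv4 only
            (prefixes if "/" in token else hosts).add(net)
    return prefixes, hosts

def render(networks, summarize=False):
    """Render networks as BIRD static routes, one 'route <prefix> reject;' per line."""
    if summarize:                                 # exact merge of adjacent/nested prefixes
        networks = ipaddress.collapse_addresses(networks)
    return "".join(f"route {n} reject;\n" for n in sorted(set(networks)))

def make_lists(text, summarize=False):
    """Return (pfxlist, iplist); hosts already inside a listed prefix are dropped."""
    prefixes, hosts = parse_dump(text)
    hosts = {h for h in hosts if not any(h.subnet_of(p) for p in prefixes)}
    return render(prefixes, summarize), render(hosts, summarize)

if __name__ == "__main__":
    # Usage: makebgp.py /root/z-i/dump.csv /etc/bird  (the dir bird.conf includes from)
    with open(sys.argv[1], encoding="cp1251", errors="replace") as f:  # column 1 is ASCII
        pfx, ips = make_lists(f.read())
    for name, body in (("pfxlist.txt", pfx), ("iplist.txt", ips)):
        with open(f"{sys.argv[2]}/{name}", "w") as out:
            out.write(body)
```

After writing the files, reload bird as the post describes (UPD4 recommends birdc configure over systemctl reload bird) so the static protocol re-reads the includes.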
BIRD 1.6.3 ready.
name        proto    table    state  since       info
kernel1     Kernel   master   up     2018-04-19
device1     Device   master   up     2018-04-19
static_bgp  Static   master   up     2018-04-19
direct1     Direct   master   up     2018-04-19
RXXXXXx1    BGP      master   up     13:10:22    Established
RXXXXXx2    BGP      master   up     2018-04-24  Established
RXXXXXx3    BGP      master   start  2018-04-22  Connect     Socket: Connection timed out
RXXXXXx4    BGP      master   up     2018-04-24  Established
RXXXXXx5    BGP      master   start  2018-04-24  Passive
Connecting the router
Everyone is probably tired of reading this wall of text by now, but take heart, the end is near. Moreover, in this section I cannot give step-by-step instructions: it will be different for every vendor.
However, I can show you a couple of examples. The main idea is to bring up BGP peering and assign a nexthop to all received prefixes, pointing either at our tunnel interface (if we want to send the traffic through a p2p interface) or at the nexthop's IP address (if the traffic goes out over ethernet).
For example, on a Mikrotik running RouterOS this is solved like this
On other platforms you will have to work it out yourself, but if you run into difficulties, write in the comments and I will try to help.
After your BGP session has come up, routes to the large networks have arrived and been installed in the table, traffic to addresses from them has started flowing and happiness is near, you can go back to the bird service and try uncommenting the line that includes the IP address list, by doing the following
In theory, after completing the steps described above, you now have a service that redirects traffic to the IP addresses previously blocked in the Russian Federation.
It can, of course, be improved. For example, it is easy to summarize the IP address list with perl or python solutions. A simple Perl script that does this with Net::CIDR::Lite turns 85 thousand prefixes into 60 (not thousand), but of course it covers a much larger address range than is actually blocked.
Since this service operates at layer 3 of the ISO/OSI model, it will not save you from the blocking of a site/page if that site resolves to an address other than the one recorded in the registry. But along with the registry, the file nxdomain.txt comes from github, which a couple of lines of script turn into a source of addresses for, e.g., the SwitchyOmega plugin in Chrome.
It is also worth saying that the solution needs additional tuning if you are not only a consumer of Internet resources but also publish some yourself (for example, a website or mail servers run on that connection). Using the router's mechanisms, you must strictly bind the outbound traffic from that service to your public address, otherwise you will lose connectivity with the resources that are in the list received by the router.
If you have questions, ask; I am ready to answer.
UPD. Thanks to panyanja and TerAnYu for the git parameters that reduce the size of the download.
UPD2. Friends, it seems I made a mistake by not adding instructions for setting up the tunnel between the VPS and the router to the article. A lot of questions are raised about this.
So let me note again that before starting this guide, you must already have configured a VPN tunnel to wherever you want it and checked that it works (for example, by routing traffic through it by default or statically). If you have not completed this stage, there is no point following the procedures in this article. I have no notes of my own on this, but if you Google "configuring an OpenVPN server" together with the name of the operating system installed on the VPS, and "configuring an OpenVPN client" with the name of your router, you will find several articles on the subject, including on Habr.
UPD3. User Wosadzipereka wrote code that converts dump.csv into a bird file with the IP addresses summarized. So the section "Preparing the route lists for the routing service" can be replaced by a call to his program. https://habr.com/post/354282/#comment_10782712
UPD4. A little work on mistakes (not added to the text):
1) instead of systemctl reload bird it makes more sense to use the command birdc configure.
2) on the Mikrotik router, instead of setting the nexthop to the IP of the other end of the tunnel, /routing filter add action=accept chain=dynamic-in protocol=bgp comment="Set nexthop" set-in-nexthop=172.30.1.1, it makes more sense to point the route directly at the interface, without an address: /routing filter add action=accept chain=dynamic-in protocol=bgp comment="Set nexthop" set-in-nexthop-direct=<interface name>
UPD5. A new service has appeared, https://antifilter.download, from which you can take ready-made IP address lists. Updated every half hour. On the client side, all that is left is to format the entries as "route ... reject".
And at this point, perhaps, that is enough shaking of the old man, and the article can be rewritten.
UPD6. A reworked article for those who don't want to figure it all out but want to get started - here.