Ntchito yoletsa magalimoto ochokera kumayiko ena ikuwoneka ngati yosavuta, koma zoyamba zomwe zingawoneke zitha kukhala zachinyengo. Lero tikuuzani momwe izi zingakwaniritsire.
prehistory
Zotsatira za kusaka kwa Google pamutuwu ndizokhumudwitsa: zambiri mwazothetsera zakhala "zovunda" ndipo nthawi zina zikuwoneka kuti mutuwu wasungidwa ndikuyiwalika kwamuyaya. Taphatikiza zolemba zakale zambiri ndipo takonzeka kugawana malangizo amakono.
Tikukulimbikitsani kuti muwerenge nkhani yonse musanapereke malamulowa.
Kukonzekera opaleshoni dongosolo
Zosefera zidzakonzedwa pogwiritsa ntchito zofunikira iptables, zomwe zimafuna kukulitsa kuti zigwire ntchito ndi data ya GeoIP. Zowonjezera izi zitha kupezeka mkati . xtables-addons imayika zowonjezera za iptables ngati ma module a kernel odziimira, kotero palibe chifukwa chobwezera OS kernel.
Panthawi yolemba, mtundu waposachedwa wa xtables-addons ndi 3.9. Komabe, 20.04 yokha ingapezeke muzosungirako za Ubuntu 3.8 LTS, ndi 18.04 muzosungirako za Ubuntu 3.0. Mutha kukhazikitsa zowonjezera kuchokera kwa woyang'anira phukusi ndi lamulo ili:
apt install xtables-addons-common libtext-csv-xs-perlDziwani kuti pali kusiyana kochepa koma kofunikira pakati pa mtundu wa 3.9 ndi momwe polojekitiyi ikuyendera, zomwe tidzakambirana pambuyo pake. Kuti mupange kuchokera ku code source, yikani mapepala onse ofunikira:
apt install git build-essential autoconf make libtool iptables-dev libxtables-dev pkg-config libnet-cidr-lite-perl libtext-csv-xs-perlKonzani nkhokwe:
git clone https://git.code.sf.net/p/xtables-addons/xtables-addons xtables-addons-xtables-addons
cd xtables-addons-xtables-addonsxtables-addons ili ndi zowonjezera zambiri, koma timangokondwera nazo xt_geoip. Ngati simukufuna kukoka zowonjezera zosafunikira mu dongosolo, mutha kuzichotsa pakumanga. Kuti muchite izi muyenera kusintha fayilo mconfig. Kwa ma modules onse omwe mukufuna, ikani y, ndipo lembani zosafunika n. Timasonkhanitsa:
./autogen.sh./configuremakeNdipo ikani ndi ufulu wa superuser:
make installPakuyika ma module a kernel, zolakwika zofanana ndi izi zitha kuchitika:
INSTALL /root/xtables-addons-xtables-addons/extensions/xt_geoip.ko
At main.c:160:
- SSL error:02001002:system library:fopen:No such file or directory: ../crypto/bio/bss_file.c:72
- SSL error:2006D080:BIO routines:BIO_new_file:no such file: ../crypto/bio/bss_file.c:79
sign-file: certs/signing_key.pem: No such file or directoryIzi zimachitika chifukwa chosatheka kusaina ma module a kernel, chifukwa palibe chosayina. Mutha kuthetsa vutoli ndi malamulo angapo:
cd /lib/modules/(uname -r)/build/certscat <<EOF > x509.genkey[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
x509_extensions = myexts
[ req_distinguished_name ]
CN = Modules
[ myexts ]
basicConstraints=critical,CA:FALSE
keyUsage=digitalSignature
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
EOFopenssl req -new -nodes -utf8 -sha512 -days 36500 -batch -x509 -config x509.genkey -outform DER -out signing_key.x509 -keyout signing_key.pemModule ya kernel yophatikizidwa imayikidwa, koma dongosolo silizindikira. Tiyeni tifunse dongosolo kuti lipange mapu odalira poganizira gawo latsopanoli, kenako ndikuyiyika:
depmod -amodprobe xt_geoipTiyeni tiwonetsetse kuti xt_geoip yayikidwa mu dongosolo:
# lsmod | grep xt_geoip
xt_geoip 16384 0
x_tables 40960 2 xt_geoip,ip_tablesKuphatikiza apo, onetsetsani kuti kukulitsa kwakwezedwa mu iptables:
# cat /proc/net/ip_tables_matches
geoip
icmpNdife okondwa ndi chilichonse ndipo chomwe chatsala ndikuwonjezera dzina la module / etc / moduleskotero kuti gawoli limagwira ntchito pambuyo poyambitsanso OS. Kuyambira pano, iptables imamvetsetsa malamulo a geoip, koma ilibe deta yokwanira yogwirira ntchito. Tiyeni tiyambe kutsitsa nkhokwe ya geoip.
Kupeza GeoIP Database
Timapanga chikwatu momwe zidziwitso zomveka ku iptables zowonjezera zidzasungidwa:
mkdir /usr/share/xt_geoipKumayambiriro kwa nkhaniyi, tidanena kuti pali kusiyana pakati pa mtunduwo kuchokera ku code source ndi mtundu kuchokera kwa woyang'anira phukusi. Kusiyana kowonekera kwambiri ndikusintha kwa opereka database ndi script xt_geoip_dl, yomwe imatsitsa zatsopano.
Mtundu wa woyang'anira phukusi
Zolembazo zili m'njira /usr/lib/xtables-addons, koma mukayesa kuyendetsa, muwona cholakwika chopanda chidziwitso:
# ./xt_geoip_dl
unzip: cannot find or open GeoLite2-Country-CSV.zip, GeoLite2-Country-CSV.zip.zip or GeoLite2-Country-CSV.zip.ZIP.M'mbuyomu, chinthu cha GeoLite, chomwe tsopano chimadziwika kuti GeoLite Legacy, chogawidwa pansi pa laisensi, chinkagwiritsidwa ntchito ngati nkhokwe. kampani . Zochitika ziwiri zidachitika ndi mankhwalawa nthawi imodzi zomwe "zinaphwanya" kugwirizana ndi kukulitsa kwa iptables.
Choyamba, mu January 2018 za kutha kwa chithandizo cha malonda, ndipo pa Januware 2019, 2, maulalo onse otsitsa mtundu wakale wa database adachotsedwa patsamba lovomerezeka. Ogwiritsa ntchito atsopano akulimbikitsidwa kugwiritsa ntchito chinthu cha GeoLite2 kapena mtundu wake wolipira wa GeoIPXNUMX.
Kachiwiri, kuyambira Disembala 2019 MaxMind za kusintha kwakukulu kwa mwayi wopezeka ku database yawo. Kuti atsatire lamulo la California Consumer Privacy Act, MaxMind adaganiza "kuphimba" kugawa kwa GeoLite2 ndikulembetsa.
Popeza tikufuna kugwiritsa ntchito malonda awo, tidzalembetsa patsamba lino.
Kenako mudzalandira imelo yopempha kuti muyike mawu achinsinsi. Tsopano popeza tapanga akaunti, tifunika kupanga kiyi ya layisensi. Mu akaunti yanu timapeza chinthucho Makiyi Anga a License, ndiyeno dinani batani Pangani License Key yatsopano.
Popanga kiyi, tidzafunsidwa funso limodzi lokha: kodi tidzagwiritsa ntchito kiyiyi mu pulogalamu ya GeoIP Update? Timayankha molakwika ndikudina batani Tsimikizani. Mfungulo idzawonetsedwa pawindo la pop-up. Sungani kiyiyi pamalo otetezeka, chifukwa mukatseka zenera lotulukira, simudzatha kuwona kiyi yonseyo.
Titha kutsitsa pamanja ma database a GeoLite2, koma mawonekedwe ake sagwirizana ndi mawonekedwe omwe amayembekezeredwa ndi xt_geoip_build script. Apa ndipamene zolemba za GeoLite2xtables zimadzapulumutsa. Kuti mugwiritse ntchito zolemba, yikani NetAddr ::IP perl module:
wget https://cpan.metacpan.org/authors/id/M/MI/MIKER/NetAddr-IP-4.079.tar.gztar xvf NetAddr-IP-4.079.tar.gzcd NetAddr-IP-4.079perl Makefile.PLmakemake installKenako, timagwirizanitsa chosungiracho ndi zolemba ndikulemba kiyi ya layisensi yomwe tinapeza kale ku fayilo:
git clone https://github.com/mschmitt/GeoLite2xtables.gitcd GeoLite2xtablesecho YOUR_LICENSE_KEY=β123ertyui123' > geolite2.licenseTiyeni tiyendetse ma script:
# Π‘ΠΊΠ°ΡΠΈΠ²Π°Π΅ΠΌ Π΄Π°Π½Π½ΡΠ΅ GeoLite2
./00_download_geolite2
# Π‘ΠΊΠ°ΡΠΈΠ²Π°Π΅ΠΌ ΠΈΠ½ΡΠΎΡΠΌΠ°ΡΠΈΡ ΠΎ ΡΡΡΠ°Π½Π°Ρ
(Π΄Π»Ρ ΡΠΎΠΎΡΠ²Π΅ΡΡΡΠ²ΠΈΡ ΠΊΠΎΠ΄Ρ)
./10_download_countryinfo
# ΠΠΎΠ½Π²Π΅ΡΡΠΈΡΡΠ΅ΠΌ GeoLite2 Π±Π°Π·Ρ Π² ΡΠΎΡΠΌΠ°Ρ GeoLite Legacy
cat /tmp/GeoLite2-Country-Blocks-IPv{4,6}.csv |
./20_convert_geolite2 /tmp/CountryInfo.txt > /usr/share/xt_geoip/dbip-country-lite.csvMaxMind imayika malire otsitsa 2000 patsiku ndipo, ndi ma seva ambiri, imapereka kusungitsa zosinthazo pa seva ya proxy.
Chonde dziwani kuti linanena bungwe wapamwamba ayenera kutchedwa dbip-country-lite.csv... Tsoka ilo, 20_convert_geolite2 sichimapanga fayilo yabwino. Zolemba xt_geoip_build imayembekezera magawo atatu:
- chiyambi cha ma adilesi;
- mapeto a maadiresi osiyanasiyana;
- Kodi dziko mu iso-3166-alpha2.
Ndipo fayilo yotulutsa ili ndi magawo asanu ndi limodzi:
- chiyambi cha maadiresi (chiwonetsero cha zingwe);
- mapeto a maadiresi (chiwonetsero cha zingwe);
- chiyambi cha maadiresi (kuyimira manambala);
- mapeto a maadiresi (chiwonetsero cha manambala);
- kodi dziko;
- dzina la dziko.
Kusagwirizanaku ndikovuta kwambiri ndipo kutha kuwongoleredwa m'njira ziwiri:
- sinthani 20_convert_geolite2;
- sinthani xt_geoip_build.
Poyamba timachepetsa ku mtundu wofunikira, ndipo chachiwiri - timasintha ntchitoyo kukhala yosinthika $cc pa $mzere->[4]. Pambuyo pake, mukhoza kupanga:
/usr/lib/xtables-addons/xt_geoip_build -S /usr/share/xt_geoip/ -D /usr/share/xt_geoip. . .
2239 IPv4 ranges for ZA
348 IPv6 ranges for ZA
56 IPv4 ranges for ZM
12 IPv6 ranges for ZM
56 IPv4 ranges for ZW
15 IPv6 ranges for ZWDziwani kuti wolemba sichiwona zolemba zake zokonzeka kupanga ndi zopereka pakupanga zolemba zoyambirira za xt_geoip_*. Chifukwa chake, tiyeni tipitirire ku msonkhano kuchokera ku ma code code, momwe zolembedwazi zasinthidwa kale.
Mtundu woyambira
Mukakhazikitsa kuchokera ku source code scripts xt_geoip_* zili mu katalogu /usr/local/libexec/xtables-addons. Mtundu uwu wa script umagwiritsa ntchito database . Layisensi ndi Creative Commons Attribution License, ndipo kuchokera pazomwe zilipo pali zigawo zitatu zofunika kwambiri. Koperani ndi kusonkhanitsa database:
cd /usr/share/xt_geoip//usr/local/libexec/xtables-addons/xt_geoip_dl/usr/local/libexec/xtables-addons/xt_geoip_buildPambuyo pa izi, iptables ndi okonzeka kugwira ntchito.
Kugwiritsa ntchito geoip mu iptables
Gawo xt_geoip amangowonjezera makiyi awiri:
geoip match options:
[!] --src-cc, --source-country country[,country...]
Match packet coming from (one of) the specified country(ies)
[!] --dst-cc, --destination-country country[,country...]
Match packet going to (one of) the specified country(ies)
NOTE: The country is inputed by its ISO3166 code.Njira zopangira malamulo a iptables, kawirikawiri, zimakhalabe zosasintha. Kuti mugwiritse ntchito makiyi ochokera kuma module owonjezera, muyenera kufotokoza momveka bwino dzina la module ndi -m switch. Mwachitsanzo, lamulo loletsa kulumikizana kwa TCP komwe kukubwera padoko 443 osati kuchokera ku USA pamawonekedwe onse:
iptables -I INPUT ! -i lo -p tcp --dport 443 -m geoip ! --src-cc US -j DROPMafayilo opangidwa ndi xt_geoip_build amagwiritsidwa ntchito popanga malamulo okha, koma samaganiziridwa posefa. Chifukwa chake, kuti musinthe bwino database ya geoip, muyenera kaye kusinthira mafayilo a iv*, ndikukonzanso malamulo onse omwe amagwiritsa ntchito geoip mu iptables.
Pomaliza
Kusefa mapaketi kutengera mayiko ndi njira yomwe inayiwalika ndi nthawi. Ngakhale izi, zida zamapulogalamu zosefera zotere zikupangidwa ndipo, mwina, posachedwa mtundu watsopano wa xt_geoip wokhala ndi wopereka data wa geoip watsopano udzawonekera mwa oyang'anira phukusi, zomwe zipangitsa kuti moyo wa oyang'anira dongosolo ukhale wosalira zambiri.
Ogwiritsa ntchito olembetsedwa okha ndi omwe angatenge nawo gawo pa kafukufukuyu. chonde.
Kodi mudagwiritsapo ntchito zosefera ndi dziko?
-
59,1%Yes13
-
40,9%No9
Ogwiritsa 22 adavota. Ogwiritsa 3 adakana.
Source: www.habr.com