Kukoshera kwekuvharidzira kushanya kune zviwanikwa zvinorambidzwa kunobata chero maneja anogona kupomerwa zviri pamutemo kutadza kutevedzera mutemo kana mirairo yezviremera zvakakodzera.
Sei kudzoreredza vhiri kana paine zvirongwa zvehunyanzvi uye kugoverwa kwemabasa edu, semuenzaniso: Zeroshell, pfSense, ClearOS.
Iwo manejimendi aive nemumwe mubvunzo: Chigadzirwa chakashandiswa chine chitupa chekuchengetedza kubva mudunhu redu here?
Takava neruzivo rwekushanda nekugovera kunotevera:
- Zeroshell - vagadziri vakatopa rezinesi remakore maviri, asi zvakazoitika kuti kit yekugovera yataifarira, zvisina musoro, yakaita basa rakakosha kwatiri;
- pfSense - ruremekedzo uye rukudzo, panguva imwe chete inofinha, kujaira mutsara wekuraira weFreeBSD firewall uye isingatinakire zvakaringana isu (ndinofunga inyaya yetsika, asi yakazova nzira isiriyo);
- ClearOS - pane yedu Hardware yakave inononoka, takatadza kusvika pakuyedzwa kwakakomba, saka nei nzvimbo dzinorema kudaro?
- Ideco SELECTA. Iyo Ideco chigadzirwa ihurukuro yakaparadzana, inonakidza chigadzirwa, asi nekuda kwezvikonzero zvezvematongerwo enyika kwete zvedu, uye ini ndodawo "kuvaruma" nezve rezinesi reiyo Linux yakafanana, Roundcube, nezvimwe. Vakaiwanepi pfungwa yekuti nekucheka interface kupinda Python uye nekubvisa kodzero dzevashandisi vepamusoro, vanogona kutengesa chigadzirwa chakapedzwa chakagadzirwa nemamodule akagadziridzwa uye akagadziridzwa kubva munharaunda yeInternet akagoverwa pasi peGPL&etc.
Ini ndinonzwisisa kuti iko zvino manyemwe asina kunaka achadururira munzira yangu nezvido zvekusimbisa manzwiro angu ekuzvibata zvakadzama, asi ini ndinoda kutaura kuti iyi network node iriwo traffic balancer ye4 nzira dzekunze kuInternet, uye chiteshi chega chega chine hunhu hwayo. . Imwe dombo repakona kwaive kudiwa kweimwe yeakawanda network network kuti ishande munzvimbo dzakasiyana kero, uye ini vakagadzirira bvuma kuti maVLAN anogona kushandiswa kwese pazvinenge zvichidikanwa uye zvisingakodzeri hazvisati zvaita. Pane zvishandiso zviri kushandiswa seTP-Link TL-R480T+ - havazvibate zvakakwana, kazhinji, nemanuances avo. Zvaigoneka kugadzirisa chikamu ichi paLinux nekuda kweUbuntu official webhusaiti . Uyezve, imwe neimwe yechiteshi inogona "kudonha" chero nguva, pamwe nekusimuka. Kana iwe uchifarira script iri kushanda izvozvi (uye izvi zvakakodzera kudhindwa kwakasiyana), nyora mumashoko.
Mhinduro iri kutariswa haitaure yakasarudzika, asi ndinoda kubvunza mubvunzo: "Nei bhizinesi richifanira kuchinjika kune wechitatu-bato rinopokana zvigadzirwa zvine zvakakomba hardware zvinodiwa kana imwe sarudzo inogona kutariswa?"
Kana muRussian Federation mune runyoro rweRoskomnadzor, muUkraine kune annex kune Chisarudzo cheNational Security Council (somuenzaniso. ), ipapo vatungamiriri venzvimbo havararewo. Semuenzaniso, takapihwa rondedzero yemasaiti akarambidzwa ayo, mukuona kwemaneja, anokanganisa budiriro munzvimbo yebasa.
Kukurukurirana nevaunoshanda navo kune mamwe mabhizinesi, uko nekusarudzika mawebhusaiti ese anorambidzwa uye kana uchinge wakumbira nemvumo yemukuru iwe unogona kuwana chaiyo saiti, uchinyemwerera zvine ruremekedzo, kufunga uye "kuputa pamusoro pedambudziko", takasvika pakunzwisisa kuti hupenyu. achiri akanaka uye takatanga kutsvaga kwavo.
Kuve nemukana kwete wekuona nekuongorora chete zvavanonyora mu "mabhuku emadzimai epamba" nezve kusefa kwetraffic, asi zvakare kuona zviri kuitika pamatanho evanopa vakasiyana, takaona mabikirwo anotevera (chero zviratidziro zvakatemwa zvishoma, ndapota nzwisisa. ):
Provider 1
- hainetse uye inomisikidza yayo ega DNS maseva uye yakajeka proxy server. Zvakanaka? .. asi isu tinokwanisa kuwana kwatinoida (kana tichiida :))
Provider 2
- anotenda kuti mupi wake wepamusoro anofanira kufunga pamusoro peizvi, rubatsiro rwepamusoro rwemupi wepamusoro akatobvuma kuti nei ndisingakwanisi kuzarura saiti yandaida, iyo yakanga isina kurambidzwa. Ndinofunga kuti mufananidzo uchakufadza iwe :)
Sezvazvakazoitika, ivo vanoshandura mazita emasaiti akarambidzwa kuita IP kero uye vanovhara iyo IP pachayo (havanetswa nekuti iyi IP kero inogona kugamuchira 20 nzvimbo).
Provider 3
- inobvumira traffic kuenda ikoko, asi haibvumire kudzoka munzira.
Provider 4
- inorambidza zvese manipulations nemapaketi munzira yakatarwa.
Chii chekuita neVPN (kuremekedza kune Opera browser) uye browser plugins? Kutamba neiyo node Mikrotik pakutanga, takatowana resipi-yakawanda resipi yeL7, iyo yatakazosiya (panogona kunge paine mamwe mazita akarambidzwa, zvinova zvinosuruvarisa apo, mukuwedzera kune yakananga mabasa enzira, pa3 gumi nemaviri. matauriro iyo PPC460GT processor mutoro unoenda ku100 %).
.
Zvakazojeka:
DNS pa127.0.0.1 haisi mushonga zvachose; shanduro dzemazuva ano dzemabrowser dzichiri kukubvumira kuti upfuure matambudziko akadaro. Hazvibviri kudzikamisa vese vashandisi kune dzakaderedzwa kodzero, uye isu hatifanirwe kukanganwa nezve nhamba huru yeimwe DNS. Indaneti haina kumira, uye kuwedzera kune itsva DNS kero, nzvimbo dzinorambidzwa dzinotenga kero itsva, shandura nzvimbo dzepamusoro-soro, uye dzinogona kuwedzera / kubvisa unhu mukero yavo. Asi uchine kodzero yekurarama senge:
ip route add blackhole 1.2.3.4Zvingave zvakanaka kuwana runyorwa rwekero dzeIP kubva pane rondedzero yemasaiti akarambidzwa, asi nezvikonzero zvataurwa pamusoro apa, takaenderera mberi nekufunga nezveIptables. Paive patove neanorarama balancer paCentOS Linux kuburitswa 7.5.1804.
Indaneti yemushandisi inofanirwa kukurumidza, uye Browser haifanire kumirira hafu yeminiti, ichigumisa kuti peji iyi haisipo. Mushure mekutsvaga kwenguva refu takasvika kune iyi modhi:
Faira 1 -> /script/denied_host, mazita emazita anorambidzwa:
test.test
blablabla.bubu
torrent
pornoFaira 2 -> /script/denied_range, runyorwa rwenzvimbo dzinorambidzwa kero nemakero:
192.168.111.0/24
241.242.0.0/16Script faira 3 -> ipt.shkuita basa nema ipables:
# ΡΡΠΈΡΡΠ²Π°Π΅ΠΌ ΠΏΠΎΠ»Π΅Π·Π½ΡΡ ΠΈΠ½ΡΠΎΡΠΌΠ°ΡΠΈΡ ΠΈΠ· ΠΏΠ΅ΡΠ΅ΡΠ½Π΅ΠΉ ΡΠ°ΠΉΠ»ΠΎΠ²
HOSTS=`cat /script/denied_host | grep -v '^#'`
RANGE=`cat /script/denied_range | grep -v '^#'`
echo "Stopping firewall and allowing everyone..."
# ΡΠ±ΡΠ°ΡΡΠ²Π°Π΅ΠΌ Π²ΡΠ΅ Π½Π°ΡΡΡΠΎΠΉΠΊΠΈ iptables, ΡΠ°Π·ΡΠ΅ΡΠ°Ρ ΡΠΎ ΡΡΠΎ Π½Π΅ Π·Π°ΠΏΡΠ΅ΡΠ΅Π½ΠΎ
sudo iptables -F
sudo iptables -X
sudo iptables -t nat -F
sudo iptables -t nat -X
sudo iptables -t mangle -F
sudo iptables -t mangle -X
sudo iptables -P INPUT ACCEPT
sudo iptables -P FORWARD ACCEPT
sudo iptables -P OUTPUT ACCEPT
#ΡΠ΅ΡΠ°Π΅ΠΌ ΠΎΠ±Π½ΠΎΠ²ΠΈΡΡ ΠΈΠ½ΡΠΎΡΠΌΠ°ΡΠΈΡ ΠΎ ΠΌΠ°ΡΡΡΡΡΠ°Ρ
(ΠΎΡΠΎΠ±Π΅Π½Π½ΠΎΡΡΡ Π½Π°ΡΠ΅ΠΉ Π°ΡΡ
ΠΈΡΠ΅ΠΊΡΡΡΡ)
sudo sh rout.sh
# ΡΠΈΠΊΠ»ΠΈΡΠ΅ΡΠΊΠΈ ΠΎΠ±ΡΠ°Π±Π°ΡΡΠ²Π°Ρ ΠΊΠ°ΠΆΠ΄ΡΡ ΡΡΡΠΎΠΊΡ ΡΠ°ΠΉΠ»Π° ΠΏΡΠΈΠΌΠ΅Π½ΡΠ΅ΠΌ ΠΏΡΠ°Π²ΠΈΠ»ΠΎ Π±Π»ΠΎΠΊΠΈΡΠΎΠ²ΠΊΠΈ ΡΡΡΠΎΠΊΠΈ
for i in $HOSTS; do
sudo iptables -I FORWARD -m string --string $i --algo bm --from 1 --to 600 -p tcp -j REJECT --reject-with tcp-reset;
sudo iptables -I FORWARD -m string --string $i --algo bm --from 1 --to 600 -p udp -j DROP;
done
# ΡΠΈΠΊΠ»ΠΈΡΠ΅ΡΠΊΠΈ ΠΎΠ±ΡΠ°Π±Π°ΡΡΠ²Π°Ρ ΠΊΠ°ΠΆΠ΄ΡΡ ΡΡΡΠΎΠΊΡ ΡΠ°ΠΉΠ»Π° ΠΏΡΠΈΠΌΠ΅Π½ΡΠ΅ΠΌ ΠΏΡΠ°Π²ΠΈΠ»ΠΎ Π±Π»ΠΎΠΊΠΈΡΠΎΠ²ΠΊΠΈ Π°Π΄ΡΠ΅ΡΠ°
for i in $RANGE; do
sudo iptables -I FORWARD -p UDP -d $i -j DROP;
sudo iptables -I FORWARD -p TCP -d $i -j REJECT --reject-with tcp-reset;
done
Kushandiswa kwesudo kunokonzerwa nekuti isu tine diki hack yekudzora kuburikidza neWEB interface, asi seruzivo rwekushandisa modhi yakadaro kweanopfuura gore yakaratidza, WEB haina kudikanwa. Mushure mekuita, pakanga paine chishuwo chekuwedzera rondedzero yemasaiti kune database, nezvimwe. Huwandu hwevakavharirwa mauto anopfuura 250 + gumi nemaviri kero nzvimbo. Pane chaizvo dambudziko kana uchienda kune saiti kuburikidza ne https yekubatanidza, senge sisitimu maneja, ndine zvichemo nezve browser :), asi izvi zviitiko zvakakosha, mazhinji ezvinokonzeresa kushaikwa kwekuwana zviwanikwa zvichiri kudivi redu. , isu zvakare takabudirira kuvharira Opera VPN uye plugins senge friGate uye telemetry kubva kuMicrosoft.
Source: www.habr.com