Bypassing RKN blocking with DNStap and BGP


The topic is pretty well-worn, I know. For example, there is a great article, but it covers only the IP part of the blocklist. We will add domains as well.

Because the courts and RKN block everything left and right, and providers try hard not to fall under the fines issued by Revizorro, the collateral losses from the blocking are quite large. And among the "lawfully" blocked sites there are many useful ones (hello, rutracker).

I live outside RKN's jurisdiction, but my parents, relatives and friends stayed back home. So it was decided to come up with an easy way for people far from IT to get around the blocking, preferably without any involvement on their part at all.

In this article I will not describe basic networking things step by step, but I will describe the general principles of how this scheme can be implemented. So knowledge of how networks work in general, and in Linux in particular, is a must have.

Types of blocks

First, let's refresh our memory of what is being blocked.

There are several types of blocks in the XML exported from RKN:

  • IP
  • Domain
  • URL

For simplicity, we will reduce them to two: IP and domain, and from URL blocks we will simply extract the domain (more precisely, this has already been done for us).

The good people at Roskomsvoboda have implemented a wonderful API through which we can get what we need:

Access to blocked sites

To do this, we need a small foreign VPS, preferably with unlimited traffic; there are many of these for 3-5 dollars. You should take it in a nearby foreign country so that the ping is not too large, but keep in mind that the Internet and geography do not always coincide. And since there is no SLA for 5 dollars, it is better to take 2+ of them from different providers for fault tolerance.

Next, we need to set up an encrypted tunnel from the client router to the VPS. I use Wireguard as the fastest and easiest to set up. My client routers are also Linux-based (APU2 or something on OpenWRT). In the case of some Mikrotik / Cisco, you can use the protocols available on them, such as OpenVPN and GRE-over-IPSEC.

Identification uye redirection of traffic of interest

You can, of course, send all Internet traffic abroad. But most likely the speed of working with local content will suffer greatly from this. Plus, the bandwidth requirements on the VPS will be much higher.

Therefore, we need to somehow single out the traffic to blocked sites and selectively direct it into the tunnel. Even if some "extra" traffic gets there, it is still much better than driving everything through the tunnel.

To manage traffic, we will use the BGP protocol and announce routes to the required networks from our VPS to the clients. Let's take BIRD as one of the most functional and convenient BGP daemons.

IP

With IP blocking, everything is clear: we simply announce all blocked IPs from the VPS. The problem is that there are about 600 thousand subnets in the list the API returns, and the vast majority of them are /32 hosts. This number of routes can confuse weak client routers.

Therefore, when processing the list, it was decided to summarize up to a /24 network if it contains 2 or more hosts. Thus, the number of routes was reduced to ~100 thousand. The script for this follows below.

Domains

This is more complicated, and there are several ways. For example, you can install a transparent Squid on each client router and do HTTP interception there, and peek into the TLS handshake, to get the requested URL in the first case and the domain from SNI in the second.

But because of all sorts of newfangled TLS1.3 + eSNI, HTTPS analysis is becoming less and less realistic every day. And the infrastructure on the client side gets more complicated too: you will have to use at least OpenWRT.

Therefore, I decided to take the path of intercepting the responses to DNS requests. Here too, all sorts of DNS-over-TLS / HTTPS start to loom over your head, but we can (for now) control this part on the client: either disable it or use your own server for DoT / DoH.

How to intercept DNS?

Here, too, there can be several approaches.

  • Interception of DNS traffic via PCAP or NFLOG
    Both of these interception methods are implemented in the sidmat utility. But it has not been supported for a long time and its functionality is very primitive, so you still need to write a harness for it.
  • Analysis of DNS server logs
    Unfortunately, the recursors known to me are not able to log responses, only requests. In principle, this is logical, since, unlike requests, responses have a complex structure and are difficult to write in text form.
  • DNStap
    Fortunately, many of them already support DNStap for this purpose.

What is DNStap?


It is a client-server protocol based on Protocol Buffers and Frame Streams for transferring structured DNS queries and responses from a DNS server to a collector. Essentially, the DNS server transmits query and response metadata (message type, client/server IP, and so on) plus the complete DNS messages in the (binary) form in which it works with them on the network.

It is important to understand that in the DNStap paradigm, the DNS server acts as the client and the collector acts as the server. That is, the DNS server connects to the collector, and not the other way around.

Today DNStap is supported in all popular DNS servers. But, for example, BIND in many distributions (like Ubuntu LTS) is often built, for some reason, without support for it. So let's not bother with rebuilding it, but take a lighter and faster recursor: Unbound.

How to catch DNStap?

There are a number of CLI utilities for working with a stream of DNStap events, but they are not suitable for solving our problem. Therefore, I decided to invent my own bicycle that does everything that is needed: dnstap-bgp

Working algorithm:

  • When launched, it loads a list of domains from a text file, inverts them (habr.com -> com.habr), excludes broken lines, duplicates and subdomains (i.e. if the list contains habr.com and www.habr.com, only the first will be loaded) and builds a prefix tree for fast search through this list
  • Acting as a DNStap server, it waits for a connection from a DNS server. In principle, it supports both UNIX and TCP sockets, but the DNS servers I know of can only use UNIX sockets.
  • Incoming DNStap packets are first deserialized into a Protobuf structure, and then the binary DNS message itself, located in one of the Protobuf fields, is parsed down to the level of DNS RR records.
  • It checks whether the requested host (or its parent domain) is in the loaded list; if not, the response is ignored.
  • Only A/AAAA/CNAME RRs are selected from the response, and the corresponding IPv4/IPv6 addresses are extracted from them.
  • IP addresses are cached with a configurable TTL and advertised to all configured BGP peers
  • When a response points to an already cached IP, its TTL is updated
  • After the TTL expires, the entry is removed from the cache and from the BGP announcements
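
The list loading, parent-domain lookup and TTL cache steps above, sketched as an added example (this is not dnstap-bgp's own code). The names DomainTrie, RouteCache and handle_response are hypothetical, the DNS answers are assumed to be already parsed into (type, value) pairs, and the returned lists stand in for BGP announcements and withdrawals.

```python
import ipaddress

class DomainTrie:
    """Reversed-label prefix tree: habr.com is stored as com -> habr."""

    def __init__(self, lines):
        self.root, self.count = {}, 0
        names = {l.strip().lower().rstrip('.') for l in lines}   # drops duplicates
        # Fewest labels first, so a parent is inserted before its subdomains
        for name in sorted(names, key=lambda n: n.count('.')):
            labels = name.split('.')
            if len(labels) < 2 or not all(labels) or ' ' in name:
                continue                  # broken line
            if self.match(name):
                continue                  # already covered by a parent domain
            node = self.root
            for label in reversed(labels):
                node = node.setdefault(label, {})
            node[None] = True             # end-of-domain marker
            self.count += 1

    def match(self, host):
        """True if host, or any parent domain of it, is in the list."""
        node = self.root
        for label in reversed(host.lower().rstrip('.').split('.')):
            node = node.get(label)
            if node is None:
                return False
            if None in node:
                return True
        return False

class RouteCache:
    """IP -> expiry time; tells the caller what to announce and withdraw."""

    def __init__(self, ttl):
        self.ttl, self.expires = ttl, {}

    def learn(self, ips, now):
        """Refresh the TTL of every IP; return only the new ones (to announce)."""
        new = [ip for ip in dict.fromkeys(ips) if ip not in self.expires]
        for ip in ips:
            self.expires[ip] = now + self.ttl
        return new

    def expire(self, now):
        """Drop entries whose TTL has run out; return them (to withdraw)."""
        dead = [ip for ip, t in self.expires.items() if t <= now]
        for ip in dead:
            del self.expires[ip]
        return dead

def handle_response(trie, cache, qname, answers, now):
    """answers: parsed RRs as (type, value); CNAME targets carry no address."""
    if not trie.match(qname):
        return []                         # domain not on the list: ignore
    ips = [str(ipaddress.ip_address(v)) for t, v in answers if t in ('A', 'AAAA')]
    return cache.learn(ips, now)
```
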

Additional functionality:

  • Re-reading the list of domains on SIGHUP
  • Keeping the cache in sync with other instances of dnstap-bgp via HTTP/JSON
  • Duplicating the cache on disk (in a BoltDB database) to restore its contents after a restart
  • Support for switching to a different network namespace (why this is needed is described below)
  • IPv6 support

Limitations:

  • IDN domains are not supported yet
  • Few BGP settings

I have built RPM and DEB packages for easy installation. They should work on all relatively recent OSes with systemd. They have no dependencies.

The scheme

So, let's start putting all the components together. As a result, we should get something like this network topology:
[Figure: network topology]

The logic of operation, I think, is clear from the diagram:

  • The client has our server configured as DNS, and the DNS queries must also go over the VPN. This is necessary so that the provider cannot use DNS interception for blocking.
  • When opening a site, the client sends a DNS query like "what are the IPs of xxx.org"
  • Unbound resolves xxx.org (or takes it from the cache) and sends the response "xxx.org has such and such IP" to the client, duplicating it in parallel via DNStap
  • dnstap-bgp announces these addresses to BIRD via BGP if the domain is on the blocked list
  • BIRD advertises a route to these IPs with next-hop self to the client router
  • Subsequent packets from the client to these IPs go through the tunnel

On the server, for the routes to blocked sites, I use a separate table inside BIRD, and it does not intersect with the OS in any way.

This scheme has a drawback: the first SYN packet from the client will most likely have time to leave through the domestic provider, because the route is not announced instantly. And here different outcomes are possible depending on how the provider does the blocking. If it simply drops the traffic, there is no problem. And if it redirects it to some DPI, then (theoretically) special effects are possible.

Surprises are also possible with clients not respecting the DNS TTL, which can lead to the client using stale entries from its own rotten cache instead of asking Unbound.

In practice, neither the first nor the second has caused problems for me, but your mileage may vary.

Server Tuning

For ease of rollout, I wrote an Ansible role. It can configure both servers and clients based on Linux (it is designed for deb-based distributions). All the settings are fairly obvious and are set in inventory.yml. This role is cut out of my big playbook, so it may contain errors; pull requests are welcome 🙂

Let's go through the main components.

BGP

Running two BGP daemons on the same host has a fundamental problem: BIRD does not want to set up BGP peering with localhost (or any local interface). At all. Googling and reading mailing lists did not help; they claim this is by design. Perhaps there is some way, but I did not find it.

You can try another BGP daemon, but I like BIRD and I use it everywhere, and I do not want to multiply entities.

Therefore, I hid dnstap-bgp inside a network namespace, which is connected to the root one through a veth interface: it is like a pipe whose ends stick out in different namespaces. On each of these ends, we hang private p2p IP addresses that do not go beyond the host, so they can be anything. This is the same mechanism that is used to access processes inside Docker, beloved by all, and other containers.

For this, a script was written, and the functionality already mentioned above, for dragging yourself by the hair into another namespace, was added to dnstap-bgp. Because of this, it must be run as root or the binary must be given CAP_SYS_ADMIN via the setcap command.

Example script for creating the namespace

#!/bin/bash

NS="dtap"

IP="/sbin/ip"
IPNS="$IP netns exec $NS $IP"

IF_R="veth-$NS-r"
IF_NS="veth-$NS-ns"

IP_R="192.168.149.1"
IP_NS="192.168.149.2"

/bin/systemctl stop dnstap-bgp || true

$IP netns del $NS > /dev/null 2>&1
$IP netns add $NS

$IP link add $IF_R type veth peer name $IF_NS
$IP link set $IF_NS netns $NS

$IP addr add $IP_R remote $IP_NS dev $IF_R
$IP link set $IF_R up

$IPNS addr add $IP_NS remote $IP_R dev $IF_NS
$IPNS link set $IF_NS up

/bin/systemctl start dnstap-bgp

dnstap-bgp.conf

namespace = "dtap"
domains = "/var/cache/rkn_domains.txt"
ttl = "168h"

[dnstap]
listen = "/tmp/dnstap.sock"
perm = "0666"

[bgp]
as = 65000
routerid = "192.168.149.2"

peers = [
    "192.168.149.1",
]

bird.conf

router id 192.168.1.1;

table rkn;

# Clients
protocol bgp bgp_client1 {
    table rkn;
    local as 65000;
    neighbor 192.168.1.2 as 65000;
    direct;
    bfd on;
    next hop self;
    graceful restart;
    graceful restart time 60;
    export all;
    import none;
}

# DNSTap-BGP
protocol bgp bgp_dnstap {
    table rkn;
    local as 65000;
    neighbor 192.168.149.2 as 65000;
    direct;
    passive on;
    rr client;
    import all;
    export none;
}

# Static routes list
protocol static static_rkn {
    table rkn;
    include "rkn_routes.list";
    import all;
    export none;
}

rkn_routes.list

route 3.226.79.85/32 via "ens3";
route 18.236.189.0/24 via "ens3";
route 3.224.21.0/24 via "ens3";
...

DNS

By default, in Ubuntu, the Unbound binary is confined by an AppArmor profile, which forbids it from connecting to any DNStap sockets. You can either delete this profile or disable it:

# cd /etc/apparmor.d/disable && ln -s ../usr.sbin.unbound .
# apparmor_parser -R /etc/apparmor.d/usr.sbin.unbound

This should probably be added to the playbook. Ideally, of course, the profile should be fixed and the necessary rights granted, but I was too lazy.

unbound.conf

server:
    chroot: ""
    port: 53
    interface: 0.0.0.0
    root-hints: "/var/lib/unbound/named.root"
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    access-control: 192.168.0.0/16 allow

remote-control:
    control-enable: yes
    control-use-cert: no

dnstap:
    dnstap-enable: yes
    dnstap-socket-path: "/tmp/dnstap.sock"
    dnstap-send-identity: no
    dnstap-send-version: no

    dnstap-log-client-response-messages: yes

Downloading and processing the lists

Script for downloading and processing the list of IP addresses
It downloads the list and summarizes it to the prefix pfx. In dont_add and dont_summarize you can tell it which IPs and networks to skip or not to summarize. I needed this because the subnet of my VPS was in the blocklist 🙂

The funny thing is that the RosKomSvoboda API blocks requests with the default Python user agent. It looks like the script kiddies got to it. So we change it to a browser User-Agent ("Ognelis").

For now, it works only with IPv4. The share of IPv6 is small, but it will be easy to fix. Except that you will also have to use bird6.

rkn.py

#!/usr/bin/python3

import json, urllib.request, ipaddress as ipa

url = 'https://api.reserve-rbl.ru/api/v2/ips/json'
pfx = '24'

# Networks that must not be summarized
dont_summarize = {
    # ipa.IPv4Network('1.1.1.0/24'),
}

# Addresses that must not be added at all
dont_add = {
    # ipa.IPv4Address('1.1.1.1'),
}

# The API rejects the default Python User-Agent, so send a browser one
req = urllib.request.Request(
    url,
    data=None,
    headers={
        'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36'
    }
)

f = urllib.request.urlopen(req)
ips = json.loads(f.read().decode('utf-8'))

nets = set()  # entries that are already networks: kept as they are
r = {}        # target prefix -> [first host seen, number of hosts]
for i in ips:
    ip = ipa.ip_network(i)
    if not isinstance(ip, ipa.IPv4Network):
        continue

    addr = ip.network_address

    if addr in dont_add:
        continue

    if ip.prefixlen != 32:
        nets.add(ip)
        continue

    sn = ipa.IPv4Network(str(addr) + '/' + pfx, strict=False)

    # Hosts in excluded subnets stay individual /32 routes
    if sn in dont_summarize:
        tgt = ip
    else:
        tgt = sn

    if tgt not in r:
        r[tgt] = [addr, 1]
    else:
        r[tgt][1] += 1

o = [str(n) for n in nets]
for n, v in r.items():
    if n in nets:
        continue  # already listed as a network
    # A lone host stays a /32; 2 or more hosts become the summarized prefix
    if v[1] == 1:
        o.append(str(v[0]) + '/32')
    else:
        o.append(str(n))

for k in o:
    print(k)

Update script
I run it from cron once a day; it may be worth pulling it every 4 hours, since that, in my opinion, is the update period RKN requires from providers. Plus, they have some other super-urgent blocks, which may arrive faster.

It does the following:

  • Runs the first script and updates the list of routes (rkn_routes.list) for BIRD
  • Reloads BIRD
  • Updates and cleans up the list of domains for dnstap-bgp
  • Reloads dnstap-bgp

rkn_update.sh

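#!/bin/bash

# Without pipefail, $? below would only reflect the last command of each pipeline
set -o pipefail

ROUTES="/etc/bird/rkn_routes.list"
DOMAINS="/var/cache/rkn_domains.txt"

# Get & summarize routes
/opt/rkn.py | sed 's/\(.*\)/route \1 via "ens3";/' > $ROUTES.new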

if [ $? -ne 0 ]; then
    rm -f $ROUTES.new
    echo "Unable to download RKN routes"
    exit 1
fi

if [ -e $ROUTES ]; then
    mv $ROUTES $ROUTES.old
fi

mv $ROUTES.new $ROUTES

/bin/systemctl try-reload-or-restart bird

# Get domains
curl -sf https://api.reserve-rbl.ru/api/v2/domains/json -o - | jq -r '.[]' | sed 's/^\*\.//' | sort | uniq > $DOMAINS.new

if [ $? -ne 0 ]; then
    rm -f $DOMAINS.new
    echo "Unable to download RKN domains"
    exit 1
fi

if [ -e $DOMAINS ]; then
    mv $DOMAINS $DOMAINS.old
fi

mv $DOMAINS.new $DOMAINS

/bin/systemctl try-reload-or-restart dnstap-bgp

They were written without much thought, so if you see something that can be improved, go for it.

Client setup

Here I will give examples for Linux routers, but in the case of Mikrotik / Cisco it should be even simpler.

First, we set up BIRD:

bird.conf

router id 192.168.1.2;
table rkn;

protocol device {
    scan time 10;
};

# Servers
protocol bgp bgp_server1 {
    table rkn;
    local as 65000;
    neighbor 192.168.1.1 as 65000;
    direct;
    bfd on;
    next hop self;
    graceful restart;
    graceful restart time 60;
    rr client;
    export none;
    import all;
}

protocol kernel {
    table rkn;
    kernel table 222;
    scan time 10;
    export all;
    import none;
}

Thus, we will synchronize the routes received from BGP with kernel routing table number 222.

After that, it is enough to ask the kernel to look at this table before looking at the default one:

# ip rule add from all pref 256 lookup 222
# ip rule
0:  from all lookup local
256:    from all lookup 222
32766:  from all lookup main
32767:  from all lookup default

That's it. What remains is to configure DHCP on the router to hand out the server's tunnel IP address as DNS, and the scheme is ready.

Shortcomings

With the current algorithm for generating and processing the list of domains, it includes, among other things, youtube.com and its CDNs.

And this leads to all videos going through the VPN, which can clog the entire channel. It may be worth compiling a list of popular exclusion domains that RKN, for the time being, does not have the guts to block. And skip them when parsing.

Conclusion

The described method allows you to bypass almost any blocking that providers currently implement.

In principle, dnstap-bgp can be used for any other purpose where some level of traffic control based on the domain name is needed. Just keep in mind that these days thousands of sites can hang on the same IP address (behind some Cloudflare, for example), so this method has rather low accuracy.

But for the needs of bypassing blocks, this is quite enough.

Additions, edits, pull requests are welcome!

Source: www.habr.com
