Basa rekuvhara traffic kubva kune dzimwe nyika rinoita serakapusa, asi maonerwo ekutanga anogona kunyengera. Nhasi tichakuudza kuti izvi zvingaitwa sei.
prehistory
Zvigumisiro zvekutsvaga kweGoogle pamusoro penyaya iyi zvinoodza mwoyo: zvizhinji zvezvigadziriswa zvakagara "zvakaora" uye dzimwe nguva zvinoratidzika kuti nyaya iyi yakavharwa uye yakakanganwa zvachose. Isu takabatanidza akawanda ezvinyorwa zvekare uye takagadzirira kugovera shanduro yemazuva ano yemirairo.
Tinokurudzira kuti uverenge chinyorwa chose usati waita iyi mirairo.
Kugadzirira sisitimu yekushandisa
Sefa ichagadziriswa uchishandisa utility iptables, izvo zvinoda kuwedzerwa kushanda neGeoIP data. Iyi yekuwedzera inogona kuwanikwa mukati . xtables-addons inoisa mawedzero eiptables seyakazvimirira kernel modules, saka hapana chikonzero chekudzosera iyo OS kernel.
Panguva yekunyora, iyo yazvino vhezheni ye xtables-addons ndeye 3.9. Nekudaro, 20.04 chete inogona kuwanikwa mune yakajairwa Ubuntu 3.8 LTS repositori, uye 18.04 muUbuntu 3.0 repositori. Iwe unogona kuisa iyo yekuwedzera kubva kumaneja wepakeji nemurairo unotevera:
apt install xtables-addons-common libtext-csv-xs-perlZiva kuti pane misiyano midiki asi yakakosha pakati pevhezheni 3.9 uye mamiriro azvino eprojekiti, yatichakurukura gare gare. Kuvaka kubva kusource code, isa ese anodiwa mapakeji:
apt install git build-essential autoconf make libtool iptables-dev libxtables-dev pkg-config libnet-cidr-lite-perl libtext-csv-xs-perlClone iyo repository:
git clone https://git.code.sf.net/p/xtables-addons/xtables-addons xtables-addons-xtables-addons
cd xtables-addons-xtables-addonsxtables-addons ine akawanda ekuwedzera, asi isu tinongofarira xt_geoip. Kana iwe usingade kudhonza zvisina kufanira ekuwedzera muhurongwa, unogona kuvabvisa kubva pakuvaka. Kuti uite izvi unofanirwa kugadzirisa faira mconfig. Kune ese ma module anodiwa, isa y, uye maka zvose zvisina kufanira n. Tinounganidza:
./autogen.sh./configuremakeUye isa nekodzero dze superuser:
make installPanguva yekuiswa kwekernel modules, kukanganisa kwakafanana neinotevera kunogona kuitika:
INSTALL /root/xtables-addons-xtables-addons/extensions/xt_geoip.ko
At main.c:160:
- SSL error:02001002:system library:fopen:No such file or directory: ../crypto/bio/bss_file.c:72
- SSL error:2006D080:BIO routines:BIO_new_file:no such file: ../crypto/bio/bss_file.c:79
sign-file: certs/signing_key.pem: No such file or directoryMamiriro ezvinhu aya anomuka nekuda kwekutadza kusaina kernel modules, nekuti hapana chekusaina. Unogona kugadzirisa dambudziko iri nemimwe mirairo:
cd /lib/modules/(uname -r)/build/certscat <<EOF > x509.genkey[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
x509_extensions = myexts
[ req_distinguished_name ]
CN = Modules
[ myexts ]
basicConstraints=critical,CA:FALSE
keyUsage=digitalSignature
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
EOFopenssl req -new -nodes -utf8 -sha512 -days 36500 -batch -x509 -config x509.genkey -outform DER -out signing_key.x509 -keyout signing_key.pemIyo yakasanganiswa kernel module yakaiswa, asi sisitimu haizvione. Ngatibvunzei sisitimu kuti igadzire mepu yekutsamira ichifunga nezve module nyowani, tozoiisa:
depmod -amodprobe xt_geoipNgativei nechokwadi chekuti xt_geoip yaiswa muhurongwa:
# lsmod | grep xt_geoip
xt_geoip 16384 0
x_tables 40960 2 xt_geoip,ip_tablesPamusoro pezvo, ita shuwa kuti iyo yekuwedzera inoiswa muma iptables:
# cat /proc/net/ip_tables_matches
geoip
icmpIsu tinofara nezvose uye chasara kuwedzera zita remodule ku / etc / moduleskuitira kuti module inoshanda mushure mekutangazve OS. Kubva zvino zvichienda mberi, iptables inonzwisisa geoip mirairo, asi haina data yakakwana yekushanda nayo. Ngatitange kurodha geoip dhatabhesi.
Kuwana iyo GeoIP Database
Isu tinogadzira dhairekitori umo ruzivo rwunonzwisisika kune iptables yekuwedzera ichachengetwa:
mkdir /usr/share/xt_geoipPakutanga kwechinyorwa, takataura kuti pane mutsauko pakati pevhezheni kubva kune kodhi kodhi uye vhezheni kubva kune pasuru maneja. Musiyano unonyanya kuoneka ndeye shanduko yemutengesi wedatabase uye script xt_geoip_dl, iyo inodhawunirodha data ichangoburwa.
Package maneja shanduro
Iyo script iri munzira /usr/lib/xtables-addons, asi paunoyedza kuimhanyisa, uchaona isina ruzivo rwakanyanya kukanganisa:
# ./xt_geoip_dl
unzip: cannot find or open GeoLite2-Country-CSV.zip, GeoLite2-Country-CSV.zip.zip or GeoLite2-Country-CSV.zip.ZIP.Pakutanga, chigadzirwa cheGeoLite, chave kuzivikanwa seGeoLite Legacy, chakagoverwa pasi perezinesi, chaishandiswa sedatabase. kambani . Zviitiko zviviri zvakaitika nechigadzirwa ichi kamwechete icho "chakaputsa" kuenderana neiyo iptables yekuwedzera.
Kutanga, muna Ndira 2018 nezve kupera kwekutsigirwa kwechigadzirwa, uye muna Ndira 2019, 2, zvese zvinongedzo zvekurodha vhezheni yekare yedhatabhesi zvakabviswa pawebhusaiti yepamutemo. Vashandisi vatsva vanokurudzirwa kushandisa iyo GeoLite2 chigadzirwa kana yayo yakabhadharwa vhezheni GeoIPXNUMX.
Kechipiri, kubva muna Zvita 2019 MaxMind nezve shanduko yakakosha mukuwana kune yavo database. Kuti vatevedzere California Consumer Privacy Act, MaxMind yakafunga "kuvhara" kugoverwa kweGeoLite2 nekunyoresa.
Sezvo isu tichida kushandisa chigadzirwa chavo, isu tichanyoresa pane ino peji.
Iwe unozogamuchira email ichikumbira kuti uise password. Zvino zvatagadzira account, isu tinofanirwa kugadzira kiyi rezinesi. Muakaundi yako wega tinowana chinhu chacho Makiyi angu erezinesi, wobva wadzvanya bhatani Gadzira kiyi yerezinesi nyowani.
Kana tichigadzira kiyi, isu tichabvunzwa mubvunzo mumwe chete: tichashandisa kiyi iyi muchirongwa cheGeoIP Update? Tinopindura zvisina kunaka uye tinya bhatani simbisa. Kiyi icharatidzwa pahwindo rinobuda. Sevha kiyi iyi munzvimbo yakachengeteka, sekunge wangovhara hwindo repop-up, hauchakwanisa kuona kiyi yese.
Isu tine kugona kudhawunirodha GeoLite2 dhatabhesi nemaoko, asi chimiro chavo hachienderane nefomati inotarisirwa neiyo xt_geoip_build script. Apa ndipo panouya GeoLite2xtables zvinyorwa zvinouya kuzonunura. Kuti uite zvinyorwa, isa iyo NetAddr ::IP perl module:
wget https://cpan.metacpan.org/authors/id/M/MI/MIKER/NetAddr-IP-4.079.tar.gztar xvf NetAddr-IP-4.079.tar.gzcd NetAddr-IP-4.079perl Makefile.PLmakemake installTevere, isu tinogadzirisa repository nezvinyorwa uye tonyora iyo yakambowanikwa rezinesi kiyi kufaira:
git clone https://github.com/mschmitt/GeoLite2xtables.gitcd GeoLite2xtablesecho YOUR_LICENSE_KEY=β123ertyui123' > geolite2.licenseNgatimhanyei zvinyorwa:
# Π‘ΠΊΠ°ΡΠΈΠ²Π°Π΅ΠΌ Π΄Π°Π½Π½ΡΠ΅ GeoLite2
./00_download_geolite2
# Π‘ΠΊΠ°ΡΠΈΠ²Π°Π΅ΠΌ ΠΈΠ½ΡΠΎΡΠΌΠ°ΡΠΈΡ ΠΎ ΡΡΡΠ°Π½Π°Ρ
(Π΄Π»Ρ ΡΠΎΠΎΡΠ²Π΅ΡΡΡΠ²ΠΈΡ ΠΊΠΎΠ΄Ρ)
./10_download_countryinfo
# ΠΠΎΠ½Π²Π΅ΡΡΠΈΡΡΠ΅ΠΌ GeoLite2 Π±Π°Π·Ρ Π² ΡΠΎΡΠΌΠ°Ρ GeoLite Legacy
cat /tmp/GeoLite2-Country-Blocks-IPv{4,6}.csv |
./20_convert_geolite2 /tmp/CountryInfo.txt > /usr/share/xt_geoip/dbip-country-lite.csvMaxMind inoisa muganho we2000 kudhawunirodha pazuva uye, nenhamba huru yemaseva, inopa cache iyo yekuvandudza pane proxy server.
Ndokumbira utarise kuti iyo yakabuda faira inofanirwa kudanwa dbip-country-lite.csv... Nehurombo, 20_convert_geolite2 haiburitse faira yakakwana. Script xt_geoip_build inotarisira makoramu matatu:
- kutanga kwekero renji;
- kupera kwekero renji;
- kodhi yenyika mu iso-3166-alpha2.
Uye iyo yakabuda faira ine makoramu matanhatu:
- kutanga kwekero renji (tambo inomiririra);
- kuguma kwekero renji (tambo inomiririra);
- kutanga kwekero renji (nhamba inomiririra);
- kupera kwekero renji (nhamba inomiririra);
- kodhi yenyika;
- zita renyika.
Kusiyana uku kwakakosha uye kunogona kugadziriswa neimwe yenzira mbiri:
- edit 20_convert_geolite2;
- edit xt_geoip_build.
Muchiitiko chekutanga tinoderedza kune chimiro chinodiwa, uye chechipiri - tinoshandura kugoverwa kune kushanduka $cc pamusoro $mutsara-> [4]. Mushure meizvi, unogona kugadzira:
/usr/lib/xtables-addons/xt_geoip_build -S /usr/share/xt_geoip/ -D /usr/share/xt_geoip. . .
2239 IPv4 ranges for ZA
348 IPv6 ranges for ZA
56 IPv4 ranges for ZM
12 IPv6 ranges for ZM
56 IPv4 ranges for ZW
15 IPv6 ranges for ZWCherechedza kuti munyori haitarise zvinyorwa zvayo zvakagadzirira kugadzirwa uye zvinopihwa kuitira kugadzirwa kwepakutanga xt_geoip_* zvinyorwa. Naizvozvo, ngatiendererei kugungano kubva kumakodhi ezvinyorwa, umo zvinyorwa izvi zvakatovandudzwa.
Kwakabva shanduro
Paunenge uchiisa kubva kusource kodhi zvinyorwa xt_geoip_* dziri mukatalogi /usr/local/libexec/xtables-addons. Iyi vhezheni yechinyorwa inoshandisa database . Rezinesi ndeyeCreative Commons Attribution License, uye kubva kune iripo data pane anodiwa makoramu matatu. Dhawunirodha uye unganidza database:
cd /usr/share/xt_geoip//usr/local/libexec/xtables-addons/xt_geoip_dl/usr/local/libexec/xtables-addons/xt_geoip_buildMushure mematanho aya, iptables yakagadzirira kushanda.
Kushandisa geoip mune iptables
Module xt_geoip anowedzera makiyi maviri chete:
geoip match options:
[!] --src-cc, --source-country country[,country...]
Match packet coming from (one of) the specified country(ies)
[!] --dst-cc, --destination-country country[,country...]
Match packet going to (one of) the specified country(ies)
NOTE: The country is inputed by its ISO3166 code.Nzira dzekugadzira mitemo yeptables, kazhinji, inoramba isina kuchinjwa. Kuti ushandise makiyi kubva kune mamwe mamodule, iwe unofanirwa kutsanangura zvakajeka zita reiyo module ine -m switch. Semuenzaniso, mutemo wekuvharisa inouya TCP kubatana pachiteshi 443 kwete kubva kuUSA pane ese mainterfaces:
iptables -I INPUT ! -i lo -p tcp --dport 443 -m geoip ! --src-cc US -j DROPMafaira akagadzirwa ne xt_geoip_build anoshandiswa chete kana achigadzira mitemo, asi haana kuverengerwa kana kusefa. Saka, kuti ugadzirise nemazvo geoip dhatabhesi, unofanira kutanga wagadziridza iv* mafaera, wobva wadzoreredza mitemo yese inoshandisa geoip muiptables.
mhedziso
Kusefa mapaketi zvichienderana nenyika izano rakambokanganwika nenguva. Zvisinei neizvi, maturusi esoftware ekusefa kwakadaro ari kugadzirwa uye, pamwe, munguva pfupi inotevera vhezheni itsva ye xt_geoip ine itsva geoip data provider ichaonekwa mumapakeji maneja, izvo zvinorerutsa zvakanyanya hupenyu hwevatariri vehurongwa.
Vashandisi vakanyoresa chete ndivo vanogona kutora chikamu muongororo. , Munogamuchirwa.
Wakamboshandisa kusefa nenyika here?
-
59,1%Hongu13
-
40,9%No9
22 vashandisi vakavhota. 3 vashandisi vakaramba.
Source: www.habr.com