xtables-addons: filtering packets by country

Blocking traffic from certain countries looks like a simple task, but first impressions can be deceiving. Today we will show how it can be implemented.

Background

Google search results on this topic are disappointing: most of the solutions have long since "rotted", and at times it seems the topic was shelved and forgotten for good. We went through a lot of old write-ups and are ready to share an up-to-date version of the instructions.

We recommend reading the whole article before running any of these commands.

Preparing the operating system

Filtering will be configured with the iptables utility, which needs an extension to work with GeoIP data. That extension is available in xtables-addons. xtables-addons installs the iptables extensions as independent kernel modules, so there is no need to recompile the OS kernel.

At the time of writing, the current version of xtables-addons is 3.9. However, only 3.8 is available in the standard Ubuntu 20.04 LTS repositories, and 3.0 in Ubuntu 18.04. You can install the extension from the package manager with the following command:

apt install xtables-addons-common libtext-csv-xs-perl

Note that there are small but important differences between version 3.9 and the current state of the project, which we will come back to later. To build from source, install all the required packages:

apt install git build-essential autoconf make libtool iptables-dev libxtables-dev pkg-config libnet-cidr-lite-perl libtext-csv-xs-perl

Clone the repository:

git clone https://git.code.sf.net/p/xtables-addons/xtables-addons xtables-addons-xtables-addons

cd xtables-addons-xtables-addons

xtables-addons contains many extensions, but we are only interested in xt_geoip. If you do not want to pull unneeded extensions into the system, you can exclude them from the build. To do that, edit the mconfig file: set every module you want to y and mark every module you do not need with n. Build:

./autogen.sh

./configure

make

And install with superuser privileges:

make install

While the kernel modules are being installed, an error like this may occur:

INSTALL /root/xtables-addons-xtables-addons/extensions/xt_geoip.ko
At main.c:160:
- SSL error:02001002:system library:fopen:No such file or directory: ../crypto/bio/bss_file.c:72
- SSL error:2006D080:BIO routines:BIO_new_file:no such file: ../crypto/bio/bss_file.c:79
sign-file: certs/signing_key.pem: No such file or directory

This happens because the kernel modules cannot be signed: there is no key to sign them with. You can fix the problem with a few commands:

cd /lib/modules/$(uname -r)/build/certs

cat <<EOF > x509.genkey

[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
x509_extensions = myexts

[ req_distinguished_name ]
CN = Modules

[ myexts ]
basicConstraints=critical,CA:FALSE
keyUsage=digitalSignature
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
EOF

openssl req -new -nodes -utf8 -sha512 -days 36500 -batch -x509 -config x509.genkey -outform DER -out signing_key.x509 -keyout signing_key.pem

The compiled kernel module is installed, but the system does not know about it yet. Let's ask the system to rebuild the dependency map so that it includes the new module, and then load it:

depmod -a

modprobe xt_geoip

Let's check that xt_geoip has been loaded:

# lsmod | grep xt_geoip
xt_geoip               16384  0
x_tables               40960  2 xt_geoip,ip_tables

In addition, check that the extension has been loaded into iptables:

# cat /proc/net/ip_tables_matches 
geoip
icmp

Everything looks good; all that remains is to add the module name to /etc/modules so that the module is loaded after the OS reboots. From this point on, iptables understands the geoip options, but it does not yet have the data it needs to work with them. Let's start loading the geoip data.

Getting the GeoIP data

Create the directory that will hold the data in the form the iptables extension understands:

mkdir /usr/share/xt_geoip

At the beginning of the article we mentioned that the version built from source differs from the package-manager version. The most noticeable difference is the change of data vendor and of the xt_geoip_dl script, which downloads the latest data.

Package-manager version

The script is located in /usr/lib/xtables-addons, but when you try to run it you get a not very informative error:

# ./xt_geoip_dl 
unzip:  cannot find or open GeoLite2-Country-CSV.zip, GeoLite2-Country-CSV.zip.zip or GeoLite2-Country-CSV.zip.ZIP.

Previously the database used was the GeoLite product, now known as GeoLite Legacy, distributed by MaxMind under the Creative Commons ASA 4.0 license. Two things happened to this product at once that "broke" compatibility with the iptables extension.

First, in January 2018 the end of support for the product was announced, and on January 2, 2019, all download links for the old version of the database were removed from the official website. New users are advised to use the GeoLite2 product or its paid version, GeoIP2.

Second, in December 2019 MaxMind announced a significant change to how its databases are accessed. To comply with the California Consumer Privacy Act, MaxMind decided to put the GeoLite2 distribution behind registration.

Since we want to use their product, we will register on this page.

You will then receive an email asking you to set a password. Now that the account exists, we need to create a license key. In your account, find the My License Keys item, then click the Generate new license key button.

When the key is created we are asked only one question: will this key be used with the GeoIP Update program? We answer no and click the Confirm button. The key is shown in a pop-up window. Save the key in a safe place, because once you close the pop-up window you will no longer be able to see the full key.

We can now download the GeoLite2 databases manually, but their format does not match the format the xt_geoip_build script expects. This is where the GeoLite2xtables scripts come to the rescue. To run the scripts, install the NetAddr::IP perl module:

wget https://cpan.metacpan.org/authors/id/M/MI/MIKER/NetAddr-IP-4.079.tar.gz

tar xvf NetAddr-IP-4.079.tar.gz

cd NetAddr-IP-4.079

perl Makefile.PL

make

make install

Next, clone the repository with the scripts and write the license key obtained earlier to a file:

git clone https://github.com/mschmitt/GeoLite2xtables.git

cd GeoLite2xtables

echo YOUR_LICENSE_KEY='123ertyui123' > geolite2.license

Run the scripts:

# Download the GeoLite2 data
./00_download_geolite2
# Download the country information (to map it to the country code)
./10_download_countryinfo
# Convert the GeoLite2 database to the GeoLite Legacy format
cat /tmp/GeoLite2-Country-Blocks-IPv{4,6}.csv |
./20_convert_geolite2 /tmp/CountryInfo.txt > /usr/share/xt_geoip/dbip-country-lite.csv

MaxMind imposes a limit of 2000 downloads per day and, where there are many servers, suggests caching the update on a proxy server.

Note that the output file must be named dbip-country-lite.csv. Unfortunately, 20_convert_geolite2 does not produce a usable file as-is. The xt_geoip_build script expects three columns:

  • start of the address range;
  • end of the address range;
  • country code in iso-3166-alpha2.

The output file contains six columns:

  • start of the address range (string representation);
  • end of the address range (string representation);
  • start of the address range (numeric representation);
  • end of the address range (numeric representation);
  • country code;
  • country name.

This discrepancy is critical and can be fixed in one of two ways:

  1. edit 20_convert_geolite2;
  2. edit xt_geoip_build.

In the first case we reduce the printf to the required format; in the second we change the assignment of the variable $cc to $row->[4]. After that you can build:

/usr/lib/xtables-addons/xt_geoip_build -S /usr/share/xt_geoip/ -D /usr/share/xt_geoip

. . .
 2239 IPv4 ranges for ZA
  348 IPv6 ranges for ZA
   56 IPv4 ranges for ZM
   12 IPv6 ranges for ZM
   56 IPv4 ranges for ZW
   15 IPv6 ranges for ZW
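
The same six-to-three column reduction can also be applied as a filter on the converted file before xt_geoip_build runs. This is an added example, not code from GeoLite2xtables or xtables-addons; the helper name trim_geoip_csv and the sample rows are constructed, and it assumes the string-form start and end columns are the ones to keep, as in the $row->[4] fix above.

```shell
# Added example (not from GeoLite2xtables or xtables-addons).
# trim_geoip_csv is a hypothetical helper: it reads the six-column CSV on
# stdin and writes start,end,country-code rows on stdout.
trim_geoip_csv() {
    awk -F',' '
        # Strip optional surrounding double quotes from one CSV field.
        function unq(s) { gsub(/^"|"$/, "", s); return s }
        {
            first = unq($1); last = unq($2); cc = unq($5)
            # A quoted country name may itself contain commas, so NF can
            # exceed six; fewer than six fields means a truncated row.
            if (NF < 6 || first == "" || last == "" || cc !~ /^[A-Z][A-Z]$/) {
                bad++
                next
            }
            print first "," last "," cc
        }
        END { if (bad) printf "skipped %d malformed row(s)\n", bad > "/dev/stderr" }
    '
}

# Constructed sample rows: plain, quoted with a comma in the name, IPv6,
# and one truncated row that must be rejected.
GEOIP_SAMPLE='1.0.0.0,1.0.0.255,16777216,16777471,AU,Australia
"1.0.1.0","1.0.3.255","16777472","16778239","KR","Korea, Republic of"
2001:db8::,2001:db8::ffff,1,2,JP,Japan
1.0.4.0,1.0.7.255,AU'

printf '%s\n' "$GEOIP_SAMPLE" | trim_geoip_csv
```

Rejected rows are counted on stderr, so a truncated download shows up before the database is built rather than as missing ranges afterwards.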

Note that the author of GeoLite2xtables does not consider his scripts production-ready and suggests following the development of the original xt_geoip_* scripts. So let's move on to the build from source, where these scripts have already been updated.

Source-build version

When installed from source, the xt_geoip_* scripts are located in the directory /usr/local/libexec/xtables-addons. This version of the script uses the IP to Country Lite database. It is licensed under the Creative Commons Attribution License, and the data contains exactly the three required columns. Download and build the database:

cd /usr/share/xt_geoip/

/usr/local/libexec/xtables-addons/xt_geoip_dl

/usr/local/libexec/xtables-addons/xt_geoip_build

After these steps, iptables is ready to work.

Using geoip in iptables

The xt_geoip module adds only two options:

geoip match options:
[!] --src-cc, --source-country country[,country...]
	Match packet coming from (one of) the specified country(ies)
[!] --dst-cc, --destination-country country[,country...]
	Match packet going to (one of) the specified country(ies)

NOTE: The country is inputed by its ISO3166 code.

The way iptables rules are created does not change in general. To use the options of an additional module, you must name the module explicitly with the -m option. For example, a rule that blocks incoming TCP connections to port 443 that do not come from the USA, on all interfaces except loopback:

iptables -I INPUT ! -i lo -p tcp --dport 443 -m geoip ! --src-cc US -j DROP

The files generated by xt_geoip_build are used only when rules are created; they are not consulted during filtering. Therefore, to update the geoip data correctly, you must first update the iv* files and then re-create every iptables rule that uses geoip.
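
Before re-creating the rules after an update, it helps to confirm that every country the rules reference still has a data file. The following is an added example, not part of xtables-addons: the function names and the sample ruleset are constructed, and the <dir>/<CC>.iv4 file layout is an assumption about what xt_geoip_build writes.

```shell
# Added example: list the country codes that saved rules reference and flag
# those with no data file. Function names are hypothetical; the
# <dir>/<CC>.iv4 layout is an assumption about xt_geoip_build output.

# Print each country code used by a geoip match in iptables-save text (stdin).
geoip_rule_countries() {
    awk '
        /-m geoip/ {
            for (i = 1; i < NF; i++)
                if ($i ~ /^--(src-cc|dst-cc|source-country|destination-country)$/) {
                    n = split($(i + 1), cc, ",")
                    for (j = 1; j <= n; j++) print cc[j]
                }
        }
    ' | sort -u
}

# Print the codes read from stdin that have no <dir>/<CC>.iv4 file.
missing_geoip_files() {
    dir=$1
    while read -r cc; do
        [ -f "$dir/$cc.iv4" ] || printf '%s\n' "$cc"
    done
}

# Constructed sample in iptables-save format.
RULES_SAMPLE='*filter
-A INPUT ! -i lo -p tcp -m tcp --dport 443 -m geoip ! --source-country US -j DROP
-A INPUT -p tcp -m tcp --dport 22 -m geoip --source-country DE,NL -j ACCEPT
-A INPUT -p icmp -j ACCEPT
COMMIT'

# Check the sample against the data directory used in this article.
printf '%s\n' "$RULES_SAMPLE" | geoip_rule_countries |
    missing_geoip_files "${GEOIP_DIR:-/usr/share/xt_geoip}"
```

On a live host, feed the functions from iptables-save instead of the sample. When no code is reported missing, saving the ruleset and loading it back with iptables-restore is one way to re-create every rule so that the new files are read.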

Conclusion

Country-based packet filtering is a technique that time has somewhat forgotten. Even so, the software for this kind of filtering is still being developed, and a new version of xt_geoip with the new geoip data provider may soon appear in the package managers, which will greatly simplify life for system administrators.


Source: www.habr.com
