xtables-addons: filtering packets by country

The task of blocking traffic from certain countries looks simple, but first impressions can be deceptive. Today we will show how it can be done.

Background

Google search results on this topic are disappointing: most of the solutions went "stale" long ago, and at times it seems the subject was shelved and forgotten for good. We relied on many old write-ups and decided to share an up-to-date version of the instructions.

We recommend reading the whole article before executing these instructions.

Preparing the operating system

The configuration will be done with the iptables utility, which needs an extension to work with GeoIP data. That extension is found in xtables-addons. xtables-addons installs its iptables extensions as separate kernel modules, so there is no need to rebuild the OS kernel.

At the time of writing, the current version of xtables-addons is 3.9. However, only 3.8 is available in the standard Ubuntu 20.04 LTS repositories, and only 3.0 in the Ubuntu 18.04 repositories. You can install the extension from the package manager with the following command:

apt install xtables-addons-common libtext-csv-xs-perl

Note that there is a small but important difference between version 3.9 and the current state of the project, which we will discuss later. To build from source, install all the required packages:

apt install git build-essential autoconf make libtool iptables-dev libxtables-dev pkg-config libnet-cidr-lite-perl libtext-csv-xs-perl

Clone the repository:

git clone https://git.code.sf.net/p/xtables-addons/xtables-addons xtables-addons-xtables-addons

cd xtables-addons-xtables-addons

xtables-addons contains many extensions, but we are only interested in xt_geoip. If you don't want to pull unnecessary extensions into the system, you can exclude them from the build. To do that, edit the mconfig file: set y for every module you want and mark all the unnecessary ones with n. Now build:

./autogen.sh

./configure

make

And install with superuser privileges:

make install

While the kernel modules are being installed, an error like the following may appear:

INSTALL /root/xtables-addons-xtables-addons/extensions/xt_geoip.ko
At main.c:160:
- SSL error:02001002:system library:fopen:No such file or directory: ../crypto/bio/bss_file.c:72
- SSL error:2006D080:BIO routines:BIO_new_file:no such file: ../crypto/bio/bss_file.c:79
sign-file: certs/signing_key.pem: No such file or directory

This happens because the kernel modules cannot be signed: there is no key to sign them with. You can fix it with a few commands:

cd /lib/modules/$(uname -r)/build/certs

cat <<EOF > x509.genkey

[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
x509_extensions = myexts

[ req_distinguished_name ]
CN = Modules

[ myexts ]
basicConstraints=critical,CA:FALSE
keyUsage=digitalSignature
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
EOF

openssl req -new -nodes -utf8 -sha512 -days 36500 -batch -x509 -config x509.genkey -outform DER -out signing_key.x509 -keyout signing_key.pem

The compiled kernel module is installed, but the system does not see it yet. Let's ask the system to rebuild the module dependency map so that it includes the new module, then load it:

depmod -a

modprobe xt_geoip

Let's make sure xt_geoip is loaded:

# lsmod | grep xt_geoip
xt_geoip               16384  0
x_tables               40960  2 xt_geoip,ip_tables

Additionally, make sure the extension is available to iptables:

# cat /proc/net/ip_tables_matches
geoip
icmp

Everything looks good, and all that remains is to add the module name to /etc/modules so that the module is loaded after an OS reboot. From now on iptables understands the geoip directives, but it has no data to work with. Let's move on to installing the geoip database.

Obtaining the GeoIP database

Create the directory in which the data, in the format understood by the iptables extension, will be stored:

mkdir /usr/share/xt_geoip

At the beginning of the article we mentioned that there is a difference between the version built from source and the version from the package manager. The most noticeable difference is the change of database provider and of the xt_geoip_dl script, which downloads the latest data.

Package manager version

The script is located in /usr/lib/xtables-addons, but when you try to run it, you will see a not very informative error:

# ./xt_geoip_dl
unzip:  cannot find or open GeoLite2-Country-CSV.zip, GeoLite2-Country-CSV.zip.zip or GeoLite2-Country-CSV.zip.ZIP.

Previously, the GeoLite product, now known as GeoLite Legacy and distributed by MaxMind under the Creative Commons ASA 4.0 license, was used as the database. Two events happened to this product that immediately "broke" its compatibility with the iptables extension.

First, in January 2018 the end of support for the product was announced, and on January 2, 2019 all links for downloading the old version of the database were removed from the official website. New users are encouraged to use the GeoLite2 product or its paid version, GeoIP2.

Second, in December 2019 MaxMind announced a major change in access to its data. In accordance with the California Consumer Privacy Act, MaxMind decided to put the distribution of GeoLite2 behind registration.

Since we want to use their product, we will register on this page.

After that you will receive an email asking you to set a password. Now that we have an account, we need to create a license key. In your account, find the My License Keys item and click the Generate New License Key button.

When creating the key we are asked only one question: will this key be used with the GeoIP Update program? We answer no and click Confirm. The key appears in a pop-up window. Save it in a safe place, because once you close the pop-up you will no longer be able to see the full key.

We could download the GeoLite2 data manually, but its format does not match the format expected by the xt_geoip_build script. This is where the GeoLite2xtables scripts help. To run them, install the NetAddr::IP Perl module:

wget https://cpan.metacpan.org/authors/id/M/MI/MIKER/NetAddr-IP-4.079.tar.gz

tar xvf NetAddr-IP-4.079.tar.gz

cd NetAddr-IP-4.079

perl Makefile.PL

make

make install

After that, clone the repository with the scripts and write the license key obtained earlier to a file:

git clone https://github.com/mschmitt/GeoLite2xtables.git

cd GeoLite2xtables

echo YOUR_LICENSE_KEY='123ertyui123' > geolite2.license

Let's run the scripts:

# Download the GeoLite2 data
./00_download_geolite2
# Download the country information (to match codes to countries)
./10_download_countryinfo
# Convert the GeoLite2 database into the GeoLite Legacy format
cat /tmp/GeoLite2-Country-Blocks-IPv{4,6}.csv |
./20_convert_geolite2 /tmp/CountryInfo.txt > /usr/share/xt_geoip/dbip-country-lite.csv

MaxMind limits downloads to 2000 per day and, for a large number of servers, recommends keeping the updates on a proxy server.

Please note that the output file must be named dbip-country-lite.csv. Unfortunately, 20_convert_geolite2 does not produce a fully suitable file. The xt_geoip_build script expects three columns:

  • start of the address range;
  • end of the address range;
  • country code in ISO-3166-alpha2.

But the generated file has six columns:

  • start of the address range (string representation);
  • end of the address range (string representation);
  • start of the address range (numeric representation);
  • end of the address range (numeric representation);
  • country code;
  • country name.

This difference matters, and it can be fixed in one of two ways:

  1. edit 20_convert_geolite2;
  2. edit xt_geoip_build.

In the first case we cut the output down to the required format; in the second we change the assignment to the $cc variable so that it uses $row->[4]. After that you can run:

/usr/lib/xtables-addons/xt_geoip_build -S /usr/share/xt_geoip/ -D /usr/share/xt_geoip

. . .
 2239 IPv4 ranges for ZA
  348 IPv6 ranges for ZA
   56 IPv4 ranges for ZM
   12 IPv6 ranges for ZM
   56 IPv4 ranges for ZW
   15 IPv6 ranges for ZW
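Option 1 above (cutting the output of 20_convert_geolite2 down to the three columns xt_geoip_build expects) can be done with a small filter. The following is an added example, not code from the article or from the GeoLite2xtables project; the function name to_three_columns and the sample rows are our own, constructed for the demonstration, and the filter assumes the quoted, six-column legacy layout described above.

```shell
#!/bin/sh
# Added example (not from the article or from GeoLite2xtables): reduce the
# six-column legacy-style CSV written by 20_convert_geolite2 to the three
# columns xt_geoip_build expects (range start, range end, ISO 3166 alpha-2 code).
# Fields are split on the quote-comma-quote sequence between quoted fields, so a
# comma inside a country name such as "Korea, Republic of" cannot shift the
# country-code column. Reads CSV on stdin, writes the reduced CSV on stdout;
# lines that fail validation are reported on stderr and dropped.
to_three_columns() {
    awk -F'","' '
        NF >= 5 {
            start = $1; sub(/^"/, "", start)      # strip the opening quote of the first field
            end   = $2
            cc    = $5; sub(/"$/, "", cc)         # strip the closing quote when no name column follows
            if (start ~ /^[0-9a-fA-F.:]+$/ && end ~ /^[0-9a-fA-F.:]+$/ && cc ~ /^[A-Z][A-Z]$/)
                print start "," end "," cc
            else
                print "line " NR ": skipped (bad range or country code)" > "/dev/stderr"
            next
        }
        { print "line " NR ": skipped (expected at least 5 fields)" > "/dev/stderr" }'
}

# Constructed sample rows in the layout produced by 20_convert_geolite2. The
# numeric columns are illustrative and are not used by the filter; the last
# row has an empty country code to show the validation path.
sample_input() {
    cat <<'EOF'
"1.0.0.0","1.0.0.255","16777216","16777471","AU","Australia"
"1.0.1.0","1.0.3.255","16777472","16778239","CN","China"
"1.11.0.0","1.11.255.255","17498112","17563647","KR","Korea, Republic of"
"2001:200::","2001:200:ffff:ffff:ffff:ffff:ffff:ffff","42540528726795050063891204319802818560","42540528806023212578155541913346768895","JP","Japan"
"1.4.0.0","1.4.0.255","17039360","17039615","","None"
EOF
}

# Usage on a real host (the output name is the one xt_geoip_build looks for):
#   cat /tmp/GeoLite2-Country-Blocks-IPv{4,6}.csv | ./20_convert_geolite2 /tmp/CountryInfo.txt |
#       to_three_columns > /usr/share/xt_geoip/dbip-country-lite.csv
sample_input | to_three_columns
```

Rows with an empty or malformed country code are dropped rather than passed through, because xt_geoip_build would otherwise create a country file for a code that no iptables rule can ever reference.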

Note that the GeoLite2xtables author does not consider these scripts production-ready and recommends following the development of the original xt_geoip_* scripts. So let's move on to the build from source, where those scripts have already been updated.

Source version

When installing from source, the xt_geoip_* scripts end up in the /usr/local/libexec/xtables-addons directory. This version of the scripts uses the IP to Country Lite database. Its license is the Creative Commons Attribution License, and the available data has exactly the three required columns. Download and build the database:

cd /usr/share/xt_geoip/

/usr/local/libexec/xtables-addons/xt_geoip_dl

/usr/local/libexec/xtables-addons/xt_geoip_build

After these steps, iptables is ready to work.

Using geoip in iptables

The xt_geoip module adds only two options:

geoip match options:
[!] --src-cc, --source-country country[,country...]
	Match packet coming from (one of) the specified country(ies)
[!] --dst-cc, --destination-country country[,country...]
	Match packet going to (one of) the specified country(ies)

NOTE: The country is inputed by its ISO3166 code.

The approach to building iptables rules generally stays the same. To use options from another module, you must name the module with the -m switch. For example, a rule that drops incoming TCP connections to port 443 from outside the USA on all interfaces except lo:

iptables -I INPUT ! -i lo -p tcp --dport 443 -m geoip ! --src-cc US -j DROP

The files produced by xt_geoip_build are read only when a rule is created; they are not consulted during filtering. So, to update the geoip database correctly, you must first update the iv* files and then re-apply every rule that uses geoip in iptables.

Conclusion

Filtering packets by country is a practice that has been somewhat forgotten over time. Nevertheless, the software tools for such filtering continue to be improved and, perhaps, a new version of xt_geoip with a new geoip data provider will soon appear in package managers, which would greatly simplify life for system administrators.
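The re-apply step described above can be driven from iptables-save output: every rule that carries -m geoip is replaced in place with iptables -R, which makes xt_geoip load the rebuilt country files while keeping the rule's position in its chain. The following is an added example, not code from the article or from xtables-addons; the function name geoip_replace_commands and the sample ruleset are constructed, and it assumes iptables-save renders the geoip match as shown in the sample.

```shell
#!/bin/sh
# Added example (not from the article or from xtables-addons): after rebuilding
# the database with xt_geoip_build, find every rule that uses "-m geoip" in
# iptables-save output and emit an "iptables -R" command that replaces it in
# place. Re-inserting the rule makes xt_geoip load the fresh country data, and
# -R keeps the rule's position, unlike a -D/-A pair which would move it to the
# end of the chain. Reads iptables-save output on stdin, prints one command
# per geoip rule; nothing is executed here.
geoip_replace_commands() {
    awk '
        /^\*/ { table = substr($0, 2); split("", idx); next }   # new table: reset per-chain rule counters
        /^COMMIT$/ { table = ""; next }
        /^-A / {
            chain = $2
            idx[chain]++                                          # 1-based position within the chain
            if ($0 ~ / -m geoip /) {
                spec = $0
                sub(/^-A [^ ]+ /, "", spec)                       # drop "-A CHAIN ", keep the rule spec
                print "iptables -t " table " -R " chain " " idx[chain] " " spec
            }
        }'
}

# Constructed iptables-save output used as sample input for the demo below.
sample_save() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -p tcp -m tcp --dport 443 -m geoip ! --source-country US -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -m geoip --destination-country CN,RU -j DROP
COMMIT
EOF
}

# Dry run: print what would be executed. On a real host, review the output of
#   iptables-save | geoip_replace_commands
# and pipe it to sh only after the iv* files have been rebuilt.
sample_save | geoip_replace_commands
```

The rule index is counted per chain and reset at every table header, so the generated positions stay correct for rulesets that span several tables; the geoip match itself is never rewritten, only re-submitted.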


Have you ever used filtering by country?

  • 59.1% Yes (13)

  • 40.9% No (9)

22 users voted. 3 users abstained.

Source: www.habr.com
