Ukufaneleka kokuthintela utyelelo kwizibonelelo ezithintelweyo kuchaphazela nawuphi na umlawuli onokumangalelwa ngokusemthethweni ngokusilela ukuthobela umthetho okanye imiyalelo yabasemagunyeni abafanelekileyo.
Kutheni ukubuyisela ivili xa kukho iinkqubo ezikhethekileyo kunye nokuhanjiswa kwemisebenzi yethu, umzekelo: Zeroshell, pfSense, ClearOS.
Abaphathi babenomnye umbuzo: Ngaba imveliso esetyenzisiweyo inaso isatifikethi sokhuseleko esivela kwilizwe lethu?
Sinamava okusebenza ngosasazo olulandelayo:
- I-Zeroshell - abaphuhlisi bade banikela ngelayisenisi yeminyaka emi-2, kodwa kwavela ukuba ikiti yokusabalalisa esasinomdla kuyo, ngokungekho ngqiqweni, yenza umsebenzi obalulekileyo kuthi;
- pfSense - intlonipho kunye nembeko, kwangaxeshanye iyadika, ukuqhela kumgca womyalelo weFreeBSD firewall kwaye ayilungelanga ngokwaneleyo kuthi (ndicinga ukuba ngumcimbi womkhwa, kodwa yaba yindlela engalunganga);
- I-ClearOS-kwi-hardware yethu iye yacotha kakhulu, asikwazanga ukufikelela kuvavanyo olunzulu, kutheni le nto ujongano olunzima kangaka?
- Ideco SELECTA. Imveliso ye-Ideco yingxoxo eyahlukileyo, imveliso enomdla, kodwa ngenxa yezizathu zezopolitiko kungekhona kuthi, kwaye ndifuna "ukuluma" malunga nelayisenisi ye-Linux efanayo, i-Roundcube, njl. Bayifumana phi ingcamango yokuba ngokusika i-interface ibe Python kwaye ngokuthatha amalungelo omsebenzisi ophezulu, banokuthengisa imveliso egqityiweyo eyenziwe ngeemodyuli eziphuhlisiwe kunye nezilungisiweyo ezivela kuluntu lwe-Intanethi olusasazwa phantsi kwe-GPL & njl.
Ndiyaqonda ukuba ngoku izikhuzo ezimbi ziya kuthululela kwicala lam kunye neemfuno zokuqinisekisa iimvakalelo zam ezizimeleyo ngokweenkcukacha, kodwa ndifuna ukuthi le node yenethiwekhi ikwayi-traffic balancer ye-4 itshaneli zangaphandle kwi-Intanethi, kwaye itshaneli ngalinye lineempawu zalo. . Elinye ilitye lembombo yayiyimfuneko yokuba enye yeendlela ezininzi zonxibelelwano lwenethiwekhi isebenze kwiindawo ezahlukeneyo zeedilesi, kwaye I ilungile vuma ukuba iiVLANs zinokusetyenziswa kuyo yonke indawo apho kuyimfuneko kwaye kungekho mfuneko ayilunganga. Kukho izixhobo ezisetyenziswayo ezifana ne-TP-Link TL-R480T + - abaziphathanga ngokugqibeleleyo, ngokubanzi, kunye ne-nuances yabo. Kwakunokwenzeka ukuqwalasela le nxalenye kwi-Linux enkosi kwi-Ubuntu iwebhusayithi esemthethweni . Ngaphezu koko, ishaneli nganye "inokuwa" nangaliphi na ixesha, kunye nokunyuka. Ukuba unomdla kwiskripthi esisebenzayo ngoku (kwaye oku kufanelekile ukupapashwa okwahlukileyo), bhala kwizimvo.
Isisombululo esiqwalaselwayo asisibanga sahlukile, kodwa ndingathanda ukubuza lo mbuzo: "Kutheni le nto ishishini kufuneka liziqhelanise neemveliso ezithandabuzekayo zomntu wesithathu ezineemfuno ezinzulu zehardware xa kunokuqwalaselwa enye indlela?"
Ukuba kwiRussian Federation kukho uluhlu lweRoskomnadzor, e-Ukraine kukho isihlomelo kwiSigqibo seBhunga loKhuseleko lweSizwe (umzekelo. ), ke iinkokeli zendawo azilali nazo. Umzekelo, sinikwe uluhlu lweendawo ezithintelweyo ezithi, ngokoluvo lwabaphathi, ziphazamise imveliso emsebenzini.
Ukunxibelelana nabalingane kwamanye amashishini, apho ngokungagqibekanga zonke iisayithi zithintelwe kwaye kuphela xa uceliwe ngemvume yomphathi unokufikelela kwindawo ethile, uncumo ngembeko, ukucinga kunye βnokutshaya phezu kwengxakiβ, siye saqonda ukuba ubomi. iselungile kwaye siqale ukukhangela kwabo.
Ukuba nethuba kungekhona nje ngokuhlalutya oko bakubhala "kwiincwadi zabafazi" malunga nokucoca i-traffic, kodwa nokubona okwenzekayo kwiitshaneli zababoneleli abahlukeneyo, siye saqaphela ezi ndlela zokupheka zilandelayo (naziphi na izikrini zincinci, nceda uqonde ):
Umboneleli 1
-ayikhathazi kwaye ibeka iiseva zayo ze-DNS kunye neseva yommeleli ecacileyo. Ewe? .. kodwa sinokufikelela apho sifuna khona (ukuba siyayifuna :))
Umboneleli 2
- ukholelwa ukuba umnikezeli wakhe ophezulu kufuneka acinge ngale nto, inkxaso yezobuchwepheshe yomnikezeli ophezulu waze wavuma ukuba kutheni ndingakwazi ukuvula indawo endiyidingayo, eyayingavumelekanga. Ndicinga ukuba umfanekiso uya kukonwabisa :)
Njengoko kwavela, baguqulela amagama eendawo ezinqatshelwe kwiidilesi ze-IP kwaye bavimbe i-IP ngokwayo (abakhathazwa kukuba le dilesi ye-IP inokusingatha iindawo ze-20).
Umboneleli 3
- ivumela itrafikhi ukuba iye apho, kodwa ayikuvumeli umva endleleni.
Umboneleli 4
- inqanda zonke iipakethi eziphathwayo kwicala elichaziweyo.
Yintoni onokuyenza nge-VPN (ngembeko kwi-browser ye-Opera) kunye neeplagi zesiphequluli? Ukudlala nge-node ye-Mikrotik ekuqaleni, sade safumana iresiphi enzima ye-L7, emva koko kwafuneka siyilahle (kunokuba namagama anqatshelwe ngakumbi, kuba buhlungu xa, ngaphezu koxanduva oluthe ngqo lweendlela, kwi-3 dozen. intetho umthwalo weprosesa wePPC460GT uya kwi 100 %).
.
Yintoni eyacacayo:
I-DNS ku-127.0.0.1 ayisiyiyo i-panacea ngokupheleleyo; Akunakwenzeka ukunciphisa bonke abasebenzisi kumalungelo ancitshisiweyo, kwaye akufuneki silibale malunga nenani elikhulu lenye i-DNS. I-intanethi ayigxininisi, kwaye ngaphezu kweedilesi ezintsha ze-DNS, iisayithi ezinqatshelwe zithenga iidilesi ezintsha, zitshintshe i-domain eziphezulu, kwaye zingongeza / zisuse umlingiswa kwidilesi yazo. Kodwa usenelungelo lokuphila into enje:
ip route add blackhole 1.2.3.4Kuya kusebenza kakhulu ukufumana uluhlu lweedilesi ze-IP kuluhlu lweendawo ezithintelweyo, kodwa ngenxa yezizathu ezichazwe ngasentla, siqhubele phambili kwingqwalasela malunga nee-Iptables. Kwakukho i-balancer ephilayo kwi-CentOS Linux ukukhululwa 7.5.1804.
I-Intanethi yomsebenzisi kufuneka ikhawuleze, kwaye iBrowser akufanele ilinde isiqingatha somzuzu, igqibe kwelokuba eli phepha alikho. Emva kokukhangela ixesha elide safika kule modeli:
Ifayile 1 -> /script/denied_host, uluhlu lwamagama athintelweyo:
test.test
blablabla.bubu
torrent
pornoIfayile 2 -> /script/denied_range, uluhlu lwezithuba zeedilesi ezithintelweyo kunye needilesi:
192.168.111.0/24
241.242.0.0/16Ifayile yeskripthi 3 -> ipt.shukwenza umsebenzi ngeepables:
# ΡΡΠΈΡΡΠ²Π°Π΅ΠΌ ΠΏΠΎΠ»Π΅Π·Π½ΡΡ ΠΈΠ½ΡΠΎΡΠΌΠ°ΡΠΈΡ ΠΈΠ· ΠΏΠ΅ΡΠ΅ΡΠ½Π΅ΠΉ ΡΠ°ΠΉΠ»ΠΎΠ²
HOSTS=`cat /script/denied_host | grep -v '^#'`
RANGE=`cat /script/denied_range | grep -v '^#'`
echo "Stopping firewall and allowing everyone..."
# ΡΠ±ΡΠ°ΡΡΠ²Π°Π΅ΠΌ Π²ΡΠ΅ Π½Π°ΡΡΡΠΎΠΉΠΊΠΈ iptables, ΡΠ°Π·ΡΠ΅ΡΠ°Ρ ΡΠΎ ΡΡΠΎ Π½Π΅ Π·Π°ΠΏΡΠ΅ΡΠ΅Π½ΠΎ
sudo iptables -F
sudo iptables -X
sudo iptables -t nat -F
sudo iptables -t nat -X
sudo iptables -t mangle -F
sudo iptables -t mangle -X
sudo iptables -P INPUT ACCEPT
sudo iptables -P FORWARD ACCEPT
sudo iptables -P OUTPUT ACCEPT
#ΡΠ΅ΡΠ°Π΅ΠΌ ΠΎΠ±Π½ΠΎΠ²ΠΈΡΡ ΠΈΠ½ΡΠΎΡΠΌΠ°ΡΠΈΡ ΠΎ ΠΌΠ°ΡΡΡΡΡΠ°Ρ
(ΠΎΡΠΎΠ±Π΅Π½Π½ΠΎΡΡΡ Π½Π°ΡΠ΅ΠΉ Π°ΡΡ
ΠΈΡΠ΅ΠΊΡΡΡΡ)
sudo sh rout.sh
# ΡΠΈΠΊΠ»ΠΈΡΠ΅ΡΠΊΠΈ ΠΎΠ±ΡΠ°Π±Π°ΡΡΠ²Π°Ρ ΠΊΠ°ΠΆΠ΄ΡΡ ΡΡΡΠΎΠΊΡ ΡΠ°ΠΉΠ»Π° ΠΏΡΠΈΠΌΠ΅Π½ΡΠ΅ΠΌ ΠΏΡΠ°Π²ΠΈΠ»ΠΎ Π±Π»ΠΎΠΊΠΈΡΠΎΠ²ΠΊΠΈ ΡΡΡΠΎΠΊΠΈ
for i in $HOSTS; do
sudo iptables -I FORWARD -m string --string $i --algo bm --from 1 --to 600 -p tcp -j REJECT --reject-with tcp-reset;
sudo iptables -I FORWARD -m string --string $i --algo bm --from 1 --to 600 -p udp -j DROP;
done
# ΡΠΈΠΊΠ»ΠΈΡΠ΅ΡΠΊΠΈ ΠΎΠ±ΡΠ°Π±Π°ΡΡΠ²Π°Ρ ΠΊΠ°ΠΆΠ΄ΡΡ ΡΡΡΠΎΠΊΡ ΡΠ°ΠΉΠ»Π° ΠΏΡΠΈΠΌΠ΅Π½ΡΠ΅ΠΌ ΠΏΡΠ°Π²ΠΈΠ»ΠΎ Π±Π»ΠΎΠΊΠΈΡΠΎΠ²ΠΊΠΈ Π°Π΄ΡΠ΅ΡΠ°
for i in $RANGE; do
sudo iptables -I FORWARD -p UDP -d $i -j DROP;
sudo iptables -I FORWARD -p TCP -d $i -j REJECT --reject-with tcp-reset;
done
Ukusetyenziswa kwe-sudo kungenxa yokuba sine-hack encinci yokulawula ngokusebenzisa i-WEB interface, kodwa njengamava ekusebenziseni imodeli engaphezulu konyaka ibonisiwe, i-WEB ayiyimfuneko kangako. Emva kokuphunyezwa, kwakukho umnqweno wokongeza uluhlu lweendawo kwi-database, njl. Inani leenginginya ezivaliweyo lingaphezulu kwe-250 + izithuba zeedilesi ezilishumi elinesibini. Kukho ngokwenene ingxaki xa usiya kwindawo ngokusebenzisa uxhulumaniso lwe-https, njengomlawuli wenkqubo, ndinezikhalazo malunga nabaphequluli :), kodwa ezi ziimeko ezikhethekileyo, uninzi lwezinto ezibangela ukunqongophala kokufikelela kwisixhobo zisekho kwicala lethu. , siphinde sithintele ngempumelelo i-Opera VPN kunye neeplagi ezifana nefriGate kunye ne-telemetry evela kwiMicrosoft.
umthombo: www.habr.com