Umsebenzi wokuthintela izithuthi ezivela kumazwe athile ubonakala ulula, kodwa imbonakalo yokuqala inokukhohlisa. Namhlanje siza kukuxelela ukuba le nto ingaphunyezwa njani.
ukubuzwa
Iziphumo zokukhangela kweGoogle kwesi sihloko ziyadanisa: uninzi lwezisombululo sele lude "lubolile" kwaye ngamanye amaxesha kubonakala ngathi esi sihloko sigcinwe kwaye silibalekile ngonaphakade. Sidlule kwiirekhodi ezininzi ezindala kwaye sikulungele ukwabelana ngoguqulelo lwangoku lwemiyalelo.
Sicebisa ukuba ulifunde lonke inqaku phambi kokwenza le miyalelo.
Ukulungiselela inkqubo yokusebenza
Uhluzo luya kuqwalaselwa kusetyenziswa into eluncedo iptables, efuna ulwandiso lokusebenza ngedatha yeGeoIP. Olu lwandiso lunokufumaneka kwi . I-xtables-addons ifakela izandiso zee-iptables njengeemodyuli zekernel ezizimeleyo, ngoko akukho mfuneko yokuqokelela kwakhona i-OS kernel.
Ngexesha lokubhala, inguqulelo yangoku yee-xtables-addons yi-3.9. Nangona kunjalo, yi-20.04 kuphela enokufumaneka kwiindawo zokugcina ze-Ubuntu 3.8 LTS, kunye ne-18.04 kwii-Ubuntu 3.0 zokugcina. Ungafaka ulwandiso kumphathi wepakethe ngalo myalelo ulandelayo:
apt install xtables-addons-common libtext-csv-xs-perlQaphela ukuba kukho umahluko omncinci kodwa obalulekileyo phakathi kwenguqulo 3.9 kunye nemeko yangoku yeprojekthi, esiza kuxoxa ngayo kamva. Ukwakha kwikhowudi yemvelaphi, faka zonke iipakethe eziyimfuneko:
apt install git build-essential autoconf make libtool iptables-dev libxtables-dev pkg-config libnet-cidr-lite-perl libtext-csv-xs-perlCola indawo yokugcina:
git clone https://git.code.sf.net/p/xtables-addons/xtables-addons xtables-addons-xtables-addons
cd xtables-addons-xtables-addonsI-xtables-addons iqulethe izongezo ezininzi, kodwa sinomdla kuphela xt_geoip. Ukuba awufuni ukutsala izandiso ezingeyomfuneko kwinkqubo, unokuzikhuphela ngaphandle kolwakhiwo. Ukwenza oku kufuneka uhlele ifayile mconfig. Kuzo zonke iimodyuli ezifunekayo, faka y, kwaye uphawule zonke ezingeyomfuneko n. Siqokelela:
./autogen.sh./configuremakeKwaye faka ngamalungelo omsebenzisi ophezulu:
make installNgexesha lofakelo lweemodyuli zekernel, impazamo efana nale ilandelayo inokwenzeka:
INSTALL /root/xtables-addons-xtables-addons/extensions/xt_geoip.ko
At main.c:160:
- SSL error:02001002:system library:fopen:No such file or directory: ../crypto/bio/bss_file.c:72
- SSL error:2006D080:BIO routines:BIO_new_file:no such file: ../crypto/bio/bss_file.c:79
sign-file: certs/signing_key.pem: No such file or directoryLe meko ivela ngenxa yokungenakwenzeka kokusayina iimodyuli ze-kernel, kuba akukho nto yokutyikitya. Ungayisombulula le ngxaki ngemiyalelo embalwa:
cd /lib/modules/(uname -r)/build/certscat <<EOF > x509.genkey[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
x509_extensions = myexts
[ req_distinguished_name ]
CN = Modules
[ myexts ]
basicConstraints=critical,CA:FALSE
keyUsage=digitalSignature
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
EOFopenssl req -new -nodes -utf8 -sha512 -days 36500 -batch -x509 -config x509.genkey -outform DER -out signing_key.x509 -keyout signing_key.pemImodyuli ye-kernel ehlanganisiweyo ifakiwe, kodwa inkqubo ayiyibhaqi. Masibuze inkqubo ukuba yenze imephu yokuxhomekeka ithathela ingqalelo imodyuli entsha, kwaye emva koko ilayishe:
depmod -amodprobe xt_geoipMasiqinisekise ukuba i-xt_geoip ilayishiwe kwinkqubo:
# lsmod | grep xt_geoip
xt_geoip 16384 0
x_tables 40960 2 xt_geoip,ip_tablesUkongeza, qiniseka ukuba ulwandiso lulayishwe kwii-iptables:
# cat /proc/net/ip_tables_matches
geoip
icmpSiyavuya ngayo yonke into kwaye okuseleyo kukongeza igama lemodyuli kuyo / njl / iimodyuliukuze imodyuli isebenze emva kokuqalisa ngokutsha i-OS. Ukususela ngoku, iptables iyayiqonda imiyalelo ye-geoip, kodwa ayinayo idatha eyaneleyo yokusebenza nayo. Masiqalise ukulayisha idatabase ye geoip.
Ukufumana iDatha yeGeoIP
Senza uluhlu apho ulwazi oluqondakalayo kulwandiso lwe-iptables luya kugcinwa:
mkdir /usr/share/xt_geoipEkuqaleni kwenqaku, sikhankanye ukuba kukho ukungafani phakathi koguqulelo oluvela kwikhowudi yomthombo kunye noguqulelo oluvela kumphathi wephakheji. Umahluko obonakalayo lutshintsho kumthengisi wedatha kunye neskripthi xt_geoip_dl, ekhuphela idatha yamva nje.
Uguqulelo lomphathi wepakethi
Iskripthi sikwimendo /usr/lib/xtables-addons, kodwa xa uzama ukusiqhuba, uya kubona impazamo engenalwazi kakhulu:
# ./xt_geoip_dl
unzip: cannot find or open GeoLite2-Country-CSV.zip, GeoLite2-Country-CSV.zip.zip or GeoLite2-Country-CSV.zip.ZIP.Ngaphambili, imveliso yeGeoLite, ngoku eyaziwa ngokuba yiGeoLite Legacy, isasazwe phantsi kwelayisensi, yayisetyenziswa njengendawo yogcino-lwazi. Inkampani . Iziganeko ezibini zenzeke kunye nale mveliso ngokukhawuleza "yaphuka" ukuhambelana nokwandiswa kwe-iptables.
Okokuqala, ngoJanuwari 2018 malunga nokupheliswa kwenkxaso yemveliso, kwaye ngoJanuwari 2019, 2, zonke izixhumanisi zokukhuphela inguqulo endala yedatha zisusiwe kwiwebhusayithi esemthethweni. Abasebenzisi abatsha bayacetyiswa ukuba basebenzise imveliso yeGeoLite2 okanye inguqulelo yayo ehlawulweyo yeGeoIPXNUMX.
Okwesibini, ukusukela ngoDisemba ka-2019 iMaxMind malunga notshintsho olubalulekileyo ekufikeleleni koovimba beenkcukacha zabo. Ukuthobela i-California Consumer Privacy Act, iMaxMind igqibe ekubeni "igubungele" ukuhanjiswa kweGeoLite2 ngobhaliso.
Ekubeni sifuna ukusebenzisa imveliso yabo, siya kubhalisa kweli phepha.
Emva koko uya kufumana i-imeyile ekucela ukuba usete igama eliyimfihlo. Ngoku ukuba senze i-akhawunti, kufuneka senze isitshixo selayisensi. Kwi-akhawunti yakho yobuqu sifumana into Izitshixo zam zelayisensi, kwaye emva koko ucofe iqhosha Yenza iqhosha elitsha lelayisensi.
Xa udala isitshixo, siya kubuzwa umbuzo omnye kuphela: ngaba siya kusebenzisa esi sitshixo kwinkqubo yoHlaziyo lweGeoIP? Siphendula kakubi kwaye cinezela iqhosha Qinisekisa. Isitshixo siya kuboniswa kwifestile ye-pop-up. Gcina esi sitshixo kwindawo ekhuselekileyo, njengokuba nje uvale i-pop-up window, awusayi kuphinda ube nakho ukujonga isitshixo sonke.
Siyakwazi ukukhuphela i-database ye-GeoLite2 ngesandla, kodwa ifomathi yabo ayihambelani nefomathi elindeleke ngeskripthi se-xt_geoip_build. Apha kulapho izikripthi zeGeoLite2xtables zisiza khona. Ukuqhuba izikripthi, faka i-NetAddr::IP imodyuli ye-perl:
wget https://cpan.metacpan.org/authors/id/M/MI/MIKER/NetAddr-IP-4.079.tar.gztar xvf NetAddr-IP-4.079.tar.gzcd NetAddr-IP-4.079perl Makefile.PLmakemake installOkulandelayo, sidibanisa indawo yokugcina kunye nezikripthi kwaye sibhale isitshixo selayisensi esifunyenwe ngaphambili kwifayile:
git clone https://github.com/mschmitt/GeoLite2xtables.gitcd GeoLite2xtablesecho YOUR_LICENSE_KEY=β123ertyui123' > geolite2.licenseMasiqhube izikripthi:
# Π‘ΠΊΠ°ΡΠΈΠ²Π°Π΅ΠΌ Π΄Π°Π½Π½ΡΠ΅ GeoLite2
./00_download_geolite2
# Π‘ΠΊΠ°ΡΠΈΠ²Π°Π΅ΠΌ ΠΈΠ½ΡΠΎΡΠΌΠ°ΡΠΈΡ ΠΎ ΡΡΡΠ°Π½Π°Ρ
(Π΄Π»Ρ ΡΠΎΠΎΡΠ²Π΅ΡΡΡΠ²ΠΈΡ ΠΊΠΎΠ΄Ρ)
./10_download_countryinfo
# ΠΠΎΠ½Π²Π΅ΡΡΠΈΡΡΠ΅ΠΌ GeoLite2 Π±Π°Π·Ρ Π² ΡΠΎΡΠΌΠ°Ρ GeoLite Legacy
cat /tmp/GeoLite2-Country-Blocks-IPv{4,6}.csv |
./20_convert_geolite2 /tmp/CountryInfo.txt > /usr/share/xt_geoip/dbip-country-lite.csvI-MaxMind ibeka umda wokukhutshelwa kwe-2000 ngosuku kwaye, kunye nenani elikhulu leeseva, inikezela ngokugcina ukuhlaziywa kwiseva yommeleli.
Nceda uqaphele ukuba ifayile yemveliso kufuneka ibizwe dbip-country-lite.csv... Ngelishwa, 20_convert_geolite2 ayivelisi ifayile egqibeleleyo. Ushicilelo xt_geoip_build ilindele iikholamu ezintathu:
- ukuqala koluhlu lweedilesi;
- ukuphela koluhlu lweedilesi;
- ikhowudi yelizwe kwi-iso-3166-alpha2.
Kwaye ifayile yemveliso iqulethe iikholamu ezintandathu:
- ukuqala koluhlu lweedilesi (umelo lwentambo);
- isiphelo soluhlu lweedilesi (umboniso womtya);
- ukuqala koluhlu lweedilesi (ukumelwa kwamanani);
- ukuphela koluhlu lweedilesi (umelo lwamanani);
- ikhowudi yelizwe;
- igama lelizwe.
Lo mahluko ubalulekile kwaye unokulungiswa ngenye yeendlela ezimbini:
- hlela 20_convert_geolite2;
- hlela xt_geoip_build.
Kwimeko yokuqala sinciphisa kwifomathi efunekayo, kwaye okwesibini - sitshintsha isabelo kwi-variable $cc phezu $umqolo->[4]. Emva koko unokwakha:
/usr/lib/xtables-addons/xt_geoip_build -S /usr/share/xt_geoip/ -D /usr/share/xt_geoip. . .
2239 IPv4 ranges for ZA
348 IPv6 ranges for ZA
56 IPv4 ranges for ZM
12 IPv6 ranges for ZM
56 IPv4 ranges for ZW
15 IPv6 ranges for ZWQaphela ukuba umbhali ayithatheli ingqalelo izikripthi zayo ezilungele ukuveliswa kunye nokunikezelwa kuphuhliso lwemibhalo eshicilelweyo ye-xt_geoip_* yoqobo. Ke ngoko, masiqhubele phambili kwindibano ukusuka kwiikhowudi zomthombo, apho ezi zikripthi sele zihlaziyiwe.
Uguqulelo lomthombo
Xa uhlohla kwikhowudi yemibhalo yemvelaphi xt_geoip_* zibekwe kwikhathalogu /usr/local/libexec/xtables-addons. Olu guqulelo lweskripthi lusebenzisa isiseko sedatha . Ilayisensi yiCreative Commons Attribution License, kwaye kwidatha ekhoyo kukho iikholamu ezintathu eziyimfuneko kakhulu. Khuphela kwaye udibanise isiseko sedatha:
cd /usr/share/xt_geoip//usr/local/libexec/xtables-addons/xt_geoip_dl/usr/local/libexec/xtables-addons/xt_geoip_buildEmva kwala manyathelo, iiptables zilungele ukusebenza.
Ukusebenzisa i-geoip kwii-iptables
Imodyuli xt_geoip yongeza kuphela izitshixo ezimbini:
geoip match options:
[!] --src-cc, --source-country country[,country...]
Match packet coming from (one of) the specified country(ies)
[!] --dst-cc, --destination-country country[,country...]
Match packet going to (one of) the specified country(ies)
NOTE: The country is inputed by its ISO3166 code.Iindlela zokwenza imigaqo yeeptables, ngokubanzi, zihlala zingatshintshi. Ukusebenzisa izitshixo ezisuka kwiimodyuli ezongezelelweyo, kufuneka ucacise ngokucacileyo igama lemodyuli ene--m switch. Umzekelo, umthetho wokuvala uqhagamshelo lwe-TCP olungenayo kwi-port 443 hayi ukusuka e-USA kuzo zonke iindawo zojongano:
iptables -I INPUT ! -i lo -p tcp --dport 443 -m geoip ! --src-cc US -j DROPIifayile ezenziwe ngu xt_geoip_build zisetyenziswa kuphela xa kuyilwa imithetho, kodwa azithathelwa ngqalelo xa kuhluzwa. Ngaloo ndlela, ukuhlaziya ngokuchanekileyo i-database ye-geoip, kufuneka uqale uhlaziye iifayile ze-iv*, kwaye uphinde wenze yonke imigaqo esebenzisa i-geoip kwiiptables.
isiphelo
Ukuhluza iipakethi ezisekelwe kumazwe liqhinga elithile elilityelweyo lixesha. Ngaphandle koku, izixhobo zesoftware zokucoca okunjalo ziyaphuhliswa kwaye, mhlawumbi, kungekudala inguqulelo entsha ye-xt_geoip enomboneleli wedatha entsha ye-geoip iya kuvela kubaphathi bephakheji, eya kwenza lula kakhulu ubomi babalawuli benkqubo.
Ngabasebenzisi ababhalisiweyo kuphela abanokuthatha inxaxheba kuphando. , ndiyacela.
Ngaba ukhe wasebenzisa ukuhluza ngokwelizwe?
-
59,1%Ewe13
-
40,9%No9
22 abasebenzisi bavoti. Abasebenzisi aba-3 abakhange.
umthombo: www.habr.com