Ukufaneleka kokuvimbela ukuvakasha ezinsizeni ezingavunyelwe kuthinta noma yimuphi umlawuli ongase abekwe icala ngokusemthethweni lokwehluleka ukuhambisana nomthetho noma imiyalo yeziphathimandla ezifanele.
Kungani usungula kabusha isondo lapho kunezinhlelo ezikhethekile nokusabalalisa kwemisebenzi yethu, isibonelo: Zeroshell, pfSense, ClearOS.
Abaphathi bebenomunye umbuzo: Ingabe umkhiqizo osetshenzisiwe unaso isitifiketi sokuphepha esivela esifundeni sethu?
Sibe nolwazi lokusebenza ngokusatshalaliswa okulandelayo:
- I-Zeroshell - abathuthukisi baze banikela ngelayisense yeminyaka emi-2, kodwa kwavela ukuthi ikhithi yokusabalalisa ebesiyithanda, ngokungenangqondo, yasenzela umsebenzi obalulekile;
- pfSense - inhlonipho nodumo, ngasikhathi sinye kuyisicefe, ukujwayela umugqa womyalo we-FreeBSD firewall futhi akusilungele ngokwanele (ngicabanga ukuthi kuyindaba yomkhuba, kepha kuphenduke indlela engalungile);
- I-ClearOS - ku-hardware yethu ibonakale ihamba kancane kakhulu, asikwazanga ukufinyelela ekuhlolweni okubucayi, kungani-ke izixhumanisi ezinzima kangaka?
- Ideco SELECTA. Umkhiqizo we-Ideco uyingxoxo ehlukile, umkhiqizo othokozisayo, kodwa ngenxa yezizathu zezepolitiki hhayi zethu, futhi ngifuna "ukubaluma" mayelana nelayisensi ye-Linux, i-Roundcube, njll. Bawuthathaphi umqondo wokuthi ngokusika i-interface ibe Python futhi ngokuphuca amalungelo abasebenzisi abakhulu, bangathengisa umkhiqizo osuphelile owenziwe ngamamojula athuthukisiwe futhi ashintshiwe avela emphakathini we-inthanethi asakazwa ngaphansi kwe-GPL&njll.
Ngiyaqonda ukuthi izibabazo ezingezinhle manje zizothululela ngakumi nezimfuno zokuqinisekisa imizwa yami ngokuningiliziwe, kodwa ngifuna ukusho ukuthi le nodi yenethiwekhi iphinde ibe yi-traffic balancer yeziteshi ezi-4 zangaphandle ze-Intanethi, futhi isiteshi ngasinye sinezici zaso. . Elinye itshe legumbi kwaba isidingo sokuthi okukodwa kokuxhumana kwenethiwekhi kusebenze ezindaweni ezihlukene zamakheli, futhi I isilungile vuma ukuthi ama-VLAN angasetshenziswa yonke indawo lapho kunesidingo futhi kungadingeki ayilungile. Kukhona amadivaysi asetshenziswayo njenge-TP-Link TL-R480T+ - awaziphathi kahle, ngokuvamile, ngama-nuances awo. Kube nokwenzeka ukulungisa le ngxenye ku-Linux sibonga kuwebhusayithi esemthethweni ye-Ubuntu . Ngaphezu kwalokho, isiteshi ngasinye "singawa" nganoma yisiphi isikhathi, futhi sikhuphuke. Uma unentshisekelo kusikripthi esisebenzayo njengamanje (futhi lokhu kuwufanele ukushicilelwa okuhlukile), bhala kumazwana.
Isixazululo esicatshangelwayo asisho ukuthi sihlukile, kodwa ngingathanda ukubuza umbuzo: "Kungani ibhizinisi kufanele livumelane nemikhiqizo engabazekayo evela eceleni enezidingo ezibucayi zehadiwe lapho kungacatshangelwa enye inketho?"
Uma e-Russian Federation kukhona uhlu lwe-Roskomnadzor, e-Ukraine kukhona isijobelelo seSinqumo soMkhandlu Wezokuphepha Kazwelonke (isibonelo. ), abaholi bendawo nabo abalali. Isibonelo, sinikezwe uhlu lwezindawo ezingavunyelwe, ngokubona kwabaphathi, zikhubaza ukukhiqiza emsebenzini.
Ukuxhumana nozakwethu kwamanye amabhizinisi, lapho ngokuzenzakalelayo zonke izingosi zivinjelwe futhi kuphela uma ucela ngemvume yomphathi ungakwazi ukufinyelela indawo ethile, ukumomotheka ngenhlonipho, ukucabanga kanye "nokubhema phezu kwenkinga", saqonda ukuthi ukuphila kusekuhle futhi siqale ukusesha kwabo.
Ukuba nethuba hhayi nje lokubona ngokuhlaziya lokho abakubhala βezincwadini zamakhosikaziβ mayelana nokuhlunga kwethrafikhi, kodwa futhi ukubona ukuthi kwenzekani eziteshini zabahlinzeki abahlukene, siqaphele izindlela zokupheka ezilandelayo (noma yiziphi izithombe-skrini zisikiwe kancane, sicela uqonde ):
Umhlinzeki 1
- ayihluphi futhi ibeka amaseva ayo e-DNS kanye neseva elibamba esobala. Nokho?.. kodwa siyakwazi ukufinyelela lapho sikudinga khona (uma sikudinga :))
Umhlinzeki 2
- ukholelwa ukuthi umhlinzeki wakhe ophezulu kufanele acabange ngalokhu, usekelo lochwepheshe lomhlinzeki ophezulu lwaze lwavuma ukuthi kungani ngingakwazi ukuvula isayithi engangilidinga, elalingavinjelwe. Ngicabanga ukuthi isithombe sizokujabulisa :)
Njengoba kwenzeka, bahumusha amagama amasayithi avinjelwe kumakheli e-IP futhi bavimbe i-IP ngokwayo (abakhathazwa ukuthi leli kheli le-IP lingabamba amasayithi angu-20).
Umhlinzeki 3
- ivumela ithrafikhi ukuthi iye lapho, kodwa ayikuvumeli ukuthi ibuyele emzileni.
Umhlinzeki 4
- yenqabela konke ukukhohlisa ngamaphakethe ngendlela eshiwo.
Yini okufanele uyenze nge-VPN (inhlonipho yesiphequluli se-Opera) nama-plugin esiphequluli? Ukudlala nge-node Mikrotik ekuqaleni, saze sathola iresiphi eningi yezinsiza ze-L7, okwadingeka siyishiye kamuva (kungase kube namagama anqatshelwe kakhulu, kuyadabukisa lapho, ngaphezu kwezibopho zayo eziqondile zemizila, ku-3 dozen. izinkulumo umthwalo weprosesa we-PPC460GT uya ku-100 %).
.
Okwaba sobala:
I-DNS ku-127.0.0.1 ayilona neze ikhambi, iziphequluli zesimanje zisakuvumela ukuthi udlule izinkinga ezinjalo. Akunakwenzeka ukukhawulela bonke abasebenzisi kumalungelo ancishisiwe, futhi akumele sikhohlwe ngenani elikhulu lenye i-DNS. I-inthanethi ayimile, futhi ngaphezu kwamakheli amasha e-DNS, amasayithi angavunyelwe athenga amakheli amasha, ashintshe izizinda ezisezingeni eliphezulu, futhi angangeza/asuse uhlamvu ekhelini lawo. Kodwa usenelungelo lokuphila into efana nalena:
ip route add blackhole 1.2.3.4Kungasebenza kahle kakhulu ukuthola uhlu lwamakheli e-IP ohlwini lwamasayithi anqatshelwe, kodwa ngenxa yezizathu ezishiwo ngenhla, sidlulele ekucabangeni mayelana nama-Iptables. Bekuvele kukhona ibhalansi ebukhoma ekukhishweni kwe-CentOS Linux 7.5.1804.
I-inthanethi yomsebenzisi kufanele isheshe, futhi Isiphequluli akufanele silinde uhhafu weminithi, siphethe ngokuthi leli khasi alitholakali. Ngemva kokusesha isikhathi eside safika kule modeli:
Ifayela 1 -> /script/denied_host, uhlu lwamagama anqatshelwe:
test.test
blablabla.bubu
torrent
pornoIfayela 2 -> /script/denied_range, uhlu lwezikhala namakheli angavunyelwe:
192.168.111.0/24
241.242.0.0/16Ifayela Lombhalo 3 -> ipt.shukwenza umsebenzi ngama-ipables:
# ΡΡΠΈΡΡΠ²Π°Π΅ΠΌ ΠΏΠΎΠ»Π΅Π·Π½ΡΡ ΠΈΠ½ΡΠΎΡΠΌΠ°ΡΠΈΡ ΠΈΠ· ΠΏΠ΅ΡΠ΅ΡΠ½Π΅ΠΉ ΡΠ°ΠΉΠ»ΠΎΠ²
HOSTS=`cat /script/denied_host | grep -v '^#'`
RANGE=`cat /script/denied_range | grep -v '^#'`
echo "Stopping firewall and allowing everyone..."
# ΡΠ±ΡΠ°ΡΡΠ²Π°Π΅ΠΌ Π²ΡΠ΅ Π½Π°ΡΡΡΠΎΠΉΠΊΠΈ iptables, ΡΠ°Π·ΡΠ΅ΡΠ°Ρ ΡΠΎ ΡΡΠΎ Π½Π΅ Π·Π°ΠΏΡΠ΅ΡΠ΅Π½ΠΎ
sudo iptables -F
sudo iptables -X
sudo iptables -t nat -F
sudo iptables -t nat -X
sudo iptables -t mangle -F
sudo iptables -t mangle -X
sudo iptables -P INPUT ACCEPT
sudo iptables -P FORWARD ACCEPT
sudo iptables -P OUTPUT ACCEPT
#ΡΠ΅ΡΠ°Π΅ΠΌ ΠΎΠ±Π½ΠΎΠ²ΠΈΡΡ ΠΈΠ½ΡΠΎΡΠΌΠ°ΡΠΈΡ ΠΎ ΠΌΠ°ΡΡΡΡΡΠ°Ρ
(ΠΎΡΠΎΠ±Π΅Π½Π½ΠΎΡΡΡ Π½Π°ΡΠ΅ΠΉ Π°ΡΡ
ΠΈΡΠ΅ΠΊΡΡΡΡ)
sudo sh rout.sh
# ΡΠΈΠΊΠ»ΠΈΡΠ΅ΡΠΊΠΈ ΠΎΠ±ΡΠ°Π±Π°ΡΡΠ²Π°Ρ ΠΊΠ°ΠΆΠ΄ΡΡ ΡΡΡΠΎΠΊΡ ΡΠ°ΠΉΠ»Π° ΠΏΡΠΈΠΌΠ΅Π½ΡΠ΅ΠΌ ΠΏΡΠ°Π²ΠΈΠ»ΠΎ Π±Π»ΠΎΠΊΠΈΡΠΎΠ²ΠΊΠΈ ΡΡΡΠΎΠΊΠΈ
for i in $HOSTS; do
sudo iptables -I FORWARD -m string --string $i --algo bm --from 1 --to 600 -p tcp -j REJECT --reject-with tcp-reset;
sudo iptables -I FORWARD -m string --string $i --algo bm --from 1 --to 600 -p udp -j DROP;
done
# ΡΠΈΠΊΠ»ΠΈΡΠ΅ΡΠΊΠΈ ΠΎΠ±ΡΠ°Π±Π°ΡΡΠ²Π°Ρ ΠΊΠ°ΠΆΠ΄ΡΡ ΡΡΡΠΎΠΊΡ ΡΠ°ΠΉΠ»Π° ΠΏΡΠΈΠΌΠ΅Π½ΡΠ΅ΠΌ ΠΏΡΠ°Π²ΠΈΠ»ΠΎ Π±Π»ΠΎΠΊΠΈΡΠΎΠ²ΠΊΠΈ Π°Π΄ΡΠ΅ΡΠ°
for i in $RANGE; do
sudo iptables -I FORWARD -p UDP -d $i -j DROP;
sudo iptables -I FORWARD -p TCP -d $i -j REJECT --reject-with tcp-reset;
done
Ukusetshenziswa kwe-sudo kungenxa yokuthi sinokugqekeza okuncane kokuphatha nge-WEB interface, kodwa njengoba ulwazi lokusebenzisa imodeli enjalo isikhathi esingaphezu konyaka lubonisile, i-WEB ayidingeki kangako. Ngemuva kokuqaliswa, kube nesifiso sokwengeza uhlu lwamasayithi ku-database, njll. Inani labasingathi abavinjiwe lingaphezu kuka-250 + izikhala zamakheli eziyishumi nambili. Kukhona inkinga ngempela lapho uya kusayithi ngoxhumano lwe-https, njengomphathi wesistimu, nginezikhalazo mayelana neziphequluli :), kodwa lezi yizimo ezikhethekile, iningi lezimbangela zokuntuleka kokufinyelela kunsiza zisehlangothini lwethu. , siphinde sivimbe ngempumelelo i-Opera VPN nama-plugin afana ne-friGate ne-telemetry evela ku-Microsoft.
Source: www.habr.com