Umsebenzi wokuvimba ithrafikhi evela emazweni athile ubonakala ulula, kodwa okuvelayo kokuqala kungakhohlisa. Namuhla sizokutshela ukuthi lokhu kungenziwa kanjani.
prehistory
Imiphumela yosesho lwe-Google kulesi sihloko iyadumaza: iningi lezixazululo sekuyisikhathi eside "libolile" futhi ngezinye izikhathi kubonakala sengathi lesi sihloko sigcinwe eshelufini futhi sikhohliwe phakade. Sisebenzise amarekhodi amaningi amadala futhi silungele ukwabelana ngenguqulo yesimanje yemiyalelo.
Sincoma ukuthi ufunde yonke indatshana ngaphambi kokusebenzisa le miyalo.
Ilungiselela uhlelo lokusebenza
Ukuhlunga kuzolungiswa kusetshenziswa insiza iptables, edinga isandiso ukuze isebenze nedatha ye-GeoIP. Lesi sandiso singatholakala ku . I-xtables-addons ifaka izandiso zama-iptables njengamamojula e-kernel azimele, ngakho-ke asikho isidingo sokuhlanganisa kabusha i-OS kernel.
Ngesikhathi sokubhala, inguqulo yamanje ye-xtables-addons ingu-3.9. Kodwa-ke, yi-20.04 kuphela engatholakala kumakhosombe ajwayelekile we-Ubuntu 3.8 LTS, kanye ne-18.04 kumakhosombe we-Ubuntu 3.0. Ungafaka isandiso esivela kumphathi wephakheji ngomyalo olandelayo:
apt install xtables-addons-common libtext-csv-xs-perlQaphela ukuthi kunomehluko omncane kodwa obalulekile phakathi kwenguqulo 3.9 kanye nesimo samanje sephrojekthi, esizoxoxa ngaso kamuva. Ukuze wakhe ngekhodi yomthombo, faka wonke amaphakheji adingekayo:
apt install git build-essential autoconf make libtool iptables-dev libxtables-dev pkg-config libnet-cidr-lite-perl libtext-csv-xs-perlKhipha indawo yokugcina:
git clone https://git.code.sf.net/p/xtables-addons/xtables-addons xtables-addons-xtables-addons
cd xtables-addons-xtables-addonsI-xtables-addons iqukethe izandiso eziningi, kodwa sinentshisekelo kuzo kuphela xt_geoip. Uma ungafuni ukuhudulela izandiso ezingadingekile ohlelweni, ungazikhipha ekwakhiweni. Ukuze wenze lokhu udinga ukuhlela ifayela mconfig. Kuwo wonke amamojula owathandayo, faka y, futhi umake zonke ezingadingekile n. Siqoqa:
./autogen.sh./configuremakeFuthi faka ngamalungelo abasebenzisi abakhulu:
make installNgesikhathi sokufakwa kwamamojula e-kernel, kungenzeka iphutha elifana nalokhu okulandelayo:
INSTALL /root/xtables-addons-xtables-addons/extensions/xt_geoip.ko
At main.c:160:
- SSL error:02001002:system library:fopen:No such file or directory: ../crypto/bio/bss_file.c:72
- SSL error:2006D080:BIO routines:BIO_new_file:no such file: ../crypto/bio/bss_file.c:79
sign-file: certs/signing_key.pem: No such file or directoryLesi simo sivela ngenxa yokungenakwenzeka kokusayina amamojula e-kernel, ngoba lutho ukusayina. Ungakwazi ukuxazulula le nkinga ngemiyalo embalwa:
cd /lib/modules/(uname -r)/build/certscat <<EOF > x509.genkey[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
x509_extensions = myexts
[ req_distinguished_name ]
CN = Modules
[ myexts ]
basicConstraints=critical,CA:FALSE
keyUsage=digitalSignature
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
EOFopenssl req -new -nodes -utf8 -sha512 -days 36500 -batch -x509 -config x509.genkey -outform DER -out signing_key.x509 -keyout signing_key.pemImojuli ye-kernel ehlanganisiwe ifakiwe, kodwa isistimu ayiyiboni. Ake sibuze isistimu ukuthi yakhe imephu yokuncika icabangela imojuli entsha, bese siyilayisha:
depmod -amodprobe xt_geoipMasiqinisekise ukuthi i-xt_geoip ilayishwe ohlelweni:
# lsmod | grep xt_geoip
xt_geoip 16384 0
x_tables 40960 2 xt_geoip,ip_tablesUkwengeza, qiniseka ukuthi isandiso silayishwe kuma-iptables:
# cat /proc/net/ip_tables_matches
geoip
icmpSijabule ngakho konke futhi okusele ukwengeza igama lemojula kuyo / njll / amamojulaukuze imodyuli isebenze ngemuva kokuqalisa kabusha i-OS. Kusukela manje, i-iptables iyaqonda imiyalo ye-geoip, kodwa ayinayo idatha eyanele yokusebenza ngayo. Masiqale ukulayisha isizindalwazi se-geoip.
Ukuthola Isizindalwazi se-GeoIP
Sakha uhla lwemibhalo lapho ulwazi oluqondakalayo kusandiso se-iptables luzogcinwa khona:
mkdir /usr/share/xt_geoipEkuqaleni kwe-athikili, sishilo ukuthi kunomehluko phakathi kwenguqulo kusuka kukhodi yomthombo kanye nenguqulo evela kumphathi wephakheji. Umehluko ophawuleka kakhulu ushintsho kumthengisi wesizindalwazi kanye neskripthi xt_geoip_dl, elanda idatha yakamuva.
Inguqulo yesiphathi sephakheji
Umbhalo utholakala endleleni /usr/lib/xtables-addons, kodwa uma uzama ukuyisebenzisa, uzobona iphutha elingafundisi kakhulu:
# ./xt_geoip_dl
unzip: cannot find or open GeoLite2-Country-CSV.zip, GeoLite2-Country-CSV.zip.zip or GeoLite2-Country-CSV.zip.ZIP.Ngaphambilini, umkhiqizo we-GeoLite, manje owaziwa ngokuthi i-GeoLite Legacy, owawusatshalaliswa ngaphansi kwelayisensi, wawusetshenziswa njengendawo egciniwe. inkampani . Imicimbi emibili yenzeke ngalo mkhiqizo ngesikhathi esisodwa "ephule" ukuhambisana nesandiso se-iptables.
Okokuqala, ngoJanuwari 2018 mayelana nokuqedwa kokusekelwa komkhiqizo, futhi ngoJanuwari 2019, 2, zonke izixhumanisi zokulanda inguqulo endala yesizindalwazi zisusiwe kuwebhusayithi esemthethweni. Abasebenzisi abasha banconywa ukuthi basebenzise umkhiqizo we-GeoLite2 noma inguqulo yawo ekhokhelwayo i-GeoIPXNUMX.
Okwesibili, kusukela ngoDisemba 2019 iMaxMind mayelana noshintsho olubalulekile ekufinyeleleni kusizindalwazi sabo. Ukuze ihambisane Nomthetho Wobumfihlo Babathengi base-California, i-MaxMind inqume "ukumboza" ukusatshalaliswa kwe-GeoLite2 ngokubhaliswa.
Njengoba sifuna ukusebenzisa umkhiqizo wabo, sizobhalisa kuleli khasi.
Uzothola i-imeyili ekucela ukuthi usethe iphasiwedi. Manje njengoba sesidale i-akhawunti, sidinga ukudala ukhiye welayisensi. Ku-akhawunti yakho yomuntu siqu sithola into Okhiye Bami Belayisensi, bese uchofoza inkinobho Khiqiza ukhiye omusha welayisensi.
Uma sidala ukhiye, sizobuzwa umbuzo owodwa kuphela: sizosebenzisa lo khiye ohlelweni Lokuvuselela i-GeoIP? Siphendula kabi bese sicindezela inkinobho Qinisekisa. Ukhiye uzovezwa efasiteleni le-pop-up. Londoloza lo khiye endaweni ephephile, njengoba uma usuvale iwindi le-pop-up, ngeke usakwazi ukubuka wonke ukhiye.
Sinekhono lokulanda imibhalo yolwazi ye-GeoLite2 mathupha, kodwa ifomethi yayo ayihambelani nefomethi elindelwe iskripthi se-xt_geoip_build. Kulapho izikripthi ze-GeoLite2xtables zisiza khona. Ukuze usebenzise imibhalo, faka i-NetAddr::IP perl module:
wget https://cpan.metacpan.org/authors/id/M/MI/MIKER/NetAddr-IP-4.079.tar.gztar xvf NetAddr-IP-4.079.tar.gzcd NetAddr-IP-4.079perl Makefile.PLmakemake installOkulandelayo, sihlanganisa indawo yokugcina ngemibhalo bese sibhala ukhiye welayisense otholwe ngaphambilini efayeleni:
git clone https://github.com/mschmitt/GeoLite2xtables.gitcd GeoLite2xtablesecho YOUR_LICENSE_KEY=’123ertyui123' > geolite2.licenseMasiqalise imibhalo:
# Скачиваем данные GeoLite2
./00_download_geolite2
# Скачиваем информацию о странах (для соответствия коду)
./10_download_countryinfo
# Конвертируем GeoLite2 базу в формат GeoLite Legacy
cat /tmp/GeoLite2-Country-Blocks-IPv{4,6}.csv |
./20_convert_geolite2 /tmp/CountryInfo.txt > /usr/share/xt_geoip/dbip-country-lite.csvI-MaxMind ibeka umkhawulo wokulandwa okungu-2000 ngosuku futhi, ngenani elikhulu lamaseva, inikezela ngokugcina isibuyekezo kuseva elibamba.
Sicela uqaphele ukuthi ifayela lokuphumayo kufanele libizwe I-dbip-country-lite.csv... Ngeshwa, 20_guqula_i-geolite2 ayikhiqizi ifayela eliphelele. Iskripthi xt_geoip_build ilindele amakholomu amathathu:
- ukuqala kwebanga lamakheli;
- ukuphela kwebanga lamakheli;
- ikhodi yezwe ku-iso-3166-alpha2.
Futhi ifayela lokuphumayo liqukethe amakholomu ayisithupha:
- ukuqala kobubanzi bekheli (ukumelwa kweyunithi yezinhlamvu);
- ukuphela kobubanzi bekheli (ukumelwa kweyunithi yezinhlamvu);
- ukuqala kohlu lwamakheli (ukumelwa kwezinombolo);
- ukuphela kohlu lwamakheli (ukumelwa kwezinombolo);
- ikhodi yezwe;
- igama lezwe.
Lokhu kwehluka kubucayi futhi kungalungiswa ngenye yezindlela ezimbili:
- hlela 20_guqula_i-geolite2;
- hlela xt_geoip_build.
Esimweni sokuqala, sinciphisa kufomethi edingekayo, futhi okwesibili - sishintsha isabelo sibe esiguquguqukayo $cc on $umugqa->[4]. Ngemva kwalokhu ungakha:
/usr/lib/xtables-addons/xt_geoip_build -S /usr/share/xt_geoip/ -D /usr/share/xt_geoip. . .
2239 IPv4 ranges for ZA
348 IPv6 ranges for ZA
56 IPv4 ranges for ZM
12 IPv6 ranges for ZM
56 IPv4 ranges for ZW
15 IPv6 ranges for ZWQaphela ukuthi umbhali ayicabangi ukuthi imibhalo yayo isilungele ukukhiqizwa nokunikezwayo ukuze kuthuthukiswe imibhalo yokuqala ye-xt_geoip_*. Ngakho-ke, ake sidlulele ekuhlanganiseni sisuka kumakhodi omthombo, lapho le mibhalo eseyibuyekeziwe kakade.
Inguqulo yomthombo
Lapho ufaka kusuka kumaskripthi ekhodi yomthombo xt_geoip_* zitholakala kukhathalogi /usr/local/libexec/xtables-addons. Le nguqulo yombhalo isebenzisa isizindalwazi . Ilayisensi yi-Creative Commons Attribution License, futhi kudatha etholakalayo kukhona amakholomu amathathu adingeka kakhulu. Landa futhi uhlanganise i-database:
cd /usr/share/xt_geoip//usr/local/libexec/xtables-addons/xt_geoip_dl/usr/local/libexec/xtables-addons/xt_geoip_buildNgemuva kwalezi zinyathelo, i-iptables isilungele ukusebenza.
Ukusebenzisa i-geoip kuma-iptables
Imodyuli xt_geoip wengeza okhiye ababili kuphela:
geoip match options:
[!] --src-cc, --source-country country[,country...]
Match packet coming from (one of) the specified country(ies)
[!] --dst-cc, --destination-country country[,country...]
Match packet going to (one of) the specified country(ies)
NOTE: The country is inputed by its ISO3166 code.Izindlela zokudala imithetho ye-iptables, ngokuvamile, zihlala zingashintshiwe. Ukuze usebenzise okhiye abasuka kumamojula engeziwe, kufanele ucacise igama lemojuli ngokushintsha -m. Isibonelo, umthetho wokuvimba uxhumo lwe-TCP olungenayo ku-port 443 hhayi e-USA kukho konke ukuxhumana:
iptables -I INPUT ! -i lo -p tcp --dport 443 -m geoip ! --src-cc US -j DROPAmafayela adalwe ngu-xt_geoip_build asetshenziswa kuphela lapho kwakhiwa imithetho, kodwa awanakwa lapho kuhlunga. Ngakho, ukuze ubuyekeze kahle isizindalwazi se-geoip, kufanele uqale ubuyekeze amafayela e-iv*, bese udala kabusha yonke imithetho esebenzisa i-geoip kuma-iptables.
isiphetho
Ukuhlunga amaphakethe ngokusekelwe emazweni kuyisu elikhohliwe ngandlela thile yisikhathi. Naphezu kwalokhu, amathuluzi esofthiwe okuhlunga okunjalo ayathuthukiswa futhi, mhlawumbe, maduze inguqulo entsha ye-xt_geoip enomhlinzeki omusha wedatha ye-geoip izovela kubaphathi bephakheji, okuzokwenza kube lula kakhulu ukuphila kwabaphathi besistimu.
Abasebenzisi ababhalisiwe kuphela abangabamba iqhaza kuhlolovo. , wamukelekile.
Uke wasebenzisa ukuhlunga ngezwe?
-
59,1%Yebo13
-
40,9%No9
Bangu-22 abasebenzisi abavotile. Abasebenzisi abangama-3 bayenqaba.
Source: www.habr.com