Why reinvent the wheel when there are specialized programs and distributions for our tasks, for example Zeroshell, pfSense or ClearOS?
Another question was raised by management: does the product in use have a security certificate from our state?
We had experience working with the following distributions:
- Zeroshell - the developers even gave us a two-year license, but it turned out that the way this distribution handles a function that is critical for us made no sense to us;
- pfSense - respect and honor, but at the same time boring; getting used to the command line of the FreeBSD firewall was not convenient enough for us (I think it is a matter of habit, but it was not "the way");
- ClearOS - it turned out to be very slow on our hardware, we could not get as far as serious testing, and why such heavy interfaces?
- Ideco SELECTA. The Ideco product is a separate conversation: an interesting product, but for political reasons not for us. I also want to "bite" them about the licensing of the same Linux, Roundcube, etc. How did they come to the point where, having "cut" an interface in Python and taken superuser rights for themselves, they can sell as a finished product something assembled from modules developed and improved by the Internet community and distributed under the GPL and similar licenses?
I understand that negative cries will now pour in my direction with demands to substantiate my subjective feelings in detail, but I want to say that this network node is also a traffic balancer across 4 external Internet channels, and each channel has its own peculiarities. Another cornerstone was the need to work on one of several network interfaces in different address spaces, and I am ready to admit that I am not ready to use VLANs everywhere they would be needed. Devices such as the TP-Link TL-R480T+ are in use; they do not behave perfectly and in general have their own nuances. It turned out to be possible to configure this part on Linux thanks to the Ubuntu website article "IP Balancing: combining several Internet channels into one". Moreover, each of the channels can "fall" at any time, and come back up just as suddenly. If you are interested in the script that currently handles this (it deserves a separate publication), write in the comments.
The solution in question does not pretend to be unique, but I want to ask the question: "Why does a company have to adapt to questionable third-party products with serious hardware requirements when an alternative can be considered?"
If in Russia there is the Roskomnadzor list, and in Ukraine an annex to the Decision of the National Security Council (see, for example, the published annex), then our management does not sleep either. For example, we were given a list of banned sites that, in management's opinion, worsen labor productivity in the workplace.
Talking to colleagues at other enterprises, where all sites are prohibited by default and a specific site can be accessed only on request with the boss's permission, after smiling respectfully, thinking it over and "smoking on the problem", it became clear that life is good, and we started our own search.
Having the opportunity not only to see analytically what "housewives' books" write about traffic filtering, but also to see what actually happens on the channels of different providers, we noticed the following recipes (the screenshots are slightly cropped, please understand):
- Provider 1 - does not bother and imposes its own DNS server and a transparent proxy server. So what? We still have access where we need it (if we need it :)).
- Provider 2 - believes that its upstream provider should think about it; the upstream provider's technical support even admitted why I could not open a site I needed that is not on any banned list. I think the picture will amuse you :) As it turned out, they translate the names of forbidden sites into IP addresses and block the IP (it does not bother them that 20 sites can be hosted at that IP address).
- Provider 3 - passes traffic there, but does not allow it back along the route.
- Provider 4 - prohibits all manipulation of packets in the specified direction.
What became clear:
CSN on 127.0.0.1 is absolutely not a panacea: modern browser versions still let you bypass such obstacles. It is impossible to restrict all users to stripped-down rights, and one must not forget the huge number of alternative DNS servers. The Internet is not static: besides new DNS addresses, banned sites buy new addresses, change top-level domains, and can add or remove characters in their names. Still, something like the following has a right to exist:
ip route add blackhole 1.2.3.4
Obtaining a list of IP addresses from the list of banned sites would be quite effective, but for the reasons mentioned above we turned to iptables. There was already a live balancer running on CentOS Linux release 7.5.1804.
The user's Internet should be fast, and the browser should not wait half a minute before concluding that the page is unavailable. After a long search we came to this model:
File 1 -> /script/denied_host, the list of forbidden names (one per line):
test.test
blablabla.bubu
torrent
porno
File 2 -> /script/denied_range, the list of forbidden address ranges and addresses (one per line):
192.168.111.0/24
241.242.0.0/16
Script file 3 -> ipt.sh, which works with iptables:
#!/bin/sh
# Read the lists; lines starting with # are treated as comments
HOSTS=`cat /script/denied_host | grep -v '^#'`
RANGE=`cat /script/denied_range | grep -v '^#'`

echo "Stopping firewall and allowing everyone..."
# Flush all chains and tables and reset the default policies to ACCEPT
sudo iptables -F
sudo iptables -X
sudo iptables -t nat -F
sudo iptables -t nat -X
sudo iptables -t mangle -F
sudo iptables -t mangle -X
sudo iptables -P INPUT ACCEPT
sudo iptables -P FORWARD ACCEPT
sudo iptables -P OUTPUT ACCEPT

# Routing / channel balancing lives in a separate script
sudo sh rout.sh

# Block by name: look for the string in bytes 1..600 of each forwarded packet
for i in $HOSTS; do
    sudo iptables -I FORWARD -m string --string "$i" --algo bm --from 1 --to 600 -p tcp -j REJECT --reject-with tcp-reset
    sudo iptables -I FORWARD -m string --string "$i" --algo bm --from 1 --to 600 -p udp -j DROP
done

# Block by destination address or range
for i in $RANGE; do
    sudo iptables -I FORWARD -p UDP -d "$i" -j DROP
    sudo iptables -I FORWARD -p TCP -d "$i" -j REJECT --reject-with tcp-reset
done
The use of sudo is due to a small hack of ours for management via a web interface, but as more than a year of experience with this model has shown, the web part is not really needed. After implementation there was a desire to move the list of sites into a database, etc. The number of blocked hosts is over 250, plus a dozen address ranges. There is indeed a problem when going to a site over an https connection; as a system administrator I have complaints about browsers :), but these are special cases, and most of the responses about lack of access to a resource are still on our side. We also successfully block Opera VPN, plugins like friGate and telemetry from Microsoft.