Blocking access to prohibited resources is relevant to any admin who may officially be served with a notice of failure to comply with the law or with orders of the relevant authorities.

Why reinvent the wheel when there are specialized programs and distributions for such tasks, for example Zeroshell, pfSense, ClearOS?
The authorities asked another question: does the product in use have a security certificate from our state?
We had experience working with the following distributions:
- Zeroshell: the developers even provided a two-year license, but it turned out that the distribution we were interested in behaved illogically for us in fulfilling a function that was critical for us;
- pfSense: respect and honour, but at the same time tedious; getting used to the command line of the FreeBSD firewall was not convenient enough for us (I think it is a matter of habit, but it just was not "the way");
- ClearOS: it turned out to be very slow on our hardware, we could not get as far as serious testing, and why such heavy interfaces?
- Ideco SELECTA: the Ideco product deserves a separate conversation; it is an interesting product, but for political reasons it is not for us. I also want to "bite" them about the licensing of the same Linux, Roundcube, etc.: how is it that, having "cut" an interface in Python and taken superuser rights, they can sell a finished product made up of modules developed and improved by the Internet community and distributed under the GPL and similar licenses?
I understand that negative cries will now pour in my direction demanding that I substantiate my subjective feelings in detail, but I want to say that this network node is also a traffic balancer across 4 external channels to the Internet, and each channel has its own characteristics. Another cornerstone was the need to work on one of several network interfaces in different address spaces, and I am ready to admit that I am not ready to use VLANs wherever I need to. Devices such as the TP-Link TL-R480T+ are in use; they do not behave perfectly and in general have their own nuances. It proved possible to configure this part on Linux thanks to the Ubuntu website.
IP Balancing: combining several Internet channels into one. Moreover, each of the channels can "drop" at any time, and come back up just as suddenly. If you are interested in the script that currently does this (it deserves a separate publication), write in the comments.
The solution in question does not claim to be unique, but I want to ask the question: "Why should a company adapt to questionable third-party products with serious hardware requirements when an alternative can be considered?"
If in Russia there is the Roskomnadzor list, and in Ukraine an annex to the Decision of the National Security Council (for example, the published annex), then management on the ground does not sleep either. For example, we were given a list of banned sites that, in management's opinion, worsen labour productivity in the workplace.
Talking with colleagues at other enterprises, where all sites are prohibited by default and a specific site can be reached only on request with the boss's permission, after a respectful smile, some thought and "smoking over the problem", it became clear that life is good, and we began our search.
Having the opportunity not only to read analytically what the "housewives' handbooks" write about traffic filtering, but also to see what actually happens on the channels of different providers, we noticed the following recipes (the screenshots are somewhat cropped, please bear with that):
And what about VPN (respect to the Opera browser) and browser plug-ins? First, playing with the Mikrotik node, we even had a resource-intensive L7 recipe, which we later had to abandon (there may be many more forbidden names, and it becomes sad when, in addition to its direct routing duties, the PPC460GT processor goes to 100% on three dozen expressions).

What became clear:
Resolving banned names to 127.0.0.1 in DNS is absolutely not a panacea: modern browser versions still allow such obstacles to be bypassed. It is impossible to restrict all users to stripped-down rights, and one must not forget about the huge number of alternative DNS servers. The Internet is not static: in addition to new DNS addresses, banned sites buy new addresses, change top-level domains, and can add or remove characters in their addresses. Still, something like the following has a right to exist:
ip route add blackhole 1.2.3.4
Obtaining a list of IP addresses from the list of banned sites would be quite effective, but for the reasons mentioned above we turned to iptables. There was already a live balancer on CentOS Linux release 7.5.1804.
The user's Internet should be fast, and the browser should not wait half a minute before concluding that a page is unavailable. After a long search we arrived at this model:
File 1: /script/denied_host, the list of forbidden names:
test.test blablabla.bubu torrent porno
File 2: /script/denied_range, the list of forbidden address spaces and addresses:
192.168.111.0/24 241.242.0.0/16
Script file 3: ipt.sh, which works with iptables:
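The ipt.sh script itself is not reproduced on this page. What follows is an added example of my own, not the author's script, showing how the two list files above can be turned into iptables rules; the chain name DENIED, the FORWARD hook, the whitespace-separated list format and the dry-run default (IPT=echo iptables) are my assumptions.

```shell
#!/bin/bash
# Added example, not the author's ipt.sh (which the page does not reproduce). Builds iptables
# rules from the two list files described above. Assumptions: entries are whitespace
# separated, the chain name DENIED and the FORWARD hook are my choice, and IPT defaults to a
# dry run that only prints the commands it would execute.
IPT="${IPT:-echo iptables}"   # run as root with IPT=iptables to apply for real
CHAIN="${CHAIN:-DENIED}"

# words_of FILE: one entry per line, tolerating several entries on a line and blank lines
words_of() {
    tr -s '[:space:]' '\n' < "$1" | grep -v '^$'
}

# build_rules HOST_FILE RANGE_FILE: rebuild the chain from scratch so removed entries vanish
build_rules() {
    host_file="$1"; range_file="$2"
    $IPT -N "$CHAIN" 2>/dev/null || true
    $IPT -F "$CHAIN"
    # Names: a substring match on the payload catches the HTTP Host header and the TLS SNI,
    # which is why bare keywords like "torrent" work without resolving anything. REJECT with
    # a TCP reset makes the browser fail at once instead of hanging for half a minute.
    # Caveat: the string match inspects every forwarded TCP packet, so it costs CPU much like
    # the L7 rules the author abandoned on the Mikrotik; keep the list short and specific.
    for name in $(words_of "$host_file"); do
        $IPT -A "$CHAIN" -p tcp -m string --string "$name" --algo bm \
            -j REJECT --reject-with tcp-reset
    done
    # Address spaces and single addresses: a plain destination match, CIDR accepted
    for range in $(words_of "$range_file"); do
        $IPT -A "$CHAIN" -d "$range" -j REJECT
    done
    # Hook the chain into FORWARD only once; -C checks for an existing jump before inserting
    $IPT -C FORWARD -j "$CHAIN" 2>/dev/null || $IPT -I FORWARD -j "$CHAIN"
}

# count_rules HOST_FILE RANGE_FILE: number of blocking rules the two lists produce
count_rules() {
    build_rules "$1" "$2" | grep -c -- "-A $CHAIN "
}

# Stand-alone use with the author's paths (dry run unless IPT=iptables)
if [ -r /script/denied_host ] && [ -r /script/denied_range ]; then
    build_rules /script/denied_host /script/denied_range
fi
```

Run it once without IPT set to review the generated commands, then rerun with IPT=iptables as root; because the chain is flushed and rebuilt each time, editing the list files and rerunning is the whole update procedure.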
sudo is used because we have a small hack for managing the lists through a web interface, but as more than a year of using this model has shown, the web interface is not really necessary. After implementation there was a desire to keep the list of sites in a database, and so on. The number of blocked hosts is more than 250, plus a dozen address spaces. There is indeed a problem when a site is reached over an https connection; as a system administrator I have complaints about browsers :), but these are special cases, and most of the reasons for a resource being unreachable are still on our side. We also successfully block Opera VPN, plugins like friGate, and telemetry from Microsoft.
