说真的,我阻止(返回,当然不是丢弃)UDP :53 到我的权威名称服务器。解析器将回退到 TCP,我不需要任何针对欺骗性源 IP 的速率限制。因为 DDoS 攻击的欺骗受害者只会得到相当于 UDP 或 TCP ack 的连接被拒绝,而不是更大的 DNS 答案。
简单的解决方案,一切都很好。还是不是那么简单?
一些云业务提供“永远免费”的 VM 实例。不是很大,但对我来说足够了,所以我将把我的基础设施迁移到那里,包括 mail.example.com。该机器处理 @example.com ( example.com MX 10 mail.example.com) 的传入邮件。但是,要从@example.com 发送电子邮件,机器需要一个 PTR 记录(192.0.2.1 PTR mail.example.com)。但是,云提供商不允许添加 PTR 记录。那么,也许我只是使用中继来发送电子邮件,托管在另一个允许设置 PTR 记录的云提供商处?
那个中继虚拟机只需要一个名为... mail.example.com 的 PTR 记录?或者 smtp.example.org 也可以吗?而且 – 如果它也可以 – 电子邮件收件人的服务器 – pechora1.icann.org – 是否只需检查 smtp.example.org 是否为 smtp.example.org 并接受来自[email protected] 的电子邮件?没有额外的 DNS 要求?(而且——如果是的话——为什么?)
在下面指定的环境中,IPv4 像猫一样发出咕噜声,但 IPv6 会在短时间内消失——即即使主机也无法通过 Docker 网络通过 IPv6 访问其容器。我错过了什么?
编辑#1
替换 64:ff9b:: w/ 全局,但问题仍然存在。主机失去了与直接连接的 Docker 容器的 IPv6(但不是 IPv4)连接。首先“没有到主机的路由”,然后超时。
剧本.yml
---
- hosts: all
become: yes
become_method: sudo
tasks:
- import_tasks: tasks/firewall.yml
- import_tasks: tasks/router.yml
- import_tasks: tasks/docker.yml
- name: /usr/local/docker-services
file:
path: /usr/local/docker-services
owner: root
group: root
mode: '0700'
state: directory
- name: nginx-site.conf
copy:
dest: /usr/local/docker-services/nginx-site.conf
owner: root
group: root
mode: '0666'
src: files/nginx-site.conf
- name: docker-compose.yml
copy:
dest: /usr/local/docker-services/docker-compose.yml
owner: root
group: root
mode: '0666'
content: |
version: '2.4'
networks:
ext-nginx:
internal: true
enable_ipv6: true
driver_opts:
com.docker.network.bridge.name: docker1
ipam:
config:
- subnet: 192.168.234.0/30
gateway: 192.168.234.1
- subnet: 64:ff9b::192.168.234.0/126
gateway: 64:ff9b::192.168.234.1
services:
nginx:
container_name: nginx
image: nginx
restart: always
logging:
options:
labels: container
labels:
container: nginx
networks:
ext-nginx:
ipv4_address: 192.168.234.2
ipv6_address: 64:ff9b::192.168.234.2
priority: 1
volumes:
- type: bind
source: /usr/local/docker-services/nginx-site.conf
target: /etc/nginx/conf.d/default.conf
read_only: true
register: docker_compose_yml
- name: docker-compose.service
copy:
dest: /etc/systemd/system/docker-compose.service
owner: root
group: root
mode: '0644'
src: files/docker-compose.service
register: docker_compose_service
- name: systemctl daemon-reload
when: docker_compose_service.changed
systemd:
daemon_reload: yes
- name: systemctl stop docker-compose.service
when: >-
docker_compose_service.changed
or docker_compose_yml.changed
service:
name: docker-compose
state: stopped
- name: systemctl start docker-compose.service
service:
name: docker-compose
state: started
enabled: yes
任务/firewall.yml
---
- name: Firewall rules applicator
apt:
name: iptables-persistent
- name: Firewall rules file
loop: [4, 6]
copy:
dest: '/etc/iptables/rules.v{{ item }}'
owner: root
group: root
mode: '0644'
src: 'files/firewall/rules.v{{ item }}'
register: firewall_file
- name: Apply firewall rules
when: 'firewall_file.results[0].changed or firewall_file.results[1].changed'
service:
name: netfilter-persistent
state: restarted
任务/路由器.yml
---
- name: net.ipv4.ip_forward
sysctl:
name: net.ipv4.ip_forward
value: '1'
- name: net.ipv6.conf.all.forwarding
sysctl:
name: net.ipv6.conf.all.forwarding
value: '1'
任务/docker.yml
---
- name: apt-transport-https
apt:
name: apt-transport-https
- name: Docker apt key
apt_key:
url: https://download.docker.com/linux/debian/gpg
- name: Docker apt repo
apt_repository:
filename: docker
repo: >
deb https://download.docker.com/linux/debian
{{ ansible_lsb.codename }} stable
- name: /etc/docker
file:
path: /etc/docker
owner: root
group: root
mode: '0755'
state: directory
- name: /etc/docker/daemon.json
copy:
dest: /etc/docker/daemon.json
owner: root
group: root
mode: '0644'
content: '{"iptables":false}'
- name: Docker
apt:
name: docker-ce
- name: Docker compose
apt:
name: docker-compose
文件/防火墙/rules.v4
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -d 127.0.0.0/8 ! -i lo -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -o docker1 -d 192.168.234.2/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -i docker1 -o eth0 -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -d 78.47.124.58 -p tcp -m tcp --dport 80 -j DNAT --to 192.168.234.2
-A POSTROUTING -o eth0 ! -s 78.47.124.58 -j MASQUERADE
COMMIT
文件/防火墙/rules.v6
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -d ::1/128 ! -i lo -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -o docker1 -d 64:ff9b::192.168.234.2 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -i docker1 -o eth0 -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -d 2a01:4f8:c0c:3bc1::/64 -p tcp -m tcp --dport 80 -j DNAT --to 64:ff9b::192.168.234.2
-A POSTROUTING -o eth0 ! -s 2a01:4f8:c0c:3bc1::/64 -j MASQUERADE
COMMIT
文件/nginx-site.conf
server {
listen 80;
listen [::]:80;
server_name localhost;
location / {
root /usr/share/nginx/html;
index index.html index.htm;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
}
文件/docker-compose.service
[Unit]
Requires=docker.service
[Service]
Type=oneshot
RemainAfterExit=yes
WorkingDirectory=/usr/local/docker-services
ExecStart=/usr/bin/docker-compose up -d --force-recreate
ExecStop=/usr/bin/docker-compose down
[Install]
WantedBy=multi-user.target
我已经设置了三个 Wireguard 节点——a、b 和 c(下面的 Vagrantfile)。b 和 c 都连接到 a 并且能够通过 Wireguard 隧道 ping a。但是 b 和 c 不能互相 ping 通——为什么?
Vagrant.configure("2") do |config|
[
{
name: "a",
wgcfg: <<-WGCFG
[Interface]
PrivateKey=gCQW9uFhkiFwXAOfVINXm+BF4s8fZcTWAfxJboAg01I=
ListenPort=50031
Address=192.168.234.65/26
[Peer]
PublicKey=5T5HdEaGxtDLCoC4QTb3B1e0suer4IadTEwWZ5Je7w0=
AllowedIPs=192.168.234.0/26
PersistentKeepalive=25
[Peer]
PublicKey=1nYwoKaMswzdiM/2UNDDJf/DRX5m/6M27dLMOeqaxwk=
AllowedIPs=192.168.234.0/26
PersistentKeepalive=25
WGCFG
},
{
name: "b",
wgcfg: <<-WGCFG
[Interface]
PrivateKey=KFsOZmkbHUmPNQmjgWn4lJa/MiszGcAuFNJb8HSda2M=
Address=192.168.234.66/26
[Peer]
PublicKey=5U5KqwaEA3I9nMYAfVA6thA2XUwOUVU8Y4C8CzeRzVo=
Endpoint=172.28.128.3:50031
AllowedIPs=192.168.234.0/26
PersistentKeepalive=25
WGCFG
},
{
name: "c",
wgcfg: <<-WGCFG
[Interface]
PrivateKey=6Gl/ZbyOKJHhQUSLaMrShU/ukNfvvDdiwz1a7t45Q3I=
Address=192.168.234.67/26
[Peer]
PublicKey=5U5KqwaEA3I9nMYAfVA6thA2XUwOUVU8Y4C8CzeRzVo=
Endpoint=172.28.128.3:50031
AllowedIPs=192.168.234.0/26
PersistentKeepalive=25
WGCFG
}
].each do |specs|
config.vm.define specs[:name] do |config|
config.vm.box = "ubuntu/bionic64"
config.vm.network "private_network", type: "dhcp"
config.vm.provider "virtualbox" do |vb|
vb.memory = "1024"
end
config.vm.provision "shell", inline: <<-SHELL
sudo add-apt-repository -y ppa:wireguard/wireguard
sudo bash -c 'DEBIAN_FRONTEND=noninteractive apt-get -y install wireguard tshark'
sudo bash -exo pipefail -c 'cat <<<"$0" >/etc/wireguard/wg1.conf' '#{specs[:wgcfg]}'
sudo systemctl enable [email protected]
sudo systemctl restart [email protected]
sudo bash -exo pipefail -c 'cat <<<'net.ipv4.ip_forward=1' >/etc/sysctl.d/99-router.conf'
sudo sysctl -w net.ipv4.ip_forward=1
SHELL
end
end
end
当我访问例如。https://www.google.com,我的网络浏览器 (IceWeasel) 在 URL 旁边只显示一个(灰色)锁定图标。但是,当我访问例如。https://www.cia.gov,显示绿色锁和“中央情报局”。
有什么区别以及如何为我自己的 WWW 服务器创建一个“简单”(第一个)?