From 383af3f34017ded5432b46fabfd04ffb34eda8a2 Mon Sep 17 00:00:00 2001 From: thest1tch Date: Sat, 14 Oct 2023 13:33:45 +0500 Subject: [PATCH] update --- docs/{software => }/hass/package/budilnik.md | 0 docs/{software => }/hass/package/index.md | 0 docs/{software => }/hass/zigbee2mqtt.md | 0 docs/network/mikrotik/bgp.md | 12 -- docs/network/mikrotik/chr.md | 190 ++++++++++++++++++- docs/network/mikrotik/unblock-site.md | 69 +++++++ mkdocs.yml | 15 +- 7 files changed, 260 insertions(+), 26 deletions(-) rename docs/{software => }/hass/package/budilnik.md (100%) rename docs/{software => }/hass/package/index.md (100%) rename docs/{software => }/hass/zigbee2mqtt.md (100%) delete mode 100755 docs/network/mikrotik/bgp.md create mode 100644 docs/network/mikrotik/unblock-site.md diff --git a/docs/software/hass/package/budilnik.md b/docs/hass/package/budilnik.md similarity index 100% rename from docs/software/hass/package/budilnik.md rename to docs/hass/package/budilnik.md diff --git a/docs/software/hass/package/index.md b/docs/hass/package/index.md similarity index 100% rename from docs/software/hass/package/index.md rename to docs/hass/package/index.md diff --git a/docs/software/hass/zigbee2mqtt.md b/docs/hass/zigbee2mqtt.md similarity index 100% rename from docs/software/hass/zigbee2mqtt.md rename to docs/hass/zigbee2mqtt.md diff --git a/docs/network/mikrotik/bgp.md b/docs/network/mikrotik/bgp.md deleted file mode 100755 index 2004b50..0000000 --- a/docs/network/mikrotik/bgp.md +++ /dev/null 
@@ -1,12 +0,0 @@
-# BGP на RouterOS 7
-
-```
-/routing bgp template
-add as="ВАША ВЫДУМАННАЯ AS БЕЗ СКОБОК" disabled=no hold-time=4m input.filter=bgp_in .ignore-as-path-len=yes keepalive-time=1m multihop=yes name=antifilter routing-table=main
-
-/routing bgp connection
-add disabled=no hold-time=4m input.filter=bgp_in .ignore-as-path-len=yes keepalive-time=1m local.address= "ВАШ ВНУТРЕННИЙ ИП БЕЗ СКОБОК" .role=ebgp multihop=yes name=antifilter_bgp remote.address=45.154.73.71/32 .as=65432 router-id="ВАШ ВНЕШНИЙ ИП БЕЗ СКОБОК" routing-table=main templates=antifilter
-
-/routing filter rule
-add chain=bgp_in disabled=no rule="set gw "название VPN интерфейса"; accept;"
-```
\ No newline at end of file
diff --git a/docs/network/mikrotik/chr.md b/docs/network/mikrotik/chr.md
index 3135cc8..4ed1cf8 100755
--- a/docs/network/mikrotik/chr.md
+++ b/docs/network/mikrotik/chr.md
@@ -1,14 +1,188 @@ # Cloud Hosted Router -У MikroTik CHR статический IP +## Установка IP адреса -```plaintext -/ip address add interface=ether1 address=10.103.0.111 netmask=255.255.255.0 -/ip route add gateway=10.103.0.254 dst-address=0.0.0.0/0 distance=1 +=== "У MikroTik CHR статический IP" + + ``` + /ip address add interface=ether1 address=10.103.0.111 netmask=255.255.255.0 + /ip route add gateway=10.103.0.254 dst-address=0.0.0.0/0 distance=1 + ``` + +=== "У MikroTik CHR автоматический IP(dhcp)" + + ``` + /ip dhcp-client add disabled=no interface=ether1 + ``` + +## Настройка NTP + +``` +/system ntp client +set enabled=yes +/system ntp client servers +add address=193.171.23.163 +add address=85.114.26.194 ``` -У MikroTik CHR автоматический IP(dhcp) +## Настройка Firewall + +=== "Filter" + + ``` + /ip firewall filter + add action=accept chain=input dst-port=22024,29514 in-interface=ether1 \ + protocol=tcp src-address-list=Admin_IP + add action=accept chain=input comment="VPN Wireguard" dst-port=34567 \ + in-interface=ether1 protocol=udp + add action=accept chain=input dst-port=34568 in-interface=ether1 protocol=udp \ + src-address=5.189.70.251 + add action=accept chain=input dst-port=34569 in-interface=ether1 protocol=udp + add action=accept chain=input comment=l2tp port=1701,500,4500 protocol=udp \ + src-address=95.59.244.153 + add action=accept chain=input protocol=ipsec-esp + add action=accept chain=input comment=Socks5 dst-port=24444 \ + in-interface-list=VPN protocol=tcp + add action=drop chain=input dst-port=24444 in-interface-list=!VPN protocol=\ + tcp + add action=accept chain=input comment="Web Proxy" dst-port=25555 \ + in-interface-list=VPN log=yes log-prefix=webproxy protocol=tcp + add action=drop chain=input connection-state="" dst-port=8080 \ + in-interface-list=!VPN port="" protocol=tcp src-port="" + add action=drop chain=input connection-state="" dst-port=25555 \ + in-interface-list=!VPN port="" protocol=tcp src-port="" + add action=return 
chain=detect-ddos comment="Anti DDos" dst-limit=\ + 32,32,src-and-dst-addresses/10s + add action=add-dst-to-address-list address-list=ddos-target \ + address-list-timeout=10m chain=detect-ddos + add action=add-src-to-address-list address-list=ddos-attackers \ + address-list-timeout=10m chain=detect-ddos + add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s \ + protocol=tcp tcp-flags=syn,ack + add action=fasttrack-connection chain=forward comment=" fasttrack" \ + connection-state=established,related hw-offload=yes + add action=accept chain=input comment="\D0\E0\E7\F0\E5\F8\E0\E5\EC \F3\F1\F2\ + \E0\ED\EE\E2\EB\E5\ED\ED\FB\E5 \E8 \F1\E2\FF\E7\E0\ED\ED\FB\E5 \E2\F5\EE\ + \E4\F9\E8\E5 \F1\EE\E5\E4\E8\ED\E5\ED\E8\FF" connection-state=\ + established,related,untracked + add action=accept chain=forward connection-state=\ + established,related,untracked + add action=drop chain=input comment="Drop invalid" connection-state=invalid \ + log-prefix=invalid + add action=drop chain=forward connection-state=invalid log-prefix=invalid + add action=drop chain=input connection-state="" dst-port=53 \ + in-interface-list=WAN port="" protocol=udp src-port="" + add action=drop chain=input comment=NTP connection-state=new dst-port=123 \ + in-interface-list=WAN log-prefix=" " protocol=tcp + add action=drop chain=input connection-state=new dst-port=123 \ + in-interface-list=WAN log-prefix=" " protocol=udp + add action=drop chain=input comment="Drop SSH brutforce" dst-port=22-23 \ + protocol=tcp + add action=accept chain=input comment="defconf: accept ICMP after RAW" \ + protocol=icmp + add action=accept chain=input comment="\F0\E0\E7\F0\E5\F8\E0\E5\EC \EF\EE\E4\ + \EA\EB\FE\F7\E5\ED\E8\FF \E8\E7 \ED\E0\F8\E5\E9 \EB\EE\EA \F1\E5\F2\E8" \ + in-interface=!ether1 src-address=192.168.3.0/24 + add action=drop chain=forward comment=\ + "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \ + connection-state=new in-interface-list=WAN + add action=drop 
chain=forward comment="defconf: drop bad forward IPs" \ + dst-address-list=no_forward_ipv4 + add action=drop chain=forward comment="defconf: drop bad forward IPs" \ + src-address-list=no_forward_ipv4 + add action=drop chain=input comment="defconf: drop all not coming from LAN" \ + in-interface-list=!VPN log-prefix=drop + ``` + +=== "NAT" + ``` + /ip firewall nat + add action=masquerade chain=srcnat + add action=masquerade chain=srcnat out-interface=ether1 src-address=\ + 192.168.3.1 + ``` + +=== "RAW" + ``` + /ip firewall raw + add action=accept chain=prerouting comment=\ + "defconf: enable for transparent firewall" disabled=yes + add action=accept chain=prerouting comment="defconf: accept DHCP discover" \ + dst-address=255.255.255.255 dst-port=67 in-interface-list=LAN protocol=\ + udp src-address=0.0.0.0 src-port=68 + add action=drop chain=prerouting comment="defconf: drop bogon IP's" \ + src-address-list=bad_ipv4 + add action=drop chain=prerouting comment="defconf: drop bogon IP's" disabled=\ + yes dst-address-list=bad_ipv4 log=yes log-prefix=132 + add action=drop chain=prerouting comment="defconf: drop bogon IP's" \ + src-address-list=bad_src_ipv4 + add action=drop chain=prerouting comment="defconf: drop bogon IP's" disabled=\ + yes dst-address-list=bad_dst_ipv4 log=yes + add action=drop chain=prerouting comment="defconf: drop non global from WAN" \ + in-interface=ether1 src-address-list=not_global_ipv4 + add action=drop chain=prerouting comment=\ + "defconf: drop forward to local lan from WAN" dst-address=192.168.1.0/24 \ + in-interface-list=WAN + add action=drop chain=prerouting comment=\ + "defconf: drop local if not from default IP range" in-interface-list=LAN \ + log=yes src-address=!192.168.3.0/24 + add action=drop chain=prerouting comment="defconf: drop bad UDP" log-prefix=\ + 123 port=0 protocol=udp + add action=jump chain=prerouting comment="defconf: jump to ICMP chain" \ + jump-target=icmp4 protocol=icmp + add action=jump chain=prerouting 
comment="defconf: jump to TCP chain" \ + jump-target=bad_tcp protocol=tcp + add action=accept chain=prerouting comment=\ + "defconf: accept everything else from LAN" in-interface-list=VPN + add action=accept chain=prerouting comment=\ + "defconf: accept everything else from WAN" in-interface-list=WAN + add action=drop chain=bad_tcp comment="defconf: TCP flag filter" protocol=tcp \ + tcp-flags=!fin,!syn,!rst,!ack + add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,syn + add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,rst + add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,!ack + add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,urg + add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=syn,rst + add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=rst,urg + add action=drop chain=bad_tcp comment="defconf: TCP port 0 drop" port=0 \ + protocol=tcp + ``` + +=== "Address List" -```plaintext -/ip dhcp-client add disabled=no interface=ether1 -``` \ No newline at end of file + ``` + /ip firewall address-list + add address=192.168.1.2-192.168.88.254 list=allowed_to_router + add address=0.0.0.0/8 comment="defconf: RFC6890" list=no_forward_ipv4 + add address=169.254.0.0/16 comment="defconf: RFC6890" list=no_forward_ipv4 + add address=224.0.0.0/4 comment="defconf: multicast" list=no_forward_ipv4 + add address=255.255.255.255 comment="defconf: RFC6890" list=no_forward_ipv4 + add address=127.0.0.0/8 comment="defconf: RFC6890" list=bad_ipv4 + add address=192.0.0.0/24 comment="defconf: RFC6890" list=bad_ipv4 + add address=192.0.2.0/24 comment="defconf: RFC6890 documentation" list=\ + bad_ipv4 + add address=198.51.100.0/24 comment="defconf: RFC6890 documentation" list=\ + bad_ipv4 + add address=203.0.113.0/24 comment="defconf: RFC6890 documentation" list=\ + bad_ipv4 + add address=240.0.0.0/4 comment="defconf: RFC6890 reserved" list=bad_ipv4 + add 
address=0.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4 + add address=10.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4 + add address=100.64.0.0/10 comment="defconf: RFC6890" list=not_global_ipv4 + add address=169.254.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4 + add address=172.16.0.0/12 comment="defconf: RFC6890" list=not_global_ipv4 + add address=192.0.0.0/29 comment="defconf: RFC6890" list=not_global_ipv4 + add address=192.168.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4 + add address=198.18.0.0/15 comment="defconf: RFC6890 benchmark" list=\ + not_global_ipv4 + add address=255.255.255.255 comment="defconf: RFC6890" list=not_global_ipv4 + add address=224.0.0.0/4 comment="defconf: multicast" list=bad_src_ipv4 + add address=255.255.255.255 comment="defconf: RFC6890" list=bad_src_ipv4 + add address=0.0.0.0/8 comment="defconf: RFC6890" list=bad_dst_ipv4 + add address=224.0.0.0/4 comment="defconf: RFC6890" list=bad_dst_ipv4 + add list=ddos-attackers + add list=ddos-target + add address=5.189.70.251 list=Admin_IP + add address=10.0.10.2 list=Admin_IP + add address=95.59.244.153 list=Admin_IP + ``` \ No newline at end of file diff --git a/docs/network/mikrotik/unblock-site.md b/docs/network/mikrotik/unblock-site.md new file mode 100644 index 0000000..39fa598 --- /dev/null +++ b/docs/network/mikrotik/unblock-site.md 
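Review bot: The `Filter` and `RAW` tabs match on interface lists `WAN`, `LAN` and `VPN` (e.g. `add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!VPN log-prefix=drop`, `in-interface-list=LAN`), but the page never shows the `/interface list` and `/interface list member` commands that define them, so a reader pasting the listing gets rules that either match nothing or — for the negated `!VPN` matches — match every interface; add a short tab with those definitions. Two rules also need a comment saying why they are this open: `add action=accept chain=input dst-port=34569 in-interface=ether1 protocol=udp` has no `src-address` restriction unlike its 34568 neighbour, and the first NAT rule `add action=masquerade chain=srcnat` has no `out-interface`, so it masquerades every forwarded flow (tunnel traffic included) and makes the second, `ether1`-bound masquerade rule redundant. The `allowed_to_router` address list is defined but never referenced by any rule. The `Admin_IP` list, the L2TP rule and the 34568 rule publish what look like real admin source addresses; the deleted bgp.md used placeholders like `"ВАШ ВНЕШНИЙ ИП"`, and this page should do the same.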
@@ -0,0 +1,69 @@ +# Обход блокировок + +Расписывать как поднять и настроить VPN через Wireguard или OpenVPN не буду. В сети достаточно инструкций. Чуть ниже слева есть еще одна от меня. + +Варианта как обходить блокировки 2: + +- через таблицу маршрутизации, куда вносим ресурсы руками или скриптами +- через BGP с одного "неизвестного" сайта + +## Вариант 1: таблица маршрутизации + +Статья о маркировке трафика, для отправки его в VPN: [Policy_Base_Routing](https://wiki.mikrotik.com/wiki/Policy_Base_Routing) + +Формируем списки (`address-list`) для подсетей, трафик на которые будем гнать через VPN: +``` +# auth.servarr.com - заблоченный ресурс +/ip firewall address-list add list=unblock address=auth.servarr.com +``` +Вместо формирования руками, готовые списки можно выкачивать с [https://antifilter.download](https://antifilter.download) + +Создаем таблицу маршрутизации + +``` +/routing table +add Disabled=no name=unblock fib +``` +Настраиваем правила роутинга + +``` +/ip firewall mangle add disabled=no action=mark-routing chain=prerouting dst-address-list=unblock new-routing-mark=unblock passthrough=yes src-address=192.168.88.2-192.168.88.254 +/ip route add disabled=no dst-address=0.0.0.0/0 type=unicast gateway=wireguard1 routing-mark=unblock scope=30 target-scope=10 +/ip firewall nat add chain=srcnat src-address=192.168.88.0/24 out-interface=wireguard1 action=masquerade +``` + +## Вариант 2: BGP + +Проверяем, что VPN жив и работает. + +Выпускаем трафик BGP с маршрутизатора + +``` +/ip firewall filter add action=accept chain=output protocol=tcp dst-address=51.75.66.20 dst-port=179 out-interface=wireguard1 +``` + +Прописываем маршрут до сервиса antifilter.network через VPN. Это нужно для того, чтобы если провайдер блочит или фильтрует BGP, на нас это не влияло. + +``` +/ip route add dst-address=51.75.66.20/32 gateway=wireguard1 +``` + +Настраиваем пиринг с сервисом + +!!! 
info "Mikrotik ROS7" + + ``` + /routing bgp template + add as="64999" disabled=no hold-time=4m input.filter=bgp_in .ignore-as-path-len=yes keepalive-time=1m multihop=yes name=antifilter routing-table=main + + /routing bgp connection + add as=64999 disabled=no hold-time=4m input.filter=bgp_in \ + .ignore-as-path-len=yes keepalive-time=1m local.address= .role=\ + ebgp multihop=yes name=bgp-antifilter.net output.filter-chain=discard \ + remote.address=51.75.66.20/32 .as=65444 router-id= \ + routing-table=main templates=antifilter + + /routing filter rule + add chain=bgp_in disabled=no rule="set gw wireguard1; accept; + add chain=discard disabled=no rule=reject + ``` \ No newline at end of file diff --git a/mkdocs.yml b/mkdocs.yml index 7f8ce19..6f00aa0 100755 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -78,11 +78,6 @@ nav: - Stop-Process: software/powershell/stop-process.md - Count-Pages: software/powershell/count-pages.md - Send-Mail: software/powershell/send-mail.md - - Home Assistant: - - Zigbee2mqtt: software/hass/zigbee2mqtt.md - - Пакеты конфигураций: - - software/hass/package/index.md - - Будильник: software/hass/package/budilnik.md - Chrome: - Download bar: software/chrome/download-bar.md - Windows: @@ -106,6 +101,14 @@ nav: - Proxmox VE: - index.md - CT Template: proxmox/ct-template.md + - Home Assistant: + - Addons: + - Zigbee2mqtt: hass/zigbee2mqtt.md + - Package: + - hass/package/index.md + - Будильник: hass/package/budilnik.md + - Device: + Xiaomi Airpurifier: hass/device/xiaomi-airpurifier.md - Другое: - SSL для сайта: other/ssl-for-site.md - Self Hosted: other/self-hosted.md @@ -152,7 +155,7 @@ nav: - Split-DNS: network/mikrotik/split-dns.md - Hairpin NAT: network/mikrotik/hairpin-nat.md - UPnP: network/mikrotik/upnp.md - - BGP: network/mikrotik/bgp.md + - Обход блокировок: network/mikrotik/unblock-site.md - Ubiquiti: - Добавление новой точки: network/ubi/add-new-ap.md - Ошибка обновления: network/ubi/failed-update.md
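Review bot: In the ROS7 tab the filter rule `add chain=bgp_in disabled=no rule="set gw wireguard1; accept;` is missing its closing quote, so the snippet cannot be pasted as-is; it should read `add chain=bgp_in disabled=no rule="set gw wireguard1; accept;"`. That chain accepts every prefix the remote peer (AS 65444 at 51.75.66.20) announces and forces it into the tunnel, so a compromised or misconfigured peer can steer arbitrary destinations — a default route, DNS resolvers, the reader's own services — through the VPN; a sanity check such as `if (dst-len < 8 || dst-len > 24) { reject }` ahead of the `set gw` line limits the blast radius (exact syntax to be confirmed against the ROS7 routing-filter documentation), and the page should say that this is a trust decision. In Variant 1 the `unblock` list is populated from a hostname (`address=auth.servarr.com`), which depends on the router's own DNS answers; if the ISP resolver is what does the blocking, the list is filled with wrong addresses, so a sentence pointing at DoH or a tunnel-side resolver is worth adding. `/routing table add Disabled=no name=unblock fib` uses a capitalised parameter name that does not match the `disabled=` spelling used everywhere else on the page.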