RouterOS: IP split routing / DNS hijacking and split DNS / ad blocking / malicious-IP blocking / HE DDNS



2024-06-06 10:17 | Source: compiled from the web | Views: 265

Messing about with ROS: IP split routing / DNS hijacking and split DNS / ad blocking / malicious-IP blocking / HE DDNS

Contents:
Current setup
RouterOS configuration
1. Use Debian to auto-update the China IP list and the port-scanner IP list, or fetch the cnip list with a RouterOS script
2. Static DNS entries, combined with RouterOS DNS hijacking and filter rules, for adblock (rsc file download needed)
3. Layer7-based DNS split for VIP domains (rsc file download needed)
4. mangle settings
5. ip nat settings
6. route settings
7. filter settings
8. queue / QoS
9. HE DDNS and the update-HE-sit1-IPv4 script
10. Periodic DNS cache flush
The end

Current setup

The line is 200 Mbit China Unicom fibre. The ONT is in bridge mode, and an H61 dual-gigabit industrial box running RouterOS is the main router. An AC87U has its WAN port plugged into a RouterOS LAN port and runs in AP mode, serving as both access point and switch. A Debian 10 VM on the DSM (xpenology) box acts as the transparent gateway. The LAN is 192.168.50.1/24; the bypass-gateway Debian host has the static address 192.168.50.110/24. RouterOS uses a public resolver such as 114 as its primary DNS with Unicom's DNS as backup; DHCP hands clients the transparent gateway's IP as primary DNS and RouterOS's own IP as secondary. DDNS is HE.NET (Hurricane Electric), together with their IPv6 TunnelBroker; a RouterOS script updates the tunnel's IPv4 endpoint and the DDNS record. For TLS, given local conditions, certificates are renewed by hand every three months using DNS validation.

RouterOS configuration

Out of habit, step one is to wipe the default configuration: in WinBox, System > Reset Configuration. After the reboot the default account is admin with an empty password, at least on x86. Then set up the basics: PPPoE, DHCP, DNS, addresses, routes and masquerade. There are plenty of guides online for those, so they are not repeated here. Interface details used in this post:

The LAN is 192.168.50.0/24; the bypass gateway is 192.168.50.110/24. Create a bridge, rename it LAN, and add ether2 (the LAN NIC) as a port.

1. Use Debian to auto-update the China IP list and the port-scanner IP list, or fetch the cnip list with a RouterOS script

```bash
mkdir -m 755 /etc/RosUpdate
nano /etc/RosUpdate/RosIpUpdate.sh
```

(The original used -m 777. A world-writable directory lets any local user replace a script that cron later runs with sudo rights; 755 is all it needs.)

Paste the following in, then Ctrl+X, Y to save the file.

Note: this assumes nginx is installed and serving a plain web root, so that RouterOS can later download the rsc files from the Debian host. The port-scanner IP list comes from the Northeastern University (NEU) network centre's network threat blacklist system.

```bash
#!/bin/bash
# Build RouterOS address-list import files and publish them through nginx.
# pipefail + curl -f: if a download fails the half-built file is not published;
# otherwise RouterOS would import a file whose "remove" line empties the list.
set -o pipefail

## blocked IPs from http://antivirus.neu.edu.cn/
sudo curl -sf http://antivirus.neu.edu.cn/ssh/lists/neu.txt \
  | sed -e '/^#.*/d' -e 's/^/add address=/g' -e 's/$/\/32 list=zzblocked/g' \
  | sed -e $'1i\\\n/ip firewall address-list' -e $'1i\\\nremove [/ip firewall address-list find list=zzblocked]' \
  | sed '$a \/' | sed '$a /file remove blocked.rsc' > blocked.rsc \
  && mv blocked.rsc /usr/share/nginx/html/

## cnip straight from https://www.ipdeny.com/ipblocks/data/countries/cn.zone
sudo curl -sf https://www.ipdeny.com/ipblocks/data/countries/cn.zone \
  | sed -e '/^#.*/d' -e 's/^/add address=/g' -e 's/$/ list=zzCNIP/g' \
  | sed -e $'1i\\\n/ip firewall address-list' -e $'1i\\\nremove [/ip firewall address-list find list=zzCNIP]' \
        -e $'1i\\\nadd address=10.0.0.0/8 list=zzCNIP comment=private-network' \
        -e $'1i\\\nadd address=172.16.0.0/12 list=zzCNIP comment=private-network' \
        -e $'1i\\\nadd address=192.168.0.0/16 list=zzCNIP comment=private-network' \
  | sed '$a \/' | sed '$a /file remove cnip.rsc' > cnip.rsc \
  && mv cnip.rsc /usr/share/nginx/html/cnip.rsc

## CNIP backup 1: a ready-made cnip.rsc, with the list name CN replaced by zzCNIP
# sudo curl -sf http://www.iwik.org/ipcountry/mikrotik/CN | sed -e "s/CN/zzCNIP/g" > cnip.rsc \
#   && mv cnip.rsc /usr/share/nginx/html/cnip.rsc

## CNIP backup 2: https://raw.githubusercontent.com/17mon/china_ip_list/master/china_ip_list.txt
# sudo curl -sf https://raw.githubusercontent.com/17mon/china_ip_list/master/china_ip_list.txt \
#   | sed -e '/^#.*/d' -e 's/^/add address=/g' -e 's/$/ list=zzCNIP/g' \
#   | sed -e $'1i\\\n/ip firewall address-list' -e $'1i\\\nremove [/ip firewall address-list find list=zzCNIP]' \
#         -e $'1i\\\nadd address=10.0.0.0/8 list=zzCNIP comment=private-network' \
#         -e $'1i\\\nadd address=172.16.0.0/12 list=zzCNIP comment=private-network' \
#         -e $'1i\\\nadd address=192.168.0.0/16 list=zzCNIP comment=private-network' \
#   | sed '$a \/' | sed '$a /file remove cnip.rsc' > cnip.rsc \
#   && mv cnip.rsc /usr/share/nginx/html/cnip.rsc

## CNIP backup 3: http://ftp.apnic.net/apnic/stats/apnic/delegated-apnic-latest
## (prefix length = 32 - log2(address count); only exact for power-of-two counts)
# sudo curl -sf http://ftp.apnic.net/apnic/stats/apnic/delegated-apnic-latest \
#   | awk -F\| '/CN\|ipv4/ { printf("%s/%d\n", $4, 32-log($5)/log(2)) }' \
#   | sed -e '/^#.*/d' -e 's/^/add address=/g' -e 's/$/ list=zzCNIP/g' \
#   | sed -e $'1i\\\n/ip firewall address-list' -e $'1i\\\nremove [/ip firewall address-list find list=zzCNIP]' \
#         -e $'1i\\\nadd address=10.0.0.0/8 list=zzCNIP comment=private-network' \
#         -e $'1i\\\nadd address=172.16.0.0/12 list=zzCNIP comment=private-network' \
#         -e $'1i\\\nadd address=192.168.0.0/16 list=zzCNIP comment=private-network' \
#   | sed '$a \/' | sed '$a /file remove cnip.rsc' > cnip.rsc \
#   && mv cnip.rsc /usr/share/nginx/html/cnip.rsc
```

Then the cron job:

```bash
chmod +x /etc/RosUpdate/RosIpUpdate.sh
crontab -e
```

Add the following as the last line. The original line was `* */20 * * *`, which cron reads as every minute of hours 0 and 20, i.e. 120 runs a day; the intent was roughly every 20 hours, which cron cannot express exactly, so this version runs once at 00:00 and once at 20:00:

```
0 */20 * * * /etc/RosUpdate/RosIpUpdate.sh >/dev/null 2>&1
```

Ctrl+X, Y to save the crontab, then reload cron (crontab -e already installs the new table; the reload is belt and braces):

```bash
/etc/init.d/cron reload && /etc/init.d/cron restart
```

That is the automatic generation of the rsc files done.

Before the cron job first fires, run the script once by hand so the rsc files exist for immediate use (it is the same two curl pipelines shown above):

```bash
sudo /etc/RosUpdate/RosIpUpdate.sh
```
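The sed pipelines above prepend `add address=` to every non-comment line of whatever the feed returns, and the resulting file is executed by `/import` with the script's full policy. The following is an added example, not part of the original post: a generator that produces the same blocked.rsc and cnip.rsc shape as RosIpUpdate.sh, but validates each line as an IPv4 address or prefix first, and computes APNIC prefixes by splitting the range rather than trusting `32-log2(count)`. The feed contents below are constructed samples, not data from neu.txt, cn.zone or the APNIC file.

```python
"""Generate RouterOS address-list import files from plain IP feeds,
validating every line so that a poisoned or broken feed cannot turn
into RouterOS commands.

Added example, not part of the original post: it reproduces what the
RosIpUpdate.sh sed pipeline emits (zzblocked from a one-address-per-line
list, zzCNIP from an ipdeny cn.zone style list or from the APNIC
delegated file), but only for lines that parse as IPv4 networks.
The feeds below are constructed samples, not data from the real sources.
"""
import ipaddress

# --- constructed sample feeds (offline stand-ins for neu.txt, cn.zone, delegated-apnic-latest)
NEU_SAMPLE = """# blocked ssh scanners (constructed)
203.0.113.7
198.51.100.23
not-an-ip; /system reboot
"""

CNZONE_SAMPLE = """1.0.1.0/24
1.0.2.0/23
"""

APNIC_SAMPLE = """apnic|CN|ipv4|1.0.1.0|256|20110414|allocated
apnic|CN|ipv4|1.0.2.0|512|20110414|allocated
apnic|CN|ipv4|1.0.4.0|768|20110414|allocated
apnic|JP|ipv4|1.0.16.0|4096|20110412|allocated
apnic|CN|ipv6|2001:250::|35|20000426|allocated
"""

PRIVATE_NETWORKS = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


def parse_plain_feed(text):
    """Return (networks, rejected_lines) from a one-entry-per-line feed.

    '#' comment lines are dropped like the sed '/^#.*/d'. A bare host
    address becomes a /32 (the sed pipeline appends /32 for zzblocked).
    Anything that is not an IPv4 address or prefix is rejected instead of
    being pasted into an 'add address=' line and executed by /import.
    """
    nets, rejected = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            nets.append(ipaddress.IPv4Network(line, strict=False))
        except ValueError:
            rejected.append(line)
    return nets, rejected


def parse_apnic_delegated(text, country="CN"):
    """Networks for one country from delegated-apnic-latest (start|count).

    The awk in the original uses 32-log2(count), which is only right when
    the count is a power of two; here the range is split into aligned
    blocks instead, so 768 addresses become a /23 plus a /24.
    """
    nets = []
    for raw in text.splitlines():
        f = raw.strip().split("|")
        if len(f) < 5 or f[1] != country or f[2] != "ipv4":
            continue
        start = ipaddress.IPv4Address(f[3])
        end = ipaddress.IPv4Address(int(start) + int(f[4]) - 1)
        nets.extend(ipaddress.summarize_address_range(start, end))
    return nets


def render_address_list(list_name, nets, extra=(), remove_file=None):
    """Emit the import file in the same shape as the sed pipeline: flush
    the list, add the fixed private ranges, add every feed entry, then
    have RouterOS delete the file. /import stops at the first bad line,
    and by then the 'remove' has already run, which is why validation
    happens before rendering."""
    lines = ["/ip firewall address-list",
             f"remove [/ip firewall address-list find list={list_name}]"]
    lines += [f"add address={c} list={list_name} comment=private-network" for c in extra]
    lines += [f"add address={n.with_prefixlen} list={list_name}" for n in nets]
    lines.append("/")
    if remove_file:
        lines.append(f"/file remove {remove_file}")
    return "\n".join(lines) + "\n"


def build_all():
    """Return ({filename: content}, rejected_lines) for blocked.rsc and
    cnip.rsc, so a caller can refuse to publish when anything was rejected."""
    blocked, bad1 = parse_plain_feed(NEU_SAMPLE)
    cn, bad2 = parse_plain_feed(CNZONE_SAMPLE)
    files = {
        "blocked.rsc": render_address_list("zzblocked", blocked, remove_file="blocked.rsc"),
        "cnip.rsc": render_address_list("zzCNIP", cn, PRIVATE_NETWORKS, "cnip.rsc"),
    }
    return files, bad1 + bad2


if __name__ == "__main__":
    files, rejected = build_all()
    for name, body in files.items():
        print(f"# {name}\n{body}")
    if rejected:
        print("# rejected lines:", rejected)
```

In the cron version, write the two files only when the rejected list is empty, or publish the previous good copy; a feed that is down or tampered with should never reach the router as an import file.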

Next, copy the following, save it as scripts.rsc, upload it to Files in WinBox, and run `import file=scripts.rsc` in the terminal (`im` is the short form). The script downloads cnip.rsc and blocked.rsc from the Debian web server and imports them into RouterOS; the scheduler runs it every 23h 23m 23s.

```routeros
/system script add name="zzIP_update" \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    dont-require-permissions=no \
    source="\r\
    \n:local cnip \"cnip.rsc\";\r\
    \n:local blocked \"blocked.rsc\";\r\
    \n:local urlhost \"192.168.50.110\";\r\
    \n:local cnippath \"/cnip.rsc\";\r\
    \n:local blockedpath \"/blocked.rsc\";\r\
    \n:delay 3;\r\
    \n\r\
    \n/tool fetch mode=http \\\r\
    \nurl=(\"http://\".(\$urlhost).(\$cnippath)) \\\r\
    \ndst-path=(\$cnip);\r\
    \n:log info message=([/file get (\$cnip) contents]);\r\
    \n\r\
    \n/import file=(\$cnip);\r\
    \n:log info message=\"update zzCNIP\";\r\
    \n\r\
    \n/tool fetch mode=http \\\r\
    \nurl=(\"http://\".(\$urlhost).(\$blockedpath)) \\\r\
    \ndst-path=(\$blocked);\r\
    \n:log info message=([/file get (\$blocked) contents]);\r\
    \n\r\
    \n/import file=(\$blocked);\r\
    \n:log info message=\"update blockedIP\";\r\
    \n\r\
    "
/
/system scheduler add comment="zzIP_update_scheduler" \
    interval=23:23:23 name="zzIP_update" \
    on-event="zzIP_update" \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=jan/01/1970 \
    start-time=startup
/
```

One thing to tighten: the script and its scheduler are granted every policy, including password, policy, sensitive and reboot. The script imports whatever the web server at 192.168.50.110 returns, over plain HTTP, so anyone who can answer for that address or write into the nginx web root can run arbitrary RouterOS commands with those rights. Drop the policies the script does not use; fetching and importing a file needs nowhere near that list.

If you have no Linux box and only want the cnip list, do the following. After importing the rsc above, go to System > Scripts, edit zzIP_update and replace its contents with the script below, which downloads a ready-made rsc file and imports it into ROS. Note that this file names the address list "CN", not zzCNIP as in this post (I renamed mine to zzCNIP because I have many lists and the zz prefix keeps them sorted together), so if you use it you will have to adjust the mangle rules accordingly. I am also not sure whether that CNIP list is updated regularly.

```routeros
# plan B
/tool fetch mode=http url="http://www.iwik.org/ipcountry/mikrotik/CN" \
    dst-path=cnip.rsc
:log info ([/file get cnip.rsc contents])
/import file=cnip.rsc
/
```

2. Static DNS entries, combined with RouterOS DNS hijacking and filter rules, for adblock (rsc file download needed)

Static DNS entries, used for ad blocking.

There are too many domains to list here, so please download the rsc file; the link is at the end.

The blocked ad domains are my own selection (I do not watch many videos or read much news), so use them with care; if something you browse breaks, capture the traffic and edit the static DNS entries yourself.

The static entries look roughly like this; the firewall filter then blocks 240.0.0.1, which is what makes the ads disappear.

```routeros
/ip dns static
add address=240.0.0.1 name="yun.wbscdn.cn" comment="adblock0001" disabled=no
add address=240.0.0.1 name="ad.niui.com" comment="adblock0002" disabled=no
/
```

3. Layer7-based DNS split for VIP domains (rsc file download needed)

Layer7-based domain split, used against DNS poisoning: queries for the VIP domains are intercepted and handed to a designated DNS server. Whether that server's replies make it back to you is your own problem. This step only sets the mark; the mangle rules in the next section do the actual interception. Example below; the domains are spread over two lists because there are so many.

Keep in mind that layer7 patterns are matched against raw packet bytes, and in a DNS query the name travels as length-prefixed labels (abc.com is the bytes 03 'abc' 03 'com' 00), with no dot anywhere. A pattern with an escaped dot such as c\.com therefore never matches a query; patterns that seem to work do so because an unescaped dot matches the length byte, which also produces false positives on unrelated names.

```routeros
/ip firewall layer7-protocol
add name=1111dns001 regexp="c\\.com|124\\.com";
add name=1111dns002 regexp="h\\.com|24\\.com";
/
```

4. mangle settings

```routeros
/ip firewall mangle
add action=change-ttl chain=forward new-ttl=set:128 passthrough=yes
add action=change-mss chain=forward new-mss=1440 passthrough=yes protocol=tcp \
    tcp-flags=syn tcp-mss=1441-65535
## let the bypass gateway's own traffic through untouched (accept bypass connection)
add action=accept chain=prerouting comment="accept gateway" src-address=192.168.50.110
add action=accept chain=output src-address=192.168.50.110
add action=accept chain=postrouting src-address=192.168.50.110
## mark the router's own DNS queries for VIP domains (mark VIP domain's DNS connection from local of ROS)
add action=mark-connection chain=output comment="local dns to 1111" dst-port=53 \
    layer7-protocol=1111dns001 new-connection-mark=to1111dns passthrough=yes protocol=udp
add action=mark-connection chain=output comment="local dns to 1111" dst-port=53 \
    layer7-protocol=1111dns002 new-connection-mark=to1111dns passthrough=yes protocol=udp
## mark LAN devices' DNS queries for VIP domains (mark VIP domain's DNS connection from LAN devices)
add action=mark-connection chain=prerouting comment="lan dns to 1111dns" dst-port=53 \
    layer7-protocol=1111dns001 new-connection-mark=to1111dns passthrough=yes protocol=udp
add action=mark-connection chain=prerouting comment="lan dns to 1111dns" dst-port=53 \
    layer7-protocol=1111dns002 new-connection-mark=to1111dns passthrough=yes protocol=udp
## routing-mark non-CNIP traffic from both the router itself and LAN devices
## (mark connections from ROS_local and LAN_devices whose dst-address is not in CNIP)
add action=mark-routing chain=prerouting comment="LAN connection dst-to nonecnip mark routing for bypass" \
    dst-address=!192.168.50.0/24 dst-address-list=!zzCNIP dst-address-type=!local \
    new-routing-mark=hot passthrough=yes src-address=192.168.50.0/24
add action=mark-routing chain=output comment="ros local connection dst-to nonecnip mark routing for bypass" \
    dst-address-list=!zzCNIP dst-address-type=!local new-routing-mark=hot passthrough=yes \
    src-address-type=local
```

5. ip nat settings

```routeros
/ip firewall nat
## NAT for LAN devices
add action=masquerade chain=srcnat comment="LAN IP masquerade" src-address=192.168.50.0/24
## the router's own traffic: src-nat so replies come back once it has been sent via the bypass gateway
add action=src-nat chain=srcnat comment="ros local connection masquerade" \
    dst-address-list=!zzCNIP src-address-type=local to-addresses=192.168.50.1
## spare NAT rules?
add action=masquerade chain=srcnat comment="wan interface masquerade" out-interface=pppoe-out1
add action=masquerade chain=srcnat disabled=yes out-interface=WAN to-addresses=0.0.0.0
## port-forward example
add action=dst-nat chain=dstnat dst-address=!192.168.50.0/24 dst-address-type=local \
    dst-port=80 protocol=tcp to-addresses=192.168.50.139 to-ports=80
## let DNS from the bypass gateway through (accept DNS from bypass)
add action=accept chain=dstnat comment="accept gateway" dst-port=53 protocol=udp \
    src-address=192.168.50.110
## hijack all DNS to ROS so the static (adblock / privacy) entries take effect
## [all DNS connections dst-nat'd to ROS, to make static_dns (adblock dns settings) effective]
add action=dst-nat chain=dstnat comment="DNS Redirect to ROS(UDP)" dst-address=!192.168.50.1 \
    dst-port=53 in-interface-list="LAN Interfaces" protocol=udp to-addresses=192.168.50.1 to-ports=53
add action=dst-nat chain=dstnat comment="DNS Redirect to ROS(TCP)" dst-address=!192.168.50.1 \
    dst-port=53 in-interface-list="LAN Interfaces" protocol=tcp to-addresses=192.168.50.1 to-ports=53
## VIP-domain queries hijacked to 1.1.1.1 (VIP domain's DNS connection dst-nat to 1.1.1.1)
add action=dst-nat chain=dstnat comment="redirect dns to 1111" connection-mark=to1111dns \
    protocol=udp to-addresses=1.1.1.1 to-ports=53
```

Rule order matters in dstnat. The "accept gateway" rule must stay above the two redirect rules, otherwise the bypass gateway's upstream queries are looped back to the router. And since the first dst-nat rule that matches decides the connection, a LAN query for a VIP domain sent to any resolver other than 192.168.50.1 is redirected to the router before it ever reaches the 1.1.1.1 rule; put the 1.1.1.1 rule above the two redirect rules if LAN queries are meant to reach 1.1.1.1 directly.

6. route settings

```routeros
/ip route
add check-gateway=ping distance=1 gateway=192.168.50.110 routing-mark=hot
## if the bypass gateway is down, fall back to the ROS gateway (I think that is what this does)
add distance=3 gateway=192.168.50.1
add distance=4 gateway=pppoe-out1
```
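The layer7 DNS patterns in section 3 are the piece of this setup most likely to silently do nothing, so here is an added check, not from the original post, that shows why. It builds a real DNS query packet, runs the page's escaped-dot style pattern and its unescaped variant over it, and then builds a pattern from the label-length bytes that matches the intended zone and its subdomains only. The query packets and domain names are constructed; `l7_matches` approximates layer7's case-insensitive search, and `\x03`-style hex escapes are assumed to be accepted in the pattern, as they are in l7-filter patterns.

```python
"""Check layer7 patterns against what a DNS query really looks like.

Added example, not part of the original post. RouterOS layer7-protocol
regexps are run over raw packet bytes, and in a DNS query the name is
sent as length-prefixed labels: abc.com is 03 'abc' 03 'com' 00, with no
'.' byte at all. So a pattern like c\.com (the page's regexp="c\\.com")
never matches a query for abc.com, while an unescaped c.com matches
only because '.' happens to match the length byte, and over-matches.
Query packets are constructed inline; l7_matches approximates layer7's
case-insensitive search, and hex escapes (\x03) are assumed to be
accepted in the pattern as they are in l7-filter patterns.
"""
import re
import struct


def build_dns_query(qname, txid=0x1234, qtype=1):
    """Minimal DNS query (RD set, QCLASS IN) for qname, as wire bytes."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    name = b""
    for label in qname.strip(".").split("."):
        raw = label.encode("ascii")
        name += struct.pack("B", len(raw)) + raw      # length byte, then label
    return header + name + b"\x00" + struct.pack(">HH", qtype, 1)


def l7_matches(regexp, payload):
    """Case-insensitive regexp search over the payload bytes, like layer7."""
    return re.search(regexp.encode("latin-1"), payload, re.IGNORECASE) is not None


def dns_label_regexp(domain):
    """Regexp matching the DNS encoding of domain and its subdomains, but
    not a different zone that merely starts with the same labels:
    abc.com -> \\x03abc\\x03com\\x00 (the trailing \\x00 ends the name)."""
    labels = domain.strip(".").split(".")
    return "".join(r"\x%02x%s" % (len(l), re.escape(l)) for l in labels) + r"\x00"


def render_layer7_rule(name, domains):
    """The /ip firewall layer7-protocol add line for several domains.
    Backslashes are doubled inside the RouterOS double-quoted string,
    the same convention the page's regexp="c\\.com" uses."""
    pattern = "|".join(dns_label_regexp(d) for d in domains)
    return 'add name=%s regexp="%s"' % (name, pattern.replace("\\", "\\\\"))


if __name__ == "__main__":
    # constructed queries: the zone we want, a subdomain, a look-alike zone, an unrelated name
    for qname in ("abc.com", "www.abc.com", "abc.com.cn", "music.company.net"):
        pkt = build_dns_query(qname)
        print(qname.ljust(18),
              "c\\.com:", l7_matches(r"c\.com", pkt),
              " c.com:", l7_matches("c.com", pkt),
              " label-pattern:", l7_matches(dns_label_regexp("abc.com"), pkt))
    print(render_layer7_rule("1111dns001", ["abc.com", "example.net"]))
```

The escaped-dot pattern matches nothing; the unescaped one matches abc.com but also music.company.net; the label-length pattern matches abc.com and www.abc.com and rejects abc.com.cn. Whichever form you use, test it this way before relying on the connection mark for routing.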

7. Filter settings

The filter rules are adapted mainly from the firewall at the link below. There are a lot of them, so download the rsc attachment if you want them. That rsc file includes the port-scanner IPs listed on that site and already contains the scheduled task, so if you have no Linux bypass host, fetch the cnip list with the backup method above and take the port-scanner IPs from this rsc file.

Notes:

This firewall uses interface lists instead of interfaces, so replace the interface names with your own before use. Use the "LAN Port Scanner List" and "LAN High Connection Rates" rules with care, or only after adjusting their parameters, because they will blacklist LAN IPs too, including the bypass gateway. I have adjusted my copy so that a LAN IP keeps working even after it lands in "LAN Port Scanner List" or "LAN High Connection Rates". You can simply disable those rules, but it is better to keep them and adjust them, for example by excluding 192.168.0.0/16, that is, the internal range, which should be enough.

RFC MikroTik Firewall 6.0 for IPv4 (Free Version)

8. queue / QoS

The QoS settings assume a 200 M line. In the queue tree I only set the parent's total to 90% of 200 M; the children do not have the usual parameters set yet, that can wait until I have time. The QoS is sized for 20 devices by default; for more, change the parameter "pcq-total-limit=1000KiB": 1000/50 = 20, so raise 1000 to a larger multiple of 50.

9. HE DDNS and the update-HE-sit1-IPv4 script

Open WinBox, go to System > Scripts, create a new script with a name of your choice and paste the following in. It is not written in the rsc import format, so importing it as an rsc file may fail.

```routeros
##start update sit1 & he ipv4
# Update Hurricane Electric IPv6 Tunnel Client IPv4 address
# Add it below in /system scheduler
:local HEtunnelinterface "sit1"
:local HEtunnelid "123456"
## log in at https://tunnelbroker.net/account.php; take the "Account Name:"
:local HEuserid "AccountName"
## IPv6 tunnel -> Advanced -> Update Key:
:local HEpass "UpdateKey"
:local HEupdatehost "ipv4.tunnelbroker.net"
:local HEupdatepath "/nic/update"
:local WANinterface "pppoe-out1"
:local outputfile ("HE-" . $HEtunnelid . ".txt")

# Internal processing below...
# ----------------------------------
:local HEipv4addr

# Get WAN interface IP address
:set HEipv4addr [/ip address get [/ip address find interface=$WANinterface] address]
:set HEipv4addr [:pick [:tostr $HEipv4addr] 0 [:find [:tostr $HEipv4addr] "/"]]

:if ([:len $HEipv4addr] = 0) do={
   :log error ("Could not get IP for interface " . $WANinterface)
   :error ("Could not get IP for interface " . $WANinterface)
}

# Update the HEtunnelinterface with WAN IP
/interface 6to4 {
   :if ([get ($HEtunnelinterface) local-address] != $HEipv4addr) do={
      :log info ("Updating " . $HEtunnelinterface . " local-address with new IP " . $HEipv4addr . "...")
      set ($HEtunnelinterface) local-address=$HEipv4addr
   }
}

/tool fetch mode=http \
    host=($HEupdatehost) \
    url=("https://" . $HEupdatehost . $HEupdatepath . \
         "?username=" . $HEuserid . \
         "&password=" . $HEpass . \
         "&hostname=" . $HEtunnelid . \
         "&myip=" . $HEipv4addr) \
    dst-path=($outputfile)

:log info ([/file get ($outputfile) contents])
/file remove ($outputfile)
##end
```

The next one gets more use: the DDNS update script. Again create a new script and paste it in.

```routeros
##start update/dyn he free dns's ddns
:local ddnshost "yourdomain"
:local key "ddns_update_key"
:local updatehost "dyn.dns.he.net"
:local WANinterface "pppoe-out1"
:local outputfile ("HE_DDNS" . ".txt")

# Internal processing below...
# ----------------------------------
:delay 15
:local ipv4addr

# Get WAN interface IP address
:set ipv4addr [/ip address get [/ip address find interface=$WANinterface] address]
:set ipv4addr [:pick [:tostr $ipv4addr] 0 [:find [:tostr $ipv4addr] "/"]]

:if ([:len $ipv4addr] = 0) do={
   :log error ("Could not get IP for interface " . $WANinterface)
   :error ("Could not get IP for interface " . $WANinterface)
}

:log info ("Updating DDNS IPv4 address" . " Client IPv4 address to new IP " . $ipv4addr . "...")
/tool fetch mode=http url="https://$updatehost/nic/update?hostname=$ddnshost&password=$key&myip=$ipv4addr" \
    dst-path=$outputfile

:log info ([/file get ($outputfile) contents])
/file remove ($outputfile)
##end
```

You can hook the script into /ppp profile default (on-up) so that it runs whenever the PPPoE link comes up, and also add it to System > Scheduler for a timed run. The two together make sure the DDNS record gets updated.
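Both scripts above splice the update key straight into the URL and only write HE's reply to the log. The following is an added example, not from the original post, that walks the same exchange in Python so it can be run and checked offline: it extracts the WAN address the way the `:pick`/`:find` step does, builds the dyn.dns.he.net style update URL with the key URL-encoded, and classifies the reply. The reply words it handles (good, nochg, badauth, abuse, nohost) are the dyndns2-style responses assumed here; the addresses, hostname and key are constructed, and nothing is sent over the network.

```python
"""Build and check a Hurricane Electric dynamic DNS update the way the two
RouterOS scripts above do, with two things they skip: the update key is
URL-encoded rather than spliced raw into the query string, and the reply
is parsed and compared with the address that was sent instead of only
being written to the log.

Added example, not from the original post. The reply words handled here
(good, nochg, badauth, abuse, nohost) are the dyndns2-style replies the
example assumes HE returns; check HE's documentation for the full set.
Nothing is fetched over the network: the replies below are constructed.
"""
import ipaddress
from urllib.parse import parse_qs, urlencode, urlsplit


def wan_ip_from_address(addr_with_prefix):
    """'203.0.113.9/32' -> '203.0.113.9', the :pick/:find step of the script,
    plus a validity check the script does not do; None if not an IPv4 address."""
    host = addr_with_prefix.split("/", 1)[0]
    try:
        ipaddress.IPv4Address(host)
    except ValueError:
        return None
    return host


def build_update_url(host, hostname, key, myip, path="/nic/update"):
    """https URL for a dyn.dns.he.net style update (tunnelbroker adds username).
    urlencode escapes '&', '%' and friends in the key, which the RouterOS
    script would otherwise interpolate verbatim and corrupt the request."""
    query = urlencode({"hostname": hostname, "password": key, "myip": myip})
    return f"https://{host}{path}?{query}"


def query_param(url, name):
    """First decoded value of a query parameter (used to verify the URL)."""
    return parse_qs(urlsplit(url).query).get(name, [None])[0]


def parse_update_reply(reply, expected_ip):
    """Classify a dyndns2-style reply as (ok, status, detail).
    'good'/'nochg' must echo the address we sent; auth and abuse errors
    are permanent, so a caller should stop retrying rather than hammer HE."""
    parts = reply.strip().split()
    if not parts:
        return False, "empty", ""
    status = parts[0].lower()
    if status in ("good", "nochg"):
        echoed = parts[1] if len(parts) > 1 else ""
        if echoed and echoed != expected_ip:
            return False, status, f"server recorded {echoed}, expected {expected_ip}"
        return True, status, echoed
    if status in ("badauth", "abuse", "nohost"):
        return False, status, "permanent error, fix configuration before retrying"
    return False, "unknown", reply.strip()


if __name__ == "__main__":
    ip = wan_ip_from_address("203.0.113.9/32")      # constructed WAN address
    url = build_update_url("dyn.dns.he.net", "home.example.net", "k&y%1", ip)
    print(url)
    for reply in ("good 203.0.113.9", "nochg 203.0.113.9", "badauth"):   # constructed replies
        print(reply, "->", parse_update_reply(reply, ip))
```

On the router the equivalent is to read the downloaded file back, stop the scheduler on badauth or abuse, and only log success when the echoed address equals the one sent; the scripts above log the reply but act on none of it.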

10. Periodic DNS cache flush

```routeros
/system script add dont-require-permissions=no \
    name="\C7\E5\C0\EDDNS\BB\BA\B4\E6_flush_dns_cache" \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    source="/ip dns cache flush\r\
    \n:log info \"\C7\E5\C0\EDDNS\BB\BA\B4\E6_Regularly_flush_dns_cache\"\r\
    \n"
/
/system scheduler add interval=08:13:33 \
    name="\B6\A8\C6\DA\C7\E5\C0\EDDNS\BB\BA\B4\E6_Regularly_flush_dns_cache" \
    on-event="\C7\E5\C0\EDDNS\BB\BA\B4\E6_flush_dns_cache" \
    policy=ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api,romon \
    start-date=jan/01/1990 \
    start-time=02:00:00
/
```

(The \C7\E5\C0\ED... sequences are the GBK bytes of 清理DNS缓存, "flush DNS cache", and \B6\A8\C6\DA of 定期, "periodically", which is how RouterOS exports non-ASCII names.) The same remark as for zzIP_update applies: a script whose only job is /ip dns cache flush does not need password, policy or sensitive.

The end

[RSC file download]: https://download.csdn.net/download/garindu/12448022


