References:
https://github.com/aziraphale/routeros-dns-adblock
http://winhelp2002.mvps.org/hosts.htm
Prerequisites:
– any box running PHP; I used a CentOS server
– access to the MikroTik console
[root@7s1 ~]#
[root@7s1 ~]# #download RouterOS DNS Server AdBlock Configuration
[root@7s1 ~]# wget https://github.com/aziraphale/routeros-dns-adblock/archive/master.zip
--2016-02-07 15:02:03--  https://github.com/aziraphale/routeros-dns-adblock/archive/master.zip
Resolving github.com (github.com)... 192.30.252.131
Connecting to github.com (github.com)|192.30.252.131|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://codeload.github.com/aziraphale/routeros-dns-adblock/zip/master [following]
--2016-02-07 15:02:04--  https://codeload.github.com/aziraphale/routeros-dns-adblock/zip/master
Resolving codeload.github.com (codeload.github.com)... 192.30.252.162
Connecting to codeload.github.com (codeload.github.com)|192.30.252.162|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 457551 (447K) [application/zip]
Saving to: ‘master.zip’

100%[====================================================================================>] 457,551      467KB/s   in 1.0s

2016-02-07 15:02:05 (467 KB/s) - ‘master.zip’ saved [457551/457551]

[root@7s1 ~]# #move it in a proper folder
[root@7s1 ~]# mkdir blocking
[root@7s1 ~]# mv master.zip blocking/
[root@7s1 ~]# cd blocking/
[root@7s1 blocking]#
[root@7s1 blocking]# ll
total 448
-rw-r--r--. 1 root root 457551 Feb  7 15:02 master.zip
[root@7s1 blocking]#
[root@7s1 blocking]# unzip master.zip
Archive:  master.zip
8bd97572d1b8d99b3780c26ce98f25e1262db2df
   creating: routeros-dns-adblock-master/
 extracting: routeros-dns-adblock-master/.gitignore
  inflating: routeros-dns-adblock-master/README.md
  inflating: routeros-dns-adblock-master/process.custom.php
  inflating: routeros-dns-adblock-master/process.dan-pollock.php
  inflating: routeros-dns-adblock-master/process.hphosts.php
  inflating: routeros-dns-adblock-master/process.malwaredomainlist.com.php
  inflating: routeros-dns-adblock-master/process.malwaredomains.com.php
  inflating: routeros-dns-adblock-master/process.mvps.php
  inflating: routeros-dns-adblock-master/process.peter-lowe.php
  inflating: routeros-dns-adblock-master/process.php
  inflating: routeros-dns-adblock-master/process.spam404.php
  inflating: routeros-dns-adblock-master/source.custom.txt
  inflating: routeros-dns-adblock-master/source.dan-pollock.txt
  inflating: routeros-dns-adblock-master/source.hphosts.txt
  inflating: routeros-dns-adblock-master/source.malwaredomainlist.com.txt
  inflating: routeros-dns-adblock-master/source.malwaredomains.com.txt
  inflating: routeros-dns-adblock-master/source.mvps.txt
  inflating: routeros-dns-adblock-master/source.peter-lowe.txt
  inflating: routeros-dns-adblock-master/source.spam404.txt
[root@7s1 blocking]#
[root@7s1 blocking]#
[root@7s1 blocking]# ll
total 452
-rw-r--r--. 1 root root 457551 Feb  7 15:02 master.zip
drwxr-xr-x. 2 root root   4096 Oct 25 15:53 routeros-dns-adblock-master
[root@7s1 blocking]#
[root@7s1 blocking]# cd routeros-dns-adblock-master/
[root@7s1 routeros-dns-adblock-master]# ll
total 1892
-rw-r--r--. 1 root root    900 Oct 25 15:53 process.custom.php
-rw-r--r--. 1 root root   1256 Oct 25 15:53 process.dan-pollock.php
-rw-r--r--. 1 root root   1007 Oct 25 15:53 process.hphosts.php
-rw-r--r--. 1 root root   1000 Oct 25 15:53 process.malwaredomainlist.com.php
-rw-r--r--. 1 root root   1002 Oct 25 15:53 process.malwaredomains.com.php
-rw-r--r--. 1 root root    913 Oct 25 15:53 process.mvps.php
-rw-r--r--. 1 root root    913 Oct 25 15:53 process.peter-lowe.php
-rw-r--r--. 1 root root   3986 Oct 25 15:53 process.php
-rw-r--r--. 1 root root    940 Oct 25 15:53 process.spam404.php
-rw-r--r--. 1 root root   3969 Oct 25 15:53 README.md
-rw-r--r--. 1 root root    110 Oct 25 15:53 source.custom.txt
-rw-r--r--. 1 root root 322418 Oct 25 15:53 source.dan-pollock.txt
-rw-r--r--. 1 root root 802060 Oct 25 15:53 source.hphosts.txt
-rw-r--r--. 1 root root  44736 Oct 25 15:53 source.malwaredomainlist.com.txt
-rw-r--r--. 1 root root  42219 Oct 25 15:53 source.malwaredomains.com.txt
-rw-r--r--. 1 root root 502790 Oct 25 15:53 source.mvps.txt
-rw-r--r--. 1 root root  65456 Oct 25 15:53 source.peter-lowe.txt
-rw-r--r--. 1 root root 103973 Oct 25 15:53 source.spam404.txt
[root@7s1 routeros-dns-adblock-master]#
[root@7s1 routeros-dns-adblock-master]# #download the current version of MVPS hosts file
[root@7s1 routeros-dns-adblock-master]# wget -O source.mvps.txt winhelp2002.mvps.org/hosts.txt
--2016-02-07 15:22:18--  http://winhelp2002.mvps.org/hosts.txt
Resolving winhelp2002.mvps.org (winhelp2002.mvps.org)... 216.155.126.40
Connecting to winhelp2002.mvps.org (winhelp2002.mvps.org)|216.155.126.40|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 508717 (497K) [text/plain]
Saving to: ‘source.mvps.txt’

100%[====================================================================================>] 508,717      347KB/s   in 1.4s

2016-02-07 15:22:20 (347 KB/s) - ‘source.mvps.txt’ saved [508717/508717]

[root@7s1 routeros-dns-adblock-master]#
[root@7s1 routeros-dns-adblock-master]# #edit process.php 1) commenting-out the filter list files that you don't want to use
[root@7s1 routeros-dns-adblock-master]# # 2) enable routeros script => define('BIND9_OUTPUT', false);
[root@7s1 routeros-dns-adblock-master]# vim process.php
[root@7s1 routeros-dns-adblock-master]#
[root@7s1 routeros-dns-adblock-master]# #that's my configuration
[root@7s1 routeros-dns-adblock-master]# head -n 30 process.php
<?php

$files = [
    // destination IPs only used in RouterOS mode
#    "peter-lowe" => ["240.0.0.1"],
    "mvps" => ["240.0.0.2"],
#    "hphosts" => ["240.0.0.3"],
#    "dan-pollock" => ["240.0.0.4"],
#    "spam404" => ["240.0.0.5"],
#    "malwaredomains.com" => ["240.0.0.6"],
#    "malwaredomainlist.com" => ["240.0.0.7"],
#    "custom" => ["240.0.0.255"],
];

// Might be a bit memory-intensive/slow... not strictly necessary, as RouterOS will just display a warning on duplicates. Only applicable in RouterOS mode
define('SKIP_DUPLICATES', true);
// Seems to be faster - use integer (CRC32 hash) keys for matching duplicates, rather than strings
define('SKIP_DUPLICATES_CRC32', true);

// Only applies to RouterOS output
define('PER_FILE_LIMIT', 3000);

// Enables output of bind9 zone files instead of RouterOS scripts. Forces skip_duplicates to ON
define('BIND9_OUTPUT', false);
// Name of Bind9 "null" zone file
define('BIND9_NULL_ZONEFILE_NAME', '/etc/bind/db.null');

define('IN_PROCESS', 1);

$totalTimeStart = microtime(true);
[root@7s1 routeros-dns-adblock-master]#
[root@7s1 routeros-dns-adblock-master]# #let's go...
[root@7s1 routeros-dns-adblock-master]# php process.php
NOTE: Removing duplicate hosts is ENABLED (via crc32).
mvps => 240.0.0.2 ... ..13574 hosts (18821.22ms) (5 files)

Total duration: 18821.73ms
Total hosts: 13574
Total files: 5
Peak RAM use: 2.00 MB
[root@7s1 routeros-dns-adblock-master]#
[root@7s1 routeros-dns-adblock-master]#
[root@7s1 routeros-dns-adblock-master]#
[root@7s1 routeros-dns-adblock-master]# #five rsc scripts have been created
[root@7s1 routeros-dns-adblock-master]# ll *rsc
-rw-r--r--. 1 root root 151791 Feb  7 15:42 script.mvps-0.rsc
-rw-r--r--. 1 root root 153836 Feb  7 15:42 script.mvps-1.rsc
-rw-r--r--. 1 root root 156486 Feb  7 15:42 script.mvps-2.rsc
-rw-r--r--. 1 root root 156121 Feb  7 15:42 script.mvps-3.rsc
-rw-r--r--. 1 root root  87676 Feb  7 15:42 script.mvps-4.rsc
[root@7s1 routeros-dns-adblock-master]#
[root@7s1 routeros-dns-adblock-master]# #let's upload them to the router via ssh
[root@7s1 routeros-dns-adblock-master]# scp *rsc olie1@192.168.0.1:/
script.mvps-0.rsc                                          100%  148KB 148.2KB/s   00:00
script.mvps-1.rsc                                          100%  150KB 150.2KB/s   00:00
script.mvps-2.rsc                                          100%  153KB 152.8KB/s   00:00
script.mvps-3.rsc                                          100%  152KB 152.5KB/s   00:00
script.mvps-4.rsc                                          100%   86KB  85.6KB/s   00:00
[root@7s1 routeros-dns-adblock-master]#
[root@7s1 routeros-dns-adblock-master]#

[olie1@MikroTik] > # on the router-side, print interfaces and firewall filters
[olie1@MikroTik] > interface print
Flags: D - dynamic, X - disabled, R - running, S - slave
 #     NAME                  TYPE       ACTUAL-MTU L2MTU  MAX-L2MTU MAC-ADDRESS
 0  R  ether1-gateway        ether            1500  1598       2028 00:10:DC:4F:DD:8A
 1  S  ether2-master-local   ether            1500  1598       2028 E4:8D:8C:E9:C4:44
 2  S  ether3-slave-local    ether            1500  1598       2028 E4:8D:8C:E9:C4:45
 3  S  ether4-slave-local    ether            1500  1598       2028 E4:8D:8C:E9:C4:46
 4  S  ether5-slave-local    ether            1500  1598       2028 E4:8D:8C:E9:C4:47
 5  RS wlan1                 wlan             1500  1600            E4:8D:8C:E9:C4:48
 6  R  bridge-local          bridge           1500  1598            E4:8D:8C:E9:C4:44
[olie1@MikroTik] >
[olie1@MikroTik] > ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
 0 D ;;; special dummy rule to show fasttrack counters
     chain=forward

 1   ;;; Gigaserver watchdog
     chain=input action=accept protocol=tcp src-address=85.118.128.29 dst-port=80 log=no log-prefix=""

 2 XI ;;; default configuration
     chain=input action=accept protocol=icmp log=no log-prefix=""

 3   ;;; default configuration
     chain=input action=accept connection-state=established,related log=no log-prefix=""

 4   ;;; default configuration
     chain=input action=drop in-interface=ether1-gateway log=no log-prefix=""

 5   ;;; default configuration
     chain=forward action=fasttrack-connection connection-state=established,related log=no log-prefix=""

 6   ;;; default configuration
     chain=forward action=accept connection-state=established,related log=no log-prefix=""

 7   ;;; default configuration
     chain=forward action=drop connection-state=invalid log=no log-prefix=""

 8   ;;; default configuration
     chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=ether1-gateway log=no log-prefix=""
[olie1@MikroTik] >
[olie1@MikroTik] > #add a firewall filter rule to block outbound access to the 240.0.0.0/4 IPv4 range and move it to the proper position
[olie1@MikroTik] > /ip firewall filter add chain=forward in-interface=ether1-gateway connection-state=new protocol=tcp dst-address=240.0.0.0/4 action=reject reject-with=tcp-reset
[olie1@MikroTik] > ip firewall filter move 9 8
[olie1@MikroTik] > ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
 0 D ;;; special dummy rule to show fasttrack counters
     chain=forward

 1   ;;; Gigaserver watchdog
     chain=input action=accept protocol=tcp src-address=85.118.128.29 dst-port=80 log=no log-prefix=""

 2 XI ;;; default configuration
     chain=input action=accept protocol=icmp log=no log-prefix=""

 3   ;;; default configuration
     chain=input action=accept connection-state=established,related log=no log-prefix=""

 4   ;;; default configuration
     chain=input action=drop in-interface=ether1-gateway log=no log-prefix=""

 5   ;;; default configuration
     chain=forward action=fasttrack-connection connection-state=established,related log=no log-prefix=""

 6   ;;; default configuration
     chain=forward action=accept connection-state=established,related log=no log-prefix=""

 7   chain=forward action=reject reject-with=tcp-reset connection-state=new protocol=tcp dst-address=240.0.0.0/4 in-interface=ether1-gateway log=no log-prefix=""

 8   ;;; default configuration
     chain=forward action=drop connection-state=invalid log=no log-prefix=""

 9   ;;; default configuration
     chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=ether1-gateway log=no log-prefix=""
[olie1@MikroTik] > #check if we do have rsc scripts
[olie1@MikroTik] > file print
 # NAME                       TYPE       SIZE     CREATION-TIME
 0 skins                      directory           jan/01/1970 01:00:01
 1 supout.rif                 .rif file  462.6KiB feb/05/2016 22:55:22
 2 script.mvps-0.rsc          script     148.2KiB feb/07/2016 15:44:52
 3 script.mvps-1.rsc          script     150.2KiB feb/07/2016 15:44:54
 4 script.mvps-2.rsc          script     152.8KiB feb/07/2016 15:44:54
 5 script.mvps-3.rsc          script     152.5KiB feb/07/2016 15:44:54
 6 script.mvps-4.rsc          script      85.6KiB feb/07/2016 15:44:54
 7 2016--02-06.backup         backup      30.2KiB feb/06/2016 01:21:49
 8 2016-02-06.backup          backup      29.7KiB feb/06/2016 00:42:26
 9 auto-before-reset.backup   backup      25.1KiB jan/02/1970 01:00:47
10 pub                        directory           feb/05/2016 21:06:25
11 2016-02-07.backup          backup      35.6KiB feb/07/2016 15:23:56
[olie1@MikroTik] >
[olie1@MikroTik] >
[olie1@MikroTik] > #execute our rsc scripts with the root level command import
[olie1@MikroTik] > import script.mvps-0.rsc
Script file loaded and executed successfully
[olie1@MikroTik] >
[olie1@MikroTik] > import script.mvps-1.rsc
Script file loaded and executed successfully
[olie1@MikroTik] > import script.mvps-2.rsc
Script file loaded and executed successfully
[olie1@MikroTik] > import script.mvps-3.rsc
Script file loaded and executed successfully
[olie1@MikroTik] > import script.mvps-4.rsc
Script file loaded and executed successfully
[olie1@MikroTik] >
[olie1@MikroTik] > #check if DHCP server provides DNS settings that include using the router as clients main DNS resolver
[olie1@MikroTik] > ip dhcp-server network print
 # ADDRESS            GATEWAY         DNS-SERVER      WINS-SERVER     DOMAIN
 0 ;;; default configuration
   192.168.0.0/24     192.168.0.1
[olie1@MikroTik] >
[olie1@MikroTik] > #check if we have enough memory
[olie1@MikroTik] > system resource monitor
   cpu-used: 2%
   cpu-used-per-cpu: 2%
   free-memory: 93508KiB
[olie1@MikroTik] >
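The transformation that process.php performs in RouterOS mode (hosts-file lines in, chunked `.rsc` scripts out, duplicates dropped, PER_FILE_LIMIT entries per file) is shown below in Python as an added example; it is not the routeros-dns-adblock project's own code nor part of this post. The RouterOS `/ip dns static add name=... address=... comment=...` command is real console syntax, but the exact line format the project emits and the `script.<list>-<n>.rsc` file naming are assumptions taken from the listing above; the sample hosts lines are constructed.

```python
"""Convert a hosts-style blocklist into chunked RouterOS static-DNS scripts.

Added example (not the routeros-dns-adblock project's own code). A blocked
name is answered with a sink address from the reserved 240.0.0.0/4 range,
exactly as the post's process.php configuration does for the mvps list.
Assumptions: the emitted command format and the .rsc file naming.
"""
import os
import re
import sys

# Names every hosts file carries that must never be sinkholed on the router.
SKIP_NAMES = {"localhost", "localhost.localdomain", "local", "broadcasthost",
              "ip6-localhost", "ip6-loopback"}

# Strict hostname grammar: the generated text is executed by "import" on the
# router, so a malformed list line must not be able to reach a command.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[a-z0-9_](?:[a-z0-9_-]{0,61}[a-z0-9_])?"
    r"(?:\.[a-z0-9_](?:[a-z0-9_-]{0,61}[a-z0-9_])?)*$")

# Constructed sample input in MVPS hosts-file layout.
SAMPLE_HOSTS = """\
# constructed sample, MVPS layout: <address> <name> [<name>...] [# comment]
127.0.0.1  localhost
0.0.0.0  ad.example.test   # tracker
0.0.0.0  AD.EXAMPLE.TEST
0.0.0.0  banner.example.test stats.example.test
0.0.0.0  -bad.example.test host/with?chars
0.0.0.0  beacon.example.test
"""


def parse_hosts(text):
    """Yield unique, validated hostnames from hosts-file text, first-seen order.

    Handles '#' comments, blank lines, CRLF endings, several names per line
    and mixed case (DNS names are case-insensitive, so they are lowered
    before the duplicate check, like the CRC32 de-duplication in the PHP).
    """
    seen = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # a bare address or name is not "<address> <name>..."
        for name in fields[1:]:
            name = name.lower().rstrip(".")
            if name in SKIP_NAMES or not HOSTNAME_RE.match(name):
                continue
            if name in seen:
                continue
            seen.add(name)
            yield name


def routeros_line(name, sink, comment):
    """One RouterOS console command creating a static A record for name."""
    return f'/ip dns static add name="{name}" address={sink} comment="{comment}"'


def build_scripts(text, sink="240.0.0.2", comment="mvps", per_file_limit=3000):
    """Return script bodies, each holding at most per_file_limit entries."""
    lines = [routeros_line(n, sink, comment) for n in parse_hosts(text)]
    return ["\n".join(lines[i:i + per_file_limit]) + "\n"
            for i in range(0, len(lines), per_file_limit)]


def write_scripts(scripts, list_name, directory="."):
    """Write script.<list>-<n>.rsc files; returns the paths written."""
    paths = []
    for n, body in enumerate(scripts):
        path = os.path.join(directory, f"script.{list_name}-{n}.rsc")
        with open(path, "w", encoding="ascii") as fh:
            fh.write(body)
        paths.append(path)
    return paths


if __name__ == "__main__":
    # Usage: python hosts2rsc.py [source.mvps.txt]  (file name is an assumption)
    src = sys.argv[1] if len(sys.argv) > 1 else "source.mvps.txt"
    with open(src, encoding="utf-8", errors="replace") as fh:
        print(write_scripts(build_scripts(fh.read()), "mvps"))
```

The validation step is the part worth keeping even if you stay with the PHP tool: each `.rsc` line becomes a console command on the router, so names are whitelisted against a hostname grammar and loopback names are dropped, rather than trusting a list downloaded over plain HTTP to contain only hostnames.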
"Waking" a machine inside the LAN has a few requirements, but essentially everything happens at layer 2 of the ISO/OSI model. More here. When waking a machine from the WAN another layer comes into play, and on its way the magic packet has to get past a router that forwards it into the correct subnet.
If you have a public IP address (for WOL it additionally has to be static) and your own router, the router configuration will look like this:
The picture is a screenshot of the configuration of an ASUS WL500g Premium router. Under "NAT Setting –> Virtual Server", port TCP/UDP 80 is opened and forwarded into the LAN to 192.168.1.10, port TCP/UDP 3389, which is the port that Microsoft Remote Desktop (Remote Desktop Protocol) uses by default.
To "wake" the machine it is then enough to enter, into some online WOL application on the internet (e.g. http://wake-on-lan.samuraj-cz.com), the IP address of the router's WAN interface, the MAC address of the machine to be woken and the port, in this case port 80. Although the magic packet is said to be sent as a UDP datagram to port 0, 7 or 9, other ports work just as reliably, as UDP 3389 does in this case, which is ultimately convenient from the point of view of security and simplicity of configuration, since a single open port serves two services.
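Why the UDP port is irrelevant follows from the packet format: the network card matches on the payload (six 0xFF bytes followed by the target MAC repeated 16 times), not on the port. The following Python is an added example, not part of the original post: it builds the packet, sends it as a plain UDP datagram to any host and port, and, for the receiving side, recognises a datagram as a magic packet and extracts the MAC it would wake. The MAC address and the port values used are constructed sample values.

```python
"""Build, send and recognise Wake-on-LAN magic packets (added example).

Not part of the original post. Shows that a magic packet is only a payload
pattern (6 x 0xFF, then the MAC 16 times), so it can be delivered on any UDP
port, including one the router also forwards to RDP as in the post.
Sample MAC and port values below are constructed.
"""
import re
import socket

SYNC = b"\xff" * 6          # the synchronisation stream the NIC looks for
MAGIC_LEN = 6 + 6 * 16      # sync stream + 16 copies of a 6-byte MAC


def parse_mac(mac):
    """Accept 'AA:BB:CC:DD:EE:FF', 'aa-bb-cc-dd-ee-ff', 'aabb.ccdd.eeff' or bare hex."""
    if re.sub(r"[0-9A-Fa-f:.\-]", "", mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes.fromhex(digits)


def build_magic_packet(mac):
    """Return the 102-byte magic packet that wakes the given MAC."""
    return SYNC + parse_mac(mac) * 16


def magic_packet_target(data):
    """Return the MAC a datagram would wake, or None if it is not a magic packet.

    Strict check: sync stream, then exactly 16 identical copies of one MAC.
    Some NICs also accept a trailing 4- or 6-byte password; it is ignored here.
    """
    if len(data) < MAGIC_LEN or data[:6] != SYNC:
        return None
    mac = data[6:12]
    if data[6:MAGIC_LEN] != mac * 16:
        return None
    return ":".join(f"{b:02X}" for b in mac)


def send_magic_packet(mac, host, port=9):
    """Send the magic packet as one UDP datagram to host:port; returns bytes sent."""
    packet = build_magic_packet(mac)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        # Broadcast permission is needed for the classic LAN form
        # (255.255.255.255:9); a unicast WAN address works without it.
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        return sock.sendto(packet, (host, port))


if __name__ == "__main__":
    # Constructed values: a locally administered MAC, LAN broadcast, port 9.
    # Through a router you would give its WAN address and the forwarded port.
    print("sent", send_magic_packet("02:00:00:AB:CD:EF", "255.255.255.255", 9), "bytes")
```

`magic_packet_target` is the defender's half: pointed at a packet capture on the forwarded port, it tells you whether a datagram arriving on the RDP port was a wake request or something else, which is the one thing the "one port, two services" setup hides from a port-based view.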
If you own this SOHO router (the procedure should work with others as well) and do not want a separate network in front of the router, that is, you want the stations in front of the router to be in the same subnet (and able to "see" each other), this can be solved quite trivially in the router by:
Note: since the router's address is now set in a different subnet, the router's web configuration is no longer reachable; if you need to get into the router, just set one PC to the same subnet as the router, i.e. 10.0.0.2/24, and connect.