dosgate-uh installation guide
Before installing and starting dosgate-uh, it is recommended to divert all production traffic away from the platform.
Configuring /etc/dosgate-uh.conf
nano /etc/dosgate-uh.conf
Global configuration
global:
  traffic-policy:
    good: accept
    bad: drop
    violate: drop
The traffic-policy block maps each verdict class the module assigns to a packet (good, bad, violate) to an action (accept or drop). The same block reappears under conntrack.icmp, conntrack.tcp and inside the application policy, so the actions can also be set per protocol and per policy.
Network device configuration
net:
  ens224:
    rx:
      queues:
        count: 8
        len: 512
  ens256:
    tx:
      queues:
        count: 8
        len: 512
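A queue count that the NIC does not actually expose cannot be bound, so it is worth checking the net: section against the hardware before the first start. The script below is an added example, not part of dosgate-uh; it assumes that rx/tx queues.count is the number of NIC queues the daemon attaches to and reads the available channel counts from `ethtool -l`. The sample ethtool output is constructed; run_ethtool() queries a live interface.

```python
"""Pre-flight check for the net: section of /etc/dosgate-uh.conf.

Added example, not part of dosgate-uh. It assumes that rx/tx queues.count is
the number of NIC queues the daemon binds to, so it must not exceed what the
NIC exposes; `ethtool -l <dev>` reports that."""
import subprocess

# Constructed sample of `ethtool -l ens224` output (not captured from a real host).
SAMPLE_ETHTOOL_OUTPUT = """\
Channel parameters for ens224:
Pre-set maximums:
RX:             n/a
TX:             n/a
Other:          1
Combined:       16
Current hardware settings:
RX:             n/a
TX:             n/a
Other:          1
Combined:       4
"""


def parse_channels(output: str) -> dict:
    """Split `ethtool -l` text into {'max': {...}, 'current': {...}}; n/a -> None."""
    sections = {"max": {}, "current": {}}
    cur = None
    for line in output.splitlines():
        if line.startswith("Pre-set maximums"):
            cur = "max"
        elif line.startswith("Current hardware settings"):
            cur = "current"
        elif cur is not None and ":" in line:
            key, _, val = line.partition(":")
            val = val.strip()
            sections[cur][key.strip()] = None if val == "n/a" else int(val)
    return sections


def usable_queues(section: dict, direction: str) -> int:
    """Queues available in one direction: combined channels plus the
    direction-specific ones (drivers report one style or the other)."""
    return (section.get("Combined") or 0) + (section.get(direction.upper()) or 0)


def check_queue_count(dev: str, direction: str, configured: int, output: str) -> dict:
    """Compare queues.count from the config with the NIC's current and maximum
    channel counts and suggest the fix when they disagree."""
    channels = parse_channels(output)
    have = usable_queues(channels["current"], direction)
    limit = usable_queues(channels["max"], direction)
    result = {"dev": dev, "direction": direction, "configured": configured,
              "current": have, "maximum": limit, "ok": configured <= have}
    if configured > limit:
        result["hint"] = f"reduce {direction}.queues.count to {limit}"
    elif configured > have:
        # Raising combined channels changes RX and TX together; keep the
        # other interface's count consistent if it shares the NIC.
        result["hint"] = f"ethtool -L {dev} combined {configured}"
    return result


def run_ethtool(dev: str) -> str:
    """Live query; requires the ethtool binary on the host."""
    return subprocess.run(["ethtool", "-l", dev], capture_output=True,
                          text=True, check=True).stdout


if __name__ == "__main__":
    # Interfaces and counts as configured in the net: section above.
    for dev, direction, count in (("ens224", "rx", 8), ("ens256", "tx", 8)):
        try:
            print(check_queue_count(dev, direction, count, run_ethtool(dev)))
        except (FileNotFoundError, subprocess.CalledProcessError) as exc:
            print(f"{dev}: cannot query channels: {exc}")
```

With the constructed sample the NIC currently exposes 4 combined channels out of a maximum of 16, so count: 8 is rejected and the hint is to raise the channel count with ethtool -L rather than to edit the config.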
Traffic capture settings
capture:
  path: /var/cache/dosgate-uh/capture
  filename: cap_${DEV}_${ID}_${NUM}.pcap
  age: 3600
  count: 10
  size: 10M
Statistics collection/export configuration
stats:
  period: 10
  push:
    type: collectd
    plugin: unixsock
    target: /var/run/collectd-unixsock
    stats: all
    hostname: dosgate-uh01
    queue-len: 0
    period:
      collect: 5
      send: 10
push.target must point at the socket of collectd's unixsock plugin (SocketFile in collectd.conf, /var/run/collectd-unixsock by default), so LoadPlugin unixsock has to be enabled there, and the user dosgate-uh runs as needs write access to the socket (SocketGroup and SocketPerms in the same plugin block).
Connection tracking settings
conntrack:
  limit: 10000000
  reclaim:
    soft: 80
    hard: 95
  icmp:
    window: 10
    traffic-policy:
      good: accept
      bad: drop
      violate: drop
  tcp:
    active-close: both
    catch-up: 20
    traffic-policy:
      good: accept
      bad: drop
      violate: drop
Application profile registry
application:
  registry: /var/lib/dosgate-uh/profiles
  monitor-fs: true
registry is the path to the directory holding the application profile registry (default: /var/lib/dosgate-uh/profiles).
Creating the policy file
Example policy test.policy
# Get the arena ID (needed below)
sudo dgctl -u arena:// -c list
# Get the profile IDs of the arena (needed below); here the arena is named "first"
sudo dgctl -u arena://first -c list
# Create the policy "test"
sudo nano /var/lib/dosgate-uh/profiles/test.policy
In the file, arena and profile are the arena ID and profile ID obtained from dgctl above, and id is the ID of this application policy, the number referenced when traffic is directed to the stateful module. The file is plain JSON, so these explanations must stay out of it:
{
  "test": {
    "arena": 1,
    "profile": 1,
    "id": 1,
    "verify": {
      "checksum": [
        "none"
      ]
    },
    "tls": {
      "conntrack": {
        "tcp": {
          "timeout": {
            "new": 10,
            "confirmed": 600,
            "time-wait": 30
          },
          "active-close": "both",
          "traffic-policy": {
            "good": "accept",
            "bad": "drop",
            "violate": "drop"
          }
        }
      }
    }
  }
}
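Hand-editing this file is where most mistakes happen: a stray annotation breaks the JSON, a verdict gets an action other than accept or drop, or two policies in the registry reuse the same id. The script below is an added example, not part of dosgate-uh; it builds a policy with exactly the structure shown above and checks those points before the file is written into the registry. It knows nothing about fields the page does not show.

```python
"""Build and sanity-check a dosgate-uh application policy file.

Added example, not part of dosgate-uh. It reproduces the structure of
test.policy shown above; the checks are the editor's own sanity rules, not
the daemon's validation."""
import json
from pathlib import Path

ACTIONS = {"accept", "drop"}
VERDICTS = ("good", "bad", "violate")


def build_policy(name, arena, profile, policy_id, *, new=10, confirmed=600,
                 time_wait=30, traffic_policy=None):
    """Return the {name: {...}} document with the same shape as test.policy."""
    tp = dict(traffic_policy or {"good": "accept", "bad": "drop", "violate": "drop"})
    return {name: {
        "arena": arena,
        "profile": profile,
        "id": policy_id,
        "verify": {"checksum": ["none"]},
        "tls": {"conntrack": {"tcp": {
            "timeout": {"new": new, "confirmed": confirmed, "time-wait": time_wait},
            "active-close": "both",
            "traffic-policy": tp,
        }}},
    }}


def validate_policy(doc) -> list:
    """Return a list of problems; an empty list means the document looks sane."""
    problems = []
    if not isinstance(doc, dict) or not doc:
        return ["policy file must be a non-empty JSON object keyed by policy name"]
    seen_ids = {}
    for name, pol in doc.items():
        for key in ("arena", "profile", "id"):
            v = pol.get(key)
            if not isinstance(v, int) or isinstance(v, bool) or v < 0:
                problems.append(f"{name}: {key} must be a non-negative integer, got {v!r}")
        pid = pol.get("id")
        if pid in seen_ids:
            # The id is what the dgctl PASS rule references, so it must be unique.
            problems.append(f"{name}: id {pid} already used by {seen_ids[pid]}")
        seen_ids.setdefault(pid, name)
        tcp = pol.get("tls", {}).get("conntrack", {}).get("tcp", {})
        for state, t in tcp.get("timeout", {}).items():
            if not isinstance(t, int) or isinstance(t, bool) or t <= 0:
                problems.append(f"{name}: tcp timeout {state} must be a positive integer, got {t!r}")
        tp = tcp.get("traffic-policy", {})
        for verdict in VERDICTS:
            action = tp.get(verdict)
            if action not in ACTIONS:
                problems.append(f"{name}: traffic-policy.{verdict} must be one of "
                                f"{sorted(ACTIONS)}, got {action!r}")
    return problems


def load_policy(path) -> dict:
    """Strict JSON parse: a leftover '#' annotation fails here rather than when
    the daemon reads the registry."""
    return json.loads(Path(path).read_text())


def write_policy(doc, path):
    """Refuse to write a document that fails validation."""
    problems = validate_policy(doc)
    if problems:
        raise ValueError("; ".join(problems))
    Path(path).write_text(json.dumps(doc, indent=2) + "\n")


if __name__ == "__main__":
    # IDs as in the example above; write_policy() would target the registry.
    policy = build_policy("test", arena=1, profile=1, policy_id=1)
    print(json.dumps(policy, indent=2))
    print("problems:", validate_policy(policy))
```

Generating the file with build_policy() and then writing it with write_policy() into /var/lib/dosgate-uh/profiles keeps the annotations in the script, where they belong, and the registry file as pure JSON.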
Installing the package
sudo apt-get update
sudo apt-get install dosgate-uh=1.2.2-1
Processing statistics in collectd
- Create the file /etc/collectd/dosgate-uh-types.db with the following content:
xsk_rx_frames frames:COUNTER:0:U
xsk_rx_bytes bytes:COUNTER:0:U
xsk_tx_frames frames:COUNTER:0:U
xsk_tx_bytes bytes:COUNTER:0:U
xsk_rx_drop drop:COUNTER:0:U
xsk_tx_error error:COUNTER:0:U
xsk_frame_alloc bytes:COUNTER:0:U
xsk_frame_alloc_error bytes:COUNTER:0:U
xsk_frame_free bytes:COUNTER:0:U
xsk_partial_writes bytes:COUNTER:0:U
xsk_full_reads bytes:COUNTER:0:U
xsk_opterr bytes:COUNTER:0:U
xsk_fill_frames frames:COUNTER:0:U
xsk_comp_frames frames:COUNTER:0:U
xsk_kick_tx bytes:COUNTER:0:U
xsk_rounds bytes:COUNTER:0:U
xsk_poll bytes:COUNTER:0:U
xsk_poll_nb bytes:COUNTER:0:U
xsk_rx_inv_desc bytes:COUNTER:0:U
xsk_tx_inv_desc bytes:COUNTER:0:U
xsk_rx_ring_full bytes:COUNTER:0:U
xsk_fill_ring_empty bytes:COUNTER:0:U
cap_frames frames:COUNTER:0:U
cap_bytes bytes:COUNTER:0:U
cap_rotates bytes:COUNTER:0:U
cap_errors bytes:COUNTER:0:U
proc_frames frames:COUNTER:0:U
proc_bytes bytes:COUNTER:0:U
proc_dg_error bytes:COUNTER:0:U
proc_frame_error bytes:COUNTER:0:U
proc_frame_verify_error bytes:COUNTER:0:U
proc_frame_mod_error bytes:COUNTER:0:U
proto_buf_alloc bytes:COUNTER:0:U
proto_buf_alloc_error bytes:COUNTER:0:U
proto_buf_destroy bytes:COUNTER:0:U
proto_map_alloc bytes:COUNTER:0:U
proto_map_alloc_error bytes:COUNTER:0:U
proto_map_destroy bytes:COUNTER:0:U
proto_stack_alloc bytes:COUNTER:0:U
proto_stack_alloc_error bytes:COUNTER:0:U
proto_stack_destroy bytes:COUNTER:0:U
tcp_open bytes:COUNTER:0:U
tcp_close bytes:COUNTER:0:U
tcp_seq_late bytes:COUNTER:0:U
tcp_seq_early bytes:COUNTER:0:U
tcp_large_syn bytes:COUNTER:0:U
tcp_invalid_checksum bytes:COUNTER:0:U
stream_block_alloc bytes:COUNTER:0:U
stream_block_alloc_error bytes:COUNTER:0:U
stream_block_free bytes:COUNTER:0:U
stream_shard_alloc bytes:COUNTER:0:U
stream_shard_alloc_error bytes:COUNTER:0:U
stream_shard_free bytes:COUNTER:0:U
ct_allocated bytes:COUNTER:0:U
ct_destroyed bytes:COUNTER:0:U
ct_alloc_error bytes:COUNTER:0:U
ct_reclaim_soft bytes:COUNTER:0:U
ct_reclaim_soft_scanned bytes:COUNTER:0:U
ct_reclaim_soft_reclaimed bytes:COUNTER:0:U
ct_reclaim_hard bytes:COUNTER:0:U
ct_reclaim_hard_scanned bytes:COUNTER:0:U
ct_reclaim_hard_reclaimed bytes:COUNTER:0:U
ct_collsisions bytes:COUNTER:0:U
ct_collision_reclaimed bytes:COUNTER:0:U
ct_collision_errors bytes:COUNTER:0:U
ct_overlimit bytes:COUNTER:0:U
ct_closed bytes:COUNTER:0:U
ct_timeout bytes:COUNTER:0:U
ct_frames_status_good bytes:COUNTER:0:U
ct_frames_status_bad bytes:COUNTER:0:U
ct_frames_status_violate bytes:COUNTER:0:U
ct_frames_error bytes:COUNTER:0:U
ct_frames_invalid bytes:COUNTER:0:U
tls_create bytes:COUNTER:0:U
tls_free bytes:COUNTER:0:U
tls_records bytes:COUNTER:0:U
tls_handshake bytes:COUNTER:0:U
tls_appdata bytes:COUNTER:0:U
tls_version_error bytes:COUNTER:0:U
tls_length_error bytes:COUNTER:0:U
tls_content_error bytes:COUNTER:0:U
tls_version_missmatch_error bytes:COUNTER:0:U
tls_system_error bytes:COUNTER:0:U
dtls_create bytes:COUNTER:0:U
dtls_free bytes:COUNTER:0:U
dtls_records bytes:COUNTER:0:U
dtls_handshake bytes:COUNTER:0:U
dtls_appdata bytes:COUNTER:0:U
dtls_tls12_cid bytes:COUNTER:0:U
dtls_tls13_uh bytes:COUNTER:0:U
dtls_version_error bytes:COUNTER:0:U
dtls_length_error bytes:COUNTER:0:U
dtls_content_error bytes:COUNTER:0:U
dtls_system_error bytes:COUNTER:0:U
dtls_epoch_error bytes:COUNTER:0:U
dtls_seq_error bytes:COUNTER:0:U
mem_pbuf_alloc bytes:COUNTER:0:U
mem_pbuf_alloc_error bytes:COUNTER:0:U
mem_pbuf_free bytes:COUNTER:0:U
mem_pbuf_data_alloc bytes:COUNTER:0:U
mem_pbuf_data_alloc_error bytes:COUNTER:0:U
mem_pbuf_data_free bytes:COUNTER:0:U
mem_seg_alloc bytes:COUNTER:0:U
mem_seg_alloc_error bytes:COUNTER:0:U
mem_seg_free bytes:COUNTER:0:U
mem_hash_alloc bytes:COUNTER:0:U
mem_hash_alloc_error bytes:COUNTER:0:U
mem_hash_free bytes:COUNTER:0:U
offenders_alloc bytes:COUNTER:0:U
offenders_alloc_error bytes:COUNTER:0:U
offenders_destroy bytes:COUNTER:0:U
offenders_first bytes:COUNTER:0:U
offenders_known bytes:COUNTER:0:U
offenders_error bytes:COUNTER:0:U
offenders_reg_error bytes:COUNTER:0:U
offenders_queued bytes:COUNTER:0:U
offenders_queue_overflow bytes:COUNTER:0:U
offenders_lost bytes:COUNTER:0:U
offenders_exported bytes:COUNTER:0:U
offenders_handler_miss bytes:COUNTER:0:U
offenders_handler_expired bytes:COUNTER:0:U
offenders_handler_send bytes:COUNTER:0:U
offenders_handler_send_error bytes:COUNTER:0:U
offenders_child_restart_request bytes:COUNTER:0:U
offenders_child_restart bytes:COUNTER:0:U
push_msg_alloc bytes:COUNTER:0:U
push_msg_alloc_error bytes:COUNTER:0:U
push_msg_free bytes:COUNTER:0:U
push_created bytes:COUNTER:0:U
push_create_error bytes:COUNTER:0:U
push_started bytes:COUNTER:0:U
push_socket_error bytes:COUNTER:0:U
push_config_error bytes:COUNTER:0:U
push_connect_start bytes:COUNTER:0:U
push_connect_error bytes:COUNTER:0:U
push_connect_timeout bytes:COUNTER:0:U
push_connect_success bytes:COUNTER:0:U
push_timeout bytes:COUNTER:0:U
push_send_error bytes:COUNTER:0:U
push_send_msgs bytes:COUNTER:0:U
push_enqueued bytes:COUNTER:0:U
push_enqueue_error bytes:COUNTER:0:U
push_rounds bytes:COUNTER:0:U
push_rounds_empty bytes:COUNTER:0:U
defrag_in bytes:COUNTER:0:U
defrag_valid bytes:COUNTER:0:U
defrag_dup bytes:COUNTER:0:U
defrag_invalid bytes:COUNTER:0:U
defrag_out bytes:COUNTER:0:U
defrag_reclaim_soft bytes:COUNTER:0:U
defrag_reclaim_hard bytes:COUNTER:0:U
defrag_scan_confirmed bytes:COUNTER:0:U
defrag_scan_new bytes:COUNTER:0:U
defrag_reclaim_new bytes:COUNTER:0:U
defrag_confirm_new bytes:COUNTER:0:U
defrag_full bytes:COUNTER:0:U
defrag_error bytes:COUNTER:0:U
defrag_frag_alloc bytes:COUNTER:0:U
defrag_frag_alloc_error bytes:COUNTER:0:U
defrag_frag_free bytes:COUNTER:0:U
defrag_entry_alloc bytes:COUNTER:0:U
defrag_entry_alloc_error bytes:COUNTER:0:U
defrag_entry_free bytes:COUNTER:0:U
defrag_key_error bytes:COUNTER:0:U
defrag_key_id_error bytes:COUNTER:0:U
- In collectd.conf (on Debian/Ubuntu /etc/collectd/collectd.conf) add the line:
TypesDB "/etc/collectd/dosgate-uh-types.db"
A TypesDB directive replaces collectd's built-in list of type files rather than extending it, so the default types file must be listed as well or the standard data sets become unknown to collectd:
TypesDB "/usr/share/collectd/types.db" "/etc/collectd/dosgate-uh-types.db"
- Restart collectd:
sudo systemctl restart collectd
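A typo in any of the lines above makes collectd reject the types file at start-up, and a metric pushed under a name that is not declared is discarded with an error in the collectd log. The linter below is an added example, not part of dosgate-uh or collectd; it parses a types.db fragment, reports malformed data-source specs and duplicate names, and cross-checks the declared type names against a list of names the daemon pushes. The sample fragment and the pushed-name list are constructed; on a real host take the pushed names from `collectdctl listval` output or from the collectd log after the first push.

```python
"""Lint a collectd types.db fragment such as /etc/collectd/dosgate-uh-types.db.

Added example, not part of dosgate-uh or collectd. Each line must be
'<type-name> <ds-name>:<COUNTER|GAUGE|DERIVE|ABSOLUTE>:<min|U>:<max|U>', with
further data sources separated by commas."""
import re

DS_RE = re.compile(
    r"^[A-Za-z0-9_-]+:(?:COUNTER|GAUGE|DERIVE|ABSOLUTE)"
    r":(?:U|-?\d+(?:\.\d+)?):(?:U|-?\d+(?:\.\d+)?)$"
)

# Constructed excerpt with two deliberate mistakes: a duplicated type and a
# typo in the data-source type (COUNTR).
SAMPLE_TYPES_DB = """\
xsk_rx_frames frames:COUNTER:0:U
xsk_rx_bytes bytes:COUNTER:0:U
ct_collsisions bytes:COUNTER:0:U
tcp_open bytes:COUNTER:0:U
tcp_open bytes:COUNTER:0:U
cap_bytes bytes:COUNTR:0:U
"""


def parse_types_db(text: str):
    """Return ({type-name: (line-no, [ds-spec, ...])}, [problem, ...])."""
    types, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):   # skip blank and comment lines
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            problems.append(f"line {lineno}: expected '<type> <ds>[, <ds>...]'")
            continue
        name, spec = parts
        sources = [s.strip() for s in spec.split(",")]
        bad = [s for s in sources if not DS_RE.match(s)]
        if bad:
            problems.append(f"line {lineno}: malformed data source {bad[0]!r}")
            continue
        if name in types:
            problems.append(f"line {lineno}: duplicate type {name!r} "
                            f"(first at line {types[name][0]})")
            continue
        types[name] = (lineno, sources)
    return types, problems


def unknown_types(declared, pushed):
    """Names the daemon pushes that have no type definition; collectd logs an
    error for each and discards the value."""
    return sorted(set(pushed) - set(declared))


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TYPES_DB
    types, problems = parse_types_db(text)
    for p in problems:
        print(p)
    print(f"{len(types)} types parsed, {len(problems)} problem(s)")
```

Run it as `python3 lint_types.py /etc/collectd/dosgate-uh-types.db` before restarting collectd. The cross-check in unknown_types() is the one that catches a name mismatch between the daemon and the file, for instance a pushed ct_collisions against a declared ct_collsisions, which neither collectd's parser nor a visual scan of 160 lines will flag.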
Starting dosgate-uh
sudo systemctl start dosgate-uh
sudo systemctl status dosgate-uh
sudo systemctl enable dosgate-uh
Directing traffic to dosgate-uh
To send packets to the stateful module for processing, create a matching rule:
# <arena-name> - arena name as in /etc/dosgate.conf
# <profile-name> - profile name
# The -m options (-m protocol tcp and the others) are optional; to send all traffic to the module, create the rule without any -m options
#
dgctl -u profile://<arena-name>/<profile-name> -c insert -- -m protocol tcp -m dst 192.168.100.1 -m dport 443 -j PASS uh app tls 1
The trailing 1 is the application policy ID (the "id" field in the policy file).