Build your own firewall with useful tools using this simple script, part 2

Firewall (networking)

Hello everyone. Today I bring you the second part of this series of tutorials on firewalls with useful tools, easy to copy and paste, which I think is what every beginner is looking for at the end of the day, and even most experienced people: why reinvent the wheel 100 times, right?

Last time I told you to try to focus on one specific point: whether we want our firewall to be restrictive, with an OUTPUT DROP policy. This post is also at the request of a reader of this site and of my posts. (In my head: wiiiiiiiiiiiii)

Let's talk a little about the "pros and cons" of setting an OUTPUT policy. What I can tell you is that it makes the job harder and more tedious; what you get in return is more security at the network level than you would have otherwise. If you sit down to think, plan and design the policies properly, you end up with a much safer server.

So as not to digress or go off topic, I'll quickly explain with an example what your rules will more or less look like:

iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
-A because we are appending a rule.
-o refers to outbound traffic on the named interface; if it is not specified, the rule matches all interfaces.
--sport the source port; it plays an important role because in most cases we don't know from which port the client will start the request. If that is the case, we use dport instead.
--dport the destination port, used when we know for certain that the outbound connection must only go to a specific port. It has to be for something specific, such as a MySQL server, for example.
-m state --state ESTABLISHED this is a refinement for keeping connections that are already established; we can go into it in a later post.
-d refers to the destination, if it can be determined, for example ssh to a specific machine by IP.

#!/bin/bash

# Flush the tables
iptables -F
iptables -X
# Flush NAT
iptables -t nat -F
iptables -t nat -X
# mangle table, for things like PPPoE, PPP and ATM
iptables -t mangle -F
iptables -t mangle -X

# Policies. I think this is the best way for beginners and it is
# still not bad: I'll explain OUTPUT fully, since those are outgoing
# connections; on INPUT we drop everything; and FORWARD too, since this
# server does not forward anything.
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# Intranet LAN
intranet=eth0
# Extranet WAN
extranet=eth1

# Keep state. Anything already connected (established) we let through as is.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Loopback device
iptables -A INPUT -i lo -j ACCEPT
# Loopback device, output
iptables -A OUTPUT -o lo -j ACCEPT

# http, https: we don't specify the interface because
# we want it to apply to everyone
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# output
# http, https: we don't specify the interface because
# we want it to apply to everyone, but we do set the source port
iptables -A OUTPUT -p tcp --sport 80 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 443 -j ACCEPT

# ssh only internally and from this range of IPs
iptables -A INPUT -p tcp -s 192.168.x.x/24 -i $intranet --dport 7659 -j ACCEPT
# output
# ssh only internally and to this range of IPs
iptables -A OUTPUT -p tcp -d 192.168.x.x/24 -o $intranet --sport 7659 -j ACCEPT

# monitoring, e.g. if you have zabbix or some other snmp-type service
iptables -A INPUT -p tcp -s 192.168.1.1 -i $intranet --dport 10050 -j ACCEPT
# output
# monitoring, e.g. if you have zabbix or some other snmp-type service
iptables -A OUTPUT -p tcp -d 192.168.1.1 -o $intranet --dport 10050 -j ACCEPT

# icmp; ping, well, that's your call
iptables -A INPUT -p icmp -s 192.168.x.x/24 -i $intranet -j ACCEPT
# output
# icmp; ping, well, that's your call
iptables -A OUTPUT -p icmp -d 192.168.x.x/24 -o $intranet -j ACCEPT

# mysql; with postgres it is port 5432
iptables -A INPUT -p tcp -s 192.168.x.x --sport 3306 -i $intranet -j ACCEPT
# output - a reader asked about this specific case
# server: 192.168.1.2  mysql: 192.168.1.3
# mysql; with postgres it is port 5432
iptables -A OUTPUT -p tcp -s 192.168.1.2 -d 192.168.1.3 --dport 3306 -o $intranet -j ACCEPT

# sendmail, well, in case you want to send some mail
#iptables -A OUTPUT -p tcp --dport 25 -j ACCEPT

# Anti-SPOOFING 09/07/2014
SERVER_IP="190.x.x.x" # server IP: the real WAN IP of your server (fill it in, the rules below use it)
LAN_RANGE="192.168.x.x/21" # LAN range of your network or your VLAN
# IPs that should never come in through the WAN. It's a matter of a bit
# of logic: if we have the WAN set up properly, LAN-type traffic should
# never come in that way.
SPOOF_IPS="0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"
# Default action, executed whenever one of the rules matches
ACTION="DROP"

# Packets with the same IP as my server arriving through the WAN
iptables -A INPUT -i $extranet -s $SERVER_IP -j $ACTION
iptables -A OUTPUT -o $extranet -s $SERVER_IP -j $ACTION

# Packets with a LAN-range source on the WAN. I put it this way in case you
# have a specific network, but it is redundant with the following rule in
# the "for" loop
iptables -A INPUT -i $extranet -s $LAN_RANGE -j $ACTION
iptables -A OUTPUT -o $extranet -s $LAN_RANGE -j $ACTION

## None of the SPOOF networks are allowed on the WAN
for ip in $SPOOF_IPS
do
    iptables -A INPUT -i $extranet -s $ip -j $ACTION
    iptables -A OUTPUT -o $extranet -s $ip -j $ACTION
done
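The flag walkthrough above and the script's INPUT/OUTPUT pairs and anti-spoofing loop, as an added dry-run generator written for this page (it is not code from the original post). It assumes the post's interface names, constructed sample networks (192.168.1.0/24 for ssh, 192.168.1.1 for monitoring, 192.168.0.0/21 as the LAN range), and a hypothetical helper is_cidr that rejects unfilled placeholders such as 192.168.x.x/24 before anything is handed to iptables. IPT defaults to "echo iptables", so the script only prints the commands; run it as root with IPT=iptables to apply them.

```shell
#!/bin/sh
# Added example for this page, not code from the original post: a dry-run
# generator for the rule pairs described above. IPT defaults to "echo iptables",
# so running the script prints the commands it would apply; run it as root with
# IPT=iptables to apply them for real.
IPT="${IPT:-echo iptables}"

# Constructed sample values (hypothetical); replace with your own interfaces and networks.
intranet=eth0
extranet=eth1
SSH_NET=192.168.1.0/24
MONITOR_HOST=192.168.1.1
LAN_RANGE="192.168.0.0/21"
SPOOF_IPS="0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"
ACTION=DROP

# is_cidr ADDR[/PREFIX] (hypothetical helper): succeeds only for a well-formed
# IPv4 address or network. It catches unfilled placeholders such as
# 192.168.x.x/24 before they reach iptables; a rule that fails half-way through
# the script leaves the chains incomplete with the policies already at DROP.
is_cidr() {
    addr=${1%%/*}
    prefix=${1#*/}
    [ "$prefix" = "$1" ] && prefix=32          # no "/": a single host
    case "$addr" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # non-digits, or a stray dot
    esac
    case "$prefix" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$prefix" -le 32 ] || return 1
    n=0
    oldifs=$IFS; IFS=.
    for octet in $addr; do
        n=$((n + 1))
        [ "$octet" -le 255 ] || { IFS=$oldifs; return 1; }
    done
    IFS=$oldifs
    [ "$n" -eq 4 ]                             # exactly four octets
}

# service_pair NAME PORT IFACE NET: the INPUT/OUTPUT pair the post uses for a
# service listening on PORT that only NET may reach through IFACE. The reply
# rule matches --sport PORT going back to NET, like the post's ssh rules.
service_pair() {
    is_cidr "$4" || { echo "service_pair: $1: bad network '$4'" >&2; return 1; }
    $IPT -A INPUT -p tcp -s "$4" -i "$3" --dport "$2" -j ACCEPT
    $IPT -A OUTPUT -p tcp -d "$4" -o "$3" --sport "$2" -j ACCEPT
}

# anti_spoof: the post's loop. Packets arriving on, or leaving through, the WAN
# interface with a LAN or reserved source address are dropped.
anti_spoof() {
    for ip in $LAN_RANGE $SPOOF_IPS; do
        is_cidr "$ip" || return 1
        $IPT -A INPUT -i "$extranet" -s "$ip" -j "$ACTION"
        $IPT -A OUTPUT -o "$extranet" -s "$ip" -j "$ACTION"
    done
}

# firewall: the whole ruleset in the post's order: flush, DROP policies,
# state, loopback, per-service pairs, anti-spoofing. Every network is checked
# before the first command is emitted, so a typo cannot leave the box
# half-configured.
firewall() {
    for net in $SSH_NET $MONITOR_HOST $LAN_RANGE $SPOOF_IPS; do
        is_cidr "$net" || { echo "firewall: bad network '$net'" >&2; return 1; }
    done
    $IPT -F
    $IPT -X
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    service_pair ssh 7659 "$intranet" "$SSH_NET"
    service_pair zabbix 10050 "$intranet" "$MONITOR_HOST"
    anti_spoof
}

firewall
```

Two things worth noticing when reading the output. First, because the ESTABLISHED,RELATED rule sits at the top of both chains, the OUTPUT --sport reply rules that service_pair emits are redundant: replies to an inbound connection that was already accepted match ESTABLISHED before they reach them. The post keeps them to make the intended traffic explicit, and so does the generator. Second, the validation pass in firewall runs before any command is emitted; with IPT=iptables that is what keeps a leftover placeholder from aborting the script after the policies are already DROP, which over ssh means losing the session.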

In the next installment we'll cover port ranges and saving the configured policies under names, among other things... I'm waiting for your comments and requests.

