Tabbatar da hanyar sadarwar ku tare da Abubuwan --ira - Wakili - NAT - ID: KASHI NA 1

Wannan sakon yana ƙoƙarin fayyace kaɗan game da yadda cibiyoyin sadarwa ke aiki da yadda ake juya kayan aikinmu na Linux a cikin na'ura mai ba da hanya tsakanin hanyoyin sadarwa wanda ke tabbatar da ɗan hanyar sadarwarmu, ko da kuwa gida ne ko ma kasuwanci. Don haka bari mu sauka zuwa kasuwanci:

Wannan abun ya dogara ne akan littafin "Linux - Gudanar da Tsarin Gudanar da Ayyuka da Ayyukan Yanar gizo" - Sébastien BOBILLIER

Hanyar hanya da tacewa

Don magana da fahimta game da kwatance, da farko za mu iya bayyana menene rawar mai amfani da hanyar sadarwa? Saboda wannan zamu iya cewa na'ura mai ba da hanya tsakanin hanyoyin sadarwa, ban da ƙirƙirar hanyar sadarwa da kuma ba da damar haɗi tare da wasu kayan aiki (sanin cewa za mu iya yin hakan ta hanyar AP, Switch, Hub ko wasu) yana da ikon haɗa hanyoyin sadarwa biyu daban da juna.

na'ura mai ba da hanya tsakanin hanyoyin sadarwa

Kamar yadda muke gani a cikin hoton, akwai hanyar sadarwa ta gida "10.0.1.0" wacce aka samo asali ta hanyar na'ura mai ba da hanya tsakanin hanyoyin sadarwa, kuma ta isa daya daga cikin hanyoyin biyu. Sannan na'ura mai ba da hanya tsakanin hanyoyin sadarwa ta hanyar amfani da ita, tana da wata hanyar sadarwar, tare da IP ta jama'a wacce zata iya amfani da ita ta Intanet. Aikin turawa shine asali don zama matsakaici tsakanin waɗannan hanyoyin sadarwar guda biyu don su iya sadarwa.

Linux a matsayin na'ura mai ba da hanya tsakanin hanyoyin sadarwa.

A dabi'ance, Linux Kernel ya riga yana da ikon yin "turawa", amma ta tsoho yana da nakasa, don haka idan muna son Linux ɗinmu suyi wannan aikin dole ne muje fayil ɗin.

/proc/sys/net/ipv4/ip_forward

A can za mu ga cewa fayil ne wanda kawai ya ƙunshi sifili "0", abin da dole ne mu yi shi ne canza shi zuwa "1" ɗaya don kunna wannan halayyar. Wannan abin takaici an share shi lokacin da muka sake kunna kwamfutar, don barin ta kunna ta tsohuwa dole ne muyi amfani da umarnin:

sysctl net.ipv4.ip_forward=1

Ko gyara shi kai tsaye a cikin fayil ɗin /etc/sysctl.conf. Dogaro da rarrabuwa wannan daidaitawar zata iya kasancewa cikin fayil a ciki  /etc/sysctl.d/.

Ta hanyar tsoho Linux ɗinmu dole ne su kasance suna da teburin sarrafawa, wanda gabaɗaya shine daidaitawar hanyar sadarwar lan mu da haɗi da na'ura mai ba da hanya tsakanin hanyoyin sadarwa. Idan muna son ganin wannan kwatance za mu iya amfani da umarni biyu:

route -n

o

netstat -nr

Duk dokokin biyu ya kamata su dawo iri ɗaya.

Hoton hotuna daga 2014-09-30 18:23:06

Gabaɗaya, wannan daidaitawar ya isa Linux ɗinku suyi aiki a matsayin wayofar andofar kuma sauran kwamfutoci na iya kewaya ta kwamfutarmu. Yanzu, idan muna son Linux ɗinmu ya haɗa cibiyoyin sadarwa biyu ko sama, ko na gida ne ko a'a, za mu iya amfani da hanyoyi masu tsayayye.

A ce Linux na da hanyoyin sadarwa guda biyu, na farko yana da haɗin Intanet wanda cibiyar sadarwar sa ta 172.26.0.0 sannan na biyu (10.0.0.0) yana da kwamfutoci daga wata hanyar sadarwa ta cikin gida. Idan muna son tura fakiti zuwa waccan hanyar sadarwar za mu iya amfani da:

route add -net 10.0.0.0 netmask 255.0.0.0 gw 172.26.0.8

Gaba ɗaya shi ne:

route add -net REDDESTINO netmask MASCARA gw IPDELLINUX

idan muka bayar hanya -n ba tare da la'akari da kasancewar wannan hanyar sadarwar ba ko babu, wannan hanyar za ta daidaita a teburinmu.

Hoton hotuna daga 2014-09-30 18:31:35

Idan muna son kawar da faɗin hanya za mu iya amfani da shi

route del -net 10.0.0.0 netmask 255.0.0.0

Abubuwan birgewa.

Ainihin ana amfani da kayan aiki don tace fakiti, mai fita, mai shigowa ko wasu, wannan ya sa ya zama babban kayan aiki don sarrafa zirga-zirgar sadarwar mu. Da kyau, kayan aiki, kamar yadda yake bamu damar tace zirga-zirga daga wannan kwamfutar, hakanan yana bamu damar tace zirga-zirgar da take bi ta ciki. (Ana turawa). Za'a iya raba abubuwan sarrafawa zuwa tebur, sarƙoƙi, da ayyuka.

  • Alloli:  m akwai iya zama tebur biyu, tace, don tace fakiti kuma  nat don fassara adiresoshin, wato, matsawa daga wata hanyar sadarwa zuwa wata hanyar sadarwa.
  • Sarƙoƙi: Sarkar tana nufin nau'in zirga-zirgar da muke son tacewa ko iyo, wato, wacce zirga-zirga za mu yi amfani da teburin? kuma zasu iya zama:  Input: Mai shigowa zirga-zirga, MULKI: fitowar mutane waje ko GABA: Motocin zirga-zirga da ke ratsa ta, amma ba haɗin kansa bane.
  • Hakanan yana iya bayyana GASKIYA, wanda ake amfani dashi don magance fakiti ta wata hanya bayan an shawo kanshi.
  • Ayyuka: Ayyuka sune ainihin aikin da za'a yi tare da sarkar. Wannan aikin na iya zama DARA, hakan kawai yana lalata wannan zirga-zirgar ko Yarda da. hakan yana ba masu zirga-zirga damar yin irin wannan aikin.

Ana adana dokokin IPTABLES kuma ana aiwatar dasu cikin tsari yadda aka ƙirƙira su, kuma idan ƙa'ida ta share ƙa'idar da ta gabata, ana amfani da ƙa'idar ƙarshe a cikin tsari koyaushe.

Manufofin Firewall.

Gabaɗaya, wutar wuta tana aiki ta hanyoyi biyu:

  1. Bada izinin duk zirga-zirga banda, ko
  2. Kada ku ba da izinin kowane zirga-zirga sai ...

Don amfani da manufofi, yi amfani da IPTABLES - P SARKIN AIKI

Inda kirtani yake wakiltar nau'in zirga-zirga (INPUT, OUTPUT, GABA, POSTROUTING ...) kuma aikin shine DUBU KO KARBATA.

Bari mu duba misali.

Hoton hotuna daga 2014-09-30 18:53:23

Anan zamu ga cewa da farko na iya ping, sa'annan na fadawa IPTABLES cewa duk zirga-zirgar JIMA yana KASHEWA ko ba'a yarda dashi ba. Sannan na fadawa IPTABLES su yarda dashi.

Idan za mu gina katangar bango daga tushe dole ne a koyaushe mu yi amfani da dokokin (Kada a bar duk wata zirga-zirga sai ... Saboda wannan to muna amfani da dokoki

iptables -P INPUT DROP iptables -P MUTANE DROP kayan aiki -P GABA DROP
Idan waɗannan manufofin suka yi aiki, ba za su sami kowane irin haɗin haɗi ba
.

Don dawowa zamu rubuta iri ɗaya kuma maye gurbin DROP da ACCEPT.

A wannan gaba, tunda an hana duk zirga-zirga, zamu fara gayawa IPTABLES ɗinmu zirga-zirgar da zata iya samu.

A tsari ne:

iptables -A cadena -s ip_orgigen -d ip_destino -p protocolo --dport puerto -j acción

Inda:

Kirtani = INTUTU, FITOWA KO GABA

asali_ip = Asalin fakiti, wannan na iya zama IP ɗaya ko hanyar sadarwa kuma a wannan yanayin dole ne mu saka abin rufe fuska).

makoma_ip = inda fakiti ke tafiya. wannan na iya zama IP ɗaya ko hanyar sadarwa kuma a wannan yanayin dole ne mu saka abin rufe fuska).

yarjejeniya = yana nuna yarjejeniyar da fakiti ke amfani da su (icmp, tcp, udp ...)

tashar jiragen ruwa = tashar jirgin ruwa na zirga-zirga.

aiki = SHA ko karɓa.

Alal misali:

Hoton hotuna daga 2014-09-30 19:26:41

DUKAN an iyakance manufofin.

Hoton hotuna daga 2014-09-30 19:27:42

Sa'annan mun ƙara dokoki don samun damar yin zirga-zirga ta tashar 80 HTTP da 443 HTTPS, tare da yarjejeniyar TCP. Sannan tashar jiragen ruwa 53 Ana amfani dashi don abokin cinikin DNS don warware yankuna, in ba haka ba baza ku kewaya ba. Wannan yana aiki tare da ladabin udp.

Layin:

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Saboda haka ne: Lokacin da kake yin buƙatar HTTP misali, zaka haɗa zuwa tashar jiragen ruwa 80 na sabar, amma sabar don dawo da bayanin yana buƙatar haɗi tare da kai ta kowace tashar jiragen ruwa. (Gabaɗaya yafi 1024).

Da yake duk tasharmu ta rufe wannan ba zai samu ba sai dai idan mun bude dukkan tashar jiragen sama sama da 1024 (Mummunan ra'ayi). Abin da wannan ke faɗi shi ne cewa duk zirga-zirgar da ke shigowa daga haɗin da na kafa kaina karɓaɓɓe ne. Ina nufin, haɗin da tun asali na fara.

Lokacin sanya OUTPUT a cikin ƙa'idodi, wannan ya shafi kayan aikin da ake magana ne kawai, idan muna amfani da kayan aikinmu azaman mai amfani da hanyar sadarwa don ba da damar waɗannan haɗin, dole ne mu canza OUTPUT zuwa GABA. Tun da yake zirga-zirga na wucewa ta cikin kwamfutar amma ba a fara ta ba
Duk waɗannan ƙa'idodin an share su bayan sake farawa, don haka dole ne ku ƙirƙiri rubutun don su fara ta tsohuwa. Amma zamu ga wannan a gaba

Ina fatan kun so wannan bayanin. A na gaba zanyi magana akan NAT, wakili da kuma rubutun Firewal.


12 comments, bar naka

Bar tsokaci

Your email address ba za a buga. Bukata filayen suna alama da *

*

*

  1. Wanda ke da alhakin bayanan: Miguel Ángel Gatón
  2. Manufar bayanan: Sarrafa SPAM, sarrafa sharhi.
  3. Halacci: Yarda da yarda
  4. Sadarwar bayanan: Ba za a sanar da wasu bayanan ga wasu kamfanoni ba sai ta hanyar wajibcin doka.
  5. Ajiye bayanai: Bayanin yanar gizo wanda Occentus Networks (EU) suka dauki nauyi
  6. Hakkoki: A kowane lokaci zaka iyakance, dawo da share bayanan ka.

  1.   Rogelio pinto m

    Wannan shine asalin da yan kasuwa da yawa ke dauka don kera katangun gidan su, wanda shine dalilin da yasa akwai nau'ikan katuwar wuta da ke dauke da linux a kasuwa, wasu suna da kyau wasu kuma basu da yawa.

  2.   Eber m

    Labari mai kyau. Ina jiran kashi na biyu.

  3.   Milton m

    Kyakkyawan bayani, ya taimaka min fahimtar wakili na aikina. na gode

  4.   faust m

    Sannu Jlcmux,

    Kyakkyawan, Ina son shi sosai, yaushe yaushe za a sami ɗayan ɓangaren?

    Gaisuwa da godiya ga rabawa

    1.    @Bbchausa m

      Godiya ga sharhi.

      Na aika da dayan bangaren jiya, a tsakar rana ina tsammanin za su buga shi.

      Na gode.

  5.   Isra'ila m

    Kyakkyawan labarin aboki @ Jlcmux, Na koya dashi kwarai da gaske tunda ya bayyana wasu shubuhohi da nake da su na wani lokaci, ta yadda ba za ku damu da raba littafin asalin labarin ba, na Sébastien BOBILLIER, da kyau slau2s kuma yanzu don ganin bangare na 2, salu2s.

    1.    @Bbchausa m

      Barka dai Mun gode da yin tsokaci kan Isra'ila.

      Ya zama cewa ina da littafin a cikin sifar jiki. Amma na sami wannan haɗin yanar gizon akan Litattafan Google. http://books.google.com.co/books?id=zxASM3ii4GYC&pg=PA356&lpg=PA356&dq=S%C3%A9bastien+BOBILLIER+Linux+%E2%80%93+Administraci%C3%B3n+del+sistema+y+explotaci%C3%B3n+de+los+servicios+de+red#v=onepage&q=

      Ina ganin ya cika.

  6.   Ariel m

    Labari mai kyau, na ƙara tambaya: Menene fa'idar amfani da Linux azaman mai amfani da hanyar sadarwa, idan akwai, game da kayan aikin da aka sadaukar dasu? Ko dai kawai don motsa jiki? Na san akwai keɓaɓɓun ɓarna amma ban sani ba ko za su ceci tsofaffin Kwamfutocin ne ko samar da ƙarin sassauƙa a cikin tsari.

    1.    @Bbchausa m

      Da kyau, ina tsammanin fa'idodi da rashin amfani sun dogara da yanayin da zaku aiwatar da wannan. Me yasa tabbas baza ku sayi UTM ko wani abu makamancin haka ba don gidan ku? Kuma wataƙila don ƙaramin kasuwancin da ba zai iya iya ba shi ma. Hakanan yana da kyau azaman motsa jiki, saboda yana taimaka maka fahimtar duk dabaru na wannan kuma zaka iya inganta sayayyar FWall sosai. Bayan wannan kusan dukkanin waɗannan na'urori suna da Linux.

      Na gode.

  7.   Ariel m

    Barka dai, tambaya, shin zaku iya samar da wani abu na "wucin gadi" a cikin Linux don kwatankwacin aikin tsakanin hanyoyin sadarwa? (salon fasalin fakiti) don aiki tare da injunan kama-da-wane? misali idan ina da eth0 (saboda ina da kati guda ɗaya tak tabbas) zan iya ƙirƙirar eth1 don yin wata hanyar sadarwa? Mai koyarwa sosai!

    1.    kari m

      A cikin Linux zaku iya ƙirƙirar maɓallan kama-da-wane, ba shakka. Idan kana da eth0, zaka iya samun eth0: 0, eth0: 1, eth0: 2 ... da dai sauransu

  8.   chinoloco m

    Don haka mai kyau, godiya ga rabawa