en el previous post Mun ga yadda IPTables ke aiki don aiki azaman Firewall. Yanzu zamu iya ganin yadda ake kirkirar waɗancan rubutun domin a aiwatar da dokoki kai tsaye lokacin da tsarin ya fara, da kuma yadda zamu iya kawar ko dakatar da waɗancan dokokin na ɗan lokaci.
Kafin yin rubutun da nuna muku yadda yake, bari muyi magana kadan game da NAT da kuma tunanin abin da muke son yi da wannan kayan aikin.
NAT da Yanayin misali.
Lokacin da muke magana game da NAT, zamu iya rikitar da wannan ta hanyar hanya, tunda dukansu suna kula da haɗa hanyoyin sadarwa daban daban da juna. Bambanci na ainihi shine cewa ana amfani da hanya don zuwa daga wannan hanyar sadarwar gida zuwa wani kuma wannan ɗayan hanyar sadarwar na iya haɗawa da na'ura mai ba da hanya tsakanin hanyoyin sadarwa da fita zuwa Intanit.
Ganin cewa, lokacin da muke magana game da NAT, muna magana ne game da fakiti masu jigila daga cibiyar sadarwar gida ko masu zaman kansu zuwa hanyar sadarwar jama'a ko Intanet. Yana yin wannan ta ɓoye fakiti ta sanya IP ɗin jama'a wanda yake zuwa Intanit dashi. A wasu kalmomi, ba mu buƙatar na'ura mai ba da hanya tsakanin hanyoyin sadarwa, saboda IP ɗin jama'a yana da mallakar GNU / Linux kai tsaye.
Zamuyi aiki da wannan ne da taken da muke amfani da Linux dinmu azaman hanyar sadarwa / Firewall don fita zuwa yanar gizo daga hanyar sadarwa. Amma a nan yanayi biyu na iya bayyana.
- Wannan Linux ɗinmu yana tsakanin na'ura mai ba da hanya tsakanin hanyoyin sadarwa na mai ba da sabis da cibiyar sadarwar gida.
A wannan yanayin, tsakanin na'ura mai ba da hanya tsakanin hanyoyin sadarwa da Linux ɗinmu akwai hanyar sadarwa, kuma tsakanin Linux da cibiyar sadarwar gida akwai wata hanyar sadarwa daban. Wannan yana nufin cewa na'ura mai ba da hanya tsakanin hanyoyin sadarwa ba za ta yi NAT haka ba, tare da sauƙaƙe zirga-zirgar zirga-zirga kamar yadda aka bayyana a ciki previous post Zai yi kyau.
- Cewa Linux ɗin mu yana da haɗin yanar gizo wanda aka haɗa shi da hanyar sadarwar gida kuma ta hanyar ɗayan hanyar da yake karɓar IP ɗin jama'a kai tsaye wanda yake aiki dashi.
Wannan yana nufin cewa Linux ɗinmu dole ne suyi NAT don fakiti su isa Intanet.
Don dalilan wannan ƙaramin dakin binciken sannan, zamu ce Linux ɗin mu na karɓar IP ɗin jama'a kai tsaye kuma ta haka ne zasu iya gwada tasirin NAT.
Don yin NAT sai muyi amfani da rubutun
iptables -t nat -A GABATARWA -O eth1 -j MASQUERADE
Inda eth1 shine kewayawa inda muke karɓar IP ɗin jama'a, ma'ana, inda muke zuwa Intanit.
Irƙirar rubutun iptables
Idan kuma haka ne: 172.26.0.0 shine hanyar sadarwarmu ta gida kuma 81.2.3.4 shine IP ɗin jama'a wanda muke zuwa Intanit dashi. (ip tsaye ne). Ina da hanyoyin musayar ra'ayi na eth0 (cibiyar sadarwar gida)
eth1 (Cibiyar sadarwar jama'a).
Asali ya ƙunshi ƙirƙirar rubutu wanda za'a iya kira daga /etc/init.d/firestop (misali). kuma daga wannan rubutun zamu iya farawa, tsayawa ko bincika matsayin saitunanmu, kamar yadda mukeyi da kowane tsarin daemon.
Ace dokokin IPTABLES na sune:
#! / bin / bash # Firewall na gidana. # Sunan fayil / sauransu / Firewall_on # Daga Jlcmux Twitter: @Jlcmux # # Manufar asali. iptables -P INPOUT DOP iptables -P OUTPUT DROP iptables -P GABA DOP # #NAT don raba yanar gizo daga eth0 zuwa eth1 iptables -t nat -A GABATARWA -O eth1 -j SNAT --to-source 81.2.3.4 # # Bada izinin shigowa da na bude ta hanyar kayan aiki na - GABA -m jihar - an kafa STATLLED, RELATED -j ACCEPT # # Izinin masu shigowa izini masu izini -GABATARWA -i eth0 -o eth1 -p tcp -dport 80 -j ACCEPT iptables -GABAN -i eth0 -o eth1 -p tcp -dport 443 -j ACCEPT iptables -AKAI gaba -i eth0 -o eth1 -p udp -dport 53 -j ACCEPT
Bayanin:
Rubutun yana yin haka mai zuwa:
- Na farko takura dukkan kewayawa, haɗi da zirga-zirga. (Ka'idodin Firewall na asali)
- Sannan ƙirƙirar NAT tare da ma'anar1. yana nuna cewa muna da tsayayyen jama'a ip «81.2.3.4»
- Yana buɗe tashoshin da ake buƙata don karɓar fakitin haɗin haɗin da na fara.
- Yana karɓar fitowar HTTP, HTTPS, da zirga-zirgar DNS.
Idan muna so muyi amfani da kayan aikin mu don yin zirga-zirga ya kamata mu maimaita layukan mu canza GABA zuwa INPUT ko OUTPUT yadda ya dace.
Soke rubutun.
Yanzu zamu kirkiri wani rubutu wanda ya birkita dukkan abubuwan da ke sama kuma ya bar wa kwamfutar tsabtace duk wannan. (Don dalilai na gwaji ko kawai muna so mu kashe katangar bango).
#! / bin / bash # Firewall na gidana. # Sunan fayil / sauransu / firewall_off # Daga Jlcmux Twitter: @Jlcmux # # Share iptables Dokokin -F # # Aiwatar da manufofin tsoho (duk hanyar da aka yarda da ita) iptables -P INPUT ACCEPT iptables -P OUTPUT ACCEPT iptables -P FORWARD ACCEPT
Aiki da kai.
Yanzu dole ne mu ƙirƙiri rubutun a ciki /da sauransu/init.d/ kuma sabis ɗin yana farawa ta atomatik kuma zamu iya sarrafa shi ta hanyar da ta fi dacewa.
#! / bin / bash # Firewall na gidana. # Sunan fayil /etc/init.d/ Firewall # Ta Jlcmux Twitter: @Jlcmux harka $ 1 a farawa) / sauransu / firewall_on ;; tasha) / sauransu / firewall_off ;; matsayi) iptables -L ;; *) amsa kuwwa "Daidaitaccen tsari
Bayanin:
Wannan rubutun na karshe da muka saka a ciki /da sauransu/init.d/ tare da suna wasan wuta. Don haka idan muna son sarrafa Firewall zamu iya amfani da umarnin /etc/init.d/ farawar bango. Hakanan zamu iya dakatar da shi ko ganin jihar.
Yanzu zamu shirya fayil ɗin /etc/rc.local kuma mun sanya wani abu kamar: /etc/init.d/ farawar bango don farawa tare da tsarin.
Kazalika. Wannan kashi na biyu kenan. Ina fatan ya kawo muku komai. A na gaba zamu ga wakili da IDS.
7 comments, bar naka
Idan kana amfani da Debian akwai wani kunshi a cikin repo (iptables-persistent) wanda yayi hakan daidai, ya zubar da dokokin yanzu a cikin /etc/iptables/rules.v4 ko v6 ya danganta da abin da kayi amfani da shi sannan ya zartar maka dasu. lokacin da ka daga tsarin.
A aikace, don tsabtace daidaitaccen Firewall na al'ada (kuma yin amfani da NAT ba zai zama haka ba a ra'ayina), a mafi yawan lokuta ƙa'ida ta sakewa da sake saita tsoffin manufofin zuwa ACCEPT zasu isa.
Amma a ka'ida, kuma kamar yadda na sani, ban da wannan kuma kuna buƙatar share layin da ba tsoho ba kuma sake saita masu ƙidayar. Ayyukan da za'ayi la'akari da cewa banda "tace" akwai wasu teburin, (ya zama tilas a karanta fayil ɗin "/ proc / net / ip_tables_names" don wannan).
Af, orthodoxy yana cewa dole ne Tacewar zaɓi ta riga ta tashi kafin cibiyar sadarwar ta kasance. Ban san yadda ake cin nasara akan sauran tsarin Linux ba, amma akan na Debian ana iya daidaita rubutun kuma a sanya shi a cikin kundin adireshin "/etc/network/if-pre-up.d/".
Kyakkyawan katangar katangar kowa. 😉
Sannu, sakon yana da kyau sosai. Na karanta duka kundin 2.
Jiran na gaba 🙂
Tambaya daga jahilcina, muna ci gaba da kayan wasan kwaikwayo, amma ga nau'ikan kwaya da yawa muna da nftables, Na riga na gwada, tambayoyin sune, shin nftable wani abu ne game da kayan kwalliya? Shin za a ci gaba da amfani da abubuwan da ba su dace ba na tsawon lokaci?
Gode.
nftables sun hada da dukkan kayan aiki na iptables, ip6table, arptables and ebtables, duk suna amfani da wani sabon kayan more rayuwa a duka sararin kernelspace da kuma filin amfani, wanda ke tabbatar da kyakkyawan aiki da ingantaccen aiki. nftable zasu maye gurbin kayan kwalliya da duk sauran kayan aikin da aka ambata amma ba don yanzu ba, ba kalla ba har sai lokacin da aka samu yaduwar amfani da kayan kwalliyar kamar haka.
kyakkyawan matsayi, Ina so in kara karantawa tunda an bayyana sosai .. gaishe gaishe godiya babbar gudummawa
Barka dai! Yayi kyau duka post.
A matsayin gudummawa zaku iya ƙarawa zuwa ƙarshen a wannan ɓangaren:
"Yanzu za mu gyara fayil din /etc/rc.local kuma mu sanya wani abu kamar: /etc/init.d/firestop farawa domin ya fara da tsarin."
Sanya wannan zuwa rc.local.
idan [-x /etc/init.d/ Firewall]; to
/etc/init.d/ farawar bango
fi
Wanne yana nufin cewa idan "Firewall" yana da izinin aiwatarwa, aiwatar da shi, idan ba haka ba.
Idan kuna son "Firewall" ba zai fara ba, kawai kuna cire izinin ne.
Misali: chmod + x /etc/init.d/ Tacewar zaɓi
don sanya shi gudana akan kowane farawa ko ...
chmod -x /etc/init.d/ bango
don kawar da shi gaba daya.
Na gode!