In the previous post we saw how to configure IPTables so that it works as a firewall. Now let's look at how to write scripts so that the rules are applied automatically when the system boots, and how to stop or temporarily disable those rules.
Before writing them and showing you what they look like, let's talk a little about NAT and about the scenario we want to set up with this machine.
NAT and the example scenario.
When we talk about NAT it is easy to confuse it with routing, since both are responsible for joining two networks. The real difference is that routing is used to get from one network to another, and that second network may in turn be connected to a router that goes out to the Internet.
When we talk about NAT, on the other hand, we mean redirecting packets from a local (private) network onto a public network or the Internet. It does this by masquerading the packets: it rewrites their source address with the public IP that is used to reach the Internet. In other words, we do not need a separate router, because the public IP is held directly by the GNU/Linux machine.
We will apply this with the premise that we are using Linux as a router/firewall to reach the Internet from a local network. Two scenarios can come up here.
- Our Linux box sits between the provider's router and the local network.
In this case there can be one network between the router and Linux, and another network between Linux and the local network. This means our Linux box does not need to do NAT at all; plain routing, as explained in the previous post, is enough.
- Our Linux box has one interface connected to the local network and, through another interface, receives the public IP directly and browses with it.
This means our Linux box must do NAT so that the packets can reach the Internet.
For the purposes of this small lab we will assume the second case: our Linux box receives the public IP directly, so we can test the results of NAT.
To do NAT we use the following syntax:
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
Where eth1 is the interface on which we receive the public IP, that is, the one through which we go out to the Internet.
Creating the iptables scripts
Let's suppose that 172.26.0.0 is the local network and 81.2.3.4 is the public IP we use to go out to the Internet (a static IP). I have the interfaces eth0 (local network) and eth1 (Internet).
It is just a matter of writing a script that can be called from /etc/init.d/firewall (for example), and from that script we can start, stop or check the status, as we do with any daemon.
Let's suppose that my IPTABLES rules are:
#!/bin/bash
# My home firewall.
# File name: /etc/firewall_on
# Author: Jlcmux  Twitter: @Jlcmux
#
# Default policies: drop everything that no rule below accepts.
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
#
# NAT to share the Internet connection from eth0 out through eth1,
# rewriting the source address to our static public IP.
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 81.2.3.4
#
# Accept the return packets of connections initiated from the LAN.
iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# HTTP, HTTPS and DNS from the LAN out to the Internet.
iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 443 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -p udp --dport 53 -j ACCEPT
Explanation:
The script does the following:
- First it blocks all incoming, outgoing and forwarded traffic. (Basic firewall policies)
- Then it does NAT with eth1 as the outgoing interface, indicating that we have the static public IP "81.2.3.4".
- It opens what is needed to accept the return packets of connections that I initiated.
- It accepts HTTP, HTTPS and DNS traffic.
If we want to browse from the firewall machine itself, we have to repeat those lines, replacing FORWARD with INPUT or OUTPUT as appropriate.
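As an added example (not the post's own script), the same lab policy rendered in iptables-restore format: LAN 172.26.0.0 on eth0, static public IP 81.2.3.4 on eth1. Loading a ruleset with `iptables-restore` replaces the tables in one step, so there is never a moment where the DROP policies are in place but the accept rules are not yet appended. The /16 netmask, the conntrack INVALID rule and the `-s` restriction on the SNAT rule are my additions and are assumptions about the post's network; `net.ipv4.ip_forward` must be enabled or the kernel will not forward anything regardless of the rules.

```shell
#!/bin/sh
# Added example, not the post's own script.
# Renders the post's lab policy as a ruleset in iptables-restore format and
# applies it atomically.  Interfaces, network and public IP can be overridden
# through the environment; the defaults match the post.

LAN_IF=${LAN_IF:-eth0}
WAN_IF=${WAN_IF:-eth1}
LAN_NET=${LAN_NET:-172.26.0.0/16}   # /16 is an assumption, the post gives no mask
PUBLIC_IP=${PUBLIC_IP:-81.2.3.4}

# Print the ruleset to stdout.  Default policies are DROP, so anything not
# listed is discarded; when something "stops working", check the counters
# on the policy lines in `iptables -L -n -v` first.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Return traffic for connections the LAN (or the box itself) initiated.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Malformed or out-of-window packets that conntrack cannot classify.
-A FORWARD -m conntrack --ctstate INVALID -j DROP
# Only the LAN's own prefix may be forwarded out (no spoofed sources).
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -p tcp --dport 80 -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -p tcp --dport 443 -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -p udp --dport 53 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# SNAT only the LAN prefix, so the public IP is never stamped on packets
# that did not originate behind the firewall.
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j SNAT --to-source $PUBLIC_IP
COMMIT
EOF
}

# Number of tables a ruleset text defines (each table ends with COMMIT).
count_tables() {
    printf '%s\n' "$1" | grep -c '^COMMIT$'
}

# Apply the ruleset (needs root).  `--test` only parses the input, which is
# a cheap syntax check before the real, atomic load.
apply_rules() {
    gen_rules | iptables-restore --test && gen_rules | iptables-restore
    # NAT is useless unless the kernel forwards between interfaces at all.
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
}
```

Run `gen_rules > /etc/iptables/rules.v4` to produce the file that the Debian `iptables-persistent` package loads at boot, or call `apply_rules` from a start script.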
Stop script.
Now we will write a script that undoes everything above and leaves the machine clean of all rules (for testing, or when we just want to turn the firewall off).
#!/bin/bash
# My home firewall.
# File name: /etc/firewall_off
# Author: Jlcmux  Twitter: @Jlcmux
#
# Flush the rules in the filter table and in the nat table (otherwise the
# SNAT rule would stay active), and delete any user-defined chains.
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
#
# Restore the default policies (accept all traffic).
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
Startup.
Now we have to create a script inside /etc/init.d/ so that the service starts on its own and we can manage it in a more convenient way.
#!/bin/bash
# My home firewall.
# File name: /etc/init.d/firewall
# Author: Jlcmux  Twitter: @Jlcmux
case "$1" in
    start)
        /etc/firewall_on
        ;;
    stop)
        /etc/firewall_off
        ;;
    status)
        iptables -L
        ;;
    *)
        echo "Wrong syntax. Correct usage: /etc/init.d/firewall start|stop|status"
        ;;
esac
Explanation:
We placed this last script in /etc/init.d/ with the name firewall. So whenever we want to manage the firewall we can use the command /etc/init.d/firewall start. In the same way we can stop it or check its status.
Now we edit the file /etc/rc.local and add a line like /etc/init.d/firewall start so that the firewall starts together with the system.
Well, that was the second part. I hope it is useful to all of you. Next we will look at Proxy and IDS.
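As an added example (not the post's /etc/init.d/firewall script), a controller with the same start|stop|status interface plus the points a reviewer would raise: "stop" flushes every table the kernel has loaded (read from /proc/net/ip_tables_names), not only filter, and only then resets the policies to ACCEPT; an unknown subcommand exits non-zero so rc.local or a service manager notices. Every iptables call goes through the IPTABLES variable so the logic can be exercised without root by pointing it at a stub. /etc/firewall_on is assumed to be the post's start script.

```shell
#!/bin/sh
# Added example, not the post's own init script.

IPTABLES=${IPTABLES:-iptables}
TABLES_FILE=${TABLES_FILE:-/proc/net/ip_tables_names}
START_SCRIPT=${START_SCRIPT:-/etc/firewall_on}   # the post's start script

# Tables currently loaded by the kernel.  Falls back to the four standard
# tables when the proc file is unreadable (no root, or no modules loaded yet).
loaded_tables() {
    if [ -r "$TABLES_FILE" ] && [ -s "$TABLES_FILE" ]; then
        cat "$TABLES_FILE"
    else
        printf '%s\n' filter nat mangle raw
    fi
}

# Flush rules, delete user chains and zero counters in *every* table, then
# open the default policies.  Flushing only "filter" would leave the SNAT
# rule in the nat table active.
fw_stop() {
    for t in $(loaded_tables); do
        "$IPTABLES" -t "$t" -F
        "$IPTABLES" -t "$t" -X
        "$IPTABLES" -t "$t" -Z
    done
    for chain in INPUT OUTPUT FORWARD; do
        "$IPTABLES" -P "$chain" ACCEPT
    done
}

fw_start() {
    if [ ! -x "$START_SCRIPT" ]; then
        echo "$START_SCRIPT is missing or not executable" >&2
        return 1
    fi
    "$START_SCRIPT"
}

# Show every table with numeric addresses and packet/byte counters.
fw_status() {
    for t in $(loaded_tables); do
        echo "== table $t =="
        "$IPTABLES" -t "$t" -L -n -v
    done
}

# Dispatch one subcommand.  Returns 0 on success, 2 on a usage error.
firewall_ctl() {
    case "$1" in
        start)   fw_start ;;
        stop)    fw_stop ;;
        restart) fw_stop && fw_start ;;
        status)  fw_status ;;
        *)       echo "usage: $0 start|stop|restart|status" >&2; return 2 ;;
    esac
}

if [ "$#" -gt 0 ]; then
    firewall_ctl "$@"
fi
```

Installed as /etc/init.d/firewall, this is used exactly like the post's script; the `rc.local` line from the post stays the same.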
7 comments
If you are using Debian there is a package in the repo (iptables-persistent) that does the same thing: it dumps the current rules into /etc/iptables/rules.v4 or v6 depending on which you use, and then applies them for you when the system boots.
As a general rule, to clean up an iptables firewall configuration (and in my experience it is not always a NAT one), the reset command plus re-establishing the default policies to ACCEPT is usually enough.
But to be thorough, and as far as I know, on top of that you also have to delete the default chains and reset the tables. This should be done bearing in mind that besides "filter" there are other tables (it is a good idea to read the file "/proc/net/ip_tables_names" for this).
By the way, orthodoxy says the firewall should be up before the network is. I don't know how it is done on other Linux systems, but on Debian the scripts can be adapted and placed in the "/etc/network/if-pre-up.d/" directory.
Good luck everyone. 😉
Hi, the post is very good. I read both parts.
Waiting for the next one.
A question out of my ignorance: we keep going with iptables, but on several kernel versions we have problems, I have already tried it. The question is, is nftables a beta with respect to iptables? Will iptables keep being used in the long term?
Thank you.
nftables includes all the functionality of iptables, ip6tables, arptables and ebtables, all built on a new infrastructure in kernel space and user space, which ensures performance and functionality. nftables will replace iptables and all the other tools mentioned, but not right now, at least not until most people start using such tools.
Very good post, I'd like to read more since it is very well explained.. regards, thanks a lot
Hi! Excellent, all of it.
As a contribution you could add at the end of this part:
"Now we edit the file /etc/rc.local and add a line like /etc/init.d/firewall start so that the firewall starts together with the system."
Add this to rc.local:
if [ -x /etc/init.d/firewall ]; then
    /etc/init.d/firewall start
fi
Which means: if "firewall" has execute permission, run it; otherwise, don't.
If you want "firewall" not to start, you only have to remove the permission.
For example: chmod +x /etc/init.d/firewall
so that it runs at every boot, or...
chmod -x /etc/init.d/firewall
to disable it completely.
Thanks!