This post tries to clarify a little about how routing works and how to turn our Linux machines into a router that gives our network some protection, whether at home or even in a business. So let's get down to business:
Routing and filtering
To talk about and understand routing we can start by explaining what the function of a router is. We can say that a router, besides creating a network and letting other devices connect to it (knowing that we can also do this with an AP, a switch, a hub or other equipment), is able to connect two different networks to each other.
As we can see in the image, there is a local network "10.0.1.0" created by the router, which reaches one of its two interfaces. On another interface the router has another network, with its own public IP with which it can connect to the Internet. The job of routing is to act as the intermediary between these two networks so that they can communicate.
Linux as a router.
As might be expected, the Linux kernel already has the ability to do "forwarding", but it is disabled by default, so if we want our Linux to do this job we have to go to the file
/proc/sys/net/ipv4/ip_forward
There we will see that this file contains only a zero "0"; what we have to do is change it to a one "1" to activate this behavior. Unfortunately this is undone when we restart the machine, so to leave it activated by default we have to use the command:
sysctl net.ipv4.ip_forward=1
Or set it directly in the file /etc/sysctl.conf. Depending on the distribution, this setting may also live in a file under /etc/sysctl.d/.
By default our Linux should already have a routing table, which is normally the configuration of our own network and its connection to the router. If we want to see this table we can use two commands:
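The forwarding switch described above, as an added example (it is not code from the original post): one function reports whether the kernel knob is set, another writes the persistent setting as a drop-in under /etc/sysctl.d/ (the file name 99-ip-forward.conf is my choice), and a third loads it into the running kernel. Note that `sysctl net.ipv4.ip_forward=1` on its own only changes the running kernel; only the file under /etc/sysctl.conf or /etc/sysctl.d/ survives a reboot. The paths are parameters so the first two functions can be exercised on copies of the files without root.

```shell
#!/bin/sh
# Added example, not part of the original post.
# Inspect, persist and apply net.ipv4.ip_forward.

# Print "enabled" or "disabled" according to the contents of the ip_forward
# file. Defaults to the live kernel knob; a different path can be given.
ip_forward_status() {
    file="${1:-/proc/sys/net/ipv4/ip_forward}"
    if [ "$(cat "$file" 2>/dev/null)" = "1" ]; then
        echo enabled
    else
        echo disabled
    fi
}

# Write the persistent setting into a sysctl drop-in (default /etc/sysctl.d).
# The drop-in name 99-ip-forward.conf is an assumption of this example.
# Returns 0 on success, 1 on a bad value or a write failure.
persist_ip_forward() {
    dropin_dir="${1:-/etc/sysctl.d}"
    value="${2:-1}"
    case "$value" in
        0|1) ;;
        *) echo "ip_forward must be 0 or 1, got '$value'" >&2; return 1 ;;
    esac
    mkdir -p "$dropin_dir" || return 1
    printf 'net.ipv4.ip_forward = %s\n' "$value" > "$dropin_dir/99-ip-forward.conf" || return 1
}

# Read back the value a drop-in file would set (tolerates spaces around '=').
dropin_value() {
    sed -n 's/^net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*//p' "$1"
}

# Load the setting into the running kernel. Needs root, so it refuses otherwise
# instead of failing half-way.
apply_ip_forward() {
    value="${1:-1}"
    [ "$(id -u)" -eq 0 ] || { echo "apply_ip_forward needs root" >&2; return 1; }
    sysctl -w "net.ipv4.ip_forward=$value" >/dev/null
}

# Usage:  sh ip_forward.sh            -> report the live status
#         sudo sh ip_forward.sh enable -> persist and apply
case "${1:-status}" in
    status) echo "IPv4 forwarding is $(ip_forward_status)" ;;
    enable) persist_ip_forward && apply_ip_forward && echo "forwarding enabled and persisted" ;;
esac
```

With forwarding enabled the machine will pass packets between its interfaces for any host that routes through it, so it is worth enabling only once the filtering rules from the second half of the post are in place.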
route -n
or
netstat -nr
Both commands should return the same thing.
In general, this configuration is enough for your Linux to work as a gateway so that other computers can route through it. Now, if we want our Linux to interconnect two or more interfaces, local or not, we can use static routes, for example.
Let's say my Linux has two network interfaces: the first has the Internet connection and its network is 172.26.0.0, and the second (10.0.0.0) has other computers from another local network. If we want to forward packets to that other network we can use:
route add -net 10.0.0.0 netmask 255.0.0.0 gw 172.26.0.8
Generically (REDDESTINO is the destination network, MASCARA its mask and IPDELLINUX the IP of the gateway) it is:
route add -net REDDESTINO netmask MASCARA gw IPDELLINUX
If we then run route -n, the route will appear in our table regardless of whether that network actually exists or not.
If we want to remove the route we just added we can use
route del -net 10.0.0.0 netmask 255.0.0.0
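The static-route steps above, as an added example that is not code from the original post: the parsers read the table as printed by `route -n`, and add_static_route adds the route from the text only when it is not already there, so running the script twice does not leave a duplicate. SAMPLE_TABLE is a constructed copy of `route -n` output so the parsing can be checked offline; adding the real route still needs root and the net-tools `route` command (on current distributions the iproute2 equivalent is `ip route add 10.0.0.0/8 via 172.26.0.8`).

```shell
#!/bin/sh
# Added example, not part of the original post.
# Idempotent "route add" with a check against the kernel routing table.

# Constructed sample of "route -n" output (not captured from a real host).
# Columns: Destination Gateway Genmask Flags Metric Ref Use Iface
SAMPLE_TABLE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         172.26.0.1      0.0.0.0         UG    0      0        0 eth0
10.0.0.0        172.26.0.8      255.0.0.0       UG    0      0        0 eth0
172.26.0.0      0.0.0.0         255.255.0.0     U     0      0        0 eth0'

# Return 0 when TABLE (text in "route -n" format) has a route to DEST/MASK.
# The first two lines of "route -n" are headers, hence NR > 2.
route_present() {
    dest="$1"; mask="$2"; table="$3"
    printf '%s\n' "$table" | awk -v d="$dest" -v m="$mask" '
        NR > 2 && $1 == d && $3 == m { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Print the gateway of the route to DEST/MASK, or nothing if there is none.
route_gateway() {
    dest="$1"; mask="$2"; table="$3"
    printf '%s\n' "$table" | awk -v d="$dest" -v m="$mask" '
        NR > 2 && $1 == d && $3 == m { print $2 }'
}

# Add the route unless an identical destination/mask is already in the table.
# Reports what it did; returns non-zero if "route add" fails.
add_static_route() {
    dest="$1"; mask="$2"; gw="$3"
    table="$(route -n 2>/dev/null)"
    if route_present "$dest" "$mask" "$table"; then
        echo "route to $dest/$mask already present via $(route_gateway "$dest" "$mask" "$table")"
        return 0
    fi
    route add -net "$dest" netmask "$mask" gw "$gw" || return 1
    echo "added route to $dest/$mask via $gw"
}

# Usage:  sudo sh static_route.sh add   -> adds the route from the text
case "${1:-}" in
    add) add_static_route 10.0.0.0 255.0.0.0 172.26.0.8 ;;
esac
```

Checking the table first also catches the situation the text mentions: `route add` happily installs a route whether or not the destination network exists, so a second look at `route -n` is the only feedback you get.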
Iptables.
Basically, iptables is used to filter packets, whether outgoing, incoming or otherwise, which makes it a great tool for handling our network traffic. Now, just as iptables lets us filter the traffic of a single computer, it also lets us filter the traffic that passes through it (forwarding). Iptables can be divided into tables, chains and actions.
- Tables: basically there can be two tables: filter, to filter packets, and nat, to translate addresses, that is, from one network to another.
- Chains: the chain refers to the type of traffic we want to filter or NAT, that is, to which traffic we will apply the tables. They can be INPUT: incoming traffic, OUTPUT: outgoing traffic, or FORWARD: traffic that passes through the machine but is not one of its own connections.
- POSTROUTING can also be found; it is used to treat the packet in a certain way after it has been routed.
- Actions: actions are basically what is to be done with the traffic matched by the chain. These can be DROP, which simply discards the traffic, or ACCEPT, which lets the traffic through.
iptables rules are stored and executed in the order in which they were created, and if one rule contradicts an earlier rule, the rule that comes last in the order is the one that ends up applied.
Firewall rules.
Generally, firewalls usually work in one of two ways:
- Allow all traffic except..., or
- Deny all traffic except...
To apply the policies we use iptables -P CHAIN ACTION
where CHAIN represents the type of traffic (INPUT, OUTPUT, FORWARD, POSTROUTING ...) and ACTION is DROP or ACCEPT.
Let's look at an example.
Here we see that at first I could ping; then I told iptables that all OUTPUT traffic was DROP, that is, not allowed. Then I told iptables to accept it again.
If we are going to build a firewall from scratch we should always apply the policy of "Deny all traffic except ...". For this we use the rules:
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
To revert, we write the same thing replacing DROP with ACCEPT.
At this point, since all traffic is denied, we start telling iptables which traffic it may have.
The syntax is:
iptables -A cadena -s ip_origen -d ip_destino -p protocolo --dport puerto -j acción
Where:
cadena (chain) = INPUT, OUTPUT or FORWARD
ip_origen (source IP) = where the packets come from; this can be a single IP or a network (in which case we must specify the mask).
ip_destino (destination IP) = where the packets are going; this can be a single IP or a network (in which case we must specify the mask).
protocolo (protocol) = indicates the protocol the packets use (icmp, tcp, udp ...)
puerto (port) = destination port of the traffic.
acción (action) = DROP or ACCEPT.
Example:
ALL the deny policies are applied.
Then we add the rules so that we can have traffic through port 80 HTTP and 443 HTTPS, with the TCP protocol. Then port 53, which the DNS client uses to resolve domain names; without it you will not be able to browse. This one works with the UDP protocol.
The line:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
is there for the following reason: when you make an HTTP request, for example, you connect to port 80 of the server, but in order to return the information the server needs to reach you on some port (generally higher than 1024).
Since all our ports are closed this would not be possible unless we opened every port above 1024 (bad idea). What this line says is that all incoming traffic belonging to a connection I have established myself is accepted. That is, connections that I initiated.
I hope you found this information useful. In the next one I will talk about NAT, proxies and firewall scripts.
This is the reason many companies take to build their own firewall, and that is why there are many firewalls well established in the market, some good and some not so much.
Good article. I look forward to the second part.
Very good explanation, it helped me understand the proxy for my job. Thanks
Hi Jlcmux,
Good, I liked it a lot, when will the other part be available?
Greetings and thanks for sharing
Thanks for commenting.
I sent the other part yesterday; I think they will publish it during the day.
Thanks.
Very good article friend @Jlcmux, I learned a lot from it since it cleared up some doubts I had had for a while; by the way, you wouldn't mind sharing the book the article is based on, the one by Sébastien BOBILLIER? Well, salu2s and now on to the second part, salu2s.
Hi, thanks for commenting Israel.
It happens that I have this book in physical form. But I found this link on Google Books. http://books.google.com.co/books?id=zxASM3ii4GYC&pg=PA356&lpg=PA356&dq=S%C3%A9bastien+BOBILLIER+Linux+%E2%80%93+Administraci%C3%B3n+del+sistema+y+explotaci%C3%B3n+de+los+servicios+de+red#v=onepage&q=
I think it is enough.
Excellent article, I'll add a question: what would be the advantage of using Linux as a router, if any, compared to dedicated hardware? Or is it just for practice? I know there are dedicated distros but I don't know whether they are meant to rescue old PCs or to give some flexibility in configuration.
Well, I think the advantages and disadvantages depend on the context in which you are going to use it. Why would you actually buy a UTM or something like that for your home? And perhaps for a small business that cannot afford one either. It is also good as practice, since it helps you understand everything behind this and you can then configure a dedicated FWall better. On top of that, almost all of these devices actually run Embedded Linux.
Thanks.
Hello, a question: can you create "virtual" interfaces in Linux in a similar way to routes between networks (packet tracer style) to work with a real machine? For example if I have eth0 (because I only have one card) can I create eth1 to make another network? Very good tutorial!
In Linux you can create virtual interfaces, yes. If you have eth0, you can have eth0:0, eth0:1, eth0:2 ... and so on
Well good, thanks for sharing