Kuchengetedza network yako neIptable - Proxy - NAT - IDS: CHIKAMU 1

@Jlcmux

6 maminitsi

Iyi posvo inoedza kujekesa zvishoma nezve mashandiro emashandisirwo uye maitiro ekushandura michina yedu yeLinux kuita Router inovimbisa zvishoma netiweki yedu, ingave iri kumba kana kunyange bhizinesi. Saka ngatidzikei kubhizinesi:

Izvi zvirimo zvinoenderana nebhuku "Linux - System Administration uye Network Services Operation" - Sébastien BOBILLIER

Kugadzira uye kusefa

Kuti titaure uye tinzwisise nezvekufambisa tinokwanisa kutanga kutsanangura kuti basa rei router chii? Kune izvi tinogona kutaura kuti router, pamusoro pekugadzira netiweki uye kubvumidza kubatana nemimwe michina (tichiziva kuti tinogona kuzviita neAP, switch, Hub kana vamwe) inokwanisa kubatanidza netiweki mbiri dzakasiyana kune imwe neimwe.

router

Sezvatinogona kuona mumufananidzo, pane yemuno network "10.0.1.0" iyo inogadzirwa neiyo router, uye inosvika kune imwe yeayo maviri maficha. Ipapo iyo router pane imwe interface, ine imwe network, ine yayo yeruzhinji IP iyo iyo yaunogona kubatanidza kune iyo Internet. Iyo yekufambisa basa ndeyekuti ishande semurevereri pakati pema network maviri aya kuitira kuti vakwanise kutaura.

Linux se router.

Sezvingatarisirwa, iyo Linux Kernel yatove nekwanisi yekuita "kuendesa mberi", asi nekutadza yakaremara, saka kana tichida kuti Linux yedu iite basa iri tinofanira kuenda kune iyo faira.

/proc/sys/net/ipv4/ip_forward

Ikoko ndipo patinozoona kuti iri faira rinongori ne zero "0", chatinofanirwa kuita kuchinjisa kune imwe "1" kuti tiite hunhu uhu. Izvi zvinosuruvarisa kuti zvinodzimwa patinotangazve komputa, kuti tisiye ichiitwa nekusarudzika isu tinofanirwa kushandisa rairo:

sysctl net.ipv4.ip_forward=1

Kana kuigadzirisa zvakananga mufaira /etc/sysctl.conf. Zvichienderana nekuparadzirwa uku kumisikidzwa kunogona zvakare kunge kuri faira mu  /etc/sysctl.d/.

Nekutadza Linux yedu inofanira kunge iine tafura yekufambisa, iyo inowanzo gadziriso yeyedu network uye kubatana kune iyo router. Kana tichida kuona iyi nzira tinokwanisa kushandisa mirairo miviri:

route -n

o

netstat -nr

Mirairo miviri iyi inofanira kudzoka yakafanana.

Screenshot kubva 2014-09-30 18:23:06

Muzhinji, kumisikidzwa uku kwakakwanira kuti Linux yako ishande seGateway uye mamwe makomputa anogona kufamba kuburikidza nekombuta yedu. Iye zvino, kana tichida kuti Linux yedu ibatanidze maviri kana anopfuura maratidziro, angave emuno kana kwete, semuenzaniso, tinogona kushandisa nzira dzetsika.

Ngatitii yangu Linux ine maviri network maratidziro, yekutanga ine Internet yekubatanidza iyo network iri 172.26.0.0 uye yechipiri (10.0.0.0) ine mamwe makomputa kubva kune imwe netiweki yemuno. Kana isu tichida kuendesa mapaketi kune iyo imwe netiweki yatinogona kushandisa:

route add -net 10.0.0.0 netmask 255.0.0.0 gw 172.26.0.8

Kazhinji iri:

route add -net REDDESTINO netmask MASCARA gw IPDELLINUX

kana tikapa nzira -n zvisinei nekuti network iyi iripo here kana kuti kwete, iyi nzira ichagadziriswa patafura yedu.

Screenshot kubva 2014-09-30 18:31:35

Kana isu tichida kubvisa zvakataurwa nzira isu tinogona kushandisa

route del -net 10.0.0.0 netmask 255.0.0.0

Zvinyorwa.

Chaizvoizvo iptables inoshandiswa kusefa mapaketi, ichibuda, inopinda kana vamwe, izvi zvinoita chishandiso chakakura kubata yedu network traffic. Zvakanaka, iptables, sekungotitendera kusefa traffic yekomputa imwechete, inotibvumidzawo kusefa traffic inopfuura napo. (Kutumira). Iptable inogona kukamurwa mumatafura, ngetani, uye zviito.

  • Mabhodhi:  chaizvo panogona kuve nematafura maviri, Sefa, kusefa mapaketi uye  nat kushandura kero, ndiko kuti, kubva kune imwe network kuenda kune imwe.
  • Maketani: Iyo cheni inoreva rudzi rwe traffic yatinoda kusefa kana kushambira, ndiko kuti, kunzira ipi yatichaisa matafura? uye vanogona kuva:  chiyamuro: Traffic inouya, BUDIRO: traffic inobuda kana PAMBIRI: Traffic inopfuura napo, asi haisi iyo yega kubatana.
  • Inogona zvakare kuoneka KUSVIRA, Inoshandiswa kurapa iyo packet neimwe nzira mushure mekunge yafambiswa.
  • Zviito: Zviito ndizvo chaizvo chiito chinofanira kuitwa neketani. Izvi zvinogona kuva DONHEDZA, izvo zvinongoparadza iro traffic kana Bvuma. iyo inobvumira traffic kuita chiito chakadai.

IPTABLES mitemo inochengetwa uye inoitwa nenzira iyo yavakagadzirwa, uye kana mutemo ukabvisa mutemo wekare, wekupedzisira mutemo muhurongwa unogara uchishandiswa.

Firewall Mitemo.

Muzhinji, firewalls zvinowanzo shanda munzira mbiri:

  1. Rega traffic dzese kunze, kana
  2. Usatendere chero traffic kunze ...

Kuti ushandise marongero, shandisa IPTABLES - P CHITSAUKO CHETE

Iko tambo inomiririra mhando yetraffic (INPUT, OUTPUT, MBERI, POSTROUTING ...) uye chiito chiri DROP KANA KUTI BVUMA.

Ngatitarisei pamuenzaniso.

Screenshot kubva 2014-09-30 18:53:23

Pano tinoona kuti pakutanga ini ndakakwanisa ping, ipapo ini ndakaudza IPTABLES kuti yese OUTPUT traffic yaive DROP kana isingatenderwe. Ipapo ini ndakaudza IPTABLES kuti igamuchire.

Kana tichizovaka firewall kubva pakutanga tinofanirwa kugara tichishandisa mitemo ye (Usatendere chero traffic kunze kwe ... Kune izvi isu tinoshandisa mirau

iptables -P INPUT DROP iptables -P OUTPUT DROP iptables -P YEMAHARA DROP
Kana aya marongero akashanda, ivo havazove nechero mhando yekubatana
.

Kudzoka tinonyora zvakafanana uye kutsiva DROP ne ACCEPT.

Panguva ino, sezvo traffic dzese dzakarambwa, isu tinotanga kutaurira edu IPTABLES kuti ndeipi traffic yaingave nayo.

Iyo syntax ndeiyi:

iptables -A cadena -s ip_orgigen -d ip_destino -p protocolo --dport puerto -j acción

Donde:

Tambo = INPUT, OUTPUT kana kumberi

mavambo_ip = Mavambo emapaketi, iyi inogona kuve imwechete IP kana network uye mune iyi kesi tinofanirwa kudoma mask).

pinduko_ip = kuri kuenda mapaketi. iyi inogona kuve imwechete IP kana network uye mune iyi kesi tinofanirwa kudoma mask).

protocol = inoratidza protocol inoshandiswa nemapaketi (icmp, tcp, udp ...)

chiteshi = kwekuenda chiteshi che traffic.

chiito = Donhedza kana Bvuma.

Muenzaniso:

Screenshot kubva 2014-09-30 19:26:41

YOSE mitemo inorambidzwa inoshanda.

Screenshot kubva 2014-09-30 19:27:42

Ipapo isu tinowedzera iyo mitemo kuti tikwanise kuve nemigwagwa kuburikidza nechiteshi 80 HTTP uye 443 HTTPS, ine TCP protocol. Wobva waisa port 53 Inoshandisirwa mutengi weDNS kugadzirisa madomeni, zvikasadaro haufambe. Izvi zvinoshanda ne udp protocol.

Mutsara:

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Imhaka yezvinotevera: Paunoita chikumbiro cheHTTP semuenzaniso, unobatana kune chiteshi 80 cheseva, asi sevha yekudzosa ruzivo inoda kubatana newe kuburikidza nechero chiteshi. (Kazhinji yakakura kupfuura 1024).

Sezvo madoko edu ese akavharwa izvi hazvigoneke kunze kwekunge isu tavhura zviteshi zvese zvakakwirira kupfuura 1024 (Pfungwa yakaipa). Izvo zvinotaurwa izvi ndezvekuti zvese zvinouya traffic zvinouya kubva mukubatana kwandazvisimbisa pachangu zvinogamuchirwa. Ndiri kureva, kubatana uko musimboti wandakatanga.

Paunenge uchiisa OUTPUT mumitemo, izvi zvinongoshanda chete kumidziyo iri kubvunzwa, kana tiri kushandisa michina yedu se router kubvumira izvi kubatana, tinofanirwa kushandura OUTPUT kuenda kumberi. Sezvo traffic inopfuura nepakombuta asi haina kutangwa nayo
Yese mitemo iyi inobviswa mushure mekutanga zvekare, saka unofanirwa kugadzira zvinyorwa kuitira kuti vatange nekutadza. Asi isu tichaona izvi mune inotevera

Ndinovimba waifarira ruzivo urwu. Mune inotevera ini ndichataura nezve NAT, Proxy uye zvinyorwa zveFirewal.


Siya yako yekutaura

Your kero e havazobvumirwi ichibudiswa. Raida minda anozivikanwa ne *

*

*

  1. Inotarisira iyo data: Miguel Ángel Gatón
  2. Chinangwa cheiyo data: Kudzora SPAM, manejimendi manejimendi.
  3. Legitimation: Kubvuma kwako
  4. Kutaurirana kwedata
  5. Dhata yekuchengetedza: Dhatabhesi inobatwa neOccentus Networks (EU)
  6. Kodzero: Panguva ipi neipi iwe unogona kudzora, kupora uye kudzima ruzivo rwako

  1.   Rogelio pinto akadaro
    inoita 10 makore

    Ichi ndicho chikonzero chinotorwa nevamabhizimusi vazhinji kuti vagadzire yavo yavo firewall, ndosaka paine akawanda mabhenji emoto emadziro ane akadzika midzi mukati memusika, mamwe akanaka uye mamwe haana kunyanyisa.

    Pindura Rogelio Pinto
  2.   Heber akadaro
    inoita 10 makore

    Yakanaka chinyorwa. Ndinotarisira chikamu chechipiri.

    Pindura kuna Hebheri
  3.   Milton akadaro
    inoita 10 makore

    Tsananguro yakanaka kwazvo, zvakandibatsira kunzwisisa proxy yebasa rangu. Ndatenda

    Pindura Milton
  4.   faustod akadaro
    inoita 10 makore

    Mhoro Jlcmux,

    Yakanaka, ndakaifarira chaizvo, rimwe bato richawanikwa riini?

    Kwaziso nekutenda nekugovana

    Pindura faustod
    1.    @Jlcmx akadaro
      inoita 10 makore

      Ndatenda nekutaura.

      Ndakatumira chimwe chikamu nezuro, mukufamba kwezuva ndinofunga vachange vachichishambadza.

      Thanks.

      Pindura kuna @Jlcmux
  5.   Izirayeri akadaro
    inoita 10 makore

    Yakanaka kwazvo chinyorwa shamwari @ Jlcmux, ndakanyatsodzidza naye kubva paakajekesa kumwe kusahadzika kwandaive nako kwenguva, nenzira yausingafarire kugovera bhuku renyaya yechinyorwa, icho chaSébastien BOBILLIER, zvakanaka slau2s uye ikozvino ku ona chikamu chechipiri, salu2s.

    Pindura Israeri
    1.    @Jlcmx akadaro
      inoita 10 makore

      Mhoro Kutenda nekupindura Israel.

      Zvinoitika kuti ndine bhuku iri muchimiro chemuviri. Asi ini ndawana iyi link paGoogle Mabhuku. http://books.google.com.co/books?id=zxASM3ii4GYC&pg=PA356&lpg=PA356&dq=S%C3%A9bastien+BOBILLIER+Linux+%E2%80%93+Administraci%C3%B3n+del+sistema+y+explotaci%C3%B3n+de+los+servicios+de+red#v=onepage&q=

      Ndinofunga zvakakwana.

      Pindura kuna @Jlcmux
  6.   Ariel akadaro
    inoita 10 makore

    Chinyorwa chakanakisa kwazvo, ini ndinowedzera mubvunzo: Chii chingave mukana wekushandisa linux se router, kana paine chero, zvine chekuita ne Hardware yakatsaurirwa kwariri? Kana ndeyekurovedza muviri chete here? Ndoziva kune akatsaurwa distros asi ini handizive kana vachifanira kununura maPC epashure kana kupa kumwe kuchinjika mukugadzirisa.

    Pindura Ariel
    1.    @Jlcmx akadaro
      inoita 10 makore

      Zvakanaka, ini ndinofunga zvakanakira nekuipira zvinoenderana nemamiriro ezvinhu auchazoshandisa izvi. Nei zvirokwazvo usiri kuzotenga UTM kana chimwe chinhu chakadai cheimba yako? Uye pamwe kune bhizinesi diki risingakwanise kana. Izvo zvakare zvakanaka sekurovedza muviri, sezvo zvichikubatsira iwe kunzwisisa zvese zvine musoro zveizvi uye iwe unogona zvirinani kumisikidza yakazvitsaurira FWall. Kuwedzera kune izvo zvinenge zvese izvi zvishandiso chaizvo izvo zvavanazvo Embedded Linux.

      Thanks.

      Pindura kuna @Jlcmux
  7.   Ariel akadaro
    inoita 9 makore

    Mhoroi, mubvunzo, iwe unogona here kugadzira iyo "yekugadzira" interface mu linux nenzira yakafanana nzira pakati pemanethiwekhi? (packet tracer maitiro) kushanda nemuchina chaiwo? semuenzaniso kana ndine eth0 (nekuti ini ndine kadhi rimwe chete zvaro) ndinogona kugadzira eth1 kugadzira imwe network? Mudzidzisi akanaka kwazvo!

    Pindura Ariel
    1.    ichit akadaro
      inoita 9 makore

      MuLinux unogona kugadzira chaiwo maficha, hongu. Kana iwe uine eth0, unogona kuva eth0: 0, eth0: 1, eth0: 2 ... nezvimwewo

      Pindura kuna elav
  8.   chinoloco akadaro
    inoita 9 makore

    Saka zvakanaka, ndatenda nekugovana

    Pindura chinoloco