Kuchengetedza network yako neIptable - Proxy - NAT - IDS: CHIKAMU 2

In the past post Isu takaona kumisikidzwa kweIPTables kuti ishande seFirewall. Iye zvino tava kuona maitiro ekugadzira iwo magwaro kuitira kuti mitemo iitwe otomatiki kana sisitimu yatanga, uyezve nemabatiro atingaite kubvisa kana kumisa iwo mirawo kwekanguva.

Tisati taita script nekukuratidza kuti zvinotaridzika sei, ngatitaurei zvishoma nezveNAT uye pfungwa yezvatinoda kuita nemidziyo iyi.

NAT uye Context yemuenzaniso.

Kana tichitaura nezveNAT, tinogona kuvhiringidza izvi nekutenderera, nekuti vese vari vaviri vari mukutungamira kwekubatanidza netiweki dzakasiyana dzakasiyana kune imwe neimwe. Musiyano chaiwo ndewekuti nzira inoshandiswa kuisa kubva kune imwe netiweki yemuno kuenda kune imwe uye iyi imwe netiweki inogona kubatanidza kune router uye kubuda kuenda kuInternet.

Ipo, kana isu tichitaura nezveNAT, tinotaura nezvekufambisa mapaketi kubva kunetiweki yemuno kana yakavanzika kunetiweki yeruzhinji kana neInternet. Inoita izvi nekuvhara mapakeji nekuisa yeruzhinji IP iyo iyo iyo inoenda kuInternet. Mune mamwe mazwi, isu hatidi rauta, nekuti yeruzhinji IP ndeyayo yakanangana nekombuta yeGNU / Linux.

nat

Tichashanda izvi nesirogani yatiri kushandisa Linux yedu se router / firewall kuenda kuInternet kubva kunetiweki yemuno Asi pano zviitiko zviviri zvinogona kuoneka.

  • Kuti yedu Linux iri pakati peiyo router yeanopa sevhisi uye yemuno network

Mune ino kesi, pakati penzira neLinux yedu paizove netiweki, uye pakati peLinux netiweki yemuno paizova neimwe netiweki yakasiyana. Izvi zvinoreva kuti router yedu haifanire kuita NAT seakadaro, ine yakapusa traffic traffic sekutsanangurwa kwazviri past post Zvingave zvakanaka.

  • Kuti Linux yedu ine chinongedzo chakabatana neinetiweki yemuno uye kuburikidza neiyo imwe interface inogamuchira yakananga IP yeruzhinji yainofamba nayo

Izvi zvinoreva kuti Linux yedu inofanira kuita NAT kuitira kuti mapakeji akwanise kusvika paInternet.

Nezve zvinangwa zveiri diki murabhoritari ipapo, isu tichati Linux yedu inogamuchira yeruzhinji IP yakananga uye nekudaro inokwanisa kuyedza mhedzisiro yeNAT.

Kuita NAT isu tinobva tashandisa syntax

 iptables -t nat -A KUSVIRA -O eth1 -j MASQUERADE

Iko eth1 ndiyo inowanikwa patinogashira yeruzhinji ip, ndiko kuti, kwatinoenda kuInternet.

MASQUERADE inoshandiswa kana ip iri yeruzhinji asi inogona kusiyana nekufamba kwenguva (simba). Zvikasadaro tinogona kushandisa SNAT -to-source ip

Kugadzira iptables script

Ngatitii izvozvi: 172.26.0.0 ndeyedu network uye 81.2.3.4 ndiyo yeruzhinji IP yatinoenda nayo kuInternet. (iri yakamira ip). Ndine maumbirwo eth0 (Yemunharaunda network)

eth1 (Veruzhinji network).

Chaizvoizvo inosanganisira kugadzira script inogona kudaidzwa kubva ku /etc/init.d/firestop (semuenzaniso). uye kubva pachinyorwa ichi tinogona kutanga, kumira kana kutarisa mamiriro ekugadzirisa kwedu, sezvatinoita nechero daemon yemaitiro.

Ngatiti yangu IPTABLES mitemo NDI:

#! / bin / bash # Firewall yemumba mangu. # File zita / nezvimwe / firewall_on # NaJlcmux Twitter: @Jlcmux # # Basic policy. iptables -P INPOUT DROP iptables -P OUTPUT DROP iptables -P YEMAHARA DROP # #NAT yekugovana Internet kubva eth0 kusvika eth1 iptables -t nat -A KUSVIRA -O eth1 -j SNAT --to-sosi 81.2.3.4
# # Bvumira zvinopinda zvinosangana zvakatangwa neangu iptables -A YEMAHARA -m mamiriro --state YAKASIMBISWA, RELATED -j BATSIRA # # Mvumo inobuda inobuda iptables -A MBERI -i eth0 -o eth1 -p tcp -dport 80 -j Bvuma iptables -A KUSVIRA -i eth0 -o eth1 -p tcp -dport 443 -j Bvuma iptables -A PAMUSORO -i eth0 -o eth1 -p udp -dport 53 -j Bvuma
Ngatirege kukanganwa kupa mvumo yekuuraya

Tsananguro:

Iyo script inonyanya kuita zvinotevera:

  1. Kutanga kudzora kwese kufamba, kubatana uye traffic. (Basic Firewall Maitiro)
  2. Wobva wagadzira iyo NAT pamwe nekuenda eth1. zvichiratidza kuti tine static yeruzhinji ip "81.2.3.4"
  3. Ino vhura iwo madoko anodiwa kuti ugamuchire mapakeji ekubatanidza atangwa neni.
  4. Inogamuchira yakabuda HTTP, HTTPS, uye DNS traffic.
Mitemo yakatemerwa FORWARD traffic nekuti tiri kushandisa Linux yedu seRouter, saka marongero acho anoshandiswa traffic iyo inopfuura kuburikidza neLinux, ndiko kuti, inoshanda seyopindirana. Izvi zvinoreva kuti Linux yedu haigone kufamba kana kugamuchira chero dhata zvakananga. Izvo zvinongoshanda chete kumakomputa akabatana pairi, asi kwete kune iyo yega

Kana tichida kushandisa michina yedu kufamba tinofanirwa kudzokorora mitsara uye nekushandura MBERI kuenda INPUT kana OUTPUT zvakakodzera.

Kanzura script.

Iye zvino tave kuzogadzira script inodarika zvese zviri pamusoro uye ichisiya komputa yakachena pane zvese izvi. (Nezvinangwa zvekuyedza kana isu tinongoda kudzima firewall).

#! / bin / bash # Firewall yemumba mangu. # File zita / nezvimwe / firewall_off # NaJlcmux Twitter: @Jlcmux # #Deleting iptables Mitemo -F # #Kushandisa zvisizvo marongero (traffic dzese dzakagamuchirwa) iptables -P KUSVIRA Bvuma iptables -P ZVINOGONESESA Gamuchira iptables -P PASI PASI BATSIRA

Otomatiki.

Iye zvino isu tinofanirwa kugadzira iyo script mukati /etc/init.d/ uye sevhisi inotanga otomatiki uye isu tinogona kuibata nenzira yakasununguka.

#! / bin / bash # Firewall yemumba mangu. # File zita /etc/init.d/ firewall # NaJlcmux Twitter: @Jlcmux kesi $ 1 mukutanga) / etc / firewall_on ;; mira) / etc / firewall_off ;; chimiro) iptables -L ;; *) echo "Yakaipa syntax. Inoshanda = /etc/init.d/ firewall kutanga | mira | chimiro ;; esac

Tsananguro:

Iyi yekupedzisira script isu takaisa mukati /etc/init.d/ rine zita firewall. Saka kana isu tichida kubata iyo firewall tinogona kushandisa rairo /etc/init.d/ firewall kutanga. Nenzira imwecheteyo isu tinogona kuimisa kana kuona nyika.

Iye zvino tava kuzogadzirisa iyo faira /etc/rc.local uye isu takaisa chakadai. /etc/init.d/ firewall kutanga kutanga nehurongwa.

Naizvo. Ichi chikamu chechipiri. Ndinovimba inounza chimwe chinhu kunemi mese. In inotevera tinoona Proxy uye IDS.


Izvo zviri muchinyorwa zvinoomerera pamisimboti yedu ye tsika dzekunyora. Kuti utaure chikanganiso tinya pano.

Makomendi gumi, siya zvako

Siya yako yekutaura

Your kero e havazobvumirwi ichibudiswa.

*

*

  1. Inotarisira iyo data: Miguel Ángel Gatón
  2. Chinangwa cheiyo data: Kudzora SPAM, manejimendi manejimendi.
  3. Legitimation: Kubvuma kwako
  4. Kutaurirana kwedata
  5. Dhata yekuchengetedza: Dhatabhesi inobatwa neOccentus Networks (EU)
  6. Kodzero: Panguva ipi neipi iwe unogona kudzora, kupora uye kudzima ruzivo rwako

  1.   dhunter akadaro

    Kana iwe urikushandisa Debian pane pasuru mune repo (iptables-inopfuurira) inoita chaizvo izvo, inokanda iyo yazvino mitemo mu /etc/iptables/rules.v4 kana v6 zvinoenderana nezvaunoshandisa wozoishandisa kwauri paunosimudza hurongwa.

  2.   ocz akadaro

    Mukuita, kuchenesa yakajairika iptables firewall yekumisikidza (uye kushandisa NAT kwaisazove kwakadaro kubva pakuona kwangu), kazhinji kacho mutemo unobhururuka uye kumisazve marongero emitemo ku ACCEPT zvaizokwana.
    Asi mune dzidziso, uye sekuziva kwangu, pamusoro peizvi iwe unodawo kujekesa tambo dzisiri-dzekumisikidza uye kumisazve ma counters. Zviito zvinofanirwa kuitwa uchifunga kuti kuwedzera kune "firita" kune mamwe matafura, (zvinosungirwa kuverenga iyo faira "/ proc / net / ip_tables_names" yeizvi).

    Nenzira, dzidziso inotaura kuti firewall inofanirwa kunge yatove isati yasvika network. Ini handizive kuti inoitwa sei mune mamwe maLinux masisitimu, asi mune maDebian iwo script anogona kuchinjika uye kuiswa mudhairekitori "/etc/network/if-pre-up.d/".

    Kunaka moto wese munhu. 😉

  3.   NauTiluS akadaro

    Mhoroi, iyo posvo yakanaka kwazvo. Ndakaverenga ese maviri mavhoriyamu.

    Kumirira rinotevera 🙂

  4.   anonymous akadaro

    Mubvunzo kubva mukusaziva kwangu, isu tinoenderera mberi nema iptables, asi kune akati wandei kernel vhezheni isu tine nftables, ini ndave kutoyedza, mibvunzo ndeiyi, ndeye nftables chimwe chinhu beta zvine chekuita ne iptables? Ko iptables inoenderera ichishandiswa kwenguva yakareba?

    Ndinokutendai.

    1.    yukiteru akadaro

      nftables inosanganisira ese mashandiro eptables, ip6tables, arptable uye ebtables, ese achishandisa chivakwa chitsva mune zvese kernelspace uye nzvimbo yekushandisa, iyo inovimbisa kuita kuri nani uye nekuvandudza mashandiro. nftables ichatsiva iptables uye ese mamwe maturusi ataurwa asi kwete kwenguva iripo, zvirinani kusvika pave nekupararira kwekushandiswa kwe nftables kwakadaro.

  5.   Alejandro akadaro

    yakanaka kwazvo posvo, ini ndaida kuverenga zvimwe sezvo zvakanyatsotsanangurwa .. kwaziso nekutenda kukuru mupiro

  6.   Avrah akadaro

    Mhoro! Zvakanakisa zvese zviri zviviri.
    Semupiro iwe unogona kuwedzera kusvika kumagumo muchikamu chino:

    "Iye zvino tichagadzirisa iyo /etc/rc.local faira ndokuisa chimwe chakadai: /etc/init.d/firestop tanga kuti itange nehurongwa."

    Wedzera izvi ku rc.local.

    kana [-x /etc/init.d/ firewall]; ipapo
    /etc/init.d/ firewall kutanga
    fi

    Zvinoreva kuti kana "firewall" iine mvumo yekuuraya, chiite, kana zvisiri.
    Kana iwe uchida kuti "firewall" isatange, iwe unongofanirwa kubvisa mvumo.

    Semuenzaniso: chmod + x /etc/init.d/ firewall
    kuti iite kuti imhanye pane yega yega yekutanga kana ...
    chmod -x /etc/init.d/ firewall
    kuidzima zvachose.

    Ndinokutendai!