In the previous post we saw how to configure IPTables so that it works as a firewall. Now we will see how to create the scripts so that the rules are applied automatically when the system starts, and also how we can remove or stop those rules temporarily.
Before writing the script and showing you what it looks like, let's talk a little about NAT and the idea of what we want to do with these devices.
NAT and example context.
When we talk about NAT we can confuse it with routing, since both deal with connecting different networks to each other. The real difference is that routing is used to go from one local network to another, and this other network may in turn connect to a router and go out to the Internet.
Whereas when we talk about NAT, we talk about moving packets from a local or private network to a public network or the Internet. It does this by masking the packets, giving them the public IP with which they go out to the Internet. In other words, we don't need a router, because the public IP is the one assigned directly to the GNU/Linux computer.
We will work on this with the premise that we are using our Linux as a router/firewall to go out to the Internet from a local network. But here two scenarios can arise.
- That our Linux is between the service provider's router and the local network
In this case, between the router and our Linux there would be one network, and between the Linux and the local network there would be another, different network. This means our machine does not have to do NAT as such; plain routing of traffic as explained in the previous post would be fine.
- That our Linux has one interface connected to the local network and through another interface receives the public IP with which it browses
This means that our Linux has to do NAT so that the packets can reach the Internet.
For the purposes of this small laboratory, then, we will say that our Linux receives the public IP directly and can therefore test the effect of NAT.
To do NAT we then use the syntax
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
Where eth1 is the interface on which we receive the public IP, that is, the one through which we go out to the Internet.
Creating the iptables script
Let's say now: 172.26.0.0 is our network and 81.2.3.4 is the public IP with which we go out to the Internet (it is a static IP). I have the interfaces eth0 (local network) and eth1 (public network).
It basically consists of creating a script that can be invoked from /etc/init.d/firewall (for example), and from this script we can start, stop or check the status of our configuration, as we would with any daemon or service.
Let's say my IPTABLES rules ARE:
#!/bin/bash
# Firewall for my home.
# File name /etc/firewall_on
# By Jlcmux  Twitter: @Jlcmux
#
# Basic policy.
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
#
# NAT to share the Internet from eth0 out through eth1
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 81.2.3.4
#
# Allow replies to connections that were initiated by me
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# Allowed outgoing traffic
iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 443 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -p udp --dport 53 -j ACCEPT
Explanation:
The script basically does the following:
- First it blocks all incoming, outgoing and forwarded traffic. (Basic firewall policy)
- Then it sets up the NAT going out through eth1, indicating that we have the static public IP "81.2.3.4"
- Then it opens what is needed to receive the packets of connections initiated by me.
- It accepts outgoing HTTP, HTTPS and DNS traffic.
If we want to browse from our own machine we must repeat the lines, changing FORWARD to INPUT or OUTPUT as appropriate.
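An added example, not code from the original post: a small audit that checks a ruleset against what firewall_on is meant to achieve (DROP policies, source NAT on the public interface, no unrestricted FORWARD accept). It reads an iptables-save dump that is a constructed sample here, so it runs without root or iptables; the names ON_RULES, table_section and audit_rules are my own.

```shell
#!/bin/bash
# Added example (not from the original post): audit an iptables-save dump for
# what firewall_on should leave behind. Sample dump is constructed, runs offline.

# Constructed iptables-save output as firewall_on (eth0 LAN, eth1 WAN) leaves it.
ON_RULES='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth1 -j SNAT --to-source 81.2.3.4
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p udp -m udp --dport 53 -j ACCEPT
COMMIT'

# table_section DUMP TABLE: print only the lines belonging to one table.
table_section() {
  printf '%s\n' "$1" | awk -v t="*$2" '$0==t{f=1;next} /^COMMIT/{f=0} f'
}

# audit_rules DUMP WAN_IF: print one line per finding; the return value is the
# number of findings (0 means the ruleset matches the post's intent).
audit_rules() {
  local dump="$1" wan="$2" findings=0 chain filter nat
  filter=$(table_section "$dump" filter)
  nat=$(table_section "$dump" nat)
  # 1. All three filter chains must default to DROP.
  for chain in INPUT FORWARD OUTPUT; do
    if ! printf '%s\n' "$filter" | grep -q "^:$chain DROP"; then
      echo "filter $chain policy is not DROP"; findings=$((findings + 1))
    fi
  done
  # 2. Traffic leaving on the WAN side must be source-NATed (SNAT or MASQUERADE).
  if ! printf '%s\n' "$nat" | grep -Eq "^-A POSTROUTING -o $wan .*-j (SNAT|MASQUERADE)"; then
    echo "no SNAT/MASQUERADE rule in nat POSTROUTING for $wan"; findings=$((findings + 1))
  fi
  # 3. No FORWARD ACCEPT rule may lack both a port and a connection-state match.
  if printf '%s\n' "$filter" | grep '^-A FORWARD ' | grep -Ev -e '--dport|--state' | grep -q -e '-j ACCEPT'; then
    echo "FORWARD has an ACCEPT rule with no port or state restriction"; findings=$((findings + 1))
  fi
  return "$findings"
}
```

Against a live system, feed audit_rules the output of iptables-save instead of ON_RULES. The audit does not check net.ipv4.ip_forward, which the kernel also needs enabled before any FORWARD rule sees traffic.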
Cancel script.
Now we are going to create a script that undoes all of the above and leaves the computer clean of it (for testing purposes, or if we just want to turn the firewall off).
#!/bin/bash
# Firewall for my home.
# File name /etc/firewall_off
# By Jlcmux  Twitter: @Jlcmux
#
# Deleting iptables rules (the nat table is flushed too, so the SNAT rule goes away)
iptables -F
iptables -t nat -F
#
# Applying the default settings (all traffic accepted)
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
Automating.
Now we have to create the script inside /etc/init.d/ so that the service starts automatically and we can manage it freely.
#!/bin/bash
# Firewall for my home.
# File name /etc/init.d/firewall
# By Jlcmux  Twitter: @Jlcmux
case "$1" in
start)
    /etc/firewall_on
    ;;
stop)
    /etc/firewall_off
    ;;
status)
    iptables -L
    ;;
*)
    echo "Bad syntax. Usage = /etc/init.d/firewall start|stop|status"
    ;;
esac
Explanation:
This last script we place inside /etc/init.d/ with the name firewall. So when we want to manage the firewall we can use the command /etc/init.d/firewall start. In the same way we can stop it or see its status.
Now we are going to edit the file /etc/rc.local and put something like /etc/init.d/firewall start in it so that it starts with the system.
That's it. This is the second part. I hope it brings something to all of you. In the next one we will look at Proxy and IDS.
If you are using Debian there is a package in the repo (iptables-persistent) that does exactly that: it dumps the current rules into /etc/iptables/rules.v4 or v6 depending on what you use, and then applies them for you when the system boots.
In practice, to clean up a normal iptables firewall configuration (and using NAT wouldn't be the case from my point of view), usually the flush rule and resetting the chain policies to ACCEPT would be enough.
But in theory, and as far as I know, on top of that you also need to clear the non-default chains and reset the counters. The actions should be performed taking into account that in addition to "filter" there are other tables (you have to read the file "/proc/net/ip_tables_names" for this).
By the way, theory says the firewall should already be up before the network comes up. I don't know how it is done on other Linux systems, but on Debian the scripts can be adapted and placed in the directory "/etc/network/if-pre-up.d/".
Good fire to everyone. 😉
Hello, the post is very good. I read both parts.
Waiting for the next one 🙂
A question out of my ignorance: we keep going with iptables, but for several kernel versions now we have had nftables, and I have even tested it. The questions are: is nftables something beta in relation to iptables? Will iptables keep being used for a long time?
Thank you.
nftables includes all the functionality of iptables, ip6tables, arptables and ebtables, all using a new infrastructure in both kernelspace and userspace, which promises better performance and improved functionality. nftables will replace iptables and all the other tools mentioned, but not for the moment, at least until the use of nftables has spread enough.
very good post, I would have liked to read more since it is very well explained.. greetings and many thanks for the contribution
Hello! Both are excellent.
As a contribution you could add at the end of this section:
"Now we are going to edit the /etc/rc.local file and put something like: /etc/init.d/firewall start so that it starts with the system."
Add this to rc.local.
if [ -x /etc/init.d/firewall ]; then
    /etc/init.d/firewall start
fi
It means that if "firewall" has execute permission, run it; otherwise, don't.
If you want "firewall" not to start, you just have to remove the permission.
For example: chmod +x /etc/init.d/firewall
to make it run on every startup, or...
chmod -x /etc/init.d/firewall
to disable it completely.
Thank you!