Umlilo: iiptables zabantu (iArch)

Okokuqala, onke amakhredithi aya kuwo @YukiteruAmano, kuba esi sithuba sisekwe kwi- tutorial uthumele kwiforum. Umahluko kukuba ndiza kugxila kuyo igophe, nangona kunokwenzeka ukuba isebenzela ezinye i-distros esekwe kwi inkqubo.

Yintoni iFirehol?

Umlilo, sisicelo esincinci esisinceda ukuba siphathe i-firewall edityaniswe kwikernel nakwisixhobo sayo iptables. I-Firehol, ayinalo ujongano lomzobo, lonke uqwalaselo kufuneka lwenziwe ngeefayile zombhalo, kodwa ngaphandle koku, ubumbeko luselula kubasebenzisi be-novice, okanye lunamandla kwabo bafuna iindlela eziphambili. Konke okwenziwa nguFirehol, kukwenza kube lula ukuyilwa kwemithetho ye-iptable kangangoko kunokwenzeka kunye nokwenza ukuba kubekho i-firewall elungileyo kwinkqubo yethu.

Ukufakwa kunye noqwalaselo

Umlilo awukho kwiindawo zokugcina ezisemthethweni zeArch, ke siza kubhekisa kuwo AUR.

yaourt -S firehol
Emva koko siya kwifayile yoqwalaselo.

sudo nano /etc/firehol/firehol.conf

Kwaye sidibanisa imigaqo apho, onokuyisebenzisa estas.

Qhubeka nokwenza iFirehol isiqalo ngasinye. Intle elula ngenkqubo.

sudo systemctl enable firehol

Saqala iFirehol.

sudo systemctl start firehol

Okokugqibela siyaqinisekisa ukuba imigaqo ye-iptables yenziwe kwaye yalayishwa ngokuchanekileyo.

sudo iptables -L

Khubaza i-IPv6

Njengoko umlilo awuphathi ip6i kwaye kuba uninzi lonxibelelwano lwethu alunankxaso IPv6, Ingcebiso yam kukuyikhubaza.

En igophe sidibanisa ipv6.disable = 1 kumgca we-kernel kwi / etc / default / grub file


...
GRUB_DISTRIBUTOR="Arch"
GRUB_CMDLINE_LINUX_DEFAULT="rw ipv6.disable=1"
GRUB_CMDLINE_LINUX=""
...

Ngoku siyihlaziya igrub.cfg:

sudo grub-mkconfig -o /boot/grub/grub.cfg

En Debian kwanele nge:

sudo echo net.ipv6.conf.all.disable_ipv6=1 > /etc/sysctl.d/disableipv6.conf


Umxholo wenqaku uyabambelela kwimigaqo yethu imigaqo yokuziphatha yokuhlela. Ukuxela impazamo cofa apha.

Izimvo ezi-26, shiya ezakho

Shiya uluvo lwakho

Idilesi yakho ye email aziyi kupapashwa. ezidingekayo ziphawulwe *

*

*

  1. Uxanduva lwedatha: UMiguel Ángel Gatón
  2. Injongo yedatha: Ulawulo lwe-SPAM, ulawulo lwezimvo.
  3. Umthetho: Imvume yakho
  4. Unxibelelwano lwedatha: Idatha ayizukuhanjiswa kubantu besithathu ngaphandle koxanduva lomthetho.
  5. Ukugcinwa kweenkcukacha
  6. Amalungelo: Ngalo naliphi na ixesha unganciphisa, uphinde uphinde ucime ulwazi lwakho.

  1.   Felipe sitsho

    Andiqondi. Ngaba ulandela isifundo kwaye sele unayo i-Firewall esebenzayo kwaye uvale lonke unxibelelwano? Enye into Isifundo seArch sinzima umzekelo andikaze ndisebenzise iSudo okanye iourour Firewall. Nangona kunjalo iyaqondwa. Okanye mhlawumbi umntu omtsha ubhala i-yogurt kwaye uya kufumana impazamo. KwiManjaro ichanekile ngakumbi.

    1.    yukiteru sitsho

      Njengoko usitsho @felipe, ulandela isifundo kwaye ubeke /etc/firehol/firehol.conf fayile imigaqo enikezwe ngu @cookie kwindawo yokuncamathisela, uya kuba sele une-firewall elula yokukhusela inkqubo kwinqanaba elisisiseko. Oluqwalaselo lusebenza kuyo yonke i-distro apho unokubeka khona iFirehol, ngokungafaniyo nendawo nganye ephatha iinkonzo zayo ngeendlela ezahlukeneyo (iDebian nge-sysvinit, iArch ene-systemd) kunye nofakelo, wonke umntu uyazi into anayo, kwiArch kufuneka Sebenzisa i-AUR kunye ne-yaourt repos, kwi-Debian ezisemthethweni zanele, kwaye ke kwezinye ezininzi, kuya kufuneka ukhangele kancinane kwii-repositories kwaye uhlengahlengise umyalelo wokufaka.

  2.   ci sitsho

    Enkosi, ndiyayiqaphela.

  3.   Lungiselela sitsho

    Yonke into intle kakhulu ... kodwa eyona nto ibalulekileyo ilahlekile; Kuya kufuneka uchaze ukuba yenziwe njani imigaqo !!, ukuba zithetha ntoni, uyenza njani emitsha ... Ukuba ayichazwanga, into oyibekayo ayisebenzi kangako: - /

    1.    yukiteru sitsho

      Ukudala imigaqo emitsha kulula, uxwebhu lomlilo lucacile kwaye luchanekile ngokwemiqathango yokudala imigaqo yesiko, ke ukufunda kancinci kuya kwenza kube lula kuwe ukuba uzilungiselele kwaye uzilungelelanise neemfuno zakho.

      Ndicinga ukuba isizathu sokuqala se @cookie seposi njengam kwiforum, yayikukunika abasebenzisi kunye nabafundi isixhobo esivumela ukuba banike iikhompyuter zabo ukhuseleko olungakumbi, konke kwinqanaba elisisiseko. Eminye ishiywe kukuhamba ukuze uvumelane neemfuno zakho.

    2.    Cookie sitsho

      Ukuba ufunda ikhonkco kwisifundo iYukiteru uyakuqonda ukuba injongo kukwazisa isicelo kunye noqwalaselo lwesiseko somlilo. Ndacacisa ukuba iposti yam ikopi kuphela egxile kwiArch.

  4.   UMaacub sitsho

    Kwaye le yeyabantu '? o_O
    Zama iGufw kwiArch: https://aur.archlinux.org/packages/gufw/ >> Cofa kwiMeko. Okanye ufw ukuba ukhetha i-terminal: Sudo ufw vumela

    Sele ukhuselekile ukuba ungumsebenzisi oqhelekileyo. Oko kukuthi 'ngabantu'

    1.    iyeva sitsho

      I-Firehol ngokwenyani isiphelo esingaphambili se-IPTables kwaye ukuba siyithelekisa neyokugqibela, yeyomntu 😀

    2.    yukiteru sitsho

      Ndithathela ingqalelo ufw (IGufw sisinxibelelanisi sayo) njengokhetho olubi malunga nokhuseleko. Isizathu: kwimithetho engaphezulu yokhuseleko endiyibhalileyo kwi-ufw, andinakukuthintela ukuba kuvavanyo lwe-firewall yam zombini kwiWebhu kunye nezo ndizenzileyo ndisebenzisa i-nmap, iinkonzo ezinje nge-avahi-daemon kunye ne-exim4 ziya kuvela zivulekile, kwaye kuphela Uhlaselo lwe "stealth" lwalwanele ukwazi ezona mpawu zincinci zenkqubo yam, i-kernel kunye neenkonzo ezibalekayo, into engazange yenzeke kum ndisebenzisa umlilo okanye i-firewall ye-arno.

      1.    Umngcipheko sitsho

        Ewe, andazi ngawe, kodwa njengoko ndibhalile ngasentla, ndisebenzisa uXubuntu kwaye i-firewall yam ihamba ne-GUFW kwaye ndaziphumelela ZONKE iimvavanyo zekhonkco ezibekwe ngumbhali ngaphandle kwengxaki. Yonke into. Akukho nto ivulekileyo. Ke kumava am ufw (kwaye ke gufw) ndenza ngokumangalisayo. Andigxeki ekusebenziseni ezinye iindlela zolawulo lwe-firewall, kodwa i-gufw isebenza ngokungagungqiyo kwaye inika iziphumo ezikhuselekileyo.

        Ukuba unayo nayiphi na imvavanyo ocinga ukuba inokubaphosa emngciphekweni kwinkqubo yam, ndixelele ukuba ziyintoni kwaye ndiya kubavuyela apha kwaye ndikwazise iziphumo.

        1.    yukiteru sitsho

          Apha ngezantsi ndibeka into ngesihloko se-ufw, apho ndithi impazamo endiyibonileyo ngo-2008, ndisebenzisa Ubuntu 8.04 Hardy Heron. Yintoni esele bayilungisile? Eyona nto inokwenzeka kukuba kunjalo, akukho sizathu sakhathazeka, kodwa nangona kunjalo, oko akuthethi ukuba ibug yayikhona kwaye ndingayibonisa, nangona yayingeyonto imbi ukufa, ndayeka iidemon avahi-daemon kunye ne-exim4, kwaye ingxaki sele isonjululwe. Into ebaluleke kunazo zonke kukuba kuphela ezo nkqubo zimbini zinengxaki.

          Ndikhankanye inyani njenge-anecdote yobuqu, kwaye ndacinga ngendlela efanayo xa ndisithi: «ndicinga ...»

          Ukubulisa 🙂

    3.    Umngcipheko sitsho

      +1

  5.   iingxowa sitsho

    @Yukiteru: Ngaba uyizamile kwikhompyuter yakho? Ukuba ujonge kwi-PC yakho, kuyinto eqhelekileyo ukuba ungafikelela kwizibuko lenkonzo ye-X, kuba ukugcwala kwabantu kuvaliwe yile yenethiwekhi, hayi eyasekhaya:
    http://www.ubuntu-es.org/node/140650#.UgJZ3cUyYZg
    https://answers.launchpad.net/gui-ufw/+question/194272

    Ukuba akunjalo, nceda unike ingxelo ngegciwane
    Ukubulisa 🙂

    1.    yukiteru sitsho

      Ukusuka kwenye ikhompyuter usebenzisa inethiwekhi ye-Lan kwimeko ye-nmap, nange-Web usebenzisa eli phepha https://www.grc.com/x/ne.dll?bh0bkyd2Sebenzisa ukhetho lwamazibuko esiko, bobabini bavumile ukuba i-avahi kunye ne-exim4 bemamele kumnatha nangona i-ufw ibinokuthintela ukuvimba kwabo.

      Ndisombulule loo nkcukacha incinci ye-avahi-daemon kunye ne-exim4 ngokumane ndikhubaza iinkonzo kwaye yiyo ... khange ndixele bug emva koko, kwaye ndicinga ukuba akukho ngqiqweni ukuyenza ngoku, kuba ibibuyile Ngo-2008, usebenzisa i-Hardy.

      1.    Umngcipheko sitsho

        U-2008 wayeneminyaka emi-5 eyadlulayo; ukusuka kwiHardy Heron ukuya kwiRaring Ringtail kukho i-10 * buntus. Oluvavanyo lunye kwi-Xubuntu yam, eyenziwe izolo kwaye iphindaphindwe namhlanje (Agasti 2013) inika ukugqibelela kuyo yonke into. Kwaye ndisebenzisa i-UFW kuphela.

        Ndiyaphinda: Ngaba unalo naluphi na uvavanyo olongezelelweyo oza kulwenza? Ngovuyo ndiyayenza kwaye ndinika ingxelo yoko kuphuma kweli cala.

        1.    yukiteru sitsho

          Yenza i-SYN kunye ne-IDLE yokukhangela kwi-PC yakho usebenzisa i-nmap, eya kukunika umbono wokuba ikhuseleke kangakanani inkqubo yakho.

          1.    Umngcipheko sitsho

            Indoda ye-nmap inemigca engaphezulu kwama-3000. Ukuba undinika imiyalelo yokuphumeza ngovuyo, ndiza kuyenza kwaye ndiza kunika ingxelo ngeziphumo.

          2.    yukiteru sitsho

            Hmm bendingazi malunga nephepha le-3000 lamadoda le-nmap. kodwa i-zenmap iluncedo ekwenzeni into endikuxelela yona, ngumphambili womzobo we-nmap, kodwa nangoku ukhetho lwe-SYN scan nge-nmap yi -sS, ngelixa ukhetho lokukhangela ungasebenzi lungu -s, kodwa owona myalelo Ndiza kuba.

            Yenza iskena esivela komnye umatshini esalatha kwi-ip yomatshini wakho ngobuntu, ungayenzi eyakho ipc, kuba ayisebenzi njalo.

          3.    yukiteru sitsho

            HLEKA KAKHULU!! Impazamo yam malunga namaphepha angama-3000, xa yayiyimigca 😛

  6.   UJeus Israel Perales Martinez sitsho

    Andazi kodwa ndicinga ukuba i-GUI yento kwi-GNU / Linux yokulawula i-firewall iya kuba yinto enengqiqo kwaye ungashiyi yonke into engatyhilwanga njengakwi-ubuntu okanye yonke into egutyungelwe njenge-fedora, kufanelekile ukuba ulunge xD, okanye into yokumisela ezinye iindlela zokubulala xD hjahjahjaja Kuncinci ukulwa nam nabo kunye ne-jdk evulekileyo kodwa nangona kunjalo kuya kufuneka ugcine umgaqo wokumanga

  7.   Mauricio sitsho

    Ndiyabulela kuko konke ukukhubeka okwenzeke kwixa elidlulileyo ngee-iptables, namhlanje ndiyakwazi ukuqonda i-niverl eluhlaza, oko kukuthi, thetha ngqo kuye njengoko ivela kumzi-mveliso.

    Kwaye ayisiyonto inzima, kulula kakhulu ukuyifunda.

    Ukuba umbhali weposti uyandivumela, ndiza kuthumela ngaphandle isicatshulwa somlilo endisisebenzisayo ngoku.

    Imigaqo # # yokucoca
    iiptables -F
    iiptables -X
    iiptables -Z
    iiptables -t nat -F

    # # Cwangcisa umgaqo-nkqubo osisiseko: I-DROP
    iptables -P Igalelo lokwenza
    iptables -P ISIPHUMO SOKUQHUBA
    iptables -P PHAMBILI NGOKUXELAYO

    # Sebenza kwindawo yasekhaya ngaphandle kwemida
    iptables -IGALELO -i lo -j YAMKELA
    iptables -ISIPHUMO -o lo -j YAMKELA

    # Vumela umatshini ukuba uye kwiwebhu
    iptables -I-INPUT -p tcp -m tcp -sport 80 -m conntrack -ctstate RELATED, ESTABLISHED -j YAMKELA
    iptables -I-OUTPUT -p tcp -m tcp-ingxelo 80 -j YAMKELA

    # Sele ikhusele iwebhusayithi
    iptables -I-INPUT -p tcp -m tcp -sport 443 -m conntrack -ctstate RELATED, ESTABLISHED -j YAMKELA
    iptables -I-OUTPUT -p tcp -m tcp-ingxelo 443 -j YAMKELA

    # Vumela ukuphuma ngaphakathi ngaphakathi
    iptables -ISIPHUMO -p icmp -icmp-uhlobo echo-sicelo -j YAMKELE
    iptables -I-INPUT -p icmp -icmp-uhlobo echo-phendula -j YAMKELA

    # Ukukhuselwa kwe-SSH

    #ifakwa -I-INPUT -p tcp -nika ingxelo 22 -m ukubuyela umva- indawo emitsha -m ukunciphisa -imitha engama-30 / ngomzuzu -ukuqhawuka -ku-5 -m ukuphawula -ukuphawula "i-SSH-kick" -j YAMKELA
    #iptables -A INPUT -p tcp -m tcp -dport 22 -j LOG -log-prefix "SSH ACCESS ATTEMPT:" -log-level 4
    #iptables -I-INPUT -p tcp -m tcp-ingxelo 22 -j DROP

    # Imigaqo yesirhubhe ukuvumela unxibelelwano oluphumayo nolungenayo kwizibuko
    iptables -I-INPUT -p tcp -m tcp -dport 16420 -m conntrack –ctstate NEW -m izimvo- ingxelo "aMule" -j YAMKELA
    iptables -I-OUTPUT -p tcp -m tcp -sport 16420 -m conntrack -ctstate RELATED, ESTABLISHED -m comment -comment "aMule" -j YAMKELA
    iptables -I-INPUT -p udp -dport 9995 -m izimvo -i-comment "aMule" -j YAMKELA
    iptables -ISIPHUMO -p udp -sport 9995 -j YAMKELA
    iptables -I-INPUT -p udp-ingxelo 16423 -j YAMKELA
    iptables -ISIPHUMO -p udp -sport 16423 -j YAMKELA

    Ngoku inkcazo encinci. Njengoko ubona, kukho imigaqo kunye nomgaqo-nkqubo we-DROP ongagqibekanga, akukho nto ishiya kwaye ingena kwiqela ngaphandle kokukuxelela.

    Emva koko, iziseko zidlulisiwe, i-localhost kunye nokukhangela kwinethiwekhi yenethiwekhi.

    Uyabona ukuba kukho imigaqo ye-ssh kunye ne-amule. Ukuba bajongeka kakuhle ukuba benziwe njani, banokwenza eminye imigaqo abayifunayo.

    Icebo kukubona ubume bemigaqo kwaye usebenzise uhlobo oluthile lwezibuko okanye umthetho olandelwayo, nokuba yi-udp okanye i-tcp.

    Ndiyathemba ukuba ungayiqonda le nto ndiyithumele apha.

    1.    Cookie sitsho

      Kuya kufuneka wenze iposti uyichaze 😉 ingalunga.

  8.   @Kwizinto sitsho

    Ndinombuzo. Kwimeko apho ufuna ukwala uxhulumaniso lwe-http kunye nee-https ndibeke:

    umncedisi "http https" yehla?

    Kwaye nayiphi na inkonzo?

    Gracias