Xa u -Linux wayeneenyanga ezimbalwa ubudala ndabhala into elula kakhulu yokuqonda isifundo kwi-iptables: iptables zee-newbies, ezinomdla, ezinomdla (inxalenye yokuqala) . Sebenzisa izikweko njengokuthelekisa ikhompyuter yethu kunye nendlu yethu, i-firewall yethu kunye nomnyango wendlu, kunye neminye imizekelo, ndacacisa ngendlela eyonwabisayo, ngaphandle kobuchwephesha obuninzi okanye iikhonsepthi ezinzima, yintoni i-firewall, yintoni iptables kunye nendlela yokuqalisa ukuyisebenzisa kunye qwalasela. Oku kukuqhubekeka, icandelo lesi-2 lesifundo sokuqala se-iptables
Kuyenzeka ukuba kwiintsuku ezimbalwa ezidlulileyo ndisebenzisa i-Linksys AP (Indawo yokuFikelela) ndibeke iWifi ekhayeni lentombi yam, nangona indawo leyo ingeyona inolwazi kwezobuchwephesha, oko kukuthi, ayisiyiyo into yokuba kukho iingozi ezininzi zokuqhekeka, kuhlala kunjalo Uluvo olulungileyo lokuba nokhuseleko olugqwesileyo kwiWifi nakwiikhompyuter.
Andizukubeka ingxelo kukhuseleko lweWifi apha, njengoko ingesosizathu seposi, ndiza kugxila kulungiselelo lwe-iptables endizisebenzisa ngoku kwilaptop yam.
Kwiposi yangaphambili bendichazile ukuba kufanelekile kwi-firewall ukukhanyela kuqala zonke izithuthi ezingenayo, ngenxa yoku:
sudo iptables -P INPUT DROP
Emva koko kufuneka sivumele ikhompyuter yethu ukuba ibe nemvume yokufaka idatha:
sudo iptables -A INPUT -i lo -j ACCEPT
Kananjalo nokwamkela iipakethi zezicelo ezivela kwikhompyuter yethu:
sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Ukuza kuthi ga ngoku ikhompyuter yethu inokuhamba kwi-intanethi ngaphandle kweengxaki, kodwa akukho mntu uvela nakweyiphi na enye indawo (i-LAN, intanethi, iWifi, njl.njl.) Uya kuba nakho ukufikelela kwikhompyuter yethu nangayiphi na indlela. Siza kuqala ukumisela ii-iptable ngokweemfuno zethu.
Index
Sebenzisa i-ulogd ukukhupha ii-iptable logs kwenye ifayile:
Ngokuzenzekelayo ii-iptables logs zingena kwilog kernel, inkqubo yenkqubo, okanye into enjalo ... kwiArch ngokungagqibekanga, ngoku andikhumbuli nokuba bayaphi, yiyo loo nto ndisebenzisa ulogd ukwenzela ukuba ii-iptable logs zikwenye ifayile.
sudo iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j ULOG
Ukunika ukufikelela kwiseva yam yabucala:
Andisebenzisi iVirtualBox okanye nantoni na efana nokwenza ubuchule, ndineseva yabucala endiyisebenzisileyo Qemu + KVM ekufuneka ikwazi ukuqhagamshela kwilaptop yam ngolu hlobo, kunye nemithetho ye-iptables endiyichazileyo ngentla apha ayizokwazi, yiyo loo nto kufuneka ndinike imvume kwi-IP yeseva yam ebonakalayo ukuze ikwazi ukufikelela kwilaptop yam:
sudo iptables -A INPUT -i virbr0 -p tcp -s 192.168.122.88 -j ACCEPT
Siza kunika iinkcukacha ngalo mgca, kubalulekile ukuba uqonde ukuba yintoni na iparameter nganye, kuba ziya kuphinda-phindwa kakhulu ukusukela ngoku:
-IGALELO Ndithi ndiza kubhengeza umthetho wezithuthi ezingenayo
-ndiye virbr0 : Ndibhengeza ukuba indawo endiza kwamkela ngayo ukugcwala kwabantu ayisiyi-etho (LAN) okanye i-wlan0 (Wifi), nditsho ngokukodwa ukuba luhlobo lwam lwe-virbr0, Oko kukuthi, ujongano lwenethiwekhi ebonakalayo (ngaphakathi) apho ilaptop yam inxibelelana nayo iseva yam ebonakalayo (kunye nokunye)
-p tcp : Ndicacisa umthetho olandelwayo, ezona zisetyenzisiweyo yi-UDP kunye ne-TCP, apha ibanele ngokwaneleyo ukuba ingayibeki le nto kodwa ... kulisiko ukukhankanya uhlobo lwenkqubo olwamkelekileyo
-s 192.168.122.88 Umthombo, umthombo weephakeji. Ngamanye amagama, umthetho ubhekisa kwiipakethi eziza ngokukodwa kwi-IP 192.168.122.88
-J YAMKELA Sele apha ndithetha into endifuna ukuyenza ngeephakeji ezihambelana noku kungasentla, kule meko yamkela.
Ngamanye amagama, njengesishwankathelo, ndiza kwamkela iipakethi ezivela kwi-IP 192.168.122.88, kodwa ukuba ufuna ukufaka iipakethi ezivela kwi-IP KODWA! Bangena kwi-interface engekho virbr0, Oko kukuthi, masithi bazama ukufaka iipakethi ezivela kwi-IP 192.168.122.88 kodwa zivela kwikhompyuter kwinethiwekhi yethu ye-Wifi, ukuba kunjalo, iipakethi ziyakwaliwa. ngoba? Kuba sicacisa gca ukuba ewe, siyazamkela iipakethi ukusukela nge192.168.122.88. njl.) emva koko ayiyi kwamkelwa. Ngokucacisa ujongano njengoko ubona sinokuthi sikuthintele nangakumbi, sinokuba nolawulo olungcono kokungenayo (okanye okungangeniyo) kwikhompyuter yethu.
Ukwamkela i-ping kuyo nayiphi na i-IP ye-Wifi yasekhaya:
Ukusuka kwenye ikhompyuter edibanisa ne-Wifi, ukuba uzama ukukhangela ilaptop yam ndifuna ukuyivumela. isizathu? Umbono kukuba kwezi veki zimbalwa zizayo ukudibanisa iPC kwindlu esecaleni kwenethiwekhi, ke ukwabelana ngolwazi kunganzima, kulunge ngakumbi xa ndiqala ukwenza iimvavanyo zokuqhagamshela idesktop kwiWifi, kuya kufuneka ndibambe ilaptop ukujonga unxibelelwano, ukuba ilaptop yam ayindibuyisi ndicinga ukuba i-AP iyasilela, okanye ukuba bekukho impazamo xa ungena kwi-Wifi, yiyo loo nto ndifuna ukuvumela i-ping.
sudo iptables -A INPUT -i wlo1 -p icmp -s 192.168.1.0/24 -d 192.168.1.51 -j ACCEPT
-IGALELO : Njengangaphambili, ndibhekisa kwitrafikhi engenayo
-ndiyi1 : Iyafana ngaphambili. Kwimeko yangaphambili ndicacisile ujongano olubonakalayo, kule meko ndikhankanya olunye ujongano, lwewifi yam: wlo1
-p icmp Inkqubo ye-Icmp, icmp = ping. Oko kukuthi, andivumeli i-SSH okanye nantoni na efanayo, ndivumela i-ping (icmp) kuphela
-s 192.168.1.0/24 Umthombo weepakethi, okt ukuba nje iipakethi zivela kwi-IP 192.168.1.? iyakwamkelwa
-d 192.168.1.51 : Indawo IP, Oko kukuthi, IP yam.
-J YAMKELA Ndibonisa ukuba ndenze ntoni ngeephakeji ezihambelana noku kungasentla, yamkela.
Oko kukuthi, kwaye ukucacisa oku ngendlela ebalekayo, ndiyamkela ukuba bayandibamba (icmp protocol) endiyokufika ikwi-IP yam, okoko nje bevela kwi-IP enje nge-192.168.1 .__ kodwa kananjalo, abanakuza nakweyiphi na inethiwekhi , Kuya kufuneka bangene ngokukodwa kwi-Wifi network interface (wlo1)
Yamkela i-SSH kwi-IP enye kuphela:
Ngamanye amaxesha ndifuna ukunxibelelana nge I-SSH kwi-smartphone yam ukulawula ilaptop, Kungenxa yoko le nto kufuneka ndivumele ukufikelela kwe-SSH kwilaptop yam kwi-IPs yeWifi yam, yoku:
sudo iptables -A INPUT -i wlo1 -p tcp -s 192.168.1.0/24 -d 192.168.1.51 --dport 22 -j ACCEPT
Ukusuka kulo mgca ekuphela kwento eyahlukileyo okanye efanele ukuphawulwa yile: -Ingxelo 22 (I-SSH port ndiyisebenzisayo)
Oko kukuthi, ndiyayamkela imizamo yokuqhagamshela kwilaptop yam ngezibuko 22, ukuba nje zivela kuyo nayiphi na i-IP ye-wifi yam, kufuneka babe ne-IP yam njengendawo ethile kwaye beze nakwi-wlo1 interface, oko kukuthi, i-wifi (hayi i-lan, njl.
Ukubavumela ukuba bajonge iwebhusayithi yakho:
Ayilotyala lam, kodwa ukuba ngaba nabani na kuni unewebhusayithi ebanjelweyo kwaye akafuni ukwala ukufikelela nakubani na, oko kukuthi, ukuba wonke umntu naphi na unokufikelela kule webhusayithi, kulula kakhulu kunokuba unokucinga:
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
Ngamanye amagama, apha bavumela zonke izithuthi ezingenayo (tcp) ngezibuko le-80. Njengoko ubona, andichazi ukuba zeziphi ii-IPs okanye inethiwekhi endivumela ukufikelela kuzo, ngokungachazi uluhlu lwe-IP lokuvumela, iptables ithatha ukuba ndifuna ukuvumela ukufikelela kuzo zonke iindawo ezikhoyo ze-IP, oko kukuthi, kwihlabathi liphela 🙂
Olunye udibaniso:
Ndineminye imithetho emininzi enje, umzekelo, yamkela i-ping yee-IPs ekhaya lasekhaya i-LAN (kule nto ilayini efanayo nale ingentla, ukutshintsha uluhlu lwe-IP), yona leyo efanayo nale bendiyichazile ngasentla ... ilaptop ngenxa yoko andizisebenzisi izinto ezintsonkothileyo, zokuthintela umda kunxibelelwano, i-anti DDoS, ndiyishiya kwiiseva, kwilaptop yam andiyifuni
Ngapha koko, ukuza kuthi ga ngoku inqaku.
Njengoko ubona, ukusebenza nge-iptables ayisiyonto inzima nangayiphi na indlela, nje ukuba wakhe iskripthi apho ubhala khona imithetho yakho kulula kakhulu emva koko uyiguqule, ukongeza okanye ususe imigaqo kwi-firewall yakho.
Andizithathi njengengcali kulo mbandela ukude kuwo, ngaphandle kwako nakuphi na ukuthandabuza onako, baphawula apha, ndiza kuzama ukukunceda kangangoko ndinako.
Phendula nge quote
Izimvo ezi-31, shiya ezakho
Kulunge kakhulu, kuchazwe kakuhle, kuhle.
Ndiyaluthanda olu hlobo lweposi.
Enkosi kakhulu ngokubeka ingxelo 🙂
Esi sithuba sasilityala endandinalo ixesha elide, kuyathandeka kwaye kumnandi ekugqibeleni ukuze ndikwazi ukulihlawula ^ _ ^
Phendula nge quote
umbuzo usecuba?
… Kuyenzeka ukuba kwiintsuku ezimbalwa ezidlulileyo ndisebenzisa i-Linksys AP (Indawo yokuFikelela) ndibeke iWifi endlwini yentombi yam
Ewe ndizelwe kwaye ndahlala eCuba. kutheni umbuzo?
@FIXOCONN: Molo mhlobo kwaye uxolele umxholo wombuzo, kodwa uyichaza njani iCinnamon ukuba ivele njengendawo yedesktop kwindawo yomsebenzisi? Ndisebenzisa iMint 13 kunye neCinnamon, kodwa akukho ndlela ndiyifumana ngayo ilogo yeCinnamon ukuba ivele kummeli-arhente yam ngalo lonke ixesha ndiphawula kule ndawo.
Ngaba ungaba nobubele ukudlula kum iinkcukacha zomenzeli wakho ukuba ayisiyongxaki enkulu? Ndingathanda ukwazi loo datha ukuyibeka ngokwam =)
Ndikushiya iphepha ukuze uphinde ulijonge kwaye undinike ulwazi. Enkosi kunye nee-Admins, xolela "i-trolling" (ukuba ungayibiza njalo) kwicala lam ngolu lwazi -> http://user-agent-string.info/
Yongeza "iCinnamon" (ngaphandle kwezicatshulwa) kulo naliphi na icandelo loMsebenzisi, emva koko ilogo kufuneka ivele kumagqabantshintshi azayo 🙂
Kuhle kakhulu kwisithuba! icace gca
Enkosi ngokufunda kunye nombulelo ngezimvo zakho 🙂
Enkosi kakhulu!
Molo, okokuqala kokuvuyisana nebhlog, ndicinga ukuba intle.
Into enokuba ilungile ukuyichaza kukuba ukhetho lokungena kwi-ULOG alusebenzi kwiinkqubo zokusebenza ezine-ulogd2, kule meko umthetho kufuneka ube:
Iimpawu ze-sudo -I-INPUT -p tcp -m tcp -tcp-flags FIN, SYN, RST, ACK SYN -j NFLOG
Okokuqala, enkosi kakhulu ngento oyithethayo malunga nebhlog yakho
Ndifakile ulogd v2.0.2-2 kwiArch, kwaye umgca endiwubekayo usebenza ngaphandle kweengxaki (kuye kwafuneka ndibeke i-loglevel = 1 kwi /etc/ulogd.conf, kodwa ithatha iinkuni kwenye ifayile ngaphandle kwengxaki.
Usebenzisa ulogd v2 okanye ngaphezulu, umgca endikushiyele usebenza gwenxa kuwe?
Imibuliso kunye nombulelo ngokuphawula.
Ndandihlala ndilinde inxenye yesibini, ndiyakhumbula xa ndifunda eyokuqala (yayikukuqalwa kwam kwizithonga zomlilo). Enkosi @ KZKG ^ Gaara, malunga 🙂
Enkosi ngokundifunda 😀
Kwaye hehe ewe, into endiyithethileyo ... le post yayilityala endandinalo kwakudala ... _ ^
Imibuliso. Kuhle kakhulu kwisithuba. Ndizama ukumisela imigaqo ye-iptables yokuhambisa kwakhona ukugcwala kwabantu kwi-squid ukuya kwi-dansguardian kwaye ayikafezekisi injongo. Ndingaluvuyela uncedo malunga noku.
iptable zoko? Ngaba ayenziwanga ngokuthe ngqo ii-ACLs kwi-squid?
"Ndineminye imithetho emininzi efana .."
Le ndiyibiza ngokuba yiparanoia, mfana
Okuncinci kwaye ubeka ipakethe yeRotwailer's kwizibuko ngalinye elivulekileyo kwimodem / kwi-router yakho
HAHAHAHAHAHAHAHAHA Ndifa yintsini naba rottwailers hahahaha
Ndiyabulisa mfondini, kuyenzeka ukuba ndifuna uncedo lokumisela ii-IPTable ngendlela enqabela ukufikelela kwizibuko lama-80 kuphela xa ndichwetheza idilesi kwisikhangeli segama lam lesiko, kulapho umzekelo ndichwetheza ns1.mydomain.com kwaye ns2.mydomain. com (amagama am), IPtables iyala ukufikelela kwizibuko 80 ukuze isikhangeli sizame ukulayisha iphepha kodwa emva kwethutyana liphelelwe kwaye lingaze lilayishe, kuyenzeka ukuba sele ndizamile ngemiyalelo enje:
iptables -I-INPUT -d ns1.midomini.com -p tcp -dport 80 -j DROP
iptables -I-INPUT -d ns2.midomini.com -p tcp -dport 80 -j DROP
Kodwa ekuphela kwento eyenzayo kukungavumi ukungena kwizibuko lama-80 kuyo yonke imimandla yam (kuba babelana nge-IP efanayo ne-Virtual Host), ndifuna ukuba kubekhona kuphela kwi-url yamagama am kunye ne-IP apho amagama am abhekisa kuwo, Oko kukuthi, iitafile ze-IP ziyakwala ukufikelela kwizibuko 80 apha:
ns1.midomini.com (Ukhomba A) -> 102.887.23.33
ns2.midomini.com (Ukhomba A) -> 102.887.23.34
kunye nee-IPs ezichazwa ngamagama ashiyekileyo
102.887.23.33
102.887.23.34
Umzekelo wenkampani enale nkqubo yile: I-Dreamhost
Amagama abo amagama: ns1.dreamhost.com kunye ne-ns2.dreamhost.com kunye nee-IPs abalatha ukuba bangaphenduli xa betayitshwa kwindawo yedilesi yesikhangeli.
Ndiyabulela kakhulu kwangaphambili ngenxa yokuqwalaselwa kwakho, ndingathanda ukuba undinike isandla ngale nto, ndiyayidinga kwaye ngokukhawuleza !!
Usuku olumnwandi !!
Molo Ivan,
Nxibelelana nam nge-imeyile (kzkggaara [at] desdelinux [ichaphaza] net) ukuyithetha ngokuzolileyo kwaye ndikucacise ngcono, ngomso nakanjani ndizakuphendula (namhlanje ndiyadlula)
Into ofuna ukuyenza ilula, andazi ukuba kutheni le mizila undixelela yona ingakusebenzeli, kufanele, kodwa kuya kufuneka ujonge iilog kunye nezinye izinto ezinokuba zinde kakhulu apha.
Ndiyabulisa kwaye ndilinde i-imeyile yakho
Ngokwethiyori ngee-iptables ndingazithintela izicelo zokunqamla kwiinkqubo ezinje nge-aircrack. Ndinyanisile ??? Ewe ndiza kwenza iimvavanyo kodwa ukuba undixelele ukuba ungandonwabisa kakhulu i-XDDD
Kwithiyori ndicinga njalo, ngoku, andazi ukuba inokwenziwa njani, andikaze ndiyenze ... kodwa ndiyaphinda, kwithiyori, ndicinga ukuba inokwenzeka.
Emva kokusebenzisa imigaqo ye-iptables, akunakwenzeka ukuba ndingene kwiifolda ekwabelwana ngazo kuthungelwano lwasekhaya. Nguwuphi umthetho endifanele ukuwusebenzisa ukuyilungisa?
Enkosi kuwe.
Yeyiphi imigaqo ye-iptables oyisebenzisileyo?
Le yinxalenye yesi-2 ye "iptables zeNewbies", uyifundile eyokuqala? Ndicela oku ukwazi ukuba uyisebenzise na imigaqo ebikwisithuba sangaphambili
Ewe, ndizifundile zombini ezi ndawo. Isikripthi esizisekelayo kwesinye isithuba osiposileyo malunga nokuqala kwemithetho yenkqubo.
#! / bin / ibash
# - UTF 8 -
# Iptables yokubini
iptables = »/ usr / bin / iptables»
kulahliwe ""
## Iitafile ezicocekileyo ##
Iifayile zeedola -F
$ iptables -X
$ iptables -Z
#echo »-Yenziwe i-FLUS kwii-iptables» && echo »»
## Ukuseka iinkuni nge-ULOGD ##
$ iptables -I-INPUT -p tcp -m tcp -tcp-iiflegi FIN, SYN, RST, ACK SYN -j ULOG
# # Chaza umgaqo-nkqubo we-DROP ongagqibekanga ##
$ iptables -P INPUT DROP
$ iptables -P YOKUPHILA PHAMBILI
#echo »-Umgaqo-nkqubo we-DROP ochazwe ngokungagqibekanga» && echo »»
# # Vumela yonke into kwi-localhost ##
$ iptables -I-INPUT -i lo -j YAMKELA
$ iptables -ISIPHUMO -o lo -j YAMKELA
#echo »-Zonke zivunyelwe kwindawo yasekhaya» && echo »»
# # Vumela ukufaka iipakethi zonxibelelwano endizenzayo # #
$ iptables -I-INPUT -m state-state ESTABBISHED, RELATED -j YAMKELA
#echo »- Iipakethi zonxibelelwano ezivunyelweyo eziqalwe ndim» && echo »»
ulahlele ngaphandle "############################
phendula »## IIPHEPHA EQWALASELEKILEYO KULUNGILE! ## »
ulahlele ngaphandle "############################
Ndifundile kwi-intanethi ukuba kwi-samba kufuneka ube nale migaqo ilandelayo kwiskripthi:
$ iptables -I-INPUT -p tcp-ingxelo 139 -j Yamkela
$ iptables -I-INPUT -p tcp-ingxelo 445 -j Yamkela
$ iptables -I-INPUT -p udp -sport 137 -j YAMKELA
$ iptables -I-INPUT -p udp-ingxelo 137 -j YAMKELA
$ iptables -I-INPUT -p udp-ingxelo 138 -j YAMKELA
Nangona kunjalo, nditsho nabo ndinokubona amaqela omsebenzi weewindows. : S
Ingxaki isonjululwe. Guqula iqela lomsebenzi kunye nemikhosi ivumela iiparameter kwifayile yoqwalaselo lwe-samba.
Inqaku elihle, lilungile !!!!
Ndiyifunde nje kwaye ndiyayithanda indlela oyichaza ngayo kunye nokusetyenziswa kweeptables, ndingathanda ukufunda indlela yokuyisebenzisa kubunzulu obukhulu.
Ukubulisa kunye nenqaku elihle, ndiyathemba ukuba uza kupapasha ngakumbi malunga neIptable! ^ ^
Mthandi;
Ndinommeleli onee-iptables kwaye enye yeenethiwekhi zam ayinakho ukuphawula http://www.google.cl Ngesi sizathu izibuko livaliwe kwaye ndizama iindlela eziliwaka zokuvula amazibuko kwaye akukho nto yenzekayo. Ukuba andikwazi ping andikwazi ukudibanisa imbonakalo
Ndiyakuvuyela ngeposi! Kulunge kakhulu. Kodwa ndinombuzo. Ngamanye amaxesha idilesi ye-IP oyinikezelwe kwinethiwekhi inokutshintsha (ukuba kuyinyani ukuba sinokwabela i-IP kwii-Add zethu ze-MAC), kodwa ngaba kunokwenzeka ukuba ii-Iptable zivumele ukufikelela kwiseva yethu nge-SSH ngedilesi ye-MAC?
Ndiyathemba ukuba ndizichaze kakuhle.
Ngokuzithoba, kwaye enkosi kakhulu!
Molo, uyazi ukuba ndine-linux server emiselweyo kwaye emva kokubeka le miyalelo ndithintele yonke into kwaye ndalahleka ukufikelela, ndingaphinda ndibuyise phantse yonke into kodwa ndilahlekile zizinto ezi-2. * Andisakwazi ukufikelela kwisikhangeli sewebhu ngegama elithi «iseva» ukuba nge-ip, 10.10.10.5 kwelinye icala andiziboni izixhobo ekwabelwana ngazo ezivela kumhloli weewindows kwinethiwekhi, ngaphambi kokuba ndibeke \\ iseva kunye ubone zonke izixhobo ekwabelwana ngazo. Ndiyathemba ukuba ungandinceda, ndiyazi ukuba ayisosidima kodwa andikwazi ukusombulula, enkosi
Ndicaphula igama nezwi:
'
Inkqubo ye-icmp, icmp = ping. Oko kukuthi, andivumeli i-SSH okanye nantoni na efanayo, ndivumela i-ping (icmp) kuphela
'
I-ICMP kunye ne-PING azifani. I-Pinging yinxalenye ye-ICMP protocol, kodwa ayisiyiyo yonke into. Inkqubo ye-ICMP (iProtokholi yoLawulo loMyalezo we-Intanethi) inokusetyenziswa okuninzi, ezinye zazo ezinobungozi ezithile. Kwaye wamkela yonke i-ICMP traffic. Kuya kufuneka uthintele kuphela kwi-ping.
Nibuliso!
Kuya kufuneka ndenze uqeqesho kodwa andiqondi kakhulu malunga neeptables, ungandinceda…
enkosi!!!!!!!