Kulo post yangaphambili Sibonile ukumiselwa kwee-IPTables ukuze zisebenze njengeFirewall. Ngoku sinokubona ukuba sizenza njani ezo skripthi ukuze imigaqo yenziwe ngokuzenzekelayo xa inkqubo iqala, kunye nendlela esinokuphelisa ngayo okanye simise loo mithetho okomzuzwana.
Ngaphambi kokwenza iskripthi kwaye sikubonise indlela ejongeka ngayo, masithethe kancinci malunga ne-NAT kunye nomxholo wento esifuna ukuyenza ngezi zixhobo.
I-NAT kunye noMxholo womzekelo.
Xa sithetha nge-NAT, sinokuyibhida le ndlela, kuba bobabini banoxanduva lokudibanisa iinethiwekhi ezimbini ezahlukeneyo. Umahluko wokwenyani kukuba ukuhambisa kusetyenziswa ukusukela kwinethiwekhi yendawo iye kwenye kwaye enye inethiwekhi inokuqhagamshela kwi-router kwaye iphume iye kwi-Intanethi.
Ngelixa, xa sithetha nge-NAT, sithetha ngokuhambisa iipakethi ukusuka kuthungelwano lwasekhaya okanye lwabucala kwinethiwekhi yoluntu okanye kwi-Intanethi. Ikwenza oku ngokufihla iipakethi ngokubeka i-IP yoluntu ehamba nayo kwi-Intanethi. Ngamanye amagama, asiyidingi i-router, kuba i-IP yoluntu yeyakhe ngqo yikhompyuter ye-GNU / Linux.
Siza kusebenza oku ngesiqubulo esithi sisebenzisa i-Linux njenge-router / firewall ukuya kwi-Intanethi kuthungelwano lwasekhaya. Kodwa nantsi imeko ezimbini ezinokuvela.
- Ukuba iLinux yethu iphakathi kwendlela yomnikezeli wesevisi kunye nenethiwekhi yendawo.
Kule meko, phakathi kwendlela kunye neLinux yethu kuya kubakho uthungelwano, kwaye phakathi kweLinux kunye nenethiwekhi yendawo bekuya kubakho enye inethiwekhi eyahlukileyo. Oku kuthetha ukuba i-router yethu ayizukuyenza i-NAT ngolu hlobo, kunye neendlela ezilula zendlela njengoko kuchaziwe post yangaphambili Kungakuhle.
- Ukuba iLinux yethu inonxibelelwano oluxhunyiwe kwinethiwekhi yendawo kunye nolunye ujongano lufumana ngokuthe ngqo i-IP yoluntu apho ihamba khona.
Oku kuthetha ukuba iLinux yethu kufuneka yenze i-NAT ukuze iipakethi zikwazi ukufikelela kwi-Intanethi.
Ngeenjongo zelebhu encinci emva koko, siza kuthi iLinux yethu ifumana i-IP yoluntu ngokuthe ngqo kwaye ke sikwazi ukuvavanya iziphumo ze-NAT.
Ukwenza i-NAT sisebenzisa is syntax
iptables -t nat -A UKUQHUTYELWA -O eth1 -j MASQUERADE
Apho i-eth1 yindawo apho sifumana i-ip yoluntu, oko kukuthi, apho siya khona kwi-Intanethi.
Ukwenza iptables script
Masithi ke: 172.26.0.0 yinethiwekhi yethu yendawo kwaye i-81.2.3.4 yi-IP yoluntu esihamba nayo kwi-Intanethi. (yinto emileyo ip). Ndinee-interfaces eth0 (uthungelwano lwasekhaya)
I-eth1 (Inethiwekhi yoluntu).
Ngokusisiseko iquka ukwenza iskripthi esinokubizwa ukusuka /etc/init.d/firestop (umzekelo). kwaye kwesi skripthi sinokuqala, siyeke okanye siqwalasele imeko yoqwalaselo lwethu, njengoko sisenza ngayo nayiphi na inkqubo yedemon.
Masithi imithetho yam IPTABLES YILE:
#! / bin / bash # I-firewall yasekhaya. # Igama lefayile / njl / firewall_on # NguJlcmux Twitter: @Jlcmux # # Umgaqo-nkqubo osisiseko. iptables -P INPOUT DROP iptables -P ISIPHUMO SOKUQHUBA i-iptables -P PHAMBILI IDROP # #NAT yokwabelana nge-Intanethi ukusuka kwi-eth0 ukuya kwi-eth1 iptables -t nat -A UKUQHUBA -O eth1 -j SNAT -mthombo 81.2.3.4 # # Vumela unxibelelwano olungenayo oluqaliswe zii-iptables zam -I-FORWARD -m state -state ESTABLISHED, RELATED -j ACCEPT # # iptables ezigunyazisiweyo eziphumayo -I-FORWARD -i eth0 -o eth1 -p tcp -dport 80 -j YAMKELA ii-iptables -I-FORWARD -i eth0 -o eth1 -p tcp -dport 443 -j YAMKELA iiptables -A PHAMBILI -i eth0 -o eth1 -p udp -dport 53 -j YAMKELA
Ingcaciso:
Iskripthi ngokusisiseko senza oku kulandelayo:
- Okokuqala thintela konke ukuhamba, unxibelelwano kunye nokugcwala. (Imigaqo-nkqubo esisiseko ye-Firewall)
- Emva koko yenza i-NAT ngendawo ekuya kuyo i-eth1. Ibonisa ukuba sinendawo kawonkewonke ip "81.2.3.4"
- Ivula amazibuko ayimfuneko ukufumana iipakethi zonxibelelwano eziqaliswe ndim.
- Yamkela ukuphuma kwe-HTTP, i-HTTPS, kunye nokugcwala kwe-DNS.
Ukuba sifuna ukusebenzisa izixhobo zethu ukuhamba kufuneka siphinde imigca kwaye sitshintshe PHAMBILI kwi-INPUT okanye kwi-OUTPUT ngokufanelekileyo.
Rhoxisa iskripthi.
Ngoku siza kwenza iskripthi esigqitha konke oku kungasentla kwaye sishiya ikhomputha icocekile kuko konke oku. (Ngeenjongo zokuvavanya okanye sifuna nje ukucima i-firewall).
#! / bin / bash # I-firewall yasekhaya. # Igama lefayile / njl.
Zenzekelayo.
Ngoku kufuneka senze iskripthi ngaphakathi /etc/init.d/ kwaye inkonzo iqala ngokuzenzekelayo kwaye singayilawula ngendlela etofotofo.
#! / bin / bash # I-firewall yasekhaya. # Igama lefayile /etc/init.d/ firewall # NguJlcmux Twitter: @Jlcmux ityala $ 1 ekuqaleni) / etc / firewall_on ;; yeka) / etc / firewall_off ;; ubume) iptables -L ;; *) echo "Is syntax engalunganga. Ivumelekile = / etc /init.d/ firewall start | stop | status ;; esac
Ingcaciso:
Iskripthi sokugqibela esisifakileyo /etc/init.d/ enegama umlilo. Ke ukuba sifuna ukulawula i-firewall sinokusebenzisa lo myalelo /etc/init.d/ firewall qala. Ngendlela efanayo singayimisa okanye sibone urhulumente.
Ngoku siza kuhlenga ifayile /etc/rc.local kwaye sibeka into efana nale: /etc/init.d/ firewall qala ukuqala ngenkqubo.
Njengokuba. Le yinxalenye yesibini. Ndiyathemba ukuba izisa into kuni nonke. Kwixesha elilandelayo sibona iProxy kunye ne-IDS.
Ukuba usebenzisa iDebian, kukho iphakheji kwi-repo (i-iptables-eqhubekayo) eyenza kanye loo nto, ilahla imithetho yangoku kwi /etc/iptables/rules.v4 okanye v6 kuxhomekeke kwinto oyisebenzisayo kwaye uyisebenzise kuwe xa uphakamisa inkqubo.
Ngokwenziwayo, ukucoca ubumbeko lwe-firewall yesiqhelo iptables (kwaye ukusebenzisa i-NAT ngekhe kubenjalo ngokokubona kwam), kwiimeko ezininzi umthetho wokugungxulwa kunye nokuseta kwakhona imigaqo-nkqubo emiselweyo ukuba yamkele iyakwanela.
Kodwa kwithiyori, kwaye ngokokwazi kwam, ukongeza koku kuya kufuneka ucime imitya engagungqiyo kwaye usete kwakhona izinto zokubala. Imisebenzi ekufuneka ithathelwe ingqalelo ukongeza ekubeni ukongeza kwi "filter" kukho ezinye iitafile, (kunyanzelekile ukuba ufunde ifayile "/ proc / net / ip_tables_names" yoku).
Ngendlela, i-orthodoxy ithi i-firewall kufuneka ibe sele iphakame ngaphambi kwenethiwekhi. Andazi ukuba iphunyezwe njani kwezinye iinkqubo zeLinux, kodwa kwii-Debian, iskripthi sinokulungiswa kwaye sisetelwe kulawulo "/etc/network/if-pre-up.d/".
Ukulungisa umlilo wonke umntu. 😉
Molo, iposti intle kakhulu. Ndiyifundile yonke imiqulu emi-2.
Ilinde elandelayo 🙂
Umbuzo wokungazi kwam, siyaqhubeka nee-iptables, kodwa kwiinguqulelo ezininzi zekernel sinee-nftables, sele ndivavanya, imibuzo yile, ngaba i-nftables yinto ye-beta ngokubhekisele kwi-iptables? Ngaba iptables iya kuqhubeka nokusetyenziswa ixesha elide?
Enkosi kuwe.
Izinto ezingafaniyo zibandakanya konke ukusebenza kwe-iptables, ip6tables, izinto ezinokuphindaphindwa kunye neebtable, konke kusetyenziswa isiseko esitsha kuzo zombini i-kernelspace kunye nendawo yomsebenzisi, eqinisekisa ukusebenza okungcono kunye nokusebenza okuphuculweyo. Izinto ezingasasebenziyo ziya kuthatha indawo ye-iptables kunye nazo zonke ezinye izixhobo ezichaziweyo kodwa hayi okwangoku, ubuncinci kude kube kukho ukusetyenziswa okubanzi kwezinto ezingafaniyo.
iposti entle kakhulu, bendifuna ukufunda ngakumbi kuba icacisiwe kakuhle .. imibuliso enkosi kakhulu ngegalelo
Mholweni! Kulunge kakhulu kokubini.
Njengegalelo onokongeza esiphelweni kule nxalenye:
"Ngoku sizakuhlela /etc/rc.local fayile kwaye sibeke into efana nale: /etc/init.d/firestop qala ukuze iqale ngenkqubo."
Yongeza oku kwi-rc.
ukuba [-x /etc/init.d/ firewall]; emva koko
/etc/init.d/ firewall qala
fi
Oko kuthetha ukuba ukuba "i-firewall" ineemvume zokwenza, yiphumeze, ukuba akunjalo.
Ukuba ufuna i "firewall" ingaqali, kufuneka ususe iimvume.
Umzekelo: chmod + x /etc/init.d/ firewall
ukuyenza ibaleke kwisiqalo ngasinye okanye ...
chmod -x /etc/init.d/ firewall
ukukhubaza ngokupheleleyo.
Nibuliso!