I-Firehol: ama-iptables wabantu (i-Arch)

Okokuqala, wonke amakhredithi aya ku- @YukiteruAmano, ngoba lokhu okuthunyelwe kususelwa ku- Ukufundisa uthumele esithangamini. Umehluko ukuthi ngizogxila kuwo Arch, yize izosebenzela amanye ama-distros asuselwa ku- i-systemd.

Yini iFirehol?

Umlilo, uhlelo lokusebenza oluncane olusisiza ukuphatha i-firewall ehlanganiswe ne-kernel nethuluzi layo iptables. IFirehol ayinaso isikhombimsebenzisi sokuqhafaza, konke ukumiswa kufanele kwenziwe ngamafayela wombhalo, kepha ngaphandle kwalokhu, ukumiswa kusese lula kubasebenzisi be-novice, noma kunamandla kulabo abafuna izinketho ezithuthukile. Konke okwenziwa yiFirehol ukwenza kube lula ukwenziwa kwemithetho ye-iptables ngangokunokwenzeka futhi kunike amandla i-firewall enhle yohlelo lwethu.

Ukufakwa nokumiswa

IFirehol ayikho ezinqolobaneni ezisemthethweni ze-Arch, ngakho-ke sizobheka I-AUR.

yaourt -S firehol
Ngemuva kwalokho siya kufayela lokumisa.

sudo nano /etc/firehol/firehol.conf

Futhi sengeza imithetho lapho, ongayisebenzisa ukhona.

Gcina kusebenze i-Firehol ekuqaleni ngakunye. Ilula kalula nge-systemd.

sudo systemctl enable firehol

Saqala iFirehol.

sudo systemctl start firehol

Ekugcineni siqinisekisa ukuthi imithetho ye-iptables yenziwe futhi yalayishwa kahle.

sudo iptables -L

Khubaza i-IPv6

Njengoba umlilo awuphathi ip6table futhi njengoba ukuxhumana kwethu okuningi kungasekeli i- I-IPv6, isincomo sami ukukukhubaza.

En Arch siyengeza ipv6.disable = 1 kulayini we-kernel kufayela le / etc / default / grub


...
GRUB_DISTRIBUTOR="Arch"
GRUB_CMDLINE_LINUX_DEFAULT="rw ipv6.disable=1"
GRUB_CMDLINE_LINUX=""
...

Manje sakha kabusha i- i-grub.cfg:

sudo grub-mkconfig -o /boot/grub/grub.cfg

En Debian kwanele nge:

sudo echo net.ipv6.conf.all.disable_ipv6=1 > /etc/sysctl.d/disableipv6.conf


Okuqukethwe yi-athikili kunamathela ezimisweni zethu ze izimiso zokuhlelela. Ukubika iphutha chofoza lapha.

Amazwana ayi-26, shiya okwakho

Shiya umbono wakho

Ikheli lakho le ngeke ishicilelwe. Ezidingekayo ibhalwe nge *

*

*

  1. Ubhekele imininingwane: Miguel Ángel Gatón
  2. Inhloso yedatha: Lawula Ugaxekile, ukuphathwa kwamazwana.
  3. Ukusemthethweni: Imvume yakho
  4. Ukuxhumana kwemininingwane: Imininingwane ngeke idluliselwe kubantu besithathu ngaphandle kwesibopho esisemthethweni.
  5. Isitoreji sedatha: Idatabase ebanjwe yi-Occentus Networks (EU)
  6. Amalungelo: Nganoma yisiphi isikhathi ungakhawulela, uthole futhi ususe imininingwane yakho.

  1.   Felipe kusho

    Angiqondi. Ingabe ulandela okokufundisa futhi usuvele unayo i-Firewall esebenzayo futhi uvimbele konke ukuxhumana? Enye into Isifundo se-Arch siyinkimbinkimbi ngokwesibonelo angikaze ngisebenzise iSudo noma i-yaourt Firewall. Nokho kuyaqondakala. Noma mhlawumbe umuntu omusha ubhala i-yaourt futhi uzothola iphutha. OkweManjaro kulungile.

    1.    I-Yukiteru kusho

      Njengoba usho u- @felipe, ulandela okokufundisa bese ufaka /etc/firehol/firehol.conf fayela imithetho enikezwe i- @cookie kunamathisela, uzobe usuvele une-firewall elula yokuvikela uhlelo ezingeni eliyisisekelo. Lokhu kulungiselelwa kusebenza kunoma iyiphi i-distro lapho ungabeka khona i-Firehol, ngokukhethekile kwe-distro ngayinye iphatha izinsizakalo zayo ngezindlela ezihlukile (i-Debian ngokusebenzisa i-sysvinit, i-Arch ne-systemd) nangokufakwa, wonke umuntu uyakwazi anakho, ku-Arch kufanele sebenzisa i-AUR ne-yaourt repos, eDebian ezisemthethweni zanele, ngakho-ke kwezinye eziningi, kufanele nje useshe okuncane ezinqolobaneni bese uvumelanisa umyalo wokufaka.

  2.   ci kusho

    Ngiyabonga, ngiyaqaphela.

  3.   Lungiselela kusho

    Konke lokho kuhle kakhulu ... kepha okubaluleke kakhulu akukho; Kufanele uchaze ukuthi imithetho yenziwa kanjani !!, ukuthi isho ukuthini, nokuthi ungayakha kanjani emisha ... Uma lokho kungachazwanga, okufakayo akusizi ngalutho: - /

    1.    I-Yukiteru kusho

      Ukudala imithetho emisha kulula, imibhalo ye-firehol icacile futhi inembile maqondana nokwakha imithetho yangokwezifiso, ngakho-ke ukufunda kancane kuzokwenza kube lula kuwe ukuyenza ngendlela oyifisayo futhi uyihambisane nezidingo zakho.

      Ngicabanga ukuthi isizathu sokuqala seposi le- @cookie njengeyami esithangamini, bekungukunikeza abasebenzisi nabafundi ithuluzi elibavumela ukuthi banikeze amakhompyutha abo ukuphepha okuthe xaxa, konke kusezingeni eliyisisekelo. Okusele kushiywe eceleni ukuze uvumelane nezidingo zakho.

    2.    Ikhukhi kusho

      Uma ufunda isixhumanisi esifundweni saseYukiteru uzobona ukuthi inhloso ukwazisa uhlelo kanye nokumiswa kwe-firewall eyisisekelo. Ngacacisa ukuthi engikuthumelayo bekuyikhophi kuphela eligxile ku-Arch.

  4.   Maacub kusho

    Futhi lokhu kungenxa yabantu '? o_O
    Zama i-Gufw ku-Arch: https://aur.archlinux.org/packages/gufw/ >> Chofoza Isimo. Noma ufw uma ukhetha ukuphela: Sudo ufw sikwazi

    Usuvele uvikelekile uma ungumsebenzisi ojwayelekile. Lokho 'kungokwabantu'

    1.    izinga kusho

      I-Firehol impela ingu-Front-End yama-IPTables futhi uma uyiqhathanisa neyakamuva, ingumuntu 😀 impela

    2.    I-Yukiteru kusho

      Ngibheka i-ufw (iGufw iyisixhumi nje sayo) njengenketho embi maqondana nezokuphepha. Isizathu: ukuthola eminye imithetho yezokuphepha engiyibhale ku-ufw, angikwazi ukukugwema lokho ezivivinyweni ze-firewall yami, zombili ngeWebhu kanye nalezo ezenziwa kusetshenziswa i-nmap, izinsizakalo ezinjenge-avahi-daemon ne-exim4 zizovela zivulekile, futhi kuphela Ukuhlaselwa kwe- "stealth" kwakwanele ukwazi izici ezincane kakhulu zohlelo lwami, i-kernel kanye nezinsizakalo ezazihamba, okuthile okungazange kwenzeke kimi ngisebenzisa i-firehol noma i-firewall ye-arno.

      1.    I-Giskard kusho

        Hhayi, angazi ngawe, kepha njengoba ngibhale ngenhla, ngisebenzisa uXubuntu futhi i-firewall yami ihamba ne-GUFW futhi ngidlulise ZONKE izivivinyo zesixhumanisi umlobi azibeka ngaphandle kwezinkinga. Konke ukucathula. Akukho okuvuliwe. Ngakho-ke, ekuhlangenwe nakho kwami ​​ufw (ngakho-ke gufw) zilungile kimi. Angigxeki ekusebenziseni ezinye izindlela zokulawula i-firewall, kepha i-gufw isebenza ngokungenaphutha futhi inikeza imiphumela emihle yokuphepha.

        Uma unezivivinyo ezithile ocabanga ukuthi zingaphonsa ukuba sengozini ohlelweni lwami, ngitshele ukuthi ziyini futhi ngizozijabulela ngokuzithokozisa lapha futhi ngizokwazisa imiphumela.

        1.    I-Yukiteru kusho

          Ngezansi ngiphawula okuthile ngendaba ye-ufw, lapho ngithi iphutha engilibone ngo-2008, ngisebenzisa Ubuntu 8.04 Hardy Heron. Yini asebeke bayilungisa? Okungenzeka kakhulu ukuthi lokhu kunjalo, ngakho-ke asikho isizathu sokukhathazeka, kepha noma kunjalo, lokho akusho ukuthi isinambuzane besikhona futhi bengingasikhombisa, yize bekungeyona into embi ukufa, mina kuphela kumiswe amademoni avahi-daemon kanye ne-exim4, futhi sekuxazululwe inkinga. Into exaka kakhulu kunakho konke ukuthi lezo zinqubo ezimbili kuphela ezazinenkinga.

          Ngasho leli qiniso njenge-anecdote yomuntu siqu, futhi ngabeka umbono ofanayo lapho ngithi: «Ngicabanga ukuthi ...»

          Sanibonani

    3.    I-Giskard kusho

      +1

  5.   amasaka kusho

    @Yukiteru: Uzamile kwikhompyutha yakho? Uma ubheka kusuka ku-PC yakho, kuyinto ejwayelekile ukuthi ungangena echwebeni le-X, ngoba ithrafikhi evinjiwe yile yenethiwekhi, hhayi i-localhost:
    http://www.ubuntu-es.org/node/140650#.UgJZ3cUyYZg
    https://answers.launchpad.net/gui-ufw/+question/194272

    Uma kungenjalo, sicela ubike isiphazamisi 🙂
    Sanibonani

    1.    I-Yukiteru kusho

      Kusuka kwenye ikhompyutha kusetshenziswa inethiwekhi yeLan esimweni se-nmap, nange-Web kusetshenziswa leli khasi https://www.grc.com/x/ne.dll?bh0bkyd2Kusetshenziswa inketho yamachweba wangokwezifiso, bobabili bavumile ukuthi i-avahi ne-exim4 babelalele kusuka enetheni yize i-ufw yayilungiselelwe ukuvimba kwabo.

      Leyo mininingwane emincane ye-avahi-daemon ne-exim4 ngiyixazulule ngokumane ngikhubaza izinsizakalo futhi yilokho ... angibikanga bug ngaleso sikhathi, futhi ngicabanga ukuthi akunangqondo ukukwenza manje, ngoba lokho ubuyile ngo-2008, esebenzisa uHardy.

      1.    I-Giskard kusho

        U-2008 wayeneminyaka emi-5 eyedlule; ukusuka eHardy Heron kuye eRaring Ringtail kune-10 * buntus. Lokho kuhlolwa okufanayo ku-Xubuntu wami, okwenziwe izolo futhi okuphindiwe namuhla (Agasti 2013) kunika okuphelele kukho konke. Futhi ngisebenzisa i-UFW kuphela.

        Ngiyaphinda ngiyasho: Ngabe kukhona ezinye izivivinyo ongazenza? Ngenjabulo ngiyakwenza futhi ngibike okuqhamuka kulolu hlangothi.

        1.    I-Yukiteru kusho

          Yenza ukuskena kwe-SYN ne-IDLE kwe-PC yakho usebenzisa i-nmap, lokho kuzokunikeza umbono wokuthi iphephe kangakanani isistimu yakho.

          1.    I-Giskard kusho

            Indoda ye-nmap inemigqa engaphezu kuka-3000. Uma unginika imiyalo yokuthi ngiyenze ngenjabulo, ngizoyenza futhi ngizobika umphumela.

          2.    I-Yukiteru kusho

            Hmm, bengingazi ngamakhasi wamadoda angama-3000 we-nmap. kepha i-zenmap iwusizo lokwenza lokhu engikutshela khona, ingumfanekiso ongaphambili wokuqhafaza we-nmap, kepha nokho inketho yokuskena i-SYN nge-nmap is -sS, Ngenkathi inketho yokuskena kokungenzi lutho ingu -s, kepha umyalo oqondile u-I ngizo.

            Yenza ukuskena komunye umshini okhombe i-ip yomshini wakho nge-ubuntu, ungakwenzi kusuka ku-pc yakho, ngoba akusebenzi lokho.

          3.    I-Yukiteru kusho

            LOL !! Iphutha lami ngamakhasi angama-3000, lapho ayengolayini 😛

  6.   UJeus Israel Perales Martinez kusho

    Angazi kepha ngicabanga ukuthi i-GUI yalokhu ku-GNU / Linux ukuphatha i-firewall kungaba ukuhlakanipha ngandlela thile futhi ingashiyi yonke into ingamboziwe njengaku-ubuntu noma yonke into embozwe njengakwi-fedora, kufanele ube yi-xD enhle, noma okuthile ukumisa ezinye izindlela zokubulala ezibulalayo xD hjahjahjaja It has little that I fight with them and the open jdk but in the end you also have to keep the principle of kiss

  7.   Mauricio kusho

    Ngenxa yazo zonke izikhubekiso ezenzeke esikhathini esedlule ngama-iptables, namuhla ngiyakwazi ukuqonda i-niverl eluhlaza, okungukuthi, khuluma naye ngqo njengoba kuvela efektri.

    Futhi akuyona into eyinkimbinkimbi, kulula kakhulu ukuyifunda.

    Uma umbhali wokuthunyelwe engivumela, ngizothumela ingcaphuno yombhalo we-firewall engiwusebenzisa njengamanje.

    # # Imithetho yokuhlanza
    iptables -F
    iptables -X
    iptables -Z
    iptables -t nat -F

    # # Setha inqubomgomo yokuzenzakalelayo: DROP
    iptables -P INPUT DROP
    iptables -P OUTPUT DROP
    iptables -P PHAMBILI IDROPHU

    # Sebenza ku-localhost ngaphandle kwemingcele
    iptables -A INPUT -i lo -j ACCEPT
    iptables -I-OUTPUT -o lo -j YAMUKELA

    # Vumela umshini ukuthi uye kuwebhu
    iptables -I-INPUT -p tcp -m tcp -sport 80 -m conntrack –ctate state RELATED, ESTABLISHED -j ACCEPT
    iptables -I-OUTPUT -p tcp -m tcp -dport 80 -j YAMUKELA

    # Kakade futhi ukuvikela ama-webs
    iptables -I-INPUT -p tcp -m tcp -sport 443 -m conntrack –ctate state RELATED, ESTABLISHED -j ACCEPT
    iptables -I-OUTPUT -p tcp -m tcp -dport 443 -j YAMUKELA

    # Vumela ukuphuma ngaphakathi nangaphandle
    iptables -I-OUTPUT -p icmp –icmp-type echo-request -j YAMUKELA
    iptables -I-INPUT -p icmp –icmp-type echo-reply -j ACCEPT

    # Ukuvikelwa kwe-SSH

    #Izintambo -I INPUT -p tcp -dport 22 -m conntrack –ststate NEW -m limit --limit 30 / minute --limit-burst 5 -m comment –comment "SSH-kick" -j ACCEPT
    #iptables -A INPUT -p tcp -m tcp –dport 22 -j LOG –log-prefix "SSH ACCESS ATTEMPT:" -log-level 4
    #Izintambo -I-INPUT -p tcp -m tcp -dport 22 -j DROP

    # Imithetho ye-amule yokuvumela ukuxhumana okuphumayo nokungenayo kwitheku
    iptables -A INPUT -p tcp -m tcp –dport 16420 -m conntrack –ctstate NEW -m comment –comment "aMule" -j ACCEPT
    iptables -A OUTPUT -p tcp -m tcp –sport 16420 -m conntrack –ctstate RELATED, ESTABLISHED -m comment –comment "aMule" -j ACCEPT
    iptables -I-INPUT -p udp -dport 9995 -m ukuphawula - ukuphawula "aMule" -j ACCEPT
    iptables -I-OUTPUT -p udp -sport 9995 -j YAMUKELA
    iptables -A INPUT -p udp -dport 16423 -j ACCEPT
    iptables -I-OUTPUT -p udp -sport 16423 -j YAMUKELA

    Manje incazelo encane. Njengoba ukwazi ukubona, kunemithetho enenqubomgomo ye-DROP ngokuzenzakalela, akukho okushiya kungene iqembu ngaphandle kokuthi ubatshele.

    Ngemuva kwalokho, okuyisisekelo kuyaphasiswa, i-localhost nokuzula kunethiwekhi yamanethiwekhi.

    Uyabona ukuthi kukhona nemithetho ye-ssh ne-amule. Uma bebukeka kahle ukuthi benziwa kanjani, bangenza eminye imithetho abayifunayo.

    Ubuqili ukubona ukwakheka kwemithetho futhi kusebenza ohlotsheni oluthile lwechweba noma umthetho olandelwayo, kungaba i-udp noma i-tcp.

    Ngiyethemba ungakuqonda lokhu engisanda kukuthumela lapha.

    1.    Ikhukhi kusho

      Kufanele wenze okuthunyelwe ukukuchaza 😉 kungaba kuhle.

  8.   @NomzamoMbatha kusho

    Nginombuzo. Uma kwenzeka ufuna ukwenqaba ukuxhumana kwe-http ne-https engikubekile:

    ukwehla kweseva "http https"?

    Futhi njalo nganoma iyiphi insizakalo?

    Gracias