Ukuvikela inethiwekhi yakho ngama-Iptable - Ummeleli - I-NAT - IDS: INGXENYE 1

@Jlcmux

Imizuzu ye-6

Lokhu okuthunyelwe kuzama ukucacisa okuncane mayelana nokuthi amanethiwekhi asebenza kanjani nokuthi angayiguqula kanjani imishini yethu yeLinux ibe yiRouter eqinisekisa inethiwekhi yethu kancane, kungaba sekhaya noma sebhizinisini. Ngakho-ke ake siye ebhizinisini:

Lokhu okuqukethwe kusekelwe encwadini ethi "Linux - System Administration and Network Services Operation" - uSébastien BOBILLIER

Umzila nokuhlunga

Ukukhuluma nokuqonda ngomzila singaqala ngokuchaza ukuthi yini umsebenzi we-router? Ngalokhu singasho ukuthi i-router, ngaphezu kokudala inethiwekhi nokuvumela ukuxhumana neminye imishini (ukwazi ukuthi singakwenza lokhu nge-AP, switch, Hub noma abanye) inamandla okuxhuma amanethiwekhi amabili ahlukene komunye nomunye.

router

Njengoba sikwazi ukubona esithombeni, kukhona inethiwekhi yendawo "10.0.1.0" eyenziwe i-router, futhi ifinyelela kwesinye sezixhumi zayo ezimbili. Ngemuva kwalokho i-router kwenye i-interface yayo, inenye inethiwekhi, ene-IP yayo yomphakathi engaxhuma ngayo kwi-Intanethi. Umsebenzi womzila ngokuyisisekelo usebenza njengomxhumanisi phakathi kwalezi zinethiwekhi ezimbili ukuze bakwazi ukuxhumana.

I-Linux njenge-router.

Ngokwemvelo, iLinux Kernel isivele inekhono lokwenza "ukudlulisa", kepha ngokuzenzakalela ikhutshaziwe, ngakho-ke uma sifuna iLinux yethu yenze lo msebenzi kufanele siye kufayela.

/proc/sys/net/ipv4/ip_forward

Lapho sizothola ukuthi yifayela eliqukethe kuphela u-0 "1", okumele sikwenze ukulishintsha libe ngu- "XNUMX" ukuze kusebenze lokhu kuziphatha. Lokhu ngeshwa kuyasuswa lapho siqala kabusha ikhompyutha, ukuyishiya isebenze ngokuzenzakalela kufanele sisebenzise umyalo:

sysctl net.ipv4.ip_forward=1

Noma uyihlele ngqo kufayela /etc/sysctl.conf. Ngokuya ngokusatshalaliswa lokhu kulungiselelwa kungabuye kube kufayela ku-  /etc/sysctl.d/.

Ngokuzenzakalelayo i-Linux yethu kufanele ibe netafula lokuhambisa umzila, okuvamise ukumiswa kwenethiwekhi yethu ye-lan nokuxhumeka ku-router. Uma sifuna ukubona lo mzila singasebenzisa imiyalo emibili:

route -n

o

netstat -nr

Yomibili le miyalo kufanele ibuye efanayo.

Izithombe-skrini ezivela ngo-2014-09-30 18:23:06

Ngokuvamile, lokhu kulungiselelwa kwanele ukuthi i-Linux yakho isebenze njengeSango kanye namanye amakhompyutha angazulazula kwikhompyutha yethu. Manje, uma sifuna iLinux yethu ixhume amanethiwekhi amabili noma ngaphezulu, noma ngabe asendaweni noma cha, isibonelo, singasebenzisa imizila emile.

Ake sithi i-Linux yami inezindawo ezimbili zokuxhumana, eyokuqala ine-inthanethi lapho inethiwekhi yayo ingu-172.26.0.0 bese eyesibili (10.0.0.0) inamanye amakhompyutha avela kwenye inethiwekhi yendawo. Uma sifuna ukuhambisa amaphakethe kuleyo enye inethiwekhi esingayisebenzisa:

route add -net 10.0.0.0 netmask 255.0.0.0 gw 172.26.0.8

Ngokuvamile kunjalo:

route add -net REDDESTINO netmask MASCARA gw IPDELLINUX

uma sinikela umzila -n noma ngabe le nethiwekhi ikhona noma cha, lo mzila uzolungiswa etafuleni lethu.

Izithombe-skrini ezivela ngo-2014-09-30 18:31:35

Uma sifuna ukuqeda umzila osetshenzisiwe singasebenzisa

route del -net 10.0.0.0 netmask 255.0.0.0

Ama-Iptable.

Ngokuyinhloko ama-iptables asetshenziselwa ukuhlunga iphakethe, ukuphuma, ukungena noma abanye, lokhu kukwenza ithuluzi elihle lokuphatha ithrafikhi yethu yenethiwekhi. Yebo, ama-iptables, njengoba nje esivumela ukuhlunga ithrafikhi kukhompyutha eyodwa, futhi kusivumela nokuhlunga ithrafikhi edlula kuyo. (Ukudlulisela phambili). Ama-Iptable angahlukaniswa ngamatafula, amaketanga, nezenzo.

  • Amabhodi:  ngokuyisisekelo kungaba namatafula amabili, hlunga, ukuhlunga amaphakethe kanye  ubusuku ukuhumusha amakheli, okungukuthi, ukusuka kwinethiwekhi eyodwa kuya kwenye.
  • Amaketanga: Iketanga lisho uhlobo lwethrafikhi esifuna ukuluhluza noma ukubhukuda, okungukuthi, sizosebenzisa amatafula kumuphi umgwaqo? futhi zingaba:  INPUT: Izimoto ezingenayo, UMPHUMELA: ithrafikhi ephumayo noma PHAMBILI: Ithrafikhi edlula kuyo, kepha akuyona ukuxhumana okufanele.
  • Kungabonakala futhi UKUDLULA, esetshenziselwa ukwelapha iphakethe ngendlela ethile ngemuva kokuhanjiswa.
  • Izenzo: Izenzo empeleni isenzo okufanele senziwe ngeketanga. Lesi senzo singaba I-DROP, lokho kucekela phansi leyo traffic noma YAMUKELA. lokho kuvumela ithrafikhi ukwenza leso senzo.

Imithetho ye-IPTABLES iyagcinwa futhi yenziwe ngendlela edalwe ngayo, futhi uma umthetho ususa umthetho wangaphambilini, umthetho wokugcina ku-oda uhlala usetshenziswa.

Izinqubomgomo ze-Firewall.

Ngokuvamile, ama-firewall ngokwemvelo asebenza ngezindlela ezimbili:

  1. Vumela wonke umgwaqo ngaphandle, noma
  2. Ungavumeli noma iyiphi ithrafikhi ngaphandle ...

Ukufaka izinqubomgomo, sebenzisa IPTABLES - P ISENZO CHAIN

Lapho intambo imele uhlobo lwethrafikhi (INPUT, OUTPUT, PHAMBILI, POSTROUTING ...) futhi isenzo sithi DROP NOMA WAMUKELE.

Ake sibheke isibonelo.

Izithombe-skrini ezivela ngo-2014-09-30 18:53:23

Lapha sibona ukuthi ekuqaleni ngikwazile ukubamba, ngabe sengitshela i-IPTABLES ukuthi wonke umgwaqo we-OUTPUT yi-DROP noma awuvunyelwe. Ngibe sengitshela i-IPTABLES ukuthi ikwamukele.

Uma sizokwakha i-firewall kusuka ekuqaleni kufanele ngaso sonke isikhathi sisebenzise imithetho ye (Ungavumeli noma yimuphi umgwaqo ngaphandle kwalokhu ...

iptables -P INPUT DROP iptables -P OUTPUT DROP iptables -P PHAMBILI DROP
Uma lezi zinqubomgomo zisebenza, ngeke zibe nohlobo lokuxhumeka
.

Ukubuyela sibhala okufanayo bese sishintsha i-DROP nge-ACCEPT.

Kuleli qophelo, njengoba wonke umgwaqo wenqatshiwe, siqala ukutshela ama-IPTABLES ethu ukuthi angaba namuphi umgwaqo.

I-syntax yile:

iptables -A cadena -s ip_orgigen -d ip_destino -p protocolo --dport puerto -j acción

Kuphi:

Intambo = OKOKUFAKA, OKUPHUMAYO noma PHAMBILI

Umsuka_ip = Umsuka wamaphakethe, lokhu kungaba yi-IP eyodwa noma inethiwekhi futhi kulokhu kufanele sicacise imaski).

ukuphela_ip = lapho amaphakethe aya khona. le kungaba yi-IP eyodwa noma inethiwekhi futhi kulokhu kufanele sisho imaski).

umthetho = kukhombisa umthetho olandelwayo osetshenziswe ngamaphakethe (icmp, tcp, udp ...)

itheku = indawo okuyiwa kuyo yomgwaqo.

isenzo = DROP noma YAMUKELA.

Isibonelo:

Izithombe-skrini ezivela ngo-2014-09-30 19:26:41

ZONKE izinqubomgomo ezikhawulelwe ziyasebenza.

Izithombe-skrini ezivela ngo-2014-09-30 19:27:42

Ngemuva kwalokho sifaka imithetho ukuze sikwazi ukuthola ithrafikhi nge-port 80 HTTP kanye ne-443 HTTPS, ngenqubo ye-TCP. Ngemuva kwalokho i-port 53 Isetshenziselwa iklayenti le-DNS ukuxazulula izizinda, ngaphandle kwalokho ngeke uzulazule. Lokhu kusebenza nge-udp protocol.

Ulayini:

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Kungenxa yalokhu okulandelayo: Uma wenza isicelo se-HTTP ngokwesibonelo, uxhuma ethekwini 80 yeseva, kepha iseva ukubuyisa imininingwane idinga ukuxhuma kuwe nganoma iyiphi imbobo. (Ngokuvamile mkhulu kune-1024).

Njengoba wonke amachweba ethu evaliwe lokhu ngeke kuzuzwe ngaphandle kokuthi sivule wonke amachweba aphakeme kuno-1024 (Umbono omubi). Lokhu kusho ukuthi yonke imigwaqo engenayo evela ekuxhumekeni engizenzele yona iyamukelwa. Ngisho, ukuxhumana engikuqalile ngokomthetho.

Lapho ufaka i-OUTPUT emithethweni, lokhu kusebenza kuphela kwimishini okukhulunywa ngayo, uma sisebenzisa okokusebenza kwethu njengomzila ukuvumela lokhu kuxhumana, kufanele sishintshe OUTPUT siye PHAMBILI. Njengoba ithrafikhi idlula kwikhompyutha kepha ayiqalwa yiyo
Yonke le mithetho iyasuswa ngemuva kokuqala kabusha, ngakho-ke kufanele wakhe imibhalo ukuze iqale ngokuzenzakalela. Kepha lokhu sizokubona kokulandelayo

Ngithemba ukuthi uluthandile lolu lwazi. Kokulandelayo ngizokhuluma nge-NAT, Ummeleli kanye nezikripthi zeFirewal.


Shiya umbono wakho

Ikheli lakho le ngeke ishicilelwe. Ezidingekayo ibhalwe nge *

*

*

  1. Ubhekele imininingwane: Miguel Ángel Gatón
  2. Inhloso yedatha: Lawula Ugaxekile, ukuphathwa kwamazwana.
  3. Ukusemthethweni: Imvume yakho
  4. Ukuxhumana kwemininingwane: Imininingwane ngeke idluliselwe kubantu besithathu ngaphandle kwesibopho esisemthethweni.
  5. Isitoreji sedatha: Idatabase ebanjwe yi-Occentus Networks (EU)
  6. Amalungelo: Nganoma yisiphi isikhathi ungakhawulela, uthole futhi ususe imininingwane yakho.

  1.   Rogelio pinto kusho
    kwenza iminyaka 10

    Lesi yisisekelo osomabhizinisi abaningi abasithathayo ukwenza ama-firewall abo, yingakho kunemikhiqizo eminingi kangaka yezingilazi ezinama-linux ashumekiwe emakethe, ezinye zilungile kanti ezinye azikho kangako.

    Phendula uRogelio Pinto
  2.   UHebhere kusho
    kwenza iminyaka 10

    Indatshana enhle kakhulu. Ngibheke phambili engxenyeni yesibili.

    Phendula u-Heber
  3.   Milton kusho
    kwenza iminyaka 10

    Incazelo enhle kakhulu, ingisizile ukuqonda ummeleli womsebenzi wami. Ngiyabonga

    Phendula uMilton
  4.   i-faustod kusho
    kwenza iminyaka 10

    Sawubona Jlcmux,

    Kuhle, ngiyithandile impela, lizotholakala nini elinye iqembu?

    Ukubingelela nokubonga ngokwabelana

    Phendula ku-faustod
    1.    @NomzamoMbatha kusho
      kwenza iminyaka 10

      Siyabonga ngokuphawula.

      Ngithumele enye ingxenye izolo, ngokuhamba kosuku ngicabanga ukuthi bazoyishicilela.

      Ukubingelela

      Phendula ku @Jlcmux
  5.   Israel kusho
    kwenza iminyaka 10

    I-athikili enhle kakhulu umngani @ Jlcmux, ngifunde naye impela kwazise ucacise ukungabaza okuthile ebenginakho isikhathi esithile, ngendlela ongeke ube nenkinga ngayo ukwabelana ngencwadi yomthombo walesi sihloko, kaSébastien BOBILLIER, well slau2s and now ukubona ingxenye yesi-2, ama-salu2s.

    Phendula ku-Israyeli
    1.    @NomzamoMbatha kusho
      kwenza iminyaka 10

      Sawubona Siyabonga ngokuphawula u-Israyeli.

      Kuvela ukuthi le ncwadi ngiyiphethe ngokomzimba. Kepha ngithole lesi sixhumanisi ku-Google Books. http://books.google.com.co/books?id=zxASM3ii4GYC&pg=PA356&lpg=PA356&dq=S%C3%A9bastien+BOBILLIER+Linux+%E2%80%93+Administraci%C3%B3n+del+sistema+y+explotaci%C3%B3n+de+los+servicios+de+red#v=onepage&q=

      Ngicabanga ukuthi kuphelele.

      Phendula ku @Jlcmux
  6.   Ariel kusho
    kwenza iminyaka 10

    I-athikili enhle kakhulu, ngifaka umbuzo: Kungaba yini inzuzo yokusebenzisa i-linux njenge-router, uma ikhona, maqondana nehardware enikezelwe kuyo? Noma kwenzelwa ukuzivocavoca umzimba kuphela? Ngiyazi ukuthi kukhona ama-distros azinikele kepha angazi ukuthi kufanele asindise ama-PC amadala noma anikeze ukuguquguquka okungaphezulu kokucushwa.

    Phendula u-Ariel
    1.    @NomzamoMbatha kusho
      kwenza iminyaka 10

      Yebo, ngicabanga ukuthi okuhle nokungalungi kuncike esimweni lapho uzokusebenzisa khona lokhu. Kungani ngokuqinisekile ungeke uthenge i-UTM noma into enjalo endlini yakho? Futhi mhlawumbe ngebhizinisi elincane elingakwazi ukukukhokhela. Kuhle futhi njengokuzivocavoca, ngoba kukusiza uqonde yonke imiqondo yalokhu futhi ungalungiselela kangcono i-FWall ezinikele. Ngaphezu kwalokho cishe wonke lawa madivayisi empeleni anakho yi-Embedded Linux.

      Ukubingelela

      Phendula ku @Jlcmux
  7.   Ariel kusho
    kwenza iminyaka 9

    Sawubona, umbuzo, ungasikhiqiza isikhombimsebenzisi "sokufakelwa" ku-linux ngomzila ofanayo phakathi kwamanethiwekhi? (isitayela se-packet tracer) ukusebenza nemishini ebonakalayo? isb. uma ngine-eth0 (ngoba nginekhadi elilodwa), ngingaqala i-eth1 ukwenza enye inethiwekhi? Umfundisi omuhle kakhulu!

    Phendula u-Ariel
    1.    izinga kusho
      kwenza iminyaka 9

      KuLinux ungakha izixhumi ezibonakalayo, kunjalo. Uma une-eth0, ungaba ne-eth0: 0, eth0: 1, eth0: 2 ... njll

      Phendula u-elav
  8.   i-chinoloco kusho
    kwenza iminyaka 9

    Kuhle kakhulu, ngiyabonga ngokwabelana

    Phendula ku-chinoloco