Ku okuthunyelwe kwangaphambilini Sibone ukumiswa kwama-IPTable ukuthi asebenze njenge-Firewall. Manje sesiyabona ukuthi singawakha kanjani lawo maskripthi ukuze imithetho yenziwe ngokuzenzakalela lapho uhlelo luqala, nokuthi singayisusa kanjani noma simise leyo mithetho isikhashana.
Ngaphambi kokwenza iskripthi futhi sikubonise ukuthi sibukeka kanjani, ake sikhulume kancane nge-NAT nomqondo walokho esifuna ukukwenza ngalo mshini.
I-NAT nokuqukethwe kwesibonelo.
Uma sikhuluma nge-NAT, singakudida lokhu ngomzila, ngoba bobabili baphethe ukuxhuma amanethiwekhi amabili ahlukene komunye nomunye. Umehluko wangempela ukuthi ukuhanjiswa kusetshenziswa ukusuka kwinethiwekhi yendawo kuya kwenye futhi le nethiwekhi ingaxhuma ku-router bese iphuma iye kwi-Intanethi.
Ngenkathi, uma sikhuluma nge-NAT, sikhuluma ngokuhambisa amaphakethe kusuka kunethiwekhi yendawo noma yangasese kwinethiwekhi yomphakathi noma kwi-Intanethi. Lokhu ikwenza ngokufihla amaphakethe ngokubeka i-IP yomphakathi ehamba ngayo kwi-Intanethi. Lokho wukuthi, asidingi i-router, ngoba i-IP yomphakathi ibanjwe ngqo yikhompyutha ene-GNU / Linux.
Lokhu sizokusebenzisa ngesiqubulo esithi sisebenzisa i-Linux yethu njenge-router / firewall ukuphuma ku-Intanethi kusuka kunethiwekhi yendawo. Kepha lapha kungavela izimo ezimbili.
- Ukuthi iLinux yethu iphakathi komzila womhlinzeki wesevisi nenethiwekhi yendawo.
Kulokhu, phakathi kwe-router ne-Linux yethu kuzoba nenethiwekhi, futhi phakathi kwe-Linux nenethiwekhi yendawo kuzoba nenye inethiwekhi ehlukile. Lokhu kusho ukuthi i-router yethu bekungadingeki yenze i-NAT kanjalo, ngomzila olula womgwaqo njengoba kuchaziwe okuthunyelwe kwangaphambilini Kungakuhle.
- Ukuthi iLinux yethu inesixhumi esibonakalayo esixhunywe kunethiwekhi yasendaweni futhi ngesinye isikhombimsebenzisi sithola ngqo i-IP yomphakathi ezulazula ngayo.
Lokhu kusho ukuthi iLinux yethu kufanele yenze i-NAT ukuze amaphakethe afinyelele kwi-Intanethi.
Ngokwezinhloso zale laboratory encane ngaleso sikhathi, sizothi iLinux yethu ithola i-IP yomphakathi ngqo futhi ngaleyo ndlela ikwazi ukuhlola imiphumela yeNAT.
Ukwenza i-NAT sisebenzisa i-syntax
iptables -t nat -A UKUDLULA -O eth1 -j MASQUERADE
Lapho i-eth1 isikhombimsebenzisi lapho sithola khona i-ip yomphakathi, okungukuthi, lapho siya khona kwi-Intanethi.
Ukwakha iskripthi se-iptables
Ake sithi-ke: 172.26.0.0 yinethiwekhi yethu yasendaweni futhi i-81.2.3.4 iyi-IP yomphakathi esiya kuyo kwi-Intanethi. (iyi-static ip). Ngine-interface eth0 (Inethiwekhi yendawo)
eth1 (Inethiwekhi yomphakathi).
Ngokuyisisekelo iqukethe ukudala iskripthi esingabizwa kusuka ku- /etc/init.d/firestop (ngokwesibonelo). futhi kusuka kulo mbhalo singaqala, simise noma sihlole isimo sokumiswa kwethu, njengoba senza nganoma iyiphi i-daemon yohlelo.
Ake sithi imithetho yami ye-IPTABLES IYI:
#! / bin / bash # I-Firewall yasekhaya lami. # Igama lefayela / njll / firewall_on # NguJlcmux Twitter: @Jlcmux # # Inqubomgomo eyisisekelo. iptables -P INPOUT DROP iptables -P OUTPUT DROP iptables -P FORWARD DROP # #NAT to share Internet from eth0 to eth1 iptables -t nat -A POSTROUTING -O eth1 -j SNAT - to-source 81.2.3.4 # # Vumela ukuxhumana okungenayo okuqaliswe ama-iptables ami -I-FORWARD -m state --state ESTABLISHED, RELATED -j ACCEPT # # iptables traffic ephumayo egunyaziwe -A FORWARD -i eth0 -o eth1 -p tcp --dport 80 -j ACCEPT iptables -A PHAMBILI -i eth0 -o eth1 -p tcp --dport 443 -j ACCEPT iptables -A FORWARD -i eth0 -o eth1 -p udp --dport 53 -j ACCEPT
Ukuchazwa:
Iskripthi ngokuyisisekelo senza okulandelayo:
- Okokuqala khawula konke ukuzulazula, ukuxhumeka nethrafikhi. (Izinqubomgomo Eziyisisekelo ze-Firewall)
- Ngemuva kwalokho dala i-NAT nge-eth1 okuyiwa kuyo. okukhombisa ukuthi sine-static yomphakathi ip «81.2.3.4»
- Ivula amachweba adingekayo ukuthola amaphakethe wokuxhuma aqalwe yimina.
- Yamukela ithrafikhi ephumayo ye-HTTP, i-HTTPS, ne-DNS.
Uma besifuna ukusebenzisa imishini yethu ukuzulazula kufanele siphinde imigqa bese sishintsha PHAMBILI siye ku-INPUT noma ku-OUTPUT njengoba kufanele.
Khansela iskripthi.
Manje sizokwakha iskripthi esidlula konke lokhu okungenhla futhi sishiye ikhompyutha ihlanzekile kukho konke lokhu. (Ngezinhloso zokuhlola noma sifuna nje ukuvala i-firewall).
#! / bin / bash # I-Firewall yasekhaya lami. # Igama lefayela / njll.
Izenzakalelayo.
Manje kufanele senze iskripthi ngaphakathi /etc/init.d/ futhi insizakalo iqala ngokuzenzekelayo futhi singayiphatha ngendlela ethokomele.
#! / bin / bash # I-Firewall yasekhaya lami. # Igama lefayela /etc/init.d/ firewall # NguJlcmux Twitter: @Jlcmux icala $ 1 ekuqaleni) / etc / firewall_on ;; misa) / etc / firewall_off ;; isimo) iptables -L ;; *) echo "I-syntax engalungile. Kuvumelekile = /etc/init.d/ firewall start | stop | status ;; esac
Ukuchazwa:
Lo mbhalo wokugcina siwufakile /etc/init.d/ enegama isicishamlilo. Ngakho-ke uma sifuna ukuphatha i-firewall singasebenzisa umyalo /etc/init.d/ firewall start. Ngendlela efanayo singayimisa noma sibone umbuso.
Manje sizohlela ifayela /etc/rc.local futhi sibeka okufana: /etc/init.d/ firewall start ukuze iqale ngohlelo.
Kanjalo. Le yingxenye yesibili. Ngiyethemba liletha okuthile kini nonke. Kokulandelayo sibona i-Proxy ne-IDS.
Uma usebenzisa iDebian kunephakeji ku-repo (iptables-eqhubekayo) eyenza lokho kanye, ilahla imithetho yamanje ku- /etc/iptables/rules.v4 noma v6 kuya ngokuthi usebenzisa ini bese ikusebenzisa kuwe lapho uphakamisa uhlelo.
Ngokwenzayo, ukuhlanza ukucushwa okujwayelekile kwe-iptables firewall (futhi ukusebenzisa i-NAT bekungeke kube njalo ngokombono wami), ezimweni eziningi umthetho wokugudluza nokusetha kabusha izinqubomgomo ezizenzakalelayo ku-ACCEPT kuzokwanela.
Kepha ngombono, futhi ngokwazi kwami, ngaphezu kwalokhu udinga nokusula izintambo ezingezona ezenzakalelayo bese usetha kabusha izinto zokubala. Izenzo okufanele zenziwe kucatshangelwa ukuthi ngaphezu kwe- "filter" kukhona amanye amatafula, (kuphoqelekile ukufunda ifayili "/ proc / net / ip_tables_names" lalokhu).
Ngendlela, i-orthodoxy ithi i-firewall kumele ngabe isivele iphakame ngaphambi kokuthi inethiwekhi ibe. Angazi ukuthi itholakala kanjani kwezinye izinhlelo zeLinux, kepha kwabakwaDebian iskripthi singashintshwa futhi sisethwe enkombeni "/etc/network/if-pre-up.d/".
I-firewalling enhle wonke umuntu. 😉
Sawubona, okuthunyelwe kuhle kakhulu. Ngifunde yonke imiqulu emi-2.
Ilinde okulandelayo 🙂
Umbuzo ovela ekungazini kwami, siyaqhubeka nama-iptables, kepha ezinhlotsheni eziningana ze-kernel sine-nftables, sengiyayihlola, imibuzo ithi, ingabe i-nftables yinto ethile ye-beta maqondana nama-iptables? Ngabe ama-iptables azoqhubeka nokusetshenziswa isikhathi eside?
Ngiyabonga
I-nftables ifaka phakathi konke ukusebenza kwama-iptables, ama-ip6tables, ama-arptable nama-ebtables, konke kusetshenziswa ingqalasizinda entsha kuzo zombili i-kernelspace ne-userspace, eqinisekisa ukusebenza okungcono nokusebenza okuthuthukile. Ama-nftables azothatha isikhundla se-iptables nawo wonke amanye amathuluzi ashiwo kepha hhayi okwamanje, okungenani kuze kube yilapho sekusetshenziswa kabanzi okwengeziwe kwama-nftable kanjalo.
okuthunyelwe okuhle kakhulu, bengifuna ukufunda okuningi ngoba kuchazwe kahle kakhulu .. imikhonzo ngiyabonga umnikelo omkhulu
Sawubona! Kuhle kakhulu kokubili okuthunyelwe.
Njengomnikelo ungangeza ekugcineni kule ngxenye:
"Manje sizohlela ifayela le / /etc/rc.local bese sibeka okufana nalokhu: /etc/init.d/ firewall start ukuze iqale ngohlelo."
Faka lokhu ku-rc.local.
uma [-x /etc/init.d/ firewall]; lapho-ke
/etc/init.d/ firewall start
fi
Okusho ukuthi uma "i-firewall" inezimvume zokwenza, yisebenzise, uma kungenjalo.
Uma ufuna ukuthi "i-firewall" ingaqali, kufanele ususe izimvume.
Isibonelo: chmod + x /etc/init.d/ firewall
ukuyenza isebenze kukho konke ukuqala noma ...
chmod -x /etc/init.d/ firewall
ukuyikhubaza ngokuphelele.
Ukubingelela!