Introduction to IPTABLES: setting up a firewall on Linux


To set up a firewall on Linux we can use iptables, a powerful tool that many users seem to have forgotten about. Although there are alternatives, such as the link-layer filters ebtables and arptables, or Squid at the application layer, iptables is very useful in most cases and lets us enforce good security on our system at the network and transport layers.

The Linux kernel implements netfilter, the component in charge of packet filtering, and in this article we show you how to configure it in a simple way. Put simply, a firewall decides which data may and may not come in, isolating your machine from the threats that could harm it. And although there are other projects such as Firehol, Firestarter and so on, many of these firewall programs use iptables underneath...

So, let's get down to work; with examples you will understand everything better (these commands need privileges, so put sudo in front of them or run them as root):

The general form of an iptables command for creating filtering policies is:

iptables -ARGUMENT I/O ACTION

Where -ARGUMENT is the option we are going to use, usually -P to set the default policy, although there are others such as -L to list the policies we have configured, -F to flush the rules we have created, -Z to reset the byte and packet counters, and so on. Other options are -A to append a rule (not a default policy), -I to insert a rule at a specific position, and -D to delete a given rule. There are also further arguments to specify the protocol (-p), the source port (--sport), the destination port (--dport), the incoming interface (-i), the outgoing interface (-o), the source IP address (-s) and the destination IP address (-d).


Next, I/O indicates whether the policy applies to incoming traffic (INPUT), to outgoing traffic (OUTPUT) or to forwarded traffic (FORWARD); there are others such as PREROUTING and POSTROUTING, but we will not use them here. Finally, what I have called ACTION can take the value ACCEPT if we allow the packet, REJECT if we reject it, or DROP if we discard it. The difference between DROP and REJECT is that when a packet is rejected with REJECT, the originating machine is told that it was refused, whereas DROP is silent: the attacker or source will not know what happened, nor whether we have a firewall or the connection was simply lost. There are other targets too, such as LOG, which records the packet via syslog...

To edit the rules we can open the iptables rules file with our favourite text editor (nano, gedit, ...) or write a script containing the rules (if you want to skip one, put # at the start of its line so it is ignored as a comment) using the console commands we explain here. On Debian and its derivatives you can also use the iptables-save and iptables-restore tools.

The most restrictive policy is to block everything, absolutely all traffic, although this would leave us cut off:

iptables -P INPUT DROP

To accept everything:

iptables -P INPUT ACCEPT

If we want all outgoing traffic from our machine to be accepted:

iptables -P OUTPUT ACCEPT

Another radical step would be to flush every rule from iptables with:

iptables -F

Let's move on to more specific rules. Imagine you have a web server and therefore must allow traffic on port 80:

iptables -A INPUT -p tcp --dport 80 -j ACCEPT

And if, instead of the previous rule, we want the web server to be reachable only by computers on our subnet and not discoverable from the Internet:

iptables -A INPUT -p tcp -s 192.168.30.0/24 --dport 80 -j ACCEPT

In that line we are telling netfilter to append a rule (-A) to the INPUT chain for the TCP protocol on port 80, limited to the source subnet. Now imagine you want to deny web browsing to the local machines whose traffic passes through the machine running the firewall:

iptables -t filter -A FORWARD -i eth1 -o eth0 -p tcp --dport 80 -j DROP

I think it is simple to use: knowing what each iptables parameter means, we can add straightforward rules and combine them in any way we can think of... So as not to go on too long, I will add just one more thing: if the machine reboots, the rules you created are lost. The tables are reset and go back to how they were before, so once you have your rules defined properly and want to make them permanent, you must have them run at startup from /etc/rc.local or, on Debian and its derivatives, use the tools provided for this (iptables-save, iptables-restore and iptables-apply).
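As an added example (not part of the original article), the following script assembles the rules discussed above into a single iptables-restore file, which is the format iptables-save writes and the natural way to make the ruleset survive a reboot. It assumes the article's subnet 192.168.30.0/24, eth1 as the LAN interface and eth0 as the Internet-facing one, and it adds the loopback and ESTABLISHED,RELATED exceptions that a default-DROP INPUT policy needs so the machine's own outgoing connections keep working.

```shell
#!/bin/sh
# Added example: generate an iptables-restore file for the web-server
# scenario described in the article. Values below are assumptions.
LAN_NET="192.168.30.0/24"   # subnet from the article
LAN_IF="eth1"               # interface towards the local network
WAN_IF="eth0"               # interface towards the Internet

# Print a complete filter-table ruleset in iptables-save format.
# INPUT and FORWARD default to DROP, OUTPUT to ACCEPT, as in the article.
ruleset() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback and replies to our own connections must pass before anything else
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# web server reachable only from our subnet (the article's -s rule)
-A INPUT -p tcp -s ${LAN_NET} --dport 80 -j ACCEPT
# record anything else that arrives; the DROP policy then discards it silently
-A INPUT -j LOG --log-prefix "iptables-drop: "
# LAN hosts may not browse the web through this box (the article's FORWARD rule)
-A FORWARD -i ${LAN_IF} -o ${WAN_IF} -p tcp --dport 80 -j DROP
COMMIT
EOF
}

# Number of -A rule lines produced, for a quick sanity check of the output.
rule_count() {
  ruleset | grep -c '^-A'
}

# Apply as root, e.g. into the file Debian's iptables-persistent package loads at boot:
#   ruleset > /etc/iptables/rules.v4 && iptables-restore < /etc/iptables/rules.v4
```

Loading the file with iptables-restore replaces the whole filter table atomically, so there is no window in which only half of the rules are active, unlike running the iptables commands one by one from a script.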



  1. Jimmy olano

    This is the first article I have seen on IPTABLES that, although it is extensive (it requires intermediate knowledge), GETS STRAIGHT TO THE POINT.

    I recommend everyone use it as a "quick reference", because it is very good and clear. 8-)

  2. YESU

    I would like you to talk in a future article about whether the switch to systemd in most Linux distributions affects the security of Linux in general in any way, and whether this change is for better or for worse for the future of Linux distributions. I would also like to know what is known about the future of devuan (debian without systemd).
    Thank you very much for writing such good articles.

  3. slevin

    Could you write an article explaining the mangle table?

  4. Sebastian

    How do I block only Facebook?