Introduction to IPTABLES: set up a firewall on Linux


To set up a firewall on Linux we can use iptables, a powerful tool that many users seem to have forgotten. Although there are alternatives, such as ebtables and arptables for filtering traffic at the link layer, or squid at the application layer, iptables is useful in a great many situations and gives our system good security at the network and transport layers.

The Linux kernel implements the packet filtering that iptables controls, and in this article we will show you how to configure it in a simple way. Put simply, iptables decides which traffic may and may not get in, isolating your machine from possible threats. And although there are other projects such as Firehol, Firestarter, etc., most firewall programs use iptables underneath...

Well, let's get down to work, with examples so that you understand everything better (these commands need privileges, so put sudo in front of each command or run them as root):

The usual way of using iptables to create a filtering rule is:

iptables -ARGUMENTS I/O -j ACTION

-ARGUMENTS are the arguments we will use, usually -P to set the default policy, although there are others such as -L to list the rules we have created, -F to delete (flush) the rules we created, -Z to reset the byte and packet counters, etc. Other options are -A to append a rule (which is not the default), -I to insert a rule at a given position, and -D to delete a given rule. There are also arguments that refer to -p the protocol, --sport the source port, --dport the destination port, -i the incoming interface, -o the outgoing interface, -s the source IP address and -d the destination IP address.


Next, I/O represents whether the policy or rule applies to INPUT for incoming traffic, OUTPUT for outgoing traffic or FORWARD for traffic being routed through the machine (there are others, such as PREROUTING and POSTROUTING, but we will not use them). Finally, what I called ACTION (given after -j) can take the value ACCEPT if we accept the packet, REJECT if we reject it or DROP if we discard it. The difference between DROP and REJECT is that when a packet is rejected with REJECT, the machine that sent it is told that it was rejected, whereas DROP works silently: the attacker or sender does not know what happened, and cannot tell whether we have a firewall or the connection simply failed. There are also others, such as LOG, which writes an entry to syslog...

To configure the rules, we can edit the iptables rules file with our favourite editor, nano, gedit, ... or write scripts containing the rules (if you want to disable one, you can put # in front of the line so that it is ignored as a comment), or enter them from the console with commands as we will explain here. On Debian and derivatives you can also use the iptables-save and iptables-restore tools...

The most restrictive policy is to block everything, absolutely all traffic, but this will leave us isolated, with:

iptables -P INPUT DROP

To accept everything:

iptables -P INPUT ACCEPT

If we want all traffic leaving our machine to be accepted:

iptables -P OUTPUT ACCEPT

Another extreme action would be to delete all the iptables rules with:

iptables -F

Let's move on to more concrete rules. Imagine you have a web server and therefore traffic to port 80 must be allowed:

iptables -A INPUT -p tcp --dport 80 -j ACCEPT

And if we extend the previous rule, we can make the machine running iptables visible only to the computers on our subnet and invisible to the outside network:

iptables -A INPUT -p tcp -s 192.168.30.0/24 --dport 80 -j ACCEPT

In the previous line, what we are telling iptables is to append a rule (-A) to the INPUT chain so that incoming TCP traffic to port 80 from that subnet is accepted. Now imagine you want to deny web browsing to the local machines whose traffic passes through the machine running iptables:

iptables -t filter -A FORWARD -i eth1 -o eth0 -p tcp --dport 80 -j DROP

I think the usage is simple: knowing what each iptables parameter means, we can add simple rules, and you can build any combination of rules you can imagine... So as not to drag this out too much, I will only add one more thing, which is that if the machine is rebooted, the rules you created are lost. The tables are reinitialised and go back to their initial state, so once you have your rules well defined, if you want to make them permanent, you must have them run from /etc/rc.local, or, if you have Debian or a derivative, use the tools we are given (iptables-save, iptables-restore and iptables-apply).
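The rules above, assembled into one ruleset in the format that iptables-save produces and iptables-restore loads, as an added example that is not part of the original article. It assumes the interface names (eth1 on the LAN side, eth0 on the WAN side) and subnet used in the article, adds the loopback and established-connection rules a DROP policy needs in practice, and only touches the kernel when explicitly asked with --apply.

```shell
#!/bin/sh
# Added example: build an iptables-restore ruleset from the article's rules.
# Assumed values (overridable from the environment): LAN interface eth1,
# WAN interface eth0, web server reachable only from 192.168.30.0/24.
LAN_IF="${LAN_IF:-eth1}"
WAN_IF="${WAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.30.0/24}"

# Print the whole filter table in iptables-save format. Loading it with
# iptables-restore replaces the table atomically, unlike a list of -A commands.
build_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback must stay open or local services stop talking to each other
-A INPUT -i lo -j ACCEPT
# OUTPUT is open, so let the replies to our own connections back in
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# web server visible only to our subnet (the article's -s rule)
-A INPUT -p tcp -s $LAN_NET --dport 80 -j ACCEPT
# record what the DROP policy silently discards, rate limited to protect syslog
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
# no web browsing for LAN hosts routed through this box (the article's FORWARD rule)
-A FORWARD -i $LAN_IF -o $WAN_IF -p tcp --dport 80 -j DROP
COMMIT
EOF
}

# True when the generated ruleset contains exactly the given line.
has_rule() {
    build_rules | grep -Fxq -- "$1"
}

# Dry run by default (prints the ruleset); apply as root with:  sh firewall.sh --apply
# Persist on Debian afterwards with:  iptables-save > /etc/iptables/rules.v4
if [ "${1:-}" = "--apply" ]; then
    build_rules | iptables-restore
else
    build_rules
fi
```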


10 comments, leave yours


  1.   Jimmy orano said

    This is the first article I have seen on IPTABLES which, although dense (it requires an intermediate level of knowledge), GOES STRAIGHT TO THE POINT.

    I recommend that everyone use it as a "quick reference guide", since it is very well structured and explained 8-)

  2.   JESUS said

    I would like you to discuss in a future article how the change to systemd in many Linux distributions affects the security of Linux in general in some way, and whether this change is for better or for worse for the future of Linux distributions. I would also like to know what is known about the future of Devuan (Debian without systemd).
    Thank you very much, you write very good articles.

  3.   slevin said

    Could you write an article explaining the mangle table?

  4.   Sebastian said

    Just block Facebook?