ukuba Qwalasela i-firewall okanye i-firewall kwiLinux, sinako ukusebenzisa iptables, Isixhobo esinamandla esibonakala ngathi silityelwe ngabasebenzisi abaninzi. Nangona zikho ezinye iindlela, ezinje ngee-ebtable kunye nezinto ezinokucocwa zokucoca ukugcwala kwinqanaba lokudibanisa, okanye iS squid kwinqanaba lesicelo, ii-iptables zinokuba luncedo kakhulu kwiimeko ezininzi, ukumilisela ukhuseleko olufanelekileyo kwinkqubo yethu kwinqanaba lokugcwala kunye nokuthuthwa komnatha. .
I-Linux kernel isebenzisa iptables, inxenye ethi Unakekela iipakethe zokucoca kwaye kweli nqaku sikufundisa ukuba uqwalasele ngendlela elula. Ukubeka ngokulula, ii-iptables zichonga ukuba loluphi ulwazi olunokungena kwaye alunakungena, ukwahlula iqela lakho kwizisongelo ezinokubakho. Kwaye nangona zikho ezinye iiprojekthi ezinje ngeFirehol, iFirestarter, njl., Uninzi lwezi nkqubo zomlilo zisebenzisa iptables ...
Ewe, Makhe siye emsebenzini, ngemizekelo oya kuyiqonda ngcono yonke into (kula matyala kufuneka ubenamalungelo, ke sebenzisa Sudo phambi komyalelo okanye ube yingcambu):
Indlela ngokubanzi yokusebenzisa iptables ukwenza umgaqo-nkqubo wokucoca yile:
IPHEPHA -IINGXOXO I / O YENZO
Phi -I-ARGUMENT ikho impikiswano esiza kuyisebenzisa, ngesiqhelo -P ukuseka umgaqo-nkqubo osilelayo, nangona zikhona ezinye ezinje -L ukubona imigaqo-nkqubo esiyilungisileyo, -F ukucima umgaqo-nkqubo owenziweyo, -Z ukuseta kwakhona i-byte kunye neepakethi zokubala, njl. Olunye ukhetho kukuba -A ukongeza umgaqo-nkqubo (hayi ongagqibekanga), -i ukufaka umthetho kwindawo ethile, kunye -D ukucima umthetho onikiweyo. Kuya kubakho ezinye iingxoxo ukukhomba -p iiprothokholi, -sport source port, -dport ye-port port, -i-interface engenayo, -o-interface ophumayo, -s idilesi ye-IP kunye -d idilesi ye-IP.
Ngapha koko I / O iya kubonisa ukuba ezopolitiko Isetyenziswe kwigalelo le-INPUT, kwimveliso ye-OUTPUT okanye kukuphinda ubuye kwindlela yezithuthi (kukho ezinye ezinje nge-PREROUTING, POSTROUTING, kodwa asizukuzisebenzisa). Okokugqibela, into endiyibize ngokuba yi-ACTION inokuthatha ixabiso LAMKELE ukuba samkela, YENZA ukuba siyala okanye SIYASIPHA ukuba siyasusa. Umahluko phakathi kwe-DROP kunye ne-REJECT kukuba xa ipakethi ikhatyiwe nge-REJECT, umatshini ovela kuyo uya kwazi ukuba uyaliwe, kodwa nge-DROP wenza cwaka kwaye umhlaseli okanye imvelaphi akazukukwazi okwenzekileyo, kwaye ngekhe sazi ukuba sine-firewall okanye uqhagamshelo aluphumelelanga. Kukho nezinye, ezinje nge-LOG, ezilandelela isyslog ...
Ukuguqula imigaqo, singazihlela iifayile ze-iptables ngomhleli wokubhaliweyo esikukhethileyo, nano, gedit, ... okanye wenze izikripthi ezinemigaqo (ukuba ufuna ukuzibhala ngaphezulu, ungayenza ngokubeka # phambi komgca ukuze ibe Ukungahoywa njengamagqabantshintshi) ngekhonsoli enemiyalelo njengoko siza kuyichaza apha. Kwi-Debian nakwiziphumo onokuzisebenzisa ukugcina-iptables kunye neeptables-ukubuyisela izixhobo ...
Umgaqo-nkqubo ogqithiseleyo kukuvimba yonke into, ngokupheleleyo zonke izithuthi, kodwa oku kuya kusishiya sodwa, kunye:
iptables -P INPUT DROP
Ukwamkela konke:
iptables -P INPUT ACCEPT
Ukuba siyayifuna loo nto Zonke izithuthi eziphumayo kwiqela lethu zamkelwe:
iptables -P OUTPUT ACEPT
La Elinye inyathelo elibukhali kukucima yonke imigaqo-nkqubo ukusuka iptables nge:
iptables -F
Makhe siye kwimithetho ebambekayoKhawufane ucinge ukuba uneseva yewebhu kwaye ngenxa yoko ukugcwala kwizikhululo ezingama-80 kufuneka kuvunyelwe:
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
Kwaye ukuba ukongeza kumgaqo wangaphambili, sifuna iqela elinee-iptables kubonakala kuphela kwiikhompyuter kwi-subnet yethu kwaye loo nto ayiqwalaselwa yinethiwekhi yangaphandle:
iptables -A INPUT -p tcp -s 192.168.30.0/24 --dport 80 -j ACCEPT
Kumgca odlulileyo, into esiyithethayo kwi-iptables kukongeza umthetho -A, ukuze amagalelo e-INPUT, kunye ne-TCP protocol, ngezibuko 80 yamkelwe. Ngoku khawufane undifune Ukhangelo lwewebhu luyaliwe Oomatshini bendawo abadlula kumatshini osebenzisa iptables:
iptables -t filter -A FORWARD -i eth1 -o eth0 -p tcp --dport 80 DROP
Ndicinga ukuba ukusetyenziswa kulula, kuthathelwa ingqalelo ukuba yeyiphi iparameter ye-iptables, sinokongeza imigaqo elula. Unokwenza yonke indibaniselwano kunye nemithetho esiyicingayo ... Ukuze ungandisi ngakumbi, yongeza enye into, kwaye oko kukuthi ukuba umatshini wenziwa ngokutsha, imigaqo-nkqubo eyenziweyo iya kucinywa. Iitafile ziqalisiwe kwaye ziya kuhlala zinje ngaphambili, ke ngoko, xa uyichaze kakuhle imigaqo, ukuba ufuna ukubenza basisigxina, kufuneka ubenze baqalise ukusuka /etc/rc.local okanye ukuba uneDebian okanye ezinye izinto ezisebenzisiweyo sebenzisa izixhobo esizinikiweyo (iptables-save, iptables-restore and iptables-apply).
Eli linqaku lokuqala endilibonayo KWI-IPTABLES ukuba, nangona lixinene-lifuna inqanaba eliphakathi lolwazi-, LIYA NGQO KWI-GRAIN.
Ndincoma wonke umntu ukuba ayisebenzise njenge "ncwadana yemigaqo ekhawulezayo" njengoko icinezelwe kakuhle kwaye icacisiwe. 8-)
Ndingathanda ukuba uthethe kwinqaku elizayo malunga nokuba ngaba utshintsho kwindlela yokusebenza kuninzi lwe-linux, ichaphazela ngandlela thile ukhuseleko lwe-linux ngokubanzi, kwaye ukuba olu tshintsho lolokulunga okanye kubi kwikamva kunye nokusasazwa kwe-linux. Ndingathanda nokwazi okwaziwayo ngekamva le-devuan (i-debian ngaphandle kwenkqubo).
Enkosi kakhulu ngokwenza amanqaku amnandi kakhulu.
Ngaba unokwenza inqaku elichaza itafile yemangle?
Vimba kuphela i-Facebook?