para ukumisa i-firewall noma i-firewall ku-Linux, singasebenzisa ama-iptables, ithuluzi elinamandla elibonakala likhohliwe abasebenzisi abaningi. Yize kunezinye izindlela, ezinjengama-ebtable kanye nama-arptable wokuhlunga ithrafikhi ezingeni lokuxhumanisa, noma i-squid ezingeni lokufaka isicelo, ama-iptables angasiza kakhulu ezimweni eziningi, aqalise ukuphepha okuhle ohlelweni lwethu ezingeni lomgwaqo nasekuthuthweni kwenetha .
I-Linux kernel isebenzisa ama-iptables, ingxenye leyo unakekela ukuhlunga amaphakethe nokuthi kule ndatshana sikufundisa ukuthi ulungiselele ngendlela elula. Kalula nje, ama-iptables akhomba ukuthi yiluphi ulwazi olungangena nolungeke lungene, luhlukanisa iqembu lakho nezinsongo ezingaba khona. Futhi yize kunamanye amaphrojekthi afana neFirehol, iFirestarter, njll., Eziningi zalezi zinhlelo ze-firewall zisebenzisa ama-iptables ...
Yebo, Ake siqale ukusebenza, ngezibonelo uzokuqonda konke kangcono (kulawa macala kuyadingeka ukuba ube namalungelo, ngakho-ke sebenzisa iSudo phambi komyalo noma ube yimpande):
Indlela ejwayelekile yokusebenzisa iptables ukudala inqubomgomo yokuhlunga yile:
IZINHLANGANO EZININGI - IZIPHAMBANO ISENZO SE-I / O
Kuphi -UMPHIKISANO ukhona impikiswano esizoyisebenzisa, imvamisa -P ukusungula inqubomgomo ezenzakalelayo, noma kukhona ezinye ezinjenge -L ukubona izinqubomgomo esizilungisile, -F Ukususa inqubomgomo edaliwe, -Z ukusetha kabusha amabala we-byte namaphakethe, njll. Enye inketho -A ukufaka inqubomgomo (hhayi okuzenzakalelayo), -I ukufaka umthetho endaweni ethile, kanye -D ukususa umthetho onikeziwe. Kuzoba nezinye izimpikiswano zokukhomba ku- -p protocols, –sport source port, –dport for ukuphela port, -i interface engenayo, -o interface interface, -s source IP address and -d destination IP address.
Ngaphezu kwalokho i-O / O izomela uma ipolitiki Kusetshenziswa okokufaka kwe-INPUT, kokukhishwayo kwe-OUTPUT noma kuqondiswa kabusha kwethrafikhi (kukhona ezinye ezifana ne-PREROUTING, POSTROUTING, kepha ngeke sizisebenzise). Ekugcineni, lokho engikubize nge-ACTION kungathatha inani LAMUKELE uma samukela, NQABA uma senqaba noma SIXAZA uma siqeda. Umehluko phakathi kwe-DROP ne-REJECT ngukuthi lapho iphakethe linqatshwa nge-REJECT, umshini owuqalile uzokwazi ukuthi wenqatshiwe, kepha nge-DROP wenza buthule futhi umhlaseli noma imvelaphi ngeke azi ukuthi kwenzekeni, futhi ngeke yazi uma sine-firewall noma ukuxhumana kuhlulekile Kukhona nezinye ezifana ne-LOG, ezithumela ukulandelwa kwe-syslog ...
Ukuguqula imithetho, singahlela ifayili le-iptables ngesihleli sethu sombhalo esincamelayo, i-nano, i-gedit, ... noma sakhe imibhalo enemithetho (uma ufuna ukuyikhipha, ungayenza ngokubeka i- # phambi komugqa ukuze ibe kunganakwa njengamazwana) ngokusebenzisa ikhonsoli enemiyalo njengoba sizokuchaza lapha. Ku-Debian nakwezinye izinto ongazisebenzisa ungasebenzisa i-iptables-save kanye ne-iptables-restore tools ...
Inqubomgomo eyeqise kakhulu ukuvimba yonke into, ngokuphelele sonke isiminyaminya, kepha lokhu kuzosishiya sodwa, no:
iptables -P INPUT DROP
Ukwamukela konke:
iptables -P INPUT ACCEPT
Uma sifuna lokho yonke ithrafikhi ephumayo eqenjini lethu iyamukelwa:
iptables -P OUTPUT ACEPT
La esinye isenzo esinamandla kungaba ukusula zonke izinqubomgomo kusuka kuma-iptables nge:
iptables -F
Ake siye emithethweni ethe xaxaCabanga ukuthi une-server yewebhu ngakho-ke ithrafikhi edlula echwebeni 80 kumele ivunyelwe:
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
Futhi uma ngaphezu komthetho odlule, sifuna iqembu elinama-iptables kubonakala kuphela ngamakhompyutha ku-subnet yethu futhi lokho akunakwa yinethiwekhi yangaphandle:
iptables -A INPUT -p tcp -s 192.168.30.0/24 --dport 80 -j ACCEPT
Kulayini owedlule, esikushoyo kuma-iptables ukufaka umthetho -A, ukuze okokufaka kwe-INPUT, nephrothokholi ye-TCP, ngetheku 80, yamukelwe. Manje ake ucabange ukuthi ufuna ngikwenze ukuphequlula iwebhu kuyanqatshwa imishini yasendaweni edlula emshinini osebenzisa ama-iptables:
iptables -t filter -A FORWARD -i eth1 -o eth0 -p tcp --dport 80 DROP
Ngicabanga ukuthi ukusetshenziswa kulula, uma kubhekwa ukuthi ipharamitha ngayinye yama-iptables yenzelwe ini, singangeza imithetho elula. Ungenza yonke inhlanganisela nemithetho esiyicabangayo ... Ukuze ungazeluli ngokwengeziwe, vele ungeze into eyodwa ngaphezulu, futhi lokho wukuthi uma umshini uvuselelwa kabusha, izinqubomgomo ezidaliwe zizosuswa. Amatafula aqalisiwe kabusha futhi azohlala njengakuqala, ngakho-ke, uma usuyichaze kahle imithetho, uma ufuna ukubenza babe unomphela, kufanele ubenze baqalise kusuka /etc/rc.local noma uma une-Debian noma okuphuma kokunye sebenzisa amathuluzi esiwanikiwe (iptables-save, iptables-restore and iptables-apply).
Lesi yindatshana yokuqala engiyibona ku-IPTABLES ukuthi, yize iminyene - idinga ulwazi olusezingeni eliphakathi-, IYA EBUTHINI NGOKUQONDILE.
Ngincoma wonke umuntu ukuthi ayisebenzise njenge- "manual reference esheshayo" njengoba ifingqiwe kahle futhi yachazwa 8-)
Ngingathanda ukuthi ukhulume endatshaneni ezayo mayelana nokuthi ushintsho olwenziwe kusistimu ekusatshalalisweni okuningi kwe-linux, luthinta ngandlela thile ukuphepha kwe-linux ngokujwayelekile, nokuthi uma lolu shintsho lungelokuhle noma okubi kakhulu ekusakazweni kwe-linux. Ngingathanda nokwazi ukuthi yini eyaziwayo ngekusasa le-devuan (debian ngaphandle kwe-systemd).
Ngiyabonga kakhulu wenza izindatshana ezinhle kakhulu.
Ngabe ungenza i-athikili echaza itafula lama-mangle?
Vimba i-Facebook kuphela?