How to Configure an Iptables Firewall to Enable Remote Access to Services in Linux - Part 8

You will recall from Part 1 - About Iptables of this LFCE (Linux Foundation Certified Engineer) series that we gave a basic description of what a firewall is: a mechanism to manage packets coming into and leaving the network. By "manage" we actually mean:

  1. To allow or prevent certain packets from entering or leaving our network.
  2. To forward other packets from one point of the network to another.

based on predetermined criteria.

In this article we will discuss how to implement basic packet filtering and how to configure the firewall with iptables, a frontend to netfilter, which is the native kernel module used for firewalling.

Please note that firewalling is a vast subject and this article is not intended to be a comprehensive guide to understanding everything there is to know about it, but rather a starting point for a deeper study of the topic. However, we will revisit the subject in Part 10 of this series when we explore a few specific use cases of a firewall in Linux.

You can think of a firewall as an international airport where passenger planes come and go almost 24/7. Based on a number of conditions, such as the validity of a person's passport, or his or her country of origin (to name a few examples), he or she may or may not be allowed to enter or leave a certain country.

At the same time, airport officers can instruct people to move from one place in the airport to another if necessary, for example when they need to go through Customs.

We may find the airport analogy useful during the rest of this tutorial. Just keep in mind the following relations as we proceed:

  1. Persons = Packets
  2. Firewall = Airport
  3. Country #1 = Network #1
  4. Country #2 = Network #2
  5. Airport regulations enforced by officers = firewall rules

Iptables - The Basics

At the lowest level, it is the kernel itself that "decides" what to do with packets, based on rules grouped in chains. These chains define the actions that should be taken when a packet matches the criteria specified by their rules.

The first action taken by iptables consists in deciding what to do with a packet:

  1. Accept it (let it through into our network)?
  2. Reject it (prevent it from entering our network)?
  3. Forward it (to another chain)?

In case you were wondering why this tool is called iptables, it is because these chains are organized in tables, with the filter table being the best known and the one used to implement packet filtering. It has three default chains:

1. The INPUT chain handles packets coming into the network which are destined for local programs.

2. The OUTPUT chain is used to analyze packets originating in the local network which are to be sent to the outside.

3. The FORWARD chain processes packets which should be forwarded to another destination (as in the case of a router).

For each of these chains there is a default policy, which dictates what should be done by default when a packet does not match any of the rules in the chain. You can view the rules created for each chain and its default policy by running the following command:

# iptables -L

The available policies are as follows:

  1. ACCEPT → lets the packet through. Any packet that does not match any rule in the chain is allowed into the network.
  2. DROP → drops the packet quietly. Any packet that does not match any rule in the chain is prevented from entering the network.
  3. REJECT → rejects the packet and returns an informative message. This one in particular does not work as a default policy. Instead, it is meant to complement packet filtering rules.

When it comes to deciding which policy you will implement, you need to consider the pros and cons of each approach as explained above - note that there is no one-size-fits-all solution.

To add a rule to the firewall, invoke the iptables command as follows:

# iptables -A chain_name criteria -j target

where,

  1. -A stands for Append (append the current rule to the end of the chain).
  2. chain_name is either INPUT, OUTPUT, or FORWARD.
  3. target is the action, or policy, to apply in this case (ACCEPT, REJECT, or DROP).
  4. criteria is the set of conditions against which the packet is examined. It is composed of at least one (most likely more) of the following flags. Options inside brackets, separated by a vertical bar, are equivalent to each other. The rest are optional switches:

[--protocol | -p] protocol: specifies the protocol involved in a rule.
[--source-port | --sport] port:[port]: defines the port (or range of ports) where the packet originated.
[--destination-port | --dport] port:[port]: defines the port (or range of ports) to which the packet is destined.
[--source | -s] address[/mask]: represents the source address or network/mask.
[--destination | -d] address[/mask]: represents the destination address or network/mask.
[--state] state (preceded by -m state): manages packets depending on whether they belong to a tracked connection, where state can be NEW, ESTABLISHED, RELATED, or INVALID.
[--in-interface | -i] interface: specifies the input interface of the packet.
[--out-interface | -o] interface: the output interface.
[--jump | -j] target: what to do when the packet matches the rule.

Let's put all of this together in 3 classic examples, using the following test scenario for the first two:

Firewall: Debian Wheezy 7.5 
Hostname: dev2.gabrielcanepa.com
IP Address: 192.168.0.15
Source: CentOS 7 
Hostname: dev1.gabrielcanepa.com
IP Address: 192.168.0.17

And this one for the last example:

NFSv4 server and firewall: Debian Wheezy 7.5 
Hostname: debian
IP Address: 192.168.0.10
Source: Debian Wheezy 7.5 
Hostname: dev2.gabrielcanepa.com
IP Address: 192.168.0.15

We will begin by defining a DROP rule for incoming pings to our firewall. That is, icmp packets will be discarded quietly.

# ping -c 3 192.168.0.15
# iptables -A INPUT --protocol icmp --in-interface eth0 -j DROP

Before proceeding with the REJECT part, we will flush all rules from the INPUT chain to make sure our packets are tested by this new rule:

# iptables -F INPUT
# iptables -A INPUT --protocol icmp --in-interface eth0 -j REJECT
# ping -c 3 192.168.0.15

We will use the OUTPUT chain when handling outgoing traffic, in this case rejecting outbound SSH connections:

# iptables -A OUTPUT --protocol tcp --destination-port 22 --out-interface eth0 --jump REJECT

Run these commands on the NFSv4 server/firewall to close ports 2049 and 111 to all incoming traffic:

# iptables -F
# iptables -A INPUT -i eth0 -s 0/0 -p tcp --dport 2049 -j REJECT
# iptables -A INPUT -i eth0 -s 0/0 -p tcp --dport 111 -j REJECT

Now let's open those ports and see what happens.

# iptables -A INPUT -i eth0 -s 0/0 -p tcp --dport 111 -j ACCEPT
# iptables -A INPUT -i eth0 -s 0/0 -p tcp --dport 2049 -j ACCEPT

As you can see, we were able to mount the NFSv4 share after opening up the traffic.

In the previous examples we showed how to append rules to the INPUT and OUTPUT chains. Should we want to insert them at a predefined position instead, we should use the -I (uppercase i) switch.

You need to remember that rules are evaluated one after another, and that evaluation stops (or jumps) as soon as a rule with a DROP or ACCEPT target is matched. For that reason, you may find yourself needing to move rules up or down in the chain as required.

We will use a trivial example to demonstrate this:

Let's place the following rule,

# iptables -I INPUT 2 -p tcp --dport 80 -j ACCEPT

at position 2 in the INPUT chain (thus moving the previous #2 to #3).

With the above setup, traffic will be checked to see whether it is directed to port 80 before it is checked for port 2049.

Alternatively, you can delete a rule and change the target of the remaining rules to REJECT (using the -R switch):

# iptables -D INPUT 1
# iptables -nL -v --line-numbers
# iptables -R INPUT 2 -i eth0 -s 0/0 -p tcp --dport 2049 -j REJECT
# iptables -R INPUT 1 -p tcp --dport 80 -j REJECT
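To make the first-match behaviour behind -I, -D and -R visible without touching a live firewall, here is an added example (not from the original article) that replays a constructed iptables-save style dump of the INPUT chain through a small awk evaluator. It walks the chain in order, stops at the first rule whose -p, -i and --dport criteria all match, and falls back to the chain policy otherwise; it also handles the port:port ranges mentioned in the flag list above. The dump, the function name first_match and the port-range rule are assumptions made for this example.

```shell
#!/bin/sh
# Added example: simulate how a filter chain is walked (first match wins,
# policy applies when nothing matches). Runs on a constructed dump, not on
# the kernel, so it needs no root and changes no firewall state.

# Constructed dump: the article's INPUT chain after "iptables -I INPUT 2"
# put the port-80 rule at position 2 (the old #2 is now #3); the 6000:6010
# range rule is added here only to exercise port ranges.
RULES_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i eth0 -p tcp --dport 2049 -j REJECT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 111 -j REJECT
-A INPUT -i eth0 -p tcp --dport 6000:6010 -j DROP
COMMIT'

# first_match CHAIN PROTO DPORT IFACE -> prints the target of the first
# matching rule, or "POLICY <policy>" when no rule in the chain matched.
first_match() {
    printf '%s\n' "$RULES_DUMP" | awk -v chain="$1" -v proto="$2" -v dport="$3" -v iface="$4" '
    # A rule without --dport matches any port; "a:b" is an inclusive range.
    function port_ok(spec, p,   r) {
        if (spec == "") return 1
        if (index(spec, ":") > 0) { split(spec, r, ":"); return (p + 0 >= r[1] + 0 && p + 0 <= r[2] + 0) }
        return spec == p
    }
    $1 == (":" chain) { policy = $2 }           # chain header carries the policy
    $1 == "-A" && $2 == chain {
        rp = ""; rd = ""; ri = ""; tgt = ""
        for (i = 3; i <= NF; i++) {
            if ($i == "-p") rp = $(i + 1)
            else if ($i == "--dport") rd = $(i + 1)
            else if ($i == "-i") ri = $(i + 1)
            else if ($i == "-j") tgt = $(i + 1)
        }
        if ((rp == "" || rp == proto) && (ri == "" || ri == iface) && port_ok(rd, dport)) {
            print tgt; matched = 1; exit        # first match decides; later rules are never seen
        }
    }
    END { if (!matched) print "POLICY " policy }'
}

# Usage: the position of a rule, not just its presence, decides the verdict.
first_match INPUT tcp 80 eth0      # ACCEPT (rule 2 matches before anything blocks it)
first_match INPUT tcp 2049 eth0    # REJECT (rule 1)
first_match INPUT tcp 6005 eth0    # DROP (port range 6000:6010)
first_match INPUT udp 53 eth0      # POLICY ACCEPT (no rule matched)
```

Swapping the order of the first two -A lines in the dump, or changing a -j as -R does on a live chain, changes the verdicts accordingly.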

Last, but not least, you need to remember that for firewall rules to be persistent you must save them to a file and then restore them automatically at boot (using the method of your choice, or the one available for your distribution).

Saving firewall rules:

# iptables-save > /etc/iptables/rules.v4		[On Ubuntu]
# iptables-save > /etc/sysconfig/iptables		[On CentOS / OpenSUSE]

Restoring rules:

# iptables-restore < /etc/iptables/rules.v4		[On Ubuntu]
# iptables-restore < /etc/sysconfig/iptables		[On CentOS / OpenSUSE]

Here we can see the same procedure (saving and restoring firewall rules by hand) using a dummy file called iptables.dump instead of the default one shown above.

# iptables-save > iptables.dump

To make these changes persistent across reboots:

Ubuntu: Install the iptables-persistent package, which will load the rules saved in the /etc/iptables/rules.v4 file.

# apt-get install iptables-persistent

CentOS: Add the following 2 lines to the /etc/sysconfig/iptables-config file.

IPTABLES_SAVE_ON_STOP="yes"
IPTABLES_SAVE_ON_RESTART="yes"

OpenSUSE: List the allowed ports, protocols, addresses, and so on (separated by commas) in /etc/sysconfig/SuSEfirewall2.

For more information refer to the file itself, which is heavily commented.

Summary

The examples provided in this article, while not covering all the bells and whistles of iptables, serve the purpose of illustrating how to enable and disable incoming or outgoing traffic.

For those of you who are firewall fans, keep in mind that we will revisit this topic with more specific applications in Part 10 of this LFCE series.

Feel free to let me know if you have any questions or comments.