RHCSA Series: Firewall Essentials and Network Traffic Control Using FirewallD and Iptables - Part 11


In simple terms, a firewall is a security system that controls incoming and outgoing traffic on a network based on a set of predefined rules (for example, the source or destination of a packet, or the type of traffic).

In this article we will review the basics of firewalld, the default dynamic firewall daemon in Red Hat Enterprise Linux 7, and of the iptables service, the legacy firewall service for Linux that most system and network administrators know well and that is also available in RHEL 7.

Comparing FirewallD and Iptables

Under the hood, both firewalld and the iptables service talk to the netfilter framework in the kernel through the same interface, which is, not surprisingly, the iptables command. The difference is in how changes are applied: the iptables service applies a change by flushing and reloading the whole ruleset, whereas firewalld can alter individual rules while the system is running without losing existing connections.

Firewalld should be installed by default on your RHEL 7 system, although it may not be running. You can verify this with the following commands (firewall-config is the graphical configuration tool):

# yum info firewalld firewall-config

and

# systemctl status -l firewalld.service

The iptables service, on the other hand, is not installed by default, but it can be added with:

# yum update && yum install iptables-services

Both daemons can be started, and enabled to start at boot, with the usual systemd commands. Note that the package is called iptables-services but the unit it installs is iptables.service (plus ip6tables.service for IPv6). The two services must not manage netfilter at the same time, so stop and mask firewalld before enabling the iptables service, or the other way round. For firewalld:

# systemctl start firewalld.service
# systemctl enable firewalld.service

or, for the iptables service:

# systemctl start iptables.service
# systemctl enable iptables.service

Read Also: Useful Commands to Manage Systemd Services

As far as configuration files go, the iptables service uses /etc/sysconfig/iptables (which will not exist if the package is not installed on your system). The file is in iptables-save format, the same output you get from running iptables-save. On a RHEL 7 box used as a cluster node, this file looks as follows:

Firewalld, in turn, keeps its configuration in two directories: /usr/lib/firewalld holds the default zone and service definitions shipped with the package, and /etc/firewalld holds the system-specific configuration, which takes precedence over the defaults and is where your permanent changes end up:

# ls /usr/lib/firewalld /etc/firewalld

We will look into these configuration files later in this article, after adding a few rules here and there. For now it is enough to remember that you can always get more information about both tools with:

# man firewalld.conf
# man firewall-cmd
# man iptables

In addition, remember to check Reviewing Essential Commands & System Documentation - Part 1 of this series, where I described several sources of information about the packages installed on your RHEL 7 system.

Using Iptables to Control Network Traffic

You may want to refer to Configure Iptables Firewall - Part 8 of the Linux Foundation Certified Engineer (LFCE) series to refresh your memory about iptables internals before going further. With that covered, we can jump straight into the examples.

Example 1: Allowing incoming and outgoing web traffic

TCP ports 80 and 443 are the default ports used by the Apache web server to handle plain (HTTP) and secure (HTTPS) web traffic. You can allow incoming and outgoing web traffic through both ports on the enp0s3 interface as follows:

# iptables -A INPUT -i enp0s3 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -o enp0s3 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
# iptables -A INPUT -i enp0s3 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -o enp0s3 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT

Example 2: Blocking all (or some) traffic from a specific network

There may be times when you need to block all (or some) traffic originating from a specific network, say 192.168.1.0/24 for example:

# iptables -I INPUT -s 192.168.1.0/24 -j DROP

will drop every packet coming from the 192.168.1.0/24 network, whereas

# iptables -I INPUT -s 192.168.1.0/24 -p tcp --dport 22 -j ACCEPT

will allow only incoming SSH traffic (TCP port 22) from that network. Two details matter here. First, a port match such as --dport is only valid together with a protocol match, which is why the rule carries -p tcp; without it iptables rejects the rule. Second, because the DROP rule was inserted at the top of the chain, this ACCEPT must be placed above it (which -I does) rather than appended with -A; otherwise the DROP would match first and the ACCEPT would never be reached.

If you use your RHEL 7 box not only as a software firewall but also as a router, so that it sits between two distinct networks, IP forwarding must be enabled on your system. If it is not, edit /etc/sysctl.conf (or, the preferred way on RHEL 7, a drop-in file under /etc/sysctl.d/) and set net.ipv4.ip_forward to 1, as follows:

net.ipv4.ip_forward = 1

then save the change, close your text editor and finally run the following command to apply it:

# sysctl -p /etc/sysctl.conf

Example 3: Redirecting incoming traffic to another destination

For example, you may have a printer installed on an internal box with IP 192.168.0.10, with the CUPS service listening on port 631 (a port that must be open both on the print server and on the firewall). To forward print requests from clients on the other side of the firewall, you should add the following iptables rule:

# iptables -t nat -A PREROUTING -i enp0s3 -p tcp --dport 631 -j DNAT --to 192.168.0.10:631

Please bear in mind that iptables evaluates its rules in order, from the top of each chain down, so make sure that the default policies or later rules do not override the ones shown in the examples above. Also note that a DNAT rule in the nat table only rewrites the destination address: the forwarded packets still traverse the FORWARD chain of the filter table, which must accept them (through an explicit rule or an ACCEPT default policy) for the print jobs to get through.
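As an added example that is not part of the original article, here is a small shell linter for the two pitfalls just discussed: a port match without a protocol match (the mistake that is easy to make in Example 2, where --dport needs -p tcp) and an ACCEPT appended below a broader DROP for the same source, which is never reached because chains are evaluated top to bottom. It accepts either iptables command lines or the -A lines stored in /etc/sysconfig/iptables. The function name lint_iptables_rules and the rule lines used in the demo are our own constructed test input, not output from a real system.

```bash
#!/usr/bin/env bash
# Added example, not part of the original article: a minimal linter for
# iptables rule lines, either "iptables -A INPUT ..." commands or the
# "-A INPUT ..." lines stored in /etc/sysconfig/iptables.  It reports the two
# mistakes that are easy to make in Example 2 above:
#   1. --dport/--sport without -p tcp|udp (iptables rejects such a rule), and
#   2. an ACCEPT appended (-A) below an earlier port-less DROP/REJECT for the
#      same chain and source address, which is never reached because the
#      chain is evaluated top to bottom.
# Deliberately simple: negation (!), -I with an explicit position, multiport
# and -d/--destination are not modelled.
# Usage: lint_iptables_rules FILE  (findings on stdout, return value = count)

lint_iptables_rules() {
    local file=$1 lineno=0 findings=0 blanket="" line opt val
    local action chain src proto port target

    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case $line in
            ''|'#'*|'*'*|':'*|COMMIT) continue ;;  # blanks, comments, iptables-save headers
        esac

        action="" chain="" src="0.0.0.0/0" proto="" port="" target=""
        set -f              # split the rule into words without filename expansion
        set -- $line
        set +f
        while [ $# -gt 0 ]; do
            opt=$1; shift
            val=${1:-}      # the option's argument, if any (left for the next pass)
            case $opt in
                -A|--append)   action=A; chain=$val ;;
                -I|--insert)   action=I; chain=$val ;;
                -s|--source)   src=$val ;;
                -p|--protocol) proto=$val ;;
                --dport|--destination-port|--sport|--source-port) port=$val ;;
                -j|--jump)     target=$val ;;
            esac
        done
        [ -n "$chain" ] || continue

        # Check 1: a port match is only valid together with a protocol match.
        if [ -n "$port" ] && [ -z "$proto" ]; then
            echo "line $lineno: port match without -p tcp|udp: $line"
            findings=$((findings + 1))
        fi

        # Check 2: remember port-less DROP/REJECT rules per chain and source,
        # and flag any later ACCEPT appended below one of them.
        case $target in
            DROP|REJECT)
                if [ -z "$port" ]; then
                    blanket="$blanket $chain|$src;"
                fi ;;
            ACCEPT)
                case $blanket in
                    *" $chain|$src;"*)
                        if [ "$action" = A ]; then
                            echo "line $lineno: ACCEPT appended below a DROP/REJECT for $src in $chain, never reached: $line"
                            findings=$((findings + 1))
                        fi ;;
                esac ;;
        esac
    done < "$file"
    return "$findings"
}

# Stand-alone demo on constructed input: a DROP inserted at the top, then an
# SSH ACCEPT appended below it and missing -p tcp (both findings fire).
demo=$(mktemp)
printf '%s\n' \
    'iptables -I INPUT -s 192.168.1.0/24 -j DROP' \
    'iptables -A INPUT -s 192.168.1.0/24 --dport 22 -j ACCEPT' > "$demo"
if lint_iptables_rules "$demo"; then echo "ruleset is clean"; else echo "ruleset needs fixing"; fi
rm -f "$demo"
```

Run it against a saved ruleset with `lint_iptables_rules /etc/sysconfig/iptables`; a non-zero return value means at least one finding was printed. The shadowing check is intentionally conservative: it only knows about port-less DROP/REJECT rules and ACCEPTs appended below them, which is exactly the ordering problem the previous paragraph warns about.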

Getting Started with FirewallD

One of the changes introduced with firewalld is zones. A zone represents a level of trust; you assign network interfaces (or source addresses) to zones, and the rules of a zone apply to all traffic arriving through the interfaces or from the sources assigned to it.

To list the active zones:

# firewall-cmd --get-active-zones

In our example, the public zone is active and the enp0s3 interface has been assigned to it automatically. To view all the information about a particular zone:

# firewall-cmd --zone=public --list-all

Since you can read more about zones in the RHEL 7 Security Guide, we will only list some specific examples here.

To get the list of supported services, use:

# firewall-cmd --get-services

To allow http and https web traffic through the firewall, effective immediately and on subsequent boots (MyZone stands for the zone you are configuring, for example public):

# firewall-cmd --zone=MyZone --add-service=http
# firewall-cmd --zone=MyZone --permanent --add-service=http
# firewall-cmd --zone=MyZone --add-service=https
# firewall-cmd --zone=MyZone --permanent --add-service=https
# firewall-cmd --reload

If --zone is omitted, the default zone is used (you can check which one that is with firewall-cmd --get-default-zone).

To remove a rule, replace the word add with remove in the commands above.

To forward a port to another host, as we did with iptables in Example 3, you first need to find out whether masquerading is enabled for the zone in question, since firewalld requires it for forwarding to a different address:

# firewall-cmd --zone=MyZone --query-masquerade

On our test system, masquerading is enabled for the external zone but not for public:

You can either enable masquerading for public:

# firewall-cmd --zone=public --add-masquerade

or use the external zone, where it is already on. This is what we would do to repeat Example 3 with firewalld:

# firewall-cmd --zone=external --add-forward-port=port=631:proto=tcp:toport=631:toaddr=192.168.0.10

And don't forget to make the change permanent before reloading: the commands above without --permanent only alter the runtime configuration, and firewall-cmd --reload discards runtime-only changes and loads the permanent configuration. Either repeat each command with --permanent and then reload, or, on newer firewalld releases, run firewall-cmd --runtime-to-permanent to save the current runtime state.
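To tie the firewalld commands above together, here is an added example (not from the original article or the firewalld project) of a small shell script that applies a zone policy idempotently: it queries the permanent configuration for each service, each forward port and the masquerade flag, adds only what is missing with --permanent, and reloads once at the end, so that nothing is lost to a reload. The function names apply_zone_policy and fw_has, and the fake_firewall_cmd stub that stands in for firewall-cmd so the script can be dry-run on a machine without firewalld, are our own.

```bash
#!/usr/bin/env bash
# Added example, not part of the original article: apply a firewalld zone
# policy (services, port forwards, masquerading) in one idempotent pass.
# Every change is first checked with --query-* against the PERMANENT
# configuration, written with --permanent, and a single --reload at the end
# activates it.  Writing permanent config first and then reloading avoids the
# trap described above: "firewall-cmd --reload" throws away runtime-only
# changes, so a runtime --add-forward-port followed by --reload disappears.
# FIREWALL_CMD names the tool to call; point it at the stub below to see the
# commands without touching a live firewall.

: "${FIREWALL_CMD:=firewall-cmd}"
: "${FAKE_LOG:=/dev/stdout}"

# fw_has ZONE --query-...  -> 0 if the permanent config already has the item
fw_has() { "$FIREWALL_CMD" --permanent --zone="$1" "$2" >/dev/null 2>&1; }

# apply_zone_policy ZONE "svc ..." "port=P:proto=tcp:toport=P:toaddr=A ..." yes|no
apply_zone_policy() {
    local zone=$1 services=$2 forwards=$3 masquerade=$4 changed=0 item
    for item in $services; do
        if ! fw_has "$zone" --query-service="$item"; then
            "$FIREWALL_CMD" --permanent --zone="$zone" --add-service="$item"
            changed=$((changed + 1))
        fi
    done
    for item in $forwards; do
        if ! fw_has "$zone" --query-forward-port="$item"; then
            "$FIREWALL_CMD" --permanent --zone="$zone" --add-forward-port="$item"
            changed=$((changed + 1))
        fi
    done
    case $masquerade in
        yes) if ! fw_has "$zone" --query-masquerade; then
                 "$FIREWALL_CMD" --permanent --zone="$zone" --add-masquerade
                 changed=$((changed + 1))
             fi ;;
        no)  if fw_has "$zone" --query-masquerade; then
                 "$FIREWALL_CMD" --permanent --zone="$zone" --remove-masquerade
                 changed=$((changed + 1))
             fi ;;
    esac
    # One reload, and only if something changed: it loads the permanent
    # configuration into the running firewall without dropping connections.
    if [ "$changed" -gt 0 ]; then
        "$FIREWALL_CMD" --reload
    fi
    return 0
}

# Stub standing in for firewall-cmd during dry runs: logs every call to
# FAKE_LOG and answers every --query-* with "not configured" (exit 1).
fake_firewall_cmd() {
    printf 'firewall-cmd %s\n' "$*" >> "$FAKE_LOG"
    case " $* " in *" --query-"*) return 1 ;; esac
    return 0
}

# Dry run of the example above (external zone, CUPS forwarded to 192.168.0.10)
# when invoked as "bash thisfile.sh demo".
if [ "${1:-}" = "demo" ]; then
    (FIREWALL_CMD=fake_firewall_cmd
     apply_zone_policy external "http https" \
         "port=631:proto=tcp:toport=631:toaddr=192.168.0.10" yes)
fi
```

Invoked with `demo`, the script prints the firewall-cmd calls it would make (four --permanent additions followed by one --reload); run as root with FIREWALL_CMD unset it applies them for real, and a second run makes no changes and skips the reload because every query already succeeds.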

You can find more examples in Part 9 of the RHCSA series, where we explained how to allow or block the ports commonly used by a web server and an FTP server, and how to adjust the corresponding rule when the default port of one of those services is changed. In addition, you may want to refer to the firewalld wiki for further examples.

Read Also: Useful FirewallD Examples to Configure a Firewall in RHEL 7

Summary

In this article we have explained what a firewall is, which services are available to implement one in RHEL 7, and provided a few examples to help you get started with this task. If you have any comments, suggestions or questions, feel free to let us know using the form below. Thanks in advance!