Yadda Ake Yin Tace Fakiti, Fassara Adireshin Yanar Gizo da Saita Matsalolin Runtime na Kernel - Part 2

Kamar yadda aka yi alkawari a cikin Sashe na 1 (Setup Static Network Routing), a cikin wannan labarin (Sashe na 2 na jerin RHCE) za mu fara da gabatar da ka'idodin tace fakiti da fassarar adireshin cibiyar sadarwa (NAT) a cikin Red Hat Enterprise Linux 7, kafin nutsewa cikin saita sigogin kernel na lokacin aiki don gyara halayen kernel mai gudana idan wasu yanayi sun canza ko buƙatu sun taso.

Tace Fakitin hanyar sadarwa a cikin RHEL 7

Lokacin da muke magana game da tace fakiti, muna komawa ga tsarin da wuta ta kunna inda yake karanta taken kowane fakitin bayanan da ke ƙoƙarin wuce ta. Sannan, tana tace fakitin ta hanyar ɗaukar matakin da ake buƙata bisa ƙa'idodin da mai sarrafa tsarin ya bayyana a baya.

Kamar yadda ƙila kuka sani, farawa da RHEL 7, tsohuwar sabis ɗin da ke sarrafa ka'idodin Tacewar zaɓi shine Tacewar zaɓi. Kamar iptables, yana magana da netfilter module a cikin Linux kernel don bincika da sarrafa fakitin cibiyar sadarwa. Ba kamar iptables ba, sabuntawa na iya yin tasiri nan da nan ba tare da katse hanyoyin haɗin kai ba - ba ma dole ka sake kunna sabis ɗin ba.

Wani fa'ida na firewalld shine yana ba mu damar ayyana dokoki dangane da sunayen sabis da aka riga aka tsara (ƙari akan wancan a cikin minti ɗaya).

A cikin Sashe na 1, mun yi amfani da yanayin kamar haka:

Koyaya, zaku tuna cewa mun kashe wuta akan na'ura mai ba da hanya tsakanin hanyoyin sadarwa #2 don sauƙaƙa misalin tunda ba mu rufe fakitin tacewa ba tukuna. Bari mu ga yanzu yadda za mu iya kunna fakiti masu shigowa waɗanda aka ƙaddara don takamaiman sabis ko tashar jiragen ruwa a wurin da ake nufi.

Da farko, bari mu ƙara doka ta dindindin don ba da izinin zirga-zirgar shigowa cikin enp0s3 (192.168.0.19) zuwa enp0s8 (10.0.0.18):

# firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -i enp0s3 -o enp0s8 -j ACCEPT

Umurnin da ke sama zai adana ƙa'idar zuwa /etc/firewalld/direct.xml:

# cat /etc/firewalld/direct.xml

Sannan ba da damar ƙa'idar ta fara aiki nan da nan:

# firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i enp0s3 -o enp0s8 -j ACCEPT

Yanzu zaku iya telnet zuwa sabar yanar gizo daga akwatin RHEL 7 kuma sake kunna tcpdump don saka idanu kan zirga-zirgar TCP tsakanin injinan biyu, wannan lokacin tare da Tacewar zaɓi a cikin na'ura mai ba da hanya tsakanin hanyoyin sadarwa #2 kunna.

# telnet 10.0.0.20 80
# tcpdump -qnnvvv -i enp0s3 host 10.0.0.20

Me zai faru idan kuna son ba da izinin haɗi mai shigowa zuwa sabar yanar gizo (tashar jiragen ruwa 80) daga 192.168.0.18 da toshe haɗin kai daga wasu tushe a cikin hanyar sadarwar 192.168.0.0/24?

A cikin Tacewar zaɓi na sabar gidan yanar gizo, ƙara ƙa'idodi masu zuwa:

# firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.0.18/24" service name="http" accept'
# firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.0.18/24" service name="http" accept' --permanent
# firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.0.0/24" service name="http" drop'
# firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.0.0/24" service name="http" drop' --permanent

Yanzu zaku iya yin buƙatun HTTP zuwa sabar gidan yanar gizo, daga 192.168.0.18 da kuma daga wasu na'ura a cikin 192.168.0.0/24. A cikin yanayin farko ya kamata haɗin ya kammala cikin nasara, yayin da a na biyun zai ƙare.

Don yin haka, kowane ɗayan waɗannan umarni zai yi dabara:

# telnet 10.0.0.20 80
# wget 10.0.0.20

Ina ba ku shawara mai ƙarfi da ku bincika takaddun Harshe Mai Kyau na Firewalld a cikin Fedora Project Wiki don ƙarin cikakkun bayanai kan ƙa'idodi masu ƙarfi.

Fassarar Adireshin Yanar Gizo a cikin RHEL 7

Fassara Adireshin Sadarwar Sadarwa (NAT) shine tsari inda rukunin kwamfutoci (kuma yana iya zama ɗaya daga cikinsu) a cikin hanyar sadarwa mai zaman kansa ana ba da adireshin IP na musamman na jama'a. Sakamakon haka, har yanzu ana gano su ta musamman ta adireshin IP na sirri na kansu a cikin hanyar sadarwar amma a waje duk “da alama” iri ɗaya ne.