Shorewall - A High-Level Firewall for Configuring Linux Servers


Setting up a firewall in Linux can be daunting for a newcomer, or for anyone not yet familiar with iptables. Fortunately, Shorewall offers a much easier way to do it.

In this multi-part tutorial I will get you started with Shorewall and then walk you through some more advanced topics with this excellent firewall system.

What is Shorewall?

Shorewall is essentially a front end to iptables, but it is a command-line front end that is configured through a set of plain-text files rather than a GUI. Shorewall reads those files, generates the corresponding iptables rules and loads them into the kernel; it is not a packet filter in its own right. Although Shorewall is a robust firewall system that scales to large networks serving many machines, we will begin with the basic two-interface configuration and nail down the fundamentals.

A two-interface configuration is a machine with two Ethernet ports: one connected to the Internet (the upstream side) and the other connected to the local network.

Installing Shorewall in Linux

Shorewall can be installed with the apt-get or yum package management tools. The IPv4 package is called shorewall; the IPv6 variant, shorewall6, is a separate package and is not what this tutorial uses.

$ sudo apt-get install shorewall
$ sudo yum install shorewall

After installation we need to copy the sample two-interface configuration from the /usr/share/doc/shorewall directory into Shorewall's default configuration directory, /etc/shorewall. The exact location of the samples varies slightly between distributions (the directory is usually named examples), so list /usr/share/doc/shorewall/ first if the command below does not find them.

$ sudo cp /usr/share/doc/shorewall/examples/two-interfaces/* /etc/shorewall

Then cd into /etc/shorewall.

$ cd /etc/shorewall

Looking in this directory, we see a handful of configuration files alongside shorewall.conf. Shorewall views the network as a collection of distinct zones, so the first file to look at is /etc/shorewall/zones.

The sample zones file defines three zones: fw, net and loc. The fw zone has the special type firewall and represents the firewall machine itself; Shorewall stores its name in the variable $FW, and you will see that variable throughout the other configuration files. (The word all, which you will meet in the policy file, is not a zone but a keyword that matches every zone.)

The /etc/shorewall/zones file is fairly self-explanatory: net is the zone on the Internet-facing interface, loc is the zone on the LAN-facing interface, and fw is the firewall itself.

The zones are tied together by the policy file, /etc/shorewall/policy, which sets the default action for traffic between each pair of zones when no entry in the rules file matches. The sample policy does the following:

  1. Accepts all connection requests from the loc zone (LAN) to the net zone (Internet).
  2. Drops (silently ignores) all connection requests from the net zone to the firewall and to the LAN.
  3. Rejects and logs every other request.

The LOG LEVEL column should look familiar to anyone who has administered Apache, MySQL, or any number of other FOSS programs; in this case we are telling Shorewall to log at syslog level info. Policies are evaluated in order and the first match wins, so the catch-all "all all REJECT" line must remain the last one in the file.

If you want to administer the firewall from your LAN, add the following lines to /etc/shorewall/policy, above the final catch-all line:

#SOURCE		DEST	POLICY		LOG		LEVEL		LIMIT:BURST
loc			$FW		ACCEPT
$FW			loc		ACCEPT

Bear in mind that a loc to $FW ACCEPT policy trusts every host on the LAN with every service the firewall itself listens on. If all you need is SSH from the LAN, the tighter option is to leave the policy at its default and add a single entry, SSH(ACCEPT) loc $FW, to the rules file described below.

Now that our zones and policies are configured, we have to configure our interfaces. You do this by editing /etc/shorewall/interfaces.

Here we assign our Internet-facing interface, eth0, to the net zone. On the LAN side we assign the other interface, eth1, to the loc zone. Adjust this file to match your own hardware; on a modern system the interfaces are more likely to carry predictable names such as enp1s0 than eth0 and eth1.

The options you can set on each of these interfaces are numerous and are best described in detail in the man page:

$ man shorewall-interfaces

Notable ones include:

  1. nosmurfs - filter packets that have a broadcast address as their source.
  2. logmartians - log packets with an impossible (martian) source address.
  3. routefilter - enable the kernel's reverse-path route filtering on the interface to block spoofed source addresses.

Of course, now that the system is a firewall, certain connections will need to be allowed through so it can do its job. You define these in the rules file, /etc/shorewall/rules. Rules are evaluated before the policies, so a rule is how you make an exception to a policy.

This file looks confusing at first, mainly because the columns run into one another, but the headers are fairly self-explanatory. First there is the ACTION column, which says what to do with matching traffic (ACCEPT, DROP, REJECT, DNAT and so on).

Next comes the SOURCE column, where you specify the zone the packet originates from. Then comes DEST, the destination, which is the zone, or a zone qualified with an IP address, that the packet is going to. Let's work through an example.

Say you want to run an SSH server behind your firewall on a machine with the IP address 192.168.1.25. It is not enough to open a port in the firewall; you also have to tell the firewall that any traffic arriving on port 22 must be forwarded to the machine at 192.168.1.25.

This is called port forwarding, and it is a common feature on most firewalls and routers. In /etc/shorewall/rules you accomplish it by adding a line like this:

SSH(DNAT)	net		loc:192.168.1.25

The line above says that any SSH packets arriving from the net zone at the firewall must be forwarded (DNAT) to port 22 on the machine with the address 192.168.1.25. SSH is one of Shorewall's bundled macros; it expands to TCP port 22, so you do not have to fill in the PROTO and DPORT columns yourself.

This is a form of Network Address Translation, or NAT. The D in DNAT simply tells Shorewall that it is the destination address that is being translated. Note that the rule as written exposes the SSH server to the entire Internet; if you only ever connect from known addresses, restrict the SOURCE column to them (for example net:203.0.113.0/24 instead of plain net). Also make sure the host at 192.168.1.25 uses the firewall as its default gateway; DNAT preserves the client's public source address, so replies that leave by another gateway never pass back through the translation and the connection fails.

For this to work you must have NAT support enabled in your kernel, which every mainstream distribution kernel provides. If you need NAT and your kernel lacks it, see my tutorial on recompiling a Debian kernel. Before you put any of this into production, run shorewall check so that Shorewall compiles the configuration and reports errors, and on Debian-based systems set STARTUP_ENABLED=Yes in /etc/shorewall/shorewall.conf, or Shorewall will refuse to start.
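The procedure above, pulled together into one staged two-interface configuration, as an added example that is not from the original article or from the Shorewall project. It writes the zones, interfaces, policy, rules and snat files into a staging directory, checks that the catch-all REJECT policy is still last, then, if Shorewall is installed, compiles the directory with shorewall check and trial-loads it with shorewall try, which reverts to the previous ruleset after a timeout so that a mistake cannot lock you out of a remote machine. The interface names eth0/eth1, the LAN 192.168.1.0/24, the SSH host 192.168.1.25 and the admin network 203.0.113.0/24 are assumptions for illustration; change them to match your network. The snat file is the Shorewall 5 format; on Shorewall 4.x the equivalent is a masq file with INTERFACE and SOURCE columns.

```bash
#!/bin/sh
# Stage a complete Shorewall two-interface configuration into a directory,
# validate it, and trial-load it with automatic rollback.
# Example code, not Shorewall's own; all addresses and interface names
# below are assumptions for illustration.
set -eu

WAN_IF=eth0                 # Internet-facing interface -> net zone (assumed)
LAN_IF=eth1                 # LAN-facing interface      -> loc zone (assumed)
LAN_NET=192.168.1.0/24      # LAN address range (assumed)
SSH_HOST=192.168.1.25       # internal SSH server reached via DNAT (assumed)
ADMIN_NET=203.0.113.0/24    # only this network may reach the SSH server (assumed)

stage_shorewall_config() {
    dir=$1
    mkdir -p "$dir"

    # zones: fw is the firewall itself (referenced elsewhere as $FW).
    # Quoted heredoc delimiters keep the shell from expanding $FW.
    cat > "$dir/zones" <<'EOF'
#ZONE   TYPE      OPTIONS
fw      firewall
net     ipv4
loc     ipv4
EOF

    # interfaces: anti-spoofing options on both sides; keep dhcp on the
    # WAN side only if the upstream address really comes from DHCP.
    cat > "$dir/interfaces" <<EOF
?FORMAT 2
#ZONE   INTERFACE   OPTIONS
net     $WAN_IF     tcpflags,dhcp,nosmurfs,routefilter,logmartians,sourceroute=0
loc     $LAN_IF     tcpflags,nosmurfs,routefilter,logmartians
EOF

    # policy: defaults between zones; first match wins, so the
    # catch-all REJECT must stay last.
    cat > "$dir/policy" <<'EOF'
#SOURCE DEST    POLICY  LOG LEVEL   LIMIT:BURST
loc     net     ACCEPT
loc     $FW     ACCEPT
$FW     loc     ACCEPT
$FW     net     ACCEPT
net     all     DROP    info
# THE FOLLOWING POLICY MUST BE LAST
all     all     REJECT  info
EOF

    # rules: exceptions to the policies. Without ?SECTION headers every
    # line is treated as a rule for NEW connections.
    cat > "$dir/rules" <<EOF
#ACTION         SOURCE              DEST            PROTO   DPORT
Ping(ACCEPT)    loc                 \$FW
Ping(DROP)      net                 \$FW
# Forward SSH to the internal server, but only from the admin network
# rather than from the whole net zone.
SSH(DNAT)       net:$ADMIN_NET      loc:$SSH_HOST
EOF

    # snat: masquerade LAN traffic leaving the WAN interface; without it
    # the loc->net ACCEPT policy lets packets out that can never return.
    cat > "$dir/snat" <<EOF
#ACTION         SOURCE          DEST
MASQUERADE      $LAN_NET        $WAN_IF
EOF
}

# Return 0 if the last active (non-comment, non-blank) policy line is the
# catch-all 'all all REJECT'; anything after it would never be reached.
policy_last_is_catchall() {
    last=$(awk '!/^[ \t]*(#|$)/ { l = $0 } END { print l }' "$1")
    set -- $last
    [ "${1:-}" = all ] && [ "${2:-}" = all ] && [ "${3:-}" = REJECT ]
}

check_and_try() {
    dir=$1
    policy_last_is_catchall "$dir/policy" || {
        echo "policy: catch-all 'all all REJECT' is not last" >&2; return 1; }
    if ! command -v shorewall >/dev/null 2>&1; then
        echo "shorewall not installed; staged config left in $dir" >&2
        return 0
    fi
    shorewall check "$dir"      # compile only; reports syntax and semantic errors
    # Load the staged directory now and revert to the previous ruleset
    # after 60 s; copy the files into /etc/shorewall and restart once you
    # have confirmed you still have access.
    shorewall try "$dir" 60
}

# Usage: ./stage-shorewall.sh /tmp/shorewall-staging
if [ $# -ge 1 ]; then
    stage_shorewall_config "$1"
    check_and_try "$1"
fi
```

The staging directory is deliberately separate from /etc/shorewall: shorewall check and shorewall try both accept a directory argument and fall back to /etc/shorewall for any file not present there (shorewall.conf in this case), so you can validate a candidate configuration without touching the live one.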

Reference Links

Shorewall Home Page

In the next article we will walk through some more advanced topics, but there should be plenty here to get you started for now. As always, take a look at the man pages for a deeper understanding.