Tambayoyin Tambayoyi 13 akan Linux iptables Firewall
Nishita Agarwal, Maziyartan Tecmint akai-akai ta ba da labarin gogewarta (Tambaya da Amsa) tare da mu game da hirar aikin da ta yi a wani kamfani mai zaman kansa a Pune, Indiya. An yi mata tambayoyi da yawa kan batutuwa daban-daban duk da haka ita ƙwararriya ce a cikin iptables kuma tana son raba waɗannan tambayoyin da amsarsu (ta ba da) masu alaƙa da iptables ga wasu waɗanda wataƙila za su yi hira nan gaba.
Duk tambayoyin da Amsar su an sake rubuta su bisa ƙwaƙwalwar Nishita Agarwal.
Sannu abokai! Sunana Nishita Agarwal. Na Bincika Digiri na farko a Fasaha. Yankin da nake da shi shine UNIX kuma Variants of UNIX (BSD, Linux) yana burge ni tun lokacin da na ji shi. Ina da shekaru 1+ na gogewa Ina neman canjin aiki wanda ya ƙare da wani kamfani mai ɗaukar hoto a Pune, Indiya.
Ga tarin abubuwan da aka tambaye ni yayin hirar. Na rubuta waɗannan tambayoyin ne kawai da amsarsu waɗanda ke da alaƙa da iptables dangane da ƙwaƙwalwar ajiya na. Da fatan wannan zai taimaka muku wajen warware Hirar ku.
Amsa: Na dade ina amfani da iptables kuma ina sane da duka iptables da Firewall. Iptables shiri ne na aikace-aikacen da aka rubuta galibi a cikin Harshen Shirye-shiryen C kuma ana fitar dashi ƙarƙashin lasisin Jama'a na GNU. An rubuto don ra'ayi na gudanarwar tsarin, sabon sakin kwanciyar hankali idan iptables 1.4.21.ana iya ɗaukar iptables azaman Tacewar zaɓi don UNIX kamar tsarin aiki wanda za'a iya kiran shi azaman iptables/netfilter, mafi daidai. Mai Gudanarwa yana hulɗa tare da iptables ta hanyar kayan aikin na'ura/GUI na gaba don ƙarawa da ayyana ka'idodin Tacewar zaɓi cikin tebur da aka riga aka ƙayyade. Netfilter module ne da aka gina a cikin kwaya wanda ke yin aikin tacewa.
Firewalld shine sabon aiwatar da ka'idojin tacewa a cikin RHEL/CentOS 7 (ana iya aiwatar da su a cikin wasu rabawa waɗanda ƙila ban sani ba). Ya maye gurbin iptables dubawa kuma yana haɗi zuwa netfilter.
Amsa: Ko da yake na yi amfani da duka kayan aikin ƙarshen GUI na gaba don iptables kamar Webmin a cikin GUI da samun damar kai tsaye zuwa iptables ta hanyar na'ura wasan bidiyo.Kuma dole ne in yarda cewa samun damar kai tsaye zuwa iptables ta hanyar na'ura wasan bidiyo na Linux yana ba mai amfani iko mai girma a cikin nau'i mafi girma na sassauci da fahimtar abin da ke faruwa a bango, idan ba wani abu ba. GUI na novice shugaba ne yayin da na'ura wasan bidiyo na gogaggu ne.
Amsa: iptables da firewalld suna aiki iri ɗaya (Tacewar fakiti) amma tare da hanyoyi daban-daban. iptables suna zubar da duk ƙa'idodin da aka saita a duk lokacin da aka yi canji ba kamar firewalld ba. Yawanci wurin daidaitawar iptables ya ta'allaka ne a '/etc/sysconfig/iptables' yayin da tsarin wutan wuta ya ta'allaka ne a '/etc/firewalld/', wanda shine saitin fayilolin XML. ya fi sauƙi idan aka kwatanta da daidaitawar iptables, duk da haka ana iya samun aiki iri ɗaya ta amfani da duka aikace-aikacen tace fakiti watau, iptables da Firewalld. Firewalld yana gudanar da iptables a ƙarƙashin murfinsa tare da ƙirar layin umarni na kansa da fayil ɗin sanyi wanda ke tushen XML kuma ya faɗi sama.
Amsa: Na saba da iptables kuma yana aiki kuma idan babu wani abu da ke buƙatar wani abu mai ƙarfi na Firewalld, da alama babu dalilin ƙaura daga iptables zuwa firewalld. > A mafi yawan lokuta, ya zuwa yanzu ban taba ganin iptables suna haifar da matsala ba. Har ila yau ka'idar fasahar Watsa Labarai ta ce \me yasa aka gyara idan ba a karye ba Ko da yake wannan shine tunanina na kaina kuma ba zan taba damuwa da aiwatar da firewalld ba idan Kungiyar za ta maye gurbin iptables da firewalld.
Menene Tables da ake amfani da su a cikin iptables? Ba da taƙaitaccen bayanin teburin da aka yi amfani da su a cikin iptables da sarƙoƙi da suke tallafawa.
Amsa: Na gode da karramawar. Matsar zuwa sashin tambaya, Akwai teburi guda huɗu da ake amfani da su a cikin iptables, sune:
- Nat Table
- Table Mangle
- Tace Tebur
- Raw Tebur
Teburin Nat: Teburin Nat ana amfani da shi da farko don Fassara Adireshin Sadarwar Sadarwa. Fakitin maƙera suna samun canjin adireshin IP ɗin su kamar yadda ka'idodin ke cikin tebur. Fakiti a cikin rafi suna ratsa Tebur Nat sau ɗaya kawai. Wato, Idan fakiti daga jet na Fakiti an rufe su da sauran fakitin da ke cikin rafi ba za su sake ratsawa ta wannan tebur ba. Ana ba da shawarar kada a tace a cikin wannan tebur. Sarƙoƙi da Teburin NAT ke goyan bayan su ne Sarkar PREROUTING, Sarkar POSTROUTING da sarkar FITARWA.
Teburin Mangle : Kamar yadda sunan ya nuna, wannan tebur yana aiki don sarrafa fakiti. Ana amfani dashi don canza fakiti na musamman. Ana iya amfani da shi don canza abun ciki na fakiti daban-daban da masu kai. Ba za a iya amfani da tebur na mangle ba don Masquerading. Sarkar da aka goyan baya sune Sarkar PREROUTING, Sarkar FITARWA, Sarkar Gaba, Sarkar INPUT, Sarkar POSTROUTING.
Teburin Tace: Teburin Tacewa shine tsayayyen tebur da aka yi amfani da shi a cikin iptables. Ana amfani dashi don tace Fakiti. Idan ba a fayyace ƙa'idodi ba, ana ɗaukar Teburin Tacewa azaman tebur na asali kuma ana yin tacewa akan wannan tebur ɗin. Sarkar da aka tallafa sune Sarkar INPUT, Sarkar FITARWA, Sarkar GABA.
Raw Tebur : Tebur mai rahusa yana zuwa aiki lokacin da muke son saita fakitin da aka keɓe a baya. Yana goyan bayan Sarkar PREROUTING da OUTPUT Chain.
Amsa: Abin da ke biyo baya shine ƙimar manufa waɗanda za mu iya ƙididdige su a cikin manufa a cikin iptables:
-
- YARDA : Karɓi fakiti
- QUEUE : Paas Package zuwa sararin mai amfani (wurin da aikace-aikacen da direbobi suke zaune)
- DROP : Ajiye Fakitin
- DAAWO : Koma Sarkar kira zuwa sarkar kira kuma a daina aiwatar da tsari na gaba na Fakiti na yanzu a cikin sarkar.
Ta yaya za ku Bincika iptables rpm waɗanda ake buƙata don shigar da iptables a cikin CentOS?.
Amsa: iptables rpm suna cikin daidaitaccen shigarwa na CentOS kuma ba ma buƙatar shigar da shi daban. Za mu iya duba rpm kamar:
# rpm -qa iptables iptables-1.4.21-13.el7.x86_64
Idan kuna buƙatar shigar da shi, kuna iya yin yum don samun shi.
# yum install iptables-services
Amsa: Don duba matsayin iptables, kuna iya gudanar da umarni mai zuwa akan tashar.
# service iptables status [On CentOS 6/5] # systemctl status iptables [On CentOS 7]
Idan ba ya gudana, ana iya aiwatar da umarnin da ke ƙasa.
---------------- On CentOS 6/5 ---------------- # chkconfig --level 35 iptables on # service iptables start ---------------- On CentOS 7 ---------------- # systemctl enable iptables # systemctl start iptables
Hakanan muna iya bincika idan an ɗora nauyin iptables ko a'a, kamar:
# lsmod | grep ip_tables
Amsa: Dokokin na yanzu a cikin iptables ana iya yin bita a sauƙaƙe kamar:
# iptables -L
Samfuran Fitarwa
Chain INPUT (policy ACCEPT) target prot opt source destination ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED ACCEPT icmp -- anywhere anywhere ACCEPT all -- anywhere anywhere ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh REJECT all -- anywhere anywhere reject-with icmp-host-prohibited Chain FORWARD (policy ACCEPT) target prot opt source destination REJECT all -- anywhere anywhere reject-with icmp-host-prohibited Chain OUTPUT (policy ACCEPT) target prot opt source destination
Amsa: Don cire sarkar iptables, kuna iya amfani da waɗannan umarni.
# iptables --flush OUTPUT
Don goge duk ƙa'idodin iptables.
# iptables --flush
Amsa: Za'a iya cimma yanayin da ke sama ta hanyar gudanar da umarnin da ke ƙasa.
# iptables -A INPUT -s 192.168.0.7 -j ACCEPT
Za mu iya haɗa daidaitaccen slash ko abin rufe fuska a cikin tushen kamar:
# iptables -A INPUT -s 192.168.0.7/24 -j ACCEPT # iptables -A INPUT -s 192.168.0.7/255.255.255.0 -j ACCEPT
Amsa: Muna fatan ssh yana aiki akan tashar jiragen ruwa 22, wanda kuma shine tsohuwar tashar ssh, zamu iya ƙara ƙa'ida zuwa iptables kamar:
Don karɓar fakitin tcp don sabis na ssh (tashar jiragen ruwa 22).
# iptables -A INPUT -s -p tcp --dport 22 -j ACCEPT
Don ƙin yarda da fakitin tcp don sabis na ssh (tashar jiragen ruwa 22).
# iptables -A INPUT -s -p tcp --dport 22 -j REJECT
Don ƙin yarda da fakitin tcp don sabis na ssh (tashar jiragen ruwa 22).
# iptables -A INPUT -s -p tcp --dport 22 -j DENY
Don DROP fakitin tcp don sabis na ssh (tashar jiragen ruwa 22).
# iptables -A INPUT -s -p tcp --dport 22 -j DROP
Amsa: To duk abin da nake buƙata in yi amfani da shi shine zaɓin 'multiport' tare da iptables tare da lambobin tashar jiragen ruwa da za a toshe kuma za a iya cimma yanayin da ke sama a tafi guda ɗaya kamar yadda. >
# iptables -A INPUT -s 192.168.0.6 -p tcp -m multiport --dport 21,22,23,80 -j DROP
Ana iya bincika ƙa'idodin da aka rubuta ta amfani da umarnin da ke ƙasa.
# iptables -L Chain INPUT (policy ACCEPT) target prot opt source destination ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED ACCEPT icmp -- anywhere anywhere ACCEPT all -- anywhere anywhere ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh REJECT all -- anywhere anywhere reject-with icmp-host-prohibited DROP tcp -- 192.168.0.6 anywhere multiport dports ssh,telnet,http,webcache Chain FORWARD (policy ACCEPT) target prot opt source destination REJECT all -- anywhere anywhere reject-with icmp-host-prohibited Chain OUTPUT (policy ACCEPT) target prot opt source destination
Mai Tambayoyi: Abin da nake son tambaya ke nan. Kai ma'aikaci ne mai kima da ba za mu so mu rasa ba. Zan ba da shawarar sunan ku ga HR. Idan kuna da wata tambaya za ku iya yi mani.
A matsayina na ɗan takara ba na son kashe tattaunawar don haka ci gaba da tambaya game da ayyukan da zan yi idan aka zaɓa da kuma menene sauran buɗaɗɗen kamfani. Ba a ma maganar HR zagaye ba wuya a fashe kuma na sami damar.
Har ila yau, ina so in gode wa Avishek da Ravi (waɗanda ni abokina ne tun da daɗewa) don ɗaukar lokaci don rubuta hira ta.
Abokai! Idan kun yi irin wannan hirar kuma kuna son raba kwarewar hirarku ga miliyoyin masu karanta Tecmint a duk faɗin duniya? sannan aika tambayoyinku da amsoshinku zuwa [email kare] ko kuna iya ƙaddamar da ƙwarewar hirarku ta amfani da fom mai zuwa.
Na gode! Ci gaba da haɗi. Hakanan sanar dani idan zan iya amsa tambaya daidai fiye da abin da na yi.