25 Useful IPtable Firewall Rules Every Linux Administrator Should Know


configure the firewall in such a way that it meets the system's and the users' requirements for both incoming and outgoing connections, without leaving the system vulnerable.

This is where iptables comes in handy. Iptables is a Linux command-line firewall that allows system administrators to manage incoming and outgoing traffic through a set of configurable table rules.

Iptables uses a set of tables, each of which holds chains that contain built-in or user-defined rules. With them a system administrator can filter the network traffic of the system precisely.

According to the iptables manual, there are currently 3 types of tables:

    1. FILTER - this is the default table, which contains the built-in chains:
      1. INPUT - packets destined for local sockets
      2. FORWARD - packets routed through the system
      3. OUTPUT - locally generated packets

    2. NAT - the table consulted when a packet creates a new connection; it has the built-in chains:
      1. PREROUTING - used for altering a packet as soon as it is received
      2. OUTPUT - used for altering locally generated packets
      3. POSTROUTING - used for altering packets as they are about to go out

    3. MANGLE - the table used for specialised packet alteration; it has the chains:
      1. PREROUTING - for altering incoming connections
      2. OUTPUT - for altering locally generated packets
      3. INPUT - for incoming packets
      4. POSTROUTING - for altering packets as they are about to go out
      5. FORWARD - for altering packets routed through the box

In this article you will see some useful commands that will help you manage the firewall of your Linux box through iptables. I will start with the simpler commands and move on to the more complex ones towards the end.

1. Start/Stop/Restart Iptables Firewall

First, you should know how to manage the iptables service on the different Linux distributions. This is fairly easy:

    ------------ On CentOS/RHEL 7 and Fedora 22+ ------------
    # systemctl start iptables
    # systemctl stop iptables
    # systemctl restart iptables

    ------------ On CentOS/RHEL 6/5 and Fedora ------------
    # /etc/init.d/iptables start
    # /etc/init.d/iptables stop
    # /etc/init.d/iptables restart


2. Check all IPtables Firewall Rules

If you want to check your current rules, use the following command:

    # iptables -L -n -v

This should return output similar to the one below:

    Chain INPUT (policy ACCEPT 1129K packets, 415M bytes)
     pkts bytes target prot opt in out source destination
     0 0 ACCEPT tcp -- lxcbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
     0 0 ACCEPT udp -- lxcbr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
     0 0 ACCEPT tcp -- lxcbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:67
     0 0 ACCEPT udp -- lxcbr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target prot opt in out source destination
     0 0 ACCEPT all -- * lxcbr0 0.0.0.0/0 0.0.0.0/0
     0 0 ACCEPT all -- lxcbr0 * 0.0.0.0/0 0.0.0.0/0
    Chain OUTPUT (policy ACCEPT 354K packets, 185M bytes)
     pkts bytes target prot opt in out source destination

Note the chain policies in the output: a policy of ACCEPT means that any packet no rule matches is let through, so the listing above is a host that filters nothing by default.

If you prefer to check the rules of a specific table, you can use the -t option followed by the table you want to inspect. For example, to check the rules in the NAT table, use:

    # iptables -t nat -L -v -n


3. Block a Specific IP Address in IPtables Firewall

If you find unusual or abusive activity from an IP address, you can block that IP address with the following rule:

    # iptables -A INPUT -s xxx.xxx.xxx.xxx -j DROP

Here you need to replace "xxx.xxx.xxx.xxx" with the actual IP address. Be very careful when running this command, as you can accidentally block your own IP address. The -A option appends the rule at the end of the selected chain.

If you only want to block TCP traffic from that IP address, you can use the -p option, which specifies the protocol. The command then looks like this:

    # iptables -A INPUT -p tcp -s xxx.xxx.xxx.xxx -j DROP

4. Unblock an IP Address in IPtables Firewall

If you decide that you no longer want to block requests from a specific IP address, you can delete the blocking rule with the following command:

    # iptables -D INPUT -s xxx.xxx.xxx.xxx -j DROP

The -D option deletes one or more rules from the selected chain. If you prefer the long form of the option, you can use --delete.

5. Block a Specific Port on IPtables Firewall

Sometimes you may want to block incoming or outgoing connections on a specific port. It is a good security measure and you should give the matter real thought when setting up your firewall.

To block outgoing connections on a specific port, use:

    # iptables -A OUTPUT -p tcp --dport xxx -j DROP

To allow incoming connections, use:

    # iptables -A INPUT -p tcp --dport xxx -j ACCEPT

In both examples replace "xxx" with the actual port you want to block or allow. If you want to block UDP traffic instead of TCP, simply replace "tcp" with "udp" in the iptables rule above.

6. Allow Multiple Ports on IPtables using Multiport

You can allow multiple ports at once by using the multiport match; below you can find such a rule for both incoming and outgoing connections (the OUTPUT rule matches on the source ports, because the replies of these services leave the host from ports 22, 80 and 443):

    # iptables -A INPUT  -p tcp -m multiport --dports 22,80,443 -j ACCEPT
    # iptables -A OUTPUT -p tcp -m multiport --sports 22,80,443 -j ACCEPT


7. Allow a Specific Network Range on a Particular Port on IPtables

You may want to limit certain connections on a specific port to a given network. Let's say you want to allow outgoing connections on port 22 to the network 192.168.100.0/24.

You can do it with this command:

    # iptables -A OUTPUT -p tcp -d 192.168.100.0/24 --dport 22 -j ACCEPT


8. Block Facebook on IPtables Firewall

Some employers like to block access to Facebook for their employees. Below is an example of how to block traffic to Facebook.

Note: If you are a system administrator and need to apply these rules, keep in mind that your colleagues may stop talking to you :)

First find the IP addresses used by Facebook:

    # host facebook.com
    facebook.com has address 66.220.156.68

    # whois 66.220.156.68 | grep CIDR
    CIDR: 66.220.144.0/20

You can then block that Facebook network with:

    # iptables -A OUTPUT -p tcp -d 66.220.144.0/20 -j DROP

Keep in mind that the IP address range used by Facebook may vary in your country.

9. Set up Port Forwarding in IPtables

Sometimes you may want to forward one service's traffic to another port. You can achieve this with the following command:

    # iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 25 -j REDIRECT --to-port 2525

The above command redirects all incoming traffic on network interface eth0 from port 25 to port 2525. You can change the ports to the ones you need.

10. Block Network Flood on Apache Port with IPtables

Sometimes IP addresses may request too many connections to the web ports of your website. This can cause a number of issues, and to prevent such problems you can use the following rules:

    # iptables -A INPUT -p tcp --dport 80 -m limit --limit 100/minute --limit-burst 200 -j ACCEPT
    # iptables -A INPUT -p tcp --dport 80 -j DROP

The first command limits the incoming connections per minute to 100 and sets a limit burst of 200. The limit match only stops the ACCEPT rule from matching once the rate is exceeded; the packets then fall through to the next rule, so the DROP rule for the same port must follow it, otherwise the chain policy decides what happens to them. You can adjust the limit and burst to your specific requirements.

11. Block Incoming Ping Requests on IPtables

Some system administrators like to block incoming ping requests due to security concerns. While the threat is not that big, it is good to know how to block such requests:

    # iptables -A INPUT -p icmp --icmp-type echo-request -i eth0 -j DROP

Matching only the echo-request type leaves the other ICMP types, which path MTU discovery and error reporting depend on, untouched.

12. Allow Loopback Access

Loopback access (access from 127.0.0.1) is important and you should always leave it enabled:

    # iptables -A INPUT -i lo -j ACCEPT
    # iptables -A OUTPUT -o lo -j ACCEPT


13. Keep a Log of Dropped Network Packets on IPtables

If you want to log the dropped packets on network interface eth0, you can use the following command:

    # iptables -A INPUT -i eth0 -j LOG --log-prefix "IPtables dropped packets:"

LOG is a non-terminating target, so this rule logs every packet that reaches it and then passes the packet on; place it immediately before your DROP rule (or at the end of a chain whose policy is DROP) so that only the packets about to be dropped are logged.

You can change the value after "--log-prefix" to anything you like. The messages are logged in /var/log/messages and you can search for them with:

    # grep "IPtables dropped packets:" /var/log/messages


14. Block Access from a Specific MAC Address on IPtables

You can block access to your system from a specific MAC address by using:

    # iptables -A INPUT -m mac --mac-source 00:00:00:00:00:00 -j DROP

Of course, you need to replace "00:00:00:00:00:00" with the actual MAC address you want to block.

15. Limit the Number of Concurrent Connections per IP Address

If you do not want too many concurrent connections established from a single IP address on a given port, you can use the command below:

    # iptables -A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 3 -j REJECT

The above command allows no more than 3 connections per client. Of course, you can change the port number to match different services. The --connlimit-above value should also be changed to match your requirements.

16. Search within IPtables Rules

Once you have defined your iptables rules, you will want to search through them from time to time and may need to alter them. An easy way to search within your rules is:

    # iptables -L $chain -v -n | grep $string

In the example above, replace $chain with the chain you want to search (add -t with the table name if the chain is not in the default filter table) and $string with the string you are looking for.

Here is an example:

    # iptables -L INPUT -v -n | grep 192.168.0.100
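
The following is an added example, not part of the original article, that turns the listing printed by "iptables -L -n -v" (section 2) into one tab-separated record per rule, so the grep of section 16 can be run over clean fields and the chain policies can be audited. The sample listing embedded in the script is constructed from the output shown in section 2 plus the empty custom chain of section 17; the function names are my own.

```bash
#!/bin/sh
# Added example: parse "iptables [-t table] -L -n -v" output into records and
# report chains whose default policy is ACCEPT. Not part of the original article.

# Constructed sample: the listing from section 2 of the article plus the
# "custom-filter" chain from section 17 (listed without -v, so no counters).
SAMPLE_LISTING='Chain INPUT (policy ACCEPT 1129K packets, 415M bytes)
 pkts bytes target prot opt in out source destination
 0 0 ACCEPT tcp -- lxcbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
 0 0 ACCEPT udp -- lxcbr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
 0 0 ACCEPT tcp -- lxcbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:67
 0 0 ACCEPT udp -- lxcbr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
 0 0 ACCEPT all -- * lxcbr0 0.0.0.0/0 0.0.0.0/0
 0 0 ACCEPT all -- lxcbr0 * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 354K packets, 185M bytes)
 pkts bytes target prot opt in out source destination
Chain custom-filter (0 references)
 target prot opt source destination'

# parse_listing: stdin = output of "iptables -L -n -v" (the -v layout:
# pkts bytes target prot opt in out source destination [match options]).
# stdout = chain, policy, target, proto, in, out, source, destination, options
parse_listing() {
    awk '
    /^Chain / {
        chain = $2
        policy = ($3 == "(policy") ? $4 : "-"     # user-defined chains have no policy
        next
    }
    /^ *pkts +bytes/ || /^ *target +prot/ || NF == 0 { next }   # header / blank lines
    {
        extra = ""
        for (i = 10; i <= NF; i++) extra = extra (i > 10 ? " " : "") $i
        printf "%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n",
               chain, policy, $3, $4, $6, $7, $8, $9, extra
    }'
}

# find_rules PATTERN: the section 16 search, run over the parsed records
find_rules() {
    parse_listing | grep -- "$1"
}

# chain_policies: one "chain<TAB>policy" line per chain, including empty chains
chain_policies() {
    awk '/^Chain / { printf "%s\t%s\n", $2, ($3 == "(policy") ? $4 : "-" }'
}

# accept_policy_chains: built-in chains that let through whatever no rule
# matches; a hardened host normally sets INPUT and FORWARD to DROP
accept_policy_chains() {
    chain_policies | awk -F'\t' '$2 == "ACCEPT" { print $1 }'
}

# Stand-alone use: feed the live listing in, e.g.
#   iptables -L -n -v | sh this_script.sh
# With no input on a terminal the constructed sample is used instead.
if [ -t 0 ]; then
    printf '%s\n' "$SAMPLE_LISTING" | parse_listing
    printf '%s\n' "$SAMPLE_LISTING" | accept_policy_chains | sed 's/^/ACCEPT policy: /'
fi
```

Pipe the output into cut, sort or grep as needed; because every record has the same nine fields, a search such as find_rules 'dpt:53' no longer depends on column alignment in the original listing.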
      

17. Define a New IPTables Chain

With iptables you can define your own chain and store custom rules in it. To define a chain, use:

    # iptables -N custom-filter

Now you can check whether your new chain is there:

    # iptables -L

    Chain INPUT (policy ACCEPT)
    target prot opt source destination

    Chain FORWARD (policy ACCEPT)
    target prot opt source destination
    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination
    Chain custom-filter (0 references)
    target prot opt source destination

18. Flush IPtables Firewall Chains or Rules

If you want to flush your firewall chains, you can use:

    # iptables -F

Flushing removes the rules only; the chain policies stay as they are, so on a host whose INPUT policy is DROP this command cuts off all traffic (including your SSH session) until rules are loaded again.

You can flush the chains of a specific table with:

    # iptables -t nat -F

Replace "nat" with the actual table whose chains you want to flush.

19. Save IPtables Rules to a File

If you want to save your firewall rules, you can use the iptables-save command. Use the following to save and store your rules in a file:

    # iptables-save > ~/iptables.rules

It is up to you where you store the file and what you name it.

20. Restore IPtables Rules from a File

If you want to restore a list of iptables rules, you can use iptables-restore. The command looks like this:

    # iptables-restore < ~/iptables.rules

Of course, the path to your rules file may be different.

21. Set up IPtables Rules for PCI Compliance

Some system administrators may be required to configure their servers to be PCI compliant. There are many requirements set by the different PCI compliance vendors, but a few of them are common.

In many cases you will need to have more than one IP address. You will need to apply the rules below to the site's IP address. Be extremely careful when using the rules below and apply them only if you are sure of what you are doing:

    # iptables -I INPUT -d SITE -p tcp -m multiport --dports 21,25,110,143,465,587,993,995 -j DROP

If you use cPanel or a similar control panel, you may need to block its ports as well. Here is an example:

    # iptables -I in_sg -d DEDI_IP -p tcp -m multiport --dports 2082,2083,2095,2096,2525,2086,2087 -j DROP

Note: To make sure you meet your PCI vendor's requirements, check their report carefully and apply the required rules. In some cases you may need to block UDP traffic on certain ports as well.

22. Allow Established and Related Connections

As network traffic is filtered separately for incoming and outgoing packets, you will want to allow established and related incoming traffic. For incoming connections do it with:

    # iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

For outgoing traffic use:

    # iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT


23. Drop Invalid Packets in IPtables

It is possible to have some network packets marked as invalid by connection tracking. Some people prefer to log those packets, while others prefer to drop them. To drop invalid packets, you can use:

    # iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
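
The individual rules of this article only do what they are meant to do when they sit in the right order in one chain. The script below is an added example, not part of the original article, that assembles the rules from sections 5, 6, 9, 10, 11, 12, 13, 15, 22, 23 and 25 into a single file in the format that iptables-save writes and iptables-restore reads (sections 19 and 20), with a DROP policy on INPUT and FORWARD. It assumes eth0 is the external interface, that the host serves on TCP ports 22, 80 and 443, and that it does not route; the LOGDROP chain name and the function names are my own.

```bash
#!/bin/sh
# Added example: build, check and apply one iptables-restore ruleset made of the
# article's rules. Not part of the original article.
# Assumptions (override through the environment): eth0 is the external interface
# and 22,80,443 are the TCP services this host offers.
WAN_IF="${WAN_IF:-eth0}"
ALLOW_TCP_PORTS="${ALLOW_TCP_PORTS:-22,80,443}"

# build_ruleset: print the ruleset on stdout. Lines beginning with "#" are
# ignored by iptables-restore, so the section references can stay in the file.
build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGDROP - [0:0]
# 12. loopback must stay open
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# 23. packets conntrack cannot classify go first, so nothing below sees them
-A INPUT -m conntrack --ctstate INVALID -j DROP
# 22. replies that belong to connections already accepted
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# 15. at most 3 concurrent SSH connections per source address
-A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 3 -j REJECT
# 10. rate-limit new HTTP connections; the DROP after the limit rule enforces it
-A INPUT -p tcp --syn --dport 80 -m limit --limit 100/minute --limit-burst 200 -j ACCEPT
-A INPUT -p tcp --syn --dport 80 -j DROP
# 6. the services this host offers
-A INPUT -p tcp -m multiport --dports ${ALLOW_TCP_PORTS} -j ACCEPT
# 11. no ping from the outside; other ICMP types still reach the policy below
-A INPUT -i ${WAN_IF} -p icmp --icmp-type echo-request -j DROP
# 13. everything else is logged (rate-limited so logs cannot be flooded) and dropped
-A INPUT -j LOGDROP
-A LOGDROP -m limit --limit 5/minute -j LOG --log-prefix "IPtables dropped packets: "
-A LOGDROP -j DROP
# 25. this host never sends mail
-A OUTPUT -p tcp -m multiport --dports 25,465,587 -j REJECT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# 9. port forwarding: inbound 25 on the external interface goes to 2525
-A PREROUTING -i ${WAN_IF} -p tcp --dport 25 -j REDIRECT --to-port 2525
COMMIT
EOF
}

# write_ruleset [FILE]: the file sections 19 and 20 save and restore
write_ruleset() {
    out="${1:-$HOME/iptables.rules}"
    build_ruleset > "$out" && echo "$out"
}

# check_ruleset: iptables-restore --test parses the ruleset without committing it
check_ruleset() {
    build_ruleset | iptables-restore --test
}

# apply_ruleset: atomically replace the running ruleset (needs root)
apply_ruleset() {
    build_ruleset | iptables-restore
}

case "${1:-}" in
    --check) check_ruleset ;;
    --apply) apply_ruleset ;;
    --write) write_ruleset "$2" ;;
    *)       build_ruleset ;;
esac
```

Run the script with no arguments to review the generated file, with --check to have iptables-restore validate it (this needs the iptables binaries and netfilter access, so root), and with --apply to load it. Loading through iptables-restore replaces the whole table at once, so there is no window in which the chain policy is DROP but the ACCEPT rules are not yet present, which is exactly the gap that the flush command of section 18 opens.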
      

24. Block Connections on a Network Interface

Some systems may have more than one network interface. You can limit access on a given network interface or block connections from a specific IP address on it.

For example:

    # iptables -A INPUT -i eth0 -s xxx.xxx.xxx.xxx -j DROP

Replace "xxx.xxx.xxx.xxx" with the actual IP address (or network) you want to block.
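
Sections 3, 4 and 24 all warn that a hand-typed DROP rule can lock you out of your own server. The script below is an added example, not part of the original article, that wraps those three rules in shell functions which validate the address, refuse to block the network your own SSH session comes from (taken from the SSH_CONNECTION variable that sshd sets), and use "iptables -C" so that the same rule is never appended twice. IPv4 only; the iptables binary is taken from the IPTABLES variable so a dry run can substitute a stub. The function names are my own.

```bash
#!/bin/sh
# Added example: lockout-safe wrappers for the DROP rules of sections 3, 4 and 24.
# Not part of the original article. Assumption: IPv4 addresses only.
IPTABLES="${IPTABLES:-iptables}"

# valid_ipv4 ADDR[/PREFIX]: 0 if ADDR is a dotted-quad host address or CIDR network
valid_ipv4() {
    addr="${1%%/*}"
    prefix="${1#*/}"
    [ "$prefix" = "$1" ] && prefix=32            # no "/": a single host
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    case "$addr" in *..*|.*|*.) return 1 ;; esac # empty octets
    set -f; oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs; set +f   # -f: no globbing
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*|0?*) return 1 ;; esac   # digits only, no leading zeros (octal)
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# ip_to_int A.B.C.D: the address as a 32-bit integer
ip_to_int() {
    set -f; oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs; set +f
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_network ADDR NET[/PREFIX]: 0 if ADDR lies inside NET
in_network() {
    net="${2%%/*}"; prefix="${2#*/}"
    [ "$prefix" = "$2" ] && prefix=32
    mask=$(( prefix == 0 ? 0 : (4294967295 << (32 - prefix)) & 4294967295 ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# own_address: source address of the current SSH session, empty when not over SSH
own_address() {
    printf '%s\n' "${SSH_CONNECTION%% *}"
}

# block_ip ADDR[/PREFIX] [IFACE]: section 3; with IFACE it is the rule of section 24
block_ip() {
    target="$1"; iface="$2"
    valid_ipv4 "$target" || { echo "block_ip: '$target' is not an IPv4 address or network" >&2; return 2; }
    me=$(own_address)
    if [ -n "$me" ] && in_network "$me" "$target"; then
        echo "block_ip: refusing to block $target: it contains your own session address $me" >&2
        return 3
    fi
    set -- -s "$target" -j DROP
    [ -n "$iface" ] && set -- -i "$iface" "$@"
    # -C checks whether an identical rule exists, so -A never duplicates it
    if "$IPTABLES" -C INPUT "$@" 2>/dev/null; then
        echo "rule already present: INPUT $*"
    else
        "$IPTABLES" -A INPUT "$@"
    fi
}

# unblock_ip ADDR[/PREFIX] [IFACE]: section 4, deleting the rule block_ip added
unblock_ip() {
    target="$1"; iface="$2"
    valid_ipv4 "$target" || return 2
    set -- -s "$target" -j DROP
    [ -n "$iface" ] && set -- -i "$iface" "$@"
    "$IPTABLES" -D INPUT "$@"
}

# Stand-alone use:  sh this_script.sh block 198.51.100.77 [eth0]
#                   sh this_script.sh unblock 198.51.100.77 [eth0]
case "${1:-}" in
    block)   block_ip "$2" "$3" ;;
    unblock) unblock_ip "$2" "$3" ;;
esac
```

Set IPTABLES=echo to see the exact iptables command a call would run without touching the firewall. The lockout check is deliberately conservative: it compares the address you are about to block with the whole network you supplied, so blocking a /24 that contains your own address is refused even though the single-host rule for another address in it is not.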

25. Disable Outgoing Mail through IPTables

If your system should not be sending any email, you can block outgoing connections on the SMTP ports. For example you can use this (several ports in one rule need the multiport match):

    # iptables -A OUTPUT -p tcp -m multiport --dports 25,465,587 -j REJECT


Conclusion

Iptables is a powerful firewall that you can easily benefit from. It is vital for every system administrator to learn at least the basics of iptables. If you want more detailed information about iptables and its options, reading its manual is highly recommended:

    # man iptables

If you think we should add more commands to this list, please share them with us by submitting them in the comment section below.