Jagorar Mai farawa zuwa IPTables (Linux Firewall) Umurni

Idan kana amfani da Kwamfuta na ɗan lokaci, dole ne ka saba da kalmar \Firewall Mun san cewa abubuwa suna kama da rikitarwa daga saman amma ta wannan koyawa, za mu bayyana tushen IPTable da kuma amfani da mahimman umarni. ta yadda ko da kai dalibin sadarwar yanar gizo ne ko kuma kana son zurfafa zurfafa cikin hanyoyin sadarwa, za ka iya amfana da wannan jagorar.

Yadda Firewall ke aiki abu ne mai sauƙi. Yana haifar da shamaki tsakanin amintattun cibiyoyin sadarwa da marasa amana don haka tsarin ku zai iya zama amintattu daga fakitin ƙeta.

Amma ta yaya za mu yanke shawarar abin da ke da aminci da abin da ba haka ba? Ta hanyar tsoho, kuna samun wasu gata don saita dokoki don Firewall ɗinku amma don ƙarin cikakkun bayanai game da fakiti masu shigowa da masu fita, IPTables sune abin da kuke buƙata mafi yawa.

Ana iya amfani da IPTables don yin lissafin sirri ko kuma ana iya amfani da su ga duk hanyar sadarwa. Amfani da IPTables, za mu ayyana saitin dokoki waɗanda za mu iya sa ido, ba da izini ko toshe fakitin cibiyar sadarwa masu shigowa ko masu fita.

Maimakon kawai a mai da hankali kan dukan ɓangaren ka'idar, za mu tattauna ne kawai abin da ke da mahimmanci a cikin duniya mai amfani. Don haka bari mu fara da fahimtar ainihin ra'ayoyin IPTables.

Fahimtar Ka'idar IPTables

Yayin da muke tattaunawa kan IPTables, dole ne mu fahimci sharuɗɗan 3: Tables, Chains, da Dokoki. Da yake waɗannan su ne muhimman sassa, za mu tattauna kowannensu.

Don haka bari mu fara da Tables.

Akwai nau'ikan tebur guda 5 a cikin IPTables kuma kowanne yana da ƙa'idodi daban-daban da ake amfani da su. Don haka bari mu fara da teburin gama gari \Filer.

  1. Tace Tebur - Wannan shine tsoho da babban tebur yayin amfani da IPTables. Yana nufin duk lokacin da ba za ku ambaci kowane takamaiman tebur ba yayin aiwatar da dokoki, za a yi amfani da su a teburin tacewa. Kamar yadda sunansa ya nuna, aikin Teburin Filter shine yanke shawara ko za a bar fakitin su isa inda suke ko kuma su musanta bukatarsu.
  2. NAT (Fassarar Adireshin Yanar Gizo) - Kamar yadda sunansa ya nuna, wannan tebur yana bawa masu amfani damar tantance fassarar adiresoshin cibiyar sadarwa. Matsayin wannan tebur shine sanin ko za'a gyara da kuma yadda za'a canza tushen da kuma inda adireshin fakitin.
    3. Teburin Mangle - Wannan tebur yana ba mu damar canza taken IP na fakiti. Misali, zaku iya daidaita TTL zuwa ko dai tsawaita ko gajarta hops na cibiyar sadarwa wanda fakitin zai iya dorewa. Hakazalika, ana iya gyaggyara sauran masu rubutun IP bisa ga abin da kuke so.
  3. RAW Tebur - Babban amfani da wannan tebur shine don bin diddigin haɗin kai yayin da yake ba da hanyar yin alama ga fakiti don duba fakiti a matsayin wani ɓangare na zama mai gudana.
  4. Table Tsaro - Yin amfani da teburin Tsaro, masu amfani za su iya amfani da alamun tsaro na SELinux na ciki akan fakitin cibiyar sadarwa.

Don mafi yawan lokuta masu amfani, nau'ikan 2 na ƙarshe (RAW da Tsaro) na tebur ba su da yawa da za su yi kuma kawai zaɓuɓɓukan 3 na farko ana ƙidaya su azaman manyan tebur.

Yanzu, bari muyi magana game da Chains.

Suna nuna hali a wuraren da ke cikin hanyar sadarwar inda za mu iya amfani da dokoki. A cikin IPTables, muna nau'ikan sarƙoƙi guda 5 kuma zamu tattauna kowannensu. Ka tuna cewa ba kowane nau'in sarkar ke samuwa ga kowane nau'in tebur ba.

  1. Pre-routing - Ana amfani da wannan sarkar akan duk wani fakitin da ke shigowa da zarar an shigar da ita cikin tarin cibiyar sadarwa kuma ana sarrafa wannan sarkar tun ma kafin a yanke shawarar kai tsaye dangane da inda fakitin zai kasance.
  2. Sarkar shigarwa - Ita ce wurin da fakiti ke shiga cikin tarin cibiyar sadarwa.
  3. Sarkar Gaba - shine wurin da aka tura fakitin ta hanyar tsarin ku.
  4. Sarkar fitarwa - Ana amfani da sarkar fitarwa akan fakiti lokacin da ta samo asali ta tsarin ku kuma ta fita.
  5. Bayan hanya - Wannan shi ne cikakken akasin sarkar da aka riga aka yi amfani da ita kuma ana amfani da ita zuwa fakitin da aka tura ko masu fita da zarar an yanke shawarar hanyar.

Yanzu, abin da kawai ya rage don tattauna shi ne dokoki, kuma shine mafi sauƙi daga cikin 3 da muka tattauna a nan. Don haka bari mu kammala abin da ya rage a bangaren ka'idar.

Dokoki ba komai bane illa saiti ko umarni ɗaya wanda masu amfani ke sarrafa zirga-zirgar hanyar sadarwa. Da zarar kowace sarkar ta fara aiki, za a bincika fakitin a kan ƙayyadaddun ƙayyadaddun ƙa'idodi.

Idan ka'ida daya bai gamsar da sharadi ba, za'a tsallake ta zuwa na gaba kuma idan ta gamsar da sharadi, za'a kayyade ka'ida ta gaba da kimar abin da aka sa a gaba.

Kowace doka tana da abubuwa guda biyu: bangaren da ya dace da abin da ake nufi.

  1. Matching Bangaren - Sune sharuɗɗa daban-daban don ayyana dokoki waɗanda za a iya daidaita su ta hanyar yarjejeniya, adireshin IP, adireshin tashar jiragen ruwa, musaya, da masu kai.
  2. Manufar Manufa - Wannan aikin ne da za a fara da zarar an cika sharuɗɗan.

Wannan shine ɓangaren bayanin kuma yanzu za mu rufe mahimman umarni masu alaƙa da IPTables a cikin Linux.

Shigar da IPTables Firewall a cikin Linux

A cikin rarrabawar Linux na zamani kamar Pop!_OS, IPTables suna zuwa an riga an shigar dasu amma idan tsarin ku bai rasa kunshin IPTables ba, zaku iya shigar dashi cikin sauƙi ta hanyar ba da umarni:

Don shigar da IPTables akan umarnin dnf.

$ sudo dnf install iptables-services

Muhimmi: Idan kana amfani da Firewalld, dole ne ka kashe shi kafin a ci gaba da shigarwa. Don dakatar da Tacewar zaɓi gaba ɗaya, dole ne ku yi amfani da umarni masu zuwa:

$ sudo systemctl stop firewalld
$ sudo systemctl disable firewalld
$ sudo systemctl mask firewalld

Don shigar da IPTables akan umarnin da ya dace.

$ sudo apt install iptables

Da zarar kun shigar da IPTables, zaku iya kunna Tacewar zaɓi ta umarni da aka bayar:

$ sudo systemctl enable iptables
$ sudo systemctl start iptables

Don saka idanu akan yanayin sabis na IPTable, zaku iya amfani da umarnin da aka bayar:

$ sudo systemctl status iptables

Koyi Tushen Dokar IPTables a cikin Linux

Da zarar mun gama tare da shigarwa, za mu iya ci gaba tare da syntax na IPTables wanda zai ba ku damar tweak da kuskure kuma ya ba ku damar daidaitawa kamar yadda kuke bukata.

Asalin ma'anar IPTables shine kamar haka:

# iptables -t {type of table} -options {chain points} {condition or matching component} {action}

Bari mu fahimci bayanin umarnin da ke sama:

Kashi na farko shine -t inda zamu iya zaɓar daga kowane zaɓin tebur guda 5 da ake da su kuma idan kun cire sashin -t daga umarnin, zai yi amfani da tebur mai tacewa kamar yadda yake. tsoho nau'in tebur.

Kashi na biyu shine na sarkar. Anan zaku iya zaɓar daga zaɓuɓɓukan maki daban-daban kuma ana ba da waɗannan zaɓuɓɓukan a ƙasa:

  • -A - Yana ƙara sabuwar doka zuwa sarkar a ƙarshen sarkar.
  • -C - Yana bincika ƙa'ida ko ya gamsar da buƙatun sarkar.
  • -D - Yana ba masu amfani damar share wata ƙa'idar data kasance daga sarkar.
  • -F - Wannan zai cire kowace doka da mai amfani ya ayyana.
  • -I - Yana ba masu amfani damar ƙara sabuwar doka a ƙayyadadden matsayi.
  • -N - Yana ƙirƙirar sabuwar sarkar gaba ɗaya.
  • -v - Lokacin da aka yi amfani da shi tare da zaɓin jeri, yana kawo cikakkun bayanai.
  • -X - Yana goge sarkar.

Zaɓuɓɓukan daidaitawa sune yanayin duba buƙatar sarkar. Kuna iya zaɓar daga zaɓuɓɓuka daban-daban kuma ana ba da wasu daga cikinsu a ƙasa:

Protocols -p
Source IP -s
Destination IP -d
IN interface -i
OUT interface -o

Ga TCP, sune kamar haka:

-sport
-dport
--tcp-flags

Yanzu, idan muka yi la'akari da sashin aikin, zaɓuɓɓukan da ke akwai sun dogara da nau'in tebur kamar NAT, kuma teburin mangle yana da ƙarin zaɓuɓɓuka idan aka kwatanta da wasu. Ta yin amfani da aiki, za ka iya kuma kai hari kan takamaiman tebur ko sarka.

Ayyukan da aka fi amfani da su shine Jump (-j) wanda zai bamu zaɓuɓɓuka da yawa kamar:

  • YARDA - Ana amfani da shi don karɓar fakiti da kuma kawo ƙarshen wucewa.
  • DROP - Ana amfani da shi don sauke fakiti da kawo ƙarshen wucewa.
  • KARE – Wannan yayi kama da DROP amma yana aika fakitin da aka ƙi zuwa tushen.
  • DAwo - Wannan zai dakatar da ratsa fakitin a cikin ƙaramin sarkar kuma zai aika takamaiman fakitin zuwa mafi girman sarkar ba tare da wani tasiri ba.

Da zarar mun gama tare da syntax, za mu nuna muku yadda zaku iya amfani da IPTables gami da daidaitawa na asali.

Idan kuna son bincika abin da ke wucewa ta Firewall ɗinku ta tsohuwa, jera saitin ƙa'idodi na yanzu hanya ce cikakke. Don lissafin dokokin da aka yi amfani da su, yi amfani da umarnin da aka bayar:

$ sudo iptables -L

A cikin wannan sashe, za mu nuna muku yadda zaku iya ba da izini ko hana zirga-zirgar hanyar sadarwa don takamaiman tashar jiragen ruwa. Za mu nuna muku wasu sanannun tashoshin jiragen ruwa kamar yadda muke so mu kasance masu taimako gwargwadon iyawa.
Idan kuna son ba da izinin zirga-zirgar hanyar sadarwa ta HTTPS, dole ne mu ƙyale tashar jiragen ruwa no 443 ta amfani da umarnin da aka bayar:

$ sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT

Hakazalika, zaku iya musaki zirga-zirgar gidan yanar gizon HTTP ta hanyar ba da umarni:

$ sudo iptables -A INPUT -p tcp --dport 80 -j REJECT

Bayanin zaɓuɓɓukan umarni da aka yi amfani da su:

  • -p

    don bincika ka'idodin da aka ƙayyade kuma a cikin yanayinmu yana da TCP.
    • Ana amfani da
  • --dport don tantance tashar tashar da za a nufa.
    • Ana amfani da
  • -j don ɗaukar mataki (karɓa ko sauke).

Ee, zaku iya sarrafa zirga-zirgar hanyar sadarwa daga adireshin IP. Ba ɗaya ko biyu kawai ba amma kuma sarrafa kewayon adiresoshin IP kuma za mu nuna muku yadda.

Don ba da izinin takamaiman adireshin IP, yi amfani da tsarin umarni da aka bayar:

$ sudo iptables -A INPUT -s 69.63.176.13 -j ACCEPT

Hakazalika, don sauke fakiti daga takamaiman IP, ana buƙatar ku yi amfani da tsarin umarni da aka bayar:

$ sudo iptables -A INPUT -s 192.168.0.27 -j DROP

Idan kuna so, kuna iya sarrafa kewayon adiresoshin IP ta amfani da tsarin umarni da aka bayar:

$ sudo iptables -A INPUT -m range --src-range 192.168.0.1-192.168.0.255 -j REJECT

Wani lokaci muna iya kawo karshen yin kuskure yayin ƙirƙirar dokoki kuma hanya mafi kyau don shawo kan waɗannan kurakuran shine share su. Share ƙayyadaddun ƙa'idodi sune mafi sauƙi tsari a cikin wannan jagorar kuma don share su, da farko, dole ne mu jera su.

Don jera ƙayyadaddun dokoki tare da lambobi, yi amfani da umarnin da aka bayar:

$ sudo iptables -L --line-numbers

Don share dokoki, dole ne mu bi tsarin umarni da aka bayar:

$ sudo iptables -D <INPUT/FORWARD/OUTPUT> <Number>

Bari mu ɗauka ina so in share doka ta 10 daga INPUT don haka zan yi amfani da umarnin da aka bayar:

$ sudo iptables -D INPUT 10

Don bincika ko mun sami nasarar cire doka, dole ne mu jera dokoki ta hanyar da aka bayar:

$ sudo iptables -L –line-numbers

Kamar yadda kuke gani, mun sami nasarar cire doka ta 10.

Kuna iya yin mamakin dalilin da yasa dole mu adana dokoki inda suke aiki lafiya bayan amfani da su? Matsalar ita ce da zarar tsarin ku ya sake kunnawa, duk ƙayyadaddun ƙayyadaddun dokoki waɗanda ba a adana su ba za a share su don haka yana da mahimmanci a gare mu.

Don adana dokoki a cikin distros na tushen RHEL:

$ sudo /sbin/service iptables save

Don adana dokoki a cikin abubuwan Debian:

$ sudo /sbin/iptables–save

Don ƙarin koyo game da dokokin IPtable Firewall, duba cikakken jagorar mu a:

  • 25 Dokokin Gudun Wuta na IPtable Duk Mai Gudanar da Linux Ya Kamata Ya sani

A cikin wannan jagorar, mun yi ƙoƙarin sauƙaƙe abubuwa don kowa ya amfana da shi. Wannan jagorar bayani ce ta asali akan IPTables kuma idan kuna da wasu tambayoyi, jin daɗin yin tambaya a cikin sharhi.