Basic Guide on IPTables (Linux Firewall) Tips/Commands


This tutorial walks you through how the firewall works on a Linux operating system and what IPTables in Linux is. The firewall decides the fate of packets entering and leaving the system. IPTables is a rule-based host firewall and comes pre-installed on most Linux operating systems. By default it runs without any rules. IPTables was included in kernel 2.4; before that the tool was called ipchains or ipfwadm. IPTables is a front-end tool that talks to the kernel and decides which packets to filter. This guide may help you with the basic concepts and commands of IPTables, where we explain the common rules of the tool that you can refer to and customise according to your requirements.

Different services are used for different protocols, such as:

  1. iptables applies to IPv4.
  2. ip6tables applies to IPv6.
  3. arptables applies to ARP.
  4. ebtables applies to Ethernet frames.

The main IPTables files are:

  1. /etc/init.d/iptables - init script to start | stop | restart and save the rules.
  2. /etc/sysconfig/iptables - where the rules are saved.
  3. /sbin/iptables - the binary.

There are currently three tables.

  • Filter
  • NAT
  • Mangle

Currently there are four chains in total:

  1. INPUT: the default chain for packets arriving at the system.
  2. OUTPUT: the default chain for packets generated by the system.
  3. FORWARD: the default chain for packets sent on through another interface.
  4. RH-Firewall-1-INPUT: a user-defined custom chain.

Note: The main files above may differ slightly on Ubuntu Linux.

How to start, stop and restart the IPTables firewall.

# /etc/init.d/iptables start 
# /etc/init.d/iptables stop
# /etc/init.d/iptables restart

To start IPTables on system boot, use the following command.

# chkconfig --level 345 iptables on

Save the IPTables rules with the command below. Whenever the system reboots or the IPTables service restarts, the existing rules are flushed or reset and are lost. The command below saves the IPTables rules to the /etc/sysconfig/iptables file by default, and the rules are applied or restored from that file in case IPTables is flushed.

# service iptables save

Check the status of IPTables/firewall. The options are “-L” (list rules), “-v” (verbose) and “-n” (display in numeric format).

 iptables -L -n -v

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    6   396 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 5 packets, 588 bytes)
 pkts bytes target     prot opt in     out     source               destination

Display the IPTables rules with numbers. Using the “--line-numbers” argument you can add or remove rules by their number.

 iptables -n -L -v --line-numbers

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       51  4080 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
3        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
4        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
5        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 45 packets, 5384 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Flushing or deleting IPTables rules. The command below removes all rules from the tables. Take a backup of the rules before executing it.

 iptables -F

To delete or add rules, let us first look at the rules in the chains. The commands below display the rules in the INPUT and OUTPUT chains with rule numbers, which help us add or delete rules.

 iptables -L INPUT -n --line-numbers

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
5    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

 iptables -L OUTPUT -n --line-numbers

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Let's say you want to delete rule number 5 from the INPUT chain. Use the following command.

 iptables -D INPUT 5

To insert or add a rule to the INPUT chain between rules 4 and 5.

 iptables -I INPUT 5 -s ipaddress -j DROP
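The insert position matters: a rule appended with -A after the final catch-all REJECT in the listing above is never reached. The added script below (not part of the original tutorial) reads an `iptables -L INPUT -n --line-numbers` listing, finds the number of the first catch-all REJECT/DROP rule, and builds an `iptables -I` command that places a new ACCEPT rule just before it (or an `iptables -A` command when no catch-all exists). The listing is embedded as a constructed sample so it runs offline; `catchall_rule_num` and `open_tcp_port` are names chosen here.

```shell
#!/bin/sh
# Constructed sample: the INPUT chain listing shown earlier in this tutorial.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
5    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited'

# Read a numeric (-n) --line-numbers listing on stdin and print the number of the
# first REJECT/DROP rule that matches all protocols from any source (0.0.0.0/0).
# Handles both the plain and the -v (pkts/bytes) column layouts. Prints nothing
# if no such catch-all exists. Assumes -n was used (otherwise source is "anywhere").
catchall_rule_num() {
    awk '$1 == "num"        { v = ($2 == "pkts"); next }
         $1 !~ /^[0-9]+$/   { next }
         { tgt = v ? $4 : $2; proto = v ? $5 : $3; src = v ? $9 : $5 }
         (tgt == "REJECT" || tgt == "DROP") && proto == "all" && src == "0.0.0.0/0" {
             print $1; exit
         }'
}

# Build the command that opens TCP port $1 for NEW connections, inserting it right
# before the catch-all rule so it is reachable; append with -A when there is none.
# Usage: open_tcp_port 80 "$listing"   (prints the command; does not run it)
open_tcp_port() {
    port=$1
    listing=$2
    n=$(printf '%s\n' "$listing" | catchall_rule_num)
    if [ -n "$n" ]; then
        printf 'iptables -I INPUT %s -p tcp --dport %s -m state --state NEW -j ACCEPT\n' "$n" "$port"
    else
        printf 'iptables -A INPUT -p tcp --dport %s -m state --state NEW -j ACCEPT\n' "$port"
    fi
}

# Demo against the sample: prints the -I command using rule number 5.
open_tcp_port 80 "$SAMPLE_LISTING"
```

Pipe a live listing in (`iptables -L INPUT -n --line-numbers`) and review the printed command before running it as root; remember to `service iptables save` afterwards.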

We have tried to cover the basic usage and functions of IPTables for beginners. You can create more complex rules once you have a full understanding of TCP/IP and a good knowledge of your own setup.