RHCSA Series: Essential Firewall and Network Traffic Control Using FirewallD and Iptables - Part 11


In simple terms, a firewall is a security system that controls the incoming and outgoing traffic of a network based on a set of predefined rules (such as the destination/source address or the type of traffic, for example).

In this article we will review the basics of firewalld, the default dynamic firewall daemon in Red Hat Enterprise Linux 7, and of the iptables service, the legacy firewall service for Linux, with which most system and network administrators are well acquainted and which is also available in RHEL 7.

Comparison Between FirewallD and Iptables

Under the hood, both firewalld and the iptables service talk to the netfilter framework in the kernel through the same interface, which is, not surprisingly, the iptables command. However, unlike the iptables service, firewalld can change its settings during normal system operation without existing connections being lost.

Firewalld should be installed by default on your RHEL system, although it may not be running. You can verify this with the following commands (firewall-config is the graphical configuration tool):

# yum info firewalld firewall-config

and,

# systemctl status -l firewalld.service

On the other hand, the iptables service is not installed by default, but it can be installed with:

# yum update && yum install iptables-services

Both daemons can be started and enabled to start on boot with the usual systemd commands. Only one of the two should be active at a time, since both manage the same netfilter rules:

# systemctl start firewalld.service
# systemctl enable firewalld.service

or, if you prefer the iptables service (the unit installed by the iptables-services package is called iptables.service):

# systemctl start iptables.service
# systemctl enable iptables.service

Read Also: Useful Commands to Manage Systemd Services

As far as configuration files are concerned, the iptables service uses /etc/sysconfig/iptables (which will not exist if the package is not installed on your system). On a RHEL 7 box used as a cluster node, this file looks as follows:

Whereas firewalld stores its configuration across two directories, /usr/lib/firewalld and /etc/firewalld:

# ls /usr/lib/firewalld /etc/firewalld

We will examine these configuration files in more detail later in this article, after we have added a few rules here and there. For now it will suffice to remind you that you can always find more information about both tools with:

# man firewalld.conf
# man firewall-cmd
# man iptables

Other than that, remember to take a look at Reviewing Essential Commands & System Documentation - Part 1 of the current series, where I described several sources from which you can get information about the packages installed on your RHEL 7 system.

Using Iptables to Control Network Traffic

You may want to refer to Configure Iptables Firewall - Part 8 of the Linux Foundation Certified Engineer (LFCE) series to refresh your memory about iptables internals before proceeding further. That way we can jump right into the examples.

TCP ports 80 and 443 are the default ports used by the Apache web server to handle normal (HTTP) and secure (HTTPS) web traffic. You can allow incoming and outgoing web traffic through both ports on the enp0s3 interface as follows:

# iptables -A INPUT -i enp0s3 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -o enp0s3 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
# iptables -A INPUT -i enp0s3 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -o enp0s3 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT

There may be times when you need to block all (or some) types of traffic originating from a specific network, say 192.168.1.0/24 for example:

# iptables -I INPUT -s 192.168.1.0/24 -j DROP

will drop all packets coming from the 192.168.1.0/24 network, whereas,

# iptables -A INPUT -s 192.168.1.0/24 -p tcp --dport 22 -j ACCEPT

will allow incoming traffic from that network through port 22 only (note that --dport requires the protocol to be given with -p tcp).

If you are using your RHEL 7 box not only as a software firewall but also as the actual hardware-based one, so that it sits between two distinct networks, IP forwarding must already be enabled on your system. If it is not, you need to edit /etc/sysctl.conf and set the value of net.ipv4.ip_forward to 1, as follows:

net.ipv4.ip_forward = 1

then save the change, close your text editor, and finally run the following command to apply the change:

# sysctl -p /etc/sysctl.conf

For example, you may have a printer installed on an internal box with IP 192.168.0.10, with the CUPS service listening on port 631 (both on the print server and on your firewall). In order to forward requests from clients on the other side of the firewall to the printer, you should add the following iptables rule:

# iptables -t nat -A PREROUTING -i enp0s3 -p tcp --dport 631 -j DNAT --to 192.168.0.10:631

Please keep in mind that iptables evaluates its rules sequentially and stops at the first match, so make sure that the default policies or later rules do not override those outlined in the examples above. For instance, if the DROP rule for 192.168.1.0/24 is inserted at the top of the INPUT chain with -I, an ACCEPT rule for port 22 from the same network that is merely appended with -A afterwards will never be reached.
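As an added example that is not part of the original article, the following POSIX shell script assembles the iptables rules from this section into one ruleset in the format /etc/sysconfig/iptables uses: a default DROP policy, the SSH exception placed before the network-wide DROP so that it can actually match, and the FORWARD rules the DNAT needs once the FORWARD policy is DROP. The interface, blocked network and printer address are the values used in the text above.

```shell
#!/bin/sh
# Added example (not from the original article): build an iptables-restore
# ruleset combining the rules discussed above, ordered so that the intended
# exceptions are actually reachable. Interface, blocked network and printer
# address are the values used in the text.
IFACE=enp0s3
BLOCKED_NET=192.168.1.0/24
PRINTER=192.168.0.10

# Emit the ruleset in the format /etc/sysconfig/iptables uses.
build_ruleset() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# The SSH exception must come before the network-wide DROP: iptables stops at the first match.
-A INPUT -i $IFACE -s $BLOCKED_NET -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -i $IFACE -s $BLOCKED_NET -j DROP
-A INPUT -i $IFACE -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -i $IFACE -p tcp --dport 443 -m state --state NEW -j ACCEPT
# Forwarded CUPS traffic to the printer; also needs net.ipv4.ip_forward = 1.
-A FORWARD -i $IFACE -d $PRINTER -p tcp --dport 631 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -o $IFACE -s $PRINTER -p tcp --sport 631 -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i $IFACE -p tcp --dport 631 -j DNAT --to-destination $PRINTER:631
COMMIT
EOF
}

# Returns success only if the SSH exception precedes the DROP for the same
# network; an ACCEPT appended after that DROP could never match.
ssh_exception_reachable() {
  build_ruleset | awk -v net="$BLOCKED_NET" '
    index($0, "-s " net) && /--dport 22/ && /-j ACCEPT/ && !acc { acc = NR }
    index($0, "-s " net) && /-j DROP/ && !drop { drop = NR }
    END { exit !(acc && drop && acc < drop) }'
}

# On the firewall host (as root): build_ruleset > /etc/sysconfig/iptables
# followed by systemctl restart iptables.service
```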

Getting Started with FirewallD

One of the changes introduced with firewalld is the concept of zones. A zone lets you separate networks according to the level of trust the user has decided to place on the devices and the traffic within each network.

To list the active zones:

# firewall-cmd --get-active-zones

In the example below, the public zone is active, and the enp0s3 interface has been assigned to it automatically. To view all the information about a particular zone:

# firewall-cmd --zone=public --list-all

Since you can read more about zones in the RHEL 7 Security Guide, we will only list a few specific examples here.

To get the list of supported services, use:

# firewall-cmd --get-services

To allow http and https web traffic through the firewall, effective immediately and on subsequent boots:

# firewall-cmd --zone=MyZone --add-service=http
# firewall-cmd --zone=MyZone --permanent --add-service=http
# firewall-cmd --zone=MyZone --add-service=https
# firewall-cmd --zone=MyZone --permanent --add-service=https
# firewall-cmd --reload

If --zone is omitted, the default zone is used (you can check which one that is with firewall-cmd --get-default-zone).

To remove a rule, replace the word add with remove in the commands above.

To reproduce the port-forwarding example with firewalld, you will first need to find out whether masquerading is enabled for the desired zone:

# firewall-cmd --zone=MyZone --query-masquerade

In the image below, we can see that masquerading is enabled for the external zone, but not for public:

You can either enable masquerading for public:

# firewall-cmd --zone=public --add-masquerade

or use masquerading in external. This is what we need to do to reproduce example 3 (the CUPS port-forwarding rule) with firewalld:

# firewall-cmd --zone=external --add-forward-port=port=631:proto=tcp:toport=631:toaddr=192.168.0.10

And don't forget to reload the firewall.
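As an added example that is not part of the original article, this shell function writes the persistent zone definition that the --permanent commands above produce, in the XML format firewalld keeps under /etc/firewalld/zones/ (one of the two configuration directories mentioned earlier); the zone name, interface and printer address are assumed from the text, and the file only takes effect after a reload.

```shell
#!/bin/sh
# Added example (not from the original article): write the persistent zone
# file for the external zone used above. Zone name, interface and printer
# address are assumptions taken from the text.
ZONE=external
IFACE=enp0s3
PRINTER=192.168.0.10

# The XML that firewall-cmd --permanent would store in /etc/firewalld/zones/.
zone_xml() {
  cat <<EOF
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>$ZONE</short>
  <description>Internet-facing interface: only ssh, http and https are accepted, and CUPS is forwarded to the internal print server.</description>
  <interface name="$IFACE"/>
  <service name="ssh"/>
  <service name="http"/>
  <service name="https"/>
  <masquerade/>
  <forward-port port="631" protocol="tcp" to-port="631" to-addr="$PRINTER"/>
</zone>
EOF
}

# Write the zone file and print its path. firewalld reads it only after
# firewall-cmd --reload, so the runtime configuration is unchanged until then.
write_zone() {
  dir=${1:-/etc/firewalld/zones}
  mkdir -p "$dir" && zone_xml > "$dir/$ZONE.xml" && echo "$dir/$ZONE.xml"
}

# Review helper: print the host that a zone file forwards port 631 to, so a
# change of the forwarding target can be spotted before reloading.
forward_target() {
  sed -n 's/.*<forward-port port="631"[^>]*to-addr="\([^"]*\)".*/\1/p' "$1"
}
```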

You can find more examples in Part 9 of the RHCSA series, where we explained how to allow or block the ports usually used by a web server and an FTP server, and how to change the corresponding rule when the port for those services changes. In addition, you may want to refer to the firewalld wiki for further examples.

Read Also: Useful FirewallD Examples to Configure a Firewall in RHEL 7

Summary

In this article we have explained what a firewall is, which services are available to implement one in RHEL 7, and provided a few examples that can help you get started with this task. If you have any questions, comments, or suggestions, feel free to let us know using the form below. Thank you in advance!