13 Linux iptables Firewall Interview Questions


Nishita Agarwal, a frequent Tecmint visitor, shared her experience (questions and answers) with us regarding the job interview she had just given at a privately owned hosting company in Pune, India. She was asked many questions on a variety of topics; since she is an expert in iptables, she wanted to share the iptables-related questions, and the answers she gave, with others who may be going for an interview in the near future.

All the questions and their answers have been rewritten from Nishita Agarwal's memory.

Hi friends! My name is Nishita Agarwal. I hold a bachelor's degree in technology. My area of specialization is UNIX, and the variants of UNIX (BSD, Linux) have fascinated me since the first time I heard of them. I have 1+ years of experience. I was looking for a job change, which ended with a hosting company in Pune, India.

Here is a collection of what I was asked during the interview. I have documented only those questions and answers that relate to iptables, based on my memory. I hope this will help you crack your interview.

Answer: I have been using iptables for quite a long time and I am familiar with both iptables and firewalls in general. iptables is a user-space application written in the C programming language and released under the GNU General Public License. From a system administrator's point of view, the stable release at the time was iptables 1.4.21 (the version CentOS 7 ships, as the rpm query further down shows). iptables can be regarded as the firewall for UNIX-like operating systems; more precisely, the combination is referred to as iptables/netfilter. The administrator interacts with iptables through the console or a GUI front-end tool to add and define firewall rules in predefined tables. Netfilter is the framework built into the kernel that does the actual filtering.

Firewalld is the latest implementation of filtering rules in RHEL/CentOS 7 (it may be available in other distributions too, which I may not be aware of). It has replaced the iptables interface as the default front end and connects to netfilter.

Answer: I have used both GUI-based front-end tools for iptables, such as Webmin, and direct access to iptables via the console, and I must admit that direct access to iptables from the Linux console gives the user immense power in the form of a higher degree of flexibility and a better understanding of what is going on in the background, if nothing else. A GUI is for the novice administrator; the console is for the experienced one.

Answer: iptables and firewalld serve the same purpose (packet filtering) but take different approaches. Restarting the iptables service flushes and re-applies the entire rule set every time a change is made, whereas firewalld applies changes dynamically without reloading everything. The iptables configuration is typically stored in '/etc/sysconfig/iptables', while the firewalld configuration lives under '/etc/firewalld/' as XML files. Configuring firewalld, being XML-based, is easier compared with configuring iptables; however, the same functionality can be achieved with either packet-filtering tool. Firewalld runs iptables under the hood, together with its own command-line interface and the XML-based configuration files mentioned above.

Answer: I am familiar with iptables and how it works, and if nothing requires the dynamic aspects of firewalld, there seems to be no reason to migrate all my configuration from iptables to firewalld. In most cases, so far, I have never seen iptables cause a problem. Also, the general rule of information technology says "why fix it if it is not broken". However, this is my personal opinion, and I would not mind implementing firewalld if the organization is going to replace iptables with firewalld.

What are the tables used in iptables? Give a brief description of the tables used in iptables and the chains they support.

Answer: Thanks for the recognition. Moving on to the question, there are four tables used in iptables, namely:

  1. Nat table
  2. Mangle table
  3. Filter table
  4. Raw table

Nat table: The nat table is used for Network Address Translation. Masqueraded packets get their IP address altered as per the rules in the table. Only the first packet of a connection traverses the nat table; the translation decided for it is applied to the rest of the connection's packets by connection tracking, so they do not pass through this table again. It is recommended not to filter in this table. The chains supported by the nat table are PREROUTING, POSTROUTING and OUTPUT (newer kernels, including the one in CentOS 7, also provide an INPUT chain in this table).

Mangle table: As the name suggests, this table serves for mangling packets. It is used for special packet alteration and can modify the contents of packets and their headers (for example the TOS and TTL fields, or packet marks). The mangle table cannot be used for masquerading. The chains supported are PREROUTING, INPUT, FORWARD, OUTPUT and POSTROUTING.

Filter table: The filter table is the default table in iptables and is used for packet filtering. If no table is specified with the -t option, the filter table is assumed and filtering is done on the basis of this table. The chains supported are INPUT, OUTPUT and FORWARD.

Raw table: The raw table is consulted before connection tracking and comes into play when packets are to be exempted from connection tracking (the NOTRACK target). It supports the PREROUTING and OUTPUT chains.
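The quickest way to see how these four tables and their chains line up on a real host is the dump format produced by iptables-save. The following bash script is an added example and not part of the original interview: it summarises such a dump into one line per chain (table, chain, policy and rule count). The embedded sample dump is constructed for illustration; it carries a NOTRACK rule in raw, a MASQUERADE rule in nat and the filter rules from the listings further down this page. On a live host, pipe the real output of iptables-save into summarise_dump instead.

```bash
#!/usr/bin/env bash
# Added example: summarise an iptables-save dump per table and chain.
# SAMPLE_DUMP is constructed for illustration; on a real host run
#   iptables-save | summarise_dump
# instead.

SAMPLE_DUMP='*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p udp -m udp --dport 53 -j NOTRACK
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# summarise_dump: read an iptables-save dump on stdin and print one line
# per chain, "<table> <chain> <policy> <rule count>", in dump order.
# A "*name" line starts a table, ":CHAIN POLICY [pkts:bytes]" declares a
# chain (policy is "-" for user-defined chains) and "-A CHAIN ..." is a rule.
summarise_dump() {
    awk '
        /^\*/  { table = substr($1, 2); next }
        /^:/   { key = table SUBSEP substr($1, 2)
                 policy[key] = $2; rules[key] += 0; order[++n] = key; next }
        /^-A / { rules[table SUBSEP $2]++; next }
        END {
            for (i = 1; i <= n; i++) {
                split(order[i], k, SUBSEP)
                printf "%-7s %-11s %-6s %d\n", k[1], k[2], policy[order[i]], rules[order[i]]
            }
        }'
}

# chains_in_table TABLE: list the chains the dump declares for one table,
# e.g. "raw" prints PREROUTING and OUTPUT, matching the description above.
chains_in_table() {
    summarise_dump | awk -v t="$1" '$1 == t { print $2 }'
}

printf '%s\n' "$SAMPLE_DUMP" | summarise_dump
```

The rule counts are a cheap audit aid: a non-zero count in nat or mangle on a host that is supposed to do plain filtering, or a filter INPUT chain whose policy is ACCEPT with no catch-all rule, stands out immediately.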

Answer: The following are the built-in target values we can specify as the target in iptables:

    1. ACCEPT : Accept the packet
    2. QUEUE : Pass the packet to user space (where applications and drivers reside)
    3. DROP : Drop the packet
    4. RETURN : Return control to the calling chain and stop evaluating the remaining rules for the current packet in this chain.

Targets such as REJECT (used in the listings below) are provided by target extensions rather than being built in.

How would you check the iptables rpm that is required to install iptables on CentOS?

Answer: The iptables rpm is included in a standard CentOS installation and does not need to be installed separately. We can check the rpm as:

    # rpm -qa iptables
    
    iptables-1.4.21-13.el7.x86_64
    

If it needs to be installed, yum can be used to get it.

    # yum install iptables-services
    

Answer: To check the status of iptables, you can run the following command in the terminal.

    # service iptables status			[On CentOS 6/5]
    # systemctl status iptables			[On CentOS 7]
    

If it is not running, the commands below can be executed.

    ---------------- On CentOS 6/5 ---------------- 
    # chkconfig --level 35 iptables on
    # service iptables start
    
    ---------------- On CentOS 7 ---------------- 
    # systemctl enable iptables 
    # systemctl start iptables 
    

We can also check whether the iptables kernel module is loaded or not, as follows:

    # lsmod | grep ip_tables
    

Answer: The current rules in iptables can be reviewed as below (add -n to skip DNS and service-name lookups, and -v --line-numbers to see packet counters and rule positions):

    # iptables -L
    

Sample output

    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination         
    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
    ACCEPT     icmp --  anywhere             anywhere            
    ACCEPT     all  --  anywhere             anywhere            
    ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
    REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination         
    REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    

Answer: To flush a particular iptables chain, you can use the following command.

    # iptables --flush OUTPUT
    

To flush all the iptables rules. Note that flushing removes only the rules, not the chain policies: if the INPUT policy is DROP, a flush leaves the host dropping everything, including your own SSH session, so set the policies to ACCEPT first.

    # iptables --flush
    

Answer: Accepting all incoming packets from a single host such as 192.168.0.7 can be achieved simply by running the command below.

    # iptables -A INPUT -s 192.168.0.7 -j ACCEPT 
    

We can also include a CIDR prefix length or a subnet mask in the source, as shown below. Note that iptables ignores the host bits and stores such a rule as 192.168.0.0/24.

    # iptables -A INPUT -s 192.168.0.7/24 -j ACCEPT 
    # iptables -A INPUT -s 192.168.0.7/255.255.255.0 -j ACCEPT
    

Answer: Assuming ssh is running on port 22, which is also the default port for ssh, we can add rules to iptables as follows.

To ACCEPT tcp packets for the ssh service (port 22).

    # iptables -A INPUT -p tcp --dport 22 -j ACCEPT
    

To REJECT tcp packets for the ssh service (port 22), which answers the sender with an ICMP error.

    # iptables -A INPUT -p tcp --dport 22 -j REJECT
    

There is no DENY target in iptables (it belonged to the older ipchains tool); a rule written with -j DENY is refused as an unknown target. Use REJECT or DROP instead.

To DROP tcp packets for the ssh service (port 22), silently discarding them without any reply.

    # iptables -A INPUT -p tcp --dport 22 -j DROP
    

Answer: Well, all I need to do is use the 'multiport' match with iptables, followed by the port numbers to be blocked, and blocking several ports from one host can be achieved in a single rule.

    # iptables -A INPUT -s 192.168.0.6 -p tcp -m multiport --dport 21,22,23,80 -j DROP
    

The written rules can be verified using the command below. Note that because -A appends, the new DROP rule lands after the catch-all REJECT rule and is therefore never reached; insert it ahead of the REJECT with `iptables -I INPUT ...` (optionally with a rule number) for it to take effect.

    # iptables -L
    
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination         
    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
    ACCEPT     icmp --  anywhere             anywhere            
    ACCEPT     all  --  anywhere             anywhere            
    ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
    REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
    DROP       tcp  --  192.168.0.6          anywhere             multiport dports ftp,ssh,telnet,http
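The answers on flushing, on allowing SSH and on blocking several ports with multiport are easiest to get right as one ordered script, so here is an added example (bash, not from the original interview) that rebuilds the filter table for the scenario on this page: established traffic and ICMP accepted, new SSH connections accepted only from an assumed management subnet 192.168.0.0/24 through a user-defined chain that ends in RETURN, FTP/SSH/Telnet/HTTP dropped from 192.168.0.6, and everything else rejected. The IPT, ADMIN_NET and BLOCKED_HOST variables are assumptions of this script, so the whole sequence can be previewed with IPT=echo before it is applied as root. It also avoids the two pitfalls the listings above invite: flushing while the policy is DROP, and appending a specific DROP after the catch-all REJECT.

```bash
#!/usr/bin/env bash
# Added example: ordered rebuild of the filter table for the scenario in
# the answers above. IPT, ADMIN_NET and BLOCKED_HOST are assumptions of
# this script; run with IPT=echo to preview, without it (as root) to apply.
set -u
IPT="${IPT:-iptables}"
ADMIN_NET="${ADMIN_NET:-192.168.0.0/24}"     # assumed management subnet
BLOCKED_HOST="${BLOCKED_HOST:-192.168.0.6}"  # host from the multiport answer

# Step 1: reset. Policies are set to ACCEPT *before* -F, because flushing a
# chain whose policy is DROP removes the only rules letting the admin's SSH
# session in. -X deletes user-defined chains so the script is re-runnable.
reset_filter_table() {
    "$IPT" -P INPUT ACCEPT
    "$IPT" -P FORWARD ACCEPT
    "$IPT" -P OUTPUT ACCEPT
    "$IPT" -F
    "$IPT" -X
}

# Step 2: rules. iptables evaluates a chain top to bottom and the first
# match decides, so the specific DROP is placed before the catch-all REJECT;
# appended after it (as -A does in the listing above) it would never match.
apply_ruleset() {
    # User-defined chain: ACCEPT from the management subnet, otherwise RETURN
    # to INPUT, where evaluation continues with the rule after the jump.
    "$IPT" -N SSH_ACCESS
    "$IPT" -A SSH_ACCESS -s "$ADMIN_NET" -j ACCEPT
    "$IPT" -A SSH_ACCESS -j RETURN

    "$IPT" -A INPUT -i lo -j ACCEPT
    "$IPT" -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    "$IPT" -A INPUT -p icmp -j ACCEPT
    "$IPT" -A INPUT -s "$BLOCKED_HOST" -p tcp -m multiport --dports 21,22,23,80 -j DROP
    "$IPT" -A INPUT -p tcp -m state --state NEW --dport 22 -j SSH_ACCESS
    "$IPT" -A INPUT -j REJECT --reject-with icmp-host-prohibited
    "$IPT" -A FORWARD -j REJECT --reject-with icmp-host-prohibited

    # Policies last, once the rules that keep the session alive are in place.
    "$IPT" -P INPUT DROP
    "$IPT" -P FORWARD DROP
}

rebuild_firewall() {
    reset_filter_table
    apply_ruleset
}

# drop_precedes_reject: sanity check on the generated command sequence; it
# succeeds only if the multiport DROP is emitted before INPUT's catch-all REJECT.
drop_precedes_reject() {
    local cmds drop_line reject_line
    cmds="$(IPT=echo rebuild_firewall)"
    drop_line=$(printf '%s\n' "$cmds" | grep -n -- '-j DROP' | head -1 | cut -d: -f1)
    reject_line=$(printf '%s\n' "$cmds" | grep -n -- '^-A INPUT -j REJECT' | head -1 | cut -d: -f1)
    [ -n "$drop_line" ] && [ -n "$reject_line" ] && [ "$drop_line" -lt "$reject_line" ]
}

# Preview only. Drop IPT=echo to apply, then persist the result with
# `service iptables save` (CentOS 6) or `iptables-save > /etc/sysconfig/iptables`
# (CentOS 7 with iptables-services) so it survives a restart.
IPT=echo rebuild_firewall
```

A packet from 192.168.0.6 to port 22 hits the multiport DROP before the SSH jump, a new SSH connection from any other address outside 192.168.0.0/24 enters SSH_ACCESS, RETURNs, and is then rejected by the catch-all, and nothing in the sequence ever leaves the INPUT chain with a DROP policy and no ACCEPT rules.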
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination         
    REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    

Interviewer: That is all I wanted to ask. You are a valuable employee we would not like to miss. I will recommend your name to HR. If you have any questions, you may ask me.

As a candidate I did not want to kill the conversation, so I kept asking about the projects I would be handling if selected and about other openings in the company. Not to mention that the HR round was not difficult to crack, and I got the opportunity.

I would like to thank Avishek and Ravi (who have been friends of mine for a long time) for taking the time to document my interview.

Friends! Have you given any such interview, and would you like to share your interview experience with the millions of Tecmint readers around the globe? Then send your questions and answers to [email protected], or submit your interview experience using the following form.

Thank you! Keep connected. Also let me know if I could have answered any question better than I did.