Basic Guide on IPTables (Linux Firewall) Tips / Commands
This guide shows you how a firewall works on a Linux operating system and what IPTables is. A firewall decides the fate of packets coming into and going out of the system. IPTables is a rule-based firewall and is pre-installed on most Linux operating systems; by default it runs without any rules. IPTables has been included since kernel 2.4; before that the tool was called ipchains or ipfwadm. IPTables is the front-end tool that talks to the kernel and decides which packets to filter. This guide gives you a rough idea of IPTables and its basic commands: we describe practical iptables rules which you can refer to and customize as you need.
Different services are used for different protocols:
- iptables applies to IPv4.
- ip6tables applies to IPv6.
- arptables applies to ARP.
- ebtables applies to Ethernet frames.
The main IPTables files are:
- /etc/init.d/iptables - init script to start | stop | restart the service and save rule sets.
- /etc/sysconfig/iptables - where the rule sets are saved.
- /sbin/iptables - the binary.
There are currently three tables:
- Filter
- NAT
- Mangle
Currently, there are four chains:
- INPUT: default chain for packets arriving at the system.
- OUTPUT: default chain for packets generated by the system.
- FORWARD: default chain for packets routed through another interface.
- RH-Firewall-1-INPUT: a user-defined custom chain.
Note: the main files listed above may differ slightly on Ubuntu Linux.
How to start, stop and restart the IPTables firewall.
# /etc/init.d/iptables start
# /etc/init.d/iptables stop
# /etc/init.d/iptables restart
To start IPTables at system boot, use the following command.
# chkconfig --level 345 iptables on
Saving IPTables rule sets with the command below. Whenever the system is rebooted and the IPTables service restarted, the existing rules are flushed out or reset. The command below saves the IPTables rule sets in the /etc/sysconfig/iptables file by default, from where the rules are applied or restored in case IPTables flushes them out.
# service iptables save
Checking the status of IPTables / the firewall. The options are "-L" (list the rule set), "-v" (verbose) and "-n" (display in numeric format).
# iptables -L -n -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    6   396 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 5 packets, 588 bytes)
 pkts bytes target     prot opt in     out     source               destination
Display IPTables rules with numbers. With the help of the "--line-numbers" argument you can add or remove rules at a specific position.
# iptables -n -L -v --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       51  4080 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
3        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
4        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
5        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 45 packets, 5384 bytes)
num   pkts bytes target     prot opt in     out     source               destination
Flushing or deleting IPTables rules. The command below removes all rules from the tables. Take a backup of the rule sets before executing it.
# iptables -F
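As an added example (not part of the original guide), the POSIX shell script below ties the "save" and "flush" steps together: it writes a rule set in the iptables-save/iptables-restore format, which is the format `service iptables save` stores in /etc/sysconfig/iptables, reproducing the INPUT and FORWARD chains listed in this guide, and it checks a saved file before that file is restored after a flush. The function names write_ruleset and check_ruleset and the SSH_PORT variable are my own. The check enforces that the SSH ACCEPT rule sits before the catch-all REJECT, because iptables evaluates rules in order and a rule placed after the REJECT is never reached. Keep in mind that `iptables -F` removes rules but leaves the chain default policies unchanged, so with the policies shown here (ACCEPT) a flushed host is wide open until the saved file is restored.

```shell
#!/bin/sh
# Added example: produce and sanity-check a rule set in the format that
# `service iptables save` writes to /etc/sysconfig/iptables.
# write_ruleset, check_ruleset and SSH_PORT are hypothetical names for this example.

# Assumption: SSH listens on port 22, as in the guide's listing (override via env).
SSH_PORT="${SSH_PORT:-22}"

# Print the rule set on stdout in iptables-restore syntax; redirect into a file to keep it.
# The chains mirror the listing in this guide: keep established traffic, ICMP,
# loopback and new SSH connections, reject everything else.
write_ruleset() {
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport ${SSH_PORT} -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Check a saved file before `iptables-restore < file`:
#  - it must contain a *filter table closed by COMMIT,
#  - the SSH ACCEPT rule must come before the catch-all REJECT in INPUT,
#    otherwise the REJECT matches first and SSH is silently blocked.
# Returns 0 when the file passes, 1 (with a reason on stdout) otherwise.
check_ruleset() {
    file="$1"
    grep -q '^\*filter$' "$file" || { echo "missing *filter table"; return 1; }
    grep -q '^COMMIT$' "$file" || { echo "missing COMMIT"; return 1; }
    ssh_line=$(grep -n -- "--dport ${SSH_PORT} -j ACCEPT" "$file" | head -n1 | cut -d: -f1)
    rej_line=$(grep -n -- '^-A INPUT -j REJECT' "$file" | head -n1 | cut -d: -f1)
    [ -n "$ssh_line" ] || { echo "no SSH ACCEPT rule"; return 1; }
    [ -n "$rej_line" ] || { echo "no catch-all REJECT in INPUT"; return 1; }
    [ "$ssh_line" -lt "$rej_line" ] || { echo "SSH rule is shadowed by REJECT"; return 1; }
    return 0
}

# Usage (as root), e.g. before and after `iptables -F`:
#   iptables-save > /root/iptables.backup          # backup of the live rules
#   write_ruleset > /root/iptables.rules           # or edit the backup by hand
#   check_ruleset /root/iptables.rules && iptables-restore < /root/iptables.rules
```

Running `check_ruleset` against a hand-edited file catches the most common ordering mistake before the rules are loaded; a failed check prints the reason and exits non-zero, so it can gate the restore in a deployment script.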
Deleting or appending rules: let us first see the rules in the chains. The commands below display the rule sets in the INPUT and OUTPUT chains with rule numbers, which will help us add or delete rules.
# iptables -L INPUT -n --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
5    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
# iptables -L OUTPUT -n --line-numbers
Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
Say you want to delete rule number 5 from the INPUT chain. Use the following command.
# iptables -D INPUT 5
To insert a rule into the INPUT chain between rules 4 and 5, give the position it should take.
# iptables -I INPUT 5 -s ipaddress -j DROP
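As an added example (not from the original guide), the shell functions below parse the output of `iptables -L INPUT -n --line-numbers` to find the position of the terminal REJECT rule, so that a new DROP rule is inserted before it instead of at a hard-coded position 5; the rule numbers shift whenever a rule is added or deleted, and a rule inserted after the REJECT is never evaluated. The sample listing, the address 203.0.113.7 and the helper names rule_number_of, insert_position_before_reject and drop_source_command are constructed for this example.

```shell
#!/bin/sh
# Added example: compute the insert position for `iptables -I INPUT <pos>` from a
# --line-numbers listing so the new rule lands before the catch-all REJECT.
# rule_number_of, insert_position_before_reject and drop_source_command are
# hypothetical helper names for this example.

# Constructed sample listing, matching the INPUT chain shown in this guide.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
5    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited'

# Print the "num" of the first rule whose target is $1 (e.g. REJECT) in the
# listing read from stdin. Header and "Chain ..." lines are skipped because
# their first field is not a number. Prints nothing if no such rule exists.
rule_number_of() {
    awk -v want="$1" '$1 ~ /^[0-9]+$/ && $2 == want { print $1; exit }'
}

# Position for `iptables -I INPUT <pos>` so the new rule is evaluated before the
# terminal REJECT; prints "append" when the chain has no REJECT rule.
insert_position_before_reject() {
    pos=$(rule_number_of REJECT)
    if [ -n "$pos" ]; then echo "$pos"; else echo "append"; fi
}

# Build (print, do not execute) the command that drops traffic from source $1,
# reading the current listing from stdin.
drop_source_command() {
    pos=$(insert_position_before_reject)
    if [ "$pos" = "append" ]; then
        echo "iptables -A INPUT -s $1 -j DROP"
    else
        echo "iptables -I INPUT $pos -s $1 -j DROP"
    fi
}

# Usage against the live firewall (as root); the printed command is then reviewed
# and run. To keep the script idempotent, test for the rule first with
# `iptables -C INPUT -s <addr> -j DROP`, which exits 0 when it already exists.
#   iptables -L INPUT -n --line-numbers | drop_source_command 203.0.113.7
```

With the sample listing the function prints `iptables -I INPUT 5 -s 203.0.113.7 -j DROP`, the same position the guide uses, but derived from the live chain rather than assumed.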
We have just tried to cover the basic usage and functions of IPTables for beginners. You can create complex rules once you have a complete understanding of TCP/IP and good knowledge of your setup.