Basic Guide on IPTables (Linux Firewall) Tips / Commands


This guide walks you through how a firewall works on the Linux operating system and what IPTables in Linux is. A firewall decides the fate of the packets coming into and going out of the system. IPTables is a rule-based firewall and it is pre-installed on most Linux operating systems. By default it runs without any rules. IPTables has been the standard Linux firewall tool since kernel 2.4; its predecessors were ipchains (kernel 2.2) and ipfwadm (kernel 2.0). IPTables is a user-space front-end that talks to the kernel's packet-filtering framework (netfilter) and tells it which packets to filter. On recent distributions the iptables command may itself be a compatibility front-end on top of nftables, but the rule syntax below is unchanged. This guide gives you a rough idea of the basic rules of IPTables, describing useful iptables rules that you can refer to and customise as you need.

Different tools are used for different protocols:

  1. iptables applies to IPv4.
  2. ip6tables applies to IPv6.
  3. arptables applies to ARP.
  4. ebtables applies to Ethernet frames.

The main IPTables files are:

  1. /etc/init.d/iptables - init script to start | stop | restart the service and save the rulesets.
  2. /etc/sysconfig/iptables - where the rulesets are saved.
  3. /sbin/iptables - the binary.

Three tables are used in day-to-day work (the filter table is the default whenever -t is omitted; the raw and security tables also exist but are rarely needed):

  • Filter
  • NAT
  • Mangle

The filter table has three built-in chains, plus any user-defined chains:

  1. INPUT: default chain for packets destined to the system itself.
  2. OUTPUT: default chain for packets generated by the system.
  3. FORWARD: default chain for packets routed through the system to another interface.
  4. RH-Firewall-1-INPUT: a user-defined custom chain that older Red Hat configurations create and jump to from INPUT and FORWARD.

Note: The main files listed above may differ slightly on Ubuntu Linux, which ships no iptables init script; there the iptables-persistent package loads saved rules from /etc/iptables/rules.v4 instead.

How to start, stop and restart the IPTables firewall.

# /etc/init.d/iptables start 
# /etc/init.d/iptables stop
# /etc/init.d/iptables restart

To start IPTables automatically on system boot, use the following command.

# chkconfig --level 345 iptables on

Saving the IPTables rulesets is done with the command below. Rules live only in kernel memory: whenever the system reboots or the IPTables service is restarted, the running rules are flushed or reset. The command below saves the IPTables rulesets into the /etc/sysconfig/iptables file by default, and the saved rules are applied again (restored) the next time the service starts, or after the rules have been flushed.

#service iptables save

Checking the status of IPTables / the firewall. The options -L (list), -v (verbose) and -n (numeric: show addresses and ports as numbers instead of resolving names, which is faster and does not depend on DNS) are used.

 iptables -L -n -v

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    6   396 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 5 packets, 588 bytes)
 pkts bytes target     prot opt in     out     source               destination

Display IPTables rules with numbers. With the help of the --line-numbers argument you get each rule's position in its chain, which is what you pass to -I (insert) and -D (delete) to add or remove rules at a specific place.

 iptables -n -L -v --line-numbers

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       51  4080 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
3        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
4        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
5        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 45 packets, 5384 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Flushing or deleting IPTables rules. The command below removes all rules from the filter table (the default table; use -t nat -F or -t mangle -F for the others). It does not change chain policies, so if a chain's policy is DROP, flushing leaves you with no rules and a DROP default and can lock you out of a remote session. Take a backup with iptables-save before running this command.

 iptables -F
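The article mentions the /etc/sysconfig/iptables save file but never shows its contents. The script below, an added example that is not part of the original article, emits the iptables-save format of the ruleset shown in the listings above (parameterised by SSH port), checks that no INPUT rule is shadowed by the catch-all REJECT, and only then loads it with iptables-restore. Assumptions made for this example: iptables-restore supports --test (iptables 1.4.x and later), the function names are illustrative, and the install step needs root and a real iptables, so it runs only when invoked explicitly.

```shell
#!/bin/sh
# Added example (not from the original article): produce, validate and
# install the ruleset shown in the article's listings.

# write_ruleset SSH_PORT
# Prints an iptables-save format filter table: allow established traffic, ICMP,
# loopback and new TCP to SSH_PORT; everything else is rejected. The chain
# policies stay ACCEPT exactly as in the article's listing, so the trailing
# REJECT rule is what actually closes the host: delete it by mistake and every
# port is open.
write_ruleset() {
    ssh_port="${1:-22}"
    printf '%s\n' \
        '*filter' \
        ':INPUT ACCEPT [0:0]' \
        ':FORWARD ACCEPT [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT' \
        '-A INPUT -p icmp -j ACCEPT' \
        '-A INPUT -i lo -j ACCEPT' \
        "-A INPUT -p tcp -m state --state NEW -m tcp --dport ${ssh_port} -j ACCEPT" \
        '-A INPUT -j REJECT --reject-with icmp-host-prohibited' \
        '-A FORWARD -j REJECT --reject-with icmp-host-prohibited' \
        'COMMIT'
}

# check_rule_order < ruleset
# Rules are evaluated top to bottom, first match wins. Any "-A INPUT" rule that
# appears after the catch-all REJECT can never match. Prints "ok" or "dead-rule".
check_rule_order() {
    awk '
        /^-A INPUT / && /-j REJECT/ { seen_reject = 1; next }
        /^-A INPUT / && seen_reject  { bad = 1 }
        END { print (bad ? "dead-rule" : "ok") }'
}

# validate_and_install FILE SSH_PORT
# Writes the ruleset to FILE, refuses shadowed rules, parses the file with
# iptables-restore --test (assumption: supported by your iptables version) and
# only then commits it. Requires root.
validate_and_install() {
    file="$1"; port="${2:-22}"
    write_ruleset "$port" > "$file"
    if [ "$(check_rule_order < "$file")" != "ok" ]; then
        echo "an INPUT rule sits below the catch-all REJECT and can never match" >&2
        return 1
    fi
    if ! iptables-restore --test < "$file"; then
        echo "ruleset rejected by iptables-restore --test, not installed" >&2
        return 1
    fi
    iptables-restore < "$file"
}

# Usage (as root):  sh this_script.sh install /etc/sysconfig/iptables 22
case "${1:-}" in
    install) validate_and_install "$2" "${3:-22}" ;;
esac
```

Writing the file and restoring it atomically is safer than typing individual iptables commands after a flush: iptables-restore loads the whole table in one step, so there is no window in which the host is running with an empty chain and an ACCEPT policy.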

Before deleting or adding rules, let us first look at the rules in the chains. The commands below display the rulesets in the INPUT and OUTPUT chains with rule numbers, which will help us add or delete rules at the right position.

 iptables -L INPUT -n --line-numbers

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
5    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

 iptables -L OUTPUT -n --line-numbers
Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Let's say you want to delete rule number 5 from the INPUT chain. Use the following command. Note that the rules below the deleted one move up by one number, so list the chain again before deleting another rule by number.

 iptables -D INPUT 5

To add or insert a rule into the INPUT chain between rules 4 and 5 (the new rule becomes number 5 and the old rule 5 becomes 6), replace ipaddress with the host to block. Inserting before the catch-all REJECT matters: a rule appended after it with -A would never be reached.

 iptables -I INPUT 5 -s ipaddress -j DROP
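Hard-coding position 5 only works while the chain looks exactly like the listing above. The script below, an added example that is not part of the original article, reads the non-verbose "iptables -L INPUT -n --line-numbers" output to locate the catch-all rule, inserts a host block directly before it, and schedules an automatic rollback so a mistaken rule cannot lock you out of the SSH session you are working from. It also shows the bottom-up ordering needed when deleting several rules by number. The sample listing is a constructed copy of the article's INPUT listing; the function names, the 60-second rollback delay and the use of mktemp are choices made for this example, and the function that changes live rules runs only when invoked explicitly as root.

```shell
#!/bin/sh
# Added example (not from the original article): position-aware insert and
# delete for the INPUT chain, with automatic rollback.

# Constructed sample: the INPUT listing from the article above, as printed by
# "iptables -L INPUT -n --line-numbers" (no -v, so columns are
# num target prot opt source destination ...).
SAMPLE_LISTING='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
5    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited'

# catch_all_position < listing
# Prints the number of the first REJECT or DROP rule that matches every source
# and destination (the chain's catch-all). Prints nothing if there is none.
catch_all_position() {
    awk '
        $1 ~ /^[0-9]+$/ && ($2 == "REJECT" || $2 == "DROP") \
            && $5 == "0.0.0.0/0" && $6 == "0.0.0.0/0" { print $1; exit }'
}

# rules_with_target TARGET < listing
# Prints the numbers of every rule whose target is TARGET, highest first.
# Deleting rule 2 renumbers rule 3 to 2, so "iptables -D INPUT N" for several
# rules is only correct when you work from the bottom of the chain upwards.
rules_with_target() {
    awk -v t="$1" '$1 ~ /^[0-9]+$/ && $2 == t { print $1 }' | sort -rn
}

# block_host_safely IP [ROLLBACK_SECONDS]
# Saves the live ruleset, inserts "-s IP -j DROP" just above the catch-all so
# it is actually reached, and restores the backup after ROLLBACK_SECONDS unless
# you kill the printed PID to confirm the change. Requires root.
block_host_safely() {
    ip="$1"; delay="${2:-60}"
    backup="$(mktemp /tmp/iptables-backup.XXXXXX)" || return 1
    iptables-save > "$backup" || return 1
    pos="$(iptables -L INPUT -n --line-numbers | catch_all_position)"
    if [ -n "$pos" ]; then
        iptables -I INPUT "$pos" -s "$ip" -j DROP
    else
        # No catch-all: appending is fine, nothing below can shadow the rule.
        iptables -A INPUT -s "$ip" -j DROP
    fi
    ( sleep "$delay" && iptables-restore < "$backup" ) &
    echo "rollback from $backup in ${delay}s unless you run: kill $!"
}

# Usage (as root):  sh this_script.sh block 203.0.113.7 60
case "${1:-}" in
    block) block_host_safely "$2" "${3:-60}" ;;
esac
```

If the SSH session survives, kill the rollback subshell and then run "service iptables save" so the new rule persists across a restart; if the session hangs, wait out the delay and the previous ruleset comes back on its own.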

We have just tried to cover the basic usage and functions of IPTables for beginners. You can create complex rules once you have a complete understanding of TCP/IP and good knowledge of your setup.