Saita iptables a CentOS 7

A duk Tsarukan aiki dogara ne a kan Linux da kwaya, akwai wani gina-in Firewall, yin iko da kuma tace na shigowa da masu fita zirga-zirga, dangane da dokoki ko kayyade dandamali. A CENTOS 7 rarraba, da iptables mai amfani aikata irin wannan aiki, hulda tare da gina-in NetFilter Firewall. Wani lokaci da tsarin gudanarwa ko cibiyar sadarwa manajan yana da a daidaita aiki da wannan bangaren, danganci ka'idojin. Kamar yadda wani ɓangare na yau labarin, za mu son magana game da kayan yau da kullum na iptables sanyi a cikin muka ambata a sama OS.

Sanya iptables a CentOS 7

A kayan aiki da kanta ne m ga aikin nan da nan bayan da shigarwa na CentOS 7 da aka kammala ba, amma m akwai buƙatar ka shigar da wasu ayyuka, wanda za mu magana game da. A dandali karkashin shawara akwai wani gina-in kayan aiki da ya yi aikin Firewall aiki kira Firewalld. Don kauce wa rikice-rikice, tare da kara aikin, muna bada shawara a kashe wannan bangaren. Kumbura Umarnin a kan wannan topic karanta a cikin wani abu a kan wadannan link.

girkawa iptables

Ya kamata a fi mayar da hankali ga tsarin ƙarin aka gyara na mai amfani a karkashin shawara a yau. Za su taimaka a kafa dokokin da sauran sigogi. Loading ne da za'ayi daga hukuma mangaza, don haka ba ya dauki lokaci mai yawa.

All kara ayyuka za a sanya a cikin gargajiya wasan bidiyo, don haka gudu shi da wani m hanya.

An fara da m saita da iptables mai amfani a CentOS 7

A Sudo Yum Shigar iptables-Services umurnin ne alhakin installing da sabis. Shigar da shi, kuma latsa shiga key.

Tabbatar da superuser asusun da tantancewa da kalmar sirri daga gare ta. Lura cewa idan queries sudo, da shigar da haruffa a jere ana taba nuna.

Shigar da kalmar wucewa shigar iptables a CentOS 7 ta hanyar da m

Yana za a samarwa don ƙara daya kunshin ga tsarin, tabbatar da wannan mataki ta zabi da Y version.

Tabbatarwa na ƙara sabon iptables sabis kunshe-kunshe a CentOS 7

Bayan kammala da shigarwa, duba halin yanzu version na kayan aiki: Sudo iptables --Version.

Dubawa da version na iptables mai amfani a CentOS 7 ta hanyar da m

A sakamakon zai bayyana a cikin sabon kirtani.

Nuna na yanzu version na iptables mai amfani a CentOS 7 ta hanyar da m

Yanzu da OS ne cikakken shirye domin kara sanyi na Firewall ta cikin iptables mai amfani. Mun ƙawãta familiarizing kanka tare da sanyi a kan abubuwa, da suka fara da manajan sabis.

Da tsayawa da kuma ƙaddamar iptables sabis

Iptables yanayin management ake bukata a lokuta inda ka bukatar ka duba mataki na wasu dokoki ko kawai zata sake farawa da bangaren. Wannan ne yake aikata ta amfani saka dokokin.

Shigar da Sudo Service iptables Tsaida da kuma danna kan shigar da key da ta dakatar da ayyuka.

Tsayawa iptables Utility Services a CentOS 7 ta hanyar da Terminal

Don tabbatar da wannan hanya, saka da superuser kalmar sirri.

Kalmar sirri shigarwa zuwa tasha iptables utilities a CentOS 7

Idan tsari ne nasara, wani sabon kirtani za a nuna, na nuna canje-canje a cikin sanyi fayil.

Sanarwar game da tsayawa sabis utilities iptables a CentOS 7

Da ƙaddamar da sabis da aka yi kusan guda hanyar, kawai line yakan mallaki cikin Sudo Service iptables Fara view.

Run iptables Kayan more rayuwa Services a CentOS 7 a Terminal

A irin wannan sake yi, lokacin da na fara ko tsayawa da mai amfani shi ne samuwa a kowane lokaci, kada ka manta kawai mayar da baya da darajar a lokacin da zai kasance a bukatar.

Kamar yadda aka ambata a baya, da iko da Tacewar zaɓi aka yi ta manual ko ta atomatik ƙara dokoki. Alal misali, wasu ƙarin aikace-aikace iya samun damar kayan aiki, canza wasu manufofin. Duk da haka, mafi irin ayyuka har yanzu yi da hannu. Ganin jerin duk halin yanzu dokoki ne samuwa via da Sudo iptables -L umurninSa.

Nuna jerin duk halin yanzu iptables mai amfani dokoki a CentOS 7

A nuna sakamakon za a bayani a kan uku, sarƙoƙi: "Input", "fitarwa" da "DAN GABA" - mai shigowa, mai fita da isar da zirga-zirga, bi da bi.

View daga cikin jerin duk dokoki utilities iptables a CentOS 7

Za ka iya ayyana matsayi na dukkan sarƙoƙi ta shigar Sudo iptables -S.

Nuna jerin da iptables mai amfani haihuwarka a CentOS 7

Idan dokoki gani ba ya gamsuwa da ku, su kawai ake kawai share. A gaba dayan jerin aka barrantar kamar wannan: sudo iptables -F. Bayan kunnawa, da mulki za a sharewa cikakken ga dukan uku sarƙoƙi.

Clear List of All Dokokin iptables Kayan more rayuwa a CentOS 7

Lokacin da ka bukatar ka shafi kawai manufofin daga wasu guda sarkar, wani ƙarin shaida da aka kara wa line:

Sudo iptables -F Input

Sudo iptables -F Output

Sudo iptables -F Forward

Share jerin dokoki don takamaiman iptables sarkar a CentOS 7

Babu duk mallakar nufin cewa babu zirga-zirga tace saituna ba a yi amfani da wani ɓangare. Next, da tsarin gudanarwarku zai da kansa saka sabon sigogi yin amfani da wannan na'ura wasan bidiyo, da umurninSa, kuma daban-daban da muhawara.

Karɓa da kuma faduwa zirga-zirga a cikin marũruwa

Kowane sarkar da aka kaga dabam ga samun ko tarewa zirga-zirga. By kafa a wasu ma'anar, shi za a iya cimma wannan, misali, duk mai shigowa zirga-zirga za a katange. Don yin wannan, umurnin dole sudo iptables --policy Input Drop, inda Input ne sunan da sarkar, da kuma Drop ne a sallama darajar.

Sake saita mai shigowa queries a cikin iptables mai amfani a CentOS 7

Daidai wannan sigogi an saita ga sauran haihuwarka, misali, Sudo iptables --policy Output Drop. Idan kana bukatar ka saita mai darajar da samun zirga-zirga, sa'an nan da digo canje-canje a kan Amince kuma itace sudo iptables --policy shigar da yarda.

Port Resolution da Kulle

Kamar yadda ka sani, duk cibiyar sadarwa da aikace-aikace da kuma matakai aiki ta hanyar wasu tashar jiragen ruwa. By tarewa ko warware wasu adiresoshin, za ka iya saka idanu damar dukkan cibiyar sadarwa dalilai. Bari mu bincika da tashar jiragen ruwa a gaba ga misali 80. A cikin Terminal, shi zai zama isa ya shiga cikin Sudo iptables -A shigar -P TCP --DPort 80 -J Amince umurninSa, inda -A - ƙara wani sabon mulkin, Input - Shawara na da sarkar, -p - yarjejeniya definition a wannan yanayin, TCP, a --DPORT ne manufa tashar jiragen ruwa.

Rule domin bude tashar jiragen ruwa 80 a cikin iptables mai amfani a CentOS 7

Daidai wannan umurnin kuma ya shafi tashar jiragen ruwa 22, wanda aka yi amfani da SSH sabis: Sudo iptables -A shigar -P TCP --DPORT 22 -J Amince.

Rule domin bude tashar jiragen ruwa 22 a iptables Utility a CentOS 7

Don toshe kayyade tashar jiragen ruwa, da kirtani da ake amfani da daidai da wannan nau'in, kawai a karshen cikin Amince canje-canje zuwa Drop. A sakamakon haka, shi dai itace, misali, Sudo iptables -A shigar -P TCP --DPORT 2450 -J sauke.

Sarauta na tashar jiragen ruwa ban a iptables mai amfani a CentOS 7

Duk wadannan dokoki da aka shigar a cikin sanyi fayil kuma ba za ka iya duba su a kowane lokaci. Mun tunatar da ku, shi ne yake aikata ta hanyar sudo iptables -L. Idan kana bukatar ka ƙyale wani cibiyar sadarwa IP address tare da tashar jiragen ruwa tare da tashar jiragen ruwa, da kirtani ne dan kadan modified - bayan TPC aka kara -S da adireshin kanta. Sudo iptables -A Input -p TCP -S 12.12.12.12/32 --DPORT 22 -J Amince, inda 12.12.12.12/32 ne dole IP address.

Rule domin karbar IP adireshin da tashar jiragen ruwa a iptables a CentOS 7

Tarewa na faruwa a kan wannan manufa ta canza a karshen darajar Amince a kan sauke. To, shi dai fitar, misali, Sudo iptables -A shigar -p TCP -S 12.12.12.0/224 --DPORT 22 -J sauke.

Rule domin tarewa IP adireshin da tashar jiragen ruwa a iptables a CentOS 7

ICMP tarewa

ICMP (Internet Control Message layinhantsaki) - a yarjejeniya da aka hada a TCP / IP da aka hannu a watsin kuskure saƙonni da kuma gaggawa yanayi a lõkacin da aiki tare da zirga-zirga. Alal misali, sa'ad da nema uwar garke ne ba samuwa, wannan kayan aiki da ya yi aikin sabis da ayyuka. A iptables mai amfani ba ka damar toshe ta ta hanyar Firewall, kuma za ka iya yin shi ta amfani da Sudo iptables -A fitarwa -P ICMP --icmp-Type 8 -J sauke umurninSa. Zai toshe buƙatun daga da kuma zuwa ga uwar garke.

A farko mulki don toshe da iptables plugging a CentOS 7

Mai shigowa buƙatun suna da An katange kadan daban-daban. Sa'an nan kuma ka bukatar ka shigar da Sudo iptables -I shigar -P ICMP --icmp-Type 8 -J Drop. Bayan kunna wadannan dokoki, da uwar garken ba za su amsa wa ping buƙatun.

Na biyu mulki don kulle plugging a iptables a CentOS 7

Prevent mara izini ayyuka a kan uwar garke

Wani lokaci sabobin an hõre DDOS hare-hare, ko kuma sauran m ayyuka daga intruders. A daidai gyara na Firewall zai ba ka damar kare kanka daga irin wannan shiga ba tare da izini ba. Don fara da, mu bada shawara kafa irin wannan sharudda:

Mun rubuta a cikin iptables -A Input -P TCP --DPORT 80 -M Yawan --Limit 20 / Minute --Limit-fashe 100 -J Amince, inda --Limit 20 / Minute iyaka a kan mita tabbatacce sakamakon . Za ka iya saka wani sashi ne na auna kanka da, misali, / na biyu, / minti daya, / hour, / rana. --Limit-fashe Number - iyaka a kan yawan m kunshe-kunshe. All dabi'u suna nuna akayi daban-daban bisa ga shugaba fifiko.

Kiyaye Doka daga DDOS a iptables a CentOS 7

Next, za ka iya haramta scanning na bude tashoshin jiragen ruwa a cire daya daga cikin yiwu Sanadin shiga ba tare da izini ba. Shigar da farko Sudo iptables -N Block-Scan umurninSa.

A farko mulki to ban iptables tashoshin jiragen ruwa a CentOS 7

Sa'an nan saka da Sudo iptables -A Block-scan -P TCP -TCP-flags Syn, Ack, Fin, na farko -M Yawan -Limit 1 / S -J koma.

Na biyu mulki to ban iptables tashoshin jiragen ruwa a CentOS 7

A karshe uku umurnin ne: sudo iptables -A block-scan -J drop. Block-scan magana a cikin wadannan lokuta - sunan da kewaye amfani.

The uku mulki don toshe da scan tashar jiragen ruwa na iptables a CentOS 7

A saituna nuna a yau ne kawai dalilin da aiki a lura da kayan aiki na Firewall. A cikin aikin hukuma takardun na mai amfani da za ka ga wani bayanin duk samuwa muhawara da kuma zabin da za ka iya saita da Firewall musamman a karkashin your buƙatun. Sama da misali tsaro dokoki, wanda aka fi sau da yawa amfani da a mafi yawan lokuta ake buƙata.