Kuzo zonke izinhlelo ezisebenzayo ezisuselwa ku-Linux Kernel, kukhona i-firewall eyakhelwe ngaphakathi, esebenzisa ukulawula nokuhlunga kwethrafikhi engenayo naphumayo, kususelwa kwimithetho echaziwe noma endaweni yesikhulumi. Ekusatshalalisweni kwe-CentOS 7, ukusetshenziswa kwe-IPTEST kwenza umsebenzi onjalo, uxhumana ne-netfilter firewall eyakhelwe ngaphakathi. Kwesinye isikhathi umphathi wohlelo noma umphathi wenethiwekhi kufanele alungiselele ukusebenza kwale ngxenye, enquma imithetho efanele. Njengengxenye yendatshana yanamuhla, singathanda ukukhuluma ngezinto eziyisisekelo zokucushwa kwezikhalazo ku-OS okushiwo ngenhla.
Lungiselela ama-Iptables kuma-CentOS 7
Ithuluzi ngokwalo liyatholakala ukuthi lisebenze ngokushesha ngemuva kokuqedwa kokufakwa kwe-CentOS 7, kepha futhi kuzodingeka ukuthi kufakwe ezinye izinsizakalo, esizokhuluma ngazo. Epulatifomu ebhekwayo kunelinye ithuluzi elakhelwe ngaphakathi elenza umsebenzi we-firewall obizwa nge-firewalld. Ukugwema izingxabano, nomsebenzi owengeziwe, sincoma ukuthi sikhubazele le ngxenye. Imiyalo eyandisiwe kulesi sihloko ifundwe kwenye impahla esixhumanisi esilandelayo.Funda kabanzi: Khubaza Firewalld kuma-CentOS 7
Njengoba wazi, amaphrothokhokholi we-IPv4 ne-IPV6 angasetshenziswa ohlelweni. Namuhla sizogxila kusibonelo se-IPv4, kepha uma ufuna ukumisa enye iphrothokholi, uzodinga esikhundleni seqembu. Izikhalazo. Ngokusetshenziswa kwekhonsoli IP6Tables.
Ukufaka ama-Iptables
Kufanele kube kuqala kwizilo ezingeziwe zohlelo lokusebenza olubhekwayo namuhla. Bazosiza ekubekeni imithetho namanye amapharamitha. Ukulayisha kwenziwa kusuka kwibhayisiko elisemthethweni, ngakho-ke akuthathi isikhathi esiningi.
- Zonke ezinye izenzo zizokwenziwa kwi-Classical Console, ngakho-ke wugijime nganoma iyiphi indlela elula.
- I-Sudo YUM Faka umyalo we-IpTable-Services Ingcemi unesibopho sokufaka izinsizakalo. Faka bese ucindezela inkinobho ethi Enter.
- Qinisekisa i-akhawunti ye-superuser ngokucacisa iphasiwedi kuyo. Uyacelwa ukuthi uqaphele ukuthi lapho imibuzo i-Sudo, izinhlamvu ezifakiwe ezikulayini azikaze ziboniswe.
- Kuzophakanyiswa ukwengeza iphakheji elilodwa ohlelweni, qinisekisa lesi senzo ngokukhetha uhlobo lwe-Y.
- Lapho usuqedile ukufakwa, hlola uhlobo lwamanje lwethuluzi: sudo ipts -
- Umphumela uzovela entanjeni entsha.
Manje i-OS isilungele ngokuphelele ukucushwa okwengeziwe kwesicishamlilo ngokusebenzisa i-IPTAbles Utility. Siphakamisa ukubajwayeza ngokucushwa kwezinto, kusukela ngezinsizakalo zokuphatha.
Ukuma kanye Nokwethula Izinsizakalo ze-Iptables
Ukuphathwa kwemodi ye-IPTAble kudingeka ezimweni lapho udinga ukubheka isenzo semithetho ethile noma umane uqale kabusha ingxenye. Lokhu kwenziwa kusetshenziswa imiyalo eshumekiwe.
- Faka i-Sudo Service Ipt Stop bese uqhafaza kukhiye wokufaka ukumisa izinsizakalo.
- Ukuqinisekisa le nqubo, chaza iphasiwedi ye-superuser.
- Uma inqubo iphumelela, kuzovezwa intambo entsha, ikhombisa ushintsho kufayela lokucushwa.
- Ukwethulwa kwezinsizakalo kwenziwa cishe ngendlela efanayo, kuphela umugqa uthola izinsiza ze-Sudo Service IPTAbles Qala ukubuka.
Ukuqalisa kabusha okufanayo, ukuqala noma ukumisa ukusetshenziswa kuyatholakala nganoma yisiphi isikhathi, ungakhohlwa ukubuyisa inani lokubuyela emuva lapho lizodingeka.
Bheka futhi ususe imithetho
Njengoba kushiwo ngaphambili, ukulawulwa kwe-firewall kwenziwa yi-Manual noma ngokungezwa ngokuzenzakalela imithetho. Isibonelo, ezinye izinhlelo zokusebenza ezingeziwe zingafinyelela ithuluzi, ziguqule izinqubomgomo ezithile. Kodwa-ke, izinyathelo eziningi ezinjalo zisenziwa ngesandla. Ukubuka uhlu lwayo yonke imithetho yamanje kuyatholakala nge-Sudo Iptables -L Command.
Emthethweni obonisiwe kuzoba nolwazi ngamaketanga amathathu: "okufakwayo", "okukhipha" kanye "phambili" - okuzayo nokudlulisa, ngokulandelana.
Ungachaza isimo sawo wonke amaketanga ngokufaka i-sudo eptables -S.
Uma imithetho ibonwa ingagculisekile kuwe, bavele basuswe. Lonke uhlu lusulwa kanjena: Sudo Iptables -f. Ngemuva kokusebenza, umthetho uzosuswa ngokuphelele kuwo wonke amaketabhu amathathu.
Lapho udinga ukuthinta kuphela izinqubomgomo ezivela ku-chain eyodwa, kufakwa impikiswano eyengeziwe kulayini:
Sudo iptable -F okokufaka
Sudo iptables -F okuphumayo
Sudo eptable -f phambili
Ukungabikho kwayo yonke imithetho kusho ukuthi azikho izilungiselelo zokuhlunga traffic ezingasetshenziswa kunoma iyiphi ingxenye. Okulandelayo, umphathi wesistimu uzocacisa ngokuzimela amapharamitha amasha esebenzisa ikhonsoli efanayo, umyalo nezimpikiswano ezahlukahlukene.
Ukwemukela nokulahla ithrafikhi ngamaketanga
I-chain ngayinye ilungiselelwe ngokwehlukana ukuthola noma ukuvimba ithrafikhi. Ngokubeka okushiwo okuthile, kungatholakala lokho, ngokwesibonelo, wonke amathrafikhi angenayo azovinjwa. Ukuze wenze lokhu, umyalo kumele ube ne-Sudow Iptables Wort --Policy Wort Drop, lapho ukufaka khona igama leketanga, futhi ukwehla kuyinani lokulahla.
Ngempela amapharamitha afanayo asethelwe eminye imibuthano, ngokwesibonelo, i-Sudo Iptables --Policy Outpput Drop. Uma udinga ukusetha inani lokuthola ithrafikhi, khona-ke ukwehla kwezinguquko kukwamukeleka futhi kuvela iSudo Ipt Games - Ukwamukela ukufakwa kwe-Sudow.
Isinqumo sePort and Lock
Njengoba wazi, zonke izinhlelo zokusebenza zenethiwekhi nezinqubo zisebenza ngechweba elithile. Ngokuvinjwa noma ukuxazulula amakheli athile, ungabheka ukufinyelela kwazo zonke izinhloso zenethiwekhi. Ake sihlaze ichweba phambili ngesibonelo 80. Ku-terminal, kuzokwanela ukufaka i-sudo ipters -Ukufaka -P TCP - jwport 80 -J ukwamukela umthetho omusha, ukufaka - isiphakamiso I-chain, -P - Incazelo yephrothokholi kuleli cala, i-TCP, A --DoPort yichweba eliya kulo.
Impela umyalo ofanayo futhi usebenza ku-Port 22, esetshenziswa yi-SSH Service: Sudo Iptables -Ukufaka -P TCP --J amukele 22.
Ukuvimba imbobo ebekiwe, intambo isetshenziswa ngqo uhlobo olufanayo, kuphela ekugcineni koshintsho olwemukela. Ngenxa yalokhu, kuyavela, ngokwesibonelo, i-sudo iptables - Ukufaka okufakiwe -P TCP --J ukwehla okungama-2450 -J.
Yonke le mithetho ifakwa kwifayela lokucushwa futhi ungawabuka nganoma yisiphi isikhathi. Sikukhumbuza, kwenziwa ngeSudo Iptables -L. Uma udinga ukuvumela ikheli lenethiwekhi ye-IP ngechweba kanye netheku, intambo iguqulwa kancane - ngemuva kokuthi i-TPC ingezwe-amakheli uqobo. I-Sudo Eptable-Ukufaka -p TCP -S -S 12.12.12.12/32 --dport 22 - lapho 12.12.12.12/322 yikheli elidingekayo le-IP.
Ukuvinjwa kwenzeka ngomgomo ofanayo ngokushintsha ekugcineni kwenani lokwamukela ekwehleni. Lapho-ke kuvela, ngokwesibonelo, i-Sudo Iptables -Ukufaka -P TCP -S 12.12.12.0/224 --dport 22 -J Drop.
Ukuvinjwa kwe-ICMP
I-ICMP (I-Intanethi Yokulawula Umlayezo) - Iphrothokholi efakiwe ku-TCP / IP futhi iyabandakanyeka ekudluliseleni imiyalezo yephutha nezimo eziphuthumayo lapho usebenza ngethrafikhi. Isibonelo, lapho iseva eceliwe ingatholakali, leli thuluzi lisebenza imisebenzi yensiza. I-Iptbles Utility ikuvumela ukuba uyivimbele ngokusebenzisa i-firewall, futhi ungayenza isebenzise i-sudo ipts - okuphuma -P ICMP - Uhlobo lwe-ICMP - hlobo umyalo we-ICMP Izovimba izicelo kusuka kuseva yakho.
Izicelo ezingenayo zivinjelwe okuhlukile. Ngemuva kwalokho udinga ukufaka i-Sudo Iptables -I-Faka -P ICMP - Uhlobo lwe-8 -J Drop. Ngemuva kokwenza kusebenze le mithetho, iseva ngeke iphendule kwizicelo zePing.
Vikela izenzo ezingagunyaziwe kuseva
Kwesinye isikhathi amaseva ahlaselwa yi-DDOS noma ezinye izenzo ezingagunyaziwe ezivela kubahlaseli. Ukulungiswa okulungile kwe-firewall kuzokuvumela ukuthi uzivikele kulolu hlobo lokugenca. Okokuqala, sincoma ukubeka imithetho enjalo:
- Sibhala kwi-IPTTS - Ukufaka okufakiwe -P TCP - -Port 80 -M Umkhawulo - Limit 20 / Minute . Ungacacisa iyunithi lokulinganisa ngokwakho, ngokwesibonelo, / okwesibili, / umzuzu, / ihora, / usuku. - Limit-burst inombolo - umkhawulo ngenani lamaphakeji alahlekile. Onke amanani aboniswa ngawodwa ngokusho kokuncamelayo komqondisi.
- Okulandelayo, ungavimbela ukuskena kwamachweba avulekile ukususa enye yezimbangela zokugenca. Faka i-Sudo Iptables yokuqala -n block-scan umyalo.
- Ngemuva kwalokho chaza i-sudo iptables -I-block-scan -p -p -p -p -p -p -P TCP -TCP-flags syn, ack, Fin, RST -M ukubuyisa - kukubuya 1 / S-BJ.
- Umyalo wokugcina wesithathu yile: sudo iptables -I-block-scan-j yehla. Inkulumo yokuskena okuvinjelwe kulezi zimo - igama lesifunda elisetshenzisiwe.
Izilungiselelo eziboniswe namuhla ziyisisekelo somsebenzi kuthuluzi lokulawula le-firewall. Emibhalweni esemthethweni ye-Utility uzothola incazelo yazo zonke izimpikiswano ezitholakalayo nezinketho futhi ungamisa i-firewall ngokuqondile izicelo zakho. Ngaphezulu kwemithetho yezokuphepha ejwayelekile, evame ukusetshenziswa futhi ezimweni eziningi iyadingeka.