
Configuring a Firewall on Linux


A firewall on Linux plays a key role in securing a system. It acts as a barrier that controls and filters network traffic, protecting the host from unauthorised access, attacks and other threats. Without a properly configured firewall a server is exposed to a wide range of network attacks, with serious consequences for the security and confidentiality of its data.

In this article we look at the two main tools for configuring a Linux firewall: firewalld and iptables. We compare their features, the way they work and their advantages, give step-by-step instructions for installing and using each of them, and discuss good practice for protecting a system with a firewall on Linux. All operations are demonstrated on a virtual server as root.

Configuring firewalld on Linux

Firewalld (firewall daemon) is a program for managing the firewall on Linux. It provides an interface for configuring firewall rules that permit or block network connections for applications, and it programs the kernel packet filter on your behalf. It is preinstalled by default in many server distributions; if it is not, it can be installed from the distribution's official repositories.

On Red Hat family systems (RHEL, CentOS, Fedora) it is installed with the following command (on current releases yum is an alias for dnf):

yum install firewalld

On Debian/Ubuntu:

apt-get install firewalld

After installation it can be started immediately with:

systemctl start firewalld

Next, enable the service so that it starts at boot:

systemctl enable firewalld

At this point we recommend disabling ufw. It must not be used at the same time as firewalld or iptables: all of them write rules into the same kernel packet filter, so two managers running side by side overwrite each other's rules and the resulting policy is unpredictable. Check its status:

systemctl status ufw

To stop it:

systemctl stop ufw

To disable it completely (this unloads its rules and stops it from starting at boot):

ufw disable

After these steps you can proceed to configure firewalld. If you are working over SSH, make sure firewalld's active zone allows the ssh service (the default public zone does) before you disconnect, otherwise you will be locked out of the server.

First, define the trust zones. Firewalld uses the concept of zones to express how much a network connection is trusted. Each network interface (or source address range) is assigned to exactly one zone, and the rules applied to a packet are those of the zone its interface or source belongs to. List all available zones with:

firewall-cmd --get-zones

In practice four zones are used most often:

  1. public: networks you do not regard as trusted. This is the default zone, which any interface not explicitly assigned elsewhere belongs to;
  2. home: home networks or other trusted connections;
  3. internal: internal networks, such as an organisation's or company's LAN;
  4. dmz: the zone for servers that must be reachable from the internet while remaining isolated from the internal network.

This is only one example. You can add your own zone with:

firewall-cmd --permanent --new-zone=nameyourzone

After adding a zone, reload the configuration; a --permanent change is not active until then:

firewall-cmd --reload

Deleting a zone works the same way (again followed by a reload):

firewall-cmd --permanent --delete-zone=nameyourzone

Once the zones are defined, allow traffic for the required services and ports. Note that the commands below change only the running configuration and are lost at the next reload or restart; add --permanent to record the change in the saved configuration as well, or save the running configuration afterwards as shown further down. To allow a specific service:

firewall-cmd --zone=public --add-service=name

where name is the name of a predefined service. For example, to allow traffic to Apache:

firewall-cmd --zone=public --add-service=http

To open a specific port rather than a named service:

firewall-cmd --zone=public --add-port=number/protocol

For example, the standard SSH port 22 looks like this:

firewall-cmd --zone=public --add-port=22/tcp

At this stage the basic rules are in place. Next, define how traffic is handled according to source, destination, port and other conditions. For conditions beyond a single service or port, firewalld uses rich rules, added (using the public zone as an example) with:

firewall-cmd --zone=public --add-rich-rule='rule ...'

For the simple case of one port reachable from any source, a port rule is enough. For example, to permanently allow incoming traffic from any source to port 80 (HTTP):

firewall-cmd --zone=public --add-port=80/tcp --permanent

To remove a rule:

firewall-cmd --permanent --remove-<type>=<specification>

where <type> is the kind of rule (port, service, rich-rule and so on) and <specification> is the rule itself, for example --remove-port=80/tcp or --remove-service=http. Removing from the permanent configuration takes effect after the next reload; without --permanent the rule is removed from the running configuration only.

After changing the firewalld configuration, the changes must be saved and applied. Changes made to the running configuration (without --permanent) are copied into the permanent configuration with:

firewall-cmd --runtime-to-permanent

To load the permanent configuration into the running firewall:

firewall-cmd --reload

The order matters: --reload replaces the running rules with the permanent configuration and discards any runtime-only changes, so save them first if you want to keep them.

When the configuration is complete, verify the result by listing everything configured in the active zone (interfaces, sources, services, ports and rich rules):

firewall-cmd --list-all

If problems arise, check the firewalld log with:

journalctl -u firewalld

Note: we have covered the general procedure for configuring firewalld. The tool has many more functions; for details of all available options consult the official documentation or the built-in help:

firewall-cmd --help
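The steps above (bind an interface to a zone, allow services, restrict SSH with a rich rule, reload, verify) combined into one script, as an added example that is not part of the original article. It builds the whole policy in the permanent configuration and activates it with a single --reload, so there is never a window in which the old "ssh from anywhere" entry is gone but its replacement is not yet loaded. The interface name eth0, the management network 203.0.113.0/24 (a documentation range) and the choice of HTTP/HTTPS are assumptions for the example; by default the script only prints the firewall-cmd invocations it would run, and APPLY=1 executes them as root.

```bash
#!/bin/sh
# Added example (not from the original article): a baseline firewalld policy
# for a single public-facing server. Assumptions: the public interface is
# eth0, administration comes from 203.0.113.0/24 (documentation range), and
# the server offers plain HTTP/HTTPS. Default is a dry run; APPLY=1 executes.

APPLY="${APPLY:-0}"

# Execute the command, or print it in dry-run mode. The printed form is for
# review only: arguments containing spaces (the rich rule) lose their quoting.
run() {
    if [ "$APPLY" = "1" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# Write the public zone's permanent configuration. Nothing here touches the
# running firewall until apply_policy reloads it.
configure_public_zone() {
    iface="$1"
    admin_net="$2"
    # Bind the interface to the zone so the zone's rules apply to its traffic.
    run firewall-cmd --permanent --zone=public --change-interface="$iface"
    # Web services from anywhere (re-adding an existing service is harmless).
    run firewall-cmd --permanent --zone=public --add-service=http
    run firewall-cmd --permanent --zone=public --add-service=https
    # Replace the default "ssh from anywhere" entry with a rich rule that only
    # admits the management network. Both edits land in the same reload.
    run firewall-cmd --permanent --zone=public --remove-service=ssh
    run firewall-cmd --permanent --zone=public --add-rich-rule="rule family=\"ipv4\" source address=\"$admin_net\" service name=\"ssh\" accept"
    # Anything the zone does not explicitly allow is silently dropped instead
    # of rejected with an ICMP error, which gives port scanners less to see.
    run firewall-cmd --permanent --zone=public --set-target=DROP
}

# Load the permanent configuration into the running firewall and show the
# result. --reload discards runtime-only changes, so anything tried without
# --permanent must be saved with --runtime-to-permanent beforehand.
apply_policy() {
    run firewall-cmd --reload
    run firewall-cmd --zone=public --list-all
}

main() {
    configure_public_zone "${1:-eth0}" "${2:-203.0.113.0/24}"
    apply_policy
}

main "$@"
```

Run it first without APPLY to review the exact commands, then as root with APPLY=1 eth0 203.0.113.0/24 (or your own interface and network). Because the ssh rich rule is matched before the zone target, setting the target to DROP does not affect administrators coming from the management network; test that from a second SSH session before closing the first.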

Configuring iptables on Linux

Unlike firewalld, iptables is an older but still widely used tool for managing the Linux firewall. It gives more direct and flexible control over the packet-filtering rules in the Linux kernel; firewalld itself is a front end that ultimately programs the same kernel packet filter. However, iptables demands more knowledge and experience than firewalld, which makes it less approachable for beginners. Check whether the tool is already installed, and which version, with:

iptables -V

If the tool is not installed, install it. On current distributions the iptables binary is usually the nftables-backed variant and reports "(nf_tables)" in its version string; the command syntax below is the same either way. The installation command on Ubuntu and Debian:

apt install iptables

On Red Hat family systems (for example CentOS, Fedora):

yum install iptables

Unlike firewalld, iptables is not a daemon: the filtering is done by the kernel, and the systemd unit only loads a saved rule set at boot. On Red Hat family systems that unit (iptables.service) comes from the iptables-services package, which must be installed alongside iptables; on Debian/Ubuntu there is no unit of that name and rules are loaded at boot by the iptables-persistent package instead. Where the unit exists, start it after installation with:

systemctl start iptables

To have it start at boot, run:

systemctl enable iptables

Before configuring iptables it is important to understand how it works, starting with the structure of a command. It looks like this:

iptables -t table action chain additional_parameters

Let us look at each element in turn.

Iptables has four main tables: filter, nat, mangle and raw. Each handles a particular aspect of packet processing and has its own chains of rules:

  1. filter: the most used table, holding the packet-filtering rules. It decides whether a packet is accepted or dropped, and it is the table a command applies to when -t is omitted.
  2. nat: modifies network addresses and ports in packets. It is used for address translation (NAT), including masquerading.
  3. mangle: modifies packet headers. It is used for special handling such as marking packets.
  4. raw: its rules are applied before connection tracking sees the packet. It is mainly used to exempt traffic from connection tracking (the NOTRACK target), or to drop packets from particular addresses as early as possible.

Each table contains a set of chains. A chain is an ordered list of rules that are checked one after another; the first rule that matches decides the packet's fate, and a packet that matches no rule gets the chain's default policy. The filter table has three built-in chains:

  1. INPUT (incoming). Rules in this chain determine what happens to packets addressed to this host.
  2. OUTPUT (outgoing). This chain applies to all packets this host sends to other devices on the network.
  3. FORWARD (forwarding). Rules in this chain determine what happens to packets that this host routes between other machines.

Finally, each rule has an action (target). Five are used in practice:

  1. ACCEPT: let the packet through the firewall.
  2. DROP: discard the packet silently, with no response to the sender.
  3. REJECT: discard the packet and send the sender an ICMP error (or, for TCP, a reset).
  4. LOG: record the packet in the system log and continue with the next rule. LOG does not decide the packet's fate, so it is normally followed by a rule (or the chain policy) with ACCEPT or DROP.
  5. RETURN: stop checking rules in the current chain and return to the chain that called it; in a built-in chain the chain's default policy is applied instead.

To start, list the rules currently in place:

iptables -L

As a guide to configuring iptables, here are practical examples of the most common commands, grouped by chain. Remember that rules are evaluated in order and -A appends to the end of the chain, so a DROP appended after an ACCEPT that already matches the traffic has no effect; use -I instead of -A to insert a rule at the top when the order matters.

INPUT chain:

  1. Allow incoming TCP traffic on port 80:

iptables -A INPUT -p tcp --dport 80 -j ACCEPT

  2. Allow incoming UDP traffic on port 22:

iptables -A INPUT -p udp --dport 22 -j ACCEPT

  3. Block incoming traffic from a specific IP address:

iptables -A INPUT -s 192.168.1.100 -j DROP

OUTPUT chain:

  1. Allow outgoing TCP traffic on port 443:

iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT

  2. Allow outgoing UDP traffic on port 80:

iptables -A OUTPUT -p udp --dport 80 -j ACCEPT

  3. Block outgoing traffic to a specific port (for example 21, FTP):

iptables -A OUTPUT -p tcp --dport 21 -j DROP

FORWARD chain:

  1. Block forwarded traffic from a specific IP range:

iptables -A FORWARD -s 172.16.0.0/24 -j DROP

  2. Block forwarding of packets arriving on a specific interface:

iptables -A FORWARD -i eth1 -j DROP

Rate limiting (INPUT chain):

  1. Limit the rate of traffic to a port. In this example at most 10 matching packets per minute (plus an initial burst of 5, the default) are accepted on port 80:

iptables -A INPUT -p tcp --dport 80 -m limit --limit 10/minute -j ACCEPT

Note that the limit match counts packets, not simultaneous connections: add --syn so that only connection attempts are counted, or use the connlimit match to cap concurrent connections per source address. Packets above the limit do not match this rule and simply continue to the next one, so the limit only has an effect if a later rule or the chain's default policy drops them.

As you can see, each case uses additional arguments (matches and options). For the full list of arguments and the tool's built-in help, enter:

iptables -h

To confirm the settings, list the rules again:

iptables -L

To delete a specific rule by its position in a chain:

iptables -D chain rule_number

For example, to delete rule number 1 from the INPUT chain (numbers start at 1 in each chain and are shown by iptables -L INPUT --line-numbers):

iptables -D INPUT 1

To delete all rules in the filter table with one command (this flushes the rules but leaves each chain's default policy in place, so if the INPUT policy is DROP everything, including your SSH session, is blocked afterwards; set the policy to ACCEPT first or work from a console):

iptables -F

Important: iptables rules are not saved automatically and are lost when the system (or the service) restarts. To keep them, they must be written to a file and restored at boot. The iptables-save and iptables-restore utilities do this. To save the rules:

iptables-save > /etc/iptables/rules.v4

This writes the current rules to the file rules.v4. /etc/iptables/rules.v4 is the file that the iptables-persistent package on Debian/Ubuntu loads at boot (IPv6 rules go into rules.v6 in the same way, using ip6tables-save); on Red Hat family systems with iptables-services the equivalent file is /etc/sysconfig/iptables, written by service iptables save. To restore the rules after a reboot, enter:

iptables-restore < /etc/iptables/rules.v4

This command loads the rules from rules.v4, replacing the current rule set (pass -n to add to the current rules instead of replacing them).
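The individual rules above, assembled into one stateful INPUT policy in an order that cannot lock the operator out, as an added example that is not part of the original article. It shows the points raised in the examples: flushing before the policy is DROP, ESTABLISHED/RELATED before everything else, connlimit (simultaneous connections per source) as opposed to limit (packet rate), LOG as a non-terminating target followed by the DROP policy, and rule order. The management network 203.0.113.0/24 (a documentation range) and the public HTTP/HTTPS service are assumptions for the example; by default the script prints the iptables invocations it would run, and APPLY=1 executes them as root.

```bash
#!/bin/sh
# Added example (not from the original article): a minimal stateful INPUT
# policy for a server. Assumptions: SSH is administered only from
# 203.0.113.0/24 (documentation range) and HTTP/HTTPS are public.
# Default is a dry run; APPLY=1 executes the commands as root.

APPLY="${APPLY:-0}"

# Execute the command, or print it in dry-run mode. The printed form is for
# review only; arguments containing spaces (the log prefix) lose their quoting.
run() {
    if [ "$APPLY" = "1" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

build_input_policy() {
    admin_net="$1"
    # Open the policy before flushing: -F removes rules but not the policy, so
    # flushing a chain whose policy is already DROP would cut every session.
    run iptables -P INPUT ACCEPT
    run iptables -F INPUT
    # Loopback, replies to connections this host opened, and packets that
    # connection tracking cannot associate with any connection.
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
    # SSH only from the management network. connlimit caps simultaneous
    # connections per source address (mask 32 = one counter per host), which
    # the packet-rate match "limit" cannot do. The cap must precede the ACCEPT.
    run iptables -A INPUT -p tcp --dport 22 -s "$admin_net" -m conntrack --ctstate NEW \
        -m connlimit --connlimit-above 5 --connlimit-mask 32 -j REJECT --reject-with tcp-reset
    run iptables -A INPUT -p tcp --dport 22 -s "$admin_net" -m conntrack --ctstate NEW -j ACCEPT
    # Public web service.
    run iptables -A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
    # LOG is non-terminating: it records the packet and falls through to the
    # chain policy set below. The limit keeps a flood from filling the log.
    run iptables -A INPUT -m limit --limit 5/minute --limit-burst 10 -j LOG --log-prefix "iptables-drop: " --log-level 4
    # Only now, with the allow rules in place, make the default DROP.
    run iptables -P INPUT DROP
    # This host does not route; refuse to forward anything.
    run iptables -P FORWARD DROP
}

main() {
    build_input_policy "${1:-203.0.113.0/24}"
    # -n skips reverse DNS lookups; --line-numbers shows the numbers used by -D.
    run iptables -L INPUT -n -v --line-numbers
}

main "$@"
```

Before applying this over SSH, arm a rollback so that a mistake cannot lock you out: iptables-save > /root/before.rules, then (sleep 180; iptables-restore < /root/before.rules) & in the same shell. Run the script with APPLY=1, open a fresh SSH session to confirm the policy works, and only then kill the background job and persist the rules with iptables-save as described above.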

Conclusion

Configuring a firewall on Linux with firewalld or iptables is an essential part of securing a server. Both tools provide effective means of controlling network traffic and protecting the system from unauthorised access and network attacks. The choice between firewalld and iptables depends on your specific requirements and preferences: firewalld offers zones, named services and a safe runtime/permanent workflow, while iptables gives direct, fine-grained control over the kernel packet filter at the cost of more manual care.
