A firewall on Linux plays an important role in protecting a computer system. It acts as a barrier, controlling and filtering network traffic to protect the system from unauthorized access, attacks, and other threats. Without a properly configured firewall, a server can be exposed to many kinds of cyberattacks, with serious consequences for data security and privacy.
In this article we look at the two main tools for configuring the Linux firewall: firewalld and iptables. We compare their features, operation, and advantages, give detailed instructions for installing and using each of them, and discuss good practices for protecting a Linux system with a firewall. All steps are demonstrated on a virtual server with root access.
Configuring firewalld on Linux
firewalld (Firewall Daemon) is a program for managing the firewall on Linux operating systems. It provides a user interface for configuring firewall rules, allowing or blocking network connections for applications. It is pre-installed by default in many server distributions. If firewalld is not installed, it can be installed separately from the distribution's official repository.
On Red Hat-based systems (RHEL, CentOS, Fedora) the installation command is:
yum install firewalld
On Debian/Ubuntu:
apt-get install firewalld
After installation, start it immediately with:
systemctl start firewalld
Next, enable the service so that it starts at boot:
systemctl enable firewalld
At this point we recommend disabling ufw, since running it at the same time as firewalld or iptables is not recommended: all of these tools write to the same kernel rule set and overwrite each other's rules. Check its status:
systemctl status ufw
To stop it, run:
systemctl stop ufw
To disable it permanently:
ufw disable
After these steps you can proceed to configuring firewalld.
First, the trust zones need to be defined. firewalld uses the concept of zones to express how much a network interface is trusted. Each interface is assigned to one zone, and firewall rules are applied according to that zone. The list of all available zones is shown by:
firewall-cmd --get-zones
The predefined zones returned by this command are drop, block, public, external, dmz, work, home, internal, and trusted. Four of them are used most often:
- public: for networks you consider untrusted; it is normally the default zone for new interfaces;
- home: for home networks or other trusted networks you connect to (firewalld has no predefined "private" zone; home is the one that fills that role);
- internal: for internal networks, such as the network inside an organization or company;
- dmz: the zone where servers that must be reachable from the Internet are usually placed.
This is only one possible layout. You can add your own zone with:
firewall-cmd --permanent --new-zone=nameyourzone
After adding it, a reload is required:
firewall-cmd --reload
A zone is deleted in the same way:
firewall-cmd --permanent --delete-zone=nameyourzone
Once the zones are defined, traffic must be allowed for the required services and ports. To allow a service, use:
firewall-cmd --zone=public --add-service=name
where name is the service name (the available names are listed by firewall-cmd --get-services). For example, to allow HTTP traffic to Apache:
firewall-cmd --zone=public --add-service=http
To open specific ports, use:
firewall-cmd --zone=public --add-port=number/protocol
For example, the standard SSH port 22 looks like this:
firewall-cmd --zone=public --add-port=22/tcp
The basic rules are now in place. Next, consider how traffic should be handled depending on zone, source, destination, port, and other attributes. The general form for adding a rule (using the public zone as an example) is:
firewall-cmd --zone=public --add-<type>=<rule_specification>
where type is port, service, source, rich-rule, and so on. For example, to allow incoming traffic from any source to port 80 (HTTP) and keep the rule across reloads:
firewall-cmd --zone=public --add-port=80/tcp --permanent
To remove a rule, use the matching --remove option:
firewall-cmd --permanent --zone=public --remove-<type>=<rule_specification>
where type is the kind of rule (port, service, rich-rule, etc.) and rule_specification is the rule itself, for example --remove-port=80/tcp. Note that a command without --permanent changes only the running configuration and is lost at the next reload or restart, while a command with --permanent changes only the saved configuration and has no effect until it is applied.
After changing the firewalld configuration, the changes must therefore be saved and applied. To copy the current runtime rules into the permanent configuration:
firewall-cmd --runtime-to-permanent
To apply the permanent configuration (this also discards any runtime-only changes that were not saved in the previous step):
firewall-cmd --reload
When configuration is complete, verify the settings by listing all rules of the active zone:
firewall-cmd --list-all
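The steps above, put together into one reviewable script, as an added example that is not part of the original article. It assumes a public-facing web server whose interface is eth0 and whose administrators connect over SSH from the documentation network 203.0.113.0/24 (both values are assumptions and can be overridden through environment variables). Every change is made with --permanent and activated by a single --reload at the end, and SSH is restricted to the management network with a rich rule instead of being open to everyone. With DRY_RUN=1 (the default) the script only prints the firewall-cmd invocations so they can be reviewed; run it as root with DRY_RUN=0 to apply them.

```shell
#!/bin/sh
# Added example: a minimal firewalld policy for a public web server.
# Assumptions (not from the article): interface eth0, management network
# 203.0.113.0/24 (RFC 5737 documentation range), zone "public".
set -eu

DRY_RUN="${DRY_RUN:-1}"
ZONE="${ZONE:-public}"
IFACE="${IFACE:-eth0}"
MGMT_NET="${MGMT_NET:-203.0.113.0/24}"

# run: print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# valid_port: accept only "<1-65535>/tcp" or "<1-65535>/udp", the exact
# form --add-port expects, so a typo never reaches firewall-cmd.
valid_port() {
    spec="$1"
    case "$spec" in
        */tcp|*/udp) ;;
        *) return 1 ;;
    esac
    num="${spec%/*}"
    case "$num" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$num" -ge 1 ] && [ "$num" -le 65535 ]
}

# fw_policy: emit or apply the rule set for ZONE. All changes use --permanent,
# so nothing takes effect until the final --reload; the saved configuration can
# be inspected first with: firewall-cmd --permanent --zone=$ZONE --list-all
fw_policy() {
    run firewall-cmd --set-default-zone="$ZONE"
    run firewall-cmd --permanent --zone="$ZONE" --change-interface="$IFACE"

    # Web traffic from anywhere, as predefined services.
    for svc in http https; do
        run firewall-cmd --permanent --zone="$ZONE" --add-service="$svc"
    done

    # A custom port (assumed: an admin console on 8443/tcp), validated first.
    for p in 8443/tcp; do
        valid_port "$p" || { echo "bad port spec: $p" >&2; return 1; }
        run firewall-cmd --permanent --zone="$ZONE" --add-port="$p"
    done

    # SSH only from the management network: drop the world-open "ssh" service
    # that the default public zone ships with and replace it with a rich rule
    # that carries a source restriction.
    run firewall-cmd --permanent --zone="$ZONE" --remove-service=ssh
    run firewall-cmd --permanent --zone="$ZONE" \
        --add-rich-rule="rule family=\"ipv4\" source address=\"$MGMT_NET\" service name=\"ssh\" accept"

    # Activate the permanent configuration and show the result.
    run firewall-cmd --reload
    run firewall-cmd --zone="$ZONE" --list-all
}

fw_policy
```

Because the SSH change removes the open service before adding the restricted rule and both are --permanent, there is no window in which port 22 is unreachable; if the rich rule's source were wrong, the reload would still lock you out, which is why the dry-run output should be read before DRY_RUN=0 is used over an SSH session.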
If problems arise, check the firewalld log with:
journalctl -u firewalld
Note: we have only covered the general procedure for configuring connections. The tool has many more capabilities. For complete information on all available options, consult the official documentation or the built-in help:
firewall-cmd --help
Configuring iptables on Linux
Unlike firewalld, iptables is an older but still widely used tool for configuring the firewall on Linux. It gives direct and flexible access to the packet-filtering rules at the Linux kernel level (on current distributions the iptables command is usually the nftables-backed compatibility front end, which is what the "(nf_tables)" suffix in the version string means). However, iptables requires more knowledge and experience than firewalld, which makes it less accessible to beginners. Check whether the tool is already installed and which version is present:
iptables -V
If the tool is not installed, install it. On Ubuntu and Debian:
apt install iptables
On Red Hat-based systems (for example, CentOS and Fedora):
yum install iptables
The service unit used below is provided by the iptables-services package on Red Hat-based systems; Debian and Ubuntu have no iptables.service and instead restore saved rules at boot through the iptables-persistent (netfilter-persistent) package. Where the unit exists, start it with:
systemctl start iptables
To enable it at boot, run:
systemctl enable iptables
Before starting the iptables configuration, it is important to understand how the tool works, beginning with the command syntax:
iptables -t table action chain additional_parameters
Let us look at each element in detail.
iptables has four main tables: filter, nat, mangle, and raw. Each handles a particular kind of packet processing and has its own chains of rules:
- filter: the most commonly used table, holding the packet-filtering rules. It is used to decide whether packets are accepted or rejected, and it is the default when -t is omitted.
- nat: used to rewrite network addresses and ports in packets. It is typically used to set up masquerading (NAT).
- mangle: used to modify packet headers, for special processing such as marking packets.
- raw: used for rules that are evaluated before connection tracking. It is typically used for rules that must not be handled by the tracking system, such as dropping packets from certain addresses as early as possible.
Each table has a set of chains. A chain is a sequence of rules that is evaluated in order until a rule with a terminating target matches; if none matches, the chain's default policy applies. The filter table has three built-in chains:
- INPUT: rules in this chain decide what to do with packets addressed to the local host.
- OUTPUT: this chain applies to all packets sent by your computer to other devices or computers on the network.
- FORWARD: rules in this chain decide what to do with packets that are routed through this host to another destination (relevant only when IP forwarding is enabled).
Finally, each rule ends with an action (target). In practice, five main targets are used:
- ACCEPT: let the packet through the firewall.
- DROP: discard the packet silently, with no response to the sender.
- REJECT: discard the packet and send the sender an ICMP error message (or a TCP reset with --reject-with tcp-reset).
- LOG: record the packet in the system log. LOG is non-terminating: evaluation continues with the next rule, so it is normally followed by an ACCEPT or DROP rule for the same traffic.
- RETURN: stop evaluating the current chain and return to the calling chain; in a built-in chain this means the chain policy applies.
To begin, list the existing rules with the following command (add -n -v --line-numbers to skip reverse DNS lookups and to see packet counters and rule numbers):
iptables -L
As a guide to configuring iptables, here are working examples of the most frequently used commands. For convenience they are grouped into three sets, one per chain.
INPUT chain:
1. Allow incoming TCP traffic on port 80:
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
2. Allow incoming UDP traffic on port 22 (SSH itself uses TCP; this only illustrates the -p udp syntax):
iptables -A INPUT -p udp --dport 22 -j ACCEPT
3. Block incoming traffic from a specific IP address:
iptables -A INPUT -s 192.168.1.100 -j DROP
OUTPUT chain:
1. Allow outgoing TCP traffic to port 443:
iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
2. Allow outgoing UDP traffic to port 80:
iptables -A OUTPUT -p udp --dport 80 -j ACCEPT
3. Block outgoing traffic to a specific port (for example, 21):
iptables -A OUTPUT -p tcp --dport 21 -j DROP
FORWARD chain:
1. Block forwarded traffic from a given range of IP addresses:
iptables -A FORWARD -s 172.16.0.0/24 -j DROP
2. Block forwarding of packets that arrive on a specific network interface:
iptables -A FORWARD -i eth1 -j DROP
3. Rate-limit connections to a port (in this example, 10 per minute on port 80). Note that this rule belongs to the INPUT chain, not FORWARD, and that -m limit counts matching packets, not concurrent connections. Packets above the limit simply do not match this rule and fall through to the rules that follow or to the chain policy, so the limit only takes effect if a DROP rule for the same port comes after it:
iptables -A INPUT -p tcp --dport 80 -m limit --limit 10/minute -j ACCEPT
As you can see, each case uses additional arguments (match options). For the full list of possible arguments and complete usage information, enter:
iptables -h
To verify that the configuration is correct, list the rules again:
iptables -L
To delete a specific rule, use:
iptables -D chain rule_number
For example, to delete rule number 1 from the INPUT chain (rule numbers are shown by iptables -L --line-numbers), the command looks like this:
iptables -D INPUT 1
To delete all rules of the filter table with a single command (this flushes the rules but keeps the chain policies, so with a DROP policy on INPUT it locks you out of a remote session; reset the policies to ACCEPT first if that is a risk):
iptables -F
Important: iptables rules are not preserved automatically across a system or service restart. To keep them, they must be written to a configuration file and restored after the reboot. The iptables-save and iptables-restore utilities are made for this. To save the rules (the /etc/iptables directory is the one used by iptables-persistent on Debian and Ubuntu; Red Hat-based systems with iptables-services read /etc/sysconfig/iptables instead):
iptables-save > /etc/iptables/rules.v4
This writes the current iptables rules to the rules.v4 file. To restore them after a reboot, run:
iptables-restore < /etc/iptables/rules.v4
This command restores the rules from the rules.v4 file. It covers IPv4 only; the IPv6 rules are handled separately with ip6tables-save and ip6tables-restore (conventionally rules.v6).
Conclusion
Configuring a firewall on Linux with firewalld or iptables is an essential part of server security. Both tools offer reliable ways to control network traffic and to protect the system from unauthorized access and cyberattacks. The choice between firewalld and iptables depends on the specific requirements and the preferences of the user, given their different approaches and capabilities.
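The individual iptables commands above become useful only when assembled in the right order into a complete rule set. The following script is an added example, not code from the original article: a stateful default-deny policy for a web server, assuming IPv4 only and SSH administration from the documentation network 203.0.113.0/24 (both assumptions, overridable via environment variables). It shows the points made in this section in one place: -F flushes rules but not policies, so the policies are set explicitly; -A appends, so the catch-all LOG and DROP rules must come last; -m limit only caps traffic when a DROP follows it; LOG is non-terminating; and the result is persisted with iptables-save. With DRY_RUN=1 (the default) the commands are printed for review; DRY_RUN=0 applies them as root.

```shell
#!/bin/sh
# Added example: a stateful default-deny iptables rule set for a web server.
# Assumptions (not from the article): IPv4 only (ip6tables needs the same
# treatment), management network 203.0.113.0/24 (RFC 5737 documentation range),
# rules persisted to /etc/iptables/rules.v4 for iptables-persistent.
set -eu

DRY_RUN="${DRY_RUN:-1}"
MGMT_NET="${MGMT_NET:-203.0.113.0/24}"
RULES_FILE="${RULES_FILE:-/etc/iptables/rules.v4}"

# run: print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

ipt_policy() {
    # Start from a clean filter table. -F removes rules but keeps policies, so
    # the policies are set explicitly. Do this from a console, not over SSH,
    # unless the ESTABLISHED rule below is already in place.
    run iptables -F
    run iptables -X
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT ACCEPT

    # Loopback, replies to connections this host initiated, and junk.
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -m conntrack --ctstate INVALID -j DROP

    # SSH: only from the management network, at most 10 new connections per
    # minute with a burst of 5. '-m limit' counts matching packets, which is
    # why the match is restricted to NEW connections; the DROP that follows is
    # what enforces the cap, because packets above the rate do not match ACCEPT.
    run iptables -A INPUT -p tcp --dport 22 -s "$MGMT_NET" -m conntrack --ctstate NEW \
        -m limit --limit 10/minute --limit-burst 5 -j ACCEPT
    run iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j DROP

    # Public web service.
    run iptables -A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT

    # Log what is about to be dropped, rate-limited so an attacker cannot fill
    # the disk. LOG is non-terminating, hence the explicit DROP after it.
    run iptables -A INPUT -m limit --limit 5/minute -j LOG --log-prefix "IPT-DROP: " --log-level 4
    run iptables -A INPUT -j DROP

    # Persist the rules so they survive a reboot.
    if [ "$DRY_RUN" = "1" ]; then
        printf 'iptables-save > %s\n' "$RULES_FILE"
    else
        iptables-save > "$RULES_FILE"
    fi
}

ipt_policy
```

After applying, iptables -L INPUT -n -v --line-numbers shows the counters climbing on the ESTABLISHED rule for normal traffic and on the final DROP for everything else; if the counters on the LOG rule grow while the DROP rule's do not, the rate limit is working as intended.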