Opening or blocking ports on CentOS using iptables
Check whether the firewall is blocking ports:
iptables -L -n
If needed, add the required ports. By default the configuration is stored in the file /etc/sysconfig/iptables:
nano /etc/sysconfig/iptables
To open port 80, add a rule like this:
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
It can also be added this way:
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
To delete a rule, e.g. rule no. 5:
iptables -D INPUT 5
To modify a rule, e.g. to allow connections only from a particular subnet:
iptables -R INPUT 5 -p tcp -s 192.168.0.0/24 --dport 80 -j ACCEPT
Check the rules:
sudo iptables -L
Chain INPUT (policy ACCEPT) ...
Set the chain's default policy to drop all remaining traffic:
iptables -P INPUT DROP
Verify:
sudo iptables -L
Chain INPUT (policy DROP) ...
Don't forget:
service iptables restart
service iptables save
Check that the ports are open:
netstat -tulpn | less
or
nmap -sT -O localhost
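The whole procedure above (allow the needed ports, then drop everything else, then save), as an added example that is not part of the original post: a POSIX shell function that generates the complete INPUT ruleset in the iptables-save format used by /etc/sysconfig/iptables, and that refuses to emit a default DROP policy unless the management (SSH) port is among the allowed ports, since applying `-P INPUT DROP` before accepting that port and ESTABLISHED traffic cuts off the remote session. The port numbers and the log prefix are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post. Prints an iptables-restore
# ruleset for the INPUT chain: stateful accept, loopback, the allowed TCP
# ports, a rate-limited LOG of what is about to be dropped, default DROP.
# Assumptions: port 22 is the management port; ports 80/443 are the services.

# gen_input_rules MGMT_PORT PORT... -> ruleset on stdout; returns 1 (and
# prints nothing) when MGMT_PORT is not in the allowed list, to avoid lockout.
gen_input_rules() {
    mgmt="$1"; shift
    allowed=0
    for p in "$@"; do
        if [ "$p" = "$mgmt" ]; then allowed=1; fi
    done
    if [ "$allowed" -ne 1 ]; then
        echo "refusing to generate: management port $mgmt is not allowed" >&2
        return 1
    fi
    echo '*filter'
    echo ':INPUT DROP [0:0]'      # default policy: drop what no rule accepts
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    # keep replies to outbound connections and already open sessions working
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    # only NEW connections to the listed ports are accepted
    for p in "$@"; do
        echo "-A INPUT -p tcp -m tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    # LOG is non-terminating: the packet is logged, then falls to the DROP policy
    echo '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: "'
    echo 'COMMIT'
}

# Usage (constructed): gen_input_rules 22 22 80 443 > /etc/sysconfig/iptables
# then load it with: iptables-restore < /etc/sysconfig/iptables
```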
Note:
CentOS/RHEL 6 has a terminal user interface (TUI) tool:
system-config-firewall-tui
Starting with CentOS and RHEL 7, firewall rules are managed by the firewalld service daemon. Its command-line client is firewall-cmd, which we can use to manage and update the firewall rules.
To open a new port (e.g. TCP/80) permanently, use these commands:
sudo firewall-cmd --zone=public --add-port=80/tcp --permanent
sudo firewall-cmd --reload
Without the --permanent option, the firewall rule will not persist after a restart.
A few options of the iptables command:
-A (append): adds a rule to the end of a chain
-L (list): shows the current rules
-m conntrack: allows rules to match on the current connection state, specified with --ctstate
--ctstate: the states a connection can be in; there are four: NEW, RELATED, ESTABLISHED and INVALID
-p (protocol): the protocol of the rule or of the packet to check. The specified protocol can be one of tcp, udp, udplite, icmp, esp, ah, sctp or the special keyword "all"
--dport (destination port): the port through which the machine connects
-j (jump): the action to take when a packet fully matches the rule. It is one of four possibilities:
  ACCEPT: the packet is accepted, and no further rules are processed
  REJECT: the packet is rejected, the sender is notified, and no further rules are processed
  DROP: the packet is rejected, the sender is not notified, and no further rules are processed
  LOG: the packet is logged and passed on, and the following rules are processed
-I (insert): adds a rule between two existing ones
-I INPUT 3: inserts a rule into the INPUT chain so that it becomes the third in the list
-v (verbose): offers more details about a rule