Diagnosing network connectivity on the EDGE virtual router

In some cases problems arise when setting up a virtual router. For example, port forwarding (NAT) does not work, and/or there is a problem with the configured Firewall rules themselves. Or you simply want to get the router logs, check channel utilisation, and run network diagnostics. Cloud provider Cloud4Y explains how this is done.

Working with the virtual router

First, we need to configure access to the virtual router, the EDGE. To do this, open its services and go to the appropriate tab, EDGE Settings. There we enable SSH Status, set a password, and make sure to save the changes.


If we use strict Firewall rules, where everything is denied by default, we add rules that allow connections to the router itself on the SSH port:


After that we connect with any SSH client, for example PuTTY, and get into the console.


In the console a set of commands is available to us; their list can be viewed with:
list


Which commands may be useful to us? Here is a list of the most useful ones:

  • show interface - shows the existing interfaces and the IP addresses configured on them
  • show log - shows the router logs
  • show log follow - lets you watch the log in real time with continuous updates. Every rule, whether NAT or Firewall, has a logging option; when it is enabled, events are written to the log, which makes diagnosis possible.
  • show flowtable - shows the whole table of established connections and their parameters
    Example: 1: tcp 6 21599 ESTABLISHED src=9X.107.69.XXX dst=178.170.172.XXX sport=59365 dport=22 pkts=293 bytes=22496 src=178.170.172.XXX dst=91.107.69.173 sport=22 dport=59365 pkts=206 bytes=83569 [ASSURED] mark=0 rid=133427 use=1
  • show flowtable topN 10 - displays the required number of lines, in this example 10
  • show flowtable topN 10 sort-by-pkts - sorts the connections by number of packets, from smallest to largest
  • show flowtable topN 10 sort-by-bytes - sorts the connections by number of bytes transferred, from smallest to largest
  • show flowtable rule-id ID topN 10 - shows the connections matched by the rule with the given ID
  • show flowtable flowspec SPEC - a more flexible selection of connections, where SPEC sets the required filter conditions, for example proto=tcp:srcip=9X.107.69.XXX:sport=59365 selects TCP connections with source IP 9X.107.69.XXX and source port 59365
    Example: > show flowtable flowspec proto=tcp:srcip=90.107.69.171:sport=59365
    1: tcp 6 21599 ESTABLISHED src=9X.107.69.XX dst=178.170.172.xxx sport=59365 dport=22 pkts=1659 bytes=135488 src=178.170.172.xxx dst=xx.107.69.xxx sport=22 dport=59365 pkts=1193 bytes=210361 [ASSURED] mark=0 rid=133427 use=1
    Total flows: 1
  • show packet drops - shows statistics on packet drops
  • show firewall flows - shows the firewall packet counters and packet flows.

We can also use basic network diagnostic tools directly on the EDGE router:

  • ping ip WORD
  • ping ip WORD size SIZE count COUNT nofrag - ping with the size of the data sent and the number of probes specified, and with fragmentation of packets of the set size prohibited.
  • traceroute ip WORD

Sequence for diagnosing Firewall operation on the Edge

  1. Run show firewall and check the configured custom filtering rules in the usr_rules table
  2. Check the POSTROUTING chain and watch the number of dropped packets in the DROP field. If there is an asymmetric routing problem, we will see the values grow.
    Let's make additional checks:

    • Ping works in one direction and not in the other
    • Ping works, but TCP sessions are not established.
  3. Check the output of IP address information - show ipset
  4. Enable logging on the firewall rule in the Edge services
  5. Check the events in the log - show log follow
  6. Check the connections for the required rule_id - show flowtable rule-id ID
  7. Using show flowstats, compare the current number of established Inbound and Outbound connections with the maximum allowed (Total flow capacity) for the current configuration. The existing configuration and limits can be viewed in VMware NSX Edge. If there is interest, I can cover this in the next article.
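The commands above can only be run on the Edge itself, but their output is easy to save and analyse offline. As an added example (not from the original article, Cloud4Y or VMware), the following Python script parses show flowtable output in the format quoted above and reproduces the topN, sort-by, flowspec and rule-id selections as functions, then adds the two checks from the procedure: flows with no reply packets (step 2) and the flow count against the Total flow capacity (step 7). The sample table and the capacity value of 200 are constructed; the field semantics follow conntrack, where the first src/dst tuple is the originating direction and the second is the reply.

```python
"""Offline analysis of NSX Edge 'show flowtable' output (added example)."""
import re

# Constructed sample modelled on the 'show flowtable' lines quoted in the
# article; masked addresses are replaced with RFC 5737 documentation addresses.
SAMPLE_FLOWTABLE = """\
1: tcp 6 21599 ESTABLISHED src=198.51.100.10 dst=203.0.113.5 sport=59365 dport=22 pkts=293 bytes=22496 src=203.0.113.5 dst=198.51.100.10 sport=22 dport=59365 pkts=206 bytes=83569 [ASSURED] mark=0 rid=133427 use=1
2: tcp 6 431999 ESTABLISHED src=198.51.100.20 dst=203.0.113.5 sport=44120 dport=443 pkts=1659 bytes=135488 src=203.0.113.5 dst=198.51.100.20 sport=443 dport=44120 pkts=1193 bytes=210361 [ASSURED] mark=0 rid=133430 use=1
3: tcp 6 118 SYN_SENT src=198.51.100.30 dst=203.0.113.7 sport=50211 dport=80 pkts=3 bytes=180 src=203.0.113.7 dst=198.51.100.30 sport=80 dport=50211 pkts=0 bytes=0 mark=0 rid=133430 use=1
4: udp 17 29 src=198.51.100.10 dst=203.0.113.53 sport=40000 dport=53 pkts=1 bytes=76 src=203.0.113.53 dst=198.51.100.10 sport=53 dport=40000 pkts=1 bytes=148 mark=0 rid=133427 use=1
Total flows: 4
"""

# Line shape: "<id>: <proto> <protonum> <timeout> [<STATE>] key=value ..."
FLOW_HEAD = re.compile(r"^(\d+):\s+(\w+)\s+(\d+)\s+(\d+)(?:\s+([A-Z_]+))?")
KEY_VALUE = re.compile(r"(\w+)=(\S+)")
TUPLE_KEYS = ("src", "dst", "sport", "dport", "pkts", "bytes")


def parse_flow(line):
    """Parse one flowtable line into a dict; return None for non-flow lines."""
    head = FLOW_HEAD.match(line)
    if not head:
        return None
    flow_id, proto, _protonum, timeout, state = head.groups()
    # The tuple keys appear twice: originating direction first, reply second.
    orig, reply, extra = {}, {}, {}
    for key, value in KEY_VALUE.findall(line):
        if key in TUPLE_KEYS:
            (orig if key not in orig else reply)[key] = value
        else:
            extra[key] = value
    reply_pkts = int(reply.get("pkts", 0))
    return {
        "id": int(flow_id),
        "proto": proto,
        "timeout": int(timeout),
        "state": state or "",           # UDP flows carry no state token
        "assured": "[ASSURED]" in line,
        "src": orig["src"], "dst": orig["dst"],
        "sport": int(orig["sport"]), "dport": int(orig["dport"]),
        "pkts": int(orig["pkts"]) + reply_pkts,
        "bytes": int(orig["bytes"]) + int(reply.get("bytes", 0)),
        "reply_pkts": reply_pkts,
        "rid": int(extra.get("rid", -1)),
    }


def parse_flowtable(text):
    """Parse full 'show flowtable' output and cross-check the 'Total flows' line."""
    flows, reported = [], None
    for line in text.splitlines():
        if line.startswith("Total flows:"):
            reported = int(line.split(":", 1)[1])
            continue
        flow = parse_flow(line)
        if flow:
            flows.append(flow)
    if reported is not None and reported != len(flows):
        raise ValueError(f"parsed {len(flows)} flows but Edge reported {reported}")
    return flows


def top_n(flows, n=10, key="bytes"):
    """Like 'show flowtable topN n sort-by-bytes|sort-by-pkts' (largest first here)."""
    return sorted(flows, key=lambda f: f[key], reverse=True)[:n]


def match_flowspec(flows, **spec):
    """Like 'show flowtable flowspec proto=tcp:srcip=...:sport=...'."""
    alias = {"srcip": "src", "dstip": "dst"}
    wanted = {alias.get(k, k): str(v) for k, v in spec.items()}
    return [f for f in flows if all(str(f[k]) == v for k, v in wanted.items())]


def by_rule(flows, rid):
    """Like 'show flowtable rule-id RID': flows matched by one firewall/NAT rule."""
    return [f for f in flows if f["rid"] == rid]


def unreplied(flows):
    """Flows with packets in one direction only. Many of these towards the same
    destination is how asymmetric routing or a dropped return path shows up in
    the flowtable (step 2 of the procedure)."""
    return [f for f in flows if f["reply_pkts"] == 0]


def capacity_check(flows, capacity):
    """Step 7: established flows against the configured Total flow capacity."""
    used = len(flows)
    return {"used": used, "capacity": capacity, "percent": round(100.0 * used / capacity, 1)}


if __name__ == "__main__":
    table = parse_flowtable(SAMPLE_FLOWTABLE)
    print("top by bytes:", [(f["id"], f["bytes"]) for f in top_n(table, 3)])
    print("ssh from .10:", [f["id"] for f in match_flowspec(table, proto="tcp", srcip="198.51.100.10", sport=59365)])
    print("rule 133430: ", [f["id"] for f in by_rule(table, 133430)])
    print("unreplied:   ", [(f["id"], f["state"], f["dst"]) for f in unreplied(table)])
    print("capacity:    ", capacity_check(table, capacity=200))  # 200 is a placeholder, not a real limit
```

Save the Edge output with your SSH client's logging, run the script against it twice a few minutes apart, and compare the unreplied list and the capacity figure between runs; a growing unreplied set for one destination points at the return path, while a used count approaching the capacity explains new connections failing even though the rules look right.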



Source: www.habr.com
