
Chapter 41. Firewall

Abstract

Linux firewall installation and configuration

Table of Contents

41.1. TCP/IP-related kernel configuration parameters
41.1.1. net.ipv4.ip_forward
41.1.2. net.ipv4.icmp_echo_ignore_all
41.2. iptables - administration tools for packet filtering and NAT
41.2.1. Getting Started
41.2.1.1. CentOS/Redhat TUI tool
41.2.2. User-defined rule chains
41.2.2.1. Chains List
41.2.2.2. Chains Refresh
41.2.2.3. Chains Admin
41.2.2.4. Reset
41.2.3. Protocols
41.2.4. Interfaces (network adapters)
41.2.5. Source IP address
41.2.6. Ports
41.2.6.1. range
41.2.6.2. multiport
41.2.7. NAT
41.2.7.1. Redirect
41.2.7.2. Postrouting and IP Masquerading
41.2.7.3. Prerouting
41.2.7.4. DNAT and SNAT
41.2.7.5. DMZ zone
41.2.8. Modules
41.2.8.1. IPTables and Connection Tracking
41.2.8.2. string
41.2.8.3. connlimit
41.2.8.4. recent
41.2.8.5. limit
41.2.8.6. nth
41.2.8.6.1. DNAT
41.2.8.6.2. SNAT
41.2.8.7. random module
41.2.9. IPV6
41.2.10. iptables-xml - Convert iptables-save format to XML
41.2.11. access.log IP blocking script
41.2.12. Example
41.2.12.1. INPUT Rule Chains
41.2.12.1.1. OpenSSH
41.2.12.1.2. FTP
41.2.12.1.3. DNS
41.2.12.1.4. WWW
41.2.12.1.5. SOCKS5
41.2.12.1.6. Mail Server
41.2.12.1.7. MySQL
41.2.12.1.8. PostgreSQL
41.2.12.1.9. DHCP
41.2.12.1.10. Samba
41.2.12.1.11. ICMP
41.2.12.1.12. Block an IP from accessing this host
41.2.12.1.13. DENY
41.2.12.2. OUTPUT Rule Chains
41.2.12.2.1. outbound
41.2.12.2.2. ICMP
41.2.12.2.3. NFS
41.2.12.2.4. SSH
41.2.12.2.5. Block this host from accessing a given IP
41.2.12.3. Forward
41.2.12.3.1. TCPMSS
41.2.12.4. Malicious Software and Spoofed IP Addresses
41.2.12.5. /etc/sysconfig/iptables, the operating system's default configuration
41.3. ulogd - The Netfilter Userspace Logging Daemon
41.4. ufw - program for managing a netfilter firewall
41.4.1. /etc/default/ufw
41.4.2. ip_forward
41.4.3. DHCP
41.4.4. Samba
41.5. Firewalld
41.5.1. firewalld
41.5.1.1. firewall-cmd
41.5.2. If you are not used to firewalld and want to go back to iptables
41.6. Shorewall
41.6.1. Installation Instructions
41.6.1.1. Install using RPM
41.6.1.2. Install using apt-get
41.6.2. Configuring Shorewall
41.6.2.1. zones
41.6.2.2. policy
41.6.2.3. interfaces
41.6.2.4. masq
41.6.2.5. rules
41.6.2.6. params
41.7. Firewall GUI Tools
41.8. Endian Firewall
41.9. Smooth Firewall
41.10. Sphirewall

41.1. TCP/IP-related kernel configuration parameters

Checking the status:

$ sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 0

or just read the value from the /proc filesystem:

$ cat /proc/sys/net/ipv4/ip_forward
0

Enable:

sysctl -w net.ipv4.ip_forward=1

or

# Red Hat
echo 1 > /proc/sys/net/ipv4/ip_forward
# Debian/Ubuntu
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward

Disable:

sysctl -w net.ipv4.ip_forward=0

or

echo 0 > /proc/sys/net/ipv4/ip_forward

These changes take effect immediately, without rebooting the system.

41.1.1. net.ipv4.ip_forward

Table 41.1. net.ipv4.ip_forward

user          route                                  wan
192.168.0.2   eth0:192.168.0.1  eth1:172.16.0.1      172.16.0.254

			
$ sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 0
			
			

try out ping host from 192.168.0.2 to 192.168.0.1 , 172.16.0.1 and 172.16.0.254

you can access 192.168.0.1 , 172.16.0.1, but 172.16.0.254 time out

sysctl -w net.ipv4.ip_forward=1

try again ping 172.16.0.254

41.1.2. net.ipv4.icmp_echo_ignore_all

If you want to stop other hosts from pinging your machine, add the following:

# Disable ping requests
net.ipv4.icmp_echo_ignore_all = 1
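Both sysctls in this section are changed live with sysctl -w or by writing to /proc, and neither change survives a reboot unless it is also persisted in /etc/sysctl.conf or /etc/sysctl.d. The script below is an added example, not code from this chapter: it parses sysctl.conf-style files (comments, whitespace, dotted or slashed key names, later entries win) and reports drift between the persisted and live values of net.ipv4.ip_forward and net.ipv4.icmp_echo_ignore_all. The PROC_ROOT variable and the fixture at the end are assumptions so that it can run against a constructed fake /proc.

```shell
# Added example, not from the original chapter: flag drift between the live
# kernel sysctl values and what sysctl.conf-style files persist, so that a
# runtime-only `sysctl -w` (or another tool flipping ip_forward) is noticed.
# PROC_ROOT is an assumed knob that lets the check run against a fake /proc.
: "${PROC_ROOT:=/}"

# Effective persisted value of key $1 across the conf files that follow:
# later files and later lines win, '#' comments and blank lines are skipped,
# and both "net.ipv4.x" and "net/ipv4/x" key spellings are accepted.
persisted_value() {
    key=$1; shift; value=""
    for f in "$@"; do
        [ -r "$f" ] || continue
        while IFS= read -r line || [ -n "$line" ]; do
            line=${line%%#*}
            case $line in *=*) ;; *) continue ;; esac
            k=$(printf '%s' "${line%%=*}" | tr -d '[:space:]' | tr / .)
            if [ "$k" = "$key" ]; then
                value=$(printf '%s' "${line#*=}" | tr -d '[:space:]')
            fi
        done < "$f"
    done
    printf '%s\n' "$value"
}
# Live kernel value of key $1, read from /proc/sys as the chapter does.
runtime_value() {
    cat "${PROC_ROOT%/}/proc/sys/$(printf '%s' "$1" | tr . /)" 2>/dev/null || echo '?'
}
# Returns 0 when live and persisted values agree, 1 on drift or when the key
# is not persisted at all (a reboot would then silently change it).
check_drift() {
    want=$(persisted_value "$@")
    have=$(runtime_value "$1")
    if [ -n "$want" ] && [ "$want" = "$have" ]; then
        echo "ok    $1 = $have"; return 0
    fi
    echo "DRIFT $1 live=$have persisted=${want:-<unset>}"; return 1
}
# Constructed fixture standing in for /proc, /etc/sysctl.conf and
# /etc/sysctl.d: forwarding was enabled live but 0 is persisted, and the
# ping block is persisted but not applied.
FIX=$(mktemp -d)
mkdir -p "$FIX/proc/sys/net/ipv4"
echo 1 > "$FIX/proc/sys/net/ipv4/ip_forward"
echo 0 > "$FIX/proc/sys/net/ipv4/icmp_echo_ignore_all"
printf 'net.ipv4.ip_forward = 0\n# Disable ping requests\nnet.ipv4.icmp_echo_ignore_all = 1\n' > "$FIX/sysctl.conf"
printf 'net/ipv4/ip_forward=0 # router role off\n' > "$FIX/99-local.conf"
PROC_ROOT=$FIX
for k in net.ipv4.ip_forward net.ipv4.icmp_echo_ignore_all; do
    check_drift "$k" "$FIX/sysctl.conf" "$FIX/99-local.conf" || :
done
```

On a real host, drop the fixture lines and call check_drift with PROC_ROOT unset and the actual /etc/sysctl.conf and /etc/sysctl.d/*.conf paths in the order they are applied.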