
Chapter 40. Firewall

Abstract

Installing and configuring the Linux firewall

Table of Contents

40.1. TCP/IP-related kernel configuration parameters
40.1.1. net.ipv4.ip_forward
40.1.2. net.ipv4.icmp_echo_ignore_all
40.2. iptables - administration tools for packet filtering and NAT
40.2.1. Getting Started
40.2.1.1. CentOS/Redhat TUI tool
40.2.2. User-defined rule chains
40.2.2.1. Chains List
40.2.2.2. Chains Refresh
40.2.2.3. Chains Admin
40.2.2.4. Reset
40.2.3. Protocols
40.2.4. Interfaces (network adapters)
40.2.5. Source IP address
40.2.6. Ports
40.2.6.1. range
40.2.6.2. multiport
40.2.7. NAT
40.2.7.1. Redirect
40.2.7.2. Postrouting and IP Masquerading
40.2.7.3. Prerouting
40.2.7.4. DNAT and SNAT
40.2.7.5. DMZ zone
40.2.8. Modules
40.2.8.1. IPTables and Connection Tracking
40.2.8.2. string
40.2.8.3. connlimit
40.2.8.4. recent
40.2.8.5. limit
40.2.8.6. nth
40.2.8.7. random module
40.2.9. IPV6
40.2.10. iptables-xml - Convert iptables-save format to XML
40.2.11. access.log IP blocking script
40.2.12. Example
40.2.12.1. INPUT Rule Chains
40.2.12.2. OUTPUT Rule Chains
40.2.12.3. Forward
40.2.12.4. Malicious Software and Spoofed IP Addresses
40.2.12.5. /etc/sysconfig/iptables operating system default configuration
40.3. ulogd - The Netfilter Userspace Logging Daemon
40.4. ufw - program for managing a netfilter firewall
40.4.1. /etc/default/ufw
40.4.2. ip_forward
40.4.3. DHCP
40.4.4. Samba
40.5. Firewalld
40.5.1. firewalld
40.5.1.1. firewall-cmd
40.5.2. If you are not used to firewalld and want to go back to iptables
40.6. Shorewall
40.6.1. Installation Instructions
40.6.1.1. Install using RPM
40.6.1.2. Install using apt-get
40.6.2. Configuring Shorewall
40.6.2.1. zones
40.6.2.2. policy
40.6.2.3. interfaces
40.6.2.4. masq
40.6.2.5. rules
40.6.2.6. params
40.7. Firewall GUI Tools
40.8. Endian Firewall
40.9. Smooth Firewall
40.10. Sphirewall

40.1. TCP/IP-related kernel configuration parameters

Checking the status:

$ sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 0

or just read the value from the /proc filesystem:

$ cat /proc/sys/net/ipv4/ip_forward
0

Enable:

sysctl -w net.ipv4.ip_forward=1

or:

#redhat
echo 1 > /proc/sys/net/ipv4/ip_forward
#debian/ubuntu
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward

Disable:

sysctl -w net.ipv4.ip_forward=0

or:

echo 0 > /proc/sys/net/ipv4/ip_forward

All of these take effect immediately, without rebooting the system.

40.1.1. net.ipv4.ip_forward

Table 40.1. net.ipv4.ip_forward

user           route                                  wan
192.168.0.2    eth0:192.168.0.1  eth1:172.16.0.1      172.16.0.254

$ sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 0

Try pinging from 192.168.0.2 to 192.168.0.1, 172.16.0.1 and 172.16.0.254.

You can reach 192.168.0.1 and 172.16.0.1, but 172.16.0.254 times out.

sysctl -w net.ipv4.ip_forward=1

Try pinging 172.16.0.254 again.

40.1.2. net.ipv4.icmp_echo_ignore_all

If you want to stop others from pinging your host, add the following:

# Disable ping requests
net.ipv4.icmp_echo_ignore_all = 1
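The two parameters from section 40.1 (net.ipv4.ip_forward) and 40.1.2 (net.ipv4.icmp_echo_ignore_all) are easy to set by hand but just as easy to leave in the wrong state: a machine that is not the router in Table 40.1 should never forward, and a value written with sysctl -w or into /proc is lost at the next reboot. The script below is an added example, not code from the original chapter or from Netkiller: it reads a sysctl-style "key = value" dump, audits it against the role the machine is meant to play (the role names "router" and "host", and the policy of ignoring ICMP echo on plain hosts but not on the router, are assumptions made here), and prints the /etc/sysctl.d fragment that makes the wanted state persistent. The two dumps embedded in it are constructed sample data, not captured from a real host.

```shell
#!/bin/sh
# Added example, not part of the original chapter. Audits the sysctls from
# section 40.1 against a machine role and renders the persistent fragment.
# SAMPLE_FRESH and SAMPLE_ROUTER are constructed sample dumps in the format
# printed by "sysctl net.ipv4.ip_forward net.ipv4.icmp_echo_ignore_all".

SAMPLE_FRESH='net.ipv4.ip_forward = 0
net.ipv4.icmp_echo_ignore_all = 0
net.ipv4.conf.all.rp_filter = 1'

SAMPLE_ROUTER='net.ipv4.ip_forward = 1
net.ipv4.icmp_echo_ignore_all = 0'

# sysctl_get KEY DUMP: print the value of KEY from a "key = value" dump
# (empty output if the key is absent).
sysctl_get() {
    printf '%s\n' "$2" | awk -v k="$1" -F' *= *' '$1 == k { print $2; exit }'
}

# wanted ROLE KEY: the value each role should have (assumed policy).
#   router  forwards between eth0 and eth1 as in Table 40.1 -> ip_forward=1,
#           and keeps answering ping so it can be diagnosed.
#   host    is an end system: must not forward, and ignores ping (40.1.2).
wanted() {
    case "$1/$2" in
        router/net.ipv4.ip_forward)           echo 1 ;;
        host/net.ipv4.ip_forward)             echo 0 ;;
        router/net.ipv4.icmp_echo_ignore_all) echo 0 ;;
        host/net.ipv4.icmp_echo_ignore_all)   echo 1 ;;
        *) return 1 ;;
    esac
}

# audit ROLE DUMP: one OK/MISMATCH line per key; exit status 0 only if all
# keys already hold the wanted value, 1 on any mismatch, 2 on unknown role.
audit() {
    role=$1; dump=$2; rc=0
    for key in net.ipv4.ip_forward net.ipv4.icmp_echo_ignore_all; do
        want=$(wanted "$role" "$key") || { echo "unknown role: $role" >&2; return 2; }
        have=$(sysctl_get "$key" "$dump")
        if [ "$have" = "$want" ]; then
            echo "OK       $key = $have"
        else
            echo "MISMATCH $key = ${have:-<unset>} (want $want for $role)"
            rc=1
        fi
    done
    return $rc
}

# sysctl_fragment ROLE: contents for a file under /etc/sysctl.d/ so the
# setting survives a reboot (sysctl -w and writes to /proc do not).
sysctl_fragment() {
    for key in net.ipv4.ip_forward net.ipv4.icmp_echo_ignore_all; do
        printf '%s = %s\n' "$key" "$(wanted "$1" "$key")"
    done
}

# Stand-alone demo: audit the freshly installed sample as a router, show the fix.
if [ "${1:-}" = "--demo" ]; then
    audit router "$SAMPLE_FRESH"
    echo "--- fragment for /etc/sysctl.d/ (router):"
    sysctl_fragment router
fi
```

Run it with `sh audit-sysctl.sh --demo` to see the sample audit; on a real machine call `audit host "$(sysctl net.ipv4.ip_forward net.ipv4.icmp_echo_ignore_all)"` instead of passing a sample dump, and after writing the fragment apply it with `sysctl --system` (or `sysctl -p <file>`) so the running kernel and the persistent configuration agree.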