
Chapter 45. Firewall

Abstract

Linux firewall installation and configuration

Table of Contents

1. sysctl - configure kernel parameters at runtime
1.1. net.ipv4.ip_forward
1.2. net.ipv4.icmp_echo_ignore_all
2. iptables - administration tools for packet filtering and NAT
2.1. Getting Started
2.1.1. CentOS/Redhat TUI tools
2.1.2. Protocols
2.1.3. Interfaces
2.1.4. IP Addresses
2.1.5. Ports
2.1.6. IPTables and Connection Tracking
2.2. User-defined Chain
2.2.1. Chains List
2.2.2. Chains Refresh
2.2.3. Chains Admin
2.3. Common Chains Filtering
2.3.1. INPUT Rule Chains
2.3.1.1. OpenSSH
2.3.1.2. FTP
2.3.1.3. DNS
2.3.1.4. WWW
2.3.1.5. SOCKS5
2.3.1.6. Mail Server
2.3.1.7. MySQL
2.3.1.8. PostgreSQL
2.3.1.9. DHCP
2.3.1.10. Samba
2.3.1.11. ICMP
2.3.1.12. Block an IP from accessing this host
2.3.1.13. DENY
2.3.2. OUTPUT Rule Chains
2.3.2.1. outbound
2.3.2.2. ICMP
2.3.2.3. NFS
2.3.2.4. SSH
2.3.2.5. Block this host from accessing an IP
2.3.3. Forward
2.3.3.1. TCPMSS
2.3.4. Malicious Software and Spoofed IP Addresses
2.4. NAT
2.4.1. Redirect
2.4.2. Postrouting and IP Masquerading
2.4.3. Prerouting
2.4.4. DNAT and SNAT
2.4.5. DMZ zone
2.5. Modules
2.5.1. string
2.5.2. connlimit
2.5.3. limit
2.6. IPV6
2.7. iptables-xml - Convert iptables-save format to XML
2.8. Example
2.9. access.log IP blocking script
3. ulogd - The Netfilter Userspace Logging Daemon
4. ufw - program for managing a netfilter firewall
4.1. /etc/default/ufw
4.2. ip_forward
4.3. DHCP
4.4. Samba
5. Shorewall
5.1. Installation Instructions
5.1.1. Install using RPM
5.1.2. Install using apt-get
5.2. Configuring Shorewall
5.2.1. zones
5.2.2. policy
5.2.3. interfaces
5.2.4. masq
5.2.5. rules
5.2.6. params
6. Firewall GUI Tools
7. Endian Firewall
8. Smooth Firewall

1. sysctl - configure kernel parameters at runtime

Checking the current status:

$ sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 0

or just read the value from the /proc filesystem:

$ cat /proc/sys/net/ipv4/ip_forward
0

Enable forwarding:

sysctl -w net.ipv4.ip_forward=1

or

# Red Hat
echo 1 > /proc/sys/net/ipv4/ip_forward
# Debian/Ubuntu
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward

Disable forwarding:

sysctl -w net.ipv4.ip_forward=0

or

echo 0 > /proc/sys/net/ipv4/ip_forward

Either way the change takes effect immediately, without rebooting the system; it is lost at the next reboot unless the setting is also written to /etc/sysctl.conf.

1.1. net.ipv4.ip_forward

Table 45.1. net.ipv4.ip_forward

user           route                                 wan
192.168.0.2    eth0:192.168.0.1  eth1:172.16.0.1     172.16.0.254

$ sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 0

Try pinging 192.168.0.1, 172.16.0.1 and 172.16.0.254 from 192.168.0.2.

192.168.0.1 and 172.16.0.1 answer, but 172.16.0.254 times out: the router holds both networks but is not forwarding packets between eth0 and eth1.

sysctl -w net.ipv4.ip_forward=1

Try pinging 172.16.0.254 again.

1.2. net.ipv4.icmp_echo_ignore_all

To stop other hosts from pinging this machine, add the following line to your sysctl configuration:

# Disable ping requests
net.ipv4.icmp_echo_ignore_all = 1
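As an added example (not part of the original page), a small POSIX shell audit that reads a sysctl dump in the "key = value" form used above and checks both settings from this section against a baseline; the baseline, the function names and the sample dumps are assumptions constructed here, not taken from any real host.

```shell
#!/bin/sh
# Added example, not from the original page: audit the two sysctls this
# section covers against a hardening baseline. Input is a "key = value"
# dump (the format of `sysctl -a`, /etc/sysctl.conf and /etc/sysctl.d/*.conf)
# read from a file, so it runs offline and without root. On a real host:
#   sysctl -a 2>/dev/null > dump.txt && audit_sysctl dump.txt

# Baseline (assumed): a host that is not a gateway must not forward packets,
# and the page's "disable ping" setting should be on.
BASELINE="net.ipv4.ip_forward=0 net.ipv4.icmp_echo_ignore_all=1"

# get_sysctl FILE KEY: print the effective value of KEY. Comments and blank
# lines are skipped; if a key is assigned twice the last assignment wins,
# which is how sysctl applies a config file. Prints nothing if KEY is absent.
get_sysctl() {
    awk -v key="$2" -F'=' '
        /^[[:space:]]*$/ || /^[[:space:]]*[#;]/ { next }
        { gsub(/[[:space:]]/, "", $1); gsub(/[[:space:]]/, "", $2) }
        $1 == key { val = $2; found = 1 }
        END { if (found) print val }' "$1"
}

# audit_sysctl FILE: print one line per baseline entry; the exit status is
# the number of deviations (0 = compliant).
audit_sysctl() {
    fails=0
    for entry in $BASELINE; do
        key=${entry%%=*}; want=${entry#*=}
        have=$(get_sysctl "$1" "$key")
        if [ "$have" = "$want" ]; then
            printf 'OK   %s = %s\n' "$key" "$have"
        else
            printf 'FAIL %s = %s (expected %s)\n' "$key" "${have:-<unset>}" "$want"
            fails=$((fails + 1))
        fi
    done
    return "$fails"
}

# Constructed sample dumps (not captured from any real system).
SAMPLE_GATEWAY=$(mktemp)    # a router: forwarding on, echo requests answered
printf '%s\n' 'net.ipv4.ip_forward = 1' 'net.ipv4.icmp_echo_ignore_all = 0' > "$SAMPLE_GATEWAY"
SAMPLE_HARDENED=$(mktemp)   # a server: a later line overrides the earlier ip_forward = 1
printf '%s\n' '# local overrides' 'net.ipv4.ip_forward = 1' \
    'net.ipv4.icmp_echo_ignore_all = 1' 'net.ipv4.ip_forward = 0' > "$SAMPLE_HARDENED"

for f in "$SAMPLE_GATEWAY" "$SAMPLE_HARDENED"; do
    rc=0; audit_sysctl "$f" || rc=$?
    echo "$f: $rc deviation(s)"
done
```

On a gateway that is meant to route, drop net.ipv4.ip_forward from BASELINE and rely on the FORWARD chain policy instead of the sysctl.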