
Chapter 38. Firewall

Abstract

Linux firewall installation and configuration

Table of Contents

38.1. TCP/IP-related kernel configuration parameters
38.1.1. net.ipv4.ip_forward
38.1.2. net.ipv4.icmp_echo_ignore_all
38.2. iptables - administration tools for packet filtering and NAT
38.2.1. Getting Started
38.2.1.1. CentOS/Redhat TUI tools
38.2.2. User-defined rule chains
38.2.2.1. Chains List
38.2.2.2. Chains Refresh
38.2.2.3. Chains Admin
38.2.2.4. Reset
38.2.3. Protocols
38.2.4. Interfaces (network adapter interfaces)
38.2.5. Source IP address
38.2.6. Ports
38.2.7. NAT
38.2.7.1. Redirect
38.2.7.2. Postrouting and IP Masquerading
38.2.7.3. Prerouting
38.2.7.4. DNAT and SNAT
38.2.7.5. DMZ zone
38.2.8. Modules
38.2.8.1. IPTables and Connection Tracking
38.2.8.2. string
38.2.8.3. connlimit
38.2.8.4. recent
38.2.8.5. limit
38.2.8.6. nth
38.2.9. IPV6
38.2.10. iptables-xml - Convert iptables-save format to XML
38.2.11. access.log IP blocking script
38.2.12. Example
38.2.12.1. INPUT Rule Chains
38.2.12.2. OUTPUT Rule Chains
38.2.12.3. Forward
38.2.12.4. Malicious Software and Spoofed IP Addresses
38.2.12.5. /etc/sysconfig/iptables (operating system default configuration)
38.3. ulogd - The Netfilter Userspace Logging Daemon
38.4. ufw - program for managing a netfilter firewall
38.4.1. /etc/default/ufw
38.4.2. ip_forward
38.4.3. DHCP
38.4.4. Samba
38.5. Shorewall
38.5.1. Installation Instructions
38.5.1.1. Install using RPM
38.5.1.2. Install using apt-get
38.5.2. Configuring Shorewall
38.5.2.1. zones
38.5.2.2. policy
38.5.2.3. interfaces
38.5.2.4. masq
38.5.2.5. rules
38.5.2.6. params
38.6. Firewall GUI Tools
38.7. Endian Firewall
38.8. Smooth Firewall
38.9. Sphirewall

38.1. TCP/IP-related kernel configuration parameters

Checking the status:

$ sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 0

or just read the value from the /proc filesystem:

$ cat /proc/sys/net/ipv4/ip_forward
0

Enable:

sysctl -w net.ipv4.ip_forward=1

or

#redhat
echo 1 > /proc/sys/net/ipv4/ip_forward
#debian/ubuntu
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward

Disable:

sysctl -w net.ipv4.ip_forward=0

or

echo 0 > /proc/sys/net/ipv4/ip_forward

All of these take effect immediately, without rebooting the system.

38.1.1. net.ipv4.ip_forward

Table 38.1. net.ipv4.ip_forward

user          route                               wan
192.168.0.2   eth0:192.168.0.1  eth1:172.16.0.1   172.16.0.254

$ sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 0

From 192.168.0.2, ping 192.168.0.1, 172.16.0.1 and 172.16.0.254.

192.168.0.1 and 172.16.0.1 respond, but 172.16.0.254 times out, because the router does not forward packets between eth0 and eth1 while ip_forward is 0.

sysctl -w net.ipv4.ip_forward=1

Then ping 172.16.0.254 again.

38.1.2. net.ipv4.icmp_echo_ignore_all

To stop other hosts from pinging your host, add the following line:

# Disable ping requests
net.ipv4.icmp_echo_ignore_all = 1
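The sysctl -w and /proc writes above change only the running kernel; after a reboot the kernel comes up with whatever the persisted configuration (/etc/sysctl.conf or sysctl.d) holds, so the two can silently disagree. The following script is an added example, not part of this chapter, that checks both keys discussed here for such drift; the RUNNING and PERSISTED samples are constructed text in sysctl's "key = value" format so the check runs offline (on a real host you would feed it the output of sysctl and the contents of /etc/sysctl.conf).

```shell
#!/bin/sh
# Added example: detect drift between the running sysctl value and the
# value that will be applied at the next boot, for the keys this chapter covers.

# Constructed sample of `sysctl` output (running kernel values).
RUNNING='net.ipv4.ip_forward = 1
net.ipv4.icmp_echo_ignore_all = 1'

# Constructed sample of /etc/sysctl.conf (persisted values).
PERSISTED='# Disable ping requests
net.ipv4.icmp_echo_ignore_all = 1
net.ipv4.ip_forward = 0'

# lookup_key TEXT KEY: print the numeric value of KEY in TEXT.
# Prints nothing when the key is absent; the last definition wins,
# which matches how sysctl applies a configuration file.
lookup_key() {
    printf '%s\n' "$1" \
      | sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([0-9]*\).*/\1/p" \
      | tail -n 1
}

# sysctl_drift KEY: report running vs persisted value of KEY.
# Returns 0 when they agree, 1 when a reboot would change the setting.
sysctl_drift() {
    key=$1
    running=$(lookup_key "$RUNNING" "$key")
    persisted=$(lookup_key "$PERSISTED" "$key")
    [ -n "$running" ] || running=unset
    [ -n "$persisted" ] || persisted=unset
    if [ "$running" = "$persisted" ]; then
        printf '%s running=%s persisted=%s OK\n' "$key" "$running" "$persisted"
        return 0
    fi
    printf '%s running=%s persisted=%s DRIFT (reboot would apply %s)\n' \
        "$key" "$running" "$persisted" "$persisted"
    return 1
}

# Stand-alone run: report both keys; with the samples above ip_forward drifts.
for k in net.ipv4.ip_forward net.ipv4.icmp_echo_ignore_all; do
    sysctl_drift "$k" || true
done
```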