
Chapter 41. Firewall

Abstract

Linux firewall installation and configuration

Table of Contents

41.1. TCP/IP related kernel parameters
41.1.1. net.ipv4.ip_forward
41.1.2. net.ipv4.icmp_echo_ignore_all
41.2. iptables - administration tools for packet filtering and NAT
41.2.1. Getting Started
41.2.1.1. CentOS/Redhat TUI tool
41.2.2. User-defined rule chains
41.2.2.1. Chains List
41.2.2.2. Chains Refresh
41.2.2.3. Chains Admin
41.2.2.4. Reset
41.2.3. Protocols
41.2.4. Interfaces (network adapters)
41.2.5. Source IP address
41.2.6. Ports
41.2.6.1. range
41.2.6.2. multiport
41.2.7. NAT
41.2.7.1. Redirect
41.2.7.2. Postrouting and IP Masquerading
41.2.7.3. Prerouting
41.2.7.4. DNAT and SNAT
41.2.7.5. DMZ zone
41.2.8. Modules
41.2.8.1. IPTables and Connection Tracking
41.2.8.2. string
41.2.8.3. connlimit
41.2.8.4. recent
41.2.8.5. limit
41.2.8.6. nth
41.2.8.7. random module
41.2.9. IPV6
41.2.10. iptables-xml - Convert iptables-save format to XML
41.2.11. access.log IP blocking script
41.2.12. Example
41.2.12.1. INPUT Rule Chains
41.2.12.2. OUTPUT Rule Chains
41.2.12.3. Forward
41.2.12.4. Malicious Software and Spoofed IP Addresses
41.2.12.5. /etc/sysconfig/iptables operating-system default configuration
41.3. ulogd - The Netfilter Userspace Logging Daemon
41.4. ufw - program for managing a netfilter firewall
41.4.1. /etc/default/ufw
41.4.2. ip_forward
41.4.3. DHCP
41.4.4. Samba
41.5. Firewalld
41.5.1. firewalld
41.5.1.1. firewall-cmd
41.5.2. If you are not used to firewalld and want iptables back
41.6. Shorewall
41.6.1. Installation Instructions
41.6.1.1. Install using RPM
41.6.1.2. Install using apt-get
41.6.2. Configuring Shorewall
41.6.2.1. zones
41.6.2.2. policy
41.6.2.3. interfaces
41.6.2.4. masq
41.6.2.5. rules
41.6.2.6. params
41.7. Firewall GUI Tools
41.8. Endian Firewall
41.9. Smooth Firewall
41.10. Sphirewall

41.1. TCP/IP related kernel parameters

Checking the current state:

$ sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 0

or read the value straight from the /proc filesystem:

$ cat /proc/sys/net/ipv4/ip_forward
0

Enable (root privileges are required for every write below):

sysctl -w net.ipv4.ip_forward=1

or write to /proc directly. As root:

echo 1 > /proc/sys/net/ipv4/ip_forward

On systems where you work through sudo (the Debian/Ubuntu default), pipe through tee. In "sudo echo 1 > file" the redirection is performed by your unprivileged shell, not by sudo, so it fails with "Permission denied":

echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward

Disable:

sysctl -w net.ipv4.ip_forward=0

or

echo 0 > /proc/sys/net/ipv4/ip_forward

Both forms take effect immediately, without rebooting the system, but neither is persistent: the kernel starts with ip_forward = 0 at the next boot. To keep the setting, put the line net.ipv4.ip_forward = 1 in /etc/sysctl.conf (or in a file under /etc/sysctl.d/) and load it with sysctl -p (or sysctl --system, which also reads the drop-in directories).

41.1.1. net.ipv4.ip_forward

Table 41.1. net.ipv4.ip_forward test topology

  user            router                                   wan
  192.168.0.2     eth0: 192.168.0.1    eth1: 172.16.0.1    172.16.0.254

The router has two interfaces. The user host 192.168.0.2 uses 192.168.0.1 as its default gateway, and the WAN host 172.16.0.254 must have a route back to 192.168.0.0/24 via 172.16.0.1 (or the router must NAT), otherwise replies never return regardless of ip_forward. On the router, forwarding is off:

$ sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 0

From 192.168.0.2, ping 192.168.0.1, 172.16.0.1 and 172.16.0.254.

192.168.0.1 and 172.16.0.1 answer, because both addresses belong to the router itself and are handled locally. 172.16.0.254 times out: the packet arrives on eth0, but with ip_forward = 0 the kernel discards anything that is not addressed to one of its own interfaces instead of passing it out through eth1.

On the router, enable forwarding:

sysctl -w net.ipv4.ip_forward=1

Ping 172.16.0.254 again; it now succeeds. From this point on the router forwards between all of its interfaces, so enabling ip_forward should go together with a FORWARD chain policy that only permits the traffic you actually intend to route (see the iptables Forward examples later in this chapter).

41.1.2. net.ipv4.icmp_echo_ignore_all

To stop other hosts from pinging this machine, add the following to the sysctl configuration (for example /etc/sysctl.conf) and reload it with sysctl -p:

# Disable ping requests
net.ipv4.icmp_echo_ignore_all = 1

This makes the kernel silently discard ICMP echo requests on every interface. It does not affect other ICMP types, and monitoring systems that rely on ping will report the host as down. To ignore echo requests only on one interface or only from certain sources, filter ICMP in the iptables INPUT chain instead (covered later in this chapter).
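Both 41.1.1 and 41.1.2 set a kernel parameter that can be changed at runtime and separately persisted, and the two views drift apart easily: a value written with sysctl -w disappears at reboot, and a value in /etc/sysctl.conf is not applied until sysctl -p runs. The following script is an added example (ours, not part of the original page) that audits any sysctl key for such drift. It assumes persistent settings live in /etc/sysctl.d/*.conf and /etc/sysctl.conf, read in that order with the last assignment winning (the order sysctl --system uses for those two locations; the /run and /usr/lib drop-in directories are ignored here). The function names sysctl_runtime, sysctl_persisted, sysctl_set_runtime, sysctl_persist and sysctl_audit are our own. Every function takes optional path overrides so it can be exercised against a scratch directory without root; on a real host call them with just the key.

```shell
#!/bin/sh
# Added example, not from the original page: audit a sysctl key such as
# net.ipv4.ip_forward or net.ipv4.icmp_echo_ignore_all for drift between
# the running kernel and the persistent configuration.
#
# Assumption (ours): persistent values come from /etc/sysctl.d/*.conf and
# then /etc/sysctl.conf, last assignment wins, as `sysctl --system` does
# for those two locations. Other drop-in directories are not considered.

# Runtime value of a key, read from /proc/sys (what sysctl(8) itself reads).
# Usage: sysctl_runtime net.ipv4.ip_forward [procsys_root]
sysctl_runtime() {
    cat "${2:-/proc/sys}/$(printf '%s' "$1" | tr . /)"
}

# Value the key would get from `sysctl --system`; "unset" if no file sets it.
# Usage: sysctl_persisted net.ipv4.ip_forward [etc_root]
sysctl_persisted() {
    key=$1
    etc=${2:-/etc}
    val=unset
    # escape the dots so they match literally in the sed pattern
    pat=$(printf '%s' "$key" | sed 's/\./\\./g')
    for f in "$etc"/sysctl.d/*.conf "$etc"/sysctl.conf; do
        [ -r "$f" ] || continue          # unmatched glob or missing file
        v=$(sed -n "s/^[[:space:]]*$pat[[:space:]]*=[[:space:]]*\([^[:space:]#;]*\).*/\1/p" "$f" | tail -n 1)
        if [ -n "$v" ]; then
            val=$v                       # a later file overrides an earlier one
        fi
    done
    printf '%s\n' "$val"
}

# Write the key into the running kernel (same as `echo N > /proc/sys/...`).
# Volatile: lost at reboot. Needs root on a real host.
# Usage: sysctl_set_runtime net.ipv4.ip_forward 1 [procsys_root]
sysctl_set_runtime() {
    printf '%s\n' "$2" > "${3:-/proc/sys}/$(printf '%s' "$1" | tr . /)"
}

# Persist the key in a drop-in file. Does not touch the running kernel;
# run `sysctl --system` afterwards. If /etc/sysctl.conf also sets the key,
# it is read last and wins; sysctl_audit will then report drift.
# Usage: sysctl_persist net.ipv4.ip_forward 1 [etc_root]
sysctl_persist() {
    mkdir -p "${3:-/etc}/sysctl.d"
    printf '%s = %s\n' "$1" "$2" \
        > "${3:-/etc}/sysctl.d/99-$(printf '%s' "$1" | tr . _).conf"
}

# Compare both views and print one token:
#   consistent:N   runtime and persistent configuration agree on N
#   unmanaged:N    nothing persists the key; a reboot restores the kernel
#                  default (0 for both keys discussed above)
#   drift:R/P      the kernel runs with R but boot would apply P
# Usage: sysctl_audit net.ipv4.ip_forward [procsys_root] [etc_root]
sysctl_audit() {
    rt=$(sysctl_runtime "$1" "$2")
    ps=$(sysctl_persisted "$1" "$3")
    if [ "$ps" = unset ]; then
        printf 'unmanaged:%s\n' "$rt"
    elif [ "$rt" = "$ps" ]; then
        printf 'consistent:%s\n' "$rt"
    else
        printf 'drift:%s/%s\n' "$rt" "$ps"
    fi
}

# Typical use on a router after following 41.1.1:
#   sysctl_audit net.ipv4.ip_forward
```

A router that passes traffic today but reports unmanaged:1 will silently stop forwarding after its next reboot; a hardened host that reports drift:0/1 for ip_forward will start routing after a reboot because somebody left the setting in /etc/sysctl.conf. The audit reads /proc and the configuration files only, so it is safe to run from a monitoring account without root.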