
Chapter 40. Firewall

Abstract

Installing and configuring a Linux firewall

Table of Contents

40.1. TCP/IP-related kernel parameters
40.1.1. net.ipv4.ip_forward
40.1.2. net.ipv4.icmp_echo_ignore_all
40.2. iptables - administration tools for packet filtering and NAT
40.2.1. Getting Started
40.2.1.1. CentOS/Redhat TUI tool
40.2.2. User-defined rule chains
40.2.2.1. Chains List
40.2.2.2. Chains Refresh
40.2.2.3. Chains Admin
40.2.2.4. Reset
40.2.3. Protocols
40.2.4. Interfaces (network adapters)
40.2.5. Source IP address
40.2.6. Ports
40.2.6.1. range
40.2.6.2. multiport
40.2.7. NAT
40.2.7.1. Redirect
40.2.7.2. Postrouting and IP Masquerading
40.2.7.3. Prerouting
40.2.7.4. DNAT and SNAT
40.2.7.5. DMZ zone
40.2.8. Modules
40.2.8.1. IPTables and Connection Tracking
40.2.8.2. string
40.2.8.3. connlimit
40.2.8.4. recent
40.2.8.5. limit
40.2.8.6. nth
40.2.9. IPV6
40.2.10. iptables-xml - Convert iptables-save format to XML
40.2.11. access.log IP blocking script
40.2.12. Example
40.2.12.1. INPUT Rule Chains
40.2.12.2. OUTPUT Rule Chains
40.2.12.3. Forward
40.2.12.4. Malicious Software and Spoofed IP Addresses
40.2.12.5. /etc/sysconfig/iptables - the operating system's default configuration
40.3. ulogd - The Netfilter Userspace Logging Daemon
40.4. ufw - program for managing a netfilter firewall
40.4.1. /etc/default/ufw
40.4.2. ip_forward
40.4.3. DHCP
40.4.4. Samba
40.5. Firewalld
40.5.1. firewalld
40.5.1.1. firewall-cmd
40.5.2. If you are not used to firewalld and want to go back to iptables
40.6. Shorewall
40.6.1. Installation Instructions
40.6.1.1. Install using RPM
40.6.1.2. Install using apt-get
40.6.2. Configuring Shorewall
40.6.2.1. zones
40.6.2.2. policy
40.6.2.3. interfaces
40.6.2.4. masq
40.6.2.5. rules
40.6.2.6. params
40.7. Firewall GUI Tools
40.8. Endian Firewall
40.9. Smooth Firewall
40.10. Sphirewall

40.1. TCP/IP-related kernel parameters

Check the current status:

$ sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 0

or just read the value from the /proc filesystem:

$ cat /proc/sys/net/ipv4/ip_forward
0

Enable forwarding:

sysctl -w net.ipv4.ip_forward=1

or

#redhat
echo 1 > /proc/sys/net/ipv4/ip_forward
#debian/ubuntu
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward

Disable forwarding:

sysctl -w net.ipv4.ip_forward=0

or

echo 0 > /proc/sys/net/ipv4/ip_forward

Each of these changes takes effect immediately, without rebooting the system.

40.1.1. net.ipv4.ip_forward

Table 40.1. net.ipv4.ip_forward

user         | route (forwarding host)               | wan
-------------|---------------------------------------|--------------
192.168.0.2  | eth0:192.168.0.1  eth1:172.16.0.1     | 172.16.0.254

$ sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 0

With forwarding still disabled, try to ping 192.168.0.1, 172.16.0.1 and 172.16.0.254 from 192.168.0.2.

192.168.0.1 and 172.16.0.1 both answer (they are addresses of the router itself), but pings to 172.16.0.254 time out, because the router refuses to forward packets between eth0 and eth1.

Now enable forwarding on the router:

sysctl -w net.ipv4.ip_forward=1

Ping 172.16.0.254 again: it is now reachable.

40.1.2. net.ipv4.icmp_echo_ignore_all

If you want to stop other hosts from pinging your machine, add the following line to your sysctl configuration:

# Disable ping requests
net.ipv4.icmp_echo_ignore_all = 1
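The sysctl -w and /proc writes shown in this section do not survive a reboot; the persistent place for both keys is a sysctl.conf-style file. The following script is an added example, not part of the original text: it resolves the effective value of net.ipv4.ip_forward and net.ipv4.icmp_echo_ignore_all from such a file (honouring the slash spelling, the "-" prefix and last-line-wins) against a constructed sample, so a configuration can be audited without touching the live kernel.

```shell
#!/bin/sh
# Added example (not from the original page): audit a sysctl.conf-style file
# for the two keys this section discusses, without touching the live kernel.
# sysctl.conf facts relied on: "net.ipv4.ip_forward" and "net/ipv4/ip_forward"
# name the same key, a leading "-" means "ignore errors", lines starting with
# "#" or ";" are comments, and when a key appears twice the last line wins.

# effective_sysctl KEY FILE: print the value the last matching line assigns
# to KEY (either spelling); print nothing and return 1 when KEY is absent.
effective_sysctl() {
    key=$(printf '%s' "$1" | tr '/' '.')
    val=$(grep -v '^[[:space:]]*[#;]' "$2" | grep '=' \
        | sed -e 's/^[[:space:]]*-\{0,1\}//' \
              -e 's/[[:space:]]*=[[:space:]]*/=/' \
              -e 's/[[:space:]]*$//' \
        | tr '/' '.' \
        | awk -F= -v k="$key" '$1 == k { v = $2 } END { if (v != "") print v }')
    [ -n "$val" ] && printf '%s\n' "$val"
}

# forwarding_posture FILE: "router" when ip_forward resolves to 1, else "host".
# The kernel default is 0, so an absent key also means "host".
forwarding_posture() {
    v=$(effective_sysctl net.ipv4.ip_forward "$1" || echo 0)
    [ "$v" = "1" ] && echo router || echo host
}

# ping_visibility FILE: "hidden" when icmp_echo_ignore_all resolves to 1.
ping_visibility() {
    v=$(effective_sysctl net.ipv4.icmp_echo_ignore_all "$1" || echo 0)
    [ "$v" = "1" ] && echo hidden || echo visible
}

# Constructed sample: the second ip_forward line (slash form, "-" prefix)
# overrides the first, so this file turns the host into a router.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
; constructed sysctl.conf for the example
net.ipv4.ip_forward = 0
-net/ipv4/ip_forward = 1
net.ipv4.icmp_echo_ignore_all=1
EOF
EMPTY=$(mktemp)   # constructed: no keys at all, so kernel defaults apply

echo "sample: $(forwarding_posture "$SAMPLE"), ping $(ping_visibility "$SAMPLE")"
echo "empty:  $(forwarding_posture "$EMPTY"), ping $(ping_visibility "$EMPTY")"
```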