Troubleshooting Linux Firewalls, Shinn
man iptables
man ip6tables
設定時先關 ip_forwarding,防任何封包流通
echo 0 > /proc/sys/net/ipv4/ip_forward如果防火牆使用 bootp 或 dhcp 得到 IP 地址
echo 1 > /proc/sys/net/ipv4/ip_dynaddr
echo 2 > /proc/sys/net/ipv4/ip_dynaddr #更精密如果防火牆使用 static IP 地址
echo 0 > /proc/sys/net/ipv4/ip_dynaddr
禁止 source routing
if [ -e /proc/sys/net/ipv4/conf/all/accept_source_route ]; then
for f in /proc/sys/net/ipv4/conf/*/accept_source_route
do
echo 0 > $f
done
fi
停止回應 ICMP redirect 要求
# Do not respond to 'redirected' ICMP packets from gateways
if [ -e /proc/sys/net/ipv4/secure_redirects ]; then
echo 1 > /proc/sys/net/ipv4/secure_redirects
fi
停止發送 ICMP redirect 要求
# Do not reply to 'redirected' packets if requested
if [ -e /proc/sys/net/ipv4/send_redirects ]; then
echo 0 > /proc/sys/net/ipv4/send_redirects
fi
停止接收 ICMP redirect
# Even more ICMP redirect suppression
# do not accept redirects
if [ -e /proc/sys/net/ipv4/accept_redirects ]; then
echo 0 > /proc/sys/net/ipv4/accept_redirects
fi
停止回應 proxy ARP 要求
# Do not respond to a proxy arp request.
#do not reply to 'proxyarp' packets
if [ -e /proc/sys/net/ipv4/proxy_arp ]; then
echo 0 > /proc/sys/net/ipv4/proxy_arp
fi
防 IP spoofing
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
for f in /proc/sys/net/ipv4/conf/*/rp_filter
do
echo 1 > $f
done
fi
防火星 IP 地址
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
停 ICMP echo messages 廣播
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts停 ICMP echo request 回應
echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all
停路由器假廣播記碌
echo 0 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses設定 FIN-WAIT-2 時間,四十五秒作者建意
echo 45 > /proc/sys/net/ipv4/tcp_fin_timeout設定 UDP connection timout 時間
echo 60 > /proc/sys/net/ipv4/netfilter/ip_conntrack_udp_timeout
起動 TCP syn cookies
echo 1 > /proc/sys/net/ipv4/tcp_syncookies停 IP ECN,Explicit Congestion Notification
echo 0 > /proc/sys/net/ipv4/tcp_ecn
扫一扫
2192
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
