
Chapter 30. Firewall

Abstract

Linux firewall installation and configuration

Table of Contents

30.1. TCP/IP related kernel configuration parameters
30.1.1. net.ipv4.ip_forward
30.1.2. net.ipv4.icmp_echo_ignore_all
30.2. iptables - administration tools for packet filtering and NAT
30.2.1. Getting Started
30.2.2. User-defined rule chains
30.2.3. Protocols
30.2.4. Interfaces (network adapters)
30.2.5. Source IP address
30.2.6. Ports
30.2.7. NAT
30.2.8. Modules
30.2.9. IPV6
30.2.10. iptables-xml - Convert iptables-save format to XML
30.2.11. access.log IP blocking script
30.2.12. Example
30.3. ulogd - The Netfilter Userspace Logging Daemon
30.4. ufw - program for managing a netfilter firewall
30.4.1. /etc/default/ufw
30.4.2. ip_forward
30.4.3. DHCP
30.4.4. Samba
30.5. CentOS 7/8 Firewalld
30.5.1. If you are not used to firewalld and want to go back to iptables
30.5.2. Installing firewalld
30.5.3. firewalld configuration files
30.5.4. firewall-cmd
30.5.5. Zones
30.5.6. Port operations
30.5.7. Services
30.5.8. IP masquerading
30.5.9. Port forwarding
30.5.10. Rich rules
30.6. Shorewall
30.6.1. Installation Instructions
30.6.2. Configuring Shorewall
30.7. Firewall GUI Tools
30.8. Endian Firewall
30.9. Smooth Firewall
30.10. Sphirewall

30.1. TCP/IP related kernel configuration parameters

Check the current status:

$ sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 0

or just read the value from the /proc filesystem:

$ cat /proc/sys/net/ipv4/ip_forward
0

Enable:

sysctl -w net.ipv4.ip_forward=1

or

#redhat
echo 1 > /proc/sys/net/ipv4/ip_forward
#debian/ubuntu
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward

Disable:

sysctl -w net.ipv4.ip_forward=0

or

echo 0 > /proc/sys/net/ipv4/ip_forward

All of the above take effect immediately, without rebooting the system. They are not persistent: the value set with sysctl -w or by writing to /proc is lost at the next reboot unless it is also placed in /etc/sysctl.conf or a file under /etc/sysctl.d/.

30.1.1. net.ipv4.ip_forward

Table 30.1. net.ipv4.ip_forward

user            route                                 wan
192.168.0.2     eth0:192.168.0.1  eth1:172.16.0.1     172.16.0.254

On the route host, forwarding is off:

$ sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 0

Try pinging 192.168.0.1, 172.16.0.1 and 172.16.0.254 from 192.168.0.2.

192.168.0.1 and 172.16.0.1 answer, but 172.16.0.254 times out: both addresses of the route host are local to it, while reaching the wan host requires the kernel to forward packets from eth0 to eth1.

sysctl -w net.ipv4.ip_forward=1

Ping 172.16.0.254 again; with forwarding enabled it is now reachable.

30.1.2. net.ipv4.icmp_echo_ignore_all

If you want to stop other hosts from pinging your machine, add the following setting:

# Disable ping requests
net.ipv4.icmp_echo_ignore_all = 1
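The two settings in 30.1.1 and 30.1.2 are usually checked and changed by hand. The following script is an added example, not part of the original chapter: it audits a `sysctl -a` style dump against the role a machine is meant to play (the route host in table 30.1 must forward, an ordinary host must not), reports the ICMP echo setting, and writes a drop-in fragment so that a value survives a reboot. The "key = value" dump format, the role names and the fragment file name are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original chapter): audit net.ipv4.ip_forward and
# net.ipv4.icmp_echo_ignore_all against a machine's intended role, and persist
# a value in a sysctl.d-style fragment (sysctl -w and echo > /proc are lost on
# reboot). Assumed input: "key = value" lines as printed by `sysctl -a`.

# Print the value of one key from a sysctl-style dump; exit 1 if it is absent.
sysctl_value() {  # $1 = dump file, $2 = key
    awk -v k="$2" -F'[ =]+' '$1 == k { print $2; found = 1 } END { exit !found }' "$1"
}

# Compare the dump with the expected role: a "router" (the route host in
# table 30.1) must forward, a plain "host" must not. Exit 0 = compliant.
# A host that forwards unintentionally lets traffic transit between its
# interfaces, which is why the "host" role treats ip_forward=1 as a finding.
audit_forwarding() {  # $1 = dump file, $2 = router|host
    fwd=$(sysctl_value "$1" net.ipv4.ip_forward) || fwd=missing
    icmp=$(sysctl_value "$1" net.ipv4.icmp_echo_ignore_all) || icmp=missing
    rc=0
    case "$2:$fwd" in
        router:1|host:0) echo "ok: net.ipv4.ip_forward=$fwd matches role '$2'" ;;
        *) echo "finding: net.ipv4.ip_forward=$fwd does not match role '$2'"; rc=1 ;;
    esac
    case "$icmp" in
        0|1) echo "info: net.ipv4.icmp_echo_ignore_all=$icmp (1 = ping is not answered)" ;;
        *)   echo "finding: net.ipv4.icmp_echo_ignore_all not present in dump"; rc=1 ;;
    esac
    return "$rc"
}

# Write a drop-in fragment. On a real system point $1 at /etc/sysctl.d and run
# `sysctl --system` afterwards; the file name is this example's own choice.
persist_sysctl() {  # $1 = target directory, $2 = key, $3 = value
    printf '%s = %s\n' "$2" "$3" > "$1/60-firewall-forwarding.conf"
}

# usage: sh audit.sh <sysctl-dump> <router|host>
if [ "$#" -eq 2 ]; then
    audit_forwarding "$1" "$2"
fi
```

To audit a live machine, feed it `sysctl -a > dump.txt` and the role the box is supposed to have.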