
Chapter 29. Firewall

Abstract

Linux firewall installation and configuration

Table of Contents

29.1. TCP/IP-related kernel parameters
29.1.1. net.ipv4.ip_forward
29.1.2. net.ipv4.icmp_echo_ignore_all
29.2. iptables - administration tools for packet filtering and NAT
29.2.1. Getting Started
29.2.2. User-defined rule chains
29.2.3. Protocols
29.2.4. Interfaces (network adapters)
29.2.5. Source IP address
29.2.6. Ports
29.2.7. NAT
29.2.8. Modules
29.2.9. IPV6
29.2.10. iptables-xml - Convert iptables-save format to XML
29.2.11. access.log IP blocking script
29.2.12. Example
29.3. ulogd - The Netfilter Userspace Logging Daemon
29.4. ufw - program for managing a netfilter firewall
29.4.1. /etc/default/ufw
29.4.2. ip_forward
29.4.3. DHCP
29.4.4. Samba
29.5. CentOS 7/8 Firewalld
29.5.1. If you are not used to firewalld and want to go back to iptables
29.5.2. Installing firewalld
29.5.3. firewalld configuration files
29.5.4. firewall-cmd
29.5.5. Zones
29.5.6. Port operations
29.5.7. Services
29.5.8. IP masquerading
29.5.9. Port forwarding
29.5.10. Rich rules
29.6. Shorewall
29.6.1. Installation Instructions
29.6.2. Configuring Shorewall
29.7. Firewall GUI Tools
29.8. Endian Firewall
29.9. Smooth Firewall
29.10. Sphirewall

29.1. TCP/IP-related kernel parameters

Checking the status:

$ sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 0

or just read the value from the /proc filesystem:

$ cat /proc/sys/net/ipv4/ip_forward
0

Enable forwarding:

sysctl -w net.ipv4.ip_forward=1

or

#redhat
echo 1 > /proc/sys/net/ipv4/ip_forward
#debian/ubuntu
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward

Disable forwarding:

sysctl -w net.ipv4.ip_forward=0

or

echo 0 > /proc/sys/net/ipv4/ip_forward

These changes take effect immediately, without rebooting the system.

29.1.1. net.ipv4.ip_forward

Table 29.1. net.ipv4.ip_forward

  user          route                               wan
  192.168.0.2   eth0:192.168.0.1 eth1:172.16.0.1    172.16.0.254

$ sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 0

Try pinging 192.168.0.1, 172.16.0.1 and 172.16.0.254 from 192.168.0.2.

192.168.0.1 and 172.16.0.1 reply, but 172.16.0.254 times out.

sysctl -w net.ipv4.ip_forward=1

Then ping 172.16.0.254 again.
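As an added example (not from the original chapter), a small POSIX shell helper that does the same as the sysctl -w and echo commands above for a knob such as net.ipv4.ip_forward or net.ipv4.icmp_echo_ignore_all: it maps the dotted key to its /proc/sys file, reports whether the knob is on, sets it at runtime, and prints the line to put in a /etc/sysctl.d/*.conf file so the setting survives a reboot, which sysctl -w alone does not. PROC_ROOT is an assumed override so the functions can be tried against a scratch directory; writing the real files needs root.

```shell
#!/bin/sh
# Added example, not part of the original chapter: manage a 0/1 kernel knob
# such as net.ipv4.ip_forward via its /proc/sys file.
# PROC_ROOT is an assumed override so the functions can be exercised against
# a scratch directory instead of the live /proc (the real files need root to write).
PROC_ROOT="${PROC_ROOT:-/proc/sys}"

# Map a dotted sysctl key to its /proc file: net.ipv4.ip_forward -> net/ipv4/ip_forward
sysctl_path() {
    printf '%s/%s\n' "$PROC_ROOT" "$(printf '%s' "$1" | tr . /)"
}

# Print enabled/disabled for a 0/1 knob.
# Returns 2 if the key does not exist (e.g. module not loaded), 3 if the value is not 0/1.
knob_state() {
    path=$(sysctl_path "$1")
    [ -r "$path" ] || return 2
    case "$(cat "$path")" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown; return 3 ;;
    esac
}

# Runtime change only, equivalent to "sysctl -w key=value" or an echo into /proc;
# it is lost on reboot.
set_knob() {
    case "$2" in
        0|1) ;;
        *) echo "set_knob: value must be 0 or 1" >&2; return 1 ;;
    esac
    printf '%s\n' "$2" > "$(sysctl_path "$1")"
}

# The line to place in a /etc/sysctl.d/*.conf drop-in (e.g. the hypothetical
# 99-local.conf) so the setting survives a reboot; load it with "sysctl --system".
persist_line() {
    printf '%s = %s\n' "$1" "$2"
}

# On a real router (as root): turn forwarding on, confirm it, print the persistent line.
# set_knob net.ipv4.ip_forward 1 && knob_state net.ipv4.ip_forward && persist_line net.ipv4.ip_forward 1
```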

29.1.2. net.ipv4.icmp_echo_ignore_all

If you want to stop other hosts from pinging yours, add the following:

# Disable ping requests
net.ipv4.icmp_echo_ignore_all = 1