Troubleshooting Linux Firewalls, Shinn

 

man iptablesman ip6tables

 

 

設定時先關 ip_forwarding，防任何封包流通

echo 0 > /proc/sys/net/ipv4/ip_forward

如果防火牆使用 bootp 或 dhcp 得到 IP 地址

echo 1 > /proc/sys/net/ipv4/ip_dynaddrecho 2 > /proc/sys/net/ipv4/ip_dynaddr #更精密

如果防火牆使用 static IP 地址

echo 0 > /proc/sys/net/ipv4/ip_dynaddr

禁止 source routing

if [ -e /proc/sys/net/ipv4/conf/all/accept_source_route ]; then  for f in /proc/sys/net/ipv4/conf/*/accept_source_route  do   echo 0 > $f  donefi

停止回應 ICMP redirect 要求

# Do not respond to 'redirected' ICMP packets from gatewaysif [ -e /proc/sys/net/ipv4/secure_redirects ]; then  echo 1 > /proc/sys/net/ipv4/secure_redirectsfi

停止發送 ICMP redirect 要求

# Do not reply to 'redirected' packets if requestedif [ -e /proc/sys/net/ipv4/send_redirects ]; then  echo 0 > /proc/sys/net/ipv4/send_redirectsfi

停止接收 ICMP redirect

# Even more ICMP redirect suppression# do not accept redirectsif [ -e /proc/sys/net/ipv4/accept_redirects ]; then  echo 0 > /proc/sys/net/ipv4/accept_redirectsfi

停止回應 proxy ARP 要求

# Do not respond to a proxy arp request.#do not reply to 'proxyarp' packetsif [ -e /proc/sys/net/ipv4/proxy_arp ]; then  echo 0 > /proc/sys/net/ipv4/proxy_arpfi

防 IP spoofing

echo 1 > /proc/sys/net/ipv4/conf/all/rp_filterif [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then  for f in /proc/sys/net/ipv4/conf/*/rp_filter  do   echo 1 > $f  donefi

防火星 IP 地址

echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

停 ICMP echo messages 廣播

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

停 ICMP echo request 回應

echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all

停路由器假廣播記碌

echo 0 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

設定 FIN-WAIT-2 時間，四十五秒作者建意

echo 45 > /proc/sys/net/ipv4/tcp_fin_timeout

設定 UDP connection timout 時間

echo 60 > /proc/sys/net/ipv4/netfilter/ip_conntrack_udp_timeout

起動 TCP syn cookies

echo 1 > /proc/sys/net/ipv4/tcp_syncookies

停 IP ECN，Explicit Congestion Notification

echo 0 > /proc/sys/net/ipv4/tcp_ecn