Linux 網路/IP 防火牆 (適用於 Linux-2.0)
< Linux 網路
IP 防火牆和防火牆問題在 Firewall-HOWTO 中有更深入的介紹。IP 防火牆允許您透過過濾或允許您指定的 IP 地址的進出資料包來保護您的機器免受未經授權的網路訪問。有三種不同型別的規則:入站過濾、出站過濾和轉發過濾。入站規則應用於網路裝置接收到的資料包。出站規則應用於網路裝置要傳送的資料包。轉發規則應用於接收到的非本機資料包,即要被路由的資料包。
核心編譯選項
Networking options --->
[*] Network firewalls
....
[*] IP: forwarding/gatewaying
....
[*] IP: firewalling
[ ] IP: firewall packet logging
IP 防火牆規則的配置是使用 ipfwadm 命令完成的。正如我之前提到的,安全並不是我的專長,因此雖然我將提供一個您可以使用的示例,但如果您重視安全,您應該自行研究並制定自己的規則。
IP 防火牆最常見的用途可能是當您使用 Linux 機器作為路由器和防火牆閘道器來保護您的本地網路免受來自您網路外部的未經授權的訪問時。
以下配置基於來自 Arnt Gulbrandsen,<agulbra@troll.no> 的貢獻。
該示例描述了在此圖中說明的 Linux 防火牆/路由器機器上防火牆規則的配置
- -
\ | 172.16.37.0
\ | /255.255.255.0
\ --------- |
| 172.16.174.30 | Linux | |
NET =================| f/w |------| ..37.19
| PPP | router| | --------
/ --------- |--| Mail |
/ | | /DNS |
/ | --------
- -
以下命令通常應放在 rc 檔案中,以便在系統每次啟動時自動啟動。為了最大限度地提高安全性,它們應在網路介面配置後執行,但在介面實際啟動之前執行,以防止任何人未經授權訪問防火牆機器。
#!/bin/sh
# Flush the 'Forwarding' rules table
# Change the default policy to 'accept'
#
/sbin/ipfwadm -F -f
/sbin/ipfwadm -F -p accept
#
# .. and for 'Incoming'
#
/sbin/ipfwadm -I -f
/sbin/ipfwadm -I -p accept
# First off, seal off the PPP interface
# I'd love to use '-a deny' instead of '-a reject -y' but then it
# would be impossible to originate connections on that interface too.
# The -o causes all rejected datagrams to be logged. This trades
# disk space against knowledge of an attack of configuration error.
#
/sbin/ipfwadm -I -a reject -y -o -P tcp -S 0/0 -D 172.16.174.30
# Throw away certain kinds of obviously forged packets right away:
# Nothing should come from multicast/anycast/broadcast addresses
#
/sbin/ipfwadm -F -a deny -o -S 224.0/3 -D 172.16.37.0/24
#
# and nothing coming from the loopback network should ever be
# seen on a wire
#
/sbin/ipfwadm -F -a deny -o -S 127.0/8 -D 172.16.37.0/24
# accept incoming SMTP and DNS connections, but only
# to the Mail/Name Server
#
/sbin/ipfwadm -F -a accept -P tcp -S 0/0 -D 172.16.37.19 25 53
#
# DNS uses UDP as well as TCP, so allow that too
# for questions to our name server
#
/sbin/ipfwadm -F -a accept -P udp -S 0/0 -D 172.16.37.19 53
#
# but not "answers" coming to dangerous ports like NFS and
# Larry McVoy's NFS extension. If you run squid, add its port here.
#
/sbin/ipfwadm -F -a deny -o -P udp -S 0/0 53 \
-D 172.16.37.0/24 2049 2050
# answers to other user ports are okay
#
/sbin/ipfwadm -F -a accept -P udp -S 0/0 53 \
-D 172.16.37.0/24 53 1024:65535
# Reject incoming connections to identd
# We use 'reject' here so that the connecting host is told
# straight away not to bother continuing, otherwise we'd experience
# delays while ident timed out.
#
/sbin/ipfwadm -F -a reject -o -P tcp -S 0/0 -D 172.16.37.0/24 113
# Accept some common service connections from the 192.168.64 and
# 192.168.65 networks, they are friends that we trust.
#
/sbin/ipfwadm -F -a accept -P tcp -S 192.168.64.0/23 \
-D 172.16.37.0/24 20:23
# accept and pass through anything originating inside
#
/sbin/ipfwadm -F -a accept -P tcp -S 172.16.37.0/24 -D 0/0
# deny most other incoming TCP connections and log them
# (append 1:1023 if you have problems with ftp not working)
#
/sbin/ipfwadm -F -a deny -o -y -P tcp -S 0/0 -D 172.16.37.0/24
# ... for UDP too
#
/sbin/ipfwadm -F -a deny -o -P udp -S 0/0 -D 172.16.37.0/24
良好的防火牆配置有點棘手。本示例應該是一個不錯的起點。ipfwadm 手冊頁提供了一些使用該工具的幫助。如果您打算配置防火牆,請務必四處詢問,從您認為可靠的來源獲取儘可能多的建議,並讓某人從外部測試/檢查您的配置。