
Simple Firewall Setup

December 14, 2008

Using iptables:

iptables is one of the core components of the Linux system. The operating system we use is CentOS, which after installation opens only port 22 by default. The following example shows how to open port 80 with iptables:

    vi /etc/sysconfig/iptables

Add: -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 3001 -j ACCEPT

    /sbin/service iptables restart    (restart the service)

Check the result: /sbin/iptables -L -n
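As an added example (not part of the original post), here is a POSIX shell helper that makes the edit above on a copy of /etc/sysconfig/iptables and checks the one thing vi will not check for you: that the new ACCEPT rule lands above the chain's final REJECT rule, since iptables stops at the first match. The function names and the sample rules file are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post: insert an ACCEPT rule for a TCP
# port into a CentOS-style /etc/sysconfig/iptables file. The rule must come
# BEFORE the chain's final REJECT rule, because iptables stops at the first
# match; appending it at the end of the file would leave the port closed.

# Constructed sample of a fresh CentOS rules file (only port 22 open).
write_sample_rules() {
    cat > "$1" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# open_tcp_port <file> <port>: add the ACCEPT rule once, just above the REJECT.
# Run it on a copy first; then 'service iptables restart' as in the post.
open_tcp_port() {
    rule="-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport $2 -j ACCEPT"
    if grep -qF -- "$rule" "$1"; then return 0; fi    # idempotent: already present
    awk -v rule="$rule" '
        !done && /^-A RH-Firewall-1-INPUT .*-j REJECT/ { print rule; done = 1 }
        { print }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# port_rule_precedes_reject <file> <port>: 0 if the port's ACCEPT rule sits
# above the chain's REJECT rule, i.e. the rule will actually take effect.
port_rule_precedes_reject() {
    awk -v port="$2" '
        /^-A RH-Firewall-1-INPUT / && index($0, "--dport " port " -j ACCEPT") { accept = NR }
        /^-A RH-Firewall-1-INPUT .*-j REJECT/ && !reject { reject = NR }
        END { exit !(accept && reject && accept < reject) }
    ' "$1"
}
```

Call write_sample_rules on a temporary path, then open_tcp_port and port_rule_precedes_reject on it, before touching the real file.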

    iptables guide

Installing and Using APF

APF (Advanced Policy Firewall), produced by R-fx Networks, is a popular software firewall for Linux. It is a front-end script for iptables.

Download and install APF:

  wget http://www.rfxnetworks.com/downloads/apf-current.tar.gz

  tar -xzvf apf-current.tar.gz

  cd apf-<version>

  ./install.sh

Configure APF

  vi /etc/apf/conf.apf

  Change USE_DS="0" to USE_DS="1"; change USE_AD="0" to USE_AD="1".

  Configure the ports; the recommended settings under cPanel:

  cPanel
  IG_TCP_CPORTS="20,21,22,25,26,53,80,110,143,443,465,993,995,2082,2083,2086,2087,2095,2096"
  IG_UDP_CPORTS="21,53,873"

  EGF="1"
  EG_TCP_CPORTS="21,22,25,26,27,37,43,53,80,110,113,443,465,873,2089"
  EG_UDP_CPORTS="20,21,37,53,873"

After configuring, save and exit, then start the APF firewall:

  /usr/local/sbin/apf -s

  Note that at this point the firewall is running in development mode and flushes its rules every five minutes. This prevents a wrong configuration from taking the server down (locking you out).

  Once you are sure the configuration is correct, open the configuration file again (vi /etc/apf/conf.apf) and change DEVM="1" to DEVM="0". APF will then run in normal mode.

  Restart APF (/usr/local/sbin/apf -s).

  Note: if your Linux kernel has iptables compiled in directly rather than built as modules, change MONOKERN="0" to MONOKERN="1" in the configuration file.

Using APF to Defend Against DDoS Attacks

  The configuration directory is /etc/apf/ad. Its log file is saved at /var/log/apfados_log.

  Below we configure APF to send an e-mail to the administrator when it detects a DoS.

  Open the configuration file:

  vi /etc/apf/ad/conf.antidos
  Find [E-Mail Alerts].

  CONAME="Your Company": fill in your website or company name.

  Change USR_ALERT="0" to USR_ALERT="1" so that the system sends e-mail.

  USR="your@email.com": fill in the e-mail address.

  Save and exit, then restart APF (/usr/local/sbin/apf -r).

Starting APF automatically after a system reboot

  To run APF automatically after every reboot:  chkconfig --level 2345 apf on

  To disable automatic startup:  chkconfig --del apf

All APF options

Each entry gives the option name, whether you typically need to change it from the default (Yes / Sometimes / Rarely), and a description.

DEVM (change: Yes)
    When set to "1", a 5 minute cronjob is set that will flush the firewall. When first configuring your firewall, leave this as enabled ("1"), and when you are sure everything is set up properly, set this to disabled ("0").
FWPATH (change: Rarely)
    Path of the firewall installation. Rarely do you have to change this value.
IF (change: Sometimes)
    Network interface to firewall. If the network interface you wish to firewall is not 'eth0', then you will have to change this to the correct interface.
MONOKERN (change: Rarely)
    Support monolithic kernel builds [no LKMs]. You should change this value if iptables is not compiled as a module (if you have iptables installed, and APF complains about iptables without setting up the firewall).
TCP_STOP (change: Rarely)
    How to handle TCP packet filtering. You should leave this value as "DROP".
UDP_STOP (change: Rarely)
    How to handle UDP packet filtering. You should leave this value as "DROP".
DSTOP (change: Rarely)
    How to handle all other packet filtering. You should leave this value as "DROP".
ICMP_LIM (change: Rarely)
    Packet/time ratio for ICMP packets before dropping packets. If there is a chance that a host may legitimately ping you more frequently, then you may need to change this value. This option reduces the amount of traffic being sent out if someone attacks you through ICMP.
BLK_MCATNET (change: Yes)
    Block multicasting. Unless you need multicasting, you should set this to enabled ("1"), just in case.
BLK_PRVNET (change: Yes)
    Block all private IPv4 addresses. Unless the server resides behind a firewall with NAT, you should enable ("1") this. Setting this option to enabled reduces the chance of spoof attacks.
BLK_RESNET (change: Sometimes)
    Block all IPv4 address space marked reserved for future use. There is a chance that some of the address space listed may become live IPs, so either enable ("1") this and make sure your '/etc/apf/internals/reserved.networks' file is up to date, or just leave it disabled ("0").
USE_DS (change: Sometimes)
    Use DShield.org's "block" list of top networks that have exhibited suspicious activity. This top list is a list of the top 20 attacking class C subnets over a 3 day period. It is safe to enable ("1") this option. If you are interested in seeing this list, you can find it here: http://feeds.dshield.org/block.txt
USE_AD (change: Sometimes)
    Import our ad.rules ban list generated by antidos. This essentially enables the antidos section of the APF firewall, and requires you to modify the '/etc/apf/ad/conf.antidos' file.
CDPORTS (change: Sometimes)
    Common drop ports; these ports do not get logged.

Ingress (inbound)

IG_TCP_CPORTS (change: Yes)
    Common ingress (inbound) TCP ports. The default value for this is 22 (SSH port). You may want to add (separated by a comma ','):
    - FTP port (21)
    - DNS (53)
    - HTTP port (80)
    - HTTP SSL port (443)
    - SMTP (25) SSL (465)
    - POP (110) SSL (995)
    - IMAP (143) SSL (993)
    - CPANEL (2082) SSL (2083)
    - WHM (2086) SSL (2087)
    - CPANEL WebMail (2095) SSL (2096)
    - for FTP connections (6000_7000)
    To indicate a range, use a '_' character, i.e. 6000_7000. For a more complete list of ports and the services located on them, check your '/etc/services' file.
IG_UDP_CPORTS (change: Yes)
    Common ingress (inbound) UDP ports. The default value for this is nothing. You may want to add (separated by a comma ','):
    - FTP data port (20)
    - FTP (21)
    - DNS (53)
    To indicate a range, use a '_' character, i.e. 6000_7000. For a more complete list of ports and the services located on them, check your '/etc/services' file.
IG_ICMP_CPORTS (change: Sometimes)
    Common ICMP (inbound) types. The default value should be enough, but if you want to block certain ICMP types, look at the '/etc/apf/internals/icmp.types' file to find out what each code means.

Egress (outbound)

EGF (change: Sometimes)
    Egress filtering [0 = Disabled / 1 = Enabled]. If you wish to enable egress filtering, set this to enabled (1). If you set this to disabled, skip the whole egress section. Egress filtering will block all outgoing ports, so the server will only be able to connect outwards on the ports provided in the next variables.
EG_TCP_CPORTS (change: Sometimes)
    Common egress (outbound) TCP ports. The FAQ section on the cPanel website suggests the following ports: 21, 25, 26, 37, 43, 53, 80, 113, 465, 873, 2089, 3306 (873 and 2089 are supposedly used for the cPanel update script). For a more complete list of ports and the services located on them, check your '/etc/services' file.
EG_UDP_CPORTS (change: Sometimes)
    Common egress (outbound) UDP ports. The FAQ section on the cPanel website suggests the following ports: 20, 21, 53, 465, 873 (873 is supposedly used for the cPanel update script). For a more complete list of ports and the services located on them, check your '/etc/services' file.
EG_ICMP_CPORTS (change: Sometimes)
    Common ICMP (outbound) types. The default value should be enough, but if you want to block certain ICMP types, look at the '/etc/apf/internals/icmp.types' file to find out what each code means.

Log paths and control settings

IPTLOG (change: Rarely)
    Status log path. The location and file name of the log file to be used.
DROP_LOG (change: Rarely)
    Log TCP/UDP DROP chains [required for antidos]; data is logged to the kernel log. The default value of enabled ("1") should be good for most situations, unless you do not want your kernel log file to get clogged with this type of data. Remember, this is required to be enabled if you enable antidos.
LRATE (change: Rarely)
    Max firewall events to log per minute. Log events exceeding this limit will be lost! The default value should be sufficient. Altering this value may alter the efficiency of antidos.
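Added example (not APF's own code and not from the original post) covering the port lists set in conf.apf above and the '_' range notation described under IG_TCP_CPORTS: a POSIX shell check of a port-list value before you restart APF, using the cPanel TCP list from the post as sample input. The function names are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of APF or the original post: check an APF port-list
# value (IG_TCP_CPORTS, EG_UDP_CPORTS, ...) before restarting the firewall.
# APF's format is comma-separated, ranges are written 6000_7000 (not '-'); a
# malformed entry silently opens nothing, and with EGF="1" blocks that service.

# _is_port <value>: 0 if value is a plain integer in 1..65535.
_is_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# apf_ports_valid <list>: 0 if every entry is a port or an ascending lo_hi range.
# An empty list is valid (the IG_UDP_CPORTS default).
apf_ports_valid() {
    ok=0
    old_ifs=$IFS; IFS=,
    for entry in $1; do
        case $entry in
            *_*) lo=${entry%%_*}; hi=${entry#*_} ;;
            *)   lo=$entry;        hi=$entry ;;
        esac
        if ! _is_port "$lo" || ! _is_port "$hi" || [ "$lo" -gt "$hi" ]; then
            ok=1; break           # also catches '21-25', '22, 80' and '70000'
        fi
    done
    IFS=$old_ifs
    return $ok
}

# apf_port_listed <list> <port>: 0 if the port is covered by the (valid) list.
# Use it to confirm that 22 is in IG_TCP_CPORTS before setting DEVM="0".
apf_port_listed() {
    found=1
    old_ifs=$IFS; IFS=,
    for entry in $1; do
        case $entry in
            *_*) lo=${entry%%_*}; hi=${entry#*_} ;;
            *)   lo=$entry;        hi=$entry ;;
        esac
        if [ "$2" -ge "$lo" ] && [ "$2" -le "$hi" ]; then
            found=0; break
        fi
    done
    IFS=$old_ifs
    return $found
}
# The cPanel TCP list quoted in the post, as sample input for the checks.
CPANEL_TCP="20,21,22,25,26,53,80,110,143,443,465,993,995,2082,2083,2086,2087,2095,2096"
```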
