Troubleshooting Linux Firewalls, Shinn
man iptables; man ip6tables
設定時先關閉 ip_forwarding，防止任何封包流通
# Disable IP forwarding before any rules are loaded, so no packet can
# transit the firewall until the ruleset is complete (re-enable afterwards).
printf '%s\n' 0 > /proc/sys/net/ipv4/ip_forward
如果防火牆使用 bootp 或 dhcp 得到 IP 地址
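# Firewall gets its address from bootp/dhcp: let the kernel rewrite the
# source address of sockets bound to an interface whose address changed.
# The original line had both writes collapsed into one command, which would
# have written the literal string "1 echo 2" to the file; they are two
# alternatives, use one of them:
#   1 = enabled
#   2 = enabled, the "more precise" variant from the note (kernel docs: a
#       value above 1 additionally logs each address rewrite)
echo 1 > /proc/sys/net/ipv4/ip_dynaddr
# echo 2 > /proc/sys/net/ipv4/ip_dynaddr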
如果防火牆使用 static IP 地址
# Firewall has a static address: dynamic source-address rewriting is not
# needed, so turn it off.
printf '%s\n' 0 > /proc/sys/net/ipv4/ip_dynaddr
禁止 source routing
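# Reject source-routed packets on every interface (the glob also covers the
# "all" and "default" entries), so a sender cannot dictate the path a reply
# takes through the firewall. The guard skips the loop on kernels that lack
# the knob; "$f" is quoted so the loop is safe under any IFS setting.
if [ -e /proc/sys/net/ipv4/conf/all/accept_source_route ]; then
  for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
    echo 0 > "$f"
  done
fi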
停止回應 ICMP redirect 要求
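# Accept ICMP redirects only from gateways that are already in the
# default-gateway list (secure_redirects=1).
# The original tested /proc/sys/net/ipv4/secure_redirects, which does not
# exist: this knob lives under conf/<interface>/, so the -e guard silently
# skipped the setting. Apply it to every interface, as for
# accept_source_route above.
if [ -e /proc/sys/net/ipv4/conf/all/secure_redirects ]; then
  for f in /proc/sys/net/ipv4/conf/*/secure_redirects; do
    echo 1 > "$f"
  done
fi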
停止發送 ICMP redirect 要求
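# Never emit ICMP redirects from this host (send_redirects=0); a firewall
# should not advertise alternative routes to the hosts it protects.
# The original tested /proc/sys/net/ipv4/send_redirects, which does not
# exist: the knob is per interface under conf/<interface>/, so the -e guard
# silently skipped the setting.
if [ -e /proc/sys/net/ipv4/conf/all/send_redirects ]; then
  for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
    echo 0 > "$f"
  done
fi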
停止接收 ICMP redirect
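# Ignore incoming ICMP redirects entirely (accept_redirects=0); a redirect
# from an untrusted sender could otherwise alter the firewall's routing.
# The original tested /proc/sys/net/ipv4/accept_redirects, which does not
# exist: the knob is per interface under conf/<interface>/, so the -e guard
# silently skipped the setting.
if [ -e /proc/sys/net/ipv4/conf/all/accept_redirects ]; then
  for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
    echo 0 > "$f"
  done
fi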
停止回應 proxy ARP 要求
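# Do not answer ARP requests on behalf of other hosts (proxy_arp=0).
# The original tested /proc/sys/net/ipv4/proxy_arp, which does not exist:
# the knob is per interface under conf/<interface>/, so the -e guard
# silently skipped the setting.
if [ -e /proc/sys/net/ipv4/conf/all/proxy_arp ]; then
  for f in /proc/sys/net/ipv4/conf/*/proxy_arp; do
    echo 0 > "$f"
  done
fi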
防 IP spoofing
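# Enable reverse-path filtering on every interface: a packet whose source
# address would not be routed back out the interface it arrived on is
# dropped, which blocks the simplest spoofed-source traffic.
# The unconditional write to conf/all/rp_filter that preceded the guard was
# redundant (the glob covers "all") and would error out on a kernel without
# the knob, so it is folded into the guarded loop.
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
  for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 1 > "$f"
  done
fi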
防火星 IP 地址
# Log packets carrying impossible ("martian") source addresses; useful
# evidence when diagnosing spoofing or misrouted traffic.
printf '%s\n' 1 > /proc/sys/net/ipv4/conf/all/log_martians
停止回應廣播的 ICMP echo 訊息
# Ignore ICMP echo requests sent to broadcast/multicast addresses, so the
# host cannot be used as an amplifier (smurf-style traffic).
printf '%s\n' 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
停 ICMP echo request 回應
# icmp_echo_ignore_all: 0 = answer unicast echo requests (ping still works),
# non-zero = ignore every echo request. The note above says "stop replies",
# but this value keeps replies enabled; change to 1 if ping must be silenced.
printf '%s\n' 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all
停路由器假廣播記錄
# icmp_ignore_bogus_error_responses: 0 = keep logging bogus ICMP error
# responses that some routers send to broadcast frames; non-zero = stay
# silent about them. With 0 those messages remain visible in the kernel log.
printf '%s\n' 0 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
設定 FIN-WAIT-2 時間，作者建議四十五秒
# Seconds an orphaned connection lingers in FIN-WAIT-2 before being
# reclaimed; 45 s (the author's suggestion) frees resources sooner than the
# kernel default.
printf '%s\n' 45 > /proc/sys/net/ipv4/tcp_fin_timeout
設定 UDP connection timeout 時間
# Seconds a UDP conntrack entry is kept without traffic (60 s).
# NOTE(review): this is the legacy ip_conntrack path; on kernels using
# nf_conntrack the equivalent knob is
# /proc/sys/net/netfilter/nf_conntrack_udp_timeout — confirm which one the
# target kernel exposes.
printf '%s\n' 60 > /proc/sys/net/ipv4/netfilter/ip_conntrack_udp_timeout
啟動 TCP syn cookies
# Enable SYN cookies so a flood of half-open connections cannot exhaust
# the listen backlog.
printf '%s\n' 1 > /proc/sys/net/ipv4/tcp_syncookies
停用 IP ECN (Explicit Congestion Notification)
# Disable TCP ECN negotiation (0); avoids connection problems with
# middleboxes that mishandle the ECN bits.
printf '%s\n' 0 > /proc/sys/net/ipv4/tcp_ecn