Monday, October 24, 2005

Using Shorewall to help configure iptables

1 iptables

A tool for configuring the firewall functionality built into the Linux kernel.

2 shorewall

  A helper tool for configuring iptables; it ships with Mandrake 10.2, the distribution I normally use.

2.1 The files I configured

  Shorewall's configuration files all live in /etc/shorewall (everything under /etc is configuration-related). The two that need changing are policy and rules. policy defines the firewall's policies; rules, as the name suggests, holds the rules.

2.1.1 How to configure

  Before configuring anything, you need a clear plan. The example below allows only ports 80, 443, 22 and 177:

* Edit policy as follows:

fw net ACCEPT
net all DROP info
all all REJECT info

In short, this means: block every packet first, and let through only those that match a firewall rule. The comments at the top of this file contain plenty of good explanations and examples of the detailed settings.

* Edit rules as follows:

ACCEPT net:x.y.z.0/24 fw udp 177 -
ACCEPT net:x.y.z.0/24 fw tcp 80,443,22,177 -

  The first line allows only hosts in the x.y.z network to connect to UDP port 177.

  The second line does more: it allows hosts in the x.y.z network to connect over TCP to ports 80, 443, 22 and 177. 80 is the web server; 22 and 443 are, I believe, ftp and smb (Windows network shares).

* Run Shorewall to regenerate the iptables rules so that the new firewall rules take effect:

1. Verify first: run shorewall check to catch any misconfigured rules.
2. Restart the firewall: run shorewall restart to make the new rules take effect.

With that, the firewall rules are set up.
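To see what the policy and rules above actually decide for a given packet, here is an added example (my own code, not Shorewall's) that models Shorewall's evaluation order: a matching rules entry wins, otherwise the first matching policy line applies. It assumes a constructed 10.1.2.0/24 in place of the post's x.y.z.0/24 and only handles the columns the post uses.

```python
import ipaddress

# Constructed sample contents of the two Shorewall files from the post;
# 10.1.2.0/24 stands in for the post's x.y.z.0/24. Column order in rules is
# ACTION SOURCE DEST PROTO DEST-PORT(S) SOURCE-PORT(S); "-" means any source port.
POLICY = """
fw net ACCEPT
net all DROP info
all all REJECT info
"""
RULES = """
ACCEPT net:10.1.2.0/24 fw udp 177 -
ACCEPT net:10.1.2.0/24 fw tcp 80,443,22,177 -
"""
# For reference: by IANA convention 22 is SSH, 80 HTTP, 443 HTTPS, 177 XDMCP.

def parse_policy(text):
    """Return [(source_zone, dest_zone, action), ...] in file order."""
    return [tuple(f[:3]) for f in (l.split() for l in text.splitlines())
            if f and not f[0].startswith("#")]

def parse_rules(text):
    """Parse rules lines into dicts; SOURCE may carry an optional zone:network."""
    rules = []
    for line in text.splitlines():
        f = line.split()
        if not f or f[0].startswith("#"):
            continue
        zone, _, net = f[1].partition(":")
        rules.append({"action": f[0], "zone": zone,
                      "net": ipaddress.ip_network(net) if net else None,
                      "dst": f[2], "proto": f[3],
                      "ports": {int(p) for p in f[4].split(",")}})
    return rules

def decide(policy, rules, src_zone, src_ip, dst_zone, proto, port):
    """Verdict for one packet: first matching rule wins, otherwise the first
    matching policy line ('all' acts as a wildcard zone)."""
    ip = ipaddress.ip_address(src_ip)
    for r in rules:
        if (r["zone"] == src_zone and r["dst"] == dst_zone
                and r["proto"] == proto and port in r["ports"]
                and (r["net"] is None or ip in r["net"])):
            return r["action"]
    for src, dst, action in policy:
        if src in (src_zone, "all") and dst in (dst_zone, "all"):
            return action
    return "REJECT"  # assumption: treat a missing policy line as a reject
```

Running decide() over a few packets shows that a TCP 443 connection from inside 10.1.2.0/24 is accepted, the same connection from any other address falls through to the net->all DROP policy, and traffic from a zone not named in either file ends at the all->all REJECT line.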
