Because my machine configuration is not high, firestarter too unstable in breezy on my old crash, novice guide to the top of the shorewall is not aimed at single users, the rules of grammar shorewall3.0.4 change.
The machine: The Telecom ADSL, ISP dynamically assigned ip.鍗曟満鍗曠綉鍗¤繛鎺dsl modem(PPPoE)涓婄綉锛屽叏鏂板畨瑁卻horewall銆?br />
1, linux firewall basics
銆??闄や簡杞欢鍜岀‖浠堕槻鐏鐨勫垎绫诲锛屽鏋滀互灏佸寘鎶垫尅鏈哄埗鏉ュ垎绫伙紝澶ф鍙互鍒嗕负proxy鍜孖P Filter銆?br />
Basically there are two linux's IP Filter firewall basic mechanisms, namely: Ip Filter and TCP_Wrapper.
銆??杩欓噷鎴戜滑璋圛P Filter锛屽洜涓簊horewall鍙互閫氳繃IPTABLES绠?崟璁剧疆IP Filter鐨勮鍒欍?
Or: If you do not trouble the syntax of iptables rules, or you can write your own batch of some iptables command shell procedure, can not install shorewall or any other firewall. Because the basic firewall under linux by setting the iptables rules are completed.
1. First determine (uname command to determine the core, lsmod to determine the current load module, if ipchains, run rmmod ipchains.
Then modprobe ip_tables iptables can be used in the module loaded now) what your kernel is used to resist the mechanism is not
銆??鎴戜滑闇?鐨刬ptables(Ubuntu5.10鐨勬槸iptables)
銆??Linux Kernel Version 2.0锛氫娇鐢?ipfwadm
Linux Kernel Version 2.2: using ipchains
銆??Linux Kernel Version 2.4锛氫富瑕佹槸浣跨敤 iptables 浣嗕负浜嗗吋瀹?ipchains 锛屽洜姝ゅ湪 Version 2.4 鐗堟湰涓紝鍚屾椂灏?ipchains 缂栬瘧鎴愭ā缁勪緵浣跨敤锛屽ソ璁╀娇鐢ㄨ?浠嶇劧鍙互浣跨敤渚嗚嚜 2.2 鐗堢殑 ipchains 鐨勯槻鐏瑙勫垯銆?br />
And then execute the following code to watch the current firewall rules (network case, root user)
$ Sudo iptables-L-n (L is the meaning of the rules listed in the current table, n is the meaning of IP and HOSTNAME to the mutual conversion, this can speed up the display speed)
銆??$ sudo iptables -t nat -L -n (-t nat鐨勫惈涔夋槸鏄剧ずnat鐨刦ilter銆俰ptables浼氭湁nat tables鍜宖ilter tables锛屼笉鍔犲弬鏁颁负filter銆傛湁鍏磋叮鐨勫厔寮熷彲浠ュ弬鐪嬪叾浠栧叧浜巌ptables鐨勪粙缁嶏紝浠嬩簬澶暱锛屾澶勪笉鍋氫粙缁?)
Next we removed all the existing firewall rules (network case) root @ *** root] # / sbin / iptables [-t tables] [-FXZ]
The meaning of which parameters are:
銆??-F 锛氭竻闄ゆ墍浠ュ凡缁忓缓绔嬬殑瑙勫垯;
銆??-X 锛氭潃鎺夋墍鏈変娇鐢ㄨ?寤虹珛鐨?chain ( tables );
-Z: a count of all the chain and the traffic statistics classified as 0;
Example: [root @ *** root] # / sbin / iptables-F
[Root @ *** root] # / sbin / iptables-X
[Root @ *** root] # / sbin / iptables-Z
[Root @ *** root] # / sbin / iptables-t nat-F
Second, the specific installation Shorewall3.0.4
銆??涓嬭浇shorewall鏈?柊鐨勭ǔ瀹氱増鏈?.0.4(tarball瀹夎锛屽嵆涓烘簮浠g爜make瀹夎銆傜‘瀹氫綘鐨勬満鍣ㄨ窡闅忊?鏂版墜鎸囧崡鈥欒浜嗗熀鏈紪璇戝伐鍏?锛岀敱浜庢柊绔嬪緱閲岄潰杩樻槸2.澶氱殑鐗堟湰锛屽湪瀹樻柟缃戠珯鐪嬬殑鏄?鐨勪粙缁嶏紝鎵?互瀹夎3.0.4銆?Installation is simple and does not have other dependent issues.
1. Download: http://www1.shorewall.net/pub/shorewall/3.0/shorewall-3.0.4/
2. You'll need: iptables (mentioned above) + iproute (check this command is sudo Which ip) (basically ubuntu5.10 having had, so it can not be considered)
3. Try not to edit the ms-windows inside the shorewall configuration files, because the ms and lin are not the same text layout, such as carriage return.
4.cd to your directory after extracting and then. / Install.sh Enter, see no error message, the OK. But at the moment does not start shorewall. Like to hold us to start.榛樿瀹夎涔嬪悗灏辨槸姣忔鍚姩灏辫嚜鍔ㄥ惎鍔ㄩ槻鐏(璁剧疆鏂囦欢鍦?/etc/shorewall/shorewall.conf銆傛壘鍒癝TARTUP_ENABLED=Yes
, Yes representatives at startup!)
銆??5.瀹夎涔嬪悗鎵?湁鏂囦欢鍒嗗埆浣嶄簬锛?usr/shorewall 鍜?sbin 鍜?/etc/shorewall锛屾垜浠渶瑕佹敞鎰忕殑灏辨槸/etc/shorewall銆?Here is the configuration file. (Personal recommendation, for a number of important and often do not need to change the file can be hidden attribute chattr + i up, specific instructions, please look for 'man' man)
6. View installed version: sudo shorewall version 3.0.4 of the message can be
銆??涓夈?閰嶇疆Shorewall3.0.4
Detailed in the official documentation: http://www.shorewall.net/Documentation.htm, shorewall many documents, but little used in general users, especially our dial-up users of this single.
1. First of all configuration / etc / shorewall / zones file, browse to the last, add the following code: # ZONE TYPE OPTIONS
There's this line of the original document, fw is the firewall itself, must be net ipv4
loc ipv4
# LAST LINE - DO NOT REMOVE
One of each type, options explained, the front part of the profile there, if we have strict requirements, you can refer to file configuration, the general user profile into the top on it.
2. Configure / etc / shorewall / interfaces, (here is the name used in the ZONE files / etc / shorewall / zones defined in the name, so in order not to mistake. This zone is relatively simple name and recommended this approach.) # ZONE INTERFACE BROADCAST OPTIONS
net ppp0
# LAST LINE - DO NOT REMOVE
Similarly, the profile of the various parameters were explained in detail
3. Configure / etc / shorewall / rules and / etc / shorewall / policy
Relations: policy is to define the default policy to all of the connections (from one zone to another zone, such as we defined from the loc to net);
rules is to define specific firewall rules, that is the policy which do not.
Has conditions: any connection, firewall, first check the rules, if the rule does not describe the requirements on this link, you call the policy of the default configuration.
/ Etc / shorewall / policy configuration as follows (default) # SOURCE ZONE DESTINATION ZONE POLICY LOG LIMIT: BURST
# LEVEL
loc net ACCEPT
net all DROP info
all all REJECT info
# LAST LINE - DO NOT REMOVE
I usually read the following, to save each open port trouble. fw net ACCEPT
net all DROP info
all all REJECT info
The meaning of the above is to allow the machine all connect to the network requirements; network to connect to all of my zones (such as firewall fw, local loc) have dropped the connection request tcp packets, and logged. Reject all connection requests and logged (when the connection is refused, the firewall will return a RST (accession protocol is TCP) or an ICMP port unreachable packet to other protocols)
銆??/etc/shorewall/rules閰嶇疆濡備笅(涓?埇涓嶉渶瑕佸お澶ч厤缃紝闄ら潪浣犵殑鏈哄櫒杩愯浜嗘瘮濡傛兂web鏈嶅姟鍣ㄤ箣绫荤殑涓滆タ銆傞渶瑕佺鍙e紑鏀炬椂鍊欏啀鏉ラ厤缃鏂囦欢)
銆??杩欓噷鎴戦?鎷╀繚鎸侀粯璁わ紝灏辨槸娌℃湁瀹氫箟鐨勪笢瑗裤?濡傛灉浣犱互鍚庢兂寮?粈涔堢鍙o紝灏辫嚜宸卞湪杩欎釜涓婇潰鍐欏氨鏄簡銆?On the various options, configuration files there are very detailed description.姣斿 ACCEPT net loc icmp echo-request灏辨槸璁╃綉缁滃彲浠ing鍒版湰鏈虹殑璁剧疆銆?After you have to open ftp, bt, pop3 and other ports, he himself set in the above!
銆??鍥涖?鍚姩shorewall
sudo shorewall start (note again a / var / lock / subsys to this folder, program needs, but ubuntu not in the directory, so to build their own! otherwise error message will be prompted)
銆??鎴栬?閲嶆柊鍚姩璁$畻鏈哄氨鑷姩鍚姩浜嗭紝淇敼/etc/default/shorewall鐨勬枃浠讹紝鎶妔tarup鏀逛负1鍗冲彲銆?涓?埇鎯呭喌涓嬶紝濡傛灉浣犵殑杩愭皵瀹炲湪涓嶅ソ锛屽氨璇疯嚜宸辨妸璇ョ▼搴弆n涓?釜杩炴帴鍒皉cS.d涓?
相关链接:
burn pptx to dvd or cd in windows 7 for sharing on
A DOMESTIC room, map description IDC
Longhorn Beta1 only compatible with two kinds of graphics chips
HP Means To Maintain The Integrity Of Former Coach
BenQ compete in, with a hope that the road
XviD to iPhone
Remain A Top: The Blue Sea To
Specialist Puzzle And Word Games
Hot Languages Education
DIVX to iPod
Desktop And Notebook Computers To Connect With Online IR
OGM to AVI
For you Recreation
New Communications Tools
New changes in PMP certification exam
No comments:
Post a Comment