Troubleshooting Linux Firewalls, Shinn

man iptablesman ip6tables

設定時先關 ip_forwarding，防任何封包流通

echo 0 > /proc/sys/net/ipv4/ip_forward

如果防火牆使用 bootp 或 dhcp 得到 IP 地址

echo 1 > /proc/sys/net/ipv4/ip_dynaddrecho 2 > /proc/sys/net/ipv4/ip_dynaddr #更精密

如果防火牆使用 static IP 地址

echo 0 > /proc/sys/net/ipv4/ip_dynaddr

禁止 source routing

if [ -e /proc/sys/net/ipv4/conf/all/accept_source_route ]; thenfor f in /proc/sys/net/ipv4/conf/*/accept_source_routedoecho 0 > $fdone
fi

停止回應 ICMP redirect 要求

# Do not respond to 'redirected' ICMP packets from gateways
if [ -e /proc/sys/net/ipv4/secure_redirects ]; thenecho 1 > /proc/sys/net/ipv4/secure_redirects
fi

停止發送 ICMP redirect 要求

# Do not reply to 'redirected' packets if requested
if [ -e /proc/sys/net/ipv4/send_redirects ]; thenecho 0 > /proc/sys/net/ipv4/send_redirects
fi

停止接收 ICMP redirect

# Even more ICMP redirect suppression
# do not accept redirects
if [ -e /proc/sys/net/ipv4/accept_redirects ]; thenecho 0 > /proc/sys/net/ipv4/accept_redirects
fi

停止回應 proxy ARP 要求

# Do not respond to a proxy arp request.
#do not reply to 'proxyarp' packets
if [ -e /proc/sys/net/ipv4/proxy_arp ]; thenecho 0 > /proc/sys/net/ipv4/proxy_arp
fi

防 IP spoofing

echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; thenfor f in /proc/sys/net/ipv4/conf/*/rp_filterdoecho 1 > $fdone
fi

防火星 IP 地址

echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

停 ICMP echo messages 廣播

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

停 ICMP echo request 回應

echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all

停路由器假廣播記碌

echo 0 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

設定 FIN-WAIT-2 時間，四十五秒作者建意

echo 45 > /proc/sys/net/ipv4/tcp_fin_timeout

設定 UDP connection timout 時間

echo 60 > /proc/sys/net/ipv4/netfilter/ip_conntrack_udp_timeout

起動 TCP syn cookies

echo 1 > /proc/sys/net/ipv4/tcp_syncookies

停 IP ECN，Explicit Congestion Notification

echo 0 > /proc/sys/net/ipv4/tcp_ecn