
Linux服务器上适用的防火墙(转自CU)

作者:闵涛 文章来源:闵涛的学习笔记 点击数:3053 更新时间:2009/4/22 23:08:00
32m [ OK ] \033[0m\n"
fi

if [ -e /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses ]
then
echo -e "\n\tEnable bad error message protection......."
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi
if [ -e /proc/sys/net/ipv4/tcp_ecn ]
then
echo -e "\n\tDisabling tcp_ecn,please wait..."
echo 0 >/proc/sys/net/ipv4/tcp_ecn
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi
if [ -e /proc/sys/net/ipv4/tcp_reordering ]
then
echo -e "\n\tchangling tcp_reordering,please wait..."
echo 0 >/proc/sys/net/ipv4/tcp_reordering
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi
if [ -e /proc/sys/net/ipv4/tcp_wmem ]
then
echo -e "\n\tchanging tcp_wmem,please wait..."
echo "4096 16384 131072" >/proc/sys/net/ipv4/tcp_wmem
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi

if [ -e /proc/sys/net/ipv4/tcp_rmem ]
then
echo -e "\n\tchanging tcp_rmem,please wait..."
echo "4096 87380 174760" >/proc/sys/net/ipv4/tcp_rmem
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi

if [ -e /proc/sys/net/ipv4/tcp_mem ]
then
echo -e "\n\tchanging tcp_mem,please wait..."
echo "97280 97792 98304" >/proc/sys/net/ipv4/tcp_mem
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi

if [ -e /proc/sys/net/ipv4/tcp_adv_win_scale ]
then
echo -e "\n\tchanging tcp_adv_win_scale,please wait..."
echo 2 >/proc/sys/net/ipv4/tcp_adv_win_scale
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi

if [ -e /proc/sys/net/ipv4/tcp_rfc1337 ]
then
echo -e "\n\tchanging tcp_rfc1337,please wait..."
echo 0 >/proc/sys/net/ipv4/tcp_rfc1337
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi


if [ -e /proc/sys/net/ipv4/conf/all/accept_redirects ]

then

echo -e "\n\tDisabing ICMP redirects,please wait...."
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi

if [ -e /proc/sys/net/ipv4/conf/all/accept_source_route ]

then
echo -e "\n\tDisabling source routing of packets,please wait...."
for i in /proc/sys/net/ipv4/conf/*/accept_source_route

do
echo 0 > $i

done
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"

fi
if [ -e /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts ]
then
echo -e "\n\tIgnore any broadcast icmp echo requests......"
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi


if [ -e /proc/sys/net/ipv4/icmp_destunreach_rate ]
then
echo -e "modify icmp_destunreach_rate and icmp_echoreply_rate.."
echo 5 > /proc/sys/net/ipv4/icmp_destunreach_rate
echo 5 > /proc/sys/net/ipv4/icmp_echoreply_rate
echo 5 > /proc/sys/net/ipv4/icmp_ratelimit
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi
if [ -e /proc/sys/net/ipv4/bootp_relay ]
then
echo -e "\n\tDisable the bootp_relay......"
echo 0 > /proc/sys/net/ipv4/conf/all/bootp_relay
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi
#
if [ -e /proc/sys/net/ipv4/tcp_timestamps ]
then
echo -e "\n\tDisable the tcp_timestamps......"
echo 0 > /proc/sys/net/ipv4/tcp_timestamps
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi
if [ -e /proc/sys/net/ipv4/tcp_fin_timeout ]
then
echo -e "\n\tSetting up tcp_fin_timeout...."
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi

if [ -e /proc/sys/net/ipv4/tcp_window_scaling ]
then
echo -e "\n\tDisabling tcp_window_scaling...."
echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi
if [ -e /proc/sys/net/ipv4/tcp_sack ]
then
echo -e "\n\tDisabling tcp_sack...."
echo 0 > /proc/sys/net/ipv4/tcp_sack
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi

if [ -e /proc/sys/net/ipv4/tcp_abort_on_overflowe ]
then
echo -e "\n\t Enabling tcp_abort_on_overflow"
echo 1 > /proc/sys/net/ipv4/tcp_abort_on_overflow
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi
if [ -e /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses ]
then
echo -e "\n\t Enabling icmp_ignore_bogus_error_responses"
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi
if [ -e /proc/sys/net/ipv4/forwarding ]
then
echo -e "\n\t disabling forwarding"
echo 1 > /proc/sys/net/ipv4/forwarding
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi
if [ -e /proc/sys/net/ipv4/mc_forwarding ]
then
echo -e "\n\t disabling mc_forwarding"
echo 1 > /proc/sys/net/ipv4/mc_forwarding
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi
if [ -e /proc/sys/net/ipv4/config/all/log_martians ]

then
echo -e "\n\tnot LOG packets with impossible addresses to kernel log...."
echo 0 > /proc/sys/net/ipv4/conf/all/log_martians
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi
for x in /proc/sys/net/ipv4/conf/*/log_martians; do
echo 1 > $x
done
if [ -e /proc/sys/net/ipv4/conf/all/proxy_arp ]
then
echo -e "\n\tdisable proxy_arp...."
echo 0 > /proc/sys/net/ipv4/conf/all/proxy_arp
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi
if [ -e /proc/sys/net/ipv4/conf/all/send_redirects ]
then
echo -e "\n\tdisable send_redirects...."
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi

if [ -e /proc/sys/net/ipv4/conf/all/secure_redirects ]
then
echo -e "\n\tenable secure_redirects...."
echo 1 > /proc/sys/net/ipv4/conf/all/secure_redirects
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi
echo 1 >/proc/sys/net/ipv4/icmp_echo_ignore_all


}

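unload_module()
{
# Unload the netfilter modules this script may have loaded.  The list is
# ordered so that the dependants (ipt_*, ip_nat_*, ip_conntrack_*,
# iptable_*) come before ip_tables, which they all depend on; keep that
# order when editing it.
# A module counts as loaded only when it appears as a whole name in the
# first column of lsmod, so "ipt_LOG" no longer matches "ipt_LOGX" or a
# name that merely contains it.  rmmod's output and exit status are
# discarded on purpose (as in the original): a module that is still in
# use simply stays loaded.
local MODULE
for MODULE in ipt_TTL iptable_mangle ipt_mark ipt_MARK ipt_MASQUERADE ip_nat_irc ip_nat_ftp ipt_LOG \
ipt_limit ipt_REJECT ip_conntrack_irc ip_conntrack_ftp ipt_state iptable_nat iptable_filter ip_tables; do
if lsmod | awk '{print $1}' | grep -qxF -- "$MODULE"; then
rmmod "$MODULE" > /dev/null 2>&1
fi
done
}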

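fw_config_value()
{
# Print the value of key $1 from the firewall config file $2.
# Only a line that starts with "KEY=" (optionally after leading blanks)
# counts, so a commented-out key ("# UPLINK=...") or a longer key that
# merely contains KEY as a substring is not picked up.  Like the original
# "cut -d = -f 2", only the text up to the second "=" is printed and
# surrounding blanks are kept; callers that expand the value unquoted get
# it word-split exactly as before.
# $1 is used inside a regex: the keys passed below are fixed identifiers,
# so no escaping is needed.
grep -- "^[[:space:]]*$1=" "$2" | cut -d = -f 2
}

load_config()
{
# Read firewall.conf into the global variables the rest of the script
# uses (UPLINK, UPIP, INTERFACES, LOAD_MODULES, LOG_ILLEGAL_FLAGS,
# OPEN_TCP, OPEN_UDP, TCP_PORT_LOG, DENYIP, UDP_PORT_LOG,
# MALFORMED_PACKET_LOG, MANAGE_IP, DISABLE_ALL_LOG).
# FW_LOCATE may be preset in the environment to use another directory
# (handy for testing without root); it defaults to /etc/firewall as before.
# When the file is missing it is created with the author's example
# settings; the interface names and addresses in it are placeholders that
# a real deployment must replace before the rule set is trusted.  Note
# that the example file also writes DENYUDPPORT and LAN_IF, which this
# function never reads, and omits UDP_PORT_LOG, which it does read.
local conf
FW_LOCATE=${FW_LOCATE:-/etc/firewall}
conf=$FW_LOCATE/firewall.conf
if [ ! -e "$FW_LOCATE" ]
then
mkdir -p -- "$FW_LOCATE"
fi

if [ ! -f "$conf" ]
then
echo "can not find firewall.conf,creating one with default setting..."
echo -e " UPLINK=eth1 \n UPIP=211.137.58.48 \n INTERFACES=lo eth0 \n LOAD_MODULES=no \n LOG_ILLEGAL_FLAGS=yes \n DENYIP=10.0.0.1 10.0.0.255 \n DENYUDPPORT=7 9 19 107 137 138 139 161 199 369 \n TCP_PORT_LOG=135 137 138 139 445 500 1433 3306 515 513 \n OPEN_TCP= 21 22 \n OPEN_UDP= \n LAN_IF=eth0 \n MALFORMED_PACKET_LOG=no \n MANAGE_IP=61.129.112.46 \n DISABLE_ALL_LOG=no \n " > "$conf"
fi

echo -e "\t\t\t Loading the firewall configuration.......\n"

UPLINK=$(fw_config_value UPLINK "$conf")
UPIP=$(fw_config_value UPIP "$conf")
INTERFACES=$(fw_config_value INTERFACES "$conf")
LOAD_MODULES=$(fw_config_value LOAD_MODULES "$conf")
LOG_ILLEGAL_FLAGS=$(fw_config_value LOG_ILLEGAL_FLAGS "$conf")
OPEN_TCP=$(fw_config_value OPEN_TCP "$conf")
OPEN_UDP=$(fw_config_value OPEN_UDP "$conf")
TCP_PORT_LOG=$(fw_config_value TCP_PORT_LOG "$conf")
DENYIP=$(fw_config_value DENYIP "$conf")
UDP_PORT_LOG=$(fw_config_value UDP_PORT_LOG "$conf")
# The original grepped for the misspelt key "MALFORED_PACKET_LOG", so this
# setting was never actually read from the file; look up the real key.
MALFORMED_PACKET_LOG=$(fw_config_value MALFORMED_PACKET_LOG "$conf")
MANAGE_IP=$(fw_config_value MANAGE_IP "$conf")
DISABLE_ALL_LOG=$(fw_config_value DISABLE_ALL_LOG "$conf")

# A global "yes" switches every logging option off, whatever the
# individual keys say.
if [ "$DISABLE_ALL_LOG" = "yes" ]; then
MALFORMED_PACKET_LOG=no
UDP_PORT_LOG=
TCP_PORT_LOG=
LOG_ILLEGAL_FLAGS=no
fi
}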

# Start of the script's top-level flow.  Both helpers are defined earlier in
# the file (not visible here).  Presumably check_root aborts unless the
# script runs as root, which the /proc/sys writes and the module and
# iptables handling below require, and check_enviroment validates the
# tooling it needs -- confirm against their definitions before relying on
# either.  Nothing in this file enables "set -e", so a failing helper only
# stops the script if it exits explicitly.
check_root
check_enviroment

# if [ "$NAT" == "DHCP" ]; then
# if [ -z "$UPIP" ]; then
# echo " [ WAIT ]"
# echo -n "-> $UPLINK has no IP address. Waiting for DHCP"
# for COUNT in 1 2 3 4 5 6 7 8 9 10; do
# sleep 1
# echo -n "*#"
# UPIP=`ifconfig ${UPLINK} | grep inet | cut -d : -f 2 | cut -d " " -f 1`
# if [ -n "$UPIP" ]; then
# echo " [ FOUND ]"
# break
# else
# if [ "$COUNT" == "10" ]; then
# echo " [ MISSING ]"
# echo "-> WARNING: IP address for $UPLINK not found. "
# fi
# fi
# done
# fi
#fi

if [ "$1" = "start" ]
then
echo "Starting firewall......"

ip_stack_adjust
load_config

echo -e "Now prepareing the kernel to use for a firewall ,please wait....."

#if [ "$NAT" = " dynamic " ]
# then
# echo -e "\n\tEnable dynamic ip support...."
# echo 1 > /proc/sys/net/ipv4/ip_dynaddr
# echo -e "\t\t\t\t\033[3;032m [ OK ] \033[0m\n"
# fi

#echo 0 > /proc/sys/net/ipv4/conf/all/bootp_relay

#depmod -a

#define the load modules function

if [ "$LOAD_MODULES" = "yes" ]
then

if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_tables.o ]
then
echo -e "\n\tLoading iptables modules please wait...."
mp ip_tables
mp ipt_LOG
mp ipt_owner
