2008-05-05
ubuntu firewall shorewall quickstart
Keywords: ubuntu firewall shorewall quickstart
1. apt-get install shorewall
2.
cp /usr/share/doc/shorewall/default-config/policy /etc/shorewall/policy
cp /usr/share/doc/shorewall/default-config/rules /etc/shorewall/rules
cp /usr/share/doc/shorewall/default-config/interfaces /etc/shorewall/interfaces
cp /usr/share/doc/shorewall/default-config/zones /etc/shorewall/zones
3.
modify /etc/shorewall/zones file
add this line 'net ipv4' after 'fw firewall'
4.
modify /etc/shorewall/interfaces file
add this line 'net eth0 detect dhcp,tcpflags,logmartians,nosmurfs' after '#ZONE INTERFACE BROADCAST OPTIONS'
PS: if your IP is static, remove the 'dhcp,' text.
5.
modify /etc/shorewall/policy file
add the following lines
$FW net ACCEPT
net $FW DROP info
net all DROP info
all all REJECT info
after '#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST'
6.
modify /etc/shorewall/rules file
add the following lines
SSH/ACCEPT net $FW
HTTP/ACCEPT net $FW
Ping/ACCEPT net $FW
SMTP/ACCEPT net $FW
DNS/ACCEPT net $FW
FTP/ACCEPT net $FW
POP3/ACCEPT net $FW
after 'SECTION NEW'
then delete the 'SECTION NEW' line
PS: the lines above allow the SSH, HTTP, ping, SMTP, DNS, FTP and POP3 services from the net zone to the firewall.
7.
modify /etc/default/shorewall file
change startup=0 to startup=1
OK, done.
execute '/etc/init.d/shorewall start' to start your firewall
or 'invoke-rc.d shorewall start'
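As an added example (not from the post), a POSIX shell script that applies steps 3 to 6 to a staged copy of the default config and lists the services it exposes; the config directory, interface, address mode and service list are parameters I assumed, so it can be run against a scratch directory before touching /etc/shorewall.

```shell
# Added example (not from the post): apply quickstart steps 3-6 to a copy of the
# default config in DIR, idempotently, so the files can be reviewed before use.

# add_line FILE LINE: append LINE unless an identical line is already present,
# so re-running the script never duplicates entries.
add_line() {
    grep -qxF -- "$2" "$1" 2>/dev/null || printf '%s\n' "$2" >> "$1"
}

# drop_line FILE PATTERN: remove lines matching PATTERN (used for 'SECTION NEW').
drop_line() {
    grep -v -- "$2" "$1" > "$1.tmp" || true   # grep -v exits 1 if nothing remains
    mv "$1.tmp" "$1"
}

# shorewall_quickstart DIR IFACE MODE SERVICE...
#   DIR      directory holding the copied default config (/etc/shorewall in the post)
#   IFACE    external interface (eth0 in the post)
#   MODE     dhcp or static; static omits the 'dhcp' option, as the post's PS says
#   SERVICE  Shorewall macro names to allow from net to the firewall (SSH HTTP ...)
shorewall_quickstart() {
    dir=$1; iface=$2; mode=$3; shift 3
    # Step 3: zones. Line order is irrelevant here, so appending is equivalent
    # to placing 'net ipv4' after 'fw firewall'.
    add_line "$dir/zones" "net   ipv4"
    # Step 4: interfaces, with the post's option list and 'dhcp' only for DHCP hosts.
    opts="tcpflags,logmartians,nosmurfs"
    [ "$mode" = dhcp ] && opts="dhcp,$opts"
    add_line "$dir/interfaces" "net   $iface   detect   $opts"
    # Step 5: policy. First match wins, so the specific $FW->net ACCEPT must
    # come before the catch-all REJECT.
    add_line "$dir/policy" '$FW   net   ACCEPT'
    add_line "$dir/policy" 'net   $FW   DROP   info'
    add_line "$dir/policy" 'net   all   DROP   info'
    add_line "$dir/policy" 'all   all   REJECT   info'
    # Step 6: rules. One ACCEPT macro per service; then drop 'SECTION NEW' as
    # the post instructs.
    for svc in "$@"; do
        add_line "$dir/rules" "$svc/ACCEPT   net   \$FW"
    done
    drop_line "$dir/rules" '^SECTION NEW'
}

# allowed_services RULES_FILE: list the macros the rules file accepts from net,
# a quick way to confirm only the intended services are exposed.
allowed_services() {
    sed -n 's|^\([A-Za-z0-9]*\)/ACCEPT[[:space:]]*net[[:space:]]*[$]FW.*|\1|p' "$1"
}
```

Run it as `shorewall_quickstart /tmp/sw eth0 static SSH HTTP Ping` after copying the default files into /tmp/sw, then compare the result with `allowed_services /tmp/sw/rules` before moving it into place.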
PS:
Shorewall also supports dynamically blocking (dropping or rejecting) an IP address, like Gentoo's dyfw.
Just use
shorewall drop ipaddress
shorewall reject ipaddress