Firewall script files
With ipchains you can build a firewall, use IP masquerading, and so on. ipchains talks to the kernel and tells it which packets to filter. All firewall settings are therefore held in the kernel and are lost when the system reboots.
To avoid this, we recommend using a System V init script to make the security policy permanent. To do so, create a firewall script file under "/etc/rc.d/init.d" for each server, as in the examples below. To be on the safe side, each server offers different services and uses a different firewall configuration. For this reason we provide a series of different firewall configurations that you can test and adapt to your own needs. We also assume that you have a basic knowledge of packet-filtering firewalls and of how firewall rules work.
Configuring the "/etc/rc.d/init.d/firewall" script file for a Web server
Below is the configuration script file we use for our Web server. This configuration allows all traffic on the loopback interface and, by default, ICMP, DNS caching and client server (53), SSH server (22), HTTP server (80), HTTPS server (443), SMTP client (25), FTP server (20, 21) and OUTGOING TRACEROUTE requests (used to find where errors occur on the path to an address; translator's note).
If you do not need some of the services I list by default in the file below, you can comment them out by adding "#" at the start of the line. If you need a service that is commented out, just remove the "#" at the start of that line.
Create the following firewall script file on the Web server (with touch /etc/rc.d/init.d/firewall):
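As an added example (not the book's script), the service list above turned into ipchains rule pairs, one for the incoming side and one for the reply side, with a dry-run default so the generated rules can be read before they are loaded. The variable names and sample addresses are constructed to mirror the definitions block of the book's script; the FTP data port (20) is deliberately left out because active-mode data connections are server-initiated and need a different pair.

```shell
#!/bin/sh
# Added example (not the book's script): turns the service list from the text
# into ipchains rule pairs. Dry-run by default: rules are printed, not loaded.
# Set IPCHAINS=/sbin/ipchains to apply them for real.
IPCHAINS="${IPCHAINS:-echo ipchains}"

# Constructed sample values, mirroring the definitions block of the book's script.
EXTERNAL_INTERFACE="eth0"
IPADDR="208.164.186.3"
ANYWHERE="any/0"
SMTP_SERVER="mail.openarch.com"
UNPRIVPORTS="1024:65535"

# A service we offer on <port>: new connections may come in, but only non-SYN
# packets go back out ("! -y" = not a SYN), so this port can never initiate.
# -y is TCP-only, so for UDP the flag is omitted ($syn is unquoted on purpose).
allow_server() {  # allow_server <tcp|udp> <port>
    syn=""
    if [ "$1" = "tcp" ]; then syn="! -y"; fi
    $IPCHAINS -A input  -i "$EXTERNAL_INTERFACE" -p "$1" \
        -s "$ANYWHERE" "$UNPRIVPORTS" -d "$IPADDR" "$2" -j ACCEPT
    $IPCHAINS -A output -i "$EXTERNAL_INTERFACE" -p "$1" $syn \
        -s "$IPADDR" "$2" -d "$ANYWHERE" "$UNPRIVPORTS" -j ACCEPT
}
# A service we use on a remote host: we initiate; only non-SYN replies come back.
allow_client() {  # allow_client <tcp|udp> <remote-host> <port>
    syn=""
    if [ "$1" = "tcp" ]; then syn="! -y"; fi
    $IPCHAINS -A output -i "$EXTERNAL_INTERFACE" -p "$1" \
        -s "$IPADDR" "$UNPRIVPORTS" -d "$2" "$3" -j ACCEPT
    $IPCHAINS -A input  -i "$EXTERNAL_INTERFACE" -p "$1" $syn \
        -s "$2" "$3" -d "$IPADDR" "$UNPRIVPORTS" -j ACCEPT
}
# The Web server profile from the text. Comment a line out to drop a service.
build_rules() {
    $IPCHAINS -F                 # flush first, so re-running never duplicates rules
    $IPCHAINS -P input DENY      # default policy: drop whatever no rule below allows
    $IPCHAINS -A input  -i lo -j ACCEPT
    $IPCHAINS -A output -i lo -j ACCEPT
    $IPCHAINS -A input  -i "$EXTERNAL_INTERFACE" -p icmp -s "$ANYWHERE" -d "$IPADDR" -j ACCEPT
    $IPCHAINS -A output -i "$EXTERNAL_INTERFACE" -p icmp -s "$IPADDR" -d "$ANYWHERE" -j ACCEPT
    allow_server udp 53    # DNS
    allow_server tcp 22    # SSH
    allow_server tcp 80    # HTTP
    allow_server tcp 443   # HTTPS
    allow_server tcp 21    # FTP control; active-mode data (20) is server-initiated
    allow_client tcp "$SMTP_SERVER" 25   # SMTP client to the mail hub
}
# Audit helper: number of ACCEPT rules the profile produces.
count_accept_rules() { build_rules | grep -c -e '-j ACCEPT'; }
```

Run it once with the default dry run and check the printed rules against the service list before pointing IPCHAINS at the real binary.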
#!/bin/sh
#
# ----------------------------------------------------------------------------
# Last modified by Gerhard Mourani: 02-01-2000
# ----------------------------------------------------------------------------
# Copyright (C) 1997, 1998, 1999 Robert L. Ziegler
#
# Permission to use, copy, modify, and distribute this software and its
# documentation for educational, research, private and non-profit purposes,
# without fee, and without a written agreement is hereby granted.
# This software is provided as an example and basis for individual firewall
# development. This software is provided without warranty.
#
# Any material furnished by Robert L. Ziegler is furnished on an
# "as is" basis. He makes no warranties of any kind, either expressed
# or implied as to any matter including, but not limited to, warranty
# of fitness for a particular purpose, exclusivity or results obtained
# from use of the material.
# ----------------------------------------------------------------------------
#
# Invoked from /etc/rc.d/init.d/firewall.
# chkconfig: - 60 95
# description: Starts and stops the IPCHAINS Firewall \
# used to provide Firewall network services.
# Source function library.
. /etc/rc.d/init.d/functions
# Source networking configuration.
. /etc/sysconfig/network
# Check that networking is up.
[ "${NETWORKING}" = "no" ] && exit 0
# See how we were called.
case "$1" in
start)
echo -n "Starting Firewalling Services: "
# Some definitions for easy maintenance.
# ----------------------------------------------------------------------------
# EDIT THESE TO SUIT YOUR SYSTEM AND ISP.
EXTERNAL_INTERFACE="eth0" # whichever you use
LOOPBACK_INTERFACE="lo"
IPADDR="208.164.186.3"
ANYWHERE="any/0"
NAMESERVER_1="208.164.186.1" # Your primary name server
NAMESERVER_2="208.164.186.2" # Your secondary name server
SMTP_SERVER="mail.openarch.com" # Your Mail Hub Server.