歡迎來到Linux教程網
Linux教程網
Linux教程網
Linux教程網
您现在的位置: Linux教程網 >> UnixLinux >  >> Linux綜合 >> Linux資訊 >> 更多Linux

使用IPFILTER設置小型企業防火牆步驟

  一、 網絡環境  1、主機A:安裝freebsd4.7,安裝三塊網卡fXP0、xl0和xl1。  fxp0為對外網卡,IP:x.x.x.x ISP為我提供的IP地址  xl0為對內公共區域網卡,IP:192.168.0.1  xl1為對內服務提供區域網卡,IP:192.168.80.1  2、主機B:對外提供www服務主機,ip地址為:192.168.80.80  3、主機C:對外提供FTP服務主機,ip:192.168.80.3。  4、其他工作站N台。    二、編譯內核  1、#cd /sys/i386/conf  #cp GENERIC kernel_IPF    2、編譯kernel_IPF,加入一下選項:  options IPFILTER  options IPFILTER_LOG  options IPFILTER_DEFAULT_BLOCK    3、#/usr/sbin/config kernel_IPF  #cd ../../compile/kernel_IPF  #make kepend  #make  #make install    4、編輯/etc/rc.rc.conf,打開以下選項:  defaultrouter="x.x.x.1" x.x.x.1為ISP提供的網關  gateway_enable="YES"  ipfilter_enable="YES"  ipnat_enable="YES"  5、重新啟動系統:reboot    三、配置防火牆  1、 設置地址轉換ipnat。在/etc下新建文件ipnat.rules,內容為:  map fxp0 192.168.0.0/16 -> 0/32 proxy port ftp ftp/tcp  map fxp0 192.168.0.0/24 -> 0/32 portmap tcp/udp 10000:30000  map fxp0 192.168.0.0/24 -> 0/32  map fxp0 192.168.80.0/24 -> 0/32 portmap tcp/udp 300001:60000  map fxp0 192.168.80.0/24 -> 0/32 portmap  rdr fxp0 x.x.x.x/32 port 80 -> 192.168.0.2 port 80  rdr fxp0 x.x.x.x/32 port ftp -> 192.168.0.3 port ftp  rdr fxp0 x.x.x.x/32 port 30001-50000 -> 192.168.80.3 port 30001 tcp    2、設置包過濾ipfilter。在/etc下新建文件ipf.rules,內容為:  block in log quick all with short  block in log quick all with ipopts  block in log quick all with frag  block in log quick all with opt lsrr  block in log quick all with opt ssrr    以上五句為過濾掉可能會帶來安全問題的短數據包或具備路由信息的數據包以及防止非法掃描服務器    pass out on xl0 all  pass in on xlo all  pass out on xl1 all  pass in on xl1 all  pass out quick on lo0 all  pass in quick on lo0 all  以上為內部網絡界面和loopback網絡界面可以自由發送和接受數據包    block out on fxp0 all  以上為屏蔽外部網絡界面向外發送數據包    block out log on fxp0 from any to 192.168.0.0/16  block out log quick on fxp0 from any to 0.0.0.0/8  block out log quick on fxp0 from any to 169.254.0.0/8  block out log quick on fxp0 from any to 10.0.0.0/8  block out log quick on fxp0 from any to 127.16.0.0/12  block out log quick on fxp0 from any to 127.0.0.0/8  block out log quick on fxp0 from any to 192.0.2.0/24  block out log quick on fxp0 from any to 204.152.64.0/23  block out log quick on fxp0 from any to 224.0.0.0/3  以上為屏蔽不合法地址的輸出數據    pass out log on fxp0 proto tcp/udp from any to any keep state  pass out log on fxp0 proto icmp all keep state  以上為允許TCP 、UDP、ICMP數據包向外發送出去,並且允許回應數據包發送回到內部網絡    block in log on fxp0 from 192.168.0.0/16 to any  block in log quick on fxp0 from 10.0.0.0/8 to any  block in log quick on fxp0 from 172.16.0.0/12 to any  block in log quick on fxp0 from 127.0.0.0/8 to any  block in log quick on fxp0 from 192.0.2.0/24 to any  block in log quick on fxp0 from 169.254.0.0/16 to any  block in log quick on fxp0 from 224.0.0.0/3 to any  block in log quick on fxp0 from 204.152.64.0/23 to any  block in log quick on fxp0 from x.x.x.x/32 to any  block in log quick on fxp0 from any to x.x.x.0/32  block in log quick on fxp0 from any to x.x.x.255/32  以上為屏蔽具備內部網絡地址的數據包被轉發到外部網絡    pass in quick on fxp0 proto tcp from any to any port = 80 flags S/SA keep state  pass in quick on fxp0 proto tcp from any to any port = ftp flags S/SA keep state  pass in quick on fxp0 proto tcp from any to any port = ftp-data flags S/SA keep state  pass in quick on fxp0 proto tcp from any to any port 30000 >< 50001 flags S/SA keep state  以上為允許www和ftp進入,並且允許對ftp數據端口的數據進行轉發    block in quick on fxp0 all  禁止其他的連接進入fxp0    block in log quick on fxp0 proto icmp from any to any icmp-type redir  block in log quick on fxp0 proto icmp from any to any  block in log quick on fxp0 proto icmp from any to any icmp-type echo  以上為禁止別人ping我得網絡    block return-rst in log on fxp0 proto tcp from any to any flags S/SA  block return-icmp(net-unr) in log on fxp0 proto udp from any to any  以上對其他tcp請求,防火牆回應一個RST數據包關閉連接。對UDP請求,防火牆回應網絡不可達到的ICMP包。  或者在/etc/sysctl.conf中加入:  net.inet.tcp.blackhole=2  net.inet.udp.blackhole=1  能夠有效地避免端口掃描    3、然後編輯/etc/rc.conf,加入一下命令,讓ipfilter和ipnat在系統啟動的時候可以自動加載:  ipfilter_enables=”YES”  ipf –C –f /etc/ipf.rules  ipfilter_flags=”-E”    ipnat_enable=”YES”  ipnat_program=”/sbin/ipnat –CF -f”  ipnat_rules=”/etc/ipnat.rules”    ipmon_enable=”YES”  ipmon_flags=”-D /var/log/ipfilter.log”  4、在/usr/log/建立文件ipfilter.log,並更改其屬性為755,這樣你的防火牆日志就記錄到/var/log/ipfilter.log文件中,可以隨時對其進行查看。    四、設置FTP服務器,使其支持被動連接(pasv)  1.Proftpd:編輯你的proftpd的配置文件proftpd.conf,加入一下內容:  MasqueradeAddress x.x.x.x  PassivePorts 30001 50000  2.Pure-ftpd:編輯你的FTP配置文件,加入一下內容:  PassivePortRange 30001 50000  ForcePassiveIP x.x.x.x  3.Serv-U:  a、在serv-U的”本地服務器”―――”設置”―――”高級”―――”PASV端口范圍”輸入30001 50000  b、在serv-U的”域”―――”你自己建立的域”―――”設置”―――”高級”選中”允許被動模式傳送”,” 使用IP”輸入:x.x.x.x




Copyright © Linux教程網 All Rights Reserved