Molet

Ubuntu Linux系统下设置shorewall防火墙

Molet 安全防护 2023-01-19 414浏览 0

服务器采用Ubuntu作为操作系统,两块网卡,一块接外网(eth0),一块接内网(eth1)。采用shorewall作为防火墙。

配置网卡:

sudo vi /etc/network/interfaces

Ubuntu下设置shorewall防火墙

服务器采用Ubuntu作为操作系统,两块网卡,一块接外网(eth0),一块接内网(eth1)。采用shorewall作为防火墙。

配置网卡:

sudo vi /etc/network/interfaces ———————————————— # This file describes the network interfaces available on your system # and how to activate them. For more information, see interfaces(5).

# The loopback network interface auto lo iface lo inet loopback

# This is a list of hotpluggable network interfaces. # They will be activated automatically by the hotplug subsystem. mapping hotplug script grep map eth0

# The primary network interface iface eth0 inet static address 192.168.2.250 netmask 255.255.255.0 network 192.168.2.0 broadcast 192.168.2.255 gateway 192.168.2.1 # dns-* options are implemented by the resolvconf package, if installed dns-nameservers 202.96.209.6

auto eth1 iface eth1 inet static address 192.168.10.254 netmask 255.255.255.0 network 192.168.10.0 broadcast 192.168.10.255

1、安装shorewall

sudo apt-get install shorewall

2、拷贝配置文件

sudo cp /usr/share/shorewall/modules /etc/shorewall

sudo cp /usr/share/doc/shorewall/default-config/policy /etc/shorewall/

sudo cp /usr/share/doc/shorewall/default-config/nat /etc/shorewall/

sudo cp /usr/share/doc/shorewall/default-config/zones /etc/shorewall/

sudo cp /usr/share/doc/shorewall/default-config/maclist /etc/shorewall/

sudo cp /usr/share/doc/shorewall/default-config/blacklist /etc/shorewall/

sudo cp /usr/share/doc/shorewall/default-config/interfaces /etc/shorewall/interfaces

sudo cp /usr/share/doc/shorewall/default-config/rules /etc/shorewall/rules

sudo cp /usr/share/doc/shorewall/default-config/hosts /etc/shorewall/hosts

sudo cp /usr/share/doc/shorewall/default-config/masq /etc/shorewall/masq

3、配置网卡

sudo vi /etc/shorewall/interfaces

在倒数第二行,也就是在 “#LAST LINE — ADD YOUR ENTRIES BEFORE THIS ONE — DO NOT REMOVE” 这一行之后加上:

net eth0 detect

loc eth1 detect

4、配置网络别名

sudo vi /etc/shorewall/zones

在倒数第二行,也就是在 “#LAST LINE — ADD YOUR ENTRIES BEFORE THIS ONE — DO NOT REMOVE” 这一行之后加上:

net Net Internet

loc Local Local Networks

5、配置IP伪装,也就是透明代理

sudo vi /etc/shorewall/masq

在倒数第二行,也就是在 “#LAST LINE — ADD YOUR ENTRIES BEFORE THIS ONE — DO NOT REMOVE” 这一行之后加上:

eth0 eth1

6、配置策略

sudo vi /etc/shorewall/policy

在#LAST LINE — DO NOT REMOVE这一行最后加上:

loc net ACCEPT

net all DROP info

all all REJECT info

7、配置防火墙规则

sudo vi /etc/shorewall/rules

在倒数第二行,也就是在 “#LAST LINE — ADD YOUR ENTRIES BEFORE THIS ONE — DO NOT REMOVE” 这一行后加上:

#incoming traffic (由 internet 去 firewall)

AllowSSH net fw

AllowDNS net fw

AllowWeb net fw

AllowSMB net fw

AllowNNTP net fw

AllowNTP net fw

AllowRdate net fw

AllowSMTP net fw

DropPing net fw

#outgoing traffic (由 firewall 去 internet)

AllowWeb fw net

AllowDNS fw net

AllowSMTP fw net

AllowSMB fw net

AllowSMTP fw net

AllowNNTP fw net

AllowNTP fw net

AllowRdate fw net

AllowSSH fw net

#open special ports

ACCEPT net fw tcp 9980

8、修改 shorewall.conf 自动开启 IP 转发

sudo gedit /etc/shorewall/shorewall.conf

查找到:

IP_FORWARDING=Keep

修改为:

IP_FORWARDING=On

# 保存关闭文件

9、修改 /etc/default/shorewall 自动运行防火墙

sudo vi /etc/default/shorewall

查找到:

startup=0

修改为:

startup=1

10、启动防火墙

sudo shorewall start

11、至此防火墙配置完成。

继续浏览有关 安全 的文章
发表评论