Changeset 0e389d13 for postlfs/security/firewalling-systemd.xml
- Timestamp:
- 10/26/2014 02:55:55 PM (10 years ago)
- Branches:
- krejzi/svn
- Children:
- 169031f
- Parents:
- cb9c6940
- File: 1 moved
postlfs/security/firewalling-systemd.xml
rcb9c6940 r0e389d13 141 141 </caution> 142 142 143 <para>The firewall configuration script installed in the iptables section144 differs from the standard configuration script. It only has two of145 the standard targets: start and status. The other targets are clear146 and lock. For instance if you issue:</para>147 148 <screen role="root"><userinput>/etc/rc.d/init.d/iptables start</userinput></screen>149 150 <para>the firewall will be restarted just as it is upon system startup.151 The status target will present a list of all currently implemented152 rules. The clear target turns off all firewall rules and the lock153 target will block all packets in and out of the computer with the154 exception of the loopback interface.</para>155 156 143 <para>The main startup firewall is located in the file 157 <filename>/etc/ rc.d/rc.iptables</filename>. The sections below provide144 <filename>/etc/systemd/scripts/iptables</filename>. The sections below provide 158 145 three different approaches that can be used for a system.</para> 159 146 … … 178 165 to the Linux 2.6 kernels.</para> 179 166 180 <screen role="root"><?dbfo keep-together="auto"?><userinput>cat > /etc/rc.d/rc.iptables << "EOF" 167 <screen role="root"><?dbfo keep-together="auto"?><userinput>install -v -dm755 /etc/systemd/scripts 168 169 cat > /etc/systemd/scripts/iptables << "EOF" 181 170 <literal>#!/bin/sh 182 171 183 # Begin rc.iptables172 # Begin /etc/systemd/scripts/iptables 184 173 185 174 # Insert connection-tracking modules … … 250 239 iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT " 251 240 252 # End $rc_base/rc.iptables</literal>241 # End /etc/systemd/scripts/iptables</literal> 253 242 EOF 254 chmod 700 /etc/ rc.d/rc.iptables</userinput></screen>243 chmod 700 /etc/systemd/scripts/iptables</userinput></screen> 255 244 256 245 <para>This script is quite simple, it drops all traffic coming … … 284 273 a worm via a buffer-overflow).</para> 285 274 286 <screen role="root"><?dbfo 
keep-together="auto"?><userinput>cat > /etc/rc.d/rc.iptables << "EOF" 275 <screen role="root"><?dbfo keep-together="auto"?><userinput>install -v -dm755 /etc/systemd/scripts 276 277 cat > /etc/systemd/scripts/iptables << "EOF" 287 278 <literal>#!/bin/sh 288 279 289 # Begin rc.iptables280 # Begin /etc/systemd/scripts/iptables 290 281 291 282 echo … … 371 362 372 363 # Enable IP Forwarding 373 echo 1 > /proc/sys/net/ipv4/ip_forward</literal> 364 echo 1 > /proc/sys/net/ipv4/ip_forward 365 366 # End /etc/systemd/scripts/iptables</literal> 374 367 EOF 375 chmod 700 /etc/ rc.d/rc.iptables</userinput></screen>368 chmod 700 /etc/systemd/scripts/iptables</userinput></screen> 376 369 377 370 <para>With this script your intranet should be reasonably secure
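Review bot: the first hunk (old lines 143-154) deletes the only paragraph that told the reader how the firewall script is operated (the start and status targets, the clear and lock targets, and the example `/etc/rc.d/init.d/iptables start`), but the added side only swaps the path to `<filename>/etc/systemd/scripts/iptables</filename>` in the following para; no replacement text says what invokes this script at boot or how to apply, inspect or clear the rules by hand on a systemd system. Suggest adding a short para after the "The main startup firewall is located in the file" sentence that names the mechanism that runs the script and how to re-run it, so the systemd book does not lose the operational instructions the sysv text had.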
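Review bot: in both script listings (the hunks around new lines 167-169/243 and 275-277/368) the file is written with `cat > /etc/systemd/scripts/iptables << "EOF"` first and only tightened with `chmod 700 /etc/systemd/scripts/iptables` after the heredoc, so the file exists with umask-default permissions until the chmod runs, while the new `install -v -dm755 /etc/systemd/scripts` line creates only the directory. This ordering is carried over from the rc.iptables version rather than introduced here, but since the directory is now created explicitly it would be easy to pre-create the file with its intended mode as well, e.g. `install -v -m700 /dev/null /etc/systemd/scripts/iptables` before the `cat`, or to wrap the write in a `(umask 077; cat > ... )` subshell. Suggest applying the same change in both listings so they stay in step, and, while touching them, that the `# End /etc/systemd/scripts/iptables` comment added at new line 366 is a good fix: the second script previously had no end marker and the first referred to an undefined `$rc_base`.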