I am applying some rules on a machine with the firewall disabled, but when I run rcSuSEfirewall2 a lot of rules and policies get applied by default:
iptables -L
Chain INPUT (policy DROP)
target     prot opt source    destination
ACCEPT     all  --  anywhere  anywhere
ACCEPT     all  --  anywhere  anywhere  state ESTABLISHED
ACCEPT     icmp --  anywhere  anywhere  state RELATED
input_ext  all  --  anywhere  anywhere
input_ext  all  --  anywhere  anywhere
LOG        all  --  anywhere  anywhere  limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-IN-ILL-TARGET '
DROP       all  --  anywhere  anywhere
Chain FORWARD (policy DROP)
target     prot opt source    destination
LOG        all  --  anywhere  anywhere  limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-FWD-ILL-ROUTING '
Chain OUTPUT (policy ACCEPT)
target     prot opt source    destination
ACCEPT     all  --  anywhere  anywhere
Chain forward_ext (0 references)
target     prot opt source    destination
Chain input_ext (2 references)
target     prot opt source    destination
DROP       all  --  anywhere  anywhere  PKTTYPE = broadcast
ACCEPT     icmp --  anywhere  anywhere  icmp source-quench
ACCEPT     icmp --  anywhere  anywhere  icmp echo-request
LOG        all  --  anywhere  anywhere  limit: avg 3/min burst 5 PKTTYPE = multicast LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT '
DROP       all  --  anywhere  anywhere  PKTTYPE = multicast
DROP       all  --  anywhere  anywhere  PKTTYPE = broadcast
LOG        tcp  --  anywhere  anywhere  limit: avg 3/min burst 5 tcp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT '
LOG        icmp --  anywhere  anywhere  limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT '
LOG        udp  --  anywhere  anywhere  limit: avg 3/min burst 5 state NEW LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT '
DROP       all  --  anywhere  anywhere
Chain reject_func (0 references)
target     prot opt source    destination
REJECT     tcp  --  anywhere  anywhere  reject-with tcp-reset
REJECT     udp  --  anywhere  anywhere  reject-with icmp-port-unreachable
REJECT     all  --  anywhere  anywhere  reject-with icmp-proto-unreachable
Back to my question: how can I set the SUSE firewall so that at boot all chains show an ACCEPT policy? Like this:
iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source    destination
(my custom DROP Rule)
Chain FORWARD (policy ACCEPT)
target     prot opt source    destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source    destination
PS: I know it sounds pointless, but that is because I am adding extra rules in /etc/sysconfig/scripts/SuSEfirewall2-custom
I am using SuSE Linux Enterprise Server 11 Service Pack 3
Update:
I double-checked whether the YaST firewall has an option to set the policy to "accept", but there is nothing.
Answer 1
Well, I want to share this workaround; I don't think it is as elegant as I would like, but it works.
First create a file and name it whatever you want, e.g. fwsrv
#!/bin/bash
# Author: Francisco Tapia
#
# /etc/init.d/fwsrv
#
### BEGIN INIT INFO
# Provides: fwsrv
# Required-Start: network
# Should-Start: $null
# Required-Stop: $null
# Should-Stop: $null
# Default-Start: 5
# Default-Stop: 5
# Short-Description: Executes iptables rules.
# Description: this is not a service.
### END INIT INFO
# SUSE init-script helpers: rc_reset, rc_status, rc_exit
. /etc/rc.status
rc_reset
case "$1" in
    start)
        # use colour for ease of spotting
        echo -e "\E[36mRunning $0 (start)...\E[0m"
        /etc/init.d/fwsrv.d/start
        # record the exit status so rc_exit reports it
        rc_status -v
        echo -e "\E[36mDone $0 \E[0m"
        ;;
    stop)
        echo -e "\E[36mRunning $0 (stop)...\E[0m"
        /etc/init.d/fwsrv.d/stop
        rc_status -v
        echo -e "\E[36mDone $0 \E[0m"
        ;;
    restart)
        $0 stop
        $0 start
        rc_status
        ;;
    *)
        echo "Usage: $0 (start|stop|restart)"
        exit 1
        ;;
esac
rc_exit
Then create 2 files, one named start and the other stop, with this content in the script.
#!/bin/bash
# run scripts with names starting 0-9 in foreground. if you want to
# put a script in start.d and you care about when it gets run in relation
# to other scripts, give it a name starting 0-9
# (the stop copy of this script should look in stop.d instead of start.d;
# the answer shows only this one file, so that is an assumption)
for i in "$(dirname "$0")"/start.d/[0-9]*; do
    test -x "$i" && echo -e "\E[36mRunning ${i} \E[0m" && "$i"
done
# run scripts with names starting a-z in the background
# as this reduces the over all time this script takes to run.
for i in "$(dirname "$0")"/start.d/[a-z]*; do
    test -x "$i" && echo -e "\E[36mRunning ${i} \E[0m" && "$i" &
done
# wait for children to exit
wait
The last one is called rules and will contain all the rules I want:
#!/bin/bash
# load the SuSEfirewall2 defaults first, then undo them below
rcSuSEfirewall2 start
# default policy ACCEPT on every built-in chain of the filter table
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
# flush all chains of the filter table; user chains such as input_ext
# are emptied but stay defined (iptables -X would delete the empty ones)
iptables -F
#My Desired Rules
Then run the following commands in a terminal.
cp fwsrv /etc/init.d/fwsrv
chmod u+x /etc/init.d/fwsrv
mkdir -p /etc/init.d/fwsrv.d/start.d
mkdir -p /etc/init.d/fwsrv.d/stop.d
cp start /etc/init.d/fwsrv.d/start
cp stop /etc/init.d/fwsrv.d/stop
chmod u+x /etc/init.d/fwsrv.d/start
chmod u+x /etc/init.d/fwsrv.d/stop
cp rules /etc/init.d/fwsrv.d/start.d/rules
chmod u+x /etc/init.d/fwsrv.d/start.d/rules
insserv /etc/init.d/fwsrv
Now the machine will start the firewall at boot, clear all rules and apply all the custom rules. If you want to add more rules, just edit the rules file in /etc/init.d/fwsrv.d/start.d/
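A check for the end state this workaround is supposed to leave behind, added here as an example and not part of the answer: it reads an `iptables -L` dump and reports any built-in chain whose policy is not ACCEPT, plus any SuSEfirewall2 user chain that survived the flush. The two sample_* functions return constructed dumps (trimmed from the question) so it runs offline; the DROP rule's source address in the second one is a made-up placeholder.

```shell
# Added example (not the answer's code): checks an `iptables -L` dump for the
# state the rules script is meant to leave behind. All functions read the dump
# on stdin; the sample_* functions emit constructed dumps for offline use.

# check_policies: prints each built-in chain whose policy is not ACCEPT.
# Exit 0 if INPUT, FORWARD and OUTPUT are all ACCEPT, 1 if any is not,
# 2 if one of them is missing from the dump (truncated output).
check_policies() {
    awk '
        /^Chain (INPUT|FORWARD|OUTPUT) \(policy / {
            chain = $2; pol = $4; sub(/\)$/, "", pol)
            seen[chain] = 1
            if (pol != "ACCEPT") { bad++; print chain " policy is " pol }
        }
        END {
            if (!seen["INPUT"] || !seen["FORWARD"] || !seen["OUTPUT"]) exit 2
            exit (bad ? 1 : 0)
        }'
}

# leftover_sfw2_chains: lists SuSEfirewall2 user chains still present.
# `iptables -F` empties them but does not delete them (`iptables -X` would).
leftover_sfw2_chains() {
    awk '/^Chain (input_ext|forward_ext|reject_func) / { print $2 }'
}

# Constructed dump, trimmed from the question: SuSEfirewall2 defaults.
sample_default() {
    cat <<'EOF'
Chain INPUT (policy DROP)
input_ext  all  --  anywhere  anywhere
Chain FORWARD (policy DROP)
Chain OUTPUT (policy ACCEPT)
Chain forward_ext (0 references)
Chain input_ext (1 references)
Chain reject_func (0 references)
EOF
}

# Constructed dump: the state the answer's rules script aims for
# (the DROP rule's source is a made-up placeholder).
sample_custom() {
    cat <<'EOF'
Chain INPUT (policy ACCEPT)
DROP       all  --  192.0.2.0/24  anywhere
Chain FORWARD (policy ACCEPT)
Chain OUTPUT (policy ACCEPT)
EOF
}
```

On the real machine, run `iptables -L | check_policies` and `iptables -L | leftover_sfw2_chains` after boot; a non-zero exit or any listed chain means the fwsrv rules script did not run after rcSuSEfirewall2.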