OP
Posted on 2003-8-23 12:48:56
=============> Page 200 of 《linux防火墙探秘》 has this passage:
Block packets claiming to come from, or addressed to, Class C private addresses:
The script is as follows:
iptables -A INPUT -i eth1 -s 192.168.0.0/16 -j DROP
iptables -A INPUT -i eth1 -d 192.168.0.0/16 -j DROP
iptables -A OUTPUT -i eth1 -s 192.168.0.0/16 -j DROP
iptables -A OUTPUT -i eth1 -d 192.168.0.0/16 -j DROP
============> Page 70 of 《rhl-sg-en》 (the Red Hat documentation) has this passage:
To take the restrictions a step further, block all outside connections that attempt to spoof private IP address ranges to infiltrate your LAN. If a LAN uses the 192.168.1.0/24 range, a rule can set the Internet facing network device (for example, eth0) to drop any packets to that device with an address in your LAN IP range. Because it is recommended to reject forwarded packets as a default policy, any other spoofed IP address to the external-facing device (eth0) will be rejected automatically.
iptables -A FORWARD -p tcp -s 192.168.1.0/24 -i eth0 -j DROP
iptables -A FORWARD -p udp -s 192.168.1.0/24 -i eth0 -j DROP
============> Going by what the 《rhl-sg-en》 document says,
to block packets claiming to come from, or addressed to, Class C private addresses,
I think the following two lines are enough:
iptables -A INPUT -s 192.168.0.0/16 -i eth1 -j DROP
iptables -A OUTPUT -d 192.168.0.0/16 -o eth1 -j DROP
I can't work out why the author of 《linux防火墙探秘》 wrote it that way. What is the reasoning? Could he have a point as well?
Since iptables is hard to debug (you need at least three machines to test it properly), anyone who has the setup, please give it a try.
Discussion and any doubts are welcome.
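An added example for the rule set discussed above; it is not from the original post or from either book. It assumes the external interface is eth1 and the LAN range is 192.168.0.0/16, as in the post, and defaults IPT to "echo" so it prints the rules without root. The point it makes checkable is that iptables only accepts -i (incoming interface) in INPUT, FORWARD and PREROUTING, and only -o (outgoing interface) in OUTPUT, FORWARD and POSTROUTING, so the OUTPUT rules with -i quoted from the book cannot be loaded at all; the script also adds the FORWARD pair, because on a gateway INPUT and OUTPUT only see the firewall host's own traffic, not the LAN's.

```shell
#!/bin/sh
# Added example, not the post's or either book's code. Assumptions: external
# interface eth1, LAN range 192.168.0.0/16 (both from the post). IPT defaults to
# "echo" so the rules are printed instead of applied; set IPT=iptables to apply.
IPT="${IPT:-echo}"
EXT_IF="${EXT_IF:-eth1}"
PRIVATE_NET="${PRIVATE_NET:-192.168.0.0/16}"

# Anti-spoofing rules for the Internet-facing interface, one per line.
# -i is only valid in INPUT, FORWARD and PREROUTING;
# -o is only valid in OUTPUT, FORWARD and POSTROUTING.
antispoof_rules() {
    # Packets arriving from the Internet must not claim a private source.
    $IPT -A INPUT   -i "$EXT_IF" -s "$PRIVATE_NET" -j DROP
    $IPT -A FORWARD -i "$EXT_IF" -s "$PRIVATE_NET" -j DROP
    # Packets leaving towards the Internet must not be addressed to the LAN.
    $IPT -A OUTPUT  -o "$EXT_IF" -d "$PRIVATE_NET" -j DROP
    $IPT -A FORWARD -o "$EXT_IF" -d "$PRIVATE_NET" -j DROP
}

# Static check of one rule line: prints "ok" when the interface flag fits the
# chain and "invalid" when it does not (e.g. "-i" on OUTPUT, which iptables
# refuses to load). Runs in a subshell so the IFS change stays local.
check_rule() (
    IFS=' '
    set -- $1
    chain=""; iface_flag=""
    while [ $# -gt 0 ]; do
        case "$1" in
            -A|-I) chain="$2"; shift ;;
            -i|-o) iface_flag="$1" ;;
        esac
        shift
    done
    case "$chain:$iface_flag" in
        INPUT:-o|PREROUTING:-o|OUTPUT:-i|POSTROUTING:-i) echo invalid ;;
        *) echo ok ;;
    esac
)

# Run every generated rule through check_rule; returns 1 if any rule is bad.
check_all() {
    rules=$(antispoof_rules)
    status=0
    old_ifs=$IFS
    IFS='
'
    for line in $rules; do
        [ "$(check_rule "$line")" = ok ] || { echo "BAD: $line"; status=1; }
    done
    IFS=$old_ifs
    return $status
}

# Usage: print the rules and confirm they pass the chain/interface check.
antispoof_rules
check_all && echo "all rules consistent"
```

With IPT left at its default the script only prints "-A INPUT -i eth1 -s 192.168.0.0/16 -j DROP" and the other three lines; check_rule can also be fed the book's lines directly to see which ones iptables would reject.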