Duangw

Sysctl Script


This script sets several network-related kernel parameters in order to mitigate potential network attacks.

The content of this article is based on Slackware Linux.

1 The rc.sysctl template

A template, rc.sysctl.ref, is provided here; its contents are as follows:

#!/bin/sh
# Start/stop/restart some network-related kernel parameters.
#

start() {

# Ignore ICMP echo requests sent to a broadcast address
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Do not accept source-routed packets (every interface, plus all/default)
for i in /proc/sys/net/ipv4/conf/*/accept_source_route; do
	echo 0 > "$i"
done

# Enable TCP SYN cookie protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Do not accept ICMP redirects
for i in /proc/sys/net/ipv4/conf/*/accept_redirects; do
	echo 0 > "$i"
done

# Do not send ICMP redirects
for i in /proc/sys/net/ipv4/conf/*/send_redirects; do
	echo 0 > "$i"
done

# Drop spoofed packets arriving on an interface where the reply
# would leave through a different interface (reverse path filtering).
for i in /proc/sys/net/ipv4/conf/*/rp_filter; do
	echo 1 > "$i"
done

# Log packets with impossible (martian) source addresses.
for i in /proc/sys/net/ipv4/conf/*/log_martians; do
	echo 1 > "$i"
done

# Be verbose about dynamic IP address rewriting
# (not needed with a static IP)
echo 2 > /proc/sys/net/ipv4/ip_dynaddr

# Disable Explicit Congestion Notification:
# too many routers still mishandle it
echo 0 > /proc/sys/net/ipv4/tcp_ecn

}

stop() {
# Reverse the settings made by 'start'.

echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

for i in /proc/sys/net/ipv4/conf/*/accept_source_route; do
	echo 1 > "$i"
done

echo 0 > /proc/sys/net/ipv4/tcp_syncookies

for i in /proc/sys/net/ipv4/conf/*/accept_redirects; do
	echo 1 > "$i"
done

for i in /proc/sys/net/ipv4/conf/*/send_redirects; do
	echo 1 > "$i"
done

for i in /proc/sys/net/ipv4/conf/*/rp_filter; do
	echo 0 > "$i"
done

for i in /proc/sys/net/ipv4/conf/*/log_martians; do
	echo 0 > "$i"
done

echo 0 > /proc/sys/net/ipv4/ip_dynaddr

echo 1 > /proc/sys/net/ipv4/tcp_ecn

}


case "$1" in
'start')
	start
	;;
'stop')
	stop
	;;
'restart')
	stop
	start
	;;
*)
	echo "usage $0 start|stop|restart"
esac


2 Configuration

Copy the template file rc.sysctl.ref into the /etc/rc.d/ directory and rename it rc.sysctl (make sure the copy is executable, because the rc.M test below only runs the script when it is):

# cp rc.sysctl.ref /etc/rc.d/rc.sysctl

Edit /etc/rc.d/rc.M and add the statement that calls the script ahead of the rc.inet2 call.

Some of these settings only take effect once the network interfaces are up (the per-interface entries under /proc/sys/net/ipv4/conf/ that the script's loops walk exist only for interfaces that have already been created). Running the script after the interfaces come up but before the network services start (rc.inet2) is therefore a good place. A template for the call is provided as well, rc.M.ref:

# Initialize some networking parameters.
if [ -x /etc/rc.d/rc.sysctl ]; then
  . /etc/rc.d/rc.sysctl start
fi

There is one more parameter, for IP forwarding, which Slackware sets through a separate script, /etc/rc.d/rc.ip_forward; gateways and routers need this feature.