APF: Difference between revisions
Latest revision as of 23:56, 2 May 2010 (Sunday)
APF is a free firewall commonly used on Linux servers.
APF installation
- Download the APF source
# wget http://www.rfxn.com/downloads/apf-current.tar.gz
- Extract it
# tar -xvzf apf-current.tar.gz
- Enter the APF directory
# cd apf-0.9.7-1/ or whatever the latest version is.
- Run the installer
# ./install.sh
APF configuration
Edit the configuration file
# vi /etc/apf/conf.apf
Port settings (INGRESS)
- cPanel settings
# Common ingress (inbound) TCP ports
IG_TCP_CPORTS="20,21,22,25,26,53,80,110,143,443,465,993,995,2082,2083,2086,2087,2095,2096,3306,6666"
# Common ingress (inbound) UDP ports
IG_UDP_CPORTS="21,53,465,873"
- DirectAdmin panel settings
# Common ingress (inbound) TCP ports
IG_TCP_CPORTS="21,22,25,53,80,110,111,143,443,587,953,2222,3306,32769"
# Common ingress (inbound) UDP ports
IG_UDP_CPORTS="53,111,631,724,5353,32768,32809"
Have APF filter outbound traffic
Change EGF="0" to EGF="1", then set the egress ports:
# Tell APF what ports to monitor
# Common egress (outbound) TCP ports (for Cpanel servers)
EG_TCP_CPORTS="21,22,25,26,37,43,53,80,110,113,443,465,873,2089,3306"
# Common egress (outbound) UDP ports
EG_UDP_CPORTS="20,21,53,465,873"
# Common ICMP (outbound) types
# 'internals/icmp.types' for type definition; 'all' is wildcard for any
EG_ICMP_TYPES="all"
# Save your changes! Ctrl+X then press Y
# Start APF
# /usr/local/sbin/apf -s
# If all works edit the config file and change the developer mode to 0
# pico /etc/apf/conf.apf
Change DEVM="1" to DEVM="0"
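As an added check for both the ingress and egress port lists above (this script is not part of the original page or of APF itself), the following POSIX sh validates the IG_*/EG_* variables in conf.apf before you run apf -r: a missing comma turns two ports into one out-of-range number that APF would otherwise accept silently. It assumes APF's LOW_HIGH syntax for port ranges and that each variable's value sits on a single line.

```shell
#!/bin/sh
# Added example: validate the port lists in an APF conf.apf before restarting.
# Each entry must be one port (1-65535) or a LOW_HIGH range (APF's range
# syntax, assumed here). A missing comma ("587953") yields an invalid entry.

# valid_port N: true if N is an integer in 1..65535
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# check_ports LIST: print each bad entry of a comma-separated list; returns 1 if any
check_ports() {
    list_rc=0
    old_ifs=$IFS
    IFS=','
    for entry in $1; do
        entry=$(printf '%s' "$entry" | tr -d ' ')   # tolerate "2082, 2083"
        [ -z "$entry" ] && continue
        case "$entry" in
            *_*)
                lo=${entry%%_*}; hi=${entry#*_}
                if ! valid_port "$lo" || ! valid_port "$hi" || [ "$lo" -gt "$hi" ]; then
                    echo "bad range: $entry"; list_rc=1
                fi ;;
            *)
                if ! valid_port "$entry"; then
                    echo "bad port: $entry"; list_rc=1
                fi ;;
        esac
    done
    IFS=$old_ifs
    return $list_rc
}

# check_conf FILE: validate the four IG_*/EG_* port variables of a conf.apf
check_conf() {
    conf_rc=0
    for var in IG_TCP_CPORTS IG_UDP_CPORTS EG_TCP_CPORTS EG_UDP_CPORTS; do
        ports=$(sed -n "s/^$var=\"\([^\"]*\)\".*/\1/p" "$1")
        check_ports "$ports" || { echo "  in $var"; conf_rc=1; }
    done
    return $conf_rc
}

# usage: check_conf /etc/apf/conf.apf && /usr/local/sbin/apf -r
```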
Restart APF
# /usr/local/sbin/apf -r
View the APF log
View the log with:
tail -f /var/log/apf_log
The output looks like this:
Aug 23 01:25:55 ocean apf(31448): (insert) deny all to/from 185.14.157.123
Aug 23 01:39:43 ocean apf(32172): (insert) allow all to/from 185.14.157.123
Start APF automatically at boot
To start APF automatically when the server boots, run:
chkconfig --level 2345 apf on
To disable automatic startup, run:
chkconfig --del apf
Blocking an IP with APF
An IP can be blocked in either of two ways.
- With the command:
/etc/apf/apf -d IPHERE COMMENTHERENOSPACES
> -d  block the IP
> IPHERE  the IP address to block
> COMMENTHERENOSPACES  a comment recording why the IP was blocked
The command takes effect immediately.
Example:
./apf -d 185.14.157.123 TESTING
vi /etc/apf/deny_hosts.rules
The file now additionally contains:
# added 185.14.157.123 on 08/23/05 01:25:55
# TESTING
185.14.157.123
- By editing deny_hosts.rules
vi /etc/apf/deny_hosts.rules
Add the IP to be filtered to that file. APF must be restarted for the change to take effect:
/etc/apf/apf -r
Unblocking an IP
Removing the IP from deny_hosts.rules unblocks it.
- Edit the file directly
vi /etc/apf/deny_hosts.rules
Find the IP, delete it, then restart APF:
/etc/apf/apf -r
- With the command
If the IP is not in deny_hosts.rules, this command adds it to APF's whitelist, allow_hosts.rules:
/etc/apf/apf -a IPHERE COMMENTHERENOSPACES
> -a  allow the IP
> IPHERE  the IP address to allow
> COMMENTHERENOSPACES  comment
Example:
./apf -a 185.14.157.123 UNBLOCKING
vi /etc/apf/allow_hosts.rules
# added 185.14.157.123 on 08/23/05 01:39:43
# UNBLOCKING
185.14.157.123
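The unblocking procedure above relies on the IP being absent from deny_hosts.rules before apf -a is used. As an added example (not part of the original page or of APF), this POSIX sh reads both rules files in the format shown above and reports any IP that ended up in both lists, which is the sign that the deny entry was never removed; the file contents in the test are constructed.

```shell
#!/bin/sh
# Added example: detect IPs present in both deny_hosts.rules and
# allow_hosts.rules, i.e. unblocked with "apf -a" while still denied.

# rule_ips FILE: print the IP/CIDR entries of an APF rules file, dropping
# the "# added ..." / "# COMMENT" lines that apf -d and apf -a write.
rule_ips() {
    sed -e 's/#.*//' \
        -e 's/^[[:space:]]*//' \
        -e 's/[[:space:]]*$//' \
        -e '/^$/d' "$1"
}

# conflicting_ips DENY_FILE ALLOW_FILE: print every entry listed in both.
# The page's unblocking steps are "remove from deny_hosts.rules, then apf -r";
# an entry in both files means that first step was skipped.
conflicting_ips() {
    for ip in $(rule_ips "$1"); do
        if rule_ips "$2" | grep -qxF "$ip"; then
            echo "$ip"
        fi
    done
}

# usage: conflicting_ips /etc/apf/deny_hosts.rules /etc/apf/allow_hosts.rules
```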
Custom iptables commands in APF
/etc/apf contains two configuration files, postroute.rules and preroute.rules. Put the iptables POSTROUTING and PREROUTING commands into the corresponding file and APF will run them automatically at startup to set up NAT forwarding. Other custom iptables commands can be written directly into /etc/apf/firewall.
Common APF commands
apf -s   # start the APF firewall
apf -r   # restart the APF firewall
apf -f   # flush the APF firewall configuration
apf -l   # list APF's configuration, similar to iptables -nL
apf -st  # APF statistics, mainly the whitelist and blacklist entries
apf -a IP-address/IP-range(FQDN) "comment"   # add the IP/range to the whitelist
apf -d IP-address/IP-range(FQDN) "comment"   # add the IP/range to the blacklist
apf -u   # remove the IP/range from the whitelist/blacklist