A simple firewall policy for Apache
With Apache HTTP Server 1.3.3 installed on Red Hat 9, set up a simple firewall configuration that allows HTTP and HTTPS access to the web server.
1. Set the firewall policy
If you have not yet allowed HTTP access on port 80 and HTTPS access on port 443, you need to do the following. Add the lines below to the port-access section of the firewall control script /usr/local/etc/firewall:
#Allow incoming HTTP requests (to Web Server)
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
If you are not running an SSL server, simply comment out the third line (the port 443 rule) by putting a # in front of it.
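The two rules above only make sense inside a chain that otherwise drops traffic, and because they are added with -A, running the control script twice appends a second copy of every rule unless that script flushes the chains first. The script below is an added example, not the page's own /usr/local/etc/firewall: it emits the whole filter table in iptables-restore format, with the HTTPS rule switched on or off by argument (the "comment out the third line" case above), and loads it with iptables-restore, which replaces the table in one step instead of appending. A DROP policy on INPUT, an open management port on tcp/22, the loopback and ESTABLISHED,RELATED rules placed ahead of the service rules, and the "-m state --state NEW" match on the service rules are assumptions of this example, not taken from the page.

```shell
#!/bin/sh
# Added example (not from the original page): generate the complete filter
# table in iptables-restore format and load it atomically. Loading this way
# replaces the table, so "start" or "restart" never leaves duplicate rules.
#
# Usage: gen_rules [enable_https]   (1 = open tcp/443, 0 = HTTP only; default 1)
#        gen_rules 1 | /sbin/iptables-restore
#
# Assumptions (not stated on the page): INPUT policy DROP, management access
# on tcp/22, service rules restricted to NEW connections because replies are
# already accepted by the ESTABLISHED,RELATED rule.
gen_rules() {
    https=${1:-1}
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback and replies to connections this host opened come first;
# without them the INPUT policy drops DNS answers, package downloads, etc.
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Management access (assumed tcp/22).
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
# Allow incoming HTTP requests (to Web Server)
-A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
EOF
    # The HTTPS rule is the one the page says to comment out when no SSL
    # server runs; here it is simply not emitted.
    if [ "$https" = 1 ]; then
        echo '-A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT'
    fi
    echo 'COMMIT'
}

# rule_line ENABLE_HTTPS PATTERN prints the 1-based line of the first rule
# matching PATTERN in the generated table, or 0 if absent. Useful to confirm
# that the ESTABLISHED rule really precedes the service rules.
rule_line() {
    n=$(gen_rules "$1" | grep -n -- "$2" | head -n 1 | cut -d: -f1)
    echo "${n:-0}"
}

# Load the live firewall only when asked explicitly (needs root):
#   sh gen_rules.sh --apply 1
if [ "${1:-}" = "--apply" ]; then
    gen_rules "${2:-1}" | /sbin/iptables-restore
fi
```

Because the table is loaded as one unit, a syntax error anywhere in it means nothing is applied and the previous rules stay in place, which is the behaviour you want on a remote host.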
2. Set script permissions and run the script
#chmod +x /usr/local/etc/firewall
#/usr/local/etc/firewall
3. Confirm that the firewall policy is in effect
Run iptables -L to confirm that the HTTP and HTTPS ports are open. A correct listing ends with the two lines for http and https, as in this output:
ACCEPT icmp -- anywhere anywhere state ESTABLISHED
ACCEPT tcp -- anywhere anywhere state ESTABLISHED
ACCEPT udp -- anywhere anywhere state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere tcp dpt:pop3
ACCEPT tcp -- anywhere anywhere tcp dpt:imap
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
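Rather than reading the listing by eye, the check can be scripted. The functions below are an added example, not part of the original page: port_verdict reads the output of iptables -L INPUT -n on stdin and prints the target of the first rule that would match a new TCP connection to a given port, so a DROP rule that sits above the ACCEPT (and silently shadows it) is reported as DROP instead of being missed. Use -n so iptables prints 0.0.0.0/0 and port numbers instead of resolving them to "anywhere" and service names such as "http" as in the listing above. The matcher is deliberately simplified (an assumption of this example): it evaluates tcp rules carrying dpt:N and protocol-"all" rules with no further match, and ignores source and destination restrictions. Both sample listings in the block are constructed for the example, not captured from a host.

```shell
#!/bin/sh
# Added example (not from the original page): script the "is the port open"
# check instead of reading "iptables -L" by eye.
#
# port_verdict PORT reads "iptables -L INPUT -n" output on stdin and prints
# the target of the first rule that would match a new TCP connection to PORT
# (ACCEPT, DROP, REJECT, ...) or "none" when no rule matches and the chain
# policy decides. Simplified matcher (assumption of this example): it
# understands "tcp ... dpt:N" rules and protocol-"all" rules with no further
# match, such as a trailing "-j DROP"; source/destination are not evaluated.
#
# Usage: iptables -L INPUT -n | port_verdict 443
port_verdict() {
    awk -v p="$1" '
        /^Chain / || /^target / { next }    # listing headers
        NF == 0 { next }                    # blank separator lines
        # Catch-all rule such as "-A INPUT -j DROP": decides for every port.
        $2 == "all" && NF == 5 { print $1; found = 1; exit }
        # TCP rule: the "dpt:N" token may follow other matches, so scan fields.
        $2 == "tcp" {
            for (i = 6; i <= NF; i++)
                if ($i == "dpt:" p) { print $1; found = 1; exit }
        }
        END { if (!found) print "none" }
    '
}

# web_ports_ok reads the same listing and succeeds only if both HTTP and
# HTTPS reach an ACCEPT rule; the first failing port and its verdict go to stderr.
web_ports_ok() {
    listing=$(cat)
    for port in 80 443; do
        verdict=$(printf '%s\n' "$listing" | port_verdict "$port")
        if [ "$verdict" != "ACCEPT" ]; then
            echo "tcp/$port: $verdict" >&2
            return 1
        fi
    done
    return 0
}

# Constructed sample of "iptables -L INPUT -n" with the page's rules loaded.
sample_listing() {
    cat <<'EOF'
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state ESTABLISHED,RELATED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:443
EOF
}

# Constructed sample of the shadowing mistake: the web rules were appended
# after a catch-all DROP (what a panic-mode ruleset followed by a "start"
# that does not flush first leaves behind), so they are never reached.
sample_listing_shadowed() {
    cat <<'EOF'
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22
DROP       all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:443
EOF
}

# Check the live firewall only when asked explicitly (needs root):
#   sh check_web_ports.sh --live
if [ "${1:-}" = "--live" ]; then
    iptables -L INPUT -n | web_ports_ok && echo "HTTP and HTTPS are accepted"
fi
```

iptables -L --line-numbers is the quickest way to see the position of a shadowing rule once the check reports one; iptables -D INPUT <number> removes it.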
4. Create the service file
#vi /etc/init.d/firewall
-- copy the block below and paste it into firewall --
#!/bin/sh
#
# This script is responsible for loading the custom
# IPTables Firewall settings.
#
# chkconfig: 345 96 96
#
# processname: /usr/local/etc/firewall
#
# description: Controls the custom built firewall rules
#
# Source function library:
. /etc/init.d/functions
RETVAL=0
start () {
    echo "Loading Firewall Rules: "
    # Record the exit status of the rule script itself, not of the touch
    # that follows it, and create the lock file only when the rules loaded.
    /usr/local/etc/firewall > /dev/null
    RETVAL=$?
    [ $RETVAL -eq 0 ] && touch /var/lock/subsys/firewall
    echo -n "Status:"
    [ $RETVAL -eq 0 ] && success || failure
    echo
    return $RETVAL
}
flush () {
    echo -n "Turning Firewall Off"
    # -F empties the chains but leaves the chain policies as they are.
    iptables -F
    RETVAL=$?
    rm -f /var/lock/subsys/firewall
    [ $RETVAL -eq 0 ] && success || failure
    echo
    return $RETVAL
}
status () {
    echo "Current Firewall Configuration:"
    iptables -L
    RETVAL=$?
    return $RETVAL
}
panic () {
    echo "Enabling Panic Mode. Only SSH access allowed!!"
    echo -n "You must run '$0 start' to allow other ports "
    echo " through the firewall again."
    echo -n "Panic Mode Status:"
    # Loopback and replies to connections this host opened are kept, so the
    # administrator's own tools (DNS, package updates) still work; new
    # inbound connections are accepted on tcp/22 only.
    /sbin/iptables -F &&
    /sbin/iptables -A INPUT -i lo -j ACCEPT &&
    /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT &&
    /sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT &&
    /sbin/iptables -A INPUT -j DROP
    RETVAL=$?
    [ $RETVAL -eq 0 ] && success || failure
    echo
    return $RETVAL
}
case "$1" in
start)
    start
    ;;
restart)
    # Flush before reloading: the rules are added with -A, so a second
    # start without a flush appends a duplicate of every rule.
    flush
    start
    ;;
flush)
    flush
    ;;
stop)
    flush
    ;;
status)
    status
    ;;
list)
    status
    ;;
panic)
    panic
    ;;
*)
    echo "Usage:$0 {start|stop|restart|flush|status|list|panic}"
    exit 1
esac
exit $RETVAL
-- end --
5. Set execute permission on the service file
Make the service file executable, register it so it starts at boot, then start it:
#chmod 700 /etc/init.d/firewall
#chkconfig --add firewall
#service firewall restart
Note the chkconfig line in the script: with a start priority of 96 the rules are loaded after most network services, httpd included, so there is a short window at boot with no filter in place. If you want the rules loaded before those services come up, use a low start number (Red Hat's own iptables init script uses 08).