配置 /etc/sysctl.conf

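# Kernel network hardening for a host that is NOT a router.
# Applied with `sysctl -p` (or systemd-sysctl at boot). Per-interface keys
# below name eth0 explicitly; on a host without an interface of that name
# sysctl reports an error for those lines. The "all" and "default" entries
# already cover every present and future interface, so the eth0 lines are
# kept only for explicitness.

# SYN flood protection: larger SYN backlog, and SYN cookies once it overflows.
net.ipv4.tcp_max_syn_backlog = 8192
net.ipv4.tcp_syncookies = 1

# Reject source-routed packets (IPv4 and IPv6). The accept_source_route=0
# entry for conf.all was previously listed twice; one copy is kept.
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.eth0.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.lo.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.eth0.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
net.ipv6.conf.lo.accept_source_route = 0

# IP spoofing protection: strict reverse-path filtering (rp_filter = 1 drops
# packets whose source address is not routable back through the receiving
# interface) and ARP answers only on the interface the kernel would route
# that address through (arp_filter = 1).
net.ipv4.conf.all.arp_filter = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.eth0.arp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.default.arp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.lo.arp_filter = 1
net.ipv4.conf.lo.rp_filter = 1

# Ignore ICMP redirects (IPv4 and IPv6) so the routing table cannot be
# altered by a redirect from the network. The IPv4 lo entry was missing
# while the IPv6 lo entry was present; it is added for consistency.
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.eth0.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv6.conf.lo.accept_redirects = 0

# Do not answer ICMP echo requests sent to broadcast addresses
# (avoids being used as a smurf amplifier).
net.ipv4.icmp_echo_ignore_broadcasts = 1

# This host is not a router: disable IPv4 forwarding and never emit ICMP
# redirects. net.ipv4.ip_forward and net.ipv4.conf.all.forwarding toggle the
# same kernel setting; both are set so either spelling reads consistently.
# (conf.all.forwarding was previously filed under the source-route group.)
net.ipv4.ip_forward = 0
net.ipv4.conf.all.forwarding = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.eth0.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.lo.send_redirects = 0

# Log "martian" packets (spoofed, source-routed and redirect packets) to the
# kernel log so the drops above are visible to monitoring.
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.eth0.log_martians = 1
net.ipv4.conf.default.log_martians = 1
net.ipv4.conf.lo.log_martians = 1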