Options kernels à utiliser pour restreindre des comportements de routage, ICMP… inutiles à proposer.
Pour de nombreux paramètres réseaux, configurer le fichier suivant qui liste les paramètres kernel à exécuter au démarrage.
vi /etc/sysctl.d/custom.conf
net.ipv4.conf.default.rp_filter = 1 net.ipv4.conf.all.rp_filter = 1 net.ipv4.tcp_syncookies = 1 net.ipv4.ip_forward = 0 #Inclus la ligne suivante : net.ipv4.conf.docker0.forwarding = 0 net.ipv6.conf.all.forwarding=0 net.ipv4.conf.all.accept_redirects = 0 net.ipv6.conf.all.accept_redirects = 0 net.ipv4.conf.all.secure_redirects = 0 net.ipv4.conf.all.send_redirects = 0 net.ipv4.conf.all.accept_source_route = 0 net.ipv6.conf.all.accept_source_route = 0 net.ipv4.conf.all.log_martians = 1 net.ipv4.conf.all.proxy_arp = 0 ################################################################### # Custom vm.swappiness=2
Pour charger la configuration modifiée sans redémarrer.
sysctl -p
sysctl.conf
complet.
# # /etc/sysctl.conf - Configuration file for setting system variables # See /etc/sysctl.d/ for additional system variables. # See sysctl.conf (5) for information. # #kernel.domainname = example.com # Uncomment the following to stop low-level messages on console #kernel.printk = 3 4 1 3 ##############################################################3 # Functions previously found in netbase # # Uncomment the next two lines to enable Spoof protection (reverse-path filter) # Turn on Source Address Verification in all interfaces to # prevent some spoofing attacks net.ipv4.conf.default.rp_filter=1 net.ipv4.conf.all.rp_filter=1 # Uncomment the next line to enable TCP/IP SYN cookies # See http://lwn.net/Articles/277146/ # Note: This may impact IPv6 TCP sessions too net.ipv4.tcp_syncookies=1 # Uncomment the next line to enable packet forwarding for IPv4 net.ipv4.ip_forward=0 # Uncomment the next line to enable packet forwarding for IPv6 # Enabling this option disables Stateless Address Autoconfiguration # based on Router Advertisements for this host net.ipv6.conf.all.forwarding=0 ################################################################### # Additional settings - these settings can improve the network # security of the host and prevent against some network attacks # including spoofing attacks and man in the middle attacks through # redirection. Some network environments, however, require that these # settings are disabled so review and enable them as needed. # # Do not accept ICMP redirects (prevent MITM attacks) net.ipv4.conf.all.accept_redirects = 0 net.ipv6.conf.all.accept_redirects = 0 # _or_ # Accept ICMP redirects only for gateways listed in our default # gateway list (enabled by default) net.ipv4.conf.all.secure_redirects = 0 # gateway list (enabled by default) net.ipv4.conf.all.secure_redirects = 0 # # Do not send ICMP redirects (we are not a router) net.ipv4.conf.all.send_redirects = 0 # # Do not accept IP source route packets (we are not a router) net.ipv4.conf.all.accept_source_route = 0 net.ipv6.conf.all.accept_source_route = 0 # # Log Martian Packets net.ipv4.conf.all.log_martians = 1 # # Proxy ARP net.ipv4.conf.all.proxy_arp = 0 ################################################################### # Magic system request Key # 0=disable, 1=enable all # Debian kernels have this set to 0 (disable the key) # See https://www.kernel.org/doc/Documentation/sysrq.txt # for what other values do #kernel.sysrq=1 ################################################################### # Protected links # # Protects against creating or following links under certain conditions # Debian kernels have both set to 1 (restricted) # See https://www.kernel.org/doc/Documentation/sysctl/fs.txt #fs.protected_hardlinks=0 #fs.protected_symlinks=0 # Disable IPv6 autoconf net.ipv6.conf.all.autoconf = 0 net.ipv6.conf.default.autoconf = 0 net.ipv6.conf.eth0.autoconf = 0 net.ipv6.conf.all.accept_ra_defrtr = 0 net.ipv6.conf.default.accept_ra_defrtr = 0 net.ipv6.conf.eth0.accept_ra_defrtr = 0 net.ipv6.conf.all.accept_ra_pinfo = 0 net.ipv6.conf.default.accept_ra_pinfo = 0 net.ipv6.conf.eth0.accept_ra_pinfo = 0 net.ipv6.conf.all.accept_ra = 0 net.ipv6.conf.default.accept_ra = 0 net.ipv6.conf.eth0.accept_ra = 0
Différence de conf entre une installation originale Debian 9 et les modifications appliquées (Original à gauche, modifié à droite).
net.ipv4.conf.all.forwarding = 1 | net.ipv4.conf.all.forwarding = 0 net.ipv4.conf.all.log_martians = 0 | net.ipv4.conf.all.log_martians = 1 net.ipv4.conf.all.rp_filter = 0 | net.ipv4.conf.all.rp_filter = 1 net.ipv4.conf.all.secure_redirects = 1 | net.ipv4.conf.all.secure_redirects = 0 net.ipv4.conf.all.send_redirects = 1 | net.ipv4.conf.all.send_redirects = 0 net.ipv4.conf.default.forwarding = 1 | net.ipv4.conf.default.forwarding = 0 net.ipv4.conf.default.rp_filter = 0 | net.ipv4.conf.default.rp_filter = 1 net.ipv4.conf.docker0.forwarding = 1 | net.ipv4.conf.docker0.forwarding = 0 net.ipv4.conf.eth0.forwarding = 1 | net.ipv4.conf.eth0.forwarding = 0 net.ipv4.conf.lo.forwarding = 1 | net.ipv4.conf.lo.forwarding = 0 net.ipv4.ip_forward = 1 | net.ipv4.ip_forward = 0 net.ipv6.conf.all.accept_redirects = 1 | net.ipv6.conf.all.accept_redirects = 0