lively using firewall script for iptables (9 months ago)
You need a system whose kernel was built with the appropriate options and which loads the required modules such as ip_tables; see:
http://en.gentoo-wiki.com/wiki/Iptables
Next comes the script.
The intent is roughly as follows.
1. Default policy: DROP everything.
2. Allow ssh connections from outside to this host (port 22).
3. Allow ssh connections from this host to the outside (port 22).
4. Allow http and https in both directions as well, as a server and as a client (ports 80, 443).
5. Allow DNS queries from this host to the outside (port 53).
6. Allow svn connections (port 3690); as written, the script only covers the client side, this host connecting out.
7. Log and drop port scans and similar probes.
8. Allow ping (ICMP) in a limited way.
....
Everything not on this list is dropped; replies to allowed connections are accepted through connection tracking (ESTABLISHED,RELATED) rather than by opening the reply ports.
The firewall start script:
#!/bin/bash
# Host firewall: default DROP in all three directions, replies accepted via
# connection tracking, a short list of allowed services, and logging of odd
# TCP flag combinations (port-scan signatures) and unexpected ICMP.
IPT="sudo /sbin/iptables"

# Policies first, so the host is fail-closed while the rules are (re)built.
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT DROP

# Start from an empty filter table.  Without this, every re-run appends a
# second copy of each rule to INPUT/FORWARD/OUTPUT.
$IPT -F
$IPT -X

$IPT -N check_flags
$IPT -N allow_in
$IPT -N allow_out
$IPT -N allowed_connection
$IPT -N icmp_allowed

# Packets that belong (or are related) to a connection that was already allowed.
$IPT -A allowed_connection -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A allowed_connection -j DROP

# Illegal TCP flag combinations, as sent by nmap -sX, -sN and similar probes.
# Each kind is logged (rate-limited, so a scan cannot flood the log) and dropped.
# The trailing space in each prefix keeps it separate from the IN= field that
# the kernel appends to the log line.
$IPT -A check_flags -p tcp --tcp-flags ALL FIN,URG,PSH -m limit --limit 5/minute -j LOG --log-level alert --log-prefix "NMAP-XMAS: "
$IPT -A check_flags -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A check_flags -p tcp --tcp-flags ALL ALL -m limit --limit 5/minute -j LOG --log-level 1 --log-prefix "XMAS: "
$IPT -A check_flags -p tcp --tcp-flags ALL ALL -j DROP
# every flag except PSH
$IPT -A check_flags -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -m limit --limit 5/minute -j LOG --log-level 1 --log-prefix "XMAS-PSH: "
$IPT -A check_flags -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
$IPT -A check_flags -p tcp --tcp-flags ALL NONE -m limit --limit 5/minute -j LOG --log-level 1 --log-prefix "NULL_SCAN: "
$IPT -A check_flags -p tcp --tcp-flags ALL NONE -j DROP
$IPT -A check_flags -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/minute -j LOG --log-level 5 --log-prefix "SYN/RST: "
$IPT -A check_flags -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A check_flags -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/minute -j LOG --log-level 5 --log-prefix "SYN/FIN: "
$IPT -A check_flags -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

# ICMP.  This chain sees ICMP before allowed_connection does, so the state check
# is repeated here: echo-reply to our own ping is ESTABLISHED, and errors about a
# tracked connection (destination-unreachable, time-exceeded) are RELATED.
$IPT -A icmp_allowed -m state --state ESTABLISHED,RELATED -j ACCEPT
# Limited ping (intent 8): answer echo-requests, but no faster than 1/s (burst 5).
$IPT -A icmp_allowed -p icmp --icmp-type echo-request -m limit --limit 1/second --limit-burst 5 -j ACCEPT
# Untracked errors that are still useful (traceroute, path-MTU discovery).
$IPT -A icmp_allowed -m state --state NEW -p icmp --icmp-type time-exceeded -j ACCEPT
$IPT -A icmp_allowed -m state --state NEW -p icmp --icmp-type destination-unreachable -j ACCEPT
# Everything else (redirects, timestamp requests, ...) is logged and dropped.
$IPT -A icmp_allowed -p icmp -j LOG --log-prefix "Bad ICMP traffic: "
$IPT -A icmp_allowed -p icmp -j DROP

# Inbound services: sshd (22), httpd (80, 443).  New ssh connections, i.e.
# packets with only SYN set, are throttled to 1/s (burst 5) as a cheap brake on
# brute forcing; the limit match comes last so only those packets use up tokens.
# Replies to connections this host opened are deliberately NOT listed here:
# they are ESTABLISHED and are accepted by allowed_connection.  A bare
# "--sport 80 -j ACCEPT" would let any remote host reach every local port
# simply by sending from source port 80.
$IPT -A allow_in -p tcp --tcp-flags ALL SYN --dport 22 -m limit --limit 1/second -j ACCEPT
$IPT -A allow_in -p tcp --dport 80 -j ACCEPT
$IPT -A allow_in -p tcp --dport 443 -j ACCEPT

# Outbound clients: ssh (22), web (80, 443), DNS (53/udp), svn (3690).  Our own
# servers' replies are ESTABLISHED and go through allowed_connection, so there
# are no --sport rules here either.
$IPT -A allow_out -p tcp --dport 22 -j ACCEPT
$IPT -A allow_out -p tcp --dport 80 -j ACCEPT
$IPT -A allow_out -p tcp --dport 443 -j ACCEPT
$IPT -A allow_out -p udp --dport 53 -j ACCEPT
$IPT -A allow_out -p tcp --dport 3690 -j ACCEPT

# INPUT: loopback first, then the sanity checks, then the allow lists.
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -m state --state INVALID -j DROP
$IPT -A INPUT -p icmp -j icmp_allowed
$IPT -A INPUT -j check_flags
$IPT -A INPUT -j allow_in
$IPT -A INPUT -j allowed_connection

# FORWARD only matters if this host routes (net.ipv4.ip_forward=1); it mirrors
# INPUT so forwarded traffic gets the same checks.
$IPT -A FORWARD -m state --state INVALID -j DROP
$IPT -A FORWARD -p icmp -j icmp_allowed
$IPT -A FORWARD -j check_flags
$IPT -A FORWARD -j allow_in
$IPT -A FORWARD -j allowed_connection

# OUTPUT
$IPT -A OUTPUT -o lo -j ACCEPT
$IPT -A OUTPUT -m state --state INVALID -j DROP
$IPT -A OUTPUT -p icmp -j icmp_allowed
$IPT -A OUTPUT -j check_flags
$IPT -A OUTPUT -j allow_out
$IPT -A OUTPUT -j allowed_connection
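One check worth running against a ruleset like this, as an added example that is not part of the original post: ACCEPT rules that key on --sport alone, with no state match, sit in front of the stateful allowed_connection chain and let any remote host reach any local port by sending from that source port (80, 443, 53 or 3690 in a layout like the one above). The POSIX sh below greps an iptables-save dump for such rules and separates the inbound ones, which are the hole, from the merely redundant outbound ones. The function names and the embedded dump are constructed for this example (the dump shows an allow_in/allow_out layout that has such rules), not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the original post: audit an iptables-save dump for
# ACCEPT rules that match on --sport alone (no --dport, no conntrack state).
# With a stateful allowed_connection chain such rules are not just redundant,
# they are a hole: any remote host can reach any local port by sending from
# that source port.  Function names and sample data are constructed here.

# Constructed iptables-save output showing the problem: four inbound
# source-port-only ACCEPTs (80, 443, 53/udp, 3690) and one outbound (22).
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:allow_in - [0:0]
:allow_out - [0:0]
:allowed_connection - [0:0]
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -j allow_in
-A INPUT -j allowed_connection
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j allow_out
-A OUTPUT -j allowed_connection
-A allow_in -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG SYN --dport 22 -m limit --limit 1/sec -j ACCEPT
-A allow_in -p tcp -m tcp --sport 80 -j ACCEPT
-A allow_in -p tcp -m tcp --sport 443 -j ACCEPT
-A allow_in -p tcp -m tcp --dport 80 -j ACCEPT
-A allow_in -p tcp -m tcp --dport 443 -j ACCEPT
-A allow_in -p udp -m udp --sport 53 -j ACCEPT
-A allow_in -p tcp -m tcp --sport 3690 -j ACCEPT
-A allow_out -p tcp -m tcp --sport 22 -j ACCEPT
-A allow_out -p tcp -m tcp --dport 80 -j ACCEPT
-A allow_out -p udp -m udp --dport 53 -j ACCEPT
-A allowed_connection -m state --state RELATED,ESTABLISHED -j ACCEPT
-A allowed_connection -j DROP
COMMIT'

# The same ruleset with the --sport rules removed; replies are left to
# allowed_connection.  The audit should come back empty for this one.
FIXED_RULES=$(printf '%s\n' "$SAMPLE_RULES" | grep -v -- '--sport ')

# stdin: iptables-save lines.  stdout: ACCEPT rules keyed on --sport only.
find_sport_only_accepts() {
    grep -- '-j ACCEPT' |
        grep -- '--sport ' |
        grep -v -- '--dport ' |
        grep -v -e '--state ' -e '--ctstate '
}

# Number of such rules in a ruleset given as a string (0 is the goal).
count_sport_only_accepts() {
    printf '%s\n' "$1" | find_sport_only_accepts | grep -c .
}

# Only the rules an attacker can hit from outside: those in INPUT itself or in
# a chain INPUT jumps to (one level deep, enough for this layout).  Outbound
# --sport rules are merely redundant, so they are left out.
inbound_sport_only_accepts() {
    reach=$(printf '%s\n' "$1" |
        awk '$1 == "-A" && $2 == "INPUT" && $(NF-1) == "-j" { print $NF }')
    printf '%s\n' "$1" | find_sport_only_accepts | while read -r rule; do
        chain=$(printf '%s\n' "$rule" | awk '{ print $2 }')
        if [ "$chain" = INPUT ] || printf '%s\n' "$reach" | grep -qx -- "$chain"; then
            printf '%s\n' "$rule"
        fi
    done
}

# Stand-alone run: list the inbound offenders in the constructed sample.
inbound_sport_only_accepts "$SAMPLE_RULES"
```

On a real host run `sudo iptables-save | find_sport_only_accepts`; an empty result is what you want, since replies to connections the host opened are still accepted by the ESTABLISHED,RELATED rule.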
The firewall teardown script:
#!/bin/bash
# Open everything again.  Set the policies to ACCEPT before flushing: the
# other order leaves a moment with empty chains and a DROP policy, during
# which every packet (including this ssh session's) is dropped.
IPT="sudo /sbin/iptables"
$IPT -P INPUT ACCEPT
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -F
$IPT -X
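The check_flags chain in the start script only drops the probe; the value is in the LOG lines, which the kernel writes as the --log-prefix followed by IN=, OUT=, SRC=, DST=, PROTO=, SPT=, DPT= and the TCP flags. As an added example that is not part of the original post, the POSIX sh below summarises such lines per scan type and source address and picks the busiest source. The log excerpt and the function names are constructed for this example; one line uses a prefix without a trailing space to show the fused "SYN/FIN:IN=eth0" form such a prefix produces, and the parser handles both forms.

```shell
#!/bin/sh
# Added example, not from the original post: summarise the LOG lines that the
# check_flags rules produce, per prefix and source address.  Log lines and
# function names are constructed for this example.

# Constructed log excerpt.  One source runs an Xmas scan against three ports
# plus a SYN/FIN probe, another runs a NULL scan; the sshd line shows that
# unrelated entries are ignored.  "SYN/FIN:IN=" is what a --log-prefix without
# a trailing space looks like once the kernel appends the packet fields.
SAMPLE_LOG='Mar  3 12:00:01 gw kernel: NMAP-XMAS: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=1 PROTO=TCP SPT=44321 DPT=22 WINDOW=1024 RES=0x00 FIN PSH URG URGP=0
Mar  3 12:00:01 gw kernel: NMAP-XMAS: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=44321 DPT=80 WINDOW=1024 RES=0x00 FIN PSH URG URGP=0
Mar  3 12:00:02 gw kernel: NMAP-XMAS: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=44321 DPT=443 WINDOW=1024 RES=0x00 FIN PSH URG URGP=0
Mar  3 12:00:05 gw kernel: NULL_SCAN: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=51000 DPT=22 WINDOW=1024 RES=0x00 URGP=0
Mar  3 12:00:05 gw kernel: NULL_SCAN: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=51000 DPT=25 WINDOW=1024 RES=0x00 URGP=0
Mar  3 12:00:09 gw kernel: SYN/FIN:IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=44322 DPT=22 WINDOW=1024 RES=0x00 SYN FIN URGP=0
Mar  3 12:00:10 gw sshd[1234]: Accepted publickey for alice from 192.0.2.20 port 50000 ssh2'

# stdin: kernel log lines.  stdout: "<hits> <prefix> <source IP>", most hits first.
# Both prefix styles are handled: "PREFIX: IN=eth0" and the fused "PREFIX:IN=eth0".
summarize_scan_log() {
    awk '
        {
            prefix = ""; src = ""
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^IN=/)            prefix = $(i - 1)
                else if ($i ~ /^[^=]+:IN=/) prefix = substr($i, 1, index($i, "IN=") - 1)
                else if ($i ~ /^SRC=/)      src = substr($i, 5)
            }
            if (prefix != "" && src != "") hits[prefix " " src]++
        }
        END { for (k in hits) print hits[k], k }
    ' | sort -rn
}

# Source address with the most logged probes across all scan types.
top_scan_source() {
    printf '%s\n' "$1" | summarize_scan_log |
        awk '{ total[$3] += $1 } END { for (s in total) print total[s], s }' |
        sort -rn | head -n 1 | awk '{ print $2 }'
}

# Stand-alone run over the constructed excerpt.
printf '%s\n' "$SAMPLE_LOG" | summarize_scan_log
```

On a real host use `journalctl -k | summarize_scan_log` or `summarize_scan_log < /var/log/kern.log`. Because each LOG rule is limited to 5/minute, the counts are a lower bound on the probes actually received.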
iptables...... is pretty hard.... I'm only at the point of grudgingly understanding what's above... Using it freely is still a long way off...
