There are times when you need iptables on a server.
Writing firewall rules is not easy, so this page sets out only the parts you actually need.
That is the purpose of what follows.
iptables handles network address translation (NAT), packet inspection, rate limiting and policy enforcement inside the kernel.
CentOS 6.4 Minimal ships with iptables already installed.
ip6tables is installed alongside it; that is the IPv6 counterpart and is not covered here.
# rpm -qa | grep iptables
iptables-1.4.7-9.el6.x86_64
iptables-ipv6-1.4.7-9.el6.x86_64
If it is not installed, install it with:
# yum -y install iptables
# chkconfig --list
ip6tables 0: 1: 2: 3: 4: 5: 6:
iptables 0: 1: 2: 3: 4: 5: 6:
(each runlevel number is followed by the service's on/off state for that runlevel; iptables must be on for runlevels 2-5)
Enable it at boot:
# chkconfig iptables on
Start the service:
# service iptables start
The iptables configuration file is:
/etc/sysconfig/iptables
This is the file "service iptables save" writes and the service loads at boot. The following concepts are what you need to read and write it.
1) Tables
iptables has four tables: filter, nat, mangle and raw. The rules we need here all live in the filter table, which is also the default when -t is omitted.
2) Chains
The filter table has three built-in chains: INPUT, OUTPUT and FORWARD.
Each chain holds the rules applied to the network traffic (IP packets) that passes through it.
An incoming packet (INPUT) is accepted (ACCEPT), rejected (REJECT) or dropped (DROP).
INPUT - packets addressed to this host
OUTPUT - packets originating from this host
FORWARD - packets that are neither from nor to this host but are routed through it (the host acting as a router)
3) Matches
A match specifies the conditions a packet must satisfy for the rule to apply; only packets that satisfy every match in the rule are handed to its target.
--source (-s) : match a source IP address or network
--destination (-d) : match a destination IP address or network
--protocol (-p) : match a specific protocol (tcp, udp, icmp, all)
--in-interface (-i) : interface the packet arrived on (INPUT and FORWARD only)
--out-interface (-o) : interface the packet leaves on (OUTPUT and FORWARD only)
--state : match the connection-tracking state (requires -m state)
--string : match a string in the packet payload (requires -m string together with --algo bm or kmp)
--comment : attach a comment of up to 256 bytes to the rule (requires -m comment)
--syn : match TCP packets that open a connection (SYN set, ACK/RST/FIN clear); "! --syn" matches every other TCP packet
--fragment (-f) : match only the second and later fragments of a fragmented packet
The following are general options rather than matches, but they appear in the same position on the command line:
--table (-t) : the table to operate on (default filter)
--jump (-j) : the target, i.e. what to do with packets that match the rule
--match (-m) : load an extension module (state, tcp, multiport, mac, ...) that provides additional matches
4) Targets
The target says what happens to a packet that satisfies the rule's matches.
ACCEPT - let the packet through.
DROP - discard the packet silently; the sender receives no response at all.
REJECT - discard the packet and send an error back to the sender (by default an ICMP port-unreachable; --reject-with selects another, e.g. icmp-host-prohibited or tcp-reset).
LOG - write the packet to syslog via the kernel log; LOG is non-terminating, so the packet continues to the next rule.
RETURN - stop traversing this chain and resume in the chain that called it; in a built-in chain the chain policy applies.
With REJECT the client fails immediately with "connection refused"; with DROP the packet simply disappears, so a client such as telnet hangs until it times out.
From a traffic point of view, DROP leaves the sender unsure whether the host is even there and encourages repeated retries, which is why some recommend REJECT where the extra response is acceptable; DROP, on the other hand, gives a port scanner no information and makes each probe cost it a timeout.
5) Connection tracking
Using connection tracking, iptables can make decisions based on the state of a network connection rather than on each packet in isolation.
The state is exposed through the state match (-m state --state ...), and you accept or refuse packets per state:
NEW - a packet that starts a new connection, e.g. the SYN of an HTTP request
ESTABLISHED - a packet belonging to a connection that has already seen traffic in both directions
RELATED - a packet that opens a new connection associated with an existing one, e.g. the FTP data connection (port 20, or a port above 1024 in passive mode) that follows the FTP control connection; for FTP this requires the nf_conntrack_ftp helper module to be loaded
INVALID - a packet that cannot be associated with any known connection (malformed, or out of sequence)
Because iptables is stateful, it can admit replies to connections the host itself opened without opening those ports to the world, which a stateless packet filter cannot do.
UDP has no connection state of its own, but conntrack still tracks UDP "connections" by address/port pair with a timeout, so ESTABLISHED works for UDP replies (DNS answers, for example) as well.
6) Commands
-A (--append) : append a new rule to the end of a chain.
-D (--delete) : delete a rule (by specification or by rule number).
-C (--check) : check whether a rule exists in a chain (added in iptables 1.4.11, so not available in the 1.4.7 shipped with CentOS 6.4).
-R (--replace) : replace the rule at a given number with a new one.
-I (--insert) : insert a new rule at a given position (default: at the top, number 1).
-L (--list) : list the rules of a chain (or of all chains).
-F (--flush) : delete all rules from a chain (or from all chains).
-Z (--zero) : reset the packet and byte counters of a chain.
-N (--new) : create a new user-defined chain.
-X (--delete-chain) : delete an (empty) user-defined chain.
-P (--policy) : set the default policy of a built-in chain.
7) How a packet is evaluated
A packet entering a chain is checked against the rules from top to bottom; the first rule whose matches it satisfies decides its fate through that rule's target (ACCEPT, DROP, ...).
Once a terminating target has been applied, processing stops and the later rules in the chain are not consulted (LOG is the exception: it logs and lets the packet continue to the next rule).
A packet that matches none of the rules falls off the bottom of the chain and gets the chain's default policy.
The policy is either ACCEPT or DROP (REJECT cannot be used as a policy).
The usual approach is a DROP policy on INPUT with explicit ACCEPT rules for the ports and source addresses that must be reachable.
8) Viewing the rules
The current rules are listed with the following command (-n prints addresses and ports numerically instead of resolving names, which is faster and avoids DNS lookups):
# iptables -nL
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:3306
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
With --line-numbers each rule is shown with its number, which -D, -I and -R take:
# iptables -nL --line-numbers
Chain INPUT (policy DROP)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
2 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
3 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
4 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
5 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53
6 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
7 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
8 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:3306
Chain FORWARD (policy DROP)
num target prot opt source destination
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
With -v the packet/byte counters and the in/out interface columns are shown, which is the quickest way to see whether a rule is actually being hit:
# iptables -L -v
Chain INPUT (policy DROP 1626 packets, 214K bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo any anywhere anywhere
944 194K ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:ssh
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:domain
4 245 ACCEPT udp -- any any anywhere anywhere udp dpt:domain
6 304 ACCEPT tcp -- any any anywhere anywhere tcp dpt:http
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:https
2 88 ACCEPT tcp -- any any anywhere anywhere tcp dpt:mysql
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 179 packets, 22190 bytes)
pkts bytes target prot opt in out source destination
Below is the default iptables ruleset of a fresh CentOS 6.4 Minimal install.
# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
The default policy is ACCEPT for all three chains; loopback, ICMP, established/related traffic and new SSH connections are accepted explicitly, and everything else on INPUT and FORWARD is rejected with icmp-host-prohibited by the final REJECT rule.
We will now replace this with our own policy and rules.
* Caution
If you set the INPUT policy to DROP before the SSH rule is in place, your own SSH session is cut off and you are locked out of the box. So first set the policy to ACCEPT, add the SSH rule, and only then set the policy to DROP.
This only matters when you are working over SSH; on the console (physically at the machine, or through a remote console/KVM) there is nothing to lose.
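The lockout above is best prevented mechanically rather than by remembering the right order. The following is an added example, not code from the original page: it loads a new ruleset with iptables-restore (part of the iptables package on CentOS 6) and rolls back to a snapshot of the old rules unless a confirmation command succeeds, in the spirit of Debian's iptables-apply. The IPTABLES_SAVE / IPTABLES_RESTORE variables are an assumption of this example so that a test can substitute stubs.

```shell
#!/bin/sh
# Added example: apply a ruleset with automatic rollback.
# IPTABLES_SAVE/IPTABLES_RESTORE default to the real tools; a test may
# point them at shell functions instead.
IPTABLES_SAVE=${IPTABLES_SAVE:-iptables-save}
IPTABLES_RESTORE=${IPTABLES_RESTORE:-iptables-restore}

# apply_with_rollback RULEFILE CONFIRM_CMD
#   1. snapshot the live rules,
#   2. load RULEFILE in one step with iptables-restore,
#   3. run CONFIRM_CMD; if it succeeds the new rules stay (return 0),
#      otherwise the snapshot is restored (return 1).
#   Return 2 means the snapshot, the load or the restore itself failed.
apply_with_rollback() {
    rulefile=$1
    confirm=$2
    backup=$(mktemp) || return 2
    if ! "$IPTABLES_SAVE" > "$backup"; then
        rm -f "$backup"
        return 2
    fi
    if ! "$IPTABLES_RESTORE" < "$rulefile"; then
        # iptables-restore parses the whole file before committing, so a
        # syntax error leaves the old rules in place: nothing to roll back.
        rm -f "$backup"
        return 2
    fi
    if sh -c "$confirm"; then
        rm -f "$backup"
        return 0
    fi
    if "$IPTABLES_RESTORE" < "$backup"; then
        rm -f "$backup"
        return 1
    fi
    rm -f "$backup"
    return 2
}

# Interactive use over SSH (runs only when APPLY_RULEFILE is set): the new
# rules are kept only if you press Enter within 30 seconds. If the session
# was cut off nobody can press Enter, "timeout" fails, and the old rules
# come back on their own.
if [ -n "${APPLY_RULEFILE:-}" ]; then
    echo "Loading $APPLY_RULEFILE; press Enter within 30 s to keep it."
    apply_with_rollback "$APPLY_RULEFILE" 'timeout 30 sh -c "read -r ok"'
    echo "apply_with_rollback returned $?"
fi
```

Because iptables-restore replaces the whole filter table in one commit, there is no moment in which the host is half-configured, unlike a script that flushes and appends rules one at a time.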
-------------------------- basic setup begins ---------------------------------
1) Set the INPUT default policy to ACCEPT
# iptables -P INPUT ACCEPT
2) Delete every rule defined in the chains (the policy was set to ACCEPT first, so flushing does not cut us off)
# iptables -F
3) Check: all rules are gone
# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
4) Add a rule to the INPUT chain accepting packets on the loopback interface
# iptables -A INPUT -i lo -j ACCEPT
Many programs on the host talk to localhost (127.0.0.1), so this rule is needed.
5) Add a rule to the INPUT chain accepting packets in the ESTABLISHED or RELATED state (via the state match)
# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
This accepts the packets of connections the host has already established (replies to what it sent out) and packets related to them (ICMP error messages, the FTP data connection) without opening any port.
6) Add a rule to the INPUT chain accepting TCP packets to port 22
# iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
SSH is now allowed. (telnet would be port 23.)
7) Set the INPUT default policy to DROP
# iptables -P INPUT DROP
8) Set the FORWARD default policy
# iptables -P FORWARD DROP
This host does not route for anyone, so forwarded packets are dropped.
9) Set the OUTPUT default policy (outgoing traffic from the host is trusted)
# iptables -P OUTPUT ACCEPT
10) Check what has been set
# iptables -L -v
Chain INPUT (policy DROP 108 packets, 12199 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo any anywhere anywhere
273 25012 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:ssh
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 9 packets, 1612 bytes)
pkts bytes target prot opt in out source destination
11) Save the rules (otherwise they are lost at the next restart of the service or the host)
# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables: [ OK ]
----------------- basic setup ends ------------------------------------
* Rule order matters
The order of iptables rules is important, because the first matching rule wins.
If a chain already has a rule that drops packets from 192.168.100.0/24 and you then append (-A) a rule accepting packets from 192.168.100.13 (an address inside that range), the new rule lands after the drop rule and is never reached.
The rule allowing 192.168.100.13 must come before the rule dropping the whole range; insert it with -I (or replace with -R) instead of appending with -A.
The service rules below also include OUTPUT rules for the case where the OUTPUT policy has been set to DROP (iptables -P OUTPUT DROP); with the OUTPUT policy at ACCEPT, as set above, the OUTPUT rules are unnecessary.
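Shadowed rules are easy to create and hard to spot in a long listing. The following is an added example, not from the original page: a small lint over a ruleset in iptables-save format (what "iptables-save" prints and what /etc/sysconfig/iptables contains) that reports rules an earlier terminating rule in the same chain already covers, and warns when the INPUT policy is DROP with no reachable ACCEPT for tcp/22. It models only -s, -d, -p, -i, --dport and -j; a rule using anything else (-m state, --sport, "!", ...) is treated as opaque, meaning it can be shadowed but never shadows, so the lint errs towards silence rather than false alarms. Addresses are assumed to be in a.b.c.d or a.b.c.d/bits form, and the sample ruleset is constructed for this example, not captured from a host.

```shell
#!/bin/sh
# Added example: find rules that can never match, plus an SSH lockout check.
# Usage on a live host: iptables-save | check_ruleset
check_ruleset() {
    awk '
    function ip2int(ip,    a) {
        split(ip, a, ".")
        return ((a[1] * 256 + a[2]) * 256 + a[3]) * 256 + a[4]
    }
    # 1 if the "outer" address spec (empty = any) covers every address of "inner"
    function covers(outer, inner,    o, i, obits, ibits, shift) {
        if (outer == "") return 1
        if (inner == "") return 0
        obits = (split(outer, o, "/") == 2) ? o[2] : 32
        ibits = (split(inner, i, "/") == 2) ? i[2] : 32
        if (ibits < obits) return 0
        shift = 2 ^ (32 - obits)          # compare the network part only
        return int(ip2int(o[1]) / shift) == int(ip2int(i[1]) / shift)
    }
    /^:/ { policy[substr($1, 2)] = $2 }   # e.g. ":INPUT DROP [0:0]"
    $1 == "-A" {
        n++; chain[n] = $2; lineno[n] = NR; text[n] = $0
        s[n] = d[n] = p[n] = dp[n] = iface[n] = tgt[n] = ""; opaque[n] = 0
        for (k = 3; k <= NF; k++) {
            if      ($k == "-s") s[n] = $(++k)
            else if ($k == "-d") d[n] = $(++k)
            else if ($k == "-p") p[n] = $(++k)
            else if ($k == "-i") iface[n] = $(++k)
            else if ($k == "--dport") dp[n] = $(++k)
            else if ($k == "-j") tgt[n] = $(++k)
            else if ($k == "--reject-with") k++
            else if ($k == "-m") { k++; if ($k != "tcp" && $k != "udp") opaque[n] = 1 }
            else opaque[n] = 1            # anything we do not model
        }
    }
    END {
        for (b = 1; b <= n; b++) {
            shadowed[b] = 0
            for (a = 1; a < b && !shadowed[b]; a++) {
                if (chain[a] != chain[b] || opaque[a]) continue
                if (tgt[a] != "ACCEPT" && tgt[a] != "DROP" && tgt[a] != "REJECT") continue
                if (!covers(s[a], s[b]) || !covers(d[a], d[b])) continue
                if (p[a] != "" && p[a] != p[b]) continue
                if (dp[a] != "" && dp[a] != dp[b]) continue
                if (iface[a] != "" && iface[a] != iface[b]) continue
                shadowed[b] = 1
                printf "line %d is never reached: shadowed by line %d (%s)\n", lineno[b], lineno[a], text[a]
            }
            if (chain[b] == "INPUT" && tgt[b] == "ACCEPT" && p[b] == "tcp" && dp[b] == "22" && !shadowed[b])
                ssh_ok = 1
        }
        if (policy["INPUT"] == "DROP" && !ssh_ok)
            print "LOCKOUT RISK: INPUT policy is DROP but no reachable rule accepts tcp/22"
    }'
}

# Constructed sample showing both mistakes from the text: an ACCEPT for
# 192.168.100.13 appended after the DROP for 192.168.100.0/24, and a rule
# appended after the catch-all REJECT.
sample_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 192.168.100.0/24 -j DROP
-A INPUT -s 192.168.100.13 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
EOF
}

sample_ruleset | check_ruleset
```

On the sample it reports line 8 (shadowed by the /24 DROP on line 7) and line 11 (shadowed by the catch-all REJECT on line 10); the generic SSH rule on line 9 is reachable, so no lockout warning is printed.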
Common services
DNS -- TCP 53 / UDP 53
# iptables -A INPUT -p tcp --dport 53 -j ACCEPT
# iptables -A INPUT -p udp --dport 53 -j ACCEPT
HTTP -- TCP 80
# iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
HTTPS -- TCP 443
# iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
The same thing as a single rule using the multiport match, written in the form it takes in /etc/sysconfig/iptables (prefix it with "iptables" on the command line):
-A INPUT -m state --state NEW -m tcp -p tcp -m multiport --dports 80,443 -j ACCEPT
MySQL -- TCP 3306
# iptables -A INPUT -p tcp --dport 3306 -j ACCEPT
FTP (passive mode)
# iptables -A INPUT -p tcp --dport 21 -j ACCEPT
# iptables -A OUTPUT -p tcp --sport 21 -j ACCEPT
# iptables -A INPUT -p tcp --dport 1024:65535 -j ACCEPT
# iptables -A OUTPUT -p tcp --sport 1024:65535 -j ACCEPT
Opening 1024:65535 makes the firewall useless for every other service listening above 1024 (MySQL on 3306 included). The better way is to load the FTP connection-tracking helper, nf_conntrack_ftp (add it to IPTABLES_MODULES in /etc/sysconfig/iptables-config so the service loads it at start): the helper watches the control connection on port 21 and marks the data connection as RELATED, so the ESTABLISHED,RELATED rule from step 5 accepts it and only port 21 needs to be opened. If the helper cannot be used, restrict the passive port range in the FTP server (vsftpd: pasv_min_port/pasv_max_port) and open only that range.
Mail services
SMTP -- TCP 25
# iptables -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
Secure SMTP -- TCP 465
# iptables -A INPUT -p tcp -m tcp --dport 465 -j ACCEPT
POP3 -- TCP 110
# iptables -A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
Secure POP3 -- TCP 995
# iptables -A INPUT -p tcp -m tcp --dport 995 -j ACCEPT
IMAP -- TCP 143
# iptables -A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
Secure IMAP -- TCP 993
# iptables -A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
ICMP (ping) -- the OUTPUT rule for the echo-reply is only needed with an OUTPUT DROP policy
# iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
NTP time synchronisation -- UDP 123 (this INPUT rule is needed only if the host serves time to others; as an NTP client the replies are accepted by the ESTABLISHED,RELATED rule)
# iptables -A INPUT -p udp --dport 123 -j ACCEPT
NULL packets (TCP packets with no flags set) never occur in legitimate traffic; port scanners use them (nmap -sN) to probe for open ports. Drop them:
# iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
New connections that do not start with SYN
A legitimate TCP connection always begins with a SYN packet; a packet that connection tracking classifies as NEW but has no SYN set is either a stray or spoofed segment or a scan probe (nmap ACK/FIN-style scans). Drop it:
# iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
Although this rule is often listed as a "syn-flood" rule, it does nothing against a SYN flood, where the attacker sends a flood of perfectly valid SYN packets to exhaust the half-open connection backlog; the defence for that is in the kernel (SYN cookies), below.
SYN-flood hardening with sysctl
Edit /etc/sysctl.conf to defend against certain types of attacks and append/update the following (apply with "sysctl -p"):
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.tcp_max_syn_backlog = 8192
net.ipv4.netfilter.ip_conntrack_max = 1048576
tcp_syncookies lets the kernel keep accepting connections when the SYN backlog is full without keeping state for each half-open connection; rp_filter drops packets whose source address is not routable back through the interface they arrived on (anti-spoofing); the last line enlarges the connection-tracking table. The current name of that key is net.netfilter.nf_conntrack_max, and ip_conntrack_max is only a compatibility alias, so if sysctl reports an unknown key use the nf_conntrack name. Both conntrack keys exist only once the nf_conntrack module is loaded, i.e. after iptables has started with a state rule, so "sysctl -p" may complain about them on a host where iptables is not yet running.
XMAS packets
XMAS packets (TCP packets with every flag set) are likewise never legitimate and are used by scanners (nmap -sX). Drop them:
# iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
Modifying rules
To modify an existing rule, either edit /etc/sysconfig/iptables with vi and reload it with "service iptables restart", or change it with the iptables command and save again.
First find the rule number:
# iptables -nL --line-numbers
Then replace rule 3 of INPUT (the SSH rule in the listing above) with -R (replace), e.g. to move SSH to port 2222 after changing Port in sshd_config; the current session survives the change thanks to the ESTABLISHED rule:
# iptables -R INPUT 3 -p tcp --dport 2222 -j ACCEPT
Interfaces
Accept all packets on the loopback interface:
# iptables -A INPUT -i lo -j ACCEPT
Accept all packets arriving on the network card eth0 (this effectively disables filtering on that interface; use it only for a trusted internal interface):
# iptables -A INPUT -i eth0 -j ACCEPT
IP addresses
Accept packets from a single source IP:
# iptables -A INPUT -s 192.168.0.3 -j ACCEPT
Accept packets from a source network (CIDR notation):
# iptables -A INPUT -s 192.168.0.0/24 -j ACCEPT
The same network in netmask notation:
# iptables -A INPUT -s 192.168.0.0/255.255.255.0 -j ACCEPT
Accept packets from a source IP only when they come from a given MAC address (the mac match works only in the INPUT, FORWARD and PREROUTING chains, i.e. for hosts on the same Ethernet segment, and a MAC address is trivially spoofed, so treat it as a convenience, not as authentication):
# iptables -A INPUT -s 192.168.0.3 -m mac --mac-source 00:50:80:FD:E6:32 -j ACCEPT
Port ranges
Accept TCP ports 6881 through 6890:
# iptables -A INPUT -p tcp --dport 6881:6890 -j ACCEPT
Automation script
#!/bin/bash
# iptables automation script
# Open the INPUT policy first so that the flush below cannot lock us out
# if a previous run left the policy at DROP
iptables -P INPUT ACCEPT
# Start by flushing every rule.
iptables -F
#
# Allow SSH on TCP port 22
# (before the policy is changed, so that we are not locked out)
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
#
# Set the default policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
#
# localhost
iptables -A INPUT -i lo -j ACCEPT
#
# established and related
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# Apache, port 80
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
#
# Save the rules to /etc/sysconfig/iptables
/sbin/service iptables save
#
# Show the result
iptables -L -v
1) Save the script as a file (e.g. myfirewall)
2) # chmod +x myfirewall
3) # ./myfirewall
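A script that flushes and then appends rules one at a time leaves the host half-configured for a moment and, if it aborts midway, wide open or unreachable. The following is an added example, not the page's script: it builds the complete ruleset from the steps on this page as one file in iptables-save format and loads it in a single step with iptables-restore, which parses the whole file first and replaces the filter table in one commit. It assumes SSH stays on port 22, the host does not route (FORWARD DROP), and the TCP/UDP port lists passed to build_ruleset are the services to expose; nothing is loaded unless LOAD=1 is set in the environment, otherwise the generated file is printed for review.

```shell
#!/bin/sh
# Added example: generate the whole ruleset and load it atomically.

# build_ruleset "TCP ports" "UDP ports" -> iptables-save format on stdout
build_ruleset() {
    tcp_ports=$1
    udp_ports=$2
    echo "*filter"
    echo ":INPUT DROP [0:0]"
    echo ":FORWARD DROP [0:0]"
    echo ":OUTPUT ACCEPT [0:0]"
    echo "-A INPUT -i lo -j ACCEPT"
    echo "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # scan noise: NULL, XMAS and NEW-but-not-SYN packets
    echo "-A INPUT -p tcp --tcp-flags ALL NONE -j DROP"
    echo "-A INPUT -p tcp --tcp-flags ALL ALL -j DROP"
    echo "-A INPUT -p tcp ! --syn -m state --state NEW -j DROP"
    echo "-A INPUT -p icmp --icmp-type echo-request -j ACCEPT"
    for port in $tcp_ports; do
        echo "-A INPUT -p tcp -m state --state NEW -m tcp --dport $port -j ACCEPT"
    done
    for port in $udp_ports; do
        echo "-A INPUT -p udp -m udp --dport $port -j ACCEPT"
    done
    # log what the DROP policy is about to discard, rate-limited so a
    # port scan cannot fill /var/log/messages
    echo "-A INPUT -m limit --limit 5/min -j LOG --log-prefix \"iptables-drop: \""
    echo "COMMIT"
}

# Refuse to proceed with a ruleset that would lock out SSH.
ruleset_allows_ssh() {
    printf '%s\n' "$1" | grep -q -- '-m tcp --dport 22 -j ACCEPT'
}

rules=$(build_ruleset "22 80 443" "53")
if ruleset_allows_ssh "$rules"; then
    if [ "${LOAD:-0}" = "1" ]; then
        # one commit: no window with the box either open or unreachable
        printf '%s\n' "$rules" | iptables-restore && service iptables save
    else
        printf '%s\n' "$rules"
    fi
else
    echo "refusing to build a ruleset without SSH" >&2
fi
```

Review the printed file, then run it again with LOAD=1; "service iptables save" afterwards writes the loaded rules to /etc/sysconfig/iptables so they survive a reboot.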