Some people build a server with iptables switched off.
At first sight writing firewall rules looks like a chore, and on a home server most people sit behind a consumer router and trust it to act as a firewall to some degree.
Today let's dig into it properly.
iptables was developed by the netfilter project. It provides a powerful mechanism for tracking connection state across a wide range of protocols, inspecting application-layer data in packets, rate limiting, and expressing filtering policy.
CentOS 6.4 Minimal ships with iptables installed.
ip6tables is installed alongside it; that is the equivalent tool for IPv6.
# rpm -qa | grep iptables
iptables-1.4.7-9.el6.x86_64
iptables-ipv6-1.4.7-9.el6.x86_64
If it is not installed, install it:
# yum -y install iptables
# chkconfig --list
ip6tables 0:off 1:off 2:off 3:off 4:off 5:off 6:off
iptables 0:off 1:off 2:off 3:off 4:off 5:off 6:off
(only the two relevant lines of the listing are shown)
Register the service so it starts at boot.
# chkconfig iptables on
Start the service.
# service iptables start
Where the iptables rules are stored (this is the file `service iptables save` writes and the init script loads at boot):
/etc/sysconfig/iptables
Skipping the hard terminology, here is a brief explanation of the parts we will actually use.
1) Tables
iptables groups rules into tables. There are four of them, filter, nat, mangle and raw; the one we need here is the filter table, which holds the filtering rules (it is also the default when -t is not given).
2) Chains
The filter table has three built-in chains: INPUT, OUTPUT and FORWARD.
Each chain applies its rules to a particular class of network traffic (IP packets).
For example, for an incoming packet (INPUT) the chain decides whether to accept it (ACCEPT), refuse it with an error reply (REJECT), or silently discard it (DROP).
INPUT - every packet addressed to this host
OUTPUT - every packet generated by this host
FORWARD - every packet for which this host is not the destination, that is, packets passing through a host that acts as a router
3) Matches
A match is a condition a packet has to satisfy for a rule to apply to it.
In other words, a rule acts only on the packets that satisfy all of its matches.
--source (-s) : match the source IP address or network
--destination (-d) : match the destination IP address or network
--protocol (-p) : match a specific protocol (tcp, udp, icmp, ...)
--in-interface (-i) : the interface the packet arrived on (INPUT and FORWARD chains only)
--out-interface (-o) : the interface the packet leaves on (OUTPUT and FORWARD chains only)
--state : match the connection-tracking state (used with -m state)
--string : match a byte sequence in the application-layer data (used with -m string)
--comment : attach a comment of up to 256 characters to the rule; it is kept with the rule in kernel memory and shown by iptables -L (used with -m comment)
--syn (-y) : match TCP packets that open a connection, i.e. SYN set and ACK, RST and FIN clear; `! --syn` matches every other TCP packet
--fragment (-f) : match the second and later fragments of a fragmented packet (these carry no port information, so port matches cannot inspect them)
--table (-t) : the table the command operates on (filter if omitted)
--jump (-j) : the target, i.e. what to do with a packet that matches the rule
--match (-m) : load a match extension module (state, tcp, multiport, mac, ...)
4) Targets
The target is the action iptables takes when a packet matches a rule.
ACCEPT - let the packet through.
DROP - discard the packet silently (as if it had never arrived).
REJECT - discard the packet and send back an appropriate error reply (a TCP RST or an ICMP error).
LOG - write the packet header to syslog via the kernel log; LOG does not terminate processing, the next rule is still evaluated.
RETURN - stop processing this chain and continue in the calling chain (in a built-in chain, apply the policy).
REJECT refuses a client's access to a service and the client sees an error such as "connection refused" right away, whereas DROP, as the name says, discards the packet without telling a telnet (or any other) client anything; the client just waits until it times out.
Which to use is up to the administrator. REJECT is friendlier to users, who otherwise keep retrying in confusion; DROP gives a port scanner less information and costs it time, which is why it is the usual choice on internet-facing hosts.
5) Connection tracking
iptables uses connection tracking (conntrack) to watch each connection to a service and to permit or restrict it according to the state of the connection.
Because the tracker keeps every connection's state in a table, the administrator can allow or refuse packets by that state:
NEW — a packet that starts a new connection, e.g. the first packet of an HTTP request
ESTABLISHED — a packet belonging to a connection that has already seen traffic in both directions
RELATED — a packet that starts a new connection but belongs to an existing one. The classic case is FTP: the control connection uses port 21, but data is transferred on a separate connection (server port 20 in active mode; in passive mode an unprivileged port above 1023 chosen by the server). With the FTP conntrack helper loaded, that data connection is classified RELATED.
INVALID — a packet that cannot be associated with any connection in the tracking table (malformed, or out of sequence)
Stateful connection tracking in iptables works with any network protocol.
It can be used even with stateless protocols such as UDP: conntrack treats a UDP reply that follows a request as ESTABLISHED and expires the entry after a timeout.
6) Commands
-A (--append) : append a new rule at the end of a chain.
-D (--delete) : delete a rule (by specification or by number).
-C (--check) : check whether a rule with the given specification exists in the chain (added in later iptables releases; not available in the 1.4.7 shipped with CentOS 6).
-R (--replace) : replace the rule at the given position with a new one.
-I (--insert) : insert a new rule at a position (at the top of the chain if no number is given).
-L (--list) : list the rules.
-F (--flush) : delete every rule from a chain (or from all chains); the policy is not changed.
-Z (--zero) : reset the packet and byte counters of every chain to 0.
-N (--new) : create a new user-defined chain.
-X (--delete-chain) : delete an (empty) user-defined chain.
-P (--policy) : set the default policy of a built-in chain.
7) How rules are evaluated
A packet is checked against the rules of the chain from the top down, and the target of the first matching rule (ACCEPT, DROP, ...) is applied.
Once a terminating target such as ACCEPT, DROP or REJECT has fired, the remaining rules of the chain are not consulted for that packet.
If a packet reaches the bottom of the chain without matching any rule, the chain's default policy is applied.
A built-in chain's policy can be set to ACCEPT or DROP.
The usual design is a DROP policy for everything, with explicit ACCEPT rules only for the ports and IP addresses that are meant to be reachable.
8) Listing the rules
The following is a convenient way to review the ruleset. -n prints addresses and ports numerically instead of resolving them, which is faster and avoids ambiguous service names. Note that without -v the interface column is hidden, so the first rule below (the loopback rule, -i lo) looks like an unconditional accept-all.
# iptables -nL
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:3306
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
There is also a way to show each rule's position in the chain, which you need when addressing rules by number with -I, -D or -R:
# iptables -nL --line-numbers
Chain INPUT (policy DROP)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
2 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
3 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
4 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
5 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53
6 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
7 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
8 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:3306
Chain FORWARD (policy DROP)
num target prot opt source destination
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
-v adds the packet and byte counters and the in/out interface columns, which show that the first rule applies to lo only:
# iptables -L -v
Chain INPUT (policy DROP 1626 packets, 214K bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo any anywhere anywhere
944 194K ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:ssh
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:domain
4 245 ACCEPT udp -- any any anywhere anywhere udp dpt:domain
6 304 ACCEPT tcp -- any any anywhere anywhere tcp dpt:http
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:https
2 88 ACCEPT tcp -- any any anywhere anywhere tcp dpt:mysql
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 179 packets, 22190 bytes)
pkts bytes target prot opt in out source destination
Below is the default iptables configuration of CentOS 6.4 Minimal.
# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
The policy of every chain is ACCEPT, but the final REJECT rule in INPUT and FORWARD catches everything the earlier rules did not accept, so in practice only loopback traffic, ICMP, packets of existing connections and SSH get in.
We will throw this out and write a fresh set of rules.
* Caution
If you set the INPUT policy to DROP while you are logged in over SSH and no rule accepts SSH yet, you lose the connection the moment the policy changes. So set the policy to ACCEPT first, finish the SSH rule, and only then switch the policy to DROP.
If you are doing this on the console (at the server itself) there is nothing to worry about.
-------------------------- Basic setup ---------------------------------
1) Set the default policy to ACCEPT
# iptables -P INPUT ACCEPT
2) Delete every rule in every chain
# iptables -F
3) Checking shows the rules are gone
# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
4) Allow every packet arriving on the loopback interface in the INPUT chain
# iptables -A INPUT -i lo -j ACCEPT
This is needed because a lot of software talks to itself over localhost.
5) Allow packets whose connection state is ESTABLISHED or RELATED (state module)
# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
This accepts packets that belong to a connection already in progress (replies to connections this host opened, and further packets of inbound connections that were accepted) and packets related to one, such as ICMP errors or the data connection of an FTP session. It is what lets outgoing connections receive their answers once the INPUT policy is DROP.
6) Allow TCP packets whose destination port is 22
# iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
SSH is now allowed. For telnet the destination port would be 23 (telnet sends credentials in clear text; use SSH instead).
7) Now change the INPUT chain's default policy to DROP
# iptables -P INPUT DROP
8) Change the FORWARD chain's default policy to DROP
# iptables -P FORWARD DROP
This host is not a router, so every forwarded packet is dropped.
9) Set the OUTPUT chain's default policy to ACCEPT
# iptables -P OUTPUT ACCEPT
10) Check the result
# iptables -L -v
Chain INPUT (policy DROP 108 packets, 12199 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo any anywhere anywhere
273 25012 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:ssh
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 9 packets, 1612 bytes)
pkts bytes target prot opt in out source destination
11) Save the rules
# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables: [ OK ]
Without this step the rules live only in the kernel and are lost at the next reboot or `service iptables restart`.
----------------- End of basic setup ------------------------------------
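As an added example (not from the original post), here is the same baseline, steps 1 to 11, expressed as one ruleset in iptables-save format and loaded atomically with iptables-restore instead of one command at a time, plus a timed rollback for the lock-out risk described in the caution above. The function names, the extra-port arguments and the /tmp/iptables.rollback scratch files are this example's own choices; it assumes CentOS 6 style iptables 1.4.x with the state match, and root for the apply step.

```sh
#!/bin/sh
# Added example, not part of the original post.
# build_ruleset SSH_PORT [EXTRA_TCP_PORT ...]
# Prints the baseline ruleset from the walkthrough in iptables-save format
# (the same format as /etc/sysconfig/iptables). Rule order is the one the
# walkthrough uses: loopback, then existing connections, then SSH, then any
# extra service ports, with DROP as the INPUT and FORWARD policy.
build_ruleset() {
    ssh_port=${1:-22}
    if [ $# -gt 0 ]; then shift; fi
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport $ssh_port -j ACCEPT
EOF
    for port in "$@"; do
        echo "-A INPUT -p tcp -m tcp --dport $port -j ACCEPT"
    done
    echo COMMIT
}

# apply_with_rollback FILE [SECONDS]   (root only; file names are this example's own)
# Saves the live rules, loads FILE in one step, and schedules a restore of the
# saved rules after SECONDS (default 60). Open a second SSH session to verify,
# then run confirm_ruleset; if the new rules cut you off, just wait and the old
# rules come back on their own.
apply_with_rollback() {
    file=$1; secs=${2:-60}
    iptables-save > /tmp/iptables.rollback || return 1
    iptables-restore < "$file" || return 1
    ( sleep "$secs" && iptables-restore < /tmp/iptables.rollback ) &
    echo $! > /tmp/iptables.rollback.pid
    echo "loaded $file; rolling back in ${secs}s unless confirm_ruleset is run"
}

# confirm_ruleset: cancel the pending rollback and persist the rules for the next boot.
confirm_ruleset() {
    kill "$(cat /tmp/iptables.rollback.pid)" 2>/dev/null
    rm -f /tmp/iptables.rollback.pid /tmp/iptables.rollback
    service iptables save
}

# Typical use on a CentOS 6 host, as root:
#   build_ruleset 22 80 443 > /root/base.rules
#   apply_with_rollback /root/base.rules 90
#   (log in again from another terminal to make sure SSH still works)
#   confirm_ruleset
```

Loading the whole file with iptables-restore has a second advantage over the step-by-step commands: there is no window in which the policy is already DROP but the SSH rule is not yet present, because the kernel swaps the entire table in one operation.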
* Important
Order matters a great deal when writing iptables rules.
For example, if a chain first says to drop everything coming from the local subnet 192.168.100.0/24 and you then append (-A) a rule allowing everything from 192.168.100.13, which lies inside that subnet, the later rule is never reached: the first matching rule wins.
Put the rule allowing 192.168.100.13 first and the rule dropping the subnet after it (or add the allow rule with -I, which inserts at the top of the chain).
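The first-match behaviour behind that warning, as an added example rather than anything from the original post: a small POSIX sh evaluator that walks a list of "CIDR TARGET" rules the way the INPUT chain does and falls back to the chain policy when nothing matches. The function names and the sample rule lists are this example's own; the addresses are the ones used above.

```sh
#!/bin/sh
# Added example, not part of the original post: first-match evaluation of a
# chain of source-address rules, to show why rule order decides the outcome.

# ip_to_int A.B.C.D -> the address as a 32-bit integer
ip_to_int() {
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR CIDR -> exit 0 when ADDR lies inside CIDR (a plain address means /32)
in_cidr() {
    addr=$(ip_to_int "$1")
    case "$2" in
        */*) net=${2%/*}; bits=${2#*/} ;;
        *)   net=$2; bits=32 ;;
    esac
    if [ "$bits" -eq 0 ]; then
        mask=0
    else
        mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    fi
    net_int=$(ip_to_int "$net")
    [ $(( addr & mask )) -eq $(( net_int & mask )) ]
}

# first_match POLICY SRC_IP < rules
# Reads "CIDR TARGET" lines from stdin in chain order and prints the target of
# the first rule the source address matches, or POLICY if none matches.
first_match() {
    policy=$1; src=$2
    while read -r cidr target; do
        if [ -n "$cidr" ] && in_cidr "$src" "$cidr"; then
            echo "$target"
            return 0
        fi
    done
    echo "$policy"
}

# Demo: the same two rules in both orders, for a packet from 192.168.100.13.
printf '192.168.100.0/24 DROP\n192.168.100.13 ACCEPT\n' | first_match ACCEPT 192.168.100.13   # DROP
printf '192.168.100.13 ACCEPT\n192.168.100.0/24 DROP\n' | first_match ACCEPT 192.168.100.13   # ACCEPT
```

With the subnet DROP first, the ACCEPT for the single host is dead code; reversing the two lines gives the intended result, and any other host in the subnet still hits the DROP. A real chain behaves the same way for every match type, not just source addresses.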
The rules below also give an OUTPUT rule where one would be needed, in case you set the OUTPUT policy to DROP (iptables -P OUTPUT DROP); with the ACCEPT policy used above they are not required.
Name server
DNS -- TCP 53 / UDP 53
# iptables -A INPUT -p tcp --dport 53 -j ACCEPT
# iptables -A INPUT -p udp --dport 53 -j ACCEPT
Web server
HTTP -- TCP 80
# iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
HTTPS -- TCP 443
# iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
The same two rules as one line in the /etc/sysconfig/iptables file format (no iptables prefix), using the multiport match and accepting only packets that start a new connection:
-A INPUT -m state --state NEW -m tcp -p tcp -m multiport --dports 80,443 -j ACCEPT
MySQL -- TCP 3306
# iptables -A INPUT -p tcp --dport 3306 -j ACCEPT
Open 3306 only if clients really connect from other hosts; a database used only by the local web server is reached over localhost (already allowed by the lo rule) and the port should stay closed. If remote clients are needed, restrict the rule with -s to their addresses.
FTP (passive mode)
# iptables -A INPUT -p tcp --dport 21 -j ACCEPT
# iptables -A OUTPUT -p tcp --sport 21 -j ACCEPT
# iptables -A INPUT -p tcp --dport 1024:65535 -j ACCEPT
# iptables -A OUTPUT -p tcp --sport 1024:65535 -j ACCEPT
Be aware of what the third rule does: it opens every unprivileged TCP port on the host to the world, which largely defeats the DROP policy. The better approach is to load the FTP connection-tracking helper (nf_conntrack_ftp; on CentOS 6 list it in IPTABLES_MODULES in /etc/sysconfig/iptables-config) so that passive data connections are classified RELATED and pass through the ESTABLISHED,RELATED rule, and to limit the passive port range in the FTP server (pasv_min_port/pasv_max_port in vsftpd) and open only that range if you cannot use the helper.
¸ÞÀϼ¹ö
SMTP -- TCP 25
# iptables -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
Secure SMTP -- TCP 465
# iptables -A INPUT -p tcp -m tcp --dport 465 -j ACCEPT
POP3 -- TCP 110
# iptables -A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
Secure POP3 -- TCP 995
# iptables -A INPUT -p tcp -m tcp --dport 995 -j ACCEPT
IMAP -- TCP 143
# iptables -A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
Secure IMAP -- 993
# iptables -A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
ICMP Çã¿ë (ping)
# iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
NTP ½Ã°£µ¿±âÈ
# iptables -A INPUT -p udp --dport 123 -j ACCEPT
NULL ÆÐŶÀº Á¤Âû ÆÐŶÀ¸·Î ¼¹ö¼³Á¤ÀÇ ¾àÇÑ °÷À» ã±âÀ§ÇÑ ¹æ¹ýÀ¸·Î »ç¿ëµÈ´Ù.
# iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
syn-flood attack Â÷´Ü
syn-flood attackÀº °ø°ÝÀÚ°¡ »õ·Î¿î ¿¬°áÀ» ¸¸µé°í ºüÁö°í¸¦ ¹Ýº¹ÇØ ¸®¼Ò½ºÀÇ ¼Ò¸ð¸¦ ½ÃÅ°´Â °Í
# iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
Anti synflood with iptables
Edit /etc/sysctl.conf to defend against certain types of attacks and append / update as follows:
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.tcp_max_syn_backlog = 8192
net.ipv4.netfilter.ip_conntrack_max = 1048576
XMAS ÆÐŶ Â÷´Ü
XMAS ¶ÇÇÑ Á¤Âû ÆÐŶ
# iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
Editing the rules
To change rules that are already in place, either edit /etc/sysconfig/iptables directly with vi (then run service iptables restart to load it) or use the iptables command.
Check the rule positions first
# iptables -nL --line-numbers
The example below replaces (-R) the rule at position 3 of INPUT with a new one. In the listing above, rule 3 is the SSH rule for port 22, so this swaps it for port 2222; make sure sshd actually listens there before you do it, and always re-list first, because positions shift whenever rules are inserted or deleted.
# iptables -R INPUT 3 -p tcp --dport 2222 -j ACCEPT
Selecting by interface
Allow every packet on the loopback interface
# iptables -A INPUT -i lo -j ACCEPT
Allow every packet on a specific network card
# iptables -A INPUT -i eth0 -j ACCEPT
Note that this switches filtering off for eth0 entirely; it only makes sense for a trusted internal interface.
Selecting by IP address
Allow every packet from a trusted IP
# iptables -A INPUT -s 192.168.0.3 -j ACCEPT
Allow every packet from a trusted IP range (CIDR notation)
# iptables -A INPUT -s 192.168.0.0/24 -j ACCEPT
The same range written with a netmask
# iptables -A INPUT -s 192.168.0.0/255.255.255.0 -j ACCEPT
Allow every packet from a trusted IP and MAC address
# iptables -A INPUT -s 192.168.0.3 -m mac --mac-source 00:50:80:FD:E6:32 -j ACCEPT
The MAC match only means something for hosts on the same Ethernet segment; for anything that came through a router the source MAC is the router's, and a MAC is trivially forged by anyone on the LAN, so treat this as a convenience, not as authentication.
Port ranges
# iptables -A INPUT -p tcp --dport 6881:6890 -j ACCEPT
Automation script
#!/bin/bash
# iptables setup script
# adjust to taste before use
iptables -F
#
# Allow TCP port 22 for SSH.
# This comes first so a remote session survives the policy change below;
# after the flush it is the only rule until the rest are added.
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
#
# Default policies: drop inbound and forwarded traffic, allow outbound
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
#
# Allow localhost traffic
iptables -A INPUT -i lo -j ACCEPT
#
# Allow packets of established and related connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# Allow Apache on port 80
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
#
# Save the rules so they survive a reboot
/sbin/service iptables save
#
# Show the result
iptables -L -v
1) Adjust the above to taste and save it as a file (myfirewall)
2) # chmod +x myfirewall
3) # ./myfirewall