iptables

1. What is iptables?

iptables is the firewall tool that replaced ipchains from Linux kernel 2.4 on. It filters packets through netfilter, the packet-filtering framework inside the kernel. Packet filtering means inspecting each packet and deciding whether to let it through. Normally only the packet header is inspected: source IP:PORT, destination IP:PORT, checksum, options and so on. Packets that meet a given condition are accepted (ACCEPT) or discarded (DROP), and several conditions can be combined to decide how a packet is handled.

The most important concept in an iptables policy is the chain. A chain corresponds to the direction in which a packet is travelling, and iptables has three built-in chains. (The built-in chains cannot be deleted or renamed; further user-defined chains can be created with the -N option.)

Chain INPUT   : default policy for packets addressed to this server
Chain FORWARD : default policy for forwarded packets
Chain OUTPUT  : default policy for packets sent by this server

    ------> INPUT ------> Linux Server ------> OUTPUT ------>
       |                                                |
       +------------------- FORWARD -------------------+

Packets whose destination is the Linux server pass through the INPUT chain, and packets the Linux server sends to the outside pass through the OUTPUT chain. The FORWARD chain handles packets that are routed through the server without being addressed to it. (The FORWARD chain is used for NAT, network address translation.)

2. iptables usage

The general form of an iptables rule is:

iptables -A INPUT -s [source address] --sport [source port] -d [destination address] --dport [destination port] -j [target]

iptables commands
-A : appends a new rule to the end of a chain.
-D : deletes a rule from a chain.
-C : checks whether a packet would match the chain (tests a rule).
-I : inserts a new rule into a chain.
-R : replaces a rule with a new one.
-L : lists the rules in a chain.
-F : flushes (deletes) all rules in a chain.
-Z : zeroes the packet and byte counters of a chain.
-N : creates a new user-defined chain.
-X : deletes a user-defined chain.
-P : sets the default policy of a chain.

iptables options
-p : protocol of the packet, by number or name (ex : tcp, udp, 21, 22)
-s : source address of the packet (ex : address[/mask])
-d : destination address of the packet
-i : name of the interface the rule applies to (ex : eth0, eth1)
-j : what to do with a packet that matches the rule (the target)
-y : matches only connection-request (SYN) packets
-f : applies the rule to the second and later fragments of a fragmented packet

3. Adding an iptables rule

Suppose we want to drop the ICMP packets that 127.0.0.1 sends when it pings this machine. A ping request is ICMP, and here the source address is 127.0.0.1. The target for these packets is DROP, and the program we use to test the rule is ping. Let's walk through it.

// iptables before the rule is added
# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

// ping to 127.0.0.1 works
# ping -c 3 127.0.0.1
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.029 ms
64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.028 ms
64 bytes from 127.0.0.1: icmp_seq=3 ttl=64 time=0.026 ms

--- 127.0.0.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1998ms
rtt min/avg/max/mdev = 0.026/0.027/0.029/0.006 ms

// add a rule that rejects ping from 127.0.0.1
# iptables -A INPUT -s 127.0.0.1 -p icmp -j DROP

// confirm that the rule was added: icmp is now dropped
# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       icmp --  SUNSYSTEM            anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

// confirm that ping is now rejected
# ping -c 3 127.0.0.1
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.

--- 127.0.0.1 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2008ms

4. Deleting an iptables rule

To delete a rule, give the same arguments you used when adding it, with -D in place of -A; alternatively, refer to the rule by its number:

iptables -D INPUT -s [source address] --sport [source port] -d [destination address] --dport [destination port] -j [target]
iptables -D INPUT [rule number]    (the rule numbers are shown by service iptables status)

iptables -F INPUT deletes every rule in the INPUT chain.

Let's delete the rule added above.

# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       icmp --  SUNSYSTEM            anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

# iptables -D INPUT 1
// the same rule could also be deleted with: iptables -D INPUT -s 127.0.0.1 -p icmp -j DROP

# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

5. iptables policy order

iptables is a firewall, and its rules are evaluated in the order they were given, so ordering is very important. Once a rule that rejects a packet has matched, a later rule that would accept the same port has no effect. Rules that accept traffic must therefore come before the rules that reject it.

// Below, port 22 is accepted first and ports 22~30 are dropped afterwards, so SSH still works.
# iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# iptables -A INPUT -p tcp --dport 22:30 -j DROP
# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
DROP       tcp  --  anywhere             anywhere            tcp dpts:ssh:30

// Below, ports 22~30 are dropped first, so accepting port 22 afterwards has no effect and SSH from outside is blocked.
// iptables rules take effect as soon as they are entered, so take care when working over a remote session.
# iptables -A INPUT -p tcp --dport 22:30 -j DROP
# iptables -A INPUT -p tcp --dport 22 -j ACCEPT

6. Basic setup

If the firewall was configured when the system was installed, its rules are stored in /etc/sysconfig/iptables. Remove the existing rules file and add the ports below.

// remove the saved iptables rules
# rm -rf /etc/sysconfig/iptables
rm: remove regular file `/etc/sysconfig/iptables'? y

// add the iptables policy
# iptables -A INPUT -p tcp --dport 20 -j ACCEPT                  // ftp-data
# iptables -A INPUT -p tcp --dport 21 -j ACCEPT                  // ftp
# iptables -A INPUT -p tcp --dport 22 -j ACCEPT                  // ssh
# iptables -A INPUT -p udp --dport 53 -j ACCEPT                  // named
# iptables -A INPUT -p tcp --dport 80 -j ACCEPT                  // http
# iptables -A INPUT -p tcp --dport 110 -j ACCEPT                 // pop3
# iptables -A INPUT -p tcp --dport 143 -j ACCEPT                 // imap
# iptables -A INPUT -p tcp --dport 3306 -j ACCEPT                // mysql
# iptables -A INPUT -p icmp --icmp-type echo-request -j DROP     // reject ping
# iptables -A INPUT -p tcp --dport 1:65335 -j DROP               // reject all other ports

// check the rules
# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp-data
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:pop3
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:imap
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:mysql
DROP       icmp --  anywhere             anywhere            icmp echo-request
DROP       tcp  --  anywhere             anywhere            tcp dpts:tcpmux:65335

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

// save the rules (init script messages shown as printed in the English locale)
# service iptables save
Saving firewall rules to /etc/sysconfig/iptables:            [  OK  ]
# ls /etc/sysconfig/iptables*
/etc/sysconfig/iptables  /etc/sysconfig/iptables-config

// start iptables
# service iptables start
Flushing firewall rules:                                     [  OK  ]
Setting chains to policy ACCEPT: filter                      [  OK  ]
Unloading iptables modules:                                  [  OK  ]
Applying iptables firewall rules:                            [  OK  ]
Loading additional iptables modules: ip_conntrack_netbios_ns [  OK  ]

// check the status
# service iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:20
2    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:21
3    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22
4    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:53
5    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80
6    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:110
7    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:143
8    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:3306
9    DROP       icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 8
10   DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpts:1:65335

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

// port scan with nmap
# nmap localhost

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2009-04-14 13:45 KST
Interesting ports on SUNSYSTEM (127.0.0.1):
Not shown: 1673 filtered ports
PORT     STATE  SERVICE
20/tcp   closed ftp-data
21/tcp   closed ftp
22/tcp   open   ssh
80/tcp   closed http
110/tcp  open   pop3
143/tcp  closed imap
3306/tcp open   mysql

7. iptables extensions

The rule below drops the connection when the same IP sends 10 or more SYN packets to port 80 within one second. For details, read the HOWTO documents at http://netfilter.org.

# iptables -A INPUT -p tcp --dport 80 -m recent --update --seconds 1 --hitcount 10 --name HTTP -j DROP
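Section 5 shows by hand that a DROP for ports 22:30 placed before the ACCEPT for port 22 makes the ACCEPT useless. The script below, added here as an example and not part of the original page, automates that check: it reads INPUT rules one per line (as you would type them, or as iptables-save prints them) and reports every rule whose protocol and destination-port range are fully covered by an earlier ACCEPT/DROP/REJECT rule, so that it can never match. The rule lines in SAMPLE_RULES are constructed for the demonstration, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original page): report INPUT rules that can
# never match because an earlier terminating rule already covers them.
# Input: one rule per line, written the way you would pass it to iptables
# (or as iptables-save prints it). Only numeric ports are understood.
find_shadowed_rules() {
    awk '
    # Parse one rule into protocol, destination-port range and target.
    # A rule using any match beyond -p/--dport (e.g. -s, -i, --sport,
    # --icmp-type, -m recent) is marked "extra": it is narrower than a
    # plain port rule, so it is never treated as shadowing a later rule.
    function parse(line,    n, i, tok, mod) {
        n = split(line, f)
        proto[NR] = "all"; lo[NR] = 0; hi[NR] = 65535
        target[NR] = ""; extra[NR] = 0
        for (i = 1; i <= n; i++) {
            tok = f[i]
            if (tok == "-A" || tok == "-I")      { i++ }
            else if (tok == "-p")                { proto[NR] = f[++i] }
            else if (tok == "-j")                { target[NR] = f[++i] }
            else if (tok == "--dport") {
                i++
                if (split(f[i], r, ":") == 2) { lo[NR] = r[1] + 0; hi[NR] = r[2] + 0 }
                else                          { lo[NR] = f[i] + 0; hi[NR] = f[i] + 0 }
            }
            else if (tok == "-m") {
                # -m tcp / -m udp is implied by -p and adds no restriction
                mod = f[++i]
                if (mod != "tcp" && mod != "udp") extra[NR] = 1
            }
            else if (tok ~ /^-/ || tok == "!")   { extra[NR] = 1 }
        }
    }
    NF > 0 { parse($0); rule[NR] = $0 }
    END {
        for (i = 1; i <= NR; i++) {
            if (!(i in rule)) continue
            for (j = 1; j < i; j++) {
                if (!(j in rule) || extra[j]) continue
                # only terminating targets end evaluation; LOG etc. do not shadow
                if (target[j] != "ACCEPT" && target[j] != "DROP" && target[j] != "REJECT") continue
                if (proto[j] != "all" && proto[j] != proto[i]) continue
                if (lo[j] <= lo[i] && hi[j] >= hi[i]) {
                    printf "rule %d never matches: shadowed by rule %d (%s)\n", i, j, rule[j]
                    break
                }
            }
        }
    }'
}

# Constructed sample (not from the page): the bad ordering from section 5
# plus a catch-all DROP followed by an ACCEPT that can never be reached.
SAMPLE_RULES='-A INPUT -p tcp --dport 22:30 -j DROP
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p udp --dport 53 -j ACCEPT
-A INPUT -p tcp --dport 1:65535 -j DROP
-A INPUT -p tcp --dport 443 -j ACCEPT'

check_sample() {
    printf '%s\n' "$SAMPLE_RULES" | find_shadowed_rules
}

# Run with "show" to print the report for the sample above.
if [ "${1-}" = "show" ]; then
    check_sample
fi
```

For a live system feed it `iptables-save | grep '^-A INPUT'`, which prints numeric ports (`iptables -L` prints service names such as ssh, which the parser does not resolve). An earlier rule that carries additional matches (-s, -i, --sport, -m recent, and so on) is narrower than a plain port rule and is deliberately never reported as shadowing anything; a partial overlap such as ACCEPT 22 followed by DROP 22:30 is not reported either, because the later rule still matches ports 23 to 30.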
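The policy in section 6 is typed one command at a time and ends with a catch-all DROP on 1:65335 (the last TCP port is 65535, so that range leaves 200 ports uncovered), and the section 7 rule uses `-m recent --update` on its own, which can never match because nothing ever adds an address to the HTTP list with `--set`. The script below, an added example rather than the page's own configuration, generates the equivalent policy as one iptables-restore file: default DROP policy, loopback and ESTABLISHED,RELATED traffic accepted first (without that rule the catch-all also discards the replies to the server's own outgoing connections), the SYN limit as a --set/--update pair, and one NEW-state ACCEPT per service. The port lists, the rate-limit numbers, the list name and the function name are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original page): generate a stateful INPUT
# policy in iptables-restore(8) format instead of typing rules one by one.
# The port lists, the rate-limit parameters and the function name are this
# example's own choices.
#
# gen_input_ruleset "TCP PORTS" "UDP PORTS" RL_PORT RL_SECONDS RL_HITCOUNT
gen_input_ruleset() {
    tcp_ports=$1; udp_ports=$2; rl_port=$3; rl_seconds=$4; rl_hits=$5
    printf '%s\n' '*filter'
    # Default policy DROP replaces the page's trailing "--dport 1:65335 -j DROP":
    # it also covers UDP, ICMP and the ports above 65335 that rule misses.
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    # Loopback, then replies to connections this host initiated. Without the
    # ESTABLISHED,RELATED rule the default DROP (or the page's catch-all rule)
    # also discards the answers to the server's own outbound connections.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    # SYN rate limit for one port. The --set rule records each source in the
    # "recent" list; the --update rule then drops a source that has sent
    # RL_HITCOUNT SYNs within RL_SECONDS. --update alone never fills the list.
    printf '%s\n' "-A INPUT -p tcp --dport $rl_port --syn -m recent --name HTTP --set"
    printf '%s\n' "-A INPUT -p tcp --dport $rl_port --syn -m recent --name HTTP --update --seconds $rl_seconds --hitcount $rl_hits -j DROP"
    # Services offered to the outside: only new connections need a rule,
    # the conntrack rule above handles the rest of each connection.
    for p in $tcp_ports; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    for p in $udp_ports; do
        printf '%s\n' "-A INPUT -p udp --dport $p -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# The page's service list (ftp-data ftp ssh http pop3 imap mysql, DNS over UDP)
# with a limit of 10 SYNs per second on port 80. Run with "show" to print it;
# load it with:  sh thisfile.sh show | iptables-restore
if [ "${1-}" = "show" ]; then
    gen_input_ruleset "20 21 22 80 110 143 3306" "53" 80 1 10
fi
```

On older systems without the xt_conntrack match, `-m state --state` is the equivalent spelling. The default policy and every rule take effect together at COMMIT, so review the generated text before loading it over an SSH session, for the same reason section 5 gives for typing rules in the right order.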