Frequently Asked Questions
Question
How to configure iptables, and related reference information
1. What is iptables?

iptables is the tool for configuring a firewall on Linux. It replaced ipchains, which was used on kernels before 2.4. iptables is the user-space interface that controls the packet-filtering facility (netfilter) built into the kernel.

Packet filtering means looking at the header of each packet that passes through and deciding the fate of the whole packet from it. A packet generally consists of a header and data: the header carries the fields that filtering decisions are made on (source IP:port, destination IP:port, checksum, protocol, options and so on), and the data part carries the payload being transmitted. Packets that meet a given condition can be allowed (ACCEPT) or discarded (DROP), and conditions can be combined to support many different ways of filtering and handling packets.

An iptables policy is divided into several parts, the most important of which is the chain. A chain is the point at which a packet is examined. The chains built into iptables are listed below. (The built-in chains are permanent and cannot be deleted. User-defined chains can be created in addition with the -N option.)

  Chain INPUT   : default policy for packets arriving at the server
  Chain FORWARD : default policy for packets the server forwards
  Chain OUTPUT  : default policy for packets leaving the server

  ------> INPUT ------> Linux Server ------> OUTPUT ------>
     |                                                  |
     +------------------- FORWARD ----------------------+

Every packet whose destination is the Linux server itself passes through the INPUT chain, and every packet generated on the Linux server and sent out passes through the OUTPUT chain. The FORWARD chain is traversed by packets whose destination is not this server, i.e. packets being routed through it. (The FORWARD chain is what filters the traffic when the server acts as a NAT gateway sharing its network connection.)

2. Structure of iptables

Let us first look at how a rule is built. An iptables rule has the following structure:

  iptables -A INPUT -s [source] --sport [source port] -d [destination] --dport [destination port] -j [target]

(--sport and --dport are only valid together with -p tcp or -p udp, since only those protocols have ports.)

iptables commands
  -A : append a new rule to the end of a chain.
  -D : delete a rule.
  -C : check whether a rule with the given specification exists in a chain.
  -I : insert a new rule (at the top of the chain unless a position is given).
  -R : replace the rule at a given position with a new one.
  -L : list the rules of a chain.
  -F : flush, i.e. delete every rule in a chain.
  -Z : reset the packet and byte counters of all chains to zero.
  -N : create a new user-defined chain.
  -X : delete a user-defined chain.
  -P : set the default policy of a built-in chain.

iptables options
  -p : the protocol of the packet, by name or by IP protocol number.
       (e.g. tcp, udp, icmp. Note that 21 and 22 are port numbers, not protocols: they belong with --sport/--dport, while a numeric -p value is an IP protocol number such as 6 for TCP or 17 for UDP.)
  -s : the source address of the packet (address[/mask]).
  -d : the destination address of the packet (address[/mask]).
  -i : the interface the packet arrived on (e.g. eth0, eth1); valid in INPUT and FORWARD. (-o selects the outgoing interface in OUTPUT and FORWARD.)
  -j : what to do with a packet that matches the rule, i.e. the target: ACCEPT, DROP, REJECT, LOG or the name of a user-defined chain.
  -y : match TCP connection requests (SYN packets). This is the ipchains spelling; in iptables it is written --syn and requires -p tcp. Whether the matched SYN packets are accepted or dropped is decided by the -j target of the rule, so "-p tcp --syn -j DROP" refuses new connections.
  -f : apply the rule only to the second and later fragments of a fragmented packet.

3. Adding an iptables rule

For example, how do we ignore every ICMP packet sent from 127.0.0.1, that is, from the local host itself? The protocol used by a ping request is ICMP and the source address is 127.0.0.1. The target of the filter is DROP, and the program used to test it is ping. Building a rule from this:

  // iptables before the rule is added
  # iptables -L
  Chain INPUT (policy ACCEPT)
  target     prot opt source               destination

  Chain FORWARD (policy ACCEPT)
  target     prot opt source               destination

  Chain OUTPUT (policy ACCEPT)
  target     prot opt source               destination

  // ping to 127.0.0.1 is allowed as normal
  # ping -c 3 127.0.0.1
  PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
  64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.029 ms
  64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.028 ms
  64 bytes from 127.0.0.1: icmp_seq=3 ttl=64 time=0.026 ms

  --- 127.0.0.1 ping statistics ---
  3 packets transmitted, 3 received, 0% packet loss, time 1998ms
  rtt min/avg/max/mdev = 0.026/0.027/0.029/0.006 ms

  // add a rule to the INPUT chain that drops ping coming from 127.0.0.1
  # iptables -A INPUT -s 127.0.0.1 -p icmp -j DROP

  // the rule now appears in the INPUT chain
  # iptables -L
  Chain INPUT (policy ACCEPT)
  target     prot opt source               destination
  DROP       icmp --  SUNSYSTEM            anywhere

  Chain FORWARD (policy ACCEPT)
  target     prot opt source               destination

  Chain OUTPUT (policy ACCEPT)
  target     prot opt source               destination

  // -L resolves addresses to names, which is why 127.0.0.1 is shown as the hostname SUNSYSTEM; use "iptables -L -n" to see raw addresses and port numbers.

  // ping is now dropped
  # ping -c 3 127.0.0.1
  PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
  --- 127.0.0.1 ping statistics ---
  3 packets transmitted, 0 received, 100% packet loss, time 2008ms

4. Removing an iptables rule

A rule is deleted by giving -D the same specification that was used when it was added, or by its position number in the chain:

  iptables -D INPUT -s [source] --sport [source port] -d [destination] --dport [destination port] -j [target]
  iptables -D INPUT [rule number]

(Rule numbers are shown by "service iptables status" or by "iptables -L INPUT --line-numbers".)

Note: "iptables -F INPUT" deletes every rule in the INPUT chain (the chain itself stays, since built-in chains cannot be deleted); "iptables -F" with no chain name flushes every chain in the table.

Now let us remove the rule added above:

  # iptables -L
  Chain INPUT (policy ACCEPT)
  target     prot opt source               destination
  DROP       icmp --  SUNSYSTEM            anywhere

  Chain FORWARD (policy ACCEPT)
  target     prot opt source               destination

  Chain OUTPUT (policy ACCEPT)
  target     prot opt source               destination

  # iptables -D INPUT 1
  // it could also be deleted by specification: iptables -D INPUT -s 127.0.0.1 -p icmp -j DROP

  # iptables -L
  Chain INPUT (policy ACCEPT)
  target     prot opt source               destination

  Chain FORWARD (policy ACCEPT)
  target     prot opt source               destination

  Chain OUTPUT (policy ACCEPT)
  target     prot opt source               destination

5. Rule order

A firewall evaluates its rules sequentially: the first rule whose conditions match a packet decides its fate (once a rule with a terminating target such as ACCEPT, DROP or REJECT matches, no later rule is consulted), so the order in which rules are registered is critical. If a rule that rejects all incoming packets is registered first, opening a port afterwards has no effect. Accepting rules must therefore be defined first and rejecting rules after them.

  // With the order below, port 22 is accepted first and ports 22-30 are dropped afterwards, so SSH connections still work.
  # iptables -A INPUT -p tcp --dport 22 -j ACCEPT
  # iptables -A INPUT -p tcp --dport 22:30 -j DROP
  # iptables -L
  Chain INPUT (policy ACCEPT)
  target     prot opt source               destination
  ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
  DROP       tcp  --  anywhere             anywhere            tcp dpts:ssh:30

  // With the order below, ports 22-30 are dropped first, so however port 22 is opened afterwards, SSH from outside is no longer possible.
  // iptables rules take effect the moment they are entered, so be careful when working over a remote session: the DROP rule below also freezes the SSH session it is typed in, because the packets of the existing connection are matched by it as well.
  # iptables -A INPUT -p tcp --dport 22:30 -j DROP
  # iptables -A INPUT -p tcp --dport 22 -j ACCEPT

6. Basic configuration for services

On a Red Hat-style system, configuring the firewall during installation creates the file /etc/sysconfig/iptables. Delete the default file, then add the ports below.

  // remove the existing iptables file
  # rm -rf /etc/sysconfig/iptables
  rm: remove regular file `/etc/sysconfig/iptables'? y

  // add the iptables rules
  # iptables -A INPUT -p tcp --dport 20 -j ACCEPT                   // ftp-data
  # iptables -A INPUT -p tcp --dport 21 -j ACCEPT                   // ftp
  # iptables -A INPUT -p tcp --dport 22 -j ACCEPT                   // ssh
  # iptables -A INPUT -p udp --dport 53 -j ACCEPT                   // named
  # iptables -A INPUT -p tcp --dport 80 -j ACCEPT                   // http
  # iptables -A INPUT -p tcp --dport 110 -j ACCEPT                  // pop3
  # iptables -A INPUT -p tcp --dport 143 -j ACCEPT                  // imap
  # iptables -A INPUT -p tcp --dport 3306 -j ACCEPT                 // mysql
  # iptables -A INPUT -p icmp --icmp-type echo-request -j DROP      // do not answer ping
  # iptables -A INPUT -p tcp --dport 1:65335 -j DROP                // drop all other service ports

Three things to check before using this list as it stands:
  - 65335 is a typo: the highest TCP port is 65535, so the catch-all must read "--dport 1:65535". As typed, TCP ports 65336-65535 are matched by no rule and fall through to the chain policy, which is still ACCEPT.
  - The catch-all matches TCP only. UDP ports other than 53 are dropped by nothing and are accepted by the policy.
  - The catch-all also drops the replies to connections the server opens itself (they arrive on INPUT addressed to a high local port), so outbound TCP clients such as yum, wget or outgoing mail stop working. Put "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT" and "iptables -A INPUT -i lo -j ACCEPT" in front of the service rules to avoid this.

  // check iptables
  # iptables -L
  Chain INPUT (policy ACCEPT)
  target     prot opt source               destination
  ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp-data
  ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp
  ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
  ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
  ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
  ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:pop3
  ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:imap
  ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:mysql
  DROP       icmp --  anywhere             anywhere            icmp echo-request
  DROP       tcp  --  anywhere             anywhere            tcp dpts:tcpmux:65335

  Chain FORWARD (policy ACCEPT)
  target     prot opt source               destination

  Chain OUTPUT (policy ACCEPT)
  target     prot opt source               destination

  // save the rules (written to /etc/sysconfig/iptables, which is loaded again at boot)
  # service iptables save
  Saving firewall rules to /etc/sysconfig/iptables:          [  OK  ]
  # ls /etc/sysconfig/iptables*
  /etc/sysconfig/iptables  /etc/sysconfig/iptables-config

  // reload iptables ("start" flushes the running rules and re-reads the saved file)
  # service iptables start
  Flushing firewall rules:                                   [  OK  ]
  Setting chains to policy ACCEPT: filter                    [  OK  ]
  Unloading iptables modules:                                [  OK  ]
  Applying iptables firewall rules:                          [  OK  ]
  Loading additional iptables modules: ip_conntrack_netbios_ns [  OK  ]

  // iptables status
  # service iptables status
  Table: filter
  Chain INPUT (policy ACCEPT)
  num  target     prot opt source               destination
  1    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:20
  2    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:21
  3    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22
  4    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:53
  5    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80
  6    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:110
  7    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:143
  8    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:3306
  9    DROP       icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 8
  10   DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpts:1:65335

  Chain FORWARD (policy ACCEPT)
  num  target     prot opt source               destination

  Chain OUTPUT (policy ACCEPT)
  num  target     prot opt source               destination

  // nmap port scan
  # nmap localhost
  Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2009-04-14 13:45 KST
  Interesting ports on SUNSYSTEM (127.0.0.1):
  Not shown: 1673 filtered ports
  PORT     STATE  SERVICE
  20/tcp   closed ftp-data
  21/tcp   closed ftp
  22/tcp   open   ssh
  80/tcp   closed http
  110/tcp  open   pop3
  143/tcp  closed imap
  3306/tcp open   mysql

Reading the scan: "filtered" ports are the ones the DROP rule swallowed; "closed" ports passed the firewall but nothing is listening on them (the kernel answered with a RST); "open" ports are both allowed and served. Scanning localhost sends the probes over the loopback interface. They do pass through the INPUT chain, but the result says nothing about which services are bound on the external address, so repeat the scan from another host to see what the network actually sees.

7. iptables extensions

If the same IP address sends 10 or more SYN packets to port 80 within one second, drop them: such traffic is treated as an attack on the web service rather than as normal requests, and the request packets are discarded without an answer. For anything beyond this, read the HOWTOs at http://netfilter.org.

  # iptables -A INPUT -p tcp --dport 80 -m recent --update --seconds 1 --hitcount 10 --name HTTP -j DROP

On its own this rule never matches: --update only examines addresses that are already in the "HTTP" list, and nothing adds them. A second rule with --set has to record each connection attempt, and --syn limits the count to connection attempts rather than to every packet of an established HTTP session. The working pair, which must be placed in front of the rule that accepts port 80 (with -I rather than -A if that rule already exists), is:

  # iptables -A INPUT -p tcp --dport 80 --syn -m recent --name HTTP --set
  # iptables -A INPUT -p tcp --dport 80 --syn -m recent --name HTTP --update --seconds 1 --hitcount 10 -j DROP

The addresses currently tracked can be inspected in /proc/net/ipt_recent/HTTP (on newer kernels /proc/net/xt_recent/HTTP).
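The script below is an added example and not code from the original page. It builds the configuration of sections 5 to 7 as a single iptables-restore file instead of a series of "iptables -A" commands: the ordering constraints of section 5 are fixed in one place, the service list of section 6 gets the loopback and ESTABLISHED,RELATED rules it needs and a DROP chain policy instead of the "1:65335" catch-all, and the rate limit of section 7 is written with the --set rule it requires. The management prefix 192.0.2.0/24 (a documentation prefix used as a placeholder), the single-interface layout, the INVALID-state rule and the log prefix are assumptions not taken from the page.

```shell
#!/bin/sh
# Added example, not code from the original page: emits the INPUT ruleset
# from sections 5-7 in iptables-restore format. iptables-restore loads the
# whole table atomically, so a wrong rule order cannot take effect half-way
# and a remote session is not cut off between two commands.
#
# Assumptions not taken from the page: SSH management traffic comes from
# 192.0.2.0/24 (documentation prefix, change it), the host has a single
# network interface, and dropped packets are logged with a prefix.

TCP_PORTS="20 21 80 110 143 3306"   # ftp-data ftp http pop3 imap mysql
UDP_PORTS="53"                      # named

gen_rules() {
    # Chain policies. INPUT defaults to DROP, so no trailing
    # "--dport 1:65535 -j DROP" rule is needed and UDP is covered as well.
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'

    # 1. Loopback. The ping test in section 3 shows that local traffic
    #    traverses INPUT, so local clients of mysql or named need this.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'

    # 2. Replies to connections the server opened itself. They arrive on
    #    INPUT with a high destination port; without this rule a blanket
    #    DROP on "all ports" silently breaks outbound tools such as yum.
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state INVALID -j DROP'

    # 3. Section 7 rate limit, made to work: "--set" records each new HTTP
    #    connection attempt; "--update" then drops the 10th SYN from the
    #    same source within one second. The page's lone "--update" rule
    #    never matches because nothing adds addresses to the HTTP list.
    #    --syn limits the counter to connection attempts, not every packet.
    printf '%s\n' '-A INPUT -p tcp --dport 80 --syn -m recent --name HTTP --set'
    printf '%s\n' '-A INPUT -p tcp --dport 80 --syn -m recent --name HTTP --update --seconds 1 --hitcount 10 -j DROP'

    # 4. Services from section 6. They must come after the rate-limit
    #    rules, which have to see port-80 SYNs first (section 5 ordering).
    printf '%s\n' '-A INPUT -p tcp --dport 22 -s 192.0.2.0/24 -m state --state NEW -j ACCEPT'
    for p in $TCP_PORTS; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    for p in $UDP_PORTS; do
        printf '%s\n' "-A INPUT -p udp --dport $p -j ACCEPT"
    done

    # 5. Refuse to answer ping, as on the page. ICMP errors that belong to
    #    existing flows are already accepted by the RELATED rule above.
    printf '%s\n' '-A INPUT -p icmp --icmp-type echo-request -j DROP'

    # 6. Log (rate-limited) whatever the chain policy is about to drop.
    printf '%s\n' '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "'
    printf '%s\n' 'COMMIT'
}

# Position (1-based line) of the first rule containing the given fixed
# string, or 0 if absent. Lets a script verify ordering before loading.
rule_pos() {
    n=$(gen_rules | awk -v pat="$1" 'index($0, pat) { print NR; exit }')
    echo "${n:-0}"
}

# Print the ruleset; pipe it into "iptables-restore" to load it.
gen_rules
```

Review the output first, then load it with "sh gen-rules.sh | iptables-restore" (file name assumed). On the Red Hat-style system of the page, writing the same output to /etc/sysconfig/iptables makes "service iptables start" load it at boot. Because the INPUT policy is DROP, confirm from a second SSH session that the management prefix still gets in before closing the first one; rule_pos is there so a deployment script can assert, for instance, that the ESTABLISHED,RELATED rule precedes the SSH rule before anything is applied.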