리눅스 상에서 iptables를 이용한 방화벽 설정입니다.
별로 쓸일이 많지는 않겠지만.
짬짬이 책을 보고 만든 것인데, 기본적인 것은 테스트해 봤지만 몇 가지는 테스트하지 못했습니다.
SSL 지원되는 IMAP이나 SECONDARY NAMESERVER 같은거 말이죠.
기본 정책은 모든 것을 막고(INPUT/OUTPUT/FORWARD 모두 DROP), 필요한 것만 명시적으로 통과시키는 방식입니다. 스크립트가 중간에 실패하면 호스트에 원격으로 접근할 수 없게 되므로, 먼저 콘솔에서 테스트하십시오.
윈도우용 편집기로 작성하면 줄 끝에 CR(\r) 문자가 붙어 정상적으로 작동하지 않습니다. 또한 웹에서 복사한 스크립트는 옵션의 `--`가 `–`(en dash) 한 글자로 바뀌어 있지 않은지 확인하십시오. iptables는 그런 옵션을 인식하지 못합니다.
——————————————————————-
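#!/bin/sh
# Stateless iptables host firewall: default-deny on INPUT, OUTPUT and
# FORWARD, followed by explicit allow rules per service.  Written as a
# Red Hat style init script; must run as root.  Edit only with a Unix
# line-ending editor (CRLF breaks the shebang and every rule line).
. /etc/rc.d/init.d/functions
. /etc/sysconfig/network
# Nothing to do if networking is disabled system-wide.
# NETWORKING is quoted: unquoted and unset it would expand to "[ = no ]",
# a test error rather than a clean skip.
if [ "${NETWORKING}" = "no" ]; then
    exit 0
fi
# Refuse to continue without the iptables binary.  The original exited 0
# silently here, which leaves the host running with no packet filter and
# nothing in the boot log to say so; fail loudly instead.
if [ ! -x /sbin/iptables ]; then
    echo "rc.firewall: /sbin/iptables not found or not executable; no firewall loaded" >&2
    exit 1
fi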
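#--- Configuration ----------------------------------------------------------
# Interfaces are declared first so the address lookup below can use them.
EXTERNAL_INTERFACE="eth0"              # interface facing the Internet
LOOPBACK_INTERFACE="lo"                # loopback interface

# Address of the external interface.  A pre-set IPADDR in the environment
# wins (useful for dry runs); otherwise iproute2 is tried first, then the
# legacy "inet addr:" ifconfig format the original parsed.  The original
# pipeline (fgrep -i inet | cut -d :) also matched "inet6" lines and breaks
# on newer ifconfig output that has no "addr:" token.
if [ -z "$IPADDR" ]; then
    IPADDR=$(ip -4 -o addr show dev "$EXTERNAL_INTERFACE" 2>/dev/null \
        | awk 'NR == 1 { sub(/\/.*/, "", $4); print $4 }')
fi
if [ -z "$IPADDR" ]; then
    IPADDR=$(ifconfig "$EXTERNAL_INTERFACE" 2>/dev/null \
        | awk '/inet addr:/ { sub(/.*addr:/, ""); print $1; exit }')
fi
# IPADDR must be verified non-empty before any rule is loaded: every
# "-d $IPADDR" rule would otherwise be malformed and, once the policies
# are DROP, the host would be unreachable.

# Placeholder addresses -- replace before use.  333.333.333.333 is not a
# valid IPv4 address at all; iptables rejects any rule that references it.
PRIMARY_NAMESERVER="111.111.111.111"   # primary DNS server
SECONDARY_NAMESERVER="222.222.222.222" # secondary DNS server
SMTP_SERVER="333.333.333.333"          # mail relay (NOTE: no rule below uses it)

# Address ranges used by the anti-spoofing rules.
LOOPBACK="127.0.0.0/8"                 # reserved loopback range
CLASS_A="10.0.0.0/8"                   # RFC 1918 private range
CLASS_B="172.16.0.0/12"                # RFC 1918 private range
CLASS_C="192.168.0.0/16"               # RFC 1918 private range (was 192.168.0.1/16, host bits set)
CLASS_D_MULTICAST="224.0.0.0/4"        # multicast
CLASS_E_RESERVED_NET="240.0.0.0/4"     # reserved class E (was /5, which only covered 240-247)
BROADCAST_SRC="0.0.0.0"                # broadcast source address
BROADCAST_DEST="255.255.255.255"       # limited broadcast (was 255.255.255.224, a single host)

# Port ranges.
PRIVPORTS="0:1023"                     # privileged ports
UNPRIVPORTS="1024:"                    # unprivileged ports (1024-65535)
SSH_LOCAL_PORTS="1022:65535"           # source ports used by the local ssh client
SSH_REMOTE_PORTS="513:65535"           # source ports accepted from remote ssh clients
TRACEROUTE_SRC_PORTS="32769:65535"     # traceroute probe source ports
TRACEROUTE_DEST_PORTS="33434:33523"    # traceroute probe destination ports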
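#--- Reset and default policy ------------------------------------------------
# Abort before touching the ruleset if the external address is unknown.
# Every "-d $IPADDR" rule below would be malformed, and with the policies
# already DROP that means a remotely unreachable host.
if [ -z "$IPADDR" ]; then
    echo "rc.firewall: could not determine the address of $EXTERNAL_INTERFACE; rules not loaded" >&2
    exit 1
fi
# Flush every rule in the filter table and remove user-defined chains.
iptables -F
iptables -X
# Default deny in all three directions; everything that follows is an
# explicit allow.  From here until the script finishes the host is cut off,
# so do not interrupt it.
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# Unrestricted traffic on the loopback interface.
iptables -A INPUT  -i "$LOOPBACK_INTERFACE" -j ACCEPT
iptables -A OUTPUT -o "$LOOPBACK_INTERFACE" -j ACCEPT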
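#--- Per-address deny list ---------------------------------------------------
# One IPv4 address or CIDR block per line in rc.firewall.blocked.  The file
# is looked up next to this script (RULES_DIR may be pre-set to override)
# rather than in the current directory: when run from init the working
# directory is "/" and a "./" path silently finds nothing.
RULES_DIR=${RULES_DIR:-$(dirname "$0")}
deny_file="$RULES_DIR/rc.firewall.blocked"
if [ -f "$deny_file" ]; then
    # read -r keeps backslashes literal.  The case filter skips blank lines
    # and comments and rejects anything outside [0-9./], so a malformed line
    # (including a stray CR) cannot inject extra iptables arguments or
    # produce a half-built rule with an empty -s/-d.
    while read -r ip_addy; do
        case $ip_addy in
            ''|'#'*)
                continue
                ;;
            *[!0-9./]*)
                echo "rc.firewall: ignoring invalid entry in $deny_file: $ip_addy" >&2
                continue
                ;;
        esac
        echo "$ip_addy DROP"
        iptables -A INPUT  -i "$EXTERNAL_INTERFACE" -s "$ip_addy" -j DROP
        iptables -A INPUT  -i "$EXTERNAL_INTERFACE" -d "$ip_addy" -j DROP
        iptables -A OUTPUT -o "$EXTERNAL_INTERFACE" -s "$ip_addy" -j REJECT
        iptables -A OUTPUT -o "$EXTERNAL_INTERFACE" -d "$ip_addy" -j REJECT
    done < "$deny_file"
fi
unset deny_file ip_addy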
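#--- Per-address allow list --------------------------------------------------
# Addresses in rc.firewall.accepted get unrestricted access to every port on
# this host in both directions and, because these rules precede the
# anti-spoofing rules, are not subject to them.  Keep the file root-owned
# and limited to hosts you would trust with a shell; never list 0.0.0.0/0.
# Same lookup and validation as the deny list above.
RULES_DIR=${RULES_DIR:-$(dirname "$0")}
allow_file="$RULES_DIR/rc.firewall.accepted"
if [ -f "$allow_file" ]; then
    while read -r ip_addy; do
        case $ip_addy in
            ''|'#'*)
                continue
                ;;
            *[!0-9./]*)
                echo "rc.firewall: ignoring invalid entry in $allow_file: $ip_addy" >&2
                continue
                ;;
        esac
        echo "$ip_addy ACCEPT"
        iptables -A INPUT  -i "$EXTERNAL_INTERFACE" -s "$ip_addy" -j ACCEPT
        iptables -A OUTPUT -o "$EXTERNAL_INTERFACE" -d "$ip_addy" -j ACCEPT
    done < "$allow_file"
fi
# The original unset a misspelled "ipaddr" here and left ip_addy behind.
unset allow_file ip_addy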
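#--- Anti-spoofing / bogon filtering on the external interface --------------
# All of these are pinned to the external interface; the original matched
# every interface, which is equivalent here because loopback is already
# accepted above, but would wrongly drop traffic on any internal interface
# that is added later.
# Packets arriving from outside that claim our own address.
iptables -A INPUT -i "$EXTERNAL_INTERFACE" -s "$IPADDR" -j DROP
# RFC 1918 private ranges must not arrive from the Internet.
iptables -A INPUT -i "$EXTERNAL_INTERFACE" -s "$CLASS_A" -j DROP
iptables -A INPUT -i "$EXTERNAL_INTERFACE" -s "$CLASS_B" -j DROP
iptables -A INPUT -i "$EXTERNAL_INTERFACE" -s "$CLASS_C" -j DROP
# Limited broadcast as source, and 0.0.0.0 as destination.
iptables -A INPUT -i "$EXTERNAL_INTERFACE" -s "$BROADCAST_DEST" -j DROP
iptables -A INPUT -i "$EXTERNAL_INTERFACE" -d "$BROADCAST_SRC" -j DROP
# Multicast and reserved class E as source.
iptables -A INPUT -i "$EXTERNAL_INTERFACE" -s "$CLASS_D_MULTICAST" -j DROP
iptables -A INPUT -i "$EXTERNAL_INTERFACE" -s "$CLASS_E_RESERVED_NET" -j DROP
# Further special-use source ranges.  The list dates from 2001-01-04; the
# current reference is the IANA special-purpose address registry (RFC 6890).
iptables -A INPUT -i "$EXTERNAL_INTERFACE" -s 0.0.0.0/8 -j DROP
iptables -A INPUT -i "$EXTERNAL_INTERFACE" -s 127.0.0.0/8 -j DROP
# Link-local.  The original listed 169.0.2.0/24, which is not a reserved
# block and looks like a typo for 169.254.0.0/16 -- confirm against the
# list it was copied from.
iptables -A INPUT -i "$EXTERNAL_INTERFACE" -s 169.254.0.0/16 -j DROP
# TEST-NET-1 (documentation range).
iptables -A INPUT -i "$EXTERNAL_INTERFACE" -s 192.0.2.0/24 -j DROP
# 224.0.0.0/3 is everything from 224.0.0.0 upward (multicast, class E and
# 255.255.255.255).  The original wrote it as 224.0.0.9/3: same mask, same
# network, just with host bits set.
iptables -A INPUT -i "$EXTERNAL_INTERFACE" -s 224.0.0.0/3 -j DROP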
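#--- UDP traceroute ----------------------------------------------------------
# Incoming traceroute probes are explicitly dropped (the original comment
# says "needed for the nameserver", but the rule drops, it does not accept);
# outgoing probes are allowed so traceroute works from this host.
iptables -A INPUT  -i "$EXTERNAL_INTERFACE" -p udp --source-port "$TRACEROUTE_SRC_PORTS" -d "$IPADDR" --destination-port "$TRACEROUTE_DEST_PORTS" -j DROP
iptables -A OUTPUT -o "$EXTERNAL_INTERFACE" -p udp -s "$IPADDR" --source-port "$TRACEROUTE_SRC_PORTS" --destination-port "$TRACEROUTE_DEST_PORTS" -j ACCEPT
#--- Forward-only DNS: queries to the two configured servers ----------------
# UDP for normal lookups, TCP for large answers.  Replies are accepted only
# from the configured servers' port 53 to our unprivileged ports, and TCP
# replies only as non-SYN, i.e. on connections this host opened.  One loop
# per server keeps the rule order of the original (UDP in/out, TCP in/out).
for ns in "$PRIMARY_NAMESERVER" "$SECONDARY_NAMESERVER"; do
    iptables -A INPUT  -i "$EXTERNAL_INTERFACE" -p udp -s "$ns" --source-port 53 -d "$IPADDR" --destination-port "$UNPRIVPORTS" -j ACCEPT
    iptables -A OUTPUT -o "$EXTERNAL_INTERFACE" -p udp -s "$IPADDR" --source-port "$UNPRIVPORTS" -d "$ns" --destination-port 53 -j ACCEPT
    iptables -A INPUT  -i "$EXTERNAL_INTERFACE" -p tcp ! --syn -s "$ns" --source-port 53 -d "$IPADDR" --destination-port "$UNPRIVPORTS" -j ACCEPT
    iptables -A OUTPUT -o "$EXTERNAL_INTERFACE" -p tcp -s "$IPADDR" --source-port "$UNPRIVPORTS" -d "$ns" --destination-port 53 -j ACCEPT
done
unset ns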
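#--- TCP service helpers ------------------------------------------------------
# Stateless allow pairs.  A "server" pair admits new connections (SYN) to a
# local port and lets the replies out non-SYN only; a "client" pair lets this
# host open connections to a remote port and admits only non-SYN replies, so
# neither pair can be used from outside to reach our unprivileged ports.
# Written for /bin/sh, hence no "local": the _port/_sports temporaries are
# cleared after each call.

# tcp_server PORT [CLIENT_SRC_PORTS]
#   PORT             local TCP port to expose
#   CLIENT_SRC_PORTS source-port range accepted from clients (default UNPRIVPORTS)
tcp_server() {
    _port=$1
    _sports=${2:-$UNPRIVPORTS}
    iptables -A INPUT  -i "$EXTERNAL_INTERFACE" -p tcp --source-port "$_sports" -d "$IPADDR" --destination-port "$_port" -j ACCEPT
    iptables -A OUTPUT -o "$EXTERNAL_INTERFACE" -p tcp ! --syn -s "$IPADDR" --source-port "$_port" --destination-port "$_sports" -j ACCEPT
    unset _port _sports
}

# tcp_client PORT [LOCAL_SRC_PORTS]
#   PORT            remote TCP port this host may connect to
#   LOCAL_SRC_PORTS local source-port range used (default UNPRIVPORTS)
tcp_client() {
    _port=$1
    _sports=${2:-$UNPRIVPORTS}
    iptables -A OUTPUT -o "$EXTERNAL_INTERFACE" -p tcp -s "$IPADDR" --source-port "$_sports" --destination-port "$_port" -j ACCEPT
    iptables -A INPUT  -i "$EXTERNAL_INTERFACE" -p tcp ! --syn --source-port "$_port" -d "$IPADDR" --destination-port "$_sports" -j ACCEPT
    unset _port _sports
}

# SSH server (open to any source address -- consider a -s restriction to the
# admin networks or a "-m limit" rule, since as written this admits password
# guessing from anywhere) and SSH client.
tcp_server 22 "$SSH_REMOTE_PORTS"
tcp_client 22 "$SSH_LOCAL_PORTS"
# HTTP / HTTPS server.
tcp_server 80
tcp_server 443
# MySQL server and client.  Port 3306 is exposed to every source address;
# either restrict the server pair with -s to the application hosts or bind
# mysqld to localhost and delete the server pair.
tcp_server 3306
tcp_client 3306
# FTP control channel.
tcp_server 21
# FTP active-mode data: the server connects from port 20 to the client's
# unprivileged port; the SYN goes out, replies come back non-SYN.
iptables -A INPUT  -i "$EXTERNAL_INTERFACE" -p tcp ! --syn --source-port "$UNPRIVPORTS" -d "$IPADDR" --destination-port 20 -j ACCEPT
iptables -A OUTPUT -o "$EXTERNAL_INTERFACE" -p tcp -s "$IPADDR" --source-port 20 --destination-port "$UNPRIVPORTS" -j ACCEPT
# FTP passive-mode data.  WARNING: with the default range this accepts NEW
# connections from any unprivileged port to EVERY unprivileged port on this
# host, i.e. it exposes every listener above 1023, not only the FTP server.
# Set FTP_PASV_PORTS to the narrow range the ftpd is configured to use
# (e.g. "50000:50100"), or replace these two rules with connection tracking
# (load ip_conntrack_ftp and use "-m state --state RELATED,ESTABLISHED").
FTP_PASV_PORTS=${FTP_PASV_PORTS:-$UNPRIVPORTS}
iptables -A INPUT  -i "$EXTERNAL_INTERFACE" -p tcp --source-port "$UNPRIVPORTS" -d "$IPADDR" --destination-port "$FTP_PASV_PORTS" -j ACCEPT
iptables -A OUTPUT -o "$EXTERNAL_INTERFACE" -p tcp ! --syn -s "$IPADDR" --source-port "$FTP_PASV_PORTS" --destination-port "$UNPRIVPORTS" -j ACCEPT
# POP3 (110) and IMAP (143) server and client.  Both carry credentials in
# clear text; prefer IMAPS on 993 below (POP3S on 995 is not configured).
tcp_server 110
tcp_client 110
tcp_server 143
tcp_client 143
# IMAPS server and client.
tcp_server 993
tcp_client 993
# SMTP server and client.  The client pair allows delivery to any host; the
# SMTP_SERVER setting from the configuration is not used to narrow it.
tcp_server 25
tcp_client 25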
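#--- DNS server ----------------------------------------------------------------
# Queries from clients and other servers over UDP (any unprivileged source
# port) and server-to-server traffic on 53/53.  Note that TCP queries from
# arbitrary clients (needed for answers over 512 bytes) are NOT accepted;
# TCP 53 is opened only by the zone-transfer rules below, to one named peer.
iptables -A INPUT  -i "$EXTERNAL_INTERFACE" -p udp --source-port "$UNPRIVPORTS" -d "$IPADDR" --destination-port 53 -j ACCEPT
iptables -A OUTPUT -o "$EXTERNAL_INTERFACE" -p udp -s "$IPADDR" --source-port 53 --destination-port "$UNPRIVPORTS" -j ACCEPT
iptables -A INPUT  -i "$EXTERNAL_INTERFACE" -p udp --source-port 53 -d "$IPADDR" --destination-port 53 -j ACCEPT
iptables -A OUTPUT -o "$EXTERNAL_INTERFACE" -p udp -s "$IPADDR" --source-port 53 --destination-port 53 -j ACCEPT
#--- DNS client (resolver on this host may query any server) ----------------
iptables -A OUTPUT -o "$EXTERNAL_INTERFACE" -p udp -s "$IPADDR" --source-port "$UNPRIVPORTS" --destination-port 53 -j ACCEPT
iptables -A INPUT  -i "$EXTERNAL_INTERFACE" -p udp --source-port 53 -d "$IPADDR" --destination-port "$UNPRIVPORTS" -j ACCEPT
iptables -A OUTPUT -o "$EXTERNAL_INTERFACE" -p tcp -s "$IPADDR" --source-port "$UNPRIVPORTS" --destination-port 53 -j ACCEPT
iptables -A INPUT  -i "$EXTERNAL_INTERFACE" -p tcp ! --syn --source-port 53 -d "$IPADDR" --destination-port "$UNPRIVPORTS" -j ACCEPT
#--- DNS zone transfers (TCP 53) ---------------------------------------------
# Both halves are present; on a real deployment keep only the one matching
# this host's role.  Each accepts new TCP connections to our port 53 from a
# single named peer.  The OUTPUT side is restricted to non-SYN (the original
# let this host open connections from port 53 to the peer's unprivileged
# ports, which nothing needs).
# NOTE(review): a secondary initiates AXFR itself, to the primary's port 53;
# that direction is covered by the forward-only DNS rules above, not by the
# "secondary" pair here, which only admits the primary connecting to us.
# The author reports the secondary case as untested -- confirm before use.
# This host is the primary: the secondary pulls zones from us.
iptables -A INPUT  -i "$EXTERNAL_INTERFACE" -p tcp -s "$SECONDARY_NAMESERVER" --source-port "$UNPRIVPORTS" -d "$IPADDR" --destination-port 53 -j ACCEPT
iptables -A OUTPUT -o "$EXTERNAL_INTERFACE" -p tcp ! --syn -s "$IPADDR" --source-port 53 -d "$SECONDARY_NAMESERVER" --destination-port "$UNPRIVPORTS" -j ACCEPT
# This host is the secondary: the primary may connect to our port 53.
iptables -A INPUT  -i "$EXTERNAL_INTERFACE" -p tcp -s "$PRIMARY_NAMESERVER" --source-port "$UNPRIVPORTS" -d "$IPADDR" --destination-port 53 -j ACCEPT
iptables -A OUTPUT -o "$EXTERNAL_INTERFACE" -p tcp ! --syn -s "$IPADDR" --source-port 53 -d "$PRIMARY_NAMESERVER" --destination-port "$UNPRIVPORTS" -j ACCEPT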
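#--- ICMP ---------------------------------------------------------------------
# Inbound: only the control/error types needed for TCP/UDP to work and for
# our own pings to get answers.  echo-request is deliberately absent, so this
# host does not answer pings, and outbound echo-reply is therefore not needed.
# destination-unreachable (type 3) covers fragmentation-needed, which path-MTU
# discovery depends on -- do not remove it.  source-quench is deprecated
# (RFC 6633) and kept only for fidelity with the original.
iptables -A INPUT -i "$EXTERNAL_INTERFACE" -p icmp --icmp-type echo-reply -d "$IPADDR" -j ACCEPT
iptables -A INPUT -i "$EXTERNAL_INTERFACE" -p icmp --icmp-type destination-unreachable -d "$IPADDR" -j ACCEPT
iptables -A INPUT -i "$EXTERNAL_INTERFACE" -p icmp --icmp-type source-quench -d "$IPADDR" -j ACCEPT
iptables -A INPUT -i "$EXTERNAL_INTERFACE" -p icmp --icmp-type time-exceeded -d "$IPADDR" -j ACCEPT
iptables -A INPUT -i "$EXTERNAL_INTERFACE" -p icmp --icmp-type parameter-problem -d "$IPADDR" -j ACCEPT
# Outbound: what this host may send, including echo-request for local pings.
# Other destination-unreachable subtypes (e.g. port-unreachable) are not
# sent, so unsolicited UDP to closed ports is silently dropped.
iptables -A OUTPUT -o "$EXTERNAL_INTERFACE" -p icmp -s "$IPADDR" --icmp-type fragmentation-needed -j ACCEPT
iptables -A OUTPUT -o "$EXTERNAL_INTERFACE" -p icmp -s "$IPADDR" --icmp-type source-quench -j ACCEPT
iptables -A OUTPUT -o "$EXTERNAL_INTERFACE" -p icmp -s "$IPADDR" --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -o "$EXTERNAL_INTERFACE" -p icmp -s "$IPADDR" --icmp-type parameter-problem -j ACCEPT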
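#--- rsync daemon (TCP 873) ---------------------------------------------------
# Exposed to every source address.  rsyncd has no transport encryption and
# only weak authentication; restrict the server pair with -s to the peers
# that sync from here, or run rsync over ssh and delete this pair.
iptables -A INPUT  -i "$EXTERNAL_INTERFACE" -p tcp --source-port "$UNPRIVPORTS" -d "$IPADDR" --destination-port 873 -j ACCEPT
iptables -A OUTPUT -o "$EXTERNAL_INTERFACE" -p tcp ! --syn -s "$IPADDR" --source-port 873 --destination-port "$UNPRIVPORTS" -j ACCEPT
#--- rsync client --------------------------------------------------------------
iptables -A OUTPUT -o "$EXTERNAL_INTERFACE" -p tcp -s "$IPADDR" --source-port "$UNPRIVPORTS" --destination-port 873 -j ACCEPT
iptables -A INPUT  -i "$EXTERNAL_INTERFACE" -p tcp ! --syn --source-port 873 -d "$IPADDR" --destination-port "$UNPRIVPORTS" -j ACCEPT
#--- time client (TCP 37, RFC 868) ---------------------------------------------
# Obsolete, unauthenticated, one-second resolution; NTP (UDP 123) is the usual
# replacement.  Kept as in the original.
iptables -A OUTPUT -o "$EXTERNAL_INTERFACE" -p tcp -s "$IPADDR" --source-port "$UNPRIVPORTS" --destination-port 37 -j ACCEPT
iptables -A INPUT  -i "$EXTERNAL_INTERFACE" -p tcp ! --syn --source-port 37 -d "$IPADDR" --destination-port "$UNPRIVPORTS" -j ACCEPT
echo "FIREWALL START"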

iptables 스크립트 예제
