[CentOS] Firewall configuration - iptables
When building a server, many people leave iptables switched off, intending to update the relevant settings later, and then simply forget about it. The reason is that when you first meet iptables, writing firewall rules looks anything but simple. Home servers mostly sit behind a router doing NAT, and it is tempting to trust that and neglect the host firewall. If you have become curious about iptables, you have come to the right place.
What is iptables?
iptables was developed by the Netfilter project. It provides a powerful mechanism for expressing filtering policy, with extensive protocol state tracking (connection tracking), application-layer packet inspection (the string match) and rate limiting.
Registering and starting the service
CentOS 6.4 Minimal ships with iptables installed. ip6tables is installed alongside it: it is the equivalent tool for IPv6 and keeps its own, separate ruleset, so none of the IPv4 rules below apply to IPv6 traffic.
rpm -qa | grep iptables
iptables-1.4.7-9.el6.x86_64
iptables-ipv6-1.4.7-9.el6.x86_64
If it is not installed, install it:
yum -y install iptables
Check the service status:
chkconfig --list
ip6tables 0:off 1:off 2:off 3:off 4:off 5:off 6:off
iptables 0:off 1:off 2:off 3:off 4:off 5:off 6:off
Register the service so that it starts at boot:
chkconfig iptables on
Start the service:
service iptables start
The rules that the service loads at boot are stored in /etc/sysconfig/iptables.
iptables terminology
Leaving the harder terms aside, this section briefly explains the parts we will actually use.
1) Tables
First, iptables has a broad grouping called tables. There are four of them: filter, nat, mangle and raw. The one we need is the filter table, where filtering rules are kept; it is also the default when -t is not given.
2) Chains
The filter table has three predefined chains: INPUT, OUTPUT and FORWARD. Each chain applies its list of rules to the network traffic (IP packets) that passes through it.
For example, for an incoming packet (INPUT) the chain decides whether to accept it (ACCEPT), refuse it (REJECT) or silently discard it (DROP).
- INPUT : every packet addressed to this host
- OUTPUT : every packet generated by this host
- FORWARD : every packet whose destination is not this host, i.e. packets passing through a host that is acting as a router
3) Matches
A match is a condition a packet must satisfy for a rule to apply; only packets that meet all of a rule's conditions are handed to that rule's target.
- --source (-s) : match the source IP address or network
- --destination (-d) : match the destination IP address or network
- --protocol (-p) : match a specific protocol (tcp, udp, icmp, ...)
- --in-interface (-i) : the interface the packet arrived on (INPUT and FORWARD only)
- --out-interface (-o) : the interface the packet leaves on (OUTPUT and FORWARD only)
- --state : match the connection-tracking state (used with -m state)
- --string : match a byte sequence in the application-layer payload (used with -m string)
- --comment : attach a comment of up to 256 bytes to the rule in kernel memory (used with -m comment)
- --syn : match TCP packets with only the SYN flag set (SYN set; ACK, RST and FIN clear), i.e. the first packet of a new connection; it blocks nothing by itself, the target does
- --fragment (-f) : match the second and later fragments of a fragmented packet
- --table (-t) : the table to operate on (filter if omitted)
- --jump (-j) : the target, i.e. what to do with a packet that matches the rule
- --match (-m) : load a match extension module (state, multiport, mac, limit, ...)
4) Targets
A target is the action iptables takes when a packet matches a rule.
- ACCEPT : let the packet through
- DROP : discard the packet silently (as though it had never arrived)
- REJECT : discard the packet and, at the same time, send back an appropriate error packet (a TCP RST or an ICMP unreachable message)
- LOG : record the packet through the kernel log (syslog) and continue with the next rule
- RETURN : stop traversing this chain and continue in the calling chain (for a built-in chain, the policy applies)
REJECT refuses a user trying to reach a service and makes the client show an error such as "connection refused", whereas DROP discards the packet without any feedback, so a telnet user, for instance, just waits until the connection attempt times out. Which to use is the administrator's call: DROP gives a port scanner less information and costs no reply traffic, while REJECT is the friendlier choice if you want to stop confused users from retrying a connection that will never succeed.
5) Connection tracking
iptables uses connection tracking to observe and restrict connections according to their state. Because connection tracking keeps each connection's state in a table, the administrator can allow or refuse a packet according to the following states:
- NEW : a packet that starts a new connection, e.g. an HTTP request
- ESTABLISHED : a packet that belongs to an existing connection
- RELATED : a packet that starts a new connection but is related to an existing one, e.g. an FTP data connection, which is tied to the control connection on port 21; in passive mode its data port can be any unused port above 1024, which is why the FTP helper module (nf_conntrack_ftp) is needed to recognise it
- INVALID : a packet that cannot be associated with any connection in the tracking table
iptables' stateful connection tracking works with any network protocol. Even a stateless protocol such as UDP is tracked, using the address and port pairs plus a timeout, so the reply to a DNS query this host sent is seen as ESTABLISHED.
6) Commands
- -A (--append) : append a new rule to the end of a chain
- -D (--delete) : delete a rule (by specification or by rule number)
- -C (--check) : check whether a matching rule already exists in a chain (added in iptables 1.4.11, so it is not available on the 1.4.7 build shown above)
- -R (--replace) : replace the rule at a given position with a new one
- -I (--insert) : insert a new rule at a given position (at the top if no number is given)
- -L (--list) : list the rules
- -F (--flush) : delete all rules from a chain (or from every chain in the table)
- -Z (--zero) : reset the packet and byte counters of all chains to zero
- -N (--new) : create a new user-defined chain
- -X (--delete-chain) : delete an (empty) user-defined chain
- -P (--policy) : set the default policy of a built-in chain
7) Basic operation
- A packet is checked against each rule in the chain from the top down; for the first rule it matches, the target given by that rule (ACCEPT, DROP, ...) is executed.
- Once a rule matches and a terminating target such as ACCEPT, DROP or REJECT has acted, the packet's fate is decided and the remaining rules in the chain are skipped. (LOG is the exception: it records the packet and evaluation continues.)
- If a packet matches none of the rules and reaches the bottom of the chain, the chain's default policy is applied.
- The default policy can be set to ACCEPT or DROP. REJECT is not a valid policy; to reject unmatched traffic, append a final REJECT rule, as the CentOS default ruleset does.
Usually the default policy is set to DROP everything, with ACCEPT rules for the specifically allowed ports and IP addresses, so that anything not explicitly permitted is denied.
8) Listing the rules
When checking the iptables ruleset, the following form (-n: numeric output, no DNS or service-name lookups) is easier to read:
iptables -nL
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:3306
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
There is also a way to show the position number of each rule; these numbers are what -I, -R and -D by number refer to:
iptables -nL --line-numbers
Chain INPUT (policy DROP)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
2 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
3 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
4 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
5 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53
6 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
7 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
8 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:3306
Chain FORWARD (policy DROP)
num target prot opt source destination
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
iptables -L -v
Chain INPUT (policy DROP 1626 packets, 214K bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo any anywhere anywhere
944 194K ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:ssh
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:domain
4 245 ACCEPT udp -- any any anywhere anywhere udp dpt:domain
6 304 ACCEPT tcp -- any any anywhere anywhere tcp dpt:http
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:https
2 88 ACCEPT tcp -- any any anywhere anywhere tcp dpt:mysql
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 179 packets, 22190 bytes)
pkts bytes target prot opt in out source destination
iptables configuration
Below is the default iptables configuration of CentOS 6.4 Minimal:
iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
The default policy is ACCEPT for all three chains, SSH is allowed by default, and everything else is turned back by the final REJECT rule. We will boldly throw this away and write rules for a new policy.
If you set the default policy to DROP while you are logged in over SSH and have not yet added the rules that allow SSH, you lose access to the server at that moment. So first set the default policy to ACCEPT, flush, add the SSH rule, and only then change the default policy to DROP. If you are doing this on the console (at the server itself), there is nothing to worry about. Note also that the saved rules are not touched until you run service iptables save, so if you do lock yourself out, a reboot (or service iptables restart from the console) reloads the last saved ruleset.
Basic setup
Change the default policy to ACCEPT:
iptables -P INPUT ACCEPT
Delete all rules defined in the chains (this flushes the filter table; with the policy already ACCEPT, no session is cut):
iptables -F
Checking confirms that all rules are gone:
iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Add a rule to the INPUT chain accepting every packet arriving on the loopback interface:
BASHiptables -A INPUT -i lo -j ACCEPT
This is needed because many programs talk to themselves or to local daemons over the localhost adapter (for example a web application connecting to a MySQL server on the same host).
Add a rule to the INPUT chain accepting packets whose connection-tracking state, as reported by the state module, is ESTABLISHED or RELATED:
BASHiptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
This rule accepts packets that belong to a connection already in the tracking table (replies to connections this host opened, and the rest of any inbound connection that a later rule accepted) as well as packets that are not part of an existing connection but are related to one (ICMP errors, or the packet that opens an FTP data connection). Without it, outbound connections from the server would get no replies once the INPUT policy is DROP.
Add a rule to the INPUT chain accepting TCP packets whose destination port is 22:
BASHiptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
This allows SSH connections. For telnet the destination port would be 23, but telnet sends passwords in the clear and should not be exposed at all. Consider restricting the SSH rule with -s to the addresses you administer from.
Now change the default policy of the INPUT chain to DROP:
BASHiptables -P INPUT DROP
Change the default policy of the FORWARD chain to DROP:
BASHiptables -P FORWARD DROP
Since this server is not used as a router, every packet that would be forwarded is dropped.
Change the default policy of the OUTPUT chain to ACCEPT:
BASHiptables -P OUTPUT ACCEPT
Verify the settings:
iptables -L -v
Chain INPUT (policy DROP 108 packets, 12199 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo any anywhere anywhere
273 25012 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:ssh
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 9 packets, 1612 bytes)
pkts bytes target prot opt in out source destination
Save the settings (otherwise they are lost at the next service restart or reboot):
service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables: [ OK ]
When writing iptables rules, order is very important. For example, if you first add a rule that drops every packet from the local subnet 192.168.100.0/24, and then append (-A) a rule that accepts every packet from 192.168.100.13 (an address inside the subnet being dropped), the rule added later is never reached, because the first match wins. The rule allowing 192.168.100.13 must come first and the rule dropping the subnet after it (or insert the allow rule above the drop with -I).
Allowing other services
The rules below also include OUTPUT rules in case you have set the OUTPUT chain's default policy to DROP (iptables -P OUTPUT DROP); with the OUTPUT policy ACCEPT used above they are unnecessary.
Name server
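As an added illustration of the first-match behaviour described above (this is not code from the original post, and it does not invoke iptables), the shell script below evaluates a source address against a list of "cidr target" pairs the way a chain is walked: top to bottom, first match wins, chain policy at the bottom. The CIDR helpers and the rule lists are the example's own; the two calls at the end reproduce the 192.168.100.0/24 versus 192.168.100.13 case in both orders.

```sh
#!/bin/sh
# First-match chain walk, as an added illustration of the ordering rule
# (this is not code from the original post; iptables itself is not invoked).
# A chain is given as "cidr target" pairs in the order they were appended.

# Dotted-quad IPv4 address -> 32-bit integer.
ip2int() {
    local oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# True if address $1 lies inside $2, written as a.b.c.d/len or as a bare
# address (treated as /32, which is how iptables reads -s without a mask).
in_cidr() {
    local net bits mask
    net=${2%/*}
    bits=${2#*/}
    [ "$bits" = "$2" ] && bits=32
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# evaluate SRC POLICY CIDR1 TARGET1 [CIDR2 TARGET2 ...]
# Walks the pairs top to bottom and prints the target of the first rule that
# matches SRC; if none matches, the chain bottom is reached and POLICY applies.
evaluate() {
    local src=$1 policy=$2
    shift 2
    while [ $# -ge 2 ]; do
        if in_cidr "$src" "$1"; then
            echo "$2"
            return 0
        fi
        shift 2
    done
    echo "$policy"
}

# Demo: the subnet drop appended before the host allow hides the allow rule...
echo "wrong order: $(evaluate 192.168.100.13 DROP 192.168.100.0/24 DROP 192.168.100.13 ACCEPT)"
# ...whereas allowing the host first and dropping the subnet after it works.
echo "right order: $(evaluate 192.168.100.13 DROP 192.168.100.13 ACCEPT 192.168.100.0/24 DROP)"
```

Running it prints DROP for the wrong order and ACCEPT for the right one. The same reasoning applies to port and protocol matches, which is why a catch-all rule (or the policy) must always sit below the specific exceptions.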
DNS -- TCP 53 / UDP 53
iptables -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT
Web server
HTTP -- TCP 80
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
HTTPS -- TCP 443
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
The two rules above can be combined into one with the multiport match. The line below is written in the form used inside /etc/sysconfig/iptables (prefix it with iptables to run it from the shell):
-A INPUT -m state --state NEW -m tcp -p tcp -m multiport --dports 80,443 -j ACCEPT
MySQL -- TCP 3306
iptables -A INPUT -p tcp --dport 3306 -j ACCEPT
Open this only if clients on other hosts really need the database, and then add -s with the application server's address: a world-reachable 3306 invites brute-force logins. A web application on the same host talks to MySQL over the loopback interface, which is already allowed.
FTP (passive mode)
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport 1024:65535 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 1024:65535 -j ACCEPT
The last two rules open every port from 1024 upwards to the whole world, which defeats most of the point of the firewall. The better way is to load the FTP connection-tracking helper (modprobe nf_conntrack_ftp; on CentOS 6 make it persistent with IPTABLES_MODULES="nf_conntrack_ftp" in /etc/sysconfig/iptables-config). With the helper loaded, the passive data connection is classified as RELATED and accepted by the RELATED,ESTABLISHED rule already in place, so only port 21 needs to be opened. FTP also sends credentials in the clear; prefer SFTP over the SSH port that is already open.
Mail server
SMTP -- TCP 25
iptables -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
Secure SMTP -- TCP 465
iptables -A INPUT -p tcp -m tcp --dport 465 -j ACCEPT
POP3 -- TCP 110
iptables -A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
Secure POP3 -- TCP 995
iptables -A INPUT -p tcp -m tcp --dport 995 -j ACCEPT
IMAP -- TCP 143
iptables -A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
Secure IMAP -- TCP 993
iptables -A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
Allow ICMP (ping)
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
NTP time synchronisation
iptables -A INPUT -p udp --dport 123 -j ACCEPT
This is only needed if the host serves time to other machines. As an NTP client it needs nothing extra: its outgoing queries are allowed by the OUTPUT policy, and the replies come back as ESTABLISHED, since UDP is tracked as well.
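To tie the basic setup and the per-service rules together, here is an added example (not code from the original post) that generates a complete /etc/sysconfig/iptables in the iptables-save format the service loads at boot, instead of applying rules one at a time, so the ruleset can be reviewed before it goes live and loaded atomically with iptables-restore. The port lists, the optional admin network that pins SSH, the rate-limited LOG line with the "IPT-DROP: " prefix and the NEW-only accepts are all the example's own choices; FTP relies on the connection-tracking helper (assumed to be loaded through IPTABLES_MODULES in /etc/sysconfig/iptables-config) rather than opening 1024:65535.

```sh
#!/bin/sh
# Generate a filter-table ruleset in iptables-save format (the format of
# /etc/sysconfig/iptables). Added example; not the original post's code.
#
# Usage:  gen_ruleset "<tcp ports>" "<udp ports>" [admin_cidr] > /tmp/rules
#         iptables-restore < /tmp/rules     # replaces the live rules atomically
#         service iptables save             # persist, or copy the file into place
# If port 21 is listed, the passive data connection depends on the
# nf_conntrack_ftp helper being loaded (assumption: IPTABLES_MODULES in
# /etc/sysconfig/iptables-config) so that it is matched as RELATED.

gen_ruleset() {
    tcp_ports=$1          # e.g. "22 80 443"
    udp_ports=$2          # e.g. "53 123"
    admin_net=$3          # optional CIDR allowed to reach SSH; empty = anywhere

    # Header: policies are set in the same transaction as the rules, so there
    # is no window between a flush and the rules in which a session is cut.
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
-A INPUT -p tcp --tcp-flags ALL ALL -j DROP
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
EOF

    # One NEW-only ACCEPT per TCP service; SSH is pinned to the admin network if given.
    for p in $tcp_ports; do
        if [ "$p" = 22 ] && [ -n "$admin_net" ]; then
            echo "-A INPUT -s $admin_net -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT"
        else
            echo "-A INPUT -p tcp -m tcp --dport $p -m state --state NEW -j ACCEPT"
        fi
    done
    for p in $udp_ports; do
        echo "-A INPUT -p udp -m udp --dport $p -j ACCEPT"
    done

    # Log what is about to hit the DROP policy, rate-limited so a scan cannot fill the disk.
    cat <<'EOF'
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPT-DROP: " --log-level 4
COMMIT
EOF
}

# Demo with constructed inputs: a web host administered from 10.0.0.0/8.
gen_ruleset "22 80 443" "53" 10.0.0.0/8
```

Because the policies are part of the file, loading it with iptables-restore never passes through the "policy DROP with no rules" state that the step-by-step procedure has to avoid by hand. Review the generated file, then apply it from the console or from a session you can afford to lose.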
Hardening against common probes
Blocking NULL packets
A NULL packet is a TCP segment with no flags set. It never occurs in legitimate traffic; scanners send it (nmap -sN) to find weak spots in the server's configuration, because some stacks answer differently for open and closed ports.
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
SYN flood mitigation
A SYN flood is an attacker sending large numbers of connection-opening SYN packets, usually from spoofed addresses, and never completing the handshake, so that the server's half-open connection queue fills up and legitimate clients are refused.
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
This rule does not stop a SYN flood (a flood consists of perfectly valid SYNs). What it does is drop packets that would start a new connection without the SYN flag, i.e. stray ACK/FIN/RST segments and the ACK or FIN scans that rely on them, which makes it a useful companion to the NULL and XMAS rules. The real SYN flood defence is SYN cookies in the kernel, set below.
Anti SYN flood kernel settings
Edit /etc/sysctl.conf to defend against certain types of attack, appending or updating the following, then apply it with sysctl -p:
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.tcp_max_syn_backlog = 8192
net.ipv4.netfilter.ip_conntrack_max = 1048576
tcp_syncookies lets the kernel keep accepting connections when the SYN backlog is full; rp_filter drops packets whose source address is not routable back through the interface they arrived on (a cheap anti-spoofing check); tcp_max_syn_backlog enlarges the half-open queue. The last line is the legacy name of the connection-tracking table limit: on CentOS 6 the canonical sysctl is net.netfilter.nf_conntrack_max, and the key only exists once the conntrack modules are loaded, so sysctl -p at boot may complain about it. Raising it also raises kernel memory use, since each tracked connection costs a few hundred bytes.
Blocking XMAS packets
An XMAS packet has every TCP flag set ("lit up like a Christmas tree"). Like the NULL packet it is a reconnaissance packet (nmap -sX) and never legitimate.
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
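The scan-blocking rules above discard probes silently. To know who is probing you, put a rate-limited LOG rule just before the drop (for instance -m limit --limit 5/min -j LOG --log-prefix "IPT-DROP: "; the prefix is this example's choice) and read the kernel log. The script below is an added example rather than code from the original post: it extracts the SRC and DPT fields of such lines from /var/log/messages and ranks sources by dropped packets and by the number of distinct ports they touched, which is the simplest port-scan signature. The log lines embedded in it are constructed samples in the format the LOG target produces.

```sh
#!/bin/sh
# Rank sources behind iptables LOG-target drops. Added example, not the
# original post's code. Assumes a rule such as
#   iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPT-DROP: "
# sits just above the chain's DROP policy; the prefix is this example's choice.

# Constructed sample of /var/log/messages: three probes from one host,
# two from another, plus an unrelated sshd line that must be ignored.
SAMPLE_LOG='Mar  3 10:01:02 web1 kernel: IPT-DROP: IN=eth0 OUT= MAC=00:50:80:fd:e6:32:00:1b:21:3c:4d:5e:08:00 SRC=203.0.113.45 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=54321 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:01:03 web1 kernel: IPT-DROP: IN=eth0 OUT= MAC=00:50:80:fd:e6:32:00:1b:21:3c:4d:5e:08:00 SRC=203.0.113.45 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=54322 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:01:03 web1 kernel: IPT-DROP: IN=eth0 OUT= MAC=00:50:80:fd:e6:32:00:1b:21:3c:4d:5e:08:00 SRC=203.0.113.45 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=54323 DPT=445 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:02:10 web1 kernel: IPT-DROP: IN=eth0 OUT= MAC=00:50:80:fd:e6:32:00:1b:21:3c:4d:5e:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=UDP SPT=5060 DPT=5060 LEN=40
Mar  3 10:02:11 web1 kernel: IPT-DROP: IN=eth0 OUT= MAC=00:50:80:fd:e6:32:00:1b:21:3c:4d:5e:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=65535 RES=0x00 URGP=0
Mar  3 10:05:00 web1 sshd[1234]: Accepted publickey for admin from 10.0.0.5 port 51022 ssh2'

# Dropped packets per source, busiest first, as "<count> <src>" lines.
# Reads the log on stdin; fields are key=value tokens, so position does not matter.
drops_by_source() {
    grep 'IPT-DROP:' | awk '
        { for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) cnt[substr($i, 5)]++ }
        END { for (s in cnt) print cnt[s], s }' | sort -rn
}

# Distinct destination ports one source was dropped on, ascending, space-separated.
ports_probed_by() {
    grep 'IPT-DROP:' | grep -F "SRC=$1 " | awk '
        { for (i = 1; i <= NF; i++) if ($i ~ /^DPT=/) print substr($i, 5) }' |
        sort -n | uniq | xargs
}

# Sources dropped on at least $1 distinct ports: a minimal port-scan detector.
scanners() {
    grep 'IPT-DROP:' | awk -v t="$1" '
        { src = ""; dpt = ""
          for (i = 1; i <= NF; i++) {
              if ($i ~ /^SRC=/) src = substr($i, 5)
              if ($i ~ /^DPT=/) dpt = substr($i, 5)
          }
          if (src != "" && dpt != "") seen[src, dpt] = 1 }
        END { for (k in seen) { split(k, a, SUBSEP); n[a[1]]++ }
              for (s in n) if (n[s] >= t) print s }' | sort
}

# Demo on the constructed sample (on a real host: < /var/log/messages).
echo "$SAMPLE_LOG" | drops_by_source
echo "$SAMPLE_LOG" | scanners 3
```

Remember that the LOG rule is rate-limited, so the counts are a lower bound during a fast scan; what matters is the set of ports and sources, not the exact number. A source that appears in scanners output is a good candidate for a temporary -I INPUT -s ADDRESS -j DROP at the top of the chain.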
Other usage
Modifying the rules
To change the registered rules, either edit /etc/sysconfig/iptables directly with vi and then run service iptables restart to load the file, or use the iptables command and then service iptables save so the change survives a restart. Do not mix the two without saving: a restart replaces the live rules with the contents of the file.
Finding a rule's position number:
iptables -nL --line-numbers
The example below replaces the rule at position 3 of the INPUT chain with -R (replace):
iptables -R INPUT 3 -p tcp --dport 2222 -j ACCEPT
Specifying an interface
Accept every packet on the loopback interface:
iptables -A INPUT -i lo -j ACCEPT
Accept every packet on a specific network card:
iptables -A INPUT -i eth0 -j ACCEPT
Be aware that this rule switches the firewall off for everything arriving on eth0. It is only sensible for a trusted internal interface on a multi-homed host, and even then it is better combined with -s.
Specifying IP addresses
Accept every packet from a trusted IP address:
iptables -A INPUT -s 192.168.0.3 -j ACCEPT
Accept every packet from a trusted address range (CIDR notation):
iptables -A INPUT -s 192.168.0.0/24 -j ACCEPT
The same range written with a dotted netmask:
iptables -A INPUT -s 192.168.0.0/255.255.255.0 -j ACCEPT
Accept every packet from a trusted IP address and MAC address:
iptables -A INPUT -s 192.168.0.3 -m mac --mac-source 00:50:80:FD:E6:32 -j ACCEPT
The mac match only works for hosts on the same Ethernet segment (the MAC seen is that of the last hop, so for traffic arriving through a router it is the router's), and a MAC address is trivially spoofed, so treat it as a convenience, not as authentication.
Specifying a port range
iptables -A INPUT -p tcp --dport 6881:6890 -j ACCEPT
Automation script
If you frequently need to reset and reconfigure the firewall, it is worth writing a script. Below is an example.
#!/bin/bash
# iptables setup script
# Adjust to taste before using.

# Start from a clean, permissive state so that flushing cannot cut the
# current SSH session: reset the policies first, then flush rules, user
# chains and counters
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -F
iptables -X
iptables -Z

# Allow TCP port 22 for SSH first, so remote access survives the DROP policy set below
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

# Set the default policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Allow localhost traffic
iptables -A INPUT -i lo -j ACCEPT

# Allow ESTABLISHED and RELATED connections (replies to what this host sends out)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow Apache on port 80
iptables -A INPUT -p tcp --dport 80 -j ACCEPT

# Save the settings so they are restored at boot
/sbin/service iptables save

# Print the resulting rules
iptables -L -v
Edit the above to taste, save it as myfirewall, and make it executable:
chmod +x myfirewall
Run it:
./myfirewall
Source: https://webdir.tistory.com/170 [WEBDIR]