- CentOS 5, 6 iptables usage
- CentOS 7 firewall usage
- CentOS 7 iptables usage
[CentOS 5, 6] iptables usage
We configure the firewall using the iptables that is installed by default.
- By default, only port 22 (SSH) is allowed.
- For the web service (www), add TCP 80 below the port 22 rule.
- If an SSL certificate is installed on the web server and it serves over an https address, add TCP 443 as well.
# vi /etc/sysconfig/iptables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
…
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
…
COMMIT
Allow a specific IP with the firewall
-A INPUT -s <ip-address> -j ACCEPT
Block a specific IP with the firewall
-A INPUT -s <ip-address> -j DROP
Allow a specific port with the firewall
-A INPUT -p tcp --dport 443 -j ACCEPT
Block a specific port with the firewall
-A INPUT -p tcp --dport 443 -j DROP
Block a specific IP and port with the firewall
-A INPUT -s 172.20.3.** -p tcp --dport 22 -j DROP
Log the blocked traffic after blocking a specific IP and port with the firewall
-I INPUT -s 172.20.3.** -p tcp --dport 22 -j LOG --log-prefix "[PLURA SSH Defend]"
The following is the log as it appears in the [Plura service].
{"@ceelog": {"timegenerated":"2016-06-09T19:52:30.001446+09:00","programname":"kernel","hostname":"centos6","syslogtag":"kernel:","pri":"4","pri-text":"kern.warning","syslogfacility":"0","syslogfacility-text":"kern","syslogseverity":"4","syslogseverity-text":"warning","msg":"[PLURA SSH Defend]IN=eth0 OUT= MAC=08:00:27:d6:c6:1b:08:00:27:36:6b:8a:08:00 SRC=172.20.3.87 DST=172.20.3.84 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4198 DF PROTO=TCP SPT=34381 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0 "}}
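The LOG rule is inserted with -I so that it sits ahead of the DROP rule; LOG does not terminate rule processing, so each blocked packet is first written to the kernel log (the msg field above) and then dropped. The shell script below is an added example and is not part of the original page or of the PLURA service: it reads syslog lines from stdin and summarizes hits per source address and destination port for a given log prefix, so you can see at a glance which hosts keep hitting the blocked port. The log lines it carries are constructed samples in /var/log/messages layout, using the "[PLURA SSH Defend]" prefix from this page; lines from other programs (here a constructed sshd line) are ignored.

```shell
#!/bin/sh
# Added example (not from the original page): summarize iptables LOG lines
# carrying a given --log-prefix. Uses only awk and sort.

# Constructed sample of syslog lines as the kernel LOG target writes them
# to /var/log/messages; the field layout matches the page's log sample.
SAMPLE_LOG='Jun  9 19:52:30 centos6 kernel: [PLURA SSH Defend]IN=eth0 OUT= MAC=08:00:27:d6:c6:1b:08:00:27:36:6b:8a:08:00 SRC=172.20.3.87 DST=172.20.3.84 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4198 DF PROTO=TCP SPT=34381 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jun  9 19:52:31 centos6 kernel: [PLURA SSH Defend]IN=eth0 OUT= MAC=08:00:27:d6:c6:1b:08:00:27:36:6b:8a:08:00 SRC=172.20.3.87 DST=172.20.3.84 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4199 DF PROTO=TCP SPT=34382 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jun  9 19:53:02 centos6 kernel: [PLURA SSH Defend]IN=eth0 OUT= MAC=08:00:27:d6:c6:1b:08:00:27:aa:bb:cc:08:00 SRC=172.20.3.91 DST=172.20.3.84 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=17 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jun  9 19:53:05 centos6 sshd[1234]: Accepted publickey for admin from 172.20.3.10 port 50000 ssh2'

# summarize_defend_log PREFIX < logfile
# Prints one line "SRC DPT count" per source/port pair seen in LOG lines
# that contain PREFIX, most frequent first.
summarize_defend_log() {
    prefix=$1
    awk -v prefix="$prefix" '
        index($0, prefix) == 0 { next }          # keep only our LOG lines
        {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {          # fields are KEY=VALUE tokens
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src != "" && dpt != "") hits[src " " dpt]++
        }
        END { for (k in hits) print k, hits[k] }
    ' | sort -k3,3nr -k1,1
}

# Usage: feed the syslog file on stdin, e.g.
#   summarize_defend_log '[PLURA SSH Defend]' < /var/log/messages
# With the constructed sample above:
#   printf '%s\n' "$SAMPLE_LOG" | summarize_defend_log '[PLURA SSH Defend]'
```

The prefix match is a literal substring search, so it works with any --log-prefix value; only the SRC= and DPT= tokens are used, so the same function serves rules that log other ports.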
Once the firewall configuration is complete, restart the firewall.
# /etc/init.d/iptables restart   (or: service iptables restart)
[CentOS 7] firewall usage
The default firewall system has changed. Earlier releases used iptables, but CentOS 7 ships with a firewall system called 'firewalld' by default.
- The firewall has the concept of zones. When connected to an open network, the rules of the public zone apply; on a private network, the rules of a different zone can be applied.
- Since we use Linux as a server, only the open public zone is needed. The firewall also has the public zone set as its default zone. This can be changed in the firewall configuration file.
Configuration file of the public zone
# vi /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>Public</short>
<description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<service name="dhcpv6-client"/>
<service name="http"/>
<service name="ssh"/>
<port protocol="tcp" port="80"/>
<port protocol="tcp" port="8080"/>
</zone>
Reload the firewall
# firewall-cmd --reload
- The configuration file is in xml format and holds the rules that were added with the firewall-cmd --permanent --zone=public command. If you edit a zone's configuration file, the firewall must be reloaded for the change to take effect.
* (There are two dashes before --permanent and --zone. If you copy & paste from this page, the command will not run as-is.)*
- Note that rules added to the configuration file are permanent. If the --permanent option is omitted, the rule takes effect immediately but only temporarily (on reboot, every rule that was not added to the zone's configuration file is removed).
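Because only the rules stored in the zone file survive a reboot, it is worth checking what that file actually opens rather than trusting the runtime state. The script below is an added example, not from the original page or from the firewalld project: it reads a zone file with sed, lists the services and ports it opens permanently, and reports any port that is not on an expected allow-list. It writes a constructed copy of the public.xml shown above to a temp file so it runs without firewalld installed; the file path, the allow-list and the helper names are this example's own choices. It accepts both attribute orders for <port> (the page writes protocol first; firewalld's own writer puts port first), which is an assumption about real zone files.

```shell
#!/bin/sh
# Added example (not from the original page or firewalld): audit a firewalld
# zone file and list what it opens permanently. Uses only sed, so it runs on
# a minimal CentOS install.

# Constructed copy of the public.xml shown on the page, written to a temp
# file so the example runs offline. On a real host point ZONE_FILE at
# /etc/firewalld/zones/public.xml instead.
ZONE_FILE=$(mktemp)
cat > "$ZONE_FILE" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>Public</short>
<description>For use in public areas.</description>
<service name="dhcpv6-client"/>
<service name="http"/>
<service name="ssh"/>
<port protocol="tcp" port="80"/>
<port protocol="tcp" port="8080"/>
</zone>
EOF

# zone_services FILE -> one service name per line
zone_services() {
    sed -n 's/.*<service name="\([^"]*\)".*/\1/p' "$1"
}

# zone_ports FILE -> one "port/protocol" entry per line, e.g. 8080/tcp
# (handles both attribute orders: protocol-first as on this page, and
# port-first as firewalld itself writes the file)
zone_ports() {
    sed -n \
        -e 's/.*<port protocol="\([^"]*\)" port="\([^"]*\)".*/\2\/\1/p' \
        -e 's/.*<port port="\([^"]*\)" protocol="\([^"]*\)".*/\1\/\2/p' "$1"
}

# zone_unexpected_ports FILE ALLOWED... -> prints every port opened by FILE
# that is not in the ALLOWED list; exit status 1 if any were found
zone_unexpected_ports() {
    file=$1; shift
    found=0
    for p in $(zone_ports "$file"); do
        ok=0
        for a in "$@"; do
            [ "$p" = "$a" ] && ok=1
        done
        if [ "$ok" -eq 0 ]; then
            echo "$p"
            found=1
        fi
    done
    [ "$found" -eq 0 ]
}

# Usage: with the allow-list this page works towards (22, 80, 443), the
# 8080/tcp entry in the zone file above is reported as unexpected:
#   zone_unexpected_ports "$ZONE_FILE" 22/tcp 80/tcp 443/tcp
# zone_services "$ZONE_FILE" lists dhcpv6-client, http and ssh.
```

Services opened by name (ssh, http) are reported separately from raw ports, because a service entry can open more than the single port its name suggests; check both lists before calling the zone clean. The temp file is left in place so the functions can be called again in the same shell.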
Add/remove a port
Add: # firewall-cmd --permanent --zone=public --add-port=80/tcp
Remove: # firewall-cmd --permanent --zone=public --remove-port=80/tcp
Reload: # firewall-cmd --reload
Add/remove a service
Add: # firewall-cmd --permanent --zone=public --add-service=http
Remove: # firewall-cmd --permanent --zone=public --remove-service=http
Reload: # firewall-cmd --reload
Add/remove an arbitrary (rich) rule
Add: # firewall-cmd --permanent --zone=public --add-rich-rule="rule family=ipv4 source address=192.168.0.4/24 service name=http accept"
Remove: # firewall-cmd --permanent --zone=public --remove-rich-rule="rule family=ipv4 source address=192.168.0.4/24 service name=http accept"
Reload: # firewall-cmd --reload
[Application] Block and unblock a specific IP on the http service
Block: # firewall-cmd --permanent --zone=public --add-rich-rule="rule family=ipv4 source address=192.168.0.4 service name=http reject"
Unblock: # firewall-cmd --permanent --zone=public --remove-rich-rule="rule family=ipv4 source address=192.168.0.4 service name=http reject"
Reload: # firewall-cmd --reload
List of allowed ports
# firewall-cmd --list-ports
Check the firewall state
# firewall-cmd --state
List of active zones
# firewall-cmd --get-active-zones
List of currently defined services
# firewall-cmd --get-services
List of services in the public zone
# firewall-cmd --zone=public --list-services
[CentOS 7] iptables usage
Stop the currently running firewalld daemon and make sure it does not come back up on reboot.
# systemctl stop firewalld
# systemctl mask firewalld
Install iptables (installed automatically if the OS was installed with the web server configuration).
# yum install iptables-services
Configure the iptables service daemon to start automatically on reboot.
# systemctl enable iptables
Start the iptables service (start/restart/stop).
# systemctl start/restart/stop iptables
Restart iptables.
# systemctl restart iptables
[Source]
oracle-base.com https://oracle-base.com/articles/linux/linux-firewall-firewalld