  • CentOS 5, 6: how to use iptables
  • CentOS 7: how to use the firewall (firewalld)
  • CentOS 7: how to use iptables


[CentOS 5, 6] How to use iptables

Configuration is done with the iptables that is installed by default.

– Out of the box, only port 22 (the default SSH port) is allowed.
– For the web service (www), add TCP 80 below the port 22 entry.
– If an SSL certificate is installed on the web server and it is served over an https address, also add TCP 443.

# vi /etc/sysconfig/iptables

# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
…
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
…
COMMIT


Allow a specific IP address with the firewall

-A INPUT -s <ip address> -j ACCEPT

Block a specific IP address with the firewall

-A INPUT -s <ip address> -j DROP

Allow a specific port with the firewall

-A INPUT -p tcp --dport 443 -j ACCEPT

Block a specific port with the firewall

-A INPUT -p tcp --dport 443 -j DROP

Block a specific IP address and port with the firewall

-A INPUT -s 172.20.3.** -p tcp --dport 22 -j DROP

Log the blocked traffic after blocking a specific IP address and port with the firewall

-I INPUT -s 172.20.3.** -p tcp --dport 22 -j LOG --log-prefix "[PLURA SSH Defend]"


The following is the log as it is shown in the [Plura service].

{"@ceelog": {"timegenerated":"2016-06-09T19:52:30.001446+09:00","programname":"kernel","hostname":"centos6","syslogtag":"kernel:","pri":"4","pri-text":"kern.warning","syslogfacility":"0","syslogfacility-text":"kern","syslogseverity":"4","syslogseverity-text":"warning","msg":"[PLURA SSH Defend]IN=eth0 OUT= MAC=08:00:27:d6:c6:1b:08:00:27:36:6b:8a:08:00 SRC=172.20.3.87 DST=172.20.3.84 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4198 DF PROTO=TCP SPT=34381 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0 "}}
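
As an added example (not part of the original page), the shell script below extracts the fields of kernel LOG lines such as the one above and counts the logged SYN packets per source address, which is how a defender turns the log prefix into a quick summary of who is hitting the blocked port. The three log lines inside it are constructed for the example; the function names log_field and syn_count_by_src are my own.

```shell
#!/bin/sh
# Added example, not from the original page: parse netfilter LOG lines such as
# the one produced by the "-j LOG --log-prefix" rule above, and summarise the
# logged SYN packets per source address.

# Constructed sample: three kernel messages as they would appear in /var/log/messages.
SAMPLE_LOG='Jun  9 19:52:30 centos6 kernel: [PLURA SSH Defend]IN=eth0 OUT= MAC=08:00:27:d6:c6:1b:08:00:27:36:6b:8a:08:00 SRC=172.20.3.87 DST=172.20.3.84 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4198 DF PROTO=TCP SPT=34381 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jun  9 19:52:31 centos6 kernel: [PLURA SSH Defend]IN=eth0 OUT= MAC=08:00:27:d6:c6:1b:08:00:27:36:6b:8a:08:00 SRC=172.20.3.87 DST=172.20.3.84 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4199 DF PROTO=TCP SPT=34382 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jun  9 19:52:35 centos6 kernel: [PLURA SSH Defend]IN=eth0 OUT= MAC=08:00:27:d6:c6:1b:08:00:27:36:6b:8a:08:00 SRC=172.20.3.90 DST=172.20.3.84 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=7001 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0'

# log_field LINE NAME -> the value of NAME=value in one LOG line (empty if absent).
# The prefix is glued to the first field ("Defend]IN=eth0"), so everything up to
# the closing bracket is dropped before the fields are scanned.
log_field() {
    printf '%s\n' "$1" | awk -v key="$2" '{
        sub(/^.*\]/, "")
        for (i = 1; i <= NF; i++)
            if (index($i, key "=") == 1) { print substr($i, length(key) + 2); exit }
    }'
}

# syn_count_by_src PREFIX  (log lines on stdin)
# Prints "SRC DST DPT count" for every source whose SYN packets hit the logged rule.
syn_count_by_src() {
    grep -F -- "$1" | awk '{
        src = ""; dst = ""; dpt = ""; syn = 0
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            else if ($i ~ /^DST=/) dst = substr($i, 5)
            else if ($i ~ /^DPT=/) dpt = substr($i, 5)
            else if ($i == "SYN") syn = 1
        }
        if (syn && src != "") count[src " " dst " " dpt]++
    }
    END { for (k in count) print k, count[k] }' | sort
}

# Usage: summarise the constructed sample (172.20.3.87 sent two SYNs, 172.20.3.90 one).
printf '%s\n' "$SAMPLE_LOG" | syn_count_by_src '[PLURA SSH Defend]'
```

On a real host the same summary comes from `grep 'PLURA SSH Defend' /var/log/messages | syn_count_by_src '[PLURA SSH Defend]'`; a source that keeps appearing with a rising count is the one to investigate, and the counts are computed from the DROP-logged packets only, so accepted connections never appear here.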

 

 

Once the firewall configuration is complete, restart the firewall.

# /etc/init.d/iptables restart   (or: service iptables restart)
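
As an added example (not from the original page), the script below renders a complete /etc/sysconfig/iptables ruleset from an allow list and checks the rule order with a small first-match simulator. iptables evaluates the INPUT chain top to bottom and stops at the first terminal target (ACCEPT, DROP, REJECT), so a DROP for one source appended with -A after the generic port 22 ACCEPT would never be reached; the page's -I puts its LOG rule at the head of the chain for the same reason, and LOG itself is non-terminal, so the packet continues to the DROP below it. The source address 172.20.3.87, the port list and the function names render_rules and verdict are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original page: render a CentOS 5/6 style
# /etc/sysconfig/iptables ruleset from an allow list and verify the rule order
# with a first-match simulator. 172.20.3.87 and the ports are constructed values.

# render_rules BLOCKED_SRC PORT... -> ruleset text in iptables-restore syntax.
# The log-and-drop pair for BLOCKED_SRC goes ahead of the generic port 22
# ACCEPT; appended after it, the DROP would never be reached.
render_rules() {
    blocked=$1; shift
    printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    # LOG is non-terminal: the packet falls through to the DROP right after it.
    printf '%s\n' "-A INPUT -s $blocked -p tcp --dport 22 -j LOG --log-prefix \"[PLURA SSH Defend]\""
    printf '%s\n' "-A INPUT -s $blocked -p tcp --dport 22 -j DROP"
    for p in "$@"; do
        printf '%s\n' "-A INPUT -m state --state NEW -m tcp -p tcp --dport $p -j ACCEPT"
    done
    printf '%s\n' '-A INPUT -j REJECT --reject-with icmp-host-prohibited' 'COMMIT'
}

# verdict SRC DPORT  (ruleset on stdin) -> the first terminal target reached by a
# new TCP packet from SRC to DPORT arriving on a non-loopback interface.
verdict() {
    awk -v src="$1" -v dport="$2" '
    /^-A INPUT/ {
        s = ""; p = ""; d = ""; st = ""; target = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "-s") s = $(i + 1)
            else if ($i == "-p") p = $(i + 1)
            else if ($i == "--dport") d = $(i + 1)
            else if ($i == "--state") st = $(i + 1)
            else if ($i == "-j") target = $(i + 1)
            else if ($i == "-i") next                  # loopback-only rule: not our packet
        }
        if (s != "" && s != src) next                  # source does not match
        if (p != "" && p != "tcp") next                # protocol does not match
        if (d != "" && d != dport) next                # port does not match
        if (st != "" && index(st, "NEW") == 0) next    # needs an existing connection
        if (target == "LOG") next                      # non-terminal target: keep walking
        print target; exit
    }'
}

# Usage: 172.20.3.87 is dropped on 22 but still reaches 80; others get ACCEPT/REJECT.
render_rules 172.20.3.87 22 80 443 | verdict 172.20.3.87 22    # DROP
```

The rendered text is what goes into /etc/sysconfig/iptables before the restart above; the simulator only models the matches used on this page (-s, -p tcp, --dport, --state, -i), which is enough to confirm that the DROP is placed where it will actually match.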

 

[CentOS 7] How to use the firewall (firewalld)

The default firewall system has changed. Previously iptables was used, but in CentOS 7 a firewall system called 'firewalld' ships as the default.

  • The firewall has the concept of zones. If the host is connected to an open network, the rules in the public zone are applied; if it is on a private network, the rules of a different zone can be applied.
  • Since we use Linux as a server, we only need the open public zone. The public zone is also set as the firewall's default zone; this can be changed in the firewall configuration file.

Configuration file of the public zone

# vi /etc/firewalld/zones/public.xml

<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="dhcpv6-client"/>
  <service name="http"/>
  <service name="ssh"/>
  <port protocol="tcp" port="80"/>
  <port protocol="tcp" port="8080"/>
</zone>

Restart (reload) the firewall

# firewall-cmd --reload

  • The configuration file is in XML format and stores the rules that were added with the firewall-cmd --permanent --zone=public command. If you edit a zone's configuration file, you must reload the firewall for the change to take effect.
    * (--permanent and --zone each start with two hyphens. If a copied command has them rendered as a single dash, it will not run.)*
  • Note that rules added to the configuration file are applied permanently. If you omit the --permanent option, the rule takes effect immediately but only temporarily (on reboot, every rule that was not added to the zone's configuration file is removed).

Add/remove a port

Add # firewall-cmd --permanent --zone=public --add-port=80/tcp

Remove # firewall-cmd --permanent --zone=public --remove-port=80/tcp

Reload # firewall-cmd --reload

Add/remove a service

Add # firewall-cmd --permanent --zone=public --add-service=http

Remove # firewall-cmd --permanent --zone=public --remove-service=http

Reload # firewall-cmd --reload

Add/remove an arbitrary rule (rich rule)

Add # firewall-cmd --permanent --zone=public --add-rich-rule="rule family=ipv4 source address=192.168.0.4/24 service name=http accept"

Remove # firewall-cmd --permanent --zone=public --remove-rich-rule="rule family=ipv4 source address=192.168.0.4/24 service name=http accept"

Reload # firewall-cmd --reload

[Application] Block and unblock a specific IP address for the http service

Block # firewall-cmd --permanent --zone=public --add-rich-rule="rule family=ipv4 source address=192.168.0.4 service name=http reject"

Unblock # firewall-cmd --permanent --zone=public --remove-rich-rule="rule family=ipv4 source address=192.168.0.4 service name=http reject"

Reload # firewall-cmd --reload
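
As an added example (not from the original page), the script below builds the rich rule strings used above from validated inputs, so that a malformed address or service name is rejected before it ever reaches firewall-cmd, and wraps the permanent change plus reload sequence that the page describes. It emits the quoted form shown in firewalld's rich language documentation (family="ipv4" ...), which means the same as the unquoted form above. The function names valid_ipv4, rich_rule and fw_apply are my own; 192.168.0.4 is the page's sample address, and fw_apply only runs firewall-cmd when the command exists on the host.

```shell
#!/bin/sh
# Added example, not from the original page: validate the inputs of a firewalld
# rich rule, build the rule string, and apply it with the permanent change +
# reload sequence described above. Function names are my own; 192.168.0.4 is
# the page's sample address.

# valid_ipv4 ADDR[/PREFIX] -> 0 if ADDR is a dotted quad with an optional /0-32 prefix
valid_ipv4() {
    addr=${1%%/*}
    prefix=${1#*/}
    if [ "$prefix" = "$1" ]; then prefix=32; fi      # no "/" given: single host
    case "$prefix" in ""|*[!0-9]*) return 1;; esac
    [ "$prefix" -le 32 ] || return 1
    oldifs=$IFS; IFS=.; set -f; set -- $addr; set +f; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ""|*[!0-9]*) return 1;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# rich_rule ACTION SERVICE SOURCE -> prints the rich rule; returns 1 on bad input
rich_rule() {
    action=$1; service=$2; src=$3
    case "$action" in accept|reject|drop) ;; *) echo "bad action: $action" >&2; return 1;; esac
    case "$service" in ""|*[!a-z0-9-]*) echo "bad service: $service" >&2; return 1;; esac
    valid_ipv4 "$src" || { echo "bad source: $src" >&2; return 1; }
    printf 'rule family="ipv4" source address="%s" service name="%s" %s\n' "$src" "$service" "$action"
}

# fw_apply add|remove RULE -> permanent change, then reload so it takes effect now
fw_apply() {
    case "$1" in add|remove) ;; *) echo "usage: fw_apply add|remove RULE" >&2; return 1;; esac
    if ! command -v firewall-cmd >/dev/null 2>&1; then
        echo "firewall-cmd not found; would run: firewall-cmd --permanent --zone=public --$1-rich-rule='$2'" >&2
        return 0
    fi
    firewall-cmd --permanent --zone=public "--$1-rich-rule=$2" && firewall-cmd --reload
}

# Usage: the page's "block 192.168.0.4 on http" rule.
rich_rule reject http 192.168.0.4    # rule family="ipv4" source address="192.168.0.4" service name="http" reject
```

To apply the block from the page: `fw_apply add "$(rich_rule reject http 192.168.0.4)"`, and `fw_apply remove ...` with the same rule string to lift it. Passing the rule as one argument (the whole `--add-rich-rule=...` string) is what keeps the spaces inside it intact; the validation in rich_rule is what stops a value such as `http; id` from being handed to a privileged command.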

 

List the allowed ports

# firewall-cmd --list-ports

Check the firewall state

# firewall-cmd --state

List the active zones

# firewall-cmd --get-active-zones

List the currently defined services

# firewall-cmd --get-services

List the services in the public zone

# firewall-cmd --zone=public --list-services

[CentOS 7] How to use iptables

Stop the currently running firewalld daemon and make sure it does not come back up on reboot.

# systemctl stop firewalld

# systemctl mask firewalld

Install iptables (it is installed automatically if the OS was installed with the web server configuration).

# yum install iptables-services

Configure the iptables service daemon to start automatically on reboot.

# systemctl enable iptables

Start the iptables service (start/restart/stop).

# systemctl start/restart/stop iptables

Restart iptables.

# systemctl restart iptables

[Source]

oracle-base.com https://oracle-base.com/articles/linux/linux-firewall-firewalld