= \@ocat |
= \@cat{Stuffs} |
+ \@cat{Linux} |
= \@ecat |
= \TableOfContents |
= |
= !firewall ¼¼Æà |
= º¸Åë ´ÙÀ½ÀÇ ¿¹Á¦¸¦ º¸¸é ¿øÇÏ´Â firewall ¼¼ÆÃÀ» ÇÏ½Ç ¼ö ÀÖ½À´Ï´Ù. |
= |
= /etc/sysconfig/iptables ¿¡ ½á³Ö°í ½ÇÇà ÆÛ¹Ì¼Ç ÁÖ°í rc.local ¿¡ ÀÌ ÆÄÀÏÀ» ½ÇÇàÇÏ°Ô ÇÏ¸é µË´Ï´Ù. [kltp | http://kltp.kldp.org]¿¡¼ °¡Á®¿Ô½À´Ï´Ù. |
= /*! wikiXmacros¿Í \\basis \\easis ÀÌ¿ë*/ |
= \def@bverb={ |
= <tt> |
= \dcSave |
= \noDefault |
= } |
= \def@everb={ |
= \dcRestore |
= </tt> |
= } |
= \def@bverbox=<table style="background-color:#eeeeee; border:1 solid;"><tr><td>\@bverb |
= \def@everbox=\@everb</td></tr></table> |
= \@bverbox |
= \basis |
= #!/bin/sh |
= |
= # ¸ðµâÀ» ¿Ã¸°´Ù. |
= /sbin/modprobe ip_conntrack |
= /sbin/modprobe ip_conntrack_ftp |
= /sbin/modprobe iptable_nat |
= /sbin/modprobe iptable_mangle |
= # ¿ì¼± ¸ðµç RuleÀ» Á¤¸®ÇÑ´Ù. |
= /sbin/iptables -F |
= |
= /sbin/iptables -A INPUT -m state --state RELATED -j ACCEPT |
= |
= # localhost¿¡¼ÀÇ trafficÀ» ¹Þ¾ÆµéÀδÙ. |
= /sbin/iptables -A INPUT -i lo -j ACCEPT |
= |
= # ƯÁ¤ ip¿¡¼ÀÇ ¸ðµç ¿¬°áÀ» ¹Þ¾ÆµéÀδ٠|
= /sbin/iptables -A INPUT -s mimosa.snu.ac.kr -j ACCEPT |
= /sbin/iptables -A INPUT -s 192.168.1.100 -j ACCEPT |
= # ƯÁ¤ ip¿¡¼ ³» PCÀÇ Æ¯Á¤ Æ÷Æ®·Î Á¢±ÙÇÒ ¼ö ÀÖ°Ô ÇØÁØ´Ù. |
= /sbin/iptables -A INPUT -s 192.168.1.102 -p tcp --destination-port 80 -j ACCEPT #jwpark |
= /sbin/iptables -A INPUT -s 192.168.1.112 -p tcp --destination-port 80 -j ACCEPT #gdlee |
= /sbin/iptables -A INPUT -s 192.168.1.112 -p tcp --destination-port 22 -j ACCEPT #gdlee |
= /sbin/iptables -A INPUT -s 192.168.1.112 -p tcp --destination-port 2401 -j ACCEPT #gdlee pserver |
= /sbin/iptables -A INPUT -s 192.168.1.112 -p udp --destination-port 2401 -j ACCEPT #gdlee pserver |
= /sbin/iptables -A INPUT -s 192.168.1.112 -p udp --destination-port 137:139 -j ACCEPT #gdlee pserver |
= /sbin/iptables -A INPUT -s 192.168.1.112 -p tcp --destination-port 137:139 -j ACCEPT #gdlee pserver |
= # x manager port 6000 |
= #/sbin/iptables -A INPUT -p tcp --destination-port 6000 -j ACCEPT |
= |
= # È®¸³µÈ ¿¬°á¿¡ ´ëÇÑ PacketÀ» ¹Þ¾ÆµéÀδÙ. |
= /sbin/iptables -A INPUT -i eth0 -p tcp ! --syn -j ACCEPT |
= #/sbin/iptables -A INPUT -i eth0 -p udp ! --syn -j ACCEPT |
= |
= # ÀÎÁõ ¿¬°áÀ» °ÅºÎÇÑ´Ù(±×·¸Áö ¾ÊÀ» °æ¿ì ¸ÞÀϼ¹ö°¡ ¿À·§µ¿¾È ŸÀӾƿô »óÅ°¡ µÉ °ÍÀÌ´Ù.) |
= /sbin/iptables -A INPUT -i eth0 -p tcp --destination-port 113 -j REJECT |
= |
= # echo³ª ¸ñÀûÁö¿¡ µµÂø ¸øÇϰųª ½Ã°£ ÃÊ°úµÈ icmp packetµéÀ» ¹Þ¾ÆµéÀδÙ. |
= |
= /sbin/iptables -A INPUT -i eth0 -p icmp --icmp-type 0 -j ACCEPT |
= /sbin/iptables -A INPUT -i eth0 -p icmp --icmp-type 3 -j ACCEPT |
= /sbin/iptables -A INPUT -i eth0 -p icmp --icmp-type 11 -j ACCEPT |
= |
= # ´ÙÀ½À¸·Î °¢°¢¿¡ ´ëÇÑ Á¤Ã¥À» ¼¼¿î´Ù. |
= /sbin/iptables -P INPUT ACCEPT |
= /sbin/iptables -P OUTPUT ACCEPT |
= /sbin/iptables -P FORWARD ACCEPT |
= |
= /sbin/iptables -A INPUT -p tcp --dport 1:30000 -j DROP |
= /sbin/iptables -A INPUT -p icmp --icmp-type echo-request -j DROP |
= |
= \easis |
= \@everbox |
= ¶Ç´Â ÀÌ·¸°Ô ½ÇÇàÇÑ ´ÙÀ½¿¡ /sbin/service iptables save Çϸé config ³»¿ëÀÌ /etc/sysconfig/iptables¿¡ ½áÁö°í(½ÇÇà ½ºÅ©¸³Æ® ¾Æ´Õ´Ï´Ù.) |
= |
= ntsysv¸¦ »ç¿ëÇϰųª Á÷Á¢ ¼¼ÆÃÀ» ¹Ù²ã¼ ºÎÆýà iptables ¼ºñ½º¸¦ È°¼ºÈ ½ÃÅ°¸é µË´Ï´Ù. |
= !Á»´õ °í±ÞÀÇ °·ÂÇÑ ¼¼Æà |
= °í±Þ ¼¼ÆÃÀ» ¿øÇÏ½Ã¸é ´ÙÀ½ ȨÆäÀÌÁö¿¡ °¡¼Å¼ °ËÁõµÈ ÆÄÀ̾î¿ù ½ºÅ©¸³Æ®¸¦ ±¸ÇÒ ¼ö ÀÖ½À´Ï´Ù. NAT¿Í ¸¶½ºÄ¿·¹À̵ù ipsec µî ¿©·¯ ¼¼ÆÃÀ» Áö¿øÇØÁÝ´Ï´Ù. |
= [Arno's IPTABLES Firewall Script | http://rocky.molphys.leidenuniv.nl/] |
= |
= http://www.linuxguruz.com/iptables/ ¿¡¼ ¸µÅ©¸¦ °¡Á®¿Ô½À´Ï´Ù. |
= |
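Review bot: The firewall script in this revision (the block starting at `#!/bin/sh`) sets `iptables -P INPUT ACCEPT` near the end and only drops TCP ports 1:30000, so every TCP port above 30000 and every UDP service is reachable from any source, and the earlier `-p tcp ! --syn -j ACCEPT` rule admits any non-SYN packet without a conntrack match, which makes the `--state RELATED` rule largely irrelevant. Switch INPUT to a default-deny policy, accept `ESTABLISHED,RELATED` statefully, and delete both the `! --syn` and the `--dport 1:30000` rules; `-F` alone also leaves user-defined chains and the nat table untouched, so add `-X` and `-t nat -F` to the cleanup. The `-s mimosa.snu.ac.kr` rule resolves the hostname when the script runs, so the rule set depends on DNS being up at boot and on an answer a spoofer could influence — use the host's IP address instead. The only line this revision adds is the `\@cat{Linux}` category tag; the points above concern the unchanged script around it.
```shell
# … unchanged: modprobe lines …
# Clear filter rules, user chains and the nat table, not just the filter chains
/sbin/iptables -F
/sbin/iptables -X
/sbin/iptables -t nat -F

# Default-deny inbound; every later rule is an explicit allow.
# FORWARD DROP assumes this host does not route for others.
/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P OUTPUT ACCEPT

# Stateful accept of replies (replaces the stateless "! --syn" rule)
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -i lo -j ACCEPT
# … unchanged: per-host allow rules (use IP addresses, not hostnames) …
# … unchanged: ident REJECT and ICMP accepts …
# the trailing "--dport 1:30000 DROP" rule is removed; the policy now covers it
```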