- firewall setup
- A more advanced and stronger setup
firewall setup
Usually you can get the firewall setup you want by following the example below.
Write it into /etc/sysconfig/iptables, give it execute permission, and have rc.local run this file. Taken from kltp.
#!/bin/sh
# Load the modules.
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe iptable_nat
/sbin/modprobe iptable_mangle
# First clear all existing rules.
/sbin/iptables -F
/sbin/iptables -A INPUT -m state --state RELATED -j ACCEPT
# Accept traffic from localhost.
/sbin/iptables -A INPUT -i lo -j ACCEPT
# Accept all connections from specific IPs.
/sbin/iptables -A INPUT -s mimosa.snu.ac.kr -j ACCEPT
/sbin/iptables -A INPUT -s 192.168.1.100 -j ACCEPT
# Let specific IPs reach specific ports on my PC.
/sbin/iptables -A INPUT -s 192.168.1.102 -p tcp --destination-port 80 -j ACCEPT #jwpark
/sbin/iptables -A INPUT -s 192.168.1.112 -p tcp --destination-port 80 -j ACCEPT #gdlee
/sbin/iptables -A INPUT -s 192.168.1.112 -p tcp --destination-port 22 -j ACCEPT #gdlee
/sbin/iptables -A INPUT -s 192.168.1.112 -p tcp --destination-port 2401 -j ACCEPT #gdlee pserver
/sbin/iptables -A INPUT -s 192.168.1.112 -p udp --destination-port 2401 -j ACCEPT #gdlee pserver
/sbin/iptables -A INPUT -s 192.168.1.112 -p udp --destination-port 137:139 -j ACCEPT #gdlee pserver
/sbin/iptables -A INPUT -s 192.168.1.112 -p tcp --destination-port 137:139 -j ACCEPT #gdlee pserver
# x manager port 6000
#/sbin/iptables -A INPUT -p tcp --destination-port 6000 -j ACCEPT
# Accept packets belonging to established connections.
/sbin/iptables -A INPUT -i eth0 -p tcp ! --syn -j ACCEPT
#/sbin/iptables -A INPUT -i eth0 -p udp ! --syn -j ACCEPT
# Reject ident (auth) connections (otherwise the mail server will sit in a timeout for a long time).
/sbin/iptables -A INPUT -i eth0 -p tcp --destination-port 113 -j REJECT
# Accept ICMP echo-reply, destination-unreachable and time-exceeded packets.
/sbin/iptables -A INPUT -i eth0 -p icmp --icmp-type 0 -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p icmp --icmp-type 3 -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p icmp --icmp-type 11 -j ACCEPT
# Next, set the policy for each chain.
/sbin/iptables -P INPUT ACCEPT
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -P FORWARD ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 1:30000 -j DROP
/sbin/iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
Alternatively, after running it this way, run /sbin/service iptables save and the config contents are written to /etc/sysconfig/iptables (this file is not an executable script);
then use ntsysv, or change the setting directly, to enable the iptables service at boot.
A more advanced and stronger setup
If you want an advanced setup, you can get a verified firewall script from the homepage below. It supports NAT, masquerading, ipsec and various other settings.
Arno's IPTABLES Firewall Script
The link was taken from http://www.linuxguruz.com/iptables/ .
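The script above leaves the INPUT policy at ACCEPT and accepts every TCP segment that lacks the SYN flag, so traffic to ports above 30000, and any non-SYN TCP packet, reaches the host whether or not a connection exists. The following is an added example, not the page's or kltp's script, that rebuilds the same allow list as a default-deny ruleset using the connection tracking the page's module list already loads (ip_conntrack). It prints the rules by default; APPLY=1 applies them as root. The interface name eth0, the APPLY and WAN_IF variables and the helper function names are assumptions; the hosts and ports are the ones from the page's script.

```shell
#!/bin/sh
# Added example, not the script from the page or from kltp: the page's allow
# list rebuilt as a default-deny, connection-tracked ruleset.
# Dry-run by default: every rule is printed instead of applied. Set APPLY=1
# (as root) to apply. WAN_IF, APPLY and the helper names are assumptions.

IPT="/sbin/iptables"
[ "${APPLY:-0}" = "1" ] || IPT="echo $IPT"   # dry-run unless APPLY=1
WAN_IF="${WAN_IF:-eth0}"                     # assumed external interface

# Hosts and ports from the page's script. The hostname rule is left out:
# iptables resolves names once at load time, which fails if DNS is down at boot.
TRUSTED_HOSTS="192.168.1.100"
WEB_CLIENTS="192.168.1.102 192.168.1.112"
SSH_CLIENTS="192.168.1.112"
CVS_CLIENTS="192.168.1.112"      # pserver, tcp/2401
SMB_CLIENTS="192.168.1.112"      # NetBIOS, tcp and udp 137:139

# allow_from LIST PROTO PORTSPEC : one NEW-connection rule per listed host
allow_from() {
    _hosts="$1"; _proto="$2"; _ports="$3"
    for h in $_hosts; do
        $IPT -A INPUT -s "$h" -p "$_proto" --dport "$_ports" \
            -m state --state NEW -j ACCEPT
    done
}

build_rules() {
    # Flush so the script can be rerun without duplicating rules.
    $IPT -F INPUT
    $IPT -F FORWARD
    # Default-deny for inbound and forwarded traffic; outbound stays open.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    # Loopback, then replies to connections this host initiated. Tracking
    # state replaces the original "! --syn" rule, which accepted any TCP
    # segment without SYN whether or not a connection existed.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m state --state INVALID -j DROP
    # Fully trusted hosts.
    for h in $TRUSTED_HOSTS; do
        $IPT -A INPUT -s "$h" -j ACCEPT
    done
    # Per-service access for the remaining hosts.
    allow_from "$WEB_CLIENTS" tcp 80
    allow_from "$SSH_CLIENTS" tcp 22
    allow_from "$CVS_CLIENTS" tcp 2401
    allow_from "$SMB_CLIENTS" tcp 137:139
    allow_from "$SMB_CLIENTS" udp 137:139
    # Reject ident (tcp/113) with a reset instead of silently dropping it, so
    # remote mail servers get an immediate answer rather than waiting out a timeout.
    $IPT -A INPUT -i "$WAN_IF" -p tcp --dport 113 -j REJECT --reject-with tcp-reset
    # ICMP needed for path-MTU discovery and traceroute replies. Echo replies to
    # our own pings are matched by the ESTABLISHED rule; echo-request is not
    # listed, so it falls through to the DROP policy as in the original.
    $IPT -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
}

# rule_position PATTERN : 1-based line of the first generated command matching
# PATTERN (dry-run mode only), useful for checking rule order.
rule_position() {
    build_rules | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

build_rules
```

Run it once without APPLY to read the generated rules, then with APPLY=1 as root; the order matters, since the ESTABLISHED,RELATED rule must come before any per-host rule or every reply packet would be evaluated against the whole list.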
Posted by rommance at 2005-03-23 14:56:33