1. iptables.sh 를 만들어 실행하기로 한다.
2. iptables.sh 내용
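#!/usr/bin/env bash
# iptables.sh — (re)build the host firewall rules in the filter and nat tables.
# Must run as root. Each run flushes the existing rules and installs the set
# below, so it is safe to re-run after edits.
#
# Optional environment overrides:
#   IFACE        external interface (default: eth0)
#   VPN_SNAT_IP  public address VPN traffic is SNATed to (default below)
set -euo pipefail

# iptables path
iptables=/sbin/iptables
readonly iptables

# External interface, parameterised instead of hard-coding eth0 everywhere.
IFACE="${IFACE:-eth0}"
readonly IFACE

# VPN server public IP used as the SNAT source.
VPN_SNAT_IP="${VPN_SNAT_IP:-123.123.123.123}"
readonly VPN_SNAT_IP

die() { printf '%s\n' "$*" >&2; exit 1; }

# Server IP, parsed from ifconfig output ("inet addr:A.B.C.D ...").
# Under pipefail a non-matching grep fails the pipeline; catch that and abort
# with a message rather than building a "-s" rule from an empty string.
HOST_IP="$(/sbin/ifconfig "$IFACE" | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://')" || HOST_IP=""
[[ -n "$HOST_IP" ]] || die "could not determine the IPv4 address of $IFACE"
readonly HOST_IP

# Flush the existing rules in BOTH tables. Flushing only the filter table
# (plain "-F") leaves the nat POSTROUTING SNAT rule below in place, so it was
# appended again on every run of this script.
"$iptables" -F
"$iptables" -t nat -F

# INPUT rules
"$iptables" -Z INPUT
# NOTE(review): the default policy is kept at ACCEPT to preserve the original
# behaviour. Anything not caught by the explicit DROP/REJECT rules at the end
# (e.g. UDP to ports above 1023) therefore still falls through to ACCEPT.
"$iptables" -P INPUT ACCEPT

# Local traffic ACCEPT
# NOTE(review): the second rule trusts the source address alone, which is
# forgeable from outside; tying it to an interface as the loopback rule does
# would be the tighter form — left as-is to keep behaviour unchanged.
"$iptables" -A INPUT -i lo -j ACCEPT
"$iptables" -A INPUT -s "$HOST_IP" -j ACCEPT

# Invalid packets DROP (packets with an abnormal connection-tracking state)
"$iptables" -A INPUT -m state --state INVALID -j DROP

# DNS/udp replies ACCEPT
"$iptables" -A INPUT -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT

# TCP services
# (The original also had a second "--dport 20 ESTABLISHED" rule; it is fully
#  covered by the NEW,ESTABLISHED rule here and was dropped as redundant.)
"$iptables" -A INPUT -p tcp --dport 20 -m state --state NEW,ESTABLISHED -j ACCEPT
"$iptables" -A INPUT -i "$IFACE" -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT

# VPN (PPTP control port + GRE)
"$iptables" -A INPUT -i "$IFACE" -p tcp --dport 1723 -j ACCEPT
"$iptables" -A INPUT -i "$IFACE" -p gre -j ACCEPT
# NOTE(review): no "-o" match, so every packet passing POSTROUTING is SNATed,
# not only those leaving via $IFACE — verify that is intended before tightening.
"$iptables" -t nat -A POSTROUTING -j SNAT --to-source "$VPN_SNAT_IP"
# Both forwarding directions. The original spelled the variable "$iptalbes" on
# the second line, so the eth0 -> ppp0 rule was never installed.
"$iptables" -A FORWARD -i ppp0 -o "$IFACE" -j ACCEPT
"$iptables" -A FORWARD -i "$IFACE" -o ppp0 -j ACCEPT

# ftp
"$iptables" -A INPUT -s 123.123.0.0/16 -p tcp --dport 21 -j ACCEPT
# ssh
"$iptables" -A INPUT -s 123.123.0.0/16 -p tcp --dport 22 -j ACCEPT
# telnet : not used
#"$iptables" -A INPUT -s 123.0.0.0/8 -p tcp --dport 23 -j ACCEPT

# 25 (SMTP), 80 (WEB) ACCEPT
"$iptables" -A INPUT -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
"$iptables" -A INPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT

# AUTH (ident) for clients
"$iptables" -A INPUT -p tcp --dport 113 -m state --state NEW,ESTABLISHED -j ACCEPT

# pop3s 995 : not used
#"$iptables" -A INPUT -p tcp --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT

# mysql — local, plus the remote DB server subnet
# NOTE(review): the first rule accepts new 3306 connections from any source;
# the /24 rule that follows is then only reachable for packets the first one
# did not already match.
"$iptables" -A INPUT -p tcp --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
"$iptables" -A INPUT -s 123.123.255.0/24 -p tcp --dport 3306 -j ACCEPT

# ip bandwidth (disabled)
#"$iptables" -A INPUT -s 123.0.0.0/8 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT

# UDP service : DNS
"$iptables" -A INPUT -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT

# ICMP service : ping only from the local /16
"$iptables" -A INPUT -s 123.123.0.0/16 -p icmp --icmp-type echo-request -j ACCEPT

# Reject any remaining new TCP connections (SYN)
"$iptables" -A INPUT -p tcp --syn -j REJECT

# Drop everything else aimed at privileged ports, reject other pings
"$iptables" -A INPUT -p tcp --dport 0:1023 -j DROP
"$iptables" -A INPUT -p udp --dport 0:1023 -j DROP
"$iptables" -A INPUT -p icmp --icmp-type echo-request -j REJECT

printf '\nDone.\n'
exit 0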
3. 실행가능한 퍼미션으로 바꾼다.
#chmod 700 iptables.sh
4. 실행한다.
#./iptables.sh
5. 적용된 iptables 를 확인해 본다.
#iptables -L
끝.