Firewall configuration: iptables
2014. 9. 4. 10:21
Tips!
Sending mail from the command line
Changing letter case in the vim editor
With the cursor on a letter, press Shift + ~
Check the kernel version
h[root /root]# uname -a
Linux centos 2.6.18-348.12.1.el5 #1 SMP Wed Jul 10 05:31:48 EDT 2013 i686 athlon i386 GNU/Linux
Check loaded modules
h[root /root]# lsmod
iptables help
h[root /root]# iptables --help
Viewing the firewall rules
h[root /root]# iptables -L ; iptables -L INPUT ; show only the INPUT chain
h[root /etc]# iptables -L -v ; verbose listing
Flushing all firewall rules
h[root /root]# iptables -F
Deleting a firewall chain
h[root /root]# iptables -X RH-Firewall-1-INPUT ; "RH-Firewall-1-INPUT" is the chain name
Starting the ftp service
h[root /etc/xinetd.d]# service vsftpd start
iptables options
-m : loads an extension (match) module into iptables.
"-m state" loads the module /lib/iptables/libipt_state.so.
For example, if you pass a module that does not exist after the option, you can see this easily:
[root@centos1 iptables]# iptables -m test
iptables v1.3.5: Couldn't load match `test':/lib/iptables/libipt_test.so: cannot open shared object file: No such file or directory
The modules currently loaded are listed in /proc/net/ip_tables_matches.
The --state option can be followed by the following four TCP connection states:
NEW : a packet that is trying to open a new connection
ESTABLISHED : a packet belonging to a connection that has already seen traffic in both directions
RELATED : a packet that opens a new connection but is related to an existing one,
for example an ftp data transfer packet (if the ftp service is allowed through the firewall
and a connection is established, the ftp data packets are allowed as well)
-A : appends a rule to the end of a chain.
INPUT : the chain for incoming packets
-j : the target, i.e. what to do with a matching packet
REJECT : refuses the user's access to the service and sends back a "connection refused"
error message.
DROP : discards the packet without sending any message at all.
The options for port control are
--sport , --dport
--sport : source port of the packet
--dport : destination port of the packet
**************************************************************
Firewall configuration file
centos[root /etc/sysconfig] # vi iptables
Chain INPUT (policy ACCEPT)
Chain FORWARD (policy ACCEPT)
Chain OUTPUT (policy ACCEPT)
Chain RH-Firewall-1-INPUT (2 references)
* Rules are applied from the top down: if a packet matches an ACCEPT rule the connection goes through; if it does not match the rule's conditions, evaluation moves on to the next rule.
h[root /lib/iptables]# iptables -I INPUT -m state --state ESTABLISHED,RELATED -p all -j ACCEPT
h[root /lib/iptables]# iptables -A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
h[root /lib/iptables]# iptables -A INPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT
h[root /lib/iptables]# iptables -A INPUT -p all -j REJECT ; blocks every port not allowed above
h[root /root]# iptables -I INPUT -i lo -p all -j ACCEPT ; adds a rule that trusts local (loopback) traffic
# iptables -I INPUT 1 -j RH-Firewall-1-INPUT ; inserts the user chain (RH-Firewall-1-INPUT) at the top of the INPUT chain
**************************************************************
Saving and applying the configured firewall
h[root /root]# cd /etc
h[root /etc]# cd sysconfig
h[root /etc/sysconfig]# ls *iptables*
iptables iptables-config iptables2
h[root /etc/sysconfig]# cp iptables iptables.bak
h[root /etc/sysconfig]# iptables
iptables iptables-restore iptables-save
h[root /etc/sysconfig]# iptables-save > iptables
h[root /etc/sysconfig]# cat iptables
# Generated by iptables-save v1.3.5 on Wed Jul 24 20:18:22 2013
*filter
:INPUT ACCEPT [1171:110870]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [3502:1979225]
:NSchain - [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -j NSchain
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A NSchain -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
-A NSchain -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
COMMIT
# Completed on Wed Jul 24 20:18:22 2013
Loading the backed-up rules
h[root /etc/sysconfig]# iptables-restore < iptables.bak
Monitoring port usage (connection states)
h[root /etc/sysconfig]# iptstate
h[root /root]# chkconfig --list iptables
iptables 0:해제 1:해제 2:활성 3:활성 4:활성 5:활성 6:해제
h[root /lib/iptables]# iptables -I INPUT -m state --state ESTABLISHED -p all -j ACCEPT ; -A appends at the last line, -I inserts at the chosen line (e.g. INPUT 2); -m state selects the state module and --state gives the state (ESTABLISHED)
h[root /etc/xinetd.d]# iptables -A INPUT -p tcp --dport 23 -j REJECT ; block the telnet service (tcp port 23) entirely; REJECT tells the sender it was blocked, DROP blocks without telling
h[root /etc/xinetd.d]# iptables -L INPUT
Chain INPUT (policy ACCEPT)
target prot opt source destination
REJECT tcp -- anywhere anywhere tcp dpt:telnet reject-with icmp-port-unreachable
h[root /etc/xinetd.d]# telnet localhost ; confirm that telnet can no longer connect
Trying 127.0.0.1...
telnet: connect to address 127.0.0.1: Connection refused
telnet: Unable to connect to remote host: Connection refused
h[root /etc/xinetd.d]# iptables -D INPUT -p tcp --dport 23 -j REJECT ; deletes the rule just added; -D is the delete option
h[root /etc/xinetd.d]# iptables -L INPUT
Chain INPUT (policy ACCEPT)
target prot opt source destination
h[root /etc/xinetd.d]# iptables -D INPUT 1 ; deletes rule number 1 of INPUT; a rule can be addressed by its line number (the chain is empty here, hence the error)
iptables: Index of deletion too big
h[root /etc/xinetd.d]# iptables -R INPUT 1 -s 192.168.10.103 -d 192.168.10.3 -p tcp --dport telnet -j REJECT ; block only tcp telnet traffic coming from 192.168.10.103 to the server 192.168.10.3; -s source IP, -d destination IP
h[root /etc/xinetd.d]# iptables -L INPUT -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
REJECT tcp -- 192.168.10.103 192.168.10.3 tcp dpt:23 reject-with icmp-port-unreachable
h[root /etc/xinetd.d]# pgrep -fl vsftpd
h[root /etc/xinetd.d]# service vsftpd start
vsftpd에 대한 vsftpd을 시작 중: [ OK ]
h[root /etc/xinetd.d]# iptables -A INPUT -d 172.20.20.0/24 -p tcp --dport 21 -j REJECT
h[root /etc/xinetd.d]# iptables -L INPUT -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
REJECT tcp -- 192.168.10.103 192.168.10.3 tcp dpt:23 reject-with icmp-port-unreachable
REJECT tcp -- 0.0.0.0/0 172.20.20.0/24 tcp dpt:21 reject-with icmp-port-unreachable
h[root /etc/xinetd.d]# iptables -A INPUT -p icmp -j REJECT
h[root /etc/xinetd.d]# iptables -L INPUT -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
REJECT tcp -- 192.168.10.103 192.168.10.3 tcp dpt:23 reject-with icmp-port-unreachable
REJECT tcp -- 0.0.0.0/0 172.20.20.0/24 tcp dpt:21 reject-with icmp-port-unreachable
REJECT icmp -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
h[root /etc/xinetd.d]# iptables -L INPUT --line-number -n
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 REJECT tcp -- 192.168.10.103 192.168.10.3 tcp dpt:23 reject-with icmp-port-unreachable
2 REJECT tcp -- 0.0.0.0/0 172.20.20.0/24 tcp dpt:21 reject-with icmp-port-unreachable
3 REJECT icmp -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
h[root /etc/xinetd.d]# iptables -D INPUT 3
h[root /etc/xinetd.d]# iptables -L INPUT -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
REJECT tcp -- 192.168.10.103 192.168.10.3 tcp dpt:23 reject-with icmp-port-unreachable
REJECT tcp -- 0.0.0.0/0 172.20.20.0/24 tcp dpt:21 reject-with icmp-port-unreachable
h[root /etc/xinetd.d]# iptables -A INPUT -p icmp -j DROP
h[root /etc/xinetd.d]# iptables -L INPUT -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
REJECT tcp -- 192.168.10.103 192.168.10.3 tcp dpt:23 reject-with icmp-port-unreachable
REJECT tcp -- 0.0.0.0/0 172.20.20.0/24 tcp dpt:21 reject-with icmp-port-unreachable
DROP icmp -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- anywhere anywhere state RELATED ; allow related ports
ACCEPT all -- anywhere anywhere state ESTABLISHED ; allow returning packets
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http ; allow the first (NEW) packet
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:telnet
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
h[root /etc/xinetd.d]# iptables -A INPUT -p tcp --dport 22 -j ACCEPT
h[root /etc/xinetd.d]# iptables -L INPUT
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
h[root /etc/xinetd.d]# iptables -P INPUT DROP
h[root /etc/xinetd.d]# iptables -L INPUT
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
h[root /etc/xinetd.d]# iptables -P INPUT ACCEPT
h[root /etc/xinetd.d]# iptables -A ONPUT -p all -j REJECT
iptables: No chain/target/match by that name
h[root /etc/xinetd.d]# iptables -A INPUT -p all -j REJECT
h[root /etc/xinetd.d]# iptables -L INPUT
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
h[root /etc/xinetd.d]# service httpd restart
httpd 를 정지 중: [실패]
httpd (을)를 시작 중: httpd: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName
[ OK ]
h[root /etc/xinetd.d]# iptables -A INPUT -p tcp --dport 80 -j ACCEPT
h[root /etc/xinetd.d]# iptables -L INPUT
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
ACCEPT tcp -- anywhere anywhere tcp dpt:http
h[root /etc/xinetd.d]# iptables -D INPUT 3
h[root /etc/xinetd.d]# iptables -L INPUT
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
h[root /etc/xinetd.d]# iptables -I INPUT 2 -p tcp --dport 80 -j ACCEPT
h[root /etc/xinetd.d]# iptables -L INPUT
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:http
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
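As an added example that is not part of these notes, the Python below simulates how a filter chain is walked: it parses the iptables-save format from the earlier dump (the INPUT and NSchain lines), applies rules top to bottom with the first match winning, jumps into a user chain and falls back when that chain gives no verdict, lets the chain policy decide otherwise, and reproduces the port-80 ordering mistake corrected above with -D INPUT 3 and -I INPUT 2. The Packet fields and the default interface name are constructed, and only the match options used in these notes are modelled.

```python
from dataclasses import dataclass, field
from typing import Optional

TERMINAL = {"ACCEPT", "DROP", "REJECT"}
SETTERS = {"-p": "proto", "-i": "in_iface", "-j": "target"}  # arg copied into the Rule field

@dataclass
class Rule:
    chain: str
    target: str = ""
    proto: Optional[str] = None                 # None means "-p all"
    dport: Optional[int] = None
    states: set = field(default_factory=set)    # empty means any conntrack state
    in_iface: Optional[str] = None

@dataclass
class Packet:
    proto: str
    dport: Optional[int] = None
    state: str = "NEW"                          # NEW / ESTABLISHED / RELATED
    in_iface: str = "eth0"                      # constructed: default ingress interface

def parse_rule(toks):
    """Tokens of one '-A CHAIN ...' line -> Rule; options the notes never use raise."""
    rule = Rule(chain=toks[1])
    for opt, arg in zip(toks[2::2], toks[3::2]):
        if opt in SETTERS:
            setattr(rule, SETTERS[opt], None if arg == "all" else arg)
        elif opt == "--dport":
            rule.dport = int(arg)
        elif opt == "--state":
            rule.states = set(arg.split(","))
        elif opt not in ("-m", "--reject-with"):  # module name / reject type: no match effect
            raise ValueError(f"unsupported option {opt}")
    return rule

def parse_save(text):
    """Parse the *filter table of an iptables-save dump -> (policies, chains)."""
    policies, chains = {}, {}
    for line in map(str.strip, text.splitlines()):
        if line.startswith(":"):                # ":CHAIN POLICY [pkts:bytes]"; '-' = user chain
            name, policy, _counters = line[1:].split()
            policies[name], chains[name] = policy, []
        elif line.startswith("-A "):
            rule = parse_rule(line.split())
            chains[rule.chain].append(rule)
    return policies, chains

def matches(rule, pkt):
    """Every match the rule specifies must hold; unspecified matches are wildcards."""
    return (rule.proto in (None, pkt.proto) and rule.dport in (None, pkt.dport)
            and (not rule.states or pkt.state in rule.states)
            and rule.in_iface in (None, pkt.in_iface))

def walk(chains, chain, pkt):
    """Top to bottom, first terminal match wins; a user chain with no verdict falls back."""
    for rule in chains[chain]:
        if not matches(rule, pkt):
            continue
        if rule.target in TERMINAL:
            return rule.target
        sub = walk(chains, rule.target, pkt)    # -j <user chain>, e.g. NSchain
        if sub:
            return sub
    return None

def verdict(policies, chains, pkt, chain="INPUT"):
    """The chain policy (iptables -P) applies only when no rule gave a verdict."""
    return walk(chains, chain, pkt) or policies[chain]

# The INPUT side of the ruleset iptables-save wrote in the session above.
SAVED = """\
*filter
:INPUT ACCEPT [1171:110870]
:NSchain - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -j NSchain
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A NSchain -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
-A NSchain -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
COMMIT
"""

def order_demo():
    """The session's slip: ACCEPT for port 80 appended after 'REJECT all' never fires."""
    policies, chains = parse_save("*filter\n:INPUT ACCEPT [0:0]\n"
                                  "-A INPUT -p tcp --dport 22 -j ACCEPT\n"
                                  "-A INPUT -j REJECT --reject-with icmp-port-unreachable\n"
                                  "-A INPUT -p tcp --dport 80 -j ACCEPT\nCOMMIT\n")
    http = Packet("tcp", 80)
    before = verdict(policies, chains, http)                # REJECT: rule 3 is never reached
    chains["INPUT"].insert(1, chains["INPUT"].pop(2))       # -D INPUT 3 ; -I INPUT 2 (1-based)
    return before, verdict(policies, chains, http)          # ("REJECT", "ACCEPT")
```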
h[root /etc/xinetd.d]# telnet
telnet> open
(to) centos2
Trying 172.20.20.112...
h[root /etc/xinetd.d]# ftp centos2
h[root /etc/xinetd.d]#
h[root /etc/xinetd.d]# iptables -L OUTPUT
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
h[root /etc/xinetd.d]#
h[root /etc/xinetd.d]# cd /lib/iptables/
h[root /lib/iptables]# ls
libip6t_CONNMARK.so libip6t_limit.so libipt_MARK.so libipt_connlimit.so libipt_policy.so
libip6t_DSCP.so libip6t_mac.so libipt_MASQUERADE.so libipt_connmark.so libipt_realm.so
libip6t_HL.so libip6t_mark.so libipt_MIRROR.so libipt_conntrack.so libipt_recent.so
libip6t_LOG.so libip6t_multiport.so libipt_NETMAP.so libipt_dccp.so libipt_rpc.so
libip6t_MARK.so libip6t_owner.so libipt_NFQUEUE.so libipt_dscp.so libipt_sctp.so
libip6t_NFQUEUE.so libip6t_physdev.so libipt_NOTRACK.so libipt_ecn.so libipt_standard.so
libip6t_REJECT.so libip6t_policy.so libipt_REDIRECT.so libipt_esp.so libipt_state.so
libip6t_TRACE.so libip6t_rt.so libipt_REJECT.so libipt_hashlimit.so libipt_statistic.so
libip6t_ah.so libip6t_standard.so libipt_SAME.so libipt_helper.so libipt_string.so
libip6t_connmark.so libip6t_state.so libipt_SNAT.so libipt_icmp.so libipt_tcp.so
libip6t_dscp.so libip6t_tcp.so libipt_TARPIT.so libipt_iprange.so libipt_tcpmss.so
libip6t_dst.so libip6t_udp.so libipt_TCPMSS.so libipt_length.so libipt_tos.so
libip6t_eui64.so libipt_CLASSIFY.so libipt_TOS.so libipt_limit.so libipt_ttl.so
libip6t_frag.so libipt_CLUSTERIP.so libipt_TRACE.so libipt_mac.so libipt_udp.so
libip6t_hbh.so libipt_CONNMARK.so libipt_TTL.so libipt_mark.so libipt_unclean.so
libip6t_hl.so libipt_DNAT.so libipt_ULOG.so libipt_multiport.so
libip6t_icmpv6.so libipt_DSCP.so libipt_addrtype.so libipt_owner.so
libip6t_ipv6header.so libipt_ECN.so libipt_ah.so libipt_physdev.so
libip6t_length.so libipt_LOG.so libipt_comment.so libipt_pkttype.so
h[root /lib/iptables]# ls *stat*
libip6t_state.so libipt_state.so libipt_statistic.so
h[root /lib/iptables]# iptables -I INPUT -m state --state ESTABLISHED -p all -j ACCEPT
h[root /lib/iptables]# iptables -L INPUT
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:http
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
h[root /lib/iptables]#
h[root /lib/iptables]# telnet centos2
Trying 172.20.20.112...
Connected to centos2 (172.20.20.112).
Escape character is '^]'.
CentOS release 5.9 (Final)
Kernel 2.6.18-348.el5 on an i686
login:
login:
login:
Login incorrect
Connection closed by foreign host.
h[root /lib/iptables]# iptables -L INPUT
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:http
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
h[root /lib/iptables]# iptables -F
h[root /lib/iptables]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
h[root /lib/iptables]#
h[root /lib/iptables]# iptables -A INPUT -p tcp --dport 22 -j ACCEPT
h[root /lib/iptables]# iptables -A INPUT -m state --stete NEW -p tcp --dport 23 -j ACCEPT
iptables v1.3.5: Unknown arg `--stete'
Try `iptables -h' or 'iptables --help' for more information.
h[root /lib/iptables]# iptables -A INPUT -m state --state NEW -p tcp --dport 23 -j ACCEPT
h[root /lib/iptables]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:telnet
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
h[root /lib/iptables]# iptables -R INPUT -m state --stete NEW,ESTABLISHED -p tcp --dport 23 -j ACCEPT
iptables v1.3.5: -R requires a rule number
Try `iptables -h' or 'iptables --help' for more information.
h[root /lib/iptables]# iptables -R INPUT -m state --state NEW,ESTABLISHED -p tcp --dport 23 -j ACCEPT
iptables v1.3.5: -R requires a rule number
Try `iptables -h' or 'iptables --help' for more information.
h[root /lib/iptables]# iptables -R INPUT 2 -m state --state NEW,ESTABLISHED -p tcp --dport 23 -j ACCEPT
h[root /lib/iptables]# iptables -R INPUT 2 -m state --state NEW -p tcp --dport 23 -j ACCEPT
h[root /lib/iptables]# iptables -I INPUT -m state --state ESTABLISHED -p all -j ACCEPT
h[root /lib/iptables]# iptables -I INPUT 3 -m state --state NEW -p tcp --dport 80 -j ACCEPT
h[root /lib/iptables]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:telnet
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
h[root /lib/iptables]# iptables -L INPUT --line-number
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- anywhere anywhere state ESTABLISHED
2 ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
3 ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
4 ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:telnet
h[root /lib/iptables]# iptables -I INPUT 4 -m state --state NEW -p tcp --dport 21 -j ACCEPT
h[root /lib/iptables]# iptables -A INPUT -p all -j REJECT
h[root /lib/iptables]# iptables -L INPUT --line-number
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- anywhere anywhere state ESTABLISHED
2 ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
3 ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
4 ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ftp
5 ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:telnet
6 REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
h[root /lib/iptables]# grep -w ftp-date /etc/services
h[root /lib/iptables]# grep -w ftp-data /etc/services
ftp-data 20/tcp
ftp-data 20/udp
h[root /lib/iptables]# iptables -I INPUT -m state --state RELATED -p all -j ACCEPT
h[root /lib/iptables]# iptables -L INPUT
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED
ACCEPT all -- anywhere anywhere state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:telnet
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
h[root /lib/iptables]# iptables -F
h[root /lib/iptables]# iptables -A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
h[root /lib/iptables]# iptables -A INPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT
h[root /lib/iptables]# iptables -I INPUT -m state --state ESTABLISHED,RELATED -p all -j ACCEPT
h[root /lib/iptables]# iptables -A INPUT -p all -j REJECT
h[root /lib/iptables]# iptables -L INPUT
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ftp
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
h[root /lib/iptables]#
h[root /lib/iptables]# iptables -A OUTPUT -p tcp --dport 23 -j REJECT
h[root /lib/iptables]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ftp
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
REJECT tcp -- anywhere anywhere tcp dpt:telnet reject-with icmp-port-unreachable
h[root /lib/iptables]#
h[root /lib/iptables]# cd /etc/sysconfig/
h[root /etc/sysconfig]# cat iptables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
h[root /etc/sysconfig]# iptables
iptables iptables-restore iptables-save
h[root /etc/sysconfig]# iptables-save
# Generated by iptables-save v1.3.5 on Tue Jul 23 22:13:22 2013
*filter
:INPUT ACCEPT [1435:438842]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [8240:1984280]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -p tcp -m tcp --dport 23 -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Tue Jul 23 22:13:22 2013
h[root /etc/sysconfig]# iptables-save > iptables2
h[root /etc/sysconfig]# cat iptables2
# Generated by iptables-save v1.3.5 on Tue Jul 23 22:13:55 2013
*filter
:INPUT ACCEPT [1435:438842]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [8268:1987368]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -p tcp -m tcp --dport 23 -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Tue Jul 23 22:13:55 2013
h[root /etc/sysconfig]# iptables -F
h[root /etc/sysconfig]# iptables-restore < iptables2
h[root /etc/sysconfig]# iptables
iptables v1.3.5: no command specified
Try `iptables -h' or 'iptables --help' for more information.
h[root /etc/sysconfig]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ftp
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
REJECT tcp -- anywhere anywhere tcp dpt:telnet reject-with icmp-port-unreachable
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
h[root /lib/iptables]# iptables -R INPUT -m state --stete NEW,ESTABLISHED -p tcp --dport 23 -j ACCEPT
iptables v1.3.5: -R requires a rule number
Try `iptables -h' or 'iptables --help' for more information.
h[root /lib/iptables]# iptables -R INPUT -m state --state NEW,ESTABLISHED -p tcp --dport 23 -j ACCEPT
iptables v1.3.5: -R requires a rule number
Try `iptables -h' or 'iptables --help' for more information.
h[root /lib/iptables]# iptables -R INPUT 2 -m state --state NEW,ESTABLISHED -p tcp --dport 23 -j ACCEPT
h[root /lib/iptables]# iptables -R INPUT 2 -m state --state NEW -p tcp --dport 23 -j ACCEPT
h[root /lib/iptables]# iptables -I INPUT -m state --state ESTABLISHED -p all -j ACCEPT
h[root /lib/iptables]# iptables -I INPUT 3 -m state --state NEW -p tcp --dport 80 -j ACCEPT
h[root /lib/iptables]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:telnet
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
h[root /lib/iptables]#
h[root /lib/iptables]# iptables -L INPUT --line-number
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- anywhere anywhere state ESTABLISHED
2 ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
3 ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
4 ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:telnet
h[root /lib/iptables]# iptables -I INPUT 4 -m state --state NEW -p tcp --dport 21 -j ACCEPT
h[root /lib/iptables]# iptables -A INPUT -p all -j REJECT
h[root /lib/iptables]# iptables -L INPUT --line-number
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- anywhere anywhere state ESTABLISHED
2 ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
3 ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
4 ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ftp
5 ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:telnet
6 REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
h[root /lib/iptables]# grep -w ftp-date /etc/services
h[root /lib/iptables]# grep -w ftp-data /etc/services
ftp-data 20/tcp
ftp-data 20/udp
h[root /lib/iptables]# iptables -I INPUT -m state --state RELATED -p all -j ACCEPT
h[root /lib/iptables]# iptables -L INPUT
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED
ACCEPT all -- anywhere anywhere state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:telnet
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
h[root /lib/iptables]#
h[root /lib/iptables]# iptables -F
h[root /lib/iptables]# iptables -A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
h[root /lib/iptables]# iptables -A INPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT
h[root /lib/iptables]# iptables -I INPUT -m state --state ESTABLISHED,RELATED -p all -j ACCEPT
h[root /lib/iptables]# iptables -A INPUT -p all -j REJECT
h[root /lib/iptables]# iptables -L INPUT
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ftp
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
h[root /lib/iptables]#
h[root /lib/iptables]# iptables -A OUTPUT -p tcp --dport 23 -j REJECT
h[root /lib/iptables]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ftp
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
REJECT tcp -- anywhere anywhere tcp dpt:telnet reject-with icmp-port-unreachable
h[root /lib/iptables]#
h[root /lib/iptables]# cd /etc/sysconfig/
h[root /etc/sysconfig]# cat iptables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
h[root /etc/sysconfig]# iptables
iptables iptables-restore iptables-save
h[root /etc/sysconfig]# iptables-save
# Generated by iptables-save v1.3.5 on Tue Jul 23 22:13:22 2013
*filter
:INPUT ACCEPT [1435:438842]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [8240:1984280]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -p tcp -m tcp --dport 23 -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Tue Jul 23 22:13:22 2013
h[root /etc/sysconfig]# iptables-save > iptables2
h[root /etc/sysconfig]# cat iptables2
# Generated by iptables-save v1.3.5 on Tue Jul 23 22:13:55 2013
*filter
:INPUT ACCEPT [1435:438842]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [8268:1987368]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -p tcp -m tcp --dport 23 -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Tue Jul 23 22:13:55 2013
h[root /etc/sysconfig]# iptables -F
h[root /etc/sysconfig]# iptables
apm-scripts/ ipmi prelink
apmd ipmievd raid-check
atd iptables rawdevices
auditd iptables-config readonly-root
authconfig iptables2 rhn/
autofs irda run-parts
bluetooth irqbalance samba
cbq/ kdump samba.bak
clock kernel saslauthd
conman keyboard selinux
console/ krb524 sendmail
cpuspeed kudzu smartmontools
crond lm_sensors spamassassin
desktop mkinitrd/ squid
dovecot modules/ syslog
dund named system-config-netboot
firstboot netconsole system-config-securitylevel
grub network system-config-users
hidd network-scripts/ tomcat5
httpd networking/ tux
hwconf nfs udev-stw
i18n nspluginwrapper vncservers
init ntpd wpa_supplicant
ip6tables pand xinetd
ip6tables-config pm-action
h[root /etc/sysconfig]# iptables-restore < iptables2
h[root /etc/sysconfig]# iptables
iptables v1.3.5: no command specified
Try `iptables -h' or 'iptables --help' for more information.
h[root /etc/sysconfig]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ftp
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
REJECT tcp -- anywhere anywhere tcp dpt:telnet reject-with icmp-port-unreachable
# iptables -I INPUT 1 -j NSchain ; insert the newly created user-defined chain into the INPUT chain
h[root /root]# iptables -I INPUT -i lo -p all -j ACCEPT ; add a rule that trusts the local loopback interface
h[root /root]# iptables -L INPUT
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
NSchain all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ftp
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
h[root /root]# iptables -L -v INPUT
Bad argument `INPUT'
Try `iptables -h' or 'iptables --help' for more information.
h[root /root]# iptables -L -v
Chain INPUT (policy ACCEPT 1171 packets, 111K bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo any anywhere anywhere ; the rule that trusts the local loopback interface
539 53840 NSchain all -- any any anywhere anywhere
972 70593 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:ssh
0 0 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:ftp
1035 123K REJECT all -- any any anywhere anywhere reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 3317 packets, 1960K bytes)
pkts bytes target prot opt in out source destination
Chain NSchain (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:domain
0 0 ACCEPT udp -- any any anywhere anywhere state NEW udp dpt:domain
Chain RH-Firewall-1-INPUT (0 references)
pkts bytes target prot opt in out source d
h[root /etc/sysconfig]# iptables -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
24 11362 ACCEPT all -- lo any anywhere anywhere
1818 146K NSchain all -- any any anywhere anywhere
1141 69818 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
2 120 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:ssh
4 240 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:ftp
671 75682 REJECT all -- any any anywhere anywhere reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 1177 packets, 136K bytes)
pkts bytes target prot opt in out source destination
Chain NSchain (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:domain
0 0 ACCEPT udp -- any any anywhere anywhere state NEW udp dpt:domain
***********************************************************************************
***********************************************************************************
Exercise: configure the firewall of the master server as follows.

INPUT
loop back device (lo): allow all services
allow ssh
allow ftp
all other ports: deny (x)
------------------------------
OUTPUT
loop back device (lo): allow all services
allow outbound telnet only to destination addresses in the 172.20.20.0/24 network
all other ports: deny (x)
-------------------------------------------------------------------
*. Before configuring, delete all rules and all user-defined chains.
*. Use user-defined chains.
* Create a separate user-defined chain for the rule that allows ftp and for the rule that allows telnet, and register each rule in its own chain.
*. Save the current settings as the default so that they stay in effect after a system reboot.

solve)
*. User-defined chain setup
------------------------------------------------------------------------
iptables -F
and, if user-defined chains exist, delete each of them with
iptables -X user-chain-name
iptables -N DenyChain (*. for convenience, rejecting every service is defined here in DenyChain)
iptables -A DenyChain -p all -j REJECT
iptables -N TestChain
iptables -A TestChain -m state --state NEW -p tcp --dport 21 -j ACCEPT
iptables -N TestChain2
iptables -A TestChain2 -m state --state NEW -d 172.20.20.0/24 -p tcp --dport 23 -j ACCEPT
------------------------------------------------------------------------
*. INPUT chain setup
------------------------------------------------------------------------
iptables -A INPUT -i lo -p all -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -p all -j ACCEPT
iptables -A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -j TestChain
iptables -A INPUT -j DenyChain
*. OUTPUT chain setup
------------------------------------------------------------------------
iptables -A OUTPUT -o lo -p all -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -p all -j ACCEPT
iptables -A OUTPUT -j TestChain2
iptables -A OUTPUT -j DenyChain
* To keep the current settings in effect after a reboot:
iptables-save > /etc/sysconfig/iptables
To verify, run service iptables start and then check with iptables -L
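The same solution can be written once in the iptables-save format that appeared earlier in this session (the `*filter` ... `COMMIT` text) and loaded in a single atomic step with iptables-restore, instead of entering the rules one at a time, which leaves the host with an empty INPUT chain between `iptables -F` and the final REJECT. The script below is an added example, not code from the original post: it renders the exercise ruleset, audits the text offline (loopback trusted first, DenyChain last on INPUT and OUTPUT, every user chain declared before it is referenced) and only then hands it to iptables-restore. The chain names DenyChain, TestChain, TestChain2 and the 172.20.20.0/24 network come from the exercise; nothing else about the host is assumed.

```shell
#!/bin/sh
# Added example (not from the original post): the exercise ruleset in
# iptables-save format, loadable atomically by `iptables-restore`.
# Chain names and the 172.20.20.0/24 network are those of the exercise.

render_exercise_ruleset() {
  cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:DenyChain - [0:0]
:TestChain - [0:0]
:TestChain2 - [0:0]
-A DenyChain -j REJECT --reject-with icmp-port-unreachable
-A TestChain -m state --state NEW -p tcp --dport 21 -j ACCEPT
-A TestChain2 -m state --state NEW -d 172.20.20.0/24 -p tcp --dport 23 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
-A INPUT -j TestChain
-A INPUT -j DenyChain
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -j TestChain2
-A OUTPUT -j DenyChain
COMMIT
EOF
}

# Target (-j) of the last rule appended to chain $1, or "none" if it has no rules.
last_target() {
  render_exercise_ruleset | awk -v c="$1" '
    $1 == "-A" && $2 == c { for (i = 3; i <= NF; i++) if ($i == "-j") t = $(i + 1) }
    END { print (t == "" ? "none" : t) }'
}

# "yes" if the first rule of chain $1 accepts the loopback interface, else "no".
first_rule_is_loopback() {
  render_exercise_ruleset | awk -v c="$1" '
    $1 == "-A" && $2 == c {
      seen = 1
      if (($3 == "-i" || $3 == "-o") && $4 == "lo" && $5 == "-j" && $6 == "ACCEPT") print "yes"; else print "no"
      exit
    }
    END { if (!seen) print "no" }'
}

# Offline audit of the text before loading it: INPUT and OUTPUT must trust lo
# first and fall through to DenyChain last, and every chain named after -j must
# be declared with a ':' line, otherwise iptables-restore rejects the file.
audit_exercise_ruleset() {
  for c in INPUT OUTPUT; do
    [ "$(first_rule_is_loopback "$c")" = "yes" ] || { echo "$c: lo is not trusted first"; return 1; }
    [ "$(last_target "$c")" = "DenyChain" ] || { echo "$c: does not end in DenyChain"; return 1; }
  done
  render_exercise_ruleset | awk '
    BEGIN { bad = 0 }
    /^:/ { name = substr($1, 2); declared[name] = 1 }
    $1 == "-A" { for (i = 3; i <= NF; i++) if ($i == "-j") refs[$(i + 1)] = 1 }
    END {
      for (t in refs)
        if (!(t in declared) && t != "ACCEPT" && t != "REJECT" && t != "DROP") {
          print "undeclared chain: " t; bad = 1
        }
      exit bad
    }' || return 1
  echo "audit passed"
}

# Load the ruleset atomically (needs root): audit first, then restore.
apply_exercise_ruleset() {
  audit_exercise_ruleset >/dev/null || return 1
  render_exercise_ruleset | iptables-restore
}
```

Run `apply_exercise_ruleset` as root, then `iptables -L -v` should show the same chains the exercise builds by hand; saving with `iptables-save > /etc/sysconfig/iptables` afterwards works exactly as in the solution. Two facts worth keeping in mind that the exercise text does not spell out: the RELATED rule only recognises the FTP data connection when the kernel's FTP connection-tracking helper is loaded (ip_conntrack_ftp on the 2.6.18 kernel used here, nf_conntrack_ftp on newer kernels), and newer iptables releases offer `iptables-restore --test` to parse a file without committing it, which is a useful extra step before `apply_exercise_ruleset` on a remote host.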
*****************************************************************************
*****************************************************************************
Training course material