[Doc/Faq] Building a firewall with iptables (_firewall.sh, _firewall_conf.sh)
Author : rootman
Date : 2007-08-20 22:37  |  Hit : 12,767
Hello.
This is Jeong Chan-ho, the administrator of rootman.co.kr.

The weather makes me drowsy, and I can't seem to get anything done.
I try to push myself on, but that isn't working either.

The photography I took up as a hobby isn't going anywhere either; I'll just blame the heat.

Here is the firewall I use on my personal server.
There are many firewalls already published, and many excellent ones,
but this one was pieced together from here and there, and I use it happily myself,
so I'm sharing it in the hope that it helps.

1. There are two files.
_firewall.sh (sets the IP ranges and handles Enable/Disable)
_firewall_conf.sh (the collection of functions used by the file above)

2. What to change in the configuration
(1) Change the IP ranges
(2) Add the services you need, or comment out the ones you don't
(3) Separate multiple IP addresses with spaces

3. Brief description
(1) The default policy is DROP.
(2) But even if you run # sh _firewall.sh stop, the basic rules remain allowed (ssh, dns).

4. If something goes wrong
- I don't know. ㅡㅡ
- Be sure to set the ssh IP range correctly, at the very least.
- If a service is disrupted, # sh _firewall.sh destroy resets the firewall.


Please, stay safe!!
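Sections 2 to 4 above amount to a procedure: edit the AllowHost_* ranges, start the firewall, and fall back to `destroy` if you cut yourself off. The script below is an added example, not part of the original post: it checks that every range is a dotted IPv4 CIDR that iptables will accept (a name such as `any/0` is rejected, because iptables would try to resolve `any` as a hostname), checks that the address you are administering from falls inside AllowHost_ssh, and applies the rules with a background timer that runs `_firewall.sh destroy` unless you confirm the session still works. The path /root/bin/_firewall.sh, the default range 192.168.100.0/16 and the admin address in the usage line are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not part of the original post): pre-flight checks and a timed
# rollback around _firewall.sh. FIREWALL and the default AllowHost_ssh value are
# assumptions for illustration; override them from the environment.
FIREWALL="${FIREWALL:-/root/bin/_firewall.sh}"
AllowHost_ssh="${AllowHost_ssh:-192.168.100.0/16}"

# valid_cidr A.B.C.D/N : 0 if this is a dotted IPv4 CIDR that iptables accepts.
valid_cidr() {
    printf '%s\n' "$1" | awk -F'[./]' '
        NF != 5 { exit 1 }
        { for (i = 1; i <= 5; i++) if ($i !~ /^[0-9]+$/) exit 1 }
        $1 > 255 || $2 > 255 || $3 > 255 || $4 > 255 || $5 > 32 { exit 1 }
        { exit 0 }'
}

# cidr_contains A.B.C.D/N X.Y.Z.W : 0 if the address lies inside the range.
# Like iptables, a non-canonical base (192.168.100.0/16) is masked down to its block.
cidr_contains() {
    valid_cidr "$1" || return 2
    valid_cidr "$2/32" || return 2
    printf '%s %s\n' "$1" "$2" | awk -F'[./ ]' '
        {
            net  = (($1 * 256 + $2) * 256 + $3) * 256 + $4
            ip   = (($6 * 256 + $7) * 256 + $8) * 256 + $9
            size = 2 ^ (32 - $5)        # addresses per block of this prefix length
            exit ((int(net / size) == int(ip / size)) ? 0 : 1)
        }'
}

# ssh_allowed ADMIN_IP "RANGE ..." : 0 if at least one range covers the admin address
ssh_allowed() {
    admin_ip="$1"
    for range in $2; do
        if cidr_contains "$range" "$admin_ip"; then
            return 0
        fi
    done
    return 1
}

# check_ranges "RANGE ..." : reports each malformed entry, returns 1 if any is bad
check_ranges() {
    bad=0
    for range in $1; do
        if ! valid_cidr "$range"; then
            echo "invalid range: $range" >&2
            bad=1
        fi
    done
    return $bad
}

# apply_with_rollback ADMIN_IP [SECONDS] : starts the firewall and, unless the
# operator confirms within SECONDS, runs "_firewall.sh destroy" (the post's own
# reset) so a bad rule set cannot lock the host out for good. Needs root.
apply_with_rollback() {
    admin_ip="$1"; grace="${2:-120}"
    check_ranges "$AllowHost_ssh" || return 1
    if ! ssh_allowed "$admin_ip" "$AllowHost_ssh"; then
        echo "refusing: $admin_ip is outside AllowHost_ssh ($AllowHost_ssh)" >&2
        return 1
    fi
    # nohup so the timer survives if this ssh session is the one that gets cut off
    nohup sh -c "sleep $grace; sh '$FIREWALL' destroy" >/dev/null 2>&1 &
    timer_pid=$!
    sh "$FIREWALL" start
    printf 'Rules applied. Press Enter within %ss to keep them: ' "$grace"
    if read -r _; then
        kill "$timer_pid" 2>/dev/null   # killing the wrapper leaves the sleep orphaned; destroy never runs
        echo "kept."
    fi
}

# Usage as root (not run automatically): apply_with_rollback 192.168.5.7 120
```

The rollback timer is the same idea as the post's own `destroy` command, only scheduled in advance: if the new rules cut your session, the host reopens by itself after the grace period, and if they do not, one keypress cancels the timer.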


#--------------------------------------------------------------------------------------------
# File : _firewall.sh
#--------------------------------------------------------------------------------------------

#!/bin/sh
# Last Update : 2007/08/20
# Writer : JeongChanHo([email protected])
# http://www.rootman.co.kr
# FileName : _firewall.sh
#-----------------------------------------------// include source library
SW_ssh_port=22;
SW_telnet_port=23;

# 0.0.0.0/0 means any host (the original used "any/0", which iptables cannot
# parse: "any" is looked up as a hostname). Restrict ssh to your admin range.
AllowHost_ssh="0.0.0.0/0 192.168.100.0/16";
AllowHost_ftp="0.0.0.0/0 192.168.100.0/16";
AllowHost_http="0.0.0.0/0";
AllowHost_telnet="192.168.100.0/16";
AllowHost_rsync="0.0.0.0/0";
AllowHost_icmp="0.0.0.0/0";
AllowHost_samba="192.168.100.0/16";

Drop_GeoIP="FI US IT LT CN DE CS JP";

# primary IPv4 address of eth0 (parses the old net-tools "inet addr:" output;
# on systems without ifconfig use "ip -4 addr show eth0" instead)
IPADDR="`ifconfig eth0 | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`"

function_file="/root/bin/_firewall_conf.sh";

External_Interface="eth0"; # external interface name
LoopBack_InterFace="lo"; # Loopback interface name

#-----------------------------------------------------------------------------------------
if [ ! -f "${function_file}" ]; then
clear;
printf '\nWe need %s\n\n' "${function_file}";
exit 1;   # a missing library is an error, not success
fi
. "${function_file}";   # "." works in any POSIX sh; "source" is bash-only

#-----------------------------------------------------------------------------------------
case "$1" in
start)
#clear;
printf 'Starting Firewalling.......................\n\n';
#----------------------------------------------
init_firewall # Delete chain in this system.
allow_LoopBackIP # allow LoopBack IP
allow_LocalIP # allow Local IP
drop_fileIP # if you drop extra IP, set this!

#----------------------- Network IP

#-------------------------------
# user define rules
#-------------------------------
allow_dns
#drop_geoip # range (uncomment if the kernel has the geoip patch)
drop_ddos
allow_ftp
allow_ssh # range
allow_selfloop # range

allow_telnet # range
proc_ipv4
allow_syslog # enable if this host is used as a remote log server

allow_smtp
allow_http # also opens the SSL port (443) by default
allow_pop3
allow_ntp
allow_snmp

#allow_samba # range

allow_rsync
allow_mysql
allow_arreo
allow_icmp
allow_logwrite
allow_default
allow_pay

allow_output
firewall_status

;;
stop)
clear;
printf 'Shutting Firewalling........ \n';
echo;

#-------------------------------
# default rules
#-------------------------------
init_firewall
allow_dns
allow_ssh
allow_default
allow_output
firewall_status
;;

destroy)
destroy_firewall
;;

status)
firewall_status
;;

*)
echo "Usage: $0 {start|stop|destroy|status}";
exit 1;
;;
esac;

echo "+";
exit 0;



#--------------------------------------------------------------------------------------------
# File : _firewall_conf.sh
#--------------------------------------------------------------------------------------------
init_firewall() {
iptables -F
iptables -X
iptables -t mangle -F
iptables -P INPUT DROP
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
# Stateless shortcut: every TCP packet that is not a bare SYN (i.e. not a new
# connection request) is accepted, so replies to outbound connections get in.
iptables -A INPUT -p tcp ! --syn -j ACCEPT
}
destroy_firewall() {
iptables -F
iptables -X
iptables -t mangle -F
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -A INPUT -p tcp ! --syn -j ACCEPT
}
allow_LoopBackIP() {
echo "--------------------------------";
echo ${LoopBack_InterFace};
echo "--------------------------------";
iptables -A INPUT -i ${LoopBack_InterFace} -j ACCEPT
}
allow_LocalIP() {
iptables -A INPUT -s ${IPADDR} -i ${LoopBack_InterFace} -j ACCEPT
}
drop_fileIP() {
deny_file="/root/bin/blackiplist.txt";
if [ -f ${deny_file} ]; then
for cnt in $(cat ${deny_file})
do
iptables -A INPUT -s ${cnt} -j DROP
done
fi
}
drop_spoofIP() {
iptables -A INPUT -s ${IPADDR} -j DROP
}
drop_broadcast() {
BROADCAST_SRC="0.0.0.0"; # broadcast source address
BROADCAST_DEST="255.255.255.255"; # broadcast destination address

iptables -A INPUT -s ${BROADCAST_DEST} -j DROP
iptables -A INPUT -d ${BROADCAST_SRC} -j DROP
}
drop_abcdeCLASS() {
CLASS_A="10.0.0.0/8"; # A class Privacy Area
CLASS_B="172.16.0.0/12"; # B class Privacy Area
CLASS_C="192.168.0.0/16"; # C class Privacy Area
CLASS_D_MULTICAST="224.0.0.0/4"; # D class Multicast Area
CLASS_E_RESERVED_NET="240.0.0.0/5"; # E class Reserved Area

iptables -A INPUT -s ${CLASS_A} -j DROP
iptables -A INPUT -s ${CLASS_B} -j DROP
#iptables -A INPUT -s ${CLASS_C} -j DROP
iptables -A INPUT -s ${CLASS_D_MULTICAST} -j DROP
iptables -A INPUT -s ${CLASS_E_RESERVED_NET} -j DROP
}
drop_iana() {
iptables -A INPUT -s 0.0.0.0/8 -j DROP
iptables -A INPUT -s 127.0.0.0/8 -j DROP
iptables -A INPUT -s 169.254.0.0/16 -j DROP
iptables -A INPUT -s 192.0.2.0/24 -j DROP
iptables -A INPUT -s 224.0.0.0/3 -j DROP
}
drop_invalid() {
iptables -A INPUT -m state --state INVALID -j DROP
#iptables -A OUTPUT -m state --state INVALID -j DROP
}
proc_ipv4() {
#echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians   # log packets with impossible source addresses
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 > /proc/sys/net/ipv4/ip_forward   # only needed if this host routes for other machines
}
allow_dns() {
iptables -A INPUT -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A INPUT -p tcp --sport 953 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 953 -m state --state NEW,ESTABLISHED -j ACCEPT
}
drop_ddos() {
# Note: these three rules sit in the FORWARD chain, so they only affect traffic
# routed through this host; connections to its own port 80 arrive in INPUT.
iptables -A FORWARD -m recent --name badguy --rcheck --seconds 300 -j DROP
iptables -A FORWARD -p tcp --syn --dport 80 -m connlimit --connlimit-above 30 -m recent --name badguy --set -j DROP
iptables -A FORWARD -p tcp --syn --dport 80 -m connlimit --connlimit-above 30 -j DROP

# -- SYN flooding
# (the eval wrappers of the original added nothing and are dropped; the typos
#  "ipfrag_time-=15", "netnet.ipv4" and the missing "=0" on
#  all.accept_redirects are corrected)
sysctl -w net.ipv4.tcp_max_syn_backlog=4096
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
sysctl -w net.ipv4.ip_default_ttl=64
sysctl -w net.ipv4.ipfrag_time=15
sysctl -w net.ipv4.tcp_retries1=3
sysctl -w net.ipv4.tcp_syn_retries=2
sysctl -w net.ipv4.tcp_retries2=7
sysctl -w net.ipv4.conf.${External_Interface}.rp_filter=1
sysctl -w net.ipv4.conf.lo.rp_filter=1
sysctl -w net.ipv4.conf.default.rp_filter=1
sysctl -w net.ipv4.conf.all.rp_filter=1

# icmp redirect deny
sysctl -w net.ipv4.conf.${External_Interface}.accept_redirects=0
sysctl -w net.ipv4.conf.lo.accept_redirects=0
sysctl -w net.ipv4.conf.default.accept_redirects=0
sysctl -w net.ipv4.conf.all.accept_redirects=0

# source route packet deny
sysctl -w net.ipv4.conf.${External_Interface}.accept_source_route=0
sysctl -w net.ipv4.conf.lo.accept_source_route=0
sysctl -w net.ipv4.conf.default.accept_source_route=0
sysctl -w net.ipv4.conf.all.accept_source_route=0

# bootp packet deny
sysctl -w net.ipv4.conf.${External_Interface}.bootp_relay=0
sysctl -w net.ipv4.conf.lo.bootp_relay=0
sysctl -w net.ipv4.conf.default.bootp_relay=0
sysctl -w net.ipv4.conf.all.bootp_relay=0

# redirect deny from gateway
sysctl -w net.ipv4.conf.${External_Interface}.secure_redirects=0
sysctl -w net.ipv4.conf.lo.secure_redirects=0
sysctl -w net.ipv4.conf.default.secure_redirects=0
sysctl -w net.ipv4.conf.all.secure_redirects=0

# proxy arp deny
sysctl -w net.ipv4.conf.${External_Interface}.proxy_arp=0
sysctl -w net.ipv4.conf.lo.proxy_arp=0
sysctl -w net.ipv4.conf.default.proxy_arp=0
sysctl -w net.ipv4.conf.all.proxy_arp=0

# 1M Per 280 (bucket)
sysctl -w net.ipv4.tcp_keepalive_time=30
sysctl -w net.ipv4.tcp_fin_timeout=20
sysctl -w net.ipv4.tcp_max_tw_buckets=5580000
sysctl -w net.ipv4.tcp_keepalive_probes=5
}
drop_geoip() {
#iptables -A INPUT -p tcp --dport 21:23 -m geoip ! --src-cc KR -j DROP

for Drop_GeoIPCode in ${Drop_GeoIP}
do
iptables -A INPUT -p tcp --dport 25 -m geoip --src-cc ${Drop_GeoIPCode} -j DROP
done;
}
allow_ssh() {
# Rate limit first: more than 20 new connections from one source within 60 s are
# logged and dropped. These rules must precede the ACCEPT rules; in the original
# they came after an unconditional ACCEPT and were never reached.
iptables -A INPUT -p tcp --dport ${SW_ssh_port} -m state --state NEW -m recent --set --name SSHSCAN
iptables -A INPUT -p tcp --dport ${SW_ssh_port} -m state --state NEW -m recent --update --seconds 60 --hitcount 20 --rttl --name SSHSCAN -j LOG --log-prefix SSH_Scan:
iptables -A INPUT -p tcp --dport ${SW_ssh_port} -m state --state NEW -m recent --update --seconds 60 --hitcount 20 --rttl --name SSHSCAN -j DROP

for AllowHost_ssh_IP in ${AllowHost_ssh}
do
iptables -A INPUT -p tcp -s ${AllowHost_ssh_IP} --dport ${SW_ssh_port} -m state --state NEW,ESTABLISHED -j ACCEPT
done;

# The original also had the unconditional rule below, which accepts ssh from every
# source and makes the AllowHost_ssh list meaningless; keep it commented unless
# that is what you want.
#iptables -A INPUT -p tcp --dport ${SW_ssh_port} -m state --state NEW,ESTABLISHED -j ACCEPT
}
allow_ftp() {
for AllowHost_ftp_IP in ${AllowHost_ftp}
do
iptables -A INPUT -p tcp -s ${AllowHost_ftp_IP} --sport 1024:65535 --dport 20:21 -j ACCEPT
# passive-mode data connections; note that with 0.0.0.0/0 in AllowHost_ftp this
# opens every port above 1023 to every source
iptables -A INPUT -p tcp -s ${AllowHost_ftp_IP} --sport 1024:65535 --dport 1024:65535 -j ACCEPT
done;
#iptables -A INPUT -p tcp --dport 20:21 -m state --state NEW,ESTABLISHED -j ACCEPT
}
allow_telnet() {
for AllowHost_telnet_IP in ${AllowHost_telnet}
do
iptables -A INPUT -p tcp -s ${AllowHost_telnet_IP} --dport ${SW_telnet_port} -m state --state NEW,ESTABLISHED -j ACCEPT

done;
}
allow_syslog() {
iptables -A INPUT -p tcp --dport 514 -j ACCEPT
iptables -A INPUT -p udp --dport 514 -j ACCEPT
}
allow_smtp() {
iptables -A INPUT -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
}
allow_http() {
for AllowHost_http_IP in ${AllowHost_http}
do
iptables -A INPUT -p tcp -s ${AllowHost_http_IP} --dport 80 --sport 1024:65535 -d ${IPADDR} -j ACCEPT
done;
iptables -A INPUT -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
}

allow_pop3() {
iptables -A INPUT -p tcp --dport 110 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 143 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 993 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT
}
allow_ntp() {
iptables -A INPUT -p tcp --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
}
allow_snmp() {
iptables -A INPUT -p udp --dport 161:162 -m state --state NEW,ESTABLISHED -j ACCEPT
}
allow_samba() {
for AllowHost_samba_IP in ${AllowHost_samba}
do
iptables -A INPUT -p udp -s ${AllowHost_samba_IP} --dport 137:139 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -s ${AllowHost_samba_IP} --dport 445 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -s ${AllowHost_samba_IP} --dport 901 -m state --state NEW,ESTABLISHED -j ACCEPT
done;
}
allow_rsync() {
for AllowHost_rsync_IP in ${AllowHost_rsync}
do
#iptables -A INPUT -p tcp -s ${AllowHost_rsync_IP} --dport 873 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A INPUT -p tcp -s ${AllowHost_rsync_IP} --dport 873 --sport 1024:65535 -d ${IPADDR} -j ACCEPT
done;
iptables -A INPUT -p tcp --dport 873 -m state --state NEW,ESTABLISHED -j ACCEPT
}
allow_mysql() {
iptables -A INPUT -p tcp --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
}
allow_arreo() {
iptables -A INPUT -p tcp --dport 10201 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 10250 -m state --state NEW,ESTABLISHED -j ACCEPT
}
allow_icmp() {
for AllowHost_icmp_IP in ${AllowHost_icmp}
do
#iptables -A INPUT -s ${AllowHost_icmp_IP} -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -s ${AllowHost_icmp_IP} -p icmp -j ACCEPT
done;
}
allow_logwrite() {
# Rate-limited logging of what is about to fall through to the DROP policy
# (1 line per hour, burst of 3). The original listed several rules twice; the
# duplicates are removed here since they only doubled the log volume.
LOGFORMAT="-m limit --limit 1/h --limit-burst 3 -j LOG"
iptables -A INPUT -m state --state INVALID ${LOGFORMAT} --log-prefix 'ANY Packet Refuse'
#iptables -A OUTPUT -m state --state INVALID ${LOGFORMAT} --log-prefix 'OUTPUT ANY Packet Refuse'

iptables -A INPUT -p tcp --syn ${LOGFORMAT} --log-prefix 'SYN Refuse'

iptables -A INPUT -p tcp --dport 1:65535 ${LOGFORMAT} --log-prefix 'TCP Refuse'
iptables -A INPUT -p udp --dport 1:65535 ${LOGFORMAT} --log-prefix 'UDP Refuse'

iptables -A INPUT -p icmp --icmp-type echo-request ${LOGFORMAT} --log-prefix 'PING Refuse'
}
allow_default() {
# auth
iptables -A INPUT -p tcp --dport 113 -m state --state NEW,ESTABLISHED -j ACCEPT
}
allow_pay() {
# dacom
iptables -A INPUT -p tcp --dport 7777 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 10240 -m state --state NEW,ESTABLISHED -j ACCEPT

# hankuk
iptables -A INPUT -p tcp --dport 10001 -m state --state NEW,ESTABLISHED -j ACCEPT

# kspay
iptables -A INPUT -p tcp --dport 29999 -m state --state NEW,ESTABLISHED -j ACCEPT

# teledit
iptables -A INPUT -p tcp --dport 31000 -m state --state NEW,ESTABLISHED -j ACCEPT

# name
iptables -A INPUT -p tcp --dport 81:85 -m state --state NEW,ESTABLISHED -j ACCEPT
}
allow_output() {
#iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
#iptables -A OUTPUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT
echo "No output";

}

firewall_status() {
iptables -L -n;
echo "-------------------------------------------------------------------------------";
echo "# Scripted By JungChanHo ";
echo "# This file easily used to adjust Firewall System. ";
echo "-------------------------------------------------------------------------------";
echo "# Deny IP Append : ${deny_file} ";
echo "-------------------------------------------------------------------------------";
# the recent-match tables live under /proc/net/xt_recent on newer kernels and
# /proc/net/ipt_recent on older ones; skip quietly if neither exists
for recent_dir in /proc/net/xt_recent /proc/net/ipt_recent; do
if [ -f "${recent_dir}/badguy" ]; then
echo "# ${recent_dir}/badguy : $(cat ${recent_dir}/badguy) ";
fi
done
echo "-------------------------------------------------------------------------------";
}
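The LOG rules in _firewall_conf.sh (the allow_logwrite prefixes and the SSH_Scan: prefix from allow_ssh) only write to the kernel log; nothing on the page reads them back. The script below is an added example, not part of the original post: it summarises those log lines per prefix and source address so an operator can see who is hitting the DROP policy. The kernel log lines are constructed samples in the netfilter LOG target's format using the post's own prefixes, with addresses from documentation ranges.

```shell
#!/bin/sh
# Added example (not part of the original post): summarise what the LOG rules in
# _firewall_conf.sh recorded. SAMPLE_LOG is a constructed stand-in for
# "dmesg" or /var/log/messages on the firewall host.
SAMPLE_LOG='Aug 20 22:40:01 host kernel: SSH_Scan:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40122 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 20 22:40:03 host kernel: SSH_Scan:IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40123 DPT=22 SYN URGP=0
Aug 20 22:41:10 host kernel: TCP RefuseIN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51000 DPT=3389 SYN URGP=0
Aug 20 22:41:12 host kernel: PING RefuseIN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=84 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Aug 20 22:42:00 host kernel: UDP RefuseIN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=78 PROTO=UDP SPT=5353 DPT=5353 LEN=58
Aug 20 22:42:30 host sshd[1234]: Accepted publickey for root from 192.168.5.7 port 50000 ssh2'

# drop_summary < log : one line per (prefix, source) as "hits<TAB>prefix<TAB>src<TAB>dports",
# most hits first. The prefix is whatever sits between "kernel: " and "IN=";
# prefixes without a trailing space arrive fused to the packet fields ("TCP RefuseIN=").
drop_summary() {
    awk '
    /kernel: / && match($0, /kernel: [^=]*IN=/) {
        pfx = substr($0, RSTART + 8, RLENGTH - 11)   # strip "kernel: " and "IN="
        sub(/:$/, "", pfx)                           # "SSH_Scan:" -> "SSH_Scan"
        src = ""; dpt = "-"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        if (src == "") next
        key = pfx "\t" src
        hits[key]++
        # keep a de-duplicated list of destination ports seen for this pair
        if (index("," ports[key] ",", "," dpt ",") == 0)
            ports[key] = ((ports[key] == "") ? dpt : (ports[key] "," dpt))
    }
    END {
        for (k in hits) printf "%d\t%s\t%s\n", hits[k], k, ports[k]
    }' | sort -rn
}

# drop_count PREFIX SRC < log : number of logged hits for one (prefix, source) pair
drop_count() {
    drop_summary | awk -F'\t' -v p="$1" -v s="$2" '
        $2 == p && $3 == s { print $1; found = 1 }
        END { if (!found) print 0 }'
}

# Usage on a live host:  dmesg | drop_summary
#                   or:  grep 'kernel: ' /var/log/messages | drop_summary
```

Because allow_logwrite limits each rule to one line per hour (burst 3), the counts are a lower bound on the real traffic; the SSH_Scan: lines are not rate-limited and reflect every 20th-plus attempt within a minute.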


 
 
