iptables 세팅 정상인지 봐주세요.
작성자 정보
- Hyosik 작성
- 작성일
컨텐츠 정보
- 1,801 조회
- 0 추천
- 목록
본문
IPtables 설정을 했는데요.
아래와 같이 했는데두 불구하고 모든 패킷이 맘대로 왔다갔다 하네요.
머가 잘못된건지 조언 부탁드립니다.
#!/bin/sh
SERVICE_IP="210.212.12.2"
#Firewall IP
/bin/echo "1" >/proc/sys/net/ipv4/ip_forward
# Reset
iptables -t nat -F
iptables -t mangle -F
iptables -t filter -F
# Public policy
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# INPUT Non Public IP
iptables -A INPUT -s 10.0.0.0/8 -j DROP
iptables -A INPUT -s 255.255.255.255/32 -j DROP
iptables -A INPUT -s 0.0.0.0/8 -j DROP
iptables -A INPUT -s 169.254.0.0/16 -j DROP
iptables -A INPUT -s 172.16.0.0/12 -j DROP
iptables -A INPUT -s 192.0.2.0/24 -j DROP
iptables -A INPUT -s 192.168.0.0/16 -j DROP
iptables -A INPUT -s 224.0.0.0/4 -j DROP
iptables -A INPUT -s 240.0.0.0/5 -j DROP
iptables -A INPUT -s 248.0.0.0/5 -j DROP
# FORWARD Non Public IP
iptables -A FORWARD -s 10.0.0.0/8 -j DROP
iptables -A FORWARD -s 255.255.255.255/32 -j DROP
iptables -A FORWARD -s 0.0.0.0/8 -j DROP
iptables -A FORWARD -s 169.254.0.0/16 -j DROP
iptables -A FORWARD -s 172.16.0.0/12 -j DROP
iptables -A FORWARD -s 192.0.2.0/24 -j DROP
iptables -A FORWARD -s 192.168.0.0/16 -j DROP
iptables -A FORWARD -s 224.0.0.0/4 -j DROP
iptables -A FORWARD -s 240.0.0.0/5 -j DROP
iptables -A FORWARD -s 248.0.0.0/5 -j DROP
# OUTPUT Non Public IP
iptables -A OUTPUT -d 10.0.0.0/8 -j DROP
iptables -A OUTPUT -d 255.255.255.255/32 -j DROP
iptables -A OUTPUT -d 0.0.0.0/8 -j DROP
iptables -A OUTPUT -d 169.254.0.0/16 -j DROP
iptables -A OUTPUT -d 172.16.0.0/12 -j DROP
iptables -A OUTPUT -d 192.0.2.0/24 -j DROP
iptables -A OUTPUT -d 192.168.0.0/16 -j DROP
iptables -A OUTPUT -d 224.0.0.0/4 -j DROP
iptables -A OUTPUT -d 240.0.0.0/5 -j DROP
iptables -A OUTPUT -d 248.0.0.0/5 -j DROP
# Local Network
iptables -A FORWARD -s 61.107.79.0/24 -j ACCEPT
# State
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p TCP ! --syn -m state --state NEW -j DROP
iptables -A FORWARD -p TCP ! --syn -m state --state NEW -j DROP
iptables -A INPUT -p ALL -m state --state INVALID -j DROP
iptables -A FORWARD -p ALL -m state --state INVALID -j DROP
iptables -A OUTPUT -p ALL -m state --state INVALID -j ACCEPT
# SSH
iptables -A INPUT -p TCP -s 210.212.12.0/24 --dport 22 -j ACCEPT
iptables -A INPUT -p TCP -s 210.212.12.0/24 --sport 22 -j ACCEPT
iptables -A FORWARD -p TCP -s 210.212.12.0/24 --dport 22 -j ACCEPT
iptables -A FORWARD -p TCP -s 210.212.12.0/24 --sport 22 -j ACCEPT
# ICMP Handle
iptables -N ICMP_HANDLE
iptables -F ICMP_HANDLE
iptables -A ICMP_HANDLE -p ICMP --icmp-type echo-reply -j ACCEPT
iptables -A ICMP_HANDLE -p ICMP --icmp-type network-unreachable -j ACCEPT
iptables -A ICMP_HANDLE -p ICMP --icmp-type host-unreachable -j ACCEPT
iptables -A ICMP_HANDLE -p ICMP --icmp-type port-unreachable -j ACCEPT
iptables -A ICMP_HANDLE -p ICMP --icmp-type fragmentation-needed -j ACCEPT
iptables -A ICMP_HANDLE -p ICMP --icmp-type time-exceeded -j ACCEPT
iptables -A INPUT -p ICMP -j ICMP_HANDLE
iptables -A FORWARD -p ICMP -j ICMP_HANDLE
# Echo
iptables -A FORWARD -p TCP --sport 7 -j ACCEPT
iptables -A FORWARD -p UDP --sport 7 -j ACCEPT
iptables -A FORWARD -p TCP --dport 7 -j ACCEPT
iptables -A FORWARD -p UDP --dport 7 -j ACCEPT
# FTP
iptables -A FORWARD -p TCP --sport 20 -j ACCEPT
iptables -A FORWARD -p TCP --sport 21 -j ACCEPT
iptables -A FORWARD -p TCP --dport 20 -j ACCEPT
iptables -A FORWARD -p TCP --dport 21 -j ACCEPT
# SMTP
iptables -A FORWARD -p TCP --sport 25 -j ACCEPT
iptables -A FORWARD -p TCP --dport 25 -j ACCEPT
# DNS Port
iptables -A FORWARD -p TCP --sport 53 -j ACCEPT
iptables -A FORWARD -p TCP --dport 53 -j ACCEPT
# WEB
iptables -A FORWARD -p TCP --sport 80 -j ACCEPT
iptables -A FORWARD -p TCP --dport 8080 -j ACCEPT
iptables -A FORWARD -p TCP --sport 80 -j ACCEPT
iptables -A FORWARD -p TCP --dport 8080 -j ACCEPT
# POP3
iptables -A FORWARD -p TCP --sport 110 -j ACCEPT
iptables -A FORWARD -p TCP --dport 110 -j ACCEPT
# Msn
iptables -A FORWARD -p TCP --sport 1863 -j ACCEPT
iptables -A FORWARD -p TCP --dport 1863 -j ACCEPT
관련자료
-
이전
-
다음
