iptables

iptables

WikiPedia:Iptables는 리눅스 2.4 이전 버전에서 쓰이던 WikiPedia:Ipchains를 대신하는 IP 수준의 패킷 처리 유틸리티입니다. Netfilter라 불리는 커널 내의 패킷 필터링 기능을 사용자 공간에서 제어하는 데에 사용됩니다. 기본적으로는 특정 조건을 가진 패킷에 대한 허용(ACCEPT)과 차단(DROP) 등을 지정해 줄 수 있지만, 수많은 확장 기능을 통해 다양한 방식의 필터링(match: 프로토콜, 길이, ToS, ...)과 처리 방식(target: NAT, 로깅, 마킹, 전환, ...)을 지원하고 있습니다. 리눅스 기반의 여러 공개/상용 방화벽들 및 기타 네트워크 장비들이 iptables를 이용하고 있습니다.

  • http://www.netfilter.org/ : netfilter/iptables 홈페이지
  • /lib/modules/{version}/kernel/net/ipv4/netfilter 디렉터리에 확장 기능을 위한 오브젝트 파일들이 있습니다.
  • 커널 옵션 트리의 'Device Drivers/Networking support/Networking options/Network packet filtering' 하에 관련 옵션들이 위치합니다. (2.6 기준)
  • Netfilter 설정의 저장과 복구를 위해 iptables-save와 iptables-restore 프로그램이 사용됩니다.
  • 유사한 프로그램으로 arptables가 있습니다. 브리지 방화벽에서 링크 레이어(이더넷)에서의 필터링 등을 수행하는 [http]bridge-netfilter의 사용자 공간 유틸리티입니다.

KLDPWiki 내의 관련 문서

팁

  • target을 지정하지 않고 규칙을 집어넣으면 패킷 카운트만 올라가고 다음 규칙으로 넘어갑니다. 간단하게 패킷 카운팅을 하는 데에 사용할 수 있습니다. '-v' 옵션을 붙여서 리스팅을 하면 패킷/바이트 카운트가 함께 표시됩니다.

iptables script

  • 각자 사용하고 있는 일반화된 사용목적의 rule script를 소개해주세요.
  • "/etc/sysctl.conf"에서 다음 항목을 확인하여 활성화를 반드시 해주어야 합니다.
    net.ipv4.ip_forward = 1
    
    # IPv6 forward를 지원하려면 (이 경우는 ip6tables를 사용하는 경우겠죠)
    # net.ipv6.ip_forward = 1
    
  • 두개의 Interface를 사용하여 간단한 인터넷 공유기로 만들어주는 rule script
    #!/bin/sh
    # by minzkn <minzkn@infoeq.com>
    #
    # masq_ip.sh: turn a host with two interfaces into a simple Internet
    # sharing (NAT) gateway.  Needs net.ipv4.ip_forward=1 (see the sysctl
    # note above); without it nothing is forwarded at all.

    # Interface facing the external Internet (for ADSL this would be ppp0)
    IF_EXTERN=eth0
    # Interface that acts as the internal gateway
    IF_LOCAL=eth1
    # Local address range to masquerade
    MASQUE_ADDRESS=192.168.0.0/24
    #MASQUE_ADDRESS=10.0.0.0/8

    IPT=/sbin/iptables

    # Reset: INPUT and OUTPUT are opened and emptied, FORWARD is closed by
    # policy (only the explicit rules below may forward), nat table emptied.
    for chain in INPUT OUTPUT; do
        "${IPT}" -P "${chain}" ACCEPT
        "${IPT}" -F "${chain}"
    done
    "${IPT}" -P FORWARD DROP
    "${IPT}" -F FORWARD
    "${IPT}" -t nat -F

    # Replies to connections the LAN opened may come back in; anything the
    # LAN originates may go out.  Whatever else reaches FORWARD is logged and
    # then hits the DROP policy.  (The LOG rule has no rate limit, so a scan
    # from either side can fill the log.)
    "${IPT}" -A FORWARD -i "${IF_EXTERN}" -o "${IF_LOCAL}" -m state --state ESTABLISHED,RELATED -j ACCEPT
    "${IPT}" -A FORWARD -i "${IF_LOCAL}" -o "${IF_EXTERN}" -j ACCEPT
    "${IPT}" -A FORWARD -j LOG

    # Hide the local range behind the external interface's address.
    "${IPT}" -t nat -A POSTROUTING -o "${IF_EXTERN}" -s "${MASQUE_ADDRESS}" -j MASQUERADE

    # To forward a port from outside to an internal host, add a DNAT rule
    # like this one (example: the cvs port 2401 forwarded to 192.168.0.100):
    #"${IPT}" -t nat -A PREROUTING -i "${IF_EXTERN}" -p tcp --dport 2401 -j DNAT --to 192.168.0.100:2401

    # End of masq_ip.sh
    
  • 방화벽 및 공유기 두가지 모두를 손쉽게 설정하려고 만들었던 script
    #!/bin/sh
    
    # Copyright (C) INFOEQ co.,LTD.
    # All rights reserved.
    # 
    # Author: JaeHyuk Cho <minzkn@infoeq.com>
    #
    # mzfirewall.sh version 1.0.0 20080530
    
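    EXEC_IPTABLES=/sbin/iptables
    EXEC_IFCONFIG=/sbin/ifconfig

    SERVER_INTERFACE=eth0
    #SERVER_INTERFACE=eth1
    #SERVER_INTERFACE=tun6to4
    #SERVER_INTERFACE=bond0

    # *** NAT router (Internet sharing) settings ***
    USE_NAT=yes
    # Interface facing the external Internet (for ADSL this would be ppp0)
    EXTERN_INTERFACE=${SERVER_INTERFACE}
    # Interface that acts as the internal gateway
    LOCAL_INTERFACE=eth1
    # Local address range to masquerade
    MASQUE_ADDRESS=192.168.0.0/24

    # -----------------------------------------------------
    # Groundwork

    # Print the first IPv4 address found in ifconfig(8) output read from stdin.
    # Handles both the old net-tools layout ("inet addr:A.B.C.D ...") and the
    # newer one ("inet A.B.C.D netmask ..."), which the original
    # grep "\<inet addr\>" did not; prints nothing when no inet line exists,
    # so SERVER_IP below may legitimately be empty (interface down, no IPv4).
    s_mzfirewall_parse_inet() {
        awk '$1 == "inet" { sub("addr:", "", $2); print $2; exit }'
    }

    # Interface IP.  Only mzfirewall_report prints it; no rule depends on it.
    SERVER_IP=$("${EXEC_IFCONFIG}" "${SERVER_INTERFACE}" | s_mzfirewall_parse_inet)
    CHAIN_NAME_PREFIX=MZSERVER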
    
    # -----------------------------------------------------
    # 기반함수 (라이브러리)
    
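    # Create a user-defined chain and hang it off an existing one.
    # Arguments: $1 - existing (parent) chain, $2 - name of the chain to create
    # The jump is appended to $1, so $2 is consulted only after every rule
    # that is already in $1 at that moment.
    s_mzfirewall_create_chain() {
        "${EXEC_IPTABLES}" -t filter -N "${2}"
        "${EXEC_IPTABLES}" -t filter -A "${1}" -j "${2}"
    }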
    
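    # Per-host (blacklist) inbound DROP, with ports.
    # Arguments: $1 proto, $2 source, $3 source port, $4 destination, $5 destination port
    # Goes into MZSERVER_BLOCK_INPUT, which mzfirewall_create_chain hooks into
    # INPUT ahead of MZSERVER_INPUT, so these drops take precedence over the
    # accept rules.
    s_mzfirewall_block_input_drop() {
        "${EXEC_IPTABLES}" -A "${CHAIN_NAME_PREFIX}_BLOCK_INPUT" -p "${1}" -s "${2}" --sport "${3}" -d "${4}" --dport "${5}" -j DROP
    }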
    
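    # Per-host (blacklist) inbound DROP, all ports.
    # Arguments: $1 proto (e.g. "all"), $2 source, $3 destination
    s_mzfirewall_block_input_drop_noport() {
        "${EXEC_IPTABLES}" -A "${CHAIN_NAME_PREFIX}_BLOCK_INPUT" -p "${1}" -s "${2}" -d "${3}" -j DROP
    }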
    
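    # Inbound DROP rule, with ports (appended to MZSERVER_INPUT).
    # Arguments: $1 proto, $2 source, $3 source port, $4 destination, $5 destination port
    s_mzfirewall_input_drop() {
        "${EXEC_IPTABLES}" -A "${CHAIN_NAME_PREFIX}_INPUT" -p "${1}" -s "${2}" --sport "${3}" -d "${4}" --dport "${5}" -j DROP
    }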
    
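    # Inbound DROP rule, all ports (appended to MZSERVER_INPUT).
    # Arguments: $1 proto, $2 source, $3 destination
    s_mzfirewall_input_drop_noport() {
        "${EXEC_IPTABLES}" -A "${CHAIN_NAME_PREFIX}_INPUT" -p "${1}" -s "${2}" -d "${3}" -j DROP
    }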
    
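    # Inbound ACCEPT rule, with ports (appended to MZSERVER_INPUT).
    # Arguments: $1 proto, $2 source, $3 source port, $4 destination, $5 destination port
    # Port arguments may be names (ssh), numbers, or ranges ("1024:", "0:").
    s_mzfirewall_input_accept() {
        "${EXEC_IPTABLES}" -A "${CHAIN_NAME_PREFIX}_INPUT" -p "${1}" -s "${2}" --sport "${3}" -d "${4}" --dport "${5}" -j ACCEPT
    }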
    
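    # Inbound ACCEPT rule, all ports (appended to MZSERVER_INPUT).
    # Arguments: $1 proto, $2 source, $3 destination
    s_mzfirewall_input_accept_noport() {
        "${EXEC_IPTABLES}" -A "${CHAIN_NAME_PREFIX}_INPUT" -p "${1}" -s "${2}" -d "${3}" -j ACCEPT
    }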
    
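    # Outbound DROP rule, with ports (appended to MZSERVER_OUTPUT).
    # Arguments: $1 proto, $2 source, $3 source port, $4 destination, $5 destination port
    s_mzfirewall_output_drop() {
        "${EXEC_IPTABLES}" -A "${CHAIN_NAME_PREFIX}_OUTPUT" -p "${1}" -s "${2}" --sport "${3}" -d "${4}" --dport "${5}" -j DROP
    }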
    
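    # Outbound DROP rule, all ports (appended to MZSERVER_OUTPUT).
    # Arguments: $1 proto, $2 source, $3 destination
    s_mzfirewall_output_drop_noport() {
        "${EXEC_IPTABLES}" -A "${CHAIN_NAME_PREFIX}_OUTPUT" -p "${1}" -s "${2}" -d "${3}" -j DROP
    }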
    
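    # Outbound ACCEPT rule, with ports.
    # Arguments: $1 proto, $2 source, $3 source port, $4 destination, $5 destination port
    # Unlike every other helper here this one *inserts* at the head of
    # MZSERVER_OUTPUT (-I rather than -A), so a rule added through it is
    # evaluated before any drop that was appended earlier.
    s_mzfirewall_output_accept() {
        "${EXEC_IPTABLES}" -I "${CHAIN_NAME_PREFIX}_OUTPUT" -p "${1}" -s "${2}" --sport "${3}" -d "${4}" --dport "${5}" -j ACCEPT
    }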
    
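    # Outbound ACCEPT rule, all ports (appended to MZSERVER_OUTPUT).
    # Arguments: $1 proto, $2 source, $3 destination
    s_mzfirewall_output_accept_noport() {
        "${EXEC_IPTABLES}" -A "${CHAIN_NAME_PREFIX}_OUTPUT" -p "${1}" -s "${2}" -d "${3}" -j ACCEPT
    }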
    
    # -----------------------------------------------------
    # 수행함수
    
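    # Initialization: flush every rule and delete every user-defined chain.
    # The nat table is cleaned as well: mzfirewall_nat appends to POSTROUTING,
    # and a filter-only flush left that rule in place, so every restart
    # stacked one more MASQUERADE rule on top of the previous ones.
    mzfirewall_clean() {
        "${EXEC_IPTABLES}" -F
        "${EXEC_IPTABLES}" -X
        "${EXEC_IPTABLES}" -t nat -F
        "${EXEC_IPTABLES}" -t nat -X
    }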
    
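    # Built-in chain policies: what applies to a packet no rule matched.
    mzfirewall_default_raw() {
        # Inbound is dropped unless a later rule allows it.
        "${EXEC_IPTABLES}" -P INPUT DROP

        # Outbound is allowed by default.
        "${EXEC_IPTABLES}" -P OUTPUT ACCEPT

        # Forwarded (routed) traffic is allowed by default.  Note that nothing
        # in this script drops unmatched forwarded packets: mzfirewall_nat only
        # accepts or logs them in MZSERVER_FORWARD, after which they fall back
        # to this policy and are accepted -- unlike masq_ip.sh above, which
        # sets FORWARD to DROP.
        "${EXEC_IPTABLES}" -P FORWARD ACCEPT
    }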
    
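    # Baseline INPUT rules.  They are appended before mzfirewall_create_chain
    # adds the jumps into the MZSERVER_* chains, so they are evaluated first.
    mzfirewall_default_rule() {
        # TCP packets conntrack cannot place in any valid state are dropped.
        "${EXEC_IPTABLES}" -A INPUT -p tcp -m state --state INVALID -j DROP

        # Replies on TCP connections this host opened are let in.  Only TCP is
        # covered; UDP replies (DNS, for instance) are not matched here and
        # rely on the source-port based accepts in mzfirewall_input_rules.
        "${EXEC_IPTABLES}" -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT

        # Everything on loopback is accepted.
        "${EXEC_IPTABLES}" -A INPUT -i lo -j ACCEPT

        # ident/auth (tcp/113) is accepted from any source -- presumably so
        # remote servers' ident probes get an answer instead of a timeout.
        # NOTE(review): "any/0" as a destination is an unusual spelling;
        # "0/0" is the documented form -- confirm it parses on your iptables.
        "${EXEC_IPTABLES}" -A INPUT -p tcp -d any/0 --dport auth -j ACCEPT
    }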
    
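    # Create the script's own chains and hook them into the built-in ones.
    # Order matters for INPUT: the BLOCK_INPUT jump is appended first, so the
    # blacklist is consulted before MZSERVER_INPUT's accept rules.
    mzfirewall_create_chain() {
        s_mzfirewall_create_chain INPUT "${CHAIN_NAME_PREFIX}_BLOCK_INPUT"
        s_mzfirewall_create_chain INPUT "${CHAIN_NAME_PREFIX}_INPUT"
        s_mzfirewall_create_chain OUTPUT "${CHAIN_NAME_PREFIX}_OUTPUT"
        s_mzfirewall_create_chain FORWARD "${CHAIN_NAME_PREFIX}_FORWARD"
    }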
    
    # Inbound accept rules (all appended to MZSERVER_INPUT).
    # Helper argument layout: proto source sport destination dport.
    # NOTE(review): most of these match on the remote *source* port -- e.g.
    # the DNS rules admit anything with sport 53 to every local port (dport
    # "0:") -- and the sender chooses its source port.  Conntrack-based
    # matching (as mzfirewall_default_rule does for TCP) would be tighter.
    mzfirewall_input_rules() {
        # DNS: from remote port 53 to any local port
        s_mzfirewall_input_accept udp 0/0 domain 0/0 0:
        s_mzfirewall_input_accept tcp 0/0 domain 0/0 0:

        # ICMP, every type
        s_mzfirewall_input_accept_noport icmp 0/0 0/0

        # FTP control from unprivileged remote ports; ftp-data from any port
        s_mzfirewall_input_accept tcp 0/0 1024: 0/0 ftp
        s_mzfirewall_input_accept tcp 0/0 0: 0/0 ftp-data

        # Services reachable from unprivileged remote ports: telnet, ssh,
        # http and the site-specific port 2744 (same order as before).
        for mz_svc in telnet ssh http 2744; do
            s_mzfirewall_input_accept tcp 0/0 1024: 0/0 "${mz_svc}"
        done
    }
    
    # Outbound rules.  The author's intent is that deny rules are written
    # first; be aware that s_mzfirewall_output_accept inserts at the head of
    # MZSERVER_OUTPUT (-I), so accepts added through it still land ahead of
    # any drop appended here.
    mzfirewall_output_rules() {
        # Outbound IRC -- recommended to drop if you do not use IRC.
        #s_mzfirewall_output_drop tcp 0/0 0: 0/0 ircd

        # DNS out, both transports (helper layout: proto src sport dst dport)
        for mz_proto in udp tcp; do
            s_mzfirewall_output_accept "${mz_proto}" 0/0 0: 0/0 domain
        done

        # SMTP out.  NOTE(review): written against udp, but SMTP is a TCP
        # service, so this rule does not match outbound mail; harmless here
        # only because the OUTPUT policy is ACCEPT.
        s_mzfirewall_output_accept udp 0/0 0: 0/0 smtp
    }
    
    # Blacklist: sources dropped before any accept rule is considered
    # (MZSERVER_BLOCK_INPUT is hooked into INPUT ahead of MZSERVER_INPUT).
    mzfirewall_block_input_rules() {
        # Entries added by editing the script directly.
        s_mzfirewall_block_input_drop_noport all 210.212.219.61/32 0/0

        # Alternative: list the addresses in a block.list file, one per line;
        # blank lines and lines starting with '#' are skipped, spaces removed.
        #while read -r block_ip; do
        #    block_ip=$(printf '%s' "${block_ip}" | tr -d ' ')
        #    case "${block_ip}" in
        #        ''|'#'*) ;;
        #        *) s_mzfirewall_block_input_drop_noport all "${block_ip}" 0/0 ;;
        #    esac
        #done < block.list
    }
    
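    # NAT router (Internet sharing); a no-op unless USE_NAT=yes.
    # POSTROUTING rules apply to traffic leaving towards the outside,
    # PREROUTING rules to traffic arriving from the outside.
    mzfirewall_nat() {
        if [ "${USE_NAT}" = "yes" ]; then
            # Forwarding path between the two interfaces: replies may come
            # back in, anything from the LAN may go out.  Everything else that
            # reaches MZSERVER_FORWARD is logged, then falls through to the
            # FORWARD policy (ACCEPT, per mzfirewall_default_raw).  The LOG
            # rule is not rate-limited.
            "${EXEC_IPTABLES}" -A "${CHAIN_NAME_PREFIX}_FORWARD" -i "${EXTERN_INTERFACE}" -o "${LOCAL_INTERFACE}" -m state --state ESTABLISHED,RELATED -j ACCEPT
            "${EXEC_IPTABLES}" -A "${CHAIN_NAME_PREFIX}_FORWARD" -i "${LOCAL_INTERFACE}" -o "${EXTERN_INTERFACE}" -j ACCEPT
            "${EXEC_IPTABLES}" -A "${CHAIN_NAME_PREFIX}_FORWARD" -j LOG

            # Hide the local range behind the external interface's address.
            "${EXEC_IPTABLES}" -t nat -A POSTROUTING -o "${EXTERN_INTERFACE}" -s "${MASQUE_ADDRESS}" -j MASQUERADE

            # To forward a port from outside to an internal host, add a DNAT
            # rule like this (example: the cvs port 2401 to 192.168.0.100):
            #"${EXEC_IPTABLES}" -t nat -A PREROUTING -i "${EXTERN_INTERFACE}" -p tcp --dport 2401 -j DNAT --to 192.168.0.100:2401
        fi
    }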
    
    # Show what the script detected, then the live filter rule set.
    mzfirewall_report() {
        printf 'iptables path is "%s"\n' "${EXEC_IPTABLES}"
        printf 'server ip is "%s" (%s)\n' "${SERVER_IP}" "${SERVER_INTERFACE}"

        "${EXEC_IPTABLES}" --list
    }
    
    # Firewall on.  The steps run in a fixed order: policies and baseline
    # INPUT rules go in before the jumps into the MZSERVER_* chains are
    # appended, and the chains are filled only after they exist.
    mzfirewall_start() {
        for mz_step in \
            mzfirewall_clean \
            mzfirewall_default_raw \
            mzfirewall_default_rule \
            mzfirewall_create_chain \
            mzfirewall_input_rules \
            mzfirewall_output_rules \
            mzfirewall_block_input_rules \
            mzfirewall_nat
        do
            "${mz_step}"
        done
    }
    
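    # Firewall off: remove every rule and open all three built-in chains.
    mzfirewall_stop() {
        mzfirewall_clean

        # Accept everything by default: inbound, outbound and forwarded.
        "${EXEC_IPTABLES}" -P INPUT ACCEPT
        "${EXEC_IPTABLES}" -P OUTPUT ACCEPT
        "${EXEC_IPTABLES}" -P FORWARD ACCEPT
    }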
    
    # Firewall restart: tear everything down, then rebuild from scratch.
    mzfirewall_restart() {
        mzfirewall_stop
        mzfirewall_start
    }
    
    # -----------------------------------------------------
    
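    # Entry point: SysV-init style dispatch on the first argument.
    case "$1" in
        start)
            mzfirewall_start
            ;;
        stop)
            mzfirewall_stop
            ;;
        restart|reload)
            mzfirewall_restart
            ;;
        report|show|list|status)
            mzfirewall_report
            ;;
        *)
            # $"..." is a bash-only locale string; under the #!/bin/sh shebang
            # (dash) it prints a literal "$", so a plain string is used and the
            # usage text goes to stderr like any other diagnostic.
            echo "Usage: $0 {start|stop|restart|status}" >&2
            exit 1
            ;;
    esac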
    
    # End of mzfirewall.sh
    


전달 메시지

링크 걸어놓으신 페이지를 직접 위키에 붙여서 번역해도 될까요? - jachin 2024-03-29



