내가 현재 관리 중인 서버의 iptables 정책을 공개한다. 공개를 통해 개선/유지/보수하는 것이 목적이다.
이상 없이 돌아가고 있기 때문에 그대로 쓰면 된다.
#!/bin/bash
#################################################################
# Title : A simple firewall for home users #
# Version : 1.1 #
# Tested-on : ubuntu 11.04//sbin/iptables v1.4.4 #
# Author : Brian Jung (09/17/2011) #
# Copyright : N/A #
# Note : Thanks to Ubuntu Korea users #
#################################################################
##[ COMMON ROUTINE ]##############################################
## Variables ##
##################################################################
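##[ COMMON ROUTINE ]##############################################
## Variables ##
##################################################################
# Abort on any reference to an unset variable.  The original script
# looped over $iPGroup_USER_SSH without ever defining it, so the SSH
# allow-list below silently added no rules; -u turns that class of
# typo into a hard error before any iptables call is made.
# (set -e is deliberately not used: a failing rule part-way through
# would then stop the script with the DROP policies already set and
# only some of the exceptions loaded.)
set -u

# Interface the policy is applied to -- one place to change instead
# of the four hard-coded occurrences in the original.
IFACE="eth0"

# Address of the guarded host, parsed from ifconfig.  Kept under its
# own name: the original assigned it to HOME, which clobbers the
# shell's home-directory variable for everything this script runs.
# NOTE(review): the awk/cut pipeline matches the ifconfig layout of
# the tested release (ubuntu 11.04); other releases print the address
# differently and `ip -4 addr show "$IFACE"` may be needed -- confirm
# on each host.
HOST_IP=$(ifconfig -a "$IFACE" | awk '/(cast)/ { print $2 }' | cut -d ':' -f2 | head -1)

# Stop before touching the live ruleset if no address was found.  An
# empty value would make every '--source "$HOST_IP"' below hand the
# *next* option to iptables as the address; those rules would be
# rejected and the policy would load only partially.
if [ -z "$HOST_IP" ]; then
  printf 'firewall: cannot determine the %s address, nothing changed\n' "$IFACE" >&2
  exit 1
fi

# Source addresses to drop outright (space separated, may be empty).
iPGroup_BLACKLIST=""
# Source addresses that get explicit SSH allow rules (space
# separated, may be empty).  Missing from the original entirely.
iPGroup_USER_SSH=""
# Block Services - add the ports to close here.  See the REJECT loop
# below for how they are matched; it is not a plain destination-port
# block.
portGroup_KNOWN_SERVICE="21 23 25 53 69 79 87 110 111 161 512 513 514 515 540 631 1080 1214 2000 2049 4288 5000 6000 6001 6002"
# Must be open for SSH
port_SSH="22"
##[ COMMON ROUTINE ]##############################################
## Initialize ##
##################################################################
#........................................remove previous policies
# Only the filter and nat tables are reset; mangle/raw are left as
# they are.
/sbin/iptables --flush
/sbin/iptables --delete-chain
/sbin/iptables --zero
/sbin/iptables --table nat --flush
/sbin/iptables --policy INPUT ACCEPT
/sbin/iptables --policy FORWARD ACCEPT
/sbin/iptables --policy OUTPUT ACCEPT
#.....................................................DROP::ALL
# Default-deny in every direction; everything accepted below is an
# explicit exception.  FORWARD gets no exceptions, so this host does
# not route.
/sbin/iptables --policy INPUT DROP
/sbin/iptables --policy FORWARD DROP
/sbin/iptables --policy OUTPUT DROP
#......................................ACCEPT::incoming traffic
/sbin/iptables --append INPUT --in-interface lo --jump ACCEPT
#......................................ACCEPT::outgoing traffic
# Unconditional: every packet leaving the host is allowed here.  The
# OUTPUT DROP policy and the trailing OUTPUT DROP rule are therefore
# reached only by what the --insert loops below put *ahead* of it.
/sbin/iptables --append OUTPUT --jump ACCEPT
#..............................................................
##[ COMMON ROUTINE ]##############################################
## Start using internet(TCP,UDP) ##
##################################################################
#............................................ACCEPT::INPUT::ALL
# Every inbound connection on $IFACE, new or not, is accepted here;
# the INPUT DROP policy thus only covers other interfaces.  Service
# blocking relies on the REJECT rules the loops below --insert ahead
# of this rule.  (The original appended this rule twice; the second
# copy could never match.)
/sbin/iptables --append INPUT --in-interface "$IFACE" --match state --state NEW,ESTABLISHED,RELATED --jump ACCEPT
#..............................................................
###############################################################
## Customized area(WARNING::DO NOT USE '--destination-port') ##
###############################################################
# All rules in this area use --insert so they land ahead of the
# blanket $IFACE ACCEPT above; lists are walked in order, so the last
# entry of each list ends up first in its chain.
#..............................................DROP::black list
# TCP only as written; UDP and ICMP from these hosts are not matched.
for IPLIST in $iPGroup_BLACKLIST; do
  /sbin/iptables --table filter --insert INPUT --protocol tcp --source "$IPLIST" --destination "$HOST_IP" --jump DROP
done
#.............................................REJECT::KNOWN.PORT::STEALTH
# Both rules match the listed number as the *source* port:
#  - INPUT: packets arriving *from* a remote peer's port N are
#    rejected (NEW and ESTABLISHED), which stops this host from using
#    those services on other machines -- e.g. TCP replies from a
#    remote resolver for 53.
#  - OUTPUT: ESTABLISHED packets leaving *from* local port N are
#    rejected, so replies from a local daemon on N never go out; that
#    is what effectively closes the local service.
# NOTE(review): REJECT answers with an RST / ICMP unreachable, so the
# port is refused rather than hidden; DROP would be the stealthy
# choice the section title suggests.
for STEALTH_PORT in $portGroup_KNOWN_SERVICE; do
  /sbin/iptables --table filter --insert INPUT --protocol tcp --match state --state NEW,ESTABLISHED --source 0/0 --source-port "$STEALTH_PORT" --jump REJECT
  /sbin/iptables --table filter --insert OUTPUT --protocol tcp --match state --state ESTABLISHED --source "$HOST_IP" --source-port "$STEALTH_PORT" --jump REJECT
done
#...................................................ACCEPT::ssh
# Per-host SSH allow rules.  Like the area above they match port_SSH
# as the *source* port; an inbound SSH client on an ephemeral port is
# in practice admitted by the $IFACE ACCEPT rule, not by these.
for IPLIST in $iPGroup_USER_SSH; do
  /sbin/iptables --table filter --insert INPUT --protocol tcp --match state --state NEW,ESTABLISHED --source "$IPLIST" --source-port "$port_SSH" --destination "$HOST_IP" --jump ACCEPT
  /sbin/iptables --table filter --insert OUTPUT --protocol tcp --match state --state ESTABLISHED --source "$HOST_IP" --source-port "$port_SSH" --destination "$IPLIST" --jump ACCEPT
done
##################################################################
## Block known attacks ##
##################################################################
#.............................................. DROP::port scan
# NOTE(review): the port-scan and syn-flood chains are created and
# populated but nothing jumps to them, so as written they match no
# traffic.  Left unwired on purpose: hooking syn-flood into INPUT with
# its current limits (1 SYN/s, burst 4) would throttle every inbound
# connection, not just floods.  Revisit the limits before adding a
# rule such as `--insert INPUT --protocol tcp --syn --jump syn-flood`.
/sbin/iptables --new-chain port-scan
/sbin/iptables --append port-scan --protocol tcp --tcp-flags SYN,ACK,FIN,RST RST --match limit --limit 1/s --jump RETURN
/sbin/iptables --append port-scan --jump DROP
#....................................................DROP::ping
# Do not answer echo requests.  The OUTPUT echo-reply rule is
# belt-and-braces: with requests dropped on INPUT no reply is
# generated anyway.  Pings sent *by* this host (echo requests) are
# unaffected.
/sbin/iptables --append INPUT --protocol icmp --match icmp --icmp-type echo-request --jump DROP
/sbin/iptables --append OUTPUT --protocol icmp --match icmp --icmp-type echo-reply --jump DROP
#.....................................DROP::no syn flood attack
# See the port-scan note above: this chain is not referenced either.
/sbin/iptables --new-chain syn-flood
/sbin/iptables --append syn-flood --protocol tcp --syn --match limit --limit 1/s --limit-burst 4 --jump ACCEPT
/sbin/iptables --append syn-flood --protocol tcp --syn --jump DROP
#..............................................................
##################################################################
## Log ##
##################################################################
#......................................................examples
# Uncomment to log what reaches the end of each chain (i.e. what the
# DROP policy/rules are about to discard).
#/sbin/iptables --append INPUT --jump LOG --log-prefix "FIREWALL:INPUT ";
#/sbin/iptables --append FORWARD --jump LOG --log-prefix "FIREWALL:FORWARD";
#/sbin/iptables --append OUTPUT --jump LOG --log-prefix "FIREWALL:OUTPUT ";
#..............................................................
##[ COMMON ROUTINE ]###########################################
## End of traffic ##
###############################################################
#................................................can be omitted
# INPUT: reached only by traffic that fell through every rule above
# (in practice non-$IFACE, non-lo interfaces) -- same effect as the
# policy.  OUTPUT: unreachable, the unconditional OUTPUT ACCEPT
# appended earlier precedes it.
/sbin/iptables --append INPUT --jump DROP
/sbin/iptables --append OUTPUT --jump DROP
#..............................................................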