
현재 운영 중인 iptables

jswlinux 2011. 9. 17. 22:52
내가 현재 관리 중인 서버의 iptables 정책을 공개한다. 공개해서 개선/유지/보수 하는 것이 목적.
현재 이상 없이 돌아가고 있지만, 그대로 복사해 쓰기 전에 아래 스크립트의 변수(인터페이스 이름, SSH 접속을 허용할 출발지 대역)와 규칙 순서가 자기 환경에 맞는지 먼저 확인하고, 원격 서버라면 잘못된 규칙 하나로 접속이 끊기지 않도록 콘솔 접근을 확보한 상태에서 적용하는 것이 안전하다.

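#!/bin/bash

#################################################################
# Title     : A simple firewall for home users
# Version   : 1.2 (review of 1.1)
# Tested-on : ubuntu 11.04 / /sbin/iptables v1.4.4 (v1.1 listing; this
#             revision uses the same option set: state, limit, icmp, tcp)
# Author    : Brian Jung (09/17/2011)
# Copyright : N/A
# Note      : Thanks to Ubuntu Korea users
#
# What the ruleset does:
#   IPv4 INPUT and FORWARD default to DROP. Accepted inbound: loopback,
#   packets belonging to connections this host opened (ESTABLISHED /
#   RELATED), and NEW TCP connections to port_SSH from iPGroup_USER_SSH
#   arriving on IFACE. Sources in iPGroup_BLACKLIST are dropped outright,
#   ports in portGroup_KNOWN_SERVICE are dropped explicitly, inbound ping
#   is dropped. OUTPUT is open. Anything else inbound reaches the final
#   DROP. The same inbound policy is mirrored to ip6tables when present.
#
# Lines marked NOTE(review) explain where this differs from v1.1 and why.
# Run it from a console, or keep a second session open while testing: a
# wrong source list for SSH locks you out of a remote host.
#################################################################

set -euo pipefail
# A failing iptables command aborts the script (set -e); say which one.
trap 'printf "error: command failed at line %s: %s\n" "$LINENO" "$BASH_COMMAND" >&2' ERR

if [[ "$(id -u)" -ne 0 ]]; then
  printf 'error: %s must be run as root\n' "${0##*/}" >&2
  exit 1
fi

##[ Variables ]###################################################

IPT=/sbin/iptables
IP6T=/sbin/ip6tables

# Interface that faces the network. v1.1 hard-coded eth0; override with
# IFACE=wlan0 ./firewall.sh when needed.
IFACE="${IFACE:-eth0}"

# NOTE(review): v1.1 parsed the interface's IPv4 address out of ifconfig
# into a variable named HOME (clobbering the shell's home-directory
# variable) and matched --destination on it; an empty result (no eth0,
# different ifconfig output) silently produced malformed rules. The rules
# below match on the interface instead, which covers every address
# configured on it and needs no output parsing.

# Sources dropped outright, every protocol. Space separated, CIDR allowed.
iPGroup_BLACKLIST=""

# TCP/UDP ports of local services that must never be reachable from IFACE.
# With a default-deny INPUT they are closed anyway; the explicit DROP keeps
# them closed if a broad ACCEPT is ever appended later.
portGroup_KNOWN_SERVICE="21 23 25 53 69 79 87 110 111 161 512 513 514 515 540 631 1080 1214 2000 2049 4288 5000 6000 6001 6002"

# Must be open for SSH.
port_SSH="22"

# Networks allowed to open SSH connections. NOTE(review): v1.1 looped over
# iPGroup_USER_SSH without ever assigning it, so no SSH rule was created;
# SSH kept working only because of an accept-everything rule on eth0.
# 0/0 keeps SSH reachable from anywhere. Narrow it to your own networks,
# e.g. "192.168.0.0/24 203.0.113.5", before relying on this firewall.
iPGroup_USER_SSH="${iPGroup_USER_SSH:-0/0}"

# Rate limits for the port-scan and syn-flood chains (iptables limit syntax).
RST_LIMIT="1/s"
SYN_LIMIT="1/s"
SYN_BURST="4"

# Thin wrapper so every rule goes through the same binary and set -e.
ipt() { "$IPT" "$@"; }

##[ Initialize ]##################################################

# NOTE(review): v1.1 set all policies to ACCEPT, flushed, then set DROP,
# so the host was briefly wide open on every reload. Setting DROP first
# closes it for the few milliseconds the rebuild takes instead.
ipt --policy INPUT DROP
ipt --policy FORWARD DROP
# Outbound traffic is not filtered (v1.1: policy DROP plus an
# unconditional ACCEPT as first OUTPUT rule, which amounts to the same).
ipt --policy OUTPUT ACCEPT

ipt --flush
ipt --delete-chain
ipt --zero
ipt --table nat --flush
ipt --table nat --delete-chain

# Loopback and replies to connections this host initiated come first, so
# that if anything below fails (set -e stops the script) the
# administrator's existing session survives. Existing connections from an
# address added to the blacklist later keep their conntrack entry and are
# still accepted here until they end; `conntrack -D -s ADDR` cuts them.
ipt --append INPUT --in-interface lo --jump ACCEPT
ipt --append INPUT --match state --state ESTABLISHED,RELATED --jump ACCEPT
# Packets that claim to belong to a connection conntrack has never seen.
ipt --append INPUT --match state --state INVALID --jump DROP

# NOTE(review): v1.1 then appended (twice) "-i eth0 -m state --state
# NEW,ESTABLISHED,RELATED -j ACCEPT", i.e. accept every inbound connection
# on eth0. That one rule made the DROP policy and every rule appended
# after it (ping, final DROP) meaningless for eth0. It is gone; NEW
# connections are accepted per service below.

##[ Blacklist ]###################################################

# shellcheck disable=SC2086  # documented as a space-separated list
for src in $iPGroup_BLACKLIST; do
  # NOTE(review): v1.1 limited this to TCP; a blacklisted host is dropped
  # for UDP and ICMP as well.
  ipt --append INPUT --in-interface "$IFACE" --source "$src" --jump DROP
done

##[ Closed service ports ]########################################

# NOTE(review): v1.1 matched --source-port here (and warned against
# --destination-port). A source-port match on INPUT does not close a
# local service; it rejects replies coming *from* remote servers on those
# ports, e.g. SMTP or TCP DNS answers this host asked for. Its OUTPUT
# companion rule rejected the local service's own replies, which is what
# actually hid the ports. Matching the destination port on INPUT is the
# direct way. DROP rather than REJECT: REJECT answers the scanner
# ("closed"), DROP does not ("filtered"), which is what STEALTH meant.
# shellcheck disable=SC2086
for port in $portGroup_KNOWN_SERVICE; do
  ipt --append INPUT --in-interface "$IFACE" --protocol tcp --destination-port "$port" --jump DROP
  ipt --append INPUT --in-interface "$IFACE" --protocol udp --destination-port "$port" --jump DROP
done

##[ Block known attacks ]#########################################

# Bare RST packets above RST_LIMIT per second are dropped; within the
# budget the packet RETURNs and is handled by the rules that follow.
# NOTE(review): v1.1 created this chain but never jumped to it. The jump
# is restricted to RST-only packets, the only case the chain handles;
# sending every packet here would drop all non-RST traffic.
ipt --new-chain port-scan
ipt --append port-scan --protocol tcp --tcp-flags SYN,ACK,FIN,RST RST --match limit --limit "$RST_LIMIT" --jump RETURN
ipt --append port-scan --jump DROP
ipt --append INPUT --in-interface "$IFACE" --protocol tcp --tcp-flags SYN,ACK,FIN,RST RST --jump port-scan

# SYNs beyond SYN_LIMIT (burst SYN_BURST) are dropped.
# NOTE(review): v1.1 created this chain but never jumped to it, and its
# in-budget action was ACCEPT, which once wired would have opened every
# TCP port at the limited rate. RETURN hands the packet back to INPUT so
# the port rules still decide. The limit is one global bucket, not per
# source, so it is applied only to SYNs for the SSH port (see below);
# applied to all SYNs, a scanner hitting closed ports would exhaust it
# and lock everyone out of SSH. Kernel SYN cookies
# (net.ipv4.tcp_syncookies=1) are the real SYN-flood defence; this is a
# connection-rate throttle.
ipt --new-chain syn-flood
ipt --append syn-flood --protocol tcp --syn --match limit --limit "$SYN_LIMIT" --limit-burst "$SYN_BURST" --jump RETURN
ipt --append syn-flood --jump DROP

# Inbound ping is dropped (the host does not answer echo requests).
# NOTE(review): v1.1 also dropped echo-reply on OUTPUT, but behind its
# accept-all OUTPUT rule, so that line never matched. It is not needed:
# a request that is never accepted gets no reply.
ipt --append INPUT --in-interface "$IFACE" --protocol icmp --match icmp --icmp-type echo-request --jump DROP

##[ SSH ]#########################################################

# Throttle new SSH connections, then accept them from the listed networks.
ipt --append INPUT --in-interface "$IFACE" --protocol tcp --destination-port "$port_SSH" --syn --jump syn-flood
# shellcheck disable=SC2086
for src in $iPGroup_USER_SSH; do
  ipt --append INPUT --in-interface "$IFACE" --protocol tcp --source "$src" --destination-port "$port_SSH" --match state --state NEW --jump ACCEPT
done

##[ Log ]#########################################################

# Uncomment to log what the final DROP discards. Rate-limited so that a
# scan cannot fill the log. Read with: dmesg | grep FIREWALL
# ipt --append INPUT --match limit --limit 5/min --jump LOG --log-prefix "FIREWALL:INPUT "
# ipt --append FORWARD --match limit --limit 5/min --jump LOG --log-prefix "FIREWALL:FORWARD "

##[ End of traffic ]##############################################

# Explicit final DROP (the policy would do the same); kept so that a LOG
# rule above has something to sit in front of.
ipt --append INPUT --jump DROP
# NOTE(review): v1.1's final "OUTPUT -j DROP" sat behind its accept-all
# OUTPUT rule and never matched; OUTPUT is simply left open here.

##[ IPv6 ]########################################################

# NOTE(review): everything above is IPv4 only. ip6tables is a separate
# ruleset; without this block a host with IPv6 enabled is wide open on
# v6 while appearing closed on v4. The inbound policy is mirrored here.
# ICMPv6 must stay open: neighbour discovery runs over it and IPv6 stops
# working without it. SSH over v6 is accepted from anywhere because
# iPGroup_USER_SSH holds IPv4 networks; add v6 sources here if you narrow it.
if [[ -x "$IP6T" ]]; then
  "$IP6T" --policy INPUT DROP
  "$IP6T" --policy FORWARD DROP
  "$IP6T" --policy OUTPUT ACCEPT
  "$IP6T" --flush
  "$IP6T" --delete-chain
  "$IP6T" --append INPUT --in-interface lo --jump ACCEPT
  "$IP6T" --append INPUT --match state --state ESTABLISHED,RELATED --jump ACCEPT
  "$IP6T" --append INPUT --protocol icmpv6 --jump ACCEPT
  "$IP6T" --append INPUT --in-interface "$IFACE" --protocol tcp --destination-port "$port_SSH" --match state --state NEW --jump ACCEPT
  "$IP6T" --append INPUT --jump DROP
fi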