====== firewall ======

===== iptables configuration =====

<code bash>
#!/bin/bash

# show current iptables rules
# iptables -L

# table initialize
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD

# in-close/out-open (default policy)
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# in-open [local addr or local if]
#iptables -A INPUT -i lo -j ACCEPT
#iptables -A INPUT -i eth0 -j ACCEPT
#iptables -A FORWARD -i lo -j ACCEPT
#iptables -A FORWARD -i eth0 -j ACCEPT
#iptables -A INPUT -s 127.0.0.0/8 -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -s 127.0.0.0/8 -j ACCEPT

# in-open [icmp from 192.168.1.0/24]
#iptables -A INPUT -p icmp -j ACCEPT
#iptables -A FORWARD -p icmp -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -p icmp -j ACCEPT

# in-open [established or related]
#iptables -A INPUT -i ppp+ -m state --state ESTABLISHED,RELATED -j ACCEPT
#iptables -A FORWARD -i ppp+ -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# in-WANIF (src: local addr) - close
# (anti-spoofing: packets with a private source address must not arrive on the WAN interface)
#iptables -A INPUT -i ppp+ -s 10.0.0.0/8 -j DROP
#iptables -A INPUT -i ppp+ -s 172.16.0.0/12 -j DROP
#iptables -A INPUT -i ppp+ -s 192.168.0.0/16 -j DROP
#iptables -A FORWARD -i ppp+ -s 10.0.0.0/8 -j DROP
#iptables -A FORWARD -i ppp+ -s 172.16.0.0/12 -j DROP
#iptables -A FORWARD -i ppp+ -s 192.168.0.0/16 -j DROP

# in-WANIF (dst: local addr) - close
#iptables -A INPUT -i ppp+ -d 10.0.0.0/8 -j DROP
#iptables -A INPUT -i ppp+ -d 172.16.0.0/12 -j DROP
#iptables -A INPUT -i ppp+ -d 192.168.0.0/16 -j DROP
#iptables -A FORWARD -i ppp+ -d 10.0.0.0/8 -j DROP
#iptables -A FORWARD -i ppp+ -d 172.16.0.0/12 -j DROP
#iptables -A FORWARD -i ppp+ -d 192.168.0.0/16 -j DROP

# block WAN: syn flood (accept at most 1 new SYN / echo-request per second)
# note: SYNs above the limit fall through to the ACCEPT rules below, so pair this
# with a matching DROP rule if hard rate limiting is wanted
#iptables -A INPUT -i ppp+ -p tcp --syn -m limit --limit 1/s -j ACCEPT
#iptables -A FORWARD -i ppp+ -p tcp --syn -m limit --limit 1/s -j ACCEPT
#iptables -A INPUT -i ppp+ -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
#iptables -A FORWARD -i ppp+ -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
iptables -A INPUT -p tcp --syn -m limit --limit 1/s -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

# in-open [web]
# iptables -A INPUT -p tcp --dport http -j ACCEPT
iptables -A INPUT -p tcp --dport http -j ACCEPT

# in-open [VNC] (LAN only)
# iptables -A INPUT -p tcp -m tcp --dport 5901 -j ACCEPT
# iptables -A OUTPUT -p tcp -m tcp --sport 5901 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 5901 -j ACCEPT
iptables -A OUTPUT -d 192.168.1.0/24 -p tcp -m tcp --sport 5901 -j ACCEPT

# in-close [SSH brute force attack]
# (a source that opens 8 or more new connections within 60 s gets dropped)
#iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
#iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH -j DROP
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH -j DROP

# in-open [SSH] (notice: place this after the brute force block)
#iptables -A INPUT -p tcp --dport ssh -m state --state NEW -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -p tcp --dport ssh -m state --state NEW -j ACCEPT
</code>

===== References =====

  * iptables configuration notes
    * http://koexuka.blogspot.jp/2009/12/iptables.html
  * Changing port numbers
    * http://cs.saases.jp/20120518/1811.html
  * Firewall configuration (very thorough)
    * http://software.aufheben.info/linux/firewall.html
  * iptables configuration (detailed explanation of the settings)
    * http://www.nina.jp/server/redhat/iptables/iptables.html
  * IPTABLES even I can understand (detailed explanation of the settings)
    * http://nemo.mods.jp/burikama/tips/iptables.html
  * How iptables works, in pictures
    * http://d.hatena.ne.jp/alexei-karamazov/20130225/1361806504
  * SSH attacks
    * http://d.hatena.ne.jp/ryousanngata/20120129/1327843403
    * http://blog.browncat.org/2007/07/sshiptables2.html
    * http://www2s.biglobe.ne.jp/~nuts/labo/inti/ipt_recent.html
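The script above depends on rule order: iptables evaluates a chain top-down, so the SSH ACCEPT must sit below the recent-module DROP or the brute-force protection never fires. As an added example that is not part of the original page, a small pre-flight linter in bash that checks that ordering and the default-DROP policy; the two rule files it inspects are constructed for the demo.

```bash
#!/bin/bash
# Added example, not from the original page: pre-flight checks for an iptables
# script. Rules are evaluated top-down, so an ACCEPT placed above the SSH
# brute-force DROP silently disables it. Both rule files are constructed here.
GOOD=$(mktemp); BAD=$(mktemp)
trap 'rm -f "$GOOD" "$BAD"' EXIT
cat > "$GOOD" <<'EOF'
iptables -P INPUT DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH -j DROP
iptables -A INPUT -s 192.168.1.0/24 -p tcp --dport ssh -m state --state NEW -j ACCEPT
EOF
# same rules, but the SSH ACCEPT is placed before the brute-force DROP
cat > "$BAD" <<'EOF'
iptables -P INPUT DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -p tcp --dport ssh -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH -j DROP
EOF
# Print the line number of the first INPUT rule in file $1 matching ERE $2.
rule_line() {
  grep -nE "^iptables -A INPUT .*$2" "$1" | head -n1 | cut -d: -f1
}

# Succeeds only if the default INPUT policy is DROP (whitelist posture).
check_default_drop() {
  grep -qE '^iptables -P INPUT DROP$' "$1"
}

# Succeeds only if the recent-module DROP for SSH precedes the first SSH ACCEPT.
check_ssh_order() {
  local drop accept
  drop=$(rule_line "$1" '--dport (22|ssh) .*-m recent --update .*-j DROP')
  accept=$(rule_line "$1" '--dport (22|ssh) .*-j ACCEPT')
  [ -n "$drop" ] && [ -n "$accept" ] && [ "$drop" -lt "$accept" ]
}

# Run every check on file $1; the exit status is the number of failed checks.
lint_rules() {
  local fails=0
  check_default_drop "$1" || { echo "$1: default INPUT policy is not DROP"; fails=$((fails + 1)); }
  check_ssh_order "$1" || { echo "$1: SSH ACCEPT is evaluated before the brute-force DROP"; fails=$((fails + 1)); }
  return "$fails"
}
lint_rules "$GOOD" && echo "$GOOD: ok"
lint_rules "$BAD" || echo "$BAD: $? problem(s)"
```

Run it against a real rules file by pointing `lint_rules` at that path instead of the constructed temp files; a non-zero exit status means at least one ordering or policy check failed.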