firewall

iptables設定

iptables.bash
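#!/bin/bash
# Host firewall for a LAN-attached machine: default-deny inbound and
# forwarded traffic, allow outbound, with a few LAN-scoped exceptions
# (ICMP, VNC, SSH) and HTTP open to everyone.
#
# Re-runnable: every chain is flushed and user-defined chains are removed
# before rules are added. Must run as root (iptables fails otherwise and
# `set -e` stops the script).
#
# Environment:
#   LAN  - CIDR of the trusted network (default 192.168.1.0/24)
set -eu

readonly LAN="${LAN:-192.168.1.0/24}"

# show iptable list
# iptables -L

# table initialize
# -F with no chain flushes every chain (INPUT/OUTPUT/FORWARD and user chains);
# -X then deletes the now-empty user chains so SYN_FLOOD can be recreated below.
iptables -F
iptables -X

# in-close/out-open (default policy)
# Set DROP first so that if a later rule fails the host is left closed,
# not open. An existing remote session sees a short gap until the
# ESTABLISHED rule below is installed; TCP retransmits cover it.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# in-open [loopback]
#iptables -A INPUT -i eth0 -j ACCEPT
#iptables -A FORWARD -i lo -j ACCEPT
#iptables -A FORWARD -i eth0 -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
# Anything claiming a 127/8 source that did NOT arrive on lo is spoofed.
# (Plain `-s 127.0.0.0/8 -j ACCEPT` was redundant with the lo rule for real
# loopback traffic and only ever matched such spoofed packets.)
iptables -A INPUT ! -i lo -s 127.0.0.0/8 -j DROP

# in-open [icmp from LAN]
#iptables -A INPUT -p icmp -j ACCEPT
#iptables -A FORWARD -p icmp -j ACCEPT
iptables -A INPUT -s "$LAN" -p icmp -j ACCEPT

# in-open [established or related]
#iptables -A INPUT -i ppp+ -m state --state ESTABLISHED,RELATED -j ACCEPT
#iptables -A FORWARD -i ppp+ -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# in-WANIF(src:local addr)-close
# (enable when a WAN interface such as ppp+ exists on this host)
#iptables -A INPUT -i ppp+ -s 10.0.0.0/8 -j DROP
#iptables -A INPUT -i ppp+ -s 172.16.0.0/12 -j DROP
#iptables -A INPUT -i ppp+ -s 192.168.0.0/16 -j DROP
#iptables -A FORWARD -i ppp+ -s 10.0.0.0/8 -j DROP
#iptables -A FORWARD -i ppp+ -s 172.16.0.0/12 -j DROP
#iptables -A FORWARD -i ppp+ -s 192.168.0.0/16 -j DROP

# in-WANIF(dst:local addr)-close
#iptables -A INPUT -i ppp+ -d 10.0.0.0/8 -j DROP
#iptables -A INPUT -i ppp+ -d 172.16.0.0/12 -j DROP
#iptables -A INPUT -i ppp+ -d 192.168.0.0/16 -j DROP
#iptables -A FORWARD -i ppp+ -d 10.0.0.0/8 -j DROP
#iptables -A FORWARD -i ppp+ -d 172.16.0.0/12 -j DROP
#iptables -A FORWARD -i ppp+ -d 192.168.0.0/16 -j DROP

# syn flood: limit NEW TCP connections to 1/s (burst 5, the iptables default)
# WITHOUT accepting them here. The previous form
#   iptables -A INPUT -p tcp --syn -m limit --limit 1/s -j ACCEPT
# accepted one SYN per second to ANY port from ANY source, which bypassed
# the DROP policy, the LAN-only SSH/VNC rules and the SSH brute-force
# counter below. Now SYNs within the limit RETURN to INPUT and are judged
# by the per-port rules; excess SYNs are dropped.
iptables -N SYN_FLOOD
iptables -A SYN_FLOOD -m limit --limit 1/s --limit-burst 5 -j RETURN
iptables -A SYN_FLOOD -j DROP
iptables -A INPUT -p tcp --syn -j SYN_FLOOD

# ping: answer echo-request from anywhere, but only at 1/s; the excess
# falls through to the DROP policy.
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

# in-open [web]
iptables -A INPUT -p tcp --dport http -j ACCEPT

# in-open [VNC] (LAN only)
# iptables -A INPUT -p tcp -m tcp --dport 5901 -j ACCEPT
# iptables -A OUTPUT -p tcp -m tcp --sport 5901 -j ACCEPT
iptables -A INPUT  -s "$LAN" -p tcp -m tcp --dport 5901 -j ACCEPT
iptables -A OUTPUT -d "$LAN" -p tcp -m tcp --sport 5901 -j ACCEPT

# in-close [SSH brute force attack]
# Every NEW connection to port 22 is recorded per source; a source that
# reaches 8 NEW connections within 60 s is dropped until it stays quiet.
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH -j DROP

# in-open [SSH] (LAN only; notice: place this after the brute force block,
# otherwise the ACCEPT would match before the counter sees the packet)
#iptables -A INPUT -p tcp --dport ssh -m state --state NEW -j ACCEPT
iptables -A INPUT -s "$LAN" -p tcp --dport ssh -m state --state NEW -j ACCEPT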

参考

- - - - - - - -
