iptables 관련 초짜 질문입니다..
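#!/bin/sh
#
# iptables rules for a small LAN gateway (excerpt).
#
# Interfaces as far as this excerpt shows them:
#   eth0  upstream / public side (SERVICE_IP lives here)
#   eth1  192.168.1.0/24 office LAN
#   eth3  192.168.80.0/24 -- inferred from a commented-out rule below; verify
#
# Only part of the live ruleset is reproduced.  Rules that the visible part
# depends on but does not contain -- the SNAT/MASQUERADE rule that consumes
# SERVICE_IP and an "-m state --state ESTABLISHED,RELATED -j ACCEPT" for the
# reply direction -- are assumed to be appended after this excerpt.
#
# iptables applies the FIRST matching rule in a chain, so a host-specific
# ACCEPT has to be appended before the generic DROP it is meant to override.
# When a host is unexpectedly cut off: re-run this script (editing the file
# changes nothing until it is executed) and look at which rule's counters
# are growing for that host:
#   iptables -L FORWARD -n -v --line-numbers

SERVICE_IP="118.46.xxx.xx"   # public address; used by NAT rules outside this excerpt

# iptables needs CAP_NET_ADMIN.  Without it every command below fails one by
# one and the box is left with whatever ruleset was loaded before; refuse early.
if [ "$(id -u)" -ne 0 ]; then
    printf '%s: must be run as root\n' "$0" >&2
    exit 1
fi

# --- Fail-closed initialisation ---------------------------------------------
# Default policies are set BEFORE the tables are flushed and BEFORE
# forwarding is switched on.  The original sequence (ip_forward=1, flush,
# then policies) opened a short window on every run in which the gateway
# accepted and forwarded everything it received.
iptables -P INPUT   DROP
iptables -P FORWARD DROP
iptables -P OUTPUT  ACCEPT
for table in filter nat mangle; do
    iptables -t "$table" -F      # flush all rules
    iptables -t "$table" -X      # and remove now-unreferenced user chains
done

# --- Logging ----------------------------------------------------------------
# Rate-limited sample of traffic entering each chain.  These sit at the head
# of the chain, so the 12/minute budget is largely spent on packets that are
# ACCEPTed further down; to log only what the DROP policy eats, place them at
# the tail of the complete ruleset instead.
iptables -A INPUT   -m limit --limit 12/minute -j LOG --log-prefix "INPUT:"
iptables -A FORWARD -m limit --limit 12/minute -j LOG --log-prefix "FORWARD:"
iptables -A OUTPUT  -m limit --limit 12/minute -j LOG --log-prefix "OUTPUT:"

# Loopback is unrestricted.
iptables -A INPUT  -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# --- Anti-spoofing on the upstream interface --------------------------------
# Source addresses that cannot legitimately arrive from the outside are
# dropped on INPUT and FORWARD, and are never used as OUTPUT destinations.
# Differences from the original list: 127.0.0.0/8 is added for the inbound
# chains (a loopback source on the wire is always forged), and the pair
# 240.0.0.0/5 + 248.0.0.0/5 is written as the equivalent 240.0.0.0/4.
# 192.168.0.0/16 stays out, as in the original (commented out there,
# presumably because the upstream side uses RFC 1918 space).
for net in 0.0.0.0/8 10.0.0.0/8 169.254.0.0/16 172.16.0.0/12 192.0.2.0/24 \
           224.0.0.0/4 240.0.0.0/4 255.255.255.255/32; do
    iptables -A INPUT   -i eth0 -s "$net" -j DROP
    iptables -A FORWARD -i eth0 -s "$net" -j DROP
    iptables -A OUTPUT          -d "$net" -j DROP
done
iptables -A INPUT   -i eth0 -s 127.0.0.0/8 -j DROP
iptables -A FORWARD -i eth0 -s 127.0.0.0/8 -j DROP
#iptables -A INPUT  -i eth0 -s 192.168.0.0/16 -j DROP
#iptables -A FORWARD -i eth3 -s 192.168.80.0/24 -j DROP
#iptables -A OUTPUT         -d 192.168.80.0/24 -j DROP

# --- SSH brute-force throttling ---------------------------------------------
# The 5th new SSH connection from one source within 60 s is logged and
# dropped.  --rttl additionally requires the packet's TTL to match the one
# recorded by --set, so a spoofed source cannot burn another host's budget.
iptables -A INPUT -p tcp --dport 22 -m state --state NEW \
    -m recent --set --name SSHSCAN
iptables -A INPUT -p tcp --dport 22 -m state --state NEW \
    -m recent --update --seconds 60 --hitcount 5 --rttl --name SSHSCAN \
    -j LOG --log-prefix "SSH_Scan:"
iptables -A INPUT -p tcp --dport 22 -m state --state NEW \
    -m recent --update --seconds 60 --hitcount 5 --rttl --name SSHSCAN \
    -j DROP

# --- Services offered by the gateway itself ---------------------------------
# Only the first packet of a connection (NEW) is admitted here; the rest of
# each connection relies on an ESTABLISHED,RELATED rule outside this excerpt.
# The "--sport 1024:" conditions are cosmetic -- the remote side chooses its
# own source port -- and are kept only for compatibility with the original.
# Passive-mode FTP data connections arrive on arbitrary ports and need the
# FTP connection-tracking helper plus a RELATED accept to work at all.
iptables -A INPUT -i eth0 -p tcp --sport 1024: --dport 21 -m state --state NEW -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 1024: --dport 20 -m state --state NEW -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 1024: --dport 80 -m state --state NEW -j ACCEPT
# DNS: no "-i" here, so a resolver on this box also answers queries arriving
# from the upstream side.  Add "-i eth1" if only the LAN should be served --
# an open recursive resolver is an amplification-attack vector.
iptables -A INPUT -p udp --sport 1024: --dport 53 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --sport 1024: --dport 53 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --sport 53    --dport 53 -m state --state NEW -j ACCEPT
iptables -A INPUT -p udp --sport 53    --dport 53 -m state --state NEW -j ACCEPT
# SSH from anywhere (throttled above).
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT

# --- FORWARD: office LAN (eth1) -> upstream (eth0) --------------------------
# Ports that are always allowed out, regardless of the per-host rules below.
for port in 25 110 9090 9099 4040 8088 8090; do
    iptables -A FORWARD -i eth1 -o eth0 -p tcp --dport "$port" -j ACCEPT
done

# Per-host "cyworld" allow-list, then a block for everyone else.
# -m string looks for the literal substring in each packet's payload: it also
# hits unrelated traffic that happens to contain the word, sees nothing inside
# TLS, and misses a string split across two packets.  Treat it as a nuisance
# filter, not as access control.  The payload travels in ESTABLISHED packets,
# so an ESTABLISHED,RELATED ACCEPT placed ahead of these rules would bypass
# them entirely -- keep such a rule after them.
for host in 192.168.1.155 192.168.1.172 192.168.1.173 192.168.1.31 \
            192.168.1.34  192.168.1.30  192.168.1.35  192.168.1.36 \
            192.168.1.239; do
    iptables -A FORWARD -i eth1 -s "$host" -o eth0 \
        -m string --algo bm --string "cyworld" -j ACCEPT
done
iptables -A FORWARD -i eth1 -o eth0 -m string --algo bm --string "cyworld" -j DROP
iptables -A FORWARD -i eth3 -o eth0 -m string --algo bm --string "cyworld" -j DROP

# Hosts denied plain HTTP to the outside.  Only TCP/80 is blocked; HTTPS and
# any other port still pass through the catch-all ACCEPTs further down.
# 192.168.1.239 used to be on this list and has been re-enabled.
iptables -A FORWARD -s 192.168.80.0/24 -o eth0 -p tcp --dport 80 -j DROP
for host in 192.168.1.100 192.168.1.105 192.168.1.101 192.168.1.108 192.168.1.82; do
    iptables -A FORWARD -s "$host" -o eth0 -p tcp --dport 80 -j DROP
done
#iptables -A FORWARD -s 192.168.1.239 -o eth0 -p tcp --dport 80 -j DROP
#iptables -A FORWARD -s 192.168.1.212 -o eth0 -j DROP

# Per-host "nate" allow-list, then a block for everyone else on eth1
# (there is no corresponding block for eth3, as in the original).
for host in 192.168.1.73 192.168.1.71 192.168.1.239 192.168.1.155 192.168.1.25; do
    iptables -A FORWARD -i eth1 -s "$host" -o eth0 \
        -m string --algo bm --string "nate" -j ACCEPT
done
#iptables -A FORWARD -i eth1 -s 192.168.1.51 -o eth0 -m string --algo bm --string "nate" -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -m string --algo bm --string "nate" -j DROP

# Everything else from the internal networks is forwarded.  The original
# 192.168.80/81 rules carried no interface match, so a packet arriving on
# eth0 with a forged 192.168.80.x or .81.x source (192.168/16 is not in the
# eth0 bogon list) would have been forwarded into the LAN; "! -i eth0" closes
# that without changing what the real internal segments may do.
iptables -A FORWARD -i eth1   -s 192.168.1.0/24  -j ACCEPT
iptables -A FORWARD ! -i eth0 -s 192.168.80.0/24 -j ACCEPT
iptables -A FORWARD ! -i eth0 -s 192.168.81.0/24 -j ACCEPT

# --- Enable routing only now, with the FORWARD chain fail-closed -------------
echo 1 > /proc/sys/net/ipv4/ip_forward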
...
....
리눅스를 배우고 있는 초짜입니다.. 현재 사용중인 iptables 중 일부입니다..
여기서 (원문에 빨간색으로 표시된) ip "192.168.1.239" 는 처음에는 "--dport 80 -j DROP" 규칙으로 인터넷을 차단했다가, 그 규칙을 주석 처리해서 다시 열었습니다..
그리고 nate 및 싸이월드 허용 규칙에도 이 ip 를 추가했고요..
그런데도 인터넷 및 네이트온이 안 되는데.. 무슨 문제일까요..
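# iptables rules for a small LAN gateway (excerpt).
#
# Interfaces as far as this excerpt shows them:
#   eth0  upstream / public side (SERVICE_IP lives here)
#   eth1  192.168.1.0/24 office LAN
#   eth3  192.168.80.0/24 -- inferred from a commented-out rule below; verify
#
# Only part of the live ruleset is reproduced.  Rules that the visible part
# depends on but does not contain -- the SNAT/MASQUERADE rule that consumes
# SERVICE_IP and an "-m state --state ESTABLISHED,RELATED -j ACCEPT" for the
# reply direction -- are assumed to be appended after this excerpt.
#
# iptables applies the FIRST matching rule in a chain, so a host-specific
# ACCEPT has to be appended before the generic DROP it is meant to override.
# When a host is unexpectedly cut off: re-run this script (editing the file
# changes nothing until it is executed) and look at which rule's counters
# are growing for that host:
#   iptables -L FORWARD -n -v --line-numbers

SERVICE_IP="118.46.xxx.xx"   # public address; used by NAT rules outside this excerpt

# iptables needs CAP_NET_ADMIN.  Without it every command below fails one by
# one and the box is left with whatever ruleset was loaded before; refuse early.
if [ "$(id -u)" -ne 0 ]; then
    printf '%s: must be run as root\n' "$0" >&2
    exit 1
fi

# --- Fail-closed initialisation ---------------------------------------------
# Default policies are set BEFORE the tables are flushed and BEFORE
# forwarding is switched on.  The original sequence (ip_forward=1, flush,
# then policies) opened a short window on every run in which the gateway
# accepted and forwarded everything it received.
iptables -P INPUT   DROP
iptables -P FORWARD DROP
iptables -P OUTPUT  ACCEPT
for table in filter nat mangle; do
    iptables -t "$table" -F      # flush all rules
    iptables -t "$table" -X      # and remove now-unreferenced user chains
done

# --- Logging ----------------------------------------------------------------
# Rate-limited sample of traffic entering each chain.  These sit at the head
# of the chain, so the 12/minute budget is largely spent on packets that are
# ACCEPTed further down; to log only what the DROP policy eats, place them at
# the tail of the complete ruleset instead.
iptables -A INPUT   -m limit --limit 12/minute -j LOG --log-prefix "INPUT:"
iptables -A FORWARD -m limit --limit 12/minute -j LOG --log-prefix "FORWARD:"
iptables -A OUTPUT  -m limit --limit 12/minute -j LOG --log-prefix "OUTPUT:"

# Loopback is unrestricted.
iptables -A INPUT  -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# --- Anti-spoofing on the upstream interface --------------------------------
# Source addresses that cannot legitimately arrive from the outside are
# dropped on INPUT and FORWARD, and are never used as OUTPUT destinations.
# Differences from the original list: 127.0.0.0/8 is added for the inbound
# chains (a loopback source on the wire is always forged), and the pair
# 240.0.0.0/5 + 248.0.0.0/5 is written as the equivalent 240.0.0.0/4.
# 192.168.0.0/16 stays out, as in the original (commented out there,
# presumably because the upstream side uses RFC 1918 space).
for net in 0.0.0.0/8 10.0.0.0/8 169.254.0.0/16 172.16.0.0/12 192.0.2.0/24 \
           224.0.0.0/4 240.0.0.0/4 255.255.255.255/32; do
    iptables -A INPUT   -i eth0 -s "$net" -j DROP
    iptables -A FORWARD -i eth0 -s "$net" -j DROP
    iptables -A OUTPUT          -d "$net" -j DROP
done
iptables -A INPUT   -i eth0 -s 127.0.0.0/8 -j DROP
iptables -A FORWARD -i eth0 -s 127.0.0.0/8 -j DROP
#iptables -A INPUT  -i eth0 -s 192.168.0.0/16 -j DROP
#iptables -A FORWARD -i eth3 -s 192.168.80.0/24 -j DROP
#iptables -A OUTPUT         -d 192.168.80.0/24 -j DROP

# --- SSH brute-force throttling ---------------------------------------------
# The 5th new SSH connection from one source within 60 s is logged and
# dropped.  --rttl additionally requires the packet's TTL to match the one
# recorded by --set, so a spoofed source cannot burn another host's budget.
iptables -A INPUT -p tcp --dport 22 -m state --state NEW \
    -m recent --set --name SSHSCAN
iptables -A INPUT -p tcp --dport 22 -m state --state NEW \
    -m recent --update --seconds 60 --hitcount 5 --rttl --name SSHSCAN \
    -j LOG --log-prefix "SSH_Scan:"
iptables -A INPUT -p tcp --dport 22 -m state --state NEW \
    -m recent --update --seconds 60 --hitcount 5 --rttl --name SSHSCAN \
    -j DROP

# --- Services offered by the gateway itself ---------------------------------
# Only the first packet of a connection (NEW) is admitted here; the rest of
# each connection relies on an ESTABLISHED,RELATED rule outside this excerpt.
# The "--sport 1024:" conditions are cosmetic -- the remote side chooses its
# own source port -- and are kept only for compatibility with the original.
# Passive-mode FTP data connections arrive on arbitrary ports and need the
# FTP connection-tracking helper plus a RELATED accept to work at all.
iptables -A INPUT -i eth0 -p tcp --sport 1024: --dport 21 -m state --state NEW -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 1024: --dport 20 -m state --state NEW -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 1024: --dport 80 -m state --state NEW -j ACCEPT
# DNS: no "-i" here, so a resolver on this box also answers queries arriving
# from the upstream side.  Add "-i eth1" if only the LAN should be served --
# an open recursive resolver is an amplification-attack vector.
iptables -A INPUT -p udp --sport 1024: --dport 53 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --sport 1024: --dport 53 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --sport 53    --dport 53 -m state --state NEW -j ACCEPT
iptables -A INPUT -p udp --sport 53    --dport 53 -m state --state NEW -j ACCEPT
# SSH from anywhere (throttled above).
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT

# --- FORWARD: office LAN (eth1) -> upstream (eth0) --------------------------
# Ports that are always allowed out, regardless of the per-host rules below.
for port in 25 110 9090 9099 4040 8088 8090; do
    iptables -A FORWARD -i eth1 -o eth0 -p tcp --dport "$port" -j ACCEPT
done

# Per-host "cyworld" allow-list, then a block for everyone else.
# -m string looks for the literal substring in each packet's payload: it also
# hits unrelated traffic that happens to contain the word, sees nothing inside
# TLS, and misses a string split across two packets.  Treat it as a nuisance
# filter, not as access control.  The payload travels in ESTABLISHED packets,
# so an ESTABLISHED,RELATED ACCEPT placed ahead of these rules would bypass
# them entirely -- keep such a rule after them.
for host in 192.168.1.155 192.168.1.172 192.168.1.173 192.168.1.31 \
            192.168.1.34  192.168.1.30  192.168.1.35  192.168.1.36 \
            192.168.1.239; do
    iptables -A FORWARD -i eth1 -s "$host" -o eth0 \
        -m string --algo bm --string "cyworld" -j ACCEPT
done
iptables -A FORWARD -i eth1 -o eth0 -m string --algo bm --string "cyworld" -j DROP
iptables -A FORWARD -i eth3 -o eth0 -m string --algo bm --string "cyworld" -j DROP

# Hosts denied plain HTTP to the outside.  Only TCP/80 is blocked; HTTPS and
# any other port still pass through the catch-all ACCEPTs further down.
# 192.168.1.239 used to be on this list and has been re-enabled.
iptables -A FORWARD -s 192.168.80.0/24 -o eth0 -p tcp --dport 80 -j DROP
for host in 192.168.1.100 192.168.1.105 192.168.1.101 192.168.1.108 192.168.1.82; do
    iptables -A FORWARD -s "$host" -o eth0 -p tcp --dport 80 -j DROP
done
#iptables -A FORWARD -s 192.168.1.239 -o eth0 -p tcp --dport 80 -j DROP
#iptables -A FORWARD -s 192.168.1.212 -o eth0 -j DROP

# Per-host "nate" allow-list, then a block for everyone else on eth1
# (there is no corresponding block for eth3, as in the original).
for host in 192.168.1.73 192.168.1.71 192.168.1.239 192.168.1.155 192.168.1.25; do
    iptables -A FORWARD -i eth1 -s "$host" -o eth0 \
        -m string --algo bm --string "nate" -j ACCEPT
done
#iptables -A FORWARD -i eth1 -s 192.168.1.51 -o eth0 -m string --algo bm --string "nate" -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -m string --algo bm --string "nate" -j DROP

# Everything else from the internal networks is forwarded.  The original
# 192.168.80/81 rules carried no interface match, so a packet arriving on
# eth0 with a forged 192.168.80.x or .81.x source (192.168/16 is not in the
# eth0 bogon list) would have been forwarded into the LAN; "! -i eth0" closes
# that without changing what the real internal segments may do.
iptables -A FORWARD -i eth1   -s 192.168.1.0/24  -j ACCEPT
iptables -A FORWARD ! -i eth0 -s 192.168.80.0/24 -j ACCEPT
iptables -A FORWARD ! -i eth0 -s 192.168.81.0/24 -j ACCEPT

# --- Enable routing only now, with the FORWARD chain fail-closed -------------
echo 1 > /proc/sys/net/ipv4/ip_forward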
...
....
리눅스를 배우고 있는 초짜입니다.. 현재 사용중인 iptables 중 일부입니다..
여기서 (원문에 빨간색으로 표시된) ip "192.168.1.239" 는 처음에는 "--dport 80 -j DROP" 규칙으로 인터넷을 차단했다가, 그 규칙을 주석 처리해서 다시 열었습니다..
그리고 nate 및 싸이월드 허용 규칙에도 이 ip 를 추가했고요..
그런데도 인터넷 및 네이트온이 안 되는데.. 무슨 문제일까요..
로군님의 댓글
ACCEPT 규칙을 위쪽으로 올려 보세요 ^^ (iptables 는 체인에서 먼저 일치하는 규칙을 적용합니다.)
DROP 규칙은 아래로.