 
◆ Doly's CentOS7 Lecture 32: 12. Network Security Settings 12.2 iptables Service (3/3)





This lecture series formed the basis of a book I wrote. Now that the book is out, I find myself writing the serialized lectures again.. For CentOS7 there is a real shortage of both books and lectures. Having built, managed and consulted on Linux servers for over 10 years, I intend to write these lectures while carefully checking the parts that are essential and the parts you need to know. If you find typos in a lecture, or an explanation that is lacking or wrong, please send an e-mail to doly(at)superuser.co.kr. I believe that corrected lectures will help more people, and that the book written on the basis of these lectures will also become more complete.


12.2. iptables Service

12.2.4. Advanced iptables Configuration
Since Linux kernel 2.4, the kernel has included a packet-processing engine called Netfilter. iptables is the tool used to control that engine, and both firewalld and the iptables service looked at earlier ultimately drive the same Netfilter rules through it. Let's look at how firewall rules are set up with iptables. For the many iptables features this book does not cover, see the book "리눅스 서버 보안관리 실무" (Linux Server Security Management in Practice).

12.2.4.1. Checking iptables Rules (-nL)
To check the iptables rules that are already configured, enter the following. This is a very frequently used option, so be sure to remember it.

~]# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
REJECT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 8 reject-with icmp-host-prohibited
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpts:5900:5910
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
REJECT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 8 reject-with icmp-host-prohibited
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            127.0.0.1            state NEW tcp dpt:8080
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination


The output above uses the -L option of the iptables command to list the configured rules. The -n option prints port numbers, IP addresses and so on numerically, without DNS or service-name lookups (which also keeps the listing from stalling on slow reverse lookups). Adding -v shows more detail, including the packet and byte counters of each rule and, importantly, the input/output interfaces: without -v, an interface-bound rule such as -i lo -j ACCEPT appears above as a bare "ACCEPT all 0.0.0.0/0 0.0.0.0/0" and is easily misread as a rule that accepts everything. --line-numbers adds the position of each rule, which you need when giving a rule number to -I or -D. Because no -t option was given, only the default table, filter, is shown.



12.2.4.2. Flushing Rules (-F)
To flush all configured rules, enter the following.

~]# iptables -F

The -F option of the iptables command flushes (deletes) all rules. Because no -t option was given here either, only the default filter table is flushed; -F also leaves the chain policies untouched and does not delete user-defined chains (that is -X). Two things to keep in mind before flushing on a remote host: if a chain policy were DROP, a flush would cut off your own session, and since every policy here is ACCEPT, the host accepts everything until the rules are loaded again (for the iptables service, systemctl restart iptables reloads /etc/sysconfig/iptables). Let's check the rules after the flush.

~]# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination


You can see that only the built-in chains of the filter table, INPUT, FORWARD and OUTPUT, remain, with their policies unchanged.

12.2.4.3. Access Control for a Specific IP (-s)
With iptables you can allow or block access for a specific IP. To allow all access to the Linux server from the IP you use yourself, enter the following.


~]# iptables -A INPUT -s 192.168.0.200 -j ACCEPT


The command above uses -A to append a rule to the INPUT chain (append: the rule goes at the end of the chain). With -s, every packet whose source is 192.168.0.200 is ACCEPTed (allowed) via -j. Here -j is the option that sets the target. Because -A appends, note that on a host whose INPUT chain already ends in a catch-all REJECT (as in the saved configuration shown in 12.2.4.8), a rule appended this way lands below the REJECT and never matches; in that case insert it with -I instead, as in the next section. The example here works because the chain was just flushed.
To block the IP of a malicious user, a rule like the following can be entered.


~]# iptables -A INPUT -s 192.168.0.100 -j DROP


Entered as above, every packet arriving from 192.168.0.100 is DROPped (discarded) so that host cannot connect. The target can also be set to REJECT to refuse the connection instead. The difference matters to the client: DROP discards silently and the client waits until it times out, while REJECT sends back an error (by default icmp-port-unreachable; --reject-with tcp-reset sends a TCP RST) so the client fails immediately.

12.2.4.4. Access Control for a Specific Port and Protocol
Let's allow access to the web service. The web service uses HTTP (tcp/80) and HTTPS (tcp/443). Allow it as follows.


~]# iptables -I INPUT -p tcp --dport 80 -j ACCEPT
~]# iptables -I INPUT -p tcp --dport 443 -j ACCEPT


The commands above use -I to insert a rule into the INPUT chain (insert: by default at position 1, the front of the chain; iptables -I INPUT 3 ... would insert at position 3). -p sets the protocol to tcp and --dport sets the destination port to 80 and 443 respectively; -j ACCEPTs (allows) the packet. Here -j is the option that sets the target.

~]# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination


You can see that the rules entered above have been added to the INPUT chain. Because -I was used, the rule inserted later (443) sits above the one inserted earlier (80). iptables evaluates the rules of a chain from top to bottom, and the first rule that matches with a terminating target (ACCEPT, DROP, REJECT) decides the packet's fate; the rules below it are not consulted. If no rule matches, the chain policy (here ACCEPT) applies.

12.2.4.5. Main iptables Options
We have briefly looked at how to configure iptables. Here we look at the options that are used most often when the iptables command is used directly.


12.2.4.6. Main iptables Tables and Chains
iptables has 5 tables (filter, nat, mangle, raw, security). Of these, filter, nat and mangle are the ones used most. Each table has its own built-in chains.

See the following figure for the relationship between each table and its built-in chains.

[Figure]  Source: http://linux-ip.net/nf/nfk-traversal.png


The figure shows the flow of a packet. Let's take iptables' default table, filter, as the reference. The filter table has three built-in chains: INPUT is used for packets destined for the server itself, OUTPUT for packets originating from the server, and FORWARD for packets that pass through the server (routed from one interface to another). As the figure shows, a forwarded packet traverses FORWARD only, so it is not affected by the INPUT and OUTPUT rules; forwarding also requires net.ipv4.ip_forward=1.
The MASQUERADING setting applies the following rule internally.

~]# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

-t selects the nat table, -A appends to the POSTROUTING chain, -o restricts the rule to packets leaving through the eth0 device, and -j sets the MASQUERADE target, which rewrites the source address to the current address of the outgoing interface (the right choice when that address can change, e.g. DHCP or PPP; for a fixed address, SNAT --to-source is the usual alternative). In the figure, the POSTROUTING chain of the nat table is the last chain applied.
The port-forwarding setting applies the following rule internally.

~]# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 127.0.0.1:8080

-t selects the nat table, -A appends to the PREROUTING chain, -i restricts the rule to packets entering through the eth0 device, -p tcp and --dport 80 select TCP port 80, and -j sets the DNAT target with --to-destination rewriting the destination to port 8080 of 127.0.0.1. In the figure, the PREROUTING chain of the nat table is applied before any chain of the filter table, so the filter rules see the packet with its rewritten destination. Two caveats apply when forwarding to 127.0.0.1 in particular: the kernel discards packets that arrive on an external interface with a loopback destination unless net.ipv4.conf.eth0.route_localnet=1 is set (available since kernel 3.6, so on CentOS 7), and because the new destination is a local address the packet is delivered through the filter INPUT chain, not FORWARD, with destination port 8080, so INPUT must accept tcp/8080 for the forward to work.



12.2.4.7. Main Targets of the filter Table
filter is the table used most when building a server with Linux. Let's look at the main targets of the filter table.



12.2.4.8. Editing iptables Service Rules
Let's apply the rules we want by directly editing the file written by system-config-firewall (or system-config-firewall-tui). If you made the various settings earlier, you will find a configuration file (/etc/sysconfig/iptables) similar to the following.

# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth+ -j MASQUERADE
-A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 127.0.0.1:8080
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type echo-request -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 5900:5910 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p icmp -m icmp --icmp-type echo-request -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -o eth+ -j ACCEPT
-A FORWARD -i eth0 -m state --state NEW -m tcp -p tcp -d 127.0.0.1 --dport 8080 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT


At first sight this looks complicated. Removing the MASQUERADING setting and the FORWARD rules leaves the much cleaner file below, to which comments beginning with # have been added on a few rules.


# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
## Port forwarding 80 -> 8080
-A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 127.0.0.1:8080
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
## Block ping
-A INPUT -p icmp -m icmp --icmp-type echo-request -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
## SSH
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
## WEB
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
## VNC
-A INPUT -m state --state NEW -m tcp -p tcp --dport 5900:5910 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

Comments were added to each setting to make it easier to read.
SSH is usually not left open to everyone; in most cases it is restricted so that only specific IPs can connect, which of course presumes that those hosts have fixed IPs. Let's modify the rule as follows.

...
## SSH
-A INPUT -s 192.168.0.200 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.0.205 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
...

The setting above restricts SSH so that only the IPs 192.168.0.200 and 192.168.0.205 can connect. Alternatively it can be written as follows (iptables expands a comma-separated -s list into one rule per address, so the listing shows two rules either way).

...
## SSH
-A INPUT -s 192.168.0.200,192.168.0.205 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
...

To allow connections from every host in 192.168.0.xxx, modify it as follows (192.168.0.0/24 covers 192.168.0.0 through 192.168.0.255).

..
## SSH
-A INPUT -s 192.168.0.0/24 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
...
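As an added example that is not part of the original lecture, the bash script below generates the *filter section shown above from a list of admin sources and public ports (validating each source address first) and audits a ruleset in iptables-save format for rules that sit below a chain's catch-all REJECT and can therefore never match, which is exactly what happens when a rule is appended with -A on a host whose INPUT chain already ends in the final REJECT (see 12.2.4.3). The function names (validate_cidr, gen_filter_rules, audit_ruleset) and the demo addresses 192.168.0.200, .205 and .210 are this example's own choices, not anything from the lecture; it assumes bash and a POSIX awk, and the audit works on saved text only, so it needs neither root nor a live firewall.

```bash
#!/bin/bash
# Added example, not part of the original lecture: build the *filter section of
# /etc/sysconfig/iptables in the lecture's style from a list of admin sources and
# public ports, and audit any ruleset (iptables-save format) for rules that sit
# below an unconditional REJECT/DROP/ACCEPT in the same chain and can never match.
# Function names and the demo addresses below are this example's own choices.

# validate_cidr 192.168.0.0/24  -> 0 if a syntactically valid IPv4 address or CIDR
validate_cidr() {
    local addr plen o n=0
    addr=${1%%/*}
    if [ "$addr" = "$1" ]; then plen=32; else plen=${1#*/}; fi
    case "$plen" in ''|*[!0-9]*) return 1 ;; esac
    [ "$plen" -le 32 ] || return 1
    local IFS=.
    for o in $addr; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
        n=$((n + 1))
    done
    [ "$n" -eq 4 ]
}

# gen_filter_rules "<admin sources>" "<public tcp ports>"
#   admin sources: space-separated IPs/CIDRs that may open SSH (tcp/22)
#   public ports:  space-separated TCP ports open to every source
# Mirrors the lecture's ordering: conntrack first, lo, ICMP, SSH, services,
# and the catch-all REJECT as the last rule of INPUT.
gen_filter_rules() {
    local admins="$1" ports="$2" src port
    for src in $admins; do
        validate_cidr "$src" || { echo "bad source: $src" >&2; return 1; }
    done
    printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '## Block ping: reject echo-request, keep the rest of ICMP'
    echo '-A INPUT -p icmp -m icmp --icmp-type echo-request -j REJECT --reject-with icmp-host-prohibited'
    echo '-A INPUT -p icmp -j ACCEPT'
    echo '## SSH'
    for src in $admins; do
        echo "-A INPUT -s $src -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT"
    done
    echo '## Public services'
    for port in $ports; do
        echo "-A INPUT -m state --state NEW -m tcp -p tcp --dport $port -j ACCEPT"
    done
    echo '-A INPUT -j REJECT --reject-with icmp-host-prohibited'
    echo 'COMMIT'
}

# audit_ruleset < ruleset
# Prints each rule that follows an unconditional terminating rule (a bare
# "-A CHAIN -j ACCEPT|DROP|REJECT", with no match options) in the same chain,
# and exits 1 if any exist. A rule appended with "iptables -A INPUT ..." on a
# host whose INPUT chain already ends in the catch-all REJECT is such a rule.
audit_ruleset() {
    awk '
    /^-A / {
        chain = $2
        if (chain in shadowed) {
            print "UNREACHABLE (after line " shadowed[chain] "): " $0
            found = 1
            next
        }
        target = ""; matches = 0
        for (i = 3; i <= NF; i++) {
            if ($i == "-j") { target = $(i + 1); i++ }
            else if ($i == "--reject-with") { i++ }
            else if ($i ~ /^-/) { matches++ }     # any match option (-s, -p, -m, -i, ...)
        }
        if (matches == 0 && (target == "ACCEPT" || target == "DROP" || target == "REJECT"))
            shadowed[chain] = NR
    }
    END { if (found) exit 1; exit 0 }'
}

# Demo: a clean ruleset for two admin hosts, then the same ruleset with a rule
# appended below the final REJECT, the way "iptables -A" would place it live.
gen_filter_rules "192.168.0.200 192.168.0.205" "80 443"
{ gen_filter_rules "192.168.0.200 192.168.0.205" "80 443"; echo '-A INPUT -s 192.168.0.210 -j ACCEPT'; } |
    audit_ruleset || echo "audit: dead rule found (expected in this demo)"
```

To check a live host, pipe iptables-save into audit_ruleset; nothing is modified. If gen_filter_rules output is redirected into /etc/sysconfig/iptables, the *nat section has to be added back when the port forwarding is still wanted.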

Once the configuration is complete, restarting the iptables service applies it. On a remote host it is worth parsing the file without loading it first (as root: iptables-restore --test < /etc/sysconfig/iptables), since a file with a syntax error will fail to load on restart.


~]# systemctl restart iptables

Let's check the configured rules with the iptables command.

~]# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
REJECT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 8 reject-with icmp-host-prohibited
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  192.168.0.200        0.0.0.0/0            state NEW tcp dpt:22
ACCEPT     tcp  --  192.168.0.205        0.0.0.0/0            state NEW tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpts:5900:5910
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination


~]# iptables -t nat -nL
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:127.0.0.1:8080

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

With the -t nat option, the contents of the nat table were checked as well.


This concludes lecture 32. Whether on CentOS7 or an earlier version, firewall rules are managed with iptables, so you need to know the basics of iptables. At the very least, please make sure you know the basics of the filter rules. Writing the book is one thing, but the review and proofreading process after finishing the manuscript is complicated. After a short break following the book's publication, I am writing lectures again at the request of many readers. I will keep writing the lectures to the end with the same resolve I started with.^^  This was Doly, always on the move.^^
 
#################################################
* This lecture may be updated at any time; the original is revised at www.linux.co.kr 강좌>리눅스>Doly의 연재강좌 (Lectures > Linux > Doly's serial lectures).
* If you quote part or all of this lecture, please be sure to cite the source.

* Revision history:
 2016.04.06 (Wed): Writing this lecture on the KTX to Daejeon.



[Original link] : https://www.linux.co.kr/home2/board/subbs/board.php?bo_table=lecture&wr_id=1867



 
Doly (도리)
Technical Director (CTO), SuperUser Co., Ltd.
Author of the recommended textbook for Linux Master Level 1 and 2 (2014)
Expert committee member (question setter) for Linux Master Level 1 and 2 (Korea Association for ICT Promotion, 2005~)
Lead developer of SULinux 1.0, 1.5, 2.0, 2014 (sulinux.net, 1998~)
Development and operation of SSU, LSCP, LSMP, CCMT and other open-source projects (lscp.sf.net and others, 2009~)
Large-scale Linux deployment and management (experience building and managing 5,000 Linux servers, 2000~)

E-Mail : doly(at)superuser.co.kr
About : Let's do our best every single day!!