Linux サーバ構築 ( Fedora Core5 ) - セキュリティ
iptables
シェルスクリプトを用いた iptables の設定方法です。システム起動時に自動的にファイアウォールが構築されるように設定します。
- ファイアウォール(iptables サービス)の停止
# /etc/init.d/iptables status
# /etc/init.d/iptables stop
# chkconfig --list iptables
iptables        0:off 1:off 2:on 3:on 4:on 5:on 6:off
# chkconfig --del iptables
- iptables シェルスクリプト の作成
/usr/local/sbin/iptables-myhost
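#!/bin/sh
# iptables-myhost
#
# Builds this host's packet filter from scratch every time it runs:
#   1. fail-closed default policies, flush all tables, load FTP helpers
#   2. rules common to every interface (state tracking, ident, loopback)
#   3. NIC0 INPUT  - what the outside / the internal net may reach
#   4. NIC0 OUTPUT - what this host may initiate
#   5. LOG + DROP catch-alls for INPUT / OUTPUT / FORWARD
# Run as root; the page installs it via /etc/rc.local.  NOTE: rc.local runs
# after networking is up, so the host is briefly unfiltered at boot until
# this script completes.
#
# Exit on the first failing command and on any unset variable.  Because the
# filter-table policies are switched to DROP before anything else, a run that
# aborts half-way leaves the host closed instead of open.  (With policies at
# ACCEPT and the catch-all DROP appended last, as before, one failed command
# could leave every chain wide open.)
set -eu

################################################################################
# 1. Init and definitions
################################################################################
IPTABLES="/sbin/iptables"
if [ ! -x "$IPTABLES" ]; then
  printf 'iptables-myhost: %s not found or not executable\n' "$IPTABLES" >&2
  exit 1
fi

# Fail-closed defaults for the filter table (nat/mangle must stay ACCEPT).
# Set before flushing so there is never a window with empty chains and an
# ACCEPT policy.  Steady-state behaviour is unchanged: section 5 still ends
# every chain with LOG + DROP.
"$IPTABLES" -P INPUT   DROP
"$IPTABLES" -P OUTPUT  DROP
"$IPTABLES" -P FORWARD DROP

# Clear existing rules (flushing does not touch the policies set above)
"$IPTABLES" -F -t filter   # delete rules
"$IPTABLES" -F -t nat      # delete rules
"$IPTABLES" -F -t mangle   # delete rules
"$IPTABLES" -X             # delete user-defined chains (filter table)

# Network addresses
INT_NET="192.168.1.0/24"   # internal network; trusted for ssh and ping

# NIC
NIC0="eth0"
# Address bound to NIC0.  PLACEHOLDER (RFC 5737 TEST-NET-1, constructed):
# replace with the real address before use.  The original value here,
# 123.456.789.1, is not a valid IPv4 address (octets above 255), so iptables
# rejects any rule that uses it and those rules are never installed.
NIC0_IP="192.0.2.1"

# Ports
# FTP passive-mode data range.  Defined but not referenced by any rule below
# (kept for compatibility); FTP data connections are admitted as RELATED via
# the conntrack helper loaded next.
# shellcheck disable=SC2034
FTP_PORT="40000:50000"

# Kernel modules: FTP connection tracking / NAT helpers.  Module names are
# those of the FC5-era kernel; set -e aborts the run if a load fails.
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp

################################################################################
# 2. Common rules
################################################################################
# Replies and related traffic for connections already accepted (this is also
# what lets FTP data connections through)
"$IPTABLES" -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
"$IPTABLES" -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT

# ident (auth/113): REJECT rather than DROP so peers do not wait for a timeout
"$IPTABLES" -A INPUT  -p tcp --dport auth -j REJECT
"$IPTABLES" -A OUTPUT -p tcp --dport auth -j REJECT

# ICMP destination-unreachable, both directions
"$IPTABLES" -A INPUT  -p icmp --icmp-type destination-unreachable -j ACCEPT
"$IPTABLES" -A OUTPUT -p icmp --icmp-type destination-unreachable -j ACCEPT

# loopback
"$IPTABLES" -A INPUT  -i lo -j ACCEPT
"$IPTABLES" -A OUTPUT -o lo -j ACCEPT

################################################################################
# 3. NIC0 INPUT
################################################################################
### ACCEPT FROM ALL ###
"$IPTABLES" -A INPUT -p tcp -d "$NIC0_IP" --dport http  -i "$NIC0" -j ACCEPT   # http  [tcp80]
"$IPTABLES" -A INPUT -p tcp -d "$NIC0_IP" --dport https -i "$NIC0" -j ACCEPT   # https [tcp443]

### ACCEPT FROM INT ###
"$IPTABLES" -A INPUT -p tcp  -s "$INT_NET" -d "$NIC0_IP" --dport ssh   -i "$NIC0" -j ACCEPT   # ssh [tcp22]
"$IPTABLES" -A INPUT -p icmp -s "$INT_NET" -d "$NIC0_IP" --icmp-type 8 -i "$NIC0" -j ACCEPT   # ping (echo-request)

### DROP (silently) ###
# Noisy probes are dropped here so they never reach the LOG rule in section 5
"$IPTABLES" -A INPUT -p udp  --dport 23          -i "$NIC0" -j DROP   # telnet [udp23]
"$IPTABLES" -A INPUT -p tcp  --dport 23          -i "$NIC0" -j DROP   # telnet [tcp23]
"$IPTABLES" -A INPUT -p udp  --dport 67:68       -i "$NIC0" -j DROP   # dhcp [udp67:68]
"$IPTABLES" -A INPUT -p udp  --dport 135         -i "$NIC0" -j DROP   # location service [udp135]
"$IPTABLES" -A INPUT -p tcp  --dport 135         -i "$NIC0" -j DROP   # location service [tcp135]
"$IPTABLES" -A INPUT -p udp  --dport 137:139     -i "$NIC0" -j DROP   # netbios [udp137:139]
"$IPTABLES" -A INPUT -p tcp  --dport 137:139     -i "$NIC0" -j DROP   # netbios [tcp137:139]
"$IPTABLES" -A INPUT -p udp  --dport 162         -i "$NIC0" -j DROP   # snmptrap [udp162]
"$IPTABLES" -A INPUT -p tcp  --dport 443         -i "$NIC0" -j DROP   # https to addresses other than NIC0_IP [tcp443]
"$IPTABLES" -A INPUT -p udp  --dport 445         -i "$NIC0" -j DROP   # microsoft-ds [udp445]
"$IPTABLES" -A INPUT -p tcp  --dport 445         -i "$NIC0" -j DROP   # microsoft-ds [tcp445]
"$IPTABLES" -A INPUT -p udp  --dport routed      -i "$NIC0" -j DROP   # rip [udp520]
"$IPTABLES" -A INPUT -p udp  --dport 1080        -i "$NIC0" -j DROP   # socks [udp1080]
"$IPTABLES" -A INPUT -p udp  --dport 1900        -i "$NIC0" -j DROP   # UPnP [udp1900]
"$IPTABLES" -A INPUT -p tcp  --dport 5000        -i "$NIC0" -j DROP   # UPnP [tcp5000]
"$IPTABLES" -A INPUT -p udp  --dport 33434:33500 -i "$NIC0" -j DROP   # traceroute [udp33434:33500]
"$IPTABLES" -A INPUT -p icmp                     -i "$NIC0" -j DROP   # all other icmp (ping from INT accepted above)

################################################################################
# 4. NIC0 OUTPUT
################################################################################
### ACCEPT TO ALL ###
"$IPTABLES" -A OUTPUT -p udp -s "$NIC0_IP" --dport domain -o "$NIC0" -j ACCEPT   # DNS [udp53]
"$IPTABLES" -A OUTPUT -p udp -s "$NIC0_IP" --dport 123    -o "$NIC0" -j ACCEPT   # NTP [udp123]
"$IPTABLES" -A OUTPUT -p tcp -s "$NIC0_IP" --dport http   -o "$NIC0" -j ACCEPT   # yum http [tcp80]
"$IPTABLES" -A OUTPUT -p tcp -s "$NIC0_IP" --dport https  -o "$NIC0" -j ACCEPT   # yum https [tcp443]
"$IPTABLES" -A OUTPUT -p tcp -s "$NIC0_IP" --dport ftp    -o "$NIC0" -j ACCEPT   # yum ftp [tcp21]

### ACCEPT TO INT ###
"$IPTABLES" -A OUTPUT -p tcp -s "$NIC0_IP" -d "$INT_NET" --sport ftp-data -o "$NIC0" -j ACCEPT   # FTP-DATA [tcp20]

### DROP (silently) ###
"$IPTABLES" -A OUTPUT -p tcp -s "$NIC0_IP" --dport 137:139 -o "$NIC0" -j DROP   # NetBIOS [tcp137:139]
"$IPTABLES" -A OUTPUT -p udp -s "$NIC0_IP" --dport 137:139 -o "$NIC0" -j DROP   # NetBIOS [udp137:139]

################################################################################
# 5. Deny and log
################################################################################
# Everything not matched above is logged and dropped.  The explicit DROPs are
# now redundant with the policies set in section 1 but are kept so the chains
# read the same as before.
### INPUT ###
"$IPTABLES" -A INPUT -j LOG --log-prefix "IN-Deny! "
"$IPTABLES" -A INPUT -j DROP

### OUTPUT ###
"$IPTABLES" -A OUTPUT -j LOG --log-prefix "OUT-Deny! "
"$IPTABLES" -A OUTPUT -j DROP

### FORWARD ###
"$IPTABLES" -A FORWARD -j LOG --log-prefix "FORWARD-Deny! "
"$IPTABLES" -A FORWARD -j DROP

### End of file ###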
- iptables シェルスクリプト のパーミッション変更
# chmod 700 /usr/local/sbin/iptables-myhost
- iptables 起動設定
/etc/rc.local ( 下記を追加 )
#
# set iptables
#
/usr/local/sbin/iptables-myhost
( 最終更新日時 : 2008/08/31 21:24:47 )