Basic firewall setup right after installing Debian 8: a short iptables how-to

Last modified by wewe on 2016/05/28 01:16

Viewing the current iptables rules (add -n to print numeric addresses and ports instead of resolving names such as "anywhere" or "http")

# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Preparing the rules to load into iptables

# vi /etc/iptables.NAME.rules
*filter

# Allow all loopback (lo) traffic and reject traffic to 127/8 that does not arrive on lo
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT

# Accept all established inbound connections (replies to connections this host opened)
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow all outbound traffic
# You could modify this to only allow certain traffic
-A OUTPUT -j ACCEPT

# Allow HTTP and HTTPS connections from anywhere (the normal ports for websites): the ports to open
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

# Allow SSH connections
# The --dport number must match the Port setting in /etc/ssh/sshd_config
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

# Now you should read up on iptables rules and consider whether SSH access
# for everyone is really desired. Most likely you will only allow access from certain IPs
# (add -s with the admin network to the rule above).

# Allow ping (ICMP echo-request only)
#  note that blocking other types of ICMP packets is considered a bad idea by some;
#  remove -m icmp --icmp-type 8 from this line to allow all kinds of ICMP:
#  https://security.stackexchange.com/questions/22711
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

# Log denied packets, rate-limited to 5 per minute (read them with 'dmesg')
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

# Reject all other inbound traffic: default deny unless explicitly allowed above
-A INPUT -j REJECT
-A FORWARD -j REJECT

COMMIT

Loading the rules you prepared into iptables

Replace the NAME part of the file name with any name in ASCII letters.

# iptables-restore < /etc/iptables.NAME.rules

Checking that the rules were loaded

# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             loopback/8           reject-with icmp-port-unreachable
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:22
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
LOG        all  --  anywhere             anywhere             limit: avg 5/min burst 5 LOG level debug prefix "iptables denied: "
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Note that every chain still shows policy ACCEPT: the default deny comes only from the final REJECT rules, so flushing the table (iptables -F) or a failed restore leaves every port open. Setting the policy to DROP (":INPUT DROP [0:0]" and ":FORWARD DROP [0:0]" on the lines after "*filter" in the rules file) makes the host fail closed instead.

Conversely, you can also save the rules that are currently loaded to a file:

iptables-save > /etc/iptables.up.rules

Loading the iptables firewall rules automatically after a Debian 8 reboot

Note: the example below uses the file name iptables.up.rules.

Save the current iptables rules to a file

iptables-save > /etc/iptables.up.rules

Create the hook script that ifupdown runs (as root) before bringing up any interface

 editor /etc/network/if-pre-up.d/iptables
#!/bin/sh
# Reload the saved rules before the interface comes up
/sbin/iptables-restore < /etc/iptables.up.rules

Make the hook executable

chmod +x /etc/network/if-pre-up.d/iptables
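The following sh script is an added example and is not part of the original page or the Debian wiki. It generates the rule set above as an iptables-restore file, with the changes a practitioner usually wants: SSH accepted only from an admin network (the page's own advice), DROP chain policies so that a flushed table or a failed restore leaves the host closed rather than open, and -m conntrack --ctstate in place of the older -m state (same semantics). It also applies the file with a rollback timer, the usual guard against locking yourself out when editing a firewall over SSH, and writes an if-pre-up.d hook that fails closed if the saved file is missing or unparseable. The admin network 203.0.113.0/24 (a documentation prefix), the paths under /tmp and the 60 second rollback window are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the original page's code): generate, check, safely apply and
# persist a hardened version of the rule set. ADMIN_NET, the /tmp paths and the
# 60 s rollback window are assumptions of this example.

ADMIN_NET="${ADMIN_NET:-203.0.113.0/24}"          # assumed admin source network
RULES_FILE="${RULES_FILE:-/etc/iptables.up.rules}"
BACKUP_FILE="${BACKUP_FILE:-/tmp/iptables.backup.rules}"
ROLLBACK_PID="${ROLLBACK_PID:-/tmp/iptables.rollback.pid}"
ROLLBACK_SECS=60

# gen_rules ADMIN_NET PORT... : print an iptables-restore file to stdout.
gen_rules() {
    admin="$1"; shift
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    for p in "$@"; do                                  # public TCP services
        printf '%s\n' "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    printf '%s\n' "-A INPUT -p tcp -s $admin --dport 22 -m conntrack --ctstate NEW -j ACCEPT" \
        '-A INPUT -p icmp --icmp-type echo-request -j ACCEPT' \
        '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7' \
        '-A INPUT -j REJECT --reject-with icmp-port-unreachable' \
        'COMMIT'
}

# check_rules FILE : static checks worth running before iptables-restore; 0 = ok.
check_rules() {
    f="$1"; rc=0
    grep -q '^\*filter$' "$f" && grep -q '^COMMIT$' "$f" \
        || { echo "check: missing *filter/COMMIT"; rc=1; }
    grep -q '^:INPUT DROP' "$f" \
        || { echo "check: INPUT policy is not DROP (a flushed table is wide open)"; rc=1; }
    grep -q -- '^-A INPUT -i lo -j ACCEPT' "$f" \
        || { echo "check: loopback not accepted; local services would break"; rc=1; }
    grep -- '--dport 22 ' "$f" | grep -q -- ' -s ' \
        || { echo "check: SSH rule missing, or open to any source (no -s)"; rc=1; }
    return $rc
}

# apply_rules FILE : snapshot the live rules, load FILE, and restore the snapshot
# after ROLLBACK_SECS unless confirm_rules is run from a *new* SSH session.
apply_rules() {
    f="$1"
    check_rules "$f" || return 1
    iptables-restore --test < "$f" || { echo "apply: $f does not parse"; return 1; }
    iptables-save > "$BACKUP_FILE"
    ( sleep "$ROLLBACK_SECS"; iptables-restore < "$BACKUP_FILE" ) &
    echo $! > "$ROLLBACK_PID"
    iptables-restore < "$f"
    echo "apply: loaded $f; run '$0 confirm' within ${ROLLBACK_SECS}s or the old rules return"
}

confirm_rules() {
    kill "$(cat "$ROLLBACK_PID")" 2>/dev/null; rm -f "$ROLLBACK_PID"
}

# boot_hook ADMIN_NET : print the /etc/network/if-pre-up.d script. If the saved
# file is missing or unparseable it loads a minimal fail-closed set (loopback,
# established traffic, SSH from ADMIN_NET) instead of booting with no firewall.
boot_hook() {
    cat <<EOF
#!/bin/sh
/sbin/iptables-restore < $RULES_FILE && exit 0
logger -t iptables "restore of $RULES_FILE failed, loading fail-closed fallback"
printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]' \\
    '-A INPUT -i lo -j ACCEPT' \\
    '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \\
    '-A INPUT -p tcp -s $1 --dport 22 -j ACCEPT' 'COMMIT' | /sbin/iptables-restore
EOF
}

case "${1:-}" in
    generate) gen_rules "$ADMIN_NET" 80 443 > "$RULES_FILE" && check_rules "$RULES_FILE" ;;
    apply)    apply_rules "$RULES_FILE" ;;
    confirm)  confirm_rules ;;
    install)  boot_hook "$ADMIN_NET" > /etc/network/if-pre-up.d/iptables \
              && chmod 755 /etc/network/if-pre-up.d/iptables ;;
    *)        : ;;   # no argument: only define the functions (safe to source)
esac
```

Run "sh firewall.sh generate" and then "sh firewall.sh apply" from your current SSH session, open a second SSH session from the admin network, and only once that works run "sh firewall.sh confirm" to cancel the rollback; if the new rules cut you off, the old ones come back by themselves after 60 seconds. "sh firewall.sh install" writes the boot hook; its fallback keeps SSH reachable only from ADMIN_NET, so a corrupted rules file on a headless host is recoverable from there but the host is never left wide open.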

References

https://wiki.debian.org/iptables

Created by wewe on 2016/05/17 21:02

위위비  wewe.be - Powered by XWiki