I decided to review my iptables settings for the first time in a while, so first I check the current configuration.

[root@desktop conf]#  service iptables status
テーブル: filter
Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
2    ACCEPT     icmp --  0.0.0.0/0            192.168.11.5        icmp type 8
3    ACCEPT     icmp --  0.0.0.0/0            192.168.11.5        icmp type 0
4    ACCEPT     tcp  --  192.168.11.0/24      192.168.11.5        tcp dpt:22
5    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80
6    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:443
7    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
8    LOGGING    all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP)
num  target     prot opt source               destination

Chain OUTPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
2    ACCEPT     icmp --  192.168.11.5         0.0.0.0/0           icmp type 0
3    ACCEPT     icmp --  192.168.11.5         0.0.0.0/0           icmp type 8
4    ACCEPT     tcp  --  192.168.11.5         192.168.11.0/24     tcp spt:22
5    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spt:80
6    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spt:443
7    LOGGING    all  --  0.0.0.0/0            0.0.0.0/0

Chain LOGGING (2 references)
num  target     prot opt source               destination
1    LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 3/hour burst 5 LOG flags 0 level 4 prefix `DROP:'
2    DROP       all  --  0.0.0.0/0            0.0.0.0/0

[root@desktop conf]#

[root@desktop conf]# iptables -v -L INPUT
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    8   560 ACCEPT     all  --  lo     any     anywhere             anywhere
    0     0 ACCEPT     icmp --  eth0   any     anywhere             desktop.localdomain icmp echo-request
    0     0 ACCEPT     icmp --  eth0   any     anywhere             desktop.localdomain icmp echo-reply
 1062 71555 ACCEPT     tcp  --  eth0   any     192.168.11.0/24      desktop.localdomain tcp dpt:ssh
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:http
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:https
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
   15  2088 LOGGING    all  --  any    any     anywhere             anywhere

[root@desktop conf]# iptables -v -L OUTPUT
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    8   560 ACCEPT     all  --  any    lo      anywhere             anywhere
    0     0 ACCEPT     icmp --  any    eth0    desktop.localdomain  anywhere            icmp echo-reply
    0     0 ACCEPT     icmp --  any    eth0    desktop.localdomain  anywhere            icmp echo-request
 1144  149K ACCEPT     tcp  --  any    eth0    desktop.localdomain  192.168.11.0/24     tcp spt:ssh
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp spt:http
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp spt:https
   86  7988 LOGGING    all  --  any    any     anywhere             anywhere
[root@desktop conf]#

[root@desktop conf]# /sbin/iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             desktop.localdomain icmp echo-request
ACCEPT     icmp --  anywhere             desktop.localdomain icmp echo-reply
ACCEPT     tcp  --  192.168.11.0/24      desktop.localdomain tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
LOGGING    all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  desktop.localdomain  anywhere            icmp echo-reply
ACCEPT     icmp --  desktop.localdomain  anywhere            icmp echo-request
ACCEPT     tcp  --  desktop.localdomain  192.168.11.0/24     tcp spt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:http
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:https
LOGGING    all  --  anywhere             anywhere

Chain LOGGING (2 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere            limit: avg 3/hour burst 5 LOG level warning prefix `DROP:'
DROP       all  --  anywhere             anywhere

[root@desktop conf]# /sbin/iptables -L -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    8   560 ACCEPT     all  --  lo     any     anywhere             anywhere
    0     0 ACCEPT     icmp --  eth0   any     anywhere             desktop.localdomain icmp echo-request
    0     0 ACCEPT     icmp --  eth0   any     anywhere             desktop.localdomain icmp echo-reply
 1137 76219 ACCEPT     tcp  --  eth0   any     192.168.11.0/24      desktop.localdomain tcp dpt:ssh
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:http
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:https
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
   15  2088 LOGGING    all  --  any    any     anywhere             anywhere

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    8   560 ACCEPT     all  --  any    lo      anywhere             anywhere
    0     0 ACCEPT     icmp --  any    eth0    desktop.localdomain  anywhere            icmp echo-reply
    0     0 ACCEPT     icmp --  any    eth0    desktop.localdomain  anywhere            icmp echo-request
 1205  157K ACCEPT     tcp  --  any    eth0    desktop.localdomain  192.168.11.0/24     tcp spt:ssh
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp spt:http
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp spt:https
   98  8840 LOGGING    all  --  any    any     anywhere             anywhere

Chain LOGGING (2 references)
 pkts bytes target     prot opt in     out     source               destination
    6   673 LOG        all  --  any    any     anywhere             anywhere            limit: avg 3/hour burst 5 LOG level warning prefix `DROP:'
  113 10928 DROP       all  --  any    any     anywhere             anywhere
[root@desktop conf]#

[root@desktop conf]# /sbin/iptables -nvxL
Chain INPUT (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       8      560 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
       0        0 ACCEPT     icmp --  eth0   *       0.0.0.0/0            192.168.11.5        icmp type 8
       0        0 ACCEPT     icmp --  eth0   *       0.0.0.0/0            192.168.11.5        icmp type 0
    1230    82035 ACCEPT     tcp  --  eth0   *       192.168.11.0/24      192.168.11.5        tcp dpt:22
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:443
       0        0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
      15     2088 LOGGING    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       8      560 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
       0        0 ACCEPT     icmp --  *      eth0    192.168.11.5         0.0.0.0/0           icmp type 0
       0        0 ACCEPT     icmp --  *      eth0    192.168.11.5         0.0.0.0/0           icmp type 8
    1318   172832 ACCEPT     tcp  --  *      eth0    192.168.11.5         192.168.11.0/24     tcp spt:22
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:80
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:443
     106     9408 LOGGING    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain LOGGING (2 references)
    pkts      bytes target     prot opt in     out     source               destination
       6      673 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 3/hour burst 5 LOG flags 0 level 4 prefix `DROP:'
     121    11496 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
[root@desktop conf]#
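Before rewriting a ruleset it helps to know which rules are actually doing work. The following is an added helper, not something from the original post: it parses `iptables -nvxL` output with awk and reports the rules that have matched packets, the ACCEPT rules that have never matched, and the total number of packets that ended in DROP (DROP targets plus DROP policies). The embedded sample is the `-nvxL` listing shown just above; the function names and the `live` argument are my own.

```shell
#!/bin/sh
# Added example (not from the original post): summarise the packet counters in
# "iptables -nvxL" output so you can see which rules are really in use before
# rewriting the ruleset. Function names and the "live" argument are my own.

# The "/sbin/iptables -nvxL" listing captured in the post (FORWARD chain omitted,
# it has no rules).
sample_listing() {
    cat <<'EOF'
Chain INPUT (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       8      560 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
       0        0 ACCEPT     icmp --  eth0   *       0.0.0.0/0            192.168.11.5        icmp type 8
       0        0 ACCEPT     icmp --  eth0   *       0.0.0.0/0            192.168.11.5        icmp type 0
    1230    82035 ACCEPT     tcp  --  eth0   *       192.168.11.0/24      192.168.11.5        tcp dpt:22
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:443
       0        0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
      15     2088 LOGGING    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       8      560 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
       0        0 ACCEPT     icmp --  *      eth0    192.168.11.5         0.0.0.0/0           icmp type 0
       0        0 ACCEPT     icmp --  *      eth0    192.168.11.5         0.0.0.0/0           icmp type 8
    1318   172832 ACCEPT     tcp  --  *      eth0    192.168.11.5         192.168.11.0/24     tcp spt:22
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:80
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:443
     106     9408 LOGGING    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain LOGGING (2 references)
    pkts      bytes target     prot opt in     out     source               destination
       6      673 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 3/hour burst 5 LOG flags 0 level 4 prefix `DROP:'
     121    11496 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
EOF
}

# Rules that have matched at least one packet, as "CHAIN TARGET PKTS BYTES MATCH...".
# Column layout of -nvxL: pkts bytes target prot opt in out source destination [match].
hit_rules() {
    awk '
        /^Chain /            { chain = $2; next }
        /^ *pkts/ || NF == 0 { next }
        $1 > 0 {
            printf "%s %s %s %s", chain, $3, $1, $2
            for (i = 10; i <= NF; i++) printf " %s", $i
            print ""
        }'
}

# Rules that have never matched: candidates to question when tightening the policy.
unused_rules() {
    awk '
        /^Chain /            { chain = $2; next }
        /^ *pkts/ || NF == 0 { next }
        $1 == 0 {
            printf "%s %s %s %s", chain, $3, $1, $2
            for (i = 10; i <= NF; i++) printf " %s", $i
            print ""
        }'
}

# Packets dropped: DROP targets plus packets that fell through to a DROP policy
# (the chain header reads "Chain NAME (policy DROP N packets, M bytes)").
dropped_total() {
    awk '
        /^Chain / { if ($3 == "(policy" && $4 == "DROP") total += $5; next }
        /^ *pkts/ || NF == 0 { next }
        $3 == "DROP" { total += $1 }
        END { print total + 0 }'
}

# Run all three reports over a listing read from stdin.
report() {
    listing=$(cat)
    echo "== rules that have matched packets =="
    printf '%s\n' "$listing" | hit_rules
    echo "== rules that have never matched =="
    printf '%s\n' "$listing" | unused_rules
    echo "== packets dropped =="
    printf '%s\n' "$listing" | dropped_total
}

case "${1:-}" in
    live) /sbin/iptables -nvxL | report ;;   # needs root
    *)    sample_listing | report ;;
esac
```

On the sample, the http and https ACCEPT rules have never matched while 121 packets went to DROP, of which only 6 were logged because the LOG rule is limited to 3 per hour with a burst of 5. Those are the numbers to look at before deciding which rules to keep.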

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Reconfiguring iptables

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

"Note: for building a script"

[root@desktop conf]# myhost=`ifconfig eth0 | grep "inet addr" | awk '{print $2}' | sed 's/addr://'`
[root@desktop conf]# echo $myhost
192.168.11.5
[root@desktop conf]#

[root@desktop conf]# bcast=`ifconfig eth0 | grep "inet addr" | awk '{print $3}' | sed 's/Bcast://'`
[root@desktop conf]# echo $bcast
192.168.11.255
[root@desktop conf]#

[root@desktop conf]# mask=`ifconfig eth0 | grep "inet addr" | awk '{print $4}' | sed 's/Mask://'`
[root@desktop conf]# echo $mask
255.255.255.0
[root@desktop conf]#

① Reset the existing configuration and remove the rules (without saving)

[root@desktop ~]# /sbin/iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             desktop.localdomain icmp echo-request
ACCEPT     icmp --  anywhere             desktop.localdomain icmp echo-reply
ACCEPT     tcp  --  192.168.11.0/24      desktop.localdomain tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
LOGGING    all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  desktop.localdomain  anywhere            icmp echo-reply
ACCEPT     icmp --  desktop.localdomain  anywhere            icmp echo-request
ACCEPT     tcp  --  desktop.localdomain  192.168.11.0/24     tcp spt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:http
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:https
LOGGING    all  --  anywhere             anywhere

Chain LOGGING (2 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere            limit: avg 3/hour burst 5 LOG level warning prefix `DROP:'
DROP       all  --  anywhere             anywhere
[root@desktop ~]# /sbin/iptables -P INPUT ACCEPT
[root@desktop ~]# /sbin/iptables -P FORWARD DROP
[root@desktop ~]# /sbin/iptables -P OUTPUT ACCEPT
[root@desktop ~]# /sbin/iptables -F
[root@desktop ~]# /sbin/iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain LOGGING (0 references)
target     prot opt source               destination
[root@desktop ~]#

② INPUT basic settings

[root@desktop ~]# /sbin/iptables -A INPUT -i lo -j ACCEPT
[root@desktop ~]# /sbin/iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain LOGGING (0 references)
target     prot opt source               destination
[root@desktop ~]#

③ INPUT detailed settings and verification

[root@desktop ~]# /sbin/iptables -A INPUT -i eth0 -p icmp -j ACCEPT
[root@desktop ~]# /sbin/iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
[root@desktop ~]# /sbin/iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
[root@desktop ~]# /sbin/iptables -A INPUT -i eth0 -s 192.168.11.0/24 -p all -j ACCEPT
[root@desktop ~]# /sbin/iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[root@desktop ~]# /sbin/iptables -P INPUT DROP
[root@desktop ~]# /sbin/iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
ACCEPT     all  --  192.168.11.0/24      anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain LOGGING (0 references)
target     prot opt source               destination
[root@desktop ~]#

④ OUTPUT detailed settings and verification

[root@desktop ~]# /sbin/iptables -A OUTPUT -o lo -j ACCEPT
[root@desktop ~]# /sbin/iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
ACCEPT     all  --  192.168.11.0/24      anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain LOGGING (0 references)
target     prot opt source               destination
[root@desktop ~]# /sbin/iptables -A OUTPUT -o eth0 -p icmp -j ACCEPT
[root@desktop ~]# /sbin/iptables -A OUTPUT -o eth0 -p tcp --dport 22 -j ACCEPT
[root@desktop ~]# /sbin/iptables -A OUTPUT -o eth0 -p tcp --dport 80 -j ACCEPT
[root@desktop ~]# /sbin/iptables -A OUTPUT -o eth0 -s 192.168.11.0/24 -p all -j ACCEPT
[root@desktop ~]# /sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
[root@desktop ~]# /sbin/iptables -P OUTPUT DROP
[root@desktop ~]# /sbin/iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
ACCEPT     all  --  192.168.11.0/24      anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
ACCEPT     all  --  192.168.11.0/24      anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED

Chain LOGGING (0 references)
target     prot opt source               destination
[root@desktop ~]#

⑤ Verify and save the settings

[root@desktop ~]# /sbin/iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
ACCEPT     all  --  192.168.11.0/24      anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
ACCEPT     all  --  192.168.11.0/24      anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED

Chain LOGGING (0 references)
target     prot opt source               destination
[root@desktop ~]#

[root@desktop ~]# /etc/init.d/iptables save
ファイアウォールのルールを /etc/sysconfig/iptables に保存中[  OK  ]
[root@desktop ~]# /etc/init.d/iptables restart
ファイアウォールルールを適用中:                            [  OK  ]
チェインポリシーを ACCEPT に設定中filter                   [  OK  ]
iptables モジュールを取り外し中                            [  OK  ]
iptables ファイアウォールルールを適用中:                   [  OK  ]
iptables モジュールを読み込み中ip_conntrack_netbios_ns     [  OK  ]
[root@desktop ~]# /sbin/iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
ACCEPT     all  --  192.168.11.0/24      anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
ACCEPT     all  --  192.168.11.0/24      anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED

Chain LOGGING (0 references)
target     prot opt source               destination
[root@desktop ~]#

※ Since /etc/hosts.allow and /etc/hosts.deny are also in use, even with the settings above SSH is restricted so that only a specific segment can use it.

As for /sbin/iptables -A INPUT -i eth0 -s 192.168.11.0/24 -p all -j ACCEPT, I am thinking it could be removed to make things more secure.
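Steps ① through ⑤ above, turned into a script in the spirit of the "Note: for building a script" section. This is an added example, not the post's own script. It assumes the interface is eth0, the old ifconfig "inet addr: ... Mask: ..." output format the post shows, and iptables at /sbin/iptables; instead of hard-coding 192.168.11.0/24 it derives the LAN prefix from the address and netmask, which also covers masks other than /24. The function names and the print/apply arguments are my own.

```shell
#!/bin/sh
# Added example (not the post's own script): rebuild the ruleset from steps
# (1)-(5), deriving the LAN prefix from the interface address and netmask.
# Assumptions: interface eth0, the old ifconfig "inet addr:... Mask:..." output
# format shown in the post, iptables at /sbin/iptables.
IPTABLES=${IPTABLES:-/sbin/iptables}
IFACE=${IFACE:-eth0}
DRY_RUN=${DRY_RUN:-1}   # 1 = print the commands, 0 = execute them

# Extract "host mask" from an ifconfig "inet addr:" line read on stdin.
parse_inet_line() {
    sed -n 's/.*inet addr:\([0-9.]*\).*Mask:\([0-9.]*\).*/\1 \2/p'
}

# Dotted netmask -> prefix length (255.255.255.0 -> 24). Rejects non-contiguous
# masks such as 255.0.255.0, which would otherwise yield a meaningless prefix.
mask_to_prefix() {
    bits=0
    closed=0
    for octet in $(echo "$1" | tr '.' ' '); do
        if [ "$closed" = 1 ] && [ "$octet" != 0 ]; then
            echo "non-contiguous netmask: $1" >&2
            return 1
        fi
        case $octet in
            255) bits=$((bits + 8)) ;;
            254) bits=$((bits + 7)); closed=1 ;;
            252) bits=$((bits + 6)); closed=1 ;;
            248) bits=$((bits + 5)); closed=1 ;;
            240) bits=$((bits + 4)); closed=1 ;;
            224) bits=$((bits + 3)); closed=1 ;;
            192) bits=$((bits + 2)); closed=1 ;;
            128) bits=$((bits + 1)); closed=1 ;;
            0)   closed=1 ;;
            *)   echo "bad netmask octet: $octet" >&2; return 1 ;;
        esac
    done
    echo "$bits"
}

# Host address + netmask -> network in CIDR form
# (192.168.11.5 255.255.255.0 -> 192.168.11.0/24).
network_cidr() {
    prefix=$(mask_to_prefix "$2") || return 1
    set -- $(echo "$1" | tr '.' ' ') $(echo "$2" | tr '.' ' ')
    echo "$(($1 & $5)).$(($2 & $6)).$(($3 & $7)).$(($4 & $8))/$prefix"
}

# Print or execute one iptables command.
rule() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$IPTABLES $*"
    else
        "$IPTABLES" "$@"
    fi
}

# The ruleset from the post, parameterised by the LAN prefix.
build_ruleset() {
    lan=$1
    # Step 1: open the policies before flushing, so an SSH session over eth0
    # survives the moment the RELATED,ESTABLISHED rule disappears.
    rule -P INPUT ACCEPT
    rule -P FORWARD DROP
    rule -P OUTPUT ACCEPT
    rule -F
    # Steps 2-3: INPUT.
    rule -A INPUT -i lo -j ACCEPT
    rule -A INPUT -i "$IFACE" -p icmp -j ACCEPT
    rule -A INPUT -i "$IFACE" -p tcp --dport 22 -j ACCEPT
    rule -A INPUT -i "$IFACE" -p tcp --dport 80 -j ACCEPT
    # Accepts anything from the LAN; the post notes this one could be removed.
    rule -A INPUT -i "$IFACE" -s "$lan" -p all -j ACCEPT
    rule -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    rule -P INPUT DROP
    # Step 4: OUTPUT (replies from the local sshd/httpd are covered by ESTABLISHED).
    rule -A OUTPUT -o lo -j ACCEPT
    rule -A OUTPUT -o "$IFACE" -p icmp -j ACCEPT
    rule -A OUTPUT -o "$IFACE" -p tcp --dport 22 -j ACCEPT
    rule -A OUTPUT -o "$IFACE" -p tcp --dport 80 -j ACCEPT
    rule -A OUTPUT -o "$IFACE" -s "$lan" -p all -j ACCEPT
    rule -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    rule -P OUTPUT DROP
}

# Read the address from the interface and build the ruleset for its network.
build_from_interface() {
    set -- $(ifconfig "$IFACE" | grep 'inet addr' | parse_inet_line)
    if [ $# -ne 2 ]; then
        echo "could not read an IPv4 address/netmask from $IFACE" >&2
        return 1
    fi
    lan=$(network_cidr "$1" "$2") || return 1
    build_ruleset "$lan"
}

case "${1:-}" in
    print) DRY_RUN=1; build_from_interface ;;
    apply) DRY_RUN=0; build_from_interface ;;   # needs root
esac
```

Run it with `print` to see the commands and with `apply` (as root) to load them, then check with `/sbin/iptables -L` and save with `/etc/init.d/iptables save` as in step ⑤. One point worth seeing in the generated list: the `-s LAN -p all` rule on OUTPUT matches every packet the host sends on eth0, because the host's own address 192.168.11.5 lies inside 192.168.11.0/24, so the `--dport 22`/`--dport 80` OUTPUT rules only matter if that rule is removed along with its INPUT counterpart.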