管理者: 2008年4月アーカイブ
久々にIPTABLEの設定を見直すことにしたので,現在の設定をまず確認。
[root@desktop conf]# service iptables status
テーブル: filter
Chain INPUT (policy DROP)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
2 ACCEPT icmp -- 0.0.0.0/0 192.168.11.5 icmp type 8
3 ACCEPT icmp -- 0.0.0.0/0 192.168.11.5 icmp type 0
4 ACCEPT tcp -- 192.168.11.0/24 192.168.11.5 tcp dpt:22
5 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
6 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
7 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
8 LOGGING all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP)
num target prot opt source destination
Chain OUTPUT (policy DROP)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
2 ACCEPT icmp -- 192.168.11.5 0.0.0.0/0 icmp type 0
3 ACCEPT icmp -- 192.168.11.5 0.0.0.0/0 icmp type 8
4 ACCEPT tcp -- 192.168.11.5 192.168.11.0/24 tcp spt:22
5 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:80
6 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:443
7 LOGGING all -- 0.0.0.0/0 0.0.0.0/0
Chain LOGGING (2 references)
num target prot opt source destination
1 LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/hour burst 5 LOG flags 0 level 4 prefix `DROP:'
2 DROP all -- 0.0.0.0/0 0.0.0.0/0
[root@desktop conf]#
[root@desktop conf]# iptables -v -L INPUT
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
8 560 ACCEPT all -- lo any anywhere anywhere
0 0 ACCEPT icmp -- eth0 any anywhere desktop.localdomain icmp echo-request
0 0 ACCEPT icmp -- eth0 any anywhere desktop.localdomain icmp echo-reply
1062 71555 ACCEPT tcp -- eth0 any 192.168.11.0/24 desktop.localdomain tcp dpt:ssh
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:http
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:https
0 0 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
15 2088 LOGGING all -- any any anywhere anywhere
[root@desktop conf]# iptables -v -L OUTPUT
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
8 560 ACCEPT all -- any lo anywhere anywhere
0 0 ACCEPT icmp -- any eth0 desktop.localdomain anywhere icmp echo-reply
0 0 ACCEPT icmp -- any eth0 desktop.localdomain anywhere icmp echo-request
1144 149K ACCEPT tcp -- any eth0 desktop.localdomain 192.168.11.0/24 tcp spt:ssh
0 0 ACCEPT tcp -- any any anywhere anywhere tcp spt:http
0 0 ACCEPT tcp -- any any anywhere anywhere tcp spt:https
86 7988 LOGGING all -- any any anywhere anywhere
[root@desktop conf]#
[root@desktop conf]# /sbin/iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere desktop.localdomain icmp echo-request
ACCEPT icmp -- anywhere desktop.localdomain icmp echo-reply
ACCEPT tcp -- 192.168.11.0/24 desktop.localdomain tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
LOGGING all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- desktop.localdomain anywhere icmp echo-reply
ACCEPT icmp -- desktop.localdomain anywhere icmp echo-request
ACCEPT tcp -- desktop.localdomain 192.168.11.0/24 tcp spt:ssh
ACCEPT tcp -- anywhere anywhere tcp spt:http
ACCEPT tcp -- anywhere anywhere tcp spt:https
LOGGING all -- anywhere anywhere
Chain LOGGING (2 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/hour burst 5 LOG level warning prefix `DROP:'
DROP all -- anywhere anywhere
[root@desktop conf]# /sbin/iptables -L -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
8 560 ACCEPT all -- lo any anywhere anywhere
0 0 ACCEPT icmp -- eth0 any anywhere desktop.localdomain icmp echo-request
0 0 ACCEPT icmp -- eth0 any anywhere desktop.localdomain icmp echo-reply
1137 76219 ACCEPT tcp -- eth0 any 192.168.11.0/24 desktop.localdomain tcp dpt:ssh
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:http
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:https
0 0 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
15 2088 LOGGING all -- any any anywhere anywhere
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
8 560 ACCEPT all -- any lo anywhere anywhere
0 0 ACCEPT icmp -- any eth0 desktop.localdomain anywhere icmp echo-reply
0 0 ACCEPT icmp -- any eth0 desktop.localdomain anywhere icmp echo-request
1205 157K ACCEPT tcp -- any eth0 desktop.localdomain 192.168.11.0/24 tcp spt:ssh
0 0 ACCEPT tcp -- any any anywhere anywhere tcp spt:http
0 0 ACCEPT tcp -- any any anywhere anywhere tcp spt:https
98 8840 LOGGING all -- any any anywhere anywhere
Chain LOGGING (2 references)
pkts bytes target prot opt in out source destination
6 673 LOG all -- any any anywhere anywhere limit: avg 3/hour burst 5 LOG level warning prefix `DROP:'
113 10928 DROP all -- any any anywhere anywhere
[root@desktop conf]#
[root@desktop conf]# /sbin/iptables -nvxL
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
8 560 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- eth0 * 0.0.0.0/0 192.168.11.5 icmp type 8
0 0 ACCEPT icmp -- eth0 * 0.0.0.0/0 192.168.11.5 icmp type 0
1230 82035 ACCEPT tcp -- eth0 * 192.168.11.0/24 192.168.11.5 tcp dpt:22
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
15 2088 LOGGING all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
8 560 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * eth0 192.168.11.5 0.0.0.0/0 icmp type 0
0 0 ACCEPT icmp -- * eth0 192.168.11.5 0.0.0.0/0 icmp type 8
1318 172832 ACCEPT tcp -- * eth0 192.168.11.5 192.168.11.0/24 tcp spt:22
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:443
106 9408 LOGGING all -- * * 0.0.0.0/0 0.0.0.0/0
Chain LOGGING (2 references)
pkts bytes target prot opt in out source destination
6 673 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/hour burst 5 LOG flags 0 level 4 prefix `DROP:'
121 11496 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
[root@desktop conf]#
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
IPテーブルの再設定
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
「メモ:スクリプト作成用」
[root@desktop conf]# myhost=`ifconfig eth0 | grep "inet addr" | awk '{print $2}' | sed 's/addr://'`
[root@desktop conf]# echo $myhost
192.168.11.5
[root@desktop conf]#
[root@desktop conf]# bcast=`ifconfig eth0 | grep "inet addr" | awk '{print $3}' | sed 's/Bcast://'`
[root@desktop conf]# echo $bcast
192.168.11.255
[root@desktop conf]#
[root@desktop conf]# mask=`ifconfig eth0 | grep "inet addr" | awk '{print $4}' | sed 's/Mask://'`
[root@desktop conf]# echo $mask
255.255.255.0
[root@desktop conf]#
① 既存の設定を初期化して,削除。(SAVEはしない)
[root@desktop ~]# /sbin/iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere desktop.localdomain icmp echo-request
ACCEPT icmp -- anywhere desktop.localdomain icmp echo-reply
ACCEPT tcp -- 192.168.11.0/24 desktop.localdomain tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
LOGGING all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- desktop.localdomain anywhere icmp echo-reply
ACCEPT icmp -- desktop.localdomain anywhere icmp echo-request
ACCEPT tcp -- desktop.localdomain 192.168.11.0/24 tcp spt:ssh
ACCEPT tcp -- anywhere anywhere tcp spt:http
ACCEPT tcp -- anywhere anywhere tcp spt:https
LOGGING all -- anywhere anywhere
Chain LOGGING (2 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/hour burst 5 LOG level warning prefix `DROP:'
DROP all -- anywhere anywhere
[root@desktop ~]# /sbin/iptables -P INPUT ACCEPT
[root@desktop ~]# /sbin/iptables -P FORWARD DROP
[root@desktop ~]# /sbin/iptables -P OUTPUT ACCEPT
[root@desktop ~]# /sbin/iptables -F
[root@desktop ~]# /sbin/iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain LOGGING (0 references)
target prot opt source destination
[root@desktop ~]#
②INPUT基本設定
[root@desktop ~]# /sbin/iptables -A INPUT -i lo -j ACCEPT
[root@desktop ~]# /sbin/iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain LOGGING (0 references)
target prot opt source destination
[root@desktop ~]#
③INPUT詳細設定と確認
[root@desktop ~]# /sbin/iptables -A INPUT -i eth0 -p icmp -j ACCEPT
[root@desktop ~]# /sbin/iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
[root@desktop ~]# /sbin/iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
[root@desktop ~]# /sbin/iptables -A INPUT -i eth0 -s 192.168.11.0/24 -p all -j ACCEPT
[root@desktop ~]# /sbin/iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[root@desktop ~]# /sbin/iptables -P INPUT DROP
[root@desktop ~]# /sbin/iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT all -- 192.168.11.0/24 anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain LOGGING (0 references)
target prot opt source destination
[root@desktop ~]#
④OUTPUT詳細設定と確認
[root@desktop ~]# /sbin/iptables -A OUTPUT -o lo -j ACCEPT
[root@desktop ~]# /sbin/iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT all -- 192.168.11.0/24 anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain LOGGING (0 references)
target prot opt source destination
[root@desktop ~]# /sbin/iptables -A OUTPUT -o eth0 -p icmp -j ACCEPT
[root@desktop ~]# /sbin/iptables -A OUTPUT -o eth0 -p tcp --dport 22 -j ACCEPT
[root@desktop ~]# /sbin/iptables -A OUTPUT -o eth0 -p tcp --dport 80 -j ACCEPT
[root@desktop ~]# /sbin/iptables -A OUTPUT -o eth0 -s 192.168.11.0/24 -p all -j ACCEPT
[root@desktop ~]# /sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
[root@desktop ~]# /sbin/iptables -P OUTPUT DROP
[root@desktop ~]# /sbin/iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT all -- 192.168.11.0/24 anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT all -- 192.168.11.0/24 anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Chain LOGGING (0 references)
target prot opt source destination
[root@desktop ~]#
⑤設定の確認と保存
[root@desktop ~]# /sbin/iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT all -- 192.168.11.0/24 anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT all -- 192.168.11.0/24 anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Chain LOGGING (0 references)
target prot opt source destination
[root@desktop ~]#
[root@desktop ~]# /etc/init.d/iptables save
ファイアウォールのルールを /etc/sysconfig/iptables に保存中[ OK ]
[root@desktop ~]# /etc/init.d/iptables restart
ファイアウォールルールを適用中: [ OK ]
チェインポリシーを ACCEPT に設定中filter [ OK ]
iptables モジュールを取り外し中 [ OK ]
iptables ファイアウォールルールを適用中: [ OK ]
iptables モジュールを読み込み中ip_conntrack_netbios_ns [ OK ]
[root@desktop ~]# /sbin/iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT all -- 192.168.11.0/24 anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT all -- 192.168.11.0/24 anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Chain LOGGING (0 references)
target prot opt source destination
[root@desktop ~]#
※ /etc/hosts.allow & /etc/hosts.denyも利用しているので上記の設定でもSSHも特定のセグメントのみしか
利用出来ないようにしている。
/sbin/iptables -A INPUT -i eth0 -s 192.168.11.0/24 -p all -j ACCEPT に関しては,よりセキュアにするには
外して良いかと考えている。
