Techno Computer

[ Archive ]


linux 7.1 kernel 2.4.x iptables setting - firewall
Name : Mr heo     No. : 41     Views : 212652
Uploaded : 2001-06-08 18:02:22

This is a firewall script that uses iptables.

The original source is [MonMotha's IPTables Firewall];
with the configuration section at the top edited, it is running well.

http://t245.dyndns.org/~monmotha/firewall/index.php

#!/bin/sh
# ----------------------------------------------------------------------|
# This is it...MonMotha's Firewall 2.3.3-pre1! |
# ----------------------------------------------------------------------|
# 2.3 RELEASE NOTES: This is the 2.2 series with some extra stuff, |
# including MAC address matching, stateful matching, port forwarding, |
# per-proto accept behavior, and some other stuff that I might think |
# about adding later. |
# ----------------------------------------------------------------------|
# COMMENTS from MonMotha, Steff, and LaptopZZ: |
# |
# Please...PLEASE give me feedback on your experiences with this script |
# I would really like to know what everyone wants, what works, and |
# about the inevitable bugs present in anything. |
# |
# Direct all feedback to: bvmopen@usa.net |
# --MonMotha |
# ----------------------------------------------------------------------|
# SYSTEM REQUIREMENTS: You must have either compiled the appropriate |
# iptables support into your 2.4 kernel or have loaded all the |
# applicable modules BEFORE you run this script. This script assumes |
# that you have everything compiled into your kernel. |
# |
# You will need (at least) the following kernel options to use |
# this firewall: CONFIG_NETFILTER, CONFIG_IP_NF_IPTABLES, |
# CONFIG_IP_NF_FILTER, CONFIG_IP_NF_MATCH_STATE and |
# CONFIG_IP_NF_TARGET_REJECT. |
# To use the masquerading you will also need (at least): |
# CONFIG_IP_NF_CONNTRACK, CONFIG_IP_NF_NAT, CONFIG_IP_NF_NAT_NEEDED |
# and CONFIG_IP_NF_TARGET_MASQUERADE. |
# Additional options may be needed to use other features. |
# |
# You need iptables. Get it at "http://netfilter.filewatcher.org". |
# |
# This script was written (and partially tested) with iptables 1.2 |
# and kernel 2.4.0 or 2.4.1 in mind. |
# |
# Also, this is a BASH shell script...any 2.x version of GNU BASH |
# should work. |
# |
# SED should no longer be required since I use builtins now. |
# ----------------------------------------------------------------------|
# |
# This is distributed under the modified BSD license: |
# |
# Redistribution and use in source and binary forms, with or without |
# modification, are permitted provided that the following conditions |
# are met: |
# |
# 1.Redistributions of source code must retain the above copyright |
# notice, this list of conditions and the following disclaimer. |
# 2.Redistributions in binary form must reproduce the above |
# copyright notice, this list of conditions and the following |
# disclaimer in the documentation and/or other materials provided |
# with the distribution. |
# 3.The name of the author may not be used to endorse or promote |
# products derived from this software without specific prior |
# written permission. |
# |
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR |
# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED |
# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE |
# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY |
# DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL |
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE |
# GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS |
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER |
# IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR |
# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN |
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE |
# |
# While this may be used freely for commercial use, I do REQUEST that |
# any commercial users please tell me via e-mail at bvmopen@usa.net |
# that they are using it, why they chose it, how well it works, etc. |
# |
# ----------------------------------------------------------------------|
# IMPORTANT: This firewall is currently in beta! It may be too |
# restrictive or insecure. |
# ----------------------------------------------------------------------|
# CHANGELOG: (Since 2.3.0-pre1a only) |
# version 2.3.3: Fatal syntax error in IP forward detect fix |
# Don't bail on no IP forward for no LAN |
# version 2.3.3-pre1: Reject with tcp-reset for TCP option |
# Removed the huge list of censorship |
# Moved the port forwards to stable options |
# Moved the TOS mangling to stable options |
# Check before enabling IP Forwarding and |
# IP SynCookies |
# Don't run censorship loop if no rules |
# Request low latency TOS on UDP packets for |
# games on ports 4000-7000 (Diablo II) |
# Fix bad syntax in the port forwarding loops |
# Reversed DMZIN and DMZOUT fixed |
# Various syntax fixes |
# Stateful inspection on forward chain |
# Other stateful matching changes |
# version 2.3.2: Fixed bad syntax in DMZ_IFACE loop |
# version 2.3.2-pre2: Put a real license on it (BSD license) |
# Changed format of ALLOW_HOSTWISE and |
# DENY_HOSTWISE to be less confusing |
# (the ":" was changed to ">") |
# Added LOG_FLOOD option to tweak log limit |
# Added SYN_FLOOD option to tweak SYN limit |
# Added PING_FLOOD option to tweak PING limit |
# version 2.3.2-pre1: Stateful matching on active FTP and SSH |
# rules (thanks to Len Padilla) |
# Fixed a minor bug in chain creation order |
# (thanks to Peter Lindman) |
# TOS Optimizations (thanks to vesa alatalo) |
# Begin DMZ Support |
# Proofread comments and correct |
# Use BASH builtins instead of sed |
# (thanks to Craig Ludington) |
# Fixed "USE_SNAT" bug in port forwarding |
# (has been changed to "SNAT_LAN") |
# (thanks to Frédéric Marchand) |
# Tuned down default TCP allows (remove POP3) |
# version 2.3.1: Option for 1:1 or subnet:1 static NAT |
# Internet censorship options |
# version 2.3.1-pre2: Added option to deny specific ports from |
# specific hosts |
# Added limiting to logging chains to prevent |
# log DoSing |
# Spiffed up comments |
# Changed the "AUTH_ALLOW" and "DNS" options |
# to be more generic and flexible |
# version 2.3.1-pre1: Updated comments for new kernel version |
# Removed double drop setting |
# Updated for iptables-1.2 |
# Began a kernel option list |
# version 2.3.0: No changes from pre1g |
# version 2.3.0-pre1g: Tuned down default TCP allows |
# Restructure to SSH loop |
# Status Reporting Fixes (newlines, etc.) |
# Fix log prefix length on accept loops |
# version 2.3.0-pre1f: Moved the ICMP echo-request limit to where |
# it should have been |
# Allows the rest of the ICMP like it should |
# Remove the interface matching from ICMP |
# echo-request (not needed) |
# version 2.3.0-pre1e: Fixed an issue in the invalid matching |
# version 2.3.0-pre1d: Spiffed up comments |
# Port Forwarding |
# Moved the deny setting to normal options |
# version 2.3.0-pre1c: Minor fixes that don't (currently) affect |
# functionality |
# version 2.3.0-pre1b: Security fix documented in 2.1.13 |
# Slight logic change in TCP_ALLOW loop |
# Don't print allow messages if nothing is |
# allowed by that loop |
# Changed IPTables download URL |
# version 2.3.0-pre1a: Initial branch from 2.1.12 |
# Add stuff in release notes except port fw |
# ----------------------------------------------------------------------|
# USE AT YOUR OWN RISK! THIS IS WITHOUT ANY WARRANTY STATED OR IMPLIED! |
# That means NONE whatsoever, not even fitfullness for purpose! |
# ----------------------------------------------------------------------|
# You NEED to set this! |
# Configuration follows: |
# |
# Notes about configuration: |
# Some things take more than one option; separate with spaces. |
# You probably don't want all the ports I have under here open, portscan|
# yourself to find what you want open. |
# For SSH you need port 22 in TCP_ALLOW, and set the appropriate SSH |
# system(s) to "TRUE". |
# If you want to used host-based identd allowing, do NOT put 113 in |
# TCP_ALLOW and DO set ALLOW_TCP_HOSTWISE (using 113 as the port).|
# Of course, you can also put 113 in TCP_ALLOW to allow anyone. |
# The same applies to DNS zone transfers (only use port 53 and UDP). |
# MAC_MASQ is ONLY used for the purposes of masquerading and it will |
# override the MASQ_LAN setting for masquerading. However, you |
# must still define MASQ_LAN properly. |
# INTERNAL_LAN must always be properly defined for other things! |
# You can use hostnames anywhere, but you'll need to have access to the |
# DNS server when the script runs and you might not get the expected |
# result since the DNS lookup is only done once. |
# You can mix and match hosts with public IPs and masqueraded hosts in |
# INTERNAL_LAN as long as you define the ones to use NAT later. |
# DMZ support can currently be considered (at best) PREALPHA. |
# Confused yet? Please suggest how I can make this clearer! |

# Main configuration, modify to suit your setup
IPTABLES="/usr/local/sbin/iptables" # set to your iptables location, must be set
TCP_ALLOW="22 25 80" # TCP ports to allow
UDP_ALLOW="6112 6119 4000" # UDP ports to allow
INET_IFACE="ppp0" # the interface your internet's on (one only), must be set
LAN_IFACE="eth0" # the interface your LAN's on (one only)
USE_SSH1="TRUE" # set to TRUE if you use "real" SSH1 (anything else is interpreted as FALSE)
USE_OPENSSH="FALSE" # set to TRUE if you use OpenSSH (anything else is interpreted as FALSE)
INTERNAL_LAN="192.168.0.0/24 192.168.1.0/24" # The internal LAN (Including DMZs but not censored hosts)
MASQ_LAN="192.168.0.0/24 192.168.1.0/24" # the internal network(s) to be masqueraded (this is overridden by MAC_MASQ)
DROP="TREJECT" # What to do with packets we don't want: DROP, REJECT, TREJECT (Reject with tcp-reset for TCP), LDROP (log and drop), LREJECT (log and reject), TLREJECT (log and reject with tcp-reset)
DENY_ALL="" # Internet hosts to explicitly deny from accessing your system at all
DENY_HOSTWISE_TCP="" # Specific hosts to deny access to specific TCP ports; format is "IP>PORT"
DENY_HOSTWISE_UDP="" # Specific hosts to deny access to specific UDP ports; format is "IP>PORT"
ALLOW_HOSTWISE_TCP="207.69.200.132>113 216.32.132.250>113 206.132.27.156>113 209.81.232.66>113 207.45.69.69>113 216.80.83.185>113 212.158.123.66>113"
# Specific hosts allowed access to specific TCP ports; format is "IP>PORT"
ALLOW_HOSTWISE_UDP="" # Specific hosts allowed access to specific UDP ports; format is "IP>PORT"
ALLOW_OUT_TCP="" # Internal hosts allowed to be forwarded out on TCP (internet censorship!); format is "INTERNALIP:DESTIP" as read by the loop below (do not put this/these host/s in INTERNAL_LAN, but do define their method of access [snat, masq] if not a public ip)
TCP_FW="" # TCP port forwards (will pick reverse masquerading if you use masquerading or snat), form is "SPORT:DPORT>IP"
UDP_FW="" # UDP port forwards (will pick reverse masquerading if you use masquerading or snat), form is "SPORT:DPORT>IP"
MANGLE_TOS_OPTIMIZE="TRUE" # TOS Optimizations on or off (TRUE/FALSE toggle)

############## REMOVE THIS OR IT WON'T RUN HOMEZ ###############
echo "You need to edit the config section!" ####################
exit 99 ###### REMOVE THIS OR IT WON'T RUN HOMEZ ###############
############## REMOVE THIS OR IT WON'T RUN HOMEZ ###############

# Only modify these if you have a genuine need, the defaults should be fine for a personal firewall
LOG_FLOOD="2/s" # Limit on logging (for LREJECT and LDROP, the packet will always take the policy regardless of logging)
SYN_FLOOD="4/s" # GLOBAL limit on SYN packets (will probably need increased for a server since this matches ALL SYN packets)
PING_FLOOD="1/s" # Limit on icmp-echo requests to reply to

# Below here is experimental
MAC_MASQ="" # MAC addresses permitted to use masquerading, leave blank to not use
MAC_SNAT="" # MAC addresses permitted to use static NAT, leave blank to not use (format is "MAC:PUBLICIP")
SNAT_LAN="" # Internal networks/hosts to use static NAT (format is "HOST_OR_SUBNET:PUBLICIP") (this is overridden by MAC_SNAT)


# Only touch these if you're daring (PREALPHA stuff)
DMZ_IFACE="" # Interface your DMZ is on (leave blank if you don't have one) MUST DEFINE LAN_IFACE IF YOU USE THIS!

# ----------------------------------------------------------------------|
# Do not modify configuration below here |
# ----------------------------------------------------------------------|
FILTER_CHAINS="INETIN INETOUT DMZIN DMZOUT TCPACCEPT UDPACCEPT LDROP LREJECT TREJECT LTREJECT"
# ----------------------------------------------------------------------|
# You shouldn't need to modify anything below here |
# ----------------------------------------------------------------------|

# Let's load it!
echo "Loading iptables firewall:"

# Configuration Sanity Checks
echo -n "Checking configuration..."
if ! [ -x "$IPTABLES" ] ; then
echo
echo "ERROR IN CONFIGURATION: IPTABLES doesn't exist or isn't executable!"
exit 1
fi
if [ "$DMZ_IFACE" = "$LAN_IFACE" ] ; then
echo
echo "ERROR IN CONFIGURATION: DMZ_IFACE and LAN_IFACE can't be the same!"
exit 1
fi
echo "passed"

# Turn on IP forwarding
echo -n "Checking IP Forwarding..."
if [ -e /proc/sys/net/ipv4/ip_forward ] ; then
echo 1 > /proc/sys/net/ipv4/ip_forward
echo "enabled."
else
echo "support not found! This will probably cause problems!"
fi

# Enable TCP Syncookies
echo -n "Checking IP SynCookies..."
if [ -e /proc/sys/net/ipv4/tcp_syncookies ] ; then
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo "enabled."
else
echo "support not found, but that's OK."
fi

# Flush everything
# If you need compatibility, you can comment some or all of these out,
# but remember, if you re-run it, it'll just add the new rules in, it
# won't remove the old ones for you then, this is how it removes them.
echo -n "Flush: "
${IPTABLES} -t filter -F INPUT
echo -n "INPUT "
${IPTABLES} -t filter -F OUTPUT
echo -n "OUTPUT1 "
${IPTABLES} -t filter -F FORWARD
echo -n "FORWARD "
${IPTABLES} -t nat -F PREROUTING
echo -n "PREROUTING1 "
${IPTABLES} -t nat -F OUTPUT
echo -n "OUTPUT2 "
${IPTABLES} -t nat -F POSTROUTING
echo -n "POSTROUTING "
${IPTABLES} -t mangle -F PREROUTING
echo -n "PREROUTING2 "
${IPTABLES} -t mangle -F OUTPUT
echo -n "OUTPUT3"
echo

# Create new chains
# Output to /dev/null in case they don't exist from a previous invocation
echo -n "Creating chains: "
for chain in ${FILTER_CHAINS} ; do
${IPTABLES} -t filter -F ${chain} > /dev/null 2>&1
${IPTABLES} -t filter -X ${chain} > /dev/null 2>&1
${IPTABLES} -t filter -N ${chain}
echo -n "${chain} "
done
echo

# Default Policies
# INPUT is still ACCEPT, the INETIN chain (defined above and jumped to later)
# is given a policy of DROP at the end
# Policy can't be reject because of kernel limitations
echo -n "Default Policies: "
${IPTABLES} -t filter -P INPUT ACCEPT
echo -n "INPUT:ACCEPT "
${IPTABLES} -t filter -P OUTPUT ACCEPT
echo -n "OUTPUT:ACCEPT "
${IPTABLES} -t filter -P FORWARD DROP
echo -n "FORWARD:DROP "
echo

# Local traffic to internet or crossing subnets
# This should cover what we need if we don't use masquerading
# Unfortunately, MAC address matching isn't bidirectional (for
# obvious reasons), so IP based matching is done here
echo -n "Local Traffic Rules: "
for subnet in ${INTERNAL_LAN} ; do
${IPTABLES} -t filter -A FORWARD -s ${subnet} -j ACCEPT
${IPTABLES} -t filter -A FORWARD -d ${subnet} -m state --state ESTABLISHED,RELATED -j ACCEPT
echo -n "${subnet}:ACCEPT "
done
echo

if [ "$ALLOW_OUT_TCP" != "" ] ; then
echo -n "Internet censorship TCP allows: "
for rule in ${ALLOW_OUT_TCP} ; do
echo "$rule" | {
IFS=':' read intip destip
${IPTABLES} -t filter -A FORWARD -s ${intip} -d ${destip} -o ${INET_IFACE} -j ACCEPT
${IPTABLES} -t filter -A FORWARD -d ${intip} -s ${destip} -i ${INET_IFACE} -j ACCEPT
echo -n "${intip}:${destip} "
}
done
echo
fi

# Set up basic NAT if the user wants it
if [ "$MASQ_LAN" != "" ] ; then
echo -n "Setting up masquerading: "
if [ "$MAC_MASQ" = "" ] ; then
for subnet in ${MASQ_LAN} ; do
${IPTABLES} -t nat -A POSTROUTING -s ${subnet} -o ${INET_IFACE} -j MASQUERADE
echo -n "${subnet}:MASQUERADE "
done
else
for address in ${MAC_MASQ} ; do
${IPTABLES} -t nat -A POSTROUTING -m mac --mac-source ${address} -o ${INET_IFACE} -j MASQUERADE
echo -n "${address}:MASQUERADE "
done
fi
echo
fi
if [ "$SNAT_LAN" != "" ] ; then #Static NAT used
echo -n "Setting up static NAT: "
if [ "$MAC_SNAT" = "" ] ; then
for rule in ${SNAT_LAN} ; do
echo "$rule" | {
IFS=':' read host destip
${IPTABLES} -t nat -A POSTROUTING -s ${host} -o ${INET_IFACE} -j SNAT --to-source ${destip}
echo -n "${host}:SNAT "
}
done
else
for rule in ${MAC_SNAT} ; do
echo "$rule" | {
IFS=':' read address destip
${IPTABLES} -t nat -A POSTROUTING -m mac --mac-source ${address} -o ${INET_IFACE} -j SNAT --to-source ${destip}
echo -n "${address}:SNAT "
}
done
fi
echo
fi

#TCP Port-Forwards
# DNAT is the right target whether the host is masqueraded, static-NATed or
# has a public address. The old non-NAT branch used REDIRECT, which only
# takes --to-ports and cannot point at another host, so iptables refused
# the rule; it also tested an undefined $USE_MASQ. Collapsed into one loop.
# Each forward also needs a FORWARD accept: the rules above only let
# ESTABLISHED,RELATED traffic through towards INTERNAL_LAN.
if [ "$TCP_FW" != "" ] ; then
echo -n "TCP Port Forwards: "
for rule in ${TCP_FW} ; do
echo "$rule" | {
IFS=':>' read srcport destport host
${IPTABLES} -t nat -A PREROUTING -p tcp -i ${INET_IFACE} --dport ${srcport} -j DNAT --to-destination ${host}:${destport}
${IPTABLES} -t filter -A FORWARD -p tcp -i ${INET_IFACE} -d ${host} --dport ${destport} -j ACCEPT
echo -n "${rule} "
}
done
echo
fi

#UDP Port Forwards
if [ "$UDP_FW" != "" ] ; then
echo -n "UDP Port Forwards: "
for rule in ${UDP_FW} ; do
echo "$rule" | {
IFS=':>' read srcport destport host
${IPTABLES} -t nat -A PREROUTING -p udp -i ${INET_IFACE} --dport ${srcport} -j DNAT --to-destination ${host}:${destport}
${IPTABLES} -t filter -A FORWARD -p udp -i ${INET_IFACE} -d ${host} --dport ${destport} -j ACCEPT
echo -n "${rule} "
}
done
echo
fi

# ===============================================
# -------Chain setup before jumping to them------
# ===============================================


# Set up INET chains
echo -n "Setting up INET chains: "
${IPTABLES} -t filter -A INPUT -i ${INET_IFACE} -j INETIN
echo -n "INETIN "
${IPTABLES} -t filter -A OUTPUT -o ${INET_IFACE} -j INETOUT
echo -n "INETOUT "
echo

# For now we'll subject the DMZ to the same rules as the internet when going onto the trusted LAN
# And we'll let it go anywhere on the internet
# These are forwarding rules, so they hang off FORWARD, not INPUT: INPUT
# cannot match an output interface and iptables refuses to load such a rule.
# Traffic that arrived from the DMZ (DMZIN) is classified by where it is heading.
if [ "$DMZ_IFACE" != "" ] ; then
echo -n "Setting up DMZ Chains: "
${IPTABLES} -t filter -A FORWARD -o ${DMZ_IFACE} -j DMZOUT
echo -n "DMZOUT "
${IPTABLES} -t filter -A FORWARD -i ${DMZ_IFACE} -j DMZIN
echo -n "DMZIN "
echo
echo -n "DMZ for LAN Forwarding to INETIN..."
${IPTABLES} -t filter -A DMZIN -o ${LAN_IFACE} -j INETIN
echo "done"
echo -n "DMZ for Internet Forwarding to INETOUT..."
${IPTABLES} -t filter -A DMZIN -o ${INET_IFACE} -j INETOUT
echo "done"
fi


#These logging chains are valid to specify in DROP= above
#Set up LDROP
echo -n "Setting up drop chains: "
${IPTABLES} -t filter -A LDROP -p tcp -m limit --limit ${LOG_FLOOD} -j LOG --log-level info --log-prefix "TCP Dropped "
${IPTABLES} -t filter -A LDROP -p udp -m limit --limit ${LOG_FLOOD} -j LOG --log-level info --log-prefix "UDP Dropped "
${IPTABLES} -t filter -A LDROP -p icmp -m limit --limit ${LOG_FLOOD} -j LOG --log-level info --log-prefix "ICMP Dropped "
${IPTABLES} -t filter -A LDROP -f -m limit --limit ${LOG_FLOOD} -j LOG --log-level warning --log-prefix "FRAGMENT Dropped "
${IPTABLES} -t filter -A LDROP -j DROP
echo -n "LDROP "

#And LREJECT too
${IPTABLES} -t filter -A LREJECT -p tcp -m limit --limit ${LOG_FLOOD} -j LOG --log-level info --log-prefix "TCP Rejected "
${IPTABLES} -t filter -A LREJECT -p udp -m limit --limit ${LOG_FLOOD} -j LOG --log-level info --log-prefix "UDP Rejected "
${IPTABLES} -t filter -A LREJECT -p icmp -m limit --limit ${LOG_FLOOD} -j LOG --log-level info --log-prefix "ICMP Rejected "
${IPTABLES} -t filter -A LREJECT -f -m limit --limit ${LOG_FLOOD} -j LOG --log-level warning --log-prefix "FRAGMENT Rejected "
${IPTABLES} -t filter -A LREJECT -j REJECT
echo -n "LREJECT "

#Don't forget TREJECT
${IPTABLES} -t filter -A TREJECT -p tcp -j REJECT --reject-with tcp-reset
${IPTABLES} -t filter -A TREJECT ! -p tcp -j REJECT --reject-with icmp-port-unreachable
${IPTABLES} -t filter -A TREJECT -j REJECT
echo -n "TREJECT "

#And LTREJECT
${IPTABLES} -t filter -A LTREJECT -p tcp -m limit --limit ${LOG_FLOOD} -j LOG --log-level info --log-prefix "TCP Rejected "
${IPTABLES} -t filter -A LTREJECT -p udp -m limit --limit ${LOG_FLOOD} -j LOG --log-level info --log-prefix "UDP Rejected "
${IPTABLES} -t filter -A LTREJECT -p icmp -m limit --limit ${LOG_FLOOD} -j LOG --log-level info --log-prefix "ICMP Rejected "
${IPTABLES} -t filter -A LTREJECT -f -m limit --limit ${LOG_FLOOD} -j LOG --log-level warning --log-prefix "FRAGMENT Rejected "
${IPTABLES} -t filter -A LTREJECT -p tcp -j REJECT --reject-with tcp-reset
${IPTABLES} -t filter -A LTREJECT ! -p tcp -j REJECT --reject-with icmp-port-unreachable
${IPTABLES} -t filter -A LTREJECT -j REJECT
echo -n "LTREJECT "

#newline
echo


# Set up the per-proto ACCEPT chains
echo -n "Setting up per-proto ACCEPT: "

# TCPACCEPT
# SYN Flood Protection
${IPTABLES} -t filter -A TCPACCEPT -p tcp --syn -m limit --limit ${SYN_FLOOD} -j ACCEPT
${IPTABLES} -t filter -A TCPACCEPT -p tcp ! --syn -j ACCEPT
# Log anything that hasn't matched yet and ${DROP} it since we don't know what it is
${IPTABLES} -t filter -A TCPACCEPT -m limit --limit ${LOG_FLOOD} -j LOG --log-prefix "Mismatch in TCPACCEPT "
${IPTABLES} -t filter -A TCPACCEPT -j ${DROP}
echo -n "TCPACCEPT "

#UDPACCEPT
${IPTABLES} -t filter -A UDPACCEPT -p udp -j ACCEPT
# Log anything not UDP (it shouldn't be here), and ${DROP} it since it's not supposed to be here
${IPTABLES} -t filter -A UDPACCEPT -m limit --limit ${LOG_FLOOD} -j LOG --log-prefix "Mismatch on UDPACCEPT "
${IPTABLES} -t filter -A UDPACCEPT -j ${DROP}
echo -n "UDPACCEPT "

#Done
echo

# -------------------------------------------------
# =================================================
# -------------------------------------------------


#Explicit denies
if [ "$DENY_ALL" != "" ] ; then
echo -n "Denying hosts: "
for host in ${DENY_ALL} ; do
${IPTABLES} -t filter -A INETIN -s ${host} -j ${DROP}
echo -n "${host}:${DROP}"
done
echo
fi

if [ "$DENY_HOSTWISE_TCP" != "" ] ; then
echo -n "Hostwise TCP Denies: "
for rule in ${DENY_HOSTWISE_TCP} ; do
echo "$rule" | {
IFS='>' read host port
${IPTABLES} -t filter -A INETIN -p tcp -s ${host} --dport ${port} -j ${DROP}
echo -n "${rule} "
}
done
echo
fi

if [ "$DENY_HOSTWISE_UDP" != "" ] ; then
echo -n "Hostwise UDP Denies: "
for rule in ${DENY_HOSTWISE_UDP} ; do
echo "$rule" | {
IFS='>' read host port
${IPTABLES} -t filter -A INETIN -p udp -s ${host} --dport ${port} -j ${DROP}
echo -n "${rule} "
}
done
echo
fi

#Invalid packets are always annoying
echo -n "${DROP}ing invalid packets..."
${IPTABLES} -t filter -A INETIN -m state --state INVALID -j ${DROP}
echo "done"



# ================================================================
# ------------Allow stuff we have chosen to allow in--------------
# ================================================================

#Start allowing stuff

# Flood "security"
# You'll still respond to these if they comply with the limits
# Default limits are 1/sec for ICMP pings
# SYN Flood is on a per-port basis because it's a security hole to put it here!
# This is just a packet limit, you still get the packets on the interface and
# still may experience lag if the flood is heavy enough
echo -n "Flood limiting: "
# Ping Floods (ICMP echo-request)
${IPTABLES} -t filter -A INETIN -p icmp --icmp-type echo-request -m limit --limit ${PING_FLOOD} -j ACCEPT
echo -n "ICMP-PING "
echo

echo -n "Allowing the rest of the ICMP messages in..."
${IPTABLES} -t filter -A INETIN -p icmp ! --icmp-type echo-request -j ACCEPT
echo "done"

if [ "$TCP_ALLOW" != "" ] ; then
echo -n "TCP Input Allow: "
for port in ${TCP_ALLOW} ; do
if [ "0$port" = "021" ]; then #Active FTP (thanks steff)
${IPTABLES} -t filter -A INETIN -p tcp --sport 20 --dport 1024:65535 ! --syn -m state --state RELATED -j TCPACCEPT
fi
${IPTABLES} -t filter -A INETIN -p tcp --dport ${port} -j TCPACCEPT
echo -n "${port} "
done
echo
fi

if [ "$UDP_ALLOW" != "" ] ; then
echo -n "UDP Input Allow: "
for port in ${UDP_ALLOW} ; do
${IPTABLES} -t filter -A INETIN -p udp --dport ${port} -j UDPACCEPT
echo -n "${port} "
done
echo
fi

#SSH Rulesets
if [ "$USE_SSH1" = "TRUE" ] || [ "$USE_OPENSSH" = "TRUE" ]; then
echo -n "Accounting for SSH..."
if [ "$USE_SSH1" = "TRUE" ]; then #SSH1
${IPTABLES} -t filter -A INETIN -p tcp --sport 22 --dport 513:1023 ! --syn -m state --state RELATED -j TCPACCEPT
echo -n "SSH1 "
fi
if [ "$USE_OPENSSH" = "TRUE" ] ; then #OpenSSH
${IPTABLES} -t filter -A INETIN -p tcp --sport 22 --dport 1024:65535 ! --syn -m state --state RELATED -j TCPACCEPT
echo -n "OpenSSH "
fi
echo
fi

#Hostwise allows
if [ "$ALLOW_HOSTWISE_TCP" != "" ] ; then
echo -n "Hostwise TCP Allows: "
for rule in ${ALLOW_HOSTWISE_TCP} ; do
echo "$rule" | {
IFS='>' read host port
${IPTABLES} -t filter -A INETIN -p tcp -s ${host} --dport ${port} -j ACCEPT
echo -n "${rule} "
}
done
echo
fi

if [ "$ALLOW_HOSTWISE_UDP" != "" ] ; then
echo -n "Hostwise UDP Allows: "
for rule in ${ALLOW_HOSTWISE_UDP} ; do
echo "$rule" | {
IFS='>' read host port
${IPTABLES} -t filter -A INETIN -p udp -s ${host} --dport ${port} -j ACCEPT
echo -n "${rule} "
}
done
echo
fi


echo -n "Allowing established outbound connections back in..."
${IPTABLES} -t filter -A INETIN -m state --state ESTABLISHED -j ACCEPT
echo "done"

# Type of Service mangle optimizations (the ACTIVE FTP one will only work for uploads)
if [ "$MANGLE_TOS_OPTIMIZE" = "TRUE" ] ; then # "=" rather than "==": the script runs under /bin/sh
echo -n "Optimizing traffic: "
${IPTABLES} -t mangle -A OUTPUT -p tcp --dport 23 -j TOS --set-tos Minimize-Delay
echo -n "telnet "
${IPTABLES} -t mangle -A OUTPUT -p tcp --dport 22 -j TOS --set-tos Minimize-Delay
echo -n "ssh "
${IPTABLES} -t mangle -A OUTPUT -p tcp --dport 20 -j TOS --set-tos Maximize-Throughput
echo -n "ftp "
${IPTABLES} -t mangle -A OUTPUT -p udp --dport 4000:7000 -j TOS --set-tos Minimize-Delay
echo -n "diablo2 "
echo
fi

#What to do on those INET chains when we hit the end
echo -n "Setting up INET policies: "
#Drop if we cant find a valid inbound rule.
${IPTABLES} -t filter -A INETIN -j ${DROP}
echo -n "INETIN:${DROP} "
#We can send what we want to the internet
${IPTABLES} -t filter -A INETOUT -j ACCEPT
echo -n "INETOUT:ACCEPT "
echo

#All done!
echo "Done loading the firewall!"
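The script splits its TCP_FW/UDP_FW ("SPORT:DPORT>IP") and *_HOSTWISE_* ("IP>PORT") entries with `IFS=':>' read` and never checks the pieces, so one mistyped entry becomes an iptables command that fails to load while the rest of the script carries on. The validator below is an added example written for this page, not part of MonMotha's script; `validate_config`, `check_fw_rule`, `check_hostwise_rule` and the sample config are names and values chosen here, and `ppp0` is the script's default INET_IFACE.

```shell
#!/bin/sh
# Validation for the rule formats the firewall script splits with
# "IFS=':>' read". A malformed entry makes iptables reject one rule while
# the script continues, leaving a half-loaded ruleset behind INPUT's
# ACCEPT policy. Added example, not part of the original script.

# is_port N: one port 1-65535 (no ranges: ':' is one of the script's separators)
is_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# is_ipv4 ADDR: dotted quad with optional /prefix. Hostnames are refused on
# purpose: the script resolves them once at load time, and a failed lookup
# would again yield a rule with an empty address.
is_ipv4() {
    addr=${1%/*}
    if [ "$addr" != "$1" ]; then
        prefix=${1##*/}
        case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
        [ "$prefix" -le 32 ] || return 1
    fi
    n=0
    left=$addr
    while :; do
        octet=${left%%.*}
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
        n=$((n + 1))
        [ "$left" = "$octet" ] && break    # last octet, no dot left
        left=${left#*.}
    done
    [ "$n" -eq 4 ]
}

# check_fw_rule PROTO "SPORT:DPORT>IP": prints the PREROUTING DNAT rule plus
# the FORWARD accept the forward needs (the script's FORWARD chain only passes
# ESTABLISHED,RELATED towards the LAN). Returns 1 and prints nothing on stdout
# for a malformed entry. INET_IFACE defaults to the script's ppp0.
check_fw_rule() {
    proto=$1 rule=$2 iface=${INET_IFACE:-ppp0}
    case "$rule" in
        *:*\>*) ;;
        *) echo "bad port forward '$rule' (want SPORT:DPORT>IP)" >&2; return 1 ;;
    esac
    sport=${rule%%:*}
    after=${rule#*:}
    dport=${after%%\>*}
    host=${after#*\>}
    case "$host" in */*) echo "bad port forward '$rule': DNAT needs one host" >&2; return 1 ;; esac
    if ! is_port "$sport" || ! is_port "$dport" || ! is_ipv4 "$host"; then
        echo "bad port forward '$rule' (want SPORT:DPORT>IP)" >&2
        return 1
    fi
    echo "-t nat -A PREROUTING -p $proto -i $iface --dport $sport -j DNAT --to-destination $host:$dport"
    echo "-t filter -A FORWARD -p $proto -i $iface -d $host --dport $dport -j ACCEPT"
}

# check_hostwise_rule PROTO TARGET "IP>PORT": the INETIN rule the script builds
# for ALLOW_HOSTWISE_* (TARGET=ACCEPT) and DENY_HOSTWISE_* (TARGET=$DROP);
# a subnet is fine here because it only ends up in -s
check_hostwise_rule() {
    proto=$1 target=$2 rule=$3
    host=${rule%%\>*}
    port=${rule#*\>}
    if [ "$host" = "$rule" ] || ! is_ipv4 "$host" || ! is_port "$port"; then
        echo "bad hostwise rule '$rule' (want IP>PORT)" >&2
        return 1
    fi
    echo "-t filter -A INETIN -p $proto -s $host --dport $port -j $target"
}

# validate_config: walk every list the way the script does and stop at the
# first bad entry, so the caller refuses to load anything rather than end up
# with half a ruleset behind an ACCEPT policy
validate_config() {
    for r in $TCP_FW; do check_fw_rule tcp "$r" >/dev/null || return 1; done
    for r in $UDP_FW; do check_fw_rule udp "$r" >/dev/null || return 1; done
    for r in $ALLOW_HOSTWISE_TCP; do check_hostwise_rule tcp ACCEPT "$r" >/dev/null || return 1; done
    for r in $ALLOW_HOSTWISE_UDP; do check_hostwise_rule udp ACCEPT "$r" >/dev/null || return 1; done
    for r in $DENY_HOSTWISE_TCP; do check_hostwise_rule tcp "$DROP" "$r" >/dev/null || return 1; done
    for r in $DENY_HOSTWISE_UDP; do check_hostwise_rule udp "$DROP" "$r" >/dev/null || return 1; done
    return 0
}

# Constructed sample config in the script's formats. The second TCP_FW entry
# lacks DPORT: "IFS=':>' read srcport destport host" turns it into srcport=80
# destport=192.168.0.5 host='' and asks iptables for "--to :192.168.0.5".
TCP_FW="80:8080>192.168.0.5 80>192.168.0.5"
UDP_FW="6112:6112>192.168.0.7"
ALLOW_HOSTWISE_TCP="207.69.200.132>113"
ALLOW_HOSTWISE_UDP=""
DENY_HOSTWISE_TCP="" DENY_HOSTWISE_UDP=""
DROP="TREJECT"
if validate_config; then
    echo "config OK, safe to load"
else
    echo "refusing to load the firewall: fix the entry reported above"
fi
```

Run it before the firewall script, or source it and call `validate_config` from the script's own sanity-check section so a bad entry stops the load before the flush.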



Copyright (C) 2001 jog.co.kr All rights reserved.