[보안] iptables 예제 (클루닉스 방화벽)

#! /bin/sh

#

# firewall        Start/Stop firewall with iptables

#

# chkconfig: 2345 99 99

# description:         Clunix Firewall filtering & NAT with iptables

#                 eth0 : external link(onboard intel)

#                 eth1 : internal link(pci-realtek)

#

# Donghyun Kim <ryan at clunix.com> 2002.09.25 #

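# Interfaces.  NOTE: EXTERNAL_NIC is never referenced by the rules below;
# the OUTPUT rules use "br0" instead, so verify which name is really the
# external link on this box before relying on the header comment.
EXTERNAL_NIC=eth0
INTERNAL_NIC=eth1

# Source function library (provides success/failure used by start/stop).
. /etc/init.d/functions

# Source network config (provides NETWORKING).
. /etc/sysconfig/network

# Check that networking is up.  The expansion is quoted so that an unset
# or empty NETWORKING yields a clean comparison instead of a syntax error
# in "[" (the original "[ $NETWORKING = no ]" broke on an empty value).
if [ "${NETWORKING}" = "no" ]; then
        exit 0
fi

# Nothing to do without the iptables binary.
[ -x /sbin/iptables ] || exit 0

# Overall exit status; start()/stop() set it to 1 when a command fails.
RETVAL=0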

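#######################################
# Run one iptables command and remember any failure in RETVAL.
# The previous version checked only "$?" of the very last command, so a
# rule that failed to load in the middle of the set was still reported as
# "firewall startup  [ OK ]".
# Globals:   RETVAL (written)
# Arguments: iptables arguments, passed through unchanged
#######################################
ipt() {
        iptables "$@" || RETVAL=1
}

#######################################
# Load the filtering / NAT rule set and enable forwarding.
# Order is fail-closed: tables are flushed, default policies are set to
# DROP, every chain is populated, and only then is ip_forward switched on.
# Globals:   INTERNAL_NIC (read), RETVAL (written)
# Outputs:   Red Hat style "Starting Firewall: ... [ OK ]" on stdout
# Returns:   0 if already running; otherwise via RETVAL
#######################################
start() {
        # already started (lock file present) : nothing to do
        if [ -f /var/lock/subsys/firewall ] ; then
                return
        fi

        # print "start firewall" msg
        echo -n $"Starting Firewall: "
        RETVAL=0

        #
        # connection-tracking helpers for FTP (2.4-era module names;
        # newer kernels call these nf_conntrack_ftp / nf_nat_ftp)
        #
        modprobe ip_conntrack_ftp || RETVAL=1
        modprobe ip_nat_ftp || RETVAL=1

        #
        # init iptables
        #
        # flush the filter table first so it is cleaned even when
        # /proc/net/ip_tables_names is unavailable
        ipt -F
        ipt -X
        # /proc/net/ip_tables_names lists the loaded *tables* (filter, nat,
        # mangle, ...); word-splitting on whitespace is intended here
        tables=$(cat /proc/net/ip_tables_names 2>/dev/null)
        for t in $tables
        do
                ipt -t "$t" -F
                ipt -t "$t" -X
                ipt -t "$t" -Z
        done

        ####################################################################
        # set default policies
        #
        # Done before any rule is appended and before forwarding is
        # enabled, so the box never forwards with a half-loaded rule set.
        ####################################################################
        # firewall itself : output only
        ipt -P INPUT DROP
        ipt -P OUTPUT ACCEPT
        # firewall filtering
        ipt -P FORWARD DROP

        ####################################################################
        # User defined chains
        ####################################################################
        #
        # refuse :
        # explicit refuse chain
        # logging to /var/log/firewall (via syslog kern.debug) & reject
        #
        ipt -N refuse
        # debug
        #iptables -A refuse --src 147.46.0.0/16 -j LOG \
        #  --log-prefix "refused: " --log-level debug
        #iptables -A refuse --src 211.241.202.133 -j LOG \
        #  --log-prefix "refused: " --log-level debug
        # log only what did NOT arrive on the internal interface, at most
        # one entry per minute.  1/m keeps syslog quiet but also hides the
        # volume of a scan; raise it if the log is used for analysis.
        ipt -A refuse ! -i "$INTERNAL_NIC" -m limit --limit 1/m -j LOG \
          --log-prefix "refused: " --log-level debug
        # tcp gets a RST, udp an ICMP port-unreachable (REJECT default),
        # both rate-limited; everything above the limit, and every other
        # protocol, is silently dropped
        ipt -A refuse -p tcp -m limit --limit 10/s -j REJECT \
          --reject-with tcp-reset
        ipt -A refuse -p udp -m limit --limit 10/s -j REJECT
        ipt -A refuse -j DROP

        #
        # global_icmp :
        # specified ICMP packets are accepted globally
        #
        # accept following icmp pkt
        #  -  0 : echo reply
        #  -  3 : dest unreachable
        #  -  4 : source quench (for Soribada?)
        #  -  5 : redirect
        #  -  8 : echo request
        #  - 11 : time exceeded
        #
        # NOTE: type 5 (redirect) from any source is forwarded to internal
        # hosts as well; border firewalls usually drop inbound redirects.
        ipt -N global_icmp
        ipt -A global_icmp -p icmp --icmp-type 0 -j ACCEPT
        ipt -A global_icmp -p icmp --icmp-type 3 -j ACCEPT
        ipt -A global_icmp -p icmp --icmp-type 4 -j ACCEPT
        ipt -A global_icmp -p icmp --icmp-type 5 -j ACCEPT
        ipt -A global_icmp -p icmp --icmp-type 8 -j ACCEPT
        ipt -A global_icmp -p icmp --icmp-type 11 -j ACCEPT

        #
        # global_udp :
        # specified udp packets are accepted globally
        #
        ipt -N global_udp
        # edonkey (4661-4663/tcp, 4665/udp) for all PC
        ipt -A global_udp -p udp --dport 4665 -j ACCEPT
        # Soribada
        #iptables -A global_udp -p udp --dport 7674 -j ACCEPT
        #iptables -A global_udp -p udp --dport 22321 -j ACCEPT

        #
        # global_tcp :
        # specified tcp packets (that is valid) are accepted globally
        #
        ipt -N global_tcp
        # drop new pkt that has no syn
        ipt -A global_tcp -p tcp ! --syn -m state --state NEW -j refuse
        # MSN file transfer (6891-6900/tcp) for all PC
        # http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q278887&
        ipt -A global_tcp -p tcp --dport 6891:6900 -j ACCEPT
        # edonkey (4661-4663/tcp, 4665/udp) for all PC
        ipt -A global_tcp -p tcp --dport 4661:4663 -j ACCEPT
        # Soribada
        #iptables -A global_tcp -p tcp --dport 7675 -j ACCEPT

        #
        # open :
        # accept connection by each server:port
        #
        # NOTE: none of these rules has a -s match, so every listed port --
        # including management ports such as ssh(22), wts(3389) and
        # rndc(953) -- is reachable from any source address.  Restrict the
        # management ones to known admin ranges where possible.
        #
        ipt -N open
        # ares (211.241.202.129) : smtp(25/tcp), wts(3389/tcp), pop3(110/tcp),
        #                          imap(143/tcp)
        ipt -A open -p tcp -d 211.241.202.129 --dport 25 -j ACCEPT
        ipt -A open -p tcp -d 211.241.202.129 --dport 3389 -j ACCEPT
        #iptables -A open -p tcp -d 211.241.202.129 --dport 110 -j ACCEPT
        # master (211.241.202.133) : ftp(21/tcp), ssh(22/tcp), dns(53/udp),
        #                            www(80/tcp), https(443/tcp)
        ipt -A open -p tcp -d 211.241.202.133 --dport 21 -j ACCEPT
        ipt -A open -p tcp -d 211.241.202.133 --dport 22 -j ACCEPT
        ipt -A open -p udp -d 211.241.202.133 --dport 53 -j ACCEPT
        #iptables -A open -p tcp -d 211.241.202.133 --dport 80 -j ACCEPT
        #iptables -A open -p tcp -d 211.241.202.133 --dport 443 -j ACCEPT
        # winmaster (211.241.202.134) : wts(3389/tcp)
        #iptables -A open -p tcp -d 211.241.202.134 --dport 3389 -j ACCEPT
        # temp wts (211.241.202.242) : wts(3389/tcp)
        ipt -A open -p tcp -d 211.241.202.242 --dport 3389 -j ACCEPT
        # wts.clunix.com (211.241.202.245) : wts(3389/tcp)
        ipt -A open -p tcp -d 211.241.202.245 --dport 3389 -j ACCEPT
        # wts.manpa.net (211.241.202.135) : http(80/tcp) wts(3389/tcp)
        ipt -A open -p tcp -d 211.241.202.135 --dport 80 -j ACCEPT
        ipt -A open -p tcp -d 211.241.202.135 --dport 3389 -j ACCEPT
        # tech (211.241.202.221) : http(80/tcp), ftp(21/tcp)
        ipt -A open -p tcp -d 211.241.202.221 --dport 80 -j ACCEPT
        ipt -A open -p tcp -d 211.241.202.221 --dport 21 -j ACCEPT
        # 서진우's server (211.241.202.223) : ftp(21/tcp), ssh(22/tcp), http(80/tcp)
        ipt -A open -p tcp -d 211.241.202.223 --dport 21 -j ACCEPT
        ipt -A open -p tcp -d 211.241.202.223 --dport 22 -j ACCEPT
        ipt -A open -p tcp -d 211.241.202.223 --dport 80 -j ACCEPT
        # 김동현's PC (211.241.202.174) : wts(3389/tcp)
        ipt -A open -p tcp -d 211.241.202.174 --dport 3389 -j ACCEPT
        # 박영광's PC (211.241.202.173) : wts(3389/tcp)
        ipt -A open -p tcp -d 211.241.202.173 --dport 3389 -j ACCEPT
        # 원재관's PC (211.241.202.177) : wts(3389/tcp)
        ipt -A open -p tcp -d 211.241.202.177 --dport 3389 -j ACCEPT
        # 윤영태's PC (211.241.202.176) : wts(3389/tcp)
        ipt -A open -p tcp -d 211.241.202.176 --dport 3389 -j ACCEPT
        # 서진우's PC 211.241.202.152 :
        #   ftp(21/tcp), ssh(22/tcp), http(80/tcp), wts(3389/tcp)
        # (the .153/.242/.243/.244 rules below were added under this heading
        #  without their own comment -- kept as found)
        ipt -A open -p tcp -d 211.241.202.152 --dport 21 -j ACCEPT
        ipt -A open -p tcp -d 211.241.202.153 --dport 21 -j ACCEPT
        ipt -A open -p tcp -d 211.241.202.152 --dport 22 -j ACCEPT
        ipt -A open -p tcp -d 211.241.202.242 --dport 21 -j ACCEPT
        ipt -A open -p tcp -d 211.241.202.242 --dport 22 -j ACCEPT
        ipt -A open -p tcp -d 211.241.202.153 --dport 22 -j ACCEPT
        ipt -A open -p tcp -d 211.241.202.152 --dport 80 -j ACCEPT
        ipt -A open -p tcp -d 211.241.202.153 --dport 80 -j ACCEPT
        ipt -A open -p tcp -d 211.241.202.153 --dport 53 -j ACCEPT
        ipt -A open -p udp -d 211.241.202.153 --dport 53 -j ACCEPT
        ipt -A open -p tcp -d 211.241.202.153 --dport 953 -j ACCEPT
        ipt -A open -p tcp -d 211.241.202.152 --dport 3389 -j ACCEPT
        ipt -A open -p tcp -d 211.241.202.230 --dport 3389 -j ACCEPT
        ipt -A open -p tcp -d 211.241.202.244 --dport 3389 -j ACCEPT
        ipt -A open -p tcp -d 211.241.202.244 --dport 22 -j ACCEPT
        ipt -A open -p tcp -d 211.241.202.243 --dport 22 -j ACCEPT
        # tech team personal servers : requested by 서진우
        #   211.241.202.151,153,154,155,167,168 : wts(3389/tcp)
        ipt -A open -p tcp -d 211.241.202.151 --dport 3389 -j ACCEPT
        ipt -A open -p tcp -d 211.241.202.154 --dport 3389 -j ACCEPT
        ipt -A open -p tcp -d 211.241.202.155 --dport 3389 -j ACCEPT
        ipt -A open -p tcp -d 211.241.202.167 --dport 3389 -j ACCEPT
        ipt -A open -p tcp -d 211.241.202.168 --dport 3389 -j ACCEPT
        ipt -A open -p tcp -d 211.241.202.229 --dport 21 -j ACCEPT
        # 조경운's test PCs :
        # 211.241.202.196 : ssh(22/tcp), EnCluster(777/tcp)
        ipt -A open -p tcp -d 211.241.202.196 --dport 22 -j ACCEPT
        ipt -A open -p tcp -d 211.241.202.196 --dport 777 -j ACCEPT
        # 공동배's personal servers : requested by 공동배
        ipt -A open -p tcp -d 211.241.202.154 --dport 22 -j ACCEPT
        ipt -A open -p tcp -d 211.241.202.238 --dport 22 -j ACCEPT
        ipt -A open -p tcp -d 211.241.202.239 --dport 22 -j ACCEPT
        ipt -A open -p tcp -d 211.241.202.240 --dport 22 -j ACCEPT
        # NAS test for alang : 211.241.202.229 : ssh(22/tcp)
        ipt -A open -p tcp -d 211.241.202.229 --dport 22 -j ACCEPT
        # external demo : 손명선
        ipt -A open -p tcp -d 211.241.202.243 --dport 80 -j ACCEPT
        ipt -A open -p tcp -d 211.241.202.243 --dport 3389 -j ACCEPT
        # 김정언's personal server :
        ipt -A open -p tcp -d 211.241.202.246 --dport 53 -j ACCEPT
        ipt -A open -p udp -d 211.241.202.246 --dport 53 -j ACCEPT
        ipt -A open -p tcp -d 211.241.202.246 --dport 22 -j ACCEPT
        ipt -A open -p tcp -d 211.241.202.246 --dport 21 -j ACCEPT
        ipt -A open -p tcp -d 211.241.202.246 --dport 80 -j ACCEPT
        ipt -A open -p tcp -d 211.241.202.246 --dport 953 -j ACCEPT
        # Linux Expo exhibition
        #iptables -A open -p tcp -d 211.241.202.238 --dport 910 -j ACCEPT
        #iptables -A open -p tcp -d 211.241.202.238 --dport 80 -j ACCEPT
        #iptables -A open -p tcp -d 211.241.202.200 --dport 910 -j ACCEPT

        ####################################################################
        # FORWARD chain rules
        ####################################################################
        # accept all packets from internal network ($INTERNAL_NIC)
        ipt -A FORWARD -p ALL -i "$INTERNAL_NIC" -j ACCEPT
        # accept all packets from in/out according to stateful-inspection
        ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
        # accept specified icmp packets by global_icmp chain
        ipt -A FORWARD -p icmp -j global_icmp
        # accept specified udp packets by global_udp chain
        ipt -A FORWARD -p udp -j global_udp
        # accept specified tcp packets by global_tcp chain
        ipt -A FORWARD -p tcp -j global_tcp
        # accept packets by server:port
        ipt -A FORWARD -j open
        # otherwise, refuse it
        ipt -A FORWARD -j refuse

        ####################################################################
        # INPUT/OUTPUT chain rules for firewall itself
        #                                     (211.241.202.253)
        ####################################################################
        #   internal : ssh(22/tcp), global_icmp
        #   lo : accept all in/out
        #
        # NOTE: the original comment said "br0" for ssh while the rule uses
        # $INTERNAL_NIC, and the header names eth0/eth1 while OUTPUT below
        # uses br0 -- confirm the real interface layout of this host.
        #
        # accept all pkt from local loopback interface
        ipt -A INPUT -i lo -j ACCEPT
        # accept all packets by stateful-inspection
        ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
        # filter by global icmp pkt
        ipt -A INPUT -p icmp -j global_icmp
        # filter by global tcp pkt
        ipt -A INPUT -p tcp -j global_tcp
        # accept only ssh(22/tcp) pkt from internal network ($INTERNAL_NIC)
        ipt -A INPUT -p tcp -i "$INTERNAL_NIC" --dport 22 -j ACCEPT
        # otherwise, refuse pkt
        ipt -A INPUT -j refuse
        # accept all out pkt (OUTPUT policy is already ACCEPT; these two
        # rules only keep per-interface counters)
        ipt -A OUTPUT -o br0 -j ACCEPT
        ipt -A OUTPUT -o lo -j ACCEPT

        ####################################################################
        # for NAT(masquerade) 192.168.12.0/24 -> 211.241.202.253 via firewall
        ####################################################################
        #
        # masquerade : not used anymore... master will do NAT for 192.168.12.0
        #
        #iptables -t nat -A POSTROUTING -s 192.168.12.0/24 -j MASQUERADE

        #
        # start forwarding -- only now that the FORWARD policy and chain are
        # complete, so there is no window in which the kernel forwards
        # packets before the rules exist (the original enabled it first)
        #
        echo 1 > /proc/sys/net/ipv4/ip_forward || RETVAL=1

        # print "firewall startup" msg; reflects every command above
        if [ "$RETVAL" -eq 0 ]; then
                success "firewall startup"
        else
                failure "firewall startup"
        fi
        echo

        # lock -- written even after a partial failure so that "stop" and
        # "restart" will still tear down whatever was loaded
        touch /var/lock/subsys/firewall
}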

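#######################################
# Flush every table and reset all built-in policies to ACCEPT.
# After this the host does no filtering at all; forwarding is switched off.
# Globals:   RETVAL (written)
# Outputs:   Red Hat style "Stopping Firewall: ... [ OK ]" on stdout
# Returns:   0 if not running (no lock file); otherwise via RETVAL
#######################################
stop() {
        # not started (no lock file) : nothing to do
        if [ ! -f /var/lock/subsys/firewall ] ; then
                return
        fi

        # print "stop firewall" msg
        echo -n $"Stopping Firewall: "
        RETVAL=0

        #
        # flush & delete iptables rules in every loaded table
        #
        # /proc/net/ip_tables_names lists *tables* (filter, nat, mangle, ...);
        # word-splitting on whitespace is intended here
        tables=$(cat /proc/net/ip_tables_names 2>/dev/null)
        for t in $tables
        do
                iptables -t "$t" -F || RETVAL=1
                iptables -t "$t" -X || RETVAL=1
        done

        # reset the default policies; any failure in the chain marks the
        # stop as failed (previously only the last rmmod decided the message)
        iptables -P INPUT ACCEPT && \
        iptables -P OUTPUT ACCEPT && \
        iptables -P FORWARD ACCEPT && \
        iptables -t nat -P PREROUTING ACCEPT && \
        iptables -t nat -P POSTROUTING ACCEPT && \
        iptables -t nat -P OUTPUT ACCEPT && \
        iptables -t mangle -P PREROUTING ACCEPT && \
        iptables -t mangle -P OUTPUT ACCEPT || RETVAL=1

        #
        # stop forwarding & unload the FTP helper modules
        #
        echo 0 > /proc/sys/net/ipv4/ip_forward || RETVAL=1

        # rmmod fails when a module is still in use (open FTP sessions) or
        # was never loaded; neither means the rules are still active, so it
        # is left out of RETVAL on purpose
        rmmod ip_nat_ftp
        rmmod ip_conntrack_ftp

        # print "firewall stop" msg
        if [ "$RETVAL" -eq 0 ]; then
                success "firewall stop"
        else
                failure "firewall stop"
        fi
        echo

        # unlock
        rm -f /var/lock/subsys/firewall
}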

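# See how we were called.
case "$1" in
  start)
        start
        ;;
  stop)
        stop
        ;;
  status)
        # -n : numeric output, so status cannot hang on reverse-DNS lookups
        #      for the many host addresses in the rule set
        /sbin/iptables -n -L INPUT
        /sbin/iptables -n -L OUTPUT
        /sbin/iptables -n -L FORWARD
        ;;
  restart)
        stop
        sleep 1
        start
        ;;
  *)
        # usage is a diagnostic, so it goes to stderr
        echo $"Usage: $0 {start|stop|status|restart}" >&2
        exit 1
        ;;
esac

exit $RETVAL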
