[보안] iptables 예제 (클루닉스 방화벽)
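#! /bin/sh
#
# firewall      Start/Stop firewall with iptables
#
# chkconfig: 2345 99 99
# description: Clunix Firewall filtering & NAT with iptables
# eth0 : external link(onboard intel)
# eth1 : internal link(pci-realtek)
#
# Donghyun Kim <ryan at clunix.com> 2002.09.25
#
# NOTE(review): the $"..." locale-quoted messages used further down are a
# bash feature, so /bin/sh must be bash (as on Red Hat) for them to render.

# Interfaces the firewall host sits between.
# EXTERNAL_NIC is not referenced by any rule in this file; INTERNAL_NIC is.
EXTERNAL_NIC=eth0
INTERNAL_NIC=eth1

# Source function library (provides success/failure).
. /etc/init.d/functions

# Source Network config (provides NETWORKING).
. /etc/sysconfig/network

# Check that networking is up.  NETWORKING is quoted so that an unset
# variable yields '[ "" = "no" ]' instead of the syntax error '[ = no ]'.
if [ "${NETWORKING}" = "no" ]; then
  exit 0
fi

[ -x /sbin/iptables ] || exit 0

# Overall exit status; start()/stop() set it to 1 when a rule or policy
# change fails.
RETVAL=0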
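#######################################
# Run one iptables command, recording any failure in RETVAL so that
# start() can report the status of the whole rule set instead of only
# the last command (the original checked $? of the final rule only).
# Globals:   RETVAL (written)
# Arguments: passed straight through to iptables
#######################################
ipt() {
  iptables "$@" || RETVAL=1
}

#######################################
# Accept connections to one server:port in the user-defined "open" chain.
# Arguments: $1 - protocol (tcp|udp), $2 - destination address,
#            $3 - destination port
#######################################
open_to() {
  ipt -A open -p "$1" -d "$2" --dport "$3" -j ACCEPT
}

#######################################
# Load the firewall: enable forwarding, flush every table, set DROP default
# policies for INPUT/FORWARD, build the user chains (refuse, global_icmp,
# global_udp, global_tcp, open) and wire them into FORWARD and INPUT.
# Globals:   INTERNAL_NIC (read), RETVAL (written via ipt)
# Outputs:   Red Hat style "Starting Firewall: " status line
# Returns:   nothing; does nothing if /var/lock/subsys/firewall exists
#######################################
start() {
  local tables t type
  # check /var/lock/subsys/firewall file
  if [ -f /var/lock/subsys/firewall ]; then
    return
  fi
  # print "start firewall" msg
  echo -n $"Starting Firewall: "
  #
  # start firewall & NAT
  #
  modprobe ip_conntrack_ftp
  modprobe ip_nat_ftp
  echo 1 > /proc/sys/net/ipv4/ip_forward
  #
  # init iptables
  #
  # flush all chains (best effort, so plain iptables rather than ipt)
  iptables -F
  iptables -X
  tables=$(cat /proc/net/ip_tables_names 2>/dev/null)
  # word-splitting of $tables is intended: one table name per word
  for t in $tables; do
    iptables -t "$t" -F
    iptables -t "$t" -X
    iptables -t "$t" -Z
  done
  ######################################################################
  # set default policies
  ######################################################################
  # firewall itself : output only
  ipt -P INPUT DROP
  ipt -P OUTPUT ACCEPT
  # firewall filtering
  ipt -P FORWARD DROP
  ######################################################################
  # User defined chains
  ######################################################################
  #
  # refuse :
  #   explicit refuse chain
  #   logging to /var/log/firewall (via syslog kern.debug) & reject
  #
  ipt -N refuse
  # debug
  #ipt -A refuse --src 147.46.0.0/16 -j LOG \
  #  --log-prefix "refused: " --log-level debug
  #ipt -A refuse --src 211.241.202.133 -j LOG \
  #  --log-prefix "refused: " --log-level debug
  # Log only packets that did not arrive on the internal link, limited to
  # one line per minute so a flood cannot fill syslog.  "! -i" is the
  # extrapositional negation, accepted by old and new iptables alike.
  ipt -A refuse ! -i "$INTERNAL_NIC" -m limit --limit 1/m -j LOG \
    --log-prefix "refused: " --log-level debug
  # TCP gets a RST and UDP the default ICMP error, each rate limited;
  # anything over the limit (and every other protocol) is dropped silently.
  ipt -A refuse -p tcp -m limit --limit 10/s -j REJECT \
    --reject-with tcp-reset
  ipt -A refuse -p udp -m limit --limit 10/s -j REJECT
  ipt -A refuse -j DROP
  #
  # global_icmp :
  #   specified ICMP packets are accepted globally
  #
  # accept following icmp pkt
  #  - 0  : echo reply
  #  - 3  : dest unreachable
  #  - 4  : source quench (for Soribada?)
  #  - 5  : redirect
  #  - 8  : echo request
  #  - 11 : time exceeded
  ipt -N global_icmp
  for type in 0 3 4 5 8 11; do
    ipt -A global_icmp -p icmp --icmp-type "$type" -j ACCEPT
  done
  #
  # global_udp :
  #   specified udp packets are accepted globally
  #
  ipt -N global_udp
  # edonkey (4661-4663/tcp, 4665/udp) for all PC
  ipt -A global_udp -p udp --dport 4665 -j ACCEPT
  # Soribada
  #ipt -A global_udp -p udp --dport 7674 -j ACCEPT
  #ipt -A global_udp -p udp --dport 22321 -j ACCEPT
  #
  # global_tcp :
  #   specified tcp packets (that is valid) are accepted globally
  #
  ipt -N global_tcp
  # drop new pkt that has no syn
  ipt -A global_tcp -p tcp ! --syn -m state --state NEW -j refuse
  # MSN file transfer (6891-6900/tcp) for all PC
  # http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q278887&
  ipt -A global_tcp -p tcp --dport 6891:6900 -j ACCEPT
  # edonkey (4661-4663/tcp, 4665/udp) for all PC
  ipt -A global_tcp -p tcp --dport 4661:4663 -j ACCEPT
  # Soribada
  #ipt -A global_tcp -p tcp --dport 7675 -j ACCEPT
  #
  # open :
  #   accept connection by each server:port
  #
  ipt -N open
  # ares (211.241.202.129) : smtp(25/tcp), wts(3389/tcp), pop3(110/tcp),
  # imap(143/tcp)
  open_to tcp 211.241.202.129 25
  open_to tcp 211.241.202.129 3389
  #open_to tcp 211.241.202.129 110
  # master (211.241.202.133) : ftp(21/tcp), ssh(22/tcp), dns(53/udp),
  # www(80/tcp), https(443/tcp)
  open_to tcp 211.241.202.133 21
  open_to tcp 211.241.202.133 22
  open_to udp 211.241.202.133 53
  #open_to tcp 211.241.202.133 80
  #open_to tcp 211.241.202.133 443
  # winmaster (211.241.202.134) : wts(3389/tcp)
  #open_to tcp 211.241.202.134 3389
  # temp wts (211.241.202.242) : wts(3389/tcp)
  open_to tcp 211.241.202.242 3389
  # wts.clunix.com (211.241.202.245) : wts(3389/tcp)
  open_to tcp 211.241.202.245 3389
  # wts.manpa.net (211.241.202.135) : http(80/tcp) wts(3389/tcp)
  open_to tcp 211.241.202.135 80
  open_to tcp 211.241.202.135 3389
  # tech (211.241.202.221) : http(80/tcp), ftp(21/tcp)
  open_to tcp 211.241.202.221 80
  open_to tcp 211.241.202.221 21
  # Seo Jin-woo server (211.241.202.223) : ftp(21/tcp), ssh(22/tcp),
  # http(80/tcp)
  open_to tcp 211.241.202.223 21
  open_to tcp 211.241.202.223 22
  open_to tcp 211.241.202.223 80
  # Kim Dong-hyun PC (211.241.202.174) : wts(3389/tcp)
  open_to tcp 211.241.202.174 3389
  # Park Young-kwang PC (211.241.202.173) : wts(3389/tcp)
  open_to tcp 211.241.202.173 3389
  # Won Jae-kwan PC (211.241.202.177) : wts(3389/tcp)
  open_to tcp 211.241.202.177 3389
  # Yoon Young-tae PC (211.241.202.176) : wts(3389/tcp)
  open_to tcp 211.241.202.176 3389
  # Seo Jin-woo PC 211.241.202.152 :
  # ftp(21/tcp), ssh(22/tcp), http(80/tcp), wts(3389/tcp)
  # (the rules below also cover .153, .242, .230, .244 and .243, which the
  # comment does not mention)
  open_to tcp 211.241.202.152 21
  open_to tcp 211.241.202.153 21
  open_to tcp 211.241.202.152 22
  open_to tcp 211.241.202.242 21
  open_to tcp 211.241.202.242 22
  open_to tcp 211.241.202.153 22
  open_to tcp 211.241.202.152 80
  open_to tcp 211.241.202.153 80
  open_to tcp 211.241.202.153 53
  open_to udp 211.241.202.153 53
  open_to tcp 211.241.202.153 953
  open_to tcp 211.241.202.152 3389
  open_to tcp 211.241.202.230 3389
  open_to tcp 211.241.202.244 3389
  open_to tcp 211.241.202.244 22
  open_to tcp 211.241.202.243 22
  # tech team per-person servers : requested by Seo Jin-woo
  # 211.241.202.151,153,154,155,167,168 : wts(3389/tcp)
  # (no 3389 rule for .153 follows; the list above may be stale)
  open_to tcp 211.241.202.151 3389
  open_to tcp 211.241.202.154 3389
  open_to tcp 211.241.202.155 3389
  open_to tcp 211.241.202.167 3389
  open_to tcp 211.241.202.168 3389
  open_to tcp 211.241.202.229 21
  # Jo Kyung-woon test PCs :
  # 211.241.202.196 : ssh(22/tcp), EnCluster(777/tcp)
  open_to tcp 211.241.202.196 22
  open_to tcp 211.241.202.196 777
  # Gong Dong-bae per-person servers : requested by Gong Dong-bae
  open_to tcp 211.241.202.154 22
  open_to tcp 211.241.202.238 22
  open_to tcp 211.241.202.239 22
  open_to tcp 211.241.202.240 22
  # NAS test for alang : 211.241.202.229 : ssh(22/tcp)
  open_to tcp 211.241.202.229 22
  # for external demo : Son Myung-sun
  open_to tcp 211.241.202.243 80
  open_to tcp 211.241.202.243 3389
  # Kim Jung-eon personal server :
  open_to tcp 211.241.202.246 53
  open_to udp 211.241.202.246 53
  open_to tcp 211.241.202.246 22
  open_to tcp 211.241.202.246 21
  open_to tcp 211.241.202.246 80
  open_to tcp 211.241.202.246 953
  # Linux Expo exhibition
  #open_to tcp 211.241.202.238 910
  #open_to tcp 211.241.202.238 80
  #open_to tcp 211.241.202.200 910
  ######################################################################
  # FORWARD chain rules
  ######################################################################
  # accept all packets from internal network ($INTERNAL_NIC): the inside
  # is fully trusted, nothing leaving it is filtered
  ipt -A FORWARD -p ALL -i "$INTERNAL_NIC" -j ACCEPT
  # accept all packets from in/out according to stateful-inspection
  ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  # accept specified icmp packets by global_icmp chain
  ipt -A FORWARD -p icmp -j global_icmp
  # accept specified udp packets by global_udp chain
  ipt -A FORWARD -p udp -j global_udp
  # accept specified tcp packets by global_tcp chain
  ipt -A FORWARD -p tcp -j global_tcp
  # accept packets by server:port
  ipt -A FORWARD -j open
  # otherwise, refuse it
  ipt -A FORWARD -j refuse
  ######################################################################
  # INPUT/OUTPUT chain rules for firewall itself
  # (211.241.202.253)
  ######################################################################
  # br0 : ssh(22/tcp), global_icmp
  # lo  : accept all in/out
  #
  # accept all pkt from local loopback interface
  ipt -A INPUT -i lo -j ACCEPT
  # accept all packets by stateful-inspection
  ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  # filter by global icmp pkt
  ipt -A INPUT -p icmp -j global_icmp
  # filter by global tcp pkt
  # NOTE(review): global_tcp also ACCEPTs 6891:6900 and 4661:4663, so the
  # firewall host itself accepts those ports on any interface here.
  ipt -A INPUT -p tcp -j global_tcp
  # accept only ssh(22/tcp) pkt from internal network ($INTERNAL_NIC)
  ipt -A INPUT -p tcp -i "$INTERNAL_NIC" --dport 22 -j ACCEPT
  # otherwise, refuse pkt
  ipt -A INPUT -j refuse
  # accept all out pkt (the OUTPUT policy is already ACCEPT; kept as-is)
  # NOTE(review): br0 is not one of the interfaces named at the top of the
  # file (eth0/eth1); confirm it exists on this host.
  ipt -A OUTPUT -o br0 -j ACCEPT
  ipt -A OUTPUT -o lo -j ACCEPT
  ######################################################################
  # for NAT(masquerade) 192.168.12.0/24 -> 211.241.202.253 via firewall
  ######################################################################
  #
  # masquerade : not used anymore... master will do NAT for 192.168.12.0
  #
  #ipt -t nat -A POSTROUTING -s 192.168.12.0/24 -j MASQUERADE
  # print "firewall startup" msg, reflecting every rule above rather than
  # only the last one
  if [ "$RETVAL" -eq 0 ]; then
    success "firewall startup"
  else
    failure "firewall startup"
  fi
  echo
  # lock: written even after a partial failure so that "stop" still
  # flushes whatever was loaded
  touch /var/lock/subsys/firewall
}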
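#######################################
# Tear down the firewall: flush and delete every chain in every table,
# reset all built-in policies to ACCEPT, disable forwarding and unload the
# FTP helper modules.  After this the host and forwarded traffic are
# completely unfiltered.
# Globals:   RETVAL (written: 1 if a policy reset fails)
# Outputs:   Red Hat style "Stopping Firewall: " status line
# Returns:   nothing; does nothing unless /var/lock/subsys/firewall exists
#######################################
stop() {
  local tables t rv
  # check /var/lock/subsys/firewall file
  if [ ! -f /var/lock/subsys/firewall ]; then
    return
  fi
  # print "stop firewall" msg
  echo -n $"Stopping Firewall: "
  #
  # flush & delete iptables rules
  #
  tables=$(cat /proc/net/ip_tables_names 2>/dev/null)
  # word-splitting of $tables is intended: one table name per word
  for t in $tables; do
    iptables -t "$t" -F
    iptables -t "$t" -X
  done
  # Reset every policy to ACCEPT and remember whether that worked.  The
  # original took $? after rmmod, so a failed policy reset went unreported
  # while a harmless "module not loaded" from rmmod showed as failure.
  rv=0
  iptables -P INPUT ACCEPT && \
    iptables -P OUTPUT ACCEPT && \
    iptables -P FORWARD ACCEPT && \
    iptables -t nat -P PREROUTING ACCEPT && \
    iptables -t nat -P POSTROUTING ACCEPT && \
    iptables -t nat -P OUTPUT ACCEPT && \
    iptables -t mangle -P PREROUTING ACCEPT && \
    iptables -t mangle -P OUTPUT ACCEPT || rv=1
  #
  # stop firewall & NAT
  #
  echo 0 > /proc/sys/net/ipv4/ip_forward
  # best effort: the modules may be in use or already unloaded
  rmmod ip_nat_ftp
  rmmod ip_conntrack_ftp
  # print "firewall stop" msg
  if [ "$rv" -eq 0 ]; then
    success "firewall stop"
  else
    failure "firewall stop"
    RETVAL=1
  fi
  echo
  # unlock
  rm -f /var/lock/subsys/firewall
}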
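# See how we were called.
case "$1" in
  start)
    start
    ;;
  stop)
    stop
    ;;
  status)
    # -n prints addresses and ports numerically so "status" cannot block
    # on reverse DNS lookups when name resolution is slow or unavailable
    /sbin/iptables -n -L INPUT
    /sbin/iptables -n -L OUTPUT
    /sbin/iptables -n -L FORWARD
    ;;
  restart)
    stop
    sleep 1
    start
    ;;
  *)
    echo $"Usage: $0 {start|stop|status|restart}"
    exit 1
    ;;
esac
# RETVAL is 0 unless start()/stop() recorded a failure
exit $RETVAL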