[보안] 리눅스 Bridge Script 예제
#!/bin/sh
#
# Kim's firewall configuration
#
# chkconfig: 2345 60 95
# description: stone’s firewall
# probe: true
# Source function library.
# NOTE(review): nothing in this script calls a helper from that library, and a
# system without /etc/rc.d/init.d/functions may abort right here (a failing
# "." exits a non-interactive POSIX shell) before any rule is installed.
. /etc/rc.d/init.d/functions
############ Nothing to do without an iptables binary: leave quietly (exit 0) #############
# Checked at the fixed path /sbin/iptables; note that the rules below invoke a
# bare "iptables" through PATH, so the two may not be the same binary.
[ -x /sbin/iptables ] || exit 0
##################################################################
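# Local network behind the bridge: the hosts these FORWARD rules protect.
localnet=61.81.112.0/24
########## Well-known (privileged) port range ##########
# Straight quotes: the original used typographic quotes, which the shell does
# not treat as quoting, so the quote characters became part of the value and
# every "--dport $unprivileged_port" below was rejected by iptables.
# wellknown_port is kept for reference; no rule in this script uses it.
wellknown_port="0:1023"
########## Unprivileged (ephemeral) port range ##########
unprivileged_port="1024:65535"
# FTP connection-tracking helper; uncomment if passive/active FTP data
# connections should be matched as RELATED instead of via a broad port rule.
#modprobe ip_conntrack_ftp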
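# Dispatch on the init-script verb ($1): start | stop | restart | status.
# Only the FORWARD chain is touched: the box is a bridge, so the protected
# hosts' traffic crosses FORWARD rather than INPUT/OUTPUT.
# All iptables options use ASCII "--" and straight quotes; the original had
# en-dashes and typographic quotes, which iptables and the shell reject.
case "$1" in
start)
  printf 'start firewall:\n'
  ######## Flush every rule and chain, set the default policy, then rebuild ########
  # The TOS rules below live in the mangle table; flushing only the filter
  # table (the original behaviour) appended a duplicate set on every restart.
  iptables -F
  iptables -X
  iptables -t mangle -F
  # Default-deny on FORWARD so the bridge fails closed if this script aborts
  # part-way or the table is flushed; "stop" resets the policy to ACCEPT.
  iptables -P FORWARD DROP
  ##### TOS: mark ftp/ssh/telnet/http, both directions, as minimum-delay (0x10) #####
  for port in 21 22 23 80; do
    iptables -t mangle -A FORWARD -p tcp --dport "$port" -j TOS --set-tos 0x10
    iptables -t mangle -A FORWARD -p tcp --sport "$port" -j TOS --set-tos 0x10
  done
  ######### Drop malformed packets and common scan signatures ###############
  # The matching LOG rules are left commented out, so these drops are silent;
  # uncomment them (they are rate-limited) if scans should appear in syslog.
  iptables -A FORWARD -m state --state INVALID -j DROP
  # iptables -A FORWARD -p tcp --tcp-flags ALL FIN,URG,PSH -m limit --limit 5/minute -j LOG --log-level notice --log-prefix "NMAP-XMAS:"
  iptables -A FORWARD -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
  # iptables -A FORWARD -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/minute -j LOG --log-level notice --log-prefix "SYN/FIN:"
  iptables -A FORWARD -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
  # iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/minute -j LOG --log-level notice --log-prefix "SYN/RST:"
  iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
  # Drop RST/ACKs to limit OS detection through pinging
  # NOTE(review): with mask RST and comparison RST,ACK this rule appears never
  # to match (ACK lies outside the mask), i.e. it is effectively a no-op. Left
  # unchanged: widening the mask to RST,ACK would also drop legitimate
  # connection refusals and teardowns passing through the bridge.
  # iptables -A FORWARD -p tcp --tcp-flags RST RST,ACK -m limit --limit 5/minute -j LOG --log-level notice --log-prefix "RST/ACK:"
  iptables -A FORWARD -p tcp --tcp-flags RST RST,ACK -j DROP
  # Pings: allow echo-request from the wider 61.81.0.0/16 block into the local
  # net and from the local net outward; reject every other echo-request.
  #iptables -A FORWARD -p icmp --icmp-type 0/0 -d $localnet -j ACCEPT
  iptables -A FORWARD -p icmp --icmp-type echo-request -s 61.81.0.0/16 -d "$localnet" -j ACCEPT
  iptables -A FORWARD -p icmp --icmp-type echo-request -s "$localnet" -j ACCEPT
  iptables -A FORWARD -p icmp --icmp-type echo-request -j REJECT
  # iptables -A FORWARD -p icmp --icmp-type 0/0 -m limit --limit 5/minute -j LOG --log-level notice --log-prefix "Drop Echo Reply:"
  # iptables -A FORWARD -p icmp --icmp-type 0/0 -j DROP
  #### Deny Nimda / Code Red probes (needs the iptables string-match extension) ####
  # Newer iptables releases require an explicit "--algo bm" (or kmp) argument
  # for -m string; verify the syntax on the target system.
  iptables -A FORWARD -p tcp --tcp-flags ACK ACK --dport 80 -m string --string "/default.ida?" -j REJECT --reject-with tcp-reset
  iptables -A FORWARD -p tcp --tcp-flags ACK ACK --dport 80 -m string --string "XXXXXXXX" -j REJECT --reject-with tcp-reset
  iptables -A FORWARD -p tcp --tcp-flags ACK ACK --dport 80 -m string --string "cmd.exe" -j REJECT --reject-with tcp-reset
  iptables -A FORWARD -p tcp --tcp-flags ACK ACK --dport 80 -m string --string "root.exe?" -j REJECT --reject-with tcp-reset
  # Accept replies and continuations of conversations allowed below.
  # Deliberately NOT "NEW": the original rule also accepted NEW, which matched
  # every fresh connection and made all per-service rules and the final DROP
  # below unreachable -- the bridge forwarded everything.
  iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
  # iptables -A FORWARD -j ACCEPT
  ######################################################################
  ## Set up UDP
  ######################################################################
  # Outbound traceroute
  iptables -A FORWARD -p udp --dport 33434:33523 -j ACCEPT
  # Inbound traceroute
  #iptables -A FORWARD -p udp --sport 32769:65535 --dport 33434:33523 -j ACCEPT
  # Let the local net query external DNS servers
  iptables -A FORWARD -p udp -s "$localnet" --dport 53 -j ACCEPT
  iptables -A FORWARD -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
  # Time service (port 37) so the local net can set its clocks with rdate
  iptables -A FORWARD -p udp -s "$localnet" --sport "$unprivileged_port" --dport 37 -j ACCEPT
  ######################################################################
  ## Set up TCP
  ######################################################################
  ###### FTP: active mode (data port 20) and passive mode (high port to high port) ######
  iptables -A FORWARD -p tcp --dport 20 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  # NOTE(review): the high-port-to-high-port rule below admits every NEW TCP
  # connection between unprivileged ports in either direction, not just
  # passive-FTP data channels. Loading the FTP conntrack helper (see the
  # commented modprobe near the top) lets the RELATED rule above cover
  # passive FTP instead, after which this rule should be removed or narrowed.
  iptables -A FORWARD -p tcp --sport "$unprivileged_port" --dport "$unprivileged_port" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  iptables -A FORWARD -p tcp --dport 21 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  ######## ssh #######################
  iptables -A FORWARD -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
  ######## Mail (smtp, submission) #############################
  iptables -A FORWARD -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
  iptables -A FORWARD -p tcp --dport 587 -m state --state NEW,ESTABLISHED -j ACCEPT
  ######### Web / https #############################
  iptables -A FORWARD -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
  iptables -A FORWARD -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
  ########## pop3 ##########################
  iptables -A FORWARD -p tcp --dport 110 -m state --state NEW,ESTABLISHED -j ACCEPT
  ########## imap ##########################
  iptables -A FORWARD -p tcp --dport 143 -m state --state NEW,ESTABLISHED -j ACCEPT
  ########## telnet (cleartext; keep only while something still depends on it) ####
  iptables -A FORWARD -p tcp --dport 23 -m state --state NEW,ESTABLISHED -j ACCEPT
  ##### Allow everything leaving the internal network (servers) #######
  # Uncomment if the local net needs unrestricted outbound access; while it is
  # commented out, outbound connections are limited to the services above.
  #iptables -A FORWARD -s $localnet -j ACCEPT
  ##### Drop every packet not explicitly allowed above ####################
  iptables -A FORWARD -j DROP
  ;;
stop)
  printf 'stop firewall:\n'
  # Tear down everything start) built, including the mangle TOS rules, and
  # return the FORWARD policy to ACCEPT so "stop" really means "firewall off".
  iptables -F
  iptables -X
  iptables -t mangle -F
  iptables -P FORWARD ACCEPT
  ;;
status)
  # -n skips reverse DNS lookups, which can stall the listing.
  iptables -L -v -n
  ;;
restart)
  "$0" stop
  "$0" start
  ;;
*)
  printf 'Usage: firewall {start|stop|restart|status}\n' >&2
  exit 1
  ;;
esac
exit 0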