[보안] 리눅스 Bridge Script 예제

#!/bin/sh

#

# 김서방의  firewall  configuration

#

# chkconfig: 2345 60 95

# description: stone’s firewall

# probe: true

# Source function library.

. /etc/rc.d/init.d/functions

############만약 iptables가 존재하지 않으면 빠져나간다#############

if [ ! -x /sbin/iptables ];then

exit 0

fi

##################################################################

#로컬 네트웍에 대한 설정

localnet=61.81.112.0/24

########## welknow port 설정 #######

wellknown_port=”0:1023″

########### unprivileged port 설정######3

unprivileged_port=”1024:65535″

#modprobe ip_conntrack_ftp

# See how we were called.

case “$1” in

  start)

  echo -ne “start firewall:\\n”

#########모든 규칙과 사슬을 지운다/기본 정책을 설정한다/브릿지설정 ######

  iptables -F

  iptables -X

##### TOS값 설정##########

  iptables -t mangle -A FORWARD -p tcp –dport 21 -j TOS –set-tos 0x10

  iptables -t mangle -A FORWARD -p tcp –sport 21 -j TOS –set-tos 0x10

  iptables -t mangle -A FORWARD -p tcp –dport 22 -j TOS –set-tos 0x10

  iptables -t mangle -A FORWARD -p tcp –sport 22 -j TOS –set-tos 0x10

  iptables -t mangle -A FORWARD -p tcp –dport 23 -j TOS –set-tos 0x10

  iptables -t mangle -A FORWARD -p tcp –sport 23 -j TOS –set-tos 0x10

  iptables -t mangle -A FORWARD -p tcp –dport 80 -j TOS –set-tos 0x10

  iptables -t mangle -A FORWARD -p tcp –sport 80 -j TOS –set-tos 0x10

######### 비정상적 패킷은 드롭시킨다. 로그에 남긴다. ###############

  iptables -A FORWARD -m state –state INVALID -j DROP

# iptables -A FORWARD -p tcp –tcp-flags ALL FIN,URG,PSH -m limit –limit 5/minute -j LOG –log-level notice –log-prefix “NMAP-XMAS:”

  iptables -A FORWARD -p tcp –tcp-flags ALL FIN,URG,PSH -j DROP

# iptables -A FORWARD -p tcp –tcp-flags SYN,FIN SYN,FIN -m limit –limit 5/minute -j LOG –log-level notice –log-prefix “SYN/FIN:”

  iptables -A FORWARD -p tcp –tcp-flags SYN,FIN SYN,FIN -j DROP

# iptables -A FORWARD -p tcp –tcp-flags SYN,RST SYN,RST -m limit –limit 5/minute -j LOG –log-level notice –log-prefix “SYN/RST:”

  iptables -A FORWARD -p tcp –tcp-flags SYN,RST SYN,RST -j DROP

# Drop RST/ACKs to limit OS detection through pinging

# iptables -A FORWARD -p tcp –tcp-flags RST RST,ACK -m limit –limit 5/minute -j LOG –log-level notice –log-prefix “RST/ACK:”

  iptables -A FORWARD -p tcp –tcp-flags RST RST,ACK -j DROP

#Deny pings from outside

  #iptables -A FORWARD -p icmp –icmp-type  0/0 -d $localnet -j ACCEPT

  iptables -A FORWARD -p icmp –icmp-type echo-request -s 61.81.0.0/16 -d $localnet  -j ACCEPT

  iptables -A FORWARD -p icmp –icmp-type echo-request -s $localnet  -j ACCEPT

  iptables -A FORWARD -p icmp –icmp-type echo-request -j REJECT

# iptables -A FORWARD -p icmp –icmp-type 0/0 -m limit –limit 5/minute -j LOG –log-level notice –log-prefix “Drop Echo Reply:”

# iptables -A FORWARD -p icmp –icmp-type 0/0 -j DROP

#### Deny nimda(string패치를 이용해야 된다) ###################

  iptables -A FORWARD -p tcp –tcp-flags ACK ACK –dport 80 -m string –string “/default.ida?” -j REJECT –reject-with tcp-reset

  iptables -A FORWARD -p tcp –tcp-flags ACK ACK –dport 80 -m string –string “XXXXXXXX” -j REJECT –reject-with tcp-reset

  iptables -A FORWARD -p tcp –tcp-flags ACK ACK –dport 80 -m string –string “cmd.exe” -j REJECT –reject-with tcp-reset

  iptables -A FORWARD -p tcp –tcp-flags ACK ACK –dport 80 -m string –string “root.exe?” -j REJECT –reject-with tcp-reset

  iptables -A FORWARD -m state –state RELATED,ESTABLISHED,NEW -j ACCEPT

# iptables -A FORWARD  -j ACCEPT

######################################################################

##Set up UDP

######################################################################

#외부로 나가는  Traceroute

  iptables -A FORWARD -p udp  –dport 33434:33523 -j ACCEPT

#외부에서 들어오는 Traceroute

#iptables -A FORWARD -p udp –sport 32769:65535 –dport 33434:33523 -j ACCEPT

# 외부 DNS 서버에 질의가능하도록 셋팅

  iptables -A FORWARD -p udp -s $localnet –dport 53 -j ACCEPT

  iptables -A FORWARD -p udp –sport 53 -m state –state ESTABLISHED -j ACCEPT

#rdate로 시간 맞추기 위한 time서버 셋팅

  iptables -A FORWARD -p udp -s $localnet –sport $unprivileged_port –dport 37 -j ACCEPT

######################################################################

## set up tcp

######################################################################

###### ftp서비스 active모드와 passive모드 설정#################

  iptables -A FORWARD -p tcp –dport 20 -m state –state NEW,ESTABLISHED,RELATED -j ACCEPT

  iptables -A FORWARD -p tcp –dport 20 -m state –state ESTABLISHED -j ACCEPT

  iptables -A FORWARD -p tcp –sport $unprivileged_port –dport $unprivileged_port -m state –state NEW,ESTABLISHED,RELATED -j ACCEPT

  iptables -A FORWARD -p tcp –dport 21 -m state –state NEW,ESTABLISHED,RELATED -j ACCEPT

  

######## ssh 서비스 #######################

  iptables -A FORWARD -p tcp –dport 22 -m state –state NEW,ESTABLISHED -j ACCEPT

  

######## 메일 #############################

  iptables -A FORWARD -p tcp –dport 25 -m state –state NEW,ESTABLISHED -j ACCEPT

  iptables -A FORWARD -p tcp –dport 587 -m state –state NEW,ESTABLISHED -j ACCEPT

  

######### 웹 /https #############################

  iptables -A FORWARD -p tcp –dport 80 -m state –state NEW,ESTABLISHED -j ACCEPT

  iptables -A FORWARD -p tcp –dport 443 -m state –state NEW,ESTABLISHED -j ACCEPT

  

########## pop3 ##########################

  iptables -A FORWARD -p tcp –dport 110 -m state –state NEW,ESTABLISHED -j ACCEPT

  

########## imap ##########################

  iptables -A FORWARD -p tcp –dport 143 -m state –state NEW,ESTABLISHED -j ACCEPT

########## telnet #######################

  iptables -A FORWARD -p tcp –dport 23 -m state –state NEW,ESTABLISHED -j ACCEPT

  

##### 내부 네트웍(서버)에서 외부로 나가는 패킷 허가함 #######

#iptables -A FORWARD -s $localnet -j ACCEPT

##### 허가 받지 않는 모든 패킷 드롭 ####################

  iptables -A FORWARD -j DROP

  ;;

  stop)

  echo -ne “stop firewall:\\n”

  iptables -F

  ;;

    

  status)

  iptables -L -v

  ;;

  

  restart)

  $0 stop

  $0 start

  ;;

  

  *)

        echo -ne “Usage: firewall {start|stop|restart|status}”

        exit 1

esac

exit 0

서진우

슈퍼컴퓨팅 전문 기업 클루닉스/ 상무(기술이사)/ 정보시스템감리사/ 시스존 블로그 운영자

You may also like...

2 Responses

  1. trap music 말해보세요:

    trap music

  1. 2024년 9월 26일

    … [Trackback]

    […] Read More here on that Topic: nblog.syszone.co.kr/archives/496 […]

페이스북/트위트/구글 계정으로 댓글 가능합니다.