-
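echo "초기화 단계"
# Stop firewalld so it does not keep its own rules alongside the ones below.
# 'stop' is not 'disable': firewalld returns on reboot, and nothing in this
# script is persisted (an iptables-save dump would be needed), so this is a
# lab ruleset that has to be re-run after every boot.
systemctl stop firewalld
# Flush the filter table AND the nat table. The note had '[iptables -t nat -F]'
# as an optional step; later exercises add SNAT/DNAT rules, and without the
# nat flush they accumulate every time this script is run.
iptables -F
iptables -t nat -F
# Admin SSH is accepted BEFORE the default policies are switched to DROP.
# In the original order (flush, '-P ... DROP', then the ACCEPT rules) an SSH
# session used to run this script is cut off at '-P INPUT DROP', and with
# OUTPUT also at DROP there is no way back in except the console. These stay
# the first rules of INPUT and OUTPUT, so the chain order is unchanged.
iptables -A INPUT -s 192.168.0.71 -p tcp --dport 22 -j LOG --log-prefix "fw_ssh_accept"
iptables -A INPUT -s 192.168.0.71 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -s 192.168.0.74 -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -d 192.168.0.71 -p tcp --sport 22 -j LOG --log-prefix "fw_ssh_accept"
iptables -A OUTPUT -d 192.168.0.71 -p tcp --sport 22 -j ACCEPT
iptables -A OUTPUT -d 192.168.0.74 -p tcp --sport 22 -j ACCEPT
# Default deny on all three chains; anything not accepted below is dropped.
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# Without routing the FORWARD chain never sees a packet. 'sysctl -w' is not
# persistent either; it has to be set again (or configured) after a reboot.
sysctl -w net.ipv4.ip_forward=1
echo "INPUT"
# ICMP from any host. The note had '[-d 0.0.0.0]' / '[-s 0.0.0.0]' here; a
# literal '-d 0.0.0.0' matches only that single address, so the matcher is
# simply omitted (no -s/-d means any address).
iptables -A INPUT -p icmp -j LOG --log-prefix "fw_icmp_accept"
iptables -A INPUT -p icmp -j ACCEPT
# DNS replies, matched statelessly on source address + source port 53. This
# is not a reply check: any UDP packet carrying those values is let in, so it
# is only as strong as the address check. The conntrack version later in the
# note (ESTABLISHED,RELATED) replaces it. Log prefix typo 'accpet' fixed.
iptables -A INPUT -s 8.8.8.8,168.126.63.1 -p udp --sport 53 -j LOG --log-prefix "fw_dns_accept"
iptables -A INPUT -s 8.8.8.8,168.126.63.1 -p udp --sport 53 -j ACCEPT
# SSH from anyone else is logged and dropped. The original had '-p --dport 22',
# which makes iptables read '--dport' as the protocol name and reject the rule.
iptables -A INPUT -p tcp --dport 22 -j LOG --log-prefix "fw_ssh_drop"
iptables -A INPUT -p tcp --dport 22 -j DROP
# Catch-all log in front of the DROP policy. An unlimited LOG rule can flood
# syslog under a packet flood; add '-m limit --limit 5/min' outside the lab.
iptables -A INPUT -j LOG --log-prefix "INPUT_DROP"
echo "OUTPUT"
iptables -A OUTPUT -p icmp -j LOG --log-prefix "fw_icmp_accept"
iptables -A OUTPUT -p icmp -j ACCEPT
iptables -A OUTPUT -d 8.8.8.8,168.126.63.1 -p udp --dport 53 -j LOG --log-prefix "fw_dns_accept"
iptables -A OUTPUT -d 8.8.8.8,168.126.63.1 -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -j LOG --log-prefix "OUTPUT_DROP"
echo "FORWARD"
# The original wrote '-dport' / '-sport' (single dash); iptables parses those
# as '-d port' / '-s port' and fails. The options are '--dport' / '--sport'.
iptables -A FORWARD -d 192.168.196.200 -p tcp --dport 80 -j LOG --log-prefix "web_accept"
iptables -A FORWARD -d 192.168.196.200 -p tcp --dport 80 -j ACCEPT
# Stateless "reply" rule: it matches on source port alone, so it also accepts
# NEW connections from the web server as long as they originate from port 80,
# to any destination. That is the limitation the stateful rules later in the
# note remove.
iptables -A FORWARD -s 192.168.196.200 -p tcp --sport 80 -j ACCEPT
# Log prefix typo 'accpet' fixed.
iptables -A FORWARD -s 192.168.56.200 -d 192.168.196.200 -p tcp --dport 22 -j LOG --log-prefix "server_ssh_accept"
iptables -A FORWARD -s 192.168.56.200 -d 192.168.196.200 -p tcp --dport 22 -j ACCEPT
iptables -A FORWARD -s 192.168.196.200 -d 192.168.56.200 -p tcp --sport 22 -j ACCEPT
iptables -A FORWARD -j LOG --log-prefix "FORWARD_DROP"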
* 패킷 필터 방화벽
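# Stateless packet filter: both directions of every session are listed by
# hand, and the "reply" rules (-i eth1, --sport N) match on source port only,
# so they also accept new connections that merely originate from that port.
# '-o eth1' carries PC (192.168.56.200) -> web (192.168.196.200) and '-i eth1'
# the reverse, so eth1 presumably faces the web server's network.
iptables -A FORWARD -o eth1 -s 192.168.56.200 -d 192.168.196.200 -p tcp --dport 22 -j ACCEPT
iptables -A FORWARD -i eth1 -s 192.168.196.200 -d 192.168.56.200 -p tcp --sport 22 -j ACCEPT
iptables -A FORWARD -o eth1 -s 192.168.56.200 -d 192.168.196.200 -p icmp -j ACCEPT
iptables -A FORWARD -i eth1 -s 192.168.196.200 -d 192.168.56.200 -p icmp -j ACCEPT
# Telnet (23) and FTP (21/20) are cleartext lab protocols.
iptables -A FORWARD -o eth1 -s 192.168.56.200 -d 192.168.196.200 -p tcp --dport 23 -j ACCEPT
iptables -A FORWARD -i eth1 -s 192.168.196.200 -d 192.168.56.200 -p tcp --sport 23 -j ACCEPT
# FTP control channel: client -> server port 21 and its replies.
iptables -A FORWARD -o eth1 -s 192.168.56.200 -d 192.168.196.200 -p tcp --dport 21 -j ACCEPT
iptables -A FORWARD -i eth1 -s 192.168.196.200 -d 192.168.56.200 -p tcp --sport 21 -j ACCEPT
# FTP active-mode data channel: the SERVER opens it, from its port 20 to the
# client. The original had the ports reversed (PC --sport 20, web --dport 20),
# which would describe the PC as the FTP server; with port 21 on the web host
# the web host is the server, so 20 is its SOURCE port. Passive mode uses an
# ephemeral server port and cannot be written as a stateless rule at all.
iptables -A FORWARD -i eth1 -s 192.168.196.200 -d 192.168.56.200 -p tcp --sport 20 -j ACCEPT
iptables -A FORWARD -o eth1 -s 192.168.56.200 -d 192.168.196.200 -p tcp --dport 20 -j ACCEPT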
* 상태기반 방화벽
ssh
pc eth1 -----------------------------------------> web
192.168.56.200 192.168.196.200:200
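# Stateful version: only the packet that OPENS a session needs a rule; the
# replies are accepted by the ESTABLISHED,RELATED rules.
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j LOG --log-prefix "INPUT_state_accept"
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# The original fragment had ESTABLISHED,RELATED on INPUT only. With the FORWARD
# policy at DROP (set in the initialisation step) the replies to the forwarded
# sessions below would still be dropped unless FORWARD has the same rule.
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Session-opening packets PC -> web. '--ctstate NEW' is added so that these
# rules cannot match an UNTRACKED packet by accident.
iptables -A FORWARD -o eth1 -s 192.168.56.200 -d 192.168.196.200 -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -o eth1 -s 192.168.56.200 -d 192.168.196.200 -p icmp -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -o eth1 -s 192.168.56.200 -d 192.168.196.200 -p tcp --dport 23 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -o eth1 -s 192.168.56.200 -d 192.168.196.200 -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
# FTP active-mode data: the server opens it from port 20 towards the client,
# so the NEW packet travels web -> PC (the original had PC -> web --sport 20,
# which is the wrong direction for a server-initiated connection). With the
# nf_conntrack_ftp helper loaded this connection is RELATED to the control
# session and needs no rule of its own, which also covers passive mode.
iptables -A FORWARD -i eth1 -s 192.168.196.200 -d 192.168.56.200 -p tcp --sport 20 -m conntrack --ctstate NEW -j ACCEPT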
ssh
pc eth1 <----------------------------------------- web
192.168.56.200 192.168.196.200:200
# Stateful OUTPUT: packets of an already accepted session pass, and the only
# new outbound session the firewall itself may open is a DNS query to 8.8.8.8.
# Long option names; '--protocol udp' has to precede '--dport'.
iptables --append OUTPUT --match conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT
iptables --append OUTPUT --protocol udp --destination 8.8.8.8 --dport 53 --jump ACCEPT
ftp A/P
pc eth1 -----------------------------------------> ftp
192.168.56.200 49.1.218.80:21
ftp A/P
pc eth1 <----------------------------------------- ftp
192.168.56.200 49.1.218.80:21
ftp A/P
pc eth1 <----------------------------------------- ftp
192.168.56.200 49.1.218.80:20
ftp A/P
pc eth1 -----------------------------------------> ftp
192.168.56.200 49.1.218.80:20
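echo "INPUT"
# Packets conntrack cannot classify (INVALID) are dropped first, so they never
# reach the ESTABLISHED rule below.
iptables -A INPUT -m conntrack --ctstate INVALID -j LOG --log-prefix "DROP_INVALID"
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
# This LOG rule fires for every packet of every accepted session; that is a
# lot of syslog traffic. Fine for a lab; add '-m limit' or drop it otherwise.
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j LOG --log-prefix "accept_input"
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# New sessions to the firewall itself: SSH from the admin PC, and ICMP to
# 192.168.0.72 (presumably this host's own address on the office side).
iptables -A INPUT -s 192.168.0.71 -p tcp --dport 22 -j LOG --log-prefix "fw_ssh_accept"
iptables -A INPUT -s 192.168.0.71 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -d 192.168.0.72 -p icmp -j LOG --log-prefix "fw_icmp_accept"
iptables -A INPUT -d 192.168.0.72 -p icmp -j ACCEPT
echo "OUTPUT"
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j LOG --log-prefix "accept_output"
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -d 8.8.8.8,168.126.63.1 -p udp --dport 53 -j LOG --log-prefix "fw_dns_accept"
iptables -A OUTPUT -d 8.8.8.8,168.126.63.1 -p udp --dport 53 -j ACCEPT
echo "FORWARD"
# Same INVALID drop as on INPUT; the original applied it to INPUT only.
iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j LOG --log-prefix "accept_forward"
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Session-opening packets only ('--ctstate NEW', as the SSH rule already had).
# The original web rules matched without a state, so after the INVALID and
# ESTABLISHED rules above they also accepted UNTRACKED packets.
iptables -A FORWARD -d 192.168.196.200 -p tcp --dport 80 -m conntrack --ctstate NEW -j LOG --log-prefix "web_accept"
iptables -A FORWARD -d 192.168.196.200 -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -s 192.168.56.200 -d 192.168.196.200 -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT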
* 돌발 미션!
- 사무실 PC에서 구글로 ping이 되도록!
- Web서버에서 구글로 ping이 되도록!
- 사무실 PC에서 구글로 네임 쿼리가 가능하도록!
- Web서버에서 구글로 네임 쿼리가 가능하도록!
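echo "forward rules"
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j LOG --log-prefix "accept_state"
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Office PC and web server -> outside: ping and DNS to 8.8.8.8, HTTP anywhere.
iptables -A FORWARD -s 192.168.196.200,192.168.56.200 -d 8.8.8.8 -p icmp -j ACCEPT
iptables -A FORWARD -s 192.168.196.200,192.168.56.200 -d 8.8.8.8 -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -s 192.168.196.200,192.168.56.200 -p tcp --dport 80 -j ACCEPT
# NAT. Outbound: the PC is SNATed to a fixed address (presumably eth0's own),
# the web server is masqueraded. Inbound: eth0:80 -> web server, eth0:8888 ->
# a second web host. Full option names instead of the '--to' abbreviation.
iptables -t nat -A POSTROUTING -s 192.168.56.200 -o eth0 -j SNAT --to-source 192.168.0.72
iptables -t nat -A POSTROUTING -s 192.168.196.200 -o eth0 -j MASQUERADE
iptables -t nat -A PREROUTING -p tcp --dport 80 -i eth0 -j DNAT --to-destination 192.168.196.200:80
iptables -t nat -A PREROUTING -p tcp --dport 8888 -i eth0 -j DNAT --to-destination 192.168.196.201:80
# DNAT only rewrites the destination; the rewritten packet still has to pass
# FORWARD. The original accepted only 192.168.196.200:80, so the 8888 -> .201
# mapping was dead: its packets ended in the catch-all FORWARD_DROP below.
iptables -A FORWARD -d 192.168.196.200 -p tcp --dport 80 -j LOG --log-prefix "web_accept"
iptables -A FORWARD -d 192.168.196.200 -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -d 192.168.196.201 -p tcp --dport 80 -j ACCEPT
# Log prefix typo 'accpet' fixed.
iptables -A FORWARD -s 192.168.56.200 -d 192.168.196.200 -p tcp --dport 22 -j LOG --log-prefix "server_ssh_accept"
iptables -A FORWARD -s 192.168.56.200 -d 192.168.196.200 -p tcp --dport 22 -j ACCEPT
# The original also kept the stateless reply rules from the earlier exercise
# ('-s 192.168.196.200 --sport 80' to anywhere, '--sport 22' to the PC).
# Replies are already accepted by ESTABLISHED,RELATED at the top, so those
# rules only ever matched NEW packets that happened to use source port 80/22;
# they are removed.
iptables -A FORWARD -j LOG --log-prefix "FORWARD_DROP"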