{"id":797,"date":"2015-01-25T11:36:30","date_gmt":"2015-01-25T02:36:30","guid":{"rendered":"http:\/\/www.freesens.com\/x\/?p=797"},"modified":"2024-01-16T09:25:59","modified_gmt":"2024-01-16T00:25:59","slug":"iptables","status":"publish","type":"post","link":"http:\/\/www.freesens.com\/x\/?p=797","title":{"rendered":"Linux F\/W (iptables)"},"content":{"rendered":"

1. iptables \ub780?<\/p>\n

iptables\ub294 \ub9ac\ub205\uc2a4\uc0c1\uc5d0\uc11c \ubc29\ud654\ubcbd\uc744 \uc124\uc815\ud558\ub294 \ub3c4\uad6c\ub85c\uc11c \ucee4\ub110 2.4 \uc774\uc804 \ubc84\uc804\uc5d0\uc11c \uc0ac\uc6a9\ub418\ub358 ipchains\ub97c \ub300\uc2e0\ud558\ub294 \ubc29\ud654\ubcbd \ub3c4\uad6c\uc774\ub2e4.
\niptables\ub294 \ucee4\ub110\uc0c1\uc5d0\uc11c\uc758 netfilter \ud328\ud0b7\ud544\ud130\ub9c1 \uae30\ub2a5\uc744 \uc0ac\uc6a9\uc790 \uacf5\uac04\uc5d0\uc11c \uc81c\uc5b4\ud558\ub294 \uc218\uc900\uc73c\ub85c \uc0ac\uc6a9\ud560 \uc218 \uc788\ub2e4.<\/p>\n

\ud328\ud0b7\ud544\ud130\ub9c1\uc774\ub780 \uc9c0\ub098\uac00\ub294 \ud328\ud0b7\uc758 \ud574\ub354\ub97c \ubcf4\uace0 \uadf8 \uc804\uccb4 \ud328\ud0b7\uc758 \uc6b4\uba85\uc744 \uacb0\uc815\ud558\ub294 \uac83\uc744 \ub9d0\ud55c\ub2e4.
\n\uc77c\ubc18\uc801\uc73c\ub85c \ud328\ud0b7\uc740 \ud574\ub354\uc640 \ub370\uc774\ud130\ub97c \uac00\uc9c4\ub2e4.
\n\ud574\ub354\uc5d0 \ud544\ud130\ub9c1\ud560 \uc815\ubcf4\uc778 \ucd9c\ubc1c\uc9c0IP:PORT, \ub3c4\ucc29\uc9c0IP:PORT, checksum, \ud504\ub85c\ud1a0\ucf5c \uc635\uc158\ub4f1\uc744 \uac00\uc9c0\uba70 \ub370\uc774\ud130\ub294 \uac01\uac01\uc758 \uc804\uc1a1\ub370\uc774\ud130\uac00 \ub4e4\uc5b4\uac04\ub2e4.<\/p>\n

\ud2b9\uc815 \uc870\uac74\uc744 \uac00\uc9c0\uace0 \uc788\ub294 \ud328\ud0b7\uc5d0 \ub300\ud574 \ud5c8\uc6a9(ACCEPT)\uacfc \ucc28\ub2e8(DROP)\ub4f1\uc744 \uc9c0\uc815\ud560 \uc218 \uc788\uc73c\uba70, \ud2b9\uc815 \uc870\uac74\ub4f1\uc744 \ud1b5\ud574 \ub2e4\uc591\ud55c \ubc29\uc2dd\uc758 \ud328\ud0b7 \ud544\ud130\ub9c1\uacfc \ucc98\ub9ac \ubc29\uc2dd\uc744 \uc9c0\uc6d0\ud55c\ub2e4.<\/p>\n

iptables \uc815\ucc45\uc740 \uc5ec\ub7ec \uad6c\ubd84\uc73c\ub85c \ub098\ub220\uc9c0\uba70 \uc911\uc694\ud55c \ubd80\ubd84\uc740 Chain\uc774\ub2e4.
\nChain\uc740 \ud328\ud0b7\uc774 \uc870\uc791\ub420 \uc0c1\ud0dc\ub97c \uc9c0\uc815\ud558\uba70 iptables\uc5d0 \ub0b4\uc7a5\ub41c \uae30\ubcf8 Chain\uc740 \ub2e4\uc74c\uacfc \uac19\ub2e4.
\n(\uae30\ubcf8 Chain\uc740 \uc601\uad6c\uc801\uc774\uba70 \uc0ad\uc81c\uac00 \ubd88\uac00\ub2a5\ud558\ub2e4. \uc774\uc678\uc5d0 -N \uc635\uc158\uc73c\ub85c \uc9c0\uc815\ud558\ub294 \uc0ac\uc6a9\uc790 \uc815\uc758 Chain\uc774 \uc788\ub2e4.)<\/p>\n

Chain INPUT : \uc11c\ubc84\ub85c \ub4e4\uc5b4\uc624\ub294 \uae30\ubcf8 \uc815\ucc45
\nChain FORWARD : \uc11c\ubc84\uc5d0\uc11c forwarding \uae30\ubcf8 \uc815\ucc45
\nChain OUTPUT : \uc11c\ubc84\uc5d0\uc11c \ub098\uac00\ub294 \uae30\ubcf8 \uc815\ucc45
\n——> INPUT ——> Linux Server ——> OUTPUT ——>
\n|\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 |
\n+————- FORWARD —————+<\/p>\n

Linux Server\ub97c \ubaa9\uc801\uc9c0\ub85c \uc0bc\ub294 \ubaa8\ub4e0 \ud328\ud0b7\uc740 INPUT Chain\uc744 \ud1b5\uacfc\ud558\uace0
\nLinux Server\uc5d0\uc11c \uc0dd\uc131\ub418 \uc678\ubd80\ub85c \ubcf4\ub0b4\uc9c0\ub294 \ubaa8\ub4e0 \ud328\ud0b7\uc740 OUTPUT Chain\uc744 \ud1b5\uacfc\ud558\uac8c \ub41c\ub2e4.
\nFORWARD Chain\uc758 \uacbd\uc6b0 \ud604\uc7ac\uc758 Linux Server\uac00 \ubaa9\uc801\uc9c0\uac00 \uc544\ub2cc \ud328\ud0b7\uc774 \ud1b5\uacfc\ud558\ub294 Chain\uc774\ub2e4.
\n(FORWARD Chain\uc740 NAT(\ub124\ud2b8\uc6cc\ud06c \uacf5\uc720) \uae30\ub2a5 \uc0ac\uc6a9\uc744 \uc704\ud574 \uc0ac\uc6a9\ub41c\ub2e4.)<\/p>\n

2 iptables\uc758 \uad6c\uc870<\/p>\n

\uba3c\uc800 iptables\uc5d0 \ub300\ud574 \uc0b4\ud3b4\ubcf4\ub3c4\ub85d \ud558\uc790.
\niptables\ub294 \ub2e4\uc74c\uc758 \uad6c\uc870\ub85c \uad6c\uc131\ub41c\ub2e4.
\niptables -A INPUT -s [\ubc1c\uc2e0\uc9c0] –sport [\ubc1c\uc2e0\uc9c0 \ud3ec\ud2b8] -d [\ubaa9\uc801\uc9c0] –dport [\ubaa9\uc801\uc9c0 \ud3ec\ud2b8] -j [\uc815\ucc45]<\/p>\n

iptables \uba85\ub839
\n-A : \uc0c8\ub85c\uc6b4 \uaddc\uce59\uc744 \ucd94\uac00\ud55c\ub2e4.
\n-D : \uaddc\uce59\uc744 \uc0ad\uc81c\ud55c\ub2e4.
\n-C : \ud328\ud0b7\uc744 \ud14c\uc2a4\ud2b8\ud55c\ub2e4.
\n-I : \uc0c8\ub85c\uc6b4 \uaddc\uce59\uc744 \uc0bd\uc785\ud55c\ub2e4.
\n-R : \uc0c8\ub85c\uc6b4 \uaddc\uce59\uc73c\ub85c \uad50\uccb4\ud55c\ub2e4.
\n-L : \uc0c8\ub85c\uc6b4 \uaddc\uce59\uc744 \ucd9c\ub825\ud55c\ub2e4.
\n-F : \uccb4\uc778\uc758 \ubaa8\ub4e0 \uaddc\uce59\uc744 \uc0ad\uc81c\ud55c\ub2e4.
\n-Z : \ubaa8\ub4e0 \uccb4\uc778\uc758 \ud328\ud0b7\uacfc \ubc14\uc774\ud2b8 \uce74\uc6b4\ud130 \uac12\uc744 0\uc73c\ub85c \ub9cc\ub4e0\ub2e4.
\n-N : \uc0c8\ub85c\uc6b4 \uccb4\uc778\uc744 \ub9cc\ub4e0\ub2e4.
\n-X : \uccb4\uc778\uc744 \uc0ad\uc81c\ud55c\ub2e4.
\n-P : \uae30\ubcf8 \uc815\ucc45\uc744 \ubcc0\uacbd\ud55c\ub2e4.<\/p>\n

iptables \uc635\uc158
\n-p : \ud328\ud0b7\uc758 \ud504\ub85c\ud1a0\ucf5c\uc758 \ud3ec\ud2b8\ubc88\ud638 \ub610\ub294 \uc774\ub984\uc744 \uba85\uc2dc\ud55c\ub2e4. (ex : tcp, udp, 21, 22)
\n-s : \ud328\ud0b7\uc758 \ubc1c\uc2e0\uc9c0\ub97c \uba85\uc2dc\ud55c\ub2e4. (ex : address[\/mask])
\n-d : \ud328\ud0b7\uc758 \ub3c4\ucc29\uc9c0\ub97c \uba85\uc2dc\ud55c\ub2e4.
\n-i : \uaddc\uce59\uc744 \uc801\uc6a9\ud560 \uc778\ud130\ud398\uc774\uc2a4 \uc774\ub984\uc744 \uba85\uc2dc\ud55c\ub2e4. (ex : eth0, eth1)
\n-j : \uaddc\uce59\uc5d0 \ub9de\ub294 \ud328\ud0b7\uc744 \uc5b4\ub5bb\uac8c \ucc98\ub9ac\ud560 \uac83\uc778\uac00\ub97c \uba85\uc2dc\ud55c\ub2e4.
\n-y : \uc811\uc18d \uc694\uccad \ud328\ud0b7\uc778 SYN \ud328\ud0b7\uc744 \ud5c8\uc6a9\ud558\uc9c0 \uc54a\ub294\ub2e4.
\n-f : \ub450 \ubc88\uc9f8 \uc774\ud6c4\uc758 \uc870\uac01\uc5d0 \ub300\ud574 \uaddc\uce59\uc744 \uba85\uc2dc\ud55c\ub2e4.<\/p>\n

3 iptables \uaddc\uce59 \ucd94\uac00<\/p>\n

\uc608\ub97c \ub4e4\uc5b4 \ub9cc\uc57d 127.0.0.1 \uc989, \ub85c\uceec\uc5d0\uc11c \uc694\uccad\ud558\ub294 \ubaa8\ub4e0 ICMP \ud328\ud0b7\uc5d0 \ub300\ud574 \ubb34\uc2dc\ud558\uace0\uc790 \ud560 \ub54c \uc5b4\ub5bb\uac8c \ud558\uba74 \ub420\uae4c?
\nping \uc694\uccad\uc5d0 \uc0ac\uc6a9\ub418\ub294 \ud504\ud1a0\ud1a0\ucf5c\uc740 ICMP \ud504\ub85c\ud1a0\ucf5c\uc774\uba70, \ubc1c\uc2e0 \uc8fc\uc18c\ub294 127.0.0.1\uc774\ub2e4.
\n\ud328\ud0b7 \ud544\ud130\uc758 \ubaa9\ud45c\ub294 \ud3d0\uae30(DROP)\uc774\uba70, \uc0ac\uc6a9\ud558\ub294 \ud504\ub85c\uadf8\ub7a8\uc740 ping\uc774\ub2e4.
\n\uc774\ub97c \uae30\ubc18\uc73c\ub85c \ub8f0\uc744 \ub9cc\ub4e4\uba74 \ub2e4\uc74c\uacfc \uac19\ub2e4.
\n\/\/ \uccb4\uc778\uc744 \ucd94\uac00\ud558\uae30 \uc804 iptables
\n# iptables -L
\nChain INPUT (policy ACCEPT)
\ntarget\u00a0 \u00a0 prot opt source\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 destination<\/p>\n

Chain FORWARD (policy ACCEPT)
\ntarget\u00a0 \u00a0 prot opt source\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 destination<\/p>\n

Chain OUTPUT (policy ACCEPT)
\ntarget\u00a0 \u00a0 prot opt source\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 destination<\/p>\n

\/\/ 127.0.0.1 \ub85c ping\uc774 \uc815\uc0c1\uc801\uc73c\ub85c \ud5c8\uc6a9\ub428\uc744 \uc54c \uc218 \uc788\ub2e4.
\n# ping -c 3 127.0.0.1
\nPING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
\n64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.029 ms
\n64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.028 ms
\n64 bytes from 127.0.0.1: icmp_seq=3 ttl=64 time=0.026 ms
\n— 127.0.0.1 ping statistics —
\n3 packets transmitted, 3 received, 0% packet loss, time 1998ms
\nrtt min\/avg\/max\/mdev = 0.026\/0.027\/0.029\/0.006 ms<\/p>\n

\/\/ 127.0.0.1 \ub85c \uac00\ub294 ping\uc744 \uac70\ubd80\ud558\ub294 \uccb4\uc778 \ucd94\uac00
\n# iptables -A INPUT -s 127.0.0.1 -p icmp -j DROP<\/p>\n

\/\/ iptables\uc5d0 \uccb4\uc778\uc774 \ucd94\uac00\ub428\uc744 \ud655\uc778\ud560 \uc218 \uc788\ub2e4.
\n# iptables -L\u00a0 \/\/ \ud604\uc7ac iptables\uc5d0 icmp DROP \ub8f0\uc774 \uc801\uc6a9\ub418\uc5b4 \uc788\ub2e4.
\nChain INPUT (policy ACCEPT)
\ntarget\u00a0 \u00a0 \u00a0 prot opt source\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 destination
\nDROP\u00a0 \u00a0 \u00a0 icmp —\u00a0 SUNSYSTEM\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 anywhere<\/p>\n

Chain FORWARD (policy ACCEPT)
\ntarget\u00a0 \u00a0 \u00a0 prot opt source\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 destination<\/p>\n

Chain OUTPUT (policy ACCEPT)
\ntarget\u00a0 \u00a0 \u00a0 prot opt source\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 destination<\/p>\n

\/\/ ping\uc774 \uac70\ubd80\ub428\uc744 \ud655\uc778\ud560 \uc218 \uc788\ub2e4.
\n# ping -c 3 127.0.0.1
\nPING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.<\/p>\n

— 127.0.0.1 ping statistics —
\n3 packets transmitted, 0 received, 100% packet loss, time 2008ms<\/p>\n

4 iptables \uaddc\uce59 \uc81c\uac70<\/p>\n

iptables\uc758 \uccb4\uc778 \uc785\ub825\uacfc \ub9c8\ucc2c\uac00\uc9c0\ub85c \uc0ad\uc81c\ub97c \ud560 \ub54c\uc5d0\ub3c4 \ub3d9\uc77c\ud558\uac8c \uc785\ub825\ud558\uba74 \ub41c\ub2e4.
\niptables -D INPUT -s [\ubc1c\uc2e0\uc9c0] –sport [\ubc1c\uc2e0\uc9c0 \ud3ec\ud2b8] -d [\ubaa9\uc801\uc9c0] –dport [\ubaa9\uc801\uc9c0 \ud3ec\ud2b8] -j [\uc815\ucc45]
\niptables -D INPUT [\ud544\ud130\ub9c1 \ubc88\ud638]
\n(\ud544\ud130\ub9c1 \ubc88\ud638\ub294 service iptables stat\uc744 \ud1b5\ud574 \ud655\uc778\ud560 \uc218 \uc788\ub2e4.)
\n\u203b iptables -F INPUT \uc744 \uc785\ub825\ud560 \uacbd\uc6b0 \ubaa8\ub4e0 \uccb4\uc778\uc774 \uc0ad\uc81c\ub41c\ub2e4.<\/p>\n

\uadf8\ub7ec\uba74 \uc704\uc5d0 \uc785\ub825\ud588\ub358 \uccb4\uc778\uc744 \uc81c\uac70\ud574\ubcf4\ub3c4\ub85d \ud558\uc790.<\/p>\n

# iptables -L
\nChain INPUT (policy ACCEPT)
\ntarget\u00a0 \u00a0 \u00a0 prot opt source\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 destination
\nDROP\u00a0 \u00a0 \u00a0 icmp —\u00a0 SUNSYSTEM\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 anywhere<\/p>\n

Chain FORWARD (policy ACCEPT)
\ntarget\u00a0 \u00a0 \u00a0 prot opt source\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 destination<\/p>\n

Chain OUTPUT (policy ACCEPT)
\ntarget\u00a0 \u00a0 \u00a0 prot opt source\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 destination<\/p>\n

# iptables -D INPUT 1
\n\/\/ iptables -D INPUT -s 127.0.0.1 -p icmp -j DROP\ub97c \uc0ac\uc6a9\ud574\uc11c \uc0ad\uc81c\ud560 \uc218\ub3c4 \uc788\ub2e4.<\/p>\n

# iptables -L
\nCain INPUT (policy ACCEPT)
\ntarget\u00a0 \u00a0 prot opt source\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 destination<\/p>\n

Chain FORWARD (policy ACCEPT)
\ntarget\u00a0 \u00a0 prot opt source\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 destination<\/p>\n

Chain OUTPUT (policy ACCEPT)
\ntarget\u00a0 \u00a0 prot opt source\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 destination<\/p>\n

5. iptables \uc815\ucc45 \uc21c\uc11c<\/p>\n

\ubaa8\ub4e0 \ubc29\ud654\ubcbd\uc740 \uc21c\ucc28\uc801 \uc2e4\ud589\uc774\ub2e4.
\n\uc989 \ub4f1\ub85d \uc21c\uc11c\uc5d0 \uc788\uc5b4\uc11c \uba3c\uc800 \ub4f1\ub85d\ud55c \ub300\ud574\uc11c \ud6a8\ub825\uc774 \uc720\ud6a8\ud558\uae30 \ub54c\ubb38\uc5d0 \ub4f1\ub85d\uc2dc\uc5d0\ub294 \uc21c\uc11c\uac00 \ub9e4\uc6b0 \uc911\uc694\ud558\ub2e4.
\n\ubaa8\ub4e0 \uc785\ucd9c\ub825 \ud328\ud0b7\uc5d0 \ub300\ud574 \uac70\ubd80\ud558\ub294 \uc124\uc815\uc774 \uba3c\uc800 \ub4f1\ub85d\ub418\uba74 \uadf8 \uc774\ud6c4\uc5d0 \ud3ec\ud2b8\ub97c \uc5f4\uc5b4\uc8fc\ub294 \uc124\uc815\uc744 \ud558\uc5ec\ub3c4 \ud6a8\uacfc\uac00 \uc5c6\ub2e4.
\n\uadf8\ub7ec\ubbc0\ub85c \ud5c8\uc6a9\ud558\ub294 \uc815\ucc45\uc744 \uba3c\uc800 \uc815\uc758\ud55c \ub2e4\uc74c \uac70\ubd80\ud558\ub294 \uc815\ucc45\uc744 \uc124\uc815\ud574\uc57c \ud55c\ub2e4.<\/p>\n

\/\/ \uc544\ub798\uc640 \uac19\uc774 \uc124\uc815\ud558\uba74 \uc6b0\uc120\uc801\uc73c\ub85c 22\ubc88 \ud3ec\ud2b8\uac00 \uc5f4\ub9b0 \ud6c4 \ub098\uc911\uc5d0 22\ubc88~30\ubc88 \ud3ec\ud2b8\uac00 \ub9c9\ud788\uae30 \ub54c\ubb38\uc5d0 SSH \uc811\uc18d\uc774 \uac00\ub2a5\ud558\ub2e4.
\n# iptables -A INPUT -p tcp –dport 22 -j ACCEPT
\n# iptables -A INPUT -p tcp –dport 22:30 -j DROP<\/p>\n

# iptables -L
\nChain INPUT (policy ACCEPT)
\ntarget\u00a0 \u00a0 \u00a0 \u00a0 prot opt source\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 destination
\nACCEPT\u00a0 \u00a0 tcp\u00a0 —\u00a0 anywhere\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 anywhere\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 tcp dpt:ssh
\nDROP\u00a0 \u00a0 \u00a0 \u00a0 tcp\u00a0 —\u00a0 anywhere\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 anywhere\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 tcp dpts:ssh:30<\/p>\n

\/\/ \uc544\ub798\uc640 \uac19\uc774 \uc124\uc815\ud558\uba74 \uc6b0\uc120\uc801\uc73c\ub85c 22\ubc88~30\ubc88 \ud3ec\ud2b8\uac00 \ub9c9\ud788\uae30 \ub54c\ubb38\uc5d0 \ub4a4\uc5d0\uc11c \uc544\ubb34\ub9ac 22\ubc88 \ud3ec\ud2b8\ub97c \uc5f4\uc5b4\ub3c4 \uc678\ubd80\uc5d0\uc11c SSH\ub85c
\n\uc811\uc18d\ud560 \uc218 \uc5c6\uac8c \ub41c\ub2e4.
\n\/\/ iptables\ub85c \uc785\ub825\ud560 \uacbd\uc6b0 \ubc14\ub85c \uc801\uc6a9\uc774 \ub418\uae30 \ub54c\ubb38\uc5d0 \uc6d0\uaca9\uc5d0\uc11c \uc791\uc5c5\ud560 \uacbd\uc6b0\uc5d4 \uc8fc\uc758\ud558\uc790.
\n# iptables -A INPUT -p tcp –dport 22:30 -j DROP
\n# iptables -A INPUT -p tcp –dport 22 -j ACCEPT<\/p>\n

6. \uc11c\ube44\uc2a4\ub97c \uc704\ud55c \uae30\ubcf8 \uc124\uc815<\/p>\n

\ucc98\uc74c \uc124\uce58\uc2dc \ubc29\ud654\ubcbd\uc744 \uc124\uc815\ud558\uba74 \/etc\/sysconfig\/iptables \ud30c\uc77c\uc774 \uc0dd\uc131\ub41c\ub2e4.
\n\ub514\ud3f4\ud2b8 iptables \ud30c\uc77c\uc744 \uc0ad\uc81c\ud55c \ud6c4 \uc544\ub798\uc758 \ud3ec\ud2b8\ub97c \ucd94\uac00\ud558\ub3c4\ub85d \ud558\uc790
\n\/\/ \uae30\uc874 iptables \ud30c\uc77c \uc81c\uac70
\n# rm -rf \/etc\/sysconfig\/iptables
\nrm: remove \uc77c\ubc18 \ud30c\uc77c `\/etc\/sysconfig\/iptables’? y<\/p>\n

\/\/ iptables \uc815\ucc45 \ucd94\uac00
\n# iptables -A INPUT -p tcp –dport 20 -j ACCEPT\u00a0 \/\/ ftp-data
\n# iptables -A INPUT -p tcp –dport 21 -j ACCEPT\u00a0 \/\/ ftp
\n# iptables -A INPUT -p tcp –dport 22 -j ACCEPT\u00a0\u00a0\/\/ ssh
\n# iptables -A INPUT -p udp –dport 53 -j ACCEPT\u00a0 \/\/ named
\n# iptables -A INPUT -p tcp –dport 80 -j ACCEPT\u00a0 \/\/ http
\n# iptables -A INPUT -p tcp –dport 110 -j ACCEPT\u00a0 \/\/ pop3
\n# iptables -A INPUT -p tcp –dport 143 -j ACCEPT\u00a0 \/\/imap
\n# iptables -A INPUT -p tcp –dport 3306 -j ACCEPT\u00a0 \/\/ mysql
\n# iptables -A INPUT -p icmp –icmp-type echo-request -j DROP\u00a0\/\/ ping\uc5d0 \ub300\ud55c \uc751\ub2f5 \uac70\ubd80
\n# iptables -A INPUT -p tcp –dport 1:65335 -j DROP\u00a0\/\/ \uc11c\ube44\uc2a4\ud3ec\ud2b8 \ubaa8\ub450 \uac70\ubd80<\/p>\n

\/\/ iptables \ud655\uc778
\n# iptables -L
\nChain INPUT (policy ACCEPT)
\ntarget\u00a0 \u00a0 prot opt source\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 destination
\nACCEPT\u00a0 \u00a0 tcp\u00a0 —\u00a0 anywhere\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 anywhere\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 tcp dpt:ftp-data
\nACCEPT\u00a0 \u00a0 tcp\u00a0 —\u00a0 anywhere\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 anywhere\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 tcp dpt:ftp
\nACCEPT\u00a0 \u00a0 tcp\u00a0 —\u00a0 anywhere\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 anywhere\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 tcp dpt:ssh
\nACCEPT\u00a0 \u00a0 udp\u00a0 —\u00a0 anywhere\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 anywhere\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 udp dpt:domain
\nACCEPT\u00a0 \u00a0 tcp\u00a0 —\u00a0 anywhere\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 anywhere\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 tcp dpt:http
\nACCEPT\u00a0 \u00a0 tcp\u00a0 —\u00a0 anywhere\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 anywhere\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 tcp dpt:pop3
\nACCEPT\u00a0 \u00a0 tcp\u00a0 —\u00a0 anywhere\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 anywhere\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 tcp dpt:imap
\nACCEPT\u00a0 \u00a0 tcp\u00a0 —\u00a0 anywhere\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 anywhere\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 tcp dpt:mysql
\nDROP\u00a0 \u00a0 \u00a0 \u00a0 icmp —\u00a0 anywhere\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 anywhere\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 icmp echo-request
\nDROP\u00a0 \u00a0 \u00a0 \u00a0 tcp\u00a0 —\u00a0 anywhere\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 anywhere\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 tcp dpts:tcpmux:65335<\/p>\n

Chain FORWARD (policy ACCEPT)
\ntarget\u00a0 \u00a0 prot opt source\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 destination<\/p>\n

Chain OUTPUT (policy ACCEPT)
\ntarget\u00a0 \u00a0 prot opt source\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 destination<\/p>\n

\/\/ iptables \ub97c \uc800\uc7a5
\n# service iptables save
\n\ubc29\ud654\ubcbd \uaddc\uce59\uc744 \/etc\/sysconfig\/iptables\uc5d0 \uc800\uc7a5 \uc911:\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 [\u00a0 OK\u00a0 ]<\/p>\n

# ls \/etc\/sysconfig\/iptables*
\n\/etc\/sysconfig\/iptables\u00a0 \/etc\/sysconfig\/iptables-config<\/p>\n

\/\/ iptables \uc7ac\uc2dc\uc791
\n# service iptables start
\n\ubc29\ud654\ubcbd \uaddc\uce59\uc744 \uc0ad\uc81c\ud558\ub294 \uc911:\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 [\u00a0 OK\u00a0 ]
\nchains\ub97c ACCEPT \uaddc\uce59\uc73c\ub85c \uc124\uc815\ud568: filter\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 [\u00a0 OK\u00a0 ]
\niptables \ubaa8\ub4c8\uc744 \uc81c\uac70\ud558\ub294 \uc911:\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 [\u00a0 OK\u00a0 ]
\niptables \ubc29\ud654\ubcbd \uaddc\uce59\ub4e4\uc744 \uc801\uc6a9\ud558\ub294 \uc911:\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 [\u00a0 OK\u00a0 ]
\n\ucd94\uac00 iptables \ubaa8\ub4c8\uc744 \uc77d\uc5b4\uc624\ub294 \uc911: ip_conntrack_netbios_ns\u00a0 [\u00a0 OK\u00a0 ]<\/p>\n

\/\/ iptables \uc0c1\ud0dc
\n# service iptables status
\n\ud14c\uc774\ube14: filter
\nChain INPUT (policy ACCEPT)
\nnum\u00a0 target\u00a0 \u00a0 prot opt source\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 destination
\n1\u00a0 \u00a0 ACCEPT\u00a0 \u00a0 tcp\u00a0 —\u00a0 0.0.0.0\/0\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 0.0.0.0\/0\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 tcp dpt:20
\n2\u00a0 \u00a0 ACCEPT\u00a0 \u00a0 tcp\u00a0 —\u00a0 0.0.0.0\/0\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 0.0.0.0\/0\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 tcp dpt:21
\n3\u00a0 \u00a0 ACCEPT\u00a0 \u00a0 tcp\u00a0 —\u00a0 0.0.0.0\/0\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 0.0.0.0\/0\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 tcp dpt:22
\n4\u00a0 \u00a0 ACCEPT\u00a0 \u00a0 udp\u00a0 —\u00a0 0.0.0.0\/0\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 0.0.0.0\/0\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 udp dpt:53
\n5\u00a0 \u00a0 ACCEPT\u00a0 \u00a0 tcp\u00a0 —\u00a0 0.0.0.0\/0\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 0.0.0.0\/0\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 tcp dpt:80
\n6\u00a0 \u00a0 ACCEPT\u00a0 \u00a0 tcp\u00a0 —\u00a0 0.0.0.0\/0\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 0.0.0.0\/0\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 tcp dpt:110
\n7\u00a0 \u00a0 ACCEPT\u00a0 \u00a0 tcp\u00a0 —\u00a0 0.0.0.0\/0\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 0.0.0.0\/0\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 tcp dpt:143
\n8\u00a0 \u00a0 ACCEPT\u00a0 \u00a0 tcp\u00a0 —\u00a0 0.0.0.0\/0\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 0.0.0.0\/0\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 tcp dpt:3306
\n9\u00a0 \u00a0 DROP\u00a0 \u00a0 \u00a0 \u00a0 icmp —\u00a0 0.0.0.0\/0\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 0.0.0.0\/0\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 icmp type 8
\n10\u00a0 DROP\u00a0 \u00a0 \u00a0 \u00a0 tcp\u00a0 —\u00a0 0.0.0.0\/0\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 0.0.0.0\/0\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 tcp dpts:1:65335<\/p>\n

Chain FORWARD (policy ACCEPT)
\nnum\u00a0 target\u00a0 \u00a0 prot opt source\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 destination<\/p>\n

Chain OUTPUT (policy ACCEPT)
\nnum\u00a0 target\u00a0 \u00a0 prot opt source\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 destination<\/p>\n

\/\/ nmap \ud3ec\ud2b8 \uc2a4\uce94
\n# nmap localhost
\nStarting Nmap 4.11 (\u00a0http:\/\/www.insecure.org\/nmap\/<\/a>) at 2009-04-14 13:45 KST
\nInteresting ports on SUNSYSTEM (127.0.0.1):
\nNot shown: 1673 filtered ports
\nPORT\u00a0 \u00a0 STATE\u00a0 SERVICE
\n20\/tcp\u00a0 closed ftp-data
\n21\/tcp\u00a0 closed ftp
\n22\/tcp\u00a0 open\u00a0 ssh
\n80\/tcp\u00a0 closed http
\n110\/tcp\u00a0 open\u00a0 pop3
\n143\/tcp\u00a0 closed imap
\n3306\/tcp open\u00a0 mysql<\/p>\n

7. iptables\uc758 \ud655\uc7a5
\n1\ucd08\ub3d9\uc548 80\ud3ec\ud2b8\uc5d0 \ub611\uac19\uc740 IP\uac00 10\ubc88 \uc774\uc0c1\uc758 SYN\uac00 \ub4e4\uc5b4\uc624\uba74 \ub4dc\ub78d\uc2dc\ud0a8\ub2e4.
\n(\uc989, \uc815\uc0c1\uc801\uc778 \uc694\uccad\uc774 \uc544\ub2cc \uc6f9\uc11c\ube44\uc2a4 \uacf5\uaca9\uc73c\ub85c \uac04\uc8fc\ud558\uc5ec \uc694\uccad\ud328\ud0b7\uc744 \ud3d0\uae30\uc2dc\ucf1c \uc751\ub2f5\ud558\uc9c0 \uc54a\ub3c4\ub85d \ud55c\ub2e4.)
\n\uc774\uc678\uc758 \uc790\uc138\ud55c \uc0ac\ud56d\uc740\u00a0http:\/\/netfilter.org\uc758<\/a>\u00a0HOWTO\ub97c \uc77d\uc5b4\ubcf4\uae38 \ubc14\ub780\ub2e4.
\n# iptables -A INPUT -p tcp –dport 80 -m recent –update –seconds 1 –hitcount 10 –name HTTP -j DROP<\/p>\n","protected":false},"excerpt":{"rendered":"

1. iptables \ub780? iptables\ub294 \ub9ac\ub205\uc2a4\uc0c1\uc5d0\uc11c \ubc29\ud654\ubcbd\uc744 \uc124\uc815\ud558\ub294 \ub3c4\uad6c\ub85c\uc11c \ucee4\ub110 2.4 \uc774\uc804 \ubc84\uc804\uc5d0\uc11c \uc0ac\uc6a9\ub418\ub358 ipchains\ub97c \ub300\uc2e0\ud558\ub294 \ubc29\ud654\ubcbd \ub3c4\uad6c\uc774\ub2e4. iptables\ub294 \ucee4\ub110\uc0c1\uc5d0\uc11c\uc758 netfilter \ud328\ud0b7\ud544\ud130\ub9c1 \uae30\ub2a5\uc744 \uc0ac\uc6a9\uc790 \uacf5\uac04\uc5d0\uc11c \uc81c\uc5b4\ud558\ub294 \uc218\uc900\uc73c\ub85c \uc0ac\uc6a9\ud560 \uc218 \uc788\ub2e4. \ud328\ud0b7\ud544\ud130\ub9c1\uc774\ub780 \uc9c0\ub098\uac00\ub294 \ud328\ud0b7\uc758 \ud574\ub354\ub97c \ubcf4\uace0 \uadf8 \uc804\uccb4 \ud328\ud0b7\uc758 \uc6b4\uba85\uc744 \uacb0\uc815\ud558\ub294 \uac83\uc744 \ub9d0\ud55c\ub2e4. \uc77c\ubc18\uc801\uc73c\ub85c \ud328\ud0b7\uc740 \ud574\ub354\uc640 \ub370\uc774\ud130\ub97c \uac00\uc9c4\ub2e4. \ud574\ub354\uc5d0 \ud544\ud130\ub9c1\ud560 \uc815\ubcf4\uc778 \ucd9c\ubc1c\uc9c0IP:PORT, \ub3c4\ucc29\uc9c0IP:PORT, checksum, \ud504\ub85c\ud1a0\ucf5c \uc635\uc158\ub4f1\uc744 \uac00\uc9c0\uba70 … Continue reading Linux F\/W (iptables)<\/span> →<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[245],"tags":[313,315,314,248,281],"class_list":["post-797","post","type-post","status-publish","format-standard","hentry","category-linux","tag-f-w","tag-firewall","tag-fw","tag-iptables","tag-linux"],"_links":{"self":[{"href":"http:\/\/www.freesens.com\/x\/index.php?rest_route=\/wp\/v2\/posts\/797","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.freesens.com\/x\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.freesens.com\/x\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.freesens.com\/x\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.freesens.com\/x\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=797"}],"version-history":[{"count":2,"href":"http:\/\/www.freesens.com\/x\/index.php?rest_route=\/wp\/v2\/posts\/797\/revisions"}],"predecessor-version":[{"id":877,"href":"http:\/\/www.freesens.com\/x\/index.php?rest_route=\/wp\/v2\/posts\/797\/revisions\/877"}],"wp:attachment":[{"href":"http:\/\/www.freesens.com\/x\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=797"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.freesens.com\/x\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=797"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.freesens.com\/x\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=797"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}