14.Linux_CentOS5_iptables_2010_0328.hwp


Linux Service Security Guide: Firewall Server

- iptables basic structure
- iptables policies
- iptables commands
- iptables quick hands-on
- iptables firewall policy lab

(Firewall configuration tools) system-config-securitylevel, system-config-securitylevel-tui, or lokkit

iptables basic structure

- iptables is the server firewall used with Linux kernel 2.4 and later.
- Linux kernel 2.2 used ipchains; its structure and usage are similar.

[Figure] iptables Packet Filtering Process

(1) iptables overview
- iptables consists of three logical chains, named INPUT, OUTPUT and FORWARD.
- An administrator can also define and create new chains. (The names of the built-in chains are upper-case.)

    iptables -L
    Chain INPUT (policy ACCEPT)

(2) iptables composition
- INPUT chain   : traversed by packets that are addressed to the Linux box itself
- FORWARD chain : traversed by packets that pass through the Linux box on their way back out to another host
- OUTPUT chain  : traversed by packets that leave the Linux box

iptables policies

(1) iptables policy overview
- An iptables policy decides whether a packet is allowed through or blocked.
  ACCEPT : allows the packet.
  REJECT : refuses the packet and sends back a message saying it was not allowed. It cannot be used as a chain-wide policy (-P).
  DROP   : silently discards the packet.

[Figure] Packet allowed / blocked

iptables commands

- Configuring iptables
  - Settings for a whole chain (upper-case options: -P, -L, ...)
  - Rules within a chain (lower-case options: -s, -p, ...)

(Command format)
    iptables [-t <table-name>] <command> <chain-name> <parameter-1> <option-1> ... <parameter-n> <option-n>

(1) Operations on a whole chain: -N -X -P -L -F -Z

-N, --new-chain chain
    Create a new user-defined chain by the given name. There must be no target of that name already.
    Creates a new chain.

-X, --delete-chain [chain]
    Delete the optional user-defined chain specified. There must be no references to the chain. If there are, you must delete or replace the referring rules before the chain can be deleted. The chain must be empty, i.e. not contain any rules. If no argument is given, it will attempt to delete every non-builtin chain in the table.
    Removes an empty chain. The three built-in chains cannot be removed.

-P, --policy chain target
    Set the policy for the chain to the given target. See the section TARGETS for the legal targets. Only built-in (non-user-defined) chains can have policies, and neither built-in nor user-defined chains can be policy targets.
    Sets the policy of a chain (e.g. ACCEPT, DROP).

-L, --list [chain]
    List all rules in the selected chain. If no chain is selected, all chains are listed. As every other iptables command, it applies to the specified table (filter is the default), so NAT rules get listed by iptables -t nat -n -L. Please note that it is often used with the -n option, in order to avoid long reverse DNS lookups. It is legal to specify the -Z (zero) option as well, in which case the chain(s) will be atomically listed and zeroed. The exact output is affected by the other arguments given. The exact rules are suppressed until you use iptables -L -v.
    Lists the rules of the current chain.

-F, --flush [chain]
    Flush the selected chain (all the chains in the table if none is given). This is equivalent to deleting all the rules one by one.
    Removes the rules from a chain.

-Z, --zero [chain]
    Zero the packet and byte counters in all chains. It is legal to specify the -L, --list (list) option as well, to see the counters immediately before they are cleared. (See above.)
    Resets the packet and byte counters of every rule in the chain to 0.

(2) Operations on the rules inside a chain: -A -I -R -D

-A, --append chain rule-specification
    Append one or more rules to the end of the selected chain. When the source and/or destination names resolve to more than one address, a rule will be added for each possible address combination.
    Adds a new rule to the chain; it is registered as the last rule of that chain.

-I, --insert chain [rulenum] rule-specification
    Insert one or more rules in the selected chain as the given rule number. So, if the rule number is 1, the rule or rules are inserted at the head of the chain. This is also the default if no rule number is specified.
    Inserts a rule at the head of the chain.

-R, --replace chain rulenum rule-specification
    Replace a rule in the selected chain. If the source and/or destination names resolve to multiple addresses, the command will fail. Rules are numbered starting at 1.
    Replaces a rule in the chain.

-D, --delete chain rule-specification
-D, --delete chain rulenum
    Delete one or more rules from the selected chain. There are two versions of this command: the rule can be specified as a number in the chain (starting at 1 for the first rule) or a rule to match.
    Removes a rule from the chain.

(3) Specifying filters: rules for the options

(a) Using -s (source) and -d (destination)

-s, --source [!] address[/mask]
    Source specification. Address can be either a network name, a hostname (please note that specifying any name to be resolved with a remote query such as DNS is a really bad idea), a network IP address (with /mask), or a plain IP address. The mask can be either a network mask or a plain number, specifying the number of 1's at the left side of the network mask. Thus, a mask of 24 is equivalent to 255.255.255.0. A "!" argument before the address specification inverts the sense of the address. The flag --src is an alias for this option.
    Used to specify the source IP address / network.

-d, --destination [!] address[/mask]
    Destination specification. See the description of the -s (source) flag for a detailed description of the syntax. The flag --dst is an alias for this option.
    Used to specify the destination IP address / network.

(Example 1) Written as a domain name
    -s www.linux.co.kr -d localhost
(Example 2) Written as an IP address
    -s 192.168.0.5
(Example 3) Written with a netmask
    -s 192.168.1.0/24
    -s 192.168.0.0/255.255.255.0

    iptables -A INPUT -s 0/0 -j DROP
    -> Drops every incoming packet from any IP address (0/0).

(b) Using -j (jump)

-j, --jump target
    This specifies the target of the rule; i.e., what to do if the packet matches it. The target can be a user-defined chain (other than the one this rule is in), one of the special builtin targets which decide the fate of the packet immediately, or an extension (see EXTENSIONS below). If this option is omitted in a rule (and -g is not used), then matching the rule will have no effect on the packet's fate, but the counters on the rule will be incremented.
    Sets the target (policy) applied to matching packets.

    iptables -A INPUT -s 192.168.1.20 -j DROP
    -> Drops every packet coming from 192.168.1.20.

(c) Using ! (not)
Used with the meaning "not".

    iptables -A INPUT -s ! localhost -d 192.168.0.100 -j ACCEPT
    -> Accepts every packet from a host other than localhost to the host 192.168.0.100.

(d) Using -p (protocol)

-p, --protocol [!] protocol
    The protocol of the rule or of the packet to check. The specified protocol can be one of tcp, udp, icmp, or all, or it can be a numeric value, representing one of these protocols or a different one. A protocol name from /etc/protocols is also allowed. A "!" argument before the protocol inverts the test. The number zero is equivalent to all. Protocol all will match with all protocols and is taken as default when this option is omitted.
    Used to set the protocol. Names such as TCP, UDP and ICMP are normally used; they are not case-sensitive. It can also be combined with ! (not).

    iptables -A INPUT -p tcp --dport 23 -j ACCEPT
    -> Accepts every TCP packet whose destination port is 23 (TELNET).

(e) Using -i (inbound interface)

-i, --in-interface [!] name
    Name of an interface via which a packet was received (only for packets entering the INPUT, FORWARD and PREROUTING chains). When the "!" argument is used before the interface name, the sense is inverted. If the interface name ends in a "+", then any interface which begins with this name will match. If this option is omitted, any interface name will match.
    Used to set the interface a packet arrives on; it is therefore used in the INPUT and FORWARD chains.

(f) Using -o (outbound interface)

-o, --out-interface [!] name
    Name of an interface via which a packet is going to be sent (for packets entering the FORWARD, OUTPUT and POSTROUTING chains). When the "!" argument is used before the interface name, the sense is inverted. If the interface name ends in a "+", then any interface which begins with this name will match. If this option is omitted, any interface name will match.
    Used to specify the network device a packet leaves through; it is normally used in the OUTPUT and FORWARD chains.

(g) Using -t (table)

-t, --table table
    This option specifies the packet matching table which the command should operate on. If the kernel is configured with automatic module loading, an attempt will be made to load the appropriate module for that table if it is not already there. The tables are as follows:
    filter: This is the default table (if no -t option is passed). It contains the built-in chains INPUT (for packets destined to local sockets), FORWARD (for packets being routed through the box), and OUTPUT (for locally-generated packets).
    nat: This table is consulted when a packet that creates a new connection is encountered. It consists of three built-ins: PREROUTING (for altering packets as soon as they come in), OUTPUT (for altering locally-generated packets before routing), and POSTROUTING (for altering packets as they are about to go out).
    mangle: This table is used for specialized packet alteration. Until kernel 2.4.17 it had two built-in chains: PREROUTING (for altering incoming packets before routing) and OUTPUT (for altering locally-generated packets before routing). Since kernel 2.4.18, three other built-in chains are also supported: INPUT (for packets coming into the box itself), FORWARD (for altering packets being routed through the box), and POSTROUTING (for altering packets as they are about to go out).
    Used to select the table: one of filter, nat and mangle. The kernel must contain the code that supports the table; if automatic module loading is enabled, the related kernel module is loaded. The default is filter, so to work on the nat table you must specify -t nat.

(h) Using --sport and --dport

--sport    --source-port, --sport [!] port[:port]
--dport    --destination-port, --dport [!] port[:port]

iptables quick hands-on

(Basic usage)
    iptables -L
    iptables -F
    iptables -F INPUT
    iptables -P INPUT DROP
    iptables -P INPUT ACCEPT
    iptables -A INPUT -p tcp --dport 23 -j ACCEPT
    service iptables save
    service iptables start
    service iptables stop
    service iptables restart
    service iptables status
    chkconfig --list iptables
    chkconfig iptables on

[EX1] Basic usage

1. Check the current iptables rules
    iptables -L
    Chain INPUT (policy ACCEPT)

2. Set the default policy of the INPUT chain
    iptables -P INPUT DROP
    iptables -L
    Chain INPUT (policy DROP)

3. Add a rule to the INPUT chain
    iptables -A INPUT -p tcp --dport 23 -j ACCEPT
    iptables -L
    Chain INPUT (policy DROP)
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:telnet

    service iptables status
    Table: filter
    Chain INPUT (policy DROP)
    1    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:23

4. Save to the /etc/sysconfig/iptables file
    service iptables save
    Saving firewall rules to /etc/sysconfig/iptables:          [  OK  ]

    cat /etc/sysconfig/iptables
    # Generated by iptables-save v1.3.5 on Tue Mar 30 02:44:34 2010
    *filter
    :INPUT DROP [2:470]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [6522:278819]
    -A INPUT -p tcp -m tcp --dport 23 -j ACCEPT
    COMMIT
    # Completed on Tue Mar 30 02:44:34 2010
    -> Once the rules are saved in this file, the configuration is loaded again at boot time.

5. Flush iptables
    iptables -F        (or: iptables -F INPUT)
    iptables -L
    Chain INPUT (policy DROP)

6. Start the iptables service now
    service iptables start
    Flushing firewall rules:                                   [  OK  ]
    Setting chains to policy ACCEPT: filter                    [  OK  ]
    Unloading iptables modules:                                [  OK  ]
    Applying iptables firewall rules:                          [  OK  ]
    Loading additional iptables modules: ip_conntrack_netbios_ns ip_conntrack_ftp [  OK  ]
    -> When the service starts, the configuration file (/etc/sysconfig/iptables) is read again and loaded into memory.

    iptables -L
    Chain INPUT (policy DROP)
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:telnet

7. Stop the iptables service now
    service iptables stop
    Flushing firewall rules:                                   [  OK  ]
    Setting chains to policy ACCEPT: filter                    [  OK  ]
    Unloading iptables modules:                                [  OK  ]
    -> The /etc/sysconfig/iptables file is not deleted.
    -> Therefore the service comes back up at the next boot.

    chkconfig --list | grep iptables
    iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off

    chkconfig iptables off
    chkconfig --list | grep iptables
    iptables        0:off   1:off   2:off   3:off   4:off   5:off   6:off
    -> iptables is OFF at boot.

    chkconfig iptables on
    chkconfig --list | grep iptables

iptables firewall policy lab

Let us build a firewall policy.
- Instead of using the /etc/sysconfig/iptables file, a separate script (e.g. /root/bin/iptables.sh) is created and used.
- iptables can be configured (a) on the network firewall (e.g. a router), (b) on the server firewall, or (c) on an ordinary PC.
- This document covers only rules for a server firewall.

    Master   192.168.10.250 => 192.168.10.2XX (NAT)
             192.168.0.250  => 172.16.7.2XX  (Bridged)
    Client1  192.168.0.5X   => 172.16.7.5X   (Bridged)
    Client2  192.168.0.15X  => 172.16.7.15X  (Bridged)
    Window   192.168.10.2   => 172.16.7.XX
[Figure] Lab layout

A server managed by a server engineer is usually covered by several access control services, for example a firewall, an IPS (intrusion prevention system), an IDS (intrusion detection system), a screening router, or router ACLs. These services, however, are mainly used to protect the inside from the outside; access control between one internal server and another is often weak. In that case the servers are exposed to malicious internal users, which is dangerous. Turning on a server firewall in this situation makes it easy to defend against malicious internal users: the server is configured so that it can communicate only with specific servers.

Server Firewall Configuration
------------------------------------------------
Lab preparation
Block all services
Allow the telnet service
Allow the rlogin service
Allow the SSH service
Allow ICMP
Allow the WEB service
Allow the NFS service
Allow the NTP service
Allow the DNS service
Allow the FTP service
Allow the MAIL, POP3 and IMAP services
------------------------------------------------

(Assumptions)
- Tested on CentOS 5.4.
- All servers are assumed to have the latest patches applied.

[EX1] Lab preparation
- Confirm that the firewall server is reachable.
- Install the nmap (port scanning) program on every server.

(172.16.7.5X) Client (linux5x)
- Check with the ping command that the server is reachable.
- Check that a few representative services (telnet, ftp, ...) can communicate with the server.

1. Check connectivity to the server (ping)
    ping -c 2 172.16.7.2XX
    PING 192.168.10.2XX (192.168.10.2XX) 56(84) bytes of data.
    64 bytes from 192.168.10.2XX: icmp_seq=1 ttl=64 time=0.916 ms
    64 bytes from 192.168.10.2XX: icmp_seq=2 ttl=64 time=0.682 ms

    --- 192.168.10.2XX ping statistics ---
    2 packets transmitted, 2 received, 0% packet loss, time 1533ms
    rtt min/avg/max/mdev = 0.682/0.799/0.916/0.117 ms

2. Check connectivity to the server (telnet)
    telnet 172.16.7.2XX
    Trying 172.16.7.2XX...
    Connected to 172.16.7.2XX (172.16.7.2XX).
    Escape character is '^]'.
    linux2xx (Linux release 2.6.18-164.15.1.el5 #1 SMP Wed Mar 17 11:37:14 EDT 2010) (3)
    login: root
    Password:
    Last login: Tue Mar 30 02:24:00 from localhost
    You have new mail.
    <CTRL + D>

3. Check connectivity to the server (ftp)
    ftp 172.16.7.2XX
    Connected to 172.16.7.2XX.
    220 (vsftpd 2.0.5)
    530 Please login with USER and PASS.
    530 Please login with USER and PASS.
    KERBEROS_V4 rejected as an authentication type
    Name (172.16.7.2XX:root): root
    331 Please specify the password.
    Password: (enter the root user's password)
    230 Login successful.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> quit
    221 Goodbye.

4. Check the server's open ports
    nmap -sT 172.16.7.2XX

    Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2010-03-30 03:35 KST
    Interesting ports on 172.16.7.2XX:
    Not shown: 1665 closed ports
    PORT    STATE SERVICE
    21/tcp  open  ftp
    22/tcp  open  ssh
    23/tcp  open  telnet
    25/tcp  open  smtp
    53/tcp  open  domain
    80/tcp  open  http
    110/tcp open  pop3
    111/tcp open  rpcbind
    143/tcp open  imap
    443/tcp open  https
    857/tcp open  unknown
    873/tcp open  rsync
    901/tcp open  samba-swat
    993/tcp open  imaps
    995/tcp open  pop3s
    MAC Address: 00:0C:29:9B:6E:76 (VMware)

    Nmap finished: 1 IP address (1 host up) scanned in 2.306 seconds

[Reference] Port number definitions (IANA)
- http://www.iana.org/assignments/port-numbers
- /etc/services

[EX2] Block all services

(172.16.7.2XX) Firewall Server (linux2xx)
    mkdir /root/bin
    vi /root/bin/iptables.sh
    #!/bin/bash
    iptables -F
    # (1) Local ACCEPT
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # (2) Policy
    # (3) All DROP
    iptables -P INPUT DROP

- Stateful tracking: using stateful rules reduces rule set complexity and increases security.

    chmod 755 /root/bin/iptables.sh
    /root/bin/iptables.sh
    iptables -L
    Chain INPUT (policy DROP)
    ACCEPT     all  --  anywhere             anywhere
    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED

(172.16.7.5X) Client (linux5x)
    time ping -c 1 172.16.7.2XX
    PING 172.16.7.2XX (172.16.7.2XX) 56(84) bytes of data.

    --- 172.16.7.2XX ping statistics ---
    1 packets transmitted, 0 received, 100% packet loss, time 0ms

    real    0m10.044s
    user    0m0.005s
    sys     0m0.032s

    time nmap -sT 172.16.7.2XX

    Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2010-03-30 03:51 KST
    All 1680 scanned ports on 172.16.7.2XX are filtered
    MAC Address: 00:0C:29:9B:6E:76 (VMware)

    Nmap finished: 1 IP address (1 host up) scanned in 62.734 seconds

    real    1m2.865s
    user    0m0.182s
    sys     0m3.634s

[EX3] Controlling the telnet service

(172.16.7.2XX) Firewall Server (linux2xx)
- Configure the rules needed to open the telnet service.
- The telnet server uses port 23.

    vi /root/bin/iptables.sh
    #!/bin/ksh
    iptables -F
    # (1) Local ACCEPT
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # (2) Policy
    iptables -A INPUT -m state --state NEW -m tcp -p tcp -s 172.16.7.5X -d 172.16.7.2XX --dport 23 -j ACCEPT
    # (3) All DROP
    iptables -P INPUT DROP

    /root/bin/iptables.sh
    service iptables status
    Table: filter
    Chain INPUT (policy DROP)
    1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
    2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    3    ACCEPT     tcp  --  172.16.7.5X          172.16.7.2XX        state NEW tcp dpt:23

(172.16.7.5X) Client (linux5x)
    telnet 172.16.7.2XX
    Trying 172.16.7.2XX...
    Connected to 172.16.7.2XX (172.16.7.2XX).
    Escape character is '^]'.
    linux2xx (Linux release 2.6.18-164.15.1.el5 #1 SMP Wed Mar 17 11:37:14 EDT 2010) (3)
    login: root
    Password: (enter the root user's password)
    Last login: Tue Mar 30 03:30:11 from 172.16.7.5X
    You have new mail.
    exit

    nmap -sT 172.16.7.2XX

    Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2010-03-30 04:12 KST
    Interesting ports on 172.16.7.2XX:
    Not shown: 1679 filtered ports
    PORT   STATE SERVICE
    23/tcp open  telnet
    MAC Address: 00:0C:29:9B:6E:76 (VMware)

    Nmap finished: 1 IP address (1 host up) scanned in 39.915 seconds

=> Test the telnet service against the 172.16.7.2XX server from another host as well.
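Every lab step ends with an nmap -sT scan from the client and a visual check of which ports show up as open. The following shell function is an added example, not part of the course material: it reads saved nmap output in the normal format shown above and reports every open port that is not in the intended allow list, so each scan can be compared against the policy instead of read by eye. The scan file name and the allowed-port format (23/tcp, 111/udp) are chosen here.

```shell
#!/bin/sh
# Added example (not from the course material): compare a saved nmap -sT or
# nmap -sU result against the ports the server firewall is meant to expose.
# Input is nmap's normal output, e.g. "23/tcp open  telnet" lines.

# unexpected_open_ports SCANFILE [ALLOWED...]
#   ALLOWED entries look like 23/tcp or 111/udp. Prints one UNEXPECTED line
#   per open port that is not allowed; returns 1 if any, 0 otherwise.
#   UDP scans report "open|filtered" for silent ports; that state is also
#   flagged, since it cannot be confirmed as blocked.
unexpected_open_ports() {
    scan="$1"; shift
    allowed="$*"
    awk -v allowed="$allowed" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # port lines: "<port>/<proto>  <state>  <service>"
        $1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 ~ /^open/ && !($1 in ok) {
            print "UNEXPECTED: " $0
            bad = 1
        }
        END { if (bad) exit 1 }' "$scan"
}

# Usage: nmap -sT 172.16.7.2XX > /tmp/scan.txt && unexpected_open_ports /tmp/scan.txt 22/tcp 23/tcp
```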

[EX4] Controlling the SSH service
- Allow ssh logins from the 172.16.0.0/16 network.
- Because the ssh service encrypts the data it transfers, it is made available to everyone on the same network as the server.

(172.16.7.2XX) Firewall Server (linux2xx)
    vi /root/bin/iptables.sh
    #!/bin/ksh
    iptables -F
    # (1) Local ACCEPT
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # (2) Policy
    iptables -A INPUT -m state --state NEW -m tcp -p tcp -s 172.16.7.5X -d 172.16.7.2XX --dport 23 -j ACCEPT
    iptables -A INPUT -m state --state NEW -m tcp -p tcp -s 172.16.0.0/16 -d 172.16.7.2XX --dport 22 -j ACCEPT
    # (3) All DROP
    iptables -P INPUT DROP

    /root/bin/iptables.sh
    service iptables status
    Table: filter
    Chain INPUT (policy DROP)
    1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
    2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    3    ACCEPT     tcp  --  172.16.7.5X          172.16.7.2XX        state NEW tcp dpt:23
    4    ACCEPT     tcp  --  172.16.0.0/16        172.16.7.2XX        state NEW tcp dpt:22

(172.16.7.5X) Client (linux5x)
    ssh 172.16.7.2XX
    root@172.16.7.2xx's password:
    Last login: Tue Mar 30 04:11:40 2010 from 172.16.7.5X
    exit

    nmap -sT 172.16.7.2XX

    Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2010-03-30 04:32 KST
    Interesting ports on 172.16.7.2XX:
    Not shown: 1678 filtered ports
    PORT   STATE SERVICE
    22/tcp open  ssh
    23/tcp open  telnet
    MAC Address: 00:0C:29:9B:6E:76 (VMware)

    Nmap finished: 1 IP address (1 host up) scanned in 37.980 seconds

=> Test the ssh service from another host as well.

[EX5] Allowing / blocking ICMP

(172.16.7.2XX) Firewall Server (linux2xx)
    vi /root/bin/iptables.sh
    #!/bin/ksh
    iptables -F
    # (1) Local ACCEPT
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # (2) Policy
    iptables -A INPUT -m state --state NEW -m tcp -p tcp -s 172.16.7.5X -d 172.16.7.2XX --dport 23 -j ACCEPT
    iptables -A INPUT -m state --state NEW -m tcp -p tcp -s 172.16.0.0/16 -d 172.16.7.2XX --dport 22 -j ACCEPT
    iptables -A INPUT -p icmp --icmp-type echo-request -s 172.16.7.2XX -d 0/0 -j ACCEPT
    iptables -A INPUT -p icmp --icmp-type echo-reply -s 0/0 -d 172.16.7.2XX -j ACCEPT
    # (3) All DROP
    iptables -P INPUT DROP

    /root/bin/iptables.sh
    service iptables status
    Table: filter
    Chain INPUT (policy DROP)
    1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
    2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    3    ACCEPT     tcp  --  172.16.7.5X          172.16.7.2XX        state NEW tcp dpt:23
    4    ACCEPT     tcp  --  172.16.0.0/16        172.16.7.2XX        state NEW tcp dpt:22
    5    ACCEPT     icmp --  172.16.7.2XX         0.0.0.0/0           icmp type 8
    6    ACCEPT     icmp --  0.0.0.0/0            172.16.7.2XX        icmp type 0

    ICMP type                        Number
    echo-reply (ping)                0
    destination-unreachable          3
        network-unreachable, host-unreachable, protocol-unreachable, port-unreachable,
        fragmentation-needed, network-unknown, host-unknown, network-prohibited
    source-quench                    4
    redirect                         5
    echo-request (ping)              8
    time-exceeded (ttl-exceeded)     10
    parameter-problem                11

    ping -c 2 172.16.7.5X
    PING 172.16.7.5X (172.16.7.5X) 56(84) bytes of data.
    64 bytes from 172.16.7.5X: icmp_seq=1 ttl=64 time=1.12 ms
    64 bytes from 172.16.7.5X: icmp_seq=2 ttl=64 time=1.03 ms

    --- 172.16.7.5X ping statistics ---
    2 packets transmitted, 2 received, 0% packet loss, time 1523ms
    rtt min/avg/max/mdev = 1.030/1.077/1.125/0.057 ms

(172.16.7.5X) Client (linux5x)
    ping -c 1 172.16.7.2XX
    PING 172.16.7.2XX (172.16.7.2XX) 56(84) bytes of data.

    --- 172.16.7.2XX ping statistics ---
    1 packets transmitted, 0 received, 100% packet loss, time 0ms

    -> The echo-request rule only accepts pings whose source is the server itself, and the echo-reply rule lets the answers back in, so the server can ping out while pings from the client are dropped.

[EX6] Allowing the WEB service

(172.16.7.2XX) Firewall Server (linux2xx)
    vi /root/bin/iptables.sh
    ... (omitted) ...
    # (2) Policy
    iptables -A INPUT -m state --state NEW -m tcp -p tcp -s 172.16.7.5X -d 172.16.7.2XX --dport 23 -j ACCEPT
    iptables -A INPUT -m state --state NEW -m tcp -p tcp -s 172.16.0.0/16 -d 172.16.7.2XX --dport 22 -j ACCEPT
    iptables -A INPUT -p icmp --icmp-type echo-request -s 172.16.7.2XX -d 0/0 -j ACCEPT
    iptables -A INPUT -p icmp --icmp-type echo-reply -s 0/0 -d 172.16.7.2XX -j ACCEPT
    iptables -A INPUT -m state --state NEW -m tcp -p tcp -s 0/0 -d 172.16.7.2XX --dport 80 -j ACCEPT
    ... (omitted) ...

    /root/bin/iptables.sh
    service iptables status
    Table: filter
    Chain INPUT (policy DROP)
    1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
    2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    3    ACCEPT     tcp  --  172.16.7.5X          172.16.7.2XX        state NEW tcp dpt:23
    4    ACCEPT     tcp  --  172.16.0.0/16        172.16.7.2XX        state NEW tcp dpt:22
    5    ACCEPT     icmp --  172.16.7.2XX         0.0.0.0/0           icmp type 8
    6    ACCEPT     icmp --  0.0.0.0/0            172.16.7.2XX        icmp type 0
    7    ACCEPT     tcp  --  0.0.0.0/0            172.16.7.2XX        state NEW tcp dpt:80

    vi /etc/httpd/conf/httpd.conf
    ... (omitted) ...
    NameVirtualHost 172.16.7.2XX:80
    <VirtualHost 172.16.7.2XX:80>
        ServerAdmin root@example.com
        DocumentRoot /www1
        ServerName www.example.com
        <Directory /www1>
            Options indexes includes
            AllowOverride Authconfig
        </Directory>
    </VirtualHost>

    cd /www1
    vi index.html
    <H1><CENTER> Kickstart </CENTER></H1>

    service httpd restart
    Stopping httpd:                                            [  OK  ]
    Starting httpd:                                            [  OK  ]

(172.16.7.5X) Client (linux5x)
    lynx http://www.linux2xx.example.com
    --> iptables -A INPUT -m state --state NEW -m tcp -p tcp -s 0/0 -d 172.16.7.2XX --dport 53 -j ACCEPT
    nmap -sT 172.16.7.2XX

=> Check from every client. The index.html file should be displayed.

[EX8] Allowing the NFS service

(172.16.7.2XX) Firewall Server (linux2xx)
    vi /root/bin/iptables.sh
    ... (omitted) ...
    # (2) Policy
    iptables -A INPUT -m state --state NEW -m tcp -p tcp -s 172.16.7.5X -d 172.16.7.2XX --dport 23 -j ACCEPT
    iptables -A INPUT -m state --state NEW -m tcp -p tcp -s 172.16.0.0/16 -d 172.16.7.2XX --dport 22 -j ACCEPT
    iptables -A INPUT -p icmp --icmp-type echo-request -s 172.16.7.2XX -d 0/0 -j ACCEPT
    iptables -A INPUT -p icmp --icmp-type echo-reply -s 0/0 -d 172.16.7.2XX -j ACCEPT
    iptables -A INPUT -m state --state NEW -m tcp -p tcp -s 0/0 -d 172.16.7.2XX --dport 80 -j ACCEPT
    iptables -A INPUT -m state --state NEW -m tcp -p tcp -s 172.16.7.5X -d 172.16.7.2XX --dport 2049 -j ACCEPT
    iptables -A INPUT -m state --state NEW -m tcp -p tcp -s 172.16.7.5X -d 172.16.7.2XX --dport 111 -j ACCEPT
    iptables -A INPUT -m state --state NEW -m udp -p udp -s 172.16.7.5X -d 172.16.7.2XX --dport 111 -j ACCEPT
    ... (omitted) ...

    /root/bin/iptables.sh
    service iptables status
    Table: filter
    Chain INPUT (policy DROP)
    1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
    2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    3    ACCEPT     tcp  --  172.16.7.5X          172.16.7.2XX        state NEW tcp dpt:23
    4    ACCEPT     tcp  --  172.16.0.0/16        172.16.7.2XX        state NEW tcp dpt:22
    5    ACCEPT     icmp --  172.16.7.2XX         0.0.0.0/0           icmp type 8
    6    ACCEPT     icmp --  0.0.0.0/0            172.16.7.2XX        icmp type 0

    7    ACCEPT     tcp  --  0.0.0.0/0            172.16.7.2XX        state NEW tcp dpt:80
    8    ACCEPT     tcp  --  172.16.7.5X          172.16.7.2XX        state NEW tcp dpt:2049
    9    ACCEPT     tcp  --  172.16.7.5X          172.16.7.2XX        state NEW tcp dpt:111
    10   ACCEPT     udp  --  172.16.7.5X          172.16.7.2XX        state NEW udp dpt:111

    vi /etc/exports
    ... (omitted) ...
    /export/centos *(ro,no_root_squash)

    service nfs restart
    Shutting down NFS mountd:                                  [  OK  ]
    Shutting down NFS daemon:                                  [  OK  ]
    Shutting down NFS quotas:                                  [  OK  ]
    Shutting down NFS services:                                [  OK  ]
    Starting NFS services:                                     [  OK  ]
    Starting NFS quotas:                                       [  OK  ]
    Starting NFS daemon:                                       [  OK  ]
    Starting NFS mountd:                                       [  OK  ]

    exportfs -v
    /export/centos  <world>(ro,wdelay,no_root_squash,no_subtree_check,anonuid=65534,anongid=65534)

(172.16.7.5X) Client (linux5x)
    nmap -sT 172.16.7.2XX
    nmap -sU 172.16.7.2XX
    -> Scan for the port numbers.

(NFS reference) NFSv4: http://blog.laimbock.com/2009/05/21/nfsv4-on-centos-53-and-fedora-11/

(MAIL / POP3 / IMAP4)
    iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
    iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 110 -j ACCEPT
    iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 143 -j ACCEPT
(DNS)
    iptables -A INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT
(FTP)
    iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
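The lab script grows by one iptables line per service from EX2 to EX8, and step 4 of the quick hands-on shows the iptables-save format that service iptables save writes to /etc/sysconfig/iptables. The following POSIX shell script is an added example, not part of the course material: it renders the same server policy as an iptables-save file from a service list, so that iptables-restore loads the default-deny policy and the accept rules in one atomic step, and it audits such a file for the mistakes the lab guards against (INPUT policy not DROP, missing stateful rule, a restricted port opened to every source). The lab's placeholder addresses 172.16.7.2XX and 172.16.7.5X are kept as-is; SERVER_IP, SERVICES and RESTRICTED_PORTS are names chosen here.

```shell
#!/bin/sh
# Added example (not from the course material): render the lab's server
# firewall as an iptables-save file and audit it before loading it with
# iptables-restore. SERVER_IP, SERVICES and RESTRICTED_PORTS are names chosen
# here; the address placeholders are the lab's (172.16.7.2XX / 172.16.7.5X).

SERVER_IP="${SERVER_IP:-172.16.7.2XX}"

# Allow list, one entry per service: proto:port:allowed-source (the EX8 policy
# plus the FTP control port from the reference rules). FTP data connections
# are matched by the RELATED rule only while ip_conntrack_ftp is loaded.
SERVICES="${SERVICES:-tcp:23:172.16.7.5X tcp:22:172.16.0.0/16 tcp:80:0.0.0.0/0 tcp:2049:172.16.7.5X tcp:111:172.16.7.5X udp:111:172.16.7.5X tcp:21:172.16.7.5X}"

# Ports that must never be reachable from every source: clear-text telnet and
# the NFS/portmapper ports the lab restricts to a single client.
RESTRICTED_PORTS="${RESTRICTED_PORTS:-23 111 2049}"

# Print the *filter table in iptables-save format. The INPUT policy is set in
# the chain header, so default-deny and the accept rules take effect in the
# same atomic iptables-restore (the lab script flushes first and sets DROP
# last, which leaves a window with no rules loaded).
render_ruleset() {
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD ACCEPT [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    for svc in $SERVICES; do
        proto=${svc%%:*}; rest=${svc#*:}
        port=${rest%%:*};  src=${rest#*:}
        echo "-A INPUT -s $src -d $SERVER_IP -p $proto -m state --state NEW -m $proto --dport $port -j ACCEPT"
    done
    echo 'COMMIT'
}

# Audit an iptables-save file such as /etc/sysconfig/iptables. Prints one
# FAIL line per finding; returns 1 if anything failed, 0 if the file is clean.
audit_ruleset() {
    file="$1"
    rc=0
    grep -q '^:INPUT DROP' "$file" \
        || { echo "FAIL: INPUT policy is not DROP"; rc=1; }
    grep -Eq -- '--state (ESTABLISHED,RELATED|RELATED,ESTABLISHED) -j ACCEPT' "$file" \
        || { echo "FAIL: no stateful ESTABLISHED,RELATED accept rule"; rc=1; }
    # iptables-save omits -s entirely when the source is "anywhere", so a
    # missing -s counts as 0.0.0.0/0.
    awk -v ports="$RESTRICTED_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) restricted[p[i]] = 1 }
        $1 == "-A" && $2 == "INPUT" && $NF == "ACCEPT" {
            port = ""; src = "0.0.0.0/0"
            for (i = 3; i < NF; i++) {
                if ($i == "--dport") port = $(i + 1)
                if ($i == "-s")      src  = $(i + 1)
            }
            if ((port in restricted) && (src == "0.0.0.0/0" || src == "0/0")) {
                print "FAIL: port " port " accepts NEW connections from any source: " $0
                bad = 1
            }
        }
        END { if (bad) exit 1 }' "$file" || rc=1
    return $rc
}

# Usage: fw.sh render > /root/bin/rules && fw.sh audit /root/bin/rules \
#        && iptables-restore < /root/bin/rules
case "${1:-}" in
    render) render_ruleset ;;
    audit)  audit_ruleset "${2:-/etc/sysconfig/iptables}" ;;
esac
```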

[Reference] Rules created with the system-config-securitylevel tool (with every selectable service allowed)

    Chain INPUT (policy ACCEPT)
    RH-Firewall-1-INPUT  all  --  anywhere             anywhere
    RH-Firewall-1-INPUT  all  --  anywhere             anywhere

    Chain RH-Firewall-1-INPUT (2 references)
    ACCEPT     all  --  anywhere             anywhere
    ACCEPT     icmp --  anywhere             anywhere            icmp any
    ACCEPT     esp  --  anywhere             anywhere
    ACCEPT     ah   --  anywhere             anywhere
    ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:mdns
    ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp
    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ftp
    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:smtp
    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:nfs
    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
    ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:netbios-ns
    ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:netbios-dgm
    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:netbios-ssn
    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:microsoft-ds
    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https
    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:telnet
    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
    ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:domain
    REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

[Reference] Saving and restoring a rule set
    iptables-save > telnet.txt
    iptables-restore < telnet.txt