
Linux/Exercise

Network service security - iptables examples (1)


1. Drop all incoming packets and allow only packets coming from 10.10.33.2 (the exercise statement names 10.10.33.101; the commands and listings below use 10.10.33.2 as the trusted host)

[root@server3 ~]# iptables -t filter -A INPUT -s 10.10.33.2 -j ACCEPT
[root@server3 ~]# iptables -t filter -A INPUT -s 0.0.0.0/0 -j DROP

or

[root@server3 ~]# iptables -t filter -A INPUT ! -s 10.10.33.2 -j DROP

(As posted the line read "-s i 10.10.33.2". The "!" negates the source match, so this single rule drops everything that is not from 10.10.33.2 and leaves the rest to the chain's default ACCEPT policy. Older iptables releases wrote the negation as "-s ! 10.10.33.2".)

or

[root@server3 ~]# iptables -P INPUT DROP
[root@server3 ~]# iptables -A INPUT -s 10.10.33.2 -j ACCEPT

Caution: in this order the policy becomes DROP before the ACCEPT rule exists, so for a moment every incoming packet, including those of the SSH session you are typing in, is discarded. Add the ACCEPT rule first and change the policy afterwards. With a DROP policy you should also accept loopback traffic (-i lo) and established connections, otherwise the host cannot reach its own services or receive replies to connections it opens.

[root@server3 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination        
ACCEPT     all  --  10.10.33.2           anywhere           
DROP       all  --  anywhere             anywhere           

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination        

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination        
[root@server3 ~]#

Verification
[root@server3 ~]# ssh 10.10.33.2
Last login: Mon Feb  2 11:48:31 2009 from 10.10.33.3

This only shows that packets from 10.10.33.2 (here, the replies to server3's own SSH connection) pass the INPUT chain. To confirm the DROP rule, attempt a connection from a host other than 10.10.33.2: it should hang rather than fail, because DROP sends no reply.




2. Allow all incoming packets and reject all packets coming from 10.10.33.2

[root@server3 ~]# iptables -t filter -A INPUT -s 10.10.33.2 -j REJECT
[root@server3 ~]# iptables -t filter -A INPUT -s 0.0.0.0/0 -j ACCEPT

(-j DROP works as well. REJECT answers with an ICMP port-unreachable so the client fails immediately; DROP discards silently and the client times out. The listing below shows only this exercise's rules, so the chain was flushed with iptables -F INPUT before starting.)

[root@server3 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination        
REJECT     all  --  10.10.33.2           anywhere            reject-with icmp-port-unreachable
ACCEPT     all  --  anywhere             anywhere           

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination        

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination        
[root@server3 ~]#

Verification
[root@server3 ~]# ssh 10.10.33.11
root@10.10.33.11's password:
[root@server11 ~]#

[root@server2 ~]# ssh 10.10.33.3
ssh: connect to host 10.10.33.3 port 22: Connection refused




3. Reject the TCP packets among those coming from 10.10.33.2

[root@server3 ~]# iptables -t filter -A INPUT -p tcp -s 10.10.33.2 -j REJECT

[root@server3 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination        
REJECT     tcp  --  10.10.33.2           anywhere            reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination        

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination        
[root@server3 ~]#


Verification
[root@server2 ~]# telnet 10.10.33.3
Trying 10.10.33.3...
telnet: connect to address 10.10.33.3: Connection refused
telnet: Unable to connect to remote host: Connection refused
[root@server2 ~]# ssh 10.10.33.3
ssh: connect to host 10.10.33.3 port 22: Connection refused
[root@server2 ~]# sftp 10.10.33.3
Connecting to 10.10.33.3...
ssh: connect to host 10.10.33.3 port 22: Connection refused
Couldn't read packet: Connection reset by peer
[root@server2 ~]#




4. Reject (or drop) incoming packets destined for ports 22 through 30, allowing only port 22

[root@server3 ~]# iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT
[root@server3 ~]# iptables -t filter -A INPUT -p tcp --dport 22:30 -j REJECT

(-j DROP works as well. The ACCEPT for port 22 must be added first: iptables stops at the first matching rule, and port 22 lies inside the 22:30 range, so in the opposite order the REJECT would shadow the ACCEPT and SSH would be refused too.)

[root@server3 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination        
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
REJECT     tcp  --  anywhere             anywhere            tcp dpts:ssh:30 reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination        

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination        
[root@server3 ~]#

Verification
[root@server2 ~]# telnet 10.10.33.3
Trying 10.10.33.3...
telnet: connect to address 10.10.33.3: Connection refused
telnet: Unable to connect to remote host: Connection refused

[root@server2 ~]# ssh 10.10.33.3
Last login: Mon Feb  2 14:23:59 2009 from 10.10.33.2
[root@server3 ~]#
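
As an added example that is not part of the original page, the script below turns exercise 1 (trust a single host) and exercise 4 (accept port 22 before rejecting 22:30) into one iptables-restore ruleset, lints the rule order, and applies it atomically with a timed rollback so that a wrong rule cannot lock you out of server3. It assumes the trusted host is 10.10.33.2 as in the listings above, that the conntrack match is available, and that "apply" is run as root on the firewall host; the 60-second window, the LOG rule and its prefix are assumptions of the example, not something the page prescribes.

```shell
#!/bin/sh
# Added example, not from the original page: the "allow only the trusted host"
# policy of exercise 1 and the "port 22 yes, 22:30 otherwise no" ordering of
# exercise 4, built as one iptables-restore ruleset and applied atomically
# with an automatic rollback so a mistake cannot lock you out of the box.
# Assumptions (not stated on the page): the trusted host is 10.10.33.2 as in
# the page's listings, the conntrack match module is available, and the
# script is run as root on the firewall host (server3) for "apply".
set -eu

TRUSTED_HOST="${TRUSTED_HOST:-10.10.33.2}"

# Emit a complete filter table on stdout. iptables evaluates a chain top to
# bottom and stops at the first match, so every ACCEPT rule must come before
# the rule or policy that would otherwise drop the same packet.
build_ruleset() {
    host="$1"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback and replies to our own outbound connections (which the page's
# policy-DROP variant silently kills) are allowed before any address test.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Exercise 1, tightened: new connections from the trusted host, SSH only.
-A INPUT -s ${host}/32 -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# Exercise 4: the ACCEPT above must precede this, or port 22 is shadowed.
-A INPUT -p tcp --dport 22:30 -j REJECT --reject-with icmp-port-unreachable
# Everything else falls to the DROP policy; log a rate-limited sample first.
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT drop: "
COMMIT
EOF
}

# Lint the ruleset on stdin: exit 0 only if the port-22 ACCEPT rule precedes
# the 22:30 REJECT rule, i.e. the first-match order exercise 4 depends on.
ruleset_is_ordered() {
    awk '
        /--dport 22 .*-j ACCEPT/ && !accept { accept = NR }
        /--dport 22:30 .*-j REJECT/ && !reject { reject = NR }
        END { exit !(accept && reject && accept < reject) }
    '
}

# Apply atomically (iptables-restore swaps the whole table in one call, unlike
# the page's sequence of -A commands) and revert unless confirmed within 60 s.
apply_with_rollback() {
    backup=$(mktemp)
    iptables-save >"$backup"
    build_ruleset "$TRUSTED_HOST" | ruleset_is_ordered   # abort on bad order
    build_ruleset "$TRUSTED_HOST" | iptables-restore
    ( sleep 60; iptables-restore <"$backup"; rm -f "$backup" ) &
    rollback=$!
    printf 'New rules are live; press Enter within 60 s to keep them: '
    read -r _
    kill "$rollback"
    rm -f "$backup"
    iptables -L INPUT -n -v --line-numbers
}

case "${1-}" in
    show)  build_ruleset "$TRUSTED_HOST" ;;
    check) build_ruleset "$TRUSTED_HOST" | ruleset_is_ordered && echo "order OK" ;;
    apply) apply_with_rollback ;;
esac
```

Run it with "show" to print the table, "check" to lint it, and "apply" (as root) to install it; pressing Enter within 60 seconds keeps the new rules, otherwise the saved ruleset is restored, which covers the case where the new rules cut your own SSH session. After applying, iptables -L INPUT -n -v --line-numbers shows per-rule packet counters, which is a more direct check of which rule handled a connection than the ssh and telnet attempts used above.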