http://www.hackerschool.org/HS_Boards/zboard.php?id=Free_Lectures&no=7915 [복사]
안녕하세요.
rootman.co.kr 운영자 정찬호입니다.
날씨도 나른하고, 대체 손에 잡히는 일이 없네요.
아자 아자 힘을 내려 하는데.. 그것도 잘 안 되고.~
취미삼아 사진 찍으려는 것도 잘 안 되고,, 그냥 더위 탓해야 겠네요.
개인 서버에서 쓰고 있는 방화벽 공개합니다.
공개되어 있는 것도 많고, 우수한 것도 많이 있지만,
그래도 이리 저리 긁어 긁어서 만든.. 그리고 개인적으로 잘 쓰고 있는 것이니만큼,
도움되시라고 공개합니다.
1. 파일은 두 개입니다.
_firewall.sh (아이피 대역 설정 및 Enable/Disabled 처리)
_firewall_conf.sh (위 파일에서 설정된 스크립트 모음)
2. 설정 변경 사항
(1) 아이피 대역 변경
(2) 필요한 서비스 추가 혹은 불필요한 서비스 주석 처리
(3) 한 개 이상의 아이피 추가는 띄어쓰기로 구분합니다.
3. 간략 설명
(1) default policy는 Drop입니다.
(2) 하지만 # sh _firewall.sh stop을 하셔도 기본적인 rule은 허용됩니다.(ssh,dns)
4. 문제 발생 시
- 모릅니다. ㅡㅡ
- ssh 아이피 대역 만큼은 꼭 잘 설정하세요.
- 서비스 지장 시, # sh _firewall.sh destroy를 하시면 방화벽 초기화됩니다.
부디 !! 안전하세요.
#--------------------------------------------------------------------------------------------
# 파일명 : _firewall.sh
#--------------------------------------------------------------------------------------------
#!/bin/sh
# Last Update : 2007/08/20
# Writer : JeongChanHo(master@rootman.co.kr)
# http://www.rootman.co.kr
# FileName : _firewall.sh
#-----------------------------------------------// include source library
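# Ports the service rules below listen on.
SW_ssh_port=22
SW_telnet_port=23
# Space-separated source lists (host, or network/prefix) per service; the
# allow_* functions in _firewall_conf.sh word-split these on purpose, so one
# entry per word.
AllowHost_ssh="any/0 192.168.100.0/16"
AllowHost_ftp="any/0 192.168.100.0/16"
AllowHost_http="any/0"
AllowHost_telnet="192.168.100.0/16"
AllowHost_rsync="any/0"
AllowHost_icmp="any/0"
AllowHost_samba=" 192.168.100.0/16"
# Country codes dropped by drop_geoip (needs the geoip match in kernel/iptables).
Drop_GeoIP="FI US IT LT CN DE CS JP"
External_Interface="eth0"  # external interface name
LoopBack_InterFace="lo"    # Loopback interface name
# Primary IPv4 address of the external interface, used by several rules as
# "-s"/"-d".  The awk form copes with both net-tools output styles
# ("inet addr:A.B.C.D" and "inet A.B.C.D"); the old grep 'inet addr' pipeline
# returned nothing on the newer style and the rules then lost their address.
IPADDR=$(ifconfig "${External_Interface}" 2>/dev/null | awk '/inet /{sub(/.*:/, "", $2); print $2; exit}')
if [ -z "${IPADDR}" ]; then
  printf 'Warning: could not determine the IPv4 address of %s\n' "${External_Interface}" >&2
fi
function_file="/root/bin/_firewall_conf.sh"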
#-----------------------------------------------------------------------------------------
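# Abort unless the rule library exists; without it none of the allow_*/drop_*
# functions used below are defined.  Exit non-zero so an init script or cron
# job notices that no firewall was applied -- the former `exit 0` made that
# failure look like success.
if [ ! -f "${function_file}" ]; then
  clear
  printf '\nWe need %s\n\n' "${function_file}" >&2
  exit 1
fi
# POSIX `.` instead of the bash-only `source`, matching the /bin/sh shebang.
. "${function_file}"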
#-----------------------------------------------------------------------------------------
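# Entry point: dispatch on the first argument.
#   start   -- flush, set the DROP policy, then apply every allow_*/drop_* rule
#   stop    -- flush, keep only the baseline rules (dns, ssh, auth)
#   destroy -- flush and open all policies (no firewall at all)
#   status  -- list the current rules
case "$1" in
  start)
    #clear
    printf 'Starting Firewalling.......................\n\n'
    #----------------------------------------------
    init_firewall      # flush chains and set the default policies
    allow_LoopBackIP   # allow LoopBack IP
    allow_LocalIP      # allow Local IP
    drop_fileIP        # drop the sources listed in the blacklist file
    #----------------------- Network IP
    #-------------------------------
    # user define rules
    #-------------------------------
    allow_dns
    #drop_geoip        # range (enable once the kernel carries the geoip patch)
    drop_ddos
    allow_ftp
    allow_ssh          # range
    # NOTE(review): allow_selfloop is not defined in the posted
    # _firewall_conf.sh, so this call fails with "command not found" -- confirm.
    allow_selfloop     # range
    allow_telnet       # range
    proc_ipv4
    allow_syslog       # enable if this host serves as a remote log server
    allow_smtp
    allow_http         # also opens the SSL port (443) by default
    allow_pop3
    allow_ntp
    allow_snmp
    #allow_samba       # range
    allow_rsync
    allow_mysql
    allow_arreo
    allow_icmp
    allow_logwrite
    allow_default
    allow_pay
    allow_output
    firewall_status
    ;;
  stop)
    clear
    printf 'Shutting Firewalling........ \n\n'
    echo
    #-------------------------------
    # default rules
    #-------------------------------
    init_firewall
    allow_dns
    allow_ssh
    allow_default
    allow_output
    firewall_status
    ;;
  destroy)
    destroy_firewall
    ;;
  status)
    firewall_status
    ;;
  *)
    # Formerly an unknown or missing argument fell through silently and the
    # script still exited 0; report it so a typo cannot look like success.
    printf 'Usage: %s {start|stop|destroy|status}\n' "$0" >&2
    exit 2
    ;;
esac
echo "+"
exit 0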
#--------------------------------------------------------------------------------------------
# 파일명 : _firewall_conf.sh
#--------------------------------------------------------------------------------------------
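#######################################
# Reset the filter/mangle tables and install the baseline policy
# (INPUT DROP, FORWARD/OUTPUT ACCEPT) that the allow_* rules build on.
# Fail closed: the INPUT policy is set before the flush, so there is no
# window in which the table is empty under an inherited ACCEPT policy.
#######################################
init_firewall() {
  iptables -P INPUT DROP
  iptables -P FORWARD ACCEPT
  iptables -P OUTPUT ACCEPT
  iptables -F
  iptables -X
  iptables -t mangle -F
  # Admit replies to connections this host already tracks.  The former
  # "-p tcp ! --syn -j ACCEPT" admitted every non-SYN TCP segment regardless
  # of state, which let unsolicited ACK/FIN/RST segments straight past the
  # DROP policy; conntrack state is what the other rules here already rely on.
  iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
}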
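#######################################
# Tear the firewall down completely: empty the tables and open all policies.
# The former trailing "-p tcp ! --syn -j ACCEPT" rule is dropped -- under an
# ACCEPT policy it could not admit anything that was not already admitted.
#######################################
destroy_firewall() {
  iptables -F
  iptables -X
  iptables -t mangle -F
  iptables -P INPUT ACCEPT
  iptables -P FORWARD ACCEPT
  iptables -P OUTPUT ACCEPT
}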
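#######################################
# Accept everything arriving on the loopback interface.
# Globals: LoopBack_InterFace (read)
#######################################
allow_LoopBackIP() {
  echo "--------------------------------"
  echo "${LoopBack_InterFace}"
  echo "--------------------------------"
  # Quoted so an empty or odd interface name cannot shift the option parsing.
  iptables -A INPUT -i "${LoopBack_InterFace}" -j ACCEPT
}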
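#######################################
# Accept packets addressed from this host's own external address when they
# arrive over loopback.
# Globals: IPADDR, LoopBack_InterFace (read)
# Returns: 1 without touching iptables when IPADDR is empty -- an empty,
#          unquoted "-s" argument would make iptables parse "-i" as the
#          source and install something other than the intended rule.
#######################################
allow_LocalIP() {
  if [ -z "${IPADDR}" ]; then
    printf 'allow_LocalIP: IPADDR is not set\n' >&2
    return 1
  fi
  iptables -A INPUT -s "${IPADDR}" -i "${LoopBack_InterFace}" -j ACCEPT
}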
drop_fileIP() {
deny_file="/root/bin/blackiplist.txt";
if [ -f ${deny_file} ]; then
for cnt in $(cat ${deny_file})
do
iptables -A INPUT -s ${cnt} -j DROP
done
fi
}
#######################################
# Discard packets that claim this host's own address as their source
# (allow_LocalIP, if called earlier, already admits the loopback case).
# Globals: IPADDR (read)
#######################################
drop_spoofIP() {
  local self_ip="${IPADDR}"
  iptables -A INPUT -s "${self_ip}" -j DROP
}
#######################################
# Drop packets sourced from the limited-broadcast address and packets
# destined to 0.0.0.0.  Note the variable names are swapped relative to
# their use (the "destination" address is matched as a source and vice
# versa); the resulting rules are kept exactly as originally written.
#######################################
drop_broadcast() {
  local bcast_src="0.0.0.0"          # broadcast source address
  local bcast_dst="255.255.255.255"  # broadcast destination address
  iptables -A INPUT -s "${bcast_dst}" -j DROP
  iptables -A INPUT -d "${bcast_src}" -j DROP
}
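#######################################
# Drop traffic whose source claims a private, multicast or reserved range.
# The 192.168.0.0/16 rule stays commented out because the AllowHost_* lists
# admit 192.168.100.0/16 hosts.
#######################################
drop_abcdeCLASS() {
  local class_a="10.0.0.0/8"             # A class private area
  local class_b="172.16.0.0/12"          # B class private area
  # shellcheck disable=SC2034 -- kept for the commented-out rule below
  local class_c="192.168.0.0/16"         # C class private area
  local class_d_multicast="224.0.0.0/4"  # D class multicast area
  # Class E (reserved) is 240.0.0.0/4, i.e. 240.0.0.0-255.255.255.255; the
  # former /5 stopped at 247.255.255.255 and left 248.0.0.0/5 unfiltered.
  local class_e_reserved="240.0.0.0/4"   # E class reserved area
  iptables -A INPUT -s "${class_a}" -j DROP
  iptables -A INPUT -s "${class_b}" -j DROP
  #iptables -A INPUT -s "${class_c}" -j DROP
  iptables -A INPUT -s "${class_d_multicast}" -j DROP
  iptables -A INPUT -s "${class_e_reserved}" -j DROP
}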
#######################################
# Drop source ranges that should never appear on the external interface
# ("this" network, loopback, link-local, TEST-NET, multicast/reserved).
#######################################
drop_iana() {
  local net
  for net in 0.0.0.0/8 127.0.0.0/8 169.254.0.0/16 192.0.2.0/24 224.0.0.0/3; do
    iptables -A INPUT -s "${net}" -j DROP
  done
}
#######################################
# Drop inbound packets that conntrack cannot associate with any connection.
# The OUTPUT counterpart is left disabled, as in the original.
#######################################
drop_invalid() {
  local chain="INPUT"
  iptables -A "${chain}" -m state --state INVALID -j DROP
  #iptables -A OUTPUT -m state --state INVALID -j DROP
}
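#######################################
# Kernel IPv4 settings, written through sysctl (the same tool drop_ddos
# uses) instead of echo-to-/proc.  log_martians was listed twice in the
# original; it is applied once here.  tcp_syncookies stays out of this list
# because drop_ddos already enables it.
# NOTE(review): ip_forward=1 makes this host route packets, and
# init_firewall leaves the FORWARD policy at ACCEPT -- confirm that
# forwarding is intended on this box.
#######################################
proc_ipv4() {
  local key
  for key in \
    net.ipv4.icmp_ignore_bogus_error_responses \
    net.ipv4.conf.all.log_martians \
    net.ipv4.icmp_echo_ignore_broadcasts \
    net.ipv4.ip_forward; do
    # stdout silenced to keep the old echo-style quietness; errors still show
    sysctl -w "${key}=1" >/dev/null
  done
}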
#######################################
# Name service: replies to this host's own lookups (sport 53), queries to a
# resolver running here (dport 53), and TCP 953 (the BIND rndc control port)
# in both directions.
#######################################
allow_dns() {
  local est="ESTABLISHED"
  local new_est="NEW,ESTABLISHED"
  iptables -A INPUT -p udp --sport 53 -m state --state "${est}" -j ACCEPT
  iptables -A INPUT -p udp --dport 53 -m state --state "${new_est}" -j ACCEPT
  iptables -A INPUT -p tcp --sport 953 -m state --state "${est}" -j ACCEPT
  iptables -A INPUT -p tcp --dport 953 -m state --state "${new_est}" -j ACCEPT
}
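#######################################
# HTTP connection-flood limiting plus kernel-level TCP/ICMP hardening.
# A source exceeding 30 concurrent port-80 connections is recorded in the
# "badguy" recent list and dropped for 300 s.
# NOTE(review): these three rules are in the FORWARD chain, so they only
# affect routed traffic; port 80 on this host itself (INPUT) is not covered.
# Confirm which was intended.
# Globals: External_Interface (read; falls back to eth0, the former
#          hard-coded name)
# Fixes against the original: "ipfrag_time-=15" (invalid key, never applied),
# "conf.all.accept_redirects" without "=0" (a read, not a write) and the
# "netnet.ipv4..." secure_redirects keys (nonexistent) -- each of those
# sysctl calls failed silently.  The pointless eval wrappers are gone too.
#######################################
drop_ddos() {
  local ifname="${External_Interface:-eth0}"
  local scope
  iptables -A FORWARD -m recent --name badguy --rcheck --seconds 300 -j DROP
  iptables -A FORWARD -p tcp --syn --dport 80 -m connlimit --connlimit-above 30 -m recent --name badguy --set -j DROP
  iptables -A FORWARD -p tcp --syn --dport 80 -m connlimit --connlimit-above 30 -j DROP
  # -- SYN flooding and general TCP hardening
  sysctl -w net.ipv4.tcp_max_syn_backlog=4096
  sysctl -w net.ipv4.tcp_syncookies=1
  sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
  sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
  sysctl -w net.ipv4.ip_default_ttl=64
  sysctl -w net.ipv4.ipfrag_time=15
  sysctl -w net.ipv4.tcp_retries1=3
  sysctl -w net.ipv4.tcp_syn_retries=2
  sysctl -w net.ipv4.tcp_retries2=7
  # Per-interface settings for the external interface, lo, default and all.
  for scope in "${ifname}" lo default all; do
    sysctl -w "net.ipv4.conf.${scope}.rp_filter=1"            # reverse-path filtering
    sysctl -w "net.ipv4.conf.${scope}.accept_redirects=0"     # icmp redirect deny
    sysctl -w "net.ipv4.conf.${scope}.accept_source_route=0"  # source route packet deny
    sysctl -w "net.ipv4.conf.${scope}.bootp_relay=0"          # bootp packet deny
    sysctl -w "net.ipv4.conf.${scope}.secure_redirects=0"     # redirect deny from gateway
    sysctl -w "net.ipv4.conf.${scope}.proxy_arp=0"            # proxy arp deny
  done
  # keepalive / TIME_WAIT tuning ("1M Per 280 (bucket)" in the original)
  sysctl -w net.ipv4.tcp_keepalive_time=30
  sysctl -w net.ipv4.tcp_fin_timeout=20
  sysctl -w net.ipv4.tcp_max_tw_buckets=5580000
  sysctl -w net.ipv4.tcp_keepalive_probes=5
}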
#######################################
# Drop SMTP (25) from every country code in Drop_GeoIP.  Needs the geoip
# match in kernel and iptables, which is why _firewall.sh keeps the call
# commented out by default.
# Globals: Drop_GeoIP (read; space-separated list)
#######################################
drop_geoip() {
  #iptables -A INPUT -p tcp --dport 21:23 -m geoip ! --src-cc KR -j DROP
  local cc
  # shellcheck disable=SC2086 -- Drop_GeoIP is deliberately word-split
  for cc in ${Drop_GeoIP}; do
    iptables -A INPUT -p tcp --dport 25 -m geoip --src-cc "${cc}" -j DROP
  done
}
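#######################################
# SSH from the sources in AllowHost_ssh, rate-limited per source: a client
# opening more than 20 new connections within 60 s is logged and dropped.
# Globals: AllowHost_ssh, SW_ssh_port (read)
#
# Ordering matters: the recent/SSHSCAN rules must precede the ACCEPT rules,
# because an accepted packet never reaches later rules.  In the original they
# came after an unconditional "--dport 22 ... -j ACCEPT", so the scan limiter
# never matched and the AllowHost_ssh list did not restrict anything.  That
# blanket ACCEPT is removed; the shipped default list already contains any/0,
# so with the default configuration the set of admitted sources is unchanged.
#######################################
allow_ssh() {
  local src
  iptables -A INPUT -p tcp --dport "${SW_ssh_port}" -m state --state NEW -m recent --set --name SSHSCAN
  iptables -A INPUT -p tcp --dport "${SW_ssh_port}" -m state --state NEW -m recent --update --seconds 60 --hitcount 20 --rttl --name SSHSCAN -j LOG --log-prefix SSH_Scan:
  iptables -A INPUT -p tcp --dport "${SW_ssh_port}" -m state --state NEW -m recent --update --seconds 60 --hitcount 20 --rttl --name SSHSCAN -j DROP
  # shellcheck disable=SC2086 -- AllowHost_ssh is deliberately word-split
  for src in ${AllowHost_ssh}; do
    iptables -A INPUT -p tcp -s "${src}" --dport "${SW_ssh_port}" -m state --state NEW,ESTABLISHED -j ACCEPT
  done
}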
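#######################################
# FTP from the sources in AllowHost_ftp: the control connection (20:21) as a
# tracked connection, and the passive-mode data connection through the
# conntrack FTP helper (RELATED).  The former second rule accepted any TCP
# from those sources with sport 1024:65535 to dport 1024:65535 with no state
# check, i.e. it exposed every unprivileged port -- for the default any/0
# entry, to the whole Internet.
# Globals: AllowHost_ftp (read)
# The helper module is loaded best-effort (nf_conntrack_ftp on current
# kernels, ip_conntrack_ftp on older ones); without it passive data
# connections are not classified RELATED and will be dropped by policy.
#######################################
allow_ftp() {
  local src
  modprobe nf_conntrack_ftp 2>/dev/null || modprobe ip_conntrack_ftp 2>/dev/null || :
  # shellcheck disable=SC2086 -- AllowHost_ftp is deliberately word-split
  for src in ${AllowHost_ftp}; do
    iptables -A INPUT -p tcp -s "${src}" --dport 20:21 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A INPUT -p tcp -s "${src}" --sport 1024:65535 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
  done
}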
#######################################
# Telnet from the sources in AllowHost_telnet only (the default list is the
# 192.168.100.0/16 LAN; telnet carries credentials in clear text, so keep it
# that narrow).
# Globals: AllowHost_telnet, SW_telnet_port (read)
#######################################
allow_telnet() {
  local src
  # shellcheck disable=SC2086 -- AllowHost_telnet is deliberately word-split
  for src in ${AllowHost_telnet}; do
    iptables -A INPUT -p tcp -s "${src}" --dport "${SW_telnet_port}" -m state --state NEW,ESTABLISHED -j ACCEPT
  done
}
#######################################
# Remote syslog (514) over TCP and UDP, from any source and without a state
# match.  Only meant to be enabled when this host acts as a log server.
#######################################
allow_syslog() {
  local proto
  for proto in tcp udp; do
    iptables -A INPUT -p "${proto}" --dport 514 -j ACCEPT
  done
}
#######################################
# Inbound SMTP (25) from any source.
#######################################
allow_smtp() {
  local port=25
  iptables -A INPUT -p tcp --dport "${port}" -m state --state NEW,ESTABLISHED -j ACCEPT
}
#######################################
# Plain HTTP (80) from the sources in AllowHost_http, matched statelessly on
# client ports and this host's address; HTTPS (443) from anywhere.
# Globals: AllowHost_http, IPADDR (read)
#######################################
allow_http() {
  local src
  # shellcheck disable=SC2086 -- AllowHost_http is deliberately word-split
  for src in ${AllowHost_http}; do
    iptables -A INPUT -p tcp -s "${src}" --dport 80 --sport 1024:65535 -d "${IPADDR}" -j ACCEPT
  done
  iptables -A INPUT -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
}
#######################################
# Mail retrieval from any source: POP3 (110), IMAP (143) and their TLS
# variants IMAPS (993) and POP3S (995).
#######################################
allow_pop3() {
  local port
  for port in 110 143 993 995; do
    iptables -A INPUT -p tcp --dport "${port}" -m state --state NEW,ESTABLISHED -j ACCEPT
  done
}
#######################################
# NTP (123) over TCP and UDP from any source.
#######################################
allow_ntp() {
  local proto
  for proto in tcp udp; do
    iptables -A INPUT -p "${proto}" --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
  done
}
#######################################
# SNMP agent and trap ports (161:162) over UDP.
# NOTE(review): open to every source; SNMPv1/v2c community strings travel in
# clear text, so an AllowHost list like the other services would be prudent.
#######################################
allow_snmp() {
  local ports="161:162"
  iptables -A INPUT -p udp --dport "${ports}" -m state --state NEW,ESTABLISHED -j ACCEPT
}
#######################################
# SMB/CIFS from the sources in AllowHost_samba: NetBIOS over UDP 137:139,
# SMB over TCP 445, and TCP 901 (SWAT's conventional port).
# Globals: AllowHost_samba (read)
#######################################
allow_samba() {
  local src
  # shellcheck disable=SC2086 -- AllowHost_samba is deliberately word-split
  for src in ${AllowHost_samba}; do
    iptables -A INPUT -p udp -s "${src}" --dport 137:139 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A INPUT -p tcp -s "${src}" --dport 445 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A INPUT -p tcp -s "${src}" --dport 901 -m state --state NEW,ESTABLISHED -j ACCEPT
  done
}
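#######################################
# rsync daemon (873) from the sources in AllowHost_rsync only, as tracked
# connections (the form the original kept commented out).
# Globals: AllowHost_rsync (read)
# The original appended an unconditional "--dport 873 ... -j ACCEPT" after
# the loop, which admitted every source regardless of the list.  It is
# removed; the shipped default list is any/0, so the default set of admitted
# sources is unchanged.
#######################################
allow_rsync() {
  local src
  # shellcheck disable=SC2086 -- AllowHost_rsync is deliberately word-split
  for src in ${AllowHost_rsync}; do
    iptables -A INPUT -p tcp -s "${src}" --dport 873 -m state --state NEW,ESTABLISHED -j ACCEPT
  done
}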
#######################################
# MySQL (3306) from any source.
# NOTE(review): a database port reachable from everywhere is unusual;
# restricting it to the application hosts would match the AllowHost pattern
# used by the other services.
#######################################
allow_mysql() {
  local port=3306
  iptables -A INPUT -p tcp --dport "${port}" -m state --state NEW,ESTABLISHED -j ACCEPT
}
#######################################
# TCP 10201 and 10250 from any source (the "arreo" service of the original;
# what listens there is not documented in this file).
#######################################
allow_arreo() {
  local port
  for port in 10201 10250; do
    iptables -A INPUT -p tcp --dport "${port}" -m state --state NEW,ESTABLISHED -j ACCEPT
  done
}
#######################################
# All ICMP from the sources in AllowHost_icmp.  The narrower echo-request-only
# rule stays commented out, as in the original.
# Globals: AllowHost_icmp (read)
#######################################
allow_icmp() {
  local src
  # shellcheck disable=SC2086 -- AllowHost_icmp is deliberately word-split
  for src in ${AllowHost_icmp}; do
    #iptables -A INPUT -s "${src}" -p icmp --icmp-type echo-request -j ACCEPT
    iptables -A INPUT -s "${src}" -p icmp -j ACCEPT
  done
}
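#######################################
# Log, rate-limited to 1/hour with a burst of 3, what is about to fall through
# to the DROP policy.  LOG is non-terminating, so anything an ACCEPT rule
# appended later still admits is logged as "Refuse" as well (_firewall.sh
# calls allow_default/allow_pay after this).  The original listed the SYN,
# UDP and PING rules twice; the duplicates are removed.
#######################################
allow_logwrite() {
  local logformat="-m limit --limit 1/h --limit-burst 3 -j LOG"
  # shellcheck disable=SC2086 -- logformat is deliberately word-split into options
  iptables -A INPUT -m state --state INVALID ${logformat} --log-prefix 'ANY Packet Refuse'
  #iptables -A OUTPUT -m state --state INVALID ${logformat} --log-prefix 'OUTPUT ANY Packet Refuse'
  # shellcheck disable=SC2086
  iptables -A INPUT -p tcp --syn ${logformat} --log-prefix 'SYN Refuse'
  # shellcheck disable=SC2086
  iptables -A INPUT -p tcp --dport 1:65535 ${logformat} --log-prefix 'TCP Refuse'
  # shellcheck disable=SC2086
  iptables -A INPUT -p udp --dport 1:65535 ${logformat} --log-prefix 'UDP Refuse'
  # shellcheck disable=SC2086
  iptables -A INPUT -p icmp --icmp-type echo-request ${logformat} --log-prefix 'PING Refuse'
}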
#######################################
# Baseline rule kept even in "stop" mode: auth/ident (113) from any source.
#######################################
allow_default() {
  # auth
  local port=113
  iptables -A INPUT -p tcp --dport "${port}" -m state --state NEW,ESTABLISHED -j ACCEPT
}
#######################################
# Payment-gateway callback ports, from any source:
#   7777, 10240  dacom
#   10001        hankuk
#   29999        kspay
#   31000        teledit
#   81:85        name
#######################################
allow_pay() {
  local port
  for port in 7777 10240 10001 29999 31000 81:85; do
    iptables -A INPUT -p tcp --dport "${port}" -m state --state NEW,ESTABLISHED -j ACCEPT
  done
}
#######################################
# Placeholder for OUTPUT rules; the OUTPUT policy is ACCEPT and the two
# candidate rules stay disabled, so this only prints a marker line.
#######################################
allow_output() {
  #iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
  #iptables -A OUTPUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT
  printf '%s\n' "No output"
}
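#######################################
# Print the live rule set followed by a short banner.  The "badguy" recent
# list lives under /proc/net/xt_recent on newer kernels and
# /proc/net/ipt_recent on older ones; whichever exists is read, instead of
# letting cat fail on a hard-coded path.
# Globals: deny_file (read; set by drop_fileIP, may be empty)
#######################################
firewall_status() {
  local recent shown=0
  iptables -L -n
  echo "-------------------------------------------------------------------------------"
  echo "# Scripted By JungChanHo "
  echo "# This file easily used to adjust Firewall System. "
  echo "-------------------------------------------------------------------------------"
  echo "# Deny IP Append : ${deny_file} "
  echo "-------------------------------------------------------------------------------"
  for recent in /proc/net/xt_recent/badguy /proc/net/ipt_recent/badguy; do
    if [ -r "${recent}" ]; then
      echo "# ${recent} : $(cat "${recent}") "
      shown=1
      break
    fi
  done
  [ "${shown}" -eq 1 ] || echo "# badguy recent list : not available "
  echo "-------------------------------------------------------------------------------"
}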