나는 Fail2ban과 같은 기능이 추가되기 전에 가장 많은 보호를 제공해야 하는 일련의 규칙을 가지고 있습니다. 문제는 테스트에서 모든 것이 확인되는 동안 테스트 service iptables restart 를 수행하면 올바르게 닫히지만 규칙을 적용하면 중단된다는 것입니다. 이것이 컬렉션이다
# Allow all traffic.
#---------------------------------------------------------
*filter
:INPUT ACCEPT [81:5076]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [44:3868]
#---------------------------------------------------------
# protection based on http://thelowedown.wordpress.com/2008/07/03/iptables-how-to-use-the-limits-module/
# and https://gist.github.com/virtualstaticvoid/1024546
# and http://www.cyberciti.biz/tips/howto-limit-linux-syn-attacks.html
#---------------------------------------------------------
#---------------------------------------------------------
# General rules
#---------------------------------------------------------
# it is gerenally view as best practice to drop all and add
# just what is needed. Drop and reject to prevent abuse
# of the system and sour the milk
#---------------------------------------------------------
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
# Allow incoming HTTP
#---------------------------------------------------------
-A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
# Allow incoming HTTPS
#---------------------------------------------------------
-A INPUT -i eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
# Allow loopback access
#---------------------------------------------------------
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Allow packets from internal network to reach external network.
# if eth1 is connected to external network (internet)
# if eth0 is connected to internal network (192.168.1.x)
#---------------------------------------------------------
-A FORWARD -i eth0 -o eth1 -j ACCEPT
# Allow outbound DNS
#---------------------------------------------------------
-A OUTPUT -p udp -o eth0 --dport 53 -j ACCEPT
-A INPUT -p udp -i eth0 --sport 53 -j ACCEPT
#---------------------------------------------------------
# DATABASE Connections
#---------------------------------------------------------
# Allow MySQL connection only from a specific network
#---------------------------------------------------------
-A INPUT -i eth0 -p tcp -s 192.168.200.0/24 --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp --sport 3306 -m state --state ESTABLISHED -j ACCEPT
#---------------------------------------------------------
# SSH
#---------------------------------------------------------
# Allow ALL incoming SSH
#---------------------------------------------------------
-A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
# Allow outgoing SSH
#---------------------------------------------------------
-A OUTPUT -o eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
# limit ssh to 10 connections in 10mins
# note 198.255.255.255 is fake for this post
#---------------------------------------------------------
-I INPUT -p tcp -s 0/0 -d 198.255.255.255 --sport 513:65535 --dport 22 -m state --state NEW,ESTABLISHED -m recent --set -j ACCEPT
-I INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 600 --hitcount 11 -j DROP
-A OUTPUT -p tcp -s 198.255.255.255 -d 0/0 --sport 22 --dport 513:65535 -m state --state ESTABLISHED -j ACCEPT
#---------------------------------------------------------
# DoS
#---------------------------------------------------------
# Prevent general DoS attack
#---------------------------------------------------------
-A INPUT -p tcp --dport 22 -m limit --limit 5/minute --limit-burst 10 -j ACCEPT
-A INPUT -p tcp --dport 80 -m limit --limit 5/minute --limit-burst 100 -j ACCEPT
-A INPUT -p tcp --dport 443 -m limit --limit 5/minute --limit-burst 100 -j ACCEPT
# Syn-flood protection
#---------------------------------------------------------
-A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
# Interface 0 incoming syn-flood protection
#---------------------------------------------------------
-N syn_flood
-A INPUT -p tcp --syn -j syn_flood
-A syn_flood -m limit --limit 1/s --limit-burst 3 -j RETURN
-A syn_flood -j DROP
# Furtive port scanner
#---------------------------------------------------------
#-A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST \
#-A port-scan -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j RETURN
#-A port-scan -j DROP
# Ping of death
#---------------------------------------------------------
#-A FORWARD -p icmp --icmp-type echo-request -m limit \ --limit 1/s -j ACCEPT
# Limiting the incoming icmp ping request
#---------------------------------------------------------
-A INPUT -p icmp -m limit --limit 1/s --limit-burst 1 -j ACCEPT
-A INPUT -p icmp -m limit --limit 1/s --limit-burst 1 -j LOG --log-prefix PING-DROP:
-A INPUT -p icmp -j DROP
-A OUTPUT -p icmp -j ACCEPT
#---------------------------------------------------------
# Logging
#---------------------------------------------------------
# Log dropped packets
#---------------------------------------------------------
-N LOGGING
-A INPUT -j LOGGING
-A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables Packet Dropped: " --log-level 7
-A LOGGING -j DROP
COMMIT
# End
port-scan테스트에 실패했기 때문에 ping and death 규칙을 제거해야 했습니다 . 이것도 수정하고 싶습니다.
테스트를 통과하면서도 항상 규칙을 적용해야 하는 이유가 무엇인지 아시나요?
고쳐 쓰다
다음을 제외하고 지금까지 모든 내용에 댓글을 달았습니다.
# Allow all traffic.
#---------------------------------------------------------
*filter
:INPUT ACCEPT [81:5076]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [44:3868]
iptables백업을 시작할 때 멈추고 시작할 수 없는 등의 이상한 결과가 여전히 나타납니다 yum install *. 이제 다시 시작해서 규칙을 수정하면 됩니다!