How do I set up a clean SuSE firewall?


I am running some rules on a machine with the firewall disabled, but when I run rcSuSEfirewall2 a lot of rules and policies are applied by default.

iptables -L

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere            state RELATED
input_ext  all  --  anywhere             anywhere
input_ext  all  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere            limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-IN-ILL-TARGET '
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere            limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-FWD-ILL-ROUTING '

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain forward_ext (0 references)
target     prot opt source               destination

Chain input_ext (2 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere            PKTTYPE = broadcast
ACCEPT     icmp --  anywhere             anywhere            icmp source-quench
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request
LOG        all  --  anywhere             anywhere            limit: avg 3/min burst 5 PKTTYPE = multicast LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT '
DROP       all  --  anywhere             anywhere            PKTTYPE = multicast
DROP       all  --  anywhere             anywhere            PKTTYPE = broadcast
LOG        tcp  --  anywhere             anywhere            limit: avg 3/min burst 5 tcp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT '
LOG        icmp --  anywhere             anywhere            limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT '
LOG        udp  --  anywhere             anywhere            limit: avg 3/min burst 5 state NEW LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT '
DROP       all  --  anywhere             anywhere

Chain reject_func (0 references)
target     prot opt source               destination
REJECT     tcp  --  anywhere             anywhere            reject-with tcp-reset
REJECT     udp  --  anywhere             anywhere            reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere            reject-with icmp-proto-unreachable

On to my question: how do I set up the SuSE firewall so that at startup every chain shows policy ACCEPT? Like this:

iptables -L

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
(my custom DROP Rule)

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

PS: this sounds pointless, but it is because I added the rules in /etc/sysconfig/scripts/SuSEfirewall2-custom

I am using SuSE Linux Enterprise Server 11 Service Pack 3.

Update:

I checked YaST Firewall again to see whether there is an option to set the policies to "ACCEPT".

Answer 1

Well, I want to share this workaround. It is not as elegant as I would like, but it works.

First create a file and name it as you need: fwsrv

#!/bin/bash
# Author: Francisco Tapia
#
# /etc/init.d/fwsrv
#
### BEGIN INIT INFO
# Provides:          fwsrv
# Required-Start:    network
# Should-Start:      $null
# Required-Stop:     $null
# Should-Stop:       $null
# Default-Start:     5
# Default-Stop:      5
# Short-Description: Executes iptables rules.
# Description:       this is not a service.
### END INIT INFO

. /etc/rc.status

rc_reset

case "$1" in
   start)
     # use colour for ease of spotting
      echo -e "\E[36mRunning $0 (start)...\E[0m";
      /etc/init.d/fwsrv.d/start
      echo -e "\E[36mDone $0 \E[0m";
   ;;
   stop)

      echo -e "\E[36mRunning $0 (stop)...\E[0m";
      /etc/init.d/fwsrv.d/stop
      echo -e "\E[36mDone $0 \E[0m";
   ;;
   restart)
      $0 stop
      $0 start
      rc_status
      ;;
   *)
      echo "Usage $0 (start|stop|restart)"
      exit 1
      ;;
esac

rc_exit

Then create two files, one named start and the other stop, with this content:

#!/bin/bash

# run scripts with names starting 0-9 in foreground. if you want to
# put a script in start.d and you care about when it gets run in relation
# to other scripts, give it a name starting 0-9
for i in $(dirname $0)/start.d/[0-9]*;do
   test -x $i && echo -e "\E[36mRunning ${i} \E[0m" && $i
done

# run scripts with names starting a-z in the background
# as this reduces the overall time this script takes to run.
for i in $(dirname $0)/start.d/[a-z]*;do
   test -x $i && echo -e "\E[36mRunning ${i} \E[0m" && $i &
done

# wait for children to exit
wait;

The last one is called rules and contains all the rules I want:

#!/bin/bash
rcSuSEfirewall2 start
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -F
#My Desired Rules

Then run the following commands in a terminal:

cp fwsrv /etc/init.d/fwsrv
chmod u+x /etc/init.d/fwsrv
mkdir -p /etc/init.d/fwsrv.d/start.d
mkdir -p /etc/init.d/fwsrv.d/stop.d
cp start /etc/init.d/fwsrv.d/start
cp stop /etc/init.d/fwsrv.d/stop
chmod u+x /etc/init.d/fwsrv.d/start
chmod u+x /etc/init.d/fwsrv.d/stop
cp rules /etc/init.d/fwsrv.d/start.d/rules
chmod u+x /etc/init.d/fwsrv.d/start.d/rules
insserv /etc/init.d/fwsrv

Now the machine starts the firewall at boot, flushes all the rules and applies the custom ones. To add more rules, edit the rules file in /etc/init.d/fwsrv.d/start.d/
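The rules script in the answer above leaves a few things implicit: `iptables -F` empties the chains but does not delete the user-defined ones (input_ext, reject_func, ...), and nothing verifies after a reboot that the policies really ended up as ACCEPT. The following is an added example, not code from the answer or from SuSEfirewall2; it assumes the fwsrv layout described above (a script under /etc/init.d/fwsrv.d/start.d/), the address 192.0.2.10 is a constructed placeholder, and the `IPT` variable lets you dry-run with `IPT=echo` to see the iptables arguments instead of applying them:

```sh
#!/bin/sh
# Added example, not from the original answer. Assumes the fwsrv layout
# described above; it would live at /etc/init.d/fwsrv.d/start.d/rules.
# Set IPT=echo to dry-run: the iptables arguments are printed, not applied.
IPT="${IPT:-iptables}"

# Bring the filter table to the state the question asks for: every built-in
# chain with policy ACCEPT and none of the rules or chains SuSEfirewall2 loaded.
reset_filter_table() {
    for chain in INPUT FORWARD OUTPUT; do
        "$IPT" -P "$chain" ACCEPT
    done
    "$IPT" -F   # flush the rules of every chain in the filter table
    "$IPT" -X   # delete the now-empty user-defined chains (input_ext, reject_func, ...)
}

# The custom rules. 192.0.2.10 is a constructed placeholder (TEST-NET-1).
apply_custom_rules() {
    "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A INPUT -s 192.0.2.10 -j DROP
}

# Read `iptables -L` output on stdin, print "CHAIN POLICY" for the built-in
# chains and return 1 if any policy is not ACCEPT. Run it after a reboot to
# confirm SuSEfirewall2 did not re-apply its DROP policies behind your back.
check_policies() {
    awk '/^Chain (INPUT|FORWARD|OUTPUT) \(policy/ {
             gsub(/[()]/, "", $4)
             print $2, $4
             if ($4 != "ACCEPT") bad = 1
         }
         END { exit bad + 0 }'
}

case "${1:-}" in
    apply) reset_filter_table && apply_custom_rules ;;
    check) "$IPT" -L -n | check_policies ;;
esac
```

The start loop in the answer runs each script without arguments, so either install this as `rules` and change the loop's `$i` to `$i apply`, or keep a one-line `rules` script that calls it with `apply`. Two caveats a practitioner should keep in mind with this ordering (the answer's own rules file has the same property): between the `-P ACCEPT`/`-F` step and the custom rules the host has no filtering at all, so if the custom DROP rules must never be absent, add them before switching the policies, or load the whole set atomically with `iptables-restore`; and because rcSuSEfirewall2 is started first and then undone, `rules check` (or `iptables -L | check_policies`) is the quick way to confirm the final state after boot.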
