おい、iptablesの使い方を具体的に詳しく教えろ!
34 :1:
|
|
|
35 :login:Penguin:01/09/19 18:23 ID:R0.PPNAU
こんにちは。
こんなスクリプトはどうでしょう?
# chain policies
# set default policies
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -P FORWARD DROP
# flush tables
/sbin/iptables -F
/sbin/iptables -F INPUT
/sbin/iptables -F OUTPUT
/sbin/iptables -F FORWARD
/sbin/iptables -F -t mangle
/sbin/iptables -X
/sbin/iptables -F -t nat
# create DUMP table
/sbin/iptables -N DUMP > /dev/null
/sbin/iptables -F DUMP
/sbin/iptables -A DUMP -p tcp -j REJECT --reject-with tcp-reset
/sbin/iptables -A DUMP -p udp -j REJECT --reject-with icmp-port-unreachable
/sbin/iptables -A DUMP -j DROP
# Stateful table
/sbin/iptables -N STATEFUL > /dev/null
/sbin/iptables -F STATEFUL
/sbin/iptables -I STATEFUL -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A STATEFUL -m state --state NEW -i ! ppp0 -j ACCEPT
/sbin/iptables -A STATEFUL -j DUMP
# loopback rules
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -j ACCEPT
# drop reserved addresses incoming
/sbin/iptables -A INPUT -i ppp0 -s 127.0.0.0/8 -j DUMP
/sbin/iptables -A INPUT -i ppp0 -s 192.168.0.0/16 -j DUMP
/sbin/iptables -A INPUT -i ppp0 -s 172.16.0.0/12 -j DUMP
/sbin/iptables -A INPUT -i ppp0 -s 10.0.0.0/8 -j DUMP
# allow certain inbound ICMP types
/sbin/iptables -A INPUT -i ppp0 -p icmp --icmp-type destination-unreachable -j AC
CEPT
/sbin/iptables -A INPUT -i ppp0 -p icmp --icmp-type time-exceeded -j ACCEPT
/sbin/iptables -A INPUT -i ppp0 -p icmp --icmp-type echo-reply -j ACCEPT
# opened ports
# Set up NAT for internal network
/sbin/iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o ppp0 -j MASQUERADE
# push everything else to state table
/sbin/iptables -A INPUT -j STATEFUL
こんなスクリプトはどうでしょう?
# chain policies
# set default policies
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -P FORWARD DROP
# flush tables
/sbin/iptables -F
/sbin/iptables -F INPUT
/sbin/iptables -F OUTPUT
/sbin/iptables -F FORWARD
/sbin/iptables -F -t mangle
/sbin/iptables -X
/sbin/iptables -F -t nat
# create DUMP table
/sbin/iptables -N DUMP > /dev/null
/sbin/iptables -F DUMP
/sbin/iptables -A DUMP -p tcp -j REJECT --reject-with tcp-reset
/sbin/iptables -A DUMP -p udp -j REJECT --reject-with icmp-port-unreachable
/sbin/iptables -A DUMP -j DROP
# Stateful table
/sbin/iptables -N STATEFUL > /dev/null
/sbin/iptables -F STATEFUL
/sbin/iptables -I STATEFUL -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A STATEFUL -m state --state NEW -i ! ppp0 -j ACCEPT
/sbin/iptables -A STATEFUL -j DUMP
# loopback rules
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -j ACCEPT
# drop reserved addresses incoming
/sbin/iptables -A INPUT -i ppp0 -s 127.0.0.0/8 -j DUMP
/sbin/iptables -A INPUT -i ppp0 -s 192.168.0.0/16 -j DUMP
/sbin/iptables -A INPUT -i ppp0 -s 172.16.0.0/12 -j DUMP
/sbin/iptables -A INPUT -i ppp0 -s 10.0.0.0/8 -j DUMP
# allow certain inbound ICMP types
/sbin/iptables -A INPUT -i ppp0 -p icmp --icmp-type destination-unreachable -j AC
CEPT
/sbin/iptables -A INPUT -i ppp0 -p icmp --icmp-type time-exceeded -j ACCEPT
/sbin/iptables -A INPUT -i ppp0 -p icmp --icmp-type echo-reply -j ACCEPT
# opened ports
# Set up NAT for internal network
/sbin/iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o ppp0 -j MASQUERADE
# push everything else to state table
/sbin/iptables -A INPUT -j STATEFUL