ファイアウォール IPTABLES インストール

ヒント
iptablesとは、Linuxに実装されたパケットフィルタリング・ファイアウォール機能です。firewalldとiptables（iptables-servicesパッケージ）は同時に有効にできません。どちらか一方を選んでください。
Firewalld停止
[root@centos ~]# systemctl stop firewalld
[root@centos ~]# systemctl disable firewalld
IPTABLESインストール
[root@centos ~]# yum -y install iptables-services
[root@centos ~]# systemctl start iptables
[root@centos ~]# systemctl enable iptables
[root@centos ~]# systemctl is-enabled iptables
enabled
IPTABLES実行ディレクトリ作成
[root@centos ~]# mkdir /root/iptables
CKFILTER(中国・韓国を弾く)を使用する場合
[root@centos ~]# vi /root/iptables/ckfilter_setup.sh
↓下記を記入
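#!/bin/bash
# ckfilter_setup.sh - build /root/iptables/ckip, the list of IPv4 CIDR blocks
# that APNIC has delegated to the countries in COUNTRYLIST. The file is read
# by iptables_setup.sh, which drops everything from those blocks (CKFILTER).
#
# Changes from the original version:
#   * the list is fetched over https and the download is checked, so a failed
#     or tampered transfer cannot silently produce an empty or wrong list;
#   * the download goes to a private temp dir, not the current directory;
#   * allocations whose size is not a power of two are split into exact CIDR
#     blocks (the old halving loop under-covered those, and never terminated
#     on a size of 0);
#   * the output is written once via a temp file, so re-running this script
#     replaces the list instead of appending duplicates to it.
set -euo pipefail

COUNTRYLIST='CN KR'
APNIC_URL='https://ftp.apnic.net/stats/apnic/delegated-apnic-latest'
CKIP_FILE=/root/iptables/ckip

# Convert a dotted-quad IPv4 address to a 32-bit integer.
# 10# forces decimal so an octet like "010" is not read as octal.
ip2int() {
  local IFS=.
  # shellcheck disable=SC2086 -- intentional split on '.'
  set -- $1
  printf '%s\n' "$(( (10#$1 << 24) | (10#$2 << 16) | (10#$3 << 8) | 10#$4 ))"
}

# Convert a 32-bit integer back to dotted-quad notation.
int2ip() {
  printf '%d.%d.%d.%d\n' "$(( ($1 >> 24) & 255 ))" "$(( ($1 >> 16) & 255 ))" \
    "$(( ($1 >> 8) & 255 ))" "$(( $1 & 255 ))"
}

# Print the minimal set of CIDR blocks covering $2 addresses starting at $1.
# Each block is the largest power-of-two size that both fits the remaining
# count and is aligned to the current start address, so the cover is exact.
range_to_cidrs() {
  local start count size prefix
  start=$(ip2int "$1")
  count=$2
  while (( count > 0 )); do
    size=1
    prefix=32
    while (( size * 2 <= count && start % (size * 2) == 0 )); do
      size=$(( size * 2 ))
      prefix=$(( prefix - 1 ))
    done
    printf '%s/%d\n' "$(int2ip "$start")" "$prefix"
    start=$(( start + size ))
    count=$(( count - size ))
  done
}

main() {
  local workdir listfile outfile country
  workdir=$(mktemp -d)
  trap 'rm -rf -- "$workdir"' EXIT
  listfile=$workdir/delegated-apnic-latest
  outfile=$workdir/ckip

  if ! wget -q -O "$listfile" "$APNIC_URL"; then
    printf 'ckfilter_setup: download of %s failed\n' "$APNIC_URL" >&2
    exit 1
  fi

  : > "$outfile"
  for country in $COUNTRYLIST; do
    # Record layout: registry|cc|type|start|value|date|status ;
    # for ipv4 records "value" is the number of addresses in the allocation.
    awk -F'|' -v cc="$country" \
      '$1 == "apnic" && $2 == cc && $3 == "ipv4" { print $4, $5 }' "$listfile" |
    while read -r start count; do
      # The list is external input: skip anything that is not "a.b.c.d N" with N > 0
      # rather than turning it into an iptables argument later.
      [[ "$start" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ && "$count" =~ ^[0-9]+$ && "$count" -gt 0 ]] || continue
      range_to_cidrs "$start" "$count"
    done >> "$outfile"
  done

  # An empty result almost certainly means a broken download or format change;
  # refuse to install it so the firewall is not rebuilt with no blocks at all.
  if [[ ! -s "$outfile" ]]; then
    printf 'ckfilter_setup: no address blocks found for %s; %s left untouched\n' \
      "$COUNTRYLIST" "$CKIP_FILE" >&2
    exit 1
  fi

  mkdir -p -- "$(dirname -- "$CKIP_FILE")"
  install -m 600 -- "$outfile" "$CKIP_FILE"
}

main "$@"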
[root@centos ~]# chmod 700 /root/iptables/ckfilter_setup.sh
[root@centos ~]# /root/iptables/ckfilter_setup.sh
[root@centos ~]# rm -f /root/iptables/ckfilter_setup.sh
iptables設定
[root@centos ~]# vi /root/iptables/iptables_setup.sh
↓下記を記入
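#!/bin/bash
# iptables_setup.sh - build the filter-table ruleset for this host, load it
# atomically with iptables-restore, then persist it for the iptables service.
#
# Changes from the original version:
#   * the ruleset is written to a temp file and loaded with one
#     iptables-restore call (parsed first with --test) instead of stopping the
#     service and issuing one iptables command per rule. The host no longer sits
#     with an ACCEPT policy while thousands of CKFILTER inserts run, and a typo
#     leaves the existing ruleset in place instead of a half-built one.
#     Only the filter table is touched; the old "systemctl stop iptables" also
#     flushed nat/mangle, which this script never populated anyway;
#   * the "accept any TCP packet with source port 20" rule is gone: it let any
#     remote host reach every local port simply by sending from port 20.
#     Active-mode FTP data connections are opened outbound by the server
#     (OUTPUT is ACCEPT) and their replies match ESTABLISHED, so nothing is lost;
#   * every CKFILTER entry is validated as a.b.c.d/n before it becomes a rule;
#   * new SSH connections are throttled per source with the recent module to
#     slow password brute-forcing (more than 6 in 60 s are logged and dropped).
set -euo pipefail

################
### Settings ###
################
# Everything from LOCALNET is accepted unconditionally, so it must be the
# real local network (check with `ip addr show`).
LOCALNET=192.168.1.0/24
CKIP_FILE=/root/iptables/ckip
# Writes the running ruleset to /etc/sysconfig/iptables, which
# `systemctl start iptables` restores on boot.
IPTABLES_INIT=/usr/libexec/iptables/iptables.init

# Emit one "-A INPUT -s <cidr> -j CKFILTER" line per entry of CKIP_FILE.
# The file is derived from a downloaded list, so it is treated as untrusted:
# anything that is not a plain IPv4 CIDR is reported and skipped.
emit_ckfilter_rules() {
  local cidr
  [[ -e "$CKIP_FILE" ]] || return 0
  while IFS= read -r cidr || [[ -n "$cidr" ]]; do
    if [[ "$cidr" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}/[0-9]{1,2}$ ]]; then
      printf '%s\n' "-A INPUT -s $cidr -j CKFILTER"
    elif [[ -n "$cidr" ]]; then
      printf 'iptables_setup: ignoring malformed CKFILTER entry: %s\n' "$cidr" >&2
    fi
  done < "$CKIP_FILE"
}

# Emit the complete filter table in iptables-restore format on stdout.
# '#' lines and blank lines are comments to iptables-restore.
emit_ruleset() {
  local nb_ports=135,137,138,139,445
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:PINGOFDEATH - [0:0]
:CKFILTER - [0:0]
EOF

  # Country block list first so it takes precedence over the LOCAL ACCEPT
  # rules, exactly as the old per-rule "-I INPUT" did.
  emit_ckfilter_rules

  cat <<EOF
-A CKFILTER -j DROP

# Loopback, trusted LAN and replies to connections we opened ourselves.
-A INPUT -i lo -j ACCEPT
-A INPUT -s $LOCALNET -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Fragments: log, then drop.
-A INPUT -f -j LOG --log-level debug --log-prefix "FRAGMENT DROP:"
-A INPUT -f -j DROP

# NetBIOS/SMB: never accept from, or leak to, anything outside the LAN.
-A INPUT ! -s $LOCALNET -p tcp -m multiport --dports $nb_ports -j DROP
-A INPUT ! -s $LOCALNET -p udp -m multiport --dports $nb_ports -j DROP
-A OUTPUT ! -d $LOCALNET -p tcp -m multiport --sports $nb_ports -j DROP
-A OUTPUT ! -d $LOCALNET -p udp -m multiport --sports $nb_ports -j DROP

# Ping flood: 1 echo-request/s with a burst of 4, the rest logged and dropped.
-A PINGOFDEATH -m limit --limit 1/s --limit-burst 4 -j ACCEPT
-A PINGOFDEATH -j LOG --log-level debug --log-prefix "PINGDEATH DROP:"
-A PINGOFDEATH -j DROP
-A INPUT -p icmp --icmp-type echo-request -j PINGOFDEATH

# Broadcast and all-hosts multicast.
-A INPUT -d 255.255.255.255 -j DROP
-A INPUT -d 224.0.0.1 -j DROP

# IDENT: answer with RST so remote mail servers probing us do not wait for a timeout.
-A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset

# SSH, throttled per source: the 7th new connection within 60 s is logged and dropped.
-A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name SSH --set
-A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name SSH --update --seconds 60 --hitcount 7 -j LOG --log-level debug --log-prefix "SSH BRUTE DROP:"
-A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name SSH --update --seconds 60 --hitcount 7 -j DROP
-A INPUT -p tcp --dport 22 -j ACCEPT

# HTTP / HTTPS
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

# FTP control port and the passive-mode data range (the FTP server must be
# configured to use 4000-4029). No "--sport 20" rule on purpose, see header.
-A INPUT -p tcp --dport 21 -j ACCEPT
-A INPUT -p tcp --dport 4000:4029 -j ACCEPT

# Mail. 25/110/143 are cleartext protocols; open them only if the server
# really offers them, otherwise delete the lines.
-A INPUT -p tcp --dport 25 -j ACCEPT
-A INPUT -p tcp --dport 465 -j ACCEPT
-A INPUT -p tcp --dport 110 -j ACCEPT
-A INPUT -p tcp --dport 995 -j ACCEPT
-A INPUT -p tcp --dport 143 -j ACCEPT
-A INPUT -p tcp --dport 993 -j ACCEPT

# Everything else: rate-limited log, then drop (the chain policies already
# drop, these rules only add the log line).
-A INPUT -m limit --limit 1/s -j LOG --log-level debug --log-prefix "INPUT DROP:"
-A INPUT -j DROP
-A FORWARD -m limit --limit 1/s -j LOG --log-level debug --log-prefix "FORWARD DROP:"
-A FORWARD -j DROP
COMMIT
EOF
}

main() {
  local ruleset
  ruleset=$(mktemp)
  trap 'rm -f -- "$ruleset"' EXIT

  emit_ruleset > "$ruleset"

  # Parse everything before touching the kernel: with set -e a rejected line
  # aborts here and the currently loaded ruleset stays as it is.
  # (--test is in the iptables shipped with CentOS 7; drop it if yours lacks it.)
  iptables-restore --test < "$ruleset"
  # Replaces the filter table in one commit, so there is no window where the
  # INPUT policy is ACCEPT.
  iptables-restore < "$ruleset"

  # Persist to /etc/sysconfig/iptables and make sure the unit is active so the
  # same rules come back on boot.
  "$IPTABLES_INIT" save
  systemctl start iptables
}

main "$@"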
[root@centos ~]# chmod 700 /root/iptables/iptables_setup.sh
[root@centos ~]# /root/iptables/iptables_setup.sh
ヒント
LOCALNETにはこのサーバが属するローカルネットワークをCIDR形式で指定します（「ip addr show」コマンドで確認できます）。LOCALNETからの通信はすべて無条件に許可されるため、必ず正しい範囲を指定してください。
CKFILTERを定期自動アップデートする場合
[root@centos ~]# vi /etc/cron.daily/ckfilter_update.sh
↓下記を記入
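#!/bin/bash
# ckfilter_update.sh - daily (cron.daily) refresh of /root/iptables/ckip from
# APNIC's delegation list. When the list changed, iptables_setup.sh is re-run so
# the CKFILTER chain picks up the new blocks.
#
# Changes from the original version:
#   * the list is fetched over https and the download is checked; any failure
#     is reported on stderr (so cron mails it) and the old list is kept;
#   * the download goes to a private temp dir instead of whatever the working
#     directory of run-parts happens to be;
#   * the candidate list is built in a temp file, so a run that dies halfway
#     cannot leave a partial ckip_new that the next run appends to;
#   * an empty result never replaces the installed list;
#   * allocations whose size is not a power of two are split into exact CIDR
#     blocks (the old halving loop under-covered those, and never terminated
#     on a size of 0). Keep this logic in sync with ckfilter_setup.sh.
set -euo pipefail

COUNTRYLIST='CN KR'
APNIC_URL='https://ftp.apnic.net/stats/apnic/delegated-apnic-latest'
CKIP_FILE=/root/iptables/ckip
SETUP_SCRIPT=/root/iptables/iptables_setup.sh

# Convert a dotted-quad IPv4 address to a 32-bit integer.
# 10# forces decimal so an octet like "010" is not read as octal.
ip2int() {
  local IFS=.
  # shellcheck disable=SC2086 -- intentional split on '.'
  set -- $1
  printf '%s\n' "$(( (10#$1 << 24) | (10#$2 << 16) | (10#$3 << 8) | 10#$4 ))"
}

# Convert a 32-bit integer back to dotted-quad notation.
int2ip() {
  printf '%d.%d.%d.%d\n' "$(( ($1 >> 24) & 255 ))" "$(( ($1 >> 16) & 255 ))" \
    "$(( ($1 >> 8) & 255 ))" "$(( $1 & 255 ))"
}

# Print the minimal set of CIDR blocks covering $2 addresses starting at $1.
# Each block is the largest power-of-two size that both fits the remaining
# count and is aligned to the current start address, so the cover is exact.
range_to_cidrs() {
  local start count size prefix
  start=$(ip2int "$1")
  count=$2
  while (( count > 0 )); do
    size=1
    prefix=32
    while (( size * 2 <= count && start % (size * 2) == 0 )); do
      size=$(( size * 2 ))
      prefix=$(( prefix - 1 ))
    done
    printf '%s/%d\n' "$(int2ip "$start")" "$prefix"
    start=$(( start + size ))
    count=$(( count - size ))
  done
}

main() {
  local workdir listfile outfile country
  workdir=$(mktemp -d)
  trap 'rm -rf -- "$workdir"' EXIT
  listfile=$workdir/delegated-apnic-latest
  outfile=$workdir/ckip_new

  if ! wget -q -O "$listfile" "$APNIC_URL"; then
    printf 'ckfilter_update: download of %s failed; keeping current list\n' "$APNIC_URL" >&2
    exit 1
  fi

  : > "$outfile"
  for country in $COUNTRYLIST; do
    # Record layout: registry|cc|type|start|value|date|status ;
    # for ipv4 records "value" is the number of addresses in the allocation.
    awk -F'|' -v cc="$country" \
      '$1 == "apnic" && $2 == cc && $3 == "ipv4" { print $4, $5 }' "$listfile" |
    while read -r start count; do
      # External input: skip anything that is not "a.b.c.d N" with N > 0.
      [[ "$start" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ && "$count" =~ ^[0-9]+$ && "$count" -gt 0 ]] || continue
      range_to_cidrs "$start" "$count"
    done >> "$outfile"
  done

  # An empty result almost certainly means a broken download or a format
  # change; never let it replace a working list.
  if [[ ! -s "$outfile" ]]; then
    printf 'ckfilter_update: no address blocks found for %s; keeping current list\n' \
      "$COUNTRYLIST" >&2
    exit 1
  fi

  # cmp -s succeeds only when both files exist and are byte-identical, so a
  # missing installed list counts as "changed" and triggers a rebuild.
  if cmp -s -- "$outfile" "$CKIP_FILE"; then
    exit 0
  fi

  install -m 600 -- "$outfile" "$CKIP_FILE"
  "$SETUP_SCRIPT" > /dev/null
}

main "$@"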
[root@centos ~]# chmod +x /etc/cron.daily/ckfilter_update.sh