digimoon.net - iptables script for Ubuntu/Debian/Gentoo
[디지문, 2009/08/03 01:41, PC Explorations/Linux]

Reference link:
http://ubuntuforums.org/archive/index.php/t-19106.html


vi /etc/init.d/iptables

    #!/bin/sh

    #This is an Ubuntu adapted iptables script from gentoo
    #(http://www.gentoo.org) which was originally distributed
    #under the terms of the GNU General Public License v2
    #and was Copyrighted 1999-2004 by the Gentoo Foundation
    #
    #This adapted version was intended for an ad-hoc personal
    #situation and as such no warranty is provided.

    . /lib/lsb/init-functions

    # File that holds the saved ruleset (iptables-save format).
    IPTABLES_SAVE="/etc/iptables"
    # -c saves/restores packet and byte counters along with the rules.
    SAVE_RESTORE_OPTIONS="-c"

    # Refuse to start until a ruleset has been saved at least once.
    checkrules() {
        if [ ! -f ${IPTABLES_SAVE} ]
        then
            echo "Not starting iptables. First create some rules then run"
            echo "\"/etc/init.d/iptables save\""
            return 1
        fi
    }

    # Dump the live ruleset to the save file.
    save() {
        /sbin/iptables-save ${SAVE_RESTORE_OPTIONS} > ${IPTABLES_SAVE}
        return $?
    }

    # Load the saved ruleset into the kernel.
    start(){
        checkrules || return 1
        /sbin/iptables-restore ${SAVE_RESTORE_OPTIONS} < ${IPTABLES_SAVE}
        return $?
    }

    case "$1" in
        save)
            echo -n "Saving iptables state..."
            save
            if [ $? -eq 0 ] ; then
                echo " ok"
            else
                echo " error !"
            fi
            ;;

        start)
            log_begin_msg "Loading iptables state and starting firewall..."
            start
            log_end_msg $?
            ;;

        stop)
            log_begin_msg "Stopping firewall..."
            # Flush every loaded table, delete user chains and reset
            # all built-in chain policies to ACCEPT (host is left open).
            for a in `cat /proc/net/ip_tables_names`; do
                /sbin/iptables -F -t $a
                /sbin/iptables -X -t $a

                if [ $a = nat ]; then
                    /sbin/iptables -t nat -P PREROUTING ACCEPT
                    /sbin/iptables -t nat -P POSTROUTING ACCEPT
                    /sbin/iptables -t nat -P OUTPUT ACCEPT
                elif [ $a = mangle ]; then
                    /sbin/iptables -t mangle -P PREROUTING ACCEPT
                    /sbin/iptables -t mangle -P INPUT ACCEPT
                    /sbin/iptables -t mangle -P FORWARD ACCEPT
                    /sbin/iptables -t mangle -P OUTPUT ACCEPT
                    /sbin/iptables -t mangle -P POSTROUTING ACCEPT
                elif [ $a = filter ]; then
                    /sbin/iptables -t filter -P INPUT ACCEPT
                    /sbin/iptables -t filter -P FORWARD ACCEPT
                    /sbin/iptables -t filter -P OUTPUT ACCEPT
                fi
            done
            log_end_msg 0
            ;;

        restart)
            log_begin_msg "Restarting firewall..."
            # Flush and reload; policies are not reset here, the saved
            # file supplies them.
            for a in `cat /proc/net/ip_tables_names`; do
                /sbin/iptables -F -t $a
                /sbin/iptables -X -t $a
            done;
            start
            log_end_msg $?
            ;;

        *)
            echo "Usage: /etc/init.d/iptables {start|stop|restart|save}" >&2
            exit 1
            ;;
    esac

    exit 0

Make the script root-only and register it with the init system:

chmod 700 /etc/init.d/iptables
update-rc.d iptables defaults



Once the script is in place, write the iptables rules by hand before running the script for the first time.
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 631 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 631 -j ACCEPT
iptables -A INPUT -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
iptables -A INPUT -p ah -j ACCEPT
iptables -A INPUT -p esp -j ACCEPT
iptables -A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable


Then save the current rules with the init script.
/etc/init.d/iptables save


From now on, instead of entering iptables rules one by one by hand, you can manage the ruleset through the init script simply by editing the /etc/iptables file directly.
/etc/init.d/iptables start|stop|restart|save
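Because the ruleset above keeps the INPUT policy at ACCEPT and relies on the final REJECT rule as the catch-all, the host is only closed while that last rule is present; "stop" flushes it, and an /etc/iptables edited by hand that loses it would load without complaint. The following added example (not part of the original post or the Gentoo script) audits an iptables-save file before it is restored: it extracts the *filter table, reports the INPUT policy and the accepted ports, and fails unless INPUT is closed by a DROP policy or an unconditional DROP/REJECT as its last rule. The sample rule files are constructed inline in iptables-save format; the path /etc/iptables and the function names are the example's own.

```shell
#!/bin/sh
# Added example: audit an iptables-save file (e.g. /etc/iptables) before
# "/etc/init.d/iptables start" restores it. Not part of the original post.

# Constructed sample in iptables-save format, matching the post's rules.
SAMPLE_RULES='# Generated by iptables-save (constructed sample)
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A INPUT -p udp -m udp --dport 631 -j ACCEPT
-A INPUT -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
-A INPUT -p ah -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
'

# Constructed failure case: same file with the catch-all REJECT removed.
SAMPLE_OPEN=$(printf '%s' "$SAMPLE_RULES" | grep -v -- '-j REJECT')

# filter_table FILE: print only the lines belonging to the *filter table.
filter_table() {
    awk '/^\*/ { in_filter = ($0 == "*filter"); next }
         in_filter && !/^COMMIT/ { print }' "$1"
}

# input_policy FILE: print the INPUT chain policy (ACCEPT or DROP).
input_policy() {
    filter_table "$1" | awk '$1 == ":INPUT" { print $2 }'
}

# input_closed FILE: exit 0 if INPUT is closed by default, i.e. its policy
# is DROP or its last rule is an unconditional DROP/REJECT.
input_closed() {
    policy=$(input_policy "$1")
    [ "$policy" = "DROP" ] && return 0
    last=$(filter_table "$1" | awk '$1 == "-A" && $2 == "INPUT"' | tail -n 1)
    case "$last" in
        "-A INPUT -j DROP"|"-A INPUT -j DROP "*|"-A INPUT -j REJECT"|"-A INPUT -j REJECT "*)
            return 0 ;;
    esac
    return 1
}

# accepted_ports FILE: print "proto/port" for each INPUT --dport ACCEPT rule.
accepted_ports() {
    filter_table "$1" | awk '
        $1 == "-A" && $2 == "INPUT" && / -j ACCEPT/ {
            proto = ""; port = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                if ($i == "--dport") port = $(i + 1)
            }
            if (port != "") print proto "/" port
        }'
}

# audit FILE: print a report; exit 0 if INPUT is closed, 1 otherwise.
audit() {
    echo "INPUT policy: $(input_policy "$1")"
    echo "Accepted ports:"
    accepted_ports "$1" | sed 's/^/  /'
    if input_closed "$1"; then
        echo "OK: INPUT ends in a catch-all DROP/REJECT (or DROP policy)"
        return 0
    fi
    echo "WARNING: INPUT is open by default; every unlisted port is reachable"
    return 1
}

# Demonstration on both constructed samples.
for sample in "$SAMPLE_RULES" "$SAMPLE_OPEN"; do
    tmp=$(mktemp)
    printf '%s\n' "$sample" > "$tmp"
    if audit "$tmp"; then echo "verdict: closed"; else echo "verdict: OPEN"; fi
    echo
    rm -f "$tmp"
done
```

To use it on a real host, run `audit /etc/iptables` after editing the file and before `/etc/init.d/iptables restart`; a non-zero exit is the signal that the edit dropped the catch-all rule.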