computer/linux/iptables
[[FrontPage]]
TCP and UDP are both used as transport protocols, and each protocol has its own notion of a port.
Note that TCP port 80 and UDP port 80 are not the same port.
Typical services, protocols, and port numbers are listed below.
|service|protocol|port|h
|http server (HTTP)|TCP|80|
|http server (SSL)|TCP|443|
|mail server (POP3)|TCP|110|
|mail server (IMAP)|TCP|143|
|mail server (SMTP)|TCP|25|
|mail server (submission port)|TCP|587|
|FTP|TCP|20, 21|
|SSH, SFTP|TCP|22|
The iptables rules are managed with iptables-persistent.
# aptitude install iptables-persistent
The files rules.v4 and rules.v6 are created in /etc/iptables/.
If IPv6 is not used, all IPv6 ports should be closed.
''/etc/iptables/rules.v6''
#highlighter(){{
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
COMMIT
}}
For IPv4, all ports should be closed by default, except those that are actually needed.
''/etc/iptables/rules.v4''
#highlighter(){{
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 ! -i lo -j REJECT --reject-with icmp-port-unreachable
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# For example, HTTP
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
# Specify the port configured for SSH
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
# -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables_log: " --log-level 7
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -j ACCEPT
COMMIT
}}
On Debian 8.0 (Jessie), the following command applies the new settings without going through the init.d script.
# netfilter-persistent reload
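Because rules.v4 and rules.v6 are plain iptables-save format, they can be audited with ordinary text tools before they are reloaded. The script below is an added example (not code from the original page or from iptables-persistent): it writes a constructed copy of the rules.v4 shown above plus a deliberately loosened variant to a temporary location, lists which ports the INPUT chain accepts, and checks that INPUT and FORWARD default to DROP. The file paths and the loosened variant are assumptions made for the example.

```shell
#!/bin/sh
# Added example: audit an iptables-save style rules file (the format of
# /etc/iptables/rules.v4) before reloading it with netfilter-persistent.

# Constructed sample, copied from the rules.v4 above (path is an assumption).
RULES_FILE="${TMPDIR:-/tmp}/rules.v4.example"
cat > "$RULES_FILE" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 ! -i lo -j REJECT --reject-with icmp-port-unreachable
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# For example, HTTP
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
# Specify the port configured for SSH
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
# -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -j ACCEPT
COMMIT
EOF

# Constructed counter-example: same rules, but INPUT defaults to ACCEPT,
# which makes the final REJECT rule the only thing closing unlisted ports.
RULES_FILE_OPEN="${TMPDIR:-/tmp}/rules.v4.open.example"
sed 's/^:INPUT DROP/:INPUT ACCEPT/' "$RULES_FILE" > "$RULES_FILE_OPEN"

# Print "proto/port" for every uncommented "-A INPUT ... --dport N -j ACCEPT"
# rule, in file order. Usage: accepted_input_ports FILE
accepted_input_ports() {
    awk '
        /^#/ { next }
        $1 == "-A" && $2 == "INPUT" && / -j ACCEPT( |$)/ {
            proto = ""; port = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                if ($i == "--dport") port = $(i + 1)
            }
            if (port != "") print proto "/" port
        }
    ' "$1"
}

# Print the default policy of a chain. Usage: chain_policy FILE CHAIN
chain_policy() {
    awk -v chain=":$2" '$1 == chain { print $2; exit }' "$1"
}

# Return 0 when INPUT and FORWARD both default to DROP, 1 otherwise,
# naming each chain that does not. Usage: check_default_deny FILE
check_default_deny() {
    status=0
    for chain in INPUT FORWARD; do
        policy=$(chain_policy "$1" "$chain")
        if [ "$policy" != "DROP" ]; then
            echo "chain $chain has policy '$policy', expected DROP" >&2
            status=1
        fi
    done
    return $status
}

# Stand-alone run: report on the sample file.
echo "INPUT policy: $(chain_policy "$RULES_FILE" INPUT)"
echo "accepted INPUT ports:"
accepted_input_ports "$RULES_FILE"
check_default_deny "$RULES_FILE" && echo "default-deny check passed"
```

Run the audit against the real file (as root, since /etc/iptables is usually not world-readable) before `netfilter-persistent reload`; a port in the accepted list that you did not intend to expose, or a chain whose policy is not DROP, is worth fixing before the rules go live, because a mistake in the SSH rule can lock you out of a remote host.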
----
http://www.serverlog.jp/iptables/
https://setting-tool.net/debian-install-jessie
http://www.mk-mode.com/octopress/2013/10/15/debian-7-setting-iptables/
http://nabe.blog.abk.nu/soft/Debian-jessie
http://www.yazin.info/blog/archives/2012/0321_155638.html
http://labs.opentone.co.jp/?p=6553
http://qiita.com/upamune/items/7adc03e8a87f8ce4b924
http://epian-wiki.appspot.com/wiki/Debian/iptables
A simple explanation of the iptables firewall, easy enough for beginners! Running a web server on a VPS, lecture (4)
http://knowledge.sakura.ad.jp/beginner/4048/
https://help.sakura.ad.jp/hc/ja/articles/206208121-iptables%E3%81%AE%E8%A8%AD%E5%AE%9A%E6%96%B9%E6%B3%95
----