Master4U

Title: Installing iptables as the Ubuntu firewall and basic configuration
Category: Linux
Name: Administrator * http://www.master4u.net


Posted: 2022-11-15 18:37
Views: 2537
https://blog.naver.com/webpioneer/222719774365

[Source] Installing iptables as the Ubuntu firewall and basic configuration | Author: 안느


On Ubuntu, ufw is installed as the default firewall.

You can install iptables and use it the way you would on Red Hat; the difference lies in how the commands are entered and how the rules are saved.

First, disable ufw (this also stops it from starting at boot):

# ufw disable

Install the iptables persistence packages (the iptables binary itself is normally already present on Ubuntu):

# apt-get install iptables-persistent netfilter-persistent

Right after installation there is no configuration yet, only the default state shown below (every chain's policy is ACCEPT):

# iptables -L

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

If the output differs from this initial state, flush the rules in every chain:

# iptables -F

If ufw-related chains are still present they overlap with the ufw configuration and are not needed, so delete them as well:

# iptables -X

Both commands act on the filter table only; if ufw left rules in another table, repeat them with -t nat (or -t mangle). If a chain refuses to go away with an error like the one below, it is still referenced by a rule in one of the built-in chains (INPUT etc.); delete those ufw-related rules first, then run iptables -X again.

iptables v1.8.7 (nf_tables): CHAIN_USER_DEL failed (Device or resource busy): chain ufw-track-output

Example of deleting a rule by position: iptables -D INPUT 1

Now add the rules that Red Hat ships by default:

# iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT <-- allow established and related connections

# iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT

# iptables -A INPUT -i lo -j ACCEPT <-- allow loopback traffic

# iptables -A INPUT -p icmp -j ACCEPT <-- allow ping

# iptables -I INPUT -p tcp --dport 22 -j ACCEPT <-- open ssh to any source (the -j ACCEPT is required; without a target the rule only counts packets)

# iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited <-- reject all other INPUT and FORWARD traffic

# iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited

Add the ESTABLISHED,RELATED rule first when working over ssh, so the session you are typing in keeps working once the REJECT is in place.

Once the baseline is in place, open the services you need, such as ssh. The catch-all REJECT is now the last rule in INPUT, so a rule appended with -A would land below it and never match; insert it above the REJECT with -I instead (position 1 here, or a numbered position as shown further down):

# iptables -I INPUT -p tcp -s 10.0.0.5 --dport 22 -j ACCEPT <-- add an IP address that may reach ssh

If ssh was already opened to any source above, this narrower rule has no effect until that broader rule is deleted.

Save the configuration after making changes, otherwise it is gone after a reboot:

# netfilter-persistent save

To load the saved configuration again:

# netfilter-persistent reload
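The steps above gathered into one script, as an added example that is not code from the original post or from its author: it builds the baseline in a lock-out-safe order, restricts ssh to an admin address (the post's 10.0.0.5, assumed here and overridable with SSH_ALLOW_FROM), checks that the ssh rule sits above the catch-all REJECT before applying anything, and then saves with netfilter-persistent. The DRY_RUN switch, the function names and the file name iptables-baseline.sh are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: build the post's baseline ruleset
# in a lock-out-safe order and persist it with netfilter-persistent.
# Assumptions: Ubuntu with iptables-persistent installed, run as root;
# 10.0.0.5 is the post's example admin address, override with SSH_ALLOW_FROM.
# DRY_RUN=1 prints the iptables commands instead of executing them.

SSH_ALLOW_FROM="${SSH_ALLOW_FROM:-10.0.0.5}"
DRY_RUN="${DRY_RUN:-0}"

# ipt: execute an iptables command, or print it when DRY_RUN=1
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# build_ruleset: flush the filter table and append the rules in order.
# ESTABLISHED,RELATED comes first so the ssh session you are typing in
# survives; the catch-all REJECT is appended last because any rule
# appended (-A) after it can never match.
build_ruleset() {
    ipt -F
    ipt -X
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -p icmp -j ACCEPT
    ipt -A INPUT -p tcp -s "$SSH_ALLOW_FROM" --dport 22 -j ACCEPT
    ipt -A INPUT -j REJECT --reject-with icmp-host-prohibited
    ipt -A FORWARD -j REJECT --reject-with icmp-host-prohibited
}

# preview: the command list build_ruleset would run, without touching the kernel
preview() {
    ( DRY_RUN=1; build_ruleset )
}

# ssh_rule_before_reject: exit 0 when the INPUT ssh ACCEPT precedes the INPUT
# catch-all REJECT in the preview, 1 otherwise (the order check to run before
# applying a ruleset over a remote ssh session)
ssh_rule_before_reject() {
    preview | awk '
        /-A INPUT .*--dport 22 .*-j ACCEPT/ && !ssh { ssh = NR }
        /-A INPUT -j REJECT/ && !rej { rej = NR }
        END { exit !(ssh && rej && ssh < rej) }'
}

# Usage: DRY_RUN=1 sh iptables-baseline.sh apply   (preview only)
#        sh iptables-baseline.sh apply              (apply and save)
if [ "${1:-}" = "apply" ]; then
    ssh_rule_before_reject || { echo "ssh rule would sit below the REJECT; aborting" >&2; exit 1; }
    build_ruleset
    [ "$DRY_RUN" = "1" ] || netfilter-persistent save
fi
```

Run it first with DRY_RUN=1 to see the exact command sequence; only the apply argument touches the live ruleset, and the save is skipped in dry-run mode so a preview never overwrites /etc/iptables/rules.v4.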

# iptables -S <-- show the rules as the commands that created them

# iptables -L <-- show the rules in column form

# iptables -L --line-numbers <-- show the rule numbers

Rule numbers are positions at the moment the command runs: an insert or delete renumbers everything below it, so list with --line-numbers again before the next numbered edit.

To insert a rule at position 4 in INPUT:

# iptables -I INPUT 4 -p tcp -s 10.0.0.6 --dport 22 -j ACCEPT

To replace the existing rule at position 5 in INPUT:

# iptables -R INPUT 5 -p tcp -s 10.0.0.7 --dport 22 -j ACCEPT

To delete rule 2 in INPUT:

# iptables -D INPUT 2

Numbered changes only alter the running ruleset; run netfilter-persistent save afterwards to keep them.
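A rule appended with -A after the catch-all REJECT is dead, and the numbered -I and -R forms above are how it gets moved. The following added example (not from the original post) audits an `iptables -S INPUT` dump for such rules and prints the -D/-I commands that move each one above the catch-all. The sample dump is constructed, the file name dead-rules.sh and the function names are this example's own, and 10.0.0.5 is the post's example address.

```shell
#!/bin/sh
# Added example, not from the original post: audit a chain dump for rules that
# can never match because they sit below an unconditional REJECT/DROP. That is
# exactly what `iptables -A INPUT ...` produces once the catch-all REJECT has
# been appended; the fix is `iptables -I INPUT <n>` above it (or -R in place).
# Assumption: input is the output of `iptables -S <chain>` for one chain.

# Constructed sample of `iptables -S INPUT` (not a real capture): the post's
# baseline with an ssh rule wrongly appended after the REJECT.
SAMPLE_DUMP='-P INPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -s 10.0.0.5/32 -p tcp -m tcp --dport 22 -j ACCEPT'

# dead_rules: read a chain dump on stdin and print "<rule-number> <rule>" for
# every rule placed after the first unconditional REJECT or DROP. Rule numbers
# match `iptables -L --line-numbers`; the -P policy line is not a rule.
dead_rules() {
    awk '
        /^-A / { n++ }
        # unconditional terminal rule: nothing between the chain name and -j
        !dead && /^-A [^ ]+ -j (REJECT|DROP)( |$)/ { dead = 1; next }
        dead && /^-A / { print n, $0 }
    '
}

# count_dead_rules: number of dead rules in the dump on stdin (always exits 0)
count_dead_rules() {
    dead_rules | awk 'END { print NR }'
}

# fix_commands: for each dead rule, print the two commands that move it above
# the catch-all: delete by rule spec (position-independent), then insert at
# the catch-all's position. The position increases by one per rule so the
# original relative order is kept as the catch-all shifts down.
fix_commands() {
    awk '
        /^-A / { n++ }
        !dead && /^-A [^ ]+ -j (REJECT|DROP)( |$)/ { dead = 1; pos = n; next }
        dead && /^-A / {
            chain = $2
            spec = $0
            sub(/^-A [^ ]+ /, "", spec)
            print "iptables -D " chain " " spec
            print "iptables -I " chain " " pos " " spec
            pos++
        }
    '
}

# Stand-alone usage: `sh dead-rules.sh <file>` audits a saved dump
# (`iptables -S INPUT > /tmp/input.txt`); with no argument the sample is used.
if [ -n "${1:-}" ]; then
    dead_rules < "$1"
    fix_commands < "$1"
else
    printf '%s\n' "$SAMPLE_DUMP" | dead_rules
    printf '%s\n' "$SAMPLE_DUMP" | fix_commands
fi
```

On the sample the audit reports rule 5 (the ssh ACCEPT) as dead and proposes deleting it by spec and re-inserting it at position 4, directly above the REJECT; deleting by spec rather than by number avoids the renumbering trap mentioned above.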

Other relevant file locations:

# vi /etc/iptables/rules.v4 <-- where netfilter-persistent save writes the IPv4 rules (IPv6 rules go to /etc/iptables/rules.v6)

# vi /var/log/kern.log <-- where packets matched by a LOG rule are recorded; the ruleset above has no -j LOG rule, so nothing shows up here until one is added (for example just before the catch-all REJECT)

The service that restores the saved rules can be started and checked with systemctl. On Ubuntu that unit is netfilter-persistent, not iptables (an iptables unit is what Red Hat's iptables-services package provides):

systemctl status netfilter-persistent

systemctl start netfilter-persistent

systemctl list-unit-files |grep netfilter-persistent

systemctl enable netfilter-persistent

@ If iptables does not come up automatically after a server reboot, see:

https://blog.naver.com/webpioneer/222720887294

       