Server/Linux III 2016. 5. 18. 11:32

Linux III - 17. Linux Firewall (iptables)

login as: root
root@192.168.1.100's password:
Last login: Sat Apr 16 14:15:34 2016 from 192.168.1.1
[root@main /root]#

 

login as: root
root@192.168.1.101's password:
Last login: Thu Apr  7 14:26:23 2016 from 192.168.1.1
[root@clone1 /root]#

 

login as: root
root@192.168.1.102's password:
Last login: Tue Apr  5 15:31:37 2016 from 192.168.1.1
[root@clone2 /root]#

1. Installing the iptables package

 

 - Check whether the 'iptables' package is installed.

 

[root@main /root]# rpm -qa | grep iptables
iptables-ipv6-1.4.7-14.el6.x86_64
iptables-1.4.7-14.el6.x86_64

 

 

[root@main /root]# yum list iptables
Loaded plugins: fastestmirror, refresh-packagekit, security
Loading mirror speeds from cached hostfile
 * base: centos.tt.co.kr
 * extras: centos.mirror.cdnetworks.com
 * updates: centos.mirror.cdnetworks.com
Installed Packages
iptables.x86_64                 1.4.7-14.el6                  @anaconda-CentOS-201410241409.x86_64/6.6


Available Packages
iptables.i686                   1.4.7-16.el6                  base
iptables.x86_64                 1.4.7-16.el6                  base

 

 

 - Install the 'iptables' package.


[root@main /root]# yum -y install iptables

 

 

[root@main /root]# rpm -qa | grep iptables
iptables-1.4.7-16.el6.x86_64
iptables-ipv6-1.4.7-16.el6.x86_64

2. iptables chains and control types

 

iptables is the Linux firewall. By default it consists of the three built-in logical chains shown below, and the administrator can create additional chains manually. A chain is the place where the firewall's rules are registered.

 

[root@main /root]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

 

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

 

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination


 

 Chain type      Description
 INPUT           Chain for rules on packets entering this host
 FORWARD         Chain for rules on packets passing through (routed by) this host
 OUTPUT          Chain for rules on packets leaving this host
 User-defined    Chain created manually by the administrator

 

 

To control packets, iptables performs the following four actions (targets).

 

 Action (target)  Description
 ACCEPT           Allow the packet.
 DROP             Drop the packet.
 REJECT           Block the packet and send an error message back to the sender.
 LOG              Write a log entry when the rule matches.

[Note] The iptables firewall is conceptually similar to Cisco ACLs.

3. iptables commands

 

 1) Chain-related commands

 

 - 'N' option: create a new chain.

 

[root@main /root]# iptables -N NEW
[root@main /root]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

 

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

 

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

 

Chain NEW (0 references)
target     prot opt source               destination

 

 

 - 'X' option: delete an empty chain.

 

[root@main /root]# iptables -X NEW
[root@main /root]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

 

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

 

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

 

 

 - 'P' option: set the default policy of a chain. (Do this from an X Window session, not from PuTTY: setting the INPUT policy to DROP cuts off the SSH connection.)


[root@main /root/바탕화면]# iptables -P INPUT DROP
[root@main /root/바탕화면]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination    

    

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination    

    

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination  

      


[root@main /root/바탕화면]# iptables -P INPUT ACCEPT

 

 

 - 'L' option: list the iptables rules.


[root@main /root]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

 

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

 

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

 

 

[root@main /root]# iptables -L -v
Chain INPUT (policy ACCEPT 71 packets, 14132 bytes)
 pkts bytes target     prot opt in     out     source               destination       

               

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination     

                 

Chain OUTPUT (policy ACCEPT 59 packets, 6716 bytes)
 pkts bytes target     prot opt in     out     source               destination   

 

 

[root@main /root]# iptables -L INPUT
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

 


[root@main /root]# iptables -L INPUT -v
Chain INPUT (policy ACCEPT 146 packets, 19576 bytes)
 pkts bytes target     prot opt in     out     source               destination

 

 

 - 'F' option: flush (delete) all rules in a chain.


[root@main /root]# iptables -A INPUT -p icmp -j DROP
[root@main /root]# iptables -L INPUT
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       icmp --  anywhere             anywhere

 


[root@main /root]# iptables -F INPUT
[root@main /root]# iptables -L INPUT
Chain INPUT (policy ACCEPT)
target     prot opt source               destination


 

 

 2) Chain rule commands

 

 - 'A' option: append a rule to the end of a chain. Rules are stored in the order they are added, and packets are checked against them in that order.


[root@main /root]# iptables -A INPUT -p tcp --dport 80 -j ACCEPT
[root@main /root]# iptables -A INPUT -p tcp --sport 80 -j ACCEPT
[root@main /root]# iptables -L INPUT
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:http

 

 

 - 'I' option: insert a rule into a chain; without a position number it becomes the first rule.

 

[root@main /root]# iptables -I INPUT -p icmp -j DROP
[root@main /root]# iptables -L INPUT
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       icmp --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:http

 

 

[root@main /root]# iptables -I INPUT 2 -p tcp --dport 23  -j DROP
[root@main /root]# iptables -L INPUT
Chain INPUT (policy ACCEPT)
target     prot opt source               destination        
DROP       icmp --  anywhere             anywhere           
DROP       tcp  --  anywhere             anywhere            tcp dpt:telnet
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:http

 

 - 'D' option: delete a rule from a chain.


[root@main /root]# iptables -D INPUT -p tcp --dport 23 -j DROP
[root@main /root]# iptables -D INPUT -p icmp -j DROP
[root@main /root]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination        
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:http

 

 

 

 3) Filtering options

 

 - 'j' option: specify the target (action) to apply to matching packets.

 - 's' option: specify the source IP address.

 - 'd' option: specify the destination IP address.

 - 'sport' option: specify the source port.

 - 'dport' option: specify the destination port.

 - 'p' option: specify the protocol.

 - 'i' option: specify the interface on which the packet arrives. Used mainly in the INPUT and OUTPUT chains.

 - 'o' option: specify the interface through which the packet leaves. Used mainly in the OUTPUT and FORWARD chains.

 - 't' option: select the table to operate on. (Table types: filter, nat, mangle)

 

 

[root@main /root]# iptables -D INPUT -p tcp --dport 80 -j ACCEPT
[root@main /root]# iptables -D INPUT -p tcp --sport 80 -j ACCEPT
[root@main /root]# iptables -L INPUT
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

4. Setting up the iptables lab environment

 

 - Checking log output

 

[root@main /root]# tail -f /var/log/messages /var/log/secure
~ (output omitted) ~

(ctrl+c)

 

 

 - Install nmap (also install it on clone1 and clone2)

 

[root@main /root]# yum -y install nmap

 

 

[root@main /root]# rpm -qa | grep nmap
nmap-5.51-4.el6.x86_64

 

 

 - Allow the Telnet/SSH access used from PuTTY and drop everything else

 

[root@main /root]# iptables -A INPUT -p tcp --dport 22 -j ACCEPT
[root@main /root]# iptables -P INPUT DROP

 


[root@main /root]# iptables -L INPUT
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh

 

 

[root@main /root]# service iptables status
테이블: filter
Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22

 

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination

 

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

 

 

 - Save the iptables configuration so that it is still applied after a reboot

 

[root@main /root]# ls -l /etc/sysconfig/iptables
-rw-------. 1 root root 476 2016-03-11 02:36 /etc/sysconfig/iptables

 


[root@main /root]# service iptables save
iptables: 방화벽 규칙을 /etc/sysconfig/iptables에 저장 중: [  OK  ]

 


[root@main /root]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.7 on Wed May 18 14:02:01 2016
*filter
:INPUT DROP [2:160]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [131:13156]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
# Completed on Wed May 18 14:02:01 2016

 

 

 - Verify that the saved configuration is applied (do this from an X Window session, not from PuTTY: flushing the rules while the INPUT policy is DROP cuts off the SSH connection)

 

[root@main /root/바탕화면]# iptables -F

[root@main /root/바탕화면]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination        

 

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination     

   

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination        

 

 

[root@main /root/바탕화면]# service iptables stop
iptables: 체인을 ACCEPT 규칙으로 설정 중:  filter          [  OK  ]
iptables: 방화벽 규칙을 지웁니다:                          [  OK  ]
iptables: 모듈을 언로드하는 중:                            [  OK  ]

 

 

[root@main /root/바탕화면]# service iptables start
iptables: 방화벽 규칙 적용 중:                             [  OK  ]

 

 

[root@main /root/바탕화면]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination        
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh

 

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination    

    

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination     

 

 

 - Stopping and restarting the iptables service

 

[root@main /root/바탕화면]# service iptables stop
iptables: 체인을 ACCEPT 규칙으로 설정 중:  filter          [  OK  ]
iptables: 방화벽 규칙을 지웁니다:                          [  OK  ]
iptables: 모듈을 언로드하는 중:                            [  OK  ]



[root@main /root/바탕화면]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination     

   

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination    

    

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination        

 

 

[root@main /root/바탕화면]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.7 on Wed May 18 14:02:01 2016
*filter
:INPUT DROP [2:160]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [131:13156]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

COMMIT
# Completed on Wed May 18 14:02:01 2016

 

 

[root@main /root/바탕화면]# service iptables start
iptables: 방화벽 규칙 적용 중:                             [  OK  ]

 

 

 - Enable the iptables service to start automatically at boot

 

[root@main /root/바탕화면]# chkconfig --list iptables
iptables        0:해제 1:해제 2:해제 3:해제 4:해제 5:해제 6:해제


 

[root@main /root/바탕화면]# chkconfig iptables on

 


[root@main /root/바탕화면]# chkconfig --list iptables
iptables        0:해제 1:해제 2:활성 3:활성 4:활성 5:활성 6:해제

 


[root@main /root/바탕화면]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination        
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh

 

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination       

 

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination        


 

 - From clone1, check which services on main are reachable.

 

[root@clone1 /root]# nmap 172.20.1.1

Starting Nmap 5.51 ( http://nmap.org ) at 2016-05-18 14:47 KST
Nmap scan report for main (172.20.1.1)
Host is up (0.00062s latency).
Not shown: 999 filtered ports
PORT   STATE SERVICE
22/tcp open  ssh
MAC Address: 00:0C:29:E9:9C:40 (VMware)

 

Nmap done: 1 IP address (1 host up) scanned in 4.65 seconds


 

 - Confirm that ping and telnet from clone1 to main are blocked


[root@clone1 /root]# ping -c 1 172.20.1.1
PING 172.20.1.1 (172.20.1.1) 56(84) bytes of data.

 

--- 172.20.1.1 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 10000ms

 


[root@clone1 /root]# telnet 172.20.1.1
Trying 172.20.1.1...

(ctrl+c)

5. iptables exercises

 

Ex1) Allow packets arriving on a specific interface

 

[root@main /root]# ping -c 1 127.0.0.1
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.

 

--- 127.0.0.1 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 10000ms

 


[root@main /root]# iptables -A INPUT -i lo -j ACCEPT

 

 

[root@main /root]# iptables -L INPUT -v
Chain INPUT (policy DROP 850 packets, 37400 bytes)
 pkts bytes target     prot opt in     out     source               destination
 3118  246K ACCEPT   tcp  --  any    any    anywhere           anywhere            tcp dpt:ssh
    0     0 ACCEPT      all  --    lo     any     anywhere           anywhere
 

 

 

[root@main /root]# ping -c 1 127.0.0.1
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.102 ms

 

--- 127.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.102/0.102/0.102/0.000 ms

 

 

 

Ex2) Allow DNS requests coming in to main

 

[root@clone1 /root]# nslookup www.test.com
Server:         168.126.63.1
Address:        168.126.63.1#53

 

Non-authoritative answer:
Name:   www.test.com
Address: 69.172.200.235

 


[root@main /root]# iptables -A INPUT -p udp --dport 53 -j ACCEPT

 

 

[root@main /root]# iptables -L INPUT
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     all  --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain

 

[root@clone1 /root]# nslookup www.test.com
Server:         172.20.1.1
Address:        172.20.1.1#53

Name:   www.test.com
Address: 172.20.1.1

 

 

 

Ex3) Allow DNS replies returning to main for queries it sent out


[root@main /root]# nslookup www.naver.com
;; connection timed out; trying next origin
;; connection timed out; no servers could be reached

 


[root@main /root]# iptables -A INPUT -p udp --sport 53 --dport 1024:65535 -j ACCEPT

 


[root@main /root]# iptables -L INPUT
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     all  --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     udp  --  anywhere             anywhere            udp spt:domain dpts:1024:65535

[root@main /root]# nslookup www.naver.com
Server:         168.126.63.1
Address:        168.126.63.1#53

 

Non-authoritative answer:
www.naver.com   canonical name = www.naver.com.nheos.com.
Name:   www.naver.com.nheos.com
Address: 202.179.177.22
Name:   www.naver.com.nheos.com
Address: 125.209.222.141

 


 

Ex4) Allow ICMP coming in to main

 

[root@clone1 /root]# ping -c 1 172.20.1.1
PING 172.20.1.1 (172.20.1.1) 56(84) bytes of data.

 

--- 172.20.1.1 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 10000ms

 

 

[root@main /root]# iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

 

 

[root@main /root]# iptables -L INPUT
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     all  --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     udp  --  anywhere             anywhere            udp spt:domain dpts:1024:65535
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request

 

[root@clone1 /root]# ping -c 1 172.20.1.1                                      

PING 172.20.1.1 (172.20.1.1) 56(84) bytes of data.
64 bytes from 172.20.1.1: icmp_seq=1 ttl=64 time=0.576 ms

--- 172.20.1.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.576/0.576/0.576/0.000 ms

 

 

 

Ex5) Allow ICMP replies returning to main for pings it sent out

 

[root@main /root]# ping -c 1 172.20.1.101
PING 172.20.1.101 (172.20.1.101) 56(84) bytes of data.

 

--- 172.20.1.101 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 10000ms

 


[root@main /root]# iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

 


[root@main /root]# iptables -L INPUT
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     all  --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     udp  --  anywhere             anywhere            udp spt:domain dpts:1024:65535
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request
ACCEPT     icmp --  anywhere             anywhere            icmp echo-reply

 

 

[root@main /root]# ping -c 1 172.20.1.101
PING 172.20.1.101 (172.20.1.101) 56(84) bytes of data.
64 bytes from 172.20.1.101: icmp_seq=1 ttl=64 time=0.435 ms

 

--- 172.20.1.101 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.435/0.435/0.435/0.000 ms

 


[root@main /root]# ping -c 1 168.126.63.1
PING 168.126.63.1 (168.126.63.1) 56(84) bytes of data.
64 bytes from 168.126.63.1: icmp_seq=1 ttl=128 time=2.22 ms

 

--- 168.126.63.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 2ms
rtt min/avg/max/mdev = 2.220/2.220/2.220/0.000 ms

 

 

 

Ex6) Allow Telnet to main only from clone1

 

[root@clone1 /root]# telnet 172.20.1.1
Trying 172.20.1.1...
(ctrl + c)

 

 

[root@main /root]# iptables -A INPUT -s 172.20.1.101 -p tcp --dport 23 -j ACCEPT

 


[root@main /root]# iptables -L INPUT
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere            anywhere            tcp dpt:ssh
ACCEPT     all  --   anywhere            anywhere
ACCEPT     udp  --  anywhere           anywhere            udp dpt:domain
ACCEPT     udp  --  anywhere           anywhere            udp spt:domain dpts:1024:65535
ACCEPT     icmp --  anywhere           anywhere            icmp echo-request
ACCEPT     icmp --  anywhere           anywhere            icmp echo-reply
ACCEPT     tcp  --  clone1                anywhere            tcp dpt:telnet

 

 

[root@clone1 /root]# telnet 172.20.1.1
Trying 172.20.1.1...
Connected to 172.20.1.1.
Escape character is '^]'.
CentOS release 6.6 (Final)
Kernel 2.6.32-504.el6.x86_64 on an x86_64
login: user1
Password: centos
Last login: Wed May 18 14:36:44 from clone1
[user1@main /home/user1]$
[user1@main /home/user1]$ exit
logout
Connection closed by foreign host.

 


[root@clone2 /root]# telnet 172.20.1.1
Trying 172.20.1.1...

(ctrl+c)

 

 

Ex7) Allow return traffic for Telnet sessions initiated from main

 

[root@main /root]# telnet 172.20.1.101
Trying 172.20.1.101...

(ctrl+c)

 

 

[root@main /root]# iptables -A INPUT -d 172.20.1.1 -p tcp --sport 23 -j ACCEPT

 


[root@main /root]# iptables -L INPUT
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere            anywhere            tcp dpt:ssh
ACCEPT     all  --   anywhere            anywhere
ACCEPT     udp  --  anywhere           anywhere            udp dpt:domain
ACCEPT     udp  --  anywhere           anywhere            udp spt:domain dpts:1024:65535
ACCEPT     icmp --  anywhere           anywhere            icmp echo-request
ACCEPT     icmp --  anywhere           anywhere            icmp echo-reply
ACCEPT     tcp  --   clone1               anywhere            tcp dpt:telnet
ACCEPT     tcp  --   anywhere            test.com            tcp spt:telnet

 


[root@main /root]# telnet 172.20.1.101
Trying 172.20.1.101...
Connected to 172.20.1.101.
Escape character is '^]'.
CentOS release 6.6 (Final)
Kernel 2.6.32-504.el6.x86_64 on an x86_64
login: user1
Password: centos
[user1@clone1 /home/user1]$ exit
logout
Connection closed by foreign host.

 

 

Ex8) Allow HTTP and HTTPS coming in to main

 

[root@main /root]# iptables -A INPUT -d 172.20.1.1 -p tcp --dport 80 -j ACCEPT

[root@main /root]# iptables -A INPUT -d 172.20.1.1 -p tcp --dport 443 -j ACCEPT

 

 

[root@main /root]# iptables -L INPUT
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere            anywhere            tcp dpt:ssh
ACCEPT     all  --    anywhere           anywhere
ACCEPT     udp  --  anywhere           anywhere            udp dpt:domain
ACCEPT     udp  --  anywhere           anywhere            udp spt:domain dpts:1024:65535
ACCEPT     icmp --  anywhere           anywhere            icmp echo-request
ACCEPT     icmp --  anywhere           anywhere            icmp echo-reply
ACCEPT     tcp  --  clone1                anywhere            tcp dpt:telnet
ACCEPT     tcp  --  anywhere             test.com            tcp spt:telnet
ACCEPT     tcp  --  anywhere             test.com            tcp dpt:http

ACCEPT     tcp  --  anywhere             test.com            tcp dpt:https

 

[Access the web server on main from clone1]

Ex8) Allow return traffic for HTTP/HTTPS connections initiated from main

 

[root@main /root]# iptables -A INPUT -p tcp --sport 80 -j ACCEPT
[root@main /root]# iptables -A INPUT -p tcp --sport 443 -j ACCEPT

 


[root@main /root]# iptables -L INPUT
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere            anywhere            tcp dpt:ssh
ACCEPT     all  --   anywhere            anywhere
ACCEPT     udp  --  anywhere           anywhere            udp dpt:domain
ACCEPT     udp  --  anywhere           anywhere            udp spt:domain dpts:1024:65535
ACCEPT     icmp --  anywhere           anywhere            icmp echo-request
ACCEPT     icmp --  anywhere           anywhere            icmp echo-reply
ACCEPT     tcp  --  clone1                anywhere            tcp dpt:telnet
ACCEPT     tcp  --  anywhere             test.com             tcp spt:telnet
ACCEPT     tcp  --  anywhere             test.com             tcp dpt:http
ACCEPT     tcp  --  anywhere             test.com             tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:http
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:https

 

[Access Google from main]

 

 

 

[root@main /root]# service iptables restart
iptables: 체인을 ACCEPT 규칙으로 설정 중:  filter          [  OK  ]
iptables: 방화벽 규칙을 지웁니다:                          [  OK  ]
iptables: 모듈을 언로드하는 중:                            [  OK  ]
iptables: 방화벽 규칙 적용 중:                             [  OK  ]

 


[root@main /root]# iptables -L INPUT
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh

Ex9) The 'm' option and the 'ESTABLISHED' state (stateful firewall)

 

[root@main /root]# iptables -L INPUT
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh

 

[root@main /root]# iptables -A INPUT -p tcp --dport 80 -j ACCEPT
[root@main /root]# iptables -A INPUT -p all -j REJECT

 


[root@main /root]# iptables -L INPUT
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere            anywhere            tcp dpt:ssh
ACCEPT     tcp  --  anywhere            anywhere            tcp dpt:http
REJECT      all  --   anywhere            anywhere            reject-with icmp-port-unreachable

 

 

 - From clone1, only HTTP access to main is allowed; all other packets, including ICMP and Telnet, are refused.

 

[root@clone1 /root]# ping -c 1 172.20.1.1
PING 172.20.1.1 (172.20.1.1) 56(84) bytes of data.
From 172.20.1.1 icmp_seq=1 Destination Port Unreachable

 

--- 172.20.1.1 ping statistics ---
1 packets transmitted, 0 received, +1 errors, 100% packet loss, time 0ms

 


[root@clone1 /root]# telnet 172.20.1.1
Trying 172.20.1.1...
telnet: connect to address 172.20.1.1: Connection refused

 


[root@clone1 /root]# telnet 172.20.1.1 80
Trying 172.20.1.1...
Connected to 172.20.1.1.
Escape character is '^]'.
^
<h1> Welcome to www.test.com <h1>

 

Connection closed by foreign host.

 


 - Because there is no rule allowing return traffic for connections initiated from main, the replies coming back from clone1 are blocked.

 

[root@main /root]# ping -c 1 172.20.1.101
PING 172.20.1.101 (172.20.1.101) 56(84) bytes of data.

--- 172.20.1.101 ping statistics ---


1 packets transmitted, 0 received, 100% packet loss, time 10000ms

 


[root@main /root]# telnet 172.20.1.101
Trying 172.20.1.101...
(ctrl+c)

 

 

 - On main, use the 'm' option with the 'ESTABLISHED' state to insert the following rule at the top of the chain.

 

 

[root@main /root]# iptables -I INPUT -m state --state ESTABLISHED,RELATED -p all -j ACCEPT

 


[root@main /root]# iptables -L INPUT
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:http
REJECT      all  --  anywhere             anywhere            reject-with icmp-port-unreachable

 

 

 - Because the 'ESTABLISHED' match allows the packets coming back for connections that already exist, ICMP and Telnet from main to clone1 now work.

 

[root@main /root]# ping -c 1 172.20.1.101
PING 172.20.1.101 (172.20.1.101) 56(84) bytes of data.
64 bytes from 172.20.1.101: icmp_seq=1 ttl=64 time=0.332 ms

 

--- 172.20.1.101 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.332/0.332/0.332/0.000 ms


[root@main /root]# telnet 172.20.1.101
Trying 172.20.1.101...
Connected to 172.20.1.101.
Escape character is '^]'.
CentOS release 6.6 (Final)
Kernel 2.6.32-504.el6.x86_64 on an x86_64
login: user1
Password: centos
Last login: Wed May 18 16:19:17 from clone2
[user1@clone1 /home/user1]$ exit
logout
Connection closed by foreign host.

 

 

[Note] RELATED: a packet that starts a new connection but is related to an existing connection.

  Ex) FTP data transfer

  If the FTP service is allowed through the firewall and the control connection is established, the FTP data packets are allowed as well.

Ex10) Checking the LOG target

 

 - On main, insert a LOG rule at the top of the chain.

 

[root@main /root]# iptables -I INPUT -p icmp --icmp-type echo-request -j LOG

 


[root@main /root]# iptables -L INPUT
Chain INPUT (policy DROP)
target     prot opt source               destination
LOG         icmp --  anywhere           anywhere            icmp echo-request LOG level warning
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere            anywhere            tcp dpt:ssh
ACCEPT     tcp  --  anywhere            anywhere            tcp dpt:http
REJECT      all  --  anywhere             anywhere            reject-with icmp-port-unreachable

 


 - On main, follow the logs in real time as shown below.

 

[root@main /root]# tail -f /var/log/messages /var/log/secure
~ (output omitted) ~

 

 

 - Ping main from clone1.

 

[root@clone1 /root]# ping -c 3 172.20.1.1
PING 172.20.1.1 (172.20.1.1) 56(84) bytes of data.
From 172.20.1.1 icmp_seq=1 Destination Port Unreachable
From 172.20.1.1 icmp_seq=2 Destination Port Unreachable
From 172.20.1.1 icmp_seq=3 Destination Port Unreachable

 

--- 172.20.1.1 ping statistics ---
3 packets transmitted, 0 received, +3 errors, 100% packet loss, time 2002ms

 

 

 - Check the log on main.

 

[root@main /root]# tail -f /var/log/messages /var/log/secure
~ (output omitted) ~


==> /var/log/messages <==
May 18 17:28:43 main kernel: IN=eth0 OUT= MAC=00:0c:29:e9:9c:40:00:0c:29:00:2d:b7:08:00 SRC=172.20.1.101 DST=172.20.1.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=6671 SEQ=1
May 18 17:28:44 main kernel: IN=eth0 OUT= MAC=00:0c:29:e9:9c:40:00:0c:29:00:2d:b7:08:00 SRC=172.20.1.101 DST=172.20.1.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=6671 SEQ=2
May 18 17:28:45 main kernel: IN=eth0 OUT= MAC=00:0c:29:e9:9c:40:00:0c:29:00:2d:b7:08:00 SRC=172.20.1.101 DST=172.20.1.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=6671 SEQ=3

(ctrl+c)
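The kernel lines above are easier to work with once they are split into their `KEY=VALUE` fields. The following bash script is an added example, not part of the original post: it parses iptables LOG output (the `kernel: ... SRC=... DST=...` lines) and summarises the logged packets per source address, protocol and destination port or ICMP type. The sample log is constructed: the first two lines mirror the Ex10 output, the remaining lines (a second client, a TCP/23 attempt, and an unrelated sshd message) are invented to show that non-iptables lines are filtered out. On the lab host you would feed it `/var/log/messages` instead.

```bash
#!/bin/bash
# Added example (not from the original post): parse the kernel messages written
# by an iptables LOG rule into fields and summarise them per source.
# SAMPLE_LOG is constructed; the first two lines mirror the post's Ex10 output,
# the rest are invented (a second client, a TCP/23 attempt, an unrelated sshd line).

SAMPLE_LOG='May 18 17:28:43 main kernel: IN=eth0 OUT= MAC=00:0c:29:e9:9c:40:00:0c:29:00:2d:b7:08:00 SRC=172.20.1.101 DST=172.20.1.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=6671 SEQ=1
May 18 17:28:44 main kernel: IN=eth0 OUT= MAC=00:0c:29:e9:9c:40:00:0c:29:00:2d:b7:08:00 SRC=172.20.1.101 DST=172.20.1.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=6671 SEQ=2
May 18 17:28:45 main kernel: IN=eth0 OUT= MAC=00:0c:29:e9:9c:40:00:0c:29:00:2d:b7:08:00 SRC=172.20.1.102 DST=172.20.1.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=7010 SEQ=1
May 18 17:28:46 main kernel: IN=eth0 OUT= MAC=00:0c:29:e9:9c:40:00:0c:29:00:2d:b7:08:00 SRC=172.20.1.102 DST=172.20.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12345 DF PROTO=TCP SPT=40000 DPT=23 WINDOW=14600 RES=0x00 SYN URGP=0
May 18 17:28:47 main sshd[1234]: Accepted password for user1 from 172.20.1.101 port 50000 ssh2'

# Print the value of one KEY=VALUE field from a single log line (empty if absent).
# Usage: log_field "<line>" SRC
# Note: ID= appears twice in ICMP lines (IP header ID, then ICMP ID); the first one wins.
log_field() {
    printf '%s\n' "$1" | awk -v key="$2" '{
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n > 0 && substr($i, 1, n - 1) == key) { print substr($i, n + 1); exit }
        }
    }'
}

# Keep only lines that carry iptables LOG fields; other kernel or daemon
# messages in the same file (such as the sshd line above) are dropped.
iptables_log_lines() {
    grep -E 'kernel: .* SRC=[0-9.]+ DST=[0-9.]+ '
}

# Summarise logged packets as "SRC PROTO detail COUNT", where detail is the ICMP
# type (type8 = echo-request) or the TCP/UDP destination port (dpt23).
summarize_log() {
    iptables_log_lines | awk '{
        src = ""; proto = ""; detail = "-"
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n == 0) continue
            k = substr($i, 1, n - 1); v = substr($i, n + 1)
            if (k == "SRC") src = v
            else if (k == "PROTO") proto = v
            else if (k == "TYPE") detail = "type" v
            else if (k == "DPT") detail = "dpt" v
        }
        count[src " " proto " " detail]++
    }
    END { for (key in count) print key, count[key] }' | sort
}

# Stand-alone run: summarise a real log file given as $1, else the constructed sample.
if [ $# -gt 0 ]; then
    summarize_log < "$1"
else
    printf '%s\n' "$SAMPLE_LOG" | summarize_log
fi
```

Run against the sample it prints one line per source/protocol/port combination, e.g. `172.20.1.101 ICMP type8 2`; pointing it at `/var/log/messages` gives the same view of everything the LOG rule (or a LOG rule placed before the final REJECT) has recorded.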

Ex11) Delete every rule except the one allowing SSH access. (Rules are deleted by position number; deleting from the highest number downward keeps the remaining positions from shifting.)

 

[root@main /root]# iptables -L INPUT
Chain INPUT (policy DROP)
target     prot opt source               destination
LOG        icmp --  anywhere           anywhere            icmp echo-request LOG level warning
ACCEPT    all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT    tcp  --  anywhere            anywhere            tcp dpt:ssh
ACCEPT    tcp  --  anywhere            anywhere            tcp dpt:http
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable

 

[root@main /root]# iptables -D INPUT 5
[root@main /root]# iptables -D INPUT 4
[root@main /root]# iptables -D INPUT 2
[root@main /root]# iptables -D INPUT 1

 


[root@main /root]# iptables -L INPUT
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh

Ex12) Configuring iptables with a script


[root@main /root]# mkdir -p /root/bin
[root@main /root]# vi /root/bin/iptables.sh

 

#! /bin/bash
iptables -F

# Local ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -p all -j ACCEPT

# DNS ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT

# ICMP ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

# TELNET ACCEPT
iptables -A INPUT -s 172.20.1.101 -p tcp --dport 23 -j ACCEPT

# HTTP ACCEPT
iptables -A INPUT -d 172.20.1.1 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -d 172.20.1.1 -p tcp --dport 443 -j ACCEPT

# E-Mail ACCEPT
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 110 -j ACCEPT
iptables -A INPUT -p tcp --dport 143 -j ACCEPT

# ALL DROP
iptables -P INPUT DROP

:wq!

 

 

[root@main /root]# ls /root/bin
iptables.sh

 

 

[root@main /root]# chmod 755 /root/bin/iptables.sh
[root@main /root]# /root/bin/iptables.sh

 

 

[root@main /root]# iptables -L INPUT
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere            anywhere            tcp dpt:ssh
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     udp  --  anywhere           anywhere            udp dpt:domain
ACCEPT     icmp --  anywhere           anywhere            icmp echo-request
ACCEPT     tcp  --  clone1                anywhere            tcp dpt:telnet
ACCEPT     tcp  --  anywhere            test.com              tcp dpt:http
ACCEPT     tcp  --  anywhere             test.com             tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:pop3
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:imap

 

 

 - Restart the iptables service. The restart reloads the rules saved in /etc/sysconfig/iptables, so the rules added by the script, which were never saved, are gone afterwards.

 

[root@main /root]# service iptables restart
iptables: 체인을 ACCEPT 규칙으로 설정 중:  filter          [  OK  ]
iptables: 방화벽 규칙을 지웁니다:                          [  OK  ]
iptables: 모듈을 언로드하는 중:                            [  OK  ]
iptables: 방화벽 규칙 적용 중:                             [  OK  ]

 


[root@main /root]# iptables -L INPUT
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
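The Ex12 script issues its rules one `iptables` command at a time, and the restart above shows that they disappear unless they are saved. As an added example that is not part of the original post, the script below writes the same policy in the `iptables-save` format that `service iptables save` stores in `/etc/sysconfig/iptables` (the file shown in section 4), and checks the rule order before the file is applied. It follows Ex9: the `ESTABLISHED,RELATED` rule comes first, so the separate `--sport` rules for return traffic from Ex3, Ex5, Ex7 and the second Ex8 are not needed. The addresses are the lab's (`172.20.1.1` for main, `172.20.1.101` for clone1); the closing LOG and REJECT rules and the `check_ruleset` function are additions of this example.

```bash
#!/bin/bash
# Added example (not from the original post): the Ex12 policy as an
# iptables-restore file plus ordering checks. The lab addresses come from the
# post; the final LOG/REJECT rules and check_ruleset are additions.

MAIN_IP=172.20.1.1          # main (the firewall host)
TELNET_CLIENT=172.20.1.101  # clone1, the only host allowed to telnet in

# Emit the ruleset in iptables-save format. The default policy is declared in
# the :INPUT header, so iptables-restore applies policy and rules in one step,
# with no moment where the chain is empty under a DROP policy (the Ex12 script
# has such a moment between its 'iptables -F' and the SSH rule).
generate_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -s ${TELNET_CLIENT} -p tcp -m tcp --dport 23 -j ACCEPT
-A INPUT -d ${MAIN_IP} -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -d ${MAIN_IP} -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -j LOG --log-prefix "INPUT-REJECT: "
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# Check a ruleset file before applying it. Returns 0 when all checks pass,
# otherwise prints the first problem found and returns 1.
check_ruleset() {
    local file=$1 first_rule tail_rules
    grep -q '^:INPUT DROP' "$file" \
        || { echo "INPUT policy is not DROP"; return 1; }
    first_rule=$(grep '^-A INPUT' "$file" | head -n 1)
    [ "$first_rule" = "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT" ] \
        || { echo "stateful rule must be the first INPUT rule (Ex9)"; return 1; }
    grep -q -- '--dport 22 -j ACCEPT' "$file" \
        || { echo "no SSH rule: applying this would cut the remote session"; return 1; }
    # Anything after the REJECT rule can never match, which usually means a
    # rule was appended in the wrong place.
    tail_rules=$(grep '^-A INPUT' "$file" | sed -n '/-j REJECT/,$p' | sed 1d)
    [ -z "$tail_rules" ] \
        || { echo "unreachable rules after REJECT: $tail_rules"; return 1; }
    return 0
}

# Stand-alone run: write the ruleset to $1 (default: a temp file) and check it.
# To apply and persist on the lab host, as root:
#   iptables-restore < FILE && service iptables save
OUT=${1:-$(mktemp)}
generate_ruleset > "$OUT"
check_ruleset "$OUT" && echo "ruleset OK: $OUT"
```

Because `iptables-restore` replaces the whole table at once, the check can run on the file before anything changes on the host, which is the point of keeping the policy in a file rather than in a sequence of live commands.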

Posted by 김정우 (instructor; KakaoTalk: kim10322)