내가 현재 관리 중인 서버의 iptables 정책을 공개한다. 공개해서 개선/유지/보수하는 것이 목적이다.
이상없이 돌아가고 있기 때문에 그대로 쓰면 된다.

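#!/bin/bash
#################################################################
# Title     : A simple firewall for home users
# Version   : 1.1
# Tested-on : ubuntu 11.04 / /sbin/iptables v1.4.4
# Author    : Brian Jung (09/17/2011)
# Copyright : N/A
# Note      : Thanks to Ubuntu Korea users
#
# Policy model: everything arriving on the internet-facing interface
# is accepted by a catch-all ACCEPT near the end of INPUT, so a block
# only works if its rule sits ABOVE that catch-all.  All rules are
# therefore added with --append, in precedence order, instead of
# mixing --insert and --append (which left the ping, port-scan and
# syn-flood rules below the catch-all where they were never reached).
#
# Only IPv4 (iptables) is configured here.  If the host has IPv6
# connectivity, ip6tables keeps its own policy and needs a matching
# ruleset of its own.
#################################################################

set -eu

readonly IPT=/sbin/iptables
# Internet-facing interface; override with WAN_IF=wlan0 when running.
readonly WAN_IF=${WAN_IF:-eth0}

##[ COMMON ROUTINE ]##############################################
## Variables
##################################################################

# Source addresses dropped outright (every protocol), space separated.
iPGroup_BLACKLIST=""

# Addresses allowed to reach the SSH port, space separated.  Empty means
# no explicit ACCEPT is added and SSH relies on the catch-all ACCEPT.
iPGroup_USER_SSH=""

# Block Services - add the destination ports to close here (TCP and UDP).
portGroup_KNOWN_SERVICE="21 23 25 53 69 79 87 110 111 161 512 513 514 515 540 631 1080 1214 2000 2049 4288 5000 6000 6001 6002"

# Must be open for SSH
port_SSH="22"

##################################################################
## Helpers
##################################################################

# Print a diagnostic to stderr and stop; a half-applied ruleset is loud,
# not silent.
die() { printf 'firewall: %s\n' "$*" >&2; exit 1; }

# Short name for the iptables binary so the rule lines stay readable.
ipt() { "$IPT" "$@"; }

(( EUID == 0 )) || die "must be run as root"
[[ -x "$IPT" ]] || die "$IPT not found or not executable"

##[ COMMON ROUTINE ]##############################################
## Initialize
##################################################################
#........................................remove previous policies
ipt --flush
ipt --delete-chain
ipt --zero
ipt --table nat --flush

#.....................................................DROP::ALL
# Default-deny from this point; every later rule opens a hole in it.
ipt --policy INPUT   DROP
ipt --policy FORWARD DROP
ipt --policy OUTPUT  DROP

#......................................ACCEPT::loopback
ipt --append INPUT --in-interface lo --jump ACCEPT

#..............................................................
###############################################################
## Customized area                                           ##
###############################################################
#..............................................DROP::black list
# Keyed on the inbound interface instead of this host's address, so the
# rule no longer depends on parsing ifconfig output (and no longer
# overwrites $HOME to hold it).  Word-splitting of the list is intended.
for ip in $iPGroup_BLACKLIST; do
  ipt --append INPUT --in-interface "$WAN_IF" --source "$ip" --jump DROP
done

##################################################################
## Block known attacks
##################################################################
#.....................................DROP::no syn flood attack
# Every inbound SYN passes through this chain; SYNs above 1/s (burst 4)
# are dropped, the rest RETURN to INPUT so the port rules below still
# apply to them.  Raise --limit before using this on a busy server.
ipt --new-chain syn-flood
ipt --append syn-flood --protocol tcp --syn --match limit --limit 1/s --limit-burst 4 --jump RETURN
ipt --append syn-flood --protocol tcp --syn --jump DROP
ipt --append INPUT --protocol tcp --syn --jump syn-flood

#.............................................. DROP::port scan
# Only bare RST packets are sent to this chain; more than 1/s is dropped.
ipt --new-chain port-scan
ipt --append port-scan --protocol tcp --tcp-flags SYN,ACK,FIN,RST RST --match limit --limit 1/s --jump RETURN
ipt --append port-scan --jump DROP
ipt --append INPUT --protocol tcp --tcp-flags SYN,ACK,FIN,RST RST --jump port-scan

#....................................................DROP::ping
# Both rules sit above the catch-all ACCEPTs of their chains.
ipt --append INPUT  --protocol icmp --match icmp --icmp-type echo-request --jump DROP
ipt --append OUTPUT --protocol icmp --match icmp --icmp-type echo-reply   --jump DROP

#...................................................ACCEPT::ssh
# Placed above the blocked-port rules so trusted addresses keep SSH even
# if port_SSH is ever added to portGroup_KNOWN_SERVICE.  A client connects
# FROM an ephemeral port TO port_SSH, hence --destination-port on INPUT
# and --source-port on the reply side.
for ip in $iPGroup_USER_SSH; do
  ipt --append INPUT  --in-interface  "$WAN_IF" --protocol tcp --match state --state NEW,ESTABLISHED --source "$ip" --destination-port "$port_SSH" --jump ACCEPT
  ipt --append OUTPUT --out-interface "$WAN_IF" --protocol tcp --match state --state ESTABLISHED --destination "$ip" --source-port "$port_SSH" --jump ACCEPT
done

#.............................................REJECT::KNOWN.PORT::STEALTH
# Matched on the DESTINATION port: the remote side chooses its own source
# port, so a --source-port match on INPUT never blocked a connection to
# these services.  REJECT answers with ICMP port-unreachable; use DROP
# if no answer at all is wanted.  The OUTPUT rule stops replies from a
# local service on a closed port from leaving the host.
for port in $portGroup_KNOWN_SERVICE; do
  for proto in tcp udp; do
    ipt --append INPUT  --in-interface  "$WAN_IF" --protocol "$proto" --destination-port "$port" --jump REJECT
    ipt --append OUTPUT --out-interface "$WAN_IF" --protocol "$proto" --match state --state ESTABLISHED --source-port "$port" --jump REJECT
  done
done

#..............................................................
##[ COMMON ROUTINE ]##############################################
## Start using internet(TCP,UDP)
##################################################################
#............................................ACCEPT::INPUT::ALL
# Catch-all for the internet-facing interface.  NEW is included, so any
# unsolicited inbound connection not blocked above is allowed; keep this
# rule last.  (Newer iptables also accept --match conntrack --ctstate.)
ipt --append INPUT --in-interface "$WAN_IF" --match state --state NEW,ESTABLISHED,RELATED --jump ACCEPT

#......................................ACCEPT::outgoing traffic
ipt --append OUTPUT --jump ACCEPT

#..............................................................
##################################################################
## Log
##################################################################
#......................................................examples
#ipt --append INPUT   --jump LOG --log-prefix "FIREWALL:INPUT "
#ipt --append FORWARD --jump LOG --log-prefix "FIREWALL:FORWARD"
#ipt --append OUTPUT  --jump LOG --log-prefix "FIREWALL:OUTPUT "

#..............................................................
##[ COMMON ROUTINE ]###########################################
## End of traffic                                            ##
###############################################################

#................................................can be omitted
# Redundant with the DROP policies set above; kept as an explicit end.
ipt --append INPUT  --jump DROP
ipt --append OUTPUT --jump DROP
#..............................................................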