{"id":8084,"date":"2024-04-29T19:12:19","date_gmt":"2024-04-29T10:12:19","guid":{"rendered":"\/blog\/?p=8084"},"modified":"2024-04-30T11:15:19","modified_gmt":"2024-04-30T02:15:19","slug":"%ea%b8%b0%eb%b3%b8-iptables-%eb%b0%a9%ed%99%94%eb%b2%bd-%ec%8a%a4%ed%81%ac%eb%a6%bd%ed%8a%b8","status":"publish","type":"post","link":"https:\/\/hasu0707.duckdns.org\/blog\/?p=8084","title":{"rendered":"\uae30\ubcf8 iptables \ubc29\ud654\ubcbd \uc2a4\ud06c\ub9bd\ud2b8"},"content":{"rendered":"\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"bash\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">#!\/bin\/bash\n####################################################################\n#\n# iptables Firewall Script\n#\n# by hasu0707@gmail.com\n#\n####################################################################\n\nIS_DEBUG=1\n######################################################################\n# \ud654\uc774\ud2b8 \ub9ac\uc2a4\ud2b8 (,\ub85c \uad6c\ubd84\ud55c\ub2e4)\n######################################################################\nWHITE_LIST=\"10.202.18.161,10.202.207.59,10.202.205.209\"\n\n######################################################################\n# \uae30\ubcf8 \uc815\ucc45\n######################################################################\n#DEFAULT_POLICY=\"DROP\"\nDEFAULT_POLICY=\"ACCEPT\"\n\n######################################################################\n# Linux Command Path\n######################################################################\nIP6TABLES_CMD=\"ip6tables\"\nIPTABLES_CMD=\"iptables\"\n\n######################################################################\n# Usage\n######################################################################\nfunc_usage() {\n  echo\n  echo \"Usage (as root): $0 [start | restart | stop]\"\n  echo\n  echo \"Examples:\"\n  echo \" # ${0} start\"\n  echo \" # ${0} 
restart\"\n  echo \" # ${0} stop\"\n  echo\n}\n\n######################################################################\n# \ub514\ubc84\uae45 \uba54\uc138\uc9c0 \ucd9c\ub825\n######################################################################\nfunc_debug_msg() {\n  if [[ ${IS_DEBUG} -eq 1 ]]\n  then\n    echo \"DEBUG:${1} ${2} ${3} ${4} ${5} ${6} ${7} ${8} ${9}\"\n  fi\n}\n\n######################################################################\n# \ucee4\ub9e8\ub4dc \ub514\ubc84\uae45 \uba54\uc138\uc9c0 \ucd9c\ub825\n######################################################################\nfunc_run_cmd() {\n  if [[ ${IS_DEBUG} -eq 1 ]]\n  then\n    echo \"CMD: ${1}\"\n    eval \"${1}\"\n    echo\n  else\n    eval \"${1}\"\n  fi\n}\n\n#############################\n# \uc2dc\uc2a4\ud15c IP\uc8fc\uc18c \uc54c\uc544\ub0b4\uae30\n#############################\nget_system_ip_addr() {\n  SYSTEM_IP_ADDR=$(hostname -I | awk '{print $1}')\n  if [ -z ${SYSTEM_IP_ADDR} ]\n  then\n    echo \"ERROR: Unknown IP Address.\"\n    exit 1\n  fi\n  echo \"IP_ADDR: ${SYSTEM_IP_ADDR}\"\n}\n\n######################################################################\n# \uae30\ubcf8 \uc815\ucc45 \uc14b\ud305\n######################################################################\nfunc_set_default_policy() {\n  func_debug_msg ${FUNCNAME[0]}\n\n  ${IPTABLES_CMD} -P INPUT ${DEFAULT_POLICY}\n  ${IPTABLES_CMD} -P OUTPUT ${DEFAULT_POLICY}\n  ${IPTABLES_CMD} -P FORWARD ${DEFAULT_POLICY}\n}\n\n######################################################################\n# Clean rules\n######################################################################\nfunc_clean_rules() {\n  func_debug_msg ${FUNCNAME[0]}\n\n  # Remove any existing rules form all chains\n  ${IPTABLES_CMD} -F\n  ${IPTABLES_CMD} -F -t nat\n  ${IPTABLES_CMD} -F -t mangle\n  ${IPTABLES_CMD} -F -t raw\n  ${IPTABLES_CMD} -F -t filter\n  # Remove any pre-existing user-defined chains\n  ${IPTABLES_CMD} -X\n  ${IPTABLES_CMD} -X -t nat\n  
${IPTABLES_CMD} -X -t mangle\n  ${IPTABLES_CMD} -X -t raw\n  ${IPTABLES_CMD} -X -t filter\n  # Zero all packet and byte counters\n  ${IPTABLES_CMD} -Z\n  ${IPTABLES_CMD} -Z -t nat\n  ${IPTABLES_CMD} -Z -t mangle\n  ${IPTABLES_CMD} -Z -t raw\n  ${IPTABLES_CMD} -Z -t filter\n}\n\nfunc_block_ipv6_traffic() {\n  func_debug_msg ${FUNCNAME[0]}\n\n  # If the ip6tables command is available, try to block all IPv6 traffic.\n  # NOTE(review): IP6TABLES_CMD is the bare name \"ip6tables\", so \"[ -x ip6tables ]\" tests for a file in the\n  # current directory instead of searching PATH. Unless the script is run from the directory that holds the\n  # binary, this branch is skipped and IPv6 is left completely unfiltered while IPv4 is locked down below.\n  # Use a full path (e.g. \/sbin\/ip6tables) or \"command -v ${IP6TABLES_CMD}\" for this check.\n  if [ -x ${IP6TABLES_CMD} ]; then\n    # Set the default policies (DEFAULT_POLICY is \"DROP\" on start and \"ACCEPT\" on stop).\n    ${IP6TABLES_CMD} -P INPUT ${DEFAULT_POLICY} 2>\/dev\/null\n    ${IP6TABLES_CMD} -P FORWARD ${DEFAULT_POLICY} 2>\/dev\/null\n    ${IP6TABLES_CMD} -P OUTPUT ${DEFAULT_POLICY} 2>\/dev\/null\n    # Delete all rules.\n    ${IP6TABLES_CMD} -F 2>\/dev\/null\n    ${IP6TABLES_CMD} -t mangle -F 2>\/dev\/null\n    # Delete all (non-builtin) user-defined chains.\n    ${IP6TABLES_CMD} -X 2>\/dev\/null\n    ${IP6TABLES_CMD} -t mangle -X 2>\/dev\/null\n    # Zero all packet and byte counters.\n    ${IP6TABLES_CMD} -Z 2>\/dev\/null\n    ${IP6TABLES_CMD} -t mangle -Z 2>\/dev\/null\n  else\n    # NOTE(review): ${IP6_TABLES} is never assigned (typo for ${IP6TABLES_CMD}), so this prints \" not available\".\n    echo \"${IP6_TABLES} not available\"\n  fi\n}\n\n######################################################################\n# Input rules\n######################################################################\nfunc_set_default_lo_rules() {\n  func_debug_msg ${FUNCNAME[0]}\n\n  #######################################################\n  # Allow unlimited traffic on loopback interface\n  #######################################################\n  ${IPTABLES_CMD} -A INPUT -i lo -j ACCEPT\n  ${IPTABLES_CMD} -A OUTPUT -o lo -j ACCEPT\n}\n\n######################################################################\n# \uc678\ubd80\uc5d0\uc11c \ubc29\ud654\ubcbd\uc73c\ub85c \uc811\uadfc (WAN\u2192this device)\n# ${1} : \uc678\ubd80 \uc11c\ubc84 \uc8fc\uc18c\n#  ex) \"-s 123.123.123.12\/32\" : \ud2b9\uc815 \uc678\ubd80 \uc8fc\uc18c\n#      \"-m geoip --src-cc KR\" : geoip \uc801\uc6a9\n#      \"-s ${ANY_NET}\" 
: \ubaa8\ub4e0 \uc8fc\uc18c\n# ${2} : \ubaa9\uc801\uc9c0\n# ${3} : \ud504\ub85c\ud1a0\ucf5c\n# ${4} : \ud3ec\ud2b8 \ubc88\ud638\n# ${5} : comment\n# ${6} : ACCEPT (1=ACCEPT, 0=DENY, *=REJECT)\n# ex) \"-s ${WHITE_LIST}\" \"tcp\" \"52400:52450\" \"WAN->this device:ftp-data\" \"1\"\n######################################################################\nfunc_add_user_incoming() {\n  func_debug_msg ${FUNCNAME[0]} \"${1}\" \"${2}\" \"${3}\" \"${4}\" \"${5}\" \"${6}\"\n\n  RULE_CMD=\"${IPTABLES_CMD} -A INPUT ${1} -d ${2} -p ${3} -m ${3} --dport ${4} -m conntrack --ctstate NEW,ESTABLISHED -m comment --comment \\\"${5}\\\"\"\n  case \"${6}\" in\n  \"0\")\n    RULE_CMD=\"${RULE_CMD} -j DROP\"\n    ;;\n  \"1\")\n    RULE_CMD=\"${RULE_CMD} -j ACCEPT\"\n    ;;\n  *)\n    RULE_CMD=\"${RULE_CMD} -j REJECT\"\n    ;;\n  esac\n  func_run_cmd \"${RULE_CMD}\"\n\n  RULE_CMD=\"${IPTABLES_CMD} -A OUTPUT -p ${3} -m ${3} --sport ${4} -m conntrack --ctstate ESTABLISHED -m comment --comment \\\"${5}\\\"\"\n  case \"${6}\" in\n  \"0\")\n    RULE_CMD=\"${RULE_CMD} -j DROP\"\n    ;;\n  \"1\")\n    RULE_CMD=\"${RULE_CMD} -j ACCEPT\"\n    ;;\n  *)\n    RULE_CMD=\"${RULE_CMD} -j REJECT\"\n    ;;\n  esac\n  func_run_cmd \"${RULE_CMD}\"\n}\n\n######################################################################\n# \uc678\ubd80\uc5d0\uc11c \ub4e4\uc5b4\uc624\ub294 \ud2b8\ub798\ud53d\uc744 \ucd94\uac00\ud55c\ub2e4.\n######################################################################\nfunc_add_incoming_rules() {\n  func_debug_msg ${FUNCNAME[0]} \"${1}\" \"${2}\" \"${3}\" \"${4}\" \"${5}\" \"${6}\"\n\n  # nslookup \ub0b4\ubd80\uc5d0\uc11c \uc678\ubd80\ub85c \ud1b5\uc2e0 \uac00\ub2a5\ud558\uac8c \uc14b\ud305\n  ${IPTABLES_CMD} -A INPUT -p udp --dport 53 -j ACCEPT\n  ${IPTABLES_CMD} -A INPUT -p udp --sport 53 -j ACCEPT\n  ${IPTABLES_CMD} -A OUTPUT -p udp --sport 53 -j ACCEPT\n  ${IPTABLES_CMD} -A OUTPUT -p udp --sport 53 -j ACCEPT\n\n  # https \ub0b4\ubd80\uc5d0\uc11c \uc678\ubd80\ub85c \ud1b5\uc2e0 
\uac00\ub2a5\ud558\uac8c \uc14b\ud305\n  # NOTE(review): the INPUT rules in this function do not do what the comments say. An INPUT rule keyed only\n  # on --sport 53\/80\/443 accepts a packet from ANY source to ANY local port as long as the sender chooses\n  # that source port, so the WHITE_LIST restriction applied to 22\/8080\/9090 below is trivially bypassed.\n  # The --dport 53\/80\/443 INPUT rules additionally expose those services to every source address, and the\n  # OUTPUT rules are redundant because func_final_rules ends OUTPUT with -j ACCEPT. Reply traffic for\n  # connections this host opens is better admitted with a single\n  # \"${IPTABLES_CMD} -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\" placed before the\n  # whitelist rules, with no source-port based accepts at all.\n  ${IPTABLES_CMD} -A INPUT -p tcp --dport 443 -j ACCEPT\n  ${IPTABLES_CMD} -A INPUT -p tcp --sport 443 -j ACCEPT\n  ${IPTABLES_CMD} -A OUTPUT -p tcp --sport 443 -j ACCEPT\n  ${IPTABLES_CMD} -A OUTPUT -p tcp --sport 443 -j ACCEPT\n\n  # http \ub0b4\ubd80\uc5d0\uc11c \uc678\ubd80\ub85c \ud1b5\uc2e0 \uac00\ub2a5\ud558\uac8c \uc14b\ud305\n  ${IPTABLES_CMD} -A INPUT -p tcp --dport 80 -j ACCEPT\n  ${IPTABLES_CMD} -A INPUT -p tcp --sport 80 -j ACCEPT\n  ${IPTABLES_CMD} -A OUTPUT -p tcp --sport 80 -j ACCEPT\n  ${IPTABLES_CMD} -A OUTPUT -p tcp --sport 80 -j ACCEPT\n\n  # icmp \ud5c8\uc6a9\n  #${IPTABLES_CMD} -A INPUT -p icmp -j ACCEPT\n  #${IPTABLES_CMD} -A OUTPUT -p icmp -j ACCEPT\n\n  func_add_user_incoming \"-s ${WHITE_LIST}\" \"${SYSTEM_IP_ADDR}\" \"tcp\" \"22\" \"Incoming Rule:ssh\" \"1\"\n  func_add_user_incoming \"-s ${WHITE_LIST}\" \"${SYSTEM_IP_ADDR}\" \"tcp\" \"8080\" \"Incoming Rule:ssc2\" \"1\"\n  func_add_user_incoming \"-s ${WHITE_LIST}\" \"${SYSTEM_IP_ADDR}\" \"tcp\" \"9090\" \"Incoming Rule:ssc1\" \"1\"\n}\n\n######################################################################\n# \ubaa8\ub450 \ucc28\ub2e8\n# NOTE(review): on start the built-in IPv4 policies are still ACCEPT at this point (func_set_default_policy\n# ran while DEFAULT_POLICY was \"ACCEPT\"; the later DEFAULT_POLICY=\"DROP\" only reaches ip6tables), so the\n# lockdown takes effect only once this final INPUT DROP is appended; an earlier abort leaves the host open.\n# Setting -P INPUT DROP before appending rules would fail closed instead.\n######################################################################\nfunc_final_rules() {\n  func_debug_msg ${FUNCNAME[0]} \"${1}\" \"${2}\" \"${3}\" \"${4}\" \"${5}\" \"${6}\"\n\n  ${IPTABLES_CMD} -A INPUT -j DROP\n  ${IPTABLES_CMD} -A OUTPUT -j ACCEPT\n  ${IPTABLES_CMD} -A FORWARD -j DROP\n}\n\n######################################################################\n# Main\n######################################################################\n\nif [ \"$2\" != \"\" ]; then\n  echo\n  echo \"Argument \\\"$2\\\" not recognized.\"\n  func_usage\n  echo\n  exit 1\nfi\n\nget_system_ip_addr\ncase \"$1\" in\n  start|restart)\n    func_clean_rules\n    func_set_default_policy\n    func_set_default_lo_rules\n    DEFAULT_POLICY=\"DROP\"\n    func_block_ipv6_traffic\n    func_add_incoming_rules\n    func_final_rules\n    
;;\n  stop)\n    DEFAULT_POLICY=\"ACCEPT\"\n    func_clean_rules\n    func_set_default_policy\n    func_block_ipv6_traffic\n    ;;\n  *)\n    func_usage\n    ;;\nesac\nexit 0\n<\/pre>\n","protected":false},"excerpt":{"rendered":"","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_import_markdown_pro_load_document_selector":0,"_import_markdown_pro_submit_text_textarea":"","site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"set","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[39,12],"tags":[],"class_list":["post-8084","post","type-post","status-publish","format-standard","hentry","category-os_linux_unix_macos","category-computing_security"],"_links":{"self":[{"href":"https:\/\/hasu0707.duckdns.org\/blog\/index.php?rest_route=\/wp\/v2\/posts\/8084","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/hasu0707.duckdns.org\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/hasu0707.duckdns.org\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/hasu0707.duckdns.org\/blog\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/hasu0707.duckdns.org\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=8084"}],"version-history":[{"count":0,"href":"https:\/\/hasu0707.duckdns.org\/blog\/index.php?rest_route=\/wp\/v2\/posts\/8084\/revisions"}],"wp:attachment":[{"href":"https:\/\/hasu0707.duckdns.org\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=8084"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/hasu0707.duckdns.org\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=8084"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/hasu0707.duckdns.org\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=8084"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}