今回はiptablesの設定である。
セキュリティの強化ってことで、まずはiptablesがインストールされているかをチェック。
# yum list | grep iptables iptables.x86_64 1.3.5-5.3.el5_4.1 installed iptables-ipv6.x86_64 1.3.5-5.3.el5_4.1 installed iptables-devel.i386 1.3.5-5.3.el5_4.1 base iptables-devel.x86_64 1.3.5-5.3.el5_4.1 base # rpm -qa | grep iptables iptables-ipv6-1.3.5-5.3.el5_4.1 iptables-1.3.5-5.3.el5_4.1インストールされているので、今度はiptbelsの設定を確認。
# iptables -L Chain INPUT (policy ACCEPT) target prot opt source destination Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destinationiptablesを編集する。
もちろん、root で設定を行っていく。
# su - Password: # vi /etc/sysconfig/iptables *filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] :RH-Firewall-1-INPUT - [0:0] -A INPUT -j RH-Firewall-1-INPUT -A FORWARD -j RH-Firewall-1-INPUT -A RH-Firewall-1-INPUT -i lo -j ACCEPT -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT -A RH-Firewall-1-INPUT -p 50 -j ACCEPT -A RH-Firewall-1-INPUT -p 51 -j ACCEPT -A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # SSH, HTTP, FTP1, FTP2, HTTPS, MySQL -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport XXXXX -j ACCEPT -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 20 -j ACCEPT -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport YYYY -j ACCEPT -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited COMMITiptablesの編集が済んだところで、起動。
# /etc/rc.d/init.d/iptables start Flushing firewall rules: [ OK ] Setting chains to policy ACCEPT: filter [ OK ] Unloading iptables modules: [ OK ] Applying iptables firewall rules: [ OK ]起動後、自動起動するようにchkconfigで設定。自動起動のiptablesサービスがどう設定されている確認。
# chkconfig iptables on # # chkconfig --list iptables iptables 0:off 1:off 2:on 3:on 4:on 5:on 6:off設定がどのように反映されている確認。よくよく考えると、ftpを使う気がないので20,21ポートは閉じてもいいかも、と思ったりしている。
# iptables -L Chain INPUT (policy ACCEPT) target prot opt source destination RH-Firewall-1-INPUT all -- anywhere anywhere Chain FORWARD (policy ACCEPT) target prot opt source destination RH-Firewall-1-INPUT all -- anywhere anywhere Chain OUTPUT (policy ACCEPT) target prot opt source destination Chain RH-Firewall-1-INPUT (2 references) target prot opt source destination ACCEPT all -- anywhere anywhere ACCEPT icmp -- anywhere anywhere icmp any ACCEPT esp -- anywhere anywhere ACCEPT ah -- anywhere anywhere ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns ACCEPT udp -- anywhere anywhere udp dpt:ipp ACCEPT tcp -- anywhere anywhere tcp dpt:ipp ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:XXXXX ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ftp-data ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ftp ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:https ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:mysql REJECT all -- anywhere anywhere reject-with icmp-host-prohibitedこれでひとまずのセキュリティ強化は終了。
Leave your Comment