CentOS 5.1 を始めてみた 9

iptables に yum を利用できるように設定を追加する。

# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

設定を追加し、保存する。

# iptables -L

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     esp  --  anywhere             anywhere
ACCEPT     ah   --  anywhere             anywhere
ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:mdns
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

# cat /etc/sysconfig/iptables

# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
# Stock ruleset before the custom script was applied. Both INPUT and FORWARD
# jump to RH-Firewall-1-INPUT, and that chain ends in an unconditional REJECT,
# so a rule appended directly to INPUT after the jump is never reached.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
# Protocols 50 and 51 appear as esp and ah in the iptables -L listing above.
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
# mDNS (5353) to the multicast group and IPP (631) are accepted from any source.
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
# Stateful accept, then new SSH connections from any source; all remaining
# traffic is rejected with icmp-host-prohibited.
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

# cp /etc/sysconfig/iptables /etc/sysconfig/.iptables.orig
# .new_iptables_setting.sh
# service iptables save
Saving firewall rules to /etc/sysconfig/iptables:          [  OK  ]

# /etc/rc.d/init.d/iptables restart
Flushing firewall rules:                                   [  OK  ]
Setting chains to policy ACCEPT: filter                    [  OK  ]
Unloading iptables modules:                                [  OK  ]
Applying iptables firewall rules:                          [  OK  ]
Loading additional iptables modules: ip_conntrack_netbios_n[  OK  ]

# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     icmp --  192.168.0.0/24       192.168.0.31        icmp echo-request 
ACCEPT     icmp --  192.168.0.0/24       anywhere            icmp echo-reply 
DROP       tcp  --  anywhere             anywhere            tcp flags:!FIN,SYN,RST,ACK/SYN state NEW 
ACCEPT     tcp  --  192.168.0.0/24       192.168.0.31        state NEW,RELATED,ESTABLISHED tcp dpt:ssh 
ACCEPT     udp  --  anywhere             192.168.0.31        udp spt:domain 
DROP       tcp  --  anywhere             anywhere            tcp flags:!FIN,SYN,RST,ACK/SYN state NEW 
ACCEPT     tcp  --  anywhere             192.168.0.31        state NEW,RELATED,ESTABLISHED tcp dpt:http 
DROP       tcp  --  anywhere             anywhere            tcp flags:!FIN,SYN,RST,ACK/SYN state NEW 
ACCEPT     tcp  --  anywhere             192.168.0.31        state NEW,RELATED,ESTABLISHED tcp dpt:https 
LOGGING    all  --  anywhere             anywhere            

Chain FORWARD (policy DROP)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     icmp --  192.168.0.31         192.168.0.0/24      icmp echo-reply 
ACCEPT     icmp --  192.168.0.31         192.168.0.0/24      icmp echo-request 
ACCEPT     tcp  --  192.168.0.31         192.168.0.0/24      tcp spt:ssh 
ACCEPT     udp  --  192.168.0.31         anywhere            udp dpt:domain 
ACCEPT     tcp  --  192.168.0.31         anywhere            tcp spt:http 
ACCEPT     tcp  --  192.168.0.31         anywhere            tcp spt:https 

Chain LOGGING (1 references)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere            limit: avg 3/hour burst 5 LOG level warning prefix `DROP:' 
DROP       all  --  anywhere             anywhere

# cat /etc/sysconfig/iptables

# Generated by iptables-save v1.3.5 on Thu Apr 24 22:23:20 2008
# Ruleset saved after running the custom script: default-deny on INPUT and
# FORWARD, with unmatched INPUT traffic sent to LOGGING (rate-limited LOG,
# then DROP). This host is 192.168.0.31; the LAN is 192.168.0.0/24.
*filter
:INPUT DROP [0:0]
# No FORWARD rules follow, so this policy drops all forwarded traffic.
:FORWARD DROP [0:0]
# NOTE(review): with policy ACCEPT, the OUTPUT rules below impose no
# restriction; anything they do not match is accepted by the policy anyway.
:OUTPUT ACCEPT [0:0]
:LOGGING - [0:0]
# Stateful rule first: replies to connections this host initiated are
# accepted here before any per-service rule is consulted.
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -i lo -j ACCEPT 
# ICMP echo-request to this host and echo-reply, LAN sources only.
-A INPUT -s 192.168.0.0/255.255.255.0 -d 192.168.0.31 -p icmp -m icmp --icmp-type 8 -j ACCEPT 
-A INPUT -s 192.168.0.0/255.255.255.0 -p icmp -m icmp --icmp-type 0 -j ACCEPT 
# Drop NEW TCP packets that are not a plain SYN. The identical rule is
# repeated twice more below; those copies cannot match anything this one
# did not already drop, so a single instance here is sufficient.
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP 
# SSH from the LAN only.
-A INPUT -s 192.168.0.0/255.255.255.0 -d 192.168.0.31 -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 22 -j ACCEPT 
# NOTE(review): this accepts any UDP datagram with source port 53 regardless
# of connection state. Replies to this host's own DNS queries are already
# admitted by the RELATED,ESTABLISHED rule above, so this rule only widens
# what is accepted; confirm it is still needed.
-A INPUT -d 192.168.0.31 -p udp -m udp --sport 53 -j ACCEPT 
# Duplicate of the SYN check above.
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP 
# HTTP and HTTPS from any source.
-A INPUT -d 192.168.0.31 -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 80 -j ACCEPT 
# Duplicate of the SYN check above.
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP 
-A INPUT -d 192.168.0.31 -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 443 -j ACCEPT 
# Everything not accepted above is handed to LOGGING.
-A INPUT -j LOGGING 
-A OUTPUT -o lo -j ACCEPT 
-A OUTPUT -s 192.168.0.31 -d 192.168.0.0/255.255.255.0 -p icmp -m icmp --icmp-type 0 -j ACCEPT 
-A OUTPUT -s 192.168.0.31 -d 192.168.0.0/255.255.255.0 -p icmp -m icmp --icmp-type 8 -j ACCEPT 
-A OUTPUT -s 192.168.0.31 -d 192.168.0.0/255.255.255.0 -p tcp -m tcp --sport 22 -j ACCEPT 
-A OUTPUT -s 192.168.0.31 -p udp -m udp --dport 53 -j ACCEPT 
-A OUTPUT -s 192.168.0.31 -p tcp -m tcp --sport 80 -j ACCEPT 
-A OUTPUT -s 192.168.0.31 -p tcp -m tcp --sport 443 -j ACCEPT 
# Log at most 3 entries per hour (burst 5, the default shown by iptables -L);
# packets beyond that limit are dropped by the next rule without a log entry.
-A LOGGING -m limit --limit 3/hour -j LOG --log-prefix "DROP:" 
-A LOGGING -j DROP 
COMMIT
# Completed on Thu Apr 24 22:23:20 2008
#