Trying Gentoo 2008.0 on Linode 05
Configure iptables.
Current settings
# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Apply the configuration
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -d 127.0.0.0/8 -i ! lo -j REJECT --reject-with icmp-port-unreachable
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 30000 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable
Checking the result
# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere            !loopback/8          reject-with icmp-port-unreachable
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:30000
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:https
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Save the configuration changes
# /etc/init.d/iptables save
 * Saving iptables state ...                                   [ ok ]
# /etc/init.d/iptables reload
 * Flushing firewall ...                                       [ ok ]
 * Loading iptables state and starting firewall ...
# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere            !loopback/8          reject-with icmp-port-unreachable
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:30000
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:https
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
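As an added check that is not part of the post, the script below parses `iptables -L` output in the layout shown above and reports whether the INPUT chain ends in a catch-all REJECT, which NEW TCP ports it admits, and that with policy ACCEPT a flush (`iptables -F`) leaves every port open. The listing is a constructed sample, and because `iptables -L` without `-v` hides the interface column, the `-i lo` rule is indistinguishable from an accept-all in this view.

```python
import re

# Constructed sample in the layout of the post's post-configuration
# `iptables -L` listing (without -v, so the lo interface column is hidden).
SAMPLE = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere            !loopback/8          reject-with icmp-port-unreachable
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:30000
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:https
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+)\)")

def parse_chains(listing):
    """Return {chain: (policy, [rule dicts])} parsed from `iptables -L` text."""
    chains, current = {}, None
    for line in listing.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = (m.group(2), [])
        elif line.strip() and not line.startswith("target") and current:
            # Columns: target prot opt source destination [match options...]
            target, prot, _opt, src, dst, *extra = line.split(None, 5)
            chains[current][1].append({"target": target, "prot": prot, "src": src,
                                       "dst": dst, "extra": extra[0] if extra else ""})
    return chains

def audit_input(listing):
    """Check INPUT for a trailing catch-all REJECT/DROP, list the NEW TCP ports
    it admits, and flag that a policy of ACCEPT means a flush opens everything."""
    policy, rules = parse_chains(listing)["INPUT"]
    last = rules[-1] if rules else None
    catch_all = bool(last and last["target"] in ("REJECT", "DROP")
                     and last["prot"] == "all" and last["src"] == "anywhere"
                     and last["dst"] == "anywhere" and "state" not in last["extra"])
    ports = [r["extra"].rsplit("dpt:", 1)[1] for r in rules
             if r["target"] == "ACCEPT" and r["prot"] == "tcp" and "dpt:" in r["extra"]]
    return {"policy": policy, "catch_all_reject": catch_all,
            "new_tcp_ports": ports, "open_if_flushed": policy == "ACCEPT"}
```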
About the message "Using intrapositioned negation (`--option ! this`) is deprecated in favor of extrapositioned (`! --option this`)."
iptables -A INPUT -d 127.0.0.0/8 -i ! lo -j REJECT --reject-with icmp-port-unreachable
Using intrapositioned negation (`--option ! this`) is deprecated in favor of extrapositioned (`! --option this`).
This message seems to be an iptables bug.
I have the following (perfectly correct) rules on my iptables script:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=528736#5
(snip)
The error messages also disappear if I substitute the above rules for the following stupid and wrong rules:
$IPTABLES -A INPUT ! -i lo -s $LOOPBACK_NETWORK -j DROP
$IPTABLES -A INPUT ! -i lo -d $LOOPBACK_NETWORK -j DROP
The rules actually work beyond the erroneous deprecation warning, which has been corrected for the next upstream release.
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=528736#12
Source: iptables
Source-Version: 1.4.4-1

We believe that the bug you reported is fixed in the latest version of iptables, which is due to be installed in the Debian FTP archive:
iptables-dev_1.4.4-1_amd64.deb
to pool/main/i/iptables/iptables-dev_1.4.4-1_amd64.deb
iptables_1.4.4-1.diff.gz
to pool/main/i/iptables/iptables_1.4.4-1.diff.gz
iptables_1.4.4-1.dsc
to pool/main/i/iptables/iptables_1.4.4-1.dsc
iptables_1.4.4-1_amd64.deb
to pool/main/i/iptables/iptables_1.4.4-1_amd64.deb
iptables_1.4.4.orig.tar.gz
to pool/main/i/iptables/iptables_1.4.4.orig.tar.gz

A summary of the changes between this version and the previous one is attached.
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=528736#22