iptables \u3067\u521d\u671f\u5316(iptables -F)\u3057\u3066\u3082\u3001\u30dd\u30ea\u30b7\u30fc\u306f\u6700\u521d\u306e\u72b6\u614b\u306b\u623b\u3089\u306a\u3044\u306e\u3067\u3059\u306d\u3002
\n\u5c11\u3057\u60a9\u307f\u307e\u3057\u305f\u3002<\/p>\n
\r\n# iptables -L\r\nChain INPUT (policy ACCEPT)\r\ntarget prot opt source destination \r\n\r\nChain FORWARD (policy ACCEPT)\r\ntarget prot opt source destination \r\n\r\nChain OUTPUT (policy ACCEPT)\r\ntarget prot opt source destination \r\n\r\n##\r\n#iptables execute\r\n##\r\n\r\n# iptables -F\r\n# iptables -L\r\nChain INPUT (policy DROP)\r\ntarget prot opt source destination \r\n\r\nChain FORWARD (policy DROP)\r\ntarget prot opt source destination \r\n\r\nChain OUTPUT (policy ACCEPT)\r\ntarget prot opt source destination \r\n<\/pre>\n\r\n#!\/bin\/bash\r\n\r\nLANG=C\r\n#\r\nLAN=eth0\r\n#\r\nLOCALNET=192.168.11.0\/24\r\nHOMENET=192.168.11.0\/24\r\n\r\n\r\n# iptables clear\r\niptables -F\r\niptables -X\r\n\r\n# default rule\r\niptables -P INPUT DROP # Input Drop\r\niptables -P OUTPUT ACCEPT # Output Accept\r\niptables -P FORWARD DROP # Forward Drop\r\n\r\n#\r\niptables -A INPUT -i lo -j ACCEPT\r\n\r\n#\r\niptables -A INPUT -s $LOCALNET -j ACCEPT\r\n\r\n#\r\niptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT\r\n\r\n#\r\nsysctl -w net.ipv4.tcp_syncookies=1 > \/dev\/null\r\nsed -i '\/net.ipv4.tcp_syncookies\/d' \/etc\/sysctl.conf\r\necho \"net.ipv4.tcp_syncookies=1\" >> \/etc\/sysctl.conf\r\n\r\n#\r\n#\r\nsysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1 > \/dev\/null\r\nsed -i '\/net.ipv4.icmp_echo_ignore_broadcasts\/d' \/etc\/sysctl.conf\r\necho \"net.ipv4.icmp_echo_ignore_broadcasts=1\" >> \/etc\/sysctl.conf\r\n\r\n#\r\nsed -i '\/net.ipv4.conf.*.accept_redirects\/d' \/etc\/sysctl.conf\r\nfor dev in `ls \/proc\/sys\/net\/ipv4\/conf\/`\r\ndo\r\n sysctl -w net.ipv4.conf.$dev.accept_redirects=0 > \/dev\/null\r\n echo \"net.ipv4.conf.$dev.accept_redirects=0\" >> \/etc\/sysctl.conf\r\ndone\r\n\r\n#\r\nsed -i '\/net.ipv4.conf.*.accept_source_route\/d' \/etc\/sysctl.conf\r\nfor dev in `ls \/proc\/sys\/net\/ipv4\/conf\/`\r\ndo\r\n sysctl -w net.ipv4.conf.$dev.accept_source_route=0 > \/dev\/null\r\n echo \"net.ipv4.conf.$dev.accept_source_route=0\" >> \/etc\/sysctl.conf\r\ndone\r\n\r\n# fragment\r\niptables -A INPUT -f -j LOG --log-prefix '[IPTABLES FRAGMENT] : '\r\niptables -A INPUT -f -j DROP\r\n\r\n# NetBIOS\r\niptables -A INPUT ! -s $LOCALNET -p tcp -m multiport --dports 135,137,138,139,445 -j DROP\r\niptables -A INPUT ! -s $LOCALNET -p udp -m multiport --dports 135,137,138,139,445 -j DROP\r\niptables -A OUTPUT ! -d $LOCALNET -p tcp -m multiport --sports 135,137,138,139,445 -j DROP\r\niptables -A OUTPUT ! -d $LOCALNET -p udp -m multiport --sports 135,137,138,139,445 -j DROP\r\n\r\n# Ping of Death\r\niptables -N LOG_PINGDEATH\r\niptables -A LOG_PINGDEATH -m limit --limit 1\/s --limit-burst 4 -j ACCEPT\r\niptables -A LOG_PINGDEATH -j LOG --log-prefix '[IPTABLES PINGDEATH] : '\r\niptables -A LOG_PINGDEATH -j DROP\r\niptables -A INPUT -p icmp --icmp-type echo-request -j LOG_PINGDEATH\r\n\r\n# \r\niptables -A INPUT -d 255.255.255.255 -j DROP\r\niptables -A INPUT -d 224.0.0.1 -j DROP\r\n\r\n# ident.113\r\niptables -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset\r\n\r\n#\r\n#\r\n#\r\n\r\n# ssh.22\r\niptables -A INPUT -p tcp -m state --state NEW -s $HOMENET --dport 22 -j ACCEPT\r\niptables -A OUTPUT -p tcp -m state --state NEW -d $HOMENET --dport 22 -j ACCEPT\r\niptables -A INPUT -p tcp -m state --state NEW -s 172.27.61.0\/255.255.255.0 --dport 22 -j ACCEPT\r\n\r\n#\r\niptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name ssh_attack\r\niptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 180 --hitcount 5 --rttl --name ssh_attack -j LOG --log-prefix 'SSH attack: '\r\niptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 180 --hitcount 5 --rttl --name ssh_attack -j DROP\r\n\r\n# dns.tcp.udp.53\r\niptables -A INPUT -p tcp --dport 53 -j ACCEPT\r\niptables -A INPUT -p udp --dport 53 -j ACCEPT\r\n\r\n# http.80\r\niptables -A INPUT -p tcp --dport 80 -j ACCEPT\r\n\r\n# https.443\r\niptables -A INPUT -p tcp --dport 443 -j ACCEPT\r\n\r\n# http.8080\r\niptables -A INPUT -p tcp --dport 8080 -j ACCEPT\r\n\r\n# ftp.21\r\niptables -A INPUT -p tcp --dport 21 -j ACCEPT\r\n\r\n# ftp\r\niptables -A INPUT -p tcp --dport 60000:60030 -j ACCEPT\r\n\r\n# smtp.25\r\niptables -A INPUT -p tcp --dport 25 -j ACCEPT\r\n\r\n# ssmtp.465\r\niptables -A INPUT -p tcp --dport 465 -j ACCEPT\r\n\r\n# pop3.110\r\niptables -A INPUT -p tcp --dport 110 -j ACCEPT\r\n\r\n# pop3s.995\r\niptables -A INPUT -p tcp --dport 995 -j ACCEPT\r\n\r\n# imap.143\r\niptables -A INPUT -p tcp --dport 143 -j ACCEPT\r\n\r\n# imaps.993\r\niptables -A INPUT -p tcp --dport 993 -j ACCEPT\r\n\r\n#\r\niptables -A INPUT -m limit --limit 1\/s -j LOG --log-prefix '[IPTABLES INPUT] : '\r\niptables -A INPUT -j DROP\r\niptables -A FORWARD -m limit --limit 1\/s -j LOG --log-prefix '[IPTABLES FORWARD] : '\r\niptables -A FORWARD -j DROP\r\n\r\n#\r\n\r\n<\/pre>\niptables -L \u304c\u9045\u3044\u5834\u5408\u306f
\niptables -nL<\/p>\n\u60c5\u5831\u5143
\nhttp:\/\/www.aconus.com\/~oyaji\/security\/iptables.htm
\n<\/a>http:\/\/fedorasrv.com\/iptables.shtml
\n<\/a>http:\/\/d.hatena.ne.jp\/Ubuntu\/20080128\/1201462048<\/a>
\nhttp:\/\/tobysoft.net\/wiki\/index.php?Ubuntu%2Fiptables(firewall)
\n<\/a>
\nhttp:\/\/cyberlib.enterbrainz.com\/1177122736.html<\/p>\n","protected":false},"excerpt":{"rendered":"iptables \u3067\u521d\u671f\u5316(iptables -F)\u3057\u3066\u3082\u3001\u30dd\u30ea\u30b7\u30fc\u306f\u6700\u521d\u306e\u72b6\u614b\u306b\u623b\u3089\u306a\u3044\u306e\u3067\u3059\u306d\u3002 \u5c11\u3057\u60a9\u307f\u307e\u3057\u305f\u3002 # iptables -L Chain INPUT (policy ACCEPT) target p…<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-567","post","type-post","status-publish","format-standard","hentry","category-1"],"_links":{"self":[{"href":"https:\/\/www.asfit.net\/blog\/kan\/index.php?rest_route=\/wp\/v2\/posts\/567","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.asfit.net\/blog\/kan\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.asfit.net\/blog\/kan\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.asfit.net\/blog\/kan\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.asfit.net\/blog\/kan\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=567"}],"version-history":[{"count":6,"href":"https:\/\/www.asfit.net\/blog\/kan\/index.php?rest_route=\/wp\/v2\/posts\/567\/revisions"}],"predecessor-version":[{"id":569,"href":"https:\/\/www.asfit.net\/blog\/kan\/index.php?rest_route=\/wp\/v2\/posts\/567\/revisions\/569"}],"wp:attachment":[{"href":"https:\/\/www.asfit.net\/blog\/kan\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=567"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.asfit.net\/blog\/kan\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=567"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.asfit.net\/blog\/kan\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=567"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}