
iptables 사용하기

바로퇴장 2020. 5. 1. 16:27


What is iptables?

iptables is a very flexible firewall utility built for the Linux operating system. Through its command-line interface you can allow or restrict traffic by writing rules.

sudo apt-get install iptables

Types of chains

  • INPUT: chain that controls incoming connections to this host
  • FORWARD: chain that controls traffic routed through this host, as a router would
  • OUTPUT: chain that controls outgoing connections from this host
  • DOCKER: chains that Docker adds for container traffic (DOCKER, DOCKER-USER, DOCKER-ISOLATION-STAGE-1 in the output below)

You can view the chain information, including per-rule packet and byte counters, with the command iptables -L -v.

Example:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER-USER  all  --  any    any     anywhere             anywhere
    0     0 DOCKER-ISOLATION-STAGE-1  all  --  any    any     anywhere             anywhere
    0     0 ACCEPT     all  --  any    docker0  anywhere             anywhere             ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  any    docker0  anywhere             anywhere
    0     0 ACCEPT     all  --  docker0 !docker0  anywhere             anywhere
    0     0 ACCEPT     all  --  docker0 docker0  anywhere             anywhere

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

You can check the current state with the iptables -L command.
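The listing above is plain text, so auditing it by eye gets tedious once Docker and a few user rules are in play. The following parser, an added example that is not code from the original post, turns `iptables -L -v` output into chain and rule objects and runs two small defender-side checks over it: which built-in chains are open by default (policy ACCEPT), and which chains jump to a given target. The sample input is the output shown on this page, embedded as a constant so the script runs without root or iptables installed; the dataclass field names are my own.

```python
"""Parse the text that `iptables -L -v` prints into chains, their policies and
their rules, then run a small audit over the result.

Added example, not code from the original post. SAMPLE is the output shown on
the page, embedded so the script runs offline without root or iptables.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the `iptables -L -v` output reproduced from the page.
SAMPLE = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER-USER  all  --  any    any     anywhere             anywhere
    0     0 DOCKER-ISOLATION-STAGE-1  all  --  any    any     anywhere             anywhere
    0     0 ACCEPT     all  --  any    docker0  anywhere             anywhere             ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  any    docker0  anywhere             anywhere
    0     0 ACCEPT     all  --  docker0 !docker0  anywhere             anywhere
    0     0 ACCEPT     all  --  docker0 docker0  anywhere             anywhere

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
"""

CHAIN_HEADER = re.compile(r"^Chain (\S+) \((.*)\)")
# The nine fixed columns of a rule line; anything after them is match text.
RULE_COLUMNS = ("pkts", "byte_count", "target", "prot", "opt",
                "in_if", "out_if", "source", "destination")


@dataclass
class Rule:
    pkts: int
    byte_count: int
    target: str
    prot: str
    opt: str
    in_if: str
    out_if: str
    source: str
    destination: str
    extra: str = ""  # trailing match text such as "ctstate RELATED,ESTABLISHED"


@dataclass
class Chain:
    name: str
    policy: Optional[str]  # None for user-defined chains, which have no policy
    rules: List[Rule] = field(default_factory=list)


def parse_iptables_list(text: str) -> dict:
    """Return {chain name: Chain} for `iptables -L -v` style output."""
    chains = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        header = CHAIN_HEADER.match(line)
        if header:
            name, info = header.groups()
            policy = re.match(r"policy (\S+)", info)  # absent on user-defined chains
            current = Chain(name, policy.group(1) if policy else None)
            chains[name] = current
            continue
        if line.lstrip().startswith("pkts bytes"):
            continue  # column header line
        if current is None:
            raise ValueError(f"rule line before any chain header: {line!r}")
        parts = line.split(None, len(RULE_COLUMNS))
        if len(parts) < len(RULE_COLUMNS):
            raise ValueError(f"unexpected rule line: {line!r}")
        fields = dict(zip(RULE_COLUMNS, parts))
        fields["pkts"] = int(fields["pkts"])
        fields["byte_count"] = int(fields["byte_count"])
        extra = parts[len(RULE_COLUMNS)].strip() if len(parts) > len(RULE_COLUMNS) else ""
        current.rules.append(Rule(extra=extra, **fields))
    return chains


def open_policy_chains(chains: dict) -> List[str]:
    """Chains whose default policy is ACCEPT: unmatched traffic is let through."""
    return [c.name for c in chains.values() if c.policy == "ACCEPT"]


def rules_jumping_to(chains: dict, target: str) -> List[str]:
    """Names of chains containing a rule that jumps to `target` (e.g. DOCKER-USER)."""
    return [c.name for c in chains.values() if any(r.target == target for r in c.rules)]


if __name__ == "__main__":
    parsed = parse_iptables_list(SAMPLE)
    for chain in parsed.values():
        print(f"{chain.name}: policy={chain.policy} rules={len(chain.rules)}")
    print("chains open by default:", open_policy_chains(parsed))
```

Run it against live output with `sudo iptables -L -v | python3 parse_rules.py` after replacing SAMPLE with `sys.stdin.read()`; on the page's sample it reports INPUT and OUTPUT as open by default, which is the state to review before exposing the host.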

ACCEPT – allows the connection.

DROP – drops the connection silently, without any reply. This is best if you don't want the source to realize your system exists.

REJECT – does not allow the connection, but sends back an error. This is best if you don't want a particular source to connect to your system, but you want them to know that your firewall blocked them.

Example:

Allowing the connection: (image)

Dropping the connection: (image)

Rejecting the connection: (image)

Configuring connections from specified IP addresses

Connections from a single IP address

This example shows how to block all connections from the IP address 10.10.10.10.

iptables -A INPUT -s 10.10.10.10 -j DROP

Connections from a range of IP addresses

This example shows how to block all of the IP addresses in the 10.10.10.0/24 network range. You can use a netmask or standard slash notation to specify the range of IP addresses.

iptables -A INPUT -s 10.10.10.0/24 -j DROP

or

iptables -A INPUT -s 10.10.10.0/255.255.255.0 -j DROP

Connections to a specific port

This example shows how to block SSH connections from 10.10.10.10.

iptables -A INPUT -p tcp --dport ssh -s 10.10.10.10 -j DROP
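The three rules above only make sense together with the first-match semantics of a chain: rules are checked top to bottom, the first match decides the verdict, and the chain policy applies when nothing matches. The following simulator, an added example that is not code from the original post, parses the same `iptables -A INPUT ...` command lines the page uses (only the options -A/-I, -s, -p, --dport and -j are understood) and evaluates packets against them; the SERVICES table is an assumed stand-in for /etc/services, which `--dport ssh` relies on, and the packet tuples are constructed. It also shows why appending (-A) an exception below a broader rule never takes effect, whereas inserting it (-I) at the top does.

```python
"""Simulate how the INPUT chain evaluates a packet: rules are checked in
order, the first match decides the verdict, and the chain policy applies when
nothing matches.

Added example, not code from the original post. Only the options the page
uses are parsed; SERVICES is an assumed subset of /etc/services.
"""
import ipaddress
import shlex

# Assumed subset of /etc/services so symbolic ports such as "ssh" resolve offline.
SERVICES = {"ssh": 22, "http": 80, "https": 443}


def parse_rule(cmd):
    """Turn one 'iptables -A INPUT ...' command line into a rule dict."""
    args = shlex.split(cmd)
    while args and args[0] in ("sudo", "iptables"):
        args.pop(0)
    rule = {"chain": None, "src": None, "proto": None, "dport": None,
            "target": None, "insert": False}
    i = 0
    while i + 1 < len(args):
        opt, val = args[i], args[i + 1]
        if opt in ("-A", "-I"):
            rule["chain"], rule["insert"] = val, opt == "-I"
        elif opt == "-s":
            # Accepts a host (10.10.10.10), CIDR (10.10.10.0/24) or dotted netmask
            # (10.10.10.0/255.255.255.0); a bare host becomes a /32 network.
            rule["src"] = ipaddress.ip_network(val, strict=False)
        elif opt == "-p":
            rule["proto"] = val
        elif opt == "--dport":
            rule["dport"] = SERVICES[val] if val in SERVICES else int(val)
        elif opt == "-j":
            rule["target"] = val
        else:
            raise ValueError(f"unsupported option: {opt}")
        i += 2
    if i != len(args):
        raise ValueError(f"option without a value: {args[-1]}")
    if rule["chain"] is None or rule["target"] is None:
        raise ValueError("a rule needs a chain (-A/-I) and a target (-j)")
    return rule


class Chain:
    """An ordered rule list plus the default policy (shown as 'policy' by iptables -L)."""

    def __init__(self, name, policy="ACCEPT"):
        self.name = name
        self.policy = policy
        self.rules = []

    def add(self, cmd):
        rule = parse_rule(cmd)
        if rule["chain"] != self.name:
            raise ValueError(f"rule is for chain {rule['chain']}, not {self.name}")
        if rule["insert"]:
            self.rules.insert(0, rule)  # -I without a position puts the rule at the top
        else:
            self.rules.append(rule)     # -A appends at the bottom

    def verdict(self, src, proto="tcp", dport=None):
        """First matching rule wins; otherwise the chain policy applies."""
        addr = ipaddress.ip_address(src)
        for rule in self.rules:
            if rule["src"] is not None and addr not in rule["src"]:
                continue
            if rule["proto"] is not None and rule["proto"] != proto:
                continue
            if rule["dport"] is not None and rule["dport"] != dport:
                continue
            return rule["target"]
        return self.policy


def demo():
    """The page's rules plus one inserted exception, to show that order matters."""
    chain = Chain("INPUT", policy="ACCEPT")
    chain.add("iptables -A INPUT -p tcp --dport ssh -s 10.10.10.10 -j DROP")
    chain.add("iptables -A INPUT -s 10.10.10.0/255.255.255.0 -j REJECT")
    # Appending an ACCEPT for 10.10.10.5 would never be reached, because the /24
    # REJECT above matches first; inserting it at the top (-I) makes it win.
    chain.add("iptables -I INPUT -s 10.10.10.5 -j ACCEPT")
    return {
        "ssh from 10.10.10.10": chain.verdict("10.10.10.10", "tcp", 22),   # DROP
        "http from 10.10.10.10": chain.verdict("10.10.10.10", "tcp", 80),  # REJECT
        "ssh from 10.10.10.5": chain.verdict("10.10.10.5", "tcp", 22),     # ACCEPT (exception)
        "ssh from 10.10.11.1": chain.verdict("10.10.11.1", "tcp", 22),     # ACCEPT (policy)
    }


if __name__ == "__main__":
    for packet, result in demo().items():
        print(f"{packet}: {result}")
```

The dotted-netmask form on the page parses to the same /24 network as the slash form, so both rules are equivalent. The simulator ignores connection tracking and interfaces, so treat it as a way to reason about rule order, not as a replacement for testing the real ruleset.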

Saving the configuration

Ubuntu:

sudo /sbin/iptables-save

Note that iptables-save writes the current rules to standard output rather than storing them anywhere; redirect the output to a file and load it again with iptables-restore to keep the rules across a reboot.

Red Hat / CentOS:

/sbin/service iptables save

Or

/etc/init.d/iptables save

References