20111231_iptables

2011. 12. 31. 12:31
localhost ~ # uname -a
Linux localhost 3.0.6-gentoo #1 SMP PREEMPT Tue Dec 27 06:23:25 KST 2011 i686 Intel(R) Pentium(R) M processor 1500MHz GenuineIntel GNU/Linux


- Preparation
The kernel must be built with the xtables options below enabled (kernel configuration, Netfilter/xtables section)
matches : recent

Additional xtables options I personally enable
targets : tee
matches : iprange, length, limit, mac, mark, multiport, comment


- Before changing the setting
localhost ~ # cat /sys/module/xt_recent/parameters/ip_list_tot
100


- Commands to change the setting
localhost ~ # chmod u+w /sys/module/xt_recent/parameters/ip_list_tot
localhost ~ # echo 10000 > /sys/module/xt_recent/parameters/ip_list_tot
localhost ~ # chmod u-w /sys/module/xt_recent/parameters/ip_list_tot


- After changing the setting
localhost ~ # cat /sys/module/xt_recent/parameters/ip_list_tot
10000


- iptables rules
localhost ~ # cat /var/lib/iptables/rules-save
# Generated by iptables-save v1.4.12.1 on Thu Dec 29 19:15:06 2011
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
[0:0] -A INPUT -i eth0 -p tcp -m tcp --dport 22 -m recent --set --name SSH --rsource
[0:0] -A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 5 --name SSH --rsource -j DROP
[0:0] -A INPUT -i lo -j ACCEPT
[0:0] -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
[0:0] -A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
[0:0] -A INPUT -i eth0 -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 53 -j ACCEPT
[0:0] -A INPUT -i eth0 -p udp -m state --state NEW,RELATED,ESTABLISHED -m udp --dport 53 -j ACCEPT
[0:0] -A INPUT -i eth0 -j DROP
COMMIT
# Completed on Thu Dec 29 19:15:06 2011
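The two `-m recent` rules above are easier to reason about with a trace in front of you. The following is an added example, not part of the original post: a small Python model of the xt_recent behaviour the rules rely on (`--set`, `--update --seconds 60 --hitcount 5`, the per-address timestamp ring bounded by `ip_pkt_list_tot`, and the source table bounded by `ip_list_tot` with least-recently-used eviction). It walks constructed port-22 packet traces through the chain in rule order and shows two things: the fifth new connection from one source inside 60 seconds is dropped, and why raising `ip_list_tot` from 100 to 10000 matters. The source addresses are documentation ranges, the traces are constructed, and the model ignores `--rttl`, `--reap` and jiffies granularity.

```python
# Added example (not from the original post): a model of the xt_recent SSH
# rules above. ip_list_tot=100 / ip_pkt_list_tot=20 are the module defaults;
# every packet trace below is constructed, with documentation-range addresses.
from collections import OrderedDict, namedtuple

Packet = namedtuple("Packet", "t src new")  # t: seconds, src: source IP, new: conntrack NEW?


class RecentTable:
    """One named xt_recent table (the post's 'SSH'): per-source stamp ring, LRU over sources."""

    def __init__(self, ip_list_tot=100, ip_pkt_list_tot=20):
        self.ip_list_tot = ip_list_tot          # max tracked source addresses
        self.ip_pkt_list_tot = ip_pkt_list_tot  # max timestamps kept per address
        self.entries = OrderedDict()            # src -> [stamps]; front = least recently used

    def _stamp(self, src, now):
        stamps = self.entries.pop(src)          # re-insert at the most-recently-used end
        stamps.append(now)
        if len(stamps) > self.ip_pkt_list_tot:
            del stamps[0]                       # ring buffer: the oldest stamp is overwritten
        self.entries[src] = stamps

    def set(self, src, now):
        """-m recent --set: create the entry if needed (evicting the LRU one when full), then stamp."""
        if src not in self.entries:
            if len(self.entries) >= self.ip_list_tot:
                self.entries.popitem(last=False)
            self.entries[src] = []
        self._stamp(src, now)

    def update(self, src, now, seconds, hitcount):
        """-m recent --update --seconds S --hitcount H: match when the source already has at
        least H stamps inside the last S seconds; only a match refreshes the entry."""
        if src not in self.entries:
            return False
        hits = sum(1 for s in self.entries[src] if now - s < seconds)
        if hits < hitcount:
            return False
        self._stamp(src, now)
        return True


def ssh_verdict(table, pkt, seconds=60, hitcount=5):
    """Walk the port-22 part of the post's INPUT chain in rule order."""
    # -A INPUT -p tcp --dport 22 -m recent --set --name SSH   (no -j: always falls through)
    table.set(pkt.src, pkt.t)
    # -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 5 -j DROP
    if pkt.new and table.update(pkt.src, pkt.t, seconds, hitcount):
        return "DROP"
    # ... --state RELATED,ESTABLISHED -j ACCEPT  /  --dport 22 -j ACCEPT
    return "ACCEPT"


def run_trace(packets, ip_list_tot=100):
    table = RecentTable(ip_list_tot=ip_list_tot)
    return [ssh_verdict(table, p) for p in packets]


def brute_force_trace():
    """Constructed trace: one source opens six SSH connections in six seconds, then one more at t=70."""
    pkts = [Packet(t, "198.51.100.7", True) for t in range(6)]
    pkts.append(Packet(70, "198.51.100.7", True))
    return run_trace(pkts)  # -> 4x ACCEPT, 2x DROP, then ACCEPT (only the t=70 stamp is in the window)


def fifth_attempt_after_scan(ip_list_tot):
    """Constructed trace: the source makes four attempts, then 100 other sources each touch
    port 22 once, then the original source tries a fifth time. Returns that last verdict."""
    pkts = [Packet(t, "198.51.100.7", True) for t in range(4)]
    pkts += [Packet(4, "203.0.113.%d" % i, True) for i in range(100)]  # 100 distinct sources
    pkts.append(Packet(5, "198.51.100.7", True))
    return run_trace(pkts, ip_list_tot=ip_list_tot)[-1]


if __name__ == "__main__":
    print("brute force:", brute_force_trace())
    print("5th attempt, ip_list_tot=100:  ", fifth_attempt_after_scan(100))
    print("5th attempt, ip_list_tot=10000:", fifth_attempt_after_scan(10000))
```

With the default table size of 100 sources, the 100 unrelated sources push the attacker's entry out of the table (it is the least recently used one), so its fifth attempt starts a fresh entry and is accepted; with `ip_list_tot` raised to 10000 the entry survives and the fifth attempt is dropped. One detail the model keeps from the original rules: the `--set` rule has no `--state NEW`, so packets of an established session (`new=False` here) also add stamps to the source's entry; feeding such packets into `run_trace` shows how an active session from an address can make a second new connection from that same address hit the drop rule.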

Posted by nol2ter
