Lab> multiport module
1. Start the web server
# systemctl start httpd
# echo Hello 192.168.108.3 server > /var/www/html/index.html
2. Without the multiport module
One ACCEPT rule per port, followed by a catch-all DROP:
# iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# iptables -A INPUT -p tcp --dport 23 -j ACCEPT
# iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# iptables -A INPUT -j DROP
Note that the trailing DROP also discards loopback traffic and the replies to connections the host itself opens (it has no ESTABLISHED rule), so this is a lab rule set, not a production one.
# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:23
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
3. With the multiport module
To use the multiport module, add -m multiport to the rule; the four ACCEPT rules collapse into one. multiport accepts --dport as shorthand for --dports (and --sport for --sports), which is why the listing below shows "dports". -p tcp must come before the port list, because multiport needs to know the protocol when it parses the ports.
# iptables -F
# iptables -A INPUT -m multiport -p tcp --dport 22,23,80,443 -j ACCEPT
# iptables -A INPUT -j DROP
# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 22,23,80,443
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
4. Test
Connect over SSH and check that port 22 is allowed.
Connect from a web browser and check that port 80 is allowed.
http://192.168.108.103
Hello 192.168.108.3 server
5. Add FORWARD chain rules
                     -------> dport
[external network]----------[firewall]----------[internal servers (102.101, 102.102)]
                     sport <-------
The default FORWARD policy is set to DROP. The first rule passes requests toward the service ports on the internal servers; the second passes the replies, which it recognises only by their source port.
# iptables -P FORWARD DROP
# iptables -A FORWARD -m multiport -p tcp --dport 22,23,80,443 -j ACCEPT
# iptables -A FORWARD -m multiport -p tcp --sport 22,23,80,443 -j ACCEPT
# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 22,23,80,443
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 22,23,80,443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport sports 22,23,80,443

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
http://192.168.108.101
192.168.102.101 server!
http://192.168.108.102
192.168.102.102 server!
Instead of separate --dport and --sport rules, a single --port option covers both directions: multiport's --ports (--port) matches when either the source port or the destination port is in the list.
Be aware of what this accepts. Both the --sport rule above and this --port rule pass a packet on the strength of its source port alone, so anything sent from source port 22, 23, 80 or 443 is forwarded to the internal servers whatever its destination port. It is a lab shortcut for admitting return traffic, not a substitute for connection tracking (-m conntrack --ctstate ESTABLISHED,RELATED).
                     -------> ports
[external network]----------[firewall]----------[internal servers (102.101, 102.102)]
                     ports <-------
# iptables -F FORWARD
# iptables -A FORWARD -m multiport -p tcp --port 22,23,80,443 -j ACCEPT
# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 22,23,80,443
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport ports 22,23,80,443

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
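The following script is an added example, not part of the original lab. It takes the multiport idea from sections 3 and 5 one step further: it generates the complete INPUT and FORWARD rule set as an iptables-restore file, uses one multiport rule for the allowed service ports, and admits return traffic with -m conntrack --ctstate ESTABLISHED,RELATED instead of the --sport / --port matches. It also checks the port list against multiport's documented limit of 15 entries per match (a range written a:b counts as two entries). The port list 22,23,80,443 is the lab's; the function names, the DROP policies and the comments in the generated file are this example's own choices.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset that allows a list of TCP
# service ports with a single multiport match and relies on connection
# tracking for replies. Prints to stdout; apply with
#   sudo iptables-restore < rules.v4
# Nothing here touches the kernel, so it runs as an ordinary user.

# multiport takes at most 15 port entries; a range a:b uses two of them.
MULTIPORT_MAX=15

# count_port_slots LIST -> prints how many multiport slots LIST consumes.
count_port_slots() {
    slots=0
    old_ifs=$IFS
    IFS=,
    for item in $1; do
        case $item in
            *:*) slots=$((slots + 2)) ;;   # range counts twice
            *)   slots=$((slots + 1)) ;;
        esac
    done
    IFS=$old_ifs
    echo "$slots"
}

# validate_ports LIST -> 0 if every entry is a port number or a lo:hi range
# within 1..65535 and the whole list fits in one multiport match, else 1.
validate_ports() {
    list=$1
    [ -n "$list" ] || return 1
    old_ifs=$IFS
    IFS=,
    for item in $list; do
        case $item in
            *:*) lo=${item%%:*}; hi=${item#*:} ;;
            *)   lo=$item;       hi=$item ;;
        esac
        for p in "$lo" "$hi"; do
            case $p in
                ''|*[!0-9]*) IFS=$old_ifs; return 1 ;;   # not a plain number
            esac
            if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
                IFS=$old_ifs; return 1
            fi
        done
        if [ "$lo" -gt "$hi" ]; then IFS=$old_ifs; return 1; fi
    done
    IFS=$old_ifs
    [ "$(count_port_slots "$list")" -le "$MULTIPORT_MAX" ]
}

# build_ruleset LIST -> prints the filter table in iptables-restore format.
# Lines beginning with '#' are ignored by iptables-restore.
build_ruleset() {
    ports=$1
    validate_ports "$ports" || {
        echo "invalid port list or more than $MULTIPORT_MAX multiport slots: $ports" >&2
        return 1
    }
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback, and replies to connections this host opened itself
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# services on the firewall host: one multiport rule instead of one rule per port
-A INPUT -p tcp -m multiport --dports $ports -m conntrack --ctstate NEW -j ACCEPT
# forwarded traffic: new connections only toward the allowed service ports;
# return packets are matched by connection state, not by --sport or --port
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p tcp -m multiport --dports $ports -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Run with the lab's port list (constructed input) and print the ruleset.
build_ruleset "22,23,80,443"
```

Redirect the output to a file and load it with iptables-restore from a console session (or with port 22 in the list), since the INPUT policy becomes DROP. Ranges such as 1024:65535 are accepted, but the slot check will reject a list that multiport itself would refuse.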