여태까지 설정한 것을 사용자가 사용할 수 있게 방화벽을 열어주어야 한다.
# cd /etc/sysconfig/
# vi iptables
=================================================================================================
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 20 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
=================================================================================================
여기까지가 대체로 기본으로 설정되어 있을 것이다.
위에서 사용할 포트만 남기고 삭제한다. 필요한 것은 추가도~
그리고 다음을 추가한다.
-A RH-Firewall-1-INPUT -m recent --update --seconds 60 --name TOO_MANY_REQUESTS -j DROP
-A
RH-Firewall-1-INPUT -m hashlimit --hashlimit 10/s --hashlimit-burst 24
--hashlimit-mode srcip --hashlimit-name HTTP_REQ_LIMIT -j ACCEPT
-A RH-Firewall-1-INPUT -m recent --set --name TOO_MANY_REQUESTS -j DROP
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
전체적으로 다음과 같이 될 것이다.
=================================================================================================
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 20 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-A RH-Firewall-1-INPUT -m recent --update --seconds 60 --name TOO_MANY_REQUESTS -j DROP
-A RH-Firewall-1-INPUT -m hashlimit --hashlimit 10/s --hashlimit-burst 24 --hashlimit-mode srcip --hashlimit-name HTTP_REQ_LIMIT -j ACCEPT
-A RH-Firewall-1-INPUT -m recent --set --name TOO_MANY_REQUESTS -j DROP
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
=================================================================================================
이 룰은 위의 룰을 통과하여 들어온 패킷에 대하여
각 출발지 ip에 대하여 초당 24회 이상(평균 10회 이상)의 웹 서비스 요청 패킷이 접수될 경우
해당 IP를 60초동안 접근 금지시키는 스크립트입니다.
이 60초 안에 또 요청 패킷이 접수되면 그 시점부터 60초를 다시 셉니다.
# /etc/init.d/iptables restart
# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere state NEW udp dpt:domain
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:domain
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ftp-data
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
DROP all -- anywhere anywhere recent: UPDATE seconds: 60 name: TOO_MANY_REQUESTS side: source
ACCEPT all -- anywhere anywhere limit: avg 10/sec burst 24 mode srcip
DROP all -- anywhere anywhere recent: SET name: TOO_MANY_REQUESTS side: source
REJECT all -- anywhere anywhere reject-with icmp-host-prohibite
'블라베 IT world > Linux Document' 카테고리의 다른 글
| CentOS 리눅스 yum 사용법 (0) | 2013.04.18 |
|---|---|
| centos : iptables 사용하기 (0) | 2013.04.17 |
| Centos 5/6 설치후 라이브러리 설치 (0) | 2013.04.16 |
| centos: 네트워크 설정/변경 하는 4가지 방법 (0) | 2013.04.16 |
| Net 명령어 LIST 및사용법 (0) | 2013.02.13 |