블라베의 취향편지

여태까지 설정한 것을 사용자가 사용할 수 있게 방화벽을 열어주어야 한다.

# cd /etc/sysconfig/

# vi iptables

=================================================================================================

# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 20 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT

-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
=================================================================================================

여기까지가 대체로 기본으로 설정되어 있을 것이다.

위에서 사용할 포트만 남기고 삭제한다. 필요한 것은 추가도~

그리고 다음을 추가한다.

-A RH-Firewall-1-INPUT -m recent --update --seconds 60 --name TOO_MANY_REQUESTS -j DROP
-A RH-Firewall-1-INPUT -m hashlimit --hashlimit 10/s --hashlimit-burst 24 --hashlimit-mode srcip --hashlimit-name HTTP_REQ_LIMIT -j ACCEPT
-A RH-Firewall-1-INPUT -m recent --set --name TOO_MANY_REQUESTS -j DROP
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited

전체적으로 다음과 같이 될 것이다.

=================================================================================================

# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 20 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT

-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-A RH-Firewall-1-INPUT -m recent --update --seconds 60 --name TOO_MANY_REQUESTS -j DROP
-A RH-Firewall-1-INPUT -m hashlimit --hashlimit 10/s --hashlimit-burst 24 --hashlimit-mode srcip --hashlimit-name HTTP_REQ_LIMIT -j ACCEPT
-A RH-Firewall-1-INPUT -m recent --set --name TOO_MANY_REQUESTS -j DROP
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited

COMMIT
=================================================================================================

이 룰은 위의 룰을 통과하여 들어온 패킷에 대하여

각 출발지 ip에 대하여 초당 24회 이상(평균 10회 이상)의 웹 서비스 요청 패킷이 접수될 경우

해당 IP를 60초동안 접근 금지시키는 스크립트입니다.

이 60초 안에 또 요청 패킷이 접수되면 그 시점부터 60초를 다시 셉니다.

# /etc/init.d/iptables restart

# iptables -L

Chain INPUT (policy ACCEPT)
target     prot opt source               destination        
RH-Firewall-1-INPUT  all  --  anywhere             anywhere           

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination        
RH-Firewall-1-INPUT  all  --  anywhere             anywhere           

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination        

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination        
ACCEPT     all  --  anywhere             anywhere           
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ftp-data
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
DROP       all  --  anywhere             anywhere            recent: UPDATE seconds: 60 name: TOO_MANY_REQUESTS side: source
ACCEPT     all  --  anywhere             anywhere            limit: avg 10/sec burst 24 mode srcip
DROP       all  --  anywhere             anywhere            recent: SET name: TOO_MANY_REQUESTS side: source
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibite