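# ===========================================================================
# Fragment 1: tail of an earlier script — its beginning is outside this page.
# Appends per-service ACCEPT rules to INPUT, then flips the INPUT policy to
# DROP so anything not explicitly accepted is discarded, and persists the
# result. Kept as found (reformatted and annotated only).
# NOTE(review): no loopback (-i lo) and no ESTABLISHED,RELATED accept rule is
# visible in this fragment — confirm they exist in the part of the script that
# precedes it; otherwise local services and reply traffic for outbound
# connections are dropped once the policy flips.
# ===========================================================================

# ssh
/sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# telnet (cleartext protocol; keep this rule only while telnet is actually required)
/sbin/iptables -A INPUT -p tcp --dport 23 -j ACCEPT
# dns (TCP only — UDP/53 is not opened here)
/sbin/iptables -A INPUT -p tcp --dport 53 -j ACCEPT
# www
/sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# ssl
/sbin/iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# webmin
/sbin/iptables -A INPUT -p tcp --dport 10000 -j ACCEPT

# DROP: default-deny for everything not accepted above
/sbin/iptables -P INPUT DROP
# Print the resulting ruleset for the operator to review
/sbin/iptables -L
# Persist the running ruleset through the distribution's iptables init script
/etc/init.d/iptables save

# ===========================================================================
# Fragment 2: complete host-firewall script for MY_IP.
# ===========================================================================
#!/bin/sh
# Host firewall: default-deny INPUT with one user-defined chain per protocol.
#
# Flow: reset -> set policies -> create tcp_block/udp_block/icmp_block ->
# populate each chain -> finally jump INPUT traffic into them by protocol.
# A TCP packet that reaches the end of tcp_block without matching falls
# through to the INPUT policy (DROP). udp_block and icmp_block end with an
# explicit ACCEPT after their deny rules, so unlisted UDP/ICMP is allowed.
#
# Fail-closed: the INPUT policy is set to DROP before any rule is added, and
# `set -e` aborts on the first iptables error instead of silently continuing
# with a partial ruleset (the original "-P FORWORD ACEPPT" typo failed that
# way and left FORWARD untouched).
set -eu

IPTABLES='/sbin/iptables'
MY_IP='172.16.101.1'
readonly IPTABLES MY_IP

# Reset: flush every chain, then delete the now-empty user-defined chains so
# the -N calls below succeed on a re-run instead of failing with
# "Chain already exists" and appending a second copy of every rule.
"${IPTABLES}" -F
"${IPTABLES}" -X

"${IPTABLES}" -P INPUT DROP
"${IPTABLES}" -P OUTPUT ACCEPT
"${IPTABLES}" -P FORWARD ACCEPT   # fixed: was "-P FORWORD ACEPPT" (invalid chain and target)

"${IPTABLES}" -N tcp_block
"${IPTABLES}" -N udp_block
"${IPTABLES}" -N icmp_block

# ----- tcp rules -----
# Traffic from this host's own address to itself.
# NOTE(review): packets on lo addressed to 127.0.0.1 do not match -d MY_IP and
# therefore hit the INPUT DROP policy; an "-A INPUT -i lo -j ACCEPT" rule is
# usually wanted — confirm against the intended service layout before adding it.
"${IPTABLES}" -A tcp_block -p tcp -d "${MY_IP}" -s "${MY_IP}" -j ACCEPT
# Allow connections that are already established and anything related to them.
"${IPTABLES}" -A tcp_block -p tcp -m state --state ESTABLISHED,RELATED -d "${MY_IP}" -j ACCEPT
# Accepted inbound services, in the original order (service names resolve via
# /etc/services; 137:139 is the NetBIOS range). The original listed ftp twice;
# one rule is sufficient.
for port in ftp ssh smtp domain www pop3 auth 137:139 ldap https 901 3128 10000; do
  "${IPTABLES}" -A tcp_block -j ACCEPT -p tcp -d "${MY_IP}" --dport "${port}"
done

# ----- udp rules -----
# Deny a few services explicitly, then accept all remaining UDP.
# ${IPTABLES} -A udp_block -p udp -d ${MY_IP} --dport domain -j DROP
# ${IPTABLES} -A udp_block -p udp -d ${MY_IP} --dport 137:139 -j DROP
"${IPTABLES}" -A udp_block -p udp -d "${MY_IP}" --dport sunrpc -j DROP
"${IPTABLES}" -A udp_block -p udp -d "${MY_IP}" --dport snmp -j DROP
# Blanket allow for every UDP port not dropped above: this chain is
# allow-by-default, unlike tcp_block.
"${IPTABLES}" -A udp_block -p udp -j ACCEPT

# ----- icmp rules -----
# Drop the ICMP types that can influence routing or reveal addressing
# information; accept every other ICMP type.
"${IPTABLES}" -A icmp_block -p icmp -d "${MY_IP}" --icmp-type redirect -j DROP
"${IPTABLES}" -A icmp_block -p icmp -d "${MY_IP}" --icmp-type address-mask-request -j DROP
"${IPTABLES}" -A icmp_block -p icmp -d "${MY_IP}" --icmp-type router-advertisement -j DROP
"${IPTABLES}" -A icmp_block -p icmp -d "${MY_IP}" --icmp-type router-solicitation -j DROP
"${IPTABLES}" -A icmp_block -p icmp -j ACCEPT
#----- End of INPUT rule section -----

#----- OUTPUT rules -----
# ${IPTABLES} -A OUTPUT -o eth0 -p udp --dport 137:139 -j DROP
#----- End of OUTPUT rule section -----

# Dispatch: send INPUT packets to the user-defined chain for their protocol.
# Done last so each chain is fully populated before traffic is routed into it.
"${IPTABLES}" -A INPUT -p tcp -j tcp_block
"${IPTABLES}" -A INPUT -p udp -j udp_block
"${IPTABLES}" -A INPUT -p icmp -j icmp_block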