내부 방화벽 설정(UFW, iptables, firewalld)

root@techsmile-13601:~# sudo ufw disable => 비활성화

sudo: unable to resolve host techsmile-13601

Firewall stopped and disabled on system startup

root@techsmile-13601:~# sudo ufw enable => 활성화

sudo: unable to resolve host techsmile-13601

Command may disrupt existing ssh connections. Proceed with operation (y|n)? y

Firewall is active and enabled on system startup

root@techsmile-13601:~# sudo ufw status => ufw 상태확인

sudo: unable to resolve host techsmile-13601

Status: active

root@techsmile-13601:~# sudo ufw status verbose => ufw 상태 상세확인

sudo: unable to resolve host techsmile-13601

Status: active

Logging: on (low)

Default: deny (incoming), allow (outgoing), disabled (routed)

New profiles: skip

root@techsmile-13601:~# sudo ufw allow 80/tcp

sudo: unable to resolve host techsmile-13601

Rule added

Rule added (v6)

root@techsmile-13601:~# sudo ufw allow 80/udp

sudo: unable to resolve host techsmile-13601

Rule added

Rule added (v6)

root@techsmile-13601:~# sudo ufw status

sudo: unable to resolve host techsmile-13601

Status: active

To Action From

— —— —-

80/tcp ALLOW Anywhere

80/udp ALLOW Anywhere

80/tcp (v6) ALLOW Anywhere (v6)

80/udp (v6) ALLOW Anywhere (v6)

root@techsmile-13601:~# sudo ufw allow from 115.68.220.225

sudo: unable to resolve host techsmile-13601

Rule added

root@techsmile-13601:~# sudo ufw status

sudo: unable to resolve host techsmile-13601

Status: active

To Action From

— —— —-

80/tcp ALLOW Anywhere

80/udp ALLOW Anywhere

Anywhere ALLOW 115.68.220.225

80/tcp (v6) ALLOW Anywhere (v6)

80/udp (v6) ALLOW Anywhere (v6)

root@techsmile-13601:~# sudo ufw deny from 115.68.220.225 to any port 22

sudo: unable to resolve host techsmile-13601

Rule added

root@techsmile-13601:~# sudo ufw status

sudo: unable to resolve host techsmile-13601

Status: active

To Action From

— —— —-

80/tcp ALLOW Anywhere

80/udp ALLOW Anywhere

Anywhere ALLOW 115.68.220.225

22 DENY 115.68.220.225

80/tcp (v6) ALLOW Anywhere (v6)

80/udp (v6) ALLOW Anywhere (v6)

root@techsmile-13601:~# sudo ufw delete allow 80/tcp

sudo: unable to resolve host techsmile-13601

Rule deleted

Rule deleted (v6)

root@techsmile-13601:~# sudo ufw status

sudo: unable to resolve host techsmile-13601

Status: active

To Action From

— —— —-

80/udp ALLOW Anywhere

Anywhere ALLOW 115.68.220.225

22 DENY 115.68.220.225

80/udp (v6) ALLOW Anywhere (v6)

root@techsmile-13601:~# sudo ufw reset

sudo: unable to resolve host techsmile-13601

Resetting all rules to installed defaults. This may disrupt existing ssh

connections. Proceed with operation (y|n)? y

Backing up ‘before.rules’ to ‘/etc/ufw/before.rules.20180201_214445’

Backing up ‘after.rules’ to ‘/etc/ufw/after.rules.20180201_214445’

Backing up ‘user.rules’ to ‘/etc/ufw/user.rules.20180201_214445’

Backing up ‘after6.rules’ to ‘/etc/ufw/after6.rules.20180201_214445’

Backing up ‘before6.rules’ to ‘/etc/ufw/before6.rules.20180201_214445’

Backing up ‘user6.rules’ to ‘/etc/ufw/user6.rules.20180201_214445’

root@techsmile-13601:~# sudo ufw status

sudo: unable to resolve host techsmile-13601

Status: inactive

–source (-s) => 출발지 ip 주소

–destination (-d) => 목적지 ip 주소

–protocol (-p) => 특정 프로토콜과의 매칭

–in-interface (-i) => 입력 인터페이스

–out-interface (-o) => 출력 인터페이스

–state => 연결 상태와의 매칭

–syn (-y) => SYN 패킷을 허용하지 않는다

SYN 패킷 : TCP 에서 세션을 성립할 때 가장먼저 보내는 패킷

SYN 패킷을 이용하여 SYN Flooding 공격을 할 수 있습니다.

SYN Flooding 공격이란 TCP 세션이 연결될 때의 취약성을 이용한 서버공격 입니다.

ex)

TCP의 기본적인 연결단계는 아래와 같습니다.

1) A(소스서버) 가 B(목적지서버)에게 접속을 요청하는 SYN 패킷을 보낸다

2) B는 요청을 수락한다는 SYN과 ACK패킷을 A에게 보낸다

3) A가 B에게 ACK를 보내면 연결이 이루어지고 본격적인 데이터교환이 이루어 진다

위의 2번 단계에서 목적지서버(B)는 소스서버(A)가 ACK패킷을 보내주기를 계속적으로 기다리는 것이 아니라 일정시간 후 요청이 오지 않으면 백로그큐(Backlog Queue)가 허용하는 공간에 연결 정보(로그)를 보관하게 됩니다.

이러한 상태가 지속적으로 요청되어 연결정보(로그)가 쌓이게 되면 목적지서버(B)의 특정서비스가 마비될 수 있습니다.

ACCEPT => 패킷을 받아들인다

DROP => 패킷을 버린다

REJECT => 패킷을 버리고 동시에 적절한 응답 패킷을 전송한다

LOG => 패킷을 syslog에 기록한다

RETURN => 호출 체인 내에서 패킷 처리를 계속한다

-A => 새로운 규칙을 추가

-D => 규칙을 삭제

-C => 패킷을 테스트

-R => 새로운 규칙으로 교체

-I => 새로운 규칙을 삽입

-L => 규칙을 출력

-F => chain으로 부터 규칙을 모두 삭제

-Z => 모든 chain의 패킷과 바이트 카운터 값을 0으로 만든다

-N => 새로운 chain을 만든다

-X => chain을 삭제

-P => 기본정책을 변경

[root@techsmile-13601 ~]# iptables -nL

Chain INPUT (policy ACCEPT)

target prot opt source destination

RH-Firewall-1-INPUT all — 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy ACCEPT)

target prot opt source destination

RH-Firewall-1-INPUT all — 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT)

target prot opt source destination

Chain RH-Firewall-1-INPUT (2 references)

target prot opt source destination

ACCEPT all — 0.0.0.0/0 0.0.0.0/0

ACCEPT icmp — 0.0.0.0/0 0.0.0.0/0 icmp type 255

ACCEPT all — 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED

ACCEPT tcp — 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:20

ACCEPT tcp — 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:21

ACCEPT tcp — 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22

ACCEPT tcp — 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:25

ACCEPT tcp — 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80

ACCEPT tcp — 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:110

ACCEPT tcp — 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:143

ACCEPT tcp — 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:443

ACCEPT tcp — 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpts:50001:50005

REJECT all — 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited

[root@techsmile-13601 ~]# iptables -A INPUT -s 115.68.220.225 -j DROP

=> 출발 ip가 115.68.220.225인 패킷을 차단

[root@techsmile-13601 ~]# iptables -A INPUT -d 115.68.220.225 -j DROP

=> 목적지 ip가 115.68.220.225인 패킷을 차단

[root@techsmile-13601 ~]# iptables -nL

Chain INPUT (policy ACCEPT)

target prot opt source destination

RH-Firewall-1-INPUT all — 0.0.0.0/0 0.0.0.0/0

DROP all — 115.68.220.225 0.0.0.0/0

DROP all — 0.0.0.0/0 115.68.220.225

[root@techsmile-13601 ~]# iptables -A INPUT -s 115.68.220/24 -j DROP

=> 축발 ip 대역이 115.68.220 대역인 패킷을 차단

[root@techsmile-13601 ~]# iptables -A INPUT -d 115.68.220/24 -j DROP

=> 목적지 ip 대역이 115.68.220 대역인 패킷을 차단

[root@techsmile-13601 ~]# iptables -nL

Chain INPUT (policy ACCEPT)

target prot opt source destination

RH-Firewall-1-INPUT all — 0.0.0.0/0 0.0.0.0/0

DROP all — 115.68.220.225 0.0.0.0/0

DROP all — 0.0.0.0/0 115.68.220.225

DROP all — 115.68.220.0/24 0.0.0.0/0

DROP all — 0.0.0.0/0 115.68.220.0/24

[root@techsmile-13601 ~]# iptables -A INPUT -p tcp -s 115.68.220.225 -m state –state NEW -m tcp –dport 80 -j ACCEPT

=> 115.68.220.225 ip에 대해 접속패킷 80번 포트 허용

[root@techsmile-13601 ~]# iptables -A INPUT -p tcp -s 115.68.220/24 -m state –state NEW -m tcp –dport 80 -j ACCEPT

=> 115.68.220 대역에 대해 접속패킷 80번 포트 허용

[root@techsmile-13601 ~]# iptables -A INPUT -p tcp -s 115.68.220.225 -m state –state NEW -m tcp –dport 80 -j DROP

=> 115.68.220.225 ip에 대해 접속패킷 80번 포트 거부

[root@techsmile-13601 ~]# iptables -A INPUT -p tcp -s 115.68.220/24 -m state –state NEW -m tcp –dport 80 -j DROP

=> 115.68.220 대역에 대해 접속 접속패킷 80번 포트 거부

[root@techsmile-13601 ~]# iptables -nL

Chain INPUT (policy ACCEPT)

target prot opt source destination

RH-Firewall-1-INPUT all — 0.0.0.0/0 0.0.0.0/0

DROP all — 115.68.220.225 0.0.0.0/0

DROP all — 0.0.0.0/0 115.68.220.225

DROP all — 115.68.220.0/24 0.0.0.0/0

DROP all — 0.0.0.0/0 115.68.220.0/24

ACCEPT tcp — 115.68.220.225 0.0.0.0/0 state NEW tcp dpt:80

ACCEPT tcp — 115.68.220.0/24 0.0.0.0/0 state NEW tcp dpt:80

DROP tcp — 115.68.220.225 0.0.0.0/0 state NEW tcp dpt:80

DROP tcp — 115.68.220.0/24 0.0.0.0/0 state NEW tcp dpt:80

[root@techsmile-13601 ~]# /etc/init.d/iptables save

iptables: 방화벽 규칙을 /etc/sysconfig/iptables에 저장 중: [ OK ]

=> 위에 명령어로 저장을 하는 이유는 iptables 명령어로 룰을 적용시켰을 경우 방화벽을 재시작 하거나, 서버를 재부팅 했을 경우 룰이 저장되지 않고 전부 날아가기 때문입니다.

저장을 하고 vi /etc/sysconfig/iptables를 열어보면 명령어로 입력한 룰들이 들어가 있는 것을 확인할 수 있습니다.

# Generated by iptables-save v1.4.7 on Thu Feb 1 22:31:48 2018

*filter

:INPUT ACCEPT [0:0]

:FORWARD ACCEPT [0:0]

:OUTPUT ACCEPT [37:6224]

:RH-Firewall-1-INPUT – [0:0]

-A INPUT -j RH-Firewall-1-INPUT

-A INPUT -s 115.68.220.225/32 -j DROP

-A INPUT -d 115.68.220.225/32 -j DROP

-A INPUT -s 115.68.220.0/24 -j DROP

-A INPUT -d 115.68.220.0/24 -j DROP

-A INPUT -s 115.68.220.225/32 -p tcp -m state –state NEW -m tcp –dport 80 -j ACCEPT

-A INPUT -s 115.68.220.0/24 -p tcp -m state –state NEW -m tcp –dport 80 -j ACCEPT

-A INPUT -s 115.68.220.225/32 -p tcp -m state –state NEW -m tcp –dport 80 -j DROP

-A INPUT -s 115.68.220.0/24 -p tcp -m state –state NEW -m tcp –dport 80 -j DROP

-A INPUT -s 115.68.220.225/32 -p tcp -m state –state NEW -m tcp –dport 80 -j ACCEPT

-A FORWARD -j RH-Firewall-1-INPUT

-A RH-Firewall-1-INPUT -i lo -j ACCEPT

-A RH-Firewall-1-INPUT -p icmp -m icmp –icmp-type any -j ACCEPT

-A RH-Firewall-1-INPUT -m state –state RELATED,ESTABLISHED -j ACCEPT

-A RH-Firewall-1-INPUT -p tcp -m state –state NEW -m tcp –dport 20 -j ACCEPT

-A RH-Firewall-1-INPUT -p tcp -m state –state NEW -m tcp –dport 21 -j ACCEPT

-A RH-Firewall-1-INPUT -p tcp -m state –state NEW -m tcp –dport 22 -j ACCEPT

-A RH-Firewall-1-INPUT -p tcp -m state –state NEW -m tcp –dport 25 -j ACCEPT

-A RH-Firewall-1-INPUT -p tcp -m state –state NEW -m tcp –dport 80 -j ACCEPT

-A RH-Firewall-1-INPUT -p tcp -m state –state NEW -m tcp –dport 110 -j ACCEPT

-A RH-Firewall-1-INPUT -p tcp -m state –state NEW -m tcp –dport 143 -j ACCEPT

-A RH-Firewall-1-INPUT -p tcp -m state –state NEW -m tcp –dport 443 -j ACCEPT

-A RH-Firewall-1-INPUT -p tcp -m state –state NEW -m tcp –dport 50001:50005 -j ACCEPT

-A RH-Firewall-1-INPUT -j REJECT –reject-with icmp-host-prohibited

COMMIT

# Completed on Thu Feb 1 22:31:48 2018

[root@techsmile-13601 ~]# firewall-cmd –state

not running => firewalld가 실행중이지 않음

[root@techsmile-13601 ~]# systemctl start firewalld => firewalld 실행

[root@techsmile-13601 ~]# firewall-cmd –state

running => 실행중

[root@techsmile-13601 ~]# firewall-cmd –permanent –zone=public –add-port=80/tcp

success

=> 위 명령어로 80번 포트를 추가하였습니다.

[root@techsmile-13601 ~]# firewall-cmd –permanent –zone=public –remove-port=80/tcp

=> 80번 포트 삭제

[root@techsmile-13601 ~]# firewall-cmd –list-port

80/tcp

[root@techsmile-13601 ~]# firewall-cmd –get-services

RH-Satellite-6 amanda-client amanda-k5-client bacula bacula-client bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc ceph ceph-mon cfengine condor-collector ctdb dhcp dhcpv6 dhcpv6-client dns docker-registry dropbox-lansync elasticsearch freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp ganglia-client ganglia-master high-availability http https imap imaps ipp ipp-client ipsec iscsi-target kadmin kerberos kibana klogin kpasswd kshell ldap ldaps libvirt libvirt-tls managesieve mdns mosh mountd ms-wbt mssql mysql nfs nrpe ntp openvpn ovirt-imageio ovirt-storageconsole ovirt-vmconsole pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster quassel radius rpc-bind rsh rsyncd samba samba-client sane sip sips smtp smtp-submission smtps snmp snmptrap spideroak-lansync squid ssh synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client vdsm vnc-server wbem-https xmpp-bosh xmpp-client xmpp-local xmpp-server

=> 위 명령어로 추가 가능한 서비스를 출력하여 확인합니다.

[root@techsmile-13601 ~]# firewall-cmd –permanent –zone=public –add-service=http

success

=> http 서비스 추가

[root@techsmile-13601 ~]# firewall-cmd –permanent –zone=public –remove-service=http

=> http 서비스 삭제

[root@techsmile-13601 ~]# firewall-cmd –reload => 재시작

success

[root@techsmile-13601 ~]# firewall-cmd –list-service

dhcpv6-client ssh http

=> 재시작 후 http 서비스가 들어가 있는 것을 확인 할 수 있습니다.

<?xml version=”1.0″ encoding=”utf-8″?>

<zone>

<short>Public</short>

<description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>

<service name=”dhcpv6-client”/>

<service name=”ssh”/>

<service name=”http”/>

<service name=”ftp”/> => 추가

<service name=”mysql”/> => 추가

<port protocol=”tcp” port=”80″/>

</zone>

[root@techsmile-13601 ~]# firewall-cmd –reload => 재시작

success

[root@techsmile-13601 ~]# firewall-cmd –list-service

dhcpv6-client ssh http ftp mysql => 추가가 된 것을 확인 할 수 있습니다.