- すべてのアクセスログ保管を行う(debug)
- できるだけ、汎用性があるような、ルール作りを行ったつもりです。
- Firewall設定例 (iptablesは、省略しています)
内部のネットワークを192.168.1.0/24
内部のネットワークアダプタをeth0
外部接続のインターフェイスをppp0
# Default policy for the three built-in chains: a packet that reaches the end of
# INPUT, OUTPUT or FORWARD without an explicit verdict is dropped.
# (The "<-" annotations throughout the listing are the author's notes, not rule syntax.)
-P INPUT DROP <-原則破棄
-P OUTPUT DROP <-原則破棄
-P FORWARD DROP <-原則破棄
- チェッカールールは、必要に応じ設定
# Placeholder "checker" chains. They are created with no rules, so a jump into
# one of them falls straight back to the calling chain; site-specific
# per-service filtering can be appended to them later.
-N HTTP_CHECKER
-N MAIL_CHECKER
-N NAME_CHECKER
- ログを保管して、DROPかACCEPT。ログの先頭文字を変えたいためいくつも作っています。
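# Logging chains. Each chain writes one kernel log line with a distinctive
# prefix (so entries can be told apart by their first characters) and then ends
# with the fixed verdict in its name: DROP or ACCEPT. Every LOG rule uses level
# debug and records IP options, TCP options and TCP sequence numbers.
-N LOG_FRAGMENT
-A LOG_FRAGMENT -j LOG --log-prefix "[IPTABLES FRAGMENT] : " --log-level debug --log-ip-options --log-tcp-options --log-tcp-sequence
-A LOG_FRAGMENT -j DROP
-N LOG_SPOOFING
-A LOG_SPOOFING -j LOG --log-prefix "[IPTABLES SPOOFING] : " --log-level debug --log-ip-options --log-tcp-options --log-tcp-sequence
-A LOG_SPOOFING -j DROP
-N LOG_IN_ACCEPT
-A LOG_IN_ACCEPT -j LOG --log-prefix "[IPTABLES IN ACCEPT] : " --log-level debug --log-ip-options --log-tcp-options --log-tcp-sequence
-A LOG_IN_ACCEPT -j ACCEPT
# LOG_IN_DROP is the jump target of HTTP_CHECK, MAIL_CHECK and Firewall-INPUT
# further down, but the listing never created it; a jump to an undefined chain
# makes the whole ruleset fail to load. Defined here with the same
# log-then-DROP shape as its siblings (prefix follows the existing pattern).
-N LOG_IN_DROP
-A LOG_IN_DROP -j LOG --log-prefix "[IPTABLES IN DROP] : " --log-level debug --log-ip-options --log-tcp-options --log-tcp-sequence
-A LOG_IN_DROP -j DROP
-N LOG_HTTP_ACCEPT
-A LOG_HTTP_ACCEPT -j LOG --log-prefix "[IPTABLES HTTP_ACCEPT] : " --log-level debug --log-ip-options --log-tcp-options --log-tcp-sequence
-A LOG_HTTP_ACCEPT -j ACCEPT
-N LOG_MAIL_ACCEPT
-A LOG_MAIL_ACCEPT -j LOG --log-prefix "[IPTABLES MAIL_ACCEPT] : " --log-level debug --log-ip-options --log-tcp-options --log-tcp-sequence
-A LOG_MAIL_ACCEPT -j ACCEPT
-N LOG_NAME_ACCEPT
-A LOG_NAME_ACCEPT -j LOG --log-prefix "[IPTABLES NAME_ACCEPT] : " --log-level debug --log-ip-options --log-tcp-options --log-tcp-sequence
-A LOG_NAME_ACCEPT -j ACCEPT
-N LOG_FW_ACCEPT
-A LOG_FW_ACCEPT -j LOG --log-prefix "[IPTABLES FW ACCEPT] : " --log-level debug --log-ip-options --log-tcp-options --log-tcp-sequence
-A LOG_FW_ACCEPT -j ACCEPT
-N LOG_OUT_DROP
-A LOG_OUT_DROP -j LOG --log-prefix "[IPTABLES OUT DROP] : " --log-level debug --log-ip-options --log-tcp-options --log-tcp-sequence
-A LOG_OUT_DROP -j DROP
-N LOG_OUT_ACCEPT
-A LOG_OUT_ACCEPT -j LOG --log-prefix "[IPTABLES OUT ACCEPT] : " --log-level debug --log-ip-options --log-tcp-options --log-tcp-sequence
-A LOG_OUT_ACCEPT -j ACCEPT
-N LOG_PING_ACCEPT
-A LOG_PING_ACCEPT -j LOG --log-prefix "[IPTABLES PING ACCEPT] : " --log-level debug --log-ip-options --log-tcp-options --log-tcp-sequence
-A LOG_PING_ACCEPT -j ACCEPT
# LOG_PINGDEATH: echo-requests are accepted (and logged) while they stay within
# either of the two rate limits; anything beyond that is logged and dropped.
-N LOG_PINGDEATH
-A LOG_PINGDEATH -m limit --limit 1/s --limit-burst 4 -j LOG_PING_ACCEPT
-A LOG_PINGDEATH -m limit --limit 12/m --limit-burst 5 -j LOG_PING_ACCEPT
-A LOG_PINGDEATH -j LOG --log-prefix "[IPTABLES PINGDEATH] : " --log-level debug --log-ip-options --log-tcp-options --log-tcp-sequence
-A LOG_PINGDEATH -j DROP
# LOG_INGRESS: used by FORWARD for packets that enter on the internal interface
# with a source address outside the internal network.
-N LOG_INGRESS
-A LOG_INGRESS -j LOG --log-prefix "[IPTABLES INGRESS] : " --log-level debug --log-tcp-options --log-ip-options --log-tcp-sequence
-A LOG_INGRESS -j DROP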
- チェッカールール用
# Per-service check chains, entered from Firewall-INPUT / Firewall-FORWARD for
# the matching destination port.
# HTTP_CHECK and MAIL_CHECK: a NEW connection first passes through the
# corresponding *_CHECKER chain (empty above, so it falls through), then
# NEW/RELATED/ESTABLISHED packets are accepted and whatever remains (i.e.
# state INVALID) goes to LOG_IN_DROP, which must exist as a log-and-DROP chain.
-N HTTP_CHECK
-A HTTP_CHECK -m state --state NEW -j HTTP_CHECKER
-A HTTP_CHECK -m state --state NEW,RELATED,ESTABLISHED -j LOG_HTTP_ACCEPT
-A HTTP_CHECK -j LOG_IN_DROP
-N MAIL_CHECK
-A MAIL_CHECK -m state --state NEW -j MAIL_CHECKER
-A MAIL_CHECK -m state --state NEW,RELATED,ESTABLISHED -j LOG_MAIL_ACCEPT
-A MAIL_CHECK -j LOG_IN_DROP
# NAME_CHECK has no state filter: every packet routed here is accepted.
-N NAME_CHECK
-A NAME_CHECK -m state --state NEW -j NAME_CHECKER
-A NAME_CHECK -j LOG_NAME_ACCEPT
- INPUT用Firewall
# Firewall-INPUT: filtering for traffic addressed to this host itself.
# NetBIOS/SMB ports are refused on the external link first, then the published
# services (HTTP, HTTPS, SMTP, DNS) are handed to their check chains regardless
# of the arrival interface, and everything from loopback or the internal
# interface is accepted.
# NOTE(review): every rule keys on destination port or interface only, so
# replies on ppp0 to connections this host opens itself (to an ephemeral local
# port) match nothing here, return to INPUT and end in its final LOG line and
# the DROP policy — confirm that is intended.
-N Firewall-INPUT
-A Firewall-INPUT -i ppp0 -p tcp -m multiport --dports 135,137,138,139,445 -j LOG_IN_DROP
-A Firewall-INPUT -i ppp0 -p udp -m multiport --dports 135,137,138,139,445 -j LOG_IN_DROP
-A Firewall-INPUT -p tcp -m tcp --dport 80 -j HTTP_CHECK
-A Firewall-INPUT -p tcp -m tcp --dport 443 -j HTTP_CHECK
-A Firewall-INPUT -p tcp -m tcp --dport 25 -j MAIL_CHECK
-A Firewall-INPUT -p tcp -m tcp --dport 53 -j NAME_CHECK
-A Firewall-INPUT -p udp -m udp --dport 53 -j NAME_CHECK
-A Firewall-INPUT -i lo -j LOG_IN_ACCEPT
-A Firewall-INPUT -i eth0 -j LOG_IN_ACCEPT
- INPUT用ルール
# INPUT: order matters. Fragments, and packets on ppp0 claiming a loopback or
# private (RFC 1918) source, are logged and dropped before any service rule is
# consulted; Firewall-INPUT then decides for the listed services, and
# echo-requests are rate-limited in LOG_PINGDEATH. The last rule only logs —
# the actual drop comes from the -P INPUT DROP policy.
# NOTE(review): ICMP types other than echo-request (e.g. error messages) are
# matched by no rule and therefore end up dropped as well.
-A INPUT -f -j LOG_FRAGMENT <-
-A INPUT -s 127.0.0.0/8 -i ppp0 -j LOG_SPOOFING <-
-A INPUT -s 10.0.0.0/8 -i ppp0 -j LOG_SPOOFING
-A INPUT -s 172.16.0.0/12 -i ppp0 -j LOG_SPOOFING
-A INPUT -s 192.168.0.0/16 -i ppp0 -j LOG_SPOOFING
-A INPUT -j Firewall-INPUT
-A INPUT -p icmp -m icmp --icmp-type echo-request -j LOG_PINGDEATH
-A INPUT -j LOG --log-prefix "[IPTABLES INPUT DROP] : " --log-level debug --log-tcp-options --log-ip-options --log-tcp-sequence <-ログ保管
- FORWARD用Firewall
# Firewall-FORWARD: filtering for traffic routed between eth0 and ppp0.
# NetBIOS/SMB is blocked on the external link in both directions (by
# destination port inbound, by source port outbound), the published services
# go to their check chains, and anything entering on the internal interface
# (NEW or already tracked) is accepted. The -i lo rule would not normally see
# forwarded traffic and is effectively a no-op.
# NOTE(review): as in Firewall-INPUT, traffic coming back on ppp0 for
# connections started from the LAN is matched only by destination port, so a
# reply addressed to a LAN client's ephemeral port falls through to FORWARD's
# final LOG and the DROP policy; a RELATED,ESTABLISHED accept for -i ppp0 is
# probably what was intended — confirm before deploying.
-N Firewall-FORWARD
-A Firewall-FORWARD -i ppp0 -p tcp -m multiport --dports 135,137,138,139,445 -j LOG_OUT_DROP <-NETBIOS
-A Firewall-FORWARD -i ppp0 -p udp -m multiport --dports 135,137,138,139,445 -j LOG_OUT_DROP <-NETBIOS
-A Firewall-FORWARD -o ppp0 -p tcp -m multiport --sports 135,137,138,139,445 -j LOG_OUT_DROP
-A Firewall-FORWARD -o ppp0 -p udp -m multiport --sports 135,137,138,139,445 -j LOG_OUT_DROP
-A Firewall-FORWARD -p tcp -m tcp --dport 80 -j HTTP_CHECK <-http
-A Firewall-FORWARD -p tcp -m tcp --dport 443 -j HTTP_CHECK <-https
-A Firewall-FORWARD -p tcp -m tcp --dport 25 -j MAIL_CHECK <-smtp
-A Firewall-FORWARD -p tcp -m tcp --dport 53 -j NAME_CHECK <-name-domain server
-A Firewall-FORWARD -p udp -m udp --dport 53 -j NAME_CHECK
-A Firewall-FORWARD -i lo -j LOG_FW_ACCEPT
-A Firewall-FORWARD -i eth0 -m state --state NEW -j LOG_FW_ACCEPT
-A Firewall-FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j LOG_FW_ACCEPT
- FORWARD用ルール
# FORWARD: clamp the MSS of new TCP connections (SYN without RST) to the path
# MTU, a common measure on PPP links with a reduced MTU; then the same fragment
# and anti-spoofing checks as INPUT, plus an ingress check: anything entering
# on eth0 with a source outside 192.168.1.0/24 is logged and dropped. The final
# rule only logs; the drop is the -P FORWARD DROP policy.
# NOTE(review): TCPMSS is usually placed in the mangle table — confirm the
# filter table accepts it on the iptables version in use.
-A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -f -j LOG_FRAGMENT
-A FORWARD -s 127.0.0.0/8 -i ppp0 -j LOG_SPOOFING
-A FORWARD -s 10.0.0.0/8 -i ppp0 -j LOG_SPOOFING
-A FORWARD -s 172.16.0.0/12 -i ppp0 -j LOG_SPOOFING
-A FORWARD -s 192.168.0.0/16 -i ppp0 -j LOG_SPOOFING
-A FORWARD ! -s 192.168.1.0/24 -i eth0 -j LOG_INGRESS
-A FORWARD -j Firewall-FORWARD
-A FORWARD -j LOG --log-prefix "[IPTABLES FORWARD DROP] : " --log-level debug --log-tcp-options --log-ip-options --log-tcp-sequence <-ログ保管
- OUTPUT用Firewall NETBIOS関係をはじめにDROP
# Firewall-OUTPUT: traffic originated by this host. NetBIOS/SMB is never sent
# over ppp0 (matched by destination and by source port); the listed service
# ports are allowed on any interface both as a client (--dport) and as server
# replies (--sport, no state check); NTP requests and all ICMP may leave; and
# loopback plus the internal interface are fully open.
-N Firewall-OUTPUT
-A Firewall-OUTPUT -o ppp0 -p tcp -m multiport --dports 135,137,138,139,445 -j LOG_OUT_DROP <-NETBIOS
-A Firewall-OUTPUT -o ppp0 -p udp -m multiport --dports 135,137,138,139,445 -j LOG_OUT_DROP <-NETBIOS
-A Firewall-OUTPUT -o ppp0 -p tcp -m multiport --sports 135,137,138,139,445 -j LOG_OUT_DROP
-A Firewall-OUTPUT -o ppp0 -p udp -m multiport --sports 135,137,138,139,445 -j LOG_OUT_DROP
-A Firewall-OUTPUT -p tcp -m tcp --dport 80 -j LOG_HTTP_ACCEPT <-http
-A Firewall-OUTPUT -p tcp -m tcp --sport 80 -j LOG_HTTP_ACCEPT
-A Firewall-OUTPUT -p tcp -m tcp --dport 443 -j LOG_HTTP_ACCEPT <-https
-A Firewall-OUTPUT -p tcp -m tcp --sport 443 -j LOG_HTTP_ACCEPT
-A Firewall-OUTPUT -p tcp -m tcp --dport 25 -j LOG_MAIL_ACCEPT <-smtp
-A Firewall-OUTPUT -p tcp -m tcp --sport 25 -j LOG_MAIL_ACCEPT
-A Firewall-OUTPUT -p udp -m udp --dport 53 -j LOG_NAME_ACCEPT <-name-domain server
-A Firewall-OUTPUT -p udp -m udp --sport 53 -j LOG_NAME_ACCEPT
-A Firewall-OUTPUT -p udp -m udp --dport 123 -j LOG_OUT_ACCEPT <-ntp
-A Firewall-OUTPUT -p icmp -m icmp --icmp-type any -j LOG_OUT_ACCEPT
-A Firewall-OUTPUT -o lo -j LOG_OUT_ACCEPT
-A Firewall-OUTPUT -o eth0 -j LOG_OUT_ACCEPT
- OUTPUT用ルール
# OUTPUT: delegate to Firewall-OUTPUT; whatever it did not accept is logged
# here and then dropped by the -P OUTPUT DROP policy.
-A OUTPUT -j Firewall-OUTPUT
-A OUTPUT -j LOG --log-prefix "[IPTABLES OUTPUT DROP] : " --log-level debug --log-tcp-options --log-ip-options --log-tcp-sequence <-ログ保管
- 最後に、間違った設定があるかも知れません。ご利用は自己責任でお願いいたします。
- すべてのアクセスログ保管を行う(debug)様に、記述していますが、
実際の運用で行うと、とんでもない量のアクセスログになってしまいます。
必要ないログは、-Dで削除してくださいね。