Security Settings
iptables provides a software firewall. It is important not to open ports you do not need. Check the current iptables configuration with the following command.
# /sbin/iptables -L
Confirm that inbound connections to every service other than ssh are blocked.
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
2 ACCEPT icmp -- anywhere anywhere
3 ACCEPT all -- anywhere anywhere
4 ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
5 REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
Here we allow HTTP and HTTPS traffic. Both rules are inserted at position 5, i.e. ahead of the catch-all REJECT rule, so they take effect.
# /sbin/iptables -I INPUT 5 -p tcp --dport http -j ACCEPT #HTTP
# /sbin/iptables -I INPUT 5 -p tcp --dport https -j ACCEPT #HTTPS
Check the resulting configuration.
# /sbin/iptables -L
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
2 ACCEPT icmp -- anywhere anywhere
3 ACCEPT all -- anywhere anywhere
4 ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
5 ACCEPT tcp -- anywhere anywhere tcp dpt:https
6 ACCEPT tcp -- anywhere anywhere tcp dpt:http
7 REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
Save the settings so they survive a reboot.
# /sbin/service iptables save
Confirm that the settings were saved.
# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.7 on Sun Mar 18 19:09:59 2012
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [51:5844]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Sun Mar 18 19:09:59 2012
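The procedure above (check, open 80 and 443, verify, save) ends with a manual read of the saved file. As an added example that is not part of the original post, the following POSIX shell script automates that last check: it parses a ruleset in iptables-save format and confirms that (a) the INPUT chain accepts only the TCP ports on an allow list and (b) the chain still ends in a catch-all REJECT/DROP, which is what protects everything the list does not cover. The ruleset below is a constructed copy of the page's /etc/sysconfig/iptables; on a real host you would feed the script the output of iptables-save or the saved file instead. It recognises only --dport rules (not -m multiport --dports), which is all the page's ruleset uses.

```shell
#!/bin/sh
# Added example: audit an iptables ruleset (iptables-save format).
# Constructed sample mirroring the page's saved ruleset.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [51:5844]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Print every destination port that an ACCEPT rule in INPUT opens,
# one per line. Reads a ruleset on stdin; handles --dport only.
accepted_ports() {
  awk '
    /^-A INPUT / && / -j ACCEPT/ {
      for (i = 1; i <= NF; i++)
        if ($i == "--dport") print $(i + 1)
    }'
}

# check_ports ALLOWLIST RULES
# Return 0 when every port INPUT accepts is in ALLOWLIST (space
# separated, e.g. "22 80 443"); otherwise list the offenders on
# stderr and return 1.
check_ports() {
  allow="$1"
  rules="$2"
  bad=""
  for p in $(printf '%s\n' "$rules" | accepted_ports); do
    case " $allow " in
      *" $p "*) ;;
      *) bad="$bad $p" ;;
    esac
  done
  if [ -n "$bad" ]; then
    printf 'unexpected open ports:%s\n' "$bad" >&2
    return 1
  fi
  return 0
}

# has_catchall RULES
# Return 0 when the last rule appended to INPUT is an unconditional
# REJECT or DROP, so traffic not matched above it is refused.
has_catchall() {
  printf '%s\n' "$1" | awk '
    /^-A INPUT / { last = $0 }
    END {
      if (last ~ /^-A INPUT -j (REJECT|DROP)/) exit 0
      exit 1
    }'
}

# audit_rules ALLOWLIST RULES: both checks in one call.
audit_rules() {
  check_ports "$1" "$2" && has_catchall "$2"
}

# Stand-alone run against the constructed sample.
# On a live host use:  audit_rules "22 80 443" "$(iptables-save)"
if audit_rules "22 80 443" "$SAMPLE_RULES"; then
  echo "ruleset OK: only 22, 80, 443 open; catch-all present"
else
  echo "ruleset FAILED audit"
fi
```

Run it after every change to the firewall (or from cron) and alert on a non-zero exit; a port that someone opened "temporarily" and forgot, or a deleted REJECT rule, shows up immediately rather than at the next manual review.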