{"id":472,"date":"2005-12-18T23:40:47","date_gmt":"2005-12-18T14:40:47","guid":{"rendered":"http:\/\/zone.maple4ever.net\/blog\/archives\/472\/"},"modified":"2005-12-19T00:06:38","modified_gmt":"2005-12-18T15:06:38","slug":"iptables-aeuth","status":"publish","type":"post","link":"http:\/\/zone.maple4ever.net\/blog\/archives\/472\/","title":{"rendered":"iptables \u3067\u82e6\u3057\u3080"},"content":{"rendered":"

\u4eca\u65e5\u306f Linux \u30ab\u30fc\u30cd\u30eb\u6a19\u6e96\u306e\u30d1\u30b1\u30c3\u30c8\u30d5\u30a3\u30eb\u30bf\u30fc\/NAT \u6a5f\u80fd\u3067\u3042\u308b\u3001iptables \u3067\u82e6\u3057\u307f\u307e\u3057\u305f\u3002<\/p>\n

\u3084\u308a\u305f\u304b\u3063\u305f\u3053\u3068\u306f\u3001\u5bb6\u306eLinux PC \u306b\u30a4\u30f3\u30bf\u30fc\u30cd\u30c3\u30c8\u8d8a\u3057\u3001”IP \u30a2\u30c9\u30ec\u30b9\u6307\u5b9a” \u3067\u63a5\u7d9a\u8a31\u53ef\u3092\u3057\u305f\u3044\u3068\u3044\u3046\u3053\u3068\u3067\u3057\u305f\u3002\u3000\u30a4\u30f3\u30bf\u30fc\u30cd\u30c3\u30c8\u63a5\u7d9a\u306b\u4f7f\u3063\u3066\u3044\u308b\u3001\u3044\u308f\u3086\u308b\u30d6\u30ed\u30fc\u30c9\u30d0\u30f3\u30c9\u30eb\u30fc\u30bf\u306b\u3082\u30d5\u30a3\u30eb\u30bf\u30fc\u6a5f\u80fd\u304c\u3042\u308a\u307e\u3059\u304c\u3001\u5bb6\u306e\u306f\u30dd\u30fc\u30c8\u30d5\u30a3\u30eb\u30bf\u30fc\u3060\u3051\u306e\u3088\u3046\u3067 IP \u30a2\u30c9\u30ec\u30b9\u306f\u6307\u5b9a\u3067\u304d\u307e\u305b\u3093\u3002<\/p>\n

\u3068\u3044\u3046\u3053\u3068\u3067\u3001Linux \u306e iptables \u3092\u767b\u5834\u3055\u305b\u307e\u3057\u305f\u3002\u3000\u63a5\u7d9a\u3057\u305f\u3044 Linux \u81ea\u4f53\u306b iptables \u3067\u30d5\u30a3\u30eb\u30bf\u30fc\u30eb\u30fc\u30eb\u3092\u767b\u9332\u3057\u3066\u307f\u307e\u3057\u305f\u3002\uff08\u30db\u30f3\u30c8\u306f\u9055\u3046\u30de\u30b7\u30f3\u3067\u52d5\u304b\u3057\u305f\u65b9\u304c\u3044\u3044\u306e\u3067\u3059\u304c\u3001\u3053\u308c\u4ee5\u4e0a PC \u8d77\uff08\u3042\uff09\u3052\u305f\u3089\u30d6\u30ec\u30fc\u30ab\u843d\u3061\u307e\u3059 \ud83d\ude1b<\/p>\n

\u4f55\u3068\u304b\u8a2d\u5b9a\u3067\u304d\u305f\u3088\u3046\u306a\u306e\u3067\u3059\u304c\u3001\u307e\u3060\u3044\u307e\u3044\u3061\u5206\u304b\u3063\u3066\u3044\u306a\u3044\u306e\u3067\u4eca\u5f8c\u306e\u305f\u3081\u306b\u3001\u30e1\u30e2\u3002<\/p>\n

\u307e\u305a\u306f\u57fa\u672c\u7684\u306a\u30b3\u30de\u30f3\u30c9\u3002<\/p>\n

\niptables -nvxL : ACCEPT\/DROP \u30d1\u30b1\u30c3\u30c8\u7d71\u8a08\u3092\u307f\u308b
\niptables -F : \u73fe\u5728\u30e1\u30e2\u30ea\u306b\u5b58\u5728\u3057\u3066\u3044\u308b\u30eb\u30fc\u30eb\u3092\u30d5\u30e9\u30c3\u30b7\u30e5\u3059\u308b
\niptables -L : \u73fe\u5728\u30e1\u30e2\u30ea\u306b\u5b58\u5728\u3057\u3066\u3044\u308b\u30eb\u30fc\u30eb\u3092\u8868\u793a\u3059\u308b
\n\/etc\/init.d\/iptables save : \u30e1\u30e2\u30ea\u306e\u5185\u5bb9\u3092\u30d5\u30a1\u30a4\u30eb\u306b\u4fdd\u5b58\u3059\u308b\n<\/p><\/blockquote>\n

\u3068\u308a\u3042\u3048\u305a\u4e0a\u8a18\u304c\u3042\u308c\u3070\u4f55\u3068\u304b\u306a\u308a\u305d\u3046\u3067\u3059\u3002\u3000\u3042\u3068\u306f iptable \u30b3\u30de\u30f3\u30c9\u3067\u3072\u3068\u3064\u305a\u3064\u30eb\u30fc\u30eb\u3092\u8ffd\u52a0\u3057\u3066\u3044\u304d\u307e\u3059\u3002\u3000\u8a2d\u5b9a\u306f\u5373\u5ea7\u306b\u53cd\u6620\u3055\u308c\u307e\u3059\u306e\u3067\u3001\u30ea\u30e2\u30fc\u30c8\u304b\u3089\u8a2d\u5b9a\u3059\u308b\u5834\u5408\u306f\u6ce8\u610f\u3057\u3066\u304f\u3060\u3055\u3044\u3002\u3000\u9593\u9055\u3046\u3068\u30ea\u30e2\u30fc\u30c8\u304b\u3089\u8a2d\u5b9a\u4e0d\u80fd\u306b\u306a\u308a\u3001\u30e2\u30cb\u30bf\u3084\u3089\u30ad\u30fc\u30dc\u30fc\u30c9\u3092\u3064\u306a\u3050\u306f\u3081\u306b\u306a\u308a\u307e\u3059\u3002\uff08\u2190\u9593\u9055\u3048\u305f\u3084\u3064<\/p>\n

\u307e\u305a\u306f\u3001\u30d5\u30a3\u30eb\u30bf\u30fc\u306e INPUT \/ OUTPUT \/ FORWARD \u306b\u5bfe\u3057\u3066\u5168\u4f53\u30dd\u30ea\u30b7\u30fc\u3092\u6c7a\u3081\u307e\u3059\u3002 Apache  .htaccess \u306e deny from all \u3068\u304b accept from all \u307f\u305f\u3044\u306a\u3082\u3093\u3067\u3059\u3002<\/p>\n

  1.  \/<\/span>sbin<\/span>\/i<\/span>ptables<\/span> -<\/span>P INPUT DROP<\/span>\r<\/span><\/li>\n
  2.  \/<\/span>sbin<\/span>\/i<\/span>ptables<\/span> -<\/span>P FORWARD DROP<\/span>\r<\/span><\/li>\n
  3.  \/<\/span>sbin<\/span>\/i<\/span>ptables<\/span> -<\/span>P OUTPUT ACCEPT<\/span><\/li><\/ol><\/div>\n

    INPUT \u306b\u5bfe\u3057\u3066\u57fa\u672c DROP (\u63a5\u7d9a\u30c0\u30e1\uff09\u306e\u8a2d\u5b9a\u3092\u3057\u307e\u3059\u3002\u3000\u3053\u308c\u3067\u3053\u306e Linux \u306b\u5bfe\u3057\u3066\u306e\u5168\u3066\u306e\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u63a5\u7d9a\u304c\u4e0d\u8a31\u53ef\u306b\u306a\u308a\u307e\u3059\u3002 \u9006\u306b OUTPUT \u306f\u57fa\u672c ACCEPT (\u8a31\u53ef) \u306b\u3057\u3066\u3044\u307e\u3059\u3002 FORWARD \u306f\u4f7f\u308f\u306a\u3044\u306e\u3067 DROP\u3002<\/p>\n

    \u6b21\u306b INPUT\u306b\u5bfe\u3057\u3066\u63a5\u7d9a\u306e\u8a31\u53ef\u3092\u3072\u3068\u3064\u305a\u3064\u8ffd\u52a0\u3057\u3066\u3044\u304d\u307e\u3059\u3002\u307e\u305a\u306f\u30ed\u30fc\u30ab\u30eb\u30eb\u30fc\u30d7\u30d0\u30c3\u30af\u3068\u3001\u63a5\u7d9a\u6e08\u307f\u30bb\u30c3\u30b7\u30e7\u30f3\u3092\u8a31\u53ef\u3059\u308b\u8a2d\u5b9a\u3092\u3057\u307e\u3059\u3002<\/p>\n

    1.  \/<\/span>sbin<\/span>\/i<\/span>ptables<\/span> -<\/span>A INPUT<\/span> -<\/span>i lo<\/span> -<\/span>s <\/span>127.0.0.1<\/span> \r<\/span><\/li>\n
    2.    -<\/span>d <\/span>127.0.0.1<\/span> -<\/span>j ACCEPT<\/span>\r<\/span><\/li>\n
    3.  \/<\/span>sbin<\/span>\/i<\/span>ptables<\/span> -<\/span>A INPUT<\/span> -<\/span>i eth1<\/span>\r<\/span><\/li>\n
    4.    -<\/span>m state<\/span> --<\/span>state ESTABLISH<\/span>,<\/span>RELATED<\/span> -<\/span>j ACCEPT<\/span><\/li><\/ol><\/div>\n

      1\u884c\u76ee\u306f Linux \u30b5\u30fc\u30d0”\u5185”\u3067\u306e\u30ed\u30fc\u30ab\u30eb\u901a\u4fe1\u3092\u8a31\u53ef\u3057\u3066\u3044\u307e\u3059\u3002\u30002\u884c\u76ee\u304c\u65e2\u306b\u63a5\u7d9a\u304c\u78ba\u7acb\u3055\u308c\u3066\u3044\u308b\u30bb\u30c3\u30b7\u30e7\u30f3(ESTABLISH) \u3068\u3001\u305d\u308c\u306b\u95a2\u9023\u3059\u308b\u901a\u4fe1(RELATED) \u306e\u901a\u4fe1\u3092\u8a31\u53ef\u3057\u3066\u3044\u307e\u3059\u3002<\/p>\n

      \u5b9f\u306f2\u884c\u76ee\u306e\u8a18\u8ff0\u304c\u3044\u307e\u3044\u3061\u5206\u304b\u3089\u306a\u304f\u30fb\u30fb\u30fb\u3001\u3068\u308a\u3042\u3048\u305a\u3053\u306e\u8a18\u8ff0\u304c\u306a\u3044\u3068\u30bb\u30c3\u30b7\u30e7\u30f3\u958b\u59cb\u6642\u5f8c\u306e\u53cd\u5fdc\u304c\u3082\u306e\u3059\u3054\u3044\u60aa\u304f\u306a\u308a\u307e\u3057\u305f\u3002\u3000\u306a\u304f\u3066\u3082\u3044\u3044\u3088\u3046\u306a\u6c17\u304c\u3059\u308b\u306e\u3067\u3059\u304c\u3001\u6280\u8853\u529b\u4e0d\u8db3\u3067\u8b0e\u306e\u307e\u307e\u3067\u3059\u3002\u3000\u5206\u304b\u308b\u65b9\u3044\u307e\u3057\u305f\u3089\u662f\u975e\u6559\u3048\u3066\u304f\u3060\u3055\u3044\u3002 \ud83d\ude42<\/p>\n

      \u6b21\u3067 LAN \u4e0a\u306e PC \u304b\u3089\u306e\u30a2\u30af\u30bb\u30b9\u3092\u8a31\u53ef\u3059\u308b\u8a2d\u5b9a\u3092\u3057\u307e\u3057\u305f\u3002<\/p>\n

      1.  \/<\/span>sbin<\/span>\/i<\/span>ptables<\/span> -<\/span>A INPUT<\/span> -<\/span>i eth1<\/span>\r<\/span><\/li>\n
      2.    -<\/span>s <\/span>192.168.0.0<\/span>\/<\/span>24 -p all -j ACCEPT<\/span><\/li><\/ol><\/div>\n

        \u666e\u901a\u306f eth1 \u3058\u3083\u306a\u304f\u3066 eth0 \u3060\u3068\u601d\u3046\u306e\u3067\u6ce8\u610f\u3067\u3059\u3002\uff08LAN \u30ab\u30fc\u30c92\u679a\u3055\u3057\u3066\u3044\u308b\u306e\u3067\u3059\uff09<\/p>\n

        \u3067\u3082\u3063\u3066\u3001\u4eca\u56de\u306e\u76ee\u7684\u306e WAN \u306e IP \u30a2\u30c9\u30ec\u30b9\u3068\u30dd\u30fc\u30c8\u30d5\u30a3\u30eb\u30bf\u30fc\u306e\u8a2d\u5b9a\u3067\u3059\u3002<\/p>\n

        1.  \/<\/span>sbin<\/span>\/i<\/span>ptables<\/span> -<\/span>A INPUT<\/span> -<\/span>i eth1<\/span> \r<\/span><\/li>\n
        2.    -<\/span>s <\/span>[<\/span>\u8a31\u53ef\u3059\u308b<\/span>IP Address<\/span>]<\/span>\r<\/span><\/li>\n
        3.    -<\/span>d <\/span>[<\/span>\u81ea\u5206\u306e<\/span>IP Address<\/span>]<\/span>\r<\/span><\/li>\n
        4.    -<\/span>p tcp<\/span>\r<\/span><\/li>\n
        5.    --<\/span>dport <\/span>[<\/span>PORT<\/span>\u756a\u53f7<\/span>]<\/span> -<\/span>j ACCEPT<\/span><\/li><\/ol><\/div>\n

          \u3053\u3093\u306a\u611f\u3058\u3067\u3057\u3066\u307f\u307e\u3059\u3002<\/p>\n

          \u6700\u5f8c\u306b DROP \u30ed\u30b0\u3092\u53d6\u5f97\u3059\u308b\u8a2d\u5b9a\u3092\u3057\u3066\u307f\u307e\u3057\u305f\u3002<\/p>\n

          1.  \/<\/span>sbin<\/span>\/i<\/span>ptables<\/span> -<\/span>A INPUT<\/span> -<\/span>j LOG<\/span> \r<\/span><\/li>\n
          2.    --<\/span>log<\/span>-<\/span>prefix <\/span>"<\/span>iptables: <\/span>"<\/span> --<\/span>log<\/span>-<\/span>level<\/span>=<\/span>3<\/span> -<\/span>m limit<\/span>\r<\/span><\/li>\n
          3.    --<\/span>limit <\/span>1<\/span>\/<\/span>s --limit-burst 10<\/span><\/li><\/ol><\/div>\n

            \u3053\u308c\u3067\u3001\/var\/log\/messages \u3068\u304b\u306b iptabels \u306b\u305f\u305f\u304d\u304a\u3068\u3055\u308c\u305f\u30ed\u30b0\u304c\u51fa\u307e\u3059\u3002\u3000\u3042\u3068\u306f\u3001save \u3057\u3066 restart \u3057\u3066\u304a\u3057\u307e\u3044\u3067\u3059\u3002<\/p>\n

            \u4e00\u5fdc\u81ea\u5206\u3067\u30a2\u30bf\u30c3\u30af\u3057\u305f\u9650\u308a\u306f\u5927\u4e08\u592b\u3067\u3057\u305f\u304c\u30fb\u30fb\u30fb\u3002\u3000\u3042\u3093\u307e\u308a\u77e5\u8b58\u304c\u306a\u3044\u306e\u3067\u4e0d\u5b89\u3067\u3059\u3002\u3000\u8a73\u3057\u3044\u65b9\u3044\u3089\u3063\u3057\u3083\u3063\u305f\u3089\u6559\u3048\u3066\u304f\u3060\u3055\u3044\u3002<\/p>\n","protected":false},"excerpt":{"rendered":"

            \u4eca\u65e5\u306f Linux \u30ab\u30fc\u30cd\u30eb\u6a19\u6e96\u306e\u30d1\u30b1\u30c3\u30c8\u30d5\u30a3\u30eb\u30bf\u30fc\/NAT \u6a5f\u80fd\u3067\u3042\u308b\u3001iptables \u3067\u82e6\u3057\u307f\u307e\u3057\u305f\u3002 \u3084\u308a\u305f\u304b\u3063\u305f\u3053\u3068\u306f\u3001\u5bb6\u306eLinux PC \u306b\u30a4\u30f3\u30bf\u30fc\u30cd\u30c3\u30c8\u8d8a\u3057\u3001”IP \u30a2\u30c9\u30ec\u30b9\u6307\u5b9a” \u3067\u63a5\u7d9a\u8a31\u53ef\u3092\u3057\u305f\u3044\u3068\u3044\u3046\u3053\u3068\u3067\u3057\u305f\u3002\u3000\u30a4\u30f3\u30bf\u30fc\u30cd\u30c3\u30c8\u63a5\u7d9a\u306b\u4f7f\u3063\u3066\u3044\u308b\u3001\u3044\u308f\u3086\u308b\u30d6\u30ed\u30fc\u30c9\u30d0\u30f3\u30c9\u30eb\u30fc\u30bf\u306b\u3082…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[1],"tags":[],"_links":{"self":[{"href":"http:\/\/zone.maple4ever.net\/blog\/wp-json\/wp\/v2\/posts\/472"}],"collection":[{"href":"http:\/\/zone.maple4ever.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/zone.maple4ever.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/zone.maple4ever.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/zone.maple4ever.net\/blog\/wp-json\/wp\/v2\/comments?post=472"}],"version-history":[{"count":0,"href":"http:\/\/zone.maple4ever.net\/blog\/wp-json\/wp\/v2\/posts\/472\/revisions"}],"wp:attachment":[{"href":"http:\/\/zone.maple4ever.net\/blog\/wp-json\/wp\/v2\/media?parent=472"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/zone.maple4ever.net\/blog\/wp-json\/wp\/v2\/categories?post=472"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/zone.maple4ever.net\/blog\/wp-json\/wp\/v2\/tags?post=472"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}