[iptables]

TA/Common 2012. 12. 24. 11:15

1. Check whether hosts.allow or hosts.deny already contains entries that block access

2. Disable iptables

    $> /etc/init.d/iptables stop

 

3. Apply new rules (example)

    $> vi /etc/sysconfig/iptables

    # Generated by iptables-save v1.3.5 on Tue Sep 18 17:55:36 2012
    # Comments must be on their own lines: iptables-restore only skips lines that begin with '#'.
    *filter
    :INPUT ACCEPT [454:58836]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [735:221237]
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -p icmp -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    # allow access from a specific IP
    -A INPUT -s XXX.XXX.XXX.XXX -j ACCEPT
    # allow access from a class C network
    -A INPUT -s XXX.XXX.XXX.0/255.255.255.0 -j ACCEPT
    # allow access from a specified IP range (hosts 1 to 60)
    -A INPUT -m iprange --src-range XXX.XXX.XXX.1-XXX.XXX.XXX.60 -j ACCEPT
    # allow access to a specific port from all IPs
    -A INPUT -m tcp -p tcp --dport 7201 -j ACCEPT
    -A INPUT -j LOG --log-level 4
    -A INPUT -j REJECT --reject-with icmp-host-prohibited
    -A FORWARD -j REJECT --reject-with icmp-host-prohibited
    COMMIT

4. Apply run levels

    $> chkconfig --level 345 iptables on

5. Apply chattr

    $> chattr +i /etc/sysconfig/iptables

6. Start iptables

    $> /etc/init.d/iptables start

7. Verify the applied rules

    $> iptables -vnL
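Before step 5 makes the file immutable with chattr +i (after which it has to be released with chattr -i before any further edit), the rules file can be linted for the things the procedure above depends on. The script below is an added example, not from the original post: it assumes the single-table *filter ... COMMIT layout of step 3, needs only POSIX sh, grep and awk, and runs on a constructed copy of that file in which 192.0.2.0/24 documentation addresses stand in for the XXX placeholders, so no live firewall is touched.

```shell
#!/bin/sh
# Pre-flight lint for an /etc/sysconfig/iptables file in iptables-save format.
# Added example (not from the original post). Assumes the *filter ... COMMIT
# layout of step 3. Exit status 0 = all checks passed; findings go to stderr.

lint_iptables_rules() {
    file="$1"
    status=0

    # iptables-restore requires a table header and a closing COMMIT.
    grep -q '^\*filter' "$file" || { echo "$file: missing *filter header" >&2; status=1; }
    grep -q '^COMMIT'   "$file" || { echo "$file: missing COMMIT" >&2; status=1; }

    # iptables-restore only skips lines that BEGIN with '#'. A comment appended
    # to a rule is fed to the rule parser and aborts the restore, so the whole
    # ruleset would fail to load at boot.
    if grep -v '^[[:space:]]*#' "$file" | grep -q '#'; then
        echo "$file: inline comment after a rule; move it to its own line" >&2
        status=1
    fi

    # Loopback and reply traffic must be accepted, otherwise local services and
    # answers to outbound connections are cut off by the final REJECT.
    grep -q -e '-A INPUT -i lo -j ACCEPT' "$file" \
        || { echo "$file: no loopback ACCEPT rule" >&2; status=1; }
    grep -q -e '--state RELATED,ESTABLISHED -j ACCEPT' "$file" \
        || { echo "$file: no RELATED,ESTABLISHED ACCEPT rule" >&2; status=1; }

    # The INPUT chain must end in a default deny (REJECT or DROP); a LOG rule
    # directly before it keeps refused connections visible in the kernel log.
    tail_state=$(awk '/^-A INPUT/ { prev = cur; cur = $0 }
        END {
            deny   = (cur  ~ /-j (REJECT|DROP)/)
            logged = (prev ~ /-j LOG/)
            res = (deny ? "deny" : "open") "-" (logged ? "logged" : "unlogged")
            print res
        }' "$file")
    case "$tail_state" in
        deny-logged)   ;;
        deny-unlogged) echo "$file: no LOG rule before the final REJECT/DROP" >&2; status=1 ;;
        *)             echo "$file: INPUT chain does not end with REJECT/DROP" >&2; status=1 ;;
    esac

    return "$status"
}

# Constructed rules file modelled on step 3; 192.0.2.10 is a documentation
# address standing in for the post's XXX.XXX.XXX.XXX placeholder.
write_good_rules() {
    cat > "$1" <<'EOF'
# Generated by iptables-save (constructed sample)
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
# allow one management host and one application port
-A INPUT -s 192.0.2.10 -j ACCEPT
-A INPUT -m tcp -p tcp --dport 7201 -j ACCEPT
-A INPUT -j LOG --log-level 4
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Constructed file with two defects the lint must catch: a trailing comment on
# a rule, and an INPUT chain that never reaches a REJECT/DROP.
write_bad_rules() {
    cat > "$1" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.0.2.10 -j ACCEPT   # allow a specific IP
-A INPUT -j LOG --log-level 4
COMMIT
EOF
}

# Stand-alone demo on the constructed files.
demo=$(mktemp)
write_good_rules "$demo"
if lint_iptables_rules "$demo"; then echo "good sample: passes"; fi
write_bad_rules "$demo"
if ! lint_iptables_rules "$demo"; then echo "bad sample: rejected"; fi
rm -f "$demo"
```

On a real host, run `lint_iptables_rules /etc/sysconfig/iptables` after editing in step 3 and before chattr +i in step 5; a non-zero exit means the file should not be locked or loaded yet.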

 

<Rocks cluster case>

1. On the master, apply the steps above

2. Apply to the compute nodes

    $> cp /etc/sysconfig/iptables /export/
    $> rocks run host "mount -t nfs XXX.XXX.XXX(master IP):/export /mnt"
    $> chmod 644 /export/iptables
    $> rocks run host "cp /mnt/iptables /etc/sysconfig/"
    $> rocks run host "umount /mnt"
    $> rocks run host "chkconfig --level 345 iptables on"
    $> rocks run host "chattr +i /etc/sysconfig/iptables"
    $> rocks run host "/etc/init.d/iptables start"
    $> rocks run host "hostname;iptables -nvL | grep something"
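The last command eyeballs one rule per node. A tighter check is to compare the checksum of every node's /etc/sysconfig/iptables against the master's copy, so a node that kept a stale file or never received it shows up by name. The script below is an added example, not from the original post. It assumes the output of `rocks run host "hostname; md5sum /etc/sysconfig/iptables"` arrives as a hostname line followed by one md5sum line per node (the same shape as the post's `hostname;iptables -nvL` pattern) with md5sum's stderr merged via 2>&1; the sample output and the master checksum are constructed so the demo runs offline without rocks.

```shell
#!/bin/sh
# Consistency check for the rules pushed to the compute nodes.
# Added example (not from the original post). Assumes rocks run host output of
# the form "<hostname>\n<md5sum line>" per node, stderr merged with 2>&1.

# Constructed checksum standing in for md5sum /etc/sysconfig/iptables on the master.
MASTER_SUM=0123456789abcdef0123456789abcdef

# Read rocks output on stdin; print "<host> differs" when the node's file has a
# different hash and "<host> missing" when md5sum could not read it.
find_drift() {
    awk -v want="$1" '
        NF == 1         { host = $1; next }                 # bare hostname line
        $1 == "md5sum:" { print host " missing"; next }     # md5sum error line
        length($1) == 32 && $1 ~ /^[0-9a-f]+$/ {            # "<hash>  <path>"
            if ($1 != want) print host " differs"
        }'
}

# Constructed sample of what the cluster would return: two nodes in sync, one
# with a stale copy of the file, one where the file was never copied.
sample_rocks_output() {
    cat <<'EOF'
compute-0-0
0123456789abcdef0123456789abcdef  /etc/sysconfig/iptables
compute-0-1
ffffffffffffffffffffffffffffffff  /etc/sysconfig/iptables
compute-0-2
0123456789abcdef0123456789abcdef  /etc/sysconfig/iptables
compute-0-3
md5sum: /etc/sysconfig/iptables: No such file or directory
EOF
}

# Live use on the master (not run in the demo): every node is compared against
# the master's own rules file.
check_cluster_rules() {
    rocks run host "hostname; md5sum /etc/sysconfig/iptables" 2>&1 \
        | find_drift "$(md5sum /etc/sysconfig/iptables | awk '{ print $1 }')"
}

# Stand-alone demo on the constructed sample; prints the two out-of-sync nodes.
sample_rocks_output | find_drift "$MASTER_SUM"
```

Nodes that print nothing are in sync; a "missing" node was skipped by the copy step (for instance because the NFS mount failed there), and a "differs" node still has an older file, which the chattr +i from the previous step will protect unless it is released first.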

Posted by 옥탑방람보