<<References>>
http://homeserver.seesaa.net/article/5049375.html
Set this up later so that a terminal can be connected from outside.
http://yakinikunotare.boo.jp/orebase/index.php?Linux%2F%A5%D5%A5%A1%A5%A4%A5%A2%A1%BC%A5%A6%A5%A9%A1%BC%A5%EB%A4%CE%C0%DF%C4%EA
Result
#■ Check the current configuration
sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
-------------------------------------------------------------------
Explanation
Chain INPUT (Policy ACCEPT)
target prot opt source destination
Chain FORWARD (Policy ACCEPT)
target prot opt source destination
Chain OUTPUT (Policy ACCEPT)
target prot opt source destination
・Chain INPUT: rules for packets coming in
・Chain FORWARD: rules for packets being forwarded
・Chain OUTPUT: rules for packets going out
The policy is ACCEPT, so by default everything is allowed.
-------------------------------------------------------------------
Exactly the same (゚◇゚;)mgd?
Well, I haven't configured anything yet, so of course it is...
sudo iptables -A INPUT -p tcp --dport 20 -j ACCEPT
sudo iptables -A INPUT -p tcp --sport 20 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 21 -j ACCEPT
sudo iptables -A INPUT -p tcp --sport 21 -j ACCEPT
#■↓ Result after adding
========================================================================
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp-data
ACCEPT tcp -- anywhere anywhere tcp spt:ftp-data
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere tcp spt:ftp
ACCEPT tcp -- anywhere anywhere tcp spt:ftp-data
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere tcp spt:ftp
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
========================================================================
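The listing above has seven rules although only four commands were run: three of the FTP rules appear twice. iptables does not deduplicate, so appending the same -A command a second time simply adds a second copy, and each copy has to be removed separately. The script below is an added example, not part of the original post: it reads an `iptables -L` listing on standard input and reports every rule that occurs more than once within its chain. The embedded sample listing is a constructed copy of the output shown above, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): report rules that were
# appended more than once to the same chain in an "iptables -L" listing.

# Constructed sample: a copy of the post's listing after the FTP rules
# were appended (three of them twice).
SAMPLE_LISTING='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ftp-data
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:ftp-data
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:ftp
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:ftp-data
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:ftp
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

# Read a listing on stdin; print "<count> <chain>\t<rule>" for every rule
# that appears more than once in its chain.
find_duplicate_rules() {
    awk '
        /^Chain /  { chain = $2; next }   # remember the chain we are in
        /^target / { next }               # skip the column header line
        NF == 0    { next }               # skip blank lines
        {
            $1 = $1                       # collapse runs of whitespace
            seen[chain "\t" $0]++
        }
        END {
            for (k in seen) if (seen[k] > 1) print seen[k], k
        }
    '
}

# Number of distinct duplicated rules in the sample listing.
count_sample_duplicates() {
    printf '%s\n' "$SAMPLE_LISTING" | find_duplicate_rules | wc -l | tr -d ' '
}

# Stand-alone run: show the duplicates in the sample.
# On a live system use:  sudo iptables -L -n | find_duplicate_rules
printf '%s\n' "$SAMPLE_LISTING" | find_duplicate_rules
```

For the sample this prints three lines (spt:ftp-data, dpt:ftp and spt:ftp, each with count 2); dpt:ftp-data is not reported because it was only appended once. `iptables -D` removes one matching rule per call, so a rule that appears twice needs one -D for each extra copy.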
#■ WEB (port 80) / allow traffic to the web server
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -p tcp --sport 80 -j ACCEPT
↓ Result after adding
========================================================================
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp-data
ACCEPT tcp -- anywhere anywhere tcp spt:ftp-data
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere tcp spt:ftp
ACCEPT tcp -- anywhere anywhere tcp spt:ftp-data
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere tcp spt:ftp
ACCEPT tcp -- anywhere anywhere tcp dpt:www
ACCEPT tcp -- anywhere anywhere tcp spt:www
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
========================================================================
POP (port 110) / allow incoming mail
sudo iptables -A INPUT -p tcp --dport 110 -j ACCEPT
sudo iptables -A INPUT -p tcp --sport 110 -j ACCEPT
↓■ Result after adding
========================================================================
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp-data
ACCEPT tcp -- anywhere anywhere tcp spt:ftp-data
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere tcp spt:ftp
ACCEPT tcp -- anywhere anywhere tcp spt:ftp-data
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere tcp spt:ftp
ACCEPT tcp -- anywhere anywhere tcp dpt:www
ACCEPT tcp -- anywhere anywhere tcp spt:www
ACCEPT tcp -- anywhere anywhere tcp dpt:pop3
ACCEPT tcp -- anywhere anywhere tcp spt:pop3
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
========================================================================
SMTP (port 25) / allow outgoing mail
sudo iptables -A INPUT -p tcp --dport 25 -j ACCEPT
sudo iptables -A INPUT -p tcp --sport 25 -j ACCEPT
↓ Result after adding
========================================================================
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp-data
ACCEPT tcp -- anywhere anywhere tcp spt:ftp-data
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere tcp spt:ftp
ACCEPT tcp -- anywhere anywhere tcp spt:ftp-data
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere tcp spt:ftp
ACCEPT tcp -- anywhere anywhere tcp dpt:www
ACCEPT tcp -- anywhere anywhere tcp spt:www
ACCEPT tcp -- anywhere anywhere tcp dpt:pop3
ACCEPT tcp -- anywhere anywhere tcp spt:pop3
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere tcp spt:smtp
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
========================================================================
■ For FTP
sudo iptables -A OUTPUT -p tcp -m state --state NEW --dport 20 -j ACCEPT
sudo iptables -A OUTPUT -p udp -m state --state NEW --dport 20 -j ACCEPT
sudo iptables -A OUTPUT -p tcp -m state --state NEW --dport 21 -j ACCEPT
sudo iptables -A OUTPUT -p udp -m state --state NEW --dport 21 -j ACCEPT
■ Result
-L lists the rules; -n stops the IP addresses being reverse-resolved through DNS. It is optional, but the listing appears faster with it.
sudo iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:20
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:20
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:21
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:20
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:21
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:80
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:110
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:110
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:25
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:25
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:20
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:20
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:21
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:21
In this state everything seems to have been wide open from the start, so I'm beginning to think this is all meaningless... ( ゚д゚) *blank stare*
"-A" is short for append; it is the option for adding a rule. To delete a rule you have set, replace the "-A" with "-D" (delete).
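The suspicion above is correct: while the INPUT chain's policy is ACCEPT, every ACCEPT rule appended to it is redundant, because a packet that matches none of them is accepted by the policy anyway. The rules only do any work once the policy is DROP. The script below is an added example, not from the original post or the pages it references, of that structure: loopback and connection-tracked return traffic are accepted first, then new connections to a list of service ports, and the DROP policy is set last. It replaces the post's --sport rules with a conntrack ESTABLISHED,RELATED match, since the source port of an incoming packet is chosen by the remote side and does not identify return traffic. The IPT variable, the dry-run mode (IPT=echo) and the port list (the post's services plus ssh on 22, which the post plans to open later) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the original post: a default-deny INPUT chain
# in which ACCEPT rules actually have an effect.
# IPT is an assumption of this example; set IPT=echo to print the commands
# instead of running them (a dry run needs no root).
IPT="${IPT:-iptables}"

# Ports that accept new inbound TCP connections: the post's FTP, SMTP, WEB
# and POP services, plus ssh (22). Assumed list; adjust to what the host runs.
SERVICE_PORTS="20 21 22 25 80 110"

apply_rules() {
    # Reset the policy to ACCEPT before flushing, so an administrator logged
    # in over ssh is not cut off while the chain is being rebuilt.
    $IPT -P INPUT ACCEPT
    $IPT -F INPUT

    # Loopback traffic never leaves the host; accept it unconditionally.
    $IPT -A INPUT -i lo -j ACCEPT

    # Replies to connections this host initiated, and related flows such as
    # FTP data connections (with the nf_conntrack_ftp helper loaded), are
    # identified by connection tracking. This replaces every --sport rule.
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # New inbound connections are accepted only on the listed service ports.
    for port in $SERVICE_PORTS; do
        $IPT -A INPUT -p tcp --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
    done

    # Policy last: anything not matched above is now dropped.
    $IPT -P INPUT DROP
}

# Dry run: print the commands apply_rules would execute, without root.
show_rules() {
    ( IPT=echo; apply_rules )
}

# Number of rules appended to INPUT, for a sanity check of the rule set.
count_appended_rules() {
    show_rules | grep -c -- '-A INPUT'
}

# Run with "--dry-run" to only print the rules; otherwise call apply_rules
# yourself (as root) once the port list matches the host.
if [ "${1:-}" = "--dry-run" ]; then
    show_rules
fi
```

The dry run prints eight -A INPUT lines, starting with -P INPUT ACCEPT and ending with -P INPUT DROP, and contains no --sport rule. On systems that have no /etc/init.d/iptables, the active rule set is persisted with `iptables-save > file` and restored with `iptables-restore < file`.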
■ Addendum
http://murayama.hatenablog.com/entry/20100206/1265444193
Initializing iptables
Run the iptables --flush command.
[root@localhost ~]# iptables --flush
The output of iptables --list shows that the configuration has been reset.
http://sato-si.at.webry.info/200703/article_2.html
Clear the rules
iptables -F
When a connection comes in, accept everything
iptables -P INPUT ACCEPT
This one is for routers, so do not accept
iptables -P FORWARD DROP
Connections from this host to other servers: accept everything
iptables -P OUTPUT ACCEPT
Save the configuration for when the service is inactive
/etc/init.d/iptables save inactive
■ Result
/etc/init.d/iptables: そのようなファイルやディレクトリはありません
It doesn't work... seriously?
To be continued