<h1>Using iptables on Debian</h1>

<p>Published 2023-03-26 at <a href="https://shugomatsuzawa.com/techblog/2023/03/26/202/">https://shugomatsuzawa.com/techblog/2023/03/26/202/</a> (category: system management; tags: debian, iptables, linux, memo)</p>

<p>I had previously <a href="https://shugomatsuzawa.com/techblog/2022/05/08/ubuntu-server%e3%81%a7%e3%83%95%e3%82%a1%e3%82%a4%e3%82%a2%e3%82%a6%e3%82%a9%e3%83%bc%e3%83%ab%ef%bc%88ufw%ef%bc%89%e3%82%92%e4%bd%bf%e3%81%86/">set up a firewall with <code>ufw</code></a>, but the Lightsail Debian instance came with <code>iptables</code> installed, so I tried using that instead.<br>AWS <a rel="noreferrer noopener" href="https://aws.amazon.com/jp/premiumsupport/knowledge-center/lightsail-secure-linux-server/" target="_blank">recommends applying both the Lightsail firewall and an OS-level firewall</a>.</p>

<p>For IPv4 use the <code>iptables</code> command; for IPv6 use the <code>ip6tables</code> command.</p>

<p>The following command shows the current configuration.</p>

<pre class="wp-block-code"><code>sudo iptables -L</code></pre>

<p>When nothing has been configured yet, you should see output like this:</p>

<pre class="wp-block-code"><code>Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination</code></pre>

<h2 class="wp-block-heading">Creating the configuration</h2>

<p>For ordinary use I think it is enough to set the <code>INPUT</code> policy to <code>DROP</code> and allow only what is needed, set <code>OUTPUT</code> to <code>ACCEPT</code>, and set <code>FORWARD</code> to <code>DROP</code> since it is not used.</p>

<p><strong>Never run something like <code>iptables -P INPUT DROP</code> on its own at this point.</strong><br>Being an idiot, I did not know that the setting takes effect the instant you type it, and I locked myself out of SSH.<br>Well, the configuration had not been saved yet, so restarting the instance brought it back.</p>

<p>In the end I decided it was better to put everything in a shell script and apply it in one go rather than adding rules one at a time, so I wrote one.<br>The contents follow <a href="https://knowledge.sakura.ad.jp/4048/" target="_blank" rel="noreferrer noopener">what Sakura Internet describes</a> as-is.</p>

<pre class="wp-block-code"><code>#!/bin/bash

# Clear the existing rules and user-defined chains
iptables -F
iptables -X

# (1) Set the policies: only OUTPUT is ACCEPT
iptables -P INPUT   DROP
iptables -P FORWARD DROP
iptables -P OUTPUT  ACCEPT

# (2) Allow loopback (traffic from the host itself)
iptables -A INPUT -i lo -j ACCEPT

# (3) Drop packets with no TCP flags set (NULL packets carrying no data)
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

# (4) Drop new connections that do not start with SYN (suspected SYN flood)
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

# (5) Drop packets with every TCP flag set (suspected stealth scan)
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

# (6) ICMP (ping) settings, rate-limited with hashlimit
# -m hashlimit                      use the hashlimit module
# --hashlimit-name t_icmp           name of the hash table the counters are recorded in
# --hashlimit 1/m                   once the limit is active, allow at most 1 packet per minute
# --hashlimit-burst 10              the limit becomes active after 10 packets within the period
# --hashlimit-mode srcip            limit per source IP address
# --hashlimit-htable-expire 120000  lifetime of a limit entry, in ms
iptables -A INPUT -p icmp --icmp-type echo-request -m hashlimit --hashlimit-name t_icmp --hashlimit 1/m --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-htable-expire 120000 -j ACCEPT

# (7) Allow established connections regardless of port number
iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT

# (8) Accept the reply packets of DNS queries sent to any server
iptables -A INPUT -p udp --sport 53 -j ACCEPT

# (9) Allow SSH, rate-limited with hashlimit
# -m hashlimit                      use the hashlimit module
# --hashlimit-name t_sshd           name of the hash table the counters are recorded in
# --hashlimit 1/m                   once the limit is active, allow at most 1 packet per minute
# --hashlimit-burst 10              the limit becomes active after 10 packets within the period
# --hashlimit-mode srcip            limit per source IP address
# --hashlimit-htable-expire 120000  lifetime of a limit entry, in ms
iptables -A INPUT -p tcp -m state --syn --state NEW --dport 22 -m hashlimit --hashlimit-name t_sshd --hashlimit 1/m --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-htable-expire 120000 -j ACCEPT

# (10) Add the protocols and ports to allow individually here.
# This example allows HTTP (TCP 80) and HTTPS (TCP 443).
iptables -A INPUT -p tcp --dport 80   -j ACCEPT
iptables -A INPUT -p tcp --dport 443  -j ACCEPT
</code></pre>

<p>Make it executable with chmod, then run it:</p>

<pre class="wp-block-code"><code>chmod 700 firewall.sh
sudo ./firewall.sh</code></pre>

<h2 class="wp-block-heading">Saving the configuration</h2>

<p>As mentioned above, if you restart the instance as it is now, the configuration reverts.<br>Debian <a href="https://wiki.debian.org/iptables" target="_blank" rel="noreferrer noopener">recommends using <code>iptables-persistent</code></a>.</p>

<pre class="wp-block-code"><code>sudo apt install iptables-persistent</code></pre>

<p>A wizard starts automatically when it is installed; just follow the prompts.</p>

<h2 class="wp-block-heading">References</h2>

<ul class="wp-block-list">
<li><a href="https://eng-entrance.com/linux-firewall" target="_blank" rel="noreferrer noopener">[Detailed explanation] How to use the Linux firewall iptables</a></li>
<li><a href="https://knowledge.sakura.ad.jp/4048/#i-2" target="_blank" rel="noreferrer noopener">A simple explanation of the iptables firewall: easy for beginners! Running a web server on a VPS, part 4 | Sakura Knowledge</a></li>
</ul>