{"id":257,"date":"2009-02-27T10:12:25","date_gmt":"2009-02-27T01:12:25","guid":{"rendered":"https:\/\/deskplate.net\/blog\/2009\/02\/27\/iptables-%e8%b5%b7%e5%8b%95%e7%94%a8%e3%82%b7%e3%82%a7%e3%83%ab%e3%80%80%e8%a9%b3%e7%b4%b0%e7%89%88\/"},"modified":"2009-02-27T10:12:25","modified_gmt":"2009-02-27T01:12:25","slug":"iptables-%e8%b5%b7%e5%8b%95%e7%94%a8%e3%82%b7%e3%82%a7%e3%83%ab%e3%80%80%e8%a9%b3%e7%b4%b0%e7%89%88","status":"publish","type":"post","link":"https:\/\/deskplate.net\/blog\/archives\/257","title":{"rendered":"iptables \u8d77\u52d5\u7528\u30b7\u30a7\u30eb\u3000\u8a73\u7d30\u7248"},"content":{"rendered":"<p>\u4ee5\u4e0b\u3059\u3079\u3066\u30b3\u30d4\u30fc\u3057\u3066\u4f7f\u3044\u307e\u3059<br \/>\n#!\/bin\/bash<br \/>\n#&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;#<br \/>\n# \u8a2d\u5b9a\u958b\u59cb                              #<br \/>\n#&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;#<br \/>\n# \u30a4\u30f3\u30bf\u30d5\u30a7\u30fc\u30b9\u540d\u5b9a\u7fa9<br \/>\nLAN=eth0<br \/>\n#&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;#<br \/>\n# \u8a2d\u5b9a\u7d42\u4e86                              #<br \/>\n#&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;#<br \/>\n# \u5185\u90e8\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u306e\u30cd\u30c3\u30c8\u30de\u30b9\u30af\u53d6\u5f97<br \/>\nLOCALNET_MASK=`ifconfig $LAN|sed -e &#8216;s\/^.*Mask:\\([^ ]*\\)$\/\\1\/p&#8217; -e d`<br \/>\n# \u5185\u90e8\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u30a2\u30c9\u30ec\u30b9\u53d6\u5f97<br \/>\nLOCALNET_ADDR=`netstat -rn|grep $LAN|grep $LOCALNET_MASK|cut -f1 -d&#8217; &#8216;`<br \/>\nLOCALNET=$LOCALNET_ADDR\/$LOCALNET_MASK<br \/>\n# \u30d5\u30a1\u30a4\u30a2\u30a6\u30a9\u30fc\u30eb\u505c\u6b62(\u3059\u3079\u3066\u306e\u30eb\u30fc\u30eb\u3092\u30af\u30ea\u30a2)<br \/>\n\/etc\/rc.d\/init.d\/iptables stop<br \/>\n# 
\u30c7\u30d5\u30a9\u30eb\u30c8\u30eb\u30fc\u30eb(\u4ee5\u964d\u306e\u30eb\u30fc\u30eb\u306b\u30de\u30c3\u30c1\u3057\u306a\u304b\u3063\u305f\u5834\u5408\u306b\u9069\u7528\u3059\u308b\u30eb\u30fc\u30eb)\u8a2d\u5b9a<br \/>\niptables -P INPUT   DROP   # \u53d7\u4fe1\u306f\u3059\u3079\u3066\u7834\u68c4<br \/>\niptables -P OUTPUT  ACCEPT # \u9001\u4fe1\u306f\u3059\u3079\u3066\u8a31\u53ef<br \/>\niptables -P FORWARD DROP   # \u901a\u904e\u306f\u3059\u3079\u3066\u7834\u68c4<br \/>\n# \u81ea\u30db\u30b9\u30c8\u304b\u3089\u306e\u30a2\u30af\u30bb\u30b9\u3092\u3059\u3079\u3066\u8a31\u53ef<br \/>\niptables -A INPUT -i lo -j ACCEPT<br \/>\n# \u5185\u90e8\u304b\u3089\u306e\u30a2\u30af\u30bb\u30b9\u3092\u3059\u3079\u3066\u8a31\u53ef<br \/>\n# NOTE(review): $LOCALNET is simply the subnet that eth0 sits on. On a hosted server whose eth0 faces the Internet that is the provider subnet, so this rule trusts every neighbouring host in it, not just your own LAN.<br \/>\n# NOTE(review): on such a host remove this rule, or point LAN at a genuinely internal interface and add -i $LAN here so that packets arriving on other interfaces with a spoofed $LOCALNET source are not accepted.<br \/>\niptables -A INPUT -s $LOCALNET -j ACCEPT<br \/>\n# \u5185\u90e8\u304b\u3089\u884c\u3063\u305f\u30a2\u30af\u30bb\u30b9\u306b\u5bfe\u3059\u308b\u5916\u90e8\u304b\u3089\u306e\u8fd4\u7b54\u30a2\u30af\u30bb\u30b9\u3092\u8a31\u53ef<br \/>\niptables -A INPUT -m state &#8211;state ESTABLISHED,RELATED -j ACCEPT<br \/>\n# SYN Cookies\u3092\u6709\u52b9\u306b\u3059\u308b<br \/>\n# \u203bTCP SYN Flood\u653b\u6483\u5bfe\u7b56<br \/>\nsysctl -w net.ipv4.tcp_syncookies=1 > \/dev\/null<br \/>\nsed -i &#8216;\/net.ipv4.tcp_syncookies\/d&#8217; \/etc\/sysctl.conf<br \/>\necho &#8220;net.ipv4.tcp_syncookies=1&#8221; >> \/etc\/sysctl.conf<br \/>\n# \u30d6\u30ed\u30fc\u30c9\u30ad\u30e3\u30b9\u30c8\u30a2\u30c9\u30ec\u30b9\u5b9bping\u306b\u306f\u5fdc\u7b54\u3057\u306a\u3044<br \/>\n# \u203bSmurf\u653b\u6483\u5bfe\u7b56<br \/>\nsysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1 > \/dev\/null<br \/>\nsed -i &#8216;\/net.ipv4.icmp_echo_ignore_broadcasts\/d&#8217; \/etc\/sysctl.conf<br \/>\necho &#8220;net.ipv4.icmp_echo_ignore_broadcasts=1&#8221; >> \/etc\/sysctl.conf<br \/>\n# ICMP Redirect\u30d1\u30b1\u30c3\u30c8\u306f\u62d2\u5426<br \/>\nsed -i &#8216;\/net.ipv4.conf.*.accept_redirects\/d&#8217; \/etc\/sysctl.conf<br \/>\nfor dev in `ls 
\/proc\/sys\/net\/ipv4\/conf\/`<br \/>\ndo<br \/>\nsysctl -w net.ipv4.conf.$dev.accept_redirects=0 > \/dev\/null<br \/>\necho &#8220;net.ipv4.conf.$dev.accept_redirects=0&#8221; >> \/etc\/sysctl.conf<br \/>\ndone<br \/>\n# Source Routed\u30d1\u30b1\u30c3\u30c8\u306f\u62d2\u5426<br \/>\nsed -i &#8216;\/net.ipv4.conf.*.accept_source_route\/d&#8217; \/etc\/sysctl.conf<br \/>\nfor dev in `ls \/proc\/sys\/net\/ipv4\/conf\/`<br \/>\ndo<br \/>\nsysctl -w net.ipv4.conf.$dev.accept_source_route=0 > \/dev\/null<br \/>\necho &#8220;net.ipv4.conf.$dev.accept_source_route=0&#8221; >> \/etc\/sysctl.conf<br \/>\ndone<br \/>\n# \u30d5\u30e9\u30b0\u30e1\u30f3\u30c8\u5316\u3055\u308c\u305f\u30d1\u30b1\u30c3\u30c8\u306f\u30ed\u30b0\u3092\u8a18\u9332\u3057\u3066\u7834\u68c4<br \/>\n# NOTE(review): the -m state rule above loads connection tracking, which reassembles incoming fragments before the filter table sees them, so these -f rules normally never match; where they do match they also drop legitimate fragmented traffic (large UDP replies, VPN packets). Check their counters are non-zero before keeping them.<br \/>\niptables -A INPUT -f -j LOG &#8211;log-prefix &#8216;[IPTABLES FRAGMENT] : &#8216;<br \/>\niptables -A INPUT -f -j DROP<br \/>\n# \u5916\u90e8\u3068\u306eNetBIOS\u95a2\u9023\u306e\u30a2\u30af\u30bb\u30b9\u306f\u30ed\u30b0\u3092\u8a18\u9332\u305b\u305a\u306b\u7834\u68c4<br \/>\n# \u203b\u4e0d\u8981\u30ed\u30b0\u8a18\u9332\u9632\u6b62<br \/>\n# NOTE(review): the -s ! ADDR form of negation was deprecated in iptables 1.4 and is rejected by later releases; on such systems write ! -s $LOCALNET and ! -d $LOCALNET instead.<br \/>\niptables -A INPUT -s ! $LOCALNET -p tcp -m multiport &#8211;dports 135,137,138,139,445 -j DROP<br \/>\niptables -A INPUT -s ! $LOCALNET -p udp -m multiport &#8211;dports 135,137,138,139,445 -j DROP<br \/>\niptables -A OUTPUT -d ! $LOCALNET -p tcp -m multiport &#8211;sports 135,137,138,139,445 -j DROP<br \/>\niptables -A OUTPUT -d ! 
$LOCALNET -p udp -m multiport &#8211;sports 135,137,138,139,445 -j DROP<br \/>\n# 1\u79d2\u9593\u306b4\u56de\u3092\u8d85\u3048\u308bping\u306f\u30ed\u30b0\u3092\u8a18\u9332\u3057\u3066\u7834\u68c4<br \/>\n# \u203bPing of Death\u653b\u6483\u5bfe\u7b56<br \/>\n# NOTE(review): the limit match below is global, not per source, so one host pinging fast causes echo-requests from every other host to be logged and dropped as well; a per-source limit needs -m hashlimit &#8211;hashlimit-mode srcip. This is a ping-flood throttle, not a Ping of Death defence: oversized\/fragmented ICMP is handled by the kernel, not by this rule.<br \/>\niptables -N LOG_PINGDEATH<br \/>\niptables -A LOG_PINGDEATH -m limit &#8211;limit 1\/s &#8211;limit-burst 4 -j ACCEPT<br \/>\niptables -A LOG_PINGDEATH -j LOG &#8211;log-prefix &#8216;[IPTABLES PINGDEATH] : &#8216;<br \/>\niptables -A LOG_PINGDEATH -j DROP<br \/>\niptables -A INPUT -p icmp &#8211;icmp-type echo-request -j LOG_PINGDEATH<br \/>\n# \u5168\u30db\u30b9\u30c8(\u30d6\u30ed\u30fc\u30c9\u30ad\u30e3\u30b9\u30c8\u30a2\u30c9\u30ec\u30b9\u3001\u30de\u30eb\u30c1\u30ad\u30e3\u30b9\u30c8\u30a2\u30c9\u30ec\u30b9)\u5b9b\u30d1\u30b1\u30c3\u30c8\u306f\u30ed\u30b0\u3092\u8a18\u9332\u305b\u305a\u306b\u7834\u68c4<br \/>\n# \u203b\u4e0d\u8981\u30ed\u30b0\u8a18\u9332\u9632\u6b62<br \/>\niptables -A INPUT -d 255.255.255.255 -j DROP<br \/>\niptables -A INPUT -d 224.0.0.1 -j DROP<br \/>\n# 113\u756a\u30dd\u30fc\u30c8(IDENT)\u3078\u306e\u30a2\u30af\u30bb\u30b9\u306b\u306f\u62d2\u5426\u5fdc\u7b54<br \/>\n# \u203b\u30e1\u30fc\u30eb\u30b5\u30fc\u30d0\u7b49\u306e\u30ec\u30b9\u30dd\u30f3\u30b9\u4f4e\u4e0b\u9632\u6b62<br \/>\niptables -A INPUT -p tcp &#8211;dport 113 -j REJECT &#8211;reject-with tcp-reset<br \/>\n# ACCEPT_COUNTRY_MAKE\u95a2\u6570\u5b9a\u7fa9<br \/>\n# \u6307\u5b9a\u3055\u308c\u305f\u56fd\u306eIP\u30a2\u30c9\u30ec\u30b9\u304b\u3089\u306e\u30a2\u30af\u30bb\u30b9\u3092\u8a31\u53ef\u3059\u308b\u30e6\u30fc\u30b6\u5b9a\u7fa9\u30c1\u30a7\u30a4\u30f3\u4f5c\u6210<br \/>\nACCEPT_COUNTRY_MAKE(){<br \/>\nfor addr in `cat cidr.txt|grep ^$1|awk &#8216;{print $2}&#8217;`<br \/>\ndo<br \/>\niptables -A ACCEPT_COUNTRY -s $addr -j ACCEPT<br \/>\ndone<br \/>\n}<br \/>\n# DROP_COUNTRY_MAKE\u95a2\u6570\u5b9a\u7fa9<br \/>\n# 
\u6307\u5b9a\u3055\u308c\u305f\u56fd\u306eIP\u30a2\u30c9\u30ec\u30b9\u304b\u3089\u306e\u30a2\u30af\u30bb\u30b9\u3092\u7834\u68c4\u3059\u308b\u30e6\u30fc\u30b6\u5b9a\u7fa9\u30c1\u30a7\u30a4\u30f3\u4f5c\u6210<br \/>\nDROP_COUNTRY_MAKE(){<br \/>\nfor addr in `cat cidr.txt|grep ^$1|awk &#8216;{print $2}&#8217;`<br \/>\ndo<br \/>\niptables -A DROP_COUNTRY -s $addr -m limit &#8211;limit 1\/s -j LOG &#8211;log-prefix &#8216;[IPTABLES DENY_COUNTRY] : &#8216;<br \/>\niptables -A DROP_COUNTRY -s $addr -j DROP<br \/>\ndone<br \/>\n}<br \/>\n# iptables\u8a2d\u5b9a\u30b9\u30af\u30ea\u30d7\u30c8\u5916\u90e8\u95a2\u6570\u53d6\u308a\u8fbc\u307f<br \/>\n. \/root\/iptables_functions<br \/>\n# IP\u30a2\u30c9\u30ec\u30b9\u30ea\u30b9\u30c8\u53d6\u5f97<br \/>\nIPLISTGET<br \/>\n# NOTE(review): IPLISTGET is defined in \/root\/iptables_functions (not shown here) and presumably writes cidr.txt into the current directory, which cat cidr.txt above and rm -f cidr.txt below also assume; run this script from that directory or switch to absolute paths. If the download fails, cat cidr.txt yields nothing and the ACCEPT_COUNTRY and DROP_COUNTRY chains are silently left empty, so check [ -s cidr.txt ] before building them. The list decides what is allowed and what is dropped, so fetch it from a source you trust over a channel whose integrity you can verify.<br \/>\n# \u65e5\u672c\u304b\u3089\u306e\u30a2\u30af\u30bb\u30b9\u3092\u8a31\u53ef\u3059\u308b\u30e6\u30fc\u30b6\u5b9a\u7fa9\u30c1\u30a7\u30a4\u30f3ACCEPT_COUNTRY\u4f5c\u6210<br \/>\niptables -N ACCEPT_COUNTRY<br \/>\nACCEPT_COUNTRY_MAKE JP<br \/>\n# \u4ee5\u964d,\u65e5\u672c\u304b\u3089\u306e\u307f\u30a2\u30af\u30bb\u30b9\u3092\u8a31\u53ef\u3057\u305f\u3044\u5834\u5408\u306fACCEPT\u306e\u304b\u308f\u308a\u306bACCEPT_COUNTRY\u3092\u6307\u5b9a\u3059\u308b<br \/>\n# \u4e2d\u56fd\u30fb\u97d3\u56fd\u30fb\u53f0\u6e7e\u304b\u3089\u306e\u30a2\u30af\u30bb\u30b9\u3092\u7834\u68c4\u3059\u308b\u30e6\u30fc\u30b6\u5b9a\u7fa9\u30c1\u30a7\u30a4\u30f3DROP_COUNTRY\u4f5c\u6210<br \/>\niptables -N DROP_COUNTRY<br \/>\nDROP_COUNTRY_MAKE CN<br \/>\nDROP_COUNTRY_MAKE KR<br \/>\nDROP_COUNTRY_MAKE TW<br \/>\n# \u4ee5\u964d,\u4e2d\u56fd\u30fb\u97d3\u56fd\u30fb\u53f0\u6e7e\u304b\u3089\u306e\u30a2\u30af\u30bb\u30b9\u3092\u7834\u68c4\u3057\u305f\u3044\u5834\u5408\u306fDROP\u306e\u304b\u308f\u308a\u306bDROP_COUNTRY\u3092\u6307\u5b9a\u3059\u308b<br \/>\n# IP\u30a2\u30c9\u30ec\u30b9\u30ea\u30b9\u30c8\u524a\u9664<br \/>\nrm -f cidr.txt<br \/>\n# 
\u4e2d\u56fd\u30fb\u97d3\u56fd\u30fb\u53f0\u6e7e\u203b\u304b\u3089\u306e\u30a2\u30af\u30bb\u30b9\u3092\u30ed\u30b0\u3092\u8a18\u9332\u3057\u3066\u7834\u68c4<br \/>\n# \u203b\u5168\u56fd\u8b66\u5bdf\u65bd\u8a2d\u3078\u306e\u653b\u6483\u5143\u4e0a\u4f4d\uff13\u30ab\u56fd(\u65e5\u672c\u30fb\u30a2\u30e1\u30ea\u30ab\u3092\u9664\u304f)<br \/>\n# http:\/\/www.cyberpolice.go.jp\/detect\/observation.html\u3088\u308a<br \/>\niptables -A INPUT -j DROP_COUNTRY<br \/>\n#&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;-#<br \/>\n# \u5404\u7a2e\u30b5\u30fc\u30d3\u30b9\u3092\u516c\u958b\u3059\u308b\u5834\u5408\u306e\u8a2d\u5b9a(\u3053\u3053\u304b\u3089)               #<br \/>\n#&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;-#<br \/>\n# \u5916\u90e8\u304b\u3089\u306eTCP22\u756a\u30dd\u30fc\u30c8(SSH)\u3078\u306e\u30a2\u30af\u30bb\u30b9\u3092\u8a31\u53ef<br \/>\n# \u203bSSH\u30b5\u30fc\u30d0\u30fc\u3092\u516c\u958b\u3059\u308b\u5834\u5408\u306e\u307f<br \/>\niptables -A INPUT -p tcp &#8211;dport 22 -j ACCEPT<br \/>\n# \u5916\u90e8\u304b\u3089\u306eTCP\/UDP53\u756a\u30dd\u30fc\u30c8(DNS)\u3078\u306e\u30a2\u30af\u30bb\u30b9\u3092\u8a31\u53ef<br \/>\n# \u203b\u5916\u90e8\u5411\u3051DNS\u30b5\u30fc\u30d0\u30fc\u3092\u904b\u7528\u3059\u308b\u5834\u5408\u306e\u307f<br \/>\niptables -A INPUT -p tcp &#8211;dport 53 -j ACCEPT<br \/>\niptables -A INPUT -p udp &#8211;dport 53 -j ACCEPT<br \/>\n# \u5916\u90e8\u304b\u3089\u306eTCP80\u756a\u30dd\u30fc\u30c8(HTTP)\u3078\u306e\u30a2\u30af\u30bb\u30b9\u3092\u8a31\u53ef<br \/>\n# \u203bWeb\u30b5\u30fc\u30d0\u30fc\u3092\u516c\u958b\u3059\u308b\u5834\u5408\u306e\u307f<br \/>\niptables -A INPUT -p tcp &#8211;dport 80 -j ACCEPT<br \/>\n# \u5916\u90e8\u304b\u3089\u306eTCP443\u756a\u30dd\u30fc\u30c8(HTTPS)\u3078\u306e\u30a2\u30af\u30bb\u30b9\u3092\u8a31\u53ef<br \/>\n# 
\u203bWeb\u30b5\u30fc\u30d0\u30fc\u3092\u516c\u958b\u3059\u308b\u5834\u5408\u306e\u307f<br \/>\niptables -A INPUT -p tcp &#8211;dport 443 -j ACCEPT<br \/>\n# \u5916\u90e8\u304b\u3089\u306eTCP21\u756a\u30dd\u30fc\u30c8(FTP)\u3078\u306e\u30a2\u30af\u30bb\u30b9\u3092\u8a31\u53ef<br \/>\n# \u203bFTP\u30b5\u30fc\u30d0\u30fc\u3092\u516c\u958b\u3059\u308b\u5834\u5408\u306e\u307f<br \/>\niptables -A INPUT -p tcp &#8211;dport 21 -j ACCEPT<br \/>\n# \u5916\u90e8\u304b\u3089\u306ePASV\u7528\u30dd\u30fc\u30c8(FTP-DATA)\u3078\u306e\u30a2\u30af\u30bb\u30b9\u3092\u8a31\u53ef<br \/>\n# \u203bFTP\u30b5\u30fc\u30d0\u30fc\u3092\u516c\u958b\u3059\u308b\u5834\u5408\u306e\u307f<br \/>\n# \u203bPASV\u7528\u30dd\u30fc\u30c860000:60030\u306f\u5f53\u30b5\u30a4\u30c8\u306e\u8a2d\u5b9a\u4f8b<br \/>\niptables -A INPUT -p tcp &#8211;dport 60000:60030 -j ACCEPT<br \/>\n# \u5916\u90e8\u304b\u3089\u306eTCP25\u756a\u30dd\u30fc\u30c8(SMTP)\u3078\u306e\u30a2\u30af\u30bb\u30b9\u3092\u8a31\u53ef<br \/>\n# \u203bSMTP\u30b5\u30fc\u30d0\u30fc\u3092\u516c\u958b\u3059\u308b\u5834\u5408\u306e\u307f<br \/>\niptables -A INPUT -p tcp &#8211;dport 25 -j ACCEPT<br \/>\n# \u5916\u90e8\u304b\u3089\u306eTCP465\u756a\u30dd\u30fc\u30c8(SMTPS)\u3078\u306e\u30a2\u30af\u30bb\u30b9\u3092\u8a31\u53ef<br \/>\n# \u203bSMTPS\u30b5\u30fc\u30d0\u30fc\u3092\u516c\u958b\u3059\u308b\u5834\u5408\u306e\u307f<br \/>\niptables -A INPUT -p tcp &#8211;dport 465 -j ACCEPT<br \/>\n# \u5916\u90e8\u304b\u3089\u306eTCP110\u756a\u30dd\u30fc\u30c8(POP3)\u3078\u306e\u30a2\u30af\u30bb\u30b9\u3092\u8a31\u53ef<br \/>\n# \u203bPOP3\u30b5\u30fc\u30d0\u30fc\u3092\u516c\u958b\u3059\u308b\u5834\u5408\u306e\u307f<br \/>\niptables -A INPUT -p tcp &#8211;dport 110 -j ACCEPT<br \/>\n# \u5916\u90e8\u304b\u3089\u306eTCP995\u756a\u30dd\u30fc\u30c8(POP3S)\u3078\u306e\u30a2\u30af\u30bb\u30b9\u3092\u8a31\u53ef<br \/>\n# \u203bPOP3S\u30b5\u30fc\u30d0\u30fc\u3092\u516c\u958b\u3059\u308b\u5834\u5408\u306e\u307f<br \/>\niptables -A INPUT -p tcp &#8211;dport 995 -j 
ACCEPT<br \/>\n# \u5916\u90e8\u304b\u3089\u306eTCP143\u756a\u30dd\u30fc\u30c8(IMAP)\u3078\u306e\u30a2\u30af\u30bb\u30b9\u3092\u8a31\u53ef<br \/>\n# \u203bIMAP\u30b5\u30fc\u30d0\u30fc\u3092\u516c\u958b\u3059\u308b\u5834\u5408\u306e\u307f<br \/>\niptables -A INPUT -p tcp &#8211;dport 143 -j ACCEPT<br \/>\n# \u5916\u90e8\u304b\u3089\u306eTCP993\u756a\u30dd\u30fc\u30c8(IMAPS)\u3078\u306e\u30a2\u30af\u30bb\u30b9\u3092\u8a31\u53ef<br \/>\n# \u203bIMAPS\u30b5\u30fc\u30d0\u30fc\u3092\u516c\u958b\u3059\u308b\u5834\u5408\u306e\u307f<br \/>\niptables -A INPUT -p tcp &#8211;dport 993 -j ACCEPT<br \/>\n# \u5916\u90e8\u304b\u3089\u306eUDP1194\u756a\u30dd\u30fc\u30c8(OpenVPN)\u3078\u306e\u30a2\u30af\u30bb\u30b9\u3092\u8a31\u53ef<br \/>\n# \u203bOpenVPN\u30b5\u30fc\u30d0\u30fc\u3092\u516c\u958b\u3059\u308b\u5834\u5408\u306e\u307f<br \/>\niptables -A INPUT -p udp &#8211;dport 1194 -j ACCEPT<br \/>\n# \u5916\u90e8\u304b\u3089\u306eTCP5432\u756a\u30dd\u30fc\u30c8\u3078\u306e\u30a2\u30af\u30bb\u30b9\u3092\u8a31\u53ef<br \/>\n# \u203bPostgreSQL\u30b5\u30fc\u30d0\u30fc\u3092\u516c\u958b\u3059\u308b\u5834\u5408\u306e\u307f<br \/>\n# NOTE(review): hosts on $LOCALNET are already accepted by the earlier -s $LOCALNET rule, so this line only serves clients outside the local network, i.e. it exposes the database port to the Internet. Restrict it to the real client addresses (add -s client-address) or remove it and reach the database over the VPN.<br \/>\niptables -A INPUT -p tcp &#8211;dport 5432 -j ACCEPT<br \/>\n#NFS\u7528<br \/>\n# NOTE(review): 111 (portmapper), 2049 (nfsd) and 4001-4003 (presumably mountd\/statd\/lockd pinned in \/etc\/sysconfig\/nfs; confirm) are opened to every source address. NFS with AUTH_SYS trusts the uid\/gid asserted by the client, so these ports must never face the Internet. NFS clients on $LOCALNET are already accepted by the earlier -s $LOCALNET rule; either delete these ten rules or add -s client-address to each of them.<br \/>\niptables -A INPUT -p tcp &#8211;dport 111 -j ACCEPT<br \/>\niptables -A INPUT -p tcp &#8211;dport 2049 -j ACCEPT<br \/>\niptables -A INPUT -p tcp &#8211;dport 4001 -j ACCEPT<br \/>\niptables -A INPUT -p tcp &#8211;dport 4002 -j ACCEPT<br \/>\niptables -A INPUT -p tcp &#8211;dport 4003 -j ACCEPT<br \/>\niptables -A INPUT -p udp &#8211;dport 111 -j ACCEPT<br \/>\niptables -A INPUT -p udp &#8211;dport 2049 -j ACCEPT<br \/>\niptables -A INPUT -p udp &#8211;dport 4001 -j ACCEPT<br \/>\niptables -A INPUT -p udp &#8211;dport 4002 -j ACCEPT<br \/>\niptables -A INPUT -p udp &#8211;dport 4003 -j ACCEPT<br \/>\n# VPN\u30a4\u30f3\u30bf\u30d5\u30a7\u30fc\u30b9\u7528\u30d5\u30a1\u30a4\u30a2\u30a6\u30a9\u30fc\u30eb\u8a2d\u5b9a<br \/>\n# 
\u203bOpenVPN\u30b5\u30fc\u30d0\u30fc\u3092\u516c\u958b\u3059\u308b\u5834\u5408\u306e\u307f<br \/>\n[ -f \/etc\/openvpn\/openvpn-startup ] &#038;&#038; \/etc\/openvpn\/openvpn-startup<br \/>\n#&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;-#<br \/>\n# \u5404\u7a2e\u30b5\u30fc\u30d3\u30b9\u3092\u516c\u958b\u3059\u308b\u5834\u5408\u306e\u8a2d\u5b9a(\u3053\u3053\u307e\u3067)               #<br \/>\n#&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;-#<br \/>\n# \u62d2\u5426IP\u30a2\u30c9\u30ec\u30b9\u304b\u3089\u306e\u30a2\u30af\u30bb\u30b9\u306f\u30ed\u30b0\u3092\u8a18\u9332\u305b\u305a\u306b\u7834\u68c4<br \/>\n# \u203b\u62d2\u5426IP\u30a2\u30c9\u30ec\u30b9\u306f\/root\/deny_ip\u306b1\u884c\u3054\u3068\u306b\u8a18\u8ff0\u3057\u3066\u304a\u304f\u3053\u3068<br \/>\n# (\/root\/deny_ip\u304c\u306a\u3051\u308c\u3070\u306a\u306b\u3082\u3057\u306a\u3044)<br \/>\nif [ -s \/root\/deny_ip ]; then<br \/>\niptables -N DENY_HOST<br \/>\nfor ip in `cat \/root\/deny_ip`<br \/>\ndo<br \/>\niptables -A DENY_HOST -s $ip -m limit &#8211;limit 1\/s -j LOG &#8211;log-prefix &#8216;[IPTABLES DENY_HOST] : &#8216;<br \/>\niptables -A DENY_HOST -s $ip -j DROP<br \/>\ndone<br \/>\n# NOTE(review): the jump into DENY_HOST is inserted once, after the loop. With the insert inside the loop, every address listed in \/root\/deny_ip added another identical -I INPUT -j DENY_HOST rule at the top of INPUT.<br \/>\niptables -I INPUT -j DENY_HOST<br \/>\nfi<br \/>\n# \u4e0a\u8a18\u306e\u30eb\u30fc\u30eb\u306b\u30de\u30c3\u30c1\u3057\u306a\u304b\u3063\u305f\u30a2\u30af\u30bb\u30b9\u306f\u30ed\u30b0\u3092\u8a18\u9332\u3057\u3066\u7834\u68c4<br \/>\niptables -A INPUT -m limit &#8211;limit 1\/s -j LOG &#8211;log-prefix &#8216;[IPTABLES INPUT] : &#8216;<br \/>\niptables -A INPUT -j DROP<br \/>\niptables -A FORWARD -m limit &#8211;limit 1\/s -j LOG &#8211;log-prefix &#8216;[IPTABLES FORWARD] : &#8216;<br \/>\niptables -A FORWARD -j DROP<br \/>\n# 
\u30b5\u30fc\u30d0\u30fc\u518d\u8d77\u52d5\u6642\u306b\u3082\u4e0a\u8a18\u8a2d\u5b9a\u304c\u6709\u52b9\u3068\u306a\u308b\u3088\u3046\u306b\u30eb\u30fc\u30eb\u3092\u4fdd\u5b58<br \/>\n\/etc\/rc.d\/init.d\/iptables save<br \/>\n# \u30d5\u30a1\u30a4\u30a2\u30a6\u30a9\u30fc\u30eb\u8d77\u52d5<br \/>\n\/etc\/rc.d\/init.d\/iptables start<\/p>\n","protected":false},"excerpt":{"rendered":"<p>\u4ee5\u4e0b\u3059\u3079\u3066\u30b3\u30d4\u30fc\u3057\u3066\u4f7f\u3044\u307e\u3059 #!\/bi<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[],"class_list":["post-257","post","type-post","status-publish","format-standard","hentry","category-linux"],"_links":{"self":[{"href":"https:\/\/deskplate.net\/blog\/wp-json\/wp\/v2\/posts\/257","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/deskplate.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/deskplate.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/deskplate.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/deskplate.net\/blog\/wp-json\/wp\/v2\/comments?post=257"}],"version-history":[{"count":0,"href":"https:\/\/deskplate.net\/blog\/wp-json\/wp\/v2\/posts\/257\/revisions"}],"wp:attachment":[{"href":"https:\/\/deskplate.net\/blog\/wp-json\/wp\/v2\/media?parent=257"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/deskplate.net\/blog\/wp-json\/wp\/v2\/categories?post=257"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/deskplate.net\/blog\/wp-json\/wp\/v2\/tags?post=257"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}