Practical Linux
Hardening the firewall with direct rules (July 2020)
● Direct rules: a firewalld feature available since CentOS 7 (see the firewalld page)
Direct rule syntax
# firewall-cmd [--permanent] --direct --add-rule {ipv4|ipv6|eb} <table> <chain> <priority> <args>
Table: filter, nat, mangle (raw and security exist as well)
Chain: INPUT, OUTPUT, FORWARD, PREROUTING, POSTROUTING, or a chain you created with --add-chain
Priority: an integer. 0 puts the rule at the top of the direct chain; larger values are placed further down. The order of rules that share the same priority is not guaranteed, so give rules that depend on each other different priorities.
Arguments: whatever iptables accepts after the chain name
state module
-m state --state NEW
INVALID: packets that belong to no known connection (including malformed packets)
NEW: packets that open a new connection
ESTABLISHED: packets of an already established connection
RELATED: packets that open a new connection related to an existing one (the FTP data channel, ICMP errors)
-m state is the older spelling; -m conntrack --ctstate takes the same state names and is what current iptables documents.
Options
-s <address>     source address (may be a network, e.g. 10.0.0.0/8)
-d <address>     destination address
--sport <port>   source port (requires -p tcp or -p udp)
--dport <port>   destination port (requires -p tcp or -p udp)
-i <interface>   input interface (INPUT, FORWARD, PREROUTING only)
-o <interface>   output interface (OUTPUT, FORWARD, POSTROUTING only)
-j <target>      target
-m <module>      load a match module (state, conntrack, limit, multiport, ...)
Protocol: tcp, udp, icmp (icmpv6 for ipv6), all
Target: ACCEPT, DROP, RETURN, REJECT, REDIRECT, SNAT, DNAT, MASQUERADE, LOG
To delete a rule, replace --add-rule with --remove-rule. The table, chain, priority and arguments must be repeated exactly as they were added; otherwise firewall-cmd reports NOT_ENABLED and the rule stays.
Listing direct rules
# firewall-cmd --direct --get-all-rules
Add --permanent to list the saved configuration instead of the running one; --direct --get-all-chains lists the chains you created.
● Creating a chain
# firewall-cmd --direct --add-chain ipv4 filter <chain name>
Use --permanent here as well when the rules that jump to the chain are permanent; a permanent rule cannot reference a chain that only exists in the runtime configuration.
● Chains
# iptables -L -n --line-numbers shows the chain you created at the end of the list.
With the iptables backend (CentOS 7, or FirewallBackend=iptables in /etc/firewalld/firewalld.conf on CentOS 8) the filter table contains the following chains:
INPUT
FORWARD
OUTPUT
FORWARD_IN_ZONES, FORWARD_IN_ZONES_SOURCE, FORWARD_OUT_ZONES, FORWARD_OUT_ZONES_SOURCE
FORWARD_direct
FWDI_external through FWDO_trusted_log (one set per zone)
INPUT_ZONES, INPUT_ZONES_SOURCE
INPUT_direct
IN_external through IN_trusted_log (one set per zone)
OUTPUT_direct
the chain you created last
Direct rules for the built-in chains are written into FORWARD_direct, INPUT_direct and OUTPUT_direct; rules for a chain you created go straight into that chain.
Note that OUTPUT has no zone chains: only OUTPUT_direct.
Two details decide whether a direct rule ever sees a packet:
- INPUT jumps to INPUT_direct after the rule that accepts ESTABLISHED,RELATED traffic and the accept for lo, but before INPUT_ZONES_SOURCE and INPUT_ZONES. A direct rule therefore only sees packets of new or untracked connections, and whatever it decides wins over the zone rules (services, ports, rich rules).
- On CentOS 8 the default backend is nftables. Direct rules are still installed through iptables (the iptables-nft compatibility command), so iptables -L shows the *_direct chains and your own chains, but the zone chains above live in the inet firewalld table and are listed with nft list ruleset. Direct rules are still evaluated before firewalld's own zone rules.
● Creating the start-my-firewalld script
Every rule is added with --permanent, so nothing takes effect until the final firewall-cmd --reload. Replace enp0 with the real name of the Internet-facing interface (ip link shows it; real names look like enp0s3). The anti-spoofing rules for 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16 are only correct on an interface that faces the Internet directly; on a host inside a private network (a cloud VPC, a LAN behind NAT) they drop all legitimate traffic.
#! /bin/sh
######syn-flood:DROP######
# New TCP connection attempts (SYN) above 1 per second with a burst of 4 are logged and dropped.
# The original page matched ICMP echo-request here, a copy of the ping-death rule below; a SYN flood rule has to match TCP SYN.
# -m limit counts all sources together, so 1/s throttles legitimate clients on a busy server:
# raise the limit, or use -m hashlimit --hashlimit-mode srcip for a per-source limit.
firewall-cmd --permanent --direct --add-chain ipv4 filter syn-flood
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 100 -i enp0 -p tcp --syn -m state --state NEW -j syn-flood
firewall-cmd --permanent --direct --add-rule ipv4 filter syn-flood 150 -m limit --limit 1/s --limit-burst 4 -j RETURN
# The LOG rules in this script have no limit of their own: during a real flood every dropped packet is logged.
# Add -m limit --limit 5/min to each LOG rule if log volume matters. Because the prefixes end without a
# trailing space, the kernel log reads "IPTABLES SYN-FLOOD:IN=enp0 ...".
firewall-cmd --permanent --direct --add-rule ipv4 filter syn-flood 151 -j LOG --log-prefix "IPTABLES SYN-FLOOD:"
firewall-cmd --permanent --direct --add-rule ipv4 filter syn-flood 152 -j DROP
######Make sure NEW tcp connections are SYN packets:DROP######
# A packet that starts a new connection without SYN is a stealth scan (FIN, NULL, Xmas) or a broken client.
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 200 -i enp0 -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "IPTABLES SYN-FLOOD:"
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 201 -p tcp ! --syn -m state --state NEW -j DROP
######ping of death:DROP######
# More than 1 echo-request per second (burst 4) is logged and dropped; this also limits legitimate monitoring pings.
firewall-cmd --permanent --direct --add-chain ipv4 filter ping-death
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 300 -i enp0 -p icmp --icmp-type echo-request -j ping-death
firewall-cmd --permanent --direct --add-rule ipv4 filter ping-death 350 -m limit --limit 1/s --limit-burst 4 -j RETURN
firewall-cmd --permanent --direct --add-rule ipv4 filter ping-death 351 -j LOG --log-prefix "IPTABLES PING-DEATH:"
firewall-cmd --permanent --direct --add-rule ipv4 filter ping-death 352 -j DROP
######port-scan:DROP######
# Matches segments with RST set and SYN, ACK and FIN clear, i.e. bare RSTs that belong to no tracked connection.
firewall-cmd --permanent --direct --add-chain ipv4 filter port-scan
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 400 -i enp0 -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j port-scan
firewall-cmd --permanent --direct --add-rule ipv4 filter port-scan 450 -m limit --limit 1/s --limit-burst 4 -j RETURN
firewall-cmd --permanent --direct --add-rule ipv4 filter port-scan 451 -j LOG --log-prefix "IPTABLES PORT-SCAN:"
firewall-cmd --permanent --direct --add-rule ipv4 filter port-scan 452 -j DROP
######spoofing:DROP######
# Source addresses that can never legitimately arrive from the Internet: loopback, private, documentation,
# link-local, multicast, reserved, "this network" and the limited broadcast address.
firewall-cmd --permanent --direct --add-chain ipv4 filter spoofing
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 500 -i enp0 -s 127.0.0.0/8 -j spoofing
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 501 -i enp0 -d 127.0.0.0/8 -j spoofing
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 502 -i enp0 -s 10.0.0.0/8 -j spoofing
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 503 -i enp0 -s 172.16.0.0/12 -j spoofing
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 504 -i enp0 -s 192.168.0.0/16 -j spoofing
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 505 -i enp0 -s 192.0.2.0/24 -j spoofing
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 506 -i enp0 -s 169.254.0.0/16 -j spoofing
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 507 -i enp0 -s 224.0.0.0/4 -j spoofing
# The reserved block is 240.0.0.0/4 (240.0.0.0 to 255.255.255.255); the original page's /5 left 248.0.0.0/5 uncovered.
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 508 -i enp0 -s 240.0.0.0/4 -j spoofing
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 509 -i enp0 -s 0.0.0.0/8 -j spoofing
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 510 -i enp0 -s 255.255.255.255 -j spoofing
# The original page had 333.333.333.210 here. That is not a valid IPv4 address (octets run 0 to 255) and
# firewall-cmd rejects the rule; it is presumably a masked address, and the usual entry at this point is the
# host's own public address, so that packets arriving from outside with our address as source are dropped.
# Set MY_PUBLIC_IP in the environment before running; the script stops here if it is unset.
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 511 -i enp0 -s "${MY_PUBLIC_IP:?set MY_PUBLIC_IP to this host's public address}" -j spoofing
firewall-cmd --permanent --direct --add-rule ipv4 filter spoofing 550 -j LOG --log-prefix "IPTABLES SPOOFING:"
firewall-cmd --permanent --direct --add-rule ipv4 filter spoofing 551 -j DROP
######win FORWARDING:DROP######
# Only relevant when this host routes for other machines: NetBIOS/SMB is not forwarded in either direction.
# These rules are in FORWARD and do nothing for connections to this host itself.
firewall-cmd --permanent --direct --add-chain ipv4 filter win
firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 600 -p tcp -m multiport --sport 135,137,138,139,445 -j win
firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 601 -p udp -m multiport --sport 135,137,138,139,445 -j win
firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 602 -p tcp -m multiport --dport 135,137,138,139,445 -j win
firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 603 -p udp -m multiport --dport 135,137,138,139,445 -j win
firewall-cmd --permanent --direct --add-rule ipv4 filter win 650 -j LOG --log-prefix "USING WIN PORT:"
firewall-cmd --permanent --direct --add-rule ipv4 filter win 651 -j DROP
firewall-cmd --reload
# Check the result: the direct rules and chains must show up in the running configuration.
# firewall-cmd --direct --get-all-rules
# iptables -L INPUT_direct -n --line-numbers
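The LOG rules in the script above write one kernel-log line per dropped packet, starting with the string given to --log-prefix. The script below is an added example and not part of the original page: it aggregates those lines by prefix and source address and picks out the sources that trip the rules most often, which is the list you would feed into a rich rule or an ipset. The function names summarize_fw_log and noisy_sources are chosen here; the sample log lines, the host name web1 and the addresses in them are constructed for the example (the prefixes are the page's own), so that the script runs offline.

```shell
#!/bin/sh
# Added example, not code from the original page. On a real host run:
#   journalctl -k --since today | summarize_fw_log
#   journalctl -k --since today | noisy_sources 50

# summarize_fw_log: stdin = kernel log lines; stdout = "<count> <prefix> <source>"
# sorted by count, descending. Handles the page's prefix form "PREFIX:IN=..."
# (no trailing space in --log-prefix) as well as the usual "PREFIX: IN=...".
summarize_fw_log() {
    awk '
        /kernel: / && /IN=/ && /SRC=/ {
            p = index($0, "IN=")
            prefix = substr($0, 1, p - 1)
            sub(/^.*kernel: /, "", prefix)      # drop the syslog timestamp and host name
            sub(/[: ]+$/, "", prefix)           # "IPTABLES SPOOFING:" -> "IPTABLES SPOOFING"
            src = ""
            for (i = 1; i <= NF; i++)
                if ($i ~ /^SRC=/) { src = substr($i, 5); break }
            if (src == "") next
            hits[prefix " " src]++
        }
        END { for (k in hits) print hits[k], k }
    ' | sort -k1,1nr -k2
}

# noisy_sources <threshold>: sources whose drops across all prefixes reach the
# threshold, printed as "<source> <total>", busiest first.
noisy_sources() {
    threshold="${1:-10}"
    summarize_fw_log | awk -v t="$threshold" '
        { total[$NF] += $1 }                    # the last field is the source address
        END { for (s in total) if (total[s] >= t) print s, total[s] }
    ' | sort -k2,2nr
}

# Constructed sample (not real log data): three spoofed packets from 10.1.2.3, a
# private source seen on the Internet-facing interface, and four drops from 198.51.100.7.
SAMPLE_LOG='Jul  1 10:00:01 web1 kernel: IPTABLES SPOOFING:IN=enp0 OUT= SRC=10.1.2.3 DST=203.0.113.10 LEN=60 TTL=53 ID=0 DF PROTO=TCP SPT=41000 DPT=22 SYN URGP=0
Jul  1 10:00:02 web1 kernel: IPTABLES SPOOFING:IN=enp0 OUT= SRC=10.1.2.3 DST=203.0.113.10 LEN=60 TTL=53 ID=0 DF PROTO=TCP SPT=41001 DPT=22 SYN URGP=0
Jul  1 10:00:03 web1 kernel: IPTABLES SPOOFING:IN=enp0 OUT= SRC=10.1.2.3 DST=203.0.113.10 LEN=60 TTL=53 ID=0 DF PROTO=TCP SPT=41002 DPT=22 SYN URGP=0
Jul  1 10:01:10 web1 kernel: IPTABLES PORT-SCAN:IN=enp0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=40 TTL=44 ID=0 PROTO=TCP SPT=55000 DPT=80 RST URGP=0
Jul  1 10:01:11 web1 kernel: IPTABLES PORT-SCAN:IN=enp0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=40 TTL=44 ID=0 PROTO=TCP SPT=55001 DPT=443 RST URGP=0
Jul  1 10:02:00 web1 kernel: IPTABLES SYN-FLOOD: IN=enp0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=60 TTL=44 ID=0 DF PROTO=TCP SPT=56000 DPT=80 SYN URGP=0
Jul  1 10:02:00 web1 kernel: IPTABLES SYN-FLOOD: IN=enp0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=60 TTL=44 ID=0 DF PROTO=TCP SPT=56001 DPT=80 SYN URGP=0'

# Stand-alone run: the per-prefix summary, then the sources with at least 4 drops.
printf '%s\n' "$SAMPLE_LOG" | summarize_fw_log
printf '%s\n' "$SAMPLE_LOG" | noisy_sources 4
```

Drops from private or reserved source addresses (the SPOOFING prefix) are not worth chasing by address, since the address is forged by definition; the PORT-SCAN and SYN-FLOOD prefixes are the ones where a real remote address appears, and the totals from noisy_sources are the input for a temporary block.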
● The stop-my-firewalld script
Stopping is the same list in reverse order with --remove-rule and --remove-chain: rules first, then the chain they jump to. Each --remove-rule must repeat the table, chain, priority and arguments exactly as they were added, otherwise firewall-cmd reports NOT_ENABLED and leaves the rule in place. Afterwards, firewall-cmd --permanent --direct --get-all-rules and --get-all-chains should print nothing. MY_PUBLIC_IP must be set to the same value as for the start script.
#! /bin/sh
firewall-cmd --permanent --direct --remove-rule ipv4 filter win 651 -j DROP
firewall-cmd --permanent --direct --remove-rule ipv4 filter win 650 -j LOG --log-prefix "USING WIN PORT:"
firewall-cmd --permanent --direct --remove-rule ipv4 filter FORWARD 603 -p udp -m multiport --dport 135,137,138,139,445 -j win
firewall-cmd --permanent --direct --remove-rule ipv4 filter FORWARD 602 -p tcp -m multiport --dport 135,137,138,139,445 -j win
firewall-cmd --permanent --direct --remove-rule ipv4 filter FORWARD 601 -p udp -m multiport --sport 135,137,138,139,445 -j win
firewall-cmd --permanent --direct --remove-rule ipv4 filter FORWARD 600 -p tcp -m multiport --sport 135,137,138,139,445 -j win
firewall-cmd --permanent --direct --remove-chain ipv4 filter win
firewall-cmd --permanent --direct --remove-rule ipv4 filter spoofing 551 -j DROP
firewall-cmd --permanent --direct --remove-rule ipv4 filter spoofing 550 -j LOG --log-prefix "IPTABLES SPOOFING:"
firewall-cmd --permanent --direct --remove-rule ipv4 filter INPUT 511 -i enp0 -s "${MY_PUBLIC_IP:?set MY_PUBLIC_IP to this host's public address}" -j spoofing
firewall-cmd --permanent --direct --remove-rule ipv4 filter INPUT 510 -i enp0 -s 255.255.255.255 -j spoofing
firewall-cmd --permanent --direct --remove-rule ipv4 filter INPUT 509 -i enp0 -s 0.0.0.0/8 -j spoofing
firewall-cmd --permanent --direct --remove-rule ipv4 filter INPUT 508 -i enp0 -s 240.0.0.0/4 -j spoofing
firewall-cmd --permanent --direct --remove-rule ipv4 filter INPUT 507 -i enp0 -s 224.0.0.0/4 -j spoofing
firewall-cmd --permanent --direct --remove-rule ipv4 filter INPUT 506 -i enp0 -s 169.254.0.0/16 -j spoofing
firewall-cmd --permanent --direct --remove-rule ipv4 filter INPUT 505 -i enp0 -s 192.0.2.0/24 -j spoofing
firewall-cmd --permanent --direct --remove-rule ipv4 filter INPUT 504 -i enp0 -s 192.168.0.0/16 -j spoofing
firewall-cmd --permanent --direct --remove-rule ipv4 filter INPUT 503 -i enp0 -s 172.16.0.0/12 -j spoofing
firewall-cmd --permanent --direct --remove-rule ipv4 filter INPUT 502 -i enp0 -s 10.0.0.0/8 -j spoofing
firewall-cmd --permanent --direct --remove-rule ipv4 filter INPUT 501 -i enp0 -d 127.0.0.0/8 -j spoofing
firewall-cmd --permanent --direct --remove-rule ipv4 filter INPUT 500 -i enp0 -s 127.0.0.0/8 -j spoofing
firewall-cmd --permanent --direct --remove-chain ipv4 filter spoofing
firewall-cmd --permanent --direct --remove-rule ipv4 filter port-scan 452 -j DROP
firewall-cmd --permanent --direct --remove-rule ipv4 filter port-scan 451 -j LOG --log-prefix "IPTABLES PORT-SCAN:"
firewall-cmd --permanent --direct --remove-rule ipv4 filter port-scan 450 -m limit --limit 1/s --limit-burst 4 -j RETURN
firewall-cmd --permanent --direct --remove-rule ipv4 filter INPUT 400 -i enp0 -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j port-scan
firewall-cmd --permanent --direct --remove-chain ipv4 filter port-scan
firewall-cmd --permanent --direct --remove-rule ipv4 filter ping-death 352 -j DROP
firewall-cmd --permanent --direct --remove-rule ipv4 filter ping-death 351 -j LOG --log-prefix "IPTABLES PING-DEATH:"
firewall-cmd --permanent --direct --remove-rule ipv4 filter ping-death 350 -m limit --limit 1/s --limit-burst 4 -j RETURN
firewall-cmd --permanent --direct --remove-rule ipv4 filter INPUT 300 -i enp0 -p icmp --icmp-type echo-request -j ping-death
firewall-cmd --permanent --direct --remove-chain ipv4 filter ping-death
firewall-cmd --permanent --direct --remove-rule ipv4 filter INPUT 201 -p tcp ! --syn -m state --state NEW -j DROP
firewall-cmd --permanent --direct --remove-rule ipv4 filter INPUT 200 -i enp0 -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "IPTABLES SYN-FLOOD:"
firewall-cmd --permanent --direct --remove-rule ipv4 filter syn-flood 152 -j DROP
firewall-cmd --permanent --direct --remove-rule ipv4 filter syn-flood 151 -j LOG --log-prefix "IPTABLES SYN-FLOOD:"
firewall-cmd --permanent --direct --remove-rule ipv4 filter syn-flood 150 -m limit --limit 1/s --limit-burst 4 -j RETURN
# The syn-flood entry rule matches TCP SYN (the start script's corrected rule), not ICMP echo-request.
firewall-cmd --permanent --direct --remove-rule ipv4 filter INPUT 100 -i enp0 -p tcp --syn -m state --state NEW -j syn-flood
firewall-cmd --permanent --direct --remove-chain ipv4 filter syn-flood
firewall-cmd --reload
# Check: both commands must print nothing.
# firewall-cmd --permanent --direct --get-all-rules
# firewall-cmd --permanent --direct --get-all-chains
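The stop script above is the start script copied by hand in reverse, and every --remove-rule has to match its --add-rule byte for byte, which is exactly the kind of duplication that drifts. The script below is an added example, not from the original page: it keeps the rules in one table and derives both the add sequence (top to bottom) and the remove sequence (bottom to top) from it, skips entries already present in the permanent configuration so re-running start is harmless, and has a dry-run mode that prints the firewall-cmd lines instead of executing them. The rule set is a subset of the page's (the SYN flood chain, with the corrected TCP SYN match, and part of the anti-spoofing chain, with -m limit added to the LOG rules); the interface name enp0 is the page's, and FIREWALL_CMD, DRY_RUN, RULES, run and apply_rules are names chosen for this example.

```shell
#!/bin/sh
# Added example, not code from the original page. Usage (as root):
#   ./my-firewalld.sh start      add the permanent rules and reload
#   ./my-firewalld.sh stop       remove them in reverse order and reload
#   DRY_RUN=1 ./my-firewalld.sh start   only print the firewall-cmd lines
FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"
DRY_RUN="${DRY_RUN:-0}"

# One entry per line: "chain <table> <name>" or "rule <table> <chain> <priority> <iptables args>".
# Entries are applied top to bottom for add and bottom to top for remove, so a chain is
# always created before the rules that jump to it and deleted after them. Each line is
# parsed by the shell (eval), so a quoted log prefix containing spaces survives intact.
RULES='
# --- SYN flood: more than 1 new SYN per second (burst 4) is logged and dropped
chain filter syn-flood
rule  filter INPUT 100 -i enp0 -p tcp --syn -m conntrack --ctstate NEW -j syn-flood
rule  filter syn-flood 150 -m limit --limit 1/s --limit-burst 4 -j RETURN
rule  filter syn-flood 151 -m limit --limit 5/min -j LOG --log-prefix "IPTABLES SYN-FLOOD: "
rule  filter syn-flood 152 -j DROP
# --- anti-spoofing: sources that cannot legitimately arrive on an Internet-facing interface
chain filter spoofing
rule  filter INPUT 500 -i enp0 -s 127.0.0.0/8 -j spoofing
rule  filter INPUT 501 -i enp0 -s 169.254.0.0/16 -j spoofing
rule  filter INPUT 502 -i enp0 -s 224.0.0.0/4 -j spoofing
rule  filter INPUT 503 -i enp0 -s 240.0.0.0/4 -j spoofing
rule  filter spoofing 550 -m limit --limit 5/min -j LOG --log-prefix "IPTABLES SPOOFING: "
rule  filter spoofing 551 -j DROP
'

# run: execute firewall-cmd, or in dry-run mode print the command line, quoting
# arguments that contain whitespace so the output can be pasted into a shell.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        line="$FIREWALL_CMD"
        for a in "$@"; do
            case "$a" in
                *[[:space:]]*) line="$line '$a'" ;;
                *)             line="$line $a" ;;
            esac
        done
        printf '%s\n' "$line"
    else
        "$FIREWALL_CMD" "$@"
    fi
}

# apply_rules add|remove: walk RULES (forwards for add, backwards for remove) and
# issue --add-chain/--add-rule or --remove-chain/--remove-rule for every entry.
apply_rules() {
    op="$1"
    entries=$(printf '%s\n' "$RULES" | grep -v -e '^[[:space:]]*$' -e '^[[:space:]]*#')
    if [ "$op" = remove ]; then
        entries=$(printf '%s\n' "$entries" | sed '1!G;h;$!d')   # reverse the line order
    fi
    printf '%s\n' "$entries" | while IFS= read -r entry; do
        eval "set -- $entry"
        kind="$1"; shift
        case "$kind" in
            chain|rule) ;;
            *) echo "apply_rules: bad entry: $entry" >&2; exit 1 ;;
        esac
        # Idempotent add: entries already in the permanent configuration are skipped,
        # so re-running start produces no ALREADY_ENABLED warnings.
        if [ "$op" = add ] && [ "$DRY_RUN" != 1 ] &&
           "$FIREWALL_CMD" --permanent --direct "--query-$kind" ipv4 "$@" >/dev/null 2>&1; then
            continue
        fi
        run --permanent --direct "--$op-$kind" ipv4 "$@"
    done
}

case "${1:-}" in
    start) apply_rules add    && run --reload ;;
    stop)  apply_rules remove && run --reload ;;
    "")    ;;                      # no argument: define the functions only
    *)     echo "usage: $0 start|stop" >&2; exit 2 ;;
esac
```

The remove sequence is generated from the same table, so it cannot disagree with what was added. After start, firewall-cmd --permanent --direct --get-all-rules should list every rule entry of the table; after stop it should print nothing.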