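#!/usr/bin/env bash
# Firewall / NAT policy for the DB segment behind this host: MasterDB 30.30.30.1
# and SlaveDB 30.30.30.2. Two public aliases (40.40.1.201/.202 on ens224) are
# DNATed to the DB hosts; every chain defaults to DROP and only the flows listed
# below are opened - each stateful, each FORWARD flow rate-limit logged.
#
# Run as root. The ruleset is applied live and is NOT persisted (iptables-save
# if it must survive a reboot). Policies are set to DROP before any ACCEPT, so
# an abort under `set -e` leaves the box fail-closed; the management SSH rules
# are therefore installed first so an abort cannot lock the operator out.
#
# NOTE(review): net.ipv4.ip_forward is never enabled in this script; it is
# assumed to be set elsewhere - confirm, otherwise nothing in FORWARD matches.
set -eu

# --- addresses ----------------------------------------------------------------
readonly MDB=30.30.30.1          # MasterDB (real address; FORWARD sees it post-DNAT)
readonly SDB=30.30.30.2          # SlaveDB
readonly MDB_PUBLIC=40.40.1.201  # alias on ens224 -> DNAT to MDB
readonly SDB_PUBLIC=40.40.1.202  # alias on ens224 -> DNAT to SDB
readonly FW_MGMT=40.40.1.50      # this firewall's own SSH address (presumably already
                                 #   configured on ens224; not assigned by this script)
readonly T3_HOSTS=(192.168.170.2 192.168.171.2)   # "3T group" / "130.0" admin hosts
readonly CORP_HOSTS=(180.180.180.2 181.181.181.2) # corporation (security team) hosts
readonly LOGI_NET=70.70.70.0/24                   # "logi team" network
readonly WEB_HOST=10.10.10.1                      # https front end (MySQL client)
readonly FTPS_HOST=20.20.20.1                     # FTPS backup target
readonly FTPS_PORTS=21,22222,50000:50003          # control, alternate port, passive data range
# Addresses used only by the LOG rules of the web and ftps flows. They differ
# from WEB_HOST / FTPS_HOST, and no SNAT is configured in this script, so a
# packet cannot match both the LOG and the ACCEPT rule - one of the two sets
# is stale. TODO confirm which address the packets actually carry.
readonly WEB_LOG_HOST=192.168.150.201
readonly FTPS_LOG_HOST=192.168.160.201

# log_tcp CLIENT SERVER PORTS TAG
#   Rate-limited LOG (6 lines/min after a burst of 50, so a scan cannot flood
#   syslog) of CLIENT -> SERVER:PORTS as "[TAG-INCOMING]" and of the
#   SERVER:PORTS -> CLIENT replies as "[TAG-OUTCOMING]".
#   LOG is non-terminal, ACCEPT is terminal: call this before allow_tcp.
log_tcp() {
  local client=$1 server=$2 ports=$3 tag=$4
  iptables -A FORWARD -p tcp -m multiport --dports "$ports" -s "$client" -d "$server" \
    -m limit --limit 6/m --limit-burst 50 -j LOG --log-prefix "[${tag}-INCOMING]"
  iptables -A FORWARD -p tcp -m multiport --sports "$ports" -s "$server" -d "$client" \
    -m limit --limit 6/m --limit-burst 50 -j LOG --log-prefix "[${tag}-OUTCOMING]"
}

# allow_tcp CLIENT SERVER PORTS
#   Stateful accept of CLIENT -> SERVER:PORTS (NEW,ESTABLISHED) and of the
#   replies (ESTABLISHED only): SERVER can never open a connection towards
#   CLIENT, and a crafted source port on either side buys nothing.
allow_tcp() {
  local client=$1 server=$2 ports=$3
  iptables -A FORWARD -p tcp -m multiport --dports "$ports" -s "$client" -d "$server" \
    -m state --state NEW,ESTABLISHED -j ACCEPT
  iptables -A FORWARD -p tcp -m multiport --sports "$ports" -s "$server" -d "$client" \
    -m state --state ESTABLISHED -j ACCEPT
}

# --- interfaces & kernel knobs --------------------------------------------------
# Public aliases the DNAT rules answer on (ifconfig alias syntax; the iproute2
# equivalent is `ip addr add 40.40.1.201/24 dev ens224 label ens224:1`).
ifconfig ens224:1 "$MDB_PUBLIC" netmask 255.255.255.0
ifconfig ens224:2 "$SDB_PUBLIC" netmask 255.255.255.0

# Reverse-path filtering is switched off ("ping error solution" in the original),
# presumably because the alias + DNAT setup produces asymmetric routes. This
# removes the kernel's own anti-spoofing check, so every ACCEPT below must carry
# an explicit source match (they all do). Two caveats: the effective setting is
# the max of conf.all and conf.<iface>, so these lines are a no-op while
# conf.all.rp_filter=1; and conf.default only affects interfaces created later.
sysctl net.ipv4.conf.default.rp_filter=0
sysctl net.ipv4.conf.ens160.rp_filter=0
sysctl net.ipv4.conf.ens224.rp_filter=0

# --- baseline: flush, default-deny ------------------------------------------------
iptables -t nat -F
iptables -t filter -F
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# --- management access to the firewall itself (first, so an abort cannot lock us out)
for host in "${T3_HOSTS[@]}"; do
  iptables -A INPUT  -p tcp --dport 22 -s "$host" -d "$FW_MGMT" -m state --state NEW,ESTABLISHED -j ACCEPT
  iptables -A OUTPUT -p tcp --sport 22 -s "$FW_MGMT" -d "$host" -m state --state ESTABLISHED -j ACCEPT
done

# OSPF (IP protocol 89) with any neighbour on any interface.
# NOTE(review): pin this to the routing interface (-i/-o) and the neighbour
# addresses if they are known; as written any host can talk to the OSPF daemon.
iptables -A INPUT  -p 89 -j ACCEPT
iptables -A OUTPUT -p 89 -j ACCEPT

# ICMP: every type, every direction, unlimited (keeps ping and PMTU discovery
# working end to end). NOTE(review): a `-m limit` plus a whitelist of types
# (echo-request/reply, destination-unreachable, time-exceeded) is the usual
# hardening; left as-is because the original had trouble with ping already.
iptables -t filter -A INPUT   -p icmp -j ACCEPT
iptables -t filter -A OUTPUT  -p icmp -j ACCEPT
iptables -t filter -A FORWARD -p icmp -j ACCEPT

# --- NAT: public alias -> DB host, all protocols and ports --------------------------
# Only the destination is rewritten. FORWARD matches on the post-DNAT address
# ($MDB/$SDB) and the unchanged source, which is what restricts who gets through.
iptables -t nat -A PREROUTING -d "$MDB_PUBLIC" -j DNAT --to-destination "$MDB"
iptables -t nat -A PREROUTING -d "$SDB_PUBLIC" -j DNAT --to-destination "$SDB"

# --- FORWARD logging (must precede the ACCEPT rules) --------------------------------
# Fix vs. the original: the 3T-group SSH LOG rules matched --sport 22 on the
# client->DB direction and --dport 22 on the replies, i.e. only a client that
# itself sends *from* port 22 - they never fired. They now match the same tuple
# the ACCEPT rules do (client ephemeral port -> DB:22). Prefixes are unchanged.
for host in "${T3_HOSTS[@]}"; do
  log_tcp "$host" "$MDB" 22 130MDB
  log_tcp "$host" "$SDB" 22 130SDB
done
for host in "${CORP_HOSTS[@]}"; do
  log_tcp "$host" "$MDB" 22   SSH-MDB
  log_tcp "$host" "$MDB" 3306 CMDB
  log_tcp "$host" "$SDB" 22   SSH-SDB
  log_tcp "$host" "$SDB" 3306 CSDB
done

# Web -> MasterDB MySQL. Fix vs. the original: it required source ports 80/443
# on the client side of a MySQL connection (clients use ephemeral ports), so it
# could never match. There is still no LOG rule for the web -> SlaveDB flow
# that is accepted below.
iptables -A FORWARD -p tcp --dport 3306 -s "$WEB_LOG_HOST" -d "$MDB" \
  -m limit --limit 6/m --limit-burst 50 -j LOG --log-prefix "[DB-CONNECT]"
iptables -A FORWARD -p tcp --sport 3306 -s "$MDB" -d "$WEB_LOG_HOST" \
  -m limit --limit 6/m --limit-burst 50 -j LOG --log-prefix "[WEB-CONNECT]"

# MasterDB -> FTPS backup host (the DB initiates).
iptables -A FORWARD -p tcp -m multiport --dports "$FTPS_PORTS" -s "$MDB" -d "$FTPS_LOG_HOST" \
  -m limit --limit 6/m --limit-burst 50 -j LOG --log-prefix "[FTPS-BACKUP]"
iptables -A FORWARD -p tcp -m multiport --sports "$FTPS_PORTS" -s "$FTPS_LOG_HOST" -d "$MDB" \
  -m limit --limit 6/m --limit-burst 50 -j LOG --log-prefix "[FTPS-CHECK]"

# --- FORWARD accepts ------------------------------------------------------------------
# 3T group -> MDB/SDB over SSH. (The original listed these rules twice; the
# duplicates are dropped - a second identical ACCEPT never matches anything.)
for host in "${T3_HOSTS[@]}"; do
  allow_tcp "$host" "$MDB" 22
  allow_tcp "$host" "$SDB" 22
done

# "logi team" <-> MasterDB.
# Fix vs. the original: these two rules had no state match, so any packet from
# 70.70.70.0/24 with source port 22 was accepted towards MDB on *any* port
# (classic source-port bypass). The direction is kept as written - MDB opens SSH
# into the logi network - but NOTE(review): that is the opposite of every other
# SSH rule in this file; if the intent is logi team -> MDB, replace the call with
# `allow_tcp "$LOGI_NET" "$MDB" 22`.
allow_tcp "$MDB" "$LOGI_NET" 22

# Corporation -> MDB/SDB: SSH (only the security team reaches the DBs over SSH)
# and MySQL.
for host in "${CORP_HOSTS[@]}"; do
  allow_tcp "$host" "$MDB" 22
  allow_tcp "$host" "$MDB" 3306
  allow_tcp "$host" "$SDB" 22
  allow_tcp "$host" "$SDB" 3306
done

# MasterDB -> FTPS backup host (DB initiates: control, alternate port, passive data range).
allow_tcp "$MDB" "$FTPS_HOST" "$FTPS_PORTS"

# https front end -> MySQL on both DBs.
allow_tcp "$WEB_HOST" "$MDB" 3306
allow_tcp "$WEB_HOST" "$SDB" 3306

# --- show the result ---------------------------------------------------------------------
# -n: no reverse DNS - with OUTPUT set to DROP and no DNS rule, name lookups can hang.
iptables -nvL
iptables -t nat -nvL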