Create a new iptables filter configuration file
vi /etc/sysconfig/iptables
Inbound traffic is filtered; outbound traffic is fully open.
Any packet that matches none of the filter rules is logged (and then rejected).
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# SSH, HTTP, HTTPS
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
# LOG
-A RH-Firewall-1-INPUT -m limit --limit 1/s -j LOG --log-prefix "[iptables firewall] : " --log-level=info
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
rsyslog configuration
vi /etc/rsyslog.conf
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console
kern.info                                               /var/log/iptables.log
Restart iptables and rsyslog
/etc/init.d/iptables restart
/etc/init.d/rsyslog restart
Access a port that is not permitted and check the log
Jan 28 18:44:26 hogehoge kernel: [iptables firewall] : IN=eth0 OUT= MAC=XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX SRC=yyy.yyy.yyy.yyy DST=zzz.zzz.zzz.zzz LEN=52 TOS=0x00 PREC=0x00 TTL=116 ID=23725 DF PROTO=TCP SPT=37967 DPT=8080 WINDOW=8192 RES=0x00 SYN URGP=0
Jan 28 18:44:26 hogehoge kernel: [iptables firewall] : IN=eth0 OUT= MAC=XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX SRC=yyy.yyy.yyy.yyy DST=zzz.zzz.zzz.zzz LEN=52 TOS=0x00 PREC=0x00 TTL=116 ID=23726 DF PROTO=TCP SPT=38761 DPT=8080 WINDOW=8192 RES=0x00 SYN URGP=0
Jan 28 18:44:26 hogehoge kernel: [iptables firewall] : IN=eth0 OUT= MAC=XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX SRC=yyy.yyy.yyy.yyy DST=zzz.zzz.zzz.zzz LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=44998 PROTO=TCP SPT=37967 DPT=8080 WINDOW=1024 RES=0x00 ACK RST URGP=0
Jan 28 18:44:26 hogehoge kernel: [iptables firewall] : IN=eth0 OUT= MAC=XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX SRC=yyy.yyy.yyy.yyy DST=zzz.zzz.zzz.zzz LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=45000 PROTO=TCP SPT=38761 DPT=8080 WINDOW=1024 RES=0x00 ACK RST URGP=0
Jan 28 18:44:26 hogehoge kernel: [iptables firewall] : IN=eth0 OUT= MAC=XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX SRC=yyy.yyy.yyy.yyy DST=zzz.zzz.zzz.zzz LEN=52 TOS=0x00 PREC=0x00 TTL=116 ID=23728 DF PROTO=TCP SPT=41488 DPT=8080 WINDOW=8192 RES=0x00 SYN URGP=0
Jan 28 18:44:33 hogehoge kernel: [iptables firewall] : IN=eth0 OUT= MAC=XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX SRC=yyy.yyy.yyy.yyy DST=zzz.zzz.zzz.zzz LEN=48 TOS=0x00 PREC=0x00 TTL=116 ID=23734 DF PROTO=TCP SPT=52180 DPT=8080 WINDOW=8192 RES=0x00 SYN URGP=0
Jan 28 18:44:33 hogehoge kernel: [iptables firewall] : IN=eth0 OUT= MAC=XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX SRC=yyy.yyy.yyy.yyy DST=zzz.zzz.zzz.zzz LEN=48 TOS=0x00 PREC=0x00 TTL=116 ID=23733 DF PROTO=TCP SPT=47279 DPT=8080 WINDOW=8192 RES=0x00 SYN URGP=0
Jan 28 18:44:33 hogehoge kernel: [iptables firewall] : IN=eth0 OUT= MAC=XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX SRC=yyy.yyy.yyy.yyy DST=zzz.zzz.zzz.zzz LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=45028 PROTO=TCP SPT=52180 DPT=8080 WINDOW=1024 RES=0x00 ACK RST URGP=0
Jan 28 18:44:33 hogehoge kernel: [iptables firewall] : IN=eth0 OUT= MAC=XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX SRC=yyy.yyy.yyy.yyy DST=zzz.zzz.zzz.zzz LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=45030 PROTO=TCP SPT=47279 DPT=8080 WINDOW=1024 RES=0x00 ACK RST URGP=0
Jan 28 18:44:33 hogehoge kernel: [iptables firewall] : IN=eth0 OUT= MAC=XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX SRC=yyy.yyy.yyy.yyy DST=zzz.zzz.zzz.zzz LEN=48 TOS=0x00 PREC=0x00 TTL=116 ID=23748 DF PROTO=TCP SPT=56318 DPT=8080 WINDOW=8192 RES=0x00 SYN URGP=0
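To turn /var/log/iptables.log into something you can review, here is an added example (not from the original page) that parses lines in the format shown above and counts rejected new inbound connection attempts per source address, protocol and destination port, ignoring the ACK/RST replies that also get logged. The sample log lines, host name and IP addresses are constructed.

```python
import re
from collections import Counter

# Constructed sample lines in the same format as the page's /var/log/iptables.log
SAMPLE_LOG = """\
Jan 28 18:44:26 hogehoge kernel: [iptables firewall] : IN=eth0 OUT= MAC=XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX SRC=198.51.100.7 DST=192.0.2.10 LEN=52 TOS=0x00 PREC=0x00 TTL=116 ID=23725 DF PROTO=TCP SPT=37967 DPT=8080 WINDOW=8192 RES=0x00 SYN URGP=0
Jan 28 18:44:26 hogehoge kernel: [iptables firewall] : IN=eth0 OUT= MAC=XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=44998 PROTO=TCP SPT=37967 DPT=8080 WINDOW=1024 RES=0x00 ACK RST URGP=0
Jan 28 18:44:33 hogehoge kernel: [iptables firewall] : IN=eth0 OUT= MAC=XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX SRC=198.51.100.7 DST=192.0.2.10 LEN=48 TOS=0x00 PREC=0x00 TTL=116 ID=23734 DF PROTO=TCP SPT=52180 DPT=3306 WINDOW=8192 RES=0x00 SYN URGP=0
Jan 28 18:44:40 hogehoge kernel: [iptables firewall] : IN=eth0 OUT= MAC=XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX SRC=203.0.113.9 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=100 PROTO=UDP SPT=5353 DPT=161 LEN=40
Jan 28 18:44:41 hogehoge kernel: unrelated kernel message
"""

PREFIX = "[iptables firewall] : "          # the --log-prefix set in the iptables rule
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")    # KEY=VALUE tokens (OUT= has an empty value)
FLAGS = {"SYN", "ACK", "RST", "FIN", "PSH", "URG", "DF"}  # bare tokens without '='

def parse_line(line):
    """Return the KEY=VALUE fields plus a 'flags' set, or None if this is not a firewall log line."""
    idx = line.find(PREFIX)
    if idx < 0:
        return None
    body = line[idx + len(PREFIX):]
    fields = dict(KV_RE.findall(body))
    fields["flags"] = {tok for tok in body.split() if tok in FLAGS}
    return fields

def new_connection_attempts(log_text):
    """Count rejected inbound packets that open a connection, keyed by (SRC, PROTO, DPT).

    For TCP only a plain SYN (no ACK) counts; the ACK/RST lines seen on the page are
    the remote side tearing down a probe and would otherwise double-count it.
    """
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is None or f.get("IN", "") == "":      # skip non-firewall and outbound lines
            continue
        if f.get("PROTO") == "TCP" and not ("SYN" in f["flags"] and "ACK" not in f["flags"]):
            continue
        counts[(f["SRC"], f["PROTO"], int(f["DPT"]))] += 1
    return counts

if __name__ == "__main__":
    for (src, proto, dport), n in new_connection_attempts(SAMPLE_LOG).most_common():
        print(f"{src:16} {proto:4} dport={dport:<5} attempts={n}")
```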