{"id":917,"date":"2016-02-02T05:34:04","date_gmt":"2016-02-01T20:34:04","guid":{"rendered":"http:\/\/www.kinryo.net\/?p=917"},"modified":"2016-05-13T13:50:17","modified_gmt":"2016-05-13T04:50:17","slug":"%ef%bc%98%ef%bc%9a%e3%83%95%e3%82%a1%e3%82%a4%e3%82%a2%e3%82%a6%e3%82%a9%e3%83%bc%e3%83%ab%e6%a7%8b%e7%af%89iptables","status":"publish","type":"post","link":"https:\/\/www.kinryo.net\/?p=917","title":{"rendered":"\uff18\uff1a\u30d5\u30a1\u30a4\u30a2\u30a6\u30a9\u30fc\u30eb\u69cb\u7bc9(iptables)"},"content":{"rendered":"<p>\u53c2\u8003URL\uff1a<a href=\"http:\/\/centossrv.com\/iptables.shtml\" target=\"_blank\">http:\/\/centossrv.com\/iptables.shtml<\/a><br \/>\n\u30b9\u30af\u30ea\u30d7\u30c8\u306e\u4f5c\u6210\uff08\uff12\uff10\uff11\uff16\u30fc\uff15\u30fc\uff11\uff10\u3001\u30b9\u30af\u30ea\u30d7\u30c8\u3092\u5909\u66f4\u3057\u307e\u3057\u305f\u3002\uff09<br \/>\n<span style=\"color: #008000;\"><span style=\"color: #ff6600;\">#<\/span> gedit iptables.sh<\/span><\/p>\n<pre><span style=\"color: #0000ff;\"><code>#!\/bin\/bash<\/code>\r\n\r\n#---------------------------------------#\r\n# \u8a2d\u5b9a\u958b\u59cb #\r\n#---------------------------------------#\r\n\r\n# \u5185\u90e8\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u30a2\u30c9\u30ec\u30b9\u5b9a\u7fa9\r\nLOCALNET=192.168.XXX.0\/24\r\n\r\n# XXX\u306f\u81ea\u8eab\u306eIP\u306b\u5909\u66f4\u306e\u4e8b\r\n\r\n#---------------------------------------#\r\n# \u8a2d\u5b9a\u7d42\u4e86 #\r\n#---------------------------------------#\r\n\r\n# \u30d5\u30a1\u30a4\u30a2\u30a6\u30a9\u30fc\u30eb\u505c\u6b62(\u3059\u3079\u3066\u306e\u30eb\u30fc\u30eb\u3092\u30af\u30ea\u30a2)\r\nif [ -f \/usr\/libexec\/iptables\/iptables.init ]; then\r\n\/usr\/libexec\/iptables\/iptables.init stop\r\nelse\r\n\/etc\/rc.d\/init.d\/iptables stop\r\nfi\r\n\r\n# \u30c7\u30d5\u30a9\u30eb\u30c8\u30eb\u30fc\u30eb(\u4ee5\u964d\u306e\u30eb\u30fc\u30eb\u306b\u30de\u30c3\u30c1\u3057\u306a\u304b\u3063\u305f\u5834\u5408\u306b\u9069\u7528\u3059\u308b\u30eb\u30fc\u30eb)\u8a2d\u5b9a\r\nIPTABLES_CONFIG=`mktemp`\r\necho \"*filter\" &gt;&gt; $IPTABLES_CONFIG\r\necho \":INPUT DROP [0:0]\" &gt;&gt; $IPTABLES_CONFIG # \u53d7\u4fe1\u306f\u3059\u3079\u3066\u7834\u68c4\r\necho \":FORWARD DROP [0:0]\" &gt;&gt; $IPTABLES_CONFIG # \u901a\u904e\u306f\u3059\u3079\u3066\u7834\u68c4\r\necho \":OUTPUT ACCEPT [0:0]\" &gt;&gt; $IPTABLES_CONFIG # \u9001\u4fe1\u306f\u3059\u3079\u3066\u8a31\u53ef\r\necho \":ACCEPT_COUNTRY - [0:0]\" &gt;&gt; $IPTABLES_CONFIG # \u6307\u5b9a\u3057\u305f\u56fd\u304b\u3089\u306e\u30a2\u30af\u30bb\u30b9\u3092\u8a31\u53ef\r\necho \":DROP_COUNTRY - [0:0]\" &gt;&gt; $IPTABLES_CONFIG # \u6307\u5b9a\u3057\u305f\u56fd\u304b\u3089\u306e\u30a2\u30af\u30bb\u30b9\u3092\u7834\u68c4\r\necho \":LOG_PINGDEATH - [0:0]\" &gt;&gt; $IPTABLES_CONFIG # Ping of Death\u653b\u6483\u306f\u30ed\u30b0\u3092\u8a18\u9332\u3057\u3066\u7834\u68c4\r\n\r\n# \u81ea\u30db\u30b9\u30c8\u304b\u3089\u306e\u30a2\u30af\u30bb\u30b9\u3092\u3059\u3079\u3066\u8a31\u53ef\r\necho \"-A INPUT -i lo -j ACCEPT\" &gt;&gt; $IPTABLES_CONFIG\r\n\r\n# \u5185\u90e8\u304b\u3089\u306e\u30a2\u30af\u30bb\u30b9\u3092\u3059\u3079\u3066\u8a31\u53ef\r\necho \"-A INPUT -s $LOCALNET -j ACCEPT\" &gt;&gt; $IPTABLES_CONFIG\r\n\r\n# \u5185\u90e8\u304b\u3089\u884c\u3063\u305f\u30a2\u30af\u30bb\u30b9\u306b\u5bfe\u3059\u308b\u5916\u90e8\u304b\u3089\u306e\u8fd4\u7b54\u30a2\u30af\u30bb\u30b9\u3092\u8a31\u53ef\r\necho \"-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT\" &gt;&gt; $IPTABLES_CONFIG\r\n\r\n# SYN Cookies\u3092\u6709\u52b9\u306b\u3059\u308b\r\n# \u203bTCP SYN Flood\u653b\u6483\u5bfe\u7b56\r\nsysctl -w net.ipv4.tcp_syncookies=1 &gt; \/dev\/null\r\nsed -i '\/net.ipv4.tcp_syncookies\/d' \/etc\/sysctl.conf\r\necho \"net.ipv4.tcp_syncookies=1\" &gt;&gt; \/etc\/sysctl.conf\r\n\r\n# \u30d6\u30ed\u30fc\u30c9\u30ad\u30e3\u30b9\u30c8\u30a2\u30c9\u30ec\u30b9\u5b9bping\u306b\u306f\u5fdc\u7b54\u3057\u306a\u3044\r\n# \u203bSmurf\u653b\u6483\u5bfe\u7b56\r\nsysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1 &gt; \/dev\/null\r\nsed -i '\/net.ipv4.icmp_echo_ignore_broadcasts\/d' \/etc\/sysctl.conf\r\necho \"net.ipv4.icmp_echo_ignore_broadcasts=1\" &gt;&gt; \/etc\/sysctl.conf\r\n\r\n# ICMP Redirect\u30d1\u30b1\u30c3\u30c8\u306f\u62d2\u5426\r\nsed -i '\/net.ipv4.conf.*.accept_redirects\/d' \/etc\/sysctl.conf\r\nfor dev in `ls \/proc\/sys\/net\/ipv4\/conf\/`\r\ndo\r\nsysctl -w net.ipv4.conf.$dev.accept_redirects=0 &gt; \/dev\/null\r\necho \"net.ipv4.conf.$dev.accept_redirects=0\" &gt;&gt; \/etc\/sysctl.conf\r\ndone\r\n\r\n# Source Routed\u30d1\u30b1\u30c3\u30c8\u306f\u62d2\u5426\r\nsed -i '\/net.ipv4.conf.*.accept_source_route\/d' \/etc\/sysctl.conf\r\nfor dev in `ls \/proc\/sys\/net\/ipv4\/conf\/`\r\ndo\r\nsysctl -w net.ipv4.conf.$dev.accept_source_route=0 &gt; \/dev\/null\r\necho \"net.ipv4.conf.$dev.accept_source_route=0\" &gt;&gt; \/etc\/sysctl.conf\r\ndone\r\n\r\n# \u30d5\u30e9\u30b0\u30e1\u30f3\u30c8\u5316\u3055\u308c\u305f\u30d1\u30b1\u30c3\u30c8\u306f\u30ed\u30b0\u3092\u8a18\u9332\u3057\u3066\u7834\u68c4\r\necho \"-A INPUT -f -j LOG --log-prefix \\\"[IPTABLES FRAGMENT] : \\\"\" &gt;&gt; $IPTABLES_CONFIG\r\necho \"-A INPUT -f -j DROP\" &gt;&gt; $IPTABLES_CONFIG\r\n\r\n# \u5916\u90e8\u3068\u306eNetBIOS\u95a2\u9023\u306e\u30a2\u30af\u30bb\u30b9\u306f\u30ed\u30b0\u3092\u8a18\u9332\u305b\u305a\u306b\u7834\u68c4\r\n# \u203b\u4e0d\u8981\u30ed\u30b0\u8a18\u9332\u9632\u6b62\r\necho \"-A INPUT ! -s $LOCALNET -p tcp -m multiport --dports 135,137,138,139,445 -j DROP\" &gt;&gt; $IPTABLES_CONFIG\r\necho \"-A INPUT ! -s $LOCALNET -p udp -m multiport --dports 135,137,138,139,445 -j DROP\" &gt;&gt; $IPTABLES_CONFIG\r\necho \"-A OUTPUT ! -d $LOCALNET -p tcp -m multiport --sports 135,137,138,139,445 -j DROP\" &gt;&gt; $IPTABLES_CONFIG\r\necho \"-A OUTPUT ! -d $LOCALNET -p udp -m multiport --sports 135,137,138,139,445 -j DROP\" &gt;&gt; $IPTABLES_CONFIG\r\n\r\n# 1\u79d2\u9593\u306b4\u56de\u3092\u8d85\u3048\u308bping\u306f\u30ed\u30b0\u3092\u8a18\u9332\u3057\u3066\u7834\u68c4\r\n# \u203bPing of Death\u653b\u6483\u5bfe\u7b56\r\necho \"-A LOG_PINGDEATH -m limit --limit 1\/s --limit-burst 4 -j ACCEPT\" &gt;&gt; $IPTABLES_CONFIG\r\necho \"-A LOG_PINGDEATH -j LOG --log-prefix \\\"[IPTABLES PINGDEATH] : \\\"\" &gt;&gt; $IPTABLES_CONFIG\r\necho \"-A LOG_PINGDEATH -j DROP\" &gt;&gt; $IPTABLES_CONFIG\r\necho \"-A INPUT -p icmp --icmp-type echo-request -j LOG_PINGDEATH\" &gt;&gt; $IPTABLES_CONFIG\r\n\r\n# \u5168\u30db\u30b9\u30c8(\u30d6\u30ed\u30fc\u30c9\u30ad\u30e3\u30b9\u30c8\u30a2\u30c9\u30ec\u30b9\u3001\u30de\u30eb\u30c1\u30ad\u30e3\u30b9\u30c8\u30a2\u30c9\u30ec\u30b9)\u5b9b\u30d1\u30b1\u30c3\u30c8\u306f\u30ed\u30b0\u3092\u8a18\u9332\u305b\u305a\u306b\u7834\u68c4\r\n# \u203b\u4e0d\u8981\u30ed\u30b0\u8a18\u9332\u9632\u6b62\r\necho \"-A INPUT -d 255.255.255.255 -j DROP\" &gt;&gt; $IPTABLES_CONFIG\r\necho \"-A INPUT -d 224.0.0.1 -j DROP\" &gt;&gt; $IPTABLES_CONFIG\r\n\r\n# 113\u756a\u30dd\u30fc\u30c8(IDENT)\u3078\u306e\u30a2\u30af\u30bb\u30b9\u306b\u306f\u62d2\u5426\u5fdc\u7b54\r\n# \u203b\u30e1\u30fc\u30eb\u30b5\u30fc\u30d0\u7b49\u306e\u30ec\u30b9\u30dd\u30f3\u30b9\u4f4e\u4e0b\u9632\u6b62\r\necho \"-A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset\" &gt;&gt; $IPTABLES_CONFIG\r\n\r\n# ACCEPT_COUNTRY_MAKE\u95a2\u6570\u5b9a\u7fa9\r\n# \u6307\u5b9a\u3055\u308c\u305f\u56fd\u306eIP\u30a2\u30c9\u30ec\u30b9\u304b\u3089\u306e\u30a2\u30af\u30bb\u30b9\u3092\u8a31\u53ef\u3059\u308b\u30e6\u30fc\u30b6\u5b9a\u7fa9\u30c1\u30a7\u30a4\u30f3\u4f5c\u6210\r\nACCEPT_COUNTRY_MAKE(){\r\nfor addr in `cat \/tmp\/cidr.txt|grep ^$1|awk '{print $2}'`\r\ndo\r\necho \"-A ACCEPT_COUNTRY -s $addr -j ACCEPT\" &gt;&gt; $IPTABLES_CONFIG\r\ndone\r\ngrep ^$1 $IP_LIST &gt;&gt; $CHK_IP_LIST\r\n}\r\n\r\n# DROP_COUNTRY_MAKE\u95a2\u6570\u5b9a\u7fa9\r\n# \u6307\u5b9a\u3055\u308c\u305f\u56fd\u306eIP\u30a2\u30c9\u30ec\u30b9\u304b\u3089\u306e\u30a2\u30af\u30bb\u30b9\u3092\u7834\u68c4\u3059\u308b\u30e6\u30fc\u30b6\u5b9a\u7fa9\u30c1\u30a7\u30a4\u30f3\u4f5c\u6210\r\nDROP_COUNTRY_MAKE(){\r\nfor addr in `cat \/tmp\/cidr.txt|grep ^$1|awk '{print $2}'`\r\ndo\r\necho \"-A DROP_COUNTRY -s $addr -m limit --limit 1\/s -j LOG --log-prefix \\\"[IPTABLES DENY_COUNTRY] : \\\"\" &gt;&gt; $IPTABLES_CONFIG\r\necho \"-A DROP_COUNTRY -s $addr -j DROP\" &gt;&gt; $IPTABLES_CONFIG\r\ndone\r\ngrep ^$1 $IP_LIST &gt;&gt; $CHK_IP_LIST\r\n}\r\n\r\n# IP\u30a2\u30c9\u30ec\u30b9\u30ea\u30b9\u30c8\u53d6\u5f97\r\nIP_LIST=\/tmp\/cidr.txt\r\nCHK_IP_LIST=\/tmp\/IPLIST\r\nif [ ! -f $IP_LIST ]; then\r\nwget -q http:\/\/nami.jp\/ipv4bycc\/cidr.txt.gz\r\ngunzip -c cidr.txt.gz &gt; $IP_LIST\r\nrm -f cidr.txt.gz\r\nfi\r\nrm -f $CHK_IP_LIST\r\n\r\n# \u65e5\u672c\u304b\u3089\u306e\u30a2\u30af\u30bb\u30b9\u3092\u8a31\u53ef\u3059\u308b\u30e6\u30fc\u30b6\u5b9a\u7fa9\u30c1\u30a7\u30a4\u30f3ACCEPT_COUNTRY\u4f5c\u6210\r\nACCEPT_COUNTRY_MAKE JP\r\n# \u4ee5\u964d,\u65e5\u672c\u304b\u3089\u306e\u307f\u30a2\u30af\u30bb\u30b9\u3092\u8a31\u53ef\u3057\u305f\u3044\u5834\u5408\u306fACCEPT\u306e\u304b\u308f\u308a\u306bACCEPT_COUNTRY\u3092\u6307\u5b9a\u3059\u308b\r\n\r\n# \u5168\u56fd\u8b66\u5bdf\u65bd\u8a2d\u3078\u306e\u653b\u6483\u5143\u4e0a\u4f4d\uff15\u30ab\u56fd(\u65e5\u672c\u30fb\u30a2\u30e1\u30ea\u30ab\u3092\u9664\u304f)\u304b\u3089\u306e\u30a2\u30af\u30bb\u30b9\u3092\u30ed\u30b0\u3092\u8a18\u9332\u3057\u3066\u7834\u68c4\r\n# http:\/\/www.cyberpolice.go.jp\/detect\/observation.html\u3088\u308a\r\nDROP_COUNTRY_MAKE CN\r\nDROP_COUNTRY_MAKE CA\r\nDROP_COUNTRY_MAKE IR\r\nDROP_COUNTRY_MAKE NL\r\nDROP_COUNTRY_MAKE TW\r\necho \"-A INPUT -j DROP_COUNTRY\" &gt;&gt; $IPTABLES_CONFIG\r\n\r\n#----------------------------------------------------------#\r\n# \u5404\u7a2e\u30b5\u30fc\u30d3\u30b9\u3092\u516c\u958b\u3059\u308b\u5834\u5408\u306e\u8a2d\u5b9a(\u3053\u3053\u304b\u3089) #\r\n#----------------------------------------------------------#\r\n\r\n# \u5916\u90e8\u304b\u3089\u306eTCP22\u756a\u30dd\u30fc\u30c8(SSH)\u3078\u306e\u30a2\u30af\u30bb\u30b9\u3092\u65e5\u672c\u304b\u3089\u306e\u307f\u8a31\u53ef\r\n# \u203bSSH\u30b5\u30fc\u30d0\u30fc\u3092\u516c\u958b\u3059\u308b\u5834\u5408\u306e\u307f\r\necho \"-A INPUT -p tcp --dport 22 -j ACCEPT_COUNTRY\" &gt;&gt; $IPTABLES_CONFIG\r\n\r\n# \u5916\u90e8\u304b\u3089\u306eTCP\/UDP53\u756a\u30dd\u30fc\u30c8(DNS)\u3078\u306e\u30a2\u30af\u30bb\u30b9\u3092\u8a31\u53ef\r\n# \u203b\u5916\u90e8\u5411\u3051DNS\u30b5\u30fc\u30d0\u30fc\u3092\u904b\u7528\u3059\u308b\u5834\u5408\u306e\u307f\r\n#echo \"-A INPUT -p tcp --dport 53 -j ACCEPT\" &gt;&gt; $IPTABLES_CONFIG\r\n#echo \"-A INPUT -p udp --dport 53 -j ACCEPT\" &gt;&gt; $IPTABLES_CONFIG\r\n\r\n# \u5916\u90e8\u304b\u3089\u306eTCP80\u756a\u30dd\u30fc\u30c8(HTTP)\u3078\u306e\u30a2\u30af\u30bb\u30b9\u3092\u8a31\u53ef\r\n# \u203bWeb\u30b5\u30fc\u30d0\u30fc\u3092\u516c\u958b\u3059\u308b\u5834\u5408\u306e\u307f\r\n#echo \"-A INPUT -p tcp --dport 80 -j ACCEPT\" &gt;&gt; $IPTABLES_CONFIG\r\n\r\n# \u5916\u90e8\u304b\u3089\u306eTCP443\u756a\u30dd\u30fc\u30c8(HTTPS)\u3078\u306e\u30a2\u30af\u30bb\u30b9\u3092\u8a31\u53ef\r\n# \u203bWeb\u30b5\u30fc\u30d0\u30fc\u3092\u516c\u958b\u3059\u308b\u5834\u5408\u306e\u307f\r\n#echo \"-A INPUT -p tcp --dport 443 -j ACCEPT\" &gt;&gt; $IPTABLES_CONFIG\r\n\r\n# \u5916\u90e8\u304b\u3089\u306eTCP21\u756a\u30dd\u30fc\u30c8(FTP)\u3078\u306e\u30a2\u30af\u30bb\u30b9\u3092\u65e5\u672c\u304b\u3089\u306e\u307f\u8a31\u53ef\r\n# \u203bFTP\u30b5\u30fc\u30d0\u30fc\u3092\u516c\u958b\u3059\u308b\u5834\u5408\u306e\u307f\r\n#echo \"-A INPUT -p tcp --dport 21 -j ACCEPT_COUNTRY\" &gt;&gt; $IPTABLES_CONFIG\r\n\r\n# \u5916\u90e8\u304b\u3089\u306ePASV\u7528\u30dd\u30fc\u30c8(FTP-DATA)\u3078\u306e\u30a2\u30af\u30bb\u30b9\u3092\u65e5\u672c\u304b\u3089\u306e\u307f\u8a31\u53ef\r\n# \u203bFTP\u30b5\u30fc\u30d0\u30fc\u3092\u516c\u958b\u3059\u308b\u5834\u5408\u306e\u307f\r\n# \u203bPASV\u7528\u30dd\u30fc\u30c860000:60030\u306f\u5f53\u30b5\u30a4\u30c8\u306e\u8a2d\u5b9a\u4f8b\r\n#echo \"-A INPUT -p tcp --dport 60000:60030 -j ACCEPT_COUNTRY\" &gt;&gt; $IPTABLES_CONFIG\r\n\r\n# \u5916\u90e8\u304b\u3089\u306eTCP25\u756a\u30dd\u30fc\u30c8(SMTP)\u3078\u306e\u30a2\u30af\u30bb\u30b9\u3092\u8a31\u53ef\r\n# \u203bSMTP\u30b5\u30fc\u30d0\u30fc\u3092\u516c\u958b\u3059\u308b\u5834\u5408\u306e\u307f\r\n#echo \"-A INPUT -p tcp --dport 25 -j ACCEPT\" &gt;&gt; $IPTABLES_CONFIG\r\n\r\n# \u5916\u90e8\u304b\u3089\u306eTCP465\u756a\u30dd\u30fc\u30c8(SMTPS)\u3078\u306e\u30a2\u30af\u30bb\u30b9\u3092\u65e5\u672c\u304b\u3089\u306e\u307f\u8a31\u53ef\r\n# \u203bSMTPS\u30b5\u30fc\u30d0\u30fc\u3092\u516c\u958b\u3059\u308b\u5834\u5408\u306e\u307f\r\n#echo \"-A INPUT -p tcp --dport 465 -j ACCEPT_COUNTRY\" &gt;&gt; $IPTABLES_CONFIG\r\n\r\n# \u5916\u90e8\u304b\u3089\u306eTCP110\u756a\u30dd\u30fc\u30c8(POP3)\u3078\u306e\u30a2\u30af\u30bb\u30b9\u3092\u65e5\u672c\u304b\u3089\u306e\u307f\u8a31\u53ef\r\n# \u203bPOP3\u30b5\u30fc\u30d0\u30fc\u3092\u516c\u958b\u3059\u308b\u5834\u5408\u306e\u307f\r\n#echo \"-A INPUT -p tcp --dport 110 -j ACCEPT_COUNTRY\" &gt;&gt; $IPTABLES_CONFIG\r\n\r\n# \u5916\u90e8\u304b\u3089\u306eTCP995\u756a\u30dd\u30fc\u30c8(POP3S)\u3078\u306e\u30a2\u30af\u30bb\u30b9\u3092\u65e5\u672c\u304b\u3089\u306e\u307f\u8a31\u53ef\r\n# \u203bPOP3S\u30b5\u30fc\u30d0\u30fc\u3092\u516c\u958b\u3059\u308b\u5834\u5408\u306e\u307f\r\n#echo \"-A INPUT -p tcp --dport 995 -j ACCEPT_COUNTRY\" &gt;&gt; $IPTABLES_CONFIG\r\n\r\n# \u5916\u90e8\u304b\u3089\u306eTCP143\u756a\u30dd\u30fc\u30c8(IMAP)\u3078\u306e\u30a2\u30af\u30bb\u30b9\u3092\u65e5\u672c\u304b\u3089\u306e\u307f\u8a31\u53ef\r\n# \u203bIMAP\u30b5\u30fc\u30d0\u30fc\u3092\u516c\u958b\u3059\u308b\u5834\u5408\u306e\u307f\r\n#echo \"-A INPUT -p tcp --dport 143 -j ACCEPT_COUNTRY\" &gt;&gt; $IPTABLES_CONFIG\r\n\r\n# \u5916\u90e8\u304b\u3089\u306eTCP993\u756a\u30dd\u30fc\u30c8(IMAPS)\u3078\u306e\u30a2\u30af\u30bb\u30b9\u3092\u65e5\u672c\u304b\u3089\u306e\u307f\u8a31\u53ef\r\n# \u203bIMAPS\u30b5\u30fc\u30d0\u30fc\u3092\u516c\u958b\u3059\u308b\u5834\u5408\u306e\u307f\r\n#echo \"-A INPUT -p tcp --dport 993 -j ACCEPT_COUNTRY\" &gt;&gt; $IPTABLES_CONFIG\r\n\r\n# \u5916\u90e8\u304b\u3089\u306eUDP1194\u756a\u30dd\u30fc\u30c8(OpenVPN)\u3078\u306e\u30a2\u30af\u30bb\u30b9\u3092\u65e5\u672c\u304b\u3089\u306e\u307f\u8a31\u53ef\r\n# \u203bOpenVPN\u30b5\u30fc\u30d0\u30fc\u3092\u516c\u958b\u3059\u308b\u5834\u5408\u306e\u307f\r\n#echo \"-A INPUT -p udp --dport 1194 -j ACCEPT_COUNTRY\" &gt;&gt; $IPTABLES_CONFIG\r\n\r\n# VPN\u30a4\u30f3\u30bf\u30d5\u30a7\u30fc\u30b9\u7528\u30d5\u30a1\u30a4\u30a2\u30a6\u30a9\u30fc\u30eb\u8a2d\u5b9a\r\n# \u203bOpenVPN\u30b5\u30fc\u30d0\u30fc\u3092\u516c\u958b\u3059\u308b\u5834\u5408\u306e\u307f\r\n#[ -f \/etc\/openvpn\/openvpn-startup ] &amp;&amp; \\\r\n#grep ^iptables \/etc\/openvpn\/openvpn-startup|sed -e 's\/iptables \/\/p' -e d &gt;&gt; $IPTABLES_CONFIG\r\n\r\n# vnc server\r\necho \"-A INPUT -p tcp --dport 5900:5910 -j ACCEPT_COUNTRY\" &gt;&gt; $IPTABLES_CONFIG\r\n\r\n# bacula-fd --\u5185\u90e8\u304b\u3089\u306e\u30a2\u30af\u30bb\u30b9\u3092\u3059\u3079\u3066\u8a31\u53ef\u3057\u3066\u3044\u308b\u306e\u3067\u5fc5\u8981\u306a\u3044--\r\n#echo \"-A INPUT -p tcp --dport 9102 -j ACCEPT_COUNTRY\" &gt;&gt; $IPTABLES_CONFIG\r\n\r\n# zabbix server --\u81ea\u30db\u30b9\u30c8\u304b\u3089\u306e\u30a2\u30af\u30bb\u30b9\u3092\u3059\u3079\u3066\u8a31\u53ef\u3057\u3066\u3044\u308b\u306e\u3067\u5fc5\u8981\u306a\u3044--\r\n#echo \"-A INPUT -p tcp --dport 10051 -j ACCEPT_COUNTRY\" &gt;&gt; $IPTABLES_CONFIG\r\n\r\n#----------------------------------------------------------#\r\n# \u5404\u7a2e\u30b5\u30fc\u30d3\u30b9\u3092\u516c\u958b\u3059\u308b\u5834\u5408\u306e\u8a2d\u5b9a(\u3053\u3053\u307e\u3067) #\r\n#----------------------------------------------------------#\r\n\r\n# \u62d2\u5426IP\u30a2\u30c9\u30ec\u30b9\u304b\u3089\u306e\u30a2\u30af\u30bb\u30b9\u306f\u30ed\u30b0\u3092\u8a18\u9332\u305b\u305a\u306b\u7834\u68c4\r\n# \u203b\u62d2\u5426IP\u30a2\u30c9\u30ec\u30b9\u306f\/root\/deny_ip\u306b1\u884c\u3054\u3068\u306b\u8a18\u8ff0\u3057\u3066\u304a\u304f\u3053\u3068\r\n# (\/root\/deny_ip\u304c\u306a\u3051\u308c\u3070\u306a\u306b\u3082\u3057\u306a\u3044)\r\nif [ -s \/root\/deny_ip ]; then\r\nfor ip in `cat \/root\/deny_ip`\r\ndo\r\necho \"-I INPUT -s $ip -j DROP\" &gt;&gt; $IPTABLES_CONFIG\r\ndone\r\nfi\r\n\r\n# \u4e0a\u8a18\u306e\u30eb\u30fc\u30eb\u306b\u30de\u30c3\u30c1\u3057\u306a\u304b\u3063\u305f\u30a2\u30af\u30bb\u30b9\u306f\u30ed\u30b0\u3092\u8a18\u9332\u3057\u3066\u7834\u68c4\r\necho \"-A INPUT -m limit --limit 1\/s -j LOG --log-prefix \\\"[IPTABLES INPUT] : \\\"\" &gt;&gt; $IPTABLES_CONFIG\r\necho \"-A INPUT -j DROP\" &gt;&gt; $IPTABLES_CONFIG\r\necho \"-A FORWARD -m limit --limit 1\/s -j LOG --log-prefix \\\"[IPTABLES FORWARD] : \\\"\" &gt;&gt; $IPTABLES_CONFIG\r\necho \"-A FORWARD -j DROP\" &gt;&gt; $IPTABLES_CONFIG\r\n\r\n# \u30d5\u30a1\u30a4\u30a2\u30a6\u30a9\u30fc\u30eb\u8a2d\u5b9a\u53cd\u6620\r\necho \"COMMIT\" &gt;&gt; $IPTABLES_CONFIG\r\ncat $IPTABLES_CONFIG | iptables-restore\r\nif [ -f \/usr\/libexec\/iptables\/iptables.init ]; then\r\n\/usr\/libexec\/iptables\/iptables.init save\r\nelse\r\n\/etc\/rc.d\/init.d\/iptables save\r\nfi\r\nrm -f $IPTABLES_CONFIG<\/span><\/pre>\n<p>\u30d5\u30a1\u30a4\u30a2\u30a6\u30a9\u30fc\u30eb\u8a2d\u5b9a\u30b9\u30af\u30ea\u30d7\u30c8\u5916\u90e8\u95a2\u6570\u4f5c\u6210<\/p>\n<p><span style=\"color: #008000;\"><span style=\"color: #ff6600;\">#<\/span> gedit iptables_functions<\/span><\/p>\n<div class=\"xoopsCode\">\n<pre><code><span style=\"color: #0000ff;\"># IP\u30a2\u30c9\u30ec\u30b9\u30ea\u30b9\u30c8\u53d6\u5f97\u95a2\u6570\u5b9a\u7fa9\r\nIPLISTGET(){\r\n    # http:\/\/nami.jp\/ipv4bycc\/\u304b\u3089\u6700\u65b0\u7248IP\u30a2\u30c9\u30ec\u30b9\u30ea\u30b9\u30c8\u3092\u53d6\u5f97\u3059\u308b\r\n    wget -q http:\/\/nami.jp\/ipv4bycc\/cidr.txt.gz\r\n    gunzip cidr.txt.gz\r\n    # \u6700\u65b0\u7248IP\u30a2\u30c9\u30ec\u30b9\u30ea\u30b9\u30c8\u304c\u53d6\u5f97\u3067\u304d\u306a\u304b\u3063\u305f\u5834\u5408\r\n    if [ ! -f cidr.txt ]; then\r\n        if [ -f \/tmp\/cidr.txt ]; then\r\n            # \u30d0\u30c3\u30af\u30a2\u30c3\u30d7\u304c\u3042\u308b\u5834\u5408\u306f\u305d\u306e\u65e8\u3092root\u5b9b\u306b\u30e1\u30fc\u30eb\u901a\u77e5\u3057\u3066\u51e6\u7406\u3092\u6253\u3061\u5207\u308b\r\n            echo cidr.txt was read from the backup! | mail -s $0 root\r\n            return\r\n        else\r\n            # \u30d0\u30c3\u30af\u30a2\u30c3\u30d7\u304c\u306a\u3044\u5834\u5408\u306f\u305d\u306e\u65e8\u3092root\u5b9b\u306b\u30e1\u30fc\u30eb\u901a\u77e5\u3057\u3066\u51e6\u7406\u3092\u6253\u3061\u5207\u308b\r\n            echo cidr.txt not found!|mail -s $0 root\r\n            exit 1<\/span>\r\n<span style=\"color: #0000ff;\">        fi\r\n    fi\r\n    # \u6700\u65b0\u7248IP\u30a2\u30c9\u30ec\u30b9\u30ea\u30b9\u30c8\u3092 \/tmp\u3078\u30d0\u30c3\u30af\u30a2\u30c3\u30d7\u3059\u308b\r\n    \/bin\/mv cidr.txt \/tmp\/cidr.txt\r\n}<\/span><\/code><\/pre>\n<\/div>\n<p>IP\u30a2\u30c9\u30ec\u30b9\u30ea\u30b9\u30c8\u30c1\u30a7\u30c3\u30af\u30b9\u30af\u30ea\u30d7\u30c8\u4f5c\u6210<br \/>\n<span style=\"color: #008000;\"><span style=\"color: #ff6600;\">#<\/span> gedit \/etc\/cron.daily\/iplist_check.sh<\/span><\/p>\n<div class=\"xoopsCode\">\n<pre><span style=\"color: #0000ff;\"><code><span style=\"color: #0000ff;\">#!\/bin\/bash\r\nPATH=\/usr\/local\/sbin:\/usr\/local\/bin:\/sbin:\/bin:\/usr\/sbin:\/usr\/bin\r\n# \u65b0\u65e7IPLIST\u5dee\u5206\u30c1\u30a7\u30c3\u30af\u4ef6\u6570(0\u3092\u6307\u5b9a\u3059\u308b\u3068\u30c1\u30a7\u30c3\u30af\u3057\u306a\u3044)\r\n# \u203b\u65b0\u65e7IPLIST\u5dee\u5206\u304cSABUN_CHK\u3067\u6307\u5b9a\u3057\u305f\u4ef6\u6570\u3092\u8d8a\u3048\u308b\u5834\u5408\u306fiptables\u8a2d\u5b9a\u30b9\u30af\u30ea\u30d7\u30c8\u3092\u5b9f\u884c\u3057\u306a\u3044\r\n# \u203b\u65b0\u65e7IPLIST\u5dee\u5206\u30c1\u30a7\u30c3\u30af\u7406\u7531\u306fhttp:\/\/centossrv.com\/bbshtml\/webpatio\/1592.shtml\u3092\u53c2\u7167\r\nSABUN_CHK=100\r\n[ $# -ne 0 ] &amp;&amp; SABUN_CHK=${1}\r\n\r\n# \u30c1\u30a7\u30c3\u30af\u56fd\u30b3\u30fc\u30c9\r\nCOUNTRY_CODE='JP CN IR RU CA NL TW'\r\n\r\n# iptables\u8a2d\u5b9a\u30b9\u30af\u30ea\u30d7\u30c8\u30d1\u30b9\r\nIPTABLES=\/root\/iptables.sh\r\n\r\n# iptables\u8a2d\u5b9a\u30b9\u30af\u30ea\u30d7\u30c8\u5916\u90e8\u95a2\u6570\u53d6\u308a\u8fbc\u307f\r\n. \/root\/iptables_functions\r\n\r\n# IP\u30a2\u30c9\u30ec\u30b9\u30ea\u30b9\u30c8\u6700\u65b0\u5316\r\nrm -f IPLIST.new<\/span>\r\n<span style=\"color: #0000ff;\">IPLISTGET\r\nfor country in $COUNTRY_CODE\r\ndo\r\n    if [ -f \/tmp\/cidr.txt ]; then\r\n        grep ^$country \/tmp\/cidr.txt &gt;&gt; IPLIST.new\r\n    else\r\n        grep ^$country \/tmp\/IPLIST &gt;&gt; IPLIST.new\r\n    fi\r\ndone\r\n[ ! -f \/tmp\/IPLIST ] &amp;&amp; cp IPLIST.new \/tmp\/IPLIST\r\n\r\n# IP\u30a2\u30c9\u30ec\u30b9\u30ea\u30b9\u30c8\u66f4\u65b0\u30c1\u30a7\u30c3\u30af\r\ndiff -q \/tmp\/IPLIST IPLIST.new &gt; \/dev\/null 2&gt;&amp;1\r\nif [ $? -ne 0 ]; then\r\n    if [ ${SABUN_CHK} -ne 0 ]; then\r\n        if [ $(diff \/tmp\/IPLIST IPLIST.new | egrep -c '&lt;|&gt;') -gt ${SABUN_CHK} ]; then\r\n            (\r\n             diff \/tmp\/IPLIST IPLIST.new\r\n             echo\r\n             echo \"$IPTABLES not executed.\"\r\n            ) | mail -s 'IPLIST UPDATE' root\r\n            rm -f IPLIST.new\r\n            exit\r\n        fi \r\n    fi\r\n    \/bin\/mv IPLIST.new \/tmp\/IPLIST\r\n    sh $IPTABLES &gt; \/dev\/null\r\nelse\r\n    rm -f IPLIST.new\r\nfi<\/span><\/code><\/span><\/pre>\n<\/div>\n<p>IP\u30a2\u30c9\u30ec\u30b9\u30ea\u30b9\u30c8\u30c1\u30a7\u30c3\u30af\u30b9\u30af\u30ea\u30d7\u30c8\u306b\u5b9f\u884c\u6a29\u9650\u4ed8\u52a0<br \/>\n<span style=\"color: #008000;\"><span style=\"color: #ff6600;\">#<\/span> chmod +x \/etc\/cron.daily\/iplist_check.sh<\/span><br \/>\n\u30d5\u30a1\u30a4\u30a2\u30a6\u30a9\u30fc\u30eb\u8a2d\u5b9a\u30b9\u30af\u30ea\u30d7\u30c8\u5b9f\u884c<br \/>\n<span style=\"color: #008000;\"><span style=\"color: #ff6600;\">#<\/span> sh iptables.sh<\/span><br \/>\niptables\u81ea\u52d5\u8d77\u52d5\u8a2d\u5b9a<br \/>\n<span style=\"color: #008000;\"><span style=\"color: #ff6600;\">#<\/span> chkconfig iptables on<\/span><br \/>\n\u958b\u3044\u3066\u3044\u308b\u30dd\u30fc\u30c8\u3092\u8abf\u3079\u308b\u70ba\u306bnmap\u3068\u305d\u306eGUI\u30d5\u30ed\u30f3\u30c8\u30a8\u30f3\u30c9\u3092\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u3059\u308b<br \/>\n<span style=\"color: #008000;\"><span style=\"color: #ff6600;\">#<\/span> yum -y install nmap nmap-frontend<\/span><br \/>\n\u305d\u306e\u5f8c\u3001\u30dd\u30fc\u30c8\u3092\u30c1\u30a7\u30c3\u30af\u3059\u308b\u304cnmap\u306e\u4f7f\u3044\u65b9\u306fgoogle\u3067\u8abf\u3079\u3066\u306d<br \/>\n\u3053\u3053\u306a\u3093\u304b\u306f\u826f\u3055\u3052<a href=\"http:\/\/knowledge.sakura.ad.jp\/tech\/97\/\" target=\"_blank\">http:\/\/knowledge.sakura.ad.jp\/tech\/97\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>\u53c2\u8003URL\uff1ahttp:\/\/centossrv.com\/iptables.shtml \u30b9\u30af\u30ea\u30d7\u30c8\u306e\u4f5c\u6210\uff08\uff12\uff10\uff11\uff16\u30fc\uff15\u30fc\uff11\uff10\u3001\u30b9\u30af\u30ea\u30d7\u30c8\u3092\u5909\u66f4\u3057\u307e\u3057\u305f\u3002\uff09 # gedit iptables.sh #!\/bin\/bash #- &hellip; <a href=\"https:\/\/www.kinryo.net\/?p=917\">\u7d9a\u304d\u3092\u8aad\u3080 <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"vkexunit_cta_each_option":"","footnotes":""},"categories":[8],"tags":[],"class_list":["post-917","post","type-post","status-publish","format-standard","hentry","category-server"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.kinryo.net\/index.php?rest_route=\/wp\/v2\/posts\/917","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kinryo.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kinryo.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kinryo.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kinryo.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=917"}],"version-history":[{"count":9,"href":"https:\/\/www.kinryo.net\/index.php?rest_route=\/wp\/v2\/posts\/917\/revisions"}],"predecessor-version":[{"id":1112,"href":"https:\/\/www.kinryo.net\/index.php?rest_route=\/wp\/v2\/posts\/917\/revisions\/1112"}],"wp:attachment":[{"href":"https:\/\/www.kinryo.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=917"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kinryo.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=917"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kinryo.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=917"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}