\uc694\uc998 \uacf5\ubd80\ud558\uace0 \uc788\ub294 iptables \ub97c \uc774\uc6a9\ud55c \ubc29\ud654\ubcbd \uad6c\ucd95 \uad00\ub828\ud558\uc5ec…<\/p>\n
\ud55c\uac00\uc9c0 \ubb38\uc81c\uac00 \ub418\ub294 \ubd80\ubd84\uc774 \uc788\uc5c8\ub2e4.<\/p>\n
\uadf8\uac83\uc740 \ubc14\ub85c \ubc29\ud654\ubcbd\uc744 \uc124\uc815\ud558\uac8c \ub418\uba74 \uc774\uc0c1\ud558\uac8c \ub124\uc784\uc11c\ubc84 \uc9c8\uc758\uac00 \uc548\ub418\ub294 \uac83.<\/p>\n
\ubb38\uc81c\uc758 \ubc1c\ub2e8\uc740 \ub2e4\uc74c\uc758 \uc2a4\ud06c\ub9bd\ud2b8\ub97c \uc774\uc6a9\ud558\uc5ec \ubc29\ud654\ubcbd\uc744 \uc124\uc815\ud558\ub294 \uac83 \ubd80\ud130 \uc2dc\uc791\uc774\uc5c8\ub2e4.<\/p>\n
#!\/bin\/sh<\/p>\n
IPTABLES=\/sbin\/iptables
MODPROBE=\/sbin\/modprobe<\/p>\n### \uae30\uc874 \uaddc\uce59\uc744 \uc81c\uac70\ud558\uace0 \uccb4\uc778 \uc815\ucc45\uc744 DROP\uc73c\ub85c \uc124\uc815\ud55c\ub2e4.
echo “[+] Flushing existing iptables rules…”
$IPTABLES -F
$IPTABLES -X
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
### load connection-tracking modules
$MODPROBE ip_conntrack
$MODPROBE ip_conntrack_ftp<\/p>\n###### INPUT \uccb4\uc778 ######
echo “[+] Setting up INPUT chain…”
### \uc0c1\ud0dc \ucd94\uc801 \uaddc\uce59
$IPTABLES -A INPUT -m state –state INVALID -j LOG –log-prefix “DROP INVALID ” –log-ip-options –log-tcp-options
$IPTABLES -A INPUT -m state –state INVALID -j DROP
$IPTABLES -A INPUT -m state –state ESTABLISHED,RELATED -j ACCEPT<\/p>\n### ACCEPT \uaddc\uce59
#ftp
$IPTABLES -A INPUT -i eth0 -p tcp –dport 20 –syn -m state –state NEW -j ACCEPT
$IPTABLES -A INPUT -i eth0 -p tcp –dport 21 –syn -m state –state NEW -j ACCEPT
#ssh
$IPTABLES -A INPUT -i eth0 -p tcp –dport 22 –syn -m state –state NEW -j ACCEPT
#whois
$IPTABLES -A INPUT -i eth0 -p tcp –dport 43 –syn -m state –state NEW -j ACCEPT
#domain
$IPTABLES -A INPUT -i eth0 -p tcp –dport 53 –syn -m state –state NEW -j ACCEPT
#http
$IPTABLES -A INPUT -i eth0 -p tcp –dport 80 –syn -m state –state NEW -j ACCEPT
$IPTABLES -A INPUT -i eth0 -p udp –dport 80 -m state –state NEW -j ACCEPT
#https
$IPTABLES -A INPUT -i eth0 -p tcp –dport 443 –syn -m state –state NEW -j ACCEPT
#rsync
$IPTABLES -A INPUT -i eth0 -p tcp –dport 873 –syn -m state –state NEW -j ACCEPT
$IPTABLES -A INPUT -i eth0 -p udp –dport 873 -m state –state NEW -j ACCEPT
$IPTABLES -A INPUT -p icmp –icmp-type echo-request -j ACCEPT
$IPTABLES -A INPUT -i ! lo -j LOG –log-prefix “DROP ” –log-ip-options –log-tcp-options<\/p>\n###### OUTPUT \uccb4\uc778 ######
echo “[+] Setting up OUTPUT chain…”<\/p>\n### \uc0c1\ud0dc \ucd94\uc801 \uaddc\uce59
$IPTABLES -A OUTPUT -m state –state INVALID -j LOG –log-prefix “DROP INVALID ” –log-ip-options –log-tcp-options
$IPTABLES -A OUTPUT -m state –state INVALID -j DROP
$IPTABLES -A OUTPUT -m state –state ESTABLISHED,RELATED -j ACCEPT<\/p>\n### \uc678\ubd80\ub85c \ub098\uac00\ub294 \uc5f0\uacb0\uc744 \ud5c8\uc6a9\ud558\uae30 \uc704\ud55c ACCEPT \uaddc\uce59
#ftp
$IPTABLES -A OUTPUT -p tcp –dport 20 –syn -m state –state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp –dport 21 –syn -m state –state NEW -j ACCEPT
#ssh
$IPTABLES -A OUTPUT -p tcp –dport 22 –syn -m state –state NEW -j ACCEPT
#whois
$IPTABLES -A OUTPUT -p tcp –dport 43 –syn -m state –state NEW -j ACCEPT
#domain
$IPTABLES -A OUTPUT -p tcp –dport 53 –syn -m state –state NEW -j ACCEPT
#http
$IPTABLES -A OUTPUT -p tcp –dport 80 –syn -m state –state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p udp –dport 80 -m state –state NEW -j ACCEPT
#https
$IPTABLES -A OUTPUT -p tcp –dport 443 –syn -m state –state NEW -j ACCEPT
#rsync
$IPTABLES -A OUTPUT -p tcp –dport 873 –syn -m state –state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p udp –dport 873 -m state –state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p icmp –icmp-type echo-request -j ACCEPT<\/p>\n### \uae30\ubcf8 OUTPUT LOG \uaddc\uce59
$IPTABLES -A OUTPUT -o ! lo -j LOG –log-prefix “DROP ” –log-ip-options –log-tcp-options<\/p><\/blockquote>\n\ubcf4\uae30\uc5d0\ub294 \ubcc4 \ubb38\uc81c\uac00 \uc5c6\ub294 \ubc29\ud654\ubcbd \uc2a4\ud06c\ub9bd\ud2b8\uc774\ub2e4.<\/p>\n
\uae30\ubcf8\uc801\uc73c\ub85c \ubaa8\ub4e0 \uc785\ub825\uc5d0 \ub300\ud574 DROP \uc815\ucc45\uc744 \uace0\uc218\ud558\uace0 \uc11c\ube44\uc2a4\ud558\ub294 \ud2b9\uc815 \ud3ec\ud2b8\ub4e4\uc5d0 \ub300\ud574 \uc811\uadfc\uc744 \ud5c8\uac00\ud558\ub294 \ub0b4\uc6a9\uc778\ub370… \ud2b9\uc774\uc810\uc73c\ub85c ftp\uc5d0 \ub300\ud55c \ud3ec\ud2b8\uc640 rsync\ub97c \uc704\ud55c \ud3ec\ud2b8\ub97c \uac1c\ubc29\ud55c \ubd80\ubd84\uc5d0 \uc788\ub2e4.<\/p>\n
\uc774\ub294 \ub3d9\uc544\ub9ac\uc5d0\uc11c \uc11c\ube44\uc2a4 \uc911\uc778 \ubbf8\ub7ec\ub9c1 \uc0ac\uc774\ud2b8 \uc720\uc9c0\ub97c \uc704\ud574 \ud544\uc694\ud55c \ubd80\ubd84\uc774\uc5c8\uae30 \ub54c\ubb38\uc5d0 \ud2b9\ubcc4\ud788 \uc2e0\uacbd\uc37c\ub358 \ubd80\ubd84\uc774\uc5c8\ub2e4.<\/p>\n
\ud574\ub2f9 \uc2a4\ud06c\ub9bd\ud2b8\ub97c \uc801\uc6a9\uc2dc\ud0a8 \ud6c4, ssh \uc811\uc18d \ubc0f ftp, http \uc811\uc18d\uc774 \uc815\uc0c1\uc801\uc73c\ub85c \uc774\ub8e8\uc5b4\uc9c0\ub294 \uac83\uc744 \ud655\uc778\ud558\uc5ec \uc544\ubb34\ub7f0 \ubb38\uc81c\uac00 \uc5c6\ub294 \uc904 \uc54c\uc558\ub2e4.<\/p>\n
\ud558\uc9c0\ub9cc… \ubbf8\ub7ec\ub9c1\uc744 \uc704\ud55c rsync \uc2a4\ud06c\ub9bd\ud2b8\ub97c \ub3cc\ub9ac\uc790\ub9c8\uc790 \ub2e4\uc74c\uc758 \uc624\ub958\ub97c \ubc1c\uc0dd\ud558\uba70 \ud504\ub85c\uc138\uc2a4\uac00 \uc815\uc9c0\uac00 \ub418\ub294 \uac83\uc774\uc5c8\ub2e4.
<\/p>\nrsync: getaddrinfo: releases.ubuntu.com 873: Temporary failure in name resolution
rsync error: error in socket IO (code 10) at clientserver.c(122) [receiver=3.0.3]<\/p><\/blockquote>\n\uc5d0\ub7ec \ubc1c\uc0dd \uba54\uc2dc\uc9c0\uac00 \ub298 \uadf8\ub807\ub4ef\uc774 \ucc98\uc74c\ubcf4\ub294 \uc5d0\ub7ec\uba54\uc2dc\uc9c0\uc600\ub2e4. \ud558\uc9c0\ub9cc \uc5d0\ub7ec \uba54\uc2dc\uc9c0 \uc911 \uc775\uc219\ud55c \ubd80\ubd84\uc774 \ub208\uc5d0 \ub4e4\uc5b4\uc654\ub2e4. \ubc14\ub85c “getaddrinfo” \ub77c\ub294 \ubd80\ubd84\uacfc “socket IO” \ubd80\ubd84.<\/p>\n
\uadf8\ub807\ub2e4. \ub124\ud2b8\uc6cc\ud06c \ud504\ub85c\uadf8\ub798\ubc0d\uc5d0\uc11c \uc8fc\uc18c\ub97c \ubc1b\uc544\uc624\ub294 \ud568\uc218\ubd80\ubd84\uc778 \uac83\uc774\ub2e4. \ub2e4\ub978\uacf3\ub3c4 \uc544\ub2c8\uace0 \uc8fc\uc18c\ub97c \uc54c\uc544\ub0b4\ub294 \ubaa8\ub4c8\uc774 \uc2e4\ud328\ub97c \ud588\ub2e4\ub294 \uba54\uc2dc\uc9c0\uac00 \ub098\uc624\ub2c8 \uadf8\ub798\uc11c..\uc124\ub9c8\ud558\ub294 \ub9c8\uc74c\uc73c\ub85c dig \uba85\ub839\uc5b4\ub97c \uc774\uc6a9\ud55c IP \uc9c8\uc758\ub97c \ud574\ubcf4\uc558\ub2e4.<\/p>\n
\uc5ed\uc2dc\ub098\uc600\ub2e4. dig, nslookup \ub4f1\ub4f1\uc758 \uba85\ub839\uc5b4\uac00 \uba39\ud788\uc9c0 \uc54a\ub294\ub2e4. \uc774\uc0c1\ud588\ub2e4.<\/p>\n
resolve \uc9c8\uc758\ub97c \uc704\ud55c \ubd80\ubd84 \uc5ed\uc2dc \uc2a4\ud06c\ub9bd\ud2b8\uc5d0\uc11c\ub294 \uba85\ubc31\ud788 \uba85\uc2dc\ub97c \ud574\ub193\uc558\uae30 \ub54c\ubb38\uc774\ub2e4. \ubb34\uc5c7\uc774 \ubb38\uc81c\uc77c\uae4c. \uad6c\uae00\ub9c1 \ubc0f kldp\ub97c \ube44\ub86f\ud558\uc5ec \uc5ec\ub7ec\uacf3\uc744 \ub4a4\uc838\ubcf4\uc544\ub3c4 \uc18d\uc2dc\uc6d0\ud55c \ub2f5\uc744 \ucc3e\uc744 \uc218 \uc5c6\uc5c8\ub2e4.<\/p>\n
\ub2e8 \ud558\ub098, \ub611\uac19\uc740 \uc0c1\ud669\uc774 \uc788\uc5c8\ub294\ub370 \ub124\uc784\uc11c\ubc84 \uc124\uc815\uc774 \uc798\ubabb\ub418\uc788\ub294 \uacbd\uc6b0 \uadf8\ub7f0 \uc5d0\ub7ec\uac00 \ubc1c\uc0dd\ud55c\ub2e4\ub294 \uac83\ub9cc \uc54c \uc218 \uc788\uc5c8\ub2e4.<\/p>\n
\ud558\uc9c0\ub9cc \uc774\ubbf8 \ub124\uc784\uc11c\ubc84\ub294 \uc124\uc815\uc774 \uc815\uc0c1\uc801\uc73c\ub85c \ub418\uc5b4 \uc788\ub294 \uc0c1\ud669\uc774\uc5c8\uace0, \uac19\uc740 \ub124\uc784\uc11c\ubc84\ub97c \uc124\uc815\ud574\ub193\uc740 \ub2e4\ub978 \ubcf4\ud1b5\uc758 \uc11c\ubc84(\uc704\uc758 \uc2a4\ud06c\ub9bd\ud2b8\ub97c \uc801\uc6a9\uc2dc\ud0a4\uc9c0 \uc54a\uc740)\ub4e4\uc740 \uc544\ubb34 \ubb38\uc81c\uc5c6\uc774 \uc9c8\uc758\uac00 \uc774\ub8e8\uc5b4\uc9c0\ub294 \uc0c1\ud669\uc774\uc5c8\ub2e4.<\/p>\n
\ud55c\ucc38….\uc744 \ud5e4\uba58\ud6c4\uc5d0\uc57c \uadf8 \ud574\ub2f5\uc744 \uc54c \uc218 \uc788\uc5c8\ub294\ub370..<\/p>\n
\uadf8 \uc815\ub2f5\uc740 \ubc14\ub85c \ub2e4\uc74c\uc758 \ub77c\uc778\uc774\uc5c8\ub2e4.<\/p>\n
$IPTABLES -A INPUT -p udp –dport 53 -m state –state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p udp –dport 53 -m state –state NEW -j ACCEPT<\/p><\/blockquote>\n\ucc28\uc774\ub97c \uc54c\uaca0\ub294\uac00? \ubc14\ub85c \ud504\ub85c\ud1a0\ucf5c \uc124\uc815\ubd80\ubd84\uc774\uc5c8\ub2e4. \uae30\uc874\uc758 \uc2a4\ud06c\ub9bd\ud2b8\ub294 -p tcp \ub9cc\uc744 \uc635\uc158\uc73c\ub85c \ud558\uc600\uae30 \ub54c\ubb38\uc5d0 udp\uc758 \uacbd\uc6b0\ub294 \ubc29\ud654\ubcbd\uc5d0 \ucc28\ub2e8\ub2f9\ud588\ub358 \uac83\uc774\uc5c8\ub2e4.<\/p>\n
\ub298 \uadf8\ub807\ub2e4. \uc54c\uace0\ub098\uba74 \ubcc4\uac83\uc544\ub2cc\uac83. \uc5d0\ud6a8… \uc9c4\uc989\uc5d0 service \ud30c\uc77c\uc880 \uc0b4\ud3b4\ubcfc\uaec4… \ubcc4\uac83\uc544\ub2cc \uc5d0\ub7ec\uc5d0 \uc774\ub807\uac8c \uace4\ub780\uc744 \ub290\ub080\uac83\uc774 \ubd80\ub044\ub7fd\uae30\ub9cc \ud558\ub2e4.<\/p>\n","protected":false},"excerpt":{"rendered":"
\uc694\uc998 \uacf5\ubd80\ud558\uace0 \uc788\ub294 iptables \ub97c \uc774\uc6a9\ud55c \ubc29\ud654\ubcbd \uad6c\ucd95 \uad00\ub828\ud558\uc5ec… \ud55c\uac00\uc9c0 \ubb38\uc81c\uac00 \ub418\ub294 \ubd80\ubd84\uc774 \uc788\uc5c8\ub2e4. \uadf8\uac83\uc740 \ubc14\ub85c \ubc29\ud654\ubcbd\uc744 \uc124\uc815\ud558\uac8c \ub418\uba74 \uc774\uc0c1\ud558\uac8c \ub124\uc784\uc11c\ubc84 \uc9c8\uc758\uac00 \uc548\ub418\ub294 \uac83. \ubb38\uc81c\uc758 \ubc1c\ub2e8\uc740 \ub2e4\uc74c\uc758 \uc2a4\ud06c\ub9bd\ud2b8\ub97c \uc774\uc6a9\ud558\uc5ec \ubc29\ud654\ubcbd\uc744 \uc124\uc815\ud558\ub294 \uac83 \ubd80\ud130 \uc2dc\uc791\uc774\uc5c8\ub2e4. #!\/bin\/sh IPTABLES=\/sbin\/iptablesMODPROBE=\/sbin\/modprobe ### \uae30\uc874 \uaddc\uce59\uc744 \uc81c\uac70\ud558\uace0 … Continue reading