<h1>Checking the iptables configuration</h1>
<p>Published 2013-10-31 (JST) at <a href="https://www.united-bears.co.jp/blog/archives/1731">https://www.united-bears.co.jp/blog/archives/1731</a>.</p>
<p>In <a href="https://www.united-bears.co.jp/blog/archives/1506" target="_blank">the post before last</a> and <a href="https://www.united-bears.co.jp/blog/archives/1721" target="_blank">the previous post</a> we designed and configured iptables/ip6tables. This post verifies that the iptables/ip6tables configuration is actually in effect.</p>
<p>Every check below is run as root (after su).</p>
<p><strong>Targets</strong><br />
Internal server<br />
External server<br />
<strong>OS</strong><br />
CentOS release 5.10</p>
<h2>Checking the iptables/ip6tables rule listing</h2>
<p>The rules were listed by running iptables/ip6tables with the verbose option (-v), which adds the in/out interface columns and the packet and byte counters, the list option (-L), which lists the rules of every chain in the table, and the numeric option (-n), which prints addresses and ports as numbers instead of resolving them (resolving every listed address through reverse DNS is slow and leaks queries). If the interface columns are not needed, the init script's status action (service iptables status) prints the same listing.</p>
<p>Two things to keep in mind when reading the output. Without -t the listing covers only the filter table; the nat and mangle tables have to be listed separately with -t nat and -t mangle. The pkts counters show which rules are actually matching: in the IPv4 listing below almost all traffic is accepted by the RELATED,ESTABLISHED rule, a handful of packets open new connections to the one permitted port, and everything else falls through to the final REJECT. A rule whose counter never moves may be shadowed by an earlier rule. Note also that the INPUT chain's policy is ACCEPT: the host is protected only by the REJECT rule at the end of RH-Firewall-1-INPUT, so if that chain is ever flushed (for example by service iptables stop) every port becomes reachable.</p>
<p>If the listing matches the designed configuration, all is well. The output below has been reformatted so that it is easier to read in a browser.</p>
<h3>IPv4 configuration check</h3>
<pre style="font-size:70%">
[root@server ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target               prot opt in out source    destination
1069K  120M RH-Firewall-1-INPUT  all  --  *  *   0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target               prot opt in out source    destination
    0     0 RH-Firewall-1-INPUT  all  --  *  *   0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT 1392K packets, 1591M bytes)
 pkts bytes target prot opt in out source destination

Chain RH-Firewall-1-INPUT (2 references)
 pkts bytes target prot opt in out source    destination
26836   13M ACCEPT all  --  lo *   0.0.0.0/0 0.0.0.0/0
 1971  116K ACCEPT icmp --  *  *   0.0.0.0/0 0.0.0.0/0 icmp type 255
    0     0 ACCEPT esp  --  *  *   0.0.0.0/0 0.0.0.0/0
    0     0 ACCEPT ah   --  *  *   0.0.0.0/0 0.0.0.0/0
    0     0 ACCEPT udp  --  *  *   0.0.0.0/0 224.0.0.251 udp dpt:5353
 961K  102M ACCEPT all  --  *  *   0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
   14   728 ACCEPT tcp  --  *  *   0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:[port]
10294 1253K REJECT all  --  *  *   0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
</pre>
<h3>IPv6 configuration check</h3>
<p>The IPv6 counters show that nothing except loopback and ICMPv6 traffic has arrived, which is consistent with the hosts having only link-local addresses (see the nmap section below).</p>
<pre style="font-size:70%">
[root@server ~]# ip6tables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target               prot opt in out source destination
   57  5672 RH-Firewall-1-INPUT  all      *  *   ::/0   ::/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target               prot opt in out source destination
    0     0 RH-Firewall-1-INPUT  all      *  *   ::/0   ::/0

Chain OUTPUT (policy ACCEPT 57 packets, 5704 bytes)
 pkts bytes target prot opt in out source destination

Chain RH-Firewall-1-INPUT (2 references)
 pkts bytes target prot opt in  out source destination
   38  3952 ACCEPT all      lo  *   ::/0   ::/0
   19  1720 ACCEPT icmpv6   *   *   ::/0   ::/0
    0     0 ACCEPT esp      *   *   ::/0   ::/0
    0     0 ACCEPT ah       *   *   ::/0   ::/0
    0     0 ACCEPT udp      *   *   ::/0   ff02::fb/128 udp dpt:5353
    0     0 ACCEPT all      *   *   ::/0   ::/0 state RELATED,ESTABLISHED
    0     0 ACCEPT tcp      *   *   ::/0   ::/0 state NEW tcp dpt:[port]
    0     0 REJECT all      *   *   ::/0   ::/0 reject-with icmp6-adm-prohibited
</pre>
<h2>Checking from outside with nmap</h2>
<p>To confirm from outside that the rules are really in effect, use nmap. nmap is a widely used port scanner that, besides scanning ports, can also identify the OS in use and the versions of the applications behind the open ports.</p>
<p>Never port scan hosts you do not administer. A port scan is the reconnaissance step that precedes an attack, and the owner of the scanned host may well treat it as an attack attempt.</p>
<h3>IPv4 configuration check</h3>
<p>For IPv4 no special options are needed; scanning ports 1 to 65535 covers everything. Note that without -sU this is a TCP-only scan (a SYN scan when nmap runs as root, a connect scan otherwise), so the UDP 5353 rule in the listing above is not exercised by it.</p>
<pre>
nmap -p1-65535 [host]
</pre>
<p>The result:</p>
<pre>
Starting Nmap 5.51 ( http://nmap.org ) at 2013-10-30 17:01 JST
Nmap scan report for [host] ([host ip address])
Host is up (0.060s latency).
Not shown: 65531 filtered ports
PORT      STATE SERVICE
[port]/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 245.11 seconds
</pre>
<p>Every port other than the one opened in iptables is reported as filtered rather than closed. That is the final REJECT rule at work: it answers with icmp-host-prohibited (ICMP destination unreachable, code 10), and nmap classifies that reply as a filter. A port would only show as closed if the REJECT rule were missing and the ACCEPT policy let the probe reach the kernel's TCP stack, which answers with a RST.</p>
<p>Adding the -A option turns on OS detection, version detection, the default script set and traceroute, so nmap also guesses the OS in use and the versions of the running applications. Here the port opened in iptables was identified as being served by OpenSSH 4.X.</p>
<pre>
nmap -A -p[port] [host]

Starting Nmap 5.51 ( http://nmap.org ) at 2013-10-30 17:12 JST
Nmap scan report for [host] ([host ip address])
Host is up (0.016s latency).
PORT      STATE SERVICE VERSION
[port]/tcp open  ssh     OpenSSH 4.X (protocol 2.0)
| ssh-hostkey: 1024 xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx (DSA)
|_2048 xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx (RSA)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|specialized|WAP|storage-misc
Running (JUST GUESSING): Linux 2.6.X|2.4.X (91%), Crestron 2-Series (90%), Netgear embedded (90%), IBM embedded (89%), Ruckus embedded (89%), TP-Link embedded (89%), Linksys Linux 2.4.X (89%), Asus Linux 2.6.X (89%)
Aggressive OS guesses: Linux 2.6.9 - 2.6.18 (91%), Crestron XPanel control system (90%), Netgear DG834G WAP (90%), Linux 2.6.9 (89%), IBM System Storage DS4700 NAS device (89%), Linux 2.6.18 (89%), Linux 2.6.21 (89%), Linux 2.6.22 (89%), Linux 2.6.28 (Gentoo) (89%), Linux 2.6.5 (SUSE Enterprise Server 9) (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 13 hops

TRACEROUTE (using port [port]/tcp)
HOP RTT      ADDRESS
1   1.81 ms  ...
2   5.95 ms  ...
...
13  15.83 ms [host] ([host ip address])

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.03 seconds
</pre>
<p>The OSScan warning is the same REJECT rule again: OS fingerprinting needs one open and one closed port, and this host never reveals a closed one, so the OS guess is low-confidence ("test conditions non-ideal"). The service version and the host key fingerprints, on the other hand, come straight from the SSH banner and key exchange on the open port and are reliable.</p>
<h3>IPv6 configuration check</h3>
<p>As described in <a href="https://www.united-bears.co.jp/blog/archives/1721" target="_blank">the previous post</a>, the servers have only link-local IPv6 addresses, so they could not be scanned from outside. In addition, the nmap that can be installed on these servers is old (IPv6 support became complete in version 6), so the IPv6 scan will be done once an IPv6 environment is in place.</p>
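<p>The two checks this post describes (comparing the -nvL listing with the designed rule set, and comparing nmap's view of the host with it) can be scripted so that they are repeatable after every change. The shell script below is an added example, not code from the original post or from the CentOS iptables tooling: it extracts from an iptables/ip6tables -nvL listing the TCP ports accepted for state NEW and the target of the last rule in RH-Firewall-1-INPUT, extracts the open ports from a normal-format nmap report, and compares both against a designed port list. The sample listing and nmap report embedded at the bottom are constructed from the output shown above, with port 22 assumed in place of the post's redacted [port]; on a real host, pipe live iptables -nvL and nmap output into the same functions.</p>

```shell
#!/bin/sh
# Added example, not code from the original post: cross-check the designed set of
# TCP ports against (1) the rules `iptables -nvL` actually lists as ACCEPT for
# state NEW and (2) the ports nmap reported open from outside. On a real host,
# pipe real output in:  iptables -nvL | listed_new_tcp_ports
#                       nmap -p1-65535 host | nmap_open_tcp_ports
# Assumption: the post redacts its one open port as [port]; 22 is used here.

DESIGNED_TCP_PORTS="22"

# TCP destination ports ACCEPTed for state NEW in an iptables/ip6tables -nvL
# listing read from stdin. The port is located by its "dpt:" token rather than
# by column, because ip6tables leaves the "opt" column empty and shifts fields.
listed_new_tcp_ports() {
    awk '$3 == "ACCEPT" && $4 == "tcp" && /state NEW/ {
        for (i = 1; i <= NF; i++)
            if ($i ~ /^dpt:[0-9]+$/) { sub(/^dpt:/, "", $i); print $i }
    }' | sort -n | uniq
}

# Target of the last rule in chain $1 of a -nvL listing on stdin ("" if empty).
# Rule rows start with the pkts and bytes counters, which may carry K/M/G suffixes.
last_target_in_chain() {
    awk -v chain="$1" '
        /^Chain / { in_chain = ($2 == chain); next }
        in_chain && $1 ~ /^[0-9]+[KMGT]?$/ && $2 ~ /^[0-9]+[KMGT]?$/ { last = $3 }
        END { print last }'
}

# TCP ports nmap reported "open" in a normal-format report read from stdin.
nmap_open_tcp_ports() {
    awk '$1 ~ "^[0-9]+/tcp$" && $2 == "open" { sub("/tcp$", "", $1); print $1 }' |
        sort -n | uniq
}

# Run all checks on a listing ($1) and an nmap report ($2). Prints one line per
# check; returns 1 if any check failed.
verify_firewall() {
    listing=$1; report=$2; status=0
    designed=$(printf '%s\n' $DESIGNED_TCP_PORTS | sort -n | uniq)
    listed=$(printf '%s\n' "$listing" | listed_new_tcp_ports)
    scanned=$(printf '%s\n' "$report" | nmap_open_tcp_ports)
    last=$(printf '%s\n' "$listing" | last_target_in_chain RH-Firewall-1-INPUT)

    if [ "$listed" = "$designed" ]; then
        echo "ok: rules accept NEW only on designed TCP ports: $(echo $designed)"
    else
        echo "FAIL: rules accept NEW on [$(echo $listed)], designed [$(echo $designed)]"; status=1
    fi
    if [ "$scanned" = "$designed" ]; then
        echo "ok: nmap sees exactly the designed ports open"
    else
        echo "FAIL: nmap sees [$(echo $scanned)] open, designed [$(echo $designed)]"; status=1
    fi
    # The INPUT policy in the post's listing is ACCEPT, so the host is protected
    # only by the final REJECT in RH-Firewall-1-INPUT; make sure it is still there.
    if [ "$last" = "REJECT" ] || [ "$last" = "DROP" ]; then
        echo "ok: RH-Firewall-1-INPUT ends in $last"
    else
        echo "FAIL: RH-Firewall-1-INPUT ends in '$last', not REJECT/DROP"; status=1
    fi
    return $status
}

# Constructed sample inputs (modelled on the post's output, with port 22 assumed).
SAMPLE_LISTING=$(cat <<'EOF'
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target               prot opt in out source    destination
1069K  120M RH-Firewall-1-INPUT  all  --  *  *   0.0.0.0/0 0.0.0.0/0

Chain RH-Firewall-1-INPUT (2 references)
 pkts bytes target prot opt in out source    destination
26836   13M ACCEPT all  --  lo *   0.0.0.0/0 0.0.0.0/0
 1971  116K ACCEPT icmp --  *  *   0.0.0.0/0 0.0.0.0/0 icmp type 255
    0     0 ACCEPT udp  --  *  *   0.0.0.0/0 224.0.0.251 udp dpt:5353
 961K  102M ACCEPT all  --  *  *   0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
   14   728 ACCEPT tcp  --  *  *   0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
10294 1253K REJECT all  --  *  *   0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
EOF
)
SAMPLE_NMAP=$(cat <<'EOF'
Starting Nmap 5.51 ( http://nmap.org ) at 2013-10-30 17:01 JST
Nmap scan report for host.example (192.0.2.10)
Host is up (0.060s latency).
Not shown: 65534 filtered ports
PORT   STATE SERVICE
22/tcp open  ssh

Nmap done: 1 IP address (1 host up) scanned in 245.11 seconds
EOF
)

verify_firewall "$SAMPLE_LISTING" "$SAMPLE_NMAP"
```

<p>Run it as a script to see the three checks pass on the sample data. The chain-tail check is there because the INPUT policy is ACCEPT, so a flushed or truncated chain is the failure mode worth detecting first. Because nmap reports rejected ports as filtered, only the open set is compared: a designed port that nmap reports closed means the rule is in place but no service is listening, while filtered points at a filter somewhere upstream.</p>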