[t:/]$ Knowledge_

Saving and restoring a complex iptables rule set

2009/06/25

Playing around with network experiments, you end up doing all sorts of hacks with iptables.

And then, without noticing, I blow away the rules I had finally gotten working -_-;

Here is how to save and restore them. iptables-save writes every table (filter, nat, mangle) to stdout, chain policies and counters included; iptables-restore reads that format back and, for each table present in the file, flushes it and loads the new rules in one go (tables absent from the file are left untouched).

iptables-save > my.rules
iptables-restore < my.rules

Ah, easy -_-;

For those who have forgotten everything, for reference:

iptables -L  -> list rules (filter table only; add -t nat for the nat table, and -n -v --line-numbers to skip DNS lookups and see counters and rule positions)
iptables -F -> flush all rules in the filter table. Careful: -F deletes only the rules, the chain policies stay as they are, so with a DROP policy like the one below a remote session is cut off the moment you flush. Set the policies to ACCEPT first, so you do not end up phoning the IDC because you got disconnected mid-work -_-
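A way to make the save/restore step safe on a remote box, as an added example that is not part of the original post: it checks the dump's structure before touching the kernel, applies it with a rollback timer, and shows the flush order that does not lock you out. It assumes POSIX sh with awk, root privileges, and an iptables-restore new enough to have `--test` (1.4.x or later); the function names, the 60-second default and the `.keep` marker file are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original post): safe handling of iptables-save
# dumps on a remote host. Assumes POSIX sh + awk, root, iptables >= 1.4 (--test).

# Structural check of an iptables-save file: every *table must end in COMMIT
# and rules must sit inside a table. Prints problems; exit status 0 when clean.
check_rules_file() {
    awk '
        BEGIN { bad = 0 }
        /^\*/ {
            if (open != "") { print "table " open " has no COMMIT"; bad = 1 }
            open = substr($0, 2)
        }
        /^COMMIT$/ {
            if (open == "") { print "COMMIT outside a table, line " NR; bad = 1 }
            seen[open] = 1; open = ""
        }
        /^-A / && open == "" { print "rule outside a table, line " NR; bad = 1 }
        END {
            if (open != "") { print "table " open " has no COMMIT"; bad = 1 }
            # iptables-restore replaces only the tables present in the file;
            # a dump without *filter leaves the current filter rules in place.
            if (!("filter" in seen)) print "note: no *filter table in file"
            exit bad
        }' "$1"
}

# Apply a rules file, but restore the previous rule set automatically unless
# the operator confirms within $2 seconds (default 60). The timer runs under
# nohup so it survives the SSH session that the new rules may have just cut.
apply_with_rollback() {
    rules=$1
    secs=${2:-60}
    check_rules_file "$rules" || return 1
    iptables-restore --test < "$rules" || return 1   # parse only, no commit
    backup=$(mktemp) || return 1
    keep="$backup.keep"                               # marker = "keep new rules"
    iptables-save > "$backup"
    nohup sh -c "sleep $secs; [ -e '$keep' ] || iptables-restore < '$backup'" \
        >/dev/null 2>&1 &
    iptables-restore < "$rules"
    printf 'New rules are live; press Enter within %ss to keep them: ' "$secs"
    # If the session is gone, read fails, the marker never appears, and the
    # timer puts the old rules back.
    read -r _ && touch "$keep" && echo "kept; previous rules are in $backup"
}

# "iptables -F" deletes rules only; chain policies stay. With policy DROP that
# is an instant lockout, so open the policies first, then flush.
flush_to_open() {
    for chain in INPUT FORWARD OUTPUT; do
        iptables -P "$chain" ACCEPT
    done
    for table in filter nat mangle; do
        iptables -t "$table" -F
        iptables -t "$table" -X    # remove user-defined chains too
    done
}

# Usage (as root):
#   iptables-save > my.rules
#   apply_with_rollback my.rules 60
```

The rollback timer uses a marker file rather than killing a background process, so it behaves the same whether the shell that started it is still alive or was taken down with the connection.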

The following is a rule set for masquerading, with eth0 on the internal LAN (192.168.123.0/24) and eth1 on the external link, plus the transparent proxy redirect: TCP port 80 from the LAN is DNATed to a proxy on port 8080 (the author masked the octets of the public addresses in the dump with 메롱/뮥뮥). A few things to check before reusing it: the dump comes from iptables 1.3.8 and uses the old `-i ! lo` / `-p ! tcp` negation form, which newer versions warn about in favour of `! -i lo`; the INPUT rule that accepts everything addressed to the host's eth1 address exposes every listening service to the outside, since nothing in INPUT matches on port or connection state; and the LOG rules have no `-m limit`, so a scan can fill the log. The second DNAT line also sends TCP port 53 to the same port 8080 as HTTP, so whatever listens on 8080 must handle TCP DNS as well for that to work.

# Generated by iptables-save v1.3.8 on Mon Jun 15 14:27:22 2009
*nat
:PREROUTING ACCEPT [224:34237]
:POSTROUTING ACCEPT [42:3161]
:OUTPUT ACCEPT [42:3161]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 168.메롱.메롱.메롱:8080
-A PREROUTING -i eth0 -p tcp -m tcp --dport 53 -j DNAT --to-destination 168.메롱.메롱.메롱:8080
-A POSTROUTING -s 192.168.123.0/255.255.255.0 -o eth1 -j MASQUERADE
COMMIT
# Completed on Mon Jun 15 14:27:22 2009
# Generated by iptables-save v1.3.8 on Mon Jun 15 14:27:22 2009
*mangle
:PREROUTING ACCEPT [4654:3117570]
:INPUT ACCEPT [414:265373]
:FORWARD ACCEPT [4096:2828295]
:OUTPUT ACCEPT [286:31216]
:POSTROUTING ACCEPT [4384:2860018]
COMMIT
# Completed on Mon Jun 15 14:27:22 2009
# Generated by iptables-save v1.3.8 on Mon Jun 15 14:27:22 2009
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 127.0.0.0/255.0.0.0 -i ! lo -j LOG
-A INPUT -s 127.0.0.0/255.0.0.0 -i ! lo -j DROP
-A INPUT -d 255.255.255.255 -i eth0 -j ACCEPT
-A INPUT -s 192.168.123.0/255.255.255.0 -i eth0 -j ACCEPT
-A INPUT -d 224.0.0.0/240.0.0.0 -i eth0 -p ! tcp -j ACCEPT
-A INPUT -s 192.168.123.0/255.255.255.0 -i eth1 -j LOG
-A INPUT -s 192.168.123.0/255.255.255.0 -i eth1 -j DROP
-A INPUT -d 255.255.255.255 -i eth1 -j ACCEPT
-A INPUT -d 168.뮥뮥.뮥뮥.뮥뮥 -i eth1 -j ACCEPT
-A INPUT -d 168.219.185.255 -i eth1 -j ACCEPT
-A INPUT -d 224.0.0.1 -j DROP
-A INPUT -j LOG
-A INPUT -j DROP
-A FORWARD -s 192.168.123.0/255.255.255.0 -i eth0 -o eth1 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.123.0/255.255.255.0 -o eth1 -j LOG
-A FORWARD -d 192.168.123.0/255.255.255.0 -o eth1 -j DROP
-A FORWARD -d 224.0.0.1 -j DROP
-A FORWARD -j LOG
-A FORWARD -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -d 255.255.255.255 -o eth0 -j ACCEPT
-A OUTPUT -d 192.168.123.0/255.255.255.0 -o eth0 -j ACCEPT
-A OUTPUT -d 224.0.0.0/240.0.0.0 -o eth0 -p ! tcp -j ACCEPT
-A OUTPUT -d 192.168.123.0/255.255.255.0 -o eth1 -j LOG
-A OUTPUT -d 192.168.123.0/255.255.255.0 -o eth1 -j DROP
-A OUTPUT -d 255.255.255.255 -o eth1 -j ACCEPT
-A OUTPUT -s 168.뮥뮥.뮥뮥.뮥뮥 -o eth1 -j ACCEPT
-A OUTPUT -s 168.219.185.255 -o eth1 -j ACCEPT
-A OUTPUT -d 224.0.0.1 -j DROP
-A OUTPUT -j LOG
-A OUTPUT -j DROP
COMMIT
# Completed on Mon Jun 15 14:27:22 2009
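The points about the rule set above can be checked mechanically. The following awk-based audit is an added example, not something from the original post: given an iptables-save dump and the name of the external interface, it reports filter-table ACCEPT rules in INPUT on that interface that match no protocol or port, chains with policy DROP that have no state-matching rule, and LOG rules without `-m limit`. The function name and the wording of the findings are this example's own. Run against the dump above with eth1, it lists the three eth1 ACCEPT lines in INPUT, the INPUT and OUTPUT chains (FORWARD has its RELATED,ESTABLISHED rule), and all seven LOG rules.

```shell
#!/bin/sh
# Added example (not from the original post): audit an iptables-save dump.
# Usage: audit_rules my.rules eth1   (eth1 = external interface)
# Assumes POSIX sh + awk; works on the text dump only, never touches the kernel.
audit_rules() {
    awk -v ext="$2" '
        /^\*/ { table = substr($0, 2) }
        table != "filter" { next }                 # only the filter table matters here
        /^:/ {                                     # ":CHAIN POLICY [pkts:bytes]"
            split(substr($0, 2), f, " ")
            if (f[2] == "DROP") droppol[f[1]] = 1
        }
        /^-A / {
            chain = $2
            # "-m state" (any spelling of its option) or conntrack = stateful rule
            if ($0 ~ /-m state|conntrack/) stateful[chain] = 1
            if ($0 ~ /-j LOG/ && $0 !~ /-m limit/)
                print "rate-unlimited LOG in " chain ": " $0
            # ACCEPT on the external interface with no -p/--dport/state match:
            # every listening service on that address is reachable.
            if (chain == "INPUT" && $0 ~ /-j ACCEPT/ && $0 ~ ("-i " ext " ") &&
                $0 !~ /-p |--dport|-m state|conntrack/)
                print "INPUT accepts all protocols/ports on " ext ": " $0
        }
        END {
            for (c in droppol)
                if (!(c in stateful))
                    print "chain " c " has policy DROP but no RELATED,ESTABLISHED rule"
        }' "$1"
}
```

The findings are printed one per line so they can be piped into grep or diffed between two saved dumps; the audit itself always exits 0 so it can sit in a pipeline.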




[t:/] is not "technology - root". dawnsea