\ud83d\udc49\ud83c\udffb \ub9ac\ub205\uc2a4\uc5d0\uc11c \ubc29\ud654\ubcbd\uc740 iptables\ub97c \uc0ac\uc6a9\ud569\ub2c8\ub2e4.
In Linux, the firewall uses iptables.<\/p>\n\n\n\n
\ud83d\udc49\ud83c\udffb \uc6b0\ubd84\ud22c24.04\uc5d0\uc11c\ub294 nftables\ub97c \uae30\ubcf8\uc73c\ub85c \uc0ac\uc6a9\ud569\ub2c8\ub2e4. \ubb3c\ub860 iptables\ub97c \uc0ac\uc6a9 \ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4.
Ubuntu 24.04 uses nftables by default. You can of course use iptables.<\/p>\n\n\n\n
\ud83d\udc49\ud83c\udffb \ub9ce\uc740 \ubd84\ub4e4\uc774 \ub3c4\ucee4\ub97c \uc0ac\uc6a9\ud558\uace0 \uc788\uace0 \ub3c4\ucee4\uac00 \ucee8\ud14c\uc774\ub108 \uc0ac\uc6a9\uc2dc iptables\ub97c \uc218\uc815\ud569\ub2c8\ub2e4.
Many people use Docker, and Docker modifies iptables when using containers.<\/p>\n\n\n\n
\ud83d\udc49\ud83c\udffb \ub3c4\ucee4\uc5d0\uc11c nftables\ub294 \uc2e4\ud5d8\uc801\uc778 \uae30\ub2a5\ub9cc \uc81c\uacf5\ud558\uace0 \uc815\uc2dd\uc73c\ub85c \uc0ac\uc6a9\ub418\uace0 \uc788\uc9c0 \uc54a\uc2b5\ub2c8\ub2e4.
In Docker, nftables provides only experimental features and is not officially used.<\/p>\n\n\n\n
\ud83d\udc49\ud83c\udffb \uadf8\ub798\uc11c \uc77c\ub2e8 iptables\uc5d0 \ub300\ud574\uc11c \uacf5\ubd80\ub97c \ud558\uace0 \ub098\uc911\uc5d0 \ub2e4\uc2dc nftables\uc5d0 \ub300\ud574\uc11c \uacf5\ubd80\ud558\uc2dc\uba74 \ub420\uac83 \uac19\uc2b5\ub2c8\ub2e4.
So, I think it would be good to study iptables first and then study nftables later.<\/p>\n\n\n\n
\ud83d\udc49\ud83c\udffb UFW\ub294 iptables\ub098 nftables\uc758 \ud504\ub860\ud130 \uc5d4\ub4dc \uac1c\ub150\uc785\ub2c8\ub2e4. \uc27d\uac8c \ubc29\ud654\ubcbd\uc744 \uc124\uc815\ud574 \uc8fc\ub294 \ub3c4\uad6c\ub77c\uace0 \uc0dd\uac01\ud558\uc2dc\uba74 \ub429\ub2c8\ub2e4.
UFW is a front-end concept for iptables and nftables. Think of it as a tool that makes it easy to configure a firewall.<\/p>\n\n\n\n
\ud83d\udc49\ud83c\udffb UFW\uac00 \uc798\ub418\ub294 \uacbd\uc6b0\ub3c4 \uc788\uc9c0\ub9cc \ub3c4\ucee4\ub97c \uc0ac\uc6a9\ud558\ub294 \uacbd\uc6b0 UFW\uc5d0\uc11c \ucc28\ub2e8\ud574\ub3c4 \ud3ec\ud2b8\uac00 \uc678\ubd80\uc5d0\uc11c \uc811\uc18d\uc774 \uac00\ub2a5\ud558\ub2e4\ub358\uac00 \ud3ec\ud2b8\uac00 \uc5f4\ub9ac\uc9c0 \uc54a\ub294\ub2e4\ub358\uac00 \ud558\ub294 \ubcf4\uc548\uc774\uc288\uac00 \uc788\uc2b5\ub2c8\ub2e4.
Although UFW may work well in some cases, when using Docker, there are security issues such as ports being accessible from the outside or ports not being opened even when blocked by UFW.<\/p>\n\n\n\n
\ud83d\udc49\ud83c\udffb \uadf8\ub798\uc11c UFW\uac00 \uc0ac\uc6a9\uac00\ub2a5\ud558\uba74 UFW\ub97c \uc0ac\uc6a9\ud558\uc2dc\uace0 \ub9cc\uc57d\uc5d0 \ubb38\uc81c\uac00 \ubc1c\uc0dd\ud558\uc2dc\uba74 UFW\ub294 disable\ud558\uace0 iptables\uc4f0\uc2dc\uba74 \ub420\uac83 \uac19\uc2b5\ub2c8\ub2e4
So, if UFW is available, use UFW. If you encounter any problems, disable UFW and use iptables.<\/p>\n\n\n\n
\ud83d\udc49\ud83c\udffb \ub3c4\ucee4\uc758 \ud3ec\ud2b8 \uc678\ubd80\uc811\uc18d\uacfc \uad00\ub828\ub41c \ubcf4\uc548 \uc774\uc288\uc5d0 \ub300\ud574\uc11c \uc81c\uac00 \ub300\uc751\ud558\ub294 \ubc29\ubc95\uc740 \ub530\ub85c \uc18c\uac1c\ud558\uaca0\uc2b5\ub2c8\ub2e4.
I will separately introduce how I deal with security issues related to external access to Docker ports.<\/p>\n\n\n\n
\ud83d\udc49\ud83c\udffb \uc544\ub798\ub294 \uac00\uc7a5 \ub9ce\uc774 \uc0ac\uc6a9\ub418\ub294 iptables\uc0ac\uc6a9 \ubc29\ubc95\uc785\ub2c8\ub2e4.
Below are the most commonly used iptables usage methods.<\/p>\n\n\n\n
\u2714\ufe0f iptables persistant\uc124\uce58(\uc124\uce58\ub418\uc5b4 \uc788\uc9c0 \uc54a\uc740 \uacbd\uc6b0)
Install iptables persistant (if not already installed)<\/p>\n\n\n\n
— iptables\ub294 \uc14b\ud305 \ud6c4 \uc11c\ubc84\uac00 \uc7ac\ubd80\ud305\ub418\uba74 \ucd08\uae30\ud654 \ub418\uae30 \ub54c\ubb38\uc5d0 iptables persistant\ub97c \ud1b5\ud574\uc11c \uc124\uc815\uc744 \uc800\uc7a5 \ud574\uc57c \ud569\ub2c8\ub2e4.
Since iptables is initialized when the server is rebooted after setting, you must save the settings through iptables persistant.<\/p>\n\n\n\n
sudo apt update\nsudo apt install iptables-persistent<\/code><\/pre>\n\n\n\n\u2714\ufe0f \ubc29\ud654\ubcbd \uc124\uc815\ubcf4\uae30
View firewall settings<\/p>\n\n\n\n
sudo iptables -L INPUT --line-numbers -v -n<\/code><\/pre>\n\n\n\n–\uc635\uc158\ubcc4 \uc0c1\uc138 \uc758\ubbf8 \/ Detailed meaning of each option
-L INPUT (List):
INPUT \uccb4\uc778\uc5d0 \ub4f1\ub85d\ub41c \uaddc\uce59\ub4e4\ub9cc \ub9ac\uc2a4\ud2b8 \ud615\ud0dc\ub85c \ubcf4\uc5ec\ub2ec\ub77c\ub294 \ub73b\uc785\ub2c8\ub2e4. (\uc9c0\uc815\ud558\uc9c0 \uc54a\uc73c\uba74 \ubaa8\ub4e0 \uccb4\uc778 \ucd9c\ub825)
This means that only rules registered in the INPUT chain will be displayed in list form. (If not specified, all chains will be displayed.)
–line-numbers:
\uac01 \uaddc\uce59\uc758 \ub9e8 \uc55e\uc5d0 \ud589 \ubc88\ud638(1, 2, 3\u2026)<\/strong>\ub97c \ubd99\uc5ec\uc90d\ub2c8\ub2e4. \ub098\uc911\uc5d0 \ud2b9\uc815 \uaddc\uce59\uc744 \uc0ad\uc81c(-D)\ud558\uac70\ub098 \ud2b9\uc815 \uc704\uce58\uc5d0 \uc0bd\uc785(-I)\ud560 \ub54c \uc774 \ubc88\ud638\uac00 \uaf2d \ud544\uc694\ud569\ub2c8\ub2e4.
Add a line number (1, 2, 3\u2026) to the beginning of each rule. This number is essential when you later delete (-D) or insert (-I) a specific rule at a specific location.
-v (Verbose):
‘\uc0c1\uc138\ud788’ \ucd9c\ub825\ud558\ub77c\ub294 \uc635\uc158\uc785\ub2c8\ub2e4. \ub2e8\uc21c\ud788 \uaddc\uce59\ub9cc \ubcf4\uc5ec\uc8fc\ub294 \uac8c \uc544\ub2c8\ub77c, \ud574\ub2f9 \uaddc\uce59\uc5d0 \uac78\ub824 \ud1b5\uacfc\ud558\uac70\ub098 \ucc28\ub2e8\ub41c \ud328\ud0b7 \uc218(pkts)<\/strong>\uc640 \ub370\uc774\ud130 \uc591(bytes)<\/strong>\uae4c\uc9c0 \ubcf4\uc5ec\uc90d\ub2c8\ub2e4.
This option displays “detailed” output. It doesn’t simply display the rule, but also shows the number of packets (pkts) and the amount of data (bytes) that passed or were blocked by the rule.
-n (Numeric):
\uc8fc\uc18c\uc640 \ud3ec\ud2b8\ub97c \uc774\ub984(localhost, http \ub4f1)\uc774 \uc544\ub2cc \uc22b\uc790(127.0.0.1, 80 \ub4f1)<\/strong>\ub85c \ud45c\uc2dc\ud569\ub2c8\ub2e4. DNS \uc870\ud68c\ub97c \uc0dd\ub7b5\ud558\uae30 \ub54c\ubb38\uc5d0 \uacb0\uacfc\uac00 \ud6e8\uc52c \ube60\ub974\uac8c \ucd9c\ub825\ub429\ub2c8\ub2e4.
Display addresses and ports as numbers (e.g., 127.0.0.1, 80) rather than names (e.g., localhost, http). This skips the DNS lookup, resulting in much faster results.<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n\u2714\ufe0f \ubc29\ud654\ubcbd \uc804\uccb4 \uc124\uc815 \ubcf4\uae30<\/p>\n\n\n\n
# \uc124\uc815\ub41c \ubaa8\ub4e0 \uaddc\uce59\uc744 \uba85\ub839\uc5b4 \ud615\ud0dc\ub85c \ucd9c\ub825 (\uac00\uc7a5 \uba85\ud655\ud568)\n# Print all set rules in command form (most clear)\n\nsudo iptables -S \n\n# \ub610\ub294 or\n\n# \ubaa8\ub4e0 \uccb4\uc778(INPUT, FORWARD, OUTPUT \ub4f1)\uc744 \ud45c \ud615\ud0dc\ub85c \ucd9c\ub825\n# Print all chains (INPUT, FORWARD, OUTPUT, etc.) in table format\n\nsudo iptables -L -v -n --line-numbers <\/code><\/pre>\n\n\n\n\u2714\ufe0f iptables\uc5d0\uc11c \uae30\ubcf8\uc124\uc815\ud558\uae30 \uc804\uc5d0 \uba3c\uc800 \uc124\uc815\ud574\uc57c \ud558\ub294 \uac83
What you need to set first before setting the default settings in iptables<\/p>\n\n\n\n
— iptables\ub294 \uc21c\uc11c\uac00 \ub9e4\uc6b0 \uc911\uc694\ud558\ubbc0\ub85c 1\ubc88\uacfc2\ubc88\uc5d0 \uc544\ub798\uc758 \uaddc\uce59\uc744 \ucd94\uac00\ud569\ub2c8\ub2e4.
Since the order is very important in iptables, add the rules below to 1 and 2.<\/p>\n\n\n\n
— \uc9c0\uae08 \uc811\uc18d\ub41c \uc5f0\uacb0\ud5c8\uc6a9 \ubc0f \ub85c\uceec\ud638\uc2a4\ud2b8 \uc811\uc18d \ud5c8\uc6a9\uc124\uc815\uc785\ub2c8\ub2e4.
These are the settings to allow currently connected connections and allow local host access.<\/p>\n\n\n\n
# \uc774\ubbf8 \uc5f0\uacb0\ub41c \uc0c1\ud0dc\uc774\uac70\ub098 \uad00\ub828\ub41c \ud328\ud0b7\uc740 \ubb34\uc870\uac74 \ud1b5\uacfc (DNS \uc751\ub2f5, \ud328\ud0a4\uc9c0 \uc5c5\ub370\uc774\ud2b8 \ub4f1)\n# Packets that are already connected or related are unconditionally passed (DNS responses, package updates, etc.)\n\nsudo iptables -I INPUT 1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\nsudo iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n\n# \ub85c\uceec\ud638\uc2a4\ud2b8(127.0.0.1) \ud1b5\uc2e0 \ud5c8\uc6a9 (\uc774\uac8c \uc5c6\uc73c\uba74 \ub0b4\ubd80 DB \uc5f0\uacb0 \ub4f1\uc774 \ub04a\uae38 \uc218 \uc788\uc74c)\n# Allow communication with localhost (127.0.0.1) (without this, internal DB connection, etc. may be disconnected)\n\nsudo iptables -I INPUT 2 -i lo -j ACCEPT<\/code><\/pre>\n\n\n\n\u2714\ufe0f \uc11c\ube44\uc2a4 \ud3ec\ud2b8 \uc624\ud508
Service port open<\/p>\n\n\n\n
— ssh,http,https\uc124\uc815\uc785\ub2c8\ub2e4.
These are ssh, http, and https settings.<\/p>\n\n\n\n
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT\nsudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT\nsudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT<\/code><\/pre>\n\n\n\n— \uc6b0\uc120\uc21c\uc704\ub97c \uc9c0\uc815\ud574\uc11c \uc124\uc815\ud558\uae30(7\ubc88\uc5d0 \uaddc\uce59\uc785\ub825,\ub098\uba38\uc9c0\ub294 \ubc88\ud638\uac00 \ubc00\ub9bc)
Set by specifying priority (enter rule in number 7, the rest are numbered backwards)<\/p>\n\n\n\n
sudo iptables -I INPUT 7 -p tcp --dport 3000 -j ACCEPT<\/code><\/pre>\n\n\n\n\u2714\ufe0f \uaddc\uce59 \uc0ad\uc81c \/ Delete rule<\/p>\n\n\n\n
sudo iptables -D [\uccb4\uc778\uba85 \/ Chain name] [\uaddc\uce59\ubc88\ud638 \/ rule number]<\/code><\/pre>\n\n\n\nsudo iptables -D INPUT 7<\/code><\/pre>\n\n\n\n\u2714\ufe0f iptables \uae30\ubcf8\uc815\ucc45\uc744 \ucc28\ub2e8(Drop)\uc73c\ub85c\uc124\uc815(\uc6b0\uc120 \uc21c\uc704\uc5d0 \uc801\uc6a9 \ubc1b\uc9c0 \uc54a\uc74c)
Set the iptables default policy to Block (Drop) (not subject to priority)<\/p>\n\n\n\n
— iptables\ub294 \uae30\uc874\uc815\ucc45\uc744 \ubaa8\ub450 \ud5c8\uc6a9\uc124\uc815\ub418\uc5b4\uc788\uc2b5\ub2c8\ub2e4.
iptables is set to allow all existing policies.<\/p>\n\n\n\n
— \uc704\uc640 \uac19\uc774 \ud5c8\uc6a9\uc124\uc815\uc744\ud558\uace0 \ub2e4\uc74c\uacfc \uac19\uc774 \uae30\ubcf8\uc124\uc815\uc744 \ucc28\ub2e8\uc73c\ub85c \uc124\uc815\ud558\uba74 \ub2e4\ub978 \ud3ec\ud2b8\ub294 \ubaa8\ub450 \ub9c9\ud799\ub2c8\ub2e4.
If you set the allow setting as above and block the default setting as below, all other ports will be blocked.<\/p>\n\n\n\n
sudo iptables -P INPUT DROP\nsudo iptables -P FORWARD DROP\nsudo iptables -P OUTPUT ACCEPT<\/code><\/pre>\n\n\n\n\u2714\ufe0f \uc124\uc815 \uacb0\uacfc \/ Setting result<\/p>\n\n\n\n
[ubuntu@...]$ sudo iptables -L INPUT --line-numbers -n -v\n\nChain INPUT (policy DROP 60 packets, 3344 bytes)\nnum pkts bytes target prot opt in out source destination \n1 2708 236K ACCEPT 0 -- * * 0.0.0.0\/0 0.0.0.0\/0 ctstate RELATED,ESTABLISHED\n2 8 844 ACCEPT 0 -- lo * 0.0.0.0\/0 0.0.0.0\/0 \n3 140K 18M ACCEPT 6 -- * * 0.0.0.0\/0 0.0.0.0\/0 tcp dpt:3306\n4 1008K 137M ACCEPT 6 -- * * 0.0.0.0\/0 0.0.0.0\/0 tcp dpt:22\n5 2728 130K ACCEPT 6 -- * * 0.0.0.0\/0 0.0.0.0\/0 tcp dpt:443\n6 350 17148 ACCEPT 6 -- * * 0.0.0.0\/0 0.0.0.0\/0 tcp dpt:8000\n7 847 39538 ACCEPT 6 -- * * 0.0.0.0\/0 0.0.0.0\/0 tcp dpt:3000<\/code><\/pre>\n\n\n\n\u2714\ufe0f \uaddc\uce59\uc800\uc7a5 \/ save rule<\/p>\n\n\n\n
sudo netfilter-persistent save<\/code><\/pre>\n\n\n\n\u2b50\ufe0f \ud2b9\uc815 \uc544\uc774\ud53c \uc8fc\uc18c \ucc28\ub2e8\ud558\uae30
Block specific IP addresses<\/p>\n\n\n\n
iptables -A INPUT -s 192.168.1.100 -j DROP<\/code><\/pre>\n\n\n\n\ud83d\udc49\ud83c\udffb iptables \uc124\uc815 \ud615\uc2dd
iptables configuration format<\/p>\n\n\n\n
\u2714\ufe0f \uae30\ubcf8 \uac1c\ub150 \/ basic concepts<\/p>\n\n\n\n
–iptables\ub294 \ud2b8\ub798\ud53d\uc774 \uc774\ub3d9\ud558\ub294 \uacbd\ub85c\uc5d0 \ub530\ub77c \uccb4\uc778(Chain)<\/strong>\uc774\ub77c\ub294 \ub2e8\uacc4\ub85c \uad6c\ubd84\ud569\ub2c8\ub2e4.
iptables divides traffic into steps called chains based on the path it takes.<\/p>\n\n\n\nINPUT:
\uc11c\ubc84\ub85c \ub4e4\uc5b4\uc624\ub294 \ud328\ud0b7 (\uac00\uc7a5 \ub9ce\uc774 \uc124\uc815\ud568)
Packets coming into the server (most commonly set)
FORWARD:
\uc11c\ubc84\ub97c \uac70\uccd0 \ub2e4\ub978 \uacf3\uc73c\ub85c \uac00\ub294 \ud328\ud0b7 (\ub77c\uc6b0\ud130 \uc5ed\ud560 \uc2dc \uc0ac\uc6a9)
Packets that pass through the server to go somewhere else (used when acting as a router)
OUTPUT:
\uc11c\ubc84\uc5d0\uc11c \ub098\uac00\ub294 \ud328\ud0b7
packets leaving the server<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n\u2714\ufe0f \uae30\ubcf8 \uba85\ub839\uc5b4 \uad6c\uc870 \/ Basic command structure<\/p>\n\n\n\n
–\uba85\ub839\uc5b4\ub294 \ubcf4\ud1b5 \ub2e4\uc74c\uacfc \uac19\uc740 \ud615\uc2dd\uc744 \ub530\ub985\ub2c8\ub2e4. iptables [\ud14c\uc774\ube14] [\ub3d9\uc791] [\uccb4\uc778] [\ub9e4\uce6d \uc870\uac74] [\ud0c0\uac9f]
Commands usually follow this format: iptables [table] [action] [chain] [matching condition] [target]<\/p>\n\n\n\n\ub3d9\uc791: -A(\ucd94\uac00), -D(\uc0ad\uc81c), -L(\ub9ac\uc2a4\ud2b8 \ud655\uc778)
Actions: -A (add), -D (delete), -L (check list)
\ub9e4\uce6d \uc870\uac74: -p(\ud504\ub85c\ud1a0\ucf5c), –dport(\ud3ec\ud2b8 \ubc88\ud638), -s(\ucd9c\ubc1c\uc9c0 IP)
Matching conditions: -p (protocol), –dport (port number), -s (source IP)
\ud0c0\uac9f: -j ACCEPT(\ud5c8\uc6a9), -j DROP(\ucc28\ub2e8), -j REJECT(\uac70\uc808 \ud6c4 \uc751\ub2f5)
Target: -j ACCEPT, -j DROP, -j REJECT<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n\u2714\ufe0f \uc635\uc158 \/ Option<\/p>\n\n\n\n
1. \uc8fc\uc694 \ud14c\uc774\ube14 (-t \uc635\uc158) \/ Main table (-t option)<\/p>\n\n\n\n\uc0dd\ub7b5\ud560 \uacbd\uc6b0 \uae30\ubcf8\uac12\uc740 filter \ud14c\uc774\ube14\uc785\ub2c8\ub2e4.
If omitted, the default is the filter table.
filter:
\uae30\ubcf8 \ud14c\uc774\ube14. \ud328\ud0b7 \ud544\ud130\ub9c1(\ud5c8\uc6a9\/\ucc28\ub2e8) \ub2f4\ub2f9.
Basic table. Responsible for packet filtering (allow\/block).
nat:
\uc8fc\uc18c \ubcc0\ud658(SNAT\/DNAT) \ub2f4\ub2f9. \ud3ec\ud2b8 \ud3ec\uc6cc\ub529 \ub4f1\uc5d0 \uc0ac\uc6a9.
Responsible for address translation (SNAT\/DNAT). Used for port forwarding, etc.
mangle:
\ud328\ud0b7\uc758 \ud5e4\ub354 \uc815\ubcf4(TOS, TTL \ub4f1)\ub97c \uc218\uc815.
Modify the packet header information (TOS, TTL, etc.).
raw:
\uc5f0\uacb0 \ucd94\uc801(Connection Tracking) \uc81c\uc678 \uc124\uc815.
Exclude Connection Tracking settings.<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n2.\uae30\ubcf8 \uc561\uc158 \uc635\uc158 \/ Commands<\/p>\n\n\n\n
— \uccb4\uc778(Chain)\uc744 \uad00\ub9ac\ud558\uac70\ub098 \uaddc\uce59\uc744 \ucd94\uac00\/\uc0ad\uc81c\ud560 \ub54c \uc0ac\uc6a9\ud569\ub2c8\ub2e4.
Used to manage chains or add\/delete rules.<\/p>\n\n\n\n\uc635\uc158<\/strong> \/ optioon<\/td>\uc124\uba85<\/strong> \/ description<\/td><\/tr><\/thead>-A (–append)<\/strong><\/td>\uccb4\uc778\uc758 \ub9e8 \ub05d\uc5d0 \uc0c8\ub85c\uc6b4 \uaddc\uce59\uc744 \ucd94\uac00\ud569\ub2c8\ub2e4.
Add a new rule at the very end of the chain.<\/td><\/tr> -I (–insert)<\/strong><\/td>\uccb4\uc778\uc758 \ud2b9\uc815 \ubc88\ud638(\uae30\ubcf8\uac12 1)\uc5d0 \uaddc\uce59\uc744 \uc0bd\uc785\ud569\ub2c8\ub2e4.
Inserts a rule at a specific number in the chain (default 1).<\/td><\/tr> -D (–delete)<\/strong><\/td>\ud2b9\uc815 \uaddc\uce59\uc744 \uc0ad\uc81c\ud569\ub2c8\ub2e4 (\ubc88\ud638\ub098 \ub0b4\uc6a9 \uc9c0\uc815).
Deletes a specific rule (specify number or content).<\/td><\/tr> -R (–replace)<\/strong><\/td>\ud2b9\uc815 \ubc88\ud638\uc758 \uaddc\uce59\uc744 \uad50\uccb4\ud569\ub2c8\ub2e4.
Replaces a rule with a specific number.<\/td><\/tr> -L (–list)<\/strong><\/td>\ud604\uc7ac \uc124\uc815\ub41c \ubaa8\ub4e0 \uaddc\uce59\uc744 \ucd9c\ub825\ud569\ub2c8\ub2e4.
Prints all currently set rules.<\/td><\/tr> -F (–flush)<\/strong><\/td>\ud574\ub2f9 \uccb4\uc778\uc758 \ubaa8\ub4e0 \uaddc\uce59\uc744 \uc0ad\uc81c\ud569\ub2c8\ub2e4.
Delete all rules in that chain.<\/td><\/tr> -P (–policy)<\/strong><\/td>\uae30\ubcf8 \uc815\ucc45\uc744 \uc124\uc815\ud569\ub2c8\ub2e4 (\uc608: INPUT\uc744 DROP\uc73c\ub85c \uc124\uc815).
Set the default policy (e.g. set INPUT to DROP).<\/td><\/tr> -N (–new-chain)<\/strong><\/td>\uc0ac\uc6a9\uc790 \uc815\uc758 \uccb4\uc778\uc744 \uc0dd\uc131\ud569\ub2c8\ub2e4.
Create a custom chain.<\/td><\/tr> -X (–delete-chain)<\/strong><\/td>\ube44\uc5b4 \uc788\ub294 \uc0ac\uc6a9\uc790 \uc815\uc758 \uccb4\uc778\uc744 \uc0ad\uc81c\ud569\ub2c8\ub2e4.
Delete an empty custom chain.<\/td><\/tr> -Z (–zero)<\/strong><\/td>\ubaa8\ub4e0 \uaddc\uce59\uc758 \ud328\ud0b7\/\ubc14\uc774\ud2b8 \uce74\uc6b4\ud130\ub97c 0\uc73c\ub85c \ucd08\uae30\ud654\ud569\ub2c8\ub2e4.
Resets the packet\/byte counters of all rules to 0.<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n3.\ub9e4\uce6d \ubc0f \uc870\uac74 \uc635\uc158 \/ Parameters<\/p>\n\n\n\n
\uc5b4\ub5a4 \ud328\ud0b7\uc5d0 \uaddc\uce59\uc744 \uc801\uc6a9\ud560\uc9c0 \uc0c1\uc138\ud788 \uc124\uc815\ud569\ub2c8\ub2e4.
Specify in detail which packets the rule will be applied to.<\/p>\n\n\n\n\uc635\uc158<\/strong> \/ option<\/td>\uc124\uba85<\/strong> \/ description<\/td>\uc608\uc2dc<\/strong> \/ example<\/td><\/tr><\/thead>-p (–protocol)<\/strong><\/td>\ud2b9\uc815 \ud504\ub85c\ud1a0\ucf5c \uc9c0\uc815
Specify a specific protocol<\/td> -p tcp<\/code>, -p udp<\/code>, -p icmp<\/code><\/td><\/tr>-s (–source)<\/strong><\/td>\ucd9c\ubc1c\uc9c0 \uc8fc\uc18c (IP \ub610\ub294 \ub124\ud2b8\uc6cc\ud06c)
Source address (IP or network)<\/td> -s 192.168.1.0\/24<\/code><\/td><\/tr>-d (–destination)<\/strong><\/td>\ubaa9\uc801\uc9c0 \uc8fc\uc18c
destination address<\/td> -d 8.8.8.8<\/code><\/td><\/tr>-i (–in-interface)<\/strong><\/td>\ud328\ud0b7\uc774 \ub4e4\uc5b4\uc624\ub294 \uc778\ud130\ud398\uc774\uc2a4
Interface where packets come in<\/td> -i eth0<\/code><\/td><\/tr>-o (–out-interface)<\/strong><\/td>\ud328\ud0b7\uc774 \ub098\uac00\ub294 \uc778\ud130\ud398\uc774\uc2a4
Interface where packets go out<\/td> -o wlan0<\/code><\/td><\/tr>–sport<\/strong><\/td>\ucd9c\ubc1c\uc9c0 \ud3ec\ud2b8 (\uba85\uc2dc\uc801 \ud504\ub85c\ud1a0\ucf5c \ud544\uc694)
Source port (explicit protocol required)<\/td> --sport 80<\/code><\/td><\/tr>–dport<\/strong><\/td>\ubaa9\uc801\uc9c0 \ud3ec\ud2b8 (\uba85\uc2dc\uc801 \ud504\ub85c\ud1a0\ucf5c \ud544\uc694)
Destination port (explicit protocol required)<\/td> --dport 22<\/code><\/td><\/tr>! (not)<\/strong><\/td>\uc870\uac74\uc744 \ubc18\uc804\uc2dc\ud0b4
Invert the conditions<\/td> -s ! 127.0.0.1<\/code>
(\ub85c\uceec \uc81c\uc678 \/ Except local)<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n4.\ud0c0\uac9f \uc635\uc158 (-j Target)<\/p>\n\n\n\n
\uc870\uac74\uc5d0 \ub9de\ub294 \ud328\ud0b7\uc744 \uc5b4\ub5bb\uac8c \ucc98\ub9ac\ud560\uc9c0 \uacb0\uc815\ud569\ub2c8\ub2e4.<\/p>\n\n\n\nACCEPT<\/strong>:
\ud328\ud0b7\uc744 \ud5c8\uc6a9\ud569\ub2c8\ub2e4.
Allow packets.
DROP<\/strong>:
\ud328\ud0b7\uc744 \ucc28\ub2e8\ud569\ub2c8\ub2e4 (\uc751\ub2f5 \uc5c6\uc74c).
Block packets (no response).
REJECT<\/strong>:
\ud328\ud0b7\uc744 \ucc28\ub2e8\ud558\uace0 \uac70\ubd80 \uba54\uc2dc\uc9c0\ub97c \ubcf4\ub0c5\ub2c8\ub2e4.
Blocks packets and sends reject messages.
LOG<\/strong>:
\ud328\ud0b7 \uc815\ubcf4\ub97c \ucee4\ub110 \ub85c\uadf8(\/var\/log\/messages<\/code>)\uc5d0 \uae30\ub85d\ud569\ub2c8\ub2e4.
Logs packet information to the kernel log (\/var\/log\/messages).
SNAT \/ DNAT<\/strong>:
\ucd9c\ubc1c\uc9c0\/\ubaa9\uc801\uc9c0 \uc8fc\uc18c\ub97c \ubcc0\ud658\ud569\ub2c8\ub2e4 (nat \ud14c\uc774\ube14 \uc804\uc6a9).
Converts source\/destination addresses (nat table only).
MASQUERADE<\/strong>:
\uc720\ub3d9 IP \ud658\uacbd\uc5d0\uc11c SNAT\ub97c \uc801\uc6a9\ud569\ub2c8\ub2e4.
Apply SNAT in a dynamic IP environment.
RETURN<\/strong>:
\ud604\uc7ac \uccb4\uc778\uc5d0\uc11c\uc758 \ucc98\ub9ac\ub97c \uc911\ub2e8\ud558\uace0 \uc774\uc804 \uccb4\uc778\uc73c\ub85c \ub3cc\uc544\uac11\ub2c8\ub2e4.
Stops processing on the current chain and returns to the previous chain.<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n5.\uc790\uc8fc \uc0ac\uc6a9\ud558\ub294 \uae30\ud0c0 \uc635\uc158<\/p>\n\n\n\n-v (–verbose)<\/strong>:
\uc0c1\uc138\ud55c \uc815\ubcf4\ub97c \ucd9c\ub825\ud569\ub2c8\ub2e4 (\uc778\ud130\ud398\uc774\uc2a4, \uce74\uc6b4\ud130 \ub4f1).
Print detailed information (interfaces, counters, etc.).
-n (–numeric)<\/strong>:
IP \uc8fc\uc18c\uc640 \ud3ec\ud2b8 \ubc88\ud638\ub97c \uc774\ub984\uc774 \uc544\ub2cc \uc22b\uc790\ub85c \ud45c\uc2dc\ud569\ub2c8\ub2e4 (\uc18d\ub3c4\uac00 \ube60\ub984).
Display IP addresses and port numbers as numbers, not names (faster).
–line-numbers<\/strong>:
\uaddc\uce59 \uc55e\uc5d0 \ubc88\ud638\ub97c \ud568\uaed8 \ud45c\uc2dc\ud569\ub2c8\ub2e4 (\uc0ad\uc81c \uc2dc \uc720\uc6a9).
Number rules before them (useful for deleting).<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n\u2714\ufe0f \uae30\ud0c0 \/ etc.<\/p>\n\n\n\n
— \uc774\uc678\uc5d0\ub3c4 \ub9ce\uc740 \uae30\ub2a5\uc744 \uac00\uc9c0\uace0 \uc788\uc2b5\ub2c8\ub2e4.
It has many other features as well.<\/p>\n\n\n\n
— ddos\ubc29\uc5b4\ub97c \uc704\ud574 ping(ICMP) \ucc28\ub2e8\uc774\ub098 \ud3ec\ud2b8 \ud3ec\uc6cc\ub529 \uadf8\ub9ac\uace0 \ud328\ud0b7 \ubc1c\uc0dd\uac74\uc218 \uc81c\ud55c\uc744 \ud558\uae30\ub3c4 \ud569\ub2c8\ub2e4.
To protect against DDoS, ping (ICMP) blocking, port forwarding, and packet generation limiting are also used.<\/p>\n\n\n\n
— oci\uac19\uc740 \ud074\ub77c\uc6b0\ub4dc \uc11c\ubc84\uc758 \uacbd\uc6b0\ub294 \ub9ac\ub205\uc2a4 os\ub808\ubca8 \uc774\uc804\uc5d0 \ud074\ub77c\uc6b0\ub4dc \uc790\uccb4 \ubc29\ud654\ubcbd\uc774 \uc788\uc5b4\uc11c ping\uac19\uc740 \ucc28\ub2e8\uc124\uc815\uc740 \uc774\ubbf8 \ub418\uc5b4 \uc788\uc2b5\ub2c8\ub2e4.
In the case of cloud servers such as OCI, there is a cloud firewall before the Linux OS level, so blocking settings such as ping are already in place.<\/p>\n\n\n\n
\ud83d\udc49\ud83c\udffb \uacb0\ub860 \/ conclusion<\/p>\n\n\n\n
\u2714\ufe0f iptables\ub97c \uc0ac\uc6a9\ud558\uac8c \ub418\uba74 \uc704\uc758 \uc124\uc815\uc774 \uac00\uc7a5 \ub9ce\uc774 \uc0ac\uc6a9\ub429\ub2c8\ub2e4.
If you use iptables, the above settings are the most commonly used.<\/p>\n\n\n\n
\u2714\ufe0f \uc5ec\ub7ec\uac00\uc9c0 \ubcf4\uc548 \uc124\uc815\uc5d0 \uad00\ud574\uc11c\ub294 \ub098\uc911\uc5d0 \ub530\ub85c \ud3ec\uc2a4\ud305\ud558\uaca0\uc2b5\ub2c8\ub2e4.
I will post separately about various security settings later.<\/p>\n","protected":false},"excerpt":{"rendered":"
\ud83d\udc49\ud83c\udffb \ub9ac\ub205\uc2a4\uc5d0\uc11c \ubc29\ud654\ubcbd\uc740 iptables\ub97c \uc0ac\uc6a9\ud569\ub2c8\ub2e4. In Linux, the firewall uses iptables. \ud83d\udc49\ud83c\udffb \uc6b0\ubd84\ud22c24.04\uc5d0\uc11c\ub294 nftables\ub97c \uae30\ubcf8\uc73c\ub85c \uc0ac\uc6a9\ud569\ub2c8\ub2e4. \ubb3c\ub860 iptables\ub97c \uc0ac\uc6a9 \ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4.Ubuntu 24.04 uses nftables by default. You can of course use iptables. \ud83d\udc49\ud83c\udffb \ub9ce\uc740 \ubd84\ub4e4\uc774 \ub3c4\ucee4\ub97c \uc0ac\uc6a9\ud558\uace0 \uc788\uace0 \ub3c4\ucee4\uac00 \ucee8\ud14c\uc774\ub108 \uc0ac\uc6a9\uc2dc iptables\ub97c \uc218\uc815\ud569\ub2c8\ub2e4.Many people use Docker, and Docker modifies iptables when using containers. \ud83d\udc49\ud83c\udffb […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6,20,1],"tags":[],"class_list":["post-3761","post","type-post","status-publish","format-standard","hentry","category-linux","category-oci","category-uncategorized","missing-thumbnail"],"_links":{"self":[{"href":"https:\/\/www.freelifemakers.org\/wordpress\/index.php\/wp-json\/wp\/v2\/posts\/3761","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.freelifemakers.org\/wordpress\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.freelifemakers.org\/wordpress\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.freelifemakers.org\/wordpress\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.freelifemakers.org\/wordpress\/index.php\/wp-json\/wp\/v2\/comments?post=3761"}],"version-history":[{"count":84,"href":"https:\/\/www.freelifemakers.org\/wordpress\/index.php\/wp-json\/wp\/v2\/posts\/3761\/revisions"}],"predecessor-version":[{"id":5020,"href":"https:\/\/www.freelifemakers.org\/wordpress\/index.php\/wp-json\/wp\/v2\/posts\/3761\/revisions\/5020"}],"wp:attachment":[{"href":"https:\/\/www.freelifemakers.org\/wordpress\/index.php\/wp-json\/wp\/v2\/media?parent=3761"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.freelifemakers.org\/wordpress\/index.php\/wp-json\/wp\/v2\/categories?post=3761"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.freelifemakers.org\/wordpress\/index.php\/wp-json\/wp\/v2\/tags?post=3761"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}