Daily Summary

Linux Firewall Configuration

mysecurity 2025. 5. 8. 17:48

Table of Contents

1. Linux Firewall Configuration

1-1 System firewall configuration for each created server

1. Linux Firewall Configuration

1-1 System firewall configuration for each created server

Network configuration (diagram)

Configure the system firewalls of the web, dns and oracle servers to match the network configuration above.

~.11.3 and ~.0.0/24 are the trusted host and the trusted network respectively, so allowing every service from them poses no security problem.

● ORACLE server

[st09@ora19c ~]# cat fir.txt
# the custom "oracle" service must already exist (created earlier with: firewall-cmd --permanent --new-service=oracle)
firewall-cmd --permanent --service=oracle --set-short=oracle
firewall-cmd --permanent --service=oracle --add-port=1521/tcp
firewall-cmd --permanent --service=oracle --add-port=1522/tcp
firewall-cmd --permanent --service=oracle --add-port=1523/tcp

firewall-cmd --permanent --zone=public --remove-service=cockpit
firewall-cmd --permanent --zone=public --remove-service=dhcpv6-client
firewall-cmd --permanent --zone=public --remove-service=ssh

firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.12.11" service name="oracle" accept'
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.11.3" service name="oracle" accept'
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.11.3" service name="ssh" accept'
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.11.3" service name="ftp" accept'
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.11.3" service name="samba" accept'
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.0/24" service name="ssh" accept'
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.0/24" service name="samba" accept'
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.0/24" service name="oracle" accept'
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.0/24" service name="ftp" accept'


[st09@ora19c ~]# firewall-cmd --reload


[st09@ora19c ~]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens160
  sources:
  services:
  ports:
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="192.168.0.0/24" service name="ftp" accept
        rule family="ipv4" source address="192.168.11.3" service name="samba" accept
        rule family="ipv4" source address="192.168.0.0/24" service name="samba" accept
        rule family="ipv4" source address="192.168.0.0/24" service name="ssh" accept
        rule family="ipv4" source address="192.168.0.0/24" service name="oracle" accept
        rule family="ipv4" source address="192.168.11.3" service name="ftp" accept
        rule family="ipv4" source address="192.168.11.3" service name="oracle" accept
        rule family="ipv4" source address="192.168.12.11" service name="oracle" accept
        rule family="ipv4" source address="192.168.11.3" service name="ssh" accept

- Allowing just one of ftp and samba is already enough to upload files, so there is no need to allow both redundantly as above.

● WEB server

[st09@d_web ~]# cat fir.txt
firewall-cmd --permanent --zone=public --remove-service=ftp
firewall-cmd --permanent --zone=public --remove-service=http
firewall-cmd --permanent --zone=public --remove-service=ssh
firewall-cmd --permanent --zone=public --remove-service=samba

firewall-cmd --permanent --zone=public --add-service=http
firewall-cmd --permanent --zone=public --add-service=https

firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.11.3" service name="ssh" accept'
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.11.3" service name="telnet" accept'
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.11.3" service name="ftp" accept'
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.11.3" service name="samba" accept'
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.0/24" service name="ssh" accept'
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.0/24" service name="telnet" accept'
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.0/24" service name="ftp" accept'
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.0/24" service name="samba" accept'


[st09@d_web ~]# firewall-cmd --reload


[st09@d_web ~]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens160
  sources:
  services: http https
  ports:
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="192.168.11.3" service name="ssh" accept
        rule family="ipv4" source address="192.168.11.3" service name="ftp" accept
        rule family="ipv4" source address="192.168.0.0/24" service name="ssh" accept
        rule family="ipv4" source address="192.168.0.0/24" service name="samba" accept
        rule family="ipv4" source address="192.168.0.0/24" service name="telnet" accept
        rule family="ipv4" source address="192.168.11.3" service name="telnet" accept
        rule family="ipv4" source address="192.168.0.0/24" service name="ftp" accept
        rule family="ipv4" source address="192.168.11.3" service name="samba" accept

- The http and https services are allowed so that anyone can use them.

- Allowing just one of ssh and telnet is already enough for remote access, so there is no need to allow both redundantly as above.

● DNS server

[st09@d_dns ~]# cat fir.txt
firewall-cmd --permanent --zone=public --remove-service=cockpit
firewall-cmd --permanent --zone=public --remove-service=dhcpv6-client
firewall-cmd --permanent --zone=public --remove-service=ssh

firewall-cmd --permanent --zone=public --add-service=dns

firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.11.3" service name="ssh" accept'
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.0/24" service name="ssh" accept'


[st09@d_dns ~]# firewall-cmd --reload


[st09@d_dns ~]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens160
  sources:
  services: dns
  ports:
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="192.168.0.0/24" service name="ssh" accept
        rule family="ipv4" source address="192.168.11.3" service name="ssh" accept

- The dns service is allowed so that anyone can use it.
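As an added example (not part of the original post), a small Python audit that parses `firewall-cmd --list-all` output like the three captures above, separates the services open to any source from those accepted per source by rich rules, and flags the redundant pairs the post's notes point out (ftp/samba, ssh/telnet) when both are accepted for the same source. The sample input is the web server's output copied from this post; the redundant-pair list is an assumption taken from the post's notes.

```python
import re
from collections import defaultdict

# Constructed sample input: the web server's `firewall-cmd --list-all` output from this post,
# trimmed to the lines the parser uses.
SAMPLE = """public (active)
  target: default
  services: http https
  ports:
  rich rules:
        rule family="ipv4" source address="192.168.11.3" service name="ssh" accept
        rule family="ipv4" source address="192.168.11.3" service name="ftp" accept
        rule family="ipv4" source address="192.168.0.0/24" service name="ssh" accept
        rule family="ipv4" source address="192.168.0.0/24" service name="samba" accept
        rule family="ipv4" source address="192.168.0.0/24" service name="telnet" accept
        rule family="ipv4" source address="192.168.11.3" service name="telnet" accept
        rule family="ipv4" source address="192.168.0.0/24" service name="ftp" accept
        rule family="ipv4" source address="192.168.11.3" service name="samba" accept
"""

# Accept rich rules of the shape the post uses: one source address, one named service.
RICH_RE = re.compile(r'source address="([^"]+)"\s+service name="([^"]+)"\s+accept')

# Pairs the post calls redundant: either service alone gives the same capability
# (file upload via ftp or samba, remote login via ssh or telnet). Assumption taken from its notes.
REDUNDANT_PAIRS = [("ftp", "samba"), ("ssh", "telnet")]

def parse_list_all(text):
    """Return (services open to any source, {source: set of services accepted by rich rules})."""
    open_services = set()
    per_source = defaultdict(set)
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("services:"):
            open_services.update(stripped.split(":", 1)[1].split())
        elif stripped.startswith("rule "):
            m = RICH_RE.search(stripped)
            if m:
                per_source[m.group(1)].add(m.group(2))
    return open_services, dict(per_source)

def find_redundant(per_source):
    """List (source, a, b) for every source that accepts both services of a redundant pair."""
    hits = []
    for src, svcs in sorted(per_source.items()):
        for a, b in REDUNDANT_PAIRS:
            if a in svcs and b in svcs:
                hits.append((src, a, b))
    return hits
```

Calling `find_redundant(parse_list_all(SAMPLE)[1])` returns four hits for the web server (both pairs for both trusted sources); feeding it the live output of `firewall-cmd --list-all` on each server works the same way.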
