[root@akiszk-dmz01 bin]# more ./* :::::::::::::: ./firewall-cmd.sh ::::::::::::::
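#!/bin/bash
# firewall-cmd.sh — put 192.168.0.0/24 into firewalld's "drop" zone.
#
# Zone notes (general use):
#   public  default zone; intended for public networks; incoming connections
#           are allowed selectively. services: ssh, dhcpv6-client
#   work    zone for a work environment where most hosts are trusted; incoming
#           connections are allowed selectively. services: ssh, ipp-client, dhcpv6-client
#   home    zone for a home environment where most hosts are trusted; incoming
#           connections are allowed selectively.
#           services: ssh, ipp-client, mdns, samba-client, dhcpv6-client
#
# The "drop" zone discards every incoming packet from its sources without a reply.
set -eu

# Source network to drop (value taken from the original one-liner).
readonly DROP_SOURCE=192.168.0.0/24

# A --permanent change only edits the on-disk zone definition and is not active
# until the next reload/restart. Apply the same rule to the running configuration
# as well, rather than calling --reload (which would also discard any other
# runtime-only rules).
firewall-cmd --zone=drop --add-source="${DROP_SOURCE}"
firewall-cmd --permanent --zone=drop --add-source="${DROP_SOURCE}"
# :::::::::::::: ./ipdrop.sh ::::::::::::::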
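#!/bin/bash
# ipdrop.sh — drop traffic from non-Japanese (or unresolvable) source addresses.
#
# Source addresses are harvested from the kernel LOG lines in /var/log/messages
# (the "SRC=" field written by the final "drop_packet:" rule of iptables.sh),
# each one is looked up with whois, and anything whose first "country" value is
# not JP gets an INPUT DROP rule. Results are appended to ok.lst / drop.lst.
#
# Runs as root (iptables). Normally called from iprup.sh after iptables.sh has
# rebuilt the ruleset, with stdout/stderr redirected to the iprup log.
set -u
set -x   # keep the trace the original "#!/bin/bash -x" produced; iprup.sh logs it
export PATH=$PATH:$HOME/bin:/usr/local/bin:/usr/sbin:/opt/rbenv/bin

readonly TEMP=/home/scripts/iptables/tmp
readonly SYSLOG=/var/log/messages

#######################################
# Extract candidate source addresses from the system log.
# Skips the local 192.168.2.x network and 0.0.0.0, de-duplicates.
# Globals:   SYSLOG (read)
# Outputs:   one address per line on stdout
#######################################
collect_sources() {
  # NOTE(review): "$9" assumes the SRC= token is always the 9th whitespace
  # field of the log line; a different log format shifts it. The address
  # format check in main() guards against acting on a non-address token.
  grep -v 'SRC=192.168.2' "${SYSLOG}" \
    | grep -v '0.0.0.0' \
    | grep 'SRC=' \
    | awk '{print $9}' \
    | sort -u \
    | awk -F= '{print $2}'
}

#######################################
# Look up the country code of an address via whois.
# Globals:   TEMP (read)
# Arguments: $1 - IPv4 address
# Outputs:   the first "country" value (possibly empty) on stdout;
#            raw whois output is left in ${TEMP}/chkip.tmp for inspection
#######################################
country_of() {
  local ip=$1
  # whois failures (not installed, network down, rate limited) leave the
  # country empty, which the caller treats as NG — i.e. an outage turns into
  # drops for every address seen. Check chkip.tmp when drop.lst grows suddenly.
  whois "${ip}" > "${TEMP}/chkip.tmp" 2>&1
  grep -i 'country' "${TEMP}/chkip.tmp" | head -1 | awk '{print $2}'
}

#######################################
# Add a DROP rule for a source address unless one is already present.
# Arguments: $1 - IPv4 address
#######################################
drop_source() {
  local ip=$1
  # -I (insert at the head) rather than -A: iptables.sh has already appended
  # the ACCEPT rules (25/443, ssh, monitoring ports) and the trailing LOG rule,
  # so a DROP appended after them would never match the traffic it is meant
  # to block. -C first keeps the rule idempotent when run outside iprup.sh.
  iptables -C INPUT -s "${ip}" -j DROP 2>/dev/null \
    || iptables -I INPUT -s "${ip}" -j DROP
}

main() {
  local ip cnt
  mkdir -p -- "${TEMP}"
  collect_sources > "${TEMP}/ipchk.tmp"

  while IFS= read -r ip; do
    # Only dotted-quad values may reach whois/iptables; anything else is a
    # mis-parsed log field and is skipped.
    if [[ ! "${ip}" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]]; then
      printf 'ip: %s is not an IPv4 address, skipped\n' "${ip}" >&2
      continue
    fi
    cnt=$(country_of "${ip}")
    if [[ "${cnt}" == "JP" ]]; then
      echo "ip: ${ip} Country is ${cnt} status:OK" >> "${TEMP}/ok.lst"
    elif [[ -z "${cnt}" ]]; then
      echo "ip: ${ip} Country is null status:NG" >> "${TEMP}/drop.lst"
      drop_source "${ip}"
    else
      echo "ip: ${ip} Country is ${cnt} status:NG" >> "${TEMP}/drop.lst"
      drop_source "${ip}"
    fi
  done < "${TEMP}/ipchk.tmp"
}

main "$@"
# :::::::::::::: ./iprup.sh ::::::::::::::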
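#!/bin/bash
# iprup.sh — rebuild the firewall, apply the country-based drops, persist, verify.
#
# Order matters: iptables.sh flushes and rebuilds the ruleset, ipdrop.sh then
# adds per-address DROP rules on top of it, and only then is the result saved
# and the service reloaded. Everything (including the scripts' own -x traces)
# is appended to ${SCRLOG}, which is truncated at the start of each run.
set -u
export PATH=$PATH:$HOME/bin:/usr/local/bin:/usr/sbin:/opt/rbenv/bin

readonly SCRLOG="/root/tools/iptables/log/iprup.log"
readonly BIN_DIR=/root/tools/iptables/bin

#######################################
# Timestamp in the log's format (the original used "%Ti"; the "i" is literal).
# Outputs: timestamp on stdout
#######################################
stamp() {
  date '+%Y/%m/%d %Ti'
}

#######################################
# Run one build script, bracketed by start/end markers and an iptables dump.
# Globals:   BIN_DIR (read)
# Arguments: $1 - script basename under ${BIN_DIR}
# Outputs:   markers, the script's own output and the ruleset to stdout
# Returns:   the script's exit status
#######################################
run_step() {
  local name=$1
  local rc=0
  echo ""
  echo "${name}"
  echo ""
  echo "--- script log start ---"
  echo ""
  echo " START: $(stamp)"
  echo ""
  "${BIN_DIR}/${name}" || rc=$?
  iptables -L -n -v --line-number
  echo ""
  echo " END : $(stamp)"
  echo ""
  echo "--- script log end ---"
  return "${rc}"
}

main() {
  local rc_base=0 rc_drop=0
  : > "${SCRLOG}"
  {
    run_step iptables.sh || rc_base=$?
    run_step ipdrop.sh || rc_drop=$?

    # Only persist a ruleset whose build steps reported success: saving a
    # half-built ruleset would make it the one restored at the next boot.
    if (( rc_base != 0 || rc_drop != 0 )); then
      echo ""
      echo "*** build step failed (iptables.sh=${rc_base}, ipdrop.sh=${rc_drop}); ruleset NOT saved ***"
    else
      /usr/libexec/iptables/iptables.init save
      systemctl reload iptables.service
    fi

    echo ""
    echo "--- last iptables status ---"
    echo ""
    iptables -L -n -v --line-number
    echo ""
    echo "--- last nmap status ---"
    echo ""
    if command -v nmap >/dev/null; then
      nmap as-mark.ddo.jp 192.168.2.112
    else
      echo "nmap not installed; verification scan skipped"
    fi
  } >> "${SCRLOG}" 2>&1
}

main "$@"
# :::::::::::::: ./iptables.sh ::::::::::::::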
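#!/bin/bash
# iptables.sh — build the local firewall ruleset from scratch.
#
# References:
#   http://www.rapidsite.jp/support/manual/rv_custom/e_4210.html
#   http://www.virment.com/linux/iptables/183/
#   http://www.aconus.com/~oyaji/security/iptables.htm
#   https://qiita.com/Tocyuki/items/6d90a1ec4dd8e991a1ce
#
# Run as root, normally from iprup.sh, which captures the -x trace in its log,
# runs ipdrop.sh afterwards and then saves/reloads the result. Nothing here is
# persisted by itself.
set -u
set -x   # trace every rule, as the original "#!/bin/bash -x" did
export PATH=$PATH:$HOME/bin:/usr/local/bin:/usr/sbin:/opt/rbenv/bin

# Address this (DMZ) host is reached on, the LAN machine the game / map / RDP
# ports are forwarded to, and the interface the anti-spoofing rules name.
readonly DMZ_ADDR=192.168.2.112
readonly GAME_HOST=192.168.2.25
readonly WAN_IF=ens160

#######################################
# Forward one TCP port to ${GAME_HOST} and allow the forwarded flow.
# Reproduces the five-rule pattern the original repeated for each port; the
# second PREROUTING rule (no destination match) subsumes the first and is
# kept for parity with the original.
# Globals:   DMZ_ADDR (read), GAME_HOST (read)
# Arguments: $1 - TCP port
#######################################
dnat_tcp_port() {
  local port=$1
  iptables -t nat -A PREROUTING -p tcp -d "${DMZ_ADDR}" --dport "${port}" \
    -j DNAT --to-destination "${GAME_HOST}:${port}"
  iptables -t nat -A PREROUTING -p tcp --dport "${port}" \
    -j DNAT --to-destination "${GAME_HOST}:${port}"
  iptables -t nat -A POSTROUTING -p tcp -d "${GAME_HOST}" --dport "${port}" -j MASQUERADE
  iptables -A FORWARD -p tcp -d "${GAME_HOST}" --dport "${port}" -j ACCEPT
  iptables -A FORWARD -p tcp ! --syn -m state --state ESTABLISHED \
    -s "${GAME_HOST}" --sport "${port}" -j ACCEPT
}

# ------------------------------------------------------------------------------
# Reset: -F deletes every rule in the filter table, -t nat -F the same for nat,
# -X deletes every non-builtin chain (after -F, so nothing still references one).
# ------------------------------------------------------------------------------
iptables -F
iptables -t nat -F
iptables -X

# ------------------------------------------------------------------------------
# Default policies. INPUT: packets addressed to this host, FORWARD: routed
# packets, OUTPUT: packets leaving this host. Anything not accepted below is
# dropped (and logged by the final LOG rule).
# ------------------------------------------------------------------------------
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# ------------------------------------------------------------------------------
# Replies to connections this host opened, and loopback.
# ------------------------------------------------------------------------------
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT

# ------------------------------------------------------------------------------
# Per-host services, selected by short hostname.
# ------------------------------------------------------------------------------
L_HOST=$(hostname -s)
case "${L_HOST}" in
  akiszk-wp01)
    iptables -A INPUT -i eth0 -m multiport -p tcp --dports 25,443 -j ACCEPT
    ;;
  akiszk-samba01)
    iptables -A INPUT -i eth0 -m multiport -p tcp --dports 139,445 -j ACCEPT
    iptables -A INPUT -i eth1 -m multiport -p tcp --dports 139,445 -j ACCEPT
    iptables -A INPUT -i eth0 -m multiport -p udp --dports 137,138 -j ACCEPT
    iptables -A INPUT -i eth1 -m multiport -p udp --dports 137,138 -j ACCEPT
    ;;
  akiszk-repo01)
    iptables -A INPUT -i eth0 -m multiport -p tcp --dports 80 -j ACCEPT
    ;;
  akiszk-dns01)
    # NOTE(review): only TCP 53 is opened here; most DNS queries arrive over
    # UDP 53. Confirm whether udp/53 is meant to be reachable on this host.
    iptables -A INPUT -i eth0 -m multiport -p tcp --dports 53 -j ACCEPT
    iptables -A INPUT -i eth1 -m multiport -p tcp --dports 53 -j ACCEPT
    ;;
  akiszk-dmz01)
    iptables -A INPUT -i "${WAN_IF}" -m multiport -p tcp --dports 25,443 -j ACCEPT
    ;;
esac
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# ------------------------------------------------------------------------------
# Management (ssh from named PCs) and monitoring agent ports.
# NOTE(review): in the captured listing these rules were fused onto their label
# comments ("### AkiSzk PC" etc.) rather than prefixed with "###" like the
# disabled 192.168.0.25/24 rule, so they are treated as active here — confirm.
# ------------------------------------------------------------------------------
iptables -A INPUT -s 192.168.2.25 -p tcp --dport 22 -j ACCEPT    # AkiSzk PC
iptables -A INPUT -s 192.168.2.30 -p tcp --dport 22 -j ACCEPT    # SynSzk PC
iptables -A INPUT -m multiport -p tcp --dports 10050,10051,10055,10061 -j ACCEPT
iptables -A INPUT -m multiport -p udp --dports 10050,10051,10055,10061 -j ACCEPT
iptables -A INPUT -s 192.168.2.125 -p tcp --dport 22 -j ACCEPT   # lenovo-PC

# ------------------------------------------------------------------------------
# Port forwarding to ${GAME_HOST}. (The original also carried a disabled copy of
# these rules targeting 192.168.2.125 and a disabled country allow-list built
# from http://nami.jp/ipv4bycc/cidr.txt.gz into an ACCEPT_JP_FILTER chain;
# both were commented out and are not reproduced.)
# ------------------------------------------------------------------------------
dnat_tcp_port 25565           # game server
MAPPORT=10000
dnat_tcp_port "${MAPPORT}"    # Journey Map
RDPPORT=13389
dnat_tcp_port "${RDPPORT}"    # Remote Desktop

# ------------------------------------------------------------------------------
# Anti-spoofing: private/loopback sources arriving on the WAN interface.
# NOTE(review): this chain is defined but never referenced from INPUT, exactly
# as in the original, so it is inert. Before hooking it in (e.g. "-A INPUT
# -i ${WAN_IF} -j IP_SPOOFING"), confirm ${WAN_IF} is really the outside
# interface: the LAN (192.168.2.0/24, including the ssh sources above) falls
# inside 192.168.0.0/16, so attaching it to a LAN-facing interface would cut
# off management access. 192.168.0.0/24 is already covered by the /16.
# ------------------------------------------------------------------------------
iptables -N IP_SPOOFING
iptables -A IP_SPOOFING -i "${WAN_IF}" -s 127.0.0.1/8 -j DROP
iptables -A IP_SPOOFING -i "${WAN_IF}" -s 10.0.0.0/8 -j DROP
iptables -A IP_SPOOFING -i "${WAN_IF}" -s 172.16.0.0/12 -j DROP
iptables -A IP_SPOOFING -i "${WAN_IF}" -s 192.168.0.0/16 -j DROP
iptables -A IP_SPOOFING -i "${WAN_IF}" -s 192.168.0.0/24 -j DROP

# ------------------------------------------------------------------------------
# Echo-request handling (ping attack / ping flood).
# The original chain accepted every echo-request up to 85 bytes unconditionally
# and appended the rate-limited ACCEPT after the DROP, where it could never
# match. The chain now does what the "Ping flood" comment intended: small
# pings are accepted at 1/s (burst 4); everything else is logged and dropped.
# ------------------------------------------------------------------------------
iptables -N PING_ATTACK
iptables -A PING_ATTACK -p icmp --icmp-type 8 -m length --length :85 \
  -m limit --limit 1/s --limit-burst 4 -j ACCEPT
iptables -A PING_ATTACK -j LOG --log-prefix "[IPTABLES PINGATTACK] : " --log-level=debug
iptables -A PING_ATTACK -j DROP
iptables -A INPUT -p icmp --icmp-type 8 -j PING_ATTACK

# ------------------------------------------------------------------------------
# Rate limits on a ppp link (no-op on hosts without a ppp interface).
# ------------------------------------------------------------------------------
iptables -A INPUT -i ppp+ -p tcp --syn -m limit --limit 1/s -j ACCEPT
iptables -A INPUT -i ppp+ -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

# ------------------------------------------------------------------------------
# Broadcast/multicast noise (smurf) — dropped without logging.
# ------------------------------------------------------------------------------
iptables -N SMURF
iptables -A SMURF -d 255.255.255.255 -j DROP
iptables -A SMURF -d 224.0.0.1 -j DROP
iptables -A SMURF -d 192.168.0.255 -j DROP
iptables -A SMURF -d 192.168.2.255 -j DROP

# ------------------------------------------------------------------------------
# Malformed / scan-looking TCP: inserted at the head of INPUT so they run
# before the stateful ACCEPT. New connections without SYN, packets with no
# flags, packets with all flags.
# ------------------------------------------------------------------------------
iptables -I INPUT -p tcp ! --syn -m state --state NEW -j DROP
iptables -I INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -I INPUT -p tcp --tcp-flags ALL ALL -j DROP

# ------------------------------------------------------------------------------
# Tail: silence broadcast noise, log everything else before the policy drops it.
# The original never referenced SMURF; hooking it here, immediately before the
# LOG rule, only suppresses log lines — anything reaching this point is dropped
# by the INPUT policy regardless.
# NOTE(review): the LOG rule is unlimited. ipdrop.sh reads its SRC= field, so
# rate limiting it (-m limit) trades log-flood protection for ipdrop coverage.
# ------------------------------------------------------------------------------
iptables -A INPUT -j SMURF
iptables -A INPUT -j LOG --log-prefix "drop_packet:"

# Saving/reloading the ruleset and the verification dump/scan are done by iprup.sh.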
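#!/bin/bash
# iprup.sh — rebuild the firewall, apply the country-based drops, persist, verify.
#
# Order matters: iptables.sh flushes and rebuilds the ruleset, ipdrop.sh then
# adds per-address DROP rules on top of it, and only then is the result saved
# and the service reloaded. Everything (including the scripts' own -x traces)
# is appended to ${SCRLOG}, which is truncated at the start of each run.
set -u
export PATH=$PATH:$HOME/bin:/usr/local/bin:/usr/sbin:/opt/rbenv/bin

readonly SCRLOG="/root/tools/iptables/log/iprup.log"
readonly BIN_DIR=/root/tools/iptables/bin

#######################################
# Timestamp in the log's format (the original used "%Ti"; the "i" is literal).
# Outputs: timestamp on stdout
#######################################
stamp() {
  date '+%Y/%m/%d %Ti'
}

#######################################
# Run one build script, bracketed by start/end markers and an iptables dump.
# Globals:   BIN_DIR (read)
# Arguments: $1 - script basename under ${BIN_DIR}
# Outputs:   markers, the script's own output and the ruleset to stdout
# Returns:   the script's exit status
#######################################
run_step() {
  local name=$1
  local rc=0
  echo ""
  echo "${name}"
  echo ""
  echo "--- script log start ---"
  echo ""
  echo " START: $(stamp)"
  echo ""
  "${BIN_DIR}/${name}" || rc=$?
  iptables -L -n -v --line-number
  echo ""
  echo " END : $(stamp)"
  echo ""
  echo "--- script log end ---"
  return "${rc}"
}

main() {
  local rc_base=0 rc_drop=0
  : > "${SCRLOG}"
  {
    run_step iptables.sh || rc_base=$?
    run_step ipdrop.sh || rc_drop=$?

    # Only persist a ruleset whose build steps reported success: saving a
    # half-built ruleset would make it the one restored at the next boot.
    if (( rc_base != 0 || rc_drop != 0 )); then
      echo ""
      echo "*** build step failed (iptables.sh=${rc_base}, ipdrop.sh=${rc_drop}); ruleset NOT saved ***"
    else
      /usr/libexec/iptables/iptables.init save
      systemctl reload iptables.service
    fi

    echo ""
    echo "--- last iptables status ---"
    echo ""
    iptables -L -n -v --line-number
    echo ""
    echo "--- last nmap status ---"
    echo ""
    if command -v nmap >/dev/null; then
      nmap as-mark.ddo.jp 192.168.2.112
    else
      echo "nmap not installed; verification scan skipped"
    fi
  } >> "${SCRLOG}" 2>&1
}

main "$@"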