Whitelist iptables (block access from countries other than Korea)

2021. 12. 23. 13:56 (Linux)

1. Obtain GeoIPCountryWhois.csv

$ grep KR GeoIPCountryWhois.csv | head
"1.11.0.0","1.11.255.255","17498112","17563647","KR","Korea, Republic of"
"1.16.0.0","1.19.255.255","17825792","18087935","KR","Korea, Republic of"
"1.96.0.0","1.111.255.255","23068672","24117247","KR","Korea, Republic of"
"1.176.0.0","1.177.255.255","28311552","28442623","KR","Korea, Republic of"
"1.201.0.0","1.201.255.255","29949952","30015487","KR","Korea, Republic of"
"1.208.0.0","1.255.255.255","30408704","33554431","KR","Korea, Republic of"
"14.0.48.0","14.0.55.255","234893312","234895359","KR","Korea, Republic of"
"14.0.62.0","14.0.62.255","234896896","234897151","KR","Korea, Republic of"
"14.0.64.0","14.0.127.255","234897408","234913791","KR","Korea, Republic of"
"14.4.0.0","14.7.255.255","235143168","235405311","KR","Korea, Republic of"
... (omitted)

2. Whitelist-style iptables configuration

$ cat whitelist.sh
#!/bin/bash
# Allow the addresses that currently have a login session, so the admin is not locked out
MY_IP=$(w -s | awk '{ match($0, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/); print substr($0, RSTART, RLENGTH) }' | sed '/^$/d' | sort -u)
for ip in ${MY_IP}
do
  sudo iptables -I INPUT -p tcp -s ${ip} -j ACCEPT
  # In the OUTPUT chain the admin's address is the destination, so match it with -d, not -s
  sudo iptables -I OUTPUT -p tcp -d ${ip} -j ACCEPT
done

# Loopback and already-established connections must stay reachable once the policy is DROP
sudo iptables -I INPUT -i lo -j ACCEPT
sudo iptables -I INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Whitelist: allow Korean IP ranges. Select on the country-code column ("KR") rather than
# grepping for "Korea", which would also match "Korea, Democratic People's Republic of".
# Splitting on the quote character keeps the comma inside the country name harmless.
for IP_RANGE in $(awk -F'"' '$10 == "KR" { print $2 "-" $4 }' GeoIPCountryWhois.csv)
do
  sudo iptables -I INPUT -p all -m iprange --src-range $IP_RANGE -j ACCEPT
done

# Drop everything else
sudo iptables -P INPUT DROP

3. Editing the rules (example)

$ sudo iptables-save > imsiro
$ vi imsiro # edit the file
$ sudo iptables-restore < imsiro # apply
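Added example (not code from the original post): a helper that selects ranges by the KR country-code column instead of grepping for "Korea", converts an address to the integer form of CSV columns 3 and 4 so a whitelist decision can be dry-run offline before anything is applied, and emits the whole policy in iptables-save format for the iptables-restore step of section 3. The CSV rows are constructed samples and the column layout is assumed from the grep output in section 1.

```shell
#!/bin/bash
# Constructed sample rows in GeoIPCountryWhois.csv layout (assumed columns:
# start_ip,end_ip,start_int,end_int,country_code,country_name). The KP row is
# included on purpose: a plain `grep Korea` would whitelist it as well.
SAMPLE_CSV=$(cat <<'EOF'
"1.11.0.0","1.11.255.255","17498112","17563647","KR","Korea, Republic of"
"14.4.0.0","14.7.255.255","235143168","235405311","KR","Korea, Republic of"
"175.45.176.0","175.45.179.255","2939006976","2939007999","KP","Korea, Democratic People's Republic of"
"8.8.8.0","8.8.8.255","134744064","134744319","US","United States"
EOF
)

# Print "start-end" for every row whose country-code column is exactly KR
# (split on the quote character so the comma inside the country name is harmless).
kr_ranges() {
  awk -F'"' '$10 == "KR" { print $2 "-" $4 }'
}

# Dotted IPv4 address -> integer, the same encoding as CSV columns 3 and 4.
ip2int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# Dry run: succeed only if the address lies inside a KR row of the CSV on stdin.
ip_allowed() {
  local n
  n=$(ip2int "$1")
  awk -F'"' -v n="$n" '$10 == "KR" && n >= $6 + 0 && n <= $8 + 0 { found = 1 } END { exit !found }'
}

# Emit the whole policy in iptables-save format so it can be applied atomically
# with iptables-restore: loopback and established traffic first, then the whitelist.
ruleset() {
  echo '*filter'
  echo ':INPUT DROP [0:0]'
  echo ':FORWARD DROP [0:0]'
  echo ':OUTPUT ACCEPT [0:0]'
  echo '-A INPUT -i lo -j ACCEPT'
  echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
  kr_ranges | sed 's/^/-A INPUT -m iprange --src-range /; s/$/ -j ACCEPT/'
  echo 'COMMIT'
}

# With the real file: ruleset < GeoIPCountryWhois.csv > imsiro
# then review imsiro and apply it with: sudo iptables-restore < imsiro
```

The dry run only answers whether an address is inside the country whitelist; it does not account for the session-IP rules or any port rules appended later.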
4. Allowing service ports (multiport)

# Note: appended with -A and without -s, this rule matches these ports from any source address,
# so they are reachable from outside the Korean whitelist as well. Add -s <CIDR> or an iprange
# match if the ports are meant to stay Korea-only.
sudo iptables -A INPUT -p tcp -m multiport --dports 3000,5000,8000:9000,3306,6379,27017,5601,9200,9300 -j ACCEPT