[참조](https://help.iwinv.kr/manual/read.html?idx=97)
1. GeoIPCountryWhois.csv 구하기
$ grep KR GeoIPCountryWhois.csv | head
"1.11.0.0","1.11.255.255","17498112","17563647","KR","Korea, Republic of"
"1.16.0.0","1.19.255.255","17825792","18087935","KR","Korea, Republic of"
"1.96.0.0","1.111.255.255","23068672","24117247","KR","Korea, Republic of"
"1.176.0.0","1.177.255.255","28311552","28442623","KR","Korea, Republic of"
"1.201.0.0","1.201.255.255","29949952","30015487","KR","Korea, Republic of"
"1.208.0.0","1.255.255.255","30408704","33554431","KR","Korea, Republic of"
"14.0.48.0","14.0.55.255","234893312","234895359","KR","Korea, Republic of"
"14.0.62.0","14.0.62.255","234896896","234897151","KR","Korea, Republic of"
"14.0.64.0","14.0.127.255","234897408","234913791","KR","Korea, Republic of"
"14.4.0.0","14.7.255.255","235143168","235405311","KR","Korea, Republic of"
... 생략
2. Whitelist 방식의 iptables 설정
$ cat whitelist.sh
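#!/bin/bash
# whitelist.sh — allow-list inbound firewall.
#   1. keep the IPs of the sessions currently logged in reachable,
#   2. accept every IPv4 range registered to COUNTRY_CODE in the GeoIP CSV,
#   3. drop everything else (INPUT policy DROP).
# Requires: iptables (run through sudo), w, awk/gawk, and GeoIPCountryWhois.csv
# in the working directory (override with GEOIP_CSV=/path/to/file).
set -euo pipefail

readonly GEOIP_CSV=${GEOIP_CSV:-GeoIPCountryWhois.csv}
readonly COUNTRY_CODE=${COUNTRY_CODE:-KR}

# Print a message to stderr and exit without touching the INPUT policy.
die() { printf '%s\n' "$*" >&2; exit 1; }

#######################################
# Print the IPv4 addresses of the currently logged-in sessions, one per
# line, de-duplicated. The FROM column of w comes from utmp and is
# client-supplied, so only substrings shaped like a dotted quad are taken
# and each one is passed to iptables as a single quoted argument.
# Outputs: addresses on stdout (possibly none, e.g. console logins only)
#######################################
current_login_ips() {
  w -s \
    | awk 'match($0, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/) { print substr($0, RSTART, RLENGTH) }' \
    | sort -u
}

#######################################
# Print "start-end" ranges for $COUNTRY_CODE from $GEOIP_CSV.
# Selects on the country-code column (field 5), not on the country name:
# grepping for "Korea" also matches "Korea, Democratic People's Republic of"
# (KP), which would silently widen the allow-list.
# Outputs: one "a.b.c.d-e.f.g.h" range per line on stdout
#######################################
country_ip_ranges() {
  gawk -F'","' -v cc="$COUNTRY_CODE" \
    '$5 == cc { sub(/^"/, "", $1); print $1 "-" $2 }' "$GEOIP_CSV"
}

main() {
  local ip
  local -a ranges

  # Loopback and reply traffic must be accepted before the policy becomes
  # DROP: without these rules local services that talk over 127.0.0.1 and
  # every outbound connection to a host outside the allow-list (DNS,
  # package mirrors) lose their return packets.
  sudo iptables -I INPUT -i lo -j ACCEPT
  sudo iptables -I INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

  # Sessions currently connected (including the one running this script).
  # On OUTPUT the peer is the destination, so match with -d; a -s rule on
  # OUTPUT could only match the host's own address and never the peer.
  while IFS= read -r ip; do
    sudo iptables -I INPUT -p tcp -s "$ip" -j ACCEPT
    sudo iptables -I OUTPUT -p tcp -d "$ip" -j ACCEPT
  done < <(current_login_ips)

  # Allow-list by country. Refuse to continue when nothing was found
  # (wrong file, wrong column layout): applying DROP with an empty
  # allow-list would lock out everyone except the sessions above.
  mapfile -t ranges < <(country_ip_ranges)
  (( ${#ranges[@]} > 0 )) \
    || die "no ${COUNTRY_CODE} ranges found in ${GEOIP_CSV}; INPUT policy left unchanged"
  local range
  for range in "${ranges[@]}"; do
    sudo iptables -I INPUT -p all -m iprange --src-range "$range" -j ACCEPT
  done

  # Everything else is dropped. This is the last step so that any failure
  # above (set -e) leaves the host reachable.
  sudo iptables -P INPUT DROP
}

main "$@"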
3. 수정(예)
$ sudo iptables-save > imsiro
$ vi imsiro # 파일 수정
$ sudo iptables-restore < imsiro # 적용
4. 서비스 포트 허용 (멀티)
sudo iptables -A INPUT -p tcp -m multiport --dports 3000,5000,8000:9000,3306,6379,27017,5601,9200,9300 -j ACCEPT