
UFW

C/H 2015. 4. 1. 08:30

 

 

 

# UFW rule notes. ufw evaluates rules in the order they were added, so the
# order of the commands below matters; `sudo ufw status numbered` at the end
# prints the resulting order so it can be checked.
# NOTE(review): nothing here enables ufw or sets its default policies
# (`ufw enable`, `ufw default ...`); the notes presumably assume both are
# already done — confirm before applying.
sudo ufw allow in 80,443/tcp                          # inbound HTTP/HTTPS
sudo ufw allow in 3690/tcp                            # inbound 3690/tcp (presumably svnserve; purpose not stated here)
# sudo ufw delete allow 80,443/tcp # delete (removes the rule)
# sudo ufw delete allow out 80,443/tcp # delete (removes the rule)
# sudo ufw allow in http                              # service-name form of the 80/tcp rule
# sudo ufw allow in https                             # service-name form of the 443/tcp rule
# SSH (port 22, any protocol since none is given) only from one trusted
# address and from its /24.
# NOTE(review): the host bits in xxx.xxx.xxx.1/24 are non-zero; ufw should
# normalise this to the network address, but the .0/24 form avoids confusion — confirm.
sudo ufw allow from xxx.xxx.xxx.xxx to any port 22
sudo ufw allow from xxx.xxx.xxx.1/24 to any port 22
sudo ufw allow out 53,137,138/udp                     # outbound DNS and the well-known NetBIOS ports
sudo ufw allow out 3690/tcp
sudo ufw delete allow out 3690/tcp # delete (removes the rule just added above)
sudo ufw allow out 22,80,443,5900,8001/tcp            # outbound SSH, HTTP/HTTPS, 5900 and 8001 (uses not stated here)
sudo ufw allow out ntp                                # outbound NTP by service name
# Re-add the catch-all outbound deny: delete the existing one first so the
# appended copy lands after every allow-out rule above.
sudo ufw delete deny out to any
sudo ufw deny out to any
# configured so that `sudo ufw deny out any` is always the last rule
sudo ufw status numbered

포워딩 (port forwarding)

# sudo vi /etc/ufw/before.rules

*nat
:PREROUTING ACCEPT [0:0]
# Redirect inbound TCP/22 to local port 222 (whatever listens there is not
# shown on this page). No -i is given, so this applies to packets arriving on
# any interface.
# NOTE(review): REDIRECT runs in nat PREROUTING, ahead of the filter INPUT
# chain, so the filter rules then see dport 222; a ufw "allow ... port 22"
# rule alone would not admit this traffic — an allow for 222/tcp is
# presumably needed as well — confirm.
-A PREROUTING -p tcp --dport 22 -j REDIRECT --to-port 222
# Each table block in before.rules ends with its own COMMIT; keep this *nat
# block outside the existing *filter ... COMMIT block.
COMMIT

DNAT

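# Ad-hoc DNAT port forward: TCP 80/443 arriving on the public address are
# rewritten to an internal host, and LAN traffic leaving for other networks is
# masqueraded so replies return through this host.
# These iptables calls are not persistent (lost on reboot and liable to be
# replaced when ufw reloads); the /etc/ufw/before.rules *nat fragment on this
# page is the persistent form of the same rules.
# Parameters (environment; defaults keep the original literal values):
#   PUBLIC_IP - public address to forward from (required, no default)
#   WAN_IF    - external interface (default eth0)
#   LAN_HOST  - internal host that receives 80/443 (default 192.168.1.100)
#   LAN_NET   - internal network to masquerade (default 192.168.1.0/24)
# Fail early with a clear message instead of handing a placeholder to iptables.
: "${PUBLIC_IP:?set PUBLIC_IP to the public address to forward from}"
wan_if=${WAN_IF:-eth0}
lan_host=${LAN_HOST:-192.168.1.100}
lan_net=${LAN_NET:-192.168.1.0/24}
nat=(/sbin/iptables -t nat)
# Same forward for both ports; --to-destination is the long form of --to.
for port in 80 443; do
  "${nat[@]}" -A PREROUTING -i "$wan_if" -p tcp -d "$PUBLIC_IP" --dport "$port" \
    -j DNAT --to-destination "${lan_host}:${port}"
done
# "! -d" leaves LAN-to-LAN traffic untouched.
# NOTE(review): DNAT only rewrites the destination; the FORWARD chain must also
# accept the traffic and IP forwarding must be enabled — neither is shown here.
"${nat[@]}" -A POSTROUTING -s "$lan_net" ! -d "$lan_net" -j MASQUERADE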
# sudo vi /etc/ufw/before.rules

*nat
:PREROUTING ACCEPT [0:0]
# Persistent DNAT port forward for /etc/ufw/before.rules (unlike ad-hoc
# iptables commands it survives reboot and ufw reload). Replace {PUBLIC_IP}
# with the real public address before loading; iptables-restore will reject
# the placeholder as written.
# forward {PUBLIC_IP}  port 80 to 192.168.1.100:80
# forward {PUBLIC_IP}  port 443 to 192.168.1.100:443
-A PREROUTING -i eth0 -d {PUBLIC_IP}   -p tcp --dport 80 -j  DNAT --to-destination 192.168.1.100:80
-A PREROUTING -i eth0 -d {PUBLIC_IP}   -p tcp --dport 443 -j  DNAT --to-destination 192.168.1.100:443
# setup routing: masquerade LAN traffic leaving for other networks so replies
# return through this host; "! -d" leaves LAN-to-LAN traffic untouched.
# NOTE(review): DNAT alone does not pass the packets — the FORWARD chain must
# accept them (DEFAULT_FORWARD_POLICY in /etc/default/ufw, or a ufw route
# rule on newer ufw) and net/ipv4/ip_forward must be enabled in
# /etc/ufw/sysctl.conf; neither appears on this page — confirm.
-A POSTROUTING -s 192.168.1.0/24 ! -d 192.168.1.0/24 -j MASQUERADE
# Each table block needs its own COMMIT; keep this *nat block outside the
# existing *filter ... COMMIT block.
COMMIT

 
