Install iptables-persistent. It asks whether to save the current IPv4 and IPv6 rules; answer Yes to both.
# apt-get install iptables-persistent
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  iptables-persistent
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 10.3 kB of archives.
After this operation, 61.4 kB of additional disk space will be used.
Get:1 http://ftp.jp.debian.org/debian/ wheezy/main iptables-persistent all 0.5.7 [10.3 kB]
Fetched 10.3 kB in 0s (35.2 kB/s)
Preconfiguring packages ...
Selecting previously unselected package iptables-persistent.
(Reading database ... 22594 files and directories currently installed.)
Unpacking iptables-persistent (from .../iptables-persistent_0.5.7_all.deb) ...
update-rc.d: using dependency based boot sequencing
Setting up iptables-persistent (0.5.7) ...
Loading iptables rules... IPv4... IPv6...done.
Check the initial state. Nothing is being filtered yet: all three chains have an ACCEPT policy and no rules.
# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
The initial configuration is done with a script like the following. The grep at the end confirms that IPv4 forwarding is also enabled persistently through sysctl.
# cat iptables.sh
#!/bin/bash
IPTABLES=/sbin/iptables

# Flush all rules, delete user-defined chains and zero the counters in the filter and nat tables
$IPTABLES -F
$IPTABLES -X
$IPTABLES -Z
$IPTABLES -t nat -F
$IPTABLES -t nat -X
$IPTABLES -t nat -Z

# Enable IPv4 forwarding so this host can route for the LAN
echo 1 > /proc/sys/net/ipv4/ip_forward
# Masquerade forwarded traffic; note that without -o this applies to every outgoing interface
$IPTABLES -t nat -A POSTROUTING -j MASQUERADE

# Default policies: drop unsolicited inbound traffic, allow forwarding and outbound traffic
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P OUTPUT ACCEPT

# Accept replies to connections this host has already established
$IPTABLES -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED
#$IPTABLES -A INPUT -j ACCEPT -p tcp --dport 22
#$IPTABLES -A INPUT -j ACCEPT -p tcp --dport 22 -m state --state ESTABLISHED,RELATED
# SSH: established packets were already accepted above, so this effectively limits new
# connections to 3 per minute (burst 3) per source/destination pair; anything beyond that is dropped
$IPTABLES -A INPUT -j ACCEPT -p tcp --dport 22 -m hashlimit --hashlimit 3/minute --hashlimit-burst 3 --hashlimit-name out_ssh --hashlimit-mode srcip,dstip --hashlimit-htable-expire 60000
$IPTABLES -A INPUT -j DROP -p tcp --dport 22

# Trust loopback and the wired LAN side (eth0)
$IPTABLES -A INPUT -j ACCEPT -i lo
$IPTABLES -A INPUT -j ACCEPT -i eth0

# Never send traffic for private or loopback ranges out of the wireless (upstream) side
$IPTABLES -A OUTPUT -j DROP -o wlan0 -d 10.0.0.0/8
# The original line read 176.16.0.0/12, a typo for the RFC 1918 range 172.16.0.0/12 (the listing below still shows the typo)
$IPTABLES -A OUTPUT -j DROP -o wlan0 -d 172.16.0.0/12
$IPTABLES -A OUTPUT -j DROP -o wlan0 -d 192.168.0.0/16
$IPTABLES -A OUTPUT -j DROP -o wlan0 -d 127.0.0.0/8
exit
# grep -v -e '^$' -e '#' /etc/sysctl.d/*.conf /etc/sysctl.conf
net.ipv4.ip_forward=1
The output of iptables -L after running the script is shown below (the nat table is listed first with iptables -t nat -L).
# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  anywhere             anywhere

# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh limit: up to 3/min burst 3 mode srcip-dstip
DROP       tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  anywhere             10.0.0.0/8
DROP       all  --  anywhere             176.16.0.0/12
DROP       all  --  anywhere             192.168.0.0/16
DROP       all  --  anywhere             loopback/8
If this looks right, save the rules and make sure they are loaded at boot.
# iptables-save > /etc/iptables/rules.v4
# update-rc.d iptables-persistent defaults
With this in place, hosts behind the box can reach the outside, and devices on the same network can still communicate with each other.
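As an added example that is not part of the original post, the bash functions below audit a saved rules.v4 file for the properties this ruleset is meant to guarantee: a DROP policy on INPUT, the RELATED,ESTABLISHED accept rule, a wlan0 egress drop for every RFC 1918 range plus loopback, and a MASQUERADE restricted with -o. The sample file is constructed here and mirrors the page's rules (hashlimit lines omitted), including the 176.16.0.0/12 typo, which the check reports as a missing 172.16.0.0/12 drop.

```bash
#!/bin/bash
# has_rule FILE CHAIN WORD... : true if some "-A CHAIN ..." rule in FILE contains every WORD as a whole token
has_rule() {
    local f="$1" chain="$2"; shift 2
    awk -v chain="$chain" -v words="$*" '
        BEGIN { n = split(words, w, " ") }
        $1 == "-A" && $2 == chain {
            ok = 1
            for (i = 1; i <= n; i++) if (index(" " $0 " ", " " w[i] " ") == 0) ok = 0
            if (ok) { found = 1; exit }
        }
        END { exit !found }' "$f"
}
# check_rules FILE : print one line per problem; the return value is the number of problems (0 = clean)
check_rules() {
    local f="$1" n=0
    grep -q '^:INPUT DROP' "$f" || { echo "INPUT policy is not DROP"; n=$((n+1)); }
    has_rule "$f" INPUT --state RELATED,ESTABLISHED -j ACCEPT \
        || { echo "INPUT lacks the RELATED,ESTABLISHED accept rule (a DROP policy would cut replies)"; n=$((n+1)); }
    # every RFC 1918 range plus loopback must be dropped on the upstream interface
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8; do
        has_rule "$f" OUTPUT -o wlan0 -d "$net" -j DROP \
            || { echo "OUTPUT does not drop $net on wlan0"; n=$((n+1)); }
    done
    # a MASQUERADE with no -o rewrites traffic leaving on every interface, not just the upstream one
    if has_rule "$f" POSTROUTING -j MASQUERADE && ! has_rule "$f" POSTROUTING -o -j MASQUERADE; then
        echo "MASQUERADE is not restricted with -o to the upstream interface"; n=$((n+1))
    fi
    return "$n"
}
# Constructed sample in iptables-save format mirroring the ruleset on this page (typo included); prints its path
sample_rules() {
    local f; f=$(mktemp)
    cat > "$f" <<'EOF'
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -d 10.0.0.0/8 -o wlan0 -j DROP
-A OUTPUT -d 176.16.0.0/12 -o wlan0 -j DROP
-A OUTPUT -d 192.168.0.0/16 -o wlan0 -j DROP
-A OUTPUT -d 127.0.0.0/8 -o wlan0 -j DROP
COMMIT
EOF
    echo "$f"
}
```

Run it against the real file with `check_rules /etc/iptables/rules.v4` after iptables-save; on the sample it reports the missing 172.16.0.0/12 drop and the unrestricted MASQUERADE.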