¿ä±¸Á¶°Ç
OS : Linux
Netfilter (ipt_iprange)
iptables
±¹Á¦Ç¥ÁØȱⱸ¿¡¼ Á¤ÇÑ ±¹°¡ÄÚµå¿Í MaxMind ¿¡¼ ¹èÆ÷ÇÏ´Â ±¹°¡¾ÆÀÌÇÇ µ¥ÀÌŸ¸¦ °¡Áö°í ½Ã½ºÅÛ¿¡¼ Â÷´Ü/Çã¿ë À¯¹«¸¦ Àû¿ëÇÏ´Â ½ºÅ©¸³Æ®ÀÔ´Ï´Ù.
MaxMind ¿¡¼ ¹èÆ÷ÇÏ´Â µ¥ÀÌŸ´Â »ó¿ë¹öÀü°ú Free ¹øÀ¸·Î ±¸ºÐµÇ¾îÁö¸ç Free ¹öÀüÀº 1´Þ¿¡ Çѹø(¸Å¿ùÃÊ) ¾ÆÀÌÇÇ µ¥ÀÌŸ°¡ ¾÷µ¥ÀÌÆ® µË´Ï´Ù.
Âü°í : http://www.maxmind.com/app/geolitecountry
¸Å¿ù µ¥ÀÌŸ¸¦ ¾÷µ¥ÀÌÆ®Çؼ »ç¿ëÇϽǰÍÀ» ±ÇÀåÇϸç Çش罺ũ¸³Æ®¸¦ º¯ÇüÇؼ CRON °ú ÇÔ²² ÀÌ¿ëÇÏ½Ã¸é ¸Å´Þ ¾÷µ¥ÀÌÆ®µÈ µ¥ÀÌŸ¸¦ »ç¿ëÇÒ¼ö ÀÖ½À´Ï´Ù.
Çö¹æȺ® Á¤Ã¥Àº ipt_backup Æú´õ¿¡ ½Ã°£º°·Î ÀúÀåµÇ¸ç ±âÁ¸·ê º¹±¸¹æ¹ýÀº º¹±¸½ÃÁ¡¿¡ ÆÄÀϸíÀ¸·Î ¾Æ·¡¿Í°°ÀÌ ÇØÁÖ½Ã¸é µË´Ï´Ù.
[root@mojily ipt_backup]# iptables-restore > IPTABLES.2010-0331-1754-29
ÇØ´ç ¹æȺ® Á¤Ã¥Àº ±¹°¡º°·Î üÀÎÀ» ³ª´²¼ ¾ÆÀÌÇÇ ´ë¿ªÀ» °ü¸®ÇÕ´Ï´Ù.
¼³Á¤ÇÑ ±¹°¡¿¡ ¼³Á¤ÀÌ ÇÊ¿äÇÏÁö ¾ÊÀ»°æ¿ì¿¡´Â ±âÁ¸½ÃÁ¡À¸·Î º¹±¸ÇϽôøÁö ¾Æ·¡ ¸í·É¾î¸¦ ÅëÇؼµµ °¡´ÉÇÕ´Ï´Ù.
EX) Áß±¹ ±¹°¡ÄÚµå : CN
[root@mojily ]# iptables -nL |more Çö ¹æȺ® Á¤Ã¥È®ÀÎ
[root@mojily ]# iptables -D INPUT -j CN_ZONE
[root@mojily ]# iptables -F CN_ZONE
[root@mojily ]# iptables -X CN_ZONE
¡Ø ±¹³»»ç¿ëÀÚ ÀÌ¿Ü¿¡ Â÷´ÜÀ» ÇÏ°í ½ÍÀ¸½Ã¸é ¾Æ·¡ºÎºÐ¿¡ DROP --> ACCEPT ·Î ¼öÁ¤ÇϽðí KR ·Î ±¹°¡Äڵ带 »ðÀÔÇÏ½Ã°í ±×¿Ü¿¡ ¸·´Â·êÀ» Ãß°¡ÇÏ½Ã¸é µË´Ï´Ù.
iptables -A KR_ZONE -j DROP
cat $CUR_DIR/iplist_range|while read ip ;do iptables -A "$COUNTRY"_ZONE -m iprange --src-range $ip -j DROP ;done
¡Ø ½ºÅ©¸³Æ®¸¦ »ç¿ëÇÔÀ¸·Î½á ¹ß»ýµÇ´Â ÇÇÇØ¿¡ ´ëÇؼ´Â Ã¥ÀÓÀ» ÁöÁö ¾Ê½À´Ï´Ù.
Àû¿ëÀü/ÈÄ ÇÊÈ÷ È®ÀÎÇغ¸½Ã±â ¹Ù¶ø´Ï´Ù.
#!/bin/bash
#
# Author : SMILESERV Security & Monitoring Team
# Mail :
securitymon@smileserv.com# Last modified : May 31, 2010
#
# Requirement
# £ª OS : Linux
# £ª Netfilter (ipt_iprange)
# £ª iptable
# directory ipt_backup : iptable backup data
#
DATE=`date +'%Y-%m%d-%H%M-%S'`
IPTABLES=`which iptables`
IPTABLES_SAVE=`which iptables-save`
CUR_DIR=`pwd`
### ÇöÀç ¼³Á¤ ¹é¾÷ ###
RULE_BACKUP=$CUR_DIR/ipt_backup
if [ ! -d $RULE_BACKUP ]
then
mkdir -p $RULE_BACKUP
fi
$IPTABLES_SAVE > $RULE_BACKUP/IPTABLES.$DATE
### ±¹°¡Äڵ尪 üũ
function code_check
{
echo -n "Insert CountryCode (ex : CN): "
read COUNTRY
change=`echo $COUNTRY |tr a-z A-Z`
check=`echo $change |grep [^A-Za-z]`
char_count=`expr length $change`
if [ $char_count -ne 2 ] ; then
echo "Error : Countrycode is made up 2 Alphabet character."
echo ""
code_check
fi
if [ "$check" ] ; then
echo "Error : Not Alphabet."
echo ""
code_check
fi
}
### ±¹°¡ÄÚµå Áߺ¹Á¡°Ë ¹× ÃʱâÈ ###
function iptable_check
{
CHECK=`$IPTABLES -nL |grep $COUNTRY |wc -l`
if [ "$CHECK" -ne "0" ] ; then
$IPTABLES -D INPUT -j $COUNTRY"_ZONE"
$IPTABLES -F $COUNTRY"_ZONE"
$IPTABLES -X $COUNTRY"_ZONE"
fi
}
### ÇØ´ç±¹°¡ÄÚµå Á¸ÀçÀ¯¹« È®ÀÎ
function code_match {
cat $CUR_DIR/GeoIPCountryWhois.csv | grep $COUNTRY > $CUR_DIR/iplist
if [ ! -s $CUR_DIR/iplist ] ; then
echo "Error : The Countrycode does not match."
exit
fi
}
code_check
wget -O $CUR_DIR/IP_DB.zip
http://www.maxmind.com/download/geoip/database/GeoIPCountryCSV.zipunzip $CUR_DIR/IP_DB.zip
code_match
### Àû¿ë ###
iptable_check
$IPTABLES -N $COUNTRY"_ZONE"
$IPTABLES -A INPUT -j $COUNTRY"_ZONE"
cat $COUR_DIR iplist | perl -pi -e 's/,/ /g' | perl -pi -e 's/"/ /g' | awk '{print $1"-" $2}' > iplist_range
cat $CUR_DIR/iplist_range |while read ip ;do iptables -A "$COUNTRY"_ZONE -m iprange --src-range $ip -j DROP ;done
### ·Î±×»èÁ¦ ###
rm -rf $CUR_DIR/iplist
rm -rf $CUR_DIR/iplist_range
