openssl-0.9.7.tar.gzからbuildする。OpenSSLのデフォルトインストール先は/usr/local/ssl/になる。
[yano@portage yano]$ tar zxvf openssl-0.9.7.tar.gz
[yano@portage yano]$ cd openssl-0.9.7
[yano@portage openssl-0.9.7]$ ./config
[yano@portage openssl-0.9.7]$ make
[yano@portage openssl-0.9.7]$ make test
[yano@portage openssl-0.9.7]$ sudo make install
不特定多数を対象とするような商用サイトならばVeriSignなどの一般的な認証局からサーバ証明書にお墨付き(署名)を貰っておいた方が良いのだが、信頼性が低いぶん志を高くもっていわゆるプライベートの認証局(Certification Authority:CA)を自前で開設する。
ちなみにデフォルトではCAの有効期限が365日になっているので、/usr/local/ssl/misc/CA.shのDAYS="-days 365"のとこを適当に変更すると良いが、今回は何となく400日とした。プライベート認証局の証明書は/usr/local/ssl/demoCA/cacert.pemに生成される。
[yano@portage openssl-0.9.7]# cd /usr/local/ssl
[root@portage ssl]# ./misc/CA.sh -newca
CA certificate filename (or enter to create)
[Enter]のみ
Making CA certificate ...
Using configuration from /usr/share/ssl/openssl.cnf
Generating a 1024 bit RSA private key
...++++++
....................++++++
writing new private key to './demoCA/private/./cakey.pem'
Enter PEM pass phrase:******* ←CAのパスフレーズ…ここでは任意
Verifying password - Enter PEM pass phrase:*******
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:JP
State or Province Name (full name) [Berkshire]:Fukuoka
Locality Name (eg, city) [Newbury]:Hakozaki
Organization Name (eg, company) [My Company Ltd]:bravotouring.com
Organizational Unit Name (eg, section) []:Certification Authority
Common Name (eg, your name or your server's hostname) []:bravotouring.com certification authority
Email Address []:webmaster@bravotouring.com
[root@portage ssl]#
/usr/share/ssl/openssl.cnfのnsCertTypeを"server"にしたserver.cnfと"client, email"にしたuser.cnfを作成する。
apacheと一緒にOpenSSLが初期導入済みの Fedora Core 2 はこちらで、CA抜きにサーバーの秘密鍵と証明書のみ作成。
[root@fedora yano]# cd /etc/httpd/conf/
[root@fedora conf]# make server.key
umask 77 ; \
/usr/bin/openssl genrsa -des3 1024 > server.key
Generating RSA private key, 1024 bit long modulus
...++++++
...........++++++
e is 65537 (0x10001)
Enter pass phrase:******* ←CAのパスフレーズ…ここでは任意
Verifying - Enter pass phrase:*******
[root@fedora conf]# openssl rsa -in server.key -out server.key
Enter pass phrase for server.key:*******
writing RSA key
[root@fedora conf]# make server.csr
umask 77 ; \
/usr/bin/openssl req -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:JP
State or Province Name (full name) [Berkshire]:Fukuoka
Locality Name (eg, city) [Newbury]:Fukuoka
Organization Name (eg, company) [My Company Ltd]:bravotouring.com
Organizational Unit Name (eg, section) []:[Enter]のみ
Common Name (eg, your name or your server's hostname) []:fedora
Email Address []:webmaster@bravotouring.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:[Enter]のみ
An optional company name []:[Enter]のみ
[root@fedora conf]# openssl x509 -in server.csr -out server.pem -req -signkey server.key -days 400
Signature ok
subject=/C=JP/ST=Fukuoka/L=Fukuoka/O=bravotouring.com/CN=bravotouring.com/emailAddress=webmaster@fedora
Getting Private key
[root@fedora conf]# chmod 400 /etc/httpd/conf/server.*
秘密鍵(privatekey.pem)を作る。-randは乱数タネとなるファイル指定なんで何でも良い。
[yano@portage yano]$ /usr/local/ssl/bin/openssl genrsa \
-rand /var/log/messages -des3 -out privatekey.pem 1024
0 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
.....................++++++
..++++++
e is 65537 (0x10001)
Enter PEM pass phrase:******* ←秘密鍵のパスフレーズ…ここでは任意
Verifying password - Enter PEM pass phrase:******* ←再入力
[yano@portage yano]$
個人証明申請書(yano.csr)を作成する。opensslに-newkeyを指定すれば同時に秘密鍵も作成できるらしい。
[yano@portage yano]$ /usr/local/ssl/bin/openssl req -new -config /usr/local/ssl/user.cnf \
-key privatekey.pem -out yano.csr
Using configuration from /usr/local/ssl/user.cnf
Enter PEM pass phrase:******* ←秘密鍵のパスフレーズ
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JP
State or Province Name (full name) [Some-State]:Fukuoka
Locality Name (eg, city) []:[Enter]のみ
Organization Name (eg, company) [Internet Widgits Pty Ltd]:bravotouring.com
Organizational Unit Name (eg, section) []:personal
Common Name (eg, YOUR name) []:Yoshihisa Yano
Email Address []:yano@bravotouring.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:[Enter]のみ
An optional company name []:[Enter]のみ
[yano@portage yano]$
個人証明申請書(yano.csr)から証明書(yano.crt)を作成する。
[yano@portage yano]$ sudo /usr/local/ssl/bin/openssl ca -config /usr/local/ssl/user.cnf \
-policy policy_anything -in yano.csr -out yano.crt
Using configuration from /usr/local/ssl/user.cnf
Enter PEM pass phrase:******* ←CAのパスフレーズ
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName :PRINTABLE:'JP'
stateOrProvinceName :PRINTABLE:'Fukuoka'
organizationName :PRINTABLE:'bravotouring.com'
commonName :PRINTABLE:'personal'
emailAddress :IA5STRING:'yano@bravotouring.com'
Certificate is to be certified until Feb 1 06:59:11 2004 GMT (400 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[yano@portage yano]$
証明書および個人鍵の配布ファイル(PKCS#12)の作成。Exportパスフレーズは自分のパソコンにインストールする時に必要となるが、他人に通知する必要は無いので秘密鍵のパスフレーズと同じでも良い。
[yano@portage yano]$ /usr/local/ssl/bin/openssl x509 -in yano.crt -out yano.crt.txt
[yano@portage yano]$ /usr/local/ssl/bin/openssl pkcs12 -export \
-inkey privatekey.pem -in yano.crt.txt -out yano.p12
Enter PEM pass phrase:******* ←秘密鍵のパスフレーズ
Enter Export Password:******* ←Exportパスフレーズ
Verifying password - Enter Export Password:******* ←再入力
[yano@portage yano]$
| 参照 | |
|---|---|
| OpenSSL | http://www.openssl.org/ |
| OpenSSL日本語サイト | http://www.infoscience.co.jp/technical/openssl/ |
| 電子認証局市民ネットワーク福岡 | http://www.cacanet.org/ |
| FreeCA | http://freeca.digion.com/ |
| 日本ベリサイン (商業認証局) | http://www.verisign.co.jp/ |
| Fedoraで自宅サーバー構築 | http://fedora.zive.net/ |
apache-1.3.33.tar.gz, mod_ssl-2.8.22-1.3.33.tar.gzをそれぞれtar -zxvfで展開してmod_ssl, apacheの順にbuildする。
※ OpenSSLは先にbuildしておく事 ※
[yano@portage software]$ cp -f apache_1.3.29/mod_gzip.c apache_1.3.33
[yano@portage software]$ cd mod_ssl-2.8.22-1.3.33
[yano@portage mod_ssl-2.8.22-1.3.33]$ ./configure --with-apache=../apache_1.3.33 \
--with-ssl=/usr/local/ssl --enable-rule=SHARED_CORE --with-layout=RedHat \
--enable-module=so --enable-module=status --enable-module=info \
--enable-module=rewrite --enable-module=usertrack --enable-module=log_referer \
--add-module=mod_gzip.c
[yano@portage mod_ssl-2.8.22-1.3.33]$ cd ../apache_1.3.33
[yano@portage apache_1.3.33]$ make
[yano@portage apache_1.3.33]$ sudo make install
| 参照 | |
|---|---|
| Apache | http://www.apache.org/ |
| Japanized Apache Server Project | http://www.apache.jp/ |
| The mod_ssl Project | http://www.modssl.org/ |
| 連載 ApacheによるWebサーバ構築 | http://www.atmarkit.co.jp/flinux/index/indexfiles/index-linux.html#apache13 |
| 安全な RedHat Apache サーバの構築方法 | http://www.linux.or.jp/JF/JFdocs/SSL-RedHat-HOWTO.html |
秘密鍵(serverkey_with_phrase.pem)を作る。-randは乱数タネとなるファイル指定なんで何でも良い。
[root@portage ssl]# cd /usr/local/ssl
[root@portage ssl]#
[root@portage ssl]# サーバ秘密鍵を生成
[root@portage ssl]#
[root@portage ssl]# ./bin/openssl genrsa -rand /var/log/messages \
-des3 -out private/serverkey_with_phrase.pem 1024
627536 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
......................++++++
...................++++++
e is 65537 (0x10001)
Enter PEM pass phrase:******* ←任意のパスフレーズ
Verifying password - Enter PEM pass phrase:******* ←パスフレーズ
[root@portage ssl]#
セキュリティ的には▲だが、apacheのboot時に入力待ちにならないようにパスフレーズを削除した秘密鍵serverkey.pemを作成する。
[root@portage ssl]# ./bin/openssl rsa -in private/serverkey_with_phrase.pem \
-out private/serverkey.pem
read RSA key
Enter PEM pass phrase:******* ←パスフレーズ
writing RSA key
[root@portage ssl]#
サーバ証明申請書(Certificate Signing Request:CSR)を作成する。ここでも証明書の有効期限を設定できるが、当然ながら認証局(Certification Authority:CA)の有効期限を越える事はできないのでここも400日。CAを設置しないお手軽モードの時は-x509パラメータを付ければ直接ルート証明書(CRT)が出力される。
SSL化するWebメールサービスはhttps://mail.bravotouring.com/というFQDNにするので「Common Name」に注目。なお、一つの秘密鍵に対してwww.bravotouring.com用とmail.bravotouring.com用の複数の証明書を作る事も可能。
[root@portage ssl]# ./bin/openssl req -new -config server.cnf \
-days 400 -key private/serverkey.pem -out ./mail.csr
Using configuration from server.cnf
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JP
State or Province Name (full name) [Some-State]:Fukuoka
Locality Name (eg, city) []:[Enter]のみ
Organization Name (eg, company) [Internet Widgits Pty Ltd]:bravotouring.com
Organizational Unit Name (eg, section) []:webmailer
Common Name (eg, YOUR name) []:mail.bravotouring.com ←FQDNに合わせておく事!!
Email Address []:webmaster@bravotouring.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:[Enter]のみ
An optional company name []:[Enter]のみ
[root@portage ssl]#
サーバ証明申請書(mail.csr)から証明書(mail.crt)を作成する。
[root@portage ssl]# ./bin/openssl ca -config server.cnf -policy policy_anything \
-days 400 -in ./mail.csr -out certs/mail.crt
Using configuration from server.cnf
Enter PEM pass phrase:******* ←CAのパスフレーズ
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName :PRINTABLE:'JP'
stateOrProvinceName :PRINTABLE:'Fukuoka'
organizationName :PRINTABLE:'bravotouring.com'
organizationalUnitName:PRINTABLE:'webmailer'
commonName :PRINTABLE:'mail.bravotouring.com'
emailAddress :IA5STRING:'webmaster@bravotouring.com'
Certificate is to be certified until Feb 1 07:03:49 2004 GMT (400 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@portage ssl]#
証明書と秘密鍵は/etc/httpd/conf/配下のssl.keyとssl.crtから/usr/local/ssl/にシンボリックリンクを張る。
[root@portage ssl]# ln -s /usr/local/ssl/certs/mail.crt /etc/httpd/conf/ssl.crt/mail.crt
[root@portage ssl]# ln -s /usr/local/ssl/private/serverkey.pem /etc/httpd/conf/ssl.key/bravotouring.key
/etc/httpd/conf/httpd.confにSSLの<IfDefine SSL>ディレクティブを追加し、portを80と844に修正し、SSLCertificateFile(サーバ証明書)とSSLCertificateKeyFile(サーバ秘密鍵)に上のシンボリックリンクを設定。
#
# Some MIME-types for downloading Certificates and CRLs
#
<IfDefine SSL>
AddType application/x-x509-ca-cert .cer
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
</IfDefine>
…中略…
# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. A test
# certificate can be generated with `make certificate' under
# built time. Keep in mind that if you've both a RSA and a DSA
# certificate you can configure both in parallel (to also allow
# the use of DSA ciphers, etc.)
SSLCertificateFile /etc/httpd/conf/ssl.crt/mail.crt
#SSLCertificateFile /etc/httpd/conf/ssl.crt/server-dsa.crt
# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/bravotouring.key
#SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server-dsa.key
/usr/sbin/apachectl startsslで起動確認。問題なければ毎回SSLモードで起動するよう/etc/rc.d/init.d/httpdにオプション-DSSLを追加して確認しておく。バーチャルホストmail.bravotouring.comの設定もSSLのディレクティブへ移動するが、SSLではNameベースのVirtualHostは意図通りに動作しないので、ポート443のバーチャルホストはmail.bravotouring.comだけにする事。
最後にプライベート認証局の証明書をDERエンコードしてDocumentRootに置く。で、ユーザーにはここから手作業でダウンロード&インストールしてもらう事になる。
[yano@portage yano]# cd /usr/local/ssl
[root@portage ssl]# ./bin/openssl x509 -inform PEM -outform DER \
-in demoCA/cacert.pem -out ~apache/html/bravotouring.cer
[root@portage ssl]# chown apache:apache ~apache/html/bravotouring.cer
| 参照 | |
|---|---|
| UNICO Homepage | http://www.unico-net.co.jp/ |
| セキュアウェブサーバー(HTTP over SSL on FreeBSD) の導入 | http://www.unico-net.co.jp/Apache_SSL/ |
SMTPやPOP3のセッションをSSLで暗号化する。
sslwrap.tar.gzをダウンロード。cd sslwrap206して安易にmakeすると"warning: extra tokens at end of #include directive"となってincludeがうまいこといかないので、Makefileを下のように修正。
SRC = s_server.c s_socket.c s_cb.c※ OpenSSLの 0.9.7 ではSSL_OP_NON_EXPORT_FIRST識別子が無くなったようでコンパイルエラーが発生するので、取り敢えずs_server.cの471行目を下のように修正する。
# For Solaris2.6
#EXTLIBS = -lxnet
# Debug/Optimizations
#OPT = -g
OPT = -O2
# Define
#OPENSSL="\"openssl/\""
OPENSSL=""
all :
gcc -o sslwrap ${SRC} ${OPT} -DFLAT_INC -DOPENSSL=${OPENSSL} \
-L/usr/local/ssl/lib -lssl -lcrypto \
-I/usr/local/ssl/include \
-I/usr/local/ssl/include/openssl \
${EXTLIBS}
clean:
rm -f sslwrap *.o *~
471 #ifdef SSL_OP_NON_EXPORT_FIRSTで、/usr/share/ssl/binにコピー。
472 if (hack) SSL_CTX_set_options(ctx,SSL_OP_NON_EXPORT_FIRST);
473 #endif /*SSL_OP_NON_EXPORT_FIRST cut for OpenSSL 0.9.7 */
cp sslwrap /usr/share/ssl/bin実行アカウントを作成。???は/etc/passwdを確認して、空いているuidを指定する。
/usr/sbin/useradd -d /usr/share/ssl/ -s /bin/false -g nofiles -u ??? sslwrap
まだ使わんけどftps-data,ftpsのポート定義を追加。pop3sとsmtpsは登録済みのはずなので、それだけで良かったら/etc/servicesの編集は不要。
ftps-data 989/tcp # ftp protocol, data, over TLS/SSL
ftps 990/tcp # ftp protocol, control, over TLS/SSL
eth0:465(smtps)/tcpで受けた暗号化データをSSLWrapで復号化してlocalhost:25(smtp)/tcpにバウンスする。
SSLPATH "/usr/share/ssl/"の追加
[yano@nx9030 yano]$ su
[root@nx9030 yano]# cd /etc/sslwrap-smtpd/
[root@nx9030 sslwrap-smtpd]# echo "0" > env/IP
[root@nx9030 sslwrap-smtpd]# echo "nx9030.bravotouring.com" > env/HOST
[root@nx9030 sslwrap-smtpd]# echo "/usr/share/ssl/" > env/SSLPATH
Apache/mod_sslで作ったサーバ証明書/usr/share/ssl/certs/mail.crtとサーバ秘密鍵/usr/share/ssl/private/serverkey.pemを使う。
#!/bin/sh
PATH=/usr/local/bin:/usr/bin:/bin:
exec envdir ./env sh -c '
exec softlimit -d6000000 \
tcpserver -g nofiles -u sslwrap \
-vhR -l"$HOST" -c40 -- "$IP" smtps \
"$SSLPATH"/bin/sslwrap -port 25 \
-key "$SSLPATH"/private/serverkey.pem \
-cert "$SSLPATH"/certs/mail.crt 2>&1
'
#!/bin/shログ用のディレクトリを作成
exec /usr/local/bin/setuidgid sslwrap /usr/local/bin/multilog t /var/log/sslwrap-smtpd
# mkdir /var/log/sslwrap-smtpd ; chown sslwrap:nofiles /var/log/sslwrap-smtpd
#!/bin/sh
# /service/smtpd/run SMTP-Auth 対応 powerd by qmail-vida
# -x /etc/tcpserver/smtp_auth.cdbでlocalhostをSMTP-Auth対象外とする
# Set environment variables IP and HOST.
# If it is virtual domain, set DOMAINOWNER.
# If it is necessary, set ALLOWPLAIN, FORCEAUTH and TEMPRELAYCLIENT, too.
# If it is not necessary, remove 'recordio' line.
# recordio fixcrio \
PATH=/var/qmail/bin:/usr/local/bin:/usr/bin:/bin:
exec envdir ./env sh -c '
exec softlimit -d6000000 \
relay-ctrl-chdir \
tcpserver -x /etc/tcpserver/smtp_auth.cdb \
-vhR -l"$HOST" -c40 -- "$IP" smtp \
rblsmtpd -r relays.ordb.org \
qmail-smtpup "$HOST" \
checkpassword \
relay-ctrl-check \
qmail-smtpd 2>&1
'
SSLWrapからの復号化パケットを平文認証させる為、localhost:smtpにはALLOWPLAINを設定。eth0:smtpは平文不許可でMD5認証。
[yano@nx9030 tcpserver]$ echo '127.0.0.1:allow,RELAYCLIENT="",ALLOWPLAIN=""' > smtp_auth.rules
[yano@nx9030 tcpserver]$ echo '192.168.:allow,RBLSMTPD="",MFCHECK=""' >> smtp_auth.rules
[yano@nx9030 tcpserver]$ /usr/local/bin/tcprules smtp_auth.cdb smtp_auth.tmp <smtp_auth.rules
[yano@nx9030 tcpserver]$ sudo cp smtp_auth.cdb /etc/tcpserver/
eth0:995(pop3s)/tcpで受けた暗号化データをSSLWrapで復号化してlocalhost:110(pop3)/tcpにバウンスする。
SSLPATH "/usr/share/ssl/"の追加
[yano@nx9030 yano]$ su
[root@nx9030 yano]# cd /etc/sslwrap-pop3d/
[root@nx9030 sslwrap-pop3d]# echo "0" > env/IP
[root@nx9030 sslwrap-pop3d]# echo "nx9030.bravotouring.com" > env/HOST
[root@nx9030 sslwrap-pop3d]# echo "/usr/share/ssl/" > env/SSLPATH
Apache/mod_sslで作ったサーバ証明書/usr/share/ssl/certs/mail.crtとサーバ秘密鍵/usr/share/ssl/private/serverkey.pemを使う。
#!/bin/sh
PATH=/usr/local/bin:/bin:/usr/bin
exec envdir ./env sh -c '
exec softlimit -d6000000 \
tcpserver -g nofiles -u sslwrap \
-vhR -l"$HOST" -c40 -- "$IP" pop3s \
"$SSLPATH"/bin/sslwrap -port 110 \
-key "$SSLPATH"/private/serverkey.pem \
-cert "$SSLPATH"/certs/mail.crt 2>&1
'
#!/bin/shログ用のディレクトリを作成
exec /usr/local/bin/setuidgid sslwrap /usr/local/bin/multilog t /var/log/sslwrap-pop3d
# mkdir /var/log/sslwrap-pop3d ; chown sslwrap:nofiles /var/log/sslwrap-pop3d
!/bin/sh
# /service/pop3d/run SMTP-Auth 対応 powerd by qmail-vida
# Set environment variables IP and HOST.
# If it is virtual domain, set DOMAINOWNER.
# If it is necessary, set ALLOWPLAIN, too.
# If it is not necessay, remove 'recordio' line.
PATH=/var/qmail/bin:/usr/local/bin:/bin:/usr/bin
exec envdir ./env sh -c '
exec softlimit -d6000000 \
relay-ctrl-chdir \
tcpserver -x /etc/tcpserver/pop3.cdb \
-vhR -l "$HOST" -c40 -- "$IP" pop3 \
qmail-popup "$HOST" \
checkpassword \
relay-ctrl-allow \
qmail-pop3d Maildir 2>&1
'
SSLWrapからの復号化パケットを平文認証させる為、localhost:pop3にはALLOWPLAINを設定。eth0:pop3は平文不許可でMD5認証。
[yano@nx9030 tcpserver]$ cat pop3.rules
127.:allow,ALLOWPLAIN=""
192.168.199.:allow
=.infoweb.ne.jp:allow # @nifty用
=.prin.ne.jp:allow # Air"H PHONE用
:deny
[yano@nx9030 tcpserver]$ /usr/local/bin/tcprules pop3.cdb pop3.tmp <pop3.rules
[yano@nx9030 tcpserver]$ sudo cp pop3.cdb /etc/tcpserver/
最後にファイヤーウォールのsmtps,pop3sのポートを開放する必要がある。RH7はipchains、Fedora Codeはiptablesだ。
:input ACCEPT変更したらreload。
:forward ACCEPT
:output ACCEPT
-A input -s 0/0 -d 0/0 -i lo -j ACCEPT
# http
-A input -s 0/0 -d 0/0 http -p tcp -j ACCEPT
-A input -s 0/0 -d 0/0 https -p tcp -j ACCEPT
# smtp - guard by tcpserver
-A input -s 0/0 -d 0/0 smtp -p tcp -j ACCEPT
-A input -s 0/0 -d 0/0 smtps -p tcp -j ACCEPT
# pop3 - guard by tcpserver
-A input -s 0/0 -d 0/0 pop3 -p tcp -j ACCEPT
-A input -s 0/0 -d 0/0 pop3s -p tcp -j ACCEPT
# DNS
-A input -s 0/0 -d 0/0 domain -p tcp -j ACCEPT
-A input -s 0/0 -d 0/0 domain -p udp -j ACCEPT
#-A output -s 192.168.199.0/24 -d 0/0 domain -p tcp -j ACCEPT
#-A output -s 192.168.199.0/24 -d 0/0 domain -p udp -j ACCEPT
# ftp - guard by tcpserver
-A input -s 0/0 -d 0/0 ftp -p tcp -j ACCEPT
-A input -s 0/0 -d 0/0 ftps -p tcp -j ACCEPT
-A input -s 0/0 -d 0/0 ftps-data -p tcp -j ACCEPT
# ssh - guard by tcpserver
-A input -s 0/0 -d 0/0 ssh -p tcp -j ACCEPT
# telnet
#-A input -s 192.168.199.0/255.255.255.0 -d 0/0 telnet -p tcp -j ACCEPT
#
# NFS # NFSを使う時はlocalアドレスを全ポート開ける
#
#-A input -s 192.168.199.0/255.255.255.0 -d 192.168.199.0/255.255.255.0 -j ACCEPT
# ntp
-A input -s 0/0 -d 0/0 ntp -p udp -j ACCEPT
# syslog
-A input -s 0/0 -d 0/0 syslog -p udp -j ACCEPT
#
-A input -s 0/0 -d 0/0 0:1023 -p tcp -j REJECT -y -l
-A input -s 0/0 -d 0/0 2049:2049 -p tcp -j REJECT -y
-A input -s 0/0 -d 0/0 0:1023 -p udp -j REJECT
-A input -s 0/0 -d 0/0 2049:2049 -p udp -j REJECT
-A input -s 0/0 -d 0/0 6000:6009 -p tcp -j REJECT -y
-A input -s 0/0 -d 0/0 7100:7100 -p tcp -j REJECT -y
# /sbin/service ipchains reload
[root@fedora sslwrap-smtpd]# /sbin/iptables --insert RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport smtps -j ACCEPT接続がうまくいったら/sbin/iptables-saveで書き出して編集すれば良い。行の位置に注意。
[root@fedora sslwrap-smtpd]# /sbin/iptables --insert RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport pop3s -j ACCEPT
[root@fedora sslwrap-smtpd]# /sbin/service iptables reload
[root@fedora sslwrap-smtpd]# /sbin/iptables-save > /etc/sysconfig/iptables
[root@fedora sslwrap-smtpd]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.2.9 on Fri Nov 19 16:48:52 2004
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [4948:2774976]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -s 192.168.199.254 -p udp -m udp --sport 123 --dport 123 -j ACCEPT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type 255 -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 465 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 995 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 110 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Fri Nov 19 16:48:52 2004
| 参照 | |
|---|---|
| SSLWrap | http://www.rickk.com/sslwrap/ |