Amazon Lightsail により数クリックでWordPressサーバを作成する + WordPressサーバ用のiptables設定(接続元IPアドレスによるhttp,https,sshの接続制限) ref: http://qiita.com/na0AaooQ/items/781b3823b79fd3b747a3
root@ip-172-26-XXX-XXX:~# uname -a
Linux ip-172-26-XXX-XXX 3.13.0-107-generic #154-Ubuntu SMP Tue Dec 20 09:57:27 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
bitnami@ip-172-26-XXX-XXX:~$ cat /home/bitnami/bitnami_application_password
初期パスワード
bitnami@ip-172-26-XXX-XXX:~$
PC001:~ user$ nc -z -v 54.173.XXX.XXX 22
found 0 associations
found 1 connections:
1: flags=82<CONNECTED,PREFERRED>
outif en0
src 198.51.100.21 port 52095
dst 54.173.XXX.XXX port 22
rank info not available
TCP aux info available
Connection to 54.173.XXX.XXX port 22 [tcp/ssh] succeeded!
PC001:~ user$
PC001:~ user$ ssh -i SSH鍵ファイル bitnami@54.173.XXX.XXX
ssh: connect to host 54.173.XXX.XXX port 22: Connection refused
PC001:~ user$
PC001:~ user$ nc -z -v 54.173.XXX.XXX 22
nc: connectx to 54.173.XXX.XXX port 22 (tcp) failed: Connection refused
PC001:~ user$
bitnami@ip-172-26-XXX-XXX:~$ sudo su -
root@ip-172-26-XXX-XXX:~# uname -a
Linux ip-172-26-XXX-XXX 3.13.0-107-generic #154-Ubuntu SMP Tue Dec 20 09:57:27 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
root@ip-172-26-XXX-XXX:~#
root@ip-172-26-12-149:~# apt-get install iptables-persistent
root@ip-172-26-XXX-XXX:~# ls -lrta /etc/iptables/
total 12
drwxr-xr-x 92 root root 4096 Feb 26 10:01 ..
-rw-r--r-- 1 root root 199 Feb 26 10:01 rules.v4
drwxr-xr-x 2 root root 4096 Feb 26 10:01 .
root@ip-172-26-XXX-XXX:~#
## (4) Amazon Lightsail仮想マシンでiptablesによるアクセス制限を有効化します。
以下のコマンドを実行します。
root@ip-172-26-XXX-XXX:~# /etc/init.d/iptables-persistent save
* Saving rules...
* IPv4...
* IPv6... [ OK ]
root@ip-172-26-XXX-XXX:~#
root@ip-172-26-XXX-XXX:~# /etc/init.d/iptables-persistent reload
* Loading iptables rules...
* IPv4...
* IPv6... [ OK ]
root@ip-172-26-XXX-XXX:~#
PC001:~ user$ ssh 54.173.XXX.XXX
The authenticity of host '54.173.XXX.XXX (54.173.XXX.XXX)' can't be established.
 (中略)
root@ip-172-26-XXX-XXX:~# iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
root@ip-172-26-XXX-XXX:~# iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
root@ip-172-26-XXX-XXX:~# iptables -A OUTPUT -p tcp --dport 123 -j ACCEPT
root@ip-172-26-XXX-XXX:~# iptables -A OUTPUT -p udp --dport 123 -j ACCEPT
root@ip-172-26-XXX-XXX:~# iptables -A INPUT -p tcp -s 192.0.2.0/24 --dport 22 -j ACCEPT
root@ip-172-26-XXX-XXX:~# iptables -A INPUT -p tcp -s 198.51.100.0/24 --dport 22 -j ACCEPT
root@ip-172-26-XXX-XXX:~# iptables -A INPUT -p tcp -s 203.0.113.11/32 --dport 22 -j ACCEPT
root@ip-172-26-XXX-XXX:~# iptables -A INPUT -p tcp -s 72.21.217.0/24 --dport 22 -j ACCEPT
root@ip-172-26-XXX-XXX:~# iptables -A INPUT -p tcp --dport 22 -j REJECT
root@ip-172-26-XXX-XXX:~# iptables -A INPUT -p tcp -s 192.0.2.0/24 --dport 80 -j ACCEPT
root@ip-172-26-XXX-XXX:~# iptables -A INPUT -p tcp -s 198.51.100.0/24 --dport 80 -j ACCEPT
root@ip-172-26-XXX-XXX:~# iptables -A INPUT -p tcp -s 203.0.113.11/32 --dport 80 -j ACCEPT
root@ip-172-26-XXX-XXX:~# iptables -A INPUT -p tcp --dport 80 -j REJECT
root@ip-172-26-XXX-XXX:~# iptables -A INPUT -p tcp -s 192.0.2.0/24 --dport 443 -j ACCEPT
root@ip-172-26-XXX-XXX:~# iptables -A INPUT -p tcp -s 198.51.100.0/24 --dport 443 -j ACCEPT
root@ip-172-26-XXX-XXX:~# iptables -A INPUT -p tcp -s 203.0.113.11/32 --dport 443 -j ACCEPT
root@ip-172-26-XXX-XXX:~# iptables -A INPUT -p tcp --dport 443 -j REJECT
root@ip-172-26-XXX-XXX:~# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
root@ip-172-26-XXX-XXX:~# iptables -A INPUT -i lo -j ACCEPT
root@ip-172-26-XXX-XXX:~# iptables -A INPUT -s 10.0.0.0/8 -j DROP
root@ip-172-26-XXX-XXX:~# iptables -A INPUT -s 172.16.0.0/12 -j DROP
root@ip-172-26-XXX-XXX:~# iptables -A INPUT -s 192.168.0.0/16 -j DROP
root@ip-172-26-XXX-XXX:~# iptables -A INPUT -s 127.0.0.0/8 -j DROP
root@ip-172-26-XXX-XXX:~# iptables -A INPUT -s 169.254.0.0/16 -j DROP
root@ip-172-26-XXX-XXX:~# iptables -A INPUT -s 192.0.2.0/24 -j DROP
root@ip-172-26-XXX-XXX:~# iptables -A INPUT -s 224.0.0.0/4 -j DROP
root@ip-172-26-XXX-XXX:~# iptables -A INPUT -s 240.0.0.0/5 -j DROP
root@ip-172-26-XXX-XXX:~# iptables -A INPUT -d 0.0.0.0/8 -j DROP
root@ip-172-26-XXX-XXX:~# iptables -A INPUT -d 255.255.255.255/32 -j DROP