Let's build and use a Bridge Firewall: a firewall that can be installed easily without changing the structure of the network.
I went through a great deal of trial and error while building my firewall and read many documents along the way. But network situations vary so much that things often did not work as the documents said, and the environments were frequently very different from mine.
I cannot promise that reading this document will give you a firewall that fits your network on the first try.
Still, I am writing it in the hope that it helps those doing this for the first time, even a little.
This document is written on the assumption that the network to be protected uses public IP addresses.
I have not used NAT myself, so a document about NAT will be prepared later.
Copyright (C) 2003 이재홍
This document is governed by the GNU Free Documentation License, version 1.1 or any later version published by the Free Software Foundation. Reproduction or excerpting of the text through any information medium is permitted free of charge as long as this copyright notice is retained.
The author accepts no responsibility for any consequences that the contents of this document may cause. Use the information and examples contained in this document at your own discretion. Although I have done my best, this document may contain mistakes or errors. If you find a mistake, please be sure to let me know.
I thank the many people who helped me write this document.
The articles in the Networking/Firewall directory of KLDP were a great help. My sincere thanks go to everyone who wrote and translated the articles there.
Constructive suggestions, corrections, and feedback about problems with this document are always welcome. Please send mail to <pyrasis (at) chol.com>.
We will apply the iptables and bridge patches to the Linux kernel and compile it. All of this work is done as root.
The kernel source is unpacked so that it is reachable as /usr/src/linux. Unpack the archive (the bunzip2 package is required) and create a symbolic link named linux that points at the unpacked directory:
# mv linux-2.4.19.tar.bz2 /usr/src
# cd /usr/src
/usr/src# tar vjxf linux-2.4.19.tar.bz2
/usr/src# ln -s linux-2.4.19 linux
Apply the bridge patch:
# mv bridge-nf-0.0.7-against-2.4.19.diff /usr/src
# cd /usr/src/linux
/usr/src/linux# patch -p1 < ../bridge-nf-0.0.7-against-2.4.19.diff
The iptables patches are applied to the kernel with a tool called patch-o-matic:
# tar vjxf patch-o-matic-20030107.tar.bz2
# cd patch-o-matic-20030107
# ./runme extra
Hey! KERNEL_DIR is not set.
Where is your kernel? [/usr/src/linux]
If you unpacked the kernel source under /usr/src and linked it as linux, just press Enter; otherwise type the path where the kernel source actually is.
The following will then appear:
Welcome to Rusty's Patch-o-matic!
Each patch is a new feature: many have minimal impact, some do not.
Almost every one has bugs, so I don't recommend applying them all!
-------------------------------------------------------
Already applied: submitted/01_2.4.19
Testing... 02_2.4.20.patch NOT APPLIED ( 17 missing files)
The submitted/02_2.4.20 patch:
Authors: Various (see below)
Status: Included in stock 2.4.20 kernel
This big patch contains all netfilter/iptables changes between stock kernel
versions 2.4.19 and 2.4.20.
submitted/DSCP.patch
+ New DSCP target to mangle table (Harald Welte + Matthew G. Marsh)
submitted/ECN.patch
+ New ECN target to mangle table (Harald Welte)
submitted/REJECT_mark.patch
+ Don't copy nfmark value of old packet (Henrik Nordstrom)
submitted/ahesp-static.patch
+ Fix static build of ahesp match (Paul P Komkoff Jr)
submitted/conntrack+nat-helper-unregister.patch
+ Fix helper unregister in case of clashing ports (Harald Welte)
submitted/conntrack.patch
+ Add new 'conntrack' match (Marc Boucher)
submitted/dscp.patch
+ New 'dscp' match (Harald Welte)
submitted/ecn.patch
+ New 'ecn' match (Harald Welte)
submitted/helper.patch
+ New 'helper' match (Martin Josefsson, Harald Welte)
submitted/ip6tables-exthdr-bug.patch.ipv6
+ Fix broken ipv6 extensionheader parser (Andras Kis-Szabo)
submitted/ipv6-agr.patch.ipv6
+ New ip6tables 'eui64' match (Andras Kis-Szabo)
submitted/length.patch.ipv6
+ New ip6tables 'length' match (Imran Patel, James Morris)
submitted/log-tunnel-fix.patch.ipv6
+ Fix ip6tables 'LOG' target MAC address in case of tunnels
(Peter Bieringer, Andras Kis-Szabo)
submitted/nat-memoryleak-fix.patch
+ Fix memoryleak at iptable_nat unload time (zhongyu)
submitted/ownercmd.patch
+ Extend 'owner' match to match cmdline (Marc Boucher)
submitted/pkttype.patch
+ New 'pkttype' match (Michal Ludvig)
submitted/ulog-nlgroup-shift-fix.patch
+ Fix error with shifting nlgroup in ULOG target (Harald Welte)
submitted/ulog-sparc-bitops-fix.patch
+ Include linux/bitops.h instead of asm/bitops.h
submitted/z-newnat16.patch
+ Redesign of conntrack and nat helper framework, for more info see http://cvs.netfilter.org/cgi-bin/cvsweb/netfilter/documentation/newnat-summary.txt
(Harald Welte, Jozsef Kadlecsik, and others)
submitted/z-newnat_assertfix.patch
+ Fix erroneously printed ASSERT messages when debugging of newnat
enabled (Martin Josefsson)
submitted/z-newnat_changeexpect-lockfix.patch
+ Fix locking bug in ip_conntrack_change_expect() (Martin Josefsson)
Further changes, not previuosly in patch-o-matic:
+ ip6tables usage counter fix (Harald Welte)
+ ip_queue cleanup (James Morris)
+ minor spelling fixes
+ __constant_htons() macro changes
+ ipt_unclean: srcport _can_ be zero
+ yet another ipchains GFP_ATOMIC fix
-----------------------------------------------------------------
Do you want to apply this patch [N/y/t/f/a/r/b/w/v/q/?]
Press Enter.
The iptables patch set contains many different patches. Pressing y applies the patch shown, but do not apply all of them: the kernel will then fail to compile later, so press y only for the patches you really need.
Pressing b goes back to the previous patch.
The one we want to apply now is String match support, which searches for a string inside a packet and drops or rejects the packet when it is found.
With it, packets from worms and viruses such as Nimda and CodeRed can be blocked.
Keep pressing Enter and the following screen will appear:
Welcome to Rusty's Patch-o-matic!
Each patch is a new feature: many have minimal impact, some do not.
Almost every one has bugs, so I don't recommend applying them all!
-------------------------------------------------------
Already applied: submitted/01_2.4.19
Testing... string.patch NOT APPLIED ( 2 missing files)
The extra/string patch:
Author: Emmanuel Roger <winfield@freegates.be>
Status: Working, not with kernel 2.4.9
This patch adds CONFIG_IP_NF_MATCH_STRING which allows you to
match a string in a whole packet.
THIS PATCH DOES NOT WORK WITH KERNEL 2.4.9 !!!
-----------------------------------------------------------------
Do you want to apply this patch [N/y/t/f/a/r/b/w/v/q/?]
Press y here and the String match patch is applied.
Keep pressing Enter and the other patches appear in turn. Apply any that you need.
Next, configure the kernel options so that iptables and bridging can be used. The two network cards that will be used are configured here as well.
The kernel options are set as follows. To use menuconfig on Debian, the libncurses5-dev package is required; on Debian, packages are installed with apt-get or dselect.
Other distributions are the same; on most of them it will already be installed by default.
# cd /usr/src/linux
/usr/src/linux# make menuconfig
Code maturity level options. This must be checked for all of the options below to appear.
Code maturity level options --->
[*] Prompt for development and/or incomplete code/drivers
Network card driver configuration. The cards I am using are a 3Com 590 and an Intel EtherExpress/100.
Select the cards you actually have.
Network device support --->
Ethernet (10 or 100Mbit) --->
[*] Ethernet (10 or 100Mbit)
< > Sun Happy Meal 10/100baseT support
< > Sun GEM support
[*] 3COM cards
< > 3c501 "EtherLink" support
< > 3c503 "EtherLink II" support
< > 3c505 "EtherLink Plus" support
< > 3c507 "EtherLink 16" support (EXPERIMENTAL)
< > 3c509/3c529 (MCA)/3c579 "EtherLink III" support
< > 3c515 ISA "Fast EtherLink"
<*> 3c590/3c900 series (592/595/597) "Vortex/Boomerang" support
< > AMD LANCE and PCnet (AT1500 and NE2100) support
[ ] Western Digital/SMC cards
[ ] Racal-Interlan (Micom) NI cards
< > AT1700/1720 support (EXPERIMENTAL)
< > DEPCA, DE10x, DE200, DE201, DE202, DE422 support
< > HP 10/100VG PCLAN (ISA, EISA, PCI) support
[ ] Other ISA cards
[*] EISA, VLB, PCI and on board controllers
< > AMD PCnet32 PCI support
< > Adaptec Starfire/DuraLAN support
< > Ansel Communications EISA 3200 support (EXPERIMENTAL)
< > Apricot Xen-II on board Ethernet
< > CS89x0 support
< > DECchip Tulip (dc21x4x) PCI support
< > TOSHIBA TC35815 Ethernet support
< > Generic DECchip & DIGITAL EtherWORKS PCI/EISA
< > Digi Intl. RightSwitch SE-X support
< > Davicom DM910x/DM980x support
<*> EtherExpressPro/100 support
< > Myson MTD-8xx PCI Ethernet support
< > National Semiconductor DP8381x series PCI Ethernet support
< > PCI NE2000 and clones support (see help)
< > RealTek RTL-8139 C+ PCI Fast Ethernet Adapter support (EXPERIMENTAL)
< > RealTek RTL-8139 PCI Fast Ethernet Adapter support
< > SiS 900/7016 PCI Fast Ethernet Adapter support
< > SMC EtherPower II
< > Sundance Alta support
< > TI ThunderLAN support
< > VIA Rhine support
< > Winbond W89c840 Ethernet support
[ ] Pocket and portable adapters
Settings needed to use the bridge function:
Networking options --->
<*> Packet socket
[ ] Packet socket: mmapped IO
< > Netlink device emulation
[*] Network packet filtering (replaces ipchains)
[ ] Network packet filtering debugging
[*] Socket Filtering
<*> Unix domain sockets
[*] TCP/IP networking
[*] IP: multicasting
[ ] IP: advanced router
[ ] IP: kernel level autoconfiguration
< > IP: tunneling
< > IP: GRE tunnels over IP
[ ] IP: multicast routing
[ ] IP: ARP daemon support (EXPERIMENTAL)
[ ] IP: TCP Explicit Congestion Notification support
[ ] IP: TCP syncookie support (disabled per default)
IP: Netfilter Configuration --->
< > The IPv6 protocol (EXPERIMENTAL)
< > Kernel httpd acceleration (EXPERIMENTAL)
[ ] Asynchronous Transfer Mode (ATM) (EXPERIMENTAL)
< > 802.1Q VLAN Support
---
< > The IPX protocol
< > Appletalk protocol support
Appletalk devices --->
< > DECnet Support
<*> 802.1d Ethernet Bridging
[*] netfilter (firewalling) support
< > CCITT X.25 Packet Layer (EXPERIMENTAL)
< > LAPB Data Link Driver (EXPERIMENTAL)
[ ] 802.2 LLC (EXPERIMENTAL)
[ ] Frame Diverter (EXPERIMENTAL)
< > Acorn Econet/AUN protocols (EXPERIMENTAL)
< > WAN router
[ ] Fast switching (read help!)
[ ] Forwarding between high speed interfaces
QoS and/or fair queueing --->
Network testing --->
Each of the features that iptables will use is built as a module. Pressing the space bar twice on an item marks it with M; that is the module setting. An item set to * is compiled completely into the kernel. Building them as modules lets you load only what you really need and avoids wasting memory.
Networking options --->
IP: Netfilter Configuration --->
<M> Connection tracking (required for masq/NAT)
<M> FTP protocol support
<M> IRC protocol support
<M> Userspace queueing via NETLINK (EXPERIMENTAL)
<*> IP tables support (required for filtering/masq/NAT)
<M> limit match support
<M> MAC address match support
<M> netfilter MARK match support
<M> Multiple port match support
<M> TOS match support
<M> AH/ESP match support
<M> LENGTH match support
<M> TTL match support
<M> tcpmss match support
<M> Connection state match support
<M> Unclean match support (EXPERIMENTAL)
<M> String match support (EXPERIMENTAL)
<M> Owner match support (EXPERIMENTAL)
<M> Packet filtering
<M> REJECT target support
<M> MIRROR target support (EXPERIMENTAL)
<M> Full NAT
<M> MASQUERADE target support
<M> REDIRECT target support
[*] NAT of local connections (READ HELP)
<M> Basic SNMP-ALG support (EXPERIMENTAL)
Now it is time to compile the patched kernel.
If your Linux distribution is Debian, it is most convenient to build a kernel package and install the kernel from it. The kernel-package package is required.
# cd /usr/src/linux
/usr/src/linux# make-kpkg --revision=1.0 binary-arch
This creates the kernel headers package and the kernel image package in /usr/src:
/usr/src/linux# cd ..
/usr/src# ls
-rw-r--r-- 1 root root 30158 Mar 27 20:39 bridge-nf-0.0.7-against-2.4.19.diff
-rw-r--r-- 1 root src 3961230 Apr 9 22:58 kernel-headers-2.4.19_1.0_i386.deb
-rw-r--r-- 1 root src 1274482 Apr 9 22:58 kernel-image-2.4.19_1.0_i386.deb
lrwxrwxrwx 1 root src 12 May 14 04:24 linux -> linux-2.4.19
drwxr-xr-x 15 573 573 888 Jun 29 06:38 linux-2.4.19
kernel-headers-2.4.19_1.0_i386.deb is the kernel headers package and kernel-image-2.4.19_1.0_i386.deb is the kernel image package. Install both:
/usr/src# dpkg -i kernel-headers-2.4.19_1.0_i386.deb
/usr/src# dpkg -i kernel-image-2.4.19_1.0_i386.deb
When installing the kernel image, answer N where it asks whether to create a boot disk, and answer Y where it asks whether to create the /vmlinuz link, so that the link is made.
If lilo is the boot loader:
# lilo
If Grub is used, edit /boot/grub/menu.lst so that the new kernel is booted.
For Linux distributions other than Debian:
# cd /usr/src/linux
/usr/src/linux# make dep && make bzImage && make modules && make modules_install
/usr/src/linux# cd arch/i386/boot/
/usr/src/linux/arch/i386/boot# cp bzImage /boot/vmlinuz-2.4.19
If lilo is the boot loader, change the /etc/lilo.conf configuration. There will be a section like this:
image=/boot/vmlinuz-2.4.19
label=Linux
Save it and run
# lilo
If Grub is used, /boot/grub/menu.lst has a section like the following; put in the path of the kernel image you compiled:
title Linux
root (hd0,1)
kernel /boot/vmlinuz-2.4.19 root=/dev/hda2
Installing the program needed to use the bridge function.
Compile and install the bridge-utils source:
# tar vxzf bridge-utils-0.9.6.tar.gz
# cd bridge-utils
~/bridge-utils# ./configure
~/bridge-utils# make
~/bridge-utils# make install
Installing iptables, the tool used to issue the packet control commands.
Compile and install the iptables source; KERNEL_DIR=/usr/src/linux must point at the path of the kernel source:
# tar vjxf iptables-1.2.8.tar.bz2
# cd iptables-1.2.8
~/iptables-1.2.8# make KERNEL_DIR=/usr/src/linux
~/iptables-1.2.8# make install KERNEL_DIR=/usr/src/linux
~/iptables-1.2.8# make install-devel
Translated into Korean, the word packet means a parcel or a bundle of letters. So what exactly is a packet?
Take telephone communication as an example. Today's analog telephone is circuit-based. When we place a call, the exchange connects us to the telephone in another house. Whether or not the call is answered, a connection is made first, which means the connected circuit is occupied. Even if nobody answers and no conversation takes place, the circuit is in use because the connection was made.
Applying this to the Internet would be enormously inefficient, so the Internet uses packets instead.
A packet is a small chunk of data. When we download a file over FTP, to our eyes the file arrives all at once. In reality the file is split into hundreds or thousands of packets that are transmitted to us, and the computer receives those packets and reassembles them into the file.
When we use the Internet, we browse the web with a web browser, download files with FTP, and exchange messages with an instant messenger. On the LAN cable attached to our computer, the packets of the HTML file requested by the browser, the packets of the file being transferred by FTP, and the packets of messenger messages all travel back and forth mixed together. Even though they are mixed, each packet carries its own information, which is why the packets do not get confused and several things can happen at once. With a telephone, the circuit is occupied entirely, so only one thing can be done at a time.
Now let's look at how a firewall works. A firewall classifies packets and decides whether to let each packet through, or to reject or drop it. Depending on how packets are controlled through iptables, connections can be blocked or opened, and worm packets can be blocked by string matching.
Rules given to iptables live only in memory, so the configuration disappears on reboot. A script that runs at boot time therefore has to be written.
There are many example iptables scripts on the Internet. At first I copied one and used it as it was, but because I used it without understanding its contents it did not work properly. The most important thing is to understand packets and to have basic knowledge of the protocols. The network where your firewall is installed will not be identical to the one I use, so you will have to rewrite the script to fit your own network.
Save the script below as /etc/init.d/bridgefirewall so that it runs at boot time.
Read the comments in the script and adjust it to your own network.
Set the network settings to match your own network. The network configuration used in the examples from here on is as follows. These IP addresses do not exist, of course. Both the firewall and the network protected behind it use public IP addresses.
Firewall's own IP : 234.234.200.10
Broadcast : 234.234.200.255
IPs in use : 234.234.200.0 ~ 234.234.200.255
#!/bin/sh
BR_IP="234.234.200.10"
# The firewall's own IP. A bridge firewall originally has no IP address, but
# without one it cannot be reached remotely and all work has to be done sitting
# in front of the firewall machine, which makes it inconvenient to manage. So
# an IP is assigned for management; it will be configured so that it can only
# be reached from the internal network. If this worries you security-wise, you
# may leave the IP unassigned; the firewall then cannot be reached remotely at all.
BR_IFACE="pyrasis-br" # name of the bridge; choose any name you like
LAN_BCAST_ADDRESS="234.234.200.255" # broadcast address
INTERNAL_ADDRESS_RANGE="234.234.200.0/24" # network range
INTERNAL_ADDRESS="255.255.255.0" # netmask
INET_IFACE="eth0" # network card connected to the line coming in from outside
LAN_IFACE="eth1" # network card connected to the line going to the internal network
LO_IFACE="lo"
LO_IP="127.0.0.1"
IPTABLES="/usr/local/sbin/iptables" # absolute path of iptables
#########
/sbin/depmod -a
# The following loads the modules that iptables will use.
# On Debian, if you select the modules to load in modconf, they need not be
# listed here at every boot.
# On other distributions the required modules must be loaded as below, or
# iptables will not recognise the corresponding commands.
/sbin/insmod /lib/modules/2.4.19/kernel/net/ipv4/netfilter/iptable_filter.o
/sbin/insmod /lib/modules/2.4.19/kernel/net/ipv4/netfilter/ip_conntrack.o
/sbin/insmod /lib/modules/2.4.19/kernel/net/ipv4/netfilter/iptable_nat.o
/sbin/insmod /lib/modules/2.4.19/kernel/net/ipv4/netfilter/ip_conntrack_ftp.o
/sbin/insmod /lib/modules/2.4.19/kernel/net/ipv4/netfilter/ip_conntrack_irc.o
/sbin/insmod /lib/modules/2.4.19/kernel/net/ipv4/netfilter/ipt_string.o
/sbin/insmod /lib/modules/2.4.19/kernel/net/ipv4/netfilter/ipt_state.o
/sbin/insmod /lib/modules/2.4.19/kernel/net/ipv4/netfilter/ipt_REJECT.o
/sbin/insmod /lib/modules/2.4.19/kernel/net/ipv4/netfilter/ipt_REDIRECT.o
/sbin/insmod /lib/modules/2.4.19/kernel/net/ipv4/netfilter/ipt_MASQUERADE.o
/sbin/insmod /lib/modules/2.4.19/kernel/net/ipv4/netfilter/ip_nat_snmp_basic.o
/sbin/insmod /lib/modules/2.4.19/kernel/net/ipv4/netfilter/ip_nat_ftp.o
/sbin/insmod /lib/modules/2.4.19/kernel/net/ipv4/netfilter/ip_nat_irc.o
ifconfig $INET_IFACE down # reset the settings of all network cards
ifconfig $LAN_IFACE down
ifconfig $BR_IFACE down 2>/dev/null # the bridge does not exist yet on the first run
ifconfig $INET_IFACE 0.0.0.0 # give the cards that will form the bridge the IP 0.0.0.0
ifconfig $LAN_IFACE 0.0.0.0
$IPTABLES -F # flush the rules of the chains
$IPTABLES -X # delete the chains; initialisation
# Default policies.
# INPUT (incoming) DROP
# OUTPUT (outgoing) ACCEPT; INPUT and OUTPUT refer to packets arriving at and leaving the firewall itself.
# FORWARD DROP : the most important part.
# Every packet that passes through the bridge firewall is controlled in FORWARD.
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD DROP
# Bridge setup
/usr/local/sbin/brctl addbr $BR_IFACE
/usr/local/sbin/brctl addif $BR_IFACE $INET_IFACE
/usr/local/sbin/brctl addif $BR_IFACE $LAN_IFACE
# Bridge IP setup
if [ "$BR_IP" != "" ] ; then
ifconfig $BR_IFACE $BR_IP broadcast $LAN_BCAST_ADDRESS netmask $INTERNAL_ADDRESS
else
ifconfig $BR_IFACE up
fi
# Firewall SSH
# Settings for the firewall machine itself.
# Allow connections to port 22 of the firewall from the IPs 234.234.200.0 through 255,
# so it can only be reached from inside the company and only over SSH.
# To allow only the administrator's specific IP, write e.g. 234.234.200.12
# instead of 234.234.200.0/24.
$IPTABLES -A INPUT -p tcp -s 234.234.200.0/24 --dport 22 -j ACCEPT
# Deny IP list
# These are examples; use them if you want to.
# The first drops icmp packets coming from 10.105.4.202; tcp or udp can be used instead.
# The second is a way of blocking a MAC address: packets from the MAC address below are blocked.
#$IPTABLES -A FORWARD -p icmp -s 10.105.4.202 -j DROP
#$IPTABLES -A FORWARD -m mac --mac-source 00:02:2A:C4:86:17 -j DROP
# Nimda, CodeRed
# Commands that block Nimda and CodeRed packets
$IPTABLES -A FORWARD -p tcp --tcp-flags ACK ACK --dport 80 -m string --string "/default.ida?" -j REJECT --reject-with tcp-reset
$IPTABLES -A FORWARD -p tcp --tcp-flags ACK ACK --dport 80 -m string --string "XXXXXXXX" -j REJECT --reject-with tcp-reset
$IPTABLES -A FORWARD -p tcp --tcp-flags ACK ACK --dport 80 -m string --string "cmd.exe" -j REJECT --reject-with tcp-reset
$IPTABLES -A FORWARD -p tcp --tcp-flags ACK ACK --dport 80 -m string --string "root.exe?" -j REJECT --reject-with tcp-reset
# SQL Slammer
# Command that blocks SQL Slammer worm packets
$IPTABLES -A FORWARD -p udp -m string --string "Qh.dllhel32hkern" -j REJECT
# For a web server that only uses port 80, open only port 80 and string-check the
# remaining packets going to and from port 80 to block Nimda and CodeRed packets.
$IPTABLES -A FORWARD -p tcp -d 234.234.200.5 --dport 80 -j ACCEPT
$IPTABLES -A FORWARD -p tcp -d 234.234.200.5 --tcp-flags ACK ACK --dport 80 -m string --string "/default.ida?" -j REJECT --reject-with tcp-reset
$IPTABLES -A FORWARD -p tcp -d 234.234.200.5 --tcp-flags ACK ACK --dport 80 -m string --string "XXXXXXXX" -j REJECT --reject-with tcp-reset
$IPTABLES -A FORWARD -p tcp -d 234.234.200.5 --tcp-flags ACK ACK --dport 80 -m string --string "cmd.exe" -j REJECT --reject-with tcp-reset
$IPTABLES -A FORWARD -p tcp -d 234.234.200.5 --tcp-flags ACK ACK --dport 80 -m string --string "root.exe?" -j REJECT --reject-with tcp-reset
# MSN
$IPTABLES -A FORWARD -p tcp -d 234.234.200.0/24 --dport 1863:1864 -j ACCEPT
$IPTABLES -A FORWARD -p tcp -d 234.234.200.0/24 --dport 6901 -j ACCEPT
$IPTABLES -A FORWARD -p tcp -d 234.234.200.0/24 --dport 7801:7825 -j ACCEPT
$IPTABLES -A FORWARD -p tcp -d 234.234.200.0/24 --dport 6891:6900 -j ACCEPT
# KTiman
$IPTABLES -A FORWARD -p tcp -d 234.234.200.0/24 --dport 10020 -j ACCEPT
$IPTABLES -A FORWARD -p tcp -d 234.234.200.0/24 --dport 10250 -j ACCEPT
# IRC
$IPTABLES -A FORWARD -p tcp --dport 6667 -j ACCEPT
$IPTABLES -A FORWARD -p tcp --sport 6667 -j ACCEPT
# Remote
$IPTABLES -A FORWARD -p tcp --sport 6009 -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 6009 -j ACCEPT
# FTP Client
$IPTABLES -A FORWARD -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 113 -j ACCEPT
$IPTABLES -A FORWARD -p tcp --sport 113 -j ACCEPT
# syn packet drop
$IPTABLES -A FORWARD -p tcp --syn -d 234.234.200.0/24 -j DROP
# net send drop
$IPTABLES -A FORWARD -p tcp --syn -d 234.234.200.0/24 --sport 139 -j DROP
$IPTABLES -A FORWARD -p tcp --syn -d 234.234.200.0/24 --sport 2603 -j DROP
$IPTABLES -A FORWARD -p udp -d 234.234.200.0/24 --dport 135 -j DROP
$IPTABLES -A FORWARD -p ALL -j ACCEPT
What the network range setting means
Earlier we set a network range: 234.234.200.0 through 255 was written as 234.234.200.0/24. Let's see why it is written this way.
Table 1. Representing an IP address range in bits
bit value :  1  1  1  1  1  1  1  1 .  1  1  1  1  1  1  1  1 .  1  1  1  1  1  1  1  1 .  1  1  1  1  1  1  1  1
bit number:  0  1  2  3  4  5  6  7 .  8  9 10 11 12 13 14 15 . 16 17 18 19 20 21 22 23 . 24 25 26 27 28 29 30 31
The table above shows 255.255.255.255 in binary; the second row is the position of each bit.
The reason 234.234.200.0/24 means 234.234.200.0 through 234.234.200.255 is that the 24 in 0/24 refers to the bits up to the 24th bit.
Table 2. 0/24
bit value : .  1  1  1  1  1  1  1  1
bit number: . 24 25 26 27 28 29 30 31
Up to the 24th bit, the remaining bits are 1 1 1 1 1 1 1 1, that is 255: the range is 0 through 255.
With 0/25 the bits are 0 1 1 1 1 1 1 1, which is 128; that gives 0 through 128.
With 0/26 the bits are 0 0 1 1 1 1 1 1, giving 0 through 64.
128/25 means that 128 through 255 are used.
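The bit arithmetic in Tables 1 and 2 can be carried out mechanically. The following is an added example of my own, not code from the original document: it builds the mask from the prefix length and derives the first and last address of any block, not just the /24, /25 and /26 cases above (a /25 leaves seven host bits, so it spans 128 addresses). The function names are this example's own.

```python
# Added example (not from the original document): derive the address block a
# prefix length covers, the same bit-by-bit way Tables 1 and 2 show it.
# Function names are this example's own.

def mask_bits(prefix_len):
    """Return the 32 mask bits as a dotted string, e.g. 24 -> '11111111.11111111.11111111.00000000'."""
    bits = "".join("1" if i < prefix_len else "0" for i in range(32))
    return ".".join(bits[i:i + 8] for i in range(0, 32, 8))

def _to_int(dotted):
    """Pack a dotted IPv4 address into a 32-bit integer, validating each octet."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("bad IPv4 address: %s" % dotted)
    value = 0
    for o in octets:
        value = (value << 8) | o
    return value

def _to_dotted(value):
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def address_block(cidr):
    """Return (first, last, count) for 'a.b.c.d/n'.

    The mask has the first n bits set (Table 1). The network address keeps only
    those bits of the given address, and the last address sets every host bit
    (the bits from position n onwards, Table 2) to 1.
    """
    addr, _, n = cidr.partition("/")
    prefix_len = int(n)
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    first = _to_int(addr) & mask
    last = first | (~mask & 0xFFFFFFFF)
    return _to_dotted(first), _to_dotted(last), last - first + 1

def last_octet_range(cidr):
    """The last-octet view the text uses, e.g. '234.234.200.0/24' -> (0, 255)."""
    first, last, _ = address_block(cidr)
    return int(first.rsplit(".", 1)[1]), int(last.rsplit(".", 1)[1])

if __name__ == "__main__":
    for cidr in ("234.234.200.0/24", "234.234.200.0/25",
                 "234.234.200.0/26", "234.234.200.128/25"):
        first, last, count = address_block(cidr)
        print("%-20s mask %s  %s - %s  (%d addresses)"
              % (cidr, mask_bits(int(cidr.split("/")[1])), first, last, count))
```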
¹æȺ®À» ºÎÆÃÀ» Çسõ°í Á¤Ã¥À» ¼öÁ¤ÇÒ ¼ö ÀÖ¾î¾ß ÇÑ´Ù. ±×·¯·Á¸é ½ºÅ©¸³Æ®¸¦ Çϳª ´õ ¸¸µé¾î Áà¾ß Çϴµ¥..
¸Å¿ì ½±°Ô ÇÒ ¼ö ÀÖ´Ù. À§ÀÇ ºÎÆà ½ºÅ©¸³Æ®¿¡¼ ºê¸®Áö ¼³Á¤ ºÎºÐ¸¸ »« iptables¸í·É ºÎºÐ¸¸ À߶ó¼
½ºÅ©¸³Æ®·Î ¸¸µé¸é ½ºÅ©¸³Æ® ½ÇÇุÀ¸·Î °£´ÜÇÑ Á¤Ã¥ º¯°æÀÌ °¡´ÉÇÏ°Ô µÈ´Ù.
´ÙÀ½Àº ¹æȺ®ÀÌ ºÎÆõǰí Á¤Ã¥À» º¯°æ ÇÒ ¼ö ÀÖ´Â ½ºÅ©¸³Æ®ÀÌ´Ù.
ipt-sh¶ó°í ÀúÀåÇÏ°í chmod 755 ipt-sh ÇÑµÚ ./ipt-sh ¶ó°í ½ÇÇàÇÏ¸é µÈ´Ù.
#!/bin/sh
IPTABLES="/usr/local/sbin/iptables"
$IPTABLES -F # flush the rules of the chains
$IPTABLES -X # delete the chains; initialisation
# Firewall SSH
$IPTABLES -A INPUT -p tcp -s 234.234.200.0/24 --dport 22 -j ACCEPT
#$IPTABLES -A FORWARD -p icmp -s 10.105.4.202 -j DROP
#$IPTABLES -A FORWARD -m mac --mac-source 00:02:2A:C4:86:17 -j DROP
# Nimda, CodeRed
$IPTABLES -A FORWARD -p tcp --tcp-flags ACK ACK --dport 80 -m string --string "/default.ida?" -j REJECT --reject-with tcp-reset
$IPTABLES -A FORWARD -p tcp --tcp-flags ACK ACK --dport 80 -m string --string "XXXXXXXX" -j REJECT --reject-with tcp-reset
$IPTABLES -A FORWARD -p tcp --tcp-flags ACK ACK --dport 80 -m string --string "cmd.exe" -j REJECT --reject-with tcp-reset
$IPTABLES -A FORWARD -p tcp --tcp-flags ACK ACK --dport 80 -m string --string "root.exe?" -j REJECT --reject-with tcp-reset
# SQL Slammer
$IPTABLES -A FORWARD -p udp -m string --string "Qh.dllhel32hkern" -j REJECT
# WebServer
$IPTABLES -A FORWARD -p tcp -d 234.234.200.5 --dport 80 -j ACCEPT
$IPTABLES -A FORWARD -p tcp -d 234.234.200.5 --tcp-flags ACK ACK --dport 80 -m string --string "/default.ida?" -j REJECT --reject-with tcp-reset
$IPTABLES -A FORWARD -p tcp -d 234.234.200.5 --tcp-flags ACK ACK --dport 80 -m string --string "XXXXXXXX" -j REJECT --reject-with tcp-reset
$IPTABLES -A FORWARD -p tcp -d 234.234.200.5 --tcp-flags ACK ACK --dport 80 -m string --string "cmd.exe" -j REJECT --reject-with tcp-reset
$IPTABLES -A FORWARD -p tcp -d 234.234.200.5 --tcp-flags ACK ACK --dport 80 -m string --string "root.exe?" -j REJECT --reject-with tcp-reset
# MSN
$IPTABLES -A FORWARD -p tcp -d 234.234.200.0/24 --dport 1863:1864 -j ACCEPT
$IPTABLES -A FORWARD -p tcp -d 234.234.200.0/24 --dport 6901 -j ACCEPT
$IPTABLES -A FORWARD -p tcp -d 234.234.200.0/24 --dport 7801:7825 -j ACCEPT
$IPTABLES -A FORWARD -p tcp -d 234.234.200.0/24 --dport 6891:6900 -j ACCEPT
# KTiman
$IPTABLES -A FORWARD -p tcp -d 234.234.200.0/24 --dport 10020 -j ACCEPT
$IPTABLES -A FORWARD -p tcp -d 234.234.200.0/24 --dport 10250 -j ACCEPT
# IRC
$IPTABLES -A FORWARD -p tcp --dport 6667 -j ACCEPT
$IPTABLES -A FORWARD -p tcp --sport 6667 -j ACCEPT
# Remote
$IPTABLES -A FORWARD -p tcp --sport 6009 -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 6009 -j ACCEPT
# FTP Client
$IPTABLES -A FORWARD -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 113 -j ACCEPT
$IPTABLES -A FORWARD -p tcp --sport 113 -j ACCEPT
# syn packet drop
$IPTABLES -A FORWARD -p tcp --syn -d 234.234.200.0/24 -j DROP
# net send drop
$IPTABLES -A FORWARD -p tcp --syn -d 234.234.200.0/24 --sport 139 -j DROP
$IPTABLES -A FORWARD -p tcp --syn -d 234.234.200.0/24 --sport 2603 -j DROP
$IPTABLES -A FORWARD -p udp -d 234.234.200.0/24 --dport 135 -j DROP
$IPTABLES -A FORWARD -p ALL -j ACCEPT
$IPTABLES -L # list the rules now in effect
Let's look at the basics of how packets are manipulated by the commands given to iptables.
-A FORWARD : append a rule to the FORWARD chain; used most often.
-A INPUT, -A OUTPUT : append a rule to the INPUT or OUTPUT chain; rules for packets arriving at and leaving the firewall itself. Rarely used.
-p tcp : TCP protocol (Web, FTP, Telnet, SSH, etc.)
-p udp : UDP protocol
-p icmp : ICMP protocol (PING)
-d : destination IP, e.g. -d 234.234.200.123
-s : source IP, e.g. -s 234.234.200.123
--dport : destination port, e.g. --dport 80, or --dport 80:90 for ports 80 through 90
--sport : source port, e.g. --sport 80, or --sport 80:90 for ports 80 through 90
Earlier we set INTERNAL_ADDRESS_RANGE="234.234.200.0/24", which denotes the internal network. The two commands below are identical; the first merely uses the INTERNAL_ADDRESS_RANGE variable with the IP substituted into it. To make things easier to follow I will write the IP directly from here on, because a script full of nothing but variables is hard for a first-time reader to understand. Start with the IP written out; if you prefer variables, using them is fine.
$IPTABLES -A FORWARD -p tcp -d $INTERNAL_ADDRESS_RANGE --dport 80 -j DROP
$IPTABLES -A FORWARD -p tcp -d 234.234.200.0/24 --dport 80 -j DROP
In iptables we set the default policy of the FORWARD chain to DROP, which blocks everything. When writing the policy, open the ports that are to be opened first, and then block everything. If you block everything first and open something afterwards, it will not be opened.
The boot script above drops syn packets. This reads: in the FORWARD chain (-A FORWARD), TCP protocol (-p tcp), syn packets (--syn), when the destination IP is 234.234.200.0/24 (-d 234.234.200.0/24), drop them (-j DROP).
# syn packet drop
$IPTABLES -A FORWARD -p tcp --syn -d 234.234.200.0/24 -j DROP
$IPTABLES -A FORWARD -p ALL -j ACCEPT
The reason for dropping syn packets is to block TCP connections to the internal network 234.234.200.0/24, that is, inbound connections over TCP services such as telnet, web and FTP. A syn packet is the initial connection request packet of the TCP protocol. Packets whose destination IP is the internal network are dropped; traffic going from the inside to the outside is not blocked.
Be careful: if instead of blocking syn packets you simply block all TCP whose destination is the internal network, nothing that uses TCP, including the web, will be able to communicate. Packets can go out, but the replies cannot come back in, so communication fails. The second line is the command that allows all protocols; without it there is no communication, because the default policy of FORWARD is DROP. It must be present.
Opening a specific port and blocking a specific port
# Block port 21: drop packets whose destination IP is internal and whose destination port is 21.
# The effect is that programs using TCP port 21 cannot communicate from the inside. Using
# -s 234.234.200.0/24 instead has the same effect: the source IP is internal and the
# destination is port 21 outside, so the result is the same.
$IPTABLES -A FORWARD -p tcp -d 234.234.200.0/24 --dport 21 -j DROP
# Open port 21: accept packets whose destination IP is internal and whose destination port is 21.
# The effect is that TCP connections from the outside to the inside become possible.
$IPTABLES -A FORWARD -p tcp -d 234.234.200.0/24 --dport 21 -j ACCEPT
# The last lines of the policy must always be the syn packet drop shown above. Otherwise,
# however much you open and close ports, there is no communication, because the FORWARD
# chain's default policy is DROP.
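The ordering rule above (open the port first, then the syn drop, then accept everything) can be checked with the following added example of my own, not code from the document: a toy first-match evaluator for the FORWARD chain loaded with the page's rules. The packet representation and the outside address 10.0.0.7 are constructed for the example.

```python
# Added example (not from the original document): a toy first-match evaluator
# for the FORWARD chain, to show why the order of the rules above matters.
# It models only the matches used on this page: -p, -s, -d, --sport, --dport,
# --syn and the chain's default policy. Names are this example's own.
import ipaddress

def rule(target, proto="all", src=None, dst=None, sport=None, dport=None, syn=False):
    """One rule. src/dst are CIDR strings; ports are an int or a (low, high) range like 80:90."""
    return {"target": target, "proto": proto, "src": src, "dst": dst,
            "sport": sport, "dport": dport, "syn": syn}

def _port_matches(spec, port):
    if spec is None:
        return True
    low, high = (spec, spec) if isinstance(spec, int) else spec
    return low <= port <= high

def _net_matches(spec, addr):
    return spec is None or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def matches(r, pkt):
    """True when every match in rule r applies to packet pkt (a dict)."""
    if r["proto"] != "all" and r["proto"] != pkt["proto"]:
        return False
    if not (_net_matches(r["src"], pkt["src"]) and _net_matches(r["dst"], pkt["dst"])):
        return False
    if not (_port_matches(r["sport"], pkt.get("sport", 0))
            and _port_matches(r["dport"], pkt.get("dport", 0))):
        return False
    # --syn: SYN set with ACK, RST and FIN clear, i.e. the first packet of a TCP connection
    if r["syn"] and not (pkt["proto"] == "tcp" and pkt.get("flags") == {"SYN"}):
        return False
    return True

def forward(chain, pkt, policy="DROP"):
    """Walk the chain top to bottom; the first matching rule decides, else the policy."""
    for r in chain:
        if matches(r, pkt):
            return r["target"]
    return policy

INTERNAL = "234.234.200.0/24"   # the page's example network

# The order the text prescribes: open the port, drop SYNs to the inside, accept the rest.
CORRECT_ORDER = [
    rule("ACCEPT", "tcp", dst=INTERNAL, dport=21),     # open port 21
    rule("DROP", "tcp", dst=INTERNAL, syn=True),       # syn packet drop
    rule("ACCEPT"),                                    # -p ALL -j ACCEPT
]
# The same three rules, with the open-port rule appended after the SYN drop.
WRONG_ORDER = [CORRECT_ORDER[1], CORRECT_ORDER[0], CORRECT_ORDER[2]]

# Constructed sample packets (10.0.0.7 stands in for an outside host).
FTP_SYN_IN = {"proto": "tcp", "src": "10.0.0.7", "dst": "234.234.200.5",
              "sport": 40000, "dport": 21, "flags": {"SYN"}}
WEB_SYN_IN = dict(FTP_SYN_IN, dport=80)
FTP_REPLY_OUT = {"proto": "tcp", "src": "234.234.200.5", "dst": "10.0.0.7",
                 "sport": 21, "dport": 40000, "flags": {"SYN", "ACK"}}

def demo():
    """Map each (chain, packet) case to the verdict the evaluator gives."""
    return {
        "ftp syn, correct order": forward(CORRECT_ORDER, FTP_SYN_IN),      # ACCEPT
        "ftp syn, wrong order": forward(WRONG_ORDER, FTP_SYN_IN),          # DROP: SYN drop fires first
        "web syn, correct order": forward(CORRECT_ORDER, WEB_SYN_IN),      # DROP: port 80 not opened
        "ftp reply, correct order": forward(CORRECT_ORDER, FTP_REPLY_OUT), # ACCEPT via -p ALL
        "web syn, empty chain": forward([], WEB_SYN_IN),                   # DROP: default policy
    }

if __name__ == "__main__":
    for name, verdict in demo().items():
        print("%-26s -> %s" % (name, verdict))
```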
Blocking a specific port is used in places such as companies to stop the use of programs (P2P and so on) that work over a specific port. Opening a specific port is used when there is a mail server, web server or similar behind the firewall and the ports those servers use must be opened.
Some things come up often when running a firewall. Let's look at the settings for instant messengers, FTP, and so on.
Instant messengers such as MSN. Each messenger's home page lists the ports it uses; look them up and adjust the rules accordingly. The messenger will still work even if its ports have not been opened, but things like file transfer may then fail.
# MSN
$IPTABLES -A FORWARD -p tcp -d 234.234.200.0/24 --dport 1863:1864 -j ACCEPT
$IPTABLES -A FORWARD -p tcp -d 234.234.200.0/24 --dport 6901 -j ACCEPT
$IPTABLES -A FORWARD -p tcp -d 234.234.200.0/24 --dport 7801:7825 -j ACCEPT
$IPTABLES -A FORWARD -p tcp -d 234.234.200.0/24 --dport 6891:6900 -j ACCEPT
# KTiman
$IPTABLES -A FORWARD -p tcp -d 234.234.200.0/24 --dport 10020 -j ACCEPT
$IPTABLES -A FORWARD -p tcp -d 234.234.200.0/24 --dport 10250 -j ACCEPT
Settings that let FTP clients be used:
# FTP Client
$IPTABLES -A FORWARD -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 113 -j ACCEPT
$IPTABLES -A FORWARD -p tcp --sport 113 -j ACCEPT
Packet string search: String match support, Nimda and CodeRed packets
#$IPTABLES -A FORWARD -p tcp -d 234.234.200.1 --tcp-flags ACK ACK --dport 80 -m string --string "/default.ida?" -j REJECT --reject-with tcp-reset
#$IPTABLES -A FORWARD -p tcp -d 234.234.200.1 --tcp-flags ACK ACK --dport 80 -m string --string "XXXXXXXX" -j REJECT --reject-with tcp-reset
#$IPTABLES -A FORWARD -p tcp -d 234.234.200.1 --tcp-flags ACK ACK --dport 80 -m string --string "cmd.exe" -j REJECT --reject-with tcp-reset
#$IPTABLES -A FORWARD -p tcp -d 234.234.200.1 --tcp-flags ACK ACK --dport 80 -m string --string "root.exe?" -j REJECT --reject-with tcp-reset
In the commands above, --string "cmd.exe" means that a packet containing the string cmd.exe is blocked or rejected.
--tcp-flags ACK ACK refers to the packets of the initial connection in the TCP protocol.
net send (pop-up spam): how to block the spam that makes message windows pop up on Windows 2000 and later operating systems.
# net send drop
$IPTABLES -A FORWARD -p tcp --syn -d 234.234.200.0/24 --sport 139 -j DROP
$IPTABLES -A FORWARD -p tcp --syn -d 234.234.200.0/24 --sport 2603 -j DROP
$IPTABLES -A FORWARD -p udp -d 234.234.200.0/24 --dport 135 -j DROP
¹æȺ®À» »ç¿ëÇÏ´Ù º¸¸é ȸ鿡 ¼ö¸¹Àº ¸Þ¼¼Áö°¡ Ãâ·Â µÉ°ÍÀÔ´Ï´Ù. À̰Ͷ§¹®¿¡ ¸í·ÉÀ» ÀÔ·ÂÇϱⰡ ºÒÆíÇÑ °æ¿ì Ä¿³Î ·Î±× µ¥¸óÀÇ ¼³Á¤À»
¹Ù²Ù¾î ÁÝ´Ï´Ù.
/sbin/klogd_start ÆÄÀÏÀ» ¸¸µé¾î ÁÝ´Ï´Ù. Ä¿³Î ·Î±× µ¥¸óÀÇ ·Î±ë ·¹º§À» ¼³Á¤ÇÕ´Ï´Ù.
·¹º§¿¡ µû¶ó ȸ鿡 Ãâ·ÂµÇ´Â ¸Þ¼¼Áö¸¦ Á¶ÀýÇÒ ¼ö ÀÖ½À´Ï´Ù.
#!/bin/sh
/sbin/klogd -c 1 |
/etc/init.d/klogd ÆÄÀÏÀÔ´Ï´Ù. ÀÌ ÆÄÀÏÀº ºÎÆÃÇÒ¶§ Ä¿³Î ·Î±× µ¥¸óÀ» ½ÇÇàÇÕ´Ï´Ù.
#! /bin/sh
# /etc/init.d/klogd: start the kernel log daemon.
PATH=/bin:/usr/bin:/sbin:/usr/sbin
pidfile=/var/run/klogd.pid
#binpath=/sbin/klogd
binpath=/sbin/klogd
binpath_start=/sbin/klogd_start # the script created above
test -f $binpath || exit 0
# Use KLOGD="-k /boot/System.map-$(uname -r)" to specify System.map
#
KLOGD=""
running()
{
# No pidfile, probably no daemon present
#
if [ ! -f $pidfile ]
then
return 1
fi
pid=`cat $pidfile`
# No pid, probably no daemon present
#
if [ -z "$pid" ]
then
return 1
fi
cmd=`cat /proc/$pid/cmdline | tr "\000" "\n"|head -1`
# No syslogd?
#
if [ "$cmd" != "$binpath" ]
then
return 1
fi
return 0
}
case "$1" in
start)
echo -n "Starting kernel log daemon: klogd"
start-stop-daemon --start --quiet --exec $binpath_start -- $KLOGD
# on start, run the script created above instead of klogd directly
echo "."
;;
stop)
echo -n "Stopping kernel log daemon: klogd"
start-stop-daemon --stop --quiet --exec $binpath --pidfile $pidfile
echo "."
;;
restart|force-reload)
echo -n "Stopping kernel log daemon: klogd"
start-stop-daemon --stop --quiet --exec $binpath --pidfile $pidfile
echo "."
sleep 1
echo -n "Starting kernel log daemon: klogd"
start-stop-daemon --start --quiet --exec $binpath_start -- $KLOGD # restart also goes through klogd_start so the console level stays set
echo "."
;;
reload-or-restart)
if running
then
start-stop-daemon --stop --quiet --signal 1 --exec $binpath --pidfile $pidfile
else
start-stop-daemon --start --quiet --exec $binpath -- $KLOGD
fi
;;
*)
echo "Usage: /etc/init.d/klogd {start|stop|restart|force-reload|reload-or-restart}"
exit 1
esac
exit 0
The start script above may differ from distribution to distribution, but all that matters is that it runs the klogd_start script.
I will finish here. For someone new to Linux, the kernel compilation and configuration parts will inevitably be difficult. This document is far from complete, but I hope it is of much help. If you find anything wrong in it, please send me mail right away.