Docbook Sgml/Bridge Firewall-HOWTO

Building a Bridge Firewall with Linux

이재홍 (Lee Jae-hong)

Let's build a Bridge Firewall with Linux.

Revision history

  • Revision 0.1, 2003-06-28, revised by pyrasis: initial version.

  • Revision 0.2, 2003-08-29, revised by pyrasis: added the part that was missing from the kernel options section (Code maturity level options).

  • Revision 0.3, 2003-09-16, revised by pyrasis: kernel log daemon configuration (controlling the messages printed to the screen).

1. Introduction

Let's build and use a Bridge Firewall: a firewall that can be installed easily without changing the structure of the network.

While building a firewall I went through a great deal of trial and error and read many documents. But because network situations vary so much, there were many cases where things did not work as the documents said, and many environments differed considerably. I cannot promise that reading this document will let you build a firewall that fits your needs in one go. I am writing it nevertheless in the hope that it will be of some help to people trying this for the first time.

This document is written on the assumption that the network to be protected uses public IP addresses. Since I have not used NAT myself, a document covering NAT will be prepared later.


1.1. Copyright information

Copyright (C) 2003 이재홍

This document is distributed under the terms of the GNU Free Documentation License, version 1.1 or any later version published by the Free Software Foundation. Reproduction or excerpting of the text in any information medium is permitted free of charge as long as this copyright notice is included.


1.2. Disclaimer

The author assumes no responsibility for any consequences that may arise from the contents of this document. Use the information and examples it contains at your own discretion. Although I have done my best, this document may still contain mistakes or errors. If you find one, please be sure to let me know.


1.3. Acknowledgements

I thank the many people who helped with the writing of this document.

I received a great deal of help from the articles in the Networking/Firewall directory of KLDP. My sincere thanks to everyone who wrote and translated the articles there.


1.4. Feedback

Feedback on this document, whether constructive suggestions, corrections, or problems, is always welcome. Please send mail to the author.


2. Preparing for installation

Things that must be prepared before the installation.


2.1. Network layout

Network layout without a firewall

       Router --------- Switching hub ----------- PC
                                     |
                                     ----------- Server

Network layout after the firewall is installed

      Router ------------- eth0-(Bridge Firewall)-eth1 --- Switching hub -------- PC
             (Cross Cable)                                              |
                                                                        -------- Server


2.2. What to prepare

The Linux distribution on which I installed the Bridge Firewall is Debian Linux 3.0 r1 (June 2003), with kernel version 2.4.19. It can be installed on other distributions without difficulty.

The hardware I tested on was a Celeron 1GHz with 256 MB of RAM, and at present about 50 computers use the Internet behind this firewall. The network cards in use are a 3Com 3c590 and an Intel EtherExpress/100.

Required items

  • Linux kernel 2.4.19

  • Two network cards

  • A crossover cable and a straight-through cable

  • The bridge kernel patch

  • bridge utils

  • The iptables kernel patch

  • The iptables source


2.3. Obtaining the files

bridge kernel patch and bridge utils

Linux ethernet bridging http://bridge.sourceforge.net

bridge-nf-0.0.7-against-2.4.19.diff

bridge-utils-0.9.6.tar.gz

iptables kernel patch and iptables

netfilter/iptables http://www.netfilter.org

patch-o-matic-20030107.tar.bz2

iptables-1.2.8.tar.bz2

Linux kernel source

The Linux Kernel Archives http://www.kernel.org

linux-2.4.19.tar.bz2

Download the files above into /root.


3. Installation

We will apply the iptables and bridge patches to the Linux kernel and compile it. All of the work is done as root.


3.1. Patching the Linux kernel

Extract the kernel source into /usr/src/linux.

# mv linux-2.4.19.tar.bz2 /usr/src
# cd /usr/src
/usr/src# tar vjxf linux-2.4.19.tar.bz2            Extract the archive; the bunzip2 package is required.
/usr/src# ln -s linux-2.4.19 linux                 Create a symbolic link named linux to the extracted directory.

Apply the bridge patch.

# mv bridge-nf-0.0.7-against-2.4.19.diff /usr/src
# cd /usr/src/linux
/usr/src/linux# patch -p1 < ../bridge-nf-0.0.7-against-2.4.19.diff

The iptables kernel patches are applied with a tool called patch-o-matic.

# tar vjxf patch-o-matic-20030107.tar.bz2
# cd patch-o-matic-20030107
# ./runme extra
Hey! KERNEL_DIR is not set.
Where is your kernel? [/usr/src/linux]              If you extracted the kernel source into /usr/src and linked it as linux, press Enter;
                                                    otherwise enter the actual path to the kernel source.
The following will then appear.
Welcome to Rusty's Patch-o-matic!

Each patch is a new feature: many have minimal impact, some do not.
Almost every one has bugs, so I don't recommend applying them all!
-------------------------------------------------------
Already applied: submitted/01_2.4.19

Testing... 02_2.4.20.patch NOT APPLIED ( 17 missing files)
The submitted/02_2.4.20 patch:
   Authors: Various (see below)
   Status: Included in stock 2.4.20 kernel
   
   This big patch contains all netfilter/iptables changes between stock kernel
   versions 2.4.19 and 2.4.20.
   
   submitted/DSCP.patch
   + New DSCP target to mangle table (Harald Welte + Matthew G. Marsh)
   submitted/ECN.patch
   + New ECN target to mangle table (Harald Welte)
   submitted/REJECT_mark.patch
   + Don't copy nfmark value of old packet (Henrik Nordstrom)
   submitted/ahesp-static.patch
   + Fix static build of ahesp match (Paul P Komkoff Jr)
   submitted/conntrack+nat-helper-unregister.patch
   + Fix helper unregister in case of clashing ports (Harald Welte)
   submitted/conntrack.patch
   + Add new 'conntrack' match (Marc Boucher)
   submitted/dscp.patch
   + New 'dscp' match (Harald Welte)
   submitted/ecn.patch
   + New 'ecn' match (Harald Welte)
   submitted/helper.patch
   + New 'helper' match (Martin Josefsson, Harald Welte)
   submitted/ip6tables-exthdr-bug.patch.ipv6
   + Fix broken ipv6 extensionheader parser (Andras Kis-Szabo)
   submitted/ipv6-agr.patch.ipv6
   + New ip6tables 'eui64' match (Andras Kis-Szabo)
   submitted/length.patch.ipv6
   + New ip6tables 'length' match (Imran Patel, James Morris)
   submitted/log-tunnel-fix.patch.ipv6
   + Fix ip6tables 'LOG' target MAC address in case of tunnels
   (Peter Bieringer, Andras Kis-Szabo)
   submitted/nat-memoryleak-fix.patch
   + Fix memoryleak at iptable_nat unload time (zhongyu)
   submitted/ownercmd.patch
   + Extend 'owner' match to match cmdline (Marc Boucher)
   submitted/pkttype.patch
   + New 'pkttype' match (Michal Ludvig)
   submitted/ulog-nlgroup-shift-fix.patch
   + Fix error with shifting nlgroup in ULOG target (Harald Welte)
   submitted/ulog-sparc-bitops-fix.patch
   + Include linux/bitops.h instead of asm/bitops.h
   submitted/z-newnat16.patch
   + Redesign of conntrack and nat helper framework, for more info see http://cvs.netfilter.org/cgi-bin/cvsweb/netfilter/documentation/newnat-summary.txt
   (Harald Welte, Jozsef Kadlecsik, and others)
   submitted/z-newnat_assertfix.patch
   + Fix erroneously printed ASSERT messages when debugging of newnat
   enabled (Martin Josefsson)
   submitted/z-newnat_changeexpect-lockfix.patch
   + Fix locking bug in ip_conntrack_change_expect() (Martin Josefsson)
   Further changes, not previuosly in patch-o-matic:
   + ip6tables usage counter fix (Harald Welte)
   + ip_queue cleanup (James Morris)
   + minor spelling fixes
   + __constant_htons() macro changes
   + ipt_unclean: srcport _can_ be zero
   + yet another ipchains GFP_ATOMIC fix
-----------------------------------------------------------------
Do you want to apply this patch [N/y/t/f/a/r/b/w/v/q/?]
Press Enter.

The iptables patch set contains many individual patches. Pressing y applies the one shown. Do not apply all of them, however: the kernel will then fail to compile later, so press y only for the ones you really need. Pressing b goes back one step.

The patch we want now is String match support, which searches for a string inside a packet and drops or rejects the packet. With it you can block the packets of worms and viruses such as Nimda and CodeRed.

Keep pressing Enter and the following screen will appear.

Welcome to Rusty's Patch-o-matic!

Each patch is a new feature: many have minimal impact, some do not.
Almost every one has bugs, so I don't recommend applying them all!
-------------------------------------------------------
Already applied: submitted/01_2.4.19

Testing... string.patch NOT APPLIED ( 2 missing files)
The extra/string patch:
   Author: Emmanuel Roger <winfield@freegates.be>
   Status: Working, not with kernel 2.4.9
   
   This patch adds CONFIG_IP_NF_MATCH_STRING which allows you to
   match a string in a whole packet.
   
   THIS PATCH DOES NOT WORK WITH KERNEL 2.4.9 !!!
   
-----------------------------------------------------------------
Do you want to apply this patch [N/y/t/f/a/r/b/w/v/q/?] 

Press y here and the String match patch is applied.

Pressing Enter further shows the remaining patches. Apply any that you need.


3.2. Configuring the kernel options

Configure the kernel options so that iptables and bridging can be used. The two network cards will be configured as well.

Set the kernel options as follows. To use menuconfig on Debian, the libncurses5-dev package is required; on Debian, packages are installed with apt-get or dselect. The same applies to other distributions, where it will most likely be installed by default.

# cd /usr/src/linux
/usr/src/linux# make menuconfig

Code maturity level options. This must be checked, or the options below will not all be shown.

Code maturity level options  --->
  [*] Prompt for development and/or incomplete code/drivers

Network card driver configuration. The cards I use are a 3Com 590 and an Intel EtherExpress/100. Configure whatever cards you have.

Network device support  --->
  Ethernet (10 or 100Mbit)  --->
    [*] Ethernet (10 or 100Mbit)                                                                    
    < >   Sun Happy Meal 10/100baseT support                                                            
    < >   Sun GEM support                                                                               
    [*]   3COM cards                                                                                
    < >     3c501 "EtherLink" support                                                                   
    < >     3c503 "EtherLink II" support                                                                
    < >     3c505 "EtherLink Plus" support                                                              
    < >     3c507 "EtherLink 16" support (EXPERIMENTAL)                                                 
    < >     3c509/3c529 (MCA)/3c579 "EtherLink III" support                                             
    < >     3c515 ISA "Fast EtherLink"                                                                  
    <*>     3c590/3c900 series (592/595/597) "Vortex/Boomerang" support                                 
    < >   AMD LANCE and PCnet (AT1500 and NE2100) support                                               
    [ ]   Western Digital/SMC cards                                                                 
    [ ]   Racal-Interlan (Micom) NI cards                                                           
    < >   AT1700/1720 support (EXPERIMENTAL)                                                            
    < >   DEPCA, DE10x, DE200, DE201, DE202, DE422 support                                              
    < >   HP 10/100VG PCLAN (ISA, EISA, PCI) support                                                    
    [ ]   Other ISA cards                                                                           
    [*]   EISA, VLB, PCI and on board controllers                                                   
    < >     AMD PCnet32 PCI support                                                                     
    < >     Adaptec Starfire/DuraLAN support                                                            
    < >     Ansel Communications EISA 3200 support (EXPERIMENTAL)                                       
    < >     Apricot Xen-II on board Ethernet                                                            
    < >     CS89x0 support                                                                              
    < >     DECchip Tulip (dc21x4x) PCI support                                                         
    < >     TOSHIBA TC35815 Ethernet support                                                            
    < >     Generic DECchip & DIGITAL EtherWORKS PCI/EISA                                               
    < >     Digi Intl. RightSwitch SE-X support                                                         
    < >     Davicom DM910x/DM980x support                                                               
    <*>     EtherExpressPro/100 support                                                                 
    < >     Myson MTD-8xx PCI Ethernet support                                                          
    < >     National Semiconductor DP8381x series PCI Ethernet support                                  
    < >     PCI NE2000 and clones support (see help)                                                    
    < >     RealTek RTL-8139 C+ PCI Fast Ethernet Adapter support (EXPERIMENTAL)                        
    < >     RealTek RTL-8139 PCI Fast Ethernet Adapter support                                          
    < >     SiS 900/7016 PCI Fast Ethernet Adapter support                                              
    < >     SMC EtherPower II                                                                           
    < >     Sundance Alta support                                                                       
    < >     TI ThunderLAN support                                                                       
    < >     VIA Rhine support                                                                           
    < >     Winbond W89c840 Ethernet support                                                            
    [ ]   Pocket and portable adapters

Settings required for bridging

Networking options  --->
  <*> Packet socket                                                                        
    [ ]   Packet socket: mmapped IO                                                          
    < > Netlink device emulation                                                             
    [*] Network packet filtering (replaces ipchains)                                         
    [ ]   Network packet filtering debugging                                                   
    [*] Socket Filtering                                                                     
    <*> Unix domain sockets                                                                  
    [*] TCP/IP networking                                                                    
    [*]   IP: multicasting                                                                   
    [ ]   IP: advanced router                                                                
    [ ]   IP: kernel level autoconfiguration                                                 
    < >   IP: tunneling                                                                        
    < >   IP: GRE tunnels over IP                                                            
    [ ]   IP: multicast routing                                                              
    [ ]   IP: ARP daemon support (EXPERIMENTAL)                                              
    [ ]   IP: TCP Explicit Congestion Notification support                                     
    [ ]   IP: TCP syncookie support (disabled per default)                                     
      IP: Netfilter Configuration  --->                                                        
    < >   The IPv6 protocol (EXPERIMENTAL)                                                     
    < >   Kernel httpd acceleration (EXPERIMENTAL)                                             
    [ ] Asynchronous Transfer Mode (ATM) (EXPERIMENTAL)                                        
    < > 802.1Q VLAN Support                                                                    
    ---                                                                                        
    < > The IPX protocol                                                                       
    < > Appletalk protocol support                                                           
    Appletalk devices  --->
    < > DECnet Support                                                                         
    <*> 802.1d Ethernet Bridging                                                             
    [*]   netfilter (firewalling) support                                                    
    < > CCITT X.25 Packet Layer (EXPERIMENTAL)                                               
    < > LAPB Data Link Driver (EXPERIMENTAL)                                                 
    [ ] 802.2 LLC (EXPERIMENTAL)                                                             
    [ ] Frame Diverter (EXPERIMENTAL)                                                        
    < > Acorn Econet/AUN protocols (EXPERIMENTAL)                                            
    < > WAN router                                                                           
    [ ] Fast switching (read help!)                                                          
    [ ] Forwarding between high speed interfaces                                             
    QoS and/or fair queueing  --->                                                           
    Network testing  --->

Configure each of the iptables features as a module. Pressing the space bar twice on an item marks it with M, which means it is built as a module. Marking it with * builds it permanently into the kernel. Building features as modules lets you load only what you actually need and so avoids wasting memory.

Networking options  --->
  IP: Netfilter Configuration  --->
    <M> Connection tracking (required for masq/NAT)                                             
    <M>   FTP protocol support                                                                  
    <M>   IRC protocol support                                                                  
    <M> Userspace queueing via NETLINK (EXPERIMENTAL)                                           
    <*> IP tables support (required for filtering/masq/NAT)                                     
    <M>   limit match support                                                                   
    <M>   MAC address match support                                                             
    <M>   netfilter MARK match support                                                          
    <M>   Multiple port match support                                                           
    <M>   TOS match support                                                                     
    <M>   AH/ESP match support                                                                  
    <M>   LENGTH match support                                                                  
    <M>   TTL match support                                                                     
    <M>   tcpmss match support                                                                  
    <M>   Connection state match support                                                        
    <M>   Unclean match support (EXPERIMENTAL)                                                  
    <M>   String match support (EXPERIMENTAL)                                                   
    <M>   Owner match support (EXPERIMENTAL)                                                    
    <M>   Packet filtering                                                                      
    <M>     REJECT target support                                                               
    <M>     MIRROR target support (EXPERIMENTAL)                                                
    <M>   Full NAT                                                                              
    <M>     MASQUERADE target support                                                           
    <M>     REDIRECT target support                                                             
    [*]     NAT of local connections (READ HELP)                                            
    <M>     Basic SNMP-ALG support (EXPERIMENTAL)


3.3. Compiling the kernel

Now it is time to compile the patched kernel.

If your distribution is Debian, it is most convenient to build a kernel package and install that. The kernel-package package is required.

# cd /usr/src/linux
/usr/src/linux# make-kpkg --revision=1.0 binary-arch              This creates the kernel header and kernel image packages in /usr/src.
/usr/src/linux# cd ..
/usr/src# ls
-rw-r--r--    1 root     root        30158 Mar 27 20:39 bridge-nf-0.0.7-against-2.4.19.diff
-rw-r--r--    1 root     src       3961230 Apr  9 22:58 kernel-headers-2.4.19_1.0_i386.deb            Kernel headers
-rw-r--r--    1 root     src       1274482 Apr  9 22:58 kernel-image-2.4.19_1.0_i386.deb              Kernel image
lrwxrwxrwx    1 root     src            12 May 14 04:24 linux -> linux-2.4.19
drwxr-xr-x   15 573      573           888 Jun 29 06:38 linux-2.4.19
/usr/src# dpkg -i kernel-headers-2.4.19_1.0_i386.deb
/usr/src# dpkg -i kernel-image-2.4.19_1.0_i386.deb

When installing the kernel image, answer N where it asks whether to create a boot disk, and Y where it asks whether to create the /vmlinuz link.

If lilo is the boot loader:
# lilo
If Grub is used, edit /boot/grub/menu.lst so that the new kernel is booted.

For distributions other than Debian:

# cd /usr/src/linux
/usr/src/linux# make dep && make bzImage && make modules && make modules_install
/usr/src/linux# cd arch/i386/boot/
/usr/src/linux/arch/i386/boot# cp bzImage /boot/vmlinuz-2.4.19

If lilo is the boot loader
Change the /etc/lilo.conf configuration. There will be a section like the following.
image=/boot/vmlinuz-2.4.19
        label=Linux
Save the file and run
# lilo

If Grub is used
/boot/grub/menu.lst has a section like the following; enter the path of the kernel image you compiled.
title Linux
root (hd0,1)
kernel /boot/vmlinuz-2.4.19 root=/dev/hda2


3.4. Installing bridge utils

Installing the program that manages the bridge.

Compile and install bridge utils from source:

# tar vxzf bridge-utils-0.9.6.tar.gz
# cd bridge-utils
~/bridge-utils# ./configure
~/bridge-utils# make
~/bridge-utils# make install


3.5. Installing iptables

Installing iptables, the program that issues the packet control commands.

Compile and install iptables from source. In KERNEL_DIR=/usr/src/linux, give the path where the kernel source is located.

# tar vjxf iptables-1.2.8.tar.bz2
# cd iptables-1.2.8
~/iptables-1.2.8# make KERNEL_DIR=/usr/src/linux
~/iptables-1.2.8# make install KERNEL_DIR=/usr/src/linux
~/iptables-1.2.8# make install-devel


4. Startup script and detailed configuration

4.1. Basic understanding of packets

Translated into Korean, "packet" means a parcel or a bundle of letters. So what exactly is a packet?

Take telephone communication as an example. Today's analog telephone is circuit-switched. When we place a call, it is connected through an exchange to the telephone in another house. Whether or not the call is answered, a connection is made first. That means the connected circuit is occupied: even if nobody picks up and no conversation takes place, the circuit is in use because a connection has been made.

Applying this to the Internet would be enormously inefficient, so the Internet uses packets instead. A packet is a small chunk of data. When you download a file via FTP, to your eyes the file arrives all at once, but in reality it is broken into hundreds or thousands of packets that are transmitted to you. Your computer receives those packets and reassembles them into the file.

When we use the Internet we browse the web, download files via FTP, and exchange messages with a messenger. On the LAN cable connected to our computer, the packets of the HTML file requested by the web browser, the packets of the file being transferred by FTP, and the messenger's message packets all travel mixed together. Even though they are mixed, each packet carries its own information, which is why the packets do not get confused and many things can happen at once. With a telephone, only one thing can be done at a time because the circuit is fully occupied.

Now let's look at how a firewall works. A firewall classifies packets and decides whether to let each packet pass, reject it, or drop it. Depending on how packets are controlled with iptables, connections can be blocked or opened, and worm packets can be blocked through string matching.


4.2. Writing the bridge and iptables script

iptables rules exist only in memory after the commands are issued, so the configuration is lost on reboot. A script must therefore be created that runs at boot time.

There are many example iptables scripts on the Internet. At first I copied them as they were, but because I used them without understanding them, they did not work properly. The most important thing is to understand packets and have basic knowledge of the protocols. The network where your firewall will be installed will not be identical to mine, so you will need to rewrite the script to fit your own network.

Save the script below as /etc/init.d/bridgefirewall so that it runs at boot. Read the comments in the script and adapt the settings to your own network situation. The network configuration used in the examples from here on is as follows (these IPs do not exist, of course). Both the firewall and the network protected behind it use public IPs.

  • The firewall's own IP: 234.234.200.10

  • Broadcast: 234.234.200.255

  • IPs in use: 234.234.200.0 ~ 234.234.200.255

#!/bin/sh

BR_IP="234.234.200.10"
# The firewall's own IP. A bridge firewall normally has no IP address, but
# without one you cannot connect remotely and have to sit at the firewall
# machine itself to work on it, which is inconvenient to administer. So an
# IP is assigned for management only, and access to it will be allowed from
# the internal network only. If this worries you from a security point of
# view, leave BR_IP empty: then remote access is impossible.

BR_IFACE="pyrasis-br"     # Bridge name; choose any name you like.

LAN_BCAST_ADDRESS="234.234.200.255"       # Broadcast address
INTERNAL_ADDRESS_RANGE="234.234.200.0/24" # Network range
INTERNAL_ADDRESS="255.255.255.0"          # Netmask

INET_IFACE="eth0" # NIC connected to the line coming in from outside
LAN_IFACE="eth1"  # NIC connected to the line going to the internal network

LO_IFACE="lo"
LO_IP="127.0.0.1"

IPTABLES="/usr/local/sbin/iptables" # Absolute path of iptables

#########
/sbin/depmod -a

# The following loads the modules that iptables will use.
# On Debian, if you select the modules to load in modconf, there is no need
# to list them here at every boot. On other distributions the required
# modules must be loaded as below, or iptables will not recognize the
# corresponding commands.
/sbin/insmod /lib/modules/2.4.19/kernel/net/ipv4/netfilter/iptable_filter.o
/sbin/insmod /lib/modules/2.4.19/kernel/net/ipv4/netfilter/ip_conntrack.o
/sbin/insmod /lib/modules/2.4.19/kernel/net/ipv4/netfilter/iptable_nat.o
/sbin/insmod /lib/modules/2.4.19/kernel/net/ipv4/netfilter/ip_conntrack_ftp.o
/sbin/insmod /lib/modules/2.4.19/kernel/net/ipv4/netfilter/ip_conntrack_irc.o
/sbin/insmod /lib/modules/2.4.19/kernel/net/ipv4/netfilter/ipt_string.o
/sbin/insmod /lib/modules/2.4.19/kernel/net/ipv4/netfilter/ipt_state.o
/sbin/insmod /lib/modules/2.4.19/kernel/net/ipv4/netfilter/ipt_REJECT.o
/sbin/insmod /lib/modules/2.4.19/kernel/net/ipv4/netfilter/ipt_REDIRECT.o
/sbin/insmod /lib/modules/2.4.19/kernel/net/ipv4/netfilter/ipt_MASQUERADE.o
/sbin/insmod /lib/modules/2.4.19/kernel/net/ipv4/netfilter/ip_nat_snmp_basic.o
/sbin/insmod /lib/modules/2.4.19/kernel/net/ipv4/netfilter/ip_nat_ftp.o
/sbin/insmod /lib/modules/2.4.19/kernel/net/ipv4/netfilter/ip_nat_irc.o

ifconfig $INET_IFACE down   # Reset the configuration of every interface
ifconfig $LAN_IFACE down
ifconfig $BR_IFACE down     # Fails harmlessly on the first run, before the bridge exists

ifconfig $INET_IFACE 0.0.0.0  # Give the NICs that will form the bridge the address 0.0.0.0
ifconfig $LAN_IFACE 0.0.0.0

$IPTABLES -F  # Flush the rules of every chain
$IPTABLES -X  # Delete user-defined chains; initialization

# Default policies.
# INPUT (incoming) DROP
# OUTPUT (outgoing) ACCEPT. INPUT and OUTPUT refer to packets to and from the firewall machine itself.
# FORWARD DROP: the most important part.
# Every packet passing through the bridge firewall is controlled in FORWARD.
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD DROP

# Bridge setup
/usr/local/sbin/brctl addbr $BR_IFACE
/usr/local/sbin/brctl addif $BR_IFACE $INET_IFACE
/usr/local/sbin/brctl addif $BR_IFACE $LAN_IFACE

# Bridge IP setup
if [ "$BR_IP" != "" ] ; then
    ifconfig $BR_IFACE $BR_IP broadcast $LAN_BCAST_ADDRESS netmask $INTERNAL_ADDRESS
else
    ifconfig $BR_IFACE up
fi

# Firewall SSH
# Settings for the firewall machine itself.
# Allow connections to port 22 of the firewall from 234.234.200.0 through 255.
# So the firewall can be reached only from inside the company, and only via SSH.
# To allow only the administrator's specific IP, write e.g. 234.234.200.12
# instead of 234.234.200.0/24.
$IPTABLES -A INPUT -p tcp -s 234.234.200.0/24 --dport 22 -j ACCEPT

# Deny IP list
# These are examples; use them if you need them.
# The first drops ICMP packets coming from 10.105.4.202; tcp or udp can be used as well.
# The second blocks by MAC address: packets from the MAC address below are dropped.
#$IPTABLES -A FORWARD -p icmp -s 10.105.4.202 -j DROP
#$IPTABLES -A FORWARD -m mac --mac-source 00:02:2A:C4:86:17 -j DROP

# Nimda, CodeRed
# Rules blocking Nimda and CodeRed packets
$IPTABLES -A FORWARD -p tcp --tcp-flags ACK ACK --dport 80 -m string --string "/default.ida?" -j REJECT --reject-with tcp-reset
$IPTABLES -A FORWARD -p tcp --tcp-flags ACK ACK --dport 80 -m string --string "XXXXXXXX" -j REJECT --reject-with tcp-reset
$IPTABLES -A FORWARD -p tcp --tcp-flags ACK ACK --dport 80 -m string --string "cmd.exe" -j REJECT --reject-with tcp-reset
$IPTABLES -A FORWARD -p tcp --tcp-flags ACK ACK --dport 80 -m string --string "root.exe?" -j REJECT --reject-with tcp-reset

# SQL Slammer
# Rule blocking the packets of the SQL Slammer worm
$IPTABLES -A FORWARD -p udp -m string --string "Qh.dllhel32hkern" -j REJECT

# For a web server that uses only port 80: open only port 80, and string-check
# the packets going to that port so that Nimda and CodeRed packets are blocked.
# The string checks must come before the ACCEPT: rules are matched in order,
# and an ACCEPT placed first would match every port-80 packet before the
# checks below were ever reached.
$IPTABLES -A FORWARD -p tcp -d 234.234.200.5 --tcp-flags ACK ACK --dport 80 -m string --string "/default.ida?" -j REJECT --reject-with tcp-reset
$IPTABLES -A FORWARD -p tcp -d 234.234.200.5 --tcp-flags ACK ACK --dport 80 -m string --string "XXXXXXXX" -j REJECT --reject-with tcp-reset
$IPTABLES -A FORWARD -p tcp -d 234.234.200.5 --tcp-flags ACK ACK --dport 80 -m string --string "cmd.exe" -j REJECT --reject-with tcp-reset
$IPTABLES -A FORWARD -p tcp -d 234.234.200.5 --tcp-flags ACK ACK --dport 80 -m string --string "root.exe?" -j REJECT --reject-with tcp-reset
$IPTABLES -A FORWARD -p tcp -d 234.234.200.5 --dport 80 -j ACCEPT

# MSN
$IPTABLES -A FORWARD -p tcp -d 234.234.200.0/24 --dport 1863:1864 -j ACCEPT
$IPTABLES -A FORWARD -p tcp -d 234.234.200.0/24 --dport 6901 -j ACCEPT
$IPTABLES -A FORWARD -p tcp -d 234.234.200.0/24 --dport 7801:7825 -j ACCEPT
$IPTABLES -A FORWARD -p tcp -d 234.234.200.0/24 --dport 6891:6900 -j ACCEPT

# KTiman
$IPTABLES -A FORWARD -p tcp -d 234.234.200.0/24 --dport 10020 -j ACCEPT
$IPTABLES -A FORWARD -p tcp -d 234.234.200.0/24 --dport 10250 -j ACCEPT

# IRC
$IPTABLES -A FORWARD -p tcp --dport 6667 -j ACCEPT
$IPTABLES -A FORWARD -p tcp --sport 6667 -j ACCEPT

# Remote
$IPTABLES -A FORWARD -p tcp --sport 6009 -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 6009 -j ACCEPT

# FTP Client
$IPTABLES -A FORWARD -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 113 -j ACCEPT
$IPTABLES -A FORWARD -p tcp --sport 113 -j ACCEPT

# syn packet drop
# Every new inbound TCP connection to the internal range not accepted above is dropped here
$IPTABLES -A FORWARD -p tcp --syn -d 234.234.200.0/24 -j DROP

# net send drop
$IPTABLES -A FORWARD -p tcp --syn -d 234.234.200.0/24 --sport 139 -j DROP
$IPTABLES -A FORWARD -p tcp --syn -d 234.234.200.0/24 --sport 2603 -j DROP
$IPTABLES -A FORWARD -p udp -d 234.234.200.0/24 --dport 135 -j DROP

$IPTABLES -A FORWARD -p ALL -j ACCEPT
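The script above depends on rule order: iptables walks the FORWARD chain top to bottom, the first matching rule decides, and the chain policy (DROP) applies only when nothing matched. As an added example that is not part of the HOWTO, the following Python model replays a condensed subset of those FORWARD rules, in the script's order, on constructed packets. It shows the string rules firing before the port-80 ACCEPT, the `--syn` DROP catching every new inbound connection that no earlier rule allowed, and the closing `-p ALL -j ACCEPT` admitting everything else, including any UDP datagram to the internal range other than port 135 and the Slammer signature. The packet dicts, the `packet()` helper and the rule representation are this example's own simplifications; real iptables has far more match state than this.

```python
"""Toy first-match model of the FORWARD chain of the bridge firewall script.

Added example, not part of the original HOWTO. Packets are constructed dicts
rather than real captures, and the rule list is a condensed subset of the
script's FORWARD rules in their original order."""
import ipaddress

ACCEPT, DROP, REJECT = "ACCEPT", "DROP", "REJECT"
LAN = ipaddress.ip_network("234.234.200.0/24")   # INTERNAL_ADDRESS_RANGE in the script
WEB = ipaddress.ip_network("234.234.200.5/32")   # the web server the script opens port 80 for


def rule(target, proto=None, dst=None, dport=None, sport=None, syn=None,
         state=None, string=None):
    """One iptables rule; a None field matches anything (like omitting the option)."""
    return dict(target=target, proto=proto, dst=dst, dport=dport, sport=sport,
                syn=syn, state=state, string=string)


def matches(r, pkt):
    """True when every option given in the rule matches the packet (-p, -d, --dport, ...)."""
    if r["proto"] is not None and pkt["proto"] != r["proto"]:
        return False
    if r["dst"] is not None and ipaddress.ip_address(pkt["dst"]) not in r["dst"]:
        return False
    if r["dport"] is not None and not r["dport"][0] <= pkt["dport"] <= r["dport"][1]:
        return False
    if r["sport"] is not None and not r["sport"][0] <= pkt["sport"] <= r["sport"][1]:
        return False
    if r["syn"] is not None and pkt["syn"] != r["syn"]:               # --syn
        return False
    if r["state"] is not None and pkt["state"] not in r["state"]:     # -m state --state
        return False
    if r["string"] is not None and r["string"] not in pkt["payload"]:  # -m string
        return False
    return True


# Condensed FORWARD chain, same order as in the script above.
FORWARD = [
    rule(REJECT, "tcp", dport=(80, 80), string="/default.ida?"),   # Nimda / CodeRed
    rule(REJECT, "tcp", dport=(80, 80), string="cmd.exe"),
    rule(REJECT, "tcp", dport=(80, 80), string="root.exe?"),
    rule(REJECT, "udp", string="Qh.dllhel32hkern"),                 # SQL Slammer
    rule(ACCEPT, "tcp", dst=WEB, dport=(80, 80)),                   # web server
    rule(ACCEPT, "tcp", dst=LAN, dport=(1863, 1864)),               # MSN
    rule(ACCEPT, "tcp", sport=(21, 21), state={"ESTABLISHED"}),     # FTP control replies
    rule(ACCEPT, "tcp", sport=(20, 20), state={"ESTABLISHED", "RELATED"}),  # FTP data
    rule(DROP, "tcp", dst=LAN, syn=True),                           # syn packet drop
    rule(DROP, "udp", dst=LAN, dport=(135, 135)),                   # net send drop
    rule(ACCEPT),                                                   # -p ALL -j ACCEPT
]
FORWARD_POLICY = DROP   # $IPTABLES -P FORWARD DROP


def verdict(pkt, chain=FORWARD, policy=FORWARD_POLICY):
    """First matching rule decides; the chain policy applies only if nothing matched."""
    for r in chain:
        if matches(r, pkt):
            return r["target"]
    return policy


def trace(pkt, chain=FORWARD):
    """Index of the rule that decided the packet, or None when the policy applied."""
    for i, r in enumerate(chain):
        if matches(r, pkt):
            return i
    return None


def packet(proto, dst, dport, sport=40000, syn=False, state="NEW", payload=""):
    """Constructed packet (not a capture): only the fields the rules look at."""
    return dict(proto=proto, dst=dst, dport=dport, sport=sport, syn=syn,
                state=state, payload=payload)


if __name__ == "__main__":
    samples = {
        "new HTTP to web server": packet("tcp", "234.234.200.5", 80, syn=True),
        "CodeRed request": packet("tcp", "234.234.200.5", 80,
                                  payload="GET /default.ida?XXXXXXXX HTTP/1.0"),
        "new SSH to a PC": packet("tcp", "234.234.200.20", 22, syn=True),
        "FTP data reply": packet("tcp", "234.234.200.20", 3000, sport=20, state="ESTABLISHED"),
        "DNS reply (UDP)": packet("udp", "234.234.200.20", 53),
        "net send": packet("udp", "234.234.200.20", 135),
    }
    for name, p in samples.items():
        print(f"{name:24s} -> {verdict(p):6s} (rule {trace(p)})")
```

`trace()` returns the index of the deciding rule, which is the quickest way to see that a packet was decided by the rule you expected and not by the catch-all at the end.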

³×Æ®¿öÅ© ¹üÀ§ ¼³Á¤ÀÇ ¶æ

¿ì¸®´Â ¾Õ¿¡¼­ ³×Æ®¿öÅ© ¹üÀ§ ¼³Á¤À̶ó´Â ºÎºÐÀ» ÇÏ¿´´Ù. 234.234.200.0 ºÎÅÍ 255±îÁö¸¦ 234.234.200.0/24¶ó°í ¼³Á¤ ÇÏ¿´´Ù. ÀÌ°ÍÀÌ ¿Ö ÀÌ·¸°Ô ¼³Á¤µÇ´ÂÁö ¾Ë¾Æº¸ÀÚ

Table 1. Representation of an IP address range

11111111        . 11111111               . 11111111                . 11111111
0 1 2 3 4 5 6 7 . 8 9 10 11 12 13 14 15  . 16 17 18 19 20 21 22 23 . 24 25 26 27 28 29 30 31

The table above shows 255.255.255.255 in binary; the second row gives the position of each bit.

234.234.200.0/24 covers 234.234.200.0 through 234.234.200.255 because the 24 in 0/24 refers to the bits up to the 24th bit.

Table 2. 0/24

. 11111111
. 24 25 26 27 28 29 30 31

If the first 24 bits are fixed, the remaining bits 1 1 1 1 1 1 1 1 give 255, so the range is 0 through 255.

With 0/25 the remaining bits are 0 1 1 1 1 1 1 1, which is 128, so the range is 0 through 128.

With 0/26 the remaining bits are 0 0 1 1 1 1 1 1, so the range is 0 through 64.

128/25 means 128 through 255 are used.
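As an added check (example code, not part of the HOWTO), the following Python works out the range a prefix length covers with the same bit arithmetic the tables above illustrate; note that the host bits 0 1 1 1 1 1 1 1 are 127, so a /25 block ends at .127 and a /26 block at .63.

```python
# Added example, not from the HOWTO: the address range a prefix length covers,
# computed with the same bit arithmetic the tables above illustrate.

def prefix_to_mask(prefix: int) -> int:
    """Netmask as a 32-bit integer: the first `prefix` bits set, the rest clear."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF

def ip_to_int(ip: str) -> int:
    """Dotted-quad IPv4 address to a 32-bit integer."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("bad IPv4 address: " + ip)
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

def int_to_ip(n: int) -> str:
    """32-bit integer back to dotted-quad form."""
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def cidr_range(cidr: str):
    """First and last address of a block such as 234.234.200.0/24.

    The mask bits are the fixed network part; the host bits run from all
    zeros (first address) to all ones (last address)."""
    ip, prefix = cidr.split("/")
    mask = prefix_to_mask(int(prefix))
    first = ip_to_int(ip) & mask          # host bits cleared
    last = first | (~mask & 0xFFFFFFFF)   # host bits all set
    return int_to_ip(first), int_to_ip(last)

def bit_table(cidr: str) -> str:
    """The mask in dotted binary, like Tables 1 and 2: 1 = network bit, 0 = host bit."""
    mask = prefix_to_mask(int(cidr.split("/")[1]))
    return ".".join(format((mask >> shift) & 0xFF, "08b") for shift in (24, 16, 8, 0))

if __name__ == "__main__":
    for block in ("234.234.200.0/24", "234.234.200.0/25",
                  "234.234.200.128/25", "234.234.200.0/26"):
        # e.g. /25 -> 234.234.200.0 .. 234.234.200.127 (host bits 0111 1111 = 127)
        print(block, bit_table(block), *cidr_range(block))
```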


4.3. Changing the policy

You need to be able to modify the policy while the firewall is up. That takes one more script, and it is very easy to make: take the boot script above, cut out just the iptables commands (leaving out the bridge setup), and save them as a script. A simple policy change is then just a matter of running that script.

The following script changes the policy after the firewall has booted. Save it as ipt-sh, run chmod 755 ipt-sh, and then execute it with ./ipt-sh.

IPTABLES="/usr/local/sbin/iptables"

$IPTABLES -F  # flush the rules in every chain
$IPTABLES -X  # delete user-defined chains; start from a clean state

# Firewall SSH
$IPTABLES -A INPUT -p tcp -s 234.234.200.0/24 --dport 22 -j ACCEPT

#$IPTABLES -A FORWARD -p icmp -s 10.105.4.202 -j DROP
#$IPTABLES -A FORWARD -m mac --mac-source 00:02:2A:C4:86:17 -j DROP

# Nimda, CodeRed
$IPTABLES -A FORWARD -p tcp --tcp-flags ACK ACK --dport 80 -m string --string "/default.ida?" -j REJECT --reject-with tcp-reset
$IPTABLES -A FORWARD -p tcp --tcp-flags ACK ACK --dport 80 -m string --string "XXXXXXXX" -j REJECT --reject-with tcp-reset
$IPTABLES -A FORWARD -p tcp --tcp-flags ACK ACK --dport 80 -m string --string "cmd.exe" -j REJECT --reject-with tcp-reset
$IPTABLES -A FORWARD -p tcp --tcp-flags ACK ACK --dport 80 -m string --string "root.exe?" -j REJECT --reject-with tcp-reset

# SQL Slammer
$IPTABLES -A FORWARD -p udp -m string --string "Qh.dllhel32hkern" -j REJECT

# WebServer
$IPTABLES -A FORWARD -p tcp -d 234.234.200.5 --dport 80 -j ACCEPT
$IPTABLES -A FORWARD -p tcp -d 234.234.200.5 --tcp-flags ACK ACK --dport 80 -m string --string "/default.ida?" -j REJECT --reject-with tcp-reset
$IPTABLES -A FORWARD -p tcp -d 234.234.200.5 --tcp-flags ACK ACK --dport 80 -m string --string "XXXXXXXX" -j REJECT --reject-with tcp-reset
$IPTABLES -A FORWARD -p tcp -d 234.234.200.5 --tcp-flags ACK ACK --dport 80 -m string --string "cmd.exe" -j REJECT --reject-with tcp-reset
$IPTABLES -A FORWARD -p tcp -d 234.234.200.5 --tcp-flags ACK ACK --dport 80 -m string --string "root.exe?" -j REJECT --reject-with tcp-reset

# MSN
$IPTABLES -A FORWARD -p tcp -d 234.234.200.0/24 --dport 1863:1864 -j ACCEPT
$IPTABLES -A FORWARD -p tcp -d 234.234.200.0/24 --dport 6901 -j ACCEPT
$IPTABLES -A FORWARD -p tcp -d 234.234.200.0/24 --dport 7801:7825 -j ACCEPT
$IPTABLES -A FORWARD -p tcp -d 234.234.200.0/24 --dport 6891:6900 -j ACCEPT

# KTiman
$IPTABLES -A FORWARD -p tcp -d 234.234.200.0/24 --dport 10020 -j ACCEPT
$IPTABLES -A FORWARD -p tcp -d 234.234.200.0/24 --dport 10250 -j ACCEPT

# IRC
$IPTABLES -A FORWARD -p tcp --dport 6667 -j ACCEPT
$IPTABLES -A FORWARD -p tcp --sport 6667 -j ACCEPT

# Remote
$IPTABLES -A FORWARD -p tcp --sport 6009 -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 6009 -j ACCEPT

# FTP Client
$IPTABLES -A FORWARD -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 113 -j ACCEPT
$IPTABLES -A FORWARD -p tcp --sport 113 -j ACCEPT

# syn packet drop
$IPTABLES -A FORWARD -p tcp --syn -d 234.234.200.0/24 -j DROP

# net send drop
$IPTABLES -A FORWARD -p tcp --syn -d 234.234.200.0/24 --sport 139 -j DROP
$IPTABLES -A FORWARD -p tcp --syn -d 234.234.200.0/24 --sport 2603 -j DROP
$IPTABLES -A FORWARD -p udp -d 234.234.200.0/24 --dport 135 -j DROP

$IPTABLES -A FORWARD -p ALL -j ACCEPT

$IPTABLES -L


4.4. Basic command usage

Let's look at the basics of how packets are handled by the commands given to iptables.

-A FORWARD : append a rule to the FORWARD chain; used most often.

-A INPUT, -A OUTPUT : append a rule to the INPUT or OUTPUT chain; the policy for packets going to and from the firewall itself. Rarely used.

-p tcp : TCP protocol (Web, FTP, Telnet, SSH, etc.)

-p udp : UDP protocol

-p icmp : ICMP protocol (PING)

-d : destination IP, e.g. -d 234.234.200.123

-s : source IP, e.g. -s 234.234.200.123

--dport : destination port, e.g. --dport 80, or --dport 80:90 for ports 80 through 90

--sport : source port, e.g. --sport 80, or --sport 80:90 for ports 80 through 90

Earlier we set INTERNAL_ADDRESS_RANGE="234.234.200.0/24". It stands for the internal network, so the two commands below are the same. We only put the IP into a variable called INTERNAL_ADDRESS_RANGE; to make things easier to follow, from here on the IP is written directly, because a script full of nothing but variables is hard to understand for someone seeing it for the first time. Write the IP directly at first; anyone who prefers variables can use them.

$IPTABLES -A FORWARD -p tcp -d $INTERNAL_ADDRESS_RANGE --dport 80 -j DROP
$IPTABLES -A FORWARD -p tcp -d 234.234.200.0/24 --dport 80 -j DROP

In iptables we set the default policy of the FORWARD chain to DROP, so everything is blocked. When writing the policy, open the ports you want first and block everything afterwards: rules are matched in order, so if you block everything first and open ports after that, the ports will not open.

The boot script above drops SYN packets. That is, in the FORWARD chain (-A FORWARD), for the TCP protocol (-p tcp), SYN packets (--syn) whose destination IP is in 234.234.200.0/24 (-d 234.234.200.0/24) are dropped (-j DROP):

# syn packet drop
$IPTABLES -A FORWARD -p tcp --syn -d 234.234.200.0/24 -j DROP
$IPTABLES -A FORWARD -p ALL -j ACCEPT

SYN packets are dropped to block TCP connections into the internal network 234.234.200.0/24, that is, connections from outside to internal telnet, web, FTP and other TCP services. A SYN packet is the initial connection request of the TCP protocol; those whose destination IP is the internal network are dropped, while traffic going from inside to outside is not blocked. Be careful: if instead of dropping SYN packets you block all TCP with a destination in the internal network, nothing that uses TCP, the web included, will work. Packets can go out, but the replies cannot come back in. The second line accepts all protocols; without it there is no communication at all, because the FORWARD chain's default policy is DROP, so it must be present.

Opening and blocking specific ports

# Block port 21: drop packets whose destination IP is internal and destination port is 21.
# The effect is that programs using TCP port 21 cannot communicate from inside. Using
# -s 234.234.200.0/24 instead has the same effect, since then the source IP is internal
# and the destination is port 21 outside.
$IPTABLES -A FORWARD -p tcp -d 234.234.200.0/24 --dport 21 -j DROP

# Open port 21: accept packets whose destination IP is internal and destination port is 21.
# The effect is that TCP connections from outside to inside become possible.
$IPTABLES -A FORWARD -p tcp -d 234.234.200.0/24 --dport 21 -j ACCEPT

# The SYN packet drop shown above (followed by the accept-all rule) must always come at the
# end of the policy. Otherwise, however many ports you open or close, nothing will communicate,
# because the FORWARD chain's default policy is DROP.

Blocking a specific port is used in places such as companies, to stop programs (P2P etc.) that use that port.

Opening a specific port is used when there are mail servers, web servers and the like behind the firewall and the ports those servers use must be opened.
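To see why the order matters, here is an added example (Python, not part of the HOWTO) that models first-match evaluation of the FORWARD chain with the rules from the ipt-sh script: the Nimda string rule, the web server ACCEPT, the SYN drop and the accept-all. Placing the SYN drop before the web server rule drops every new connection to the server, as the text above warns.

```python
# Added example, not from the HOWTO: a model of first-match evaluation in the
# FORWARD chain, with rules and addresses taken from the ipt-sh script above.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

@dataclass
class Packet:
    dst: str              # destination IP
    dport: int            # destination port
    syn: bool = False     # SYN set and ACK clear, what --syn matches
    payload: bytes = b""  # TCP payload, what -m string searches

@dataclass
class Rule:
    target: str                              # -j ACCEPT / DROP / REJECT
    dst: Optional[str] = None                # -d host or CIDR block
    dport: Optional[Tuple[int, int]] = None  # --dport low:high
    syn: bool = False                        # --syn
    string: Optional[bytes] = None           # -m string --string "..."

    def matches(self, p: Packet) -> bool:
        if self.dst and ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.dport and not self.dport[0] <= p.dport <= self.dport[1]:
            return False
        if self.syn and not p.syn:
            return False
        if self.string and self.string not in p.payload:
            return False
        return True

def forward(chain: List[Rule], p: Packet, policy: str = "DROP") -> str:
    """Verdict for p: the first matching rule's target, else the chain policy."""
    for rule in chain:
        if rule.matches(p):
            return rule.target
    return policy  # default DROP, as the boot script set it for FORWARD

INTERNAL = "234.234.200.0/24"
NIMDA = Rule("REJECT", dport=(80, 80), string=b"cmd.exe")   # Nimda, CodeRed
WEB = Rule("ACCEPT", dst="234.234.200.5", dport=(80, 80))   # WebServer
SYN_DROP = Rule("DROP", dst=INTERNAL, syn=True)             # syn packet drop
ALL = Rule("ACCEPT")                                        # -p ALL -j ACCEPT

# The HOWTO's order: open first, then the SYN drop, then accept the rest (replies
# to outbound connections). BLOCK_FIRST is the order the text warns against.
PAGE_ORDER = [NIMDA, WEB, SYN_DROP, ALL]
BLOCK_FIRST = [SYN_DROP, NIMDA, WEB, ALL]
```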


4.5. Frequently used rules

Some situations come up often when running a firewall. Let's look at the settings for instant messengers, FTP and the like.

Instant messengers (MSN, etc.). Each messenger's homepage lists the ports it uses; look them up and adjust the rules accordingly. The messenger will work even if its ports are not opened, but features such as file transfer may then fail.

# MSN
$IPTABLES -A FORWARD -p tcp -d 234.234.200.0/24 --dport 1863:1864 -j ACCEPT
$IPTABLES -A FORWARD -p tcp -d 234.234.200.0/24 --dport 6901 -j ACCEPT
$IPTABLES -A FORWARD -p tcp -d 234.234.200.0/24 --dport 7801:7825 -j ACCEPT
$IPTABLES -A FORWARD -p tcp -d 234.234.200.0/24 --dport 6891:6900 -j ACCEPT

# KTiman
$IPTABLES -A FORWARD -p tcp -d 234.234.200.0/24 --dport 10020 -j ACCEPT
$IPTABLES -A FORWARD -p tcp -d 234.234.200.0/24 --dport 10250 -j ACCEPT

Settings that let FTP clients work

# FTP Client
$IPTABLES -A FORWARD -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 113 -j ACCEPT
$IPTABLES -A FORWARD -p tcp --sport 113 -j ACCEPT

Packet string matching (string match support): Nimda and CodeRed packets

#$IPTABLES -A FORWARD -p tcp -d 234.234.200.1 --tcp-flags ACK ACK --dport 80 -m string --string "/default.ida?" -j REJECT --reject-with tcp-reset
#$IPTABLES -A FORWARD -p tcp -d 234.234.200.1 --tcp-flags ACK ACK --dport 80 -m string --string "XXXXXXXX" -j REJECT --reject-with tcp-reset
#$IPTABLES -A FORWARD -p tcp -d 234.234.200.1 --tcp-flags ACK ACK --dport 80 -m string --string "cmd.exe" -j REJECT --reject-with tcp-reset
#$IPTABLES -A FORWARD -p tcp -d 234.234.200.1 --tcp-flags ACK ACK --dport 80 -m string --string "root.exe?" -j REJECT --reject-with tcp-reset

In the commands above, --string "cmd.exe" means that a packet containing the string cmd.exe is blocked or rejected; --tcp-flags ACK ACK denotes the packets of an initial TCP connection.

net send (popup spam): how to block the spam that pops up message windows on Windows 2000 and later

# net send drop
$IPTABLES -A FORWARD -p tcp --syn -d 234.234.200.0/24 --sport 139 -j DROP
$IPTABLES -A FORWARD -p tcp --syn -d 234.234.200.0/24 --sport 2603 -j DROP
$IPTABLES -A FORWARD -p udp -d 234.234.200.0/24 --dport 135 -j DROP


4.6. Kernel log daemon configuration

While the firewall is running, a great many messages will be printed on the console. If this makes it awkward to type commands, change the kernel log daemon's settings.

Create the file /sbin/klogd_start. It sets the logging level of the kernel log daemon; the level controls which messages are printed on the console.

#!/bin/sh
# Console log level 1: only kernel messages of priority 0 (KERN_EMERG) are
# still printed on the console; everything else goes only to the system log.
/sbin/klogd -c 1

This is the file /etc/init.d/klogd. It starts the kernel log daemon at boot.

#! /bin/sh
# /etc/init.d/klogd: start the kernel log daemon.

PATH=/bin:/usr/bin:/sbin:/usr/sbin

pidfile=/var/run/klogd.pid
#binpath=/sbin/klogd
binpath=/sbin/klogd
binpath_start=/sbin/klogd_start # the wrapper script created above

test -f $binpath || exit 0

#  Use KLOGD="-k /boot/System.map-$(uname -r)" to specify System.map
#
KLOGD=""

running()
{
    # No pidfile, probably no daemon present
    #
    if [ ! -f $pidfile ]
    then
        return 1
    fi

    pid=`cat $pidfile`

    # No pid, probably no daemon present
    #
    if [ -z "$pid" ]
    then
        return 1
    fi

    cmd=`cat /proc/$pid/cmdline | tr "\000" "\n"|head -1`

    # No syslogd?
    #
    if [ "$cmd" != "$binpath" ]
    then
        return 1
    fi

    return 0
}

case "$1" in
  start)
    echo -n "Starting kernel log daemon: klogd"
    start-stop-daemon --start --quiet --exec $binpath_start -- $KLOGD
    # on start, run the wrapper script created above instead of klogd directly
    echo "."
    ;;
  stop)
    echo -n "Stopping kernel log daemon: klogd"
    start-stop-daemon --stop --quiet --exec $binpath --pidfile $pidfile
    echo "."
    ;;
  restart|force-reload)
    echo -n "Stopping kernel log daemon: klogd"
    start-stop-daemon --stop --quiet --exec $binpath --pidfile $pidfile
    echo "."
    sleep 1
    echo -n "Starting kernel log daemon: klogd"
    # restart must also go through klogd_start, or the console level is lost
    start-stop-daemon --start --quiet --exec $binpath_start -- $KLOGD
    echo "."
    ;;
  reload-or-restart)
    if running
    then
        start-stop-daemon --stop --quiet --signal 1 --exec $binpath --pidfile $pidfile
    else
        start-stop-daemon --start --quiet --exec $binpath_start -- $KLOGD
    fi
    ;;
  *)
    echo "Usage: /etc/init.d/klogd {start|stop|restart|force-reload|reload-or-restart}"
    exit 1
esac

exit 0

The startup script above may differ between distributions, but all that matters is that it runs the klogd_start script.

That concludes this document. For someone new to Linux, kernel compilation and configuration will probably be the hardest parts. It is an incomplete document, but I hope it is a real help. If you find anything wrong in it, please send me an e-mail right away.


last modified 2004-11-06 13:48:01