
Building a Bridge Firewall with Linux

이재홍 (pyrasis)

Let's build a Bridge Firewall with Linux.

Revision History

Revision 0.1, 2003-06-28, revised by pyrasis: initial version.
Revision 0.2, 2003-08-29, revised by pyrasis: added a part missing from the kernel options section (Code maturity level options).
Revision 0.3, 2003-09-16, revised by pyrasis: kernel log daemon configuration (controlling the messages printed to the screen).

1. Introduction

Let's build and use a Bridge Firewall, which lets you put a firewall in place easily without changing the layout of the network.

While building my firewall I went through a great deal of trial and error and read many documents. But networks vary so much that things often did not work as the documents said, and the environments were frequently quite different. I cannot promise that reading this document will give you a suitable firewall on the first try. Still, I am writing it in the hope that it helps, even a little, those trying this for the first time.

This document assumes that the network to be protected uses public IP addresses. Since I have not used NAT myself, a document about NAT will be prepared later.


1.1. Copyright

Copyright (C) 2003 이재홍

This document is distributed under the terms of the GNU Free Documentation License, version 1.1 or any later version published by the Free Software Foundation. Reproduction or excerpting of the text in any medium is permitted free of charge as long as this copyright notice is retained.


1.2. Disclaimer

The author accepts no responsibility for any consequences that the contents of this document may cause. Use the information and examples in this document at your own discretion. Although I have done my best, this document may contain mistakes or errors. If you find one, please let me know.


1.3. Acknowledgements

Thanks to the many people who helped with this document.

The articles in KLDP's Networking/Firewall directory were a great help. My sincere thanks to everyone who wrote and translated the articles there.


1.4. Feedback

Feedback on this document, such as suggestions for improvement, corrections, or problems, is always welcome. Please send mail to .


2. Preparing for Installation

What has to be prepared for the installation.


2.1. Network Layout

Network layout without a firewall:

       Router --------- Switching hub ----------- PC
                                    |
                                    ----------- Server

Network layout with the firewall installed:

      Router ------------- eth0-(Bridge Firewall)-eth1 --- Switching hub -------- PC
             (Crossover cable)                                         |
                                                                       -------- Server


2.2. What You Need

The Linux distribution on which I installed the Bridge Firewall is Debian GNU/Linux 3.0 r1 (June 2003), with kernel version 2.4.19. It can be installed on other distributions without difficulty.

The hardware I tested on was a Celeron 1 GHz with 256 MB of RAM; currently about 50 computers use the Internet behind this firewall. The network cards in use are a 3Com 3c590 and an Intel EtherExpress/100.

Required items:

  • Linux kernel 2.4.19

  • Two network cards

  • A crossover cable and a straight-through cable

  • bridge kernel patch

  • bridge utils

  • iptables kernel patch

  • iptables source


2.3. Obtaining the Files

Bridge kernel patch and bridge-utils:

Linux ethernet bridging http://bridge.sourceforge.net

bridge-nf-0.0.7-against-2.4.19.diff

bridge-utils-0.9.6.tar.gz

iptables kernel patches and iptables:

netfilter/iptables http://www.netfilter.org

patch-o-matic-20030107.tar.bz2

iptables-1.2.8.tar.bz2

Linux kernel source:

The Linux Kernel Archives http://www.kernel.org

linux-2.4.19.tar.bz2

Download the files above into /root.


3. Installation

We will apply the iptables and bridge patches to the Linux kernel and compile it. All of the work is done as root.


3.1. Patching the Linux Kernel

Unpack the kernel source into /usr/src/linux.

# mv linux-2.4.19.tar.bz2 /usr/src
# cd /usr/src
/usr/src# tar vjxf linux-2.4.19.tar.bz2            extract the archive (the bunzip2 package is required)
/usr/src# ln -s linux-2.4.19 linux                 create a symbolic link named linux to the extracted directory

Apply the bridge patch.

# mv bridge-nf-0.0.7-against-2.4.19.diff /usr/src
# cd /usr/src/linux
/usr/src/linux# patch -p1 < ../bridge-nf-0.0.7-against-2.4.19.diff

The iptables patches are applied to the kernel with patch-o-matic.

# tar vjxf patch-o-matic-20030107.tar.bz2
# cd patch-o-matic-20030107
# ./runme extra
Hey! KERNEL_DIR is not set.
Where is your kernel? [/usr/src/linux]              if the kernel source was unpacked in /usr/src and linked as linux, just press Enter;
                                                    otherwise enter the actual path of the kernel source
The following will appear.
Welcome to Rusty's Patch-o-matic!

Each patch is a new feature: many have minimal impact, some do not.
Almost every one has bugs, so I don't recommend applying them all!
-------------------------------------------------------
Already applied: submitted/01_2.4.19

Testing... 02_2.4.20.patch NOT APPLIED ( 17 missing files)
The submitted/02_2.4.20 patch:
   Authors: Various (see below)
   Status: Included in stock 2.4.20 kernel
   
   This big patch contains all netfilter/iptables changes between stock kernel
   versions 2.4.19 and 2.4.20.
   
   submitted/DSCP.patch
   + New DSCP target to mangle table (Harald Welte + Matthew G. Marsh)
   submitted/ECN.patch
   + New ECN target to mangle table (Harald Welte)
   submitted/REJECT_mark.patch
   + Don't copy nfmark value of old packet (Henrik Nordstrom)
   submitted/ahesp-static.patch
   + Fix static build of ahesp match (Paul P Komkoff Jr)
   submitted/conntrack+nat-helper-unregister.patch
   + Fix helper unregister in case of clashing ports (Harald Welte)
   submitted/conntrack.patch
   + Add new 'conntrack' match (Marc Boucher)
   submitted/dscp.patch
   + New 'dscp' match (Harald Welte)
   submitted/ecn.patch
   + New 'ecn' match (Harald Welte)
   submitted/helper.patch
   + New 'helper' match (Martin Josefsson, Harald Welte)
   submitted/ip6tables-exthdr-bug.patch.ipv6
   + Fix broken ipv6 extensionheader parser (Andras Kis-Szabo)
   submitted/ipv6-agr.patch.ipv6
   + New ip6tables 'eui64' match (Andras Kis-Szabo)
   submitted/length.patch.ipv6
   + New ip6tables 'length' match (Imran Patel, James Morris)
   submitted/log-tunnel-fix.patch.ipv6
   + Fix ip6tables 'LOG' target MAC address in case of tunnels
   (Peter Bieringer, Andras Kis-Szabo)
   submitted/nat-memoryleak-fix.patch
   + Fix memoryleak at iptable_nat unload time (zhongyu)
   submitted/ownercmd.patch
   + Extend 'owner' match to match cmdline (Marc Boucher)
   submitted/pkttype.patch
   + New 'pkttype' match (Michal Ludvig)
   submitted/ulog-nlgroup-shift-fix.patch
   + Fix error with shifting nlgroup in ULOG target (Harald Welte)
   submitted/ulog-sparc-bitops-fix.patch
   + Include linux/bitops.h instead of asm/bitops.h
   submitted/z-newnat16.patch
   + Redesign of conntrack and nat helper framework, for more info see http://cvs.netfilter.org/cgi-bin/cvsweb/netfilter/documentation/newnat-summary.txt
   (Harald Welte, Jozsef Kadlecsik, and others)
   submitted/z-newnat_assertfix.patch
   + Fix erroneously printed ASSERT messages when debugging of newnat
   enabled (Martin Josefsson)
   submitted/z-newnat_changeexpect-lockfix.patch
   + Fix locking bug in ip_conntrack_change_expect() (Martin Josefsson)
   Further changes, not previuosly in patch-o-matic:
   + ip6tables usage counter fix (Harald Welte)
   + ip_queue cleanup (James Morris)
   + minor spelling fixes
   + __constant_htons() macro changes
   + ipt_unclean: srcport _can_ be zero
   + yet another ipchains GFP_ATOMIC fix
-----------------------------------------------------------------
Do you want to apply this patch [N/y/t/f/a/r/b/w/v/q/?]
Press Enter.

The iptables patch set contains many individual patches. Pressing y applies the one shown, but do not apply all of them: the kernel will fail to compile later, so press y only for the ones you really need. Pressing b goes back one step.

The patch we want now is String match support, which searches the packet for a string and drops or rejects it. With it, packets from worms and viruses such as Nimda and CodeRed can be blocked.

Keep pressing Enter and eventually the following screen appears.

Welcome to Rusty's Patch-o-matic!

Each patch is a new feature: many have minimal impact, some do not.
Almost every one has bugs, so I don't recommend applying them all!
-------------------------------------------------------
Already applied: submitted/01_2.4.19

Testing... string.patch NOT APPLIED ( 2 missing files)
The extra/string patch:
   Author: Emmanuel Roger <winfield@freegates.be>
   Status: Working, not with kernel 2.4.9
   
   This patch adds CONFIG_IP_NF_MATCH_STRING which allows you to
   match a string in a whole packet.
   
   THIS PATCH DOES NOT WORK WITH KERNEL 2.4.9 !!!
   
-----------------------------------------------------------------
Do you want to apply this patch [N/y/t/f/a/r/b/w/v/q/?] 

Press y here to apply the String match patch.

Pressing Enter further shows the remaining patches; apply any that you need.


3.2. Configuring the Kernel Options

Configure the kernel options so that iptables and bridging can be used. The two network cards will be configured as well.

Set the kernel options as follows. To use menuconfig on Debian, the libncurses5-dev package is required; packages on Debian are installed with apt-get or dselect. Other distributions are similar, and most of them have it installed by default.

# cd /usr/src/linux
/usr/src/linux# make menuconfig

Code maturity level option. This must be checked for all of the options below to appear.

Code maturity level options  --->
  [*] Prompt for development and/or incomplete code/drivers

Network card driver settings. The cards I use are a 3Com 3c590 and an Intel EtherExpress/100; select the drivers for whichever cards you have.

Network device support  --->
  Ethernet (10 or 100Mbit)  --->
    [*] Ethernet (10 or 100Mbit)                                                                    
    < >   Sun Happy Meal 10/100baseT support                                                            
    < >   Sun GEM support                                                                               
    [*]   3COM cards                                                                                
    < >     3c501 "EtherLink" support                                                                   
    < >     3c503 "EtherLink II" support                                                                
    < >     3c505 "EtherLink Plus" support                                                              
    < >     3c507 "EtherLink 16" support (EXPERIMENTAL)                                                 
    < >     3c509/3c529 (MCA)/3c579 "EtherLink III" support                                             
    < >     3c515 ISA "Fast EtherLink"                                                                  
    <*>     3c590/3c900 series (592/595/597) "Vortex/Boomerang" support                                 
    < >   AMD LANCE and PCnet (AT1500 and NE2100) support                                               
    [ ]   Western Digital/SMC cards                                                                 
    [ ]   Racal-Interlan (Micom) NI cards                                                           
    < >   AT1700/1720 support (EXPERIMENTAL)                                                            
    < >   DEPCA, DE10x, DE200, DE201, DE202, DE422 support                                              
    < >   HP 10/100VG PCLAN (ISA, EISA, PCI) support                                                    
    [ ]   Other ISA cards                                                                           
    [*]   EISA, VLB, PCI and on board controllers                                                   
    < >     AMD PCnet32 PCI support                                                                     
    < >     Adaptec Starfire/DuraLAN support                                                            
    < >     Ansel Communications EISA 3200 support (EXPERIMENTAL)                                       
    < >     Apricot Xen-II on board Ethernet                                                            
    < >     CS89x0 support                                                                              
    < >     DECchip Tulip (dc21x4x) PCI support                                                         
    < >     TOSHIBA TC35815 Ethernet support                                                            
    < >     Generic DECchip & DIGITAL EtherWORKS PCI/EISA                                               
    < >     Digi Intl. RightSwitch SE-X support                                                         
    < >     Davicom DM910x/DM980x support                                                               
    <*>     EtherExpressPro/100 support                                                                 
    < >     Myson MTD-8xx PCI Ethernet support                                                          
    < >     National Semiconductor DP8381x series PCI Ethernet support                                  
    < >     PCI NE2000 and clones support (see help)                                                    
    < >     RealTek RTL-8139 C+ PCI Fast Ethernet Adapter support (EXPERIMENTAL)                        
    < >     RealTek RTL-8139 PCI Fast Ethernet Adapter support                                          
    < >     SiS 900/7016 PCI Fast Ethernet Adapter support                                              
    < >     SMC EtherPower II                                                                           
    < >     Sundance Alta support                                                                       
    < >     TI ThunderLAN support                                                                       
    < >     VIA Rhine support                                                                           
    < >     Winbond W89c840 Ethernet support                                                            
    [ ]   Pocket and portable adapters

Settings needed for the bridge feature:

Networking options  --->
  <*> Packet socket                                                                        
    [ ]   Packet socket: mmapped IO                                                          
    < > Netlink device emulation                                                             
    [*] Network packet filtering (replaces ipchains)                                         
    [ ]   Network packet filtering debugging                                                   
    [*] Socket Filtering                                                                     
    <*> Unix domain sockets                                                                  
    [*] TCP/IP networking                                                                    
    [*]   IP: multicasting                                                                   
    [ ]   IP: advanced router                                                                
    [ ]   IP: kernel level autoconfiguration                                                 
    < >   IP: tunneling                                                                        
    < >   IP: GRE tunnels over IP                                                            
    [ ]   IP: multicast routing                                                              
    [ ]   IP: ARP daemon support (EXPERIMENTAL)                                              
    [ ]   IP: TCP Explicit Congestion Notification support                                     
    [ ]   IP: TCP syncookie support (disabled per default)                                     
      IP: Netfilter Configuration  --->                                                        
    < >   The IPv6 protocol (EXPERIMENTAL)                                                     
    < >   Kernel httpd acceleration (EXPERIMENTAL)                                             
    [ ] Asynchronous Transfer Mode (ATM) (EXPERIMENTAL)                                        
    < > 802.1Q VLAN Support                                                                    
    ---                                                                                        
    < > The IPX protocol                                                                       
    < > Appletalk protocol support                                                           
    Appletalk devices  --->
    < > DECnet Support                                                                         
    <*> 802.1d Ethernet Bridging                                                             
    [*]   netfilter (firewalling) support                                                    
    < > CCITT X.25 Packet Layer (EXPERIMENTAL)                                               
    < > LAPB Data Link Driver (EXPERIMENTAL)                                                 
    [ ] 802.2 LLC (EXPERIMENTAL)                                                             
    [ ] Frame Diverter (EXPERIMENTAL)                                                        
    < > Acorn Econet/AUN protocols (EXPERIMENTAL)                                            
    < > WAN router                                                                           
    [ ] Fast switching (read help!)                                                          
    [ ] Forwarding between high speed interfaces                                             
    QoS and/or fair queueing  --->                                                           
    Network testing  --->

Build each of the iptables features as a module. Pressing the space bar twice on an item marks it M, which means it is built as a module; selecting * builds it directly into the kernel. Building as modules lets you load only what you actually need and avoids wasting memory.

Networking options  --->
  IP: Netfilter Configuration  --->
    <M> Connection tracking (required for masq/NAT)                                             
    <M>   FTP protocol support                                                                  
    <M>   IRC protocol support                                                                  
    <M> Userspace queueing via NETLINK (EXPERIMENTAL)                                           
    <*> IP tables support (required for filtering/masq/NAT)                                     
    <M>   limit match support                                                                   
    <M>   MAC address match support                                                             
    <M>   netfilter MARK match support                                                          
    <M>   Multiple port match support                                                           
    <M>   TOS match support                                                                     
    <M>   AH/ESP match support                                                                  
    <M>   LENGTH match support                                                                  
    <M>   TTL match support                                                                     
    <M>   tcpmss match support                                                                  
    <M>   Connection state match support                                                        
    <M>   Unclean match support (EXPERIMENTAL)                                                  
    <M>   String match support (EXPERIMENTAL)                                                   
    <M>   Owner match support (EXPERIMENTAL)                                                    
    <M>   Packet filtering                                                                      
    <M>     REJECT target support                                                               
    <M>     MIRROR target support (EXPERIMENTAL)                                                
    <M>   Full NAT                                                                              
    <M>     MASQUERADE target support                                                           
    <M>     REDIRECT target support                                                             
    [*]     NAT of local connections (READ HELP)                                            
    <M>     Basic SNMP-ALG support (EXPERIMENTAL)


3.3. Compiling the Kernel

Now it is time to compile the patched kernel.

On Debian it is convenient to build a kernel package and install the kernel from it; this requires the kernel-package package.

# cd /usr/src/linux
/usr/src/linux# make-kpkg --revision=1.0 binary-arch              this creates the kernel-headers and kernel-image packages in /usr/src
/usr/src/linux# cd ..
/usr/src# ls
-rw-r--r--    1 root     root        30158 Mar 27 20:39 bridge-nf-0.0.7-against-2.4.19.diff
-rw-r--r--    1 root     src       3961230 Apr  9 22:58 kernel-headers-2.4.19_1.0_i386.deb            kernel headers
-rw-r--r--    1 root     src       1274482 Apr  9 22:58 kernel-image-2.4.19_1.0_i386.deb              kernel image
lrwxrwxrwx    1 root     src            12 May 14 04:24 linux -> linux-2.4.19
drwxr-xr-x   15 573      573           888 Jun 29 06:38 linux-2.4.19
/usr/src# dpkg -i kernel-headers-2.4.19_1.0_i386.deb
/usr/src# dpkg -i kernel-image-2.4.19_1.0_i386.deb

When installing the kernel image, answer N where it asks to create a boot disk, and answer Y where it asks to create the /vmlinuz link.

If lilo is the boot loader:
# lilo
If GRUB is the boot loader, edit /boot/grub/menu.lst so that the new kernel can be booted.

For Linux distributions other than Debian:

# cd /usr/src/linux
/usr/src/linux# make dep && make bzImage && make modules && make modules_install
/usr/src/linux# cd arch/i386/boot/
/usr/src/linux/arch/i386/boot# cp bzImage /boot/vmlinuz-2.4.19

If lilo is the boot loader:
Edit /etc/lilo.conf; it will contain a section like the following.
image=/boot/vmlinuz-2.4.19
        label=Linux
Save the file and run
# lilo

If GRUB is the boot loader:
/boot/grub/menu.lst contains a section like the following; enter the path of the compiled kernel image.
title Linux
root (hd0,1)
kernel /boot/vmlinuz-2.4.19 root=/dev/hda2


3.4. Installing bridge-utils

Installing the program used to control the bridge.

Compile and install bridge-utils from source:

# tar vxzf bridge-utils-0.9.6.tar.gz
# cd bridge-utils
~/bridge-utils# ./configure
~/bridge-utils# make
~/bridge-utils# make install


3.5. Installing iptables

Installing iptables, the tool used to issue the packet-control commands.

Compile and install iptables from source; KERNEL_DIR=/usr/src/linux must point to the directory holding the kernel source.

# tar vjxf iptables-1.2.8.tar.bz2
# cd iptables-1.2.8
~/iptables-1.2.8# make KERNEL_DIR=/usr/src/linux
~/iptables-1.2.8# make install KERNEL_DIR=/usr/src/linux
~/iptables-1.2.8# make install-devel


4. Startup Script and Detailed Settings

4.1. A Basic Understanding of Packets

Translated into Korean, "packet" means a parcel or a bundle of letters. So what exactly is a packet?

Take the telephone as an example. Today's analog telephone is circuit-switched: when we dial, the exchange connects us to the telephone in another house. The connection is made whether or not the call is answered, which means the connected circuit is occupied. Even if nobody answers and no conversation takes place, the circuit is in use because the connection has been made.

Applying this model to the Internet would be hugely inefficient, so the Internet uses packets instead. A packet is a small chunk of data. When you download a file over FTP, it looks as though the file arrives all at once, but in reality the file is split into hundreds or thousands of packets that are sent to you; your computer receives the packets and reassembles them into the file.

When we use the Internet, we browse the web with a browser, download files with FTP and exchange messages with a messenger. On the LAN cable attached to our computer, the packets of the HTML file the browser requested, the packets of the file being transferred over FTP and the packets of messenger messages all travel intermixed. Even though they are mixed, each packet carries its own information, so they are not confused and many things can happen at once. With a telephone, the circuit is fully occupied, so only one thing can be done at a time.

Now let's look at how a firewall works. A firewall classifies packets and decides whether to let each packet through, reject it, or drop it. Depending on how packets are controlled through iptables, connections can be blocked or allowed, and worm packets can be blocked by string matching.


4.2. Writing the Bridge and iptables Script

iptables rules exist only in memory even after the commands have been issued, so they disappear on reboot. A script that runs at boot time therefore has to be created.

Many example iptables scripts are posted on the Internet. At first I copied them as they were, but because I used them without understanding their contents, they did not work properly. The most important thing is to understand packets and have basic knowledge of the protocols. The network where you install this firewall will not be identical to mine, so you will need to rewrite the script to fit your own network.

Save the script below as /etc/init.d/bridgefirewall so that it runs at boot. Read the comments in the script and adjust the settings to your own network. The network used in the examples from here on is as follows; the IP addresses are of course fictitious. Both the firewall and the network protected behind it use public IP addresses.

  • Firewall's own IP: 234.234.200.10

  • Broadcast: 234.234.200.255

  • IPs in use: 234.234.200.0 ~ 234.234.200.255

#!/bin/sh

BR_IP="234.234.200.10"
# The firewall's own IP. A bridge firewall normally has no IP address at all,
# but without one it cannot be reached remotely and you have to sit at the
# firewall machine itself to work on it, which makes administration awkward.
# So an IP is assigned for management, and it is configured so that only the
# internal network can connect to it. If this worries you from a security
# standpoint, leave the IP unassigned; then remote access is impossible.

BR_IFACE="pyrasis-br"     # bridge name; use whatever name you like

LAN_BCAST_ADDRESS="234.234.200.255"       # broadcast address
INTERNAL_ADDRESS_RANGE="234.234.200.0/24" # network range
INTERNAL_ADDRESS="255.255.255.0"          # netmask

INET_IFACE="eth0" # NIC connected to the line coming in from outside
LAN_IFACE="eth1"  # NIC connected to the internal network

LO_IFACE="lo"
LO_IP="127.0.0.1"

IPTABLES="/usr/local/sbin/iptables" # absolute path of iptables

#########
/sbin/depmod -a

# The lines below load the kernel modules used by iptables.
# On Debian, if you select the modules to load in modconf, there is no need
# to list them here at every boot.
# On other distributions the required modules must be loaded as below so that
# iptables recognises each of the commands.
/sbin/insmod /lib/modules/2.4.19/kernel/net/ipv4/netfilter/iptable_filter.o
/sbin/insmod /lib/modules/2.4.19/kernel/net/ipv4/netfilter/ip_conntrack.o
/sbin/insmod /lib/modules/2.4.19/kernel/net/ipv4/netfilter/iptable_nat.o
/sbin/insmod /lib/modules/2.4.19/kernel/net/ipv4/netfilter/ip_conntrack_ftp.o
/sbin/insmod /lib/modules/2.4.19/kernel/net/ipv4/netfilter/ip_conntrack_irc.o
/sbin/insmod /lib/modules/2.4.19/kernel/net/ipv4/netfilter/ipt_string.o
/sbin/insmod /lib/modules/2.4.19/kernel/net/ipv4/netfilter/ipt_state.o
/sbin/insmod /lib/modules/2.4.19/kernel/net/ipv4/netfilter/ipt_REJECT.o
/sbin/insmod /lib/modules/2.4.19/kernel/net/ipv4/netfilter/ipt_REDIRECT.o
/sbin/insmod /lib/modules/2.4.19/kernel/net/ipv4/netfilter/ipt_MASQUERADE.o
/sbin/insmod /lib/modules/2.4.19/kernel/net/ipv4/netfilter/ip_nat_snmp_basic.o
/sbin/insmod /lib/modules/2.4.19/kernel/net/ipv4/netfilter/ip_nat_ftp.o
/sbin/insmod /lib/modules/2.4.19/kernel/net/ipv4/netfilter/ip_nat_irc.o

ifconfig $INET_IFACE down   # reset the configuration of all NICs
ifconfig $LAN_IFACE down
ifconfig $BR_IFACE down

ifconfig $INET_IFACE 0.0.0.0  # give the NICs that will form the bridge the address 0.0.0.0
ifconfig $LAN_IFACE 0.0.0.0

$IPTABLES -F  # flush the rules in every chain
$IPTABLES -X  # delete user-defined chains (initialisation)

# Default policies.
# INPUT (incoming) DROP.
# OUTPUT (outgoing) ACCEPT. INPUT and OUTPUT are packets to and from the firewall host itself.
# FORWARD DROP: the most important part.
# Every packet passing through the bridge firewall is controlled in the FORWARD chain.
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD DROP

# Bridge setup
/usr/local/sbin/brctl addbr $BR_IFACE
/usr/local/sbin/brctl addif $BR_IFACE $INET_IFACE
/usr/local/sbin/brctl addif $BR_IFACE $LAN_IFACE

# Bridge IP setup
if [ "$BR_IP" != "" ] ; then
    ifconfig $BR_IFACE $BR_IP broadcast $LAN_BCAST_ADDRESS netmask $INTERNAL_ADDRESS
else
    ifconfig $BR_IFACE up
fi

# Firewall SSH
# Settings for the firewall host itself.
# Allow connections from 234.234.200.0 through .255 to port 22 on the firewall,
# so it can be reached only from inside the company and only over SSH.
# To allow only the administrator's particular IP, write something like
# 234.234.200.12 instead of 234.234.200.0/24.
$IPTABLES -A INPUT -p tcp -s 234.234.200.0/24 --dport 22 -j ACCEPT

# Deny IP list
# This is only an example; use it if you need it.
# The first rule drops ICMP packets coming from 10.105.4.202 (tcp or udp can be used instead of icmp).
# The second blocks by MAC address: packets from the MAC address below are dropped.
#$IPTABLES -A FORWARD -p icmp -s 10.105.4.202 -j DROP
#$IPTABLES -A FORWARD -m mac --mac-source 00:02:2A:C4:86:17 -j DROP

# Nimda, CodeRed
# Rules that block Nimda and CodeRed packets
$IPTABLES -A FORWARD -p tcp --tcp-flags ACK ACK --dport 80 -m string --string "/default.ida?" -j REJECT --reject-with tcp-reset
$IPTABLES -A FORWARD -p tcp --tcp-flags ACK ACK --dport 80 -m string --string "XXXXXXXX" -j REJECT --reject-with tcp-reset
$IPTABLES -A FORWARD -p tcp --tcp-flags ACK ACK --dport 80 -m string --string "cmd.exe" -j REJECT --reject-with tcp-reset
$IPTABLES -A FORWARD -p tcp --tcp-flags ACK ACK --dport 80 -m string --string "root.exe?" -j REJECT --reject-with tcp-reset

# SQL Slammer
# Rule that blocks SQL Slammer worm packets
$IPTABLES -A FORWARD -p udp -m string --string "Qh.dllhel32hkern" -j REJECT

# For a web server that uses only port 80: string-check the packets going to
# port 80 for Nimda and CodeRed, then open port 80. iptables takes the first
# matching rule, so the ACCEPT must come after the REJECT rules or they would
# never be reached. (The generic port-80 rules above already catch these
# strings; this block shows the per-host form.)
$IPTABLES -A FORWARD -p tcp -d 234.234.200.5 --tcp-flags ACK ACK --dport 80 -m string --string "/default.ida?" -j REJECT --reject-with tcp-reset
$IPTABLES -A FORWARD -p tcp -d 234.234.200.5 --tcp-flags ACK ACK --dport 80 -m string --string "XXXXXXXX" -j REJECT --reject-with tcp-reset
$IPTABLES -A FORWARD -p tcp -d 234.234.200.5 --tcp-flags ACK ACK --dport 80 -m string --string "cmd.exe" -j REJECT --reject-with tcp-reset
$IPTABLES -A FORWARD -p tcp -d 234.234.200.5 --tcp-flags ACK ACK --dport 80 -m string --string "root.exe?" -j REJECT --reject-with tcp-reset
$IPTABLES -A FORWARD -p tcp -d 234.234.200.5 --dport 80 -j ACCEPT

# MSN
$IPTABLES -A FORWARD -p tcp -d 234.234.200.0/24 --dport 1863:1864 -j ACCEPT
$IPTABLES -A FORWARD -p tcp -d 234.234.200.0/24 --dport 6901 -j ACCEPT
$IPTABLES -A FORWARD -p tcp -d 234.234.200.0/24 --dport 7801:7825 -j ACCEPT
$IPTABLES -A FORWARD -p tcp -d 234.234.200.0/24 --dport 6891:6900 -j ACCEPT

# KTiman
$IPTABLES -A FORWARD -p tcp -d 234.234.200.0/24 --dport 10020 -j ACCEPT
$IPTABLES -A FORWARD -p tcp -d 234.234.200.0/24 --dport 10250 -j ACCEPT

# IRC
$IPTABLES -A FORWARD -p tcp --dport 6667 -j ACCEPT
$IPTABLES -A FORWARD -p tcp --sport 6667 -j ACCEPT

# Remote
$IPTABLES -A FORWARD -p tcp --sport 6009 -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 6009 -j ACCEPT

# FTP Client
$IPTABLES -A FORWARD -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 113 -j ACCEPT
$IPTABLES -A FORWARD -p tcp --sport 113 -j ACCEPT

# syn packet drop
$IPTABLES -A FORWARD -p tcp --syn -d 234.234.200.0/24 -j DROP

# net send drop
$IPTABLES -A FORWARD -p tcp --syn -d 234.234.200.0/24 --sport 139 -j DROP
$IPTABLES -A FORWARD -p tcp --syn -d 234.234.200.0/24 --sport 2603 -j DROP
$IPTABLES -A FORWARD -p udp -d 234.234.200.0/24 --dport 135 -j DROP

$IPTABLES -A FORWARD -p ALL -j ACCEPT
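iptables evaluates the rules of a chain from top to bottom and the first rule that matches decides the packet's fate. The model below, an added example rather than the page's script, reproduces that behaviour for the web-server rules so you can see that an ACCEPT placed before the string-match REJECT rules leaves those REJECT rules unreachable; the rule sets, packet payloads and function names (fw_decide, unreachable_rules) are constructed for this example.

```shell
#!/bin/sh
# First-match model of an iptables FORWARD chain. Added example, not the
# page's script. Rule lines are "ACTION DPORT PATTERN"; '-' means any port
# or no string match. The rule sets and payloads below are constructed.

# Order as in the web-server block of the boot script: ACCEPT first.
RULES_ACCEPT_FIRST='ACCEPT 80 -
REJECT 80 /default.ida?
REJECT 80 cmd.exe
REJECT 80 root.exe?'

# Corrected order: the string-match REJECT rules before the broad ACCEPT.
RULES_REJECT_FIRST='REJECT 80 /default.ida?
REJECT 80 cmd.exe
REJECT 80 root.exe?
ACCEPT 80 -'

# fw_decide RULES DPORT PAYLOAD -> action of the first matching rule, or the
# chain policy DROP when nothing matches (the script sets -P FORWARD DROP).
fw_decide() {
    rules=$1
    dport=$2
    payload=$3
    while read -r action port pattern; do
        [ -n "$action" ] || continue
        # --dport: '-' matches any port
        if [ "$port" != - ] && [ "$port" != "$dport" ]; then
            continue
        fi
        # -m string --string: a literal substring of the packet payload
        if [ "$pattern" != - ]; then
            case "$payload" in
                *"$pattern"*) ;;
                *) continue ;;
            esac
        fi
        echo "$action"
        return 0
    done <<EOF
$rules
EOF
    echo DROP
}

# unreachable_rules RULES -> prints the rules that can never match because an
# earlier rule on the same port already matches every packet on that port
unreachable_rules() {
    seen_any_port=""
    while read -r action port pattern; do
        [ -n "$action" ] || continue
        case " $seen_any_port " in
            *" $port "*) echo "$action $port $pattern" ;;
        esac
        if [ "$pattern" = - ]; then
            seen_any_port="$seen_any_port $port"
        fi
    done <<EOF
$1
EOF
}

# Constructed CodeRed-style request to the web server
CODERED='GET /default.ida?XXXXXXXX HTTP/1.0'
echo "ACCEPT first: $(fw_decide "$RULES_ACCEPT_FIRST" 80 "$CODERED")"
echo "REJECT first: $(fw_decide "$RULES_REJECT_FIRST" 80 "$CODERED")"
echo "Unreachable rules in the ACCEPT-first set:"
unreachable_rules "$RULES_ACCEPT_FIRST"
```

Like `-m string` in the 2.4 kernel, the model inspects one packet's payload at a time, so a signature split across two packets is not seen by either.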

Meaning of the network range notation

Earlier we set a network range: 234.234.200.0 through 234.234.200.255 was written as 234.234.200.0/24. Let's see why it is written this way.

표 1. IP ÁÖ¼ÒÀÇ ¹üÀ§ Ç¥Çö

11111111.11111111.11111111.11111111
.101112131415.1617181920212223.2425262728293031

À§ÀÇ Ç¥´Â 255.255.255.255¸¦ 2Áø¼ö·Î Ç¥ÇöÇÑ °ÍÀÌ°í µÎ¹ø° ÁÙÀº °¢ ºñÆ®ÀÇ ¼ø¼­ÀÌ´Ù.

234.234.200.0/24¶ó°í ÇÒ¶§ 234.234.200.0ºÎÅÍ 234.234.200.255±îÁö µÇ´Â ÀÌÀ¯´Â 0/24 ¿¡¼­ 24¹ø° ºñÆ®±îÁö¸¦ ÀǹÌÇÑ´Ù.

표 2. 0/24

.11111111
.2425262728293031

24 ¹ø° ºñÆ®±îÁö À̸é 1 1 1 1 1 1 1 1Áï 255´Ù. 0ºÎÅÍ 255±îÁö¶ó´Â ¸»ÀÌ´Ù

0/25¶ó°í Çϸé 0 1 1 1 1 1 1 1·Î 128ÀÌ µÈ´Ù. 0ºÎÅÍ 128ÀÌ µÈ´Ù.

0/26À̸é 0 0 1 1 1 1 1 1·Î 0ºÎÅÍ 64

128/25¶ó¸é. 128 ºÎÅÍ 255±îÁö »ç¿ëÇÑ´Ù´Â °ÍÀÌ´Ù.
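As an added example that is not part of the HOWTO, the shell functions below derive the first and last address of a block from its prefix length, for the /24, /25 and /26 blocks discussed above and for any other prefix; the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the HOWTO: derive the address range of a
# CIDR block such as 234.234.200.0/24 from its prefix length.

# ip2int A.B.C.D -> the address as one 32-bit integer
ip2int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int2ip N -> A.B.C.D
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# cidr_range A.B.C.D/N -> "FIRST LAST COUNT"
# The first N bits are the network part and stay fixed; the remaining
# 32-N bits are the host part and run from all zeros to all ones.
cidr_range() {
    addr=${1%/*}
    plen=${1#*/}
    ip=$(ip2int "$addr")
    mask=$(( (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF ))
    first=$(( ip & mask ))
    last=$(( first | (~mask & 0xFFFFFFFF) ))
    echo "$(int2ip "$first") $(int2ip "$last") $(( last - first + 1 ))"
}

cidr_range 234.234.200.0/24    # -> 234.234.200.0 234.234.200.255 256
cidr_range 234.234.200.0/25    # -> 234.234.200.0 234.234.200.127 128
cidr_range 234.234.200.128/25  # -> 234.234.200.128 234.234.200.255 128
```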


4.3. Changing the policy

We need to be able to modify the policy once the firewall has booted. That takes one more script, which is easy to make: cut out just the iptables commands from the boot script above, leaving out the bridge setup, and save them as a script. A simple policy change is then just a matter of running that script.

The following script changes the policy after the firewall has booted. Save it as ipt-sh, run chmod 755 ipt-sh, and execute it with ./ipt-sh.

#!/bin/sh
IPTABLES="/usr/local/sbin/iptables"

$IPTABLES -F  # flush the rules of every chain.
$IPTABLES -X  # delete user-defined chains; initialization.

# Firewall SSH
$IPTABLES -A INPUT -p tcp -s 234.234.200.0/24 --dport 22 -j ACCEPT

#$IPTABLES -A FORWARD -p icmp -s 10.105.4.202 -j DROP
#$IPTABLES -A FORWARD -m mac --mac-source 00:02:2A:C4:86:17 -j DROP

# Nimda, CodeRed
$IPTABLES -A FORWARD -p tcp --tcp-flags ACK ACK --dport 80 -m string --string "/default.ida?" -j REJECT --reject-with tcp-reset
$IPTABLES -A FORWARD -p tcp --tcp-flags ACK ACK --dport 80 -m string --string "XXXXXXXX" -j REJECT --reject-with tcp-reset
$IPTABLES -A FORWARD -p tcp --tcp-flags ACK ACK --dport 80 -m string --string "cmd.exe" -j REJECT --reject-with tcp-reset
$IPTABLES -A FORWARD -p tcp --tcp-flags ACK ACK --dport 80 -m string --string "root.exe?" -j REJECT --reject-with tcp-reset

# SQL Slammer
$IPTABLES -A FORWARD -p udp -m string --string "Qh.dllhel32hkern" -j REJECT

# WebServer
$IPTABLES -A FORWARD -p tcp -d 234.234.200.5 --dport 80 -j ACCEPT
$IPTABLES -A FORWARD -p tcp -d 234.234.200.5 --tcp-flags ACK ACK --dport 80 -m string --string "/default.ida?" -j REJECT --reject-with tcp-reset
$IPTABLES -A FORWARD -p tcp -d 234.234.200.5 --tcp-flags ACK ACK --dport 80 -m string --string "XXXXXXXX" -j REJECT --reject-with tcp-reset
$IPTABLES -A FORWARD -p tcp -d 234.234.200.5 --tcp-flags ACK ACK --dport 80 -m string --string "cmd.exe" -j REJECT --reject-with tcp-reset
$IPTABLES -A FORWARD -p tcp -d 234.234.200.5 --tcp-flags ACK ACK --dport 80 -m string --string "root.exe?" -j REJECT --reject-with tcp-reset

# MSN
$IPTABLES -A FORWARD -p tcp -d 234.234.200.0/24 --dport 1863:1864 -j ACCEPT
$IPTABLES -A FORWARD -p tcp -d 234.234.200.0/24 --dport 6901 -j ACCEPT
$IPTABLES -A FORWARD -p tcp -d 234.234.200.0/24 --dport 7801:7825 -j ACCEPT
$IPTABLES -A FORWARD -p tcp -d 234.234.200.0/24 --dport 6891:6900 -j ACCEPT

# KTiman
$IPTABLES -A FORWARD -p tcp -d 234.234.200.0/24 --dport 10020 -j ACCEPT
$IPTABLES -A FORWARD -p tcp -d 234.234.200.0/24 --dport 10250 -j ACCEPT

# IRC
$IPTABLES -A FORWARD -p tcp --dport 6667 -j ACCEPT
$IPTABLES -A FORWARD -p tcp --sport 6667 -j ACCEPT

# Remote
$IPTABLES -A FORWARD -p tcp --sport 6009 -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 6009 -j ACCEPT

# FTP Client
$IPTABLES -A FORWARD -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 113 -j ACCEPT
$IPTABLES -A FORWARD -p tcp --sport 113 -j ACCEPT

# syn packet drop
$IPTABLES -A FORWARD -p tcp --syn -d 234.234.200.0/24 -j DROP

# net send drop
$IPTABLES -A FORWARD -p tcp --syn -d 234.234.200.0/24 --sport 139 -j DROP
$IPTABLES -A FORWARD -p tcp --syn -d 234.234.200.0/24 --sport 2603 -j DROP
$IPTABLES -A FORWARD -p udp -d 234.234.200.0/24 --dport 135 -j DROP

$IPTABLES -A FORWARD -p ALL -j ACCEPT

$IPTABLES -L


4.4. Basic command usage

Let's look at the basics of how packets are handled by giving commands to iptables.

-A FORWARD : append a rule to the FORWARD chain. This is used most often.

-A INPUT, -A OUTPUT : append a rule to the INPUT or OUTPUT chain; these govern packets arriving at or leaving the firewall itself. Rarely used.

-p tcp : the TCP protocol (Web, FTP, Telnet, SSH, etc.)

-p udp : the UDP protocol

-p icmp : the ICMP protocol (ping)

-d : destination IP, e.g. -d 234.234.200.123

-s : source IP, e.g. -s 234.234.200.123

--dport : destination port, e.g. --dport 80, or --dport 80:90 for ports 80 through 90

--sport : source port, e.g. --sport 80, or --sport 80:90 for ports 80 through 90

Earlier we set INTERNAL_ADDRESS_RANGE="234.234.200.0/24". It stands for the internal network, so the two commands below are equivalent. The boot script merely put the address into the variable INTERNAL_ADDRESS_RANGE; to make things easier to follow, the rest of this document writes the address out directly, because a screen full of variables is hard for a first-time reader to understand. Start by writing the address directly; anyone who prefers the variable is free to use it.

$IPTABLES -A FORWARD -p tcp -d $INTERNAL_ADDRESS_RANGE --dport 80 -j DROP
$IPTABLES -A FORWARD -p tcp -d 234.234.200.0/24 --dport 80 -j DROP

In iptables we set the default policy of the FORWARD chain to DROP, so everything is blocked unless a rule accepts it. When writing the policy, open the ports you want open first and block everything afterwards. Rules are matched in order, so if you block everything first and then add the rules that open ports, those ports never get opened.

The boot script above drops SYN packets. This means: in the FORWARD chain (-A FORWARD), for the TCP protocol (-p tcp), SYN packets (--syn) whose destination IP is in 234.234.200.0/24 (-d 234.234.200.0/24) are dropped (-j DROP).

# syn packet drop
$IPTABLES -A FORWARD -p tcp --syn -d 234.234.200.0/24 -j DROP
$IPTABLES -A FORWARD -p ALL -j ACCEPT

The reason for dropping SYN packets is to block TCP connections into the internal network 234.234.200.0/24, that is, inbound connections to telnet, web, FTP and other services that use TCP. A SYN packet is the initial connection-request packet of the TCP protocol; we drop it when its destination IP is in the internal network. Traffic going from the inside out is not blocked. Be careful: if, instead of blocking SYN packets, you simply block all TCP whose destination is the internal network, nothing that uses TCP, the web included, will work any more. Packets can still leave, but the replies cannot come back in, so no communication takes place. The second line is the command that accepts all protocols; without it nothing gets through. It must be there, because the default policy of FORWARD is DROP.

Opening and blocking specific ports

# Block port 21: drop packets whose destination IP is internal and whose destination port is 21. The effect is that
# programs using TCP port 21 can no longer communicate from the inside. Using -s 234.234.200.0/24 instead has the same
# effect, since then the source IP is internal and the destination is port 21 on the outside.
$IPTABLES -A FORWARD -p tcp -d 234.234.200.0/24 --dport 21 -j DROP

# Open port 21: accept packets whose destination IP is internal and whose destination port is 21. The effect is that TCP connections can be made from the outside to the inside.
$IPTABLES -A FORWARD -p tcp -d 234.234.200.0/24 --dport 21 -j ACCEPT

# The SYN packet drop shown above must always come at the end of the policy. Otherwise, no matter what you open or close,
# nothing gets through, because the default policy of the FORWARD chain was set to DROP.

Blocking a specific port is used, for instance in a company, to stop people using programs that work on particular ports (P2P and the like).

Opening a specific port is used when there is a mail server, web server or similar behind the firewall and the ports those servers use must be let through.
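The ordering from section 4.4 (accept rules first, then the SYN drop, then the catch-all ACCEPT that the DROP default policy needs) is easy to get wrong when ipt-sh is edited by hand. As an added example that is not the HOWTO's own script, the shell snippet below generates the FORWARD rules in that order and lints a saved rule file before it is loaded; the echo default for IPTABLES, the function names and the port lists are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example, not the HOWTO's own script. Generates the FORWARD rules
# in the order the text requires and checks that order in a saved file.
# IPTABLES defaults to echo so the rules are only previewed; point it at
# the real binary (/usr/local/sbin/iptables) to load them.
IPTABLES=${IPTABLES:-echo}
INTERNAL_ADDRESS_RANGE="234.234.200.0/24"

# forward_policy "BLOCKED_PORTS" "OPEN_PORTS"
# Order: specific blocks, then the ports to open, then the SYN drop that
# stops every other inbound TCP connection, then the catch-all ACCEPT
# without which the DROP default policy of FORWARD blocks everything.
forward_policy() {
    for p in $1; do
        $IPTABLES -A FORWARD -p tcp -d $INTERNAL_ADDRESS_RANGE --dport $p -j DROP
    done
    for p in $2; do
        $IPTABLES -A FORWARD -p tcp -d $INTERNAL_ADDRESS_RANGE --dport $p -j ACCEPT
    done
    $IPTABLES -A FORWARD -p tcp --syn -d $INTERNAL_ADDRESS_RANGE -j DROP
    $IPTABLES -A FORWARD -p ALL -j ACCEPT
}

# lint_order FILE: succeeds only if no "--dport N -j ACCEPT" rule comes
# after the SYN drop (it would never match) and the catch-all ACCEPT
# comes after the SYN drop.
lint_order() {
    awk '
        /--syn .* -j DROP/          { syn = NR }
        /--dport [0-9:]+ -j ACCEPT/ { if (syn) bad = 1 }
        /-p ALL -j ACCEPT/          { all = NR }
        END { if (bad || !syn || !all || all < syn) exit 1; exit 0 }
    ' "$1"
}

# Preview: block port 21, open ports 80 and 25, in the correct order.
forward_policy "21" "80 25"
```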


4.5. Frequently used settings

Certain things come up again and again when running a firewall. Let's look at the settings for instant messengers, FTP and so on.

Instant messengers such as MSN. Each messenger's web site lists the ports it uses; look those up and adjust the rules accordingly. A messenger will still work even if its ports are not opened, but things like file transfer may then fail.

# MSN
$IPTABLES -A FORWARD -p tcp -d 234.234.200.0/24 --dport 1863:1864 -j ACCEPT
$IPTABLES -A FORWARD -p tcp -d 234.234.200.0/24 --dport 6901 -j ACCEPT
$IPTABLES -A FORWARD -p tcp -d 234.234.200.0/24 --dport 7801:7825 -j ACCEPT
$IPTABLES -A FORWARD -p tcp -d 234.234.200.0/24 --dport 6891:6900 -j ACCEPT

# KTiman
$IPTABLES -A FORWARD -p tcp -d 234.234.200.0/24 --dport 10020 -j ACCEPT
$IPTABLES -A FORWARD -p tcp -d 234.234.200.0/24 --dport 10250 -j ACCEPT

Settings that allow FTP clients to be used

# FTP Client
$IPTABLES -A FORWARD -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 113 -j ACCEPT
$IPTABLES -A FORWARD -p tcp --sport 113 -j ACCEPT

Packet string search (string match support): Nimda and CodeRed packets

#$IPTABLES -A FORWARD -p tcp -d 234.234.200.1 --tcp-flags ACK ACK --dport 80 -m string --string "/default.ida?" -j REJECT --reject-with tcp-reset
#$IPTABLES -A FORWARD -p tcp -d 234.234.200.1 --tcp-flags ACK ACK --dport 80 -m string --string "XXXXXXXX" -j REJECT --reject-with tcp-reset
#$IPTABLES -A FORWARD -p tcp -d 234.234.200.1 --tcp-flags ACK ACK --dport 80 -m string --string "cmd.exe" -j REJECT --reject-with tcp-reset
#$IPTABLES -A FORWARD -p tcp -d 234.234.200.1 --tcp-flags ACK ACK --dport 80 -m string --string "root.exe?" -j REJECT --reject-with tcp-reset

In the commands above, --string "cmd.exe" means that a packet containing the string cmd.exe is blocked or rejected, and --tcp-flags ACK ACK denotes the packets of an initial connection in the TCP protocol.

net send (pop-up spam): how to block the spam that pops up message windows on Windows 2000 and later

# net send drop
$IPTABLES -A FORWARD -p tcp --syn -d 234.234.200.0/24 --sport 139 -j DROP
$IPTABLES -A FORWARD -p tcp --syn -d 234.234.200.0/24 --sport 2603 -j DROP
$IPTABLES -A FORWARD -p udp -d 234.234.200.0/24 --dport 135 -j DROP


4.6. Kernel log daemon configuration

When the firewall is running, a great many messages will be printed to the screen. If this makes it hard to type commands, change the kernel log daemon's configuration.

Create the file /sbin/klogd_start. It sets the kernel log daemon's logging level; the level controls which messages are printed to the console.

#!/bin/sh
/sbin/klogd -c 1

This is the file /etc/init.d/klogd. It starts the kernel log daemon at boot.

#! /bin/sh
# /etc/init.d/klogd: start the kernel log daemon.

PATH=/bin:/usr/bin:/sbin:/usr/sbin

pidfile=/var/run/klogd.pid
#binpath=/sbin/klogd
binpath=/sbin/klogd
binpath_start=/sbin/klogd_start # the script created above

test -f $binpath || exit 0

#  Use KLOGD="-k /boot/System.map-$(uname -r)" to specify System.map
#
KLOGD=""

running()
{
    # No pidfile, probably no daemon present
    #
    if [ ! -f $pidfile ]
    then
        return 1
    fi

    pid=`cat $pidfile`

    # No pid, probably no daemon present
    #
    if [ -z "$pid" ]
    then
        return 1
    fi

    cmd=`cat /proc/$pid/cmdline | tr "\000" "\n"|head -1`

    # No syslogd?
    #
    if [ "$cmd" != "$binpath" ]
    then
        return 1
    fi

    return 0
   }

case "$1" in
  start)
    echo -n "Starting kernel log daemon: klogd"
    start-stop-daemon --start --quiet --exec $binpath_start -- $KLOGD
    # make the start action run the script created above.
    echo "."
    ;;
  stop)
    echo -n "Stopping kernel log daemon: klogd"
    start-stop-daemon --stop --quiet --exec $binpath --pidfile $pidfile
    echo "."
    ;;
  restart|force-reload)
    echo -n "Stopping kernel log daemon: klogd"
    start-stop-daemon --stop --quiet --exec $binpath --pidfile $pidfile
    echo "."
    sleep 1
    echo -n "Starting kernel log daemon: klogd"
    start-stop-daemon --start --quiet --exec $binpath_start -- $KLOGD
    echo "."
    ;;
  reload-or-restart)
    if running
    then
        start-stop-daemon --stop --quiet --signal 1 --exec $binpath --pidfile $pidfile
    else
        start-stop-daemon --start --quiet --exec $binpath_start -- $KLOGD
    fi
    ;;
  *)
    echo "Usage: /etc/init.d/klogd {start|stop|restart|force-reload|reload-or-restart}"
    exit 1
esac

exit 0

The startup script above may differ between distributions, but all it needs to do is run the klogd_start script.

That is all for now. Anyone new to Linux will find the kernel compilation and configuration parts hard going. This document is far from complete, but I hope it helps a lot. If you find anything wrong in it, please send me a mail right away.


last modified 2004-11-06 13:48:01