
Bridge Server Install

### Clunix Bridge Server Install #######################
#   Created: 2004.5.6   Author: 서진우 <alang@clunix.com>
#

1. Bridge network layout

- The physical network layout of the bridge server is as follows. eth0 faces the
  outside and eth1 faces the inside; the firewall rules later in this document
  assume that orientation.

Router ----- bridge server (eth0)|bridge server (eth1) ---- backbone switch ----- clients

-------------------------------------------------------------------------------
Router -> bridge server (eth0)           : crossover cable
Bridge server (eth1) -> backbone switch  : straight-through cable
-------------------------------------------------------------------------------

- External line ---- bridge server (eth0)|bridge server (eth1) ---- switch --- clients

-------------------------------------------------------------------------------
External line -> bridge server (eth0)    : straight-through cable
Bridge server (eth1) -> switch           : straight-through cable
-------------------------------------------------------------------------------

2. Packages needed for the build

H/W :

A system with two network cards

S/W :

Linux kernel          : linux-2.4.26.tar.bz2
Bridge kernel patch   : ebtables-brnf-5_vs_2.4.25.diff
Bridge utilities      : bridge-utils-0.9.6.tar.gz
iptables kernel patch : patch-o-matic-20031219.tar.bz2
iptables utilities    : iptables-1.2.9.tar.bz2

Download sites. The file names listed under each site are older revisions
(they reference kernel 2.4.19); the build below uses the versions listed above.

Bridge kernel patch and bridge utils
Linux ethernet bridging  http://bridge.sourceforge.net

    bridge-nf-0.0.7-against-2.4.19.diff
    bridge-utils-0.9.6.tar.gz

iptables kernel patch and iptables
netfilter/iptables  http://www.netfilter.org

    patch-o-matic-20030107.tar.bz2
    iptables-1.2.8.tar.bz2

Linux kernel source
The Linux Kernel Archives  http://www.kernel.org

    linux-2.4.19.tar.bz2

Additional download location:

ftp://syszone.co.kr/pub/linux/kernel

3. Kernel patching

- kernel patch

# cd /usr/src
# tar jxvf linux-2.4.26.tar.bz2
# ln -sf linux-2.4.26 linux
# cd linux
# patch -p1 < ../ebtables-brnf-5_vs_2.4.25.diff

The diff was made against 2.4.25, so read the patch output: any hunk reported
as FAILED leaves a .rej file that must be merged by hand before building.

- iptables patch (string match)

# tar jxvf patch-o-matic-20031219.tar.bz2
# cd patch-o-matic
# ./runme extra

Hey! KERNEL_DIR is not set.
Where is your kernel? [/usr/src/linux]   ->  accept the default (the /usr/src/linux symlink must point at the patched tree)

It then walks through the patches one by one and asks whether to apply each, like this:

.
.
   + New 'helper' match (Martin Josefsson, Harald Welte)
   submitted/ip6tables-exthdr-bug.patch.ipv6
   + Fix broken ipv6 extensionheader parser (Andras Kis-Szabo)
   submitted/ipv6-agr.patch.ipv6
   + New ip6tables 'eui64' match (Andras Kis-Szabo)
   submitted/length.patch.ipv6
   + New ip6tables 'length' match (Imran Patel, James Morris)
   submitted/log-tunnel-fix.patch.ipv6
   + Fix ip6tables 'LOG' target MAC address in case of tunnels
   (Peter Bieringer, Andras Kis-Szabo)
   submitted/nat-memoryleak-fix.patch
   + Fix memoryleak at iptable_nat unload time (zhongyu)
   submitted/ownercmd.patch
   + Extend 'owner' match to match cmdline (Marc Boucher)
   submitted/pkttype.patch
   + New 'pkttype' match (Michal Ludvig)
   submitted/ulog-nlgroup-shift-fix.patch
   + Fix error with shifting nlgroup in ULOG target (Harald Welte)
   submitted/ulog-sparc-bitops-fix.patch
   + Include linux/bitops.h instead of asm/bitops.h
   submitted/z-newnat16.patch
   + Redesign of conntrack and nat helper framework, for more info see
http://cvs.netfilter.org/cgi-bin/cvsweb/netfilter/documentation/newnat-summary.txt
   (Harald Welte, Jozsef Kadlecsik, and others)
   submitted/z-newnat_assertfix.patch
   + Fix erroneously printed ASSERT messages when debugging of newnat
   enabled (Martin Josefsson)
   submitted/z-newnat_changeexpect-lockfix.patch
   + Fix locking bug in ip_conntrack_change_expect() (Martin Josefsson)
   Further changes, not previuosly in patch-o-matic:
   + ip6tables usage counter fix (Harald Welte)
   + ip_queue cleanup (James Morris)
   + minor spelling fixes
   + __constant_htons() macro changes
   + ipt_unclean: srcport _can_ be zero
   + yet another ipchains GFP_ATOMIC fix
-----------------------------------------------------------------
Do you want to apply this patch [N/y/t/f/a/r/b/w/v/q/?]

Just press Enter here.

The iptables patch set contains many patches. Pressing y applies the one shown.
Do not apply all of them: the kernel build will fail later, so press y only for
the ones you actually need. Pressing b goes back one patch.

The one to apply now is String match support, which searches the packet for a
string and drops or rejects packets that contain it. With it you can block the
traffic of worms such as Nimda and CodeRed.

It will also be used to block spam by matching strings in mail.

Keep in mind that the match looks at each packet on its own: a string split
across two TCP segments is not seen, and the comparison is case-sensitive, so
treat it as a cheap filter for known worm payloads rather than as a content
inspection engine.


Keep pressing Enter and you will eventually reach the screen below:
Welcome to Rusty's Patch-o-matic!

Each patch is a new feature: many have minimal impact, some do not.
Almost every one has bugs, so I don't recommend applying them all!
-------------------------------------------------------
Already applied: submitted/01_2.4.19

Testing... string.patch NOT APPLIED (2 missing files)
The extra/string patch:
   Author: Emmanuel Roger <winfield@freegates.be>
   Status: Working, not with kernel 2.4.9
  
   This patch adds CONFIG_IP_NF_MATCH_STRING which allows you to
   match a string in a whole packet.
  
   THIS PATCH DOES NOT WORK WITH KERNEL 2.4.9 !!!
  
-----------------------------------------------------------------
Do you want to apply this patch [N/y/t/f/a/r/b/w/v/q/?]

Press y here and the String match patch is applied.

Keep pressing Enter and the remaining patches appear. Apply any others you need.

- Kernel configuration

# cd /usr/src/linux
# make menuconfig

Go to Networking options and set the netfilter-related and bridge-related options.

Networking options

      <*> Packet socket
      [*]   Packet socket: mmapped IO
      < > Netlink device emulation
      [*] Network packet filtering (replaces ipchains)
      [ ]   Network packet filtering debugging
      [*] Socket Filtering
      <*> Unix domain sockets
      [*] TCP/IP networking
      [*]   IP: multicasting
      [ ]   IP: advanced router
      [ ]   IP: kernel level autoconfiguration
      < >   IP: tunneling
      < >   IP: GRE tunnels over IP
      [*]   IP: multicast routing
      [ ]     IP: PIM-SM version 1 support
      [ ]     IP: PIM-SM version 2 support
      [ ]   IP: ARP daemon support (EXPERIMENTAL)
      [ ]   IP: TCP Explicit Congestion Notification support
      [*]   IP: TCP syncookie support (disabled per default)
            IP: Netfilter Configuration  --->
            IP: Virtual Server Configuration  --->
      < >   The IPv6 protocol (EXPERIMENTAL)
      < >   Kernel httpd acceleration (EXPERIMENTAL)
            SCTP Configuration (EXPERIMENTAL)  --->
      < > Asynchronous Transfer Mode (ATM) (EXPERIMENTAL)
      < > 802.1Q VLAN Support
      ---
      < > The IPX protocol
      < > Appletalk protocol support
          Appletalk devices  --->
      < > DECnet Support
      <*> 802.1d Ethernet Bridging
      <M>   Bridge: ebtables
      <M>     ebt: filter table support
      <M>     ebt: nat table support
      <M>     ebt: broute table support
      <M>     ebt: log support
      <M>     ebt: IP filter support
      <M>     ebt: ARP filter support
      <M>     ebt: among filter support
      <M>     ebt: limit filter support
      <M>     ebt: 802.1Q VLAN filter support
      <M>     ebt: 802.3 filter support
      <M>     ebt: packet type filter support
      <M>     ebt: STP filter support
      <M>     ebt: mark filter support
      <M>     ebt: arp reply target support
      <M>     ebt: snat target support
      <M>     ebt: dnat target support
      <M>     ebt: redirect target support
      <M>     ebt: mark target support
      < > CCITT X.25 Packet Layer (EXPERIMENTAL)
      < > LAPB Data Link Driver (EXPERIMENTAL)
      [ ] 802.2 LLC (EXPERIMENTAL)
      [ ] Frame Diverter (EXPERIMENTAL)
      < > Acorn Econet/AUN protocols (EXPERIMENTAL)
      < > WAN router
      [ ] Fast switching (read help!)
      [ ] Forwarding between high speed interfaces
          QoS and/or fair queueing  --->
          Network testing  --->

The "Bridge: ebtables" entries only exist because the ebtables-brnf patch was
applied. "Network packet filtering" and "802.1d Ethernet Bridging" are the two
items that must be built in (<*>) for the transparent firewall to work at all.


IP: Netfilter Configuration

      <*> Connection tracking (required for masq/NAT)
      <M>   FTP protocol support
      <M>   Amanda protocol support
      <M>   TFTP protocol support
      <M>   IRC protocol support
      <M> Userspace queueing via NETLINK (EXPERIMENTAL)
      <*> IP tables support (required for filtering/masq/NAT)
      <M>   limit match support
      <M>   MAC address match support
      <M>   Packet type match support
      <M>   netfilter MARK match support
      <M>   Multiple port match support
      <M>   TOS match support
      <M>   recent match support
      <M>   ECN match support
      <M>   DSCP match support
      <M>   AH/ESP match support
      <M>   LENGTH match support
      <M>   TTL match support
      <M>   tcpmss match support
      <M>   Helper match support
      <M>   Connection state match support
      <M>   Connection tracking match support
      <M>   Unclean match support (EXPERIMENTAL)
      <M>   String match support (EXPERIMENTAL)
      <M>   Owner match support (EXPERIMENTAL)
      <M>   Physdev match support
      <M>   Packet filtering
      <M>     REJECT target support
      <M>     MIRROR target support (EXPERIMENTAL)
      <M>   Full NAT
      <M>     MASQUERADE target support
      <M>     REDIRECT target support
      [*]     NAT of local connections (READ HELP)
      <M>     Basic SNMP-ALG support (EXPERIMENTAL)
      <M>   Packet mangling
      <M>     TOS target support
      <M>     ECN target support
      <M>     DSCP target support
      <M>     MARK target support
      <M>   LOG target support
      <M>   ULOG target support
      <M>   TCPMSS target support
      <M> ARP tables support
      <M>   ARP packet filtering
      <M>   ARP payload mangling

"String match support" is present because of the patch-o-matic string patch
applied above. "Physdev match support" comes with the ebtables-brnf patch and is
what lets an iptables rule tell the two bridge ports (eth0/eth1) apart, so make
sure it is built.


For the remaining options, refer to a kernel compilation guide.

You can also download the kernel config file for a P-III / IDE HDD / Intel or
Realtek ethernet card system, modify it and use that instead.

# make dep && make clean
# make bzImage && make modules && make modules_install
# cp System.map /boot/System.map-2.4.26
# cp arch/i386/boot/bzImage /boot/vmlinuz-2.4.26
# cd /boot
# ln -sf System.map-2.4.26 System.map
# ln -sf vmlinuz-2.4.26 vmlinuz

After that, edit /etc/lilo.conf and run lilo.

# vi /etc/lilo.conf
----------------------------------------------------------------------------

prompt
timeout=50
default=bridge
boot=/dev/hda
map=/boot/map
install=/boot/boot.b
message=/boot/message
linear

image=/boot/vmlinuz-2.4.20-8
        label=linux
        initrd=/boot/initrd-2.4.20-8.img
        read-only
        append="root=LABEL=/"

image=/boot/vmlinuz
        label=bridge
        read-only
        root=/dev/hda2

---------------------------------------------------------------------------

Run lilo so the new boot entry is written, then reboot. The new entry has no
initrd, so the IDE and root filesystem drivers must be built into the kernel,
and root= must name the real root partition (/dev/hda2 here).

# /sbin/lilo
# reboot

4. Installing bridge-utils and iptables

# tar xzvf bridge-utils-0.9.6.tar.gz
# cd bridge-utils
# ./configure
# make
# make install

# tar xjvf iptables-1.2.9.tar.bz2
# cd iptables-1.2.9
# make KERNEL_DIR=/usr/src/linux
# make install KERNEL_DIR=/usr/src/linux
# make install-devel

After installing iptables, move the iptables binary that came with the
distribution RPM out of the way so the two do not clash.

On Red Hat it lives in /sbin/iptables. Rename it to any other name, then link
the newly built one into its place:

# mv /sbin/iptables /sbin/iptables.rpm
# ln -sf /usr/local/sbin/iptables /sbin/iptables


5. Configuring the bridge network

Add the bridge device and attach both NICs to it:

# /usr/local/sbin/brctl addbr clxbr0
# /usr/local/sbin/brctl addif clxbr0 eth0
# /usr/local/sbin/brctl addif clxbr0 eth1

# vi /etc/sysconfig/network-scripts/ifcfg-clxbr0
----------------------------------------------------------------------------
DEVICE=clxbr0
IPADDR=211.241.202.142
NETMASK=255.255.255.128
ONBOOT=yes
----------------------------------------------------------------------------

# vi /etc/sysconfig/network-scripts/ifcfg-eth0
----------------------------------------------------------------------------
DEVICE=eth0
ONBOOT=no
----------------------------------------------------------------------------

# vi /etc/sysconfig/network-scripts/ifcfg-eth1
----------------------------------------------------------------------------
DEVICE=eth1
ONBOOT=no
----------------------------------------------------------------------------

# ifdown lo
# ifdown eth0
# ifdown eth1
# ifup lo
# ifconfig eth0 0.0.0.0
# ifconfig eth1 0.0.0.0
# ifup clxbr0

Then check the result:

# ifconfig
# /usr/local/sbin/brctl show

This completes the bridge network setup: the IP address lives on clxbr0 and the
two physical ports carry no address of their own. Confirm that the bridge server
can ping hosts on both the outside and the inside.

Because this has to be redone after every reboot, use the following init script
so it is applied automatically at boot time.

# vi /etc/rc.d/init.d/bridge

---------------------------------------------------------------------------
#! /bin/sh
#
# bridge        Start/Stop Ethernet Bridge interface with 2 ethernet NICs
#
# chkconfig: 2345 11 89
# (start priority 11 matches the S11bridge link used below; 89 is the stop
#  priority chosen here; the header is what "chkconfig --add" reads)
# description:  Ethernet Bridge for a transparent (bridge) firewall: \
#               creates the bridge interface (clxbr0) and ties the 2 NICs to it. \
#               The iptables firewall & NAT rules are loaded by the separate brctl script.
#
# Clunix.inc <alang@clunix.com> 2004.5.1

# Source function library.
. /etc/init.d/functions

# Source Network config
. /etc/sysconfig/network

# Check that networking is up.
if [ "${NETWORKING}" = "no" ]
then
        exit 0
fi

[ -x /usr/local/sbin/brctl ] || exit 0

RETVAL=0

start() {
        # check /var/lock/subsys/bridge file
        if [ -f /var/lock/subsys/bridge ] ; then
                return
        fi

        # make bridge interface
        echo -n $"Starting Bridge: "
        /usr/local/sbin/brctl addbr clxbr0 > /dev/null 2>&1 &&
        /usr/local/sbin/brctl addif clxbr0 eth0 > /dev/null 2>&1 &&
        /usr/local/sbin/brctl addif clxbr0 eth1 > /dev/null 2>&1
        RETVAL=$?
        if [ $RETVAL -eq 0 ] ; then
                success "bridge startup"
        else
                failure "bridge startup"
        fi
        echo

        # start networking of bridge
        echo -n $"Starting Network of Bridge: "
        ifup lo && ifconfig eth0 0.0.0.0 && \
          ifconfig eth1 0.0.0.0 && ifup clxbr0
        RETVAL=$?
        [ $RETVAL -eq 0 ] && success "Network of bridge startup" \
        || failure "Network of bridge startup"
        echo

        touch /var/lock/subsys/bridge
        return $RETVAL
}

stop() {
        # check /var/lock/subsys/bridge file
        if [ ! -f /var/lock/subsys/bridge ] ; then
                return
        fi

        # stop networking of bridge
        echo -n $"Stopping Network of bridge: "
        ifdown clxbr0 && ifconfig eth1 down && ifconfig eth0 down && ifdown lo
        RETVAL=$?
        [ $RETVAL -eq 0 ] && success "Network of bridge stopping" \
        || failure "Network of bridge stopping"
        echo

        # stop bridge interface
        echo -n $"Stopping Bridge: "
        /usr/local/sbin/brctl delif clxbr0 eth1 > /dev/null 2>&1 &&
        /usr/local/sbin/brctl delif clxbr0 eth0 > /dev/null 2>&1 &&
        /usr/local/sbin/brctl delbr clxbr0 > /dev/null 2>&1
        RETVAL=$?
        if [ $RETVAL -eq 0 ] ; then
                success "bridge stopping"
        else
                failure "bridge stopping"
        fi
        echo
        rm -f /var/lock/subsys/bridge
        return $RETVAL
}


# See how we were called.
case "$1" in
  start)
        start
        ;;
  stop)
        stop
        ;;
  status)
        /usr/local/sbin/brctl show
        ;;
  restart)
        stop
        sleep 2
        start
        ;;
  *)
        echo  $"Usage: $0 {start|stop|status|restart}"
        exit 1
esac

exit $RETVAL

------------------------------------------------------------------------------

Link the script into the runlevel by hand:

# ln -sf /etc/rc.d/init.d/bridge /etc/rc3.d/S11bridge

or let chkconfig create the links (this needs a "# chkconfig: <levels> <start> <stop>"
header line in the script; the start priority 11 corresponds to S11bridge):

# chkconfig --add bridge


6. Using the iptables script

# vi /etc/rc.d/init.d/brctl
------------------------------------------------------------------------------

#! /bin/sh
#
# iptables      Start/Stop firewall with iptables
#
# description:  Clunix Firewall filtering & NAT with iptables
#
# Clunix.inc <alang@clunix.com> 2004.05.01
#

# Source function library.
. /etc/init.d/functions

# Source Network config
. /etc/sysconfig/network

# Check that networking is up.
if [ "${NETWORKING}" = "no" ]
then
        exit 0
fi

[ -x /usr/local/sbin/iptables ] || exit 0

RETVAL=0

start() {

        # check /var/lock/subsys/firewall file
        if [ -f /var/lock/subsys/firewall ] ; then
                return
        fi

        # print "start firewall" msg
        echo -n $"Starting Firewall: "

        #
        # start firewall & NAT
        #

        # internal network range (kept for reference; the rules below
        # identify the inside by bridge port, not by address)

        INTER_AREA="211.241.202.128/25"

        modprobe ip_conntrack_ftp
        modprobe ip_conntrack_irc
        modprobe ipt_string
        modprobe ipt_state
        modprobe ipt_physdev
        modprobe ipt_REJECT
        modprobe ipt_REDIRECT
        modprobe ipt_MASQUERADE
        modprobe ip_nat_snmp_basic
        modprobe ip_nat_ftp
        modprobe ip_nat_irc

        
        echo 1 > /proc/sys/net/ipv4/ip_forward

        #
        # init iptables
        #
        # flush all chains

        iptables -F
        iptables -X
        chains=`cat /proc/net/ip_tables_names 2>/dev/null`
        for i in $chains
        do
                iptables -t $i -F
                iptables -t $i -X
                iptables -t $i -Z
        done


        # default policies

        iptables -P INPUT DROP
        iptables -P OUTPUT ACCEPT
        # firewall filtering
        iptables -P FORWARD DROP


        ######################################################################
        # User defined chains
        ######################################################################
        #
        # refuse :
        # explicit refuse chain
        # logging to /var/log/firewall (via syslog kern.debug) & reject.
        # On a bridge the -i/-o device of a bridged frame is the bridge
        # (clxbr0), so the physical port is matched with physdev: log only
        # what did not come in on the inside port eth1.
        #
        iptables -N refuse
        iptables -A refuse -m physdev ! --physdev-in eth1 -m limit --limit 1/m -j LOG \
          --log-prefix "refused: " --log-level debug
        iptables -A refuse -p tcp -m limit --limit 10/s -j REJECT \
          --reject-with tcp-reset
        iptables -A refuse -p udp -m limit --limit 10/s -j REJECT
        iptables -A refuse -j DROP

        #
        # global_icmp :
        # specified ICMP packets are accepted globally
        #
        # accept following icmp pkt
        #  -  0 : echo reply
        #  -  3 : dest unreachable
        #  -  5 : redirect
        #  -  8 : echo request
        #  - 11 : time exceed
        iptables -N global_icmp
        iptables -A global_icmp -p icmp --icmp-type 0 -j ACCEPT
        iptables -A global_icmp -p icmp --icmp-type 3 -j ACCEPT
        iptables -A global_icmp -p icmp --icmp-type 5 -j ACCEPT
        iptables -A global_icmp -p icmp --icmp-type 8 -j ACCEPT
        iptables -A global_icmp -p icmp --icmp-type 11 -j ACCEPT

        #
        # global_udp :
        # specified udp packets are accepted globally
        #
        iptables -N global_udp

        # eDonkey (4661-4663/tcp, 4665/udp) for all PCs

        iptables -A global_udp -p udp --dport 4665 -j ACCEPT


        #
        # global_tcp :
        # specified tcp packets (that is valid) are accepted globally
        #
        # specified tcp packets (that is valid) are accepted globally
        #

        iptables -N global_tcp

        # accept tcp syn pkt
        # iptables -A global_tcp -p tcp --syn -j ACCEPT
        # drop new pkt that has no syn
        iptables -A global_tcp -p tcp ! --syn -m state --state NEW -j DROP

        # MSN file transfer (6891-6900/tcp) for all PC
        # http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q278887&
        iptables -A global_tcp -p tcp --dport 6891:6900 -j ACCEPT
        # eDonkey (4661-4663/tcp, 4665/udp) for all PCs
        iptables -A global_tcp -p tcp --dport 4661:4663 -j ACCEPT

        #
        # open :
        # accept connection by each server:port
        #

        iptables -N open
        iptables -A open -p tcp -d 211.241.202.153 --dport 22 -j ACCEPT
        iptables -A open -p tcp -d 211.241.202.152 --dport 25 -j ACCEPT



        # String rules (per-packet string match; see the caveat in section 3)

        # Nimda, CodeRed: --tcp-flags ACK ACK skips bare SYNs, which carry no
        # payload; a TCP reset tears the worm's connection down instead of
        # leaving it hanging.

        iptables -A FORWARD -p tcp --tcp-flags ACK ACK --dport 80 -m string \
        --string "/default.ida?" -j REJECT --reject-with tcp-reset
        iptables -A FORWARD -p tcp  --tcp-flags ACK ACK --dport 80 -m string \
        --string "XXXXXXXX" -j REJECT --reject-with tcp-reset
        iptables -A FORWARD -p tcp  --tcp-flags ACK ACK --dport 80 -m string \
        --string "cmd.exe" -j REJECT --reject-with tcp-reset
        iptables -A FORWARD -p tcp  --tcp-flags ACK ACK --dport 80 -m string \
        --string "root.exe?" -j REJECT --reject-with tcp-reset

        # Mail subject/content strings. These are demonstration rules: a
        # string as short as "test" resets every SMTP session whose packet
        # happens to contain it, legitimate mail included.

        iptables -A FORWARD -p tcp --dport 25 -m string --string "test" -j REJECT \
        --reject-with tcp-reset

        # "광고" = "advertisement" (Korean ad-mail tag)
        iptables -A FORWARD -p tcp --dport 25 -m string --string "광고" -j REJECT \
        --reject-with tcp-reset

        # SQL Slammer
        iptables -A FORWARD -p udp -m string --string "Qh.dllhel32hkern" -j REJECT

        ######################################################################
        # FORWARD chain rules
        ######################################################################
        # accept all packets from the internal network (bridge port eth1).
        # Bridged frames reach iptables with the bridge (clxbr0) as their
        # -i/-o device, so "-i eth1" would never match; use physdev instead.
        iptables -A FORWARD -m physdev --physdev-in eth1 -j ACCEPT
        iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
        
        # New Rules Forward

        iptables -A FORWARD -p icmp -j global_icmp
        iptables -A FORWARD -p udp -j global_udp
        iptables -A FORWARD -p tcp -j global_tcp
        iptables -A FORWARD -j open

        # otherwise, refuse it
        iptables -A FORWARD -j refuse

        # accept all pkt from local loopback interface
        iptables -A INPUT -i lo -j ACCEPT

        # accept all packets by stateful-inspection
        iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

        # filter by global icmp pkt
        iptables -A INPUT -p icmp -j global_icmp

        # filter by  global tcp pkt
        iptables -A INPUT -p tcp -j global_tcp


        # accept only ssh (22/tcp) to the bridge itself, from either port
        # (locally delivered frames also carry clxbr0 as -i, hence physdev)
        iptables -A INPUT -p tcp -m physdev --physdev-in eth1 --dport 22 -j ACCEPT
        iptables -A INPUT -p tcp -m physdev --physdev-in eth0 --dport 22 -j ACCEPT


        # otherwise, refuse pkt
        iptables -A INPUT -j refuse


        #
        # accept all out pkt
        #

        iptables -A OUTPUT -o clxbr0 -j ACCEPT
        iptables -A OUTPUT -o lo -j ACCEPT


        ######################################################################
        # for NAT(masquerade)
        ######################################################################
        #
        # masquerade
        #

        iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE

        # print "firewall startup" msg
        [ $? -eq 0 ] && success "firewall startup" || \
          failure "firewall startup"
        echo

        # lock
        touch /var/lock/subsys/firewall

}

stop() {

        # check /var/lock/subsys/firewall file
        if [ ! -f /var/lock/subsys/firewall ] ; then
                return
        fi

        # print "stop firewall" msg
        echo -n $"Stopping Firewall: "

        #
        # flush & delete iptables rules
        #
        chains=`cat /proc/net/ip_tables_names 2>/dev/null`
        for i in $chains
        do
                iptables -t $i -F
                iptables -t $i -X
        done
        iptables -P INPUT ACCEPT && \
        iptables -P OUTPUT ACCEPT && \
        iptables -P FORWARD ACCEPT && \
        iptables -t nat -P PREROUTING ACCEPT && \
        iptables -t nat -P POSTROUTING ACCEPT && \
        iptables -t nat -P OUTPUT ACCEPT && \
        iptables -t mangle -P PREROUTING ACCEPT && \
        iptables -t mangle -P OUTPUT ACCEPT

        #
        # turn forwarding off again and unload the modules
        #
        echo 0 > /proc/sys/net/ipv4/ip_forward

#        rmmod ip_conntrack_ftp
#        rmmod ip_conntrack_irc
        rmmod ipt_string
        rmmod ipt_state
        rmmod ipt_REJECT
        rmmod ipt_REDIRECT
        rmmod ipt_MASQUERADE
        rmmod ip_nat_snmp_basic
        rmmod ip_nat_ftp
        rmmod ip_nat_irc




        # print "firewall stop" msg
        [ $? -eq 0 ] && success "firewall stop" || failure "firewall stop"
        echo

        # unlock
        rm -f /var/lock/subsys/firewall
}

# See how we were called.
case "$1" in
  start)
        start
        ;;
  stop)
        stop
        ;;
  status)
        /sbin/iptables -L INPUT
        /sbin/iptables -L OUTPUT
        /sbin/iptables -L FORWARD
        ;;
  restart)
        stop
        sleep 1
        start
        ;;
  *)
        echo  $"Usage: $0 {start|stop|status|restart}"
        exit 1
esac

exit $RETVAL

---------------------------------------------------------------------------------

# ln -sf /etc/rc.d/init.d/brctl /etc/rc3.d/S70brctl
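The string rules in the firewall script above are typed in by hand. As an added example (not part of the original page or of the Clunix scripts), the POSIX shell function below generates rules of the same shape from a signature table and refuses strings shorter than a minimum length, because the per-packet string match on a short string such as "test" resets legitimate traffic as readily as worm traffic. The signature table, the MIN_LEN threshold and the 1434/udp port used for Slammer are assumptions made for this example; the commands are printed, not executed, so they can be reviewed before being pasted into the script.

```shell
#!/bin/sh
# Added example: build iptables string-match rules from a signature table.
# Not from the original page; the table below is constructed for this example.
# Table format: name|proto|dport|string   (one signature per line)

MIN_LEN=6   # assumption: shorter strings hit legitimate traffic far too often

SIGS='# name|proto|dport|string
codered_ida|tcp|80|/default.ida?
nimda_cmd|tcp|80|cmd.exe
nimda_root|tcp|80|root.exe?
spam_test|tcp|25|test
slammer|udp|1434|Qh.dllhel32hkern'

# make_string_rules: read the table on stdin and print one iptables command
# per accepted signature; skipped signatures are reported on stderr.
make_string_rules() {
    while IFS='|' read -r name proto dport str; do
        case "$name" in ''|\#*) continue ;; esac
        if [ "${#str}" -lt "$MIN_LEN" ]; then
            echo "skip $name: '$str' is shorter than $MIN_LEN characters" >&2
            continue
        fi
        if [ "$proto" = tcp ]; then
            # ACK set: skip bare SYNs, which carry no payload anyway;
            # a TCP reset tears the worm's connection down instead of a silent drop
            flags='--tcp-flags ACK ACK'
            target='REJECT --reject-with tcp-reset'
        elif [ "$proto" = udp ]; then
            flags=''
            target='REJECT'
        else
            echo "skip $name: unknown protocol '$proto'" >&2
            continue
        fi
        printf 'iptables -A FORWARD -p %s %s --dport %s -m string --string "%s" -j %s\n' \
            "$proto" "$flags" "$dport" "$str" "$target"
    done
    return 0
}

# Usage: feed the table in and review the output before loading it.
printf '%s\n' "$SIGS" | make_string_rules
```

Running it as shown emits four FORWARD rules and reports spam_test as skipped; raise or lower MIN_LEN to taste, but keep the review step, since a rule like this cannot be tested against traffic it has not seen.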

Then confirm that after a reboot the machine comes up as a bridge server on its own:

# ifconfig
# /usr/local/sbin/brctl show
# iptables -vL   ( or: /etc/rc.d/init.d/brctl status )

The -v flag shows per-rule packet counters; a rule whose counter stays at zero
while traffic is flowing is usually one whose interface match is wrong.
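Two mistakes are easy to make in a rule set like the one above and both are silent: matching a bridge port with -i/-o (bridged frames reach iptables with the bridge itself, clxbr0, as their in/out device, so such a rule never matches and the traffic falls through to the refuse chain), and naming a device that does not exist, which iptables accepts without complaint. As an added example (not part of the original page or of the Clunix scripts), the POSIX shell lint below reads rule specifications and flags both cases. The bridge and port names are those used on this page; the sample rules are constructed for the example and include the page's original rules next to corrected ones.

```shell
#!/bin/sh
# Added example: lint iptables rule specs for two mistakes that are easy to make
# on a bridge-nf transparent firewall. Not from the original page; the device
# names come from the page's setup, the sample rules are constructed here.
#
# 1. Bridged frames reach iptables with the logical bridge (clxbr0) as the
#    -i/-o device, so "-i eth1" never matches them; the bridge port has to be
#    matched with "-m physdev --physdev-in eth1" (or --physdev-out).
# 2. A device name that is neither the bridge, lo nor a bridge port (the "br0"
#    typo) is accepted by iptables and the rule then matches nothing.

BRIDGE=${BRIDGE:-clxbr0}        # bridge device name from the page
PORTS=${PORTS:-"eth0 eth1"}     # physical ports attached to the bridge

# check_dev OPTION DEVICE RULE: print a finding if OPTION (-i or -o) names a
# device that cannot match bridged traffic. Always returns 0.
check_dev() {
    if [ "$2" = "$BRIDGE" ] || [ "$2" = lo ]; then
        return 0
    fi
    dir=in
    if [ "$1" = -o ]; then
        dir=out
    fi
    for p in $PORTS; do
        if [ "$2" = "$p" ]; then
            echo "bridge port with $1 $2 never matches bridged frames; use -m physdev --physdev-$dir $2: $3"
            return 0
        fi
    done
    echo "unknown device $2 (bridge is $BRIDGE, ports: $PORTS): $3"
    return 0
}

# lint_bridge_rules: read rule specs (one per line, as given to iptables)
# on stdin and print one finding per offending -i/-o option.
lint_bridge_rules() {
    while IFS= read -r rule; do
        case "$rule" in ''|\#*) continue ;; esac
        set -f                      # no globbing while splitting the rule into words
        set -- $rule
        set +f
        while [ $# -gt 1 ]; do
            if [ "$1" = -i ] || [ "$1" = -o ]; then
                check_dev "$1" "$2" "$rule"
            fi
            shift
        done
    done
    return 0
}

# Constructed sample: the page's original rules next to corrected ones.
SAMPLE_RULES='-A FORWARD -p ALL -i eth1 -j ACCEPT
-A refuse ! -i eth1 -m limit --limit 1/m -j LOG
-A INPUT -p tcp -i eth1 --dport 22 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o br0 -j ACCEPT
-A FORWARD -m physdev --physdev-in eth1 -j ACCEPT
-A INPUT -p tcp -m physdev --physdev-in eth1 --dport 22 -j ACCEPT'

# Usage: pipe in the rule specs, e.g. the "iptables -A ..." lines of the
# firewall script with the leading "iptables " stripped off.
printf '%s\n' "$SAMPLE_RULES" | lint_bridge_rules
```

On the sample it reports the three "-i eth1" rules and the "-o br0" rule and says nothing about the lo rule or the physdev rules. It only inspects the interface options; it does not know whether a rule is reachable, so keep checking the packet counters from iptables -vL as well.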