20 번 글: [iptables] simple MASQ |
글쓴이: 산이
###################################################
## -- /etc/sysctl.conf
## NOTE(review): with ip_forward = 1 here, the kernel routes between eth0 and
## eth1 from the moment networking comes up, i.e. before the script below has
## installed its FORWARD DROP policy. start() sets both flags itself, so this
## entry can stay at 0 (or be omitted) if that boot-time window matters.
##
net.ipv4.ip_forward = 1
net.ipv4.ip_dynaddr = 1
##
###################################################
#!/bin/sh
#
# chkconfig: 2345 100 130
# NOTE(review): chkconfig priorities are normally two digits (00-99); a
# three-digit value yields S100xxx/K130xxx links whose lexical order may not be
# what you expect -- check `ls /etc/rc3.d` after `chkconfig --add`.
#
# IP MASQ SCRIPT
# add 2003.11.20
#
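# start: load the netfilter modules, install the MASQ rule set and then
# enable forwarding.  Must run as root on a 2.4 kernel built with the
# netfilter options listed further down this page.
#
# Fixes versus the original:
#  - the "-i eth0 -o eth1 ... -j" rule was split across two lines, so
#    iptables failed on "-j" without a target and "ACCEPT" ran as a command;
#  - ip_nat_ftp was insmod'ed before iptable_nat, which it depends on
#    (see the module tree below); modprobe resolves the order for us;
#  - forwarding is now switched on only after the FORWARD DROP policy is in
#    place, so there is no window where the box routes unfiltered;
#  - LAN -> WAN forwarding is restricted to the real LAN prefix and rp_filter
#    is enabled, so spoofed source addresses are not masqueraded;
#  - the catch-all LOG rule is rate-limited (needs ipt_limit) so a flood
#    cannot fill syslog.
start()
{
  WAN=eth0              # WAN (Internet) xxx.xxx.xxx.xxx
  LAN=eth1              # LAN (intranet) 192.168.0.1
  LAN_NET=192.168.0.0/24

  /sbin/depmod -a
  # modprobe loads dependencies itself and tolerates already-loaded modules,
  # so this works on a plain "restart" too.  iptables pulls in iptable_filter,
  # ipt_state, ipt_limit, ipt_LOG and ipt_MASQUERADE on demand.
  /sbin/modprobe ip_tables
  /sbin/modprobe ip_conntrack
  /sbin/modprobe ip_conntrack_ftp
  /sbin/modprobe iptable_nat
  /sbin/modprobe ip_nat_ftp

  ## Default policy: INPUT/OUTPUT ACCEPT, FORWARD DROP.
  ## NOTE(review): INPUT ACCEPT means every service listening on this box is
  ## reachable from $WAN; only forwarded traffic is filtered here, not the
  ## gateway itself.  Add INPUT rules if the box runs anything on the WAN side.
  iptables -P INPUT ACCEPT
  iptables -F INPUT
  iptables -P OUTPUT ACCEPT
  iptables -F OUTPUT
  iptables -P FORWARD DROP
  iptables -F FORWARD
  iptables -t nat -F

  # Replies to connections that the LAN opened (and RELATED ftp-data etc.).
  iptables -A FORWARD -i "$WAN" -o "$LAN" -m state --state ESTABLISHED,RELATED -j ACCEPT
  # Only packets that genuinely carry a LAN source may go out; anything else
  # arriving on $LAN falls through to the LOG rule and the DROP policy.
  iptables -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT
  # Everything else is dropped by policy; log it, but not faster than this.
  iptables -A FORWARD -m limit --limit 5/minute --limit-burst 10 -j LOG --log-prefix "FORWARD DROP: "
  iptables -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE

  # Reverse-path filtering on every interface: a packet whose source address
  # would not be routed back out the interface it arrived on is discarded
  # (e.g. 192.168.0.x arriving on $WAN).  Done per interface because the
  # "all" flag alone does not enable it on 2.4 kernels.
  for rpf in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 1 > "$rpf"
  done
  # Forwarding last, once the rules above are in place.
  echo 1 > /proc/sys/net/ipv4/ip_forward
  echo 1 > /proc/sys/net/ipv4/ip_dynaddr
}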
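# stop: flush every rule, unload the netfilter modules and disable
# forwarding.  Fails closed: if a module cannot be unloaded, the FORWARD
# policy is still DROP and ip_forward is 0, so nothing is routed.
#
# Fixes versus the original: the nat table was never flushed, so the
# MASQUERADE rule kept iptable_nat busy and rmmod failed; and the modules
# were listed in load order rather than reverse-dependency order.
stop()
{
  # Empty both tables before trying to unload anything.
  iptables -F            # flush all rules in the filter table
  iptables -X            # delete all user-defined chains in the filter table
  iptables -t nat -F
  iptables -t nat -X
  # Reverse dependency order (see the module tree on this page): ip_nat_ftp
  # needs iptable_nat; ip_conntrack_ftp and iptable_nat need ip_conntrack;
  # everything needs ip_tables.  "-a" additionally asks rmmod to clean up
  # unused autoclean modules (the ones iptables loaded on demand, e.g.
  # iptable_filter, ipt_state, ipt_LOG, ipt_MASQUERADE) -- whether they are
  # removed on this call or a later one depends on the modutils version.
  rmmod -a ip_nat_ftp iptable_nat ip_conntrack_ftp ip_conntrack ip_tables
  echo 0 > /proc/sys/net/ipv4/ip_forward
  echo 0 > /proc/sys/net/ipv4/ip_dynaddr
}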
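# Dispatch on the init-script verb.  An unknown or missing verb now prints a
# usage line and exits non-zero instead of silently succeeding, so chkconfig
# and operators notice a typo.
case "$1" in
  start)
    start
    ;;
  stop)
    stop
    ;;
  restart)
    stop
    start
    ;;
  *)
    echo "Usage: $0 {start|stop|restart}" >&2
    exit 1
    ;;
esac
exit 0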
--------------
ex)
eth0 : WAN : 123.123.5.8
eth1 : LAN : 192.168.0.1
*주1) PCI 이더넷인 경우 보통 AGP 슬롯에 가까운 쪽이 eth0 임.
*주2) HUB 의 uplink 포트에 연결할 경우는 cross cable 사용
방법1)
+-------------+
----[modem]-------(eth0)| Linux box |
+----(eth1)| (MASQUERADE)| (방화벽 기능포함)
| +-------------+
[ HUB ]
[modem] <--- direct cable ---> [eth0]
[ HUB ] <--- direct cable ---> [eth1] (HUB 의 일반 포트에 연결할
경우)
[ HUB ] <--- cross cable ---> [eth1] (HUB 의 uplink 포트에 연결할
경우)
방법2)
----[modem]--------------[ HUB ]
|||
---+++----
[modem] <--- direct cable ---> [ HUB ] (HUB 의 일반 포트에 연결할
경우)
[modem] <--- cross cable ---> [ HUB ] (HUB 의 uplink 포트에 연결할
경우)
[ HUB ] <--- direct cable ---> [ ethN ] (eth0, eth1, ... 기타 윈도우)
####################################################
Networking options --->
<*> Packet socket
CONFIG_PACKET=Y
[*] Packet socket: mmapped IO
CONFIG_PACKET_MMAP=Y
[*] Network packet filtering (replaces ipchains)
CONFIG_NETFILTER=Y
<*> Unix domain sockets
CONFIG_UNIX=Y
[*] TCP/IP networking
CONFIG_INET=Y
[*] IP: advanced router
CONFIG_IP_ADVANCED_ROUTER=Y
/***
Note: this option only unlocks the further routing questions in the
configurator; to actually route, forwarding must still be enabled at boot,
and rp_filter (reverse-path anti-spoofing) should be turned on as well:
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
***/
[*] IP: TCP syncookie support (disabled per default)
CONFIG_SYN_COOKIES=Y
IP: Netfilter Configuration --->
<M> Connection tracking (required for masq/NAT)
CONFIG_IP_NF_CONNTRACK=m
<M> FTP protocol support
CONFIG_IP_NF_FTP=m
<M> IRC protocol support
CONFIG_IP_NF_IRC=m
<M> Userspace queueing via NETLINK (EXPERIMENTAL)
CONFIG_IP_NF_QUEUE=m
<M> IP tables support (required for filtering/masq/NAT)
CONFIG_IP_NF_IPTABLES=m
<M> limit match support
CONFIG_IP_NF_MATCH_LIMIT=m
<M> MAC address match support
CONFIG_IP_NF_MATCH_MAC=m
<M> netfilter MARK match support
CONFIG_IP_NF_MATCH_MARK=m
<M> Multiple port match support
CONFIG_IP_NF_MATCH_MULTIPORT=m
<M> TOS match support
CONFIG_IP_NF_MATCH_TOS=m
<M> AH/ESP match support
CONFIG_IP_NF_MATCH_AH_ESP=m
<M> LENGTH match support
CONFIG_IP_NF_MATCH_LENGTH=m
<M> TTL match support
CONFIG_IP_NF_MATCH_TTL=m
<M> tcpmss match support
CONFIG_IP_NF_MATCH_TCPMSS=m
<M> Connection state match support
CONFIG_IP_NF_MATCH_STATE=m
<M> Unclean match support (EXPERIMENTAL)
CONFIG_IP_NF_MATCH_UNCLEAN=m
<M> Owner match support (EXPERIMENTAL)
CONFIG_IP_NF_MATCH_OWNER=m
<M> Packet filtering
CONFIG_IP_NF_FILTER=m
<M> REJECT target support
CONFIG_IP_NF_TARGET_REJECT=m
<M> MIRROR target support (EXPERIMENTAL)
CONFIG_IP_NF_TARGET_MIRROR=m
<M> Full NAT
CONFIG_IP_NF_NAT=m
CONFIG_IP_NF_NAT_NEEDED=y /*** auto ***/
<M> MASQUERADE target support
CONFIG_IP_NF_TARGET_MASQUERADE=m
<M> REDIRECT target support
CONFIG_IP_NF_TARGET_REDIRECT=m
[*] NAT of local connections (READ HELP)
CONFIG_IP_NF_NAT_LOCAL=y
<M> Basic SNMP-ALG support (EXPERIMENTAL)
CONFIG_IP_NF_NAT_SNMP_BASIC=m
CONFIG_IP_NF_NAT_IRC=m /*** auto ***/
CONFIG_IP_NF_NAT_FTP=m /*** auto ***/
<M> Packet mangling
CONFIG_IP_NF_MANGLE=m
<M> TOS target support
CONFIG_IP_NF_TARGET_TOS=m
<M> MARK target support
CONFIG_IP_NF_TARGET_MARK=m
<M> LOG target support
CONFIG_IP_NF_TARGET_LOG=m
<M> ULOG target support
CONFIG_IP_NF_TARGET_ULOG=m
<M> TCPMSS target support
CONFIG_IP_NF_TARGET_TCPMSS=m
<M> ARP tables support
CONFIG_IP_NF_ARPTABLES=m
<M> ARP packet filtering
CONFIG_IP_NF_ARPFILTER=m
<M> ipchains (2.2-style) support
CONFIG_IP_NF_COMPAT_IPCHAINS=m
CONFIG_IP_NF_NAT_NEEDED=y /*** auto ***/
< > ipfwadm (2.0-style) support
# CONFIG_IP_NF_COMPAT_IPFWADM is not set
[kernel 2.4.x configuration]
+-----------------------------------+----------+----------+----------+----------+
| config(generic) | Firewall | DHCP | DMZ | UTIN |
+-----------------------------------+----------+----------+----------+----------+
|CONFIG_PACKET=Y | Y | Y | Y | Y |
+-----------------------------------+----------+----------+----------+----------+
|CONFIG_PACKET_MMAP=Y | | | | |
+-----------------------------------+----------+----------+----------+----------+
|CONFIG_NETFILTER=Y | Y | Y | Y | Y |
+-----------------------------------+----------+----------+----------+----------+
|CONFIG_UNIX=Y | | | | |
+-----------------------------------+----------+----------+----------+----------+
|CONFIG_INET=Y | | | | |
+-----------------------------------+----------+----------+----------+----------+
|CONFIG_IP_ADVANCED_ROUTER=Y | | | | |
+-----------------------------------+----------+----------+----------+----------+
|CONFIG_SYN_COOKIES=Y | | | | |
+-----------------------------------+----------+----------+----------+----------+
| CONFIG_IP_NF_CONNTRACK=m | m | m | m | m |
+-----------------------------------+----------+----------+----------+----------+
| CONFIG_IP_NF_FTP=m | | | | |
+-----------------------------------+----------+----------+----------+----------+
| CONFIG_IP_NF_IRC=m | | | | |
+-----------------------------------+----------+----------+----------+----------+
| CONFIG_IP_NF_QUEUE=m | | | | |
+-----------------------------------+----------+----------+----------+----------+
| CONFIG_IP_NF_IPTABLES=m | m | m | m | m |
+-----------------------------------+----------+----------+----------+----------+
| CONFIG_IP_NF_MATCH_LIMIT=m | m | m | m | m |
+-----------------------------------+----------+----------+----------+----------+
| CONFIG_IP_NF_MATCH_MAC=m | | | | |
+-----------------------------------+----------+----------+----------+----------+
| CONFIG_IP_NF_MATCH_MARK=m | | | | |
+-----------------------------------+----------+----------+----------+----------+
| CONFIG_IP_NF_MATCH_MULTIPORT=m | | | | |
+-----------------------------------+----------+----------+----------+----------+
| CONFIG_IP_NF_MATCH_TOS=m | | | | |
+-----------------------------------+----------+----------+----------+----------+
| CONFIG_IP_NF_MATCH_AH_ESP=m | | | | |
+-----------------------------------+----------+----------+----------+----------+
| CONFIG_IP_NF_MATCH_LENGTH=m | | | | |
+-----------------------------------+----------+----------+----------+----------+
| CONFIG_IP_NF_MATCH_TTL=m | | | | |
+-----------------------------------+----------+----------+----------+----------+
| CONFIG_IP_NF_MATCH_TCPMSS=m | | | | |
+-----------------------------------+----------+----------+----------+----------+
| CONFIG_IP_NF_MATCH_STATE=m | m | m | m | m |
+-----------------------------------+----------+----------+----------+----------+
| CONFIG_IP_NF_MATCH_UNCLEAN=m | | | | |
+-----------------------------------+----------+----------+----------+----------+
| CONFIG_IP_NF_MATCH_OWNER=m | | | | |
+-----------------------------------+----------+----------+----------+----------+
| CONFIG_IP_NF_FILTER=m | m | m | m | m |
+-----------------------------------+----------+----------+----------+----------+
| CONFIG_IP_NF_TARGET_REJECT=m | | | | |
+-----------------------------------+----------+----------+----------+----------+
| CONFIG_IP_NF_TARGET_MIRROR=m | | | | |
+-----------------------------------+----------+----------+----------+----------+
| CONFIG_IP_NF_NAT=m | m | m | m | m |
+-----------------------------------+----------+----------+----------+----------+
| CONFIG_IP_NF_NAT_NEEDED=auto | auto | auto | auto | auto |
+-----------------------------------+----------+----------+----------+----------+
| CONFIG_IP_NF_TARGET_MASQUERADE=m | | m | | |
+-----------------------------------+----------+----------+----------+----------+
| CONFIG_IP_NF_TARGET_REDIRECT=m | | | | |
+-----------------------------------+----------+----------+----------+----------+
| CONFIG_IP_NF_NAT_LOCAL=y | | | | |
+-----------------------------------+----------+----------+----------+----------+
| CONFIG_IP_NF_NAT_SNMP_BASIC=m | | | | |
+-----------------------------------+----------+----------+----------+----------+
| CONFIG_IP_NF_NAT_IRC=auto | | | | |
+-----------------------------------+----------+----------+----------+----------+
| CONFIG_IP_NF_NAT_FTP=auto | | | | |
+-----------------------------------+----------+----------+----------+----------+
| CONFIG_IP_NF_MANGLE=m | | | | |
+-----------------------------------+----------+----------+----------+----------+
| CONFIG_IP_NF_TARGET_TOS=m | | | | |
+-----------------------------------+----------+----------+----------+----------+
| CONFIG_IP_NF_TARGET_MARK=m | | | | |
+-----------------------------------+----------+----------+----------+----------+
| CONFIG_IP_NF_TARGET_LOG=m | m | m | m | m |
+-----------------------------------+----------+----------+----------+----------+
| CONFIG_IP_NF_TARGET_ULOG=m | | | | |
+-----------------------------------+----------+----------+----------+----------+
| CONFIG_IP_NF_TARGET_TCPMSS=m | | | | |
+-----------------------------------+----------+----------+----------+----------+
| CONFIG_IP_NF_ARPTABLES=m | | | | |
+-----------------------------------+----------+----------+----------+----------+
| CONFIG_IP_NF_ARPFILTER=m | | | | |
+-----------------------------------+----------+----------+----------+----------+
| CONFIG_IP_NF_COMPAT_IPCHAINS=m | | | | |
+-----------------------------------+----------+----------+----------+----------+
| CONFIG_IP_NF_NAT_NEEDED=auto | | | | |
+-----------------------------------+----------+----------+----------+----------+
[load of modules: dependency]
/lib/modules/`uname -r`/kernel/net/ipv4/netfilter
|-- ip_conntrack
| |-- ip_conntrack_ftp
| |-- ip_conntrack_irc
| `--------------------------+
|-- ip_queue |
|-- ip_tables |
| |-- ipt_limit |
| |-- ipt_mac |
| |-- ipt_mark |
| |-- ipt_multiport |
| |-- ipt_tos |
| |-- ipt_ah |
| |-- ipt_esp |
| |-- ipt_length |
| |-- ipt_ttl |
| |-- ipt_tcpmss |
| |-- ipt_state -------------|
| |-- ipt_unclean |
| |-- ipt_owner |
| |-- iptable_filter |
| | |-- ipt_REJECT |
| | `-- ipt_MIRROR |
| |-- iptable_nat -----------+
| | |-- ipt_MASQUERADE
| | |-- ipt_REDIRECT
| | |-- ip_nat_snmp_basic
| | |-- ip_nat_ftp
| | `-- ip_nat_irc
| |-- iptable_mangle
| | |-- ipt_TOS
| | `-- ipt_MARK
| |-- ipt_LOG
| |-- ipt_ULOG
| `-- ipt_TCPMSS
|-- arp_tables
| `-- arptable_filter
`-- ipchains
-- all-flsh.sh ------------------------------------------
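#!/bin/sh
#
# all-flsh.sh: open the firewall completely -- reset every policy to ACCEPT
# and flush/delete every chain in the filter, nat and mangle tables.
#
# WARNING: after this script the box does no filtering at all, and if
# net.ipv4.ip_forward is still 1 it is an open router between its
# interfaces.  Use it for testing or right before loading a fresh rule set,
# not as a "stop" action.
#
# Configurations
#
# The binary path can be overridden from the environment
# (e.g. IPTABLES=/sbin/iptables ./all-flsh.sh -- the MASQ script on this
# page relies on /sbin, Red Hat installs it there).  The original ran all
# twelve commands blindly when the path was wrong; fail early instead.
#
IPTABLES="${IPTABLES:-/usr/sbin/iptables}"
if [ ! -x "$IPTABLES" ]; then
  echo "$0: $IPTABLES not found or not executable" >&2
  exit 1
fi
#
# reset the default policies in the filter table.
#
"$IPTABLES" -P INPUT ACCEPT
"$IPTABLES" -P FORWARD ACCEPT
"$IPTABLES" -P OUTPUT ACCEPT
#
# reset the default policies in the nat table.
#
"$IPTABLES" -t nat -P PREROUTING ACCEPT
"$IPTABLES" -t nat -P POSTROUTING ACCEPT
"$IPTABLES" -t nat -P OUTPUT ACCEPT
#
# reset the default policies in the mangle table.
# (Only the two chains early 2.4 kernels have; on newer 2.4 kernels where
# mangle also has INPUT/FORWARD/POSTROUTING, -F/-X below still empty them,
# only their policies are left as they are.)
#
"$IPTABLES" -t mangle -P PREROUTING ACCEPT
"$IPTABLES" -t mangle -P OUTPUT ACCEPT
#
# flush all the rules in the filter, nat and mangle tables.
#
"$IPTABLES" -F
"$IPTABLES" -t nat -F
"$IPTABLES" -t mangle -F
#
# delete every user-defined chain in the filter, nat and mangle tables.
#
"$IPTABLES" -X
"$IPTABLES" -t nat -X
"$IPTABLES" -t mangle -X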
-----------------------------------------------------------------
[Forwarded packets]