-----------------------------------------
답변자가 기본적으로 참고할 내용입니다.
- 배포판(옵션) : 페도라코어4
- 커널버전(옵션) : 2.6.14-1.1644_FC4
- 데몬버전(예:apache 1.3.27) : bind-9.3.1-14_FC4
- 데몬설치유형(RPM/컴파일/기타)
: RPM
-----------------------------------------
안녕하세요.
일본에 셋팅한 서버가 문제가 생겨 문의드립니다.
일단 증상을 말씀 드리자면...
www.abc.com
www.abc.co.jp
이런 도메인이 두개가 있습니다. bind 설정을 하고..
nslookup 또는 dig 를 사용해서 질의를 해보면..
(dig @168.126.63.1 www.abc.co.jp)
원하는 ip를 가지고 옵니다.
로컬,외부 모두 정상적으로 ip를 가지고 옵니다.
그런데 위 도메인으로 웹페이지 접속시 문제가 발생합니다.
PC에 따라서 웹페이지를 정상적으로 표시하는 PC가 있는 반면...
페이지를 찾을 수 없다고 나오는 PC가 있습니다.
물론 페이지를 못 찾는 PC에서 nslookup 등으로 도메인을 검색해보면...
정상적으로 IP를 얻어옵니다.
약간 의심되는 부분이 있는데..
Apache는 iptable을 사용해서 포트포워딩으로 내부에서 서비스 되고 있습니다.
포트포워딩이 됐다 안됐다 하는 문제일 수도 있다고 생각은 됩니다.
iptable rule 을 올려봅니다. 아래 룰은 커널 2.4버전에서 실제로 사용하고 운영하던
내용을 가져다가 2.6버전에서 그냥 사용했습니다.
너무 두서없이 질문을 드린 건 아닌지 모르겠네요.
질문에 부족한 내용 있으면 알려주세요.
그럼 수고하세요 :)
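#!/bin/sh
#
# rc.firewall - iptables ruleset for a small gateway with one PPP uplink,
# two internal LANs and a DMZ.  All three built-in chains default to DROP;
# anything not accepted below ends in the drop-and-log-it chain.  Inbound
# DNS to the external address is accepted and TCP 80/21 are DNAT'ed to a
# DMZ host.
#
# Runs as root at boot.  Written for POSIX sh (no `echo -e`, no arrays), so
# it behaves the same under dash and bash.
#
FWVER=0.73s

# Print a message to stderr and abort without touching the running ruleset.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

printf '\nLoading STRONGER rc.firewall - version %s..\n\n' "$FWVER"

# Absolute paths: this script is started from init with a minimal PATH.
IPTABLES=/sbin/iptables
LSMOD=/sbin/lsmod
DEPMOD=/sbin/depmod
INSMOD=/sbin/insmod
GREP=/bin/grep
AWK=/bin/awk
SED=/bin/sed
IFCONFIG=/sbin/ifconfig

# Interfaces.  Change them here, not in the rules below.
EXTIF0="ppp0"   # external (PPP) link
INTIF0="eth1"   # internal LAN 0
INTIF1="eth2"   # internal LAN 1
INTIF2="eth0"   # DMZ
echo " External Interface: $EXTIF0"
echo " Internal Interface: $INTIF0"
echo " Internal Interface: $INTIF1"
echo " DMZ Interface: $INTIF2"
echo " ---"

# The external address is read once, here.  On a dynamic PPP link it can
# change later, and every rule below that uses $EXTIP0 is then stale; the
# script has to be re-run when the link comes up again.
EXTIP0=$("$IFCONFIG" "$EXTIF0" | "$GREP" 'inet addr' | "$AWK" '{print $2}' \
  | "$SED" -e 's/.*://')
# With an empty address the -d arguments below would be empty and iptables
# would reject the rules; bail out before the existing ruleset is flushed.
[ -n "$EXTIP0" ] || die " Could not determine the IP address of $EXTIF0 - aborting"
echo " External IP: $EXTIP0"
echo " ---"

INTNET0="192.168.1.0/24"
INTIP0="192.168.1.1/24"
echo " Internal Network: $INTNET0"
echo " Internal IP: $INTIP0"
echo " ---"
INTNET1="192.168.2.0/24"
INTIP1="192.168.2.1/24"
echo " Internal Network: $INTNET1"
echo " Internal IP: $INTIP1"
echo " ---"
INTNET2="192.168.0.0/24"
INTIP2="192.168.0.1/24"
echo " DMZ Network: $INTNET2"
echo " DMZ IP: $INTIP2"
echo " ---"
UNIVERSE="0.0.0.0/0"

echo " - Verifying that all kernel modules are ok"
"$DEPMOD" -a

# Load kernel module $1 unless lsmod already lists it.  The match is on the
# whole module name so that "ip_conntrack" is not satisfied by an already
# loaded "ip_conntrack_ftp".
# NOTE(review): on 2.6 kernels insmod expects a file path, while modprobe
# resolves bare names through the depmod -a run above - confirm which tool
# is intended on this kernel.
load_module() {
  printf '%s, ' "$1"
  if ! "$LSMOD" | "$AWK" '{print $1}' | "$GREP" -qx -- "$1"; then
    "$INSMOD" "$1"
  fi
}

printf ' Loading kernel modules: '
for mod in ip_tables ip_conntrack ip_conntrack_ftp ip_conntrack_irc \
    iptable_nat ip_nat_ftp; do
  load_module "$mod"
done
printf '\n'
echo " ---"

echo " Enabling forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward
echo " Enabling DynamicAddr.."
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
echo " ---"

echo " Clearing any existing rules and setting default policy to DROP.."
# Policies go to DROP before each flush so the box is never open in between.
"$IPTABLES" -P INPUT DROP
"$IPTABLES" -F INPUT
"$IPTABLES" -P OUTPUT DROP
"$IPTABLES" -F OUTPUT
"$IPTABLES" -P FORWARD DROP
"$IPTABLES" -F FORWARD
"$IPTABLES" -F -t nat
# -n: never resolve addresses here - DNS itself has to pass this firewall.
if "$IPTABLES" -n -L drop-and-log-it >/dev/null 2>&1; then
  "$IPTABLES" -F drop-and-log-it
fi
"$IPTABLES" -X
"$IPTABLES" -Z

echo " Creating a DROP chain.."
# NOTE(review): the LOG target is unthrottled; under a flood it can fill the
# syslog.  Consider `-m limit --limit 5/min --limit-burst 10` before the LOG.
"$IPTABLES" -N drop-and-log-it
"$IPTABLES" -A drop-and-log-it -j LOG
"$IPTABLES" -A drop-and-log-it -j DROP

printf '\n - Loading INPUT rulesets\n'
"$IPTABLES" -A INPUT -i lo -s "$UNIVERSE" -d "$UNIVERSE" -j ACCEPT
"$IPTABLES" -A INPUT -i "$INTIF0" -s "$INTNET0" -d "$UNIVERSE" -j ACCEPT
"$IPTABLES" -A INPUT -i "$INTIF1" -s "$INTNET1" -d "$UNIVERSE" -j ACCEPT
"$IPTABLES" -A INPUT -i "$INTIF2" -s "$INTNET2" -d "$UNIVERSE" -j ACCEPT
"$IPTABLES" -A INPUT -i "$EXTIF0" -s "$UNIVERSE" -d "$EXTIP0" \
  -m state --state ESTABLISHED,RELATED -j ACCEPT
# Anti-spoofing: the private networks must never appear as source on the uplink.
for net in "$INTNET0" "$INTNET1" "$INTNET2"; do
  "$IPTABLES" -A INPUT -i "$EXTIF0" -s "$net" -d "$UNIVERSE" -j drop-and-log-it
done

# NameServer
#
printf ' - Allowing EXTERNAL access to the Name server\n'
# NOTE(review): port 42 is the legacy Host Name Server port (WINS on Windows);
# BIND only needs 53.  Confirm 42 is really required before keeping it open.
for port in 42 53; do
  for proto in tcp udp; do
    "$IPTABLES" -A INPUT -i "$EXTIF0" -m state --state NEW,ESTABLISHED,RELATED \
      -p "$proto" -s "$UNIVERSE" -d "$EXTIP0" --dport "$port" -j ACCEPT
  done
done
"$IPTABLES" -A INPUT -s "$UNIVERSE" -d "$UNIVERSE" -j drop-and-log-it

printf ' - Loading OUTPUT rulesets\n'
"$IPTABLES" -A OUTPUT -o lo -s "$UNIVERSE" -d "$UNIVERSE" -j ACCEPT

# Accept locally generated packets leaving interface $1 with source $2
# towards each of the internal networks.
allow_out_from() {
  for dnet in "$INTNET0" "$INTNET1" "$INTNET2"; do
    "$IPTABLES" -A OUTPUT -o "$1" -s "$2" -d "$dnet" -j ACCEPT
  done
}
allow_out_from "$INTIF0" "$EXTIP0"
allow_out_from "$INTIF1" "$EXTIP0"
allow_out_from "$INTIF2" "$EXTIP0"
# The original paired $INTIF0 with $INTIP1 and never used $INTIP0, so packets
# the gateway sent from its own 192.168.1.1 address on $INTIF0 matched no
# ACCEPT and reached the final drop; each interface now uses its own address.
allow_out_from "$INTIF0" "$INTIP0"
allow_out_from "$INTIF1" "$INTIP1"
allow_out_from "$INTIF2" "$INTIP2"
for net in "$INTNET0" "$INTNET1" "$INTNET2"; do
  "$IPTABLES" -A OUTPUT -o "$EXTIF0" -s "$UNIVERSE" -d "$net" -j drop-and-log-it
done
"$IPTABLES" -A OUTPUT -o "$EXTIF0" -s "$EXTIP0" -d "$UNIVERSE" -j ACCEPT
"$IPTABLES" -A OUTPUT -s "$UNIVERSE" -d "$UNIVERSE" -j drop-and-log-it

printf ' - Loading FORWARD rulesets\n'
echo " - FWD: Allow all connections OUT and only existing/related IN"
#PORTFWIPHTTP="192.168.0.11:80-192.168.0.12:80"
#PORTFWIPFTP="192.168.0.11:21-192.168.0.12:21"
PORTFWIPHTTP="192.168.0.11:80"
PORTFWIPFTP="192.168.0.11:21"

# Publish a DMZ TCP service: DNAT port $1 on the external address to $2 and
# accept the forwarded connection from the uplink into the DMZ interface.
publish_tcp() {
  "$IPTABLES" -t nat -A PREROUTING -p tcp -d "$EXTIP0" --dport "$1" \
    -j DNAT --to-destination "$2"
  "$IPTABLES" -A FORWARD -i "$EXTIF0" -o "$INTIF2" -p tcp --dport "$1" \
    -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
}
publish_tcp 80 "$PORTFWIPHTTP"
publish_tcp 21 "$PORTFWIPFTP"

for iif in "$INTIF0" "$INTIF1" "$INTIF2"; do
  "$IPTABLES" -A FORWARD -i "$EXTIF0" -o "$iif" \
    -m state --state ESTABLISHED,RELATED -j ACCEPT
done
# NOTE(review): $INTIF0 has no FORWARD rule towards $EXTIF0 while $INTIF1 and
# $INTIF2 do - confirm LAN 0 is meant to be cut off from the uplink.  Also,
# no POSTROUTING MASQUERADE/SNAT is set up in this script for the private
# networks; unless that is done elsewhere, LAN connections leave the uplink
# with private source addresses.
"$IPTABLES" -A FORWARD -i "$INTIF1" -o "$EXTIF0" -j ACCEPT
"$IPTABLES" -A FORWARD -i "$INTIF2" -o "$EXTIF0" -j ACCEPT
"$IPTABLES" -A FORWARD -i "$INTIF1" -o "$INTIF0" -j ACCEPT
"$IPTABLES" -A FORWARD -i "$INTIF2" -o "$INTIF0" -j ACCEPT
"$IPTABLES" -A FORWARD -i "$INTIF0" -o "$INTIF1" -j ACCEPT
"$IPTABLES" -A FORWARD -i "$INTIF2" -o "$INTIF1" -j ACCEPT
"$IPTABLES" -A FORWARD -i "$INTIF0" -o "$INTIF2" -j ACCEPT
"$IPTABLES" -A FORWARD -i "$INTIF1" -o "$INTIF2" -j ACCEPT
"$IPTABLES" -A FORWARD -j drop-and-log-it
printf '\nDone.\n\n'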