[½¸µ¹]´ÔÀÌ ³²±â½Å ±Û:
>-----------------------------------------
>´äº¯ÀÚ°¡ ±âº»ÀûÀ¸·Î Âü°íÇÒ ³»¿ëÀÔ´Ï´Ù.
>- ¹èÆ÷ÆÇ(¿É¼Ç) : Æäµµ¶óÄÚ¾î4
>- Ä¿³Î¹öÀü(¿É¼Ç) : 2.6.14-1.1644_FC4
>- µ¥¸ó¹öÀü(¿¹:apache 1.3.27) : bind-9.3.1-14_FC4
>- µ¥¸ó¼³Ä¡À¯Çü(RPM/ÄÄÆÄÀÏ/±âŸ)
: RPM
>-----------------------------------------
>
>¾È³çÇϼ¼¿ä.
>
>ÀϺ»¿¡ ¼ÂÆÃÇÑ ¼¹ö°¡ ¹®Á¦°¡ »ý°Ü ¹®Àǵ帳´Ï´Ù.
>ÀÏ´Ü Áõ»óÀ» ¸»¾¸ µå¸®ÀÚ¸é...
>
>www.abc.com
>www.abc.co.jp
>
>ÀÌ·± µµ¸ÞÀÎÀÌ µÎ°³°¡ ÀÖ½À´Ï´Ù. bind ¼³Á¤À» ÇÏ°í..
>nslookup ¶Ç´Â dig ¸¦ »ç¿ëÇؼ ÁúÀǸ¦ Çغ¸¸é..
>(dig @168.126.63.1 www.abc.co.jp)
>
>¿øÇÏ´Â ip¸¦ °¡Áö°í ¿É´Ï´Ù.
>·ÎÄÃ,¿ÜºÎ ¸ðµÎ Á¤»óÀûÀ¸·Î ip¸¦ °¡Áö°í ¿É´Ï´Ù.
>
´äº¯ÀÌ ´Ê¾ú½À´Ï´Ù.
dig +trace ....
ÀÌ·±½ÄÀ¸·Î +trace ¿©·¯¹ø Å×½ºÆ®ÇØ º¸¼¼¿ä.
¾Æ¸¶µµ 2Â÷ ³×ÀÓ¼¹ö°¡ ÀÖ´Ù¸é Master/Slave µ¿±âÈ ¹®Á¦Àΰ͵µ
°°³×¿ä.
>±×·±µ¥ À§ µµ¸ÞÀÎÀ¸·Î À¥ÆäÀÌÁö Á¢¼Ó½Ã ¹®Á¦°¡ ¹ß»ýÇÕ´Ï´Ù.
>PC¿¡ µû¶ó¼ À¥ÆäÀÌÁö¸¦ Á¤»óÀûÀ¸·Î Ç¥½ÃÇÏ´Â PC°¡ Àִ¹ݸé...
>ÆäÀÌÁö¸¦ ãÀ»¼ö ¾ø´Ù°í ³ª¿À´Â PC°¡ ÀÖ½À´Ï´Ù.
>
>¹°·Ð ÆäÀÌÁö¸¦ ¸øã´Â PC¿¡¼ nslookupµîÀ¸·Î µµ¸ÞÀÎÀ» °Ë»öÇغ¸¸é...
>Á¤»óÀûÀ¸·Î IP¸¦ ¾ò¾î¿É´Ï´Ù.
>
>¾à°£ ÀǽɵǴ ºÎºÐÀÌ Àִµ¥..
>Apache´Â iptableÀ» »ç¿ëÇؼ Æ÷Æ®Æ÷¿öµùÀ¸·Î ³»ºÎ¿¡¼ ¼ºñ½º µÇ°í ÀÖ½À´Ï´Ù.
Æ÷Æ®Æ÷¿öµùÀÌ µÆ´Ù ¾ÈµÆ´Ù ÇÏ´Â ¹®Á¦ Àϼöµµ ÀÖ´Ù°í »ý°¢Àº µì´Ï´Ù.
>
>iptable rule À» ¿Ã·Áº¾´Ï´Ù. ¾Æ·¡ ·êÀº Ä¿³Î 2.4¹öÀü¿¡¼ ½ÇÁ¦·Î »ç¿ëÇÏ°í ¿î¿µÇÏ´ø
³»¿ëÀ» °¡Á®´Ù°¡ 2.6¹öÀü¿¡¼ ±×³É »ç¿ëÇß½À´Ï´Ù.
>
>³Ê¹« µÎ¼¾øÀÌ Áú¹®À» µå¸°°Ç ¾Æ´ÑÁö ¸ð¸£°Ú³×¿ä.
>Áú¹®¿¡ ºÎÁ·ÇÑ ³»¿ëÀÖÀ¸¸é ¾Ë·ÁÁÖ¼¼¿ä.
>
>±×·³ ¼ö°íÇϼ¼¿ä :)
>
>
>#!/bin/sh
>FWVER=0.73s
>echo -e "\nLoading STRONGER rc.firewall - version $FWVER..\n"
>IPTABLES=/sbin/iptables
>LSMOD=/sbin/lsmod
>DEPMOD=/sbin/depmod
>INSMOD=/sbin/insmod
>GREP=/bin/grep
>AWK=/bin/awk
>SED=/bin/sed
>IFCONFIG=/sbin/ifconfig
>
>EXTIF0="ppp0"
>
>INTIF0="eth1"
>INTIF1="eth2"
>INTIF2="eth0"
>echo " External Interface: $EXTIF0"
>echo " External Interface: $INTIF0"
>echo " Internal Interface: $INTIF1"
>echo " DMZ Interface: $INTIF2"
>echo " ---"
>
>EXTIP0="`$IFCONFIG $EXTIF0 | $GREP 'inet addr' | $AWK '{print $2}' |
\
>$SED -e 's/.*://'`"
>
>echo " External IP: $EXTIP0"
>echo " ---"
>
>INTNET0="192.168.1.0/24"
>INTIP0="192.168.1.1/24"
>echo " Internal Network: $INTNET0"
>echo " Internal IP: $INTIP0"
>echo " ---"
>INTNET1="192.168.2.0/24"
>INTIP1="192.168.2.1/24"
>echo " Internal Network: $INTNET1"
>echo " Internal IP: $INTIP1"
>echo " ---"
>INTNET2="192.168.0.0/24"
>INTIP2="192.168.0.1/24"
>echo " DMZ Network: $INTNET2"
>echo " DMZ IP: $INTIP2"
>echo " ---"
>
>UNIVERSE="0.0.0.0/0"
>
>echo " - Verifying that all kernel modules are ok"
>$DEPMOD -a
>
>echo -en " Loading kernel modules: "
>
>echo -en "ip_tables, "
>if [ -z "` $LSMOD | $GREP ip_tables | $AWK {'print $1'} `" ];
then
> $INSMOD ip_tables
>fi
>
>echo -en "ip_conntrack, "
>if [ -z "` $LSMOD | $GREP ip_conntrack | $AWK {'print $1'} `" ];
then
> $INSMOD ip_conntrack
>fi
>
>echo -e "ip_conntrack_ftp, "
>if [ -z "` $LSMOD | $GREP ip_conntrack_ftp | $AWK {'print $1'} `" ];
then
> $INSMOD ip_conntrack_ftp
>fi
>
>echo -en " ip_conntrack_irc, "
>if [ -z "` $LSMOD | $GREP ip_conntrack_irc | $AWK {'print $1'} `" ];
then
> $INSMOD ip_conntrack_irc
>fi
>
>echo -en "iptable_nat, "
>if [ -z "` $LSMOD | $GREP iptable_nat | $AWK {'print $1'} `" ];
then
> $INSMOD iptable_nat
>fi
>
>echo -e "ip_nat_ftp"
>if [ -z "` $LSMOD | $GREP ip_nat_ftp | $AWK {'print $1'} `" ];
then
> $INSMOD ip_nat_ftp
>fi
>
>echo " ---"
>
>echo " Enabling forwarding.."
>echo "1" > /proc/sys/net/ipv4/ip_forward
>
>echo " Enabling DynamicAddr.."
>echo "1" > /proc/sys/net/ipv4/ip_dynaddr
>
>echo " ---"
>
>echo " Clearing any existing rules and setting default policy to
DROP.."
>$IPTABLES -P INPUT DROP
>$IPTABLES -F INPUT
>$IPTABLES -P OUTPUT DROP
>$IPTABLES -F OUTPUT
>$IPTABLES -P FORWARD DROP
>$IPTABLES -F FORWARD
>$IPTABLES -F -t nat
>
>if [ -n "`$IPTABLES -L | $GREP drop-and-log-it`" ]; then
> $IPTABLES -F drop-and-log-it
>fi
>$IPTABLES -X
>$IPTABLES -Z
>
>echo " Creating a DROP chain.."
>$IPTABLES -N drop-and-log-it
>$IPTABLES -A drop-and-log-it -j LOG
>$IPTABLES -A drop-and-log-it -j DROP
>
>echo -e "\n - Loading INPUT rulesets"
>
>$IPTABLES -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
>
>$IPTABLES -A INPUT -i $INTIF0 -s $INTNET0 -d $UNIVERSE -j ACCEPT
>$IPTABLES -A INPUT -i $INTIF1 -s $INTNET1 -d $UNIVERSE -j ACCEPT
>$IPTABLES -A INPUT -i $INTIF2 -s $INTNET2 -d $UNIVERSE -j ACCEPT
>
>$IPTABLES -A INPUT -i $EXTIF0 -s $UNIVERSE -d $EXTIP0 -m state --state
ESTABLISHED,RELATED -j ACCEPT
>
>$IPTABLES -A INPUT -i $EXTIF0 -s $INTNET0 -d $UNIVERSE -j
drop-and-log-it
>$IPTABLES -A INPUT -i $EXTIF0 -s $INTNET1 -d $UNIVERSE -j
drop-and-log-it
>$IPTABLES -A INPUT -i $EXTIF0 -s $INTNET2 -d $UNIVERSE -j
drop-and-log-it
>
># NameServer
>#
>echo -e " - Allowing EXTERNAL access to the Name server"
>$IPTABLES -A INPUT -i $EXTIF0 -m state --state NEW,ESTABLISHED,RELATED -p tcp -s
$UNIVERSE -d $EXTIP0 --dport 42 -j ACCEPT
>$IPTABLES -A INPUT -i $EXTIF0 -m state --state NEW,ESTABLISHED,RELATED -p udp -s
$UNIVERSE -d $EXTIP0 --dport 42 -j ACCEPT
>$IPTABLES -A INPUT -i $EXTIF0 -m state --state NEW,ESTABLISHED,RELATED -p tcp -s
$UNIVERSE -d $EXTIP0 --dport 53 -j ACCEPT
>$IPTABLES -A INPUT -i $EXTIF0 -m state --state NEW,ESTABLISHED,RELATED -p udp -s
$UNIVERSE -d $EXTIP0 --dport 53 -j ACCEPT
>$IPTABLES -A INPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it
>
>echo -e " - Loading OUTPUT rulesets"
>
>$IPTABLES -A OUTPUT -o lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
>
>$IPTABLES -A OUTPUT -o $INTIF0 -s $EXTIP0 -d $INTNET0 -j ACCEPT
>$IPTABLES -A OUTPUT -o $INTIF0 -s $EXTIP0 -d $INTNET1 -j ACCEPT
>$IPTABLES -A OUTPUT -o $INTIF0 -s $EXTIP0 -d $INTNET2 -j ACCEPT
>$IPTABLES -A OUTPUT -o $INTIF1 -s $EXTIP0 -d $INTNET0 -j ACCEPT
>$IPTABLES -A OUTPUT -o $INTIF1 -s $EXTIP0 -d $INTNET1 -j ACCEPT
>$IPTABLES -A OUTPUT -o $INTIF1 -s $EXTIP0 -d $INTNET2 -j ACCEPT
>$IPTABLES -A OUTPUT -o $INTIF2 -s $EXTIP0 -d $INTNET0 -j ACCEPT
>$IPTABLES -A OUTPUT -o $INTIF2 -s $EXTIP0 -d $INTNET1 -j ACCEPT
>$IPTABLES -A OUTPUT -o $INTIF2 -s $EXTIP0 -d $INTNET2 -j ACCEPT
>
>$IPTABLES -A OUTPUT -o $INTIF0 -s $INTIP1 -d $INTNET0 -j ACCEPT
>$IPTABLES -A OUTPUT -o $INTIF0 -s $INTIP1 -d $INTNET1 -j ACCEPT
>$IPTABLES -A OUTPUT -o $INTIF0 -s $INTIP1 -d $INTNET2 -j ACCEPT
>$IPTABLES -A OUTPUT -o $INTIF1 -s $INTIP1 -d $INTNET0 -j ACCEPT
>$IPTABLES -A OUTPUT -o $INTIF1 -s $INTIP1 -d $INTNET1 -j ACCEPT
>$IPTABLES -A OUTPUT -o $INTIF1 -s $INTIP1 -d $INTNET2 -j ACCEPT
>$IPTABLES -A OUTPUT -o $INTIF2 -s $INTIP2 -d $INTNET0 -j ACCEPT
>$IPTABLES -A OUTPUT -o $INTIF2 -s $INTIP2 -d $INTNET1 -j ACCEPT
>$IPTABLES -A OUTPUT -o $INTIF2 -s $INTIP2 -d $INTNET2 -j ACCEPT
>
>$IPTABLES -A OUTPUT -o $EXTIF0 -s $UNIVERSE -d $INTNET0 -j
drop-and-log-it
>$IPTABLES -A OUTPUT -o $EXTIF0 -s $UNIVERSE -d $INTNET1 -j
drop-and-log-it
>$IPTABLES -A OUTPUT -o $EXTIF0 -s $UNIVERSE -d $INTNET2 -j
drop-and-log-it
>
>$IPTABLES -A OUTPUT -o $EXTIF0 -s $EXTIP0 -d $UNIVERSE -j ACCEPT
>
>$IPTABLES -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it
>
>echo -e " - Loading FORWARD rulesets"
>
>echo " - FWD: Allow all connections OUT and only existing/related
IN"
>#PORTFWIPHTTP="192.168.0.11:80-192.168.0.12:80"
>#PORTFWIPFTP="192.168.0.11:21-192.168.0.12:21"
>PORTFWIPHTTP="192.168.0.11:80"
>PORTFWIPFTP="192.168.0.11:21"
>$IPTABLES -A PREROUTING -t nat -p tcp -d $EXTIP0 --dport 80 -j DNAT --to
$PORTFWIPHTTP
>$IPTABLES -A FORWARD -i $EXTIF0 -o $INTIF2 -p tcp --dport 80 -m state --state
NEW,ESTABLISHED,RELATED -j ACCEPT
>$IPTABLES -A PREROUTING -t nat -p tcp -d $EXTIP0 --dport 21 -j DNAT --to
$PORTFWIPFTP
>$IPTABLES -A FORWARD -i $EXTIF0 -o $INTIF2 -p tcp --dport 21 -m state --state
NEW,ESTABLISHED,RELATED -j ACCEPT
>
>$IPTABLES -A FORWARD -i $EXTIF0 -o $INTIF0 -m state --state ESTABLISHED,RELATED -j
ACCEPT
>$IPTABLES -A FORWARD -i $EXTIF0 -o $INTIF1 -m state --state ESTABLISHED,RELATED -j
ACCEPT
>$IPTABLES -A FORWARD -i $EXTIF0 -o $INTIF2 -m state --state ESTABLISHED,RELATED -j
ACCEPT
>
>$IPTABLES -A FORWARD -i $INTIF1 -o $EXTIF0 -j ACCEPT
>$IPTABLES -A FORWARD -i $INTIF2 -o $EXTIF0 -j ACCEPT
>
>$IPTABLES -A FORWARD -i $INTIF1 -o $INTIF0 -j ACCEPT
>$IPTABLES -A FORWARD -i $INTIF2 -o $INTIF0 -j ACCEPT
>$IPTABLES -A FORWARD -i $INTIF0 -o $INTIF1 -j ACCEPT
>$IPTABLES -A FORWARD -i $INTIF2 -o $INTIF1 -j ACCEPT
>$IPTABLES -A FORWARD -i $INTIF0 -o $INTIF2 -j ACCEPT
>$IPTABLES -A FORWARD -i $INTIF1 -o $INTIF2 -j ACCEPT
>
>$IPTABLES -A FORWARD -j drop-and-log-it
>
>echo -e "\nDone.\n"
========================================
|