[보안] 클루닉스 bridge Server 구축

### 클루닉스 Bridge Server Install #######################

#   제작일 : 2004.5.6  작성자 : 서진우 < alang@clunix.com>

#

1. Bridge 네트워크 구성

– 먼저 bridge 서버의 물리적 네트워크 구성은 다음과 같다.

라우터 —– 브리지서버(eth0)|브리지서버(eth1) —- 백본스위치 —– 클라이언트

——————————————————————————-

라우터 -> 브리지서버(eth0) : cross cable

브리지서버(eth1) -> 백본스위치 : direct cable

——————————————————————————-

– 외부회선 —- 브리지서버(eth0)|브리지서버(eth1) —- 스위치 — 클라이언트

——————————————————————————-

외부회선 -> 브리지서버(eth0) : direct cable

브리지서버(eth1) -> 스위치 : direct cable

——————————————————————————-

2. 구축 준비 패키지

H/W :

랜카드 2장 달린 시스템

S/W :

리눅스커널 : 2.4.26

브리지 커널 패치 : ebtables-brnf-5_vs_2.4.25.diff

브리지 유틸 : bridge-utils-0.9.6.tar.gz iptables

커널 패치 : patch-o-matic-20031219.tar.bz2 iptables

유틸 : iptables-1.2.9.tar.bz2

bridge 커널 패치 및 bridge utils

Linux ethernet bridging http://bridge.sourceforge.net

bridge-nf-0.0.7-against-2.4.19.diff

bridge-utils-0.9.6.tar.gz

iptables 커널 패치 및 iptables

netfilter/iptables http://www.netfilter.org

patch-o-matic-20030107.tar.bz2

iptables-1.2.8.tar.bz2

리눅스 커널 소스

The Linux Kernel Archives http://www.kernel.org

linux-2.4.19.tar.bz2

ftp://syszone.co.kr/pub/linux/kernel

3. 커널 패치

– kernel patch

# cd /usr/src

# tar jxvf linux-2.4.26.tar.bz2

# ln -sf linux-2.4.26 linux

# cd linux

# patch -p1 < ../ebtables-brnf-5_vs_2.4.25.diff

– iptables patch ( string )

# tar jxvf patch-o-matic-20031219.tar.bz2

# cd patch-o-matic

# ./runme extra

Hey! KERNEL_DIR is not set.

Where is your kernel? [/usr/src/linux]   ->  Y ( 링크 재대로 걸어야 함 )

그럼 아래와 같이..다음과 같은 패치 한다고 물어봄

.

.

   + New ‘helper’ match (Martin Josefsson, Harald Welte)

   submitted/ip6tables-exthdr-bug.patch.ipv6

   + Fix broken ipv6 extensionheader parser (Andras Kis-Szabo)

   submitted/ipv6-agr.patch.ipv6

   + New ip6tables ‘eui64’ match (Andras Kis-Szabo)

   submitted/length.patch.ipv6

   + New ip6tables ‘length’ match (Imran Patel, James Morris)

   submitted/log-tunnel-fix.patch.ipv6

   + Fix ip6tables ‘LOG’ target MAC address in case of tunnels

   (Peter Bieringer, Andras Kis-Szabo)

   submitted/nat-memoryleak-fix.patch

   + Fix memoryleak at iptable_nat unload time (zhongyu)

   submitted/ownercmd.patch

   + Extend ‘owner’ match to match cmdline (Marc Boucher)

   submitted/pkttype.patch

   + New ‘pkttype’ match (Michal Ludvig)

   submitted/ulog-nlgroup-shift-fix.patch

   + Fix error with shifting nlgroup in ULOG target (Harald Welte)

   submitted/ulog-sparc-bitops-fix.patch

   + Include linux/bitops.h instead of asm/bitops.h

   submitted/z-newnat16.patch

   + Redesign of conntrack and nat helper framework, for more info see

http://cvs.netfilter.org/cgi-bin/cvsweb/netfilter/documentation/newnat-summary.txt

   (Harald Welte, Jozsef Kadlecsik, and others)

   submitted/z-newnat_assertfix.patch

   + Fix erroneously printed ASSERT messages when debugging of newnat

   enabled (Martin Josefsson)

   submitted/z-newnat_changeexpect-lockfix.patch

   + Fix locking bug in ip_conntrack_change_expect() (Martin Josefsson)

   Further changes, not previuosly in patch-o-matic:

   + ip6tables usage counter fix (Harald Welte)

   + ip_queue cleanup (James Morris)

   + minor spelling fixes

   + __constant_htons() macro changes

   + ipt_unclean: srcport _can_ be zero

   + yet another ipchains GFP_ATOMIC fix

—————————————————————–

Do you want to apply this patch [N/y/t/f/a/r/b/w/v/q/?]

그냥 엔터 ..

iptable패치에는 내용이 여러 가지가 존재한다. y를 누르면 패치가 된다.

그러나 전부 패치를 하면 안 된다. 나중에 커널을 컴파일 하면 에러가 나기

때문에 꼭 필요한 것만 y를 눌러 패치 한다. b를 누르면 뒤로 돌아갈 수 있다.

지금 패치 할 것은 패킷에서 String을 검색하여 패킷을 버리거나 거부 하는

String match support 이다. 이것을 이용하면 Nimda, CodeRed 등의 웜이나

바이러스의 패킷을 차단 할 수 있다.

그리고 메일의 string 을 검색하여 스팸 메일 차단에 이용할 것이다.

계속 엔터를 쳐서 가다 보면 아래와 같은 화면이 나올것 이다.

Welcome to Rusty’s Patch-o-matic!

Each patch is a new feature: many have minimal impact, some do not.

Almost every one has bugs, so I don’t recommend applying them all!

——————————————————-

Already applied: submitted/01_2.4.19

Testing… string.patch NOT APPLIED ( 2 missing files) The extra/string patch:

   Author: Emmanuel Roger <winfield@freegates.be>

   Status: Working, not with kernel 2.4.9

  

   This patch adds CONFIG_IP_NF_MATCH_STRING which allows you to

   match a string in a whole packet.

  

   THIS PATCH DOES NOT WORK WITH KERNEL 2.4.9 !!!

  

—————————————————————–

Do you want to apply this patch [N/y/t/f/a/r/b/w/v/q/?]

여기서 y를 누르면 String match가 패치 된다.

계속 엔터를 치면 다른 패치들이 나온다. 필요한 것들이 있으면 패치한다.

– 커널 설정

# cd /usr/src/linux

# make menuconfig

network option 으로 가서 netfilter 관련 설정과 bridge 관련 설정을 한다.

Networking options

  x x      <*> Packet socket                                              x x  

  x x      [*]   Packet socket: mmapped IO                                x x  

  x x      < > Netlink device emulation                                   x x  

  x x      [*] Network packet filtering (replaces ipchains)               x x  

  x x      [ ]   Network packet filtering debugging                       x x  

  x x      [*] Socket Filtering                                           x x  

  x x      <*> Unix domain sockets                                        x x  

  x x      [*] TCP/IP networking                                          x x  

  x x      [*]   IP: multicasting                                         x x  

  x x      [ ]   IP: advanced router                                      x x  

  x x      [ ]   IP: kernel level autoconfiguration                       x x  

  x x      < >   IP: tunneling                                            x x  

  x x      < >   IP: GRE tunnels over IP                                  x x  

  x x      [*]   IP: multicast routing                                    x x  

  x x      [ ]     IP: PIM-SM version 1 support                           x x  

  x x      [ ]     IP: PIM-SM version 2 support                           x x  

  x x      [ ]   IP: ARP daemon support (EXPERIMENTAL)                    x x  

  x x      [ ]   IP: TCP Explicit Congestion Notification support         x x  

  x x      [*]   IP: TCP syncookie support (disabled per default)         x x  

  x x        IP: Netfilter Configuration  —>                            x x  

  x x        IP: Virtual Server Configuration  —>                       x x  

  x x      < >   The IPv6 protocol (EXPERIMENTAL)                         x x  

  x x      < >   Kernel httpd acceleration (EXPERIMENTAL)                 x x  

  x x         SCTP Configuration (EXPERIMENTAL)  —>                     x x  

  x x      < > Asynchronous Transfer Mode (ATM) (EXPERIMENTAL)            x x  

  x x      < > 802.1Q VLAN Support                                        x x  

  x x      —                                                            x x  

  x x      < > The IPX protocol                                           x x  

  x x      < > Appletalk protocol support                                 x x  

  x x      Appletalk devices  —>                                        x x  

  x x      < > DECnet Support                                             x x  

  x x      <*> 802.1d Ethernet Bridging                                   x x  

  x x      <M>   Bridge: ebtables                                         x x  

  x x      <M>     ebt: filter table support                              x x  

  x x      <M>     ebt: nat table support                                 x x  

  x x      <M>     ebt: broute table support                              x x  

  x x      <M>     ebt: log support                                       x x  

  x x      <M>     ebt: IP filter support                                 x x  

  x x      <M>     ebt: ARP filter support                                x x  

  x x      <M>     ebt: among filter support                              x x  

  x x      <M>     ebt: limit filter support                              x x  

  x x      <M>     ebt: 802.1Q VLAN filter support                        x x  

  x x      <M>     ebt: 802.3 filter support                              x x  

  x x      <M>     ebt: packet type filter support                        x x  

  x x      <M>     ebt: STP filter support                                x x  

  x x      <M>     ebt: mark filter support                               x x  

  x x      <M>     ebt: arp reply target support                          x x  

  x x      <M>     ebt: snat target support                               x x  

  x x      <M>     ebt: dnat target support                               x x  

  x x      <M>     ebt: redirect target support                           x x  

  x x      <M>     ebt: mark target support                               x x  

  x x      < > CCITT X.25 Packet Layer (EXPERIMENTAL)                     x x  

  x x      < > LAPB Data Link Driver (EXPERIMENTAL)                       x x  

  x x      [ ] 802.2 LLC (EXPERIMENTAL)                                   x x  

  x x      [ ] Frame Diverter (EXPERIMENTAL)                              x x  

  x x      < > Acorn Econet/AUN protocols (EXPERIMENTAL)                  x x  

  x x      < > WAN router                                                 x x  

  x x      [ ] Fast switching (read help!)                                x x  

  x x      [ ] Forwarding between high speed interfaces                   x x  

  x x      QoS and/or fair queueing  —>                                 x x  

  x x      Network testing  —>                                          x x  

IP: Netfilter Configuration

  x x      <*> Connection tracking (required for masq/NAT)                x x  

  x x      <M>   FTP protocol support                                     x x  

  x x      <M>   Amanda protocol support                                  x x  

  x x      <M>   TFTP protocol support                                    x x  

  x x      <M>   IRC protocol support                                     x x  

  x x      <M> Userspace queueing via NETLINK (EXPERIMENTAL)              x x  

  x x      <*> IP tables support (required for filtering/masq/NAT)        x x  

  x x      <M>   limit match support                                      x x  

  x x      <M>   MAC address match support                                x x  

  x x      <M>   Packet type match support                                x x  

  x x      <M>   netfilter MARK match support                             x x  

  x x      <M>   Multiple port match support                              x x  

  x x      <M>   TOS match support                                        x x  

  x x      <M>   recent match support                                     x x  

  x x      <M>   ECN match support                                        x x  

  x x      <M>   DSCP match support                                       x x  

  x x      <M>   AH/ESP match support                                     x x  

  x x      <M>   LENGTH match support                                     x x  

  x x      <M>   TTL match support                                        x x  

  x x      <M>   tcpmss match support                                     x x  

  x x      <M>   Helper match support                                     x x  

  x x      <M>   Connection state match support                           x x  

  x x      <M>   Connection tracking match support                        x x  

  x x      <M>   Unclean match support (EXPERIMENTAL)                     x x  

  x x      <M>   String match support (EXPERIMENTAL)                      x x  

  x x      <M>   Owner match support (EXPERIMENTAL)                       x x  

  x x      <M>   Physdev match support                                    x x  

  x x      <M>   Packet filtering                                         x x  

  x x      <M>     REJECT target support                                  x x  

  x x      <M>     MIRROR target support (EXPERIMENTAL)                   x x  

  x x      <M>   Full NAT                                                 x x  

  x x      <M>     MASQUERADE target support                              x x  

  x x      <M>     REDIRECT target support                                x x  

  x x      [*]     NAT of local connections (READ HELP)                   x x  

  x x      <M>     Basic SNMP-ALG support (EXPERIMENTAL)                  x x  

  x x      <M>   Packet mangling                                          x x  

  x x      <M>     TOS target support                                     x x  

  x x      <M>     ECN target support                                     x x  

  x x      <M>     DSCP target support                                    x x  

  x x      <M>     MARK target support                                    x x  

  x x      <M>   LOG target support                                       x x  

  x x      <M>   ULOG target support                                      x x  

  x x      <M>   TCPMSS target support                                    x x  

  x x      <M> ARP tables support                                         x x    

  x x      <M>   ARP packet filtering                                     x x  

  x x      <M>   ARP payload mangling                                     x x  

다른것은 커널 컴파일 문서를 참고하세요.

P-III / IDE HDD / intel, realtec ethernet Card 시스템의 커널 설정 파일을

다운 받아서 수정후 사용하셔도 됨.

# make dep && make clean

# make bzImage && make modules && make modules_install

# cp System.map /boot/System.map-2.4.26

# cp arch/i386/boot/bzImage /boot/vmlinuz-2.4.26

# cd /boot

# ln -sf System.map-2.4.26 System.map

# ln -sf vmlinuz-2.4.26 vmlinuz

하신후 /etc/lilo.conf 수정하고 lilo 실행

# vi /etc/lilo.conf

—————————————————————————-

prompt

timeout=50

default=bridge

boot=/dev/hda

map=/boot/map

install=/boot/boot.b

message=/boot/message

linear

image=/boot/vmlinuz-2.4.20-8

        label=linux

        initrd=/boot/initrd-2.4.20-8.img

        read-only

        append=”root=LABEL=/”

image=/boot/vmlinuz

        label=bridge

        read-only

        root=/dev/hda2

—————————————————————————

리부팅 하세요..

4. Bridge utiles, iptables 설치 하기

# tar xzvf bridge-utils-0.9.6.tar.gz

# cd bridge-utils

# ./configure

# make

# make install

# tar xjvf iptables-1.2.9.tar.bz2

# cd iptables-1.2.9

# make KERNEL_DIR=/usr/src/linux

# make install KERNEL_DIR=/usr/src/linux # make install-devel

iptables 설치 하고 난 후 rpm 으로 설치된 iptables 와 충돌이 안나게 기존 명령어 을 막아 놓으세요.

레드헷의 경우 /sbin/iptables 위치함. 적당한 다른 이름으로 변경해둠. 그런후 ..

# ln -sf /usr/local/sbin/iptables /sbin/iptables

5. Bridge 네트워크 설정하기

Bridge device 추가함

# /usr/local/sbin/brctl addbr clxbr0

# /usr/local/sbin/brctl addif clxbr0 eth0 # /usr/local/sbin/brctl addif clxbr0 eth1

# vi /etc/sysconfig/network-scripts/ifcfg-clxbr0

—————————————————————————-

DEVICE=clxbr0

IPADDR=211.241.202.142

NETMASK=255.255.255.128

ONBOOT=yes

—————————————————————————-

# vi /etc/sysconfig/network-scripts/ifcfg-eth0

—————————————————————————-

DEVICE=eth0

ONBOOT=no

—————————————————————————-

# vi /etc/sysconfig/network-scripts/ifcfg-eth1

—————————————————————————-

DEVICE=eth1

ONBOOT=no

—————————————————————————-

# ifdown lo

# ifdown eth0

# ifdown eth1

# ifup lo

# ifconfig ifconfig

# ifconfig eth0 0.0.0.0

# ifconfig eth1 0.0.0.0

# ifup clxbr0

하면 Bridge Network 설정이 마무리 됨.

Bridge Server 외부와 내부로 ping 이 되는지 확인 함.

매번 리부팅 될때 마다 위와 같은 작업을 해야 하기 때문에 다음 init script을

이용 하여 부팅 시마다 자동으로 적용되도록 함.

# vi /etc/rc.d/init.d/bridge

—————————————————————————

#! /bin/sh

#

# bridge        Start/Stop Ethernet Bridge interface with 2 ethernet NIC

#

# description:  Ethernet Bridge for transparent(bridge) Firewall

#               make bridge interface(clxbr0) and tie 2 NIC to clxbr0 and

#               setup firewall & NAT(MASQUERADE) of iptables

#

# Clunix.inc <alang@clunix.com> 2004.5.1 #

# Source function library.

. /etc/init.d/functions

# Source Network config

. /etc/sysconfig/network

# Check that networking is up.

if [ ${NETWORKING} = “no” ]

then

        exit 0

fi

[ -x /usr/local/sbin/brctl ] || exit 0

RETVAL=0

start() {

        # check /var/lock/subsys/bridge file

        if [ -f /var/lock/subsys/bridge ] ; then

                return

        fi

        # make bridge interface

        echo -n $”Starting Bridge: ”

        /usr/local/sbin/brctl addbr clxbr0 > /dev/null 2>&1 &&

        /usr/local/sbin/brctl addif clxbr0 eth0 > /dev/null 2>&1 &&

        /usr/local/sbin/brctl addif clxbr0 eth1 > /dev/null 2>&1

        RETVAL=$?

        if [ $RETVAL -eq 0 ] ; then

                success “bridge startup”

        else

                failure “bridge startup”

        fi

        echo

        # start networking of bridge

        echo -n $”Starting Network of Bridge: ”

        ifup lo && ifconfig eth0 0.0.0.0 && \\

          ifconfig eth1 0.0.0.0 && ifup clxbr0

        RETVAL=$?

        [ $RETVAL -eq 0 ] && success “Network of bridge startup” \\

        || failure “Network of bridge startup”

        echo

        touch /var/lock/subsys/bridge

        return $RETVAL

}

stop() {

        # check /var/lock/subsys/bridge file

        if [ ! -f /var/lock/subsys/bridge ] ; then

                return

        fi

        # stop networking of bridge

        echo -n $”Stopping Network of bridge: ”

        ifdown clxbr0 && ifconfig eth1 down && ifconfig eth0 down && ifdown lo

        RETVAL=$?

        [ $RETVAL -eq 0 ] && success “Network of bridge stopping” \\

        || failure “Network of bridge stopping”

        echo

        # stop bridge interface

        echo -n $”Stopping Bridge: ”

        /usr/local/sbin/brctl delif clxbr0 eth1 > /dev/null 2>&1 &&

        /usr/local/sbin/brctl delif clxbr0 eth0 > /dev/null 2>&1 &&

        /usr/local/sbin/brctl delbr clxbr0 > /dev/null 2>&1

        RETVAL=$?

        if [ $RETVAL -eq 0 ] ; then

                success “bridge stopping”

        else

                failure “bridge stopping”

        fi

        echo

        rm -f /var/lock/subsys/bridge

        return $RETVAL

}

# See how we were called.

case “$1” in

  start)

        start

        ;;

  stop)

        stop

        ;;

  status)

        /usr/local/sbin/brctl show

        ;;

  restart)

        stop

        sleep 2

        start

        ;;

  *)

        echo  $”Usage: $0 {start|stop|status|restart}”

        exit 1

esac

exit $RETVAL

——————————————————————————

# ln -sf /etc/rc.d/init.d/bridge /etc/rc3.d/S11bridge # chkconfig –add bridge

5. iptables script 사용하기

# vi /etc/rc.d/init.d/brctl

——————————————————————————

#! /bin/sh

#

# iptables      Start/Stop firewall with iptables

#

# description:  Clunix Firewall filtering & NAT with iptables

#

# Clunix.inc <alang@clunix.com> 2004.05.01

#

# Source function library.

. /etc/init.d/functions

# Source Network config

. /etc/sysconfig/network

# Check that networking is up.

if [ ${NETWORKING} = “no” ]

then

        exit 0

fi

[ -x /usr/local/sbin/iptables ] || exit 0

RETVAL=0

start() {

        # check /var/lock/subsys/firewall file

        if [ -f /var/lock/subsys/firewall ] ; then

                return

        fi

        # print “start firewall” msg

        echo -n $”Starting Firewall: ”

        #

        # start firewall & NAT

        #

        # 내부 네트워크 영역 설정

        INTER_AREA=”211.241.202.128/25″

        modprobe ip_conntrack_ftp

        modprobe ip_conntrack_irc

        modprobe ipt_string

        modprobe ipt_state

        modprobe ipt_REJECT

        modprobe ipt_REDIRECT

        modprobe ipt_MASQUERADE

        modprobe ip_nat_snmp_basic

        modprobe ip_nat_ftp

        modprobe ip_nat_irc

        

        echo 1 > /proc/sys/net/ipv4/ip_forward

        #

        # init iptables

        #

        # flush all chains

        iptables -F

        iptables -X

        chains=`cat /proc/net/ip_tables_names 2>/dev/null`

        for i in $chains

        do

                iptables -t $i -F

                iptables -t $i -X

                iptables -t $i -Z

        done

        # 기본 정책 설정

        iptables -P INPUT DROP

        iptables -P OUTPUT ACCEPT

        # firewall filtering

        iptables -P FORWARD DROP

        ######################################################################

        # User defined chains

        ######################################################################

        #

        # refuse :

        # explicit refuse chains

        # logging to /var/log/firewall (via syslog kern.debug) & reject

        #

        iptables -N refuse

        iptables -A refuse ! -i eth1 -m limit –limit 1/m -j LOG \\

          –log-prefix “refused: ” –log-level debug

        iptables -A refuse -p tcp -m limit –limit 10/s -j REJECT \\

          –reject-with tcp-reset

        iptables -A refuse -p udp -m limit –limit 10/s -j REJECT

        iptables -A refuse -j DROP

        #

        # global_icmp :

        # specified ICMP packets are accepted globally

        #

        # accept following icmp pkt

        #  –  0 : echo reply

        #  –  3 : dest unreachable

        #  –  5 : redirect

        #  –  8 : echo request

        #  – 11 : time exceed

        iptables -N global_icmp

        iptables -A global_icmp -p icmp –icmp-type 0 -j ACCEPT

        iptables -A global_icmp -p icmp –icmp-type 3 -j ACCEPT

        iptables -A global_icmp -p icmp –icmp-type 5 -j ACCEPT

        iptables -A global_icmp -p icmp –icmp-type 8 -j ACCEPT

        iptables -A global_icmp -p icmp –icmp-type 11 -j ACCEPT

        #

        # global_udp :

        # specified udp packets are accepted globally

        #

        iptables -N global_udp

        # edoneky (4661-4663/tcp, 4665/udp) for all PC

        iptables -A global_udp -p udp –dport 4665 -j ACCEPT

        #

        # global_tcp :

        # specified tcp packets (that is valid) are accepted globally

        #

        # specified tcp packets (that is valid) are accepted globally

        #

        iptables -N global_tcp

        # accept tcp syn pkt

        # iptables -A global_tcp -p tcp –syn -j ACCEPT

        # drop new pkt that has no syn

        iptables -A global_tcp -p tcp ! –syn -m state –state NEW -j DROP

        # MSN file transfer (6891-6900/tcp) for all PC

        # http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q278887&

        iptables -A global_tcp -p tcp –dport 6891:6900 -j ACCEPT

        # edoneky (4661-4663/tcp, 4665/udp) for all PC

        iptables -A global_tcp -p tcp –dport 4661:4663 -j ACCEPT

        #

        # open :

        # accept connection by each server:port

        #

        iptables -N open

        iptables -A open -p tcp -d 211.241.202.153 –dport 22 -j ACCEPT

        iptables -A open -p tcp -d 211.241.202.152 –dport 25 -j ACCEPT

        # String Rule

        # Nimda, CodeRed

        iptables -A FORWARD -p tcp –tcp-flags ACK ACK –dport 80 -m string \\

        –string “/default.ida?” -j REJECT –reject-with tcp-reset

        iptables -A FORWARD -p tcp  –tcp-flags ACK ACK –dport 80 -m string \\

        –string “XXXXXXXX” -j REJECT –reject-with tcp-reset

        iptables -A FORWARD -p tcp  –tcp-flags ACK ACK –dport 80 -m string \\

        –string “cmd.exe” -j REJECT –reject-with tcp-reset

        iptables -A FORWARD -p tcp  –tcp-flags ACK ACK –dport 80 -m string \\

        –string “root.exe?” -j REJECT –reject-with tcp-reset

        # Mail Subject,Content String

        iptables -A FORWARD -p tcp –dport 25 -m string –string “test” -j REJECT \\

        –reject-with tcp-reset

        iptables -A FORWARD -p tcp –dport 25 -m string –string “광고” -j REJECT \\

        –reject-with tcp-reset

        # SQL Slammer

        iptables -A FORWARD -p udp -m string –string “Qh.dllhel32hkern” -j REJECT

        ######################################################################

        # FORWARD chain rules

        ######################################################################

        # accept all packets from internal network (eth1)

        iptables -A FORWARD -p ALL -i eth1 -j ACCEPT

        iptables -A FORWARD -m state –state ESTABLISHED,RELATED -j ACCEPT

        

        # New Rules Forward

        iptables -A FORWARD -p icmp -j global_icmp

        iptables -A FORWARD -p udp -j global_udp

        iptables -A FORWARD -p tcp -j global_tcp

        iptables -A FORWARD -j open

        # otherwise, refuse it

        iptables -A FORWARD -j refuse

        # accept all pkt from local loopback interface

        iptables -A INPUT -i lo -j ACCEPT

        # accept all packets by stateful-inspection

        iptables -A INPUT -m state –state ESTABLISHED,RELATED -j ACCEPT

        # filter by global icmp pkt

        iptables -A INPUT -p icmp -j global_icmp

        # filter by  global tcp pkt

        iptables -A INPUT -p tcp -j global_tcp

        # accept only ssh(22/tcp) pkt

        iptables -A INPUT -p tcp -i eth1 –dport 22 -j ACCEPT

        iptables -A INPUT -p tcp -i eth0 –dport 22 -j ACCEPT

        # otherwise, refuse pkt

        iptables -A INPUT -j refuse

        #

        # accept all out pkt

        #

        iptables -A OUTPUT -o br0 -j ACCEPT

        iptables -A OUTPUT -o lo -j ACCEPT

        ######################################################################

        # for NAT(masquerade)

        ######################################################################

        #

        # masquerade

        #

        iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE

        # print “firewall startup” msg

        [ $? -eq 0 ] && success “firewall startup” || \\

        # print “firewall startup” msg

        [ $? -eq 0 ] && success “firewall startup” || \\

          failure “firewall startup”

        echo

        # lock

        touch /var/lock/subsys/firewall

}

stop() {

        # check /var/lock/subsys/firewall file

        if [ ! -f /var/lock/subsys/firewall ] ; then

                return

        fi

        # print “stop firewall” msg

        echo -n $”Stopping Firewall: ”

        #

        # flush & delete iptables rules

        #

        chains=`cat /proc/net/ip_tables_names 2>/dev/null`

        for i in $chains

        do

                iptables -t $i -F

                iptables -t $i -X

        done

        iptables -P INPUT ACCEPT && \\

        iptables -P OUTPUT ACCEPT && \\

        iptables -P FORWARD ACCEPT && \\

        iptables -t nat -P PREROUTING ACCEPT && \\

        iptables -t nat -P POSTROUTING ACCEPT && \\

        iptables -t nat -P OUTPUT ACCEPT && \\

        iptables -t mangle -P PREROUTING ACCEPT && \\

        iptables -t mangle -P OUTPUT ACCEPT

        #

        # start firewall & NAT

        #

        echo 0 > /proc/sys/net/ipv4/ip_forward

#        rmmod ip_conntrack_ftp

#        rmmod ip_conntrack_irc

        rmmod ipt_string

        rmmod ipt_state

        rmmod ipt_REJECT

        rmmod ipt_REDIRECT

        rmmod ipt_MASQUERADE

        rmmod ip_nat_snmp_basic

        rmmod ip_nat_ftp

        rmmod ip_nat_irc

        # print “firewall stop” msg

        [ $? -eq 0 ] && success “firewall stop” || failure “firewall stop”

        echo

        # unlock

        rm -f /var/lock/subsys/firewall

}

# See how we were called.

case “$1” in

  start)

        start

        ;;

  stop)

        stop

        ;;

  status)

        /sbin/iptables -L INPUT

        /sbin/iptables -L OUTPUT

        /sbin/iptables -L FORWARD

        ;;

  restart)

        stop

        sleep 1

        start

        ;;

  *)

        echo  $”Usage: $0 {start|stop|status|restart}”

        exit 1

esac

exit $RETVAL

———————————————————————————

# ln -sf /etc/rc.d/init.d/brctl /etc/rc3.d/S70brctl

그런 후 리부팅 후에도 자동으로 Brige Server 로 작동하는지를 확인한다.

# ifconfig

# iptables -L ( /etc/rc.d/init.d/brctl status )

서진우

슈퍼컴퓨팅 전문 기업 클루닉스/ 상무(기술이사)/ 정보시스템감리사/ 시스존 블로그 운영자

You may also like...

페이스북/트위트/구글 계정으로 댓글 가능합니다.