

bridge and iptable 설정

일단 브릿지는 아래처럼 구성했고 내부 네트워크에서만 접속되도록 서버 IP를 10.50.0.1 로 지정해두었습니다.

cat /etc/init.d/bridge 
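#! /bin/bash
#
# bridge       Bring up/down bridge
#
# chkconfig: 2345 9 91
# description: Activates/Deactivates all bridge interfaces configured to \
#              start at boot time.
# probe: true
### BEGIN INIT INFO
# Provides: $bridge
### END INIT INFO
#
# Joins eth0 and eth1 into one bridge, "br", and puts the host's only
# address (10.50.0.1) on the bridge itself, so the box is reachable just
# from the internal network.  The member ports carry no address.
#
# NOTE(review): the matching iptables ruleset filters bridged traffic via
# the FORWARD chain; that only happens when bridge netfilter is enabled
# (net.bridge.bridge-nf-call-iptables=1) — confirm on the running kernel.

readonly BRIDGE=br               # bridge device name
readonly PORTS=(eth0 eth1)       # physical ports enslaved to the bridge
readonly BRIDGE_ADDR=10.50.0.1   # management address, internal side only

#######################################
# Create the bridge, enslave the ports and assign the management address.
# Every step is attempted even if an earlier one failed (e.g. the bridge
# already exists), but any failure makes the function return non-zero.
# Globals:  BRIDGE, PORTS, BRIDGE_ADDR (read)
# Returns:  0 if every step succeeded, 1 otherwise
#######################################
bridge_start() {
  local port rc=0
  brctl addbr "$BRIDGE" || rc=1
  for port in "${PORTS[@]}"; do
    brctl addif "$BRIDGE" "$port" || rc=1
    # 0.0.0.0: the port is link-layer only; the address lives on the bridge.
    /sbin/ifconfig "$port" 0.0.0.0 up || rc=1
  done
  /sbin/ifconfig "$BRIDGE" "$BRIDGE_ADDR" up || rc=1
  return "$rc"
}

#######################################
# Remove the ports (last added first) and delete the bridge.
# Globals:  BRIDGE, PORTS (read)
# Returns:  0 if every step succeeded, 1 otherwise
#######################################
bridge_stop() {
  local i rc=0
  # brctl will not delete a bridge that is still up, so take it down first.
  /sbin/ifconfig "$BRIDGE" down || rc=1
  for (( i = ${#PORTS[@]} - 1; i >= 0; i-- )); do
    brctl delif "$BRIDGE" "${PORTS[i]}" || rc=1
  done
  brctl delbr "$BRIDGE" || rc=1
  return "$rc"
}

# See how we were called.
rc=0
case "$1" in
  start)
    bridge_start || rc=$?
    ;;
  stop)
    bridge_stop || rc=$?
    ;;
  status)
    # Lists the MAC addresses learned per port; should fail if "br" is absent.
    brctl showmacs "$BRIDGE" || rc=$?
    ;;
  restart|reload)
    # Call the functions directly instead of "cd $CWD; $0 stop; $0 start":
    # CWD was never set, so that cd landed in $HOME and a relative $0 broke.
    bridge_stop || rc=$?
    bridge_start || rc=$?
    ;;
  *)
    echo $"Usage: $0 {start|stop|restart|reload|status}" >&2
    exit 1
    ;;
esac

exit "$rc"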

iptables 은 아래처럼 설정해두었습니다.

cat /etc/sysconfig/iptables
# Generated by iptables-save v1.2.9 on Thu Dec  9 10:08:33 2004
#
# Filter table for the bridging host.  INPUT and FORWARD both hand every
# packet to RH-Firewall-1-INPUT.  That chain has no terminal rule, so any
# packet it does not explicitly ACCEPT/DROP/REJECT falls back to the ACCEPT
# policy of INPUT/FORWARD declared below.
#
# NOTE(review): rules are matched top to bottom, first match wins.  The
# broad ACCEPTs in the "Public" section therefore decide before the DROP
# section is ever reached; do not reorder without rechecking the intent.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [242:27601]
:OUTPUT ACCEPT [4445:1628609]
:RH-Firewall-1-INPUT - [0:0]

################################################################################
# Chain create
################################################################################
# Locally delivered and bridged/forwarded traffic share one rule set.
# NOTE(review): bridged frames only traverse FORWARD when bridge netfilter
# is enabled (net.bridge.bridge-nf-call-iptables) — confirm on this kernel.
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT


################################################################################
# Public
################################################################################
# Drop malformed / untracked packets (currently disabled)
#-A RH-Firewall-1-INPUT -m state --state INVALID -j DROP

# Allow all packets from localhost
-A RH-Firewall-1-INPUT -i lo -j ACCEPT

# Allow all packets sourced from the subnet, in both directions
# NOTE(review): this matches on source address only; nothing ties the
# subnet to a physical port, so a packet arriving from outside that carries
# a 211.212.213.x source is accepted as well.  On a bridge both ports are
# "br", so -i cannot tell them apart; a physdev match would be needed.
-A RH-Firewall-1-INPUT -s 211.212.213.0/255.255.255.0 -j ACCEPT

# Allow ping (echo request) from the subnets, in both directions
-A RH-Firewall-1-INPUT -s 211.212.213.0/255.255.255.0 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.50.0.0/24 -p icmp -m icmp --icmp-type 8 -j ACCEPT

# Allow all outgoing TCP from inside
# NOTE(review): the first rule accepts any TCP packet with source port 20,
# with no state or direction check, and it is evaluated before the DROP
# section.  The FTP section below shows the stateful form
# (--state RELATED,ESTABLISHED) that covers ftp-data without this rule.
-A RH-Firewall-1-INPUT -p tcp -m tcp --sport 20 -j ACCEPT
# Replies belonging to connections already in the state table.
-A RH-Firewall-1-INPUT -p tcp -m state --state ESTABLISHED -m tcp --sport 1:65535 --dport 1:65535 -j ACCEPT

# Allow all outgoing UDP from the internal subnet
# NOTE(review): as written this matches every UDP packet (--sport 1:65535
# is every port; there is no -s or state match), so inbound UDP from any
# source is accepted too, not only the subnet the comment describes.
-A RH-Firewall-1-INPUT -p udp -m udp --sport 1:65535 -j ACCEPT


################################################################################
# Firewall level
################################################################################
# Services on the bridge host itself (10.50.0.1, internal side only).
# SSH
-A RH-Firewall-1-INPUT -d 10.50.0.1 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 22 -j ACCEPT

# ntop
-A RH-Firewall-1-INPUT -d 10.50.0.1 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 3000 -j ACCEPT


################################################################################
# Desktop level
################################################################################
# Inbound to desktops on the subnet.  No state match: any TCP to these
# ports is accepted, not just new connections.
# MSN
-A RH-Firewall-1-INPUT -p tcp -d 211.212.213.0/255.255.255.0 --dport 1863:1864 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -d 211.212.213.0/255.255.255.0 --dport 6901 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -d 211.212.213.0/255.255.255.0 --dport 7801:7825 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -d 211.212.213.0/255.255.255.0 --dport 6891:6900 -j ACCEPT

# edonkey
-A RH-Firewall-1-INPUT -p tcp -d 211.212.213.0/255.255.255.0 --dport 4662 -j ACCEPT


################################################################################
# Server level
################################################################################

# SMTP/WWW/POP3
# NOTE(review): no -d here, so these ports are accepted towards any
# destination behind the bridge, not only 211.212.213.214.
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 110 -j ACCEPT

# DNS
-A RH-Firewall-1-INPUT -d 211.212.213.214 -p udp -m udp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -d 211.212.213.214 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 53 -j ACCEPT

# SSH
-A RH-Firewall-1-INPUT -d 211.212.213.214 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 22 -j ACCEPT

# Samba (NetBIOS session) — reachable from any source address.
-A RH-Firewall-1-INPUT -d 211.212.213.214 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 139 -j ACCEPT

# Windows network drive (disabled)
#-A RH-Firewall-1-INPUT -d 211.212.213.214 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 139 -j ACCEPT
#-A RH-Firewall-1-INPUT -d 211.212.213.214 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 445 -j ACCEPT
#-A RH-Firewall-1-INPUT -d 211.212.213.214 -p udp -m state --state NEW,ESTABLISHED -m udp --dport 137 -j ACCEPT
#-A RH-Firewall-1-INPUT -d 211.212.213.214 -p udp -m state --state NEW,ESTABLISHED -m udp --dport 138 -j ACCEPT

# FTP: control on 21 (new connections), data on 20 only when RELATED to a
# tracked control connection.
-A RH-Firewall-1-INPUT -d 211.212.213.214 -p tcp -m state --state RELATED,ESTABLISHED -m tcp --dport 20 -j ACCEPT
-A RH-Firewall-1-INPUT -d 211.212.213.214 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 21 -j ACCEPT

# ms-sql (disabled)
# NOTE(review): the second line combines -p tcp with -m udp; if re-enabled
# as is it would likely be rejected by iptables-restore — it should be -p udp.
#-A RH-Firewall-1-INPUT -d 211.212.213.214 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 1433 -j ACCEPT
#-A RH-Firewall-1-INPUT -d 211.212.213.214 -p tcp -m state --state NEW,ESTABLISHED -m udp --dport 1433 -j ACCEPT

# oracle (disabled)
#-A RH-Firewall-1-INPUT -d 211.212.213.214 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 1522 -j ACCEPT

# Terminal service (RDP) — reachable from any source address.
-A RH-Firewall-1-INPUT -d 211.212.213.214 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 3389 -j ACCEPT


################################################################################
# DROP
################################################################################

# Block new TCP connections from outside to inside.  TCP from inside to
# outside is not blocked (replies are covered by the ESTABLISHED rule above).
# NOTE(review): only SYN packets towards the subnet are dropped here;
# anything else still unmatched falls through to the ACCEPT policies.
-A RH-Firewall-1-INPUT -p tcp --syn -d 211.212.213.0/255.255.255.0 -j DROP

# Block ping from any source not allowed above
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type 8 -j REJECT --reject-with icmp-port-unreachable

COMMIT
# Completed on Thu Dec  9 10:08:33 2004