일단 브릿지는 아래처럼 구성했고 내부 네트워크에서만 접속되도록 서버 IP를 10.50.0.1 로 지정해두었습니다.
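cat /etc/init.d/bridge
#! /bin/bash
#
# bridge        Bring up/down bridge
#
# chkconfig: 2345 9 91
# description: Activates/Deactivates all bridge interfaces configured to \
#              start at boot time.
# probe: true
### BEGIN INIT INFO
# Provides: $bridge
### END INIT INFO

# Bridge device, its member ports and the management address of the bridge.
readonly BRIDGE=br
readonly -a MEMBERS=(eth0 eth1)
readonly BRIDGE_ADDR=10.50.0.1
# Given explicitly: without a netmask ifconfig falls back to the classful
# 255.0.0.0 for a 10.x address, while the firewall rules address this network
# as 10.50.0.0/24.
readonly BRIDGE_MASK=255.255.255.0

#######################################
# Create the bridge, enslave the member ports and assign the management
# address. Stops at the first failing step (e.g. the bridge already exists).
# Globals:   BRIDGE, MEMBERS, BRIDGE_ADDR, BRIDGE_MASK (read)
# Returns:   0 on success, non-zero if brctl or ifconfig failed
#######################################
start() {
  local port
  brctl addbr "$BRIDGE" || return 1
  for port in "${MEMBERS[@]}"; do
    brctl addif "$BRIDGE" "$port" || return 1
    # Member ports carry no address of their own; they only forward frames.
    /sbin/ifconfig "$port" 0.0.0.0 up || return 1
  done
  /sbin/ifconfig "$BRIDGE" "$BRIDGE_ADDR" netmask "$BRIDGE_MASK" up
}

#######################################
# Detach the member ports and delete the bridge.
# brctl refuses to delete a bridge that is still up, so the interface is taken
# down first; the remaining steps are best-effort so a partially configured
# bridge can still be cleaned up.
# Globals:   BRIDGE, MEMBERS (read)
# Returns:   status of the final brctl delbr
#######################################
stop() {
  local port
  /sbin/ifconfig "$BRIDGE" down
  for port in "${MEMBERS[@]}"; do
    brctl delif "$BRIDGE" "$port"
  done
  brctl delbr "$BRIDGE"
}

#######################################
# Print the MAC addresses currently known to the bridge.
# Globals:   BRIDGE (read)
# Outputs:   brctl showmacs listing on stdout
#######################################
status() {
  brctl showmacs "$BRIDGE"
}

# See how we were called.
case "$1" in
  start)
    start
    ;;
  stop)
    stop
    ;;
  status)
    status
    ;;
  restart|reload)
    # Run in-process rather than re-executing $0 after a cd to the
    # undefined $CWD, which the old version did.
    stop
    start
    ;;
  *)
    echo $"Usage: $0 {start|stop|restart|reload|status}" >&2
    exit 1
    ;;
esac
# Propagate the status of the action so the rc system sees failures.
exit $?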
iptables 은 아래처럼 설정해두었습니다.
cat /etc/sysconfig/iptables
# Generated by iptables-save v1.2.9 on Thu Dec 9 10:08:33 2004
# Built-in policies are ACCEPT on all three chains: a packet that matches no
# rule in RH-Firewall-1-INPUT is accepted.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [242:27601]
:OUTPUT ACCEPT [4445:1628609]
:RH-Firewall-1-INPUT - [0:0]
################################################################################
# Chain create
################################################################################
# Locally delivered (INPUT) and bridged/forwarded (FORWARD) traffic is
# evaluated by the same RH-Firewall-1-INPUT chain.
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
################################################################################
# Public
################################################################################
# Drop invalid packets
# NOTE(review): disabled; packets conntrack cannot classify fall through to
# the rules below instead of being dropped here.
#-A RH-Firewall-1-INPUT -m state --state INVALID -j DROP
# Allow all packets from localhost
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
# Allow all packets from the subnet, inbound and outbound
# NOTE(review): matches on source address only, with no -i. A packet arriving
# on the outside port with a spoofed 211.212.213.x source matches too; adding
# the LAN-facing port (`-i eth0` or `-i eth1`, whichever faces inside) would
# confine this to locally originated traffic.
-A RH-Firewall-1-INPUT -s 211.212.213.0/255.255.255.0 -j ACCEPT
# Allow ping from the subnet, inbound and outbound
# (the 211.212.213.0/24 line is already covered by the ACCEPT just above)
-A RH-Firewall-1-INPUT -s 211.212.213.0/255.255.255.0 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.50.0.0/24 -p icmp -m icmp --icmp-type 8 -j ACCEPT
# Allow all TCP going from inside to outside
# NOTE(review): the --sport 20 rule accepts any TCP segment whose source port
# is 20, whatever its destination port, from either side of the bridge. If it
# exists for active-mode FTP data connections, `-m state --state
# RELATED,ESTABLISHED` together with the ip_conntrack_ftp helper is the usual
# replacement and does not depend on the peer's source port.
-A RH-Firewall-1-INPUT -p tcp -m tcp --sport 20 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state ESTABLISHED -m tcp --sport 1:65535 --dport 1:65535 -j ACCEPT
# Allow all UDP going from the internal subnet to outside
# NOTE(review): --sport 1:65535 matches every UDP packet, so this accepts all
# UDP from either side; the DNS rules below and the DROP section never see
# UDP. `-m state --state ESTABLISHED` would limit it to replies to outbound
# queries.
-A RH-Firewall-1-INPUT -p udp -m udp --sport 1:65535 -j ACCEPT
################################################################################
# Firewall level
################################################################################
# Services on the bridge's own management address.
# SSH
-A RH-Firewall-1-INPUT -d 10.50.0.1 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 22 -j ACCEPT
# ntop
-A RH-Firewall-1-INPUT -d 10.50.0.1 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 3000 -j ACCEPT
################################################################################
# Desktop level
################################################################################
# MSN
-A RH-Firewall-1-INPUT -p tcp -d 211.212.213.0/255.255.255.0 --dport 1863:1864 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -d 211.212.213.0/255.255.255.0 --dport 6901 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -d 211.212.213.0/255.255.255.0 --dport 7801:7825 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -d 211.212.213.0/255.255.255.0 --dport 6891:6900 -j ACCEPT
# edonkey
-A RH-Firewall-1-INPUT -p tcp -d 211.212.213.0/255.255.255.0 --dport 4662 -j ACCEPT
################################################################################
# Server level
################################################################################
# SMTP/WWW/POP3
# NOTE(review): no -d on these three, so NEW connections to 25/80/110 are
# accepted for every destination the chain sees, including 10.50.0.1 and any
# bridged host, not only the server at 211.212.213.214.
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 110 -j ACCEPT
# DNS
-A RH-Firewall-1-INPUT -d 211.212.213.214 -p udp -m udp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -d 211.212.213.214 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 53 -j ACCEPT
# SSH
-A RH-Firewall-1-INPUT -d 211.212.213.214 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 22 -j ACCEPT
# Samba
-A RH-Firewall-1-INPUT -d 211.212.213.214 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 139 -j ACCEPT
# Windows network drive
#-A RH-Firewall-1-INPUT -d 211.212.213.214 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 139 -j ACCEPT
#-A RH-Firewall-1-INPUT -d 211.212.213.214 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 445 -j ACCEPT
#-A RH-Firewall-1-INPUT -d 211.212.213.214 -p udp -m state --state NEW,ESTABLISHED -m udp --dport 137 -j ACCEPT
#-A RH-Firewall-1-INPUT -d 211.212.213.214 -p udp -m state --state NEW,ESTABLISHED -m udp --dport 138 -j ACCEPT
# FTP
-A RH-Firewall-1-INPUT -d 211.212.213.214 -p tcp -m state --state RELATED,ESTABLISHED -m tcp --dport 20 -j ACCEPT
-A RH-Firewall-1-INPUT -d 211.212.213.214 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 21 -j ACCEPT
# ms-sql
# NOTE(review): the second disabled rule combines -p tcp with -m udp and
# would be rejected by iptables-restore if it were ever enabled.
#-A RH-Firewall-1-INPUT -d 211.212.213.214 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 1433 -j ACCEPT
#-A RH-Firewall-1-INPUT -d 211.212.213.214 -p tcp -m state --state NEW,ESTABLISHED -m udp --dport 1433 -j ACCEPT
# oracle
#-A RH-Firewall-1-INPUT -d 211.212.213.214 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 1522 -j ACCEPT
# Terminal service
# Open to every source address; there is no -s restriction on this rule.
-A RH-Firewall-1-INPUT -d 211.212.213.214 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 3389 -j ACCEPT
################################################################################
# DROP
################################################################################
# Block TCP from outside to inside. TCP from inside to outside is not blocked.
# NOTE(review): the SYN drop is limited to -d 211.212.213.0/24. A SYN to the
# bridge address 10.50.0.1 on a port other than 22/3000 matches nothing in
# this chain and is accepted by the INPUT policy; a second line
# `-A RH-Firewall-1-INPUT -p tcp --syn -d 10.50.0.1 -j DROP` (or a DROP
# policy on INPUT) would close that.
-A RH-Firewall-1-INPUT -p tcp --syn -d 211.212.213.0/255.255.255.0 -j DROP
# Block ping
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type 8 -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Thu Dec 9 10:08:33 2004