This section describes the step-by-step configuration of the authentication gateway. The example uses non-routable (private) IP addresses in the 10.0.1.0 subnet: eth0 is the NIC connected to the internal network, and eth1 is the device connected to the public network. The IP address used on eth1 is 10.0.1.1, but adjust it to suit your own environment. Red Hat 7.1 was used for the gateway box, so most of the examples are Red Hat-centric.
To install netfilter, the kernel must be recompiled with netfilter support. See the Kernel-HOWTO for how to configure and recompile a kernel.
The following is the relevant part of the author's kernel configuration (note that CONFIG_NETFILTER_DEBUG is enabled here; it is useful while testing but not required):

    #
    # Networking options
    #
    CONFIG_PACKET=y
    # CONFIG_PACKET_MMAP is not set
    # CONFIG_NETLINK is not set
    CONFIG_NETFILTER=y
    CONFIG_NETFILTER_DEBUG=y
    CONFIG_FILTER=y
    CONFIG_UNIX=y
    CONFIG_INET=y
    CONFIG_IP_MULTICAST=y
    # CONFIG_IP_ADVANCED_ROUTER is not set
    # CONFIG_IP_PNP is not set
    # CONFIG_NET_IPIP is not set
    # CONFIG_NET_IPGRE is not set
    # CONFIG_IP_MROUTE is not set
    # CONFIG_INET_ECN is not set
    # CONFIG_SYN_COOKIES is not set

    #
    # IP: Netfilter Configuration
    #
    CONFIG_IP_NF_CONNTRACK=y
    CONFIG_IP_NF_FTP=y
    CONFIG_IP_NF_IPTABLES=y
    CONFIG_IP_NF_MATCH_LIMIT=y
    CONFIG_IP_NF_MATCH_MAC=y
    CONFIG_IP_NF_MATCH_MARK=y
    CONFIG_IP_NF_MATCH_MULTIPORT=y
    CONFIG_IP_NF_MATCH_TOS=y
    CONFIG_IP_NF_MATCH_TCPMSS=y
    CONFIG_IP_NF_MATCH_STATE=y
    CONFIG_IP_NF_MATCH_UNCLEAN=y
    CONFIG_IP_NF_MATCH_OWNER=y
    CONFIG_IP_NF_FILTER=y
    CONFIG_IP_NF_TARGET_REJECT=y
    CONFIG_IP_NF_TARGET_MIRROR=y
    CONFIG_IP_NF_NAT=y
    CONFIG_IP_NF_NAT_NEEDED=y
    CONFIG_IP_NF_TARGET_MASQUERADE=y
    CONFIG_IP_NF_TARGET_REDIRECT=y
    CONFIG_IP_NF_NAT_FTP=y
    CONFIG_IP_NF_MANGLE=y
    CONFIG_IP_NF_TARGET_TOS=y
    CONFIG_IP_NF_TARGET_MARK=y
    CONFIG_IP_NF_TARGET_LOG=y
    CONFIG_IP_NF_TARGET_TCPMSS=y
iptables must also be installed; either the distribution's package or a build from source is fine. After compiling the new kernel with the options above and installing iptables, the author set the following as the base firewall rules. Note that the state list must be written without a space (`NEW,INVALID`); iptables rejects `NEW, INVALID`. Also note that the two `-I` rules are inserted at the top of the FORWARD chain, so the ACCEPT inserted last is evaluated first:

    # NAT everything that leaves through eth0, the internal-network side
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    # no new or invalid connections from the eth0 side, neither to the gateway
    # itself nor through it
    iptables -A INPUT -i eth0 -m state --state NEW,INVALID -j DROP
    iptables -A FORWARD -i eth0 -m state --state NEW,INVALID -j DROP
    # default: nothing is forwarded out eth0 (pam_iptables later inserts
    # per-client ACCEPT rules ahead of this one)
    iptables -I FORWARD -o eth0 -j DROP
    # inserted last, so checked first: public subnet to the gateway address
    iptables -I FORWARD -s 10.0.1.0/24 -d 10.0.1.1 -j ACCEPT
To have these rules applied when the server boots, the commands above can simply be placed in an init script. To verify that the rules were added, run:

    iptables -v -t nat -L
    iptables -v -t filter -L

To save the rules, the author used Red Hat's iptables init script (`save` writes the current rule set to /etc/sysconfig/iptables, which `restart` reloads):

    /etc/init.d/iptables save
    /etc/init.d/iptables restart

Once the rules are in place, enable IP forwarding with the following command. Do this only after the rules are loaded; with forwarding enabled and no FORWARD rules, the box forwards everything:

    echo 1 > /proc/sys/net/ipv4/ip_forward

To have IP forwarding enabled again when the machine reboots, add the following line to /etc/sysctl.conf:

    net.ipv4.ip_forward = 1
At this point the gateway box can NAT, but it will DROP every forwarded packet except those coming from the public network and destined for the gateway itself.
pam_iptables is a PAM session module that adds firewall rules; it is what opens forwarding for authenticated clients. To set it up, obtain the source and compile it with:

    gcc -fPIC -c pam_iptables.c
    ld -x --shared -o pam_iptables.so pam_iptables.o

You should now have two binary files, pam_iptables.so and pam_iptables.o. Copy pam_iptables.so to /lib/security/pam_iptables.so:

    cp pam_iptables.so /lib/security/pam_iptables.so
ssh was chosen as the authentication client for the gateway, so the author added the following line to /etc/pam.d/sshd:

    session required /lib/security/pam_iptables.so

Now, whenever a user logs in with ssh, a firewall rule is added for that session.
The default interface for pam_iptables is eth0, but the default can be changed by adding the interface parameter:

    session required /lib/security/pam_iptables.so interface=eth1

This is only needed when the interface facing the outside network (the one the MASQUERADE rule above sends traffic out of, eth0 in this setup) has a different name.
To check that the pam_iptables module is working, perform the following steps:

1. Log in to the gateway box with ssh.
2. Run `iptables -L` and verify that a rule for your client was added.
3. Log out of the gateway box and verify that the rule is removed again.
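As an added example (not code from this HOWTO or from pam_iptables itself), the following shell script does what the pam_iptables session hook is described as doing above: on session open it inserts a FORWARD ACCEPT rule for the client's source address out the upstream interface, ahead of the base `FORWARD -o eth0 DROP` rule, and on session close it deletes that same rule. The exact rule pam_iptables inserts is an assumption here, as is the use of `PAM_TYPE` and `PAM_RHOST` (the variables a pam_exec-style hook exports, which postdates Red Hat 7.1); the 10.0.1.0/24 client subnet and the eth0 default come from the configuration above. Run it with `IPTABLES=dryrun` to print the commands instead of executing them.

```sh
#!/bin/sh
# Added example: emulate a pam_iptables-style session hook in shell.
# Assumptions (not from the HOWTO): the rule shape "-I/-D FORWARD -s <ip>
# -o <upstream> -j ACCEPT", and PAM_TYPE/PAM_RHOST as pam_exec exports them.

IPTABLES="${IPTABLES:-/sbin/iptables}"
CLIENT_NET_PREFIX="${CLIENT_NET_PREFIX:-10.0.1.}"   # public (client) subnet 10.0.1.0/24
UPSTREAM_IF="${UPSTREAM_IF:-eth0}"                 # same default as pam_iptables' interface=

# dryrun: stand-in for iptables that just prints the arguments it was given.
dryrun() {
    printf '%s\n' "$*"
}

# is_client_ip: accept only a dotted quad with a host part 1..254 inside the
# client subnet. sshd fills PAM_RHOST from the peer address; a hostname, the
# network/broadcast address or an address on the upstream side must never
# turn into an ACCEPT rule.
is_client_ip() {
    case "$1" in
        "$CLIENT_NET_PREFIX"[0-9]|"$CLIENT_NET_PREFIX"[0-9][0-9]|"$CLIENT_NET_PREFIX"[0-9][0-9][0-9]) ;;
        *) return 1 ;;
    esac
    last=${1##*.}
    [ "$last" -ge 1 ] && [ "$last" -le 254 ]
}

# session_rule open|close <client-ip>: insert (or delete) the rule that lets
# this client's packets be forwarded out the upstream interface. -I puts the
# ACCEPT ahead of the base "FORWARD -o eth0 DROP" rule; -D on close removes
# exactly the rule that was inserted, so access ends with the session.
session_rule() {
    action=$1
    ip=$2
    is_client_ip "$ip" || { echo "session_rule: refusing rule for '$ip'" >&2; return 1; }
    case "$action" in
        open)  op=-I ;;
        close) op=-D ;;
        *) echo "session_rule: unknown action '$action'" >&2; return 2 ;;
    esac
    "$IPTABLES" "$op" FORWARD -s "$ip" -o "$UPSTREAM_IF" -j ACCEPT
}

# PAM entry point: only runs when invoked from a PAM session hook that
# exports PAM_TYPE, so the functions can be sourced and tested on their own.
if [ -n "$PAM_TYPE" ]; then
    case "$PAM_TYPE" in
        open_session)  session_rule open  "$PAM_RHOST" ;;
        close_session) session_rule close "$PAM_RHOST" ;;
    esac
fi
```

The subnet check is the part worth keeping even if the rest is replaced by the real module: the only addresses that should ever be granted forwarding are those on the client side of the gateway, so anything else that arrives in PAM_RHOST is refused rather than written into the FORWARD chain.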
The author configured DHCP with the following dhcpd.conf. The range starts at 10.0.1.3, leaving the gateway's own address 10.0.1.1 outside the pool, and the gateway is handed out as both the default router and the name server:

    subnet 10.0.1.0 netmask 255.255.255.0 {
        # --- default gateway
        option routers 10.0.1.1;
        option subnet-mask 255.255.255.0;
        option broadcast-address 10.0.1.255;
        option domain-name-servers 10.0.1.1;
        range 10.0.1.3 10.0.1.254;
        option time-offset -5;  # Eastern Standard Time
        default-lease-time 21600;
        max-lease-time 43200;
    }

The server was run bound to eth1, the interface connected to the public network, so that it does not answer DHCP requests on the internal side:

    /usr/sbin/dhcpd eth1
As explained in the previous section, the author configured the gateway to use LDAP for authentication, but any authentication method that PAM supports can be used instead. See section 2.4 for more information.
To implement authentication with PAM LDAP, the author installed OpenLDAP and configured /etc/ldap.conf as follows. Note that `ssl no` means the bind credentials travel in the clear between the gateway and the LDAP server; pam_ldap also accepts `ssl start_tls` (or `ssl on` for ldaps), which should be preferred wherever the LDAP server supports it:

    # Your LDAP server. Must be resolvable without using LDAP.
    host itc.musc.edu
    # The distinguished name of the search base.
    base dc=musc,dc=edu
    ssl no
The following files were used to configure PAM for LDAP authentication; they were generated by Red Hat's configuration utility (authconfig). The first is the system-auth stack that the sshd file refers to through service=system-auth; the second is /etc/pam.d/sshd with the pam_iptables session line added (here with the debug option):

    #%PAM-1.0
    # This file is auto-generated.
    # User changes will be destroyed the next time authconfig is run.
    auth        required      /lib/security/pam_env.so
    auth        sufficient    /lib/security/pam_unix.so likeauth nullok
    auth        sufficient    /lib/security/pam_ldap.so use_first_pass
    auth        required      /lib/security/pam_deny.so
    account     required      /lib/security/pam_unix.so
    account     [default=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/pam_ldap.so
    password    required      /lib/security/pam_cracklib.so retry=3
    password    sufficient    /lib/security/pam_unix.so nullok use_authtok
    password    sufficient    /lib/security/pam_ldap.so use_authtok
    password    required      /lib/security/pam_deny.so
    session     required      /lib/security/pam_limits.so
    session     required      /lib/security/pam_unix.so
    session     optional      /lib/security/pam_ldap.so

    #%PAM-1.0
    auth       required     /lib/security/pam_stack.so service=system-auth
    auth       required     /lib/security/pam_nologin.so
    account    required     /lib/security/pam_stack.so service=system-auth
    password   required     /lib/security/pam_stack.so service=system-auth
    session    required     /lib/security/pam_stack.so service=system-auth
    #this line is added for firewall rule insertion upon login
    session    required     /lib/security/pam_iptables.so debug
    session    optional     /lib/security/pam_console.so
The BIND shipped with Red Hat 7.1 was installed together with the caching-nameserver RPM. The DHCP server (through the domain-name-servers option above) tells the machines on the public network to use the gateway box as their name server.