[Building a Bridge Firewall]
[root@jo:/usr/src/kernels/2.6.18-128.el5-i686]#make menuconfig
Go through the menus in order and check that "Bridged IP/ARP packets filtering" is enabled.
--
[root@jo:/]#iptables -A OUTPUT -p tcp --sport 1024: -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
→ Allow outbound port 80 so the bridge utilities can be installed with yum.
[root@jo:/]#yum install bridge-utils* -y
→ Install bridge-utils* with yum in order to build the bridge.
[root@jo:/]#br
brctl  break
→ After the install, typing br and pressing Tab lists the matching commands correctly.
--
[root@jo:/]#brctl
Usage: brctl [commands]
commands:
        addbr           <bridge>                add bridge
        delbr           <bridge>                delete bridge
        addif           <bridge> <device>       add interface to bridge
        delif           <bridge> <device>       delete interface from bridge
        setageing       <bridge> <time>         set ageing time
        setbridgeprio   <bridge> <prio>         set bridge priority
        setfd           <bridge> <time>         set bridge forward delay
        sethello        <bridge> <time>         set hello time
        setmaxage       <bridge> <time>         set max message age
        setpathcost     <bridge> <port> <cost>  set path cost
        setportprio     <bridge> <port> <prio>  set port priority
        show                                    show a list of bridges
        showmacs        <bridge>                show a list of mac addrs
        showstp         <bridge>                show bridge stp info
        stp             <bridge> {on|off}       turn stp on/off
→ Looked over the options and commands that brctl provides.
--
[root@jo:/]#brctl addbr br0
[root@jo:/]#brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.000000000000       no
--
[root@jo:/]#brctl stp br0 on
→ Apply STP when the topology contains a loop. That is not the case here, so it is not applied.
--
Adding devices to the bridge interface
--
[root@jo:~]#netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
127.0.0.1       0.0.0.0         255.255.255.255 UH        0 0          0 lo
192.168.10.0    0.0.0.0         255.255.255.0   U         0 0          0 br0
0.0.0.0         192.168.10.1    0.0.0.0         UG        0 0          0 br0
--
→ This deletes the bridge.
--
[root@jo:~]#vi bridgefw.sh
#!/bin/sh
######## make Bridge #########
brctl addbr br0

## Add interfaces For br0 ###
brctl addif br0 eth0
brctl addif br0 eth1

## Interface Promiscuous Mode ##
# bridged ports carry no IP of their own; bring them up in promiscuous mode
ifconfig eth0 down
ifconfig eth1 down
ifconfig eth0 0.0.0.0 promisc up
ifconfig eth1 0.0.0.0 promisc up

## Management br0 IP ####
# 1. lo interface up
ifconfig lo 127.0.0.1 up
# 2. add route lo
route add -host 127.0.0.1 dev lo
# 3. br0 interface up (management address of the firewall itself)
ifconfig br0 192.168.10.181 promisc up
# 4. add default route
route add default gw 192.168.10.1
## The End ###
:wq
--
[root@jo:~]#vi delbridge.sh
#!/bin/sh
## Delete Bridge Setting ##
brctl delif br0 eth0
brctl delif br0 eth1
ifconfig br0 down
brctl delbr br0
service network restart
:wq
--
[root@jo:~]#ll *.sh
-rw-r--r-- 1 root root 515 Oct 29 16:57 bridgefw.sh
-rw-r--r-- 1 root root 139 Oct 29 17:00 delbridge.sh
[root@jo:~]#chmod 744 *.sh
[root@jo:~]#ll *.sh
-rwxr--r-- 1 root root 515 Oct 29 16:57 bridgefw.sh
-rwxr--r-- 1 root root 139 Oct 29 17:00 delbridge.sh
--
With this in place, the machine now works as a "Bridge Firewall".
--
Testing after changing the server configuration
[Mail server]
Changed the network IP from NAT (192.168.100.100) to a bridged IP (192.168.10.186). Changed in #vi /etc/sysconfig/network-scripts/ifcfg-eth0, then #service network restart.
[Firewall server: 192.168.10.181]
[root@jo:~]#iptables -P INPUT ACCEPT
[root@jo:~]#iptables -P OUTPUT ACCEPT
[root@jo:~]#iptables -P FORWARD ACCEPT
Now connect to the [mail server] with Xshell (192.168.10.186).
--
[root@woo:~]#iptables -F
→ Flushes the firewall rules that had been set.
--
Change the DNS information on the [mail server].
Internal forward zone
[root@woo:/var/named]#vi rain.zone
$TTL 1D
@       IN      SOA     ns.cho.iss. woo.cho.iss. (
                        1
                        21600
                        1800
                        1209600
                        86400 )
        IN      NS      ns.cho.iss.
        IN      MX 10   mail
ns      IN      A       192.168.10.186
mail    IN      A       192.168.10.186
mailx   IN      A       192.168.10.181
www     IN      A       192.168.10.186
ftp     IN      A       192.168.10.186
--
Internal reverse zone
[root@woo:/var/named]#vi rain.rev
$TTL 1D
@       IN      SOA     ns.cho.iss. jo.cho.iss. (
                        1
                        21600
                        1800
                        1209600
                        86400 )
        IN      NS      ns.cho.iss.
186     IN      PTR     ns.cho.iss.
181     IN      PTR     mailx.cho.iss.
186     IN      PTR     mail.cho.iss.
186     IN      PTR     www.cho.iss.
186     IN      PTR     ftp.cho.iss.

[root@woo:/var/named]#vi /etc/named.conf
acl "internal-zone" { 127.0.0.1; 192.168.10.0/24; };

zone "10.168.192.in-addr.arpa" IN {
        type master;
        file "rain.rev";
        allow-update { none; };
        allow-transfer { none; };
};
--
[root@woo:/var/named]#service named restart
Stopping named: .                                          [  OK  ]
Starting named:                                            [  OK  ]
--
Change the DNS address to the server itself.
[root@woo:/var/named]#vi /etc/resolv.conf
search cho.iss
#nameserver 168.126.63.1
#nameserver 192.168.100.1
nameserver 127.0.0.1
--
DNS test
[root@woo:/var/named]#nslookup
> server
Default server: 127.0.0.1
Address: 127.0.0.1#53
> mail.cho.iss
Server:         127.0.0.1
Address:        127.0.0.1#53

Name:   mail.cho.iss
Address: 192.168.10.186
> www.cho.iss
Server:         127.0.0.1
Address:        127.0.0.1#53

Name:   www.cho.iss
Address: 192.168.10.186
> www.daum.net
Server:         127.0.0.1
Address:        127.0.0.1#53

Non-authoritative answer:
www.daum.net    canonical name = top.g.daum.net.
Name:   top.g.daum.net
Address: 211.115.77.213
Name:   top.g.daum.net
Address: 211.115.77.214
Name:   top.g.daum.net
Address: 211.32.117.30
Name:   top.g.daum.net
Address: 211.115.77.211
Name:   top.g.daum.net
Address: 211.115.77.212
>
--
[DNS test from XP]
Even with the bridge, the network can be divided into "internal" and "external" in the same way.
--
[Firewall server: 192.168.10.181 settings]
[root@jo:/]#vi /etc/resolv.conf
search cho.iss
#nameserver 168.126.63.1
#nameserver 192.168.100.100
#nameserver 192.168.10.181
nameserver 192.168.10.186
Changed the DNS address.
--
Basic firewall settings
[root@jo:/]#iptables -A INPUT -i lo -j ACCEPT
[root@jo:/]#iptables -A OUTPUT -o lo -j ACCEPT
[root@jo:/]#iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[root@jo:/]#iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[root@jo:/]#iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
These are the rules that go in first whenever a firewall is initially configured.
--
Creating the firewall rule script
[root@jo:/]#vi fwrule.sh
#!/bin/sh
## Firewall Rule Set ##

## 1. Exist Rule Flush ##
iptables -t mangle -F
iptables -t nat -F
iptables -t filter -F

## 2. Iptables Default Policy ##
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

## 3. Allow Loopback Traffic ##
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

## 4. Related or Established Traffic Allow ##
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

## 5. INVALID Traffic DROP ##
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP
--
## 6. TCP Flags Check ##
iptables -N check_flags
iptables -F check_flags
#flags Rule
iptables -A check_flags -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A check_flags -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A check_flags -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
iptables -A check_flags -p tcp --tcp-flags ACK,PSH PSH -j DROP
iptables -A check_flags -p tcp --tcp-flags ACK,URG URG -j DROP
iptables -A check_flags -p tcp --tcp-flags ALL NONE -j DROP
iptables -A check_flags -p tcp --tcp-flags ALL URG,PSH,FIN -j DROP
# INPUT & FORWARD APPLY
iptables -A INPUT -p tcp -j check_flags
iptables -A FORWARD -p tcp -j check_flags

## 7. BRIDGE F/W Rule ##
# any -> FW ssh connect
iptables -A INPUT -p tcp --sport 1024: --dport 22 -m state --state NEW -j ACCEPT
# any -> FW mail send
iptables -A INPUT -p tcp --sport 1024: --dport 25 -m state --state NEW -j ACCEPT
# FW -> any mail Send
iptables -A OUTPUT -p tcp --sport 1024: --dport 25 -m state --state NEW -j ACCEPT
# FW -> mail server DNS Query
iptables -A OUTPUT -p udp --sport 1024: -d 192.168.10.186 --dport 53 -m state --state NEW -j ACCEPT
# FW -> any Web Connect
iptables -A OUTPUT -p tcp --sport 1024: -m multiport --dports 80,443 -m state --state NEW -j ACCEPT

## 8. Forwarding RULE ##
# DNS Query any -> mail (Authoritative)
iptables -A FORWARD -p udp --sport 1024: -d 192.168.10.186 --dport 53 -m state --state NEW -j ACCEPT
# DNS Query mail -> any (Resolving)
iptables -A FORWARD -p udp -s 192.168.10.186 --sport 1024: --dport 53 -m state --state NEW -j ACCEPT
# any -> Mail ssh connect
iptables -A FORWARD -p tcp --sport 1024: -d 192.168.10.186 --dport 22 -m state --state NEW -j ACCEPT
# any -> Mail Server HTTP(Web) Connect
iptables -A FORWARD -p tcp --sport 1024: -d 192.168.10.186 -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
# internal Client -> any Web Connect
iptables -A FORWARD -p tcp -s 192.168.10.0/24 --sport 1024: -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
# any -> Mail Server FTP Connect (control port and passive data port range)
iptables -A FORWARD -p tcp --sport 1024: -d 192.168.10.186 --dport 21 -m state --state NEW -j ACCEPT
iptables -A FORWARD -p tcp --sport 1024: -d 192.168.10.186 --dport 49000:50000 -m state --state NEW -j ACCEPT
# External Client Outlook -> Mail Connect (SMTP,POP3)
iptables -A FORWARD -p tcp --sport 1024: -d 192.168.10.186 -m multiport --dports 25,110 -m state --state NEW -j ACCEPT

## 9. ICMP echo-request & reply Allow (replies match RELATED,ESTABLISHED above) ##
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type echo-request -j ACCEPT
--
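A small model of the check_flags chain from section 6, added here as an example and not part of the original notes: it reproduces the semantics of `--tcp-flags MASK COMP` (the packet's flags are ANDed with MASK and the result must equal COMP) so the seven DROP rules can be exercised against constructed packets without a live firewall. The flag encoding is the standard TCP header bit layout; the packet samples are constructed for illustration.

```python
# Added example: models iptables' check_flags chain from fwrule.sh.
# Semantics of "-p tcp --tcp-flags MASK COMP": (flags & MASK) == COMP.
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
         "ACK": 0x10, "URG": 0x20}
ALL = sum(FLAGS.values())  # iptables' ALL = FIN,SYN,RST,PSH,ACK,URG


def flagset(spec):
    """Parse an iptables flag list ('SYN,FIN', 'ALL', 'NONE') into a bitmask."""
    if spec == "ALL":
        return ALL
    if spec == "NONE":
        return 0
    return sum(FLAGS[name] for name in spec.split(","))


def tcp_flags_match(packet_flags, mask, comp):
    """True when the packet would match --tcp-flags MASK COMP."""
    return (packet_flags & flagset(mask)) == flagset(comp)


# The seven rules of check_flags, in order; every one jumps to DROP.
CHECK_FLAGS = [
    ("SYN,FIN", "SYN,FIN"),   # SYN and FIN set together
    ("SYN,RST", "SYN,RST"),   # SYN and RST set together
    ("FIN,RST", "FIN,RST"),   # FIN and RST set together
    ("ACK,PSH", "PSH"),       # PSH without ACK
    ("ACK,URG", "URG"),       # URG without ACK
    ("ALL", "NONE"),          # no flags at all (null scan)
    ("ALL", "URG,PSH,FIN"),   # exactly URG+PSH+FIN (xmas scan)
]


def check_flags(packet_flags):
    """Walk the chain first-match; 'DROP', or 'RETURN' to INPUT/FORWARD."""
    for mask, comp in CHECK_FLAGS:
        if tcp_flags_match(packet_flags, mask, comp):
            return "DROP"
    return "RETURN"


def verdict(spec):
    """Flag names of a constructed packet -> chain verdict."""
    return check_flags(flagset(spec))


if __name__ == "__main__":
    for pkt in ("SYN", "SYN,ACK", "PSH,ACK", "PSH", "NONE", "URG,PSH,FIN"):
        print(f"{pkt:<12} -> {verdict(pkt)}")
```

Note that `ACK,PSH PSH` drops a bare PSH but lets PSH+ACK through, which is why the mask must list both bits; a rule written `PSH PSH` would drop every data segment.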
Run it
[root@jo:/]#chmod 700 fwrule.sh
[root@jo:~]#./fwrule.sh
Done.
--
Now let's test. Test mail from Windows XP, and from a cmd window → telnet mail.cho.iss 25
--
Mail test
[root@jo:~]#sendmail -q -v
→ Mail may be stuck in the queue and not get sent, so flush everything sitting in the queue.
[Sending to yourself with Outlook]
Sending to myself: the mail is sent and received fine.
--
[Sending mail to the outside]
--
#tail -f /var/log/maillog
==> /var/log/maillog <==
Oct 30 00:49:52 woo sendmail[4592]: n9TFnfLY004592: Milter (spamassassin): to error state.
Oct 30 00:49:52 woo sendmail[4592]: n9TFnfLY004592: Milter add: header: X-Virus-Scanned: clamav-milter 0.95.2 at woo.cho.iss
Oct 30 00:49:52 woo sendmail[4592]: n9TFnfLY004592: Milter add: header: X-Virus-Status: Clean
Oct 30 00:49:53 woo sendmail[4600]: n9TFnfLY004592: to=<tack7001@nate.com>, ctladdr=<kkk@cho.iss> (508/508), delay=00:00:11, xdelay=00:00:01, mailer=relay, pri=121290, relay=mailx.cho.iss. [192.168.10.181], dsn=2.0.0, stat=Sent (n9TFdxi0008544 Message accepted for delivery)
Oct 30 00:49:53 woo spamd[3349]: auto-whitelist: open of auto-whitelist file failed: locker: safe_lock: cannot create tmp lockfile /home/spamd/.spamassassin/auto-whitelist.lock.woo.cho.iss.3349 for /home/spamd/.spamassassin/auto-whitelist.lock: No such file or directory
Oct 30 00:49:53 woo spamd[3349]: spamd: clean message (5.3/7.5) for spamd:512 in 10.4 seconds, 1567 bytes.
Oct 30 00:49:53 woo spamd[3349]: spamd: result: . 5 - ALL_TRUSTED,DATE_IN_FUTURE_96_XX,HTML_MESSAGE,MIME_BASE64_TEXT scantime=10.4,size=1567,user=spamd,uid=512,required_score=7.5,rhost=woo.cho.iss,raddr=127.0.0.1,rport=60864,mid=<47ABE10B283A443A8591CA881DD63BA3@microsofocxtgv>,autolearn=no
Oct 30 00:49:53 woo dovecot: pop3-login: Login: user=<kkk>, method=PLAIN, rip=192.168.10.26, lip=192.168.10.186
Oct 30 00:49:53 woo spamd[2957]: prefork: child states: II
Oct 30 00:49:53 woo dovecot: POP3(kkk): Disconnected: Logged out top=0/0, retr=0/0, del=0/0, size=0
--
<Error: sending mail>
During the mail test, mail to the outside was not going out; the problem was in the "/etc/mail/access" file.
[Firewall-server side, queuing mail server: 192.168.10.181]
#vi /etc/mail/access
# Check the /usr/share/doc/sendmail/README.cf file for a description
# of the format of this file. (search for access_db in that file)
# The /usr/share/doc/sendmail/README.cf is part of the sendmail-doc
# package.
#
# by default we allow relaying from localhost...
Connect:localhost.localdomain           RELAY
Connect:localhost                       RELAY
Connect:127.0.0.1                       RELAY
Connect:cho.iss                         RELAY
Connect:mailx.cho.iss                   RELAY
Connect:192.168.10                      RELAY

[Sendmail server side: 192.168.10.186]
Earlier the 192.168.100.100 range was in use, so only that IP range was allowed to RELAY, which caused the problem, and the queuing mail server "mailx.cho.iss" had no RELAY entry. So it was set up like this.
#vi /etc/mail/access
# Check the /usr/share/doc/sendmail/README.cf file for a description
# of the format of this file. (search for access_db in that file)
# The /usr/share/doc/sendmail/README.cf is part of the sendmail-doc
# package.
#
# by default we allow relaying from localhost...
Connect:localhost.localdomain           RELAY
Connect:localhost                       RELAY
Connect:127.0.0.1                       RELAY
Connect:cho.iss                         RELAY
Connect:mail.cho.iss                    RELAY
Connect:192.168.10                      RELAY
--