
NAT망 구성과 내부에 있는 웹서버 접근하기

2008/12/12

1.

NAT : Network Address Translation

IP공유, 사설망 구성은 모두 NAT 기능이다.
이에 대한 상세한 내역을 생략.

NAT망 안에 있는 웹서버 지역을 DMZ (비무장지대 -_-)라고 한다.
NAT로 포트별 (서비스별) 포워딩을 하는 것은 사실 상의 L4스위치이다.

2.

우분투에서 NAT망을 구성하는 것은 쉽다.
ipmasq 를 깔고 실행하면 된다.

실제 iptables 가 어떻게 구성되는지 보려면 다음과 같이 한다.

# Save ipmasq's verbose rule dump to a file, then print the file.
# NOTE(review): `ipmasq -v` prints the commands as it runs them, so this is not
# a read-only inspection on a live gateway — check ipmasq(8) for a dry-run
# option before using it on a box you are logged into remotely. TODO confirm.
ipmasq -v >my.dat; cat -- my.dat

3.

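# `//` is not a shell comment: `iptables -L //` passes "//" as a chain name and
# fails. Use `#` so these lines can be pasted or run as-is.
# List the current rules (filter table only; use -t nat / -t mangle for the
# other tables, and -n to skip reverse-DNS lookups that can stall the listing).
iptables -L # list current rules
# Delete every rule in the filter table. This does NOT reset chain policies:
# once ipmasq has set INPUT/OUTPUT/FORWARD to DROP, flushing alone leaves the
# host cut off from everything, including an SSH session.
iptables -F # delete all rules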

4.

ipmasq 가 어떻게 구성했는지 보자.

root@dawnsea-linux:/home/keeptalk# iptables -F
root@dawnsea-linux:/home/keeptalk# ipmasq -v
#: Interfaces found:
-e #:   eth1    168.219.187.183/255.255.255.0
-e #:   eth1    168.219.187.183/255.255.255.0
-e #:   eth0    192.168.123.123/255.255.255.0
-e #:   eth2    192.168.1.1/255.255.255.0
# Ruleset as generated by `ipmasq -v`. Interfaces, from the lines above:
# eth1 = 168.219.187.183/24 (external), eth0 = 192.168.123.0/24,
# eth2 = 192.168.1.0/24.
# Routing is switched off while the tables are rebuilt, so nothing is
# forwarded through a half-built ruleset; it is switched back on near the end.
echo "0" > /proc/sys/net/ipv4/ip_forward
# Default-deny on all three filter chains. NOTE: the -F calls that follow
# remove rules only — these DROP policies remain. A bare `iptables -F` run
# later therefore blocks all traffic to and from the host.
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -F INPUT
/sbin/iptables -F OUTPUT
/sbin/iptables -F FORWARD
# mangle and nat tables: policy ACCEPT, then emptied.
/sbin/iptables -t mangle -P PREROUTING ACCEPT
/sbin/iptables -t mangle -P OUTPUT ACCEPT
/sbin/iptables -t mangle -F PREROUTING
/sbin/iptables -t mangle -F OUTPUT
/sbin/iptables -t nat -P PREROUTING ACCEPT
/sbin/iptables -t nat -P POSTROUTING ACCEPT
/sbin/iptables -t nat -P OUTPUT ACCEPT
/sbin/iptables -t nat -F PREROUTING
/sbin/iptables -t nat -F POSTROUTING
/sbin/iptables -t nat -F OUTPUT
# Forwarding between the two internal networks, both directions.
# iptables applies the netmask before matching, so -s 192.168.123.123/255.255.255.0
# matches the whole 192.168.123.0/24 network (iptables -L shows it that way),
# not only host .123.
/sbin/iptables -A FORWARD -j ACCEPT -s 192.168.1.1/255.255.255.0 -d 192.168.123.123/255.255.255.0
/sbin/iptables -A FORWARD -j ACCEPT -s 192.168.123.123/255.255.255.0 -d 192.168.1.1/255.255.255.0
# Loopback is trusted. A loopback-sourced packet on any other interface is
# spoofed: log it, then drop it. (`-i ! lo` is the old negation form;
# current iptables expects `! -i lo`; same for `-p ! 6` below.)
/sbin/iptables -A INPUT -j ACCEPT -i lo
/sbin/iptables -A INPUT -j LOG -i ! lo -s 127.0.0.1/255.0.0.0
/sbin/iptables -A INPUT -j DROP -i ! lo -s 127.0.0.1/255.0.0.0
# Internal interfaces: accept limited broadcast, anything from the
# interface's own subnet, and non-TCP multicast (protocol 6 = TCP).
/sbin/iptables -A INPUT -j ACCEPT -i eth0 -d 255.255.255.255/32
/sbin/iptables -A INPUT -j ACCEPT -i eth2 -d 255.255.255.255/32
/sbin/iptables -A INPUT -j ACCEPT -i eth0 -s 192.168.123.123/255.255.255.0
/sbin/iptables -A INPUT -j ACCEPT -i eth2 -s 192.168.1.1/255.255.255.0
/sbin/iptables -A INPUT -j ACCEPT -i eth0 -d 224.0.0.0/4 -p ! 6
/sbin/iptables -A INPUT -j ACCEPT -i eth2 -d 224.0.0.0/4 -p ! 6
# Anti-spoofing on the external interface: an internal source address must
# never arrive on eth1 — log, then drop.
/sbin/iptables -A INPUT -j LOG -i eth1 -s 192.168.123.123/255.255.255.0
/sbin/iptables -A INPUT -j DROP -i eth1 -s 192.168.123.123/255.255.255.0
/sbin/iptables -A INPUT -j LOG -i eth1 -s 192.168.1.1/255.255.255.0
/sbin/iptables -A INPUT -j DROP -i eth1 -s 192.168.1.1/255.255.255.0
# Inbound on eth1: limited broadcast, the gateway's own public address, and
# the subnet broadcast. The -d 168.219.187.183/32 rule carries no protocol,
# port or state match, so every service listening on the gateway is reachable
# from the external network. If the box runs anything besides NAT, narrow
# this per service (or accept only ESTABLISHED,RELATED here).
/sbin/iptables -A INPUT -j ACCEPT -i eth1 -d 255.255.255.255/32
/sbin/iptables -A INPUT -j ACCEPT -i eth1 -d 168.219.187.183/32
/sbin/iptables -A INPUT -j ACCEPT -i eth1 -d 168.219.187.255/32
# Outbound NAT: traffic from either internal network leaving via eth1 gets
# eth1's address as its source, and is allowed through FORWARD.
/sbin/iptables -t nat -A POSTROUTING -o eth1 -s 192.168.123.123/255.255.255.0 -j MASQUERADE
/sbin/iptables -A FORWARD -i eth0 -o eth1 -s 192.168.123.123/255.255.255.0 -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.1/255.255.255.0 -j MASQUERADE
/sbin/iptables -A FORWARD -i eth2 -o eth1 -s 192.168.1.1/255.255.255.0 -j ACCEPT
# Return traffic for connections conntrack already knows is forwarded back.
/sbin/iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# Traffic generated by the gateway itself: loopback, broadcast, the local
# subnets, non-TCP multicast.
/sbin/iptables -A OUTPUT -j ACCEPT -o lo
/sbin/iptables -A OUTPUT -j ACCEPT -o eth0 -d 255.255.255.255/32
/sbin/iptables -A OUTPUT -j ACCEPT -o eth2 -d 255.255.255.255/32
/sbin/iptables -A OUTPUT -j ACCEPT -o eth0 -d 192.168.123.123/255.255.255.0
/sbin/iptables -A OUTPUT -j ACCEPT -o eth2 -d 192.168.1.1/255.255.255.0
/sbin/iptables -A OUTPUT -j ACCEPT -o eth0 -d 224.0.0.0/4 -p ! 6
/sbin/iptables -A OUTPUT -j ACCEPT -o eth2 -d 224.0.0.0/4 -p ! 6
# Leak guard: packets addressed to the private networks never go out eth1,
# whether forwarded or locally generated — log, then drop.
/sbin/iptables -A FORWARD -j LOG -o eth1 -d 192.168.123.123/255.255.255.0
/sbin/iptables -A FORWARD -j DROP -o eth1 -d 192.168.123.123/255.255.255.0
/sbin/iptables -A OUTPUT -j LOG -o eth1 -d 192.168.123.123/255.255.255.0
/sbin/iptables -A OUTPUT -j DROP -o eth1 -d 192.168.123.123/255.255.255.0
/sbin/iptables -A FORWARD -j LOG -o eth1 -d 192.168.1.1/255.255.255.0
/sbin/iptables -A FORWARD -j DROP -o eth1 -d 192.168.1.1/255.255.255.0
/sbin/iptables -A OUTPUT -j LOG -o eth1 -d 192.168.1.1/255.255.255.0
/sbin/iptables -A OUTPUT -j DROP -o eth1 -d 192.168.1.1/255.255.255.0
# Locally generated traffic out the external interface. (A /32 rule keyed on
# the subnet-broadcast address as *source* looks like a template artifact
# rather than a deliberate choice — TODO confirm.)
/sbin/iptables -A OUTPUT -j ACCEPT -o eth1 -d 255.255.255.255/32
/sbin/iptables -A OUTPUT -j ACCEPT -o eth1 -s 168.219.187.183/32
/sbin/iptables -A OUTPUT -j ACCEPT -o eth1 -s 168.219.187.255/32
# Rules are in place: turn forwarding back on.
echo "1" > /proc/sys/net/ipv4/ip_forward
# Drop all-hosts multicast in every chain.
/sbin/iptables -A INPUT -j DROP -d 224.0.0.1
/sbin/iptables -A OUTPUT -j DROP -d 224.0.0.1
/sbin/iptables -A FORWARD -j DROP -d 224.0.0.1
# Catch-all: log, then drop, whatever was not accepted above. The DROP
# policies would drop it anyway; the explicit rules exist for the LOG entry.
# An unrestricted LOG here can flood syslog under a port scan — a
# `-m limit --limit ...` match on the LOG rules keeps that bounded.
/sbin/iptables -A INPUT -j LOG -s 0.0.0.0/0 -d 0.0.0.0/0
/sbin/iptables -A INPUT -j DROP -s 0.0.0.0/0 -d 0.0.0.0/0
/sbin/iptables -A OUTPUT -j LOG -s 0.0.0.0/0 -d 0.0.0.0/0
/sbin/iptables -A OUTPUT -j DROP -s 0.0.0.0/0 -d 0.0.0.0/0
/sbin/iptables -A FORWARD -j LOG -s 0.0.0.0/0 -d 0.0.0.0/0
/sbin/iptables -A FORWARD -j DROP -s 0.0.0.0/0 -d 0.0.0.0/0

나온 파일에 실행 권한을 주고 일부만 실행해서 스크립트처럼 써도 된다. (단, 위 출력에서 `-e #:` 로 시작하는 줄은 셸 명령이 아니므로, 5번의 ipmasq.dat처럼 `-e`를 지우거나 주석으로 바꿔야 한다.)

5.

eth1 : 외부망
eth0 : DMZ
eth2 : 내부망인 경우 다음과 같이 한다.

root@dawnsea-linux:/home/keeptalk# cat ipmasq.dat 
#: Interfaces found:
#:   eth1    168.219.187.183/255.255.255.0
#:   eth1    168.219.187.183/255.255.255.0
#:   eth0    192.168.123.123/255.255.255.0
#:   eth2    192.168.1.1/255.255.255.0
# Hand-edited copy of the ipmasq dump. eth1 = external, eth0 = DMZ
# (192.168.123.0/24, web server at .150), eth2 = internal (192.168.1.0/24).
# Lines prefixed with a lone `#` were disabled by the edit; each group has a
# note on what that disabling changes.
# Routing off while the tables are rebuilt; re-enabled near the end.
echo "0" > /proc/sys/net/ipv4/ip_forward
# Default-deny on the filter chains. -F removes rules only; the DROP
# policies persist, so a later bare `iptables -F` cuts the host off.
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -F INPUT
/sbin/iptables -F OUTPUT
/sbin/iptables -F FORWARD
# mangle and nat tables: policy ACCEPT, then emptied.
/sbin/iptables -t mangle -P PREROUTING ACCEPT
/sbin/iptables -t mangle -P OUTPUT ACCEPT
/sbin/iptables -t mangle -F PREROUTING
/sbin/iptables -t mangle -F OUTPUT
/sbin/iptables -t nat -P PREROUTING ACCEPT
/sbin/iptables -t nat -P POSTROUTING ACCEPT
/sbin/iptables -t nat -P OUTPUT ACCEPT
/sbin/iptables -t nat -F PREROUTING
/sbin/iptables -t nat -F POSTROUTING
/sbin/iptables -t nat -F OUTPUT
# Forwarding between DMZ and internal network. Written as 192.168.123.0/24
# here; the ipmasq original wrote 192.168.123.123/255.255.255.0, which
# iptables masks to the same /24, so the match is unchanged. Note there is
# no -i/-o on these two rules: they match on addresses alone.
/sbin/iptables -A FORWARD -j ACCEPT -s 192.168.1.1/255.255.255.0 -d 192.168.123.0/255.255.255.0
/sbin/iptables -A FORWARD -j ACCEPT -s 192.168.123.0/255.255.255.0 -d 192.168.1.1/255.255.255.0
/sbin/iptables -A INPUT -j ACCEPT -i lo
# Loopback-sourced packets on other interfaces are still logged, but the DROP
# that used to follow is disabled. Nothing below drops them either, and the
# eth1 INPUT rules further down accept by destination only, so such a packet
# arriving on eth1 for the gateway's own address is now accepted. Re-enable
# the DROP unless there is a specific reason to keep it off.
/sbin/iptables -A INPUT -j LOG -i ! lo -s 127.0.0.1/255.0.0.0
#/sbin/iptables -A INPUT -j DROP -i ! lo -s 127.0.0.1/255.0.0.0
# Internal interfaces: limited broadcast, own subnet, non-TCP multicast.
/sbin/iptables -A INPUT -j ACCEPT -i eth0 -d 255.255.255.255/32
/sbin/iptables -A INPUT -j ACCEPT -i eth2 -d 255.255.255.255/32
/sbin/iptables -A INPUT -j ACCEPT -i eth0 -s 192.168.123.0/255.255.255.0
/sbin/iptables -A INPUT -j ACCEPT -i eth2 -s 192.168.1.1/255.255.255.0
/sbin/iptables -A INPUT -j ACCEPT -i eth0 -d 224.0.0.0/4 -p ! 6
/sbin/iptables -A INPUT -j ACCEPT -i eth2 -d 224.0.0.0/4 -p ! 6
# Anti-spoofing for eth1 disabled: packets arriving on the external interface
# with an internal source address are no longer logged or dropped. With the
# address-only FORWARD rules at the top they can be forwarded between the
# internal networks (unless rp_filter rejects them first), and the -d rules
# below accept them on the gateway itself. Restoring these four rules is the
# safer choice; the DNAT below does not need them gone.
#/sbin/iptables -A INPUT -j LOG -i eth1 -s 192.168.123.123/255.255.255.0
#/sbin/iptables -A INPUT -j DROP -i eth1 -s 192.168.123.123/255.255.255.0
#/sbin/iptables -A INPUT -j LOG -i eth1 -s 192.168.1.1/255.255.255.0
#/sbin/iptables -A INPUT -j DROP -i eth1 -s 192.168.1.1/255.255.255.0
# Inbound on eth1 to the gateway: no protocol/port/state match, so every
# service listening on the gateway is reachable from outside.
/sbin/iptables -A INPUT -j ACCEPT -i eth1 -d 255.255.255.255/32
/sbin/iptables -A INPUT -j ACCEPT -i eth1 -d 168.219.187.183/32
/sbin/iptables -A INPUT -j ACCEPT -i eth1 -d 168.219.187.255/32
# Port forward: TCP/80 arriving on eth1 is DNATed to the DMZ web server.
# This runs in PREROUTING, so the FORWARD chain already sees
# 192.168.123.150 as the destination — hence the --dport 80 rule below.
/sbin/iptables -t nat -A PREROUTING -p tcp --dport 80 -i eth1 -j DNAT --to 192.168.123.150:80
# Outbound NAT for both internal networks, plus the matching FORWARD accepts.
/sbin/iptables -t nat -A POSTROUTING -o eth1 -s 192.168.123.0/255.255.255.0 -j MASQUERADE
/sbin/iptables -A FORWARD -i eth0 -o eth1 -s 192.168.123.0/255.255.255.0 -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.1/255.255.255.0 -j MASQUERADE
/sbin/iptables -A FORWARD -i eth2 -o eth1 -s 192.168.1.1/255.255.255.0 -j ACCEPT
# Replies to tracked connections.
/sbin/iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# Admit the new connections created by the DNAT. As written there is no
# interface or destination match, so this accepts new port-80 connections
# forwarded in any direction, not just toward the web server; adding
# `-i eth1 -o eth0 -d 192.168.123.150` pins it to the published service.
/sbin/iptables -A FORWARD -p tcp --dport 80 --syn -m state --state NEW -j ACCEPT
# Traffic generated by the gateway itself.
/sbin/iptables -A OUTPUT -j ACCEPT -o lo
/sbin/iptables -A OUTPUT -j ACCEPT -o eth0 -d 255.255.255.255/32
/sbin/iptables -A OUTPUT -j ACCEPT -o eth2 -d 255.255.255.255/32
/sbin/iptables -A OUTPUT -j ACCEPT -o eth0 -d 192.168.123.0/255.255.255.0
/sbin/iptables -A OUTPUT -j ACCEPT -o eth2 -d 192.168.1.1/255.255.255.0
/sbin/iptables -A OUTPUT -j ACCEPT -o eth0 -d 224.0.0.0/4 -p ! 6
/sbin/iptables -A OUTPUT -j ACCEPT -o eth2 -d 224.0.0.0/4 -p ! 6
# Leak guard disabled: packets addressed to the private networks may now
# leave via eth1 (the eth0->eth1 FORWARD accept above has no -d) and be
# masqueraded. Harmless for the web server use case, but worth re-enabling.
#/sbin/iptables -A FORWARD -j LOG -o eth1 -d 192.168.123.123/255.255.255.0
#/sbin/iptables -A FORWARD -j DROP -o eth1 -d 192.168.123.123/255.255.255.0
#/sbin/iptables -A OUTPUT -j LOG -o eth1 -d 192.168.123.123/255.255.255.0
#/sbin/iptables -A OUTPUT -j DROP -o eth1 -d 192.168.123.123/255.255.255.0
#/sbin/iptables -A FORWARD -j LOG -o eth1 -d 192.168.1.1/255.255.255.0
#/sbin/iptables -A FORWARD -j DROP -o eth1 -d 192.168.1.1/255.255.255.0
#/sbin/iptables -A OUTPUT -j LOG -o eth1 -d 192.168.1.1/255.255.255.0
#/sbin/iptables -A OUTPUT -j DROP -o eth1 -d 192.168.1.1/255.255.255.0
/sbin/iptables -A OUTPUT -j ACCEPT -o eth1 -d 255.255.255.255/32
/sbin/iptables -A OUTPUT -j ACCEPT -o eth1 -s 168.219.187.183/32
/sbin/iptables -A OUTPUT -j ACCEPT -o eth1 -s 168.219.187.255/32
# Rules are in place: turn forwarding back on.
echo "1" > /proc/sys/net/ipv4/ip_forward
# Drop all-hosts multicast in every chain.
/sbin/iptables -A INPUT -j DROP -d 224.0.0.1
/sbin/iptables -A OUTPUT -j DROP -d 224.0.0.1
/sbin/iptables -A FORWARD -j DROP -d 224.0.0.1
# Catch-all log-then-drop; an unlimited LOG can flood syslog under a scan,
# so consider `-m limit` on the LOG rules.
/sbin/iptables -A INPUT -j LOG -s 0.0.0.0/0 -d 0.0.0.0/0
/sbin/iptables -A INPUT -j DROP -s 0.0.0.0/0 -d 0.0.0.0/0
/sbin/iptables -A OUTPUT -j LOG -s 0.0.0.0/0 -d 0.0.0.0/0
/sbin/iptables -A OUTPUT -j DROP -s 0.0.0.0/0 -d 0.0.0.0/0
/sbin/iptables -A FORWARD -j LOG -s 0.0.0.0/0 -d 0.0.0.0/0
/sbin/iptables -A FORWARD -j DROP -s 0.0.0.0/0 -d 0.0.0.0/0

여기서 잘 관찰해보면.
ipmasq는 IP주소를 지정했고 (192.168.123.123), 수정한 스크립트는 네트웍을 지정했다(192.168.123.0/255.255.255.0)

네트웍 클래스에 대해서 까먹었다면 다시 찾아보자.

6.

앞의 스크립트에서 다시 살펴보면.

# Port forward: TCP/80 arriving on eth1 is DNATed to the DMZ web server
# (PREROUTING, so FORWARD already sees 192.168.123.150 as destination).
/sbin/iptables -t nat -A PREROUTING -p tcp --dport 80 -i eth1 -j DNAT --to 192.168.123.150:80
# Outbound NAT for the DMZ and internal networks, with the FORWARD accepts
# that let their traffic out via eth1.
/sbin/iptables -t nat -A POSTROUTING -o eth1 -s 192.168.123.0/255.255.255.0 -j MASQUERADE
/sbin/iptables -A FORWARD -i eth0 -o eth1 -s 192.168.123.0/255.255.255.0 -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.1/255.255.255.0 -j MASQUERADE
/sbin/iptables -A FORWARD -i eth2 -o eth1 -s 192.168.1.1/255.255.255.0 -j ACCEPT
# Replies to tracked connections.
/sbin/iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# New port-80 connections may be forwarded. No -i/-o/-d here, so this is
# wider than the DNAT needs; `-i eth1 -o eth0 -d 192.168.123.150` would
# limit it to the published web server.
/sbin/iptables -A FORWARD -p tcp --dport 80 --syn -m state --state NEW -j ACCEPT

첫 줄과 마지막 줄을 주의깊게 보자.

eth1 (외부망)에서 들어오는 80포트 TCP 패킷은 전부 192.168.123.150:80 (웹서버)로 보낸다.
그 아래줄은 192.168.123.0 네트웍에서 내보내는 패킷의 소스 주소를 전부 eth1 의 주소로 교체한다.
맨 아래줄은 80포트에 대하여 SYN패킷 포워딩을 허용한다.

iptables 규칙을 저장해보자.

http://www.redhat.com/docs/manuals/enterprise/RHEL-5-manual/ko-KR/Deployment_Guide/s1-iptables-saving.html








