-----------------------------------------
답변자가 기본적으로 참고할 내용입니다.
- 배포판(옵션) : 페도라코어4
- 커널버전(옵션)
: 2.6.14-1.1644_FC4
- 데몬버전(예:apache
1.3.27) : bind-9.3.1-14_FC4
- 데몬설치유형(RPM/컴파일/기타)
: RPM
-----------------------------------------
안녕하세요.
일본에 셋팅한 서버가 문제가 생겨 문의드립니다.
일단 증상을 말씀 드리자면...
www.abc.com
www.abc.co.jp
이런 도메인이 두개가 있습니다. bind 설정을 하고..
nslookup 또는 dig 를 사용해서 질의를 해보면..
(dig @168.126.63.1 www.abc.co.jp)
원하는 ip를 가지고 옵니다.
로컬,외부 모두 정상적으로 ip를 가지고 옵니다.
그런데 위 도메인으로 웹페이지 접속시 문제가 발생합니다.
PC에 따라서 웹페이지를 정상적으로 표시하는 PC가 있는반면...
페이지를 찾을수 없다고 나오는 PC가 있습니다.
물론 페이지를 못찾는 PC에서 nslookup등으로 도메인을
검색해보면...
정상적으로 IP를 얻어옵니다.
약간 의심되는 부분이 있는데..
Apache는 iptable을 사용해서 포트포워딩으로
내부에서 서비스 되고 있습니다. 포트포워딩이 됐다 안됐다
하는 문제 일수도 있다고 생각은 듭니다.
iptable rule 을 올려봅니다. 아래 룰은 커널 2.4버전에서 실제로
사용하고 운영하던 내용을 가져다가 2.6버전에서 그냥
사용했습니다.
너무 두서없이 질문을 드린건 아닌지 모르겠네요.
질문에 부족한 내용있으면 알려주세요.
그럼 수고하세요 :)
#!/bin/sh
FWVER=0.73s
echo -e "\nLoading STRONGER rc.firewall - version $FWVER..\n"
IPTABLES=/sbin/iptables
LSMOD=/sbin/lsmod
DEPMOD=/sbin/depmod
INSMOD=/sbin/insmod
GREP=/bin/grep
AWK=/bin/awk
SED=/bin/sed
IFCONFIG=/sbin/ifconfig
EXTIF0="ppp0"
INTIF0="eth1"
INTIF1="eth2"
INTIF2="eth0"
echo " External Interface: $EXTIF0"
echo " External Interface: $INTIF0"
echo " Internal Interface: $INTIF1"
echo " DMZ Interface: $INTIF2"
echo " ---"
EXTIP0="`$IFCONFIG $EXTIF0 | $GREP 'inet addr' | $AWK '{print $2}' | \
$SED -e 's/.*://'`"
echo " External IP: $EXTIP0"
echo " ---"
INTNET0="192.168.1.0/24"
INTIP0="192.168.1.1/24"
echo " Internal Network: $INTNET0"
echo " Internal IP: $INTIP0"
echo " ---"
INTNET1="192.168.2.0/24"
INTIP1="192.168.2.1/24"
echo " Internal Network: $INTNET1"
echo " Internal IP: $INTIP1"
echo " ---"
INTNET2="192.168.0.0/24"
INTIP2="192.168.0.1/24"
echo " DMZ Network: $INTNET2"
echo " DMZ IP: $INTIP2"
echo " ---"
UNIVERSE="0.0.0.0/0"
echo " - Verifying that all kernel modules are ok"
$DEPMOD -a
echo -en " Loading kernel modules: "
echo -en "ip_tables, "
if [ -z "` $LSMOD | $GREP ip_tables | $AWK {'print $1'} `" ]; then
$INSMOD ip_tables
fi
echo -en "ip_conntrack, "
if [ -z "` $LSMOD | $GREP ip_conntrack | $AWK {'print $1'} `" ]; then
$INSMOD ip_conntrack
fi
echo -e "ip_conntrack_ftp, "
if [ -z "` $LSMOD | $GREP ip_conntrack_ftp | $AWK {'print $1'} `" ]; then
$INSMOD ip_conntrack_ftp
fi
echo -en " ip_conntrack_irc, "
if [ -z "` $LSMOD | $GREP ip_conntrack_irc | $AWK {'print $1'} `" ]; then
$INSMOD ip_conntrack_irc
fi
echo -en "iptable_nat, "
if [ -z "` $LSMOD | $GREP iptable_nat | $AWK {'print $1'} `" ]; then
$INSMOD iptable_nat
fi
echo -e "ip_nat_ftp"
if [ -z "` $LSMOD | $GREP ip_nat_ftp | $AWK {'print $1'} `" ]; then
$INSMOD ip_nat_ftp
fi
echo " ---"
echo " Enabling forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward
echo " Enabling DynamicAddr.."
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
echo " ---"
echo " Clearing any existing rules and setting default policy to DROP.."
$IPTABLES -P INPUT DROP
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT DROP
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -F -t nat
if [ -n "`$IPTABLES -L | $GREP drop-and-log-it`" ]; then
$IPTABLES -F drop-and-log-it
fi
$IPTABLES -X
$IPTABLES -Z
echo " Creating a DROP chain.."
$IPTABLES -N drop-and-log-it
$IPTABLES -A drop-and-log-it -j LOG
$IPTABLES -A drop-and-log-it -j DROP
echo -e "\n - Loading INPUT rulesets"
$IPTABLES -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
$IPTABLES -A INPUT -i $INTIF0 -s $INTNET0 -d $UNIVERSE -j ACCEPT
$IPTABLES -A INPUT -i $INTIF1 -s $INTNET1 -d $UNIVERSE -j ACCEPT
$IPTABLES -A INPUT -i $INTIF2 -s $INTNET2 -d $UNIVERSE -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF0 -s $UNIVERSE -d $EXTIP0 -m state --state
ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF0 -s $INTNET0 -d $UNIVERSE -j drop-and-log-it
$IPTABLES -A INPUT -i $EXTIF0 -s $INTNET1 -d $UNIVERSE -j drop-and-log-it
$IPTABLES -A INPUT -i $EXTIF0 -s $INTNET2 -d $UNIVERSE -j drop-and-log-it
# NameServer
#
echo -e " - Allowing EXTERNAL access to the Name server"
$IPTABLES -A INPUT -i $EXTIF0 -m state --state NEW,ESTABLISHED,RELATED -p tcp -s
$UNIVERSE -d $EXTIP0 --dport 42 -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF0 -m state --state NEW,ESTABLISHED,RELATED -p udp -s
$UNIVERSE -d $EXTIP0 --dport 42 -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF0 -m state --state NEW,ESTABLISHED,RELATED -p tcp -s
$UNIVERSE -d $EXTIP0 --dport 53 -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF0 -m state --state NEW,ESTABLISHED,RELATED -p udp -s
$UNIVERSE -d $EXTIP0 --dport 53 -j ACCEPT
$IPTABLES -A INPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it
echo -e " - Loading OUTPUT rulesets"
$IPTABLES -A OUTPUT -o lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
$IPTABLES -A OUTPUT -o $INTIF0 -s $EXTIP0 -d $INTNET0 -j ACCEPT
$IPTABLES -A OUTPUT -o $INTIF0 -s $EXTIP0 -d $INTNET1 -j ACCEPT
$IPTABLES -A OUTPUT -o $INTIF0 -s $EXTIP0 -d $INTNET2 -j ACCEPT
$IPTABLES -A OUTPUT -o $INTIF1 -s $EXTIP0 -d $INTNET0 -j ACCEPT
$IPTABLES -A OUTPUT -o $INTIF1 -s $EXTIP0 -d $INTNET1 -j ACCEPT
$IPTABLES -A OUTPUT -o $INTIF1 -s $EXTIP0 -d $INTNET2 -j ACCEPT
$IPTABLES -A OUTPUT -o $INTIF2 -s $EXTIP0 -d $INTNET0 -j ACCEPT
$IPTABLES -A OUTPUT -o $INTIF2 -s $EXTIP0 -d $INTNET1 -j ACCEPT
$IPTABLES -A OUTPUT -o $INTIF2 -s $EXTIP0 -d $INTNET2 -j ACCEPT
$IPTABLES -A OUTPUT -o $INTIF0 -s $INTIP1 -d $INTNET0 -j ACCEPT
$IPTABLES -A OUTPUT -o $INTIF0 -s $INTIP1 -d $INTNET1 -j ACCEPT
$IPTABLES -A OUTPUT -o $INTIF0 -s $INTIP1 -d $INTNET2 -j ACCEPT
$IPTABLES -A OUTPUT -o $INTIF1 -s $INTIP1 -d $INTNET0 -j ACCEPT
$IPTABLES -A OUTPUT -o $INTIF1 -s $INTIP1 -d $INTNET1 -j ACCEPT
$IPTABLES -A OUTPUT -o $INTIF1 -s $INTIP1 -d $INTNET2 -j ACCEPT
$IPTABLES -A OUTPUT -o $INTIF2 -s $INTIP2 -d $INTNET0 -j ACCEPT
$IPTABLES -A OUTPUT -o $INTIF2 -s $INTIP2 -d $INTNET1 -j ACCEPT
$IPTABLES -A OUTPUT -o $INTIF2 -s $INTIP2 -d $INTNET2 -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTIF0 -s $UNIVERSE -d $INTNET0 -j drop-and-log-it
$IPTABLES -A OUTPUT -o $EXTIF0 -s $UNIVERSE -d $INTNET1 -j drop-and-log-it
$IPTABLES -A OUTPUT -o $EXTIF0 -s $UNIVERSE -d $INTNET2 -j drop-and-log-it
$IPTABLES -A OUTPUT -o $EXTIF0 -s $EXTIP0 -d $UNIVERSE -j ACCEPT
$IPTABLES -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it
echo -e " - Loading FORWARD rulesets"
echo " - FWD: Allow all connections OUT and only existing/related IN"
#PORTFWIPHTTP="192.168.0.11:80-192.168.0.12:80"
#PORTFWIPFTP="192.168.0.11:21-192.168.0.12:21"
PORTFWIPHTTP="192.168.0.11:80"
PORTFWIPFTP="192.168.0.11:21"
$IPTABLES -A PREROUTING -t nat -p tcp -d $EXTIP0 --dport 80 -j DNAT --to
$PORTFWIPHTTP
$IPTABLES -A FORWARD -i $EXTIF0 -o $INTIF2 -p tcp --dport 80 -m state --state
NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A PREROUTING -t nat -p tcp -d $EXTIP0 --dport 21 -j DNAT --to
$PORTFWIPFTP
$IPTABLES -A FORWARD -i $EXTIF0 -o $INTIF2 -p tcp --dport 21 -m state --state
NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF0 -o $INTIF0 -m state --state ESTABLISHED,RELATED -j
ACCEPT
$IPTABLES -A FORWARD -i $EXTIF0 -o $INTIF1 -m state --state ESTABLISHED,RELATED -j
ACCEPT
$IPTABLES -A FORWARD -i $EXTIF0 -o $INTIF2 -m state --state ESTABLISHED,RELATED -j
ACCEPT
$IPTABLES -A FORWARD -i $INTIF1 -o $EXTIF0 -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF2 -o $EXTIF0 -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF1 -o $INTIF0 -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF2 -o $INTIF0 -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF0 -o $INTIF1 -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF2 -o $INTIF1 -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF0 -o $INTIF2 -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF1 -o $INTIF2 -j ACCEPT
$IPTABLES -A FORWARD -j drop-and-log-it
echo -e "\nDone.\n"
|
오늘은 대한입니다.
/board/read.php:소스보기 
