Implementing NAT (network address translation)
on kernel 2.4, part 2

- Transparent proxy setup -

Author: Bae Cheol-su / Publisher, Linux World

 

     

    The NAT article in the March issue left out the transparent proxy setup, so it is added here. A transparent proxy is a setup that forces the Windows web browsers on the internal LAN to go through a proxy even though no proxy server is configured in them. The benefit of going through a proxy is that it uses a cache, which can speed up internet access from the Windows machines.

     

VI. Transparent proxy configuration

     

    1. Kernel configuration

    ◆ Networking support
    ◆ Sysctl support
    ◆ Network packet filtering
    ◆ TCP/IP networking
    ◆ Connection tracking (Under ``IP: Netfilter Configuration'' in menuconfig)
    ◆ IP tables support
    ◆ Full NAT
    ◆ REDIRECT target support
    ◆ /proc filesystem support

     

    2. Installing squid

    2.1  Compile

      1) ./configure --prefix=/usr/local/squid
      2) make
      3) make install

    2.2  Edit /usr/local/squid/etc/squid.conf

      1) httpd_accel_host virtual
      2) httpd_accel_port 80
      3) httpd_accel_with_proxy on
      4) httpd_accel_uses_host_header on

          #Default configuration:
          http_access allow manager localhost
          http_access deny manager
          http_access deny !Safe_ports
          http_access deny CONNECT !SSL_ports
          http_access deny all

      5) http_access allow all

    2.3  Check that the user nobody exists

    2.4  Check that the group nogroup exists

    2.5  Create the /usr/local/squid/cache directory

      - directory owner nobody,
        group nogroup, mode 2755

      drwxr-sr-x   18 nobody   nogroup      4096 Mar  2 11:17 cache

    2.6  Initialize the cache directories with the squid -z command.
          The message below appears.

      2001/03/02 03:43:53| Creating Swap Directories

      * If the message below appears instead, the directory owner or permission mode is wrong.


      2001/03/02 03:29:39| Creating Swap Directories
      FATAL: Failed to make swap directory /usr/local/squid/cache: (13) Permission denied
      Squid Cache (Version 2.3.STABLE4): Terminated abnormally.
      CPU Usage: 0.000 seconds = 0.000 user + 0.000 sys
      Maximum Resident Size: 0 KB
      Page faults with physical i/o: 8

     

    2.7  Create the /usr/local/squid/logs directory and give it the same
          owner and permission mode as the cache directory above.

      drwxr-sr-x    2 nobody   nogroup      4096 Mar  2 04:16 logs

    2.8  Run RunCache from /usr/local/squid/bin/.

      /usr/local/squid/bin/RunCache /usr/local/squid/etc/squid.conf

    2.9  Checking that it is running

      1) If it started normally, the ps ax command shows the line below.

      147 ?   S  0:08 squid -NsY -f /usr/local/squid/etc/squid.conf

      2) /usr/local/squid/squid.out contains the line below.

      Startup: Fri Mar  2 11:17:27 KST 2001

      * If the error below appears, check the logs directory.

      Running: squid -sY -f /usr/local/squid/etc/squid.conf >> /usr/local/squid/squid.out 2>&1   (5 times)
      RunCache: EXITING DUE TO REPEATED, FREQUENT FAILURES

      If it does not start normally, the error is recorded in the /usr/local/squid/squid.out file.

    2.10  Automatic start at boot

      squid must start automatically at boot, so on Debian create a script in the /etc/rc.boot directory (on Red Hat, in rc.local) containing the lines below. (The mode must be 755.)

      dongcom:/etc/rc.boot# cat 20Squid
      #!/bin/bash
      /usr/local/squid/bin/RunCache /usr/local/squid/etc/squid.conf > /dev/null &

      (20Squid is the file name.)
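      The steps in 2.5 through 2.9 (create the cache and logs directories owned by nobody/nogroup with mode 2755, run squid -z, then read squid.out) are the part that most often goes wrong, so here is an added shell example, not part of the original article, that does the directory preparation and the two checks as functions. The function names squid_prepare_dir, squid_dir_check and squid_out_status, and the use of parameters instead of the fixed /usr/local/squid paths, are this example's own choices; the strings it looks for in squid.out are the ones shown in 2.6 and 2.9.

```shell
#!/bin/sh
# Added example (not from the article): prepare and verify the squid cache/logs
# directories, and classify RunCache's squid.out the way section 2.9 describes.
# Assumed: install prefix and the nobody/nogroup identity are passed in as
# parameters, so nothing here is hard-coded to /usr/local/squid.

# Create a directory with the owner, group and mode (2755) the article requires.
# Needs root to chown to nobody; as an ordinary user, pass your own user/group.
squid_prepare_dir() {
    dir=$1; owner=$2; group=$3
    mkdir -p "$dir" || return 1
    chown "$owner:$group" "$dir" || return 1
    chmod 2755 "$dir" || return 1      # chmod after chown: chown may clear setgid
}

# Verify owner, group and permission string from "ls -ld", which is what the
# article's listing (drwxr-sr-x 18 nobody nogroup ...) shows. Returns 1 and
# prints a reason on mismatch: run this before "squid -z", whose
# "(13) Permission denied" FATAL is the symptom of getting it wrong.
squid_dir_check() {
    dir=$1; want_owner=$2; want_group=$3
    [ -d "$dir" ] || { echo "missing directory: $dir"; return 1; }
    set -- $(ls -ld "$dir")
    perm=$1; owner=$3; group=$4
    perm=${perm%[.+]}                  # drop SELinux/ACL marker some ls add
    [ "$perm" = "drwxr-sr-x" ] || { echo "$dir: mode is $perm, want drwxr-sr-x (2755)"; return 1; }
    [ "$owner" = "$want_owner" ] || { echo "$dir: owner is $owner, want $want_owner"; return 1; }
    [ "$group" = "$want_group" ] || { echo "$dir: group is $group, want $want_group"; return 1; }
    return 0
}

# Classify the squid.out file written by RunCache (section 2.9):
#   prints "ok"      when a "Startup:" line is present and no failure marker
#   prints "failed"  when RunCache gave up or squid died with a FATAL line
#   prints "unknown" otherwise (file missing or empty, squid not started yet)
squid_out_status() {
    file=$1
    [ -f "$file" ] || { echo unknown; return 2; }
    if grep -q 'EXITING DUE TO REPEATED, FREQUENT FAILURES' "$file" \
       || grep -q '^FATAL:' "$file"; then
        echo failed; return 1
    fi
    if grep -q '^Startup:' "$file"; then
        echo ok; return 0
    fi
    echo unknown; return 2
}
```

      As root, squid_prepare_dir /usr/local/squid/cache nobody nogroup followed by the same call for logs produces the listings shown in 2.5 and 2.7; squid_dir_check reports the owner or mode problem before squid -z does, and squid_out_status turns the squid.out reading in 2.9 into something a boot script or monitoring job can act on.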

       

    3. iptables configuration

    3.1 Configuration example

      Suppose the NIC on the internet side of the Linux server is interface eth0 with IP address 192.168.1.9, and the internal LAN has network address 192.168.2.0 and is attached to the Linux box's eth1 NIC (eth1's address is 192.168.2.1). The transparent proxy command is then as follows.

      /usr/local/sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 \
      -j REDIRECT --to-port 3128

      Each option in detail:

      1) -t nat : a transparent proxy also modifies the packet, so the nat table is used.

      2) -A PREROUTING : for a transparent proxy, the packet is modified before
          the route is looked up.
          (That is, it comes before routing: pre-routing.)

      3) -i eth1 : specifies the device on which the packets to be modified arrive. The internal LAN (192.168.2.0)
          is attached to eth1, and the Windows PCs on that LAN reach the internet through the
          Linux box, so the incoming device is eth1.

      4) -p tcp : apply NAT only to incoming packets that use the TCP protocol.
          www (80) connections use TCP.

      5) --dport 80 : apply NAT only when the incoming packet's destination port is 80 (www).
          ftp and telnet are therefore not affected.

      6) -j REDIRECT : a transparent proxy works by changing the port number of the incoming
          packet inside the Linux box.

      7) --to-port 3128 : change the incoming packet's destination port to 3128.
          No destination IP address is given, so the transparent proxy applies to
          all web browsing on the internet.

      Port 3128 is the port squid uses by default.

      squid.conf contains the line below.
      (It uses this number even if it is not set explicitly.)

      http_port 3128

      The command can be explained as follows.

      Packets arriving via eth1 (the internal LAN) whose protocol is TCP and whose destination port is 80 (regardless of destination address) are handed to port 3128 on the Linux box. squid, which is listening on port 3128, then connects to the packet's original destination site on the internet in the client's place, fetches the page, and passes it back to the original address. Of course, it first checks whether the page is already in the cache. (Whether the cache is used depends on the squid configuration; iptables does not control this.)

      In the end, even though no proxy was configured on the Windows PCs on the internal LAN, their packets are redirected to port 3128 and they are forced to use the proxy server (squid). The result is the same as setting the HTTP proxy server in the Windows web browser to address 192.168.2.1 (in this case) and port 3128. (Configuring the proxy server in Windows this way after setting up the transparent proxy on Linux does no harm; it is simply unnecessary work.)

    3.2 Verification

      dongcom:~# iptables -t nat -L
      Chain PREROUTING (policy ACCEPT)
      target   prot opt source        destination
      REDIRECT   tcp  --  anywhere       anywhere      tcp dpt:www redir ports 3128

    3.3 Another example

      There is nothing wrong with running a web server on the same Linux server that hosts the transparent proxy. But it makes no sense for hosts on the 192.168.2.X network to go through the proxy when accessing that server's own web data. The only difference is that the web server reads from the home page directory while the proxy server reads from its cache directory.

      If the home page data is changed frequently from the internal LAN, serving it from the proxy cache is actually a problem: until the cache is cleared, the changed home page data cannot be seen. So if the Windows machines on the internal LAN (192.168.2.X) need to see changes on the 192.168.2.1 Linux server immediately, the transparent proxy must not act on requests to http://192.168.2.1. The following method does this.

      /usr/local/sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp -d ! \
      192.168.2.1 --dport 80 -j REDIRECT --to-port 3128

      * -d ! 192.168.2.1 was added to the basic setup above. (A space is required
         between ! and 192.168.2.1.) It means: if the incoming packet's destination address (the site
         being browsed) is 192.168.2.1, do not apply the transparent proxy.

    3.4 Removing the configuration

      To remove a transparent proxy configured earlier, give the command below. Note that only the iptables rules are removed; squid keeps running. (Even with squid running, the transparent proxy does not work unless iptables redirects the port.)

       iptables -t nat -F

       

    4.  NAT configuration for internet connections other than www

    Note that the transparent proxy applies only to HTTP, that is, www (port 80) browsing (packets whose port is 80); telnet and ftp are not covered. To use telnet and ftp from the internal LAN to other hosts on the internet, SNAT must be configured in addition. The command below is required.

    #!/bin/bash
    /usr/local/sbin/iptables -t nat -A POSTROUTING -s 192.168.2.0/24 \
    -o eth0 -j SNAT --to 192.168.1.9

      1) -A POSTROUTING : SNAT is performed after routing.

      2) -s 192.168.2.0/24 : apply SNAT only to packets from the 192.168.2.0 network.

      3) -o eth0 : specifies the device through which packets leave. (eth0 is connected to the internet.)

      4) -j SNAT : Source NAT; the source address (192.168.2.x) is changed.

      5) --to 192.168.1.9 : change the source address to 192.168.1.9.

    Verification: with the above configured, the iptables -t nat -L command shows the following.

    Chain POSTROUTING (policy ACCEPT)
    target     prot opt source         destination
    SNAT       all  --  192.168.2.0/24       anywhere           to:192.168.1.9
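    Sections 3 and 4 together form one rule set: redirect LAN web traffic to squid, optionally excluding the local web server, flush the rules when needed, and SNAT everything else from the LAN. The shell script below is an added example, not the article's own, that builds that rule set from variables instead of retyped addresses; IPT, tproxy_rules and tproxy_flush are this example's own names. It prints the commands by default so the result can be reviewed without root, and it keeps the article's "-d ! address" form for the exclusion; iptables 1.4 and later put the negation before the option ("! -d address"). The forwarding note in the comments is not on this page but is needed for the SNAT rule to carry traffic.

```shell
#!/bin/sh
# Added example (not from the article): build the transparent-proxy and SNAT
# rules of sections 3 and 4 from variables. IPT defaults to printing the
# commands (dry run); set IPT=/usr/local/sbin/iptables to apply them as root.
IPT=${IPT:-"echo iptables"}

# Flush the nat table (section 3.4). squid keeps running; only the rules go.
tproxy_flush() {
    $IPT -t nat -F
}

# Emit the rules. Arguments: LAN interface, WAN interface, LAN network (CIDR),
# WAN address used for SNAT, and optionally the address of a local web server
# that must bypass the proxy (section 3.3). Assumed parameter names are this
# example's own.
tproxy_rules() {
    lan_if=$1; wan_if=$2; lan_net=$3; wan_ip=$4; local_web=$5
    # Exclusion in the article's iptables 1.2 form "-d ! addr" (a space
    # between ! and the address); iptables 1.4+ wants "! -d addr" instead.
    exclude=""
    [ -n "$local_web" ] && exclude="-d ! $local_web"
    # Section 3.1/3.3: TCP port 80 arriving on the LAN side is redirected to
    # squid on 3128 before routing, so the clients need no proxy setting.
    $IPT -t nat -A PREROUTING -i "$lan_if" -p tcp $exclude --dport 80 \
        -j REDIRECT --to-port 3128
    # Section 4: everything else from the LAN (telnet, ftp, ...) leaves the
    # WAN interface with the Linux box's own address as source.
    $IPT -t nat -A POSTROUTING -s "$lan_net" -o "$wan_if" -j SNAT --to "$wan_ip"
    # Not covered on this page: the SNAT rule only matters for packets the
    # kernel forwards, so net.ipv4.ip_forward must be 1 on the Linux box.
}

# Usage with the article's addresses (prints the commands; nothing is applied):
tproxy_flush
tproxy_rules eth1 eth0 192.168.2.0/24 192.168.1.9 192.168.2.1
```

    Running it as shown prints the flush command, the REDIRECT rule with the 192.168.2.1 exclusion, and the SNAT rule, which is exactly what iptables -t nat -L in 3.2 and 4 should then list; omit the last argument to get the plain rule of 3.1.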

     

    5. Finally

    This is redundant for anyone who knows networking, but for the transparent proxy to work, packets going out to the internet must pass through the Linux box on which it is configured. There is no way to redirect the port of packets that do not pass through it. Therefore the default gateway of every internal computer that uses the transparent proxy must be the internal IP address assigned to the Linux box.



