Run the nslookup command
Enter server <nameserver> and run it
Enter ls -d <domain> and run it

For example

command line > nslookup [Enter]
Default Server:  ns.xxxx.xxx
Address:  xxx.xxx.xxx.xxx

> server ns.zekill.pe.kr  (change the server to query)
Default Server:  ns.zekill.pe.kr
Address:  xxx.xxx.xxx.xxx

> ls -d zekill.pe.kr (give me the list~)
That spits out the whole domain list~

Well, since the zekill.pe.kr domain is on a hosting service it won't show up with this,
but on servers that are directly operated and managed the list comes right out.

You might ask what this could possibly be needed for.. but now and then there were times I needed it...
and every time it was "what was that command again..." ㅡㅡ;;;;; I'd try typing commands, and even after finally finding the command,
"what was the option again...." then rummage through help and go "ah.. right~~~"... honestly
with a memory as bad as mine... I have to at least write it down like this... it's not like I use it often anyway... ㅋㅋㅋ
2007/09/01 23:30
To map a drive or disconnect one using the net use command, do the following.

//Connecting
1. Click Start, then click Run.
2. In the Open box, type cmd.
3. Type net use x: \\computer name\share name
    where x: is the drive letter to assign to the shared resource.
    To disconnect from a mapped drive, do the following.

//Disconnecting
1. Click Start, then click Run.
2. In the Open box, type cmd.
3. Type net use x: /delete, where x: is the drive letter of the shared resource.

=================================================

Hmm, the thing is, occasionally when an account identical to the one on my local PC had been created on the server,
once I'd opened a shared folder I sometimes couldn't reconnect with a different account.
When I really needed to, I even resorted to the crude method of rebooting the computer,
but net use * /delete, a command that simply drops all connections the same way they were made,
makes it ask for an account again when you try to reconnect..... ah... it's obvious if you think about it a little....
How can I be this dumb...ㅡㅡ;;;;;;;
2007/09/01 23:29

My first DNS setup notes

Operating systems/services 2007/09/01 23:28 posted by zekill
Way back when, I had Linux at home and scribbled this down saying I'd study it a bit...ㅋㅋ
Looking at it now while organizing, it feels new...ㅋㅋ

=====================================

/etc/named.conf
######################################################
// generated by named-bootconf.pl

options {
        directory "/var/named";
        /*
         * If there is a firewall between you and nameservers you want
         * to talk to, you might need to uncomment the query-source
         * directive below.  Previous versions of BIND always asked
         * questions using port 53, but BIND 8.1 uses an unprivileged
         * port by default.
         */
        // query-source address * port 53;
};

//
// a caching only nameserver config
//
zone "." IN {
        type hint;
        file "named.root";
};

zone "localhost" IN {
        type master;
        file "zone-localhost";
        allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
        type master;
        file "zone-0.0.127.in-addr.arpa";
        allow-update { none; };
};

zone "zekill.pe.kr" IN {
        type master;
        file "zone-zekill.pe.kr";
        allow-transfer { none; };  // was misspelled "allow-transter", which named reports as a config error
};

zone "xxx.xxx.xxx.in-addr.arpa" IN {
        type master;
        file "zone-xxx.xxx.xxx.in-addr.arpa";
        allow-transfer { none; };  // was misspelled "allow-transter", which named reports as a config error
};

key "key" {
        algorithm hmac-md5;
        secret "mtkPOlnHDiZLQQRFkDuFhBIxEPpSaEFZoWUpjhoTrBOcZaQdbYRhhryEMOpf";
};
######################################################

/var/named/zone-zekill.pe.kr
############################################
$TTL    86400
$ORIGIN zekill.pe.kr.    ; zone apex; was ns.zekill.pe.kr., which put the SOA off the apex
@               IN      SOA     ns.zekill.pe.kr.    root.zekill.pe.kr.
(
                        20020613      ;Serial
                        10800           ;Refresh
                        3600            ;Retry
                        3600000         ;Expire
                        43200           ;Minimum
)

                IN      NS      ns.zekill.pe.kr.

                IN      A       xxx.xxx.xxx.xxx
                IN      HINFO   "Intel Pentium" "Linux"


localhost       IN      A       127.0.0.1
ns              IN      A       xxx.xxx.xxx.xxx
maruta          IN      A       xxx.xxx.xxx.xxx
www             IN      A       xxx.xxx.xxx.xxx
ftp             IN      CNAME   @
###########################################
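A checker for the two defects shown in the files above (a misspelled zone option such as allow-transter, which named reports as a configuration error, and a $ORIGIN that does not match the zone name, which puts the SOA off the apex), added here as an example and not code from the original post. It also covers the first post: a master zone with no allow-transfer statement falls back to BIND's traditional default of allow-transfer { any; }, which is exactly what the nslookup ls -d listing relies on. The sample config and zone text are constructed to mirror the posted files, and KNOWN_ZONE_OPTIONS is a hand-picked subset of BIND's zone options.

```python
"""Checks for a named.conf and zone file laid out like the posted ones.
Added example, not code from the original post: flags unknown or missing
allow-transfer on master zones and a $ORIGIN that is not the zone apex."""
import re

# Zone-block options this checker recognises (a subset of BIND's list).
KNOWN_ZONE_OPTIONS = {"type", "file", "masters", "notify", "also-notify",
                      "allow-update", "allow-transfer", "allow-query"}

def zone_blocks(conf):
    """Yield (zone name, body) per zone block, counting braces so a
    nested `{ none; }` address list does not end the block early."""
    for m in re.finditer(r'zone\s+"([^"]+)"[^{]*\{', conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield m.group(1), conf[m.end():i - 1]

def zone_options(body):
    """Map option name -> value text; nested lists are collapsed first."""
    body = re.sub(r"//[^\n]*", "", body)          # drop // comments
    body = re.sub(r"\{[^{}]*\}", "{...}", body)    # collapse { none; }
    opts = {}
    for stmt in body.split(";"):
        parts = stmt.split(None, 1)
        if parts:
            opts[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return opts

def check_named_conf(conf):
    """Return (zone, message) findings: unknown (misspelled) options and
    master zones that never restrict zone transfers (default: any)."""
    findings = []
    for name, body in zone_blocks(conf):
        opts = zone_options(body)
        findings += [(name, f"unknown option '{k}' (typo?)")
                     for k in opts if k not in KNOWN_ZONE_OPTIONS]
        if opts.get("type") == "master" and "allow-transfer" not in opts:
            findings.append((name, "master zone without allow-transfer"))
    return findings

def check_zone_apex(zone_name, zone_text):
    """Return None when the SOA owner is the zone apex, else a message.
    Tracks $ORIGIN and expands '@' and relative owner names like named."""
    apex = zone_name.rstrip(".").lower() + "."
    origin = apex
    for line in zone_text.splitlines():
        tokens = line.split(";")[0].split()    # ';' starts a comment
        if tokens and tokens[0] == "$ORIGIN":
            origin = tokens[1].lower()
        elif "SOA" in tokens:
            owner = tokens[0].lower()
            if owner == "@":
                owner = origin
            elif not owner.endswith("."):
                owner = f"{owner}.{origin}"
            return None if owner == apex else f"SOA owner {owner} is not the apex {apex}"
    return "no SOA record found"

# Constructed samples reproducing the defects in the posted files.
SAMPLE_CONF = '''
zone "." IN { type hint; file "named.root"; };
zone "localhost" IN { type master; file "zone-localhost"; allow-update { none; }; };
zone "zekill.pe.kr" IN { type master; file "zone-zekill.pe.kr";
                         allow-transter { none; }; };
'''
SAMPLE_ZONE = """$TTL 86400
$ORIGIN ns.zekill.pe.kr.
@   IN  SOA  ns.zekill.pe.kr. root.zekill.pe.kr. ( 20020613 10800 3600 3600000 43200 )
"""
```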


/var/named/zone-xxx.xxx.xxx.in-addr.arpa
###########################################
$TTL    86400
@       IN      SOA     ns.zekill.pe.kr. root.ns.zekill.pe.kr.  (
                                      20020613 ; Serial
                                      28800      ; Refresh
                                      14400      ; Retry
                                      3600000    ; Expire
                                      86400 )    ; Minimum
              IN      NS      ns.zekill.pe.kr.

20       IN      PTR     ns.zekill.pe.kr.
###########################################


/var/named/zone-localhost
###########################################
$TTL    86400
$ORIGIN localhost.
@                       1D IN SOA       @ root (
                                        42              ; serial (d. adams)
                                        3H              ; refresh
                                        15M             ; retry
                                        1W              ; expiry
                                        1D )            ; minimum

                        1D IN NS        @
                        1D IN A         127.0.0.1
###########################################


/var/named/zone-0.0.127.in-addr.arpa
###########################################
$TTL    86400
@       IN      SOA     localhost. root.localhost.  (
                                      1997022700 ; Serial
                                      28800      ; Refresh
                                      14400      ; Retry
                                      3600000    ; Expire
                                      86400 )    ; Minimum
              IN      NS      localhost.

1       IN      PTR     localhost.
###########################################


/etc/host.conf
###########################################
# Lookup names via /etc/hosts first, then by DNS query
order hosts, bind
# We don't have machines with multiple addresses
multi on
###########################################


/etc/hosts
###########################################
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1               maruta localhost.localdomain localhost
xxx.xxx.xxx.20          maruta ns.zekill.pe.kr ns
###########################################
2007/09/01 23:28
Copying Uiheon hyung's firewall... kakaka, maybe it'll look a bit better...ㅜㅜ
Hmm... I'll probably get scolded by Uiheon hyung..-0-a

#!/bin/sh
#############################################
#
# Firewall configuration -- zekill@shinbiro.com
#
#############################################
# Main configuration
IPTABLES="/usr/local/sbin/iptables"

# INTERNET IP
INTERNET_PRIV7="xxx.xxx.xxx.234"
INTERNET_PRIV6="xxx.xxx.xxx.235"
INTERNET_PRIV5="xxx.xxx.xxx.236"
INTERNET_PRIV4="xxx.xxx.xxx.237"
INTERNET_PRIV3="xxx.xxx.xxx.238"
INTERNET_PRIV2="xxx.xxx.xxx.239"
INTERNET_PRIV1="xxx.xxx.xxx.240"
INTERNET_USER="xxx.xxx.xxx.241"

INTERNET_FILE="xxx.xxx.xxx.248"
INTERNET_HTTP2="xxx.xxx.xxx.249"
INTERNET_HTTP1="xxx.xxx.xxx.250"
INTERNET_LCL="xxx.xxx.xxx.251"
INTERNET_DNS_SUB="xxx.xxx.xxx.252" #sub dns
INTERNET_SMTP="xxx.xxx.xxx.253"
INTERNET_POP3="xxx.xxx.xxx.253"
INTERNET_DNS_MAIN="xxx.xxx.xxx.253" #main dns

# INTERNAL IP
INTERNAL_LAN="100.100.100.0/24"
INTERNAL_LCL="100.100.100.1"
INTERNAL_DNS="100.100.100.2"
INTERNAL_SMTP="100.100.100.2"
INTERNAL_POP3="100.100.100.2"
INTERNAL_DOTNET="100.100.100.3"
INTERNAL_HTTP1="100.100.100.4"
INTERNAL_HTTP2="100.100.100.5"
INTERNAL_FILE="100.100.100.6"
INTERNAL_IBFILE="100.100.100.7"
INTERNAL_XP="100.100.100.8"

INTERNAL_USER="100.100.100.11-100.100.100.250"


# Let's load it!
echo "Loading zekill firewall:"

# Check that iptables is installed
echo -n "Checking configuration..."
if ! [ -x $IPTABLES ] ; then
    echo
    echo "ERROR IN CONFIGURATION: IPTABLES doesn't exist or isn't executable!"
    exit 1
fi
echo "passed"

# Enable IP forwarding
if [ -e /proc/sys/net/ipv4/ip_forward ] ; then
    echo 1 > /proc/sys/net/ipv4/ip_forward
else
    echo "ip_forward not found"
fi
# Rather than the above, do this once instead:
# adding net.ipv4.ip_forward=1 to /etc/sysctl.conf has the same effect as the block above

# Enable TCP Syncookies
if [ -e /proc/sys/net/ipv4/tcp_syncookies ] ; then
    echo 1 > /proc/sys/net/ipv4/tcp_syncookies
else
    echo "tcp_syncookies support not found"
fi

# Ignore bogus (undefined) ICMP error responses
if [ -e /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses ] ; then
    echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
else
    echo "icmp_ignore_bogus_error_responses support not found"
fi

# Log packets whose source looks spoofed (martians)
if [ -e /proc/sys/net/ipv4/conf/all/log_martians ] ; then
    echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
else
    echo "log_martians support not found"
fi

# Block spoofing (reverse-path filtering on every interface)
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ] ; then
  for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do
       echo 1 > $f
  done
else
    echo "rp_filter support not found"
fi

# Ignore ICMP echo requests sent to broadcast/multicast addresses
# (protection against "smurf" attacks)
# applies to kernel 2.2 and later
if [ -e /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts ] ; then
   echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
else
    echo "icmp_echo_ignore_broadcasts support not found"
fi


#########################################################
# Flush chains
#########################################################
${IPTABLES} -F
${IPTABLES} -X
${IPTABLES} -t nat -F
${IPTABLES} -t nat -X
${IPTABLES} -t filter -F INPUT
${IPTABLES} -t filter -F OUTPUT
${IPTABLES} -t filter -F FORWARD
${IPTABLES} -t nat    -F PREROUTING
${IPTABLES} -t nat    -F OUTPUT
${IPTABLES} -t nat    -F POSTROUTING
${IPTABLES} -t mangle -F PREROUTING
${IPTABLES} -t mangle -F OUTPUT


#########################################################
# Default policies
#########################################################
${IPTABLES} -t filter -P INPUT DROP
${IPTABLES} -t filter -P OUTPUT DROP
${IPTABLES} -t filter -P FORWARD DROP

#########################################################
# 127.0.0.0/8 used to need an entry in INTERNAL_LAN
#########################################################
${IPTABLES} -t filter -A INPUT -s 127.0.0.1 -j ACCEPT


#########################################################
# Local traffic to internet or crossing subnets
#########################################################
${IPTABLES} -t filter -A INPUT   -s ${INTERNAL_LAN}  -d 0/0             -j ACCEPT
${IPTABLES} -t filter -A INPUT   -s 0/0              -d ${INTERNAL_LAN} -j ACCEPT
${IPTABLES} -t filter -A FORWARD -s ${INTERNAL_LAN}  -d 0/0             -j ACCEPT
${IPTABLES} -t filter -A FORWARD -s 0/0              -d ${INTERNAL_LAN} -j ACCEPT
#${IPTABLES} -t filter -A FORWARD -d ${INTERNAL_LAN} -m state --state ESTABLISHED,RELATED -j ACCEPT


#########################################################
# Source NAT
#########################################################
${IPTABLES} -t nat -A POSTROUTING -s ${INTERNAL_DNS}     -o eth0 -j SNAT --to ${INTERNET_DNS_MAIN}
${IPTABLES} -t nat -A POSTROUTING -s ${INTERNAL_SMTP}    -o eth0 -j SNAT --to ${INTERNET_SMTP}
${IPTABLES} -t nat -A POSTROUTING -s ${INTERNAL_POP3}    -o eth0 -j SNAT --to ${INTERNET_POP3}
${IPTABLES} -t nat -A POSTROUTING -s ${INTERNAL_HTTP1}   -o eth0 -j SNAT --to ${INTERNET_HTTP1}
${IPTABLES} -t nat -A POSTROUTING -s ${INTERNAL_HTTP2}   -o eth0 -j SNAT --to ${INTERNET_HTTP2}
${IPTABLES} -t nat -A POSTROUTING -s ${INTERNAL_LAN}     -o eth0 -j SNAT --to ${INTERNET_USER}



#########################################################
# Masquerading
#########################################################
#${IPTABLES} -t nat -A POSTROUTING -s ${INTERNAL_LAN}     -o eth0 -j MASQUERADE


#########################################################
# Port Forwarding
#########################################################
# SMTP
${IPTABLES} -t nat -A PREROUTING -i eth0 -m tcp -p TCP -s 0/0 -d ${INTERNET_SMTP}  --dport 25 -j DNAT --to ${INTERNAL_SMTP}:25
# DNS
${IPTABLES} -t nat -A PREROUTING -i eth0 -m tcp -p TCP -s 0/0 -d ${INTERNET_DNS_MAIN}   --dport 53 -j DNAT --to ${INTERNAL_DNS}:53
${IPTABLES} -t nat -A PREROUTING -i eth0 -m udp -p UDP -s 0/0 -d ${INTERNET_DNS_MAIN}   --dport 53 -j DNAT --to ${INTERNAL_DNS}:53
${IPTABLES} -t nat -A PREROUTING -i eth0 -m tcp -p TCP -s 0/0 -d ${INTERNET_DNS_SUB}    --dport 53 -j DNAT --to ${INTERNAL_DNS}:53
${IPTABLES} -t nat -A PREROUTING -i eth0 -m udp -p UDP -s 0/0 -d ${INTERNET_DNS_SUB}    --dport 53 -j DNAT --to ${INTERNAL_DNS}:53
# HTTP
${IPTABLES} -t nat -A PREROUTING -i eth0 -m tcp -p TCP -s 0/0 -d ${INTERNET_HTTP1} --dport 80 -j DNAT --to ${INTERNAL_HTTP1}:80
${IPTABLES} -t nat -A PREROUTING -i eth0 -m tcp -p TCP -s 0/0 -d ${INTERNET_HTTP2} --dport 8000 -j DNAT --to ${INTERNAL_HTTP2}:8000
# POP3
${IPTABLES} -t nat -A PREROUTING -i eth0 -m tcp -p TCP -s 0/0 -d ${INTERNET_POP3} --dport 110 -j DNAT --to ${INTERNAL_POP3}:110

# MMS
${IPTABLES} -t nat -A PREROUTING -i eth0 -m tcp -p TCP -s 0/0 -d ${INTERNET_FILE} --dport 1755 -j DNAT --to ${INTERNAL_FILE}:1755
${IPTABLES} -t nat -A PREROUTING -i eth0 -m udp -p UDP -s 0/0 -d ${INTERNET_FILE} --dport 1755 -j DNAT --to ${INTERNAL_FILE}:1755

${IPTABLES} -t nat -A PREROUTING -i eth0 -m tcp -p TCP -s 0/0 -d ${INTERNET_HTTP2} --dport 1755 -j DNAT --to ${INTERNAL_HTTP2}:1755
${IPTABLES} -t nat -A PREROUTING -i eth0 -m udp -p UDP -s 0/0 -d ${INTERNET_HTTP2} --dport 1755 -j DNAT --to ${INTERNAL_HTTP2}:1755


# msn-dcc
${IPTABLES} -t nat -A PREROUTING -i eth0 -m tcp -p TCP -s 0/0 -d ${INTERNET_USER} --dport 6891:6901 -j DNAT --to-destination ${INTERNAL_USER}:6891-6901
# soribada-dcc
${IPTABLES} -t nat -A PREROUTING -i eth0 -m tcp -p TCP -s 0/0 -d ${INTERNET_USER} --dport 9001:9004 -j DNAT --to-destination ${INTERNAL_USER}:9001-9004
# soribada-dcc
${IPTABLES} -t nat -A PREROUTING -i eth0 -m udp -p UDP -s 0/0 -d ${INTERNET_USER} --dport 9001:9004 -j DNAT --to-destination ${INTERNAL_USER}:9001-9004
# Terminal
${IPTABLES} -t nat -A PREROUTING -p TCP -s 0/0 -d  ${INTERNET_HTTP2}   --dport 3389 -j DNAT --to ${INTERNAL_HTTP2}:3389
# FTP
#${IPTABLES} -t nat -A PREROUTING -p TCP -s 0/0 -d  ${INTERNET_LCL}   --dport 21 -j DNAT --to 100.100.100.113:21
${IPTABLES} -t nat -A PREROUTING -p TCP -s 0/0 -d  ${INTERNET_HTTP2}   --dport 209 -j DNAT --to ${INTERNAL_HTTP2}:209
${IPTABLES} -t nat -A PREROUTING -p TCP -s 0/0 -d  ${INTERNET_HTTP2}   --dport 210 -j DNAT --to ${INTERNAL_HTTP2}:210


#PRIV1
${IPTABLES} -t nat -A PREROUTING -p TCP -s 0/0 -d ${INTERNET_PRIV1}   --dport 20   -j DNAT --to 100.100.100.111:20
${IPTABLES} -t nat -A PREROUTING -p TCP -s 0/0 -d ${INTERNET_PRIV1}   --dport 21   -j DNAT --to 100.100.100.111:21
${IPTABLES} -t nat -A PREROUTING -p TCP -s 0/0 -d ${INTERNET_PRIV1}   --dport 53   -j DNAT --to 100.100.100.111:53
${IPTABLES} -t nat -A PREROUTING -p UDP -s 0/0 -d ${INTERNET_PRIV1}   --dport 53   -j DNAT --to 100.100.100.111:53
${IPTABLES} -t nat -A PREROUTING -p TCP -s 0/0 -d ${INTERNET_PRIV1}   --dport 88   -j DNAT --to 100.100.100.111:88
${IPTABLES} -t nat -A PREROUTING -p TCP -s 0/0 -d ${INTERNET_PRIV1}   --dport 3389 -j DNAT --to 100.100.100.111:3389

#PRIV2
${IPTABLES} -t nat -A PREROUTING -p TCP -s 0/0 -d ${INTERNET_PRIV2}   --dport 20   -j DNAT --to 100.100.100.113:20
${IPTABLES} -t nat -A PREROUTING -p TCP -s 0/0 -d ${INTERNET_PRIV2}   --dport 21   -j DNAT --to 100.100.100.113:21

#PRIV3
${IPTABLES} -t nat -A PREROUTING -p TCP -s 0/0 -d ${INTERNET_PRIV3}   --dport 20   -j DNAT --to 100.100.100.108:20
${IPTABLES} -t nat -A PREROUTING -p TCP -s 0/0 -d ${INTERNET_PRIV3}   --dport 21   -j DNAT --to 100.100.100.108:21
${IPTABLES} -t nat -A PREROUTING -p TCP -s 0/0 -d ${INTERNET_PRIV3}   --dport 8080 -j DNAT --to 100.100.100.108:80
${IPTABLES} -t nat -A PREROUTING -p TCP -s 0/0 -d ${INTERNET_PRIV3}   --dport 3389 -j DNAT --to 100.100.100.108:3389

#PRIV4
${IPTABLES} -t nat -A PREROUTING -p TCP -s 0/0 -d ${INTERNET_PRIV4}   --dport 20   -j DNAT --to 100.100.100.106:20
${IPTABLES} -t nat -A PREROUTING -p TCP -s 0/0 -d ${INTERNET_PRIV4}   --dport 21   -j DNAT --to 100.100.100.106:21
${IPTABLES} -t nat -A PREROUTING -p TCP -s 0/0 -d ${INTERNET_PRIV4}   --dport 3389 -j DNAT --to 100.100.100.106:3389

#PRIV5
${IPTABLES} -t nat -A PREROUTING -p TCP -s 0/0 -d ${INTERNET_PRIV5}   --dport 3389 -j DNAT --to 100.100.100.107:3389
${IPTABLES} -t nat -A PREROUTING -p TCP -s 0/0 -d ${INTERNET_PRIV5}   --dport 8000 -j DNAT --to 100.100.100.107:8000

#PRIV6
${IPTABLES} -t nat -A PREROUTING -p TCP -s 0/0 -d ${INTERNET_PRIV6}   --dport 20   -j DNAT --to 100.100.100.112:20
${IPTABLES} -t nat -A PREROUTING -p TCP -s 0/0 -d ${INTERNET_PRIV6}   --dport 21   -j DNAT --to 100.100.100.112:21
${IPTABLES} -t nat -A PREROUTING -p TCP -s 0/0 -d ${INTERNET_PRIV6}   --dport 4000 -j DNAT --to 100.100.100.112:4000


#########################################################
# Default policy for packets arriving on eth0 (all protocols and ports)
#########################################################
${IPTABLES} -N Gl-In
${IPTABLES} -A INPUT -i eth0 -j Gl-In
# Ping Floods (ICMP echo-request)
${IPTABLES} -A Gl-In -m icmp -p ICMP  --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
# pong accept
${IPTABLES} -A Gl-In -m icmp -p ICMP  --icmp-type echo-reply                        -j ACCEPT
# Allowing the rest of the ICMP messages in...
${IPTABLES} -A Gl-In -m icmp -p ICMP  --icmp-type ! echo-request                    -j ACCEPT
# Accept non-SYN TCP (packets of already-open connections); new SYNs must match a port rule below
${IPTABLES} -A Gl-In -m tcp  -p TCP ! --syn                                         -j ACCEPT
# ftp
${IPTABLES} -A Gl-In -m tcp -p TCP --dport 20                                       -j ACCEPT
${IPTABLES} -A Gl-In -m tcp -p TCP --dport 21                                       -j ACCEPT
# SMTP accept
${IPTABLES} -A Gl-In -m tcp -p TCP --dport 25                                       -j ACCEPT
# dns c/s accept
${IPTABLES} -A Gl-In -m tcp -p TCP --dport 53                                       -j ACCEPT
${IPTABLES} -A Gl-In -m udp -p UDP --dport 53                                       -j ACCEPT
# http
${IPTABLES} -A Gl-In -m tcp -p TCP --dport 80                                       -j ACCEPT
${IPTABLES} -A Gl-In -m tcp -p TCP --dport 8000                                       -j ACCEPT

# pop3
${IPTABLES} -A Gl-In -m tcp -p TCP --dport 110                                      -j ACCEPT

# msn
${IPTABLES} -A Gl-In -m tcp -p TCP --dport 6891:6901                                      -j ACCEPT


#########################################################
# Default policy for traffic leaving on eth0
#########################################################
${IPTABLES} -N Gl-Out
${IPTABLES} -t filter -A OUTPUT -o eth0 -j Gl-Out
${IPTABLES} -A Gl-Out -m state --state ESTABLISHED,RELATED      -j ACCEPT
${IPTABLES} -A Gl-Out -s 0/0                -d ${INTERNAL_LAN}  -j ACCEPT
${IPTABLES} -A Gl-Out -s ${INTERNAL_LAN}    -d 0/0              -j ACCEPT
${IPTABLES} -A Gl-Out                                           -j DROP


#########################################################
# Default policy for traffic arriving on eth1
#########################################################
${IPTABLES} -N zk-In
${IPTABLES} -A INPUT -i eth1 -j zk-In
${IPTABLES} -A zk-In -p TCP  -m state --state NEW -s ${INTERNAL_LAN} -j ACCEPT
${IPTABLES} -A zk-In         -m state --state ESTABLISHED,RELATED    -j ACCEPT
${IPTABLES} -A zk-In -s ${INTERNAL_LAN} -d 0/0                       -j ACCEPT
${IPTABLES} -A zk-In -s 0/0             -d ${INTERNAL_LAN}           -j ACCEPT
${IPTABLES} -A zk-In                                                 -j DROP


#########################################################
# Default policy for traffic leaving on eth1
#########################################################
${IPTABLES} -N zk-Out
${IPTABLES} -t filter -A OUTPUT -o eth1 -j zk-Out
${IPTABLES} -A zk-Out -m state --state ESTABLISHED,RELATED               -j ACCEPT
${IPTABLES} -A zk-Out -p TCP -s 0/0                -d ${INTERNAL_LAN}    -j ACCEPT
${IPTABLES} -A zk-Out -p TCP -s ${INTERNAL_LAN}    -d 0/0                -j ACCEPT
${IPTABLES} -A zk-Out                                                    -j DROP


#########################################################
# Default policy for forwarded traffic
#########################################################
${IPTABLES} -N zk-FORWARD
${IPTABLES} -t filter -A FORWARD -j zk-FORWARD
${IPTABLES} -A zk-FORWARD -m state --state ESTABLISHED,RELATED          -j ACCEPT
${IPTABLES} -A zk-FORWARD -d 0/0 -i eth0 -p tcp --syn --dport 6891:6901 -j ACCEPT # msn-dcc
${IPTABLES} -A zk-FORWARD -d 0/0 -i eth0 -p tcp --syn --dport 9001:9004 -j ACCEPT # Soribada
${IPTABLES} -A zk-FORWARD -d 0/0 -i eth0 -p udp       --dport 9001:9004 -j ACCEPT # Soribada

# String inspection (reset HTTP requests carrying known worm URL fragments)
${IPTABLES} -A zk-FORWARD -p tcp --tcp-flags ACK ACK --dport 80 -m string --string "default.ida" -j REJECT --reject-with tcp-reset
${IPTABLES} -A zk-FORWARD -p tcp --tcp-flags ACK ACK --dport 80 -m string --string "cmd.exe"     -j REJECT --reject-with tcp-reset
${IPTABLES} -A zk-FORWARD -p tcp --tcp-flags ACK ACK --dport 80 -m string --string "root.exe"    -j REJECT --reject-with tcp-reset

${IPTABLES} -A zk-FORWARD                                               -j ACCEPT


#########################################################
# Service mangle optimizations
#########################################################
${IPTABLES} -t mangle -A OUTPUT -p tcp --dport 22 -j TOS --set-tos Minimize-Delay
${IPTABLES} -t mangle -A OUTPUT -p tcp --dport 20 -j TOS --set-tos Minimize-Cost
${IPTABLES} -t mangle -A OUTPUT -p tcp --dport 21 -j TOS --set-tos Minimize-Delay


#########################################################
# Include Modules
#########################################################
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_conntrack_ftp


#All done!
echo "Done loading the firewall!"


# -- zekill@shinbiro.com
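An audit of the /proc/sys knobs the script above writes, added here as an example and not part of the original post: it reads the live values, reports any that differ from the script's targets, and renders the same settings in the /etc/sysctl.conf form the script's own comment recommends over echoing into /proc. The key list mirrors the script's paths; the rp_filter `default` entry is an assumption added so interfaces created after boot are covered too.

```python
"""Audit of the kernel network knobs the firewall script above writes
into /proc/sys, plus their persistent /etc/sysctl.conf form. Added
example, not part of the original post; target values are the script's."""
import os

# sysctl key -> value the script sets. rp_filter is listed for the 'all'
# and 'default' entries (the script's glob conf/*/rp_filter covers every
# interface present when it runs; 'default' is an added assumption).
EXPECTED = {
    "net.ipv4.ip_forward": "1",                        # router role
    "net.ipv4.tcp_syncookies": "1",                    # SYN floods
    "net.ipv4.icmp_ignore_bogus_error_responses": "1",
    "net.ipv4.conf.all.log_martians": "1",             # log spoofed sources
    "net.ipv4.conf.all.rp_filter": "1",                # reverse-path check
    "net.ipv4.conf.default.rp_filter": "1",
    "net.ipv4.icmp_echo_ignore_broadcasts": "1",       # smurf
}

def proc_path(key):
    """net.ipv4.conf.all.rp_filter -> /proc/sys/net/ipv4/conf/all/rp_filter"""
    return "/proc/sys/" + key.replace(".", "/")

def read_current(keys=EXPECTED):
    """Read live values; a missing file maps to None, matching the
    script's 'support not found' branches."""
    current = {}
    for key in keys:
        path = proc_path(key)
        if os.path.isfile(path):
            with open(path) as fh:
                current[key] = fh.read().strip()
        else:
            current[key] = None
    return current

def audit(current, expected=EXPECTED):
    """Return [(key, expected, actual)] for each knob not at its target."""
    return [(k, v, current.get(k))
            for k, v in expected.items() if current.get(k) != v]

def sysctl_conf(expected=EXPECTED):
    """Render the same settings as /etc/sysctl.conf lines, the persistent
    form the script's comment recommends over echoing into /proc."""
    return "".join(f"{k} = {v}\n" for k, v in expected.items())

if __name__ == "__main__":
    for key, want, got in audit(read_current()):
        print(f"{key}: expected {want}, got {got}")
```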
2007/09/01 23:28
##################################################
# iptables script                                #
# written by zekill                              #
# DO NOT USE THE -t (table) OPTION IN THIS FILE! #
##################################################

*filter
# default
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

# loopback accept
-A INPUT -s 127.0.0.1 -j ACCEPT

# local ip accept
-A INPUT -s 192.168.0.0/24 -j ACCEPT
-A FORWARD -s 192.168.0.0/24 -j ACCEPT
-A FORWARD -d 192.168.0.0/24 -j ACCEPT

# accept non-SYN TCP (existing connections); new SYNs must match a port rule below
-A INPUT -i eth0 -m tcp -p TCP ! --syn -j ACCEPT

# dns c/s accept
#-A INPUT -i eth0 -m tcp -p TCP --dport 53 -j ACCEPT
#-A INPUT -i eth0 -m udp -p UDP --dport 53 -j ACCEPT

# ftp
-A INPUT -i eth0 -m tcp -p TCP --dport 209 -j ACCEPT
-A INPUT -i eth0 -m tcp -p TCP --dport 210 -j ACCEPT

# http & ssl
-A INPUT -i eth0 -m tcp -p TCP --dport 8000 -j ACCEPT
#-A INPUT -i eth0 -m tcp -p TCP --dport 443 -j ACCEPT

# pong accept
-A INPUT -i eth0 -m icmp -p ICMP --icmp-type echo-reply -j ACCEPT

# established & related Accept (ex: ftp-data connect)
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# my IB com
-A INPUT -s xxx.xxx.xxx.0/24 -j ACCEPT

COMMIT

*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

# start address change
#-A POSTROUTING -s 192.168.0.0/24 -o eth0 -j SNAT --to xxx.xxx.xxx.20

# Masquerade
-A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE

# ftp posting
#-A PREROUTING -i eth0 -m tcp -p TCP --dport 209 -j DNAT --to 192.168.0.2:209
#-A PREROUTING -i eth0 -m tcp -p TCP --dport 210 -j DNAT --to 192.168.0.2:210

# http & ssl posting
#-A PREROUTING -i eth0 -m tcp -p TCP --dport 8000 -j DNAT --to 192.168.0.2:80
#-A PREROUTING -i eth0 -m tcp -p TCP --dport 443 -j DNAT --to 192.168.0.2:443

# Terminal Service posting
-A PREROUTING -i eth0 -m tcp -p TCP --dport 3389 -j DNAT --to 192.168.0.2:3389

COMMIT

*mangle
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

-A PREROUTING -p tcp --sport 22 -j TOS --set-tos Minimize-Delay
-A PREROUTING -p tcp --sport 210 -j TOS --set-tos Minimize-Delay
-A PREROUTING -p tcp --sport 209 -j TOS --set-tos Maximize-Throughput

-A OUTPUT -p tcp --dport 22 -j TOS --set-tos Minimize-Delay
-A OUTPUT -p tcp --dport 210 -j TOS --set-tos Minimize-Delay
-A OUTPUT -p tcp --dport 209 -j TOS --set-tos Maximize-Throughput

COMMIT
2007/09/01 23:27