방화벽, dhcp, nat, multilayer 스위치, GW 한 개에 ip 두 개 설정하기

2025. 7. 1. 17:50·Network

 

 

****

ip helper-address 적용하는 것

리눅스에 nat를 걸어야 하는 것

리눅스에 ip route 설정

각 라우터마다 default 라우트 설정 

multi layer, 라우터 gw 설정

 

 

-> relay agent(DHCP 서버까지 가는 데 지나갈 라우터가 1개 초과)가 되어 있으니까 DHCP 67 포트가 열려 있다.

68번 포트는 클라이언트가 있는 내부 구간에서만 쓰인다.

그래서 relay를 거쳐 지나가는 라우터 구간은 = 67 port

dhcp server = 67 port

 

R1
configure terminal
! Access switch for the VLAN 10/20 hosts; uplink to R2 on FastEthernet3/2.
vlan 10
 name v10
vlan 20
 name v20
exit
interface FastEthernet3/0
 switchport mode access
 switchport access vlan 10
interface FastEthernet3/1
 switchport mode access
 switchport access vlan 20
interface FastEthernet3/2
 ! encapsulation is set before the mode: some platforms reject
 ! "mode trunk" while the encapsulation is still auto
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ! 1002-1005 are the reserved default VLANs; VLAN 1 (the default native VLAN)
 ! is carried as well.
 ! NOTE(review): a dedicated unused native VLAN plus "switchport nonegotiate"
 ! would harden this trunk against VLAN hopping - lab choice, confirm.
 switchport trunk allowed vlan 1,10,20,1002-1005

R2
configure terminal
! Multilayer switch for VLAN 10/20: SVIs are the hosts' gateways and relay
! DHCP to the Linux server at 100.100.100.254; uplink to R3 via 50.50.50.0/24.
vlan 10
 name v10
vlan 20
 name v20
exit
interface FastEthernet3/0
 ! encapsulation before mode: some platforms reject "mode trunk" while
 ! the encapsulation is still auto
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 1,10,20,1002-1005
interface FastEthernet0/0
 ip address 50.50.50.2 255.255.255.0
 no shutdown
interface Vlan10
 ip address 10.10.10.254 255.255.255.0
 ! relay: DHCP broadcasts from VLAN 10 are forwarded as unicast to the server;
 ! the relayed packets carry this SVI's address, which the firewall matches on
 ip helper-address 100.100.100.254
 no shutdown
interface Vlan20
 ip address 20.20.20.254 255.255.255.0
 ip helper-address 100.100.100.254
 no shutdown
! default toward R3; the remaining lab prefixes come from OSPF
ip route 0.0.0.0 0.0.0.0 50.50.50.3
! NOTE(review): OSPF area 1 runs without authentication; enabling it would
! keep a rogue neighbour from injecting routes - lab choice, confirm.
router ospf 1
 network 10.10.10.0 0.0.0.255 area 1
 network 20.20.20.0 0.0.0.255 area 1
 network 50.50.50.0 0.0.0.255 area 1

R3
configure terminal
! Core router between R2 (50.x), R4 (70.x) and R7 (80.x).
interface FastEthernet0/0
 ip address 50.50.50.3 255.255.255.0
 no shutdown
interface FastEthernet0/1
 ip address 80.80.80.3 255.255.255.0
 no shutdown
interface FastEthernet1/0
 ip address 70.70.70.3 255.255.255.0
 no shutdown
! default toward R7; the lab prefixes are learned from OSPF
ip route 0.0.0.0 0.0.0.0 80.80.80.7
router ospf 1
 network 50.50.50.0 0.0.0.255 area 1
 network 70.70.70.0 0.0.0.255 area 1
 network 80.80.80.0 0.0.0.255 area 1


R4
configure terminal
! Core router between R5 (60.x), R3 (70.x) and R7 (90.x).
interface FastEthernet0/0
 ip address 60.60.60.4 255.255.255.0
 no shutdown
interface FastEthernet0/1
 ip address 90.90.90.4 255.255.255.0
 no shutdown
interface FastEthernet1/0
 ip address 70.70.70.4 255.255.255.0
 no shutdown
! default toward R7; the lab prefixes are learned from OSPF
ip route 0.0.0.0 0.0.0.0 90.90.90.7
router ospf 1
 network 60.60.60.0 0.0.0.255 area 1
 network 70.70.70.0 0.0.0.255 area 1
 network 90.90.90.0 0.0.0.255 area 1

R5
configure terminal
! Multilayer switch for VLAN 30/40: SVIs are the hosts' gateways and relay
! DHCP to the Linux server at 100.100.100.254; uplink to R4 via 60.60.60.0/24.
vlan 30
 name v30
vlan 40
 name v40
exit
interface FastEthernet3/0
 ! encapsulation before mode: some platforms reject "mode trunk" while
 ! the encapsulation is still auto
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 1,30,40,1002-1005
interface FastEthernet0/0
 ip address 60.60.60.5 255.255.255.0
 no shutdown
interface Vlan30
 ip address 30.30.30.254 255.255.255.0
 ! relay: DHCP broadcasts from VLAN 30 are forwarded as unicast to the server;
 ! the relayed packets carry this SVI's address, which the firewall matches on
 ip helper-address 100.100.100.254
 no shutdown
interface Vlan40
 ip address 40.40.40.254 255.255.255.0
 ip helper-address 100.100.100.254
 no shutdown
! default toward R4; the remaining lab prefixes come from OSPF
ip route 0.0.0.0 0.0.0.0 60.60.60.4
router ospf 1
 network 30.30.30.0 0.0.0.255 area 1
 network 40.40.40.0 0.0.0.255 area 1
 network 60.60.60.0 0.0.0.255 area 1


R6
configure terminal
! Access switch for the VLAN 30/40 hosts; uplink to R5 on FastEthernet3/2.
vlan 30
 name v30
vlan 40
 name v40
exit
interface FastEthernet3/0
 switchport mode access
 switchport access vlan 30
interface FastEthernet3/1
 switchport mode access
 switchport access vlan 40
interface FastEthernet3/2
 ! encapsulation before mode: some platforms reject "mode trunk" while
 ! the encapsulation is still auto
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ! NOTE(review): VLAN 1 stays on the trunk as the default native VLAN; a
 ! dedicated unused native VLAN plus "switchport nonegotiate" would harden
 ! it against VLAN hopping - lab choice, confirm.
 switchport trunk allowed vlan 1,30,40,1002-1005
 
R7
configure terminal
! Edge router: links to R3 (80.x), R4 (90.x) and the Linux firewall/DHCP
! server on 100.100.100.0/24.
interface FastEthernet0/0
 ip address 80.80.80.7 255.255.255.0
 no shutdown
interface FastEthernet0/1
 ip address 90.90.90.7 255.255.255.0
 no shutdown
interface FastEthernet1/0
 ip address 100.100.100.7 255.255.255.0
 no shutdown
! default toward the Linux firewall; the firewall in turn needs static
! return routes for 10/20/30/40 pointing back at 100.100.100.7
ip route 0.0.0.0 0.0.0.0 100.100.100.254
! NOTE(review): OSPF area 1 runs without authentication; enabling it would
! keep a rogue neighbour from injecting routes - lab choice, confirm.
router ospf 1
 network 80.80.80.0 0.0.0.255 area 1
 network 90.90.90.0 0.0.0.255 area 1
 network 100.100.100.0 0.0.0.255 area 1

firewall + DHCP
vim /root/iptables.sh

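#!/bin/bash
# Lab firewall / NAT / DHCP-server host (100.100.100.254, upstream on ens224).
#
# All three chains default to DROP; only the lab traffic is then allowed:
#   - relayed DHCP (UDP 67 <-> 67) between the four SVI relay agents and this host
#   - ICMP echo and UDP DNS from the four LAN /24s to 8.8.8.8, plus the replies
#   - HTTP/HTTPS from the LAN /24s outbound, established replies back in
#   - source NAT (MASQUERADE) of the LAN /24s on the upstream interface
#
# Must run as root.  Re-running is safe: every rule is flushed first.
#
# Changes from the first version: the script now aborts on the first failed
# command instead of silently continuing with a half-applied ruleset, the
# per-subnet rules are generated from one list (same rule order as before),
# and the final listing uses -n so it does not block on reverse DNS.
set -euo pipefail

readonly UPSTREAM_IF=ens224          # interface toward the outside / NAT network
readonly SERVER_IP=100.100.100.254   # this host's address facing R7
readonly DNS_SERVER=8.8.8.8          # only destination the LANs may ping / query
# First three octets of the four LAN /24s; "<prefix>.254" is the SVI that
# relays DHCP in each of them.
readonly -a LAN_PREFIXES=(10.10.10 20.20.20 30.30.30 40.40.40)

die() { printf '%s\n' "$*" >&2; exit 1; }

(( EUID == 0 )) || die "this script must be run as root"

# Runtime-only; persist it in sysctl.conf if forwarding must survive a reboot.
sysctl net.ipv4.ip_forward=1

# Static return routes to the LANs via R7.  Apply once (they are not
# persistent across reboots); kept commented so re-runs do not fail on an
# already-existing route.
#route add -net 10.10.10.0 netmask 255.255.255.0 gw 100.100.100.7
#route add -net 20.20.20.0 netmask 255.255.255.0 gw 100.100.100.7
#route add -net 30.30.30.0 netmask 255.255.255.0 gw 100.100.100.7
#route add -net 40.40.40.0 netmask 255.255.255.0 gw 100.100.100.7

iptables -F
iptables -t nat -F

# NOTE: default DROP on INPUT/OUTPUT with no loopback or management exception.
# Run this from the console; a local service that talks over lo would need an
# explicit "-i lo -j ACCEPT" rule.
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# Relayed DHCP: each SVI relay sends from <prefix>.254 with UDP 67 -> 67 and
# the server answers the same way.
for prefix in "${LAN_PREFIXES[@]}"; do
  relay="${prefix}.254"
  iptables -A INPUT  -p udp --sport 67 --dport 67 -s "$relay" -d "$SERVER_IP" -j ACCEPT
  iptables -A OUTPUT -p udp --sport 67 --dport 67 -s "$SERVER_IP" -d "$relay" -j ACCEPT
done

# ICMP echo request out, echo reply back, per LAN.
for prefix in "${LAN_PREFIXES[@]}"; do
  net="${prefix}.0/24"
  iptables -A FORWARD -p icmp -s "$net" -d "$DNS_SERVER" --icmp-type 8 -j ACCEPT
  iptables -A FORWARD -p icmp -s "$DNS_SERVER" -d "$net" --icmp-type 0 -j ACCEPT
done

# Source NAT for each LAN leaving on the upstream interface.
for prefix in "${LAN_PREFIXES[@]}"; do
  iptables -t nat -A POSTROUTING -s "${prefix}.0/24" -o "$UPSTREAM_IF" -j MASQUERADE
done

# UDP DNS to the resolver and its replies, per LAN.
for prefix in "${LAN_PREFIXES[@]}"; do
  net="${prefix}.0/24"
  iptables -A FORWARD -p udp --dport 53 -s "$net" -d "$DNS_SERVER" -j ACCEPT
  iptables -A FORWARD -p udp --sport 53 -s "$DNS_SERVER" -d "$net" -j ACCEPT
done

# HTTP/HTTPS: new and established outbound, only established replies inbound.
# "-m conntrack --ctstate" is the current spelling of the old "-m state".
for prefix in "${LAN_PREFIXES[@]}"; do
  net="${prefix}.0/24"
  iptables -A FORWARD -p tcp -m multiport --dport 80,443 -s "$net" \
    -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
  iptables -A FORWARD -p tcp -m multiport --sport 80,443 -d "$net" \
    -m conntrack --ctstate ESTABLISHED -j ACCEPT
done

# -n: no reverse DNS lookups - with OUTPUT defaulting to DROP they would only
# hang; -v also shows the interface columns.
iptables -nvL
iptables -t nat -nvL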

vim /etc/dhcp/dhcpd.conf

# ISC dhcpd scopes for the lab.  The four VLAN scopes hand out .1-.20, point
# clients at the SVI (.254) as gateway and at 8.8.8.8 for DNS.  Requests for
# them arrive through the routers' ip helper-address relays; dhcpd picks the
# scope from the relay's giaddr, so every relayed VLAN needs its own subnet
# block here.
subnet 10.10.10.0 netmask 255.255.255.0 {
  range 10.10.10.1 10.10.10.20;
  option domain-name-servers 8.8.8.8;
  option routers 10.10.10.254;
  option broadcast-address 10.10.10.255;
  default-lease-time 600;
  max-lease-time 7200;
}

subnet 20.20.20.0 netmask 255.255.255.0 {
  range 20.20.20.1 20.20.20.20;
  option domain-name-servers 8.8.8.8;
  option routers 20.20.20.254;
  option broadcast-address 20.20.20.255;
  default-lease-time 600;
  max-lease-time 7200;
}

subnet 30.30.30.0 netmask 255.255.255.0 {
  range 30.30.30.1 30.30.30.20;
  option domain-name-servers 8.8.8.8;
  option routers 30.30.30.254;
  option broadcast-address 30.30.30.255;
  default-lease-time 600;
  max-lease-time 7200;
}

subnet 40.40.40.0 netmask 255.255.255.0 {
  range 40.40.40.1 40.40.40.20;
  option domain-name-servers 8.8.8.8;
  option routers 40.40.40.254;
  option broadcast-address 40.40.40.255;
  default-lease-time 600;
  max-lease-time 7200;
}

# Scope for this server's own segment (100.100.100.254 <-> R7).
# NOTE(review): R7's static 100.100.100.7 lies inside range .1-.20, so a lease
# on .7 would collide with it; a smaller range (or a host reservation for R7)
# avoids that.  dhcpd's default ping-before-offer only reduces the risk.
# NOTE(review): ISC dhcpd normally receives broadcasts through a packet socket,
# which the firewall's INPUT chain does not gate - confirm for this build
# before relying on the iptables policy to silence this scope.
subnet 100.100.100.0 netmask 255.255.255.0 {
  range 100.100.100.1 100.100.100.20;
  option domain-name-servers 8.8.8.8;
  option routers 100.100.100.254;
  option broadcast-address 100.100.100.255;
  default-lease-time 600;
  max-lease-time 7200;
}

# Scope for the segment behind gateway 192.168.50.2 - presumably the upstream
# / NAT side reached via ens224; verify.
# NOTE(review): a declaration with a range makes this host answer DHCP on that
# segment as well, i.e. a second DHCP server beside the NAT network's own.  If
# this block exists only because dhcpd requires a subnet matching each
# interface it listens on, a range-less "subnet ... { }" is sufficient; confirm
# the intent.
subnet 192.168.50.0 netmask 255.255.255.0 {
  range 192.168.50.210 192.168.50.220;
  option domain-name-servers 8.8.8.8;
  option routers 192.168.50.2;
  option broadcast-address 192.168.50.255;
  default-lease-time 600;
  max-lease-time 7200;
}