Chapter 7. Firewalls

Information security is generally regarded as a process rather than a product. Standard security implementations, however, usually rely on some form of dedicated mechanism to control access privileges and to restrict network resources to users who are authorized, identifiable and traceable through logs. Red Hat Enterprise Linux includes many powerful tools that help system administrators and security engineers address network-level access control problems.

Apart from VPN solutions such as CIPE or IPsec (discussed in Chapter 6), firewalls are one of the core components of a network security implementation. Many vendors offer firewall solutions for every level of the market, ranging from home users protecting a single PC to data center solutions safeguarding vital enterprise information. Firewalls can be standalone hardware solutions, such as the firewall appliances offered by Cisco, Nokia and Sonicwall. Vendors such as Checkpoint, McAfee and Symantec also provide proprietary software firewall solutions developed for the home and business markets.

Apart from the differences between hardware and software firewalls, firewalls also differ in how they function, and this is what distinguishes one solution from another. Table 7-1 details three different types of firewalls and how they work:

Method: NAT
Description: Network Address Translation (NAT) places the internal network's IP subnets behind one or a group of external IP addresses, masquerading all requests as coming from a single source rather than from many.
Advantages:
· Can be configured transparently, without the machines on the LAN being aware of it
· Protecting many machines and services behind one or more external IP addresses simplifies system administration
· Access to and from the LAN can be restricted by opening and closing ports on the NAT firewall/gateway
Disadvantages:
· Once a user has connected to a service outside the firewall, malicious activity can no longer be prevented

Method: Packet filter
Description: A packet filtering firewall reads every data packet transmitted into and out of the LAN. It reads and processes packets according to their header information, and filters them based on the programmable rule sets implemented by the firewall administrator. The Linux kernel has built-in packet filtering functionality (through the netfilter kernel subsystem).
Advantages:
· Customizable through the iptables front-end utility
· No customization is needed on the client side, because all network activity is filtered at the router level rather than at the application level
· Because packets are not transmitted through a proxy server but sent directly from the client to the remote host, network performance is faster
Disadvantages:
· Cannot filter packet contents the way a proxy firewall can
· Processes packets at the protocol layer, but cannot filter packets at the application layer
· Complex network architectures make packet filtering rules harder to establish, especially when "IP masquerading" or local subnets and DMZ networks are involved

Method: Proxy server
Description: A proxy firewall filters all packets of a certain protocol or type sent from LAN clients to a proxy machine, which then makes the requests to the Internet on behalf of the local client. A proxy machine acts as a buffer between malicious remote users and the internal network's client machines.
Advantages:
· Gives system administrators the ability to control which applications and protocols function outside the LAN
· Some proxy servers can cache data, so clients can retrieve frequently requested data from the local cache instead of using the Internet connection to request it, which greatly reduces unnecessary bandwidth usage
· Proxy services can be logged and monitored closely, allowing tighter control over the use of resources on the network
Disadvantages:
· Proxy servers are usually application specific (HTTP, telnet, etc.) or restricted to a protocol (most proxy servers only work with TCP-connected services)
· Application services cannot run behind a proxy server, so your application servers must use a different form of network security
· A proxy server can become a network bottleneck, because all requests and transmissions pass through a single source rather than the client being connected directly to the remote service

Table 7-1. Firewall Types

7.1. Netfilter and IPTables

The Linux kernel contains a powerful networking subsystem called netfilter. The netfilter subsystem provides stateful or stateless packet filtering as well as NAT and IP masquerading services. Netfilter also has the ability to mangle IP header information for advanced routing and connection state management. Netfilter is controlled through the IPTables utility.

7.1.1. IPTables Overview

The power and flexibility of netfilter are implemented through the IPTables interface. This command-line tool is similar in syntax to its predecessor, IPChains; however, IPTables uses the netfilter subsystem to enhance network connection, inspection and processing, whereas IPChains used intricate rule sets to filter source and destination paths, as well as the ports of both. IPTables features advanced logging, pre- and post-routing actions, network address translation and port forwarding, all from a single command-line interface.

This section provides an overview of IPTables. For more detailed information about IPTables, refer to the Red Hat Enterprise Linux Reference Guide.
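As an added example (not code from the page or from Red Hat's own documentation), the following script assembles a small IPTables ruleset for a NAT gateway that exercises the features listed above: stateful packet filtering, masquerading in the nat table's POSTROUTING chain, port forwarding via DNAT in PREROUTING, and logging. The interface names, the LAN subnet and the internal web host are assumed values, and the default DRY_RUN=1 prints each rule instead of applying it.

```shell
#!/bin/sh
# Added example (not from the page): a minimal NAT gateway ruleset.
# Assumed interface names and addresses, not taken from the page:
WAN=eth0                 # interface facing the Internet
LAN=eth1                 # interface facing the internal LAN
LAN_NET=192.168.1.0/24   # internal subnet hidden behind the WAN address
WEB_HOST=192.168.1.10    # internal web server reached by port forwarding
# Every rule goes through ipt(). DRY_RUN=1 (the default) prints the rule
# instead of applying it, so the ruleset can be reviewed without root.
ipt() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

build_ruleset() {
    # Start from empty filter and nat tables.
    ipt -F
    ipt -t nat -F

    # Default policies: drop what is not explicitly allowed.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # Stateful filtering: replies to connections the LAN initiated come
    # back in; new inbound connections from the WAN side do not.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT

    # Logging: packets arriving on the WAN with a LAN source address are
    # spoofed; record them with the LOG target, then drop them.
    ipt -A FORWARD -i "$WAN" -s "$LAN_NET" -j LOG --log-prefix "SPOOF: "
    ipt -A FORWARD -i "$WAN" -s "$LAN_NET" -j DROP
    # NAT (post-routing): masquerade the LAN behind the WAN address.
    ipt -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE

    # Port forwarding (pre-routing): rewrite inbound TCP/80 to the web
    # host, then allow that new forwarded flow through the filter table.
    ipt -t nat -A PREROUTING -i "$WAN" -p tcp --dport 80 \
        -j DNAT --to-destination "$WEB_HOST:80"
    ipt -A FORWARD -i "$WAN" -o "$LAN" -p tcp -d "$WEB_HOST" --dport 80 \
        -m state --state NEW -j ACCEPT
}
build_ruleset
```

Run it as root with DRY_RUN=0 to apply the rules; the INPUT chain drops everything the gateway itself does not initiate, so add INPUT rules for any service (such as SSH) the gateway must offer before applying it remotely.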