14. 다음은 xinetd 관련 로그 기록을 별도의 파일에 저장하도록 설정하는 과정이다. 아래의 조건을 참조하여 ( 괄호 ) 안에 알맞은 내용을 적으시오.
# vi ( ① )
( ② ) = ( ③ ) ( ④ )
<조 건>
- ① : 관련 파일명을 절대 경로로 적는다.
- ② ~ ④ : 관련 로그는 /var/log/xinetd.log에 기록하도록 설정한다.
/etc/xinetd.conf : xinted로 동작하는 서비스 전체에 대한 설정 파일
xinted 방식 : 서비스 요청시 실행하는 방식(서비스 요청이 적을때 효율적 / telnet, ftp 등)
log_type : SYSLOG와 FILE 두 가지 설정이 가능 / 로그 기록을 syslog에 위임 할지, 별도 파일로 지정할지 선택
ex) log_type = FILE /var/logs/xinet.log
[root@server1 ~]# find / -name xinetd*
/run/xinetd.pid
/sys/fs/cgroup/devices/system.slice/xinetd.service
/sys/fs/cgroup/systemd/system.slice/xinetd.service
/etc/systemd/system/multi-user.target.wants/xinetd.service
/etc/sysconfig/xinetd
/etc/xinetd.d
/etc/xinetd.conf
/usr/sbin/xinetd
/usr/lib/systemd/system/xinetd.service
/usr/lib/python2.7/site-packages/sos/plugins/xinetd.py
/usr/lib/python2.7/site-packages/sos/plugins/xinetd.pyc
/usr/lib/python2.7/site-packages/sos/plugins/xinetd.pyo
/usr/share/doc/xinetd-2.3.15
/usr/share/augeas/lenses/dist/xinetd.aug
/usr/share/man/man5/xinetd.conf.5.gz
/usr/share/man/man5/xinetd.log.5.gz
/usr/share/man/man8/xinetd.8.gz
/usr/share/vim/vim74/ftplugin/xinetd.vim
/usr/share/vim/vim74/indent/xinetd.vim
/usr/share/vim/vim74/syntax/xinetd.vim
[root@server1 ~]# vi /etc/xinetd.conf
# This is the master xinetd configuration file. Settings in the
# default section will be inherited by all service configurations
# unless explicitly overridden in the service configuration. See
# xinetd.conf in the man pages for a more detailed explanation of
# these attributes.
defaults
{
# The next two items are intended to be a quick access place to
# temporarily enable or disable services.
#
# enabled =
# disabled =
# Define general logging characteristics.
log_type = SYSLOG daemon info
log_on_failure = HOST
log_on_success = PID HOST DURATION EXIT
# Define access restriction defaults
#
# no_access =
# only_from =
# max_load = 0
cps = 50 10
instances = 50
per_source = 10
# Address and networking defaults
#
# bind =
# mdns = yes
v6only = no
# setup environmental attributes
#
# passenv =
groups = yes
umask = 002
# Generally, banners are not used. This sets up their global defaults
#
# banner =
# banner_fail =
# banner_success =
}
includedir /etc/xinetd.d
① /etc/xinetd.conf
② log_type
③ FILE
④ /var/log/xinetd.log
15. 다음은 DHCP 서버의 설정 과정이다. 아래의 조건을 참조하여 ( 괄호 ) 안에 알맞은 내용을 적으시오.
( ① ) ( ② ) {
( ③ ) 08:00:07:26:c0:a5;
( ④ ) 192.168.1.22;
}
<조 건>
- 맥(MAC) 주소가 08:00:07:26:c0:a5인 경우에는 고정적으로 192.168.1.22번 IP 주소를 할당한다.
- 호스트명은 ihd_pc로 관리한다.
/etc/dhcp/dhcpd.conf : DHCP 환경 설정 파일
DHCP 서버를 통한 고정 IP 설정 방법
host linux {
option host-name "linux.example.com";
hardware ethernet 00:A0:78:8E:9E:AA;
fixed-address 192.168.1.1;
}
[root@server1 ~]# find / -name dhcp*
/sys/fs/selinux/booleans/dhcpc_exec_iptables
/sys/fs/selinux/booleans/dhcpd_use_ldap
/etc/selinux/targeted/modules/active/modules/dhcp.pp
/etc/sysconfig/dhcpd
/etc/openldap/schema/dhcp.schema
/etc/dhcp
/etc/dhcp/dhcpd.conf
/etc/dhcp/dhcpd6.conf
/var/lib/dhcpd
/var/lib/dhcpd/dhcpd.leases
/var/lib/dhcpd/dhcpd6.leases
/usr/sbin/dhcpd
/usr/lib/systemd/system/dhcpd.service
/usr/lib/systemd/system/dhcpd6.service
/usr/lib/python2.7/site-packages/sos/plugins/dhcp.py
/usr/lib/python2.7/site-packages/sos/plugins/dhcp.pyc
/usr/lib/python2.7/site-packages/sos/plugins/dhcp.pyo
/usr/lib/dracut/modules.d/40network/dhcp-root.sh
/usr/lib/firewalld/services/dhcp.xml
/usr/lib/firewalld/services/dhcpv6-client.xml
/usr/lib/firewalld/services/dhcpv6.xml
/usr/share/doc/dhcp-common-4.2.5
/usr/share/doc/dhcp-4.2.5
/usr/share/doc/dhcp-4.2.5/dhcpd.conf.example
/usr/share/doc/dhcp-4.2.5/dhcpd6.conf.example
/usr/share/doc/dhcp-4.2.5/ldap/dhcp.schema
/usr/share/doc/dhcp-4.2.5/ldap/dhcpd-conf-to-ldap
/usr/share/augeas/lenses/dist/dhcpd.aug
/usr/share/man/man5/dhcp-eval.5.gz
/usr/share/man/man5/dhcp-options.5.gz
/usr/share/man/man5/dhcpd.conf.5.gz
/usr/share/man/man5/dhcpd.leases.5.gz
/usr/share/man/man8/dhcpd.8.gz
/usr/share/systemtap/tapset/dhcpd.stp
[root@server1 ~]# vi /etc/dhcp/dhcpd.conf
# DHCP Server Configuration file.
# see /usr/share/doc/dhcp*/dhcpd.conf.example
# see dhcpd.conf(5) man page
#
[root@server1 ~]# man dhcpd
Options
DHCP (and also BOOTP with Vendor Extensions) provide a mechanism whereby the server can provide the
client with information about how to configure its network interface (e.g., subnet mask), and also how
the client can access various network services (e.g., DNS, IP routers, and so on).
These options can be specified on a per-subnet basis, and, for BOOTP clients, also on a per-client
basis. In the event that a BOOTP client declaration specifies options that are also specified in its
subnet declaration, the options specified in the client declaration take precedence. A reasonably com‐
plete DHCP configuration might look something like this:
subnet 239.252.197.0 netmask 255.255.255.0 {
range 239.252.197.10 239.252.197.250;
default-lease-time 600 max-lease-time 7200;
option subnet-mask 255.255.255.0;
option broadcast-address 239.252.197.255;
option routers 239.252.197.1;
option domain-name-servers 239.252.197.2, 239.252.197.3;
option domain-name "isc.org";
}
A bootp host on that subnet that needs to be in a different domain and use a different name server might
be declared as follows:
host haagen {
hardware ethernet 08:00:2b:4c:59:23;
fixed-address 239.252.197.9;
filename "/tftpboot/haagen.boot";
option domain-name-servers 192.5.5.1;
option domain-name "vix.com";
}
A more complete description of the dhcpd.conf file syntax is provided in dhcpd.conf(5).
① host
② ihd_pc
③ hadware ethernet
④ fixed-address
16. 다음은 하나의 공인 IP 주소를 공유해서 다수의 컴퓨터의 인터넷 사용이 가능하도록 설정하는 과정이다.
( 괄호 ) 안에 알맞은 내용을 적으시오.
# iptables –t ( ① ) –A ( ② ) ( ③ ) eth0 –j ( ④ ) --to 203.247.40.100
<조 건>
- 해당 시스템에는 이더넷 카드가 두 개가 장착되어 있는데, 첫 번째 이더넷 카드에서 나가는 패킷에 대해 공인 IP 주소인 203.247.40.100을 할당한다.
iptables : 패킷 필터링 도구 / 방화벽 구성이나 NAT에 사용
-A : APPEND : 정책 추가
-o : 출력 인터페이스와 매칭(––out-interface)
-j : 매치되는 패킷을 어떻게 처리할지 지정 (--jump)
DNAT : PREROUTING / 목적지 IP를 변환(NAT)한다.
SNAT : POSTROUTING / 소스 IP를 [변환(NAT)|NAT]한다.
[root@server1 ~]# iptables [-t 테이블] [액션] [체인] [매치] [-j 타겟]
[root@server1 ~]# iptables -help
iptables v1.4.21
Usage: iptables -[ACD] chain rule-specification [options]
iptables -I chain [rulenum] rule-specification [options]
iptables -R chain rulenum rule-specification [options]
iptables -D chain rulenum [options]
iptables -[LS] [chain [rulenum]] [options]
iptables -[FZ] [chain] [options]
iptables -[NX] chain
iptables -E old-chain-name new-chain-name
iptables -P chain target [options]
iptables -h (print this help information)
Commands:
Either long or short options are allowed.
--append -A chain Append to chain
--check -C chain Check for the existence of a rule
--delete -D chain Delete matching rule from chain
--delete -D chain rulenum
Delete rule rulenum (1 = first) from chain
--insert -I chain [rulenum]
Insert in chain as rulenum (default 1=first)
--replace -R chain rulenum
Replace rule rulenum (1 = first) in chain
--list -L [chain [rulenum]]
List the rules in a chain or all chains
--list-rules -S [chain [rulenum]]
Print the rules in a chain or all chains
--flush -F [chain] Delete all rules in chain or all chains
--zero -Z [chain [rulenum]]
Zero counters in chain or all chains
--new -N chain Create a new user-defined chain
--delete-chain
-X [chain] Delete a user-defined chain
--policy -P chain target
Change policy on chain to target
--rename-chain
-E old-chain new-chain
Change chain name, (moving any references)
Options:
--ipv4 -4 Nothing (line is ignored by ip6tables-restore)
--ipv6 -6 Error (line is ignored by iptables-restore)
[!] --protocol -p proto protocol: by number or name, eg. `tcp'
[!] --source -s address[/mask][...]
source specification
[!] --destination -d address[/mask][...]
destination specification
[!] --in-interface -i input name[+]
network interface name ([+] for wildcard)
--jump -j target
target for rule (may load target extension)
--goto -g chain
jump to chain with no return
--match -m match
extended match (may load extension)
--numeric -n numeric output of addresses and ports
[!] --out-interface -o output name[+]
network interface name ([+] for wildcard)
--table -t table table to manipulate (default: `filter')
--verbose -v verbose mode
--wait -w [seconds] maximum wait to acquire xtables lock before give up
--wait-interval -W [usecs] wait time to try to acquire xtables lock
default is 1 second
--line-numbers print line numbers when listing
--exact -x expand numbers (display exact values)
[!] --fragment -f match second or further fragments only
--modprobe=<command> try to insert modules using this command
--set-counters PKTS BYTES set the counter during insert/append
[!] --version -V print package version.
[root@server1 ~]# man iptables
TABLES
There are currently five independent tables (which tables are present at any time depends on the kernel
configuration options and which modules are present).
-t, --table table
This option specifies the packet matching table which the command should operate on. If the ker‐
nel is configured with automatic module loading, an attempt will be made to load the appropriate
module for that table if it is not already there.
The tables are as follows:
filter:
This is the default table (if no -t option is passed). It contains the built-in chains INPUT
(for packets destined to local sockets), FORWARD (for packets being routed through the box),
and OUTPUT (for locally-generated packets).
nat:
This table is consulted when a packet that creates a new connection is encountered. It con‐
sists of three built-ins: PREROUTING (for altering packets as soon as they come in), OUTPUT
(for altering locally-generated packets before routing), and POSTROUTING (for altering pack‐
ets as they are about to go out). IPv6 NAT support is available since kernel 3.7.
mangle:
This table is used for specialized packet alteration. Until kernel 2.4.17 it had two built-
in chains: PREROUTING (for altering incoming packets before routing) and OUTPUT (for altering
locally-generated packets before routing). Since kernel 2.4.18, three other built-in chains
are also supported: INPUT (for packets coming into the box itself), FORWARD (for altering
packets being routed through the box), and POSTROUTING (for altering packets as they are
about to go out).
raw:
This table is used mainly for configuring exemptions from connection tracking in combination
with the NOTRACK target. It registers at the netfilter hooks with higher priority and is
thus called before ip_conntrack, or any other IP tables. It provides the following built-in
chains: PREROUTING (for packets arriving via any network interface) OUTPUT (for packets gen‐
erated by local processes)
security:
This table is used for Mandatory Access Control (MAC) networking rules, such as those enabled
by the SECMARK and CONNSECMARK targets. Mandatory Access Control is implemented by Linux
Security Modules such as SELinux. The security table is called after the filter table,
allowing any Discretionary Access Control (DAC) rules in the filter table to take effect
before MAC rules. This table provides the following built-in chains: INPUT (for packets com‐
ing into the box itself), OUTPUT (for altering locally-generated packets before routing), and
FORWARD (for altering packets being routed through the box).
iptables 확인
[root@server1 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
INPUT_direct all -- anywhere anywhere
INPUT_ZONES_SOURCE all -- anywhere anywhere
INPUT_ZONES all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
FORWARD_direct all -- anywhere anywhere
FORWARD_IN_ZONES_SOURCE all -- anywhere anywhere
FORWARD_IN_ZONES all -- anywhere anywhere
FORWARD_OUT_ZONES_SOURCE all -- anywhere anywhere
FORWARD_OUT_ZONES all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
OUTPUT_direct all -- anywhere anywhere
Chain FORWARD_IN_ZONES (1 references)
target prot opt source destination
FWDI_public all -- anywhere anywhere [goto]
FWDI_public all -- anywhere anywhere [goto]
Chain FORWARD_IN_ZONES_SOURCE (1 references)
target prot opt source destination
Chain FORWARD_OUT_ZONES (1 references)
target prot opt source destination
FWDO_public all -- anywhere anywhere [goto]
FWDO_public all -- anywhere anywhere [goto]
Chain FORWARD_OUT_ZONES_SOURCE (1 references)
target prot opt source destination
Chain FORWARD_direct (1 references)
target prot opt source destination
Chain FWDI_public (2 references)
target prot opt source destination
FWDI_public_log all -- anywhere anywhere
FWDI_public_deny all -- anywhere anywhere
FWDI_public_allow all -- anywhere anywhere
Chain FWDI_public_allow (1 references)
target prot opt source destination
Chain FWDI_public_deny (1 references)
target prot opt source destination
Chain FWDI_public_log (1 references)
target prot opt source destination
Chain FWDO_public (2 references)
target prot opt source destination
FWDO_public_log all -- anywhere anywhere
FWDO_public_deny all -- anywhere anywhere
FWDO_public_allow all -- anywhere anywhere
Chain FWDO_public_allow (1 references)
target prot opt source destination
Chain FWDO_public_deny (1 references)
target prot opt source destination
Chain FWDO_public_log (1 references)
target prot opt source destination
Chain INPUT_ZONES (1 references)
target prot opt source destination
IN_public all -- anywhere anywhere [goto]
IN_public all -- anywhere anywhere [goto]
Chain INPUT_ZONES_SOURCE (1 references)
target prot opt source destination
Chain INPUT_direct (1 references)
target prot opt source destination
Chain IN_public (2 references)
target prot opt source destination
IN_public_log all -- anywhere anywhere
IN_public_deny all -- anywhere anywhere
IN_public_allow all -- anywhere anywhere
Chain IN_public_allow (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh ctstate NEW
Chain IN_public_deny (1 references)
target prot opt source destination
Chain IN_public_log (1 references)
target prot opt source destination
Chain OUTPUT_direct (1 references)
target prot opt source destination
① nat
② POSTROUTING
③ -o
④ SNAT
'ETC > 자격증' 카테고리의 다른 글
[리눅스마스터]제1701회 리눅스마스터 1급 2차 시험 단답식 풀이 2 (0) | 2022.04.01 |
---|---|
[리눅스마스터]제1701회 리눅스마스터 1급 2차 시험 단답식 풀이 1 (0) | 2022.04.01 |
[리눅스마스터]제1602회 리눅스마스터 1급 2차 시험 작업식 풀이 1 (0) | 2022.03.30 |
[리눅스마스터]제1602회 리눅스마스터 1급 2차 시험 단답식 풀이 3 (0) | 2022.03.27 |
[리눅스마스터]제1602회 리눅스마스터 1급 2차 시험 단답식 풀이 2 (0) | 2022.03.27 |