6.6. Configuring Clients for CIPE

Once the CIPE server has been configured successfully and tested for functionality, you can set up the connection on the client system.

The CIPE client can bring the CIPE connection up and down in an automated manner. For this purpose CIPE has built-in mechanisms that can be customized to the needs of individual users. For example, an employee working remotely can connect to the CIPE device on the LAN by entering the following command:

/sbin/ifup cipcb0

The device comes up automatically; firewall rules and routing information are also configured automatically when the connection is made. To terminate the connection, the remote employee runs the following command:

/sbin/ifdown cipcb0

Configuring a client requires creating local scripts that run after the device has loaded. The device itself can be configured by the user through the file /etc/sysconfig/network-scripts/ifcfg-cipcb0. This file contains parameters that specify, among other things, whether CIPE connects at boot time and what the CIPE device is named. The following is the ifcfg-cipcb0 file for a remote client connecting to the CIPE server:

DEVICE=cipcb0
ONBOOT=yes
BOOTPROTO=none
USERCTL=no

# This is the device for which we add a host route to our CIPE peer through.
# You may hard code this, but if left blank, we will try to guess from
# the routing table in the /etc/cipe/ip-up.local file.
PEERROUTEDEV=

# We need to use internal DNS when connected via cipe. 
DNS=192.168.1.254

The CIPE device is named cipcb0. The CIPE device is activated at boot time (set through the ONBOOT variable) and does not use a boot protocol (for example, DHCP) to obtain an IP address for the device. The PEERROUTEDEV field specifies the CIPE server device name that connects to the client. If no device is specified in this field, one is determined after the device has loaded.

If the internal network is behind a firewall, set rules that allow the CIPE interface on the client system to send and receive UDP packets. Refer to Chapter 7 for information on configuring a firewall. This example configuration uses iptables rules.

Note

Configure the client so that all local parameters are placed in a user-created /etc/cipe/ip-up.local file. When the CIPE session ends, the local parameter values should be restored using /etc/cipe/ip-down.local.

The firewall on the client system must be configured to accept CIPE UDP-encapsulated packets. Firewall rules can vary widely, but basic acceptance of UDP packets is essential for a CIPE connection. The following iptables rules allow UDP CIPE transmissions to the remote client system connecting to the LAN; the final rule adds IP masquerading so that the remote client can communicate with the LAN and the Internet:

/sbin/modprobe iptables
/sbin/service iptables stop
/sbin/iptables -P INPUT DROP
/sbin/iptables -F INPUT
/sbin/iptables -A INPUT -j ACCEPT -p udp -s 10.0.1.1
/sbin/iptables -A INPUT -j ACCEPT -i cipcb0
/sbin/iptables -A INPUT -j ACCEPT -i lo
/sbin/iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE

Add routing rules so that the client system can access the systems reached through CIPE as if they were on the local network. The rules can be added with the route command. In this example, the following network route must be set on the client workstation:

route add -net 192.168.1.0 netmask 255.255.255.0 gw 10.0.1.2

The following shows the final /etc/cipe/ip-up.local script for the client workstation:

#!/bin/bash -v
# Load the settings for the CIPE device passed as $1 (for example cipcb0).
if [ -f "/etc/sysconfig/network-scripts/ifcfg-$1" ] ; then
        . "/etc/sysconfig/network-scripts/ifcfg-$1"
else
        cat <<EOT | logger
Cannot find config file ifcfg-$1. Exiting.
EOT
        exit 1
fi

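# If PEERROUTEDEV was left blank in ifcfg-$1, take the device of the
# default route from the routing table.
if [ -z "${PEERROUTEDEV}" ]; then
        # Use routing table to determine peer gateway
        export PEERROUTEDEV=`/sbin/route -n | grep ^0.0.0.0 | head -n 1 \
           | awk '{ print $NF }'`
        if [ -z "${PEERROUTEDEV}" ]; then
                cat <<EOT | logger
Cannot find a default route to send cipe packets through!
Punting and hoping for the best.
EOT
        fi
fi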

####################################################
# Add The routes for the remote local area network #
####################################################

route add -host 10.0.1.2 dev $PEERROUTEDEV
route add -net 192.168.1.0 netmask 255.255.255.0 dev $1

####################################################
# IP TABLES Rules to restrict traffic              #
####################################################

/sbin/modprobe iptables
/sbin/service iptables stop
/sbin/iptables -P INPUT DROP
/sbin/iptables -F INPUT
/sbin/iptables -A INPUT -j ACCEPT -p udp -s 10.0.1.2
/sbin/iptables -A INPUT -j ACCEPT -i $1
/sbin/iptables -A INPUT -j ACCEPT -i lo
/sbin/iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
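
The note above asks for the local settings to be reverted in /etc/cipe/ip-down.local, which this section does not show. The following is an added example, not part of the original guide: a companion script that removes the routes and iptables rules created by the ip-up.local above. It assumes the script is passed the CIPE device name as $1, as ip-up.local is; DRY_RUN and the function names are hypothetical.

```shell
#!/bin/bash
# Sketch of /etc/cipe/ip-down.local: undo what the ip-up.local above set up.
# Assumptions (not from the original guide): the script receives the CIPE
# device name as $1, as ip-up.local does; DRY_RUN is a hypothetical switch.
PEER=10.0.1.2            # CIPE peer address used in ip-up.local
LAN=192.168.1.0          # remote LAN reached through the tunnel
MASK=255.255.255.0

# Read `route -n` output on stdin and print the device that carries the
# host route to the peer (the route ip-up.local added with "route add -host").
peer_route_dev() {
        awk -v peer="$1" \
            '$1 == peer && $3 == "255.255.255.255" { print $NF; exit }'
}

# Print, one per line, the commands that reverse ip-up.local for CIPE
# device $1 and peer-route device $2. Each rule is deleted with the same
# match it was added with, so unrelated rules are left alone.
teardown_cmds() {
        if [ -n "$2" ]; then
                echo "/sbin/route del -host $PEER dev $2"
        fi
        echo "/sbin/route del -net $LAN netmask $MASK dev $1"
        echo "/sbin/iptables -D INPUT -j ACCEPT -p udp -s $PEER"
        echo "/sbin/iptables -D INPUT -j ACCEPT -i $1"
        echo "/sbin/iptables -t nat -D POSTROUTING -s $LAN/24 -o eth0 -j MASQUERADE"
}

# Act only when called with a device name, the way cipe would call it.
if [ -n "$1" ]; then
        dev=$(/sbin/route -n | peer_route_dev "$PEER")
        teardown_cmds "$1" "$dev" | while read -r cmd; do
                if [ -n "$DRY_RUN" ]; then
                        echo "would run: $cmd"
                else
                        # A route may already be gone once the device is down.
                        $cmd 2>&1 | logger -t ip-down.local
                fi
        done
fi
```

After teardown the INPUT policy is still DROP and the loopback rule is still in place; restoring whatever ruleset was active before the connection is site-specific.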