  Linux IPCHAINS-HOWTO
  Rusty Russell
  v1.0.8, Tue Jul  4 14:20:53 EST 2000
  Japanese translation: JF Project (jf@linux.or.jp)
  v1.0.1j  Nov. 21, 2000

  ́̕ALinux ̊gꂽ IP t@CAEH[O`FC\t
  gEFAǂ̂悤ɓ肵ACXg[Aݒ肵AāAp
  ACfBÅڏq邱ƂړIƂ܂B
  ______________________________________________________________________

  ڎ

  1. n߂
     1.1 ?
     1.2 Ȃ?
     1.3 ǂ?
     1.4 ǂ?

  2. pPbgtB^O̊b
     2.1 pPbgtB^Ƃ͉?
     2.2 Ȃ?
     2.3 ǂ?
        2.3.1 pPbgtB^O@\LɂJ[l
        2.3.2 ipchains
        2.3.3 tB^KPvIɂɂ

  3. Aė! [eBÓA}XJ[fBÓA|[gtH[fBÓAtH[fBO(ipautofw)̂ācB
     3.1 Rusty ̃}XJ[fBOɊւ 3̎wj
     3.2 IȐ`:  WatchGuard ŋK
     3.3 t@CAEH[IɋʂȐݒ
        3.3.1 [Jlbg[N: `IȃvLV
        3.3.2 vCx[glbg[N: ߓIȃvLV
        3.3.3 vCx[glbg[N: }XJ[fBO
        3.3.4 pubNlbg[N
        3.3.5 ꂽT[rX
     3.4 }XJ[fBOɑ΂邻̑̏

  4. IP t@CAEH[O`FC
     4.1 ǂ̂悤ɃpPbgtB^ʉ߂̂
        4.1.1 ipchains g
        4.1.2 Ȃ̃Rs[^N鎞Ɍ
        4.1.3 P̃[ł̑
        4.1.4 tB^O̎dl
           4.1.4.1 \[Xƈ IP AhX̎w
           4.1.4.2 ے̎w
           4.1.4.3 vgR̎w
              4.1.4.3.1 UDP  TCP |[g̎w
              4.1.4.3.2 ICMP ^CvƃR[h̎w
           4.1.4.4 C^[tFCX̎w
           4.1.4.5 TCP SYN pPbĝ݂w肷
           4.1.4.6 tOg̏
        4.1.5 tB^O̕I
           4.1.5.1 ^[Qbg̎w
           4.1.5.2 pPbg̃OL^
           4.1.5.3 T[rX̌^𑀍삷
           4.1.5.4 pPbg̃}[LO
           4.1.5.5 `FC̑
           4.1.5.6 V`FC
           4.1.5.7 `FC폜
           4.1.5.8 `FCɂ
           4.1.5.9 `FC̓eXgAbv
           4.1.5.10 JE^[([)Zbg
           4.1.5.11 |V[ݒ肷
        4.1.6 }XJ[fBȎ
        4.1.7 pPbg`FbN
        4.1.8 xɕ̃[ƉN̂
     4.2 W
        4.2.1 ipchains-save g
        4.2.2 ipchains-restore g

  5. ̑̏
     5.1 t@CAEH[[ǂ̂悤ɍ\z邩
     5.2 tB^OŔjĂ͂ȂpPbg
        5.2.1 ICMP pPbg
        5.2.2 DNS (l[T[o[) ւ TCP ڑ
        5.2.3 FTP ̈
     5.3 Ping of Death r
     5.4 Teardrop  Bonk r
     5.5 tOgr
     5.6 t@CAEH[[ύX
     5.7 IP Uی(IP Spoof Protection)Aǂ̂悤ɐݒ肵悢ł?
     5.8 ŐṼvWFNg
        5.8.1 SPF: Xe[gtpPbgtB^O
        5.8.2 Michael Hasenstein  ftp-data nbN
     5.9 ̉ۑ

  6. ʓIȖ
     6.1 ipchains -L gƃt[Y܂!
     6.2 ]ł܂!
     6.3 Masquerading ܂ Forwarding ܂!
     6.4 -j REDIR ܂!
     6.5 ChJ[hC^[tF[X܂!
     6.6 TOS (Type of Service) ܂!
     6.7 ipautofw ipportfw ܂!
     6.8 xosview Ă܂!
     6.9 `-j REDIRECT'  Segmentation G[ɂȂ܂!
     6.10 }XJ[fBÕ^CAEglݒł܂!
     6.11 IPX t@CAEH[ł!

  7. pIȗ
     7.1 \
     7.2 ړI
     7.3 pPbgtB^OsO
     7.4 pPbgʉ߂邽߂̃pPbgtB^O
        7.4.1 forward `FCWv
        7.4.2 icmp-acc `FC`
        7.4.3 GOOD (lbg[N)  DMZ (T[olbg[N)
        7.4.4 BAD (Olbg[N) DMZ (T[olbg[N)
        7.4.5 GOOD (lbg[N) BAD (Olbg[N)
        7.4.6 DMZ  GOOD (lbg[N)
        7.4.7 DMZ  BAD (Olbg[N)
        7.4.8 BAD (Olbg[N) GOOD (lbg[N)
        7.4.9 Linux }Vgɑ΂pPbgtB^O
           7.4.9.1 BAD (Olbg[N) C^[tF[X
           7.4.9.2 DMZ C^tF[X
           7.4.9.3 GOOD (lbg[N)C^[tF[X
     7.5 Ō

  8. t^: ipchains  ipfwadm Ƃ̈Ⴂ
     8.1 NBbNt@Xꗗ
     8.2 ipfwadm R}h̕ϊ

  9. t^: ipfwadm-wrapper XNvgg
  10. t^: ӎ
     10.1 |

  11. {ɂ

  ______________________________________________________________________

  1.  n߂

  ̕ IPCHAINS-HOWTO łBŐVł}X^[TCg ``ǂ?''
  QƂĉB LINUX NET-3-HOWTO ǂ񂾕悢ł傤B IP-
  Masquerading HOWTO, PPP-HOWTO, Ethernet-HOWTO  Firewall HOTO ʔ
  ł傤B (āAJԂ܂A alt.fan.bigfoot FAQ )B

  (: alt.fan.bigfoot FAQ  <- [j̃j[XO[vAMO?])

  pPbgtB^OɂĊɒmĂĺA ``Ȃ?'' ̏́A ``
  ǂ?'' ̏͂ǂŁA ``IP t@CAEH[O`FC'' ̏
  ̒̃^Cgƒ߂Ă݂܂傤B
  ipfwadm ڍsĺA ``n߂'' ̏́A ``ǂ?'' ̏́A
  ĕt^ ``ipchains  ipfwadm Ƃ̈Ⴂ'' ̏͂ƁA ```ipfwadm-
  wrapper' XNvgg'' ̏͂ǂ݂܂傤B

  1.1.  ?

  Linux ipchains  Linux IPv4 t@CAEH[ÕR[h ( BSD 
  ̃pN)̏łAipfwadm ̏ł܂B
  ipfwadm ́A BSD  ipfw ̏łƁA͐MĂ܂B
  Linux o[W 2.1.102 ȍ~ IP pPbgtB^AǗɕKv
  B

  1.2.  Ȃ?

  ȑO Linux ̃t@CAEH[̃R[h fragment ܂񂵁A (
  ȂƂ Intel pł) 32 rbg̃JE^܂񂵁A
  TCP/UDP/ICMP ȊO̎dl̃vgRlĂ܂񂵁AAg~bN(u
  ԓI)ɑ傫([)ύX邱Ƃł܂񂵁At[𖞂
  񂵁AȕȂ܂AǗɂ̂ł(p҂
  ~X₷)B

  (: ŗpuAg~bN( `atomically')v́A
  ipchains ƂR}h̖O̗RɂȂĂƂ낾Ǝv܂B
  [U``FCɕ̃[`ĂÃ`FC
  ǉA͊̃`FCV``FCƒu邱
  ŁAuɂăt@CAEH[̍pύX邱Ƃł܂B)

  1.3.  ǂ?

  ݁AJ[l̃R[h̎嗬 2.1.102 ȍ~łB 2.0 J[lV[Y
  ł́A web y[Wpb`_E[hKv܂BA
  莝 2.0 J[l web ɂēpb`VȂ΁A
  ̌Âpb`͑ OK ł傤B 2.0 J[l̊Y͂悻
  Ă܂B(Ⴆ΁A 2.0.34 J[l̃pb` 2.0.35 J[lɂ
  蓖Ă܂) 2.0 pb` ipportfw  ipautofw pb`Ƃ̌݊
  Ȃ̂ŁA ipchains L̋@\{ɕKvƂȂȂ΁Apb`
  ͂E߂܂B

  1.4.  ǂ?

  y[W3ӏ܂B Penguin Computing Ɋӂ܂B
  <http://netfilter.filewatcher.org/ipchains> the SAMBA Team Ɋӂ
  B <http://www.samba.org/netfilter/ipchains> Jim Pick Ɋӂ܂B
  <http://netfilter.kernelnotes.org/ipchains>

  oO񍐁Ac_AJAgb[OXg܂B[
  OXgւ̓ɂ́AbZ[W ``subscribe ipchains-list'' 
  āA east.balius.com Ƀ[ĉB[OXg̃
  o[SɃ[oɂ́A east.balius.com  ipchains-list g
  B

  2.  pPbgtB^O̊b

  2.1.  pPbgtB^Ƃ͉?

  lbg[NʂSẴgtBbŃApPbǧ`őo܂B
  Ⴆ΁ÃpbP[W(50KoCg͂ł傤)_E[h邱
  ŁA1460oCg̃pPbg36قǂM邱ƂɂȂł傤(ۂɂ
  ̂ƂǂɂČTCY͈قȂ܂)B

  (: ݂ł͂̕100KBzĂ܂:))

  epPbg͂ꂪǂɌꂽ̂Lq镔n܂Aǂ
  痈̂AꂩpPbg̎ނƊǗKvȏڍדe܂ł
  ܂BpPbĝ̊JńAwb_ƌĂ΂Ă܂B܂A`
  Ăۂ̃f[^܂񂾃pPbg̎ć̕Aʏ{fBƌĂ΂
  ܂B

  EFuEgtBbNA[ƃ[gOĈ߂Ɏg邢
  ̃vgR(Ⴆ TCP) `ڑ(RlNV)'Ƃ΂TOg
  Bۂ̃f[^pPbgoOɁA`́Aڑ'A`OK'A
  `肪Ƃ'ƂA(ʂȃwb_𔺂)FXȃZbgAbvEp
  Pbg܂B

  pPbgEtB^́ApPbg̃wb_āÃpPbgŜǂ̂
  Ɏ舵肷鏬ȃ\tgEFAłBpPbg͋(deny)(
  Ȃ킿AMȂ̂悤ɁApPbĝĂ)ƂɌ߂
  ȂA(accept)(Ȃ킿ApPbgʉ߂)邱Ƃ
  Ȃ邩ȂApPbgԋp(reject)(""ƎĂ邯ǁAp
  Pbg̔Mɂ̂Ƃʒm)邩܂B

  Linux ɂẮApPbgEtB^O̓J[lɑgݍ܂Ă
  BāApPbg̎戵Ɋւď΂gbNd|邱Ƃ
  ł܂Å{IȋK͂܂Ńwb_āApPbg̎舵
  肷Ƃ̂łB

  2.2.  Ȃ?

  Rg[BZLeBBĎB

     Rg[:
        Ȃ Linux {bNX̃lbg[Nƕʂ̃lbg[N(
        ΁AC^[lbg)q߂ɎgĂȂA Ȃɂ́A
        ̃gtBbNāÂ̂Ȃ悤ɂ`
        X܂BႦ΁ApPbg̃wb_[ɂ͂ĐAhX 
        ܂ĂāAOlbg[N̂Ƃ鏊֌pPbgۂ
        Ƃł܂Bʂ̗ƂāANetscape g Dilbert ̃A[J
        Cu (: Dilbert ƂGWjAl̕h̃TCgA
        Ȃ݂ dilbert ̈Ӗ'΂') ɃANZXꍇłBy[W
        ɂ doubleclick.net ̍LA Netscape ͂
        _E[h邽߂Ɏ̎ԂQ܂BpPbgtB^[
        doubleclick.net L̃AhX̂ǂȃpPbgȂ
        ɎwΖ͉܂(Ƃ@܂:
        Junkbuster (: http://internet.junkbuster.com
        <http://internet.junkbuster.com> ) ĉ)B

     ZLeB:
        Ȃ Linux {bNXC^[lbgׂ̍ƁA
        ̂Ăȃlbg[N̊ԂɂB̕ȂA΂炵
        ɁAȂ͉ɂė҂hÂƂŐ邱Ƃł
        ܂BႦ΁AȂ̃lbg[Nočŝ͉ł
        ɂāAӂ̂Ô悭mꂽ `Ping of Death' U
        x悤ɂł܂Bʂ̗ƂāAȂ Linux {bNX
        ɁAƂSẴAJEgɃpX[htĂƂĂAO
        ̎҂ telnet Ă邱Ƃ]܂Ȃ܂BԂA
        (̐lX̂悤)C^[lbg߂ĂŁA
        T[o[(DނƍD܂ɂ炸)Ȃ肽Ȃ̂łBPɁA
        pPbgtB^[ŐڑJnpPbg̗ۂāA
        ɂڑȂ悤ɂĉB

        (: "ping" ُɒ ICMP pPbgȂǂlbg[N
        ꂽRs[^ɑāAVXeNbVT[rX
        ~NÛƁB)

     Ď:
        Ƃǂ[Jlbg[NɊݒ̈}VAO
        EɃpPbgRo悤ɂȂĂ邱Ƃ܂B΂炵
        ƂɁApPbgtB^[ُ͉ȂƂNƂɂ
        ɒm点Ă܂Bɂĉ炩̑Ώł邱Ƃm
        A邢͂PɎFDȐiƒm邾܂
        B

  2.3.  ǂ?

  2.3.1.  pPbgtB^O@\LɂJ[l

  V IP t@CAEH[E`F[@\J[lKvłB
  삵ĂJ[lA̋@\gݍ񂾂̂ǂfɂ́A
  /proc/net/ip_fwchains TĂ݂܂傤Bꂪ݂Ȃ΁Aɑg
  ݍ܂Ă܂B

  (: 2.2.xȍ~̃J[lg̏ꍇ́Aɑgݍ܂Ă邱
  Ƃł傤B)

  łȂ΁AȂ IP t@CAEH[E`F[J[l
  Kv܂BŏɁAȂ~J[l̃\[X_E
  [h܂傤BȂ̃J[l o[W 2.1.102 ȍ~̂̂
  Aݎ嗬̃J[lł̂ŁA߂ăpb`𓖂ĂKv͂܂
  BłȂɂ͑Oo Web y[Wpb`肵ēKpA
  ĎɎ悤ȐݒŃJ[l\ĉBAȂ
  @mȂĂAQĂȂ Kernel-HOWTO ǂ݂܂傤B

  (: Kernel-HOWTO̖M http://www.linux.or.jp/JF/JFdocs/Kernel-
  HOWTO.html <http://www.linux.or.jp/JF/JFdocs/Kernel-HOWTO.html> ɂ
  ܂B)

  Ȃ2.0-V[ỸJ[lɐݒ肷KvRtBO[V
  IvV́Aȉ̒ʂł:

  ______________________________________________________________________
          CONFIG_EXPERIMENTAL=y
          CONFIG_FIREWALL=y
          CONFIG_IP_FIREWALL=y
          CONFIG_IP_FIREWALL_CHAINS=y
  ______________________________________________________________________

  2.1  2.2 ̃V[YEJ[l̏ꍇ͎̒ʂł:

  ______________________________________________________________________
          CONFIG_FIREWALL=y
          CONFIG_IP_FIREWALL=y
  ______________________________________________________________________

  c[ł ipchains vÓAJ[lɑ΂ĂǂȃpPbg
  tB^ׂɂĒʒm邽߂̂̂łBȂvO}
  邩AȐlԂłȂAꂪpPbgtB^O𐧌䂷
  @ƂȂ܂B

  2.3.2.  ipchains

  ipchains c[́AJ[l̃pPbgEtB^OɊւZNV
  烋[}폜肵܂B́AȂƂ
  肵ĂAꂪċNɂďĂ܂ƂӖĂ܂BA
  Linux u[gۂɁAmɖ߂@ɂẮA̐
  ``tB^KPvIɂɂ'' QƂĉB

  ipchains ͈ȑO܂IPt@CAEH[邽߂ɎgĂ
  ipfwadm ƒu邱ƂɂȂ܂BɗXNvg̃ZbgA
   ipchains ̃AhX\ł:

  http://netfilter.filewatcher.org/ipchains/ipchains-
  scripts-1.1.2.tar.gz
  <http://netfilter.filewatcher.org/ipchains/ipchains-
  scripts-1.1.2.tar.gz>

  ɂ͈ȑOsĂ̂Ɠ悤ȃX^CŃpPbgEtB^
  Os킹邽߂ ipfwadm-wrapper ƌĂ΂ĂVFXNvg
  ł܂BȂ ipfwadm (ipchainsƔׁAxāAȂ
  `FbNȂ̂)gVXeAbvO[h葁
  @~ȂAȂ͑̃XNvggׂł͂Ȃ
  傤Bɂ͂܂肱 HOWTO KvƂ͂ȂƂƎv
  B

  ipfwadm ֘ȀڍׂɂẮAt^: ``ipchains  ipfwadm Ƃ̈Ⴂ''
  t^: ```ipfwadm-wrapper'XNvgg'' B

  2.3.3.  tB^KPvIɂɂ

  Ȃ݂̌̃t@CAEH[ݒ́AJ[lɊi[āÂ悤
  ċNɂ͎Ă܂܂BȂ̃[PvIɂ邽߂
  `ipchains-save'  `ipchains-restore' XNvggƂ߂
  Bgɂ́A܂Ȃ̃[ݒ肵āÂ悤ɃR}h
  s܂(root ƂĎsĉ):

       # ipchains-save > /etc/ipchains.rules
       #

  XNvĝ͎悤ɍĂ܂:

  #! /bin/sh
  # Script to control packet filtering.

  # If there are no saved rules, do nothing.
  [ -f /etc/ipchains.rules ] || exit 0

  case "$1" in
      start)
          echo -n "Turning on packet filtering:"
          /sbin/ipchains-restore < /etc/ipchains.rules || exit 1
          echo 1 > /proc/sys/net/ipv4/ip_forward
          echo "."
          ;;
      stop)
          echo -n "Turning off packet filtering:"
          echo 0 > /proc/sys/net/ipv4/ip_forward
          /sbin/ipchains -F
          /sbin/ipchains -X
          /sbin/ipchains -P input ACCEPT
          /sbin/ipchains -P output ACCEPT
          /sbin/ipchains -P forward ACCEPT
          echo "."
          ;;
      *)
          echo "Usage: /etc/init.d/packetfilter {start|stop}"
          exit 1
          ;;
  esac

  exit 0

  ꂪN̍ŏ̂Ɏs悤ɂ܂BM҂̃P[X (Debian
  2.1) ł́A `S39packetfilter' ƂV{bNN `/etc/rcS.d'
  fBNgɍĂ܂(́A S40network ̑OɎs܂)B

  (: uŏ̂vƂ̂́ANAlbg[Nɑ΂ĒʐM
  \ƂȂԈȑOɍsƂӖłBlbg[N̑̃T[rXȂǂ
  NƂɃt@CAEI[ݒ肷ƁASݒ肳ĂȂ킸
  ȏuԂ""荞ފ댯܂B)

  3.  Aė! [eBÓA}XJ[fBÓA|[
  gtH[fBÓAtH[fBO(ipautofw)̂ācB

   HOWTO ́ApPbgEtB^Oɂďqׂ̂łB
  pPbgʉ߂̂ǂɂČ߂邱ƂӖĂ܂B
  ȂALinux͂΃nbJ[B̗Vя̂悤Ȃ̂ł̂ŁA
  炭ȏ̋@\ƎvƂł傤B

  1̖́A{ʂȊTOł͂̃}XJ[fBOƓߓIȃv
  LV̐̂߂ɓc[ (``ipchains'') g邱Ƃł(݂
  Linux ł̎ł́A炪sRȂłɂȂĂA
  炪ڂɊ֘AƂۂ^Ă܂܂)B

  (: J[l 2.4.x nł́A̋@\͂ɓĂ
  B̃J[lǵ̕ALinux 2.4 NAT
  HOWTO(http://netfilter.kernelnotes.org/unreliable-guides/NAT-
  HOWTO.html
  <http://netfilter.kernelnotes.org/unreliable-guides/NAT-HOWTO.html>)
  B JFvWFNgɂM
  (http://www.linux.or.jp/JF/JFdocs/NAT-HOWTO.html
  <http://www.linux.or.jp/JF/JFdocs/NAT-HOWTO.html>)܂B)

  }XJ[fBOƃvLVɂĂ͕ʁX HOWTO ȂǂɂĖ
  AtH[fBOƃ|[gEtH[fBO@\͕ʁX̃c[
  Ő䂳܂BA̐lX炻ɂĂ̖₢킹
  Ă܂̂ŁAł͈ÄʓIƂViIƁA
  ̂悤ɂ΂悢Ƃݒ񎦂܂BȂAeZbgAbṽZ
  LeBɊւ钷ɂẮAŘ_c܂B

  3.1.  Rusty ̃}XJ[fBOɊւ 3̎wj

  ́AȂ̊OC^tF[X `ppp0' łƉ肵Ă܂B
  ifconfig R}hāAȂ̊ɍ悤ɓǂݑւĉ
  B

       # ipchains -P forward DENY
       # ipchains -A forward -i ppp0 -j MASQ
       # echo 1 > /proc/sys/net/ipv4/ip_forward

  3.2.  IȐ`:  WatchGuard ŋK

  ŝ̃t@CAEH[p@w邱Ƃł܂BDꂽp@̂
  ƂƂāAWatchGuard Ђ FireBox ܂B FireBox DĂ
  Ǝv̂́A킽CɓĂ邩łAꂪSł
  ALinux x[Xœ삵Ă邩łB܂ẢЂ́Aipchains 
  CeiXƁA(2.4 nJ[lp)Vt@CAEH[̃R[h
  ߂Ɏ񋟂ĂꂽłB܂A킽F̂߂ɍƂ
  ĂԁA WatchGuard Ђ́A킽̐xĂꂽ킯łB
  킯ŁAނ̐iɂĂl肢܂B

  http://www.watchguard.com <http://www.watchguard.com>

  (: WatchGuardЂ̓{̃Z[Ãy[WJ邱Ƃ
  ł܂B)

  3.3.  t@CAEH[IɋʂȐݒ

  Ȃ́A littlecorp.com ƂhCŃVXe𓮂Ă܂B
  ēlbg[NAC^[lbgɑ΂āAIPAhX
  1.2.3.4 ł (firewall.littlecorp.com) ƂRs[^1̃_
  CAbv(PPP)RlNVĂ܂BȂ̓C[Tlbgɂ
  郍[Jlbg[N\zĂAȂ̌lpRs[^
  "myhost" ƌĂ΂Ă܂B

  ̃ZNVł́AʓIƂ邢̔zuł̐ݒɂ
  ڂ܂B͔ɈقȂ܂̂ŁAӐ[ǂݐi߂ĉ
  B

  3.3.1.  [Jlbg[N: `IȃvLV

  ̃ViIł́A[Jlbg[ÑpPbǵAC^[lbg
  s邱Ƃ͂܂B[Jlbg[N IP AhX́A
  RFC1918 ɂăvCx[gȃC^[lbg̂߂ɗpӂĂAh
  X(Ȃ킿 10.*.*.*, 172.16.*.*-172.31.*.* ܂ 192.168.*.*)
  蓖ĂȂ΂Ȃ܂B

  C^[lbgɐڑB̕@̓t@CAEH[ɐڑ邱ƂŁA
  ̃Rs[^̃lbg[N(: C^[lbgƃ[J
  lbg[N)ɒڂȂĂ܂B̃t@CAEH[̏ŃvL
  VƌĂ΂\tg𓮂ƂɂȂ܂( FTP AEFuEANZ
  XA telnet A RealAudio A Usenet News ⑼̃T[rXɂāA"㗝"
  Ƃē܂)BڍׂɂĂ Firewall HOWTO ܂傤B

  (:  "Firewall HOWTO" ̌
  http://www.linuxdoc.org/HOWTO/Firewall-HOWTO.html
  <http://www.linuxdoc.org/HOWTO/Firewall-HOWTO.html> ɂ܂B JFv
  WFNgɂM͂܂ƒłB)

  ȂC^[lbgւ̃ANZXŖ]ރT[rXɂẮAKt@C
  AEH[̃vLVŃT|[gꂽT[rXłȂ΂Ȃ܂(
  Aq ``ꂽT[rX'' QƂĉ)B

  : vCx[glbg[NC^[lbgւ̃EFuEANZX
  

  1. vCx[glbg[ŃA192.168.1.*蓖Ăꂽ̔Ԓn
     ȂAIPAhX192.168.1.100"myhost"ɁAt@CAEH[
     C[TlbgEC^tF[Xɂ192.168.1.1蓖ĂĂ܂B

  2. EFuEvLV(Ⴆ"squid")́At@CAEH[̏ɃCXg[
     Ă|[g8080œĂ܂B

  3. vCx[glbg[NNetscapéAvLVƂăt@CAEH[
     ̃|[g8080g悤ɐݒ肳Ă܂B

  4. DNŚAvCx[glbg[N̒Őݒ肳Kv͂܂B

  5. DNŚAt@CAEH[̏Őݒ肳Kv܂B

  6. ftHgE[g(ʖAQ[gEFC)́AvCx[glbg[N
     ̒Őݒ肳Kv͂܂B

  myhost  Netscape A http://slashdot.org ̃y[W

  1.  Netscape ̓t@CAEH[̃|[g8080ɐڑA myhost ̃|[
     g1050g "http://slashdot.org" ̃EFuEy[W悤
     t@CAEH[Ɉ˗܂B

  2. vLV "slashdot.org" ƂO𒲂ׂāA "207.218.152.131" 
     IPAhX𓾂܂Bꂩt@CAEH[̊OC^tF[
     X(: ppp0 Ȃ)̏Ń|[g1025gāA IP AhXɑ΂
     ăEFuET[o(|[g80)ŃEFuEy[Wv܂B

  3. ̃EFuET[oɑ΂ڑEFuEy[W󂯎ƁA
     Netscapeւ̐ڑփf[^Rs[܂B

  4. NetscapéAy[W\܂B

  ܂A slashdot.org ̑猩ƁA 1.2.3.4 (t@CAEH[ PPP
  C^tF[X)|[g1025A 207.218.152.131 (slashdot.org)|[g80
  ܂Őڑ邱ƂɂȂ܂B myhost ̑猩ƁA 192.168.1.1 (
  t@CAEH[̃C[TlbgEC^tF[X)̃|[g8080
  192.168.1.100(myhost)̃|[g1050ڑ邱ƂɂȂ܂B

  3.3.2.  vCx[glbg[N: ߓIȃvLV

  ̃ViIł́A[Jlbg[ÑpPbǵAC^[lbg
  s邱Ƃ͂܂B[Jlbg[N IP AhX́A
  RFC1918 ɂăvCx[gȃC^[lbg̂߂ɗpӂĂAh
  X(Ȃ킿 10.*.*.* A 172.16.*.*-172.31.*.* ܂ 192.168.*.*)
  蓖ĂȂ΂Ȃ܂B

  C^[lbgɐڑB̕@̓t@CAEH[ɐڑ邱ƂŁA
  ̃Rs[^̃lbg[N(: C^[lbgƃ[J
  lbg[N)ɒڂȂĂ܂B̃t@CAEH[̏"ߓI
  ȃvLV"ƌĂ΂\tg𓮂ƂɂȂ܂Ał̓J[l
  o̓pPbgOɑɁAߓIȃvLVɑoƂɂȂ
  ܂ (Ȃ킿AŨ[eBOs悤ɂȂ܂)B

  ߓIȃvLV𓮂ƂƂ́ANCAg̓vLV݂̑
  ȂĂ悢ƂƂłB

  ȂC^[lbgւ̃ANZXŖ]ރT[rXɂẮAKt@C
  AEH[̃vLVŃT|[gꂽT[rXłȂ΂Ȃ܂(
  Aq ``ꂽT[rX'' QƂĉ)B

  : vCx[glbg[NC^[lbgւ̃EFuEANZX
  

  1. vCx[glbg[ŃA 192.168.1.* 蓖Ăꂽ̔Ԓn
     ȂA IP AhX 192.168.1.100  myhost ɁAt@CAEH[
     ̃C[TlbgEC^tF[Xɂ 192.168.1.1 蓖ĂĂ
     ܂B

  2. ߓIȃEFuEvLV(squid ɑ΂邱̗pr̂߂̃pb`
     Ǝv܂B邢 "transproxy" ̂)̓C
     Xg[āAt@CAEH[̏Ń|[g8080ɂēĂ܂B

  3. J[l ipchains gă|[g80̐ڑvLVɌȂ
     ɎwĂ܂B

  4. vCx[glbg[N Netscape ́Aڐڑ悤
     ݒ肵܂B

  5. DNS ́AvCx[glbg[Nɐݒ肳ĂKv܂(
     Ȃ킿AȂ̓t@CAEH[̏ł́u㗝vƂ DNS T[o
     sKv܂)B

     (:  ܂ANCAg̖ȌׂăvCx[
     glbg[N DNS ŘdȂ΂ȂȂƂƂłB
     ƁAÔ߂̃pPbgNCAgC^[lbgɏo
     Ă܂܂B)

  6. t@CAEH[ɃpPbg𑗂邽߂ɃvCx[glbg[N
     ftHgE[g(ʖAQ[gEFC)ݒ肷Kv܂B

  myhost  Netscape Ahttp://slashdot.org B

  1. NetscapéA "slashdot.org" ƂO𒲂ׂāA 207.218.152.131 
      IP AhX𓾂܂BāA IP AhXɑ΂ă|[
     g1050ɂĐڑAEFuT[o(|[g80)փy[Wf[^v
     B

  2. slashdot.org (|[g80)ւ myhost (|[g1050)̃pPbg̓t@
     CAEH[oR܂A̓|[g8080̏ő҂Ă铧
     IȃvLVɌ܂BߓIȃvLV́A 207.218.152.131
     ̃|[g80(ƂƃNCAg̃pPbgɎw肳Ă)
     ɑ΂āA([Jȃ|[g1025g)ڑs܂B

  3. vLV͂̐ڑɂăEFuET[oy[W󂯎A
     Netscape ɑ΂ڑɂ̃f[^Rs[܂B

  4. NetscapéAy[W\܂B

  ܂A slashdot.org 猩ƁAڑ 1.2.3.4 (t@CAEH[
  PPP C^tF[X)|[g1025A 207.218.152.131 (slashdot.org)
  |[g80܂ł̊ԂōsĂ܂B myhost 猩ƁA 207.218.152.131
  (slashdot.org)̃|[g80ɑ΂āA 192.168.1.100 (myhost)|[g1050
  ł̊ԂōsĂ܂BA͎ۂɂ͓ߓIȃvLVƂ肵
  Ă邱ƂɂȂ܂B

  3.3.3.  vCx[glbg[N: }XJ[fBO

  ̃ViIł́A[Jlbg[ÑpPbǵAʂȈ
  ΃C^[lbgs邱Ƃ͂܂B[Jlbg[N
   IP AhX́A RFC1918 ɂăvCx[gȃC^[lbg̂
  ɗpӂĂAhX(Ȃ킿 10.*.*.* A 172.16.*.*-172.31.*.* 
   192.168.*.*)蓖ĂȂ΂Ȃ܂B

  vLVgɁA "}XJ[fBO" ƌĂ΂ʂȃJ[l
  @\g܂B}XJ[fBÓAt@CAEH[oR̂
  ɃpPbĝŁÃpPbg͏Ƀt@CAEH[
  g炫悤Ɍ܂BꂩA{̗v֑悤ɏ
  ܂B

  }XJ[fBO͂ "gbL[" vgR߂̌
  ʂ̃W[Ă܂BႦ΁AFTP, RealAudio, Quake ȂǂłB
  {Ɏ舵vgR̂߂ɂ́A "tH[fBO" @
  \ɂāA֘A|[g̓]Iɐݒ肷邱ƂɂÄꕔ
  舵Ƃł܂BڍׂɂĂ ``ipportfw'' (2.0nJ[l)
  ܂ ``ipmasqadm'' (2.1nJ[l)𒲂ׂĂ݂ĉB

  ȂC^[lbgւ̃ANZXŖ]ރT[rXɂẮAKt@C
  AEH[̃vLVŃT|[gꂽT[rXłȂ΂Ȃ܂(
  Aq ``ꂽT[rX'' QƂĉ)B

  : vCx[glbg[NC^[lbgւ̃EFuEANZX
  

  1. vCx[glbg[ŃA 192.168.1.* ̔̕ԒnȂA
     myhost ɂ 192.168.1.100 蓖ĂAt@CAEH[̃C[T
     lbgC^[tF[Xɂ 192.168.1.1 蓖ĂĂ܂B

  2. t@CAEH[́AvCx[glbg[NC^[lbg̏
     ̃zXg̃|[g80ւׂ̂ẴpPbg}XJ[h悤ݒ肳
     Ă܂B

  3. Netscape ́Aڐڑ悤ɐݒ肳Ă܂B

  4. DNS ́AvCx[glbg[N̏Őݒ肳ĂȂ΂
     ܂B

  5. t@CAEH[́AvCx[glbg[N̂߂̃ftHgE
     [g(ʖAQ[gEFC)łȂ΂Ȃ܂B

  myhost  Netscape A http://slashdot.org ǂށB

  1. Netscape ́A "slashdot.org" ƂO𒲂ׂāA 207.218.152.131
     Ƃ IP AhX𓾂܂Bꂩ烍[Jȃ|[g1050gāA
      IP AhX̃EFuET[o(|[g80)ɑ΂ĐڑsAEF
     uEy[Wv܂B

  2. slashdot.org (|[g80)ւ myhost (|[g1050)̃pPbg̓t@
     CAEH[ɓnAŃt@CAEH[(|[g65000) PPP C
     ^tF[X痈̂悤ɏ܂B slashdot.org 
     pPbgԂƂ\ƂȂ悤ɁAt@CAEH[͗L
     C^[lbgAhX(1.2.3.4)Ă܂B

  3. firewall.littlecorp.com (|[g65000)ɑ΂ slashdot.org (|[
     g80)̃pPbgԂA myhost (|[g1050)֑邽
     ɏ܂B}XJ[fBO邽߂ "@" ̐
     Ƃ̂́A܂AƂɁA𐳂߂悤ɁAo
     ̓pPbgƂɊoĂƂƂłB

  4. NetscapéAy[W\܂B

  slashdot.org ̑猩ƁAڑ 1.2.3.4 (t@CAEH[ PPP C
  ^tF[X)|[g65000A 207.218.152.131 (slashdot.org)|[g80
  ܂ōsĂ܂B myhost ̑猩ƁAڑ 207.218.152.131
  (slashdot.org)|[g80ɑ΂āA 192.168.1.100 (myhost)|[g1050
  sĂ܂B

  3.3.4.  pubNlbg[N

  ̃ViIł́AȂ̌l̃lbg[N̓C^[lbg̈ꕔ
  : pPbg͕ύX邱ƂȂ̃lbg[N𗬂邱Ƃł
  Blbg[N IP AhX́A IP AhX̃ubN\
  ƂɂĊ蓖Ăꂽ̂̂͂ł̂ŁÃlbg[ŃAǂ
  ĂȂ̌փpPbg͂邩mĂł傤B͌p
  Iɐڑ邱ƂӖĂ܂B

  (: Ⴆ΁A INTERNIC  JPNIC Ȃǂɑ΂鐳葱ɂē
  ꂽpIɎgpł IP AhXȂLĂȂ΂ȂȂ
  ƂƂłB)

  ̏ʂŃpPbgEtB^ÓAǂ̂悤ȃpPbgȂ̃lb
  g[NƂȊÕC^[lbgƂ̊Ԃł肳邩𐧌邽
  ߂ȂǂɎg܂BႦ΁AC^[lbg̑̏ꏊƂ̃pPbĝ
  Ȃ̃EFuT[oɑ΂Ă݂̂Ɍ肳邱Ƃł܂B

  vCx[glbg[NC^[lbgւ̃EFuEANZX

  1. Ȃ̓lbg[ŃAȂo^ IP AhXEub
     N(1.2.3.* Ƃ܂)ɉAhX蓖ĂĂ܂B

  2. t@CAEH[́ASẴgtBbN悤ݒ肳Ă܂B

     (: ŎꂽViI͐̂߂̕֋XIȃP[XłB
     ̃P[Xł́A̐("T[rX̌")Ŏꂽ悤ɁAT[r
     X肷ȂǁAȂ̃lbg[N邽߂ɁAo肷p
     PbgɂēK؂ȋ^ۂ̂߂̏ݒ肵ĂȂ΂
     ܂B)

  3. NetscapéAC^[lbgɒڐڑ悤ɐݒ肳Ă܂B

  4. DNŚAȂ̃lbg[N̏Őݒ肳ĂȂ΂Ȃ܂
     B

  5. t@CAEH[́AvCx[glbg[N̂߂̃ftHgE
     [g(Q[gEFC)łȂ΂Ȃ܂B

  myhost  Netscape Ahttp://slashdot.org B

  1. NetscapéA "slashdot.org" ƂO𒲂ׂāA 207.218.152.131 
      IP AhX𓾂܂Bꂩ烍[Jȃ|[g1050gāA
      IP AhX̃EFuET[o(|[g80)ɑ΂ĐڑsAEF
     uEy[Wv܂B

  2. pPbg͂Ȃ̃lbg[N slashdot.org ̊Ԃ̑̂
     [^[ʂ蔲̂Ɠ悤ɁAȂ̃t@CAEH[ʂ
     Ă肳܂B

  3. NetscapéAy[W\܂B

  ܂Ȁꍇ 207.218.152.131 (slashdot.org)|[g80ƁA
  1.2.3.100 (myhost)|[g1050̊Ԃ̂ЂƂ̐ڑ݂܂B

  3.3.5.  ꂽT[rX

  ÕC^[lbg炠Ȃ̓T[rXɑ΂āAt@CAEH[
  ŃT[rXsȊO̕@Ƃ邱Ƃ̂łgbN΂肠
  ܂B̕@ł̓vLV}XJ[fBOÕRlNV
  ̂߂ɎgpƂAv[`Ƃ܂B

  łPȃAv[` "_CN^[" (͗^ꂽ|[g̏
  ڑ҂Ƃ"n"vLVł)𓮍삳邱ƂłB͂
  炩ߌ߂ꂽzXgƃ|[gɑ΂ĐڑsAf[^
  ڑ̊ԂŃRs[܂B "redir" vOgƁAÕC
  ^[lbg猩ƁAڑ͂Ȃ̃t@CAEH[ɑ΂čs
  ܂B̃T[ȏ猩ƁAt@CAEH[Ƃ̃T[oɑ΂Đ
  s悤ɂȂ܂B

  ̃Av[`(ɂ ipportfw ̂߂Ƀpb`𓖂Ăꂽ 2.0
  nJ[lA邢 2.1 nȍ~̃J[lKvł)̓J[lł
  |[gEtH[fBOgƂłB́A "redir" Ɠ
  ʂȕ@ōs܂B܂AJ[l͓nꂽpPbgɑ΂āA̖
  IAhXƃ|[g̃zXgƃ|[gɑ΂Čꂽ悤ɏ
  ܂BÕC^[lbg猩ƁAȂ̃t@CAEH[ɑ΂
  Đڑꂽ悤Ɍ܂B܂AȂ̓̃T[o猩ƁAC
  ^[lbgEzXgT[o܂ŒڐڑĂ悤Ɍ܂B

  3.4.  }XJ[fBOɑ΂邻̑̏

  David Ranch ̓}XJ[fBOɊւDꂽV HOWTO ܂
  B HOWTO Ƃ͑̏d܂Ãy[W猩
  Ƃł܂B

  http://www.linuxdoc.org/HOWTO/IP-Masquerade-HOWTO.html
  <http://www.linuxdoc.org/HOWTO/IP-Masquerade-HOWTO.html>

  }XJ[fBǑy[Ŵ͎ƂłB

  http://ipmasq.cjb.net <http://ipmasq.cjb.net>

  4.  IP t@CAEH[O`FC

  ̏͂́AȂ̕KvɊpPbgtB^\z邽߂ɁAۂ
  mĂȂ΂ȂȂƂSĐ܂B

  4.1.  ǂ̂悤ɃpPbgtB^ʉ߂̂

  J[l͋N 3̃[XgێĂ܂B̃Xg
  t@CAEH[`FCA܂͒PɃ`FCƌĂ΂܂B 3̃`FC
  ́A input, output  forward ƌĂ΂܂BpPbg (Ⴆ΁A
  C[TlbgJ[hʂ) ėƁAJ[l͂̃pPbǵu^
  v肷邽߂ input `FCg܂BpPbg̃Xebv
  ŐcƁAJ[l̓pPbgɂǂɑ邩肵܂B(
  [eBOƌĂт܂B) pPbg̃}V֍sƒ߂Ă
  Ȃ΁A forward `FC𒲂ׂ܂BŌɁApPbgo͂O
  ɁAJ[l output `FC𒲂ׂ܂B

  1̃`FC͕̃[̃`FbNXg\Ă܂BeX
  ̃[́uApPbg̃wb_[ȂApPbĝ
  ɂȂvƎw܂BA郋[pPbgƃ}b`Ȃ
  ΁A`FC̎̃[ׂ܂BŏIIɁAׂ郋[
  ȂAJ[l͂̃`FC̃|V[(j)ĉ邩߂
  BZLeBӎ̋VXeł́Ã|V[͕ʁApPbg
  DROP 悤ɃJ[lɎw܂B

  ASCII A[gt@̂߂ɁA}VɓpPbg̊SȒʂ蓹
  ɋL܂B

  (: ̕ł͓{ꕶR[hp "JIS A[g" 쐬Ă
  ܂B
  SpƔp݂ "JIS A[g" A Netscape
  Navigator/Communicator  Microsoft Internet Explorer ŕ\ƁA
  p̕ƑSp̔̕䂪vȂׂɁAwK^K^ɕꂽ}
  ʁxɂȂĂ܂܂B
  html  ۂɂ́A lynx  w3m ̃eLXguEUE߂
  B)

      
                                                               lo interface
                                                          (back to Checksum)
                                                                     ^
                                                                     |
     -->Checksum-->Sanity-->input-->Demasquerade-->Routing-->forward-->output-->ACCEPT
           |         |      chain        |         decision     chain     chain
           v         v        |          |            |           |          | ^
         DENY      DENY     DENY/        |            v           v          v |
                           REJECT        |      Local process   DENY/    DENY/ |
                                         |            |        REJECT   REJECT |
                                         +------------+------------------------+

   (input chain: ACCEPT lets the packet continue, REDIRECT hands it to a local
   process; Demasquerade passes replies to masqueraded connections straight to
   the output chain.)

  ȉɊeX̒iKł̐𒀈L܂B

     `FbNT:
        pPbg̕@ɂĉ󂳂ĂȂeXg܂BpPb
        gĂ΁Aے肳܂B

     :
        eX̃t@CAEH[`FC̑Oɂ̃pPbg̐
        `FbN܂BA input `FĈꂪłdv
        łBُ̈ȃpPbg͋K`FbNR[h鋰
        ܂B͂Ŕے肳܂B (ꂪ
        syslog ɃbZ[WL^܂B)
     input `FC:
        pPbgeXgŏ̃t@CAEH[`FCłB`FC
        ̔f DENY (ے) ܂ REJECT () łȂ΁ApPbg
        ̓͑܂B

     f}XJ[h(}XJ[hO):
        pPbgȑOɃ}XJ[hꂽpPbgɑ΂鉞ȂA}X
        J[hOA output `FC܂ňCɏ΂܂B
        IP }XJ[hgĂȂ΁AӐ}IɏL̐}ł
        ܂B

     [eBǑ:
        (pPbg)tB[h̓[eBOR[hɂāÃp
        Pbg[JvZXɍsׂȂ̂ ([JvZX̏͂
        QƂĉ) A[g}Vɓ]̂ (tH[h`F
        C̏͂QƂĉ) 肷邽߂ɒׂ܂B

     [JvZX:
        }VŉғvZX̓[eBǑ̒iǨ̃pPb
        g󂯎ƋɁApPbg𑗐Mł܂B (MpPbg
        [eBOXebvoāA output `FCʉ߂܂B)

     lo C^[tF[X:
        [JvZX̃pPbg[JvZXɍŝȂ
        ΁A `lo' Ɛݒ肳ꂽC^[tF[X output `FC
        ʂ蔲AĂ `lo' C^[tF[X input `FCɓ
        B lo C^[tF[X͒ʏ탋[vobNC^[tF[XƌĂ
        ܂B

     [J:
        pPbg[JvZXŐꂽ̂łȂȂA forward
        `FC`FbNAȂ΁ApPbg output `FC
        s܂B

     forward `FC:
        ̃`FCɂ͂̃}V瑼֓]SẴpPbgʉ
        ܂B

     output `FC:
        ̃`FCɂ͏o͂钼ȎSẴpPbgʉ߂܂B

  4.1.1.  ipchains g

  悸A̕ɂĈ莝 ipchains ̃o[WAȉ̂悤
  QƂ܂傤:

       $ ipchains --version
       ipchains 1.3.9, 17-Mar-1999

  LƂāA1.3.4 (`--sport' ̂悤ȒIvV܂) A
  1.3.8 ȍ~E߂܂; ͑ψ肵Ă܂B

  X̎ɂĂ̂ƏڂKvȂAipchains ɂ͂Ȃ
  }jAy[W (man ipchains) ܂Bɏڂem肽
  ȂAvO~OC^[tF[X(man 4 ipfw) A 2.1.x 
  J[l\[X net/ipv4/ip_fw.c t@C𒲂ׂƗǂł傤B
   (炩) Mł܂B

  \[XpbP[Wɂ Scott Bronson ɂf炵NBbNt@
  XJ[h܂B A4܂ US ^[TCY PostScript(TM) ̗
  ܂B

  ipchains gĐFXȂƂł܂B悸AŜ̃`FCǗ
  BȂ 3̑gݍݍς݃`FCłA input, output,
  forward (͍폜ł܂)n߂܂B

  1. V`FC (-N)

  2. ̃`FC폜 (-X)

  3. gݍݍς݃`FC̃|V[ύX (-P)

  4. `FC̃[XgAbv (-L)

  5. `FC烋[Sď (-F)

  6. `FC̑SẴ[̃pPbgƃoCg̃JE^[[ɂ
     (-Z)

  `FC̃[𑀍삷ɂ͗lXȕ@܂:

  1. `FCɐV[ǉ (-A)

  2. `FĈʒuɐV[} (-I)

  3. `FĈʒũ[u (-R)

  4. `FĈʒũ[폜 (-D)

  5. `FC̓Kŏ̃[폜 (-D)

  }XJ[fBOɊւ鑀삪ȂȂ炠܂Bzu
  ɑꏊ̗v]ׂ̈ ipchains Ɋ܂܂Ă܂B

  1. ݂̃}XJ[hꂽڑ̈ꗗ\ (-M -L)

  2. }XJ[fBÕ^CAEglݒ肷 (-M -S) (ł ``}XJ
     [fBÕ^CAEglݒł܂!'' ĉB)

  Ō (ċ炭ł֗) @\́Aw肵pPbgw肵`F
  Cʉ߂ȂÃpPbgǂȂ̂Ƀ`FbNł邱
  ƂłB

  4.1.2.  Ȃ̃Rs[^N鎞Ɍ

  ipchains R}hNO (: ̃fBXgr[V
  ł͏XNvg ipchains NĂ܂) ́Agݍݍς݂
  [ (`input', `forward'  `output') ȊOɂ͉܂B
  eX̃`FC ACCEPT () ̃|V[ɐݒ肳Ă܂B͑S
  Ă󂯓邱ƂƓłB

  4.1.3.  P̃[ł̑

  [𑀍삷邱 \  ipchains ̊{łBقƂǂ̏ꍇA
  ʁAȂ͒ǉ (-A) ƍ폜 (-D) R}hgƂɂȂł傤Bc
  ̃R}h(} -I ƒu -R )́ÅTOP(@\)g
  ̂łB

  eX̃[ɂ́ApPbgׂ̃ZbgƁAꂽ
  Ƃɂ邱(e^[Qbgf)w肵܂BႦ΁AIP AhX
  127.0.0.1 ėSĂ ICMP pPbgjƂ܂B
  ꍇ̏̓vgR ICMP ŁA\[XAhX 127.0.0.1 ŁA^[
  Qbg `DENY'(ے) łB

  127.0.0.1  `[vobN' C^[tFCXŁA͂Ȃ̃}V
  ۂ̃lbg[NɌqĂȂĂ݂܂B `ping' vO
  ̂悤ȃpPbg (ping  P ICMP ^Cv8 (GR[v)𑗂AS
  Ă͓̋IȃzXg͐e؂ɂ ICMP ^Cv 0 (GR[)̃pPbgł
  ɉ܂)𔭐̂Ɏg܂B̓eXgɖ𗧂܂B

       # ping -c 1 127.0.0.1
       PING 127.0.0.1 (127.0.0.1): 56 data bytes
       64 bytes from 127.0.0.1: icmp_seq=0 ttl=64 time=0.2 ms

       --- 127.0.0.1 ping statistics ---
       1 packets transmitted, 1 packets received, 0% packet loss
       round-trip min/avg/max = 0.2/0.2/0.2 ms
       # ipchains -A input -s 127.0.0.1 -p icmp -j DENY
       # ping -c 1 127.0.0.1
       PING 127.0.0.1 (127.0.0.1): 56 data bytes

       --- 127.0.0.1 ping statistics ---
       1 packets transmitted, 0 packets received, 100% packet loss
       #

  ̂Ƃŏ ping Ă܂(`-c 1'  ping ɃpPbg 1
  悤ɎwĂ܂)B

  Ƀ[ `INPUT' `FCɒǉ (-A) ܂B[̎ẃA
  127.0.0.1  (`-s 127.0.0.1') ŃvgR ICMP (`-p icmp') ̃pPb
  ǵADENY փWv (`-j DENY') łB

  ꂩ 2Ԗڂ ping Ń[eXg܂BAėȂ҂
   ping ~߂܂ŏ̊Ԃł傤B

  [폜ɂ 2ʂ̕@܂B 1Ԗڂ́AႦ΁A input
  `FCɂ̓[ 1Ȃ̂𕪂Ăꍇł́Aԍg
  Ĉȉ̂悤ɍ폜ł܂:

               # ipchains -D input 1
               #

  INPUT `FC̃[ԍ 1 폜B
  2Ԗڂ̕@ -A R}hʂ -A  -D ɒû
  B̓[Gȃ`FC̏ꍇŁAႦ΁A菜̂[
   37 ƒTĂ邽߂Ƀ[𐔂ȂꍇɗLłB̏
  Â悤Ɏg܂:

               # ipchains -D input -s 127.0.0.1 -p icmp -j DENY
               #

  -D ̏́A -A (܂ -I  -R) R}h̎ƐmɓIvV
  łȂ΂Ȃ܂BA`FCɕ̃}b`郋[
  Aŏ̂̂폜܂B

  4.1.4.  tB^O̎dl

  ܂łɁAvgRw肷 `-p' IvVƁA\[XAhXw
  肷 `-s' IvVĂ܂ȂɂpPbg̓w
  lXȃIvV܂BꂩÅTv܂ƂȂ
  b܂B

  4.1.4.1.  \[Xƈ IP AhX̎w

  \[X (-s) yш (-d) IP AhX 4ʂ̎w@܂B
  ƂʓIȕ@͊SɋLqꂽO(FQDN)gƂŁAႦ
  ΁A`localhost' Ƃ `www.linuxhq.com' łB 2Ԗڂ̕@
  `127.0.0.1'̂悤 IP AhXw肷@łB

  3Ԗڂ 4Ԗڂ̕@ IP AhX̃O[vw肷@ŁA
  `199.95.207.0/24' Ƃ `199.95.207.0/255.255.255.0' ̂悤ɏ܂B
  Ƃ 199.95.207.0  199.95.207.255 ܂ł̂ǂ IP AhX܂
  wŁÂƂ `/'  IP AhX̂ǂ̕܂ŗL
  Ă܂Bȗ `/32' ܂ `/255.255.255.255' (IP AhX̊S
  v)łBǂ IP AhXł悢ꍇ́Aȉ̂悤 `/0' g
  ܂:

               # ipchains -A input -s 0/0 -j DENY
               #

  Ľʂ `-s' IvVw肵Ȃ̂ƑSȂ̂ŁAȎg
  ͂߂ɂ܂B

  4.1.4.2.  ے̎w

  `-s'  `-d' ܂ޑ̃tÓA`!' (ے̐錾) ̈̑Oɒu
  Ƃł܂B `-s'  `-d' ̏ꍇ͗^ꂽAhXƓȂ
  AhXƃ}b`܂BႦ΁A `-s ! localhost' ̓[JzXg
  łȂSẴpPbgƃ}b`܂B

  `!' ̑OɃXy[X̂YȂŉB{ɕKvȂ̂łB

  4.1.4.3.  vgR̎w

  vgR `-p' tOŎw肵܂BvgR̒l͔ԍ(Ȃ IP
  ̃vgR̐lԍmĂꍇ) `TCP', `UDP' ܂ `ICMP'
  Ƃ̖̂Ŏw肵܂B啶̋ʂ͂܂񂩂A`tcp'
   `TCP' Ɠ܂B

  vgR̂͂ے肷邽߂ `!' Oɕt邱Ƃł܂B
  Ⴆ΁A`-p ! TCP'  TCP łȂpPbgw肵܂B

  4.1.4.3.1.  UDP  TCP |[g̎w

  ʂȏꍇł TCP  UDP ̃vgRw肳ꂽɂ́A TCP 
   UDP ̃|[gA͊܂܂|[g͈̔ (Aq ``tO
  g̏''QƂĉ) wg݂܂B͈͕͂
   `:' ŕ\܂BႦ `6000:6010'  6000  6010 ͈̔͂Ɋ
  ܂11̃|[gԍ܂Blȗ΁AftHg
   0 Ӗ܂Blȗ΁AftHg 65535 Ӗ
  BłA1024Ԉȉ̃|[g TCP ڑw肷ɂ́A
  `-p TCP -s 0.0.0.0/0 :1023' Ƃ܂B|[gԍ `www' ̂悤ɁA
  Ołwł܂B

  LƂāA|[gw̑Oɂ͔ےӖ `!' uƂł
  BłA WWW pPbgȊȎSĂ TCP pPbgw肷ɂ́A
  ̂悤Ɏw肵܂B

  -p TCP -d 0.0.0.0/0 ! www

  ȉ̎wƁA

  -p TCP -d ! 192.168.1.1 www

  ȉ̎w͑SႤƂFĉB

  -p TCP -d 192.168.1.1 ! www

  ŏ̗́A 192.168.1.1 ȊȎSẴ}V WWW |[gւ TCP p
  Pbgw肵܂B̗́A WWW |[gSẴ|[gɂ
  192.168.1.1 ւ TCP ڑw肵܂B

  ŌɁÃP[X WWW |[głȂA 192.168.1.1 łȂƂӖ
  ܂:

  -p TCP -d ! 192.168.1.1 ! www

  4.1.4.3.2.  ICMP ^CvƃR[h̎w

  ICMP ɂ܂IvV܂A ICMP ̓|[g܂
  B (ICMP ɂ̓^CvƃR[h܂) ɂ͈قȂӖ
  B

  `-s' IvV̌ ICMP l[p (ipchains -h icmp pāA
  l[ꗗ\܂) A ICMP ^CvƃR[h̐lp邩ŁA
  w肵܂B^Cv `-s' IvV̌ɁAR[h `-d' Iv
  V̌Ɏw肵܂B

  ICMP l[͂Ȃ蒷ł: Ƃ͂ʂł镪̒
  łΏ\łB

  łʓI ICMP pPbg̏ȈꗗȉɎ܂:

       Number  Name                     Required by

       0       echo-reply               ping
       3       destination-unreachable  any TCP/UDP traffic
       5       redirect                 routing, if you are not running a routing daemon
       8       echo-request             ping
       11      time-exceeded            traceroute

  ICMP l[ `!' uȂƂɒӂĉB

  ΂ɐ΂ɐ΂ɁA ICMP ^Cv3 bZ[W̑SubNȂ!!
  (q``ICMP pPbg''QƂĉ)

  4.1.4.4.  C^[tFCX̎w

  `-i' IvV̓}b`ׂC^[tFCX̖Ow肵܂BC
  ^[tFCXƂ́ApPbgė邩A܂͏očsfoCX
  Bifconig R}hg `up' ł (Ȃ킿AĂ)C
  ^[tFCXXgAbvł܂B

  pPbg (Ȃ킿A input `FCʉ߂pPbg) ̃C
  ^[tF[X́A炪ꍞŗC^[tF[Xł̂ƌ
  ܂B_Iɂ́AočspPbg (output `FCʉ߂p
  Pbg) ̃C^[tF[X́A炪očsł낤C^[tF[X
  ł܂B forward `FCʉ߂pPbg̃C^[tF[X
  A炪očsł낤C^[tF[Xł; ɂ́A͑S
  ƒfɎv܂B

  (: Œ҂ forward `FC̃C^[tF[Xo̓C^[
  tF[XɂƂɍRcĂ悤Ɏv܂BԂ񒘎҂͓͂Əo
  ̗włق悢ƎvĂāAłA ipchains ɂ̓C^[
  tFCXw肷IvV -i ̂PȂ̂ŁAǂ炩ɂ
  ȂBƌbƎv܂B ipchains ̌pł iptables 
  ́A FORWARD `FCŁA͂Əo̗͂̃C^[tFCXwł
  悤ɂȂĂ܂B)

  ݑ݂ĂȂC^[tFCXw肷邱Ƃ͑S肪܂
  Aw肵C^[tFCX up ė܂Ń[}b`邱Ƃ
  ܂B̓_CAAbv PPP N(ʏC^[tFCX
  ppp0 )⓯l̂̂ɂĔɗLłB

  ʂȃP[XƂāAC^[tF[X̍Ōオ `+' ŏÎ́A (
  ݑ݂Ă悤ƂȂ낤) ̕񂩂n܂SẴC^[
  tF[XɃ}b`܂BႦ΁ASĂ PPP C^[tF[XɃ}b`
  郋[w肷ɂ́A -i ppp+ IvVg܂B

  w肵C^[tFCXƈvȂpPbgɃ}b`悤ɃC^[
  tFCX̑Oɂ `!' uƂł܂B

  4.1.4.5.  TCP SYN pPbĝ݂w肷

   TCP RlNVA͋Ȃ悤ɂ邱Ƃ
  XɂėLłBႦ΁AȂO WWW T[o[Ɛڑ
  ÃT[o[̐ڑȂƂłB

  ̃T[o[痈 TCP pPbgubN邱Ƃ͎Rȕ@łB
  cOȂƂɁATCP RlNVɂ͂Ƃɂ̃pPbgs
  ƂKvłB

  ̉@́ARlNVvɗppPbĝ݂ubN
  ƂłB̂悤ȃpPbg SYN pPbgƌĂ΂܂B (ZpI
  ́ASYN tOݒ肳ĂāA FIN  ACK tONAĂp
  Pbgw܂AX͂ SYN pPbgƌĂт܂B) ̃p
  PbgȂƂŁȀ̐ڑv~߂܂B

  `-y' tO͂̂߂Ɏg܂:  TCP vgRw肳Ă
  ꍇɂĂ̂ݗLłBႦ΁A 192.168.1.1 v TCP R
  lNVw肷ɂ:

  -p TCP -s 192.168.1.1 -y

  xÃtO͂̑O `!' uƂɂ (: ! -y Ƃ
  ) ے肷邱ƂłA͐ڑJñpPbgSẴpPbg
  Ӗ܂B

  4.1.4.6.  tOg̏

  ɁAxɃP[uɑoɂ̓pPbg傫߂邱Ƃ܂B
  ȂƂ́ApPbg̓tOgɕÃpPbgő
  ܂BM_ł̃tOgĂяW߂ĊSȃpPbgɍč\
  ܂B

  tOg̖_́AXgAbvdl̊ (ɁA\[X
  |[gA|[gA ICMP ^CvA ICMP R[hA TCP SYN tO)
  ́AJ[lɁAŏ̃tOgɂ܂܂ĂpPbg̎n߂̕
  `悤ɗvĂ_ɂ܂B

  Ȃ̃}VOlbg[Nɂ̂ݐڑȂAJ[l "IP:
  ɃftOg"  Y ɐݒ肵ăRpC邱ƂɂAʉ
  SẴtOgč\z悤 Linux J[lɖ邱Ƃ
  ł܂B͖܂܂B

  łȂ΁AtB^O[tOgǂ̂悤Ɉ
  邱ƂdvłB񂪖΂ǂȃtB^O[}b
  `܂B̈ӖƂ 1Ԗڂ̃tOg͑̃pPbgƓ
  悤Ɉ܂B 2Ԗڈȍ~̃tOg͈قȂ܂B]āA -p
  TCP -s 192.168.1.1 www Ƃ[ (\[X|[g `www' ̎w)́A
  tOg(1Ԗڂ̃tOgȊO)ƌă}b`܂Blɔ
  ̃[ -p TCP -s 192.168.1.1 ! www }b`܂B

  Ƃ͂A`-f' tOpāA 2Ԗڋyтȍ~̃tOgɍv
  郋[wł܂B炩ɁÂ悤ȃtOg[ɂ
  TCP  UDP |[gA ICMP ^CvA ICMP R[h TCP SYN tOw
  ̂͊ԈႢłB

  ܂A`!'  `-f' ̑OɕtāA 2Ԗڈȍ~̃tOgƓKȂ
  [̎wł܂B

  ʏAtB^O 1Ԗڂ̃tOgɌ͂̂ŁAړĨzX
  gł̃tOg̍đgݗĂW邽߁A2Ԗڈȍ~̃tOg
  ʉ߂邱Ƃ͈SƂ݂ȂĂ܂BƂ͂AtOg𑗂邱
  ƂɂȒPɃ}VNbV邱ƂłoOmĂ
  BׂĉˁB

  lbg[NǗ҂̂߂̒L: ُȃpPbg(TCP, UDP  ICMP 
  pPbgŒZăt@CA[EH[̃R[h|[gԍ܂ ICMP 
  R[hƎނǂ߂Ȃ)́AtOgƓlɎ舵܂Bt
  Og̈ʒu 8 n܂TCP pPbgɃt@CAEH[
  R[hɂĔj܂B(ꂪ syslog ɃbZ[W
  ܂B)

  Ⴆ΁Ã[ 192.168.1.1 ֍stOg͂ǂłj
  :

       # ipchains -A output -f -d 192.168.1.1 -j DENY
       #

  4.1.5.  tB^O̕I

  āAX̓[păpPbgɃ}b`@̑SĂm܂
  BpPbg[Ƀ}b`ƁAȉɋLƂN܂:

  1. Y郋[̃oCgJE^̓pPbg̃TCY(wb_Ƃ̑S
     ) ɂđ܂B

  2. Y郋[̃pPbgJE^pPbg̐ɂ1 Z
     B

  3. [vȂApPbgOɋL^܂B

  4. [vȂApPbg Type Of Service (TOS) tB[h
     ύX܂B

  5. [vȂApPbgɈ󂪕t܂B(2.0 J[lV
     [Yɂ͂܂B)

  6. pPbgɑ΂Aɉs킹邩肷ׂA[^[Qbg
     ܂B

  ȊO̎ނɂẮAdvxɉĎtƎv܂B

  4.1.5.1.  ^[Qbg̎w

  ^[Qbg̓[Ƀ}b`pPbgɑ΂ׂJ[lɎw
  ܂B ipchains ̓^[Qbg̎w `-j' p܂B(`Wv
  'ƍlĉ) ^[Qbg 8ȉłȂ΂Ȃ炸A܂召
  ʂ܂: "RETURN"  "return" ͑SʕłB

  łPȃP[X͎w肳^[QbgSȂꍇłB̃[
  ^Cv (΂ `v' [ƌĂ΂܂) ͒PɈ̃pPbg̃^
  CvJEĝɕ֗łB̃[Ƀ}b`邩ۂɂ
  AJ[l͒PɃ`FC̎̃[܂BႦ΁A
  192.168.1.1 ̃pPbg̐𐔂ɂ́Aȉ̂悤ɂł܂:

       # ipchains -A input -s 192.168.1.1
       #

  (`ipchains -L -v' pāAeX̃[Ɋ֘AtꂽoCgyуp
  PbgJE^܂B)

  6̓ʂȃ^[Qbg܂Bŏ 3 ACCEPT, REJECT  DENY
  ͂ƂĂPłB ACCEPT ̓pPbg̒ʉ߂܂B DENY ͂
  pPbg󂯎ĂȂ̂悤ɔj܂B REJECT ̓pPbg
  j܂A(ꂪ ICMP pPbgłȂȂ) ͖Bł
  Ƃm点 ICMP ԓA\[Xɑ΂Đ܂B

  ̈A MASQ ̓J[lɃpPbg}XJ[h邱Ƃm点
  B𓮍삳ɂ́AJ[l IP }XJ[fBOLɂ
  RpCĂKv܂BڍׂɂẮA Masquerading-
  HOWTO ƁAt^``ipchains  ipfwadm Ƃ̈Ⴂ''ĉB̃^[
  Qbg forward `FCʉ߂pPbgɂĂ̂ݗLłB

  ̎vȓʂȃ^[QbǵAJ[lɑ΂āA甭
  킸ɃpPbg[J|[g֑A REDIRECT łB̓vgR
   TCP ܂ UDP w肵Ă郋[ɂĂ̂ݎwł܂BC
  ɁA|[g (O͔ԍ)  `-j REDIRECT' Ǝwł܂B̓p
  Pbg̃|[gփAhXĂƂẴ|[g֓]
  ʂ܂B̃^[Qbg input `FCʉ߂pPbgɂ
  Ă̂ݗLłB

  Ō̓ʂȃ^[Qbg RETURN ŁAɃ`FC̍Ōɗނ
  ƓłB(q``|V[ݒ肷''QƂĉB)

  ̃^[Qbg̓[U[w̃`FC܂B (q```FC
  ''ŐĂ܂B) pPbg͂̃`FC̃[ʉ߂n
  ܂B̃[U``FCł̌SďIĂpPbg̉^
  Ȃ΁Ã݂`FCɖ߂A̎̃[猟ĊJ܂B

  ASCII A[g̎ԂłB2(΂)`FC: input (gݍݍ
  ݃`FC) test ([U``FC)ōl܂傤B

            `input'                         `test'
           ----------------------------    ----------------------------
           | Rule1: -p ICMP -j REJECT |    | Rule1: -s 192.168.1.1    |
           |--------------------------|    |--------------------------|
           | Rule2: -p TCP -j Test    |    | Rule2: -d 192.168.1.1    |
           |--------------------------|    ----------------------------
           | Rule3: -p UDP -j DENY    |
           ----------------------------

  192.168.1.1 痈 1.2.3.4 ֌ TCP pPbgɂčl܂
  BpPbg input `FCɓA܂A[ 1 ܂\
  }b`܂B[ 2 }b`āÃ^[Qbg Test Ȃ̂ŁA
  Ɍ郋[ Test ̐擪łB Test ̃[ 1 ̓}b`
  A^[Qbgw肵ĂȂ̂ŁÃ[ł郋[ 2 
  ܂B̓}b`Ȃ̂ŁA`FC̏IɒB܂B
  [ 2 ̂ input `FCɖ߂Aōx̓[ 3 
  ܂A܂}b`܂B

  ŁApPbǧoĤ͎悤ɂȂ܂:

                                   v    __________________________
            `input'                |   /    `Test'                v
           ------------------------|--/    -----------------------|----
           | Rule1                 | /|    | Rule1                |   |
           |-----------------------|/-|    |----------------------|---|
           | Rule2                 /  |    | Rule2                |   |
           |--------------------------|    -----------------------v----
           | Rule3                 |  |
           ------------------------|---
                                   v

  [U``FCʓIɎg@́A``t@CAEH[[ǂ
  悤ɍ\z邩''̏͂QƂĉB
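  The traversal just described (a rule with no target only counts, a user chain
  that runs off its end returns to the caller, the built-in chain's policy decides
  last) is modelled below in Python. This is an added example, not code from the
  HOWTO or from the ipchains tool; the `Packet`, `Rule` and `Chains` names are this
  example's own, and it reproduces the input/Test chains from the text so the
  counters can be checked.

```python
"""Model of ipchains rule traversal (added example, not part of the HOWTO or of
ipchains).  A chain is an ordered rule list; a rule matches on protocol, source
and destination (host or address/mask, optionally negated with '!') and on the
SYN-only test (-y).  A matching rule with no target just counts.  A target that
names a user chain enters it; if that chain ends without a verdict (or hits
RETURN) control comes back to the next rule of the caller.  If a built-in chain
ends without a verdict, its policy applies."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

VERDICTS = {"ACCEPT", "DENY", "REJECT", "MASQ", "REDIRECT"}


def _network(spec):
    # ipchains accepts "0/0" for "any address"; ipaddress needs the long form.
    if spec in ("0/0", "0.0.0.0/0"):
        return ipaddress.ip_network("0.0.0.0/0")
    # "1.2.3.4", "199.95.207.0/24" or "199.95.207.0/255.255.255.0" all work here.
    return ipaddress.ip_network(spec, strict=False)


@dataclass
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    syn: bool = False   # SYN set with ACK and FIN clear, what -y looks for


@dataclass
class Rule:
    proto: Optional[str] = None     # -p; None matches any protocol
    src: Optional[str] = None       # -s; None behaves like 0/0
    dst: Optional[str] = None       # -d
    src_neg: bool = False           # "!" in front of the -s address
    dst_neg: bool = False
    syn_only: bool = False          # -y
    target: Optional[str] = None    # -j; None means "count only"
    packets: int = 0                # the counter that ipchains -L -v shows

    def matches(self, pkt):
        if self.proto and pkt.proto.lower() != self.proto.lower():
            return False
        if self.syn_only and not pkt.syn:
            return False
        for spec, neg, addr in ((self.src, self.src_neg, pkt.src),
                                (self.dst, self.dst_neg, pkt.dst)):
            if spec is not None:
                hit = ipaddress.ip_address(addr) in _network(spec)
                if hit == neg:      # wanted a hit and missed, or "!" and hit
                    return False
        return True


class Chains:
    def __init__(self):
        self.chains = {"input": [], "output": [], "forward": []}
        self.policy = {"input": "ACCEPT", "output": "ACCEPT",
                       "forward": "ACCEPT"}

    def new(self, name):                     # ipchains -N name
        self.chains[name] = []

    def append(self, chain, rule):           # ipchains -A chain ...
        self.chains[chain].append(rule)

    def set_policy(self, chain, verdict):    # ipchains -P chain verdict
        self.policy[chain] = verdict

    def _walk(self, chain, pkt, depth=0):
        """Return a verdict, or None when the chain ran off its end."""
        if depth > 8:
            raise RuntimeError("chain loop")
        for rule in self.chains[chain]:
            if not rule.matches(pkt):
                continue
            rule.packets += 1
            if rule.target is None:          # count-only rule
                continue
            if rule.target in VERDICTS:
                return rule.target
            if rule.target == "RETURN":      # same as falling off the end
                return None
            verdict = self._walk(rule.target, pkt, depth + 1)
            if verdict is not None:
                return verdict
        return None

    def check(self, chain, pkt):             # like "ipchains -C chain ..."
        verdict = self._walk(chain, pkt)
        return verdict if verdict is not None else self.policy[chain]


def howto_example():
    """The input/Test chains from the text."""
    c = Chains()
    c.new("Test")
    c.append("input", Rule(proto="icmp", target="REJECT"))
    c.append("input", Rule(proto="tcp", target="Test"))
    c.append("input", Rule(proto="udp", target="DENY"))
    c.append("Test", Rule(src="192.168.1.1"))
    c.append("Test", Rule(dst="192.168.1.1"))
    return c


if __name__ == "__main__":
    c = howto_example()
    print(c.check("input", Packet("tcp", "192.168.1.1", "1.2.3.4")))
```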

  4.1.5.2.  pPbg̃OL^

  ̓[Ƀ}b`邱Ƃ̕Iʂł; }b`pPbg
  `-l' tOpăOɋL^邱Ƃł܂BʁAʏ̃pPbg
  ɂăOL^͂Ȃł傤ǁAOIȃCxg
  ɕ֗ȓłB

  ̏̃J[l̃O͈ȉ̂悤Ȋł:

       Packet log: input DENY eth0 PROTO=17 192.168.2.1:53 192.168.1.1:1025
         L=34 S=0x00 I=18 F=0x0000 T=254

  ̃ObZ[W͊Ȍɐ݌vĂAlbg[ŇЎ҂ׂ̈
  ɕ֗ȋZp܂ł܂AƂ̉XɂLpłBȒPɐ
  ƈȉ̂悤ɂȂ܂:

  1. `input' ̓pPbgɃ}b`[܂ރ`FCŁAObZ[
     W𔭐Ă܂B

  2. `DENY' ̓[pPbgɉ邩Ă܂Bꂪ `-'
     ȂA[̓pPbgɉs܂B (v[łB)

  3. `eth0' ̓C^[tF[Xł.  ̂Ȃ΂ input `FC
     , pPbg `eth0' ėƂӖ邩łB

  4. `PROTO=17' ̓pPbgvgR 17 łƂӖ܂Bv
     gRԍ̃Xg /etc/protocols ɂė^܂BłʓI
     ̂ 1 (ICMP), 6 (TCP)  17 (UDP) łB

  5. `192.168.2.1' ̓pPbg̃\[X IP AhX 192.168.2.1 ł
     ƂӖ܂B

  6. `:53' ̓\[X|[g̓|[g 53 ԂłƂӖ܂B
     `/etc/services' ΁Aꂪ `domain' |[gł邱ƂJ
     Ă܂B(Ȃ킿A͋炭 DNS ̕ԓłB) UDP  TCP ɂ
     ẮA̔ԍ̓\[X|[głB ICMP ɂẮA ICMP ^Cv
     łBȊOł́A 65535 ɂȂł傤B

  7. `192.168.1.1' ͈ IP AhXłB

  8. `:1025' ͈|[g 1025 łƂӖ܂B UDP  TCP
     ɂẮA̔ԍ͈|[głB ICMPɂẮA ICMP R[h
     łBȊOł́A 65535 ɂȂł傤B

  9. `L=34' ́ApPbg͍v 34 oCgłƂӖ܂B

  10.
     `S=0x00'  TOS tB[hӖ܂B (4 ŊāA ipchains 
     pT[rX̌^܂B)

  11.
     `I=18'  IP  ID łB

  12.
     `F=0x0000'  16 rbg̃tOgItZbgƃtỎZłB
     `0x4'  `0x5' Ŏn܂l utOgĂȂvrbg
     肳Ă邱Ƃ܂B `0x2'  `0x3'  `XɃtOg
     Ă' rbgݒ肳Ă邱Ƃ܂; ̌ɍXȂt
     Og\܂Bc̐l͂̃tOg̃ItZbg
     ŁA 8 ŊlłB

  13.
     `T=254' ̓pPbg̎ԂłB̒l͑SẴzbvɌ
     AT 15  255 Ŏn܂܂B

  14.
     `(#5)' ́AuPbg̍Ō̔ԍVJ[lł낤
     Ƃ܂B(炭 2.2.9 ȍ~ł傤B) ŌɁAV
     J[l(Ԃ 2.2.9 ȍ~)ŁAʂň͂܂ꂽԍł傤B

     (: ɂ This is the rule number which caused the packet
     log.  ƏĂ܂A finally there may be a number ...
     Ǝv܂B)

  WI Linux VXeł́AJ[l̏o͂ klogd (J[lMO
  f[) ɂĕߑA syslogd (VXeMOf[) ɓn
  B `/etc/syslog.conf' ́AeX `facility' (X̏ꍇ́Afacility
   "J[l"ł) ̈ƁA `level' (ipchains ׂ̈ɁAg level
   "info" ł)w肷邱ƂɂāA syslogd ̐U镑𐧌䂵
  B

  Ⴆ΁A (Debian) /etc/syslog.conf  `kern.info' Ƀ}b` 2s
  ܂ł܂:

       kern.*                          -/var/log/kern.log
       *.=info;*.=notice;*.=warn;\
               auth,authpriv.none;\
               cron,daemon.none;\
               mail,news.none          -/var/log/messages

  ̓bZ[W `/var/log/kern.log'  `/var/log/messages' ɕ
  邱ƂĂ܂Bڍׂ `man syslog.conf' ĉB
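  The fields enumerated above can be pulled out of a syslog line mechanically.
  The parser below is an added example, not code from the HOWTO or from ipchains;
  it decodes the protocol number, the TOS bits and the fragment field as the text
  describes them, and the second and third sample lines are constructed for this
  example (the first is the line shown above).

```python
"""Parser for the kernel 'Packet log:' lines written when a rule has -l (added
example; not part of the HOWTO or of ipchains)."""
import re

# The common protocol numbers from /etc/protocols named in the text.
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}
# TOS bits as listed in the TOS section of the HOWTO.
TOS_BITS = {0x10: "Minimum Delay", 0x08: "Maximum Throughput",
            0x04: "Maximum Reliability", 0x02: "Minimum Cost"}

LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) L=(?P<len>\d+) S=0x(?P<tos>[0-9a-fA-F]+) "
    r"I=(?P<id>\d+) F=0x(?P<frag>[0-9a-fA-F]+) T=(?P<ttl>\d+)"
    r"(?: \(#(?P<rule>\d+)\))?")

# Constructed sample input: the first line is the one quoted in the HOWTO,
# the other two are made up for this example.
SAMPLE_LINES = [
    "Packet log: input DENY eth0 PROTO=17 192.168.2.1:53 192.168.1.1:1025 "
    "L=34 S=0x00 I=18 F=0x0000 T=254",
    "Packet log: input - ppp0 PROTO=1 10.1.2.3:8 1.2.3.4:0 "
    "L=84 S=0x10 I=7 F=0x4000 T=64 (#2)",
    "Packet log: forward REJECT eth1 PROTO=17 192.168.1.5:65535 1.2.3.4:65535 "
    "L=1500 S=0x00 I=99 F=0x2003 T=63 (#4)",
]


def parse_packet_log(line):
    """Return a dict of decoded fields, or None if the line is not a packet log."""
    m = LOG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    proto = int(d["proto"])
    tos = int(d["tos"], 16)
    frag = int(d["frag"], 16)
    rec = {
        "chain": d["chain"],
        "action": d["action"],          # "-" means the rule only counted
        "iface": d["iface"],
        "proto": PROTO_NAMES.get(proto, str(proto)),
        "src": d["src"], "dst": d["dst"],
        "len": int(d["len"]), "id": int(d["id"]), "ttl": int(d["ttl"]),
        "tos": [name for bit, name in TOS_BITS.items() if tos & bit],
        # F= is the 16-bit flags+offset word: 0x4... / 0x5... carries DF,
        # 0x2... / 0x3... carries MF; the rest is the offset in 8-byte units.
        "dont_fragment": bool(frag & 0x4000),
        "more_fragments": bool(frag & 0x2000),
        "frag_offset": (frag & 0x1FFF) * 8,
        "rule": int(d["rule"]) if d["rule"] else None,
    }
    # The two "port" numbers mean different things depending on the protocol.
    if proto in (6, 17):
        rec["sport"], rec["dport"] = int(d["sport"]), int(d["dport"])
    elif proto == 1:
        rec["icmp_type"], rec["icmp_code"] = int(d["sport"]), int(d["dport"])
    return rec


def summarize(line):
    """One-line human-readable rendering, handy when grepping syslog."""
    r = parse_packet_log(line)
    if r is None:
        return None
    ends = (f"{r['src']}:{r['sport']} -> {r['dst']}:{r['dport']}"
            if "sport" in r else f"{r['src']} -> {r['dst']}")
    return f"{r['chain']} {r['action']} {r['proto']} {ends} via {r['iface']}"


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(summarize(line))
```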

  4.1.5.3.  T[rX̌^𑀍삷

  IP wb_ɂ͖őɎgȂ 4̃rbgAuT[rX̌^v
  (TOS) rbgƌĂ΂Ă܂B̓pPbg舵prɉe
  ܂; 4̃rbg "Minimum Delay"(ŏx), "Maximum Throughput"
  (ő又\), "Maximum Reliability"(őMl)  "Minimum
  Cost" (ŏRXg) łB̃rbg̈ݒ܂B
  TOS R[h̍҂ Rob van Nieuwkerk ͈ȉ̂悤ɏqׂĂ܂:

        "Minimum Delay"(ŏx) ɂƂďdvłB͏
        (Linux) [^"Θb^"pPbgׂ̈ɂ̃XCb`I
       Ă܂B̃}V 33.6k fŊOƐڑĂ
       ܂B Linux ̓pPbg 3̃L[ŗD揇ʂtĂ
       B̕@Ŏ͑ʂ̃_E[hƓɋełΘbI
       ȃptH[}X𓾂Ă܂B (̓VAhCoɂ
       悤ȋȃL[ȂΗǂ̂łA҂Ԃ1.5b
       ܂B)

  : 炩ɁAȂ͓ėpPbgɑ΂Đ͂ł܂B
  Ȃ͎g Linux box ĂpPbg̗D揇ʂ𐧌ł
  B̕@ŗD揇ʂ肭肷ȂA RSVP ̂悤ȃvgRK
  vłB(ɊւĂ͎͉mȂ̂ŁAɂ͕ȂŉB)

  łʓIȎgp@ telnet  ftp ̃Rg[RlNV
  "Minimum Delay" ݒ肵A FTP f[^ "Maximum Throughput" ݒ肷
  ̂łBȉ̂悤ɂȂ܂:

       ipchains -A output -p tcp -d 0.0.0.0/0 telnet -t 0x01 0x10
       ipchains -A output -p tcp -d 0.0.0.0/0 ftp -t 0x01 0x10
       ipchains -A output -p tcp -s 0.0.0.0/0 ftp-data -t 0x01 0x08

  `-t' tO 2̓ʂȃp[^A16iŎw肵܂B
  TOS rbg𕡎Gɂ񂵂܂: ŏ̃}XN̓pPbǧ
  ݂ TOS  AND (_)܂B 2Ԗڂ̃}XN͂ɑ΂ XOR (r
  I_a)܂BŌ̂łAȉ̈ꗗg
  ĉ:

       TOS                     Value           Typical uses

       Minimum Delay           0x01 0x10       ftp, telnet
       Maximum Throughput      0x01 0x08       ftp-data
       Maximum Reliability     0x01 0x04       snmp
       Minimum Cost            0x01 0x02       nntp
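
As an added example (not code from the HOWTO), the arithmetic `-t` performs, in Python: the packet's TOS byte is ANDed with the first mask and then XORed with the second, using the four values from the table above. The validity check is modelled on the appendix note (section 8, item 17) that ipchains rejects masks that would manipulate the must-be-zero TOS bit; the exact condition used here is an assumption.

```python
# The four TOS bits from the table above, plus the low "must be zero" (MBZ)
# bit which a rule is not allowed to manipulate. Bits 0xE0 are IP precedence.
TOS_BITS = {
    "Minimum Delay": 0x10,
    "Maximum Throughput": 0x08,
    "Maximum Reliability": 0x04,
    "Minimum Cost": 0x02,
}
MBZ_BIT = 0x01

# (AND mask, XOR mask) pairs exactly as the table gives them for `-t`.
TOS_TABLE = {name: (0x01, bits) for name, bits in TOS_BITS.items()}


def check_tos_masks(and_mask, xor_mask):
    """Model the check ipchains makes on `-t`: both masks are bytes and they
    leave the MBZ bit alone (AND keeps it, XOR does not flip it). Assumption:
    this is the form of the check the appendix describes."""
    if not (0 <= and_mask <= 0xFF and 0 <= xor_mask <= 0xFF):
        raise ValueError("TOS masks must be 8-bit values")
    if not and_mask & MBZ_BIT or xor_mask & MBZ_BIT:
        raise ValueError("TOS masks must not manipulate the must-be-zero bit")


def apply_tos(tos, and_mask, xor_mask):
    """Rewrite a TOS byte the way `-t AND XOR` does: AND first, then XOR."""
    check_tos_masks(and_mask, xor_mask)
    return ((tos & and_mask) ^ xor_mask) & 0xFF


def describe_tos(tos):
    """Names of the TOS bits set in a byte, in table order."""
    return [name for name, bit in TOS_BITS.items() if tos & bit]


if __name__ == "__main__":
    # A telnet segment that arrived marked Maximum Throughput (0x08) leaves
    # marked Minimum Delay only: the AND with 0x01 clears every TOS and
    # precedence bit before the XOR sets 0x10.
    new = apply_tos(0x08, *TOS_TABLE["Minimum Delay"])
    print(hex(new), describe_tos(new))
```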

  Andi Kleen ͈ȉ̂悤ɎwEĂ܂B (XɎc߂ɕ\
  Ă܂B)

       ATOS rbg̋c_ɂẮA ifconfig  txqueuelen p
       [^̎QƂǉ̂ɕ֗ł傤BfoCX̃L[
       ̏l̓C[TlbgJ[ḧׂɒAfɂĂ
       ͒āA (TOSɑL[) 3oh̃XPW[
       쐬A͔̓X̂łBfVO b
       `l ISDN ڑɂāA̒l 4-10 ̊Ԃɐݒ肷
       ͗ǂƎv܂; foCXȂ蒷L[KvłB
       ̓J[lo[W 2.0  2.1 ̖łA 2.1 
       Ă (ŐV nettools p) ifconfig tOŉ
       \ɂȂA 2.0 ɂĂ̓foCXhCõ\[XɃpb`
       Kpĉ\ɂȂ܂B

  ł̂ŁAfł PPP ڑɂ TOS ̍ő̉b𓾂ɂ́A
  Ȃ̃}V /etc/ppp/ip-up XNvg `ifconfig $1
  txqueuelen' s邱ƂłBgۂ̒l̓f̑xƃf
  ̃obt@̑ʂɈˑ܂; ȉ Andi ̎ւ̕ԓ̂܂܍ēx
  fڂ܂:

       ^ꂽRtBM[V̍œKl͌oKvłB
       [^̃L[ZƁApPbg肱ڂĂ܂
       ܂BĖܘ_ TOS ̏Ȃʂ𓾂邱ƂɂȂA
       P TOS ͔̏񋦗͓IȃvOɌʂ炵
       B (SĂ̕WI Linux VXevO͓͋I
       łB)

  4.1.5.4.  Marking a Packet

   Alexey Kuznetsov ɂV"iʐM"̎ɂāAG
  ͂ȑݍpLɂ܂B 2.1 V[YJ[lȍ~markx[X
  tH[fBOƓlɗǍDłBXȂj[XƂĂ͂ꂪg
  ɂȂƂłB̃IvV 2.0 J[lV[Ył͑S
  ܂B

  (: Quality of Service ́A QoS ƗAlbg[Nʐw
  ܂B̓J[l̃RtBM[VXCb`
  CONFIG_NET_QOS Ƃđ݂܂B)

  4.1.5.5.  Operations on an Entire Chain

  ipchains ̂ƂĂLȓ́A`FC̊֘A郋[O[v
  ł邱ƂłB]݂̃`FC͉łĂяo܂Agݍݍς
  `FC (input, output  forward) ^[Qbg (MASQ, REDIRECT,
  ACCEPT, DENY, REJECT  RETURN) 󂳂ȂׂɁA\Og
  B̊gɔāAx̑Sɑ啶gȂƂ
  ߂܂B`FC̖O͍ő 8܂Ŏg܂B

  4.1.5.6.  Creating a New Chain

  V`FC܂傤B͂ƂĂn͂ɕx񂾖YȂ̂ŁA
   test Ɩt܂B

       # ipchains -N test
       #

  ͊ȒPłBāAȂ͂܂ŏڍׂɏqׂĂ悤ɁA
  [邱Ƃł܂B

  4.1.5.7.  Deleting a Chain

  `FC폜̂lɊȒPłB

       # ipchains -X test
       #

  Ȃ `-X' ?  [A悢SĎĂ܂̂łB

  `FC폜ɂ 2̐܂: ̃`FC͋łKv
  (q```FCɂ''ĉ)AAĂǂ
  [̃^[QbgɂȂĂȂƂłBgݍݍς݂ 3̃`FC
  ͂ǂ폜ł܂B

  4.1.5.8.  Flushing a Chain

  `FCSẴ[苎ɂ̂͊ȒPŁA`-F' R}h
  g܂B

               # ipchains -F forward
               #

  A`FCw肵Ȃ΁ASẴ`FCɂ܂B

  4.1.5.9.  Listing a Chain

  `FC̑SẴ[XgAbvɂ́A`-L' R}hg
  B

  # ipchains -L input
  Chain input (refcnt = 1): (policy ACCEPT)
  target     prot opt    source                destination           ports
  ACCEPT     icmp -----  anywhere              anywhere              any
  # ipchains -L test
  Chain test (refcnt = 0):
  target     prot opt    source                destination           ports
  DENY       icmp -----  localnet/24           anywhere              any
  #

  test ɕ\Ă `refcnt' ́Atest ^[QbgɎw肵Ă郋[
  ̐łB̐ 0 łȂ(`FCł邱)Ã`F
  C폜邱Ƃ͂ł܂B

  A`FCw肵Ȃ΁Â܂߂đSẴ`FCɂă
  XgAbv܂B

  `-L' ɂ 3̃IvV܂B (̐lX DNS gĂ܂
  ) DNS K؂ɐݒ肳ĂȂꍇ DNS ̗vtB^[AEg
  Ăꍇ́A ipchains  IP AhX𒲂ׂ悤ƂƂɒ҂
  ܂Bĥ `-n' (l)IvV͂ƂĂLłB̃Iv
  V TCP  UDP |[gɂĂOł͂Ȃԍŕ\܂B

  `-v' IvV̓[̏ڍׂSāAႦ΁ApPbgoCg̃JE
  ^[ATOS }XNAC^[tFCXAăpPbg}[N\܂B
  ̃IvVw肵Ȃ΁A̒l͏ȗ܂B

       # ipchains -v -L input
       Chain input (refcnt = 1): (policy ACCEPT)
        pkts bytes target     prot opt   tosa tosx  ifname    mark        source                destination           ports
          10   840 ACCEPT     icmp ----- 0xFF 0x00  lo                    anywhere              anywhere              any

  LƂāApPbgƃoCg̃JE^[́A1000, 1,000,000 
  1,000,000,000 Aꂼ `K', `M'  `G' ̐ڔgĕ\
  ܂B `-x' (gl)IvVgƁAl̑傫ɂ炸S
  l𓯗lɕ\܂B

  4.1.5.10.  Resetting (Zeroing) Counters

  JE^[Zbgłƕ֗łB `-Z' (JE^[ɂ
  ) IvVłł܂BႦ:

  # ipchains -v -L input
  Chain input (refcnt = 1): (policy ACCEPT)
   pkts bytes target     prot opt   tosa tosx  ifname    mark        source                destination           ports
     10   840 ACCEPT     icmp ----- 0xFF 0x00  lo                    anywhere              anywhere              any
  # ipchains -Z input
  # ipchains -v -L input
  Chain input (refcnt = 1): (policy ACCEPT)
   pkts bytes target     prot opt   tosa tosx  ifname    mark        source                destination           ports
      0     0 ACCEPT     icmp ----- 0xFF 0x00  lo                    anywhere              anywhere              any
  #

  ̂ł́AZbg钼ÕJE^lmKvƂɖ
  ɂȂ܂BL̕@ł́A`-L'  `-Z' R}h܂ł̊Ԃɂ
  ̃pPbgʉ߂邩܂B̂߁AJE^[ǂނƓ
  Zbgɂ́A`-L'  `-Z' 𓯎Ɏg܂BcOȂAȂ
  gƁAP̃`FC𑀍ł܂: USẴ`FCX
  gAbvă[ɂKv܂B

       # ipchains -L -v -Z
       Chain input (policy ACCEPT):
        pkts bytes target     prot opt   tosa tosx  ifname    mark        source                destination           ports
          10   840 ACCEPT     icmp ----- 0xFF 0x00  lo                    anywhere              anywhere              any

       Chain forward (refcnt = 1): (policy ACCEPT)
       Chain output (refcnt = 1): (policy ACCEPT)
       Chain test (refcnt = 0):
           0     0 DENY       icmp ----- 0xFF 0x00  ppp0                  localnet/24           anywhere              any
       # ipchains -L -v
       Chain input (policy ACCEPT):
        pkts bytes target     prot opt   tosa tosx  ifname    mark        source                destination           ports
          10   840 ACCEPT     icmp ----- 0xFF 0x00  lo                    anywhere              anywhere              any

       Chain forward (refcnt = 1): (policy ACCEPT)
       Chain output (refcnt = 1): (policy ACCEPT)
       Chain test (refcnt = 0):
           0     0 DENY       icmp ----- 0xFF 0x00  ppp0                  localnet/24           anywhere              any
       #

  4.1.5.11.  Setting Policy

  ȑOɃpPbgǂ̂悤Ƀ`FCʂ蔲̂AOq ``^[
  Qbg̎w''ɂĘ_ƂApPbggݍݍς݃`FC̏I
  BɉN̂̏qׂ܂B̏ꍇA`FC̃|V[
  ̃pPbg̉^肵܂Bgݍݍς݃`FC(input, output
   forward)|V[Ă܂BȂȂApPbg[
  U``FC̏I܂ŉ藎ƁAÕ`FCɖ߂čs
  B

  |V[͍ŏ 4܂ł̓ʂȃ^[Qbĝꂩł: ACCEPT,
  DENY, REJECT  MASQ łB MASQ  `forward' `FCɂĂ̂ݗL
  łB

  ܂AdvȒӓ_ƂāAgݍݍς݃`FC̃[ɂ
  RETURN ^[QbǵApPbg[Ƀ}b`ɖIɃ`FC
  ̃|V[^[Qbgɂ邽ߕ֗łB

  4.1.6.  Operations on Masquerading

  IP }XJ[fBO̃p[^܂B
   ipchains ɑgݍ܂Ă܂B̂ȂA̋@\ׂ̈ɕʂ̃c[
  ̂͗ǂȂłB (͕ύXł傤B)

  IP }XJ[fBÕR}h `-M' ŁA}XJ[hĂR
  lNVXgAbv邽߂  `-L' Ƒgݍ킹A}XJ[
  fBO̒l𒲐邽߂ `-S' Ƒgݍ킹܂B

  `-L' R}h `-n' (zXg|[gł͂ȂAl\܂B)
  A܂ `-v' (܂ɂȂӂA}XJ[hRlNV
  V[PXԍ̏ڍׂ\܂B)𔺂܂B

  `-S' R}h͈ȉ 3̃^CAEglݒ肵܂A͕bP
  ł: TCP ZbVA FIN pPbg TCP ZbVƁA UDP pPb
  głB̒l̈ύXȂȂ΁AP `0' ^
  ܂B

  l `/usr/src/linux/include/net/ip_masq.h' ɃXgAbvĂ
  A ݂͂ꂼ 15 bA 2b  5błB

  ύXłʓIȒĺA ftp ׂ̈ɕύXŏ̒lłB (q
  ``FTP ̈''QƂĉB)

  ``}XJ[fBÕ^CAEglݒł܂!''ɗ񋓂^C
  AEg̐ݒɊւɒӂĉB

  4.1.7.  Checking a Packet

  ɂȂ̃}VɈ̃pPbg荞ލۂɉN̂
  ƎvƂł傤BȂ̃t@CAEH[`FCfobO鎞
  ǁB ipchains ͂Lɂ `-C' R}h𑕔Ă܂B
  ہAJ[l{̃pPbgff̂ɗp郋[`Ɛmɓ
  [`p܂B

  pPbgeXg`FĆA `-C' ̌ɃpPbg̃eXg
  `FC̖Ow肵܂BJ[l͏ input, output ܂
  forward `FCAƈڂčs܂AeXg͂ǂ̃`FCłn
  邱Ƃł܂B

  `packet' ̏ڍׂ́At@CAEH[[w肷ׂɗp̂
  pĎw肵܂BɁAvgR (`-p') A\[XAhX
  (`-s') AAhX (`-d') ƃC^[tF[X (`-i')͕K{łB
  vgR TCP  UDP ȂAP̃\[XƒP̈|[gw肳
  Ȃ΂Ȃ܂񂵁A ICMP vgRɂĂ ICMP ^Cvw肳
  Ȃ΂Ȃ܂B (tOg `-f' tOw肵ĂȂ
  ΁Bw肵Ăꍇ͂̃IvV͕słB)

  vgR TCP Ȃ ( `-f' tOĂĂȂ)
  AeXgpPbg SYN rbgZbĝ `-y' tOw肵Ă
  悢ł傤B

  ȉ 192.168.1.1 60000 |[g 192.168.1.2  www |[gցA
  eth0 C^[tF[XɓA `input' `FCɓB TCP SYN p
  PbgeXgłB (͓T^I WWW ̐ڑJn̓ł)

       # ipchains -C input -p tcp -y -i eth0 -s 192.168.1.1 60000 -d 192.168.1.2 www
       packet accepted
       #

  4.1.8.  Multiple Rules at Once and Watching What Happens

  ɒP̃R}hC̃[ɉe邱Ƃł܂B
  ɂ͓̕@܂BŏɁA(DNS p) IP AhXɉ
  zXgw肷ƁA ipchains ͂ȂeX̃AhX̑gݍ
  킹ɑ΂ĕ̃R}h𔭍ŝƓ悤ɐU镑܂B

  łAzXg `www.foo.com'  3 IP AhXɉAz
  Xg `www.bar.com'  2 IP AhXɉꍇAR}h
  `ipchains -A input -j REJECT -s www.bar.com -d www.foo.com' ́A input
  `FC 6̃[ǉ邱ƂƂȂ܂B

  ipchains ɕ̓s킹̕@́AotO(`-b') 
  p܂B̃tÓA ipchains ɃR}h 2͂̂Ɠl
  U镑킹܂B̍ۂ 2ڂ̃R}h `-s'  `-d' ̈𔽓]
  ƂɂȂ܂Bł̂ŁA 192.168.1.1 ɑ݂ɃtH[h邱
  Ƃւɂ́Aȉ̂悤ɂł܂:

       # ipchains -b -A forward -j REJECT -s 192.168.1.1
       #

  lIɂ́A `-b' IvV͍DłȂł; ƕ֗ɂȂA
  q``ipchains-save g''ĉB

  -b IvV } (`-I') A 폜 (`-D') (ł[io[̊g
  ͂܂B) Aǉ (`-A') ƃ`FbN (`-C') R}hƋɎg
  B

  ֗̕ȃtO `-v' (璷) ܂B ipchains 
  Ȃ̃R}hɂĉĂ̂𐳊mɃvgAEg܂B
  Ȃ̃[R}h{Ă̂ȂAꂪ֗łBႦ
  ΁Aȉ 192.168.1.1  192.168.1.2 Ƃ̊ԂŃtOg̐U镑
  `FbNłB

  # ipchains -v -b -C input -p tcp -f -s 192.168.1.1 -d 192.168.1.2 -i lo
    tcp opt   ---f- tos 0xFF 0x00  via lo    192.168.1.1  -> 192.168.1.2    * ->   *
  packet accepted
    tcp opt   ---f- tos 0xFF 0x00  via lo    192.168.1.2  -> 192.168.1.1    * ->   *
  packet accepted
  #

  4.2.  Useful Examples

   PC ̓C^[lbgփ_CAbv PPP ڑ܂B (-i ppp0)
  ̓_CAbv̓xɃlbgj[X (-p TCP -s
  news.virtual.net.au nntp) ƃ[ (-p TCP -s mail.virtual.net.au
  pop-3)  PC Ɏ荞݂܂B Debian  FTP ɂ PC ̍XVƂ
  Iɍs܂B (-p TCP -y -s ftp.debian.org.au ftp-data)  ISP
  ̃vLV web ւ̃ANZXs܂ (-p TCP -d
  proxy.virtual.net.au 8080) A Dilbert A[JC doubleclick.net
  ̍Loi[܂B (-p TCP -y -d 199.95.207.0/24  -p TCP
  -y -d 199.95.208.0/24)

   PC IC̍ۂɒN PC ɑ΂ ftp ݂邱ƂɊ
  Ă͋Cɂ܂B (-p TCP -d $LOCALIP ftp) ǂAO̒NɎ
  ̓lbg[N (-s 192.168.1.0/24)  IP AhXUꂽ
  ܂B͒ʏA IP Xv[tBO (: U) ƌĂ΂Ao[
  W 2.1.x ȍ~̃J[lɂ͂hǂ@܂: ``IP U
  ی(IP Spoof Protection)Aǂ̂悤ɐݒ肵悢ł?''QƂ
  ĉB

  ̃ZbgAbv͂ƂĂPŁÂȂ獡̓lbg[Nɂ͑
  Ƀ}VȂłB

  ͂郍[JvZX(Ȃ킿AlbgXP[vA lynx ) 
  doubleclick.net ɐڑ܂B

       # ipchains -A output -d 199.95.207.0/24 -j REJECT
       # ipchains -A output -d 199.95.208.0/24 -j REJECT
       #

  āA͊O֏očslXȃpPbgɗD揇ʂݒ肵łB (
  ėpPbgɑ΂Ăs̃bg͂܂B) 
  [̂ŁAppp-out Ɩt`FCɂSĂ邱
  Ƃ͈Ӗ̂邱ƂłB

       # ipchains -N ppp-out
       # ipchains -A output -i ppp0 -j ppp-out
       #

  web ̃gtBbN telnet ֍ŏxݒ肵܂B

       # ipchains -A ppp-out -p TCP -d proxy.virtual.net.au 8080 -t 0x01 0x10
       # ipchains -A ppp-out -p TCP -d 0.0.0.0/0 telnet -t 0x01 0x10
       #

  ftp f[^, nntp, pop-3 ɒRXgݒ肵܂:

       # ipchains -A ppp-out -p TCP -d 0.0.0.0/0 ftp-data -t 0x01 0x02
       # ipchains -A ppp-out -p TCP -d 0.0.0.0/0 nntp -t 0x01 0x02
       # ipchains -A ppp-out -p TCP -d 0.0.0.0/0 pop-3 -t 0x01 0x02
       #

  ppp0 C^[tF[XɓėpPbgɂ͊̐܂:
  `ppp-in' Ƃ`FC܂傤:

       # ipchains -N ppp-in
       # ipchains -A input -i ppp0 -j ppp-in
       #

  āA ppp0 ɓėpPbg 192.168.1.* ̃\[XAhX咣
  ׂł͂܂BłAX͂OɋL^Ĕے
  (deny) ܂:

       # ipchains -A ppp-in -s 192.168.1.0/24 -l -j DENY
       #

   DNS  UDP pPbg (͑SĂ̗v 203.29.16.1 ֓]
  LbVl[T[o𓮂Ă̂ŁA̗v炻 DNS 
  ԓ邱Ƃ\܂B)  ė ftp ƋAė ftp-
  data (1023Ԉȏ̃|[ĝ݂gA6000ԋߕӂ X11
  |[gg܂B)  TCP pPbĝ݂܂B

       # ipchains -A ppp-in -p UDP -s 203.29.16.1 -d $LOCALIP domain -j ACCEPT
       # ipchains -A ppp-in -p TCP -s 0.0.0.0/0 ftp-data -d $LOCALIP 1024:5999 -j ACCEPT
       # ipchains -A ppp-in -p TCP -s 0.0.0.0/0 ftp-data -d $LOCALIP 6010: -j ACCEPT
       # ipchains -A ppp-in -p TCP -d $LOCALIP ftp -j ACCEPT
       #

  AĂ TCP ̕ԓpPbg܂B

       # ipchains -A ppp-in -p TCP ! -y -j ACCEPT
       #

  ŌɁA[Jƃ[Jm̃pPbg OK ł:

       # ipchains -A input -i lo -j ACCEPT
       #

  āA input `FCɂ|V[ DENY (ے) ł̂ŁA
  q̂̈ȊO͑SĔj܂:

       # ipchains -P input DENY
       #

  : ͂̏ԂŃ`FCZbgAbv܂łBZbgAbv
  ̍ŒɃpPbg荞ŗ邩łBłSȂ͍̂ŏ DENY 
  |V[ݒ肷邱ƂłBܘ_AȂ̃[zXg
   DNS ̎QƂvȂA肪邱Ƃł傤B

  4.2.1.  Using ipchains-save

  ܂ɂȂ̂]ݒʂ̃t@CAEH[`FCZbgAbvA
  ĎɂƂvoƂ̂͐hƂłB

  ŁAZbgAbvȂ̃`FCǂ݁At@CɕۑA
  ipchains-save ƂXNvgłB ipchains-restore 邩Ɋ
  Ă͂Ƒ҂ĂĉˁB

  ipchains-save ͒P̃`FC (`FCw肳Ȃ) S
  ̃`FCZ[uł܂BIvVƂĂ `-v' ݂̂A
  ̓Z[uꂽ[ (WG[o͂) vg܂B input,
  output  forward `FC̃|V[lɃZ[u܂B

       # ipchains-save > my_firewall
       Saving `input'.
       Saving `output'.
       Saving `forward'.
       Saving `ppp-in'.
       Saving `ppp-out'.
       #

  4.2.2.  Using ipchains-restore

  ipchains-restore  ipchains-save ŕۑꂽ`FC𕜌܂B
   2̃IvV܂: `-v' ͊eX̃[ǉ悤
  ɐ܂B `-f' ͈ȉɐ悤ɁAɑ݂郆[U[
  ``FCIɏ܂B

  A input `FCɃ[U[``FC΁A ipchains-
  restore ͂ꂪ̃`FCȂ̂`FbN܂Bł΁Av
  vg\A`FC (SẴ[) A
  XLbvČ݂̐ݒێ邩̑I߂܂BR}
  hC `-f' w肷΁Avvg͕\܂: `FC͏
  ܂B

  :

       # ipchains-restore < my_firewall
       Restoring `input'.
       Restoring `output'.
       Restoring `forward'.
       Restoring `ppp-in'.
       Chain `ppp-in' already exists. Skip or flush? [S/f]? s
       Skipping `ppp-in'.
       Restoring `ppp-out'.
       Chain `ppp-out' already exists. Skip or flush? [S/f]? f
       Flushing `ppp-out'.
       #

  5.  Miscellaneous

  ̍͏q̐ꂽׂĂ̏ FAQ W܂B

  5.1.  How to Organize Your Firewall Rules

  ̖ɂ͂̕jKvłBxœK(łʂ̃pPbg
  ΂郋[`FbNŏɂƂǂ߂)č\z邩AǗ߂
  \z邱Ƃł܂B

  PPP NƌԌIȃNgĂȂAN input `FC
  ̍ŏ̃[ `-i ppp0 -jDENY' ɐݒ肵Ǝv܂B
  ̏ꍇ́A ip-up XNvgt@CŎ̂悤ɂ܂B

  (: foCX ppp0 ̃pPbgjB_CAbvȂ
  ̐Nh~ꍇɐݒ肷B)

       # Re-create the `ppp-in' chain.
       ipchains-restore -f < ppp-in.firewall

       # Replace the DENY rule with a jump to the ppp-handling chain.
       ipchains -R input 1 -i ppp0 -j ppp-in

  ip-down ͎̂悤ɂȂ܂B

       ipchains -R input 1 -i ppp0 -j DENY

  5.2.  What Not to Filter Out

  KvłȂpPbgtB^OŔjOɒӂĂȂ΂
  Ȃ܂B

  5.2.1.  ICMP Packets

  ICMP pPbǵA(TCP  UDP ̂悤)ʂ̃vgRɑ΂āAs\
   (̑̂̂Ȃ) ̂ɎgĂ܂BƂ킯 `ړIn
  ɓBȂ' pPbg\܂B̃pPbgubNƁA
  `zXgɓB܂'  `zXgւ̌oH܂' ƂG[
  󂯎邱ƂłȂȂ܂Bǂ̂悤Ȑڑ͂̂Ȃԓ
  ɂȂ܂B͂炢炵܂vIł͂܂B

  ɈƂ MTU oł ICMP pPbg̖łBׂĂ̗ǍD
  TCP ̎(Linux ܂߂)́AȂԂ(ƃptH[
  }XቺAƂ킯AƂǂꂽfЂƂɒ
  ܂)ړInɓBő̃pPbgTCYo߂ MTU o
  gĂ܂B MTU óA܂pPbg "s" ̃rbgݒ
  đA 'KvȂݒ(DF)Ă'ƂG[
   ICMP pPbg󂯎Aقǂ̂̂菬TCỸpPb
  g𑗂蒼AƂ肩œ삵܂B́A`ړIn֓Bs\'
  pPbg̃^CvŁA󂯂ȂȂA[JzXg MTU ቺ
  ȂŁAs͂ЂǂȂ邩A݂ȂƂɂȂł傤B

  :

     ICMP: Internet Control Message Protocol
        IP ݐڑlbg[Ñm[hŃG[ʒBAffÂ
        ̃bZ[W𑗂vgR

     MTU: maximum transmission unit
        lbg[NC^[tF[Xxɑ邱Ƃłő̃f[^
        

  ׂĂ ICMP oHύXvbZ[W(type 5)ubN͕̂ʂ
  ƂɒӂĉB́AoH蓮ݒ肷ׂɎgƂo
  ܂(ǍD IP X^bN͈SuĂ܂)A΂΂댯
  ƒmĂ܂B

  5.2.2.  TCP Connections to DNS (Name Servers)

  O TCP ڑubN悤ɂĂȂA DNS ͂ UDP
  gȂƂɒӂĉBT[o̕ԓ 512 oCgz
  ƁANCAg̓f[^𓾂̂ TCP ڑ(͂ 53 ԃ|[gԍ) 
  g܂B

  :

     UDP: User Datagram Protocol
        f[^pPbg̓]svOBUDP  TCP ɔׂƍ
        łAMႭApPbg̓Bۏ؂܂B

  TCP ]֎~ĂĂA DNS  `قƂǓ' ̂Ńn}܂B
  悤ɂĂȂAsȒx₻̑̂Ƃǂ DNS 
  o邱ƂɂȂł傤B

  DNS ̖₢킹A̊Õ\[X(/etc/resolv.conf ɏ
  s̃l[T[o𒼐ڎgAtH[h[hŃLbṼl[
  T[o[ĝǂ炩)ɂĂȂA(LbVgĂ
  )[J domain |[gA /etc/resolv.conf gĂȂnC
  |[g(>1023)Ãl[T[o domain |[gւ TCP ڑ
  Kvł܂܂B

  : domain  /etc/services Ɏ̍ڂ`Ă邩mFĂ
  ܂B̂悤ɂĒׂ邱Ƃł܂B

        $ grep domain /etc/services
        domain          53/tcp          nameserver      # name-domain server
        domain          53/udp          nameserver

  5.2.3.  FTP Nightmares

  T^IȃpPbgtB^O̖ FTP łBFTP ɂ͂Q̃[h
  ܂B`IȂ̂ ANeBu[h ƌ̂ŁAŋ
  ̂̂́A pbVu[h ƌ܂B Web uEU͒ʏpbVu
  [hftHgłAR}h FTP vO͒ʏANeBu
  [hftHgłB

  ANeBu[hł́A[gzXgt@C𑗐MƂ(邢
  ́A ls  dir R}ȟʂł)A[J}Vւ TCP ڑ
  I[v悤Ƃ܂B̓ANeBu FTP ؒfȂȂA
   TCP ڑrłȂƂƂłB

  pbVu[hgIvVȂAǂƂłBpbVu[h
  ͓̓f[^ɑ΂ĂANCAgT[oɃf[^ڑ܂B
  pbVu[hgȂȂATCP ڑ 1024 zA6000  6010
  ͈̔͂ɖ|[gɑ΂ TCP ڑ邱Ƃ𐄏܂B(6000
   X-Window System ɎgĂ܂B)

  5.3.  Filtering out Ping of Death

  Linux }V͂܂L Ping of Death Sz邱Ƃ͂܂B
  Ping of Death ͕s@ɑ傫 ICMP pPbg𑗐MA͎󂯎葤
  TCP X^bNɂobt@[ꂳAǰɂȂ܂B

  Ǝȃ}Vی삷ȂAP ICMP tOgubNł
  Bʏ ICMP pPbg͕vقǑ傫͂܂񂩂A
   ping rȊOɂ͉e^܂B (smł)
  ́AICMP tOg𗎂߂ɁATCYI[o[ ICMP pPbg̍
  ̃tOgvǍʁAŏ̃tOgub
  NVXeƂ񍐂𕷂Ƃ܂Aŏ̃tO
  gubN悤ȃVXe͂߂ł܂B

   ICMP gׂẴvOĂ܂ATCP  UDP tO
  g(邢͕s̃vgR)́Â悤ȍUɑ΂ĎgƂ
  ȂƂRȂ̂ŁA ICMP tOgubN̂́AԂ
  킹̉ł܂B

  5.4.  Filtering out Teardrop and Bonk

  Teardrop  Bonk ƌ̂́AdtOgړIɂĂ
   2ނ̍U(Microsoft Windows NT }Vɑ΂)łB Linux
  [^ftO@\Ă邩AU₷}VɂׂẴt
  Og֎~͕̂ʂ̃IvVłB

  5.5.  Filtering out Fragment Bombs

  M̒Ⴂ TCP X^bŃApPbg̃tOgɂȂĂ
  āAׂĎMłȂƂAʂ̃tOĝɖ
  Ă̂ƌĂ܂B Linux ͂̂悤Ȗ肪
  BtOgj(Ɏgpꂽ̂󂷂܂)
  A܂́A `IP: always defragment'  `Y' (Ȃ Linux }V
  ̃pPbgɑ΂ėB蓾oHłꍇ̂)IJ[l
  RpC邱ƂŔrł܂B

  5.6.  Changing Firewall Rules

  t@CAEH[[ύXƂA^C~O̖肪܂Bs
  ۂƁAύX̓rłɃpPbgʂĂ܂܂BՂȂ肩
  Ă͎̂悤ȕ@܂:

       # ipchains -I input 1 -j DENY
       # ipchains -I output 1 -j DENY
       # ipchains -I forward 1 -j DENY

       . ύX܂ ...

       # ipchains -D input 1
       # ipchains -D output 1
       # ipchains -D forward 1
       #

  ύXĂԁAׂẴpPbgj܂B

  ύXP̃`FCɌ肳ꂽ̂ȂAV[ŐV`FC
  肽܂BV`FĈƁAÂ`FC
  [u܂(`-R')B΁AÂ`FC폜ł܂B
  ̒u̓Ag~bN(̂̂ɂ͉eȂ)s܂B

  5.7.  How Do I Set Up IP Spoof Protection?

  IP ÚAzXgʂ̃zXg琿pPbg𑗂oZp
  BpPbgtB^ÓÃ\[XAhXƂɔ肷̂ŁA
  IP U̓pPbgtB^[܂߂ɎĝłB SYN U₵
  (Teardrop)A܂ Ping(Ping of Death) ₻Ɏ(
  炪҂mȂȂSz͕spł)gĂU҂̐gB
  ߂ɂ܂g܂B

  IP Uh䂷Ƃ悢@́A\[XAhXF(Source Address
  Verification)ƌ̂ŁA̓[eBOR[hɂčs
  ̂ŁASt@CAEH[ł͂܂B
  /proc/sys/net/ipv4/conf/all/rp_filter Ƃt@CTĉB
  ꂪȂAn邽тɃ\[XAhXF(Source Address
  Verification)L邱ƂɂȂ܂B̂悤ɂ邽
  ߁Aꂩ̃lbg[NC^[tF[XOɁAg
  init XNvĝǂɎ̍s܂B

       # This is the best method: turn on Source Address Verification and
       # get spoof protection on all current and future interfaces.

       if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
         echo -n "Setting up IP spoofing protection..."
         for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
             echo 1 > "$f"
         done
         echo "done."
       else
         echo PROBLEMS SETTING UP IP SPOOFING PROTECTION.  BE WORRIED.
         echo "CONTROL-D will exit from this shell and continue system startup."
         echo
         # Start a single-user shell on the console.
         /sbin/sulogin $CONSOLE
       fi

  ꂪłȂȂAׂẴC^[tF[Xی삷邽߂Ɏ蓮Ń[
  ܂B̏ꍇ͂ꂼ̃C^[tF[XɂĂ̒m
  KvłBJ[l 2.1 ͎I127.* ̃AhX([J[vobN
  C^[tF[X lo ɗ\񂳂ꂽ)vpPbgۂ
  B

  Ⴆ eth0, eth1  ppp0  3̃C^[tF[X܂BC
  ^[tF[X̃AhXƃlbg}XNm邽߂ ifconfig gƂ
  ł܂BႦ΁A eth0 lbg}XN 255.255.255.0 ̃lbg[N
  192.168.1.0 ɃA^b`A eth1 ̓lbg}XN 255.0.0.0 ̃lbg
  [N 10.0.0.0 ɃA^b`A ppp0 C^[lbg(\񂳂ꂽv
  Cx[g IP AhXāAǂȃAhXł܂)B̂悤
  ȃ[Ƃ悢ł傤B

       # ipchains -A input -i eth0 -s ! 192.168.1.0/255.255.255.0 -j DENY
       # ipchains -A input -i ! eth0 -s 192.168.1.0/255.255.255.0 -j DENY
       # ipchains -A input -i eth1 -s ! 10.0.0.0/255.0.0.0 -j DENY
       # ipchains -A input -i ! eth1 -s 10.0.0.0/255.0.0.0 -j DENY
       #

  ̕@͂g̃lbg[NςƁA܂܂ł̂̏Ԃێ
  ߂ɂȂ̓t@CAEH[[ύXȂ΂Ȃ̂ŁA\[
  XAhXF(Source Address Verification)ōsقǗǂ܂B

  2.0 ñJ[lgȂAɎ悤ȃ[gāA[vob
  NC^[tF[X܂ی삵܂B̂悤Ƀ[g
  ܂:

       # ipchains -A input -i ! lo -s 127.0.0.0/255.0.0.0 -j DENY
       #

  5.8.  Advanced Projects

  ̓[UXy[XCuĂA`libfw' ƌĂ΂\[
  XfBXgr[V܂ł܂B ipchains ̃o[W
  1.3 ȏ̔\͂gp(IP_FIREWALL_NETLINK ̃RtBOIvV
  g)[UXy[XɃpPbgRs[܂B

  }[Nl̓pPbĝ߂ Service ̎ (QoS) p[^߂邽߂
  gA邢́ApPbgǂ̂悤Ƀ|[gɒp邩߂邽
  ɎgƂł܂B͂ǂpĂ܂񂪁AȂɂ
  ďĂ݂悤ƎvȂAǂɘAĉB

  Ԋώ@(stateful inspection)(̓_Ci~bNt@CAEH[Ƃ
  t񏥂܂)̂悤ȂƂ́ÃCug[UXy[XŎ
  ł傤B̑̑f炵ACfBÁA[UXy[Xf[
  ŒTƂŃ[UƂ̊ՏŃpPbgRg[܂B
  ƂĂȒPłȂ΂Ȃ܂B

  5.8.1.  SPF: Stateful Packet Filtering

  ftp://ftp.interlinx.bc.ca/pub/spf <ftp://ftp.interlinx.bc.ca/pub/spf>
  ĹA Brian Murrell  SPF vWFNg̃TCgŁA̓[UX
  y[XŐڑ̒ǐՂ܂Boh̃TCgɏdvȃZLeB
  Ă܂B

  ݁ASPF ɂĂ͂̕قƂǂ܂񂪁Â̂ Brian 
  ɓ̂[OXgɓêłB

        > ꂱɎ̖]ނƂsȂƐMĂ܂B
        > Oւ̗ṽX|XƂăpPbgʂ悤
        > ꎞI''t(backward)''̃[CXg[Ă܂B

       ͂A̒ʂłB
       vgRɂė΂قǁA "t(backward)" ̃[͂ƐȂ܂B
       ̂Ƃ́A (oŏĂ܂AG[蔲肪Ăĉ)
       FTP(ANeBuƃpbVuAƊO̗)ARealAudioA tracerouteA
       ICMP ďI ICQ( ICQ T[óAāAړI TCP ڑ̂́AȂt@C]̂悤ȂƂɊւ2 ̒ړI TCP ڑȂǂ͂܂܂)T|[gĂ܂B

       > SPF  ipchains ûłAƂ⑫̂łB

       ⑫̂łB
       ipchains  Linux }Vzē`pPbgAh肷铹łB
       SPF ̓hCołAgtBbNĎāAǂ̂悤ɕύX邩 ipchains ɓ`A ipchains ́AύXgtBbNp^[ɓ`܂B

  5.8.2.  Michael Hasenstein's ftp-data Hack

  SuSE  Michael Hasenstein  ipchains  ftp ڑ̒ǐՋ@\ǉ
  J[lpb`Ă܂B̂Ƃɂ܂B
  http://www.suse.de/~mha/patch.ftp-data-2.gz
  <http://www.suse.de/~mha/patch.ftp-data-2.gz>

  5.9.  Future Enhancements

  t@CAEH[ NAT  2.4 ōĐ݌vĂ܂BvƋc_
  netfilter ̃[OXgŗpł܂B ( http://lists.samba.org
  <http://lists.samba.org>ĉ) ̂悤ȋ̗͑֐̖
  A(ہAt@CAEH[}XJ[h͂̂悤ȍ ͂
  ͂ł)AĂƂ͂邩ɏ_̂t@CAEH[̔W
  ͂łB

  6.  Common Problems

  6.1.  ipchains -L Freezes!

  DNS 󂯕tȂ̂ł傤Bǂ̓^CAEgɂȂĂ܂
  B ipchains ɑ΂ `-n' (l)tOgĂ݂܂傤B `-n' ́A
  l[ł̌s܂B

  6.2.  Inverse Doesn't Work!

  `!'IvV̗ɃXy[XāA`!' IvVPƂŎgȂ
  ΂܂B (4.1.4.1 Œӂ܂)T^IȊԈႢłB

       # ipchains -A input -i !eth0 -j DENY
       #

  `!eth0' ƌĂ΂C^[tF[X݂͑܂񂪁A ipchains ͂ꂪ
  킩Ȃ̂łB

  (: `!' ̎gɊւ钍ӂ́A 4͂QƁB `!' IvV̑O
  Xy[XYȂŉB)

  6.3.  Masquerading/Forwarding Doesn't Work!

  pPbg forwarding \ɂȂĂ̂ǂmFĉ(
  ߂̃J[lł́AftHg `gpȂ'ɂȂĂ܂BpPbg
  `forward' chain z邱ƂȂƂƂł)B root Ŏ
  悤ɓ͂ΕύXł܂B

       # echo 1 > /proc/sys/net/ipv4/ip_forward
       #

  ł܂ȂAA\ɂȂ悤ɁAg̋NXNvg
  ǂɂ̍sĂƂł܂B̃R}hOɃt@C
  AEH[ݒ肵͂łBȂƁA(jׂ)pPbg
  ߂Ă܂@^Ă܂܂B

  6.4.  -j REDIR Doesn't Work!

  _CNg𓮂߂ɂ̓pPbg forwarding (qĉ)
  Ȃ΂܂BȂƁA[eBÕR[h̓pPbg
  𗎂܂BŁA_CNĝ݂gĂătH[fBO͑SR
  gĂȂȂ΁ÂƂɒӂĉB

  REDIRECT (input `FCɂ)́A[JvZX̐ڑɂ͌
  ȂƂɒӂĉB

  (: ipchains ̃IvVɂẮAman ipchains ŊmFĉ
  B)

  6.5.  Wildcard Interfaces Don't Work!

  J[l 2.1.102  2.1.103 (Ď̌Âpb`)
  ɂ̓oO܂B̃J[lł́A(-i ppp+ ̂悤)Ch
  J[hC^[tF[X܂ȂG[𖾎 ipchains R}
  h𐶐܂B

  ̌́AŐṼJ[l web TCgɂ 2.0.34 ̃pb`ł͏C
  Ă܂BJ[l\[XŏCȂA include/linux/ip_fw.h
  t@C 63ŝ悤ɕύX܂:

       #define IP_FW_F_MASK    0x002F  /* All possible flag bits mask   */

   ``0x003F'' ǂނׂłBCAJ[lč\z
  B

  6.6.  TOS (Type of Service) Doesn't Work!

  ͎̊ԈႢłB Service field ̃^Cvݒ́A 2.1.102 
  2.1.111 ł̃J[lł͎ۂɂ Service ̃^CvݒłȂ̂
  B̖́A2.1.112 ł͏C܂B

  6.7.  ipautofw and ipportfw Don't Work!

  2.0.x ł͓܂B ipchains ipautofw 邢 ipportfw ɑ΂
  傫ȃpb`쐬Aێ鎞Ԃ܂B

  2.1.x ɑ΂ẮÂƂ납 Juan Ciarlante  ipmasqadm _E
  [hĉB http://juanjox.linuxhq.com/
  <http://juanjox.linuxhq.com/> āAipautofw ipportfw gƂA
  ipportfw ̂ ipmasqadm portfw ͂AāA ipautofw ̂
  ipmasqadm autofw ͂āAƎgĉB

  6.8.  xosview Is Broken!

  1.6.0 łAȍ~̂̂ɂĉB̔łł́AJ[l 2.1.x
  ɑ΂Ăǂ̂悤 firewall rule v܂B 1.6.1 ł܂
  ĂƎvȂȀꍇ͒҂ɃoO񍐂ĉ(́A
  ̎sł͂܂)B

  6.9.  Segmentation Fault With `-j REDIRECT'!

   ipchains 1.3.3 ł̃oOł̂ŁAVłɃAbvO[hĉ
  B

  6.10.  I Can't Set Masquerading Timeouts!

  (J[l 2.1.x ɂ) 2.1.123 ȍ~ł͓܂B 2.1.124 Őݒ
  Ă݂ƁA masquerading timeouts ̓J[lbNĂ܂܂
  (net/ipv4/ip_fw.c t@C 1328 sɂ return  ret =  ɕύX
  )B 2.1.125 ł́AƓ܂B

  : 4.1.1 ĉB

  6.11.  I Want to Firewall IPX!

  ɂ悤Ȃ]Ǝv܂BcOȂÃR[h IP 
  ׂĖԗĂ邾łAKȂƂɁAIPXt@CAEI[
  ̂ɕKvȋ@\ׂ͂ĂĂ܂B𗘗pĂȂgŃR[
  hKv܂A\Ȕ͈͂Ŏ͊ł`܂傤B

  : IPX Ƃ̂́ANovell ɂ MS-DOS ̃lbg[NvgR
  łB IPX ɂẮAIPX-HOWTOQƂĉB
  http://www.linux.or.jp/JF/JFdocs/IPX-HOWTO.html

  7.  A Serious Example

  ̔͗́A1999 N 3 ɊJÂꂽ LinuxWorld  Michael Neuling
  Ǝ\`[gAp܂B́A^ꂽ
  邽߂̗B̕@ł͂ȂłAłPȂ̂łB̔
  LvȂ̂ƎvĒ΍KłB

  7.1.  The Arrangement

  o  }XJ[hꂽlbg[N(lX OS ݂Ă܂) 
     ݂A"GOOD" ƌĂт܂B

  o  ꂽlbg[NɌJT[o݂Ă܂(񕐑n
     "Demilitarized Zone" ƂƂ "DMZ" ƌĂт܂)B

  o  C^[lbg PPP ڑĂ܂( "BAD" ƌĂт܂)B

     External network (BAD)
              |
             ppp0  192.84.219.1
              |                                Server network (DMZ)
      [packet filter] --- eth0 192.84.219.250 ----+-----------+-----------+
              |                                   |           |           |
             eth1  192.168.1.250                 SMTP        DNS         WWW
              |                          192.84.219.128 192.84.219.129 192.84.218.130
     Internal network (GOOD)

  7.2.  Goals

  pPbgtB^[}V:

     SẴlbg[Nɑ΂ PING \
        }V_EĂ邩ǂm̂ɑϖɗ܂B

     SẴlbg[Nɑ΂ TRACEROUTE \
        ܂A͂ɖɗ܂B

     DNS ւ̃ANZX\
        ping  DNS g₷邽߂łB

  DMZ :

  [T[o

  o  Olbg[Nւ SMTP \

  o  ƊOlbg[N SMTP ̃ANZvg(󂯓)\

  o  lbg[N POP-3 ̃ANZvg\

  l[T[o

  o  Olbg[Nւ DNS ̗v\

  o  ƊOlbg[NApPbgtB^[}V DNS ̃ANZ
     vg\
  EFuT[o

  o  ƊOlbg[N HTTP ̃ANZvg\

  o  lbg[N Rsync ɂANZX\

  lbg[N:

     Olbg[Nւ WWW, ftp ,traceroute, ssh 
        ́A̑ΏۂƂĂ͂ȂWIȂƂłBlbg
        [Ñ}Vɑ΂ĂقڑSĂ邱Ƃn߂܂A
        ł͐Ă܂B

     [T[oւ SMTP 
        RA[͊O֑Mł悤ɂłB

      [T[oւ POP-3 
        [ǂޕ@łB

      l[T[oւ DNS 
        WWW  ftp, traceroute, ssh 𗘗pۂɁAOl[̌
        ̂ɕKvłB

      EFuT[oւ rsync 
        OEFuT[oƓEFuT[o𓯊@łB

      EFuT[oւ WWW 
        RAOEFuT[o֐ڑłׂłB

      pPbgtB^[}Vւ ping 
        ́AʓIɍLeFĂ邱ƂłB܂t@CAEH[
        }V_EĂ邩ǂAmFł悤ɂ邽߂
        (ŊOTCgĂꍇ́A܂̂)B

  7.3.  Before Packet Filtering

  o  IP Uی (Anti-spoofing)

     ȂΏ̂̃[eBOĂȂ̂ŁASẴC^[
     tF[Xɑ΂ IP UیPɃIł܂B

       # for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $f; done
       #

  o  tB^Õ[ƂđSĂۂɂ

     ܂Œʂ胍[J̃[vobNgtBbN͋܂A
     ȎSĂۂ܂B

       # ipchains -A input -i ! lo -j DENY
       # ipchains -A output -i ! lo -j DENY
       # ipchains -A forward -j DENY
       #

  o  C^[tF[X̃ZbgAbv

     C^[tF[X̃ZbgAbv́Au[g̃XNvgŎs
     ܂BtB^Õ[KpOɃpPbgRꂾ
     ƂhׂɁAC^[tF[Xݒ肳OɏL̃Xebvs
     Ă邱ƂmFĉB

  o  vgRʂɃ}XJ[hW[gݍ

     FTP 𗘗pۂɂ́A}XJ[hW[gݍޕKv
     B邱ƂŁAlbg[ÑANeBuƃpbVu FTP
      `Ɠ삵܂'B

       # insmod ip_masq_ftp
       #

  7.4.  Packet Filtering for Through Packets

  }XJ[hgpāAforward `FCŃtB^[邱Ƃ͍ŗ
  ̕@łB

  forward `FC\[X^Đ C^[tF[Xɍ킹ėlXȃ[
  U``FCɕĉB܂A戵₷Pʂɕ
  ̂łB

       ipchains -N good-dmz
       ipchains -N bad-dmz
       ipchains -N good-bad
       ipchains -N dmz-good
       ipchains -N dmz-bad
       ipchains -N bad-good

  ICMP ̕WG[ANZvg邱Ƃ́Aʂ̓ełBāA
  ̂߂̃`FC܂B

  ipchains -N icmp-acc

  7.4.1.  Set Up Jumps From the forward Chain

  cOȂƂɁA(forward `FCł)o̓C^[tF[X܂
  BāApPbgǂ̃C^[tF[XĂ邩
  ߂ɁA\[XAhXgp܂(Uی삪AhX̂Ȃ肷܂h
  ł̂ővł)B

  ̂ɂ}b`ȂpPbg(炩ɁÂ悤ȂƂ͋N
  Ȃ͂ł)͑SăO邱ƂɒӂĉB

       ipchains -A forward -s 192.168.1.0/24 -i eth0 -j good-dmz
       ipchains -A forward -s 192.168.1.0/24 -i ppp0 -j good-bad
       ipchains -A forward -s 192.84.219.0/24 -i ppp0 -j dmz-bad
       ipchains -A forward -s 192.84.219.0/24 -i eth1 -j dmz-good
       ipchains -A forward -i eth0 -j bad-dmz
       ipchains -A forward -i eth1 -j bad-good
       ipchains -A forward -j DENY -l

  7.4.2.  Define the icmp-acc Chain

  pPbg(ȉ)G[ ICMP ̂ꂩȂANZvg܂B
  ΁A}b`ȂpPbgɑ΂鐧 icmp-acc `FC甲
  āAďõ`FCɖ߂邱ƂɂȂ܂B

       ipchains -A icmp-acc -p icmp --icmp-type destination-unreachable -j ACCEPT
       ipchains -A icmp-acc -p icmp --icmp-type source-quench -j ACCEPT
       ipchains -A icmp-acc -p icmp --icmp-type time-exceeded -j ACCEPT
       ipchains -A icmp-acc -p icmp --icmp-type parameter-problem -j ACCEPT

  7.4.3.  GOOD (Internal Network) to DMZ (Server Network)

  lbg[Nɑ΂鐧 :

  o  Olbg[Nւ WWW, ftp, traceroute, ssh 

  o  [T[oւ SMTP 

  o  [T[oւ POP-3 

  o  l[T[oւ DNS 

  o  EFuT[oւ rsync 

  o  EFuT[oւ WWW 

  o  pPbgtB^[}Vւ ping 

  lbg[N DMZ ̍ۂɃ}XJ[h͂ł܂Ał͍s
  ܂Blbg[N̂ǂ̃}Vӂ̂邱ƂȂ͂Ȃ
  ŁAۂSẴpPbg̃O܂B

  Debian ̌Âo[Wł́A/etc/services  `pop3' `pop-3' ƌ
  Ԃ̂ŒӂĉB̂Ƃ RFC1700 ƈvĂ܂B

       ipchains -A good-dmz -p tcp -d 192.84.219.128 smtp -j ACCEPT
       ipchains -A good-dmz -p tcp -d 192.84.219.128 pop3 -j ACCEPT
       ipchains -A good-dmz -p udp -d 192.84.219.129 domain -j ACCEPT
       ipchains -A good-dmz -p tcp -d 192.84.219.129 domain -j ACCEPT
       ipchains -A good-dmz -p tcp -d 192.84.218.130 www -j ACCEPT
       ipchains -A good-dmz -p tcp -d 192.84.218.130 rsync -j ACCEPT
       ipchains -A good-dmz -p icmp -j icmp-acc
       ipchains -A good-dmz -j DENY -l

  7.4.4.  BAD (External Network) to DMZ (Server Network)

  o  DMZ ɑ΂鐧:

     o  [T[o

        o  Olbg[Nւ SMTP \

        o  ƊOlbg[N SMTP ̃ANZvg\

        o  lbg[N POP-3 ̃ANZvg\

     o  l[T[o

        o  Olbg[Nւ DNS ̗v\

        o  ƊOlbg[NApPbgtB^[}V DNS 
           ANZvg\

     o  EFuT[o

        o  ƊOlbg[N HTTP ̃ANZvg\

        o  lbg[N Rsync ̃ANZvg\

  o  Olbg[N DMZ ֋邱

     o  NQsׂɂẮAO͂Ƃ炸̂܂܂ɂ

       ipchains -A bad-dmz -p tcp -d 192.84.219.128 smtp -j ACCEPT
       ipchains -A bad-dmz -p udp -d 192.84.219.129 domain -j ACCEPT
       ipchains -A bad-dmz -p tcp -d 192.84.219.129 domain -j ACCEPT
       ipchains -A bad-dmz -p tcp -d 192.84.218.130 www -j ACCEPT
       ipchains -A bad-dmz -p icmp -j icmp-acc
       ipchains -A bad-dmz -j DENY

  7.4.5.  GOOD (Internal Network) to BAD (External Network)

  o  lbg[Nɑ΂鐧:

     o  Olbg[Nւ WWW, ftp ,traceroute, ssh 

     o  [T[oւ SMTP 

     o  [T[oւ POP-3 

     o  l[T[oւ DNS 

     o  EFuT[oւ rsync 

     o  EFuT[oւ WWW 

     o  pPbgtB^[}Vւ ping 

  o  ʂɁAlbg[NOlbg[Nɑ΂ẮASĂ
     Aꂩ琧܂BX́At@VXgȂ̂łB

     o  NQsׂ̃O

     o  pbVu FTP ́A}XJ[hW[ŏ

     o  UDP  Đ|[g 33434 ȍ~  traceroute Ŏgp

       ipchains -A good-bad -p tcp --dport www -j MASQ
       ipchains -A good-bad -p tcp --dport ssh -j MASQ
       ipchains -A good-bad -p udp --dport 33434:33500 -j MASQ
       ipchains -A good-bad -p tcp --dport ftp -j MASQ
       ipchains -A good-bad -p icmp --icmp-type ping -j MASQ
       ipchains -A good-bad -j REJECT -l

  7.4.6.  DMZ to GOOD (Internal Network)

  o  lbg[Nɑ΂鐧:

     o  Olbg[Nւ WWW, ftp ,traceroute, ssh 

     o  [T[oւ SMTP 

     o  [T[oւ POP-3 

     o  l[T[oւ DNS 

     o  EFuT[oւ rsync 

     o  EFuT[oւ WWW 

     o  pPbgtB^[}Vւ ping 

  o  lbg[N DMZ ̍ۂɃ}XJ[hꍇAPɂȊO
     pPbgۂĉB̂ƂAPɃRlNVmꂽ
     ꕔ̃pPbĝ݋邾łB

       ipchains -A dmz-good -p tcp ! -y -s 192.84.219.128 smtp -j ACCEPT
       ipchains -A dmz-good -p udp -s 192.84.219.129 domain -j ACCEPT
       ipchains -A dmz-good -p tcp ! -y -s 192.84.219.129 domain -j ACCEPT
       ipchains -A dmz-good -p tcp ! -y -s 192.84.218.130 www -j ACCEPT
       ipchains -A dmz-good -p tcp ! -y -s 192.84.218.130 rsync -j ACCEPT
       ipchains -A dmz-good -p icmp -j icmp-acc
       ipchains -A dmz-good -j DENY -l

  7.4.7.  DMZ to BAD (External Network)

  o  DMZ ɑ΂鐧:

     o  [T[o

        o  Olbg[Nւ SMTP \

        o  ƊOlbg[N SMTP ̃ANZvg\

        o  Olbg[N POP-3 ̃ANZvg\

     o  l[T[o

        o  Olbg[Nւ DNS ̑M\

        o  ƊOlbg[NApPbgtB^[}V DNS 
           ANZvg\

     o  EFuT[o

        o  ƊOlbg[N HTTP ̃ANZvg\

        o  lbg[N Rsync ̃ANZvg\

  o

       ipchains -A dmz-bad -p tcp -s 192.84.219.128 smtp -j ACCEPT
       ipchains -A dmz-bad -p udp -s 192.84.219.129 domain -j ACCEPT
       ipchains -A dmz-bad -p tcp -s 192.84.219.129 domain -j ACCEPT
       ipchains -A dmz-bad -p tcp ! -y -s 192.84.218.130 www -j ACCEPT
       ipchains -A dmz-bad -p icmp -j icmp-acc
       ipchains -A dmz-bad -j DENY -l

  7.4.8.  BAD (External Network) to GOOD (Internal Network)

  o  Olbg[Nlbg[N֓ė̑S(}XJ[
     hĂȂ)܂B

       ipchains -A bad-good -j REJECT

  7.4.9.  Packet Filtering for the Linux Box Itself

  o  pPbgtB^[}VgɓėpPbbgɂApPbg
     tB^OsȂAinput `FCŃpPbgtB^
     OsKv܂BĐC^[tF[XɁA`FC
     ܂B

       ipchains -N bad-if
       ipchains -N dmz-if
       ipchains -N good-if

  o  `FCɃWv܂B

       ipchains -A input -d 192.84.219.1 -j bad-if
       ipchains -A input -d 192.84.219.250 -j dmz-if
       ipchains -A input -d 192.168.1.250 -j good-if

  7.4.9.1.  BAD (External Network) Interface

  o  pPbgtB^[}V:

     o  SẴlbg[Nɑ΂ PING \

     o  SẴlbg[Nɑ΂ TRACEROUTE \

     o  DNS ւ̃ANZX\

  o  ܂Olbg[Np̃C^[tF[X́A}XJ[hꂽp
     Pbg(}XJ[h́A\[X|[gƂ 61000  65095 gp
     ܂)ւ̃vC ICMP G[APING ̃vC󂯓܂B

       ipchains -A bad-if -i ! ppp0 -j DENY -l
       ipchains -A bad-if -p TCP --dport 61000:65095 -j ACCEPT
       ipchains -A bad-if -p UDP --dport 61000:65095 -j ACCEPT
       ipchains -A bad-if -p ICMP --icmp-type pong -j ACCEPT
       ipchains -A bad-if -j icmp-acc
       ipchains -A bad-if -j DENY

  7.4.9.2.  DMZ Interface

  o  pPbgtB^[}Vɑ΂鐧:

     o  SẴlbg[Nɑ΂ PING \

     o  SẴlbg[Nɑ΂ TRACEROUTE \

     o  DNS ւ̃ANZX\

  o  DMZ C^[tF[X́ADNS ̃vC ping ̃vCAG
     [ ICMP 󂯓܂B

       ipchains -A dmz-if -i ! eth0 -j DENY
       ipchains -A dmz-if -p TCP ! -y -s 192.84.219.129 53 -j ACCEPT
       ipchains -A dmz-if -p UDP -s 192.84.219.129 53 -j ACCEPT
       ipchains -A dmz-if -p ICMP --icmp-type pong -j ACCEPT
       ipchains -A dmz-if -j icmp-acc
       ipchains -A dmz-if -j DENY -l

  7.4.9.3.  GOOD (Internal Network) Interface

  o  pPbgtB^[}Vɑ΂鐧:

     o  SẴlbg[Nɑ΂ PING \

     o  SẴlbg[Nɑ΂ TRACEROUTE \

     o  DNS ւ̃ANZX\

  o  lbg[Nɑ΂鐧:

     o  Olbg[Nւ WWW, ftp ,traceroute, ssh 

     o  [T[oւ SMTP 

     o  [T[oւ POP-3 

     o  l[T[oւ DNS 

     o  EFuT[oւ rsync 

     o  EFuT[oւ WWW 

     o  pPbgtB^[}Vւ ping 

  o  lbg[NC^[tF[X́Aping  ping ̃vCAG[
     ICMP 󂯓܂B

       ipchains -A good-if -i ! eth1 -j DENY
       ipchains -A good-if -p ICMP --icmp-type ping -j ACCEPT
       ipchains -A good-if -p ICMP --icmp-type pong -j ACCEPT
       ipchains -A good-if -j icmp-acc
       ipchains -A good-if -j DENY -l

  7.5.  Finally

  o  ubLÕ[폜܂B

       ipchains -D input 1
       ipchains -D forward 1
       ipchains -D output 1

  8.  Appendix: Differences Between ipchains and ipfwadm

  ̕ύX̊̓J[l̕ύX̌ʂłA܂
  ipchains  ipfwadm Ƃ̈Ⴂ̌ʂłB

  1. ͍̈Ĕzu܂: ݁A啶̓R}hA
     ̓IvV܂B

  2. Cӂ̃`FCT|[g܂̂ŁAgݍ݃`FClɃt
     Oł͂Ȃtl[ŋLڂKv܂B (. `-I' ł͂Ȃ
     `input' ƋLڂ܂).

  3. `-k' IvV͂ȂȂ܂B `! -y' gĉB

  4. `-b' IvV́AP `o' [ƂAނۂ
     2̃[ɑ΂đ}/ǉ/폜s܂B

  5. `-b' IvV 2̃`FbNs߂ɁA `-C' IvVɂĖ
     ܂B(eX̕1)

  6. `-l' ɑ΂ `-x' IvV `-v' ɕύX܂B

  7. ȂMƎM̃|[g̓T|[g܂B]܂
     ́A|[gےł邱ƂŁA̖͂ړI₤ł傤B

  8. C^[tF[X(AhXłȂ)OɂĂ̂ݎwł܂B
     ܂Aǂ݂̂AȑÖӖt 2.1 J[lV[YŐÂɕύX
     ꂽƂłB

  9. pPbg̒fЉ͌܂̂ŁAIɂ͑fʂ肵܂B

  10.
     IȌv`FC͔p~܂B
  11.
     IP̔Cӂ̃vgReXgł܂B

  12.
     SYN  ACK ̑gɑ΂ȑO̐U (ȑO͔ TCP pPbg͖
     Ă܂) ͕ύX܂; SYN IvV́A TCP Ɠ
     [ɑ΂Ă͖łB

  13.
     ݁A32rbg}ṼJE^ 64rbgłA32rbgł͂
     ܂B

  14.
     ݁A]IvVT|[gĂ܂B

  15.
     ݁A ICMP R[hT|[gĂ܂B

  16.
     ݁AChJ[hC^[tF[XT|[gĂ܂B

  17.
     ݁ATOS ͕ʃ`FbN܂: ÂJ[lR[h `[
     Ȃ΂ȂȂ' TOS rbg(s)삳邱ƂŁAÂɎ~
     ܂Ă܂Ă܂; ݁A ipchains  ̂悤Ȏ݂ɑ΂āA
     ̕sȏꍇƓlɃG[Ԃ܂B

  8.1.  Quick-Reference Table

  [ ɁAR}h͑啶ŁAIvV͏łB]

  ӂׂ_ƂāA }XJ[fBO `-j MASQ' ƋLڂ܂; 
   `-j ACCEPT' ƑSقȂA܂ ipfwadm ̂悤ȕIʂƂĂ
  舵܂B

  ================================================================
  | ipfwadm      | ipchains              | Notes
  ----------------------------------------------------------------
  | -A [both]    | -N acct               | Create an `acct' chain
  |              |& -I 1 input -j acct   | and have input and output
  |              |& -I 1 output -j acct  | packets traverse it.
  |              |& acct                 |
  ----------------------------------------------------------------
  | -A in        | input                 | A rule with no target
  ----------------------------------------------------------------
  | -A out       | output                | A rule with no target
  ----------------------------------------------------------------
  | -F           | forward               | Use as [chain].
  ----------------------------------------------------------------
  | -I           | input                 | Use as [chain].
  ----------------------------------------------------------------
  | -O           | output                | Use as [chain].
  ----------------------------------------------------------------
  | -M -l        | -M -L                 |
  ----------------------------------------------------------------
  | -M -s        | -M -S                 |
  ----------------------------------------------------------------
  | -a policy    | -A [chain] -j POLICY  | (but see -r and -m).
  ----------------------------------------------------------------
  | -d policy    | -D [chain] -j POLICY  | (but see -r and -m).
  ----------------------------------------------------------------
  | -i policy    | -I 1 [chain] -j POLICY| (but see -r and -m).
  ----------------------------------------------------------------
  | -l           | -L                    |
  ----------------------------------------------------------------
  | -z           | -Z                    |
  ----------------------------------------------------------------
  | -f           | -F                    |
  ----------------------------------------------------------------
  | -p           | -P                    |
  ----------------------------------------------------------------
  | -c           | -C                    |
  ----------------------------------------------------------------
  | -P           | -p                    |
  ----------------------------------------------------------------
  | -S           | -s                    | Takes only one port or
  |              |                       | range, not several.
  ----------------------------------------------------------------
  | -D           | -d                    | Takes only one port or
  |              |                       | range, not several.
  ----------------------------------------------------------------
  | -V           | <none>                | Use -i [name].
  ----------------------------------------------------------------
  | -W           | -i                    |
  ----------------------------------------------------------------
  | -b           | -b                    | Now actually makes two
  |              |                       | rules.
  ----------------------------------------------------------------
  | -e           | -v                    |
  ----------------------------------------------------------------
  | -k           | ! -y                  | Does not work unless
  |              |                       | -p tcp is also given.
  ----------------------------------------------------------------
  | -m           | -j MASQ               |
  ----------------------------------------------------------------
  | -n           | -n                    |
  ----------------------------------------------------------------
  | -o           | -l                    |
  ----------------------------------------------------------------
  | -r [redirpt] | -j REDIRECT [redirpt] |
  ----------------------------------------------------------------
  | -t           | -t                    |
  ----------------------------------------------------------------
  | -v           | -v                    |
  ----------------------------------------------------------------
  | -x           | -x                    |
  ----------------------------------------------------------------
  | -y           | -y                    | Does not work unless
  |              |                       | -p tcp is also given.
  ----------------------------------------------------------------

  8.2.  Examples of translated ipfwadm commands

  Old command: ipfwadm -F -p deny

  New command: ipchains -P forward DENY

  Old command: ipfwadm -F -a m -S 192.168.0.0/24 -D 0.0.0.0/0

  New command: ipchains -A forward -j MASQ -s 192.168.0.0/24 -d 0.0.0.0/0

  Old command: ipfwadm -I -a accept -V 10.1.2.1 -S 10.0.0.0/8 -D
  0.0.0.0/0

  New command: ipchains -A input -j ACCEPT -i eth0 -s 10.0.0.0/8 -d
  0.0.0.0/0

  (Note that there is no equivalent for specifying an interface by
  address: use the interface name.  On this machine, 10.1.2.1
  corresponds to eth0.)

  9.  Appendix: Using the ipfwadm-wrapper script

  The ipfwadm-wrapper shell script is meant to be a drop-in replacement
  for ipfwadm, for backwards compatibility with ipfwadm 2.3a.

  The only feature it cannot really handle is the `-V' option.  When it
  is used, a warning is printed.  If the `-W' option is also given, the
  `-V' option is ignored.  Otherwise the script uses ifconfig to look
  for the interface that has been assigned that address.  If that fails
  (for example because the interface is down), it exits with an error
  message.

  The warning can be suppressed by changing `-V' to `-W', or by sending
  the script's standard output to /dev/null.
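  As an added worked example (not code from this HOWTO or from the
  ipfwadm-wrapper script), the following Python applies the
  quick-reference table and the translated commands of section 8
  mechanically, together with the `-V' handling described above:
  addresses are looked up in a table built from ifconfig output, for
  which a constructed sample is embedded, and the rule is refused rather
  than guessed when no interface carries the address.  The checks that
  section 8 calls out are enforced: `-b' expands to two rules, an
  address may carry only one port or range, and `-k'/`-y' are rejected
  without `-P tcp'.  `-I' is emitted without an explicit rule number,
  since inserting at the head of the chain is its default; the `-M'
  masquerading commands are left untranslated.  It assumes the ipfwadm
  2.3a option syntax shown in the table.

```python
"""ipfwadm -> ipchains translation following the quick-reference table and the
-V handling of ipfwadm-wrapper.  Added example; not the wrapper script itself."""
import re
import shlex

_CATEGORY = {"-I": "input", "-O": "output", "-F": "forward"}       # category -> [chain]
_COMMAND = {"-a": "-A", "-d": "-D", "-i": "-I", "-l": "-L",        # commands go upper case
            "-z": "-Z", "-f": "-F", "-p": "-P", "-c": "-C"}
_TARGET = {"accept": "ACCEPT", "deny": "DENY", "reject": "REJECT",
           "masquerade": "MASQ", "m": "MASQ"}                         # policy word -> target
_RENAMED = {"-e": "-v", "-o": "-l", "-n": "-n", "-v": "-v", "-x": "-x",
            "-y": "-y", "-k": "! -y"}                                 # same meaning, new spelling
_ACCT_SETUP = ["ipchains -N acct", "ipchains -I input -j acct", "ipchains -I output -j acct"]

# Constructed ifconfig output (classic layout) standing in for the real command.
SAMPLE_IFCONFIG = """\
eth0      Link encap:Ethernet  HWaddr 00:00:00:00:00:01
          inet addr:10.1.2.1  Bcast:10.1.2.255  Mask:255.255.255.0
eth1      Link encap:Ethernet  HWaddr 00:00:00:00:00:02
          inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
"""


def interfaces_from_ifconfig(text):
    """Map IPv4 address -> interface name ('inet addr:' and newer 'inet ' layouts)."""
    table, name = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace():                 # interface header line
            name = line.split()[0].rstrip(":")
        m = re.search(r"\binet (?:addr:)?(\d+(?:\.\d+){3})", line)
        if m and name:
            table[m.group(1)] = name
    return table


def translate(cmdline, addr_to_iface=None):
    """Return the ipchains command line(s) for one ipfwadm command line;
    raise ValueError where ipchains has no equivalent."""
    addr_to_iface = addr_to_iface or {}
    tok = shlex.split(cmdline)
    if not tok or tok[0] != "ipfwadm":
        raise ValueError("not an ipfwadm command line")
    chain = command = target = iface = proto = None
    setup, opts, src, dst, acct, bidir = [], [], [], [], False, False
    i = 1
    while i < len(tok):
        t, i = tok[i], i + 1
        if t in _CATEGORY:
            chain = _CATEGORY[t]
        elif t == "-A":                                     # accounting: rules take no target
            acct, which = True, "both"
            if i < len(tok) and tok[i] in ("in", "out", "both"):
                which, i = tok[i], i + 1
            chain = {"in": "input", "out": "output"}.get(which, "acct")
            setup = list(_ACCT_SETUP) if chain == "acct" else []   # table row 1
        elif t in _COMMAND:
            command = _COMMAND[t]
            if t in ("-a", "-d", "-i", "-p") and not acct:  # these take a policy word
                target, i = _TARGET[tok[i].lower()], i + 1
        elif t in ("-S", "-D"):
            spec, i = ["-s" if t == "-S" else "-d", tok[i]], i + 1
            while i < len(tok) and not tok[i].startswith("-"):  # trailing port(s)
                spec, i = spec + [tok[i]], i + 1
            if len(spec) > 3:                               # one port or range only
                raise ValueError("ipchains takes one port or range, not %s" % spec[2:])
            src, dst = (spec, dst) if t == "-S" else (src, spec)
        elif t == "-P":
            proto, i = tok[i], i + 1
        elif t == "-V":                                     # address -> name, as the wrapper does
            if tok[i] not in addr_to_iface:
                raise ValueError("no interface has address %s; use -W name" % tok[i])
            iface, i = addr_to_iface[tok[i]], i + 1
        elif t == "-W":
            iface, i = tok[i], i + 1
        elif t == "-t":                                     # TOS: andmask xormask
            opts, i = opts + ["-t", tok[i], tok[i + 1]], i + 2
        elif t in ("-m", "-r"):
            target = "MASQ" if t == "-m" else "REDIRECT"
            if t == "-r" and i < len(tok) and not tok[i].startswith("-"):
                target, i = target + " " + tok[i], i + 1    # optional redirect port
        elif t == "-b":
            bidir = True
        elif t in _RENAMED:
            opts += _RENAMED[t].split()
        else:
            raise ValueError("no translation for ipfwadm option %r" % t)
    if command is None:
        raise ValueError("no command given")
    if "-y" in opts and (proto or "").lower() != "tcp":     # -k and -y need -P tcp
        raise ValueError("-k and -y only work together with -P tcp")
    head = ["ipchains", command] + ([chain] if chain else [])
    if target is not None:
        head += [target] if command == "-P" else ["-j", target]
    head += (["-i", iface] if iface else []) + (["-p", proto] if proto else [])
    lines = setup + [" ".join(head + src + dst + opts)]
    if bidir:                                               # -b now really makes two rules
        back = ["-s"] + dst[1:] if dst else []
        forth = ["-d"] + src[1:] if src else []
        lines.append(" ".join(head + back + forth + opts))
    return lines
```

  translate() returns the lines to run rather than running them, so an
  old ipfwadm script can be converted line by line and the result read
  over before anything is loaded into the kernel; a ValueError marks
  exactly the rules that need a human decision (several ports, an
  unresolvable address, a SYN test on a non-TCP rule).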

  If you find a mistake in this script, or a difference between it and
  the real ipfwadm, please send a bug report: mail rusty@linuxcare.com
  with "BUG-REPORT" in the subject.  List the version of your old
  ipfwadm (ipfwadm -h), of ipchains (ipchains --version) and of the
  ipfwadm wrapper script (ipfwadm-wrapper --version), and include the
  output of ipchains-save.  Thanks in advance.

  Mix ipchains with the ipfwadm-wrapper script at your own risk.

  10.  Appendix: Thanks

  Many thanks are due to Michael Neuling, who wrote the first releasable
  cut of the IP chains code for me.  I publicly apologise for having
  rejected his result-caching idea; Alan Cox later proposed the same
  idea, at which point I realised my mistake and had to apologise again.

  Thanks to Alan Cox for his 24-hour e-mail tech support and
  encouragement.

  Thanks to all the authors of the ipfw and ipfwadm code, especially Jos
  Vos.  Giants' shoulders and all that.  This applies to Linus Torvalds
  and all the kernel and userspace hackers as well.

  (Translator's note: "standing on the shoulders of giants" is Newton's
  famous remark that he was able to make his discoveries only because
  he stood on the shoulders of giants, that is, of his predecessors.)

  Thanks to the diligent beta testers and bug hunters, especially Jordan
  Mendelson, Shaw Carruthers, Kevin Moule, Dr. Liviu Daia, Helmut Adams,
  Franck Sicard, Kevin Littlejohn, Matt Kemner, John D. Hardin, Alexey
  Kuznetsov, Leos Bitto, Jim Kunzman, Gerard Gerritsen, Serge Sivkov,
  Andrew Burgess, Steve Schmidtke, Richard Offer, Bernhard Weisshuhn,
  Larry Auton, Ambrose Li, Pavel Krauz, Steve Chadsey, Francesco
  Potorti`, Alain Knaff, Casper Boden-Cummins and Henry Hollenberg.

  10.1.  Translations

  Anyone translating this document should add their name to the list of
  translators at the top of the acknowledgements, for example: `Thanks
  to XXX for accurately translating all of the English of this
  document.'  Then include your translation.

  Arnaud Launay, asl@launay.org:
  http://www.freenix.fr/unix/linux/HOWTO/IPCHAINS-HOWTO.html
  <http://www.freenix.fr/unix/linux/HOWTO/IPCHAINS-HOWTO.html>

  Giovanni Bortolozzo, borto@pluto.linux.it:
  http://www.pluto.linux.it/ildp/HOWTO/IPCHAINS-HOWTO.html
  <http://www.pluto.linux.it/ildp/HOWTO/IPCHAINS-HOWTO.html>

  Herman Rodríguez, herman@maristas.dhis.org:
  http://netfilter.kernelnotes.org/ipchains/spanish/HOWTO.html
  <http://netfilter.kernelnotes.org/ipchains/spanish/HOWTO.html>

  JF Project, jf@linux.or.jp: http://www.linux.or.jp/JF/JFdocs/IPCHAINS-
  HOWTO.html <http://www.linux.or.jp/JF/JFdocs/IPCHAINS-HOWTO.html>

  11.  About the Japanese translation

  Japanese translation: November 21, 2000
  JF Project "Team ipchains" translators (honorifics omitted, in
  Japanese syllabary order):

  o  <daisuke@terra.dti.ne.jp>: chapter 7

  o  <magotou@fubyshare.gr.jp>: chapters 2 and 3

  o  <jeanne@mbox.kyoto-inet.or.jp>: chapters 5 and 6

  o  <nagoya@cc.hit-u.ac.jp>: chapters 1 to 4

  o  <yoh@coolmail.net>: chapters 1, 4, 8 to 10, and assembly of the
     whole

  In preparing this translation we drew heavily on the Japanese
  translation of the Linux 2.4 Packet Filtering HOWTO
  <http://www.linux.or.jp/JF/JFdocs/packet-filtering-HOWTO.html> by
  <h-yamamo@db3.so-net.ne.jp>, and consulted an article contributed to
  LinuxJAPAN by <akamatsu@kobedenshi.ac.jp>.

  The following people gave advice on the translation and editing (in
  Japanese syllabary order).  Many thanks to all of them.

  o  <kade@kadesoft.com>

  o  <kto@interlink.or.jp>

  o  <void@merope.pleiades.or.jp>

  o  <shibata@luky.org>

  o  <setzer@mx3.tiki.ne.jp>

  o  <ysenda@pop01.odn.ne.jp>

  o  <takei@webmasters.gr.jp>

  o  <wnishida@skyfree.org>

  o  <mizuhara@acm.org>

  o  <h-yamamo@db3.so-net.ne.jp>

