  Linux 2.4 Packet Filtering HOWTO
  Rusty Russell, mailing list netfilter@lists.samba.org
  $Revision: 1.24 $ $Date: 2002/01/14 09:35:13 $
  Japanese translation: h-yamamo@db3.so-net.ne.jp
  v1.24j  Jan. 20, 2002

  This document describes how to use iptables to filter out bad packets
  for the 2.4 Linux kernel.
  ______________________________________________________________________

  Table of Contents

  1. Introduction
  2. Where is the official web site?  Is there a mailing list?
  3. So what's a packet filter?
     3.1 Why would I want a packet filter?
     3.2 How do I filter packets under Linux?
        3.2.1 iptables
        3.2.2 Making rules permanent

  4. Who the hell are you, and why are you playing with my kernel?
  5. Rusty's really quick guide to packet filtering
  6. How packets traverse the filters
  7. Using iptables
     7.1 What you'll see when your computer starts up
     7.2 Operations on a single rule
     7.3 Filtering specifications
        7.3.1 Specifying source and destination IP addresses
        7.3.2 Specifying inversion
        7.3.3 Specifying protocol
        7.3.4 Specifying an interface
        7.3.5 Specifying fragments
        7.3.6 Extensions to iptables: new matches
           7.3.6.1 TCP extensions
              7.3.6.1.1 An explanation of TCP flags
           7.3.6.2 UDP extensions
           7.3.6.3 ICMP extensions
           7.3.6.4 Other match extensions
           7.3.6.5 The state match
     7.4 Target specifications
        7.4.1 User-defined chains
        7.4.2 Extensions to iptables: new targets
        7.4.3 Special built-in targets
     7.5 Operations on an entire chain
        7.5.1 Creating a new chain
        7.5.2 Deleting a chain
        7.5.3 Flushing a chain
        7.5.4 Listing a chain
        7.5.5 Resetting (zeroing) counters
        7.5.6 Setting policy

  8. Using ipchains and ipfwadm
  9. Mixing NAT and packet filtering
  10. Differences between iptables and ipchains
  11. Advice on packet filter design
  12. About the Japanese translation

  ______________________________________________________________________

  1.  Introduction

  Welcome, gentle reader.

  It is assumed that you know what IP addresses, network addresses,
  network masks, routing and DNS are. If not, I recommend that you read
  the Network Concepts HOWTO [Translator's note: its Japanese translation
  is published under the name Linux Networking-concepts HOWTO].

  This HOWTO flips between the gentle introduction (which will leave you
  feeling warm and fuzzy) and the raw, full-on disclosure (which would
  leave all but the hardiest of you confused, paranoid and seeking heavy
  weaponry).

  Your network is not secure. The problem of allowing fast, convenient
  communication while restricting its use to well-behaved purposes is
  equivalent to the problem of allowing freedom of speech while
  forbidding shouting "Fire!" in a crowded theatre. It will not be solved
  in the space of this HOWTO.

  So only you can decide where the trade-off lies. I will try to instruct
  you in the use of some of the tools available and some of the
  vulnerabilities to be aware of, in the hope that you will use them for
  good, and not for evil purposes. Another equivalent problem.

  (C) 2000 Paul `Rusty' Russell.  Licenced under the GNU GPL.

  2.  Where is the official web site?  Is there a mailing list?

  There are three official sites:

  o  Thanks to Filewatcher <http://netfilter.filewatcher.org/>.

  o  Thanks to the Samba Team and SGI <http://netfilter.samba.org/>.

  o  Thanks to Harald Welte <http://netfilter.gnumonks.org/>.

  You can reach all of them through round-robin DNS at
  <http://www.netfilter.org/> and <http://www.iptables.org/>.

  For the official netfilter mailing list, see the netfilter list page
  <http://www.netfilter.org/contact.html#list>.

  3.  So what's a packet filter?

  A packet filter is a piece of software which looks at the header of
  packets as they pass through, and decides the fate of the entire
  packet. It might decide to DROP the packet (i.e., discard it as if it
  had never been received), ACCEPT the packet (i.e., let it go through),
  or do something more complicated, depending on how it is configured.

  Under Linux, packet filtering is built into the kernel (as a kernel
  module, or built right in). There are a few trickier things we can do
  with packets, but the general principle of looking at the headers and
  deciding the fate of the packet is still there.

  3.1.  Why would I want a packet filter?

  Control. Security. Watchfulness.

     Control:
        When you are using a Linux box to connect your internal network
        to another network (say, the Internet) you have an opportunity to
        allow certain types of traffic, and disallow others. For example,
        the header of a packet contains the destination address of the
        packet, so you can prevent packets going to a certain part of the
        outside network. As another example, I use Netscape to access the
        Dilbert archives [Translator's note: Dilbert is a comic strip
        about an engineer]. There are advertisements from doubleclick.net
        on the page, and Netscape wastes my time by cheerfully
        downloading them. Telling the packet filter not to allow any
        packets to or from the addresses owned by doubleclick.net solves
        that problem (there are better ways of doing this, though: see
        Junkbuster [Translator's note: http://internet.junkbuster.com]).

     Security:
        When your Linux box is the only thing between the chaos of the
        Internet and your nice, orderly network, it is good to know that
        you can restrict what comes tromping in your door. For example,
        you might allow anything to go out from your network, but you
        might be worried about the well-known `Ping of Death' coming in
        from malicious outsiders. As another example, you might not want
        outsiders telnetting to your Linux box, even though all the
        accounts have passwords. Maybe you want (like most people) to be
        an observer on the Internet, and not a server (willing or
        otherwise). Simply don't let anyone connect in, by having the
        packet filter reject the incoming packets used to set up
        connections.

     Watchfulness:
        Sometimes a badly configured machine on the local network will
        decide to spew packets to the outside world. It is nice to be
        able to tell the packet filter to let you know if anything
        abnormal occurs; maybe you can do something about it, or maybe
        you are just curious by nature.

  3.2.  How do I filter packets under Linux?

  Linux kernels have had packet filtering since the 1.1 series. The
  first generation, based on ipfw from BSD, was ported by Alan Cox in
  late 1994. This was enhanced by Jos Vos and others for Linux 2.0; the
  userspace tool `ipfwadm' controlled the kernel filtering rules. In
  mid-1998, for Linux 2.2, I reworked the kernel quite heavily, with the
  help of Michael Neuling, and introduced the userspace tool `ipchains'.
  Finally, the fourth-generation tool, `iptables', and another kernel
  rewrite occurred in mid-1999 for Linux 2.4. It is this iptables that
  this HOWTO concentrates on.

  You need a kernel which has the netfilter infrastructure in it:
  netfilter is a general framework inside the Linux kernel into which
  other things (such as the iptables module) can plug. This means you
  need kernel 2.3.15 or later, and must answer `Y' to CONFIG_NETFILTER
  in the kernel configuration.

  The tool iptables talks to the kernel and tells it which packets to
  filter. Unless you are a programmer, or overly curious, this is how
  you will control the packet filtering.

  3.2.1.  iptables

  The iptables tool inserts and deletes rules from the kernel's packet
  filtering table. This means that whatever you set up will be lost upon
  reboot; see ``Making rules permanent'' for how to make sure the rules
  are restored the next time Linux boots.

  iptables is a replacement for ipfwadm and ipchains: see ``Using
  ipchains and ipfwadm'' for how to painlessly avoid using iptables if
  you are using one of those tools.

  3.2.2.  Making rules permanent

  Your current firewall setup is stored only in the kernel, and thus
  will be lost on reboot. The iptables-save and iptables-restore scripts
  can write the setup to a file and restore it from that file later.

  The other way is to put the commands required to set up your rules in
  an initialization script. Make sure you do something intelligent if
  one of the commands should fail (usually `exec /sbin/sulogin', which
  drops you into single-user mode).

  4.  Who the hell are you, and why are you playing with my kernel?

  I'm Rusty Russell: Linux IP firewall maintainer and just one of the
  many ordinary people coding on other parts of the kernel, who happened
  to be in the right place at the right time. I wrote ipchains (see
  ``How do I filter packets under Linux?'' above for credit to the people
  who did the actual work), and learnt enough to get packet filtering
  right this time. I hope.

  WatchGuard <http://www.watchguard.com>, an excellent firewall company
  who sell the really nice plug-in Firebox [Translator's note: a
  Linux-based firewall product], offered to pay me to do nothing, so I
  could spend all my time on writing this stuff and maintaining my
  previous stuff. I predicted 6 months, and got 12, but I feel that the
  goal of getting it right has been met. Along the way there was a
  hard-disk crash, a stolen laptop, a corrupted file system and, on top
  of that, a broken screen.

  Meanwhile, although many people are kind enough to think otherwise, I
  am not the kernel god. I say this because the kernel work itself
  brought me into contact with the real giants: David S. Miller, Alexey
  Kuznetsov, Andi Kleen and Alan Cox. They are all busy with the deep
  magic, while I paddle about in the safe, shallow water they leave me.

  5.  Rusty's really quick guide to packet filtering

  Most people just have a single PPP connection to the Internet, and
  don't want anyone coming back into their network, or into the
  firewall:

       ## Insert connection-tracking modules (not needed if built into the kernel).
       # insmod ip_conntrack
       # insmod ip_conntrack_ftp

       ## Create a chain which blocks new connections, except if coming from inside.
       # iptables -N block
       # iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
       # iptables -A block -m state --state NEW -i ! ppp0 -j ACCEPT
       # iptables -A block -j DROP

       ## Jump to that chain from the INPUT and FORWARD chains.
       # iptables -A INPUT -j block
       # iptables -A FORWARD -j block

  6.  How packets traverse the filters

  The kernel starts with three lists of rules in the `filter' table;
  these lists are called firewall chains, or just chains. The three
  chains are called INPUT, OUTPUT and FORWARD.

  For ASCII-art fans, the chains are arranged like so (note: this is a
  very different arrangement from the 2.0 and 2.2 kernels!):

                                         _____
  Incoming                              /     \         Outgoing
       -->[Routing ]--->|FORWARD|------->
          [Decision]    \_____/        ^
               |                       |
               v                      ____
              ___                    /    \
             /   \                  |OUTPUT|
            |INPUT|                  \____/
             \___/                     ^
               |                       |
                ----> Local Process ----

  [Translator's note: in addition, for NAT there is a `PREROUTING' chain
  before the routing decision and a `POSTROUTING' chain just before the
  packet goes out.]

  The three circles represent the three chains mentioned above. When a
  packet reaches a circle in the diagram, that chain is examined to
  decide the fate of the packet. If the chain says to DROP the packet,
  it is killed there; if the chain says to ACCEPT the packet, it
  continues traversing the diagram.

  A chain is a checklist of rules. Each rule says "if the packet header
  looks like this, then here is what to do with the packet". If the rule
  doesn't match the packet, the next rule in the chain is consulted.
  Finally, if there are no more rules to consult, the kernel looks at
  the chain's policy to decide what to do. In a security-conscious
  system, this policy usually tells the kernel to DROP the packet.

  1. When a packet comes in (say, through the Ethernet card) the kernel
     first looks at the destination of the packet: this is called
     routing.

  2. If it is destined for this box, the packet passes downwards in the
     diagram, to the INPUT chain. If it passes this, any processes
     waiting for that packet will receive it.

  3. Otherwise, if the kernel does not have forwarding enabled, or it
     doesn't know how to forward the packet, the packet is dropped. If
     forwarding is enabled, and the packet is destined for another
     network interface (if you have another one), then the packet goes
     rightwards in our diagram to the FORWARD chain. If it is ACCEPTed,
     it will be sent out.

  4. Finally, a program running on the box can send network packets.
     These packets pass through the OUTPUT chain immediately: if it says
     ACCEPT, the packet continues out to whatever interface it is
     destined for.

  7.  Using iptables

  iptables has a fairly detailed manual page (man iptables) for when you
  need more detail on particulars. Those of you familiar with ipchains
  might simply want to look at ``Differences between iptables and
  ipchains''; in fact the two are very similar.

  There are several different things you can do with iptables. You start
  with three built-in chains INPUT, OUTPUT and FORWARD, which you cannot
  delete. Let's look at the operations for managing whole chains:

  1. Create a new chain (-N).

  2. Delete an empty chain (-X).

  3. Change the policy of a built-in chain (-P).

  4. List the rules in a chain (-L).

  5. Flush all the rules out of a chain (-F).

  6. Zero the packet and byte counters on all the rules in a chain
     (-Z).

  There are several ways to manipulate the rules inside a chain:

  1. Append a new rule to a chain (-A).

  2. Insert a new rule at some position in a chain (-I).

  3. Replace a rule at some position in a chain (-R).

  4. Delete a rule at some position in a chain, or the first rule that
     matches the description (-D).

  7.1.  What you'll see when your computer starts up

  iptables is fairly modular. It may be a module (`iptable_filter.o')
  which should be loaded automatically the first time you run iptables,
  or it may be built into the kernel permanently.

  Before any iptables commands have been run (careful: some
  distributions run iptables from their initialization scripts), there
  will be no rules in any of the built-in chains (`INPUT', `FORWARD' and
  `OUTPUT'), and all the chains will have a policy of ACCEPT. However,
  by giving the iptable_filter module the option `forward=0' you can
  change the initial policy of the FORWARD chain [Translator's note: to
  DROP].

  7.2.  Operations on a single rule

  Manipulating rules is the bread and butter of packet filtering. Most
  commonly, you will probably use the append (-A) and delete (-D)
  commands. The others (-I for insert and -R for replace) are simple
  extensions of these concepts.

  Each rule specifies a set of conditions the packet must meet, and what
  to do if it meets them (a target). For example, you might want to drop
  all ICMP packets coming from the IP address 127.0.0.1. In this case
  the conditions are that the protocol must be ICMP and that the source
  address must be 127.0.0.1. The target is `DROP'.

  127.0.0.1 is the loopback interface, which you will have even if your
  machine has no real network connection. You can use the `ping' program
  to generate such packets (it simply sends an ICMP type 8 (echo
  request), to which all cooperative hosts should obligingly respond
  with an ICMP type 0 (echo reply) packet). This makes it useful for
  testing.

       # ping -c 1 127.0.0.1
       PING 127.0.0.1 (127.0.0.1): 56 data bytes
       64 bytes from 127.0.0.1: icmp_seq=0 ttl=64 time=0.2 ms

       --- 127.0.0.1 ping statistics ---
       1 packets transmitted, 1 packets received, 0% packet loss
       round-trip min/avg/max = 0.2/0.2/0.2 ms
       # iptables -A INPUT -s 127.0.0.1 -p icmp -j DROP
       # ping -c 1 127.0.0.1
       PING 127.0.0.1 (127.0.0.1): 56 data bytes

       --- 127.0.0.1 ping statistics ---
       1 packets transmitted, 0 packets received, 100% packet loss
       #

  We can see that the first ping succeeds (the `-c 1' tells ping to send
  only a single packet).

  Then we append (-A) to the `INPUT' chain a rule specifying that
  packets from 127.0.0.1 (`-s 127.0.0.1') with protocol ICMP (`-p icmp')
  should jump to DROP (`-j DROP').

  Then we test our rule, using the second ping. There will be a pause
  before the program gives up waiting for a response that will never
  come.

  We can delete the rule in one of two ways. Firstly, since we know that
  it is the only rule in the input chain, we can use a numbered delete,
  as in:

               # iptables -D INPUT 1
               #

  This deletes rule number 1 in the INPUT chain.

  The second way is to mirror the -A command, but replacing the -A with
  -D. This is useful when you have a complex chain of rules and you
  don't want to count them to work out that it is rule 37 you want to
  get rid of. In this case, we would use:

               # iptables -D INPUT -s 127.0.0.1 -p icmp -j DROP
               #

  The syntax of -D must have exactly the same options as the -A (or -I
  or -R) command. If there are multiple identical rules in the same
  chain, only the first is deleted.

  7.3.  Filtering specifications

  We have seen the use of `-p' to specify the protocol, and `-s' to
  specify the source address, but there are other options we can use to
  specify packet characteristics. What follows is an exhaustive
  compendium.

  7.3.1.  Specifying source and destination IP addresses

  Source (`-s', `--source' or `--src') and destination (`-d',
  `--destination' or `--dst') IP addresses can be specified in four
  ways. The most common way is to use the fully qualified name (FQDN),
  such as `localhost' or `www.linuxhq.com'. The second way is to specify
  the IP address, such as `127.0.0.1'.

  The third and fourth ways allow a group of IP addresses to be
  specified, such as `199.95.207.0/24' or
  `199.95.207.0/255.255.255.0'. These both specify any IP address from
  199.95.207.0 to 199.95.207.255 inclusive; the digits after the `/'
  tell which parts of the IP address are significant. `/32' or
  `/255.255.255.255' is the default (match the whole IP address). To
  specify any IP address at all, `/0' can be used, like so:

               [ NOTE: `-s 0/0' is redundant here. ]
               # iptables -A INPUT -s 0/0 -j DROP
               #

  This is rarely used, since the effect above is the same as not
  specifying the `-s' option at all.

  7.3.2.  Specifying inversion

  Many flags, including the `-s' (or `--source') and `-d'
  (`--destination') flags, can have their arguments preceded by `!'
  (pronounced "not") to match values NOT equal to the ones given. For
  `-s' and `-d' this matches addresses other than the address given.
  For example, `-s ! localhost' matches any packet not coming from
  localhost.

  7.3.3.  Specifying protocol

  The protocol can be specified with the `-p' (or `--protocol') flag.
  The protocol can be a number (if you know the numeric protocol values
  for IP) or a name for the special cases of `TCP', `UDP' or `ICMP'.
  Case doesn't matter, so `tcp' works as well as `TCP'.

  The protocol name can be prefixed by a `!' to invert it, such as
  `-p ! TCP' to specify packets which are not TCP.

  7.3.4.  Specifying an interface

  The `-i' (or `--in-interface') and `-o' (or `--out-interface') options
  specify the name of an interface to match. An interface is the
  physical device the packet came in on (`-i') or is going out on
  (`-o'). You can use the `ifconfig' command to list the interfaces
  which are `up' (i.e., working at the moment).

  Packets traversing the INPUT chain have no output interface, so any
  rule using `-o' in this chain will never match. Similarly, packets
  traversing the OUTPUT chain have no input interface, so any rule using
  `-i' in this chain will never match.

  Only packets traversing the FORWARD chain have both an input and an
  output interface.

  It is perfectly legal to specify an interface that does not currently
  exist; the rule will not match anything until the interface comes up.
  This is extremely useful for dial-up PPP links (usually interface
  ppp0) and the like.

  As a special case, an interface name ending with a `+' matches all
  interfaces (whether they currently exist or not) whose names begin
  with that string. For example, a rule matching all PPP interfaces
  would use the option -i ppp+.

  The interface name can be preceded by a `!' with spaces around it, to
  match packets which do NOT match the specified interface(s), e.g.
  -i ! ppp+.

  7.3.5.  Specifying fragments

  Sometimes a packet is too large to fit down a wire all at once. When
  this happens, the packet is divided into fragments and sent as
  multiple packets. The other end reassembles these fragments to
  reconstruct the whole packet.

  The problem with fragments is that the initial fragment has the
  complete header fields (IP + TCP, UDP or ICMP) to examine, but the
  subsequent packets have only a subset of the header (the IP header
  without the additional protocol fields). Thus looking inside
  subsequent fragments for protocol headers (as the TCP, UDP and ICMP
  extensions do) is not possible.

  If you are doing connection tracking or NAT, all fragments are merged
  back together before they reach the packet filtering code, so you
  need never worry about fragments.

  Otherwise, it is important to understand how fragments are treated by
  the filtering rules. Any filtering rule that asks for information we
  don't have will not match. This means that the first fragment is
  treated like any other packet. Second and further fragments are not.
  Thus a rule -p TCP --sport www (specifying a source port of `www')
  will never match a fragment (other than the first fragment). Neither
  will the opposite rule, -p TCP --sport ! www.

  However, you can specify a rule specifically for second and further
  fragments, using the `-f' (or `--fragment') flag. It is also legal to
  specify that a rule does not apply to second and further fragments,
  by preceding the `-f' with `!' [Translator's note: i.e. `! -f'].

  Usually it is regarded as safe to let second and further fragments
  through, since filtering will affect the first fragment and thus
  prevent reassembly on the target host; however, bugs have been known
  to exist which allow machines to be crashed simply by sending
  fragments. Your call.

  Note for network-heads: malformed packets (TCP, UDP and ICMP packets
  too short for the firewalling code to read the ports or the ICMP code
  and type) are dropped when such examinations are attempted. So are
  TCP fragments starting at offset 8.

  As an example, the following rule drops any fragments going to
  192.168.1.1:

       # iptables -A OUTPUT -f -d 192.168.1.1 -j DROP
       #

  7.3.6.  Extensions to iptables: new matches

  iptables is extensible, meaning that both the kernel and the iptables
  tool can be extended to provide new features.

  Some of these extensions are standard, and others are more exotic.
  Extensions can be written by other people and distributed separately
  to niche users.

  Kernel extensions normally live in the kernel module subdirectory,
  such as /lib/modules/2.4.0-test10/kernel/net/ipv4/netfilter. They are
  demand-loaded if your kernel was compiled with CONFIG_KMOD set, so you
  should not need to insert them manually.

  Extensions to the iptables program are shared libraries which usually
  live in /usr/local/lib/iptables/, although a distribution would put
  them in /lib/iptables or /usr/lib/iptables.

  Extensions come in two types: new targets and new matches (we will
  talk about new targets a little later). Some protocols automatically
  offer new tests: currently these are TCP, UDP and ICMP, as shown
  below.

  For these, you can specify the new tests on the command line after the
  `-p' option, which loads the extension. For explicit new tests, use
  the `-m' option to load the extension, after which the extended
  options become available.

  To get help on an extension, use the option that loads it (`-p', `-j'
  or `-m') followed by `-h' or `--help', e.g.:

       # iptables -p tcp --help
       #

  7.3.6.1.  TCP extensions

  The TCP extensions are automatically loaded if `-p tcp' is specified.
  They provide the following options (none of which match fragments).

     --tcp-flags
        Followed by an optional `!', then two strings of flags, allows
        you to filter on specific TCP flags. The first string of flags
        is the mask: a list of the flags you want to examine. The second
        string [Translator's note: a subset of the first] tells which of
        them should be set. For example,

          # iptables -A INPUT --protocol tcp --tcp-flags ALL SYN,ACK -j DROP

     indicates that all flags should be examined (`ALL' is synonymous
     with `SYN,ACK,FIN,RST,URG,PSH'), but only SYN and ACK should be set.
     There is also an argument `NONE', meaning no flags [Translator's
     note: `NONE' is normally used as the second string, meaning that all
     the flags named in the first string must be off].

     --syn
        Optionally preceded by a `!', this is shorthand for
        `--tcp-flags SYN,RST,ACK SYN'.

     --source-port
        Followed by an optional `!', then either a single TCP port or a
        range of ports. Ports can be the names listed in /etc/services,
        or numbers. A range is either two ports separated by a `:', a
        port with a `:' appended (meaning that port and above), or a port
        with a `:' prepended (meaning that port and below).

     --sport
        Synonym for `--source-port'.

     --destination-port
     --dport
        The same as above, but they match the destination port rather
        than the source port.

     --tcp-option
        Followed by an optional `!' and a number, matches a packet whose
        TCP option [Translator's note: the first byte of the option
        field, i.e. its kind] equals that number. A packet which does not
        have a complete TCP header is dropped automatically if an attempt
        is made to examine its TCP options.

  7.3.6.1.1.  An explanation of TCP flags

  It is sometimes useful to allow TCP connections in one direction, but
  not the other. For example, you might want to allow connections to an
  external WWW server, but not connections from that server.

  The naive approach would be to block TCP packets coming from the
  server. Unfortunately, TCP connections require packets going in both
  directions to work at all.

  The solution is to block only the packets used to request a
  connection. These packets are called SYN packets (OK, technically they
  are packets with the SYN flag set and the RST and ACK flags cleared,
  but we call them SYN packets for short). By disallowing only these
  packets, we can stop attempted connections in their tracks.

  The `--syn' option is used for this: it is only valid for rules which
  specify TCP as their protocol. For example, to specify TCP connection
  attempts from 192.168.1.1:

       -p TCP -s 192.168.1.1 --syn

  This option can be inverted by preceding it with a `!' [Translator's
  note: `! --syn'], which means every packet other than the connection
  initiation.
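  The following is an added example, not code from the HOWTO or from the
  netfilter project: a small model of how `--tcp-flags MASK COMP' and
  `--syn' decide whether a segment matches, using the semantics given
  above (only the bits named in MASK are examined, and exactly those named
  in COMP must be set among them). The sample segments are constructed
  for illustration; the last rule evaluated is the "furtive port scanner"
  rule that appears later in the `limit' section.

```python
# Added example (not from the HOWTO): a model of iptables' --tcp-flags
# and --syn matching.  Six flag bits, the special names ALL and NONE,
# and optional `!' inversion are supported.

TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
ALL_FLAGS = sum(TCP_FLAGS.values())


def parse_flags(spec: str) -> int:
    """Turn an iptables flag list ('SYN,ACK', 'ALL', 'NONE') into a bitmask."""
    spec = spec.strip().upper()
    if spec == "ALL":
        return ALL_FLAGS
    if spec == "NONE":
        return 0
    mask = 0
    for name in spec.split(","):
        mask |= TCP_FLAGS[name]   # an unknown name raises, as iptables rejects it
    return mask


def tcp_flags_match(flags: int, mask: str, comp: str, invert: bool = False) -> bool:
    """`--tcp-flags MASK COMP`: of the bits named in MASK, exactly those
    named in COMP must be set.  Bits outside MASK are not examined at all."""
    matched = (flags & parse_flags(mask)) == parse_flags(comp)
    return matched != invert


def syn_match(flags: int, invert: bool = False) -> bool:
    """`--syn` is shorthand for `--tcp-flags SYN,RST,ACK SYN`."""
    return tcp_flags_match(flags, "SYN,RST,ACK", "SYN", invert)


# Constructed sample segments: (description, flag bits).
SAMPLE_SEGMENTS = [
    ("connection request",  TCP_FLAGS["SYN"]),
    ("server's SYN/ACK",    TCP_FLAGS["SYN"] | TCP_FLAGS["ACK"]),
    ("data segment",        TCP_FLAGS["ACK"] | TCP_FLAGS["PSH"]),
    ("bare RST (scanner)",  TCP_FLAGS["RST"]),
    ("NULL scan probe",     0),
    ("Xmas scan probe",     TCP_FLAGS["FIN"] | TCP_FLAGS["PSH"] | TCP_FLAGS["URG"]),
]


def classify(flags: int) -> dict:
    """Evaluate the flag rules discussed in this HOWTO against one segment."""
    return {
        "--syn":                           syn_match(flags),
        "! --syn":                         syn_match(flags, invert=True),
        "--tcp-flags ALL SYN,ACK":         tcp_flags_match(flags, "ALL", "SYN,ACK"),
        "--tcp-flags ALL NONE":            tcp_flags_match(flags, "ALL", "NONE"),
        "--tcp-flags SYN,ACK,FIN,RST RST": tcp_flags_match(flags, "SYN,ACK,FIN,RST", "RST"),
    }


if __name__ == "__main__":
    for desc, flags in SAMPLE_SEGMENTS:
        hits = [rule for rule, ok in classify(flags).items() if ok]
        print(f"{desc:22s} flags=0x{flags:02x}  matches: {hits}")
```

  Note that a SYN/ACK never matches `--syn', which is exactly why blocking
  only SYN packets stops inbound connection attempts without breaking the
  replies to outbound ones; and `--tcp-flags ALL NONE' is the rule shape
  that catches NULL-scan probes carrying no flags at all.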

  7.3.6.2.  UDP extensions

  These extensions are automatically loaded if `-p udp' is specified.
  They provide the options `--source-port' or `--sport' and
  `--destination-port' or `--dport', with the same details as for TCP
  above.

  7.3.6.3.  ICMP extensions

  This extension is automatically loaded if `-p icmp' is specified. It
  provides only one new option:

     --icmp-type
        Followed by an optional `!', then either an ICMP type name (e.g.
        `host-unreachable'), a numeric type (e.g. `3'), or a numeric type
        and code separated by a `/' (e.g. `3/3'). A list of the
        available ICMP type names is given by `-p icmp --help'.

  7.3.6.4.  Other match extensions

  The other extensions in the netfilter package are demonstration
  extensions which, if installed, can be invoked with the `-m' option.

     mac
        This module must be explicitly specified with `-m mac' or
        `--match mac'. It is used to match the source Ethernet (MAC)
        address of incoming packets, and is thus only useful for packets
        traversing the PREROUTING and INPUT chains. It provides only one
        option:

        --mac-source
           Followed by an optional `!', then an Ethernet address in
           colon-separated hexadecimal byte notation, e.g. `--mac-source
           00:60:08:91:CC:B7'.

     limit
        This module must be explicitly specified with `-m limit' or
        `--match limit'. It is used to restrict the rate of matches, for
        example to suppress log messages. It matches only a given number
        of times per unit of time (by default 3 matches per hour, with a
        burst of 5). It takes two optional arguments:

        --limit
           Followed by a number; specifies the maximum average number of
           matches to allow per unit of time. The number can specify the
           unit explicitly, using `/second', `/minute', `/hour' or
           `/day', or abbreviations of them (so `5/second' is the same as
           `5/s').

        --limit-burst
           Followed by a number, giving the maximum burst [Translator's
           note: a short spurt of matches at a multiple of the average
           rate] before the above limit kicks in.

        This match is often used with the LOG target to do rate-limited
        logging. To understand how it works, look at the following rule,
        which logs packets with the default limit parameters:

          # iptables -A FORWARD -m limit -j LOG

     The first time this rule is reached, the packet is logged; in fact,
     since the default burst is 5, the first five packets are logged.
     After that, twenty minutes must pass before another packet is logged
     by this rule, no matter how many packets reach it. Also, for every
     twenty minutes which pass without a packet matching, one unit of the
     burst is regained; if no packets hit the rule for 100 minutes, the
     burst is fully recharged and we are back where we started.

     Note: you cannot currently create a rule with a recharge time
     greater than about 59 hours, so if you set an average rate of one
     per day, your burst rate must be less than 3.

     You can also use this module, with a faster rate, to avoid various
     denial-of-service (DoS) attacks while keeping the system responsive.

     SYN-flood protection:

          # iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT

     Furtive port scanner:

          # iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT

     Ping of death:

          # iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

     This module works like a "hysteresis door", as shown in the graph
     below.

           rate (pkt/s)
                  ^         .---.
                  |        / DoS \
                  |       /       \
     Start of DoS-|......:.........\.......................
      = (limit *  |     /:          \
     limit-burst) |    / :           \         .-.
                  |   /  :            \       /   \
                  |  /   :             \     /     \
       End of DoS-|./....:..............:.../.......\..../.
      = limit     |/     :              :`-'         `--'
     -------------+------+--------------+------------------>  time (s)
     LOGIC ==>   Match | Didn't match |       Match

     Say we match one packet per second with an initial burst of five
     packets, and packets start coming in at four per second for three
     seconds, then stop for three seconds, then start again for another
     three seconds.

          Total  ^                    Maximum  __--      YNNN
        packets  |                    rate  __--   YNNN
                 |                    line __--   YNNN
             10  |                       __--   Y
                 |                   __--   Y
                 |               __--   Y
                 |           __--   YNNN
                 |-       YNNN
              5  |     Y
                 |    Y                          Key:  Y -> matched rule
                 |   Y                                 N -> didn't match rule
                 |  Y
                 | Y
              0  +-------------------------------------------------->  time (s)
                  0   1   2   3   4   5   6   7   8   9  10  11  12

     You can see that the first five packets are allowed to exceed one
     packet per second, and then the limiting kicks in. If there is a
     pause, another burst is allowed, but not beyond the maximum rate set
     by the rule (one packet per second once the burst is used up).
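     The following is an added example, not code from the HOWTO or from
     the netfilter project: a token-bucket model of the `limit' match as
     described above, in floating-point seconds rather than kernel
     jiffies (so it does not reproduce the kernel's integer rounding or
     the 59-hour ceiling, but the shape of the behaviour is the same). The
     arrival pattern is constructed from the graph: four packets per
     second for three seconds, a three-second pause, then three more
     seconds at four per second; a second function replays the default
     `-m limit -j LOG' rule (3/hour, burst 5).

```python
# Added example (not from the HOWTO): a model of the `limit' match's
# token bucket, written from the behaviour described in the text.

def parse_rate(spec: str) -> tuple:
    """'3/hour' -> (3, 3600.0); '5/s' -> (5, 1.0).  The unit defaults to /second,
    and any prefix of 'second', 'minute', 'hour' or 'day' is accepted."""
    units = {"second": 1.0, "minute": 60.0, "hour": 3600.0, "day": 86400.0}
    count, _, unit = spec.partition("/")
    for name, seconds in units.items():
        if name.startswith(unit):
            return int(count), seconds
    raise ValueError(f"bad rate unit in {spec!r}")


class Limit:
    """iptables -m limit --limit RATE --limit-burst BURST."""

    def __init__(self, rate: str = "3/hour", burst: int = 5, installed_at: float = 0.0):
        count, seconds = parse_rate(rate)
        self.cost = seconds / count      # seconds of credit one match consumes
        self.cap = self.cost * burst     # credit never exceeds a full burst
        self.credit = self.cap           # a freshly inserted rule starts with a full burst
        self.prev = installed_at

    def match(self, now: float) -> bool:
        # Credit accrues with elapsed time, capped at one full burst ...
        self.credit = min(self.cap, self.credit + (now - self.prev))
        self.prev = now
        # ... and a match is allowed only while a whole cost of credit remains.
        if self.credit >= self.cost:
            self.credit -= self.cost
            return True
        return False


def simulate(rate: str, burst: int, arrivals) -> list:
    """Run the match over packet arrival times (seconds, ascending)."""
    lim = Limit(rate, burst)
    return [lim.match(t) for t in arrivals]


# Constructed arrival pattern from the graph in the text.
BURSTY_ARRIVALS = [i / 4 for i in range(12)] + [6 + i / 4 for i in range(12)]


def default_log_rule() -> tuple:
    """`-m limit -j LOG` with the defaults: ten packets at once, then one
    packet just before and one at the twenty-minute mark."""
    lim = Limit()
    at_once = [lim.match(0.0) for _ in range(10)]
    return at_once, lim.match(1199.0), lim.match(1200.0)


if __name__ == "__main__":
    verdicts = simulate("1/s", 5, BURSTY_ARRIVALS)
    print("".join("Y" if v else "N" for v in verdicts), sum(verdicts), "of", len(verdicts))
    print(default_log_rule())
```

     With `1/s' and burst 5, the first five packets match, one more is
     allowed at the start of the second second because a quarter second of
     credit has already accrued, and afterwards the rule settles to one
     match per second; after the pause the bucket has refilled to four
     tokens, so a smaller burst is admitted again.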

     owner
        This module attempts to match various characteristics of the
        creator of locally generated packets. It is only valid in the
        OUTPUT chain, and even there some packets (such as ICMP ping
        responses) have no owner, and hence never match.

        --uid-owner userid
           Matches if the packet was created by a process with the given
           effective (numeric) user id.

        --gid-owner groupid
           Matches if the packet was created by a process with the given
           effective (numeric) group id.

        --pid-owner processid
           Matches if the packet was created by a process with the given
           process id.

        --sid-owner sessionid
           Matches if the packet was created by a process in the given
           session group.

     unclean
        This experimental module must be explicitly specified with
        `-m unclean' or `--match unclean'. It performs various random
        sanity checks on packets. This module has not been audited, and
        should not be used as a security device (it probably makes things
        worse, since it may well have bugs). It takes no options.

  7.3.6.5.  The state match

  The most useful match extension is provided by the `state' extension,
  which makes the connection-tracking analysis of the `ip_conntrack'
  module available in a very simple form. This is highly recommended.

  Specifying `-m state' allows an additional `--state' option, which is
  a comma-separated list of states to match (the `!' flag indicates NOT
  to match those states). These states are:

     NEW
        A packet which creates a new connection.

     ESTABLISHED
        A packet which belongs to an existing connection (i.e., a reply
        packet, or an outgoing packet on a connection which has seen
        replies).

     RELATED
        A packet which is related to, but not part of, an existing
        connection, such as an ICMP error, or (with the FTP module
        inserted) a packet establishing an ftp data connection.

     INVALID
        A packet which could not be identified for some reason: this
        includes running out of memory, and ICMP errors which do not
        correspond to any known connection. Generally these packets
        should be dropped.

  An example of this powerful match extension would be:

       # iptables -A FORWARD -i ppp0 -m state ! --state NEW -j DROP

  7.4.  Target specifications

  Now that we know what examinations we can make of a packet, we need a
  way of saying what to do with the packets which match our tests. This
  is called the rule's target.

  There are two very simple built-in targets: DROP and ACCEPT. We have
  already met them. If a rule matches a packet and its target is one of
  these two, no further rules are consulted: the packet's fate has been
  decided.

  There are two types of target other than the built-in ones: extensions
  and user-defined chains.

  7.4.1.  User-defined chains

  One powerful feature which iptables inherits from ipchains is the
  ability for the user to create new chains in addition to the three
  built-in ones (INPUT, FORWARD and OUTPUT). By convention, user-defined
  chains are written in lower case to distinguish them from the built-in
  chains (how to create a new user-defined chain is described below in
  ``Operations on an entire chain'').

  When a packet matches a rule whose target is a user-defined chain, the
  packet begins traversing the rules in that user-defined chain. If that
  chain does not decide the fate of the packet, then once traversal of
  that chain has finished, traversal resumes at the next rule in the
  current chain.

  Time for more ASCII art. Consider two (silly) chains: INPUT (the
  built-in chain) and test (a user-defined chain).

                 `INPUT'                         `test'
                ----------------------------    ----------------------------
                | Rule1: -p ICMP -j DROP   |    | Rule1: -s 192.168.1.1    |
                |--------------------------|    |--------------------------|
                | Rule2: -p TCP -j test    |    | Rule2: -d 192.168.1.1    |
                |--------------------------|    ----------------------------
                | Rule3: -p UDP -j DROP    |
                ----------------------------

  Consider a TCP packet coming from 192.168.1.1, going to 1.2.3.4. It
  enters the INPUT chain and is tested against Rule1: no match. Rule2
  matches, and its target is test, so the next rule examined is the
  first rule of test. Rule1 in test matches, but does not specify a
  target, so the next rule is examined: Rule2. This does not match, so
  we have reached the end of the chain. We return to the INPUT chain,
  where we had just examined Rule2, so we now examine Rule3, which does
  not match either.

  So the packet path is:

                                        v    __________________________
                 `INPUT'                |   /    `test'                v
                ------------------------|--/    -----------------------|----
                | Rule1                 | /|    | Rule1                |   |
                |-----------------------|/-|    |----------------------|---|
                | Rule2                 /  |    | Rule2                |   |
                |--------------------------|    -----------------------v----
                | Rule3                 /--+___________________________/
                ------------------------|---
                                        v

  User-defined chains can jump to other user-defined chains (but don't
  make loops: your packets will be dropped if they are found to be in a
  loop).
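  The following is an added example, not code from the HOWTO or from the
  netfilter project: a small model of the traversal just described, with
  the INPUT and test chains from the diagram built in `howto_example()'.
  It covers jumps into user-defined chains, rules with no target, falling
  off the end of a chain, RETURN (described further below in ``Special
  built-in targets'') and the built-in chain's policy. Only the `-p', `-s'
  and `-d' matches (with CIDR masks and `!' inversion) are modelled; the
  chain and packet values are constructed for illustration.

```python
# Added example (not from the HOWTO): a minimal model of how a packet
# walks through the chains of the filter table.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Packet:
    proto: str
    src: str
    dst: str


@dataclass
class Rule:
    proto: Optional[str] = None    # e.g. "tcp" or "! tcp"
    src: Optional[str] = None      # e.g. "192.168.1.1" or "! 10.0.0.0/8"
    dst: Optional[str] = None
    target: Optional[str] = None   # ACCEPT, DROP, RETURN, a user chain, or None


def _split_negation(spec: str):
    spec = spec.strip()
    return (True, spec[1:].strip()) if spec.startswith("!") else (False, spec)


def _addr_matches(spec: str, addr: str) -> bool:
    negated, value = _split_negation(spec)
    net = ipaddress.ip_network(value, strict=False)   # a bare address means /32
    return (ipaddress.ip_address(addr) in net) != negated


def _proto_matches(spec: str, proto: str) -> bool:
    negated, value = _split_negation(spec)
    return (value.lower() == proto.lower()) != negated


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    checks = [(rule.proto, _proto_matches, pkt.proto),
              (rule.src, _addr_matches, pkt.src),
              (rule.dst, _addr_matches, pkt.dst)]
    return all(spec is None or fn(spec, value) for spec, fn, value in checks)


class FilterTable:
    BUILTIN = ("INPUT", "FORWARD", "OUTPUT")

    def __init__(self):
        self.chains = {name: [] for name in self.BUILTIN}
        self.policy = {name: "ACCEPT" for name in self.BUILTIN}  # initial policy

    def new_chain(self, name: str) -> None:
        self.chains[name] = []

    def append(self, chain: str, rule: Rule) -> None:
        self.chains[chain].append(rule)

    def set_policy(self, chain: str, verdict: str) -> None:
        self.policy[chain] = verdict

    def _walk(self, chain: str, pkt: Packet, trace: List[str], depth: int):
        """Return ACCEPT/DROP, or None if the packet fell off the end or hit RETURN."""
        if depth > len(self.chains):        # the HOWTO: packets caught in a loop are dropped
            return "DROP"
        for pos, rule in enumerate(self.chains[chain], 1):
            if not rule_matches(rule, pkt):
                continue
            trace.append(f"{chain}:{pos}")
            if rule.target is None:         # match without a target: counted, carry on
                continue
            if rule.target in ("ACCEPT", "DROP"):
                return rule.target
            if rule.target == "RETURN":
                return None
            verdict = self._walk(rule.target, pkt, trace, depth + 1)
            if verdict is not None:         # the sub-chain decided the fate
                return verdict
        return None

    def decide(self, builtin: str, pkt: Packet, trace: Optional[List[str]] = None) -> str:
        trace = [] if trace is None else trace
        verdict = self._walk(builtin, pkt, trace, 0)
        return verdict if verdict is not None else self.policy[builtin]  # policy: built-ins only


def howto_example() -> FilterTable:
    """The INPUT and test chains drawn in the text above."""
    fw = FilterTable()
    fw.new_chain("test")
    fw.append("INPUT", Rule(proto="icmp", target="DROP"))
    fw.append("INPUT", Rule(proto="tcp", target="test"))
    fw.append("INPUT", Rule(proto="udp", target="DROP"))
    fw.append("test", Rule(src="192.168.1.1"))
    fw.append("test", Rule(dst="192.168.1.1"))
    return fw


if __name__ == "__main__":
    fw, path = howto_example(), []
    print(fw.decide("INPUT", Packet("tcp", "192.168.1.1", "1.2.3.4"), path), path)
```

  The trace records only the rules that matched, so for the packet in the
  text it reads INPUT:2 then test:1, after which the packet falls off the
  end of test, fails Rule3 of INPUT, and is left to the INPUT policy.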

  7.4.2.  Extensions to iptables: new targets

  The other type of extension is a target. A target extension consists
  of a kernel module, and an optional extension to iptables that
  provides new command-line options. There are several extensions in
  the default netfilter distribution:

     LOG
        This module provides kernel logging of matching packets. It
        provides these additional options:

        --log-level
           Followed by a level number or name. Valid names are
           (case-insensitive) `debug', `info', `notice', `warning',
           `err', `crit', `alert' and `emerg', corresponding to the
           numbers 7 through 0. See the syslog.conf man page for an
           explanation of these levels. The default is `warning'.

        --log-prefix
           Followed by a string of up to 29 characters. This message is
           put at the start of the log message, so that it can be
           uniquely identified.

        This module is most useful after a limit match, so that you
        don't flood your logs.

     REJECT
        This module has the same effect as `DROP', except that the
        sender is sent an ICMP `port unreachable' error message. Note
        that the ICMP error message is not sent if (see RFC 1122):

        o  the packet being filtered was an ICMP error message in the
           first place, or some unknown ICMP type;

        o  the packet being filtered was a non-head fragment;

        o  we have sent too many ICMP error messages to that destination
           recently (see /proc/sys/net/ipv4/icmp_ratelimit).

        REJECT also takes an optional `--reject-with' argument which
        alters the reply packet used: see the manual page.

  7.4.3.  Special built-in targets

  There are two special built-in targets: RETURN and QUEUE.

  RETURN has the same effect as falling off the end of a chain: for a
  rule in a built-in chain, the policy of the chain is executed. For a
  rule in a user-defined chain, traversal continues in the previous
  chain, just after the rule which jumped to this chain.

  QUEUE is a special target which queues the packet for userspace
  processing. For this to be useful, two further components are
  required:

  o  a "queue handler", which deals with the actual mechanics of passing
     packets between the kernel and userspace; and

  o  a userspace application to receive the packets, possibly manipulate
     them, and issue verdicts on them.

     The standard queue handler for IPv4 iptables is the ip_queue module,
     which is distributed with the kernel and marked as experimental.

  The following is a quick example of how to use iptables to queue
  packets for userspace processing:

       # modprobe iptable_filter
       # modprobe ip_queue
       # iptables -A OUTPUT -p icmp -j QUEUE

  With this rule, locally generated outgoing ICMP packets (as created
  with, say, ping) are passed to the ip_queue module, which then
  attempts to deliver them to a userspace application. If no userspace
  application is waiting, the packets are dropped.

  To write a userspace application, use the libipq API. This is
  distributed with iptables. Example code may be found in the testsuite
  tools (e.g. redirect.c) in CVS.

  The status of ip_queue may be checked via:

       /proc/net/ip_queue

  The maximum length of the queue (i.e. the number of packets delivered
  to userspace for which no verdict has yet been returned) may be
  controlled via:

       /proc/sys/net/ipv4/ip_queue_maxlen

  The default value for the maximum queue length is 1024. Once this
  limit is reached, new packets are dropped until the length of the
  queue falls below the limit again. Nice protocols such as TCP
  interpret dropped packets as congestion, and will hopefully back off
  when the queue fills up. However, it may take some experimenting to
  determine an ideal maximum queue length for a given situation if the
  default value is too small.

  7.5.  Operations on an entire chain

  A very useful feature of iptables is the ability to group related
  rules into chains. You can call the chains whatever you want, but I
  recommend using lower-case letters to avoid confusion with the
  built-in chains and targets. Chain names can be up to 31 characters
  long.

  7.5.1.  Creating a new chain

  Let's create a new chain. Because I am such an imaginative fellow,
  I'll call it test. We use the `-N' or `--new-chain' option:

  # iptables -N test
  #

  It's that simple. Now you can put rules in it, as detailed above.

  7.5.2.  Deleting a chain

  Deleting a chain is just as simple, using the `-X' or `--delete-chain'
  option. Why `-X'? Well, all the good letters were taken.

       # iptables -X test
       #

  There are a couple of restrictions on deleting chains: they must be
  empty (see ``Flushing a chain'' below) and they must not be the
  target of any rule. You cannot delete any of the three built-in
  chains.

  If you don't specify a chain, all user-defined chains are deleted, as
  far as possible.

  7.5.3.  Flushing a chain

  There is a simple way of emptying all the rules out of a chain, using
  the `-F' (or `--flush') command.

       # iptables -F FORWARD
       #

  If you don't specify a chain, all chains are flushed.

  7.5.4.  Listing a chain

  You can list all the rules in a chain by using the `-L' (or `--list')
  command.

  The `refcnt' listed for each user-defined chain is the number of rules
  which have that chain as their target. This must be zero (and the
  chain must be empty) before the chain can be deleted.

  If the chain name is omitted, all chains are listed, even empty ones.

  There are three options which can accompany `-L'. The `-n' (numeric)
  option is very useful, as it prevents iptables from trying to look up
  IP addresses, which (if you are using DNS like most people) causes
  long delays if your DNS is not set up properly or you have filtered
  out DNS requests. It also causes TCP and UDP ports to be printed as
  numbers rather than names.

  The `-v' option shows you all the details of the rules, such as the
  packet and byte counters, the TOS comparisons, and the interfaces.
  Without this option, those values are omitted.

  Note that the packet and byte counters are printed using the suffixes
  `K', `M' and `G' for 1000, 1,000,000 and 1,000,000,000 respectively.
  Using the `-x' (expand numbers) flag as well prints the full numbers,
  no matter how large they are.

  7.5.5.  Resetting (zeroing) counters

  It is useful to be able to reset the counters. This can be done with
  the `-Z' (or `--zero') option.

  Consider the following:

       # iptables -L FORWARD
       # iptables -Z FORWARD
       #

  In the above, some packets could pass through between the `-L' and
  `-Z' commands. For this reason, you can use `-L' and `-Z' together,
  to reset the counters while reading them.

  7.5.6.  Setting policy

  We glossed over what happens when a packet hits the end of a built-in
  chain when we discussed how a packet walks through the chains earlier.
  In this case, the policy of the chain determines the fate of the
  packet. Only the built-in chains (INPUT, OUTPUT and FORWARD) have
  policies, because if a packet falls off the end of a user-defined
  chain, traversal resumes in the previous chain.

  The policy can be either ACCEPT or DROP, for example:

       # iptables -P FORWARD DROP
       #

  8.  Using ipchains and ipfwadm

  There are ipchains.o and ipfwadm.o modules in the netfilter
  distribution. Insert one of them into your kernel (NB: they cannot be
  used at the same time as ip_tables.o!). Then you can use ipchains or
  ipfwadm just as you did before.

  This will be supported for some time yet, but not forever. The
  reasonable formula I have in mind is twice the time it takes from the
  replacement's first release until it is usable in a stable release.
  That probably means support will be dropped somewhere around Linux 2.6
  or 2.8.

  9.  Mixing NAT and packet filtering

  It is common to want to do Network Address Translation (see the NAT
  HOWTO [Translator's note: a Japanese translation exists]) and packet
  filtering at the same time. The good news is that they mix really,
  really well.

  You design your packet filtering completely ignoring any NAT you are
  doing. The sources and destinations seen by the packet filter are the
  real sources and destinations. For example, if you are doing DNAT
  [Translator's note: destination NAT, what is generally meant by NAT]
  to send any connections to 1.2.3.4 port 80 through to 10.1.1.1 port
  8080, the packet filter sees packets going to 10.1.1.1 port 8080 (the
  real destination), not to 1.2.3.4 port 80. Similarly, you can ignore
  masquerading: packets appear to come from their real internal IP
  addresses (say 10.1.1.1), and replies appear to go back there.

  You can use the `state' match extension without making the packet
  filter do any extra work, since NAT requires connection tracking
  anyway. To enhance the simple masquerading example in the NAT HOWTO
  so that no new connections are allowed in on the ppp0 interface, you
  would do this:

       # Masquerade out ppp0.
       iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

       # Disallow NEW and INVALID incoming or forwarded packets from ppp0.
       iptables -A INPUT -i ppp0 -m state --state NEW,INVALID -j DROP
       iptables -A FORWARD -i ppp0 -m state --state NEW,INVALID -j DROP

       # Turn on IP forwarding.
       echo 1 > /proc/sys/net/ipv4/ip_forward

  10.  Differences between iptables and ipchains

  o  Firstly, the names of the built-in chains have changed to upper
     case, because the INPUT and OUTPUT chains now only see
     locally-destined and locally-generated packets respectively. They
     used to see all incoming and all outgoing packets.

  o  The `-i' flag now means the input interface, and only works in the
     INPUT and FORWARD chains. Rules in the FORWARD or OUTPUT chains
     that used `-i' should be changed to `-o'.

  o  TCP and UDP ports now need to be spelled out with the
     --source-port or --sport (or --destination-port/--dport) options,
     and must be placed after the `-p tcp' or `-p udp' option, which
     loads the TCP or UDP extension respectively.

  o  The TCP -y flag is now --syn, and must come after `-p tcp'.

  o  The DENY target is finally DROP.

  o  Zeroing single chains while listing them works.

  o  Zeroing built-in chains also clears the policy counters
     [Translator's note: the packet and byte counts of packets to which
     the policy was applied].

  o  Listing chains gives you the counters as an atomic snapshot.

  o  REJECT and LOG are now extended targets, meaning that they are
     separate kernel modules.

  o  Chain names can be up to 31 characters.

  o  MASQ is now MASQUERADE and uses a different syntax. REDIRECT,
     while keeping the same name, has also undergone a syntax change.
     See the NAT HOWTO for more information on how to configure these.

  o  The -o option is no longer used to direct packets to the userspace
     device (see -i above). Packets are now sent to userspace via the
     QUEUE target.

  o  Probably heaps of other things I have forgotten.

  11.  Advice on packet filter design

  The common wisdom in the computer security world is to block
  everything, then open holes as necessary. This is usually termed
  "that which is not explicitly allowed is denied". I recommend this
  approach if security is your highest concern.

  Don't run any services that you don't need to, even if you think you
  have blocked access to them.

  If you are building a dedicated firewall, start with running nothing
  and blocking all packets, then add services and let packets through
  as required.

  I recommend security in depth: combine TCP Wrappers (for connections
  to the packet filter itself), proxies (for connections passing
  through the packet filter) [Translator's note: "the packet filter"
  here is best read as the Linux box of this HOWTO], route
  verification, and packet filtering. Route verification is where a
  packet arriving on an unexpected interface is dropped [Translator's
  note: see the kernel configuration option CONFIG_IP_ADVANCED_ROUTER]:
  for example, if your internal network has the addresses 10.1.1.0/24
  and a packet with a source address in that network comes in on the
  external interface, it is dropped. This can be enabled for one
  interface (ppp0) like so:

       # echo 1 > /proc/sys/net/ipv4/conf/ppp0/rp_filter
       #

  Or for all existing and future interfaces like so:

       # for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
       #     echo 1 > $f
       # done
       #

  Debian does this by default where possible. If you have asymmetric
  routing (i.e. you expect packets to come in from strange directions),
  you will want to disable this filtering on those interfaces.

  Logging is useful when setting up a firewall, for working out where
  something isn't working, but on a production firewall always combine
  it with the `limit' match, so that nobody can flood your logs.

  I highly recommend connection tracking for secure systems: it
  introduces some overhead, since all connections are tracked, but is
  very useful for controlling access to your network. You may need to
  load the `ip_conntrack.o' module if your kernel does not autoload
  modules and it is not built into the kernel. If you want accurate
  tracking of complex protocols, you need to load the appropriate
  helper module (e.g. `ip_conntrack_ftp.o').

       # iptables -N no-conns-from-ppp0
       # iptables -A no-conns-from-ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
       # iptables -A no-conns-from-ppp0 -m state --state NEW -i ! ppp0 -j ACCEPT
       # iptables -A no-conns-from-ppp0 -i ppp0 -m limit -j LOG --log-prefix "Bad packet from ppp0:"
       # iptables -A no-conns-from-ppp0 -i ! ppp0 -m limit -j LOG --log-prefix "Bad packet not from ppp0:"
       # iptables -A no-conns-from-ppp0 -j DROP

       # iptables -A INPUT -j no-conns-from-ppp0
       # iptables -A FORWARD -j no-conns-from-ppp0

  Building a good firewall is beyond the scope of this HOWTO, which is a
  minimalist's treatment of the subject. If you need more than the
  advice to test what you set up every day, see the Security HOWTO.

  12.  About the Japanese translation

  The original of this document and the related HOWTOs are on the
  Netfilter Project ``web site''. One specific location of the original
  is <http://netfilter.samba.org/unreliable-
  guides/packet-filtering-HOWTO.linuxdoc.sgml>. The document is also
  managed in CVS; for the latest version and updates, see
  <http://cvs.samba.org/cgi-bin/cvsweb/netfilter/HOWTO/> and below.

  The following people gave advice on translating this document.
  Thank you very much.

  o  <ysenda@pop01.odn.ne.jp>

  o  <hiro@atm.ox.ac.uk>

  o  <isao@m05.htmnet.ne.jp>

  o  Konkiti <konkiti@lares.dti.ne.jp>

  o  <daisuke@terra.dti.ne.jp>

  o  <takei@webmasters.gr.jp>

  Japanese translation: 20 September 2000, <h-yamamo@db3.so-net.ne.jp>
         2nd edition: 13 August 2001
         3rd edition: 16 August 2001
         4th edition: 20 January 2002

