1 <!doctype linuxdoctr system>
3 <!-- This is the Linux Packet Filtering HOWTO.
6 <!-- $Id: packet-filtering-HOWTO.sgml,v 1.24 2002/01/14 09:35:13 laforge Exp $ -->
10 <!-- Title information -->
12 <title>Linux 2.4 Packet Filtering HOWTO
13 <author>Rusty Russell, mailing list <tt>netfilter@lists.samba.org</tt>
14 <date>$Revision: 1.24 $ $Date: 2002/01/14 09:35:13 $
16 <trans>ÆüËܸìÌõ: »³¿¹ ¹À¹¬ (<tt>h-yamamo@db3.so-net.ne.jp</tt>)
17 <tdate>v1.24j Jan. 20, 2002
21 This document describes how to use iptables to filter out bad packets
22 for the 2.4 Linux kernels.
24 ¤³¤Îʸ½ñ¤Ï¡¢2.4·Ï Linux ¥«¡¼¥Í¥ë¤Ë¤ª¤±¤ë¡¢ÉÔÅö¤Ê¥Ñ¥±¥Ã¥È¤ò¥Õ¥£¥ë¥¿¡¼¥¢¥¦¥È
25 ¤¹¤ë iptables ¤Î»È¤¤Êý¤Ë¤Ä¤¤¤Æ½Ò¤Ù¤Æ¤¤¤Þ¤¹¡£
28 <!-- Table of contents -->
31 <!-- Begin the document -->
34 <sect>Introduction<label id="intro">
36 <sect>¤Ï¤¸¤á¤Ë<label id="intro">
40 Welcome, gentle reader.
42 ¤è¤¦¤³¤½¡¢ÆɼԤΤߤʤµ¤ó¡£
46 It is assumed you know what an IP address, a network address, a
47 netmask, routing and DNS are. If not, I recommend that you read the
48 Network Concepts HOWTO.
50 ¤³¤³¤Ç¤Ï¡¢IP ¥¢¥É¥ì¥¹¡¢¥Í¥Ã¥È¥ï¡¼¥¯¥¢¥É¥ì¥¹¡¢¥Í¥Ã¥È¥Þ¥¹¥¯¡¢¥ë¡¼¥Æ¥£¥ó¥°
51 ¤½¤·¤Æ DNS ¤¬²¿¤Ç¤¢¤ë¤«ÃΤäƤ¤¤ë¤³¤È¤òÁ°Äó¤Ë¤·¤Æ¤¤¤Þ¤¹¡£¤â¤·¡¢Ê¬¤«¤é¤Ê¤¤
52 ¤Î¤Ç¤¢¤ì¤Ð¡¢Network Concepts HOWTO (ÌõÃí: ¤³¤Îʸ½ñ¤Î¸¶Ê¸¤¬
53 ¸ø³«¤µ¤ì¤Æ¤¤¤ë¾ì½ê¤Ë¤¢¤ë Linux Networking-concepts HOWTO)
54 ¤òÆɤळ¤È¤ò¤ª´«¤á¤·¤Þ¤¹¡£
58 This HOWTO flips between a gentle introduction (which will leave you
59 feeling warm and fuzzy now, but unprotected in the Real World) and raw
60 full-disclosure (which would leave all but the hardiest souls
61 confused, paranoid and seeking heavy weaponry).
63 ¤³¤Î HOWTO ¤Ï 2¤Ä¤Î´é¤ò»ý¤Ã¤Æ¤¤¤Þ¤¹¡£¤ä¤µ¤·¤¤ÆþÌç½ñÉ÷¤Î²Õ½ê¤Ç¤Ï¡¢ÆɼԤò
64 ²¿¤È¤Ê¤¯°Â¿´¤µ¤»¤Þ¤¹¤¬¡¢¸½¼ÂÀ¤³¦¤Î¸·¤·¤µ¤Ë¤Ïµ¤ÉÕ¤«¤Ê¤¤¤Þ¤Þ¤Ç¤¹¡£
65 ¤·¤«¤·¡¢ºÙÉô¤Þ¤Ç¤à¤½Ð¤·¤Ë¤·¤Æ±£¤µ¤º¤ËÅÁ¤¨¤è¤¦¤È¤¹¤ë²Õ½ê¤Ç¤Ï¡¢Å°ÄìÍý²ò
66 ¤Ë¶Ð¤á¤Ê¤¤ÆɼԤòº®Í𤵤»¡¢É԰¤ˤ·¡¢Å°ÄìÉðÁõ¤µ¤»¤Æ¤·¤Þ¤¦¤³¤È¤Ç¤·¤ç¤¦¡£
70 Your network is not <bf>secure</bf>. The problem of allowing rapid,
71 convenient communication while restricting its use to good, and not
72 evil intents is congruent to other intractable problems such as
73 allowing free speech while disallowing a call of ``Fire!'' in a
74 crowded theater. It will not be solved in the space of this HOWTO.
76 ¤¢¤Ê¤¿¤Î¥Í¥Ã¥È¥ï¡¼¥¯¤Ï·è¤·¤Æ<bf>°ÂÁ´</bf>¤Ç¤Ï¤¢¤ê¤Þ¤»¤ó¡£¹â®¤Ç
77 ÊØÍø¤ÊÄÌ¿®¤ò³ÎÊݤ·¤Æ¡¢¤½¤ì¤òÁ±ÎɤÊÍøÍѼԤˤÀ¤±Ä󶡤·¡¢¤·¤«¤â°°Õ
78 ¤Î¤¢¤ë¼Ô¤òÄù¤á½Ð¤½¤¦¤È¸À¤¦¤Î¤Ï¡¢¿ô¤¢¤ë¼ê¤ËÉ館¤Ê¤¤ÌäÂê¤Î 1¤Ä¤Ç¤¹¡£
79 Î㤨¤Ð¡¢¸ÀÏÀ¤Î¼«Í³¤òÊݾڤ·¤Ê¤¬¤é¤âËþ°÷¤Î±Ç²è´Û¤Ç¡Ö²Ð»ö¤À¡¼¡ª¡×¤Ê¤É
80 ¤È¶«¤Ó½Ð¤¹´í¸±¤Ê¸ÀÆ°¤ò¶Ø¤¸¤è¤¦¤È¤¹¤ë¤Î¤ÈƱ¤¸¤³¤È¤Ç¤¹¡£
81 ¤³¤Î HOWTO ¤Ç¤Ï¡¢¤½¤¦¤·¤¿ÌäÂê¤Î²ò·èÊýË¡¤Ë¤Ä¤¤¤Æ¤Þ¤Ç²òÀ⤹¤ë¥¹¥Ú¡¼¥¹
83 <!-- Â裱ʸ¤ÏÆɼԤËÃí°Õ¤ò¸þ¤±¤Æ¤¤¤ë¤È¹Í¤¨Ä¾ÌõÉ÷¤Î¤Þ¤Þ¤Ë¤·¤Þ¤·¤¿¡£
84 rapid ¤Ï¹â®¤Ê¤Î¤«¼ê´Ö¤¤¤é¤º¤Ê¤Î¤«Ê¬¤«¤ê¤Þ¤»¤ó¡£-->
88 So only you can decide where the compromise will be. I will try to
89 instruct you in the use of some of the tools available and some
90 vulnerabilities to be aware of, in the hope that you will use them for
91 good, and not evil purposes. Another equivalent problem.
93 ¤Ç¤¹¤«¤é¡¢¤É¤³¤ÇÂŶ¨¤¹¤ë¤«¤ò·è¤á¤é¤ì¤ë¤Î¤Ï¡¢¤¢¤Ê¤¿¼«¿È¤À¤±¤Ê¤Î¤Ç¤¹¡£
94 °Ê²¼¤Ç¤Ï¡¢Í¸ú¤Ê¤¤¤¯¤Ä¤«¤Î¥Ä¡¼¥ë¤ò¾Ò²ð¤·¡¢ÃΤäƤª¤¯¤Ù¤¼åÅÀ¤Ê¤É¤ò
95 Ãí°Õ¤·¤Æ¤¤¤¤Þ¤¹¡£¤³¤ì¤é¤ò°ÍѤ¹¤ë¤³¤È¤Ê¤¯¡¢Àµ¤·¤¤ÌÜŪ¤Î¤¿¤á¤Ë»È¤Ã¤Æ
96 ¤¯¤À¤µ¤¤¡£¤³¤Î¤è¤¦¤ÊÏäò¤¹¤ë¤³¤È¼«ÂΤ⡢°ÍѤβÄǽÀ¤¬»Ä¤Ã¤Æ¤·¤Þ¤¦
98 <!-- Â裲ʸ: available ¤À¤¬ vulnerabilities ¤È¹Í¤¨¤Þ¤·¤¿¡£-->
100 <p>(C) 2000 Paul `Rusty' Russell. Licenced under the GNU GPL.
103 <sect>Where is the official Web Site? Is there a Mailing List?
105 <sect>¸ø¼°¥¦¥§¥Ö¥µ¥¤¥È¤Ï¤É¤³¤Ë¤¢¤ê¤Þ¤¹¤«? ¥á¡¼¥ê¥ó¥°¥ê¥¹¥È¤Ï¤¢¤ê¤Þ¤¹¤«?
109 <p>There are three official sites:
111 <p>3¤Ä¤Î¸ø¼°¥µ¥¤¥È¤¬¤¢¤ê¤Þ¤¹:
114 <item>Thanks to <url url="http://netfilter.filewatcher.org/" name="Filewatcher">.
115 <item>Thanks to <url url="http://netfilter.samba.org/" name="The Samba Team and SGI">.
116 <item>Thanks to <url url="http://netfilter.gnumonks.org/" name="Harald Welte">.
118 <item><url url="http://netfilter.filewatcher.org/" name="Filewatcher">
120 <item><url url="http://netfilter.samba.org/" name="Samba ¥Á¡¼¥à¤È SGI">
122 <item><url url="http://netfilter.gnumonks.org/" name="Harald Welte">
126 <p> You can reach all of them using round-robin DNS via
127 <url url="http://www.netfilter.org/"> and <url url="http://www.iptables.org">
130 <url url="http://www.netfilter.org/"> ¤È <url url="http://www.iptables.org/">
131 ¤«¤é¡¢¥é¥¦¥ó¥É¥í¥Ó¥ó DNS ¤ò»²¾È¤·¤ÆÅþã¤Ç¤¤Þ¤¹¡£
134 <p>For the official netfilter mailing list, see
136 <p>¸ø¼° netfilter ¥á¡¼¥ê¥ó¥°¥ê¥¹¥È¤Ï¤³¤Á¤é:
138 <url url="http://www.netfilter.org/contact.html#list"> name="netfilter List">.
140 <url url="http://www.netfilter.org/contact.html#list" name="netfilter ¥ê¥¹¥È">
144 <sect>So What's A Packet Filter?
146 <sect>¤½¤ì¤Ç¡¢¥Ñ¥±¥Ã¥È¥Õ¥£¥ë¥¿¡¼¤Ã¤Æ²¿¤Ç¤¹¤«?
150 A packet filter is a piece of software which looks at the
151 <em>header</em> of packets as they pass through, and decides the fate
152 of the entire packet. It might decide to <bf>DROP</bf> the packet
153 (i.e., discard the packet as if it had never received it),
154 <bf>ACCEPT</bf> the packet (i.e., let the packet go through), or
155 something more complicated.
157 ¥Ñ¥±¥Ã¥È¥Õ¥£¥ë¥¿¡¼¤È¤¤¤¦¤Î¤Ï¡¢Î®¤ì¤Æ¹Ô¤¯¥Ñ¥±¥Ã¥È¤Î<em>¥Ø¥Ã¥À¡¼</em>
158 ¤òÆɤó¤Ç¡¢¤½¤Î¥Ñ¥±¥Ã¥È¤Î±¿Ì¿¤ò·è¤á¤ë¥½¥Õ¥È¥¦¥§¥¢¤Ç¤¹¡£
159 ¥Ñ¥±¥Ã¥È¤ò <bf>DROP</bf>(¤Þ¤ë¤Ç¼õ¤±¼è¤Ã¤Æ¤¤¤Ê¤¤¤«¤Î¤è¤¦¤ËÇË´þ)¤·¤¿¤ê¡¢
160 <bf>ACCEPT</bf> (¥Ñ¥±¥Ã¥È¤òÄ̲ᤵ¤»¤ë)¤·¤¿¤ê¡¢ÀßÄê¤Ë¤è¤Ã¤Æ¤Ï
161 ¤â¤Ã¤ÈÊ£»¨¤Ê½èÍý¤ò¤·¤¿¤ê¤·¤Þ¤¹¡£
162 <!-- ¤ä¤Ï¤ê¸¶Ê¸¤Ë¶á¤¯¤Ê¤ë¤è¤¦¤Ë¤·¤Þ¤·¤¿¡£-->
166 Under Linux, packet filtering is built into the kernel (as a kernel
167 module, or built right in), and there are a few trickier things we can
168 do with packets, but the general principle of looking at the headers
169 and deciding the fate of the packet is still there.
171 Linux ¤Ë¤ª¤¤¤Æ¡¢¥Ñ¥±¥Ã¥È¥Õ¥£¥ë¥¿¥ê¥ó¥°¤Ï¥«¡¼¥Í¥ë¤ËÁȤ߹þ¤Þ¤ì¤Æ
172 (¥«¡¼¥Í¥ë¥â¥¸¥å¡¼¥ë¤È¤·¤Æ¡¢¤Þ¤¿¤Ïľ¤ËÁȤ߹þ¤Þ¤ì¤Æ)¤¤¤Þ¤¹¡£
173 ¥Ñ¥±¥Ã¥È¤ËÂФ·¤Æ¿¾¯¤Î¶Ê·ÝŪ¤Ê¤³¤È¤â¤Ç¤¤Þ¤¹¤¬¡¢¥Ñ¥±¥Ã¥È¤Î¥Ø¥Ã¥À¡¼
174 ¤ò¸«¤Æ¤½¤Î±¿Ì¿¤ò·èÄꤹ¤ë¤È¸À¤¦°ìÈ̸¶Â§¤¬¾ï¤Ë¤¢¤ê¤Þ¤¹¡£
177 <sect1>Why Would I Want to Packet Filter?
179 <sect1>¤Ê¤¼¡¢¥Ñ¥±¥Ã¥È¥Õ¥£¥ë¥¿¡¼¤¬É¬ÍפʤΤǤ·¤ç¤¦?
183 Control. Security. Watchfulness.
185 ¥³¥ó¥È¥í¡¼¥ë¡£¥»¥¥å¥ê¥Æ¥£¡£´Æ»ë¡£
190 <tag/Control:/ when you are using a Linux box to connect your internal
191 network to another network (say, the Internet) you have an opportunity
192 to allow certain types of traffic, and disallow others. For example,
193 the header of a packet contains the destination address of the packet,
194 so you can prevent packets going to a certain part of the outside
195 network. As another example, I use Netscape to access the Dilbert
196 archives. There are advertisements from doubleclick.net on the page,
197 and Netscape wastes my time by cheerfully downloading them.
198 Telling the packet filter not to allow any packets to or from the
199 addresses owned by doubleclick.net solves that problem (there are
200 better ways of doing this though: see Junkbuster).
202 <tag/¥³¥ó¥È¥í¡¼¥ë:/¤¢¤Ê¤¿¤¬ Linux ¥Ü¥Ã¥¯¥¹¤òÆâÉô¤Î¥Í¥Ã¥È¥ï¡¼¥¯¤ÈÊ̤Î
203 ¥Í¥Ã¥È¥ï¡¼¥¯(Î㤨¤Ð¡¢¥¤¥ó¥¿¡¼¥Í¥Ã¥È)¤ò·Ò¤°¤¿¤á¤Ë»È¤Ã¤Æ¤¤¤ë¤Ê¤é¡¢
204 ¤¢¤Ê¤¿¤Ë¤Ï¡¢ÆÃÄê¤Î¥È¥é¥Õ¥£¥Ã¥¯¤À¤±µö²Ä¤·¤Æ¡¢Â¾¤Î¤â¤Î¤òµö¤µ¤Ê¤¤¤è¤¦¤Ë
205 ¤¹¤ë¥Á¥ã¥ó¥¹¤¬¤¢¤ê¤Þ¤¹¡£Î㤨¤Ð¡¢¥Ñ¥±¥Ã¥È¤Î¥Ø¥Ã¥À¡¼¤Ë¤Ï¤¢¤ÆÀ襢¥É¥ì¥¹
206 ¤¬´Þ¤Þ¤ì¤Æ¤¤¤Æ¡¢³°Éô¥Í¥Ã¥È¥ï¡¼¥¯¤Î¤È¤¢¤ë½ê¤Ø¸þ¤«¤¦¥Ñ¥±¥Ã¥È¤òµñÈݤ¹¤ë
207 ¤³¤È¤¬¤Ç¤¤Þ¤¹¡£Ê̤ÎÎã¤È¤·¤Æ¡¢Netscape ¤ò»È¤Ã¤Æ Dilbert ¤Î¥¢¡¼¥«¥¤¥Ö
208 (ÌõÃí: Dilbert ¤È¤¤¤¦¥¨¥ó¥¸¥Ë¥¢¤¬¼ç¿Í¸ø¤ÎÉ÷»ÉÌ¡²è¤Î¥µ¥¤¥È¡¢¤Á¤Ê¤ß¤Ë
209 dilbert ¤Î°ÕÌ£¤Ï¡Æ¤Ð¤«¡Ç)
210 ¤Ë¥¢¥¯¥»¥¹¤¹¤ë¾ì¹ç¤Ç¤¹¡£¥Ú¡¼¥¸¤Ë¤Ï doubleclick.net ¤Î¹¹ð¤¬¤¢¤ê¡¢
211 Netscape ¤Ï¤½¤ì¤ò¤¤¤½¤¤¤½¤È¥À¥¦¥ó¥í¡¼¥É¤¹¤ë¤¿¤á¤Ë»ä¤Î»þ´Ö¤òϲÈñ¤·¤Þ¤¹¡£
212 ¥Ñ¥±¥Ã¥È¥Õ¥£¥ë¥¿¡¼¤Ë doubleclick.net ½êͤΥ¢¥É¥ì¥¹¤«¤é¤Î¤É¤ó¤Ê
213 ¥Ñ¥±¥Ã¥È¤âµö²Ä¤·¤Ê¤¤¤è¤¦¤Ë»Ø¼¨¤¹¤ì¤ÐÌäÂê¤Ï²ò·è¤·¤Þ¤¹(¤â¤Ã¤È¤¤¤¤ÊýË¡¤¬
214 ¤¢¤ê¤Þ¤¹¤±¤ì¤É: Junkbuster(ÌõÃí: http://internet.junkbuster.com) ¤ò
216 <!-- destination ¤ÎÌõ¤È¤·¤Æ¡¢Á÷¿®Àè¡¢½ªÅÀ¡¢¤Ê¤É¤¢¤ê¤Þ¤¹¤¬¡¢
217 ¤¢¤ÆÀè¤È¤·¤Þ¤·¤¿¡£-->
220 <tag/Security:/ when your Linux box is the only thing between the
221 chaos of the Internet and your nice, orderly network, it's nice to
222 know you can restrict what comes tromping in your door. For example,
223 you might allow anything to go out from your network, but you might be
224 worried about the well-known `Ping of Death' coming in from malicious
225 outsiders. As another example, you might not want outsiders
226 telnetting to your Linux box, even though all your accounts have
227 passwords. Maybe you want (like most people) to be an observer on the
228 Internet, and not a server (willing or otherwise). Simply don't let
229 anyone connect in, by having the packet filter reject incoming packets
230 used to set up connections.
232 <tag/¥»¥¥å¥ê¥Æ¥£:/¤¢¤Ê¤¿¤Î Linux ¥Ü¥Ã¥¯¥¹¤¬¥¤¥ó¥¿¡¼¥Í¥Ã¥È¤Îº®Æ٤ȡ¢
233 ¥Ê¥¤¥¹¤ÇÃá½øÀµ¤·¤¤¤¢¤Ê¤¿¤Î¥Í¥Ã¥È¥ï¡¼¥¯¤Î´Ö¤Ë¤¢¤ëÍ£°ì¤Îʪ¤Ê¤é¡¢
234 ¤¹¤Ð¤é¤·¤¤¤³¤È¤Ë¡¢¤¢¤Ê¤¿¤Ï²¥¤ê¤Ë¤ä¤Ã¤ÆÍè¤ë¼Ô¤ò¥É¥¢¤Î¤È¤³¤í¤ÇÀ©¸Â¤¹¤ë
235 ¤³¤È¤¬¤Ç¤¤Þ¤¹¡£Î㤨¤Ð¡¢¤¢¤Ê¤¿¤Î¥Í¥Ã¥È¥ï¡¼¥¯¤«¤é½Ð¤Æ¹Ô¤¯¤â¤Î¤Ï²¿¤Ç¤â
236 µö¤¹¤è¤¦¤Ë¤·¤Æ¡¢°°Õ¤Î¤¢¤ë³°Éô¤«¤é¤Î¤è¤¯ÃΤé¤ì¤¿ `Ping of Death' ¹¶·â
237 ¤òµ¤¤Ë³Ý¤±¤ë¤è¤¦¤Ë¤Ç¤¤Þ¤¹¡£Ê̤ÎÎã¤È¤·¤Æ¡¢¤¢¤Ê¤¿¤Î Linux ¥Ü¥Ã¥¯¥¹¤Ë¡¢
238 ¤¿¤È¤¨Á´¤Æ¤Î¥¢¥«¥¦¥ó¥È¤Ë¥Ñ¥¹¥ï¡¼¥É¤¬ÉÕ¤¤¤Æ¤¤¤ë¤È¤·¤Æ¤â¡¢³°Éô¤Î¼Ô¤¬
239 telnet ¤·¤Æ¤¯¤ë¤³¤È¤ò˾¤Þ¤Ê¤¤¤«¤â¤·¤ì¤Þ¤»¤ó¡£¤¿¤Ö¤ó¡¢¤¢¤Ê¤¿¤Ï
240 (¤¿¤¤¤Æ¤¤¤Î¿Í¡¹¤Î¤è¤¦¤Ë)¥¤¥ó¥¿¡¼¥Í¥Ã¥È¤ò¤¿¤Àį¤á¤Æ¤¤¤¿¤¤¤À¤±¤Ç¡¢
241 ¥µ¡¼¥Ð¡¼¤Ë(¹¥¤à¤È¹¥¤Þ¤º¤Ë¤«¤«¤ï¤é¤º)¤Ê¤ê¤¿¤¯¤Ê¤¤¤Î¤Ç¤¹¡£Ã±½ã¤Ë¡¢
242 ¥Ñ¥±¥Ã¥È¥Õ¥£¥ë¥¿¡¼¤ÇÀܳ¤ò³«»Ï¤¹¤ë¥Ñ¥±¥Ã¥È¤ÎήÆþ¤òµñÈݤ·¤Æ¡¢¤À¤ì¤Ë¤â
243 Àܳ¤µ¤ì¤Ê¤¤¤è¤¦¤Ë¤·¤Æ¤¯¤À¤µ¤¤¡£
246 <tag/Watchfulness:/ sometimes a badly configured machine on the local
247 network will decide to spew packets to the outside world. It's nice
248 to tell the packet filter to let you know if anything abnormal occurs;
249 maybe you can do something about it, or maybe you're just curious by
252 <tag/´Æ»ë:/¤È¤¤É¤¥í¡¼¥«¥ë¥Í¥Ã¥È¥ï¡¼¥¯Ãæ¤Ë´Ä¶ÀßÄê¤Î°¤¤¥Þ¥·¥ó¤¬¤¢¤ê¡¢
253 ³°¤ÎÀ¤³¦¤Ë¥Ñ¥±¥Ã¥È¤¬Ï³¤ì½Ð¤ë¤è¤¦¤Ë¤Ê¤Ã¤Æ¤¤¤ë¤³¤È¤¬¤¢¤ê¤Þ¤¹¡£
254 ¤¹¤Ð¤é¤·¤¤¤³¤È¤Ë¡¢¥Ñ¥±¥Ã¥È¥Õ¥£¥ë¥¿¡¼¤Ï²¿¤«°Û¾ï¤Ê¤³¤È¤¬µ¯¤³¤Ã¤¿¤È¤¤Ë
255 ¤¢¤Ê¤¿¤ËÃΤ餻¤Æ¤¯¤ì¤Þ¤¹¡£¤¿¤Ö¤ó¤¢¤Ê¤¿¤Ï²¿¤é¤«¤ÎÂн褬¤Ç¤¤ë¤Ç¤·¤ç¤¦¤·¡¢
256 ¤¢¤ë¤¤¤Ï¤¢¤Ê¤¿¤ÎÀ¼Á¾å¡¢Ã±¤Ë¶½Ì£¤ò»ý¤Ä¤À¤±¤«¤â¤·¤ì¤Þ¤»¤ó¡£
260 <sect1>How Do I Packet Filter Under Linux?<label id="filter-linux">
262 <sect1>Linux ¤Ç¥Ñ¥±¥Ã¥È¥Õ¥£¥ë¥¿¡¼¤Ï¤É¤Î¤è¤¦¤Ë¤ä¤ë¤Î?<label id="filter-linux">
265 <p>Linux kernels have had packet filtering since the 1.1 series. The
266 first generation, based on ipfw from BSD, was ported by Alan Cox in
267 late 1994. This was enhanced by Jos Vos and others for Linux 2.0; the
268 userspace tool `ipfwadm' controlled the kernel filtering rules. In
269 mid-1998, for Linux 2.2, I reworked the kernel quite heavily, with the
270 help of Michael Neuling, and introduced the userspace tool `ipchains'.
271 Finally, the fourth-generation tool, `iptables', and another kernel
272 rewrite occurred in mid-1999 for Linux 2.4. It is this iptables which
273 this HOWTO concentrates on.
275 <p>Linux ¥«¡¼¥Í¥ë¤Ë¤Ï 1.1·Ï¤«¤é¥Ñ¥±¥Ã¥È¥Õ¥£¥ë¥¿¥ê¥ó¥°¤¬¤¢¤ê¤Þ¤·¤¿¡£
276 Âè1À¤Âå¤Ï¡¢1994ǯ¸å´ü¤Ë Alan Cox ¤Ë¤è¤ê¡¢BSD ¤Î ipfw ¤ò´ðÁäˤ·¤Æ
277 °Ü¿¢¤µ¤ì¤Þ¤·¤¿¡£Linux 2.0 ¤Ç¤Ï¡¢Jos Vos ¤ò½é¤á¤È¤¹¤ë¿Íã¤Ë¤è¤ê³ÈÄ¥
278 ¤µ¤ì¡¢¥«¡¼¥Í¥ë¤Î¥Õ¥£¥ë¥¿¥ê¥ó¥°¥ë¡¼¥ë¤ò¥³¥ó¥È¥í¡¼¥ë¤¹¤ë¥æ¡¼¥¶¶õ´Ö¥Ä¡¼¥ë
279 `ipfwadm' ¤¬À¸¤Þ¤ì¤Þ¤·¤¿¡£1998ǯÃæ´ü¡¢Linux 2.2 ¤Ç¤Ï¡¢»ä¤Ï
280 Michael Neuling ¤Î±ç½õ¤òÆÀ¤Æ¥«¡¼¥Í¥ë¤òÁ´¤¯¤É¤Ã¤µ¤ê¤Èºî¤êľ¤·¡¢
281 ¥æ¡¼¥¶¶õ´Ö¥Ä¡¼¥ë `ipchains' ¤òƳÆþ¤·¤Þ¤·¤¿¡£ºÇ½ªÅª¤Ë¡¢1999ǯÃæ´ü¡¢
282 Linux 2.4 ¤Ç¤Ï¡¢Âè4À¤Âå¥Ä¡¼¥ë `iptables' ¤È¥«¡¼¥Í¥ë¤ÎÊ̤ÎÉôʬ¤ò
283 ½ñ¤´¹¤¨¤Þ¤·¤¿¡£¤³¤Î HOWTO ¤¬½¸Ã椷¤Æ½Ò¤Ù¤Æ¤¤¤ë¤Î¤Ï¤³¤Î iptables
288 You need a kernel which has the netfilter infrastructure in it:
289 netfilter is a general framework inside the Linux kernel which other
290 things (such as the iptables module) can plug into. This means you
291 need kernel 2.3.15 or beyond, and answer `Y' to CONFIG_NETFILTER in
292 the kernel configuration.
294 netfilter ¤È¤¤¤¦´ðÈפò»ý¤Ã¤¿¥«¡¼¥Í¥ë¤¬É¬ÍפǤ¹ ¡½ Linux ¥«¡¼¥Í¥ë
295 ¤Ë¤ÏÄɲõ¡Ç½(Î㤨¤Ð iptables ¥â¥¸¥å¡¼¥ë)¤òº¹¤·¹þ¤à¤³¤È¤¬¤Ç¤¤Þ¤¹¤¬¡¢
296 netfilter ¤Ï¤³¤Î°ìÈÌŪ¤ÊÏÈÁȤߤÎÃæ¤Ë´Þ¤Þ¤ì¤Æ¤¤¤Þ¤¹¡£¤³¤ì¤Ï¡¢
297 ¥«¡¼¥Í¥ë 2.3.15 ¤«¤½¤ì°Ê¹ß¤¬É¬Íפǡ¢¥«¡¼¥Í¥ë¥³¥ó¥Õ¥£¥®¥å¥ì¡¼¥·¥ç¥ó
298 ¤Î CONFIG_NETFILTER ¤Ë `Y' ¤ÈÅú¤¨¤ëɬÍפ¬¤¢¤ê¤Þ¤¹¡£
302 The tool <tt>iptables</tt> talks to the kernel and tells it what
303 packets to filter. Unless you are a programmer, or overly curious,
304 this is how you will control the packet filtering.
306 <tt>iptables</tt> ¤È¤¤¤¦¥Ä¡¼¥ë¤Ï¡¢¥«¡¼¥Í¥ë¤ËÏ䫤±¤Æ¡¢¥«¡¼¥Í¥ë¤¬¤É¤Î
307 ¥Ñ¥±¥Ã¥È¤ò¥Õ¥£¥ë¥¿¡¼¤¹¤Ù¤¤«¤òÅÁ¤¨¤ë¤â¤Î¤Ç¤¹¡£¥×¥í¥°¥é¥Þ¡¼¤äÆä˹¥´ñ¿´
308 ²¢À¹¤Ê¿Í¤ÏÊ̤Ǥ¹¤¬¡¢ÉáÄ̤Ϥ³¤ì¤ò»È¤Ã¤Æ¥Ñ¥±¥Ã¥È¥Õ¥£¥ë¥¿¡¼¤ò¥³¥ó¥È¥í¡¼¥ë
315 The <tt>iptables</tt> tool inserts and deletes rules from the kernel's
316 packet filtering table. This means that whatever you set up, it will
317 be lost upon reboot; see <ref id="permanent" name="Making Rules
318 Permanent"> for how to make sure they are restored the next time Linux
321 iptables ¤Ï¥«¡¼¥Í¥ë¤Î¥Ñ¥±¥Ã¥È¥Õ¥£¥ë¥¿¥ê¥ó¥°¥Æ¡¼¥Ö¥ë¤Ë¥ë¡¼¥ë¤òÁÞÆþ
322 ¤·¤¿¤êºï½ü¤·¤¿¤ê¤·¤Þ¤¹¡£¤³¤ì¤Ï¡¢¤¢¤Ê¤¿¤¬ÀßÄꤷ¤¿¤â¤Î¤Ï¥ê¥Ö¡¼¥È¤¹¤ë¤È
323 ¼º¤ï¤ì¤ë¤³¤È¤ò°ÕÌ£¤·¤Æ¤¤¤Þ¤¹¡£¼¡²ó¡¢Linux ¤¬¥Ö¡¼¥È¤·¤¿¤È¤ÀßÄê¤ò
324 ²óÉü¤µ¤»¤ë³Î¤«¤ÊÊýË¡¤Ï <ref id="permanent" name="¥ë¡¼¥ë¤ò±Ê³¤µ¤»¤ë">
329 <tt>iptables</tt> is a replacement for <tt>ipfwadm</tt> and
330 <tt>ipchains</tt>: see
331 <ref id="oldstyle" name="Using ipchains and ipfwadm"> for how to painlessly
332 avoid using iptables if you're using one of those tools.
334 <tt>iptables</tt> ¤Ï ipfwadm ¤È ipchains ¤ÎÃÖ¤´¹¤¨¤Ç¤¹¡£
335 ¤â¤·¡¢¤¢¤Ê¤¿¤¬¸½ºß¤³¤ì¤é¤Î¤É¤Á¤é¤«°ìÊý¤Î¥Ä¡¼¥ë¤ò»È¤Ã¤Æ¤¤¤Æ¡¢
336 ¶ìÏ«¤òÈò¤±¤ë¤¿¤á iptables ¤ò»È¤ï¤º¤ËºÑ¤Þ¤¹ÊýË¡¤Ï
337 <ref id="oldstyle" name="ipchains ¤È ipfwadm ¤ò»È¤¦"> ¤ò¸«¤Æ¤¯¤À¤µ¤¤¡£
340 <sect2> Making Rules Permanent<label id="permanent">
342 <sect2>¥ë¡¼¥ë¤ò±Ê³¤µ¤»¤ë<label id="permanent">
345 <p>Your current firewall setup is stored in the kernel, and thus will
346 be lost on reboot. You can try the iptables-save and iptables-restore
347 scripts to save them to, and restore them from a file.
349 <p>¤¢¤Ê¤¿¤Î¸½ºß¤Î¥Õ¥¡¥¤¥¢¡¼¥¦¥©¡¼¥ë¤ÎÀßÄê¤Ï¥«¡¼¥Í¥ëÃæ¤Ë¤¢¤ë¤À¤±¤Ê¤Î¤Ç¡¢
350 ¥ê¥Ö¡¼¥È¤¹¤ë¤È¼º¤ï¤ì¤Æ¤·¤Þ¤¤¤Þ¤¹¡£iptables-save ¤È iptables-restore
351 ¥¹¥¯¥ê¥×¥È¤ò»È¤¨¤Ð¡¢ÀßÄê¤ò¥Õ¥¡¥¤¥ë¤ËÊݸ¤·¤Æ¤ª¤¡¢¤½¤Î¸å¡¢¤½¤Î¥Õ¥¡¥¤¥ë
352 ¤«¤é²óÉü¤¹¤ë¤³¤È¤¬¤Ç¤¤Þ¤¹¡£
355 <p>The other way is to put the commands required to set up your rules
356 in an initialization script. Make sure you do something intelligent
357 if one of the commands should fail (usually `exec /sbin/sulogin').
359 <p>Ê̤ÎÊýË¡¤Ï¡¢¥ë¡¼¥ë¤òÀßÄꤹ¤ë¤¿¤á¤ËɬÍפʥ³¥Þ¥ó¥É¤ò½é´ü²½
360 ¥¹¥¯¥ê¥×¥ÈÃæ¤Ë½ñ¤¯¤³¤È¤Ç¤¹¡£Ëü°ì¥³¥Þ¥ó¥É¤ÎÆâ¤Î 1¤Ä¤¬¼ºÇÔ¤·¤¿¤Ê¤é¡¢
361 Ƭ¤ò¹Ê¤Ã¤Æ¤ä¤í¤¦¤È¤·¤Æ¤¤¤ë¤³¤È¤ò³Î¤«¤á¤Æ¤¯¤À¤µ¤¤(ÉáÄÌ¡¢`/sbin/sulogin'
362 ¤ò¼Â¹Ô¤·¤Æ¥·¥ó¥°¥ë¥æ¡¼¥¶¥â¡¼¥É¤Çºî¶È¤·¤Þ¤¹)¡£
363 <!-- ¥«¥Ã¥³¤Î¤³¤È¤Ï¥·¥ó¥°¥ë¥æ¡¼¥¶¥â¡¼¥É¤Çºî¶È¤·¤Ê¤µ¤¤¡¢¤È¸À¤¦¤³¤È¤«? -->
366 <sect>Who the hell are you, and why are you playing with my kernel?
368 <sect>¤¤¤Ã¤¿¤¤¤ª¤Þ¤¨¤Ïï¤Ê¤ó¤À¡¢¤½¤·¤Æ¤Ê¤¼»ä¤Î¥«¡¼¥Í¥ë¤ÇÍ·¤ó¤Ç¤ë¤ó¤À?
372 I'm Rusty Russell; the Linux IP Firewall maintainer and just another
373 working coder who happened to be in the right place at the right time.
374 I wrote ipchains (see <ref id="filter-linux" name="How Do I Packet
375 Filter Under Linux?"> above for due credit to the people who did the
376 actual work), and learnt enough to get packet filtering right this
379 »ä¤Ï Rusty Russell¡£Linux ¤Î IP ¥Õ¥¡¥¤¥¢¡¼¥¦¥©¡¼¥ë¤Î¥á¥¤¥ó¥Æ¥Ê¡¼¤È¡¢¤Û¤ó¤Î
380 ¤â¤¦ 1¤Ä¡¢Ê̤βսê¤Î¥³¡¼¥Ç¥£¥ó¥°¤òôÅö¤·¤Æ¤¤¤Þ¤¹¤¬¡¢¤½¤ì¤Ï¤¿¤Þ¤¿¤Þ
381 ŬÀڤʻþ´ü¤ËŬÀڤʾì½ê¤Ë¤¤¤¿¤«¤é¤Ë¤¹¤®¤Þ¤»¤ó¡£»ä¤Ï ipchains ¤ò½ñ¤¤Þ¤·¤¿
382 (¼ÂºÝ¤Ëºî¶È¤·¤¿¿Í¡¹¤Ë¾Î»¿¤ò¤Ï¤é¤¤¡¢<ref id="filter-linux" name="Linux
383 ¤Ç¥Ñ¥±¥Ã¥È¥Õ¥£¥ë¥¿¡¼¤Ï¤É¤Î¤è¤¦¤Ë¤ä¤ë¤Î?"> ¤ò¸«¤Æ¤¯¤À¤µ¤¤)¡£¤½¤·¤Æ
384 ¤³¤Î¤È¤¥Ñ¥±¥Ã¥È¥Õ¥£¥ë¥¿¥ê¥ó¥°¤ÎÀµ¤·¤¤¤¢¤êÊý¤ò½½Ê¬¤Ë³Ø¤Ó¤Þ¤·¤¿¡£
385 ¤½¤¦¤¢¤ë¤³¤È¤ò˾¤ó¤Ç¤¤¤Þ¤¹¡£
389 <url url="http://www.watchguard.com" name="WatchGuard">, an excellent
390 firewall company who sell the really nice plug-in Firebox, offered to
391 pay me to do nothing, so I could spend all my time writing this stuff,
392 and maintaining my previous stuff. I predicted 6 months, and it took
393 12, but I felt by the end that it had been done Right. Many rewrites,
394 a hard-drive crash, a laptop being stolen, a couple of corrupted
395 filesystems and one broken screen later, here it is.
397 <url url="http://www.watchguard.com" name="WatchGuard">¡¢ËÜÅö¤Ë¥Ê¥¤¥¹¤Ê
398 ¥×¥é¥°¥¤¥ó¤Î Firebox (ÌõÃí: Linux Æ⢤Υե¡¥¤¥¢¡¼¥¦¥©¡¼¥ëÀ½ÉÊ)¤ò
399 Çä¤Ã¤Æ¤¤¤ë¤¹¤Ð¤é¤·¤¤¥Õ¥¡¥¤¥¢¡¼¥¦¥©¡¼¥ë¤Î²ñ¼Ò¤Ç¡¢²¿¤â¤·¤Ê¤¤»ä¤ËµëÎÁ¤ò
400 ʧ¤Ã¤Æ¤¯¤ì¤Æ¡¢¤½¤ì¤Ç»ä¤ÏÁ´¤Æ¤Î»þ´Ö¤ò¤³¤Î¤·¤í¤â¤Î¤ò½ñ¤¯¤³¤È¤Ë¡¢¤½¤·¤Æ
401 °ÊÁ°¤Î¤â¤Î¤Î¥á¥ó¥Æ¥Ê¥ó¥¹¤ËÈñ¤ä¤¹¤³¤È¤¬¤Ç¤¤Þ¤·¤¿¡£»ä¤Ï 6¤«·î¤Èͽ¬
402 ¤·¤Æ¡¢12¤«·î¤«¤«¤ê¤Þ¤·¤¿¤¬¡¢¤½¤ì¤òŬÀڤʤâ¤Î¤Ë¤¹¤ë¤È¸À¤¦ÌÜŪ¤ò
403 ²Ì¤¿¤»¤¿¤È´¶¤¸¤Þ¤·¤¿¡£Â¿¤¯¤Î½ñ¤Ä¾¤·¡¢¥Ï¡¼¥É¥Ç¥£¥¹¥¯¤Î¥¯¥é¥Ã¥·¥å¡¢
404 ¥é¥Ã¥×¥È¥Ã¥×¤ÎÅðÆñ¡¢¥Õ¥¡¥¤¥ë¥·¥¹¥Æ¥àÉÔÀµ¤Ë³¤±¤Æ¥¹¥¯¥ê¡¼¥ó¤Î¸Î¾ã¡¢
406 <!-- ¥é¥Ã¥×¥È¥Ã¥×¤Ê¤Î¤Ç¥¹¥¯¥ê¡¼¥ó? -->
410 While I'm here, I want to clear up some people's misconceptions: I am
411 no kernel guru. I know this, because my kernel work has brought me
412 into contact with some of them: David S. Miller, Alexey Kuznetsov,
413 Andi Kleen, Alan Cox. However, they're all busy doing the deep magic,
414 leaving me to wade in the shallow end where it's safe.
416 »ä¤¬¤³¤³¤Ë¤¤¤ë´Ö¤Ë¡¢²¿¿Í¤«¤Î¿Í¡¹¤Î¸í²ò¤ò²ò¤¤¤Æ¤ª¤¤¿¤¤¤Ç¤¹ ¡½ »ä¤Ï
417 ¥«¡¼¥Í¥ë¤Î¿ÀÍͤǤϤ¢¤ê¤Þ¤»¤ó¡£¤È¸À¤¦¤Î¤Ï¡¢»ä¤Ï¥«¡¼¥Í¥ë¤Î»Å»ö¤ò¤¹¤ë¤Î¤Ë
418 Èà¤é: David S. Miller, Alexey Kuznetsov, Andi Kleen, Alan Cox ¤Î²¿¿Í
419 ¤«¤ÈÀÜ¿¨¤¹¤ë¤³¤È¤Ë¤Ê¤Ã¤¿¤«¤é¤Ç¤¹¡£¤È¤Ï¸À¤¨¡¢Èà¤é¤Ï³§Ä쿼¤¤¥Þ¥¸¥Ã¥¯¤ò
420 ¤¹¤ë¤Î¤ËË»¤·¤¯¤Æ¡¢»ä¤Ï¤«¤Þ¤Ã¤Æ¤â¤é¤¨¤º°ÂÁ´¤ÊÀõ¤¤Àî¤Î±ï¤ò¶ìÏ«¤·¤Æ¿Ê¤ó¤Ç
423 <!-- This is probably no longer true; somewhere in writing all this
424 kernel code and documentation I seem to have picked up a fair number
425 of kernel tricks. But I'm still nowhere near as clever as I think I
427 <!-- (ÌõÃí: ¸¶Ê¸¤â¥³¥á¥ó¥È) ¤¿¤Ö¤ó¡¢¤³¤ì¤Ï¤â¤Ï¤äËÜÅö¤Ç¤Ï¤Ê¤¤¤Ç¤¹ ¡½
428 ¤³¤Î¥«¡¼¥Í¥ë¥³¡¼¥ÉÁ´¤Æ¤ä¥É¥¥å¥á¥ó¥È¤ò½ñ¤¤¤Æ¤¤¤ë¤È¤¡¢¤É¤³¤«¤Ë
429 »ä¤Ï¤«¤Ê¤ê¤Î¿ô¤Î¥«¡¼¥Í¥ë¥È¥ê¥Ã¥¯¤ò¸«¤Ä¤±¤Þ¤·¤¿¡£
430 ¤·¤«¤·¡¢»ä¤Ï¤Þ¤À¤Þ¤À¸¤¤¤È¸À¤¦¤Ë¤Ï¤Û¤É±ó¤¤¤Ç¤¹¡£
434 <sect> Rusty's Really Quick Guide To Packet Filtering
436 <sect>Rusty ¤Î¥Ñ¥±¥Ã¥È¥Õ¥£¥ë¥¿¥ê¥ó¥°¡¢ËÜÅö¤Ë¥¯¥¤¥Ã¥¯¥¬¥¤¥É
440 Most people just have a single PPP connection to the Internet, and
441 don't want anyone coming back into their network, or the firewall:
443 ¤Û¤È¤ó¤É¤Î¿Í¤Ï¥¤¥ó¥¿¡¼¥Í¥Ã¥È¤Ë¤¿¤À 1¤Ä¤Î PPP ¥³¥Í¥¯¥·¥ç¥ó¤Ç·Ò¤¤¤Ç
444 ¤¤¤Þ¤¹¤¬¡¢¤½¤³¤«¤é¼«Ê¬¤Î¥Í¥Ã¥È¥ï¡¼¥¯¤Ë狼¤¬Æþ¤Ã¤Æ¤¯¤ë¤³¤È¤ò˾¤à
445 ¿Í¤Ïï¤â¤¤¤Þ¤»¤ó¡£¤¹¤Ê¤ï¤Á¥Õ¥¡¥¤¥¢¡¼¥¦¥©¡¼¥ë¤Î½ÐÈ֤Ǥ¹¡£
449 ## Insert connection-tracking modules (not needed if built into kernel).
450 # insmod ip_conntrack
451 # insmod ip_conntrack_ftp
453 ## Create chain which blocks new connections, except if coming from inside.
455 # iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
456 # iptables -A block -m state --state NEW -i ! ppp0 -j ACCEPT
457 # iptables -A block -j DROP
459 ## Jump to that chain from INPUT and FORWARD chains.
460 # iptables -A INPUT -j block
461 # iptables -A FORWARD -j block
465 ## ¥³¥Í¥¯¥·¥ç¥óÄÉÀץ⥸¥å¡¼¥ë¤ÎÁÞÆþ(¥«¡¼¥Í¥ëľÁȤ߹þ¤ß¤Î¾ì¹ç¤ÏÉÔÍ×)
466 # insmod ip_conntrack
467 # insmod ip_conntrack_ftp
469 ## ÆâÉô¤«¤é¤Î¤â¤Î°Ê³°¤Î¿·¤·¤¤¥³¥Í¥¯¥·¥ç¥ó¤ò¥Ö¥í¥Ã¥¯¤¹¤ë¥Á¥§¥¤¥ó¤ÎºîÀ®
471 # iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
472 # iptables -A block -m state --state NEW -i ! ppp0 -j ACCEPT
473 # iptables -A block -j DROP
475 ## INPUT ¤ª¤è¤Ó FORWARD ¥Á¥§¥¤¥ó¤«¤é¾åµ¤Î¥Á¥§¥¤¥ó¤Ø¥¸¥ã¥ó¥×¤¹¤ë
476 # iptables -A INPUT -j block
477 # iptables -A FORWARD -j block
479 <!-- block ¤ÎÌõ¤Ï¡¢¼×¤ë¡¢Ë¸¤²¤ë¡¢¤Ê¤É¤¬¤¢¤ê¤Þ¤¹¤¬¡¢¥Ö¥í¥Ã¥¯¤ÇÄ̤¸¤ë
483 <sect> How Packets Traverse The Filters
485 <sect>¤É¤Î¤è¤¦¤Ë¥Ñ¥±¥Ã¥È¤Ï¥Õ¥£¥ë¥¿¡¼¤òÄ̤êÈ´¤±¤ë¤«
489 The kernel starts with three lists of rules in the `filter' table;
490 these lists are called <bf>firewall chains</bf> or just
491 <bf>chains</bf>. The three chains are called <bf>INPUT</bf>,
492 <bf>OUTPUT</bf> and <bf>FORWARD</bf>.
494 ¥«¡¼¥Í¥ë¤Ïµ¯Æ°»þ¤Ë `filter' ¥Æ¡¼¥Ö¥ë¤È¤¤¤¦½ê¤Ë 3¤Ä¤Î¥ë¡¼¥ë¥ê¥¹¥È¤ò
495 ÊÝ»ý¤·¤Æ¤¤¤Þ¤¹¡£¤³¤ì¤é¤Î¥ê¥¹¥È¤Ï<bf>¥Õ¥¡¥¤¥¢¡¼¥¦¥©¡¼¥ë¥Á¥§¥¤¥ó</bf>¡¢
496 ¤Þ¤¿¤Ïñ¤Ë<bf>¥Á¥§¥¤¥ó</bf>¤È¸Æ¤Ð¤ì¤Þ¤¹¡£3¤Ä¤Î¥Á¥§¥¤¥ó¤Ï
497 <bf>INPUT</bf>, <bf>OUTPUT</bf> ¤½¤·¤Æ <bf>FORWARD</bf> ¤È¸Æ¤Ð¤ì¤Æ
502 For ASCII-art fans, the chains are arranged like so: <bf>(Note: this
503 is a very different arrangement from the 2.0 and 2.2 kernels!)</bf>
505 ASCII ¥¢¡¼¥È¥Õ¥¡¥ó¤Î¤¿¤á¤Ë¡¢¥Á¥§¥¤¥ó¤Ï¤³¤Î¤è¤¦¤ËÇÛÃÖ¤µ¤ì¤Æ¤¤¤Þ¤¹
506 <bf>(¤³¤ì¤Ï¡¢2.0 ¤ª¤è¤Ó 2.2 ¥«¡¼¥Í¥ë¤ÎÇÛÃÖ¤ÈÂçÊѰۤʤäƤ¤¤Þ¤¹!)</bf> :
510 Incoming / \ Outgoing
511 -->[Routing ]--->|FORWARD|------->
520 ----> Local Process ----
524 Æþ¤Ã¤ÆÍè¤ë¨£¨¡¨¡¨¡¨¡¨¡¨¡¨¤ ¡¿¡±¡±¡±¡À ½Ð¤Æ¹Ô¤¯
525 ¡½¢ª¨¢¥ë¡¼¥Æ¥£¥ó¥°¨¢¢ª¡ÃFORWARD ¡Ã¡½¡½¢ª
526 ¨¢¤Î·èÄê ¨¢ ¡À¡²¡²¡²¡¿ ¢¬
534 ¨¦¨¡¢ª ¥í¡¼¥«¥ë ¥×¥í¥»¥¹ ¨¡¨¡¨¥
536 <!-- JIS ¥¢¡¼¥È¤Ë¤·¤Þ¤·¤¿¡£¸µ¤Î³¨¤Ç¥³¥á¥ó¥ÈÃæ¤ÎϢ³¥Ï¥¤¥Õ¥ó¤Ï -¡õ¡ô045¡¨
537 ¤ËÃÖ¤´¹¤¨¤Þ¤·¤¿¡£-->
538 (ÌõÃí: ¤³¤Î¾¤Ë NAT ÍѤΥÁ¥§¥¤¥ó¤È¤·¤Æ¡¢¡Æ¥ë¡¼¥Æ¥£¥ó¥°¤Î·èÄê¡Ç¤Î¼êÁ°¤Ë
539 `PREROUTING' ¥Á¥§¥¤¥ó¤¬¡¢¡Æ½Ð¤Æ¹Ô¤¯¡Ç¤Î¼êÁ°¤Ë `POSTROUTING' ¥Á¥§¥¤¥ó¤¬
543 <p>The three circles represent the three chains mentioned above. When
544 a packet reaches a circle in the diagram, that chain is examined to
545 decide the fate of the packet. If the chain says to DROP the packet,
546 it is killed there, but if the chain says to ACCEPT the packet, it
547 continues traversing the diagram.
549 <p>3¤Ä¤Î±ß¤Ï¡¢¾å¤Ç½Ò¤Ù¤¿ 3¤Ä¤Î¥Á¥§¥¤¥ó¤òɽ¤ï¤·¤Æ¤¤¤Þ¤¹¡£¥Ñ¥±¥Ã¥È¤¬¿Þ¾å
550 ¤Î 1¤Ä¤Î±ß¤Ë㤷¤¿¤é¡¢¤½¤Î¥Á¥§¥¤¥ó¤¬¸¡ºº¤µ¤ì¤Æ¥Ñ¥±¥Ã¥È¤Î±¿Ì¿¤ò·è¤á¤Þ¤¹¡£
551 ¤â¤·¡¢¥Á¥§¥¤¥ó¤¬¥Ñ¥±¥Ã¥È¤ò DROP(ÇË´þ)¤¹¤ë¤È¸À¤Ã¤¿¤é¡¢¥Ñ¥±¥Ã¥È¤Ï¤½¤³¤Ç
552 Ëõ»¦¤µ¤ì¤Þ¤¹¤¬¡¢¤â¤·¡¢¥Á¥§¥¤¥ó¤¬¥Ñ¥±¥Ã¥È¤ò ACCEPT(¼õ¤±Æþ¤ì)¤¹¤ë¤È¸À¤Ã¤¿¤é¡¢
553 ¥Ñ¥±¥Ã¥È¤Ï¿Þ¾å¤ò°Ü¤Ã¤Æ¹Ô¤¤Þ¤¹¡£
557 A chain is a checklist of <bf>rules</bf>. Each rule says `if the packet
558 header looks like this, then here's what to do with the packet'. If
559 the rule doesn't match the packet, then the next rule in the chain is
560 consulted. Finally, if there are no more rules to consult, then the
561 kernel looks at the chain <bf>policy</bf> to decide what to do. In a
562 security-conscious system, this policy usually tells the kernel to
565 1¤Ä¤Î¥Á¥§¥¤¥ó¤ÏÊ£¿ô¤Î<bf>¥ë¡¼¥ë</bf>¤Î¥Á¥§¥Ã¥¯¥ê¥¹¥È¤«¤é¹½À®¤µ¤ì¤Æ
566 ¤¤¤Þ¤¹¡£³Æ¡¹¤Î¥ë¡¼¥ë¤Ï¡Ö¤â¤·¡¢¥Ñ¥±¥Ã¥È¤Î¥Ø¥Ã¥À¡¼¤¬¤³¤ó¤Ê¤À¤Ã¤¿¤é¡¢
567 ¥Ñ¥±¥Ã¥È¤ò¤³¤Î¤è¤¦¤Ë¤·¤Ê¤µ¤¤¡×¤È»Ø¼¨¤·¤Þ¤¹¡£¤â¤·¡¢¤¢¤ë¥ë¡¼¥ë¤¬¥Ñ¥±¥Ã¥È
568 ¤È¥Þ¥Ã¥Á¤·¤Ê¤±¤ì¤Ð¡¢¥Á¥§¥¤¥óÆâ¤Î¼¡¤Î¥ë¡¼¥ë¤¬Ä´¤Ù¤é¤ì¤Þ¤¹¡£ºÇ½ªÅª¤Ë¡¢
569 Ä´¤Ù¤ë¥ë¡¼¥ë¤¬Ìµ¤¯¤Ê¤Ã¤¿¤é¡¢¥«¡¼¥Í¥ë¤Ï¤½¤Î¥Á¥§¥¤¥ó¤Î<bf>¥Ý¥ê¥·¡¼</bf>
570 (Êý¿Ë)¤ò¸«¤Æ²¿¤ò¤¹¤ë¤«·è¤á¤Þ¤¹¡£¥»¥¥å¥ê¥Æ¥£°Õ¼±¤Î¶¯¤¤¥·¥¹¥Æ¥à¤Ç¤Ï¡¢
571 ¤³¤Î¥Ý¥ê¥·¡¼¤ÏÉáÄÌ¡¢¥Ñ¥±¥Ã¥È¤ò DROP ¤¹¤ë¤è¤¦¤Ë¥«¡¼¥Í¥ë¤Ë»Ø¼¨¤·¤Þ¤¹¡£
576 <item>When a packet comes in (say, through the Ethernet card) the kernel
577 first looks at the destination of the packet: this is called
580 <item>¥Ñ¥±¥Ã¥È¤¬Æþ¤Ã¤ÆÍ褿¤È¤(Î㤨¤Ð¡¢¥¤¡¼¥µ¥Í¥Ã¥È¥«¡¼¥É¤«¤é)¡¢
581 ¥«¡¼¥Í¥ë¤ÏºÇ½é¤Ë¥Ñ¥±¥Ã¥È¤Î¹Ô¤Àè¤ò¸«¤Þ¤¹¡£¤³¤ì¤Ï¡Æ¥ë¡¼¥Æ¥£¥ó¥°¡Ç
585 <item>If it's destined for this box, the packet passes downwards
586 in the diagram, to the INPUT chain. If it passes this, any processes
587 waiting for that packet will receive it.
589 <item>¤â¤·¡¢¹Ô¤À褬¼«Ê¬¤Î Linux ¥Ü¥Ã¥¯¥¹¤Ê¤é¡¢¥Ñ¥±¥Ã¥È¤Ï¿Þ¤Ç¤Ï²¼¤Ë
590 ¹ß¤ê¤Æ INPUT ¥Á¥§¥¤¥ó¤ËÆþ¤ê¤Þ¤¹¡£¤â¤·¡¢¤½¤³¤òÄ̲᤹¤ì¤Ð¡¢¥Ñ¥±¥Ã¥È¤Ï
591 ¤½¤ì¤òÂԤäƤ¤¤ë¥×¥í¥»¥¹¤Ë¼õ¤±¼è¤é¤ì¤Þ¤¹¡£
594 <item>Otherwise, if the kernel does not have forwarding enabled, or it
595 doesn't know how to forward the packet, the packet is dropped. If
596 forwarding is enabled, and the packet is destined for another network
597 interface (if you have another one), then the packet goes rightwards
598 on our diagram to the FORWARD chain. If it is ACCEPTed, it will be
601 <item>¤½¤¦¤Ç¤Ê¤¤¤Ê¤é¡¢¥«¡¼¥Í¥ë¤Î¥Õ¥©¥ï¡¼¥É(žÁ÷)µ¡Ç½¤¬Í¸ú¤Ë
602 ¤Ê¤Ã¤Æ¤¤¤Ê¤¤¾ì¹ç¡¢¤¢¤ë¤¤¤Ï¥«¡¼¥Í¥ë¤¬¤½¤Î¥Ñ¥±¥Ã¥È¤Î¥Õ¥©¥ï¡¼¥É¤ÎÊýË¡¤ò
603 ÃΤé¤Ê¤¤¾ì¹ç¡¢¥Ñ¥±¥Ã¥È¤ÏÇË´þ¤µ¤ì¤Þ¤¹¡£¥Õ¥©¥ï¡¼¥Éµ¡Ç½¤¬Í¸ú¤Ë¤Ê¤Ã¤Æ¤¤¤Æ¡¢
604 ¥Ñ¥±¥Ã¥È¤Î¹Ô¤À褬Ê̤Υͥåȥ¥¯¥¤¥ó¥¿¡¼¥Õ¥§¥¤¥¹(¤â¤¦
605 1¤Ä¤¢¤ë¤Ê¤é)¤Ç¤¢¤ì¤Ð¡¢¿Þ¤Ç¤Ï¥Ñ¥±¥Ã¥È¤Ï±¦¤ÎÊý¤Ø¿Ê¤ß FORWARD ¥Á¥§¥¤¥ó
606 ¤ËÆþ¤ê¤Þ¤¹¡£¤â¤·¡¢ACCEPT ¤µ¤ì¤ì¤Ð¡¢¥Ñ¥±¥Ã¥È¤ÏÁ÷¤ê½Ð¤µ¤ì¤Þ¤¹¡£
607 <!-- ¤¯¤É¤¤¤Î¤Ç ¤â¤·¡¢ ¤ò¼è¤ê¤Þ¤·¤¿¡£-->
610 <item>Finally, a program running on the box can send network packets.
611 These packets pass through the OUTPUT chain immediately: if it says
612 ACCEPT, then the packet continues out to whatever interface it is
615 <item>ºÇ¸å¤Ë¤Ê¤ê¤Þ¤¹¤¬¡¢¤³¤ÎÈ¢¤ÇÆ°¤¤¤Æ¤¤¤ë¥×¥í¥°¥é¥à¤Ï
616 ¥Í¥Ã¥È¥ï¡¼¥¯¤Ø¥Ñ¥±¥Ã¥È¤òÁ÷¤ë¤³¤È¤¬¤Ç¤¤Þ¤¹¡£¤³¤ì¤é¤Î¥Ñ¥±¥Ã¥È¤Ï
617 ľÀÜ OUTPUT ¥Á¥§¥¤¥ó¤ËÆþ¤ê¤Þ¤¹¡£¤â¤·¡¢¤½¤³¤Ç ACCEPT ¤È¸À¤ï¤ì¤ì¤Ð¡¢
618 ¥Ñ¥±¥Ã¥È¤Ï¤½¤Î¹Ô¤Àè¤Ë½¾¤Ã¤¿¥¤¥ó¥¿¡¼¥Õ¥§¥¤¥¹¤«¤é½Ð¤Æ¹Ô¤¤Þ¤¹¡£
624 <sect>iptables ¤ò»È¤¦
628 iptables has a fairly detailed manual page (<tt>man iptables</tt>),
629 and if you need more detail on particulars. Those of you familiar
630 with ipchains may simply want to look at <ref id="Appendix-A"
631 name="Differences Between iptables and ipchains">; they are very
634 ¸Ä¡¹¤Î»ö¹à¤Ë¤Ä¤¤¤Æ¤Î¤â¤Ã¤È¾Ü¤·¤¤ÀâÌÀ¤¬É¬Íפʤ顢iptables ¤Ë¤Ï¤«¤Ê¤ê
635 ¾Ü¤·¤¤¥Þ¥Ë¥å¥¢¥ë¥Ú¡¼¥¸(<tt>man iptables</tt>)¤¬¤¢¤ê¤Þ¤¹¡£
636 ipchains ¤ËÀºÄ̤·¤Æ¤¤¤ë¿Í¤Ï¤¹¤°¤Ë¤Ç¤â<ref id="Appendix-A" name=
637 "iptables ¤È ipchains ¤Î°ã¤¤">¤ò¸«¤¿¤¤¤Ë¤Á¤¬¤¤¤¢¤ê¤Þ¤»¤ó¡£¼ÂºÝ¡¢
638 2¤Ä¤Ï¤È¤Æ¤â»÷¤Æ¤¤¤Þ¤¹¡£
642 There are several different things you can do with <tt>iptables</tt>.
643 You start with three built-in chains <tt>INPUT</tt>, <tt>OUTPUT</tt>
644 and <tt>FORWARD</tt> which you can't delete. Let's look at the
645 operations to manage whole chains:
647 <tt>iptables</tt> ¤ò»È¤Ã¤Æ¿§¡¹¤Ê¤³¤È¤¬¤Ç¤¤Þ¤¹¡£
648 ¤Þ¤º¡¢3¤Ä¤ÎÁȤ߹þ¤ßºÑ¤ß¥Á¥§¥¤¥ó <tt>INPUT</tt>, <tt>OUTPUT</tt>
649 ¤½¤·¤Æ <tt>FORWARD</tt> (¤³¤ì¤é¤Ïºï½ü¤Ç¤¤Þ¤»¤ó)¤«¤é»Ï¤á¤Þ¤¹¡£
650 ¤Ç¤Ï¡¢¥Á¥§¥¤¥ó¤ò°·¤¦Áàºî¤ò¸«¤Æ¤ß¤Þ¤·¤ç¤¦:
654 <item> Create a new chain (-N).
655 <item> Delete an empty chain (-X).
656 <item> Change the policy for a built-in chain. (-P).
657 <item> List the rules in a chain (-L).
658 <item> Flush the rules out of a chain (-F).
659 <item> Zero the packet and byte counters on all rules in a chain (-Z).
661 <item>¿·¤·¤¤¥Á¥§¥¤¥ó¤òºî¤ë (-N)
662 <item>¶õ¤Î¥Á¥§¥¤¥ó¤òºï½ü¤¹¤ë (-X)
663 <item>ÁȤ߹þ¤ßºÑ¤ß¥Á¥§¥¤¥ó¤Î¥Ý¥ê¥·¡¼¤òÊѹ¹¤¹¤ë (-P)
664 <item>¥Á¥§¥¤¥óÆâ¤Î¥ë¡¼¥ë¤ò¥ê¥¹¥È¥¢¥Ã¥×¤¹¤ë (-L)
665 <item>¥Á¥§¥¤¥ó¤«¤é¥ë¡¼¥ë¤òÁ´¤Æ¾Ã¤·µî¤ë (-F)
666 <item>¥Á¥§¥¤¥óÆâ¤ÎÁ´¤Æ¤Î¥ë¡¼¥ë¤Î¥Ñ¥±¥Ã¥È¤È¥Ð¥¤¥È¤Î¥«¥¦¥ó¥¿¡¼¤ò¥¼¥í¤Ë¤¹¤ë (-Z)
670 There are several ways to manipulate rules inside a chain:
672 ¥Á¥§¥¤¥óÆâ¤Î¥ë¡¼¥ë¤òÁàºî¤¹¤ë¤Ë¤ÏÍÍ¡¹¤ÊÊýË¡¤¬¤¢¤ê¤Þ¤¹:
676 <item> Append a new rule to a chain (-A).
677 <item> Insert a new rule at some position in a chain (-I).
678 <item> Replace a rule at some position in a chain (-R).
679 <item> Delete a rule at some position in a chain, or the first that matches (-D).
681 <item>¥Á¥§¥¤¥ó¤Ë¿·¤·¤¤¥ë¡¼¥ë¤òÄɲ乤ë (-A)
682 <item>¥Á¥§¥¤¥óÆâ¤Î¤¢¤ë°ÌÃ֤˿·¤·¤¤¥ë¡¼¥ë¤òÁÞÆþ¤¹¤ë (-I)
683 <item>¥Á¥§¥¤¥óÆâ¤Î¤¢¤ë°ÌÃ֤Υ롼¥ë¤òÃÖ¤´¹¤¨¤ë (-R)
684 <item>¥Á¥§¥¤¥óÆâ¤Î¤¢¤ë°ÌÃ֤Ρ¢¤Þ¤¿¤Ïµ½Ò¤È°ìÃפ·¤¿ºÇ½é¤Î¥ë¡¼¥ë¤òºï½ü¤¹¤ë (-D)
688 <sect1> What You'll See When Your Computer Starts Up
690 <sect1>¥³¥ó¥Ô¥å¡¼¥¿¤òµ¯Æ°¤·¤¿¤È¤¸«¤ë¤Ù¤¤³¤È
694 iptables may be a module, called (`iptable_filter.o'), which should be
695 automatically loaded when you first run <tt>iptables</tt>. It can
696 also be built into the kernel permenantly.
698 iptables ¤Ï¤¿¤Ö¤ó¥â¥¸¥å¡¼¥ë¤Ë¤Ê¤Ã¤Æ¤¤¤Þ¤¹¡£Ì¾Á°¤Ï(`iptable_filter.o')
699 ¤Ç¡¢ºÇ½é¤Ë <tt>iptables</tt> ¤ò¼Â¹Ô¤·¤¿¤È¤¤Ë¼«Æ°Åª¤Ë
700 ¥í¡¼¥É¤µ¤ì¤ë¤Ï¤º¤Ç¤¹¡£¤Þ¤¿¡¢¥«¡¼¥Í¥ë¤Ë¹±¾ïŪ¤ËÁȤ߹þ¤à¤³¤È¤â¤Ç¤¤Þ¤¹¡£
703 <p>Before any iptables commands have been run (be careful: some
704 distributions will run iptables in their initialization scripts),
705 there will be no rules in any of the built-in chains (`INPUT',
706 `FORWARD' and `OUTPUT'), all the chains will have a policy of ACCEPT.
707 You can alter the default policy of the FORWARD chain by providing the
708 `forward=0' option to the iptable_filter module.
710 <p>Á´¤¯ iptables ¥³¥Þ¥ó¥É¤ò¼Â¹Ô¤·¤Æ¤¤¤Ê¤¤¾õÂ֤ǤÏ(Ãí°Õ¤·¤Þ¤·¤ç¤¦:
711 ½é´ü²½¥¹¥¯¥ê¥×¥È¤Ç iptables ¤ò¼Â¹Ô¤¹¤ë¥Ç¥£¥¹¥È¥ê¥Ó¥å¡¼¥·¥ç¥ó¤¬¤¢¤ê¤Þ¤¹)¡¢
712 ÁȤ߹þ¤ßºÑ¤ß¥Á¥§¥¤¥ó(`INPUT', `FORWARD' ¤ª¤è¤Ó `OUTPUT')¤Î¤É¤ì¤Ë¤â
713 ¥ë¡¼¥ë¤Ï¸ºß¤»¤º¡¢Á´¤Æ¤Î¥Á¥§¥¤¥ó¤Î¥Ý¥ê¥·¡¼¤Ï ACCEPT ¤Ç¤¹¡£
714 ¤·¤«¤·¡¢iptable_filter ¥â¥¸¥å¡¼¥ë¤Î¥ª¥×¥·¥ç¥ó¤Ë `forward=0' ¤òÍ¿¤¨¤ì¤Ð¡¢
715 FORWARD ¥Á¥§¥¤¥ó¤Î¥Ý¥ê¥·¡¼¤Î½é´üÃͤò(ÌõÃí: DROP ¤Ë)ÊѤ¨¤ë¤³¤È¤¬¤Ç¤¤Þ¤¹¡£
716 <!-- ¤·¤«¤· ¤òÄɲà -->
719 <sect1> Operations on a Single Rule
722 <!-- ¾¤Î¸«½Ð¤·¤È¤Î¥Ð¥é¥ó¥¹¤«¤é Single ¤ò¾Êά¤·¤Þ¤·¤¿¡£-->
726 This is the bread-and-butter of packet filtering; manipulating rules.
727 Most commonly, you will probably use the append (-A) and delete (-D)
728 commands. The others (-I for insert and -R for replace) are simple
729 extensions of these concepts.
731 ¥ë¡¼¥ë¤òÁàºî¤¹¤ë¤³¤È ¡½ ¤½¤ì¤Ï¥Ñ¥±¥Ã¥È¥Õ¥£¥ë¥¿¥ê¥ó¥°¤Î´ðËܤǤ¹¡£
732 ¤Û¤È¤ó¤É¤Î¾ì¹ç¡¢ÉáÄÌ¡¢¤¢¤Ê¤¿¤ÏÄɲà (-A) ¤Èºï½ü (-D) ¥³¥Þ¥ó¥É¤ò»È¤¦¤³¤È
733 ¤Ë¤Ê¤ë¤Ç¤·¤ç¤¦¡£»Ä¤ê¤Î¥³¥Þ¥ó¥É(ÁÞÆþ¤Î -I ¤ÈÃÖ´¹¤Î -R )¤Ï¤³¤ì¤é¤Î³µÇ°¤ò
734 ñ½ã¤Ë±äŤ·¤¿¤â¤Î¤Ç¤¹¡£
735 <!-- bread-and-butter ¤ÎÌõ¤Ï ¥¤¥í¥Ï ¤Ç¤â¤è¤¤¤«¤â¤·¤ì¤Þ¤»¤ó¤¬¡¢
740 Each rule specifies a set of conditions the packet must meet, and what
741 to do if it meets them (a `target'). For example, you might want to
742 drop all ICMP packets coming from the IP address 127.0.0.1. So in
743 this case our conditions are that the protocol must be ICMP and that
744 the source address must be 127.0.0.1. Our target is `DROP'.
746 ³Æ¡¹¤Î¥ë¡¼¥ë¤Ë¤Ï¡¢¥Ñ¥±¥Ã¥È¤¬Ëþ¤¿¤¹¤Ù¤¾ò·ï¤Î¥»¥Ã¥È¤È¡¢¾ò·ï¤¬Ëþ¤¿¤µ¤ì¤¿
747 ¤È¤¤Ë¤¹¤ë¤³¤È(¡Æ¥¿¡¼¥²¥Ã¥È¡Ç)¤ò»ØÄꤷ¤Þ¤¹¡£Î㤨¤Ð¡¢IP ¥¢¥É¥ì¥¹ 127.0.0.1
748 ¤«¤é¤ä¤Ã¤ÆÍè¤ëÁ´¤Æ¤Î ICMP ¥Ñ¥±¥Ã¥È¤òÇË´þ¤·¤¿¤¤¤È¤·¤Þ¤¹¡£¤½¤Î¾ì¹ç¤Î¾ò·ï¤Ï
749 ¥×¥í¥È¥³¥ë¤¬ ICMP ¤Ç¥½¡¼¥¹¥¢¥É¥ì¥¹¤¬ 127.0.0.1 ¤Ç¡¢¥¿¡¼¥²¥Ã¥È¤Ï `DROP'
751 <!-- source ¤ÎÌõ¤È¤·¤Æ¡¢È¯¿®¸µ¡¢Á÷¿®¸µ¡¢»ÏÅÀ¤Ê¤É¤¬¤¢¤ê¤Þ¤¹¤¬¡¢
752 ¥«¥¿¥«¥Ê¤Ç½½Ê¬Ä̤¸¤ë¤È»×¤ï¤ì¤ë¤Î¤Ç¡¢¤³¤³¤Ç¤Ï¥½¡¼¥¹¤È¤·¤Þ¤¹¡£-->
756 127.0.0.1 is the `loopback' interface, which you will have even if you
757 have no real network connection. You can use the `ping' program to
758 generate such packets (it simply sends an ICMP type 8 (echo request)
759 which all cooperative hosts should obligingly respond to with an ICMP
760 type 0 (echo reply) packet). This makes it useful for testing.
762 127.0.0.1 ¤Ï¡Æ¥ë¡¼¥×¥Ð¥Ã¥¯¡Ç¥¤¥ó¥¿¡¼¥Õ¥§¥¤¥¹¤Ç¡¢¤½¤ì¤Ï¤¢¤Ê¤¿¤Î¥Þ¥·¥ó¤¬
763 ¼ÂºÝ¤Î¥Í¥Ã¥È¥ï¡¼¥¯¤Ë·Ò¤¬¤Ã¤Æ¤¤¤Ê¤¯¤Æ¤â¸ºß¤·¤Þ¤¹¡£`ping' ¥×¥í¥°¥é¥à¤Ï
764 ¤½¤Î¤è¤¦¤Ê¥Ñ¥±¥Ã¥È¤òȯÀ¸¤µ¤»¤ë¤Î¤Ë»È¤¤¤Þ¤¹(ping ¤Ï ñ½ã¤Ë ICMP ¥¿¥¤¥×
765 8 (¥¨¥³¡¼Í×µá)¤òÁ÷¤ê¡¢Á´¤Æ¤Î¶¨ÎÏŪ¤Ê¥Û¥¹¥È¤Ï¿ÆÀڤˤâ ICMP ¥¿¥¤¥× 0
766 (¥¨¥³¡¼±þÅú)¤Î¥Ñ¥±¥Ã¥È¤Ç¤½¤ì¤Ë±þ¤¨¤Þ¤¹)¡£¤³¤ì¤Ï¥Æ¥¹¥È¤ËÌòΩ¤Á¤Þ¤¹¡£
767 <!-- loopback ¤Ï±Ñ¸ì¤Î¤Þ¤Þ¤È¥«¥¿¥«¥Ê¤Î¤É¤Á¤é¤¬¤è¤¤¤Ç¤·¤ç¤¦? -->
770 # ping -c 1 127.0.0.1
771 PING 127.0.0.1 (127.0.0.1): 56 data bytes
772 64 bytes from 127.0.0.1: icmp_seq=0 ttl=64 time=0.2 ms
774 --- 127.0.0.1 ping statistics ---
775 1 packets transmitted, 1 packets received, 0% packet loss
776 round-trip min/avg/max = 0.2/0.2/0.2 ms
777 # iptables -A INPUT -s 127.0.0.1 -p icmp -j DROP
778 # ping -c 1 127.0.0.1
779 PING 127.0.0.1 (127.0.0.1): 56 data bytes
781 --- 127.0.0.1 ping statistics ---
782 1 packets transmitted, 0 packets received, 100% packet loss
787 You can see here that the first ping succeeds (the `-c 1' tells ping
788 to only send a single packet).
790 ¤´Í÷¤Î¤È¤ª¤êºÇ½é¤Î ping ¤¬À®¸ù¤·¤Æ¤¤¤Þ¤¹(`-c 1' ¤Ï ping ¤Ë¥Ñ¥±¥Ã¥È¤ò
791 1¸Ä¤À¤±Á÷¤ë¤è¤¦¤Ë»Ø¼¨¤·¤Æ¤¤¤Þ¤¹)¡£
795 Then we append (-A) to the `INPUT' chain, a rule specifying that for
796 packets from 127.0.0.1 (`-s 127.0.0.1') with protocol ICMP (`-p icmp')
797 we should jump to DROP (`-j DROP').
799 ¼¡¤Ë¥ë¡¼¥ë¤ò `INPUT' ¥Á¥§¥¤¥ó¤ËÄɲà (-A) ¤·¤Þ¤¹¡£¥ë¡¼¥ë¤Î»ØÄê¤Ï¡¢
800 127.0.0.1 ¤«¤é (`-s 127.0.0.1') ¤Ç¥×¥í¥È¥³¥ë ICMP (`-p icmp')
801 ¤Î¥Ñ¥±¥Ã¥È¤Ï¡¢DROP ¤Ø¥¸¥ã¥ó¥×¤¹¤ë (`-j DROP') ¤Ç¤¹¡£
805 Then we test our rule, using the second ping. There will be a pause
806 before the program gives up waiting for a response that will never
809 ¤½¤ì¤«¤é 2ÈÖÌܤΠping ¤Ç¥ë¡¼¥ë¤ò¥Æ¥¹¥È¤·¤Þ¤¹¡£µ¢¤Ã¤ÆÍè¤Ê¤¤±þÅú¤òÂԤĤΤò
810 ping ¤¬»ß¤á¤ë¤Þ¤Ç¾¯¤·¤Î´Ö¤¬¤¢¤ë¤Ç¤·¤ç¤¦¡£
814 We can delete the rule in one of two ways. Firstly, since we know
815 that it is the only rule in the input chain, we can use a numbered
818 ¥ë¡¼¥ë¤òºï½ü¤¹¤ë¤Ë¤Ï 2Ä̤ê¤ÎÊýË¡¤¬¤¢¤ê¤Þ¤¹¡£1ÈÖÌܤϡ¢Î㤨¤Ð¡¢input
819 ¥Á¥§¥¤¥ó¤Ë¤Ï¥ë¡¼¥ë¤¬ 1¸Ä¤À¤±¤·¤«¤Ê¤¤¤Î¤òʬ¤Ã¤Æ¤¤¤ë¾ì¹ç¤Ç¤Ï¡¢ÈÖ¹æ¤ò
820 »È¤Ã¤Æ°Ê²¼¤Î¤è¤¦¤Ëºï½ü¤Ç¤¤Þ¤¹:
822 # iptables -D INPUT 1
826 To delete rule number 1 in the INPUT chain.
828 INPUT ¥Á¥§¥¤¥ó¤Î¥ë¡¼¥ëÈÖ¹æ 1 ¤òºï½ü¡£
832 The second way is to mirror the -A command, but replacing the -A with
833 -D. This is useful when you have a complex chain of rules and you
834 don't want to have to count them to figure out that it's rule 37 that
835 you want to get rid of. In this case, we would use:
837 2ÈÖÌܤÎÊýË¡¤Ï -A ¥³¥Þ¥ó¥É¤ò¤½¤Ã¤¯¤ê¼Ì¤·¤Æ -A ¤ò -D ¤ËÃÖ¤´¹¤¨¤¿¤â¤Î¤Ç¤¹¡£
838 ¤³¤ì¤Ï¥ë¡¼¥ë¤¬Ê£»¨¤Ê¥Á¥§¥¤¥ó¤Î¾ì¹ç¤Ç¡¢Î㤨¤Ð¡¢¼è¤ê½ü¤¤¿¤¤¤Î¤¬¥ë¡¼¥ë
839 37 ¤À¤Èõ¤·Åö¤Æ¤ë¤¿¤á¤Ë¥ë¡¼¥ë¤ò¿ô¤¨¤¿¤¯¤Ê¤¤¾ì¹ç¤Ë͸ú¤Ç¤¹¡£¤³¤Î¾ì¹ç¡¢
842 # iptables -D INPUT -s 127.0.0.1 -p icmp -j DROP
846 The syntax of -D must have exactly the same options as the -A (or -I
847 or -R) command. If there are multiple identical rules in the same
848 chain, only the first will be deleted.
850 -D ¤Î½ñ¤Êý¤Ï¡¢-A (¤Þ¤¿¤Ï -I ¤« -R) ¥³¥Þ¥ó¥É¤Î¤È¤¤ÈÀµ³Î¤ËƱ¤¸
851 ¥ª¥×¥·¥ç¥ó¤Ç¤Ê¤±¤ì¤Ð¤Ê¤ê¤Þ¤»¤ó¡£¤â¤·¡¢Æ±°ì¥Á¥§¥¤¥óÃæ¤ËÊ£¿ô¤Î¥Þ¥Ã¥Á
852 ¤¹¤ë¥ë¡¼¥ë¤¬¤¢¤Ã¤¿¤é¡¢ºÇ½é¤Î¤À¤±¤¬ºï½ü¤µ¤ì¤Þ¤¹¡£
855 <sect1>Filtering Specifications
857 <sect1>¥Õ¥£¥ë¥¿¥ê¥ó¥°¤Î»ÅÍÍ
861 We have seen the use of `-p' to specify protocol, and `-s' to specify
862 source address, but there are other options we can use to specify
863 packet characteristics. What follows is an exhaustive compendium.
865 ¤³¤ì¤Þ¤Ç¤Ë¡¢¥×¥í¥È¥³¥ë¤ò»ØÄꤹ¤ë `-p' ¥ª¥×¥·¥ç¥ó¤È¡¢¥½¡¼¥¹¥¢¥É¥ì¥¹¤ò
866 »ØÄꤹ¤ë `-s' ¥ª¥×¥·¥ç¥ó¤ò¸«¤Æ¤¤Þ¤·¤¿¤¬¡¢¤³¤Î¾¤Ë¤â¥Ñ¥±¥Ã¥È¤ÎÆÃħ¤ò
867 »ØÄꤹ¤ëÍÍ¡¹¤Ê¥ª¥×¥·¥ç¥ó¤¬¤¢¤ê¤Þ¤¹¡£¤³¤ì¤«¤é¡¢¤½¤Î³µÍפò¤¢¤Þ¤¹¤È¤³¤í¤Ê¤¯
871 <sect2>Specifying Source and Destination IP Addresses
873 <sect2>¥½¡¼¥¹¤È¤¢¤ÆÀè IP ¥¢¥É¥ì¥¹¤Î»ØÄê
877 Source (`-s', `--source' or `--src') and destination (`-d',
878 `--destination' or `--dst') IP addresses can be specified in four
879 ways. The most common way is to use the full name, such as
880 `localhost' or `www.linuxhq.com'. The second way is to specify the IP
881 address such as `127.0.0.1'.
883 ¥½¡¼¥¹(`-s', `--source' ¤Þ¤¿¤Ï `--src') ¤ª¤è¤Ó¡¢¤¢¤ÆÀè(`-d',
884 `--destination' ¤Þ¤¿¤Ï `--dst') IP ¥¢¥É¥ì¥¹¤Ï 4Ä̤ê¤Î»ØÄêÊýË¡¤¬
885 ¤¢¤ê¤Þ¤¹¡£¤â¤Ã¤È¤â°ìÈÌŪ¤ÊÊýË¡¤Ï´°Á´¤Ëµ½Ò¤µ¤ì¤¿Ì¾Á°(FQDN)¤ò»È¤¦¤³¤È¤Ç¡¢
886 Î㤨¤Ð¡¢`localhost' ¤È¤« `www.linuxhq.com' ¤Ç¤¹¡£2ÈÖÌܤÎÊýË¡¤Ï `127.0.0.1'
887 ¤Î¤è¤¦¤Ê IP ¥¢¥É¥ì¥¹¤ò»ØÄꤹ¤ëÊýË¡¤Ç¤¹¡£
891 The third and fourth ways allow specification of a group of IP
892 addresses, such as `199.95.207.0/24' or `199.95.207.0/255.255.255.0'.
893 These both specify any IP address from 199.95.207.0 to 199.95.207.255
894 inclusive; the digits after the `/' tell which parts of the IP address
895 are significant. `/32' or `/255.255.255.255' is the default (match
896 all of the IP address). To specify any IP address at all `/0' can be
899 3ÈÖÌÜ¤È 4ÈÖÌܤÎÊýË¡¤Ï IP ¥¢¥É¥ì¥¹¤Î¥°¥ë¡¼¥×¤ò»ØÄꤹ¤ëÊýË¡¤Ç¡¢
900 `199.95.207.0/24' ¤È¤« `199.95.207.0/255.255.255.0' ¤Î¤è¤¦¤Ë½ñ¤¤Þ¤¹¡£
901 ξÊý¤È¤â 199.95.207.0 ¤«¤é 199.95.207.255 ¤Þ¤Ç¤Î¤É¤Î IP ¥¢¥É¥ì¥¹¤â
902 ´Þ¤Þ¤ì¤ë»ØÄê¤Ç¡¢¿ô»ú¤Î¤¢¤È¤Î `/' ¤Ï IP ¥¢¥É¥ì¥¹¤Î¤É¤ÎÉôʬ¤Þ¤Ç͸ú¤«¤ò
903 ¼¨¤·¤Æ¤¤¤Þ¤¹¡£¾Êά»þ¤Ï `/32' ¤Þ¤¿¤Ï `/255.255.255.255' (IP ¥¢¥É¥ì¥¹¤Î
904 ´°Á´°ìÃ×)¤Ç¤¹¡£¤É¤ó¤Ê IP ¥¢¥É¥ì¥¹¤Ç¤â¤è¤¤¾ì¹ç¤Ï¡¢°Ê²¼¤Î¤è¤¦¤Ë `/0' ¤¬
908 [ NOTE: `-s 0/0' is redundant here. ]
909 # iptables -A INPUT -s 0/0 -j DROP
913 [ Ãíµ: `-s 0/0' ¤Ï¤³¤³¤Ç¤Ï¾éŤǤ¹¡£]
914 # iptables -A INPUT -s 0/0 -j DROP
919 This is rarely used, as the effect above is the same as not specifying
920 the `-s' option at all.
922 ¾åµ¤Î¸ú²Ì¤Ï `-s' ¥ª¥×¥·¥ç¥ó¤ò»ØÄꤷ¤Ê¤¤¤Î¤ÈÁ´¤¯Æ±¤¸¤Ê¤Î¤Ç¡¢
923 ¤³¤ó¤Ê»È¤¤Êý¤Ï¤á¤Ã¤¿¤Ë¤·¤Þ¤»¤ó¡£
926 <sect2>Specifying Inversion
932 Many flags, including the `-s' (or `--source') and `-d'
933 (`--destination') flags can have their arguments preceded by `!'
934 (pronounced `not') to match addresses NOT equal to the ones given.
935 For example. `-s ! localhost' matches any packet <bf>not</bf> coming
938 `-s' (¤Þ¤¿¤Ï `--source') ¤ä `-d' (`--destination') ¥ª¥×¥·¥ç¥ó
939 ¤ò´Þ¤á¤Æ¿¤¯¤Î¥ª¥×¥·¥ç¥ó¤Ï¡¢`!' (ÈÝÄê¤ÎÀë¸À)¤ò
940 ¤½¤Î°ú¿ô¤ÎÁ°¤ËÃÖ¤¯¤³¤È¤¬¤Ç¤¤Þ¤¹¡£`-s' ¤ä `-d' ¤Î¾ì¹ç¤ÏÍ¿¤¨¤é¤ì¤¿
941 ¥¢¥É¥ì¥¹¤ÈÅù¤·¤¯¤Ê¤¤¥¢¥É¥ì¥¹¤È¥Þ¥Ã¥Á¤·¤Þ¤¹¡£
942 Î㤨¤Ð¡¢`-s ! localhost' ¤Ï localhost ¤«¤é<bf>¤Ç¤Ê¤¤</bf>¥Ñ¥±¥Ã¥È¤È
946 <sect2>Specifying Protocol
948 <sect2>¥×¥í¥È¥³¥ë¤Î»ØÄê
952 The protocol can be specified with the `-p' (or `--protocol') flag.
953 Protocol can be a number (if you know the numeric protocol values for
954 IP) or a name for the special cases of `TCP', `UDP' or `ICMP'. Case
955 doesn't matter, so `tcp' works as well as `TCP'.
957 ¥×¥í¥È¥³¥ë¤Ï `-p' (¤Þ¤¿¤Ï `--protocol') ¥ª¥×¥·¥ç¥ó¤Ç»ØÄꤷ¤Þ¤¹¡£
958 ¥×¥í¥È¥³¥ë¤ÎÃͤÏÈÖ¹æ(¤¢¤Ê¤¿¤¬ IP ¤Î¥×¥í¥È¥³¥ë¤Î¿ôÃÍÈÖ¹æ¤òÃΤäÆ
959 ¤¤¤ë¾ì¹ç)¤« `TCP', `UDP' ¤Þ¤¿¤Ï `ICMP' ¤È¤¤¤¦ÆÃÄê¤Î̾¾Î¤Ç»ØÄꤷ¤Þ¤¹¡£
960 Âçʸ»ú¾®Ê¸»ú¤Î¶èÊ̤Ϥ·¤Þ¤»¤ó¤«¤é¡¢`tcp' ¤â `TCP' ¤ÈƱ¤¸Æ¯¤¤ò¤·¤Þ¤¹¡£
964 The protocol name can be prefixed by a `!', to invert it, such as `-p
965 ! TCP' to specify packets which are <bf>not</bf> TCP.
967 ¥×¥í¥È¥³¥ë̾¾Î¤Ï¤½¤ì¤òÈÝÄꤹ¤ë¤¿¤á¤Ë `!' ¤òÁ°¤ËÉÕ¤±¤ë¤³¤È¤¬¤Ç¤¤Þ¤¹¡£
968 Î㤨¤Ð¡¢`-p ! TCP' ¤Ï TCP <bf>¤Ç¤Ê¤¤</bf>¥Ñ¥±¥Ã¥È¤ò»ØÄꤷ¤Þ¤¹¡£
971 <sect2>Specifying an Interface
973 <sect2>¥¤¥ó¥¿¡¼¥Õ¥§¥¤¥¹¤Î»ØÄê
977 The `-i' (or `--in-interface') and `-o' (or `--out-interface') options
978 specify the name of an <bf>interface</bf> to match. An interface is
979 the physical device the packet came in on (`-i') or is going out on
980 (`-o'). You can use the <tt>ifconfig</tt> command to list the
981 interfaces which are `up' (i.e., working at the moment).
983 `-i' (¤Þ¤¿¤Ï `--in-interface') ¤È `-o' (¤Þ¤¿¤Ï `--out-interface')
984 ¥ª¥×¥·¥ç¥ó¤Ï¥Þ¥Ã¥Á¤¹¤Ù¤<bf>¥¤¥ó¥¿¡¼¥Õ¥§¥¤¥¹</bf>¤Î̾Á°¤ò»ØÄꤷ¤Þ¤¹¡£
985 ¥¤¥ó¥¿¡¼¥Õ¥§¥¤¥¹¤È¤Ï¡¢¥Ñ¥±¥Ã¥È¤¬Æþ¤Ã¤ÆÍè¤ë (`-i') ¤Þ¤¿¤Ï½Ð¤Æ¹Ô¤¯
986 (`-o') ʪÍý¥Ç¥Ð¥¤¥¹¤Ç¤¹¡£`ifconfig' ¥³¥Þ¥ó¥É¤ò»È¤Ã¤Æ `up' ¤Ç¤¢¤ë
987 (¤¹¤Ê¤ï¤Á¡¢º£Æ°¤¤¤Æ¤¤¤ë)¥¤¥ó¥¿¡¼¥Õ¥§¥¤¥¹¤ò¥ê¥¹¥È¥¢¥Ã¥×¤Ç¤¤Þ¤¹¡£
991 Packets traversing the <tt>INPUT</tt> chain don't have an output
992 interface, so any rule using `-o' in this chain will never match.
993 Similarly, packets traversing the <tt>OUTPUT</tt> chain don't have an
994 input interface, so any rule using `-i' in this chain will never match.
996 <tt>INPUT</tt> ¥Á¥§¥¤¥ó¤ËÆþ¤Ã¤ÆÍè¤ë¥Ñ¥±¥Ã¥È¤Ë¤Ï output ¥¤¥ó¥¿¡¼¥Õ¥§¥¤¥¹
997 ¤¬Ìµ¤¤¤Î¤Ç¡¢¤³¤Î¥Á¥§¥¤¥ó¤Ç `-o' ¤ò»È¤Ã¤¿¥ë¡¼¥ë¤Ï·è¤·¤Æ¥Þ¥Ã¥Á¤·¤Þ¤»¤ó¡£
998 ƱÍͤˡ¢<tt>OUTPUT</tt> ¥Á¥§¥¤¥ó¤ËÆþ¤Ã¤ÆÍè¤ë¥Ñ¥±¥Ã¥È¤Ë¤Ï
999 input ¥¤¥ó¥¿¡¼¥Õ¥§¥¤¥¹¤¬Ìµ¤¤¤Î¤Ç¡¢¤³¤Î¥Á¥§¥¤¥ó¤Ç `-i' ¤ò»È¤Ã¤¿¥ë¡¼¥ë¤Ï
1000 ·è¤·¤Æ¥Þ¥Ã¥Á¤·¤Þ¤»¤ó¡£
1003 <p>Only packets traversing the <tt>FORWARD</tt> chain have both an
1004 input and output interface.
1006 <p><tt>FORWARD</tt> ¥Á¥§¥¤¥ó¤ËÆþ¤Ã¤ÆÍè¤ë¥Ñ¥±¥Ã¥È¤À¤±¤¬¡¢input ¤È output
1007 ¤ÎξÊý¤Î¥¤¥ó¥¿¡¼¥Õ¥§¥¤¥¹¤ò»ý¤Ã¤Æ¤¤¤Þ¤¹¡£
1011 It is perfectly legal to specify an interface that currently does not
1012 exist; the rule will not match anything until the interface comes up.
1013 This is extremely useful for dial-up PPP links (usually interface
1014 <tt>ppp0</tt>) and the like.
1016 ¸½ºß¸ºß¤·¤Æ¤¤¤Ê¤¤¥¤¥ó¥¿¡¼¥Õ¥§¥¤¥¹¤ò»ØÄꤹ¤ë¤³¤È¤ÏÁ´¤¯ÌäÂ꤬¤¢¤ê¤Þ¤»¤ó
1017 ¤¬¡¢»ØÄꤷ¤¿¥¤¥ó¥¿¡¼¥Õ¥§¥¤¥¹¤¬ up ¤·¤ÆÍè¤ë¤Þ¤Ç¥ë¡¼¥ë¤¬¥Þ¥Ã¥Á¤¹¤ë¤³¤È¤Ï
1018 ¤¢¤ê¤Þ¤»¤ó¡£¤³¤ì¤Ï¥À¥¤¥¢¥ë¥¢¥Ã¥× PPP ¥ê¥ó¥¯(Ä̾磻¥ó¥¿¡¼¥Õ¥§¥¤¥¹¤Ï
1019 <tt>ppp0</tt> )¤äƱÍͤΤâ¤Î¤Ë¤Ä¤¤¤ÆÈó¾ï¤Ë͸ú¤Ç¤¹¡£
1023 As a special case, an interface name ending with a `+' will match all
1024 interfaces (whether they currently exist or not) which begin with that
1025 string. For example, to specify a rule which matches all PPP
1026 interfaces, the <tt>-i ppp+</tt> option would be used.
1028 ÆÃÊ̤ʥ±¡¼¥¹¤È¤·¤Æ¡¢¥¤¥ó¥¿¡¼¥Õ¥§¥¤¥¹Ì¾¤Î¸å¤í¤Ë `+' ¤òÉÕ¤±¤¿¤â¤Î¤Ï¤½¤Î
1029 ʸ»úÎ󤫤é»Ï¤Þ¤ëÁ´¤Æ¤Î¥¤¥ó¥¿¡¼¥Õ¥§¥¤¥¹(¸½ºß¸ºß¤·¤Æ¤è¤¦¤È¤Ê¤«¤í¤¦¤È)
1030 ¤Ë¥Þ¥Ã¥Á¤·¤Þ¤¹¡£Î㤨¤Ð¡¢Á´¤Æ¤Î PPP ¥¤¥ó¥¿¡¼¥Õ¥§¥¤¥¹¤Ë¥Þ¥Ã¥Á¤¹¤ë¥ë¡¼¥ë
1031 ¤Î»ØÄê¤Ï¡¢<tt>-i ppp+</tt> ¥ª¥×¥·¥ç¥ó¤ò»È¤¤¤Þ¤¹¡£
1035 The interface name can be preceded by a `!' with spaces around it, to
1036 match a packet which does <bf>not</bf> match the specified
1037 interface(s), eg <tt>-i ! ppp+</tt>.
1039 »ØÄꤷ¤¿¥¤¥ó¥¿¡¼¥Õ¥§¥¤¥¹¤È°ìÃ×<bf>¤·¤Ê¤¤</bf>¥Ñ¥±¥Ã¥È¤Ë¥Þ¥Ã¥Á¤¹¤ë¤è¤¦¤Ë
1040 ¥¤¥ó¥¿¡¼¥Õ¥§¥¤¥¹Ì¾¤ÎÁ°¤Ë¤ÏÁ°¸å¤Ë¶õÇò¤ò¶´¤ó¤Ç `!' ¤òÃÖ¤¯¤³¤È¤¬¤Ç¤¤Þ¤¹¡£
1041 Î㤨¤Ð¡¢<tt>-i ! ppp+</tt> ¤È¤·¤Þ¤¹¡£
1044 <sect2>Specifying Fragments
1046 <sect2>¥Õ¥é¥°¥á¥ó¥È¤Î»ØÄê
1050 Sometimes a packet is too large to fit down a wire all at once. When
1051 this happens, the packet is divided into <bf>fragments</bf>, and sent
1052 as multiple packets. The other end reassembles these fragments to
1053 reconstruct the whole packet.
1055 ¤È¤¤É¤¥Ñ¥±¥Ã¥È¤¬¡¢°ìÅ٤˥±¡¼¥Ö¥ë¤ËÁ÷¤ê½Ð¤¹¤Ë¤ÏÂ礲᤮¤ë¤³¤È¤¬¤¢¤ê¤Þ¤¹¡£
1056 ¤³¤ó¤Ê¤È¤¤Ï¡¢¥Ñ¥±¥Ã¥È¤Ï¥Õ¥é¥°¥á¥ó¥È¤Ëʬ³ä¤µ¤ì¡¢Ê£¿ô¤Î¥Ñ¥±¥Ã¥È¤ÇÁ÷¤é¤ì
1057 ¤Þ¤¹¡£¼õ¿®ÅÀ¤Ç¤³¤ì¤é¤Î¥Õ¥é¥°¥á¥ó¥È¤òºÆ¤Ó½¸¤á¤Æ´°Á´¤Ê¥Ñ¥±¥Ã¥È¤ËºÆ¹½À®
1062 The problem with fragments is that the initial fragment has the
1063 complete header fields (IP + TCP, UDP and ICMP) to examine, but
1064 subsequent packets only have a subset of the headers (IP without the
1065 additional protocol fields). Thus looking inside subsequent fragments
1066 for protocol headers (such as is done by the TCP, UDP and ICMP
1067 extensions) is not possible.
1069 ¥Õ¥é¥°¥á¥ó¥È¤ÎÌäÂêÅÀ¤Ï¡¢ÀèƬ¤Î¥Õ¥é¥°¥á¥ó¥È¤Ë¤Ï´°Á´¤Ê
1070 ¥Ø¥Ã¥À¡¼¥Õ¥£¡¼¥ë¥É(IP + TCP, UDP ¤ª¤è¤Ó ICMP)¤¬¤¢¤ê¸¡ºº¤Ç¤¤Þ¤¹¤¬¡¢
1071 ¸å³¤Î¥Ñ¥±¥Ã¥È¤Ë¤Ï¥Ø¥Ã¥À¡¼Á´¤Æ¤¬Â·¤Ã¤Æ¤¤¤Þ¤»¤ó(IP ¥Ø¥Ã¥À¡¼¤À¤±¤Ç
1072 ÄɲäΥץí¥È¥³¥ë¥Õ¥£¡¼¥ë¥É¤Ï̵¤·)¡£½¾¤Ã¤Æ¸å³¤Î¥Õ¥é¥°¥á¥ó¥È¤Î
1073 ¥×¥í¥È¥³¥ë¸ÇͥإåÀ¡¼(TCP, UDP ¤ª¤è¤Ó ICMP ¤Ç³ÈÄ¥¤µ¤ì¤¿)¤ò¤Î¤¾¤¹þ¤à
1078 If you are doing connection tracking or NAT, then all fragments will
1079 get merged back together before they reach the packet filtering code,
1080 so you need never worry about fragments.
1082 ¤â¤·¡¢¥³¥Í¥¯¥·¥ç¥óÄÉÀפä NAT ¤ò¹Ô¤Ã¤Æ¤¤¤ë¤Ê¤é¡¢Á´¤Æ¤Î¥Õ¥é¥°¥á¥ó¥È¤Ï
1083 ¥Ñ¥±¥Ã¥È¥Õ¥£¥ë¥¿¥ê¥ó¥°¤Î¥³¡¼¥É¤ËÆϤ¯Á°¤Ë¥Þ¡¼¥¸¤µ¤ì¤Æ¸µÄ̤ê¤Ë¤µ¤ì¤ë
1084 ¤Î¤Ç¡¢¥Õ¥é¥°¥á¥ó¥È¤Ë¤Ä¤¤¤Æ¿´ÇÛ¤¹¤ëɬÍפϤ¢¤ê¤Þ¤»¤ó¡£
1088 Otherwise, it is important to understand how fragments get treated by
1089 the filtering rules. Any filtering rule that asks for information we
1090 don't have will <em>not</em> match. This means that the first fragment is
1091 treated like any other packet. Second and further fragments won't be.
1092 Thus a rule <tt>-p TCP --sport www</tt> (specifying a source port of
1093 `www') will never match a fragment (other than the first fragment).
1094 Neither will the opposite rule <tt>-p TCP --sport ! www</tt>.
1096 ¤½¤¦¤Ç¤Ê¤±¤ì¤Ð¡¢¥Õ¥£¥ë¥¿¥ê¥ó¥°¥ë¡¼¥ë¤¬¥Õ¥é¥°¥á¥ó¥È¤ò¤É¤Î¤è¤¦¤Ë°·¤¦¤«
1097 ¤òÍý²ò¤¹¤ë¤³¤È¤¬½ÅÍפǤ¹¡£¾ðÊó¤¬Ìµ¤±¤ì¤Ð¤É¤ó¤Ê¥Õ¥£¥ë¥¿¥ê¥ó¥°¥ë¡¼¥ë¤â
1098 ¥Þ¥Ã¥Á<em>¤·¤Þ¤»¤ó</em>¡£¤³¤Î°ÕÌ£¤¹¤ë¤È¤³¤í¤Ï 1ÈÖÌܤΥե饰¥á¥ó¥È¤Ï
1099 ¾¤Î¥Ñ¥±¥Ã¥È¤ÈƱ¤¸¤è¤¦¤Ë°·¤ï¤ì¤Þ¤¹¡£2ÈÖÌܰʹߤΥե饰¥á¥ó¥È¤Ï°Û¤Ê¤ê
1100 ¤Þ¤¹¡£½¾¤Ã¤Æ <tt>-p TCP --sport www</tt> ¤È¤¤¤¦¥ë¡¼¥ë(¥½¡¼¥¹¥Ý¡¼¥È¤¬
1101 `www' ¤Î»ØÄê)¤Ï¥Õ¥é¥°¥á¥ó¥È(1ÈÖÌܤΥե饰¥á¥ó¥È°Ê³°)¤È·è¤·¤Æ¥Þ¥Ã¥Á
1102 ¤·¤Þ¤»¤ó¡£Æ±ÍͤËÈÝÄê¤Î¥ë¡¼¥ë <tt>-p TCP --sport ! www</tt> ¤â¥Þ¥Ã¥Á
1107 However, you can specify a rule specifically for second and further
1108 fragments, using the `-f' (or `--fragment') flag. It is also legal to
1109 specify that a rule does <em>not</em> apply to second and further
1110 fragments, by preceding the `-f' with ` ! '.
1112 ¤È¤Ï¤¤¤¨¡¢`-f' (¤Þ¤¿¤Ï `--fragment')¥ª¥×¥·¥ç¥ó¤ò»È¤Ã¤Æ 2ÈÖÌܰʹߤÎ
1113 ¥Õ¥é¥°¥á¥ó¥È¤òÆÃÄꤹ¤ë¥ë¡¼¥ë¤ò»ØÄê¤Ç¤¤Þ¤¹¡£¤Þ¤¿¡¢` ! ' ¤ò `-f' ¤Î
1114 Á°¤ËÉÕ¤±¤Æ(ÌõÃí: <tt/! -f/ ¤È¤·¤Æ) 2ÈÖÌܰʹߤΥե饰¥á¥ó¥È¤ÈŬ¹ç
1115 <em>¤·¤Ê¤¤</em>¥ë¡¼¥ë¤Î»ØÄê¤â¤Ç¤¤Þ¤¹¡£
1119 Usually it is regarded as safe to let second and further fragments
1120 through, since filtering will effect the first fragment, and thus
1121 prevent reassembly on the target host; however, bugs have been known
1122 to allow crashing of machines simply by sending fragments. Your call.
1124 Ä̾¥Õ¥£¥ë¥¿¥ê¥ó¥°¤Ï 1ÈÖÌܤΥե饰¥á¥ó¥È¤Ë¸úÎϤ¬¤¢¤ë¤Î¤Ç¡¢ÌÜŪ¤Î
1125 ¥Û¥¹¥È¤Ç¤Î¥Õ¥é¥°¥á¥ó¥È¤ÎºÆÁȤßΩ¤Æ¤ò˸¤²¤ë¤¿¤á¡¢2ÈÖÌܰʹߤΥե饰¥á¥ó¥È
1126 ¤òÄ̲ᤵ¤»¤ë¤³¤È¤Ï°ÂÁ´¤È¤ß¤Ê¤µ¤ì¤Æ¤¤¤Þ¤¹¡£¤È¤Ï¤¤¤¨¡¢¥Õ¥é¥°¥á¥ó¥È¤òÁ÷¤ë
1127 ¤³¤È¤Ë¤è¤ê´Êñ¤Ë¥Þ¥·¥ó¤ò¥¯¥é¥Ã¥·¥å¤µ¤»¤ë¤³¤È¤¬¤Ç¤¤ë¥Ð¥°¤¬ÃΤé¤ì¤Æ
1128 ¤¤¤Þ¤¹¡£Ä´¤Ù¤Æ¤¯¤À¤µ¤¤¤Í¡£
1129 <!-- Your call ¤¢¤Ê¤¿¤ÎÍ׵ᡢ¤«¤é°ÕÌõ¡£¼«¿®¤Ê¤·¡£ -->
1133 Note for network-heads: malformed packets (TCP, UDP and ICMP packets
1134 too short for the firewalling code to read the ports or ICMP code and
1135 type) are dropped when such examinations are attempted. So are TCP
1136 fragments starting at position 8.
1138 ¥Í¥Ã¥È¥ï¡¼¥¯´ÉÍý¼Ô¤Î¤¿¤á¤ÎÃíµ: °Û¾ï¤Ê¥Ñ¥±¥Ã¥È(TCP, UDP ¤ª¤è¤Ó ICMP ¤Î
1139 ¥Ñ¥±¥Ã¥È¤Çû¤¹¤®¤Æ¥Õ¥¡¥¤¥¢¡¼¥¦¥©¡¼¥ë¤Î¥³¡¼¥É¤¬¥Ý¡¼¥ÈÈÖ¹æ¤Þ¤¿¤Ï ICMP ¤Î
1140 ¥³¡¼¥É¤È¼ïÎà¤òÆɤá¤Ê¤¤¤â¤Î)¤Ï¤½¤ì¤é¤Î¸¡ºº¤¬»î¤ß¤é¤ì¤ë¤È¤ÇË´þ¤µ¤ì¤Þ¤¹¡£
1141 ¤½¤ì¤Ç TCP ¥Ñ¥±¥Ã¥È¤Î¥Õ¥é¥°¥á¥ó¥È¤Î°ÌÃ֤ϺÇÄã¤Ç¤â 8 ¤«¤é»Ï¤Þ¤ê¤Þ¤¹¡£
1142 <!-- ÌõÃí¤¬É¬Íפ«? ICMP: ¼ïÎà(1)+¥³¡¼¥É(1)
1143 TCP: ¥½¡¼¥¹¥Ý¡¼¥È(2)+¤¢¤ÆÀè¥Ý¡¼¥È(2)+¥·¡¼¥±¥ó¥¹ÈÖ¹æ(4)
1148 As an example, the following rule will drop any fragments going to
1151 Î㤨¤Ð¡¢¼¡¤Î¥ë¡¼¥ë¤Ï 192.168.1.1 ¤Ø¹Ô¤¯¥Õ¥é¥°¥á¥ó¥È¤Ï¤É¤ì¤Ç¤âÇË´þ¤·¤Þ¤¹:
1154 # iptables -A OUTPUT -f -d 192.168.1.1 -j DROP
1159 <sect2>Extensions to iptables: New Matches
1161 <sect2>iptables ¤Ø¤Î³ÈÄ¥ ¡½ ¿·¤·¤¤¥Þ¥Ã¥Á
1164 <p><tt>iptables</tt> is <bf>extensible</bf>, meaning that both the
1165 kernel and the iptables tool can be extended to provide new features.
1167 <p><tt>iptables</tt> ¤Ï<bf>³ÈÄ¥À</bf>¤ËÉÙ¤ó¤Ç¤¤¤Þ¤¹¡¢¤½¤Î°ÕÌ£¤¹¤ë
1168 ¤È¤³¤í¤Ï¡¢¥«¡¼¥Í¥ë¤È iptables ¥Ä¡¼¥ë¤ÎξÊý¤¬¿·¤·¤¤µ¡Ç½¤òÄ󶡤¹¤ë¤¿¤á¤Ë
1169 ³ÈÄ¥²Äǽ¤Ç¤¢¤ë¤È¸À¤¦¤³¤È¤Ç¤¹¡£
1172 <p>Some of these extensions are standard, and other are more exotic.
1173 Extensions can be made by other people and distributed separately for
1176 <p>¤³¤ì¤é¤Î³ÈÄ¥¤Ë¤Ïɸ½àŪ¤Ê¤â¤Î¤â¤¢¤ê¤Þ¤¹¤¬¡¢¤â¤Ã¤ÈÉ÷ÊѤï¤ê¤Ê¤â¤Î¤â
1177 ¤¢¤ê¤Þ¤¹¡£»äã°Ê³°¤Î¿Í¡¹¤¬³ÈÄ¥¤òºî¤Ã¤ÆÆüì¤ÊÍøÍѼԤ˸ÄÊ̤ËÇÛÉÛ¤¹¤ë
1181 <p>Kernel extensions normally live in the kernel module subdirectory,
1182 such as /lib/modules/2.4.0-test10/kernel/net/ipv4/netfilter. They are demand loaded if your
1183 kernel was compiled with CONFIG_KMOD set, so you should not need to
1184 manually insert them.
1186 <p>¥«¡¼¥Í¥ë¤Î³ÈÄ¥¤Ï¡¢Ä̾參¡¼¥Í¥ë¥â¥¸¥å¡¼¥ë¤Î¥µ¥Ö¥Ç¥£¥ì¥¯¥È¥ê¡¢
1187 Î㤨¤Ð /lib/modules/2.4.0-test10/kernel/net/ipv4/netfilter ¤Ë¸ºß¤·¤Þ¤¹¡£
1189 CONFIG_KMOD ¤ò¥»¥Ã¥È¤·¤Æ¥³¥ó¥Ñ¥¤¥ë¤µ¤ì¤Æ¤¤¤ì¤ÐÍ×µá»þ¤Ë¥í¡¼¥É¤µ¤ì¤Þ¤¹¡£
1192 <p>Extensions to the iptables program are shared libraries which
1193 usually live in /usr/local/lib/iptables/, although a distribution
1194 would put them in /lib/iptables or /usr/lib/iptables.
1196 <p>iptables ¥×¥í¥°¥é¥à¤Ø¤Î³ÈÄ¥¤Ï¡¢¶¦Í¥é¥¤¥Ö¥é¥ê¤ÇÄ̾ï¤Ï
1197 /usr/local/lib/iptables/ ¤Ë¸ºß¤·¤Þ¤¹¡£¥Ç¥£¥¹¥È¥ê¥Ó¥å¡¼¥·¥ç¥ó¤Ë
1198 ¤è¤Ã¤Æ¤Ï /lib/iptables ¤Þ¤¿¤Ï /usr/lib/iptables ¤ËÃÖ¤«¤ì¤Þ¤¹¡£
1201 <p>Extensions come in two types: new targets, and new matches (we'll
1202 talk about new targets a little later). Some protocols automatically
1203 offer new tests: currently these are TCP, UDP and ICMP as shown below.
1205 <p>³ÈÄ¥¤Ë¤Ï 2¼ïÎढ¤ê¤Þ¤¹: ¿·¤·¤¤¥¿¡¼¥²¥Ã¥È¡¢¤½¤·¤Æ¿·¤·¤¤¥Þ¥Ã¥Á¤Ç¤¹
1206 (¿·¤·¤¤¥¿¡¼¥²¥Ã¥È¤Ë¤Ä¤¤¤Æ¤Ï¡¢¤â¤¦¾¯¤·¸å¤Ç¤ªÏä·¤Þ¤¹)¡£¤¤¤¯¤Ä¤«¤Î
1207 ¥×¥í¥È¥³¥ë¤Ï¼«Æ°Åª¤Ë¿·¤·¤¤¸¡ºº¤òÄ󶡤·¤Þ¤¹: ¸½ºß¤Î¤È¤³¤í°Ê²¼¤Ë¼¨¤¹
1208 TCP, UDP ¤ª¤è¤Ó ICMP ¤¬¤¢¤ê¤Þ¤¹¡£
1209 <!-- 2000/9/13 ( ) ¤Î¤È¤³¤í¤¬Êѹ¹¤µ¤ì¤Þ¤·¤¿¡£-->
1212 <p>For these you will be able to specify the new tests on the command
1213 line after the `-p' option, which will load the extension. For
1214 explicit new tests, use the `-m' option to load the extension, after
1215 which the extended options will be available.
1217 <p>¤³¤ì¤é¤Ï `-p' ¥ª¥×¥·¥ç¥ó¤Ç³ÈÄ¥¤¬¥í¡¼¥É¤µ¤ì¡¢¤½¤Î¸å¤Î¥³¥Þ¥ó¥É¥é¥¤¥ó¤Ç
1218 ¿·¤·¤¤¸¡ºº¤ò»ØÄê¤Ç¤¤Þ¤¹¡£¿·¤·¤¤¸¡ºº¤ò»ØÄꤹ¤ë¤Ë¤Ï¡¢`-m' ¥ª¥×¥·¥ç¥ó¤ò
1219 »È¤¦¤È³ÈÄ¥¤¬¥í¡¼¥É¤µ¤ì¤Æ¡¢³ÈÄ¥¤µ¤ì¤¿¥ª¥×¥·¥ç¥ó¤¬Í¸ú¤Ë¤Ê¤ê¤Þ¤¹¡£
1222 <p>To get help on an extension, use the option to load it (`-p', `-j' or
1223 `-m') followed by `-h' or `--help', eg:
1225 <p>³ÈÄ¥¤Î¥Ø¥ë¥×¤ò¸«¤ë¤Ë¤Ï¡¢³ÈÄ¥¤ò¥í¡¼¥É(`-p', `-j' ¤Þ¤¿¤Ï `-m')¤·¤¿¸å¤Ë
1226 `-h' ¤Þ¤¿¤Ï `--help' ¥ª¥×¥·¥ç¥ó¤ò»È¤¤¤Þ¤¹¡£Î㤨¤Ð:
1228 # iptables -p tcp --help
1233 <sect3>TCP Extensions
1239 The TCP extensions are automatically loaded if `-p tcp' is specified.
1240 It provides the following options (none of which match fragments).
1242 TCP ³ÈÄ¥¤Ï `-p tcp' ¤ò»ØÄꤹ¤ë¤È¼«Æ°Åª¤Ë¥í¡¼¥É¤µ¤ì¤Þ¤¹¡£
1243 °Ê²¼¤Î¥ª¥×¥·¥ç¥ó¤¬Ä󶡤µ¤ì¤Æ¤¤¤Þ¤¹(¥Õ¥é¥°¥á¥ó¥È¤Ï·è¤·¤Æ¥Þ¥Ã¥Á¤·¤Þ¤»¤ó)¡£
1248 <tag>--tcp-flags</tag> Followed by an optional `!', then two strings
1249 of flags, allows you to filter on specific TCP flags. The first
1250 string of flags is the mask: a list of flags you want to examine. The
1251 second string of flags tells which one(s) should be set. For example,
1253 <tag>--tcp-flags</tag> ¸å¤Ë `!' ¥ª¥×¥·¥ç¥ó»ØÄê²Ä¤Ç¡¢2¤Ä¤Î¥Õ¥é¥°Ê¸»úÎó
1254 ¤ò¤È¤ê¡¢»ØÄꤷ¤¿ TCP ¥Õ¥é¥°¤Ç¥Õ¥£¥ë¥¿¡¼¤Ç¤¤Þ¤¹¡£1ÈÖÌܤÎʸ»úÎó¤Ï¥Þ¥¹¥¯
1255 ¤¹¤ë¥Õ¥é¥°¤Ç¡¢¸¡ºº¤·¤¿¤¤¥Õ¥é¥°¤ò½ñ¤Ê¤٤ޤ¹¡£2ÈÖÌܤÎʸ»úÎó¤Ï(ÌõÃí:
1256 1ÈÖÌܤÎʸ»úÎó¤Î¤¦¤Á¤Ç)¥»¥Ã¥È¤µ¤ì¤Æ¤¤¤ë¤Ù¤¥Õ¥é¥°¤ò»ØÄꤷ¤Þ¤¹¡£Î㤨¤Ð¡¢
1259 # iptables -A INPUT --protocol tcp --tcp-flags ALL SYN,ACK -j DROP
1263 This indicates that all flags should be examined (`ALL' is synonymous
1264 with `SYN,ACK,FIN,RST,URG,PSH'), but only SYN and ACK should be set.
1265 There is also an argument `NONE' meaning no flags.
1267 ¤³¤ì¤ÏÁ´¤Æ¤Î¥Õ¥é¥°¤ò¸¡ºº¤·(`ALL' ¤Ï `SYN,ACK,FIN,RST,URG,PSH' ¤ÈƱ¤¸
1268 °ÕÌ£)¡¢SYN ¤È ACK ¤À¤±¤¬¥»¥Ã¥È¤µ¤ì¤Æ¤¤¤ë¤Ù¤¤³¤È¤ò¼¨¤·¤Æ¤¤¤Þ¤¹¡£
1269 ¤Þ¤¿ `NONE' ¤Ï¤É¤Î¥Õ¥é¥°¤â¥»¥Ã¥È¤µ¤ì¤Æ¤¤¤Ê¤¤¤³¤È¤ò°ÕÌ£¤·¤Þ¤¹
1270 (ÌõÃí: `NONE' ¤ò»È¤¦¤Î¤ÏÉáÄÌ¡¢2ÈÖÌܤÎʸ»úÎó¤Ç¡¢1ÈÖÌܤǻØÄꤷ¤¿¥Õ¥é¥°¤¬
1271 Á´¤Æ¥ª¥Õ¤Ç¤¢¤ë¤³¤È¤ò¸¡ºº¤·¤Þ¤¹)¡£
1274 <tag>--syn</tag> Optionally preceded by a `!', this is shorthand
1275 for `--tcp-flags SYN,RST,ACK SYN'.
1277 <tag>--syn</tag> Á°¤Ë `!' ¥ª¥×¥·¥ç¥ó»ØÄê²Ä¤Ç¡¢¤³¤ì¤Ï
1278 `--tcp-flags SYN,RST,ACK SYN' ¤Î¾Êάɽ¸½¤Ç¤¹¡£
1281 <tag>--source-port</tag> followed by an optional `!', then either a
1282 single TCP port, or a range of ports. Ports can be port names, as
1283 listed in /etc/services, or numeric. Ranges are either two port names
1284 separated by a `:', or (to specify greater than or equal to a given
1285 port) a port with a `:' appended, or (to specify less than or equal to
1286 a given port), a port preceded by a `:'.
1288 <tag>--source-port</tag> ¸å¤Ë `!' ¥ª¥×¥·¥ç¥ó»ØÄê²Ä¤Ç¡¢1¤Ä¤Î TCP
1289 ¥Ý¡¼¥È¡¢¤Þ¤¿¤Ï¥Ý¡¼¥È¤ÎÈϰϤΤɤÁ¤é¤Ç¤â»ØÄê¤Ç¤¤Þ¤¹¡£¥Ý¡¼¥È¤Ï
1290 /etc/services ¤Ë°ìÍ÷¤µ¤ì¤Æ¤¤¤ë̾Á°¤Ç¤â¡¢ÈÖ¹æ¤Ç¤â»ØÄê¤Ç¤¤Þ¤¹¡£
1291 ÈϰϤλØÄê¤Ï 2¤Ä¤Î¥Ý¡¼¥È¤ò `:' ¤Ç¶èÀڤ뤫¡¢¸å¤í¤Ë `:' ¤òÉÕ¤±¤ë
1292 (»ØÄꤷ¤¿¥Ý¡¼¥ÈÈÖ¹æ°Ê¾å¤ò¼¨¤¹)¤«¡¢Á°¤Ë `:' ¤òÉÕ¤±¤ë
1293 (»ØÄꤷ¤¿¥Ý¡¼¥ÈÈÖ¹æ°Ê²¼¤ò¼¨¤¹)¤«¤Î¤¤¤º¤ì¤«¤Ç¤¹¡£
1296 <tag>--sport</tag> is synonymous with `--source-port'.
1298 <tag>--sport</tag> ¤Ï `--source-port' ¤ÈƱ¤¸°ÕÌ£¤Ç¤¹¡£
1301 <tag>--destination-port</tag> and <tag>--dport</tag> are the same as
1302 above, only they specify the destination, rather than source, port to
1305 <tag>--destination-port</tag> ¤È <tag>--dport</tag> ¤Ï¾åµ¤ÈƱÍͤǡ¢
1306 ¥½¡¼¥¹¤ÎÂå¤ï¤ê¤Ë¡¢Ã±¤Ë¤¢¤ÆÀè¤Î¥Ý¡¼¥È¤È¥Þ¥Ã¥Á¤¹¤ë¤«¤Î»ØÄê¤Ç¤¹¡£
1309 <tag>--tcp-option</tag> followed by an optional `!' and a number,
1310 matches a packet with a TCP option equaling that number. A packet
1311 which does not have a complete TCP header is dropped automatically if
1312 an attempt is made to examine its TCP options.
1314 <tag>--tcp-option</tag> ¸å¤Ë `!' ¥ª¥×¥·¥ç¥ó»ØÄê²Ä¤Ç¡¢¿ôÃͤò»ØÄꤷ¡¢
1315 ¥Ñ¥±¥Ã¥È¤Î TCP ¥ª¥×¥·¥ç¥ó(ÌõÃí: ¥ª¥×¥·¥ç¥ó¥Õ¥£¡¼¥ë¥É¤Î 1¥Ð¥¤¥ÈÌܤμïÊÌ)
1316 ¤¬»ØÄêÃͤÈÅù¤·¤¤¤È¤¥Þ¥Ã¥Á¤·¤Þ¤¹¡£TCP ¥ª¥×¥·¥ç¥ó¤Î¸¡ºº¤ò¤·¤è¤¦¤È¤¹¤ë
1317 ¤È¤¡¢¥Ñ¥±¥Ã¥È¤Ë TCP ¥Ø¥Ã¥À¡¼¤¬´°Á´¤Ë´Þ¤Þ¤ì¤Æ¤¤¤Ê¤±¤ì¤Ð¥Ñ¥±¥Ã¥È¤Ï
1318 ¼«Æ°Åª¤ËÇË´þ¤µ¤ì¤Þ¤¹¡£
1319 <!-- ¥ª¥×¥·¥ç¥ó¥Õ¥£¡¼¥ë¥É¤Ï²ÄÊÑĹ¡¢Äɲ媥ץ·¥ç¥ó¤Ç MSS ³ÈÄ¥¤¬¤¢¤ë¡£-->
1323 <sect4>An Explanation of TCP Flags
1325 <sect4>TCP ¥Õ¥é¥°¤ÎÀâÌÀ
1329 It is sometimes useful to allow TCP connections in one direction, but
1330 not the other. For example, you might want to allow connections to an
1331 external WWW server, but not connections from that server.
1333 °ìÊý¸þ¤À¤± TCP ¥³¥Í¥¯¥·¥ç¥ó¤òµö²Ä¤·¡¢Â¾Êý¤Ïµö²Ä¤·¤Ê¤¤¤è¤¦¤Ë¤¹¤ë¤³¤È¤Ï
1334 ±ý¡¹¤Ë¤·¤Æ͸ú¤Ç¤¹¡£Î㤨¤Ð¡¢¤¢¤Ê¤¿¤¬³°Éô¤Î WWW ¥µ¡¼¥Ð¡¼¤ÈÀܳ¤·¤¿¤¤¤¬¡¢
1335 ¤½¤Î¥µ¡¼¥Ð¡¼¤«¤é¤ÎÀܳ¤òµö²Ä¤·¤¿¤¯¤Ê¤¤¤È¤¤Ç¤¹¡£
1339 The naive approach would be to block TCP packets coming from the
1340 server. Unfortunately, TCP connections require packets going in both
1341 directions to work at all.
1343 ¤½¤Î¥µ¡¼¥Ð¡¼¤«¤éÍè¤ë TCP ¥Ñ¥±¥Ã¥È¤ò¥Ö¥í¥Ã¥¯¤¹¤ë¤³¤È¤Ï¼«Á³¤ÊÊýË¡¤Ç¤¹¡£
1344 »ÄÇ°¤Ê¤³¤È¤Ë¡¢TCP ¥³¥Í¥¯¥·¥ç¥ó¤Ë¤Ï¤È¤Ë¤«¤¯Î¾Êý¸þ¤Î¥Ñ¥±¥Ã¥È¤¬¹Ô¤Í褹¤ë
1349 The solution is to block only the packets used to request a
1350 connection. These packets are called <bf>SYN</bf> packets (ok,
1351 technically they're packets with the SYN flag set, and the RST and ACK
1352 flags cleared, but we call them SYN packets for short). By
1353 disallowing only these packets, we can stop attempted connections in
1356 ¤½¤Î²ò·èÊý¤Ï¡¢Àܳ¤òÍ׵᤹¤ë¥Ñ¥±¥Ã¥È¤À¤±¤ò¥Ö¥í¥Ã¥¯¤¹¤ë¤³¤È¤Ç¤¹¡£
1357 ¤³¤Î¤è¤¦¤Ê¥Ñ¥±¥Ã¥È¤Ï <bf>SYN</bf> ¥Ñ¥±¥Ã¥È¤È¸Æ¤Ð¤ì¤Æ¤¤¤Þ¤¹(¥ª¡¼¥±¡¼¡¢
1358 µ»½ÑŪ¤Ë¤Ï SYN ¥Õ¥é¥°¤¬¥»¥Ã¥È¤µ¤ì¤Æ¤¤¤Æ¡¢RST ¤È ACK ¥Õ¥é¥°¤¬¥¯¥ê¥¢
1359 ¤µ¤ì¤Æ¤¤¤ë¥Ñ¥±¥Ã¥È¤Ç¤¹¤¬¡¢Ã»½Ì¤·¤Æ SYN ¥Ñ¥±¥Ã¥È¤È¸Æ¤ó¤Ç¤¤¤Þ¤¹)¡£
1360 ¤³¤ì¤é¤Î¥Ñ¥±¥Ã¥È¤À¤±µö²Ä¤·¤Ê¤¤¤è¤¦¤Ë¤¹¤ì¤Ð¡¢¥Ñ¥±¥Ã¥È¤òµÕ¤Ë¤¿¤É¤Ã¤Æ
1361 Àܳ¤·¤ÆÍè¤ë¤Î¤ò»ß¤á¤ë¤³¤È¤¬¤Ç¤¤Þ¤¹¡£
1365 The `--syn' flag is used for this: it is only valid for rules which
1366 specify TCP as their protocol. For example, to specify TCP connection
1367 attempts from 192.168.1.1:
1369 `--syn' ¥ª¥×¥·¥ç¥ó¤Ï¤³¤Î¤¿¤á¤Ë»È¤ï¤ì¤Þ¤¹¡£¤³¤Î¥ª¥×¥·¥ç¥ó¤Ï TCP ¥×¥í¥È¥³¥ë¤¬
1370 »ØÄꤵ¤ì¤Æ¤¤¤ë¥ë¡¼¥ë¤Ë¤À¤±Í¸ú¤Ç¤¹¡£Î㤨¤Ð¡¢192.168.1.1 ¤«¤é¤Î TCP Àܳ
1373 -p TCP -s 192.168.1.1 --syn
1378 This flag can be inverted by preceding it with a `!', which means
1379 every packet other than the connection initiation.
1381 ¤³¤Î¥ª¥×¥·¥ç¥ó¤Ï `!' ¤òÁ°¤ËÉÕ¤±¤Æ(ÌõÃí: <tt/! --syn/ ¤È¤·¤Æ)ÈÝÄꤹ¤ë¤³¤È
1382 ¤¬¤Ç¤¡¢¤½¤Î°ÕÌ£¤ÏÀܳ³«»Ï¤Î¥Ñ¥±¥Ã¥È¤ò½ü¤¯Á´¤Æ¤Î¥Ñ¥±¥Ã¥È¤Ç¤¹¡£
1385 <sect3>UDP Extensions
1391 These extensions are automatically loaded if `-p udp' is specified.
1392 It provides the options `--source-port', `--sport',
1393 `--destination-port' and `--dport' as detailed for TCP above.
1395 ¤³¤Î³ÈÄ¥¤Ï `-p udp' ¤ò»ØÄꤹ¤ë¤È¼«Æ°Åª¤Ë¥í¡¼¥É¤µ¤ì¤Þ¤¹¡£¥ª¥×¥·¥ç¥ó¤Ï
1396 `--source-port' ¤Þ¤¿¤Ï `--sport' ¤È `--destination-port' ¤Þ¤¿¤Ï `--dport'
1397 ¤¬Ä󶡤µ¤ì¡¢¾ÜºÙ¤Ï TCP ¤ÈƱÍͤǤ¹¡£
1400 <sect3>ICMP Extensions
1406 This extension is automatically loaded if `-p icmp' is specified. It
1407 provides only one new option:
1409 ¤³¤Î³ÈÄ¥¤Ï `-p icmp' ¤ò»ØÄꤹ¤ë¤È¼«Æ°Åª¤Ë¥í¡¼¥É¤µ¤ì¤Þ¤¹¡£¿·¤·¤¤
1410 ¥ª¥×¥·¥ç¥ó¤¬ 1¤Ä¤À¤±Ä󶡤µ¤ì¤Þ¤¹:
1415 <tag>--icmp-type</tag> followed by an optional `!', then either an
1416 icmp type name (eg `host-unreachable'), or a numeric type (eg. `3'),
1417 or a numeric type and code separated by a `/' (eg. `3/3'). A list
1418 of available icmp type names is given using `-p icmp --help'.
1420 <tag>--icmp-type</tag> ¸å¤Ë `!' ¥ª¥×¥·¥ç¥ó»ØÄê²Ä¤Ç¡¢ICMP ¤Î¼ïÎà¤ò̾Á°¤Ç
1421 (Î㤨¤Ð `host-unreachable')¡¢¤Þ¤¿¤Ï¼ïÎà¤ò¿ôÃͤÇ(Î㤨¤Ð `3')¡¢¤Þ¤¿¤Ï¼ïÎà
1422 ¤È¥³¡¼¥É¤ò `/' ¤Ç¶èÀڤ俤â¤Î(Î㤨¤Ð `3/3')¤ò»ØÄꤷ¤Þ¤¹¡£
1423 ICMP ¤Î¼ïÎà¤Ç»ØÄê¤Ç¤¤ë̾Á°¤Î¥ê¥¹¥È¤Ï `-p icmp --help' ¤ÇÆÀ¤é¤ì¤Þ¤¹¡£
1427 <sect3>Other Match Extensions
1429 <sect3>¤½¤Î¾¤Î¥Þ¥Ã¥Á¤Î³ÈÄ¥
1433 The other extensions in the netfilter package are demonstration
1434 extensions, which (if installed) can be invoked with the `-m' option.
1436 netfilter ¥Ñ¥Ã¥±¡¼¥¸¤Î¤½¤Î¾¤Î³ÈÄ¥¤Ï¼Â¾ÚŪ³ÈÄ¥¤Ç¡¢¥¤¥ó¥¹¥È¡¼¥ëºÑ¤ß
1437 ¤Ê¤é `-m' ¥ª¥×¥·¥ç¥ó¤Ç¸Æ¤Ó½Ð¤¹¤³¤È¤¬¤Ç¤¤Þ¤¹¡£
1438 <!-- demonstration ¤¬¤è¤¯Ê¬¤«¤ê¤Þ¤»¤ó¡£-->
1442 <tag>mac</tag> This module must be explicitly specified with `-m mac'
1443 or `--match mac'. It is used for matching incoming packet's source
1444 Ethernet (MAC) address, and thus only useful for packets traversing
1445 the PREROUTING and INPUT chains. It provides only one option:
1447 <tag>mac</tag> ¤³¤Î¥â¥¸¥å¡¼¥ë¤ÏÌÀ¼¨Åª¤Ë `-m mac' ¤Þ¤¿¤Ï `--match mac'
1448 ¤Ç»ØÄꤵ¤ì¤Ê¤±¤ì¤Ð¤Ê¤ê¤Þ¤»¤ó¡£¤³¤ì¤ÏÆþ¤Ã¤ÆÍè¤ë¥Ñ¥±¥Ã¥È¤Îȯ¿®¸µ
1449 ¥¤¡¼¥µ¥Í¥Ã¥È(MAC)¥¢¥É¥ì¥¹¤È¤Î¥Þ¥Ã¥Á¥ó¥°¤Ë»È¤¤¡¢¤½¤Î¤¿¤á¡¢PREROUTING ¤È
1450 INPUT ¥Á¥§¥¤¥ó¤ËÆþ¤Ã¤ÆÍè¤ë¥Ñ¥±¥Ã¥È¤Ë¤À¤±Í¸ú¤Ç¤¹¡£¤³¤Î¥â¥¸¥å¡¼¥ë¤Ï
1451 ¥ª¥×¥·¥ç¥ó¤ò 1¤Ä¤À¤±Ä󶡤·¤Þ¤¹:
1452 <!-- ¤¤¤¤Ê¤ê PREROUTING ¤È¤Ï¡£Á°¾Ï¤ËÌõÃí¤òÄɲä·¤Þ¤·¤¿¡£-->
1456 <tag>--mac-source</tag> followed by an optional `!', then an
1457 ethernet address in colon-separated hexbyte notation, eg
1458 `--mac-source 00:60:08:91:CC:B7'.
1460 <tag>--mac-source</tag> ¸å¤Ë `!' ¥ª¥×¥·¥ç¥ó»ØÄê²Ä¤Ç¡¢¥¤¡¼¥µ¥Í¥Ã¥È
1461 ¥¢¥É¥ì¥¹¤ò¥³¥í¥ó¤Ç¶èÀڤä¿ 16¿Êɽµ¤Ç»ØÄꤷ¤Þ¤¹¡£Î㤨¤Ð¡¢
1462 `--mac-source 00:60:08:91:CC:B7'
1466 <tag>limit</tag> This module must be explicitly specified with `-m
1467 limit' or `--match limit'. It is used to restrict the rate of
1468 matches, such as for suppressing log messages. It will only match a
1469 given number of times per second (by default 3 matches per hour,
1470 with a burst of 5). It takes two optional arguments:
1472 <tag>limit</tag> ¤³¤Î¥â¥¸¥å¡¼¥ë¤ÏÌÀ¼¨Åª¤Ë `-m limit' ¤Þ¤¿¤Ï
1473 `--match limit' ¤Ç»ØÄꤵ¤ì¤Ê¤±¤ì¤Ð¤Ê¤ê¤Þ¤»¤ó¡£¤³¤ì¤Ï¥Þ¥Ã¥Á¤¹¤ë¥ì¡¼¥È
1474 (ÉÑÅÙ)¤òÀ©¸Â¤¹¤ë¤¿¤á¤Ë»È¤ï¤ì¡¢Î㤨¤Ð¡¢¥í¥°¥á¥Ã¥»¡¼¥¸¤òÍ޻ߤ¹¤ë¤¿¤á¤Ë
1475 »È¤¤¤Þ¤¹¡£¤³¤Î¥ª¥×¥·¥ç¥ó¤Ïñ°Ì»þ´Ö¤¢¤¿¤ê¤Ë»ØÄꤵ¤ì¤¿²ó¿ôʬ¤À¤±¥Þ¥Ã¥Á
1476 ¤·¤Þ¤¹(½é´üÃÍ¤Ï 1»þ´Ö¤¢¤¿¤ê 3²ó¤Î¥Þ¥Ã¥Á¤Ç¡¢¥Ð¡¼¥¹¥È¤Ï 5 ¤Ç¤¹)¡£¤³¤ì¤Ï
1477 2¤Ä¤Î¥ª¥×¥·¥ç¥ó°ú¿ô¤ò¤È¤ê¤Þ¤¹:
1478 <!-- per second ¤Ï 1É䢤¿¤ê ¤À¤È¸å¤ÈÏä·¤¬¹ç¤ï¤Ê¤¤¤Î¤Ç ñ°Ì»þ´Ö? -->
1482 <tag>--limit</tag> followed by a number; specifies the maximum
1483 average number of matches to allow per second. The number can
1484 specify units explicitly, using `/second', `/minute', `/hour' or
1485 `/day', or parts of them (so `5/second' is the same as `5/s').
1487 <tag>--limit</tag> ¸å¤Ë¿ôÃͤò»ØÄꤷ¤Þ¤¹¡£Ã±°Ì»þ´Ö¤¢¤¿¤ê¤Ëµö¤µ¤ì¤ë
1488 Ê¿¶Ñ¥Þ¥Ã¥Á²ó¿ô¤ÎºÇÂçÃͤò»ØÄꤷ¤Þ¤¹¡£»ØÄêÃͤϡ¢`/second', `/minute',
1489 `/hour' ¤Þ¤¿¤Ï `/day' ¤ò»È¤Ã¤Æ¡¢¤¢¤ë¤¤¤Ï¤½¤Î°ìÉô(¤½¤ì¤Ç `5/second'
1490 ¤Ï `5/s' ¤ÈƱ¤¸)¤Çñ°Ì¤òÌÀ¼¨¤¹¤ë¤³¤È¤¬¤Ç¤¤Þ¤¹¡£
1493 <tag>--limit-burst</tag> followed by a number, indicating the
1494 maximum burst before the above limit kicks in.
1496 <tag>--limit-burst</tag> ¸å¤Ë¿ôÃͤò»ØÄꤷ¤Þ¤¹¡£¤³¤ì¤Ï¾åµ¤Î limit ¤¬
1497 ºîÆ°¤·»Ï¤á¤ë¼êÁ°¤ÎºÇÂç¥Ð¡¼¥¹¥ÈÃÍ(ÌõÃí: µöÍƤǤ¤ëÆÍȯŪ¤ÊÁýÂç·¸¿ô¤Ç¡¢
1498 Ê¿¶Ñ¥ì¡¼¥È¤ÎÇÜ¿ô)¤ò»ØÄꤷ¤Þ¤¹¡£
1502 This match can often be used with the LOG target to do rate-limited
1503 logging. To understand how it works, let's look at the following
1504 rule, which logs packets with the default limit parameters:
1506 ¤³¤Î¥Þ¥Ã¥Á¤Ï¡¢¤·¤Ð¤·¤Ð¥í¥°¤Î¥ì¡¼¥È(ÉÑÅÙ)À©¸Â¤ò¤¹¤ë¤¿¤á¤Ë LOG ¥¿¡¼¥²¥Ã¥È
1507 ¤È¶¦¤Ë»È¤ï¤ì¤Þ¤¹¡£¤É¤Î¤è¤¦¤ËƯ¤¯¤Î¤«Íý²ò¤¹¤ë¤¿¤á¤Ë¡¢½é´üÃͤΠlimit
1508 ¥Ñ¥é¥á¡¼¥¿¤Ç¥Ñ¥±¥Ã¥È¤ò¥í¥°¤¹¤ë¼¡¤Î¥ë¡¼¥ë¤ò¸«¤Æ¤ß¤Þ¤·¤ç¤¦:
1511 # iptables -A FORWARD -m limit -j LOG
1515 The first time this rule is reached, the packet will be logged; in
1516 fact, since the default burst is 5, the first five packets will be
1517 logged. After this, it will be twenty minutes before a packet will be
1518 logged from this rule, regardless of how many packets reach it. Also,
1519 every twenty minutes which passes without matching a packet, one of
1520 the burst will be regained; if no packets hit the rule for 100
1521 minutes, the burst will be fully recharged; back where we started.
1523 ºÇ½é¤Ë¤³¤Î¥ë¡¼¥ë¤Ë㤷¤¿¤È¤¡¢¥Ñ¥±¥Ã¥È¤Ï¥í¥°¤µ¤ì¤Þ¤¹¡£¼ÂºÝ¡¢½é´üÃͤÎ
1524 ¥Ð¡¼¥¹¥È¤Ï 5 ¤Ê¤Î¤Ç¡¢ºÇ½é¤Î 5¥Ñ¥±¥Ã¥È¤¬¥í¥°¤µ¤ì¤Þ¤¹¡£¤³¤Î¤¢¤È¡¢²¿¸Ä¤Î
1525 ¥Ñ¥±¥Ã¥È¤¬ÆϤ¯¤«¤Ë¤Ï´Ø·¸¤Ê¤¯¡¢20ʬ´Ö¤Ï¤³¤Î¥ë¡¼¥ë¤Ë¤è¤ê¥í¥°¤µ¤ì¤ë¤³¤È¤Ï
1526 ¤¢¤ê¤Þ¤»¤ó¡£¤½¤·¤Æ¡¢20ʬ·Ð²á¤¹¤ëËè¤Ë¥Þ¥Ã¥Á¤¹¤ë¥Ñ¥±¥Ã¥È¤¬¤Ê¤±¤ì¤Ð¡¢
1527 ¥Ð¡¼¥¹¥È¤Ï 1 ¤Å¤Ä²óÉü¤·¤Þ¤¹¡£¤â¤·¡¢100ʬ´Ö¤Ë¥ë¡¼¥ë¤Ë¥Ò¥Ã¥È¤¹¤ë¥Ñ¥±¥Ã¥È
1528 ¤¬¤Ê¤±¤ì¤Ð¡¢¥Ð¡¼¥¹¥È¤Ï´°Á´¤Ë²óÉü¤·¡¢»Ï¤á¤ÈƱ¤¸¤ËÌá¤ê¤Þ¤¹¡£
1531 <p>Note: you cannot currently create a rule with a recharge time
1532 greater than about 59 hours, so if you set an average rate of one per
1533 day, then your burst rate must be less than 3.
1535 <p>Ãíµ: ¸½ºß¤Î¤È¤³¤íÌó 59»þ´Ö¤òĶ¤¨¤ë²óÉü»þ´Ö¤Î¥ë¡¼¥ë¤Ïºî¤ì¤Ê¤¤¤Î¤Ç¡¢
1536 ¤â¤·¡¢Ê¿¶Ñ¥ì¡¼¥È¤ò 1Æü 1²ó¤ËÀßÄꤷ¤¿¾ì¹ç¡¢¥Ð¡¼¥¹¥È¥ì¡¼¥È¤Ï 3 ̤Ëþ¤Ç
1537 ¤Ê¤¯¤Æ¤Ï¤Ê¤ê¤Þ¤»¤ó¡£
1540 <p>You can also use this module to avoid various denial of service
1541 attacks (DoS) with a faster rate to increase responsiveness.
1543 <p>¤³¤Î¥â¥¸¥å¡¼¥ë¤Ï¡¢¤Þ¤¿¡¢Â®¤¤¥ì¡¼¥È¤Î´¶±þÀ¤ò¹â¤á¤ë¤³¤È¤Ç¡¢³Æ¼ï¤Î
1544 ¥µ¡¼¥Ó¥¹µñÈݹ¶·â(DoS)¤òËɤ°¤³¤È¤¬¤Ç¤¤Þ¤¹¡£
1547 <p>Syn-flood protection:
1549 <p>SYN ¥Ñ¥±¥Ã¥È°î¤ì¤Ø¤ÎËɸæ:
1551 # iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
1555 Furtive port scanner:
1557 ¤³¤Ã¤½¤êÇÁ¤¤Î¥Ý¡¼¥È¥¹¥¥ã¥Ê¡¼:
1559 # iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
1564 # iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
1568 This module works like a "hysteresis door", as shown in the graph
1571 ¤³¤Î¥â¥¸¥å¡¼¥ë¤Ï¡¢²¼¤Î¥°¥é¥Õ¤Ë¼¨¤¹¤è¤¦¤Ë¡¢¡È¥Ò¥¹¥Æ¥ê¥·¥¹¥É¥¢¡É
1580 Edge of DoS -|.....:.........\.......................
1582 limit-burst) | / : \ .-.
1585 End of DoS -|/....:..............:.../.......\..../.
1586 = limit | : :`-' `--'
1587 -------------+-----+--------------+------------------> time (s)
1588 LOGIC => Match | Didn't Match | Match
1591 ¥ì¡¼¥È(¥Ñ¥±¥Ã¥È¿ô¡¿ÉÃ)
1595 DoS¤Î»Ï¤Þ¤ê -|......:.........\.......................
1597 limit-burst) | / : \ .-.
1600 DoS¤Î½ª¤ï¤ê -|./....:..............:.../.......\..../.
1601 = limit |/ : :`-' `--'
1602 -------------+------+--------------+------------------> »þ´Ö (ÉÃ)
1603 ÏÀÍý ¢Í ¥Þ¥Ã¥Á| ¥Þ¥Ã¥Á¤·¤Ê¤¤ | ¥Þ¥Ã¥Á
1607 Say we say match one packet per second with a five packet
1608 burst, but packets start coming in at four per second, for three
1609 seconds, then start again in another three seconds.
1611 Î㤨¤Ð¡¢1É䢤¿¤ê 1¥Ñ¥±¥Ã¥È¤Ç¥Ð¡¼¥¹¥È¤¬ 5¥Ñ¥±¥Ã¥È¤Î¥Þ¥Ã¥Á¤ò»ØÄꤷ¤Æ¤¤¤ë
1612 ¤È¤³¤í¤Ë¡¢1É䢤¿¤ê 4¥Ñ¥±¥Ã¥È¤¬¤ä¤Ã¤ÆÍè¤Æ 3ÉôÖ³¤¡¢¤½¤ì¤«¤é¡¢3Éô֤Ç
1613 ºÆ¤Ó¥Ñ¥±¥Ã¥È¤¬¤ä¤Ã¤ÆÍè¤ë¤È¤·¤Þ¤¹¡£
1618 <--Flood 1--> <---Flood 2--->
1620 Total ^ Line __-- YNNN
1621 Packets| Rate __-- YNNN
1622 | mum __-- YNNN
1623 10 | Maxi __-- Y
1629 | Y Key: Y -> Matched Rule
1630 | Y N -> Didn't Match Rule
1633 0 +--------------------------------------------------> Time (seconds)
1634 0 1 2 3 4 5 6 7 8 9 10 11 12
1638 ¢«¡½°î¤ì 1¡½¢ª ¢«¡½ °î¤ì 2 ¡½¢ª
1640 ¥È¡¼¥¿¥ë^ ¡²¡½¡± YNNN
1641 ¥Ñ¥±¥Ã¥È| ¥é¥¤¥ó¡²¡½ YNNN
1642 ¿ô | ¥ì¡¼¥È¡²¡½ YNNN
1649 | Y ¥¡¼: Y ¢Í ¥ë¡¼¥ë¤Ë¥Þ¥Ã¥Á¤¹¤ë
1650 | Y N ¢Í ¥ë¡¼¥ë¤Ë¥Þ¥Ã¥Á¤·¤Ê¤¤
1653 0 +--------------------------------------------------> »þ´Ö (ÉÃ)
1654 0 1 2 3 4 5 6 7 8 9 10 11 12
1658 You can see that the first five packets are allowed to exceed the one
1659 packet per second, then the limiting kicks in. If there is a pause,
1660 another burst is allowed but not past the maximum rate set by the
1661 rule (1 packet per second after the burst is used).
1663 ºÇ½é¤Î 5¥Ñ¥±¥Ã¥È¤Ï 1ÉÃ¤Ë 1¥Ñ¥±¥Ã¥È¤òĶ¤¨¤ë¤Î¤Ëµö²Ä¤µ¤ì¤Æ¤¤¤Þ¤¹¤¬¡¢
1664 ¤½¤Î¸å¡¢À©¸Â¤¬Æ¯¤¤¤Æ¤¤¤ë¤³¤È¤¬Ê¬¤«¤ê¤Þ¤¹¡£¤â¤·¡¢¾¯¤·ÅÓÀ䤨¤Æ¤¤¤ì¤Ð¡¢
1665 ¥ë¡¼¥ë¤ËÀßÄꤵ¤ì¤¿ºÇÂç¥ì¡¼¥È¤ÎÈÏ°ÏÆâ¤Ç¡¢¤Þ¤¿¥Ð¡¼¥¹¥È¤¬µö¤µ¤ì¤Þ¤¹
1666 (¥Ð¡¼¥¹¥ÈºîÆ°¸å¤Ï 1Éà 1¥Ñ¥±¥Ã¥È)¡£
1670 This module attempts to match various characteristics of the packet
1671 creator, for locally-generated packets. It is only valid in the
1672 OUTPUT chain, and even then some packets (such as ICMP ping responses)
1673 may have no owner, and hence never match.
1675 ¤³¤Î¥â¥¸¥å¡¼¥ë¤Ï¡¢¥í¡¼¥«¥ë¤ËÀ¸À®¤µ¤ì¤¿¥Ñ¥±¥Ã¥È¤ÎºîÀ®¼Ô¤Î³Æ¼ï¤ÎÆüÁ¤È
1676 ¥Þ¥Ã¥Á¤ò»î¤ß¤Þ¤¹¡£¤³¤ì¤Ï OUTPUT ¥Á¥§¥¤¥ó¤Ç¤Î¤ß͸ú¤Ç¤¹¤¬¡¢¤¤¤¯¤Ä¤«¤Î
1677 ¥Ñ¥±¥Ã¥È(Î㤨¤Ð¡¢ICMP ping ¤Î±þÅú)¤Ë¤Ï½êͼԤ¬¤Ê¤¤¤Î¤Ç¡¢¤½¤ì¤æ¤¨·è¤·¤Æ
1681 <tag>--uid-owner userid</tag>
1683 Matches if the packet was created by a process with the given
1684 effective (numerical) user id.
1686 ¥Ñ¥±¥Ã¥È¤òÀ¸À®¤·¤¿¥×¥í¥»¥¹¤Î¼Â¹Ô¥æ¡¼¥¶ id (¿ôÃÍ)¤Ë¥Þ¥Ã¥Á¤·¤Þ¤¹¡£
1688 <tag>--uid-owner groupid</tag>
1690 Matches if the packet was created by a process with the given
1691 effective (numerical) group id.
1693 ¥Ñ¥±¥Ã¥È¤òÀ¸À®¤·¤¿¥×¥í¥»¥¹¤Î¼Â¹Ô¥°¥ë¡¼¥× id (¿ôÃÍ) ¤Ë¥Þ¥Ã¥Á¤·¤Þ¤¹¡£
1695 <tag>--pid-owner processid</tag>
1697 Matches if the packet was created by a process with the given
1700 ¥Ñ¥±¥Ã¥È¤òÀ¸À®¤·¤¿¥×¥í¥»¥¹¤Î¥×¥í¥»¥¹ id ¤Ë¥Þ¥Ã¥Á¤·¤Þ¤¹¡£
1702 <tag>--sid-owner sessionid</tag>
1703 <!-- 2000/9/13 Êѹ¹¤µ¤ì¤Þ¤·¤¿¡£-->
1705 Matches if the packet was created by a process in the given session
1708 ¥Ñ¥±¥Ã¥È¤òÀ¸À®¤·¤¿¥×¥í¥»¥¹¤Î¥»¥Ã¥·¥ç¥ó¥°¥ë¡¼¥×¤Ë¥Þ¥Ã¥Á¤·¤Þ¤¹¡£
1712 <tag>unclean</tag> This experimental module must be explicitly
1713 specified with `-m unclean or `--match unclean'. It does various
1714 random sanity checks on packets. This module has not been audited,
1715 and should not be used as a security device (it probably makes things
1716 worse, since it may well have bugs itself). It provides no options.
1718 <tag>unclean</tag> ¤³¤Î¼Â¸³Åª¥â¥¸¥å¡¼¥ë¤Ï `-m unclean ¤Þ¤¿¤Ï
1719 `--match unclean' ¤òÌÀ¼¨Åª¤Ë»ØÄꤹ¤ëɬÍפ¬¤¢¤ê¤Þ¤¹¡£¤³¤ì¤Ï¥Ñ¥±¥Ã¥È
1720 ¤Ë¤Ä¤¤¤Æ¼êÅö¤¿¤ê¤·¤À¤¤ÍÍ¡¹¤ÎÀµÅöÀ¤ò¥Á¥§¥Ã¥¯¤·¤Þ¤¹¡£¤³¤Î¥â¥¸¥å¡¼¥ë
1721 ¤Ï¸¡ºº¤µ¤ì¤Æ¤¤¤Ê¤¤¤Î¤Ç¡¢¥»¥¥å¥ê¥Æ¥£ÁõÃ֤Ȥ·¤Æ»È¤¦¤Ù¤¤Ç¤Ï¤¢¤ê¤Þ¤»¤ó
1722 (¥Ð¥°¤¬¤è¤¯¤¢¤ë¤Î¤Ç¡¢¤³¤È¤Ë¤è¤ë¤È»öÂÖ¤¬°²½¤·¤Þ¤¹)¡£¥ª¥×¥·¥ç¥ó¤Ï¤¢¤ê¤Þ
1727 <sect3>The State Match
1732 <p>The most useful match criterion is supplied by the `state'
1733 extension, which interprets the connection-tracking analysis of the
1734 `ip_conntrack' module. This is highly recommended.
1736 <p>ºÇ¤âÌò¤ËΩ¤Ä¥Þ¥Ã¥ÁȽÄê´ð½à¤Ï `state' ³ÈÄ¥¤Ë¤è¤Ã¤ÆÄ󶡤µ¤ì¡¢
1737 `ip_conntrack' ¥â¥¸¥å¡¼¥ë¤Î¥³¥Í¥¯¥·¥ç¥óÄÉÀפÎʬÀÏ·ë²Ì¤ò´Êñ¤ËÍøÍÑ
1738 ¤Ç¤¤ë¤è¤¦¤Ë¤·¤Þ¤¹¡£¤³¤ì¤ÏÈó¾ï¤Ë¤ª´«¤á¤Ç¤¹¡£
1741 <p>Specifying `-m state' allows an additional `--state' option, which
1742 is a comma-separated list of states to match (the `!' flag indicates
1743 <bf>not</bf> to match those states). These states are:
1745 <p>`-m state' ¤ò»ØÄꤹ¤ë¤ÈÄɲä·¤Æ `--state' ¥ª¥×¥·¥ç¥ó¤¬»ØÄê¤Ç¤¡¢
1746 ¤½¤³¤Ë¥Þ¥Ã¥Á¤¹¤Ù¤¾õÂ֤Υꥹ¥È¤ò¥«¥ó¥Þ¤Ç¶èÀڤäƻØÄꤷ¤Þ¤¹(`!' ¥ª¥×¥·¥ç¥ó
1747 ¤Ï»ØÄꤷ¤¿¾õÂ֤˥ޥåÁ<bf>¤·¤Ê¤¤</bf>¤³¤È¤ò¼¨¤·¤Þ¤¹)¡£¾õÂ֤ˤϰʲ¼¤Î
1752 <tag>NEW</tag> A packet which creates a new connection.
1754 <tag>NEW</tag> ¿·¤·¤¤¥³¥Í¥¯¥·¥ç¥ó¤òºî¤ë¥Ñ¥±¥Ã¥È¤Ç¤¹¡£
1757 <tag>ESTABLISHED</tag> A packet which belongs to an existing
1758 connection (i.e., a reply packet, or outgoing packet on a connection
1759 which has seen replies).
1761 <tag>ESTABLISHED</tag> ´û¸¤Î¥³¥Í¥¯¥·¥ç¥ó¤Ë°¤¹¤ë¥Ñ¥±¥Ã¥È¤Ç¤¹
1762 (¤¹¤Ê¤ï¤Á¡¢±þÅú¥Ñ¥±¥Ã¥È¡¢¤¢¤ë¤¤¤Ï¥³¥Í¥¯¥·¥ç¥ó³ÎΩÃæ¤Î±þÅú¤Î¤¿¤á
1766 <tag>RELATED</tag> A packet which is related to, but not part of, an
1767 existing connection, such as an ICMP error, or (with the FTP module
1768 inserted), a packet establishing an ftp data connection.
1770 <tag>RELATED</tag> ´û¸¤Î¥³¥Í¥¯¥·¥ç¥ó¤Î°ìÉô¤Ç¤Ï¤Ê¤¯¤Æ´Ø·¸¤¹¤ë¥Ñ¥±¥Ã¥È¡¢
1771 Î㤨¤Ð¡¢ICMP ¥¨¥é¡¼¤È¤«¡¢¤Þ¤¿¤Ï(FTP ¥â¥¸¥å¡¼¥ë¤¬ÁÞÆþºÑ¤ß¤Ê¤é)¡¢ftp
1772 ¥Ç¡¼¥¿¥³¥Í¥¯¥·¥ç¥ó¤Î³ÎΩ¥Ñ¥±¥Ã¥È¤Ç¤¹¡£
1775 <tag>INVALID</tag> A packet which could not be identified for some
1776 reason: this includes running out of memory and ICMP errors which
1777 don't correspond to any known connection. Generally these packets
1780 <tag>INVALID</tag> ¤¤¤¯¤Ä¤«¤ÎÍýͳ¤«¤é ¡½ ¤³¤ì¤Ë¤Ï¥á¥â¥êÉÔ¡¢¤É¤Î
1781 ¥³¥Í¥¯¥·¥ç¥ó¤Ë¤âÂбþ¤¹¤ë¤â¤Î¤¬¤Ê¤¤ ICMP ¥¨¥é¡¼ ¤ò´Þ¤ß¤Þ¤¹¤¬¡¢¿È¸µÉÔÌÀ
1782 ¤Î¥Ñ¥±¥Ã¥È¤¬¤¢¤ê¤Þ¤¹¡£°ìÈÌŪ¤Ë¤³¤ì¤é¤Î¥Ñ¥±¥Ã¥È¤ÏÇË´þ¤¹¤Ù¤¤Ç¤¹¡£
1786 An example of this powerful match extension would be:
1788 ¤³¤Î¶¯ÎϤʥޥåÁ³ÈÄ¥¤Î»ÈÍÑÎã¤Ï°Ê²¼¤Î¤è¤¦¤Ë¤Ê¤ê¤Þ¤¹:
1790 # iptables -A FORWARD -i ppp0 -m state ! --state NEW -j DROP
1794 <sect1>Target Specifications
1796 <sect1>¥¿¡¼¥²¥Ã¥È¤Î»ÅÍÍ
1799 <p>Now we know what examinations we can do on a packet, we need a way
1800 of saying what to do to the packets which match our tests. This is
1801 called a rule's <bf>target</bf>.
1803 <p>º£¤ä¡¢»äã¤Ï¥Ñ¥±¥Ã¥È¤Ë´Ø¤·¤Æ¤É¤ó¤Ê¸¡ºº¤¬¤Ç¤¤ë¤«ÃΤäƤ¤¤Þ¤¹¡£
1804 ¼¡¤ËɬÍפʤΤϸ¡ºº¤Ë¥Þ¥Ã¥Á¤·¤¿¥Ñ¥±¥Ã¥È¤ËÂФ·¤Æ²¿¤ò¤¹¤ë¤«»Ø¼¨¤¹¤ëÊýË¡¤Ç¤¹¡£
1805 ¤³¤ì¤Ï¥ë¡¼¥ë¤Î<bf>¥¿¡¼¥²¥Ã¥È</bf>¤È¸Æ¤Ð¤ì¤Æ¤¤¤Þ¤¹¡£
1808 <p>There are two very simple built-in targets: DROP and ACCEPT. We've
1809 already met them. If a rule matches a packet and its target is one of
1810 these two, no further rules are consulted: the packet's fate has been
1813 <p>¤È¤Æ¤âñ½ã¤Ê 2¤Ä¤ÎÁȤ߹þ¤ßºÑ¤ß¥¿¡¼¥²¥Ã¥È: DROP ¤È ACCEPT ¤¬¤¢¤ê¤Þ¤¹¡£
1814 ¤³¤ì¤é¤Ë¤Ä¤¤¤Æ¤ÏÁ°¤Ë½Ò¤Ù¤Þ¤·¤¿¡£¤â¤·¡¢¥ë¡¼¥ë¤¬¥Ñ¥±¥Ã¥È¤Ë¥Þ¥Ã¥Á¤·¡¢
1815 ¥¿¡¼¥²¥Ã¥È¤¬¤³¤ì¤é 2¤Ä¤Î¤É¤Á¤é¤«°ìÊý¤Ê¤é¡¢¥Ñ¥±¥Ã¥È¤Î±¿Ì¿¤¬·èÄꤵ¤ì¤Æ¡¢
1816 ¤³¤ì°Ê¾å¥ë¡¼¥ë¤¬Ä´¤Ù¤é¤ì¤ë¤³¤È¤Ï¤¢¤ê¤Þ¤»¤ó¡£
1819 <p>There are two types of targets other than the built-in ones:
1820 extensions and user-defined chains.
1822 <p>ÁȤ߹þ¤ßºÑ¤ß¥¿¡¼¥²¥Ã¥È°Ê³°¤Ë 2¼ïÎà¤Î¥¿¡¼¥²¥Ã¥È: ³ÈÄ¥¥¿¡¼¥²¥Ã¥È
1823 ¤È¥æ¡¼¥¶ÄêµÁ¥Á¥§¥¤¥ó¤¬¤¢¤ê¤Þ¤¹¡£
1826 <sect2>User-defined chains
1828 <sect2>¥æ¡¼¥¶ÄêµÁ¥Á¥§¥¤¥ó
1832 One powerful feature which <tt>iptables</tt> inherits from
1833 <tt>ipchains</tt> is the ability for the user to create new chains, in
1834 addition to the three built-in ones (INPUT, FORWARD and OUTPUT). By
1835 convention, user-defined chains are lower-case to distinguish them
1836 (we'll describe how to create new user-defined chains below in <ref
1837 id="chain-ops" name="Operations on an Entire Chain">).
1839 <!-- 2000/9/13 ºÇ½ªÊ¸¤¬Êѹ¹¤µ¤ì¤Þ¤·¤¿¡£-->
1840 <tt>ipchains</tt> ¤«¤é·Ñ¾µ¤·¤¿ <tt>iptables</tt> ¤Î¶¯ÎϤÊÆÃħ¤Î 1¤Ä
1841 ¤Ï¡¢3¤Ä¤ÎÁȤ߹þ¤ßºÑ¤ß¥Á¥§¥¤¥ó(INPUT, FORWARD ¤½¤·¤Æ OUTPUT)¤Ë²Ã¤¨¤Æ¡¢
1842 ¥æ¡¼¥¶¤¬¿·¤·¤¤¥Á¥§¥¤¥ó¤òºî¤ë¤³¤È¤¬¤Ç¤¤ë¤È¤¤¤¦¤³¤È¤Ç¤¹¡£´·Îã¤Ç¡¢
1843 ¥æ¡¼¥¶ÄêµÁ¥Á¥§¥¤¥ó¤ÏÁȤ߹þ¤ßºÑ¤ß¥Á¥§¥¤¥ó¤È¶èÊ̤¹¤ë¤¿¤á¤Ë¾®Ê¸»ú¤Ë
1844 ¤·¤Þ¤¹(¿·¤·¤¤¥æ¡¼¥¶ÄêµÁ¥Á¥§¥¤¥ó¤Îºî¤êÊý¤Ï¡¢°Ê²¼¤Î<ref id="chain-ops"
1845 name="¥Á¥§¥¤¥ó¤ÎÁàºî">¤ÇÀâÌÀ¤·¤Þ¤¹)¡£
1849 When a packet matches a rule whose target is a user-defined chain, the
1850 packet begins traversing the rules in that user-defined chain. If
1851 that chain doesn't decide the fate of the packet, then once traversal
1852 on that chain has finished, traversal resumes on the next rule in the
1855 ¥Ñ¥±¥Ã¥È¤¬¥ë¡¼¥ë¤Ë¥Þ¥Ã¥Á¤·¡¢¤½¤Î¥¿¡¼¥²¥Ã¥È¤¬¥æ¡¼¥¶ÄêµÁ¥Á¥§¥¤¥ó¤Ç¤¢¤ì¤Ð¡¢
1856 ¥Ñ¥±¥Ã¥È¤Ï¤½¤Î¥æ¡¼¥¶ÄêµÁ¥Á¥§¥¤¥ó¤Ë°Ü¤ê¡¢¥ë¡¼¥ë¤Î¸¡ºº¤ò»Ï¤á¤Þ¤¹¡£¤½¤Î
1857 ¥æ¡¼¥¶ÄêµÁ¥Á¥§¥¤¥ó¤Ç¤Î¸¡ºº¤¬Á´¤Æ½ª¤Ã¤Æ¤â¥Ñ¥±¥Ã¥È¤Î±¿Ì¿¤¬·è¤Þ¤é¤Ê¤±¤ì¤Ð¡¢
1858 ¸½ºß¤Î¥Á¥§¥¤¥ó¤ËÌá¤ê¡¢¤½¤Î¼¡¤Î¥ë¡¼¥ë¤«¤é¸¡ºº¤òºÆ³«¤·¤Þ¤¹¡£
1862 Time for more ASCII art. Consider two (silly) chains: <tt>INPUT</tt> (the
1863 built-in chain) and <tt>test</tt> (a user-defined chain).
1865 ASCII ¥¢¡¼¥È¤Î»þ´Ö¤Ç¤¹¡£2¤Ä¤Î(¤ª¤Ð¤«¤µ¤ó¤Ê)¥Á¥§¥¤¥ó: <tt>INPUT</tt>
1866 (ÁȤ߹þ¤ßºÑ¤ß¥Á¥§¥¤¥ó)¤È <tt>test</tt> (¥æ¡¼¥¶ÄêµÁ¥Á¥§¥¤¥ó)¤Ç¹Í¤¨¤Þ
1872 ---------------------------- ----------------------------
1873 | Rule1: -p ICMP -j DROP | | Rule1: -s 192.168.1.1 |
1874 |--------------------------| |--------------------------|
1875 | Rule2: -p TCP -j test | | Rule2: -d 192.168.1.1 |
1876 |--------------------------| ----------------------------
1877 | Rule3: -p UDP -j DROP |
1878 ----------------------------
1882 ¨£¨¡¨¡¨¡¨¡¨¡¨¡¨¡¨¡¨¡¨¡¨¡¨¡¨¡¨¤ ¨£¨¡¨¡¨¡¨¡¨¡¨¡¨¡¨¡¨¡¨¡¨¡¨¡¨¡¨¤
1883 ¨¢¥ë¡¼¥ë 1: -p ICMP -j DROP ¨¢ ¨¢¥ë¡¼¥ë 1: -s 192.168.1.1 ¨¢
1884 ¨§¨¡¨¡¨¡¨¡¨¡¨¡¨¡¨¡¨¡¨¡¨¡¨¡¨¡¨© ¨§¨¡¨¡¨¡¨¡¨¡¨¡¨¡¨¡¨¡¨¡¨¡¨¡¨¡¨©
1885 ¨¢¥ë¡¼¥ë 2: -p TCP -j test ¨¢ ¨¢¥ë¡¼¥ë 2: -d 192.168.1.1 ¨¢
1886 ¨§¨¡¨¡¨¡¨¡¨¡¨¡¨¡¨¡¨¡¨¡¨¡¨¡¨¡¨© ¨¦¨¡¨¡¨¡¨¡¨¡¨¡¨¡¨¡¨¡¨¡¨¡¨¡¨¡¨¥
1887 ¨¢¥ë¡¼¥ë 3: -p UDP -j DROP ¨¢
1888 ¨¦¨¡¨¡¨¡¨¡¨¡¨¡¨¡¨¡¨¡¨¡¨¡¨¡¨¡¨¥
1893 Consider a TCP packet coming from 192.168.1.1, going to 1.2.3.4. It
1894 enters the <tt>INPUT</tt> chain, and gets tested against Rule1 - no match.
1895 Rule2 matches, and its target is <tt>test</tt>, so the next rule examined
1896 is the start of <tt>test</tt>. Rule1 in <tt>test</tt> matches, but doesn't
1897 specify a target, so the next rule is examined, Rule2. This doesn't
1898 match, so we have reached the end of the chain. We return to the
1899 <tt>INPUT</tt> chain, where we had just examined Rule2, so we now examine
1900 Rule3, which doesn't match either.
1902 192.168.1.1 ¤«¤éÍè¤Æ 1.2.3.4 ¤Ø¸þ¤«¤¦ TCP ¥Ñ¥±¥Ã¥È¤Ë¤Ä¤¤¤Æ¹Í¤¨¤Þ¤·¤ç¤¦¡£
1903 ¥Ñ¥±¥Ã¥È¤Ï <tt>INPUT</tt> ¥Á¥§¥¤¥ó¤ËÆþ¤ê¡¢¤Þ¤º¡¢¥ë¡¼¥ë 1 ¤¬¸¡ºº¤µ¤ì¤Þ¤¹
1904 ¡½ ¥Þ¥Ã¥Á¤·¤Þ¤»¤ó¡£¥ë¡¼¥ë 2 ¤¬¥Þ¥Ã¥Á¤·¤Æ¡¢¤½¤Î¥¿¡¼¥²¥Ã¥È¤Ï <tt>test</tt>
1905 ¤Ê¤Î¤Ç¡¢¼¡¤Ë¸¡ºº¤µ¤ì¤ë¥ë¡¼¥ë¤Ï <tt>test</tt> ¤ÎÀèƬ¤Ç¤¹¡£<tt>test</tt>
1906 ¤Î¥ë¡¼¥ë 1 ¤Ï¥Þ¥Ã¥Á¤·¤Þ¤¹¤¬¡¢¥¿¡¼¥²¥Ã¥È¤ò»ØÄꤷ¤Æ¤¤¤Ê¤¤¤Î¤Ç¡¢¼¡¤Î¥ë¡¼¥ë
1907 ¤Ç¤¢¤ë¥ë¡¼¥ë 2 ¤¬¸¡ºº¤µ¤ì¤Þ¤¹¡£¤³¤ì¤Ï¥Þ¥Ã¥Á¤·¤Ê¤¤¤Î¤Ç¡¢¥Á¥§¥¤¥ó¤Î½ª¤ï¤ê¤Ë
1908 㤷¤Þ¤·¤¿¡£ÀèÄø¸¡ºº¤·¤¿¥ë¡¼¥ë 2 ¤Î¤¢¤ë <tt>INPUT</tt> ¥Á¥§¥¤¥ó¤ËÌá¤ê¡¢
1909 ¤½¤ì¤Çº£Å٤ϥ롼¥ë 3 ¤¬¸¡ºº¤µ¤ì¤Þ¤¹¤¬¡¢¤³¤ì¤â¤Þ¤¿¥Þ¥Ã¥Á¤·¤Þ¤»¤ó¡£
1913 So the packet path is:
1915 ¤½¤ì¤Ç¡¢¥Ñ¥±¥Ã¥È¤Î·ÐÏ©¤Ï¼¡¤Î¤è¤¦¤Ë¤Ê¤ê¤Þ¤¹:
1918 v __________________________
1919 `INPUT' | / `test' v
1920 ------------------------|--/ -----------------------|----
1921 | Rule1 | /| | Rule1 | |
1922 |-----------------------|/-| |----------------------|---|
1923 | Rule2 / | | Rule2 | |
1924 |--------------------------| -----------------------v----
1925 | Rule3 /--+___________________________/
1926 ------------------------|---
1930 v __________________________
1931 `INPUT' | / `test' v
1932 ¨£¨¡¨¡¨¡¨¡¨¡¨¡¨¡¨¡¨¡¨¡¨¡|¨¡/ ¨£¨¡¨¡¨¡¨¡¨¡¨¡¨¡¨¡¨¡¨¡|¨¡¨¤
1933 ¨¢¥ë¡¼¥ë 1 | /¨¢ ¨¢¥ë¡¼¥ë 1 | ¨¢
1934 ¨§¨¡¨¡¨¡¨¡¨¡¨¡¨¡¨¡¨¡¨¡¨¡|/-¨© ¨§¨¡¨¡¨¡¨¡¨¡¨¡¨¡¨¡¨¡¨¡|¨¡¨©
1935 ¨¢¥ë¡¼¥ë 2 / ¨¢ ¨¢¥ë¡¼¥ë 2 | ¨¢
1936 ¨§¨¡¨¡¨¡¨¡¨¡¨¡¨¡¨¡¨¡¨¡¨¡-¨¡¨© ¨¦¨¡¨¡¨¡¨¡¨¡¨¡¨¡¨¡¨¡¨¡v¨¡¨¥
1937 ¨¢¥ë¡¼¥ë 3 /¨¡¨«¨¡\_______________________/
1938 ¨¦¨¡¨¡¨¡¨¡¨¡¨¡¨¡¨¡¨¡¨¡¨¡|¨¡¨¥
1943 <p>User-defined chains can jump to other user-defined chains (but
1944 don't make loops: your packets will be dropped if they're found to
1947 <p>¥æ¡¼¥¶ÄêµÁ¥Á¥§¥¤¥ó¤Ï¾¤Î¥æ¡¼¥¶ÄêµÁ¥Á¥§¥¤¥ó¤Ø¥¸¥ã¥ó¥×¤Ç¤¤Þ¤¹
1948 (¤·¤«¤·¡¢¥ë¡¼¥×¤·¤Æ¤Ï¤¤¤±¤Þ¤»¤ó¡£¥ë¡¼¥×¤·¤Æ¤¤¤ë¤³¤È¤¬È½¤ë¤È
1949 ¥Ñ¥±¥Ã¥È¤ÏÇË´þ¤µ¤ì¤Þ¤¹)¡£
1952 <sect2>Extensions to iptables: New Targets
1954 <sect2>iptables ¤Ø¤Î³ÈÄ¥ ¡½ ¿·¤·¤¤¥¿¡¼¥²¥Ã¥È
1957 <p>The other type of extension is a target. A target extension
1958 consists of a kernel module, and an optional extension to
1959 <tt>iptables</tt> to provide new command line options. There are
1960 several extensions in the default netfilter distribution:
1962 <p>³ÈÄ¥¤Î¤â¤¦ 1¤Ä¤Î¼ïÎà¤Ï¥¿¡¼¥²¥Ã¥È¤Ç¤¹¡£¥¿¡¼¥²¥Ã¥È¤Î³ÈÄ¥
1963 ¤Ï¥«¡¼¥Í¥ë¥â¥¸¥å¡¼¥ë¤«¤éÀ®¤ê¡¢<tt>iptables</tt> ¤Ø¤Î¥ª¥×¥·¥ç¥ó¤Î
1964 ³ÈÄ¥¤Ï¿·¤·¤¤¥³¥Þ¥ó¥É¥é¥¤¥ó¥ª¥×¥·¥ç¥ó¤Ë¤è¤Ã¤ÆÄ󶡤µ¤ì¤Þ¤¹¡£netfilter
1965 ¤ÎÇÛÉÛʪ¤Ë¤Ï»Ï¤á¤«¤é¿ô¡¹¤Î³ÈÄ¥¤¬¤¢¤ê¤Þ¤¹:
1969 <tag>LOG</tag> This module provides kernel logging of matching
1970 packets. It provides these additional options:
1972 <tag>LOG</tag> ¤³¤Î¥â¥¸¥å¡¼¥ë¤Ï¥Þ¥Ã¥Á¤·¤¿¥Ñ¥±¥Ã¥È¤Î¥«¡¼¥Í¥ë¥í¥®¥ó¥°
1973 ¤òÄ󶡤·¤Þ¤¹¡£°Ê²¼¤ÎÄɲ媥ץ·¥ç¥ó¤òÄ󶡤·¤Þ¤¹:
1977 <tag>--log-level</tag> Followed by a level number or name. Valid
1978 names are (case-insensitive) `debug', `info', `notice', `warning',
1979 `err', `crit', `alert' and `emerg', corresponding to numbers 7
1980 through 0. See the man page for syslog.conf for an explanation of
1981 these levels. The default is `warning'.
1983 <tag>--log-level</tag> ¸å¤Ë¥ì¥Ù¥ëÈֹ椫̾Á°¤ò³¤±¤Þ¤¹¡£Í¸ú¤Ê̾Á°
1984 ¤Ï(Âçʸ»ú¾®Ê¸»ú¤òÌä¤ï¤º) `debug', `info', `notice', `warning',
1985 `err', `crit', `alert' ¤ª¤è¤Ó `emerg' ¤Ç¡¢¤½¤ì¤¾¤ìÈÖ¹æ¤Î 7 ¤«¤é 0
1986 ¤Ë³ºÅö¤·¤Þ¤¹¡£¤³¤ì¤é¤Î¥ì¥Ù¥ë¤ÎÀâÌÀ¤Ï syslog.conf ¤Î man ¥Ú¡¼¥¸¤ò¸«¤Æ
1987 ¤¯¤À¤µ¤¤¡£½é´üÃÍ¤Ï `warning' ¤Ç¤¹¡£
1990 <tag>--log-prefix</tag> Followed by a string of up to 29 characters,
1991 this message is sent at the start of the log message, to allow it to
1992 be uniquely identified.
1994 <!-- 2000/9/13 Êѹ¹¤µ¤ì¤Þ¤·¤¿¡£-->
1995 <tag>--log-prefix</tag> ¸å¤ËºÇÂç 29ʸ»ú¤Þ¤Ç¤Îʸ»úÎó¤ò³¤±¤Þ¤¹¡£
1996 ¤³¤Î¥á¥Ã¥»¡¼¥¸¤Ï¥í¥°¥á¥Ã¥»¡¼¥¸¤Î³«»Ï»þ¤ËÁ÷¤é¤ì¤ë¤Î¤Ç¡¢¤½¤ì¤ò¼±ÊÌ
2001 This module is most useful after a limit match, so you don't flood
2004 <!-- 2000/9/13 Êѹ¹¤µ¤ì¤Þ¤·¤¿¡£-->
2005 ¤³¤Î¥â¥¸¥å¡¼¥ë¤Ï limit ¥Þ¥Ã¥Á¤Î¸å¤ÇºÇ¤â͸ú¤Ç¡¢¤½¤ì¤Ï¥í¥°¤¬¤¢¤Õ¤ì¤ë
2009 <tag>REJECT</tag> This module has the same effect as `DROP', except
2010 that the sender is sent an ICMP `port unreachable' error message.
2011 Note that the ICMP error message is not sent if (see RFC 1122):
2013 <tag>REJECT</tag> ¤³¤Î¥â¥¸¥å¡¼¥ë¤Ï `DROP' ¤ÈƱ¤¸¸ú²Ì¤¬¤¢¤ê¤Þ¤¹¤¬¡¢
2014 Á÷¿®¼Ô¤Ë ICMP ¤Î `¥Ý¡¼¥È̤Åþã' ¥¨¥é¡¼¥á¥Ã¥»¡¼¥¸¤òÁ÷¤êÊÖ¤¹¤È¤³¤í¤¬
2015 °ã¤¤¤Þ¤¹¡£Ãíµ¤È¤·¤Æ¡¢°Ê²¼¤Î¾ì¹ç(RFC 1122 ¤ò¸«¤Æ¤¯¤À¤µ¤¤) ICMP
2016 ¥¨¥é¡¼¥á¥Ã¥»¡¼¥¸¤ÏÁ÷¤é¤ì¤Þ¤»¤ó:
2020 <item> The packet being filtered was an ICMP error message in the
2021 first place, or some unknown ICMP type.
2023 <item>¥Õ¥£¥ë¥¿¡¼¤·¤è¤¦¤È¤·¤Æ¤¤¤ë¥Ñ¥±¥Ã¥È¤¬ºÇ½é¤«¤é ICMP ¥¨¥é¡¼
2024 ¥á¥Ã¥»¡¼¥¸¤Ç¤¢¤ë¤«¡¢¤Þ¤¿¤Ï ICMP ¤Î¼ïÎबÉÔÌÀ¤Ê¤â¤Î¤Ç¤¢¤ë¡£
2027 <item> The packet being filtered was a non-head fragment.
2029 <item>¥Õ¥£¥ë¥¿¡¼¤·¤è¤¦¤È¤·¤Æ¤¤¤ë¥Ñ¥±¥Ã¥È¤¬ÀèƬ°Ê³°¤Î¥Õ¥é¥°¥á¥ó¥È¤Ç¤¢¤ë¡£
2032 <item> We've sent too many ICMP error messages to that destination
2033 recently (see /proc/sys/net/ipv4/icmp_ratelimit).
2035 <item>ľÁ°¤Ë¡¢¤½¤Î¤¢¤ÆÀè¤Ë¤¢¤Þ¤ê¤Ë¿¤¯¤Î ICMP ¥¨¥é¡¼¥á¥Ã¥»¡¼¥¸¤òÁ÷¤Ã¤¿
2036 (/proc/sys/net/ipv4/icmp_ratelimit ¤ò¸«¤Æ¤¯¤À¤µ¤¤)¡£
2040 REJECT also takes a `--reject-with' optional argument which alters the
2041 reply packet used: see the manual page.
2043 REJECT ¤Ï¤Þ¤¿¡¢»È¤ï¤ì¤ë±þÅú¥Ñ¥±¥Ã¥È¤òÊѹ¹¤¹¤ë¤Î¤Ë `--reject-with'
2044 ¥ª¥×¥·¥ç¥ó°ú¿ô¤ò¤È¤ê¤Þ¤¹: ¥Þ¥Ë¥å¥¢¥ë¥Ú¡¼¥¸¤ò¸«¤Æ¤¯¤À¤µ¤¤¡£
2048 <sect2>Special Built-In Targets
2050 <sect2>ÆÃÊ̤ÊÁȤ߹þ¤ßºÑ¤ß¥¿¡¼¥²¥Ã¥È
2053 <p>There are two special built-in targets: <tt>RETURN</tt> and
2056 <p>2¤Ä¤ÎÆÃÊ̤ÊÁȤ߹þ¤ßºÑ¤ß¥¿¡¼¥²¥Ã¥È: <tt>RETURN</tt> ¤È <TT>QUEUE</tt>
2060 <p><tt>RETURN</tt> has the same effect of falling off the end of a
2061 chain: for a rule in a built-in chain, the policy of the chain is
2062 executed. For a rule in a user-defined chain, the traversal continues
2063 at the previous chain, just after the rule which jumped to this chain.
2065 <p><tt>RETURN</tt> ¤Ï¥Á¥§¥¤¥ó¤ÎËöÈø¤Þ¤ÇÍî¤Ã¤³¤Á¤ë¤Î¤ÈƱ¤¸¸ú²Ì¤¬¤¢¤ê¤Þ¤¹
2066 ¡½ ÁȤ߹þ¤ßºÑ¤ß¥Á¥§¥¤¥óÆâ¤Î¥ë¡¼¥ë¤Î¾ì¹ç¤Ï¡¢¤½¤Î¥Á¥§¥¤¥ó¤Î¥Ý¥ê¥·¡¼
2067 ¤¬¼Â¹Ô¤µ¤ì¤Þ¤¹¡£¥æ¡¼¥¶ÄêµÁ¥Á¥§¥¤¥óÆâ¤Î¥ë¡¼¥ë¤Î¾ì¹ç¤Ï¡¢¤½¤Î¥Á¥§¥¤¥ó¤ò
2068 ¸Æ¤Ó½Ð¤·¤¿¥Á¥§¥¤¥ó¤ËÌá¤ê¡¢¸Æ¤Ó½Ð¤·¸µ¤Î¥ë¡¼¥ë¤Îľ¸å¤«¤é¸¡ºº¤¬Â³¹Ô¤µ¤ì¤Þ¤¹¡£
2071 <p><tt>QUEUE</tt> is a special target, which queues the packet for
2072 userspace processing. For this to be useful, two further components are
2075 <p><tt>QUEUE</tt> ¤Ï¥Ñ¥±¥Ã¥È¤ò¥æ¡¼¥¶¶õ´Ö¤Ç½èÍý¤¹¤ë¤¿¤á¤Ë¥¥å¡¼¤ËÆþ¤ì¤ë
2076 ¤È¤¤¤¦ÆÃÊ̤ʥ¿¡¼¥²¥Ã¥È¤Ç¤¹¡£¤³¤ì¤ò͸ú¤Ë¤¹¤ë¤Ë¤Ï¡¢¤µ¤é¤Ë 2¤Ä¤Î¹½À®Êª¤¬
2081 <item>a "queue handler", which deals with the actual mechanics of
2082 passing packets between the kernel and userspace; and
2084 <item>¡È¥¥å¡¼¥Ï¥ó¥É¥é¡¼¡É¤Ï¥Ñ¥±¥Ã¥È¤ò¥«¡¼¥Í¥ë¤«¤é¥æ¡¼¥¶¶õ´Ö
2085 ¤ËÅϤ¹¼ÂºÝ¤Îµ¡¹½¤ò°·¤¤¤Þ¤¹¡£¤½¤·¤Æ¡¢
2087 <item>a userspace application to receive, possibly manipulate, and
2088 issue verdicts on packets.
2090 <item>¥æ¡¼¥¶¶õ´Ö¥¢¥×¥ê¥±¡¼¥·¥ç¥ó¤Ï¥Ñ¥±¥Ã¥È¤ò¼õ¤±¼è¤ê¡¢¾ì¹ç¤Ë¤è¤Ã¤Æ¤Ï
2091 Áàºî¤·¡¢¤½¤·¤Æ¥Ñ¥±¥Ã¥È¤ËȽÄê¤ò²¼¤·¤Þ¤¹¡£
2094 The standard queue handler for IPv4 iptables is the ip_queue module,
2095 which is distributed with the kernel and marked as experimental.
2097 IPv4 iptables ¤Îɸ½à¥¥å¡¼¥Ï¥ó¥É¥é¡¼¤Ï ip_queue ¥â¥¸¥å¡¼¥ë¤Ç¡¢¥«¡¼¥Í¥ë
2098 ¤È°ì½ï¤ËÇÛÉÛ¤µ¤ì¡¢³«È¯Ãæ(experimental)¤È¤·¤Æ¥Þ¡¼¥¯¤µ¤ì¤Æ¤¤¤Þ¤¹¡£
2101 The following is a quick example of how to use iptables to queue packets
2102 for userspace processing:
2104 ¥æ¡¼¥¶¶õ´Ö¤Ç½èÍý¤¹¤ë¤¿¤á¤Ë¥¥å¡¼¤Ø¥Ñ¥±¥Ã¥È¤òÆþ¤ì¤ë iptables ¤Î»È¤¤Êý¤Î
2105 ´Êñ¤ÊÎã¤ò°Ê²¼¤Ë¼¨¤·¤Þ¤¹:
2107 # modprobe iptable_filter
2109 # iptables -A OUTPUT -p icmp -j QUEUE
2112 With this rule, locally generated outgoing ICMP packets (as created with,
2113 say, ping) are passed to the ip_queue module, which then attempts to deliver
2114 the packets to a userspace application. If no userspace application is
2115 waiting, the packets are dropped.
2117 ¤³¤Î¥ë¡¼¥ë¤Ç¤Ï¡¢¥í¡¼¥«¥ë¤ËÀ¸À®¤µ¤ì¤¿³°¤Ë½Ð¤Æ¹Ô¤¯ ICMP ¥Ñ¥±¥Ã¥È(Î㤨¤Ð¡¢
2118 ping ¤ÇÀ¸À®¤µ¤ì¤¿)¤Ï ip_queue ¥â¥¸¥å¡¼¥ë¤ËÅϤµ¤ì¤Þ¤¹¡£¤½¤ì¤«¤é¡¢ip_queue
2119 ¤Ï¥Ñ¥±¥Ã¥È¤ò¥æ¡¼¥¶¶õ´Ö¤Î¥¢¥×¥ê¥±¡¼¥·¥ç¥ó¤ËÆϤ±¤è¤¦¤È¤·¤Þ¤¹¡£¤â¤·¡¢ÂÔµ¡
2120 ¤·¤Æ¤¤¤ë¥æ¡¼¥¶¶õ´Ö¥¢¥×¥ê¥±¡¼¥·¥ç¥ó¤¬Ìµ¤±¤ì¤Ð¡¢¥Ñ¥±¥Ã¥È¤ÏÇË´þ¤µ¤ì¤Þ¤¹¡£
2123 <p>To write a userspace application, use the libipq API. This is
2124 distributed with iptables. Example code may be found in the testsuite
2125 tools (e.g. redirect.c) in CVS.
2127 <p>¥æ¡¼¥¶¶õ´Ö¥¢¥×¥ê¥±¡¼¥·¥ç¥ó¤ò½ñ¤¯¤¿¤á¤Ë¤Ï¡¢libipq API ¤ò»È¤¤¤Þ¤¹¡£
2128 ¤³¤ì¤Ï iptables ¤È°ì½ï¤ËÇÛÉÛ¤µ¤ì¤Æ¤¤¤Þ¤¹¡£¼ÂÎã¤Î¥³¡¼¥É¤Ï CVS Ãæ¤Î
2129 testsuite ¥Ä¡¼¥ë(Î㤨¤Ð¡¢redirect.c)¤ÎÃæ¤Ç¸«¤Ä¤±¤é¤ì¤Þ¤¹¡£
2132 <p>The status of ip_queue may be checked via:
2134 <p>ip_queue ¤Î¾õÂ֤ϰʲ¼¤Ç¥Á¥§¥Ã¥¯¤Ç¤¤Þ¤¹:
2139 The maximum length of the queue (i.e. the number packets delivered
2140 to userspace with no verdict issued back) may be controlled via:
2142 ¥¥å¡¼¤ÎºÇÂçĹ(¤¹¤Ê¤ï¤Á¡¢¥æ¡¼¥¶¶õ´Ö¤ËÆϤ±¤é¤ì¤Æ¤¤¤Æ¡¢¤Þ¤ÀȽÄ꤬¤Ê¤µ¤ì¤Æ
2143 ¤¤¤Ê¤¤¥Ñ¥±¥Ã¥È¤Î¿ô)¤Ï°Ê²¼¤Ç¥³¥ó¥È¥í¡¼¥ë¤Ç¤¤Þ¤¹:
2145 /proc/sys/net/ipv4/ip_queue_maxlen
2148 The default value for the maximum queue length is 1024. Once this limit
2149 is reached, new packets will be dropped until the length of the queue falls
2150 below the limit again. Nice protocols such as TCP interpret dropped packets
2151 as congestion, and will hopefully back off when the queue fills up. However,
2152 it may take some experimenting to determine an ideal maximum queue length
2153 for a given situation if the default value is too small.
2155 ¥¥å¡¼¤ÎºÇÂçĹ¤Î½é´üÃÍ¤Ï 1024 ¤Ç¤¹¡£°ìö¤³¤Î¸Â³¦ÃͤË㤷¤¿¤é¡¢¥¥å¡¼¤Î
2156 Ťµ¤¬¸Â³¦Ãͤè¤êÄ㤯¤Ê¤ë¤Þ¤Ç¿·¤·¤¤¥Ñ¥±¥Ã¥È¤ÏÇË´þ¤µ¤ì¤Þ¤¹¡£TCP ¤Î¤è¤¦¤Ê
2157 ¤¹¤Ð¤é¤·¤¤¥×¥í¥È¥³¥ë¤Ï¡¢º®»¨¤ÇÍî¤Á¤³¤Ü¤ì¤¿¥Ñ¥±¥Ã¥È¤ò¸¡½Ð¤·¤Æ¡¢¥¥å¡¼¤¬
2158 °ìÇդˤʤ俤Ȥ¡¢ºÆÁ÷¤ò»î¤ß¤Þ¤¹¡£¤È¤Ï¤¤¤¨¡¢Í¿¤¨¤é¤ì¤¿¾õ¶·²¼¤Ç½é´üÃͤÏ
2159 ¾®¤µ²á¤®¤ë¤«¤â¤·¤ì¤Ê¤¤¤Î¤Ç¡¢ÍýÁÛŪ¤ÊºÇÂ祥塼Ťò·èÄꤹ¤ë¤Î¤Ë¤¤¤¯¤é¤«
2160 ¼Â¸³¤¹¤ë¤È¤è¤¤¤Ç¤·¤ç¤¦¡£
2161 <!-- hopefully back off ¤ÎÌõ¡¢¼«¿®¤Ê¤·¡£-->
2164 <sect1>Operations on an Entire Chain<label id="chain-ops">
2166 <sect1>¥Á¥§¥¤¥ó¤ÎÁàºî<label id="chain-ops">
2170 A very useful feature of <tt>iptables</tt> is the ability to group
2171 related rules into chains. You can call the chains whatever you want,
2172 but I recommend using lower-case letters to avoid confusion with the
2173 built-in chains and targets. Chain names can be up to 31 letters
2176 <tt>iptables</tt> ¤Î¤È¤Æ¤â͸ú¤ÊÆÃħ¤Ï¡¢¥Á¥§¥¤¥óÃæ¤Î´ØÏ¢¤¹¤ë¥ë¡¼¥ë¤ò
2177 ¥°¥ë¡¼¥×²½¤Ç¤¤ë¤³¤È¤Ç¤¹¡£¤ªË¾¤ß¤Î¥Á¥§¥¤¥ó¤Ï²¿¤Ç¤â¸Æ¤Ó½Ð¤»¤Þ¤¹¤¬¡¢
2178 ÁȤ߹þ¤ßºÑ¤ß¥Á¥§¥¤¥ó¤ä¥¿¡¼¥²¥Ã¥È¤Èº®Æ±¤òÈò¤±¤ë¤¿¤á¾®Ê¸»ú¤ò»È¤¦
2179 ¤³¤È¤ò¤ª´«¤á¤·¤Þ¤¹¡£¥Á¥§¥¤¥ó¤Î̾Á°¤ÏºÇÂç 31ʸ»ú¤Þ¤Ç»È¤¨¤Þ¤¹¡£
2182 <sect2>Creating a New Chain
2184 <sect2>¿·¤·¤¤¥Á¥§¥¤¥ó¤òºî¤ë
2188 Let's create a new chain. Because I am such an imaginative fellow,
2189 I'll call it <tt>test</tt>. We use the `-N' or `--new-chain' options:
2191 ¿·¤·¤¤¥Á¥§¥¤¥ó¤òºî¤ê¤Þ¤·¤ç¤¦¡£»ä¤Ï¤È¤Ã¤Æ¤âÁϤÎϤËÉÙ¤ó¤ÀÌîϺ¤Ê¤Î¤Ç¡¢
2192 ¤½¤ì¤ò <tt>test</tt> ¤È̾ÉÕ¤±¤Þ¤¹¡£`-N' ¤Þ¤¿¤Ï `--new-chain' ¥ª¥×¥·¥ç¥ó
2202 It's that simple. Now you can put rules in it as detailed above.
2204 ¤³¤ì¤Ï´Êñ¤Ç¤¹¡£º£¤ä¡¢¤¢¤Ê¤¿¤Ï¤³¤ì¤Þ¤Ç¾ÜºÙ¤Ë½Ò¤Ù¤Æ¤¤¿¤è¤¦¤Ë¡¢¤³¤ì¤Ë
2205 ¥ë¡¼¥ë¤òÆþ¤ì¤ë¤³¤È¤¬¤Ç¤¤Þ¤¹¡£
2208 <sect2>Deleting a Chain
2210 <sect2>¥Á¥§¥¤¥ó¤òºï½ü¤¹¤ë
2214 Deleting a chain is simple as well, using the `-X' or `--delete-chain'
2215 options. Why `-X'? Well, all the good letters were taken.
2217 ¥Á¥§¥¤¥ó¤òºï½ü¤¹¤ë¤Î¤âƱÍͤ˴Êñ¤Ç¡¢`-X' ¤Þ¤¿¤Ï `--delete-chain'
2218 ¥ª¥×¥·¥ç¥ó¤ò»È¤¤¤Þ¤¹¡£¤Ê¤¼ `-X' ¤«¤Ã¤Æ? ¤¦¡¼¤ó¡¢¤è¤¤Ê¸»ú¤¬Á´¤Æ
2228 There are a couple of restrictions to deleting chains: they must be
2229 empty (see <ref id="flushing" name="Flushing a Chain"> below) and they
2230 must not be the target of any rule. You can't delete any of the three
2233 ¥Á¥§¥¤¥ó¤òºï½ü¤¹¤ë¤Ë¤Ï 2¤Ä¤ÎÀ©¸Â¤¬¤¢¤ê¤Þ¤¹ ¡½ ¤½¤Î¥Á¥§¥¤¥ó¤Ï¶õ¤Ç¤¢¤ëɬÍ×
2234 ¤¬¤¢¤ê(²¼µ¤Î<ref id="flushing" name="¥Á¥§¥¤¥ó¤ò¶õ¤Ë¤¹¤ë">¤ò¸«¤Æ¤¯¤À¤µ
2235 ¤¤)¡¢¤·¤«¤â¡¢·è¤·¤Æ¤É¤Î¥ë¡¼¥ë¤Î¥¿¡¼¥²¥Ã¥È¤Ë¤â¤Ê¤Ã¤Æ¤¤¤Ê¤¤¤³¤È¤Ç¤¹¡£
2236 ÁȤ߹þ¤ßºÑ¤ß¤Î 3¤Ä¤Î¥Á¥§¥¤¥ó¤Ï¤É¤ì¤âºï½ü¤Ç¤¤Þ¤»¤ó¡£
2240 If you don't specify a chain, then <em>all</em> user-defined chains
2241 will be deleted, if possible.
2243 ¤â¤·¡¢¥Á¥§¥¤¥ó̾¤ò»ØÄꤷ¤Ê¤±¤ì¤Ð¡¢<em>Á´¤Æ</em>¤Î¥æ¡¼¥¶ÄêµÁ¥Á¥§¥¤¥ó¤¬
2244 ²Äǽ¤Ê¸Â¤êºï½ü¤µ¤ì¤Þ¤¹¡£
2247 <sect2> Flushing a Chain<label id="flushing">
2249 <sect2>¥Á¥§¥¤¥ó¤ò¶õ¤Ë¤¹¤ë<label id="flushing">
2253 There is a simple way of emptying all rules out of a chain, using the
2254 `-F' (or `--flush') commands.
2256 ¥Á¥§¥¤¥ó¤«¤éÁ´¤Æ¤Î¥ë¡¼¥ë¤ò¼è¤êµî¤ê¶õ¤Ë¤¹¤ë¤Î¤Ï´Êñ¤Ç¡¢`-F' (¤Þ¤¿¤Ï
2257 `--flush') ¥³¥Þ¥ó¥É¤ò»È¤¤¤Þ¤¹¡£
2260 # iptables -F FORWARD
2263 <!-- 2000/9/13 Êѹ¹¤µ¤ì¤Þ¤·¤¿¡£-->
2267 If you don't specify a chain, then <em>all</em> chains will be flushed.
2269 ¤â¤·¡¢¥Á¥§¥¤¥ó̾¤ò»ØÄꤷ¤Ê¤±¤ì¤Ð¡¢<em>Á´¤Æ</em>¤Î¥Á¥§¥¤¥ó¤ò¶õ¤Ë¤·¤Þ¤¹¡£
2272 <sect2>Listing a Chain
2274 <sect2>¥Á¥§¥¤¥ó¤ÎÆâÍƤò¥ê¥¹¥È¥¢¥Ã¥×¤¹¤ë
2278 You can list all the rules in a chain by using the `-L' (or `--list')
2281 ¥Á¥§¥¤¥óÃæ¤ÎÁ´¤Æ¤Î¥ë¡¼¥ë¤ò¥ê¥¹¥È¥¢¥Ã¥×¤¹¤ë¤Ë¤Ï¡¢`-L' (¤Þ¤¿¤Ï `--list')
2282 ¥³¥Þ¥ó¥É¤ò»È¤¤¤Þ¤¹¡£
2286 The `refcnt' listed for each user-defined chain is the number of rules
2287 which have that chain as their target. This must be zero (and the
2288 chain be empty) before this chain can be deleted.
2290 ³Æ¡¹¤Î¥æ¡¼¥¶ÄêµÁ¥Á¥§¥¤¥ó¤Ëɽ¼¨¤µ¤ì¤ë `refcnt' ¤Ï¡¢¤½¤ì¤ò¥¿¡¼¥²¥Ã¥È¤Ë
2291 »ØÄꤷ¤Æ¤¤¤ë¥ë¡¼¥ë¤Î¿ô¤Ç¤¹¡£¤³¤Î¿ô¤¬ 0 ¤Ç¤Ê¤¤¤È(¤«¤Ä¥Á¥§¥¤¥ó¤¬¶õ¤Ç¤¢¤ë
2292 ¤³¤È)¡¢¤½¤Î¥Á¥§¥¤¥ó¤òºï½ü¤¹¤ë¤³¤È¤Ï¤Ç¤¤Þ¤»¤ó¡£
2296 If the chain name is omitted, all chains are listed, even empty ones.
2298 ¤â¤·¡¢¥Á¥§¥¤¥ó̾¤ò»ØÄꤷ¤Ê¤±¤ì¤Ð¡¢¶õ¤Î¤â´Þ¤á¤ÆÁ´¤Æ¤Î¥Á¥§¥¤¥ó¤Ë¤Ä¤¤¤Æ
2299 ¥ê¥¹¥È¥¢¥Ã¥×¤µ¤ì¤Þ¤¹¡£
2303 There are three options which can accompany `-L'. The `-n' (numeric)
2304 option is very useful as it prevents <tt>iptables</tt> from trying to
2305 lookup the IP addresses, which (if you are using DNS like most people)
2306 will cause large delays if your DNS is not set up properly, or you
2307 have filtered out DNS requests. It also causes TCP and UDP ports to
2308 be printed out as numbers rather than names.
2310 `-L' ¤Ë¤Ï 3¤Ä¤Î¥ª¥×¥·¥ç¥ó¤¬¤¢¤ê¤Þ¤¹¡£
2311 (¤¿¤¤¤Æ¤¤¤Î¿Í¡¹¤Ï DNS ¤ò»È¤Ã¤Æ¤¤¤Þ¤¹¤¬) DNS ¤¬Å¬ÀÚ¤ËÀßÄê
2312 ¤µ¤ì¤Æ¤¤¤Ê¤¤¾ì¹ç¤ä DNS ¤ÎÍ×µá¤ò¥Õ¥£¥ë¥¿¡¼¥¢¥¦¥È¤·¤Æ¤¤¤ë¾ì¹ç¤Ï¡¢
2313 <tt>iptables</tt> ¤¬ IP ¥¢¥É¥ì¥¹¤òÄ´¤Ù¤è¤¦¤È¤¹¤ë¤È¤¤ËŤ¯ÂÔ¤¿¤µ¤ì¤Þ¤¹¡£
2314 ¤½¤ì¤òËɤ°¤Î¤Ë `-n' (¿ôÃÍ)¥ª¥×¥·¥ç¥ó¤Ï¤È¤Æ¤â͸ú¤Ç¤¹¡£¤³¤Î¥ª¥×¥·¥ç¥ó¤Ï
2315 ¤Þ¤¿¡¢TCP ¤ä UDP ¥Ý¡¼¥È¤ò̾Á°¤Ç¤Ï¤Ê¤¯ÈÖ¹æ¤Çɽ¼¨¤·¤Þ¤¹¡£
2319 The `-v' options shows you all the details of the rules, such as the
2320 the packet and byte counters, the TOS comparisons, and the interfaces.
2321 Otherwise these values are omitted.
2323 `-v' ¥ª¥×¥·¥ç¥ó¤Ï¥ë¡¼¥ë¤Î¾ÜºÙ¤òÁ´¤Æ¡¢Î㤨¤Ð¡¢¥Ñ¥±¥Ã¥È¤ä¥Ð¥¤¥È¤Î
2324 ¥«¥¦¥ó¥¿¡¼¡¢TOS ¥Þ¥¹¥¯¡¢¤½¤·¤Æ¥¤¥ó¥¿¡¼¥Õ¥§¥¤¥¹¡¢¤òɽ¼¨¤·¤Þ¤¹¡£
2325 ¤³¤Î¥ª¥×¥·¥ç¥ó¤ò»ØÄꤷ¤Ê¤±¤ì¤Ð¡¢¤³¤ì¤é¤ÎÃͤϾÊά¤µ¤ì¤Þ¤¹¡£
2326 <!-- TOS comparisons ¤¬Ê¬¤«¤ê¤Þ¤»¤ó¡£man ¤«¤é¡¢°ì±þ ¥Þ¥¹¥¯ ¤Ë -->
2330 Note that the packet and byte counters are printed out using the
2331 suffixes `K', `M' or `G' for 1000, 1,000,000 and 1,000,000,000
2332 respectively. Using the `-x' (expand numbers) flag as well prints the
2333 full numbers, no matter how large they are.
2335 Ãíµ¤È¤·¤Æ¡¢¥Ñ¥±¥Ã¥È¤È¥Ð¥¤¥È¤Î¥«¥¦¥ó¥¿¡¼¤Ï¡¢1000, 1,000,000 ¤ª¤è¤Ó
2336 1,000,000,000 ¤ò¡¢¤½¤ì¤¾¤ì `K', `M' ¤ª¤è¤Ó `G' ¤ÎÀÜÈø¼¤ò»È¤Ã¤Æɽ¼¨
2337 ¤·¤Þ¤¹¡£`-x' (³ÈÄ¥¿ôÃÍ)¥ª¥×¥·¥ç¥ó¤ò»È¤¦¤È¡¢ÃͤÎÂ礤µ¤Ë¤«¤«¤ï¤é¤º´°Á´¤Ê¿ôÃÍ
2338 ¤òƱÍͤËɽ¼¨¤·¤Þ¤¹¡£
2341 <sect2>Resetting (Zeroing) Counters
2343 <sect2>¥«¥¦¥ó¥¿¡¼¤ò¥ê¥»¥Ã¥È(¥¼¥í¤Ë)¤¹¤ë
2347 It is useful to be able to reset the counters. This can be done with
2348 the `-Z' (or `--zero') option.
2350 ¥«¥¦¥ó¥¿¡¼¤ò¥ê¥»¥Ã¥È¤Ç¤¤ë¤ÈÊØÍø¤Ç¤¹¡£¤³¤ì¤Ï `-Z' (¤Þ¤¿¤Ï `--zero')
2351 ¥ª¥×¥·¥ç¥ó¤Ç¤Ç¤¤Þ¤¹¡£
2355 Consider the following:
2357 °Ê²¼¤Ë¤Ä¤¤¤Æ¹Í¤¨¤Æ¤ß¤Þ¤·¤ç¤¦:
2360 # iptables -L FORWARD
2361 # iptables -Z FORWARD
2366 In the above example, some packets could pass through between the `-L'
2367 and `-Z' commands. For this reason, you can use the `-L' and `-Z'
2368 <em>together</em>, to reset the counters while reading them.
2370 <!-- 2000/9/13 Êѹ¹¤µ¤ì¤Þ¤·¤¿¡£-->
2372 ¤³¤Î¤ä¤êÊý¤Ç¤Ï¡¢¥ê¥»¥Ã¥È¤¹¤ëľÁ°¤Î¥«¥¦¥ó¥¿¡¼ÃͤòÃΤëɬÍפ¬¤¢¤ë¤È¤¤Ë
2374 ¾åµ¤ÎÊýË¡¤Ç¤Ï¡¢`-L' ¤«¤é `-Z' ¥³¥Þ¥ó¥É¤Þ¤Ç¤Î´Ö¤Ë
2375 ¤¤¤¯¤Ä¤«¤Î¥Ñ¥±¥Ã¥È¤¬Ä̲᤹¤ë¤«¤â¤·¤ì¤Þ¤»¤ó¡£¤½¤Î¤¿¤á¡¢¥«¥¦¥ó¥¿¡¼¤ò
2376 Æɤà¤ÈƱ»þ¤Ë¥ê¥»¥Ã¥È¤¹¤ë¤Ë¤Ï¡¢`-L' ¤È `-Z' ¤ò<em>Ʊ»þ¤Ë</em>»È¤¤¤Þ¤¹¡£
2379 <sect2>Setting Policy<label id="policy">
2381 <sect2>¥Ý¥ê¥·¡¼¤òÀßÄꤹ¤ë<label id="policy">
2385 We glossed over what happens when a packet hits the end of a built-in
2386 chain when we discussed how a packet walks through chains earlier. In
2387 this case, the <bf>policy</bf> of the chain determines the fate of the
2388 packet. Only built-in chains (<tt>INPUT</tt>, <tt>OUTPUT</tt> and
2389 <tt>FORWARD</tt>) have policies, because if a packet falls off the end
2390 of a user-defined chain, traversal resumes at the previous chain.
2392 °ÊÁ°¤Ë¥Ñ¥±¥Ã¥È¤¬¤É¤Î¤è¤¦¤Ë¥Á¥§¥¤¥ó¤òÄ̤êÈ´¤±¤ë¤Î¤«ÏÀ¤¸¤¿¤È¤¡¢¥Ñ¥±¥Ã¥È¤¬
2393 ÁȤ߹þ¤ßºÑ¤ß¥Á¥§¥¤¥ó¤Î½ª¤ï¤ê¤Ë㤷¤¿¤È¤²¿¤¬µ¯¤¤ë¤Î¤«ÂçÂνҤ٤ޤ·¤¿¡£
2394 ¤³¤Î¾ì¹ç¡¢¥Á¥§¥¤¥ó¤Î<bf>¥Ý¥ê¥·¡¼</bf>¤¬¤½¤Î¥Ñ¥±¥Ã¥È¤Î±¿Ì¿¤ò·èÄꤷ¤Þ¤¹¡£
2395 ÁȤ߹þ¤ßºÑ¤ß¥Á¥§¥¤¥ó(<tt>INPUT</tt>, <tt>OUTPUT</tt> ¤ª¤è¤Ó
2396 <tt>FORWARD</tt>)¤À¤±¤¬¥Ý¥ê¥·¡¼¤ò»ý¤Ã¤Æ¤¤¤Þ¤¹¡£¤Ê¤¼¤Ê¤é¡¢¥Ñ¥±¥Ã¥È¤¬
2397 ¥æ¡¼¥¶ÄêµÁ¥Á¥§¥¤¥ó¤Î½ª¤ï¤ê¤Þ¤Ç²¼¤êÍî¤Á¤ë¤È¡¢Á°¤Î¥Á¥§¥¤¥ó¤ËÌá¤Ã¤Æ¹Ô¤¯
2402 The policy can be either <tt>ACCEPT</tt> or <tt>DROP</tt>, for
2405 ¥Ý¥ê¥·¡¼¤Ï <tt>ACCEPT</tt> ¤« <tt>DROP</tt> ¤Î¤É¤Á¤é¤«¤Ç¤¹¡£
2407 <!-- 2000/9/13 Äɲ䵤ì¤Þ¤·¤¿¡£-->
2410 # iptables -P FORWARD DROP
2415 <sect> Using ipchains and ipfwadm<label id="oldstyle">
2417 <sect>ipchains ¤È ipfwadm ¤ò»È¤¦<label id="oldstyle">
2420 <p> There are modules in the netfilter distribution called ipchains.o
2421 and ipfwadm.o. Insert one of these in your kernel (NOTE: they are
2422 incompatible with ip_tables.o!). Then you can use ipchains or ipfwadm
2423 just like the good old days.
2425 <p>netfilter ¤ÎÇÛÉÛʪ¤ÎÃæ¤Ë¡¢ipchains.o ¤È ipfwadm.o ¤È¤¤¤¦Ì¾Á°¤Î
2426 ¥â¥¸¥å¡¼¥ë¤¬¤¢¤ê¤Þ¤¹¡£¥«¡¼¥Í¥ë¤Ë¡¢¤³¤Î¤¦¤Á¤Î°ìÊý¤òÁÞÆþ¤·¤Æ¤¯¤À¤µ¤¤
2427 (Ãíµ: ¤³¤ì¤é¤Ï¡¢ip_tables.o
2428 ¤ÈƱ»þ¤Ë»È¤¨¤Þ¤»¤ó!)¡£¤½¤¦¤¹¤ì¤Ð¡¢¸Å¤Îɤ»þÂå¤Î¤è¤¦¤Ë ipchains
2429 ¤Þ¤¿¤Ï ipfwadm ¤¬»È¤¨¤Þ¤¹¡£
2430 <!-- Rusty ¤Ë¥â¥¸¥å¡¼¥ë̾¤òÌ䤤¹ç¤ï¤»Ãæ - 9/19 ÄûÀµ¤µ¤ì¤Þ¤·¤¿¡£-->
2433 <p> This will be supported for some time yet. I think a reasonable
2434 formula is 2 * [notice of replacement - initial stable release],
2435 beyond the date that a stable release of the replacement is available.
2436 This means that support will probably be dropped in Linux 2.6 or 2.8.
2438 <p>¤³¤ì¤é¤Ï¡¢¤¤¤Ä¤Þ¤Ç¤â¥µ¥Ý¡¼¥È¤µ¤ì¤ë¤ï¤±¤Ç¤Ï¤¢¤ê¤Þ¤»¤ó¡£»ä¤¬¹Í¤¨¤ë
2439 ¹çÍýŪ¤Ê¸ø¼°¤Ï¡¢Âå¤ï¤ê¤Î°ÂÄêÈǤ¬ÍøÍѤǤ¤ë¤è¤¦¤Ë¤Ê¤Ã¤¿Æü¤«¤é
2440 2 *¡Î¸òÂåÄ̹ð - °ÂÄêÈǽé¥ê¥ê¡¼¥¹¡Ï¤Î´Ö¤Ç¤¹¡£
2441 ¤³¤ì¤Ï¡¢¤¿¤Ö¤ó¡¢Linux 2.6 ¤« 2.8 ¤Ç¥µ¥Ý¡¼¥È¤¬ÂǤÁÀÚ¤é¤ì¤ë¤³¤È¤ò°ÕÌ£¤·¤Þ¤¹¡£
2443 <!-- 2001/08/15 ¥µ¥Ý¡¼¥È´ü´Ö¤Î¼°¤¬ºï½ü¤µ¤ì¤Þ¤·¤¿¡£-->
2446 <sect> Mixing NAT and Packet Filtering
2448 <sect>NAT ¤È¥Ñ¥±¥Ã¥È¥Õ¥£¥ë¥¿¥ê¥ó¥°¤Îº®¹ç
2452 It's common to want to do Network Address Translation (see the NAT
2453 HOWTO) and packet filtering. The good news is that they mix extremely
2456 ¥Í¥Ã¥È¥ï¡¼¥¯¥¢¥É¥ì¥¹ÊÑ´¹(NAT HOWTO ¤ò¸«¤Æ¤¯¤À¤µ¤¤(ÌõÃí: ÆüËܸìÌõ¤¬
2457 ¤¢¤ê¤Þ¤¹))¤È¥Ñ¥±¥Ã¥È¥Õ¥£¥ë¥¿¥ê¥ó¥°¤òƱ»þ¤Ë¤ä¤ê¤¿¤¤¤È¤¤¬¤è¤¯¤¢¤ê¤Þ¤¹¡£
2458 ¤è¤¤¤ªÃΤ餻¤Ç¤¹ ¡½ 2¤Ä¤Ï¼Â¤Ë¤è¤¯Ä´Ï¤·¤Þ¤¹¡£
2461 <p>You design your packet filtering completely ignoring any NAT you
2462 are doing. The sources and destinations seen by the packet filter
2463 will be the `real' sources and destinations. For example, if you are
2464 doing DNAT to send any connections to 1.2.3.4 port 80 through to
2465 10.1.1.1 port 8080, the packet filter would see packets going to
2466 10.1.1.1 port 8080 (the real destination), not 1.2.3.4 port 80.
2467 Similarly, you can ignore masquerading: packets will seem to come from
2468 their real internal IP addresses (say 10.1.1.1), and replies will seem
2471 <p>¤¢¤Ê¤¿¤Ï NAT ¤Î¤³¤È¤Ï´°Á´¤Ë˺¤ì¤Æ¡¢¥Ñ¥±¥Ã¥È¥Õ¥£¥ë¥¿¥ê¥ó¥°¤ÎÀ߷פò
2472 ¤·¤Æ¤¯¤À¤µ¤¤¡£¥Ñ¥±¥Ã¥È¥Õ¥£¥ë¥¿¡¼¤Ë¤È¤Ã¤Æ¤Î¥½¡¼¥¹¤È¤¢¤ÆÀè¤Ï
2473 ¡Æ¼ÂºÝ¤Î¡Ç¥½¡¼¥¹¤È¤¢¤ÆÀè¤Ç¤¹¡£Î㤨¤Ð¡¢IP ¥¢¥É¥ì¥¹ 1.2.3.4 ¥Ý¡¼¥ÈÈÖ¹æ 80
2474 ¤ËÀܳ¤·¤Æ¤¯¤ë¤â¤Î¤Ï²¿¤Ç¤â IP ¥¢¥É¥ì¥¹ 10.1.1.1 ¥Ý¡¼¥ÈÈÖ¹æ 8080 ¤ØžÁ÷
2475 ¤¹¤ë DNAT(ÌõÃí: ¤¢¤ÆÀè NAT¡¢°ìÈÌŪ¤Ê NAT ¤Î¤³¤È)¤ò¤¹¤ë¤Ê¤é¡¢¥Ñ¥±¥Ã¥È
2476 ¥Õ¥£¥ë¥¿¡¼¤Ë¤Ï¡¢1.2.3.4 ¤Î 80 ¤Ç¤Ï¤Ê¤¯¤Æ¡¢10.1.1.1 ¤Î 8080 (¼ÂºÝ¤Î
2477 ¤¢¤ÆÀè)¤Ø¡¢¥Ñ¥±¥Ã¥È¤¬¹Ô¤¯¤è¤¦¤Ë¸«¤¨¤Þ¤¹¡£Æ±Íͤˡ¢IP ¥Þ¥¹¥«¥ì¡¼¥É¤Î
2478 ¤³¤È¤â˺¤ì¤ë¤³¤È¤¬¤Ç¤¤Þ¤¹ ¡½ ¥Ñ¥±¥Ã¥È¤¬¼ÂºÝ¤ÎÆâÉô IP ¥¢¥É¥ì¥¹(Î㤨¤Ð
2479 10.1.1.1)¤«¤éÍè¤Æ¡¢±þÅú¥Ñ¥±¥Ã¥È¤â¤½¤³¤ØÌá¤Ã¤Æ¹Ô¤¯¤è¤¦¤Ë¸«¤¨¤Þ¤¹¡£
2482 <p>You can use the `state' match extension without making the packet
2483 filter do any extra work, since NAT requires connection tracking
2484 anyway. To enhance the simple masquerading example in the NAT HOWTO
2485 to disallow any new connections from coming in the ppp0 interface, you
2488 <p>NAT ¤Ë¤Ï¡¢¤È¤Ë¤«¤¯¥³¥Í¥¯¥·¥ç¥óÄÉÀפ¬É¬ÍפʤΤǡ¢¥Ñ¥±¥Ã¥È¥Õ¥£¥ë¥¿¡¼¤Ë
2489 ;ʬ¤Ê»Å»ö¤ò¤µ¤»¤º¤Ë `state' ¥Þ¥Ã¥Á¤ò»È¤¦¤³¤È¤¬¤Ç¤¤Þ¤¹¡£NAT HOWTO ¤Î
2490 ´Êñ¤Ê¥Þ¥¹¥«¥ì¡¼¥É¤ÎÎã¤òÁý¶¯¤·¤Æ ppp0 ¥¤¥ó¥¿¡¼¥Õ¥§¥¤¥¹¤«¤éÆþ¤Ã¤ÆÍè¤ë
2491 ¤É¤ó¤Ê¿·¤·¤¤¥³¥Í¥¯¥·¥ç¥ó¤â¶Ø»ß¤¹¤ë¤¿¤á¤Ë¤Ï¡¢¤³¤Î¤è¤¦¤Ë¤·¤Þ¤¹:
2495 # Masquerade out ppp0
2496 iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
2498 # Disallow NEW and INVALID incoming or forwarded packets from ppp0.
2499 iptables -A INPUT -i ppp0 -m state --state NEW,INVALID -j DROP
2500 iptables -A FORWARD -i ppp0 -m state --state NEW,INVALID -j DROP
2502 # Turn on IP forwarding
2503 echo 1 > /proc/sys/net/ipv4/ip_forward
2506 # ppp0 ¤«¤é½Ð¤Æ¹Ô¤¯¤â¤Î¤ò¥Þ¥¹¥«¥ì¡¼¥É¤¹¤ë
2507 iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
2509 # ppp0 ¤«¤éÆþ¤Ã¤ÆÍè¤ë¥Ñ¥±¥Ã¥È¤Ç¿·µ¬¤È̵¸ú¤Î¤â¤Î¤òÆþÎϤȥե©¥ï¡¼¥É¤Ç¶Ø»ß¤¹¤ë
2510 iptables -A INPUT -i ppp0 -m state --state NEW,INVALID -j DROP
2511 iptables -A FORWARD -i ppp0 -m state --state NEW,INVALID -j DROP
2513 # IP ¥Õ¥©¥ï¡¼¥Ç¥£¥ó¥°¤ò ON ¤Ë¤¹¤ë
2514 echo 1 > /proc/sys/net/ipv4/ip_forward
2518 <sect> Differences Between iptables and ipchains<label id="Appendix-A">
2520 <sect>iptables ¤È ipchains ¤Î°ã¤¤<label id="Appendix-A">
2525 <item> Firstly, the names of the built-in chains have changed from
2526 lower case to UPPER case, because the INPUT and OUTPUT chains now only
2527 get locally-destined and locally-generated packets. They used to see
2528 all incoming and all outgoing packets respectively.
2530 <item>¤Þ¤º½é¤á¤Ë¡¢ÁȤ߹þ¤ßºÑ¤ß¥Á¥§¥¤¥ó¤Î̾Á°¤ò¾®Ê¸»ú¤«¤éÂçʸ»ú¤ËÊѹ¹
2531 ¤·¤Þ¤·¤¿¡£¤½¤ÎÍýͳ¤Ï¡¢INPUT ¤È OUTPUT ¥Á¥§¥¤¥ó¤¬°·¤¦¤Î¤Ï¡¢º£¤Ç¤Ï³Æ¡¹¡¢
2532 ¹Ô¤À褬¥í¡¼¥«¥ë¤Î¥Ñ¥±¥Ã¥È¤È¥í¡¼¥«¥ë¤ÇÀ¸À®¤µ¤ì¤¿¥Ñ¥±¥Ã¥È¡¢¤À¤±¤Ë
2533 ¤Ê¤Ã¤¿¤«¤é¤Ç¤¹¡£¤³¤Î 2¤Ä¤Î¥Á¥§¥¤¥ó¤Ï¡¢Á´¤Æ¤ÎÆþÎϤª¤è¤ÓÁ´¤Æ¤Î½ÐÎÏ
2534 ¥Ñ¥±¥Ã¥È¤ò¤½¤ì¤¾¤ì¸«¤ë¤¿¤á¤Ë»È¤ï¤ì¤Þ¤¹¡£
2537 <item> The `-i' flag now means the incoming interface, and only works
2538 in the INPUT and FORWARD chains. Rules in the FORWARD or OUTPUT
2539 chains that used `-i' should be changed to `-o'.
2541 <item>`-i' ¥ª¥×¥·¥ç¥ó¤Ïº£¤Ç¤ÏÆþÎÏ¥¤¥ó¥¿¡¼¥Õ¥§¥¤¥¹¤ò°ÕÌ£¤·¡¢¤·¤«¤â INPUT ¤È
2542 FORWARD ¥Á¥§¥¤¥ó¤Ç¤Î¤ß͸ú¤Ç¤¹¡£FORWARD ¤« OUTPUT ¥Á¥§¥¤¥ó¤Ç `-i' ¤ò
2543 »ÈÍѤ·¤Æ¤¤¤ë¥ë¡¼¥ë¤Ï `-o' ¤ËÊѹ¹¤·¤Æ¤¯¤À¤µ¤¤¡£
2546 <item> TCP and UDP ports now need to be spelled out with the
2547 --source-port or --sport (or --destination-port/--dport) options, and
2548 must be placed after the `-p tcp' or `-p udp' options, as this loads
2549 the TCP or UDP extensions respectively.
2551 <item>TCP ¤ª¤è¤Ó UDP ¤Î¥Ý¡¼¥È¤Ïº£¤Ç¤Ï¡¢--source-port ¤Þ¤¿¤Ï --sport
2552 (¤Þ¤¿¤Ï --destination-port/--dport) ¤È¤¤¤¦¥¹¥Ú¥ë¤Ç¥ª¥×¥·¥ç¥ó¤ò½ñ¤¯É¬Í×
2553 ¤¬¤¢¤ê¡¢TCP ¤Þ¤¿¤Ï UDP ¤Î³ÈÄ¥¤ò¤½¤ì¤¾¤ì¥í¡¼¥É¤¹¤ë¤¿¤á¤Ë¡¢`-p tcp' ¤Þ¤¿¤Ï
2554 `-p udp' ¥ª¥×¥·¥ç¥ó¤Î¸å¤ËÃÖ¤¯É¬Íפ¬¤¢¤ê¤Þ¤¹¡£
2557 <item> The TCP -y flag is now --syn, and must be after `-p tcp'.
2559 <item>TCP ¤Î -y ¥ª¥×¥·¥ç¥ó¤Ïº£¤Ç¤Ï --syn ¤Ë¤Ê¤ê¡¢`-p tcp' ¤Î¸å¤ËÃÖ¤¯É¬Íפ¬
2563 <item> The DENY target is now DROP, finally.
2565 <item>DENY ¥¿¡¼¥²¥Ã¥È¤Ï¡¢·ë¶É¤Î¤È¤³¤íº£¤Ç¤Ï DROP ¤Ë¤Ê¤ê¤Þ¤·¤¿¡£
2568 <item> Zeroing single chains while listing them works.
2570 <item>°ìÅ٤˥Á¥§¥¤¥ó¤ÎÆâÍƤΥꥹ¥È¥¢¥Ã¥×¤È¥ê¥»¥Ã¥È¤¬¤Ç¤¤ë¤è¤¦¤Ë¤Ê¤ê¤Þ¤·¤¿¡£
2571 <!-- single ¤Ï Zeroing ¤Ë¤«¤«¤ëÉû»ì¤È¹Í¤¨¤Þ¤·¤¿¡£-->
2574 <item> Zeroing built-in chains also clears policy counters.
2576 <item>ÁȤ߹þ¤ßºÑ¤ß¥Á¥§¥¤¥ó¤ò¥ê¥»¥Ã¥È¤¹¤ë¤È¥Ý¥ê¥·¡¼¥«¥¦¥ó¥¿¡¼(ÌõÃí:
2577 ¥Ý¥ê¥·¡¼¤¬Å¬ÍѤµ¤ì¤¿¥Ñ¥±¥Ã¥È¤Î¸Ä¿ô¤È¥Ð¥¤¥È¿ô)¤â¥¯¥ê¥¢¡¼¤µ¤ì¤Þ¤¹¡£
2580 <item> Listing chains gives you the counters as an atomic snapshot.
2582 <item>¥Á¥§¥¤¥ó¤ÎÆâÍƤΥꥹ¥È¥¢¥Ã¥×¤Ï¡¢¤½¤Î½Ö´Ö¤Î¥«¥¦¥ó¥¿¡¼¤òɽ¼¨¤·¤Þ¤¹¡£
2585 <item> REJECT and LOG are now extended targets, meaning they are
2586 separate kernel modules.
2588 <item>REJECT ¤È LOG ¤Ïº£¤Ç¤Ï³ÈÄ¥¥¿¡¼¥²¥Ã¥È¤Ë¤Ê¤ê¡¢¸Ä¡¹¤Ë¥«¡¼¥Í¥ë
2589 ¥â¥¸¥å¡¼¥ë¤Ë¤Ê¤ê¤Þ¤·¤¿¡£
2592 <item> Chain names can be up to 31 characters.
2594 <item>¥Á¥§¥¤¥ó̾¤Ï 31ʸ»ú¤Þ¤Ç»È¤¨¤ë¤è¤¦¤Ë¤Ê¤ê¤Þ¤·¤¿¡£
2597 <item> MASQ is now MASQUERADE and uses a different syntax. REDIRECT,
2598 while keeping the same name, has also undergone a syntax change. See
2599 the NAT-HOWTO for more information on how to configure both of these.
2601 <item>MASQ ¤Ïº£¤Ç¤Ï MASQUERADE ¤Ç¡¢°ã¤¦½ñ¼°¤Ë¤Ê¤ê¤Þ¤·¤¿¡£REDIRECT ¤Ï
2602 ̾Á°¤ÏÊѤï¤ê¤Þ¤»¤ó¤¬¡¢¤³¤ì¤â¤Þ¤¿½ñ¼°¤¬ÊѤï¤ê¤Þ¤·¤¿¡£Î¾Êý¤È¤â¡¢
2603 ÀßÄêÊýË¡¤Ë¤Ä¤¤¤Æ¤Î¤è¤ê¿¤¯¤Î¾ðÊó¤¬É¬Íפʤ顢NAT HOWTO ¤ò¸«¤Æ¤¯¤À¤µ¤¤¡£
2606 <item> The -o option is no longer used to direct packets to the userspace
2607 device (see -i above). Packets are now sent to userspace via the QUEUE
2610 <item>-o ¥ª¥×¥·¥ç¥ó¤Ï¤â¤Ï¤ä¡¢¥æ¡¼¥¶¶õ´Ö¥Ç¥Ð¥¤¥¹¤Ë¥Ñ¥±¥Ã¥È¤ò¸þ¤±¤ëÌÜŪ¤Ë
2611 »È¤ï¤ì¤Æ¤¤¤Þ¤»¤ó(¾åµ¤Î -i ¤ò¸«¤Æ¤¯¤À¤µ¤¤)¡£º£¤Ç¤Ï¡¢¥Ñ¥±¥Ã¥È¤Ï QUEUE
2612 ¥¿¡¼¥²¥Ã¥È¤Ë¤è¤ê¥æ¡¼¥¶¶õ´Ö¤ËÁ÷¤é¤ì¤Þ¤¹¡£
2615 <item> Probably heaps of other things I forgot.
2617 <item>¤ª¤½¤é¤¯¡¢¤³¤Î¾¤Ë»ä¤¬Ëº¤ì¤Æ¤¤¤ë¤³¤È¤¬¤¿¤¯¤µ¤ó¤¢¤ë¤Ç¤·¤ç¤¦¡£
2621 <sect> Advice on Packet Filter Design
2623 <sect>¥Ñ¥±¥Ã¥È¥Õ¥£¥ë¥¿¡¼ÀßÄê¤Î¥¢¥É¥Ð¥¤¥¹
2627 Common wisdom in the computer security arena is to block everything,
2628 then open up holes as neccessary. This is usually phrased `that which
2629 is not explicitly allowed is prohibited'. I recommend this approach
2630 if security is your maximal concern.
2632 ¥³¥ó¥Ô¥å¡¼¥¿¤Î¥»¥¥å¥ê¥Æ¥£Ê¬Ìî¤Ç¤Î¾ï¼±¤Ï¡¢Á´¤Æ¤ò¥Ö¥í¥Ã¥¯¤·¡¢¤½¤Î¸å¤Ë
2633 ɬÍפȤ¹¤ë·ê¤ò¶õ¤±¤ë¤³¤È¤Ç¤¹¡£¤³¤ì¤ÏÄ̾ï¡ÖÌÀÇò¤Ç¤Ê¤¤â¤Îµö¤¹¤Ù¤«¤é¤º¡×
2634 ¤È¡¢´·ÍѶç¤Ç¸À¤ï¤ì¤Þ¤¹¡£¥»¥¥å¥ê¥Æ¥£¤¬¤¢¤Ê¤¿¤ÎºÇÂç¤Î´Ø¿´»ö¤Ê¤é¡¢¤³¤Î
2635 ¥¢¥×¥í¡¼¥Á¤ò¤ª´«¤á¤·¤Þ¤¹¡£
2636 <!-- ¤³¤Î´·ÍѶç¤Ï¥Æ¥¥È¡¼¤Ç¤¹¡£-->
2639 <p>Do not run any services you do not need to, even if you think you
2640 have blocked access to them.
2642 <p>ɬÍפǤʤ¤¥µ¡¼¥Ó¥¹¤ÏÆ°¤«¤·¤Æ¤Ï¤¤¤±¤Þ¤»¤ó ¡½ ¤¿¤È¤¨¡¢¤¢¤Ê¤¿¤¬¤½¤ì¤é
2643 ¤Ø¤Î¥¢¥¯¥»¥¹¤ò¥Ö¥í¥Ã¥¯¤·¤Æ¤¤¤ë¤«¤éÂç¾æÉפȻפäƤ¤¤Æ¤â¡£
2646 <p>If you are creating a dedicated firewall, start by running nothing,
2647 and blocking all packets, then add services and let packets through as
2650 <p>¤¢¤Ê¤¿¤¬¥Õ¥¡¥¤¥¢¡¼¥¦¥©¡¼¥ëÀìÍѵ¡¤òºî¤Ã¤Æ¤¤¤ë¤Ê¤é¡¢²¿¤âÆ°¤«¤µ¤º¡¢Á´¤Æ¤Î
2651 ¥Ñ¥±¥Ã¥È¤ò¥Ö¥í¥Ã¥¯¤¹¤ë¤È¤³¤í¤«¤é»Ï¤á¤Æ¤¯¤À¤µ¤¤¡£¤½¤ì¤«¤é¥µ¡¼¥Ó¥¹¤òÄɲä·
2652 ɬÍפʥѥ±¥Ã¥È¤òÄ̲ᤵ¤»¤ë¤è¤¦¤Ë¤·¤Æ¤¯¤À¤µ¤¤¡£
2655 <p>I recommend security in depth: combine tcp-wrappers (for
2656 connections to the packet filter itself), proxies (for connections
2657 passing through the packet filter), route verification and packet
2658 filtering. Route verification is where a packet which comes from an
2659 unexpected interface is dropped: for example, if your internal network
2660 has addresses 10.1.1.0/24, and a packet with that source address comes
2661 in your external interface, it will be dropped. This can be enabled
2662 for one interface (ppp0) like so:
2664 <p>¼¡¤Î¤â¤Î¤òÁȤ߹ç¤ï¤»¤Æ¥»¥¥å¥ê¥Æ¥£¤ò¤è¤ê¿¼¤á¤ë¤³¤È¤ò¤ª´«¤á¤·¤Þ¤¹:
2665 TCP Wrappers (¥Ñ¥±¥Ã¥È¥Õ¥£¥ë¥¿¡¼¼«¿È¤Ø¤ÎÀܳ¤ËÂФ·¤Æ)¡¢
2666 ¥×¥í¥¥·¡¼(¥Ñ¥±¥Ã¥È¥Õ¥£¥ë¥¿¡¼¤òÄ̤êÈ´¤±¤ëÀܳ¤ËÂФ·¤Æ)
2667 (ÌõÃí: ¤³¤Î¥Ñ¥±¥Ã¥È¥Õ¥£¥ë¥¿¡¼¤È¤Ï¹µÁ¤Ë Linux ¥Ü¥Ã¥¯¥¹¤È²ò¼á¤¹¤ë
2668 ¤Û¤¦¤¬¤è¤¤¤Ç¤·¤ç¤¦)¡¢
2669 ¥ë¡¼¥È(·ÐÏ©)¸¡¾Ú¡¢¤½¤·¤Æ¡¢¥Ñ¥±¥Ã¥È¥Õ¥£¥ë¥¿¥ê¥ó¥°¡£
2670 ¥ë¡¼¥È¸¡¾Ú¤È¤Ïͽ´ü¤·¤Ê¤¤¥¤¥ó¥¿¡¼¥Õ¥§¥¤¥¹¤«¤éÍè¤ë¥Ñ¥±¥Ã¥È¤òÇË´þ¤¹¤ë
2671 ¤³¤È¤Ç¤¹(ÌõÃí: ¥«¡¼¥Í¥ë¥³¥ó¥Õ¥£¥®¥å¥ì¡¼¥·¥ç¥ó¤Î
2672 CONFIG_IP_ADVANCED_ROUTER »²¾È)¡£
2673 Î㤨¤Ð¡¢ÆâÉô¥Í¥Ã¥È¥ï¡¼¥¯¥¢¥É¥ì¥¹¤¬ 10.1.1.0/24 ¤Ç¤¢¤ë¤È¤·¤Æ¡¢
2674 ³°Éô¥¤¥ó¥¿¡¼¥Õ¥§¥¤¥¹¤«¤éÆþ¤Ã¤ÆÍè¤ë¥Ñ¥±¥Ã¥È¤Ç¥½¡¼¥¹¥¢¥É¥ì¥¹¤¬
2675 ÆâÉô¥Í¥Ã¥È¥ï¡¼¥¯¥¢¥É¥ì¥¹¤Ë¤Ê¤Ã¤Æ¤¤¤ì¤Ð¡¢¤½¤ì¤ÏÇË´þ¤µ¤ì¤Þ¤¹¡£
2676 ¤³¤ì¤ò¤¢¤ë¥¤¥ó¥¿¡¼¥Õ¥§¥¤¥¹(ppp0)¤Ç͸ú¤Ë¤¹¤ë¤¿¤á¤Ë¤Ï°Ê²¼¤Î¤è¤¦¤Ë¤·¤Þ¤¹:
2677 <!-- Route Verification ¤Î·è¤Þ¤Ã¤¿Ìõ¸ì¤¬¤¢¤ì¤Ð¡¢¶µ¤¨¤Æ¤¯¤À¤µ¤¤¡£-->
2680 # echo 1 > /proc/sys/net/ipv4/conf/ppp0/rp_filter
2685 Or for all existing and future interfaces like this:
2687 ¤¢¤ë¤¤¤Ï¡¢Á´¤Æ¤Î¸ºß¤¹¤ë¤½¤·¤Æ¾Íè¤Î¥¤¥ó¥¿¡¼¥Õ¥§¥¤¥¹¤Î¤¿¤á¤Ë¤Ï¡¢
2691 # for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
2698 Debian does this by default where possible. If you have asymmetric
2699 routing (ie. you expect packets coming in from strange directions),
2700 you will want to disable this filtering on those interfaces.
2702 Debian ¤Ç¤Ï¡¢²Äǽ¤Ê¤é¥Ç¥Õ¥©¥ë¥È¤Ç¾åµ¤Î¤è¤¦¤ËÀßÄꤷ¤Þ¤¹¡£¤â¤·¡¢¤¢¤Ê¤¿¤¬
2703 ÈóÂоΥ롼¥Æ¥£¥ó¥°¤ò¹Ô¤Ã¤Æ¤¤¤ë¤Ê¤é(¤¹¤Ê¤ï¤Á¡¢ÊѤï¤Ã¤¿Êý¸þ¤«¤é
2704 ¥Ñ¥±¥Ã¥È¤¬Íè¤ë¤Î¤ò´üÂÔ¤·¤Æ¤¤¤ë)¡¢¤½¤ì¤é¤Î¥¤¥ó¥¿¡¼¥Õ¥§¥¤¥¹¤Ç¤Ï
2705 ¤³¤Î¥Õ¥£¥ë¥¿¥ê¥ó¥°¤ò̵¸ú¤Ë¤·¤¿¤¤¤Ç¤·¤ç¤¦¡£
2708 <p>Logging is useful when setting up a firewall if something isn't
2709 working, but on a production firewall, always combine it with the
2710 `limit' match, to prevent someone from flooding your logs.
2712 <p>¥Õ¥¡¥¤¥¢¡¼¥¦¥©¡¼¥ë¤ÎºîÀ®»þ¤Ð¤«¤ê¤Ç¤Ï¤Ê¤¯¡¢¤É¤³¤«Æ°¤«¤Ê¤¤¤È¤³¤í¤¬
2713 ¤¢¤Ã¤Æ¥Õ¥¡¥¤¥¢¡¼¥¦¥©¡¼¥ë¤ÎÀßÄê¤òÄ´À°¤·¤Æ¤¤¤ë¤È¤¡¢¥í¥°¤ò¼è¤ë¤³¤È¤Ï
2714 Ìò¤ËΩ¤Á¤Þ¤¹¡£¤É¤³¤«¤Î¥í¥°¤¬¤¢¤Õ¤ì¤ë¤Î¤òËɤ°¤¿¤á¤Ë¡¢É¬¤º `limit'
2715 ¥Þ¥Ã¥Á¤ÈÁȤ߹ç¤ï¤»¤Þ¤·¤ç¤¦¡£
2718 <p>I highly recommend connection tracking for secure systems: it
2719 introduces some overhead, as all connections are tracked, but is very
2720 useful for controlling access to your networks. You may need to load
2721 the `ip_conntrack.o' module if your kernel does not load modules
2722 automatically, and it's not built into the kernel. If you want to
2723 accurately track complex protocols, you'll need to load the
2724 appropriate helper module (eg. `ip_conntrack_ftp.o').
2726 <p>°ÂÁ´À¤¬µá¤á¤é¤ì¤ë¥·¥¹¥Æ¥à¤Ç¤Ï¥³¥Í¥¯¥·¥ç¥óÄÉÀפ¬Èó¾ï¤Ë¤ª´«¤á¤Ç¤¹¡£
2727 ¤½¤ì¤Ï¼ã´³¤Î¥ª¡¼¥Ð¡¼¥Ø¥Ã¥É¤¬¤¢¤ê¤Þ¤¹¤¬¡¢Á´¤Æ¤ÎÀܳ¤¬ÄÉÀפµ¤ì¤ë¤Î¤Ç¡¢
2728 ¤¢¤Ê¤¿¤Î¥Í¥Ã¥È¥ï¡¼¥¯¤Ø¤Î¥¢¥¯¥»¥¹À©¸æ¤Ë¤È¤Æ¤â͸ú¤Ç¤¹¡£¤â¤·¡¢¥«¡¼¥Í¥ë¤¬
2729 ¥â¥¸¥å¡¼¥ë¤ò¼«Æ°Åª¤Ë¥í¡¼¥É¤·¤Ê¤¤¾ì¹ç¤ä¡¢¤½¤ì¤ò¥«¡¼¥Í¥ë¤Ëľ¤ËÁȤ߹þ¤ó¤Ç
2730 ¤¤¤Ê¤¤¾ì¹ç¡¢`ip_conntrack.o' ¥â¥¸¥å¡¼¥ë¤ò¥í¡¼¥É¤¹¤ëɬÍפ¬¤¢¤ë¤«¤â¤·¤ì
2731 ¤Þ¤»¤ó¡£¤¢¤Ê¤¿¤¬¼ÂºÝ¤ËÊ£»¨¤Ê¥×¥í¥È¥³¥ë¤òÄÉÀפ·¤¿¤¤¤Ê¤é¡¢¤·¤«¤ë¤Ù¤
2732 ¥Ø¥ë¥Ñ¡¼¥â¥¸¥å¡¼¥ë(Î㤨¤Ð `ip_conntrack_ftp.o')¤ò¥í¡¼¥É¤¹¤ëɬÍפ¬¤¢¤ê
2736 # iptables -N no-conns-from-ppp0
2737 # iptables -A no-conns-from-ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
2738 # iptables -A no-conns-from-ppp0 -m state --state NEW -i ! ppp0 -j ACCEPT
2739 # iptables -A no-conns-from-ppp0 -i ppp0 -m limit -j LOG --log-prefix "Bad packet from ppp0:"
2740 # iptables -A no-conns-from-ppp0 -i ! ppp0 -m limit -j LOG --log-prefix "Bad packet not from ppp0:"
2741 # iptables -A no-conns-from-ppp0 -j DROP
2743 # iptables -A INPUT -j no-conns-from-ppp0
2744 # iptables -A FORWARD -j no-conns-from-ppp0
2748 <p>Building a good firewall is beyond the scope of this HOWTO, but my
2749 advice is `always be minimalist'. See the Security HOWTO for more
2750 information on testing and probing your box.
2752 <p>¤è¤¤¥Õ¥¡¥¤¥¢¡¼¥¦¥©¡¼¥ë¤ò¹½ÃÛ¤¹¤ë¤³¤È¤Ï¡¢¤³¤Î HOWTO ¤ÎÈϰϤò±Û¤¨¤Æ
2753 ¤¤¤Þ¤¹¤¬¡¢»ä¤«¤é¤Î½õ¸À¤Ï¡Ö¤¤¤Ä¤âºÇ¾®¸Â¼çµÁ¼Ô¤Ç¤¢¤ì¡×¤Ç¤¹¡£¤¢¤Ê¤¿¤ÎÈ¢¤ò
2754 ¥Æ¥¹¥È¤·È´¤±·ê¤¬¤Ê¤¤¤«Ãµ¤ë¤¿¤á¤Î¤è¤ê¿¤¯¤Î¾ðÊó¤¬É¬Íפʤ顢
2755 Security HOWTO ¤ò¸«¤Æ¤¯¤À¤µ¤¤¡£
2757 <sect>ÆüËܸìÌõ¤Ë¤Ä¤¤¤Æ
2760 ¤³¤Îʸ½ñ¤Î¸¶Ê¸¤ª¤è¤Ó´ØÏ¢¤Î HOWTO ¤Ï¡¢Netfilter Project ¤Î<ref id="website"
2761 name="¸ø¼°¥¦¥§¥Ö¥µ¥¤¥È">¤Ë¤¢¤ê¤Þ¤¹¡£
2763 ¶ñÂÎŪ¤Ê¸¶Ê¸¤Î¾ì½ê¤Î 1¤Ä¤Ï¡¢
2764 <url url="http://netfilter.samba.org/unreliable-guides/packet-filtering-HOWTO.linuxdoc.sgml">
2767 ¤Þ¤¿¡¢¤³¤ì¤é¤Îʸ½ñ¤Ï CVS ¤Ç´ÉÍý¤µ¤ì¤Æ¤ª¤ê¡¢ºÇ¿·ÈǤ乹¿·ÍúÎò¤ò
2768 <url url="http://cvs.samba.org/cgi-bin/cvsweb/netfilter/HOWTO/">
2769 °Ê²¼¤«¤é»²¾È¤Ç¤¤Þ¤¹¡£
2772 ¤³¤Îʸ½ñ¤òËÝÌõ¤¹¤ë¤Ë¤¢¤¿¤ê¡¢°Ê²¼¤ÎÊý¡¹¤«¤é¥¢¥É¥Ð¥¤¥¹¤ò¤¤¤¿¤À¤¤Þ¤·¤¿¡£
2774 ËÜÅö¤Ë¤¢¤ê¤¬¤È¤¦¤´¤¶¤¤¤Þ¤·¤¿¡£
2777 <item>Àéö͵»Ê¤µ¤ó <ysenda@pop01.odn.ne.jp>
2778 <item>»³ºê¡÷Ox ¤µ¤ó <hiro@atm.ox.ac.uk>
2779 <item>»ÍÄ⤵¤ó <isao@m05.htmnet.ne.jp>
2780 <item>Konkiti ¤µ¤ó <konkiti@lares.dti.ne.jp>
2781 <item>²ÃÆ£Âçŵ¤µ¤ó <daisuke@terra.dti.ne.jp>
2782 <item>Éð°æ¿¸÷¤µ¤ó <takei@webmasters.gr.jp>
2786 ÆüËܸìÌõ ½éÈÇ: 2000ǯ 9·î 20Æü »³¿¹ ¹À¹¬ <h-yamamo@db3.so-net.ne.jp>
2788 ¡¡¡¡¡¡Âè 2 ÈÇ: 2001ǯ 8·î 13Æü
2790 ¡¡¡¡¡¡Âè 3 ÈÇ: 2001ǯ 8·î 16Æü
2792 ¡¡¡¡¡¡Âè 4 ÈÇ: 2002ǯ 1·î 20Æü
OSDN Git Service
