Import translated manuals from JM CVS Repository.

[linuxjm/jm.git] / manual / iptables / release / man8 / iptables.8

.\"
.\" Man page written by Herve Eychenne <rv@wallfire.org> (May 1999)
.\" It is based on ipchains page.
.\" TODO: add a word for protocol helpers (FTP, IRC, SNMP-ALG)
.\"
.\" ipchains page by Paul ``Rusty'' Russell March 1997
.\" Based on the original ipfwadm man page by Jos Vos <jos@xos.nl>
.\"
.\"     This program is free software; you can redistribute it and/or modify
.\"     it under the terms of the GNU General Public License as published by
.\"     the Free Software Foundation; either version 2 of the License, or
.\"     (at your option) any later version.
.\"
.\"     This program is distributed in the hope that it will be useful,
.\"     but WITHOUT ANY WARRANTY; without even the implied warranty of
.\"     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
.\"     GNU General Public License for more details.
.\"
.\"     You should have received a copy of the GNU General Public License
.\"     along with this program; if not, write to the Free Software
.\"     Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
.\"
.\"
.\" Japanese Version Copyright (c) 2001, 2004 Yuichi SATO
.\"         all right reserved.
.\" Translated Sun Jul 29 01:03:37 JST 2001
.\"         by Yuichi SATO <ysato@h4.dion.ne.jp>
.\" Updated & Modified Wed Sep 12 06:22:55 JST 2001 by Yuichi SATO
.\" Updated on Wed May 28 01:51:45 JST 2003 by
.\"    System Design and Research Institute Co., Ltd.
.\" Updated & Modified Sat Feb 21 23:28:25 JST 2004
.\"         by Yuichi SATO <ysato444@yahoo.co.jp>
.\"
.\"WORD:        chain           ¥Á¥§¥¤¥ó
.\"WORD:        built-in chain  ÁȤ߹þ¤ßºÑ¤ß¥Á¥§¥¤¥ó
.\"WORD:        connection tracking     ÀܳÄÉÀ×
.\"WORD:        enslave         ¥¹¥ì¡¼¥Ö¤Ë¤¹¤ë
.\"WORD:        infrastructure  ´ðÈ×
.\"WORD:        round-robin     ¥é¥¦¥ó¥É¡¦¥í¥Ó¥ó
.\"WORD:        rule traverse   ¥ë¡¼¥ë¤Î¸¡Æ¤
.\"WORD:        non-terminating target  Èó½ªÎ»¥¿¡¼¥²¥Ã¥È
.\"WORD:        criteria        ȽÃÇ(¤¹¤ë)´ð½à
.\"
.TH IPTABLES 8 "Mar 09, 2002" "" ""
.SH ̾Á°
iptables \- IPv4 ¤Î¥Ñ¥±¥Ã¥È¥Õ¥£¥ë¥¿¤È NAT ¤ò´ÉÍý¤¹¤ë¥Ä¡¼¥ë
.SH ½ñ¼°
.BR "iptables [-t table] -[AD] " "¥Á¥§¥¤¥ó ¥ë¡¼¥ë¤Î¾ÜºÙ [¥ª¥×¥·¥ç¥ó]"
.br
.BR "iptables [-t table] -I " "¥Á¥§¥¤¥ó [¥ë¡¼¥ëÈÖ¹æ] ¥ë¡¼¥ë¤Î¾ÜºÙ [¥ª¥×¥·¥ç¥ó]"
.br
.BR "iptables [-t table] -R " "¥Á¥§¥¤¥ó ¥ë¡¼¥ëÈÖ¹æ ¥ë¡¼¥ë¤Î¾ÜºÙ [¥ª¥×¥·¥ç¥ó]"
.br
.BR "iptables [-t table] -D " "¥Á¥§¥¤¥ó ¥ë¡¼¥ëÈÖ¹æ [¥ª¥×¥·¥ç¥ó]"
.br
.BR "iptables [-t table] -[LFZ] " "[¥Á¥§¥¤¥ó] [¥ª¥×¥·¥ç¥ó]"
.br
.BR "iptables [-t table] -N " "¥Á¥§¥¤¥ó"
.br
.BR "iptables [-t table] -X " "[¥Á¥§¥¤¥ó]"
.br
.BR "iptables [-t table] -P " "¥Á¥§¥¤¥ó ¥¿¡¼¥²¥Ã¥È [¥ª¥×¥·¥ç¥ó]"
.br
.BR "iptables [-t table] -E " "µì¥Á¥§¥¤¥ó̾ ¿·¥Á¥§¥¤¥ó̾"
.SH ÀâÌÀ
.B iptables
¤Ï Linux ¥«¡¼¥Í¥ë¤Î IP ¥Ñ¥±¥Ã¥È¥Õ¥£¥ë¥¿¥ë¡¼¥ë¤Î¥Æ¡¼¥Ö¥ë¤ò
ÀßÄꡦ´ÉÍý¡¦¸¡ºº¤¹¤ë¤¿¤á¤Ë»È¤ï¤ì¤ë¡£
Ê£¿ô¤Î°Û¤Ê¤ë¥Æ¡¼¥Ö¥ë¤òÄêµÁ¤Ç¤­¤ë¡£
³Æ¥Æ¡¼¥Ö¥ë¤Ë¤Ï¤¿¤¯¤µ¤ó¤ÎÁȤ߹þ¤ßºÑ¤ß¥Á¥§¥¤¥ó¤¬´Þ¤Þ¤ì¤Æ¤ª¤ê¡¢
¤µ¤é¤Ë¥æ¡¼¥¶¡¼ÄêµÁ¤Î¥Á¥§¥¤¥ó¤ò²Ã¤¨¤ë¤³¤È¤â¤Ç¤­¤ë¡£

³Æ¥Á¥§¥¤¥ó¤Ï¡¢¥Ñ¥±¥Ã¥È·²¤Ë¥Þ¥Ã¥Á¤¹¤ë¥ë¡¼¥ë¤Î¥ê¥¹¥È¤Ç¤¢¤ë¡£
³Æ¥ë¡¼¥ë¤Ï¥Þ¥Ã¥Á¤·¤¿¥Ñ¥±¥Ã¥È¤ËÂФ·¤Æ²¿¤ò¤¹¤ë¤«¤ò»ØÄꤹ¤ë¡£
¤³¤ì¤Ï¡Ö¥¿¡¼¥²¥Ã¥È¡×¤È¸Æ¤Ð¤ì¡¢
Ʊ¤¸¥Æ¡¼¥Ö¥ëÆâ¤Î¥æ¡¼¥¶¡¼ÄêµÁ¥Á¥§¥¤¥ó¤Ë¥¸¥ã¥ó¥×¤¹¤ë¤³¤È¤â¤Ç¤­¤ë¡£

.SH ¥¿¡¼¥²¥Ã¥È
¤Ò¤È¤Ä¤Î¥Õ¥¡¥¤¥¢¥¦¥©¡¼¥ë¥ë¡¼¥ë¤Ç¤Ï¡¢
¥Ñ¥±¥Ã¥È¤òȽÃǤ¹¤ë´ð½à¤È¥¿¡¼¥²¥Ã¥È¤È¤¬»ØÄꤵ¤ì¤ë¡£
¥Ñ¥±¥Ã¥È¤¬¥Þ¥Ã¥Á¤·¤Ê¤¤¾ì¹ç¡¢¥Á¥§¥¤¥óÆâ¤Î¼¡¤Î¥ë¡¼¥ë¤¬É¾²Á¤µ¤ì¤ë¡£
¥Ñ¥±¥Ã¥È¤¬¥Þ¥Ã¥Á¤·¤¿¾ì¹ç¡¢
¥¿¡¼¥²¥Ã¥È¤ÎÃͤ¬¼¡¤Î¥ë¡¼¥ë¤ò»ØÄꤹ¤ë¡£
¥¿¡¼¥²¥Ã¥È¤ÎÃͤϡ¢¥æ¡¼¥¶¡¼ÄêµÁ¥Á¥§¥¤¥ó¤Î̾Á°¡¢¤Þ¤¿¤ÏÆÃÊ̤ÊÃÍ
.IR ACCEPT ,
.IR DROP ,
.IR QUEUE ,
.I RETURN
¤Î¤¦¤Á¤Î 1 ¤Ä¤Ç¤¢¤ë¡£
.PP
.I ACCEPT 
¤Ï¥Ñ¥±¥Ã¥È¤òÄ̤¹¤È¤¤¤¦°ÕÌ£¤Ç¤¢¤ë¡£
.I DROP
¤Ï¥Ñ¥±¥Ã¥È¤ò¾²¤ËÍ (¼Î¤Æ¤ë) ¤È¤¤¤¦°ÕÌ£¤Ç¤¢¤ë¡£
.I QUEUE
¤Ï¥Ñ¥±¥Ã¥È¤ò¥æ¡¼¥¶¡¼¶õ´Ö¤ËÅϤ¹¤È¤¤¤¦°ÕÌ£¤Ç¤¢¤ë
(¥«¡¼¥Í¥ë¤¬¥µ¥Ý¡¼¥È¤·¤Æ¤¤¤ì¤Ð¤Ç¤¢¤ë¤¬)¡£
.I RETURN
¤Ï¡¢¤³¤Î¥Á¥§¥¤¥ó¤Î¸¡Æ¤¤òÃæ»ß¤·¤Æ¡¢
°ÊÁ°¤Î (¸Æ¤Ó½Ð¤·¸µ) ¥Á¥§¥¤¥óÆâ¤Î
¼¡¤Î¥ë¡¼¥ë¤«¤é¸¡Æ¤¤òºÆ³«¤¹¤ë¤È¤¤¤¦°ÕÌ£¤Ç¤¢¤ë¡£
ÁȤ߹þ¤ßºÑ¤ß¥Á¥§¥¤¥ó¤ÎºÇ¸å¤ËÅþ㤷¤¿¾ì¹ç¡¢
¤Þ¤¿¤ÏÁȤ߹þ¤ßºÑ¤ß¥Á¥§¥¤¥ó¤Ç¥¿¡¼¥²¥Ã¥È
.I RETURN
¤ò»ý¤Ä¥ë¡¼¥ë¤Ë¥Þ¥Ã¥Á¤·¤¿¾ì¹ç¡¢
¥Á¥§¥¤¥ó¥Ý¥ê¥·¡¼¤Ç»ØÄꤵ¤ì¤¿¥¿¡¼¥²¥Ã¥È¤¬
¥Ñ¥±¥Ã¥È¤Î¹ÔÊý¤ò·èÄꤹ¤ë¡£
.SH ¥Æ¡¼¥Ö¥ë
¸½ºß¤Î¤È¤³¤í 3 ¤Ä¤ÎÆÈΩ¤Ê¥Æ¡¼¥Ö¥ë¤¬Â¸ºß¤¹¤ë
(¤¢¤ë»þÅÀ¤Ç¤É¤Î¥Æ¡¼¥Ö¥ë¤¬Â¸ºß¤¹¤ë¤«¤Ï¡¢
¥«¡¼¥Í¥ë¤ÎÀßÄê¤ä¤É¤¦¤¤¤Ã¤¿¥â¥¸¥å¡¼¥ë¤¬Â¸ºß¤¹¤ë¤«¤Ë°Í¸¤¹¤ë)¡£
.TP
.BI "-t, --table " "table"
¤³¤Î¥ª¥×¥·¥ç¥ó¤Ï¡¢¤³¤Î¥³¥Þ¥ó¥É¤òŬÍѤ¹¤ë
¥Ñ¥±¥Ã¥È¥Þ¥Ã¥Á¥ó¥°¥Æ¡¼¥Ö¥ë¤ò»ØÄꤹ¤ë¡£
¥«¡¼¥Í¥ë¤Ë¼«Æ°¥â¥¸¥å¡¼¥ë¥í¡¼¥Ç¥£¥ó¥°¤¬ÀßÄꤵ¤ì¤Æ¤¤¤ë¾ì¹ç¡¢
¤½¤Î¥Æ¡¼¥Ö¥ë¤ËÂФ¹¤ëŬÀڤʥ⥸¥å¡¼¥ë¤¬¤Þ¤À¥í¡¼¥É¤µ¤ì¤Æ¤¤¤Ê¤±¤ì¤Ð¡¢
¤½¤Î¥â¥¸¥å¡¼¥ë¤¬¥í¡¼¥É¤µ¤ì¤ë¡£

¥Æ¡¼¥Ö¥ë¤Ï°Ê²¼¤ÎÄ̤ê¤Ç¤¢¤ë¡£
.RS
.TP .4i
.BR "filter" :
(\-t ¥ª¥×¥·¥ç¥ó¤¬ÅϤµ¤ì¤Ê¤±¤ì¤Ð) ¤³¤ì¤¬¥Ç¥Õ¥©¥ë¥È¤Î¥Æ¡¼¥Ö¥ë¤Ç¤¢¤ë¡£
¤³¤ì¤Ë¤Ï
.B INPUT
(¥Þ¥·¥ó¼«ÂΤËÆþ¤Ã¤Æ¤¯¤ë¥Ñ¥±¥Ã¥È¤ËÂФ¹¤ë¥Á¥§¥¤¥ó)¡¦
.B FORWARD
(¥Þ¥·¥ó¤ò·Ðͳ¤¹¤ë¥Ñ¥±¥Ã¥È¤ËÂФ¹¤ë¥Á¥§¥¤¥ó)¡¦
.B OUTPUT
(¥í¡¼¥«¥ë¥Þ¥·¥ó¤ÇÀ¸À®¤µ¤ì¤¿¥Ñ¥±¥Ã¥È¤ËÂФ¹¤ë¥Á¥§¥¤¥ó)
¤È¤¤¤¦ÁȤ߹þ¤ßºÑ¤ß¥Á¥§¥¤¥ó¤¬´Þ¤Þ¤ì¤ë¡£
.TP
.BR "nat" :
¤³¤Î¥Æ¡¼¥Ö¥ë¤Ï¿·¤·¤¤Àܳ¤ò³«¤¯¤è¤¦¤Ê¥Ñ¥±¥Ã¥È¤ËÂФ·¤Æ»²¾È¤µ¤ì¤ë¡£
¤³¤ì¤Ë¤Ï
.B PREROUTING
(¥Ñ¥±¥Ã¥È¤¬Æþ¤Ã¤Æ¤­¤¿¾ì¹ç¡¢¤¹¤°¤Ë¤½¤Î¥Ñ¥±¥Ã¥È¤òÊÑ´¹¤¹¤ë¤¿¤á¤Î¥Á¥§¥¤¥ó)¡¦
.B OUTPUT
(¥í¡¼¥«¥ë¤ÇÀ¸À®¤µ¤ì¤¿¥Ñ¥±¥Ã¥È¤ò¥ë¡¼¥Æ¥£¥ó¥°¤ÎÁ°¤ËÊÑ´¹¤¹¤ë¤¿¤á¤Î¥Á¥§¥¤¥ó)¡¦
.B POSTROUTING
(¥Ñ¥±¥Ã¥È¤¬½Ð¤Æ¹Ô¤¯¤È¤­¤ËÊÑ´¹¤¹¤ë¤¿¤á¤Î¥Á¥§¥¤¥ó)
¤È¤¤¤¦ 3 ¤Ä¤ÎÁȤ߹þ¤ßºÑ¤ß¥Á¥§¥¤¥ó¤¬´Þ¤Þ¤ì¤ë¡£
.TP
.BR "mangle" :
¤³¤Î¥Æ¡¼¥Ö¥ë¤ÏÆÃÊ̤ʥѥ±¥Ã¥ÈÊÑ´¹¤Ë»È¤ï¤ì¤ë¡£
¤³¤ì¤Ë¤Ï¡¢¥«¡¼¥Í¥ë 2.4.17 ¤Þ¤Ç¤Ï
.B PREROUTING
(¥Ñ¥±¥Ã¥È¤¬Æþ¤Ã¤Æ¤­¤¿¾ì¹ç¡¢¤¹¤°¤Ë¤½¤Î¥Ñ¥±¥Ã¥È¤òÊÑ´¹¤¹¤ë¤¿¤á¤Î¥Á¥§¥¤¥ó)¡¦
.B OUTPUT
(¥í¡¼¥«¥ë¤ÇÀ¸À®¤µ¤ì¤¿¥Ñ¥±¥Ã¥È¤ò¥ë¡¼¥Æ¥£¥ó¥°¤ÎÁ°¤ËÊÑ´¹¤¹¤ë¤¿¤á¤Î¥Á¥§¥¤¥ó)
¤È¤¤¤¦ 2 ¤Ä¤ÎÁȤ߹þ¤ßºÑ¤ß¥Á¥§¥¤¥ó¤¬´Þ¤Þ¤ì¤ë¡£
¥«¡¼¥Í¥ë 2.4.18 ¤«¤é¤Ï¡¢¤³¤ì¤é¤Î¾¤Ë
.B INPUT
(¥Þ¥·¥ó¼«ÂΤËÆþ¤Ã¤Æ¤¯¤ë¥Ñ¥±¥Ã¥È¤ËÂФ¹¤ë¥Á¥§¥¤¥ó)¡¦
.B FORWARD
(¥Þ¥·¥ó¤ò·Ðͳ¤¹¤ë¥Ñ¥±¥Ã¥È¤ËÂФ¹¤ë¥Á¥§¥¤¥ó)¡¦
.B POSTROUTING
(¥Ñ¥±¥Ã¥È¤¬½Ð¤Æ¹Ô¤¯¤È¤­¤ËÊÑ´¹¤¹¤ë¤¿¤á¤Î¥Á¥§¥¤¥ó)
¤È¤¤¤¦ 3 ¤Ä¤ÎÁȤ߹þ¤ßºÑ¤ß¥Á¥§¥¤¥ó¤â´Þ¤Þ¤ì¤ë¡£
.RE
.SH ¥ª¥×¥·¥ç¥ó
.B iptables
¤Ç»È¤¨¤ë¥ª¥×¥·¥ç¥ó¤Ï¡¢¤¤¤¯¤Ä¤«¤Î¥°¥ë¡¼¥×¤Ëʬ¤±¤é¤ì¤ë¡£
.SS ¥³¥Þ¥ó¥É
¤³¤ì¤é¤Î¥ª¥×¥·¥ç¥ó¤Ï¡¢¼Â¹Ô¤¹¤ëÆÃÄê¤ÎÆ°ºî¤ò»ØÄꤹ¤ë¡£
°Ê²¼¤ÎÀâÌÀ¤ÇÃíµ­¤µ¤ì¤Æ¤¤¤Ê¤¤¸Â¤ê¡¢
¥³¥Þ¥ó¥É¥é¥¤¥ó¤Ç»ØÄê¤Ç¤­¤ë¤Î¤Ï¤³¤ÎÃæ¤Î 1 ¤Ä¤À¤±¤Ç¤¢¤ë¡£
Ť¤¥Ð¡¼¥¸¥ç¥ó¤Î¥³¥Þ¥ó¥É̾¤È¥ª¥×¥·¥ç¥ó̾¤Ï¡¢
.B iptables
¤¬Â¾¤Î¥³¥Þ¥ó¥É̾¤ä¥ª¥×¥·¥ç¥ó̾¤È¶èÊ̤Ǥ­¤ëÈϰϤÇ
(ʸ»ú¤ò¾Êά¤·¤Æ) »ØÄꤹ¤ë¤³¤È¤â¤Ç¤­¤ë¡£
.TP
.BI "-A, --append " "¥Á¥§¥¤¥ó ¥ë¡¼¥ë¤Î¾ÜºÙ"
ÁªÂò¤µ¤ì¤¿¥Á¥§¥¤¥ó¤ÎºÇ¸å¤Ë 1 ¤Ä°Ê¾å¤Î¥ë¡¼¥ë¤òÄɲ乤롣
Á÷¿®¸µ¤äÁ÷¿®Àè¤Î̾Á°¤¬ 1 ¤Ä°Ê¾å¤Î¥¢¥É¥ì¥¹¤Ë²ò·è¤µ¤ì¤¿¾ì¹ç¤Ï¡¢
²Äǽ¤Ê¥¢¥É¥ì¥¹¤ÎÁȹ礻¤½¤ì¤¾¤ì¤ËÂФ·¤Æ¥ë¡¼¥ë¤¬Äɲ䵤ì¤ë¡£
.TP
.BI "-D, --delete " "¥Á¥§¥¤¥ó ¥ë¡¼¥ë¤Î¾ÜºÙ"
.ns
.TP
.BI "-D, --delete " "¥Á¥§¥¤¥ó ¥ë¡¼¥ëÈÖ¹æ"
ÁªÂò¤µ¤ì¤¿¥Á¥§¥¤¥ó¤«¤é 1 ¤Ä°Ê¾å¤Î¥ë¡¼¥ë¤òºï½ü¤¹¤ë¡£
¤³¤Î¥³¥Þ¥ó¥É¤Ë¤Ï 2 ¤Ä¤Î»È¤¤Êý¤¬¤¢¤ë:
¥Á¥§¥¤¥ó¤ÎÃæ¤ÎÈÖ¹æ (ºÇ½é¤Î¥ë¡¼¥ë¤ò 1 ¤È¤¹¤ë) ¤ò»ØÄꤹ¤ë¾ì¹ç¤È¡¢
¥Þ¥Ã¥Á¤¹¤ë¥ë¡¼¥ë¤ò»ØÄꤹ¤ë¾ì¹ç¤Ç¤¢¤ë¡£
.TP
.BR  "-I, --insert " "\fI¥Á¥§¥¤¥ó\fP [\fI¥ë¡¼¥ëÈÖ¹æ\fP] \fI¥ë¡¼¥ë¤Î¾ÜºÙ"
ÁªÂò¤µ¤ì¤¿¥Á¥§¥¤¥ó¤Ë¥ë¡¼¥ëÈÖ¹æ¤ò»ØÄꤷ¤Æ 1 ¤Ä°Ê¾å¤Î¥ë¡¼¥ë¤òÁÞÆþ¤¹¤ë¡£
¥ë¡¼¥ëÈֹ椬 1 ¤Î¾ì¹ç¡¢¥ë¡¼¥ë¤Ï¥Á¥§¥¤¥ó¤ÎÀèƬ¤ËÁÞÆþ¤µ¤ì¤ë¡£
¤³¤ì¤Ï¥ë¡¼¥ëÈֹ椬»ØÄꤵ¤ì¤Ê¤¤¾ì¹ç¤Î¥Ç¥Õ¥©¥ë¥È¤Ç¤â¤¢¤ë¡£
.TP
.BI  "-R, --replace " "¥Á¥§¥¤¥ó ¥ë¡¼¥ëÈÖ¹æ ¥ë¡¼¥ë¤Î¾ÜºÙ"
ÁªÂò¤µ¤ì¤¿¥Á¥§¥¤¥ó¤Ç¥ë¡¼¥ë¤òÃÖ´¹¤¹¤ë¡£
Á÷¿®¸µ¤äÁ÷¿®Àè¤Î̾Á°¤¬ 1 ¤Ä°Ê¾å¤Î¥¢¥É¥ì¥¹¤Ë²ò·è¤µ¤ì¤¿¾ì¹ç¤Ï¡¢
¤³¤Î¥³¥Þ¥ó¥É¤Ï¼ºÇÔ¤¹¤ë¡£¥ë¡¼¥ëÈÖ¹æ¤Ï 1 ¤«¤é¤Ï¤¸¤Þ¤ë¡£
.TP
.BR  "-L, --list " "[\fI¥Á¥§¥¤¥ó\fP]"
ÁªÂò¤µ¤ì¤¿¥Á¥§¥¤¥ó¤Ë¤¢¤ëÁ´¤Æ¤Î¥ë¡¼¥ë¤ò°ìÍ÷ɽ¼¨¤¹¤ë¡£
¥Á¥§¥¤¥ó¤¬»ØÄꤵ¤ì¤Ê¤¤¾ì¹ç¡¢Á´¤Æ¤Î¥Á¥§¥¤¥ó¤Ë¤¢¤ë¥ê¥¹¥È¤¬°ìÍ÷ɽ¼¨¤µ¤ì¤ë¡£
¾¤Î³Æ iptables ¥³¥Þ¥ó¥É¤ÈƱÍͤˡ¢»ØÄꤵ¤ì¤¿¥Æ¡¼¥Ö¥ë
(¥Ç¥Õ¥©¥ë¥È¤Ï filter) ¤ËÂФ·¤ÆºîÍѤ¹¤ë¡£
¤è¤Ã¤Æ NAT ¥ë¡¼¥ë¤òɽ¼¨¤¹¤ë¤Ë¤Ï°Ê²¼¤Î¤è¤¦¤Ë¤¹¤ë¡£
.nf
 iptables -t nat -n -L
.fi
DNS¤ÎµÕ°ú¤­¤òÈò¤±¤ë¤¿¤á¤Ë¡¢¤è¤¯
.B -n
¥ª¥×¥·¥ç¥ó¤È¶¦¤Ë»ÈÍѤµ¤ì¤ë¡£
.B -Z
(¥¼¥í²½) ¥ª¥×¥·¥ç¥ó¤òƱ»þ¤Ë»ØÄꤹ¤ë¤³¤È¤â¤Ç¤­¤ë¡£
¤³¤Î¾ì¹ç¡¢¥Á¥§¥¤¥ó¤ÏÍ×ÁÇËè¤Ë¥ê¥¹¥È¤µ¤ì¤Æ¡¢
(ÌõÃð: ¥Ñ¥±¥Ã¥È¥«¥¦¥ó¥¿¤È¥Ð¥¤¥È¥«¥¦¥ó¥¿¤¬) ¥¼¥í¤Ë¤µ¤ì¤ë¡£
½ÐÎÏɽ¼¨¤ÏƱ»þ¤ËÍ¿¤¨¤é¤ì¤¿Â¾¤Î°ú¤­¿ô¤Ë±Æ¶Á¤µ¤ì¤ë¡£
.nf
 iptables -L -v
.fi
¤ò»È¤ï¤Ê¤¤¸Â¤ê (ÌõÃí: -v ¥ª¥×¥·¥ç¥ó¤ò»ØÄꤷ¤Ê¤¤¸Â¤ê)¡¢
¼ÂºÝ¤Î¥ë¡¼¥ë¤½¤Î¤â¤Î¤Ïɽ¼¨¤µ¤ì¤Ê¤¤¡£
.TP
.BR "-F, --flush " "[\fI¥Á¥§¥¤¥ó\fP]"
ÁªÂò¤µ¤ì¤¿¥Á¥§¥¤¥ó(²¿¤â»ØÄꤷ¤Ê¤±¤ì¤Ð¥Æ¡¼¥Ö¥ëÆâ¤ÎÁ´¤Æ¤Î¥Á¥§¥¤¥ó)
¤ÎÆâÍƤòÁ´¾Ãµî¤¹¤ë¡£
¤³¤ì¤ÏÁ´¤Æ¤Î¥ë¡¼¥ë¤ò 1 ¸Ä¤º¤Äºï½ü¤¹¤ë¤Î¤ÈƱ¤¸¤Ç¤¢¤ë¡£
.TP
.BR "-Z, --zero " "[\fI¥Á¥§¥¤¥ó\fP]"
¤¹¤Ù¤Æ¤Î¥Á¥§¥¤¥ó¤Î¥Ñ¥±¥Ã¥È¥«¥¦¥ó¥¿¤È¥Ð¥¤¥È¥«¥¦¥ó¥¿¤ò¥¼¥í¤Ë¤¹¤ë¡£
¥¯¥ê¥¢¤µ¤ì¤ëľÁ°¤Î¥«¥¦¥ó¥¿¤ò¸«¤ë¤¿¤á¤Ë¡¢
.B "-L, --list"
(°ìÍ÷ɽ¼¨) ¥ª¥×¥·¥ç¥ó¤ÈƱ»þ¤Ë»ØÄꤹ¤ë¤³¤È¤â¤Ç¤­¤ë (¾åµ­¤ò»²¾È)¡£
.TP
.BI "-N, --new-chain " "¥Á¥§¥¤¥ó"
»ØÄꤷ¤¿Ì¾Á°¤Ç¥æ¡¼¥¶¡¼ÄêµÁ¥Á¥§¥¤¥ó¤òºîÀ®¤¹¤ë¡£
Ʊ¤¸Ì¾Á°¤Î¥¿¡¼¥²¥Ã¥È¤¬´û¤Ë¸ºß¤·¤Æ¤Ï¤Ê¤é¤Ê¤¤¡£
.TP
.BR "-X, --delete-chain " "[\fI¥Á¥§¥¤¥ó\fP]"
»ØÄꤷ¤¿¥æ¡¼¥¶¡¼ÄêµÁ¥Á¥§¥¤¥ó¤òºï½ü¤¹¤ë¡£
¤½¤Î¥Á¥§¥¤¥ó¤¬»²¾È¤µ¤ì¤Æ¤¤¤Æ¤Ï¤Ê¤é¤Ê¤¤¡£
¥Á¥§¥¤¥ó¤òºï½ü¤¹¤ëÁ°¤Ë¡¢¤½¤Î¥Á¥§¥¤¥ó¤ò»²¾È¤·¤Æ¤¤¤ë¥ë¡¼¥ë¤ò
ºï½ü¤¹¤ë¤«ÃÖ¤­´¹¤¨¤ë¤«¤·¤Ê¤±¤ì¤Ð¤Ê¤é¤Ê¤¤¡£
°ú¤­¿ô¤¬Í¿¤¨¤é¤ì¤Ê¤¤¾ì¹ç¡¢¥Æ¡¼¥Ö¥ë¤Ë¤¢¤ë¥Á¥§¥¤¥ó¤Î¤¦¤Á
ÁȤ߹þ¤ßºÑ¤ß¥Á¥§¥¤¥ó¤Ç¤Ê¤¤¤â¤Î¤òÁ´¤Æºï½ü¤¹¤ë¡£
.TP
.BI "-P, --policy " "¥Á¥§¥¤¥ó ¥¿¡¼¥²¥Ã¥È"
¥Á¥§¥¤¥ó¤Î¥Ý¥ê¥·¡¼¤ò¡¢»ØÄꤷ¤¿¥¿¡¼¥²¥Ã¥È¤ËÀßÄꤹ¤ë¡£
»ØÄê²Äǽ¤Ê¥¿¡¼¥²¥Ã¥È¤Ï¡Ö\fB¥¿¡¼¥²¥Ã¥È\fR¡×¤Î¾Ï¤ò»²¾È¤¹¤ë¤³¤È¡£
(¥æ¡¼¥¶¡¼ÄêµÁ¤Ç¤Ï¤Ê¤¤)ÁȤ߹þ¤ßºÑ¤ß¥Á¥§¥¤¥ó¤Ë¤·¤«¥Ý¥ê¥·¡¼¤ÏÀßÄê¤Ç¤­¤Ê¤¤¡£
¤Þ¤¿¡¢ÁȤ߹þ¤ßºÑ¤ß¥Á¥§¥¤¥ó¤â¥æ¡¼¥¶¡¼ÄêµÁ¥Á¥§¥¤¥ó¤â
¥Ý¥ê¥·¡¼¤Î¥¿¡¼¥²¥Ã¥È¤ËÀßÄꤹ¤ë¤³¤È¤Ï¤Ç¤­¤Ê¤¤¡£
.TP
.BI  "-E, --rename-chain " "µì¥Á¥§¥¤¥ó̾ ¿·¥Á¥§¥¤¥ó̾"
¥æ¡¼¥¶¡¼ÄêµÁ¥Á¥§¥¤¥ó¤ò»ØÄꤷ¤¿Ì¾Á°¤ËÊѹ¹¤¹¤ë¡£
¤³¤ì¤Ï¸«¤¿ÌܤÀ¤±¤ÎÊѹ¹¤Ê¤Î¤Ç¡¢¥Æ¡¼¥Ö¥ë¤Î¹½Â¤¤Ë¤Ï²¿¤â±Æ¶Á¤·¤Ê¤¤¡£
.TP
.B -h
¥Ø¥ë¥×¡£
(º£¤Î¤È¤³¤í¤Ï¤È¤Æ¤â´Êñ¤Ê) ¥³¥Þ¥ó¥É½ñ¼°¤ÎÀâÌÀ¤òɽ¼¨¤¹¤ë¡£
.SS ¥Ñ¥é¥á¡¼¥¿
°Ê²¼¤Î¥Ñ¥é¥á¡¼¥¿¤Ï (add, delete, insert, 
replace, append ¥³¥Þ¥ó¥É¤ÇÍѤ¤¤é¤ì¤Æ) ¥ë¡¼¥ë¤Î»ÅÍͤò·è¤á¤ë¡£
.TP
.BR "-p, --protocol " "[!] \fIprotocol\fP"
¥ë¡¼¥ë¤Ç»È¤ï¤ì¤ë¥×¥í¥È¥³¥ë¡¢¤Þ¤¿¤Ï¥Á¥§¥Ã¥¯¤µ¤ì¤ë¥Ñ¥±¥Ã¥È¤Î¥×¥í¥È¥³¥ë¡£
»ØÄê¤Ç¤­¤ë¥×¥í¥È¥³¥ë¤Ï¡¢
.IR tcp ,
.IR udp ,
.IR icmp ,
.I all
¤Î¤¤¤º¤ì¤« 1 ¤Ä¤«¡¢¿ôÃͤǤ¢¤ë¡£
¿ôÃͤˤϡ¢¤³¤ì¤é¤Î¥×¥í¥È¥³¥ë¤Î¤É¤ì¤«¤Ê¤¤¤·Ê̤Υץí¥È¥³¥ë¤òɽ¤¹
¿ôÃͤò»ØÄꤹ¤ë¤³¤È¤¬¤Ç¤­¤ë¡£
/etc/protocols ¤Ë¤¢¤ë¥×¥í¥È¥³¥ë̾¤â»ØÄê¤Ç¤­¤ë¡£
¥×¥í¥È¥³¥ë¤ÎÁ°¤Ë "!" ¤òÃÖ¤¯¤È¡¢¤½¤Î¥×¥í¥È¥³¥ë¤ò½ü³°¤¹¤ë¤È¤¤¤¦°ÕÌ£¤Ë¤Ê¤ë¡£
¿ôÃÍ 0 ¤Ï
.I all
¤ÈÅù¤·¤¤¡£
¥×¥í¥È¥³¥ë
.I all
¤ÏÁ´¤Æ¤Î¥×¥í¥È¥³¥ë¤È¥Þ¥Ã¥Á¤·¡¢
¤³¤Î¥ª¥×¥·¥ç¥ó¤¬¾Êά¤µ¤ì¤¿ºÝ¤Î¥Ç¥Õ¥©¥ë¥È¤Ç¤¢¤ë¡£
.TP
.BR "-s, --source " "[!] \fIaddress\fP[/\fImask\fP]"
Á÷¿®¸µ¤Î»ØÄê¡£
.I address
¤Ï¥Û¥¹¥È̾
(DNS ¤Î¤è¤¦¤Ê¥ê¥â¡¼¥È¤Ø¤ÎÌ䤤¹ç¤ï¤»¤Ç²ò·è¤¹¤ë̾Á°¤ò»ØÄꤹ¤ë¤Î¤ÏÈó¾ï¤ËÎɤ¯¤Ê¤¤)
¡¦¥Í¥Ã¥È¥ï¡¼¥¯ IP ¥¢¥É¥ì¥¹ (/mask ¤ò»ØÄꤹ¤ë)¡¦
Ä̾ï¤Î IP ¥¢¥É¥ì¥¹¡¢¤Î¤¤¤º¤ì¤«¤Ç¤¢¤ë¡£
.I mask
¤Ï¥Í¥Ã¥È¥ï¡¼¥¯¥Þ¥¹¥¯¤«¡¢
¥Í¥Ã¥È¥ï¡¼¥¯¥Þ¥¹¥¯¤Îº¸Â¦¤Ë¤¢¤ë 1 ¤Î¿ô¤ò»ØÄꤹ¤ë¿ôÃͤǤ¢¤ë¡£
¤Ä¤Þ¤ê¡¢
.I 24
¤È¤¤¤¦ mask ¤Ï
.I 255.255.255.0
¤ËÅù¤·¤¤¡£
¥¢¥É¥ì¥¹»ØÄê¤ÎÁ°¤Ë "!" ¤òÃÖ¤¯¤È¡¢¤½¤Î¥¢¥É¥ì¥¹¤ò½ü³°¤¹¤ë¤È¤¤¤¦°ÕÌ£¤Ë¤Ê¤ë¡£
¥Õ¥é¥°
.B --src
¤Ï¡¢¤³¤Î¥ª¥×¥·¥ç¥ó¤ÎÊÌ̾¤Ç¤¢¤ë¡£
.TP
.BR "-d, --destination " "[!] \fIaddress\fP[/\fImask\fP]"
Á÷¿®Àè¤Î»ØÄê¡£
½ñ¼°¤Î¾Ü¤·¤¤ÀâÌÀ¤Ë¤Ä¤¤¤Æ¤Ï¡¢
.B -s
(Á÷¿®¸µ) ¥Õ¥é¥°¤ÎÀâÌÀ¤ò»²¾È¤¹¤ë¤³¤È¡£
¥Õ¥é¥°
.B --dst
¤Ï¡¢¤³¤Î¥ª¥×¥·¥ç¥ó¤ÎÊÌ̾¤Ç¤¢¤ë¡£
.TP
.BI "-j, --jump " "target"
¥ë¡¼¥ë¤Î¥¿¡¼¥²¥Ã¥È¡¢¤Ä¤Þ¤ê¡¢
¥Ñ¥±¥Ã¥È¤¬¥Þ¥Ã¥Á¤·¤¿¾ì¹ç¤Ë¤É¤¦¤¹¤ë¤«¤ò»ØÄꤹ¤ë¡£
¥¿¡¼¥²¥Ã¥È¤Ï¥æ¡¼¥¶¡¼ÄêµÁ¥Á¥§¥¤¥ó
(¤½¤Î¥ë¡¼¥ë¼«¿È¤¬Æþ¤Ã¤Æ¤¤¤ë¥Á¥§¥¤¥ó°Ê³°) ¤Ç¤â¡¢
¥Ñ¥±¥Ã¥È¤Î¹ÔÊý¤ò¨»þ¤Ë·èÄꤹ¤ëÆÃÊ̤ÊÁȤ߹þ¤ßºÑ¤ß¥¿¡¼¥²¥Ã¥È¤Ç¤â¡¢
³ÈÄ¥¤µ¤ì¤¿¥¿¡¼¥²¥Ã¥È (°Ê²¼¤Î
.RB ¡Ö ¥¿¡¼¥²¥Ã¥È¤Î³ÈÄ¥ ¡×
¤ò»²¾È) ¤Ç¤â¤è¤¤¡£
¤³¤Î¥ª¥×¥·¥ç¥ó¤¬¥ë¡¼¥ë¤Ë»ØÄꤵ¤ì¤Ê¤«¤Ã¤¿¾ì¹ç¤Ï¡¢
¥ë¡¼¥ë¤Ë¥Þ¥Ã¥Á¤·¤Æ¤â¥Ñ¥±¥Ã¥È¤Î¹ÔÊý¤Ë²¿¤â±Æ¶Á¤·¤Ê¤¤¤¬¡¢
¥ë¡¼¥ë¤Î¥«¥¦¥ó¥¿¤Ï 1 ¤Ä²Ã»»¤µ¤ì¤ë¡£
.TP
.BR "-i, --in-interface " "[!] \fIname\fP"
¥Ñ¥±¥Ã¥È¤ò¼õ¿®¤¹¤ë¤³¤È¤Ë¤Ê¤ë¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹Ì¾
.RB ( INPUT ,
.BR FORWARD ,
.B PREROUTING
¥Á¥§¥¤¥ó¤ËÆþ¤ë¥Ñ¥±¥Ã¥È¤Î¤ß)¡£
¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹Ì¾¤ÎÁ°¤Ë "!" ¤òÃÖ¤¯¤È¡¢
¤½¤Î¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹¤ò½ü³°¤¹¤ë¤È¤¤¤¦°ÕÌ£¤Ë¤Ê¤ë¡£
¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹Ì¾¤¬ "+" ¤Ç½ª¤Ã¤Æ¤¤¤ë¾ì¹ç¡¢
¤½¤Î̾Á°¤Ç»Ï¤Þ¤ëǤ°Õ¤Î¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹Ì¾¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
¤³¤Î¥ª¥×¥·¥ç¥ó¤¬¾Êά¤µ¤ì¤¿¾ì¹ç¡¢
Ǥ°Õ¤Î¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹Ì¾¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
.TP
.BR "-o, --out-interface " "[!] \fIname\fP"
¥Ñ¥±¥Ã¥È¤òÁ÷¿®¤¹¤ë¤³¤È¤Ë¤Ê¤ë¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹Ì¾
.RB ( FORWARD ,
.BR OUTPUT , 
.B POSTROUTING
¥Á¥§¥¤¥ó¤ËÆþ¤ë¥Ñ¥±¥Ã¥È¤Î¤ß)¡£
¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹Ì¾¤ÎÁ°¤Ë "!" ¤òÃÖ¤¯¤È¡¢
¤½¤Î¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹¤ò½ü³°¤¹¤ë¤È¤¤¤¦°ÕÌ£¤Ë¤Ê¤ë¡£
¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹Ì¾¤¬ "+" ¤Ç½ª¤Ã¤Æ¤¤¤ë¾ì¹ç¡¢
¤½¤Î̾Á°¤Ç»Ï¤Þ¤ëǤ°Õ¤Î¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹Ì¾¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
¤³¤Î¥ª¥×¥·¥ç¥ó¤¬¾Êά¤µ¤ì¤¿¾ì¹ç¡¢
Ǥ°Õ¤Î¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹Ì¾¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
.TP
.B "[!] " "-f, --fragment"
¤³¤Î¥ª¥×¥·¥ç¥ó¤Ï¡¢Ê¬³ä¤µ¤ì¤¿¥Ñ¥±¥Ã¥È (fragmented packet) ¤Î¤¦¤Á
2 ÈÖÌܰʹߤΥѥ±¥Ã¥È¤À¤±¤ò»²¾È¤¹¤ë¥ë¡¼¥ë¤Ç¤¢¤ë¤³¤È¤ò°ÕÌ£¤¹¤ë¡£
¤³¤Î¤è¤¦¤Ê¥Ñ¥±¥Ã¥È (¤Þ¤¿¤Ï ICMP ¥¿¥¤¥×¤Î¥Ñ¥±¥Ã¥È) ¤Ï
Á÷¿®¸µ¡¦Á÷¿®Àè¥Ý¡¼¥È¤òÃΤëÊýË¡¤¬¤Ê¤¤¤Î¤Ç¡¢
Á÷¿®¸µ¤äÁ÷¿®Àè¤ò»ØÄꤹ¤ë¤è¤¦¤Ê¥ë¡¼¥ë¤Ë¤Ï¥Þ¥Ã¥Á¤·¤Ê¤¤¡£
"-f" ¥Õ¥é¥°¤ÎÁ°¤Ë "!" ¤òÃÖ¤¯¤È¡¢
ʬ³ä¤µ¤ì¤¿¥Ñ¥±¥Ã¥È¤Î¤¦¤ÁºÇ½é¤Î¤â¤Î¤«¡¢
ʬ³ä¤µ¤ì¤Æ¤¤¤Ê¤¤¥Ñ¥±¥Ã¥È¤À¤±¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
.TP
.BI "-c, --set-counters " "PKTS BYTES"
¤³¤Î¥ª¥×¥·¥ç¥ó¤ò»È¤¦¤È¡¢
.RB ( insert ,
.BR append ,
.B replace
Áàºî¤Ë¤ª¤¤¤Æ) ´ÉÍý¼Ô¤Ï¥Ñ¥±¥Ã¥È¥«¥¦¥ó¥¿¤È¥Ð¥¤¥È¥«¥¦¥ó¥¿¤ò
½é´ü²½¤¹¤ë¤³¤È¤¬¤Ç¤­¤ë¡£
.SS ¤½¤Î¾¤Î¥ª¥×¥·¥ç¥ó
¤½¤Î¾¤Ë°Ê²¼¤Î¥ª¥×¥·¥ç¥ó¤ò»ØÄꤹ¤ë¤³¤È¤¬¤Ç¤­¤ë:
.TP
.B "-v, --verbose"
¾ÜºÙ¤Ê½ÐÎϤò¹Ô¤¦¡£
list ¥³¥Þ¥ó¥É¤ÎºÝ¤Ë¡¢¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹Ì¾¡¦
(¤â¤·¤¢¤ì¤Ð) ¥ë¡¼¥ë¤Î¥ª¥×¥·¥ç¥ó¡¦TOS ¥Þ¥¹¥¯¤òɽ¼¨¤µ¤»¤ë¡£
¥Ñ¥±¥Ã¥È¤È¥Ð¥¤¥È¥«¥¦¥ó¥¿¤âɽ¼¨¤µ¤ì¤ë¡£
ź»ú 'K', 'M', 'G' ¤Ï¡¢
¤½¤ì¤¾¤ì 1000, 1,000,000, 1,000,000,000 Çܤòɽ¤¹
(¤³¤ì¤òÊѹ¹¤¹¤ë
.B -x
¥Õ¥é¥°¤â¸«¤è)¡£
¤³¤Î¥ª¥×¥·¥ç¥ó¤ò append, insert, delete, replace ¥³¥Þ¥ó¥É¤ËŬÍѤ¹¤ë¤È¡¢
¥ë¡¼¥ë¤Ë¤Ä¤¤¤Æ¤Î¾ÜºÙ¤Ê¾ðÊó¤òɽ¼¨¤¹¤ë¡£
.TP
.B "-n, --numeric"
¿ôÃͤˤè¤ë½ÐÎϤò¹Ô¤¦¡£
IP ¥¢¥É¥ì¥¹¤ä¥Ý¡¼¥ÈÈÖ¹æ¤ò¿ôÃͤˤè¤ë¥Õ¥©¡¼¥Þ¥Ã¥È¤Çɽ¼¨¤¹¤ë¡£
¥Ç¥Õ¥©¥ë¥È¤Ç¤Ï¡¢iptables ¤Ï (²Äǽ¤Ç¤¢¤ì¤Ð) ¤³¤ì¤é¤Î¾ðÊó¤ò
¥Û¥¹¥È̾¡¦¥Í¥Ã¥È¥ï¡¼¥¯Ì¾¡¦¥µ¡¼¥Ó¥¹Ì¾¤Çɽ¼¨¤·¤è¤¦¤È¤¹¤ë¡£
.TP
.B "-x, --exact"
¸·Ì©¤Ê¿ôÃͤÇɽ¼¨¤¹¤ë¡£
¥Ñ¥±¥Ã¥È¥«¥¦¥ó¥¿¤È¥Ð¥¤¥È¥«¥¦¥ó¥¿¤ò¡¢
K (1000 ¤Î²¿Çܤ«)¡¦M (1000K ¤Î²¿Çܤ«)¡¦G (1000M ¤Î²¿Çܤ«) ¤Ç¤Ï¤Ê¤¯¡¢
¸·Ì©¤ÊÃͤÇɽ¼¨¤¹¤ë¡£
¤³¤Î¥ª¥×¥·¥ç¥ó¤Ï¡¢
.B -L
¥³¥Þ¥ó¥É¤È¤·¤«´Ø·¸¤·¤Ê¤¤¡£
.TP
.B "--line-numbers"
¥ë¡¼¥ë¤ò°ìÍ÷ɽ¼¨¤¹¤ëºÝ¡¢¤½¤Î¥ë¡¼¥ë¤¬¥Á¥§¥¤¥ó¤Î¤É¤Î°ÌÃ֤ˤ¢¤ë¤«¤òɽ¤¹
¹ÔÈÖ¹æ¤ò³Æ¹Ô¤Î»Ï¤á¤ËÉղ乤롣
.TP
.B "--modprobe=command"
¥Á¥§¥¤¥ó¤Ë¥ë¡¼¥ë¤òÄɲäޤ¿¤ÏÁÞÆþ¤¹¤ëºÝ¤Ë¡¢
(¥¿¡¼¥²¥Ã¥È¤ä¥Þ¥Ã¥Á¥ó¥°¤Î³ÈÄ¥¤Ê¤É¤Ç) ɬÍפʥ⥸¥å¡¼¥ë¤ò¥í¡¼¥É¤¹¤ë¤¿¤á¤Ë»È¤¦
.B command
¤ò»ØÄꤹ¤ë¡£
.SH ¥Þ¥Ã¥Á¥ó¥°¤Î³ÈÄ¥
iptables ¤Ï³ÈÄ¥¤µ¤ì¤¿¥Ñ¥±¥Ã¥È¥Þ¥Ã¥Á¥ó¥°¥â¥¸¥å¡¼¥ë¤ò»È¤¦¤³¤È¤¬¤Ç¤­¤ë¡£
¤³¤ì¤é¤Î¥â¥¸¥å¡¼¥ë¤Ï 2 ¼ïÎà¤ÎÊýË¡¤Ç¥í¡¼¥É¤µ¤ì¤ë:
¥â¥¸¥å¡¼¥ë¤Ï¡¢
.B -p
¤Þ¤¿¤Ï
.B --protocol
¤Ç°ÅÌۤΤ¦¤Á¤Ë»ØÄꤵ¤ì¤ë¤«¡¢
.B -m
¤Þ¤¿¤Ï
.B --match
¤Î¸å¤Ë¥â¥¸¥å¡¼¥ë̾¤ò³¤±¤Æ»ØÄꤵ¤ì¤ë¡£
¤³¤ì¤é¤Î¥â¥¸¥å¡¼¥ë¤Î¸å¤í¤Ë¤Ï¡¢¥â¥¸¥å¡¼¥ë¤Ë±þ¤¸¤Æ
¾¤Î¤¤¤í¤¤¤í¤Ê¥³¥Þ¥ó¥É¥é¥¤¥ó¥ª¥×¥·¥ç¥ó¤ò»ØÄꤹ¤ë¤³¤È¤¬¤Ç¤­¤ë¡£
Ê£¿ô¤Î³ÈÄ¥¥Þ¥Ã¥Á¥ó¥°¥â¥¸¥å¡¼¥ë¤ò°ì¹Ô¤Ç»ØÄꤹ¤ë¤³¤È¤¬¤Ç¤­¤ë¡£
¤Þ¤¿¡¢¥â¥¸¥å¡¼¥ë¤ËÆÃÍ­¤Î¥Ø¥ë¥×¤òɽ¼¨¤µ¤»¤ë¤¿¤á¤Ë¤Ï¡¢
¥â¥¸¥å¡¼¥ë¤ò»ØÄꤷ¤¿¸å¤Ç
.B -h
¤Þ¤¿¤Ï
.B --help
¤ò»ØÄꤹ¤ì¤Ð¤è¤¤¡£

°Ê²¼¤Î³ÈÄ¥¤¬¥Ù¡¼¥¹¥Ñ¥Ã¥±¡¼¥¸¤Ë´Þ¤Þ¤ì¤Æ¤¤¤ë¡£
ÂçÉôʬ¤Î¤â¤Î¤Ï¡¢
.B !
¤òÁ°¤Ë¤ª¤¯¤³¤È¤Ë¤è¤Ã¤Æ
¥Þ¥Ã¥Á¥ó¥°¤Î°ÕÌ£¤òµÕ¤Ë¤Ç¤­¤ë¡£
.SS ah
¤³¤Î¥â¥¸¥å¡¼¥ë¤Ï IPSec ¥Ñ¥±¥Ã¥È¤Î AH ¥Ø¥Ã¥À¡¼¤Î SPI Ãͤ˥ޥåÁ¤¹¤ë¡£ 
.TP
.BR "--ahspi " "[!] \fIspi\fP[:\fIspi\fP]"
.SS conntrack
¤³¤Î¥â¥¸¥å¡¼¥ë¤Ï¡¢ÀܳÄÉÀ× (connection tracking) ¤ÈÁȤ߹ç¤ï¤»¤ÆÍѤ¤¤ë¤È¡¢
"state" ¥Þ¥Ã¥Á¤è¤ê¤â¤µ¤é¤Ë¿¤¯¤Î¡¢
¥Ñ¥±¥Ã¥È¤Ë¤Ä¤¤¤Æ¤ÎÀܳÄÉÀ×¾õÂÖ¤òÃΤ뤳¤È¤¬¤Ç¤­¤ë
(¤³¤Îµ¡Ç½¤ò¥µ¥Ý¡¼¥È¤·¤¿¥«¡¼¥Í¥ë¤Î¤â¤È¤Ç iptables ¤¬¥³¥ó¥Ñ¥¤¥ë¤µ¤ì¤¿¾ì¹ç
¤Ë¤Î¤ß¡¢¤³¤Î¥â¥¸¥å¡¼¥ë¤Ï¸ºß¤¹¤ë)¡£
.TP
.BI "--ctstate " "state"
state ¤Ï¡¢¥Þ¥Ã¥Á¥ó¥°ÂоݤȤʤ롢¥³¥ó¥Þ¶èÀÚ¤ê¤ÎÀܳ¾õÂ֥ꥹ¥È¤Ç¤¢¤ë¡£
»ØÄê²Äǽ¤Ê state ¤Ï°Ê²¼¤ÎÄ̤ꡣ
.BR INVALID :
¥á¥â¥ê¤ò»È¤¤²Ì¤¿¤·¤¿°Ù¤ä¡¢
´ûÃΤÎÀܳ¤È¤ÏÂбþ¤·¤Ê¤¤ ICMP ¥¨¥é¡¼¤Ê¤É¡¢
²¿¤é¤«¤ÎÍýͳ¤Ë¤è¤ê¥Ñ¥±¥Ã¥È¤¬¼±Ê̤Ǥ­¤Ê¤¤¡£
.BR ESTABLISHED :
¤³¤Î¥Ñ¥±¥Ã¥È¤Ï¡¢²áµîÁÐÊý¸þ¤Ë¥Ñ¥±¥Ã¥È¤¬¤ä¤ê¼è¤ê¤µ¤ì¤¿Àܳ¤Ë°¤¹¤ë¥Ñ¥±¥Ã¥È¤Ç¤¢¤ë¡£
.BR NEW :
¤³¤Î¥Ñ¥±¥Ã¥È¤¬¿·¤·¤¤Àܳ¤ò³«»Ï¤·¤¿¤«¡¢
ÁÐÊý¸þ¤Ë¤Ï¥Ñ¥±¥Ã¥È¤¬¤ä¤ê¼è¤ê¤µ¤ì¤Æ¤¤¤Ê¤¤Àܳ¤Ë°¤¹¤ë¥Ñ¥±¥Ã¥È¤Ç¤¢¤ë¡£
.BR RELATED :
¤³¤Î¥Ñ¥±¥Ã¥È¤¬¿·¤·¤¤Àܳ¤ò³«»Ï¤·¤Æ¤¤¤ë¤¬¡¢
FTP ¥Ç¡¼¥¿Å¾Á÷¤ä ICMP ¥¨¥é¡¼¤Î¤è¤¦¤Ë¡¢´û¸¤ÎÀܳ¤Ë´Ø·¸¤·¤Æ¤¤¤ë¡£
.BR SNAT :
²¾ÁÛŪ¤Ê¾õÂ֤Ǥ¢¤ê¡¢½ñ¤­´¹¤¨Á°¤ÎÁ÷¿®¸µ¥¢¥É¥ì¥¹¤¬±þÅú¤Î°¸À襢¥É¥ì¥¹¤È
°Û¤Ê¤ë¾ì¹ç¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
.BR DNAT :
²¾ÁÛŪ¤Ê¾õÂ֤Ǥ¢¤ê¡¢½ñ¤­´¹¤¨Á°¤Î°¸À襢¥É¥ì¥¹¤¬±þÅú¤ÎÁ÷¿®¸µ¥¢¥É¥ì¥¹¤È
°Û¤Ê¤ë¾ì¹ç¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
.TP
.BI "--ctproto " "proto"
(̾Á°¤Þ¤¿¤Ï¿ôÃͤÇ) »ØÄꤵ¤ì¤¿¥×¥í¥È¥³¥ë¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
.TP
.BI "--ctorigsrc " "[!] \fIaddress\fP[/\fImask\fP]"
½ñ¤­´¹¤¨Á°¤ÎÁ÷¿®¸µ¥¢¥É¥ì¥¹¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
.TP
.BI "--ctorigdst " "[!] \fIaddress\fP[/\fImask\fP]"
½ñ¤­´¹¤¨Á°¤Î°¸À襢¥É¥ì¥¹¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
.TP
.BI "--ctreplsrc " "[!] \fIaddress\fP[/\fImask\fP]"
±þÅú¤ÎÁ÷¿®¸µ¥¢¥É¥ì¥¹¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
.TP
.BI "--ctrepldst " "[!] \fIaddress\fB[/\fImask\fP]"
±þÅú¤Î°¸À襢¥É¥ì¥¹¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
.TP
.BI "--ctstatus " "[\fINONE|EXPECTED|SEEN_REPLY|ASSURED\fP][,...]"
ÀܳÄÉÀפÎÆâÉôŪ¤Ê¾õÂ֤˥ޥåÁ¤¹¤ë¡£
.TP
.BI "--ctexpire " "\fItime\fP[\fI:time\fP]"
Í­¸ú´ü´Ö¤Î»Ä¤êÉÿô¡¢¤Þ¤¿¤Ï¤½¤ÎÈÏ°Ï(ξü¤ò´Þ¤à)¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
.SS dscp
¤³¤Î¥â¥¸¥å¡¼¥ë¤Ï¡¢IP ¥Ø¥Ã¥À¡¼¤Î TOS ¥Õ¥£¡¼¥ë¥ÉÆâ¤Ë¤¢¤ë¡¢
6 bit ¤Î DSCP ¥Õ¥£¡¼¥ë¥É¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
IETF ¤Ç¤Ï DSCP ¤¬ TOS ¤Ë¼è¤Ã¤ÆÂå¤ï¤Ã¤¿¡£
.TP
.BI "--dscp " "value"
(10 ¿Ê¤Þ¤¿¤Ï 16 ¿Ê¤Î) ¿ôÃÍ [0\-63] ¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
.TP
.BI "--dscp-class " "\fIDiffServ Class\fP"
DiffServ ¥¯¥é¥¹¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
ÃÍ¤Ï BE, EF, AFxx, CSx ¥¯¥é¥¹¤Î¤¤¤º¤ì¤«¤Ç¤¢¤ë¡£
¤³¤ì¤é¤Ï¡¢Âбþ¤¹¤ë¿ôÃͤǻØÄꤹ¤ë¤Î¤ÈƱ¤¸¤Ç¤¢¤ë¡£
.SS esp
¤³¤Î¥â¥¸¥å¡¼¥ë¤Ï IPSec ¥Ñ¥±¥Ã¥È¤Î ESP ¥Ø¥Ã¥À¡¼¤Î SPI Ãͤ˥ޥåÁ¤¹¤ë¡£ 
.TP
.BR "--espspi " "[!] \fIspi\fP[:\fIspi\fP]"
.SS helper
¤³¤Î¥â¥¸¥å¡¼¥ë¤Ï¡¢»ØÄꤵ¤ì¤¿ÀܳÄÉÀץإë¥Ñ¡¼¥â¥¸¥å¡¼¥ë¤Ë
´ØÏ¢¤¹¤ë¥Ñ¥±¥Ã¥È¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
.TP
.BI "--helper " "string"
»ØÄꤵ¤ì¤¿ÀܳÄÉÀץإë¥Ñ¡¼¥â¥¸¥å¡¼¥ë¤Ë
´ØÏ¢¤¹¤ë¥Ñ¥±¥Ã¥È¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
.RS
.PP
¥Ç¥Õ¥©¥ë¥È¤Î¥Ý¡¼¥È¤ò»È¤Ã¤¿ ftp-¥»¥Ã¥·¥ç¥ó¤Ë´ØÏ¢¤¹¤ë¥Ñ¥±¥Ã¥È¤Ç¤Ï¡¢
string ¤Ë "ftp" ¤È½ñ¤±¤ë¡£
¾¤Î¥Ý¡¼¥È¤Ç¤Ï "\-¥Ý¡¼¥ÈÈÖ¹æ" ¤òÃͤËÉÕ¤±²Ã¤¨¤ë¡£
¤¹¤Ê¤ï¤Á "ftp-2121" ¤È¤Ê¤ë¡£
.PP
¾¤ÎÀܳÄÉÀץإë¥Ñ¡¼¤Ç¤âƱ¤¸¥ë¡¼¥ë¤¬Å¬ÍѤµ¤ì¤ë¡£
.RE
.SS icmp
¤³¤Î³ÈÄ¥¤Ï `--protocol icmp' ¤¬»ØÄꤵ¤ì¤¿¾ì¹ç¤Ë¥í¡¼¥É¤µ¤ì¡¢
°Ê²¼¤Î¥ª¥×¥·¥ç¥ó¤¬Ä󶡤µ¤ì¤ë:
.TP
.BR "--icmp-type " "[!] \fItypename\fP"
¿ôÃͤΠICMP ¥¿¥¤¥×¡¢¤Þ¤¿¤Ï¥³¥Þ¥ó¥É
.nf
 iptables -p icmp -h
.fi
¤Çɽ¼¨¤µ¤ì¤ë ICMP ¥¿¥¤¥×̾¤ò»ØÄê¤Ç¤­¤ë¡£
.SS length
¤³¤Î¥â¥¸¥å¡¼¥ë¤Ï¡¢»ØÄꤵ¤ì¤¿¥Ñ¥±¥Ã¥ÈĹ¡¢¤Þ¤¿¤Ï¤½¤ÎÈϰϤ˥ޥåÁ¤¹¤ë¡£
.TP
.BR "--length " "\fIlength\fP[:\fIlength\fP]"
.SS limit
¤³¤Î¥â¥¸¥å¡¼¥ë¤Ï¡¢¥È¡¼¥¯¥ó¥Ð¥±¥Ä¥Õ¥£¥ë¥¿¤ò»È¤¤¡¢
ñ°Ì»þ´Ö¤¢¤¿¤êÀ©¸Â¤µ¤ì¤¿²ó¿ô¤À¤±¥Þ¥Ã¥Á¤¹¤ë¡£
¤³¤Î³ÈÄ¥¤ò»È¤Ã¤¿¥ë¡¼¥ë¤Ï¡¢(`!' ¥Õ¥é¥°¤¬»ØÄꤵ¤ì¤Ê¤¤¸Â¤ê)
À©¸Â¤Ë㤹¤ë¤Þ¤Ç¥Þ¥Ã¥Á¤¹¤ë¡£
¤³¤Î¥â¥¸¥å¡¼¥ë¤ÏÎ㤨¤Ð¡¢¥í¥°µ­Ï¿¤òÀ©¸Â¤¹¤ë¤¿¤á¤Ë
.B LOG
¥¿¡¼¥²¥Ã¥È¤ÈÁȤ߹ç¤ï¤»¤Æ»È¤¦¤³¤È¤¬¤Ç¤­¤ë¡£
.TP
.BI "--limit " "rate"
ñ°Ì»þ´Ö¤¢¤¿¤ê¤ÎÊ¿¶Ñ¥Þ¥Ã¥Á²ó¿ô¤ÎºÇÂçÃÍ¡£
¿ôÃͤǻØÄꤵ¤ì¡¢Åº»ú `/second', `/minute',
`/hour', `/day' ¤òÉÕ¤±¤ë¤³¤È¤â¤Ç¤­¤ë¡£
¥Ç¥Õ¥©¥ë¥È¤Ï 3/hour ¤Ç¤¢¤ë¡£
.TP
.BI "--limit-burst " "number"
¥Ñ¥±¥Ã¥È¤¬¥Þ¥Ã¥Á¤¹¤ë²ó¿ô¤ÎºÇÂç½é´üÃÍ:
¥Þ¥Ã¥Á²ó¿ô¤ÎºÇÂçÃͤϡ¢
¾å¤Î¥ª¥×¥·¥ç¥ó¤Ç»ØÄꤷ¤¿À©¸Â¤Ë㤷¤Ê¤±¤ì¤Ð¡¢
¤½¤ÎÅÙ¤´¤È¤Ë¡¢¤³¤Î¿ôÃͤˤʤë¤Þ¤Ç 1 ¸Ä¤º¤ÄÁý¤ä¤µ¤ì¤ë¡£
¥Ç¥Õ¥©¥ë¥È¤Ï 5 ¤Ç¤¢¤ë¡£
.SS mac
.TP
.BR "--mac-source " "[!] \fIaddress\fP"
Á÷¿®¸µ MAC ¥¢¥É¥ì¥¹¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
.I address
¤Ï XX:XX:XX:XX:XX:XX ¤È¤¤¤¦·Á¼°¤Ç¤Ê¤±¤ì¤Ð¤Ê¤é¤Ê¤¤¡£
¥¤¡¼¥µ¡¼¥Í¥Ã¥È¥Ç¥Ð¥¤¥¹¤«¤éÆþ¤Ã¤Æ¤¯¤ë¥Ñ¥±¥Ã¥È¤Ç¡¢
.BR PREROUTING ,
.BR FORWARD ,
.B INPUT
¥Á¥§¥¤¥ó¤ËÆþ¤ë¥Ñ¥±¥Ã¥È¤Ë¤·¤«°ÕÌ£¤¬¤Ê¤¤¡£
.SS mark
¤³¤Î¥â¥¸¥å¡¼¥ë¤Ï¥Ñ¥±¥Ã¥È¤Ë´ØÏ¢¤Å¤±¤é¤ì¤¿
netfilter ¤Î mark ¥Õ¥£¡¼¥ë¥É¤Ë¥Þ¥Ã¥Á¤¹¤ë
(¤³¤Î¥Õ¥£¡¼¥ë¥É¤Ï¡¢°Ê²¼¤Î
.B MARK
¥¿¡¼¥²¥Ã¥È¤ÇÀßÄꤵ¤ì¤ë)¡£
.TP
.BR "--mark " "\fIvalue\fP[/\fImask\fP]"
»ØÄꤵ¤ì¤¿Éä¹æ¤Ê¤· mark ÃͤΥѥ±¥Ã¥È¤Ë¥Þ¥Ã¥Á¤¹¤ë
(mask ¤¬»ØÄꤵ¤ì¤ë¤È¡¢Èæ³Ó¤ÎÁ°¤Ë mask ¤È¤ÎÏÀÍýÀÑ (AND) ¤¬¤È¤é¤ì¤ë)¡£
.SS multiport
¤³¤Î¥â¥¸¥å¡¼¥ë¤ÏÁ÷¿®¸µ¤äÁ÷¿®Àè¤Î¥Ý¡¼¥È¤Î½¸¹ç¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
¥Ý¡¼¥È¤Ï 15 ¸Ä¤Þ¤Ç»ØÄê¤Ç¤­¤ë¡£
¤³¤Î¥â¥¸¥å¡¼¥ë¤Ï
.B "-p tcp"
¤Þ¤¿¤Ï
.B "-p udp"
¤ÈÁȤ߹ç¤ï¤»¤Æ»È¤¦¤³¤È¤·¤«¤Ç¤­¤Ê¤¤¡£
.TP
.BR "--source-ports " "\fIport\fP[,\fIport\fP[,\fIport\fP...]]"
Á÷¿®¸µ¥Ý¡¼¥È¤¬»ØÄꤵ¤ì¤¿¥Ý¡¼¥È¤Î¤¦¤Á¤Î¤¤¤º¤ì¤«¤Ç¤¢¤ì¤Ð¥Þ¥Ã¥Á¤¹¤ë¡£
¥Õ¥é¥°
.B --sports
¤Ï¡¢¤³¤Î¥ª¥×¥·¥ç¥ó¤ÎÊØÍø¤ÊÊÌ̾¤Ç¤¢¤ë¡£
.TP
.BR "--destination-ports " "\fIport\fP[,\fIport\fP[,\fIport\fP...]]"
°¸Àè¥Ý¡¼¥È¤¬»ØÄꤵ¤ì¤¿¥Ý¡¼¥È¤Î¤¦¤Á¤Î¤¤¤º¤ì¤«¤Ç¤¢¤ì¤Ð¥Þ¥Ã¥Á¤¹¤ë¡£
¥Õ¥é¥°
.B --dports
¤Ï¡¢¤³¤Î¥ª¥×¥·¥ç¥ó¤ÎÊØÍø¤ÊÊÌ̾¤Ç¤¢¤ë¡£
.TP
.BR "--ports " "\fIport\fP[,\fIport\fP[,\fIport\fP...]]"
Á÷¿®¸µ¥Ý¡¼¥È¤È°¸Àè¥Ý¡¼¥È¤¬Åù¤·¤¯¡¢
¤«¤Ä¤½¤Î¥Ý¡¼¥È¤¬»ØÄꤵ¤ì¤¿¥Ý¡¼¥È¤Î¤¦¤Á¤Î¤¤¤º¤ì¤«¤Ç¤¢¤ì¤Ð¥Þ¥Ã¥Á¤¹¤ë¡£
.SS owner
¤³¤Î¥â¥¸¥å¡¼¥ë¤Ï¡¢¥í¡¼¥«¥ë¤ÇÀ¸À®¤µ¤ì¤¿¥Ñ¥±¥Ã¥È¤ËÉÕ¤¤¤Æ¡¢
¥Ñ¥±¥Ã¥ÈÀ¸À®¼Ô¤Î¤¤¤í¤¤¤í¤ÊÆÃÀ­¤ËÂФ·¤Æ¥Þ¥Ã¥Á¤ò¹Ô¤¦¡£
¤³¤ì¤Ï
.B OUTPUT
¥Á¥§¥¤¥ó¤Î¤ß¤Ç¤·¤«Í­¸ú¤Ç¤Ê¤¤¡£
¤Þ¤¿¡¢(ICMP ping ±þÅú¤Î¤è¤¦¤Ê) ¥Ñ¥±¥Ã¥È¤Ï¡¢
½êÍ­¼Ô¤¬¤¤¤Ê¤¤¤Î¤ÇÀäÂФ˥ޥåÁ¤·¤Ê¤¤¡£
.TP
.BI "--uid-owner " "userid"
»ØÄꤵ¤ì¤¿¼Â¸ú¥æ¡¼¥¶¡¼ ID ¤Î¥×¥í¥»¥¹¤Ë¤è¤ê
¥Ñ¥±¥Ã¥È¤¬À¸À®¤µ¤ì¤Æ¤¤¤ë¾ì¹ç¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
.TP
.BI "--gid-owner " "groupid"
»ØÄꤵ¤ì¤¿¼Â¸ú¥°¥ë¡¼¥× ID ¤Î¥×¥í¥»¥¹¤Ë¤è¤ê
¥Ñ¥±¥Ã¥È¤¬À¸À®¤µ¤ì¤Æ¤¤¤ë¾ì¹ç¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
.TP
.BI "--pid-owner " "processid"
»ØÄꤵ¤ì¤¿¥×¥í¥»¥¹ ID ¤Î¥×¥í¥»¥¹¤Ë¤è¤ê
¥Ñ¥±¥Ã¥È¤¬À¸À®¤µ¤ì¤Æ¤¤¤ë¾ì¹ç¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
.TP
.BI "--sid-owner " "sessionid"
»ØÄꤵ¤ì¤¿¥»¥Ã¥·¥ç¥ó¥°¥ë¡¼¥×¤Î¥×¥í¥»¥¹¤Ë¤è¤ê
¥Ñ¥±¥Ã¥È¤¬À¸À®¤µ¤ì¤Æ¤¤¤ë¾ì¹ç¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
.TP
.BI "--cmd-owner " "name"
»ØÄꤵ¤ì¤¿¥³¥Þ¥ó¥É̾¤ò»ý¤Ä¥×¥í¥»¥¹¤Ë¤è¤ê
¥Ñ¥±¥Ã¥È¤¬À¸À®¤µ¤ì¤Æ¤¤¤ë¾ì¹ç¤Ë¥Þ¥Ã¥Á¤¹¤ë
(¤³¤Îµ¡Ç½¤ò¥µ¥Ý¡¼¥È¤·¤¿¥«¡¼¥Í¥ë¤Î¤â¤È¤Ç iptables ¤¬¥³¥ó¥Ñ¥¤¥ë¤µ¤ì¤¿¾ì¹ç
¤Ë¤Î¤ß¡¢¤³¤Î¥â¥¸¥å¡¼¥ë¤Ï¸ºß¤¹¤ë)¡£
.SS physdev
¤³¤Î¥â¥¸¥å¡¼¥ë¤Ï¡¢¥Ö¥ê¥Ã¥¸¥Ç¥Ð¥¤¥¹¤Î¥¹¥ì¡¼¥Ö¤Ë¤µ¤ì¤¿¡¢
¥Ö¥ê¥Ã¥¸¥Ý¡¼¥È¤ÎÆþ½ÐÎϥǥХ¤¥¹¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
¤³¤Î¥â¥¸¥å¡¼¥ë¤Ï¡¢¥Ö¥ê¥Ã¥¸¤Ë¤è¤ëÆ©²áŪ¤Ê
IP ¥Õ¥¡¥¤¥¢¥¦¥©¡¼¥ë¤Î´ðÈפΰìÉô¤Ç¤¢¤ê¡¢
¥«¡¼¥Í¥ë¥Ð¡¼¥¸¥ç¥ó 2.5.44 °Ê¹ß¤Ç¤Î¤ßÍ­¸ú¤Ç¤¢¤ë¡£
.TP
.B --physdev-in name
¥Ñ¥±¥Ã¥È¤¬¼õ¿®¤µ¤ì¤ë¥Ö¥ê¥Ã¥¸¤Î¥Ý¡¼¥È̾
.RB ( INPUT ,
.BR FORWARD ,
.B PREROUTING
¥Á¥§¥¤¥ó¤ËÆþ¤ë¥Ñ¥±¥Ã¥È¤Î¤ß)¡£
¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹Ì¾¤¬ "+" ¤Ç½ª¤Ã¤Æ¤¤¤ë¾ì¹ç¡¢
¤½¤Î̾Á°¤Ç»Ï¤Þ¤ëǤ°Õ¤Î¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹Ì¾¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
¥Ö¥ê¥Ã¥¸¥Ç¥Ð¥¤¥¹¤òÄ̤·¤Æ¼õ¤±¼è¤é¤ì¤Ê¤«¤Ã¤¿¥Ñ¥±¥Ã¥È¤Ï¡¢
\&'!' ¤¬»ØÄꤵ¤ì¤Æ¤¤¤Ê¤¤¸Â¤ê¡¢¤³¤Î¥ª¥×¥·¥ç¥ó¤Ë¥Þ¥Ã¥Á¤·¤Ê¤¤¡£
.TP
.B --physdev-out name
¥Ñ¥±¥Ã¥È¤òÁ÷¿®¤¹¤ë¤³¤È¤Ë¤Ê¤ë¥Ö¥ê¥Ã¥¸¤Î¥Ý¡¼¥È̾
.RB ( FORWARD ,
.BR OUTPUT , 
.B POSTROUTING
¥Á¥§¥¤¥ó¤ËÆþ¤ë¥Ñ¥±¥Ã¥È¤Î¤ß)¡£ 
¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹Ì¾¤¬ "+" ¤Ç½ª¤Ã¤Æ¤¤¤ë¾ì¹ç¡¢
¤½¤Î̾Á°¤Ç»Ï¤Þ¤ëǤ°Õ¤Î¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹Ì¾¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
.B nat
¤È
.B mangle
¥Æ¡¼¥Ö¥ë¤Î
.B OUTPUT
¥Á¥§¥¤¥ó¤Ç¤Ï¥Ö¥ê¥Ã¥¸¤Î½ÐÎϥݡ¼¥È¤Ë¥Þ¥Ã¥Á¤µ¤»¤ë¤³¤È¤¬¤Ç¤­¤Ê¤¤¤¬¡¢
.B filter
¥Æ¡¼¥Ö¥ë¤Î
.B OUPUT
¥Á¥§¥¤¥ó¤Ç¤Ï¥Þ¥Ã¥Á²Äǽ¤Ç¤¢¤ë¡£
¥Ñ¥±¥Ã¥È¤¬¥Ö¥ê¥Ã¥¸¥Ç¥Ð¥¤¥¹¤«¤éÁ÷¤é¤ì¤Ê¤«¤Ã¤¿¾ì¹ç¡¢
¤Þ¤¿¤Ï¥Ñ¥±¥Ã¥È¤Î½ÐÎϥǥХ¤¥¹¤¬ÉÔÌÀ¤Ç¤¢¤Ã¤¿¾ì¹ç¤Ï¡¢
\&'!' ¤¬»ØÄꤵ¤ì¤Æ¤¤¤Ê¤¤¸Â¤ê¡¢¥Ñ¥±¥Ã¥È¤Ï¤³¤Î¥ª¥×¥·¥ç¥ó¤Ë¥Þ¥Ã¥Á¤·¤Ê¤¤¡£
.TP
.B --physdev-is-in
¥Ñ¥±¥Ã¥È¤¬¥Ö¥ê¥Ã¥¸¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹¤ËÆþ¤Ã¤¿¾ì¹ç¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
.TP
.B --physdev-is-out
¥Ñ¥±¥Ã¥È¤¬¥Ö¥ê¥Ã¥¸¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹¤«¤é½Ð¤è¤¦¤È¤·¤¿¾ì¹ç¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
.TP
.B --physdev-is-bridged
¥Ñ¥±¥Ã¥È¤¬¥Ö¥ê¥Ã¥¸¤µ¤ì¤ë¤³¤È¤Ë¤è¤ê¡¢
¥ë¡¼¥Æ¥£¥ó¥°¤µ¤ì¤Ê¤«¤Ã¤¿¾ì¹ç¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
¤³¤ì¤Ï FORWARD, POSTROUTING ¥Á¥§¥¤¥ó¤Ë¤ª¤¤¤Æ¤Î¤ßÌòΩ¤Ä¡£
.SS pkttype
¤³¤Î¥â¥¸¥å¡¼¥ë¤Ï¡¢¥ê¥ó¥¯ÁؤΥѥ±¥Ã¥È¥¿¥¤¥×¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
.TP
.BI "--pkt-type " "[\fIunicast\fP|\fIbroadcast\fP|\fImulticast\fP]"
.SS state
¤³¤Î¥â¥¸¥å¡¼¥ë¤Ï¡¢ÀܳÄÉÀ× (connection tracking) ¤ÈÁȤ߹ç¤ï¤»¤ÆÍѤ¤¤ë¤È¡¢
¥Ñ¥±¥Ã¥È¤Ë¤Ä¤¤¤Æ¤ÎÀܳÄÉÀ×¾õÂÖ¤òÃΤ뤳¤È¤¬¤Ç¤­¤ë¡£
.TP
.BI "--state " "state"
state ¤Ï¡¢¥Þ¥Ã¥Á¥ó¥°¤ò¹Ô¤¦¤¿¤á¤Î¡¢¥³¥ó¥Þ¤Ç¶èÀÚ¤é¤ì¤¿Àܳ¾õÂ֤Υꥹ¥È¤Ç¤¢¤ë¡£
»ØÄê²Äǽ¤Ê state ¤Ï°Ê²¼¤ÎÄ̤ꡣ
.BR INVALID :
¤³¤Î¥Ñ¥±¥Ã¥È¤Ï´ûÃΤÎÀܳ¤È´Ø·¸¤·¤Æ¤¤¤Ê¤¤¡£
.BR ESTABLISHED :
¤³¤Î¥Ñ¥±¥Ã¥È¤Ï¡¢²áµîÁÐÊý¸þ¤Ë¥Ñ¥±¥Ã¥È¤¬¤ä¤ê¼è¤ê¤µ¤ì¤¿Àܳ¤Ë°¤¹¤ë¥Ñ¥±¥Ã¥È¤Ç¤¢¤ë¡£
.BR NEW :
¤³¤Î¥Ñ¥±¥Ã¥È¤¬¿·¤·¤¤Àܳ¤ò³«»Ï¤·¤¿¤«¡¢
ÁÐÊý¸þ¤Ë¤Ï¥Ñ¥±¥Ã¥È¤¬¤ä¤ê¼è¤ê¤µ¤ì¤Æ¤¤¤Ê¤¤Àܳ¤Ë°¤¹¤ë¥Ñ¥±¥Ã¥È¤Ç¤¢¤ë¡£
.BR RELATED :
¤³¤Î¥Ñ¥±¥Ã¥È¤¬¿·¤·¤¤Àܳ¤ò³«»Ï¤·¤Æ¤¤¤ë¤¬¡¢
FTP ¥Ç¡¼¥¿Å¾Á÷¤ä ICMP ¥¨¥é¡¼¤Î¤è¤¦¤Ë¡¢´û¸¤ÎÀܳ¤Ë´Ø·¸¤·¤Æ¤¤¤ë¡£
.SS tcp
¤³¤ì¤é¤Î³ÈÄ¥¤Ï `--protocol tcp' ¤¬»ØÄꤵ¤ì¾ì¹ç¤Ë¥í¡¼¥É¤µ¤ì¡¢
°Ê²¼¤Î¥ª¥×¥·¥ç¥ó¤¬Ä󶡤µ¤ì¤ë:
.TP
.BR "--source-port " "[!] \fIport\fP[:\fIport\fP]"
Á÷¿®¸µ¥Ý¡¼¥È¤Þ¤¿¤Ï¥Ý¡¼¥ÈÈϰϤλØÄê¡£
¥µ¡¼¥Ó¥¹Ì¾¤Þ¤¿¤Ï¥Ý¡¼¥ÈÈÖ¹æ¤ò»ØÄê¤Ç¤­¤ë¡£
.IR port : port
¤È¤¤¤¦·Á¼°¤Ç¡¢2 ¤Ä¤ÎÈÖ¹æ¤ò´Þ¤àÈϰϤò»ØÄꤹ¤ë¤³¤È¤â¤Ç¤­¤ë¡£
ºÇ½é¤Î¥Ý¡¼¥È¤ò¾Êά¤·¤¿¾ì¹ç¡¢"0" ¤ò²¾Äꤹ¤ë¡£
ºÇ¸å¤Î¥Ý¡¼¥È¤ò¾Êά¤·¤¿¾ì¹ç¡¢"65535" ¤ò²¾Äꤹ¤ë¡£
ºÇ½é¤Î¥Ý¡¼¥È¤¬ºÇ¸å¤Î¥Ý¡¼¥È¤è¤êÂ礭¤¤¾ì¹ç¡¢2 ¤Ä¤ÏÆþ¤ì´¹¤¨¤é¤ì¤ë¡£
.\"tsekine ¸¶Ê¸¤¬´Ö°ã¤Ã¤Æ¤½¤¦
¥Õ¥é¥°
.B --sport
¤Ï¡¢¤³¤Î¥ª¥×¥·¥ç¥ó¤ÎÊØÍø¤ÊÊÌ̾¤Ç¤¢¤ë¡£
.TP
.BR "--destination-port " "[!] \fIport\fP[:\fIport\fP]"
Á÷¿®Àè¥Ý¡¼¥È¤Þ¤¿¤Ï¥Ý¡¼¥ÈÈϰϤλØÄê¡£
¥Õ¥é¥°
.B --dport
¤Ï¡¢¤³¤Î¥ª¥×¥·¥ç¥ó¤ÎÊØÍø¤ÊÊÌ̾¤Ç¤¢¤ë¡£
.TP
.BR "--tcp-flags " "[!] \fImask\fP \fIcomp\fP"
TCP ¥Õ¥é¥°¤¬»ØÄꤵ¤ì¤¿¤â¤Î¤ÈÅù¤·¤¤¾ì¹ç¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
Âè 1 °ú¤­¿ô¤Ïɾ²ÁÂоݤȤ¹¤ë¥Õ¥é¥°¤Ç¡¢¥³¥ó¥Þ¶èÀÚ¤ê¤Î¥ê¥¹¥È¤Ç¤¢¤ë¡£
Âè 2 °ú¤­¿ô¤Ï¤³¤Î¤¦¤ÁÀßÄꤵ¤ì¤Æ¤¤¤Ê¤±¤ì¤Ð¤Ê¤é¤Ê¤¤¥Õ¥é¥°¤Ç¡¢
¥³¥ó¥Þ¶èÀÚ¤ê¤Î¥ê¥¹¥È¤Ç¤¢¤ë¡£
»ØÄê¤Ç¤­¤ë¥Õ¥é¥°¤Ï
.B "SYN ACK FIN RST URG PSH ALL NONE"
¤Ç¤¢¤ë¡£
¤è¤Ã¤Æ¡¢¥³¥Þ¥ó¥É
.nf
 iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN
.fi
¤Ï¡¢SYN ¥Õ¥é¥°¤¬ÀßÄꤵ¤ì ACK, FIN, RST ¥Õ¥é¥°¤¬ÀßÄꤵ¤ì¤Æ¤¤¤Ê¤¤
¥Ñ¥±¥Ã¥È¤Ë¤Î¤ß¥Þ¥Ã¥Á¤¹¤ë¡£
.TP
.B "[!] --syn"
SYN ¥Ó¥Ã¥È¤¬ÀßÄꤵ¤ì ACK ¤È RST ¥Ó¥Ã¥È¤¬¥¯¥ê¥¢¤µ¤ì¤Æ¤¤¤ë
TCP ¥Ñ¥±¥Ã¥È¤Ë¤Î¤ß¥Þ¥Ã¥Á¤¹¤ë¡£
¤³¤Î¤è¤¦¤Ê¥Ñ¥±¥Ã¥È¤Ï TCP Àܳ¤Î³«»ÏÍ×µá¤Ë»È¤ï¤ì¤ë¡£
Î㤨¤Ð¡¢¤¢¤ë¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹¤ËÆþ¤Ã¤Æ¤¯¤ë¤³¤Î¤è¤¦¤Ê¥Ñ¥±¥Ã¥È¤ò¥Ö¥í¥Ã¥¯¤¹¤ì¤Ð¡¢
Æ⦤ؤΠTCP Àܳ¤Ï¶Ø»ß¤µ¤ì¤ë¤¬¡¢³°Â¦¤Ø¤Î TCP Àܳ¤Ë¤Ï±Æ¶Á¤·¤Ê¤¤¡£
¤³¤ì¤Ï \fB--tcp-flags SYN,RST,ACK SYN\fP ¤ÈÅù¤·¤¤¡£
"--syn" ¤ÎÁ°¤Ë "!" ¥Õ¥é¥°¤òÃÖ¤¯¤È¡¢
SYN ¥Ó¥Ã¥È¤¬¥¯¥ê¥¢¤µ¤ì ACK ¤È RST ¥Ó¥Ã¥È¤¬ÀßÄꤵ¤ì¤Æ¤¤¤ë
TCP ¥Ñ¥±¥Ã¥È¤Ë¤Î¤ß¥Þ¥Ã¥Á¤¹¤ë¡£
.TP
.BR "--tcp-option " "[!] \fInumber\fP"
TCP ¥ª¥×¥·¥ç¥ó¤¬ÀßÄꤵ¤ì¤Æ¤¤¤ë¾ì¹ç¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
.TP
.BR "--mss " "\fIvalue\fP[:\fIvalue\fP]"
»ØÄꤵ¤ì¤¿ MSS ÃÍ (¤ÎÈÏ°Ï) ¤ò»ý¤Ä TCP ¤Î 
SYN ¤Þ¤¿¤Ï SYN/ACK ¥Ñ¥±¥Ã¥È¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
MSS ¤ÏÀܳ¤ËÂФ¹¤ë¥Ñ¥±¥Ã¥È¤ÎºÇÂ祵¥¤¥º¤òÀ©¸æ¤¹¤ë¡£
.SS tos
¤³¤Î¥â¥¸¥å¡¼¥ë¤Ï IP ¥Ø¥Ã¥À¡¼¤Î 8 ¥Ó¥Ã¥È¤Î (¤Ä¤Þ¤ê¾å°Ì¥Ó¥Ã¥È¤ò´Þ¤à)
Type of Service ¥Õ¥£¡¼¥ë¥É¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
.TP
.BI "--tos " "tos"
°ú¤­¿ô¤Ï¡¢¥Þ¥Ã¥Á¤ò¹Ô¤¦É¸½àŪ¤Ê̾Á°¤Ç¤â¿ôÃͤǤâ¤è¤¤
(̾Á°¤Î¥ê¥¹¥È¤ò¸«¤ë¤Ë¤Ï
.nf
 iptables -m tos -h
.fi
¤ò»È¤¦¤³¤È)¡£
.SS ttl
¤³¤Î¥â¥¸¥å¡¼¥ë¤Ï IP ¥Ø¥Ã¥À¡¼¤Î time to live ¥Õ¥£¡¼¥ë¥É¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
.TP
.BI "--ttl " "ttl"
»ØÄꤵ¤ì¤¿ TTL Ãͤ˥ޥåÁ¤¹¤ë¡£
.SS udp
¤³¤ì¤é¤Î³ÈÄ¥¤Ï `--protocol udp' ¤¬»ØÄꤵ¤ì¤¿¾ì¹ç¤Ë¥í¡¼¥É¤µ¤ì¡¢
°Ê²¼¤Î¥ª¥×¥·¥ç¥ó¤¬Ä󶡤µ¤ì¤ë:
.TP
.BR "--source-port " "[!] \fIport\fP[:\fIport\fP]"
Á÷¿®¸µ¥Ý¡¼¥È¤Þ¤¿¤Ï¥Ý¡¼¥ÈÈϰϤλØÄê¡£
¾ÜºÙ¤Ï TCP ³ÈÄ¥¤Î
.B --source-port
¥ª¥×¥·¥ç¥ó¤ÎÀâÌÀ¤ò»²¾È¤¹¤ë¤³¤È¡£
.TP
.BR "--destination-port " "[!] \fIport\fP[:\fIport\fP]"
Á÷¿®Àè¥Ý¡¼¥È¤Þ¤¿¤Ï¥Ý¡¼¥ÈÈϰϤλØÄê¡£
¾ÜºÙ¤Ï TCP ³ÈÄ¥¤Î
.B --destination-port
¥ª¥×¥·¥ç¥ó¤ÎÀâÌÀ¤ò»²¾È¤¹¤ë¤³¤È¡£
.SS unclean
¤³¤Î¥â¥¸¥å¡¼¥ë¤Ë¤Ï¥ª¥×¥·¥ç¥ó¤¬¤Ê¤¤¤¬¡¢
¤ª¤«¤·¤¯Àµ¾ï¤Ç¤Ê¤¤¤è¤¦¤Ë¸«¤¨¤ë¥Ñ¥±¥Ã¥È¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
¤³¤ì¤Ï¼Â¸³Åª¤Ê¤â¤Î¤È¤·¤Æ°·¤ï¤ì¤Æ¤¤¤ë¡£
.SH ¥¿¡¼¥²¥Ã¥È¤Î³ÈÄ¥
iptables ¤Ï³ÈÄ¥¥¿¡¼¥²¥Ã¥È¥â¥¸¥å¡¼¥ë¤ò»È¤¦¤³¤È¤¬¤Ç¤­¤ë:
°Ê²¼¤Î¤â¤Î¤¬¡¢É¸½àŪ¤Ê¥Ç¥£¥¹¥È¥ê¥Ó¥å¡¼¥·¥ç¥ó¤Ë´Þ¤Þ¤ì¤Æ¤¤¤ë¡£
.SS DNAT
¤³¤Î¥¿¡¼¥²¥Ã¥È¤Ï
.B nat
¥Æ¡¼¥Ö¥ë¤Î
.BR PREROUTING ,
.B OUTPUT
¥Á¥§¥¤¥ó¡¢¤³¤ì¤é¤Î¥Á¥§¥¤¥ó¤«¤é¸Æ¤Ó½Ð¤µ¤ì¤ë
¥æ¡¼¥¶¡¼ÄêµÁ¥Á¥§¥¤¥ó¤Î¤ß¤ÇÍ­¸ú¤Ç¤¢¤ë¡£
¤³¤Î¥¿¡¼¥²¥Ã¥È¤Ï¥Ñ¥±¥Ã¥È¤ÎÁ÷¿®À襢¥É¥ì¥¹¤ò½¤Àµ¤¹¤ë
(¤³¤ÎÀܳ¤Î°Ê¹ß¤Î¥Ñ¥±¥Ã¥È¤â½¤Àµ¤·¤Æʬ¤«¤é¤Ê¤¯ (mangle) ¤¹¤ë)¡£
¤µ¤é¤Ë¡¢¥ë¡¼¥ë¤Ë¤è¤ë¥Á¥§¥Ã¥¯¤ò»ß¤á¤µ¤»¤ë¡£
¤³¤Î¥¿¡¼¥²¥Ã¥È¤Ë¤Ï¥ª¥×¥·¥ç¥ó¤¬ 1 ¼ïÎढ¤ë:
.TP
.BR "--to-destination " "\fIipaddr\fP[-\fIipaddr\fP][:\fIport\fP-\fIport\fP]"
1 ¤Ä¤Î¿·¤·¤¤Á÷¿®Àè IP ¥¢¥É¥ì¥¹¡¢¤Þ¤¿¤Ï IP ¥¢¥É¥ì¥¹¤ÎÈϰϤ¬»ØÄê¤Ç¤­¤ë¡£
¥Ý¡¼¥È¤ÎÈϰϤò»ØÄꤹ¤ë¤³¤È¤â¤Ç¤­¤ë
(¤³¤ì¤Ï¥ë¡¼¥ë¤Ç
.B "-p tcp"
¤Þ¤¿¤Ï
.B "-p udp"
¤ò»ØÄꤷ¤Æ¤¤¤ë¾ì¹ç¤Ë¤Î¤ßÍ­¸ú)¡£
¥Ý¡¼¥È¤ÎÈϰϤ¬»ØÄꤵ¤ì¤Æ¤¤¤Ê¤¤¾ì¹ç¡¢Á÷¿®Àè¥Ý¡¼¥È¤ÏÊѹ¹¤µ¤ì¤Ê¤¤¡£
.RS
.PP
Ê£¿ô¤Î --to-destination ¥ª¥×¥·¥ç¥ó¤ò»ØÄꤹ¤ë¤³¤È¤¬¤Ç¤­¤ë¡£
¥¢¥É¥ì¥¹¤ÎÈϰϤˤè¤Ã¤Æ¡¢
¤â¤·¤¯¤ÏÊ£¿ô¤Î --to-destination ¥ª¥×¥·¥ç¥ó¤Ë¤è¤Ã¤Æ
2 ¤Ä°Ê¾å¤ÎÁ÷¿®À襢¥É¥ì¥¹¤ò»ØÄꤷ¤¿¾ì¹ç¡¢
¤½¤ì¤é¤Î¥¢¥É¥ì¥¹¤ò»È¤Ã¤¿Ã±½ã¤Ê¥é¥¦¥ó¥É¡¦¥í¥Ó¥ó
(½ç¡¹¤Ë½Û´Ä¤µ¤»¤ë) ¤¬¤ª¤³¤Ê¤ï¤ì¤ë¡£
.RE
.SS DSCP
¤³¤Î¥¿¡¼¥²¥Ã¥È¤Ï¡¢IPv4 ¥Ñ¥±¥Ã¥È¤Î TOS ¥Ø¥Ã¥À¡¼¤Ë¤¢¤ë
DSCP ¥Ó¥Ã¥È¤ÎÃͤνñ¤­´¹¤¨¤ò²Äǽ¤Ë¤¹¤ë¡£
¤³¤ì¤Ï¥Ñ¥±¥Ã¥È¤òÁàºî¤¹¤ë¤Î¤Ç¡¢mangle ¥Æ¡¼¥Ö¥ë¤Ç¤Î¤ß»ÈÍѤǤ­¤ë¡£
.TP
.BI "--set-dscp " "value"
DSCP ¥Õ¥£¡¼¥ë¥É¤Î¿ôÃͤòÀßÄꤹ¤ë (10 ¿Ê¤Þ¤¿¤Ï 16 ¿Ê)¡£
.TP
.BI "--set-dscp-class " "class"
DSCP ¥Õ¥£¡¼¥ë¥É¤Î DiffServ ¥¯¥é¥¹¤òÀßÄꤹ¤ë¡£
.SS ECN
¤³¤Î¥¿¡¼¥²¥Ã¥È¤Ï ECN ¥Ö¥é¥Ã¥¯¥Û¡¼¥ëÌäÂê¤Ø¤ÎÂнè¤ò²Äǽ¤Ë¤¹¤ë¡£
mangle ¥Æ¡¼¥Ö¥ë¤Ç¤Î¤ß»ÈÍѤǤ­¤ë¡£
.TP
.BI "--ecn-tcp-remove"
TCP ¥Ø¥Ã¥À¡¼¤«¤éÁ´¤Æ¤Î ECN ¥Ó¥Ã¥È (ÌõÃí: ECE/CWR ¥Õ¥é¥°) ¤ò¼è¤ê½ü¤¯¡£
ÅöÁ³¡¢
.B "-p tcp"
¥ª¥×¥·¥ç¥ó¤È¤ÎÁȹç¤ï¤»¤Ç¤Î¤ß»ÈÍѤǤ­¤ë¡£
.SS LOG
¥Þ¥Ã¥Á¤·¤¿¥Ñ¥±¥Ã¥È¤ò¥«¡¼¥Í¥ë¥í¥°¤Ëµ­Ï¿¤¹¤ë¡£
¤³¤Î¥ª¥×¥·¥ç¥ó¤¬¥ë¡¼¥ë¤ËÂФ·¤ÆÀßÄꤵ¤ì¤ë¤È¡¢
Linux ¥«¡¼¥Í¥ë¤Ï¥Þ¥Ã¥Á¤·¤¿¥Ñ¥±¥Ã¥È¤Ë¤Ä¤¤¤Æ¤Î
(ÂçÉôʬ¤Î IP ¥Ø¥Ã¥À¡¼¥Õ¥£¡¼¥ë¥É¤Î¤è¤¦¤Ê) ²¿¤é¤«¤Î¾ðÊó¤ò
¥«¡¼¥Í¥ë¥í¥°¤Ëɽ¼¨¤¹¤ë
(¥«¡¼¥Í¥ë¥í¥°¤Ï
.I dmesg
¤Þ¤¿¤Ï
.IR syslogd (8)
¤Ç¸«¤ë¤³¤È¤¬¤Ç¤­¤ë)¡£
¤³¤ì¤Ï "Èó½ªÎ»¥¿¡¼¥²¥Ã¥È" ¤Ç¤¢¤ë¡£
¤¹¤Ê¤ï¤Á¡¢¥ë¡¼¥ë¤Î¸¡Æ¤¤Ï¡¢¼¡¤Î¥ë¡¼¥ë¤Ø¤È·Ñ³¤µ¤ì¤ë¡£
¤è¤Ã¤Æ¡¢µñÈݤ¹¤ë¥Ñ¥±¥Ã¥È¤ò¥í¥°µ­Ï¿¤·¤¿¤±¤ì¤Ð¡¢
Ʊ¤¸¥Þ¥Ã¥Á¥ó¥°È½ÃÇ´ð½à¤ò»ý¤Ä 2 ¤Ä¤Î¥ë¡¼¥ë¤ò»ÈÍѤ·¡¢
ºÇ½é¤Î¥ë¡¼¥ë¤Ç LOG ¥¿¡¼¥²¥Ã¥È¤ò¡¢
¼¡¤Î¥ë¡¼¥ë¤Ç DROP (¤Þ¤¿¤Ï REJECT) ¥¿¡¼¥²¥Ã¥È¤ò»ØÄꤹ¤ë¡£
.TP
.BI "--log-level " "level"
¥í¥°µ­Ï¿¤Î¥ì¥Ù¥ë (¿ôÃͤƻØÄꤹ¤ë¤«¡¢
(ÌõÃð: ̾Á°¤Ç»ØÄꤹ¤ë¾ì¹ç¤Ï) \fIsyslog.conf\fP(5) ¤ò»²¾È¤¹¤ë¤³¤È)¡£
.TP
.BI "--log-prefix " "prefix"
»ØÄꤷ¤¿¥×¥ì¥Õ¥£¥Ã¥¯¥¹¤ò¥í¥°¥á¥Ã¥»¡¼¥¸¤ÎÁ°¤ËÉÕ¤±¤ë¡£
¥×¥ì¥Õ¥£¥Ã¥¯¥¹¤Ï 29 ʸ»ú¤Þ¤Ç¤ÎŤµ¤Ç¡¢
¥í¥°¤ÎÃæ¤Ç¥á¥Ã¥»¡¼¥¸¤ò¶èÊ̤¹¤ë¤Î¤ËÌòΩ¤Ä¡£
.TP
.B --log-tcp-sequence
TCP ¥·¡¼¥±¥ó¥¹ÈÖ¹æ¤ò¥í¥°¤Ëµ­Ï¿¤¹¤ë¡£
¥í¥°¤¬¥æ¡¼¥¶¡¼¤«¤éÆɤá¤ë¾ì¹ç¡¢¥»¥­¥å¥ê¥Æ¥£¾å¤Î´í¸±¤¬¤¢¤ë¡£
.TP
.B --log-tcp-options
TCP ¥Ñ¥±¥Ã¥È¥Ø¥Ã¥À¡¼¤Î¥ª¥×¥·¥ç¥ó¤ò¥í¥°¤Ëµ­Ï¿¤¹¤ë¡£
.TP
.B --log-ip-options
IP ¥Ñ¥±¥Ã¥È¥Ø¥Ã¥À¡¼¤Î¥ª¥×¥·¥ç¥ó¤ò¥í¥°¤Ëµ­Ï¿¤¹¤ë¡£
.SS MARK
¥Ñ¥±¥Ã¥È¤Ë´ØÏ¢¤Å¤±¤é¤ì¤¿ netfilter ¤Î mark ÃͤòÀßÄꤹ¤ë¡£
.B mangle
¥Æ¡¼¥Ö¥ë¤Î¤ß¤ÇÍ­¸ú¤Ç¤¢¤ë¡£
Î㤨¤Ð¡¢iproute2 ¤ÈÁȤ߹ç¤ï¤»¤Æ»È¤¦¤³¤È¤¬¤Ç¤­¤ë¡£
.TP
.BI "--set-mark " "mark"
.SS MASQUERADE
¤³¤Î¥¿¡¼¥²¥Ã¥È¤Ï
.B nat
¥Æ¡¼¥Ö¥ë¤Î
.B POSTROUTING
¥Á¥§¥¤¥ó¤Î¤ß¤ÇÍ­¸ú¤Ç¤¢¤ë¡£
ưŪ³ä¤êÅö¤Æ IP (¥À¥¤¥ä¥ë¥¢¥Ã¥×) Àܳ¤Î¾ì¹ç¤Ë¤Î¤ß»È¤¦¤Ù¤­¤Ç¤¢¤ë¡£
¸ÇÄê IP ¥¢¥É¥ì¥¹¤Ê¤é¤Ð¡¢SNAT ¥¿¡¼¥²¥Ã¥È¤ò»È¤¦¤Ù¤­¤Ç¤¢¤ë¡£
¥Þ¥¹¥«¥ì¡¼¥Ç¥£¥ó¥°¤Ï¡¢¥Ñ¥±¥Ã¥È¤¬Á÷¿®¤µ¤ì¤ë¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹¤Î
IP ¥¢¥É¥ì¥¹¤Ø¤Î¥Þ¥Ã¥Ô¥ó¥°¤ò»ØÄꤹ¤ë¤Î¤ÈƱ¤¸¤Ç¤¢¤ë¤¬¡¢
¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹¤¬Ää»ß¤·¤¿¾ì¹ç¤ËÀܳ¤ò\fI˺¤ì¤ë\fR¤È¤¤¤¦¸ú²Ì¤¬¤¢¤ë¡£
¼¡¤Î¥À¥¤¥ä¥ë¥¢¥Ã¥×¤Ç¤ÏƱ¤¸¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹¥¢¥É¥ì¥¹¤Ë¤Ê¤ë²ÄǽÀ­¤¬Ä㤤
(¤½¤Î¤¿¤á¡¢Á°²ó³ÎΩ¤µ¤ì¤¿Àܳ¤Ï¼º¤ï¤ì¤ë) ¾ì¹ç¡¢
¤³¤ÎÆ°ºî¤ÏÀµ¤·¤¤¡£
¤³¤Î¥¿¡¼¥²¥Ã¥È¤Ë¤Ï¥ª¥×¥·¥ç¥ó¤¬ 1 ¤Ä¤¢¤ë¡£
.TP
.BR "--to-ports " "\fIport\fP[-\fIport\fP]"
¤³¤Î¥ª¥×¥·¥ç¥ó¤Ï¡¢»ÈÍѤ¹¤ëÁ÷¿®¸µ¥Ý¡¼¥È¤ÎÈϰϤò»ØÄꤷ¡¢
¥Ç¥Õ¥©¥ë¥È¤Î
.B SNAT
Á÷¿®¸µ¥Ý¡¼¥È¤ÎÁªÂòÊýË¡ (¾åµ­) ¤è¤ê¤âÍ¥À褵¤ì¤ë¡£
¥ë¡¼¥ë¤¬
.B "-p tcp"
¤Þ¤¿¤Ï
.B "-p udp"
¤ò»ØÄꤷ¤Æ¤¤¤ë¾ì¹ç¤Ë¤Î¤ßÍ­¸ú¤Ç¤¢¤ë¡£
.SS MIRROR
¼Â¸³Åª¤Ê¥Ç¥â¥ó¥¹¥È¥ì¡¼¥·¥ç¥óÍѤΥ¿¡¼¥²¥Ã¥È¤Ç¤¢¤ê¡¢
IP ¥Ø¥Ã¥À¡¼¤ÎÁ÷¿®¸µ¤ÈÁ÷¿®Àè¥Õ¥£¡¼¥ë¥É¤òÆþ¤ì´¹¤¨¡¢
¥Ñ¥±¥Ã¥È¤òºÆÁ÷¿®¤¹¤ë¤â¤Î¤Ç¤¢¤ë¡£
¤³¤ì¤Ï
.BR INPUT ,
.BR FORWARD ,
.B PREROUTING
¥Á¥§¥¤¥ó¤È¡¢¤³¤ì¤é¤Î¥Á¥§¥¤¥ó¤«¤é¸Æ¤Ó½Ð¤µ¤ì¤ë
¥æ¡¼¥¶¡¼ÄêµÁ¥Á¥§¥¤¥ó¤À¤±¤ÇÍ­¸ú¤Ç¤¢¤ë¡£
¥ë¡¼¥×Åù¤ÎÌäÂê¤ò²óÈò¤¹¤ë¤¿¤á¡¢³°Éô¤ËÁ÷¤é¤ì¤ë¥Ñ¥±¥Ã¥È¤Ï
¤¤¤«¤Ê¤ë¥Ñ¥±¥Ã¥È¥Õ¥£¥ë¥¿¥ê¥ó¥°¥Á¥§¥¤¥ó¡¦ÀܳÄÉÀס¦NAT ¤«¤é¤â
´Æ»ë\fB¤µ¤ì¤Ê¤¤\fR¡£
.SS REDIRECT
¤³¤Î¥¿¡¼¥²¥Ã¥È¤Ï¡¢
.B nat
¥Æ¡¼¥Ö¥ëÆâ¤Î
.B PREROUTING 
¥Á¥§¥¤¥óµÚ¤Ó
.B OUTPUT 
¥Á¥§¥¤¥ó¡¢¤½¤·¤Æ¤³¤ì¤é¥Á¥§¥¤¥ó¤«¤é¸Æ¤Ó½Ð¤µ¤ì¤ë
¥æ¡¼¥¶¡¼ÄêµÁ¥Á¥§¥¤¥ó¤Ç¤Î¤ßÍ­¸ú¤Ç¤¢¤ë¡£
¤³¤Î¥¿¡¼¥²¥Ã¥È¤Ï¥Ñ¥±¥Ã¥È¤ÎÁ÷¿®Àè IP ¥¢¥É¥ì¥¹¤ò
¥Þ¥·¥ó¼«¿È¤Î IP ¥¢¥É¥ì¥¹¤ËÊÑ´¹¤¹¤ë¡£
(¥í¡¼¥«¥ë¤ÇÀ¸À®¤µ¤ì¤¿¥Ñ¥±¥Ã¥È¤Ï¡¢¥¢¥É¥ì¥¹ 127.0.0.1 ¤Ë¥Þ¥Ã¥×¤µ¤ì¤ë)¡£
¤³¤Î¥¿¡¼¥²¥Ã¥È¤Ë¤Ï¥ª¥×¥·¥ç¥ó¤¬ 1 ¤Ä¤¢¤ë:
.TP
.BR "--to-ports " "\fIport\fP[-\fIport\fP]"
¤³¤Î¥ª¥×¥·¥ç¥ó¤Ï»ÈÍѤµ¤ì¤ëÁ÷¿®Àè¥Ý¡¼¥È¡¦¥Ý¡¼¥ÈÈÏ°Ï¡¦Ê£¿ô¥Ý¡¼¥È¤ò»ØÄꤹ¤ë¡£
¤³¤Î¥ª¥×¥·¥ç¥ó¤¬»ØÄꤵ¤ì¤Ê¤¤¾ì¹ç¡¢Á÷¿®Àè¥Ý¡¼¥È¤ÏÊѹ¹¤µ¤ì¤Ê¤¤¡£
¥ë¡¼¥ë¤¬
.B "-p tcp"
¤Þ¤¿¤Ï
.B "-p udp"
¤ò»ØÄꤷ¤Æ¤¤¤ë¾ì¹ç¤Ë¤Î¤ßÍ­¸ú¤Ç¤¢¤ë¡£
.SS REJECT
¥Þ¥Ã¥Á¤·¤¿¥Ñ¥±¥Ã¥È¤Î±þÅú¤È¤·¤Æ¥¨¥é¡¼¥Ñ¥±¥Ã¥È¤òÁ÷¿®¤¹¤ë¤¿¤á¤Ë»È¤ï¤ì¤ë¡£
¥¨¥é¡¼¥Ñ¥±¥Ã¥È¤òÁ÷¤é¤Ê¤±¤ì¤Ð¡¢
.B DROP
¤ÈƱ¤¸¤Ç¤¢¤ê¡¢TARGET ¤ò½ªÎ»¤·¡¢¥ë¡¼¥ë¤Î¸¡Æ¤¤ò½ªÎ»¤¹¤ë¡£
¤³¤Î¥¿¡¼¥²¥Ã¥È¤Ï¡¢
.BR INPUT ,
.BR FORWARD ,
.B OUTPUT
¥Á¥§¥¤¥ó¤È¡¢¤³¤ì¤é¤Î¥Á¥§¥¤¥ó¤«¤é¸Æ¤Ð¤ì¤ë
¥æ¡¼¥¶¡¼ÄêµÁ¥Á¥§¥¤¥ó¤À¤±¤ÇÍ­¸ú¤Ç¤¢¤ë¡£
°Ê²¼¤Î¥ª¥×¥·¥ç¥ó¤Ï¡¢ÊÖ¤µ¤ì¤ë¥¨¥é¡¼¥Ñ¥±¥Ã¥È¤ÎÆÃÀ­¤òÀ©¸æ¤¹¤ë¡£
.TP
.BI "--reject-with " "type"
type ¤È¤·¤Æ»ØÄê²Äǽ¤Ê¤â¤Î¤Ï
.nf
.B " icmp-net-unreachable"
.B " icmp-host-unreachable"
.B " icmp-port-unreachable"
.B " icmp-proto-unreachable"
.B " icmp-net-prohibited"
.B " icmp-host-prohibited or"
.B " icmp-admin-prohibited (*)"
.fi
¤Ç¤¢¤ê¡¢Å¬ÀÚ¤Ê ICMP ¥¨¥é¡¼¥á¥Ã¥»¡¼¥¸¤òÊÖ¤¹
.RB ( port-unreachable
¤¬¥Ç¥Õ¥©¥ë¥È¤Ç¤¢¤ë)¡£
TCP ¥×¥í¥È¥³¥ë¤Ë¤Î¤ß¥Þ¥Ã¥Á¤¹¤ë¥ë¡¼¥ë¤ËÂФ·¤Æ¡¢¥ª¥×¥·¥ç¥ó
.B tcp-reset
¤ò»È¤¦¤³¤È¤¬¤Ç¤­¤ë¡£
¤³¤Î¥ª¥×¥·¥ç¥ó¤ò»È¤¦¤È¡¢TCP RST ¥Ñ¥±¥Ã¥È¤¬Á÷¤êÊÖ¤µ¤ì¤ë¡£
¼ç¤È¤·¤Æ
.I ident
(113/tcp) ¤Ë¤è¤ëõºº¤òÁ˻ߤ¹¤ë¤Î¤ËÌòΩ¤Ä¡£
.I ident
¤Ë¤è¤ëõºº¤Ï¡¢²õ¤ì¤Æ¤¤¤ë (¥á¡¼¥ë¤ò¼õ¤±¼è¤é¤Ê¤¤) ¥á¡¼¥ë¥Û¥¹¥È¤Ë
¥á¡¼¥ë¤¬Á÷¤é¤ì¤ë¾ì¹ç¤ËÉÑÈˤ˵¯¤³¤ë¡£
.RS
.PP
(*) icmp-admin-prohibited ¤ò¥µ¥Ý¡¼¥È¤·¤Ê¤¤¥«¡¼¥Í¥ë¤Ç¡¢
icmp-admin-prohibited ¤ò»ÈÍѤ¹¤ë¤È¡¢
REJECT ¤Ç¤Ï¤Ê¤¯Ã±¤Ê¤ë DROP ¤Ë¤Ê¤ë¡£
.SS SNAT
¤³¤Î¥¿¡¼¥²¥Ã¥È¤Ï
.B nat
¥Æ¡¼¥Ö¥ë¤Î
.B POSTROUTING
¥Á¥§¥¤¥ó¤Î¤ß¤ÇÍ­¸ú¤Ç¤¢¤ë¡£
¤³¤Î¥¿¡¼¥²¥Ã¥È¤Ï¥Ñ¥±¥Ã¥È¤ÎÁ÷¿®¸µ¥¢¥É¥ì¥¹¤ò½¤Àµ¤µ¤»¤ë
(¤³¤ÎÀܳ¤Î°Ê¹ß¤Î¥Ñ¥±¥Ã¥È¤â½¤Àµ¤·¤Æʬ¤«¤é¤Ê¤¯ (mangle) ¤¹¤ë)¡£
¤µ¤é¤Ë¡¢¥ë¡¼¥ë¤¬É¾²Á¤òÃæ»ß¤¹¤ë¤è¤¦¤Ë»Ø¼¨¤¹¤ë¡£
¤³¤Î¥¿¡¼¥²¥Ã¥È¤Ë¤Ï¥ª¥×¥·¥ç¥ó¤¬ 1 ¼ïÎढ¤ë:
.TP
.BR "--to-source  " "\fIipaddr\fP[-\fIipaddr\fP][:\fIport\fP-\fIport\fP]"
1 ¤Ä¤Î¿·¤·¤¤Á÷¿®¸µ IP ¥¢¥É¥ì¥¹¡¢¤Þ¤¿¤Ï IP ¥¢¥É¥ì¥¹¤ÎÈϰϤ¬»ØÄê¤Ç¤­¤ë¡£
¥Ý¡¼¥È¤ÎÈϰϤò»ØÄꤹ¤ë¤³¤È¤â¤Ç¤­¤ë
(¥ë¡¼¥ë¤¬
.B "-p tcp"
¤Þ¤¿¤Ï
.B "-p udp"
¤ò»ØÄꤷ¤Æ¤¤¤ë¾ì¹ç¤Ë¤Î¤ßÍ­¸ú)¡£
¥Ý¡¼¥È¤ÎÈϰϤ¬»ØÄꤵ¤ì¤Æ¤¤¤Ê¤¤¾ì¹ç¡¢
512 ̤Ëþ¤ÎÁ÷¿®¸µ¥Ý¡¼¥È¤Ï¡¢Â¾¤Î 512 ̤Ëþ¤Î¥Ý¡¼¥È¤Ë¥Þ¥Ã¥Ô¥ó¥°¤µ¤ì¤ë¡£
512 ¡Á 1023 ¤Þ¤Ç¤Î¥Ý¡¼¥È¤Ï¡¢1024 ̤Ëþ¤Î¥Ý¡¼¥È¤Ë¥Þ¥Ã¥Ô¥ó¥°¤µ¤ì¤ë¡£
¤½¤ì°Ê³°¤Î¥Ý¡¼¥È¤Ï¡¢1024 °Ê¾å¤Î¥Ý¡¼¥È¤Ë¥Þ¥Ã¥Ô¥ó¥°¤µ¤ì¤ë¡£
²Äǽ¤Ç¤¢¤ì¤Ð¡¢¥Ý¡¼¥È¤ÎÊÑ´¹¤Ïµ¯¤³¤é¤Ê¤¤¡£
.RS
.PP
Ê£¿ô¤Î --to-source ¥ª¥×¥·¥ç¥ó¤ò»ØÄꤹ¤ë¤³¤È¤¬¤Ç¤­¤ë¡£
¥¢¥É¥ì¥¹¤ÎÈϰϤˤè¤Ã¤Æ¡¢
¤â¤·¤¯¤ÏÊ£¿ô¤Î --to-source ¥ª¥×¥·¥ç¥ó¤Ë¤è¤Ã¤Æ
2 ¤Ä°Ê¾å¤ÎÁ÷¿®¸µ¥¢¥É¥ì¥¹¤ò»ØÄꤷ¤¿¾ì¹ç¡¢
¤½¤ì¤é¤Î¥¢¥É¥ì¥¹¤ò»È¤Ã¤¿Ã±½ã¤Ê¥é¥¦¥ó¥É¡¦¥í¥Ó¥ó
(½ç¡¹¤Ë½Û´Ä¤µ¤»¤ë) ¤¬¤ª¤³¤Ê¤ï¤ì¤ë¡£
.SS TCPMSS
¤³¤Î¥¿¡¼¥²¥Ã¥È¤òÍѤ¤¤ë¤È¡¢TCP ¤Î SYN ¥Ñ¥±¥Ã¥È¤Î MSS Ãͤò½ñ¤­´¹¤¨¡¢
¤½¤Î¥³¥Í¥¯¥·¥ç¥ó¤ÎºÇÂ祵¥¤¥º
(Ä̾ï¤Ï¡¢Á÷¿®¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹¤Î MTU ¤«¤é 40 °ú¤¤¤¿ÃÍ)
¤òÀ©¸æ¤Ç¤­¤ë¡£
¤â¤Á¤í¤ó
.B "-p tcp"
¤ÈÁȤ߹ç¤ï¤»¤Æ¤·¤«»È¤¨¤Ê¤¤¡£
.PP
¤³¤Î¥¿¡¼¥²¥Ã¥È¤ÏÈȺáŪ¤ËƬ¤Î¤¤¤«¤ì¤¿ ISP ¤ä
ICMP Fragmentation Needed ¥Ñ¥±¥Ã¥È¤ò¥Ö¥í¥Ã¥¯¤·¤Æ¤·¤Þ¤¦¥µ¡¼¥Ð¡¼¤ò
¾è¤ê±Û¤¨¤ë¤¿¤á¤Ë»ÈÍѤ¹¤ë¡£
Linux ¥Õ¥¡¥¤¥¢¥¦¥©¡¼¥ë/¥ë¡¼¥¿¡¼¤Ç¤Ï²¿¤âÌäÂ꤬¤Ê¤¤¤Î¤Ë¡¢
¤½¤³¤Ë¤Ö¤é²¼¤¬¤ë¥Þ¥·¥ó¤Ç¤Ï°Ê²¼¤Î¤è¤¦¤ËÂ礭¤Ê¥Ñ¥±¥Ã¥È¤ò
¤ä¤ê¤È¤ê¤Ç¤­¤Ê¤¤¤È¤¤¤¦¤Î¤¬¡¢¤³¤ÎÌäÂê¤ÎÃû¸õ¤Ç¤¢¤ë¡£
.PD 0
.RS 0.1i
.TP 0.3i
1)
¥¦¥§¥Ö¡¦¥Ö¥é¥¦¥¶¤ÇÀܳ¤¬¡¢²¿¤Î¥Ç¡¼¥¿¤â¼õ¤±¼è¤é¤º¤Ë¥Ï¥ó¥°¤¹¤ë
.TP
2)
û¤¤¥á¡¼¥ë¤ÏÌäÂê¤Ê¤¤¤¬¡¢Ä¹¤¤¥á¡¼¥ë¤¬¥Ï¥ó¥°¤¹¤ë
.TP
3)
ssh ¤ÏÌäÂê¤Ê¤¤¤¬¡¢scp ¤ÏºÇ½é¤Î¥Ï¥ó¥É¥·¥§¡¼¥¯¸å¤Ë¥Ï¥ó¥°¤¹¤ë
.RE
.PD
²óÈòÊýË¡: ¤³¤Î¥ª¥×¥·¥ç¥ó¤òÍ­¸ú¤Ë¤·¡¢°Ê²¼¤Î¤è¤¦¤Ê¥ë¡¼¥ë¤ò
¥Õ¥¡¥¤¥¢¥¦¥©¡¼¥ë¤ÎÀßÄê¤ËÄɲ乤롣
.nf
 iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \\
             -j TCPMSS --clamp-mss-to-pmtu
.fi
.TP
.BI "--set-mss " "value"
MSS ¥ª¥×¥·¥ç¥ó¤ÎÃͤò»ØÄꤷ¤¿ÃͤËÀßÄꤹ¤ë¡£
.TP
.B "--clamp-mss-to-pmtu"
¼«Æ°Åª¤Ë¡¢MSS Ãͤò (path_MTU - 40) ¤Ë¶¯À©¤¹¤ë¡£
.RS
.PP
¤³¤ì¤é¤Î¥ª¥×¥·¥ç¥ó¤Ï¤É¤Á¤é¤« 1 ¤Ä¤·¤«»ØÄê¤Ç¤­¤Ê¤¤¡£
.RE
.SS TOS
IP ¥Ø¥Ã¥À¡¼¤Î 8 ¥Ó¥Ã¥È¤Î Type of Service ¥Õ¥£¡¼¥ë¥É¤òÀßÄꤹ¤ë¤¿¤á¤Ë»È¤ï¤ì¤ë¡£
.B mangle
¥Æ¡¼¥Ö¥ë¤Î¤ß¤ÇÍ­¸ú¤Ç¤¢¤ë¡£
.TP
.BI "--set-tos " "tos"
TOS ¤òÈÖ¹æ¤Ç»ØÄꤹ¤ë¤³¤È¤¬¤Ç¤­¤ë¡£
¤Þ¤¿¡¢
.nf
 iptables -j TOS -h
.fi
¤ò¼Â¹Ô¤·¤ÆÆÀ¤é¤ì¤ë¡¢»ÈÍѲÄǽ¤Ê TOS ̾¤Î°ìÍ÷¤Ë¤¢¤ë TOS ̾¤â»ØÄê¤Ç¤­¤ë¡£
.SS ULOG
¤³¤Î¥¿¡¼¥²¥Ã¥È¤Ï¡¢¥Þ¥Ã¥Á¤·¤¿¥Ñ¥±¥Ã¥È¤ò
¥æ¡¼¥¶¡¼¶õ´Ö¤Ç¥í¥°µ­Ï¿¤¹¤ëµ¡Ç½¤òÄ󶡤¹¤ë¡£
¤³¤Î¥¿¡¼¥²¥Ã¥È¤¬¥ë¡¼¥ë¤ËÀßÄꤵ¤ì¤ë¤È¡¢
Linux ¥«¡¼¥Í¥ë¤Ï¡¢¤½¤Î¥Ñ¥±¥Ã¥È¤ò
.I netlink
¥½¥±¥Ã¥È¤òÍѤ¤¤Æ¥Þ¥ë¥Á¥­¥ã¥¹¥È¤¹¤ë¡£
¤½¤·¤Æ¡¢1 ¤Ä°Ê¾å¤Î¥æ¡¼¥¶¡¼¶õ´Ö¥×¥í¥»¥¹¤¬
¤¤¤í¤¤¤í¤Ê¥Þ¥ë¥Á¥­¥ã¥¹¥È¥°¥ë¡¼¥×¤ËÅÐÏ¿¤ò¤ª¤³¤Ê¤¤¡¢
¥Ñ¥±¥Ã¥È¤ò¼õ¿®¤¹¤ë¡£
LOG ¤ÈƱÍÍ¡¢¤³¤ì¤Ï "Èó½ªÎ»¥¿¡¼¥²¥Ã¥È" ¤Ç¤¢¤ê¡¢
¥ë¡¼¥ë¤Î¸¡Æ¤¤Ï¼¡¤Î¥ë¡¼¥ë¤Ø¤È·Ñ³¤µ¤ì¤ë¡£
.TP
.BI "--ulog-nlgroup " "nlgroup"
¥Ñ¥±¥Ã¥È¤òÁ÷¿®¤¹¤ë netlink ¥°¥ë¡¼¥× (1-32) ¤ò»ØÄꤹ¤ë¡£
¥Ç¥Õ¥©¥ë¥È¤ÎÃÍ¤Ï 1 ¤Ç¤¢¤ë¡£
.TP
.BI "--ulog-prefix " "prefix"
»ØÄꤷ¤¿¥×¥ì¥Õ¥£¥Ã¥¯¥¹¤ò¥í¥°¥á¥Ã¥»¡¼¥¸¤ÎÁ°¤ËÉÕ¤±¤ë¡£
32 ʸ»ú¤Þ¤Ç¤Î»ØÄê¤Ç¤­¤ë¡£
¥í¥°¤ÎÃæ¤Ç¥á¥Ã¥»¡¼¥¸¤ò¶èÊ̤¹¤ë¤Î¤ËÊØÍø¤Ç¤¢¤ë¡£
.TP
.BI "--ulog-cprange " "size"
¥æ¡¼¥¶¡¼¶õ´Ö¤Ë¥³¥Ô¡¼¤¹¤ë¥Ñ¥±¥Ã¥È¤Î¥Ð¥¤¥È¿ô¡£
Ãͤ¬ 0 ¤Î¾ì¹ç¡¢¥µ¥¤¥º¤Ë´Ø·¸¤Ê¤¯Á´¥Ñ¥±¥Ã¥È¤ò¥³¥Ô¡¼¤¹¤ë¡£
¥Ç¥Õ¥©¥ë¥È¤Ï 0 ¤Ç¤¢¤ë¡£
.TP
.BI "--ulog-qthreshold " "size"
¥«¡¼¥Í¥ëÆâÉô¤Î¥­¥å¡¼¤ËÆþ¤ì¤é¤ì¤ë¥Ñ¥±¥Ã¥È¤Î¿ô¡£
Î㤨¤Ð¡¢¤³¤ÎÃͤò 10 ¤Ë¤·¤¿¾ì¹ç¡¢
¥«¡¼¥Í¥ëÆâÉô¤Ç 10 ¸Ä¤Î¥Ñ¥±¥Ã¥È¤ò¤Þ¤È¤á¡¢
1 ¤Ä¤Î netlink ¥Þ¥ë¥Á¥Ñ¡¼¥È¥á¥Ã¥»¡¼¥¸¤È¤·¤Æ¥æ¡¼¥¶¡¼¶õ´Ö¤ËÁ÷¤ë¡£
(²áµî¤Î¤â¤Î¤È¤Î¸ß´¹À­¤Î¤¿¤á) ¥Ç¥Õ¥©¥ë¥È¤Ï 1 ¤Ç¤¢¤ë¡£
.SH ÊÖ¤êÃÍ
¤¤¤í¤¤¤í¤Ê¥¨¥é¡¼¥á¥Ã¥»¡¼¥¸¤¬É¸½à¥¨¥é¡¼¤Ëɽ¼¨¤µ¤ì¤ë¡£
Àµ¤·¤¯µ¡Ç½¤·¤¿¾ì¹ç¡¢½ªÎ»¥³¡¼¥É¤Ï 0 ¤Ç¤¢¤ë¡£
ÉÔÀµ¤Ê¥³¥Þ¥ó¥É¥é¥¤¥ó¥Ñ¥é¥á¡¼¥¿¤Ë¤è¤ê¥¨¥é¡¼¤¬È¯À¸¤·¤¿¾ì¹ç¤Ï¡¢
½ªÎ»¥³¡¼¥É 2 ¤¬ÊÖ¤µ¤ì¤ë¡£
¤½¤Î¾¤Î¥¨¥é¡¼¤Î¾ì¹ç¤Ï¡¢½ªÎ»¥³¡¼¥É 1 ¤¬ÊÖ¤µ¤ì¤ë¡£
.SH ¥Ð¥°
¥Ð¥°? ¥Ð¥°¤Ã¤Æ²¿? ;-)
¤¨¡¼¤È¡Ä¡¢sparc64 ¤Ç¤Ï¥«¥¦¥ó¥¿¡¼Ãͤ¬¿®Íê¤Ç¤­¤Ê¤¤¡£
.SH IPCHAINS ¤È¤Î¸ß´¹À­
.B iptables
¤Ï¡¢Rusty Russell ¤Î ipchains ¤ÈÈó¾ï¤Ë¤è¤¯»÷¤Æ¤¤¤ë¡£
Â礭¤Ê°ã¤¤¤Ï¡¢¥Á¥§¥¤¥ó
.B INPUT
¤È
.B OUTPUT
¤¬¡¢¤½¤ì¤¾¤ì¥í¡¼¥«¥ë¥Û¥¹¥È¤ËÆþ¤Ã¤Æ¤¯¤ë¥Ñ¥±¥Ã¥È¤È¡¢
¥í¡¼¥«¥ë¥Û¥¹¥È¤«¤é½Ð¤µ¤ì¤ë¥Ñ¥±¥Ã¥È¤Î¤ß¤·¤«Ä´¤Ù¤Ê¤¤¤È¤¤¤¦ÅÀ¤Ç¤¢¤ë¡£
¤è¤Ã¤Æ¡¢(INPUT ¤È OUTPUT ¤ÎξÊý¤Î¥Á¥§¥¤¥ó¤òµ¯Æ°¤¹¤ë
¥ë¡¼¥×¥Ð¥Ã¥¯¥È¥é¥Õ¥£¥Ã¥¯¤ò½ü¤¯)
Á´¤Æ¤Î¥Ñ¥±¥Ã¥È¤Ï 3 ¤Ä¤¢¤ë¥Á¥§¥¤¥ó¤Î¤¦¤Á 1 ¤·¤«Ä̤é¤Ê¤¤¡£
°ÊÁ°¤Ï (ipchains ¤Ç¤Ï)¡¢
¥Õ¥©¥ï¡¼¥É¤µ¤ì¤ë¥Ñ¥±¥Ã¥È¤Ï 3 ¤Ä¤Î¥Á¥§¥¤¥óÁ´¤Æ¤òÄ̤äƤ¤¤¿¡£
.PP
¤½¤Î¾¤ÎÂ礭¤Ê°ã¤¤¤Ï¡¢
.B -i
¤ÇÆþÎÏ¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹¡¢
.B -o
¤Ç½ÐÎÏ¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹¤ò»²¾È¤¹¤ë¤³¤È¡¢
¤½¤·¤Æ¤È¤â¤Ë
.B FORWARD
¥Á¥§¥¤¥ó¤ËÆþ¤ë¥Ñ¥±¥Ã¥È¤ËÂФ·¤Æ»ØÄê²Äǽ¤ÊÅÀ¤Ç¤¢¤ë¡£
.PP
NAT ¤Î¤¤¤í¤¤¤í¤Ê·Á¼°¤¬Ê¬³ä¤µ¤ì¤¿¡£
¥ª¥×¥·¥ç¥ó¤Î³ÈÄ¥¥â¥¸¥å¡¼¥ë¤È¤È¤â¤Ë
¥Ç¥Õ¥©¥ë¥È¤Î¡Ö¥Õ¥£¥ë¥¿¡×¥Æ¡¼¥Ö¥ë¤òÍѤ¤¤¿¾ì¹ç¡¢
.B iptables 
¤Ï½ã¿è¤Ê¥Ñ¥±¥Ã¥È¥Õ¥£¥ë¥¿¤È¤Ê¤ë¡£
¤³¤ì¤Ï¡¢°ÊÁ°¤ß¤é¤ì¤¿ IP ¥Þ¥¹¥«¥ì¡¼¥Ç¥£¥ó¥°¤È¥Ñ¥±¥Ã¥È¥Õ¥£¥ë¥¿¥ê¥ó¥°¤Î
Áȹ礻¤Ë¤è¤ëº®Íð¤ò´Êά²½¤¹¤ë¡£
¤è¤Ã¤Æ¡¢¥ª¥×¥·¥ç¥ó
.nf
 -j MASQ
 -M -S
 -M -L
.fi
¤ÏÊ̤Τâ¤Î¤È¤·¤Æ°·¤ï¤ì¤ë¡£
iptables ¤Ç¤Ï¡¢¤½¤Î¾¤Ë¤â¤¤¤¯¤Ä¤«¤ÎÊѹ¹¤¬¤¢¤ë¡£
.SH ´ØÏ¢¹àÌÜ
.BR iptables-save (8),
.BR iptables-restore (8),
.BR ip6tables (8),
.BR ip6tables-save (8),
.BR ip6tables-restore (8).
.P
¥Ñ¥±¥Ã¥È¥Õ¥£¥ë¥¿¥ê¥ó¥°¤Ë¤Ä¤¤¤Æ¤Î¾ÜºÙ¤Ê iptables ¤Î»ÈÍÑË¡¤ò
ÀâÌÀ¤·¤Æ¤¤¤ë packet-filtering-HOWTO¡£
NAT ¤Ë¤Ä¤¤¤Æ¾ÜºÙ¤ËÀâÌÀ¤·¤Æ¤¤¤ë NAT-HOWTO¡£
ɸ½àŪ¤ÊÇÛÉۤˤϴޤޤì¤Ê¤¤³ÈÄ¥¤Î¾ÜºÙ¤ò
ÀâÌÀ¤·¤Æ¤¤¤ë netfilter-extensions-HOWTO¡£
ÆâÉô¹½Â¤¤Ë¤Ä¤¤¤Æ¾ÜºÙ¤ËÀâÌÀ¤·¤Æ¤¤¤ë netfilter-hacking-HOWTO¡£
.PP
.UR http://www.netfilter.org/
.B http://www.netfilter.org/
.UE
¤ò»²¾È¤Î¤³¤È¡£
.SH Ãø¼Ô
Rusty Russell ¤Ï¡¢½é´ü¤ÎÃʳ¬¤Ç Michael Neuling ¤ËÁêÃ̤·¤Æ iptables ¤ò½ñ¤¤¤¿¡£
.PP
Marc Boucher ¤Ï Rusty ¤Ë iptables ¤Î°ìÈÌŪ¤Ê¥Ñ¥±¥Ã¥ÈÁªÂò¤Î¹Í¤¨Êý¤ò´«¤á¤Æ¡¢
ipnatctl ¤ò»ß¤á¤µ¤»¤¿¡£
¤½¤·¤Æ¡¢mangle ¥Æ¡¼¥Ö¥ë¡¦½êÍ­¼Ô¥Þ¥Ã¥Á¥ó¥°¡¦
mark µ¡Ç½¤ò½ñ¤­¡¢¤¤¤¿¤ë¤È¤³¤í¤Ç»È¤ï¤ì¤Æ¤¤¤ëÁÇÀ²¤é¤·¤¤¥³¡¼¥É¤ò½ñ¤¤¤¿¡£
.PP
James Morris ¤¬ TOS ¥¿¡¼¥²¥Ã¥È¤È tos ¥Þ¥Ã¥Á¥ó¥°¤ò½ñ¤¤¤¿¡£
.PP
Jozsef Kadlecsik ¤¬ REJECT ¥¿¡¼¥²¥Ã¥È¤ò½ñ¤¤¤¿¡£
.PP
Harald Welte ¤¬ ULOG ¥¿¡¼¥²¥Ã¥È¤È¡¢
TTL, DSCP, ECN ¤Î¥Þ¥Ã¥Á¡¦¥¿¡¼¥²¥Ã¥È¤ò½ñ¤¤¤¿¡£
.PP
Netfilter ¥³¥¢¥Á¡¼¥à¤Ï¡¢Marc Boucher, Martin Josefsson, Jozsef Kadlecsik, 
James Morris, Harald Welte, Rusty Russell ¤Ç¤¢¤ë¡£
.PP
man ¥Ú¡¼¥¸¤Ï Herve Eychenne <rv@wallfire.org> ¤¬½ñ¤¤¤¿¡£
.\" .. and did I mention that we are incredibly cool people?
.\" .. sexy, too ..
.\" .. witty, charming, powerful ..
.\" .. and most of all, modest ..
.\" .. ¤½¤·¤Æ¡¢ËÍÅù¤¬¤È¤Æ¤â¥¯¡¼¥ë¤ÊÅÛ¤é¤À¤È¸À¤Ã¤Æ¤ª¤¤¤Æ¤â¤¤¤¤¤«¤Ê¡©
.\" .. ¥»¥¯¥·¡¼¤Ç ..
.\" .. ¤È¤Æ¤â¥¦¥£¥Ã¥È¤ËÉÙ¤ó¤Ç¤¤¤Æ¡¢¥Á¥ã¡¼¥ß¥ó¥°¤Ç¡¢¥Ñ¥ï¥Õ¥ë¤Ç ..
.\" .. ¤½¤·¤Æ¡¢¤ß¤ó¤Ê¸¬µõ¤Ê¤ó¤À ..