--- /dev/null
+Fri Mar 13 03:04:28 2009 Akihiro MOTOKI <amotoki@dd.iij4u.or.jp>
+
+ * draft/man8/iptables.8, release/man8/iptables.8:
+ [JM:12854] --dscp ¥ª¥×¥·¥ç¥ó¤Î¸íµ¤ò½¤Àµ¤·¤Æ¤¤¤Þ¤¹¡£
+
+Wed Jan 18 23:32:54 2006 Akihiro MOTOKI <amotoki@dd.iij4u.or.jp>
+
+ * draft/man8/iptables.8, release/man8/iptables.8:
+ typo ½¤Àµ [JM:12074]
+
+Fri Mar 12 03:18:33 2004 Yuichi SATO <ysato444@yahoo.co.jp>
+
+ * iptables.8, ip6tables.8 : 1.2.9 ÂбþÈǤò¥ê¥ê¡¼¥¹¡£
+ * translation_list : ¾åµ¤òÈ¿±Ç¡£
+
+Mon Mar 8 01:13:07 2004 SEKINE Tatsuo <tsekine@sdri.co.jp>
+
+ * release/man8/iptables.8: fix typoe ([JM:10809])
+
+Sun Feb 22 06:03:03 JST 2004 JM ML to CVS Gateway
+
+ * translation_list: [JM:10810]
+ * draft/man8/iptables.8: [JM:10810]
+
+Sun Feb 8 18:02:42 JST 2004 JM ML to CVS Gateway
+
+ * translation_list: [JM:10781]
+ * draft/man8/ip6tables.8: [JM:10781]
+
+Sun Feb 8 13:54:04 2004 Yuichi SATO <ysato444@yahoo.co.jp>
+
+ * original/ : 1.2.8 ¢ª 1.2.9 ¤Ë¹¹¿·¡£
+ ¹¹¿·¤µ¤ì¤¿¤Î¤Ï iptables.8, ip6tables.8 ¤Î¤ß¤Ç¤¢¤ë¡£
+ * translation_list: ¾åµ¤òÈ¿±Ç¡£
+
+Sat Aug 30 01:31:11 JST 2003 JM ML to CVS Gateway
+
+ * translation_list: [LOCAL]
+ * draft/man8/iptables.8: [LOCAL]
+ * release/man8/iptables.8: [LOCAL]
+
+Sat Aug 9 03:17:20 JST 2003 SEKINE Tatsuo <tsekine@sdri.co.jp>
+
+ * draft/man8/iptables.8: [JM:10295]¤ÎÃæÌ¤ó¤Î»ØŦ¤òÈ¿±Ç
+
+Sat Jun 21 00:05:10 JST 2003 JM ML to CVS Gateway
+
+ * translation_list: [JM:10294]
+ * draft/man8/iptables.8: [JM:10294]
+ * release/man8/iptables.8: [JM:10294]
+
+Sat Jun 7 18:02:14 JST 2003 JM ML to CVS Gateway
+
+ * translation_list: [JM:10263]
+ * draft/man3/libipq.3: [JM:10263]
+
+Mon Jun 2 00:04:32 JST 2003 JM ML to CVS Gateway
+
+ * translation_list: [JM:10252]
+ * draft/man8/iptables.8: [JM:10252]
+
+Tue May 13 02:48:49 2003 Yuichi SATO <ysato444@yahoo.co.jp>
+
+ * ip6tables-save.8, ip6tables-restore.8: v1.2.8 ÂбþÈǤò¥ê¥ê¡¼¥¹¡£
+ * translation_list: ¾åµ¤òÈ¿±Ç¡£
+
+Sun May 11 12:04:36 JST 2003 JM ML to CVS Gateway
+
+ * translation_list: [JM:10223]
+
+Sat May 10 00:03:58 JST 2003 JM ML to CVS Gateway
+
+ * translation_list: [JM:10222]
+
+Thu May 1 22:32:21 2003 Yuichi SATO <ysato444@yahoo.co.jp>
+
+ * draft/man8/iptables-restore.8: [JM:10212] ¤Ç
+ ip6tables-restore.8 ¤ò̾Á°¤ò´Ö°ã¤¨¤ÆÅê¹Æ¤·¡¢
+ ¾å½ñ¤¤µ¤ì¤¿¤¿¤á¤Ë½¤Àµ¡£
+ * draft/man8/ip6tables-restore.8: [JM:10212] ¤òÅÐÏ¿¡£
+ * translation_list: ¾åµ¤Ëȼ¤¦½¤Àµ¡£
+
+Thu May 1 18:06:54 JST 2003 JM ML to CVS Gateway
+
+ * translation_list: [JM:10213]
+ * draft/man8/ip6tables-save.8: [JM:10213]
+
+Thu May 1 18:06:54 JST 2003 JM ML to CVS Gateway
+
+ * translation_list: [JM:10212]
+ * draft/man8/iptables-restore.8: [JM:10212]
+
+Thu May 1 15:22:24 2003 Yuichi SATO <ysato444@yahoo.co.jp>
+
+ * original/: 1.2.4 -> 1.2.8 ¤Ë¹¹¿·¡£
+ * iptables-restore.8, iptables-save.8: Êѹ¹ÅÀ¤¬
+ ¾¯¤Ê¤«¤Ã¤¿¤Î¤Ç draft, release ¤òľÀܽ¤Àµ¡£
+ * translation_list: ¾åµ¤òÈ¿±Ç¡£
+
+Sat Feb 15 00:57:24 2003 Yuichi SATO <ysato444@yahoo.co.jp>
+
+ * iptables.8 : [JM:09885] ¤ÎµÆÃϤµ¤ó¤Î¸æ»ØŦ¤È¡¢
+ [JM:09886] ¤Î¾¾ÅĤµ¤ó¤ÎËÝÌõ°Æ¤òÈ¿±Ç¡£
+
+Fri Dec 14 17:23:00 2001 Yuichi SATO <ysato@h4.dion.ne.jp>
+
+ * ip6tables.8: ver 1.2.4 ÂбþÈǤò¥ê¥ê¡¼¥¹¡£
+ * translation_list : ¾åµ¤òÈ¿±Ç¡£
+
+Sat Dec 1 12:02:39 JST 2001 JM ML to CVS Gateway
+
+ * translation_list: [JM:08747]
+ * draft/man8/ip6tables.8: [JM:08747]
+
+Sat Dec 1 05:17:03 2001 Yuichi SATO <ysato@h4.dion.ne.jp>
+
+ * original/* : 1.2.3 ¢ª 1.2.4 ¤Ë¹¹¿·¡£ip6tables.8 ¤¬Äɲ䵤줿¡£
+ * draft/man8/iptables.8 : ¸¶Ê¸¤Î¥¹¥Ú¥ë¥ß¥¹½¤Àµ¤òÈ¿±Ç¡£
+ * translation_list : ¾åµ¤òÈ¿±Ç¤·¤¿¡£
+
+Wed Sep 12 06:31:27 2001 Yuichi SATO <ysato@h4.dion.ne.jp>
+
+ * original/* : 1.2.2 ¢ª 1.2.3 ¤Ë¹¹¿·
+ * {draft,release}/man8/iptables.8: [JM:08442] ¤Î¸æ»ØŦ¤òÈ¿±Ç¡£
+ ver.1.2.3 ¤Ø¤Î¹¹¿·¤Ëȼ¤¤¡¢°ìÉô¤ò½¤Àµ¤·¤Æ¥ê¥ê¡¼¥¹¡£
+ * translation_list: ¾åµ¤òÈ¿±Ç¤·¤¿¡£
+
+Sun Jul 29 01:47:38 2001 Yuichi SATO <ysato@h4.dion.ne.jp>
+
+ * {draft,release}/man8/iptables.8: ver. 1.2.2 ¤ÎËÝÌõ¤ò¥ê¥ê¡¼¥¹¡£
+ * translation_list: ¾åµ¤òÈ¿±Ç¤·¤¿¡£
+
+Sat Jul 21 18:01:43 JST 2001 JM ML to CVS Gateway
+
+ * translation_list: [JM:08277]
+ * draft/man8/iptables.8: [JM:08277]
+
+Wed Jul 18 12:02:46 JST 2001 JM ML to CVS Gateway
+
+ * translation_list: [JM:08275]
+
+Sun Jul 1 17:55:18 2001 Yuichi SATO <ysato@h4.dion.ne.jp>
+
+ * original/man3/* : 1.2.2 ¤«¤é¥¤¥ó¥Ý¡¼¥È¤·¤¿¡£
+ * translation_list : ¾åµ¤òÈ¿±Ç¤·¤¿¡£
+
+Tue May 15 20:22:53 2001 Yuichi SATO <ysato@h4.dion.ne.jp>
+
+ * iptables-restore.8, iptables-save.8: ¥í¡¼¥«¥ë¤Ç¥ê¥ê¡¼¥¹¡£
+ * translation_list : ¾åµ¤òÈ¿±Ç¤·¤¿¡£
+
+Thu May 10 02:31:47 2001 Yuichi SATO <ysato@h4.dion.ne.jp>
+
+ * draft/man8/iptables-save.8: ¼êÆ°¤ÇÅÐÏ¿¡£
+ * draft/man8/iptables-restore.8: ¼êÆ°¤ÇÅÐÏ¿¡£
+ * translation_list: ½¤Àµ¤È¾åµ¤ÎÈ¿±Ç¡£
+
+Mon May 7 00:07:45 2001 SEKINE Tatsuo <tsekine@isoternet.org>
+
+ * translation_list, original: import
+
+
+
--- /dev/null
+.\"O .TH LIBIPQ 3 "16 October 2001" "Linux iptables 1.2" "Linux Programmer's Manual"
+.TH LIBIPQ 3 "16 October 2001" "Linux iptables 1.2" "Linux Programmer's Manual"
+.\"
+.\" $Id: libipq.3,v 1.4 2001/10/16 16:58:25 jamesm Exp $
+.\"
+.\" Copyright (c) 2000-2001 Netfilter Core Team
+.\"
+.\" This program is free software; you can redistribute it and/or modify
+.\" it under the terms of the GNU General Public License as published by
+.\" the Free Software Foundation; either version 2 of the License, or
+.\" (at your option) any later version.
+.\"
+.\" This program is distributed in the hope that it will be useful,
+.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+.\" GNU General Public License for more details.
+.\"
+.\" You should have received a copy of the GNU General Public License
+.\" along with this program; if not, write to the Free Software
+.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+.\"
+.\" Japanese Version Copyright (c) 2003 Susumu ISHIZUKA
+.\" all rights reserved.
+.\" Translated Tue Jun 6 19:25:23 JST 2003
+.\" by Susumu ISHIZUKA <szuka@isp.co.jp>
+.\"
+.\"WORD: userspace ¥æ¡¼¥¶¶õ´Ö
+.\"WORD: verdict ȽÃÇ
+.\"O .SH NAME
+.SH ̾Á°
+libipq \- iptables userspace packet queuing library.
+.\"O .SH SYNOPSIS
+.SH ½ñ¼°
+.B #include <linux/netfilter.h>
+.br
+.B #include <libipq.h>
+.\"O .SH DESCRIPTION
+.SH ÀâÌÀ
+.\"O libipq is a development library for iptables userspace packet queuing.
+libipq ¤Ï iptables ¤ò »È¤Ã¤Æ ¥æ¡¼¥¶¶õ´Ö¤Ç¥Ñ¥±¥Ã¥ÈÁàºî¤ò
+¤¹¤ë¤¿¤á¤Î¥é¥¤¥Ö¥é¥ê¤Ç¤¢¤ë¡£
+.SS Userspace Packet Queuing
+.\"O Netfilter provides a mechanism for passing packets out of the stack for
+.\"O queueing to userspace, then receiving these packets back into the kernel
+.\"O with a verdict specifying what to do with the packets (such as ACCEPT
+.\"O or DROP). These packets may also be modified in userspace prior to
+.\"O reinjection back into the kernel.
+Netfilter ¤Ï¡¢¥æ¡¼¥¶¶õ´Ö¤Ç¥Ñ¥±¥Ã¥ÈÁàºî¤ò¤¹¤ë¤¿¤á¤Îµ¡¹½¤ò
+Ä󶡤·¤Æ¤¤¤ë¡£ ¤³¤Îµ¡¹½¤Ï¥×¥í¥È¥³¥ë¥¹¥¿¥Ã¥¯¤«¤é¥Ñ¥±¥Ã¥È¤ò
+¥æ¡¼¥¶¶õ´Ö¤ËÅϤ·¤Æ¥¥å¡¼¥¤¥ó¥°(queuing) ¤·¡¢¥æ¡¼¥¶¶õ´Ö¤Ç
+(ACCEPT ¤ä DROP ¤È¤¤¤Ã¤¿) ¥Ñ¥±¥Ã¥È½èÍý¤ÎȽÃǤò¹Ô¤Ã¤¿¸å¤Ë
+¥Ñ¥±¥Ã¥È¤ò¥«¡¼¥Í¥ë¤ËÌᤷ¤Æ¤¤¤ë¡£ ¤³¤ì¤é¤Î¥Ñ¥±¥Ã¥È¤Ï¡¢
+¥æ¡¼¥¶¶õ´Ö¤ÇÊѹ¹¤ò²Ã¤¨¤é¤ì¤Æ¡¢¥«¡¼¥Í¥ë¤ËÊÖ¤µ¤ì¤ë¤³¤È¤â¤¢¤ë¡£
+.PP
+.\"O For each supported protocol, a kernel module called a
+.\"O .I queue handler
+.\"O may register with Netfilter to perform the mechanics of passing
+.\"O packets to and from userspace.
+¥æ¡¼¥¶¶õ´Ö¤È¤Î¥Ñ¥±¥Ã¥È¤Î¤ä¤ê¼è¤ê¤Î¤¿¤á¤Ë
+.I ¥¥å¡¼¥Ï¥ó¥É¥é¡¼ (queue handler)
+¤È¸Æ¤Ð¤ì¤ë¥«¡¼¥Í¥ë¥â¥¸¥å¡¼¥ë¤¬
+Netfilter ¤ËÅÐÏ¿¤µ¤ì¤Æ¤¤¤ë¡£
+¥¥å¡¼¥Ï¥ó¥É¥é¡¼¤Ï¡¢³Æ¥×¥í¥È¥³¥ë¤´¤È¤Ë ÍÑ°Õ¤µ¤ì¤ë¡£
+.PP
+.\"O The standard queue handler for IPv4 is ip_queue. It is provided as an
+.\"O experimental module with 2.4 kernels, and uses a Netlink socket for
+.\"O kernel/userspace communication.
+IPv4 ¤Ç¤Î ɸ½à¤Î¥¥å¡¼¥Ï¥ó¥É¥é¡¼¤Ï ip_queue ¤Ç¤¢¤ë¡£
+2.4¥«¡¼¥Í¥ë¤Ç¤Ï experimental ¥â¥¸¥å¡¼¥ë¤È¤·¤ÆÄ󶡤µ¤ì¡¢
+Netlink ¥½¥±¥Ã¥È¤ò»È¤Ã¤Æ¡¢¥«¡¼¥Í¥ë¤È¥æ¡¼¥¶¶õ´Ö¤È¤ÎÄÌ¿®¤ò
+¹Ô¤Ã¤Æ¤¤¤ë¡£
+.PP
+.\"O Once ip_queue is loaded, IP packets may be selected with iptables
+.\"O and queued for userspace processing via the QUEUE target. For example,
+.\"O running the following commands:
+ip_queue ¤¬¡¢¥á¥â¥ê¾å¤Ë¥í¡¼¥É¤µ¤ì¤ë¤È IP ¥Ñ¥±¥Ã¥È¤Ï iptables ¤Ç
+¥Õ¥£¥ë¥¿¥ê¥ó¥°¤µ¤ì QUEUE ¥¿¡¼¥²¥Ã¥È¤Ë¤è¤Ã¤Æ ¥æ¡¼¥¶¶õ´Ö¤Î ½èÍý¤Î¤¿¤á¤Ë
+¥¥å¡¼¥¤¥ó¥°¤µ¤ì¤ë¡£ Îã¤È¤·¤Æ ¼¡¤Î°ìÏ¢¤Î ¥³¥Þ¥ó¥É¤¬È¯¹Ô¤µ¤ì¤ë¤È¡¢
+.PP
+ # modprobe iptable_filter
+.br
+ # modprobe ip_queue
+.br
+ # iptables -A OUTPUT -p icmp -j QUEUE
+.PP
+.\"O will cause any locally generated ICMP packets (e.g. ping output) to
+.\"O be sent to the ip_queue module, which will then attempt to deliver the
+.\"O packets to a userspace application. If no userspace application is waiting,
+.\"O the packets will be dropped
+¥í¡¼¥«¥ë¥Û¥¹¥È¤«¤éÁ÷¿®¤µ¤ì¤¿ICMP¥Ñ¥±¥Ã¥È¡Êping¤ÎÁ÷¿®¤Ê¤É¡Ë¤¬
+ip_queue¥â¥¸¥å¡¼¥ë¤ËÁ÷¤é¤ì¡¢¤½¤³¤«¤é¥Ñ¥±¥Ã¥È¤ò¥æ¡¼¥¶¶õ´Ö¤Î
+¥¢¥×¥ê¥±¡¼¥·¥ç¥ó¤ËÅϤ½¤¦¤È¤¹¤ë¡£ ¥Ñ¥±¥Ã¥È¤ò¼õ¤±¼è¤ë
+¥¢¥×¥ê¥±¡¼¥·¥ç¥ó¤¬¤Ê¤¤¾ì¹ç¤Ï¡¢¥Ñ¥±¥Ã¥È¤ÏÇË´þ¡Êdrop¡Ë¤µ¤ì¤ë¡£
+.PP
+.\"O An application may receive and process these packets via libipq.
+¥¢¥×¥ê¥±¡¼¥·¥ç¥ó¤Ï¡¢libipq ¤ò»È¤¦¤³¤È¤Ç¥Ñ¥±¥Ã¥È¤ò¼õ¿®¡¦
+Êѹ¹¤Ç¤¤ë¡£
+.PP
+.PP
+.SS Libipq Overview
+.\"O Libipq provides an API for communicating with ip_queue. The following is
+.\"O an overview of API usage, refer to individual man pages for more details
+.\"O on each function.
+libipq ¤Ï¡¢ip_queue ¤ÈÄÌ¿®¤¹¤ë¤¿¤á¤Î API ¤òÄ󶡤¹¤ë¡£
+°Ê²¼¤Ï¡¢API ¤Î´Êñ¤ÊÀâÌÀ¤Ç¤¢¤ë¡£ ´Ø¿ô¤Î¾ÜºÙ¤Ï³Æ manpage ¤ò
+»²¾È¤¹¤ë¤³¤È¡£
+.\P
+.\"O .B Initialisation
+.B ½é´ü²½
+.br
+.\"O To initialise the library, call
+.\"O .BR ipq_create_handle (3).
+.\"O This will attempt to bind to the Netlink socket used by ip_queue and
+.\"O return an opaque context handle for subsequent library calls.
+½é´ü²½¤ò¹Ô¤¦¤Ë¤Ï¡¢
+.BR ipq_create_handle (3)
+¤ò»ÈÍѤ¹¤ë¡£
+¤³¤Î´Ø¿ô¤Ï ip_queue ¤¬»ÈÍѤ·¤Æ¤¤¤ë Netlink ¥½¥±¥Ã¥È¤ò bind
+¤·¡¢¤³¤Î¸å¤Î¥é¥¤¥Ö¥é¥ê´Ø¿ô¤¬»ÈÍѤ¹¤ë¥³¥ó¥Æ¥¥¹¥È¥Ï¥ó¥É¥ë¤ò
+ÊÖ¤¹¡£
+.PP
+.\"O .B Setting the Queue Mode
+.B ¥¥å¡¼¥â¡¼¥É¡Êqueue mode¡Ë¤ÎÀßÄê
+.br
+.\"O .BR ipq_set_mode (3)
+.\"O allows the application to specify whether packet metadata, or packet
+.\"O payloads as well as metadata are copied to userspace. It is also used to
+.\"O initially notify ip_queue that an application is ready to receive queue
+.\"O messages.
+.BR ipq_set_mode (3)
+¤Ï¡¢¥æ¡¼¥¶¶õ´Ö¤Ë¥Ñ¥±¥Ã¥È¤Î¥á¥¿¥Ç¡¼¥¿¤À¤±¤ò
+¥³¥Ô¡¼¤¹¤ë¤Î¤«¡¢¥Ñ¥±¥Ã¥È¤Î¥á¥¿¥Ç¡¼¥¿¤È¥Ú¥¤¥í¡¼¥É¤ÎξÊý¤ò
+¥³¥Ô¡¼¤¹¤ë¤Î¤«»ØÄꤹ¤ë¡£¤³¤Î´Ø¿ô¤Ï¤Þ¤¿ ip_queue ¤Ë
+¥¢¥×¥ê¥±¡¼¥·¥ç¥ó¤¬¥¥å¡¼¥á¥Ã¥»¡¼¥¸ (queue message)¤ò¼õ¤±
+¼è¤ë½àÈ÷¤¬¤Ç¤¤¿¤³¤È¤òÄÌÃΤ¹¤ë¡£
+.PP
+.\"O .B Receiving Packets from the Queue
+.B ¥¥å¡¼¤«¤é¥Ñ¥±¥Ã¥È¤ò¼õ¿®¤¹¤ë
+.br
+.\"O .BR ipq_read (3)
+.\"O waits for queue messages to arrive from ip_queue and copies
+.\"O them into a supplied buffer.
+.\"O Queue messages may be
+.\"O .I packet messages
+.\"O or
+.\"O .I error messages.
+.BR ipq_read (3)
+´Ø¿ô¤Ï ip_queue ¤«¤é¤Î¥¥å¡¼¥á¥Ã¥»¡¼¥¸¤ò
+ÂԤäơ¢¥Ð¥Ã¥Õ¥¡¤Ë¥³¥Ô¡¼¤¹¤ë¡£ ¥¥å¡¼¥á¥Ã¥»¡¼¥¸¤Ï
+.I ¥Ñ¥±¥Ã¥È ¥á¥Ã¥»¡¼¥¸
+¤Þ¤¿¤Ï
+.I ¥¨¥é¡¼¥á¥Ã¥»¡¼¥¸
+¤Î¤É¤Á¤é¤« ¤Ç¤¢¤ë¡£
+.PP
+.\"O The type of packet may be determined with
+.\"O .BR ipq_message_type (3).
+¥Ñ¥±¥Ã¥È¤Î¥¿¥¤¥×¤Ï
+.BR ipq_message_type (3)
+¤Ç¼èÆÀ¤¹¤ë¡£
+.PP
+.\"O If it's a packet message, the metadata and optional payload may be retrieved with
+.\"O .BR ipq_get_packet (3).
+¥Ñ¥±¥Ã¥È¥á¥Ã¥»¡¼¥¸¤Î¾ì¹ç¤Ï¡¢¥á¥¿¥Ç¡¼¥¿¤È¥Ú¥¤¥í¡¼¥É¤ò
+.BR ipq_get_packet (3)
+´Ø¿ô¤Ç¼èÆÀ¤Ç¤¤ë¡£
+.PP
+.\"O To retrieve the value of an error message, use
+.\"O .BR ipq_get_msgerr (3).
+¥¨¥é¡¼¥á¥Ã¥»¡¼¥¸¤ÎÃͤò¼èÆÀ¤¹¤ë¤Ë¤Ï¡¢
+.BR ipq_get_msgerr (3)
+¤ò »ÈÍѤ¹¤ë¡£
+.PP
+.\"O .B Issuing Verdicts on Packets
+.B ¥Ñ¥±¥Ã¥È¤Î½èÍýÆâÍƤÎȯ¹Ô
+.br
+.\"O To issue a verdict on a packet, and optionally return a modified version
+.\"O of the packet to the kernel, call
+.\"O .BR ipq_set_verdict (3).
+¥Ñ¥±¥Ã¥È¤Î½èÍý¤ò·èÄꤷ¡¢É¬Íפʤé¥Ñ¥±¥Ã¥È¤ËÊѹ¹¤ò²Ã¤¨¤Æ
+¥«¡¼¥Í¥ë¤ËÊÖ¤¹»þ¤Ë¤Ï¡¢
+.BR ipq_set_verdict (3)
+¤ò»ÈÍѤ¹¤ë¡£
+.PP
+.\"O .B Error Handling
+.B ¥¨¥é¡¼½èÍý
+.br
+.\"O An error string corresponding to the current value of the internal error
+.\"O variable
+.\"O .B ipq_errno
+.\"O may be obtained with
+.\"O .BR ipq_errstr (3).
+¸½ºß¤Î¥¨¥é¡¼¾õÂÖ¤ò³ÊǼ¤·¤Æ¤¤¤ëÊÑ¿ô
+.B ipq_errno
+¤ËÂбþ¤¹¤ë
+¥¨¥é¡¼Ê¸»úÎó¤Ï
+.BR ipq_errstr (3).
+¤Ç¼èÆÀ¤Ç¤¤ë¡£
+.PP
+.\"O For simple applications, calling
+.\"O .BR ipq_perror (3)
+.\"O will print the same message as
+.\"O .BR ipq_errstr (3),
+.\"O as well as the string corresponding to the global
+.\"O .B errno
+.\"O value (if set) to stderr.
+ñ½ã¤Ê¥¢¥×¥ê¥±¡¼¥·¥ç¥ó¤Ë»È¤¨¤ë´Ø¿ô¤È¤·¤Æ¡¢
+.BR ipq_perror (3)
+¤Ï¡¢
+.BR ipq_errstr (3),
+¤ÇÊÖ¤µ¤ì¤ë¤Î¤ÈƱ¤¸Ê¸»úÎó¤òɸ½à½ÐÎÏ (stderr) ¤Ë
+½ÐÎϤ¹¤ë¡£ ¤Þ¤¿¡¢
+.B errno
+¤¬¥»¥Ã¥È¤µ¤ì¤Æ¤¤¤ì¤Ð
+¤½¤ì¤ËÂбþ¤¹¤ë¥¨¥é¡¼Ê¸»úÎó¤â½ÐÎϤ¹¤ë¡£
+.PP
+.\"O .B Cleaning Up
+.B ¸å»ÏËö
+.br
+.\"O To free up the Netlink socket and destroy resources associated with
+.\"O the context handle, call
+.\"O .BR ipq_destroy_handle (3).
+Netlink ¥½¥±¥Ã¥È¤ò²òÊü¤·¡¢¥³¥ó¥Æ¥¥¹¥È¥Ï¥ó¥É¥ë¤Ë´ØÏ¢ÉÕ¤±
+¤é¤ì¤¿¥ê¥½¡¼¥¹¤òºï½ü¤¹¤ë¤Ë¤Ï¡¢
+.BR ipq_destroy_handle (3)
+´Ø¿ô¤ò»ÈÍѤ¹¤ë¡£
+.\"O .SH SUMMARY
+.SH ¤Þ¤È¤á
+.TP 4
+.BR ipq_create_handle (3)
+.\"O Initialise library, return context handle.
+¤Ï¡¢¥é¥¤¥Ö¥é¥ê¤ò½é´ü²½¤·¡¢¥³¥ó¥Æ¥¥¹¥È¥Ï¥ó¥É¥ë¤òÊÖ¤¹¡£
+.TP
+.BR ipq_set_mode (3)
+.\"O Set the queue mode, to copy either packet metadata, or payloads
+.\"O as well as metadata to userspace.
+¤Ï¡¢¥Ñ¥±¥Ã¥È¤Î¥á¥¿¥Ç¡¼¥¿¤À¤±¤ò¥³¥Ô¡¼¤¹¤ë¤«¡¢¥Ú¥¤¥í¡¼¥É¤â
+¥³¥Ô¡¼¤¹¤ë¤«¤ÎÆ°ºî¥â¡¼¥É¤ò¥»¥Ã¥È¤¹¤ë¡£
+.TP
+.BR ipq_read (3)
+.\"O Wait for a queue message to arrive from ip_queue and read it into
+.\"O a buffer.
+ip_queue ¤«¤é¤Î¥á¥Ã¥»¡¼¥¸¤òÂÔ¤Á¡¢¼õ¿®¤¹¤ë¤È¥Ð¥Ã¥Õ¥¡¤Ë
+Æɤ߹þ¤à¡£
+.TP
+.BR ipq_message_type (3)
+.\"O Determine message type in the buffer.
+¤Ï¡¢¥Ð¥Ã¥Õ¥¡¤µ¤ì¤¿¥á¥Ã¥»¡¼¥¸¤Î¥¿¥¤¥×¤òÊÖ¤¹¡£
+.TP
+.BR ipq_get_packet (3)
+.\"O Retrieve a packet message from the buffer.
+¤Ï¡¢¥Ð¥Ã¥Õ¥¡¤«¤é¥á¥Ã¥»¡¼¥¸¤òÆɤࡣ
+.TP
+.BR ipq_get_msgerr (3)
+.\"O Retrieve an error message from the buffer.
+¤Ï¡¢¥Ð¥Ã¥Õ¥¡¤«¤é¥¨¥é¡¼¥á¥Ã¥»¡¼¥¸¤ò¼èÆÀ¤¹¤ë¡£
+.TP
+.BR ipq_set_verdict (3)
+.\"O Set a verdict on a packet, optionally replacing its contents.
+¤Ï¡¢¥Ñ¥±¥Ã¥È¤ÎȽÃǤò²¼¤¹¡£ÆâÍƤò½ñ¤´¹¤¨¤ë¤³¤È¤â¤Ç¤¤ë¡£
+.TP
+.BR ipq_errstr (3)
+.\"O Return an error message corresponding to the internal ipq_errno variable.
+¤Ï¡¢ÆâÉôÊÑ¿ô ipq_errno ¤ÎÃͤ˱þ¤¸¤¿¥¨¥é¡¼¥á¥Ã¥»¡¼¥¸¤ò
+ÊÖ¤¹¡£
+.TP
+.BR ipq_perror (3)
+.\"O Helper function to print error messages to stderr.
+¤Ï¡¢¥¨¥é¡¼¥á¥Ã¥»¡¼¥¸¤òɸ½à½ÐÎÏ¡Êstderr¡Ë¤Ëɽ¼¨¤¹¤ë
+¥Ø¥ë¥Ñ¡¼´Ø¿ô¤Ç¤¢¤ë¡£
+.TP
+.BR ipq_destroy_handle (3)
+.\"O Destroy context handle and associated resources.
+¤Ï¡¢¥³¥ó¥Æ¥¥¹¥È¥Ï¥ó¥É¥ë¤òÇË´þ¤·¡¢¥ê¥½¡¼¥¹¤ò²òÊü¤¹¤ë¡£
+.\"O .SH EXAMPLE
+.SH Îã
+.\"O The following is an example of a simple application which receives
+.\"O packets and issues NF_ACCEPT verdicts on each packet.
+¼¡¤Î¥³¡¼¥É¤Ï¡¢¥Ñ¥±¥Ã¥È¤ò¼õ¤±¼è¤Ã¤Æ NF_ACCEPT ¤ÎȽÃǤòÊÖ¤¹Ã±½ã¤Ê
+¥¢¥×¥ê¥±¡¼¥·¥ç¥ó¤ÎÎã¤Ç¤¢¤ë¡£
+.RS
+.nf
+/*
+ * This code is GPL.
+ */
+#include <linux/netfilter.h>
+#include <libipq.h>
+#include <stdio.h>
+
+#define BUFSIZE 2048
+
+static void die(struct ipq_handle *h)
+{
+ ipq_perror("passer");
+ ipq_destroy_handle(h);
+ exit(1);
+}
+
+int main(int argc, char **argv)
+{
+ int status;
+ unsigned char buf[BUFSIZE];
+ struct ipq_handle *h;
+
+ h = ipq_create_handle(0);
+ if (!h)
+ die(h);
+
+ status = ipq_set_mode(h, IPQ_COPY_PACKET, BUFSIZE);
+ if (status < 0)
+ die(h);
+
+ do{
+ status = ipq_read(h, buf, BUFSIZE, 0);
+ if (status < 0)
+ die(h);
+
+ switch (ipq_message_type(buf)) {
+ case NLMSG_ERROR:
+ fprintf(stderr, "Received error message %d\\n",
+ ipq_get_msgerr(buf));
+ break;
+
+ case IPQM_PACKET: {
+ ipq_packet_msg_t *m = ipq_get_packet(buf);
+
+ status = ipq_set_verdict(h, m->packet_id,
+ NF_ACCEPT, 0, NULL);
+ if (status < 0)
+ die(h);
+ break;
+ }
+
+ default:
+ fprintf(stderr, "Unknown message type!\\n");
+ break;
+ }
+ } while (1);
+
+ ipq_destroy_handle(h);
+ return 0;
+}
+.RE
+.fi
+.PP
+.\"O Pointers to more libipq application examples may be found in The
+.\"O Netfilter FAQ.
+libipq ¤ò»È¤Ã¤¿¥¢¥×¥ê¥±¡¼¥·¥ç¥ó¤ÎÎã¤Ï
+Netfilter FAQ ¤Ë¤â¤¢¤ë¡£
+.\"O .SH DIAGNOSTICS
+.SH DIAGNOSTICS
+.\"O For information about monitoring and tuning ip_queue, refer to the
+.\"O Linux 2.4 Packet Filtering HOWTO.
+ip_queue ¤Î´Æ»ë¤È¥Á¥å¡¼¥Ë¥ó¥°¤Ë´Ø¤·¤Æ¤Ï Linux 2.4 Packet
+Filtering HOWTO ¤ò»²¾È¤¹¤ë¤³¤È¡£
+.PP
+.\"O If an application modifies a packet, it needs to also update any
+.\"O checksums for the packet. Typically, the kernel will silently discard
+.\"O modified packets with invalid checksums.
+¥¢¥×¥ê¥±¡¼¥·¥ç¥ó¤¬¥Ñ¥±¥Ã¥È¤ËÊѹ¹¤ò²Ã¤¨¤¿»þ¤Ë¤Ï¡¢´ØÏ¢¤¹¤ë
+¥Á¥§¥Ã¥¯¥µ¥à¤âÊѹ¹¤¹¤ëɬÍפ¬¤¢¤ë¡£ Êѹ¹¤µ¤ì¤¿¥Ñ¥±¥Ã¥È¤Î
+¥Á¥§¥Ã¥¯¥µ¥à¤¬°Û¾ï¤Ê¤È¤¤Ë¤Ï¥«¡¼¥Í¥ë¤ÏÌۤäÆÇË´þ (silently discard) ¤¹¤ë¡£
+.\"O .SH SECURITY
+.SH ¥»¥¥å¥ê¥Æ¥£¡¼
+.\"O Processes require CAP_NET_ADMIN capabilty to access the kernel ip_queue
+.\"O module. Such processes can potentially access and modify any IP packets
+.\"O received, generated or forwarded by the kernel.
+ip_queue ¥«¡¼¥Í¥ë¥â¥¸¥å¡¼¥ë¤Ë¥¢¥¯¥»¥¹¤¹¤ë¥×¥í¥»¥¹¤Ï
+CAP_NET_ADMIN ¸¢¸Â¤¬É¬ÍפǤ¢¤ë¡£ ¤½¤Î¤è¤¦¤Ê¥×¥í¥»¥¹¤Ï¡¢
+ÀøºßŪ¤Ë¥«¡¼¥Í¥ë¤¬¼õ¿® (Á÷¿®¡¢Å¾Á÷) ¤¹¤ëÁ´¤Æ¤Î IP ¥Ñ¥±¥Ã¥È¤ò
+¼èÆÀ¤·Êѹ¹¤¹¤ë²ÄǽÀ¤¬¤¢¤ë¡£
+.\"O .SH TODO
+.SH TODO
+.\"O Per-handle
+.\"O .B ipq_errno
+.\"O values.
+.B ipq_errno
+¤ò¥Ï¥ó¥É¥ë¤´¤È¤ËÍÑ°Õ¤¹¤ë¡£
+.\"O .SH BUGS
+.SH ¥Ð¥°
+.\"O Probably.
+¤¢¤ë¤«¤â¤·¤ì¤Ê¤¤¡£
+.\"O .SH AUTHOR
+.SH Ãø¼Ô
+James Morris <jmorris@intercode.com.au>
+.\"O .SH COPYRIGHT
+.SH Ãøºî¸¢
+Copyright (c) 2000-2001 Netfilter Core Team.
+.PP
+Distributed under the GNU General Public License.
+.SH CREDITS
+.\"O Joost Remijn implemented the
+.\"O .B ipq_read
+.\"O timeout feature, which appeared in the 1.2.4 release of iptables.
+Joost Remijn ¤Ï
+.B ipq_read
+¤Î¥¿¥¤¥à¥¢¥¦¥È¤ò¼ÂÁõ¤·¤¿¡£ ¤³¤Îµ¡Ç½¤Ï iptables ¤Î 1.2.4 ¤«¤é»ÈÍѤǤ¤ë¡£
+.\"O .SH SEE ALSO
+.SH ´ØÏ¢¹àÌÜ
+.BR iptables (8),
+.BR ipq_create_handle (3),
+.BR ipq_destroy_handle (3),
+.BR ipq_errstr (3),
+.BR ipq_get_msgerr (3),
+.BR ipq_get_packet (3),
+.BR ipq_message_type (3),
+.BR ipq_perror (3),
+.BR ipq_read (3),
+.BR ipq_set_mode (3),
+.BR ipq_set_verdict (3).
+.PP
+.\"O The Netfilter home page at http://netfilter.samba.org/
+.\"O which has links to The Networking Concepts HOWTO, The Linux 2.4 Packet
+.\"O Filtering HOWTO, The Linux 2.4 NAT HOWTO, The Netfilter Hacking HOWTO,
+.\"O The Netfilter FAQ and many other useful resources.
+Netfilter ¤Î¥Û¡¼¥à¥Ú¡¼¥¸¤Ï http://netfilter.samba.org/ ¤Ë¤¢¤ë¡£
+The Networking Concepts HOWTO, The Linux 2.4 Packet
+Filtering HOWTO, The Linux 2.4 NAT HOWTO, The Netfilter Hacking HOWTO,
+The Netfilter FAQ ¤Ê¤É¤ÎÍ±×¤Ê ¾ðÊ󤬤¢¤ë¡£
--- /dev/null
+.TH IP6TABLES-RESTORE 8 "Jan 30, 2002" "" ""
+.\"
+.\" Man page written by Harald Welte <laforge@gnumonks.org>
+.\" It is based on the iptables man page.
+.\"
+.\" This program is free software; you can redistribute it and/or modify
+.\" it under the terms of the GNU General Public License as published by
+.\" the Free Software Foundation; either version 2 of the License, or
+.\" (at your option) any later version.
+.\"
+.\" This program is distributed in the hope that it will be useful,
+.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+.\" GNU General Public License for more details.
+.\"
+.\" You should have received a copy of the GNU General Public License
+.\" along with this program; if not, write to the Free Software
+.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+.\"
+.\" Japanese Version Copyright (c) 2003 Yuichi SATO
+.\" all rights reserved.
+.\" Translated Thu May 1 16:13:34 JST 2003
+.\" by Yuichi SATO <ysato444@yahoo.co.jp>
+.\"
+.\"O .SH NAME
+.SH ̾Á°
+.\"O ip6tables-restore \- Restore IPv6 Tables
+ip6tables-restore \- IPv6 ¥Æ¡¼¥Ö¥ë¤òÉü¸µ¤¹¤ë
+.\"O .SH SYNOPSIS
+.SH ½ñ¼°
+.BR "ip6tables-restore " "[-c] [-n]"
+.br
+.\"O .SH DESCRIPTION
+.SH ÀâÌÀ
+.PP
+.\"O .B ip6tables-restore
+.\"O is used to restore IPv6 Tables from data specified on STDIN. Use
+.\"O I/O redirection provided by your shell to read from a file
+.B ip6tables-restore
+¤Ïɸ½àÆþÎϤǻØÄꤵ¤ì¤¿¥Ç¡¼¥¿¤«¤é IPv6 ¥Æ¡¼¥Ö¥ë¤òÉü¸µ¤¹¤ë¤¿¤á¤Ë»È¤ï¤ì¤ë¡£
+¥Õ¥¡¥¤¥ë¤«¤éÆɤ߹þ¤à¤¿¤á¤Ë¤Ï¡¢
+¥·¥§¥ë¤ÇÄ󶡤µ¤ì¤Æ¤¤¤ë I/O ¥ê¥À¥¤¥ì¥¯¥·¥ç¥ó¤ò»È¤¦¤³¤È¡£
+.TP
+\fB\-c\fR, \fB\-\-counters\fR
+.\"O restore the values of all packet and byte counters
+Á´¤Æ¤Î¥Ñ¥±¥Ã¥È¥«¥¦¥ó¥¿¤È¥Ð¥¤¥È¥«¥¦¥ó¥¿¤ÎÃͤòÉü¸µ¤¹¤ë¡£
+.TP
+\fB\-n\fR, \fB\-\-noflush\fR
+.\"O .TP
+.\"O don't flush the previous contents of the table. If not specified,
+.\"O .B ip6tables-restore
+.\"O flushes (deletes) all previous contents of the respective IPv6 Table.
+¤³¤ì¤Þ¤Ç¤Î¥Æ¡¼¥Ö¥ë¤ÎÆâÍƤò¥Õ¥é¥Ã¥·¥å¤·¤Ê¤¤¡£
+»ØÄꤵ¤ì¤Ê¤¤¾ì¹ç¡¢
+.B ip6tables-restore
+¤Ï¡¢¤³¤ì¤Þ¤Ç¤Î³Æ IPv6 ¥Æ¡¼¥Ö¥ë¤ÎÆâÍƤòÁ´¤Æ¥Õ¥é¥Ã¥·¥å (ºï½ü) ¤¹¤ë¡£
+.\"O .SH BUGS
+.SH ¥Ð¥°
+.\"O None known as of iptables-1.2.1 release
+iptables-1.2.1 ¥ê¥ê¡¼¥¹¤Ç¤ÏÃΤé¤ì¤Æ¤¤¤Ê¤¤¡£
+.\"O .SH AUTHORS
+.SH Ãø¼Ô
+Harald Welte <laforge@gnumonks.org>
+.br
+Andras Kis-Szabo <kisza@sch.bme.hu>
+.\"O .SH SEE ALSO
+.SH ´ØÏ¢¹àÌÜ
+.BR ip6tables-save "(8), " ip6tables "(8) "
+.PP
+.\"O The iptables-HOWTO, which details more iptables usage, the NAT-HOWTO,
+.\"O which details NAT, and the netfilter-hacking-HOWTO which details the
+.\"O internals.
+¤è¤ê¿¤¯¤Î iptables ¤Î»ÈÍÑË¡¤Ë¤Ä¤¤¤Æ
+¾ÜºÙ¤ËÀâÌÀ¤·¤Æ¤¤¤ë iptables-HOWTO¡£
+NAT ¤Ë¤Ä¤¤¤Æ¾ÜºÙ¤ËÀâÌÀ¤·¤Æ¤¤¤ë NAT-HOWTO¡£
+ÆâÉô¹½Â¤¤Ë¤Ä¤¤¤Æ¾ÜºÙ¤ËÀâÌÀ¤·¤Æ¤¤¤ë netfilter-hacking-HOWTO¡£
--- /dev/null
+.TH IP6TABLES-SAVE 8 "Jan 30, 2002" "" ""
+.\"
+.\" Man page written by Harald Welte <laforge@gnumonks.org>
+.\" It is based on the iptables man page.
+.\"
+.\" This program is free software; you can redistribute it and/or modify
+.\" it under the terms of the GNU General Public License as published by
+.\" the Free Software Foundation; either version 2 of the License, or
+.\" (at your option) any later version.
+.\"
+.\" This program is distributed in the hope that it will be useful,
+.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+.\" GNU General Public License for more details.
+.\"
+.\" You should have received a copy of the GNU General Public License
+.\" along with this program; if not, write to the Free Software
+.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+.\"
+.\" Japanese Version Copyright (c) 2003 Yuichi SATO
+.\" all rights reserved.
+.\" Translated Thu May 1 17:36:08 JST 2003
+.\" by Yuichi SATO <ysato444@yahoo.co.jp>
+.\"
+.\"O .SH NAME
+.SH ̾Á°
+.\"O ip6tables-save \- Save IPv6 Tables
+ip6tables-save \- IPv6 ¥Æ¡¼¥Ö¥ë¤òÊݸ¤¹¤ë
+.\"O .SH SYNOPSIS
+.SH ½ñ¼°
+.BR "ip6tables-save " "[-c] [-t table]"
+.br
+.\"O .SH DESCRIPTION
+.SH ÀâÌÀ
+.PP
+.\"O .B ip6tables-save
+.\"O is used to dump the contents of an IPv6 Table in easily parseable format
+.\"O to STDOUT. Use I/O-redirection provided by your shell to write to a file.
+.B ip6tables-save
+¤Ï IPv6 ¥Æ¡¼¥Ö¥ë¤ÎÆâÍƤò´Êñ¤Ë²òÀϤǤ¤ë·Á¼°¤Ç
+ɸ½à½ÐÎϤ˥À¥ó¥×¤¹¤ë¤¿¤á¤Ë»È¤ï¤ì¤ë¡£
+¥Õ¥¡¥¤¥ë¤Ë½ñ¤½Ð¤¹¤¿¤á¤Ë¤Ï¡¢
+¥·¥§¥ë¤ÇÄ󶡤µ¤ì¤Æ¤¤¤ë I/O ¥ê¥À¥¤¥ì¥¯¥·¥ç¥ó¤ò»È¤¦¤³¤È¡£
+.TP
+\fB\-c\fR, \fB\-\-counters\fR
+.\"O include the current values of all packet and byte counters in the output
+Á´¤Æ¤Î¥Ñ¥±¥Ã¥È¥«¥¦¥ó¥¿¤È¥Ð¥¤¥È¥«¥¦¥ó¥¿¤Î¸½ºß¤ÎÃͤò½ÐÎϤ¹¤ë¡£
+.TP
+\fB\-t\fR, \fB\-\-table\fR \fBtablename\fR
+.\"O .TP
+.\"O restrict output to only one table. If not specified, output includes all
+.\"O available tables.
+½ÐÎϤò 1 ¤Ä¤Î¥Æ¡¼¥Ö¥ë¤Î¤ß¤ËÀ©¸Â¤¹¤ë¡£
+»ØÄꤵ¤ì¤Ê¤¤¾ì¹ç¡¢ÆÀ¤é¤ì¤¿Á´¤Æ¤Î¥Æ¡¼¥Ö¥ë¤ò½ÐÎϤ¹¤ë¡£
+.\"O .SH BUGS
+.SH ¥Ð¥°
+.\"O None known as of iptables-1.2.1 release
+iptables-1.2.1 ¥ê¥ê¡¼¥¹¤Ç¤ÏÃΤé¤ì¤Æ¤¤¤Ê¤¤¡£
+.\"O .SH AUTHORS
+.SH Ãø¼Ô
+Harald Welte <laforge@gnumonks.org>
+.br
+Andras Kis-Szabo <kisza@sch.bme.hu>
+.\"O .SH SEE ALSO
+.SH ´ØÏ¢¹àÌÜ
+.BR ip6tables-restore "(8), " ip6tables "(8) "
+.PP
+.\"O The iptables-HOWTO, which details more iptables usage, the NAT-HOWTO,
+.\"O which details NAT, and the netfilter-hacking-HOWTO which details the
+.\"O internals.
+¤è¤ê¿¤¯¤Î iptables ¤Î»ÈÍÑË¡¤Ë¤Ä¤¤¤Æ
+¾ÜºÙ¤ËÀâÌÀ¤·¤Æ¤¤¤ë iptables-HOWTO¡£
+NAT ¤Ë¤Ä¤¤¤Æ¾ÜºÙ¤ËÀâÌÀ¤·¤Æ¤¤¤ë NAT-HOWTO¡£
+ÆâÉô¹½Â¤¤Ë¤Ä¤¤¤Æ¾ÜºÙ¤ËÀâÌÀ¤·¤Æ¤¤¤ë netfilter-hacking-HOWTO¡£
--- /dev/null
+.TH IP6TABLES 8 "Mar 09, 2002" "" ""
+.\"
+.\" Man page written by Andras Kis-Szabo <kisza@sch.bme.hu>
+.\" It is based on iptables man page.
+.\"
+.\" iptables page by Herve Eychenne <rv@wallfire.org>
+.\" It is based on ipchains man page.
+.\"
+.\" ipchains page by Paul ``Rusty'' Russell March 1997
+.\" Based on the original ipfwadm man page by Jos Vos <jos@xos.nl>
+.\"
+.\" This program is free software; you can redistribute it and/or modify
+.\" it under the terms of the GNU General Public License as published by
+.\" the Free Software Foundation; either version 2 of the License, or
+.\" (at your option) any later version.
+.\"
+.\" This program is distributed in the hope that it will be useful,
+.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+.\" GNU General Public License for more details.
+.\"
+.\" You should have received a copy of the GNU General Public License
+.\" along with this program; if not, write to the Free Software
+.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+.\"
+.\"
+.\" Japanese Version Copyright (c) 2001-2004 Yuichi SATO
+.\" all right reserved.
+.\" Translated Sat Dec 1 06:32:08 JST 2001
+.\" by Yuichi SATO <ysato@h4.dion.ne.jp>
+.\" Updated & Modified Sun Feb 8 14:05:26 JST 2004
+.\" by Yuichi SATO <ysato444@yahoo.co.jp>
+.\"
+.\"WORD: chain ¥Á¥§¥¤¥ó
+.\"WORD: built-in chain ÁȤ߹þ¤ßºÑ¤ß¥Á¥§¥¤¥ó
+.\"WORD: non-terminating target Èó½ªÎ»¥¿¡¼¥²¥Ã¥È
+.\"
+.\"O .SH NAME
+.SH ̾Á°
+.\"O ip6tables \- IPv6 packet filter administration
+ip6tables \- IPv6 ¥Ñ¥±¥Ã¥È¥Õ¥£¥ë¥¿¤ò´ÉÍý¤¹¤ë
+.\"O .SH SYNOPSIS
+.SH ½ñ¼°
+.\"O .BR "ip6tables [-t table] -[AD] " "chain rule-specification [options]"
+.BR "ip6tables [-t ¥Æ¡¼¥Ö¥ë] -[AD] " "¥Á¥§¥¤¥ó ¥ë¡¼¥ë¤Î¾ÜºÙ [¥ª¥×¥·¥ç¥ó]"
+.br
+.\"O .BR "ip6tables [-t table] -I " "chain [rulenum] rule-specification [options]"
+.BR "ip6tables [-t ¥Æ¡¼¥Ö¥ë] -I " "¥Á¥§¥¤¥ó [¥ë¡¼¥ëÈÖ¹æ] ¥ë¡¼¥ë¤Î¾ÜºÙ [¥ª¥×¥·¥ç¥ó]"
+.br
+.\"O .BR "ip6tables [-t table] -R " "chain rulenum rule-specification [options]"
+.BR "ip6tables [-t ¥Æ¡¼¥Ö¥ë] -R " "¥Á¥§¥¤¥ó ¥ë¡¼¥ëÈÖ¹æ ¥ë¡¼¥ë¤Î¾ÜºÙ [¥ª¥×¥·¥ç¥ó]"
+.br
+.\"O .BR "ip6tables [-t table] -D " "chain rulenum [options]"
+.BR "ip6tables [-t ¥Æ¡¼¥Ö¥ë] -D " "¥Á¥§¥¤¥ó ¥ë¡¼¥ëÈÖ¹æ [¥ª¥×¥·¥ç¥ó]"
+.br
+.\"O .BR "ip6tables [-t table] -[LFZ] " "[chain] [options]"
+.BR "ip6tables [-t ¥Æ¡¼¥Ö¥ë] -[LFZ] " "[¥Á¥§¥¤¥ó] [¥ª¥×¥·¥ç¥ó]"
+.br
+.\"O .BR "ip6tables [-t table] -N " "chain"
+.BR "ip6tables [-t ¥Æ¡¼¥Ö¥ë] -N " "¥Á¥§¥¤¥ó"
+.br
+.\"O .BR "ip6tables [-t table] -X " "[chain]"
+.BR "ip6tables [-t ¥Æ¡¼¥Ö¥ë] -X " "[¥Á¥§¥¤¥ó]"
+.br
+.\"O .BR "ip6tables [-t table] -P " "chain target [options]"
+.BR "ip6tables [-t ¥Æ¡¼¥Ö¥ë] -P " "¥Á¥§¥¤¥ó ¥¿¡¼¥²¥Ã¥È [¥ª¥×¥·¥ç¥ó]"
+.br
+.\"O .BR "ip6tables [-t table] -E " "old-chain-name new-chain-name"
+.BR "ip6tables [-t ¥Æ¡¼¥Ö¥ë] -E " "µì¥Á¥§¥¤¥ó̾ ¿·¥Á¥§¥¤¥ó̾"
+.\"O .SH DESCRIPTION
+.SH ÀâÌÀ
+.\"O .B Ip6tables
+.\"O is used to set up, maintain, and inspect the tables of IPv6 packet
+.\"O filter rules in the Linux kernel. Several different tables
+.\"O may be defined. Each table contains a number of built-in
+.\"O chains and may also contain user-defined chains.
+.B ip6tables
+¤Ï Linux ¥«¡¼¥Í¥ë¤Î IPv6 ¥Ñ¥±¥Ã¥È¥Õ¥£¥ë¥¿¥ë¡¼¥ë¤Î¥Æ¡¼¥Ö¥ë¤ò
+ÀßÄꡦ´ÉÍý¡¦¸¡ºº¤¹¤ë¤¿¤á¤Ë»È¤ï¤ì¤ë¡£
+Ê£¿ô¤Î°Û¤Ê¤ë¥Æ¡¼¥Ö¥ë¤¬ÄêµÁ¤µ¤ì¤ë²ÄǽÀ¤¬¤¢¤ë¡£
+³Æ¥Æ¡¼¥Ö¥ë¤ÏÁȤ߹þ¤ßºÑ¤ß¥Á¥§¥¤¥ó¤ò´Þ¤à¡£
+¤µ¤é¤Ë¥æ¡¼¥¶¡¼ÄêµÁ¤Î¥Á¥§¥¤¥ó¤ò´Þ¤à¤³¤È¤â¤Ç¤¤ë¡£
+
+.\"O Each chain is a list of rules which can match a set of packets. Each
+.\"O rule specifies what to do with a packet that matches. This is called
+.\"O a `target', which may be a jump to a user-defined chain in the same
+.\"O table.
+³Æ¥Á¥§¥¤¥ó¤Ï¡¢¥Ñ¥±¥Ã¥È·²¤Ë¥Þ¥Ã¥Á¤¹¤ë¥ë¡¼¥ë¤Î¥ê¥¹¥È¤Ç¤¢¤ë¡£
+³Æ¥ë¡¼¥ë¤Ï¥Þ¥Ã¥Á¤·¤¿¥Ñ¥±¥Ã¥È¤ËÂФ·¤Æ²¿¤ò¤¹¤ë¤«¤ò»ØÄꤹ¤ë¡£
+¤³¤ì¤Ï¡Ö¥¿¡¼¥²¥Ã¥È¡×¤È¸Æ¤Ð¤ì¡¢
+Ʊ¤¸¥Æ¡¼¥Ö¥ëÆâ¤Î¥æ¡¼¥¶¡¼ÄêµÁ¥Á¥§¥¤¥ó¤Ë¥¸¥ã¥ó¥×¤¹¤ë¤³¤È¤â¤¢¤ë¡£
+
+.\"O .SH TARGETS
+.SH ¥¿¡¼¥²¥Ã¥È
+.\"O A firewall rule specifies criteria for a packet, and a target. If the
+.\"O packet does not match, the next rule in the chain is the examined; if
+.\"O it does match, then the next rule is specified by the value of the
+.\"O target, which can be the name of a user-defined chain or one of the
+.\"O special values
+.\"O .IR ACCEPT ,
+.\"O .IR DROP ,
+.\"O .IR QUEUE ,
+.\"O or
+.\"O .IR RETURN .
+¥Õ¥¡¥¤¥¢¥¦¥©¡¼¥ë¤Î¥ë¡¼¥ë¤Ï¡¢¥Ñ¥±¥Ã¥È¤òȽÃǤ¹¤ë´ð½à¤È¥¿¡¼¥²¥Ã¥È¤ò»ØÄꤹ¤ë¡£
+¥Ñ¥±¥Ã¥È¤¬¥Þ¥Ã¥Á¤·¤Ê¤¤¾ì¹ç¡¢¥Á¥§¥¤¥óÆâ¤Î¼¡¤Î¥ë¡¼¥ë¤¬É¾²Á¤µ¤ì¤ë¡£
+¥Ñ¥±¥Ã¥È¤¬¥Þ¥Ã¥Á¤·¤¿¾ì¹ç¡¢
+¥¿¡¼¥²¥Ã¥È¤ÎÃͤˤè¤Ã¤Æ¼¡¤Î¥ë¡¼¥ë¤¬»ØÄꤵ¤ì¤ë¡£
+¥¿¡¼¥²¥Ã¥È¤ÎÃͤϡ¢¥æ¡¼¥¶¡¼ÄêµÁ¥Á¥§¥¤¥ó¤Î̾Á°¡¢¤Þ¤¿¤ÏÆÃÊ̤ÊÃÍ
+.IR ACCEPT ,
+.IR DROP ,
+.IR QUEUE ,
+.I RETURN
+¤Î¤¦¤Á¤Î 1 ¤Ä¤Ç¤¢¤ë¡£
+.PP
+.\"O .I ACCEPT
+.\"O means to let the packet through.
+.I ACCEPT
+¤Ï¥Ñ¥±¥Ã¥È¤òÄ̤¹¤È¤¤¤¦°ÕÌ£¤Ç¤¢¤ë¡£
+.\"O .I DROP
+.\"O means to drop the packet on the floor.
+.I DROP
+¤Ï¥Ñ¥±¥Ã¥È¤ò¾²¤ËÍ (¼Î¤Æ¤ë) ¤È¤¤¤¦°ÕÌ£¤Ç¤¢¤ë¡£
+.\"O .I QUEUE
+.\"O means to pass the packet to userspace (if supported by the kernel).
+.I QUEUE
+¤Ï¥Ñ¥±¥Ã¥È¤ò¥æ¡¼¥¶¡¼¶õ´Ö¤ËÅϤ¹¤È¤¤¤¦°ÕÌ£¤Ç¤¢¤ë
+(¥«¡¼¥Í¥ë¤¬¥µ¥Ý¡¼¥È¤·¤Æ¤¤¤ì¤Ð¤Ç¤¢¤ë¤¬)¡£
+.\"O .I RETURN
+.\"O means stop traversing this chain and resume at the next rule in the
+.\"O previous (calling) chain. If the end of a built-in chain is reached
+.\"O or a rule in a built-in chain with target
+.\"O .I RETURN
+.\"O is matched, the target specified by the chain policy determines the
+.\"O fate of the packet.
+.I RETURN
+¤Ï¡¢¤³¤Î¥Á¥§¥¤¥ó¤ò¸¡Æ¤¤¹¤ë¤³¤È¤òÃæ»ß¤·¤Æ¡¢
+Á°¤Î (¸Æ¤Ó½Ð¤·Â¦) ¥Á¥§¥¤¥ó¤Î¼¡¤Î¥ë¡¼¥ë¤ÇÄä»ß¤¹¤ë¤È¤¤¤¦°ÕÌ£¤Ç¤¢¤ë¡£
+ÁȤ߹þ¤ßºÑ¤ß¥Á¥§¥¤¥ó¤ÎºÇ¸å¤ËÅþ㤷¤¿¾ì¹ç¡¢
+¤Þ¤¿¤Ï¥¿¡¼¥²¥Ã¥È
+.I RETURN
+¤¬´Þ¤Þ¤ì¤Æ¤¤¤ëÁȤ߹þ¤ßºÑ¤ß¥Á¥§¥¤¥ó¤Î¥ë¡¼¥ë¤Ë¥Þ¥Ã¥Á¤·¤¿¾ì¹ç¡¢
+¥Á¥§¥¤¥ó¥Ý¥ê¥·¡¼¤Ç»ØÄꤵ¤ì¤¿¥¿¡¼¥²¥Ã¥È¤¬
+¥Ñ¥±¥Ã¥È¤Î¹ÔÊý¤ò·èÄꤹ¤ë¡£
+.\"O .SH TABLES
+.SH ¥Æ¡¼¥Ö¥ë
+.\"O There are currently two independent tables (which tables are present
+.\"O at any time depends on the kernel configuration options and which
+.\"O modules are present), as nat table has not been implemented yet.
+¸½ºß¤Î¤È¤³¤í 2 ¤Ä¤ÎÆÈΩ¤Ê¥Æ¡¼¥Ö¥ë¤¬Â¸ºß¤¹¤ë
+(¤É¤Î¥Æ¡¼¥Ö¥ë¤¬¤É¤Î»þÅÀ¤Ç¸½¤ì¤ë¤«¤Ï¡¢
+¥«¡¼¥Í¥ë¤ÎÀßÄê¤ä¤É¤¦¤¤¤Ã¤¿¥â¥¸¥å¡¼¥ë¤¬Â¸ºß¤¹¤ë¤«¤Ë°Í¸¤¹¤ë)¡£
+nat ¥Æ¡¼¥Ö¥ë¤Ï¡¢¤Þ¤À¼ÂÁõ¤µ¤ì¤Æ¤¤¤Ê¤¤¡£
+.TP
+.BI "-t, --table " "table"
+.\"O This option specifies the packet matching table which the command
+.\"O should operate on. If the kernel is configured with automatic module
+.\"O loading, an attempt will be made to load the appropriate module for
+.\"O that table if it is not already there.
+¤³¤Î¥ª¥×¥·¥ç¥ó¤Ï¡¢¤É¤Î¥³¥Þ¥ó¥É¤òŬÍѤ¹¤Ù¤¤«¤ò·èÄꤹ¤ë¤¿¤á¤Î
+¥Ñ¥±¥Ã¥È¥Þ¥Ã¥Á¥ó¥°¥Æ¡¼¥Ö¥ë¤ò»ØÄꤹ¤ë¡£
+¥«¡¼¥Í¥ë¤Ë¼«Æ°¥â¥¸¥å¡¼¥ë¥í¡¼¥Ç¥£¥ó¥°¤¬ÀßÄꤵ¤ì¤Æ¤¤¤ë¾ì¹ç¡¢
+¤¢¤ë¥Æ¡¼¥Ö¥ë¤ËÂФ·¤ÆŬÀڤʥ⥸¥å¡¼¥ë¤¬¤Þ¤À¥í¡¼¥É¤µ¤ì¤Æ¤¤¤Ê¤±¤ì¤Ð¡¢
+¤½¤Î¥â¥¸¥å¡¼¥ë¤Î¥í¡¼¥É¤ò¹Ô¤¦¡£
+
+.\"O The tables are as follows:
+¥Æ¡¼¥Ö¥ë¤Ï°Ê²¼¤ÎÄ̤ê¤Ç¤¢¤ë¡£
+.RS
+.TP .4i
+.BR "filter" :
+.\"O This is the default table (if no -t option is passed). It contains
+.\"O the built-in chains
+.\"O .B INPUT
+.\"O (for packets coming into the box itself),
+.\"O .B FORWARD
+.\"O (for packets being routed through the box), and
+.\"O .B OUTPUT
+.\"O (for locally-generated packets).
+(-t ¥ª¥×¥·¥ç¥ó¤¬»ØÄꤵ¤ì¤Æ¤¤¤Ê¤¤¾ì¹ç¤Ï) ¤³¤ì¤¬¥Ç¥Õ¥©¥ë¥È¤Î¥Æ¡¼¥Ö¥ë¤Ç¤¢¤ë¡£
+¤³¤ì¤Ë¤Ï
+.B INPUT
+(¥Þ¥·¥ó¼«ÂΤËÆþ¤Ã¤Æ¤¯¤ë¥Ñ¥±¥Ã¥È¤ËÂФ¹¤ë¥Á¥§¥¤¥ó)¡¦
+.B FORWARD
+(¥Þ¥·¥ó¤ò·Ðͳ¤¹¤ë¥Ñ¥±¥Ã¥È¤ËÂФ¹¤ë¥Á¥§¥¤¥ó)¡¦
+.B OUTPUT
+(¥í¡¼¥«¥ë¥Þ¥·¥ó¤ÇÀ¸À®¤µ¤ì¤¿¥Ñ¥±¥Ã¥È¤ËÂФ¹¤ë¥Á¥§¥¤¥ó)
+¤È¤¤¤¦ÁȤ߹þ¤ßºÑ¤ß¥Á¥§¥¤¥ó¤¬´Þ¤Þ¤ì¤ë¡£
+.TP
+.BR "mangle" :
+.\"O This table is used for specialized packet alteration. Until kernel
+.\"O 2.4.17 it had two built-in chains:
+.\"O .B PREROUTING
+.\"O (for altering incoming packets before routing) and
+.\"O .B OUTPUT
+.\"O (for altering locally-generated packets before routing).
+¤³¤Î¥Æ¡¼¥Ö¥ë¤ÏÆÃÊ̤ʥѥ±¥Ã¥ÈÊÑ´¹¤Ë»È¤ï¤ì¤ë¡£
+¥«¡¼¥Í¥ë 2.4.17 ¤Þ¤Ç¤Ï¡¢
+.B PREROUTING
+(¥Ñ¥±¥Ã¥È¤¬Æþ¤Ã¤Æ¤¤¿¾ì¹ç¡¢
+¤¹¤°¤Ë¤½¤Î¥Ñ¥±¥Ã¥È¤òÊÑ´¹¤¹¤ë¤¿¤á¤Î¥Á¥§¥¤¥ó)¡¦
+.B OUTPUT
+(¥í¡¼¥«¥ë¤ÇÀ¸À®¤µ¤ì¤¿¥Ñ¥±¥Ã¥È¤ò
+¥ë¡¼¥Æ¥£¥ó¥°¤ÎÁ°¤ËÊÑ´¹¤¹¤ë¤¿¤á¤Î¥Á¥§¥¤¥ó)
+¤È¤¤¤¦ 2 ¤Ä¤ÎÁȤ߹þ¤ßºÑ¤ß¥Á¥§¥¤¥ó¤¬´Þ¤Þ¤ì¤Æ¤¤¤¿¡£
+.\"O Since kernel 2.4.18, three other built-in chains are also supported:
+.\"O .B INPUT
+.\"O (for packets coming into the box itself),
+.\"O .B FORWARD
+.\"O (for altering packets being routed through the box), and
+.\"O .B POSTROUTING
+.\"O (for altering packets as they are about to go out).
+¥«¡¼¥Í¥ë 2.4.18 ¤«¤é¤Ï¡¢¤³¤ì¤é¤Î¾¤Ë
+.B INPUT
+(¥Þ¥·¥ó¼«ÂΤËÆþ¤Ã¤Æ¤¯¤ë¥Ñ¥±¥Ã¥È¤ËÂФ¹¤ë¥Á¥§¥¤¥ó)¡¦
+.B FORWARD
+(¥Þ¥·¥ó¤ò·Ðͳ¤¹¤ë¥Ñ¥±¥Ã¥È¤ËÂФ¹¤ë¥Á¥§¥¤¥ó)¡¦
+.B POSTROUTING
+(¥Ñ¥±¥Ã¥È¤¬½Ð¤Æ¹Ô¤¯¤È¤¤ËÊÑ´¹¤¹¤ë¤¿¤á¤Î¥Á¥§¥¤¥ó)¡¦
+¤È¤¤¤¦ 3 ¤Ä¤ÎÁȤ߹þ¤ßºÑ¤ß¥Á¥§¥¤¥ó¤â¥µ¥Ý¡¼¥È¤µ¤ì¤ë¡£
+.RE
+.\"O .SH OPTIONS
+.SH ¥ª¥×¥·¥ç¥ó
+.\"O The options that are recognized by
+.\"O .B ip6tables
+.\"O can be divided into several different groups.
+.B ip6tables
+¤Ç»È¤¨¤ë¥ª¥×¥·¥ç¥ó¤Ï¡¢¤¤¤¯¤Ä¤«¤Î¥°¥ë¡¼¥×¤Ëʬ¤±¤é¤ì¤ë¡£
+.\"O .SS COMMANDS
+.SS ¥³¥Þ¥ó¥É
+.\"O These options specify the specific action to perform. Only one of them
+.\"O can be specified on the command line unless otherwise specified
+.\"O below. For all the long versions of the command and option names, you
+.\"O need to use only enough letters to ensure that
+.\"O .B ip6tables
+.\"O can differentiate it from all other options.
+¤³¤ì¤é¤Î¥ª¥×¥·¥ç¥ó¤Ï¡¢¼Â¹Ô¤¹¤ëÆÃÄê¤ÎÆ°ºî¤ò»ØÄꤹ¤ë¡£
+°Ê²¼¤ÎÀâÌÀ¤Çµö²Ä¤µ¤ì¤Æ¤¤¤Ê¤¤¸Â¤ê¡¢
+¤³¤ÎÃæ¤Î 1 ¤Ä¤·¤«¥³¥Þ¥ó¥É¥é¥¤¥ó¤Ç»ØÄꤹ¤ë¤³¤È¤¬¤Ç¤¤Ê¤¤¡£
+Ť¤¥Ð¡¼¥¸¥ç¥ó¤Î¥³¥Þ¥ó¥É̾¤È¥ª¥×¥·¥ç¥ó̾¤Ï¡¢
+.B ip6tables
+¤¬Â¾¤Î¥³¥Þ¥ó¥É̾¤ä¥ª¥×¥·¥ç¥ó̾¤È¶èÊ̤Ǥ¤ëÈϰϤÇ
+(ʸ»ú¤ò¾Êά¤·¤Æ) »ØÄꤹ¤ë¤³¤È¤â¤Ç¤¤ë¡£
+.TP
+.BI "-A, --append " "chain rule-specification"
+.\"O Append one or more rules to the end of the selected chain.
+.\"O When the source and/or destination names resolve to more than one
+.\"O address, a rule will be added for each possible address combination.
+ÁªÂò¤µ¤ì¤¿¥Á¥§¥¤¥ó¤ÎºÇ¸å¤Ë 1 ¤Ä°Ê¾å¤Î¥ë¡¼¥ë¤òÄɲ乤롣
+Á÷¿®¸µ¤äÁ÷¿®Àè¤Î̾Á°¤¬ 1 ¤Ä°Ê¾å¤Î¥¢¥É¥ì¥¹¤ËÂбþ¤·¤Æ¤¤¤ë¾ì¹ç¡¢
+²Äǽ¤Ê¥¢¥É¥ì¥¹¤ÎÁȹ礻¤Î¤½¤ì¤¾¤ì¤Ë¤Ä¤¤¤Æ¥ë¡¼¥ë¤¬Äɲ䵤ì¤ë¡£
+.TP
+.BI "-D, --delete " "chain rule-specification"
+.ns
+.TP
+.BI "-D, --delete " "chain rulenum"
+.\"O Delete one or more rules from the selected chain. There are two
+.\"O versions of this command: the rule can be specified as a number in the
+.\"O chain (starting at 1 for the first rule) or a rule to match.
+ÁªÂò¤µ¤ì¤¿¥Á¥§¥¤¥ó¤«¤é 1 ¤Ä°Ê¾å¤Î¥ë¡¼¥ë¤òºï½ü¤¹¤ë¡£
+¤³¤Î¥³¥Þ¥ó¥É¤Ë¤Ï 2 ¤Ä¤Î»È¤¤Êý¤¬¤¢¤ë:
+¥Á¥§¥¤¥ó¤ÎÃæ¤ÎÈÖ¹æ (ºÇ½é¤Î¥ë¡¼¥ë¤ò 1 ¤È¤¹¤ë) ¤ò»ØÄꤹ¤ë¾ì¹ç¤È¡¢
+¥Þ¥Ã¥Á¤¹¤ë¥ë¡¼¥ë¤ò»ØÄꤹ¤ë¾ì¹ç¤Ç¤¢¤ë¡£
+.TP
+.B "-I, --insert"
+.\"O Insert one or more rules in the selected chain as the given rule
+.\"O number. So, if the rule number is 1, the rule or rules are inserted
+.\"O at the head of the chain. This is also the default if no rule number
+.\"O is specified.
+ÁªÂò¤µ¤ì¤¿¥Á¥§¥¤¥ó¤Ë¥ë¡¼¥ëÈÖ¹æ¤ò»ØÄꤷ¤Æ 1 ¤Ä°Ê¾å¤Î¥ë¡¼¥ë¤òÁÞÆþ¤¹¤ë¡£
+¥ë¡¼¥ëÈֹ椬 1 ¤Î¾ì¹ç¡¢¥ë¡¼¥ë¤Ï¥Á¥§¥¤¥ó¤ÎÀèƬ¤ËÁÞÆþ¤µ¤ì¤ë¡£
+¤³¤ì¤Ï¥ë¡¼¥ëÈֹ椬»ØÄꤵ¤ì¤Ê¤¤¾ì¹ç¤Î¥Ç¥Õ¥©¥ë¥È¤Ç¤â¤¢¤ë¡£
+.TP
+.BI "-R, --replace " "chain rulenum rule-specification"
+.\"O Replace a rule in the selected chain. If the source and/or
+.\"O destination names resolve to multiple addresses, the command will
+.\"O fail. Rules are numbered starting at 1.
+ÁªÂò¤µ¤ì¤¿¥Á¥§¥¤¥ó¤Ë¤¢¤ë¥ë¡¼¥ë¤òÃÖ¤´¹¤¨¤ë¡£
+Á÷¿®¸µ¤äÁ÷¿®Àè¤Î̾Á°¤¬ 1 ¤Ä°Ê¾å¤Î¥¢¥É¥ì¥¹¤ËÂбþ¤·¤Æ¤¤¤ë¾ì¹ç¤Ï¼ºÇÔ¤¹¤ë¡£
+¥ë¡¼¥ë¤Ë¤Ï 1 ¤«¤é»Ï¤Þ¤ëÈֹ椬ÉÕ¤±¤é¤ì¤Æ¤¤¤ë¡£
+.TP
+.BR "-L, --list " "[\fIchain\fP]"
+.\"O List all rules in the selected chain. If no chain is selected, all
+.\"O chains are listed. As every other iptables command, it applies to the
+.\"O specified table (filter is the default), so mangle rules get listed by
+ÁªÂò¤µ¤ì¤¿¥Á¥§¥¤¥ó¤Ë¤¢¤ëÁ´¤Æ¤Î¥ë¡¼¥ë¤ò°ìÍ÷ɽ¼¨¤¹¤ë¡£
+¥Á¥§¥¤¥ó¤¬»ØÄꤵ¤ì¤Ê¤¤¾ì¹ç¡¢Á´¤Æ¤Î¥Á¥§¥¤¥ó¤Ë¤¢¤ë¥ê¥¹¥È¤¬°ìÍ÷ɽ¼¨¤µ¤ì¤ë¡£
+¾¤Î³Æ iptables ¥³¥Þ¥ó¥É¤ÈƱÍͤˡ¢
+»ØÄꤵ¤ì¤¿¥Æ¡¼¥Ö¥ë (¥Ç¥Õ¥©¥ë¥È¤Ï filter) ¤ËÂФ·¤ÆºîÍѤ¹¤ë¡£
+¤è¤Ã¤Æ mangle ¥ë¡¼¥ë¤òɽ¼¨¤¹¤ë¤Ë¤Ï°Ê²¼¤Î¤è¤¦¤Ë¤¹¤ë¡£
+.nf
+ ip6tables -t mangle -n -L
+.fi
+.\"O Please note that it is often used with the
+.\"O .B -n
+.\"O option, in order to avoid long reverse DNS lookups.
+DNS ¤ÎµÕ°ú¤¤òÈò¤±¤ë¤¿¤á¤Ë¡¢¤è¤¯
+.B -n
+¥ª¥×¥·¥ç¥ó¤È¶¦¤Ë»ÈÍѤµ¤ì¤ë¡£
+.\"O It is legal to specify the
+.\"O chains are listed. It is legal to specify the
+.\"O .B -Z
+.\"O (zero) option as well, in which case the chain(s) will be atomically
+.\"O listed and zeroed. The exact output is affected by the other
+.\"O arguments given. The exact rules are suppressed until you use
+.B -Z
+(¥¼¥í²½) ¥ª¥×¥·¥ç¥ó¤òƱ»þ¤Ë»ØÄꤹ¤ë¤³¤È¤â¤Ç¤¤ë¡£
+¤³¤Î¾ì¹ç¡¢¥Á¥§¥¤¥ó¤ÏÍ×ÁÇËè¤Ë¥ê¥¹¥È¤µ¤ì¤Æ¡¢
+(ÌõÃð: ¥Ñ¥±¥Ã¥È¥«¥¦¥ó¥¿¤È¥Ð¥¤¥È¥«¥¦¥ó¥¿¤¬) ¥¼¥í¤Ë¤µ¤ì¤ë¡£
+¤É¤Î¤è¤¦¤Ë½ÐÎϤ¹¤ë¤«¤Ï¡¢Í¿¤¨¤é¤ì¤ë¾¤Î°ú¤¿ô¤Ë±Æ¶Á¤µ¤ì¤ë¡£
+.nf
+ ip6tables -L -v
+.fi
+¤ò»È¤ï¤Ê¤¤¸Â¤ê¡¢(ÌõÃð: -v ¥ª¥×¥·¥ç¥ó¤ò»ØÄꤷ¤Ê¤¤¸Â¤ê)
+¼ÂºÝ¤Î¥ë¡¼¥ë¤½¤Î¤â¤Î¤Ïɽ¼¨¤µ¤ì¤Ê¤¤¡£
+.TP
+.BR "-F, --flush " "[\fIchain\fP]"
+.\"O Flush the selected chain (all the chains in the table if none is given).
+.\"O This is equivalent to deleting all the rules one by one.
+ÁªÂò¤µ¤ì¤¿¥Á¥§¥¤¥ó
+(²¿¤â»ØÄꤵ¤ì¤Ê¤±¤ì¤Ð¥Æ¡¼¥Ö¥ëÆâ¤ÎÁ´¤Æ¤Î¥Á¥§¥¤¥ó) ¤ÎÆâÍƤòÁ´¾Ãµî¤¹¤ë¡£
+¤³¤ì¤ÏÁ´¤Æ¤Î¥ë¡¼¥ë¤ò 1 ¸Ä¤º¤Äºï½ü¤¹¤ë¤Î¤ÈƱ¤¸¤Ç¤¢¤ë¡£
+.TP
+.BR "-Z, --zero " "[\fIchain\fP]"
+.\"O Zero the packet and byte counters in all chains. It is legal to
+.\"O specify the
+.\"O .B "-L, --list"
+.\"O (list) option as well, to see the counters immediately before they are
+.\"O cleared. (See above.)
+¤¹¤Ù¤Æ¤Î¥Á¥§¥¤¥ó¤Î¥Ñ¥±¥Ã¥È¥«¥¦¥ó¥¿¤È¥Ð¥¤¥È¥«¥¦¥ó¥¿¤ò¥¼¥í¤Ë¤¹¤ë¡£
+¥¯¥ê¥¢¤µ¤ì¤ëľÁ°¤Î¥«¥¦¥ó¥¿¤ò¸«¤ë¤¿¤á¤Ë¡¢
+.B "-L, --list"
+(°ìÍ÷ɽ¼¨) ¥ª¥×¥·¥ç¥ó¤ÈƱ»þ¤Ë»ØÄꤹ¤ë¤³¤È¤â¤Ç¤¤ë (¾åµ¤ò»²¾È)¡£
+.TP
+.BI "-N, --new-chain " "chain"
+.\"O Create a new user-defined chain by the given name. There must be no
+.\"O target of that name already.
+»ØÄꤷ¤¿Ì¾Á°¤Ç¥æ¡¼¥¶¡¼ÄêµÁ¥Á¥§¥¤¥ó¤òºîÀ®¤¹¤ë¡£
+Ʊ¤¸Ì¾Á°¤Î¥¿¡¼¥²¥Ã¥È¤¬´û¤Ë¸ºß¤·¤Æ¤Ï¤Ê¤é¤Ê¤¤¡£
+.TP
+.BR "-X, --delete-chain " "[\fIchain\fP]"
+.\"O Delete the optional user-defined chain specified. There must be no references
+.\"O to the chain. If there are, you must delete or replace the referring
+.\"O rules before the chain can be deleted. If no argument is given, it
+.\"O will attempt to delete every non-builtin chain in the table.
+¥ª¥×¥·¥ç¥ó¤Î¥æ¡¼¥¶¡¼ÄêµÁ¥Á¥§¥¤¥ó¤òºï½ü¤¹¤ë¡£
+¤½¤Î¥Á¥§¥¤¥ó¤¬»²¾È¤µ¤ì¤Æ¤¤¤Æ¤Ï¤Ê¤é¤Ê¤¤¡£
+¥Á¥§¥¤¥ó¤òºï½ü¤¹¤ëÁ°¤Ë¡¢¤½¤Î¥Á¥§¥¤¥ó¤ò»²¾È¤·¤Æ¤¤¤ë¥ë¡¼¥ë¤ò
+ºï½ü¤¹¤ë¤«ÃÖ¤´¹¤¨¤ë¤«¤·¤Ê¤±¤ì¤Ð¤Ê¤é¤Ê¤¤¡£
+°ú¤¿ô¤¬Í¿¤¨¤é¤ì¤Ê¤¤¾ì¹ç¡¢¥Æ¡¼¥Ö¥ë¤Ë¤¢¤ë¥Á¥§¥¤¥ó¤Î¤¦¤Á
+ÁȤ߹þ¤ßºÑ¤ß¥Á¥§¥¤¥ó¤Ç¤Ê¤¤¤â¤Î¤òÁ´¤Æºï½ü¤¹¤ë¡£
+.TP
+.BI "-P, --policy " "chain target"
+.\"O Set the policy for the chain to the given target. See the section
+.\"O .B TARGETS
+.\"O for the legal targets. Only built-in (non-user-defined) chains can have
+.\"O policies, and neither built-in nor user-defined chains can be policy
+.\"O targets.
+¥Á¥§¥¤¥ó¤Î¥Ý¥ê¥·¡¼¤ò¡¢»ØÄꤷ¤¿¥¿¡¼¥²¥Ã¥È¤ËÀßÄꤹ¤ë¡£
+»ØÄê²Äǽ¤Ê¥¿¡¼¥²¥Ã¥È¤Ï¡Ö\fB¥¿¡¼¥²¥Ã¥È\fR¡×¤Î¾Ï¤ò»²¾È¤¹¤ë¤³¤È¡£
+(¥æ¡¼¥¶¡¼ÄêµÁ¤Ç¤Ï¤Ê¤¤) ÁȤ߹þ¤ßºÑ¤ß¥Á¥§¥¤¥ó¤Ë¤·¤«¥Ý¥ê¥·¡¼¤ÏÀßÄê¤Ç¤¤Ê¤¤¡£
+¤Þ¤¿¡¢ÁȤ߹þ¤ßºÑ¤ß¥Á¥§¥¤¥ó¤â¥æ¡¼¥¶¡¼ÄêµÁ¥Á¥§¥¤¥ó¤â
+¥Ý¥ê¥·¡¼¤Î¥¿¡¼¥²¥Ã¥È¤ËÀßÄꤹ¤ë¤³¤È¤Ï¤Ç¤¤Ê¤¤¡£
+.TP
+.BI "-E, --rename-chain " "old-chain new-chain"
+.\"O Rename the user specified chain to the user supplied name. This is
+.\"O cosmetic, and has no effect on the structure of the table.
+¥æ¡¼¥¶¡¼ÄêµÁ¥Á¥§¥¤¥ó¤ò»ØÄꤷ¤¿Ì¾Á°¤ËÊѹ¹¤¹¤ë¡£
+¤³¤ì¤Ï¸«¤¿ÌܤÀ¤±¤ÎÊѹ¹¤Ê¤Î¤Ç¡¢¥Æ¡¼¥Ö¥ë¤Î¹½Â¤¤Ë¤Ï²¿¤â±Æ¶Á¤·¤Ê¤¤¡£
+.TP
+.B -h
+.\"O Help.
+.\"O Give a (currently very brief) description of the command syntax.
+¥Ø¥ë¥×¡£
+(º£¤Î¤È¤³¤í¤Ï¤È¤Æ¤â´Êñ¤Ê) ¥³¥Þ¥ó¥É½ñ¼°¤ÎÀâÌÀ¤òɽ¼¨¤¹¤ë¡£
+.\"O .SS PARAMETERS
+.SS ¥Ñ¥é¥á¡¼¥¿
+.\"O The following parameters make up a rule specification (as used in the
+.\"O add, delete, insert, replace and append commands).
+°Ê²¼¤Î¥Ñ¥é¥á¡¼¥¿¤Ï (add, delete, insert,
+replace, append ¥³¥Þ¥ó¥É¤ÇÍѤ¤¤é¤ì¤Æ) ¥ë¡¼¥ë¤Î»ÅÍͤò·è¤á¤ë¡£
+.TP
+.BR "-p, --protocol " "[!] \fIprotocol\fP"
+.\"O The protocol of the rule or of the packet to check.
+.\"O The specified protocol can be one of
+.\"O .IR tcp ,
+.\"O .IR udp ,
+.\"O .IR ipv6-icmp|icmpv6 ,
+.\"O or
+.\"O .IR all ,
+.\"O or it can be a numeric value, representing one of these protocols or a
+.\"O different one. A protocol name from /etc/protocols is also allowed.
+¥ë¡¼¥ë¤Ç»È¤ï¤ì¤ë¥×¥í¥È¥³¥ë¡¢¤Þ¤¿¤Ï¥Á¥§¥Ã¥¯¤µ¤ì¤ë¥Ñ¥±¥Ã¥È¤Î¥×¥í¥È¥³¥ë¡£
+»ØÄê¤Ç¤¤ë¥×¥í¥È¥³¥ë¤Ï¡¢
+.IR tcp ,
+.IR udp ,
+.IR ipv6-icmp|icmpv6 ,
+.I all
+¤Î¤¤¤º¤ì¤« 1 ¤Ä¤«¡¢¿ôÃͤǤ¢¤ë¡£
+¿ôÃͤϡ¢¤³¤ì¤é¤Î¥×¥í¥È¥³¥ë¤Î 1 ¤Ä¡¢¤â¤·¤¯¤ÏÊ̤Υץí¥È¥³¥ë¤òɽ¤¹¡£
+/etc/protocols ¤Ë¤¢¤ë¥×¥í¥È¥³¥ë̾¤â»ØÄê¤Ç¤¤ë¡£
+.\"O A "!" argument before the protocol inverts the
+.\"O test. The number zero is equivalent to
+.\"O .IR all .
+.\"O Protocol
+.\"O .I all
+.\"O will match with all protocols and is taken as default when this
+.\"O option is omitted.
+¥×¥í¥È¥³¥ë¤ÎÁ°¤Ë "!" ¤òÃÖ¤¯¤È¡¢¤½¤Î¥×¥í¥È¥³¥ë¤ò»ØÄꤷ¤Ê¤¤¤È¤¤¤¦°ÕÌ£¤Ë¤Ê¤ë¡£
+¿ôÃÍ 0 ¤Ï
+.I all
+¤ÈÅù¤·¤¤¡£
+¥×¥í¥È¥³¥ë
+.I all
+¤ÏÁ´¤Æ¤Î¥×¥í¥È¥³¥ë¤È¥Þ¥Ã¥Á¤·¡¢
+¤³¤Î¥ª¥×¥·¥ç¥ó¤¬¾Êά¤µ¤ì¤¿ºÝ¤Î¥Ç¥Õ¥©¥ë¥È¤Ç¤¢¤ë¡£
+.TP
+.BR "-s, --source " "[!] \fIaddress\fP[/\fImask\fP]"
+.\"O Source specification.
+.\"O .I Address
+.\"O can be either a hostname (please note that specifying
+.\"O any name to be resolved with a remote query such as DNS is a really bad idea),
+.\"O a network IPv6 address (with /mask), or a plain IPv6 address.
+.\"O (the network name isn't supported now).
+Á÷¿®¸µ¤Î»ØÄê¡£
+.I address
+¤Ï¥Û¥¹¥È̾ (DNS ¤Î¤è¤¦¤Ê¥ê¥â¡¼¥È¤Ø¤ÎÌ䤤¹ç¤ï¤»¤Ç²ò·è¤¹¤ë̾Á°¤ò»ØÄꤹ¤ë¤Î¤Ï
+Èó¾ï¤ËÎɤ¯¤Ê¤¤)¡¦
+¥Í¥Ã¥È¥ï¡¼¥¯ IPv6 ¥¢¥É¥ì¥¹ (/mask ¤ò»ØÄꤹ¤ë)¡¦
+Ä̾ï¤Î IPv6 ¥¢¥É¥ì¥¹
+(º£¤Î¤È¤³¤í¡¢¥Í¥Ã¥È¥ï¡¼¥¯Ì¾¤Ï¥µ¥Ý¡¼¥È¤µ¤ì¤Æ¤¤¤Ê¤¤)¡¢¤Î¤¤¤º¤ì¤«¤Ç¤¢¤ë¡£
+.\"O The
+.\"O .I mask
+.\"O can be either a network mask or a plain number,
+.\"O specifying the number of 1's at the left side of the network mask.
+.I mask
+¤Ï¥Í¥Ã¥È¥ï¡¼¥¯¥Þ¥¹¥¯¤«¡¢
+¥Í¥Ã¥È¥ï¡¼¥¯¥Þ¥¹¥¯¤Îº¸Â¦¤Ë¤¢¤ë 1 ¤Î¿ô¤ò»ØÄꤹ¤ë¿ôÃͤǤ¢¤ë¡£
+.\"O Thus, a mask of
+.\"O .I 64
+.\"O is equivalent to
+.\"O .IR ffff:ffff:ffff:ffff:0000:0000:0000:0000 .
+¤Ä¤Þ¤ê¡¢
+.I 64
+¤È¤¤¤¦ mask ¤Ï
+.I ffff:ffff:ffff:ffff:0000:0000:0000:0000
+¤ËÅù¤·¤¤¡£
+.\"O A "!" argument before the address specification inverts the sense of
+.\"O the address. The flag
+.\"O .B --src
+.\"O is an alias for this option.
+¥¢¥É¥ì¥¹»ØÄê¤ÎÁ°¤Ë "!" ¤òÃÖ¤¯¤È¡¢¤½¤Î¥¢¥É¥ì¥¹¤ò½ü³°¤¹¤ë¤È¤¤¤¦°ÕÌ£¤Ë¤Ê¤ë¡£
+¥Õ¥é¥°
+.B --src
+¤Ï¡¢¤³¤Î¥ª¥×¥·¥ç¥ó¤ÎÊÌ̾¤Ç¤¢¤ë¡£
+.TP
+.BR "-d, --destination " "[!] \fIaddress\fP[/\fImask\fP]"
+.\"O Destination specification.
+.\"O See the description of the
+.\"O .B -s
+.\"O (source) flag for a detailed description of the syntax. The flag
+.\"O .B --dst
+.\"O is an alias for this option.
+Á÷¿®Àè¤Î»ØÄê¡£
+½ñ¼°¤Î¾Ü¤·¤¤ÀâÌÀ¤Ë¤Ä¤¤¤Æ¤Ï¡¢
+.B -s
+(Á÷¿®¸µ) ¥Õ¥é¥°¤ÎÀâÌÀ¤ò»²¾È¤¹¤ë¤³¤È¡£
+¥Õ¥é¥°
+.B --dst
+¤Ï¡¢¤³¤Î¥ª¥×¥·¥ç¥ó¤ÎÊÌ̾¤Ç¤¢¤ë¡£
+.TP
+.BI "-j, --jump " "target"
+.\"O This specifies the target of the rule; i.e., what to do if the packet
+.\"O matches it. The target can be a user-defined chain (other than the
+.\"O one this rule is in), one of the special builtin targets which decide
+.\"O the fate of the packet immediately, or an extension (see
+.\"O .B EXTENSIONS
+.\"O below). If this
+.\"O option is omitted in a rule, then matching the rule will have no
+.\"O effect on the packet's fate, but the counters on the rule will be
+.\"O incremented.
+¥ë¡¼¥ë¤Î¥¿¡¼¥²¥Ã¥È¡¢¤Ä¤Þ¤ê¡¢
+¥Ñ¥±¥Ã¥È¤¬¥Þ¥Ã¥Á¤·¤¿¾ì¹ç¤Ë¤É¤¦¤¹¤ë¤«¤ò»ØÄꤹ¤ë¡£
+¥¿¡¼¥²¥Ã¥È¤Ï¥æ¡¼¥¶¡¼ÄêµÁ¥Á¥§¥¤¥ó
+(¤½¤Î¥ë¡¼¥ë¼«¿È¤¬Æþ¤Ã¤Æ¤¤¤ë¥Á¥§¥¤¥ó°Ê³°) ¤Ç¤â¡¢
+¥Ñ¥±¥Ã¥È¤Î¹ÔÊý¤ò¨»þ¤Ë·èÄꤹ¤ëÆÃÊ̤ÊÁȤ߹þ¤ßºÑ¤ß¥¿¡¼¥²¥Ã¥È¤Ç¤â¡¢
+³ÈÄ¥¤µ¤ì¤¿¥¿¡¼¥²¥Ã¥È (°Ê²¼¤Î
+.RB ¡Ö ¥¿¡¼¥²¥Ã¥È¤Î³ÈÄ¥ ¡×
+¤ò»²¾È) ¤Ç¤â¤è¤¤¡£
+¤³¤Î¥ª¥×¥·¥ç¥ó¤¬¥ë¡¼¥ë¤ÎÃæ¤Ç¾Êά¤µ¤ì¤¿¾ì¹ç¡¢
+¥ë¡¼¥ë¤Ë¥Þ¥Ã¥Á¤·¤Æ¤â¥Ñ¥±¥Ã¥È¤Î¹ÔÊý¤Ë²¿¤â±Æ¶Á¤·¤Ê¤¤¤¬¡¢
+¥ë¡¼¥ë¤Î¥«¥¦¥ó¥¿¤Ï 1 ¤Ä²Ã»»¤µ¤ì¤ë¡£
+.TP
+.BR "-i, --in-interface " "[!] \fIname\fP"
+.\"O Name of an interface via which a packet is going to be received (only for
+.\"O packets entering the
+.\"O .BR INPUT ,
+.\"O .B FORWARD
+.\"O and
+.\"O .B PREROUTING
+.\"O chains).
+.RB ( INPUT ,
+.BR FORWARD ,
+.B PREROUTING
+¥Á¥§¥¤¥ó¤Î¤ß¤ËÆþ¤ë) ¥Ñ¥±¥Ã¥È¤ò¼õ¿®¤¹¤ë¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹Ì¾¡£
+.\"O When the "!" argument is used before the interface name, the
+.\"O sense is inverted. If the interface name ends in a "+", then any
+.\"O interface which begins with this name will match. If this option is
+.\"O omitted, any interface name will match.
+¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹Ì¾¤ÎÁ°¤Ë "!" ¤òÃÖ¤¯¤È¡¢
+¤½¤Î¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹¤ò½ü³°¤¹¤ë¤È¤¤¤¦°ÕÌ£¤Ë¤Ê¤ë¡£
+¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹Ì¾¤¬ "+" ¤Ç½ª¤Ã¤Æ¤¤¤ë¾ì¹ç¡¢
+¤½¤Î̾Á°¤Ç»Ï¤Þ¤ëǤ°Õ¤Î¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹Ì¾¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
+¤³¤Î¥ª¥×¥·¥ç¥ó¤¬¾Êά¤µ¤ì¤¿¾ì¹ç¡¢
+Ǥ°Õ¤Î¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹Ì¾¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
+.TP
+.BR "-o, --out-interface " "[!] \fIname\fP"
+.\"O Name of an interface via which a packet is going to be sent (for packets
+.\"O entering the
+.\"O .BR FORWARD
+.\"O and
+.\"O .B OUTPUT
+.\"O chains).
+.RB ( FORWARD ,
+.B OUTPUT
+¥Á¥§¥¤¥ó¤ËÆþ¤ë) ¥Ñ¥±¥Ã¥È¤òÁ÷¿®¤¹¤ë¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹Ì¾¡£
+.\"O When the "!" argument is used before the interface name, the
+.\"O sense is inverted. If the interface name ends in a "+", then any
+.\"O interface which begins with this name will match. If this option is
+.\"O omitted, any interface name will match.
+¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹Ì¾¤ÎÁ°¤Ë "!" ¤òÃÖ¤¯¤È¡¢
+¤½¤Î¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹¤ò½ü³°¤¹¤ë¤È¤¤¤¦°ÕÌ£¤Ë¤Ê¤ë¡£
+¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹Ì¾¤¬ "+" ¤Ç½ª¤Ã¤Æ¤¤¤ë¾ì¹ç¡¢
+¤½¤Î̾Á°¤Ç»Ï¤Þ¤ëǤ°Õ¤Î¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹Ì¾¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
+¤³¤Î¥ª¥×¥·¥ç¥ó¤¬¾Êά¤µ¤ì¤¿¾ì¹ç¡¢
+Ǥ°Õ¤Î¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹Ì¾¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
+.TP
+.\"O .\" Currently not supported (header-based)
+.\" (¥Ø¥Ã¥À¤Ë´ð¤Å¤¯¤â¤Î¤Ï) º£¤Î¤È¤³¤í¥µ¥Ý¡¼¥È¤µ¤ì¤Æ¤¤¤Ê¤¤¡£
+.\"
+.\" .B "[!] " "-f, --fragment"
+.\"O .\" This means that the rule only refers to second and further fragments
+.\"O .\" of fragmented packets. Since there is no way to tell the source or
+.\"O .\" destination ports of such a packet (or ICMP type), such a packet will
+.\"O .\" not match any rules which specify them. When the "!" argument
+.\"O .\" precedes the "-f" flag, the rule will only match head fragments, or
+.\"O .\" unfragmented packets.
+.\" ¤³¤Î¥ª¥×¥·¥ç¥ó¤Ï¡¢Ê¬³ä¤µ¤ì¤¿¥Ñ¥±¥Ã¥È (fragmented packet) ¤Î¤¦¤Á
+.\" 2 ÈÖÌܰʹߤΥѥ±¥Ã¥È¤À¤±¤ò»²¾È¤¹¤ë¥ë¡¼¥ë¤Ç¤¢¤ë¤³¤È¤ò°ÕÌ£¤·¤Æ¤¤¤ë¡£
+.\" ¤³¤Î¤è¤¦¤Ê¥Ñ¥±¥Ã¥È (¤Þ¤¿¤Ï ICMP ¥¿¥¤¥×¤Î¥Ñ¥±¥Ã¥È) ¤Ï
+.\" Á÷¿®¸µ¡¦Á÷¿®Àè¥Ý¡¼¥È¤òÃΤëÊýË¡¤¬¤Ê¤¤¤Î¤Ç¡¢
+.\" Á÷¿®¸µ¤äÁ÷¿®Àè¤ò»ØÄꤹ¤ë¤è¤¦¤Ê¥ë¡¼¥ë¤Ë¤Ï¥Þ¥Ã¥Á¤·¤Ê¤¤¡£
+.\" "-f" ¥Õ¥é¥°¤ÎÁ°¤Ë "!" ¤òÃÖ¤¯¤È¡¢
+.\" ʬ³ä¤µ¤ì¤¿¥Ñ¥±¥Ã¥È¤Î¤¦¤ÁºÇ½é¤Î¤â¤Î¤«¡¢
+.\" ʬ³ä¤µ¤ì¤Æ¤¤¤Ê¤¤¥Ñ¥±¥Ã¥È¤À¤±¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
+.\" .TP
+.B "-c, --set-counters " "PKTS BYTES"
+.\"O This enables the administrater to initialize the packet and byte
+.\"O counters of a rule (during
+.\"O .B INSERT,
+.\"O .B APPEND,
+.\"O .B REPLACE
+.\"O operations)
+¤³¤Î¥ª¥×¥·¥ç¥ó¤ò»È¤¦¤È¡¢
+.RB ( insert ,
+.BR append ,
+.B replace
+Áàºî¤Ë¤ª¤¤¤Æ) ´ÉÍý¼Ô¤Ï¥Ñ¥±¥Ã¥È¥«¥¦¥ó¥¿¤È¥Ð¥¤¥È¥«¥¦¥ó¥¿¤ò
+½é´ü²½¤¹¤ë¤³¤È¤¬¤Ç¤¤ë¡£
+.\"O .SS "OTHER OPTIONS"
+.SS ¤½¤Î¾¤Î¥ª¥×¥·¥ç¥ó
+.\"O The following additional options can be specified:
+¤½¤Î¾¤Ë°Ê²¼¤Î¥ª¥×¥·¥ç¥ó¤ò»ØÄꤹ¤ë¤³¤È¤¬¤Ç¤¤ë:
+.TP
+.B "-v, --verbose"
+.\"O Verbose output. This option makes the list command show the interface
+.\"O name, the rule options (if any), and the TOS masks. The packet and
+.\"O byte counters are also listed, with the suffix 'K', 'M' or 'G' for
+.\"O 1000, 1,000,000 and 1,000,000,000 multipliers respectively (but see
+.\"O the
+.\"O .B -x
+.\"O flag to change this).
+.\"O For appending, insertion, deletion and replacement, this causes
+.\"O detailed information on the rule or rules to be printed.
+¾ÜºÙ¤Ê½ÐÎϤò¹Ô¤¦¡£
+list ¥³¥Þ¥ó¥É¤ÎºÝ¤Ë¡¢¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹Ì¾¡¦
+(¤â¤·¤¢¤ì¤Ð) ¥ë¡¼¥ë¤Î¥ª¥×¥·¥ç¥ó¡¦TOS ¥Þ¥¹¥¯¤òɽ¼¨¤µ¤»¤ë¡£
+¥Ñ¥±¥Ã¥È¤È¥Ð¥¤¥È¥«¥¦¥ó¥¿¤âɽ¼¨¤µ¤ì¤ë¡£
+ź»ú 'K', 'M', 'G' ¤Ï¡¢
+¤½¤ì¤¾¤ì 1000, 1,000,000, 1,000,000,000 Çܤòɽ¤¹
+(¤³¤ì¤òÊѹ¹¤¹¤ë
+.B -x
+¥Õ¥é¥°¤â¸«¤è)¡£
+¤³¤Î¥ª¥×¥·¥ç¥ó¤ò append, insert, delete, replace ¥³¥Þ¥ó¥É¤ËŬÍѤ¹¤ë¤È¡¢
+¥ë¡¼¥ë¤Ë¤Ä¤¤¤Æ¤Î¾ÜºÙ¤Ê¾ðÊó¤òɽ¼¨¤¹¤ë¡£
+.TP
+.B "-n, --numeric"
+.\"O Numeric output.
+.\"O IP addresses and port numbers will be printed in numeric format.
+.\"O By default, the program will try to display them as host names,
+.\"O network names, or services (whenever applicable).
+¿ôÃͤˤè¤ë½ÐÎϤò¹Ô¤¦¡£
+IP ¥¢¥É¥ì¥¹¤ä¥Ý¡¼¥ÈÈÖ¹æ¤ò¿ôÃͤˤè¤ë¥Õ¥©¡¼¥Þ¥Ã¥È¤Çɽ¼¨¤¹¤ë¡£
+¥Ç¥Õ¥©¥ë¥È¤Ç¤Ï¡¢¤³¤Î¥×¥í¥°¥é¥à¤Ï (²Äǽ¤Ç¤¢¤ì¤Ð) ¤³¤ì¤é¤Î¾ðÊó¤ò
+¥Û¥¹¥È̾¡¦¥Í¥Ã¥È¥ï¡¼¥¯Ì¾¡¦¥µ¡¼¥Ó¥¹Ì¾¤Çɽ¼¨¤·¤è¤¦¤È¤¹¤ë¡£
+.TP
+.B "-x, --exact"
+.\"O Expand numbers.
+.\"O Display the exact value of the packet and byte counters,
+.\"O instead of only the rounded number in K's (multiples of 1000)
+.\"O M's (multiples of 1000K) or G's (multiples of 1000M). This option is
+.\"O only relevant for the
+.\"O .B -L
+.\"O command.
+¸·Ì©¤Ê¿ôÃͤÇɽ¼¨¤¹¤ë¡£
+¥Ñ¥±¥Ã¥È¥«¥¦¥ó¥¿¤È¥Ð¥¤¥È¥«¥¦¥ó¥¿¤ò¡¢
+K (1000 ¤Î²¿Çܤ«)¡¦M (1000K ¤Î²¿Çܤ«)¡¦G (1000M ¤Î²¿Çܤ«) ¤Ç¤Ï¤Ê¤¯¡¢
+¸·Ì©¤ÊÃͤÇɽ¼¨¤¹¤ë¡£
+¤³¤Î¥ª¥×¥·¥ç¥ó¤Ï¡¢
+.B -L
+¥³¥Þ¥ó¥É¤È¤·¤«´Ø·¸¤·¤Ê¤¤¡£
+.TP
+.B "--line-numbers"
+.\"O When listing rules, add line numbers to the beginning of each rule,
+.\"O corresponding to that rule's position in the chain.
+¥ë¡¼¥ë¤ò°ìÍ÷ɽ¼¨¤¹¤ëºÝ¡¢¤½¤Î¥ë¡¼¥ë¤¬¥Á¥§¥¤¥ó¤Î¤É¤Î°ÌÃ֤ˤ¢¤ë¤«¤òɽ¤¹
+¹ÔÈÖ¹æ¤ò³Æ¹Ô¤Î»Ï¤á¤ËÉղ乤롣
+.TP
+.B "--modprobe=command"
+.\"O When adding or inserting rules into a chain, use
+.\"O .B command
+.\"O to load any necessary modules (targets, match extensions, etc).
+¥Á¥§¥¤¥ó¤Ë¥ë¡¼¥ë¤òÄɲäޤ¿¤ÏÁÞÆþ¤¹¤ëºÝ¤Ë¡¢
+(¥¿¡¼¥²¥Ã¥È¤ä¥Þ¥Ã¥Á¥ó¥°¤Î³ÈÄ¥¤Ê¤É¤Ç) ɬÍפʥ⥸¥å¡¼¥ë¤ò¥í¡¼¥É¤¹¤ë¤¿¤á¤Ë»È¤¦
+.B command
+¤ò»ØÄꤹ¤ë¡£
+.\"O .SH MATCH EXTENSIONS
+.SH ¥Þ¥Ã¥Á¥ó¥°¤Î³ÈÄ¥
+.\"O ip6tables can use extended packet matching modules. These are loaded
+.\"O in two ways: implicitly, when
+.\"O .B -p
+.\"O or
+.\"O .B --protocol
+.\"O is specified, or with the
+.\"O .B -m
+.\"O or
+.\"O .B --match
+.\"O options, followed by the matching module name;
+ip6tables ¤Ï³ÈÄ¥¤µ¤ì¤¿¥Ñ¥±¥Ã¥È¥Þ¥Ã¥Á¥ó¥°¥â¥¸¥å¡¼¥ë¤ò»È¤¦¤³¤È¤¬¤Ç¤¤ë¡£
+¤³¤ì¤é¤Î¥â¥¸¥å¡¼¥ë¤Ï 2 ¼ïÎà¤ÎÊýË¡¤Ç¥í¡¼¥É¤µ¤ì¤ë:
+¥â¥¸¥å¡¼¥ë¤Ï¡¢
+.B -p
+¤Þ¤¿¤Ï
+.B --protocol
+¤Ç°ÅÌۤΤ¦¤Á¤Ë»ØÄꤵ¤ì¤ë¤«¡¢
+.B -m
+¤Þ¤¿¤Ï
+.B --match
+¤Î¸å¤Ë¥â¥¸¥å¡¼¥ë̾¤ò³¤±¤Æ»ØÄꤵ¤ì¤ë¡£
+.\"O after these, various
+.\"O extra command line options become available, depending on the specific
+.\"O module. You can specify multiple extended match modules in one line,
+.\"O and you can use the
+.\"O .B -h
+.\"O or
+.\"O .B --help
+.\"O options after the module has been specified to receive help specific
+.\"O to that module.
+¤³¤ì¤é¤Î¥â¥¸¥å¡¼¥ë¤Î¸å¤í¤Ë¤Ï¡¢¥â¥¸¥å¡¼¥ë¤Ë±þ¤¸¤Æ
+¾¤Î¤¤¤í¤¤¤í¤Ê¥³¥Þ¥ó¥É¥é¥¤¥ó¥ª¥×¥·¥ç¥ó¤ò»ØÄꤹ¤ë¤³¤È¤¬¤Ç¤¤ë¡£
+Ê£¿ô¤Î³ÈÄ¥¥Þ¥Ã¥Á¥ó¥°¥â¥¸¥å¡¼¥ë¤ò 1 ¹Ô¤Ç»ØÄꤹ¤ë¤³¤È¤¬¤Ç¤¤ë¡£
+¤Þ¤¿¡¢¥â¥¸¥å¡¼¥ë¤ËÆÃͤΥإë¥×¤òɽ¼¨¤µ¤»¤ë¤¿¤á¤Ë¤Ï¡¢
+¥â¥¸¥å¡¼¥ë¤ò»ØÄꤷ¤¿¸å¤Ç
+.B -h
+¤Þ¤¿¤Ï
+.B --help
+¤ò»ØÄꤹ¤ì¤Ð¤è¤¤¡£
+
+.\"O The following are included in the base package, and most of these can
+.\"O be preceded by a
+.\"O .B !
+.\"O to invert the sense of the match.
+°Ê²¼¤Î³ÈÄ¥¤¬¥Ù¡¼¥¹¥Ñ¥Ã¥±¡¼¥¸¤Ë´Þ¤Þ¤ì¤Æ¤¤¤ë¡£
+ÂçÉôʬ¤Î¤â¤Î¤Ï¡¢¥Þ¥Ã¥Á¥ó¥°¤Î°ÕÌ£¤òµÕ¤Ë¤¹¤ë¤¿¤á¤Ë
+.B !
+¤òÁ°¤Ë¤ª¤¯¤³¤È¤¬¤Ç¤¤ë¡£
+.SS tcp
+.\"O These extensions are loaded if `--protocol tcp' is specified. It
+.\"O provides the following options:
+¤³¤ì¤é¤Î³ÈÄ¥¤Ï `--protocol tcp' ¤¬»ØÄꤵ¤ì¾ì¹ç¤Ë¥í¡¼¥É¤µ¤ì¡¢
+°Ê²¼¤Î¥ª¥×¥·¥ç¥ó¤¬Ä󶡤µ¤ì¤ë:
+.TP
+.BR "--source-port " "[!] \fIport\fP[:\fIport\fP]"
+.\"O Source port or port range specification. This can either be a service
+.\"O name or a port number. An inclusive range can also be specified,
+.\"O using the format
+.\"O .IR port : port .
+Á÷¿®¸µ¥Ý¡¼¥È¤Þ¤¿¤Ï¥Ý¡¼¥ÈÈϰϤλØÄê¡£
+¥µ¡¼¥Ó¥¹Ì¾¤Þ¤¿¤Ï¥Ý¡¼¥ÈÈÖ¹æ¤ò»ØÄê¤Ç¤¤ë¡£
+.IR port : port
+¤È¤¤¤¦·Á¼°¤Ç¡¢2 ¤Ä¤ÎÈÖ¹æ¤ò´Þ¤àÈϰϤò»ØÄꤹ¤ë¤³¤È¤â¤Ç¤¤ë¡£
+.\"O If the first port is omitted, "0" is assumed; if the last is omitted,
+.\"O "65535" is assumed.
+.\"O If the second port greater then the first they will be swapped.
+.\"O The flag
+.\"O .B --sport
+.\"O is a convenient alias for this option.
+ºÇ½é¤Î¥Ý¡¼¥È¤ò¾Êά¤·¤¿¾ì¹ç¡¢"0" ¤ò²¾Äꤹ¤ë¡£
+ºÇ¸å¤Î¥Ý¡¼¥È¤ò¾Êά¤·¤¿¾ì¹ç¡¢"65535" ¤ò²¾Äꤹ¤ë¡£
+ºÇ¸å¤Î¥Ý¡¼¥È¤¬ºÇ½é¤Î¥Ý¡¼¥È¤è¤êÂ礤¤¾ì¹ç¡¢2 ¤Ä¤ÏÆþ¤ì´¹¤¨¤é¤ì¤ë¡£
+¥Õ¥é¥°
+.B --sport
+¤Ï¡¢¤³¤Î¥ª¥×¥·¥ç¥ó¤ÎÊØÍø¤ÊÊÌ̾¤Ç¤¢¤ë¡£
+.TP
+.BR "--destination-port " "[!] \fIport\fP[:\fIport\fP]"
+.\"O Destination port or port range specification. The flag
+.\"O .B --dport
+.\"O is a convenient alias for this option.
+Á÷¿®Àè¥Ý¡¼¥È¤Þ¤¿¤Ï¥Ý¡¼¥ÈÈϰϤλØÄê¡£
+¥Õ¥é¥°
+.B --dport
+¤Ï¡¢¤³¤Î¥ª¥×¥·¥ç¥ó¤ÎÊØÍø¤ÊÊÌ̾¤Ç¤¢¤ë¡£
+.TP
+.BR "--tcp-flags " "[!] \fImask\fP \fIcomp\fP"
+.\"O Match when the TCP flags are as specified. The first argument is the
+.\"O flags which we should examine, written as a comma-separated list, and
+.\"O the second argument is a comma-separated list of flags which must be
+.\"O set. Flags are:
+.\"O .BR "SYN ACK FIN RST URG PSH ALL NONE" .
+»ØÄꤵ¤ì¤Æ¤¤¤ë¤è¤¦¤Ê TCP ¥Õ¥é¥°¤Î¾ì¹ç¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
+Âè 1 °ú¤¿ô¤Ïɾ²Á¤µ¤ì¤ë¥Õ¥é¥°¤Ç¡¢¥³¥ó¥Þ¤Çʬ¤±¤é¤ì¤¿¥ê¥¹¥È¤Ç½ñ¤«¤ì¤ë¡£
+Âè 2 °ú¤¿ô¤ÏÀßÄꤵ¤ì¤Æ¤¤¤Ê¤±¤ì¤Ð¤Ê¤é¤Ê¤¤¥Õ¥é¥°¤Ç¡¢
+¥³¥ó¥Þ¤Çʬ¤±¤é¤ì¤¿¥ê¥¹¥È¤Ç½ñ¤«¤ì¤ë¡£
+»ØÄê¤Ç¤¤ë¥Õ¥é¥°¤Ï
+.B "SYN ACK FIN RST URG PSH ALL NONE"
+¤Ç¤¢¤ë¡£
+.\"O Hence the command
+.\"O .nf
+.\"O ip6tables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN
+.\"O .fi
+.\"O will only match packets with the SYN flag set, and the ACK, FIN and
+.\"O RST flags unset.
+¤è¤Ã¤Æ¡¢¥³¥Þ¥ó¥É
+.nf
+ip6tables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN
+.fi
+¤Ï¡¢SYN ¥Õ¥é¥°¤¬ÀßÄꤵ¤ì ACK, FIN, RST ¥Õ¥é¥°¤¬ÀßÄꤵ¤ì¤Æ¤¤¤Ê¤¤
+¥Ñ¥±¥Ã¥È¤Ë¤Î¤ß¥Þ¥Ã¥Á¤¹¤ë¡£
+.TP
+.B "[!] --syn"
+.\"O Only match TCP packets with the SYN bit set and the ACK and RST bits
+.\"O cleared. Such packets are used to request TCP connection initiation;
+.\"O for example, blocking such packets coming in an interface will prevent
+.\"O incoming TCP connections, but outgoing TCP connections will be
+.\"O unaffected.
+.\"O It is equivalent to \fB--tcp-flags SYN,RST,ACK SYN\fP.
+.\"O If the "!" flag precedes the "--syn", the sense of the
+.\"O option is inverted.
+SYN ¥Ó¥Ã¥È¤¬ÀßÄꤵ¤ì ACK ¤È RST ¥Ó¥Ã¥È¤¬¥¯¥ê¥¢¤µ¤ì¤Æ¤¤¤ë
+TCP ¥Ñ¥±¥Ã¥È¤Ë¤Î¤ß¥Þ¥Ã¥Á¤¹¤ë¡£
+¤³¤Î¤è¤¦¤Ê¥Ñ¥±¥Ã¥È¤Ï TCP Àܳ¤Î³«»ÏÍ×µá¤Ë»È¤ï¤ì¤ë¡£
+Î㤨¤Ð¡¢¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹¤ËÆþ¤Ã¤Æ¤¯¤ë¤³¤Î¤è¤¦¤Ê¥Ñ¥±¥Ã¥È¤ò¥Ö¥í¥Ã¥¯¤¹¤ì¤Ð¡¢
+Æ⦤ؤΠTCP Àܳ¤Ï¶Ø»ß¤µ¤ì¤ë¤¬¡¢³°Â¦¤Ø¤Î TCP Àܳ¤Ë¤Ï±Æ¶Á¤·¤Ê¤¤¡£
+¤³¤ì¤Ï \fB--tcp-flags SYN,RST,ACK SYN\fP ¤ÈÅù¤·¤¤¡£
+"--syn" ¤ÎÁ°¤Ë "!" ¥Õ¥é¥°¤òÃÖ¤¯¤È¡¢
+SYN ¥Ó¥Ã¥È¤¬¥¯¥ê¥¢¤µ¤ì ACK ¤È FIN ¥Ó¥Ã¥È¤¬ÀßÄꤵ¤ì¤Æ¤¤¤ë
+TCP ¥Ñ¥±¥Ã¥È¤Ë¤Î¤ß¥Þ¥Ã¥Á¤¹¤ë¡£
+.TP
+.BR "--tcp-option " "[!] \fInumber\fP"
+.\"O Match if TCP option set.
+TCP ¥ª¥×¥·¥ç¥ó¤¬ÀßÄꤵ¤ì¤Æ¤¤¤ë¾ì¹ç¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
+.SS udp
+.\"O These extensions are loaded if `--protocol udp' is specified. It
+.\"O provides the following options:
+¤³¤ì¤é¤Î³ÈÄ¥¤Ï `--protocol udp' ¤¬»ØÄꤵ¤ì¤¿¾ì¹ç¤Ë¥í¡¼¥É¤µ¤ì¡¢
+°Ê²¼¤Î¥ª¥×¥·¥ç¥ó¤¬Ä󶡤µ¤ì¤ë:
+.TP
+.BR "--source-port " "[!] \fIport\fP[:\fIport\fP]"
+.\"O Source port or port range specification.
+.\"O See the description of the
+.\"O .B --source-port
+.\"O option of the TCP extension for details.
+Á÷¿®¸µ¥Ý¡¼¥È¤Þ¤¿¤Ï¥Ý¡¼¥ÈÈϰϤλØÄê¡£
+¾ÜºÙ¤Ï TCP ³ÈÄ¥¤Î
+.B --source-port
+¥ª¥×¥·¥ç¥ó¤ÎÀâÌÀ¤ò»²¾È¤¹¤ë¤³¤È¡£
+.TP
+.BR "--destination-port " "[!] \fIport\fP[:\fIport\fP]"
+.\"O Destination port or port range specification.
+.\"O See the description of the
+.\"O .B --destination-port
+.\"O option of the TCP extension for details.
+Á÷¿®Àè¥Ý¡¼¥È¤Þ¤¿¤Ï¥Ý¡¼¥ÈÈϰϤλØÄê¡£
+¾ÜºÙ¤Ï TCP ³ÈÄ¥¤Î
+.B --destination-port
+¥ª¥×¥·¥ç¥ó¤ÎÀâÌÀ¤ò»²¾È¤¹¤ë¤³¤È¡£
+.SS ipv6-icmp
+.\"O This extension is loaded if `--protocol ipv6-icmp' or `--protocol icmpv6' is
+.\"O specified. It provides the following option:
+¤³¤ì¤é¤Î³ÈÄ¥¤Ï `--protocol ipv6-icmp'
+¤Þ¤¿¤Ï `--protocol icmpv6' ¤¬»ØÄꤵ¤ì¤¿¾ì¹ç¤Ë¥í¡¼¥É¤µ¤ì¡¢
+°Ê²¼¤Î¥ª¥×¥·¥ç¥ó¤¬Ä󶡤µ¤ì¤ë:
+.TP
+.BR "--icmpv6-type " "[!] \fItypename\fP"
+.\"O This allows specification of the ICMP type, which can be a numeric
+.\"O IPv6-ICMP type, or one of the IPv6-ICMP type names shown by the command
+¿ôÃͤΠIPv6-ICMP ¥¿¥¤¥×¡¢¤Þ¤¿¤Ï¥³¥Þ¥ó¥É
+.nf
+ ip6tables -p ipv6-icmp -h
+.fi
+¤Çɽ¼¨¤µ¤ì¤ë IPv6-ICMP ¥¿¥¤¥×̾¤ò»ØÄê¤Ç¤¤ë¡£
+.SS mac
+.TP
+.BR "--mac-source " "[!] \fIaddress\fP"
+.\"O Match source MAC address. It must be of the form XX:XX:XX:XX:XX:XX.
+.\"O Note that this only makes sense for packets coming from an Ethernet device
+.\"O and entering the
+.\"O .BR PREROUTING ,
+.\"O .B FORWARD
+.\"O or
+.\"O .B INPUT
+.\"O chains.
+Á÷¿®¸µ MAC ¥¢¥É¥ì¥¹¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
+.I address
+¤Ï XX:XX:XX:XX:XX:XX ¤È¤¤¤¦·Á¼°¤Ç¤Ê¤±¤ì¤Ð¤Ê¤é¤Ê¤¤¡£
+¥¤¡¼¥µ¡¼¥Í¥Ã¥È¥Ç¥Ð¥¤¥¹¤«¤éÆþ¤Ã¤Æ¤¯¤ë¥Ñ¥±¥Ã¥È¤Ç¡¢
+.BR PREROUTING ,
+.BR FORWARD ,
+.B INPUT
+¥Á¥§¥¤¥ó¤ËÆþ¤ë¥Ñ¥±¥Ã¥È¤Ë¤·¤«°ÕÌ£¤¬¤Ê¤¤ÅÀ¤ËÃí°Õ¤¹¤ë¤³¤È¡£
+.SS limit
+.\"O This module matches at a limited rate using a token bucket filter.
+.\"O A rule using this extension will match until this limit is reached
+.\"O (unless the `!' flag is used). It can be used in combination with the
+.\"O .B LOG
+.\"O target to give limited logging, for example.
+¤³¤Î¥â¥¸¥å¡¼¥ë¤Ï¡¢¥È¡¼¥¯¥ó¥Ð¥±¥Ä¥Õ¥£¥ë¥¿¤ò»È¤¤¡¢
+ñ°Ì»þ´Ö¤¢¤¿¤êÀ©¸Â¤µ¤ì¤¿²ó¿ô¤À¤±¥Þ¥Ã¥Á¤¹¤ë¡£
+¤³¤Î³ÈÄ¥¤ò»È¤Ã¤¿¥ë¡¼¥ë¤Ï¡¢(`!' ¥Õ¥é¥°¤¬»ØÄꤵ¤ì¤Ê¤¤¸Â¤ê)
+À©¸Â¤Ë㤹¤ë¤Þ¤Ç¥Þ¥Ã¥Á¤¹¤ë¡£
+¤³¤Î¥â¥¸¥å¡¼¥ë¤Ï¡¢¥í¥°µÏ¿¤òÀ©¸Â¤¹¤ë
+.B LOG
+¥¿¡¼¥²¥Ã¥È¤ÈÁȤ߹ç¤ï¤»¤Æ»È¤¦¤³¤È¤¬¤Ç¤¤ë¡£
+¤¿¤È¤¨¤Ð¡¢
+.TP
+.BI "--limit " "rate"
+.\"O Maximum average matching rate: specified as a number, with an optional
+.\"O `/second', `/minute', `/hour', or `/day' suffix; the default is
+.\"O 3/hour.
+ñ°Ì»þ´Ö¤¢¤¿¤ê¤ÎÊ¿¶Ñ¥Þ¥Ã¥Á²ó¿ô¤ÎºÇÂçÃÍ¡£
+¿ôÃͤǻØÄꤵ¤ì¡¢Åº»ú `/second', `/minute',
+`/hour', `/day' ¤òÉÕ¤±¤ë¤³¤È¤â¤Ç¤¤ë¡£
+¥Ç¥Õ¥©¥ë¥È¤Ï 3/hour ¤Ç¤¢¤ë¡£
+.TP
+.BI "--limit-burst " "number"
+.\"O Maximum initial number of packets to match: this number gets
+.\"O recharged by one every time the limit specified above is not reached,
+.\"O up to this number; the default is 5.
+¥Ñ¥±¥Ã¥È¤¬¥Þ¥Ã¥Á¤¹¤ë²ó¿ô¤ÎºÇÂç½é´üÃÍ:
+¾å¤Î¥ª¥×¥·¥ç¥ó¤Ç»ØÄꤷ¤¿À©¸Â¤Ë㤷¤Ê¤±¤ì¤Ð¡¢
+¤½¤ÎÅÙ¤´¤È¤Ë¡¢¤³¤Î¿ôÃͤˤʤë¤Þ¤Ç 1 ¸Ä¤º¤ÄÁý¤ä¤µ¤ì¤ë¡£
+¥Ç¥Õ¥©¥ë¥È¤Ï 5 ¤Ç¤¢¤ë¡£
+.SS multiport
+.\"O This module matches a set of source or destination ports. Up to 15
+.\"O ports can be specified. It can only be used in conjunction with
+.\"O .B "-p tcp"
+.\"O or
+.\"O .BR "-p udp" .
+¤³¤Î¥â¥¸¥å¡¼¥ë¤ÏÁ÷¿®¸µ¤äÁ÷¿®Àè¤Î¥Ý¡¼¥È¤Î½¸¹ç¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
+¥Ý¡¼¥È¤Ï 15 ¸Ä¤Þ¤Ç»ØÄê¤Ç¤¤ë¡£
+¤³¤Î¥â¥¸¥å¡¼¥ë¤Ï
+.B "-p tcp"
+¤Þ¤¿¤Ï
+.B "-p udp"
+¤ÈÁȤ߹ç¤ï¤»¤Æ»È¤¦¤³¤È¤·¤«¤Ç¤¤Ê¤¤¡£
+.TP
+.BR "--source-ports " "\fIport\fP[,\fIport\fP[,\fIport\fP...]]"
+.\"O Match if the source port is one of the given ports. The flag
+.\"O .B --sports
+.\"O is a convenient alias for this option.
+Á÷¿®¸µ¥Ý¡¼¥È¤¬»ØÄꤵ¤ì¤¿¥Ý¡¼¥È¤Î¤¦¤Á¤Î¤¤¤º¤ì¤«¤Ç¤¢¤ì¤Ð¥Þ¥Ã¥Á¤¹¤ë¡£
+¥Õ¥é¥°
+.B --sports
+¤Ï¡¢¤³¤Î¥ª¥×¥·¥ç¥ó¤ÎÊØÍø¤ÊÊÌ̾¤Ç¤¢¤ë¡£
+.TP
+.BR "--destination-ports " "\fIport\fP[,\fIport\fP[,\fIport\fP...]]"
+.\"O Match if the destination port is one of the given ports. The flag
+.\"O .B --dports
+.\"O is a convenient alias for this option.
+Á÷¿®Àè¥Ý¡¼¥È¤¬»ØÄꤵ¤ì¤¿¥Ý¡¼¥È¤Î¤¦¤Á¤Î¤¤¤º¤ì¤«¤Ç¤¢¤ì¤Ð¥Þ¥Ã¥Á¤¹¤ë¡£
+¥Õ¥é¥°
+.B --dports
+¤Ï¡¢¤³¤Î¥ª¥×¥·¥ç¥ó¤ÎÊØÍø¤ÊÊÌ̾¤Ç¤¢¤ë¡£
+.TP
+.BR "--ports " "\fIport\fP[,\fIport\fP[,\fIport\fP...]]"
+.\"O Match if the both the source and destination ports are equal to each
+.\"O other and to one of the given ports.
+Á÷¿®¸µ¤ÈÁ÷¿®Àè¥Ý¡¼¥È¤ÎξÊý¤¬¸ß¤¤¤ËÅù¤·¤¤¤«¡¢
+»ØÄꤵ¤ì¤¿¥Ý¡¼¥È¤Î¤¦¤Á¤Î¤¤¤º¤ì¤«¤Ç¤¢¤ì¤Ð¥Þ¥Ã¥Á¤¹¤ë¡£
+.SS mark
+.\"O This module matches the netfilter mark field associated with a packet
+.\"O (which can be set using the
+.\"O .B MARK
+.\"O target below).
+¤³¤Î¥â¥¸¥å¡¼¥ë¤Ï¥Ñ¥±¥Ã¥È¤Ë´ØÏ¢¤Å¤±¤é¤ì¤¿
+netfilter ¤Î mark ¥Õ¥£¡¼¥ë¥É¤Ë¥Þ¥Ã¥Á¤¹¤ë
+(¤³¤Î¥Õ¥£¡¼¥ë¥É¤Ï¡¢°Ê²¼¤Î
+.B MARK
+¥¿¡¼¥²¥Ã¥È¤ÇÀßÄꤵ¤ì¤ë)¡£
+.TP
+.BR "--mark " "\fIvalue\fP[/\fImask\fP]"
+.\"O Matches packets with the given unsigned mark value (if a mask is
+.\"O specified, this is logically ANDed with the mask before the
+.\"O comparison).
+»ØÄꤵ¤ì¤¿Éä¹æ¤Ê¤· mark ÃͤΥѥ±¥Ã¥È¤Ë¥Þ¥Ã¥Á¤¹¤ë
+(mask ¤¬»ØÄꤵ¤ì¤ë¤È¡¢Èæ³Ó¤ÎÁ°¤Ë mask ¤È¤ÎÏÀÍýÀÑ (AND) ¤¬¤È¤é¤ì¤ë)¡£
+.SS owner
+.\"O This module attempts to match various characteristics of the packet
+.\"O creator, for locally-generated packets. It is only valid in the
+.\"O .B OUTPUT
+.\"O chain, and even this some packets (such as ICMP ping responses) may
+.\"O have no owner, and hence never match. This is regarded as experimental.
+¤³¤Î¥â¥¸¥å¡¼¥ë¤Ï¡¢¥í¡¼¥«¥ë¤ÇÀ¸À®¤µ¤ì¤¿¥Ñ¥±¥Ã¥È¤ËÉÕ¤¤¤Æ¡¢
+¥Ñ¥±¥Ã¥ÈÀ¸À®¼Ô¤Î¤¤¤í¤¤¤í¤ÊÆÃÀ¤È¤Î¥Þ¥Ã¥Á¥ó¥°¤ò¤È¤ë¡£
+¤³¤ì¤Ï
+.B OUTPUT
+¥Á¥§¥¤¥ó¤Î¤ß¤Ç¤·¤«Í¸ú¤Ç¤Ê¤¤¡£
+¤Þ¤¿¡¢(ICMP ping ±þÅú¤Î¤è¤¦¤Ê) ¥Ñ¥±¥Ã¥È¤Ï¡¢
+½êͼԤ¬¤¤¤Ê¤¤¤Î¤ÇÀäÂФ˥ޥåÁ¤·¤Ê¤¤¡£
+¤³¤ì¤Ï¼Â¸³Åª¤Ê¤â¤Î¤È¤¤¤¦°·¤¤¤Ç¤¢¤ë¡£
+.TP
+.BI "--uid-owner " "userid"
+.\"O Matches if the packet was created by a process with the given
+.\"O effective user id.
+»ØÄꤵ¤ì¤¿¼Â¸ú¥æ¡¼¥¶¡¼ ID ¤Î¥×¥í¥»¥¹¤Ë¤è¤ê
+¥Ñ¥±¥Ã¥È¤¬À¸À®¤µ¤ì¤Æ¤¤¤ë¾ì¹ç¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
+.TP
+.BI "--gid-owner " "groupid"
+.\"O Matches if the packet was created by a process with the given
+.\"O effective group id.
+»ØÄꤵ¤ì¤¿¼Â¸ú¥°¥ë¡¼¥× ID ¤Î¥×¥í¥»¥¹¤Ë¤è¤ê
+¥Ñ¥±¥Ã¥È¤¬À¸À®¤µ¤ì¤Æ¤¤¤ë¾ì¹ç¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
+.TP
+.BI "--pid-owner " "processid"
+.\"O Matches if the packet was created by a process with the given
+.\"O process id.
+»ØÄꤵ¤ì¤¿¥×¥í¥»¥¹ ID ¤Î¥×¥í¥»¥¹¤Ë¤è¤ê
+¥Ñ¥±¥Ã¥È¤¬À¸À®¤µ¤ì¤Æ¤¤¤ë¾ì¹ç¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
+.TP
+.BI "--sid-owner " "sessionid"
+.\"O Matches if the packet was created by a process in the given session
+.\"O group.
+»ØÄꤵ¤ì¤¿¥»¥Ã¥·¥ç¥ó¥°¥ë¡¼¥×¤Î¥×¥í¥»¥¹¤Ë¤è¤ê
+¥Ñ¥±¥Ã¥È¤¬À¸À®¤µ¤ì¤Æ¤¤¤ë¾ì¹ç¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
+.\" .SS state
+.\"O .\" This module, when combined with connection tracking, allows access to
+.\"O .\" the connection tracking state for this packet.
+.\" ¤³¤Î¥â¥¸¥å¡¼¥ë¤Ï¡¢ÀܳÄÉÀ× (connection tracking) ¤ÈÁȤ߹ç¤ï¤»¤ÆÍѤ¤¤ë¤È¡¢
+.\" ¥Ñ¥±¥Ã¥È¤Ë¤Ä¤¤¤Æ¤ÎÀܳÄÉÀ×¾õÂÖ¤òÃΤ뤳¤È¤¬¤Ç¤¤ë¡£
+.\" .TP
+.\" .BI "--state " "state"
+.\"O .\" Where state is a comma separated list of the connection states to
+.\"O .\" match. Possible states are
+.\"O .\" .B INVALID
+.\"O .\" meaning that the packet is associated with no known connection,
+.\"O .\" .B ESTABLISHED
+.\"O .\" meaning that the packet is associated with a connection which has seen
+.\"O .\" packets in both directions,
+.\" state ¤Ï¡¢¥Þ¥Ã¥Á¥ó¥°¤ò¹Ô¤¦¤¿¤á¤Î¡¢¥³¥ó¥Þ¤Ç¶èÀÚ¤é¤ì¤¿Àܳ¾õÂ֤Υꥹ¥È¤Ç¤¢¤ë¡£
+.\" »ØÄê²Äǽ¤Ê state ¤Ï°Ê²¼¤ÎÄ̤ꡣ
+.\" .BR INVALID :
+.\" ¤³¤Î¥Ñ¥±¥Ã¥È¤Ï´ûÃΤÎÀܳ¤È´Ø·¸¤·¤Æ¤¤¤Ê¤¤¡£
+.\" .BR ESTABLISHED :
+.\" ¤³¤Î¥Ñ¥±¥Ã¥È¤ÏÁÐÊý¸þÀܳ¤Î¥Ñ¥±¥Ã¥È¤ÈȽÌÀ¤·¤¿¡£
+.\"O .\" .B NEW
+.\"O .\" meaning that the packet has started a new connection, or otherwise
+.\"O .\" associated with a connection which has not seen packets in both
+.\"O .\" directions, and
+.\" .BR NEW :
+.\" ¤³¤Î¥Ñ¥±¥Ã¥È¤¬¿·¤·¤¤Àܳ¤ò³«»Ï¤·¤¿¤«¡¢
+.\" ÁÐÊý¸þÀܳ¤Î¥Ñ¥±¥Ã¥È¤Ç¤Ê¤¤¤â¤Î¤ÈȽÌÀ¤·¤¿¡£
+.\"O .\" .B RELATED
+.\"O .\" meaning that the packet is starting a new connection, but is
+.\"O .\" associated with an existing connection, such as an FTP data transfer,
+.\"O .\" or an ICMP error.
+.\" .BR RELATED :
+.\" ¤³¤Î¥Ñ¥±¥Ã¥È¤¬¿·¤·¤¤Àܳ¤ò³«»Ï¤·¤Æ¤¤¤ë¤¬¡¢
+.\" FTP ¥Ç¡¼¥¿Å¾Á÷¤ä ICMP ¥¨¥é¡¼¤Î¤è¤¦¤Ë¡¢´û¸¤ÎÀܳ¤Ë´Ø·¸¤·¤Æ¤¤¤ë¡£
+.\" .SS unclean
+.\"O .\" This module takes no options, but attempts to match packets which seem
+.\"O .\" malformed or unusual. This is regarded as experimental.
+.\" ¤³¤Î¥â¥¸¥å¡¼¥ë¤Ë¤Ï¥ª¥×¥·¥ç¥ó¤¬¤Ê¤¤¤¬¡¢
+.\" ¤ª¤«¤·¤¯Àµ¾ï¤Ç¤Ê¤¤¤è¤¦¤Ë¸«¤¨¤ë¥Ñ¥±¥Ã¥È¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
+.\" ¤³¤ì¤Ï¼Â¸³Åª¤Ê¤â¤Î¤È¤·¤Æ°·¤ï¤ì¤Æ¤¤¤ë¡£
+.\" .SS tos
+.\"O .\" This module matches the 8 bits of Type of Service field in the IP
+.\"O .\" header (ie. including the precedence bits).
+.\" ¤³¤Î¥â¥¸¥å¡¼¥ë¤Ï IP ¥Ø¥Ã¥À¡¼¤Î (¾å°Ì¥Ó¥Ã¥È¤ò´Þ¤à) 8 ¥Ó¥Ã¥È¤Î
+.\" Type of Service ¥Õ¥£¡¼¥ë¥É¤Ë¥Þ¥Ã¥Á¤¹¤ë
+.\" .TP
+.\" .BI "--tos " "tos"
+.\"O .\" The argument is either a standard name, (use
+.\"O .\" .br
+.\"O .\" iptables -m tos -h
+.\"O .\" .br
+.\"O .\" to see the list), or a numeric value to match.
+.\" °ú¤¿ô¤Ï¡¢¥Þ¥Ã¥Á¤ò¹Ô¤¦É¸½àŪ¤Ê̾Á°¤Ç¤â¿ôÃͤǤâ¤è¤¤
+.\" (̾Á°¤Î¥ê¥¹¥È¤ò¸«¤ë¤Ë¤Ï
+.\" .br
+.\" iptables -m tos -h
+.\" .br
+.\" ¤ò»È¤¦¤³¤È)¡£
+.\"O .SH TARGET EXTENSIONS
+.SH ¥¿¡¼¥²¥Ã¥È¤Î³ÈÄ¥
+.\"O iptables can use extended target modules: the following are included
+.\"O in the standard distribution.
+iptables ¤Ï³ÈÄ¥¥¿¡¼¥²¥Ã¥È¥â¥¸¥å¡¼¥ë¤ò»È¤¦¤³¤È¤¬¤Ç¤¤ë:
+°Ê²¼¤Î¤â¤Î¤¬¡¢É¸½àŪ¤Ê¥Ç¥£¥¹¥È¥ê¥Ó¥å¡¼¥·¥ç¥ó¤Ë´Þ¤Þ¤ì¤Æ¤¤¤ë¡£
+.SS LOG
+.\"O Turn on kernel logging of matching packets. When this option is set
+.\"O for a rule, the Linux kernel will print some information on all
+.\"O matching packets (like most IPv6 IPv6-header fields) via the kernel log
+.\"O (where it can be read with
+.\"O .I dmesg
+.\"O or
+.\"O .IR syslogd (8)).
+¥Þ¥Ã¥Á¤·¤¿¥Ñ¥±¥Ã¥È¤ò¥«¡¼¥Í¥ë¥í¥°¤ËµÏ¿¤¹¤ë¡£
+¤³¤Î¥ª¥×¥·¥ç¥ó¤¬¥ë¡¼¥ë¤ËÂФ·¤ÆÀßÄꤵ¤ì¤ë¤È¡¢
+Linux ¥«¡¼¥Í¥ë¤Ï¥Þ¥Ã¥Á¤·¤¿¥Ñ¥±¥Ã¥È¤Ë¤Ä¤¤¤Æ¤Î
+(IPv6 ¤Ë¤ª¤±¤ëÂçÉôʬ¤Î IPv6 ¥Ø¥Ã¥À¥Õ¥£¡¼¥ë¥É¤Î¤è¤¦¤Ê) ²¿¤é¤«¤Î¾ðÊó¤ò
+¥«¡¼¥Í¥ë¥í¥°¤Ëɽ¼¨¤¹¤ë
+(¥«¡¼¥Í¥ë¥í¥°¤Ï
+.I dmesg
+¤Þ¤¿¤Ï
+.IR syslogd (8)
+¤Ç¸«¤ë¤³¤È¤¬¤Ç¤¤ë)¡£
+.\"O This is a "non-terminating target", i.e. rule traversal continues at
+.\"O the next rule. So if you want to LOG the packets you refuse, use two
+.\"O separate rules with the same matching criteria, first using target LOG
+.\"O then DROP (or REJECT).
+¤³¤ì¤Ï¡ÖÈó½ªÎ»¥¿ ¡¼¥²¥Ã¥È¡×¤Ç¤¢¤ë¡£
+¤¹¤Ê¤ï¤Á¡¢¥ë¡¼¥ë¤Î¸¡Æ¤¤Ï¡¢¼¡¤Î¥ë¡¼¥ë¤Ø¤È·Ñ³¤µ¤ì¤ë¡£
+¤è¤Ã¤Æ¡¢µñÈݤ¹¤ë¥Ñ¥±¥Ã¥È¤ò¥í¥°µÏ¿¤·¤¿¤±¤ì¤Ð¡¢
+Ʊ¤¸¥Þ¥Ã¥Á¥ó¥°È½ÃÇ´ð½à¤ò»ý¤Ä 2 ¤Ä¤Î¥ë¡¼¥ë¤ò»ÈÍѤ·¡¢
+ºÇ½é¤Î¥ë¡¼¥ë¤Ç LOG ¥¿¡¼¥²¥Ã¥È¤ò¡¢
+¼¡¤Î¥ë¡¼¥ë¤Ç DROP (¤Þ¤¿¤Ï REJECT) ¥¿¡¼¥²¥Ã¥È¤ò»ØÄꤹ¤ë¡£
+.TP
+.BI "--log-level " "level"
+.\"O Level of logging (numeric or see \fIsyslog.conf\fP(5)).
+¥í¥°µÏ¿¤Î¥ì¥Ù¥ë (¿ôÃͤǻØÄꤹ¤ë¤«¡¢
+(ÌõÃð: ̾Á°¤Ç»ØÄꤹ¤ë¾ì¹ç¤Ï) \fIsyslog.conf\fP(5) ¤ò»²¾È¤¹¤ë¤³¤È)¡£
+.TP
+.BI "--log-prefix " "prefix"
+.\"O Prefix log messages with the specified prefix; up to 29 letters long,
+.\"O and useful for distinguishing messages in the logs.
+»ØÄꤷ¤¿¥×¥ì¥Õ¥£¥Ã¥¯¥¹¤ò¥í¥°¥á¥Ã¥»¡¼¥¸¤ÎÁ°¤ËÉÕ¤±¤ë¡£
+¥×¥ì¥Õ¥£¥Ã¥¯¥¹¤Ï 29 ʸ»ú¤Þ¤Ç¤ÎŤµ¤Ç¡¢
+¥í¥°¤Î¤Ê¤«¤Ç¥á¥Ã¥»¡¼¥¸¤ò¶èÊ̤¹¤ë¤Î¤ËÌòΩ¤Ä¡£
+.TP
+.B --log-tcp-sequence
+.\"O Log TCP sequence numbers. This is a security risk if the log is
+.\"O readable by users.
+TCP ¥·¡¼¥±¥ó¥¹ÈÖ¹æ¤ò¥í¥°¤ËµÏ¿¤¹¤ë¡£
+¥í¥°¤¬¥æ¡¼¥¶¡¼¤«¤éÆɤá¤ë¾ì¹ç¡¢¥»¥¥å¥ê¥Æ¥£¾å¤Î´í¸±¤¬¤¢¤ë¡£
+.TP
+.B --log-tcp-options
+.\"O Log options from the TCP packet header.
+TCP ¥Ñ¥±¥Ã¥È¥Ø¥Ã¥À¤Î¥ª¥×¥·¥ç¥ó¤ò¥í¥°¤ËµÏ¿¤¹¤ë¡£
+.TP
+.B --log-ip-options
+.\"O Log options from the IPv6 packet header.
+IPv6 ¥Ñ¥±¥Ã¥È¥Ø¥Ã¥À¤Î¥ª¥×¥·¥ç¥ó¤ò¥í¥°¤ËµÏ¿¤¹¤ë¡£
+.SS MARK
+.\"O This is used to set the netfilter mark value associated with the
+.\"O packet. It is only valid in the
+.\"O .B mangle
+.\"O table.
+¥Ñ¥±¥Ã¥È¤Ë´ØÏ¢¤Å¤±¤é¤ì¤¿ netfilter ¤Î mark Ãͤò»ØÄꤹ¤ë¡£
+.B mangle
+¥Æ¡¼¥Ö¥ë¤Î¤ß¤Ç͸ú¤Ç¤¢¤ë¡£
+.TP
+.BI "--set-mark " "mark"
+.SS REJECT
+.\"O This is used to send back an error packet in response to the matched
+.\"O packet: otherwise it is equivalent to
+.\"O .B DROP
+.\"O so it is a terminating TARGET, ending rule traversal.
+¥Þ¥Ã¥Á¤·¤¿¥Ñ¥±¥Ã¥È¤Î±þÅú¤È¤·¤Æ¥¨¥é¡¼¥Ñ¥±¥Ã¥È¤òÁ÷¿®¤¹¤ë¤¿¤á¤Ë»È¤ï¤ì¤ë¡£
+¥¨¥é¡¼¥Ñ¥±¥Ã¥È¤òÁ÷¤é¤Ê¤±¤ì¤Ð¡¢
+.B DROP
+¤ÈƱ¤¸¤Ç¤¢¤ê¡¢
+TARGET ¤ò½ªÎ»¤·¡¢¥ë¡¼¥ë¤Î¸¡Æ¤¤ò½ªÎ»¤¹¤ë¡£
+.\"O This target is only valid in the
+.\"O .BR INPUT ,
+.\"O .B FORWARD
+.\"O and
+.\"O .B OUTPUT
+.\"O chains, and user-defined chains which are only called from those
+.\"O chains. The following option controls the nature of the error packet
+.\"O returned:
+¤³¤Î¥¿¡¼¥²¥Ã¥È¤Ï¡¢
+.BR INPUT ,
+.BR FORWARD ,
+.B OUTPUT
+¥Á¥§¥¤¥ó¤È¡¢¤³¤ì¤é¤Î¥Á¥§¥¤¥ó¤«¤é¸Æ¤Ð¤ì¤ë
+¥æ¡¼¥¶¡¼ÄêµÁ¥Á¥§¥¤¥ó¤À¤±¤Ç͸ú¤Ç¤¢¤ë¡£
+°Ê²¼¤Î¥ª¥×¥·¥ç¥ó¤Ï¡¢ÊÖ¤µ¤ì¤ë¥¨¥é¡¼¥Ñ¥±¥Ã¥È¤ÎÆÃÀ¤òÀ©¸æ¤¹¤ë¡£
+.TP
+.BI "--reject-with " "type"
+.\"O The type given can be
+type ¤È¤·¤Æ»ØÄê²Äǽ¤Ê¤â¤Î¤Ï
+.nf
+.B " icmp6-no-route"
+.B " no-route"
+.B " icmp6-adm-prohibited"
+.B " adm-prohibited"
+.B " icmp6-addr-unreachable"
+.B " addr-unreach"
+.B " icmp6-port-unreachable"
+.B " port-unreach"
+.fi
+.\"O which return the appropriate IPv6-ICMP error message (\fBport-unreach\fP is
+.\"O the default).
+¤Ç¤¢¤ê¡¢Å¬ÀÚ¤Ê IPv6-ICMP ¥¨¥é¡¼¥á¥Ã¥»¡¼¥¸¤òÊÖ¤¹
+(\fBport-unreach\fP ¤¬¥Ç¥Õ¥©¥ë¥È¤Ç¤¢¤ë)¡£
+.\"O Finally, the option
+.\"O .B tcp-reset
+.\"O can be used on rules which only match the TCP protocol: this causes a
+.\"O TCP RST packet to be sent back. This is mainly useful for blocking
+.\"O .I ident
+.\"O (113/tcp) probes which frequently occur when sending mail to broken mail
+.\"O hosts (which won't accept your mail otherwise).
+¤µ¤é¤Ë¡¢TCP ¥×¥í¥È¥³¥ë¤Ë¤Î¤ß¥Þ¥Ã¥Á¤¹¤ë¥ë¡¼¥ë¤ËÂФ·¤Æ¡¢¥ª¥×¥·¥ç¥ó
+.B tcp-reset
+¤ò»È¤¦¤³¤È¤¬¤Ç¤¤ë¡£
+¤³¤Î¥ª¥×¥·¥ç¥ó¤ò»È¤¦¤È¡¢TCP RST ¥Ñ¥±¥Ã¥È¤¬Á÷¤êÊÖ¤µ¤ì¤ë¡£
+¼ç¤È¤·¤Æ
+.I ident
+(113/tcp) ¤Ë¤è¤ëõºº¤òÁ˻ߤ¹¤ë¤Î¤ËÌòΩ¤Ä¡£
+.I ident
+¤Ë¤è¤ëõºº¤Ï¡¢²õ¤ì¤Æ¤¤¤ë (¥á¡¼¥ë¤ò¼õ¤±¼è¤é¤Ê¤¤) ¥á¡¼¥ë¥Û¥¹¥È¤Ë
+¥á¡¼¥ë¤¬Á÷¤é¤ì¤ë¾ì¹ç¤ËÉÑÈˤ˵¯¤³¤ë¡£
+.\" .SS TOS
+.\"O .\" This is used to set the 8-bit Type of Service field in the IP header.
+.\"O .\" It is only valid in the
+.\"O .\" .B mangle
+.\"O .\" table.
+.\" IP ¥Ø¥Ã¥À¤Î 8 ¥Ó¥Ã¥È¤Î Type of Service ¥Õ¥£¡¼¥ë¥É¤òÀßÄꤹ¤ë¤¿¤á¤Ë»È¤ï¤ì¤ë¡£
+.\" .B mangle
+.\" ¥Æ¡¼¥Ö¥ë¤Î¤ß¤Ç͸ú¤Ç¤¢¤ë¡£
+.\" .TP
+.\" .BI "--set-tos " "tos"
+.\"O .\" You can use a numeric TOS values, or use
+.\"O .\" .br
+.\"O .\" iptables -j TOS -h
+.\"O .\" .br
+.\"O .\" to see the list of valid TOS names.
+.\" TOS ¤òÈÖ¹æ¤Ç»ØÄꤹ¤ë¤³¤È¤¬¤Ç¤¤ë¡£
+.\" ¤Þ¤¿¡¢
+.\" .br
+.\" iptables -j TOS -h
+.\" .br
+.\" ¤ò¼Â¹Ô¤·¤ÆÆÀ¤é¤ì¤ë¡¢»ÈÍѲÄǽ¤Ê TOS ̾¤Î°ìÍ÷¤Ë¤¢¤ë TOS ̾¤â»ØÄê¤Ç¤¤ë¡£
+.\" .SS MIRROR
+.\"O .\" This is an experimental demonstration target which inverts the source
+.\"O .\" and destination fields in the IP header and retransmits the packet.
+.\" ¼Â¸³Åª¤Ê¥Ç¥â¥ó¥¹¥È¥ì¡¼¥·¥ç¥óÍѤΥ¿¡¼¥²¥Ã¥È¤Ç¤¢¤ê¡¢
+.\" IP ¥Ø¥Ã¥À¤ÎÁ÷¿®¸µ¤ÈÁ÷¿®Àè¥Õ¥£¡¼¥ë¥É¤òÆþ¤ì´¹¤¨¡¢
+.\" ¥Ñ¥±¥Ã¥È¤òºÆÁ÷¿®¤¹¤ë¤â¤Î¤Ç¤¢¤ë¡£
+.\"O .\" It is only valid in the
+.\"O .\" .BR INPUT ,
+.\"O .\" .B FORWARD
+.\"O .\" and
+.\"O .\" .B PREROUTING
+.\"O .\" chains, and user-defined chains which are only called from those
+.\"O .\" chains.
+.\" ¤³¤ì¤Ï
+.\" .BR INPUT ,
+.\" .BR FORWARD ,
+.\" .B PREROUTING
+.\" ¥Á¥§¥¤¥ó¤È¡¢¤³¤ì¤é¤Î¥Á¥§¥¤¥ó¤«¤é¸Æ¤Ó½Ð¤µ¤ì¤ë
+.\" ¥æ¡¼¥¶¡¼ÄêµÁ¥Á¥§¥¤¥ó¤À¤±¤Ç͸ú¤Ç¤¢¤ë¡£
+.\"O .\" Note that the outgoing packets are
+.\"O .\" .B NOT
+.\"O .\" seen by any packet filtering chains, connection tracking or NAT, to
+.\"O .\" avoid loops and other problems.
+.\" ¥ë¡¼¥×Åù¤ÎÌäÂê¤ò²óÈò¤¹¤ë¤¿¤á¡¢³°Éô¤ËÁ÷¤é¤ì¤ë¥Ñ¥±¥Ã¥È¤Ï
+.\" ¤¤¤«¤Ê¤ë¥Ñ¥±¥Ã¥È¥Õ¥£¥ë¥¿¥ê¥ó¥°¥Á¥§¥¤¥ó¡¦ÀܳÄÉÀס¦NAT ¤«¤é¤â
+.\" ´Æ»ë\fB¤µ¤ì¤Ê¤¤\fR ¡£
+.\" .SS SNAT
+.\"O .\" This target is only valid in the
+.\"O .\" .B nat
+.\"O .\" table, in the
+.\"O .\" .B POSTROUTING
+.\"O .\" chain. It specifies that the source address of the packet should be
+.\"O .\" modified (and all future packets in this connection will also be
+.\"O .\" mangled), and rules should cease being examined. It takes one option:
+.\" ¤³¤Î¥¿¡¼¥²¥Ã¥È¤Ï
+.\" .B nat
+.\" ¥Æ¡¼¥Ö¥ë¤È
+.\" .B POSTROUTING
+.\" ¥Á¥§¥¤¥ó¤Î¤ß¤Ç͸ú¤Ç¤¢¤ë¡£
+.\" ¤³¤Î¥¿¡¼¥²¥Ã¥È¤Ï¥Ñ¥±¥Ã¥È¤ÎÁ÷¿®¸µ¥¢¥É¥ì¥¹¤ò½¤Àµ¤µ¤»¤ë
+.\" (¤³¤ÎÀܳ¤Î°Ê¹ß¤Î¥Ñ¥±¥Ã¥È¤â½¤Àµ¤·¤Æʬ¤«¤é¤Ê¤¯¤¹¤ë (mangle))¡£
+.\" ¤µ¤é¤Ë¡¢¥ë¡¼¥ë¤¬É¾²Á¤òÃæ»ß¤¹¤ë¤è¤¦¤Ë»Ø¼¨¤¹¤ë¡£
+.\" ¤³¤Î¥¿¡¼¥²¥Ã¥È¤Ë¤Ï¥ª¥×¥·¥ç¥ó¤¬ 1 ¤Ä¤¢¤ë:
+.\" .TP
+.\" .BR "--to-source " "\fIipaddr\fP[-\fIipaddr\fP][:\fIport\fP-\fIport\fP]"
+.\"O .\" which can specify a single new source IP address, an inclusive range
+.\"O .\" of IP addresses, and optionally, a port range (which is only valid if
+.\"O .\" the rule also specifies
+.\"O .\" .B "-p tcp"
+.\"O .\" or
+.\"O .\" .BR "-p udp" ).
+.\" 1 ¤Ä¤Î¿·¤·¤¤Á÷¿®¸µ IP ¥¢¥É¥ì¥¹¡¢¤Þ¤¿¤Ï IP ¥¢¥É¥ì¥¹¤ÎÈϰϤ¬»ØÄê¤Ç¤¤ë¡£
+.\" ¥ª¥×¥·¥ç¥ó¤È¤·¤Æ¡¢¥Ý¡¼¥È¤ÎÈϰϤ¬»ØÄê¤Ç¤¤ë
+.\" (¥ë¡¼¥ë¤¬
+.\" .B "-p tcp"
+.\" ¤Þ¤¿¤Ï
+.\" .B "-p udp"
+.\" ¤ò»ØÄꤷ¤Æ¤¤¤ë¾ì¹ç¤Ë¤Î¤ß͸ú)¡£
+.\"O .\" If no port range is specified, then source ports below 512 will be
+.\"O .\" mapped to other ports below 512: those between 512 and 1023 inclusive
+.\"O .\" will be mapped to ports below 1024, and other ports will be mapped to
+.\"O .\" 1024 or above. Where possible, no port alteration will occur.
+.\" ¥Ý¡¼¥È¤ÎÈϰϤ¬»ØÄꤵ¤ì¤Æ¤¤¤Ê¤¤¾ì¹ç¡¢
+.\" 512 ̤Ëþ¤ÎÁ÷¿®¸µ¥Ý¡¼¥È¤Ï¡¢Â¾¤Î 512 ̤Ëþ¤Î¥Ý¡¼¥È¤Ë¥Þ¥Ã¥Ô¥ó¥°¤µ¤ì¤ë¡£
+.\" 512 ¡Á 1023 ¤Þ¤Ç¤Î¥Ý¡¼¥È¤Ï¡¢1024 ̤Ëþ¤Î¥Ý¡¼¥È¤Ë¥Þ¥Ã¥Ô¥ó¥°¤µ¤ì¤ë¡£
+.\" ¤½¤ì°Ê³°¤Î¥Ý¡¼¥È¤Ï¡¢1024 °Ê¾å¤Î¥Ý¡¼¥È¤Ë¥Þ¥Ã¥Ô¥ó¥°¤µ¤ì¤ë¡£
+.\" ²Äǽ¤Ç¤¢¤ì¤Ð¡¢¥Ý¡¼¥È¤ÎÊÑ´¹¤Ïµ¯¤³¤é¤Ê¤¤¡£
+.\" .SS DNAT
+.\"O .\" This target is only valid in the
+.\"O .\" .B nat
+.\"O .\" table, in the
+.\"O .\" .B PREROUTING
+.\"O .\" and
+.\"O .\" .B OUTPUT
+.\"O .\" chains, and user-defined chains which are only called from those
+.\"O .\" chains. It specifies that the destination address of the packet
+.\"O .\" should be modified (and all future packets in this connection will
+.\"O .\" also be mangled), and rules should cease being examined. It takes one
+.\"O .\" option:
+.\" ¤³¤Î¥¿¡¼¥²¥Ã¥È¤Ï
+.\" .B nat
+.\" ¥Æ¡¼¥Ö¥ë¤È
+.\" .BR PREROUTING ,
+.\" .B OUTPUT
+.\" ¥Á¥§¥¤¥ó¡¢¤³¤ì¤é¤Î¥Á¥§¥¤¥ó¤«¤é¸Æ¤Ó½Ð¤µ¤ì¤ë
+.\" ¥æ¡¼¥¶¡¼ÄêµÁ¥Á¥§¥¤¥ó¤Î¤ß¤Ç͸ú¤Ç¤¢¤ë¡£
+.\" ¤³¤Î¥¿¡¼¥²¥Ã¥È¤Ï¥Ñ¥±¥Ã¥È¤ÎÁ÷¿®À襢¥É¥ì¥¹¤ò½¤Àµ¤¹¤ë
+.\" (¤³¤ÎÀܳ¤Î°Ê¹ß¤Î¥Ñ¥±¥Ã¥È¤â½¤Àµ¤·¤Æʬ¤«¤é¤Ê¤¯¤¹¤ë (mangle))¡£
+.\" ¤µ¤é¤Ë¡¢¥ë¡¼¥ë¤Ë¤è¤ë¥Á¥§¥Ã¥¯¤ò»ß¤á¤µ¤»¤ë¡£
+.\" ¤³¤Î¥¿¡¼¥²¥Ã¥È¤Ë¤Ï¥ª¥×¥·¥ç¥ó¤¬ 1 ¤Ä¤¢¤ë:
+.\" .TP
+.\" .BR "--to-destination " "\fIipaddr\fP[-\fIipaddr\fP][:\fIport\fP-\fIport\fP]"
+.\"O .\" which can specify a single new destination IP address, an inclusive
+.\"O .\" range of IP addresses, and optionally, a port range (which is only
+.\"O .\" valid if the rule also specifies
+.\"O .\" .B "-p tcp"
+.\"O .\" or
+.\"O .\" .BR "-p udp" ).
+.\"O .\" If no port range is specified, then the destination port will never be
+.\"O .\" modified.
+.\" 1 ¤Ä¤Î¿·¤·¤¤Á÷¿®Àè IP ¥¢¥É¥ì¥¹¡¢¤Þ¤¿¤Ï IP ¥¢¥É¥ì¥¹¤ÎÈϰϤ¬»ØÄê¤Ç¤¤ë¡£
+.\" ¥ª¥×¥·¥ç¥ó¤È¤·¤Æ¡¢¥Ý¡¼¥È¤ÎÈϰϤ¬»ØÄê¤Ç¤¤ë
+.\" (¥ë¡¼¥ë¤¬
+.\" .B "-p tcp"
+.\" ¤Þ¤¿¤Ï
+.\" .B "-p udp"
+.\" ¤ò»ØÄꤷ¤Æ¤¤¤ë¾ì¹ç¤Ë¤Î¤ß͸ú)¡£
+.\" ¥Ý¡¼¥È¤ÎÈϰϤ¬»ØÄꤵ¤ì¤Æ¤¤¤Ê¤¤¾ì¹ç¡¢Á÷¿®À襢¥É¥ì¥¹¤ÏÊѹ¹¤µ¤ì¤Ê¤¤¡£
+.\" .SS MASQUERADE
+.\"O .\" This target is only valid in the
+.\"O .\" .B nat
+.\"O .\" table, in the
+.\"O .\" .B POSTROUTING
+.\"O .\" chain.
+.\" ¤³¤Î¥¿¡¼¥²¥Ã¥È¤Ï
+.\" .B nat
+.\" ¥Æ¡¼¥Ö¥ë¡¢¤Þ¤¿¤Ï
+.\" .B POSTROUTING
+.\" ¥Á¥§¥¤¥ó¤Î¤ß¤Ç͸ú¤Ç¤¢¤ë¡£
+.\"O .\" It should only be used with dynamically assigned IP (dialup)
+.\"O .\" connections: if you have a static IP address, you should use the SNAT
+.\"O .\" target.
+.\" ưŪ³ä¤êÅö¤Æ IP (¥À¥¤¥ä¥ë¥¢¥Ã¥×) Àܳ¤Î¾ì¹ç¤Ë¤Î¤ß»È¤¦¤Ù¤¤Ç¤¢¤ë¡£
+.\" ¸ÇÄê IP ¥¢¥É¥ì¥¹¤Ê¤é¤Ð¡¢SNAT ¥¿¡¼¥²¥Ã¥È¤ò»È¤¦¤Ù¤¤Ç¤¢¤ë¡£
+.\"O .\" Masquerading is equivalent to specifying a mapping to the IP
+.\"O .\" address of the interface the packet is going out, but also has the
+.\"O .\" effect that connections are
+.\"O .\" .I forgotten
+.\"O .\" when the interface goes down.
+.\" ¥Þ¥¹¥«¥ì¡¼¥Ç¥£¥ó¥°¤Ï¡¢¥Ñ¥±¥Ã¥È¤¬Á÷¿®¤µ¤ì¤ë¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹¤Î
+.\" IP ¥¢¥É¥ì¥¹¤Ø¤Î¥Þ¥Ã¥Ô¥ó¥°¤ò»ØÄꤹ¤ë¤Î¤ÈƱ¤¸¤Ç¤¢¤ë¤¬¡¢
+.\" ¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹¤¬Ää»ß¤·¤¿¾ì¹ç¤ËÀܳ¤ò\fI˺¤ì¤ë\fR¤È¤¤¤¦¸½¾Ý¤¬¤¢¤ë¡£
+.\"O .\" This is the correct behavior when the
+.\"O .\" next dialup is unlikely to have the same interface address (and hence
+.\"O .\" any established connections are lost anyway). It takes one option:
+.\" ¼¡¤Î¥À¥¤¥ä¥ë¥¢¥Ã¥×¤Ç¤ÏƱ¤¸¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹¥¢¥É¥ì¥¹¤Ë¤Ê¤ë²ÄǽÀ¤¬Ä㤤
+.\" (¤½¤Î¤¿¤á¡¢Á°²ó³ÎΩ¤µ¤ì¤¿Àܳ¤Ï¼º¤ï¤ì¤ë) ¾ì¹ç¡¢
+.\" ¤³¤ÎÆ°ºî¤ÏÀµ¤·¤¤¡£
+.\" ¤³¤Î¥¿¡¼¥²¥Ã¥È¤Ë¤Ï¥ª¥×¥·¥ç¥ó¤¬ 1 ¤Ä¤¢¤ë¡£
+.\" .TP
+.\" .BR "--to-ports " "\fIport\fP[-\fIport\fP]"
+.\"O .\" This specifies a range of source ports to use, overriding the default
+.\"O .\" .B SNAT
+.\"O .\" source port-selection heuristics (see above). This is only valid
+.\"O .\" if the rule also specifies
+.\"O .\" .B "-p tcp"
+.\"O .\" or
+.\"O .\" .BR "-p udp" .
+.\" ¤³¤Î¥ª¥×¥·¥ç¥ó¤Ï¡¢»ÈÍѤ¹¤ëÁ÷¿®¸µ¥Ý¡¼¥È¤ÎÈϰϤò»ØÄꤷ¡¢
+.\" ¥Ç¥Õ¥©¥ë¥È¤Î
+.\" .B SNAT
+.\" Á÷¿®¸µ¥Ý¡¼¥È¤ÎÁªÂòÊýË¡ (¾åµ) ¤è¤ê¤âÍ¥À褵¤ì¤ë¡£
+.\" ¥ë¡¼¥ë¤¬
+.\" .B "-p tcp"
+.\" ¤Þ¤¿¤Ï
+.\" .B "-p udp"
+.\" ¤ò»ØÄꤷ¤Æ¤¤¤ë¾ì¹ç¤Ë¤Î¤ß͸ú¤Ç¤¢¤ë¡£
+.\" .SS REDIRECT
+.\"O .\" This target is only valid in the
+.\"O .\" .B nat
+.\"O .\" table, in the
+.\"O .\" .B PREROUTING
+.\"O .\" and
+.\"O .\" .B OUTPUT
+.\"O .\" chains, and user-defined chains which are only called from those
+.\"O .\" chains. It alters the destination IP address to send the packet to
+.\"O .\" the machine itself (locally-generated packets are mapped to the
+.\"O .\" 127.0.0.1 address). It takes one option:
+.\" ¤³¤Î¥¿¡¼¥²¥Ã¥È¤Ï¡¢
+.\" .B nat
+.\" ¥Æ¡¼¥Ö¥ëÆâ¤Î
+.\" .B PREROUTING
+.\" ¥Á¥§¥¤¥óµÚ¤Ó
+.\" .B OUTPUT
+.\" ¥Á¥§¥¤¥ó¡¢¤½¤·¤Æ¤³¤ì¤é¥Á¥§¥¤¥ó¤«¤é¸Æ¤Ó½Ð¤µ¤ì¤ë
+.\" ¥æ¡¼¥¶ÄêµÁ¥Á¥§¥¤¥ó¤Ç¤Î¤ß͸ú¤Ç¤¢¤ë¡£
+.\" ¤³¤Î¥¿¡¼¥²¥Ã¥È¤Ï¥Ñ¥±¥Ã¥È¤ÎÁ÷¿®Àè IP ¥¢¥É¥ì¥¹¤ò
+.\" ¥Þ¥·¥ó¼«¿È¤Î IP ¥¢¥É¥ì¥¹¤ËÊÑ´¹¤¹¤ë¡£
+.\" (¥í¡¼¥«¥ë¤ÇÀ¸À®¤µ¤ì¤¿¥Ñ¥±¥Ã¥È¤Ï¡¢¥¢¥É¥ì¥¹ 127.0.0.1 ¤Ë¥Þ¥Ã¥×¤µ¤ì¤ë)¡£
+.\" ¤³¤Î¥¿¡¼¥²¥Ã¥È¤Ë¤Ï¥ª¥×¥·¥ç¥ó¤¬ 1 ¤Ä¤¢¤ë:
+.\" .TP
+.\" .BR "--to-ports " "\fIport\fP[-\fIport\fP]"
+.\"O .\" This specifies a destination port or range of ports to use: without
+.\"O .\" this, the destination port is never altered. This is only valid
+.\"O .\" if the rule also specifies
+.\"O .\" .B "-p tcp"
+.\"O .\" or
+.\"O .\" .BR "-p udp" .
+.\" ¤³¤Î¥ª¥×¥·¥ç¥ó¤Ï»ÈÍѤµ¤ì¤ëÁ÷¿®Àè¥Ý¡¼¥È¡¦¥Ý¡¼¥ÈÈÏ°Ï¡¦Ê£¿ô¥Ý¡¼¥È¤ò»ØÄꤹ¤ë¡£
+.\" ¤³¤Î¥ª¥×¥·¥ç¥ó¤¬»ØÄꤵ¤ì¤Ê¤¤¾ì¹ç¡¢Á÷¿®Àè¥Ý¡¼¥È¤ÏÊѹ¹¤µ¤ì¤Ê¤¤¡£
+.\" ¥ë¡¼¥ë¤¬
+.\" .B "-p tcp"
+.\" ¤Þ¤¿¤Ï
+.\" .B "-p udp"
+.\" ¤ò»ØÄꤷ¤Æ¤¤¤ë¾ì¹ç¤Ë¤Î¤ß͸ú¤Ç¤¢¤ë¡£
+.\"O .SH DIAGNOSTICS
+.SH ÊÖ¤êÃÍ
+.\"O Various error messages are printed to standard error. The exit code
+.\"O is 0 for correct functioning. Errors which appear to be caused by
+.\"O invalid or abused command line parameters cause an exit code of 2, and
+.\"O other errors cause an exit code of 1.
+¤¤¤í¤¤¤í¤Ê¥¨¥é¡¼¥á¥Ã¥»¡¼¥¸¤¬É¸½à¥¨¥é¡¼¤Ëɽ¼¨¤µ¤ì¤ë¡£
+Àµ¤·¤¯µ¡Ç½¤·¤¿¾ì¹ç¡¢½ªÎ»¥³¡¼¥É¤Ï 0 ¤Ç¤¢¤ë¡£
+ÉÔÀµ¤Ê¥³¥Þ¥ó¥É¥é¥¤¥ó¥Ñ¥é¥á¡¼¥¿¤Ë¤è¤ê¥¨¥é¡¼¤¬È¯À¸¤·¤¿¾ì¹ç¤Ï¡¢
+½ªÎ»¥³¡¼¥É 2 ¤¬ÊÖ¤µ¤ì¤ë¡£
+¤½¤Î¾¤Î¥¨¥é¡¼¤Î¾ì¹ç¤Ï¡¢½ªÎ»¥³¡¼¥É 1 ¤¬ÊÖ¤µ¤ì¤ë¡£
+.\"O .SH BUGS
+.SH ¥Ð¥°
+.\"O Bugs? What's this? ;-)
+.\"O Well... the counters are not reliable on sparc64.
+¥Ð¥°? ¥Ð¥°¤Ã¤Æ²¿? ;-)
+¤¨¡¼¤È¡Ä¡¢sparc64 ¤Ç¤Ï¥«¥¦¥ó¥¿¡¼Ãͤ¬¿®Íê¤Ç¤¤Ê¤¤¡£
+.\"O .SH COMPATIBILITY WITH IPCHAINS
+.SH IPCHAINS ¤È¤Î¸ß´¹À
+.\"O This
+.\"O .B ip6tables
+.\"O is very similar to ipchains by Rusty Russell. The main difference is
+.\"O that the chains
+.\"O .B INPUT
+.\"O and
+.\"O .B OUTPUT
+.\"O are only traversed for packets coming into the local host and
+.\"O originating from the local host respectively. Hence every packet only
+.\"O passes through one of the three chains (except loopback traffic, which
+.\"O involves both INPUT and OUTPUT chains); previously a forwarded packet
+.\"O would pass through all three.
+.B ip6tables
+¤Ï¡¢Rusty Russell ¤Î ipchains ¤ÈÈó¾ï¤Ë¤è¤¯»÷¤Æ¤¤¤ë¡£
+Â礤ʰ㤤¤Ï¡¢¥Á¥§¥¤¥ó
+.B INPUT
+¤È
+.B OUTPUT
+¤¬¡¢¤½¤ì¤¾¤ì¥í¡¼¥«¥ë¥Û¥¹¥È¤ËÆþ¤Ã¤Æ¤¯¤ë¥Ñ¥±¥Ã¥È¤È¡¢
+¥í¡¼¥«¥ë¥Û¥¹¥È¤«¤é½Ð¤µ¤ì¤ë¥Ñ¥±¥Ã¥È¤Î¤ß¤·¤«Ä´¤Ù¤Ê¤¤¤È¤¤¤¦ÅÀ¤Ç¤¢¤ë¡£
+¤è¤Ã¤Æ¡¢Á´¤Æ¤Î¥Ñ¥±¥Ã¥È¤Ï 3 ¤Ä¤¢¤ë¥Á¥§¥¤¥ó¤Î¤¦¤Á 1 ¤Ä¤·¤«Ä̤é¤Ê¤¤
+(¥ë¡¼¥×¥Ð¥Ã¥¯¥È¥é¥Õ¥£¥Ã¥¯¤ÏÎã³°¤Ç¡¢INPUT ¤È OUTPUT ¥Á¥§¥¤¥ó¤ÎξÊý¤òÄ̤ë)¡£
+°ÊÁ°¤Ï (ipchains ¤Ç¤Ï)¡¢
+¥Õ¥©¥ï¡¼¥É¤µ¤ì¤ë¥Ñ¥±¥Ã¥È¤¬ 3 ¤Ä¤Î¥Á¥§¥¤¥óÁ´¤Æ¤òÄ̤äƤ¤¤¿¡£
+.PP
+.\"O The other main difference is that
+.\"O .B -i
+.\"O refers to the input interface;
+.\"O .B -o
+.\"O refers to the output interface, and both are available for packets
+.\"O entering the
+.\"O .B FORWARD
+.\"O chain.
+¤½¤Î¾¤ÎÂ礤ʰ㤤¤Ï¡¢
+.B -i
+¤ÇÆþÎÏ¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹¡¢
+.B -o
+¤Ç½ÐÎÏ¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹¤ò»ØÄꤷ¡¢
+¤È¤â¤Ë
+.B FORWARD
+¥Á¥§¥¤¥ó¤ËÆþ¤ë¥Ñ¥±¥Ã¥È¤ËÂФ·¤Æ»ØÄê²Äǽ¤ÊÅÀ¤Ç¤¢¤ë¡£
+.\"O .\" .PP The various forms of NAT have been separated out;
+.\"O .\" .B iptables
+.\"O .\" is a pure packet filter when using the default `filter' table, with
+.\"O .\" optional extension modules. This should simplify much of the previous
+.\"O .\" confusion over the combination of IP masquerading and packet filtering
+.\"O .\" seen previously. So the following options are handled differently:
+.\" .PP
+.\" NAT ¤Î¤¤¤í¤¤¤í¤Ê·Á¼°¤¬Ê¬³ä¤µ¤ì¤¿¡£
+.\" ¥ª¥×¥·¥ç¥ó¤Î³ÈÄ¥¥â¥¸¥å¡¼¥ë¤È¤È¤â¤Ë
+.\" ¥Ç¥Õ¥©¥ë¥È¤Î¡Ö¥Õ¥£¥ë¥¿¡×¥Æ¡¼¥Ö¥ë¤òÍѤ¤¤¿¾ì¹ç¡¢
+.\" .B iptables
+.\" ¤Ï½ã¿è¤Ê¥Ñ¥±¥Ã¥È¥Õ¥£¥ë¥¿¤È¤Ê¤ë¡£
+.\" ¤³¤ì¤Ï¡¢°ÊÁ°¤ß¤é¤ì¤¿ IP ¥Þ¥¹¥«¥ì¡¼¥Ç¥£¥ó¥°¤È¥Ñ¥±¥Ã¥È¥Õ¥£¥ë¥¿¥ê¥ó¥°¤Î
+.\" Áȹ礻¤Ë¤è¤ëº®Íð¤ò´Êά²½¤¹¤ë¡£
+.\" ¤è¤Ã¤Æ¡¢¥ª¥×¥·¥ç¥ó
+.\" .br
+.\" -j MASQ
+.\" .br
+.\" -M -S
+.\" .br
+.\" -M -L
+.\" .br
+.\" ¤ÏÊ̤Τâ¤Î¤È¤·¤Æ°·¤ï¤ì¤ë¡£
+.\"O There are several other changes in ip6tables.
+ip6tables ¤Ç¤Ï¡¢¤½¤Î¾¤Ë¤â¤¤¤¯¤Ä¤«¤ÎÊѹ¹¤¬¤¢¤ë¡£
+.\"O .SH SEE ALSO
+.SH ´ØÏ¢¹àÌÜ
+.BR ip6tables-save (8),
+.BR ip6tables-restore(8),
+.BR iptables (8),
+.BR iptables-save (8),
+.BR iptables-restore (8).
+.P
+.\"O The packet-filtering-HOWTO details iptables usage for
+.\"O packet filtering, the NAT-HOWTO details NAT,
+.\"O the netfilter-extensions-HOWTO details the extensions that are
+.\"O not in the standard distribution,
+.\"O and the netfilter-hacking-HOWTO details the netfilter internals.
+¥Ñ¥±¥Ã¥È¥Õ¥£¥ë¥¿¥ê¥ó¥°¤Ë¤Ä¤¤¤Æ¤Î¾ÜºÙ¤Ê iptables ¤Î»ÈÍÑË¡¤ò
+ÀâÌÀ¤·¤Æ¤¤¤ë packet-filtering-HOWTO¡£
+NAT ¤Ë¤Ä¤¤¤Æ¾ÜºÙ¤ËÀâÌÀ¤·¤Æ¤¤¤ë NAT-HOWTO¡£
+ɸ½àŪ¤ÊÇÛÉۤˤϴޤޤì¤Ê¤¤³ÈÄ¥¤Î¾ÜºÙ¤òÀâÌÀ¤·¤Æ¤¤¤ë netfilter-extensions-HOWTO¡£
+ÆâÉô¹½Â¤¤Ë¤Ä¤¤¤Æ¾ÜºÙ¤ËÀâÌÀ¤·¤Æ¤¤¤ë netfilter-hacking-HOWTO¡£
+.br
+.\"O See
+.\"O .BR "http://www.netfilter.org/" .
+.B "http://www.netfilter.org/"
+¤ò»²¾È¤Î¤³¤È¡£
+.\"O .SH AUTHORS
+.SH Ãø¼Ô
+.\"O Rusty Russell wrote iptables, in early consultation with Michael
+.\"O Neuling.
+Rusty Russell ¤Ï¡¢½é´ü¤ÎÃʳ¬¤Ç Michael Neuling ¤ËÁêÃ̤·¤Æ iptables ¤ò½ñ¤¤¤¿¡£
+.PP
+.\"O Marc Boucher made Rusty abandon ipnatctl by lobbying for a generic packet
+.\"O selection framework in iptables, then wrote the mangle table, the owner match,
+.\"O the mark stuff, and ran around doing cool stuff everywhere.
+Marc Boucher ¤Ï Rusty ¤Ë iptables ¤Î°ìÈÌŪ¤Ê¥Ñ¥±¥Ã¥ÈÁªÂò¤Î¹Í¤¨Êý¤ò´«¤á¤Æ¡¢
+ipnatctl ¤ò»ß¤á¤µ¤»¤¿¡£
+¤½¤·¤Æ¡¢mangle ¥Æ¡¼¥Ö¥ë¡¦½êͼԥޥåÁ¥ó¥°¡¦
+mark µ¡Ç½¤ò½ñ¤¡¢¤¤¤¿¤ë¤È¤³¤í¤Ç»È¤ï¤ì¤Æ¤¤¤ëÁÇÀ²¤é¤·¤¤¥³¡¼¥É¤ò½ñ¤¤¤¿¡£
+.PP
+.\"O James Morris wrote the TOS target, and tos match.
+James Morris ¤¬ TOS ¥¿¡¼¥²¥Ã¥È¤È tos ¥Þ¥Ã¥Á¥ó¥°¤ò½ñ¤¤¤¿¡£
+.PP
+.\"O Jozsef Kadlecsik wrote the REJECT target.
+Jozsef Kadlecsik ¤¬ REJECT ¥¿¡¼¥²¥Ã¥È¤ò½ñ¤¤¤¿¡£
+.PP
+.\"O Harald Welte wrote the ULOG target, TTL match+target and libipulog.
+Harald Welte ¤¬ ULOG ¥¿¡¼¥²¥Ã¥È¡¦TTL ¥Þ¥Ã¥Á¥ó¥°¤È TTL ¥¿¡¼¥²¥Ã¥È¡¦
+libipulog ¤ò½ñ¤¤¤¿¡£
+.PP
+.\"O The Netfilter Core Team is: Marc Boucher, Martin Josefsson, Jozsef Kadlecsik,
+.\"O James Morris, Harald Welte and Rusty Russell.
+Netfilter ¥³¥¢¥Á¡¼¥à¤Ï¡¢Marc Boucher, Martin Josefsson, Jozsef Kadlecsik,
+James Morris, Harald Welte, Rusty Russell ¤Ç¤¢¤ë¡£
+.PP
+.\"O ip6tables man page created by Andras Kis-Szabo, based on
+.\"O iptables man page written by Herve Eychenne <rv@wallfire.org>.
+ip6tables ¤Î man ¥Ú¡¼¥¸¤Ï¡¢Andras Kis-Szabo ¤Ë¤è¤Ã¤ÆºîÀ®¤µ¤ì¤¿¡£
+¤³¤ì¤Ï Herve Eychenne <rv@wallfire.org> ¤Ë¤è¤Ã¤Æ½ñ¤«¤ì¤¿
+iptables ¤Î man ¥Ú¡¼¥¸¤ò¸µ¤Ë¤·¤Æ¤¤¤ë¡£
+.\"O .\" .. and did I mention that we are incredibly cool people?
+.\"O .\" .. sexy, too ..
+.\"O .\" .. witty, charming, powerful ..
+.\"O .\" .. and most of all, modest ..
+.\" .. ¤½¤·¤Æ¡¢ËÍÅù¤¬¤È¤Æ¤â¥¯¡¼¥ë¤ÊÅÛ¤é¤À¤È¸À¤Ã¤Æ¤ª¤¤¤Æ¤â¤¤¤¤¤«¤Ê¡©
+.\" .. ¥»¥¯¥·¡¼¤Ç ..
+.\" .. ¤È¤Æ¤â¥¦¥£¥Ã¥È¤ËÉÙ¤ó¤Ç¤¤¤Æ¡¢¥Á¥ã¡¼¥ß¥ó¥°¤Ç¡¢¥Ñ¥ï¥Õ¥ë¤Ç ..
+.\" .. ¤½¤·¤Æ¡¢¤ß¤ó¤Ê¸¬µõ¤Ê¤ó¤À ..
--- /dev/null
+.TH IPTABLES-RESTORE 8 "Jan 04, 2001" "" ""
+.\"
+.\" Man page written by Harald Welte <laforge@gnumonks.org>
+.\" It is based on the iptables man page.
+.\"
+.\" This program is free software; you can redistribute it and/or modify
+.\" it under the terms of the GNU General Public License as published by
+.\" the Free Software Foundation; either version 2 of the License, or
+.\" (at your option) any later version.
+.\"
+.\" This program is distributed in the hope that it will be useful,
+.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+.\" GNU General Public License for more details.
+.\"
+.\" You should have received a copy of the GNU General Public License
+.\" along with this program; if not, write to the Free Software
+.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+.\"
+.\" Japanese Version Copyright (c) 2001 Yuichi SATO
+.\" all rights reserved.
+.\" Translated Tue May 15 20:08:04 JST 2001
+.\" by Yuichi SATO <ysato@h4.dion.ne.jp>
+.\"
+.\"O .SH NAME
+.SH ̾Á°
+.\"O iptables-restore \- Restore IP Tables
+iptables-restore \- IP ¥Æ¡¼¥Ö¥ë¤òÉü¸µ¤¹¤ë
+.\"O .SH SYNOPSIS
+.SH ½ñ¼°
+.BR "iptables-restore " "[-c] [-n]"
+.br
+.\"O .SH DESCRIPTION
+.SH ÀâÌÀ
+.PP
+.\"O .B iptables-restore
+.\"O is used to restore IP Tables from data specified on STDIN. Use
+.\"O I/O redirection provided by your shell to read from a file
+.B iptables-restore
+¤Ïɸ½àÆþÎϤǻØÄꤵ¤ì¤¿¥Ç¡¼¥¿¤«¤é IP ¥Æ¡¼¥Ö¥ë¤òÉü¸µ¤¹¤ë¤¿¤á¤Ë»È¤ï¤ì¤ë¡£
+¥Õ¥¡¥¤¥ë¤«¤éÆɤ߹þ¤à¤¿¤á¤Ë¤Ï¡¢
+¥·¥§¥ë¤ÇÄ󶡤µ¤ì¤Æ¤¤¤ë I/O ¥ê¥À¥¤¥ì¥¯¥·¥ç¥ó¤ò»È¤¦¤³¤È¡£
+.TP
+\fB\-c\fR, \fB\-\-counters\fR
+.\"O restore the values of all packet and byte counters
+Á´¤Æ¤Î¥Ñ¥±¥Ã¥È¥«¥¦¥ó¥¿¤È¥Ð¥¤¥È¥«¥¦¥ó¥¿¤ÎÃͤòÉü¸µ¤¹¤ë¡£
+.TP
+\fB\-n\fR, \fB\-\-noflush\fR
+.\"O .TP
+.\"O don't flush the previous contents of the table. If not specified,
+.\"O .B iptables-restore
+.\"O flushes (deletes) all previous contents of the respective IP Table.
+¤³¤ì¤Þ¤Ç¤Î¥Æ¡¼¥Ö¥ë¤ÎÆâÍƤò¥Õ¥é¥Ã¥·¥å¤·¤Ê¤¤¡£
+»ØÄꤵ¤ì¤Ê¤¤¾ì¹ç¡¢
+.B iptables-restore
+¤Ï¡¢¤³¤ì¤Þ¤Ç¤Î³Æ IP ¥Æ¡¼¥Ö¥ë¤ÎÆâÍƤòÁ´¤Æ¥Õ¥é¥Ã¥·¥å (ºï½ü) ¤¹¤ë¡£
+.\"O .SH BUGS
+.SH ¥Ð¥°
+.\"O None known as of iptables-1.2.1 release
+iptables-1.2.1 ¥ê¥ê¡¼¥¹¤Ç¤ÏÃΤé¤ì¤Æ¤¤¤Ê¤¤¡£
+.\"O .SH AUTHOR
+.SH Ãø¼Ô
+Harald Welte <laforge@gnumonks.org>
+.\"O .SH SEE ALSO
+.SH ´ØÏ¢¹àÌÜ
+.BR iptables-save "(8), " iptables "(8) "
+.PP
+.\"O The iptables-HOWTO, which details more iptables usage, the NAT-HOWTO,
+.\"O which details NAT, and the netfilter-hacking-HOWTO which details the
+.\"O internals.
+¤è¤ê¿¤¯¤Î iptables ¤Î»ÈÍÑË¡¤Ë¤Ä¤¤¤Æ
+¾ÜºÙ¤ËÀâÌÀ¤·¤Æ¤¤¤ë iptables-HOWTO¡£
+NAT ¤Ë¤Ä¤¤¤Æ¾ÜºÙ¤ËÀâÌÀ¤·¤Æ¤¤¤ë NAT-HOWTO¡£
+ÆâÉô¹½Â¤¤Ë¤Ä¤¤¤Æ¾ÜºÙ¤ËÀâÌÀ¤·¤Æ¤¤¤ë netfilter-hacking-HOWTO¡£
--- /dev/null
+.TH IPTABLES-SAVE 8 "Jan 04, 2001" "" ""
+.\"
+.\" Man page written by Harald Welte <laforge@gnumonks.org>
+.\" It is based on the iptables man page.
+.\"
+.\" This program is free software; you can redistribute it and/or modify
+.\" it under the terms of the GNU General Public License as published by
+.\" the Free Software Foundation; either version 2 of the License, or
+.\" (at your option) any later version.
+.\"
+.\" This program is distributed in the hope that it will be useful,
+.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+.\" GNU General Public License for more details.
+.\"
+.\" You should have received a copy of the GNU General Public License
+.\" along with this program; if not, write to the Free Software
+.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+.\"
+.\" Japanese Version Copyright (c) 2001 Yuichi SATO
+.\" all rights reserved.
+.\" Translated Tue May 15 20:09:48 JST 2001
+.\" by Yuichi SATO <ysato@h4.dion.ne.jp>
+.\"
+.\"O .SH NAME
+.SH ̾Á°
+.\"O iptables-save \- Save IP Tables
+iptables-save \- IP ¥Æ¡¼¥Ö¥ë¤òÊݸ¤¹¤ë
+.\"O .SH SYNOPSIS
+.SH ½ñ¼°
+.BR "iptables-save " "[-c] [-t table]"
+.br
+.\"O .SH DESCRIPTION
+.SH ÀâÌÀ
+.PP
+.\"O .B iptables-save
+.\"O is used to dump the contents of an IP Table in easily parseable format
+.\"O to STDOUT. Use I/O-redirection provided by your shell to write to a file.
+.B iptables-save
+¤Ï IP ¥Æ¡¼¥Ö¥ë¤ÎÆâÍƤò´Êñ¤Ë²òÀϤǤ¤ë·Á¼°¤Ç
+ɸ½à½ÐÎϤ˥À¥ó¥×¤¹¤ë¤¿¤á¤Ë»È¤ï¤ì¤ë¡£
+¥Õ¥¡¥¤¥ë¤Ë½ñ¤½Ð¤¹¤¿¤á¤Ë¤Ï¡¢
+¥·¥§¥ë¤ÇÄ󶡤µ¤ì¤Æ¤¤¤ë I/O ¥ê¥À¥¤¥ì¥¯¥·¥ç¥ó¤ò»È¤¦¤³¤È¡£
+.TP
+\fB\-c\fR, \fB\-\-counters\fR
+.\"O include the current values of all packet and byte counters in the output
+Á´¤Æ¤Î¥Ñ¥±¥Ã¥È¥«¥¦¥ó¥¿¤È¥Ð¥¤¥È¥«¥¦¥ó¥¿¤Î¸½ºß¤ÎÃͤò½ÐÎϤ¹¤ë¡£
+.TP
+\fB\-t\fR, \fB\-\-table\fR \fBtablename\fR
+.\"O .TP
+.\"O restrict output to only one table. If not specified, output includes all
+.\"O available tables.
+½ÐÎϤò 1 ¤Ä¤Î¥Æ¡¼¥Ö¥ë¤Î¤ß¤ËÀ©¸Â¤¹¤ë¡£
+»ØÄꤵ¤ì¤Ê¤¤¾ì¹ç¡¢ÆÀ¤é¤ì¤¿Á´¤Æ¤Î¥Æ¡¼¥Ö¥ë¤ò½ÐÎϤ¹¤ë¡£
+.\"O .SH BUGS
+.SH ¥Ð¥°
+.\"O None known as of iptables-1.2.1 release
+iptables-1.2.1 ¥ê¥ê¡¼¥¹¤Ç¤ÏÃΤé¤ì¤Æ¤¤¤Ê¤¤¡£
+.\"O .SH AUTHOR
+.SH Ãø¼Ô
+Harald Welte <laforge@gnumonks.org>
+.\"O .SH SEE ALSO
+.SH ´ØÏ¢¹àÌÜ
+.BR iptables-restore "(8), " iptables "(8) "
+.PP
+.\"O The iptables-HOWTO, which details more iptables usage, the NAT-HOWTO,
+.\"O which details NAT, and the netfilter-hacking-HOWTO which details the
+.\"O internals.
+¤è¤ê¿¤¯¤Î iptables ¤Î»ÈÍÑË¡¤Ë¤Ä¤¤¤Æ
+¾ÜºÙ¤ËÀâÌÀ¤·¤Æ¤¤¤ë iptables-HOWTO¡£
+NAT ¤Ë¤Ä¤¤¤Æ¾ÜºÙ¤ËÀâÌÀ¤·¤Æ¤¤¤ë NAT-HOWTO¡£
+ÆâÉô¹½Â¤¤Ë¤Ä¤¤¤Æ¾ÜºÙ¤ËÀâÌÀ¤·¤Æ¤¤¤ë netfilter-hacking-HOWTO¡£
--- /dev/null
+.\"
+.\" Man page written by Herve Eychenne <rv@wallfire.org> (May 1999)
+.\" It is based on ipchains page.
+.\" TODO: add a word for protocol helpers (FTP, IRC, SNMP-ALG)
+.\"
+.\" ipchains page by Paul ``Rusty'' Russell March 1997
+.\" Based on the original ipfwadm man page by Jos Vos <jos@xos.nl>
+.\"
+.\" This program is free software; you can redistribute it and/or modify
+.\" it under the terms of the GNU General Public License as published by
+.\" the Free Software Foundation; either version 2 of the License, or
+.\" (at your option) any later version.
+.\"
+.\" This program is distributed in the hope that it will be useful,
+.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+.\" GNU General Public License for more details.
+.\"
+.\" You should have received a copy of the GNU General Public License
+.\" along with this program; if not, write to the Free Software
+.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+.\"
+.\"
+.\" Japanese Version Copyright (c) 2001, 2004 Yuichi SATO
+.\" all right reserved.
+.\" Translated Sun Jul 29 01:03:37 JST 2001
+.\" by Yuichi SATO <ysato@h4.dion.ne.jp>
+.\" Updated & Modified Wed Sep 12 06:22:55 JST 2001 by Yuichi SATO
+.\" Updated on Wed May 28 01:51:45 JST 2003 by
+.\" System Design and Research Institute Co., Ltd.
+.\" Updated & Modified Sat Feb 21 23:28:25 JST 2004
+.\" by Yuichi SATO <ysato444@yahoo.co.jp>
+.\"
+.\"WORD: chain ¥Á¥§¥¤¥ó
+.\"WORD: built-in chain ÁȤ߹þ¤ßºÑ¤ß¥Á¥§¥¤¥ó
+.\"WORD: connection tracking ÀܳÄÉÀ×
+.\"WORD: enslave ¥¹¥ì¡¼¥Ö¤Ë¤¹¤ë
+.\"WORD: infrastructure ´ðÈ×
+.\"WORD: round-robin ¥é¥¦¥ó¥É¡¦¥í¥Ó¥ó
+.\"WORD: rule traverse ¥ë¡¼¥ë¤Î¸¡Æ¤
+.\"WORD: non-terminating target Èó½ªÎ»¥¿¡¼¥²¥Ã¥È
+.\"WORD: criteria ȽÃÇ(¤¹¤ë)´ð½à
+.\"
+.TH IPTABLES 8 "Mar 09, 2002" "" ""
+.\"O .SH NAME
+.SH ̾Á°
+.\"O iptables \- administration tool for IPv4 packet filtering and NAT
+iptables \- IPv4 ¤Î¥Ñ¥±¥Ã¥È¥Õ¥£¥ë¥¿¤È NAT ¤ò´ÉÍý¤¹¤ë¥Ä¡¼¥ë
+.\"O .SH SYNOPSIS
+.SH ½ñ¼°
+.\"O .BR "iptables [-t table] -[AD] " "chain rule-specification [options]"
+.BR "iptables [-t table] -[AD] " "¥Á¥§¥¤¥ó ¥ë¡¼¥ë¤Î¾ÜºÙ [¥ª¥×¥·¥ç¥ó]"
+.br
+.\"O .BR "iptables [-t table] -I " "chain [rulenum] rule-specification [options]"
+.BR "iptables [-t table] -I " "¥Á¥§¥¤¥ó [¥ë¡¼¥ëÈÖ¹æ] ¥ë¡¼¥ë¤Î¾ÜºÙ [¥ª¥×¥·¥ç¥ó]"
+.br
+.\"O .BR "iptables [-t table] -R " "chain rulenum rule-specification [options]"
+.BR "iptables [-t table] -R " "¥Á¥§¥¤¥ó ¥ë¡¼¥ëÈÖ¹æ ¥ë¡¼¥ë¤Î¾ÜºÙ [¥ª¥×¥·¥ç¥ó]"
+.br
+.\"O .BR "iptables [-t table] -D " "chain rulenum [options]"
+.BR "iptables [-t table] -D " "¥Á¥§¥¤¥ó ¥ë¡¼¥ëÈÖ¹æ [¥ª¥×¥·¥ç¥ó]"
+.br
+.\"O .BR "iptables [-t table] -[LFZ] " "[chain] [options]"
+.BR "iptables [-t table] -[LFZ] " "[¥Á¥§¥¤¥ó] [¥ª¥×¥·¥ç¥ó]"
+.br
+.\"O .BR "iptables [-t table] -N " "chain"
+.BR "iptables [-t table] -N " "¥Á¥§¥¤¥ó"
+.br
+.\"O .BR "iptables [-t table] -X " "[chain]"
+.BR "iptables [-t table] -X " "[¥Á¥§¥¤¥ó]"
+.br
+.\"O .BR "iptables [-t table] -P " "chain target [options]"
+.BR "iptables [-t table] -P " "¥Á¥§¥¤¥ó ¥¿¡¼¥²¥Ã¥È [¥ª¥×¥·¥ç¥ó]"
+.br
+.\"O .BR "iptables [-t table] -E " "old-chain-name new-chain-name"
+.BR "iptables [-t table] -E " "µì¥Á¥§¥¤¥ó̾ ¿·¥Á¥§¥¤¥ó̾"
+.\"O .SH DESCRIPTION
+.SH ÀâÌÀ
+.\"O .B Iptables
+.\"O is used to set up, maintain, and inspect the tables of IP packet
+.\"O filter rules in the Linux kernel. Several different tables
+.\"O may be defined. Each table contains a number of built-in
+.\"O chains and may also contain user-defined chains.
+.B iptables
+¤Ï Linux ¥«¡¼¥Í¥ë¤Î IP ¥Ñ¥±¥Ã¥È¥Õ¥£¥ë¥¿¥ë¡¼¥ë¤Î¥Æ¡¼¥Ö¥ë¤ò
+ÀßÄꡦ´ÉÍý¡¦¸¡ºº¤¹¤ë¤¿¤á¤Ë»È¤ï¤ì¤ë¡£
+Ê£¿ô¤Î°Û¤Ê¤ë¥Æ¡¼¥Ö¥ë¤òÄêµÁ¤Ç¤¤ë¡£
+³Æ¥Æ¡¼¥Ö¥ë¤Ë¤Ï¤¿¤¯¤µ¤ó¤ÎÁȤ߹þ¤ßºÑ¤ß¥Á¥§¥¤¥ó¤¬´Þ¤Þ¤ì¤Æ¤ª¤ê¡¢
+¤µ¤é¤Ë¥æ¡¼¥¶¡¼ÄêµÁ¤Î¥Á¥§¥¤¥ó¤ò²Ã¤¨¤ë¤³¤È¤â¤Ç¤¤ë¡£
+
+.\"O Each chain is a list of rules which can match a set of packets. Each
+.\"O rule specifies what to do with a packet that matches. This is called
+.\"O a `target', which may be a jump to a user-defined chain in the same
+.\"O table.
+³Æ¥Á¥§¥¤¥ó¤Ï¡¢¥Ñ¥±¥Ã¥È·²¤Ë¥Þ¥Ã¥Á¤¹¤ë¥ë¡¼¥ë¤Î¥ê¥¹¥È¤Ç¤¢¤ë¡£
+³Æ¥ë¡¼¥ë¤Ï¥Þ¥Ã¥Á¤·¤¿¥Ñ¥±¥Ã¥È¤ËÂФ·¤Æ²¿¤ò¤¹¤ë¤«¤ò»ØÄꤹ¤ë¡£
+¤³¤ì¤Ï¡Ö¥¿¡¼¥²¥Ã¥È¡×¤È¸Æ¤Ð¤ì¡¢
+Ʊ¤¸¥Æ¡¼¥Ö¥ëÆâ¤Î¥æ¡¼¥¶¡¼ÄêµÁ¥Á¥§¥¤¥ó¤Ë¥¸¥ã¥ó¥×¤¹¤ë¤³¤È¤â¤Ç¤¤ë¡£
+
+.\"O .SH TARGETS
+.SH ¥¿¡¼¥²¥Ã¥È
+.\"O A firewall rule specifies criteria for a packet, and a target. If the
+.\"O packet does not match, the next rule in the chain is the examined; if
+.\"O it does match, then the next rule is specified by the value of the
+.\"O target, which can be the name of a user-defined chain or one of the
+.\"O special values
+.\"O .IR ACCEPT ,
+.\"O .IR DROP ,
+.\"O .IR QUEUE ,
+.\"O or
+.\"O .IR RETURN .
+¤Ò¤È¤Ä¤Î¥Õ¥¡¥¤¥¢¥¦¥©¡¼¥ë¥ë¡¼¥ë¤Ç¤Ï¡¢
+¥Ñ¥±¥Ã¥È¤òȽÃǤ¹¤ë´ð½à¤È¥¿¡¼¥²¥Ã¥È¤È¤¬»ØÄꤵ¤ì¤ë¡£
+¥Ñ¥±¥Ã¥È¤¬¥Þ¥Ã¥Á¤·¤Ê¤¤¾ì¹ç¡¢¥Á¥§¥¤¥óÆâ¤Î¼¡¤Î¥ë¡¼¥ë¤¬É¾²Á¤µ¤ì¤ë¡£
+¥Ñ¥±¥Ã¥È¤¬¥Þ¥Ã¥Á¤·¤¿¾ì¹ç¡¢
+¥¿¡¼¥²¥Ã¥È¤ÎÃͤ¬¼¡¤Î¥ë¡¼¥ë¤ò»ØÄꤹ¤ë¡£
+¥¿¡¼¥²¥Ã¥È¤ÎÃͤϡ¢¥æ¡¼¥¶¡¼ÄêµÁ¥Á¥§¥¤¥ó¤Î̾Á°¡¢¤Þ¤¿¤ÏÆÃÊ̤ÊÃÍ
+.IR ACCEPT ,
+.IR DROP ,
+.IR QUEUE ,
+.I RETURN
+¤Î¤¦¤Á¤Î 1 ¤Ä¤Ç¤¢¤ë¡£
+.PP
+.\"O .I ACCEPT
+.\"O means to let the packet through.
+.I ACCEPT
+¤Ï¥Ñ¥±¥Ã¥È¤òÄ̤¹¤È¤¤¤¦°ÕÌ£¤Ç¤¢¤ë¡£
+.\"O .I DROP
+.\"O means to drop the packet on the floor.
+.I DROP
+¤Ï¥Ñ¥±¥Ã¥È¤ò¾²¤ËÍ (¼Î¤Æ¤ë) ¤È¤¤¤¦°ÕÌ£¤Ç¤¢¤ë¡£
+.\"O .I QUEUE
+.\"O means to pass the packet to userspace (if supported by the kernel).
+.I QUEUE
+¤Ï¥Ñ¥±¥Ã¥È¤ò¥æ¡¼¥¶¡¼¶õ´Ö¤ËÅϤ¹¤È¤¤¤¦°ÕÌ£¤Ç¤¢¤ë
+(¥«¡¼¥Í¥ë¤¬¥µ¥Ý¡¼¥È¤·¤Æ¤¤¤ì¤Ð¤Ç¤¢¤ë¤¬)¡£
+.\"O .I RETURN
+.\"O means stop traversing this chain and resume at the next rule in the
+.\"O previous (calling) chain. If the end of a built-in chain is reached
+.\"O or a rule in a built-in chain with target
+.\"O .I RETURN
+.\"O is matched, the target specified by the chain policy determines the
+.\"O fate of the packet.
+.I RETURN
+¤Ï¡¢¤³¤Î¥Á¥§¥¤¥ó¤Î¸¡Æ¤¤òÃæ»ß¤·¤Æ¡¢
+°ÊÁ°¤Î (¸Æ¤Ó½Ð¤·¸µ) ¥Á¥§¥¤¥óÆâ¤Î
+¼¡¤Î¥ë¡¼¥ë¤«¤é¸¡Æ¤¤òºÆ³«¤¹¤ë¤È¤¤¤¦°ÕÌ£¤Ç¤¢¤ë¡£
+ÁȤ߹þ¤ßºÑ¤ß¥Á¥§¥¤¥ó¤ÎºÇ¸å¤ËÅþ㤷¤¿¾ì¹ç¡¢
+¤Þ¤¿¤ÏÁȤ߹þ¤ßºÑ¤ß¥Á¥§¥¤¥ó¤Ç¥¿¡¼¥²¥Ã¥È
+.I RETURN
+¤ò»ý¤Ä¥ë¡¼¥ë¤Ë¥Þ¥Ã¥Á¤·¤¿¾ì¹ç¡¢
+¥Á¥§¥¤¥ó¥Ý¥ê¥·¡¼¤Ç»ØÄꤵ¤ì¤¿¥¿¡¼¥²¥Ã¥È¤¬
+¥Ñ¥±¥Ã¥È¤Î¹ÔÊý¤ò·èÄꤹ¤ë¡£
+.\"O .SH TABLES
+.SH ¥Æ¡¼¥Ö¥ë
+.\"O There are currently three independent tables (which tables are present
+.\"O at any time depends on the kernel configuration options and which
+.\"O modules are present).
+¸½ºß¤Î¤È¤³¤í 3 ¤Ä¤ÎÆÈΩ¤Ê¥Æ¡¼¥Ö¥ë¤¬Â¸ºß¤¹¤ë
+(¤¢¤ë»þÅÀ¤Ç¤É¤Î¥Æ¡¼¥Ö¥ë¤¬Â¸ºß¤¹¤ë¤«¤Ï¡¢
+¥«¡¼¥Í¥ë¤ÎÀßÄê¤ä¤É¤¦¤¤¤Ã¤¿¥â¥¸¥å¡¼¥ë¤¬Â¸ºß¤¹¤ë¤«¤Ë°Í¸¤¹¤ë)¡£
+.TP
+.BI "-t, --table " "table"
+.\"O This option specifies the packet matching table which the command
+.\"O should operate on. If the kernel is configured with automatic module
+.\"O loading, an attempt will be made to load the appropriate module for
+.\"O that table if it is not already there.
+¤³¤Î¥ª¥×¥·¥ç¥ó¤Ï¡¢¤³¤Î¥³¥Þ¥ó¥É¤òŬÍѤ¹¤ë
+¥Ñ¥±¥Ã¥È¥Þ¥Ã¥Á¥ó¥°¥Æ¡¼¥Ö¥ë¤ò»ØÄꤹ¤ë¡£
+¥«¡¼¥Í¥ë¤Ë¼«Æ°¥â¥¸¥å¡¼¥ë¥í¡¼¥Ç¥£¥ó¥°¤¬ÀßÄꤵ¤ì¤Æ¤¤¤ë¾ì¹ç¡¢
+¤½¤Î¥Æ¡¼¥Ö¥ë¤ËÂФ¹¤ëŬÀڤʥ⥸¥å¡¼¥ë¤¬¤Þ¤À¥í¡¼¥É¤µ¤ì¤Æ¤¤¤Ê¤±¤ì¤Ð¡¢
+¤½¤Î¥â¥¸¥å¡¼¥ë¤¬¥í¡¼¥É¤µ¤ì¤ë¡£
+
+.\"O The tables are as follows:
+¥Æ¡¼¥Ö¥ë¤Ï°Ê²¼¤ÎÄ̤ê¤Ç¤¢¤ë¡£
+.RS
+.TP .4i
+.BR "filter" :
+.\"O This is the default table (if no -t option is passed). It contains
+.\"O the built-in chains
+.\"O .B INPUT
+.\"O (for packets coming into the box itself),
+.\"O .B FORWARD
+.\"O (for packets being routed through the box), and
+.\"O .B OUTPUT
+.\"O (for locally-generated packets).
+(\-t ¥ª¥×¥·¥ç¥ó¤¬ÅϤµ¤ì¤Ê¤±¤ì¤Ð) ¤³¤ì¤¬¥Ç¥Õ¥©¥ë¥È¤Î¥Æ¡¼¥Ö¥ë¤Ç¤¢¤ë¡£
+¤³¤ì¤Ë¤Ï
+.B INPUT
+(¥Þ¥·¥ó¼«ÂΤËÆþ¤Ã¤Æ¤¯¤ë¥Ñ¥±¥Ã¥È¤ËÂФ¹¤ë¥Á¥§¥¤¥ó)¡¦
+.B FORWARD
+(¥Þ¥·¥ó¤ò·Ðͳ¤¹¤ë¥Ñ¥±¥Ã¥È¤ËÂФ¹¤ë¥Á¥§¥¤¥ó)¡¦
+.B OUTPUT
+(¥í¡¼¥«¥ë¥Þ¥·¥ó¤ÇÀ¸À®¤µ¤ì¤¿¥Ñ¥±¥Ã¥È¤ËÂФ¹¤ë¥Á¥§¥¤¥ó)
+¤È¤¤¤¦ÁȤ߹þ¤ßºÑ¤ß¥Á¥§¥¤¥ó¤¬´Þ¤Þ¤ì¤ë¡£
+.TP
+.BR "nat" :
+.\"O This table is consulted when a packet that creates a new
+.\"O connection is encountered. It consists of three built-ins:
+.\"O .B PREROUTING
+.\"O (for altering packets as soon as they come in),
+.\"O .B OUTPUT
+.\"O (for altering locally-generated packets before routing), and
+.\"O .B POSTROUTING
+.\"O (for altering packets as they are about to go out).
+¤³¤Î¥Æ¡¼¥Ö¥ë¤Ï¿·¤·¤¤Àܳ¤ò³«¤¯¤è¤¦¤Ê¥Ñ¥±¥Ã¥È¤ËÂФ·¤Æ»²¾È¤µ¤ì¤ë¡£
+¤³¤ì¤Ë¤Ï
+.B PREROUTING
+(¥Ñ¥±¥Ã¥È¤¬Æþ¤Ã¤Æ¤¤¿¾ì¹ç¡¢¤¹¤°¤Ë¤½¤Î¥Ñ¥±¥Ã¥È¤òÊÑ´¹¤¹¤ë¤¿¤á¤Î¥Á¥§¥¤¥ó)¡¦
+.B OUTPUT
+(¥í¡¼¥«¥ë¤ÇÀ¸À®¤µ¤ì¤¿¥Ñ¥±¥Ã¥È¤ò¥ë¡¼¥Æ¥£¥ó¥°¤ÎÁ°¤ËÊÑ´¹¤¹¤ë¤¿¤á¤Î¥Á¥§¥¤¥ó)¡¦
+.B POSTROUTING
+(¥Ñ¥±¥Ã¥È¤¬½Ð¤Æ¹Ô¤¯¤È¤¤ËÊÑ´¹¤¹¤ë¤¿¤á¤Î¥Á¥§¥¤¥ó)
+¤È¤¤¤¦ 3 ¤Ä¤ÎÁȤ߹þ¤ßºÑ¤ß¥Á¥§¥¤¥ó¤¬´Þ¤Þ¤ì¤ë¡£
+.TP
+.BR "mangle" :
+.\"O This table is used for specialized packet alteration. Until kernel
+.\"O 2.4.17 it had two built-in chains:
+.\"O .B PREROUTING
+.\"O (for altering incoming packets before routing) and
+.\"O .B OUTPUT
+.\"O (for altering locally-generated packets before routing).
+.\"O Since kernel 2.4.18, three other built-in chains are also supported:
+.\"O .B INPUT
+.\"O (for packets coming into the box itself),
+.\"O .B FORWARD
+.\"O (for altering packets being routed through the box), and
+.\"O .B POSTROUTING
+.\"O (for altering packets as they are about to go out).
+¤³¤Î¥Æ¡¼¥Ö¥ë¤ÏÆÃÊ̤ʥѥ±¥Ã¥ÈÊÑ´¹¤Ë»È¤ï¤ì¤ë¡£
+¤³¤ì¤Ë¤Ï¡¢¥«¡¼¥Í¥ë 2.4.17 ¤Þ¤Ç¤Ï
+.B PREROUTING
+(¥Ñ¥±¥Ã¥È¤¬Æþ¤Ã¤Æ¤¤¿¾ì¹ç¡¢¤¹¤°¤Ë¤½¤Î¥Ñ¥±¥Ã¥È¤òÊÑ´¹¤¹¤ë¤¿¤á¤Î¥Á¥§¥¤¥ó)¡¦
+.B OUTPUT
+(¥í¡¼¥«¥ë¤ÇÀ¸À®¤µ¤ì¤¿¥Ñ¥±¥Ã¥È¤ò¥ë¡¼¥Æ¥£¥ó¥°¤ÎÁ°¤ËÊÑ´¹¤¹¤ë¤¿¤á¤Î¥Á¥§¥¤¥ó)
+¤È¤¤¤¦ 2 ¤Ä¤ÎÁȤ߹þ¤ßºÑ¤ß¥Á¥§¥¤¥ó¤¬´Þ¤Þ¤ì¤ë¡£
+¥«¡¼¥Í¥ë 2.4.18 ¤«¤é¤Ï¡¢¤³¤ì¤é¤Î¾¤Ë
+.B INPUT
+(¥Þ¥·¥ó¼«ÂΤËÆþ¤Ã¤Æ¤¯¤ë¥Ñ¥±¥Ã¥È¤ËÂФ¹¤ë¥Á¥§¥¤¥ó)¡¦
+.B FORWARD
+(¥Þ¥·¥ó¤ò·Ðͳ¤¹¤ë¥Ñ¥±¥Ã¥È¤ËÂФ¹¤ë¥Á¥§¥¤¥ó)¡¦
+.B POSTROUTING
+(¥Ñ¥±¥Ã¥È¤¬½Ð¤Æ¹Ô¤¯¤È¤¤ËÊÑ´¹¤¹¤ë¤¿¤á¤Î¥Á¥§¥¤¥ó)
+¤È¤¤¤¦ 3 ¤Ä¤ÎÁȤ߹þ¤ßºÑ¤ß¥Á¥§¥¤¥ó¤â´Þ¤Þ¤ì¤ë¡£
+.RE
+.\"O .SH OPTIONS
+.SH ¥ª¥×¥·¥ç¥ó
+.\"O The options that are recognized by
+.\"O .B iptables
+.\"O can be divided into several different groups.
+.B iptables
+¤Ç»È¤¨¤ë¥ª¥×¥·¥ç¥ó¤Ï¡¢¤¤¤¯¤Ä¤«¤Î¥°¥ë¡¼¥×¤Ëʬ¤±¤é¤ì¤ë¡£
+.\"O .SS COMMANDS
+.SS ¥³¥Þ¥ó¥É
+.\"O These options specify the specific action to perform. Only one of them
+.\"O can be specified on the command line unless otherwise specified
+.\"O below. For all the long versions of the command and option names, you
+.\"O need to use only enough letters to ensure that
+.\"O .B iptables
+.\"O can differentiate it from all other options.
+¤³¤ì¤é¤Î¥ª¥×¥·¥ç¥ó¤Ï¡¢¼Â¹Ô¤¹¤ëÆÃÄê¤ÎÆ°ºî¤ò»ØÄꤹ¤ë¡£
+°Ê²¼¤ÎÀâÌÀ¤ÇÃíµ¤µ¤ì¤Æ¤¤¤Ê¤¤¸Â¤ê¡¢
+¥³¥Þ¥ó¥É¥é¥¤¥ó¤Ç»ØÄê¤Ç¤¤ë¤Î¤Ï¤³¤ÎÃæ¤Î 1 ¤Ä¤À¤±¤Ç¤¢¤ë¡£
+Ť¤¥Ð¡¼¥¸¥ç¥ó¤Î¥³¥Þ¥ó¥É̾¤È¥ª¥×¥·¥ç¥ó̾¤Ï¡¢
+.B iptables
+¤¬Â¾¤Î¥³¥Þ¥ó¥É̾¤ä¥ª¥×¥·¥ç¥ó̾¤È¶èÊ̤Ǥ¤ëÈϰϤÇ
+(ʸ»ú¤ò¾Êά¤·¤Æ) »ØÄꤹ¤ë¤³¤È¤â¤Ç¤¤ë¡£
+.TP
+.\"O .BI "-A, --append " "chain rule-specification"
+.BI "-A, --append " "¥Á¥§¥¤¥ó ¥ë¡¼¥ë¤Î¾ÜºÙ"
+.\"O Append one or more rules to the end of the selected chain.
+.\"O When the source and/or destination names resolve to more than one
+.\"O address, a rule will be added for each possible address combination.
+ÁªÂò¤µ¤ì¤¿¥Á¥§¥¤¥ó¤ÎºÇ¸å¤Ë 1 ¤Ä°Ê¾å¤Î¥ë¡¼¥ë¤òÄɲ乤롣
+Á÷¿®¸µ¤äÁ÷¿®Àè¤Î̾Á°¤¬ 1 ¤Ä°Ê¾å¤Î¥¢¥É¥ì¥¹¤Ë²ò·è¤µ¤ì¤¿¾ì¹ç¤Ï¡¢
+²Äǽ¤Ê¥¢¥É¥ì¥¹¤ÎÁȹ礻¤½¤ì¤¾¤ì¤ËÂФ·¤Æ¥ë¡¼¥ë¤¬Äɲ䵤ì¤ë¡£
+.TP
+.\"O .BI "-D, --delete " "chain rule-specification"
+.BI "-D, --delete " "¥Á¥§¥¤¥ó ¥ë¡¼¥ë¤Î¾ÜºÙ"
+.ns
+.TP
+.\"O .BI "-D, --delete " "chain rulenum"
+.BI "-D, --delete " "¥Á¥§¥¤¥ó ¥ë¡¼¥ëÈÖ¹æ"
+.\"O Delete one or more rules from the selected chain. There are two
+.\"O versions of this command: the rule can be specified as a number in the
+.\"O chain (starting at 1 for the first rule) or a rule to match.
+ÁªÂò¤µ¤ì¤¿¥Á¥§¥¤¥ó¤«¤é 1 ¤Ä°Ê¾å¤Î¥ë¡¼¥ë¤òºï½ü¤¹¤ë¡£
+¤³¤Î¥³¥Þ¥ó¥É¤Ë¤Ï 2 ¤Ä¤Î»È¤¤Êý¤¬¤¢¤ë:
+¥Á¥§¥¤¥ó¤ÎÃæ¤ÎÈÖ¹æ (ºÇ½é¤Î¥ë¡¼¥ë¤ò 1 ¤È¤¹¤ë) ¤ò»ØÄꤹ¤ë¾ì¹ç¤È¡¢
+¥Þ¥Ã¥Á¤¹¤ë¥ë¡¼¥ë¤ò»ØÄꤹ¤ë¾ì¹ç¤Ç¤¢¤ë¡£
+.TP
+.\"O .BR "-I, --insert " "\fIchain\fP [\fIrulenum\fP] \fIrule-specification\fP"
+.BR "-I, --insert " "\fI¥Á¥§¥¤¥ó\fP [\fI¥ë¡¼¥ëÈÖ¹æ\fP] \fI¥ë¡¼¥ë¤Î¾ÜºÙ"
+.\"O Insert one or more rules in the selected chain as the given rule
+.\"O number. So, if the rule number is 1, the rule or rules are inserted
+.\"O at the head of the chain. This is also the default if no rule number
+.\"O is specified.
+ÁªÂò¤µ¤ì¤¿¥Á¥§¥¤¥ó¤Ë¥ë¡¼¥ëÈÖ¹æ¤ò»ØÄꤷ¤Æ 1 ¤Ä°Ê¾å¤Î¥ë¡¼¥ë¤òÁÞÆþ¤¹¤ë¡£
+¥ë¡¼¥ëÈֹ椬 1 ¤Î¾ì¹ç¡¢¥ë¡¼¥ë¤Ï¥Á¥§¥¤¥ó¤ÎÀèƬ¤ËÁÞÆþ¤µ¤ì¤ë¡£
+¤³¤ì¤Ï¥ë¡¼¥ëÈֹ椬»ØÄꤵ¤ì¤Ê¤¤¾ì¹ç¤Î¥Ç¥Õ¥©¥ë¥È¤Ç¤â¤¢¤ë¡£
+.TP
+.\"O .BI "-R, --replace " "chain rulenum rule-specification"
+.BI "-R, --replace " "¥Á¥§¥¤¥ó ¥ë¡¼¥ëÈÖ¹æ ¥ë¡¼¥ë¤Î¾ÜºÙ"
+.\"O Replace a rule in the selected chain. If the source and/or
+.\"O destination names resolve to multiple addresses, the command will
+.\"O fail. Rules are numbered starting at 1.
+ÁªÂò¤µ¤ì¤¿¥Á¥§¥¤¥ó¤Ç¥ë¡¼¥ë¤òÃÖ´¹¤¹¤ë¡£
+Á÷¿®¸µ¤äÁ÷¿®Àè¤Î̾Á°¤¬ 1 ¤Ä°Ê¾å¤Î¥¢¥É¥ì¥¹¤Ë²ò·è¤µ¤ì¤¿¾ì¹ç¤Ï¡¢
+¤³¤Î¥³¥Þ¥ó¥É¤Ï¼ºÇÔ¤¹¤ë¡£¥ë¡¼¥ëÈÖ¹æ¤Ï 1 ¤«¤é¤Ï¤¸¤Þ¤ë¡£
+.TP
+.\"O .BR "-L, --list " "[\fIchain\fP]"
+.BR "-L, --list " "[\fI¥Á¥§¥¤¥ó\fP]"
+.\"O List all rules in the selected chain. If no chain is selected, all
+.\"O chains are listed. As every other iptables command, it applies to the
+.\"O specified table (filter is the default), so NAT rules get listed by
+ÁªÂò¤µ¤ì¤¿¥Á¥§¥¤¥ó¤Ë¤¢¤ëÁ´¤Æ¤Î¥ë¡¼¥ë¤ò°ìÍ÷ɽ¼¨¤¹¤ë¡£
+¥Á¥§¥¤¥ó¤¬»ØÄꤵ¤ì¤Ê¤¤¾ì¹ç¡¢Á´¤Æ¤Î¥Á¥§¥¤¥ó¤Ë¤¢¤ë¥ê¥¹¥È¤¬°ìÍ÷ɽ¼¨¤µ¤ì¤ë¡£
+¾¤Î³Æ iptables ¥³¥Þ¥ó¥É¤ÈƱÍͤˡ¢»ØÄꤵ¤ì¤¿¥Æ¡¼¥Ö¥ë
+(¥Ç¥Õ¥©¥ë¥È¤Ï filter) ¤ËÂФ·¤ÆºîÍѤ¹¤ë¡£
+¤è¤Ã¤Æ NAT ¥ë¡¼¥ë¤òɽ¼¨¤¹¤ë¤Ë¤Ï°Ê²¼¤Î¤è¤¦¤Ë¤¹¤ë¡£
+.nf
+ iptables -t nat -n -L
+.fi
+.\"O Please note that it is often used with the
+.\"O .B -n
+.\"O option, in order to avoid long reverse DNS lookups.
+DNS¤ÎµÕ°ú¤¤òÈò¤±¤ë¤¿¤á¤Ë¡¢¤è¤¯
+.B -n
+¥ª¥×¥·¥ç¥ó¤È¶¦¤Ë»ÈÍѤµ¤ì¤ë¡£
+.\"O It is legal to specify the
+.\"O .B -Z
+.\"O (zero) option as well, in which case the chain(s) will be atomically
+.\"O listed and zeroed. The exact output is affected by the other
+.\"O arguments given. The exact rules are suppressed until you use
+.\"O .br
+.\"O iptables -L -v
+.\"O .br
+.B -Z
+(¥¼¥í²½) ¥ª¥×¥·¥ç¥ó¤òƱ»þ¤Ë»ØÄꤹ¤ë¤³¤È¤â¤Ç¤¤ë¡£
+¤³¤Î¾ì¹ç¡¢¥Á¥§¥¤¥ó¤ÏÍ×ÁÇËè¤Ë¥ê¥¹¥È¤µ¤ì¤Æ¡¢
+(ÌõÃð: ¥Ñ¥±¥Ã¥È¥«¥¦¥ó¥¿¤È¥Ð¥¤¥È¥«¥¦¥ó¥¿¤¬) ¥¼¥í¤Ë¤µ¤ì¤ë¡£
+½ÐÎÏɽ¼¨¤ÏƱ»þ¤ËÍ¿¤¨¤é¤ì¤¿Â¾¤Î°ú¤¿ô¤Ë±Æ¶Á¤µ¤ì¤ë¡£
+.nf
+ iptables -L -v
+.fi
+¤ò»È¤ï¤Ê¤¤¸Â¤ê (ÌõÃí: -v ¥ª¥×¥·¥ç¥ó¤ò»ØÄꤷ¤Ê¤¤¸Â¤ê)¡¢
+¼ÂºÝ¤Î¥ë¡¼¥ë¤½¤Î¤â¤Î¤Ïɽ¼¨¤µ¤ì¤Ê¤¤¡£
+.TP
+.\"O .BR "-F, --flush " "[\fIchain\fP]"
+.BR "-F, --flush " "[\fI¥Á¥§¥¤¥ó\fP]"
+.\"O Flush the selected chain (all the chains in the table if none is given).
+.\"O This is equivalent to deleting all the rules one by one.
+ÁªÂò¤µ¤ì¤¿¥Á¥§¥¤¥ó(²¿¤â»ØÄꤷ¤Ê¤±¤ì¤Ð¥Æ¡¼¥Ö¥ëÆâ¤ÎÁ´¤Æ¤Î¥Á¥§¥¤¥ó)
+¤ÎÆâÍƤòÁ´¾Ãµî¤¹¤ë¡£
+¤³¤ì¤ÏÁ´¤Æ¤Î¥ë¡¼¥ë¤ò 1 ¸Ä¤º¤Äºï½ü¤¹¤ë¤Î¤ÈƱ¤¸¤Ç¤¢¤ë¡£
+.TP
+.\"O .BR "-Z, --zero " "[\fIchain\fP]"
+.BR "-Z, --zero " "[\fI¥Á¥§¥¤¥ó\fP]"
+.\"O Zero the packet and byte counters in all chains. It is legal to
+.\"O specify the
+.\"O .B "-L, --list"
+.\"O (list) option as well, to see the counters immediately before they are
+.\"O cleared. (See above.)
+¤¹¤Ù¤Æ¤Î¥Á¥§¥¤¥ó¤Î¥Ñ¥±¥Ã¥È¥«¥¦¥ó¥¿¤È¥Ð¥¤¥È¥«¥¦¥ó¥¿¤ò¥¼¥í¤Ë¤¹¤ë¡£
+¥¯¥ê¥¢¤µ¤ì¤ëľÁ°¤Î¥«¥¦¥ó¥¿¤ò¸«¤ë¤¿¤á¤Ë¡¢
+.B "-L, --list"
+(°ìÍ÷ɽ¼¨) ¥ª¥×¥·¥ç¥ó¤ÈƱ»þ¤Ë»ØÄꤹ¤ë¤³¤È¤â¤Ç¤¤ë (¾åµ¤ò»²¾È)¡£
+.TP
+.\"O .BI "-N, --new-chain " "chain"
+.BI "-N, --new-chain " "¥Á¥§¥¤¥ó"
+.\"O Create a new user-defined chain by the given name. There must be no
+.\"O target of that name already.
+»ØÄꤷ¤¿Ì¾Á°¤Ç¥æ¡¼¥¶¡¼ÄêµÁ¥Á¥§¥¤¥ó¤òºîÀ®¤¹¤ë¡£
+Ʊ¤¸Ì¾Á°¤Î¥¿¡¼¥²¥Ã¥È¤¬´û¤Ë¸ºß¤·¤Æ¤Ï¤Ê¤é¤Ê¤¤¡£
+.TP
+.\"O .BR "-X, --delete-chain " "[\fIchain\fP]"
+.BR "-X, --delete-chain " "[\fI¥Á¥§¥¤¥ó\fP]"
+.\"O Delete the optional user-defined chain specified. There must be no references
+.\"O to the chain. If there are, you must delete or replace the referring
+.\"O rules before the chain can be deleted. If no argument is given, it
+.\"O will attempt to delete every non-builtin chain in the table.
+»ØÄꤷ¤¿¥æ¡¼¥¶¡¼ÄêµÁ¥Á¥§¥¤¥ó¤òºï½ü¤¹¤ë¡£
+¤½¤Î¥Á¥§¥¤¥ó¤¬»²¾È¤µ¤ì¤Æ¤¤¤Æ¤Ï¤Ê¤é¤Ê¤¤¡£
+¥Á¥§¥¤¥ó¤òºï½ü¤¹¤ëÁ°¤Ë¡¢¤½¤Î¥Á¥§¥¤¥ó¤ò»²¾È¤·¤Æ¤¤¤ë¥ë¡¼¥ë¤ò
+ºï½ü¤¹¤ë¤«ÃÖ¤´¹¤¨¤ë¤«¤·¤Ê¤±¤ì¤Ð¤Ê¤é¤Ê¤¤¡£
+°ú¤¿ô¤¬Í¿¤¨¤é¤ì¤Ê¤¤¾ì¹ç¡¢¥Æ¡¼¥Ö¥ë¤Ë¤¢¤ë¥Á¥§¥¤¥ó¤Î¤¦¤Á
+ÁȤ߹þ¤ßºÑ¤ß¥Á¥§¥¤¥ó¤Ç¤Ê¤¤¤â¤Î¤òÁ´¤Æºï½ü¤¹¤ë¡£
+.TP
+.\"O .BI "-P, --policy " "chain target"
+.BI "-P, --policy " "¥Á¥§¥¤¥ó ¥¿¡¼¥²¥Ã¥È"
+.\"O Set the policy for the chain to the given target. See the section
+.\"O .B TARGETS
+.\"O for the legal targets. Only built-in (non-user-defined) chains can have
+.\"O policies, and neither built-in nor user-defined chains can be policy
+.\"O targets.
+¥Á¥§¥¤¥ó¤Î¥Ý¥ê¥·¡¼¤ò¡¢»ØÄꤷ¤¿¥¿¡¼¥²¥Ã¥È¤ËÀßÄꤹ¤ë¡£
+»ØÄê²Äǽ¤Ê¥¿¡¼¥²¥Ã¥È¤Ï¡Ö\fB¥¿¡¼¥²¥Ã¥È\fR¡×¤Î¾Ï¤ò»²¾È¤¹¤ë¤³¤È¡£
+(¥æ¡¼¥¶¡¼ÄêµÁ¤Ç¤Ï¤Ê¤¤)ÁȤ߹þ¤ßºÑ¤ß¥Á¥§¥¤¥ó¤Ë¤·¤«¥Ý¥ê¥·¡¼¤ÏÀßÄê¤Ç¤¤Ê¤¤¡£
+¤Þ¤¿¡¢ÁȤ߹þ¤ßºÑ¤ß¥Á¥§¥¤¥ó¤â¥æ¡¼¥¶¡¼ÄêµÁ¥Á¥§¥¤¥ó¤â
+¥Ý¥ê¥·¡¼¤Î¥¿¡¼¥²¥Ã¥È¤ËÀßÄꤹ¤ë¤³¤È¤Ï¤Ç¤¤Ê¤¤¡£
+.TP
+.\"O .BI "-E, --rename-chain " "old-chain new-chain"
+.BI "-E, --rename-chain " "µì¥Á¥§¥¤¥ó̾ ¿·¥Á¥§¥¤¥ó̾"
+.\"O Rename the user specified chain to the user supplied name. This is
+.\"O cosmetic, and has no effect on the structure of the table.
+¥æ¡¼¥¶¡¼ÄêµÁ¥Á¥§¥¤¥ó¤ò»ØÄꤷ¤¿Ì¾Á°¤ËÊѹ¹¤¹¤ë¡£
+¤³¤ì¤Ï¸«¤¿ÌܤÀ¤±¤ÎÊѹ¹¤Ê¤Î¤Ç¡¢¥Æ¡¼¥Ö¥ë¤Î¹½Â¤¤Ë¤Ï²¿¤â±Æ¶Á¤·¤Ê¤¤¡£
+.TP
+.B -h
+.\"O Help.
+.\"O Give a (currently very brief) description of the command syntax.
+¥Ø¥ë¥×¡£
+(º£¤Î¤È¤³¤í¤Ï¤È¤Æ¤â´Êñ¤Ê) ¥³¥Þ¥ó¥É½ñ¼°¤ÎÀâÌÀ¤òɽ¼¨¤¹¤ë¡£
+.\"O .SS PARAMETERS
+.SS ¥Ñ¥é¥á¡¼¥¿
+.\"O The following parameters make up a rule specification (as used in the
+.\"O add, delete, insert, replace and append commands).
+°Ê²¼¤Î¥Ñ¥é¥á¡¼¥¿¤Ï (add, delete, insert,
+replace, append ¥³¥Þ¥ó¥É¤ÇÍѤ¤¤é¤ì¤Æ) ¥ë¡¼¥ë¤Î»ÅÍͤò·è¤á¤ë¡£
+.TP
+.BR "-p, --protocol " "[!] \fIprotocol\fP"
+.\"O The protocol of the rule or of the packet to check.
+.\"O The specified protocol can be one of
+.\"O .IR tcp ,
+.\"O .IR udp ,
+.\"O .IR icmp ,
+.\"O or
+.\"O .IR all ,
+.\"O or it can be a numeric value, representing one of these protocols or a
+.\"O different one. A protocol name from /etc/protocols is also allowed.
+¥ë¡¼¥ë¤Ç»È¤ï¤ì¤ë¥×¥í¥È¥³¥ë¡¢¤Þ¤¿¤Ï¥Á¥§¥Ã¥¯¤µ¤ì¤ë¥Ñ¥±¥Ã¥È¤Î¥×¥í¥È¥³¥ë¡£
+»ØÄê¤Ç¤¤ë¥×¥í¥È¥³¥ë¤Ï¡¢
+.IR tcp ,
+.IR udp ,
+.IR icmp ,
+.I all
+¤Î¤¤¤º¤ì¤« 1 ¤Ä¤«¡¢¿ôÃͤǤ¢¤ë¡£
+¿ôÃͤˤϡ¢¤³¤ì¤é¤Î¥×¥í¥È¥³¥ë¤Î¤É¤ì¤«¤Ê¤¤¤·Ê̤Υץí¥È¥³¥ë¤òɽ¤¹
+¿ôÃͤò»ØÄꤹ¤ë¤³¤È¤¬¤Ç¤¤ë¡£
+/etc/protocols ¤Ë¤¢¤ë¥×¥í¥È¥³¥ë̾¤â»ØÄê¤Ç¤¤ë¡£
+.\"O A "!" argument before the protocol inverts the
+.\"O test. The number zero is equivalent to
+.\"O .IR all .
+.\"O Protocol
+.\"O .I all
+.\"O will match with all protocols and is taken as default when this
+.\"O option is omitted.
+¥×¥í¥È¥³¥ë¤ÎÁ°¤Ë "!" ¤òÃÖ¤¯¤È¡¢¤½¤Î¥×¥í¥È¥³¥ë¤ò½ü³°¤¹¤ë¤È¤¤¤¦°ÕÌ£¤Ë¤Ê¤ë¡£
+¿ôÃÍ 0 ¤Ï
+.I all
+¤ÈÅù¤·¤¤¡£
+¥×¥í¥È¥³¥ë
+.I all
+¤ÏÁ´¤Æ¤Î¥×¥í¥È¥³¥ë¤È¥Þ¥Ã¥Á¤·¡¢
+¤³¤Î¥ª¥×¥·¥ç¥ó¤¬¾Êά¤µ¤ì¤¿ºÝ¤Î¥Ç¥Õ¥©¥ë¥È¤Ç¤¢¤ë¡£
+.TP
+.BR "-s, --source " "[!] \fIaddress\fP[/\fImask\fP]"
+.\"O Source specification.
+.\"O .I Address
+.\"O can be either a network name, a hostname (please note that specifying
+.\"O any name to be resolved with a remote query such as DNS is a really bad idea),
+.\"O a network IP address (with /mask), or a plain IP address.
+Á÷¿®¸µ¤Î»ØÄê¡£
+.I address
+¤Ï¥Û¥¹¥È̾
+(DNS ¤Î¤è¤¦¤Ê¥ê¥â¡¼¥È¤Ø¤ÎÌ䤤¹ç¤ï¤»¤Ç²ò·è¤¹¤ë̾Á°¤ò»ØÄꤹ¤ë¤Î¤ÏÈó¾ï¤ËÎɤ¯¤Ê¤¤)
+¡¦¥Í¥Ã¥È¥ï¡¼¥¯ IP ¥¢¥É¥ì¥¹ (/mask ¤ò»ØÄꤹ¤ë)¡¦
+Ä̾ï¤Î IP ¥¢¥É¥ì¥¹¡¢¤Î¤¤¤º¤ì¤«¤Ç¤¢¤ë¡£
+.\"O The
+.\"O .I mask
+.\"O can be either a network mask or a plain number,
+.\"O specifying the number of 1's at the left side of the network mask.
+.I mask
+¤Ï¥Í¥Ã¥È¥ï¡¼¥¯¥Þ¥¹¥¯¤«¡¢
+¥Í¥Ã¥È¥ï¡¼¥¯¥Þ¥¹¥¯¤Îº¸Â¦¤Ë¤¢¤ë 1 ¤Î¿ô¤ò»ØÄꤹ¤ë¿ôÃͤǤ¢¤ë¡£
+.\"O Thus, a mask of
+.\"O .I 24
+.\"O is equivalent to
+.\"O .IR 255.255.255.0 .
+¤Ä¤Þ¤ê¡¢
+.I 24
+¤È¤¤¤¦ mask ¤Ï
+.I 255.255.255.0
+¤ËÅù¤·¤¤¡£
+.\"O A "!" argument before the address specification inverts the sense of
+.\"O the address. The flag
+.\"O .B --src
+.\"O is an alias for this option.
+¥¢¥É¥ì¥¹»ØÄê¤ÎÁ°¤Ë "!" ¤òÃÖ¤¯¤È¡¢¤½¤Î¥¢¥É¥ì¥¹¤ò½ü³°¤¹¤ë¤È¤¤¤¦°ÕÌ£¤Ë¤Ê¤ë¡£
+¥Õ¥é¥°
+.B --src
+¤Ï¡¢¤³¤Î¥ª¥×¥·¥ç¥ó¤ÎÊÌ̾¤Ç¤¢¤ë¡£
+.TP
+.BR "-d, --destination " "[!] \fIaddress\fP[/\fImask\fP]"
+.\"O Destination specification.
+.\"O See the description of the
+.\"O .B -s
+.\"O (source) flag for a detailed description of the syntax. The flag
+.\"O .B --dst
+.\"O is an alias for this option.
+Á÷¿®Àè¤Î»ØÄê¡£
+½ñ¼°¤Î¾Ü¤·¤¤ÀâÌÀ¤Ë¤Ä¤¤¤Æ¤Ï¡¢
+.B -s
+(Á÷¿®¸µ) ¥Õ¥é¥°¤ÎÀâÌÀ¤ò»²¾È¤¹¤ë¤³¤È¡£
+¥Õ¥é¥°
+.B --dst
+¤Ï¡¢¤³¤Î¥ª¥×¥·¥ç¥ó¤ÎÊÌ̾¤Ç¤¢¤ë¡£
+.TP
+.BI "-j, --jump " "target"
+.\"O This specifies the target of the rule; i.e., what to do if the packet
+.\"O matches it. The target can be a user-defined chain (other than the
+.\"O one this rule is in), one of the special builtin targets which decide
+.\"O the fate of the packet immediately, or an extension (see
+.\"O .B EXTENSIONS
+.\"O below). If this
+.\"O option is omitted in a rule, then matching the rule will have no
+.\"O effect on the packet's fate, but the counters on the rule will be
+.\"O incremented.
+¥ë¡¼¥ë¤Î¥¿¡¼¥²¥Ã¥È¡¢¤Ä¤Þ¤ê¡¢
+¥Ñ¥±¥Ã¥È¤¬¥Þ¥Ã¥Á¤·¤¿¾ì¹ç¤Ë¤É¤¦¤¹¤ë¤«¤ò»ØÄꤹ¤ë¡£
+¥¿¡¼¥²¥Ã¥È¤Ï¥æ¡¼¥¶¡¼ÄêµÁ¥Á¥§¥¤¥ó
+(¤½¤Î¥ë¡¼¥ë¼«¿È¤¬Æþ¤Ã¤Æ¤¤¤ë¥Á¥§¥¤¥ó°Ê³°) ¤Ç¤â¡¢
+¥Ñ¥±¥Ã¥È¤Î¹ÔÊý¤ò¨»þ¤Ë·èÄꤹ¤ëÆÃÊ̤ÊÁȤ߹þ¤ßºÑ¤ß¥¿¡¼¥²¥Ã¥È¤Ç¤â¡¢
+³ÈÄ¥¤µ¤ì¤¿¥¿¡¼¥²¥Ã¥È (°Ê²¼¤Î
+.RB ¡Ö ¥¿¡¼¥²¥Ã¥È¤Î³ÈÄ¥ ¡×
+¤ò»²¾È) ¤Ç¤â¤è¤¤¡£
+¤³¤Î¥ª¥×¥·¥ç¥ó¤¬¥ë¡¼¥ë¤Ë»ØÄꤵ¤ì¤Ê¤«¤Ã¤¿¾ì¹ç¤Ï¡¢
+¥ë¡¼¥ë¤Ë¥Þ¥Ã¥Á¤·¤Æ¤â¥Ñ¥±¥Ã¥È¤Î¹ÔÊý¤Ë²¿¤â±Æ¶Á¤·¤Ê¤¤¤¬¡¢
+¥ë¡¼¥ë¤Î¥«¥¦¥ó¥¿¤Ï 1 ¤Ä²Ã»»¤µ¤ì¤ë¡£
+.TP
+.BR "-i, --in-interface " "[!] \fIname\fP"
+.\"O Name of an interface via which a packet is going to be received (only for
+.\"O packets entering the
+.\"O .BR INPUT ,
+.\"O .B FORWARD
+.\"O and
+.\"O .B PREROUTING
+.\"O chains).
+¥Ñ¥±¥Ã¥È¤ò¼õ¿®¤¹¤ë¤³¤È¤Ë¤Ê¤ë¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹Ì¾
+.RB ( INPUT ,
+.BR FORWARD ,
+.B PREROUTING
+¥Á¥§¥¤¥ó¤ËÆþ¤ë¥Ñ¥±¥Ã¥È¤Î¤ß)¡£
+.\"O When the "!" argument is used before the interface name, the
+.\"O sense is inverted. If the interface name ends in a "+", then any
+.\"O interface which begins with this name will match. If this option is
+.\"O omitted, any interface name will match.
+¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹Ì¾¤ÎÁ°¤Ë "!" ¤òÃÖ¤¯¤È¡¢
+¤½¤Î¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹¤ò½ü³°¤¹¤ë¤È¤¤¤¦°ÕÌ£¤Ë¤Ê¤ë¡£
+¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹Ì¾¤¬ "+" ¤Ç½ª¤Ã¤Æ¤¤¤ë¾ì¹ç¡¢
+¤½¤Î̾Á°¤Ç»Ï¤Þ¤ëǤ°Õ¤Î¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹Ì¾¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
+¤³¤Î¥ª¥×¥·¥ç¥ó¤¬¾Êά¤µ¤ì¤¿¾ì¹ç¡¢
+Ǥ°Õ¤Î¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹Ì¾¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
+.TP
+.BR "-o, --out-interface " "[!] \fIname\fP"
+.\"O Name of an interface via which a packet is going to be sent (for packets
+.\"O entering the
+.\"O .BR FORWARD ,
+.\"O .B OUTPUT
+.\"O and
+.\"O .B POSTROUTING
+.\"O chains).
+¥Ñ¥±¥Ã¥È¤òÁ÷¿®¤¹¤ë¤³¤È¤Ë¤Ê¤ë¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹Ì¾
+.RB ( FORWARD ,
+.BR OUTPUT ,
+.B POSTROUTING
+¥Á¥§¥¤¥ó¤ËÆþ¤ë¥Ñ¥±¥Ã¥È¤Î¤ß)¡£
+.\"O When the "!" argument is used before the interface name, the
+.\"O sense is inverted. If the interface name ends in a "+", then any
+.\"O interface which begins with this name will match. If this option is
+.\"O omitted, any interface name will match.
+¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹Ì¾¤ÎÁ°¤Ë "!" ¤òÃÖ¤¯¤È¡¢
+¤½¤Î¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹¤ò½ü³°¤¹¤ë¤È¤¤¤¦°ÕÌ£¤Ë¤Ê¤ë¡£
+¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹Ì¾¤¬ "+" ¤Ç½ª¤Ã¤Æ¤¤¤ë¾ì¹ç¡¢
+¤½¤Î̾Á°¤Ç»Ï¤Þ¤ëǤ°Õ¤Î¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹Ì¾¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
+¤³¤Î¥ª¥×¥·¥ç¥ó¤¬¾Êά¤µ¤ì¤¿¾ì¹ç¡¢
+Ǥ°Õ¤Î¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹Ì¾¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
+.TP
+.B "[!] " "-f, --fragment"
+.\"O This means that the rule only refers to second and further fragments
+.\"O of fragmented packets. Since there is no way to tell the source or
+.\"O destination ports of such a packet (or ICMP type), such a packet will
+.\"O not match any rules which specify them. When the "!" argument
+.\"O precedes the "-f" flag, the rule will only match head fragments, or
+.\"O unfragmented packets.
+¤³¤Î¥ª¥×¥·¥ç¥ó¤Ï¡¢Ê¬³ä¤µ¤ì¤¿¥Ñ¥±¥Ã¥È (fragmented packet) ¤Î¤¦¤Á
+2 ÈÖÌܰʹߤΥѥ±¥Ã¥È¤À¤±¤ò»²¾È¤¹¤ë¥ë¡¼¥ë¤Ç¤¢¤ë¤³¤È¤ò°ÕÌ£¤¹¤ë¡£
+¤³¤Î¤è¤¦¤Ê¥Ñ¥±¥Ã¥È (¤Þ¤¿¤Ï ICMP ¥¿¥¤¥×¤Î¥Ñ¥±¥Ã¥È) ¤Ï
+Á÷¿®¸µ¡¦Á÷¿®Àè¥Ý¡¼¥È¤òÃΤëÊýË¡¤¬¤Ê¤¤¤Î¤Ç¡¢
+Á÷¿®¸µ¤äÁ÷¿®Àè¤ò»ØÄꤹ¤ë¤è¤¦¤Ê¥ë¡¼¥ë¤Ë¤Ï¥Þ¥Ã¥Á¤·¤Ê¤¤¡£
+"-f" ¥Õ¥é¥°¤ÎÁ°¤Ë "!" ¤òÃÖ¤¯¤È¡¢
+ʬ³ä¤µ¤ì¤¿¥Ñ¥±¥Ã¥È¤Î¤¦¤ÁºÇ½é¤Î¤â¤Î¤«¡¢
+ʬ³ä¤µ¤ì¤Æ¤¤¤Ê¤¤¥Ñ¥±¥Ã¥È¤À¤±¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
+.TP
+.BI "-c, --set-counters " "PKTS BYTES"
+.\"O This enables the administrator to initialize the packet and byte
+.\"O counters of a rule (during
+.\"O .B INSERT,
+.\"O .B APPEND,
+.\"O .B REPLACE
+.\"O operations).
+¤³¤Î¥ª¥×¥·¥ç¥ó¤ò»È¤¦¤È¡¢
+.RB ( insert ,
+.BR append ,
+.B replace
+Áàºî¤Ë¤ª¤¤¤Æ) ´ÉÍý¼Ô¤Ï¥Ñ¥±¥Ã¥È¥«¥¦¥ó¥¿¤È¥Ð¥¤¥È¥«¥¦¥ó¥¿¤ò
+½é´ü²½¤¹¤ë¤³¤È¤¬¤Ç¤¤ë¡£
+.\"O .SS "OTHER OPTIONS"
+.SS ¤½¤Î¾¤Î¥ª¥×¥·¥ç¥ó
+.\"O The following additional options can be specified:
+¤½¤Î¾¤Ë°Ê²¼¤Î¥ª¥×¥·¥ç¥ó¤ò»ØÄꤹ¤ë¤³¤È¤¬¤Ç¤¤ë:
+.TP
+.B "-v, --verbose"
+.\"O Verbose output. This option makes the list command show the interface
+.\"O name, the rule options (if any), and the TOS masks. The packet and
+.\"O byte counters are also listed, with the suffix 'K', 'M' or 'G' for
+.\"O 1000, 1,000,000 and 1,000,000,000 multipliers respectively (but see
+.\"O the
+.\"O .B -x
+.\"O flag to change this).
+.\"O For appending, insertion, deletion and replacement, this causes
+.\"O detailed information on the rule or rules to be printed.
+¾ÜºÙ¤Ê½ÐÎϤò¹Ô¤¦¡£
+list ¥³¥Þ¥ó¥É¤ÎºÝ¤Ë¡¢¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹Ì¾¡¦
+(¤â¤·¤¢¤ì¤Ð) ¥ë¡¼¥ë¤Î¥ª¥×¥·¥ç¥ó¡¦TOS ¥Þ¥¹¥¯¤òɽ¼¨¤µ¤»¤ë¡£
+¥Ñ¥±¥Ã¥È¤È¥Ð¥¤¥È¥«¥¦¥ó¥¿¤âɽ¼¨¤µ¤ì¤ë¡£
+ź»ú 'K', 'M', 'G' ¤Ï¡¢
+¤½¤ì¤¾¤ì 1000, 1,000,000, 1,000,000,000 Çܤòɽ¤¹
+(¤³¤ì¤òÊѹ¹¤¹¤ë
+.B -x
+¥Õ¥é¥°¤â¸«¤è)¡£
+¤³¤Î¥ª¥×¥·¥ç¥ó¤ò append, insert, delete, replace ¥³¥Þ¥ó¥É¤ËŬÍѤ¹¤ë¤È¡¢
+¥ë¡¼¥ë¤Ë¤Ä¤¤¤Æ¤Î¾ÜºÙ¤Ê¾ðÊó¤òɽ¼¨¤¹¤ë¡£
+.TP
+.B "-n, --numeric"
+.\"O Numeric output.
+.\"O IP addresses and port numbers will be printed in numeric format.
+.\"O By default, the program will try to display them as host names,
+.\"O network names, or services (whenever applicable).
+¿ôÃͤˤè¤ë½ÐÎϤò¹Ô¤¦¡£
+IP ¥¢¥É¥ì¥¹¤ä¥Ý¡¼¥ÈÈÖ¹æ¤ò¿ôÃͤˤè¤ë¥Õ¥©¡¼¥Þ¥Ã¥È¤Çɽ¼¨¤¹¤ë¡£
+¥Ç¥Õ¥©¥ë¥È¤Ç¤Ï¡¢iptables ¤Ï (²Äǽ¤Ç¤¢¤ì¤Ð) ¤³¤ì¤é¤Î¾ðÊó¤ò
+¥Û¥¹¥È̾¡¦¥Í¥Ã¥È¥ï¡¼¥¯Ì¾¡¦¥µ¡¼¥Ó¥¹Ì¾¤Çɽ¼¨¤·¤è¤¦¤È¤¹¤ë¡£
+.TP
+.B "-x, --exact"
+.\"O Expand numbers.
+.\"O Display the exact value of the packet and byte counters,
+.\"O instead of only the rounded number in K's (multiples of 1000)
+.\"O M's (multiples of 1000K) or G's (multiples of 1000M). This option is
+.\"O only relevant for the
+.\"O .B -L
+.\"O command.
+¸·Ì©¤Ê¿ôÃͤÇɽ¼¨¤¹¤ë¡£
+¥Ñ¥±¥Ã¥È¥«¥¦¥ó¥¿¤È¥Ð¥¤¥È¥«¥¦¥ó¥¿¤ò¡¢
+K (1000 ¤Î²¿Çܤ«)¡¦M (1000K ¤Î²¿Çܤ«)¡¦G (1000M ¤Î²¿Çܤ«) ¤Ç¤Ï¤Ê¤¯¡¢
+¸·Ì©¤ÊÃͤÇɽ¼¨¤¹¤ë¡£
+¤³¤Î¥ª¥×¥·¥ç¥ó¤Ï¡¢
+.B -L
+¥³¥Þ¥ó¥É¤È¤·¤«´Ø·¸¤·¤Ê¤¤¡£
+.TP
+.B "--line-numbers"
+.\"O When listing rules, add line numbers to the beginning of each rule,
+.\"O corresponding to that rule's position in the chain.
+¥ë¡¼¥ë¤ò°ìÍ÷ɽ¼¨¤¹¤ëºÝ¡¢¤½¤Î¥ë¡¼¥ë¤¬¥Á¥§¥¤¥ó¤Î¤É¤Î°ÌÃ֤ˤ¢¤ë¤«¤òɽ¤¹
+¹ÔÈÖ¹æ¤ò³Æ¹Ô¤Î»Ï¤á¤ËÉղ乤롣
+.TP
+.B "--modprobe=command"
+.\"O When adding or inserting rules into a chain, use
+.\"O .B command
+.\"O to load any necessary modules (targets, match extensions, etc).
+¥Á¥§¥¤¥ó¤Ë¥ë¡¼¥ë¤òÄɲäޤ¿¤ÏÁÞÆþ¤¹¤ëºÝ¤Ë¡¢
+(¥¿¡¼¥²¥Ã¥È¤ä¥Þ¥Ã¥Á¥ó¥°¤Î³ÈÄ¥¤Ê¤É¤Ç) ɬÍפʥ⥸¥å¡¼¥ë¤ò¥í¡¼¥É¤¹¤ë¤¿¤á¤Ë»È¤¦
+.B command
+¤ò»ØÄꤹ¤ë¡£
+.\"O .SH MATCH EXTENSIONS
+.SH ¥Þ¥Ã¥Á¥ó¥°¤Î³ÈÄ¥
+.\"O iptables can use extended packet matching modules. These are loaded
+.\"O in two ways: implicitly, when
+.\"O .B -p
+.\"O or
+.\"O .B --protocol
+.\"O is specified, or with the
+.\"O .B -m
+.\"O or
+.\"O .B --match
+.\"O options, followed by the matching module name;
+iptables ¤Ï³ÈÄ¥¤µ¤ì¤¿¥Ñ¥±¥Ã¥È¥Þ¥Ã¥Á¥ó¥°¥â¥¸¥å¡¼¥ë¤ò»È¤¦¤³¤È¤¬¤Ç¤¤ë¡£
+¤³¤ì¤é¤Î¥â¥¸¥å¡¼¥ë¤Ï 2 ¼ïÎà¤ÎÊýË¡¤Ç¥í¡¼¥É¤µ¤ì¤ë:
+¥â¥¸¥å¡¼¥ë¤Ï¡¢
+.B -p
+¤Þ¤¿¤Ï
+.B --protocol
+¤Ç°ÅÌۤΤ¦¤Á¤Ë»ØÄꤵ¤ì¤ë¤«¡¢
+.B -m
+¤Þ¤¿¤Ï
+.B --match
+¤Î¸å¤Ë¥â¥¸¥å¡¼¥ë̾¤ò³¤±¤Æ»ØÄꤵ¤ì¤ë¡£
+.\"O after these, various
+.\"O extra command line options become available, depending on the specific
+.\"O module. You can specify multiple extended match modules in one line,
+.\"O and you can use the
+.\"O .B -h
+.\"O or
+.\"O .B --help
+.\"O options after the module has been specified to receive help specific
+.\"O to that module.
+¤³¤ì¤é¤Î¥â¥¸¥å¡¼¥ë¤Î¸å¤í¤Ë¤Ï¡¢¥â¥¸¥å¡¼¥ë¤Ë±þ¤¸¤Æ
+¾¤Î¤¤¤í¤¤¤í¤Ê¥³¥Þ¥ó¥É¥é¥¤¥ó¥ª¥×¥·¥ç¥ó¤ò»ØÄꤹ¤ë¤³¤È¤¬¤Ç¤¤ë¡£
+Ê£¿ô¤Î³ÈÄ¥¥Þ¥Ã¥Á¥ó¥°¥â¥¸¥å¡¼¥ë¤ò°ì¹Ô¤Ç»ØÄꤹ¤ë¤³¤È¤¬¤Ç¤¤ë¡£
+¤Þ¤¿¡¢¥â¥¸¥å¡¼¥ë¤ËÆÃͤΥإë¥×¤òɽ¼¨¤µ¤»¤ë¤¿¤á¤Ë¤Ï¡¢
+¥â¥¸¥å¡¼¥ë¤ò»ØÄꤷ¤¿¸å¤Ç
+.B -h
+¤Þ¤¿¤Ï
+.B --help
+¤ò»ØÄꤹ¤ì¤Ð¤è¤¤¡£
+
+.\"O The following are included in the base package, and most of these can
+.\"O be preceded by a
+.\"O .B !
+.\"O to invert the sense of the match.
+°Ê²¼¤Î³ÈÄ¥¤¬¥Ù¡¼¥¹¥Ñ¥Ã¥±¡¼¥¸¤Ë´Þ¤Þ¤ì¤Æ¤¤¤ë¡£
+ÂçÉôʬ¤Î¤â¤Î¤Ï¡¢
+.B !
+¤òÁ°¤Ë¤ª¤¯¤³¤È¤Ë¤è¤Ã¤Æ
+¥Þ¥Ã¥Á¥ó¥°¤Î°ÕÌ£¤òµÕ¤Ë¤Ç¤¤ë¡£
+.SS ah
+.\"O This module matches the SPIs in AH header of IPSec packets.
+¤³¤Î¥â¥¸¥å¡¼¥ë¤Ï IPSec ¥Ñ¥±¥Ã¥È¤Î AH ¥Ø¥Ã¥À¡¼¤Î SPI Ãͤ˥ޥåÁ¤¹¤ë¡£
+.TP
+.BR "--ahspi " "[!] \fIspi\fP[:\fIspi\fP]"
+.SS conntrack
+.\"O This module, when combined with connection tracking, allows access to
+.\"O more connection tracking information than the "state" match.
+.\"O (this module is present only if iptables was compiled under a kernel
+.\"O supporting this feature)
+¤³¤Î¥â¥¸¥å¡¼¥ë¤Ï¡¢ÀܳÄÉÀ× (connection tracking) ¤ÈÁȤ߹ç¤ï¤»¤ÆÍѤ¤¤ë¤È¡¢
+"state" ¥Þ¥Ã¥Á¤è¤ê¤â¤µ¤é¤Ë¿¤¯¤Î¡¢
+¥Ñ¥±¥Ã¥È¤Ë¤Ä¤¤¤Æ¤ÎÀܳÄÉÀ×¾õÂÖ¤òÃΤ뤳¤È¤¬¤Ç¤¤ë
+(¤³¤Îµ¡Ç½¤ò¥µ¥Ý¡¼¥È¤·¤¿¥«¡¼¥Í¥ë¤Î¤â¤È¤Ç iptables ¤¬¥³¥ó¥Ñ¥¤¥ë¤µ¤ì¤¿¾ì¹ç
+¤Ë¤Î¤ß¡¢¤³¤Î¥â¥¸¥å¡¼¥ë¤Ï¸ºß¤¹¤ë)¡£
+.TP
+.BI "--ctstate " "state"
+.\"O Where state is a comma separated list of the connection states to
+.\"O match. Possible states are
+.\"O .B INVALID
+.\"O meaning that the packet could not be identified for some reason which
+.\"O includes running out of memory and ICMP errors which don't correspond to any
+.\"O known connection,
+.\"O .B ESTABLISHED
+.\"O meaning that the packet is associated with a connection which has seen
+.\"O packets in both directions,
+state ¤Ï¡¢¥Þ¥Ã¥Á¥ó¥°ÂоݤȤʤ롢¥³¥ó¥Þ¶èÀÚ¤ê¤ÎÀܳ¾õÂ֥ꥹ¥È¤Ç¤¢¤ë¡£
+»ØÄê²Äǽ¤Ê state ¤Ï°Ê²¼¤ÎÄ̤ꡣ
+.BR INVALID :
+¥á¥â¥ê¤ò»È¤¤²Ì¤¿¤·¤¿°Ù¤ä¡¢
+´ûÃΤÎÀܳ¤È¤ÏÂбþ¤·¤Ê¤¤ ICMP ¥¨¥é¡¼¤Ê¤É¡¢
+²¿¤é¤«¤ÎÍýͳ¤Ë¤è¤ê¥Ñ¥±¥Ã¥È¤¬¼±Ê̤Ǥ¤Ê¤¤¡£
+.BR ESTABLISHED :
+¤³¤Î¥Ñ¥±¥Ã¥È¤Ï¡¢²áµîÁÐÊý¸þ¤Ë¥Ñ¥±¥Ã¥È¤¬¤ä¤ê¼è¤ê¤µ¤ì¤¿Àܳ¤Ë°¤¹¤ë¥Ñ¥±¥Ã¥È¤Ç¤¢¤ë¡£
+.\"O .B NEW
+.\"O meaning that the packet has started a new connection, or otherwise
+.\"O associated with a connection which has not seen packets in both
+.\"O directions, and
+.BR NEW :
+¤³¤Î¥Ñ¥±¥Ã¥È¤¬¿·¤·¤¤Àܳ¤ò³«»Ï¤·¤¿¤«¡¢
+ÁÐÊý¸þ¤Ë¤Ï¥Ñ¥±¥Ã¥È¤¬¤ä¤ê¼è¤ê¤µ¤ì¤Æ¤¤¤Ê¤¤Àܳ¤Ë°¤¹¤ë¥Ñ¥±¥Ã¥È¤Ç¤¢¤ë¡£
+.\"O .B RELATED
+.\"O meaning that the packet is starting a new connection, but is
+.\"O associated with an existing connection, such as an FTP data transfer,
+.\"O or an ICMP error.
+.BR RELATED :
+¤³¤Î¥Ñ¥±¥Ã¥È¤¬¿·¤·¤¤Àܳ¤ò³«»Ï¤·¤Æ¤¤¤ë¤¬¡¢
+FTP ¥Ç¡¼¥¿Å¾Á÷¤ä ICMP ¥¨¥é¡¼¤Î¤è¤¦¤Ë¡¢´û¸¤ÎÀܳ¤Ë´Ø·¸¤·¤Æ¤¤¤ë¡£
+.\"O .B SNAT
+.\"O A virtual state, matching if the original source address differs from
+.\"O the reply destination.
+.BR SNAT :
+²¾ÁÛŪ¤Ê¾õÂ֤Ǥ¢¤ê¡¢½ñ¤´¹¤¨Á°¤ÎÁ÷¿®¸µ¥¢¥É¥ì¥¹¤¬±þÅú¤Î°¸À襢¥É¥ì¥¹¤È
+°Û¤Ê¤ë¾ì¹ç¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
+.\"O .B DNAT
+.\"O A virtual state, matching if the original destination differs from the
+.\"O reply source.
+.BR DNAT :
+²¾ÁÛŪ¤Ê¾õÂ֤Ǥ¢¤ê¡¢½ñ¤´¹¤¨Á°¤Î°¸À襢¥É¥ì¥¹¤¬±þÅú¤ÎÁ÷¿®¸µ¥¢¥É¥ì¥¹¤È
+°Û¤Ê¤ë¾ì¹ç¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
+.TP
+.BI "--ctproto " "proto"
+.\"O Protocol to match (by number or name)
+(̾Á°¤Þ¤¿¤Ï¿ôÃͤÇ) »ØÄꤵ¤ì¤¿¥×¥í¥È¥³¥ë¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
+.TP
+.BI "--ctorigsrc " "[!] \fIaddress\fP[/\fImask\fP]"
+.\"O Match against original source address
+½ñ¤´¹¤¨Á°¤ÎÁ÷¿®¸µ¥¢¥É¥ì¥¹¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
+.TP
+.BI "--ctorigdst " "[!] \fIaddress\fP[/\fImask\fP]"
+.\"O Match against original destination address
+½ñ¤´¹¤¨Á°¤Î°¸À襢¥É¥ì¥¹¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
+.TP
+.BI "--ctreplsrc " "[!] \fIaddress\fP[/\fImask\fP]"
+.\"O Match against reply source address
+±þÅú¤ÎÁ÷¿®¸µ¥¢¥É¥ì¥¹¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
+.TP
+.BI "--ctrepldst " "[!] \fIaddress\fB[/\fImask\fP]"
+.\"O Match against reply destination address
+±þÅú¤Î°¸À襢¥É¥ì¥¹¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
+.TP
+.BI "--ctstatus " "[\fINONE|EXPECTED|SEEN_REPLY|ASSURED\fP][,...]"
+.\"O Match against internal conntrack states
+ÀܳÄÉÀפÎÆâÉôŪ¤Ê¾õÂ֤˥ޥåÁ¤¹¤ë¡£
+.TP
+.BI "--ctexpire " "\fItime\fP[\fI:time\fP]"
+.\"O Match remaining lifetime in seconds against given value
+.\"O or range of values (inclusive)
+͸ú´ü´Ö¤Î»Ä¤êÉÿô¡¢¤Þ¤¿¤Ï¤½¤ÎÈÏ°Ï(ξü¤ò´Þ¤à)¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
+.SS dscp
+.\"O This module matches the 6 bit DSCP field within the TOS field in the
+.\"O IP header. DSCP has superseded TOS within the IETF.
+¤³¤Î¥â¥¸¥å¡¼¥ë¤Ï¡¢IP ¥Ø¥Ã¥À¡¼¤Î TOS ¥Õ¥£¡¼¥ë¥ÉÆâ¤Ë¤¢¤ë¡¢
+6 bit ¤Î DSCP ¥Õ¥£¡¼¥ë¥É¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
+IETF ¤Ç¤Ï DSCP ¤¬ TOS ¤Ë¼è¤Ã¤ÆÂå¤ï¤Ã¤¿¡£
+.TP
+.BI "--dscp " "value"
+.\"O Match against a numeric (decimal or hex) value [0-32].
+.\"O motoki: patch [JM:12854]
+(10 ¿Ê¤Þ¤¿¤Ï 16 ¿Ê¤Î) ¿ôÃÍ [0\-63] ¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
+.TP
+.BI "--dscp-class " "\fIDiffServ Class\fP"
+.\"O Match the DiffServ class. This value may be any of the
+.\"O BE, EF, AFxx or CSx classes. It will then be converted
+.\"O into it's according numeric value.
+DiffServ ¥¯¥é¥¹¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
+ÃÍ¤Ï BE, EF, AFxx, CSx ¥¯¥é¥¹¤Î¤¤¤º¤ì¤«¤Ç¤¢¤ë¡£
+¤³¤ì¤é¤Ï¡¢Âбþ¤¹¤ë¿ôÃͤǻØÄꤹ¤ë¤Î¤ÈƱ¤¸¤Ç¤¢¤ë¡£
+.SS esp
+.\"O This module matches the SPIs in ESP header of IPSec packets.
+¤³¤Î¥â¥¸¥å¡¼¥ë¤Ï IPSec ¥Ñ¥±¥Ã¥È¤Î ESP ¥Ø¥Ã¥À¡¼¤Î SPI Ãͤ˥ޥåÁ¤¹¤ë¡£
+.TP
+.BR "--espspi " "[!] \fIspi\fP[:\fIspi\fP]"
+.SS helper
+.\"O This module matches packets related to a specific conntrack-helper.
+¤³¤Î¥â¥¸¥å¡¼¥ë¤Ï¡¢»ØÄꤵ¤ì¤¿ÀܳÄÉÀץإë¥Ñ¡¼¥â¥¸¥å¡¼¥ë¤Ë
+´ØÏ¢¤¹¤ë¥Ñ¥±¥Ã¥È¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
+.TP
+.BI "--helper " "string"
+.\"O Matches packets related to the specified conntrack-helper.
+»ØÄꤵ¤ì¤¿ÀܳÄÉÀץإë¥Ñ¡¼¥â¥¸¥å¡¼¥ë¤Ë
+´ØÏ¢¤¹¤ë¥Ñ¥±¥Ã¥È¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
+.RS
+.PP
+.\"O string can be "ftp" for packets related to a ftp-session on default port.
+.\"O For other ports append -portnr to the value, ie. "ftp-2121".
+¥Ç¥Õ¥©¥ë¥È¤Î¥Ý¡¼¥È¤ò»È¤Ã¤¿ ftp-¥»¥Ã¥·¥ç¥ó¤Ë´ØÏ¢¤¹¤ë¥Ñ¥±¥Ã¥È¤Ç¤Ï¡¢
+string ¤Ë "ftp" ¤È½ñ¤±¤ë¡£
+¾¤Î¥Ý¡¼¥È¤Ç¤Ï "\-¥Ý¡¼¥ÈÈÖ¹æ" ¤òÃͤËÉÕ¤±²Ã¤¨¤ë¡£
+¤¹¤Ê¤ï¤Á "ftp-2121" ¤È¤Ê¤ë¡£
+.PP
+.\"O Same rules apply for other conntrack-helpers.
+¾¤ÎÀܳÄÉÀץإë¥Ñ¡¼¤Ç¤âƱ¤¸¥ë¡¼¥ë¤¬Å¬ÍѤµ¤ì¤ë¡£
+.RE
+.SS icmp
+.\"O This extension is loaded if `--protocol icmp' is specified. It
+.\"O provides the following option:
+¤³¤Î³ÈÄ¥¤Ï `--protocol icmp' ¤¬»ØÄꤵ¤ì¤¿¾ì¹ç¤Ë¥í¡¼¥É¤µ¤ì¡¢
+°Ê²¼¤Î¥ª¥×¥·¥ç¥ó¤¬Ä󶡤µ¤ì¤ë:
+.TP
+.BR "--icmp-type " "[!] \fItypename\fP"
+.\"O This allows specification of the ICMP type, which can be a numeric
+.\"O ICMP type, or one of the ICMP type names shown by the command
+¿ôÃͤΠICMP ¥¿¥¤¥×¡¢¤Þ¤¿¤Ï¥³¥Þ¥ó¥É
+.nf
+ iptables -p icmp -h
+.fi
+¤Çɽ¼¨¤µ¤ì¤ë ICMP ¥¿¥¤¥×̾¤ò»ØÄê¤Ç¤¤ë¡£
+.SS length
+.\"O This module matches the length of a packet against a specific value
+.\"O or range of values.
+¤³¤Î¥â¥¸¥å¡¼¥ë¤Ï¡¢»ØÄꤵ¤ì¤¿¥Ñ¥±¥Ã¥ÈĹ¡¢¤Þ¤¿¤Ï¤½¤ÎÈϰϤ˥ޥåÁ¤¹¤ë¡£
+.TP
+.BR "--length " "\fIlength\fP[:\fIlength\fP]"
+.SS limit
+.\"O This module matches at a limited rate using a token bucket filter.
+¤³¤Î¥â¥¸¥å¡¼¥ë¤Ï¡¢¥È¡¼¥¯¥ó¥Ð¥±¥Ä¥Õ¥£¥ë¥¿¤ò»È¤¤¡¢
+ñ°Ì»þ´Ö¤¢¤¿¤êÀ©¸Â¤µ¤ì¤¿²ó¿ô¤À¤±¥Þ¥Ã¥Á¤¹¤ë¡£
+.\"O A rule using this extension will match until this limit is reached
+.\"O (unless the `!' flag is used). It can be used in combination with the
+.\"O .B LOG
+.\"O target to give limited logging, for example.
+¤³¤Î³ÈÄ¥¤ò»È¤Ã¤¿¥ë¡¼¥ë¤Ï¡¢(`!' ¥Õ¥é¥°¤¬»ØÄꤵ¤ì¤Ê¤¤¸Â¤ê)
+À©¸Â¤Ë㤹¤ë¤Þ¤Ç¥Þ¥Ã¥Á¤¹¤ë¡£
+¤³¤Î¥â¥¸¥å¡¼¥ë¤ÏÎ㤨¤Ð¡¢¥í¥°µÏ¿¤òÀ©¸Â¤¹¤ë¤¿¤á¤Ë
+.B LOG
+¥¿¡¼¥²¥Ã¥È¤ÈÁȤ߹ç¤ï¤»¤Æ»È¤¦¤³¤È¤¬¤Ç¤¤ë¡£
+.TP
+.BI "--limit " "rate"
+.\"O Maximum average matching rate: specified as a number, with an optional
+.\"O `/second', `/minute', `/hour', or `/day' suffix; the default is
+.\"O 3/hour.
+ñ°Ì»þ´Ö¤¢¤¿¤ê¤ÎÊ¿¶Ñ¥Þ¥Ã¥Á²ó¿ô¤ÎºÇÂçÃÍ¡£
+¿ôÃͤǻØÄꤵ¤ì¡¢Åº»ú `/second', `/minute',
+`/hour', `/day' ¤òÉÕ¤±¤ë¤³¤È¤â¤Ç¤¤ë¡£
+¥Ç¥Õ¥©¥ë¥È¤Ï 3/hour ¤Ç¤¢¤ë¡£
+.TP
+.BI "--limit-burst " "number"
+.\"O Maximum initial number of packets to match: this number gets
+.\"O recharged by one every time the limit specified above is not reached,
+.\"O up to this number; the default is 5.
+¥Ñ¥±¥Ã¥È¤¬¥Þ¥Ã¥Á¤¹¤ë²ó¿ô¤ÎºÇÂç½é´üÃÍ:
+¥Þ¥Ã¥Á²ó¿ô¤ÎºÇÂçÃͤϡ¢
+¾å¤Î¥ª¥×¥·¥ç¥ó¤Ç»ØÄꤷ¤¿À©¸Â¤Ë㤷¤Ê¤±¤ì¤Ð¡¢
+¤½¤ÎÅÙ¤´¤È¤Ë¡¢¤³¤Î¿ôÃͤˤʤë¤Þ¤Ç 1 ¸Ä¤º¤ÄÁý¤ä¤µ¤ì¤ë¡£
+¥Ç¥Õ¥©¥ë¥È¤Ï 5 ¤Ç¤¢¤ë¡£
+.SS mac
+.TP
+.BR "--mac-source " "[!] \fIaddress\fP"
+.\"O Match source MAC address. It must be of the form XX:XX:XX:XX:XX:XX.
+.\"O Note that this only makes sense for packets coming from an Ethernet device
+.\"O and entering the
+.\"O .BR PREROUTING ,
+.\"O .B FORWARD
+.\"O or
+.\"O .B INPUT
+.\"O chains.
+Á÷¿®¸µ MAC ¥¢¥É¥ì¥¹¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
+.I address
+¤Ï XX:XX:XX:XX:XX:XX ¤È¤¤¤¦·Á¼°¤Ç¤Ê¤±¤ì¤Ð¤Ê¤é¤Ê¤¤¡£
+¥¤¡¼¥µ¡¼¥Í¥Ã¥È¥Ç¥Ð¥¤¥¹¤«¤éÆþ¤Ã¤Æ¤¯¤ë¥Ñ¥±¥Ã¥È¤Ç¡¢
+.BR PREROUTING ,
+.BR FORWARD ,
+.B INPUT
+¥Á¥§¥¤¥ó¤ËÆþ¤ë¥Ñ¥±¥Ã¥È¤Ë¤·¤«°ÕÌ£¤¬¤Ê¤¤¡£
+.SS mark
+.\"O This module matches the netfilter mark field associated with a packet
+.\"O (which can be set using the
+.\"O .B MARK
+.\"O target below).
+¤³¤Î¥â¥¸¥å¡¼¥ë¤Ï¥Ñ¥±¥Ã¥È¤Ë´ØÏ¢¤Å¤±¤é¤ì¤¿
+netfilter ¤Î mark ¥Õ¥£¡¼¥ë¥É¤Ë¥Þ¥Ã¥Á¤¹¤ë
+(¤³¤Î¥Õ¥£¡¼¥ë¥É¤Ï¡¢°Ê²¼¤Î
+.B MARK
+¥¿¡¼¥²¥Ã¥È¤ÇÀßÄꤵ¤ì¤ë)¡£
+.TP
+.BR "--mark " "\fIvalue\fP[/\fImask\fP]"
+.\"O Matches packets with the given unsigned mark value (if a mask is
+.\"O specified, this is logically ANDed with the mask before the
+.\"O comparison).
+»ØÄꤵ¤ì¤¿Éä¹æ¤Ê¤· mark ÃͤΥѥ±¥Ã¥È¤Ë¥Þ¥Ã¥Á¤¹¤ë
+(mask ¤¬»ØÄꤵ¤ì¤ë¤È¡¢Èæ³Ó¤ÎÁ°¤Ë mask ¤È¤ÎÏÀÍýÀÑ (AND) ¤¬¤È¤é¤ì¤ë)¡£
+.SS multiport
+.\"O This module matches a set of source or destination ports. Up to 15
+.\"O ports can be specified. It can only be used in conjunction with
+.\"O .B "-p tcp"
+.\"O or
+.\"O .BR "-p udp" .
+¤³¤Î¥â¥¸¥å¡¼¥ë¤ÏÁ÷¿®¸µ¤äÁ÷¿®Àè¤Î¥Ý¡¼¥È¤Î½¸¹ç¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
+¥Ý¡¼¥È¤Ï 15 ¸Ä¤Þ¤Ç»ØÄê¤Ç¤¤ë¡£
+¤³¤Î¥â¥¸¥å¡¼¥ë¤Ï
+.B "-p tcp"
+¤Þ¤¿¤Ï
+.B "-p udp"
+¤ÈÁȤ߹ç¤ï¤»¤Æ»È¤¦¤³¤È¤·¤«¤Ç¤¤Ê¤¤¡£
+.TP
+.BR "--source-ports " "\fIport\fP[,\fIport\fP[,\fIport\fP...]]"
+.\"O Match if the source port is one of the given ports. The flag
+.\"O .B --sports
+.\"O is a convenient alias for this option.
+Á÷¿®¸µ¥Ý¡¼¥È¤¬»ØÄꤵ¤ì¤¿¥Ý¡¼¥È¤Î¤¦¤Á¤Î¤¤¤º¤ì¤«¤Ç¤¢¤ì¤Ð¥Þ¥Ã¥Á¤¹¤ë¡£
+¥Õ¥é¥°
+.B --sports
+¤Ï¡¢¤³¤Î¥ª¥×¥·¥ç¥ó¤ÎÊØÍø¤ÊÊÌ̾¤Ç¤¢¤ë¡£
+.TP
+.BR "--destination-ports " "\fIport\fP[,\fIport\fP[,\fIport\fP...]]"
+.\"O Match if the destination port is one of the given ports. The flag
+.\"O .B --dports
+.\"O is a convenient alias for this option.
+°¸Àè¥Ý¡¼¥È¤¬»ØÄꤵ¤ì¤¿¥Ý¡¼¥È¤Î¤¦¤Á¤Î¤¤¤º¤ì¤«¤Ç¤¢¤ì¤Ð¥Þ¥Ã¥Á¤¹¤ë¡£
+¥Õ¥é¥°
+.B --dports
+¤Ï¡¢¤³¤Î¥ª¥×¥·¥ç¥ó¤ÎÊØÍø¤ÊÊÌ̾¤Ç¤¢¤ë¡£
+.TP
+.BR "--ports " "\fIport\fP[,\fIport\fP[,\fIport\fP...]]"
+.\"O Match if the both the source and destination ports are equal to each
+.\"O other and to one of the given ports.
+Á÷¿®¸µ¥Ý¡¼¥È¤È°¸Àè¥Ý¡¼¥È¤¬Åù¤·¤¯¡¢
+¤«¤Ä¤½¤Î¥Ý¡¼¥È¤¬»ØÄꤵ¤ì¤¿¥Ý¡¼¥È¤Î¤¦¤Á¤Î¤¤¤º¤ì¤«¤Ç¤¢¤ì¤Ð¥Þ¥Ã¥Á¤¹¤ë¡£
+.SS owner
+.\"O This module attempts to match various characteristics of the packet
+.\"O creator, for locally-generated packets. It is only valid in the
+.\"O .B OUTPUT
+.\"O chain, and even this some packets (such as ICMP ping responses) may
+.\"O have no owner, and hence never match.
+¤³¤Î¥â¥¸¥å¡¼¥ë¤Ï¡¢¥í¡¼¥«¥ë¤ÇÀ¸À®¤µ¤ì¤¿¥Ñ¥±¥Ã¥È¤ËÉÕ¤¤¤Æ¡¢
+¥Ñ¥±¥Ã¥ÈÀ¸À®¼Ô¤Î¤¤¤í¤¤¤í¤ÊÆÃÀ¤ËÂФ·¤Æ¥Þ¥Ã¥Á¤ò¹Ô¤¦¡£
+¤³¤ì¤Ï
+.B OUTPUT
+¥Á¥§¥¤¥ó¤Î¤ß¤Ç¤·¤«Í¸ú¤Ç¤Ê¤¤¡£
+¤Þ¤¿¡¢(ICMP ping ±þÅú¤Î¤è¤¦¤Ê) ¥Ñ¥±¥Ã¥È¤Ï¡¢
+½êͼԤ¬¤¤¤Ê¤¤¤Î¤ÇÀäÂФ˥ޥåÁ¤·¤Ê¤¤¡£
+.TP
+.BI "--uid-owner " "userid"
+.\"O Matches if the packet was created by a process with the given
+.\"O effective user id.
+»ØÄꤵ¤ì¤¿¼Â¸ú¥æ¡¼¥¶¡¼ ID ¤Î¥×¥í¥»¥¹¤Ë¤è¤ê
+¥Ñ¥±¥Ã¥È¤¬À¸À®¤µ¤ì¤Æ¤¤¤ë¾ì¹ç¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
+.TP
+.BI "--gid-owner " "groupid"
+.\"O Matches if the packet was created by a process with the given
+.\"O effective group id.
+»ØÄꤵ¤ì¤¿¼Â¸ú¥°¥ë¡¼¥× ID ¤Î¥×¥í¥»¥¹¤Ë¤è¤ê
+¥Ñ¥±¥Ã¥È¤¬À¸À®¤µ¤ì¤Æ¤¤¤ë¾ì¹ç¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
+.TP
+.BI "--pid-owner " "processid"
+.\"O Matches if the packet was created by a process with the given
+.\"O process id.
+»ØÄꤵ¤ì¤¿¥×¥í¥»¥¹ ID ¤Î¥×¥í¥»¥¹¤Ë¤è¤ê
+¥Ñ¥±¥Ã¥È¤¬À¸À®¤µ¤ì¤Æ¤¤¤ë¾ì¹ç¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
+.TP
+.BI "--sid-owner " "sessionid"
+.\"O Matches if the packet was created by a process in the given session
+.\"O group.
+»ØÄꤵ¤ì¤¿¥»¥Ã¥·¥ç¥ó¥°¥ë¡¼¥×¤Î¥×¥í¥»¥¹¤Ë¤è¤ê
+¥Ñ¥±¥Ã¥È¤¬À¸À®¤µ¤ì¤Æ¤¤¤ë¾ì¹ç¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
+.TP
+.BI "--cmd-owner " "name"
+.\"O Matches if the packet was created by a process with the given command name.
+.\"O (this option is present only if iptables was compiled under a kernel
+.\"O supporting this feature)
+»ØÄꤵ¤ì¤¿¥³¥Þ¥ó¥É̾¤ò»ý¤Ä¥×¥í¥»¥¹¤Ë¤è¤ê
+¥Ñ¥±¥Ã¥È¤¬À¸À®¤µ¤ì¤Æ¤¤¤ë¾ì¹ç¤Ë¥Þ¥Ã¥Á¤¹¤ë
+(¤³¤Îµ¡Ç½¤ò¥µ¥Ý¡¼¥È¤·¤¿¥«¡¼¥Í¥ë¤Î¤â¤È¤Ç iptables ¤¬¥³¥ó¥Ñ¥¤¥ë¤µ¤ì¤¿¾ì¹ç
+¤Ë¤Î¤ß¡¢¤³¤Î¥â¥¸¥å¡¼¥ë¤Ï¸ºß¤¹¤ë)¡£
+.SS physdev
+.\"O This module matches on the bridge port input and output devices enslaved
+.\"O to a bridge device. This module is a part of the infrastructure that enables
+.\"O a transparent bridging IP firewall and is only useful for kernel versions
+.\"O above version 2.5.44.
+¤³¤Î¥â¥¸¥å¡¼¥ë¤Ï¡¢¥Ö¥ê¥Ã¥¸¥Ç¥Ð¥¤¥¹¤Î¥¹¥ì¡¼¥Ö¤Ë¤µ¤ì¤¿¡¢
+¥Ö¥ê¥Ã¥¸¥Ý¡¼¥È¤ÎÆþ½ÐÎϥǥХ¤¥¹¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
+¤³¤Î¥â¥¸¥å¡¼¥ë¤Ï¡¢¥Ö¥ê¥Ã¥¸¤Ë¤è¤ëÆ©²áŪ¤Ê
+IP ¥Õ¥¡¥¤¥¢¥¦¥©¡¼¥ë¤Î´ðÈפΰìÉô¤Ç¤¢¤ê¡¢
+¥«¡¼¥Í¥ë¥Ð¡¼¥¸¥ç¥ó 2.5.44 °Ê¹ß¤Ç¤Î¤ß͸ú¤Ç¤¢¤ë¡£
+.TP
+.B --physdev-in name
+.\"O Name of a bridge port via which a packet is received (only for
+.\"O packets entering the
+.\"O .BR INPUT ,
+.\"O .B FORWARD
+.\"O and
+.\"O .B PREROUTING
+.\"O chains). If the interface name ends in a "+", then any
+.\"O interface which begins with this name will match. If the packet didn't arrive
+.\"O through a bridge device, this packet won't match this option, unless '!' is used.
+¥Ñ¥±¥Ã¥È¤¬¼õ¿®¤µ¤ì¤ë¥Ö¥ê¥Ã¥¸¤Î¥Ý¡¼¥È̾
+.RB ( INPUT ,
+.BR FORWARD ,
+.B PREROUTING
+¥Á¥§¥¤¥ó¤ËÆþ¤ë¥Ñ¥±¥Ã¥È¤Î¤ß)¡£
+¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹Ì¾¤¬ "+" ¤Ç½ª¤Ã¤Æ¤¤¤ë¾ì¹ç¡¢
+¤½¤Î̾Á°¤Ç»Ï¤Þ¤ëǤ°Õ¤Î¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹Ì¾¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
+¥Ö¥ê¥Ã¥¸¥Ç¥Ð¥¤¥¹¤òÄ̤·¤Æ¼õ¤±¼è¤é¤ì¤Ê¤«¤Ã¤¿¥Ñ¥±¥Ã¥È¤Ï¡¢
+\&'!' ¤¬»ØÄꤵ¤ì¤Æ¤¤¤Ê¤¤¸Â¤ê¡¢¤³¤Î¥ª¥×¥·¥ç¥ó¤Ë¥Þ¥Ã¥Á¤·¤Ê¤¤¡£
+.\"O sato: ºÇ¸å¤Î°ìʸ¤Ï°ÕÌõ¤®¤ß¤«¤â
+.TP
+.B --physdev-out name
+.\"O Name of a bridge port via which a packet is going to be sent (for packets
+.\"O entering the
+.\"O .BR FORWARD ,
+.\"O .B OUTPUT
+.\"O and
+.\"O .B POSTROUTING
+.\"O chains). If the interface name ends in a "+", then any
+.\"O interface which begins with this name will match. Note that in the
+.\"O .BR nat " and " mangle
+.\"O .B OUTPUT
+.\"O chains one cannot match on the bridge output port, however one can in the
+.\"O .B "filter OUTPUT"
+.\"O chain. If the packet won't leave by a bridge device or it is yet unknown what
+.\"O the output device will be, then the packet won't match this option, unless
+.\"O '!' is used.
+¥Ñ¥±¥Ã¥È¤òÁ÷¿®¤¹¤ë¤³¤È¤Ë¤Ê¤ë¥Ö¥ê¥Ã¥¸¤Î¥Ý¡¼¥È̾
+.RB ( FORWARD ,
+.BR OUTPUT ,
+.B POSTROUTING
+¥Á¥§¥¤¥ó¤ËÆþ¤ë¥Ñ¥±¥Ã¥È¤Î¤ß)¡£
+¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹Ì¾¤¬ "+" ¤Ç½ª¤Ã¤Æ¤¤¤ë¾ì¹ç¡¢
+¤½¤Î̾Á°¤Ç»Ï¤Þ¤ëǤ°Õ¤Î¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹Ì¾¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
+.B nat
+¤È
+.B mangle
+¥Æ¡¼¥Ö¥ë¤Î
+.B OUTPUT
+¥Á¥§¥¤¥ó¤Ç¤Ï¥Ö¥ê¥Ã¥¸¤Î½ÐÎϥݡ¼¥È¤Ë¥Þ¥Ã¥Á¤µ¤»¤ë¤³¤È¤¬¤Ç¤¤Ê¤¤¤¬¡¢
+.B filter
+¥Æ¡¼¥Ö¥ë¤Î
+.B OUPUT
+¥Á¥§¥¤¥ó¤Ç¤Ï¥Þ¥Ã¥Á²Äǽ¤Ç¤¢¤ë¡£
+¥Ñ¥±¥Ã¥È¤¬¥Ö¥ê¥Ã¥¸¥Ç¥Ð¥¤¥¹¤«¤éÁ÷¤é¤ì¤Ê¤«¤Ã¤¿¾ì¹ç¡¢
+¤Þ¤¿¤Ï¥Ñ¥±¥Ã¥È¤Î½ÐÎϥǥХ¤¥¹¤¬ÉÔÌÀ¤Ç¤¢¤Ã¤¿¾ì¹ç¤Ï¡¢
+\&'!' ¤¬»ØÄꤵ¤ì¤Æ¤¤¤Ê¤¤¸Â¤ê¡¢¥Ñ¥±¥Ã¥È¤Ï¤³¤Î¥ª¥×¥·¥ç¥ó¤Ë¥Þ¥Ã¥Á¤·¤Ê¤¤¡£
+.TP
+.B --physdev-is-in
+.\"O Matches if the packet has entered through a bridge interface.
+¥Ñ¥±¥Ã¥È¤¬¥Ö¥ê¥Ã¥¸¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹¤ËÆþ¤Ã¤¿¾ì¹ç¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
+.TP
+.B --physdev-is-out
+.\"O Matches if the packet will leave through a bridge interface.
+¥Ñ¥±¥Ã¥È¤¬¥Ö¥ê¥Ã¥¸¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹¤«¤é½Ð¤è¤¦¤È¤·¤¿¾ì¹ç¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
+.TP
+.B --physdev-is-bridged
+.\"O Matches if the packet is being bridged and therefore is not being routed.
+.\"O This is only useful in the FORWARD and POSTROUTING chains.
+¥Ñ¥±¥Ã¥È¤¬¥Ö¥ê¥Ã¥¸¤µ¤ì¤ë¤³¤È¤Ë¤è¤ê¡¢
+¥ë¡¼¥Æ¥£¥ó¥°¤µ¤ì¤Ê¤«¤Ã¤¿¾ì¹ç¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
+¤³¤ì¤Ï FORWARD, POSTROUTING ¥Á¥§¥¤¥ó¤Ë¤ª¤¤¤Æ¤Î¤ßÌòΩ¤Ä¡£
+.SS pkttype
+.\"O This module matches the link-layer packet type.
+¤³¤Î¥â¥¸¥å¡¼¥ë¤Ï¡¢¥ê¥ó¥¯ÁؤΥѥ±¥Ã¥È¥¿¥¤¥×¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
+.TP
+.BI "--pkt-type " "[\fIunicast\fP|\fIbroadcast\fP|\fImulticast\fP]"
+.SS state
+.\"O This module, when combined with connection tracking, allows access to
+.\"O the connection tracking state for this packet.
+¤³¤Î¥â¥¸¥å¡¼¥ë¤Ï¡¢ÀܳÄÉÀ× (connection tracking) ¤ÈÁȤ߹ç¤ï¤»¤ÆÍѤ¤¤ë¤È¡¢
+¥Ñ¥±¥Ã¥È¤Ë¤Ä¤¤¤Æ¤ÎÀܳÄÉÀ×¾õÂÖ¤òÃΤ뤳¤È¤¬¤Ç¤¤ë¡£
+.TP
+.BI "--state " "state"
+.\"O Where state is a comma separated list of the connection states to
+.\"O match. Possible states are
+.\"O .B INVALID
+.\"O meaning that the packet is associated with no known connection,
+.\"O .B ESTABLISHED
+.\"O meaning that the packet is associated with a connection which has seen
+.\"O packets in both directions,
+state ¤Ï¡¢¥Þ¥Ã¥Á¥ó¥°¤ò¹Ô¤¦¤¿¤á¤Î¡¢¥³¥ó¥Þ¤Ç¶èÀÚ¤é¤ì¤¿Àܳ¾õÂ֤Υꥹ¥È¤Ç¤¢¤ë¡£
+»ØÄê²Äǽ¤Ê state ¤Ï°Ê²¼¤ÎÄ̤ꡣ
+.BR INVALID :
+¤³¤Î¥Ñ¥±¥Ã¥È¤Ï´ûÃΤÎÀܳ¤È´Ø·¸¤·¤Æ¤¤¤Ê¤¤¡£
+.BR ESTABLISHED :
+¤³¤Î¥Ñ¥±¥Ã¥È¤Ï¡¢²áµîÁÐÊý¸þ¤Ë¥Ñ¥±¥Ã¥È¤¬¤ä¤ê¼è¤ê¤µ¤ì¤¿Àܳ¤Ë°¤¹¤ë¥Ñ¥±¥Ã¥È¤Ç¤¢¤ë¡£
+.\"O .B NEW
+.\"O meaning that the packet has started a new connection, or otherwise
+.\"O associated with a connection which has not seen packets in both
+.\"O directions, and
+.BR NEW :
+¤³¤Î¥Ñ¥±¥Ã¥È¤¬¿·¤·¤¤Àܳ¤ò³«»Ï¤·¤¿¤«¡¢
+ÁÐÊý¸þ¤Ë¤Ï¥Ñ¥±¥Ã¥È¤¬¤ä¤ê¼è¤ê¤µ¤ì¤Æ¤¤¤Ê¤¤Àܳ¤Ë°¤¹¤ë¥Ñ¥±¥Ã¥È¤Ç¤¢¤ë¡£
+.\"O .B RELATED
+.\"O meaning that the packet is starting a new connection, but is
+.\"O associated with an existing connection, such as an FTP data transfer,
+.\"O or an ICMP error.
+.BR RELATED :
+¤³¤Î¥Ñ¥±¥Ã¥È¤¬¿·¤·¤¤Àܳ¤ò³«»Ï¤·¤Æ¤¤¤ë¤¬¡¢
+FTP ¥Ç¡¼¥¿Å¾Á÷¤ä ICMP ¥¨¥é¡¼¤Î¤è¤¦¤Ë¡¢´û¸¤ÎÀܳ¤Ë´Ø·¸¤·¤Æ¤¤¤ë¡£
+.SS tcp
+.\"O These extensions are loaded if `--protocol tcp' is specified. It
+.\"O provides the following options:
+¤³¤ì¤é¤Î³ÈÄ¥¤Ï `--protocol tcp' ¤¬»ØÄꤵ¤ì¾ì¹ç¤Ë¥í¡¼¥É¤µ¤ì¡¢
+°Ê²¼¤Î¥ª¥×¥·¥ç¥ó¤¬Ä󶡤µ¤ì¤ë:
+.TP
+.BR "--source-port " "[!] \fIport\fP[:\fIport\fP]"
+.\"O Source port or port range specification. This can either be a service
+.\"O name or a port number. An inclusive range can also be specified,
+.\"O using the format
+.\"O .IR port : port .
+Á÷¿®¸µ¥Ý¡¼¥È¤Þ¤¿¤Ï¥Ý¡¼¥ÈÈϰϤλØÄê¡£
+¥µ¡¼¥Ó¥¹Ì¾¤Þ¤¿¤Ï¥Ý¡¼¥ÈÈÖ¹æ¤ò»ØÄê¤Ç¤¤ë¡£
+.IR port : port
+¤È¤¤¤¦·Á¼°¤Ç¡¢2 ¤Ä¤ÎÈÖ¹æ¤ò´Þ¤àÈϰϤò»ØÄꤹ¤ë¤³¤È¤â¤Ç¤¤ë¡£
+.\"O If the first port is omitted, "0" is assumed; if the last is omitted,
+.\"O "65535" is assumed.
+.\"O If the second port greater then the first they will be swapped.
+.\"O The flag
+.\"O .B --sport
+.\"O is a convenient alias for this option.
+ºÇ½é¤Î¥Ý¡¼¥È¤ò¾Êά¤·¤¿¾ì¹ç¡¢"0" ¤ò²¾Äꤹ¤ë¡£
+ºÇ¸å¤Î¥Ý¡¼¥È¤ò¾Êά¤·¤¿¾ì¹ç¡¢"65535" ¤ò²¾Äꤹ¤ë¡£
+ºÇ½é¤Î¥Ý¡¼¥È¤¬ºÇ¸å¤Î¥Ý¡¼¥È¤è¤êÂ礤¤¾ì¹ç¡¢2 ¤Ä¤ÏÆþ¤ì´¹¤¨¤é¤ì¤ë¡£
+.\"tsekine ¸¶Ê¸¤¬´Ö°ã¤Ã¤Æ¤½¤¦
+¥Õ¥é¥°
+.B --sport
+¤Ï¡¢¤³¤Î¥ª¥×¥·¥ç¥ó¤ÎÊØÍø¤ÊÊÌ̾¤Ç¤¢¤ë¡£
+.TP
+.BR "--destination-port " "[!] \fIport\fP[:\fIport\fP]"
+.\"O Destination port or port range specification. The flag
+.\"O .B --dport
+.\"O is a convenient alias for this option.
+Á÷¿®Àè¥Ý¡¼¥È¤Þ¤¿¤Ï¥Ý¡¼¥ÈÈϰϤλØÄê¡£
+¥Õ¥é¥°
+.B --dport
+¤Ï¡¢¤³¤Î¥ª¥×¥·¥ç¥ó¤ÎÊØÍø¤ÊÊÌ̾¤Ç¤¢¤ë¡£
+.TP
+.BR "--tcp-flags " "[!] \fImask\fP \fIcomp\fP"
+.\"O Match when the TCP flags are as specified. The first argument is the
+.\"O flags which we should examine, written as a comma-separated list, and
+.\"O the second argument is a comma-separated list of flags which must be
+.\"O set. Flags are:
+.\"O .BR "SYN ACK FIN RST URG PSH ALL NONE" .
+TCP ¥Õ¥é¥°¤¬»ØÄꤵ¤ì¤¿¤â¤Î¤ÈÅù¤·¤¤¾ì¹ç¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
+Âè 1 °ú¤¿ô¤Ïɾ²ÁÂоݤȤ¹¤ë¥Õ¥é¥°¤Ç¡¢¥³¥ó¥Þ¶èÀÚ¤ê¤Î¥ê¥¹¥È¤Ç¤¢¤ë¡£
+Âè 2 °ú¤¿ô¤Ï¤³¤Î¤¦¤ÁÀßÄꤵ¤ì¤Æ¤¤¤Ê¤±¤ì¤Ð¤Ê¤é¤Ê¤¤¥Õ¥é¥°¤Ç¡¢
+¥³¥ó¥Þ¶èÀÚ¤ê¤Î¥ê¥¹¥È¤Ç¤¢¤ë¡£
+»ØÄê¤Ç¤¤ë¥Õ¥é¥°¤Ï
+.B "SYN ACK FIN RST URG PSH ALL NONE"
+¤Ç¤¢¤ë¡£
+.\"O Hence the command
+.\"O .nf
+.\"O iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN
+.\"O .fi
+.\"O will only match packets with the SYN flag set, and the ACK, FIN and
+.\"O RST flags unset.
+¤è¤Ã¤Æ¡¢¥³¥Þ¥ó¥É
+.nf
+ iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN
+.fi
+¤Ï¡¢SYN ¥Õ¥é¥°¤¬ÀßÄꤵ¤ì ACK, FIN, RST ¥Õ¥é¥°¤¬ÀßÄꤵ¤ì¤Æ¤¤¤Ê¤¤
+¥Ñ¥±¥Ã¥È¤Ë¤Î¤ß¥Þ¥Ã¥Á¤¹¤ë¡£
+.TP
+.B "[!] --syn"
+.\"O Only match TCP packets with the SYN bit set and the ACK and RST bits
+.\"O cleared. Such packets are used to request TCP connection initiation;
+.\"O for example, blocking such packets coming in an interface will prevent
+.\"O incoming TCP connections, but outgoing TCP connections will be
+.\"O unaffected.
+.\"O It is equivalent to \fB--tcp-flags SYN,RST,ACK SYN\fP.
+.\"O If the "!" flag precedes the "--syn", the sense of the
+.\"O option is inverted.
+SYN ¥Ó¥Ã¥È¤¬ÀßÄꤵ¤ì ACK ¤È RST ¥Ó¥Ã¥È¤¬¥¯¥ê¥¢¤µ¤ì¤Æ¤¤¤ë
+TCP ¥Ñ¥±¥Ã¥È¤Ë¤Î¤ß¥Þ¥Ã¥Á¤¹¤ë¡£
+¤³¤Î¤è¤¦¤Ê¥Ñ¥±¥Ã¥È¤Ï TCP Àܳ¤Î³«»ÏÍ×µá¤Ë»È¤ï¤ì¤ë¡£
+Î㤨¤Ð¡¢¤¢¤ë¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹¤ËÆþ¤Ã¤Æ¤¯¤ë¤³¤Î¤è¤¦¤Ê¥Ñ¥±¥Ã¥È¤ò¥Ö¥í¥Ã¥¯¤¹¤ì¤Ð¡¢
+Æ⦤ؤΠTCP Àܳ¤Ï¶Ø»ß¤µ¤ì¤ë¤¬¡¢³°Â¦¤Ø¤Î TCP Àܳ¤Ë¤Ï±Æ¶Á¤·¤Ê¤¤¡£
+¤³¤ì¤Ï \fB--tcp-flags SYN,RST,ACK SYN\fP ¤ÈÅù¤·¤¤¡£
+"--syn" ¤ÎÁ°¤Ë "!" ¥Õ¥é¥°¤òÃÖ¤¯¤È¡¢
+SYN ¥Ó¥Ã¥È¤¬¥¯¥ê¥¢¤µ¤ì ACK ¤È RST ¥Ó¥Ã¥È¤¬ÀßÄꤵ¤ì¤Æ¤¤¤ë
+TCP ¥Ñ¥±¥Ã¥È¤Ë¤Î¤ß¥Þ¥Ã¥Á¤¹¤ë¡£
+.TP
+.BR "--tcp-option " "[!] \fInumber\fP"
+.\"O Match if TCP option set.
+TCP ¥ª¥×¥·¥ç¥ó¤¬ÀßÄꤵ¤ì¤Æ¤¤¤ë¾ì¹ç¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
+.TP
+.BR "--mss " "\fIvalue\fP[:\fIvalue\fP]"
+.\"O Match TCP SYN or SYN/ACK packets with the specified MSS value (or range),
+.\"O which control the maximum packet size for that connection.
+»ØÄꤵ¤ì¤¿ MSS ÃÍ (¤ÎÈÏ°Ï) ¤ò»ý¤Ä TCP ¤Î
+SYN ¤Þ¤¿¤Ï SYN/ACK ¥Ñ¥±¥Ã¥È¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
+MSS ¤ÏÀܳ¤ËÂФ¹¤ë¥Ñ¥±¥Ã¥È¤ÎºÇÂ祵¥¤¥º¤òÀ©¸æ¤¹¤ë¡£
+.SS tos
+.\"O This module matches the 8 bits of Type of Service field in the IP
+.\"O header (ie. including the precedence bits).
+¤³¤Î¥â¥¸¥å¡¼¥ë¤Ï IP ¥Ø¥Ã¥À¡¼¤Î 8 ¥Ó¥Ã¥È¤Î (¤Ä¤Þ¤ê¾å°Ì¥Ó¥Ã¥È¤ò´Þ¤à)
+Type of Service ¥Õ¥£¡¼¥ë¥É¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
+.TP
+.BI "--tos " "tos"
+.\"O The argument is either a standard name, (use
+.\"O .br
+.\"O iptables -m tos -h
+.\"O .br
+.\"O to see the list), or a numeric value to match.
+°ú¤¿ô¤Ï¡¢¥Þ¥Ã¥Á¤ò¹Ô¤¦É¸½àŪ¤Ê̾Á°¤Ç¤â¿ôÃͤǤâ¤è¤¤
+(̾Á°¤Î¥ê¥¹¥È¤ò¸«¤ë¤Ë¤Ï
+.nf
+ iptables -m tos -h
+.fi
+¤ò»È¤¦¤³¤È)¡£
+.SS ttl
+.\"O This module matches the time to live field in the IP header.
+¤³¤Î¥â¥¸¥å¡¼¥ë¤Ï IP ¥Ø¥Ã¥À¡¼¤Î time to live ¥Õ¥£¡¼¥ë¥É¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
+.TP
+.BI "--ttl " "ttl"
+.\"O Matches the given TTL value.
+»ØÄꤵ¤ì¤¿ TTL Ãͤ˥ޥåÁ¤¹¤ë¡£
+.SS udp
+.\"O These extensions are loaded if `--protocol udp' is specified. It
+.\"O provides the following options:
+¤³¤ì¤é¤Î³ÈÄ¥¤Ï `--protocol udp' ¤¬»ØÄꤵ¤ì¤¿¾ì¹ç¤Ë¥í¡¼¥É¤µ¤ì¡¢
+°Ê²¼¤Î¥ª¥×¥·¥ç¥ó¤¬Ä󶡤µ¤ì¤ë:
+.TP
+.BR "--source-port " "[!] \fIport\fP[:\fIport\fP]"
+.\"O Source port or port range specification.
+.\"O See the description of the
+.\"O .B --source-port
+.\"O option of the TCP extension for details.
+Á÷¿®¸µ¥Ý¡¼¥È¤Þ¤¿¤Ï¥Ý¡¼¥ÈÈϰϤλØÄê¡£
+¾ÜºÙ¤Ï TCP ³ÈÄ¥¤Î
+.B --source-port
+¥ª¥×¥·¥ç¥ó¤ÎÀâÌÀ¤ò»²¾È¤¹¤ë¤³¤È¡£
+.TP
+.BR "--destination-port " "[!] \fIport\fP[:\fIport\fP]"
+.\"O Destination port or port range specification.
+.\"O See the description of the
+.\"O .B --destination-port
+.\"O option of the TCP extension for details.
+Á÷¿®Àè¥Ý¡¼¥È¤Þ¤¿¤Ï¥Ý¡¼¥ÈÈϰϤλØÄê¡£
+¾ÜºÙ¤Ï TCP ³ÈÄ¥¤Î
+.B --destination-port
+¥ª¥×¥·¥ç¥ó¤ÎÀâÌÀ¤ò»²¾È¤¹¤ë¤³¤È¡£
+.SS unclean
+.\"O This module takes no options, but attempts to match packets which seem
+.\"O malformed or unusual. This is regarded as experimental.
+¤³¤Î¥â¥¸¥å¡¼¥ë¤Ë¤Ï¥ª¥×¥·¥ç¥ó¤¬¤Ê¤¤¤¬¡¢
+¤ª¤«¤·¤¯Àµ¾ï¤Ç¤Ê¤¤¤è¤¦¤Ë¸«¤¨¤ë¥Ñ¥±¥Ã¥È¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
+¤³¤ì¤Ï¼Â¸³Åª¤Ê¤â¤Î¤È¤·¤Æ°·¤ï¤ì¤Æ¤¤¤ë¡£
+.\"O .SH TARGET EXTENSIONS
+.SH ¥¿¡¼¥²¥Ã¥È¤Î³ÈÄ¥
+.\"O iptables can use extended target modules: the following are included
+.\"O in the standard distribution.
+iptables ¤Ï³ÈÄ¥¥¿¡¼¥²¥Ã¥È¥â¥¸¥å¡¼¥ë¤ò»È¤¦¤³¤È¤¬¤Ç¤¤ë:
+°Ê²¼¤Î¤â¤Î¤¬¡¢É¸½àŪ¤Ê¥Ç¥£¥¹¥È¥ê¥Ó¥å¡¼¥·¥ç¥ó¤Ë´Þ¤Þ¤ì¤Æ¤¤¤ë¡£
+.SS DNAT
+.\"O This target is only valid in the
+.\"O .B nat
+.\"O table, in the
+.\"O .B PREROUTING
+.\"O and
+.\"O .B OUTPUT
+.\"O chains, and user-defined chains which are only called from those
+.\"O chains. It specifies that the destination address of the packet
+.\"O should be modified (and all future packets in this connection will
+.\"O also be mangled), and rules should cease being examined. It takes one
+.\"O type of option:
+¤³¤Î¥¿¡¼¥²¥Ã¥È¤Ï
+.B nat
+¥Æ¡¼¥Ö¥ë¤Î
+.BR PREROUTING ,
+.B OUTPUT
+¥Á¥§¥¤¥ó¡¢¤³¤ì¤é¤Î¥Á¥§¥¤¥ó¤«¤é¸Æ¤Ó½Ð¤µ¤ì¤ë
+¥æ¡¼¥¶¡¼ÄêµÁ¥Á¥§¥¤¥ó¤Î¤ß¤Ç͸ú¤Ç¤¢¤ë¡£
+¤³¤Î¥¿¡¼¥²¥Ã¥È¤Ï¥Ñ¥±¥Ã¥È¤ÎÁ÷¿®À襢¥É¥ì¥¹¤ò½¤Àµ¤¹¤ë
+(¤³¤ÎÀܳ¤Î°Ê¹ß¤Î¥Ñ¥±¥Ã¥È¤â½¤Àµ¤·¤Æʬ¤«¤é¤Ê¤¯ (mangle) ¤¹¤ë)¡£
+¤µ¤é¤Ë¡¢¥ë¡¼¥ë¤Ë¤è¤ë¥Á¥§¥Ã¥¯¤ò»ß¤á¤µ¤»¤ë¡£
+¤³¤Î¥¿¡¼¥²¥Ã¥È¤Ë¤Ï¥ª¥×¥·¥ç¥ó¤¬ 1 ¼ïÎढ¤ë:
+.TP
+.BR "--to-destination " "\fIipaddr\fP[-\fIipaddr\fP][:\fIport\fP-\fIport\fP]"
+.\"O which can specify a single new destination IP address, an inclusive
+.\"O range of IP addresses, and optionally, a port range (which is only
+.\"O valid if the rule also specifies
+.\"O .B "-p tcp"
+.\"O or
+.\"O .BR "-p udp" ).
+.\"O If no port range is specified, then the destination port will never be
+.\"O modified.
+1 ¤Ä¤Î¿·¤·¤¤Á÷¿®Àè IP ¥¢¥É¥ì¥¹¡¢¤Þ¤¿¤Ï IP ¥¢¥É¥ì¥¹¤ÎÈϰϤ¬»ØÄê¤Ç¤¤ë¡£
+¥Ý¡¼¥È¤ÎÈϰϤò»ØÄꤹ¤ë¤³¤È¤â¤Ç¤¤ë
+(¤³¤ì¤Ï¥ë¡¼¥ë¤Ç
+.B "-p tcp"
+¤Þ¤¿¤Ï
+.B "-p udp"
+¤ò»ØÄꤷ¤Æ¤¤¤ë¾ì¹ç¤Ë¤Î¤ß͸ú)¡£
+¥Ý¡¼¥È¤ÎÈϰϤ¬»ØÄꤵ¤ì¤Æ¤¤¤Ê¤¤¾ì¹ç¡¢Á÷¿®Àè¥Ý¡¼¥È¤ÏÊѹ¹¤µ¤ì¤Ê¤¤¡£
+.RS
+.PP
+.\"O You can add several --to-destination options. If you specify more
+.\"O than one destination address, either via an address range or multiple
+.\"O --to-destination options, a simple round-robin (one after another in
+.\"O cycle) load balancing takes place between these adresses.
+Ê£¿ô¤Î --to-destination ¥ª¥×¥·¥ç¥ó¤ò»ØÄꤹ¤ë¤³¤È¤¬¤Ç¤¤ë¡£
+¥¢¥É¥ì¥¹¤ÎÈϰϤˤè¤Ã¤Æ¡¢
+¤â¤·¤¯¤ÏÊ£¿ô¤Î --to-destination ¥ª¥×¥·¥ç¥ó¤Ë¤è¤Ã¤Æ
+2 ¤Ä°Ê¾å¤ÎÁ÷¿®À襢¥É¥ì¥¹¤ò»ØÄꤷ¤¿¾ì¹ç¡¢
+¤½¤ì¤é¤Î¥¢¥É¥ì¥¹¤ò»È¤Ã¤¿Ã±½ã¤Ê¥é¥¦¥ó¥É¡¦¥í¥Ó¥ó
+(½ç¡¹¤Ë½Û´Ä¤µ¤»¤ë) ¤¬¤ª¤³¤Ê¤ï¤ì¤ë¡£
+.RE
+.SS DSCP
+.\"O This target allows to alter the value of the DSCP bits within the TOS
+.\"O header of the IPv4 packet. As this manipulates a packet, it can only
+.\"O be used in the mangle table.
+¤³¤Î¥¿¡¼¥²¥Ã¥È¤Ï¡¢IPv4 ¥Ñ¥±¥Ã¥È¤Î TOS ¥Ø¥Ã¥À¡¼¤Ë¤¢¤ë
+DSCP ¥Ó¥Ã¥È¤ÎÃͤνñ¤´¹¤¨¤ò²Äǽ¤Ë¤¹¤ë¡£
+¤³¤ì¤Ï¥Ñ¥±¥Ã¥È¤òÁàºî¤¹¤ë¤Î¤Ç¡¢mangle ¥Æ¡¼¥Ö¥ë¤Ç¤Î¤ß»ÈÍѤǤ¤ë¡£
+.TP
+.BI "--set-dscp " "value"
+.\"O Set the DSCP field to a numerical value (can be decimal or hex)
+DSCP ¥Õ¥£¡¼¥ë¥É¤Î¿ôÃͤòÀßÄꤹ¤ë (10 ¿Ê¤Þ¤¿¤Ï 16 ¿Ê)¡£
+.TP
+.BI "--set-dscp-class " "class"
+.\"O Set the DSCP field to a DiffServ class.
+DSCP ¥Õ¥£¡¼¥ë¥É¤Î DiffServ ¥¯¥é¥¹¤òÀßÄꤹ¤ë¡£
+.SS ECN
+.\"O This target allows to selectively work around known ECN blackholes.
+.\"O It can only be used in the mangle table.
+¤³¤Î¥¿¡¼¥²¥Ã¥È¤Ï ECN ¥Ö¥é¥Ã¥¯¥Û¡¼¥ëÌäÂê¤Ø¤ÎÂнè¤ò²Äǽ¤Ë¤¹¤ë¡£
+mangle ¥Æ¡¼¥Ö¥ë¤Ç¤Î¤ß»ÈÍѤǤ¤ë¡£
+.TP
+.BI "--ecn-tcp-remove"
+.\"O Remove all ECN bits from the TCP header. Of course, it can only be used
+.\"O in conjunction with
+.\"O .BR "-p tcp" .
+TCP ¥Ø¥Ã¥À¡¼¤«¤éÁ´¤Æ¤Î ECN ¥Ó¥Ã¥È (ÌõÃí: ECE/CWR ¥Õ¥é¥°) ¤ò¼è¤ê½ü¤¯¡£
+ÅöÁ³¡¢
+.B "-p tcp"
+¥ª¥×¥·¥ç¥ó¤È¤ÎÁȹç¤ï¤»¤Ç¤Î¤ß»ÈÍѤǤ¤ë¡£
+.SS LOG
+.\"O Turn on kernel logging of matching packets. When this option is set
+.\"O for a rule, the Linux kernel will print some information on all
+.\"O matching packets (like most IP header fields) via the kernel log
+.\"O (where it can be read with
+.\"O .I dmesg
+.\"O or
+.\"O .IR syslogd (8)).
+¥Þ¥Ã¥Á¤·¤¿¥Ñ¥±¥Ã¥È¤ò¥«¡¼¥Í¥ë¥í¥°¤ËµÏ¿¤¹¤ë¡£
+¤³¤Î¥ª¥×¥·¥ç¥ó¤¬¥ë¡¼¥ë¤ËÂФ·¤ÆÀßÄꤵ¤ì¤ë¤È¡¢
+Linux ¥«¡¼¥Í¥ë¤Ï¥Þ¥Ã¥Á¤·¤¿¥Ñ¥±¥Ã¥È¤Ë¤Ä¤¤¤Æ¤Î
+(ÂçÉôʬ¤Î IP ¥Ø¥Ã¥À¡¼¥Õ¥£¡¼¥ë¥É¤Î¤è¤¦¤Ê) ²¿¤é¤«¤Î¾ðÊó¤ò
+¥«¡¼¥Í¥ë¥í¥°¤Ëɽ¼¨¤¹¤ë
+(¥«¡¼¥Í¥ë¥í¥°¤Ï
+.I dmesg
+¤Þ¤¿¤Ï
+.IR syslogd (8)
+¤Ç¸«¤ë¤³¤È¤¬¤Ç¤¤ë)¡£
+.\"O This is a "non-terminating target", i.e. rule traversal continues at
+.\"O the next rule. So if you want to LOG the packets you refuse, use two
+.\"O separate rules with the same matching criteria, first using target LOG
+.\"O then DROP (or REJECT).
+¤³¤ì¤Ï "Èó½ªÎ»¥¿¡¼¥²¥Ã¥È" ¤Ç¤¢¤ë¡£
+¤¹¤Ê¤ï¤Á¡¢¥ë¡¼¥ë¤Î¸¡Æ¤¤Ï¡¢¼¡¤Î¥ë¡¼¥ë¤Ø¤È·Ñ³¤µ¤ì¤ë¡£
+¤è¤Ã¤Æ¡¢µñÈݤ¹¤ë¥Ñ¥±¥Ã¥È¤ò¥í¥°µÏ¿¤·¤¿¤±¤ì¤Ð¡¢
+Ʊ¤¸¥Þ¥Ã¥Á¥ó¥°È½ÃÇ´ð½à¤ò»ý¤Ä 2 ¤Ä¤Î¥ë¡¼¥ë¤ò»ÈÍѤ·¡¢
+ºÇ½é¤Î¥ë¡¼¥ë¤Ç LOG ¥¿¡¼¥²¥Ã¥È¤ò¡¢
+¼¡¤Î¥ë¡¼¥ë¤Ç DROP (¤Þ¤¿¤Ï REJECT) ¥¿¡¼¥²¥Ã¥È¤ò»ØÄꤹ¤ë¡£
+.TP
+.BI "--log-level " "level"
+.\"O Level of logging (numeric or see \fIsyslog.conf\fP(5)).
+¥í¥°µÏ¿¤Î¥ì¥Ù¥ë (¿ôÃͤƻØÄꤹ¤ë¤«¡¢
+(ÌõÃð: ̾Á°¤Ç»ØÄꤹ¤ë¾ì¹ç¤Ï) \fIsyslog.conf\fP(5) ¤ò»²¾È¤¹¤ë¤³¤È)¡£
+.TP
+.BI "--log-prefix " "prefix"
+.\"O Prefix log messages with the specified prefix; up to 29 letters long,
+.\"O and useful for distinguishing messages in the logs.
+»ØÄꤷ¤¿¥×¥ì¥Õ¥£¥Ã¥¯¥¹¤ò¥í¥°¥á¥Ã¥»¡¼¥¸¤ÎÁ°¤ËÉÕ¤±¤ë¡£
+¥×¥ì¥Õ¥£¥Ã¥¯¥¹¤Ï 29 ʸ»ú¤Þ¤Ç¤ÎŤµ¤Ç¡¢
+¥í¥°¤ÎÃæ¤Ç¥á¥Ã¥»¡¼¥¸¤ò¶èÊ̤¹¤ë¤Î¤ËÌòΩ¤Ä¡£
+.TP
+.B --log-tcp-sequence
+.\"O Log TCP sequence numbers. This is a security risk if the log is
+.\"O readable by users.
+TCP ¥·¡¼¥±¥ó¥¹ÈÖ¹æ¤ò¥í¥°¤ËµÏ¿¤¹¤ë¡£
+¥í¥°¤¬¥æ¡¼¥¶¡¼¤«¤éÆɤá¤ë¾ì¹ç¡¢¥»¥¥å¥ê¥Æ¥£¾å¤Î´í¸±¤¬¤¢¤ë¡£
+.TP
+.B --log-tcp-options
+.\"O Log options from the TCP packet header.
+TCP ¥Ñ¥±¥Ã¥È¥Ø¥Ã¥À¡¼¤Î¥ª¥×¥·¥ç¥ó¤ò¥í¥°¤ËµÏ¿¤¹¤ë¡£
+.TP
+.B --log-ip-options
+.\"O Log options from the IP packet header.
+IP ¥Ñ¥±¥Ã¥È¥Ø¥Ã¥À¡¼¤Î¥ª¥×¥·¥ç¥ó¤ò¥í¥°¤ËµÏ¿¤¹¤ë¡£
+.SS MARK
+.\"O This is used to set the netfilter mark value associated with the
+.\"O packet. It is only valid in the
+.\"O .B mangle
+.\"O table. It can for example be used in conjunction with iproute2.
+¥Ñ¥±¥Ã¥È¤Ë´ØÏ¢¤Å¤±¤é¤ì¤¿ netfilter ¤Î mark ÃͤòÀßÄꤹ¤ë¡£
+.B mangle
+¥Æ¡¼¥Ö¥ë¤Î¤ß¤Ç͸ú¤Ç¤¢¤ë¡£
+Î㤨¤Ð¡¢iproute2 ¤ÈÁȤ߹ç¤ï¤»¤Æ»È¤¦¤³¤È¤¬¤Ç¤¤ë¡£
+.TP
+.BI "--set-mark " "mark"
+.SS MASQUERADE
+.\"O This target is only valid in the
+.\"O .B nat
+.\"O table, in the
+.\"O .B POSTROUTING
+.\"O chain.
+¤³¤Î¥¿¡¼¥²¥Ã¥È¤Ï
+.B nat
+¥Æ¡¼¥Ö¥ë¤Î
+.B POSTROUTING
+¥Á¥§¥¤¥ó¤Î¤ß¤Ç͸ú¤Ç¤¢¤ë¡£
+.\"O It should only be used with dynamically assigned IP (dialup)
+.\"O connections: if you have a static IP address, you should use the SNAT
+.\"O target.
+ưŪ³ä¤êÅö¤Æ IP (¥À¥¤¥ä¥ë¥¢¥Ã¥×) Àܳ¤Î¾ì¹ç¤Ë¤Î¤ß»È¤¦¤Ù¤¤Ç¤¢¤ë¡£
+¸ÇÄê IP ¥¢¥É¥ì¥¹¤Ê¤é¤Ð¡¢SNAT ¥¿¡¼¥²¥Ã¥È¤ò»È¤¦¤Ù¤¤Ç¤¢¤ë¡£
+.\"O Masquerading is equivalent to specifying a mapping to the IP
+.\"O address of the interface the packet is going out, but also has the
+.\"O effect that connections are
+.\"O .I forgotten
+.\"O when the interface goes down.
+¥Þ¥¹¥«¥ì¡¼¥Ç¥£¥ó¥°¤Ï¡¢¥Ñ¥±¥Ã¥È¤¬Á÷¿®¤µ¤ì¤ë¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹¤Î
+IP ¥¢¥É¥ì¥¹¤Ø¤Î¥Þ¥Ã¥Ô¥ó¥°¤ò»ØÄꤹ¤ë¤Î¤ÈƱ¤¸¤Ç¤¢¤ë¤¬¡¢
+¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹¤¬Ää»ß¤·¤¿¾ì¹ç¤ËÀܳ¤ò\fI˺¤ì¤ë\fR¤È¤¤¤¦¸ú²Ì¤¬¤¢¤ë¡£
+.\"O This is the correct behavior when the
+.\"O next dialup is unlikely to have the same interface address (and hence
+.\"O any established connections are lost anyway). It takes one option:
+¼¡¤Î¥À¥¤¥ä¥ë¥¢¥Ã¥×¤Ç¤ÏƱ¤¸¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹¥¢¥É¥ì¥¹¤Ë¤Ê¤ë²ÄǽÀ¤¬Ä㤤
+(¤½¤Î¤¿¤á¡¢Á°²ó³ÎΩ¤µ¤ì¤¿Àܳ¤Ï¼º¤ï¤ì¤ë) ¾ì¹ç¡¢
+¤³¤ÎÆ°ºî¤ÏÀµ¤·¤¤¡£
+¤³¤Î¥¿¡¼¥²¥Ã¥È¤Ë¤Ï¥ª¥×¥·¥ç¥ó¤¬ 1 ¤Ä¤¢¤ë¡£
+.TP
+.BR "--to-ports " "\fIport\fP[-\fIport\fP]"
+.\"O This specifies a range of source ports to use, overriding the default
+.\"O .B SNAT
+.\"O source port-selection heuristics (see above). This is only valid
+.\"O if the rule also specifies
+.\"O .B "-p tcp"
+.\"O or
+.\"O .BR "-p udp" .
+¤³¤Î¥ª¥×¥·¥ç¥ó¤Ï¡¢»ÈÍѤ¹¤ëÁ÷¿®¸µ¥Ý¡¼¥È¤ÎÈϰϤò»ØÄꤷ¡¢
+¥Ç¥Õ¥©¥ë¥È¤Î
+.B SNAT
+Á÷¿®¸µ¥Ý¡¼¥È¤ÎÁªÂòÊýË¡ (¾åµ) ¤è¤ê¤âÍ¥À褵¤ì¤ë¡£
+¥ë¡¼¥ë¤¬
+.B "-p tcp"
+¤Þ¤¿¤Ï
+.B "-p udp"
+¤ò»ØÄꤷ¤Æ¤¤¤ë¾ì¹ç¤Ë¤Î¤ß͸ú¤Ç¤¢¤ë¡£
+.SS MIRROR
+.\"O This is an experimental demonstration target which inverts the source
+.\"O and destination fields in the IP header and retransmits the packet.
+¼Â¸³Åª¤Ê¥Ç¥â¥ó¥¹¥È¥ì¡¼¥·¥ç¥óÍѤΥ¿¡¼¥²¥Ã¥È¤Ç¤¢¤ê¡¢
+IP ¥Ø¥Ã¥À¡¼¤ÎÁ÷¿®¸µ¤ÈÁ÷¿®Àè¥Õ¥£¡¼¥ë¥É¤òÆþ¤ì´¹¤¨¡¢
+¥Ñ¥±¥Ã¥È¤òºÆÁ÷¿®¤¹¤ë¤â¤Î¤Ç¤¢¤ë¡£
+.\"O It is only valid in the
+.\"O .BR INPUT ,
+.\"O .B FORWARD
+.\"O and
+.\"O .B PREROUTING
+.\"O chains, and user-defined chains which are only called from those
+.\"O chains.
+¤³¤ì¤Ï
+.BR INPUT ,
+.BR FORWARD ,
+.B PREROUTING
+¥Á¥§¥¤¥ó¤È¡¢¤³¤ì¤é¤Î¥Á¥§¥¤¥ó¤«¤é¸Æ¤Ó½Ð¤µ¤ì¤ë
+¥æ¡¼¥¶¡¼ÄêµÁ¥Á¥§¥¤¥ó¤À¤±¤Ç͸ú¤Ç¤¢¤ë¡£
+.\"O Note that the outgoing packets are
+.\"O .B NOT
+.\"O seen by any packet filtering chains, connection tracking or NAT, to
+.\"O avoid loops and other problems.
+¥ë¡¼¥×Åù¤ÎÌäÂê¤ò²óÈò¤¹¤ë¤¿¤á¡¢³°Éô¤ËÁ÷¤é¤ì¤ë¥Ñ¥±¥Ã¥È¤Ï
+¤¤¤«¤Ê¤ë¥Ñ¥±¥Ã¥È¥Õ¥£¥ë¥¿¥ê¥ó¥°¥Á¥§¥¤¥ó¡¦ÀܳÄÉÀס¦NAT ¤«¤é¤â
+´Æ»ë\fB¤µ¤ì¤Ê¤¤\fR¡£
+.SS REDIRECT
+.\"O This target is only valid in the
+.\"O .B nat
+.\"O table, in the
+.\"O .B PREROUTING
+.\"O and
+.\"O .B OUTPUT
+.\"O chains, and user-defined chains which are only called from those
+.\"O chains. It alters the destination IP address to send the packet to
+.\"O the machine itself (locally-generated packets are mapped to the
+.\"O 127.0.0.1 address). It takes one option:
+¤³¤Î¥¿¡¼¥²¥Ã¥È¤Ï¡¢
+.B nat
+¥Æ¡¼¥Ö¥ëÆâ¤Î
+.B PREROUTING
+¥Á¥§¥¤¥óµÚ¤Ó
+.B OUTPUT
+¥Á¥§¥¤¥ó¡¢¤½¤·¤Æ¤³¤ì¤é¥Á¥§¥¤¥ó¤«¤é¸Æ¤Ó½Ð¤µ¤ì¤ë
+¥æ¡¼¥¶¡¼ÄêµÁ¥Á¥§¥¤¥ó¤Ç¤Î¤ß͸ú¤Ç¤¢¤ë¡£
+¤³¤Î¥¿¡¼¥²¥Ã¥È¤Ï¥Ñ¥±¥Ã¥È¤ÎÁ÷¿®Àè IP ¥¢¥É¥ì¥¹¤ò
+¥Þ¥·¥ó¼«¿È¤Î IP ¥¢¥É¥ì¥¹¤ËÊÑ´¹¤¹¤ë¡£
+(¥í¡¼¥«¥ë¤ÇÀ¸À®¤µ¤ì¤¿¥Ñ¥±¥Ã¥È¤Ï¡¢¥¢¥É¥ì¥¹ 127.0.0.1 ¤Ë¥Þ¥Ã¥×¤µ¤ì¤ë)¡£
+¤³¤Î¥¿¡¼¥²¥Ã¥È¤Ë¤Ï¥ª¥×¥·¥ç¥ó¤¬ 1 ¤Ä¤¢¤ë:
+.TP
+.BR "--to-ports " "\fIport\fP[-\fIport\fP]"
+.\"O This specifies a destination port or range of ports to use: without
+.\"O this, the destination port is never altered. This is only valid
+.\"O if the rule also specifies
+.\"O .B "-p tcp"
+.\"O or
+.\"O .BR "-p udp" .
+¤³¤Î¥ª¥×¥·¥ç¥ó¤Ï»ÈÍѤµ¤ì¤ëÁ÷¿®Àè¥Ý¡¼¥È¡¦¥Ý¡¼¥ÈÈÏ°Ï¡¦Ê£¿ô¥Ý¡¼¥È¤ò»ØÄꤹ¤ë¡£
+¤³¤Î¥ª¥×¥·¥ç¥ó¤¬»ØÄꤵ¤ì¤Ê¤¤¾ì¹ç¡¢Á÷¿®Àè¥Ý¡¼¥È¤ÏÊѹ¹¤µ¤ì¤Ê¤¤¡£
+¥ë¡¼¥ë¤¬
+.B "-p tcp"
+¤Þ¤¿¤Ï
+.B "-p udp"
+¤ò»ØÄꤷ¤Æ¤¤¤ë¾ì¹ç¤Ë¤Î¤ß͸ú¤Ç¤¢¤ë¡£
+.SS REJECT
+.\"O This is used to send back an error packet in response to the matched
+.\"O packet: otherwise it is equivalent to
+.\"O .B DROP
+.\"O so it is a terminating TARGET, ending rule traversal.
+¥Þ¥Ã¥Á¤·¤¿¥Ñ¥±¥Ã¥È¤Î±þÅú¤È¤·¤Æ¥¨¥é¡¼¥Ñ¥±¥Ã¥È¤òÁ÷¿®¤¹¤ë¤¿¤á¤Ë»È¤ï¤ì¤ë¡£
+¥¨¥é¡¼¥Ñ¥±¥Ã¥È¤òÁ÷¤é¤Ê¤±¤ì¤Ð¡¢
+.B DROP
+¤ÈƱ¤¸¤Ç¤¢¤ê¡¢TARGET ¤ò½ªÎ»¤·¡¢¥ë¡¼¥ë¤Î¸¡Æ¤¤ò½ªÎ»¤¹¤ë¡£
+.\"O This target is only valid in the
+.\"O .BR INPUT ,
+.\"O .B FORWARD
+.\"O and
+.\"O .B OUTPUT
+.\"O chains, and user-defined chains which are only called from those
+.\"O chains. The following option controls the nature of the error packet
+.\"O returned:
+¤³¤Î¥¿¡¼¥²¥Ã¥È¤Ï¡¢
+.BR INPUT ,
+.BR FORWARD ,
+.B OUTPUT
+¥Á¥§¥¤¥ó¤È¡¢¤³¤ì¤é¤Î¥Á¥§¥¤¥ó¤«¤é¸Æ¤Ð¤ì¤ë
+¥æ¡¼¥¶¡¼ÄêµÁ¥Á¥§¥¤¥ó¤À¤±¤Ç͸ú¤Ç¤¢¤ë¡£
+°Ê²¼¤Î¥ª¥×¥·¥ç¥ó¤Ï¡¢ÊÖ¤µ¤ì¤ë¥¨¥é¡¼¥Ñ¥±¥Ã¥È¤ÎÆÃÀ¤òÀ©¸æ¤¹¤ë¡£
+.TP
+.BI "--reject-with " "type"
+.\"O The type given can be
+.\"O .nf
+.\"O .B " icmp-net-unreachable"
+.\"O .B " icmp-host-unreachable"
+.\"O .B " icmp-port-unreachable"
+.\"O .B " icmp-proto-unreachable"
+.\"O .B " icmp-net-prohibited"
+.\"O .B " icmp-host-prohibited or"
+.\"O .B " icmp-admin-prohibited (*)"
+.\"O .fi
+.\"O which return the appropriate ICMP error message (\fBport-unreachable\fP is
+.\"O the default).
+type ¤È¤·¤Æ»ØÄê²Äǽ¤Ê¤â¤Î¤Ï
+.nf
+.B " icmp-net-unreachable"
+.B " icmp-host-unreachable"
+.B " icmp-port-unreachable"
+.B " icmp-proto-unreachable"
+.B " icmp-net-prohibited"
+.B " icmp-host-prohibited or"
+.B " icmp-admin-prohibited (*)"
+.fi
+¤Ç¤¢¤ê¡¢Å¬ÀÚ¤Ê ICMP ¥¨¥é¡¼¥á¥Ã¥»¡¼¥¸¤òÊÖ¤¹
+.RB ( port-unreachable
+¤¬¥Ç¥Õ¥©¥ë¥È¤Ç¤¢¤ë)¡£
+.\"O The option
+.\"O .B tcp-reset
+.\"O can be used on rules which only match the TCP protocol: this causes a
+.\"O TCP RST packet to be sent back. This is mainly useful for blocking
+.\"O .I ident
+.\"O (113/tcp) probes which frequently occur when sending mail to broken mail
+.\"O hosts (which won't accept your mail otherwise).
+TCP ¥×¥í¥È¥³¥ë¤Ë¤Î¤ß¥Þ¥Ã¥Á¤¹¤ë¥ë¡¼¥ë¤ËÂФ·¤Æ¡¢¥ª¥×¥·¥ç¥ó
+.B tcp-reset
+¤ò»È¤¦¤³¤È¤¬¤Ç¤¤ë¡£
+¤³¤Î¥ª¥×¥·¥ç¥ó¤ò»È¤¦¤È¡¢TCP RST ¥Ñ¥±¥Ã¥È¤¬Á÷¤êÊÖ¤µ¤ì¤ë¡£
+¼ç¤È¤·¤Æ
+.I ident
+(113/tcp) ¤Ë¤è¤ëõºº¤òÁ˻ߤ¹¤ë¤Î¤ËÌòΩ¤Ä¡£
+.I ident
+¤Ë¤è¤ëõºº¤Ï¡¢²õ¤ì¤Æ¤¤¤ë (¥á¡¼¥ë¤ò¼õ¤±¼è¤é¤Ê¤¤) ¥á¡¼¥ë¥Û¥¹¥È¤Ë
+¥á¡¼¥ë¤¬Á÷¤é¤ì¤ë¾ì¹ç¤ËÉÑÈˤ˵¯¤³¤ë¡£
+.\"O .TP
+.\"O (*) Using icmp-admin-prohibited with kernels that do not support it will result in a plain DROP instead of REJECT
+.RS
+.PP
+(*) icmp-admin-prohibited ¤ò¥µ¥Ý¡¼¥È¤·¤Ê¤¤¥«¡¼¥Í¥ë¤Ç¡¢
+icmp-admin-prohibited ¤ò»ÈÍѤ¹¤ë¤È¡¢
+REJECT ¤Ç¤Ï¤Ê¤¯Ã±¤Ê¤ë DROP ¤Ë¤Ê¤ë¡£
+.SS SNAT
+.\"O This target is only valid in the
+.\"O .B nat
+.\"O table, in the
+.\"O .B POSTROUTING
+.\"O chain. It specifies that the source address of the packet should be
+.\"O modified (and all future packets in this connection will also be
+.\"O mangled), and rules should cease being examined. It takes one type
+.\"O of option:
+¤³¤Î¥¿¡¼¥²¥Ã¥È¤Ï
+.B nat
+¥Æ¡¼¥Ö¥ë¤Î
+.B POSTROUTING
+¥Á¥§¥¤¥ó¤Î¤ß¤Ç͸ú¤Ç¤¢¤ë¡£
+¤³¤Î¥¿¡¼¥²¥Ã¥È¤Ï¥Ñ¥±¥Ã¥È¤ÎÁ÷¿®¸µ¥¢¥É¥ì¥¹¤ò½¤Àµ¤µ¤»¤ë
+(¤³¤ÎÀܳ¤Î°Ê¹ß¤Î¥Ñ¥±¥Ã¥È¤â½¤Àµ¤·¤Æʬ¤«¤é¤Ê¤¯ (mangle) ¤¹¤ë)¡£
+¤µ¤é¤Ë¡¢¥ë¡¼¥ë¤¬É¾²Á¤òÃæ»ß¤¹¤ë¤è¤¦¤Ë»Ø¼¨¤¹¤ë¡£
+¤³¤Î¥¿¡¼¥²¥Ã¥È¤Ë¤Ï¥ª¥×¥·¥ç¥ó¤¬ 1 ¼ïÎढ¤ë:
+.TP
+.BR "--to-source " "\fIipaddr\fP[-\fIipaddr\fP][:\fIport\fP-\fIport\fP]"
+.\"O which can specify a single new source IP address, an inclusive range
+.\"O of IP addresses, and optionally, a port range (which is only valid if
+.\"O the rule also specifies
+.\"O .B "-p tcp"
+.\"O or
+.\"O .BR "-p udp" ).
+1 ¤Ä¤Î¿·¤·¤¤Á÷¿®¸µ IP ¥¢¥É¥ì¥¹¡¢¤Þ¤¿¤Ï IP ¥¢¥É¥ì¥¹¤ÎÈϰϤ¬»ØÄê¤Ç¤¤ë¡£
+¥Ý¡¼¥È¤ÎÈϰϤò»ØÄꤹ¤ë¤³¤È¤â¤Ç¤¤ë
+(¥ë¡¼¥ë¤¬
+.B "-p tcp"
+¤Þ¤¿¤Ï
+.B "-p udp"
+¤ò»ØÄꤷ¤Æ¤¤¤ë¾ì¹ç¤Ë¤Î¤ß͸ú)¡£
+.\"O If no port range is specified, then source ports below 512 will be
+.\"O mapped to other ports below 512: those between 512 and 1023 inclusive
+.\"O will be mapped to ports below 1024, and other ports will be mapped to
+.\"O 1024 or above. Where possible, no port alteration will occur.
+¥Ý¡¼¥È¤ÎÈϰϤ¬»ØÄꤵ¤ì¤Æ¤¤¤Ê¤¤¾ì¹ç¡¢
+512 ̤Ëþ¤ÎÁ÷¿®¸µ¥Ý¡¼¥È¤Ï¡¢Â¾¤Î 512 ̤Ëþ¤Î¥Ý¡¼¥È¤Ë¥Þ¥Ã¥Ô¥ó¥°¤µ¤ì¤ë¡£
+512 ¡Á 1023 ¤Þ¤Ç¤Î¥Ý¡¼¥È¤Ï¡¢1024 ̤Ëþ¤Î¥Ý¡¼¥È¤Ë¥Þ¥Ã¥Ô¥ó¥°¤µ¤ì¤ë¡£
+¤½¤ì°Ê³°¤Î¥Ý¡¼¥È¤Ï¡¢1024 °Ê¾å¤Î¥Ý¡¼¥È¤Ë¥Þ¥Ã¥Ô¥ó¥°¤µ¤ì¤ë¡£
+²Äǽ¤Ç¤¢¤ì¤Ð¡¢¥Ý¡¼¥È¤ÎÊÑ´¹¤Ïµ¯¤³¤é¤Ê¤¤¡£
+.RS
+.PP
+.\"O You can add several --to-source options. If you specify more
+.\"O than one source address, either via an address range or multiple
+.\"O --to-source options, a simple round-robin (one after another in
+.\"O cycle) takes place between these adresses.
+Ê£¿ô¤Î --to-source ¥ª¥×¥·¥ç¥ó¤ò»ØÄꤹ¤ë¤³¤È¤¬¤Ç¤¤ë¡£
+¥¢¥É¥ì¥¹¤ÎÈϰϤˤè¤Ã¤Æ¡¢
+¤â¤·¤¯¤ÏÊ£¿ô¤Î --to-source ¥ª¥×¥·¥ç¥ó¤Ë¤è¤Ã¤Æ
+2 ¤Ä°Ê¾å¤ÎÁ÷¿®¸µ¥¢¥É¥ì¥¹¤ò»ØÄꤷ¤¿¾ì¹ç¡¢
+¤½¤ì¤é¤Î¥¢¥É¥ì¥¹¤ò»È¤Ã¤¿Ã±½ã¤Ê¥é¥¦¥ó¥É¡¦¥í¥Ó¥ó
+(½ç¡¹¤Ë½Û´Ä¤µ¤»¤ë) ¤¬¤ª¤³¤Ê¤ï¤ì¤ë¡£
+.SS TCPMSS
+.\"O This target allows to alter the MSS value of TCP SYN packets, to control
+.\"O the maximum size for that connection (usually limiting it to your
+.\"O outgoing interface's MTU minus 40). Of course, it can only be used
+.\"O in conjunction with
+.\"O .BR "-p tcp" .
+¤³¤Î¥¿¡¼¥²¥Ã¥È¤òÍѤ¤¤ë¤È¡¢TCP ¤Î SYN ¥Ñ¥±¥Ã¥È¤Î MSS Ãͤò½ñ¤´¹¤¨¡¢
+¤½¤Î¥³¥Í¥¯¥·¥ç¥ó¤ÎºÇÂ祵¥¤¥º
+(Ä̾ï¤Ï¡¢Á÷¿®¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹¤Î MTU ¤«¤é 40 °ú¤¤¤¿ÃÍ)
+¤òÀ©¸æ¤Ç¤¤ë¡£
+¤â¤Á¤í¤ó
+.B "-p tcp"
+¤ÈÁȤ߹ç¤ï¤»¤Æ¤·¤«»È¤¨¤Ê¤¤¡£
+.\"O .br
+.PP
+.\"O This target is used to overcome criminally braindead ISPs or servers
+.\"O which block ICMP Fragmentation Needed packets. The symptoms of this
+.\"O problem are that everything works fine from your Linux
+.\"O firewall/router, but machines behind it can never exchange large
+.\"O packets:
+¤³¤Î¥¿¡¼¥²¥Ã¥È¤ÏÈȺáŪ¤ËƬ¤Î¤¤¤«¤ì¤¿ ISP ¤ä
+ICMP Fragmentation Needed ¥Ñ¥±¥Ã¥È¤ò¥Ö¥í¥Ã¥¯¤·¤Æ¤·¤Þ¤¦¥µ¡¼¥Ð¡¼¤ò
+¾è¤ê±Û¤¨¤ë¤¿¤á¤Ë»ÈÍѤ¹¤ë¡£
+Linux ¥Õ¥¡¥¤¥¢¥¦¥©¡¼¥ë/¥ë¡¼¥¿¡¼¤Ç¤Ï²¿¤âÌäÂ꤬¤Ê¤¤¤Î¤Ë¡¢
+¤½¤³¤Ë¤Ö¤é²¼¤¬¤ë¥Þ¥·¥ó¤Ç¤Ï°Ê²¼¤Î¤è¤¦¤ËÂ礤ʥѥ±¥Ã¥È¤ò
+¤ä¤ê¤È¤ê¤Ç¤¤Ê¤¤¤È¤¤¤¦¤Î¤¬¡¢¤³¤ÎÌäÂê¤ÎÃû¸õ¤Ç¤¢¤ë¡£
+.PD 0
+.RS 0.1i
+.TP 0.3i
+1)
+.\"O Web browsers connect, then hang with no data received.
+¥¦¥§¥Ö¡¦¥Ö¥é¥¦¥¶¤ÇÀܳ¤¬¡¢²¿¤Î¥Ç¡¼¥¿¤â¼õ¤±¼è¤é¤º¤Ë¥Ï¥ó¥°¤¹¤ë
+.TP
+2)
+.\"O Small mail works fine, but large emails hang.
+û¤¤¥á¡¼¥ë¤ÏÌäÂê¤Ê¤¤¤¬¡¢Ä¹¤¤¥á¡¼¥ë¤¬¥Ï¥ó¥°¤¹¤ë
+.TP
+3)
+.\"O ssh works fine, but scp hangs after initial handshaking.
+ssh ¤ÏÌäÂê¤Ê¤¤¤¬¡¢scp ¤ÏºÇ½é¤Î¥Ï¥ó¥É¥·¥§¡¼¥¯¸å¤Ë¥Ï¥ó¥°¤¹¤ë
+.RE
+.PD
+.\"O Workaround: activate this option and add a rule to your firewall
+.\"O configuration like:
+²óÈòÊýË¡: ¤³¤Î¥ª¥×¥·¥ç¥ó¤ò͸ú¤Ë¤·¡¢°Ê²¼¤Î¤è¤¦¤Ê¥ë¡¼¥ë¤ò
+¥Õ¥¡¥¤¥¢¥¦¥©¡¼¥ë¤ÎÀßÄê¤ËÄɲ乤롣
+.nf
+ iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \\
+ -j TCPMSS --clamp-mss-to-pmtu
+.fi
+.TP
+.BI "--set-mss " "value"
+.\"O Explicitly set MSS option to specified value.
+MSS ¥ª¥×¥·¥ç¥ó¤ÎÃͤò»ØÄꤷ¤¿ÃͤËÀßÄꤹ¤ë¡£
+.TP
+.B "--clamp-mss-to-pmtu"
+.\"O Automatically clamp MSS value to (path_MTU - 40).
+¼«Æ°Åª¤Ë¡¢MSS Ãͤò (path_MTU - 40) ¤Ë¶¯À©¤¹¤ë¡£
+.\"O .TP
+.RS
+.PP
+.\"O These options are mutually exclusive.
+¤³¤ì¤é¤Î¥ª¥×¥·¥ç¥ó¤Ï¤É¤Á¤é¤« 1 ¤Ä¤·¤«»ØÄê¤Ç¤¤Ê¤¤¡£
+.RE
+.SS TOS
+.\"O This is used to set the 8-bit Type of Service field in the IP header.
+.\"O It is only valid in the
+.\"O .B mangle
+.\"O table.
+IP ¥Ø¥Ã¥À¡¼¤Î 8 ¥Ó¥Ã¥È¤Î Type of Service ¥Õ¥£¡¼¥ë¥É¤òÀßÄꤹ¤ë¤¿¤á¤Ë»È¤ï¤ì¤ë¡£
+.B mangle
+¥Æ¡¼¥Ö¥ë¤Î¤ß¤Ç͸ú¤Ç¤¢¤ë¡£
+.TP
+.BI "--set-tos " "tos"
+.\"O You can use a numeric TOS values, or use
+.\"O .nf
+.\"O iptables -j TOS -h
+.\"O .fi
+.\"O to see the list of valid TOS names.
+TOS ¤òÈÖ¹æ¤Ç»ØÄꤹ¤ë¤³¤È¤¬¤Ç¤¤ë¡£
+¤Þ¤¿¡¢
+.nf
+ iptables -j TOS -h
+.fi
+¤ò¼Â¹Ô¤·¤ÆÆÀ¤é¤ì¤ë¡¢»ÈÍѲÄǽ¤Ê TOS ̾¤Î°ìÍ÷¤Ë¤¢¤ë TOS ̾¤â»ØÄê¤Ç¤¤ë¡£
+.SS ULOG
+.\"O This target provides userspace logging of matching packets. When this
+.\"O target is set for a rule, the Linux kernel will multicast this packet
+.\"O through a
+.\"O .IR netlink
+.\"O socket. One or more userspace processes may then subscribe to various
+.\"O multicast groups and receive the packets.
+¤³¤Î¥¿¡¼¥²¥Ã¥È¤Ï¡¢¥Þ¥Ã¥Á¤·¤¿¥Ñ¥±¥Ã¥È¤ò
+¥æ¡¼¥¶¡¼¶õ´Ö¤Ç¥í¥°µÏ¿¤¹¤ëµ¡Ç½¤òÄ󶡤¹¤ë¡£
+¤³¤Î¥¿¡¼¥²¥Ã¥È¤¬¥ë¡¼¥ë¤ËÀßÄꤵ¤ì¤ë¤È¡¢
+Linux ¥«¡¼¥Í¥ë¤Ï¡¢¤½¤Î¥Ñ¥±¥Ã¥È¤ò
+.I netlink
+¥½¥±¥Ã¥È¤òÍѤ¤¤Æ¥Þ¥ë¥Á¥¥ã¥¹¥È¤¹¤ë¡£
+¤½¤·¤Æ¡¢1 ¤Ä°Ê¾å¤Î¥æ¡¼¥¶¡¼¶õ´Ö¥×¥í¥»¥¹¤¬
+¤¤¤í¤¤¤í¤Ê¥Þ¥ë¥Á¥¥ã¥¹¥È¥°¥ë¡¼¥×¤ËÅÐÏ¿¤ò¤ª¤³¤Ê¤¤¡¢
+¥Ñ¥±¥Ã¥È¤ò¼õ¿®¤¹¤ë¡£
+.\"O Like LOG, this is a "non-terminating target", i.e. rule traversal
+.\"O continues at the next rule.
+LOG ¤ÈƱÍÍ¡¢¤³¤ì¤Ï "Èó½ªÎ»¥¿¡¼¥²¥Ã¥È" ¤Ç¤¢¤ê¡¢
+¥ë¡¼¥ë¤Î¸¡Æ¤¤Ï¼¡¤Î¥ë¡¼¥ë¤Ø¤È·Ñ³¤µ¤ì¤ë¡£
+.TP
+.BI "--ulog-nlgroup " "nlgroup"
+.\"O This specifies the netlink group (1-32) to which the packet is sent.
+.\"O Default value is 1.
+¥Ñ¥±¥Ã¥È¤òÁ÷¿®¤¹¤ë netlink ¥°¥ë¡¼¥× (1-32) ¤ò»ØÄꤹ¤ë¡£
+¥Ç¥Õ¥©¥ë¥È¤ÎÃÍ¤Ï 1 ¤Ç¤¢¤ë¡£
+.TP
+.BI "--ulog-prefix " "prefix"
+.\"O Prefix log messages with the specified prefix; up to 32 characters
+.\"O long, and useful for distinguishing messages in the logs.
+»ØÄꤷ¤¿¥×¥ì¥Õ¥£¥Ã¥¯¥¹¤ò¥í¥°¥á¥Ã¥»¡¼¥¸¤ÎÁ°¤ËÉÕ¤±¤ë¡£
+32 ʸ»ú¤Þ¤Ç¤Î»ØÄê¤Ç¤¤ë¡£
+¥í¥°¤ÎÃæ¤Ç¥á¥Ã¥»¡¼¥¸¤ò¶èÊ̤¹¤ë¤Î¤ËÊØÍø¤Ç¤¢¤ë¡£
+.TP
+.BI "--ulog-cprange " "size"
+.\"O Number of bytes to be copied to userspace. A value of 0 always copies
+.\"O the entire packet, regardless of its size. Default is 0.
+¥æ¡¼¥¶¡¼¶õ´Ö¤Ë¥³¥Ô¡¼¤¹¤ë¥Ñ¥±¥Ã¥È¤Î¥Ð¥¤¥È¿ô¡£
+Ãͤ¬ 0 ¤Î¾ì¹ç¡¢¥µ¥¤¥º¤Ë´Ø·¸¤Ê¤¯Á´¥Ñ¥±¥Ã¥È¤ò¥³¥Ô¡¼¤¹¤ë¡£
+¥Ç¥Õ¥©¥ë¥È¤Ï 0 ¤Ç¤¢¤ë¡£
+.TP
+.BI "--ulog-qthreshold " "size"
+.\"O Number of packet to queue inside kernel. Setting this value to, e.g. 10
+.\"O accumulates ten packets inside the kernel and transmits them as one
+.\"O netlink multipart message to userspace. Default is 1 (for backwards
+.\"O compatibility).
+.\"O .br
+¥«¡¼¥Í¥ëÆâÉô¤Î¥¥å¡¼¤ËÆþ¤ì¤é¤ì¤ë¥Ñ¥±¥Ã¥È¤Î¿ô¡£
+Î㤨¤Ð¡¢¤³¤ÎÃͤò 10 ¤Ë¤·¤¿¾ì¹ç¡¢
+¥«¡¼¥Í¥ëÆâÉô¤Ç 10 ¸Ä¤Î¥Ñ¥±¥Ã¥È¤ò¤Þ¤È¤á¡¢
+1 ¤Ä¤Î netlink ¥Þ¥ë¥Á¥Ñ¡¼¥È¥á¥Ã¥»¡¼¥¸¤È¤·¤Æ¥æ¡¼¥¶¡¼¶õ´Ö¤ËÁ÷¤ë¡£
+(²áµî¤Î¤â¤Î¤È¤Î¸ß´¹À¤Î¤¿¤á) ¥Ç¥Õ¥©¥ë¥È¤Ï 1 ¤Ç¤¢¤ë¡£
+.\"O .SH DIAGNOSTICS
+.SH ÊÖ¤êÃÍ
+.\"O Various error messages are printed to standard error. The exit code
+.\"O is 0 for correct functioning. Errors which appear to be caused by
+.\"O invalid or abused command line parameters cause an exit code of 2, and
+.\"O other errors cause an exit code of 1.
+¤¤¤í¤¤¤í¤Ê¥¨¥é¡¼¥á¥Ã¥»¡¼¥¸¤¬É¸½à¥¨¥é¡¼¤Ëɽ¼¨¤µ¤ì¤ë¡£
+Àµ¤·¤¯µ¡Ç½¤·¤¿¾ì¹ç¡¢½ªÎ»¥³¡¼¥É¤Ï 0 ¤Ç¤¢¤ë¡£
+ÉÔÀµ¤Ê¥³¥Þ¥ó¥É¥é¥¤¥ó¥Ñ¥é¥á¡¼¥¿¤Ë¤è¤ê¥¨¥é¡¼¤¬È¯À¸¤·¤¿¾ì¹ç¤Ï¡¢
+½ªÎ»¥³¡¼¥É 2 ¤¬ÊÖ¤µ¤ì¤ë¡£
+¤½¤Î¾¤Î¥¨¥é¡¼¤Î¾ì¹ç¤Ï¡¢½ªÎ»¥³¡¼¥É 1 ¤¬ÊÖ¤µ¤ì¤ë¡£
+.\"O .SH BUGS
+.SH ¥Ð¥°
+.\"O Bugs? What's this? ;-)
+.\"O Well... the counters are not reliable on sparc64.
+¥Ð¥°? ¥Ð¥°¤Ã¤Æ²¿? ;-)
+¤¨¡¼¤È¡Ä¡¢sparc64 ¤Ç¤Ï¥«¥¦¥ó¥¿¡¼Ãͤ¬¿®Íê¤Ç¤¤Ê¤¤¡£
+.\"O .SH COMPATIBILITY WITH IPCHAINS
+.SH IPCHAINS ¤È¤Î¸ß´¹À
+.\"O This
+.\"O .B iptables
+.\"O is very similar to ipchains by Rusty Russell. The main difference is
+.\"O that the chains
+.\"O .B INPUT
+.\"O and
+.\"O .B OUTPUT
+.\"O are only traversed for packets coming into the local host and
+.\"O originating from the local host respectively. Hence every packet only
+.\"O passes through one of the three chains (except loopback traffic, which
+.\"O involves both INPUT and OUTPUT chains); previously a forwarded packet
+.\"O would pass through all three.
+.B iptables
+¤Ï¡¢Rusty Russell ¤Î ipchains ¤ÈÈó¾ï¤Ë¤è¤¯»÷¤Æ¤¤¤ë¡£
+Â礤ʰ㤤¤Ï¡¢¥Á¥§¥¤¥ó
+.B INPUT
+¤È
+.B OUTPUT
+¤¬¡¢¤½¤ì¤¾¤ì¥í¡¼¥«¥ë¥Û¥¹¥È¤ËÆþ¤Ã¤Æ¤¯¤ë¥Ñ¥±¥Ã¥È¤È¡¢
+¥í¡¼¥«¥ë¥Û¥¹¥È¤«¤é½Ð¤µ¤ì¤ë¥Ñ¥±¥Ã¥È¤Î¤ß¤·¤«Ä´¤Ù¤Ê¤¤¤È¤¤¤¦ÅÀ¤Ç¤¢¤ë¡£
+¤è¤Ã¤Æ¡¢(INPUT ¤È OUTPUT ¤ÎξÊý¤Î¥Á¥§¥¤¥ó¤òµ¯Æ°¤¹¤ë
+¥ë¡¼¥×¥Ð¥Ã¥¯¥È¥é¥Õ¥£¥Ã¥¯¤ò½ü¤¯)
+Á´¤Æ¤Î¥Ñ¥±¥Ã¥È¤Ï 3 ¤Ä¤¢¤ë¥Á¥§¥¤¥ó¤Î¤¦¤Á 1 ¤·¤«Ä̤é¤Ê¤¤¡£
+°ÊÁ°¤Ï (ipchains ¤Ç¤Ï)¡¢
+¥Õ¥©¥ï¡¼¥É¤µ¤ì¤ë¥Ñ¥±¥Ã¥È¤Ï 3 ¤Ä¤Î¥Á¥§¥¤¥óÁ´¤Æ¤òÄ̤äƤ¤¤¿¡£
+.PP
+.\"O The other main difference is that
+.\"O .B -i
+.\"O refers to the input interface;
+.\"O .B -o
+.\"O refers to the output interface, and both are available for packets
+.\"O entering the
+.\"O .B FORWARD
+.\"O chain.
+¤½¤Î¾¤ÎÂ礤ʰ㤤¤Ï¡¢
+.B -i
+¤ÇÆþÎÏ¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹¡¢
+.B -o
+¤Ç½ÐÎÏ¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹¤ò»²¾È¤¹¤ë¤³¤È¡¢
+¤½¤·¤Æ¤È¤â¤Ë
+.B FORWARD
+¥Á¥§¥¤¥ó¤ËÆþ¤ë¥Ñ¥±¥Ã¥È¤ËÂФ·¤Æ»ØÄê²Äǽ¤ÊÅÀ¤Ç¤¢¤ë¡£
+.\"O .PP The various forms of NAT have been separated out;
+.\"O .B iptables
+.\"O is a pure packet filter when using the default `filter' table, with
+.\"O optional extension modules. This should simplify much of the previous
+.\"O confusion over the combination of IP masquerading and packet filtering
+.\"O seen previously. So the following options are handled differently:
+.\"O .nf
+.\"O -j MASQ
+.\"O -M -S
+.\"O -M -L
+.\"O .fi
+.PP
+NAT ¤Î¤¤¤í¤¤¤í¤Ê·Á¼°¤¬Ê¬³ä¤µ¤ì¤¿¡£
+¥ª¥×¥·¥ç¥ó¤Î³ÈÄ¥¥â¥¸¥å¡¼¥ë¤È¤È¤â¤Ë
+¥Ç¥Õ¥©¥ë¥È¤Î¡Ö¥Õ¥£¥ë¥¿¡×¥Æ¡¼¥Ö¥ë¤òÍѤ¤¤¿¾ì¹ç¡¢
+.B iptables
+¤Ï½ã¿è¤Ê¥Ñ¥±¥Ã¥È¥Õ¥£¥ë¥¿¤È¤Ê¤ë¡£
+¤³¤ì¤Ï¡¢°ÊÁ°¤ß¤é¤ì¤¿ IP ¥Þ¥¹¥«¥ì¡¼¥Ç¥£¥ó¥°¤È¥Ñ¥±¥Ã¥È¥Õ¥£¥ë¥¿¥ê¥ó¥°¤Î
+Áȹ礻¤Ë¤è¤ëº®Íð¤ò´Êά²½¤¹¤ë¡£
+¤è¤Ã¤Æ¡¢¥ª¥×¥·¥ç¥ó
+.nf
+ -j MASQ
+ -M -S
+ -M -L
+.fi
+¤ÏÊ̤Τâ¤Î¤È¤·¤Æ°·¤ï¤ì¤ë¡£
+.\"O There are several other changes in iptables.
+iptables ¤Ç¤Ï¡¢¤½¤Î¾¤Ë¤â¤¤¤¯¤Ä¤«¤ÎÊѹ¹¤¬¤¢¤ë¡£
+.\"O .SH SEE ALSO
+.SH ´ØÏ¢¹àÌÜ
+.BR iptables-save (8),
+.BR iptables-restore (8),
+.BR ip6tables (8),
+.BR ip6tables-save (8),
+.BR ip6tables-restore (8).
+.P
+.\"O The packet-filtering-HOWTO details iptables usage for
+.\"O packet filtering, the NAT-HOWTO details NAT,
+.\"O the netfilter-extensions-HOWTO details the extensions that are
+.\"O not in the standard distribution,
+.\"O and the netfilter-hacking-HOWTO details the netfilter internals.
+¥Ñ¥±¥Ã¥È¥Õ¥£¥ë¥¿¥ê¥ó¥°¤Ë¤Ä¤¤¤Æ¤Î¾ÜºÙ¤Ê iptables ¤Î»ÈÍÑË¡¤ò
+ÀâÌÀ¤·¤Æ¤¤¤ë packet-filtering-HOWTO¡£
+NAT ¤Ë¤Ä¤¤¤Æ¾ÜºÙ¤ËÀâÌÀ¤·¤Æ¤¤¤ë NAT-HOWTO¡£
+ɸ½àŪ¤ÊÇÛÉۤˤϴޤޤì¤Ê¤¤³ÈÄ¥¤Î¾ÜºÙ¤ò
+ÀâÌÀ¤·¤Æ¤¤¤ë netfilter-extensions-HOWTO¡£
+ÆâÉô¹½Â¤¤Ë¤Ä¤¤¤Æ¾ÜºÙ¤ËÀâÌÀ¤·¤Æ¤¤¤ë netfilter-hacking-HOWTO¡£
+.\"O .br
+.PP
+.\"O See
+.\"O .BR "http://www.netfilter.org/" .
+.UR http://www.netfilter.org/
+.B http://www.netfilter.org/
+.UE
+¤ò»²¾È¤Î¤³¤È¡£
+.\"O .SH AUTHORS
+.SH Ãø¼Ô
+.\"O Rusty Russell wrote iptables, in early consultation with Michael
+.\"O Neuling.
+Rusty Russell ¤Ï¡¢½é´ü¤ÎÃʳ¬¤Ç Michael Neuling ¤ËÁêÃ̤·¤Æ iptables ¤ò½ñ¤¤¤¿¡£
+.PP
+.\"O Marc Boucher made Rusty abandon ipnatctl by lobbying for a generic packet
+.\"O selection framework in iptables, then wrote the mangle table, the owner match,
+.\"O the mark stuff, and ran around doing cool stuff everywhere.
+Marc Boucher ¤Ï Rusty ¤Ë iptables ¤Î°ìÈÌŪ¤Ê¥Ñ¥±¥Ã¥ÈÁªÂò¤Î¹Í¤¨Êý¤ò´«¤á¤Æ¡¢
+ipnatctl ¤ò»ß¤á¤µ¤»¤¿¡£
+¤½¤·¤Æ¡¢mangle ¥Æ¡¼¥Ö¥ë¡¦½êͼԥޥåÁ¥ó¥°¡¦
+mark µ¡Ç½¤ò½ñ¤¡¢¤¤¤¿¤ë¤È¤³¤í¤Ç»È¤ï¤ì¤Æ¤¤¤ëÁÇÀ²¤é¤·¤¤¥³¡¼¥É¤ò½ñ¤¤¤¿¡£
+.PP
+.\"O James Morris wrote the TOS target, and tos match.
+James Morris ¤¬ TOS ¥¿¡¼¥²¥Ã¥È¤È tos ¥Þ¥Ã¥Á¥ó¥°¤ò½ñ¤¤¤¿¡£
+.PP
+.\"O Jozsef Kadlecsik wrote the REJECT target.
+Jozsef Kadlecsik ¤¬ REJECT ¥¿¡¼¥²¥Ã¥È¤ò½ñ¤¤¤¿¡£
+.PP
+.\"O Harald Welte wrote the ULOG target, TTL, DSCP, ECN matches and targets.
+Harald Welte ¤¬ ULOG ¥¿¡¼¥²¥Ã¥È¤È¡¢
+TTL, DSCP, ECN ¤Î¥Þ¥Ã¥Á¡¦¥¿¡¼¥²¥Ã¥È¤ò½ñ¤¤¤¿¡£
+.PP
+.\"O The Netfilter Core Team is: Marc Boucher, Martin Josefsson, Jozsef Kadlecsik,
+.\"O James Morris, Harald Welte and Rusty Russell.
+Netfilter ¥³¥¢¥Á¡¼¥à¤Ï¡¢Marc Boucher, Martin Josefsson, Jozsef Kadlecsik,
+James Morris, Harald Welte, Rusty Russell ¤Ç¤¢¤ë¡£
+.PP
+.\"O Man page written by Herve Eychenne <rv@wallfire.org>.
+man ¥Ú¡¼¥¸¤Ï Herve Eychenne <rv@wallfire.org> ¤¬½ñ¤¤¤¿¡£
+.\" .. and did I mention that we are incredibly cool people?
+.\" .. sexy, too ..
+.\" .. witty, charming, powerful ..
+.\" .. and most of all, modest ..
+.\" .. ¤½¤·¤Æ¡¢ËÍÅù¤¬¤È¤Æ¤â¥¯¡¼¥ë¤ÊÅÛ¤é¤À¤È¸À¤Ã¤Æ¤ª¤¤¤Æ¤â¤¤¤¤¤«¤Ê¡©
+.\" .. ¥»¥¯¥·¡¼¤Ç ..
+.\" .. ¤È¤Æ¤â¥¦¥£¥Ã¥È¤ËÉÙ¤ó¤Ç¤¤¤Æ¡¢¥Á¥ã¡¼¥ß¥ó¥°¤Ç¡¢¥Ñ¥ï¥Õ¥ë¤Ç ..
+.\" .. ¤½¤·¤Æ¡¢¤ß¤ó¤Ê¸¬µõ¤Ê¤ó¤À ..
--- /dev/null
+Begin3
+Title: iptables - IP packet filter administration
+Version: 1.2.1a
+Entered-date: 06MAY01
+Description: Iptables is used to set up, maintain, and inspect
+ the tables of IP packet filter rules in the Linux
+ kernel. Several different tables may be defined.
+ Each table contains a number of built-in chains and
+ may also contain user-defined chains.
+Keywords: IP firewall packet filters masquerading NAT
+Author: Netfilter Core Team
+Maintained-by: Netfilter Core Team
+Primary-site: http://netfilter.filewatcher.org/
+ iptables-1.2.1a.tar.bz2
+Platforms: Requires Linux 2.4.0 or above
+Copying-policy: GPL
+End
--- /dev/null
+.TH IPQ_CREATE_HANDLE 3 "16 October 2001" "Linux iptables 1.2" "Linux Programmer's Manual"
+.\"
+\" $Id: ipq_create_handle.3,v 1.3 2001/11/24 15:09:20 jamesm Exp $
+.\"
+.\" Copyright (c) 2000-2001 Netfilter Core Team
+.\"
+.\" This program is free software; you can redistribute it and/or modify
+.\" it under the terms of the GNU General Public License as published by
+.\" the Free Software Foundation; either version 2 of the License, or
+.\" (at your option) any later version.
+.\"
+.\" This program is distributed in the hope that it will be useful,
+.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+.\" GNU General Public License for more details.
+.\"
+.\" You should have received a copy of the GNU General Public License
+.\" along with this program; if not, write to the Free Software
+.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+.\"
+.\"
+.SH NAME
+ipq_create_handle, ipq_destroy_handle - create and destroy libipq handles.
+.SH SYNOPSIS
+.B #include <linux/netfilter.h>
+.br
+.B #include <libipq.h>
+.sp
+.BI "struct ipq_handle *ipq_create_handle(u_int32_t " flags ", u_int32_t " protocol ");"
+.br
+.BI "int ipq_destroy_handle(struct ipq_handle *" h );
+.SH DESCRIPTION
+The
+.B ipq_create_handle
+function initialises libipq for an application, attempts to bind to the
+Netlink socket used by ip_queue, and returns an opaque context handle. It
+should be the first libipq function to be called by an application. The
+handle returned should be used in all subsequent library calls which
+require a handle parameter.
+.PP
+The
+.I flags
+parameter is not currently used and should be set to zero by the application
+for forward compatibility.
+.PP
+The
+.I protocol
+parameter is used to specify the protocol of the packets to be queued.
+Valid values are PF_INET for IPv4 and PF_INET6 for IPv6. Currently,
+only one protocol may be queued at a time for a handle.
+.PP
+The
+.B ipq_destroy_handle
+function frees up resources allocated by
+.BR ipq_create_handle ,
+and should be used when the handle is no longer required by the application.
+.SH RETURN VALUES
+On success,
+.B ipq_create_handle
+returns a pointer to a context handle.
+.br
+On failure, NULL is returned.
+.PP
+On success,
+.B ipq_destroy_handle
+returns zero.
+.br
+On failure, -1 is returned.
+.SH ERRORS
+On failure, a descriptive error message will be available
+via the
+.B ipq_errstr
+function.
+.SH BUGS
+None known.
+.SH AUTHOR
+James Morris <jmorris@intercode.com.au>
+.SH COPYRIGHT
+Copyright (c) 2000-2001 Netfilter Core Team.
+.PP
+Distributed under the GNU General Public License.
+.SH SEE ALSO
+.BR iptables (8),
+.BR libipq (3).
--- /dev/null
+.TH IPQ_ERRSTR 3 "16 October 2001" "Linux iptables 1.2" "Linux Programmer's Manual"
+.\"
+.\" $Id: ipq_errstr.3,v 1.2 2001/10/16 14:41:02 jamesm Exp $
+.\"
+.\" Copyright (c) 2000 Netfilter Core Team
+.\"
+.\" This program is free software; you can redistribute it and/or modify
+.\" it under the terms of the GNU General Public License as published by
+.\" the Free Software Foundation; either version 2 of the License, or
+.\" (at your option) any later version.
+.\"
+.\" This program is distributed in the hope that it will be useful,
+.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+.\" GNU General Public License for more details.
+.\"
+.\" You should have received a copy of the GNU General Public License
+.\" along with this program; if not, write to the Free Software
+.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+.\"
+.\"
+.SH NAME
+ipq_errstr, ipq_perror - libipq error handling routines
+.SH SYNOPSIS
+.B #include <linux/netfilter.h>
+.br
+.B #include <libipq.h>
+.sp
+.BI "char *ipq_errstr(" void );
+.br
+.BI "void ipq_perror(const char *" s );
+.SH DESCRIPTION
+The
+.B ipq_errstr
+function returns a descriptive error message based on the current
+value of the internal
+.B ipq_errno
+variable. All libipq API functions set this internal variable
+upon failure.
+.PP
+The
+.B ipq_perror
+function prints an error message to stderr corresponding to the
+current value of the internal
+.B ipq_error
+variable, and the global
+.B errno
+variable (if set). The error message is prefixed with the string
+.I s
+as supplied by the application. If
+.I s
+is NULL, the error message is prefixed with the string "ERROR".
+.SH RETURN VALUE
+.B ipq_errstr
+returns an error message as outlined above.
+.SH BUGS
+None known.
+.SH AUTHOR
+James Morris <jmorris@intercode.com.au>
+.SH COPYRIGHT
+Copyright (c) 2000-2001 Netfilter Core Team.
+.PP
+Distributed under the GNU General Public License.
+.SH SEE ALSO
+.BR iptables (8),
+.BR libipq (3).
--- /dev/null
+.TH IPQ_MESSAGE_TYPE 3 "16 October 2001" "Linux iptables 1.2" "Linux Programmer's Manual"
+.\"
+.\" $Id: ipq_message_type.3,v 1.2 2001/10/16 14:41:02 jamesm Exp $
+.\"
+.\" Copyright (c) 2000-2001 Netfilter Core Team
+.\"
+.\" This program is free software; you can redistribute it and/or modify
+.\" it under the terms of the GNU General Public License as published by
+.\" the Free Software Foundation; either version 2 of the License, or
+.\" (at your option) any later version.
+.\"
+.\" This program is distributed in the hope that it will be useful,
+.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+.\" GNU General Public License for more details.
+.\"
+.\" You should have received a copy of the GNU General Public License
+.\" along with this program; if not, write to the Free Software
+.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+.\"
+.\"
+.SH NAME
+ipq_message_type, ipq_get_packet, ipq_getmsgerr - query queue messages
+.SH SYNOPSIS
+.B #include <linux/netfilter.h>
+.br
+.B #include <libipq.h>
+.sp
+.BI "int ipq_message_type(const unsigned char *" buf ");"
+.br
+.BI "ipq_packet_msg_t *ipq_get_packet(const unsigned char *" buf ");"
+.br
+.BI "int ipq_get_msgerr(const unsigned char *" buf ");"
+.SH DESCRIPTION
+The
+.B ipq_message_type
+function returns the type of queue message returned to userspace
+via
+.BR ipq_read .
+.PP
+.B ipq_message_type
+should always be called following a successful call to
+.B ipq_read
+to determine whether the message is a packet message or an
+error message. The
+.I buf
+parameter should be the same data obtained from
+the previous call to
+.BR ipq_read .
+.PP
+.B ipq_message_type
+will return one of the following values:
+.TP
+.B NLMSG_ERROR
+An error message generated by the Netlink transport.
+.PP
+.TP
+.B IPQM_PACKET
+A packet message containing packet metadata and optional packet payload data.
+.PP
+The
+.B ipq_get_packet
+function should be called if
+.B ipq_message_type
+returns
+.BR IPQM_PACKET .
+The
+.I buf
+parameter should point to the same data used for the call to
+.BR ipq_message_type .
+The pointer returned by
+.B ipq_get_packet
+points to a packet message, which is declared as follows:
+.PP
+.RS
+.nf
+typedef struct ipq_packet_msg {
+ unsigned long packet_id; /* ID of queued packet */
+ unsigned long mark; /* Netfilter mark value */
+ long timestamp_sec; /* Packet arrival time (seconds) */
+ long timestamp_usec; /* Packet arrvial time (+useconds) */
+ unsigned int hook; /* Netfilter hook we rode in on */
+ char indev_name[IFNAMSIZ]; /* Name of incoming interface */
+ char outdev_name[IFNAMSIZ]; /* Name of outgoing interface */
+ unsigned short hw_protocol; /* Hardware protocol (network order) */
+ unsigned short hw_type; /* Hardware type */
+ unsigned char hw_addrlen; /* Hardware address length */
+ unsigned char hw_addr[8]; /* Hardware address */
+ size_t data_len; /* Length of packet data */
+ unsigned char payload[0]; /* Optional packet data */
+} ipq_packet_msg_t;
+.fi
+.RE
+.PP
+Each of these fields may be read by the application. If the queue mode
+is
+.B IPQ_COPY_PACKET
+and the
+.I data_len
+value is greater than zero, the packet payload contents may be accessed
+in the memory following the
+.B ipq_packet_msg_t
+structure to a range of
+.I data_len.
+.PP
+The
+.I packet_id
+field contains a packet identifier to be used when calling
+.BR ipq_set_verdict .
+.PP
+The
+.B ipq_get_msgerr
+function should be called if
+.B ipq_message_type
+returns
+.BR NLMSG_ERROR.
+The
+.I buf
+parameter should point to the same data used for the call to
+.BR ipq_message_type .
+The value returned by
+.B ipq_get_msgerr
+is set by higher level kernel code and corresponds to standard
+.B errno
+values.
+.SH BUGS
+None known.
+.SH AUTHOR
+James Morris <jmorris@intercode.com.au>
+.SH COPYRIGHT
+Copyright (c) 2000-2001 Netfilter Core Team.
+.PP
+Distributed under the GNU General Public License.
+.SH SEE ALSO
+.BR iptables (8),
+.BR libipq (3).
--- /dev/null
+.TH IPQ_READ 3 "16 October 2001" "Linux iptables 1.2" "Linux Programmer's Manual"
+.\"
+.\" $Id: ipq_read.3,v 1.3 2001/10/16 16:58:25 jamesm Exp $
+.\"
+.\" Copyright (c) 2000-2001 Netfilter Core Team
+.\"
+.\" This program is free software; you can redistribute it and/or modify
+.\" it under the terms of the GNU General Public License as published by
+.\" the Free Software Foundation; either version 2 of the License, or
+.\" (at your option) any later version.
+.\"
+.\" This program is distributed in the hope that it will be useful,
+.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+.\" GNU General Public License for more details.
+.\"
+.\" You should have received a copy of the GNU General Public License
+.\" along with this program; if not, write to the Free Software
+.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+.\"
+.\"
+.SH NAME
+ipq_read - read queue messages from ip_queue and read into supplied buffer
+.SH SYNOPSIS
+.B #include <linux/netfilter.h>
+.br
+.B #include <libipq.h>
+.sp
+.BI "ssize_t ipq_read(const struct ipq_handle *" h ", unsigned char *" buf ", size_t " len ", int " timeout ");"
+.SH DESCRIPTION
+The
+.B ipq_read
+function reads a queue message from the kernel and copies it to
+the memory pointed to by
+.I buf
+to a maximum length of
+. IR len .
+.PP
+The
+.I h
+parameter is a context handle which must previously have been returned
+successfully from a call to
+.BR ipq_create_handle .
+.PP
+The caller is responsible for ensuring that the memory pointed to by
+.I buf
+is large enough to contain
+.I len
+bytes.
+.PP
+The
+.I timeout
+parameter may be used to set a timeout for the operation, specified in microseconds.
+This is implemented internally by the library via the
+.BR select
+system call. A value of zero provides normal, backwards-compatible blocking behaviour
+with no timeout. A negative value causes the function to return immediately.
+.PP
+Data returned via
+.I buf
+should not be accessed directly. Use the
+.BR ipq_message_type ,
+.BR ipq_get_packet ", and"
+.BR ipq_get_msgerr
+functions to access the queue message in the buffer.
+.SH RETURN VALUE
+On failure, -1 is returned.
+.br
+On success, a non-zero positive value is returned when no timeout
+value is specified.
+.br
+On success with a timeout value specified, zero is returned if no data
+was available to read, or if a non-blocked signal was caught. In the
+latter case, the global
+.B errno
+value will be set to
+.BR EINTR .
+.SH ERRORS
+On error, a descriptive error message will be available
+via the
+.B ipq_errstr
+function.
+.SH DIAGNOSTICS
+While the
+.B ipq_read
+function may return successfully, the queue message copied to the buffer
+may itself be an error message from a higher level kernel component. Use
+.B ipq_message_type
+to determine if it is an error message, and
+.B ipq_get_msgerr
+to access the value of the message.
+.SH BUGS
+None known.
+.SH AUTHOR
+James Morris <jmorris@intercode.com.au>
+.SH COPYRIGHT
+Copyright (c) 2000-2001 Netfilter Core Team.
+.PP
+Distributed under the GNU General Public License.
+.SH CREDITS
+Joost Remijn implemented the timeout feature, which appeared in the 1.2.4 release of iptables.
+.SH SEE ALSO
+.BR iptables (8),
+.BR libipq (3),
+.BR select (2).
+
--- /dev/null
+.TH IPQ_SET_MODE 3 "16 October 2001" "Linux iptables 1.2" "Linux Programmer's Manual"
+.\"
+.\" $Id: ipq_set_mode.3,v 1.2 2001/10/16 14:41:02 jamesm Exp $
+.\"
+.\" Copyright (c) 2000-2001 Netfilter Core Team
+.\"
+.\" This program is free software; you can redistribute it and/or modify
+.\" it under the terms of the GNU General Public License as published by
+.\" the Free Software Foundation; either version 2 of the License, or
+.\" (at your option) any later version.
+.\"
+.\" This program is distributed in the hope that it will be useful,
+.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+.\" GNU General Public License for more details.
+.\"
+.\" You should have received a copy of the GNU General Public License
+.\" along with this program; if not, write to the Free Software
+.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+.\"
+.\"
+.SH NAME
+ipq_set_mode - set the ip_queue queuing mode
+.SH SYNOPSIS
+.B #include <linux/netfilter.h>
+.br
+.B #include <libipq.h>
+.sp
+.BI "int ipq_set_mode(const struct ipq_handle *" h ", u_int8_t " mode ", size_t " range );
+.SH DESCRIPTION
+The
+.B ipq_set_mode
+function sends a message to the kernel ip_queue module, specifying whether
+packet metadata only, or packet payloads as well as metadata should be copied to
+userspace.
+.PP
+The
+.I h
+parameter is a context handle which must previously have been returned
+successfully from a call to
+.BR ipq_create_handle .
+.PP
+The
+.I mode
+parameter must be one of:
+.TP
+.B IPQ_COPY_META
+Copy only packet metadata to userspace.
+.TP
+.B IPQ_COPY_PACKET
+Copy packet metadata and packet payloads to userspace.
+.PP
+The
+.I range
+parameter is used to specify how many bytes of the payload to copy
+to userspace. It is only valid for
+.B IPQ_COPY_PACKET
+mode and is otherwise ignored. The maximum useful value for
+.I range
+is 65535 (greater values will be clamped to this by ip_queue).
+.PP
+.B ipq_set_mode
+is usually used immediately following
+.B ipq_create_handle
+to enable the flow of packets to userspace.
+.PP
+Note that as the underlying Netlink messaging transport is connectionless,
+the ip_queue module does not know that a userspace application is ready to
+communicate until it receives a message such as this.
+.SH RETURN VALUE
+On failure, -1 is returned.
+.br
+On success, a non-zero positive value is returned.
+.SH ERRORS
+On failure, a descriptive error message will be available
+via the
+.B ipq_errstr
+function.
+.SH DIAGNOSTICS
+A relatively common failure may occur if the ip_queue module is not loaded.
+In this case, the following code excerpt:
+.PP
+.RS
+.nf
+status = ipq_set_mode(h, IPQ_COPY_META, 0);
+if (status < 0) {
+ ipq_perror("myapp");
+ ipq_destroy_handle(h);
+ exit(1);
+}
+.RE
+.fi
+.PP
+would generate the following output:
+.PP
+.I myapp: Failed to send netlink message: Connection refused
+.SH BUGS
+None known.
+.SH AUTHOR
+James Morris <jmorris@intercode.com.au>
+.SH COPYRIGHT
+Copyright (c) 2000-2001 Netfilter Core Team.
+.PP
+Distributed under the GNU General Public License.
+.SH SEE ALSO
+.BR libipq (3),
+.BR iptables (8).
--- /dev/null
+.TH IPQ_SET_VERDICT 3 "16 October 2001" "Linux iptables 1.2" "Linux Programmer's Manual"
+.\"
+.\" $Id: ipq_set_verdict.3,v 1.2 2001/10/16 14:41:02 jamesm Exp $
+.\"
+.\" Copyright (c) 2000-2001 Netfilter Core Team
+.\"
+.\" This program is free software; you can redistribute it and/or modify
+.\" it under the terms of the GNU General Public License as published by
+.\" the Free Software Foundation; either version 2 of the License, or
+.\" (at your option) any later version.
+.\"
+.\" This program is distributed in the hope that it will be useful,
+.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+.\" GNU General Public License for more details.
+.\"
+.\" You should have received a copy of the GNU General Public License
+.\" along with this program; if not, write to the Free Software
+.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+.\"
+.\"
+.SH NAME
+ipq_set_verdict - issue verdict and optionally modified packet to kernel
+.SH SYNOPSIS
+.B #include <linux/netfilter.h>
+.br
+.B #include <libipq.h>
+.sp
+.BI "int ipq_set_verdict(const struct ipq_handle *" h ", ipq_id_t " id ", unsigned int " verdict ", size_t " data_len ", unsigned char *" buf ");"
+.SH DESCRIPTION
+The
+.B ipq_set_verdict
+function issues a verdict on a packet previously obtained with
+.BR ipq_read ,
+specifing the intended disposition of the packet, and optionally
+supplying a modified version of the payload data.
+.PP
+The
+.I h
+parameter is a context handle which must previously have been returned
+successfully from a call to
+.BR ipq_create_handle .
+.PP
+The
+.I id
+parameter is the packet identifier obtained via
+.BR ipq_get_packet .
+.PP
+The
+.I verdict
+parameter must be one of:
+.TP
+.B NF_ACCEPT
+Accept the packet and continue traversal within the kernel.
+.br
+.TP
+.B NF_DROP
+Drop the packet.
+.PP
+The
+.I data_len
+parameter is the length of the data pointed to
+by
+.IR buf ,
+the optional replacement payload data.
+.PP
+If simply setting a verdict without modifying the payload data, use zero
+for
+.I data_len
+and NULL for
+.IR buf .
+.PP
+The application is responsible for recalculating any packet checksums
+when modifying packets.
+.SH RETURN VALUE
+On failure, -1 is returned.
+.br
+On success, a non-zero positive value is returned.
+.SH ERRORS
+On error, a descriptive error message will be available
+via the
+.B ipq_errstr
+function.
+.SH BUGS
+None known.
+.SH AUTHOR
+James Morris <jmorris@intercode.com.au>
+.SH COPYRIGHT
+Copyright (c) 2000-2001 Netfilter Core Team.
+.PP
+Distributed under the GNU General Public License.
+.SH SEE ALSO
+.BR iptables (8),
+.BR libipq (3).
+
--- /dev/null
+.TH LIBIPQ 3 "16 October 2001" "Linux iptables 1.2" "Linux Programmer's Manual"
+.\"
+.\" $Id: libipq.3,v 1.5 2001/11/24 15:09:20 jamesm Exp $
+.\"
+.\" Copyright (c) 2000-2001 Netfilter Core Team
+.\"
+.\" This program is free software; you can redistribute it and/or modify
+.\" it under the terms of the GNU General Public License as published by
+.\" the Free Software Foundation; either version 2 of the License, or
+.\" (at your option) any later version.
+.\"
+.\" This program is distributed in the hope that it will be useful,
+.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+.\" GNU General Public License for more details.
+.\"
+.\" You should have received a copy of the GNU General Public License
+.\" along with this program; if not, write to the Free Software
+.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+.\"
+.\"
+.SH NAME
+libipq \- iptables userspace packet queuing library.
+.SH SYNOPSIS
+.B #include <linux/netfilter.h>
+.br
+.B #include <libipq.h>
+.SH DESCRIPTION
+libipq is a development library for iptables userspace packet queuing.
+.SS Userspace Packet Queuing
+Netfilter provides a mechanism for passing packets out of the stack for
+queueing to userspace, then receiving these packets back into the kernel
+with a verdict specifying what to do with the packets (such as ACCEPT
+or DROP). These packets may also be modified in userspace prior to
+reinjection back into the kernel.
+.PP
+For each supported protocol, a kernel module called a
+.I queue handler
+may register with Netfilter to perform the mechanics of passing
+packets to and from userspace.
+.PP
+The standard queue handler for IPv4 is ip_queue. It is provided as an
+experimental module with 2.4 kernels, and uses a Netlink socket for
+kernel/userspace communication.
+.PP
+Once ip_queue is loaded, IP packets may be selected with iptables
+and queued for userspace processing via the QUEUE target. For example,
+running the following commands:
+.PP
+ # modprobe iptable_filter
+.br
+ # modprobe ip_queue
+.br
+ # iptables -A OUTPUT -p icmp -j QUEUE
+.PP
+will cause any locally generated ICMP packets (e.g. ping output) to
+be sent to the ip_queue module, which will then attempt to deliver the
+packets to a userspace application. If no userspace application is waiting,
+the packets will be dropped
+.PP
+An application may receive and process these packets via libipq.
+.PP
+.PP
+.SS Libipq Overview
+Libipq provides an API for communicating with ip_queue. The following is
+an overview of API usage, refer to individual man pages for more details
+on each function.
+.PP
+.B Initialisation
+.br
+To initialise the library, call
+.BR ipq_create_handle (3).
+This will attempt to bind to the Netlink socket used by ip_queue and
+return an opaque context handle for subsequent library calls.
+.PP
+.B Setting the Queue Mode
+.br
+.BR ipq_set_mode (3)
+allows the application to specify whether packet metadata, or packet
+payloads as well as metadata are copied to userspace. It is also used to
+initially notify ip_queue that an application is ready to receive queue
+messages.
+.PP
+.B Receiving Packets from the Queue
+.br
+.BR ipq_read (3)
+waits for queue messages to arrive from ip_queue and copies
+them into a supplied buffer.
+Queue messages may be
+.I packet messages
+or
+.I error messages.
+.PP
+The type of packet may be determined with
+.BR ipq_message_type (3).
+.PP
+If it's a packet message, the metadata and optional payload may be retrieved with
+.BR ipq_get_packet (3).
+.PP
+To retrieve the value of an error message, use
+.BR ipq_get_msgerr (3).
+.PP
+.B Issuing Verdicts on Packets
+.br
+To issue a verdict on a packet, and optionally return a modified version
+of the packet to the kernel, call
+.BR ipq_set_verdict (3).
+.PP
+.B Error Handling
+.br
+An error string corresponding to the current value of the internal error
+variable
+.B ipq_errno
+may be obtained with
+.BR ipq_errstr (3).
+.PP
+For simple applications, calling
+.BR ipq_perror (3)
+will print the same message as
+.BR ipq_errstr (3),
+as well as the string corresponding to the global
+.B errno
+value (if set) to stderr.
+.PP
+.B Cleaning Up
+.br
+To free up the Netlink socket and destroy resources associated with
+the context handle, call
+.BR ipq_destroy_handle (3).
+.SH SUMMARY
+.TP 4
+.BR ipq_create_handle (3)
+Initialise library, return context handle.
+.TP
+.BR ipq_set_mode (3)
+Set the queue mode, to copy either packet metadata, or payloads
+as well as metadata to userspace.
+.TP
+.BR ipq_read (3)
+Wait for a queue message to arrive from ip_queue and read it into
+a buffer.
+.TP
+.BR ipq_message_type (3)
+Determine message type in the buffer.
+.TP
+.BR ipq_get_packet (3)
+Retrieve a packet message from the buffer.
+.TP
+.BR ipq_get_msgerr (3)
+Retrieve an error message from the buffer.
+.TP
+.BR ipq_set_verdict (3)
+Set a verdict on a packet, optionally replacing its contents.
+.TP
+.BR ipq_errstr (3)
+Return an error message corresponding to the internal ipq_errno variable.
+.TP
+.BR ipq_perror (3)
+Helper function to print error messages to stderr.
+.TP
+.BR ipq_destroy_handle (3)
+Destroy context handle and associated resources.
+.SH EXAMPLE
+The following is an example of a simple application which receives
+packets and issues NF_ACCEPT verdicts on each packet.
+.RS
+.nf
+/*
+ * This code is GPL.
+ */
+#include <linux/netfilter.h>
+#include <libipq.h>
+#include <stdio.h>
+
+#define BUFSIZE 2048
+
+static void die(struct ipq_handle *h)
+{
+ ipq_perror("passer");
+ ipq_destroy_handle(h);
+ exit(1);
+}
+
+int main(int argc, char **argv)
+{
+ int status;
+ unsigned char buf[BUFSIZE];
+ struct ipq_handle *h;
+
+ h = ipq_create_handle(0, PF_INET);
+ if (!h)
+ die(h);
+
+ status = ipq_set_mode(h, IPQ_COPY_PACKET, BUFSIZE);
+ if (status < 0)
+ die(h);
+
+ do{
+ status = ipq_read(h, buf, BUFSIZE, 0);
+ if (status < 0)
+ die(h);
+
+ switch (ipq_message_type(buf)) {
+ case NLMSG_ERROR:
+ fprintf(stderr, "Received error message %d\\n",
+ ipq_get_msgerr(buf));
+ break;
+
+ case IPQM_PACKET: {
+ ipq_packet_msg_t *m = ipq_get_packet(buf);
+
+ status = ipq_set_verdict(h, m->packet_id,
+ NF_ACCEPT, 0, NULL);
+ if (status < 0)
+ die(h);
+ break;
+ }
+
+ default:
+ fprintf(stderr, "Unknown message type!\\n");
+ break;
+ }
+ } while (1);
+
+ ipq_destroy_handle(h);
+ return 0;
+}
+.RE
+.fi
+.PP
+Pointers to more libipq application examples may be found in The
+Netfilter FAQ.
+.SH DIAGNOSTICS
+For information about monitoring and tuning ip_queue, refer to the
+Linux 2.4 Packet Filtering HOWTO.
+.PP
+If an application modifies a packet, it needs to also update any
+checksums for the packet. Typically, the kernel will silently discard
+modified packets with invalid checksums.
+.SH SECURITY
+Processes require CAP_NET_ADMIN capabilty to access the kernel ip_queue
+module. Such processes can potentially access and modify any IP packets
+received, generated or forwarded by the kernel.
+.SH TODO
+Per-handle
+.B ipq_errno
+values.
+.SH BUGS
+Probably.
+.SH AUTHOR
+James Morris <jmorris@intercode.com.au>
+.SH COPYRIGHT
+Copyright (c) 2000-2001 Netfilter Core Team.
+.PP
+Distributed under the GNU General Public License.
+.SH CREDITS
+Joost Remijn implemented the
+.B ipq_read
+timeout feature, which appeared in the 1.2.4 release of iptables.
+.PP
+Fernando Anton added support for IPv6.
+.SH SEE ALSO
+.BR iptables (8),
+.BR ipq_create_handle (3),
+.BR ipq_destroy_handle (3),
+.BR ipq_errstr (3),
+.BR ipq_get_msgerr (3),
+.BR ipq_get_packet (3),
+.BR ipq_message_type (3),
+.BR ipq_perror (3),
+.BR ipq_read (3),
+.BR ipq_set_mode (3),
+.BR ipq_set_verdict (3).
+.PP
+The Netfilter home page at http://netfilter.samba.org/
+which has links to The Networking Concepts HOWTO, The Linux 2.4 Packet
+Filtering HOWTO, The Linux 2.4 NAT HOWTO, The Netfilter Hacking HOWTO,
+The Netfilter FAQ and many other useful resources.
+
--- /dev/null
+.TH IP6TABLES-RESTORE 8 "Jan 30, 2002" "" ""
+.\"
+.\" Man page written by Harald Welte <laforge@gnumonks.org>
+.\" It is based on the iptables man page.
+.\"
+.\" This program is free software; you can redistribute it and/or modify
+.\" it under the terms of the GNU General Public License as published by
+.\" the Free Software Foundation; either version 2 of the License, or
+.\" (at your option) any later version.
+.\"
+.\" This program is distributed in the hope that it will be useful,
+.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+.\" GNU General Public License for more details.
+.\"
+.\" You should have received a copy of the GNU General Public License
+.\" along with this program; if not, write to the Free Software
+.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+.\"
+.\"
+.SH NAME
+ip6tables-restore \- Restore IPv6 Tables
+.SH SYNOPSIS
+.BR "ip6tables-restore " "[-c] [-n]"
+.br
+.SH DESCRIPTION
+.PP
+.B ip6tables-restore
+is used to restore IPv6 Tables from data specified on STDIN. Use
+I/O redirection provided by your shell to read from a file
+.TP
+\fB\-c\fR, \fB\-\-counters\fR
+restore the values of all packet and byte counters
+.TP
+\fB\-n\fR, \fB\-\-noflush\fR
+.TP
+don't flush the previous contents of the table. If not specified,
+.B ip6tables-restore
+flushes (deletes) all previous contents of the respective IPv6 Table.
+.SH BUGS
+None known as of iptables-1.2.1 release
+.SH AUTHORS
+Harald Welte <laforge@gnumonks.org>
+.br
+Andras Kis-Szabo <kisza@sch.bme.hu>
+.SH SEE ALSO
+.BR ip6tables-save "(8), " ip6tables "(8) "
+.PP
+The iptables-HOWTO, which details more iptables usage, the NAT-HOWTO,
+which details NAT, and the netfilter-hacking-HOWTO which details the
+internals.
--- /dev/null
+.TH IP6TABLES-SAVE 8 "Jan 30, 2002" "" ""
+.\"
+.\" Man page written by Harald Welte <laforge@gnumonks.org>
+.\" It is based on the iptables man page.
+.\"
+.\" This program is free software; you can redistribute it and/or modify
+.\" it under the terms of the GNU General Public License as published by
+.\" the Free Software Foundation; either version 2 of the License, or
+.\" (at your option) any later version.
+.\"
+.\" This program is distributed in the hope that it will be useful,
+.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+.\" GNU General Public License for more details.
+.\"
+.\" You should have received a copy of the GNU General Public License
+.\" along with this program; if not, write to the Free Software
+.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+.\"
+.\"
+.SH NAME
+ip6tables-save \- Save IPv6 Tables
+.SH SYNOPSIS
+.BR "ip6tables-save " "[-c] [-t table]"
+.br
+.SH DESCRIPTION
+.PP
+.B ip6tables-save
+is used to dump the contents of an IPv6 Table in easily parseable format
+to STDOUT. Use I/O-redirection provided by your shell to write to a file.
+.TP
+\fB\-c\fR, \fB\-\-counters\fR
+include the current values of all packet and byte counters in the output
+.TP
+\fB\-t\fR, \fB\-\-table\fR \fBtablename\fR
+.TP
+restrict output to only one table. If not specified, output includes all
+available tables.
+.SH BUGS
+None known as of iptables-1.2.1 release
+.SH AUTHORS
+Harald Welte <laforge@gnumonks.org>
+.br
+Andras Kis-Szabo <kisza@sch.bme.hu>
+.SH SEE ALSO
+.BR ip6tables-restore "(8), " ip6tables "(8) "
+.PP
+The iptables-HOWTO, which details more iptables usage, the NAT-HOWTO,
+which details NAT, and the netfilter-hacking-HOWTO which details the
+internals.
--- /dev/null
+.TH IP6TABLES 8 "Mar 09, 2002" "" ""
+.\"
+.\" Man page written by Andras Kis-Szabo <kisza@sch.bme.hu>
+.\" It is based on iptables man page.
+.\"
+.\" iptables page by Herve Eychenne <rv@wallfire.org>
+.\" It is based on ipchains man page.
+.\"
+.\" ipchains page by Paul ``Rusty'' Russell March 1997
+.\" Based on the original ipfwadm man page by Jos Vos <jos@xos.nl>
+.\"
+.\" This program is free software; you can redistribute it and/or modify
+.\" it under the terms of the GNU General Public License as published by
+.\" the Free Software Foundation; either version 2 of the License, or
+.\" (at your option) any later version.
+.\"
+.\" This program is distributed in the hope that it will be useful,
+.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+.\" GNU General Public License for more details.
+.\"
+.\" You should have received a copy of the GNU General Public License
+.\" along with this program; if not, write to the Free Software
+.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+.\"
+.\"
+.SH NAME
+ip6tables \- IPv6 packet filter administration
+.SH SYNOPSIS
+.BR "ip6tables [-t table] -[AD] " "chain rule-specification [options]"
+.br
+.BR "ip6tables [-t table] -I " "chain [rulenum] rule-specification [options]"
+.br
+.BR "ip6tables [-t table] -R " "chain rulenum rule-specification [options]"
+.br
+.BR "ip6tables [-t table] -D " "chain rulenum [options]"
+.br
+.BR "ip6tables [-t table] -[LFZ] " "[chain] [options]"
+.br
+.BR "ip6tables [-t table] -N " "chain"
+.br
+.BR "ip6tables [-t table] -X " "[chain]"
+.br
+.BR "ip6tables [-t table] -P " "chain target [options]"
+.br
+.BR "ip6tables [-t table] -E " "old-chain-name new-chain-name"
+.SH DESCRIPTION
+.B Ip6tables
+is used to set up, maintain, and inspect the tables of IPv6 packet
+filter rules in the Linux kernel. Several different tables
+may be defined. Each table contains a number of built-in
+chains and may also contain user-defined chains.
+
+Each chain is a list of rules which can match a set of packets. Each
+rule specifies what to do with a packet that matches. This is called
+a `target', which may be a jump to a user-defined chain in the same
+table.
+
+.SH TARGETS
+A firewall rule specifies criteria for a packet, and a target. If the
+packet does not match, the next rule in the chain is the examined; if
+it does match, then the next rule is specified by the value of the
+target, which can be the name of a user-defined chain or one of the
+special values
+.IR ACCEPT ,
+.IR DROP ,
+.IR QUEUE ,
+or
+.IR RETURN .
+.PP
+.I ACCEPT
+means to let the packet through.
+.I DROP
+means to drop the packet on the floor.
+.I QUEUE
+means to pass the packet to userspace (if supported by the kernel).
+.I RETURN
+means stop traversing this chain and resume at the next rule in the
+previous (calling) chain. If the end of a built-in chain is reached
+or a rule in a built-in chain with target
+.I RETURN
+is matched, the target specified by the chain policy determines the
+fate of the packet.
+.SH TABLES
+There are currently two independent tables (which tables are present
+at any time depends on the kernel configuration options and which
+modules are present), as nat table has not been implemented yet.
+.TP
+.BI "-t, --table " "table"
+This option specifies the packet matching table which the command
+should operate on. If the kernel is configured with automatic module
+loading, an attempt will be made to load the appropriate module for
+that table if it is not already there.
+
+The tables are as follows:
+.RS
+.TP .4i
+.BR "filter" :
+This is the default table (if no -t option is passed). It contains
+the built-in chains
+.B INPUT
+(for packets coming into the box itself),
+.B FORWARD
+(for packets being routed through the box), and
+.B OUTPUT
+(for locally-generated packets).
+.TP
+.BR "mangle" :
+This table is used for specialized packet alteration. Until kernel
+2.4.17 it had two built-in chains:
+.B PREROUTING
+(for altering incoming packets before routing) and
+.B OUTPUT
+(for altering locally-generated packets before routing).
+Since kernel 2.4.18, three other built-in chains are also supported:
+.B INPUT
+(for packets coming into the box itself),
+.B FORWARD
+(for altering packets being routed through the box), and
+.B POSTROUTING
+(for altering packets as they are about to go out).
+.RE
+.SH OPTIONS
+The options that are recognized by
+.B ip6tables
+can be divided into several different groups.
+.SS COMMANDS
+These options specify the specific action to perform. Only one of them
+can be specified on the command line unless otherwise specified
+below. For all the long versions of the command and option names, you
+need to use only enough letters to ensure that
+.B ip6tables
+can differentiate it from all other options.
+.TP
+.BI "-A, --append " "chain rule-specification"
+Append one or more rules to the end of the selected chain.
+When the source and/or destination names resolve to more than one
+address, a rule will be added for each possible address combination.
+.TP
+.BI "-D, --delete " "chain rule-specification"
+.ns
+.TP
+.BI "-D, --delete " "chain rulenum"
+Delete one or more rules from the selected chain. There are two
+versions of this command: the rule can be specified as a number in the
+chain (starting at 1 for the first rule) or a rule to match.
+.TP
+.B "-I, --insert"
+Insert one or more rules in the selected chain as the given rule
+number. So, if the rule number is 1, the rule or rules are inserted
+at the head of the chain. This is also the default if no rule number
+is specified.
+.TP
+.BI "-R, --replace " "chain rulenum rule-specification"
+Replace a rule in the selected chain. If the source and/or
+destination names resolve to multiple addresses, the command will
+fail. Rules are numbered starting at 1.
+.TP
+.BR "-L, --list " "[\fIchain\fP]"
+List all rules in the selected chain. If no chain is selected, all
+chains are listed. As every other iptables command, it applies to the
+specified table (filter is the default), so mangle rules get listed by
+.nf
+ ip6tables -t mangle -n -L
+.fi
+Please note that it is often used with the
+.B -n
+option, in order to avoid long reverse DNS lookups.
+It is legal to specify the
+.B -Z
+(zero) option as well, in which case the chain(s) will be atomically
+listed and zeroed. The exact output is affected by the other
+arguments given. The exact rules are suppressed until you use
+.nf
+ ip6tables -L -v
+.fi
+.TP
+.BR "-F, --flush " "[\fIchain\fP]"
+Flush the selected chain (all the chains in the table if none is given).
+This is equivalent to deleting all the rules one by one.
+.TP
+.BR "-Z, --zero " "[\fIchain\fP]"
+Zero the packet and byte counters in all chains. It is legal to
+specify the
+.B "-L, --list"
+(list) option as well, to see the counters immediately before they are
+cleared. (See above.)
+.TP
+.BI "-N, --new-chain " "chain"
+Create a new user-defined chain by the given name. There must be no
+target of that name already.
+.TP
+.BR "-X, --delete-chain " "[\fIchain\fP]"
+Delete the optional user-defined chain specified. There must be no references
+to the chain. If there are, you must delete or replace the referring
+rules before the chain can be deleted. If no argument is given, it
+will attempt to delete every non-builtin chain in the table.
+.TP
+.BI "-P, --policy " "chain target"
+Set the policy for the chain to the given target. See the section
+.B TARGETS
+for the legal targets. Only built-in (non-user-defined) chains can have
+policies, and neither built-in nor user-defined chains can be policy
+targets.
+.TP
+.BI "-E, --rename-chain " "old-chain new-chain"
+Rename the user specified chain to the user supplied name. This is
+cosmetic, and has no effect on the structure of the table.
+.TP
+.B -h
+Help.
+Give a (currently very brief) description of the command syntax.
+.SS PARAMETERS
+The following parameters make up a rule specification (as used in the
+add, delete, insert, replace and append commands).
+.TP
+.BR "-p, --protocol " "[!] \fIprotocol\fP"
+The protocol of the rule or of the packet to check.
+The specified protocol can be one of
+.IR tcp ,
+.IR udp ,
+.IR ipv6-icmp|icmpv6 ,
+or
+.IR all ,
+or it can be a numeric value, representing one of these protocols or a
+different one. A protocol name from /etc/protocols is also allowed.
+A "!" argument before the protocol inverts the
+test. The number zero is equivalent to
+.IR all .
+Protocol
+.I all
+will match with all protocols and is taken as default when this
+option is omitted.
+.TP
+.BR "-s, --source " "[!] \fIaddress\fP[/\fImask\fP]"
+Source specification.
+.I Address
+can be either a hostname (please note that specifying
+any name to be resolved with a remote query such as DNS is a really bad idea),
+a network IPv6 address (with /mask), or a plain IPv6 address.
+(the network name isn't supported now).
+The
+.I mask
+can be either a network mask or a plain number,
+specifying the number of 1's at the left side of the network mask.
+Thus, a mask of
+.I 64
+is equivalent to
+.IR ffff:ffff:ffff:ffff:0000:0000:0000:0000 .
+A "!" argument before the address specification inverts the sense of
+the address. The flag
+.B --src
+is an alias for this option.
+.TP
+.BR "-d, --destination " "[!] \fIaddress\fP[/\fImask\fP]"
+Destination specification.
+See the description of the
+.B -s
+(source) flag for a detailed description of the syntax. The flag
+.B --dst
+is an alias for this option.
+.TP
+.BI "-j, --jump " "target"
+This specifies the target of the rule; i.e., what to do if the packet
+matches it. The target can be a user-defined chain (other than the
+one this rule is in), one of the special builtin targets which decide
+the fate of the packet immediately, or an extension (see
+.B EXTENSIONS
+below). If this
+option is omitted in a rule, then matching the rule will have no
+effect on the packet's fate, but the counters on the rule will be
+incremented.
+.TP
+.BR "-i, --in-interface " "[!] \fIname\fP"
+Name of an interface via which a packet is going to be received (only for
+packets entering the
+.BR INPUT ,
+.B FORWARD
+and
+.B PREROUTING
+chains). When the "!" argument is used before the interface name, the
+sense is inverted. If the interface name ends in a "+", then any
+interface which begins with this name will match. If this option is
+omitted, any interface name will match.
+.TP
+.BR "-o, --out-interface " "[!] \fIname\fP"
+Name of an interface via which a packet is going to be sent (for packets
+entering the
+.BR FORWARD
+and
+.B OUTPUT
+chains). When the "!" argument is used before the interface name, the
+sense is inverted. If the interface name ends in a "+", then any
+interface which begins with this name will match. If this option is
+omitted, any interface name will match.
+.TP
+.\" Currently not supported (header-based)
+.\"
+.\" .B "[!] " "-f, --fragment"
+.\" This means that the rule only refers to second and further fragments
+.\" of fragmented packets. Since there is no way to tell the source or
+.\" destination ports of such a packet (or ICMP type), such a packet will
+.\" not match any rules which specify them. When the "!" argument
+.\" precedes the "-f" flag, the rule will only match head fragments, or
+.\" unfragmented packets.
+.\" .TP
+.B "-c, --set-counters " "PKTS BYTES"
+This enables the administrator to initialize the packet and byte
+counters of a rule (during
+.B INSERT,
+.B APPEND,
+.B REPLACE
+operations).
+.SS "OTHER OPTIONS"
+The following additional options can be specified:
+.TP
+.B "-v, --verbose"
+Verbose output. This option makes the list command show the interface
+name, the rule options (if any), and the TOS masks. The packet and
+byte counters are also listed, with the suffix 'K', 'M' or 'G' for
+1000, 1,000,000 and 1,000,000,000 multipliers respectively (but see
+the
+.B -x
+flag to change this).
+For appending, insertion, deletion and replacement, this causes
+detailed information on the rule or rules to be printed.
+.TP
+.B "-n, --numeric"
+Numeric output.
+IP addresses and port numbers will be printed in numeric format.
+By default, the program will try to display them as host names,
+network names, or services (whenever applicable).
+.TP
+.B "-x, --exact"
+Expand numbers.
+Display the exact value of the packet and byte counters,
+instead of only the rounded number in K's (multiples of 1000)
+M's (multiples of 1000K) or G's (multiples of 1000M). This option is
+only relevant for the
+.B -L
+command.
+.TP
+.B "--line-numbers"
+When listing rules, add line numbers to the beginning of each rule,
+corresponding to that rule's position in the chain.
+.TP
+.B "--modprobe=command"
+When adding or inserting rules into a chain, use
+.B command
+to load any necessary modules (targets, match extensions, etc).
+.SH MATCH EXTENSIONS
+ip6tables can use extended packet matching modules. These are loaded
+in two ways: implicitly, when
+.B -p
+or
+.B --protocol
+is specified, or with the
+.B -m
+or
+.B --match
+options, followed by the matching module name; after these, various
+extra command line options become available, depending on the specific
+module. You can specify multiple extended match modules in one line,
+and you can use the
+.B -h
+or
+.B --help
+options after the module has been specified to receive help specific
+to that module.
+
+The following are included in the base package, and most of these can
+be preceded by a
+.B !
+to invert the sense of the match.
+.SS tcp
+These extensions are loaded if `--protocol tcp' is specified. It
+provides the following options:
+.TP
+.BR "--source-port " "[!] \fIport\fP[:\fIport\fP]"
+Source port or port range specification. This can either be a service
+name or a port number. An inclusive range can also be specified,
+using the format
+.IR port : port .
+If the first port is omitted, "0" is assumed; if the last is omitted,
+"65535" is assumed.
+If the second port greater then the first they will be swapped.
+The flag
+.B --sport
+is a convenient alias for this option.
+.TP
+.BR "--destination-port " "[!] \fIport\fP[:\fIport\fP]"
+Destination port or port range specification. The flag
+.B --dport
+is a convenient alias for this option.
+.TP
+.BR "--tcp-flags " "[!] \fImask\fP \fIcomp\fP"
+Match when the TCP flags are as specified. The first argument is the
+flags which we should examine, written as a comma-separated list, and
+the second argument is a comma-separated list of flags which must be
+set. Flags are:
+.BR "SYN ACK FIN RST URG PSH ALL NONE" .
+Hence the command
+.nf
+ ip6tables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN
+.fi
+will only match packets with the SYN flag set, and the ACK, FIN and
+RST flags unset.
+.TP
+.B "[!] --syn"
+Only match TCP packets with the SYN bit set and the ACK and RST bits
+cleared. Such packets are used to request TCP connection initiation;
+for example, blocking such packets coming in an interface will prevent
+incoming TCP connections, but outgoing TCP connections will be
+unaffected.
+It is equivalent to \fB--tcp-flags SYN,RST,ACK SYN\fP.
+If the "!" flag precedes the "--syn", the sense of the
+option is inverted.
+.TP
+.BR "--tcp-option " "[!] \fInumber\fP"
+Match if TCP option set.
+.SS udp
+These extensions are loaded if `--protocol udp' is specified. It
+provides the following options:
+.TP
+.BR "--source-port " "[!] \fIport\fP[:\fIport\fP]"
+Source port or port range specification.
+See the description of the
+.B --source-port
+option of the TCP extension for details.
+.TP
+.BR "--destination-port " "[!] \fIport\fP[:\fIport\fP]"
+Destination port or port range specification.
+See the description of the
+.B --destination-port
+option of the TCP extension for details.
+.SS ipv6-icmp
+This extension is loaded if `--protocol ipv6-icmp' or `--protocol icmpv6' is
+specified. It provides the following option:
+.TP
+.BR "--icmpv6-type " "[!] \fItypename\fP"
+This allows specification of the ICMP type, which can be a numeric
+IPv6-ICMP type, or one of the IPv6-ICMP type names shown by the command
+.nf
+ ip6tables -p ipv6-icmp -h
+.fi
+.SS mac
+.TP
+.BR "--mac-source " "[!] \fIaddress\fP"
+Match source MAC address. It must be of the form XX:XX:XX:XX:XX:XX.
+Note that this only makes sense for packets coming from an Ethernet device
+and entering the
+.BR PREROUTING ,
+.B FORWARD
+or
+.B INPUT
+chains.
+.SS limit
+This module matches at a limited rate using a token bucket filter.
+A rule using this extension will match until this limit is reached
+(unless the `!' flag is used). It can be used in combination with the
+.B LOG
+target to give limited logging, for example.
+.TP
+.BI "--limit " "rate"
+Maximum average matching rate: specified as a number, with an optional
+`/second', `/minute', `/hour', or `/day' suffix; the default is
+3/hour.
+.TP
+.BI "--limit-burst " "number"
+Maximum initial number of packets to match: this number gets
+recharged by one every time the limit specified above is not reached,
+up to this number; the default is 5.
+.SS multiport
+This module matches a set of source or destination ports. Up to 15
+ports can be specified. It can only be used in conjunction with
+.B "-p tcp"
+or
+.BR "-p udp" .
+.TP
+.BR "--source-ports " "\fIport\fP[,\fIport\fP[,\fIport\fP...]]"
+Match if the source port is one of the given ports. The flag
+.B --sports
+is a convenient alias for this option.
+.TP
+.BR "--destination-ports " "\fIport\fP[,\fIport\fP[,\fIport\fP...]]"
+Match if the destination port is one of the given ports. The flag
+.B --dports
+is a convenient alias for this option.
+.TP
+.BR "--ports " "\fIport\fP[,\fIport\fP[,\fIport\fP...]]"
+Match if the both the source and destination ports are equal to each
+other and to one of the given ports.
+.SS mark
+This module matches the netfilter mark field associated with a packet
+(which can be set using the
+.B MARK
+target below).
+.TP
+.BR "--mark " "\fIvalue\fP[/\fImask\fP]"
+Matches packets with the given unsigned mark value (if a mask is
+specified, this is logically ANDed with the mask before the
+comparison).
+.SS owner
+This module attempts to match various characteristics of the packet
+creator, for locally-generated packets. It is only valid in the
+.B OUTPUT
+chain, and even this some packets (such as ICMP ping responses) may
+have no owner, and hence never match. This is regarded as experimental.
+.TP
+.BI "--uid-owner " "userid"
+Matches if the packet was created by a process with the given
+effective user id.
+.TP
+.BI "--gid-owner " "groupid"
+Matches if the packet was created by a process with the given
+effective group id.
+.TP
+.BI "--pid-owner " "processid"
+Matches if the packet was created by a process with the given
+process id.
+.TP
+.BI "--sid-owner " "sessionid"
+Matches if the packet was created by a process in the given session
+group.
+.\" .SS state
+.\" This module, when combined with connection tracking, allows access to
+.\" the connection tracking state for this packet.
+.\" .TP
+.\" .BI "--state " "state"
+.\" Where state is a comma separated list of the connection states to
+.\" match. Possible states are
+.\" .B INVALID
+.\" meaning that the packet is associated with no known connection,
+.\" .B ESTABLISHED
+.\" meaning that the packet is associated with a connection which has seen
+.\" packets in both directions,
+.\" .B NEW
+.\" meaning that the packet has started a new connection, or otherwise
+.\" associated with a connection which has not seen packets in both
+.\" directions, and
+.\" .B RELATED
+.\" meaning that the packet is starting a new connection, but is
+.\" associated with an existing connection, such as an FTP data transfer,
+.\" or an ICMP error.
+.\" .SS unclean
+.\" This module takes no options, but attempts to match packets which seem
+.\" malformed or unusual. This is regarded as experimental.
+.\" .SS tos
+.\" This module matches the 8 bits of Type of Service field in the IP
+.\" header (ie. including the precedence bits).
+.\" .TP
+.\" .BI "--tos " "tos"
+.\" The argument is either a standard name, (use
+.\" .br
+.\" iptables -m tos -h
+.\" .br
+.\" to see the list), or a numeric value to match.
+.SH TARGET EXTENSIONS
+ip6tables can use extended target modules: the following are included
+in the standard distribution.
+.SS LOG
+Turn on kernel logging of matching packets. When this option is set
+for a rule, the Linux kernel will print some information on all
+matching packets (like most IPv6 IPv6-header fields) via the kernel log
+(where it can be read with
+.I dmesg
+or
+.IR syslogd (8)).
+This is a "non-terminating target", i.e. rule traversal continues at
+the next rule. So if you want to LOG the packets you refuse, use two
+separate rules with the same matching criteria, first using target LOG
+then DROP (or REJECT).
+.TP
+.BI "--log-level " "level"
+Level of logging (numeric or see \fIsyslog.conf\fP(5)).
+.TP
+.BI "--log-prefix " "prefix"
+Prefix log messages with the specified prefix; up to 29 letters long,
+and useful for distinguishing messages in the logs.
+.TP
+.B --log-tcp-sequence
+Log TCP sequence numbers. This is a security risk if the log is
+readable by users.
+.TP
+.B --log-tcp-options
+Log options from the TCP packet header.
+.TP
+.B --log-ip-options
+Log options from the IPv6 packet header.
+.SS MARK
+This is used to set the netfilter mark value associated with the
+packet. It is only valid in the
+.B mangle
+table.
+.TP
+.BI "--set-mark " "mark"
+.SS REJECT
+This is used to send back an error packet in response to the matched
+packet: otherwise it is equivalent to
+.B DROP
+so it is a terminating TARGET, ending rule traversal.
+This target is only valid in the
+.BR INPUT ,
+.B FORWARD
+and
+.B OUTPUT
+chains, and user-defined chains which are only called from those
+chains. The following option controls the nature of the error packet
+returned:
+.TP
+.BI "--reject-with " "type"
+The type given can be
+.nf
+.B " icmp6-no-route"
+.B " no-route"
+.B " icmp6-adm-prohibited"
+.B " adm-prohibited"
+.B " icmp6-addr-unreachable"
+.B " addr-unreach"
+.B " icmp6-port-unreachable"
+.B " port-unreach"
+.fi
+which return the appropriate IPv6-ICMP error message (\fBport-unreach\fP is
+the default). Finally, the option
+.B tcp-reset
+can be used on rules which only match the TCP protocol: this causes a
+TCP RST packet to be sent back. This is mainly useful for blocking
+.I ident
+(113/tcp) probes which frequently occur when sending mail to broken mail
+hosts (which won't accept your mail otherwise).
+.\" .SS TOS
+.\" This is used to set the 8-bit Type of Service field in the IP header.
+.\" It is only valid in the
+.\" .B mangle
+.\" table.
+.\" .TP
+.\" .BI "--set-tos " "tos"
+.\" You can use a numeric TOS values, or use
+.\" .br
+.\" iptables -j TOS -h
+.\" .br
+.\" to see the list of valid TOS names.
+.\" .SS MIRROR
+.\" This is an experimental demonstration target which inverts the source
+.\" and destination fields in the IP header and retransmits the packet.
+.\" It is only valid in the
+.\" .BR INPUT ,
+.\" .B FORWARD
+.\" and
+.\" .B PREROUTING
+.\" chains, and user-defined chains which are only called from those
+.\" chains. Note that the outgoing packets are
+.\" .B NOT
+.\" seen by any packet filtering chains, connection tracking or NAT, to
+.\" avoid loops and other problems.
+.\" .SS SNAT
+.\" This target is only valid in the
+.\" .B nat
+.\" table, in the
+.\" .B POSTROUTING
+.\" chain. It specifies that the source address of the packet should be
+.\" modified (and all future packets in this connection will also be
+.\" mangled), and rules should cease being examined. It takes one option:
+.\" .TP
+.\" .BR "--to-source " "\fIipaddr\fP[-\fIipaddr\fP][:\fIport\fP-\fIport\fP]"
+.\" which can specify a single new source IP address, an inclusive range
+.\" of IP addresses, and optionally, a port range (which is only valid if
+.\" the rule also specifies
+.\" .B "-p tcp"
+.\" or
+.\" .BR "-p udp" ).
+.\" If no port range is specified, then source ports below 512 will be
+.\" mapped to other ports below 512: those between 512 and 1023 inclusive
+.\" will be mapped to ports below 1024, and other ports will be mapped to
+.\" 1024 or above. Where possible, no port alteration will occur.
+.\" .SS DNAT
+.\" This target is only valid in the
+.\" .B nat
+.\" table, in the
+.\" .B PREROUTING
+.\" and
+.\" .B OUTPUT
+.\" chains, and user-defined chains which are only called from those
+.\" chains. It specifies that the destination address of the packet
+.\" should be modified (and all future packets in this connection will
+.\" also be mangled), and rules should cease being examined. It takes one
+.\" option:
+.\" .TP
+.\" .BR "--to-destination " "\fIipaddr\fP[-\fIipaddr\fP][:\fIport\fP-\fIport\fP]"
+.\" which can specify a single new destination IP address, an inclusive
+.\" range of IP addresses, and optionally, a port range (which is only
+.\" valid if the rule also specifies
+.\" .B "-p tcp"
+.\" or
+.\" .BR "-p udp" ).
+.\" If no port range is specified, then the destination port will never be
+.\" modified.
+.\" .SS MASQUERADE
+.\" This target is only valid in the
+.\" .B nat
+.\" table, in the
+.\" .B POSTROUTING
+.\" chain. It should only be used with dynamically assigned IP (dialup)
+.\" connections: if you have a static IP address, you should use the SNAT
+.\" target. Masquerading is equivalent to specifying a mapping to the IP
+.\" address of the interface the packet is going out, but also has the
+.\" effect that connections are
+.\" .I forgotten
+.\" when the interface goes down. This is the correct behavior when the
+.\" next dialup is unlikely to have the same interface address (and hence
+.\" any established connections are lost anyway). It takes one option:
+.\" .TP
+.\" .BR "--to-ports " "\fIport\fP[-\fIport\fP]"
+.\" This specifies a range of source ports to use, overriding the default
+.\" .B SNAT
+.\" source port-selection heuristics (see above). This is only valid
+.\" if the rule also specifies
+.\" .B "-p tcp"
+.\" or
+.\" .BR "-p udp" .
+.\" .SS REDIRECT
+.\" This target is only valid in the
+.\" .B nat
+.\" table, in the
+.\" .B PREROUTING
+.\" and
+.\" .B OUTPUT
+.\" chains, and user-defined chains which are only called from those
+.\" chains. It alters the destination IP address to send the packet to
+.\" the machine itself (locally-generated packets are mapped to the
+.\" 127.0.0.1 address). It takes one option:
+.\" .TP
+.\" .BR "--to-ports " "\fIport\fP[-\fIport\fP]"
+.\" This specifies a destination port or range of ports to use: without
+.\" this, the destination port is never altered. This is only valid
+.\" if the rule also specifies
+.\" .B "-p tcp"
+.\" or
+.\" .BR "-p udp" .
+.SH DIAGNOSTICS
+Various error messages are printed to standard error. The exit code
+is 0 for correct functioning. Errors which appear to be caused by
+invalid or abused command line parameters cause an exit code of 2, and
+other errors cause an exit code of 1.
+.SH BUGS
+Bugs? What's this? ;-)
+Well... the counters are not reliable on sparc64.
+.SH COMPATIBILITY WITH IPCHAINS
+This
+.B ip6tables
+is very similar to ipchains by Rusty Russell. The main difference is
+that the chains
+.B INPUT
+and
+.B OUTPUT
+are only traversed for packets coming into the local host and
+originating from the local host respectively. Hence every packet only
+passes through one of the three chains (except loopback traffic, which
+involves both INPUT and OUTPUT chains); previously a forwarded packet
+would pass through all three.
+.PP
+The other main difference is that
+.B -i
+refers to the input interface;
+.B -o
+refers to the output interface, and both are available for packets
+entering the
+.B FORWARD
+chain.
+.\" .PP The various forms of NAT have been separated out;
+.\" .B iptables
+.\" is a pure packet filter when using the default `filter' table, with
+.\" optional extension modules. This should simplify much of the previous
+.\" confusion over the combination of IP masquerading and packet filtering
+.\" seen previously. So the following options are handled differently:
+.\" .br
+.\" -j MASQ
+.\" .br
+.\" -M -S
+.\" .br
+.\" -M -L
+.\" .br
+There are several other changes in ip6tables.
+.SH SEE ALSO
+.BR ip6tables-save (8),
+.BR ip6tables-restore(8),
+.BR iptables (8),
+.BR iptables-save (8),
+.BR iptables-restore (8).
+.P
+The packet-filtering-HOWTO details iptables usage for
+packet filtering, the NAT-HOWTO details NAT,
+the netfilter-extensions-HOWTO details the extensions that are
+not in the standard distribution,
+and the netfilter-hacking-HOWTO details the netfilter internals.
+.br
+See
+.BR "http://www.netfilter.org/" .
+.SH AUTHORS
+Rusty Russell wrote iptables, in early consultation with Michael
+Neuling.
+.PP
+Marc Boucher made Rusty abandon ipnatctl by lobbying for a generic packet
+selection framework in iptables, then wrote the mangle table, the owner match,
+the mark stuff, and ran around doing cool stuff everywhere.
+.PP
+James Morris wrote the TOS target, and tos match.
+.PP
+Jozsef Kadlecsik wrote the REJECT target.
+.PP
+Harald Welte wrote the ULOG target, TTL match+target and libipulog.
+.PP
+The Netfilter Core Team is: Marc Boucher, Martin Josefsson, Jozsef Kadlecsik,
+James Morris, Harald Welte and Rusty Russell.
+.PP
+ip6tables man page created by Andras Kis-Szabo, based on
+iptables man page written by Herve Eychenne <rv@wallfire.org>.
+.\" .. and did I mention that we are incredibly cool people?
+.\" .. sexy, too ..
+.\" .. witty, charming, powerful ..
+.\" .. and most of all, modest ..
--- /dev/null
+.TH IPTABLES-RESTORE 8 "Jan 04, 2001" "" ""
+.\"
+.\" Man page written by Harald Welte <laforge@gnumonks.org>
+.\" It is based on the iptables man page.
+.\"
+.\" This program is free software; you can redistribute it and/or modify
+.\" it under the terms of the GNU General Public License as published by
+.\" the Free Software Foundation; either version 2 of the License, or
+.\" (at your option) any later version.
+.\"
+.\" This program is distributed in the hope that it will be useful,
+.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+.\" GNU General Public License for more details.
+.\"
+.\" You should have received a copy of the GNU General Public License
+.\" along with this program; if not, write to the Free Software
+.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+.\"
+.\"
+.SH NAME
+iptables-restore \- Restore IP Tables
+.SH SYNOPSIS
+.BR "iptables-restore " "[-c] [-n]"
+.br
+.SH DESCRIPTION
+.PP
+.B iptables-restore
+is used to restore IP Tables from data specified on STDIN. Use
+I/O redirection provided by your shell to read from a file
+.TP
+\fB\-c\fR, \fB\-\-counters\fR
+restore the values of all packet and byte counters
+.TP
+\fB\-n\fR, \fB\-\-noflush\fR
+.TP
+don't flush the previous contents of the table. If not specified,
+.B iptables-restore
+flushes (deletes) all previous contents of the respective IP Table.
+.SH BUGS
+None known as of iptables-1.2.1 release
+.SH AUTHOR
+Harald Welte <laforge@gnumonks.org>
+.SH SEE ALSO
+.BR iptables-save "(8), " iptables "(8) "
+.PP
+The iptables-HOWTO, which details more iptables usage, the NAT-HOWTO,
+which details NAT, and the netfilter-hacking-HOWTO which details the
+internals.
--- /dev/null
+.TH IPTABLES-SAVE 8 "Jan 04, 2001" "" ""
+.\"
+.\" Man page written by Harald Welte <laforge@gnumonks.org>
+.\" It is based on the iptables man page.
+.\"
+.\" This program is free software; you can redistribute it and/or modify
+.\" it under the terms of the GNU General Public License as published by
+.\" the Free Software Foundation; either version 2 of the License, or
+.\" (at your option) any later version.
+.\"
+.\" This program is distributed in the hope that it will be useful,
+.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+.\" GNU General Public License for more details.
+.\"
+.\" You should have received a copy of the GNU General Public License
+.\" along with this program; if not, write to the Free Software
+.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+.\"
+.\"
+.SH NAME
+iptables-save \- Save IP Tables
+.SH SYNOPSIS
+.BR "iptables-save " "[-c] [-t table]"
+.br
+.SH DESCRIPTION
+.PP
+.B iptables-save
+is used to dump the contents of an IP Table in easily parseable format
+to STDOUT. Use I/O-redirection provided by your shell to write to a file.
+.TP
+\fB\-c\fR, \fB\-\-counters\fR
+include the current values of all packet and byte counters in the output
+.TP
+\fB\-t\fR, \fB\-\-table\fR \fBtablename\fR
+.TP
+restrict output to only one table. If not specified, output includes all
+available tables.
+.SH BUGS
+None known as of iptables-1.2.1 release
+.SH AUTHOR
+Harald Welte <laforge@gnumonks.org>
+.SH SEE ALSO
+.BR iptables-restore "(8), " iptables "(8) "
+.PP
+The iptables-HOWTO, which details more iptables usage, the NAT-HOWTO,
+which details NAT, and the netfilter-hacking-HOWTO which details the
+internals.
--- /dev/null
+.TH IPTABLES 8 "Mar 09, 2002" "" ""
+.\"
+.\" Man page written by Herve Eychenne <rv@wallfire.org> (May 1999)
+.\" It is based on ipchains page.
+.\" TODO: add a word for protocol helpers (FTP, IRC, SNMP-ALG)
+.\"
+.\" ipchains page by Paul ``Rusty'' Russell March 1997
+.\" Based on the original ipfwadm man page by Jos Vos <jos@xos.nl>
+.\"
+.\" This program is free software; you can redistribute it and/or modify
+.\" it under the terms of the GNU General Public License as published by
+.\" the Free Software Foundation; either version 2 of the License, or
+.\" (at your option) any later version.
+.\"
+.\" This program is distributed in the hope that it will be useful,
+.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+.\" GNU General Public License for more details.
+.\"
+.\" You should have received a copy of the GNU General Public License
+.\" along with this program; if not, write to the Free Software
+.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+.\"
+.\"
+.SH NAME
+iptables \- administration tool for IPv4 packet filtering and NAT
+.SH SYNOPSIS
+.BR "iptables [-t table] -[AD] " "chain rule-specification [options]"
+.br
+.BR "iptables [-t table] -I " "chain [rulenum] rule-specification [options]"
+.br
+.BR "iptables [-t table] -R " "chain rulenum rule-specification [options]"
+.br
+.BR "iptables [-t table] -D " "chain rulenum [options]"
+.br
+.BR "iptables [-t table] -[LFZ] " "[chain] [options]"
+.br
+.BR "iptables [-t table] -N " "chain"
+.br
+.BR "iptables [-t table] -X " "[chain]"
+.br
+.BR "iptables [-t table] -P " "chain target [options]"
+.br
+.BR "iptables [-t table] -E " "old-chain-name new-chain-name"
+.SH DESCRIPTION
+.B Iptables
+is used to set up, maintain, and inspect the tables of IP packet
+filter rules in the Linux kernel. Several different tables
+may be defined. Each table contains a number of built-in
+chains and may also contain user-defined chains.
+
+Each chain is a list of rules which can match a set of packets. Each
+rule specifies what to do with a packet that matches. This is called
+a `target', which may be a jump to a user-defined chain in the same
+table.
+
+.SH TARGETS
+A firewall rule specifies criteria for a packet, and a target. If the
+packet does not match, the next rule in the chain is the examined; if
+it does match, then the next rule is specified by the value of the
+target, which can be the name of a user-defined chain or one of the
+special values
+.IR ACCEPT ,
+.IR DROP ,
+.IR QUEUE ,
+or
+.IR RETURN .
+.PP
+.I ACCEPT
+means to let the packet through.
+.I DROP
+means to drop the packet on the floor.
+.I QUEUE
+means to pass the packet to userspace (if supported by the kernel).
+.I RETURN
+means stop traversing this chain and resume at the next rule in the
+previous (calling) chain. If the end of a built-in chain is reached
+or a rule in a built-in chain with target
+.I RETURN
+is matched, the target specified by the chain policy determines the
+fate of the packet.
+.SH TABLES
+There are currently three independent tables (which tables are present
+at any time depends on the kernel configuration options and which
+modules are present).
+.TP
+.BI "-t, --table " "table"
+This option specifies the packet matching table which the command
+should operate on. If the kernel is configured with automatic module
+loading, an attempt will be made to load the appropriate module for
+that table if it is not already there.
+
+The tables are as follows:
+.RS
+.TP .4i
+.BR "filter" :
+This is the default table (if no -t option is passed). It contains
+the built-in chains
+.B INPUT
+(for packets coming into the box itself),
+.B FORWARD
+(for packets being routed through the box), and
+.B OUTPUT
+(for locally-generated packets).
+.TP
+.BR "nat" :
+This table is consulted when a packet that creates a new
+connection is encountered. It consists of three built-ins:
+.B PREROUTING
+(for altering packets as soon as they come in),
+.B OUTPUT
+(for altering locally-generated packets before routing), and
+.B POSTROUTING
+(for altering packets as they are about to go out).
+.TP
+.BR "mangle" :
+This table is used for specialized packet alteration. Until kernel
+2.4.17 it had two built-in chains:
+.B PREROUTING
+(for altering incoming packets before routing) and
+.B OUTPUT
+(for altering locally-generated packets before routing).
+Since kernel 2.4.18, three other built-in chains are also supported:
+.B INPUT
+(for packets coming into the box itself),
+.B FORWARD
+(for altering packets being routed through the box), and
+.B POSTROUTING
+(for altering packets as they are about to go out).
+.RE
+.SH OPTIONS
+The options that are recognized by
+.B iptables
+can be divided into several different groups.
+.SS COMMANDS
+These options specify the specific action to perform. Only one of them
+can be specified on the command line unless otherwise specified
+below. For all the long versions of the command and option names, you
+need to use only enough letters to ensure that
+.B iptables
+can differentiate it from all other options.
+.TP
+.BI "-A, --append " "chain rule-specification"
+Append one or more rules to the end of the selected chain.
+When the source and/or destination names resolve to more than one
+address, a rule will be added for each possible address combination.
+.TP
+.BI "-D, --delete " "chain rule-specification"
+.ns
+.TP
+.BI "-D, --delete " "chain rulenum"
+Delete one or more rules from the selected chain. There are two
+versions of this command: the rule can be specified as a number in the
+chain (starting at 1 for the first rule) or a rule to match.
+.TP
+.BR "-I, --insert " "\fIchain\fP [\fIrulenum\fP] \fIrule-specification\fP"
+Insert one or more rules in the selected chain as the given rule
+number. So, if the rule number is 1, the rule or rules are inserted
+at the head of the chain. This is also the default if no rule number
+is specified.
+.TP
+.BI "-R, --replace " "chain rulenum rule-specification"
+Replace a rule in the selected chain. If the source and/or
+destination names resolve to multiple addresses, the command will
+fail. Rules are numbered starting at 1.
+.TP
+.BR "-L, --list " "[\fIchain\fP]"
+List all rules in the selected chain. If no chain is selected, all
+chains are listed. As every other iptables command, it applies to the
+specified table (filter is the default), so NAT rules get listed by
+.nf
+ iptables -t nat -n -L
+.fi
+Please note that it is often used with the
+.B -n
+option, in order to avoid long reverse DNS lookups.
+It is legal to specify the
+.B -Z
+(zero) option as well, in which case the chain(s) will be atomically
+listed and zeroed. The exact output is affected by the other
+arguments given. The exact rules are suppressed until you use
+.nf
+ iptables -L -v
+.fi
+.TP
+.BR "-F, --flush " "[\fIchain\fP]"
+Flush the selected chain (all the chains in the table if none is given).
+This is equivalent to deleting all the rules one by one.
+.TP
+.BR "-Z, --zero " "[\fIchain\fP]"
+Zero the packet and byte counters in all chains. It is legal to
+specify the
+.B "-L, --list"
+(list) option as well, to see the counters immediately before they are
+cleared. (See above.)
+.TP
+.BI "-N, --new-chain " "chain"
+Create a new user-defined chain by the given name. There must be no
+target of that name already.
+.TP
+.BR "-X, --delete-chain " "[\fIchain\fP]"
+Delete the optional user-defined chain specified. There must be no references
+to the chain. If there are, you must delete or replace the referring
+rules before the chain can be deleted. If no argument is given, it
+will attempt to delete every non-builtin chain in the table.
+.TP
+.BI "-P, --policy " "chain target"
+Set the policy for the chain to the given target. See the section
+.B TARGETS
+for the legal targets. Only built-in (non-user-defined) chains can have
+policies, and neither built-in nor user-defined chains can be policy
+targets.
+.TP
+.BI "-E, --rename-chain " "old-chain new-chain"
+Rename the user specified chain to the user supplied name. This is
+cosmetic, and has no effect on the structure of the table.
+.TP
+.B -h
+Help.
+Give a (currently very brief) description of the command syntax.
+.SS PARAMETERS
+The following parameters make up a rule specification (as used in the
+add, delete, insert, replace and append commands).
+.TP
+.BR "-p, --protocol " "[!] \fIprotocol\fP"
+The protocol of the rule or of the packet to check.
+The specified protocol can be one of
+.IR tcp ,
+.IR udp ,
+.IR icmp ,
+or
+.IR all ,
+or it can be a numeric value, representing one of these protocols or a
+different one. A protocol name from /etc/protocols is also allowed.
+A "!" argument before the protocol inverts the
+test. The number zero is equivalent to
+.IR all .
+Protocol
+.I all
+will match with all protocols and is taken as default when this
+option is omitted.
+.TP
+.BR "-s, --source " "[!] \fIaddress\fP[/\fImask\fP]"
+Source specification.
+.I Address
+can be either a network name, a hostname (please note that specifying
+any name to be resolved with a remote query such as DNS is a really bad idea),
+a network IP address (with /mask), or a plain IP address.
+The
+.I mask
+can be either a network mask or a plain number,
+specifying the number of 1's at the left side of the network mask.
+Thus, a mask of
+.I 24
+is equivalent to
+.IR 255.255.255.0 .
+A "!" argument before the address specification inverts the sense of
+the address. The flag
+.B --src
+is an alias for this option.
+.TP
+.BR "-d, --destination " "[!] \fIaddress\fP[/\fImask\fP]"
+Destination specification.
+See the description of the
+.B -s
+(source) flag for a detailed description of the syntax. The flag
+.B --dst
+is an alias for this option.
+.TP
+.BI "-j, --jump " "target"
+This specifies the target of the rule; i.e., what to do if the packet
+matches it. The target can be a user-defined chain (other than the
+one this rule is in), one of the special builtin targets which decide
+the fate of the packet immediately, or an extension (see
+.B EXTENSIONS
+below). If this
+option is omitted in a rule, then matching the rule will have no
+effect on the packet's fate, but the counters on the rule will be
+incremented.
+.TP
+.BR "-i, --in-interface " "[!] \fIname\fP"
+Name of an interface via which a packet is going to be received (only for
+packets entering the
+.BR INPUT ,
+.B FORWARD
+and
+.B PREROUTING
+chains). When the "!" argument is used before the interface name, the
+sense is inverted. If the interface name ends in a "+", then any
+interface which begins with this name will match. If this option is
+omitted, any interface name will match.
+.TP
+.BR "-o, --out-interface " "[!] \fIname\fP"
+Name of an interface via which a packet is going to be sent (for packets
+entering the
+.BR FORWARD ,
+.B OUTPUT
+and
+.B POSTROUTING
+chains). When the "!" argument is used before the interface name, the
+sense is inverted. If the interface name ends in a "+", then any
+interface which begins with this name will match. If this option is
+omitted, any interface name will match.
+.TP
+.B "[!] " "-f, --fragment"
+This means that the rule only refers to second and further fragments
+of fragmented packets. Since there is no way to tell the source or
+destination ports of such a packet (or ICMP type), such a packet will
+not match any rules which specify them. When the "!" argument
+precedes the "-f" flag, the rule will only match head fragments, or
+unfragmented packets.
+.TP
+.BI "-c, --set-counters " "PKTS BYTES"
+This enables the administrator to initialize the packet and byte
+counters of a rule (during
+.B INSERT,
+.B APPEND,
+.B REPLACE
+operations).
+.SS "OTHER OPTIONS"
+The following additional options can be specified:
+.TP
+.B "-v, --verbose"
+Verbose output. This option makes the list command show the interface
+name, the rule options (if any), and the TOS masks. The packet and
+byte counters are also listed, with the suffix 'K', 'M' or 'G' for
+1000, 1,000,000 and 1,000,000,000 multipliers respectively (but see
+the
+.B -x
+flag to change this).
+For appending, insertion, deletion and replacement, this causes
+detailed information on the rule or rules to be printed.
+.TP
+.B "-n, --numeric"
+Numeric output.
+IP addresses and port numbers will be printed in numeric format.
+By default, the program will try to display them as host names,
+network names, or services (whenever applicable).
+.TP
+.B "-x, --exact"
+Expand numbers.
+Display the exact value of the packet and byte counters,
+instead of only the rounded number in K's (multiples of 1000)
+M's (multiples of 1000K) or G's (multiples of 1000M). This option is
+only relevant for the
+.B -L
+command.
+.TP
+.B "--line-numbers"
+When listing rules, add line numbers to the beginning of each rule,
+corresponding to that rule's position in the chain.
+.TP
+.B "--modprobe=command"
+When adding or inserting rules into a chain, use
+.B command
+to load any necessary modules (targets, match extensions, etc).
+.SH MATCH EXTENSIONS
+iptables can use extended packet matching modules. These are loaded
+in two ways: implicitly, when
+.B -p
+or
+.B --protocol
+is specified, or with the
+.B -m
+or
+.B --match
+options, followed by the matching module name; after these, various
+extra command line options become available, depending on the specific
+module. You can specify multiple extended match modules in one line,
+and you can use the
+.B -h
+or
+.B --help
+options after the module has been specified to receive help specific
+to that module.
+
+The following are included in the base package, and most of these can
+be preceded by a
+.B !
+to invert the sense of the match.
+.SS ah
+This module matches the SPIs in AH header of IPSec packets.
+.TP
+.BR "--ahspi " "[!] \fIspi\fP[:\fIspi\fP]"
+.SS conntrack
+This module, when combined with connection tracking, allows access to
+more connection tracking information than the "state" match.
+(this module is present only if iptables was compiled under a kernel
+supporting this feature)
+.TP
+.BI "--ctstate " "state"
+Where state is a comma separated list of the connection states to
+match. Possible states are
+.B INVALID
+meaning that the packet is associated with no known connection,
+.B ESTABLISHED
+meaning that the packet is associated with a connection which has seen
+packets in both directions,
+.B NEW
+meaning that the packet has started a new connection, or otherwise
+associated with a connection which has not seen packets in both
+directions, and
+.B RELATED
+meaning that the packet is starting a new connection, but is
+associated with an existing connection, such as an FTP data transfer,
+or an ICMP error.
+.B SNAT
+A virtual state, matching if the original source address differs from
+the reply destination.
+.B DNAT
+A virtual state, matching if the original destination differs from the
+reply source.
+.TP
+.BI "--ctproto " "proto"
+Protocol to match (by number or name)
+.TP
+.BI "--ctorigsrc " "[!] \fIaddress\fP[/\fImask\fP]"
+Match against original source address
+.TP
+.BI "--ctorigdst " "[!] \fIaddress\fP[/\fImask\fP]"
+Match against original destination address
+.TP
+.BI "--ctreplsrc " "[!] \fIaddress\fP[/\fImask\fP]"
+Match against reply source address
+.TP
+.BI "--ctrepldst " "[!] \fIaddress\fB[/\fImask\fP]"
+Match against reply destination address
+.TP
+.BI "--ctstatus " "[\fINONE|EXPECTED|SEEN_REPLY|ASSURED\fP][,...]"
+Match against internal conntrack states
+.TP
+.BI "--ctexpire " "\fItime\fP[\fI:time\fP]"
+Match remaining lifetime in seconds against given value
+or range of values (inclusive)
+.SS dscp
+This module matches the 6 bit DSCP field within the TOS field in the
+IP header. DSCP has superseded TOS within the IETF.
+.TP
+.BI "--dscp " "value"
+Match against a numeric (decimal or hex) value [0-32].
+.TP
+.BI "--dscp-class " "\fIDiffServ Class\fP"
+Match the DiffServ class. This value may be any of the
+BE, EF, AFxx or CSx classes. It will then be converted
+into it's according numeric value.
+.SS esp
+This module matches the SPIs in ESP header of IPSec packets.
+.TP
+.BR "--espspi " "[!] \fIspi\fP[:\fIspi\fP]"
+.SS helper
+This module matches packets related to a specific conntrack-helper.
+.TP
+.BI "--helper " "string"
+Matches packets related to the specified conntrack-helper.
+.RS
+.PP
+string can be "ftp" for packets related to a ftp-session on default port.
+For other ports append -portnr to the value, ie. "ftp-2121".
+.PP
+Same rules apply for other conntrack-helpers.
+.RE
+.SS icmp
+This extension is loaded if `--protocol icmp' is specified. It
+provides the following option:
+.TP
+.BR "--icmp-type " "[!] \fItypename\fP"
+This allows specification of the ICMP type, which can be a numeric
+ICMP type, or one of the ICMP type names shown by the command
+.nf
+ iptables -p icmp -h
+.fi
+.SS length
+This module matches the length of a packet against a specific value
+or range of values.
+.TP
+.BR "--length " "\fIlength\fP[:\fIlength\fP]"
+.SS limit
+This module matches at a limited rate using a token bucket filter.
+A rule using this extension will match until this limit is reached
+(unless the `!' flag is used). It can be used in combination with the
+.B LOG
+target to give limited logging, for example.
+.TP
+.BI "--limit " "rate"
+Maximum average matching rate: specified as a number, with an optional
+`/second', `/minute', `/hour', or `/day' suffix; the default is
+3/hour.
+.TP
+.BI "--limit-burst " "number"
+Maximum initial number of packets to match: this number gets
+recharged by one every time the limit specified above is not reached,
+up to this number; the default is 5.
+.SS mac
+.TP
+.BR "--mac-source " "[!] \fIaddress\fP"
+Match source MAC address. It must be of the form XX:XX:XX:XX:XX:XX.
+Note that this only makes sense for packets coming from an Ethernet device
+and entering the
+.BR PREROUTING ,
+.B FORWARD
+or
+.B INPUT
+chains.
+.SS mark
+This module matches the netfilter mark field associated with a packet
+(which can be set using the
+.B MARK
+target below).
+.TP
+.BR "--mark " "\fIvalue\fP[/\fImask\fP]"
+Matches packets with the given unsigned mark value (if a mask is
+specified, this is logically ANDed with the mask before the
+comparison).
+.SS multiport
+This module matches a set of source or destination ports. Up to 15
+ports can be specified. It can only be used in conjunction with
+.B "-p tcp"
+or
+.BR "-p udp" .
+.TP
+.BR "--source-ports " "\fIport\fP[,\fIport\fP[,\fIport\fP...]]"
+Match if the source port is one of the given ports. The flag
+.B --sports
+is a convenient alias for this option.
+.TP
+.BR "--destination-ports " "\fIport\fP[,\fIport\fP[,\fIport\fP...]]"
+Match if the destination port is one of the given ports. The flag
+.B --dports
+is a convenient alias for this option.
+.TP
+.BR "--ports " "\fIport\fP[,\fIport\fP[,\fIport\fP...]]"
+Match if the both the source and destination ports are equal to each
+other and to one of the given ports.
+.SS owner
+This module attempts to match various characteristics of the packet
+creator, for locally-generated packets. It is only valid in the
+.B OUTPUT
+chain, and even this some packets (such as ICMP ping responses) may
+have no owner, and hence never match.
+.TP
+.BI "--uid-owner " "userid"
+Matches if the packet was created by a process with the given
+effective user id.
+.TP
+.BI "--gid-owner " "groupid"
+Matches if the packet was created by a process with the given
+effective group id.
+.TP
+.BI "--pid-owner " "processid"
+Matches if the packet was created by a process with the given
+process id.
+.TP
+.BI "--sid-owner " "sessionid"
+Matches if the packet was created by a process in the given session
+group.
+.TP
+.BI "--cmd-owner " "name"
+Matches if the packet was created by a process with the given command name.
+(this option is present only if iptables was compiled under a kernel
+supporting this feature)
+.SS physdev
+This module matches on the bridge port input and output devices enslaved
+to a bridge device. This module is a part of the infrastructure that enables
+a transparent bridging IP firewall and is only useful for kernel versions
+above version 2.5.44.
+.TP
+.B --physdev-in name
+Name of a bridge port via which a packet is received (only for
+packets entering the
+.BR INPUT ,
+.B FORWARD
+and
+.B PREROUTING
+chains). If the interface name ends in a "+", then any
+interface which begins with this name will match. If the packet didn't arrive
+through a bridge device, this packet won't match this option, unless '!' is used.
+.TP
+.B --physdev-out name
+Name of a bridge port via which a packet is going to be sent (for packets
+entering the
+.BR FORWARD ,
+.B OUTPUT
+and
+.B POSTROUTING
+chains). If the interface name ends in a "+", then any
+interface which begins with this name will match. Note that in the
+.BR nat " and " mangle
+.B OUTPUT
+chains one cannot match on the bridge output port, however one can in the
+.B "filter OUTPUT"
+chain. If the packet won't leave by a bridge device or it is yet unknown what
+the output device will be, then the packet won't match this option, unless
+'!' is used.
+.TP
+.B --physdev-is-in
+Matches if the packet has entered through a bridge interface.
+.TP
+.B --physdev-is-out
+Matches if the packet will leave through a bridge interface.
+.TP
+.B --physdev-is-bridged
+Matches if the packet is being bridged and therefore is not being routed.
+This is only useful in the FORWARD and POSTROUTING chains.
+.SS pkttype
+This module matches the link-layer packet type.
+.TP
+.BI "--pkt-type " "[\fIunicast\fP|\fIbroadcast\fP|\fImulticast\fP]"
+.SS state
+This module, when combined with connection tracking, allows access to
+the connection tracking state for this packet.
+.TP
+.BI "--state " "state"
+Where state is a comma separated list of the connection states to
+match. Possible states are
+.B INVALID
+meaning that the packet could not be identified for some reason which
+includes running out of memory and ICMP errors which don't correspond to any
+known connection,
+.B ESTABLISHED
+meaning that the packet is associated with a connection which has seen
+packets in both directions,
+.B NEW
+meaning that the packet has started a new connection, or otherwise
+associated with a connection which has not seen packets in both
+directions, and
+.B RELATED
+meaning that the packet is starting a new connection, but is
+associated with an existing connection, such as an FTP data transfer,
+or an ICMP error.
+.SS tcp
+These extensions are loaded if `--protocol tcp' is specified. It
+provides the following options:
+.TP
+.BR "--source-port " "[!] \fIport\fP[:\fIport\fP]"
+Source port or port range specification. This can either be a service
+name or a port number. An inclusive range can also be specified,
+using the format
+.IR port : port .
+If the first port is omitted, "0" is assumed; if the last is omitted,
+"65535" is assumed.
+If the second port greater then the first they will be swapped.
+The flag
+.B --sport
+is a convenient alias for this option.
+.TP
+.BR "--destination-port " "[!] \fIport\fP[:\fIport\fP]"
+Destination port or port range specification. The flag
+.B --dport
+is a convenient alias for this option.
+.TP
+.BR "--tcp-flags " "[!] \fImask\fP \fIcomp\fP"
+Match when the TCP flags are as specified. The first argument is the
+flags which we should examine, written as a comma-separated list, and
+the second argument is a comma-separated list of flags which must be
+set. Flags are:
+.BR "SYN ACK FIN RST URG PSH ALL NONE" .
+Hence the command
+.nf
+ iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN
+.fi
+will only match packets with the SYN flag set, and the ACK, FIN and
+RST flags unset.
+.TP
+.B "[!] --syn"
+Only match TCP packets with the SYN bit set and the ACK and RST bits
+cleared. Such packets are used to request TCP connection initiation;
+for example, blocking such packets coming in an interface will prevent
+incoming TCP connections, but outgoing TCP connections will be
+unaffected.
+It is equivalent to \fB--tcp-flags SYN,RST,ACK SYN\fP.
+If the "!" flag precedes the "--syn", the sense of the
+option is inverted.
+.TP
+.BR "--tcp-option " "[!] \fInumber\fP"
+Match if TCP option set.
+.TP
+.BR "--mss " "\fIvalue\fP[:\fIvalue\fP]"
+Match TCP SYN or SYN/ACK packets with the specified MSS value (or range),
+which control the maximum packet size for that connection.
+.SS tos
+This module matches the 8 bits of Type of Service field in the IP
+header (ie. including the precedence bits).
+.TP
+.BI "--tos " "tos"
+The argument is either a standard name, (use
+.br
+ iptables -m tos -h
+.br
+to see the list), or a numeric value to match.
+.SS ttl
+This module matches the time to live field in the IP header.
+.TP
+.BI "--ttl " "ttl"
+Matches the given TTL value.
+.SS udp
+These extensions are loaded if `--protocol udp' is specified. It
+provides the following options:
+.TP
+.BR "--source-port " "[!] \fIport\fP[:\fIport\fP]"
+Source port or port range specification.
+See the description of the
+.B --source-port
+option of the TCP extension for details.
+.TP
+.BR "--destination-port " "[!] \fIport\fP[:\fIport\fP]"
+Destination port or port range specification.
+See the description of the
+.B --destination-port
+option of the TCP extension for details.
+.SS unclean
+This module takes no options, but attempts to match packets which seem
+malformed or unusual. This is regarded as experimental.
+.SH TARGET EXTENSIONS
+iptables can use extended target modules: the following are included
+in the standard distribution.
+.SS DNAT
+This target is only valid in the
+.B nat
+table, in the
+.B PREROUTING
+and
+.B OUTPUT
+chains, and user-defined chains which are only called from those
+chains. It specifies that the destination address of the packet
+should be modified (and all future packets in this connection will
+also be mangled), and rules should cease being examined. It takes one
+type of option:
+.TP
+.BR "--to-destination " "\fIipaddr\fP[-\fIipaddr\fP][:\fIport\fP-\fIport\fP]"
+which can specify a single new destination IP address, an inclusive
+range of IP addresses, and optionally, a port range (which is only
+valid if the rule also specifies
+.B "-p tcp"
+or
+.BR "-p udp" ).
+If no port range is specified, then the destination port will never be
+modified.
+.RS
+.PP
+You can add several --to-destination options. If you specify more
+than one destination address, either via an address range or multiple
+--to-destination options, a simple round-robin (one after another in
+cycle) load balancing takes place between these adresses.
+.SS DSCP
+This target allows to alter the value of the DSCP bits within the TOS
+header of the IPv4 packet. As this manipulates a packet, it can only
+be used in the mangle table.
+.TP
+.BI "--set-dscp " "value"
+Set the DSCP field to a numerical value (can be decimal or hex)
+.TP
+.BI "--set-dscp-class " "class"
+Set the DSCP field to a DiffServ class.
+.SS ECN
+This target allows to selectively work around known ECN blackholes.
+It can only be used in the mangle table.
+.TP
+.BI "--ecn-tcp-remove"
+Remove all ECN bits from the TCP header. Of course, it can only be used
+in conjunction with
+.BR "-p tcp" .
+.SS LOG
+Turn on kernel logging of matching packets. When this option is set
+for a rule, the Linux kernel will print some information on all
+matching packets (like most IP header fields) via the kernel log
+(where it can be read with
+.I dmesg
+or
+.IR syslogd (8)).
+This is a "non-terminating target", i.e. rule traversal continues at
+the next rule. So if you want to LOG the packets you refuse, use two
+separate rules with the same matching criteria, first using target LOG
+then DROP (or REJECT).
+.TP
+.BI "--log-level " "level"
+Level of logging (numeric or see \fIsyslog.conf\fP(5)).
+.TP
+.BI "--log-prefix " "prefix"
+Prefix log messages with the specified prefix; up to 29 letters long,
+and useful for distinguishing messages in the logs.
+.TP
+.B --log-tcp-sequence
+Log TCP sequence numbers. This is a security risk if the log is
+readable by users.
+.TP
+.B --log-tcp-options
+Log options from the TCP packet header.
+.TP
+.B --log-ip-options
+Log options from the IP packet header.
+.SS MARK
+This is used to set the netfilter mark value associated with the
+packet. It is only valid in the
+.B mangle
+table. It can for example be used in conjunction with iproute2.
+.TP
+.BI "--set-mark " "mark"
+.SS MASQUERADE
+This target is only valid in the
+.B nat
+table, in the
+.B POSTROUTING
+chain. It should only be used with dynamically assigned IP (dialup)
+connections: if you have a static IP address, you should use the SNAT
+target. Masquerading is equivalent to specifying a mapping to the IP
+address of the interface the packet is going out, but also has the
+effect that connections are
+.I forgotten
+when the interface goes down. This is the correct behavior when the
+next dialup is unlikely to have the same interface address (and hence
+any established connections are lost anyway). It takes one option:
+.TP
+.BR "--to-ports " "\fIport\fP[-\fIport\fP]"
+This specifies a range of source ports to use, overriding the default
+.B SNAT
+source port-selection heuristics (see above). This is only valid
+if the rule also specifies
+.B "-p tcp"
+or
+.BR "-p udp" .
+.SS MIRROR
+This is an experimental demonstration target which inverts the source
+and destination fields in the IP header and retransmits the packet.
+It is only valid in the
+.BR INPUT ,
+.B FORWARD
+and
+.B PREROUTING
+chains, and user-defined chains which are only called from those
+chains. Note that the outgoing packets are
+.B NOT
+seen by any packet filtering chains, connection tracking or NAT, to
+avoid loops and other problems.
+.SS REDIRECT
+This target is only valid in the
+.B nat
+table, in the
+.B PREROUTING
+and
+.B OUTPUT
+chains, and user-defined chains which are only called from those
+chains. It alters the destination IP address to send the packet to
+the machine itself (locally-generated packets are mapped to the
+127.0.0.1 address). It takes one option:
+.TP
+.BR "--to-ports " "\fIport\fP[-\fIport\fP]"
+This specifies a destination port or range of ports to use: without
+this, the destination port is never altered. This is only valid
+if the rule also specifies
+.B "-p tcp"
+or
+.BR "-p udp" .
+.SS REJECT
+This is used to send back an error packet in response to the matched
+packet: otherwise it is equivalent to
+.B DROP
+so it is a terminating TARGET, ending rule traversal.
+This target is only valid in the
+.BR INPUT ,
+.B FORWARD
+and
+.B OUTPUT
+chains, and user-defined chains which are only called from those
+chains. The following option controls the nature of the error packet
+returned:
+.TP
+.BI "--reject-with " "type"
+The type given can be
+.nf
+.B " icmp-net-unreachable"
+.B " icmp-host-unreachable"
+.B " icmp-port-unreachable"
+.B " icmp-proto-unreachable"
+.B " icmp-net-prohibited"
+.B " icmp-host-prohibited or"
+.B " icmp-admin-prohibited (*)"
+.fi
+which return the appropriate ICMP error message (\fBport-unreachable\fP is
+the default). The option
+.B tcp-reset
+can be used on rules which only match the TCP protocol: this causes a
+TCP RST packet to be sent back. This is mainly useful for blocking
+.I ident
+(113/tcp) probes which frequently occur when sending mail to broken mail
+hosts (which won't accept your mail otherwise).
+.TP
+(*) Using icmp-admin-prohibited with kernels that do not support it will result in a plain DROP instead of REJECT
+.SS SNAT
+This target is only valid in the
+.B nat
+table, in the
+.B POSTROUTING
+chain. It specifies that the source address of the packet should be
+modified (and all future packets in this connection will also be
+mangled), and rules should cease being examined. It takes one type
+of option:
+.TP
+.BR "--to-source " "\fIipaddr\fP[-\fIipaddr\fP][:\fIport\fP-\fIport\fP]"
+which can specify a single new source IP address, an inclusive range
+of IP addresses, and optionally, a port range (which is only valid if
+the rule also specifies
+.B "-p tcp"
+or
+.BR "-p udp" ).
+If no port range is specified, then source ports below 512 will be
+mapped to other ports below 512: those between 512 and 1023 inclusive
+will be mapped to ports below 1024, and other ports will be mapped to
+1024 or above. Where possible, no port alteration will occur.
+.RS
+.PP
+You can add several --to-source options. If you specify more
+than one source address, either via an address range or multiple
+--to-source options, a simple round-robin (one after another in
+cycle) takes place between these adresses.
+.SS TCPMSS
+This target allows to alter the MSS value of TCP SYN packets, to control
+the maximum size for that connection (usually limiting it to your
+outgoing interface's MTU minus 40). Of course, it can only be used
+in conjunction with
+.BR "-p tcp" .
+.br
+This target is used to overcome criminally braindead ISPs or servers
+which block ICMP Fragmentation Needed packets. The symptoms of this
+problem are that everything works fine from your Linux
+firewall/router, but machines behind it can never exchange large
+packets:
+.PD 0
+.RS 0.1i
+.TP 0.3i
+1)
+Web browsers connect, then hang with no data received.
+.TP
+2)
+Small mail works fine, but large emails hang.
+.TP
+3)
+ssh works fine, but scp hangs after initial handshaking.
+.RE
+.PD
+Workaround: activate this option and add a rule to your firewall
+configuration like:
+.nf
+ iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \\
+ -j TCPMSS --clamp-mss-to-pmtu
+.fi
+.TP
+.BI "--set-mss " "value"
+Explicitly set MSS option to specified value.
+.TP
+.B "--clamp-mss-to-pmtu"
+Automatically clamp MSS value to (path_MTU - 40).
+.TP
+These options are mutually exclusive.
+.SS TOS
+This is used to set the 8-bit Type of Service field in the IP header.
+It is only valid in the
+.B mangle
+table.
+.TP
+.BI "--set-tos " "tos"
+You can use a numeric TOS values, or use
+.nf
+ iptables -j TOS -h
+.fi
+to see the list of valid TOS names.
+.SS ULOG
+This target provides userspace logging of matching packets. When this
+target is set for a rule, the Linux kernel will multicast this packet
+through a
+.IR netlink
+socket. One or more userspace processes may then subscribe to various
+multicast groups and receive the packets.
+Like LOG, this is a "non-terminating target", i.e. rule traversal
+continues at the next rule.
+.TP
+.BI "--ulog-nlgroup " "nlgroup"
+This specifies the netlink group (1-32) to which the packet is sent.
+Default value is 1.
+.TP
+.BI "--ulog-prefix " "prefix"
+Prefix log messages with the specified prefix; up to 32 characters
+long, and useful for distinguishing messages in the logs.
+.TP
+.BI "--ulog-cprange " "size"
+Number of bytes to be copied to userspace. A value of 0 always copies
+the entire packet, regardless of its size. Default is 0.
+.TP
+.BI "--ulog-qthreshold " "size"
+Number of packet to queue inside kernel. Setting this value to, e.g. 10
+accumulates ten packets inside the kernel and transmits them as one
+netlink multipart message to userspace. Default is 1 (for backwards
+compatibility).
+.br
+.SH DIAGNOSTICS
+Various error messages are printed to standard error. The exit code
+is 0 for correct functioning. Errors which appear to be caused by
+invalid or abused command line parameters cause an exit code of 2, and
+other errors cause an exit code of 1.
+.SH BUGS
+Bugs? What's this? ;-)
+Well... the counters are not reliable on sparc64.
+.SH COMPATIBILITY WITH IPCHAINS
+This
+.B iptables
+is very similar to ipchains by Rusty Russell. The main difference is
+that the chains
+.B INPUT
+and
+.B OUTPUT
+are only traversed for packets coming into the local host and
+originating from the local host respectively. Hence every packet only
+passes through one of the three chains (except loopback traffic, which
+involves both INPUT and OUTPUT chains); previously a forwarded packet
+would pass through all three.
+.PP
+The other main difference is that
+.B -i
+refers to the input interface;
+.B -o
+refers to the output interface, and both are available for packets
+entering the
+.B FORWARD
+chain.
+.PP The various forms of NAT have been separated out;
+.B iptables
+is a pure packet filter when using the default `filter' table, with
+optional extension modules. This should simplify much of the previous
+confusion over the combination of IP masquerading and packet filtering
+seen previously. So the following options are handled differently:
+.nf
+ -j MASQ
+ -M -S
+ -M -L
+.fi
+There are several other changes in iptables.
+.SH SEE ALSO
+.BR iptables-save (8),
+.BR iptables-restore (8),
+.BR ip6tables (8),
+.BR ip6tables-save (8),
+.BR ip6tables-restore (8).
+.P
+The packet-filtering-HOWTO details iptables usage for
+packet filtering, the NAT-HOWTO details NAT,
+the netfilter-extensions-HOWTO details the extensions that are
+not in the standard distribution,
+and the netfilter-hacking-HOWTO details the netfilter internals.
+.br
+See
+.BR "http://www.netfilter.org/" .
+.SH AUTHORS
+Rusty Russell wrote iptables, in early consultation with Michael
+Neuling.
+.PP
+Marc Boucher made Rusty abandon ipnatctl by lobbying for a generic packet
+selection framework in iptables, then wrote the mangle table, the owner match,
+the mark stuff, and ran around doing cool stuff everywhere.
+.PP
+James Morris wrote the TOS target, and tos match.
+.PP
+Jozsef Kadlecsik wrote the REJECT target.
+.PP
+Harald Welte wrote the ULOG target, TTL, DSCP, ECN matches and targets.
+.PP
+The Netfilter Core Team is: Marc Boucher, Martin Josefsson, Jozsef Kadlecsik,
+James Morris, Harald Welte and Rusty Russell.
+.PP
+Man page written by Herve Eychenne <rv@wallfire.org>.
+.\" .. and did I mention that we are incredibly cool people?
+.\" .. sexy, too ..
+.\" .. witty, charming, powerful ..
+.\" .. and most of all, modest ..
--- /dev/null
+.TH IP6TABLES-RESTORE 8 "Jan 30, 2002" "" ""
+.\"
+.\" Man page written by Harald Welte <laforge@gnumonks.org>
+.\" It is based on the iptables man page.
+.\"
+.\" This program is free software; you can redistribute it and/or modify
+.\" it under the terms of the GNU General Public License as published by
+.\" the Free Software Foundation; either version 2 of the License, or
+.\" (at your option) any later version.
+.\"
+.\" This program is distributed in the hope that it will be useful,
+.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+.\" GNU General Public License for more details.
+.\"
+.\" You should have received a copy of the GNU General Public License
+.\" along with this program; if not, write to the Free Software
+.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+.\"
+.\" Japanese Version Copyright (c) 2003 Yuichi SATO
+.\" all rights reserved.
+.\" Translated Thu May 1 16:13:34 JST 2003
+.\" by Yuichi SATO <ysato444@yahoo.co.jp>
+.\"
+.SH ̾Á°
+ip6tables-restore \- IPv6 ¥Æ¡¼¥Ö¥ë¤òÉü¸µ¤¹¤ë
+.SH ½ñ¼°
+.BR "ip6tables-restore " "[-c] [-n]"
+.br
+.SH ÀâÌÀ
+.PP
+.B ip6tables-restore
+¤Ïɸ½àÆþÎϤǻØÄꤵ¤ì¤¿¥Ç¡¼¥¿¤«¤é IPv6 ¥Æ¡¼¥Ö¥ë¤òÉü¸µ¤¹¤ë¤¿¤á¤Ë»È¤ï¤ì¤ë¡£
+¥Õ¥¡¥¤¥ë¤«¤éÆɤ߹þ¤à¤¿¤á¤Ë¤Ï¡¢
+¥·¥§¥ë¤ÇÄ󶡤µ¤ì¤Æ¤¤¤ë I/O ¥ê¥À¥¤¥ì¥¯¥·¥ç¥ó¤ò»È¤¦¤³¤È¡£
+.TP
+\fB\-c\fR, \fB\-\-counters\fR
+Á´¤Æ¤Î¥Ñ¥±¥Ã¥È¥«¥¦¥ó¥¿¤È¥Ð¥¤¥È¥«¥¦¥ó¥¿¤ÎÃͤòÉü¸µ¤¹¤ë¡£
+.TP
+\fB\-n\fR, \fB\-\-noflush\fR
+¤³¤ì¤Þ¤Ç¤Î¥Æ¡¼¥Ö¥ë¤ÎÆâÍƤò¥Õ¥é¥Ã¥·¥å¤·¤Ê¤¤¡£
+»ØÄꤵ¤ì¤Ê¤¤¾ì¹ç¡¢
+.B ip6tables-restore
+¤Ï¡¢¤³¤ì¤Þ¤Ç¤Î³Æ IPv6 ¥Æ¡¼¥Ö¥ë¤ÎÆâÍƤòÁ´¤Æ¥Õ¥é¥Ã¥·¥å (ºï½ü) ¤¹¤ë¡£
+.SH ¥Ð¥°
+iptables-1.2.1 ¥ê¥ê¡¼¥¹¤Ç¤ÏÃΤé¤ì¤Æ¤¤¤Ê¤¤¡£
+.SH Ãø¼Ô
+Harald Welte <laforge@gnumonks.org>
+.br
+Andras Kis-Szabo <kisza@sch.bme.hu>
+.SH ´ØÏ¢¹àÌÜ
+.BR ip6tables-save "(8), " ip6tables "(8) "
+.PP
+¤è¤ê¿¤¯¤Î iptables ¤Î»ÈÍÑË¡¤Ë¤Ä¤¤¤Æ
+¾ÜºÙ¤ËÀâÌÀ¤·¤Æ¤¤¤ë iptables-HOWTO¡£
+NAT ¤Ë¤Ä¤¤¤Æ¾ÜºÙ¤ËÀâÌÀ¤·¤Æ¤¤¤ë NAT-HOWTO¡£
+ÆâÉô¹½Â¤¤Ë¤Ä¤¤¤Æ¾ÜºÙ¤ËÀâÌÀ¤·¤Æ¤¤¤ë netfilter-hacking-HOWTO¡£
--- /dev/null
+.TH IP6TABLES-SAVE 8 "Jan 30, 2002" "" ""
+.\"
+.\" Man page written by Harald Welte <laforge@gnumonks.org>
+.\" It is based on the iptables man page.
+.\"
+.\" This program is free software; you can redistribute it and/or modify
+.\" it under the terms of the GNU General Public License as published by
+.\" the Free Software Foundation; either version 2 of the License, or
+.\" (at your option) any later version.
+.\"
+.\" This program is distributed in the hope that it will be useful,
+.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+.\" GNU General Public License for more details.
+.\"
+.\" You should have received a copy of the GNU General Public License
+.\" along with this program; if not, write to the Free Software
+.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+.\"
+.\" Japanese Version Copyright (c) 2003 Yuichi SATO
+.\" all rights reserved.
+.\" Translated Thu May 1 17:36:08 JST 2003
+.\" by Yuichi SATO <ysato444@yahoo.co.jp>
+.\"
+.SH ̾Á°
+ip6tables-save \- IPv6 ¥Æ¡¼¥Ö¥ë¤òÊݸ¤¹¤ë
+.SH ½ñ¼°
+.BR "ip6tables-save " "[-c] [-t table]"
+.br
+.SH ÀâÌÀ
+.PP
+.B ip6tables-save
+¤Ï IPv6 ¥Æ¡¼¥Ö¥ë¤ÎÆâÍƤò´Êñ¤Ë²òÀϤǤ¤ë·Á¼°¤Ç
+ɸ½à½ÐÎϤ˥À¥ó¥×¤¹¤ë¤¿¤á¤Ë»È¤ï¤ì¤ë¡£
+¥Õ¥¡¥¤¥ë¤Ë½ñ¤½Ð¤¹¤¿¤á¤Ë¤Ï¡¢
+¥·¥§¥ë¤ÇÄ󶡤µ¤ì¤Æ¤¤¤ë I/O ¥ê¥À¥¤¥ì¥¯¥·¥ç¥ó¤ò»È¤¦¤³¤È¡£
+.TP
+\fB\-c\fR, \fB\-\-counters\fR
+Á´¤Æ¤Î¥Ñ¥±¥Ã¥È¥«¥¦¥ó¥¿¤È¥Ð¥¤¥È¥«¥¦¥ó¥¿¤Î¸½ºß¤ÎÃͤò½ÐÎϤ¹¤ë¡£
+.TP
+\fB\-t\fR, \fB\-\-table\fR \fBtablename\fR
+½ÐÎϤò 1 ¤Ä¤Î¥Æ¡¼¥Ö¥ë¤Î¤ß¤ËÀ©¸Â¤¹¤ë¡£
+»ØÄꤵ¤ì¤Ê¤¤¾ì¹ç¡¢ÆÀ¤é¤ì¤¿Á´¤Æ¤Î¥Æ¡¼¥Ö¥ë¤ò½ÐÎϤ¹¤ë¡£
+.SH ¥Ð¥°
+iptables-1.2.1 ¥ê¥ê¡¼¥¹¤Ç¤ÏÃΤé¤ì¤Æ¤¤¤Ê¤¤¡£
+.SH Ãø¼Ô
+Harald Welte <laforge@gnumonks.org>
+.br
+Andras Kis-Szabo <kisza@sch.bme.hu>
+.SH ´ØÏ¢¹àÌÜ
+.BR ip6tables-restore "(8), " ip6tables "(8) "
+.PP
+¤è¤ê¿¤¯¤Î iptables ¤Î»ÈÍÑË¡¤Ë¤Ä¤¤¤Æ
+¾ÜºÙ¤ËÀâÌÀ¤·¤Æ¤¤¤ë iptables-HOWTO¡£
+NAT ¤Ë¤Ä¤¤¤Æ¾ÜºÙ¤ËÀâÌÀ¤·¤Æ¤¤¤ë NAT-HOWTO¡£
+ÆâÉô¹½Â¤¤Ë¤Ä¤¤¤Æ¾ÜºÙ¤ËÀâÌÀ¤·¤Æ¤¤¤ë netfilter-hacking-HOWTO¡£
--- /dev/null
+.TH IP6TABLES 8 "Mar 09, 2002" "" ""
+.\"
+.\" Man page written by Andras Kis-Szabo <kisza@sch.bme.hu>
+.\" It is based on iptables man page.
+.\"
+.\" iptables page by Herve Eychenne <rv@wallfire.org>
+.\" It is based on ipchains man page.
+.\"
+.\" ipchains page by Paul ``Rusty'' Russell March 1997
+.\" Based on the original ipfwadm man page by Jos Vos <jos@xos.nl>
+.\"
+.\" This program is free software; you can redistribute it and/or modify
+.\" it under the terms of the GNU General Public License as published by
+.\" the Free Software Foundation; either version 2 of the License, or
+.\" (at your option) any later version.
+.\"
+.\" This program is distributed in the hope that it will be useful,
+.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+.\" GNU General Public License for more details.
+.\"
+.\" You should have received a copy of the GNU General Public License
+.\" along with this program; if not, write to the Free Software
+.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+.\"
+.\"
+.\" Japanese Version Copyright (c) 2001-2004 Yuichi SATO
+.\" all right reserved.
+.\" Translated Sat Dec 1 06:32:08 JST 2001
+.\" by Yuichi SATO <ysato@h4.dion.ne.jp>
+.\" Updated & Modified Sun Feb 8 14:05:26 JST 2004
+.\" by Yuichi SATO <ysato444@yahoo.co.jp>
+.\"
+.\"WORD: chain ¥Á¥§¥¤¥ó
+.\"WORD: built-in chain ÁȤ߹þ¤ßºÑ¤ß¥Á¥§¥¤¥ó
+.\"WORD: non-terminating target Èó½ªÎ»¥¿¡¼¥²¥Ã¥È
+.\"
+.SH ̾Á°
+ip6tables \- IPv6 ¥Ñ¥±¥Ã¥È¥Õ¥£¥ë¥¿¤ò´ÉÍý¤¹¤ë
+.SH ½ñ¼°
+.BR "ip6tables [-t ¥Æ¡¼¥Ö¥ë] -[AD] " "¥Á¥§¥¤¥ó ¥ë¡¼¥ë¤Î¾ÜºÙ [¥ª¥×¥·¥ç¥ó]"
+.br
+.BR "ip6tables [-t ¥Æ¡¼¥Ö¥ë] -I " "¥Á¥§¥¤¥ó [¥ë¡¼¥ëÈÖ¹æ] ¥ë¡¼¥ë¤Î¾ÜºÙ [¥ª¥×¥·¥ç¥ó]"
+.br
+.BR "ip6tables [-t ¥Æ¡¼¥Ö¥ë] -R " "¥Á¥§¥¤¥ó ¥ë¡¼¥ëÈÖ¹æ ¥ë¡¼¥ë¤Î¾ÜºÙ [¥ª¥×¥·¥ç¥ó]"
+.br
+.BR "ip6tables [-t ¥Æ¡¼¥Ö¥ë] -D " "¥Á¥§¥¤¥ó ¥ë¡¼¥ëÈÖ¹æ [¥ª¥×¥·¥ç¥ó]"
+.br
+.BR "ip6tables [-t ¥Æ¡¼¥Ö¥ë] -[LFZ] " "[¥Á¥§¥¤¥ó] [¥ª¥×¥·¥ç¥ó]"
+.br
+.BR "ip6tables [-t ¥Æ¡¼¥Ö¥ë] -N " "¥Á¥§¥¤¥ó"
+.br
+.BR "ip6tables [-t ¥Æ¡¼¥Ö¥ë] -X " "[¥Á¥§¥¤¥ó]"
+.br
+.BR "ip6tables [-t ¥Æ¡¼¥Ö¥ë] -P " "¥Á¥§¥¤¥ó ¥¿¡¼¥²¥Ã¥È [¥ª¥×¥·¥ç¥ó]"
+.br
+.BR "ip6tables [-t ¥Æ¡¼¥Ö¥ë] -E " "µì¥Á¥§¥¤¥ó̾ ¿·¥Á¥§¥¤¥ó̾"
+.SH ÀâÌÀ
+.B ip6tables
+¤Ï Linux ¥«¡¼¥Í¥ë¤Î IPv6 ¥Ñ¥±¥Ã¥È¥Õ¥£¥ë¥¿¥ë¡¼¥ë¤Î¥Æ¡¼¥Ö¥ë¤ò
+ÀßÄꡦ´ÉÍý¡¦¸¡ºº¤¹¤ë¤¿¤á¤Ë»È¤ï¤ì¤ë¡£
+Ê£¿ô¤Î°Û¤Ê¤ë¥Æ¡¼¥Ö¥ë¤¬ÄêµÁ¤µ¤ì¤ë²ÄǽÀ¤¬¤¢¤ë¡£
+³Æ¥Æ¡¼¥Ö¥ë¤ÏÁȤ߹þ¤ßºÑ¤ß¥Á¥§¥¤¥ó¤ò´Þ¤à¡£
+¤µ¤é¤Ë¥æ¡¼¥¶¡¼ÄêµÁ¤Î¥Á¥§¥¤¥ó¤ò´Þ¤à¤³¤È¤â¤Ç¤¤ë¡£
+
+³Æ¥Á¥§¥¤¥ó¤Ï¡¢¥Ñ¥±¥Ã¥È·²¤Ë¥Þ¥Ã¥Á¤¹¤ë¥ë¡¼¥ë¤Î¥ê¥¹¥È¤Ç¤¢¤ë¡£
+³Æ¥ë¡¼¥ë¤Ï¥Þ¥Ã¥Á¤·¤¿¥Ñ¥±¥Ã¥È¤ËÂФ·¤Æ²¿¤ò¤¹¤ë¤«¤ò»ØÄꤹ¤ë¡£
+¤³¤ì¤Ï¡Ö¥¿¡¼¥²¥Ã¥È¡×¤È¸Æ¤Ð¤ì¡¢
+Ʊ¤¸¥Æ¡¼¥Ö¥ëÆâ¤Î¥æ¡¼¥¶¡¼ÄêµÁ¥Á¥§¥¤¥ó¤Ë¥¸¥ã¥ó¥×¤¹¤ë¤³¤È¤â¤¢¤ë¡£
+
+.SH ¥¿¡¼¥²¥Ã¥È
+¥Õ¥¡¥¤¥¢¥¦¥©¡¼¥ë¤Î¥ë¡¼¥ë¤Ï¡¢¥Ñ¥±¥Ã¥È¤òȽÃǤ¹¤ë´ð½à¤È¥¿¡¼¥²¥Ã¥È¤ò»ØÄꤹ¤ë¡£
+¥Ñ¥±¥Ã¥È¤¬¥Þ¥Ã¥Á¤·¤Ê¤¤¾ì¹ç¡¢¥Á¥§¥¤¥óÆâ¤Î¼¡¤Î¥ë¡¼¥ë¤¬É¾²Á¤µ¤ì¤ë¡£
+¥Ñ¥±¥Ã¥È¤¬¥Þ¥Ã¥Á¤·¤¿¾ì¹ç¡¢
+¥¿¡¼¥²¥Ã¥È¤ÎÃͤˤè¤Ã¤Æ¼¡¤Î¥ë¡¼¥ë¤¬»ØÄꤵ¤ì¤ë¡£
+¥¿¡¼¥²¥Ã¥È¤ÎÃͤϡ¢¥æ¡¼¥¶¡¼ÄêµÁ¥Á¥§¥¤¥ó¤Î̾Á°¡¢¤Þ¤¿¤ÏÆÃÊ̤ÊÃÍ
+.IR ACCEPT ,
+.IR DROP ,
+.IR QUEUE ,
+.I RETURN
+¤Î¤¦¤Á¤Î 1 ¤Ä¤Ç¤¢¤ë¡£
+.PP
+.I ACCEPT
+¤Ï¥Ñ¥±¥Ã¥È¤òÄ̤¹¤È¤¤¤¦°ÕÌ£¤Ç¤¢¤ë¡£
+.I DROP
+¤Ï¥Ñ¥±¥Ã¥È¤ò¾²¤ËÍ (¼Î¤Æ¤ë) ¤È¤¤¤¦°ÕÌ£¤Ç¤¢¤ë¡£
+.I QUEUE
+¤Ï¥Ñ¥±¥Ã¥È¤ò¥æ¡¼¥¶¡¼¶õ´Ö¤ËÅϤ¹¤È¤¤¤¦°ÕÌ£¤Ç¤¢¤ë
+(¥«¡¼¥Í¥ë¤¬¥µ¥Ý¡¼¥È¤·¤Æ¤¤¤ì¤Ð¤Ç¤¢¤ë¤¬)¡£
+.I RETURN
+¤Ï¡¢¤³¤Î¥Á¥§¥¤¥ó¤ò¸¡Æ¤¤¹¤ë¤³¤È¤òÃæ»ß¤·¤Æ¡¢
+Á°¤Î (¸Æ¤Ó½Ð¤·Â¦) ¥Á¥§¥¤¥ó¤Î¼¡¤Î¥ë¡¼¥ë¤ÇÄä»ß¤¹¤ë¤È¤¤¤¦°ÕÌ£¤Ç¤¢¤ë¡£
+ÁȤ߹þ¤ßºÑ¤ß¥Á¥§¥¤¥ó¤ÎºÇ¸å¤ËÅþ㤷¤¿¾ì¹ç¡¢
+¤Þ¤¿¤Ï¥¿¡¼¥²¥Ã¥È
+.I RETURN
+¤¬´Þ¤Þ¤ì¤Æ¤¤¤ëÁȤ߹þ¤ßºÑ¤ß¥Á¥§¥¤¥ó¤Î¥ë¡¼¥ë¤Ë¥Þ¥Ã¥Á¤·¤¿¾ì¹ç¡¢
+¥Á¥§¥¤¥ó¥Ý¥ê¥·¡¼¤Ç»ØÄꤵ¤ì¤¿¥¿¡¼¥²¥Ã¥È¤¬
+¥Ñ¥±¥Ã¥È¤Î¹ÔÊý¤ò·èÄꤹ¤ë¡£
+.SH ¥Æ¡¼¥Ö¥ë
+¸½ºß¤Î¤È¤³¤í 2 ¤Ä¤ÎÆÈΩ¤Ê¥Æ¡¼¥Ö¥ë¤¬Â¸ºß¤¹¤ë
+(¤É¤Î¥Æ¡¼¥Ö¥ë¤¬¤É¤Î»þÅÀ¤Ç¸½¤ì¤ë¤«¤Ï¡¢
+¥«¡¼¥Í¥ë¤ÎÀßÄê¤ä¤É¤¦¤¤¤Ã¤¿¥â¥¸¥å¡¼¥ë¤¬Â¸ºß¤¹¤ë¤«¤Ë°Í¸¤¹¤ë)¡£
+nat ¥Æ¡¼¥Ö¥ë¤Ï¡¢¤Þ¤À¼ÂÁõ¤µ¤ì¤Æ¤¤¤Ê¤¤¡£
+.TP
+.BI "-t, --table " "table"
+¤³¤Î¥ª¥×¥·¥ç¥ó¤Ï¡¢¤É¤Î¥³¥Þ¥ó¥É¤òŬÍѤ¹¤Ù¤¤«¤ò·èÄꤹ¤ë¤¿¤á¤Î
+¥Ñ¥±¥Ã¥È¥Þ¥Ã¥Á¥ó¥°¥Æ¡¼¥Ö¥ë¤ò»ØÄꤹ¤ë¡£
+¥«¡¼¥Í¥ë¤Ë¼«Æ°¥â¥¸¥å¡¼¥ë¥í¡¼¥Ç¥£¥ó¥°¤¬ÀßÄꤵ¤ì¤Æ¤¤¤ë¾ì¹ç¡¢
+¤¢¤ë¥Æ¡¼¥Ö¥ë¤ËÂФ·¤ÆŬÀڤʥ⥸¥å¡¼¥ë¤¬¤Þ¤À¥í¡¼¥É¤µ¤ì¤Æ¤¤¤Ê¤±¤ì¤Ð¡¢
+¤½¤Î¥â¥¸¥å¡¼¥ë¤Î¥í¡¼¥É¤ò¹Ô¤¦¡£
+
+¥Æ¡¼¥Ö¥ë¤Ï°Ê²¼¤ÎÄ̤ê¤Ç¤¢¤ë¡£
+.RS
+.TP .4i
+.BR "filter" :
+(-t ¥ª¥×¥·¥ç¥ó¤¬»ØÄꤵ¤ì¤Æ¤¤¤Ê¤¤¾ì¹ç¤Ï) ¤³¤ì¤¬¥Ç¥Õ¥©¥ë¥È¤Î¥Æ¡¼¥Ö¥ë¤Ç¤¢¤ë¡£
+¤³¤ì¤Ë¤Ï
+.B INPUT
+(¥Þ¥·¥ó¼«ÂΤËÆþ¤Ã¤Æ¤¯¤ë¥Ñ¥±¥Ã¥È¤ËÂФ¹¤ë¥Á¥§¥¤¥ó)¡¦
+.B FORWARD
+(¥Þ¥·¥ó¤ò·Ðͳ¤¹¤ë¥Ñ¥±¥Ã¥È¤ËÂФ¹¤ë¥Á¥§¥¤¥ó)¡¦
+.B OUTPUT
+(¥í¡¼¥«¥ë¥Þ¥·¥ó¤ÇÀ¸À®¤µ¤ì¤¿¥Ñ¥±¥Ã¥È¤ËÂФ¹¤ë¥Á¥§¥¤¥ó)
+¤È¤¤¤¦ÁȤ߹þ¤ßºÑ¤ß¥Á¥§¥¤¥ó¤¬´Þ¤Þ¤ì¤ë¡£
+.TP
+.BR "mangle" :
+¤³¤Î¥Æ¡¼¥Ö¥ë¤ÏÆÃÊ̤ʥѥ±¥Ã¥ÈÊÑ´¹¤Ë»È¤ï¤ì¤ë¡£
+¥«¡¼¥Í¥ë 2.4.17 ¤Þ¤Ç¤Ï¡¢
+.B PREROUTING
+(¥Ñ¥±¥Ã¥È¤¬Æþ¤Ã¤Æ¤¤¿¾ì¹ç¡¢
+¤¹¤°¤Ë¤½¤Î¥Ñ¥±¥Ã¥È¤òÊÑ´¹¤¹¤ë¤¿¤á¤Î¥Á¥§¥¤¥ó)¡¦
+.B OUTPUT
+(¥í¡¼¥«¥ë¤ÇÀ¸À®¤µ¤ì¤¿¥Ñ¥±¥Ã¥È¤ò
+¥ë¡¼¥Æ¥£¥ó¥°¤ÎÁ°¤ËÊÑ´¹¤¹¤ë¤¿¤á¤Î¥Á¥§¥¤¥ó)
+¤È¤¤¤¦ 2 ¤Ä¤ÎÁȤ߹þ¤ßºÑ¤ß¥Á¥§¥¤¥ó¤¬´Þ¤Þ¤ì¤Æ¤¤¤¿¡£
+¥«¡¼¥Í¥ë 2.4.18 ¤«¤é¤Ï¡¢¤³¤ì¤é¤Î¾¤Ë
+.B INPUT
+(¥Þ¥·¥ó¼«ÂΤËÆþ¤Ã¤Æ¤¯¤ë¥Ñ¥±¥Ã¥È¤ËÂФ¹¤ë¥Á¥§¥¤¥ó)¡¦
+.B FORWARD
+(¥Þ¥·¥ó¤ò·Ðͳ¤¹¤ë¥Ñ¥±¥Ã¥È¤ËÂФ¹¤ë¥Á¥§¥¤¥ó)¡¦
+.B POSTROUTING
+(¥Ñ¥±¥Ã¥È¤¬½Ð¤Æ¹Ô¤¯¤È¤¤ËÊÑ´¹¤¹¤ë¤¿¤á¤Î¥Á¥§¥¤¥ó)¡¦
+¤È¤¤¤¦ 3 ¤Ä¤ÎÁȤ߹þ¤ßºÑ¤ß¥Á¥§¥¤¥ó¤â¥µ¥Ý¡¼¥È¤µ¤ì¤ë¡£
+.RE
+.SH ¥ª¥×¥·¥ç¥ó
+.B ip6tables
+¤Ç»È¤¨¤ë¥ª¥×¥·¥ç¥ó¤Ï¡¢¤¤¤¯¤Ä¤«¤Î¥°¥ë¡¼¥×¤Ëʬ¤±¤é¤ì¤ë¡£
+.SS ¥³¥Þ¥ó¥É
+¤³¤ì¤é¤Î¥ª¥×¥·¥ç¥ó¤Ï¡¢¼Â¹Ô¤¹¤ëÆÃÄê¤ÎÆ°ºî¤ò»ØÄꤹ¤ë¡£
+°Ê²¼¤ÎÀâÌÀ¤Çµö²Ä¤µ¤ì¤Æ¤¤¤Ê¤¤¸Â¤ê¡¢
+¤³¤ÎÃæ¤Î 1 ¤Ä¤·¤«¥³¥Þ¥ó¥É¥é¥¤¥ó¤Ç»ØÄꤹ¤ë¤³¤È¤¬¤Ç¤¤Ê¤¤¡£
+Ť¤¥Ð¡¼¥¸¥ç¥ó¤Î¥³¥Þ¥ó¥É̾¤È¥ª¥×¥·¥ç¥ó̾¤Ï¡¢
+.B ip6tables
+¤¬Â¾¤Î¥³¥Þ¥ó¥É̾¤ä¥ª¥×¥·¥ç¥ó̾¤È¶èÊ̤Ǥ¤ëÈϰϤÇ
+(ʸ»ú¤ò¾Êά¤·¤Æ) »ØÄꤹ¤ë¤³¤È¤â¤Ç¤¤ë¡£
+.TP
+.BI "-A, --append " "chain rule-specification"
+ÁªÂò¤µ¤ì¤¿¥Á¥§¥¤¥ó¤ÎºÇ¸å¤Ë 1 ¤Ä°Ê¾å¤Î¥ë¡¼¥ë¤òÄɲ乤롣
+Á÷¿®¸µ¤äÁ÷¿®Àè¤Î̾Á°¤¬ 1 ¤Ä°Ê¾å¤Î¥¢¥É¥ì¥¹¤ËÂбþ¤·¤Æ¤¤¤ë¾ì¹ç¡¢
+²Äǽ¤Ê¥¢¥É¥ì¥¹¤ÎÁȹ礻¤Î¤½¤ì¤¾¤ì¤Ë¤Ä¤¤¤Æ¥ë¡¼¥ë¤¬Äɲ䵤ì¤ë¡£
+.TP
+.BI "-D, --delete " "chain rule-specification"
+.ns
+.TP
+.BI "-D, --delete " "chain rulenum"
+ÁªÂò¤µ¤ì¤¿¥Á¥§¥¤¥ó¤«¤é 1 ¤Ä°Ê¾å¤Î¥ë¡¼¥ë¤òºï½ü¤¹¤ë¡£
+¤³¤Î¥³¥Þ¥ó¥É¤Ë¤Ï 2 ¤Ä¤Î»È¤¤Êý¤¬¤¢¤ë:
+¥Á¥§¥¤¥ó¤ÎÃæ¤ÎÈÖ¹æ (ºÇ½é¤Î¥ë¡¼¥ë¤ò 1 ¤È¤¹¤ë) ¤ò»ØÄꤹ¤ë¾ì¹ç¤È¡¢
+¥Þ¥Ã¥Á¤¹¤ë¥ë¡¼¥ë¤ò»ØÄꤹ¤ë¾ì¹ç¤Ç¤¢¤ë¡£
+.TP
+.B "-I, --insert"
+ÁªÂò¤µ¤ì¤¿¥Á¥§¥¤¥ó¤Ë¥ë¡¼¥ëÈÖ¹æ¤ò»ØÄꤷ¤Æ 1 ¤Ä°Ê¾å¤Î¥ë¡¼¥ë¤òÁÞÆþ¤¹¤ë¡£
+¥ë¡¼¥ëÈֹ椬 1 ¤Î¾ì¹ç¡¢¥ë¡¼¥ë¤Ï¥Á¥§¥¤¥ó¤ÎÀèƬ¤ËÁÞÆþ¤µ¤ì¤ë¡£
+¤³¤ì¤Ï¥ë¡¼¥ëÈֹ椬»ØÄꤵ¤ì¤Ê¤¤¾ì¹ç¤Î¥Ç¥Õ¥©¥ë¥È¤Ç¤â¤¢¤ë¡£
+.TP
+.BI "-R, --replace " "chain rulenum rule-specification"
+ÁªÂò¤µ¤ì¤¿¥Á¥§¥¤¥ó¤Ë¤¢¤ë¥ë¡¼¥ë¤òÃÖ¤´¹¤¨¤ë¡£
+Á÷¿®¸µ¤äÁ÷¿®Àè¤Î̾Á°¤¬ 1 ¤Ä°Ê¾å¤Î¥¢¥É¥ì¥¹¤ËÂбþ¤·¤Æ¤¤¤ë¾ì¹ç¤Ï¼ºÇÔ¤¹¤ë¡£
+¥ë¡¼¥ë¤Ë¤Ï 1 ¤«¤é»Ï¤Þ¤ëÈֹ椬ÉÕ¤±¤é¤ì¤Æ¤¤¤ë¡£
+.TP
+.BR "-L, --list " "[\fIchain\fP]"
+ÁªÂò¤µ¤ì¤¿¥Á¥§¥¤¥ó¤Ë¤¢¤ëÁ´¤Æ¤Î¥ë¡¼¥ë¤ò°ìÍ÷ɽ¼¨¤¹¤ë¡£
+¥Á¥§¥¤¥ó¤¬»ØÄꤵ¤ì¤Ê¤¤¾ì¹ç¡¢Á´¤Æ¤Î¥Á¥§¥¤¥ó¤Ë¤¢¤ë¥ê¥¹¥È¤¬°ìÍ÷ɽ¼¨¤µ¤ì¤ë¡£
+¾¤Î³Æ iptables ¥³¥Þ¥ó¥É¤ÈƱÍͤˡ¢
+»ØÄꤵ¤ì¤¿¥Æ¡¼¥Ö¥ë (¥Ç¥Õ¥©¥ë¥È¤Ï filter) ¤ËÂФ·¤ÆºîÍѤ¹¤ë¡£
+¤è¤Ã¤Æ mangle ¥ë¡¼¥ë¤òɽ¼¨¤¹¤ë¤Ë¤Ï°Ê²¼¤Î¤è¤¦¤Ë¤¹¤ë¡£
+.nf
+ ip6tables -t mangle -n -L
+.fi
+DNS ¤ÎµÕ°ú¤¤òÈò¤±¤ë¤¿¤á¤Ë¡¢¤è¤¯
+.B -n
+¥ª¥×¥·¥ç¥ó¤È¶¦¤Ë»ÈÍѤµ¤ì¤ë¡£
+.B -Z
+(¥¼¥í²½) ¥ª¥×¥·¥ç¥ó¤òƱ»þ¤Ë»ØÄꤹ¤ë¤³¤È¤â¤Ç¤¤ë¡£
+¤³¤Î¾ì¹ç¡¢¥Á¥§¥¤¥ó¤ÏÍ×ÁÇËè¤Ë¥ê¥¹¥È¤µ¤ì¤Æ¡¢
+(ÌõÃð: ¥Ñ¥±¥Ã¥È¥«¥¦¥ó¥¿¤È¥Ð¥¤¥È¥«¥¦¥ó¥¿¤¬) ¥¼¥í¤Ë¤µ¤ì¤ë¡£
+¤É¤Î¤è¤¦¤Ë½ÐÎϤ¹¤ë¤«¤Ï¡¢Í¿¤¨¤é¤ì¤ë¾¤Î°ú¤¿ô¤Ë±Æ¶Á¤µ¤ì¤ë¡£
+.nf
+ ip6tables -L -v
+.fi
+¤ò»È¤ï¤Ê¤¤¸Â¤ê¡¢(ÌõÃð: -v ¥ª¥×¥·¥ç¥ó¤ò»ØÄꤷ¤Ê¤¤¸Â¤ê)
+¼ÂºÝ¤Î¥ë¡¼¥ë¤½¤Î¤â¤Î¤Ïɽ¼¨¤µ¤ì¤Ê¤¤¡£
+.TP
+.BR "-F, --flush " "[\fIchain\fP]"
+ÁªÂò¤µ¤ì¤¿¥Á¥§¥¤¥ó
+(²¿¤â»ØÄꤵ¤ì¤Ê¤±¤ì¤Ð¥Æ¡¼¥Ö¥ëÆâ¤ÎÁ´¤Æ¤Î¥Á¥§¥¤¥ó) ¤ÎÆâÍƤòÁ´¾Ãµî¤¹¤ë¡£
+¤³¤ì¤ÏÁ´¤Æ¤Î¥ë¡¼¥ë¤ò 1 ¸Ä¤º¤Äºï½ü¤¹¤ë¤Î¤ÈƱ¤¸¤Ç¤¢¤ë¡£
+.TP
+.BR "-Z, --zero " "[\fIchain\fP]"
+¤¹¤Ù¤Æ¤Î¥Á¥§¥¤¥ó¤Î¥Ñ¥±¥Ã¥È¥«¥¦¥ó¥¿¤È¥Ð¥¤¥È¥«¥¦¥ó¥¿¤ò¥¼¥í¤Ë¤¹¤ë¡£
+¥¯¥ê¥¢¤µ¤ì¤ëľÁ°¤Î¥«¥¦¥ó¥¿¤ò¸«¤ë¤¿¤á¤Ë¡¢
+.B "-L, --list"
+(°ìÍ÷ɽ¼¨) ¥ª¥×¥·¥ç¥ó¤ÈƱ»þ¤Ë»ØÄꤹ¤ë¤³¤È¤â¤Ç¤¤ë (¾åµ¤ò»²¾È)¡£
+.TP
+.BI "-N, --new-chain " "chain"
+»ØÄꤷ¤¿Ì¾Á°¤Ç¥æ¡¼¥¶¡¼ÄêµÁ¥Á¥§¥¤¥ó¤òºîÀ®¤¹¤ë¡£
+Ʊ¤¸Ì¾Á°¤Î¥¿¡¼¥²¥Ã¥È¤¬´û¤Ë¸ºß¤·¤Æ¤Ï¤Ê¤é¤Ê¤¤¡£
+.TP
+.BR "-X, --delete-chain " "[\fIchain\fP]"
+¥ª¥×¥·¥ç¥ó¤Î¥æ¡¼¥¶¡¼ÄêµÁ¥Á¥§¥¤¥ó¤òºï½ü¤¹¤ë¡£
+¤½¤Î¥Á¥§¥¤¥ó¤¬»²¾È¤µ¤ì¤Æ¤¤¤Æ¤Ï¤Ê¤é¤Ê¤¤¡£
+¥Á¥§¥¤¥ó¤òºï½ü¤¹¤ëÁ°¤Ë¡¢¤½¤Î¥Á¥§¥¤¥ó¤ò»²¾È¤·¤Æ¤¤¤ë¥ë¡¼¥ë¤ò
+ºï½ü¤¹¤ë¤«ÃÖ¤´¹¤¨¤ë¤«¤·¤Ê¤±¤ì¤Ð¤Ê¤é¤Ê¤¤¡£
+°ú¤¿ô¤¬Í¿¤¨¤é¤ì¤Ê¤¤¾ì¹ç¡¢¥Æ¡¼¥Ö¥ë¤Ë¤¢¤ë¥Á¥§¥¤¥ó¤Î¤¦¤Á
+ÁȤ߹þ¤ßºÑ¤ß¥Á¥§¥¤¥ó¤Ç¤Ê¤¤¤â¤Î¤òÁ´¤Æºï½ü¤¹¤ë¡£
+.TP
+.BI "-P, --policy " "chain target"
+¥Á¥§¥¤¥ó¤Î¥Ý¥ê¥·¡¼¤ò¡¢»ØÄꤷ¤¿¥¿¡¼¥²¥Ã¥È¤ËÀßÄꤹ¤ë¡£
+»ØÄê²Äǽ¤Ê¥¿¡¼¥²¥Ã¥È¤Ï¡Ö\fB¥¿¡¼¥²¥Ã¥È\fR¡×¤Î¾Ï¤ò»²¾È¤¹¤ë¤³¤È¡£
+(¥æ¡¼¥¶¡¼ÄêµÁ¤Ç¤Ï¤Ê¤¤) ÁȤ߹þ¤ßºÑ¤ß¥Á¥§¥¤¥ó¤Ë¤·¤«¥Ý¥ê¥·¡¼¤ÏÀßÄê¤Ç¤¤Ê¤¤¡£
+¤Þ¤¿¡¢ÁȤ߹þ¤ßºÑ¤ß¥Á¥§¥¤¥ó¤â¥æ¡¼¥¶¡¼ÄêµÁ¥Á¥§¥¤¥ó¤â
+¥Ý¥ê¥·¡¼¤Î¥¿¡¼¥²¥Ã¥È¤ËÀßÄꤹ¤ë¤³¤È¤Ï¤Ç¤¤Ê¤¤¡£
+.TP
+.BI "-E, --rename-chain " "old-chain new-chain"
+¥æ¡¼¥¶¡¼ÄêµÁ¥Á¥§¥¤¥ó¤ò»ØÄꤷ¤¿Ì¾Á°¤ËÊѹ¹¤¹¤ë¡£
+¤³¤ì¤Ï¸«¤¿ÌܤÀ¤±¤ÎÊѹ¹¤Ê¤Î¤Ç¡¢¥Æ¡¼¥Ö¥ë¤Î¹½Â¤¤Ë¤Ï²¿¤â±Æ¶Á¤·¤Ê¤¤¡£
+.TP
+.B -h
+¥Ø¥ë¥×¡£
+(º£¤Î¤È¤³¤í¤Ï¤È¤Æ¤â´Êñ¤Ê) ¥³¥Þ¥ó¥É½ñ¼°¤ÎÀâÌÀ¤òɽ¼¨¤¹¤ë¡£
+.SS ¥Ñ¥é¥á¡¼¥¿
+°Ê²¼¤Î¥Ñ¥é¥á¡¼¥¿¤Ï (add, delete, insert,
+replace, append ¥³¥Þ¥ó¥É¤ÇÍѤ¤¤é¤ì¤Æ) ¥ë¡¼¥ë¤Î»ÅÍͤò·è¤á¤ë¡£
+.TP
+.BR "-p, --protocol " "[!] \fIprotocol\fP"
+¥ë¡¼¥ë¤Ç»È¤ï¤ì¤ë¥×¥í¥È¥³¥ë¡¢¤Þ¤¿¤Ï¥Á¥§¥Ã¥¯¤µ¤ì¤ë¥Ñ¥±¥Ã¥È¤Î¥×¥í¥È¥³¥ë¡£
+»ØÄê¤Ç¤¤ë¥×¥í¥È¥³¥ë¤Ï¡¢
+.IR tcp ,
+.IR udp ,
+.IR ipv6-icmp|icmpv6 ,
+.I all
+¤Î¤¤¤º¤ì¤« 1 ¤Ä¤«¡¢¿ôÃͤǤ¢¤ë¡£
+¿ôÃͤϡ¢¤³¤ì¤é¤Î¥×¥í¥È¥³¥ë¤Î 1 ¤Ä¡¢¤â¤·¤¯¤ÏÊ̤Υץí¥È¥³¥ë¤òɽ¤¹¡£
+/etc/protocols ¤Ë¤¢¤ë¥×¥í¥È¥³¥ë̾¤â»ØÄê¤Ç¤¤ë¡£
+¥×¥í¥È¥³¥ë¤ÎÁ°¤Ë "!" ¤òÃÖ¤¯¤È¡¢¤½¤Î¥×¥í¥È¥³¥ë¤ò»ØÄꤷ¤Ê¤¤¤È¤¤¤¦°ÕÌ£¤Ë¤Ê¤ë¡£
+¿ôÃÍ 0 ¤Ï
+.I all
+¤ÈÅù¤·¤¤¡£
+¥×¥í¥È¥³¥ë
+.I all
+¤ÏÁ´¤Æ¤Î¥×¥í¥È¥³¥ë¤È¥Þ¥Ã¥Á¤·¡¢
+¤³¤Î¥ª¥×¥·¥ç¥ó¤¬¾Êά¤µ¤ì¤¿ºÝ¤Î¥Ç¥Õ¥©¥ë¥È¤Ç¤¢¤ë¡£
+.TP
+.BR "-s, --source " "[!] \fIaddress\fP[/\fImask\fP]"
+Á÷¿®¸µ¤Î»ØÄê¡£
+.I address
+¤Ï¥Û¥¹¥È̾ (DNS ¤Î¤è¤¦¤Ê¥ê¥â¡¼¥È¤Ø¤ÎÌ䤤¹ç¤ï¤»¤Ç²ò·è¤¹¤ë̾Á°¤ò»ØÄꤹ¤ë¤Î¤Ï
+Èó¾ï¤ËÎɤ¯¤Ê¤¤)¡¦
+¥Í¥Ã¥È¥ï¡¼¥¯ IPv6 ¥¢¥É¥ì¥¹ (/mask ¤ò»ØÄꤹ¤ë)¡¦
+Ä̾ï¤Î IPv6 ¥¢¥É¥ì¥¹
+(º£¤Î¤È¤³¤í¡¢¥Í¥Ã¥È¥ï¡¼¥¯Ì¾¤Ï¥µ¥Ý¡¼¥È¤µ¤ì¤Æ¤¤¤Ê¤¤)¡¢¤Î¤¤¤º¤ì¤«¤Ç¤¢¤ë¡£
+.I mask
+¤Ï¥Í¥Ã¥È¥ï¡¼¥¯¥Þ¥¹¥¯¤«¡¢
+¥Í¥Ã¥È¥ï¡¼¥¯¥Þ¥¹¥¯¤Îº¸Â¦¤Ë¤¢¤ë 1 ¤Î¿ô¤ò»ØÄꤹ¤ë¿ôÃͤǤ¢¤ë¡£
+¤Ä¤Þ¤ê¡¢
+.I 64
+¤È¤¤¤¦ mask ¤Ï
+.I ffff:ffff:ffff:ffff:0000:0000:0000:0000
+¤ËÅù¤·¤¤¡£
+¥¢¥É¥ì¥¹»ØÄê¤ÎÁ°¤Ë "!" ¤òÃÖ¤¯¤È¡¢¤½¤Î¥¢¥É¥ì¥¹¤ò½ü³°¤¹¤ë¤È¤¤¤¦°ÕÌ£¤Ë¤Ê¤ë¡£
+¥Õ¥é¥°
+.B --src
+¤Ï¡¢¤³¤Î¥ª¥×¥·¥ç¥ó¤ÎÊÌ̾¤Ç¤¢¤ë¡£
+.TP
+.BR "-d, --destination " "[!] \fIaddress\fP[/\fImask\fP]"
+Á÷¿®Àè¤Î»ØÄê¡£
+½ñ¼°¤Î¾Ü¤·¤¤ÀâÌÀ¤Ë¤Ä¤¤¤Æ¤Ï¡¢
+.B -s
+(Á÷¿®¸µ) ¥Õ¥é¥°¤ÎÀâÌÀ¤ò»²¾È¤¹¤ë¤³¤È¡£
+¥Õ¥é¥°
+.B --dst
+¤Ï¡¢¤³¤Î¥ª¥×¥·¥ç¥ó¤ÎÊÌ̾¤Ç¤¢¤ë¡£
+.TP
+.BI "-j, --jump " "target"
+¥ë¡¼¥ë¤Î¥¿¡¼¥²¥Ã¥È¡¢¤Ä¤Þ¤ê¡¢
+¥Ñ¥±¥Ã¥È¤¬¥Þ¥Ã¥Á¤·¤¿¾ì¹ç¤Ë¤É¤¦¤¹¤ë¤«¤ò»ØÄꤹ¤ë¡£
+¥¿¡¼¥²¥Ã¥È¤Ï¥æ¡¼¥¶¡¼ÄêµÁ¥Á¥§¥¤¥ó
+(¤½¤Î¥ë¡¼¥ë¼«¿È¤¬Æþ¤Ã¤Æ¤¤¤ë¥Á¥§¥¤¥ó°Ê³°) ¤Ç¤â¡¢
+¥Ñ¥±¥Ã¥È¤Î¹ÔÊý¤ò¨»þ¤Ë·èÄꤹ¤ëÆÃÊ̤ÊÁȤ߹þ¤ßºÑ¤ß¥¿¡¼¥²¥Ã¥È¤Ç¤â¡¢
+³ÈÄ¥¤µ¤ì¤¿¥¿¡¼¥²¥Ã¥È (°Ê²¼¤Î
+.RB ¡Ö ¥¿¡¼¥²¥Ã¥È¤Î³ÈÄ¥ ¡×
+¤ò»²¾È) ¤Ç¤â¤è¤¤¡£
+¤³¤Î¥ª¥×¥·¥ç¥ó¤¬¥ë¡¼¥ë¤ÎÃæ¤Ç¾Êά¤µ¤ì¤¿¾ì¹ç¡¢
+¥ë¡¼¥ë¤Ë¥Þ¥Ã¥Á¤·¤Æ¤â¥Ñ¥±¥Ã¥È¤Î¹ÔÊý¤Ë²¿¤â±Æ¶Á¤·¤Ê¤¤¤¬¡¢
+¥ë¡¼¥ë¤Î¥«¥¦¥ó¥¿¤Ï 1 ¤Ä²Ã»»¤µ¤ì¤ë¡£
+.TP
+.BR "-i, --in-interface " "[!] \fIname\fP"
+.RB ( INPUT ,
+.BR FORWARD ,
+.B PREROUTING
+¥Á¥§¥¤¥ó¤Î¤ß¤ËÆþ¤ë) ¥Ñ¥±¥Ã¥È¤ò¼õ¿®¤¹¤ë¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹Ì¾¡£
+¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹Ì¾¤ÎÁ°¤Ë "!" ¤òÃÖ¤¯¤È¡¢
+¤½¤Î¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹¤ò½ü³°¤¹¤ë¤È¤¤¤¦°ÕÌ£¤Ë¤Ê¤ë¡£
+¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹Ì¾¤¬ "+" ¤Ç½ª¤Ã¤Æ¤¤¤ë¾ì¹ç¡¢
+¤½¤Î̾Á°¤Ç»Ï¤Þ¤ëǤ°Õ¤Î¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹Ì¾¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
+¤³¤Î¥ª¥×¥·¥ç¥ó¤¬¾Êά¤µ¤ì¤¿¾ì¹ç¡¢
+Ǥ°Õ¤Î¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹Ì¾¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
+.TP
+.BR "-o, --out-interface " "[!] \fIname\fP"
+.RB ( FORWARD ,
+.B OUTPUT
+¥Á¥§¥¤¥ó¤ËÆþ¤ë) ¥Ñ¥±¥Ã¥È¤òÁ÷¿®¤¹¤ë¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹Ì¾¡£
+¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹Ì¾¤ÎÁ°¤Ë "!" ¤òÃÖ¤¯¤È¡¢
+¤½¤Î¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹¤ò½ü³°¤¹¤ë¤È¤¤¤¦°ÕÌ£¤Ë¤Ê¤ë¡£
+¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹Ì¾¤¬ "+" ¤Ç½ª¤Ã¤Æ¤¤¤ë¾ì¹ç¡¢
+¤½¤Î̾Á°¤Ç»Ï¤Þ¤ëǤ°Õ¤Î¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹Ì¾¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
+¤³¤Î¥ª¥×¥·¥ç¥ó¤¬¾Êά¤µ¤ì¤¿¾ì¹ç¡¢
+Ǥ°Õ¤Î¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹Ì¾¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
+.TP
+.\" (¥Ø¥Ã¥À¤Ë´ð¤Å¤¯¤â¤Î¤Ï) º£¤Î¤È¤³¤í¥µ¥Ý¡¼¥È¤µ¤ì¤Æ¤¤¤Ê¤¤¡£
+.\"
+.\" .B "[!] " "-f, --fragment"
+.\" ¤³¤Î¥ª¥×¥·¥ç¥ó¤Ï¡¢Ê¬³ä¤µ¤ì¤¿¥Ñ¥±¥Ã¥È (fragmented packet) ¤Î¤¦¤Á
+.\" 2 ÈÖÌܰʹߤΥѥ±¥Ã¥È¤À¤±¤ò»²¾È¤¹¤ë¥ë¡¼¥ë¤Ç¤¢¤ë¤³¤È¤ò°ÕÌ£¤·¤Æ¤¤¤ë¡£
+.\" ¤³¤Î¤è¤¦¤Ê¥Ñ¥±¥Ã¥È (¤Þ¤¿¤Ï ICMP ¥¿¥¤¥×¤Î¥Ñ¥±¥Ã¥È) ¤Ï
+.\" Á÷¿®¸µ¡¦Á÷¿®Àè¥Ý¡¼¥È¤òÃΤëÊýË¡¤¬¤Ê¤¤¤Î¤Ç¡¢
+.\" Á÷¿®¸µ¤äÁ÷¿®Àè¤ò»ØÄꤹ¤ë¤è¤¦¤Ê¥ë¡¼¥ë¤Ë¤Ï¥Þ¥Ã¥Á¤·¤Ê¤¤¡£
+.\" "-f" ¥Õ¥é¥°¤ÎÁ°¤Ë "!" ¤òÃÖ¤¯¤È¡¢
+.\" ʬ³ä¤µ¤ì¤¿¥Ñ¥±¥Ã¥È¤Î¤¦¤ÁºÇ½é¤Î¤â¤Î¤«¡¢
+.\" ʬ³ä¤µ¤ì¤Æ¤¤¤Ê¤¤¥Ñ¥±¥Ã¥È¤À¤±¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
+.\" .TP
+.B "-c, --set-counters " "PKTS BYTES"
+¤³¤Î¥ª¥×¥·¥ç¥ó¤ò»È¤¦¤È¡¢
+.RB ( insert ,
+.BR append ,
+.B replace
+Áàºî¤Ë¤ª¤¤¤Æ) ´ÉÍý¼Ô¤Ï¥Ñ¥±¥Ã¥È¥«¥¦¥ó¥¿¤È¥Ð¥¤¥È¥«¥¦¥ó¥¿¤ò
+½é´ü²½¤¹¤ë¤³¤È¤¬¤Ç¤¤ë¡£
+.SS ¤½¤Î¾¤Î¥ª¥×¥·¥ç¥ó
+¤½¤Î¾¤Ë°Ê²¼¤Î¥ª¥×¥·¥ç¥ó¤ò»ØÄꤹ¤ë¤³¤È¤¬¤Ç¤¤ë:
+.TP
+.B "-v, --verbose"
+¾ÜºÙ¤Ê½ÐÎϤò¹Ô¤¦¡£
+list ¥³¥Þ¥ó¥É¤ÎºÝ¤Ë¡¢¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹Ì¾¡¦
+(¤â¤·¤¢¤ì¤Ð) ¥ë¡¼¥ë¤Î¥ª¥×¥·¥ç¥ó¡¦TOS ¥Þ¥¹¥¯¤òɽ¼¨¤µ¤»¤ë¡£
+¥Ñ¥±¥Ã¥È¤È¥Ð¥¤¥È¥«¥¦¥ó¥¿¤âɽ¼¨¤µ¤ì¤ë¡£
+ź»ú 'K', 'M', 'G' ¤Ï¡¢
+¤½¤ì¤¾¤ì 1000, 1,000,000, 1,000,000,000 Çܤòɽ¤¹
+(¤³¤ì¤òÊѹ¹¤¹¤ë
+.B -x
+¥Õ¥é¥°¤â¸«¤è)¡£
+¤³¤Î¥ª¥×¥·¥ç¥ó¤ò append, insert, delete, replace ¥³¥Þ¥ó¥É¤ËŬÍѤ¹¤ë¤È¡¢
+¥ë¡¼¥ë¤Ë¤Ä¤¤¤Æ¤Î¾ÜºÙ¤Ê¾ðÊó¤òɽ¼¨¤¹¤ë¡£
+.TP
+.B "-n, --numeric"
+¿ôÃͤˤè¤ë½ÐÎϤò¹Ô¤¦¡£
+IP ¥¢¥É¥ì¥¹¤ä¥Ý¡¼¥ÈÈÖ¹æ¤ò¿ôÃͤˤè¤ë¥Õ¥©¡¼¥Þ¥Ã¥È¤Çɽ¼¨¤¹¤ë¡£
+¥Ç¥Õ¥©¥ë¥È¤Ç¤Ï¡¢¤³¤Î¥×¥í¥°¥é¥à¤Ï (²Äǽ¤Ç¤¢¤ì¤Ð) ¤³¤ì¤é¤Î¾ðÊó¤ò
+¥Û¥¹¥È̾¡¦¥Í¥Ã¥È¥ï¡¼¥¯Ì¾¡¦¥µ¡¼¥Ó¥¹Ì¾¤Çɽ¼¨¤·¤è¤¦¤È¤¹¤ë¡£
+.TP
+.B "-x, --exact"
+¸·Ì©¤Ê¿ôÃͤÇɽ¼¨¤¹¤ë¡£
+¥Ñ¥±¥Ã¥È¥«¥¦¥ó¥¿¤È¥Ð¥¤¥È¥«¥¦¥ó¥¿¤ò¡¢
+K (1000 ¤Î²¿Çܤ«)¡¦M (1000K ¤Î²¿Çܤ«)¡¦G (1000M ¤Î²¿Çܤ«) ¤Ç¤Ï¤Ê¤¯¡¢
+¸·Ì©¤ÊÃͤÇɽ¼¨¤¹¤ë¡£
+¤³¤Î¥ª¥×¥·¥ç¥ó¤Ï¡¢
+.B -L
+¥³¥Þ¥ó¥É¤È¤·¤«´Ø·¸¤·¤Ê¤¤¡£
+.TP
+.B "--line-numbers"
+¥ë¡¼¥ë¤ò°ìÍ÷ɽ¼¨¤¹¤ëºÝ¡¢¤½¤Î¥ë¡¼¥ë¤¬¥Á¥§¥¤¥ó¤Î¤É¤Î°ÌÃ֤ˤ¢¤ë¤«¤òɽ¤¹
+¹ÔÈÖ¹æ¤ò³Æ¹Ô¤Î»Ï¤á¤ËÉղ乤롣
+.TP
+.B "--modprobe=command"
+¥Á¥§¥¤¥ó¤Ë¥ë¡¼¥ë¤òÄɲäޤ¿¤ÏÁÞÆþ¤¹¤ëºÝ¤Ë¡¢
+(¥¿¡¼¥²¥Ã¥È¤ä¥Þ¥Ã¥Á¥ó¥°¤Î³ÈÄ¥¤Ê¤É¤Ç) ɬÍפʥ⥸¥å¡¼¥ë¤ò¥í¡¼¥É¤¹¤ë¤¿¤á¤Ë»È¤¦
+.B command
+¤ò»ØÄꤹ¤ë¡£
+.SH ¥Þ¥Ã¥Á¥ó¥°¤Î³ÈÄ¥
+ip6tables ¤Ï³ÈÄ¥¤µ¤ì¤¿¥Ñ¥±¥Ã¥È¥Þ¥Ã¥Á¥ó¥°¥â¥¸¥å¡¼¥ë¤ò»È¤¦¤³¤È¤¬¤Ç¤¤ë¡£
+¤³¤ì¤é¤Î¥â¥¸¥å¡¼¥ë¤Ï 2 ¼ïÎà¤ÎÊýË¡¤Ç¥í¡¼¥É¤µ¤ì¤ë:
+¥â¥¸¥å¡¼¥ë¤Ï¡¢
+.B -p
+¤Þ¤¿¤Ï
+.B --protocol
+¤Ç°ÅÌۤΤ¦¤Á¤Ë»ØÄꤵ¤ì¤ë¤«¡¢
+.B -m
+¤Þ¤¿¤Ï
+.B --match
+¤Î¸å¤Ë¥â¥¸¥å¡¼¥ë̾¤ò³¤±¤Æ»ØÄꤵ¤ì¤ë¡£
+¤³¤ì¤é¤Î¥â¥¸¥å¡¼¥ë¤Î¸å¤í¤Ë¤Ï¡¢¥â¥¸¥å¡¼¥ë¤Ë±þ¤¸¤Æ
+¾¤Î¤¤¤í¤¤¤í¤Ê¥³¥Þ¥ó¥É¥é¥¤¥ó¥ª¥×¥·¥ç¥ó¤ò»ØÄꤹ¤ë¤³¤È¤¬¤Ç¤¤ë¡£
+Ê£¿ô¤Î³ÈÄ¥¥Þ¥Ã¥Á¥ó¥°¥â¥¸¥å¡¼¥ë¤ò 1 ¹Ô¤Ç»ØÄꤹ¤ë¤³¤È¤¬¤Ç¤¤ë¡£
+¤Þ¤¿¡¢¥â¥¸¥å¡¼¥ë¤ËÆÃͤΥإë¥×¤òɽ¼¨¤µ¤»¤ë¤¿¤á¤Ë¤Ï¡¢
+¥â¥¸¥å¡¼¥ë¤ò»ØÄꤷ¤¿¸å¤Ç
+.B -h
+¤Þ¤¿¤Ï
+.B --help
+¤ò»ØÄꤹ¤ì¤Ð¤è¤¤¡£
+
+°Ê²¼¤Î³ÈÄ¥¤¬¥Ù¡¼¥¹¥Ñ¥Ã¥±¡¼¥¸¤Ë´Þ¤Þ¤ì¤Æ¤¤¤ë¡£
+ÂçÉôʬ¤Î¤â¤Î¤Ï¡¢¥Þ¥Ã¥Á¥ó¥°¤Î°ÕÌ£¤òµÕ¤Ë¤¹¤ë¤¿¤á¤Ë
+.B !
+¤òÁ°¤Ë¤ª¤¯¤³¤È¤¬¤Ç¤¤ë¡£
+.SS tcp
+¤³¤ì¤é¤Î³ÈÄ¥¤Ï `--protocol tcp' ¤¬»ØÄꤵ¤ì¾ì¹ç¤Ë¥í¡¼¥É¤µ¤ì¡¢
+°Ê²¼¤Î¥ª¥×¥·¥ç¥ó¤¬Ä󶡤µ¤ì¤ë:
+.TP
+.BR "--source-port " "[!] \fIport\fP[:\fIport\fP]"
+Á÷¿®¸µ¥Ý¡¼¥È¤Þ¤¿¤Ï¥Ý¡¼¥ÈÈϰϤλØÄê¡£
+¥µ¡¼¥Ó¥¹Ì¾¤Þ¤¿¤Ï¥Ý¡¼¥ÈÈÖ¹æ¤ò»ØÄê¤Ç¤¤ë¡£
+.IR port : port
+¤È¤¤¤¦·Á¼°¤Ç¡¢2 ¤Ä¤ÎÈÖ¹æ¤ò´Þ¤àÈϰϤò»ØÄꤹ¤ë¤³¤È¤â¤Ç¤¤ë¡£
+ºÇ½é¤Î¥Ý¡¼¥È¤ò¾Êά¤·¤¿¾ì¹ç¡¢"0" ¤ò²¾Äꤹ¤ë¡£
+ºÇ¸å¤Î¥Ý¡¼¥È¤ò¾Êά¤·¤¿¾ì¹ç¡¢"65535" ¤ò²¾Äꤹ¤ë¡£
+ºÇ¸å¤Î¥Ý¡¼¥È¤¬ºÇ½é¤Î¥Ý¡¼¥È¤è¤êÂ礤¤¾ì¹ç¡¢2 ¤Ä¤ÏÆþ¤ì´¹¤¨¤é¤ì¤ë¡£
+¥Õ¥é¥°
+.B --sport
+¤Ï¡¢¤³¤Î¥ª¥×¥·¥ç¥ó¤ÎÊØÍø¤ÊÊÌ̾¤Ç¤¢¤ë¡£
+.TP
+.BR "--destination-port " "[!] \fIport\fP[:\fIport\fP]"
+Á÷¿®Àè¥Ý¡¼¥È¤Þ¤¿¤Ï¥Ý¡¼¥ÈÈϰϤλØÄê¡£
+¥Õ¥é¥°
+.B --dport
+¤Ï¡¢¤³¤Î¥ª¥×¥·¥ç¥ó¤ÎÊØÍø¤ÊÊÌ̾¤Ç¤¢¤ë¡£
+.TP
+.BR "--tcp-flags " "[!] \fImask\fP \fIcomp\fP"
+»ØÄꤵ¤ì¤Æ¤¤¤ë¤è¤¦¤Ê TCP ¥Õ¥é¥°¤Î¾ì¹ç¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
+Âè 1 °ú¤¿ô¤Ïɾ²Á¤µ¤ì¤ë¥Õ¥é¥°¤Ç¡¢¥³¥ó¥Þ¤Çʬ¤±¤é¤ì¤¿¥ê¥¹¥È¤Ç½ñ¤«¤ì¤ë¡£
+Âè 2 °ú¤¿ô¤ÏÀßÄꤵ¤ì¤Æ¤¤¤Ê¤±¤ì¤Ð¤Ê¤é¤Ê¤¤¥Õ¥é¥°¤Ç¡¢
+¥³¥ó¥Þ¤Çʬ¤±¤é¤ì¤¿¥ê¥¹¥È¤Ç½ñ¤«¤ì¤ë¡£
+»ØÄê¤Ç¤¤ë¥Õ¥é¥°¤Ï
+.B "SYN ACK FIN RST URG PSH ALL NONE"
+¤Ç¤¢¤ë¡£
+¤è¤Ã¤Æ¡¢¥³¥Þ¥ó¥É
+.nf
+ip6tables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN
+.fi
+¤Ï¡¢SYN ¥Õ¥é¥°¤¬ÀßÄꤵ¤ì ACK, FIN, RST ¥Õ¥é¥°¤¬ÀßÄꤵ¤ì¤Æ¤¤¤Ê¤¤
+¥Ñ¥±¥Ã¥È¤Ë¤Î¤ß¥Þ¥Ã¥Á¤¹¤ë¡£
+.TP
+.B "[!] --syn"
+SYN ¥Ó¥Ã¥È¤¬ÀßÄꤵ¤ì ACK ¤È RST ¥Ó¥Ã¥È¤¬¥¯¥ê¥¢¤µ¤ì¤Æ¤¤¤ë
+TCP ¥Ñ¥±¥Ã¥È¤Ë¤Î¤ß¥Þ¥Ã¥Á¤¹¤ë¡£
+¤³¤Î¤è¤¦¤Ê¥Ñ¥±¥Ã¥È¤Ï TCP Àܳ¤Î³«»ÏÍ×µá¤Ë»È¤ï¤ì¤ë¡£
+Î㤨¤Ð¡¢¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹¤ËÆþ¤Ã¤Æ¤¯¤ë¤³¤Î¤è¤¦¤Ê¥Ñ¥±¥Ã¥È¤ò¥Ö¥í¥Ã¥¯¤¹¤ì¤Ð¡¢
+Æ⦤ؤΠTCP Àܳ¤Ï¶Ø»ß¤µ¤ì¤ë¤¬¡¢³°Â¦¤Ø¤Î TCP Àܳ¤Ë¤Ï±Æ¶Á¤·¤Ê¤¤¡£
+¤³¤ì¤Ï \fB--tcp-flags SYN,RST,ACK SYN\fP ¤ÈÅù¤·¤¤¡£
+"--syn" ¤ÎÁ°¤Ë "!" ¥Õ¥é¥°¤òÃÖ¤¯¤È¡¢
+SYN ¥Ó¥Ã¥È¤¬¥¯¥ê¥¢¤µ¤ì ACK ¤È FIN ¥Ó¥Ã¥È¤¬ÀßÄꤵ¤ì¤Æ¤¤¤ë
+TCP ¥Ñ¥±¥Ã¥È¤Ë¤Î¤ß¥Þ¥Ã¥Á¤¹¤ë¡£
+.TP
+.BR "--tcp-option " "[!] \fInumber\fP"
+TCP ¥ª¥×¥·¥ç¥ó¤¬ÀßÄꤵ¤ì¤Æ¤¤¤ë¾ì¹ç¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
+.SS udp
+¤³¤ì¤é¤Î³ÈÄ¥¤Ï `--protocol udp' ¤¬»ØÄꤵ¤ì¤¿¾ì¹ç¤Ë¥í¡¼¥É¤µ¤ì¡¢
+°Ê²¼¤Î¥ª¥×¥·¥ç¥ó¤¬Ä󶡤µ¤ì¤ë:
+.TP
+.BR "--source-port " "[!] \fIport\fP[:\fIport\fP]"
+Á÷¿®¸µ¥Ý¡¼¥È¤Þ¤¿¤Ï¥Ý¡¼¥ÈÈϰϤλØÄê¡£
+¾ÜºÙ¤Ï TCP ³ÈÄ¥¤Î
+.B --source-port
+¥ª¥×¥·¥ç¥ó¤ÎÀâÌÀ¤ò»²¾È¤¹¤ë¤³¤È¡£
+.TP
+.BR "--destination-port " "[!] \fIport\fP[:\fIport\fP]"
+Á÷¿®Àè¥Ý¡¼¥È¤Þ¤¿¤Ï¥Ý¡¼¥ÈÈϰϤλØÄê¡£
+¾ÜºÙ¤Ï TCP ³ÈÄ¥¤Î
+.B --destination-port
+¥ª¥×¥·¥ç¥ó¤ÎÀâÌÀ¤ò»²¾È¤¹¤ë¤³¤È¡£
+.SS ipv6-icmp
+¤³¤ì¤é¤Î³ÈÄ¥¤Ï `--protocol ipv6-icmp'
+¤Þ¤¿¤Ï `--protocol icmpv6' ¤¬»ØÄꤵ¤ì¤¿¾ì¹ç¤Ë¥í¡¼¥É¤µ¤ì¡¢
+°Ê²¼¤Î¥ª¥×¥·¥ç¥ó¤¬Ä󶡤µ¤ì¤ë:
+.TP
+.BR "--icmpv6-type " "[!] \fItypename\fP"
+¿ôÃͤΠIPv6-ICMP ¥¿¥¤¥×¡¢¤Þ¤¿¤Ï¥³¥Þ¥ó¥É
+.nf
+ ip6tables -p ipv6-icmp -h
+.fi
+¤Çɽ¼¨¤µ¤ì¤ë IPv6-ICMP ¥¿¥¤¥×̾¤ò»ØÄê¤Ç¤¤ë¡£
+.SS mac
+.TP
+.BR "--mac-source " "[!] \fIaddress\fP"
+Á÷¿®¸µ MAC ¥¢¥É¥ì¥¹¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
+.I address
+¤Ï XX:XX:XX:XX:XX:XX ¤È¤¤¤¦·Á¼°¤Ç¤Ê¤±¤ì¤Ð¤Ê¤é¤Ê¤¤¡£
+¥¤¡¼¥µ¡¼¥Í¥Ã¥È¥Ç¥Ð¥¤¥¹¤«¤éÆþ¤Ã¤Æ¤¯¤ë¥Ñ¥±¥Ã¥È¤Ç¡¢
+.BR PREROUTING ,
+.BR FORWARD ,
+.B INPUT
+¥Á¥§¥¤¥ó¤ËÆþ¤ë¥Ñ¥±¥Ã¥È¤Ë¤·¤«°ÕÌ£¤¬¤Ê¤¤ÅÀ¤ËÃí°Õ¤¹¤ë¤³¤È¡£
+.SS limit
+¤³¤Î¥â¥¸¥å¡¼¥ë¤Ï¡¢¥È¡¼¥¯¥ó¥Ð¥±¥Ä¥Õ¥£¥ë¥¿¤ò»È¤¤¡¢
+ñ°Ì»þ´Ö¤¢¤¿¤êÀ©¸Â¤µ¤ì¤¿²ó¿ô¤À¤±¥Þ¥Ã¥Á¤¹¤ë¡£
+¤³¤Î³ÈÄ¥¤ò»È¤Ã¤¿¥ë¡¼¥ë¤Ï¡¢(`!' ¥Õ¥é¥°¤¬»ØÄꤵ¤ì¤Ê¤¤¸Â¤ê)
+À©¸Â¤Ë㤹¤ë¤Þ¤Ç¥Þ¥Ã¥Á¤¹¤ë¡£
+¤³¤Î¥â¥¸¥å¡¼¥ë¤Ï¡¢¥í¥°µÏ¿¤òÀ©¸Â¤¹¤ë
+.B LOG
+¥¿¡¼¥²¥Ã¥È¤ÈÁȤ߹ç¤ï¤»¤Æ»È¤¦¤³¤È¤¬¤Ç¤¤ë¡£
+¤¿¤È¤¨¤Ð¡¢
+.TP
+.BI "--limit " "rate"
+ñ°Ì»þ´Ö¤¢¤¿¤ê¤ÎÊ¿¶Ñ¥Þ¥Ã¥Á²ó¿ô¤ÎºÇÂçÃÍ¡£
+¿ôÃͤǻØÄꤵ¤ì¡¢Åº»ú `/second', `/minute',
+`/hour', `/day' ¤òÉÕ¤±¤ë¤³¤È¤â¤Ç¤¤ë¡£
+¥Ç¥Õ¥©¥ë¥È¤Ï 3/hour ¤Ç¤¢¤ë¡£
+.TP
+.BI "--limit-burst " "number"
+¥Ñ¥±¥Ã¥È¤¬¥Þ¥Ã¥Á¤¹¤ë²ó¿ô¤ÎºÇÂç½é´üÃÍ:
+¾å¤Î¥ª¥×¥·¥ç¥ó¤Ç»ØÄꤷ¤¿À©¸Â¤Ë㤷¤Ê¤±¤ì¤Ð¡¢
+¤½¤ÎÅÙ¤´¤È¤Ë¡¢¤³¤Î¿ôÃͤˤʤë¤Þ¤Ç 1 ¸Ä¤º¤ÄÁý¤ä¤µ¤ì¤ë¡£
+¥Ç¥Õ¥©¥ë¥È¤Ï 5 ¤Ç¤¢¤ë¡£
+.SS multiport
+¤³¤Î¥â¥¸¥å¡¼¥ë¤ÏÁ÷¿®¸µ¤äÁ÷¿®Àè¤Î¥Ý¡¼¥È¤Î½¸¹ç¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
+¥Ý¡¼¥È¤Ï 15 ¸Ä¤Þ¤Ç»ØÄê¤Ç¤¤ë¡£
+¤³¤Î¥â¥¸¥å¡¼¥ë¤Ï
+.B "-p tcp"
+¤Þ¤¿¤Ï
+.B "-p udp"
+¤ÈÁȤ߹ç¤ï¤»¤Æ»È¤¦¤³¤È¤·¤«¤Ç¤¤Ê¤¤¡£
+.TP
+.BR "--source-ports " "\fIport\fP[,\fIport\fP[,\fIport\fP...]]"
+Á÷¿®¸µ¥Ý¡¼¥È¤¬»ØÄꤵ¤ì¤¿¥Ý¡¼¥È¤Î¤¦¤Á¤Î¤¤¤º¤ì¤«¤Ç¤¢¤ì¤Ð¥Þ¥Ã¥Á¤¹¤ë¡£
+¥Õ¥é¥°
+.B --sports
+¤Ï¡¢¤³¤Î¥ª¥×¥·¥ç¥ó¤ÎÊØÍø¤ÊÊÌ̾¤Ç¤¢¤ë¡£
+.TP
+.BR "--destination-ports " "\fIport\fP[,\fIport\fP[,\fIport\fP...]]"
+Á÷¿®Àè¥Ý¡¼¥È¤¬»ØÄꤵ¤ì¤¿¥Ý¡¼¥È¤Î¤¦¤Á¤Î¤¤¤º¤ì¤«¤Ç¤¢¤ì¤Ð¥Þ¥Ã¥Á¤¹¤ë¡£
+¥Õ¥é¥°
+.B --dports
+¤Ï¡¢¤³¤Î¥ª¥×¥·¥ç¥ó¤ÎÊØÍø¤ÊÊÌ̾¤Ç¤¢¤ë¡£
+.TP
+.BR "--ports " "\fIport\fP[,\fIport\fP[,\fIport\fP...]]"
+Á÷¿®¸µ¤ÈÁ÷¿®Àè¥Ý¡¼¥È¤ÎξÊý¤¬¸ß¤¤¤ËÅù¤·¤¤¤«¡¢
+»ØÄꤵ¤ì¤¿¥Ý¡¼¥È¤Î¤¦¤Á¤Î¤¤¤º¤ì¤«¤Ç¤¢¤ì¤Ð¥Þ¥Ã¥Á¤¹¤ë¡£
+.SS mark
+¤³¤Î¥â¥¸¥å¡¼¥ë¤Ï¥Ñ¥±¥Ã¥È¤Ë´ØÏ¢¤Å¤±¤é¤ì¤¿
+netfilter ¤Î mark ¥Õ¥£¡¼¥ë¥É¤Ë¥Þ¥Ã¥Á¤¹¤ë
+(¤³¤Î¥Õ¥£¡¼¥ë¥É¤Ï¡¢°Ê²¼¤Î
+.B MARK
+¥¿¡¼¥²¥Ã¥È¤ÇÀßÄꤵ¤ì¤ë)¡£
+.TP
+.BR "--mark " "\fIvalue\fP[/\fImask\fP]"
+»ØÄꤵ¤ì¤¿Éä¹æ¤Ê¤· mark ÃͤΥѥ±¥Ã¥È¤Ë¥Þ¥Ã¥Á¤¹¤ë
+(mask ¤¬»ØÄꤵ¤ì¤ë¤È¡¢Èæ³Ó¤ÎÁ°¤Ë mask ¤È¤ÎÏÀÍýÀÑ (AND) ¤¬¤È¤é¤ì¤ë)¡£
+.SS owner
+¤³¤Î¥â¥¸¥å¡¼¥ë¤Ï¡¢¥í¡¼¥«¥ë¤ÇÀ¸À®¤µ¤ì¤¿¥Ñ¥±¥Ã¥È¤ËÉÕ¤¤¤Æ¡¢
+¥Ñ¥±¥Ã¥ÈÀ¸À®¼Ô¤Î¤¤¤í¤¤¤í¤ÊÆÃÀ¤È¤Î¥Þ¥Ã¥Á¥ó¥°¤ò¤È¤ë¡£
+¤³¤ì¤Ï
+.B OUTPUT
+¥Á¥§¥¤¥ó¤Î¤ß¤Ç¤·¤«Í¸ú¤Ç¤Ê¤¤¡£
+¤Þ¤¿¡¢(ICMP ping ±þÅú¤Î¤è¤¦¤Ê) ¥Ñ¥±¥Ã¥È¤Ï¡¢
+½êͼԤ¬¤¤¤Ê¤¤¤Î¤ÇÀäÂФ˥ޥåÁ¤·¤Ê¤¤¡£
+¤³¤ì¤Ï¼Â¸³Åª¤Ê¤â¤Î¤È¤¤¤¦°·¤¤¤Ç¤¢¤ë¡£
+.TP
+.BI "--uid-owner " "userid"
+»ØÄꤵ¤ì¤¿¼Â¸ú¥æ¡¼¥¶¡¼ ID ¤Î¥×¥í¥»¥¹¤Ë¤è¤ê
+¥Ñ¥±¥Ã¥È¤¬À¸À®¤µ¤ì¤Æ¤¤¤ë¾ì¹ç¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
+.TP
+.BI "--gid-owner " "groupid"
+»ØÄꤵ¤ì¤¿¼Â¸ú¥°¥ë¡¼¥× ID ¤Î¥×¥í¥»¥¹¤Ë¤è¤ê
+¥Ñ¥±¥Ã¥È¤¬À¸À®¤µ¤ì¤Æ¤¤¤ë¾ì¹ç¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
+.TP
+.BI "--pid-owner " "processid"
+»ØÄꤵ¤ì¤¿¥×¥í¥»¥¹ ID ¤Î¥×¥í¥»¥¹¤Ë¤è¤ê
+¥Ñ¥±¥Ã¥È¤¬À¸À®¤µ¤ì¤Æ¤¤¤ë¾ì¹ç¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
+.TP
+.BI "--sid-owner " "sessionid"
+»ØÄꤵ¤ì¤¿¥»¥Ã¥·¥ç¥ó¥°¥ë¡¼¥×¤Î¥×¥í¥»¥¹¤Ë¤è¤ê
+¥Ñ¥±¥Ã¥È¤¬À¸À®¤µ¤ì¤Æ¤¤¤ë¾ì¹ç¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
+.\" .SS state
+.\" ¤³¤Î¥â¥¸¥å¡¼¥ë¤Ï¡¢ÀܳÄÉÀ× (connection tracking) ¤ÈÁȤ߹ç¤ï¤»¤ÆÍѤ¤¤ë¤È¡¢
+.\" ¥Ñ¥±¥Ã¥È¤Ë¤Ä¤¤¤Æ¤ÎÀܳÄÉÀ×¾õÂÖ¤òÃΤ뤳¤È¤¬¤Ç¤¤ë¡£
+.\" .TP
+.\" .BI "--state " "state"
+.\" state ¤Ï¡¢¥Þ¥Ã¥Á¥ó¥°¤ò¹Ô¤¦¤¿¤á¤Î¡¢¥³¥ó¥Þ¤Ç¶èÀÚ¤é¤ì¤¿Àܳ¾õÂ֤Υꥹ¥È¤Ç¤¢¤ë¡£
+.\" »ØÄê²Äǽ¤Ê state ¤Ï°Ê²¼¤ÎÄ̤ꡣ
+.\" .BR INVALID :
+.\" ¤³¤Î¥Ñ¥±¥Ã¥È¤Ï´ûÃΤÎÀܳ¤È´Ø·¸¤·¤Æ¤¤¤Ê¤¤¡£
+.\" .BR ESTABLISHED :
+.\" ¤³¤Î¥Ñ¥±¥Ã¥È¤ÏÁÐÊý¸þÀܳ¤Î¥Ñ¥±¥Ã¥È¤ÈȽÌÀ¤·¤¿¡£
+.\" .BR NEW :
+.\" ¤³¤Î¥Ñ¥±¥Ã¥È¤¬¿·¤·¤¤Àܳ¤ò³«»Ï¤·¤¿¤«¡¢
+.\" ÁÐÊý¸þÀܳ¤Î¥Ñ¥±¥Ã¥È¤Ç¤Ê¤¤¤â¤Î¤ÈȽÌÀ¤·¤¿¡£
+.\" .BR RELATED :
+.\" ¤³¤Î¥Ñ¥±¥Ã¥È¤¬¿·¤·¤¤Àܳ¤ò³«»Ï¤·¤Æ¤¤¤ë¤¬¡¢
+.\" FTP ¥Ç¡¼¥¿Å¾Á÷¤ä ICMP ¥¨¥é¡¼¤Î¤è¤¦¤Ë¡¢´û¸¤ÎÀܳ¤Ë´Ø·¸¤·¤Æ¤¤¤ë¡£
+.\" .SS unclean
+.\" ¤³¤Î¥â¥¸¥å¡¼¥ë¤Ë¤Ï¥ª¥×¥·¥ç¥ó¤¬¤Ê¤¤¤¬¡¢
+.\" ¤ª¤«¤·¤¯Àµ¾ï¤Ç¤Ê¤¤¤è¤¦¤Ë¸«¤¨¤ë¥Ñ¥±¥Ã¥È¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
+.\" ¤³¤ì¤Ï¼Â¸³Åª¤Ê¤â¤Î¤È¤·¤Æ°·¤ï¤ì¤Æ¤¤¤ë¡£
+.\" .SS tos
+.\" ¤³¤Î¥â¥¸¥å¡¼¥ë¤Ï IP ¥Ø¥Ã¥À¡¼¤Î (¾å°Ì¥Ó¥Ã¥È¤ò´Þ¤à) 8 ¥Ó¥Ã¥È¤Î
+.\" Type of Service ¥Õ¥£¡¼¥ë¥É¤Ë¥Þ¥Ã¥Á¤¹¤ë
+.\" .TP
+.\" .BI "--tos " "tos"
+.\" °ú¤¿ô¤Ï¡¢¥Þ¥Ã¥Á¤ò¹Ô¤¦É¸½àŪ¤Ê̾Á°¤Ç¤â¿ôÃͤǤâ¤è¤¤
+.\" (̾Á°¤Î¥ê¥¹¥È¤ò¸«¤ë¤Ë¤Ï
+.\" .br
+.\" iptables -m tos -h
+.\" .br
+.\" ¤ò»È¤¦¤³¤È)¡£
+.SH ¥¿¡¼¥²¥Ã¥È¤Î³ÈÄ¥
+iptables ¤Ï³ÈÄ¥¥¿¡¼¥²¥Ã¥È¥â¥¸¥å¡¼¥ë¤ò»È¤¦¤³¤È¤¬¤Ç¤¤ë:
+°Ê²¼¤Î¤â¤Î¤¬¡¢É¸½àŪ¤Ê¥Ç¥£¥¹¥È¥ê¥Ó¥å¡¼¥·¥ç¥ó¤Ë´Þ¤Þ¤ì¤Æ¤¤¤ë¡£
+.SS LOG
+¥Þ¥Ã¥Á¤·¤¿¥Ñ¥±¥Ã¥È¤ò¥«¡¼¥Í¥ë¥í¥°¤ËµÏ¿¤¹¤ë¡£
+¤³¤Î¥ª¥×¥·¥ç¥ó¤¬¥ë¡¼¥ë¤ËÂФ·¤ÆÀßÄꤵ¤ì¤ë¤È¡¢
+Linux ¥«¡¼¥Í¥ë¤Ï¥Þ¥Ã¥Á¤·¤¿¥Ñ¥±¥Ã¥È¤Ë¤Ä¤¤¤Æ¤Î
+(IPv6 ¤Ë¤ª¤±¤ëÂçÉôʬ¤Î IPv6 ¥Ø¥Ã¥À¥Õ¥£¡¼¥ë¥É¤Î¤è¤¦¤Ê) ²¿¤é¤«¤Î¾ðÊó¤ò
+¥«¡¼¥Í¥ë¥í¥°¤Ëɽ¼¨¤¹¤ë
+(¥«¡¼¥Í¥ë¥í¥°¤Ï
+.I dmesg
+¤Þ¤¿¤Ï
+.IR syslogd (8)
+¤Ç¸«¤ë¤³¤È¤¬¤Ç¤¤ë)¡£
+¤³¤ì¤Ï¡ÖÈó½ªÎ»¥¿ ¡¼¥²¥Ã¥È¡×¤Ç¤¢¤ë¡£
+¤¹¤Ê¤ï¤Á¡¢¥ë¡¼¥ë¤Î¸¡Æ¤¤Ï¡¢¼¡¤Î¥ë¡¼¥ë¤Ø¤È·Ñ³¤µ¤ì¤ë¡£
+¤è¤Ã¤Æ¡¢µñÈݤ¹¤ë¥Ñ¥±¥Ã¥È¤ò¥í¥°µÏ¿¤·¤¿¤±¤ì¤Ð¡¢
+Ʊ¤¸¥Þ¥Ã¥Á¥ó¥°È½ÃÇ´ð½à¤ò»ý¤Ä 2 ¤Ä¤Î¥ë¡¼¥ë¤ò»ÈÍѤ·¡¢
+ºÇ½é¤Î¥ë¡¼¥ë¤Ç LOG ¥¿¡¼¥²¥Ã¥È¤ò¡¢
+¼¡¤Î¥ë¡¼¥ë¤Ç DROP (¤Þ¤¿¤Ï REJECT) ¥¿¡¼¥²¥Ã¥È¤ò»ØÄꤹ¤ë¡£
+.TP
+.BI "--log-level " "level"
+¥í¥°µÏ¿¤Î¥ì¥Ù¥ë (¿ôÃͤǻØÄꤹ¤ë¤«¡¢
+(ÌõÃð: ̾Á°¤Ç»ØÄꤹ¤ë¾ì¹ç¤Ï) \fIsyslog.conf\fP(5) ¤ò»²¾È¤¹¤ë¤³¤È)¡£
+.TP
+.BI "--log-prefix " "prefix"
+»ØÄꤷ¤¿¥×¥ì¥Õ¥£¥Ã¥¯¥¹¤ò¥í¥°¥á¥Ã¥»¡¼¥¸¤ÎÁ°¤ËÉÕ¤±¤ë¡£
+¥×¥ì¥Õ¥£¥Ã¥¯¥¹¤Ï 29 ʸ»ú¤Þ¤Ç¤ÎŤµ¤Ç¡¢
+¥í¥°¤Î¤Ê¤«¤Ç¥á¥Ã¥»¡¼¥¸¤ò¶èÊ̤¹¤ë¤Î¤ËÌòΩ¤Ä¡£
+.TP
+.B --log-tcp-sequence
+TCP ¥·¡¼¥±¥ó¥¹ÈÖ¹æ¤ò¥í¥°¤ËµÏ¿¤¹¤ë¡£
+¥í¥°¤¬¥æ¡¼¥¶¡¼¤«¤éÆɤá¤ë¾ì¹ç¡¢¥»¥¥å¥ê¥Æ¥£¾å¤Î´í¸±¤¬¤¢¤ë¡£
+.TP
+.B --log-tcp-options
+TCP ¥Ñ¥±¥Ã¥È¥Ø¥Ã¥À¤Î¥ª¥×¥·¥ç¥ó¤ò¥í¥°¤ËµÏ¿¤¹¤ë¡£
+.TP
+.B --log-ip-options
+IPv6 ¥Ñ¥±¥Ã¥È¥Ø¥Ã¥À¤Î¥ª¥×¥·¥ç¥ó¤ò¥í¥°¤ËµÏ¿¤¹¤ë¡£
+.SS MARK
+¥Ñ¥±¥Ã¥È¤Ë´ØÏ¢¤Å¤±¤é¤ì¤¿ netfilter ¤Î mark Ãͤò»ØÄꤹ¤ë¡£
+.B mangle
+¥Æ¡¼¥Ö¥ë¤Î¤ß¤Ç͸ú¤Ç¤¢¤ë¡£
+.TP
+.BI "--set-mark " "mark"
+.SS REJECT
+¥Þ¥Ã¥Á¤·¤¿¥Ñ¥±¥Ã¥È¤Î±þÅú¤È¤·¤Æ¥¨¥é¡¼¥Ñ¥±¥Ã¥È¤òÁ÷¿®¤¹¤ë¤¿¤á¤Ë»È¤ï¤ì¤ë¡£
+¥¨¥é¡¼¥Ñ¥±¥Ã¥È¤òÁ÷¤é¤Ê¤±¤ì¤Ð¡¢
+.B DROP
+¤ÈƱ¤¸¤Ç¤¢¤ê¡¢
+TARGET ¤ò½ªÎ»¤·¡¢¥ë¡¼¥ë¤Î¸¡Æ¤¤ò½ªÎ»¤¹¤ë¡£
+¤³¤Î¥¿¡¼¥²¥Ã¥È¤Ï¡¢
+.BR INPUT ,
+.BR FORWARD ,
+.B OUTPUT
+¥Á¥§¥¤¥ó¤È¡¢¤³¤ì¤é¤Î¥Á¥§¥¤¥ó¤«¤é¸Æ¤Ð¤ì¤ë
+¥æ¡¼¥¶¡¼ÄêµÁ¥Á¥§¥¤¥ó¤À¤±¤Ç͸ú¤Ç¤¢¤ë¡£
+°Ê²¼¤Î¥ª¥×¥·¥ç¥ó¤Ï¡¢ÊÖ¤µ¤ì¤ë¥¨¥é¡¼¥Ñ¥±¥Ã¥È¤ÎÆÃÀ¤òÀ©¸æ¤¹¤ë¡£
+.TP
+.BI "--reject-with " "type"
+type ¤È¤·¤Æ»ØÄê²Äǽ¤Ê¤â¤Î¤Ï
+.nf
+.B " icmp6-no-route"
+.B " no-route"
+.B " icmp6-adm-prohibited"
+.B " adm-prohibited"
+.B " icmp6-addr-unreachable"
+.B " addr-unreach"
+.B " icmp6-port-unreachable"
+.B " port-unreach"
+.fi
+¤Ç¤¢¤ê¡¢Å¬ÀÚ¤Ê IPv6-ICMP ¥¨¥é¡¼¥á¥Ã¥»¡¼¥¸¤òÊÖ¤¹
+(\fBport-unreach\fP ¤¬¥Ç¥Õ¥©¥ë¥È¤Ç¤¢¤ë)¡£
+¤µ¤é¤Ë¡¢TCP ¥×¥í¥È¥³¥ë¤Ë¤Î¤ß¥Þ¥Ã¥Á¤¹¤ë¥ë¡¼¥ë¤ËÂФ·¤Æ¡¢¥ª¥×¥·¥ç¥ó
+.B tcp-reset
+¤ò»È¤¦¤³¤È¤¬¤Ç¤¤ë¡£
+¤³¤Î¥ª¥×¥·¥ç¥ó¤ò»È¤¦¤È¡¢TCP RST ¥Ñ¥±¥Ã¥È¤¬Á÷¤êÊÖ¤µ¤ì¤ë¡£
+¼ç¤È¤·¤Æ
+.I ident
+(113/tcp) ¤Ë¤è¤ëõºº¤òÁ˻ߤ¹¤ë¤Î¤ËÌòΩ¤Ä¡£
+.I ident
+¤Ë¤è¤ëõºº¤Ï¡¢²õ¤ì¤Æ¤¤¤ë (¥á¡¼¥ë¤ò¼õ¤±¼è¤é¤Ê¤¤) ¥á¡¼¥ë¥Û¥¹¥È¤Ë
+¥á¡¼¥ë¤¬Á÷¤é¤ì¤ë¾ì¹ç¤ËÉÑÈˤ˵¯¤³¤ë¡£
+.\" .SS TOS
+.\" IP ¥Ø¥Ã¥À¤Î 8 ¥Ó¥Ã¥È¤Î Type of Service ¥Õ¥£¡¼¥ë¥É¤òÀßÄꤹ¤ë¤¿¤á¤Ë»È¤ï¤ì¤ë¡£
+.\" .B mangle
+.\" ¥Æ¡¼¥Ö¥ë¤Î¤ß¤Ç͸ú¤Ç¤¢¤ë¡£
+.\" .TP
+.\" .BI "--set-tos " "tos"
+.\" TOS ¤òÈÖ¹æ¤Ç»ØÄꤹ¤ë¤³¤È¤¬¤Ç¤¤ë¡£
+.\" ¤Þ¤¿¡¢
+.\" .br
+.\" iptables -j TOS -h
+.\" .br
+.\" ¤ò¼Â¹Ô¤·¤ÆÆÀ¤é¤ì¤ë¡¢»ÈÍѲÄǽ¤Ê TOS ̾¤Î°ìÍ÷¤Ë¤¢¤ë TOS ̾¤â»ØÄê¤Ç¤¤ë¡£
+.\" .SS MIRROR
+.\" ¼Â¸³Åª¤Ê¥Ç¥â¥ó¥¹¥È¥ì¡¼¥·¥ç¥óÍѤΥ¿¡¼¥²¥Ã¥È¤Ç¤¢¤ê¡¢
+.\" IP ¥Ø¥Ã¥À¤ÎÁ÷¿®¸µ¤ÈÁ÷¿®Àè¥Õ¥£¡¼¥ë¥É¤òÆþ¤ì´¹¤¨¡¢
+.\" ¥Ñ¥±¥Ã¥È¤òºÆÁ÷¿®¤¹¤ë¤â¤Î¤Ç¤¢¤ë¡£
+.\" ¤³¤ì¤Ï
+.\" .BR INPUT ,
+.\" .BR FORWARD ,
+.\" .B PREROUTING
+.\" ¥Á¥§¥¤¥ó¤È¡¢¤³¤ì¤é¤Î¥Á¥§¥¤¥ó¤«¤é¸Æ¤Ó½Ð¤µ¤ì¤ë
+.\" ¥æ¡¼¥¶¡¼ÄêµÁ¥Á¥§¥¤¥ó¤À¤±¤Ç͸ú¤Ç¤¢¤ë¡£
+.\" ¥ë¡¼¥×Åù¤ÎÌäÂê¤ò²óÈò¤¹¤ë¤¿¤á¡¢³°Éô¤ËÁ÷¤é¤ì¤ë¥Ñ¥±¥Ã¥È¤Ï
+.\" ¤¤¤«¤Ê¤ë¥Ñ¥±¥Ã¥È¥Õ¥£¥ë¥¿¥ê¥ó¥°¥Á¥§¥¤¥ó¡¦ÀܳÄÉÀס¦NAT ¤«¤é¤â
+.\" ´Æ»ë\fB¤µ¤ì¤Ê¤¤\fR ¡£
+.\" .SS SNAT
+.\" ¤³¤Î¥¿¡¼¥²¥Ã¥È¤Ï
+.\" .B nat
+.\" ¥Æ¡¼¥Ö¥ë¤È
+.\" .B POSTROUTING
+.\" ¥Á¥§¥¤¥ó¤Î¤ß¤Ç͸ú¤Ç¤¢¤ë¡£
+.\" ¤³¤Î¥¿¡¼¥²¥Ã¥È¤Ï¥Ñ¥±¥Ã¥È¤ÎÁ÷¿®¸µ¥¢¥É¥ì¥¹¤ò½¤Àµ¤µ¤»¤ë
+.\" (¤³¤ÎÀܳ¤Î°Ê¹ß¤Î¥Ñ¥±¥Ã¥È¤â½¤Àµ¤·¤Æʬ¤«¤é¤Ê¤¯¤¹¤ë (mangle))¡£
+.\" ¤µ¤é¤Ë¡¢¥ë¡¼¥ë¤¬É¾²Á¤òÃæ»ß¤¹¤ë¤è¤¦¤Ë»Ø¼¨¤¹¤ë¡£
+.\" ¤³¤Î¥¿¡¼¥²¥Ã¥È¤Ë¤Ï¥ª¥×¥·¥ç¥ó¤¬ 1 ¤Ä¤¢¤ë:
+.\" .TP
+.\" .BR "--to-source " "\fIipaddr\fP[-\fIipaddr\fP][:\fIport\fP-\fIport\fP]"
+.\" 1 ¤Ä¤Î¿·¤·¤¤Á÷¿®¸µ IP ¥¢¥É¥ì¥¹¡¢¤Þ¤¿¤Ï IP ¥¢¥É¥ì¥¹¤ÎÈϰϤ¬»ØÄê¤Ç¤¤ë¡£
+.\" ¥ª¥×¥·¥ç¥ó¤È¤·¤Æ¡¢¥Ý¡¼¥È¤ÎÈϰϤ¬»ØÄê¤Ç¤¤ë
+.\" (¥ë¡¼¥ë¤¬
+.\" .B "-p tcp"
+.\" ¤Þ¤¿¤Ï
+.\" .B "-p udp"
+.\" ¤ò»ØÄꤷ¤Æ¤¤¤ë¾ì¹ç¤Ë¤Î¤ß͸ú)¡£
+.\" ¥Ý¡¼¥È¤ÎÈϰϤ¬»ØÄꤵ¤ì¤Æ¤¤¤Ê¤¤¾ì¹ç¡¢
+.\" 512 ̤Ëþ¤ÎÁ÷¿®¸µ¥Ý¡¼¥È¤Ï¡¢Â¾¤Î 512 ̤Ëþ¤Î¥Ý¡¼¥È¤Ë¥Þ¥Ã¥Ô¥ó¥°¤µ¤ì¤ë¡£
+.\" 512 ¡Á 1023 ¤Þ¤Ç¤Î¥Ý¡¼¥È¤Ï¡¢1024 ̤Ëþ¤Î¥Ý¡¼¥È¤Ë¥Þ¥Ã¥Ô¥ó¥°¤µ¤ì¤ë¡£
+.\" ¤½¤ì°Ê³°¤Î¥Ý¡¼¥È¤Ï¡¢1024 °Ê¾å¤Î¥Ý¡¼¥È¤Ë¥Þ¥Ã¥Ô¥ó¥°¤µ¤ì¤ë¡£
+.\" ²Äǽ¤Ç¤¢¤ì¤Ð¡¢¥Ý¡¼¥È¤ÎÊÑ´¹¤Ïµ¯¤³¤é¤Ê¤¤¡£
+.\" .SS DNAT
+.\" ¤³¤Î¥¿¡¼¥²¥Ã¥È¤Ï
+.\" .B nat
+.\" ¥Æ¡¼¥Ö¥ë¤È
+.\" .BR PREROUTING ,
+.\" .B OUTPUT
+.\" ¥Á¥§¥¤¥ó¡¢¤³¤ì¤é¤Î¥Á¥§¥¤¥ó¤«¤é¸Æ¤Ó½Ð¤µ¤ì¤ë
+.\" ¥æ¡¼¥¶¡¼ÄêµÁ¥Á¥§¥¤¥ó¤Î¤ß¤Ç͸ú¤Ç¤¢¤ë¡£
+.\" ¤³¤Î¥¿¡¼¥²¥Ã¥È¤Ï¥Ñ¥±¥Ã¥È¤ÎÁ÷¿®À襢¥É¥ì¥¹¤ò½¤Àµ¤¹¤ë
+.\" (¤³¤ÎÀܳ¤Î°Ê¹ß¤Î¥Ñ¥±¥Ã¥È¤â½¤Àµ¤·¤Æʬ¤«¤é¤Ê¤¯¤¹¤ë (mangle))¡£
+.\" ¤µ¤é¤Ë¡¢¥ë¡¼¥ë¤Ë¤è¤ë¥Á¥§¥Ã¥¯¤ò»ß¤á¤µ¤»¤ë¡£
+.\" ¤³¤Î¥¿¡¼¥²¥Ã¥È¤Ë¤Ï¥ª¥×¥·¥ç¥ó¤¬ 1 ¤Ä¤¢¤ë:
+.\" .TP
+.\" .BR "--to-destination " "\fIipaddr\fP[-\fIipaddr\fP][:\fIport\fP-\fIport\fP]"
+.\" 1 ¤Ä¤Î¿·¤·¤¤Á÷¿®Àè IP ¥¢¥É¥ì¥¹¡¢¤Þ¤¿¤Ï IP ¥¢¥É¥ì¥¹¤ÎÈϰϤ¬»ØÄê¤Ç¤¤ë¡£
+.\" ¥ª¥×¥·¥ç¥ó¤È¤·¤Æ¡¢¥Ý¡¼¥È¤ÎÈϰϤ¬»ØÄê¤Ç¤¤ë
+.\" (¥ë¡¼¥ë¤¬
+.\" .B "-p tcp"
+.\" ¤Þ¤¿¤Ï
+.\" .B "-p udp"
+.\" ¤ò»ØÄꤷ¤Æ¤¤¤ë¾ì¹ç¤Ë¤Î¤ß͸ú)¡£
+.\" ¥Ý¡¼¥È¤ÎÈϰϤ¬»ØÄꤵ¤ì¤Æ¤¤¤Ê¤¤¾ì¹ç¡¢Á÷¿®À襢¥É¥ì¥¹¤ÏÊѹ¹¤µ¤ì¤Ê¤¤¡£
+.\" .SS MASQUERADE
+.\" ¤³¤Î¥¿¡¼¥²¥Ã¥È¤Ï
+.\" .B nat
+.\" ¥Æ¡¼¥Ö¥ë¡¢¤Þ¤¿¤Ï
+.\" .B POSTROUTING
+.\" ¥Á¥§¥¤¥ó¤Î¤ß¤Ç͸ú¤Ç¤¢¤ë¡£
+.\" ưŪ³ä¤êÅö¤Æ IP (¥À¥¤¥ä¥ë¥¢¥Ã¥×) Àܳ¤Î¾ì¹ç¤Ë¤Î¤ß»È¤¦¤Ù¤¤Ç¤¢¤ë¡£
+.\" ¸ÇÄê IP ¥¢¥É¥ì¥¹¤Ê¤é¤Ð¡¢SNAT ¥¿¡¼¥²¥Ã¥È¤ò»È¤¦¤Ù¤¤Ç¤¢¤ë¡£
+.\" ¥Þ¥¹¥«¥ì¡¼¥Ç¥£¥ó¥°¤Ï¡¢¥Ñ¥±¥Ã¥È¤¬Á÷¿®¤µ¤ì¤ë¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹¤Î
+.\" IP ¥¢¥É¥ì¥¹¤Ø¤Î¥Þ¥Ã¥Ô¥ó¥°¤ò»ØÄꤹ¤ë¤Î¤ÈƱ¤¸¤Ç¤¢¤ë¤¬¡¢
+.\" ¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹¤¬Ää»ß¤·¤¿¾ì¹ç¤ËÀܳ¤ò\fI˺¤ì¤ë\fR¤È¤¤¤¦¸½¾Ý¤¬¤¢¤ë¡£
+.\" ¼¡¤Î¥À¥¤¥ä¥ë¥¢¥Ã¥×¤Ç¤ÏƱ¤¸¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹¥¢¥É¥ì¥¹¤Ë¤Ê¤ë²ÄǽÀ¤¬Ä㤤
+.\" (¤½¤Î¤¿¤á¡¢Á°²ó³ÎΩ¤µ¤ì¤¿Àܳ¤Ï¼º¤ï¤ì¤ë) ¾ì¹ç¡¢
+.\" ¤³¤ÎÆ°ºî¤ÏÀµ¤·¤¤¡£
+.\" ¤³¤Î¥¿¡¼¥²¥Ã¥È¤Ë¤Ï¥ª¥×¥·¥ç¥ó¤¬ 1 ¤Ä¤¢¤ë¡£
+.\" .TP
+.\" .BR "--to-ports " "\fIport\fP[-\fIport\fP]"
+.\" ¤³¤Î¥ª¥×¥·¥ç¥ó¤Ï¡¢»ÈÍѤ¹¤ëÁ÷¿®¸µ¥Ý¡¼¥È¤ÎÈϰϤò»ØÄꤷ¡¢
+.\" ¥Ç¥Õ¥©¥ë¥È¤Î
+.\" .B SNAT
+.\" Á÷¿®¸µ¥Ý¡¼¥È¤ÎÁªÂòÊýË¡ (¾åµ) ¤è¤ê¤âÍ¥À褵¤ì¤ë¡£
+.\" ¥ë¡¼¥ë¤¬
+.\" .B "-p tcp"
+.\" ¤Þ¤¿¤Ï
+.\" .B "-p udp"
+.\" ¤ò»ØÄꤷ¤Æ¤¤¤ë¾ì¹ç¤Ë¤Î¤ß͸ú¤Ç¤¢¤ë¡£
+.\" .SS REDIRECT
+.\" ¤³¤Î¥¿¡¼¥²¥Ã¥È¤Ï¡¢
+.\" .B nat
+.\" ¥Æ¡¼¥Ö¥ëÆâ¤Î
+.\" .B PREROUTING
+.\" ¥Á¥§¥¤¥óµÚ¤Ó
+.\" .B OUTPUT
+.\" ¥Á¥§¥¤¥ó¡¢¤½¤·¤Æ¤³¤ì¤é¥Á¥§¥¤¥ó¤«¤é¸Æ¤Ó½Ð¤µ¤ì¤ë
+.\" ¥æ¡¼¥¶ÄêµÁ¥Á¥§¥¤¥ó¤Ç¤Î¤ß͸ú¤Ç¤¢¤ë¡£
+.\" ¤³¤Î¥¿¡¼¥²¥Ã¥È¤Ï¥Ñ¥±¥Ã¥È¤ÎÁ÷¿®Àè IP ¥¢¥É¥ì¥¹¤ò
+.\" ¥Þ¥·¥ó¼«¿È¤Î IP ¥¢¥É¥ì¥¹¤ËÊÑ´¹¤¹¤ë¡£
+.\" (¥í¡¼¥«¥ë¤ÇÀ¸À®¤µ¤ì¤¿¥Ñ¥±¥Ã¥È¤Ï¡¢¥¢¥É¥ì¥¹ 127.0.0.1 ¤Ë¥Þ¥Ã¥×¤µ¤ì¤ë)¡£
+.\" ¤³¤Î¥¿¡¼¥²¥Ã¥È¤Ë¤Ï¥ª¥×¥·¥ç¥ó¤¬ 1 ¤Ä¤¢¤ë:
+.\" .TP
+.\" .BR "--to-ports " "\fIport\fP[-\fIport\fP]"
+.\" ¤³¤Î¥ª¥×¥·¥ç¥ó¤Ï»ÈÍѤµ¤ì¤ëÁ÷¿®Àè¥Ý¡¼¥È¡¦¥Ý¡¼¥ÈÈÏ°Ï¡¦Ê£¿ô¥Ý¡¼¥È¤ò»ØÄꤹ¤ë¡£
+.\" ¤³¤Î¥ª¥×¥·¥ç¥ó¤¬»ØÄꤵ¤ì¤Ê¤¤¾ì¹ç¡¢Á÷¿®Àè¥Ý¡¼¥È¤ÏÊѹ¹¤µ¤ì¤Ê¤¤¡£
+.\" ¥ë¡¼¥ë¤¬
+.\" .B "-p tcp"
+.\" ¤Þ¤¿¤Ï
+.\" .B "-p udp"
+.\" ¤ò»ØÄꤷ¤Æ¤¤¤ë¾ì¹ç¤Ë¤Î¤ß͸ú¤Ç¤¢¤ë¡£
+.SH ÊÖ¤êÃÍ
+¤¤¤í¤¤¤í¤Ê¥¨¥é¡¼¥á¥Ã¥»¡¼¥¸¤¬É¸½à¥¨¥é¡¼¤Ëɽ¼¨¤µ¤ì¤ë¡£
+Àµ¤·¤¯µ¡Ç½¤·¤¿¾ì¹ç¡¢½ªÎ»¥³¡¼¥É¤Ï 0 ¤Ç¤¢¤ë¡£
+ÉÔÀµ¤Ê¥³¥Þ¥ó¥É¥é¥¤¥ó¥Ñ¥é¥á¡¼¥¿¤Ë¤è¤ê¥¨¥é¡¼¤¬È¯À¸¤·¤¿¾ì¹ç¤Ï¡¢
+½ªÎ»¥³¡¼¥É 2 ¤¬ÊÖ¤µ¤ì¤ë¡£
+¤½¤Î¾¤Î¥¨¥é¡¼¤Î¾ì¹ç¤Ï¡¢½ªÎ»¥³¡¼¥É 1 ¤¬ÊÖ¤µ¤ì¤ë¡£
+.SH ¥Ð¥°
+¥Ð¥°? ¥Ð¥°¤Ã¤Æ²¿? ;-)
+¤¨¡¼¤È¡Ä¡¢sparc64 ¤Ç¤Ï¥«¥¦¥ó¥¿¡¼Ãͤ¬¿®Íê¤Ç¤¤Ê¤¤¡£
+.SH IPCHAINS ¤È¤Î¸ß´¹À
+.B ip6tables
+¤Ï¡¢Rusty Russell ¤Î ipchains ¤ÈÈó¾ï¤Ë¤è¤¯»÷¤Æ¤¤¤ë¡£
+Â礤ʰ㤤¤Ï¡¢¥Á¥§¥¤¥ó
+.B INPUT
+¤È
+.B OUTPUT
+¤¬¡¢¤½¤ì¤¾¤ì¥í¡¼¥«¥ë¥Û¥¹¥È¤ËÆþ¤Ã¤Æ¤¯¤ë¥Ñ¥±¥Ã¥È¤È¡¢
+¥í¡¼¥«¥ë¥Û¥¹¥È¤«¤é½Ð¤µ¤ì¤ë¥Ñ¥±¥Ã¥È¤Î¤ß¤·¤«Ä´¤Ù¤Ê¤¤¤È¤¤¤¦ÅÀ¤Ç¤¢¤ë¡£
+¤è¤Ã¤Æ¡¢Á´¤Æ¤Î¥Ñ¥±¥Ã¥È¤Ï 3 ¤Ä¤¢¤ë¥Á¥§¥¤¥ó¤Î¤¦¤Á 1 ¤Ä¤·¤«Ä̤é¤Ê¤¤
+(¥ë¡¼¥×¥Ð¥Ã¥¯¥È¥é¥Õ¥£¥Ã¥¯¤ÏÎã³°¤Ç¡¢INPUT ¤È OUTPUT ¥Á¥§¥¤¥ó¤ÎξÊý¤òÄ̤ë)¡£
+°ÊÁ°¤Ï (ipchains ¤Ç¤Ï)¡¢
+¥Õ¥©¥ï¡¼¥É¤µ¤ì¤ë¥Ñ¥±¥Ã¥È¤¬ 3 ¤Ä¤Î¥Á¥§¥¤¥óÁ´¤Æ¤òÄ̤äƤ¤¤¿¡£
+.PP
+¤½¤Î¾¤ÎÂ礤ʰ㤤¤Ï¡¢
+.B -i
+¤ÇÆþÎÏ¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹¡¢
+.B -o
+¤Ç½ÐÎÏ¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹¤ò»ØÄꤷ¡¢
+¤È¤â¤Ë
+.B FORWARD
+¥Á¥§¥¤¥ó¤ËÆþ¤ë¥Ñ¥±¥Ã¥È¤ËÂФ·¤Æ»ØÄê²Äǽ¤ÊÅÀ¤Ç¤¢¤ë¡£
+.\" .PP
+.\" NAT ¤Î¤¤¤í¤¤¤í¤Ê·Á¼°¤¬Ê¬³ä¤µ¤ì¤¿¡£
+.\" ¥ª¥×¥·¥ç¥ó¤Î³ÈÄ¥¥â¥¸¥å¡¼¥ë¤È¤È¤â¤Ë
+.\" ¥Ç¥Õ¥©¥ë¥È¤Î¡Ö¥Õ¥£¥ë¥¿¡×¥Æ¡¼¥Ö¥ë¤òÍѤ¤¤¿¾ì¹ç¡¢
+.\" .B iptables
+.\" ¤Ï½ã¿è¤Ê¥Ñ¥±¥Ã¥È¥Õ¥£¥ë¥¿¤È¤Ê¤ë¡£
+.\" ¤³¤ì¤Ï¡¢°ÊÁ°¤ß¤é¤ì¤¿ IP ¥Þ¥¹¥«¥ì¡¼¥Ç¥£¥ó¥°¤È¥Ñ¥±¥Ã¥È¥Õ¥£¥ë¥¿¥ê¥ó¥°¤Î
+.\" Áȹ礻¤Ë¤è¤ëº®Íð¤ò´Êά²½¤¹¤ë¡£
+.\" ¤è¤Ã¤Æ¡¢¥ª¥×¥·¥ç¥ó
+.\" .br
+.\" -j MASQ
+.\" .br
+.\" -M -S
+.\" .br
+.\" -M -L
+.\" .br
+.\" ¤ÏÊ̤Τâ¤Î¤È¤·¤Æ°·¤ï¤ì¤ë¡£
+ip6tables ¤Ç¤Ï¡¢¤½¤Î¾¤Ë¤â¤¤¤¯¤Ä¤«¤ÎÊѹ¹¤¬¤¢¤ë¡£
+.SH ´ØÏ¢¹àÌÜ
+.BR ip6tables-save (8),
+.BR ip6tables-restore(8),
+.BR iptables (8),
+.BR iptables-save (8),
+.BR iptables-restore (8).
+.P
+¥Ñ¥±¥Ã¥È¥Õ¥£¥ë¥¿¥ê¥ó¥°¤Ë¤Ä¤¤¤Æ¤Î¾ÜºÙ¤Ê iptables ¤Î»ÈÍÑË¡¤ò
+ÀâÌÀ¤·¤Æ¤¤¤ë packet-filtering-HOWTO¡£
+NAT ¤Ë¤Ä¤¤¤Æ¾ÜºÙ¤ËÀâÌÀ¤·¤Æ¤¤¤ë NAT-HOWTO¡£
+ɸ½àŪ¤ÊÇÛÉۤˤϴޤޤì¤Ê¤¤³ÈÄ¥¤Î¾ÜºÙ¤òÀâÌÀ¤·¤Æ¤¤¤ë netfilter-extensions-HOWTO¡£
+ÆâÉô¹½Â¤¤Ë¤Ä¤¤¤Æ¾ÜºÙ¤ËÀâÌÀ¤·¤Æ¤¤¤ë netfilter-hacking-HOWTO¡£
+.br
+.B "http://www.netfilter.org/"
+¤ò»²¾È¤Î¤³¤È¡£
+.SH Ãø¼Ô
+Rusty Russell ¤Ï¡¢½é´ü¤ÎÃʳ¬¤Ç Michael Neuling ¤ËÁêÃ̤·¤Æ iptables ¤ò½ñ¤¤¤¿¡£
+.PP
+Marc Boucher ¤Ï Rusty ¤Ë iptables ¤Î°ìÈÌŪ¤Ê¥Ñ¥±¥Ã¥ÈÁªÂò¤Î¹Í¤¨Êý¤ò´«¤á¤Æ¡¢
+ipnatctl ¤ò»ß¤á¤µ¤»¤¿¡£
+¤½¤·¤Æ¡¢mangle ¥Æ¡¼¥Ö¥ë¡¦½êͼԥޥåÁ¥ó¥°¡¦
+mark µ¡Ç½¤ò½ñ¤¡¢¤¤¤¿¤ë¤È¤³¤í¤Ç»È¤ï¤ì¤Æ¤¤¤ëÁÇÀ²¤é¤·¤¤¥³¡¼¥É¤ò½ñ¤¤¤¿¡£
+.PP
+James Morris ¤¬ TOS ¥¿¡¼¥²¥Ã¥È¤È tos ¥Þ¥Ã¥Á¥ó¥°¤ò½ñ¤¤¤¿¡£
+.PP
+Jozsef Kadlecsik ¤¬ REJECT ¥¿¡¼¥²¥Ã¥È¤ò½ñ¤¤¤¿¡£
+.PP
+Harald Welte ¤¬ ULOG ¥¿¡¼¥²¥Ã¥È¡¦TTL ¥Þ¥Ã¥Á¥ó¥°¤È TTL ¥¿¡¼¥²¥Ã¥È¡¦
+libipulog ¤ò½ñ¤¤¤¿¡£
+.PP
+Netfilter ¥³¥¢¥Á¡¼¥à¤Ï¡¢Marc Boucher, Martin Josefsson, Jozsef Kadlecsik,
+James Morris, Harald Welte, Rusty Russell ¤Ç¤¢¤ë¡£
+.PP
+ip6tables ¤Î man ¥Ú¡¼¥¸¤Ï¡¢Andras Kis-Szabo ¤Ë¤è¤Ã¤ÆºîÀ®¤µ¤ì¤¿¡£
+¤³¤ì¤Ï Herve Eychenne <rv@wallfire.org> ¤Ë¤è¤Ã¤Æ½ñ¤«¤ì¤¿
+iptables ¤Î man ¥Ú¡¼¥¸¤ò¸µ¤Ë¤·¤Æ¤¤¤ë¡£
+.\" .. ¤½¤·¤Æ¡¢ËÍÅù¤¬¤È¤Æ¤â¥¯¡¼¥ë¤ÊÅÛ¤é¤À¤È¸À¤Ã¤Æ¤ª¤¤¤Æ¤â¤¤¤¤¤«¤Ê¡©
+.\" .. ¥»¥¯¥·¡¼¤Ç ..
+.\" .. ¤È¤Æ¤â¥¦¥£¥Ã¥È¤ËÉÙ¤ó¤Ç¤¤¤Æ¡¢¥Á¥ã¡¼¥ß¥ó¥°¤Ç¡¢¥Ñ¥ï¥Õ¥ë¤Ç ..
+.\" .. ¤½¤·¤Æ¡¢¤ß¤ó¤Ê¸¬µõ¤Ê¤ó¤À ..
--- /dev/null
+.TH IPTABLES-RESTORE 8 "Jan 04, 2001" "" ""
+.\"
+.\" Man page written by Harald Welte <laforge@gnumonks.org>
+.\" It is based on the iptables man page.
+.\"
+.\" This program is free software; you can redistribute it and/or modify
+.\" it under the terms of the GNU General Public License as published by
+.\" the Free Software Foundation; either version 2 of the License, or
+.\" (at your option) any later version.
+.\"
+.\" This program is distributed in the hope that it will be useful,
+.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+.\" GNU General Public License for more details.
+.\"
+.\" You should have received a copy of the GNU General Public License
+.\" along with this program; if not, write to the Free Software
+.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+.\"
+.\" Japanese Version Copyright (c) 2001 Yuichi SATO
+.\" all rights reserved.
+.\" Translated Tue May 15 20:08:04 JST 2001
+.\" by Yuichi SATO <ysato@h4.dion.ne.jp>
+.\"
+.SH ̾Á°
+iptables-restore \- IP ¥Æ¡¼¥Ö¥ë¤òÉü¸µ¤¹¤ë
+.SH ½ñ¼°
+.BR "iptables-restore " "[-c] [-n]"
+.br
+.SH ÀâÌÀ
+.PP
+.B iptables-restore
+¤Ïɸ½àÆþÎϤǻØÄꤵ¤ì¤¿¥Ç¡¼¥¿¤«¤é IP ¥Æ¡¼¥Ö¥ë¤òÉü¸µ¤¹¤ë¤¿¤á¤Ë»È¤ï¤ì¤ë¡£
+¥Õ¥¡¥¤¥ë¤«¤éÆɤ߹þ¤à¤¿¤á¤Ë¤Ï¡¢
+¥·¥§¥ë¤ÇÄ󶡤µ¤ì¤Æ¤¤¤ë I/O ¥ê¥À¥¤¥ì¥¯¥·¥ç¥ó¤ò»È¤¦¤³¤È¡£
+.TP
+\fB\-c\fR, \fB\-\-counters\fR
+Á´¤Æ¤Î¥Ñ¥±¥Ã¥È¥«¥¦¥ó¥¿¤È¥Ð¥¤¥È¥«¥¦¥ó¥¿¤ÎÃͤòÉü¸µ¤¹¤ë¡£
+.TP
+\fB\-n\fR, \fB\-\-noflush\fR
+¤³¤ì¤Þ¤Ç¤Î¥Æ¡¼¥Ö¥ë¤ÎÆâÍƤò¥Õ¥é¥Ã¥·¥å¤·¤Ê¤¤¡£
+»ØÄꤵ¤ì¤Ê¤¤¾ì¹ç¡¢
+.B iptables-restore
+¤Ï¡¢¤³¤ì¤Þ¤Ç¤Î³Æ IP ¥Æ¡¼¥Ö¥ë¤ÎÆâÍƤòÁ´¤Æ¥Õ¥é¥Ã¥·¥å (ºï½ü) ¤¹¤ë¡£
+.SH ¥Ð¥°
+iptables-1.2.1 ¥ê¥ê¡¼¥¹¤Ç¤ÏÃΤé¤ì¤Æ¤¤¤Ê¤¤¡£
+.SH Ãø¼Ô
+Harald Welte <laforge@gnumonks.org>
+.SH ´ØÏ¢¹àÌÜ
+.BR iptables-save "(8), " iptables "(8) "
+.PP
+¤è¤ê¿¤¯¤Î iptables ¤Î»ÈÍÑË¡¤Ë¤Ä¤¤¤Æ
+¾ÜºÙ¤ËÀâÌÀ¤·¤Æ¤¤¤ë iptables-HOWTO¡£
+NAT ¤Ë¤Ä¤¤¤Æ¾ÜºÙ¤ËÀâÌÀ¤·¤Æ¤¤¤ë NAT-HOWTO¡£
+ÆâÉô¹½Â¤¤Ë¤Ä¤¤¤Æ¾ÜºÙ¤ËÀâÌÀ¤·¤Æ¤¤¤ë netfilter-hacking-HOWTO¡£
--- /dev/null
+.TH IPTABLES-SAVE 8 "Jan 04, 2001" "" ""
+.\"
+.\" Man page written by Harald Welte <laforge@gnumonks.org>
+.\" It is based on the iptables man page.
+.\"
+.\" This program is free software; you can redistribute it and/or modify
+.\" it under the terms of the GNU General Public License as published by
+.\" the Free Software Foundation; either version 2 of the License, or
+.\" (at your option) any later version.
+.\"
+.\" This program is distributed in the hope that it will be useful,
+.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+.\" GNU General Public License for more details.
+.\"
+.\" You should have received a copy of the GNU General Public License
+.\" along with this program; if not, write to the Free Software
+.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+.\"
+.\" Japanese Version Copyright (c) 2001 Yuichi SATO
+.\" all rights reserved.
+.\" Translated Tue May 15 20:09:48 JST 2001
+.\" by Yuichi SATO <ysato@h4.dion.ne.jp>
+.\"
+.SH ̾Á°
+iptables-save \- IP ¥Æ¡¼¥Ö¥ë¤òÊݸ¤¹¤ë
+.SH ½ñ¼°
+.BR "iptables-save " "[-c] [-t table]"
+.br
+.SH ÀâÌÀ
+.PP
+.B iptables-save
+¤Ï IP ¥Æ¡¼¥Ö¥ë¤ÎÆâÍƤò´Êñ¤Ë²òÀϤǤ¤ë·Á¼°¤Ç
+ɸ½à½ÐÎϤ˥À¥ó¥×¤¹¤ë¤¿¤á¤Ë»È¤ï¤ì¤ë¡£
+¥Õ¥¡¥¤¥ë¤Ë½ñ¤½Ð¤¹¤¿¤á¤Ë¤Ï¡¢
+¥·¥§¥ë¤ÇÄ󶡤µ¤ì¤Æ¤¤¤ë I/O ¥ê¥À¥¤¥ì¥¯¥·¥ç¥ó¤ò»È¤¦¤³¤È¡£
+.TP
+\fB\-c\fR, \fB\-\-counters\fR
+Á´¤Æ¤Î¥Ñ¥±¥Ã¥È¥«¥¦¥ó¥¿¤È¥Ð¥¤¥È¥«¥¦¥ó¥¿¤Î¸½ºß¤ÎÃͤò½ÐÎϤ¹¤ë¡£
+.TP
+\fB\-t\fR, \fB\-\-table\fR \fBtablename\fR
+½ÐÎϤò 1 ¤Ä¤Î¥Æ¡¼¥Ö¥ë¤Î¤ß¤ËÀ©¸Â¤¹¤ë¡£
+»ØÄꤵ¤ì¤Ê¤¤¾ì¹ç¡¢ÆÀ¤é¤ì¤¿Á´¤Æ¤Î¥Æ¡¼¥Ö¥ë¤ò½ÐÎϤ¹¤ë¡£
+.SH ¥Ð¥°
+iptables-1.2.1 ¥ê¥ê¡¼¥¹¤Ç¤ÏÃΤé¤ì¤Æ¤¤¤Ê¤¤¡£
+.SH Ãø¼Ô
+Harald Welte <laforge@gnumonks.org>
+.SH ´ØÏ¢¹àÌÜ
+.BR iptables-restore "(8), " iptables "(8) "
+.PP
+¤è¤ê¿¤¯¤Î iptables ¤Î»ÈÍÑË¡¤Ë¤Ä¤¤¤Æ
+¾ÜºÙ¤ËÀâÌÀ¤·¤Æ¤¤¤ë iptables-HOWTO¡£
+NAT ¤Ë¤Ä¤¤¤Æ¾ÜºÙ¤ËÀâÌÀ¤·¤Æ¤¤¤ë NAT-HOWTO¡£
+ÆâÉô¹½Â¤¤Ë¤Ä¤¤¤Æ¾ÜºÙ¤ËÀâÌÀ¤·¤Æ¤¤¤ë netfilter-hacking-HOWTO¡£
--- /dev/null
+.\"
+.\" Man page written by Herve Eychenne <rv@wallfire.org> (May 1999)
+.\" It is based on ipchains page.
+.\" TODO: add a word for protocol helpers (FTP, IRC, SNMP-ALG)
+.\"
+.\" ipchains page by Paul ``Rusty'' Russell March 1997
+.\" Based on the original ipfwadm man page by Jos Vos <jos@xos.nl>
+.\"
+.\" This program is free software; you can redistribute it and/or modify
+.\" it under the terms of the GNU General Public License as published by
+.\" the Free Software Foundation; either version 2 of the License, or
+.\" (at your option) any later version.
+.\"
+.\" This program is distributed in the hope that it will be useful,
+.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+.\" GNU General Public License for more details.
+.\"
+.\" You should have received a copy of the GNU General Public License
+.\" along with this program; if not, write to the Free Software
+.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+.\"
+.\"
+.\" Japanese Version Copyright (c) 2001, 2004 Yuichi SATO
+.\" all right reserved.
+.\" Translated Sun Jul 29 01:03:37 JST 2001
+.\" by Yuichi SATO <ysato@h4.dion.ne.jp>
+.\" Updated & Modified Wed Sep 12 06:22:55 JST 2001 by Yuichi SATO
+.\" Updated on Wed May 28 01:51:45 JST 2003 by
+.\" System Design and Research Institute Co., Ltd.
+.\" Updated & Modified Sat Feb 21 23:28:25 JST 2004
+.\" by Yuichi SATO <ysato444@yahoo.co.jp>
+.\"
+.\"WORD: chain ¥Á¥§¥¤¥ó
+.\"WORD: built-in chain ÁȤ߹þ¤ßºÑ¤ß¥Á¥§¥¤¥ó
+.\"WORD: connection tracking ÀܳÄÉÀ×
+.\"WORD: enslave ¥¹¥ì¡¼¥Ö¤Ë¤¹¤ë
+.\"WORD: infrastructure ´ðÈ×
+.\"WORD: round-robin ¥é¥¦¥ó¥É¡¦¥í¥Ó¥ó
+.\"WORD: rule traverse ¥ë¡¼¥ë¤Î¸¡Æ¤
+.\"WORD: non-terminating target Èó½ªÎ»¥¿¡¼¥²¥Ã¥È
+.\"WORD: criteria ȽÃÇ(¤¹¤ë)´ð½à
+.\"
+.TH IPTABLES 8 "Mar 09, 2002" "" ""
+.SH ̾Á°
+iptables \- IPv4 ¤Î¥Ñ¥±¥Ã¥È¥Õ¥£¥ë¥¿¤È NAT ¤ò´ÉÍý¤¹¤ë¥Ä¡¼¥ë
+.SH ½ñ¼°
+.BR "iptables [-t table] -[AD] " "¥Á¥§¥¤¥ó ¥ë¡¼¥ë¤Î¾ÜºÙ [¥ª¥×¥·¥ç¥ó]"
+.br
+.BR "iptables [-t table] -I " "¥Á¥§¥¤¥ó [¥ë¡¼¥ëÈÖ¹æ] ¥ë¡¼¥ë¤Î¾ÜºÙ [¥ª¥×¥·¥ç¥ó]"
+.br
+.BR "iptables [-t table] -R " "¥Á¥§¥¤¥ó ¥ë¡¼¥ëÈÖ¹æ ¥ë¡¼¥ë¤Î¾ÜºÙ [¥ª¥×¥·¥ç¥ó]"
+.br
+.BR "iptables [-t table] -D " "¥Á¥§¥¤¥ó ¥ë¡¼¥ëÈÖ¹æ [¥ª¥×¥·¥ç¥ó]"
+.br
+.BR "iptables [-t table] -[LFZ] " "[¥Á¥§¥¤¥ó] [¥ª¥×¥·¥ç¥ó]"
+.br
+.BR "iptables [-t table] -N " "¥Á¥§¥¤¥ó"
+.br
+.BR "iptables [-t table] -X " "[¥Á¥§¥¤¥ó]"
+.br
+.BR "iptables [-t table] -P " "¥Á¥§¥¤¥ó ¥¿¡¼¥²¥Ã¥È [¥ª¥×¥·¥ç¥ó]"
+.br
+.BR "iptables [-t table] -E " "µì¥Á¥§¥¤¥ó̾ ¿·¥Á¥§¥¤¥ó̾"
+.SH ÀâÌÀ
+.B iptables
+¤Ï Linux ¥«¡¼¥Í¥ë¤Î IP ¥Ñ¥±¥Ã¥È¥Õ¥£¥ë¥¿¥ë¡¼¥ë¤Î¥Æ¡¼¥Ö¥ë¤ò
+ÀßÄꡦ´ÉÍý¡¦¸¡ºº¤¹¤ë¤¿¤á¤Ë»È¤ï¤ì¤ë¡£
+Ê£¿ô¤Î°Û¤Ê¤ë¥Æ¡¼¥Ö¥ë¤òÄêµÁ¤Ç¤¤ë¡£
+³Æ¥Æ¡¼¥Ö¥ë¤Ë¤Ï¤¿¤¯¤µ¤ó¤ÎÁȤ߹þ¤ßºÑ¤ß¥Á¥§¥¤¥ó¤¬´Þ¤Þ¤ì¤Æ¤ª¤ê¡¢
+¤µ¤é¤Ë¥æ¡¼¥¶¡¼ÄêµÁ¤Î¥Á¥§¥¤¥ó¤ò²Ã¤¨¤ë¤³¤È¤â¤Ç¤¤ë¡£
+
+³Æ¥Á¥§¥¤¥ó¤Ï¡¢¥Ñ¥±¥Ã¥È·²¤Ë¥Þ¥Ã¥Á¤¹¤ë¥ë¡¼¥ë¤Î¥ê¥¹¥È¤Ç¤¢¤ë¡£
+³Æ¥ë¡¼¥ë¤Ï¥Þ¥Ã¥Á¤·¤¿¥Ñ¥±¥Ã¥È¤ËÂФ·¤Æ²¿¤ò¤¹¤ë¤«¤ò»ØÄꤹ¤ë¡£
+¤³¤ì¤Ï¡Ö¥¿¡¼¥²¥Ã¥È¡×¤È¸Æ¤Ð¤ì¡¢
+Ʊ¤¸¥Æ¡¼¥Ö¥ëÆâ¤Î¥æ¡¼¥¶¡¼ÄêµÁ¥Á¥§¥¤¥ó¤Ë¥¸¥ã¥ó¥×¤¹¤ë¤³¤È¤â¤Ç¤¤ë¡£
+
+.SH ¥¿¡¼¥²¥Ã¥È
+¤Ò¤È¤Ä¤Î¥Õ¥¡¥¤¥¢¥¦¥©¡¼¥ë¥ë¡¼¥ë¤Ç¤Ï¡¢
+¥Ñ¥±¥Ã¥È¤òȽÃǤ¹¤ë´ð½à¤È¥¿¡¼¥²¥Ã¥È¤È¤¬»ØÄꤵ¤ì¤ë¡£
+¥Ñ¥±¥Ã¥È¤¬¥Þ¥Ã¥Á¤·¤Ê¤¤¾ì¹ç¡¢¥Á¥§¥¤¥óÆâ¤Î¼¡¤Î¥ë¡¼¥ë¤¬É¾²Á¤µ¤ì¤ë¡£
+¥Ñ¥±¥Ã¥È¤¬¥Þ¥Ã¥Á¤·¤¿¾ì¹ç¡¢
+¥¿¡¼¥²¥Ã¥È¤ÎÃͤ¬¼¡¤Î¥ë¡¼¥ë¤ò»ØÄꤹ¤ë¡£
+¥¿¡¼¥²¥Ã¥È¤ÎÃͤϡ¢¥æ¡¼¥¶¡¼ÄêµÁ¥Á¥§¥¤¥ó¤Î̾Á°¡¢¤Þ¤¿¤ÏÆÃÊ̤ÊÃÍ
+.IR ACCEPT ,
+.IR DROP ,
+.IR QUEUE ,
+.I RETURN
+¤Î¤¦¤Á¤Î 1 ¤Ä¤Ç¤¢¤ë¡£
+.PP
+.I ACCEPT
+¤Ï¥Ñ¥±¥Ã¥È¤òÄ̤¹¤È¤¤¤¦°ÕÌ£¤Ç¤¢¤ë¡£
+.I DROP
+¤Ï¥Ñ¥±¥Ã¥È¤ò¾²¤ËÍ (¼Î¤Æ¤ë) ¤È¤¤¤¦°ÕÌ£¤Ç¤¢¤ë¡£
+.I QUEUE
+¤Ï¥Ñ¥±¥Ã¥È¤ò¥æ¡¼¥¶¡¼¶õ´Ö¤ËÅϤ¹¤È¤¤¤¦°ÕÌ£¤Ç¤¢¤ë
+(¥«¡¼¥Í¥ë¤¬¥µ¥Ý¡¼¥È¤·¤Æ¤¤¤ì¤Ð¤Ç¤¢¤ë¤¬)¡£
+.I RETURN
+¤Ï¡¢¤³¤Î¥Á¥§¥¤¥ó¤Î¸¡Æ¤¤òÃæ»ß¤·¤Æ¡¢
+°ÊÁ°¤Î (¸Æ¤Ó½Ð¤·¸µ) ¥Á¥§¥¤¥óÆâ¤Î
+¼¡¤Î¥ë¡¼¥ë¤«¤é¸¡Æ¤¤òºÆ³«¤¹¤ë¤È¤¤¤¦°ÕÌ£¤Ç¤¢¤ë¡£
+ÁȤ߹þ¤ßºÑ¤ß¥Á¥§¥¤¥ó¤ÎºÇ¸å¤ËÅþ㤷¤¿¾ì¹ç¡¢
+¤Þ¤¿¤ÏÁȤ߹þ¤ßºÑ¤ß¥Á¥§¥¤¥ó¤Ç¥¿¡¼¥²¥Ã¥È
+.I RETURN
+¤ò»ý¤Ä¥ë¡¼¥ë¤Ë¥Þ¥Ã¥Á¤·¤¿¾ì¹ç¡¢
+¥Á¥§¥¤¥ó¥Ý¥ê¥·¡¼¤Ç»ØÄꤵ¤ì¤¿¥¿¡¼¥²¥Ã¥È¤¬
+¥Ñ¥±¥Ã¥È¤Î¹ÔÊý¤ò·èÄꤹ¤ë¡£
+.SH ¥Æ¡¼¥Ö¥ë
+¸½ºß¤Î¤È¤³¤í 3 ¤Ä¤ÎÆÈΩ¤Ê¥Æ¡¼¥Ö¥ë¤¬Â¸ºß¤¹¤ë
+(¤¢¤ë»þÅÀ¤Ç¤É¤Î¥Æ¡¼¥Ö¥ë¤¬Â¸ºß¤¹¤ë¤«¤Ï¡¢
+¥«¡¼¥Í¥ë¤ÎÀßÄê¤ä¤É¤¦¤¤¤Ã¤¿¥â¥¸¥å¡¼¥ë¤¬Â¸ºß¤¹¤ë¤«¤Ë°Í¸¤¹¤ë)¡£
+.TP
+.BI "-t, --table " "table"
+¤³¤Î¥ª¥×¥·¥ç¥ó¤Ï¡¢¤³¤Î¥³¥Þ¥ó¥É¤òŬÍѤ¹¤ë
+¥Ñ¥±¥Ã¥È¥Þ¥Ã¥Á¥ó¥°¥Æ¡¼¥Ö¥ë¤ò»ØÄꤹ¤ë¡£
+¥«¡¼¥Í¥ë¤Ë¼«Æ°¥â¥¸¥å¡¼¥ë¥í¡¼¥Ç¥£¥ó¥°¤¬ÀßÄꤵ¤ì¤Æ¤¤¤ë¾ì¹ç¡¢
+¤½¤Î¥Æ¡¼¥Ö¥ë¤ËÂФ¹¤ëŬÀڤʥ⥸¥å¡¼¥ë¤¬¤Þ¤À¥í¡¼¥É¤µ¤ì¤Æ¤¤¤Ê¤±¤ì¤Ð¡¢
+¤½¤Î¥â¥¸¥å¡¼¥ë¤¬¥í¡¼¥É¤µ¤ì¤ë¡£
+
+¥Æ¡¼¥Ö¥ë¤Ï°Ê²¼¤ÎÄ̤ê¤Ç¤¢¤ë¡£
+.RS
+.TP .4i
+.BR "filter" :
+(\-t ¥ª¥×¥·¥ç¥ó¤¬ÅϤµ¤ì¤Ê¤±¤ì¤Ð) ¤³¤ì¤¬¥Ç¥Õ¥©¥ë¥È¤Î¥Æ¡¼¥Ö¥ë¤Ç¤¢¤ë¡£
+¤³¤ì¤Ë¤Ï
+.B INPUT
+(¥Þ¥·¥ó¼«ÂΤËÆþ¤Ã¤Æ¤¯¤ë¥Ñ¥±¥Ã¥È¤ËÂФ¹¤ë¥Á¥§¥¤¥ó)¡¦
+.B FORWARD
+(¥Þ¥·¥ó¤ò·Ðͳ¤¹¤ë¥Ñ¥±¥Ã¥È¤ËÂФ¹¤ë¥Á¥§¥¤¥ó)¡¦
+.B OUTPUT
+(¥í¡¼¥«¥ë¥Þ¥·¥ó¤ÇÀ¸À®¤µ¤ì¤¿¥Ñ¥±¥Ã¥È¤ËÂФ¹¤ë¥Á¥§¥¤¥ó)
+¤È¤¤¤¦ÁȤ߹þ¤ßºÑ¤ß¥Á¥§¥¤¥ó¤¬´Þ¤Þ¤ì¤ë¡£
+.TP
+.BR "nat" :
+¤³¤Î¥Æ¡¼¥Ö¥ë¤Ï¿·¤·¤¤Àܳ¤ò³«¤¯¤è¤¦¤Ê¥Ñ¥±¥Ã¥È¤ËÂФ·¤Æ»²¾È¤µ¤ì¤ë¡£
+¤³¤ì¤Ë¤Ï
+.B PREROUTING
+(¥Ñ¥±¥Ã¥È¤¬Æþ¤Ã¤Æ¤¤¿¾ì¹ç¡¢¤¹¤°¤Ë¤½¤Î¥Ñ¥±¥Ã¥È¤òÊÑ´¹¤¹¤ë¤¿¤á¤Î¥Á¥§¥¤¥ó)¡¦
+.B OUTPUT
+(¥í¡¼¥«¥ë¤ÇÀ¸À®¤µ¤ì¤¿¥Ñ¥±¥Ã¥È¤ò¥ë¡¼¥Æ¥£¥ó¥°¤ÎÁ°¤ËÊÑ´¹¤¹¤ë¤¿¤á¤Î¥Á¥§¥¤¥ó)¡¦
+.B POSTROUTING
+(¥Ñ¥±¥Ã¥È¤¬½Ð¤Æ¹Ô¤¯¤È¤¤ËÊÑ´¹¤¹¤ë¤¿¤á¤Î¥Á¥§¥¤¥ó)
+¤È¤¤¤¦ 3 ¤Ä¤ÎÁȤ߹þ¤ßºÑ¤ß¥Á¥§¥¤¥ó¤¬´Þ¤Þ¤ì¤ë¡£
+.TP
+.BR "mangle" :
+¤³¤Î¥Æ¡¼¥Ö¥ë¤ÏÆÃÊ̤ʥѥ±¥Ã¥ÈÊÑ´¹¤Ë»È¤ï¤ì¤ë¡£
+¤³¤ì¤Ë¤Ï¡¢¥«¡¼¥Í¥ë 2.4.17 ¤Þ¤Ç¤Ï
+.B PREROUTING
+(¥Ñ¥±¥Ã¥È¤¬Æþ¤Ã¤Æ¤¤¿¾ì¹ç¡¢¤¹¤°¤Ë¤½¤Î¥Ñ¥±¥Ã¥È¤òÊÑ´¹¤¹¤ë¤¿¤á¤Î¥Á¥§¥¤¥ó)¡¦
+.B OUTPUT
+(¥í¡¼¥«¥ë¤ÇÀ¸À®¤µ¤ì¤¿¥Ñ¥±¥Ã¥È¤ò¥ë¡¼¥Æ¥£¥ó¥°¤ÎÁ°¤ËÊÑ´¹¤¹¤ë¤¿¤á¤Î¥Á¥§¥¤¥ó)
+¤È¤¤¤¦ 2 ¤Ä¤ÎÁȤ߹þ¤ßºÑ¤ß¥Á¥§¥¤¥ó¤¬´Þ¤Þ¤ì¤ë¡£
+¥«¡¼¥Í¥ë 2.4.18 ¤«¤é¤Ï¡¢¤³¤ì¤é¤Î¾¤Ë
+.B INPUT
+(¥Þ¥·¥ó¼«ÂΤËÆþ¤Ã¤Æ¤¯¤ë¥Ñ¥±¥Ã¥È¤ËÂФ¹¤ë¥Á¥§¥¤¥ó)¡¦
+.B FORWARD
+(¥Þ¥·¥ó¤ò·Ðͳ¤¹¤ë¥Ñ¥±¥Ã¥È¤ËÂФ¹¤ë¥Á¥§¥¤¥ó)¡¦
+.B POSTROUTING
+(¥Ñ¥±¥Ã¥È¤¬½Ð¤Æ¹Ô¤¯¤È¤¤ËÊÑ´¹¤¹¤ë¤¿¤á¤Î¥Á¥§¥¤¥ó)
+¤È¤¤¤¦ 3 ¤Ä¤ÎÁȤ߹þ¤ßºÑ¤ß¥Á¥§¥¤¥ó¤â´Þ¤Þ¤ì¤ë¡£
+.RE
+.SH ¥ª¥×¥·¥ç¥ó
+.B iptables
+¤Ç»È¤¨¤ë¥ª¥×¥·¥ç¥ó¤Ï¡¢¤¤¤¯¤Ä¤«¤Î¥°¥ë¡¼¥×¤Ëʬ¤±¤é¤ì¤ë¡£
+.SS ¥³¥Þ¥ó¥É
+¤³¤ì¤é¤Î¥ª¥×¥·¥ç¥ó¤Ï¡¢¼Â¹Ô¤¹¤ëÆÃÄê¤ÎÆ°ºî¤ò»ØÄꤹ¤ë¡£
+°Ê²¼¤ÎÀâÌÀ¤ÇÃíµ¤µ¤ì¤Æ¤¤¤Ê¤¤¸Â¤ê¡¢
+¥³¥Þ¥ó¥É¥é¥¤¥ó¤Ç»ØÄê¤Ç¤¤ë¤Î¤Ï¤³¤ÎÃæ¤Î 1 ¤Ä¤À¤±¤Ç¤¢¤ë¡£
+Ť¤¥Ð¡¼¥¸¥ç¥ó¤Î¥³¥Þ¥ó¥É̾¤È¥ª¥×¥·¥ç¥ó̾¤Ï¡¢
+.B iptables
+¤¬Â¾¤Î¥³¥Þ¥ó¥É̾¤ä¥ª¥×¥·¥ç¥ó̾¤È¶èÊ̤Ǥ¤ëÈϰϤÇ
+(ʸ»ú¤ò¾Êά¤·¤Æ) »ØÄꤹ¤ë¤³¤È¤â¤Ç¤¤ë¡£
+.TP
+.BI "-A, --append " "¥Á¥§¥¤¥ó ¥ë¡¼¥ë¤Î¾ÜºÙ"
+ÁªÂò¤µ¤ì¤¿¥Á¥§¥¤¥ó¤ÎºÇ¸å¤Ë 1 ¤Ä°Ê¾å¤Î¥ë¡¼¥ë¤òÄɲ乤롣
+Á÷¿®¸µ¤äÁ÷¿®Àè¤Î̾Á°¤¬ 1 ¤Ä°Ê¾å¤Î¥¢¥É¥ì¥¹¤Ë²ò·è¤µ¤ì¤¿¾ì¹ç¤Ï¡¢
+²Äǽ¤Ê¥¢¥É¥ì¥¹¤ÎÁȹ礻¤½¤ì¤¾¤ì¤ËÂФ·¤Æ¥ë¡¼¥ë¤¬Äɲ䵤ì¤ë¡£
+.TP
+.BI "-D, --delete " "¥Á¥§¥¤¥ó ¥ë¡¼¥ë¤Î¾ÜºÙ"
+.ns
+.TP
+.BI "-D, --delete " "¥Á¥§¥¤¥ó ¥ë¡¼¥ëÈÖ¹æ"
+ÁªÂò¤µ¤ì¤¿¥Á¥§¥¤¥ó¤«¤é 1 ¤Ä°Ê¾å¤Î¥ë¡¼¥ë¤òºï½ü¤¹¤ë¡£
+¤³¤Î¥³¥Þ¥ó¥É¤Ë¤Ï 2 ¤Ä¤Î»È¤¤Êý¤¬¤¢¤ë:
+¥Á¥§¥¤¥ó¤ÎÃæ¤ÎÈÖ¹æ (ºÇ½é¤Î¥ë¡¼¥ë¤ò 1 ¤È¤¹¤ë) ¤ò»ØÄꤹ¤ë¾ì¹ç¤È¡¢
+¥Þ¥Ã¥Á¤¹¤ë¥ë¡¼¥ë¤ò»ØÄꤹ¤ë¾ì¹ç¤Ç¤¢¤ë¡£
+.TP
+.BR "-I, --insert " "\fI¥Á¥§¥¤¥ó\fP [\fI¥ë¡¼¥ëÈÖ¹æ\fP] \fI¥ë¡¼¥ë¤Î¾ÜºÙ"
+ÁªÂò¤µ¤ì¤¿¥Á¥§¥¤¥ó¤Ë¥ë¡¼¥ëÈÖ¹æ¤ò»ØÄꤷ¤Æ 1 ¤Ä°Ê¾å¤Î¥ë¡¼¥ë¤òÁÞÆþ¤¹¤ë¡£
+¥ë¡¼¥ëÈֹ椬 1 ¤Î¾ì¹ç¡¢¥ë¡¼¥ë¤Ï¥Á¥§¥¤¥ó¤ÎÀèƬ¤ËÁÞÆþ¤µ¤ì¤ë¡£
+¤³¤ì¤Ï¥ë¡¼¥ëÈֹ椬»ØÄꤵ¤ì¤Ê¤¤¾ì¹ç¤Î¥Ç¥Õ¥©¥ë¥È¤Ç¤â¤¢¤ë¡£
+.TP
+.BI "-R, --replace " "¥Á¥§¥¤¥ó ¥ë¡¼¥ëÈÖ¹æ ¥ë¡¼¥ë¤Î¾ÜºÙ"
+ÁªÂò¤µ¤ì¤¿¥Á¥§¥¤¥ó¤Ç¥ë¡¼¥ë¤òÃÖ´¹¤¹¤ë¡£
+Á÷¿®¸µ¤äÁ÷¿®Àè¤Î̾Á°¤¬ 1 ¤Ä°Ê¾å¤Î¥¢¥É¥ì¥¹¤Ë²ò·è¤µ¤ì¤¿¾ì¹ç¤Ï¡¢
+¤³¤Î¥³¥Þ¥ó¥É¤Ï¼ºÇÔ¤¹¤ë¡£¥ë¡¼¥ëÈÖ¹æ¤Ï 1 ¤«¤é¤Ï¤¸¤Þ¤ë¡£
+.TP
+.BR "-L, --list " "[\fI¥Á¥§¥¤¥ó\fP]"
+ÁªÂò¤µ¤ì¤¿¥Á¥§¥¤¥ó¤Ë¤¢¤ëÁ´¤Æ¤Î¥ë¡¼¥ë¤ò°ìÍ÷ɽ¼¨¤¹¤ë¡£
+¥Á¥§¥¤¥ó¤¬»ØÄꤵ¤ì¤Ê¤¤¾ì¹ç¡¢Á´¤Æ¤Î¥Á¥§¥¤¥ó¤Ë¤¢¤ë¥ê¥¹¥È¤¬°ìÍ÷ɽ¼¨¤µ¤ì¤ë¡£
+¾¤Î³Æ iptables ¥³¥Þ¥ó¥É¤ÈƱÍͤˡ¢»ØÄꤵ¤ì¤¿¥Æ¡¼¥Ö¥ë
+(¥Ç¥Õ¥©¥ë¥È¤Ï filter) ¤ËÂФ·¤ÆºîÍѤ¹¤ë¡£
+¤è¤Ã¤Æ NAT ¥ë¡¼¥ë¤òɽ¼¨¤¹¤ë¤Ë¤Ï°Ê²¼¤Î¤è¤¦¤Ë¤¹¤ë¡£
+.nf
+ iptables -t nat -n -L
+.fi
+DNS¤ÎµÕ°ú¤¤òÈò¤±¤ë¤¿¤á¤Ë¡¢¤è¤¯
+.B -n
+¥ª¥×¥·¥ç¥ó¤È¶¦¤Ë»ÈÍѤµ¤ì¤ë¡£
+.B -Z
+(¥¼¥í²½) ¥ª¥×¥·¥ç¥ó¤òƱ»þ¤Ë»ØÄꤹ¤ë¤³¤È¤â¤Ç¤¤ë¡£
+¤³¤Î¾ì¹ç¡¢¥Á¥§¥¤¥ó¤ÏÍ×ÁÇËè¤Ë¥ê¥¹¥È¤µ¤ì¤Æ¡¢
+(ÌõÃð: ¥Ñ¥±¥Ã¥È¥«¥¦¥ó¥¿¤È¥Ð¥¤¥È¥«¥¦¥ó¥¿¤¬) ¥¼¥í¤Ë¤µ¤ì¤ë¡£
+½ÐÎÏɽ¼¨¤ÏƱ»þ¤ËÍ¿¤¨¤é¤ì¤¿Â¾¤Î°ú¤¿ô¤Ë±Æ¶Á¤µ¤ì¤ë¡£
+.nf
+ iptables -L -v
+.fi
+¤ò»È¤ï¤Ê¤¤¸Â¤ê (ÌõÃí: -v ¥ª¥×¥·¥ç¥ó¤ò»ØÄꤷ¤Ê¤¤¸Â¤ê)¡¢
+¼ÂºÝ¤Î¥ë¡¼¥ë¤½¤Î¤â¤Î¤Ïɽ¼¨¤µ¤ì¤Ê¤¤¡£
+.TP
+.BR "-F, --flush " "[\fI¥Á¥§¥¤¥ó\fP]"
+ÁªÂò¤µ¤ì¤¿¥Á¥§¥¤¥ó(²¿¤â»ØÄꤷ¤Ê¤±¤ì¤Ð¥Æ¡¼¥Ö¥ëÆâ¤ÎÁ´¤Æ¤Î¥Á¥§¥¤¥ó)
+¤ÎÆâÍƤòÁ´¾Ãµî¤¹¤ë¡£
+¤³¤ì¤ÏÁ´¤Æ¤Î¥ë¡¼¥ë¤ò 1 ¸Ä¤º¤Äºï½ü¤¹¤ë¤Î¤ÈƱ¤¸¤Ç¤¢¤ë¡£
+.TP
+.BR "-Z, --zero " "[\fI¥Á¥§¥¤¥ó\fP]"
+¤¹¤Ù¤Æ¤Î¥Á¥§¥¤¥ó¤Î¥Ñ¥±¥Ã¥È¥«¥¦¥ó¥¿¤È¥Ð¥¤¥È¥«¥¦¥ó¥¿¤ò¥¼¥í¤Ë¤¹¤ë¡£
+¥¯¥ê¥¢¤µ¤ì¤ëľÁ°¤Î¥«¥¦¥ó¥¿¤ò¸«¤ë¤¿¤á¤Ë¡¢
+.B "-L, --list"
+(°ìÍ÷ɽ¼¨) ¥ª¥×¥·¥ç¥ó¤ÈƱ»þ¤Ë»ØÄꤹ¤ë¤³¤È¤â¤Ç¤¤ë (¾åµ¤ò»²¾È)¡£
+.TP
+.BI "-N, --new-chain " "¥Á¥§¥¤¥ó"
+»ØÄꤷ¤¿Ì¾Á°¤Ç¥æ¡¼¥¶¡¼ÄêµÁ¥Á¥§¥¤¥ó¤òºîÀ®¤¹¤ë¡£
+Ʊ¤¸Ì¾Á°¤Î¥¿¡¼¥²¥Ã¥È¤¬´û¤Ë¸ºß¤·¤Æ¤Ï¤Ê¤é¤Ê¤¤¡£
+.TP
+.BR "-X, --delete-chain " "[\fI¥Á¥§¥¤¥ó\fP]"
+»ØÄꤷ¤¿¥æ¡¼¥¶¡¼ÄêµÁ¥Á¥§¥¤¥ó¤òºï½ü¤¹¤ë¡£
+¤½¤Î¥Á¥§¥¤¥ó¤¬»²¾È¤µ¤ì¤Æ¤¤¤Æ¤Ï¤Ê¤é¤Ê¤¤¡£
+¥Á¥§¥¤¥ó¤òºï½ü¤¹¤ëÁ°¤Ë¡¢¤½¤Î¥Á¥§¥¤¥ó¤ò»²¾È¤·¤Æ¤¤¤ë¥ë¡¼¥ë¤ò
+ºï½ü¤¹¤ë¤«ÃÖ¤´¹¤¨¤ë¤«¤·¤Ê¤±¤ì¤Ð¤Ê¤é¤Ê¤¤¡£
+°ú¤¿ô¤¬Í¿¤¨¤é¤ì¤Ê¤¤¾ì¹ç¡¢¥Æ¡¼¥Ö¥ë¤Ë¤¢¤ë¥Á¥§¥¤¥ó¤Î¤¦¤Á
+ÁȤ߹þ¤ßºÑ¤ß¥Á¥§¥¤¥ó¤Ç¤Ê¤¤¤â¤Î¤òÁ´¤Æºï½ü¤¹¤ë¡£
+.TP
+.BI "-P, --policy " "¥Á¥§¥¤¥ó ¥¿¡¼¥²¥Ã¥È"
+¥Á¥§¥¤¥ó¤Î¥Ý¥ê¥·¡¼¤ò¡¢»ØÄꤷ¤¿¥¿¡¼¥²¥Ã¥È¤ËÀßÄꤹ¤ë¡£
+»ØÄê²Äǽ¤Ê¥¿¡¼¥²¥Ã¥È¤Ï¡Ö\fB¥¿¡¼¥²¥Ã¥È\fR¡×¤Î¾Ï¤ò»²¾È¤¹¤ë¤³¤È¡£
+(¥æ¡¼¥¶¡¼ÄêµÁ¤Ç¤Ï¤Ê¤¤)ÁȤ߹þ¤ßºÑ¤ß¥Á¥§¥¤¥ó¤Ë¤·¤«¥Ý¥ê¥·¡¼¤ÏÀßÄê¤Ç¤¤Ê¤¤¡£
+¤Þ¤¿¡¢ÁȤ߹þ¤ßºÑ¤ß¥Á¥§¥¤¥ó¤â¥æ¡¼¥¶¡¼ÄêµÁ¥Á¥§¥¤¥ó¤â
+¥Ý¥ê¥·¡¼¤Î¥¿¡¼¥²¥Ã¥È¤ËÀßÄꤹ¤ë¤³¤È¤Ï¤Ç¤¤Ê¤¤¡£
+.TP
+.BI "-E, --rename-chain " "µì¥Á¥§¥¤¥ó̾ ¿·¥Á¥§¥¤¥ó̾"
+¥æ¡¼¥¶¡¼ÄêµÁ¥Á¥§¥¤¥ó¤ò»ØÄꤷ¤¿Ì¾Á°¤ËÊѹ¹¤¹¤ë¡£
+¤³¤ì¤Ï¸«¤¿ÌܤÀ¤±¤ÎÊѹ¹¤Ê¤Î¤Ç¡¢¥Æ¡¼¥Ö¥ë¤Î¹½Â¤¤Ë¤Ï²¿¤â±Æ¶Á¤·¤Ê¤¤¡£
+.TP
+.B -h
+¥Ø¥ë¥×¡£
+(º£¤Î¤È¤³¤í¤Ï¤È¤Æ¤â´Êñ¤Ê) ¥³¥Þ¥ó¥É½ñ¼°¤ÎÀâÌÀ¤òɽ¼¨¤¹¤ë¡£
+.SS ¥Ñ¥é¥á¡¼¥¿
+°Ê²¼¤Î¥Ñ¥é¥á¡¼¥¿¤Ï (add, delete, insert,
+replace, append ¥³¥Þ¥ó¥É¤ÇÍѤ¤¤é¤ì¤Æ) ¥ë¡¼¥ë¤Î»ÅÍͤò·è¤á¤ë¡£
+.TP
+.BR "-p, --protocol " "[!] \fIprotocol\fP"
+¥ë¡¼¥ë¤Ç»È¤ï¤ì¤ë¥×¥í¥È¥³¥ë¡¢¤Þ¤¿¤Ï¥Á¥§¥Ã¥¯¤µ¤ì¤ë¥Ñ¥±¥Ã¥È¤Î¥×¥í¥È¥³¥ë¡£
+»ØÄê¤Ç¤¤ë¥×¥í¥È¥³¥ë¤Ï¡¢
+.IR tcp ,
+.IR udp ,
+.IR icmp ,
+.I all
+¤Î¤¤¤º¤ì¤« 1 ¤Ä¤«¡¢¿ôÃͤǤ¢¤ë¡£
+¿ôÃͤˤϡ¢¤³¤ì¤é¤Î¥×¥í¥È¥³¥ë¤Î¤É¤ì¤«¤Ê¤¤¤·Ê̤Υץí¥È¥³¥ë¤òɽ¤¹
+¿ôÃͤò»ØÄꤹ¤ë¤³¤È¤¬¤Ç¤¤ë¡£
+/etc/protocols ¤Ë¤¢¤ë¥×¥í¥È¥³¥ë̾¤â»ØÄê¤Ç¤¤ë¡£
+¥×¥í¥È¥³¥ë¤ÎÁ°¤Ë "!" ¤òÃÖ¤¯¤È¡¢¤½¤Î¥×¥í¥È¥³¥ë¤ò½ü³°¤¹¤ë¤È¤¤¤¦°ÕÌ£¤Ë¤Ê¤ë¡£
+¿ôÃÍ 0 ¤Ï
+.I all
+¤ÈÅù¤·¤¤¡£
+¥×¥í¥È¥³¥ë
+.I all
+¤ÏÁ´¤Æ¤Î¥×¥í¥È¥³¥ë¤È¥Þ¥Ã¥Á¤·¡¢
+¤³¤Î¥ª¥×¥·¥ç¥ó¤¬¾Êά¤µ¤ì¤¿ºÝ¤Î¥Ç¥Õ¥©¥ë¥È¤Ç¤¢¤ë¡£
+.TP
+.BR "-s, --source " "[!] \fIaddress\fP[/\fImask\fP]"
+Á÷¿®¸µ¤Î»ØÄê¡£
+.I address
+¤Ï¥Û¥¹¥È̾
+(DNS ¤Î¤è¤¦¤Ê¥ê¥â¡¼¥È¤Ø¤ÎÌ䤤¹ç¤ï¤»¤Ç²ò·è¤¹¤ë̾Á°¤ò»ØÄꤹ¤ë¤Î¤ÏÈó¾ï¤ËÎɤ¯¤Ê¤¤)
+¡¦¥Í¥Ã¥È¥ï¡¼¥¯ IP ¥¢¥É¥ì¥¹ (/mask ¤ò»ØÄꤹ¤ë)¡¦
+Ä̾ï¤Î IP ¥¢¥É¥ì¥¹¡¢¤Î¤¤¤º¤ì¤«¤Ç¤¢¤ë¡£
+.I mask
+¤Ï¥Í¥Ã¥È¥ï¡¼¥¯¥Þ¥¹¥¯¤«¡¢
+¥Í¥Ã¥È¥ï¡¼¥¯¥Þ¥¹¥¯¤Îº¸Â¦¤Ë¤¢¤ë 1 ¤Î¿ô¤ò»ØÄꤹ¤ë¿ôÃͤǤ¢¤ë¡£
+¤Ä¤Þ¤ê¡¢
+.I 24
+¤È¤¤¤¦ mask ¤Ï
+.I 255.255.255.0
+¤ËÅù¤·¤¤¡£
+¥¢¥É¥ì¥¹»ØÄê¤ÎÁ°¤Ë "!" ¤òÃÖ¤¯¤È¡¢¤½¤Î¥¢¥É¥ì¥¹¤ò½ü³°¤¹¤ë¤È¤¤¤¦°ÕÌ£¤Ë¤Ê¤ë¡£
+¥Õ¥é¥°
+.B --src
+¤Ï¡¢¤³¤Î¥ª¥×¥·¥ç¥ó¤ÎÊÌ̾¤Ç¤¢¤ë¡£
+.TP
+.BR "-d, --destination " "[!] \fIaddress\fP[/\fImask\fP]"
+Á÷¿®Àè¤Î»ØÄê¡£
+½ñ¼°¤Î¾Ü¤·¤¤ÀâÌÀ¤Ë¤Ä¤¤¤Æ¤Ï¡¢
+.B -s
+(Á÷¿®¸µ) ¥Õ¥é¥°¤ÎÀâÌÀ¤ò»²¾È¤¹¤ë¤³¤È¡£
+¥Õ¥é¥°
+.B --dst
+¤Ï¡¢¤³¤Î¥ª¥×¥·¥ç¥ó¤ÎÊÌ̾¤Ç¤¢¤ë¡£
+.TP
+.BI "-j, --jump " "target"
+¥ë¡¼¥ë¤Î¥¿¡¼¥²¥Ã¥È¡¢¤Ä¤Þ¤ê¡¢
+¥Ñ¥±¥Ã¥È¤¬¥Þ¥Ã¥Á¤·¤¿¾ì¹ç¤Ë¤É¤¦¤¹¤ë¤«¤ò»ØÄꤹ¤ë¡£
+¥¿¡¼¥²¥Ã¥È¤Ï¥æ¡¼¥¶¡¼ÄêµÁ¥Á¥§¥¤¥ó
+(¤½¤Î¥ë¡¼¥ë¼«¿È¤¬Æþ¤Ã¤Æ¤¤¤ë¥Á¥§¥¤¥ó°Ê³°) ¤Ç¤â¡¢
+¥Ñ¥±¥Ã¥È¤Î¹ÔÊý¤ò¨»þ¤Ë·èÄꤹ¤ëÆÃÊ̤ÊÁȤ߹þ¤ßºÑ¤ß¥¿¡¼¥²¥Ã¥È¤Ç¤â¡¢
+³ÈÄ¥¤µ¤ì¤¿¥¿¡¼¥²¥Ã¥È (°Ê²¼¤Î
+.RB ¡Ö ¥¿¡¼¥²¥Ã¥È¤Î³ÈÄ¥ ¡×
+¤ò»²¾È) ¤Ç¤â¤è¤¤¡£
+¤³¤Î¥ª¥×¥·¥ç¥ó¤¬¥ë¡¼¥ë¤Ë»ØÄꤵ¤ì¤Ê¤«¤Ã¤¿¾ì¹ç¤Ï¡¢
+¥ë¡¼¥ë¤Ë¥Þ¥Ã¥Á¤·¤Æ¤â¥Ñ¥±¥Ã¥È¤Î¹ÔÊý¤Ë²¿¤â±Æ¶Á¤·¤Ê¤¤¤¬¡¢
+¥ë¡¼¥ë¤Î¥«¥¦¥ó¥¿¤Ï 1 ¤Ä²Ã»»¤µ¤ì¤ë¡£
+.TP
+.BR "-i, --in-interface " "[!] \fIname\fP"
+¥Ñ¥±¥Ã¥È¤ò¼õ¿®¤¹¤ë¤³¤È¤Ë¤Ê¤ë¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹Ì¾
+.RB ( INPUT ,
+.BR FORWARD ,
+.B PREROUTING
+¥Á¥§¥¤¥ó¤ËÆþ¤ë¥Ñ¥±¥Ã¥È¤Î¤ß)¡£
+¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹Ì¾¤ÎÁ°¤Ë "!" ¤òÃÖ¤¯¤È¡¢
+¤½¤Î¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹¤ò½ü³°¤¹¤ë¤È¤¤¤¦°ÕÌ£¤Ë¤Ê¤ë¡£
+¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹Ì¾¤¬ "+" ¤Ç½ª¤Ã¤Æ¤¤¤ë¾ì¹ç¡¢
+¤½¤Î̾Á°¤Ç»Ï¤Þ¤ëǤ°Õ¤Î¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹Ì¾¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
+¤³¤Î¥ª¥×¥·¥ç¥ó¤¬¾Êά¤µ¤ì¤¿¾ì¹ç¡¢
+Ǥ°Õ¤Î¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹Ì¾¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
+.TP
+.BR "-o, --out-interface " "[!] \fIname\fP"
+¥Ñ¥±¥Ã¥È¤òÁ÷¿®¤¹¤ë¤³¤È¤Ë¤Ê¤ë¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹Ì¾
+.RB ( FORWARD ,
+.BR OUTPUT ,
+.B POSTROUTING
+¥Á¥§¥¤¥ó¤ËÆþ¤ë¥Ñ¥±¥Ã¥È¤Î¤ß)¡£
+¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹Ì¾¤ÎÁ°¤Ë "!" ¤òÃÖ¤¯¤È¡¢
+¤½¤Î¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹¤ò½ü³°¤¹¤ë¤È¤¤¤¦°ÕÌ£¤Ë¤Ê¤ë¡£
+¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹Ì¾¤¬ "+" ¤Ç½ª¤Ã¤Æ¤¤¤ë¾ì¹ç¡¢
+¤½¤Î̾Á°¤Ç»Ï¤Þ¤ëǤ°Õ¤Î¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹Ì¾¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
+¤³¤Î¥ª¥×¥·¥ç¥ó¤¬¾Êά¤µ¤ì¤¿¾ì¹ç¡¢
+Ǥ°Õ¤Î¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹Ì¾¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
+.TP
+.B "[!] " "-f, --fragment"
+¤³¤Î¥ª¥×¥·¥ç¥ó¤Ï¡¢Ê¬³ä¤µ¤ì¤¿¥Ñ¥±¥Ã¥È (fragmented packet) ¤Î¤¦¤Á
+2 ÈÖÌܰʹߤΥѥ±¥Ã¥È¤À¤±¤ò»²¾È¤¹¤ë¥ë¡¼¥ë¤Ç¤¢¤ë¤³¤È¤ò°ÕÌ£¤¹¤ë¡£
+¤³¤Î¤è¤¦¤Ê¥Ñ¥±¥Ã¥È (¤Þ¤¿¤Ï ICMP ¥¿¥¤¥×¤Î¥Ñ¥±¥Ã¥È) ¤Ï
+Á÷¿®¸µ¡¦Á÷¿®Àè¥Ý¡¼¥È¤òÃΤëÊýË¡¤¬¤Ê¤¤¤Î¤Ç¡¢
+Á÷¿®¸µ¤äÁ÷¿®Àè¤ò»ØÄꤹ¤ë¤è¤¦¤Ê¥ë¡¼¥ë¤Ë¤Ï¥Þ¥Ã¥Á¤·¤Ê¤¤¡£
+"-f" ¥Õ¥é¥°¤ÎÁ°¤Ë "!" ¤òÃÖ¤¯¤È¡¢
+ʬ³ä¤µ¤ì¤¿¥Ñ¥±¥Ã¥È¤Î¤¦¤ÁºÇ½é¤Î¤â¤Î¤«¡¢
+ʬ³ä¤µ¤ì¤Æ¤¤¤Ê¤¤¥Ñ¥±¥Ã¥È¤À¤±¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
+.TP
+.BI "-c, --set-counters " "PKTS BYTES"
+¤³¤Î¥ª¥×¥·¥ç¥ó¤ò»È¤¦¤È¡¢
+.RB ( insert ,
+.BR append ,
+.B replace
+Áàºî¤Ë¤ª¤¤¤Æ) ´ÉÍý¼Ô¤Ï¥Ñ¥±¥Ã¥È¥«¥¦¥ó¥¿¤È¥Ð¥¤¥È¥«¥¦¥ó¥¿¤ò
+½é´ü²½¤¹¤ë¤³¤È¤¬¤Ç¤¤ë¡£
+.SS ¤½¤Î¾¤Î¥ª¥×¥·¥ç¥ó
+¤½¤Î¾¤Ë°Ê²¼¤Î¥ª¥×¥·¥ç¥ó¤ò»ØÄꤹ¤ë¤³¤È¤¬¤Ç¤¤ë:
+.TP
+.B "-v, --verbose"
+¾ÜºÙ¤Ê½ÐÎϤò¹Ô¤¦¡£
+list ¥³¥Þ¥ó¥É¤ÎºÝ¤Ë¡¢¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹Ì¾¡¦
+(¤â¤·¤¢¤ì¤Ð) ¥ë¡¼¥ë¤Î¥ª¥×¥·¥ç¥ó¡¦TOS ¥Þ¥¹¥¯¤òɽ¼¨¤µ¤»¤ë¡£
+¥Ñ¥±¥Ã¥È¤È¥Ð¥¤¥È¥«¥¦¥ó¥¿¤âɽ¼¨¤µ¤ì¤ë¡£
+ź»ú 'K', 'M', 'G' ¤Ï¡¢
+¤½¤ì¤¾¤ì 1000, 1,000,000, 1,000,000,000 Çܤòɽ¤¹
+(¤³¤ì¤òÊѹ¹¤¹¤ë
+.B -x
+¥Õ¥é¥°¤â¸«¤è)¡£
+¤³¤Î¥ª¥×¥·¥ç¥ó¤ò append, insert, delete, replace ¥³¥Þ¥ó¥É¤ËŬÍѤ¹¤ë¤È¡¢
+¥ë¡¼¥ë¤Ë¤Ä¤¤¤Æ¤Î¾ÜºÙ¤Ê¾ðÊó¤òɽ¼¨¤¹¤ë¡£
+.TP
+.B "-n, --numeric"
+¿ôÃͤˤè¤ë½ÐÎϤò¹Ô¤¦¡£
+IP ¥¢¥É¥ì¥¹¤ä¥Ý¡¼¥ÈÈÖ¹æ¤ò¿ôÃͤˤè¤ë¥Õ¥©¡¼¥Þ¥Ã¥È¤Çɽ¼¨¤¹¤ë¡£
+¥Ç¥Õ¥©¥ë¥È¤Ç¤Ï¡¢iptables ¤Ï (²Äǽ¤Ç¤¢¤ì¤Ð) ¤³¤ì¤é¤Î¾ðÊó¤ò
+¥Û¥¹¥È̾¡¦¥Í¥Ã¥È¥ï¡¼¥¯Ì¾¡¦¥µ¡¼¥Ó¥¹Ì¾¤Çɽ¼¨¤·¤è¤¦¤È¤¹¤ë¡£
+.TP
+.B "-x, --exact"
+¸·Ì©¤Ê¿ôÃͤÇɽ¼¨¤¹¤ë¡£
+¥Ñ¥±¥Ã¥È¥«¥¦¥ó¥¿¤È¥Ð¥¤¥È¥«¥¦¥ó¥¿¤ò¡¢
+K (1000 ¤Î²¿Çܤ«)¡¦M (1000K ¤Î²¿Çܤ«)¡¦G (1000M ¤Î²¿Çܤ«) ¤Ç¤Ï¤Ê¤¯¡¢
+¸·Ì©¤ÊÃͤÇɽ¼¨¤¹¤ë¡£
+¤³¤Î¥ª¥×¥·¥ç¥ó¤Ï¡¢
+.B -L
+¥³¥Þ¥ó¥É¤È¤·¤«´Ø·¸¤·¤Ê¤¤¡£
+.TP
+.B "--line-numbers"
+¥ë¡¼¥ë¤ò°ìÍ÷ɽ¼¨¤¹¤ëºÝ¡¢¤½¤Î¥ë¡¼¥ë¤¬¥Á¥§¥¤¥ó¤Î¤É¤Î°ÌÃ֤ˤ¢¤ë¤«¤òɽ¤¹
+¹ÔÈÖ¹æ¤ò³Æ¹Ô¤Î»Ï¤á¤ËÉղ乤롣
+.TP
+.B "--modprobe=command"
+¥Á¥§¥¤¥ó¤Ë¥ë¡¼¥ë¤òÄɲäޤ¿¤ÏÁÞÆþ¤¹¤ëºÝ¤Ë¡¢
+(¥¿¡¼¥²¥Ã¥È¤ä¥Þ¥Ã¥Á¥ó¥°¤Î³ÈÄ¥¤Ê¤É¤Ç) ɬÍפʥ⥸¥å¡¼¥ë¤ò¥í¡¼¥É¤¹¤ë¤¿¤á¤Ë»È¤¦
+.B command
+¤ò»ØÄꤹ¤ë¡£
+.SH ¥Þ¥Ã¥Á¥ó¥°¤Î³ÈÄ¥
+iptables ¤Ï³ÈÄ¥¤µ¤ì¤¿¥Ñ¥±¥Ã¥È¥Þ¥Ã¥Á¥ó¥°¥â¥¸¥å¡¼¥ë¤ò»È¤¦¤³¤È¤¬¤Ç¤¤ë¡£
+¤³¤ì¤é¤Î¥â¥¸¥å¡¼¥ë¤Ï 2 ¼ïÎà¤ÎÊýË¡¤Ç¥í¡¼¥É¤µ¤ì¤ë:
+¥â¥¸¥å¡¼¥ë¤Ï¡¢
+.B -p
+¤Þ¤¿¤Ï
+.B --protocol
+¤Ç°ÅÌۤΤ¦¤Á¤Ë»ØÄꤵ¤ì¤ë¤«¡¢
+.B -m
+¤Þ¤¿¤Ï
+.B --match
+¤Î¸å¤Ë¥â¥¸¥å¡¼¥ë̾¤ò³¤±¤Æ»ØÄꤵ¤ì¤ë¡£
+¤³¤ì¤é¤Î¥â¥¸¥å¡¼¥ë¤Î¸å¤í¤Ë¤Ï¡¢¥â¥¸¥å¡¼¥ë¤Ë±þ¤¸¤Æ
+¾¤Î¤¤¤í¤¤¤í¤Ê¥³¥Þ¥ó¥É¥é¥¤¥ó¥ª¥×¥·¥ç¥ó¤ò»ØÄꤹ¤ë¤³¤È¤¬¤Ç¤¤ë¡£
+Ê£¿ô¤Î³ÈÄ¥¥Þ¥Ã¥Á¥ó¥°¥â¥¸¥å¡¼¥ë¤ò°ì¹Ô¤Ç»ØÄꤹ¤ë¤³¤È¤¬¤Ç¤¤ë¡£
+¤Þ¤¿¡¢¥â¥¸¥å¡¼¥ë¤ËÆÃͤΥإë¥×¤òɽ¼¨¤µ¤»¤ë¤¿¤á¤Ë¤Ï¡¢
+¥â¥¸¥å¡¼¥ë¤ò»ØÄꤷ¤¿¸å¤Ç
+.B -h
+¤Þ¤¿¤Ï
+.B --help
+¤ò»ØÄꤹ¤ì¤Ð¤è¤¤¡£
+
+°Ê²¼¤Î³ÈÄ¥¤¬¥Ù¡¼¥¹¥Ñ¥Ã¥±¡¼¥¸¤Ë´Þ¤Þ¤ì¤Æ¤¤¤ë¡£
+ÂçÉôʬ¤Î¤â¤Î¤Ï¡¢
+.B !
+¤òÁ°¤Ë¤ª¤¯¤³¤È¤Ë¤è¤Ã¤Æ
+¥Þ¥Ã¥Á¥ó¥°¤Î°ÕÌ£¤òµÕ¤Ë¤Ç¤¤ë¡£
+.SS ah
+¤³¤Î¥â¥¸¥å¡¼¥ë¤Ï IPSec ¥Ñ¥±¥Ã¥È¤Î AH ¥Ø¥Ã¥À¡¼¤Î SPI Ãͤ˥ޥåÁ¤¹¤ë¡£
+.TP
+.BR "--ahspi " "[!] \fIspi\fP[:\fIspi\fP]"
+.SS conntrack
+¤³¤Î¥â¥¸¥å¡¼¥ë¤Ï¡¢ÀܳÄÉÀ× (connection tracking) ¤ÈÁȤ߹ç¤ï¤»¤ÆÍѤ¤¤ë¤È¡¢
+"state" ¥Þ¥Ã¥Á¤è¤ê¤â¤µ¤é¤Ë¿¤¯¤Î¡¢
+¥Ñ¥±¥Ã¥È¤Ë¤Ä¤¤¤Æ¤ÎÀܳÄÉÀ×¾õÂÖ¤òÃΤ뤳¤È¤¬¤Ç¤¤ë
+(¤³¤Îµ¡Ç½¤ò¥µ¥Ý¡¼¥È¤·¤¿¥«¡¼¥Í¥ë¤Î¤â¤È¤Ç iptables ¤¬¥³¥ó¥Ñ¥¤¥ë¤µ¤ì¤¿¾ì¹ç
+¤Ë¤Î¤ß¡¢¤³¤Î¥â¥¸¥å¡¼¥ë¤Ï¸ºß¤¹¤ë)¡£
+.TP
+.BI "--ctstate " "state"
+state ¤Ï¡¢¥Þ¥Ã¥Á¥ó¥°ÂоݤȤʤ롢¥³¥ó¥Þ¶èÀÚ¤ê¤ÎÀܳ¾õÂ֥ꥹ¥È¤Ç¤¢¤ë¡£
+»ØÄê²Äǽ¤Ê state ¤Ï°Ê²¼¤ÎÄ̤ꡣ
+.BR INVALID :
+¥á¥â¥ê¤ò»È¤¤²Ì¤¿¤·¤¿°Ù¤ä¡¢
+´ûÃΤÎÀܳ¤È¤ÏÂбþ¤·¤Ê¤¤ ICMP ¥¨¥é¡¼¤Ê¤É¡¢
+²¿¤é¤«¤ÎÍýͳ¤Ë¤è¤ê¥Ñ¥±¥Ã¥È¤¬¼±Ê̤Ǥ¤Ê¤¤¡£
+.BR ESTABLISHED :
+¤³¤Î¥Ñ¥±¥Ã¥È¤Ï¡¢²áµîÁÐÊý¸þ¤Ë¥Ñ¥±¥Ã¥È¤¬¤ä¤ê¼è¤ê¤µ¤ì¤¿Àܳ¤Ë°¤¹¤ë¥Ñ¥±¥Ã¥È¤Ç¤¢¤ë¡£
+.BR NEW :
+¤³¤Î¥Ñ¥±¥Ã¥È¤¬¿·¤·¤¤Àܳ¤ò³«»Ï¤·¤¿¤«¡¢
+ÁÐÊý¸þ¤Ë¤Ï¥Ñ¥±¥Ã¥È¤¬¤ä¤ê¼è¤ê¤µ¤ì¤Æ¤¤¤Ê¤¤Àܳ¤Ë°¤¹¤ë¥Ñ¥±¥Ã¥È¤Ç¤¢¤ë¡£
+.BR RELATED :
+¤³¤Î¥Ñ¥±¥Ã¥È¤¬¿·¤·¤¤Àܳ¤ò³«»Ï¤·¤Æ¤¤¤ë¤¬¡¢
+FTP ¥Ç¡¼¥¿Å¾Á÷¤ä ICMP ¥¨¥é¡¼¤Î¤è¤¦¤Ë¡¢´û¸¤ÎÀܳ¤Ë´Ø·¸¤·¤Æ¤¤¤ë¡£
+.BR SNAT :
+²¾ÁÛŪ¤Ê¾õÂ֤Ǥ¢¤ê¡¢½ñ¤´¹¤¨Á°¤ÎÁ÷¿®¸µ¥¢¥É¥ì¥¹¤¬±þÅú¤Î°¸À襢¥É¥ì¥¹¤È
+°Û¤Ê¤ë¾ì¹ç¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
+.BR DNAT :
+²¾ÁÛŪ¤Ê¾õÂ֤Ǥ¢¤ê¡¢½ñ¤´¹¤¨Á°¤Î°¸À襢¥É¥ì¥¹¤¬±þÅú¤ÎÁ÷¿®¸µ¥¢¥É¥ì¥¹¤È
+°Û¤Ê¤ë¾ì¹ç¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
+.TP
+.BI "--ctproto " "proto"
+(̾Á°¤Þ¤¿¤Ï¿ôÃͤÇ) »ØÄꤵ¤ì¤¿¥×¥í¥È¥³¥ë¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
+.TP
+.BI "--ctorigsrc " "[!] \fIaddress\fP[/\fImask\fP]"
+½ñ¤´¹¤¨Á°¤ÎÁ÷¿®¸µ¥¢¥É¥ì¥¹¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
+.TP
+.BI "--ctorigdst " "[!] \fIaddress\fP[/\fImask\fP]"
+½ñ¤´¹¤¨Á°¤Î°¸À襢¥É¥ì¥¹¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
+.TP
+.BI "--ctreplsrc " "[!] \fIaddress\fP[/\fImask\fP]"
+±þÅú¤ÎÁ÷¿®¸µ¥¢¥É¥ì¥¹¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
+.TP
+.BI "--ctrepldst " "[!] \fIaddress\fB[/\fImask\fP]"
+±þÅú¤Î°¸À襢¥É¥ì¥¹¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
+.TP
+.BI "--ctstatus " "[\fINONE|EXPECTED|SEEN_REPLY|ASSURED\fP][,...]"
+ÀܳÄÉÀפÎÆâÉôŪ¤Ê¾õÂ֤˥ޥåÁ¤¹¤ë¡£
+.TP
+.BI "--ctexpire " "\fItime\fP[\fI:time\fP]"
+͸ú´ü´Ö¤Î»Ä¤êÉÿô¡¢¤Þ¤¿¤Ï¤½¤ÎÈÏ°Ï(ξü¤ò´Þ¤à)¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
+.SS dscp
+¤³¤Î¥â¥¸¥å¡¼¥ë¤Ï¡¢IP ¥Ø¥Ã¥À¡¼¤Î TOS ¥Õ¥£¡¼¥ë¥ÉÆâ¤Ë¤¢¤ë¡¢
+6 bit ¤Î DSCP ¥Õ¥£¡¼¥ë¥É¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
+IETF ¤Ç¤Ï DSCP ¤¬ TOS ¤Ë¼è¤Ã¤ÆÂå¤ï¤Ã¤¿¡£
+.TP
+.BI "--dscp " "value"
+(10 ¿Ê¤Þ¤¿¤Ï 16 ¿Ê¤Î) ¿ôÃÍ [0\-63] ¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
+.TP
+.BI "--dscp-class " "\fIDiffServ Class\fP"
+DiffServ ¥¯¥é¥¹¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
+ÃÍ¤Ï BE, EF, AFxx, CSx ¥¯¥é¥¹¤Î¤¤¤º¤ì¤«¤Ç¤¢¤ë¡£
+¤³¤ì¤é¤Ï¡¢Âбþ¤¹¤ë¿ôÃͤǻØÄꤹ¤ë¤Î¤ÈƱ¤¸¤Ç¤¢¤ë¡£
+.SS esp
+¤³¤Î¥â¥¸¥å¡¼¥ë¤Ï IPSec ¥Ñ¥±¥Ã¥È¤Î ESP ¥Ø¥Ã¥À¡¼¤Î SPI Ãͤ˥ޥåÁ¤¹¤ë¡£
+.TP
+.BR "--espspi " "[!] \fIspi\fP[:\fIspi\fP]"
+.SS helper
+¤³¤Î¥â¥¸¥å¡¼¥ë¤Ï¡¢»ØÄꤵ¤ì¤¿ÀܳÄÉÀץإë¥Ñ¡¼¥â¥¸¥å¡¼¥ë¤Ë
+´ØÏ¢¤¹¤ë¥Ñ¥±¥Ã¥È¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
+.TP
+.BI "--helper " "string"
+»ØÄꤵ¤ì¤¿ÀܳÄÉÀץإë¥Ñ¡¼¥â¥¸¥å¡¼¥ë¤Ë
+´ØÏ¢¤¹¤ë¥Ñ¥±¥Ã¥È¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
+.RS
+.PP
+¥Ç¥Õ¥©¥ë¥È¤Î¥Ý¡¼¥È¤ò»È¤Ã¤¿ ftp-¥»¥Ã¥·¥ç¥ó¤Ë´ØÏ¢¤¹¤ë¥Ñ¥±¥Ã¥È¤Ç¤Ï¡¢
+string ¤Ë "ftp" ¤È½ñ¤±¤ë¡£
+¾¤Î¥Ý¡¼¥È¤Ç¤Ï "\-¥Ý¡¼¥ÈÈÖ¹æ" ¤òÃͤËÉÕ¤±²Ã¤¨¤ë¡£
+¤¹¤Ê¤ï¤Á "ftp-2121" ¤È¤Ê¤ë¡£
+.PP
+¾¤ÎÀܳÄÉÀץإë¥Ñ¡¼¤Ç¤âƱ¤¸¥ë¡¼¥ë¤¬Å¬ÍѤµ¤ì¤ë¡£
+.RE
+.SS icmp
+¤³¤Î³ÈÄ¥¤Ï `--protocol icmp' ¤¬»ØÄꤵ¤ì¤¿¾ì¹ç¤Ë¥í¡¼¥É¤µ¤ì¡¢
+°Ê²¼¤Î¥ª¥×¥·¥ç¥ó¤¬Ä󶡤µ¤ì¤ë:
+.TP
+.BR "--icmp-type " "[!] \fItypename\fP"
+¿ôÃͤΠICMP ¥¿¥¤¥×¡¢¤Þ¤¿¤Ï¥³¥Þ¥ó¥É
+.nf
+ iptables -p icmp -h
+.fi
+¤Çɽ¼¨¤µ¤ì¤ë ICMP ¥¿¥¤¥×̾¤ò»ØÄê¤Ç¤¤ë¡£
+.SS length
+¤³¤Î¥â¥¸¥å¡¼¥ë¤Ï¡¢»ØÄꤵ¤ì¤¿¥Ñ¥±¥Ã¥ÈĹ¡¢¤Þ¤¿¤Ï¤½¤ÎÈϰϤ˥ޥåÁ¤¹¤ë¡£
+.TP
+.BR "--length " "\fIlength\fP[:\fIlength\fP]"
+.SS limit
+¤³¤Î¥â¥¸¥å¡¼¥ë¤Ï¡¢¥È¡¼¥¯¥ó¥Ð¥±¥Ä¥Õ¥£¥ë¥¿¤ò»È¤¤¡¢
+ñ°Ì»þ´Ö¤¢¤¿¤êÀ©¸Â¤µ¤ì¤¿²ó¿ô¤À¤±¥Þ¥Ã¥Á¤¹¤ë¡£
+¤³¤Î³ÈÄ¥¤ò»È¤Ã¤¿¥ë¡¼¥ë¤Ï¡¢(`!' ¥Õ¥é¥°¤¬»ØÄꤵ¤ì¤Ê¤¤¸Â¤ê)
+À©¸Â¤Ë㤹¤ë¤Þ¤Ç¥Þ¥Ã¥Á¤¹¤ë¡£
+¤³¤Î¥â¥¸¥å¡¼¥ë¤ÏÎ㤨¤Ð¡¢¥í¥°µÏ¿¤òÀ©¸Â¤¹¤ë¤¿¤á¤Ë
+.B LOG
+¥¿¡¼¥²¥Ã¥È¤ÈÁȤ߹ç¤ï¤»¤Æ»È¤¦¤³¤È¤¬¤Ç¤¤ë¡£
+.TP
+.BI "--limit " "rate"
+ñ°Ì»þ´Ö¤¢¤¿¤ê¤ÎÊ¿¶Ñ¥Þ¥Ã¥Á²ó¿ô¤ÎºÇÂçÃÍ¡£
+¿ôÃͤǻØÄꤵ¤ì¡¢Åº»ú `/second', `/minute',
+`/hour', `/day' ¤òÉÕ¤±¤ë¤³¤È¤â¤Ç¤¤ë¡£
+¥Ç¥Õ¥©¥ë¥È¤Ï 3/hour ¤Ç¤¢¤ë¡£
+.TP
+.BI "--limit-burst " "number"
+¥Ñ¥±¥Ã¥È¤¬¥Þ¥Ã¥Á¤¹¤ë²ó¿ô¤ÎºÇÂç½é´üÃÍ:
+¥Þ¥Ã¥Á²ó¿ô¤ÎºÇÂçÃͤϡ¢
+¾å¤Î¥ª¥×¥·¥ç¥ó¤Ç»ØÄꤷ¤¿À©¸Â¤Ë㤷¤Ê¤±¤ì¤Ð¡¢
+¤½¤ÎÅÙ¤´¤È¤Ë¡¢¤³¤Î¿ôÃͤˤʤë¤Þ¤Ç 1 ¸Ä¤º¤ÄÁý¤ä¤µ¤ì¤ë¡£
+¥Ç¥Õ¥©¥ë¥È¤Ï 5 ¤Ç¤¢¤ë¡£
+.SS mac
+.TP
+.BR "--mac-source " "[!] \fIaddress\fP"
+Á÷¿®¸µ MAC ¥¢¥É¥ì¥¹¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
+.I address
+¤Ï XX:XX:XX:XX:XX:XX ¤È¤¤¤¦·Á¼°¤Ç¤Ê¤±¤ì¤Ð¤Ê¤é¤Ê¤¤¡£
+¥¤¡¼¥µ¡¼¥Í¥Ã¥È¥Ç¥Ð¥¤¥¹¤«¤éÆþ¤Ã¤Æ¤¯¤ë¥Ñ¥±¥Ã¥È¤Ç¡¢
+.BR PREROUTING ,
+.BR FORWARD ,
+.B INPUT
+¥Á¥§¥¤¥ó¤ËÆþ¤ë¥Ñ¥±¥Ã¥È¤Ë¤·¤«°ÕÌ£¤¬¤Ê¤¤¡£
+.SS mark
+¤³¤Î¥â¥¸¥å¡¼¥ë¤Ï¥Ñ¥±¥Ã¥È¤Ë´ØÏ¢¤Å¤±¤é¤ì¤¿
+netfilter ¤Î mark ¥Õ¥£¡¼¥ë¥É¤Ë¥Þ¥Ã¥Á¤¹¤ë
+(¤³¤Î¥Õ¥£¡¼¥ë¥É¤Ï¡¢°Ê²¼¤Î
+.B MARK
+¥¿¡¼¥²¥Ã¥È¤ÇÀßÄꤵ¤ì¤ë)¡£
+.TP
+.BR "--mark " "\fIvalue\fP[/\fImask\fP]"
+»ØÄꤵ¤ì¤¿Éä¹æ¤Ê¤· mark ÃͤΥѥ±¥Ã¥È¤Ë¥Þ¥Ã¥Á¤¹¤ë
+(mask ¤¬»ØÄꤵ¤ì¤ë¤È¡¢Èæ³Ó¤ÎÁ°¤Ë mask ¤È¤ÎÏÀÍýÀÑ (AND) ¤¬¤È¤é¤ì¤ë)¡£
+.SS multiport
+¤³¤Î¥â¥¸¥å¡¼¥ë¤ÏÁ÷¿®¸µ¤äÁ÷¿®Àè¤Î¥Ý¡¼¥È¤Î½¸¹ç¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
+¥Ý¡¼¥È¤Ï 15 ¸Ä¤Þ¤Ç»ØÄê¤Ç¤¤ë¡£
+¤³¤Î¥â¥¸¥å¡¼¥ë¤Ï
+.B "-p tcp"
+¤Þ¤¿¤Ï
+.B "-p udp"
+¤ÈÁȤ߹ç¤ï¤»¤Æ»È¤¦¤³¤È¤·¤«¤Ç¤¤Ê¤¤¡£
+.TP
+.BR "--source-ports " "\fIport\fP[,\fIport\fP[,\fIport\fP...]]"
+Á÷¿®¸µ¥Ý¡¼¥È¤¬»ØÄꤵ¤ì¤¿¥Ý¡¼¥È¤Î¤¦¤Á¤Î¤¤¤º¤ì¤«¤Ç¤¢¤ì¤Ð¥Þ¥Ã¥Á¤¹¤ë¡£
+¥Õ¥é¥°
+.B --sports
+¤Ï¡¢¤³¤Î¥ª¥×¥·¥ç¥ó¤ÎÊØÍø¤ÊÊÌ̾¤Ç¤¢¤ë¡£
+.TP
+.BR "--destination-ports " "\fIport\fP[,\fIport\fP[,\fIport\fP...]]"
+°¸Àè¥Ý¡¼¥È¤¬»ØÄꤵ¤ì¤¿¥Ý¡¼¥È¤Î¤¦¤Á¤Î¤¤¤º¤ì¤«¤Ç¤¢¤ì¤Ð¥Þ¥Ã¥Á¤¹¤ë¡£
+¥Õ¥é¥°
+.B --dports
+¤Ï¡¢¤³¤Î¥ª¥×¥·¥ç¥ó¤ÎÊØÍø¤ÊÊÌ̾¤Ç¤¢¤ë¡£
+.TP
+.BR "--ports " "\fIport\fP[,\fIport\fP[,\fIport\fP...]]"
+Á÷¿®¸µ¥Ý¡¼¥È¤È°¸Àè¥Ý¡¼¥È¤¬Åù¤·¤¯¡¢
+¤«¤Ä¤½¤Î¥Ý¡¼¥È¤¬»ØÄꤵ¤ì¤¿¥Ý¡¼¥È¤Î¤¦¤Á¤Î¤¤¤º¤ì¤«¤Ç¤¢¤ì¤Ð¥Þ¥Ã¥Á¤¹¤ë¡£
+.SS owner
+¤³¤Î¥â¥¸¥å¡¼¥ë¤Ï¡¢¥í¡¼¥«¥ë¤ÇÀ¸À®¤µ¤ì¤¿¥Ñ¥±¥Ã¥È¤ËÉÕ¤¤¤Æ¡¢
+¥Ñ¥±¥Ã¥ÈÀ¸À®¼Ô¤Î¤¤¤í¤¤¤í¤ÊÆÃÀ¤ËÂФ·¤Æ¥Þ¥Ã¥Á¤ò¹Ô¤¦¡£
+¤³¤ì¤Ï
+.B OUTPUT
+¥Á¥§¥¤¥ó¤Î¤ß¤Ç¤·¤«Í¸ú¤Ç¤Ê¤¤¡£
+¤Þ¤¿¡¢(ICMP ping ±þÅú¤Î¤è¤¦¤Ê) ¥Ñ¥±¥Ã¥È¤Ï¡¢
+½êͼԤ¬¤¤¤Ê¤¤¤Î¤ÇÀäÂФ˥ޥåÁ¤·¤Ê¤¤¡£
+.TP
+.BI "--uid-owner " "userid"
+»ØÄꤵ¤ì¤¿¼Â¸ú¥æ¡¼¥¶¡¼ ID ¤Î¥×¥í¥»¥¹¤Ë¤è¤ê
+¥Ñ¥±¥Ã¥È¤¬À¸À®¤µ¤ì¤Æ¤¤¤ë¾ì¹ç¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
+.TP
+.BI "--gid-owner " "groupid"
+»ØÄꤵ¤ì¤¿¼Â¸ú¥°¥ë¡¼¥× ID ¤Î¥×¥í¥»¥¹¤Ë¤è¤ê
+¥Ñ¥±¥Ã¥È¤¬À¸À®¤µ¤ì¤Æ¤¤¤ë¾ì¹ç¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
+.TP
+.BI "--pid-owner " "processid"
+»ØÄꤵ¤ì¤¿¥×¥í¥»¥¹ ID ¤Î¥×¥í¥»¥¹¤Ë¤è¤ê
+¥Ñ¥±¥Ã¥È¤¬À¸À®¤µ¤ì¤Æ¤¤¤ë¾ì¹ç¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
+.TP
+.BI "--sid-owner " "sessionid"
+»ØÄꤵ¤ì¤¿¥»¥Ã¥·¥ç¥ó¥°¥ë¡¼¥×¤Î¥×¥í¥»¥¹¤Ë¤è¤ê
+¥Ñ¥±¥Ã¥È¤¬À¸À®¤µ¤ì¤Æ¤¤¤ë¾ì¹ç¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
+.TP
+.BI "--cmd-owner " "name"
+»ØÄꤵ¤ì¤¿¥³¥Þ¥ó¥É̾¤ò»ý¤Ä¥×¥í¥»¥¹¤Ë¤è¤ê
+¥Ñ¥±¥Ã¥È¤¬À¸À®¤µ¤ì¤Æ¤¤¤ë¾ì¹ç¤Ë¥Þ¥Ã¥Á¤¹¤ë
+(¤³¤Îµ¡Ç½¤ò¥µ¥Ý¡¼¥È¤·¤¿¥«¡¼¥Í¥ë¤Î¤â¤È¤Ç iptables ¤¬¥³¥ó¥Ñ¥¤¥ë¤µ¤ì¤¿¾ì¹ç
+¤Ë¤Î¤ß¡¢¤³¤Î¥â¥¸¥å¡¼¥ë¤Ï¸ºß¤¹¤ë)¡£
+.SS physdev
+¤³¤Î¥â¥¸¥å¡¼¥ë¤Ï¡¢¥Ö¥ê¥Ã¥¸¥Ç¥Ð¥¤¥¹¤Î¥¹¥ì¡¼¥Ö¤Ë¤µ¤ì¤¿¡¢
+¥Ö¥ê¥Ã¥¸¥Ý¡¼¥È¤ÎÆþ½ÐÎϥǥХ¤¥¹¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
+¤³¤Î¥â¥¸¥å¡¼¥ë¤Ï¡¢¥Ö¥ê¥Ã¥¸¤Ë¤è¤ëÆ©²áŪ¤Ê
+IP ¥Õ¥¡¥¤¥¢¥¦¥©¡¼¥ë¤Î´ðÈפΰìÉô¤Ç¤¢¤ê¡¢
+¥«¡¼¥Í¥ë¥Ð¡¼¥¸¥ç¥ó 2.5.44 °Ê¹ß¤Ç¤Î¤ß͸ú¤Ç¤¢¤ë¡£
+.TP
+.B --physdev-in name
+¥Ñ¥±¥Ã¥È¤¬¼õ¿®¤µ¤ì¤ë¥Ö¥ê¥Ã¥¸¤Î¥Ý¡¼¥È̾
+.RB ( INPUT ,
+.BR FORWARD ,
+.B PREROUTING
+¥Á¥§¥¤¥ó¤ËÆþ¤ë¥Ñ¥±¥Ã¥È¤Î¤ß)¡£
+¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹Ì¾¤¬ "+" ¤Ç½ª¤Ã¤Æ¤¤¤ë¾ì¹ç¡¢
+¤½¤Î̾Á°¤Ç»Ï¤Þ¤ëǤ°Õ¤Î¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹Ì¾¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
+¥Ö¥ê¥Ã¥¸¥Ç¥Ð¥¤¥¹¤òÄ̤·¤Æ¼õ¤±¼è¤é¤ì¤Ê¤«¤Ã¤¿¥Ñ¥±¥Ã¥È¤Ï¡¢
+\&'!' ¤¬»ØÄꤵ¤ì¤Æ¤¤¤Ê¤¤¸Â¤ê¡¢¤³¤Î¥ª¥×¥·¥ç¥ó¤Ë¥Þ¥Ã¥Á¤·¤Ê¤¤¡£
+.TP
+.B --physdev-out name
+¥Ñ¥±¥Ã¥È¤òÁ÷¿®¤¹¤ë¤³¤È¤Ë¤Ê¤ë¥Ö¥ê¥Ã¥¸¤Î¥Ý¡¼¥È̾
+.RB ( FORWARD ,
+.BR OUTPUT ,
+.B POSTROUTING
+¥Á¥§¥¤¥ó¤ËÆþ¤ë¥Ñ¥±¥Ã¥È¤Î¤ß)¡£
+¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹Ì¾¤¬ "+" ¤Ç½ª¤Ã¤Æ¤¤¤ë¾ì¹ç¡¢
+¤½¤Î̾Á°¤Ç»Ï¤Þ¤ëǤ°Õ¤Î¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹Ì¾¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
+.B nat
+¤È
+.B mangle
+¥Æ¡¼¥Ö¥ë¤Î
+.B OUTPUT
+¥Á¥§¥¤¥ó¤Ç¤Ï¥Ö¥ê¥Ã¥¸¤Î½ÐÎϥݡ¼¥È¤Ë¥Þ¥Ã¥Á¤µ¤»¤ë¤³¤È¤¬¤Ç¤¤Ê¤¤¤¬¡¢
+.B filter
+¥Æ¡¼¥Ö¥ë¤Î
+.B OUPUT
+¥Á¥§¥¤¥ó¤Ç¤Ï¥Þ¥Ã¥Á²Äǽ¤Ç¤¢¤ë¡£
+¥Ñ¥±¥Ã¥È¤¬¥Ö¥ê¥Ã¥¸¥Ç¥Ð¥¤¥¹¤«¤éÁ÷¤é¤ì¤Ê¤«¤Ã¤¿¾ì¹ç¡¢
+¤Þ¤¿¤Ï¥Ñ¥±¥Ã¥È¤Î½ÐÎϥǥХ¤¥¹¤¬ÉÔÌÀ¤Ç¤¢¤Ã¤¿¾ì¹ç¤Ï¡¢
+\&'!' ¤¬»ØÄꤵ¤ì¤Æ¤¤¤Ê¤¤¸Â¤ê¡¢¥Ñ¥±¥Ã¥È¤Ï¤³¤Î¥ª¥×¥·¥ç¥ó¤Ë¥Þ¥Ã¥Á¤·¤Ê¤¤¡£
+.TP
+.B --physdev-is-in
+¥Ñ¥±¥Ã¥È¤¬¥Ö¥ê¥Ã¥¸¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹¤ËÆþ¤Ã¤¿¾ì¹ç¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
+.TP
+.B --physdev-is-out
+¥Ñ¥±¥Ã¥È¤¬¥Ö¥ê¥Ã¥¸¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹¤«¤é½Ð¤è¤¦¤È¤·¤¿¾ì¹ç¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
+.TP
+.B --physdev-is-bridged
+¥Ñ¥±¥Ã¥È¤¬¥Ö¥ê¥Ã¥¸¤µ¤ì¤ë¤³¤È¤Ë¤è¤ê¡¢
+¥ë¡¼¥Æ¥£¥ó¥°¤µ¤ì¤Ê¤«¤Ã¤¿¾ì¹ç¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
+¤³¤ì¤Ï FORWARD, POSTROUTING ¥Á¥§¥¤¥ó¤Ë¤ª¤¤¤Æ¤Î¤ßÌòΩ¤Ä¡£
+.SS pkttype
+¤³¤Î¥â¥¸¥å¡¼¥ë¤Ï¡¢¥ê¥ó¥¯ÁؤΥѥ±¥Ã¥È¥¿¥¤¥×¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
+.TP
+.BI "--pkt-type " "[\fIunicast\fP|\fIbroadcast\fP|\fImulticast\fP]"
+.SS state
+¤³¤Î¥â¥¸¥å¡¼¥ë¤Ï¡¢ÀܳÄÉÀ× (connection tracking) ¤ÈÁȤ߹ç¤ï¤»¤ÆÍѤ¤¤ë¤È¡¢
+¥Ñ¥±¥Ã¥È¤Ë¤Ä¤¤¤Æ¤ÎÀܳÄÉÀ×¾õÂÖ¤òÃΤ뤳¤È¤¬¤Ç¤¤ë¡£
+.TP
+.BI "--state " "state"
+state ¤Ï¡¢¥Þ¥Ã¥Á¥ó¥°¤ò¹Ô¤¦¤¿¤á¤Î¡¢¥³¥ó¥Þ¤Ç¶èÀÚ¤é¤ì¤¿Àܳ¾õÂ֤Υꥹ¥È¤Ç¤¢¤ë¡£
+»ØÄê²Äǽ¤Ê state ¤Ï°Ê²¼¤ÎÄ̤ꡣ
+.BR INVALID :
+¤³¤Î¥Ñ¥±¥Ã¥È¤Ï´ûÃΤÎÀܳ¤È´Ø·¸¤·¤Æ¤¤¤Ê¤¤¡£
+.BR ESTABLISHED :
+¤³¤Î¥Ñ¥±¥Ã¥È¤Ï¡¢²áµîÁÐÊý¸þ¤Ë¥Ñ¥±¥Ã¥È¤¬¤ä¤ê¼è¤ê¤µ¤ì¤¿Àܳ¤Ë°¤¹¤ë¥Ñ¥±¥Ã¥È¤Ç¤¢¤ë¡£
+.BR NEW :
+¤³¤Î¥Ñ¥±¥Ã¥È¤¬¿·¤·¤¤Àܳ¤ò³«»Ï¤·¤¿¤«¡¢
+ÁÐÊý¸þ¤Ë¤Ï¥Ñ¥±¥Ã¥È¤¬¤ä¤ê¼è¤ê¤µ¤ì¤Æ¤¤¤Ê¤¤Àܳ¤Ë°¤¹¤ë¥Ñ¥±¥Ã¥È¤Ç¤¢¤ë¡£
+.BR RELATED :
+¤³¤Î¥Ñ¥±¥Ã¥È¤¬¿·¤·¤¤Àܳ¤ò³«»Ï¤·¤Æ¤¤¤ë¤¬¡¢
+FTP ¥Ç¡¼¥¿Å¾Á÷¤ä ICMP ¥¨¥é¡¼¤Î¤è¤¦¤Ë¡¢´û¸¤ÎÀܳ¤Ë´Ø·¸¤·¤Æ¤¤¤ë¡£
+.SS tcp
+¤³¤ì¤é¤Î³ÈÄ¥¤Ï `--protocol tcp' ¤¬»ØÄꤵ¤ì¾ì¹ç¤Ë¥í¡¼¥É¤µ¤ì¡¢
+°Ê²¼¤Î¥ª¥×¥·¥ç¥ó¤¬Ä󶡤µ¤ì¤ë:
+.TP
+.BR "--source-port " "[!] \fIport\fP[:\fIport\fP]"
+Á÷¿®¸µ¥Ý¡¼¥È¤Þ¤¿¤Ï¥Ý¡¼¥ÈÈϰϤλØÄê¡£
+¥µ¡¼¥Ó¥¹Ì¾¤Þ¤¿¤Ï¥Ý¡¼¥ÈÈÖ¹æ¤ò»ØÄê¤Ç¤¤ë¡£
+.IR port : port
+¤È¤¤¤¦·Á¼°¤Ç¡¢2 ¤Ä¤ÎÈÖ¹æ¤ò´Þ¤àÈϰϤò»ØÄꤹ¤ë¤³¤È¤â¤Ç¤¤ë¡£
+ºÇ½é¤Î¥Ý¡¼¥È¤ò¾Êά¤·¤¿¾ì¹ç¡¢"0" ¤ò²¾Äꤹ¤ë¡£
+ºÇ¸å¤Î¥Ý¡¼¥È¤ò¾Êά¤·¤¿¾ì¹ç¡¢"65535" ¤ò²¾Äꤹ¤ë¡£
+ºÇ½é¤Î¥Ý¡¼¥È¤¬ºÇ¸å¤Î¥Ý¡¼¥È¤è¤êÂ礤¤¾ì¹ç¡¢2 ¤Ä¤ÏÆþ¤ì´¹¤¨¤é¤ì¤ë¡£
+.\"tsekine ¸¶Ê¸¤¬´Ö°ã¤Ã¤Æ¤½¤¦
+¥Õ¥é¥°
+.B --sport
+¤Ï¡¢¤³¤Î¥ª¥×¥·¥ç¥ó¤ÎÊØÍø¤ÊÊÌ̾¤Ç¤¢¤ë¡£
+.TP
+.BR "--destination-port " "[!] \fIport\fP[:\fIport\fP]"
+Á÷¿®Àè¥Ý¡¼¥È¤Þ¤¿¤Ï¥Ý¡¼¥ÈÈϰϤλØÄê¡£
+¥Õ¥é¥°
+.B --dport
+¤Ï¡¢¤³¤Î¥ª¥×¥·¥ç¥ó¤ÎÊØÍø¤ÊÊÌ̾¤Ç¤¢¤ë¡£
+.TP
+.BR "--tcp-flags " "[!] \fImask\fP \fIcomp\fP"
+TCP ¥Õ¥é¥°¤¬»ØÄꤵ¤ì¤¿¤â¤Î¤ÈÅù¤·¤¤¾ì¹ç¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
+Âè 1 °ú¤¿ô¤Ïɾ²ÁÂоݤȤ¹¤ë¥Õ¥é¥°¤Ç¡¢¥³¥ó¥Þ¶èÀÚ¤ê¤Î¥ê¥¹¥È¤Ç¤¢¤ë¡£
+Âè 2 °ú¤¿ô¤Ï¤³¤Î¤¦¤ÁÀßÄꤵ¤ì¤Æ¤¤¤Ê¤±¤ì¤Ð¤Ê¤é¤Ê¤¤¥Õ¥é¥°¤Ç¡¢
+¥³¥ó¥Þ¶èÀÚ¤ê¤Î¥ê¥¹¥È¤Ç¤¢¤ë¡£
+»ØÄê¤Ç¤¤ë¥Õ¥é¥°¤Ï
+.B "SYN ACK FIN RST URG PSH ALL NONE"
+¤Ç¤¢¤ë¡£
+¤è¤Ã¤Æ¡¢¥³¥Þ¥ó¥É
+.nf
+ iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN
+.fi
+¤Ï¡¢SYN ¥Õ¥é¥°¤¬ÀßÄꤵ¤ì ACK, FIN, RST ¥Õ¥é¥°¤¬ÀßÄꤵ¤ì¤Æ¤¤¤Ê¤¤
+¥Ñ¥±¥Ã¥È¤Ë¤Î¤ß¥Þ¥Ã¥Á¤¹¤ë¡£
+.TP
+.B "[!] --syn"
+SYN ¥Ó¥Ã¥È¤¬ÀßÄꤵ¤ì ACK ¤È RST ¥Ó¥Ã¥È¤¬¥¯¥ê¥¢¤µ¤ì¤Æ¤¤¤ë
+TCP ¥Ñ¥±¥Ã¥È¤Ë¤Î¤ß¥Þ¥Ã¥Á¤¹¤ë¡£
+¤³¤Î¤è¤¦¤Ê¥Ñ¥±¥Ã¥È¤Ï TCP Àܳ¤Î³«»ÏÍ×µá¤Ë»È¤ï¤ì¤ë¡£
+Î㤨¤Ð¡¢¤¢¤ë¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹¤ËÆþ¤Ã¤Æ¤¯¤ë¤³¤Î¤è¤¦¤Ê¥Ñ¥±¥Ã¥È¤ò¥Ö¥í¥Ã¥¯¤¹¤ì¤Ð¡¢
+Æ⦤ؤΠTCP Àܳ¤Ï¶Ø»ß¤µ¤ì¤ë¤¬¡¢³°Â¦¤Ø¤Î TCP Àܳ¤Ë¤Ï±Æ¶Á¤·¤Ê¤¤¡£
+¤³¤ì¤Ï \fB--tcp-flags SYN,RST,ACK SYN\fP ¤ÈÅù¤·¤¤¡£
+"--syn" ¤ÎÁ°¤Ë "!" ¥Õ¥é¥°¤òÃÖ¤¯¤È¡¢
+SYN ¥Ó¥Ã¥È¤¬¥¯¥ê¥¢¤µ¤ì ACK ¤È RST ¥Ó¥Ã¥È¤¬ÀßÄꤵ¤ì¤Æ¤¤¤ë
+TCP ¥Ñ¥±¥Ã¥È¤Ë¤Î¤ß¥Þ¥Ã¥Á¤¹¤ë¡£
+.TP
+.BR "--tcp-option " "[!] \fInumber\fP"
+TCP ¥ª¥×¥·¥ç¥ó¤¬ÀßÄꤵ¤ì¤Æ¤¤¤ë¾ì¹ç¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
+.TP
+.BR "--mss " "\fIvalue\fP[:\fIvalue\fP]"
+»ØÄꤵ¤ì¤¿ MSS ÃÍ (¤ÎÈÏ°Ï) ¤ò»ý¤Ä TCP ¤Î
+SYN ¤Þ¤¿¤Ï SYN/ACK ¥Ñ¥±¥Ã¥È¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
+MSS ¤ÏÀܳ¤ËÂФ¹¤ë¥Ñ¥±¥Ã¥È¤ÎºÇÂ祵¥¤¥º¤òÀ©¸æ¤¹¤ë¡£
+.SS tos
+¤³¤Î¥â¥¸¥å¡¼¥ë¤Ï IP ¥Ø¥Ã¥À¡¼¤Î 8 ¥Ó¥Ã¥È¤Î (¤Ä¤Þ¤ê¾å°Ì¥Ó¥Ã¥È¤ò´Þ¤à)
+Type of Service ¥Õ¥£¡¼¥ë¥É¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
+.TP
+.BI "--tos " "tos"
+°ú¤¿ô¤Ï¡¢¥Þ¥Ã¥Á¤ò¹Ô¤¦É¸½àŪ¤Ê̾Á°¤Ç¤â¿ôÃͤǤâ¤è¤¤
+(̾Á°¤Î¥ê¥¹¥È¤ò¸«¤ë¤Ë¤Ï
+.nf
+ iptables -m tos -h
+.fi
+¤ò»È¤¦¤³¤È)¡£
+.SS ttl
+¤³¤Î¥â¥¸¥å¡¼¥ë¤Ï IP ¥Ø¥Ã¥À¡¼¤Î time to live ¥Õ¥£¡¼¥ë¥É¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
+.TP
+.BI "--ttl " "ttl"
+»ØÄꤵ¤ì¤¿ TTL Ãͤ˥ޥåÁ¤¹¤ë¡£
+.SS udp
+¤³¤ì¤é¤Î³ÈÄ¥¤Ï `--protocol udp' ¤¬»ØÄꤵ¤ì¤¿¾ì¹ç¤Ë¥í¡¼¥É¤µ¤ì¡¢
+°Ê²¼¤Î¥ª¥×¥·¥ç¥ó¤¬Ä󶡤µ¤ì¤ë:
+.TP
+.BR "--source-port " "[!] \fIport\fP[:\fIport\fP]"
+Á÷¿®¸µ¥Ý¡¼¥È¤Þ¤¿¤Ï¥Ý¡¼¥ÈÈϰϤλØÄê¡£
+¾ÜºÙ¤Ï TCP ³ÈÄ¥¤Î
+.B --source-port
+¥ª¥×¥·¥ç¥ó¤ÎÀâÌÀ¤ò»²¾È¤¹¤ë¤³¤È¡£
+.TP
+.BR "--destination-port " "[!] \fIport\fP[:\fIport\fP]"
+Á÷¿®Àè¥Ý¡¼¥È¤Þ¤¿¤Ï¥Ý¡¼¥ÈÈϰϤλØÄê¡£
+¾ÜºÙ¤Ï TCP ³ÈÄ¥¤Î
+.B --destination-port
+¥ª¥×¥·¥ç¥ó¤ÎÀâÌÀ¤ò»²¾È¤¹¤ë¤³¤È¡£
+.SS unclean
+¤³¤Î¥â¥¸¥å¡¼¥ë¤Ë¤Ï¥ª¥×¥·¥ç¥ó¤¬¤Ê¤¤¤¬¡¢
+¤ª¤«¤·¤¯Àµ¾ï¤Ç¤Ê¤¤¤è¤¦¤Ë¸«¤¨¤ë¥Ñ¥±¥Ã¥È¤Ë¥Þ¥Ã¥Á¤¹¤ë¡£
+¤³¤ì¤Ï¼Â¸³Åª¤Ê¤â¤Î¤È¤·¤Æ°·¤ï¤ì¤Æ¤¤¤ë¡£
+.SH ¥¿¡¼¥²¥Ã¥È¤Î³ÈÄ¥
+iptables ¤Ï³ÈÄ¥¥¿¡¼¥²¥Ã¥È¥â¥¸¥å¡¼¥ë¤ò»È¤¦¤³¤È¤¬¤Ç¤¤ë:
+°Ê²¼¤Î¤â¤Î¤¬¡¢É¸½àŪ¤Ê¥Ç¥£¥¹¥È¥ê¥Ó¥å¡¼¥·¥ç¥ó¤Ë´Þ¤Þ¤ì¤Æ¤¤¤ë¡£
+.SS DNAT
+¤³¤Î¥¿¡¼¥²¥Ã¥È¤Ï
+.B nat
+¥Æ¡¼¥Ö¥ë¤Î
+.BR PREROUTING ,
+.B OUTPUT
+¥Á¥§¥¤¥ó¡¢¤³¤ì¤é¤Î¥Á¥§¥¤¥ó¤«¤é¸Æ¤Ó½Ð¤µ¤ì¤ë
+¥æ¡¼¥¶¡¼ÄêµÁ¥Á¥§¥¤¥ó¤Î¤ß¤Ç͸ú¤Ç¤¢¤ë¡£
+¤³¤Î¥¿¡¼¥²¥Ã¥È¤Ï¥Ñ¥±¥Ã¥È¤ÎÁ÷¿®À襢¥É¥ì¥¹¤ò½¤Àµ¤¹¤ë
+(¤³¤ÎÀܳ¤Î°Ê¹ß¤Î¥Ñ¥±¥Ã¥È¤â½¤Àµ¤·¤Æʬ¤«¤é¤Ê¤¯ (mangle) ¤¹¤ë)¡£
+¤µ¤é¤Ë¡¢¥ë¡¼¥ë¤Ë¤è¤ë¥Á¥§¥Ã¥¯¤ò»ß¤á¤µ¤»¤ë¡£
+¤³¤Î¥¿¡¼¥²¥Ã¥È¤Ë¤Ï¥ª¥×¥·¥ç¥ó¤¬ 1 ¼ïÎढ¤ë:
+.TP
+.BR "--to-destination " "\fIipaddr\fP[-\fIipaddr\fP][:\fIport\fP-\fIport\fP]"
+1 ¤Ä¤Î¿·¤·¤¤Á÷¿®Àè IP ¥¢¥É¥ì¥¹¡¢¤Þ¤¿¤Ï IP ¥¢¥É¥ì¥¹¤ÎÈϰϤ¬»ØÄê¤Ç¤¤ë¡£
+¥Ý¡¼¥È¤ÎÈϰϤò»ØÄꤹ¤ë¤³¤È¤â¤Ç¤¤ë
+(¤³¤ì¤Ï¥ë¡¼¥ë¤Ç
+.B "-p tcp"
+¤Þ¤¿¤Ï
+.B "-p udp"
+¤ò»ØÄꤷ¤Æ¤¤¤ë¾ì¹ç¤Ë¤Î¤ß͸ú)¡£
+¥Ý¡¼¥È¤ÎÈϰϤ¬»ØÄꤵ¤ì¤Æ¤¤¤Ê¤¤¾ì¹ç¡¢Á÷¿®Àè¥Ý¡¼¥È¤ÏÊѹ¹¤µ¤ì¤Ê¤¤¡£
+.RS
+.PP
+Ê£¿ô¤Î --to-destination ¥ª¥×¥·¥ç¥ó¤ò»ØÄꤹ¤ë¤³¤È¤¬¤Ç¤¤ë¡£
+¥¢¥É¥ì¥¹¤ÎÈϰϤˤè¤Ã¤Æ¡¢
+¤â¤·¤¯¤ÏÊ£¿ô¤Î --to-destination ¥ª¥×¥·¥ç¥ó¤Ë¤è¤Ã¤Æ
+2 ¤Ä°Ê¾å¤ÎÁ÷¿®À襢¥É¥ì¥¹¤ò»ØÄꤷ¤¿¾ì¹ç¡¢
+¤½¤ì¤é¤Î¥¢¥É¥ì¥¹¤ò»È¤Ã¤¿Ã±½ã¤Ê¥é¥¦¥ó¥É¡¦¥í¥Ó¥ó
+(½ç¡¹¤Ë½Û´Ä¤µ¤»¤ë) ¤¬¤ª¤³¤Ê¤ï¤ì¤ë¡£
+.RE
+.SS DSCP
+¤³¤Î¥¿¡¼¥²¥Ã¥È¤Ï¡¢IPv4 ¥Ñ¥±¥Ã¥È¤Î TOS ¥Ø¥Ã¥À¡¼¤Ë¤¢¤ë
+DSCP ¥Ó¥Ã¥È¤ÎÃͤνñ¤´¹¤¨¤ò²Äǽ¤Ë¤¹¤ë¡£
+¤³¤ì¤Ï¥Ñ¥±¥Ã¥È¤òÁàºî¤¹¤ë¤Î¤Ç¡¢mangle ¥Æ¡¼¥Ö¥ë¤Ç¤Î¤ß»ÈÍѤǤ¤ë¡£
+.TP
+.BI "--set-dscp " "value"
+DSCP ¥Õ¥£¡¼¥ë¥É¤Î¿ôÃͤòÀßÄꤹ¤ë (10 ¿Ê¤Þ¤¿¤Ï 16 ¿Ê)¡£
+.TP
+.BI "--set-dscp-class " "class"
+DSCP ¥Õ¥£¡¼¥ë¥É¤Î DiffServ ¥¯¥é¥¹¤òÀßÄꤹ¤ë¡£
+.SS ECN
+¤³¤Î¥¿¡¼¥²¥Ã¥È¤Ï ECN ¥Ö¥é¥Ã¥¯¥Û¡¼¥ëÌäÂê¤Ø¤ÎÂнè¤ò²Äǽ¤Ë¤¹¤ë¡£
+mangle ¥Æ¡¼¥Ö¥ë¤Ç¤Î¤ß»ÈÍѤǤ¤ë¡£
+.TP
+.BI "--ecn-tcp-remove"
+TCP ¥Ø¥Ã¥À¡¼¤«¤éÁ´¤Æ¤Î ECN ¥Ó¥Ã¥È (ÌõÃí: ECE/CWR ¥Õ¥é¥°) ¤ò¼è¤ê½ü¤¯¡£
+ÅöÁ³¡¢
+.B "-p tcp"
+¥ª¥×¥·¥ç¥ó¤È¤ÎÁȹç¤ï¤»¤Ç¤Î¤ß»ÈÍѤǤ¤ë¡£
+.SS LOG
+¥Þ¥Ã¥Á¤·¤¿¥Ñ¥±¥Ã¥È¤ò¥«¡¼¥Í¥ë¥í¥°¤ËµÏ¿¤¹¤ë¡£
+¤³¤Î¥ª¥×¥·¥ç¥ó¤¬¥ë¡¼¥ë¤ËÂФ·¤ÆÀßÄꤵ¤ì¤ë¤È¡¢
+Linux ¥«¡¼¥Í¥ë¤Ï¥Þ¥Ã¥Á¤·¤¿¥Ñ¥±¥Ã¥È¤Ë¤Ä¤¤¤Æ¤Î
+(ÂçÉôʬ¤Î IP ¥Ø¥Ã¥À¡¼¥Õ¥£¡¼¥ë¥É¤Î¤è¤¦¤Ê) ²¿¤é¤«¤Î¾ðÊó¤ò
+¥«¡¼¥Í¥ë¥í¥°¤Ëɽ¼¨¤¹¤ë
+(¥«¡¼¥Í¥ë¥í¥°¤Ï
+.I dmesg
+¤Þ¤¿¤Ï
+.IR syslogd (8)
+¤Ç¸«¤ë¤³¤È¤¬¤Ç¤¤ë)¡£
+¤³¤ì¤Ï "Èó½ªÎ»¥¿¡¼¥²¥Ã¥È" ¤Ç¤¢¤ë¡£
+¤¹¤Ê¤ï¤Á¡¢¥ë¡¼¥ë¤Î¸¡Æ¤¤Ï¡¢¼¡¤Î¥ë¡¼¥ë¤Ø¤È·Ñ³¤µ¤ì¤ë¡£
+¤è¤Ã¤Æ¡¢µñÈݤ¹¤ë¥Ñ¥±¥Ã¥È¤ò¥í¥°µÏ¿¤·¤¿¤±¤ì¤Ð¡¢
+Ʊ¤¸¥Þ¥Ã¥Á¥ó¥°È½ÃÇ´ð½à¤ò»ý¤Ä 2 ¤Ä¤Î¥ë¡¼¥ë¤ò»ÈÍѤ·¡¢
+ºÇ½é¤Î¥ë¡¼¥ë¤Ç LOG ¥¿¡¼¥²¥Ã¥È¤ò¡¢
+¼¡¤Î¥ë¡¼¥ë¤Ç DROP (¤Þ¤¿¤Ï REJECT) ¥¿¡¼¥²¥Ã¥È¤ò»ØÄꤹ¤ë¡£
+.TP
+.BI "--log-level " "level"
+¥í¥°µÏ¿¤Î¥ì¥Ù¥ë (¿ôÃͤƻØÄꤹ¤ë¤«¡¢
+(ÌõÃð: ̾Á°¤Ç»ØÄꤹ¤ë¾ì¹ç¤Ï) \fIsyslog.conf\fP(5) ¤ò»²¾È¤¹¤ë¤³¤È)¡£
+.TP
+.BI "--log-prefix " "prefix"
+»ØÄꤷ¤¿¥×¥ì¥Õ¥£¥Ã¥¯¥¹¤ò¥í¥°¥á¥Ã¥»¡¼¥¸¤ÎÁ°¤ËÉÕ¤±¤ë¡£
+¥×¥ì¥Õ¥£¥Ã¥¯¥¹¤Ï 29 ʸ»ú¤Þ¤Ç¤ÎŤµ¤Ç¡¢
+¥í¥°¤ÎÃæ¤Ç¥á¥Ã¥»¡¼¥¸¤ò¶èÊ̤¹¤ë¤Î¤ËÌòΩ¤Ä¡£
+.TP
+.B --log-tcp-sequence
+TCP ¥·¡¼¥±¥ó¥¹ÈÖ¹æ¤ò¥í¥°¤ËµÏ¿¤¹¤ë¡£
+¥í¥°¤¬¥æ¡¼¥¶¡¼¤«¤éÆɤá¤ë¾ì¹ç¡¢¥»¥¥å¥ê¥Æ¥£¾å¤Î´í¸±¤¬¤¢¤ë¡£
+.TP
+.B --log-tcp-options
+TCP ¥Ñ¥±¥Ã¥È¥Ø¥Ã¥À¡¼¤Î¥ª¥×¥·¥ç¥ó¤ò¥í¥°¤ËµÏ¿¤¹¤ë¡£
+.TP
+.B --log-ip-options
+IP ¥Ñ¥±¥Ã¥È¥Ø¥Ã¥À¡¼¤Î¥ª¥×¥·¥ç¥ó¤ò¥í¥°¤ËµÏ¿¤¹¤ë¡£
+.SS MARK
+¥Ñ¥±¥Ã¥È¤Ë´ØÏ¢¤Å¤±¤é¤ì¤¿ netfilter ¤Î mark ÃͤòÀßÄꤹ¤ë¡£
+.B mangle
+¥Æ¡¼¥Ö¥ë¤Î¤ß¤Ç͸ú¤Ç¤¢¤ë¡£
+Î㤨¤Ð¡¢iproute2 ¤ÈÁȤ߹ç¤ï¤»¤Æ»È¤¦¤³¤È¤¬¤Ç¤¤ë¡£
+.TP
+.BI "--set-mark " "mark"
+.SS MASQUERADE
+¤³¤Î¥¿¡¼¥²¥Ã¥È¤Ï
+.B nat
+¥Æ¡¼¥Ö¥ë¤Î
+.B POSTROUTING
+¥Á¥§¥¤¥ó¤Î¤ß¤Ç͸ú¤Ç¤¢¤ë¡£
+ưŪ³ä¤êÅö¤Æ IP (¥À¥¤¥ä¥ë¥¢¥Ã¥×) Àܳ¤Î¾ì¹ç¤Ë¤Î¤ß»È¤¦¤Ù¤¤Ç¤¢¤ë¡£
+¸ÇÄê IP ¥¢¥É¥ì¥¹¤Ê¤é¤Ð¡¢SNAT ¥¿¡¼¥²¥Ã¥È¤ò»È¤¦¤Ù¤¤Ç¤¢¤ë¡£
+¥Þ¥¹¥«¥ì¡¼¥Ç¥£¥ó¥°¤Ï¡¢¥Ñ¥±¥Ã¥È¤¬Á÷¿®¤µ¤ì¤ë¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹¤Î
+IP ¥¢¥É¥ì¥¹¤Ø¤Î¥Þ¥Ã¥Ô¥ó¥°¤ò»ØÄꤹ¤ë¤Î¤ÈƱ¤¸¤Ç¤¢¤ë¤¬¡¢
+¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹¤¬Ää»ß¤·¤¿¾ì¹ç¤ËÀܳ¤ò\fI˺¤ì¤ë\fR¤È¤¤¤¦¸ú²Ì¤¬¤¢¤ë¡£
+¼¡¤Î¥À¥¤¥ä¥ë¥¢¥Ã¥×¤Ç¤ÏƱ¤¸¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹¥¢¥É¥ì¥¹¤Ë¤Ê¤ë²ÄǽÀ¤¬Ä㤤
+(¤½¤Î¤¿¤á¡¢Á°²ó³ÎΩ¤µ¤ì¤¿Àܳ¤Ï¼º¤ï¤ì¤ë) ¾ì¹ç¡¢
+¤³¤ÎÆ°ºî¤ÏÀµ¤·¤¤¡£
+¤³¤Î¥¿¡¼¥²¥Ã¥È¤Ë¤Ï¥ª¥×¥·¥ç¥ó¤¬ 1 ¤Ä¤¢¤ë¡£
+.TP
+.BR "--to-ports " "\fIport\fP[-\fIport\fP]"
+¤³¤Î¥ª¥×¥·¥ç¥ó¤Ï¡¢»ÈÍѤ¹¤ëÁ÷¿®¸µ¥Ý¡¼¥È¤ÎÈϰϤò»ØÄꤷ¡¢
+¥Ç¥Õ¥©¥ë¥È¤Î
+.B SNAT
+Á÷¿®¸µ¥Ý¡¼¥È¤ÎÁªÂòÊýË¡ (¾åµ) ¤è¤ê¤âÍ¥À褵¤ì¤ë¡£
+¥ë¡¼¥ë¤¬
+.B "-p tcp"
+¤Þ¤¿¤Ï
+.B "-p udp"
+¤ò»ØÄꤷ¤Æ¤¤¤ë¾ì¹ç¤Ë¤Î¤ß͸ú¤Ç¤¢¤ë¡£
+.SS MIRROR
+¼Â¸³Åª¤Ê¥Ç¥â¥ó¥¹¥È¥ì¡¼¥·¥ç¥óÍѤΥ¿¡¼¥²¥Ã¥È¤Ç¤¢¤ê¡¢
+IP ¥Ø¥Ã¥À¡¼¤ÎÁ÷¿®¸µ¤ÈÁ÷¿®Àè¥Õ¥£¡¼¥ë¥É¤òÆþ¤ì´¹¤¨¡¢
+¥Ñ¥±¥Ã¥È¤òºÆÁ÷¿®¤¹¤ë¤â¤Î¤Ç¤¢¤ë¡£
+¤³¤ì¤Ï
+.BR INPUT ,
+.BR FORWARD ,
+.B PREROUTING
+¥Á¥§¥¤¥ó¤È¡¢¤³¤ì¤é¤Î¥Á¥§¥¤¥ó¤«¤é¸Æ¤Ó½Ð¤µ¤ì¤ë
+¥æ¡¼¥¶¡¼ÄêµÁ¥Á¥§¥¤¥ó¤À¤±¤Ç͸ú¤Ç¤¢¤ë¡£
+¥ë¡¼¥×Åù¤ÎÌäÂê¤ò²óÈò¤¹¤ë¤¿¤á¡¢³°Éô¤ËÁ÷¤é¤ì¤ë¥Ñ¥±¥Ã¥È¤Ï
+¤¤¤«¤Ê¤ë¥Ñ¥±¥Ã¥È¥Õ¥£¥ë¥¿¥ê¥ó¥°¥Á¥§¥¤¥ó¡¦ÀܳÄÉÀס¦NAT ¤«¤é¤â
+´Æ»ë\fB¤µ¤ì¤Ê¤¤\fR¡£
+.SS REDIRECT
+¤³¤Î¥¿¡¼¥²¥Ã¥È¤Ï¡¢
+.B nat
+¥Æ¡¼¥Ö¥ëÆâ¤Î
+.B PREROUTING
+¥Á¥§¥¤¥óµÚ¤Ó
+.B OUTPUT
+¥Á¥§¥¤¥ó¡¢¤½¤·¤Æ¤³¤ì¤é¥Á¥§¥¤¥ó¤«¤é¸Æ¤Ó½Ð¤µ¤ì¤ë
+¥æ¡¼¥¶¡¼ÄêµÁ¥Á¥§¥¤¥ó¤Ç¤Î¤ß͸ú¤Ç¤¢¤ë¡£
+¤³¤Î¥¿¡¼¥²¥Ã¥È¤Ï¥Ñ¥±¥Ã¥È¤ÎÁ÷¿®Àè IP ¥¢¥É¥ì¥¹¤ò
+¥Þ¥·¥ó¼«¿È¤Î IP ¥¢¥É¥ì¥¹¤ËÊÑ´¹¤¹¤ë¡£
+(¥í¡¼¥«¥ë¤ÇÀ¸À®¤µ¤ì¤¿¥Ñ¥±¥Ã¥È¤Ï¡¢¥¢¥É¥ì¥¹ 127.0.0.1 ¤Ë¥Þ¥Ã¥×¤µ¤ì¤ë)¡£
+¤³¤Î¥¿¡¼¥²¥Ã¥È¤Ë¤Ï¥ª¥×¥·¥ç¥ó¤¬ 1 ¤Ä¤¢¤ë:
+.TP
+.BR "--to-ports " "\fIport\fP[-\fIport\fP]"
+¤³¤Î¥ª¥×¥·¥ç¥ó¤Ï»ÈÍѤµ¤ì¤ëÁ÷¿®Àè¥Ý¡¼¥È¡¦¥Ý¡¼¥ÈÈÏ°Ï¡¦Ê£¿ô¥Ý¡¼¥È¤ò»ØÄꤹ¤ë¡£
+¤³¤Î¥ª¥×¥·¥ç¥ó¤¬»ØÄꤵ¤ì¤Ê¤¤¾ì¹ç¡¢Á÷¿®Àè¥Ý¡¼¥È¤ÏÊѹ¹¤µ¤ì¤Ê¤¤¡£
+¥ë¡¼¥ë¤¬
+.B "-p tcp"
+¤Þ¤¿¤Ï
+.B "-p udp"
+¤ò»ØÄꤷ¤Æ¤¤¤ë¾ì¹ç¤Ë¤Î¤ß͸ú¤Ç¤¢¤ë¡£
+.SS REJECT
+¥Þ¥Ã¥Á¤·¤¿¥Ñ¥±¥Ã¥È¤Î±þÅú¤È¤·¤Æ¥¨¥é¡¼¥Ñ¥±¥Ã¥È¤òÁ÷¿®¤¹¤ë¤¿¤á¤Ë»È¤ï¤ì¤ë¡£
+¥¨¥é¡¼¥Ñ¥±¥Ã¥È¤òÁ÷¤é¤Ê¤±¤ì¤Ð¡¢
+.B DROP
+¤ÈƱ¤¸¤Ç¤¢¤ê¡¢TARGET ¤ò½ªÎ»¤·¡¢¥ë¡¼¥ë¤Î¸¡Æ¤¤ò½ªÎ»¤¹¤ë¡£
+¤³¤Î¥¿¡¼¥²¥Ã¥È¤Ï¡¢
+.BR INPUT ,
+.BR FORWARD ,
+.B OUTPUT
+¥Á¥§¥¤¥ó¤È¡¢¤³¤ì¤é¤Î¥Á¥§¥¤¥ó¤«¤é¸Æ¤Ð¤ì¤ë
+¥æ¡¼¥¶¡¼ÄêµÁ¥Á¥§¥¤¥ó¤À¤±¤Ç͸ú¤Ç¤¢¤ë¡£
+°Ê²¼¤Î¥ª¥×¥·¥ç¥ó¤Ï¡¢ÊÖ¤µ¤ì¤ë¥¨¥é¡¼¥Ñ¥±¥Ã¥È¤ÎÆÃÀ¤òÀ©¸æ¤¹¤ë¡£
+.TP
+.BI "--reject-with " "type"
+type ¤È¤·¤Æ»ØÄê²Äǽ¤Ê¤â¤Î¤Ï
+.nf
+.B " icmp-net-unreachable"
+.B " icmp-host-unreachable"
+.B " icmp-port-unreachable"
+.B " icmp-proto-unreachable"
+.B " icmp-net-prohibited"
+.B " icmp-host-prohibited or"
+.B " icmp-admin-prohibited (*)"
+.fi
+¤Ç¤¢¤ê¡¢Å¬ÀÚ¤Ê ICMP ¥¨¥é¡¼¥á¥Ã¥»¡¼¥¸¤òÊÖ¤¹
+.RB ( port-unreachable
+¤¬¥Ç¥Õ¥©¥ë¥È¤Ç¤¢¤ë)¡£
+TCP ¥×¥í¥È¥³¥ë¤Ë¤Î¤ß¥Þ¥Ã¥Á¤¹¤ë¥ë¡¼¥ë¤ËÂФ·¤Æ¡¢¥ª¥×¥·¥ç¥ó
+.B tcp-reset
+¤ò»È¤¦¤³¤È¤¬¤Ç¤¤ë¡£
+¤³¤Î¥ª¥×¥·¥ç¥ó¤ò»È¤¦¤È¡¢TCP RST ¥Ñ¥±¥Ã¥È¤¬Á÷¤êÊÖ¤µ¤ì¤ë¡£
+¼ç¤È¤·¤Æ
+.I ident
+(113/tcp) ¤Ë¤è¤ëõºº¤òÁ˻ߤ¹¤ë¤Î¤ËÌòΩ¤Ä¡£
+.I ident
+¤Ë¤è¤ëõºº¤Ï¡¢²õ¤ì¤Æ¤¤¤ë (¥á¡¼¥ë¤ò¼õ¤±¼è¤é¤Ê¤¤) ¥á¡¼¥ë¥Û¥¹¥È¤Ë
+¥á¡¼¥ë¤¬Á÷¤é¤ì¤ë¾ì¹ç¤ËÉÑÈˤ˵¯¤³¤ë¡£
+.RS
+.PP
+(*) icmp-admin-prohibited ¤ò¥µ¥Ý¡¼¥È¤·¤Ê¤¤¥«¡¼¥Í¥ë¤Ç¡¢
+icmp-admin-prohibited ¤ò»ÈÍѤ¹¤ë¤È¡¢
+REJECT ¤Ç¤Ï¤Ê¤¯Ã±¤Ê¤ë DROP ¤Ë¤Ê¤ë¡£
+.SS SNAT
+¤³¤Î¥¿¡¼¥²¥Ã¥È¤Ï
+.B nat
+¥Æ¡¼¥Ö¥ë¤Î
+.B POSTROUTING
+¥Á¥§¥¤¥ó¤Î¤ß¤Ç͸ú¤Ç¤¢¤ë¡£
+¤³¤Î¥¿¡¼¥²¥Ã¥È¤Ï¥Ñ¥±¥Ã¥È¤ÎÁ÷¿®¸µ¥¢¥É¥ì¥¹¤ò½¤Àµ¤µ¤»¤ë
+(¤³¤ÎÀܳ¤Î°Ê¹ß¤Î¥Ñ¥±¥Ã¥È¤â½¤Àµ¤·¤Æʬ¤«¤é¤Ê¤¯ (mangle) ¤¹¤ë)¡£
+¤µ¤é¤Ë¡¢¥ë¡¼¥ë¤¬É¾²Á¤òÃæ»ß¤¹¤ë¤è¤¦¤Ë»Ø¼¨¤¹¤ë¡£
+¤³¤Î¥¿¡¼¥²¥Ã¥È¤Ë¤Ï¥ª¥×¥·¥ç¥ó¤¬ 1 ¼ïÎढ¤ë:
+.TP
+.BR "--to-source " "\fIipaddr\fP[-\fIipaddr\fP][:\fIport\fP-\fIport\fP]"
+1 ¤Ä¤Î¿·¤·¤¤Á÷¿®¸µ IP ¥¢¥É¥ì¥¹¡¢¤Þ¤¿¤Ï IP ¥¢¥É¥ì¥¹¤ÎÈϰϤ¬»ØÄê¤Ç¤¤ë¡£
+¥Ý¡¼¥È¤ÎÈϰϤò»ØÄꤹ¤ë¤³¤È¤â¤Ç¤¤ë
+(¥ë¡¼¥ë¤¬
+.B "-p tcp"
+¤Þ¤¿¤Ï
+.B "-p udp"
+¤ò»ØÄꤷ¤Æ¤¤¤ë¾ì¹ç¤Ë¤Î¤ß͸ú)¡£
+¥Ý¡¼¥È¤ÎÈϰϤ¬»ØÄꤵ¤ì¤Æ¤¤¤Ê¤¤¾ì¹ç¡¢
+512 ̤Ëþ¤ÎÁ÷¿®¸µ¥Ý¡¼¥È¤Ï¡¢Â¾¤Î 512 ̤Ëþ¤Î¥Ý¡¼¥È¤Ë¥Þ¥Ã¥Ô¥ó¥°¤µ¤ì¤ë¡£
+512 ¡Á 1023 ¤Þ¤Ç¤Î¥Ý¡¼¥È¤Ï¡¢1024 ̤Ëþ¤Î¥Ý¡¼¥È¤Ë¥Þ¥Ã¥Ô¥ó¥°¤µ¤ì¤ë¡£
+¤½¤ì°Ê³°¤Î¥Ý¡¼¥È¤Ï¡¢1024 °Ê¾å¤Î¥Ý¡¼¥È¤Ë¥Þ¥Ã¥Ô¥ó¥°¤µ¤ì¤ë¡£
+²Äǽ¤Ç¤¢¤ì¤Ð¡¢¥Ý¡¼¥È¤ÎÊÑ´¹¤Ïµ¯¤³¤é¤Ê¤¤¡£
+.RS
+.PP
+Ê£¿ô¤Î --to-source ¥ª¥×¥·¥ç¥ó¤ò»ØÄꤹ¤ë¤³¤È¤¬¤Ç¤¤ë¡£
+¥¢¥É¥ì¥¹¤ÎÈϰϤˤè¤Ã¤Æ¡¢
+¤â¤·¤¯¤ÏÊ£¿ô¤Î --to-source ¥ª¥×¥·¥ç¥ó¤Ë¤è¤Ã¤Æ
+2 ¤Ä°Ê¾å¤ÎÁ÷¿®¸µ¥¢¥É¥ì¥¹¤ò»ØÄꤷ¤¿¾ì¹ç¡¢
+¤½¤ì¤é¤Î¥¢¥É¥ì¥¹¤ò»È¤Ã¤¿Ã±½ã¤Ê¥é¥¦¥ó¥É¡¦¥í¥Ó¥ó
+(½ç¡¹¤Ë½Û´Ä¤µ¤»¤ë) ¤¬¤ª¤³¤Ê¤ï¤ì¤ë¡£
+.SS TCPMSS
+¤³¤Î¥¿¡¼¥²¥Ã¥È¤òÍѤ¤¤ë¤È¡¢TCP ¤Î SYN ¥Ñ¥±¥Ã¥È¤Î MSS Ãͤò½ñ¤´¹¤¨¡¢
+¤½¤Î¥³¥Í¥¯¥·¥ç¥ó¤ÎºÇÂ祵¥¤¥º
+(Ä̾ï¤Ï¡¢Á÷¿®¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹¤Î MTU ¤«¤é 40 °ú¤¤¤¿ÃÍ)
+¤òÀ©¸æ¤Ç¤¤ë¡£
+¤â¤Á¤í¤ó
+.B "-p tcp"
+¤ÈÁȤ߹ç¤ï¤»¤Æ¤·¤«»È¤¨¤Ê¤¤¡£
+.PP
+¤³¤Î¥¿¡¼¥²¥Ã¥È¤ÏÈȺáŪ¤ËƬ¤Î¤¤¤«¤ì¤¿ ISP ¤ä
+ICMP Fragmentation Needed ¥Ñ¥±¥Ã¥È¤ò¥Ö¥í¥Ã¥¯¤·¤Æ¤·¤Þ¤¦¥µ¡¼¥Ð¡¼¤ò
+¾è¤ê±Û¤¨¤ë¤¿¤á¤Ë»ÈÍѤ¹¤ë¡£
+Linux ¥Õ¥¡¥¤¥¢¥¦¥©¡¼¥ë/¥ë¡¼¥¿¡¼¤Ç¤Ï²¿¤âÌäÂ꤬¤Ê¤¤¤Î¤Ë¡¢
+¤½¤³¤Ë¤Ö¤é²¼¤¬¤ë¥Þ¥·¥ó¤Ç¤Ï°Ê²¼¤Î¤è¤¦¤ËÂ礤ʥѥ±¥Ã¥È¤ò
+¤ä¤ê¤È¤ê¤Ç¤¤Ê¤¤¤È¤¤¤¦¤Î¤¬¡¢¤³¤ÎÌäÂê¤ÎÃû¸õ¤Ç¤¢¤ë¡£
+.PD 0
+.RS 0.1i
+.TP 0.3i
+1)
+¥¦¥§¥Ö¡¦¥Ö¥é¥¦¥¶¤ÇÀܳ¤¬¡¢²¿¤Î¥Ç¡¼¥¿¤â¼õ¤±¼è¤é¤º¤Ë¥Ï¥ó¥°¤¹¤ë
+.TP
+2)
+û¤¤¥á¡¼¥ë¤ÏÌäÂê¤Ê¤¤¤¬¡¢Ä¹¤¤¥á¡¼¥ë¤¬¥Ï¥ó¥°¤¹¤ë
+.TP
+3)
+ssh ¤ÏÌäÂê¤Ê¤¤¤¬¡¢scp ¤ÏºÇ½é¤Î¥Ï¥ó¥É¥·¥§¡¼¥¯¸å¤Ë¥Ï¥ó¥°¤¹¤ë
+.RE
+.PD
+²óÈòÊýË¡: ¤³¤Î¥ª¥×¥·¥ç¥ó¤ò͸ú¤Ë¤·¡¢°Ê²¼¤Î¤è¤¦¤Ê¥ë¡¼¥ë¤ò
+¥Õ¥¡¥¤¥¢¥¦¥©¡¼¥ë¤ÎÀßÄê¤ËÄɲ乤롣
+.nf
+ iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \\
+ -j TCPMSS --clamp-mss-to-pmtu
+.fi
+.TP
+.BI "--set-mss " "value"
+MSS ¥ª¥×¥·¥ç¥ó¤ÎÃͤò»ØÄꤷ¤¿ÃͤËÀßÄꤹ¤ë¡£
+.TP
+.B "--clamp-mss-to-pmtu"
+¼«Æ°Åª¤Ë¡¢MSS Ãͤò (path_MTU - 40) ¤Ë¶¯À©¤¹¤ë¡£
+.RS
+.PP
+¤³¤ì¤é¤Î¥ª¥×¥·¥ç¥ó¤Ï¤É¤Á¤é¤« 1 ¤Ä¤·¤«»ØÄê¤Ç¤¤Ê¤¤¡£
+.RE
+.SS TOS
+IP ¥Ø¥Ã¥À¡¼¤Î 8 ¥Ó¥Ã¥È¤Î Type of Service ¥Õ¥£¡¼¥ë¥É¤òÀßÄꤹ¤ë¤¿¤á¤Ë»È¤ï¤ì¤ë¡£
+.B mangle
+¥Æ¡¼¥Ö¥ë¤Î¤ß¤Ç͸ú¤Ç¤¢¤ë¡£
+.TP
+.BI "--set-tos " "tos"
+TOS ¤òÈÖ¹æ¤Ç»ØÄꤹ¤ë¤³¤È¤¬¤Ç¤¤ë¡£
+¤Þ¤¿¡¢
+.nf
+ iptables -j TOS -h
+.fi
+¤ò¼Â¹Ô¤·¤ÆÆÀ¤é¤ì¤ë¡¢»ÈÍѲÄǽ¤Ê TOS ̾¤Î°ìÍ÷¤Ë¤¢¤ë TOS ̾¤â»ØÄê¤Ç¤¤ë¡£
+.SS ULOG
+¤³¤Î¥¿¡¼¥²¥Ã¥È¤Ï¡¢¥Þ¥Ã¥Á¤·¤¿¥Ñ¥±¥Ã¥È¤ò
+¥æ¡¼¥¶¡¼¶õ´Ö¤Ç¥í¥°µÏ¿¤¹¤ëµ¡Ç½¤òÄ󶡤¹¤ë¡£
+¤³¤Î¥¿¡¼¥²¥Ã¥È¤¬¥ë¡¼¥ë¤ËÀßÄꤵ¤ì¤ë¤È¡¢
+Linux ¥«¡¼¥Í¥ë¤Ï¡¢¤½¤Î¥Ñ¥±¥Ã¥È¤ò
+.I netlink
+¥½¥±¥Ã¥È¤òÍѤ¤¤Æ¥Þ¥ë¥Á¥¥ã¥¹¥È¤¹¤ë¡£
+¤½¤·¤Æ¡¢1 ¤Ä°Ê¾å¤Î¥æ¡¼¥¶¡¼¶õ´Ö¥×¥í¥»¥¹¤¬
+¤¤¤í¤¤¤í¤Ê¥Þ¥ë¥Á¥¥ã¥¹¥È¥°¥ë¡¼¥×¤ËÅÐÏ¿¤ò¤ª¤³¤Ê¤¤¡¢
+¥Ñ¥±¥Ã¥È¤ò¼õ¿®¤¹¤ë¡£
+LOG ¤ÈƱÍÍ¡¢¤³¤ì¤Ï "Èó½ªÎ»¥¿¡¼¥²¥Ã¥È" ¤Ç¤¢¤ê¡¢
+¥ë¡¼¥ë¤Î¸¡Æ¤¤Ï¼¡¤Î¥ë¡¼¥ë¤Ø¤È·Ñ³¤µ¤ì¤ë¡£
+.TP
+.BI "--ulog-nlgroup " "nlgroup"
+¥Ñ¥±¥Ã¥È¤òÁ÷¿®¤¹¤ë netlink ¥°¥ë¡¼¥× (1-32) ¤ò»ØÄꤹ¤ë¡£
+¥Ç¥Õ¥©¥ë¥È¤ÎÃÍ¤Ï 1 ¤Ç¤¢¤ë¡£
+.TP
+.BI "--ulog-prefix " "prefix"
+»ØÄꤷ¤¿¥×¥ì¥Õ¥£¥Ã¥¯¥¹¤ò¥í¥°¥á¥Ã¥»¡¼¥¸¤ÎÁ°¤ËÉÕ¤±¤ë¡£
+32 ʸ»ú¤Þ¤Ç¤Î»ØÄê¤Ç¤¤ë¡£
+¥í¥°¤ÎÃæ¤Ç¥á¥Ã¥»¡¼¥¸¤ò¶èÊ̤¹¤ë¤Î¤ËÊØÍø¤Ç¤¢¤ë¡£
+.TP
+.BI "--ulog-cprange " "size"
+¥æ¡¼¥¶¡¼¶õ´Ö¤Ë¥³¥Ô¡¼¤¹¤ë¥Ñ¥±¥Ã¥È¤Î¥Ð¥¤¥È¿ô¡£
+Ãͤ¬ 0 ¤Î¾ì¹ç¡¢¥µ¥¤¥º¤Ë´Ø·¸¤Ê¤¯Á´¥Ñ¥±¥Ã¥È¤ò¥³¥Ô¡¼¤¹¤ë¡£
+¥Ç¥Õ¥©¥ë¥È¤Ï 0 ¤Ç¤¢¤ë¡£
+.TP
+.BI "--ulog-qthreshold " "size"
+¥«¡¼¥Í¥ëÆâÉô¤Î¥¥å¡¼¤ËÆþ¤ì¤é¤ì¤ë¥Ñ¥±¥Ã¥È¤Î¿ô¡£
+Î㤨¤Ð¡¢¤³¤ÎÃͤò 10 ¤Ë¤·¤¿¾ì¹ç¡¢
+¥«¡¼¥Í¥ëÆâÉô¤Ç 10 ¸Ä¤Î¥Ñ¥±¥Ã¥È¤ò¤Þ¤È¤á¡¢
+1 ¤Ä¤Î netlink ¥Þ¥ë¥Á¥Ñ¡¼¥È¥á¥Ã¥»¡¼¥¸¤È¤·¤Æ¥æ¡¼¥¶¡¼¶õ´Ö¤ËÁ÷¤ë¡£
+(²áµî¤Î¤â¤Î¤È¤Î¸ß´¹À¤Î¤¿¤á) ¥Ç¥Õ¥©¥ë¥È¤Ï 1 ¤Ç¤¢¤ë¡£
+.SH ÊÖ¤êÃÍ
+¤¤¤í¤¤¤í¤Ê¥¨¥é¡¼¥á¥Ã¥»¡¼¥¸¤¬É¸½à¥¨¥é¡¼¤Ëɽ¼¨¤µ¤ì¤ë¡£
+Àµ¤·¤¯µ¡Ç½¤·¤¿¾ì¹ç¡¢½ªÎ»¥³¡¼¥É¤Ï 0 ¤Ç¤¢¤ë¡£
+ÉÔÀµ¤Ê¥³¥Þ¥ó¥É¥é¥¤¥ó¥Ñ¥é¥á¡¼¥¿¤Ë¤è¤ê¥¨¥é¡¼¤¬È¯À¸¤·¤¿¾ì¹ç¤Ï¡¢
+½ªÎ»¥³¡¼¥É 2 ¤¬ÊÖ¤µ¤ì¤ë¡£
+¤½¤Î¾¤Î¥¨¥é¡¼¤Î¾ì¹ç¤Ï¡¢½ªÎ»¥³¡¼¥É 1 ¤¬ÊÖ¤µ¤ì¤ë¡£
+.SH ¥Ð¥°
+¥Ð¥°? ¥Ð¥°¤Ã¤Æ²¿? ;-)
+¤¨¡¼¤È¡Ä¡¢sparc64 ¤Ç¤Ï¥«¥¦¥ó¥¿¡¼Ãͤ¬¿®Íê¤Ç¤¤Ê¤¤¡£
+.SH IPCHAINS ¤È¤Î¸ß´¹À
+.B iptables
+¤Ï¡¢Rusty Russell ¤Î ipchains ¤ÈÈó¾ï¤Ë¤è¤¯»÷¤Æ¤¤¤ë¡£
+Â礤ʰ㤤¤Ï¡¢¥Á¥§¥¤¥ó
+.B INPUT
+¤È
+.B OUTPUT
+¤¬¡¢¤½¤ì¤¾¤ì¥í¡¼¥«¥ë¥Û¥¹¥È¤ËÆþ¤Ã¤Æ¤¯¤ë¥Ñ¥±¥Ã¥È¤È¡¢
+¥í¡¼¥«¥ë¥Û¥¹¥È¤«¤é½Ð¤µ¤ì¤ë¥Ñ¥±¥Ã¥È¤Î¤ß¤·¤«Ä´¤Ù¤Ê¤¤¤È¤¤¤¦ÅÀ¤Ç¤¢¤ë¡£
+¤è¤Ã¤Æ¡¢(INPUT ¤È OUTPUT ¤ÎξÊý¤Î¥Á¥§¥¤¥ó¤òµ¯Æ°¤¹¤ë
+¥ë¡¼¥×¥Ð¥Ã¥¯¥È¥é¥Õ¥£¥Ã¥¯¤ò½ü¤¯)
+Á´¤Æ¤Î¥Ñ¥±¥Ã¥È¤Ï 3 ¤Ä¤¢¤ë¥Á¥§¥¤¥ó¤Î¤¦¤Á 1 ¤·¤«Ä̤é¤Ê¤¤¡£
+°ÊÁ°¤Ï (ipchains ¤Ç¤Ï)¡¢
+¥Õ¥©¥ï¡¼¥É¤µ¤ì¤ë¥Ñ¥±¥Ã¥È¤Ï 3 ¤Ä¤Î¥Á¥§¥¤¥óÁ´¤Æ¤òÄ̤äƤ¤¤¿¡£
+.PP
+¤½¤Î¾¤ÎÂ礤ʰ㤤¤Ï¡¢
+.B -i
+¤ÇÆþÎÏ¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹¡¢
+.B -o
+¤Ç½ÐÎÏ¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹¤ò»²¾È¤¹¤ë¤³¤È¡¢
+¤½¤·¤Æ¤È¤â¤Ë
+.B FORWARD
+¥Á¥§¥¤¥ó¤ËÆþ¤ë¥Ñ¥±¥Ã¥È¤ËÂФ·¤Æ»ØÄê²Äǽ¤ÊÅÀ¤Ç¤¢¤ë¡£
+.PP
+NAT ¤Î¤¤¤í¤¤¤í¤Ê·Á¼°¤¬Ê¬³ä¤µ¤ì¤¿¡£
+¥ª¥×¥·¥ç¥ó¤Î³ÈÄ¥¥â¥¸¥å¡¼¥ë¤È¤È¤â¤Ë
+¥Ç¥Õ¥©¥ë¥È¤Î¡Ö¥Õ¥£¥ë¥¿¡×¥Æ¡¼¥Ö¥ë¤òÍѤ¤¤¿¾ì¹ç¡¢
+.B iptables
+¤Ï½ã¿è¤Ê¥Ñ¥±¥Ã¥È¥Õ¥£¥ë¥¿¤È¤Ê¤ë¡£
+¤³¤ì¤Ï¡¢°ÊÁ°¤ß¤é¤ì¤¿ IP ¥Þ¥¹¥«¥ì¡¼¥Ç¥£¥ó¥°¤È¥Ñ¥±¥Ã¥È¥Õ¥£¥ë¥¿¥ê¥ó¥°¤Î
+Áȹ礻¤Ë¤è¤ëº®Íð¤ò´Êά²½¤¹¤ë¡£
+¤è¤Ã¤Æ¡¢¥ª¥×¥·¥ç¥ó
+.nf
+ -j MASQ
+ -M -S
+ -M -L
+.fi
+¤ÏÊ̤Τâ¤Î¤È¤·¤Æ°·¤ï¤ì¤ë¡£
+iptables ¤Ç¤Ï¡¢¤½¤Î¾¤Ë¤â¤¤¤¯¤Ä¤«¤ÎÊѹ¹¤¬¤¢¤ë¡£
+.SH ´ØÏ¢¹àÌÜ
+.BR iptables-save (8),
+.BR iptables-restore (8),
+.BR ip6tables (8),
+.BR ip6tables-save (8),
+.BR ip6tables-restore (8).
+.P
+¥Ñ¥±¥Ã¥È¥Õ¥£¥ë¥¿¥ê¥ó¥°¤Ë¤Ä¤¤¤Æ¤Î¾ÜºÙ¤Ê iptables ¤Î»ÈÍÑË¡¤ò
+ÀâÌÀ¤·¤Æ¤¤¤ë packet-filtering-HOWTO¡£
+NAT ¤Ë¤Ä¤¤¤Æ¾ÜºÙ¤ËÀâÌÀ¤·¤Æ¤¤¤ë NAT-HOWTO¡£
+ɸ½àŪ¤ÊÇÛÉۤˤϴޤޤì¤Ê¤¤³ÈÄ¥¤Î¾ÜºÙ¤ò
+ÀâÌÀ¤·¤Æ¤¤¤ë netfilter-extensions-HOWTO¡£
+ÆâÉô¹½Â¤¤Ë¤Ä¤¤¤Æ¾ÜºÙ¤ËÀâÌÀ¤·¤Æ¤¤¤ë netfilter-hacking-HOWTO¡£
+.PP
+.UR http://www.netfilter.org/
+.B http://www.netfilter.org/
+.UE
+¤ò»²¾È¤Î¤³¤È¡£
+.SH Ãø¼Ô
+Rusty Russell ¤Ï¡¢½é´ü¤ÎÃʳ¬¤Ç Michael Neuling ¤ËÁêÃ̤·¤Æ iptables ¤ò½ñ¤¤¤¿¡£
+.PP
+Marc Boucher ¤Ï Rusty ¤Ë iptables ¤Î°ìÈÌŪ¤Ê¥Ñ¥±¥Ã¥ÈÁªÂò¤Î¹Í¤¨Êý¤ò´«¤á¤Æ¡¢
+ipnatctl ¤ò»ß¤á¤µ¤»¤¿¡£
+¤½¤·¤Æ¡¢mangle ¥Æ¡¼¥Ö¥ë¡¦½êͼԥޥåÁ¥ó¥°¡¦
+mark µ¡Ç½¤ò½ñ¤¡¢¤¤¤¿¤ë¤È¤³¤í¤Ç»È¤ï¤ì¤Æ¤¤¤ëÁÇÀ²¤é¤·¤¤¥³¡¼¥É¤ò½ñ¤¤¤¿¡£
+.PP
+James Morris ¤¬ TOS ¥¿¡¼¥²¥Ã¥È¤È tos ¥Þ¥Ã¥Á¥ó¥°¤ò½ñ¤¤¤¿¡£
+.PP
+Jozsef Kadlecsik ¤¬ REJECT ¥¿¡¼¥²¥Ã¥È¤ò½ñ¤¤¤¿¡£
+.PP
+Harald Welte ¤¬ ULOG ¥¿¡¼¥²¥Ã¥È¤È¡¢
+TTL, DSCP, ECN ¤Î¥Þ¥Ã¥Á¡¦¥¿¡¼¥²¥Ã¥È¤ò½ñ¤¤¤¿¡£
+.PP
+Netfilter ¥³¥¢¥Á¡¼¥à¤Ï¡¢Marc Boucher, Martin Josefsson, Jozsef Kadlecsik,
+James Morris, Harald Welte, Rusty Russell ¤Ç¤¢¤ë¡£
+.PP
+man ¥Ú¡¼¥¸¤Ï Herve Eychenne <rv@wallfire.org> ¤¬½ñ¤¤¤¿¡£
+.\" .. and did I mention that we are incredibly cool people?
+.\" .. sexy, too ..
+.\" .. witty, charming, powerful ..
+.\" .. and most of all, modest ..
+.\" .. ¤½¤·¤Æ¡¢ËÍÅù¤¬¤È¤Æ¤â¥¯¡¼¥ë¤ÊÅÛ¤é¤À¤È¸À¤Ã¤Æ¤ª¤¤¤Æ¤â¤¤¤¤¤«¤Ê¡©
+.\" .. ¥»¥¯¥·¡¼¤Ç ..
+.\" .. ¤È¤Æ¤â¥¦¥£¥Ã¥È¤ËÉÙ¤ó¤Ç¤¤¤Æ¡¢¥Á¥ã¡¼¥ß¥ó¥°¤Ç¡¢¥Ñ¥ï¥Õ¥ë¤Ç ..
+.\" .. ¤½¤·¤Æ¡¢¤ß¤ó¤Ê¸¬µõ¤Ê¤ó¤À ..
--- /dev/null
+¡ß:iptables:1.2.9:2000/11/18:ipq_create_handle:3:::::
+¢¨:iptables:1.2.9:2000/11/18:ipq_destroy_handle:3:ipq_create_handle:3:
+¡ß:iptables:1.2.9:2000/11/18:ipq_errstr:3:::::
+¢¨:iptables:1.2.9:2000/11/18:ipq_get_msgerr:3:ipq_message_type:3:
+¢¨:iptables:1.2.9:2000/11/18:ipq_get_packet:3:ipq_message_type:3:
+¡ß:iptables:1.2.9:2000/11/18:ipq_message_type:3:::::
+¢¨:iptables:1.2.9:2000/11/18:ipq_perror:3:ipq_errstr:3:
+¡ß:iptables:1.2.9:2000/11/18:ipq_read:3:::::
+¡ß:iptables:1.2.9:2000/11/18:ipq_set_mode:3:::::
+¡ß:iptables:1.2.9:2000/11/18:ipq_set_verdict:3:::::
+¡ü:iptables:1.2.9:2000/11/18:libipq:3:2003/06/06::szuka@isp.co.jp:Susumu ISHIZUKA:
+¡û:iptables:1.2.9:2002/03/09:ip6tables:8:2004/03/12::ysato444@yahoo.co.jp:Yuichi SATO:
+¡û:iptables:1.2.9:2002/01/30:ip6tables-restore:8:2003/05/13::ysato444@yahoo.co.jp:Yuichi SATO:
+¡û:iptables:1.2.9:2002/01/30:ip6tables-save:8:2003/05/13::ysato444@yahoo.co.jp:Yuichi SATO:
+¡û:iptables:1.2.9:2002/03/09:iptables:8:2004/03/12::ysato444@yahoo.co.jp:Yuichi SATO:
+¡û:iptables:1.2.9:2001/03/16:iptables-restore:8:2001/05/15::ysato@h4.dion.ne.jp:Yuichi SATO:
+¡û:iptables:1.2.9:2001/03/16:iptables-save:8:2001/05/15::ysato@h4.dion.ne.jp:Yuichi SATO:
OSDN Git Service
