Linux IPCHAINS-HOWTO
Rusty Russell
v1.0.8, Tue Jul 4 14:20:53 EST 2000
ú{êó: JF Project (jf@linux.or.jp)
v1.0.1j Nov. 21, 2000
±Ì¶ÍALinux ü¯Ìg£³ê½ IP t@CAEH[O`FC\t
gEFAðÇÌæ¤ÉüèµACXg[µAÝèµA»µÄA±êðp
·éACfBAÌô©ðÚq·é±ÆðÚIƵܷB
______________________________________________________________________
Ú
1. nßÉ
1.1 ½?
1.2 Ⱥ?
1.3 Ǥ·êÎ?
1.4 DZ?
2. pPbgtB^OÌîb
2.1 pPbgtB^Æͽð·éàÌ?
2.2 Ⱥ?
2.3 ǤâÁÄ?
2.3.1 pPbgtB^O@\ðLøɵ½J[l
2.3.2 ipchains
2.3.3 tB^K¥ðPvIÉ·éÉÍ
3. à¤A¬µÄ½! [eBO¾ÌA}XJ[fBO¾ÌA|[gtH[fBO¾ÌA©®tH[fBO(ipautofw)¾ÌÁÄcB
3.1 Rusty Ì}XJ[fBOÉÖ·é 3ÂÌwj
3.2 ©IÈé`: WatchGuard ÅK§·é
3.3 t@CAEH[I®ìɤÊÈÝè
3.3.1 [Jlbg[N: `IÈvLV
3.3.2 vCx[glbg[N: §ßIÈvLV
3.3.3 vCx[glbg[N: }XJ[fBO
3.3.4 pubNlbg[N
3.3.5 §À³ê½àT[rX
3.4 }XJ[fBOÉηé»Ì¼Ìîñ
4. IP t@CAEH[O`FC
4.1 ÇÌæ¤ÉpPbgªtB^ðÊß·éÌ©
4.1.1 ipchains ðg¤
4.1.2 ȽÌRs
[^ªN®·éÉ©éàÌ
4.1.3 PêÌ[ÅÌì
4.1.4 tB^OÌdl
4.1.4.1 \[Xƶæ IP AhXÌwè
4.1.4.2 ÛèÌwè
4.1.4.3 vgRÌwè
4.1.4.3.1 UDP Æ TCP |[gÌwè
4.1.4.3.2 ICMP ^CvÆR[hÌwè
4.1.4.4 C^[tFCXÌwè
4.1.4.5 TCP SYN pPbgÌÝðwè·é
4.1.4.6 tOgÌ
4.1.5 tB^OÌIøÊ
4.1.5.1 ^[QbgÌwè
4.1.5.2 pPbgÌOL^
4.1.5.3 T[rXÌ^ðì·é
4.1.5.4 pPbgÌ}[LO
4.1.5.5 `FCÌì
4.1.5.6 Vµ¢`FCðìé
4.1.5.7 `FCðí·é
4.1.5.8 `FCðóÉ·é
4.1.5.9 `FCÌàeðXgAbv·é
4.1.5.10 JE^[ð([É)Zbg·é
4.1.5.11 |V[ðÝè·é
4.1.6 }XJ[fBOÌì
4.1.7 pPbgð`FbN·é
4.1.8 êxÉ¡Ì[ƽªN±éÌ©ð©é
4.2 ÀáW
4.2.1 ipchains-save ðg¤
4.2.2 ipchains-restore ðg¤
5. »Ì¼Ìîñ
5.1 t@CAEH[[ðÇÌæ¤É\z·é©
5.2 tB^OÅjüµÄÍ¢¯È¢pPbg
5.2.1 ICMP pPbg
5.2.2 DNS (l[T[o[) ÖÌ TCP Ú±
5.2.3 FTP Ì«²
5.3 Ping of Death ðr·é
5.4 Teardrop Æ Bonk ðr·é
5.5 tOgðr·é
5.6 t@CAEH[[ðÏX·é
5.7 IP UÛì(IP Spoof Protection)ðAÇÌæ¤ÉÝèµ½çæ¢Å·©?
5.8 ÅVÌvWFNg
5.8.1 SPF: Xe[gtpPbgtB^O
5.8.2 Michael Hasenstein Ì ftp-data nbN
5.9 ¡ãÌÛè
6. êÊIÈâè
6.1 ipchains -L ðg¤Æt[YµÜ·!
6.2 ½]ªÅ«Ü¹ñ!
6.3 Masquerading Ü½Í Forwarding ª®«Ü¹ñ!
6.4 -j REDIR ª®«Ü¹ñ!
6.5 ChJ[hC^[tF[Xª®«Ü¹ñ!
6.6 TOS (Type of Service) ª®«Ü¹ñ!
6.7 ipautofw Æipportfw ª®«Ü¹ñ!
6.8 xosview ªóêĢܷ!
6.9 `-j REDIRECT' Å Segmentation G[ÉÈèÜ·!
6.10 }XJ[fBOÌ^CAEglðÝèūܹñ!
6.11 IPX ðt@CAEH[µ½¢Å·!
7. ÀpIÈá
7.1 \¬
7.2 ÚI
7.3 pPbgtB^Oðs¤OÉ
7.4 pPbgðÊß³¹é½ßÌpPbgtB^O
7.4.1 forward `FC©çWv³¹é
7.4.2 icmp-acc `FCðè`·é
7.4.3 GOOD (àlbg[N) ©ç DMZ (T[olbg[N)
7.4.4 BAD (Olbg[N)©ç DMZ (T[olbg[N)
7.4.5 GOOD (àlbg[N)©ç BAD (Olbg[N)
7.4.6 DMZ ©ç GOOD (àlbg[N)
7.4.7 DMZ ©ç BAD (Olbg[N)
7.4.8 BAD (Olbg[N)©ç GOOD (àlbg[N)
7.4.9 Linux }V©gÉηépPbgtB^O
7.4.9.1 BAD (Olbg[N) C^[tF[X
7.4.9.2 DMZ C^tF[X
7.4.9.3 GOOD (àlbg[N)C^[tF[X
7.5 ÅãÉ
8. t^: ipchains Æ ipfwadm ÆÌá¢
8.1 NBbNt@Xê
8.2 ipfwadm R}hÌÏ·á
9. t^: ipfwadm-wrapper XNvgðg¤
10. t^: Ó«
10.1 |ó
11. ú{êóÉ¢Ä
______________________________________________________________________
1. nßÉ
±Ì¶Í IPCHAINS-HOWTO Å·BÅVŪ é}X^[TCgÍ ``DZ?''
ðQƵĺ³¢B LINUX NET-3-HOWTO àÇñ¾ûªæ¢Åµå¤B IP-
Masquerading HOWTO, PPP-HOWTO, Ethernet-HOWTO Æ Firewall HOTO àÊ
¢Åµå¤B (»µÄAJèԵܷªA alt.fan.bigfoot FAQ à)B
(ó: alt.fan.bigfoot FAQ <- [ájÌj
[XO[vAMO?])
pPbgtB^OÉ¢ÄùÉmÁÄ¢élÍA ``Ⱥ?'' ÌÍA
``ǤâÁÄ?'' ÌÍðÇñÅA ``IP t@CAEH[O`FC'' Ì
ÍÌÌ^Cgð´ÁÆßÄÝܵå¤B
ipfwadm ©çÚsµ½¢lÍA ``nßÉ'' ÌÍA ``ǤâÁÄ?'' ÌÍA
»µÄt^àÌ ``ipchains Æ ipfwadm ÆÌá¢'' ÌÍÆA ```ipfwadm-
wrapper' XNvgðg¤'' ÌÍðÇÝܵå¤B
1.1. ½?
Linux ipchains Í Linux IPv4 t@CAEH[OÌR[h (åÉ BSD ©
çÌpN)Ì«¼µÅ èAipfwadm Ì«¼µÅà èÜ·B»Ì
ipfwadm ÍA BSD Ì ipfw Ì«¼µÅà éÆAÍM¶Ä¢Ü·B
Linux o[W 2.1.102 È~Ì IP pPbgtB^ªAÇÉKvÅ
·B
1.2. Ⱥ?
ÈOÌ Linux Ìt@CAEH[ÌR[hÍ fragment ðµ¦Ü¹ñµA
(ÈÆà Intel pÅÍ) 32 rbgÌJE^µ© èܹñµA
TCP/UDP/ICMP ÈOÌdlÌvgRðl¶µÄ¢Ü¹ñµAAg~bN(u
ÔI)Éå«([ð)ÏX·é±ÆàūܹñµAt[ð½¹Ü
¹ñµA¢Â©ÈȪ èܵ½µAǵɢàÌŵ½(pÒÌ
~Xðµ«â·¢)B
(ó: ±±Åp¢çêéuAg~bN(´¶Í `atomically')vÍA
ipchains Æ¢¤R}h̼OÌRÉàÈÁÄ¢éƱë¾Æv¢Ü·B
[Uè``FCÉ¡Ì[ðè`µÄ¨«A»êðù¶Ì`FCÉ
ÇÁµ½èA½Íù¶Ì`FCðVµè`µ½`FCÆu··é±Æ
ÅAêuɵÄt@CAEH[ÌìpðÏX·é±ÆªÅ«Ü·B)
1.3. Ǥ·êÎ?
»ÝAJ[lÌR[hÌå¬Í 2.1.102 È~Å·B 2.0 J[lV[Y
ÅÍA web y[W©çpb`ð_E[h·éKvª èÜ·BàµA¨
è¿Ì 2.0 J[lª web ãÉľçêépb`æèàVµ¢ÈçÎA»
Ìâpb`ͽª OK ŵå¤B 2.0 J[lÌYªÍ¨¨æ»Àè
µÄ¢Ü·B(á¦ÎA 2.0.34 J[lÌpb`Í 2.0.35 J[lÉà
µÁ©èÄçêÜ·) 2.0 pb`Í ipportfw Æ ipautofw pb`ÆÌÝ·
«ªÈ¢ÌÅA ipchains ÁLÌ@\ð{ÉKvƵȢÈçÎApb`Ì
±üͨEߵܹñB
1.4. DZ?
ö®y[WÍ3Ó èÜ·B Penguin Computing ɴӵܷB
<http://netfilter.filewatcher.org/ipchains> the SAMBA Team É´ÓµÜ
·B <http://www.samba.org/netfilter/ipchains> Jim Pick ɴӵܷB
<http://netfilter.kernelnotes.org/ipchains>
oOñAc_AJAg¢ûðbµ¤[OXgª èÜ·B[
OXgÖÌüïÉÍAbZ[WÉ ``subscribe ipchains-list'' ð
¢ÄA east.balius.com É[µÄº³¢B[OXgÌo
[SõÉ[ðo·ÉÍA east.balius.com Ì ipchains-list ðgÁĺ
³¢B
2. pPbgtB^OÌîb
2.1. pPbgtB^Æͽð·éàÌ?
lbg[NðÊéSÄÌgtBbNÍApPbgÌ`Åèo³êÜ·B
á¦ÎA±ÌpbP[W(50KoCgÍ éŵå¤)ð_E[h·é±Æ
ÅA1460oCgÌpPbg36ÂÙÇðóM·é±ÆÉÈéŵå¤(ÀÛÉÍ
»ÌÆ«Ç«ÉæÁÄÂâTCYÍÙÈèÜ·)B
(ó: »ÝÅͱ̶Í100KBðz¦Ä¢Ü·:))
epPbgÍ»êªÇ±Éü¯çê½àÌ©ðLq·éª©çnÜèADZ
©ç½àÌ©A»ê©çpPbgÌíÞÆÇãKvÈÚ×àeðÜñÅ¢
Ü·BpPbg̱ÌJnªÍAwb_ÆÄÎêĢܷBܽA`³ê
Ä¢éÀÛÌf[^ðÜñ¾pPbgÌcè̪ÍAÊí{fBÆÄÎêÄ
¢Ü·B
EFuEgtBbNA[Æ[gOC̽ßÉgíêé¢Â©
ÌvgR(á¦Î TCP)Í `Ú±(RlNV)'ÆæÎêéTOðg¢Ü
·BÀÛÌf[^pPbgªèo³êéOÉA`ÍAÚ±µ½¢'A`OK'A
»µÄ` èªÆ¤'Æ¢Á½A(ÁÊÈwb_ðº¤)FXÈZbgAbvEp
Pbgðð·µÜ·B
pPbgEtB^ÍApPbgÌwb_ð©ÄA»ÌpPbgSÌðÇÌæ
¤Éæ赤©ðè·é¬³È\tgEFAÅ·BpPbgÍ
Û(deny)(·Èí¿AóMµÈ©Á½©Ìæ¤ÉApPbgðÌÄé)±ÆÉ
ßçêé©àµêÈ¢µAÂ(accept)(·Èí¿ApPbgðÊß³¹é)·
é±ÆÉÈé©àµêÈ¢µApPbgðÔp(reject)("Û"ÆÄ¢é¯
êÇApPbgÌM³É»Ì±ÆðÊm·é)·é©àµêܹñB
Linux ɨ¢ÄÍApPbgEtB^OÍJ[lÉgÝÜêÄ¢Ü
·B»µÄApPbgÌæµ¢ÉֵĵΩègbNðd|¯é±Æª
Å«Ü·ªA»Ìî{IÈK¥Í ÜÅwb_ð©ÄApPbgÌæèµ¢
ðè·éÆ¢¤àÌÅ·B
2.2. Ⱥ?
Rg[BZL
eBBÄB
Rg[:
Ƚª Linux {bNXðàÌlbg[NÆÊÌlbg[N(á
¦ÎAC^[lbg)ðq®½ßÉgÁÄ¢éÈçA ȽÉÍAÁ
èÌgtBbN¾¯ÂµÄA¼ÌàÌð³È¢æ¤É·é`
Xª èÜ·Bá¦ÎApPbgÌwb_[ÉÍ ÄæAhX ªÜ
ÜêÄ¢ÄAOlbg[NÌÆ éÖü©¤pPbgðÛ·é
±ÆªÅ«Ü·BÊÌáƵÄANetscape ðgÁÄ Dilbert ÌA[J
Cu (ó: Dilbert Æ¢¤GWjAªålöÌhæÌTCgA
¿ÈÝÉ dilbert ÌÓ¡Í'Ω') ÉANZX·éêÅ·By[W
ÉÍ doubleclick.net ÌLª èA Netscape Í»ê𢻢»Æ
_E[h·é½ßÉÌÔðQïµÜ·BpPbgtB^[É
doubleclick.net LÌAhX©çÌÇñÈpPbgàµȢæ
¤Éw¦·êÎâèÍðµÜ·(àÁÆ¢¢û@ª èÜ·¯êÇ:
Junkbuster (ó: http://internet.junkbuster.com
<http://internet.junkbuster.com> ) ð©Äº³¢)B
ZL
eB:
È½Ì Linux {bNXªC^[lbg̬×ÆA³µ¢ È
½Ì·Ä«Èlbg[NÌÔÉ éBę̂ÈçA·Îçµ¢±Æ
ÉA ȽͣèÉâÁÄéÒðhAÌƱëŧÀ·é±ÆªÅ«
Ü·Bá¦ÎA ȽÌlbg[N©çoÄsàÌͽÅà·æ
¤ÉµÄA«ÓÌ éO©çÌæmçê½ `Ping of Death' U
ðxú·éæ¤ÉÅ«Ü·BÊÌáƵÄA È½Ì Linux {bNX
ÉA½Æ¦SÄÌAJEgÉpX[hªt¢Ä¢éƵÄàAO
ÌÒª telnet µÄé±Æð]ÜÈ¢©àµêܹñB½ÔñA È
½Í(åïÌlXÌæ¤É)C^[lbgð½¾ßÄ¢½¢¾¯ÅA
T[o[É(DÞÆDܸɩ©íç¸)Èè½È¢ÌÅ·BPÉA
pPbgtB^[ÅÚ±ðJn·épPbg̬üðÛµÄA¾ê
ÉàÚ±³êÈ¢æ¤ÉµÄº³¢B
(ó: "Ìping" ÙíÉ·åÈ ICMP pPbgÈÇðlbg[NÚ
±³ê½Rs
[^Éè¯ÄAVXeNbV
âT[rXÌ
â~ðø«N±·U̱ÆB)
Ä:
Æ«Ç«[Jlbg[NÉ«ÝèÌ«¢}Vª èAOÌ
¢EÉpPbgªRêoéæ¤ÉÈÁÄ¢é±Æª èÜ·B·Îçµ
¢±ÆÉApPbgtB^[ͽ©ÙíȱƪN±Á½Æ«É È
½Émç¹ÄêÜ·B»êÉæÁĽç©ÌΪūé±Æðmé
©A é¢Í½¾PÉ©ªªFõD«È«i¾Æm龯©àµêܹ
ñB
2.3. ǤâÁÄ?
2.3.1. pPbgtB^O@\ðLøɵ½J[l
Vµ¢ IP t@CAEH[E`F[@\ðÂJ[lªKvÅ·B¡®
ìµÄ¢éJ[lªA±Ì@\ðgÝñ¾à̩Ǥ©»f·éÉÍA
/proc/net/ip_fwchains ðTµÄÝܵå¤B±êª¶Ý·éÈçÎAùÉg
ÝÜêĢܷB
(ó: 2.2.xÈ~ÌJ[lð¨g¢ÌêÍAåïùÉgÝÜêÄ¢é±
Æŵå¤B)
ൻ¤ÅȯêÎA È½Í IP t@CAEH[E`F[ðÂJ[l
ðìéKvª èÜ·BÅÉA Ƚª~µ¢J[lÌ\[Xð_E
[hµÜµå¤B ȽÌJ[lª o[W 2.1.102 È~ÌàÌÈ
çA»Ýå¬ÌJ[lÅ éÌÅAüßÄpb`ðÄéKvÍ èܹ
ñB»¤ÅÈ¢ÉÍOoÌ Web y[W©çpb`ðüèµÄKpµA»µ
Äɦ·æ¤ÈÝèÅJ[lð\¬µÄº³¢BàµA Ƚª±êð·
éû@ðmçÈÄàAQÄȢŠKernel-HOWTO ðÇÝܵå¤B
(ó: Kernel-HOWTOÌMóÍ http://www.linux.or.jp/JF/JFdocs/Kernel-
HOWTO.html <http://www.linux.or.jp/JF/JFdocs/Kernel-HOWTO.html> É è
Ü·B)
Ƚª2.0-V[YÌJ[lÉÝè·éKvª éRtBO[V
IvVÍAȺÌÊèÅ·:
______________________________________________________________________
CONFIG_EXPERIMENTAL=y
CONFIG_FIREWALL=y
CONFIG_IP_FIREWALL=y
CONFIG_IP_FIREWALL_CHAINS=y
______________________________________________________________________
2.1 © 2.2 ÌV[YEJ[lÌêÍÌÊèÅ·:
______________________________________________________________________
CONFIG_FIREWALL=y
CONFIG_IP_FIREWALL=y
______________________________________________________________________
c[Å é ipchains vOÍAJ[lÉεÄÇñÈpPbgð
tB^·é׫©É¢ÄÊm·é½ßÌàÌÅ·B ȽªvO}Å
é©AïÁÈlÔÅÈ¢ÀèA±êªpPbgtB^Oð§ä·éû
@ÆÈèÜ·B
2.3.2. ipchains
ipchains c[ÍAJ[lÌpPbgEtB^OÉÖ·éZNV
©ç[ð}üµ½èíµ½èµÜ·B±êÍA Ƚª½Æ¦½ðÝ
èµÄàA»êªÄN®ÉæÁÄÁ¦ÄµÜ¤±ÆðÓ¡µÄ¢Ü·BñA
Linux ªu[g³êéÛÉA»êçðmÀÉß··éû@É¢ÄÍAÌß
``tB^K¥ðPvIÉ·éÉÍ'' ðQƵĺ³¢B
ipchains ÍÈOÜÅIPt@CAEH[ðÀ»·é½ßÉgíêÄ¢½
ipfwadm Æu«·¦çêé±ÆÉÈèÜ·BðɧÂXNvgÌZbgªA
Ì ipchains ÌAhX©çüèÂ\Å·:
http://netfilter.filewatcher.org/ipchains/ipchains-
scripts-1.1.2.tar.gz
<http://netfilter.filewatcher.org/ipchains/ipchains-
scripts-1.1.2.tar.gz>
±êÉÍÈOsíêÄ¢½ÌƯ¶æ¤ÈX^CÅpPbgEtB^
Oðsí¹é½ßÌ ipfwadm-wrapper ÆÄÎêÄ¢éVFXNvgðÜ
ñŢܷB Ƚª ipfwadm (ipchainsÆä×AæèxÄAøA»Ì¼
ð`FbNµÈ¢ÌàÌ)ðg¤VXeðAbvO[h·éèÁæè
¢û@ª~µÈ¢ÀèA Ƚͽª±ÌXNvgðg¤×«ÅÍÈ¢Å
µå¤B»¤¢¤ûÉÍ Üè±Ì HOWTO àKvÆͳêÈ¢±ÆÆv¢Ü
·B
ipfwadm ÖAÌÚ×É¢ÄÍAt^: ``ipchains Æ ipfwadm ÆÌá¢''
ât^: ```ipfwadm-wrapper'XNvgðg¤'' 𲺳¢B
2.3.3. tB^K¥ðPvIÉ·éÉÍ
Ƚ̻ÝÌt@CAEH[ÝèÍAJ[lÉi[³êÄA±Ìæ¤É
ÄN®É͸íêĵܢܷB ȽÌ[ðPvIÉ·é½ßÉ
`ipchains-save' Æ `ipchains-restore' XNvgðg¤±Æð¨©ßµÜ
·B±êðg¤ÉÍAܸ ȽÌ[ðÝèµÄAÌæ¤ÉR}hð
ÀsµÜ·(root ƵÄÀsµÄº³¢):
# ipchains-save > /etc/ipchains.rules
#
XNvgÍÌæ¤ÉìÁĨ«Ü·:
#! /bin/sh
# pPbgtB^§ä̽ßÌXNvg
# [ªÈ¯êνàµÈ¢
[ -f /etc/ipchains.rules ] || exit 0
case "$1" in
start)
echo -n "Turning on packet filtering:"
/sbin/ipchains-restore < /etc/ipchains.rules || exit 1
echo 1 > /proc/sys/net/ipv4/ip_forward
echo "."
;;
stop)
echo -n "Turning off packet filtering:"
echo 0 > /proc/sys/net/ipv4/ip_forward
/sbin/ipchains -F
/sbin/ipchains -X
/sbin/ipchains -P input ACCEPT
/sbin/ipchains -P output ACCEPT
/sbin/ipchains -P forward ACCEPT
echo "."
;;
*)
echo "Usage: /etc/init.d/packetfilter {start|stop}"
exit 1
;;
esac
exit 0
±êªN®ÌÅ̤¿ÉÀs³êéæ¤ÉµÜ·BMÒÌP[X (Debian
2.1) ÅÍA `S39packetfilter' Æ¢¤V{bNNð `/etc/rcS.d'
fBNgÉìÁÄ èÜ·(±êÍA S40network ÌOÉÀs³êÜ·)B
(ó: uÅ̤¿vÆ¢¤ÌÍAN®Albg[NÉεÄÊMªÂ
\ÆÈéóÔÈOÉs¤Æ¢¤Ó¡Å·Blbg[N̼ÌT[rXÈǪ
N®µ½ ÆÉt@CAEI[ðÝè·éÆASÝè³êÄ¢È¢í¸©
ÈuÔð¢Ä"«¢âÂ"ªüèÞ믫ª èÜ·B)
3. à¤A¬µÄ½! [eBO¾ÌA}XJ[fBO¾ÌA|[
gtH[fBO¾ÌA©®tH[fBO(ipautofw)¾ÌÁÄcB
±Ì HOWTO ÍApPbgEtB^OÉ¢Äq×½àÌÅ·B»êÍ
pPbgªÊß·éÌð·©Ç¤©É¢Äßé±ÆðÓ¡µÄ¢Ü·B
µ©µÈªçALinuxÍ¢íÎnbJ[BÌVÑêÌæ¤ÈàÌÅ·ÌÅA¨
»ç»êÈãÌ@\ðÀ»µ½¢Æv¤±Æŵå¤B
1ÂÌâèÍA{ÊÈTOÅ é͸Ì}XJ[fBOƧßIÈv
LV̧ä̽ßɯ¶c[ (``ipchains'') ªgíêé±ÆÅ·(»ÝÌ
Linux ÅÌÀÅÍA±êçªs©RÈ©½¿Å¢ÁµåÉÈÁĨèA ½
©à»ê窧ÚÉÖAª éÆ¢¤óÛð^¦ÄµÜ¢Ü·)B
(ó: J[l 2.4.x nÅÍA±êçÌ@\ͳçÉ»³êÄ¢Ü
·B»êçÌJ[lð¨g¢ÌûÍALinux 2.4 NAT
HOWTO(http://netfilter.kernelnotes.org/unreliable-guides/NAT-
HOWTO.html
<http://netfilter.kernelnotes.org/unreliable-guides/NAT-HOWTO.html>)à
²º³¢B JFvWFNgÉæéM
ó(http://www.linux.or.jp/JF/JFdocs/NAT-HOWTO.html
<http://www.linux.or.jp/JF/JFdocs/NAT-HOWTO.html>)à èÜ·B)
}XJ[fBOÆvLVÉ¢ÄÍÊXÌ HOWTO ¶ÈÇÉæÁÄÔ
³êA©®tH[fBOÆ|[gEtH[fBO@\ÍÊXÌc[
ŧä³êÜ·Bµ©µA½ÌlX©ç»êçÉ¢ÄÌâ¢í¹ð¤
¯Ä¢Ü·ÌÅA±±ÅÍêAÌêÊIƨàíêéViI¢Â©ÆAÇ
Ìæ¤É·êÎ梩Ƣ¤Ýèðñ¦µÜ·BȨAeZbgAbvÌZ
L
eBÉÖ·é·É¢ÄÍA±±Å_cµÜ¹ñB
3.1. Rusty Ì}XJ[fBOÉÖ·é 3ÂÌwj
±êÍA ȽÌOC^tF[Xª `ppp0' Å éƼèµÄ¢Ü·B
ifconfig R}hð©ÁÄA ȽÌ«ɤæ¤ÉÇÝ֦ĺ³
¢B
# ipchains -P forward DENY
# ipchains -A forward -i ppp0 -j MASQ
# echo 1 > /proc/sys/net/ipv4/ip_forward
3.2. ©IÈé`: WatchGuard ÅK§·é
sÌÌt@CAEH[êp@ðwü·é±ÆàÅ«Ü·BDê½êp@ÌÐ
ÆÂƵÄAWatchGuard ÐÌ FireBox ª èÜ·B FireBox ªDêÄ¢é
Æv¤ÌÍAí½µªCÉüÁÄ¢é©çÅ èA»êªÀS¾©çÅ
èALinux x[XÅ®ìµÄ¢é©çÅ·BܽA±ÌïÐÍAipchains Ì
CeiXÆA(2.4 nJ[lpÌ)Vµ¢t@CAEH[ÌR[hÌ
½ßÉàñµÄ꽩çÅ·BÂÜèAí½µªF³ñ̽ßÉìÆð
µÄ¢éÔA WatchGuard ÐÍAí½µÌ¶ðx¦Äê½í¯Å·B»¤
¢¤í¯ÅAÞçÌ»iÉ¢Äàäêlè¢Ü·B
http://www.watchguard.com <http://www.watchguard.com>
(ó: WatchGuardÐÌú{àÌZ[àA±Ìy[W©çèJé±Æª
Å«Ü·B)
3.3. t@CAEH[I®ìɤÊÈÝè
ȽÍA littlecorp.com Æ¢¤hC¼ÅVXe𮩵ĢܷB
»µÄàlbg[Nð¿AC^[lbgÉεÄAIPAhXª
1.2.3.4 Å é (firewall.littlecorp.com) Æ¢¤Rs
[^É1ñüÌ_
CAbv(PPP)RlNVðÁĢܷB ȽÍC[TlbgÉæ
é[Jlbg[Nð\zµÄ¨èA ȽÌÂlpRs
[^Í
"myhost" ÆÄÎêĢܷB
±ÌZNVÅÍAêÊIƨàíêé¢Â©ÌzuáÅÌÝèÉ¢Ä
ڵྵܷB»êçÍ÷ÉÙÈèÜ·ÌÅAÓ[ÇÝißĺ³
¢B
3.3.1. [Jlbg[N: `IÈvLV
±ÌViIÅÍA[Jlbg[N©çÌpPbgÍAC^[lbg
ðs«·é±ÆÍ èܹñB[Jlbg[NÌ IP AhXÍA
RFC1918 ÉÄvCx[gÈC^[lbg«̽ßÉpÓ³êÄ¢éAh
X(·Èí¿ 10.*.*.*, 172.16.*.*-172.31.*.* Ü½Í 192.168.*.*)ð
èÄȯêÎÈèܹñB
C^[lbgÉÚ±·éBêÌû@Ít@CAEH[ÉÚ±·é±ÆÅA
±ÌRs
[^ª¼ûÌlbg[N(ó: C^[lbgÆ[J
lbg[N)ɼÚÂȪÁĢܷB±Ìt@CAEH[ÌãÅvL
VÆÄÎêé\tg𮩷±ÆÉÈèÜ·(±êÍ FTP AEFuEANZ
XA telnet A RealAudio A Usenet News â¼ÌT[rXÉ¢ÄA"ã
"Ƶīܷ)BÚ×É¢ÄÍ Firewall HOWTO ð©Üµå¤B
(ó: "Firewall HOWTO" Ì´¶Í
http://www.linuxdoc.org/HOWTO/Firewall-HOWTO.html
<http://www.linuxdoc.org/HOWTO/Firewall-HOWTO.html> É èÜ·B JFv
WFNgÉæéMóÍܾìÆÅ·B)
ȽªC^[lbgÖÌANZXÅ]ÞT[rXÉ¢ÄÍAK¸t@C
AEH[ãÌvLVÅT|[g³ê½T[rXÅȯêÎÈèܹñ(µ
©µAãqÌ ``§À³ê½àT[rX'' ðQƵĺ³¢)B
á: vCx[glbg[N©çC^[lbgÖÌEFuEANZXð
·
1. vCx[glbg[NÍA192.168.1.*ðèÄç꽡ÌÔn©
çÈèAIPAhXª192.168.1.100Í"myhost"ÉAt@CAEH[ÌC
[TlbgEC^tF[XÉÍ192.168.1.1ªèÄçêĢܷB
2. EFuEvLV(á¦Î"squid")ÍAt@CAEH[ÌãÉCXg[
³êĨè|[g8080Å®¢Ä¢Ü·B
3. vCx[glbg[NÌNetscapeÍAvLVƵÄt@CAEH[
Ì|[g8080ðg¤æ¤ÉÝè³êĢܷB
4. DNSÍAvCx[glbg[NÌÅÝè³êéKvÍ èܹñB
5. DNSÍAt@CAEH[ÌãÅÝè³êéKvª èÜ·B
6. ftHgE[g(ʼAQ[gEFC)ÍAvCx[glbg[N
ÌÅÝè³êéKvÍ èܹñB
myhost ãÌ Netscape ©çA http://slashdot.org Ìy[Wð©é
1. Netscape Ít@CAEH[Ì|[g8080ÉÚ±µA myhost ãÌ|[
g1050ðgÁÄ "http://slashdot.org" ÌEFuEy[Wð©éæ¤É
t@CAEH[É˵ܷB
2. vLVÍ "slashdot.org" Æ¢¤¼Oð²×ÄA "207.218.152.131" Æ
¢¤IPAhXð¾Ü·B»ê©çt@CAEH[ÌOC^tF[
X(ó: ppp0 ÈÇ)ÌãÅ|[g1025ðgÁÄA»Ì IP AhXÉε
ÄEFuET[o(|[g80)ÅEFuEy[WðvµÜ·B
3. èÌEFuET[oÉηéÚ±©çEFuEy[Wðó¯æéÆA»
êÍNetscapeÖÌÚ±Öf[^ªRs[³êÜ·B
4. NetscapeÍAy[Wð\¦µÜ·B
ÂÜèA slashdot.org ̤©ç©éÆA 1.2.3.4 (t@CAEH[Ì PPP
C^tF[X)|[g1025©çA 207.218.152.131 (slashdot.org)|[
g80ÜÅÚ±³êé±ÆÉÈèÜ·B myhost ̤©ç©éÆA 192.168.1.1
(t@CAEH[ÌC[TlbgEC^tF[X)Ì|[g8080Æ
192.168.1.100(myhost)Ì|[g1050ªÚ±³êé±ÆÉÈèÜ·B
3.3.2. vCx[glbg[N: §ßIÈvLV
±ÌViIÅÍA[Jlbg[N©çÌpPbgÍAC^[lbg
ðs«·é±ÆÍ èܹñB[Jlbg[NÌ IP AhXÍA
RFC1918 ÉÄvCx[gÈC^[lbg«̽ßÉpÓ³êÄ¢éAh
X(·Èí¿ 10.*.*.* A 172.16.*.*-172.31.*.* Ü½Í 192.168.*.*)ð
èÄȯêÎÈèܹñB
C^[lbgÉÚ±·éBêÌû@Ít@CAEH[ÉÚ±·é±ÆÅA
±ÌRs
[^ª¼ûÌlbg[N(ó: C^[lbgÆ[J
lbg[N)ɼÚÂȪÁĢܷB±Ìt@CAEH[ÌãÅ"§ßI
ÈvLV"ÆÄÎêé\tg𮩷±ÆÉÈèÜ·ªA±±ÅÍJ[l
ªoÍpPbgðOÉéãèÉA§ßIÈvLVÉèo·±ÆÉÈè
Ü· (·Èí¿AUÌ[eBOðs¤æ¤ÉÈèÜ·)B
§ßIÈvLV𮩷Ƣ¤±ÆÍANCAgÍvLV̶ÝðÓ
¯µÈÄàæ¢Æ¢¤±ÆÅ·B
ȽªC^[lbgÖÌANZXÅ]ÞT[rXÉ¢ÄÍAK¸t@C
AEH[ãÌvLVÅT|[g³ê½T[rXÅȯêÎÈèܹñ(µ
©µAãqÌ ``§À³ê½àT[rX'' ðQƵĺ³¢)B
á: vCx[glbg[N©çC^[lbgÖÌEFuEANZXð
·
1. vCx[glbg[NÍA 192.168.1.* ðèÄç꽡ÌÔn
©çÈèA IP AhXª 192.168.1.100 Í myhost ÉAt@CAEH[
ÌC[TlbgEC^tF[XÉÍ 192.168.1.1 ªèÄçêÄ¢
Ü·B
2. §ßIÈEFuEvLV(squid Éηé±Ìpr̽ßÌpb`ª¢
© éÆv¢Ü·B é¢Í "transproxy" ð·Ìࢢ©à)ÍC
Xg[³êÄAt@CAEH[ÌãÅ|[g8080ÉÄ®¢Ä¢Ü·B
3. J[lÍ ipchains ðgÁÄ|[g80ÌÚ±ðvLVÉü¯È¨·æ
¤Éw¦³êĢܷB
4. vCx[glbg[NÌ Netscape ÍA ½©à¼ÚÚ±·éæ¤É
ÝèµÜ·B
5. DNS ÍAvCx[glbg[NãÉÝè³êÄ¢éKvª èÜ·(·
Èí¿A ȽÍt@CAEH[ÌãÅÌuãvÆµÄ DNS T[oð
Às·éKvª èÜ·)B
(ó: ÂÜèANCAg©ç̼OðÌð·×ÄvCx[
glbg[NàÌ DNS ÅdíȯêÎÈçȢƢ¤±ÆÅ·B³àÈ
¢ÆA¼Oð̽ßÌpPbgªNCAg©çC^[lbgÉo
ĵܢܷB)
6. t@CAEH[ÉpPbgðé½ßÉvCx[glbg[NàÉ
ftHgE[g(ʼAQ[gEFC)ðÝè·éKvª èÜ·B
myhost Ì Netscape ©çAhttp://slashdot.org ð©éB
1. NetscapeÍA "slashdot.org" Æ¢¤¼Oð²×ÄA 207.218.152.131 Æ
¢¤ IP AhXð¾Ü·B»µÄA»Ì IP AhXÉεÄ|[
g1050ÉÄÚ±µAEFuT[o(|[g80)Öy[Wf[^ðvµÜ
·B
2. slashdot.org (|[g80)ÖÌ myhost (|[g1050)©çÌpPbgÍt@
CAEH[ðoRµÜ·ªA»êçÍ|[g8080ÌãÅÒÁÄ¢é§ß
IÈvLVÉü¯¼³êÜ·B§ßIÈvLVÍA 207.218.152.131
Ì|[g80(àÆàÆNCAg©çÌpPbgÉwè³êÄ¢½¶
æ)ÉεÄA([JÈ|[g1025ðgÁÄ)Ú±ðs¢Ü·B
3. vLVÍ»ÌÚ±ÉæÁÄEFuET[o©çy[Wðó¯æèA
Netscape ÉηéڱɻÌf[^ðRs[µÜ·B
4. NetscapeÍAy[Wð\¦µÜ·B
ÂÜèA slashdot.org ©ç©éÆAÚ±ÍÍ 1.2.3.4 (t@CAEH[Ì
PPP C^tF[X)|[g1025©çA 207.218.152.131 (slashdot.org)Ì|
[g80ÜÅÌÔÅsíêĢܷB myhost ©ç©éÆA 207.218.152.131
(slashdot.org)Ì|[g80ÉεÄA 192.168.1.100 (myhost)|[g1050Ü
ÅÌÔÅsíêĢܷBªA»êÍÀÛÉͧßIÈvLVÆâèæèµ
Ä¢é±ÆÉÈèÜ·B
3.3.3. vCx[glbg[N: }XJ[fBO
±ÌViIÅÍA[Jlbg[N©çÌpPbgÍAÁÊȵ¢ªÈ
¯êÎC^[lbgðs«·é±ÆÍ èܹñB[Jlbg[N
Ì IP AhXÍA RFC1918 ÉÄvCx[gÈC^[lbg«̽ß
ÉpÓ³êÄ¢éAhX(·Èí¿ 10.*.*.* A 172.16.*.*-172.31.*.* Ü
½Í 192.168.*.*)ðèÄȯêÎÈèܹñB
vLVðg¤ãíèÉA "}XJ[fBO" ÆÄÎêéÁÊÈJ[l
@\ðg¢Ü·B}XJ[fBOÍAt@CAEH[ðoRµ½©Ìæ
¤ÉpPbgð«·¦éÌÅA±êçÌpPbgÍíÉt@CAEH[©
g©ç«½æ¤É©¦Ü·B»ê©çAð{Ìv³Öéæ¤É«
·¦Ü·B
}XJ[fBOÍ¢Â©Ì "gbL[È" vgR𵤽ßÌÂ
ÊÌW
[ðÁĢܷBá¦ÎAFTP, RealAudio, Quake ÈÇÅ·B
{Éæèµ¢ªïµ¢vgR̽ßÉÍA "©®tH[fBO" @
\ÉÄAÖAµ½|[gÌ]ð©®IÉÝè·é±ÆÉæèA»êçÌê
ðæ赤±ÆªÅ«Ü·BÚ×É¢ÄÍ ``ipportfw'' (2.0nJ[l
)Ü½Í ``ipmasqadm'' (2.1nJ[l)ð²×ÄÝĺ³¢B
ȽªC^[lbgÖÌANZXÅ]ÞT[rXÉ¢ÄÍAK¸t@C
AEH[ãÌvLVÅT|[g³ê½T[rXÅȯêÎÈèܹñ(µ
©µAãqÌ ``§À³ê½àT[rX'' ðQƵĺ³¢)B
á: vCx[glbg[N©çC^[lbgÖÌEFuEANZXð
·
1. vCx[glbg[NÍA 192.168.1.* ãÌ¡ÌÔn©çÈèA
myhost ÉÍ 192.168.1.100 ªèÄçêAt@CAEH[ÌC[T
lbgC^[tF[XÉÍ 192.168.1.1 ªèÄçêĢܷB
2. t@CAEH[ÍAvCx[glbg[N©çC^[lbgÌã
ÌzXgÌ|[g80ÖÌ·×ÄÌpPbgð}XJ[h·éæ¤Ýè³
êĢܷB
3. Netscape ÍA¼ÚÚ±·éæ¤ÉÝè³êĢܷB
4. DNS ÍAvCx[glbg[NÌãųµÝè³êĢȯêÎÈ
èܹñB
5. t@CAEH[ÍAvCx[glbg[N̽ßÌftHgE
[g(ʼAQ[gEFC)ÅȯêÎÈèܹñB
myhost Ì Netscape ©çA http://slashdot.org ðÇÞB
1. Netscape ÍA "slashdot.org" Æ¢¤¼Oð²×ÄA 207.218.152.131
Æ¢¤ IP AhXð¾Ü·B»ê©ç[JÈ|[g1050ðgÁÄA
»Ì IP AhXÌEFuET[o(|[g80)ÉεÄÚ±ðs¢AEF
uEy[WðvµÜ·B
2. slashdot.org (|[g80)ÖÌ myhost (|[g1050)©çÌpPbgÍt@
CAEH[Én³êA»±Åt@CAEH[(|[g65000)Ì PPP C
^tF[X©ç½©Ìæ¤É«¼³êÜ·B slashdot.org ©çÌ
pPbgðÔ·±ÆªÂ\ÆÈéæ¤ÉAt@CAEH[ÍLøÈ
C^[lbgAhX(1.2.3.4)ðÁĢܷB
3. firewall.littlecorp.com (|[g65000)É뵀 slashdot.org (|[
g80)©çÌpPbgªÔ³êA»êçð myhost (|[g1050)Öé½ß
É«¼³êÜ·B}XJ[fBOðÀ»·é½ßÌ "@" ̳Ì
Æ¢¤ÌÍAÂÜèAª½Æ«ÉA»êð³µß¹éæ¤ÉAo
ÍpPbgð«·¦éÆ«Éo¦Ä¨Æ¢¤±ÆÅ·B
4. NetscapeÍAy[Wð\¦µÜ·B
slashdot.org ̤©ç©éÆAÚ±Í 1.2.3.4 (t@CAEH[Ì PPP C
^tF[X)|[g65000©çA 207.218.152.131 (slashdot.org)|[
g80ÜÅsíêĢܷB myhost ̤©ç©éÆAÚ±Í 207.218.152.131
(slashdot.org)|[g80ÉεÄA 192.168.1.100 (myhost)|[g1050©ç
síêĢܷB
3.3.4. pubNlbg[N
±ÌViIÅÍA ȽÌÂlÌlbg[NÍC^[lbgÌêªÅ
·: pPbgÍÏX³êé±ÆȼûÌlbg[Nð¬êé±ÆªÅ«Ü
·Bàlbg[NÌ IP AhXÍA IP AhXÌubNð\¿·é
±ÆÉæÁÄèÄçê½àÌÌ͸ŷÌÅA¼Ìlbg[NÍAǤ
âÁÄ È½Ì³ÖpPbgðͯçêé©ðmÁÄ¢éŵå¤B±êÍp
±IÉÚ±³êé±ÆðÓ¡µÄ¢Ü·B
(ó: á¦ÎA INTERNIC â JPNIC ÈÇÉη鳵¢è±«ÉæÁľç
ê½p±IÉgpÅ«é IP AhXð ȽªLµÄ¢È¯êÎÈçÈ¢
Æ¢¤±ÆÅ·B)
±ÌêÊÅpPbgEtB^OÍAÇÌæ¤ÈpPbgª ȽÌlb
g[NÆ»êÈOÌC^[lbgÆÌÔÅâèæè³êé©ð§À·é½
ßÈÇÉgíêÜ·Bá¦ÎAC^[lbg̼ÌêÆÌpPbgÌâè
æèð ȽÌEFuT[oÉεÄÌÝÉÀè³¹é±ÆªÅ«Ü·B
vCx[glbg[N©çC^[lbgÖÌEFuEANZXð·
1. ȽÌàlbg[NÍA Ƚªo^µ½ IP AhXEub
N(1.2.3.* Ƶܷ)ɶ½AhXªèÄçêĢܷB
2. t@CAEH[ÍASÄÌgtBbNð·æ¤Ýè³êĢܷB
(ó: ±±Å¦³ê½ViIÍà¾Ì½ßÌÖXIÈP[XÅ·BÀÛ
ÌP[XÅÍAÌß("àT[rXÌÀè")Ŧ³ê½æ¤ÉAT[r
XðÀè·éÈÇA ȽÌlbg[Nðçé½ßÉAoüè·ép
PbgÉ¢ÄKØÈÂ^Û̽ßÌððÝèµÄ¨©È¯êÎÈ
èܹñB)
3. NetscapeÍAC^[lbgɼÚÚ±·éæ¤ÉÝè³êĢܷB
4. DNSÍA ȽÌlbg[NÌãųµÝè³êĢȯêÎÈèܹ
ñB
5. t@CAEH[ÍAvCx[glbg[N̽ßÌftHgE
[g(Q[gEFC)ÅȯêÎÈèܹñB
myhost Ì Netscape ©çAhttp://slashdot.org ð©éB
1. NetscapeÍA "slashdot.org" Æ¢¤¼Oð²×ÄA 207.218.152.131 Æ
¢¤ IP AhXð¾Ü·B»ê©ç[JÈ|[g1050ðgÁÄA»
Ì IP AhXÌEFuET[o(|[g80)ÉεÄÚ±ðs¢AEF
uEy[WðvµÜ·B
2. pPbgÍ È½Ìlbg[NÆ slashdot.org ÌÔ̢̼©Ì
[^[ðÊ貯éÌƯ¶æ¤ÉA ȽÌt@CAEH[ðÊè
²¯Äâèæè³êÜ·B
3. NetscapeÍAy[Wð\¦µÜ·B
ÂÜèA±ÌêÍ 207.218.152.131 (slashdot.org)|[g80ÆA
1.2.3.100 (myhost)|[g1050ÌÔ̽¾Ðƾ¯ÌÚ±ª¶ÝµÜ·B
3.3.5. §À³ê½àT[rX
OÌC^[lbg©ç ȽÌàT[rXÉεÄAt@CAEH[ã
ÅT[rXðÀs·éÈOÌû@ðÆé±ÆÌÅ«égbNªµÎ©è
èÜ·B»êçÌû@ÅÍvLVâ}XJ[fBOðOÌRlNV
̽ßÉgp·éÆ¢¤Av[`ðÆèÜ·B
ÅàPÈAv[`Í "_CN^[" (»êÍ^¦çê½|[gÌãÅ
Ú±ðÒÂÆ¢¤"nãÈ"vLVÅ·)ð®ì³¹é±ÆÅ·B»êçÍ
究ßßçê½àzXgÆ|[gÉεÄÚ±ðs¢Af[^ðñÂÌ
Ú±ÌÔÅRs[µÜ·B "redir" vOðgÁ½áð¦·ÆAOÌC
^[lbg¤©ç©éÆAÚ±Í È½Ìt@CAEH[ÉεÄsíê
Ü·BÌT[o̤©ç©éÆAt@CAEH[Æ»ÌT[oÉεÄÚ
±ªsíêéæ¤ÉÈèÜ·B
à¤êÂÌAv[`(±êÉÍ ipportfw ̽ßÉpb`ðÄçê½ 2.0
nJ[l©A é¢Í 2.1 nÈ~ÌJ[lªKvÅ·)ÍJ[lÅÌ|
[gEtH[fBOðg¤±ÆÅ·B±êÍA "redir" Ư¶®ìðÊ
Èû@Ås¢Ü·BÂÜèAJ[lÍn³ê½pPbgÉεÄA»ÌÚI
AhXÆ|[gðàÌzXgÆ|[gÉεÄü¯çê½æ¤É«·¦
Ü·BOÌC^[lbg¤©ç©éÆA ȽÌt@CAEH[ÉεÄ
Ú±³ê½æ¤É©¦Ü·BܽA ȽÌàÌT[o¤©ç©éÆAC
^[lbgEzXg©çT[oÜżÚÚ±³êÄ¢éæ¤É©¦Ü·B
3.4. }XJ[fBOÉηé»Ì¼Ìîñ
David Ranch Í}XJ[fBOÉÖ·éDê½Vµ¢ HOWTO ð«Üµ
½B±Ì HOWTO ÆͽÌd¡ªð¿Ü·ªAÌy[W©ç©Â¯é
±ÆªÅ«Ü·B
http://www.linuxdoc.org/HOWTO/IP-Masquerade-HOWTO.html
<http://www.linuxdoc.org/HOWTO/IP-Masquerade-HOWTO.html>
}XJ[fBOÌö®y[WÍÌƨèÅ·B
http://ipmasq.cjb.net <http://ipmasq.cjb.net>
4. IP t@CAEH[O`FC
±ÌÍÍA ȽÌKvɤpPbgtB^ð\z·é½ßÉAÀÛÉ
mÁĨ©È¯êÎÈçÈ¢±ÆðSÄྵܷB
4.1. ÇÌæ¤ÉpPbgªtB^ðÊß·éÌ©
J[lÍN®É 3ÂÌ[Xgð۵ĢܷB±êçÌXgÍ
t@CAEH[`FCAܽÍPÉ`FCÆÄÎêÜ·B 3ÂÌ`FC
ÍA input, output »µÄ forward ÆÄÎêÜ·BpPbgª (á¦ÎA
C[TlbgJ[hðʶÄ) üÁÄéÆAJ[lÍ»ÌpPbgÌu^
½vðè·é½ßÉ input `FCðg¢Ü·BpPbgª±ÌXebv
Ŷ«céÆAJ[lÍpPbgðÉDZÉé©ðèµÜ·B(±ê
ð[eBOÆÄÑÜ·B) pPbgª¼Ì}VÖsÆèßçêÄ¢é
ÈçÎA forward `FCð²×Ü·BÅãÉApPbgªoͳêéO
ÉAJ[lÍ output `FCð²×Ü·B
1ÂÌ`FCÍ¡Ì[Ì`FbNXg©ç\¬³êĢܷBeX
Ì[ÍuàµApPbgÌwb_[ª±ñȾÁ½çApPbgð±Ìæ
¤ÉµÈ³¢vÆw¦µÜ·BàµA é[ªpPbgÆ}b`µÈ¯ê
ÎA`FCàÌÌ[ª²×çêÜ·BÅIIÉA²×é[ª³
ÈÁ½çAJ[lÍ»Ì`FCÌ|V[(ûj)ð©Ä½ð·é©ßÜ
·BZL
eBӯ̢VXeÅÍA±Ì|V[ÍÊApPbgð
DROP ·éæ¤ÉJ[lÉw¦µÜ·B
ASCII A[gt@̽ßÉA}VÉü·épPbgÌ®SÈÊè¹ð±
±ÉLµÜ·B
(ó: ±Ì¶ÅÍú{ê¶R[hðp¢½ "JIS A[g" ð쬵Ĩ
èÜ·B
¢íäéSp¶Æ¼p¶ª¬Ý·é "JIS A[g" ðA Netscape
Navigator/Communicator â Microsoft Internet Explorer Å\¦³¹éÆA
¼p¶ÌÆSp¶ÌÌäªêvµÈ¢×ÉAwK^K^Éöê½}
ÊxÉÈÁĵܢܷB
html Å ð©éÛÉÍA lynx â w3m ÌeLXguEUð¨EßµÜ
·B)
¡¢
lo C^[tF[X
ACCEPT/
« REDIRECT ¬ªªªªª ¡¢ ACCEPT
¨`¨³¨¡¢¨}¨«[eB«¨ forward ¨¡¢¨
F input X «OÌè « `FC ¡¨ output
b « `FC J ¯ªªªªª® ¤£ ¡¨ `FC
N ¤£ ¤£
T [ «
h [JvZX « «
« « O DENY/ DENY/
DENY DENY/ µ REJECT REJECT
« REJECT
DENY ¤£
¤£
ȺÉeXÌiKÅÌà¾ðêLµÜ·B
`FbNT:
pPbgªô©Ìû@ÉÄó³êĢȢ©ðeXgµÜ·BpPb
gªóêÄ¢êÎAÛè³êÜ·B
³«:
eXÌt@CAEH[`FCÌOÉ»êçÌpPbg̳«Ì
`FbNªê èÜ·Bµ©µA input `FCÌ»êªÅàdv
Å·Bô©ÌÙíÈpPbgÍK¥`FbNR[h𬳹é°ê
ª èÜ·B»êçͱ±ÅÛè³êÜ·B (±êª¶·éÆ
syslog ÉbZ[WªL^³êÜ·B)
input `FC:
pPbgªeXg³êéÅÌt@CAEH[`FCÅ·B`FC
Ì»fª DENY (Ûè) Ü½Í REJECT (â) ÅȯêÎApPbg
Ì®«Í±«Ü·B
f}XJ[h(}XJ[hOµ):
pPbgªÈOÉ}XJ[h³ê½pPbgÉηéÈçA}X
J[hªO³êA output `FCÜÅêCÉðòεܷB
IP }XJ[hðgÁĢȯêÎAÓ}IÉãLÌ}©çÁÅ«
Ü·B
[eBOÌè:
(pPbgÌ)¶ætB[hÍ[eBOR[hÉæÁÄA±Ìp
Pbgª[JvZXÉs׫ÈÌ© ([JvZXÌÍð
QƵĺ³¢) A[g}VÉ]³êéÌ© (tH[h`F
CÌÍðQƵĺ³¢) ðè·é½ßɲ×çêÜ·B
[JvZX:
}VãÅÒ·évZXÍ[eBOÌèÌiKÌãÌpPb
gðó¯æêéƤÉApPbgðMÅ«Ü·B (MpPbgÍ
[eBOèXebvðoÄA output `FCðÊߵܷB)
lo C^[tF[X:
[JvZX©çÌpPbgª[JvZXÉsàÌÈç
ÎA»êçÍ `lo' ÆÝè³ê½C^[tF[XÅ output `FC
ðÊ貯AÄÑ `lo' C^[tF[XÅ input `FCÉüèÜ
·B lo C^[tF[XÍÊí[vobNC^[tF[XÆÄÎ
êÜ·B
[J:
pPbgª[JvZXŶ¬³ê½àÌÅÈ¢ÈçA forward
`FCª`FbN³êA³àÈÎApPbgÍ output `FCÖ
s«Ü·B
forward `FC:
±Ì`FCÉͱÌ}V©ç¼Ö]³êéSÄÌpPbgªÊß
µÜ·B
output `FC:
±Ì`FCÉÍoͳêé¼OÌSÄÌpPbgªÊߵܷB
4.1.1. ipchains ðg¤
æ¸A±Ì¶Éĵ¤¨è¿Ì ipchains Ìo[WðAȺÌæ¤É
QƵܵå¤:
$ ipchains --version
ipchains 1.3.9, 17-Mar-1999
LƵÄA1.3.4 (`--sport' Ìæ¤È·¢IvVª èܹñ) ©A
1.3.8 È~ð¨Eߵܷ; ±êçÍåÏÀèµÄ¢Ü·B
ÂXÌÉ¢ÄÌàÁÆÚµ¢à¾ªKvÈçAipchains ÉÍ©ÈèÚ
µ¢}j
Ay[W (man ipchains) ª èÜ·BÁÉÚµàeðmè½
¢ÈçAvO~OC^[tF[X(man 4 ipfw) ©A½Í 2.1.x ÌJ
[l\[XàÌ net/ipv4/ip_fw.c t@Cð²×éÆǢŵå¤B±ê
çÍ (¾ç©É) MÅ«Ü·B
\[XpbP[WÉÍ Scott Bronson Éæéf°çµ¢NBbNt@
XJ[hà èÜ·B A4»Ü½Í US ^[TCYÌ PostScript(TM) ̼
ûª èÜ·B
ipchains ðgÁÄFXȱƪūܷBæ¸ASÌÌ`FCðÇ·é
ìB È½Í 3ÂÌgÝÝÏÝ`FCÅ éA input, output,
forward (±êçÍíūܹñ)©çnßÜ·B
1. Vµ¢`FCðìé (-N)
2. óÌ`FCðí·é (-X)
3. gÝÝÏÝ`FCÌ|V[ðÏX·é (-P)
4. `FCàÌ[ðXgAbv·é (-L)
5. `FC©ç[ðSÄÁµé (-F)
6. `FCàÌSÄÌ[ÌpPbgÆoCgÌJE^[ð[É·é
(-Z)
`FCàÌ[ðì·éÉÍlXÈû@ª èÜ·:
1. `FCÉVµ¢[ðÇÁ·é (-A)
2. `FCàÌ éÊuÉVµ¢[ð}ü·é (-I)
3. `FCàÌ éÊuÌ[ðu«·¦é (-R)
4. `FCàÌ éÊuÌ[ðí·é (-D)
5. `FCàÌKµ½ÅÌ[ðí·é (-D)
}XJ[fBOÉÖ·éìªÈ¢Èªç èÜ·B»êçðzu·é
ɵ¢êÌv]Ì×É ipchains ÉÜÜêĢܷB
1. »ÝÌ}XJ[h³ê½Ú±Ìêð\¦·é (-M -L)
2. }XJ[fBOÌ^CAEglðÝè·é (-M -S) (Åà ``}XJ
[fBOÌ^CAEglðÝèūܹñ!'' ð©Äº³¢B)
ÅãÌ (»µÄ°çÅàÖÈ) @\ÍAwèµ½pPbgªwèµ½`F
CðÊß·éÈçA»ÌpPbgªÇ¤ÈéÌ©ðµÉ`FbNÅ«é±
ÆÅ·B
4.1.2. ȽÌRs
[^ªN®·éÉ©éàÌ
ipchains R}hªN®³êéO (Ó: ô©ÌfBXgr
[V
ÅÍú»XNvgàÅ ipchains ðN®µÄ¢Ü·) ÍAgÝÝÏÝÌ
[ (`input', `forward' Æ `output') ÈOÉͽà èܹñB»µÄ
eXÌ`FCÍ ACCEPT (Â) Ì|V[ÉÝè³êĢܷB±êÍS
Äðó¯üêé±ÆÆ¿Å·B
4.1.3. PêÌ[ÅÌì
[ðì·é±Æ \ »êÍ ipchains Ìî{Å·BÙÆñÇÌêA
ÊA ȽÍÇÁ (-A) Æí (-D) R}hðg¤±ÆÉÈéŵå¤Bc
èÌR}h(}üÌ -I Æu·Ì -R )ÍA±êçÌTOðPÉ(@\)g£
µ½àÌÅ·B
eXÌ[ÉÍApPbgª½·×«ðÌZbgÆA𪽳ê½
Æ«É·é±Æ(e^[Qbgf)ðwèµÜ·Bá¦ÎAIP AhX
127.0.0.1 ©çâÁÄéSÄÌ ICMP pPbgðjüµ½¢ÆµÜ·B»Ì
êÌðÍvgRª ICMP ÅA\[XAhXª 127.0.0.1 ÅA^[
QbgÍ `DENY'(Ûè) Å·B
127.0.0.1 Í `[vobN' C^[tFCXÅA»êÍ È½Ì}Vª
ÀÛÌlbg[NÉqªÁÄ¢ÈÄà¶ÝµÜ·B `ping' vOÅ
»Ìæ¤ÈpPbg (ping Í PÉ ICMP ^Cv8 (GR[v)ðèAS
Ä̦ÍIÈzXgÍeØÉà ICMP ^Cv 0 (GR[)ÌpPbgÅ»
êɦܷ)𶳹éÌÉg¢Ü·B±êÍeXgÉð§¿Ü·B
# ping -c 1 127.0.0.1
PING 127.0.0.1 (127.0.0.1): 56 data bytes
64 bytes from 127.0.0.1: icmp_seq=0 ttl=64 time=0.2 ms
--- 127.0.0.1 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.2/0.2/0.2 ms
# ipchains -A input -s 127.0.0.1 -p icmp -j DENY
# ping -c 1 127.0.0.1
PING 127.0.0.1 (127.0.0.1): 56 data bytes
--- 127.0.0.1 ping statistics ---
1 packets transmitted, 0 packets received, 100% packet loss
#
²ÌƨèÅÌ ping ª¬÷µÄ¢Ü·(`-c 1' Í ping ÉpPbgð
1¾¯éæ¤Éw¦µÄ¢Ü·)B
É[ð `INPUT' `FCÉÇÁ (-A) µÜ·B[ÌwèÍA
127.0.0.1 ©ç (`-s 127.0.0.1') ÅvgR ICMP (`-p icmp') ÌpPb
gÍADENY ÖWv·é (`-j DENY') Å·B
»ê©ç 2ÔÚÌ ping Å[ðeXgµÜ·BAÁÄÈ¢ðÒÂÌ
ð ping ª~ßéÜŵÌÔª éŵå¤B
[ðí·éÉÍ 2ÊèÌû@ª èÜ·B 1ÔÚÍAá¦ÎA input
`FCÉÍ[ª 1¾¯µ©È¢ÌðªÁÄ¢éêÅÍAÔðgÁ
ÄȺÌæ¤ÉíÅ«Ü·:
# ipchains -D input 1
#
INPUT `FCÌ[Ô 1 ðíB
2ÔÚÌû@Í -A R}hð»Áè浀 -A ð -D Éu«·¦½àÌÅ
·B±êÍ[ª¡GÈ`FCÌêÅAá¦ÎAæ諽¢Ìª[
37 ¾ÆTµÄé½ßÉ[ð¦½È¢êÉLøÅ·B±Ìê
AÌæ¤Ég¢Ü·:
# ipchains -D input -s 127.0.0.1 -p icmp -j DENY
#
-D Ì«ûÍA -A (Ü½Í -I © -R) R}hÌƳmɯ¶IvV
ÅȯêÎÈèܹñBàµA¯ê`FCÉ¡Ì}b`·é[ª
Á½çAÅÌà̾¯ªí³êÜ·B
4.1.4. tB^OÌdl
±êÜÅÉAvgRðwè·é `-p' IvVÆA\[XAhXðw
è·é `-s' IvVð©Ä«Üµ½ªA±Ì¼ÉàpPbgÌÁ¥ðwè
·élXÈIvVª èÜ·B±ê©çA»ÌTvð ܷƱëȨ
bµÜ·B
4.1.4.1. \[Xƶæ IP AhXÌwè
\[X (-s) yѶæ (-d) IP AhXÍ 4ÊèÌwèû@ª èÜ·B
àÁÆàêÊIÈû@Í®SÉLq³ê½¼O(FQDN)ðg¤±ÆÅAá¦
ÎA`localhost' Æ© `www.linuxhq.com' Å·B 2ÔÚÌû@Í
`127.0.0.1'Ìæ¤È IP AhXðwè·éû@Å·B
3ÔÚÆ 4ÔÚÌû@Í IP AhXÌO[vðwè·éû@ÅA
`199.95.207.0/24' Æ© `199.95.207.0/255.255.255.0' Ìæ¤É«Ü·B
¼ûÆà 199.95.207.0 ©ç 199.95.207.255 ÜÅÌÇÌ IP AhXàÜÜ
êéwèÅAÌ ÆÌ `/' Í IP AhXÌÇ̪ÜÅLø©ð¦µ
ĢܷBÈªÍ `/32' Ü½Í `/255.255.255.255' (IP AhXÌ®S
êv)Å·BÇñÈ IP AhXÅàæ¢êÍAȺÌæ¤É `/0' ªg¦
Ü·:
# ipchains -A input -s 0/0 -j DENY
#
ãLÌøÊÍ `-s' IvVðwèµÈ¢ÌÆS¯¶ÈÌÅA±ñÈg¢
ûÍßÁ½ÉµÜ¹ñB
4.1.4.2. ÛèÌwè
`-s' Æ `-d' ðÜÞ½ÌtOÍA`!' (ÛèÌé¾) ð»ÌøÌOÉu
±ÆªÅ«Ü·B `-s' â `-d' ÌêÍ^¦çê½AhXƵȢ
AhXÆ}b`µÜ·Bá¦ÎA `-s ! localhost' Í[JzXg©ç
ÅÈ¢SÄÌpPbgÆ}b`µÜ·B
`!' ÌOãÉXy[XðüêéÌðYêȢź³¢B{ÉKvÈÌÅ·B
4.1.4.3. vgRÌwè
vgRÍ `-p' tOÅwèµÜ·BvgRÌlÍÔ( Ƚª IP
ÌvgRÌlÔðmÁÄ¢éê)© `TCP', `UDP' Ü½Í `ICMP'
Æ¢¤Áè̼ÌÅwèµÜ·B嶬¶ÌæÊ͵ܹñ©çA`tcp'
à `TCP' Ư¶«ðµÜ·B
vgR¼ÌÍ»êðÛè·é½ßÉ `!' ðOÉt¯é±ÆªÅ«Ü·B
á¦ÎA`-p ! TCP' Í TCP ÅÈ¢pPbgðwèµÜ·B
4.1.4.3.1. UDP Æ TCP |[gÌwè
ÁÊÈêÅ é TCP ½Í UDP ÌvgRªwè³ê½ÉÍA TCP ½
Í UDP Ì|[gA½ÍÜÜêé|[gÌÍÍ (µ©µAãqÌ ``tO
gÌ''ðQƵĺ³¢) ðwµ¦·g£øª¶Ýµ¾Ü·BÍÍͶ
`:' Å\»µÜ·Bá¦Î `6000:6010' Í 6000 ©ç 6010 ÌÍÍÉÜ
Üêé11ÂÌ|[gÔð¦µÜ·BൺÀlªÈª³êêÎAftHg
Ì 0 ðÓ¡µÜ·BãÀlªÈª³êêÎAftHgÌ 65535 ðÓ¡µÜ
·BÅ·©çA1024ÔȺÌ|[gÌ TCP Ú±ðwè·éÉÍA«ûÍ
`-p TCP -s 0.0.0.0/0 :1023' ƵܷB|[gÔÍ `www' Ìæ¤ÉA¼
OÅàwèÅ«Ü·B
LƵÄA|[gwèÌOÉÍÛèðÓ¡·é `!' ðu±ÆªÅ«Ü
·BÅ·©çA WWW pPbgÈOÌSÄÌ TCP pPbgðwè·éÉÍAÈ
ºÌæ¤ÉwèµÜ·B
-p TCP -d 0.0.0.0/0 ! www
ȺÌwèÆA
-p TCP -d ! 192.168.1.1 www
ȺÌwèÍSᤱÆðµÁ©èF¯µÄº³¢B
-p TCP -d 192.168.1.1 ! www
ÅÌáÍA 192.168.1.1 ÈOÌSÄÌ}VÌ WWW |[gÖÌ TCP p
PbgðwèµÜ·BÌáÍA WWW |[gðSÄÌ|[gɨ¯é
192.168.1.1 ÖÌ TCP Ú±ðwèµÜ·B
ÅãÉA±ÌP[XÍ WWW |[gÅÈA 192.168.1.1 ÅàÈ¢±ÆðÓ¡
µÜ·:
-p TCP -d ! 192.168.1.1 ! www
4.1.4.3.2. ICMP ^CvÆR[hÌwè
ICMP ÉàܽIvVøª èÜ·ªA ICMP Í|[gð¿¾Ü¹
ñB (ICMP ÉÍ^CvÆR[hª èÜ·) »êçÉÍÙÈéÓ¡ª èÜ
·B
`-s' IvVÌãÉ ICMP l[ðp¢é (ipchains -h icmp ðp¢ÄA
l[ðê\¦µÜ·) ©A ICMP ^CvÆR[hÌlðp¢é©ÅA»
êçðwèµÜ·B^CvÍ `-s' IvVÌãÉAR[hÍ `-d' Iv
VÌãÉwèµÜ·B
ICMP l[Í©È跢ŷ: ¼ÆÍÁ«èæÊū骾¯Ì·¢¶ñ
Å êÎ\ªÅ·B
ÅàêÊIÈ ICMP pPbg̬³ÈêðȺɦµÜ·:
Ô l[ KvƳêéàÌ
0 echo-reply ping
3 destination-unreachable SÄÌ TCP/UDP gtBbN
5 redirect [eBOf[ª®ìµÄ¢È¢Ì
[eBO
8 echo-request ping
11 time-exceeded traceroute
ICMP l[Í `!' ðu¯È¢±ÆÉӵĺ³¢B
âÎÉâÎÉâÎÉA ICMP ^Cv3 bZ[WÌSðubNµÈ¢Å!!
(ãqÌ``ICMP pPbg''ðQƵĺ³¢)
4.1.4.4. C^[tFCXÌwè
`-i' IvVÍ}b`·×«C^[tFCX̼OðwèµÜ·BC
^[tFCXÆÍApPbgªüÁÄé©AܽÍoÄs¨foCXÅ
·Bifconig R}hðgÁÄ `up' Å é (·Èí¿A¡®¢Ä¢é)C
^[tFCXðXgAbvÅ«Ü·B
ü·épPbg (·Èí¿A input `FCðÊß·épPbg) ÌC
^[tF[XÍA»ê窬êñÅéC^[tF[XÅ éàÌÆ©È
³êÜ·B_IÉÍAoÄspPbg (output `FCðÊß·ép
Pbg) ÌC^[tF[XÍA»êçªoÄsÅ ë¤C^[tF[X
Å èÜ·B forward `FCðÊß·épPbgÌC^[tF[XàÜ
½A»êçªoÄsÅ ë¤C^[tF[XÅ·; ÉÍA±êÍSÌ
ÆfÉv¦Ü·B
(ó: ±±ÅÒÍ forward `FCÌC^[tF[XðoÍC^[
tF[Xɵ½±ÆÉRcµÄ¢éæ¤Év¦Ü·B½ÔñÒÍüÍÆoÍ
̼ûwèÅ«½Ù¤ªæ¢ÆvÁÄ¢ÄAÅàA ipchains ÉÍC^[
tFCXðwè·éIvVª -i ÌPµ©È¢ÌÅAÇ¿ç©É¹´é
¨¦È©Á½Bƾ¤b¾Æv¢Ü·B ipchains ÌãpÅ é iptables Å
ÍA FORWARD `FCÅAüÍÆoÍ̼ûÌC^[tFCXðwèÅ«
éæ¤ÉÈÁÄÜ·B)
»Ý¶ÝµÄ¢È¢C^[tFCXðwè·é±ÆÍSâèª èܹñ
ªAwèµ½C^[tFCXª up µÄéÜÅ[ª}b`·é±ÆÍ
èܹñB±êÍ_CAAbv PPP N(ÊíC^[tFCXÍ
ppp0 )â¯lÌàÌÉ¢ÄñíÉLøÅ·B
ÁÊÈP[XƵÄAC^[tF[X¼ÌÅ㪠`+' ÅIíéàÌÍA
(»Ý¶ÝµÄ¢æ¤ÆÈ©ë¤Æ) »Ì¶ñ©çnÜéSÄÌC^[
tF[XÉ}b`µÜ·Bá¦ÎASÄÌ PPP C^[tF[XÉ}b`·
é[ðwè·éÉÍA -i ppp+ IvVªg¦Ü·B
wèµ½C^[tFCXÆêvµÈ¢pPbgÉ}b`·éæ¤ÉC^[
tFCX¼ÌOÉÍ `!' ðu±ÆªÅ«Ü·B
4.1.4.5. TCP SYN pPbgÌÝðwè·é
êûü¾¯ TCP RlNVðµA¼û͵Ȣæ¤É·é±ÆÍ
XɵÄLøÅ·Bá¦ÎA ȽªOÌ WWW T[o[ÆÚ±µ½¢
ªA»ÌT[o[©çÌÚ±ðµ½È¢Æ«Å·B
»ÌT[o[©çé TCP pPbgðubN·é±ÆÍ©RÈû@Å·B
cOȱÆÉATCP RlNVÉÍÆÉ©¼ûüÌpPbgªs«·é
±ÆªKvÅ·B
»Ìðû@ÍARlNVvÉp¢çêépPbgÌÝðubN·é
±ÆÅ·B±Ìæ¤ÈpPbgÍ SYN pPbgÆÄÎêÜ·B (ZpIÉ
ÍASYN tOªÝè³êÄ¢ÄA FIN Æ ACK tOªNA³êÄ¢ép
PbgðwµÜ·ªAäXͱêð SYN pPbgÆÄÑÜ·B) »êçÌp
Pbg¾¯ðµȢ±ÆÅA»ÌêÌÚ±vð~ßçêÜ·B
`-y' tOͱ̽ßÉgíêÜ·: ±êÍ TCP vgRðwè³êÄ¢
éêɨ¢ÄÌÝLøÅ·Bá¦ÎA 192.168.1.1 ©çv³êé TCP R
lNVðwè·éÉÍ:
-p TCP -s 192.168.1.1 -y
à¤êxA±ÌtOÍ»ÌOÉ `!' ðu±ÆÉæÁÄ (ó: ! -y Ƶ
Ä) Ûè·é±ÆªÅ«A»êÍÚ±JnÌpPbgðSÄÌpPbgð
Ó¡µÜ·B
4.1.4.6. tOgÌ
ÉAêxÉP[uÉèo·ÉÍpPbgªå«ß¬é±Æª èÜ·B
±ñÈÆ«ÍApPbgÍtOgɪ³êA¡ÌpPbgÅçê
Ü·BóM_űêçÌtOgðÄÑWßÄ®SÈpPbgÉÄ\¬µ
Ü·B
tOgÌâè_ÍAæöXgAbvµ½dlÌô© (ÁÉA\[X
|[gA¶æ|[gA ICMP ^CvA ICMP R[hA½Í TCP SYN tO)
ÍAJ[lÉAÅÌtOgɾ¯ÜÜêÄ¢épPbgÌnßÌ
ªð`æ¤ÉvµÄ¢é_É èÜ·B
ȽÌ}VªOlbg[NÉÌÝÚ±³êéÈçAJ[lÌ "IP:
íÉftOg·é" ð Y ÉÝèµÄRpC·é±ÆÉæèAÊß
·éSÄÌtOgðÄ\z·éæ¤É Linux J[lɽ¸é±Æª
Å«Ü·B±êÍâèð¤ÜñðµÜ·B
»¤ÅȯêÎAtB^O[ªtOgðÇÌæ¤Éµ¤©ð
ð·é±ÆªdvÅ·Bîñª³¯êÎÇñÈtB^O[à}b
`µÜ¹ñB±ÌÓ¡·éƱëÍ 1ÔÚÌtOgͼÌpPbgƯ
¶æ¤ÉµíêÜ·B 2ÔÚÈ~ÌtOgÍÙÈèÜ·B]ÁÄA -p
TCP -s 192.168.1.1 www Æ¢¤[ (\[X|[gª `www' Ìwè)ÍA
tOg(1ÔÚÌtOgÈO)ƵÄ}b`µÜ¹ñB¯lÉÛ
èÌ[ -p TCP -s 192.168.1.1 ! www à}b`µÜ¹ñB
ÆÍ¢¦A`-f' tOðp¢ÄA 2ÔÚyÑ»êÈ~ÌtOgÉv
·é[ðwèÅ«Ü·B¾ç©ÉA±Ìæ¤ÈtOg[ÉÍ
TCP â UDP |[gA ICMP ^CvA ICMP R[h½Í TCP SYN tOðwè
·éÌÍÔá¢Å·B
ܽA`!' ð `-f' ÌOÉt¯ÄA 2ÔÚÈ~ÌtOgÆKµÈ¢
[ÌwèàÅ«Ü·B
ÊíAtB^OÍ 1ÔÚÌtOgÉøͪ éÌÅAÚIÌzX
gÅÌtOgÌÄgݧÄðW°é½ßA2ÔÚÈ~ÌtOgð
Êß³¹é±ÆÍÀSÆÝȳêĢܷBÆÍ¢¦AtOgðé±
ÆÉæèÈPÉ}VðNbV
³¹é±ÆªÅ«éoOªmçêÄ¢Ü
·B²×ĺ³¢ËB
lbg[NÇÒ̽ßÌL: ÙíÈpPbg(TCP, UDP ¨æÑ ICMP Ì
pPbgÅZ·¬Ät@CA[EH[ÌR[hª|[gÔÜ½Í ICMP Ì
R[hÆíÞðÇßÈ¢àÌ)ÍAtOgƯlÉæèµíêÜ·Bt
OgÌÊuª 8 ©çnÜéTCP pPbg¾¯ª¾Ét@CAEH[
R[hÉæÁÄjü³êÜ·B(±êª¶·éÆ syslog ÉbZ[Wª
»êÜ·B)
á¦ÎAÌ[Í 192.168.1.1 ÖstOgÍÇêÅàjüµÜ
·:
# ipchains -A output -f -d 192.168.1.1 -j DENY
#
4.1.5. tB^OÌIøÊ
³ÄA¡äXÍ[ðp¢ÄpPbgÉ}b`³¹éû@ÌSÄðmèܵ
½BpPbgª[É}b`·éÆAȺÉL·±ÆªN±èÜ·:
1. Y·é[ÌoCgJE^ÍpPbgÌTCY(wb_ƻ̼S
Ä) ÉæÁÄÁµÜ·B
2. Y·é[ÌpPbgJE^ªpPbgÌÉæÁÄ1 ÁZ³êÜ
·B
3. [ªv·éÈçApPbgªOÉL^³êÜ·B
4. [ªv·éÈçApPbgÌ Type Of Service (TOS) tB[hª
ÏX³êÜ·B
5. [ªv·éÈçApPbgÉóªt¯çêÜ·B(2.0 J[lV
[YÉÍ èܹñB)
6. pPbgÉεAɽðsí¹é©ðè·é×A[^[Qbg
ª¸³êÜ·B
±êçÈOÌíÞÉ¢ÄÍAdvxɶÄèðt¯½¢Æv¢Ü·B
4.1.5.1. ^[QbgÌwè
^[QbgÍ[É}b`·épPbgÉε½ð·×«©ðJ[lÉw
¦µÜ·B ipchains Í^[QbgÌwèÉ `-j' ðp¢Ü·B(`Wv·
é'Æl¦Äº³¢) ^[Qbg¼Í 8¶ÈºÅȯêÎÈç¸Aܽå¬
¶ðæʵܷ: "RETURN" Æ "return" ÍSʨŷB
ÅàPÈP[XÍwè³êé^[QbgªSÈ¢êÅ·B±Ì[Ì
^Cv (µÎµÎ `v' [ÆÄÎêÜ·) ÍPÉêèÌpPbgÌ^
CvðJEg·éÌÉÖÅ·B±Ì[É}b`·é©Û©É©©íç
¸AJ[lÍPÉ`FCàÌÌ[ð¸µÜ·Bá¦ÎA
192.168.1.1 ©çÌpPbgÌð¦éÉÍAȺÌæ¤ÉÅ«Ü·:
# ipchains -A input -s 192.168.1.1
#
(`ipchains -L -v' ðp¢ÄAeXÌ[ÉÖAt¯çê½oCgyÑp
PbgJE^ð©êÜ·B)
6ÂÌÁÊÈ^[Qbgª èÜ·BÅÌ 3ÂÌ ACCEPT, REJECT Æ DENY
ÍÆÄàPÅ·B ACCEPT ÍpPbgÌÊßðµܷB DENY Í ½©
àpPbgðó¯æÁĢȢ©Ìæ¤ÉjüµÜ·B REJECT ÍpPbgð
jüµÜ·ªA(àµ»êª ICMP pPbgÅÈ¢Èç) ¶æÍ¢BÅ é
±Æðmç¹é ICMP ÔðA\[XÉεĶ¬µÜ·B
ÌêÂA MASQ ÍJ[lÉpPbgð}XJ[h·é±Æðmç¹Ü
·B±êð®ì³¹éÉÍAJ[lª IP }XJ[fBOðLøɵÄ
RpC³êÄ¢éKvª èÜ·BÚ×É¢ÄÍA Masquerading-
HOWTO ÆAt^Ì``ipchains Æ ipfwadm ÆÌá¢''ð©Äº³¢B±Ì^[
QbgÍ forward `FCðÊß·épPbgɨ¢ÄÌÝLøÅ·B
¼ÌåvÈÁÊÈ^[QbgÍAJ[lÉεÄA½©ç¶µ½©ðâ
í¸ÉpPbgð[J|[gÖéA REDIRECT Å·B±êÍvgR
É TCP Ü½Í UDP ðwèµÄ¢é[ɨ¢ÄÌÝwèÅ«Ü·BCÓ
ÉA|[g (¼OÍÔ) Í `-j REDIRECT' ÆwèÅ«Ü·B±êÍp
Pbgª¼Ì|[gÖAhX³êÄ¢½ÆµÄàÁèÌ|[gÖ]³¹é
øÊð¿Ü·B±Ì^[QbgÍ input `FCðÊß·épPbgɨ
¢ÄÌÝLøÅ·B
ÅãÌÁÊÈ^[QbgÍ RETURN ÅA¼¿É`FCÌÅãɵޱÆ
Æ¿Å·B(ãqÌ``|V[ðÝè·é''ðQƵĺ³¢B)
¼Ì^[QbgÍ[U[wèÌ`FCð¦µÜ·B (ãqÌ```FCÌ
ì''ÅྵĢܷB) pPbgÍ»Ì`FCàÌ[ðÊßµnß
Ü·B»Ì[Uè``FCÅ̸ªSÄIÁÄàpPbgÌ^½ªÜ
çȯêÎA»ÝÌ`FCÉßèA»ÌÌ[©ç¸ðÄJµÜ·B
ASCII A[gÌÔÅ·B2ÂÌ(¨Î©³ñÈ)`FC: input (gÝÝÏ
Ý`FC)Æ test ([Uè``FC)Ål¦Üµå¤B
`input' `test'
¡¢ ¡¢
[ 1: -p ICMP -j REJECT [ 1: -s 192.168.1.1
¥§ ¥§
[ 2: -p TCP -j Test [ 2: -d 192.168.1.1
¥§ ¤£
[ 3: -p UDP -j DENY
¤£
192.168.1.1 ©çÄ 1.2.3.4 Öü©¤ TCP pPbgÉ¢Äl¦Üµå
¤BpPbgÍ input `FCÉüèAܸA[ 1 ª¸³êÜ·\
}b`µÜ¹ñB[ 2 ª}b`µÄA»Ì^[QbgÍ Test ÈÌÅA
ɸ³êé[Í Test ÌæªÅ·B Test Ì[ 1 Í}b`µÜ
·ªA^[QbgðwèµÄ¢È¢ÌÅAÌ[Å é[ 2 ª¸
³êÜ·B±êÍ}b`µÈ¢ÌÅA`FCÌIíèÉBµÜµ½Bæö
¸µ½[ 2 Ì é input `FCÉßèA»êÅ¡xÍ[ 3 ª
¸³êÜ·ªA±êàܽ}b`µÜ¹ñB
»êÅApPbgÌoHÍÌæ¤ÉÈèÜ·:
v __________________________
`input' | / `Test' v
¡|/ ¡|¢
[ 1 | / [ 1 |
¥|/-§ ¥|§
[ 2 / [ 2 |
¥-§ ¤v£
[ 3 /©\_______________________/
¤|£
v
[Uè``FCðøÊIÉg¤û@ÍA``t@CAEH[[ðÇÌ
æ¤É\z·é©''ÌÍðQƵĺ³¢B
4.1.5.2. pPbgÌOL^
±êÍ[É}b`·é±ÆÌIøÊÅ·; }b`µ½pPbgð
`-l' tOðp¢ÄOÉL^·é±ÆªÅ«Ü·BÊAÊíÌpPbg
ɨ¢ÄOðL^µ½ÍȢŵ夯ÇAáOIÈCxg𩽢
ÉÖÈÁ¥Å·B
±ÌîñÌJ[lÌOÍȺÌæ¤È´¶Å·:
Packet log: input DENY eth0 PROTO=17 192.168.2.1:53 192.168.1.1:1025
L=34 S=0x00 I=18 F=0x0000 T=254
±ÌObZ[WÍÈÉÝv³êĨèAlbg[NÌ ÐÒÌ×¾¯
ÉÖÈZpîñðÜñŢܷªA ÆÌäXÉàLpÅ·BÈPÉྷ
éÆȺÌæ¤ÉÈèÜ·:
1. `input' ÍpPbgÉ}b`µ½[ðÜÞ`FCÅAObZ[
Wð¶µÄ¢Ü·B
2. `DENY' Í[ªpPbgɽð·é©ð¦µÄ¢Ü·Bàµ±êª `-'
ÈçA[ÍpPbgɽàs¢Ü¹ñB (v[Å·B)
3. `eth0' ÍC^[tF[X¼Å·. ½ÌÈçαêÍ input `FCÅ
è, pPbgÍ `eth0' ©çüÁĽ±ÆðÓ¡·é©çÅ·B
4. `PROTO=17' ÍpPbgªvgR 17 Å Á½±ÆðÓ¡µÜ·Bv
gRÔÌXgÍ /etc/protocols ÉÄ^¦çêÜ·BÅàêÊIÈ
àÌÍ 1 (ICMP), 6 (TCP) Æ 17 (UDP) Å·B
5. `192.168.2.1' ÍpPbgÌ\[X IP AhXÍ 192.168.2.1 Å Á½
±ÆðÓ¡µÜ·B
6. `:53' Í\[X|[gÍ|[g 53 ÔÅ Á½±ÆðÓ¡µÜ·B
`/etc/services' ð©êÎA±êª `domain' |[gÅ é±ÆðJ¦µ
ĢܷB(·Èí¿A±êÍ°ç DNS ÌÔÅ·B) UDP Æ TCP ɨ
¢ÄÍA±ÌÔÍ\[X|[gÅ·B ICMP ɨ¢ÄÍA ICMP ^Cv
Å·B»êÈOÅÍA 65535 ÉÈéŵå¤B
7. `192.168.1.1' Ͷæ IP AhXÅ·B
8. `:1025' Ͷæ|[gÍ 1025 Å Á½±ÆðÓ¡µÜ·B UDP Æ TCP
ɨ¢ÄÍA±ÌÔͶæ|[gÅ·B ICMPɨ¢ÄÍA ICMP R[h
Å·B»êÈOÅÍA 65535 ÉÈéŵå¤B
9. `L=34' ÍApPbgÍv 34 oCg·Å Á½±ÆðÓ¡µÜ·B
10.
`S=0x00' Í TOS tB[hðÓ¡µÜ·B (4 ÅÁÄA ipchains Å
p¢çêéT[rXÌ^ª¾çêÜ·B)
11.
`I=18' Í IP Ì ID Å·B
12.
`F=0x0000' Í 16 rbgÌtOgItZbgÆtOÌÁZÅ·B
`0x4' Í `0x5' ÅnÜélÍ utOgµÄ¢È¢vrbgªÝ
è³êÄ¢é±Æð¦µÜ·B `0x2' Í `0x3' Í `XÉtOg
µÄ¢é' rbgªÝè³êÄ¢é±Æð¦µÜ·; ±ÌãÉXÈét
Ogª\ª³êÜ·BcèÌlͱÌtOgÌItZbg
ÅA»êÍ 8 ÅÁ½lÅ·B
13.
`T=254' ÍpPbgÌõ½ÔÅ·B±ÌlÍSÄÌzbvɸ¶ç
êAåT 15 © 255 ÅnÜèÜ·B
14.
`(#5)' ÍAuPbgàÌÅãÌÔª»êæèVµ¢J[lÅ ë¤
±Æð¦µÜ·B(°ç 2.2.9 È~ŵå¤B) ÅãÉAæèVµ¢J
[l(½Ôñ 2.2.9 È~)ÅAÊÅÍÜê½Ôª éŵå¤B
(ó: ´¶ÉÍ This is the rule number which caused the packet
log. Æ©êĢܷªA±êÍ finally there may be a number ...
ÆvíêÜ·B)
WIÈ Linux VXeÅÍAJ[lÌoÍÍ klogd (J[lMO
f[) ÉÄߨ³êA syslogd (VXeMOf[) Én³êÜ
·B `/etc/syslog.conf' ÍAeXÌ `facility' (äXÌêÍAfacility
Í "J[l"Å·) ̶æÆA `level' (ipchains Ì×ÉAgíêé level
Í "info" Å·)ðwè·é±ÆÉæÁÄA syslogd ÌUé¢ð§äµÜ
·B
á¦ÎAÌ (Debian) /etc/syslog.conf Í `kern.info' É}b`·é 2s
ðÜñŢܷ:
kern.* -/var/log/kern.log
*.=info;*.=notice;*.=warn;\
auth,authpriv.none;\
cron,daemon.none;\
mail,news.none -/var/log/messages
±êçÍbZ[Wª `/var/log/kern.log' Æ `/var/log/messages' É¡»
³êé±Æð¦µÄ¢Ü·BÚ×Í `man syslog.conf' ð©Äº³¢B
4.1.5.3. T[rXÌ^ðì·é
IP wb_ÉÍŽÉgíêÈ¢ 4ÂÌrbgª èAuT[rXÌ^v
(TOS) rbgÆÄÎêĢܷB»êçÍpPbgªæèµíêéprÉe¿
µÜ·; 4ÂÌrbgÍ "Minimum Delay"(Ŭx), "Maximum Throughput"
(Åå\Í), "Maximum Reliability"(ÅåMl) »µÄ "Minimum
Cost" (ŬRXg) Å·B»êçÌrbgÌ꾯ªÝèð³êÜ·B
TOS ìR[hÌìÒÌ Rob van Nieuwkerk ÍȺÌæ¤Éq×Ģܷ:
ÁÉ "Minimum Delay"(Ŭx) ªÉÆÁÄdvÅ·BÍã
¬Ì (Linux) [^Å"Îb^"pPbgÌ×ɱÌXCb`ðI
µÄ¢Ü·BÌ}VÍ 33.6k fÅOÆÚ±³êÄ¢
Ü·B Linux ÍpPbgÉ 3ÂÌL
[ÅDæÊðt¯Ä¢Ü
·B±Ìû@ÅÍåÊÌ_E[hƯÉeÅ«éÎbI
ÈptH[}Xð¾Ä¢Ü·B (±êÍVAhCoÉ»Ì
æ¤ÈåÈL
[ªÈ¯êÎÇ¢ÌÅ·ªAÒ¿ÔÍ1.5bÉ
³êÜ·B)
Ó: ¾ç©ÉA ȽÍüÁÄépPbgÉεħäÍūܹñB
ȽͩgÌ Linux box ðÁÄ¢pPbgÌDæʾ¯ð§äÅ«Ü
·B¼Ìû@ÅDæÊðâèè·éÈçA RSVP Ìæ¤ÈvgRªK
vÅ·B(±êÉÖµÄÍͽàmçÈ¢ÌÅAÉÍ·©È¢Åº³¢B)
ÅàêÊIÈgpû@Í telnet Æ ftp ÌRg[RlNVÉ
"Minimum Delay" ðÝèµA FTP f[^É "Maximum Throughput" ðÝè·
éàÌÅ·BȺÌæ¤ÉÈèÜ·:
ipchains -A output -p tcp -d 0.0.0.0/0 telnet -t 0x01 0x10
ipchains -A output -p tcp -d 0.0.0.0/0 ftp -t 0x01 0x10
ipchains -A output -p tcp -s 0.0.0.0/0 ftp-data -t 0x01 0x08
`-t' tOÍ 2ÂÌÁÊÈp[^ð¿A»êçÍ16iÅwèµÜ·B
»êçÍTOS rbgð¡GÉ¢¶èñµÜ·: ÅÌ}XNÍpPbgÌ»
ÝÌ TOS É AND (_Ï)³êÜ·B 2ÔÚÌ}XNÍ»êÉ뵀 XOR (r
¼I_a)³êÜ·B±êŵ¬·éÌŵ½çAȺÌêðgÁ
ĺ³¢:
TOS ¼ l êÊIÈpr
Minimum Delay 0x01 0x10 ftp, telnet
Maximum Throughput 0x01 0x08 ftp-data
Maximum Reliability 0x01 0x04 snmp
Minimum Cost 0x01 0x02 nntp
Andi Kleen ÍȺÌæ¤ÉwEµÄ¢Ü·B (ãXÉc·½ßÉ\»ðîç
©µÄ¢Ü·B)
½ªATOS rbgÌc_É¢ÄÍA ifconfig Ì txqueuelen p
[^ÌQÆðÇÁ·éÌÉÖŵå¤BfoCXÌL
[·
ÌúlÍC[TlbgJ[hÌ×ɲ®³êAfɨ¢ÄÍ
»êÍ··¬ÄA (TOSÉ¥Á½L
[Ì) 3ohÌXPW
[
ð쬵A»êçÌ«Í÷X½éàÌÅ·BfâVO b
`lÌ ISDN ڱɨ¢ÄA±Ìlð 4-10 ÌÔÉÝè·éÌ
ÍÇ¢Æv¢Ü·; ¾¢foCXÈçæè·¢L
[ªKvÅ·B
±êÍJ[lo[W 2.0 Æ 2.1 Ìâèŵ½ªA 2.1 É
¨¢Ä»êÍ (ÅVÌ nettools ðp¢Ä) ifconfig tOÅÂ
\ÉÈèA 2.0 ɨ¢ÄÍfoCXhCoÌ\[XÉpb`ð
KpµÄÂ\ÉÈèÜ·B
Å·ÌÅAfÅÌ PPP ڱɨ¯é TOS ìÌÅå̶bð¾éÉÍA
ȽÌ}VÌ /etc/ppp/ip-up XNvgàÅ `ifconfig $1
txqueuelen' ðÀs·é±ÆÅ·B±êðg¤ÛÌlÍf̬xÆf
àÌobt@ÌÊÉ˶µÜ·; 鼃 Andi ÌÖÌÔð»ÌÜÜÄx
fڵܷ:
^¦çê½RtBM
[VÌÅKlÍo±ªKvÅ·Bà
µ[^ãÌL
[ªZ·¬éÆApPbgðæè±ÚµÄµÜ¢
Ü·B»µÄÜ_ TOS Ì«·¦àÈøÊð¾é±ÆÉÈèA
PÉ TOS Ì«·¦Íñ¦ÍIÈvOÉøÊðà½çµÜ
·B (µ©µSÄÌWIÈ Linux VXevOͦÍI
Å·B)
4.1.5.4. pPbgÌ}[LO
±êÍ Alexey Kuznetsov ÉæéV½È"i¿ÊM"ÌÀÉæÁÄA¡GÅ
ÍÈÝìpðLøɵܷB 2.1 V[YJ[lÈ~Ìmarkx[XÌ
tH[fBOƯlÉÇDÅ·BXÈéj
[XƵÄͱêªg¦éæ
¤ÉÈÁ½±ÆÅ·B±ÌIvVÍ 2.0 J[lV[YÅÍS³
³êÜ·B
(ó: Quality of Service ÍA QoS ƪ³êAlbg[N¬Ê§Àðw
µÜ·B±êÍJ[lÌRtBM
[VXCb`É
CONFIG_NET_QOS ƵĶݵܷB)
4.1.5.5. `FCÌì
ipchains ÌÆÄàLøÈÁ¥ÍA`FCÌÖA·é[ðO[v»
Å«é±ÆÅ·B¨]ÝÌ`FCͽÅàÄÑo¹Ü·ªAgÝÝÏÝ
`FC (input, output Æ forward) â^[Qbg (MASQ, REDIRECT,
ACCEPT, DENY, REJECT ½Í RETURN) ðó³È¢×ÉA\ª·¢¼OðgÁÄ
º³¢B«Ìg£Éõ¦ÄAx¼ÌSÉå¶ðgíÈ¢±Æð¨©
ߵܷB`FC̼OÍÅå 8¶ÜÅg¦Ü·B
4.1.5.6. Vµ¢`FCðìé
Vµ¢`FCðìèܵå¤BÍÆÁÄàn¢ÍÉxñ¾ìYÈÌÅA»
êð test Ƽt¯Ü·B
# ipchains -N test
#
±êÍÈPÅ·B³ÄA ȽͱêÜÅÚ×Éq×Ä«½æ¤ÉA±êÉ
[ðüêé±ÆªÅ«Ü·B
4.1.5.7. `FCðí·é
`FCðí·éÌà¯lÉÈPÅ·B
# ipchains -X test
#
Ⱥ `-X' ©ÁÄ? ¤[ñA梶ªSÄæçêĵÜÁ½ÌÅ·B
`FCðí·éÉÍ 2Â̧Àª èÜ·: »Ì`FCÍóÅ éKv
ª è(ãqÌ```FCðóÉ·é''ð©Äº³¢)Aµ©àAµÄÇÌ
[Ì^[QbgÉàÈÁĢȢ±ÆÅ·BgÝÝÏÝÌ 3ÂÌ`FC
ÍÇêàíūܹñB
4.1.5.8. `FCðóÉ·é
`FC©çSÄÌ[ðæèèóÉ·éÌÍÈPÅA`-F' R}hð
g¢Ü·B
# ipchains -F forward
#
àµA`FC¼ðwèµÈ¯êÎASÄÌ`FCðóɵܷB
4.1.5.9. `FCÌàeðXgAbv·é
`FCÌSÄÌ[ðXgAbv·éÉÍA`-L' R}hðg¢Ü
·B
# ipchains -L input
Chain input (refcnt = 1): (policy ACCEPT)
target prot opt source destination ports
ACCEPT icmp ----- anywhere anywhere any
# ipchains -L test
Chain test (refcnt = 0):
target prot opt source destination ports
DENY icmp ----- localnet/24 anywhere any
#
test É\¦³êÄ¢é `refcnt' ÍAtest ð^[QbgÉwèµÄ¢é[
ÌÅ·B±Ìª 0 ÅÈ¢Æ(©Â`FCªóÅ é±Æ)A»Ì`F
Cðí·é±ÆÍūܹñB
àµA`FC¼ðwèµÈ¯êÎAóÌàÜßÄSÄÌ`FCÉ¢Ä
XgAbv³êÜ·B
`-L' ÉÍ 3ÂÌIvVª èÜ·B (åïÌlXÍ DNS ðgÁĢܷ
ª) DNS ªKØÉÝè³êĢȢêâ DNS ÌvðtB^[AEgµ
Ä¢éêÍA ipchains ª IP AhXð²×æ¤Æ·éÆ«É·Ò½³
êÜ·B»êðh®ÌÉ `-n' (l)IvVÍÆÄàLøÅ·B±ÌIv
VÍ TCP â UDP |[gÉ¢Äà¼OÅÍÈÔÅ\¦µÜ·B
`-v' IvVÍ[ÌÚ×ðSÄAá¦ÎApPbgâoCgÌJE
^[ATOS }XNAC^[tFCXA»µÄpPbg}[Nð\¦µÜ·B
±ÌIvVðwèµÈ¯êÎA±êçÌlÍȪ³êÜ·B
# ipchains -v -L input
Chain input (refcnt = 1): (policy ACCEPT)
pkts bytes target prot opt tosa tosx ifname mark source destination ports
10 840 ACCEPT icmp ----- 0xFF 0x00 lo anywhere anywhere any
LƵÄApPbgÆoCgÌJE^[ÍA1000, 1,000,000 ¨æÑ
1,000,000,000 ðA»ê¼ê `K', `M' ¨æÑ `G' ÌÚö«ðgÁÄ\¦µ
Ü·B `-x' (g£l)IvVðg¤ÆAlÌ嫳ɩ©í縮SÈ
lð¯lÉ\¦µÜ·B
4.1.5.10. JE^[ð([É)Zbg·é
JE^[ðZbgÅ«éÆÖÅ·B±êÍ `-Z' (JE^ð[É·
é) IvVÅÅ«Ü·Bá¦Î:
# ipchains -v -L input
Chain input (refcnt = 1): (policy ACCEPT)
pkts bytes target prot opt tosa tosx ifname mark source destination ports
10 840 ACCEPT icmp ----- 0xFF 0x00 lo anywhere anywhere any
# ipchains -Z input
# ipchains -v -L input
Chain input (refcnt = 1): (policy ACCEPT)
pkts bytes target prot opt tosa tosx ifname mark source destination ports
0 0 ACCEPT icmp ----- 0xFF 0x00 lo anywhere anywhere any
#
±ÌâèûÅÍAZbg·é¼OÌJE^lðméKvª éÆ«Éâè
ÉÈèÜ·BãLÌû@ÅÍA`-L' ©ç `-Z' R}hÜÅÌÔɢ©
ÌpPbgªÊß·é©àµêܹñB»Ì½ßAJE^[ðÇÞƯÉ
Zbg·éÉÍA`-L' Æ `-Z' ð¯Ég¢Ü·BcOȪçA Ƚª
±êðg¤ÆAPêÌ`FCðìūܹñ: êUSÄÌ`FCðX
gAbvµÄ[É·éKvª èÜ·B
# ipchains -L -v -Z
Chain input (policy ACCEPT):
pkts bytes target prot opt tosa tosx ifname mark source destination ports
10 840 ACCEPT icmp ----- 0xFF 0x00 lo anywhere anywhere any
Chain forward (refcnt = 1): (policy ACCEPT)
Chain output (refcnt = 1): (policy ACCEPT)
Chain test (refcnt = 0):
0 0 DENY icmp ----- 0xFF 0x00 ppp0 localnet/24 anywhere any
# ipchains -L -v
Chain input (policy ACCEPT):
pkts bytes target prot opt tosa tosx ifname mark source destination ports
10 840 ACCEPT icmp ----- 0xFF 0x00 lo anywhere anywhere any
Chain forward (refcnt = 1): (policy ACCEPT)
Chain output (refcnt = 1): (policy ACCEPT)
Chain test (refcnt = 0):
0 0 DENY icmp ----- 0xFF 0x00 ppp0 localnet/24 anywhere any
#
4.1.5.11. |V[ðÝè·é
ÈOÉpPbgªÇÌæ¤É`FCðÊ貯éÌ©ðAOqÌ ``^[
QbgÌwè''ÉÄ_¶½Æ«ApPbgªgÝÝÏÝ`FCÌIíèÉ
Bµ½É½ªN«éÌ©ðåÌq×ܵ½B±ÌêA`FCÌ|V[
ª»ÌpPbgÌ^½ðèµÜ·BgÝÝÏÝ`FC(input, output
¨æÑ forward)¾¯ª|V[ðÁĢܷBȺÈçApPbgª[
Uè``FCÌIíèÜźè¿éÆAOÌ`FCÉßÁÄs©çÅ
·B
|V[ÍÅ©ç 4ÂÜÅÌÁÊÈ^[QbgÌ¢¸ê©Å·: ACCEPT,
DENY, REJECT ½Í MASQ Å·B MASQ Í `forward' `FCɨ¢ÄÌÝL
øÅ·B
ܽAdvÈÓ_ƵÄAgÝÝÏÝ`FCÌ[ɨ¯é
RETURN ^[QbgÍApPbgª[É}b`µ½É¾¦IÉ`FC
Ì|V[ð^[QbgÉ·é½ßÖÅ·B
4.1.6. }XJ[fBOÌì
IP }XJ[fBOð÷²®·éô©Ìp[^ª èÜ·B»êç
Í ipchains ÉgÝÜêĢܷB½ÌÈçA»Ì@\Ì×ÉÊÌc[ð
ÌÍÇÈ¢©çÅ·B (µ©µ±êÍÏX³êéŵå¤B)
IP }XJ[fBOÌR}hÍ `-M' ÅA¡}XJ[h³êÄ¢éR
lNVðXgAbv·é½ßÉ `-L' ÆgÝí¹çêA}XJ[
fBOÌlð²®·é½ßÉ `-S' ÆgÝí¹çêÜ·B
`-L' R}hÍ `-n' (zXg¼â|[g¼ÅÍÈAlð\¦µÜ·B)
©AÜ½Í `-v' (Ü³É È½ªÓ·éA}XJ[hRlNVÌV
[PXÔÌÚ×ð\¦µÜ·B)ðº¢Ü·B
`-S' R}hÍÈºÌ 3ÂÌ^CAEglðÝèµÜ·A»êçÍbPÊ
Å·: TCP ZbVA FIN pPbgãÌ TCP ZbVÆA UDP pPb
gÅ·BൻêçÌlÌêÂðÏXµ½È¢ÈçÎAPÉ `0' ª^¦
çêÜ·B
ùèlÍ `/usr/src/linux/include/net/ip_masq.h' ÉXgAbv³êĨ
èA »ÝÍ»ê¼ê 15 bA 2b »µÄ 5bÅ·B
ÏX³êéÅàêÊIÈlÍA ftp Ì×ÉÏX·éÅÌlÅ·B (ãq
Ì``FTP Ì«²''ðQƵĺ³¢B)
``}XJ[fBOÌ^CAEglðÝèūܹñ!''Éñµ½^C
AEgÌÝèÉÖ·éâèÉӵĺ³¢B
4.1.7. pPbgð`FbN·é
É È½Ì}VÉêèÌpPbgªüèÞÛɽªN±é̩𩽢
Æv¤±Æŵå¤B ȽÌt@CAEH[`FCðfobO·éÈ
ÇB ipchains ͱêðLøɳ¹é `-C' R}hðõµÄ¢Ü·B»Ì
ÛAJ[lª{ÌpPbgðff·éÌÉp¢é[`Ƴmɯ¶
[`ðp¢Ü·B
pPbgðeXg·é`FCÍAø `-C' ÌãÉpPbgÌeXgð·é
`FC̼OðwèµÜ·BJ[lÍíÉ input, output ܽÍ
forward `FCAÆÚÁÄs«Ü·ªAeXgÍÇÌ`FC©çÅànß
é±ÆªÅ«Ü·B
`packet' ÌÚ×ÍAt@CAEH[[ðwè·é×Ép¢çêéÌÆ
¯¶«ûðp¢ÄwèµÜ·BÁÉAvgR (`-p') A\[XAhX
(`-s') A¶æAhX (`-d') ÆC^[tF[X (`-i')ÍK{Å·Bàµ
vgRª TCP Í UDP ÈçAPêÌ\[XÆPê̶æ|[gªwè³
êȯêÎÈèܹñµA ICMP vgRɨ¢ÄÍ ICMP ^Cvªwè³
êȯêÎÈèܹñB (tOg𦷠`-f' tOðwèµÄ¢È¯
êÎBwèµÄ¢éêͱêçÌIvVÍs³Å·B)
vgRª TCP ÈçÎ (»µÄ `-f' tOªµÄ¢³êĢȯêÎ)
AeXgpPbgÉ SYN rbgðZbg·éÌÉ `-y' tOðwèµÄà
æ¢Åµå¤B
ÈºÍ 192.168.1.1 Ì60000 |[g©ç 192.168.1.2 Ì www |[gÖA
eth0 C^[tF[XÉüèA `input' `FCÉB·é TCP SYN p
PbgðeXg·éáÅ·B (±êÍT^IÈ WWW ÌÚ±JnÌüÅ·)
# ipchains -C input -p tcp -y -i eth0 -s 192.168.1.1 60000 -d 192.168.1.2 www
packet accepted
#
4.1.8. êxÉ¡Ì[ƽªN±éÌ©ð©é
ÉPêÌR}hCª¡Ì[Ée¿³¹é±ÆªÅ«Ü·B±ê
ÉÍñÂÌû@ª èÜ·BÅÉA(DNS ðp¢Ä)¡Ì IP AhXÉð
·ézXg¼ðwè·éÆA ipchains Í È½ªeXÌAhXÌgÝ
í¹ÉεġÌR}hðsµ½ÌƯ¶æ¤ÉUé¢Ü·B
Å·©çAàµzXg¼ `www.foo.com' ª 3ÂÌ IP AhXÉðµAz
Xg¼ `www.bar.com' ª 2ÂÌ IP AhXÉð·éêAR}h
`ipchains -A input -j reject -s www.bar.com -d www.foo.com' ÍA input
`FCÉ 6ÂÌ[ðÇÁ·é±ÆÆÈèÜ·B
ipchains É¡Ì®ìðsí¹éà¤êÂÌû@ÍAoûütO(`-b') ð
p¢Ü·B±ÌtOÍA ipchains ÉR}hð 2ñüͳ¹½ÌƯlÉ
Uéí¹Ü·B»ÌÛÌ 2ñÚÌR}hÍ `-s' Æ `-d' Ìøð½]³
¹½±ÆÉÈèÜ·BÅ·ÌÅA 192.168.1.1 ÉÝÉtH[h³¹é±
ÆðÖ¶³¹éÉÍAȺÌæ¤ÉÅ«Ü·:
# ipchains -b -A forward -j reject -s 192.168.1.1
#
ÂlIÉÍA `-b' IvVÍD«ÅȢŷ; àÁÆÖɵ½¢ÈçA
ãqÌ``ipchains-save ðg¤''ð©Äº³¢B
-b IvVÍ }ü (`-I') A í (`-D') (Åà[io[Ìg£Å
Í èܹñB) AÇÁ (`-A') Æ`FbN (`-C') R}hƤÉg¦Ü
·B
à¤êÂÌÖÈtOÉ `-v' (ç·È) ª èÜ·B±êÍ ipchains ª
ȽÌR}hÉæÁĽðµÄ¢éÌ©ð³mÉvgAEgµÜ·B
Ƚª¡Ì[ðR}hð{µÄ¢éÌÈçA±êªÖÅ·Bá¦
ÎAÈºÍ 192.168.1.1 Æ 192.168.1.2 ÆÌÔÅtOgÌUé¢ð
`FbN·éáÅ·B
# ipchains -v -b -C input -p tcp -f -s 192.168.1.1 -d 192.168.1.2 -i lo
tcp opt ---f- tos 0xFF 0x00 via lo 192.168.1.1 -> 192.168.1.2 * -> *
packet accepted
tcp opt ---f- tos 0xFF 0x00 via lo 192.168.1.2 -> 192.168.1.1 * -> *
packet accepted
#
4.2. ÀáW
Ì PC ÍC^[lbgÖ_CAbv PPP Ú±³êÜ·B (-i ppp0)
Í_CAbvÌxÉlbgj
[X (-p TCP -s
news.virtual.net.au nntp) Æ[ (-p TCP -s mail.virtual.net.au
pop-3) ð PC ÉæèÝÜ·BÍ Debian Ì FTP Éæé PC ÌXVìÆð
èúIÉs¢Ü·B (-p TCP -y -s ftp.debian.org.au ftp-data) Í ISP
ÌvLVðîµÄ web ÖÌANZXðs¢Ü· (-p TCP -d
proxy.virtual.net.au 8080) ªA Dilbert A[JCãÌ doubleclick.net
©çÌLoi[ð¢Ü·B (-p TCP -y -d 199.95.207.0/24 Æ -p TCP
-y -d 199.95.208.0/24)
Í PC ªICÌÛÉN©ªÌ PC É뵀 ftp ðÝé±ÆÉÖ
µÄÍCɵܹñB (-p TCP -d $LOCALIP ftp) ¯êÇàAOÌN©É
Ìàlbg[N (-s 192.168.1.0/24) Ì IP AhXðU³ê½
èܹñB±êÍÊíA IP Xv[tBO (ó: U) ÆÄÎêAo[
W 2.1.x È~ÌJ[lÉͱêðh®Ç¢û@ª èÜ·: ``IP U
Ûì(IP Spoof Protection)ðAÇÌæ¤ÉÝèµ½çæ¢Å·©?''ðQƵ
ĺ³¢B
±ÌZbgAbvÍÆÄàPÅA½ÌÈç¡Ìàlbg[NãÉͼ
É}VªÈ¢©çÅ·B
Í çäé[JvZX(·Èí¿AlbgXP[vA lynx ) ð
doubleclick.net ÉÚ±³¹½ èܹñB
# ipchains -A output -d 199.95.207.0/24 -j REJECT
# ipchains -A output -d 199.95.208.0/24 -j REJECT
#
³ÄAÍOÖoÄslXÈpPbgÉDæÊðÝèµ½¢Å·B (üÁ
ÄépPbgÉεıêðs¤½ÌbgÍ èܹñB) ±êçÌ
[ª½ éÌÅAppp-out Ƽt¯½`FCÉ»êçSÄðüêé±
ÆÍÓ¡Ì é±ÆÅ·B
# ipchains -N ppp-out
# ipchains -A output -i ppp0 -j ppp-out
#
web ÌgtBbNÆ telnet ÖŬxðÝèµÜ·B
# ipchains -A ppp-out -p TCP -d proxy.virtual.net.au 8080 -t 0x01 0x10
# ipchains -A ppp-out -p TCP -d 0.0.0.0/0 telnet -t 0x01 0x10
#
ftp f[^, nntp, pop-3 ÉáRXgðÝèµÜ·:
# ipchains -A ppp-out -p TCP -d 0.0.0.0/0 ftp-data -t 0x01 0x02
# ipchains -A ppp-out -p TCP -d 0.0.0.0/0 nntp -t 0x01 0x02
# ipchains -A ppp-out -p TCP -d 0.0.0.0/0 pop-3 -t 0x01 0x02
#
ppp0 C^[tF[XÉüÁÄépPbgÉÍô©̧Àª èÜ·:
`ppp-in' Æ¢¤`FCðìèܵå¤:
# ipchains -N ppp-in
# ipchains -A input -i ppp0 -j ppp-in
#
³ÄA ppp0 ÉüÁÄépPbgÍ 192.168.1.* Ì\[XAhXðå£
·é׫ÅÍ èܹñBÅ·©çAäXÍ»êçðOÉL^µÄÛè
(deny) µÜ·:
# ipchains -A ppp-in -s 192.168.1.0/24 -l -j DENY
#
Í DNS Ì UDP pPbg (ÍSÄÌvð 203.29.16.1 Ö]·é
LbV
l[T[o𮩵ĢéÌÅA»êçÌv©ç»Ì DNS ¾
¯ªÔ·é±Æð\ªµÜ·B) Æ üÁÄé ftp ÆAÁÄé ftp-
data (±êçÍ1023ÔÈãÌ|[gÌݪgíêAÂ6000ÔßÓÌ X11 |
[gðg¢Ü¹ñB) Ì TCP pPbgÌÝðµܷB
# ipchains -A ppp-in -p UDP -s 203.29.16.1 -d $LOCALIP dns -j ACCEPT
# ipchains -A ppp-in -p TCP -s 0.0.0.0/0 ftp-data -d $LOCALIP 1024:5999 -j ACCEPT
# ipchains -A ppp-in -p TCP -s 0.0.0.0/0 ftp-data -d $LOCALIP 6010: -j ACCEPT
# ipchains -A ppp-in -p TCP -d $LOCALIP ftp -j ACCEPT
#
AÁÄé TCP ÌÔpPbgðµܷB
# ipchains -A ppp-in -p TCP ! -y -j ACCEPT
#
ÅãÉA[JÆ[J¯mÌpPbgÍ OK Å·:
# ipchains -A input -i lo -j ACCEPT
#
³ÄAÌ input `FCɨ¯éùè|V[Í DENY (Ûè) Å·ÌÅA
ãqÌàÌÈOÍSÄjüµÜ·:
# ipchains -P input DENY
#
Ó: ͱÌÔÅ`FCðZbgAbvµÜ¹ñŵ½BZbgAbv
ÌÅÉpPbgªüèñÅé©çÅ·BÅàÀSÈÌÍÅÉ DENY Ì
|V[ðÝè·é±ÆÅ·BÜ_A ȽÌ[ªzXg¼ðð·é×
É DNS ÌQÆðv·éÈçAâ誶·é±Æŵå¤B
4.2.1. ipchains-save ðg¤
Ü³É È½Ì¨]ÝÊèÌt@CAEH[`FCðZbgAbvµA»
µÄñÉâÁ½±Æðv¢o»¤Æ·éÌÍh¢±ÆÅ·B
»±ÅA¡ZbgAbvµ½ ȽÌ`FCðÇÝAt@CÉÛ¶·éA
ipchains-save Æ¢¤XNvgÅ·B ipchains-restore ª½ð·é©ÉÖ
µÄÍ¿åÁÆÒÁÄĺ³¢ËB
ipchains-save ÍPêÌ`FCÍ (`FC¼ªwè³êȯêÎ) SÄ
Ì`FCðZ[uÅ«Ü·BIvVƵÄÍ `-v' Ìݪ³êA±ê
ÍZ[u³ê½[ð (WG[oÍÉ) vgµÜ·B input,
output »µÄ forward `FCÌ|V[à¯lÉZ[u³êÜ·B
# ipchains-save > my_firewall
Saving `input'.
Saving `output'.
Saving `forward'.
Saving `ppp-in'.
Saving `ppp-out'.
#
4.2.2. ipchains-restore ðg¤
ipchains-restore Í ipchains-save ÅÛ¶³ê½`FCð³µÜ·B±
êÍ 2ÂÌIvVð¿¾Ü·: `-v' ÍeXÌ[ªÇÁ³êéæ¤
ÉྵܷB»µÄ `-f' ÍȺÉྷéæ¤ÉAùɶݷé[U[
è``FCð§IÉÁµÜ·B
àµA input `FCàÉ[U[è``FCª êÎA ipchains-
restore Í»êªù¶Ì`FCÈÌ©ð`FbNµÜ·B»¤Å êÎAv
vgª\¦³êA`FCðÁ·é (SÄÌ[ðÁ·é) ©A
ðXLbvµÄ»ÝÌÝèðÛ·é©ÌIððßçêÜ·BàµR}
hCÉ `-f' ðwè·êÎAvvgÍ\¦³êܹñ: `FCÍÁ
³êÜ·B
á:
# ipchains-restore < my_firewall
Restoring `input'.
Restoring `output'.
Restoring `forward'.
Restoring `ppp-in'.
Chain `ppp-in' already exists. Skip or flush? [S/f]? s
Skipping `ppp-in'.
Restoring `ppp-out'.
Chain `ppp-out' already exists. Skip or flush? [S/f]? f
Flushing `ppp-out'.
#
5. »Ì¼Ìîñ
±ÌÍãqÌྩçàê½·×ÄÌîñÆ FAQ Wª èÜ·B
5.1. t@CAEH[[ðÇÌæ¤É\z·é©
±ÌâèÉÍ éíÌûjªKvÅ·B¬xðÅK»(ÅàÊÌpPbgÉ
ηé[`FbNðŬÀÉÆÇßé)µÄ\z·é©AÇ«ðßÄ
\z·é±ÆàÅ«Ü·B
PPP Nƾ¤ÔIÈNðgÁÄ¢éÈçAN®É input `FC
ÌÅÌ[ð `-i ppp0 -jDENY' ÉÝèµ½¢Æv¤©àµêܹñB
»ÌêÍA ip-up XNvgt@CÅÌæ¤ÉµÜ·B
(ó: foCX ppp0 ©çÌpPbgðjü·éB_CAbvñüÈÇ
©çÌNüðh~µ½êÉÝè·éB)
# `ppp-in' `FCðĶ¬·éB
ipchains-restore -f < ppp-in.firewall
# ppp-handling `FCÉèñÅ DENY [ðu«·¦éB
ipchains -R input 1 -i ppp0 -j ppp-in
ip-down ÍÌæ¤ÉÈèÜ·B
ipchains -R input 1 -i ppp0 -j DENY
5.2. tB^OÅjüµÄÍ¢¯È¢pPbg
KvÅÈ¢pPbgðtB^OÅjü·éOÉӵĨ©È¯ê΢
¯È¢ª èÜ·B
5.2.1. ICMP pPbg
ICMP pPbgÍA(TCP â UDP Ìæ¤È)ÊÌvgRÉεÄA¸sð\
¦ (»Ì¼ éàÌÌÈ©Å) ·éÌÉgíêĢܷBÆèí¯ `ÚIn
ÉBµÈ¢' pPbgð\¦µÜ·B±êçÌpPbgðubN·éÆA
`zXgÉBµÜ¹ñ' â `zXgÖÌoHª èܹñ' Æ¢¤G[ð
ó¯æé±ÆªÅ«ÈÈèÜ·BÇÌæ¤ÈÚ±àé͸ÌÈ¢ÔðÒ
¾¯ÉÈèÜ·B±êÍ¢ç¢çµÜ·ªv½IÅÍ èܹñB
³çÉ«¢±ÆÍ MTU oÅÌ ICMP pPbgÌðÅ·B·×ÄÌÇDÈ
TCP ÌÀ(Linux ðÜß½)ÍAª³êÈ¢óÔÅ(ª³êéÆptH[
}Xðẳ¹AÆèí¯AÆ«Ç«ª³ê½fЪ¸íêéƳçÉá
ºµÜ·)ÚInÉB·éÅåÌpPbgTCYðèo·½ßÉ MTU o
ðgÁĢܷB MTU oÍAܸpPbgð "ªsÂ" ÌrbgðÝè
µÄèA 'ªªKv¾ªªµÈ¢Ýè(DF)ðµÄ¢é'Æ¢¤G[ð
¦· ICMP pPbgðó¯æÁ½çAæÙÇÌàÌæ謳¢TCYÌpPb
gðè¼·AÆ¢¤â詽ŮìµÜ·B±êÍA`ÚInÖBs\'
pPbgÌ^CvÅAàµó¯È¢ÈçA[JzXgÍ MTU ðẳ¹
È¢ÅAÀsÍÐÇ«Èé©A¶ÝµÈ¢±ÆÉÈéŵå¤B
ó:
ICMP: Internet Control Message Protocol
IP ÝÚ±lbg[NàÌm[hÅG[ÊBAffA§ä̽ß
ÌbZ[WðévgR
MTU: maximum transmission unit
lbg[NC^[tF[XªêxÉé±ÆªÅ«éÅåÌf[^
Ê
·×ÄÌ ICMP oHÏXvbZ[W(type 5)ðubN·éÌÍʾÆ
¢¤±ÆÉӵĺ³¢B±êçÍAoHðè®Ýè·é×Ég¤±Æªo
Ü·ª(ÇDÈ IP X^bNÍÀSuðÁĢܷ)AµÎµÎââë¯
¾ÆmçêĢܷB
5.2.2. DNS (l[T[o[) ÖÌ TCP Ú±
Oü«Ì TCP Ú±ðubN·éæ¤ÉµÄ¢éÈçA DNS Í¢Âà UDP
ðgíÈ¢±ÆÉӵĺ³¢BT[o©çÌÔª 512 oCgðz¦é
ÆANCAgÍf[^ð¾éÌÉ TCP Ú±(âÍè 53 Ô|[gÔ) ð
g¢Ü·B
ó:
UDP: User Datagram Protocol
f[^pPbgÌ]ðs¤vOBUDP Í TCP Éä×éƬ
Å·ªAM«ªáApPbgÌBªÛسêܹñB
TCP ]ðÖ~µÄ¢ÄàA DNS ª `ÙÆñÇ®' ÌÅn}Ü·B»Ì
æ¤ÉµÄ¢éÈçAsÂðÈ·¢xâ»Ì¼ÌÆ«Ç«¶·é DNS Ì
âèðo±·é±ÆÉÈéŵå¤B
DNS Ìâ¢í¹ªA¢Âà¯êÌOÌ\[X(/etc/resolv.conf É©ê
½sÌl[T[oð¼Úg¤©AtH[h[hÅLbV
Ìl[T
[o[ðg¤©ÌÇ¿ç©)ɵĢéÈçA(LbV
ðgÁÄ¢éÈ
ç)[J domain |[g©çA /etc/resolv.conf ðgÁÄ¢éÈçnC
|[g(>1023)©çA»Ìl[T[oÌ domain |[gÖÌ TCP Ú±ðÂ
·éKv¾¯Å©Ü¢Ü¹ñB
ó: domain Í /etc/services ÉÌÚªè`³êÄ¢é©ðmFµÄ¨
«Ü·BÌæ¤ÉµÄ²×é±ÆªÅ«Ü·B
$ grep domain /etc/services
domain 53/tcp nameserver # name-domain server
domain 53/udp nameserver
5.2.3. FTP Ì«²
T^IÈpPbgtB^OÌâèÍ FTP Å·BFTP ÉÍQÂÌ[h
ª èÜ·B`IÈàÌÍ ANeBu[h ƾíêéàÌÅAæèÅß
ÌàÌÍA pbVu[h ƾíêÜ·B Web uEUÍÊípbVu
[hªftHgÅ·ªAR}hÌ FTP vOÍÊíANeBu[
hªftHgÅ·B
ANeBu[hÅÍA[gzXgªt@CðMµ½¢Æ«( é¢
ÍA ls â dir R}hÌÊų¦)A[J}VÖÌ TCP Ú±ðI
[vµæ¤ÆµÜ·B±êÍANeBu FTP ðØfµÈ¢ÈçA±êçÌ
TCP Ú±ðrūȢƢ¤±ÆÅ·B
pbVu[hðg¤IvVª éÈçAÇ¢±ÆÅ·BpbVu[h
ÍüÍf[^ÉεÄàANCAg©çT[oÉf[^Ú±ðìèÜ·B
pbVu[hªg¦È¢ÈçATCP Ú±É 1024 ðz¦A6000 ©ç 6010
ÌÍÍɳ¢|[gÉ뵀 TCP Ú±ð·é±Æð§µÜ·B(6000
Í X-Window System ÉgíêĢܷB)
5.3. Ping of Death ðr·é
Linux }VÍ¢ÜâL¼È Ping of Death ðSz·é±ÆÍ èܹñB
Ping of Death Ís@Éå«È ICMP pPbgðMµA»êÍó¯æè¤Å
TCP X^bNÉ éobt@[ðìê³¹AjóÌ´öÉÈèÜ·B
ÆãÈ}VðÛì·éÈçAPÉ ICMP tOgðubNÅ«Ü
·BÊíÌ ICMP pPbgͪðv·éÙÇå«Í èܹñ©çAå
«È ping ðr·éÈO¼ÉÍe¿ð^¦Ü¹ñB (sm©Å·ª)
ÍAICMP tOgð·½ßÉATCYI[o[Ì ICMP pPbgÌÅ
ãÌtOg¾¯ðvµA»ÌÊAÅÌtOg¾¯ðub
N·éVXeª éÆ¢¤ñð·¢½±Æª èÜ·ªAÅÌtO
g¾¯ðubN·éæ¤ÈVXeͨ©ßūܹñB
Í ICMP ðg¤·×ÄÌvOð©Ä«Üµ½ªATCP â UDP tO
g( é¢Ís¾ÌvgR)ÍA±Ìæ¤ÈUÉεÄg¤±ÆªÅ
«È¢Æ¢¤RªÈ¢ÌÅA ICMP tOgðubN·éÌÍAÔÉ
í¹Ìðŵ© èܹñB
5.4. Teardrop Æ Bonk ðr·é
Teardrop Æ Bonk ƾíêéàÌÍAd¡·étOgðÚIɵĢ
é 2íÞÌU(¨àÉMicrosoft Windows NT }VÉεÄ)Å·B Linux
[^ªftO@\ðÁÄ¢é©AU³êâ·¢}VÉ·×ÄÌt
OgðÖ~·éÌÍÊÌIvVÅ·B
5.5. tOgðr·é
M«ÌᢠTCP X^bNÍApPbgª½ÌtOgÉÈÁÄ¢
ÄA»êçð·×ÄóMūȢƫAåÊÌtOgðµ¤ÌÉâèð
ÁÄ¢éà̪ éƾíêĢܷB Linux ͱÌæ¤Èâèª èÜ
¹ñBtOgðjü(³Égp³ê½àÌàó·©àµêܹñ)·é
©AܽÍA `IP: always defragment' ð `Y' Æ( È½Ì Linux }Vª
±êçÌpPbgÉεÄBêæè¾éoHÅ éêÌÝ)Iðµ½J[l
ðRpC·é±ÆÅrÅ«Ü·B
5.6. t@CAEH[[ðÏX·é
t@CAEH[[ðÏX·éÆ«A^C~OÌâèª èÜ·Bsè
Ûª éÆAÏXÌrÅÉpPbgðʵĵܢܷBÀÕÈâ詽Æ
µÄÍÌæ¤Èû@ª èÜ·:
# ipchains -I input 1 -j DENY
# ipchains -I output 1 -j DENY
# ipchains -I forward 1 -j DENY
. ÏXµÜ· ...
# ipchains -D input 1
# ipchains -D output 1
# ipchains -D forward 1
#
ÏXµÄ¢éÔA·×ÄÌpPbgªjü³êÜ·B
ÏXªPêÌ`FCÉÀè³ê½àÌÈçAVµ¢[ÅVµ¢`FC
ðìè½¢©àµêܹñBVµ¢`FCð¦·àÌÆAâ`FCð¦
·[ðu«·¦Ü·(`-R')B»¤·êÎAâ`FCðíÅ«Ü·B
±Ìu«·¦ÍAg~bNÉ(¼ÌàÌÉÍe¿µÈ¢Å)síêÜ·B
5.7. IP UÛì(IP Spoof Protection)ðAÇÌæ¤ÉÝèµ½çæ¢Å·
©?
IP UÍAzXgªÊÌzXg©ç¿³êépPbgðèo·ZpÅ
·BpPbgtB^OÍA±Ì\[XAhXðàÆÉ»è·éÌÅA
IP UÍpPbgtB^[ð²Ü©·½ßÉg¤àÌÅ·B SYN Uâµ
¸(Teardrop)Aܽ½æèÌ Ping(Ping of Death) â»êɽàÌ(»ê
窽ҩðmçÈ¢ÈçSzÍspÅ·)ðgÁÄ¢éUÒÌg³ðB·
½ßÉàܽgíêÜ·B
IP Uðhä·éàÁÆàæ¢û@ÍA\[XAhXFØ(Source Address
Verification)ƾíêéàÌÅA»êÍ[eBOR[hÉæÁÄsíê
éàÌÅASt@CAEH[ÅÍ èܹñB
/proc/sys/net/ipv4/conf/all/rp_filter Æ¢¤t@CðTµÄº³¢B±
êª éÈçAn®·é½ÑÉ\[XAhXFØ(Source Address
Verification)ðLø·é±Æª³µ¢ðÉÈèÜ·B±Ìæ¤É·é½
ßA¢¸ê©Ìlbg[NC^[tF[Xªú»³êéOÉA¨g¢Ì
init XNvgÌDZ©ÉÌsðÁ¦Ü·B
# ±êªàÁÆàÇ¢û@Å·: \[XAhXFØ
# (Source Address Verification) ðLøɵA»Ý éàÌƱê©ç
# g¤·×ÄÌC^[tF[XÉUÛìðµÜ·B
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
echo -n "Setting up IP spoofing protection..."
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > $f
done
echo "done."
else
echo PROBLEMS SETTING UP IP SPOOFING PROTECTION. BE WORRIED.
echo "CONTROL-D will exit from this shell and continue system startup."
echo
# R\[ãÅVO[UVFðN®µÜ·B
/sbin/sulogin $CONSOLE
fi
±êªÅ«È¢ÈçA·×ÄÌC^[tF[XðÛì·é½ßÉè®Å[
ð«Á¦Ü·B±ÌêÍ»ê¼êÌC^[tF[XÉ¢ÄÌm¯ª
KvÅ·BJ[l 2.1 Í©®IÉ127.* ÌAhX([J[vobN
C^[tF[X lo É\ñ³ê½àÌ)©çv·épPbgðÛµÜ
·B
á¦Î eth0, eth1 »µÄ ppp0 Ì 3ÂÌC^[tF[Xª èÜ·BC
^[tF[XÌAhXÆlbg}XNðmé½ßÉ ifconfig ðg¤±Æª
Å«Ü·Bá¦ÎA eth0 ªlbg}XN 255.255.255.0 Ìlbg[N
192.168.1.0 ÉA^b`³êA eth1 Ílbg}XN 255.0.0.0 Ìlbg
[N 10.0.0.0 ÉA^b`³êA ppp0 ªC^[lbg(\ñ³ê½vC
x[g IP AhXð¢ÄAÇñÈAhXÅà³êÜ·)BÌæ¤È
[ðÁ¦éÆæ¢Åµå¤B
# ipchains -A input -i eth0 -s ! 192.168.1.0/255.255.255.0 -j DENY
# ipchains -A input -i ! eth0 -s 192.168.1.0/255.255.255.0 -j DENY
# ipchains -A input -i eth1 -s ! 10.0.0.0/255.0.0.0 -j DENY
# ipchains -A input -i ! eth1 -s 10.0.0.0/255.0.0.0 -j DENY
#
±Ìû@ͨg¢Ìlbg[NªÏíéÆA¢ÜÜÅÌ»ÌóÔðÛ·é
½ßÉ È½Ít@CAEH[[ðÏXµÈ¯ê΢¯È¢ÌÅA\[
XAhXFØ(Source Address Verification)Ås¤ÙÇÇ èܹñB
2.0 nÌJ[lð¨g¢ÈçAɦ·æ¤È[ðgÁÄA[vob
NC^[tF[XàܽÛìµ½¢©àµêܹñBÌæ¤É[ðg
¢Ü·:
# ipchains -A input -i ! lo -s 127.0.0.0/255.0.0.0 -j DENY
#
5.8. ÅVÌvWFNg
Í[UXy[XCuð¢Ä¨èA»êÍ`libfw' ÆÄÎêé\[
XfBXgr
[VðÜñŢܷB»êÍ ipchains Ìo[W
1.3 ÈãÌ\ÍðgpµÄ(IP_FIREWALL_NETLINK ÌRtBOIvVð
gÁÄ)[UXy[XÉpPbgðRs[µÜ·B
}[NlÍpPbg̽ßÌ Service Ì¿ (QoS) p[^ðßé½ßÉ
g¤©A é¢ÍApPbgªÇÌæ¤É|[gÉp³êé©ðßé½ß
Ég¤±ÆªÅ«Ü·BÍÇ¿çàpµÄ¢Ü¹ñªA Ƚª»êÉÂ
¢Ä¢ÄÝæ¤Æv¤ÈçAǤ¼ÉAðµÄº³¢B
óÔÏ@(stateful inspection)(Í_Ci~bNt@CAEH[Æ¢¤¾
tðñ¥µÜ·)Ìæ¤È±ÆÍA±ÌCuðg¤[UXy[XÅÀ
³êéŵå¤B»Ì¼Ìf°çµ¢ACfBAÍA[UXy[Xf[
ÅT·±ÆÅ[U²ÆÌîÕãÅpPbgðRg[µÜ·B±êÍ
ÆÄàÈPÅȯêÎÈèܹñB
5.8.1. SPF: Xe[gtpPbgtB^O
ftp://ftp.interlinx.bc.ca/pub/spf <ftp://ftp.interlinx.bc.ca/pub/spf>
ãLÍA Brian Murrell Ì SPF vWFNgÌTCgÅA»êÍ[UXy
[XÅÚ±ÌÇÕðµÜ·BáohÌTCgÉdvÈZL
eBðÇÁ
µÄ¢Ü·B
»ÝASPF É¢Ä̶ÍÙÆñÇ èܹñªAÌàÌÍ Brian ª¿
âɦ½àÌð[OXgÉeµ½àÌÅ·B
> »ê±»ª³ÉÌ]Þ±ÆðsȤÆM¶Ä¢Ü·B
> OÖÌvÌX|XƵÄpPbgðÊ·æ¤É
> êIÈ''t¬(backward)''Ì[ðCXg[µÄ¢Ü·B
Í¢A»ÌÊèÅ·B
vgRÉ¢Äð·êηéÙÇA "t¬(backward)" Ì[ÍàÁƳµÈèÜ·B
¡ÌƱëÍA (o¦Å¢Ä¢Ü·AG[âè²©èª ÁÄàµÄº³¢)
FTP(ANeBuÆpbVuAà¤ÆO¤Ì¼û)ARealAudioA tracerouteA
ICMP »µÄàIÈ ICQ( ICQ T[o©çüéàÌA»µÄA¼ÚIÈ TCP Ú±©çÌàÌAµ©µÈªçt@C]Ìæ¤È±ÆÉÖ·éæ2 ̼ÚIÈ TCP Ú±ÈÇÍܾ èܹñª)ðT|[gµÄ¢Ü·B
> SPF Í ipchains ðu«·¦éÌÅ·©A»êÆàâ«·éÌÅ·©B
â«·éàÌÅ·B
ipchains Í Linux }Vðz¦Ä`íépPbgðµ½èAh¢¾è·é¹ïÅ·B
SPF ÍhCoÅ èAgtBbN𽦸ĵÄAÇÌæ¤ÉÏX·é©ð ipchains É`¦A ipchains ÍAÏXðgtBbNp^[É`¦Ü·B
5.8.2. Michael Hasenstein Ì ftp-data nbN
SuSE Ì Michael Hasenstein Í ipchains É ftp Ú±ÌÇÕ@\ðÇÁ·é
J[lpb`ð¢Ä¢Ü·BÌƱëÉ èÜ·B
http://www.suse.de/~mha/patch.ftp-data-2.gz
<http://www.suse.de/~mha/patch.ftp-data-2.gz>
5.9. ¡ãÌÛè
t@CAEH[Æ NAT Í 2.4 ÅÄÝv³êĢܷBvæÆc_Í
netfilter Ì[OXgÅpÅ«Ü·B ( http://lists.samba.org
<http://lists.samba.org>ð©Äº³¢) ±Ìæ¤È»Í½ÌÖ«Ìâ
èððµA(ÀÛAt@CAEH[â}XJ[hͱÌæ¤È¢ï ÍÈ
¢Í¸Å·)A»µÄàÁÆÍé©É_î«Ì ét@CAEH[ÌWð
£·Í¸Å·B
6. êÊIÈâè
6.1. ipchains -L ðg¤Æt[YµÜ·!
DNS õðó¯t¯È¢Ìŵå¤BÇÍ^CAEgÉÈÁĵܢÜ
·B ipchains É뵀 `-n' (l)tOðgÁÄÝܵå¤B `-n' ÍA
l[ÅÌõðs¢Ü¹ñB
6.2. ½]ªÅ«Ü¹ñ!
`!'IvV̼¤ÉXy[Xð¨¢ÄA`!' IvVðPÆÅgíȯ
ê΢¯Ü¹ñB (4.1.4.1 Åӵܵ½)T^IÈÔá¢Å·B
# ipchains -A input -i !eth0 -j DENY
#
`!eth0' ÆÄÎêéC^[tF[XͶݵܹñªA ipchains Í»êª
í©çÈ¢ÌÅ·B
(ó: `!' Ìg¢ûÉÖ·éÓÍA 4ÍðQÆB `!' IvVÌOãÌ
Xy[XðYêȢź³¢B)
6.3. Masquerading Ü½Í Forwarding ª®«Ü¹ñ!
pPbgÌ forwarding ªÂ\ÉÈÁÄ¢é̩Ǥ©ðmFµÄº³¢(Å
ßÌJ[lÅÍAftHgÅ `gpµÈ¢'ÉÈÁĢܷBpPbgÍ
`forward' chain ðz¦é±Æ·çȢƢ¤±ÆÅ·)B root ÀÅÌ
æ¤ÉüÍ·êÎÏXÅ«Ü·B
# echo 1 > /proc/sys/net/ipv4/ip_forward
#
±êŤܢÈçAñAÂ\ÉÈéæ¤ÉA¨g¢ÌN®XNvgÌ
DZ©É±Ìsð¢Ä¨±ÆªÅ«Ü·B±ÌR}hª®OÉt@C
AEH[ðÝèµ½¢Í¸Å·B»¤µÈ¢ÆA(jü·×«)pPbgðÊ
ß³¹ÄµÜ¤@ïð^¦ÄµÜ¢Ü·B
6.4. -j REDIR ª®«Ü¹ñ!
_CNg𮩷½ßÉÍpPbgÌ forwarding (ãqð©Äº³¢)ð
µȯê΢¯Ü¹ñB»¤µÈ¢ÆA[eBOÌR[hÍpPbg
ðµÜ·B»±ÅA_CNgÌÝðgÁÄ¢ÄtH[fBOÍSR
gÁĢȢÈçÎA±Ì±ÆÉӵĺ³¢B
REDIRECT (input `FCÉ é)ÍA[JvZX©çÌÚ±ÉÍøÊ
ªÈ¢±ÆÉӵĺ³¢B
(ó: ipchains ÌIvVÉ¢ÄÍAman ipchains ÅmFµÄº³
¢B)
6.5. ChJ[hC^[tF[Xª®«Ü¹ñ!
J[lÌ 2.1.102 Æ 2.1.103 Å(»µÄªìÁ½¢Â©Ìâpb
`)ÉÍoOª èܵ½B»êçÌJ[lÅÍA(-i ppp+ Ìæ¤È)C
hJ[hC^[tF[Xª¤Ü¢©È¢G[𾦷é ipchains R
}h𶬵ܵ½B
±ÌÍAÅVÌJ[lÆ web TCgÉ é 2.0.34 Ìpb`ÅÍC³³
êĢܷBJ[l\[XðèÅC³·éÈçA include/linux/ip_fw.h
t@CÌ 63s ½èðÌæ¤ÉÏXµÜ·:
#define IP_FW_F_MASK 0x002F /* All possible flag bits mask */
±êÍ ``0x003F'' ðÇÞ׫ŷB±êðC³µAJ[lðÄ\zµÜ
·B
6.6. TOS (Type of Service) ª®«Ü¹ñ!
±êÍÌÔá¢Åµ½B Service field Ì^CvðÝèÍA 2.1.102 ©ç
2.1.111 ÅÌJ[lÅÍÀÛÉÍ Service Ì^CvðÝèÅ«È¢ÌÅ
·B±ÌâèÍA2.1.112 ÅÍC³³êܵ½B
6.7. ipautofw Æipportfw ª®«Ü¹ñ!
2.0.x ÅÍ®«Ü¹ñB ipchains Æipautofw é¢Í ipportfw Éηé
å«Èpb`ð쬵AÛ·éÔª èܹñB
2.1.x ÉεÄÍAÌƱë©ç Juan Ciarlante Ì ipmasqadm ð_E
[hµÄº³¢B http://juanjox.linuxhq.com/
<http://juanjox.linuxhq.com/> »µÄAipautofw âipportfw ðg¤Æ«A
ipportfw Ì©íèÉ ipmasqadm portfw ðü͵A»µÄA ipautofw Ì©
íèÉipmasqadm autofw ðü͵ÄA«¿ñÆgÁĺ³¢B
6.8. xosview ªóêĢܷ!
1.6.0 Å©A»êÈ~ÌàÌɵĺ³¢B»êçÌÅÅÍAJ[l 2.1.x
ÉεÄÇÌæ¤È firewall rule àvµÜ¹ñB±êÍ 1.6.1 Åܾó
êÄ¢éÆvíêéÈçA»ÌêÍÒÉoOñðµÄº³¢(»êÍA
̸sÅÍ èܹñ)B
6.9. `-j REDIRECT' Å Segmentation G[ÉÈèÜ·!
±êÍ ipchains 1.3.3 ÅÌoOÅ·ÌÅAVµ¢ÅÉAbvO[hµÄº
³¢B
6.10. }XJ[fBOÌ^CAEglðÝèūܹñ!
(J[l 2.1.x ɨ¢Ä) 2.1.123 È~ÅÍ®«Ü¹ñB 2.1.124 ÅÝè
µÄÝéÆA masquerading timeouts ÍJ[lðbNµÄµÜ¢Ü·
(net/ipv4/ip_fw.c t@CÌ 1328 sÉ é return ð ret = ÉÏXµÄ
º³¢)B 2.1.125 ÅÍA¿áñÆ®«Ü·B
: 4.1.1 à©Äº³¢B
6.11. IPX ðt@CAEH[µ½¢Å·!
¼É௶æ¤È²ó]ª éÆv¢Ü·BcOȪçAÌR[hÍ IP ð
·×ÄÔ
µÄ¢é¾¯Å·ªAK¢È±ÆÉAIPXðt@CAEI[·é
ÌÉKvÈ@\Í·×Ä»ëÁĢܷB»êðpµÄ Ƚ²©gÅR[
hðKvª èÜ·ªAÂ\ÈÍÍÅÍìñŨè`¢µÜµå¤B
ó: IPX Æ¢¤ÌÍANovell Éæé MS-DOS ãÌlbg[NvgR
Å·B IPX É¢ÄÍAIPX-HOWTOðQƵĺ³¢B
http://www.linux.or.jp/JF/JFdocs/IPX-HOWTO.html
7. ÀpIÈá
±ÌÍáÍA1999 NÌ 3 ÉJÃ³ê½ LinuxWorld Å Michael Neuling
ƪ\µ½`
[gA©çøpµÜµ½B±êÍA^¦çê½âèð
ð·é½ßÌBêÌû@ÅÍȢŷªA½ªÅàPÈàÌÅ·B±ÌÍ
áðLvÈà̾ÆvÁĸ¯êÎK¢Å·B
7.1. \¬
o }XJ[h³ê½àlbg[N(lXÈ OS ª¶ÝµÄ¢Ü·) ª¶
ݵA"GOOD" ÆÄÑÜ·B
o ª£³ê½lbg[NãÉöJT[oª¶ÝµÄ¢Ü·(ñ»nÑ
"Demilitarized Zone" Æ¢¤±ÆÅ "DMZ" ÆÄÑÜ·)B
o C^[lbgÖ PPP Ú±µÄ¢Ü·( "BAD" ÆÄÑÜ·)B
Olbg[N (BAD)
ppp0
¡¢
192.84.219.1 T[olbg[N (DMZ)
eth0
¦¦¦
192.84.219.250
192.168.1.250
¤£ ¡¢ ¡¢ ¡¢
eth1 SMTP DNS WWW
¤£ ¤£ ¤£
192.84.219.128 192.84.219.129 192.84.218.130
àlbg[N (GOOD)
7.2. ÚI
pPbgtB^[}V:
SÄÌlbg[NÉ뵀 PING ªÂ\
}Vª_EµÄ¢é©Ç¤©ðméÌÉåÏðɧ¿Ü·B
SÄÌlbg[NÉ뵀 TRACEROUTE ªÂ\
±êàܽA´öªÍÉðɧ¿Ü·B
DNS ÖÌANZXªÂ\
ping Æ DNS ðæèg¢â··é½ßÅ·B
DMZ à:
[T[o
o Olbg[NÖÌ SMTP ªÂ\
o àÆOlbg[N©çÌ SMTP ÌANZvg(ó¯üê)ªÂ\
o àlbg[N©çÌ POP-3 ÌANZvgªÂ\
l[T[o
o Olbg[NÖÌ DNS ÌvªÂ\
o àÆOlbg[NApPbgtB^[}V©çÌ DNS ÌANZ
vgªÂ\
EFuT[o
o àÆOlbg[N©çÌ HTTP ÌANZvgªÂ\
o àlbg[N©çÌ Rsync ÉæéANZXªÂ\
àlbg[N:
Olbg[NÖÌ WWW, ftp ,traceroute, ssh ð·é
±êçÍAÂÌÎÛƵÄÍ©ÈèWIȱÆÅ·Bàlbg
[NãÌ}VÉεÄÙÚSÄð·é±Æ©çnßÜ·ªA±±
ÅͧÀð©¯Ä¢Ü·B
[T[oÖÌ SMTP ð·é
RA[ÍOÖMÅ«éæ¤Éµ½¢Å·B
[T[oÖÌ POP-3 ð·é
[ðÇÞû@Å·B
l[T[oÖÌ DNS ð·é
WWW Æ ftp, traceroute, ssh ðp·éÛÉAOl[Ìõð·
éÌÉKvÅ·B
EFuT[oÖÌ rsync ð·é
Oü¯EFuT[oÆàEFuT[oð¯ú³¹éû@Å·B
EFuT[oÖÌ WWW ð·é
RAOü¯EFuT[oÖڱūé׫ŷB
pPbgtB^[}VÖÌ ping ð·é
±êÍAêÊIÉLeF³êÄ¢é±ÆÅ·BÂÜèt@CAEH[
}Vª_EµÄ¢é©Ç¤©ðAmFÅ«éæ¤É·é½ßÅ
·(»êÅOTCgªóêÄ¢½êÍAñï³êܹñÌÅ)B
7.3. pPbgtB^Oðs¤OÉ
o IP UÛì (Anti-spoofing)
¢©ÈéñÎÌÌ[eBOàÁĢȢÌÅASÄÌC^[tF
[XÉ뵀 IP UÛìðPÉIÅ«Ü·B
# for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $f; done
#
o tB^OÌ[ƵÄSÄðÛÉ·é
¡ÜÅÊè[JÌ[vobNgtBbN͵ܷªA»êÈ
OÌSÄð۵ܷB
# ipchains -A input -i ! lo -j DENY
# ipchains -A output -i ! lo -j DENY
# ipchains -A forward -j DENY
#
o C^[tF[XÌZbgAbv
C^[tF[XÌZbgAbvÍAåïu[gÌXNvgÅÀs³
êÜ·BtB^OÌ[ªKp³êéOÉpPbgªRê¾·±
Æðh®×ÉAC^[tF[XªÝè³êéOÉãLÌXebvªÀs
³êÄ¢é±ÆðmFµÄº³¢B
o vgRÊÉ}XJ[hW
[ðgÝÞ
FTP ðp·éÛÉÍA}XJ[hW
[ðgÝÞKvª èÜ
·B»¤·é±ÆÅAàlbg[N©çÌANeBuÆpbVu FTP
ª `¿áñÆ®ìµÜ·'B
# insmod ip_masq_ftp
#
7.4. pPbgðÊß³¹é½ßÌpPbgtB^O
}XJ[hðgpµÄAforward `FCÅtB^[ð©¯é±ÆÍÅÇ
Ìû@Å·B
forward `FCð\[X^ Äæ C^[tF[XÉí¹ÄlXÈ[
Uè``FCɪµÄº³¢BÂÜèAâèð浢ⷢPÊɪð·
éÌÅ·B
ipchains -N good-dmz
ipchains -N bad-dmz
ipchains -N good-bad
ipchains -N dmz-good
ipchains -N dmz-bad
ipchains -N bad-good
ICMP ÌWG[ðANZvg·é±ÆÍA¤ÊÌàeÅ·Bµ½ªÁÄA
»Ì½ßÌ`FCðìèÜ·B
ipchains -N icmp-acc
7.4.1. forward `FC©çWv³¹é
cOȱÆÉA(forward `FCÅÍ)oÍC^[tF[Xµ©ª©èܹ
ñBµ½ªÁÄApPbgªÇÌC^[tF[X©çüÁÄé©ð©²
½ßÉA\[XAhXðgpµÜ·(UÛìªAhXÌÈè·Üµðh
¢Å¢éÌÅåävÅ·)B
±êçÌ¢¸êÉà}b`µÈ¢pPbg(¾ç©ÉA»Ìæ¤È±ÆÍN±
çȢ͸ŷª)ÍSÄOðæé±ÆÉӵĺ³¢B
ipchains -A forward -s 192.168.1.0/24 -i eth0 -j good-dmz
ipchains -A forward -s 192.168.1.0/24 -i ppp0 -j good-bad
ipchains -A forward -s 192.84.219.0/24 -i ppp0 -j dmz-bad
ipchains -A forward -s 192.84.219.0/24 -i eth1 -j dmz-good
ipchains -A forward -i eth0 -j bad-dmz
ipchains -A forward -i eth1 -j bad-good
ipchains -A forward -j DENY -l
7.4.2. icmp-acc `FCðè`·é
pPbgª(ȺÌ)G[ ICMP Ì¢¸ê©ÈçANZvg³êÜ·B³àÈ
¯êÎA}b`µÈ©Á½pPbgÉηé§äÍ icmp-acc `FC©ç²
¯ÄAÄoµ³Ì`FCÉß³êé±ÆÉÈèÜ·B
ipchains -A icmp-acc -p icmp --icmp-type destination-unreachable -j ACCEPT
ipchains -A icmp-acc -p icmp --icmp-type source-quench -j ACCEPT
ipchains -A icmp-acc -p icmp --icmp-type time-exceeded -j ACCEPT
ipchains -A icmp-acc -p icmp --icmp-type parameter-problem -j ACCEPT
7.4.3. GOOD (àlbg[N) ©ç DMZ (T[olbg[N)
àlbg[NÉηé§À :
o Olbg[NÖÌ WWW, ftp, traceroute, ssh ð·é
o [T[oÖÌ SMTP ð·é
o [T[oÖÌ POP-3 ð·é
o l[T[oÖÌ DNS ð·é
o EFuT[oÖÌ rsync ð·é
o EFuT[oÖÌ WWW ð·é
o pPbgtB^[}VÖÌ ping ð·é
àlbg[N©ç DMZ ÌÛÉ}XJ[hÍÅ«Ü·ªA±±ÅÍs¢
ܹñBàlbg[NãÌÇÌ}Và«ÓÌ é±ÆðµÈ¢Í¸ÈÌ
ÅAÛ³êéSÄÌpPbgÌOðæèÜ·B
Debian Ìâo[WÅÍA/etc/services ãÌ `pop3' ð`pop-3' ÆÄ
ÔÌÅӵĺ³¢B±Ì±ÆÍ RFC1700 ÆêvµÄ¢Ü¹ñB
ipchains -A good-dmz -p tcp -d 192.84.219.128 smtp -j ACCEPT
ipchains -A good-dmz -p tcp -d 192.84.219.128 pop3 -j ACCEPT
ipchains -A good-dmz -p udp -d 192.84.219.129 domain -j ACCEPT
ipchains -A good-dmz -p tcp -d 192.84.219.129 domain -j ACCEPT
ipchains -A good-dmz -p tcp -d 192.84.218.130 www -j ACCEPT
ipchains -A good-dmz -p tcp -d 192.84.218.130 rsync -j ACCEPT
ipchains -A good-dmz -p icmp -j icmp-acc
ipchains -A good-dmz -j DENY -l
7.4.4. BAD (Olbg[N)©ç DMZ (T[olbg[N)
o DMZ Éηé§À:
o [T[o
o Olbg[NÖÌ SMTP ªÂ\
o àÆOlbg[N©çÌ SMTP ÌANZvgªÂ\
o àlbg[N©çÌ POP-3 ÌANZvgªÂ\
o l[T[o
o Olbg[NÖÌ DNS ÌvªÂ\
o àÆOlbg[NApPbgtB^[}V©çÌ DNS Ì
ANZvgªÂ\
o EFuT[o
o àÆOlbg[N©çÌ HTTP ÌANZvgªÂ\
o àlbg[N©çÌ Rsync ÌANZvgªÂ\
o Olbg[N©ç DMZ Ö·é±Æ
o NQs×É¢ÄÍAOÍÆ縻ÌÜÜÉ·é
ipchains -A bad-dmz -p tcp -d 192.84.219.128 smtp -j ACCEPT
ipchains -A bad-dmz -p udp -d 192.84.219.129 domain -j ACCEPT
ipchains -A bad-dmz -p tcp -d 192.84.219.129 domain -j ACCEPT
ipchains -A bad-dmz -p tcp -d 192.84.218.130 www -j ACCEPT
ipchains -A bad-dmz -p icmp -j icmp-acc
ipchains -A bad-dmz -j DENY
7.4.5. GOOD (àlbg[N)©ç BAD (Olbg[N)
o àlbg[NÉηé§À:
o Olbg[NÖÌ WWW, ftp ,traceroute, ssh ð·é
o [T[oÖÌ SMTP ð·é
o [T[oÖÌ POP-3 ð·é
o l[T[oÖÌ DNS ð·é
o EFuT[oÖÌ rsync ð·é
o EFuT[oÖÌ WWW ð·é
o pPbgtB^[}VÖÌ ping ð·é
o êÊÉAàlbg[N©çOlbg[NÉεÄÍASÄðÂ
µA»ê©ç§ÀðÁ¦Ü·BäXÍAt@VXgÈÌÅ·B
o NQs×ÌOðæé
o pbVu FTP ÍA}XJ[hW
[Å·é
o UDP Ì Äæ|[g 33434 È~ Í traceroute Ågp³êé
ipchains -A good-bad -p tcp --dport www -j MASQ
ipchains -A good-bad -p tcp --dport ssh -j MASQ
ipchains -A good-bad -p udp --dport 33434:33500 -j MASQ
ipchains -A good-bad -p tcp --dport ftp -j MASQ
ipchains -A good-bad -p icmp --icmp-type ping -j MASQ
ipchains -A good-bad -j REJECT -l
7.4.6. DMZ ©ç GOOD (àlbg[N)
o àlbg[NÉηé§À:
o Olbg[NÖÌ WWW, ftp ,traceroute, ssh ð·é
o [T[oÖÌ SMTP ð·é
o [T[oÖÌ POP-3 ð·é
o l[T[oÖÌ DNS ð·é
o EFuT[oÖÌ rsync ð·é
o EFuT[oÖÌ WWW ð·é
o pPbgtB^[}VÖÌ ping ð·é
o àlbg[N©ç DMZ ÌÛÉ}XJ[h·éêAPÉ»êÈOÌ
pPbgð۵ĺ³¢BÀÌƱëAPÉRlNVªm§³ê½
êÌpPbgÌÝ·龯ŷB
ipchains -A dmz-good -p tcp ! -y -s 192.84.219.128 smtp -j ACCEPT
ipchains -A dmz-good -p udp -s 192.84.219.129 domain -j ACCEPT
ipchains -A dmz-good -p tcp ! -y -s 192.84.219.129 domain -j ACCEPT
ipchains -A dmz-good -p tcp ! -y -s 192.84.218.130 www -j ACCEPT
ipchains -A dmz-good -p tcp ! -y -s 192.84.218.130 rsync -j ACCEPT
ipchains -A dmz-good -p icmp -j icmp-acc
ipchains -A dmz-good -j DENY -l
7.4.7. DMZ ©ç BAD (Olbg[N)
o DMZ Éηé§À:
o [T[o
o Olbg[NÖÌ SMTP ªÂ\
o àÆOlbg[N©çÌ SMTP ÌANZvgªÂ\
o Olbg[N©çÌ POP-3 ÌANZvgªÂ\
o l[T[o
o Olbg[NÖÌ DNS ÌMªÂ\
o àÆOlbg[NApPbgtB^[}V©çÌ DNS Ì
ANZvgªÂ\
o EFuT[o
o àÆOlbg[N©çÌ HTTP ÌANZvgªÂ\
o àlbg[N©çÌ Rsync ÌANZvgªÂ\
o
ipchains -A dmz-bad -p tcp -s 192.84.219.128 smtp -j ACCEPT
ipchains -A dmz-bad -p udp -s 192.84.219.129 domain -j ACCEPT
ipchains -A dmz-bad -p tcp -s 192.84.219.129 domain -j ACCEPT
ipchains -A dmz-bad -p tcp ! -y -s 192.84.218.130 www -j ACCEPT
ipchains -A dmz-bad -p icmp -j icmp-acc
ipchains -A dmz-bad -j DENY -l
7.4.8. BAD (Olbg[N)©ç GOOD (àlbg[N)
o Olbg[N©çàlbg[NÖüÁÄéàÌSÄ(}XJ[
h³êĢȢàÌ)ðµܹñB
ipchains -A bad-good -j REJECT
7.4.9. Linux }V©gÉηépPbgtB^O
o pPbgtB^[}V©gÉüÁÄépPbbgÉàApPbg
tB^Oðs¢½¢ÈçAinput `FCÅpPbgtB^
Oðs¤Kvª èÜ·B ÄæC^[tF[XÉAêÂ`FCð
ìèÜ·B
ipchains -N bad-if
ipchains -N dmz-if
ipchains -N good-if
o ìÁ½`FCÉWv³¹Ü·B
ipchains -A input -d 192.84.219.1 -j bad-if
ipchains -A input -d 192.84.219.250 -j dmz-if
ipchains -A input -d 192.168.1.250 -j good-if
7.4.9.1. BAD (Olbg[N) C^[tF[X
o pPbgtB^[}V:
o SÄÌlbg[NÉ뵀 PING ªÂ\
o SÄÌlbg[NÉ뵀 TRACEROUTE ªÂ\
o DNS ÖÌANZXªÂ\
o ܽOlbg[NpÌC^[tF[XÍA}XJ[h³ê½p
Pbg(}XJ[hÍA\[X|[gÆµÄ 61000 ©ç 65095 ðgpµ
Ü·)ÖÌvCÆ ICMP G[APING ÌvCàó¯üêÜ·B
ipchains -A bad-if -i ! ppp0 -j DENY -l
ipchains -A bad-if -p TCP --dport 61000:65095 -j ACCEPT
ipchains -A bad-if -p UDP --dport 61000:65095 -j ACCEPT
ipchains -A bad-if -p ICMP --icmp-type pong -j ACCEPT
ipchains -A bad-if -j icmp-acc
ipchains -A bad-if -j DENY
7.4.9.2. DMZ C^tF[X
o pPbgtB^[}VÉηé§À:
o SÄÌlbg[NÉ뵀 PING ªÂ\
o SÄÌlbg[NÉ뵀 TRACEROUTE ªÂ\
o DNS ÖÌANZXªÂ\
o DMZ C^[tF[XÍADNS ©çÌvCÆ ping ÌvCAG
[ ICMP ðó¯üêÜ·B
ipchains -A dmz-if -i ! eth0 -j DENY
ipchains -A dmz-if -p TCP ! -y -s 192.84.219.129 53 -j ACCEPT
ipchains -A dmz-if -p UDP -s 192.84.219.129 53 -j ACCEPT
ipchains -A dmz-if -p ICMP --icmp-type pong -j ACCEPT
ipchains -A dmz-if -j icmp-acc
ipchains -A dmz-if -j DENY -l
7.4.9.3. GOOD (àlbg[N)C^[tF[X
o pPbgtB^[}VÉηé§À:
o SÄÌlbg[NÉ뵀 PING ªÂ\
o SÄÌlbg[NÉ뵀 TRACEROUTE ªÂ\
o DNS ÖÌANZXªÂ\
o àlbg[NÉηé§À:
o Olbg[NÖÌ WWW, ftp ,traceroute, ssh ð·é
o [T[oÖÌ SMTP ð·é
o [T[oÖÌ POP-3 ð·é
o l[T[oÖÌ DNS ð·é
o EFuT[oÖÌ rsync ð·é
o EFuT[oÖÌ WWW ð·é
o pPbgtB^[}VÖÌ ping ð·é
o àlbg[NC^[tF[XÍAping Æ ping ÌvCAG[
ICMP ðó¯üêÜ·B
ipchains -A good-if -i ! eth1 -j DENY
ipchains -A good-if -p ICMP --icmp-type ping -j ACCEPT
ipchains -A good-if -p ICMP --icmp-type pong -j ACCEPT
ipchains -A good-if -j icmp-acc
ipchains -A good-if -j DENY -l
7.5. ÅãÉ
o ubLOÌ[ðíµÜ·B
ipchains -D input 1
ipchains -D forward 1
ipchains -D output 1
8. t^: ipchains Æ ipfwadm ÆÌá¢
±êçÌÏXÌô©ÍJ[lÌÏXÌÊÅ èAܽô©Í
ipchains Æ ipfwadm ÆÌá¢ÌÊÅ·B
1. ½ÌøÍÄzu³êܵ½: »ÝAå¶ÍR}hð¦µA¬¶
ÍIvVð¦µÜ·B
2. CÓÌ`FCªT|[g³êܵ½ÌÅAgÝÝ`FCà¯lÉt
OÅÍÈtl[ÅLÚ·éKvª èÜ·B (á. `-I' ÅÍÈ
`input' ÆLڵܷ).
3. `-k' IvVÍÈÈèܵ½B `! -y' ðgÁĺ³¢B
4. `-b' IvVÍAPêÌ `oûü' [Æ¢¤æèàAÞµëÀÛÉ
Í2ÂÌ[ÉεÄ}ü/ÇÁ/íðs¢Ü·B
5. `-b' IvVÍ 2ÂÌ`FbNðs¤½ßÉA `-C' IvVÉij
ø»³êÜ·B(eXÌûüÌ1Â)
6. `-l' Éηé `-x' IvVÍ `-v' ÉÏX³êܵ½B
7. à¤A¡ÌM¤ÆóM¤Ì|[gÍT|[g³êܹñB]ܵ
ÍA|[gðÛèÅ«é±ÆÅA½Í»ÌÚIðâ¤Åµå¤B
8. C^[tF[XÍ(AhXÅÈ)¼OÉæÁÄÌÝwèÅ«Ü·B
ÜAÇÌÝ¿AÈOÌÓ¡t¯Í 2.1 J[lV[YÅéÉÏX³
ê½±ÆÅ·µB
9. pPbgÌfл͸³êÜ·ÌÅA©®IÉÍfÊèµÜ¹ñB
10.
¾¦IÈv`FCÍp~³êܵ½B
11.
IPãÌCÓÌvgRªeXgÅ«Ü·B
12.
SYN Æ ACK Ìg¹ÉηéÈOÌU¢ (ÈOÍñ TCP pPbgͳ
µÄ¢Üµ½) ÍÏX³êܵ½; SYN IvVÍAñ TCP ÆÁÌ
[ÉεÄͳøÅ·B
13.
»ÝA32rbg}VãÌJE^Í 64rbgÅ èA32rbgÅÍ è
ܹñB
14.
»ÝA½]IvVªT|[g³êĢܷB
15.
»ÝA ICMP R[hªT|[g³êĢܷB
16.
»ÝAChJ[hC^[tF[XªT|[g³êĢܷB
17.
»ÝATOS ìͪÊ`FbN³êÜ·: âJ[lR[hÍ `[Å
ȯêÎÈçÈ¢' TOS rbgð(sÉ)ì³êé±ÆÅAéÉ~
ÜÁĵÜÁĢܵ½; »ÝA ipchains Í »Ìæ¤ÈÝÉεÄA
¼ÌsÈêƯlÉG[ðԵܷB
8.1. NBbNt@Xê
[ åÉAR}høÍå¶ÅAIvVøͬ¶Å·B]
ӷ׫ê_ƵÄA }XJ[fBOÍ `-j MASQ' ÆLڵܷ; ±
êÍ `-j ACCEPT' ÆSÙÈèAܽ ipfwadm Ìæ¤ÈIøÊƵÄÍ
æ赢ܹñB
================================================================
| ipfwadm | ipchains | Ó
----------------------------------------------------------------
| -A [both] | -N acct | `acct' `FC𶬵A
| |& -I 1 input -j acct | oÍÆüÍpPbgð»ê
| |& -I 1 output -j acct | ÉÊß³¹Ü·B
| |& acct |
----------------------------------------------------------------
| -A in | input | ^[QbgȵÌ[
----------------------------------------------------------------
| -A out | output | ^[QbgȵÌ[
----------------------------------------------------------------
| -F | forward | [`FC]ƵÄp¢Ü·B
----------------------------------------------------------------
| -I | input | [`FC]ƵÄp¢Ü·B
----------------------------------------------------------------
| -O | output | [`FC]ƵÄp¢Ü·B
----------------------------------------------------------------
| -M -l | -M -L |
----------------------------------------------------------------
| -M -s | -M -S |
----------------------------------------------------------------
| -a policy | -A [chain] -j POLICY | (Åà -r Æ -m à©Äº
| | | ³¢).
----------------------------------------------------------------
| -d policy | -D [chain] -j POLICY | (Åà -r Æ -m à©Äº
| | | ³¢).
----------------------------------------------------------------
| -i policy | -I 1 [chain] -j POLICY| (Åà -r Æ -m à©Äº
| | | ³¢).
----------------------------------------------------------------
| -l | -L |
----------------------------------------------------------------
| -z | -Z |
----------------------------------------------------------------
| -f | -F |
----------------------------------------------------------------
| -p | -P |
----------------------------------------------------------------
| -c | -C |
----------------------------------------------------------------
| -P | -p |
----------------------------------------------------------------
| -S | -s | 1|[gܽÍWÉÎ
| | | µÄÌÝ@\µA¡Å
| | | Í èܹñB
----------------------------------------------------------------
| -D | -d | 1|[gܽÍWÉÎ
| | | µÄÌÝ@\µA¡Å
| | | Í èܹñB
----------------------------------------------------------------
| -V | <none> | -i [¼O] Åp¢Ü·B
----------------------------------------------------------------
| -W | -i |
----------------------------------------------------------------
| -b | -b | »ÝAÀÛÉÍ2[ð
| | | 쬵ܷB
----------------------------------------------------------------
| -e | -v |
----------------------------------------------------------------
| -k | ! -y | -p tcp ƤÉwèµÈ¢
| | | Æ@\µÜ¹ñB
----------------------------------------------------------------
| -m | -j MASQ |
----------------------------------------------------------------
| -n | -n |
----------------------------------------------------------------
| -o | -l |
----------------------------------------------------------------
| -r [redirpt] | -j REDIRECT [redirpt] |
----------------------------------------------------------------
| -t | -t |
----------------------------------------------------------------
| -v | -v |
----------------------------------------------------------------
| -x | -x |
----------------------------------------------------------------
| -y | -y | -p tcp ƤÉwèµÈ¢
| | | Æ@\µÜ¹ñB
----------------------------------------------------------------
8.2. ipfwadm R}hÌÏ·á
R}h: ipfwadm -F -p deny
VR}h: ipchains -P forward DENY
R}h: ipfwadm -F -a m -S 192.168.0.0/24 -D 0.0.0.0/0
VR}h: ipchains -A forward -j MASQ -s 192.168.0.0/24 -d 0.0.0.0/0
R}h: ipfwadm -I -a accept -V 10.1.2.1 -S 10.0.0.0/8 -D
0.0.0.0/0
VR}h: ipchains -A input -j ACCEPT -i eth0 -s 10.0.0.0/8 -d
0.0.0.0/0
(C^[tF[XðAhXÉæÁÄwè·éÌÆÍᤱÆÉӵĺ
³¢: C^[tF[X¼ðp¢Äº³¢B±Ì}VãÅÍA 10.1.2.1 Í
eth0 ɵܷ)B
9. t^: ipfwadm-wrapper XNvgðg¤
ipfwadm-wrapper VFXNvgÍAipfwadm ÆvOCÉÄu·³êé
×É èA ipfwadm 2.3a Æ̺ÊÝ·«ª èÜ·B
BêAǤµÄàÅ«È¢@\Í `-V' IvVÅ·B±êªp¢çê
éÍA[jOªoͳêÜ·B `-W' IvVàgíêéÈçA
`-V' IvVͳ³êÜ·B¼Ì_ÅÍAXNvgÍ ifconfig ðp
¢ÄAC^[tF[X¼ðèÄçêÄ¢éAhX©ç©Â¯æ¤Æµ
Ü·Bൻêɸs·êÎ(á¦ÎC^[tF[Xª_EµÄ¢éê
)AG[bZ[WðºÁÄI¹µÜ·B
±Ì[jOÍ `-V' ð `-W' ÉÏX·é©AXNvgÌWoÍð
/dev/null ÉêÎ}¦çêÜ·B
±ÌXNvgÌ~Xâ ipfwadm ÆÌá_𩵽çA¥ñÆàAoO
|[gðɺ³¢: TuWFNgÉ "BUG-REPORT" Æ¢ÄA
rusty@linuxcare.com ¶É[𺳢B¨è¿Ìâ ipfwadm Ìo[
W (ipfwadm -h) ÆA ipchains Ìo[W (ipchains --version)
ÆA ipfwadm wrapper XNvgÌo[W (ipfwadm-wrapper
--version) ðñµÄº³¢B¯ÉA ipchains-save ÌoÍàÁĺ³
¢BXµ¨è¢µÜ·B
±Ì ipfwadm-wrapper XNvgð ipchains Ƭp·éÛÉÍA©ÈÓC
ÉĨ袵ܷB
10. t^: Ó«
Michael Neuling ɽ̴ÓðµÈ¯êÎÈèܹñBÞÍ̽ßÉÅ
Ì IP `FCÌR[hð¢Äêܵ½BÞÌUgLbV
ÌAC
fBAðÛµ½±ÆÉ¢ÄA±±Éö®ÉÓßvµÜ·BÀÍãÉ Alan
Cox ª¯¶ACfBAðñĵAÔá¢ÉCâ½ÍÇAÀÉÆè©©
é±ÆÉÈÁ½ÌÅ·B
Alan Cox Ì24Ô̧Ì[ÉæéZpT|[gÆãɴӵܷB
ipfw Æ ipfwadm ÌR[hÌìÒSÄɴӵܷBÁÉ Jos VosBl̨
Ìãɧ¿A»µÄSÄcB±êÍ Linus Torvalds ÆJ[lâ[U[ó
ÔÌnbJ[SÄÉÄÍÜèÜ·B
(ó:ul̨ÌãɧÂvÆ¢¤ÌÍAj
[gª¾Á½L¼È¾tÅ
·BªLøÍÌ©Æ¢¤ÆÑ𬵰çê½ÌÍAl (æìÒ) ½
¿Ì¨ÌãɧÁÄ¢½©çÉ·¬È¢AÆBú{là^ÁÂ̪÷Ìü¿Å
·ËB)
OüèÈx[^eX^[ÆoOn^[ɴӵܷAÁÉ Jordan
Mendelson, Shaw Carruthers, Kevin Moule, Dr. Liviu Daia, Helmut Adams,
Franck Sicard, Kevin Littlejohn, Matt Kemner, John D. Hardin, Alexey
Kuznetsov, Leos Bitto, Jim Kunzman, Gerard Gerritsen, Serge Sivkov,
Andrew Burgess, Steve Schmidtke, Richard Offer, Bernhard Weisshuhn,
Larry Auton, Ambrose Li, Pavel Krauz, Steve Chadsey, Francesco
Potorti`, Alain Knaff, Casper Boden-Cummins, »µÄ Henry Hollenberg
ÉB
10.1. |ó
|ó·élÍÓ«y[WÌ`ªÉ|óÒêðfڵĺ³¢Bá¦Î: `
Ìpê©çSÄð³mÉ|óµÄê½XXX³ñɴӵܷB' »µÄA
ª±Ì¶ÉÜßçêélÉA ȽÌ|ó¶ð³¦Äº³¢B
Arnaud Launay, asl@launay.org:
http://www.freenix.fr/unix/linux/HOWTO/IPCHAINS-HOWTO.html
<http://www.freenix.fr/unix/linux/HOWTO/IPCHAINS-HOWTO.html>
Giovanni Bortolozzo, borto@pluto.linux.it:
http://www.pluto.linux.it/ildp/HOWTO/IPCHAINS-HOWTO.html
<http://www.pluto.linux.it/ildp/HOWTO/IPCHAINS-HOWTO.html>
Herman Rodríguez, herman@maristas.dhis.org:
http://netfilter.kernelnotes.org/ipchains/spanish/HOWTO.html
<http://netfilter.kernelnotes.org/ipchains/spanish/HOWTO.html>
JF Project, jf@linux.or.jp: http://www.linux.or.jp/JF/JFdocs/IPCHAINS-
HOWTO.html <http://www.linux.or.jp/JF/JFdocs/IPCHAINS-HOWTO.html>
11. ú{êóÉ¢Ä
ú{êó Å: 2000N 11 21ú
JF Project u`[ ipchainsv |óÒê(h̪A50¹):
o Á¡åT <daisuke@terra.dti.ne.jp> 7Í
o ã¡ë° <magotou@fubyshare.gr.jp> 2,3Í
o JçG <jeanne@mbox.kyoto-inet.or.jp> 5,6Í
o ÞîLº <nagoya@cc.hit-u.ac.jp> 1`4Í
o ¼czê <yoh@coolmail.net> 1,4,8`10ÍyÑÜÆß
±Ì¶ð|ó·éÉ ½èARX_K³ñ <h-yamamo@db3.so-net.ne.jp>
Ì Linux 2.4 Packet Filtering HOWTO ú{êó
<http://www.linux.or.jp/JF/JFdocs/packet-filtering-HOWTO.html> ©ç½
ðøpvµÜµ½BܽAÔ¼O³ñ <akamatsu@kobedenshi.ac.jp> ÌA
LinuxJAPAN ÖÌeLðQlɳ¹Ä¸«Üµ½B
±Ì¶ð|óyÑÒW·éÉ ½èAȺÌûX©çAhoCXð¸«Üµ
½B(50¹)
{É èªÆ¤²´¢Üµ½B
o É¡Sê³ñ <kade@kadesoft.com>
o ÁÎqV³ñ <kto@interlink.or.jp>
o úºzê³ñ <void@merope.pleiades.or.jp>
o Äc®¾³ñ <shibata@luky.org>
o £Ëû³ñ <setzer@mx3.tiki.ne.jp>
o çUTi³ñ <ysenda@pop01.odn.ne.jp>
o äLõ³ñ <takei@webmasters.gr.jp>
o ¼ci³ñ <wnishida@skyfree.org>
o
´¶³ñ <mizuhara@acm.org>
o RX_K³ñ <h-yamamo@db3.so-net.ne.jp>
distrib
>
Mandriva
>
2010.0
>
i586
>
media
>
contrib-release
>
by-pkgid
>
e74e806c1a2640e922856d7eb69d1420
>
files
>
43
