Linux IPCHAINS-HOWTO
Rusty Russell
v1.0.8, Tue Jul 4 14:20:53 EST 2000
Japanese translation: JF Project (jf@linux.or.jp), v1.0.1j, Nov. 21, 2000

This document aims to describe how to obtain, install and configure the enhanced IP firewalling chains software for Linux, and some ideas on how you might use them.

______________________________________________________________________

Table of Contents

1. Introduction
   1.1 What?
   1.2 Why?
   1.3 How?
   1.4 Where?

2. Packet Filtering Basics
   2.1 What?
   2.2 Why?
   2.3 How?
      2.3.1 A Kernel with Packet Filtering
      2.3.2 ipchains
      2.3.3 Making Rules Permanent

3. I'm confused! Routing, masquerading, portforwarding, ipautofw...
   3.1 Rusty's Three-Line Guide To Masquerading
   3.2 Gratuitous Promotion: WatchGuard Rules
   3.3 Common Firewall-like Setups
      3.3.1 Private Network: Traditional Proxies
      3.3.2 Private Network: Transparent Proxies
      3.3.3 Private Network: Masquerading
      3.3.4 Public Network
      3.3.5 Limited Internal Services
   3.4 More Information on Masquerading

4. IP Firewalling Chains
   4.1 How Packets Traverse The Filters
      4.1.1 Using ipchains
      4.1.2 What You'll See When Your Computer Starts Up
      4.1.3 Operations on a Single Rule
      4.1.4 Filtering Specifications
         4.1.4.1 Specifying Source and Destination IP Addresses
         4.1.4.2 Specifying Inversion
         4.1.4.3 Specifying Protocol
            4.1.4.3.1 Specifying UDP and TCP Ports
            4.1.4.3.2 Specifying ICMP Type and Code
         4.1.4.4 Specifying an Interface
         4.1.4.5 Specifying TCP SYN Packets Only
         4.1.4.6 Handling Fragments
      4.1.5 Filtering Side Effects
         4.1.5.1 Specifying a Target
         4.1.5.2 Logging Packets
         4.1.5.3 Manipulating the Type Of Service
         4.1.5.4 Marking a Packet
         4.1.5.5 Operations on an Entire Chain
         4.1.5.6 Creating a New Chain
         4.1.5.7 Deleting a Chain
         4.1.5.8 Flushing a Chain
         4.1.5.9 Listing a Chain
         4.1.5.10 Resetting (Zeroing) Counters
         4.1.5.11 Setting Policy
      4.1.6 Operations on Masquerading
      4.1.7 Checking a Packet
      4.1.8 Multiple Rules at Once and Watching What Happens
   4.2 Useful Examples
      4.2.1 Using ipchains-save
      4.2.2 Using ipchains-restore

5. Miscellaneous
   5.1 How to Organise Your Firewall Rules
   5.2 What Not To Filter Out
      5.2.1 ICMP packets
      5.2.2 TCP Connections to DNS (nameservers)
      5.2.3 FTP Nightmares
   5.3 Filtering out Ping of Death
   5.4 Filtering out Teardrop and Bonk
   5.5 Filtering out Fragment Bombs
   5.6 Changing Firewall Rules
   5.7 How Do I Set Up IP Spoof Protection?
   5.8 Advanced Projects
      5.8.1 SPF: Stateful Packet Filtering
      5.8.2 Michael Hasenstein's ftp-data hack
   5.9 Future Enhancements

6. Common Problems
   6.1 ipchains -L Freezes!
   6.2 Inversion doesn't work!
   6.3 Masquerading/Forwarding Doesn't Work!
   6.4 -j REDIR doesn't work!
   6.5 Wildcard Interfaces Don't Work!
   6.6 TOS (Type of Service) Doesn't Work!
   6.7 ipautofw and ipportfw Don't Work!
   6.8 xosview is Broken!
   6.9 Segmentation Fault With `-j REDIRECT'!
   6.10 I Can't Set Masquerading Timeouts!
   6.11 I Want to Firewall IPX!

7. A Serious Example
   7.1 The Arrangement
   7.2 Goals
   7.3 Before Packet Filtering
   7.4 Packet Filtering for Through Packets
      7.4.1 Set Up Jumps From forward Chain
      7.4.2 Define the icmp-acc Chain
      7.4.3 GOOD (internal network) to DMZ (server network)
      7.4.4 BAD (external network) to DMZ (server network)
      7.4.5 GOOD (internal network) to BAD (external network)
      7.4.6 DMZ to GOOD (internal network)
      7.4.7 DMZ to BAD (external network)
      7.4.8 BAD (external network) to GOOD (internal network)
      7.4.9 Packet Filtering for the Linux Box Itself
         7.4.9.1 BAD (external network) interface
         7.4.9.2 DMZ interface
         7.4.9.3 GOOD (internal network) interface
   7.5 Finally

8. Appendix: Differences between ipchains and ipfwadm
   8.1 Quick-Reference table
   8.2 Examples of translated ipfwadm commands

9. Appendix: Using the ipfwadm-wrapper script

10. Appendix: Thanks
   10.1 Translations

11. About the Japanese translation

______________________________________________________________________

1. Introduction

This is the Linux IPCHAINS-HOWTO; see ``Where?'' for the master site, which contains the latest copy. You should also read the Linux NET-3-HOWTO. The IP-Masquerading HOWTO, the PPP-HOWTO, the Ethernet-HOWTO and the Firewall HOWTO might make interesting reading. (Then again, so might the alt.fan.bigfoot FAQ.) (Translator's note: alt.fan.bigfoot FAQ <- a joke newsgroup, presumably.)

If packet filtering is old hat to you, read the ``Why?'' section, the ``How?'' section, and scan the titles in the ``IP Firewalling Chains'' section.

If you are converting from ipfwadm, read the ``Introduction'', the ``How?'' section, and the appendices ``Differences between ipchains and ipfwadm'' and ``Using the `ipfwadm-wrapper' script''.

1.1. What?

Linux ipchains is a rewrite of the Linux IPv4 firewalling code (which was mainly stolen from BSD) and a rewrite of ipfwadm, which was a rewrite of BSD's ipfw, I believe. It is required to administer the IP packet filters in Linux kernel versions 2.1.102 and above.

1.2. Why?

The older Linux firewalling code doesn't deal with fragments, has 32-bit counters (on Intel at least), doesn't allow specification of protocols other than TCP, UDP or ICMP, can't make large changes atomically, can't specify inverse rules, has some quirks, and can be tough to manage (making it prone to user error).

(Translator's note: the word ``atomically'' used here is, I think, also the reason behind the name of the ipchains command. You can define several rules in a user-defined chain in advance, then add that chain to an existing chain, or replace an existing chain with the newly defined one, and so change the behaviour of the firewall in a single instant.)

1.3. How?

Currently the code is in the mainline kernel from 2.1.102. For the 2.0 kernel series, you will need to download a kernel patch from the web page. If your 2.0 kernel is more recent than the patch supplied, the older patch should be OK; this part of the 2.0 kernels is fairly stable (eg. the 2.0.34 kernel patch works just fine on the 2.0.35 kernel). Since the 2.0 patch is incompatible with the ipportfw and ipautofw patches, I don't recommend applying it unless you really need some of the functionality that ipchains offers.

1.4. Where?
The official page is in three places:

   Thanks to Penguin Computing: <http://netfilter.filewatcher.org/ipchains>
   Thanks to the SAMBA Team: <http://www.samba.org/netfilter/ipchains>
   Thanks to Jim Pick: <http://netfilter.kernelnotes.org/ipchains>

There is a mailing list for bug reports, discussion, development and usage. Join the mailing list by sending a message containing the words ``subscribe ipchains-list'' to east.balius.com. To mail to everyone on the list, use ipchains-list at east.balius.com.

2. Packet Filtering Basics

2.1. What?

All traffic through a network is sent in the form of packets. For example, downloading this package (say it's 50K long) might cause you to receive 36 or so packets of 1460 bytes each (in practice the number and size vary from time to time). (Translator's note: this document now exceeds 100KB :))

The start of each packet says where it's going, where it came from, the type of the packet, and other administrative details. This start of the packet is called the header. The rest of the packet, containing the actual data being transmitted, is usually called the body.

Some protocols, such as TCP, which is used for web traffic, mail, and remote logins, use the concept of a `connection': before any packets with actual data are sent, various setup packets (with special headers) are exchanged saying `I want to connect', `OK' and `Thanks'. Then normal packets are exchanged.

A packet filter is a piece of software which looks at the header of packets as they pass through, and decides the fate of the entire packet. It might decide to deny the packet (ie. discard the packet as if it had never received it), accept the packet (ie. let the packet go through), or reject the packet (like deny, but tell the source of the packet that it has done so).

Under Linux, packet filtering is built into the kernel, and there are a few trickier things we can do with packets, but the general principle of looking at the headers and deciding the fate of the packet is still there.

2.2. Why?
Control. Security. Watchfulness.

Control:
   When you are using a Linux box to connect your internal network to another network (say, the Internet) you have an opportunity to allow certain types of traffic, and disallow others. For example, the header of a packet contains the destination address of the packet, so you can prevent packets going to a certain part of the outside network. As another example, I use Netscape to access the Dilbert archives (Translator's note: Dilbert is a comic strip whose hero is an engineer). There are advertisements from doubleclick.net on the page, and Netscape wastes my time by cheerfully downloading them. Telling the packet filter not to allow any packets to or from the addresses owned by doubleclick.net solves that problem (there are better ways of doing this though: see Junkbuster (Translator's note: <http://internet.junkbuster.com>)).

Security:
   When your Linux box is the only thing between the chaos of the Internet and your nice, orderly network, it's nice to know you can restrict what comes tromping in your door. For example, you might allow anything to go out from your network, but you might be worried about the well-known `Ping of Death' coming in from malicious outsiders. As another example, you might not want outsiders telnetting to your Linux box, even though all the accounts have passwords; maybe you want (like most people) to be an observer on the Internet, and not a server (willing or otherwise). Simply don't let anyone connect in, by having the packet filter reject incoming packets used to set up connections.

   (Translator's note: ``Ping of Death'' is an attack that sends abnormally large ICMP packets and the like to a networked computer, causing a system crash or a halt of service.)

Watchfulness:
   Sometimes a badly configured machine on the local network will decide to spew packets to the outside world. It's nice to tell the packet filter to let you know if anything abnormal occurs; maybe you can do something about it, or maybe you're just curious by nature.

2.3. How?

2.3.1.
A Kernel with Packet Filtering

You need a kernel which has the new IP firewall chains in it. You can tell if the kernel you are running right now has this installed by looking for the file `/proc/net/ip_fwchains'. If it exists, you are in.

(Translator's note: if you are using a 2.2.x or later kernel, it is almost certainly already built in.)

If not, you need to make a kernel that has IP firewall chains. First, download the source to the kernel you want. If you have a kernel version 2.1.102 or later, you won't need to patch it (it's in the mainstream kernel now). Otherwise, apply the patch from the web page listed above, and set the configuration as detailed below. If you don't know how to do this, don't panic: read the Kernel-HOWTO.

(Translator's note: the Japanese translation of the Kernel-HOWTO is at <http://www.linux.or.jp/JF/JFdocs/Kernel-HOWTO.html>.)

The configuration options you need to set for a 2.0-series kernel are:

______________________________________________________________________
   CONFIG_EXPERIMENTAL=y
   CONFIG_FIREWALL=y
   CONFIG_IP_FIREWALL=y
   CONFIG_IP_FIREWALL_CHAINS=y
______________________________________________________________________

For 2.1 or 2.2-series kernels:

______________________________________________________________________
   CONFIG_FIREWALL=y
   CONFIG_IP_FIREWALL=y
______________________________________________________________________

The tool ipchains talks to the kernel and tells it what packets to filter. Unless you are a programmer, or overly curious, this is how you will control the packet filtering.

2.3.2. ipchains

The ipchains tool inserts and deletes rules from the kernel's packet filtering section. This means that whatever you set up, it will be lost upon reboot; see ``Making Rules Permanent'' below for how to make sure they are restored the next time Linux is booted.

ipchains replaces ipfwadm, which was used for the old IP Firewall code. There is a set of useful scripts available from the ipchains site:

   http://netfilter.filewatcher.org/ipchains/ipchains-scripts-1.1.2.tar.gz
   <http://netfilter.filewatcher.org/ipchains/ipchains-scripts-1.1.2.tar.gz>

This contains a shell script called ipfwadm-wrapper which allows you to do packet filtering as it was done before. You probably shouldn't use this script unless you want a quick way of upgrading a system which uses ipfwadm (it's slower than ipchains, and doesn't check arguments, etc). In that case, you don't need this HOWTO much either.

See the appendices ``Differences between ipchains and ipfwadm'' and ``Using the `ipfwadm-wrapper' script'' for more details on ipfwadm issues.

2.3.3.
Making Rules Permanent

Your current firewall setup is stored in the kernel, and thus will be lost on reboot. I recommend using the `ipchains-save' and `ipchains-restore' scripts to make your rules permanent. To do this, set up your rules, then run (as root):

   # ipchains-save > /etc/ipchains.rules
   #

Create a script like the following:

   #! /bin/sh
   # Script to control packet filtering.

   # If there are no saved rules, do nothing.
   [ -f /etc/ipchains.rules ] || exit 0

   case "$1" in
   start)
           echo -n "Turning on packet filtering:"
           /sbin/ipchains-restore < /etc/ipchains.rules || exit 1
           # Only enable forwarding once the rules are in place.
           echo 1 > /proc/sys/net/ipv4/ip_forward
           echo "."
           ;;
   stop)
           echo -n "Turning off packet filtering:"
           # Stop forwarding before the rules are removed.
           echo 0 > /proc/sys/net/ipv4/ip_forward
           /sbin/ipchains -F
           /sbin/ipchains -X
           /sbin/ipchains -P input ACCEPT
           /sbin/ipchains -P output ACCEPT
           /sbin/ipchains -P forward ACCEPT
           echo "."
           ;;
   *)
           echo "Usage: /etc/init.d/packetfilter {start|stop}"
           exit 1
           ;;
   esac

   exit 0

Make sure this is run early in the bootup procedure. In my case (Debian 2.1), I make a symbolic link called `S39packetfilter' in the `/etc/rcS.d' directory (this will be run before S40network).

(Translator's note: ``early'' here means before the network is brought into a state where communication is possible at boot. If the firewall is configured after the other network services have started, there is a brief window during which it is not fully configured, and a ``bad guy'' could get in.)

3. I'm confused! Routing, masquerading, portforwarding, ipautofw...

This HOWTO is about packet filtering. This means deciding whether a packet should be allowed to pass. However, Linux being the hacker's playground that it is, you probably want to do more than that.

One problem is that the same tool (``ipchains'') is used to control both masquerading and transparent proxying, although these are notionally separate from packet filtering (the current Linux implementation blurs these unnaturally, leaving the impression that they are closely related).

(Translator's note: in the 2.4.x kernels these functions have been separated further. Users of those kernels should also see the Linux 2.4 NAT HOWTO <http://netfilter.kernelnotes.org/unreliable-guides/NAT-HOWTO.html>; there is also a Japanese translation by the JF Project <http://www.linux.or.jp/JF/JFdocs/NAT-HOWTO.html>.)

Masquerading and proxying are covered by separate HOWTOs, and the auto forwarding and port forwarding features are controlled by separate tools, but since so many people keep asking me about it, I'll include a set of common scenarios and when each should be applied. The security merits of each particular setup will not be discussed here.

3.1.
Rusty's Three-Line Guide To Masquerading

This assumes that your external interface is called `ppp0'. Use ifconfig to find out, and adjust to taste.

   # ipchains -P forward DENY
   # ipchains -A forward -i ppp0 -j MASQ
   # echo 1 > /proc/sys/net/ipv4/ip_forward

3.2. Gratuitous Promotion: WatchGuard Rules

You can simply buy off-the-shelf firewalls. An excellent one is WatchGuard's FireBox. It's excellent because I like it, it's secure, it's Linux-based, and because they fund the maintenance of ipchains as well as the new firewalling code (aimed for 2.4). In short, WatchGuard are paying for me to eat while I work for you. So please consider their stuff.

   http://www.watchguard.com <http://www.watchguard.com>

(Translator's note: WatchGuard's Japanese sales office can also be reached from this page.)

3.3. Common Firewall-like Setups

You run littlecorp.com. You have an internal network, and a single dialup (PPP) connection to the Internet (firewall.littlecorp.com, which is 1.2.3.4). You run Ethernet on your local network, and your personal machine is called ``myhost''.

This section will illustrate the different arrangements which are common. Read carefully, because they are each subtly different.

3.3.1. Private Network: Traditional Proxies

In this scenario, packets from the private network never traverse the Internet, and vice versa. The IP addresses of the private network should be assigned from the RFC1918 Address Allocation for Private Internets (ie. 10.*.*.*, 172.16.*.*-172.31.*.* or 192.168.*.*).

The only way things ever connect to the Internet is by connecting to the firewall, which is the only machine on both networks (Translator's note: the Internet and the local network) which connects onwards. You run a program (on the firewall) called a proxy to do this (there are proxies for FTP, web access, telnet, RealAudio, Usenet News and other services). See the Firewall HOWTO.

(Translator's note: the original Firewall HOWTO is at <http://www.linuxdoc.org/HOWTO/Firewall-HOWTO.html>. The JF Project's Japanese translation is still in progress.)

Any services you wish the Internet to access must be on the firewall (but see ``Limited Internal Services'' below).

Example: Allowing web access from the private network to the Internet.

   1. The private network is assigned 192.168.1.* addresses, with myhost being 192.168.1.100, and the firewall's Ethernet interface being assigned 192.168.1.1.

   2. A web proxy (eg. ``squid'') is installed and configured on the firewall, running on port 8080, say.

   3. Netscape on the private network is configured to use the firewall port 8080 as a proxy.

   4. DNS does not need to be configured on the private network.

   5. DNS does need to be configured on the firewall.

   6. No default route (aka gateway) needs to be configured on the private network.

Netscape on myhost reads http://slashdot.org.

   1.
Netscape connects to the firewall port 8080, using port 1050 on myhost. It asks the firewall for the web page of ``http://slashdot.org''.

   2. The proxy looks up the name ``slashdot.org'', and gets 207.218.152.131. It then opens a connection to that IP address, using port 1025 on the firewall's external interface (Translator's note: ppp0 or similar), and asks the web server (port 80) for the web page.

   3. As it receives the web page from its connection to the web server, it copies the data to the connection from Netscape.

   4. Netscape renders the page.

ie. From slashdot.org's point of view, the connection is made from 1.2.3.4 (the firewall's PPP interface) port 1025 to 207.218.152.131 (slashdot.org) port 80. From myhost's point of view, the connection is made from 192.168.1.100 (myhost) port 1050 to 192.168.1.1 (the firewall's Ethernet interface) port 8080.

3.3.2. Private Network: Transparent Proxies

In this scenario, packets from the private network never traverse the Internet, and vice versa. The IP addresses of the private network should be assigned from the RFC1918 Address Allocation for Private Internets (ie. 10.*.*.*, 172.16.*.*-172.31.*.* or 192.168.*.*).

The only way things ever connect to the Internet is by connecting to the firewall, which is the only machine on both networks (Translator's note: the Internet and the local network) which connects onwards. You run a program (on the firewall) called a ``transparent proxy'' to do this; the kernel sends outgoing packets to the transparent proxy instead of sending them onwards (ie. it bends the truth about its routing).

Transparent proxying means that the clients don't need to know there is a proxy.

Any services you wish the Internet to access must be on the firewall (but see ``Limited Internal Services'' below).

Example: Allowing web access from the private network to the Internet.

   1. The private network is assigned 192.168.1.* addresses, with myhost being 192.168.1.100, and the firewall's Ethernet interface being assigned 192.168.1.1.

   2. A transparent web proxy (I believe there are patches for squid to allow it to operate in this mode, or try ``transproxy'') is installed and configured on the firewall, running on port 8080, say.

   3. The kernel is told to redirect connections to port 80 to the proxy, using ipchains.

   4. Netscape on the private network is configured to connect directly.

   5. DNS needs to be configured on the private network (ie. you need to run a DNS server as a proxy on the firewall).

   (Translator's note: that is, all name resolution from the clients must be handled by a DNS server inside the private network. Otherwise, the clients' name-resolution packets would go out to the Internet.)

   6. The default route (aka gateway) needs to be configured on the private network, to send packets to the firewall.

Netscape on myhost reads http://slashdot.org.

   1. Netscape looks up the name ``slashdot.org'', and gets 207.218.152.131. It then opens a connection to that IP address, using local port 1050, and asks the web server (port 80) for the web page.

   2.
As the packets from myhost (port 1050) to slashdot.org (port 80) pass through the firewall, they are redirected to the waiting transparent proxy on port 8080. The transparent proxy opens a connection (using local port 1025) to 207.218.152.131 port 80 (which is where the original packets were going).

   3. As the proxy receives the web page from its connection to the web server, it copies the data to the connection from Netscape.

   4. Netscape renders the page.

ie. From slashdot.org's point of view, the connection is made from 1.2.3.4 (the firewall's PPP interface) port 1025 to 207.218.152.131 (slashdot.org) port 80. From myhost's point of view, the connection is made from 192.168.1.100 (myhost) port 1050 to 207.218.152.131 (slashdot.org) port 80, but it's actually talking to the transparent proxy.

3.3.3. Private Network: Masquerading

In this scenario, packets from the private network never traverse the Internet without special treatment, and vice versa. The IP addresses of the private network should be assigned from the RFC1918 Address Allocation for Private Internets (ie. 10.*.*.*, 172.16.*.*-172.31.*.* or 192.168.*.*).

Instead of using a proxy, we use a special kernel facility called ``masquerading''. Masquerading rewrites packets as they pass through the firewall, so that they always seem to come from the firewall itself. It then rewrites the responses so that they look like they are going to the original recipient.

Masquerading has separate modules to handle ``tricky'' protocols, such as FTP, RealAudio, Quake, etc. For really hard-to-handle protocols, the ``auto forwarding'' facility can handle some of them by automatically setting up port forwarding for related sets of ports: look for ``ipportfw'' (2.0 kernels) or ``ipmasqadm'' (2.1 kernels).

Any services you wish the Internet to access must be on the firewall (but see ``Limited Internal Services'' below).

Example: Allowing web access from the private network to the Internet.

   1. The private network is assigned 192.168.1.* addresses, with myhost being 192.168.1.100, and the firewall's Ethernet interface being assigned 192.168.1.1.

   2. The firewall is configured to masquerade any packets coming from the private network and going to port 80 at an Internet host.

   3. Netscape is configured to connect directly.

   4. DNS must be configured correctly on the private network.

   5. The firewall should be the default route (aka gateway) for the private network.

Netscape on myhost reads http://slashdot.org.

   1. Netscape looks up the name ``slashdot.org'', and gets 207.218.152.131. It then opens a connection to that IP address, using local port 1050, and asks the web server (port 80) for the web page.

   2. As the packets from myhost (port 1050) to slashdot.org (port 80) pass through the firewall, they are rewritten to come from the PPP interface of the firewall, port 65000. The firewall has a valid Internet address (1.2.3.4), so reply packets from slashdot.org get routed back OK.

   3.
As packets from slashdot.org (port 80) to firewall.littlecorp.com (port 65000) come in, they are rewritten to go to myhost, port 1050. This is the real magic of masquerading: it remembers when it rewrites outgoing packets so it can rewrite them back as replies come in.

   4. Netscape renders the page.

ie. From slashdot.org's point of view, the connection is made from 1.2.3.4 (the firewall's PPP interface) port 65000 to 207.218.152.131 (slashdot.org) port 80. From myhost's point of view, the connection is made from 192.168.1.100 (myhost) port 1050 to 207.218.152.131 (slashdot.org) port 80.

3.3.4. Public Network

In this scenario, your personal network is a part of the Internet: packets can flow without change across both networks. The IP addresses of the internal network must be assigned by applying for a block of IP addresses, so the rest of the network will know how to get packets to you. This implies a permanent connection.

(Translator's note: that is, you must own permanently usable IP addresses obtained through a proper application to INTERNIC, JPNIC or the like.)

Packet filtering is used here to restrict what packets can flow between your network and the rest of the Internet, eg. to restrict the rest of the Internet to only accessing your internal web servers.

Example: Allowing web access from the private network to the Internet.

   1. Your internal network is assigned according to the IP address block you have registered (say 1.2.3.*).

   2. The firewall is configured to allow all traffic.

   (Translator's note: the scenario shown here is an extreme case for the sake of explanation. In a real case, as shown in the next section (``Limited Internal Services''), you must set up suitable accept/deny conditions for the packets going in and out, such as restricting services, in order to protect your network.)

   3. Netscape is configured to connect directly.

   4. DNS must be configured correctly on your network.

   5. The firewall should be the default route (aka gateway) for the private network.

Netscape on myhost reads http://slashdot.org.

   1. Netscape looks up the name ``slashdot.org'', and gets 207.218.152.131. It then opens a connection to that IP address, using local port 1050, and asks the web server (port 80) for the web page.

   2. Packets pass through your firewall, just as they pass through several other routers between you and slashdot.org.

   3. Netscape renders the page.

ie. There is only one connection: from 1.2.3.100 (myhost) port 1050 to 207.218.152.131 (slashdot.org) port 80.

3.3.5.
Limited Internal Services

There are a few tricks you can pull to allow the Internet to access your internal services, rather than running the services on the firewall. These will work with either a proxy- or masquerading-based approach for external connections.

The simplest approach is to run a ``redirector'', which is a poor man's proxy which waits for a connection on a given port, then opens a connection to a fixed internal host and port, and copies data between the two connections. An example of this is the ``redir'' program. From the Internet's point of view, the connection is made to your firewall. From your internal server's point of view, the connection is made from the firewall to the server.

Another approach (which requires a 2.0 kernel patched for ipportfw, or a 2.1 or later kernel) is to use port forwarding in the kernel. This does the same job as ``redir'' in a different way: the kernel rewrites packets as they pass through, changing their destination address and port to point them at an internal host and port. From the Internet's point of view, the connection is made to your firewall. From your internal server's point of view, a direct connection is made from the Internet host to the server.

3.4. More Information on Masquerading

David Ranch has written an excellent new HOWTO on Masquerading, which has a large amount of overlap with this HOWTO. You can currently find that HOWTO at

   http://www.linuxdoc.org/HOWTO/IP-Masquerade-HOWTO.html
   <http://www.linuxdoc.org/HOWTO/IP-Masquerade-HOWTO.html>

The official Masquerading home page is at

   http://ipmasq.cjb.net <http://ipmasq.cjb.net>

4. IP Firewalling Chains

This section describes all you really need to know to build a packet filter that meets your needs.

4.1. How Packets Traverse The Filters

The kernel starts with three lists of rules; these lists are called firewall chains or just chains. The three chains are called input, output and forward. When a packet comes in (say, through the Ethernet card) the kernel uses the input chain to decide its fate. If it survives that step, then the kernel decides where to send the packet next (this is called routing). If it is destined for another machine, it consults the forward chain. Finally, just before a packet is to go out, the kernel consults the output chain.

A chain is a checklist of rules. Each rule says `if the packet header looks like this, then here's what to do with the packet'. If the rule doesn't match the packet, then the next rule in the chain is consulted. Finally, if there are no more rules to consult, then the kernel looks at the chain policy to decide what to do. In a security-conscious system, this policy usually tells the kernel to DENY the packet.

For ASCII-art fans, this shows the complete path of a packet coming into a machine.

(Translator's note: the Japanese version of this document draws the figure as ``JIS art'' using Japanese character codes. When such JIS art, which mixes full-width and half-width characters, is displayed in Netscape Navigator/Communicator or Microsoft Internet Explorer, the width ratio of half-width to full-width characters does not match and the figure comes out jagged. When viewing the HTML version, we recommend a text browser such as lynx or w3m.)

        ----------------------------------------------------------------
        |            ACCEPT/                              lo interface |
        v           REDIRECT                  _______                  |
--> C --> S --> ____\ --> D --> ~~~~~~~~ -->|forward|----> _______ -->
    h     a    |input |  e    {Routing }    |Chain  |     |output |ACCEPT
    e     n    |Chain |  m    {Decision}    |_______| --->|Chain  |
    c     i    |______|  a     ~~~~~~~~        |     | ^  |_______|
    k     t       |      s       |             |     | |      |
    s     y       |      q       |             v     | |      |
    u     |       v      e       v            DENY/  | |      v
    m     |     DENY/    r   Local Process    REJECT | |    DENY/
    |     v     REJECT   a       |                   | |    REJECT
    |   DENY             d       --------------------- |
    v                    e -----------------------------
   DENY
Here is a blow-by-blow description of each stage:

Checksum:
   This is a test that the packet isn't corrupted in some way. If it is, it is denied.

Sanity:
   There is actually one of these sanity checks before each firewall chain, but the input chain's is the most important. Some malformed packets might confuse the rule-checking code, and these are denied here (a message is printed to the syslog if this happens).

input chain:
   This is the first firewall chain against which the packet will be tested. If the verdict of the chain is not DENY or REJECT, the packet continues on.

Demasquerade:
   If the packet is a reply to a previously masqueraded packet, it is demasqueraded, and skips straight to the output chain. If you don't use IP Masquerading, you can mentally erase this from the diagram.

Routing decision:
   The destination field is examined by the routing code, to decide if this packet should go to a local process (see Local process below) or be forwarded to a remote machine (see forward chain below).

Local process:
   A process running on the machine can receive packets after the Routing Decision step, and can send packets (which go through the Routing Decision step, then traverse the output chain).

lo interface:
   If packets from a local process are destined for a local process, they will go through the output chain with interface set to `lo', then return through the input chain with interface also `lo'. The lo interface is usually called the loopback interface.

local:
   If the packet was not created by a local process, then the forward chain is checked, otherwise the packet goes to the output chain.

forward chain:
   This chain is traversed for any packets which are attempting to pass through this machine to another.

output chain:
   This chain is traversed for all packets just before they are sent out.

4.1.1. Using ipchains

First, check that you have the version of ipchains that this document refers to:

   $ ipchains --version
   ipchains 1.3.9, 17-Mar-1999

Note that I recommend 1.3.4 (which has no long options, like `--sport'), or 1.3.8 or above; these are very stable.

ipchains has a fairly detailed manual page (man ipchains), and if you need more detail on particulars, you can check out the programming interface (man 4 ipfw), or the file net/ipv4/ip_fw.c in the 2.1.x kernel source, which is (obviously) authoritative.

There is also an excellent quick reference card by Scott Bronson in the source package, in A4 and US Letter PostScript(TM).

There are several different things you can do with ipchains. First the operations to manage whole chains. You start with three built-in chains, input, output and forward, which you can't delete.

   1. Create a new chain (-N).

   2. Delete an empty chain (-X).

   3. Change the policy for a built-in chain (-P).

   4. List the rules in a chain (-L).

   5. Flush the rules out of a chain (-F).

   6. Zero the packet and byte counters on all rules in a chain (-Z).

There are several ways to manipulate rules inside a chain:

   1. Append a new rule to a chain (-A).

   2. Insert a new rule at some position in a chain (-I).

   3. Replace a rule at some position in a chain (-R).

   4. Delete a rule at some position in a chain (-D).

   5. Delete the first rule that matches in a chain (-D).

There are a few operations for masquerading, which are in ipchains for want of a good place to put them:

   1. List the currently masqueraded connections (-M -L).

   2.
Set masquerading timeout values (-M -S). (But see ``I Can't Set Masquerading Timeouts!'' below.)

The final (and perhaps the most useful) function allows you to check what would happen to a given packet if it were to traverse a given chain.

4.1.2. What You'll See When Your Computer Starts Up

Before any ipchains commands have been run (be careful: some distributions will run ipchains in their initialization scripts), there will be no rules in any of the built-in chains (`input', `forward' and `output'), and each of the chains will have a policy of ACCEPT. This is as wide-open as you can get.

4.1.3. Operations on a Single Rule

This is the bread-and-butter of ipchains: manipulating rules. Most commonly, you will probably use the append (-A) and delete (-D) commands. The others (-I for insert and -R for replace) are simple extensions of these concepts.

Each rule specifies a set of conditions the packet must meet, and what to do if it meets them (a `target'). For example, you might want to deny all ICMP packets coming from the IP address 127.0.0.1. So in this case our conditions are that the protocol must be ICMP and that the source address must be 127.0.0.1. Our target is `DENY'.

127.0.0.1 is the `loopback' interface, which you will have even if you have no real network connection. You can use the `ping' program to generate such packets (it simply sends an ICMP type 8 (echo request), which all cooperative hosts should obligingly respond to with an ICMP type 0 (echo reply) packet). This makes it useful for testing.

   # ping -c 1 127.0.0.1
   PING 127.0.0.1 (127.0.0.1): 56 data bytes
   64 bytes from 127.0.0.1: icmp_seq=0 ttl=64 time=0.2 ms

   --- 127.0.0.1 ping statistics ---
   1 packets transmitted, 1 packets received, 0% packet loss
   round-trip min/avg/max = 0.2/0.2/0.2 ms
   # ipchains -A input -s 127.0.0.1 -p icmp -j DENY
   # ping -c 1 127.0.0.1
   PING 127.0.0.1 (127.0.0.1): 56 data bytes

   --- 127.0.0.1 ping statistics ---
   1 packets transmitted, 0 packets received, 100% packet loss
   #

You can see that the first ping succeeds (the `-c 1' tells ping to send only a single packet).

Then we append (-A) to the `input' chain a rule specifying that for packets from 127.0.0.1 (`-s 127.0.0.1') with protocol ICMP (`-p icmp') we should jump to DENY (`-j DENY').

Then we test our rule, using the second ping. There will be a pause before the program gives up waiting for a response that will never come.

We can delete the rule in one of two ways. Firstly, since we know that it is the only rule in the input chain, we can use a numbered delete, as in:

   # ipchains -D input 1
   #

to delete rule number 1 in the input chain.

The second way is to mirror the -A command, but replacing the -A with -D. This is useful when you have a complex chain of rules and you don't want to have to count them to figure out that it's rule 37 that you want to get rid of. In this case, we would use:

   # ipchains -D input -s 127.0.0.1 -p icmp -j DENY
   #

The syntax of -D must have exactly the same options as the -A (or -I or -R) command. If there are multiple identical rules in the same chain, only the first will be deleted.

4.1.4.
Filtering Specifications

We have seen the use of `-p' to specify protocol, and `-s' to specify source address, but there are other options we can use to specify packet characteristics. What follows is an exhaustive compendium.

4.1.4.1. Specifying Source and Destination IP Addresses

Source (-s) and destination (-d) IP addresses can be specified in four ways. The most common way is to use the full name, such as `localhost' or `www.linuxhq.com'. The second way is to specify the IP address, such as `127.0.0.1'.

The third and fourth ways allow specification of a group of IP addresses, such as `199.95.207.0/24' or `199.95.207.0/255.255.255.0'. These both specify any IP address from 199.95.207.0 to 199.95.207.255 inclusive; the digits after the `/' tell which parts of the IP address are significant. `/32' or `/255.255.255.255' is the default (it matches all of the IP address). To specify any IP address at all, `/0' can be used, like so:

   # ipchains -A input -s 0/0 -j DENY
   #

This is rarely used, as the effect above is the same as not specifying the `-s' option at all.

4.1.4.2. Specifying Inversion

Many flags, including the `-s' and `-d' flags, can have their arguments preceded by `!' (pronounced `not') to match addresses NOT equal to the ones given. For example, `-s ! localhost' matches any packet not coming from localhost.

Don't forget the spaces around the `!': they really are needed.

4.1.4.3. Specifying Protocol

The protocol can be specified with the `-p' flag. Protocol can be a number (if you know the numeric protocol values for IP) or a name for the special cases of `TCP', `UDP' or `ICMP'. Case doesn't matter, so `tcp' works as well as `TCP'.

The protocol name can be prefixed by a `!' to invert it, such as `-p ! TCP', which specifies packets that are not TCP.

4.1.4.3.1. Specifying UDP and TCP Ports

For the special case where a protocol of TCP or UDP is specified, there can be an extra argument indicating the TCP or UDP port, or an (inclusive) range of ports (but see ``Handling Fragments'' below). A range is represented using a `:' character, such as `6000:6010', which covers 11 port numbers, from 6000 to 6010 inclusive. If the lower bound is omitted, it defaults to 0. If the upper bound is omitted, it defaults to 65535. So to specify TCP connections coming from ports under 1024, the syntax would be `-p TCP -s 0.0.0.0/0 :1023'. Port numbers can be specified by name, eg. `www'.

Note that the port specification can be preceded by a `!', which inverts it. So to specify every TCP packet BUT a WWW packet, you would specify

   -p TCP -d 0.0.0.0/0 ! www

It is important to realize that the specification

   -p TCP -d ! 192.168.1.1 www

is very different from

   -p TCP -d 192.168.1.1 ! www

The first specifies any TCP packet to the WWW port on any machine but 192.168.1.1. The second specifies any TCP connection to any port on 192.168.1.1 but the WWW port.

Finally, this case means not the WWW port and not 192.168.1.1:

   -p TCP -d ! 192.168.1.1 ! www

4.1.4.3.2.
Specifying ICMP Type and Code

ICMP also allows an optional argument, but as ICMP doesn't have ports (ICMP has a type and a code), it has a different meaning.

You can specify them as ICMP names (use ipchains -h icmp to list the names) after the `-s' option, or as a numeric ICMP type and code, where the type follows the `-s' option and the code follows the `-d' option.

The ICMP names are fairly long: you only need to use enough letters to make the name distinct from any other.

Here is a small table of some of the most common ICMP packets:

   Number  Name                     Required by
   0       echo-reply               ping
   3       destination-unreachable  Any TCP/UDP traffic
   5       redirect                 routing, if not running a routing daemon
   8       echo-request             ping
   11      time-exceeded            traceroute

Note that the ICMP names cannot be preceded by `!' at the moment.

DO NOT DO NOT DO NOT block all ICMP type 3 messages! (See ``ICMP Packets'' below.)

4.1.4.4. Specifying an Interface

The `-i' option specifies the name of an interface to match. An interface is the physical device the packet came in on, or is going out on. You can use the ifconfig command to list the interfaces which are `up' (ie. working at the moment).

The interface for incoming packets (ie. packets traversing the input chain) is considered to be the interface they came in on. Logically, the interface for outgoing packets (packets traversing the output chain) is the interface they will go out on. The interface for packets traversing the forward chain is also the interface they will go out on; a fairly arbitrary decision, it seems to me.

(Translator's note: the author seems to be grumbling here about having made the forward chain's interface the output interface. He probably felt it would be better to be able to specify both the input and the output interface, but since ipchains has only one option, -i, for specifying an interface, he had to settle for one of them. In iptables, the successor to ipchains, the FORWARD chain lets you specify both the input and the output interface.)

It is perfectly legal to specify an interface that currently does not exist; the rule will not match anything until the interface comes up. This is extremely useful for dial-up PPP links (usually interface ppp0) and the like.

As a special case, an interface name ending with a `+' will match all interfaces (whether they currently exist or not) which begin with that string. For example, to specify a rule which matches all PPP interfaces, the -i ppp+ option would be used.

The interface name can be preceded by a `!' to match a packet which does NOT match the specified interface(s).

4.1.4.5. Specifying TCP SYN Packets Only

It is sometimes useful to allow TCP connections in one direction, but not the other. For example, you might want to allow connections to an external WWW server, but not connections from that server.

The naive approach would be to block TCP packets coming from the server. Unfortunately, TCP connections require packets going in both directions to work at all.

The solution is to block only the packets used to request a connection. These packets are called SYN packets (ok, technically they're packets with the SYN flag set and the FIN and ACK flags cleared, but we call them SYN packets). By disallowing only these packets, we can stop attempted connections in their tracks.

The `-y' flag is used for this: it is only valid for rules which specify TCP as their protocol. For example, to specify TCP connection attempts from 192.168.1.1:

   -p TCP -s 192.168.1.1 -y

Once again, this flag can be inverted by preceding it with a `!' (Translator's note: ie. `! -y'), which means every packet other than the connection initiation.

4.1.4.6. Handling Fragments

Sometimes a packet is too large to fit down a wire all at once. When this happens, the packet is divided into fragments, and sent as multiple packets. The other end reassembles the fragments to reconstruct the whole packet.

The problem with fragments is that some of the specifications listed above (in particular, source port, destination port, ICMP type, ICMP code, or TCP SYN flag) require the kernel to peek at the start of the packet, which is only contained in the first fragment.

If your machine is the only connection to an external network, then you can tell the Linux kernel to reassemble all fragments which pass through it, by compiling the kernel with ``IP: always defragment'' set to `Y'. This sidesteps the issue neatly.

Otherwise, it is important to understand how fragments get treated by the filtering rules. Any filtering rule that asks for information we don't have will not match. This means that the first fragment is treated like any other packet. Second and further fragments won't be. Thus a rule

   -p TCP -s 192.168.1.1 www

(specifying a source port of `www') will never match a fragment (other than the first fragment). Neither will the opposite rule

   -p TCP -s 192.168.1.1 ! www

However, you can specify a rule specifically for second and further fragments, using the `-f' flag. Obviously, it is illegal to specify a TCP or UDP port, ICMP type, ICMP code or TCP SYN flag in such a fragment rule.

It is also legal to specify that a rule does not apply to second and further fragments, by preceding the `-f' with `!'.

Usually it is regarded as safe to let second and further fragments through, since filtering will affect the first fragment, and thus prevent reassembly on the target host; however, bugs have been known to allow crashing of machines simply by sending fragments. Your call.

Note for network-heads: malformed packets (TCP, UDP and ICMP packets too short for the firewalling code to read the ports or ICMP code and type) are treated as fragments as well. Only TCP fragments starting at position 8 are explicitly dropped by the firewall code (a message should appear in the syslog if this occurs).

As an example, the following rule will drop any fragments going to 192.168.1.1:

   # ipchains -A output -f -d 192.168.1.1 -j DENY
   #

4.1.5. Filtering Side Effects

OK, so now we know all the ways we can match a packet using a rule. If a packet matches a rule, the following things happen:

   1. The byte counter for that rule is increased by the size of the packet (header and all).

   2. The packet counter for that rule is incremented.

   3. If the rule requests it, the packet is logged.

   4. If the rule requests it, the packet's Type Of Service (TOS) field is changed.

   5. If the rule requests it, the packet is marked (not in the 2.0 kernel series).

   6. The rule target is examined to decide what to do to the packet next.

For variety, I'll address these in order of importance.

4.1.5.1.
Specifying a Target

A target tells the kernel what to do with a packet that matches a rule. ipchains uses `-j' (think `jump-to') for the target specification. The target name must be less than 8 letters, and case matters: ``RETURN'' and ``return'' are completely different.

The simplest case is when there is no target specified. This type of rule (often called an `accounting' rule) is useful for simply counting a certain type of packet. Whether this rule matches or not, the kernel simply examines the next rule in the chain. For example, to count the number of packets from 192.168.1.1, we could do this:

   # ipchains -A input -s 192.168.1.1
   #

(Using `ipchains -L -v' we can see the byte and packet counters associated with each rule.)

There are six special targets. The first three, ACCEPT, REJECT and DENY, are fairly simple. ACCEPT allows the packet through. DENY drops the packet as if it had never been received. REJECT drops the packet, but (if it's not an ICMP packet) generates an ICMP reply to the source to tell it that the destination was unreachable.

The next one, MASQ, tells the kernel to masquerade the packet. For this to work, your kernel needs to be compiled with IP Masquerading enabled. For details on this, see the Masquerading-HOWTO and the appendix ``Differences between ipchains and ipfwadm''. This target is only valid for packets traversing the forward chain.

The other major special target is REDIRECT, which tells the kernel to send a packet to a local port instead of wherever it was heading. This can only be specified for rules specifying TCP or UDP as their protocol. Optionally, a port (name or number) can be specified following `-j REDIRECT', which will cause the packet to be redirected to that particular port, even if it was addressed to another port. This target is only valid for packets traversing the input chain.

The final special target is RETURN, which is identical to falling off the end of the chain immediately. (See ``Setting Policy'' below.)

Any other target indicates a user-defined chain (as described in ``Operations on an Entire Chain'' below). The packet will begin traversing the rules in that chain. If that chain doesn't decide the fate of the packet, then once traversal on that chain has finished, traversal resumes on the next rule in the current chain.

Time for more ASCII art. Consider two (silly) chains: input (the built-in chain) and Test (a user-defined chain).

         `input'                         `Test'
        ----------------------------    ----------------------------
        | Rule1: -p ICMP -j REJECT |    | Rule1: -s 192.168.1.1    |
        |--------------------------|    |--------------------------|
        | Rule2: -p TCP -j Test    |    | Rule2: -d 192.168.1.1    |
        |--------------------------|    ----------------------------
        | Rule3: -p UDP -j DENY    |
        ----------------------------

Consider a TCP packet coming from 192.168.1.1, going to 1.2.3.4. It enters the input chain, and gets tested against Rule1: no match. Rule2 matches, and its target is Test, so the next rule examined is the start of Test. Rule1 in Test matches, but doesn't specify a target, so the next rule is examined, Rule2. This doesn't match, so we have reached the end of the chain. We return to the input chain, where we had just examined Rule2, so we now examine Rule3, which doesn't match either.

So the packet path is:

                                v    __________________________
         `input'                |   /    `Test'                v
        ------------------------|--/    -----------------------|----
        | Rule1                 | /|    | Rule1                |   |
        |-----------------------|/-|    |----------------------|---|
        | Rule2                 /   |    | Rule2                |   |
        |--------------------------|    -----------------------v----
        | Rule3                 /--+___________________________/
        ------------------------|---
                                v

See the section ``How to Organise Your Firewall Rules'' for ways to use user-defined chains effectively.
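The traversal just described (a jump into a user-defined chain, an accounting rule with no target, falling off the end of a chain, and RETURN) can be simulated in a few lines of shell. The script below is an added example, not code from this HOWTO or from ipchains itself. It uses the input and Test rules of the diagram above and adds two constructed rules for a host 10.0.0.1 to show what RETURN does. Matching is deliberately reduced to exact protocol/source/destination equality (`-' means ``any''), so it illustrates the chain-walking logic only, not real ipchains matching.

```sh
#!/bin/sh
# Added example (not part of the IPCHAINS-HOWTO): simulate how a packet walks
# the built-in input chain and the user-defined Test chain.

# Constructed rule table, one rule per line: CHAIN PROTO SRC DST TARGET
# "-" means "any" for PROTO/SRC/DST and "no target" (accounting rule) for TARGET.
# The first five lines are the rules of the input/Test diagram; the last two
# are added to show RETURN (for a TCP packet from 10.0.0.1 the RETURN fires,
# so the DENY that follows it in Test is never reached).
RULES='
input ICMP -           -           REJECT
input TCP  -           -           Test
input UDP  -           -           DENY
Test  -    192.168.1.1 -           -
Test  -    -           192.168.1.1 -
Test  TCP  10.0.0.1    -           RETURN
Test  -    10.0.0.1    -           DENY
'
POLICY_input=ACCEPT    # used when the packet falls off the end of input

# walk CHAIN PROTO SRC DST
# Prints the verdict reached inside CHAIN (or a chain it jumps to); prints
# nothing if the packet falls off the end of CHAIN, so the caller carries on
# with its own next rule.  A trace of matched rules goes to stderr.
walk() {
  printf '%s\n' "$RULES" | while read -r c p s d t; do
    [ "$c" = "$1" ] || continue
    { [ "$p" = - ] || [ "$p" = "$2" ]; } || continue
    { [ "$s" = - ] || [ "$s" = "$3" ]; } || continue
    { [ "$d" = - ] || [ "$d" = "$4" ]; } || continue
    echo "  $1: matched '$c $p $s $d $t'" >&2
    case $t in
      -)       ;;                      # accounting rule: count only, next rule
      RETURN)  exit 0 ;;               # fall off the end of this chain now
      ACCEPT|DENY|REJECT|MASQ|REDIRECT)
               echo "$t"; exit 0 ;;    # fate decided: stop walking
      *)       v=$(walk "$t" "$2" "$3" "$4")   # jump to a user-defined chain
               [ -n "$v" ] && { echo "$v"; exit 0; } ;;
    esac
  done
}

# verdict PROTO SRC DST: start at input; apply its policy if nothing decided.
verdict() {
  v=$(walk input "$1" "$2" "$3")
  echo "${v:-$POLICY_input}"
}

for pkt in "TCP 192.168.1.1 1.2.3.4" "ICMP 10.0.0.2 1.2.3.4" \
           "UDP 10.0.0.2 1.2.3.4"    "TCP 10.0.0.1 1.2.3.4"; do
  set -- $pkt
  echo "$pkt -> $(verdict "$1" "$2" "$3")"
done
```

Run it with `sh`; the trace on stderr lists every matched rule, so the path of the TCP packet from 192.168.1.1 (input Rule2, Test Rule1, back to input Rule3, then the policy) can be followed line by line.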
pPbgÌOL^ ±êÍ[É}b`·é±ÆÌIøÊÅ·; }b`µ½pPbgð `-l' tOðp¢ÄOÉL^·é±ÆªÅ«Ü·BÊAÊíÌpPbg ɨ¢ÄOðL^µ½ÍȢŵ夯ÇAáOIÈCxg𩽢 ÉÖÈÁ¥Å·B ±ÌîñÌJ[lÌOÍȺÌæ¤È´¶Å·: Packet log: input DENY eth0 PROTO=17 192.168.2.1:53 192.168.1.1:1025 L=34 S=0x00 I=18 F=0x0000 T=254 ±ÌObZ[WÍÈÉÝv³êĨèAlbg[NÌ ÐÒÌ×¾¯ ÉÖÈZpîñðÜñŢܷªA ÆÌäXÉàLpÅ·BÈPÉྷ éÆȺÌæ¤ÉÈèÜ·: 1. `input' ÍpPbgÉ}b`µ½[ðÜÞ`FCÅAObZ[ Wð¶µÄ¢Ü·B 2. `DENY' Í[ªpPbgɽð·é©ð¦µÄ¢Ü·Bàµ±êª `-' ÈçA[ÍpPbgɽàs¢Ü¹ñB (v[Å·B) 3. `eth0' ÍC^[tF[X¼Å·. ½ÌÈçαêÍ input `FCÅ è, pPbgÍ `eth0' ©çüÁĽ±ÆðÓ¡·é©çÅ·B 4. `PROTO=17' ÍpPbgªvgR 17 Å Á½±ÆðÓ¡µÜ·Bv gRÔÌXgÍ /etc/protocols ÉÄ^¦çêÜ·BÅàêÊIÈ àÌÍ 1 (ICMP), 6 (TCP) Æ 17 (UDP) Å·B 5. `192.168.2.1' ÍpPbgÌ\[X IP AhXÍ 192.168.2.1 Å Á½ ±ÆðÓ¡µÜ·B 6. `:53' Í\[X|[gÍ|[g 53 ÔÅ Á½±ÆðÓ¡µÜ·B `/etc/services' ð©êÎA±êª `domain' |[gÅ é±ÆðJ¦µ ĢܷB(·Èí¿A±êÍ°ç DNS ÌÔÅ·B) UDP Æ TCP ɨ ¢ÄÍA±ÌÔÍ\[X|[gÅ·B ICMP ɨ¢ÄÍA ICMP ^Cv Å·B»êÈOÅÍA 65535 ÉÈéŵå¤B 7. `192.168.1.1' Ͷæ IP AhXÅ·B 8. `:1025' Ͷæ|[gÍ 1025 Å Á½±ÆðÓ¡µÜ·B UDP Æ TCP ɨ¢ÄÍA±ÌÔͶæ|[gÅ·B ICMPɨ¢ÄÍA ICMP R[h Å·B»êÈOÅÍA 65535 ÉÈéŵå¤B 9. `L=34' ÍApPbgÍv 34 oCg·Å Á½±ÆðÓ¡µÜ·B 10. `S=0x00' Í TOS tB[hðÓ¡µÜ·B (4 ÅÁÄA ipchains Å p¢çêéT[rXÌ^ª¾çêÜ·B) 11. `I=18' Í IP Ì ID Å·B 12. `F=0x0000' Í 16 rbgÌtOgItZbgÆtOÌÁZÅ·B `0x4' Í `0x5' ÅnÜélÍ utOgµÄ¢È¢vrbgªÝ è³êÄ¢é±Æð¦µÜ·B `0x2' Í `0x3' Í `XÉtOg µÄ¢é' rbgªÝè³êÄ¢é±Æð¦µÜ·; ±ÌãÉXÈét Ogª\ª³êÜ·BcèÌlͱÌtOgÌItZbg ÅA»êÍ 8 ÅÁ½lÅ·B 13. `T=254' ÍpPbgÌõ½ÔÅ·B±ÌlÍSÄÌzbvɸ¶ç êAåT 15 © 255 ÅnÜèÜ·B 14. `(#5)' ÍAuPbgàÌÅãÌÔª»êæèVµ¢J[lÅ ë¤ ±Æð¦µÜ·B(°ç 2.2.9 È~ŵå¤B) ÅãÉAæèVµ¢J [l(½Ôñ 2.2.9 È~)ÅAÊÅÍÜê½Ôª éŵå¤B (ó: ´¶ÉÍ This is the rule number which caused the packet log. Æ©êĢܷªA±êÍ finally there may be a number ... 
On standard Linux systems, this kernel output is captured by klogd (the kernel logging daemon), which hands it to syslogd (the system logging daemon). `/etc/syslog.conf' controls the behaviour of syslogd by specifying a destination for each `facility' (in our case, the facility is "kernel") and `level' (for ipchains, the level used is "info").

For example, my (Debian) /etc/syslog.conf contains two lines which match `kern.info':

        kern.*                          -/var/log/kern.log
        *.=info;*.=notice;*.=warn;\
                auth,authpriv.none;\
                cron,daemon.none;\
                mail,news.none          -/var/log/messages

These mean that the messages are duplicated in `/var/log/kern.log' and `/var/log/messages'. For more details, see `man syslog.conf'.

4.1.5.3.  Manipulating the Type of Service

There are four seldom-used bits in the IP header, called the Type of Service (TOS) bits. They affect the way packets are treated; the four bits are "Minimum Delay", "Maximum Throughput", "Maximum Reliability" and "Minimum Cost". Only one of these bits is allowed to be set. Rob van Nieuwkerk, the author of the TOS-mangling code, puts it as follows:

        Especially the "Minimum Delay" is important for me. I switch it on for "interactive" packets in my upstream (Linux) router. I'm behind a 33k6 modem link. Linux prioritizes packets in 3 queues. This way I get acceptable interactive performance while doing bulk downloads at the same time. (It could be even better if there wasn't such a big queue in the serial driver, but the latency is kept down to 1.5 seconds now.)

Note: obviously, you have no control over incoming packets; you can only control the priority of packets leaving your box. To negotiate priorities with the other end, a protocol like RSVP (which I know nothing about, so don't ask me) must be used.

The most common use is to set telnet and ftp control connections to "Minimum Delay" and FTP data to "Maximum Throughput". This would be done as follows:

        ipchains -A output -p tcp -d 0.0.0.0/0 telnet -t 0x01 0x10
        ipchains -A output -p tcp -d 0.0.0.0/0 ftp -t 0x01 0x10
        ipchains -A output -p tcp -s 0.0.0.0/0 ftp-data -t 0x01 0x08

The `-t' flag takes two extra parameters, both in hexadecimal. These allow complex twiddling of the TOS bits: the first mask is ANDed with the packet's current TOS, and then the second mask is XORed with it. If this is too confusing, just use the following table:

        TOS Name                Value           Typical Uses
        Minimum Delay           0x01 0x10       ftp, telnet
        Maximum Throughput      0x01 0x08       ftp-data
        Maximum Reliability     0x01 0x04       snmp
        Minimum Cost            0x01 0x02       nntp

Andi Kleen goes on to point out the following (lightly edited for posterity):

        Maybe it would be useful to add a reference to the txqueuelen parameter of ifconfig to the discussion of TOS bits. The default device queue length is tuned for ethernet cards; on modems it is too long and makes the 3 band scheduler (which queues based on TOS) work suboptimally. It is a good idea to set it to a value between 4-10 on modem or single B channel ISDN links; on bundled devices a longer queue is needed. It is a 2.0 and 2.1 problem, but in 2.1 it is an ifconfig flag (with recent nettools), while in 2.0 it requires source patches in the device drivers to change.

So, to see maximum benefit of TOS manipulation for modem PPP links, do `ifconfig $1 txqueuelen' in your /etc/ppp/ip-up script. The number to use depends on the modem speed and the amount of buffering in the modem; here's Andi setting me straight again:

        The best value for a given configuration needs experiment. If the queues on the router are too short then packets will get dropped. Also of course one gets benefits even without TOS rewriting, just that TOS rewriting helps to give the benefits to non-cooperating programs (but all standard Linux programs are cooperating).

4.1.5.4.  Marking a Packet

This allows complex and powerful interactions with Alexey Kuznetsov's new Quality of Service implementation, as well as the mark-based forwarding in later 2.1 series kernels. More news as it comes to hand. This option is ignored altogether in 2.0 kernels.

(Translator's note: Quality of Service, abbreviated QoS, refers to network traffic control. It appears among the kernel configuration switches as CONFIG_NET_QOS.)

4.1.5.5.  Operations on an Entire Chain

A very useful feature of ipchains is the ability to group related rules into chains. You can call the chains whatever you want, as long as the names don't clash with the built-in chains (input, output and forward) or the targets (MASQ, REDIRECT, ACCEPT, DENY, REJECT or RETURN). I suggest avoiding upper-case labels entirely, since I may use these for future extensions. The chain name can be up to 8 characters long.

4.1.5.6.  Creating a New Chain

Let's create a new chain. Because I am such an imaginative fellow, I'll call it test.

        # ipchains -N test
        #

It's that simple. Now you can put rules in it as detailed above.

4.1.5.7.  Deleting a Chain

Deleting a chain is just as simple.

        # ipchains -X test
        #

Why `-X'? Well, all the good letters were taken.

There are a couple of restrictions to deleting chains: they must be empty (see ``Flushing a Chain'' below) and they must not be the target of any rule. You can't delete any of the three built-in chains.

4.1.5.8.  Flushing a Chain

There is a simple way of emptying all rules out of a chain, using the `-F' command.

        # ipchains -F forward
        #

If you don't specify a chain, then all chains will be flushed.
4.1.5.9.  Listing a Chain

You can list all the rules in a chain by using the `-L' command.

        # ipchains -L input
        Chain input (refcnt = 1): (policy ACCEPT)
        target     prot opt    source                destination           ports
        ACCEPT     icmp -----  anywhere              anywhere              any
        # ipchains -L test
        Chain test (refcnt = 0):
        target     prot opt    source                destination           ports
        DENY       icmp -----  localnet/24           anywhere              any
        #

The `refcnt' listed for test is the number of rules which have test as their target. This must be zero (and the chain be empty) before this chain can be deleted.

If the chain name is omitted, all chains are listed, even empty ones.

There are three options which can accompany `-L'. The `-n' (numeric) option is very useful as it prevents ipchains from trying to look up the IP addresses, which (if you are using DNS like most people) will cause large delays if your DNS is not set up properly, or you have filtered out DNS requests. It also causes TCP and UDP ports to be printed out as numbers rather than names.

The `-v' option shows you all the details of the rules, such as the packet and byte counters, the TOS masks, the interface, and the packet mark. Otherwise these values are omitted. For example:

        # ipchains -v -L input
        Chain input (refcnt = 1): (policy ACCEPT)
         pkts bytes target     prot opt    tosa tosx ifname   mark   source                destination           ports
           10   840 ACCEPT     icmp -----  0xFF 0x00 lo              anywhere              anywhere              any

Note that the packet and byte counters are printed out using the suffixes `K', `M' or `G' for 1000, 1,000,000 and 1,000,000,000 respectively. Using the `-x' (expand numbers) flag as well prints the full numbers, no matter how large they are.
4.1.5.10.  Resetting (Zeroing) Counters

It is useful to be able to reset the counters. This can be done with the `-Z' (zero counters) option. For example:

        # ipchains -v -L input
        Chain input (refcnt = 1): (policy ACCEPT)
         pkts bytes target     prot opt    tosa tosx ifname   mark   source                destination           ports
           10   840 ACCEPT     icmp -----  0xFF 0x00 lo              anywhere              anywhere              any
        # ipchains -Z input
        # ipchains -v -L input
        Chain input (refcnt = 1): (policy ACCEPT)
         pkts bytes target     prot opt    tosa tosx ifname   mark   source                destination           ports
            0     0 ACCEPT     icmp -----  0xFF 0x00 lo              anywhere              anywhere              any
        #

The problem with this approach is that sometimes you need to know the counter values immediately before they are reset. In the above example, some packets could pass through between the `-L' and `-Z' commands. For this reason, you can use `-L' and `-Z' together, to reset the counters while reading them. Unfortunately, if you do this, you can't operate on a single chain: you have to list and zero all the chains at once.

        # ipchains -L -v -Z
        Chain input (policy ACCEPT):
         pkts bytes target     prot opt    tosa tosx ifname   mark   source                destination           ports
           10   840 ACCEPT     icmp -----  0xFF 0x00 lo              anywhere              anywhere              any
        Chain forward (refcnt = 1): (policy ACCEPT)
        Chain output (refcnt = 1): (policy ACCEPT)
        Chain test (refcnt = 0):
            0     0 DENY       icmp -----  0xFF 0x00 ppp0            localnet/24           anywhere              any
        # ipchains -L -v
        Chain input (policy ACCEPT):
         pkts bytes target     prot opt    tosa tosx ifname   mark   source                destination           ports
           10   840 ACCEPT     icmp -----  0xFF 0x00 lo              anywhere              anywhere              any
        Chain forward (refcnt = 1): (policy ACCEPT)
        Chain output (refcnt = 1): (policy ACCEPT)
        Chain test (refcnt = 0):
            0     0 DENY       icmp -----  0xFF 0x00 ppp0            localnet/24           anywhere              any
        #

4.1.5.11.  Setting Policy

We glossed over what happens when a packet hits the end of a built-in chain when we discussed how a packet walks through chains in ``Specifying a Target'' above. In this case, the policy of the chain determines the fate of the packet. Only the built-in chains (input, output and forward) have policies, because if a packet falls off the end of a user-defined chain, traversal resumes at the previous chain.

The policy can be any of the first four special targets: ACCEPT, DENY, REJECT or MASQ. MASQ is only valid for the `forward' chain.

It is also important to note that a RETURN target in a rule in one of the built-in chains is useful to explicitly target the chain policy when a packet matches a rule.
4.1.6.  Operations on Masquerading

There are several parameters you can tweak for IP Masquerading. They are bundled with ipchains because it's not worth writing a separate tool for them (although this will change).

The IP Masquerading command is `-M', and it can be combined with `-L' to list currently masqueraded connections, or `-S' to set the masquerading parameters.

The `-L' command can be accompanied by `-n' (show numbers instead of hostnames and port names) or `-v' (show deltas in sequence numbers for masqueraded connections, just in case you care).

The `-S' command should be followed by three timeout values, each in seconds: for TCP sessions, for TCP sessions after a FIN packet, and for UDP packets. If you don't want to change one of these values, simply give a `0' value.

The default values are listed in `/usr/src/linux/include/net/ip_masq.h', currently 15 minutes, 2 minutes and 5 minutes respectively.

The most common value to change is the first one, for ftp (see ``FTP Nightmares'' below).

See the problems with setting timeouts listed in ``I can't set masquerading timeouts!''.

4.1.7.  Checking a Packet

Sometimes you want to see what happens when a certain packet enters your machine, such as for debugging your firewall chains. ipchains has the `-C' command to allow this, using the exact same routines that the kernel uses to diagnose real packets.

You specify which chain to test the packet on by following the `-C' argument with its name. Whereas the kernel always starts traversing on the input, output or forward chains, you are allowed to begin traversing on any chain for testing purposes.

The details of the `packet' are specified using the same syntax used to specify firewall rules. In particular, a protocol (`-p'), source address (`-s'), destination address (`-d') and interface (`-i') are compulsory. If the protocol is TCP or UDP, then a single source and a single destination port must be specified, and an ICMP type must be specified for the ICMP protocol (unless the `-f' flag is specified to indicate a fragment, in which case these options are illegal).

If the protocol is TCP (and the `-f' flag is not specified), the `-y' flag may be specified, to indicate that the test packet should have the SYN bit set.

Here is an example of testing a TCP SYN packet from 192.168.1.1 port 60000 to 192.168.1.2 port www, coming in the eth0 interface, entering the `input' chain. (This is a classic incoming WWW connection initiation.)

        # ipchains -C input -p tcp -y -i eth0 -s 192.168.1.1 60000 -d 192.168.1.2 www
        packet accepted
        #
4.1.8.  Multiple Rules at Once and Watching What Happens

Sometimes a single command line can result in multiple rules being affected. This is done in two ways. Firstly, if you specify a hostname which resolves (using DNS) to multiple IP addresses, ipchains will act as if you had typed multiple commands with each combination of addresses.

So if the hostname `www.foo.com' resolves to three IP addresses, and the hostname `www.bar.com' resolves to two IP addresses, then the command `ipchains -A input -j reject -s www.bar.com -d www.foo.com' would append six rules to the input chain.

The other way to have ipchains perform multiple actions is to use the bidirectional flag (`-b'). This flag makes ipchains behave as if you had typed the command twice, the second time with the `-s' and `-d' arguments reversed. So, to avoid forwarding either to or from 192.168.1.1, you could do the following:

        # ipchains -b -A forward -j reject -s 192.168.1.1
        #

Personally, I don't like the `-b' option much; if you want convenience, see ``Using ipchains-save'' below.

The -b option can be used with the insert (`-I'), delete (`-D') (but not the delete variation which takes a rule number), append (`-A') and check (`-C') commands.

Another useful flag is `-v' (verbose), which prints out exactly what ipchains is doing with your commands. This is useful if you are dealing with commands that may affect multiple rules. For example, here we check the behaviour of fragments between 192.168.1.1 and 192.168.1.2.

        # ipchains -v -b -C input -p tcp -f -s 192.168.1.1 -d 192.168.1.2 -i lo
        tcp opt ---f- tos 0xFF 0x00 via lo 192.168.1.1 -> 192.168.1.2 * -> *
        packet accepted
        tcp opt ---f- tos 0xFF 0x00 via lo 192.168.1.2 -> 192.168.1.1 * -> *
        packet accepted
        #
4.2.  Useful Examples

I have a dialup PPP connection (-i ppp0). I download news (-p TCP -s news.virtual.net.au nntp) and mail (-p TCP -s mail.virtual.net.au pop-3) every time I dial up. I use Debian's FTP method to update my machine regularly (-p TCP -y -s ftp.debian.org.au ftp-data). I surf the web through my ISP's proxy while this is going on (-p TCP -d proxy.virtual.net.au 8080), but hate the ads from doubleclick.net on the Dilbert Archive (-p TCP -y -d 199.95.207.0/24 and -p TCP -y -d 199.95.208.0/24).

I don't mind people trying to ftp to my machine while I'm online (-p TCP -d $LOCALIP ftp), but don't want anyone pretending to have an IP address inside my internal network (-s 192.168.1.0/24). This is commonly called IP spoofing (translator: "forgery"), and there is a better way to protect yourself from it in the 2.1.x kernels and above: see ``How do I set up IP spoof protection?''.

This setup is fairly simple, because there are currently no other machines on my internal network.

I don't want any local process (i.e. Netscape, lynx etc.) to connect to doubleclick.net:

        # ipchains -A output -d 199.95.207.0/24 -j REJECT
        # ipchains -A output -d 199.95.208.0/24 -j REJECT
        #

Now I want to set priorities on various outgoing packets (there isn't much point in doing it on incoming packets). Since there are a fair number of these rules, it makes sense to put them all in a single chain, called ppp-out.

        # ipchains -N ppp-out
        # ipchains -A output -i ppp0 -j ppp-out
        #

Minimum delay for web traffic and telnet.

        # ipchains -A ppp-out -p TCP -d proxy.virtual.net.au 8080 -t 0x01 0x10
        # ipchains -A ppp-out -p TCP -d 0.0.0.0/0 telnet -t 0x01 0x10
        #

Low cost for ftp data, nntp, pop-3:

        # ipchains -A ppp-out -p TCP -d 0.0.0.0/0 ftp-data -t 0x01 0x02
        # ipchains -A ppp-out -p TCP -d 0.0.0.0/0 nntp -t 0x01 0x02
        # ipchains -A ppp-out -p TCP -d 0.0.0.0/0 pop-3 -t 0x01 0x02
        #

There are a few restrictions on packets coming in the ppp0 interface: let's create a chain called `ppp-in':

        # ipchains -N ppp-in
        # ipchains -A input -i ppp0 -j ppp-in
        #

Now, no packets coming in ppp0 should be claiming a source address of 192.168.1.*, so we log and deny them:

        # ipchains -A ppp-in -s 192.168.1.0/24 -l -j DENY
        #

I allow UDP packets in for DNS (I run a caching nameserver which forwards all requests to 203.29.16.1, so I expect DNS replies from them only), incoming ftp, and ftp-data return (which should only be going to a port above 1023, and not the X11 ports around 6000).

        # ipchains -A ppp-in -p UDP -s 203.29.16.1 -d $LOCALIP dns -j ACCEPT
        # ipchains -A ppp-in -p TCP -s 0.0.0.0/0 ftp-data -d $LOCALIP 1024:5999 -j ACCEPT
        # ipchains -A ppp-in -p TCP -s 0.0.0.0/0 ftp-data -d $LOCALIP 6010: -j ACCEPT
        # ipchains -A ppp-in -p TCP -d $LOCALIP ftp -j ACCEPT
        #

I allow TCP return packets:

        # ipchains -A ppp-in -p TCP ! -y -j ACCEPT
        #

Finally, local-to-local packets are OK:

        # ipchains -A input -i lo -j ACCEPT
        #

Now, my default policy on the input chain is DENY, so everything else is dropped:

        # ipchains -P input DENY
        #

NOTE: I wouldn't set up my chains in this order, as packets might get through while I'm setting up. Safest is usually to set the policy to DENY first, then insert the rules. Of course, if your rules require DNS lookups to resolve hostnames, you could be in trouble.

4.2.1.  Using ipchains-save

Setting up firewall chains just the way you want them, and then trying to remember the commands you used so you can do them next time, is a pain.

So, ipchains-save is a script which reads your current chain setup and saves it to a file. For the moment I'll keep you in suspense with regard to what ipchains-restore does.

ipchains-save can save a single chain, or all chains (if no chain name is specified). The only option currently permitted is `-v', which prints the rules (to stderr) as they are saved. The policy of the chain is also saved for the input, output and forward chains.

        # ipchains-save > my_firewall
        Saving `input'.
        Saving `output'.
        Saving `forward'.
        Saving `ppp-in'.
        Saving `ppp-out'.
        #

4.2.2.  Using ipchains-restore

ipchains-restore restores chains saved with ipchains-save. It can take two options: `-v', which describes each rule as it is added, and `-f', which forces flushing of user-defined chains if they exist, as described below.

If a user-defined chain is found in the input, ipchains-restore checks if that chain already exists. If it does, then you will be prompted whether the chain should be flushed (cleared of all rules) or whether restoring this chain should be skipped, leaving the current setup as it is. If you specified `-f' on the command line, you will not be prompted; the chain will be flushed.

For example:

        # ipchains-restore < my_firewall
        Restoring `input'.
        Restoring `output'.
        Restoring `forward'.
        Restoring `ppp-in'.
        Chain `ppp-in' already exists. Skip or flush? [S/f]? s
        Skipping `ppp-in'.
        Restoring `ppp-out'.
        Chain `ppp-out' already exists. Skip or flush? [S/f]? f
        Flushing `ppp-out'.
        #

5.  Miscellaneous

This section contains all the information and FAQs that I couldn't fit inside the structure above.
5.1.  How to Organise Your Firewall Rules

This question requires some thought. You can attempt to organise them to optimise speed (minimise the number of rule checks for the most common packets) or to increase manageability.

If you have an intermittent link, say a PPP link, you might want to set the first rule in the input chain to `-i ppp0 -j DENY' at boot time, then have something like this in your ip-up script:

(Translator's note: this discards packets from the ppp0 device. Set it up when you want to prevent intrusion from a dial-up line or the like.)

        # Re-create the `ppp-in' chain.
        ipchains-restore -f < ppp-in.firewall

        # Replace DENY rule with jump to ppp-handling chain.
        ipchains -R input 1 -i ppp0 -j ppp-in

Your ip-down script would look like:

        ipchains -R input 1 -i ppp0 -j DENY

5.2.  What Not To Filter Out

There are some things you should be aware of before you start filtering out everything you don't want.

5.2.1.  ICMP Packets

ICMP packets are used (among other things) to indicate failure for other protocols (such as TCP and UDP), `destination-unreachable' packets in particular. Blocking these packets means that you will never get `Host unreachable' or `No route to host' errors; any connections will just wait for a reply that never comes. This is irritating, but rarely fatal.

A worse problem is the role of ICMP packets in MTU discovery. All good TCP implementations (Linux included) use MTU discovery to try to figure out the largest packet that can get to a destination without being fragmented (fragmentation slows performance, especially when occasional fragments are lost). MTU discovery works by sending packets with the "Don't Fragment" bit set, and then sending smaller packets if it gets an ICMP packet indicating "Fragmentation needed but DF set". This is a type of `destination-unreachable' packet, and if it is never received, the local host will not reduce its MTU, and performance will be abysmal or non-existent.

(Translator's note: ICMP: Internet Control Message Protocol, the protocol that carries error notifications, diagnostics and control messages between nodes in an IP internetwork. MTU: maximum transmission unit, the largest amount of data a network interface can send at one time.)

Note that it is common to block all ICMP redirect messages (type 5); these can be used to manipulate routing (although good IP stacks have safeguards), and so are often seen as slightly risky.
5.2.2.  TCP Connections to DNS (nameservers)

If you're trying to block outgoing TCP connections, remember that DNS doesn't always use UDP; if the reply from the server exceeds 512 bytes, the client uses a TCP connection (still going to port number 53) to get the data.

(Translator's note: UDP: User Datagram Protocol, a protocol for transferring data packets. UDP is faster than TCP but less reliable: delivery of packets is not guaranteed.)

This can be a trap, because DNS will `mostly work' if you disallow such TCP transfers; you may experience strange long delays and other occasional DNS problems if you do.

If your DNS queries are always directed to the same external source (either directly by using the nameserver line in /etc/resolv.conf, or by using a caching nameserver in forward mode), then you need only allow TCP connections to the domain port on that nameserver, from the local domain port (if using a caching nameserver) or from a high port (> 1023) if using /etc/resolv.conf.

(Translator's note: check that domain is defined in /etc/services. You can check it like this:

        $ grep domain /etc/services
        domain          53/tcp          nameserver      # name-domain server
        domain          53/udp          nameserver
)

5.2.3.  FTP Nightmares

The classic packet filtering problem is FTP. FTP has two modes; the traditional one is called active mode and the more recent one is called passive mode. Web browsers usually default to passive mode, but command-line FTP programs usually default to active mode.

In active mode, when the remote end wants to send a file (or even the results of an ls or dir command), it tries to open a TCP connection to the local machine. This means you can't filter out these TCP connections without breaking active FTP.

If you have the option of using passive mode, then fine; passive mode makes data connections from client to server, even for incoming data. Otherwise, it is recommended that you only allow TCP connections to ports above 1024 and not in the range 6000 to 6010 (6000 is used for the X Window System).

5.3.  Filtering the Ping of Death

Linux boxes are now immune to the famous Ping of Death, which involves sending an illegally large ICMP packet which overflows buffers in the TCP stack on the receiver and causes havoc.

If you are protecting boxes which might be vulnerable, you could simply block ICMP fragments. Normal ICMP packets aren't large enough to require fragmentation, so you won't break anything except big pings. I have heard (unconfirmed) reports that some systems required only the last fragment of an oversize ICMP packet to corrupt them, so blocking only the first fragment is not recommended.

While the exploit programs I have seen all use ICMP, there is no reason why TCP or UDP fragments (or an unknown protocol) couldn't be used for this attack, so blocking ICMP fragments is only a stop-gap solution.

5.4.  Filtering Teardrop and Bonk

Teardrop and Bonk are two attacks (mainly against Microsoft Windows NT machines) which rely on overlapping fragments. Having the Linux router do defragmentation, or disallowing all fragments to your vulnerable machines, are the usual options.
5.5.  Filtering Fragment Bombs

Some less-reliable TCP stacks are said to have problems dealing with large numbers of fragments of packets when they don't receive all the fragments. Linux has no such problem. You can filter out fragments (which might break legitimate uses) or compile your kernel with `IP: always defragment' set to `Y' (only if your Linux box is the only possible route for these packets).

5.6.  Changing Firewall Rules

There are some timing issues involved in altering firewall rules. If you are not careful, you can let packets through while you are half-way through your changes. A simplistic approach is to do the following:

        # ipchains -I input 1 -j DENY
        # ipchains -I output 1 -j DENY
        # ipchains -I forward 1 -j DENY
        ... make changes ...
        # ipchains -D input 1
        # ipchains -D output 1
        # ipchains -D forward 1
        #

This drops all packets for the duration of the changes.

If your changes are restricted to a single chain, you might want to create a new chain with the new rules, and then replace (`-R') the rule that pointed to the old chain with one which points to the new chain: then you can delete the old chain. This replacement will occur atomically (without affecting anything else).

5.7.  How Do I Set Up IP Spoof Protection?

IP spoofing is a technique where a host sends out packets which claim to be from another host. Since packet filtering makes decisions based on this source address, IP spoofing is used to fool packet filters. It is also used to hide the identity of attackers using SYN attacks, Teardrop, Ping of Death and the like (don't worry if you don't know what they are).

The best way to protect from IP spoofing is called Source Address Verification, and it is done by the routing code, and not firewalling at all. Look for a file called /proc/sys/net/ipv4/conf/all/rp_filter. If this exists, then turning on Source Address Verification at every boot is the right solution for you. To do that, insert the following lines somewhere in your init scripts, before any network interfaces are initialised:

        # This is the best method: turn on Source Address Verification and get
        # spoof protection on all current and future interfaces.
        if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
          echo -n "Setting up IP spoofing protection..."
          for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
              echo 1 > $f
          done
          echo "done."
        else
          echo PROBLEMS SETTING UP IP SPOOFING PROTECTION.  BE WORRIED.
          echo "CONTROL-D will exit from this shell and continue system startup."
          echo
          # Start a single user shell on the console
          /sbin/sulogin $CONSOLE
        fi

If you cannot do this, you can manually insert rules to protect every interface. This requires knowledge of each interface. The 2.1 kernels automatically reject packets claiming to come from the 127.* addresses (reserved for the local loopback interface, lo).

For example, say we have three interfaces, eth0, eth1 and ppp0. We can use ifconfig to tell us the address and netmask of the interfaces. Say eth0 was attached to a network 192.168.1.0 with netmask 255.255.255.0, eth1 was attached to a network 10.0.0.0 with netmask 255.0.0.0, and ppp0 connected to the Internet (where any address except the reserved private IP addresses is allowed); we would insert the following rules:

        # ipchains -A input -i eth0 -s ! 192.168.1.0/255.255.255.0 -j DENY
        # ipchains -A input -i ! eth0 -s 192.168.1.0/255.255.255.0 -j DENY
        # ipchains -A input -i eth1 -s ! 10.0.0.0/255.0.0.0 -j DENY
        # ipchains -A input -i ! eth1 -s 10.0.0.0/255.0.0.0 -j DENY
        #

This approach is not as good as the Source Address Verification approach, because if your network changes, you have to change your firewalling rules to keep up.

If you are running a 2.0 series kernel, you might want to protect the loopback interface as well, using a rule like this:

        # ipchains -A input -i ! lo -s 127.0.0.0/255.0.0.0 -j DENY
        #

5.8.  Latest Projects

There is a userspace library I have written which is included with the source distribution, called `libfw'. It uses the ability of ipchains 1.3 and above to copy a packet to userspace (using the IP_FIREWALL_NETLINK config option).

The mark value can be used to specify Quality of Service parameters for packets, or to specify how packets should be port-forwarded. I don't use either, but if you want to write about it, please contact me.

Things such as stateful inspection (I prefer the term dynamic firewalling) can be implemented in userspace using this library. Other nifty ideas include controlling packets on a per-user basis by doing a lookup in a userspace daemon. This should be pretty easy.
5.8.1.  SPF: Stateful Packet Filtering

ftp://ftp.interlinx.bc.ca/pub/spf <ftp://ftp.interlinx.bc.ca/pub/spf> is the site of Brian Murrell's SPF project, which does connection tracking in userspace. It adds significant security for low-bandwidth sites.

There's little documentation at present, but here's a post to the mailing list in which Brian answered some questions:

        > I believe it does exactly what I want: installing temporary
        > ``backward'' rules to allow packets in as a response to outgoing
        > requests.

        Yup, that is exactly what it does. The more protocols it understands, the more "backward" rules it will get right. Right now it has support (from memory, please forgive any errors or omissions) for FTP (both active and passive, in both directions), some RealAudio, traceroute, ICMP and basic ICQ (incoming from the ICQ servers, and direct TCP connections, but not yet the secondary direct TCP connections for things like file transfers, etc.).

        > Is SPF a replacement for ipchains, or a complement?

        A complement. ipchains is the engine that allows and denies packets passing through a Linux box. SPF is the driver which watches traffic and tells ipchains how to change, and ipchains applies the change to the traffic pattern.

5.8.2.  Michael Hasenstein's ftp-data hack

Michael Hasenstein of SuSE has written a kernel patch which adds ftp connection tracking to ipchains. It's currently available at http://www.suse.de/~mha/patch.ftp-data-2.gz <http://www.suse.de/~mha/patch.ftp-data-2.gz>

5.9.  Future Enhancements

Firewalling and NAT are being redesigned for 2.4. Plans and discussions are available on the netfilter list (see http://lists.samba.org <http://lists.samba.org>). These enhancements should clear up many outstanding usability issues (really, firewalling and masquerading shouldn't be this hard), and allow growth for far more flexible firewalling.

6.  Common Problems

6.1.  ipchains -L Freezes!

You're probably blocking DNS lookups; it will eventually time out. Try using the `-n' (numeric) flag to ipchains, which suppresses the lookup of names.

6.2.  Inverse Doesn't Work!

You must put the `!' option on its own, with spaces on both sides (as noted in 4.1.4.1). A classic mistake is:

        # ipchains -A input -i !eth0 -j DENY
        #

There is no interface called `!eth0', but ipchains doesn't know that.

(Translator's note: for notes on using `!', see chapter 4. Don't forget the spaces before and after the `!' option.)

6.3.  Masquerading/Forwarding Doesn't Work!

Make sure that packet forwarding is enabled (in recent kernels it is disabled by default, meaning that packets never even try to traverse the `forward' chain). You can override this (as root) by typing:

        # echo 1 > /proc/sys/net/ipv4/ip_forward
        #

If this works for you, you can put this somewhere in your bootup scripts so it is enabled every time; you'll want to set up your firewalling before you run this command though, otherwise there's an opportunity for packets (which should be dropped) to slip through.
6.4.  -j REDIR Doesn't Work!

You must allow forwarding of packets (see above) for the redirect to work; otherwise the routing code drops the packet. So if you are just using redirect, and don't have any forwarding at all, you should be aware of that.

Note that REDIRECT (being in the input chain) doesn't have any effect on connections from local processes.

(Translator's note: for the options of ipchains, check man ipchains.)

6.5.  Wildcard Interfaces Don't Work!

There was a bug in versions 2.1.102 and 2.1.103 of the kernel (and some of the patches I produced) which made ipchains commands which specified a wildcard interface (such as -i ppp+) fail.

This is fixed in recent kernels, and in the 2.0.34 patch on the web site. You can fix it by hand in the kernel source by changing line 63 or thereabouts in include/linux/ip_fw.h:

        #define IP_FW_F_MASK    0x002F  /* All possible flag bits mask   */

This should read ``0x003F''. Fix this and recompile the kernel.

6.6.  TOS (Type of Service) Doesn't Work!

This was my mistake: setting the Type of Service field did not actually set the Type of Service in kernel versions 2.1.102 through 2.1.111. This problem was fixed in 2.1.112.

6.7.  ipautofw and ipportfw Don't Work!

For 2.0.x, this is true; I don't have time to create and maintain the large patches required to make ipchains work with ipautofw or ipportfw.

For 2.1.x, download Juan Ciarlante's ipmasqadm from http://juanjox.linuxhq.com/ <http://juanjox.linuxhq.com/> and use it exactly as you would have used ipautofw or ipportfw, but type ipmasqadm portfw instead of ipportfw, and ipmasqadm autofw instead of ipautofw.

6.8.  xosview Is Broken!

Upgrade to version 1.6.0 or above, which doesn't require any firewall rules at all for 2.1.x kernels. This seems to have broken again in the 1.6.1 release, so report a bug to the author (it's not my bug!).

6.9.  Segmentation Fault With `-j REDIRECT'!

This was a bug in ipchains 1.3.3. Please upgrade.

6.10.  I Can't Set Masquerading Timeouts!

True (for 2.1.x kernels) up to 2.1.123. In 2.1.124, trying to set the masquerading timeouts causes a kernel lockup (change return to ret = on line 1328 of net/ipv4/ip_fw.c). In 2.1.125, it works fine. Note: see also 4.1.1.

6.11.  I Want to Firewall IPX!

So do a number of other people, it seems. Unfortunately, the current code only grabs IP packets, but all the functions needed to firewall IPX are there. You would have to write the code yourself, but I'll accept it within reason.

(Translator's note: IPX is Novell's network protocol for MS-DOS. For IPX, see the IPX-HOWTO: http://www.linux.or.jp/JF/JFdocs/IPX-HOWTO.html)

7.  A Serious Example

This example was extracted from the tutorial Michael Neuling and I presented at LinuxWorld in March 1999. This is not the only way to solve the given problem, but it is probably the simplest. I hope you will find it informative.
7.1.  The Arrangement

o  A masqueraded internal network (with various OSs on it), which we'll call "GOOD".

o  An exposed network containing the public servers (we'll call this the "DMZ", for "Demilitarized Zone").

o  A PPP connection to the Internet (which we'll call "BAD").

                         External Network (BAD)
                                   |
                                  ppp0
                            192.84.219.1
                      +----------------------+
                      |                      | eth0 192.84.219.250
                      |    packet filter     |---------+-------------+-------------+
                      |                      |         |             |             |
                      |                      |        SMTP          DNS           WWW     Server Network (DMZ)
                      |                      |  192.84.219.128  192.84.219.129  192.84.218.130
                      +----------------------+
                                   | eth1
                            192.168.1.250
                                   |
                         Internal Network (GOOD)

7.2.  Goals

Packet filter box:

   PING any network
        This is really useful to tell if a machine is down.

   TRACEROUTE any network
        Once again, useful for diagnosing problems.

   Access DNS
        To make ping and DNS more useful.

Inside the DMZ:

   Mail server
     o  SMTP to external
     o  Accept SMTP from internal and external
     o  Accept POP-3 from internal

   Name server
     o  DNS to external
     o  Accept DNS from internal, external and the packet filter box

   Web server
     o  Accept HTTP from internal and external
     o  Rsync access from internal

Internal:

   Allow WWW, ftp, traceroute, ssh to external
        These are fairly standard things to allow: many people start by allowing the internal network to do just about anything, but here we're being restrictive.

   Allow SMTP to mail server
        Obviously, we want mail to go out.

   Allow POP-3 to mail server
        This is how we read our mail.

   Allow DNS to name server
        We need to be able to look up external names for WWW, ftp, traceroute and ssh.

   Allow rsync to web server
        This is how we synchronise the external web server with the internal one.

   Allow WWW to web server
        Obviously, we should be able to connect to the external web server.

   Allow ping to packet filter box
        This is a courtesy thing. It means we can tell if the firewall box is down (in case the external site gets broken into).

7.3.  Before Packet Filtering

o  Anti-spoofing
   Since we have no asymmetric routing, we can simply turn on anti-spoofing for all interfaces.

        # for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $f; done
        #

o  Set filtering rules to DENY everything
   We still allow local loopback traffic, but deny everything else.

        # ipchains -A input -i ! lo -j DENY
        # ipchains -A output -i ! lo -j DENY
        # ipchains -A forward -j DENY
        #

o  Set up interfaces
   This is usually done in the boot scripts. Make sure the above steps are done before the interfaces are configured, to prevent packets from leaking in before the filtering rules are applied.

o  Insert per-protocol masquerading modules
   We need to insert the masquerading module for FTP, so that active and passive FTP `just work' from the internal network.

        # insmod ip_masq_ftp
        #
7.4.  Packet Filtering for Through Packets

With masquerading, it's best to filter in the forward chain.

Split the forward chain into various user-defined chains depending on the source/destination interfaces; this breaks the problem down into manageable chunks.

        ipchains -N good-dmz
        ipchains -N bad-dmz
        ipchains -N good-bad
        ipchains -N dmz-good
        ipchains -N dmz-bad
        ipchains -N bad-good

Accepting ICMP errors is a common thing to do, so we make a chain for it.

        ipchains -N icmp-acc

7.4.1.  Set Up Jumps From the forward Chain

Unfortunately, we only know (in the forward chain) the outgoing interface. Thus, to figure out which interface the packet came in on, we use the source address (the anti-spoofing protects us from address forgery, so this is safe).

Note that anything that doesn't match any of these is logged (although it should obviously never happen).

        ipchains -A forward -s 192.168.1.0/24 -i eth0 -j good-dmz
        ipchains -A forward -s 192.168.1.0/24 -i ppp0 -j good-bad
        ipchains -A forward -s 192.84.219.0/24 -i ppp0 -j dmz-bad
        ipchains -A forward -s 192.84.219.0/24 -i eth1 -j dmz-good
        ipchains -A forward -i eth0 -j bad-dmz
        ipchains -A forward -i eth1 -j bad-good
        ipchains -A forward -j DENY -l

7.4.2.  Define the icmp-acc Chain

Packets which are one of the error ICMPs (below) get accepted; otherwise, control passes back out of the icmp-acc chain to the calling chain.

        ipchains -A icmp-acc -p icmp --icmp-type destination-unreachable -j ACCEPT
        ipchains -A icmp-acc -p icmp --icmp-type source-quench -j ACCEPT
        ipchains -A icmp-acc -p icmp --icmp-type time-exceeded -j ACCEPT
        ipchains -A icmp-acc -p icmp --icmp-type parameter-problem -j ACCEPT
7.4.3.  GOOD (Internal) to DMZ (Servers)

Internal restrictions:

o  Allow WWW, ftp, traceroute, ssh to external
o  Allow SMTP to mail server
o  Allow POP-3 to mail server
o  Allow DNS to name server
o  Allow rsync to web server
o  Allow WWW to web server
o  Allow ping to packet filter box

We could masquerade from the internal network into the DMZ, but here we don't. Nobody on the internal network should be doing anything suspicious, so we log all packets that get denied.

Note that older Debian versions call `pop3' in /etc/services `pop-3'; this does not agree with RFC1700.

        ipchains -A good-dmz -p tcp -d 192.84.219.128 smtp -j ACCEPT
        ipchains -A good-dmz -p tcp -d 192.84.219.128 pop3 -j ACCEPT
        ipchains -A good-dmz -p udp -d 192.84.219.129 domain -j ACCEPT
        ipchains -A good-dmz -p tcp -d 192.84.219.129 domain -j ACCEPT
        ipchains -A good-dmz -p tcp -d 192.84.218.130 www -j ACCEPT
        ipchains -A good-dmz -p tcp -d 192.84.218.130 rsync -j ACCEPT
        ipchains -A good-dmz -p icmp -j icmp-acc
        ipchains -A good-dmz -j DENY -l

7.4.4.  BAD (External) to DMZ (Servers)

o  DMZ restrictions:

   o  Mail server
      o  SMTP to external
      o  Accept SMTP from internal and external
      o  Accept POP-3 from internal

   o  Name server
      o  DNS to external
      o  Accept DNS from internal, external and the packet filter box

   o  Web server
      o  Accept HTTP from internal and external
      o  Accept Rsync from internal

o  Things to allow from the external network to the DMZ

o  Violations are not logged; they are simply left alone

        ipchains -A bad-dmz -p tcp -d 192.84.219.128 smtp -j ACCEPT
        ipchains -A bad-dmz -p udp -d 192.84.219.129 domain -j ACCEPT
        ipchains -A bad-dmz -p tcp -d 192.84.219.129 domain -j ACCEPT
        ipchains -A bad-dmz -p tcp -d 192.84.218.130 www -j ACCEPT
        ipchains -A bad-dmz -p icmp -j icmp-acc
        ipchains -A bad-dmz -j DENY
7.4.5.  GOOD (Internal) to BAD (External)

o  Internal restrictions:

   o  Allow WWW, ftp, traceroute, ssh to external
   o  Allow SMTP to mail server
   o  Allow POP-3 to mail server
   o  Allow DNS to name server
   o  Allow rsync to web server
   o  Allow WWW to web server
   o  Allow ping to packet filter box

o  In general, one allows everything from the internal network to the external network and then adds restrictions. We are fascists.

o  Log violations

o  Passive FTP is handled by the masquerading module

o  UDP destination ports 33434 and above are used by traceroute

        ipchains -A good-bad -p tcp --dport www -j MASQ
        ipchains -A good-bad -p tcp --dport ssh -j MASQ
        ipchains -A good-bad -p udp --dport 33434:33500 -j MASQ
        ipchains -A good-bad -p tcp --dport ftp -j MASQ
        ipchains -A good-bad -p icmp --icmp-type ping -j MASQ
        ipchains -A good-bad -j REJECT -l

7.4.6.  DMZ to GOOD (Internal)

o  Internal restrictions:

   o  Allow WWW, ftp, traceroute, ssh to external
   o  Allow SMTP to mail server
   o  Allow POP-3 to mail server
   o  Allow DNS to name server
   o  Allow rsync to web server
   o  Allow WWW to web server
   o  Allow ping to packet filter box

o  If we were masquerading from internal to the DMZ, we would simply deny everything else here. As it is, we only allow packets which could be part of an established connection.

        ipchains -A dmz-good -p tcp ! -y -s 192.84.219.128 smtp -j ACCEPT
        ipchains -A dmz-good -p udp -s 192.84.219.129 domain -j ACCEPT
        ipchains -A dmz-good -p tcp ! -y -s 192.84.219.129 domain -j ACCEPT
        ipchains -A dmz-good -p tcp ! -y -s 192.84.218.130 www -j ACCEPT
        ipchains -A dmz-good -p tcp ! -y -s 192.84.218.130 rsync -j ACCEPT
        ipchains -A dmz-good -p icmp -j icmp-acc
        ipchains -A dmz-good -j DENY -l

7.4.7.  DMZ to BAD (External)

o  DMZ restrictions:

   o  Mail server
      o  SMTP to external
      o  Accept SMTP from internal and external
      o  Accept POP-3 from external

   o  Name server
      o  Send DNS to external
      o  Accept DNS from internal, external and the packet filter box

   o  Web server
      o  Accept HTTP from internal and external
      o  Accept Rsync from internal

        ipchains -A dmz-bad -p tcp -s 192.84.219.128 smtp -j ACCEPT
        ipchains -A dmz-bad -p udp -s 192.84.219.129 domain -j ACCEPT
        ipchains -A dmz-bad -p tcp -s 192.84.219.129 domain -j ACCEPT
        ipchains -A dmz-bad -p tcp ! -y -s 192.84.218.130 www -j ACCEPT
        ipchains -A dmz-bad -p icmp -j icmp-acc
        ipchains -A dmz-bad -j DENY -l
7.4.8.  BAD (External) to GOOD (Internal)

o  We don't allow anything coming from the external network into the internal network that isn't masqueraded.

        ipchains -A bad-good -j REJECT

7.4.9.  Packet Filtering for the Linux Box Itself

o  If we want packet filtering on packets coming into the packet filter box itself, we need to do the filtering in the input chain. We create one chain for each destination interface:

        ipchains -N bad-if
        ipchains -N dmz-if
        ipchains -N good-if

o  Create the jumps to them:

        ipchains -A input -d 192.84.219.1 -j bad-if
        ipchains -A input -d 192.84.219.250 -j dmz-if
        ipchains -A input -d 192.168.1.250 -j good-if

7.4.9.1.  BAD (External) Interface

o  Packet filter box:

   o  PING any network
   o  TRACEROUTE any network
   o  Access DNS

o  The external interface also accepts replies to masqueraded packets (masquerading uses source ports 61000 to 65095), ICMP errors, and ping replies.

        ipchains -A bad-if -i ! ppp0 -j DENY -l
        ipchains -A bad-if -p TCP --dport 61000:65095 -j ACCEPT
        ipchains -A bad-if -p UDP --dport 61000:65095 -j ACCEPT
        ipchains -A bad-if -p ICMP --icmp-type pong -j ACCEPT
        ipchains -A bad-if -j icmp-acc
        ipchains -A bad-if -j DENY

7.4.9.2.  DMZ Interface

o  Packet filter box restrictions:

   o  PING any network
   o  TRACEROUTE any network
   o  Access DNS

o  The DMZ interface accepts DNS replies, ping replies and ICMP errors.

        ipchains -A dmz-if -i ! eth0 -j DENY
        ipchains -A dmz-if -p TCP ! -y -s 192.84.219.129 53 -j ACCEPT
        ipchains -A dmz-if -p UDP -s 192.84.219.129 53 -j ACCEPT
        ipchains -A dmz-if -p ICMP --icmp-type pong -j ACCEPT
        ipchains -A dmz-if -j icmp-acc
        ipchains -A dmz-if -j DENY -l

7.4.9.3.  GOOD (Internal) Interface

o  Packet filter box restrictions:

   o  PING any network
   o  TRACEROUTE any network
   o  Access DNS

o  Internal restrictions:

   o  Allow WWW, ftp, traceroute, ssh to external
   o  Allow SMTP to mail server
   o  Allow POP-3 to mail server
   o  Allow DNS to name server
   o  Allow rsync to web server
   o  Allow WWW to web server
   o  Allow ping to packet filter box

o  The internal interface accepts pings, ping replies and ICMP errors.

        ipchains -A good-if -i ! eth1 -j DENY
        ipchains -A good-if -p ICMP --icmp-type ping -j ACCEPT
        ipchains -A good-if -p ICMP --icmp-type pong -j ACCEPT
        ipchains -A good-if -j icmp-acc
        ipchains -A good-if -j DENY -l

7.5.  Finally

o  Delete the blocking rules.

        ipchains -D input 1
        ipchains -D forward 1
        ipchains -D output 1
8.  Appendix: Differences between ipchains and ipfwadm

  Some of these changes are a result of kernel changes, and some are a
  result of ipchains being different from ipfwadm.

  1. Many of the arguments have been remapped: an upper-case letter now
     indicates a command, and a lower-case letter indicates an option.

  2. Arbitrary chains are supported, so even the built-in chains are
     written with their full names instead of flags (e.g. `input'
     instead of `-I').

  3. The `-k' option has vanished: use `! -y' instead.

  4. The `-b' option now actually inserts/appends/deletes two rules,
     rather than a single `bidirectional' rule.

  5. The `-b' option can be passed to `-C' to do two checks (one in
     each direction).

  6. The `-x' option to `-l' has been replaced by `-v'.

  7. Multiple source and destination ports are no longer supported.
     Hopefully, being able to negate a port range takes up some of the
     slack.

  8. Interfaces can only be specified by name (not by address). The old
     semantics were silently changed in the 2.1 kernel series anyway.

  9. Fragments are examined, rather than automatically allowed through.

  10. Explicit accounting chains have been done away with.

  11. Arbitrary protocols over IP can be tested.

  12. The old behaviour of SYN and ACK matching (which used to be ignored
      for non-TCP packets) has changed: the SYN option is not valid for
      rules that are not TCP-specific.

  13. Counters are now 64-bit on 32-bit machines, not 32-bit.

  14. Inverse options are now supported.

  15. ICMP codes are now supported.

  16. Wildcard interfaces are now supported.

  17. TOS manipulations are now sanity-checked: the old kernel code would
      silently stop you from (illegally) manipulating the `Must Be Zero'
      TOS bit; ipchains now returns an error if you try, as it does for
      the other illegal cases.

  8.1.  Quick-reference table

  [ Mainly: command arguments are upper case, and option arguments are
  lower case. ]

  One thing to note: masquerading is written `-j MASQ'; this is
  completely different from `-j ACCEPT', and it is not treated as a mere
  side-effect of the rule, as ipfwadm does.

  ================================================================
  | ipfwadm      | ipchains               | Notes
  ----------------------------------------------------------------
  | -A [both]    | -N acct                | Create an `acct' chain
  |              |& -I 1 input -j acct    | and have output and input
  |              |& -I 1 output -j acct   | packets traverse it.
  |              |& acct                  |
  ----------------------------------------------------------------
  | -A in        | input                  | A rule with no target
  ----------------------------------------------------------------
  | -A out       | output                 | A rule with no target
  ----------------------------------------------------------------
  | -F           | forward                | Use this as [chain].
  ----------------------------------------------------------------
  | -I           | input                  | Use this as [chain].
  ----------------------------------------------------------------
  | -O           | output                 | Use this as [chain].
  ----------------------------------------------------------------
  | -M -l        | -M -L                  |
  ----------------------------------------------------------------
  | -M -s        | -M -S                  |
  ----------------------------------------------------------------
  | -a policy    | -A [chain] -j POLICY   | (but see -r and -m too).
  ----------------------------------------------------------------
  | -d policy    | -D [chain] -j POLICY   | (but see -r and -m too).
  ----------------------------------------------------------------
  | -i policy    | -I 1 [chain] -j POLICY | (but see -r and -m too).
  ----------------------------------------------------------------
  | -l           | -L                     |
  ----------------------------------------------------------------
  | -z           | -Z                     |
  ----------------------------------------------------------------
  | -f           | -F                     |
  ----------------------------------------------------------------
  | -p           | -P                     |
  ----------------------------------------------------------------
  | -c           | -C                     |
  ----------------------------------------------------------------
  | -P           | -p                     |
  ----------------------------------------------------------------
  | -S           | -s                     | Takes only one port or
  |              |                        | range, not multiples.
  ----------------------------------------------------------------
  | -D           | -d                     | Takes only one port or
  |              |                        | range, not multiples.
  ----------------------------------------------------------------
  | -V           | <none>                 | Use -i [name].
  ----------------------------------------------------------------
  | -W           | -i                     |
  ----------------------------------------------------------------
  | -b           | -b                     | Now actually makes 2
  |              |                        | rules.
  ----------------------------------------------------------------
  | -e           | -v                     |
  ----------------------------------------------------------------
  | -k           | ! -y                   | Doesn't work unless
  |              |                        | -p tcp is also given.
  ----------------------------------------------------------------
  | -m           | -j MASQ                |
  ----------------------------------------------------------------
  | -n           | -n                     |
  ----------------------------------------------------------------
  | -o           | -l                     |
  ----------------------------------------------------------------
  | -r [redirpt] | -j REDIRECT [redirpt]  |
  ----------------------------------------------------------------
  | -t           | -t                     |
  ----------------------------------------------------------------
  | -v           | -v                     |
  ----------------------------------------------------------------
  | -x           | -x                     |
  ----------------------------------------------------------------
  | -y           | -y                     | Doesn't work unless
  |              |                        | -p tcp is also given.
  ----------------------------------------------------------------

  8.2.  Examples of translated ipfwadm commands

  Old command: ipfwadm -F -p deny

  New command: ipchains -P forward DENY

  Old command: ipfwadm -F -a m -S 192.168.0.0/24 -D 0.0.0.0/0

  New command: ipchains -A forward -j MASQ -s 192.168.0.0/24 -d 0.0.0.0/0

  Old command: ipfwadm -I -a accept -V 10.1.2.1 -S 10.0.0.0/8 -D 0.0.0.0/0

  New command: ipchains -A input -j ACCEPT -i eth0 -s 10.0.0.0/8 -d 0.0.0.0/0

  (Note that there is no equivalent of specifying an interface by its
  address: use the interface name. On this machine, 10.1.2.1
  corresponds to eth0.)

  9.  Appendix: Using the ipfwadm-wrapper script

  The ipfwadm-wrapper shell script is meant to be a drop-in replacement
  for ipfwadm, for backwards compatibility with ipfwadm 2.3a.

  The one feature it really cannot handle is the `-V' option. When it is
  used, a warning is printed. If the `-W' option is also given, the `-V'
  option is ignored. Otherwise the script uses ifconfig to look for the
  interface name that carries the given address. If that fails (for
  example because the interface is down), an error message is printed
  and the script exits.

  This warning can be suppressed either by changing `-V' to `-W', or by
  sending the script's standard output to /dev/null.

  If you find a mistake in this script, or a difference between it and
  the real ipfwadm, please report it as a bug: send an e-mail to
  rusty@linuxcare.com with "BUG-REPORT" in the subject. Please include
  your old ipfwadm version (ipfwadm -h), your ipchains version (ipchains
  --version) and the version of the ipfwadm wrapper script
  (ipfwadm-wrapper --version). Also include the output of ipchains-save.
  Thanks in advance.

  Mixing this ipfwadm-wrapper script with ipchains is at your own risk.

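The quick-reference table of section 8.1 and the translated commands of section 8.2 are, taken together, a small mechanical mapping, and section 9's wrapper is that mapping turned into a program. The script below is an added example and is not the HOWTO's ipfwadm-wrapper: it translates the subset of ipfwadm syntax used in the three examples above (chain selection, `-a`/`-d`/`-p` with an action, `-S`, `-D`, `-P`, `-W`, `-V`) into the ipchains command and prints it instead of running it. The function names `convert_ipfwadm`, `target_of` and `if_by_addr` are made up for this example. Since ipchains has no equivalent of `-V address`, the wrapper asks ifconfig; here that lookup is replaced by a constructed `IF_BY_ADDR` table (an assumption), and an address that is not in the table is reported as an error instead of being guessed, which is the failure mode section 9 describes for an interface that is down.

```sh
#!/bin/sh
# Added example, not the HOWTO's ipfwadm-wrapper script: translate the
# subset of ipfwadm syntax used in section 8.2 into the equivalent ipchains
# command, following the quick-reference table of section 8.1. It prints
# the new command instead of running it, so it is safe to try anywhere.

# ipfwadm's "-V address" selects an interface by address, which ipchains
# cannot do. The real wrapper asks ifconfig; this example instead consults
# a constructed address:interface table (an assumption for the example).
IF_BY_ADDR='10.1.2.1:eth0 192.84.219.250:eth0'

# if_by_addr ADDRESS: print the interface name for ADDRESS, fail if unknown.
if_by_addr() {
    for pair in $IF_BY_ADDR; do
        case $pair in
            "$1":*) printf '%s\n' "${pair#*:}"; return 0 ;;
        esac
    done
    echo "if_by_addr: no interface known for $1" >&2
    return 1
}

# target_of ACTION: map an ipfwadm policy word (or its one-letter form) to
# the ipchains target; masquerading becomes the explicit target MASQ.
target_of() {
    case $1 in
        accept|a)     echo ACCEPT ;;
        deny|d)       echo DENY ;;
        reject|r)     echo REJECT ;;
        masquerade|m) echo MASQ ;;
        *) echo "target_of: unknown action '$1'" >&2; return 1 ;;
    esac
}

# convert_ipfwadm ARGS...: print the ipchains command for an ipfwadm
# command line. Supported: -I/-O/-F (chain), -a/-d/-p (command + action),
# -S/-D (addresses), -P (protocol), -W (interface name), -V (address).
convert_ipfwadm() {
    chain= cmd= target= rest=
    while [ $# -gt 0 ]; do
        case $1 in
            -a|-d|-p|-S|-D|-P|-W|-V)
                [ $# -ge 2 ] || { echo "convert_ipfwadm: $1 needs an argument" >&2; return 1; } ;;
        esac
        case $1 in
            -I) chain=input ;;
            -O) chain=output ;;
            -F) chain=forward ;;
            -a) cmd=-A; target=$(target_of "$2") || return 1; shift ;;
            -d) cmd=-D; target=$(target_of "$2") || return 1; shift ;;
            -p) cmd=-P; target=$(target_of "$2") || return 1; shift ;;
            -S) rest="$rest -s $2"; shift ;;
            -D) rest="$rest -d $2"; shift ;;
            -P) rest="$rest -p $2"; shift ;;
            -W) rest="$rest -i $2"; shift ;;
            -V) iface=$(if_by_addr "$2") || return 1; rest="$rest -i $iface"; shift ;;
            *)  echo "convert_ipfwadm: unsupported option '$1'" >&2; return 1 ;;
        esac
        shift
    done
    [ -n "$chain" ] && [ -n "$cmd" ] || {
        echo "convert_ipfwadm: need a chain (-I/-O/-F) and a command (-a/-d/-p)" >&2
        return 1
    }
    if [ "$cmd" = -P ]; then
        # policy: "ipfwadm -F -p deny" becomes "ipchains -P forward DENY"
        printf 'ipchains -P %s %s%s\n' "$chain" "$target" "$rest"
    else
        printf 'ipchains %s %s -j %s%s\n' "$cmd" "$chain" "$target" "$rest"
    fi
}

# The three translations of section 8.2:
convert_ipfwadm -F -p deny
convert_ipfwadm -F -a m -S 192.168.0.0/24 -D 0.0.0.0/0
convert_ipfwadm -I -a accept -V 10.1.2.1 -S 10.0.0.0/8 -D 0.0.0.0/0
```

The converter refuses anything it does not understand rather than passing it through, which is the behaviour you want from a translation layer for firewall rules: a silently dropped option would turn a rule that was meant to be narrow into a wide one.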
10.  Appendix: Thanks

  Many thanks have to go to Michael Neuling, who wrote the first
  releasable cut of the IP chains code while working for me. I
  apologise publicly for nixing his idea of allowing interface names
  everywhere: Alan Cox submitted the same idea later, and it went from
  `that is difficult' to `done' rather quickly after I realised my
  mistake.

  Thanks to Alan Cox for his 24-hour-turnaround e-mail technical
  support.

  Thanks to all the authors of the ipfw and ipfwadm code, especially
  Jos Vos. Standing on the shoulders of giants, and all that. This
  applies to Linus Torvalds and all the kernel and userspace hackers as
  well.

  (Translator's note: "standing on the shoulders of giants" is Newton's
  famous remark: whatever he had achieved, he said, was only because he
  stood on the shoulders of giants, that is, of his predecessors.
  Japanese has a similar turn of phrase.)

  Thanks to the diligent beta testers and bug hunters, especially
  Jordan Mendelson, Shaw Carruthers, Kevin Moule, Dr. Liviu Daia,
  Helmut Adams, Franck Sicard, Kevin Littlejohn, Matt Kemner, John D.
  Hardin, Alexey Kuznetsov, Leos Bitto, Jim Kunzman, Gerard Gerritsen,
  Serge Sivkov, Andrew Burgess, Steve Schmidtke, Richard Offer,
  Bernhard Weisshuhn, Larry Auton, Ambrose Li, Pavel Krauz, Steve
  Chadsey, Francesco Potorti`, Alain Knaff, Casper Boden-Cummins and
  Henry Hollenberg.

  10.1.  Translations

  Translators, please put your translation credit at the end of the
  Thanks section, for example: `Thanks to XXX for translating everything
  from the English so faithfully.' And please tell me about your
  translation so that it can be listed here.

  Arnaud Launay, asl@launay.org:
  http://www.freenix.fr/unix/linux/HOWTO/IPCHAINS-HOWTO.html
  <http://www.freenix.fr/unix/linux/HOWTO/IPCHAINS-HOWTO.html>

  Giovanni Bortolozzo, borto@pluto.linux.it:
  http://www.pluto.linux.it/ildp/HOWTO/IPCHAINS-HOWTO.html
  <http://www.pluto.linux.it/ildp/HOWTO/IPCHAINS-HOWTO.html>

  Herman Rodríguez, herman@maristas.dhis.org:
  http://netfilter.kernelnotes.org/ipchains/spanish/HOWTO.html
  <http://netfilter.kernelnotes.org/ipchains/spanish/HOWTO.html>

  JF Project, jf@linux.or.jp:
  http://www.linux.or.jp/JF/JFdocs/IPCHAINS-HOWTO.html
  <http://www.linux.or.jp/JF/JFdocs/IPCHAINS-HOWTO.html>

11.  About the Japanese translation

  Japanese translation: Nov 21, 2000, JF Project "Team ipchains".

  Translators (honorifics omitted, in Japanese syllabary order):

     o  Á¡åT <daisuke@terra.dti.ne.jp>: chapter 7

     o  ã¡ë° <magotou@fubyshare.gr.jp>: chapters 2 and 3

     o  JçG <jeanne@mbox.kyoto-inet.or.jp>: chapters 5 and 6

     o  ÞîLº <nagoya@cc.hit-u.ac.jp>: chapters 1 to 4

     o  ¼czê <yoh@coolmail.net>: chapters 1, 4, 8 to 10, and final
        editing

  In translating this document we borrowed a great deal from the
  Japanese translation of the Linux 2.4 Packet Filtering HOWTO by
  RX_K <h-yamamo@db3.so-net.ne.jp>
  <http://www.linux.or.jp/JF/JFdocs/packet-filtering-HOWTO.html>, and
  also consulted the article by Ô¼O <akamatsu@kobedenshi.ac.jp>
  contributed to LinuxJAPAN.

  While translating and editing this document we received advice from
  the following people (in Japanese syllabary order). Thank you very
  much.

     o  É¡Sê <kade@kadesoft.com>

     o  ÁÎqV <kto@interlink.or.jp>

     o  úºzê <void@merope.pleiades.or.jp>

     o  Äc®¾ <shibata@luky.org>

     o  £Ëû <setzer@mx3.tiki.ne.jp>

     o  çUTi <ysenda@pop01.odn.ne.jp>

     o  äLõ <takei@webmasters.gr.jp>

     o  ¼ci <wnishida@skyfree.org>

     o  ´¶ <mizuhara@acm.org>

     o  RX_K <h-yamamo@db3.so-net.ne.jp>