  Linux IPCHAINS-HOWTO
  Paul Russell, Paul.Russell@rustcorp.com.au
  v0.6, Sun May 17 14:29:26 CST 1998
  :  , geoman@nownuri.net


       Ϲ IP ȭ 罽 Ʈ 
  ϰ ġϰ ϴ ׸ ̸   ˾Ƶξ  ׵鿡
  Ͽ ڼ ϰ Ѵ.

  < >

   IP ȭ ڵ ipfwadm  ſ ̷Ӱ  ڿ̴.
  IP Ŷ ؿ ɷ  뼺 ¿  ʿ䰡 
  .  Ư ŽĿ̵   ̴   ϳ̴.
    2.1.102    ִ ``'' IP ȭ ڵ
  ξ    ipchains   ȭ  ȣϴ 
     ̶ Ѵ.

   ϳ ȹ ǰ Ŀ 2.2  ٸ ȭ   ֵ
     Ͽ.

    ġ  Ϳ  ǰ  Լ  
  ̴.

  ______________________________________________________________________

  

  1. Ұ

     1.1 ?
     1.2 ?
     1.3 ?
     1.4 ?

  2. Ŷ ͸ ⺻

     2.1 ?
     2.2 ?
     2.3 ?
        2.3.1 Ŷ ͸   Ŀ
        2.3.2 ``ipchains''

  3. Ϲ IP ȭ 罽

     3.1  Ŷ ͸ ϴ°?
        3.1.1 ipchains ϱ
        3.1.2  Ģ  
        3.1.3  Ģ ϱ
           3.1.3.1 ,  IP ּ ϱ
           3.1.3.2  ϱ
           3.1.3.3  ϱ
              3.1.3.3.1 UDP, TCP Ʈ ϱ
              3.1.3.3.2 ICMP  ڵ ϱ
           3.1.3.4 ̽ ϱ
           3.1.3.5 TCP SYN Ŷ ϱ
           3.1.3.6 (Fragments) ó
        3.1.4 ͸ ֺ ȿ
           3.1.4.1 ǥ ϱ
           3.1.4.2 Ŷ ϱ
           3.1.4.3   óϱ
           3.1.4.4 Ŷ ǥϱ
           3.1.4.5 ü 罽  
           3.1.4.6 ο 罽 
           3.1.4.7 罽 
           3.1.4.8 罽 
           3.1.4.9 罽  
           3.1.4.10 ī  0  
           3.1.4.11 å ϱ
        3.1.5 Operations on Masquerading
        3.1.6 Checking a Packet
        3.1.7 Multiple Rules at Once and Watching What Happens
     3.2  
        3.2.1 ``ipchains-save'' ϱ
        3.2.2 ``ipchains-restore'' ϱ

  4.   ͵

     4.1  ȭ Ģ üȭ  ִ°?
     4.2   ɷ ƾ ϴ°?
        4.2.1 ICMP Ŷ
        4.2.2 DNS 
        4.2.3 FTP  Ǹ
     4.3   ɷ
     4.4 ƼӰ ũ ɷ
     4.5  ź ɷ
     4.6 ȭ Ģ ٲٱ
     4.7    Ʈ
     4.8   

  5. ÷ - ipchains  ipfwadm  

     5.1   ǥ
     5.2 ipfwadm   

  6. ÷ - `ipfwadm-wrapper' ũƮ ϱ

  7. ÷ -  



  ______________________________________________________________________


     IPCHAINS-HOWTO ̴.   NET-3-HOWTO, IP ŽĿ̵
  Ͽ, PPP Ͽ, ̴ Ͽ  о   ġ ִ ̴.
  ( alt.fan.bigfoot FAQ )


  Ŷ ͸ Ͽ ̹ ˰ ִٸ ``?'' ǰ ``?'' 
  а ``Ϲ IP ȭ 罽''  о ٶ.


  ipfwadmκ ȯ ϰ ִٸ ``Ұ'' , ``?'' ,
  ׸ ÷ ``ipchains ipfwadm  '', ``ipfwadm-wrapper ũ
  Ʈ ϱ'' о ȴ.


   ipchains   IPv4 ȭ ڵ(ַ BSDκ  ̴.)
  ٽ  ̸ BSD ipfw  ٽ  ipfwadm  ٽ ۼ ̴.


  1.2.  ?

      ȭ ڵ Ŷ  ٷ ϸ 32 Ʈ
  ī( ) ϰ ְ TCP, UDP, ICMP ̿ 
    .    뿡 ȭ    Ģ 
       ִ.  ׸ ϱ⵵ .
  (  ϱ )


  1.3.  ?

    ڵ Ŀ 2.1.102   ԵǾ ִ.
  2.0 Ŀ 쿡  κ Ŀ ġ ٿε޾ƾ Ѵ.


  1.4.  ?

   Ϲ IP ȭ 罽     .
  <http://www.adelaide.net.au/~rustcorp/ipfwchains>


   Ŀٶ ͸ FTP    ִٸ FTP  Ʈ ξ
  ׷ ϱ  HTTP  ϰ ִ.


   , ,  ׸ 뿡   ٷ ϸ Ʈ
  ִ.  wantree.com.au ipchains-request subscribe  ܾ Ե
  ޽  Եȴ.  Ʈ    `ipchains-request'
  ƴ϶ `ipchains'    Ѵ.


  2.  Ŷ ͸ ⺻

  2.1.  ?

  Ʈ ϴ   Ŷ ¸ .      Ű
  ( 50k) ޴µ ϳ ũⰡ 1460 Ʈ Ŷ  36  
  ߻Ų. (  ׳ ƹԳ Ҵ )


   Ŷ  κп Ŷ  ϰ ִ,  Դ, 
   Ŷ ׸     ʿ   ִ.
   κ Ŷ `(header)' θ.   κп ϰ ϴ
   ڷᰡ  `ü(body)' θ.


  , ,  αο Ǵ TCP    `'̶
   Ѵ.   ϴ  ڷḦ  Ŷ ⿡ ռ
  پ  Ŷ(Ư   ִ) ȯǴµ  
  ` Ѵ', `Ѵ', `'  ޽  ȴ.
  ׸   Ŷ ȯȴ.


  Ŷ Ͷ  Ŷ   Ŷ   Ʈ
  ̴.  Ŷ (deny)  ְ(ġ Ŷ ȹ ó  )
  Ŷ  ϰų Ŷ (reject)  ִ.(ÿ 
  Ŷ    뺸ش.)


   Ŷ ͸  Ŀ ȿ ְ Ŷ óԿ ־
  ؾ    ׵   캸 Ŷ  Ѵٴ
  Ϲ Ģ Ȱ.


  2.2.  ?

  .  .  .



     (Control):
	 Ʈ ٸ Ʈ(ڸ ͳ)  ִ 뵵
	 ڽ ϰ ִٸ Ư  Ʈ ڷḦ ϰų
	  ִ.    Ŷ   ּҰ ֱ
	 Ư ܺ Ʈ Ŷ     ִ.
	ٸ  .   Dilbert ī̺꿡 ϱ  ׽
	Ѵ.   doubleclick.net   ־ ׽
	 ޾ƴ   ð Ҹϰ ִ.
	Ŷ ͷ Ͽ doubleclick.net κ   Ŷ 
	Ͽ  ذϿ.(   ؼ    ִ)


     (Security):
	 ڽ õ ͳݰ ϰ   и
	Ʈ ̿   ǻ , п 湮  ִ
	 ϴ  δ  .     Ʈ
	κ      ƴ ` '  
	Ǹ ǰ ܺκ  Ϳ Ͽ ϰ   𸥴.
	Ǵ  н带   ִ ϴ ܺο 
	ڽ ڳϿ   ٶ   ִ.   κ
	  ͳ ϴ 湮 ǰ  , 湮
	޾ƾ ϴ  ǰ  ʴٰ   𸥴.
	   ӿ Ǵ Ŷ  ͸ ƹ ׸
	̴.


     (Watchfulness):
	 ߸   Ʈ  ӽŵ ܺη Ŷ ϴ
	͵ ϴ.    Ŷ ͷ Ͽ   
	Ϳ Ͽ 뺸ϵ   ִ.  ̿  ġ   ְ
	Ǵ ׳ ñؼ    ִ.


  2.3.  ?

  2.3.1.  Ŷ ͸   Ŀ

  Ŀ ȿ ο Ϲ IP ȭ 罽(Generic IP Firewall Chain) 
   Ѵ.    ۵  Ŀ   ߰ ִ ˾ƺ
   `/proc/net/ip_fwchains'  ִ Ȯ϶.  ִٸ ̹ Ŀ
  ȿ  ԵǾ ִ ̴.


  ׷ ʴٸ Ϲ IP ȭ 罽   Ŀ ؾ Ѵ.
  Ŀ ٿεް    κ  ġ ϰ
     ־ Ѵ.  Ŀ Ͽ Ͽ  𸥴ٸ
  Ŀ Ͽ  о ٶ.


  ʿ  ɼ  :


  ______________________________________________________________________
          CONFIG_EXPERIMENTAL=y
          CONFIG_FIREWALL=y
          CONFIG_IP_FIREWALL=y
          CONFIG_IP_FIREWALL_CHAINS=y
  ______________________________________________________________________




  `ipchains'  Ͽ Ŀΰ ȭϸ鼭  Ŷ ͸
   Ѵ.  α׷Ӱ ƴ , ׸ ʿ ̻ ȣ 
  ʴ ̶ ipchains  Ͽ Ŷ ͸ Ѵ.


  2.3.2.  ``ipchains''

     IP ȭ ڵ忡 Ǿ `ipfwadm' üѴ.
  Ű `ipfwadm-wrapper' ̸  ũƮ ִµ ̰
  ϸ  Ŷ ͸  ״   ִ.  ipfwadm
  (  μ   ʴ   ִ) ϴ
  ýκ ϴ  ׷̵ ¿ ȭ  ö
  ߴϰ   쿡 ϶.   ũƮ Ѵٸ  Ͽ
    ̻  ʿ䰡 .  ÷ ``ipchains ipfwadm 
  '' ÷ ``ipfwadm-wrapper ũƮ ϱ'' о ipfwadm
       ڼ   ִ.


  3.  Ϲ IP ȭ 罽(Generic IP Firewalling Chains)

  ̹ ǿ  ϴ Ŷ ͸ ϴµ ־  ˾Ƶ־
     Ѵ.

  3.1.   Ŷ ͸ °?

  Ŀ 3  Ģ (`ȭ 罽' Ǵ  `罽'̶ θ)
   Ѵ.   3  罽 `Է(input)', `(output)', ׸
  `(forward)'̴.  Ŷ (  ̴ ī带 ) Ŀ
  Ŷ    `input' 罽 Ѵ.    ܰ迡
  ƳҴٸ ̹ Ŷ     Ѵ.
   Ŷ ٸ ӽ  Ѵٸ `forward' 罽 캻.
   Ŷ  ϴ , `output' 罽 Ѵ.


  罽̶ `Ģ'  ׸̴.   Ģ ` Ŷ  ̷̷
  ϴٸ Ŷ ̷ óϽÿ' Ѵ.   Ŷ Ģ 
   罽    Ģ Ѵ.    ̻ 
  Ģ  罽 `å' .    ΰ ýۿ
   Ǵ ø ⺻ å ´.


  ASCII Ʈ ҵ  ӽ  Ŷ   θ ׷
  Ҵ.


                       ACCEPT/
                      REDIRECT                                        ACCEPT
  --> C --> S --> ______ --> D --> ~~~~~~~~ --> local ------> _______ -->
      h  -> a    |input |    e    {Routing } |  __|____ -->->|output |
      e  |  n    |Chain |    m    {Decision} | |forward|   | |Chain  |
      c  |  i    |______|    a     ~~~~~~~~  | |Chain  |   | |_______|
      k  |  t       |        s        |      | |_______|   |     |
      s  |  y       |        q        |      |     |       |     |
      u  |  |       v        e        v      |     |       |     v
      m  |  |     DENY/      r  Local Process|     v       |   DENY/
      |  |  v    REJECT      a        |-------   DENY/     |  REJECT
      |  |DENY               d        |         REJECT     |
      v  |                   e -------+---------------------
     DENY|                            |
         ------------------------------


   ܰ ϳϳ   غڸ  :


     üũ(Checksum):
	Ŷ  ߰ ջǾ θ Ѵ.   ջǾٸ
	õȴ.


      ׽Ʈ(Sanity):
	 ȭ 罽 ռ   ׽Ʈ  ϳ̴.
	  ߿  Է 罽  ̷  ׽Ʈ̴.
	 ߸  Ŷ Ģ  ڵ带 ȥ   ɼ
	Ƿ ⼭ ع.(̷  ߻ϸ syslog 
	޽ µȴ)


     Է 罽(input Chain):
	Ŷ   ׽Ʈ ľ  ȭ 罽̴.   罽 
	 DENY Ǵ REJECT ƴ϶ Ŷ    Ѵ.


     ŽĿ̵(Demasquerade):
	 Ŷ ռ ŽĿ̵ Ŷ   Ŷ̶ ϴ
	ŽĿ̵ϰ  罽  Ѵ.  IP ŽĿ̵带
	 ʴ  ǥ ŽĿ̵ κ  ص
	.


      (Routing Decision):
	 ڵ带   ʵ带 Ͽ Ŷ  μ
	(ڿ   μ  )   ƴϸ
	 ӽſ ޵  Ѵ.(ڿ   罽 
	)


      μ(Local Process):
	ӽſ ۵  μ   ܰ  Ŷ ްų
	Ǵ Ŷ   ִ.( Ŷ  μ  
	̶ lo   ̽ , Է 罽 Ѵ.
	׷ ʴٸ  罽 )  μ  罽  
	̷ ʱ  ǥ  ǥ ʾҴ.


     (local):
	 μ    ƴ϶  罽 Ͽ 
	ϰ  μ   ̶   罽 ư.


      罽(forward Chain):
	 ӽſ ٸ ӽ ư Ŷ Ͽ 罽 Ѵ.


      罽(output Chain):
	Ŷ   罽 Ģ Ѵ.


  3.1.1.  ipchains ϱ

  켱   ϰ ִ ipchains   ִ Ѵ:



       $ ipchains --version
       ipchains 1.3.3, 16-May-1998





  ipchains  ſ    ִ  ִ. ("man
  ipchains")  Ư о߿    ڼ  Ѵٸ α׷
  ̽ 캸ų("man 4 ipfw") Ŀ ҽ ߿
  "net/ipv4/ip_fwtrees.c"  캸.      Ȯ
    ӿ Ʋ.


  ipchains    ִ Ͽ  .  켱 ü 罽 ϴ
   ִ.  켱    `input', `output', `forward'  3 
   罽 غ.


  1. ο 罽  (-N).

  2.  罽  (-X).

  3.  罽  ⺻ å Ѵ (-P).

  4. 罽 ӿ  Ģ Ѵ (-L).

  5. 罽κ Ģ  Ѵ (-F).

  6. 罽   Ģ  Ŷ, Ʈ ī  0  Ѵ (-Z).


  罽  Ģ ϴ   :


  1. 罽 ο Ģ ߰Ѵ (-A).

  2. 罽  򰡿 ο Ģ Ѵ. (-I).

  3. 罽  Ư ġ Ģ üѴ (-R).

  4. 罽  Ư Ģ Ѵ (-D).

  5. 罽 ӿ ù° յǴ Ģ Ѵ (-D).


  ŽĿ̵     ipchains  ִ.


  1.  ŽĿ̵  Ģ Ѵ (-M -L).

  2. ŽĿ̵ ŸӾƿ  Ѵ (-M -S).

  (׸ ¼  ) δ  Ͽ  Ŷ
  ־ 罽      ϴ  ִ.


  3.1.2.  ϳ Ģ  

  Ģ  ϴ , ̰̾߸ ipchains ٽ̴.
  κ   ߰(-A), (-D)  Ѵ.
  ٸ ͵(  -I, ü  -R)  信  ܼ
  Ȯ忡 Ұϴ.


   Ģ Ŷ Ѿ ϴ ǵ Ÿ  ϸ 
  (`target') ؾ ϴ Ѵ.    127.0.0.1 ̶ IP ּҷ
     ICMP Ŷ Ϸ Ѵٰ .     ICMP 
   ϰ ߽ ּҴ 127.0.0.1 ̾ Ѵٴ  ̴.  ǥ(target)
  "DENY" ȴ.


  127.0.0.1  `' ̽μ  Ʈ   ׻
   ִ ̴̽.  ping α׷ Ͽ Ŷ ߻ų 
  ִ. (ping ܼ ICMP Ÿ 8(echo request)  ̿ ϴ
   ȣƮ ICMP Ÿ 0(echo reply) ֵ Ǿ ִ.)
  ׽Ʈغ⿡  ̴.


  # ping -c 1 127.0.0.1
  PING 127.0.0.1 (127.0.0.1): 56 data bytes
  64 bytes from 127.0.0.1: icmp_seq=0 ttl=64 time=0.2 ms

  --- 127.0.0.1 ping statistics ---
  1 packets transmitted, 1 packets received, 0% packet loss
  round-trip min/avg/max = 0.2/0.2/0.2 ms
  # ipchains -A input -s 127.0.0.1 -p icmp -j DENY
  # ping -c 1 127.0.0.1
  PING 127.0.0.1 (127.0.0.1): 56 data bytes

  --- 127.0.0.1 ping statistics ---
  1 packets transmitted, 0 packets received, 100% packet loss
  #



    ù° ping  Ѵ. (`-c 1'̶ Ŷ ϳ 
  ̴.)


  ׸  츮 `input' 罽 127.0.0.1 κ (`-s 127.0.0.1')
   ICMP (`-p ICMP') Ŷ Ͽ DENY  ϶(`-j DENY')
  Ģ ߰Ͽ(-A).


  ι° ping   Ģ غ.      ٸ
  α׷ ٸ ð ֱ   ȴ.


  Ģ    ̴.  켱 Է 罽 Ģ ϳ ̶
   ˰ ֱ  ڸ Ͽ   ִ.


               # ipchains -D input 1
               #




    Է 罽 1  Ģ .


  ι°  -A ɰ Ȱ ϵ -A  -D  ٲٴ ̴.
  ſ  Ģ 罽 ְ ؾ  Ģ ȣ  ã
     Ѵ.   :


               # ipchains -D input -s 127.0.0.1 -p icmp -j DENY
               #




  -D  -A (Ǵ -I, -R)  Ȱ ɼ  Ѵ.
    罽  Ģ   ִٸ ù° ͸ .




  3.1.3.  ͸ Ģǥ(Specification)

  We have seen the use of `-p' to specify protocol, and `-s' to specify
  ռ  ϱ  `-p'  ϰ ߽ ּҸ ϱ 
  `-s'    Ҵ.   ̰ ̿ܿ Ŷ Ư ǥϴ 
  ٸ ɼǵ .  ణ ϰ   𸣴   ϰ
  Ѵ.


  3.1.3.1.  ߽,  IP ּ ϱ

  ߽(-s), (-d) IP ּҴ 4   ǥ  ִ.
   Ϲ  `localhost', `www.linuxhq.com'   ̸
  ϴ ̴.  ι°  `127.0.0.1'  IP ּҸ  ̴.


  °, ׹°  `199.95.207.0/24' Ǵ `199.95.207.0/255.255.255.0'
    IP ּ ׷ ǥϴ ̴.     192.95.207.0 
  192.95.207.255  IP ּҸ ǥѴ.  `/'  ڴ IP ּ 
   κ ߿Ѱ Ÿ.  `/32' Ǵ `/255.255.255.255'  ⺻
  ̴.(IP ּ  κ ߿)  `/0'  ϸ  IP ּҸ Ÿ
    ִ.


               # ipchains -A input -s 0/0 -j DENY
               #




      ʴ´.  ֳϸ ƿ `-s' ɼ  
  ̳ ٸ ̱ ̴.


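As an added example that is not part of the HOWTO, the shell functions below work out what each of the address forms above matches: they turn `/N' and `/w.x.y.z' masks into a canonical network and test whether a host falls inside it, the comparison ipchains makes for -s and -d. The addresses are the ones quoted in the text plus constructed test values.

```shell
#!/bin/sh
# Added example (not from the HOWTO): interpret the address forms ipchains
# accepts after -s/-d.  Host names are not resolved here; the addresses are
# the ones used in the text plus constructed test values.

# Dotted quad -> 32-bit integer.  Missing octets count as 0, so the bare
# `0' in `-s 0/0' is accepted.
ip_to_int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( (${1:-0} << 24) | (${2:-0} << 16) | (${3:-0} << 8) | ${4:-0} ))
}

# 32-bit integer -> dotted quad.
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Prefix length (0..32) -> 32-bit mask integer.  `/0' means "match all".
prefix_to_mask() {
    [ "$1" -gt 0 ] || { echo 0; return; }
    echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
}

# Number of one bits in a mask (mask -> prefix length).
mask_bits() {
    mb_m=$1; mb_n=0
    while [ "$mb_m" -ne 0 ]; do
        mb_n=$(( mb_n + (mb_m & 1) )); mb_m=$(( mb_m >> 1 ))
    done
    echo "$mb_n"
}

# Mask of an address spec: `/N', `/w.x.y.z', or none (defaults to /32,
# i.e. every bit of the address matters, as the text says).
spec_mask() {
    case $1 in
        */*) sm_m=${1#*/}
             case $sm_m in
                 *.*) ip_to_int "$sm_m" ;;
                 *)   prefix_to_mask "$sm_m" ;;
             esac ;;
        *)   prefix_to_mask 32 ;;
    esac
}

# Normalise a spec to `network/prefixlen' with the host bits cleared.
spec_to_cidr() {
    sc_mask=$(spec_mask "$1")
    sc_net=$(ip_to_int "${1%%/*}")
    echo "$(int_to_ip $(( sc_net & sc_mask )))/$(mask_bits "$sc_mask")"
}

# Exit status 0 if host address $1 matches spec $2, as ipchains would decide.
in_spec() {
    is_mask=$(spec_mask "$2")
    [ $(( $(ip_to_int "$1") & is_mask )) -eq $(( $(ip_to_int "${2%%/*}") & is_mask )) ]
}

# Demonstration with the addresses from the text.
spec_to_cidr 199.95.207.0/255.255.255.0
spec_to_cidr 127.0.0.1
in_spec 199.95.207.42 199.95.207.0/24 && echo "199.95.207.42 matches 199.95.207.0/24"
```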
  3.1.3.2.  Ģ(Inversion) ϱ

  `-s', `-d' ÷׸ ϴ  ÷ տ `!'(`not' Ѵ) ̸
  ־ ּҿ  ʴ  ǥѴ.    `-s ! localhost' 
  localhost  ʴ  Ŷ ġѴ.


  3.1.3.3.   ϱ

  The protocol can be specified with the `-p' flag.  Protocol can be a
  `-p' ÷׸ Ͽ    ִ.   ȣ
  (IP   ȣ ˰ ִ ) Ǵ `TCP', `UDP', `ICMP'
   ̸   ִ.  ҹڴ ߿ Ƿ `tcp', `TCP'
  Ȱ óȴ.


  ǥ ϱ  `-p ! TCP' ó `!'    ִ.


  3.1.3.3.1.  UDP, TCP Ʈ ϱ

  TCP, UDP  쿡 TCP, UDP Ʈ Ǵ Ʈ  ߰
    ִ.(`` óϱ''   о ٶ)  
  `6000:6010' ó ݷ(:) ڸ Ͽ ǥѴ.    `6000:6010'
  ǹ̴ 6000  Ͽ 6010  11  Ʈ ȣ̴.
    ۰ Ǹ 0  Ѵ.     Ǹ
  65535  Ѵ.   1024 Ʈ Ϸκ  TCP 
  `-p TCP -s 0.0.0.0/0 :1024' ǥѴ.  Ʈ ȣ   `www'
   ̸ ǥ  ִ.

  Ʈ Կ ־ `!' Ͽ Ģ ǥ ϴ.
  WWW Ŷ ̿  TCP Ŷ ǥϰ     Ѵ.

  -p TCP -d 0.0.0.0/0 ! www


  -p TCP -d ! 192.168.1.1 www

     

  -p TCP -d 192.168.1.1 ! www

  ǥ   ٸ ̶    ־ Ѵ.


  The first specifies any TCP packet to the WWW port on any machine but
  ù°  192.168.1.1    ӽ WWW Ʈ ϴ TCP
  Ŷ Ű ݸ ι°  192.168.1.1 ӽ  WWW Ʈ
  ̿  TCP  Ÿ.


    ǥ 192.168.1.1  ƴϰ WWW Ʈ ƴ Ÿ:

  -p TCP -d ! 192.168.1.1 ! www




  3.1.3.3.2.  ICMP Ÿ԰ ڵ ϱ

  ICMP  ΰ ɼ  ִ.   ICMP  ־ Ʈ  
   ǹ̴  ٸ.


  `-s' ɼ  ICMP ̸(̸ ˾ƺ `ipchains -h icmp' 
  Ѵ) ų Ǵ ڷ  ICMP  ڵ   ִ.
  ICMP  `-s' ɼ ڿ  ڵ `-d' ɼ ڿ   ִ.


  ICMP ̸  :  ٸ Ͱ    θ 
  ָ ȴ.


    ICMP Ŷ  Ϻ̴.


       ȣ    ̸                     ʿ ϴ 

       0       echo-reply               ping
       3       destination-unreachable   TCP/UDP ڷ ȯ
       5       redirect                      
       8       echo-request             ping
       11      time-exceeded            traceroute




   μ ICMP ̸ տ `!'    ̴.


    ICMP  3  ޽ Ƽ ȵȴ.
  (``ICMP Ŷ'' )


  3.1.3.4.  ̽ ϱ

  `-i' ɼ Ͽ  ̽ ̸   ִ.
   Ŷ  ̽(, `input' 罽 ϴ Ŷ Ͽ)
  Ŷ  ̽ Ѵ.      Ŷ 
  ̽(`output' 罽 ϴ Ŷ Ͽ) ׵  
  ̽ Ų.  `forward' 罽  Ŷ  ̽
   Ŷ  ̽ Ѵ.  ſ پ  ϴٰ .


     ʴ ̽ ص ƹ  .
  ġ ۵ϱ   Ģ  쵵 ش  ̱
  ̴.   Ư¡ ̾  PPP (Ϲ `ppp0')  쿡
  ſ ִ.


  Ư μ ̽ ̸ `+'   ڿ ϴ 
  ̽( ϵ ʵ ) ȴ.    `-i ppp+'
  ɼ ϸ  PPP ̽ Ų.


  ־ ̽  ̽ ǥϱ  `!'  ̽
  ̸ տ   ִ.


  3.1.3.5.  TCP SYN Ŷ ϱ

  δ TCP   θ  ʿ䰡 ִ.    ܺ WWW
     ϸ鼭    ۵   
  ϵ    ִ.


  ڿ   κ  TCP Ŷ ϴ ̸.
   ϰԵ TCP   Ŷ   ־߸ Ѵ.


  ̿  ذåμ  ûϴ Ŷ ϴ  Ѵ.
   Ŷ SYN Ŷ̶ θ.( δ SYN ÷װ Ǿ
  ְ FIN, ACK ÷״   Ŷ Ų)   Ŷ 
  ν  û   ִ.


  `-y' ÷׸ ̷ 뵵 Ѵ.   TCP ݿ شѴ.
    192.168.1.1 κ  TCP  ǥ   .

  -p TCP -s 192.168.1.1 -y


   `!' ν  ʱȭ Ŷ ̿ Ŷ ǥ  ִ.





  3.1.3.6.  (Fragments) óϱ

   ϳ Ŷ    ȸ ϱ⿡ ʹ ū 찡 ߻Ѵ.
    Ŷ `'    Ŷ ۵ȴ.  ޴ ʿ
     ϳ Ŷ 籸Ѵ.


   õ   .  ռ     
  (Ư ߽ Ʈ,  Ʈ, ICMP , ICMP ڵ Ǵ TCP SYN ÷)
   Ŀ Ŷ  κ  Ǻϴµ    ù° 
   Ѵٴ Ƿκ Ѵ.


   ӽ ܺ Ʈ    â Ŀ Ͻ
  `IP: always defragment' Y  ϰ ν  ӽ 
        ִ.  ̷ ν  ϰ
  ó  ִ.


  ׷    ͸ Ģ   óǴ ϴ 
  ߿ϴ.  츮     䱸ϴ  ͸ Ģ ġ
    ̴.  ̴ ù°  ġ ٸ Ŷ  ó
  Ѵ.   ι° ĺʹ  ߻Ѵ.
   `-p TCP -s 192.168.1.1 www'  Ģ(߽ Ʈ `www' )
  ù°  ϰ   Ͽ ġ ʴ´.
   ݴ Ģ `-p TCP -s 192.168.1.1 ! www'  .


  ׷ `-f' ÷׸ Ͽ ι°   Ͽ Ģ 
   ִ.   鿡 Ͽ TCP, UDP Ʈ, ICMP , ICMP ڵ Ǵ
  TCP SYN ÷׸ ϴ  и  ʴ.


  `!' `-f' տ ν ι°   ƴ Ϳ  Ģ
  ϴ  ϴ.


  Usually it is regarded as safe to let second and further fragments
  Ϲ ι°   ׳ δ  ϴ.  ֳϸ ͸
  Ģ ù°    ̰  ȣƮ   
  ϰ  ̱ ̴.   ̷  ̿Ͽ   Ǹ
  ӽ ٿǴ װ ߰ߵ  ִ.   Ǵܿ ñ.


  Ʈ ڰ   : ߸  Ŷ(TCP, UDP, ICMP Ŷ Ʈ
  ICMP ڵ,  ȭ ڵ尡 б⿡ ʹ  )  
  Ѵ.  8 ° ġ ִ TCP   ȭ ڵ忡 
  .(  syslog   ޽ Ÿ )


     Ģ 192.168.1.1     .




       # ipchains -A output -f -D 192.168.1.1 -j DENY
       #


  3.1.4.  ͸  ȿ

  . ݱ Ģ Ͽ Ŷ Ƴ   .
   Ŷ Ģ ϸ    Ͼ:


  1. Ģ  Ʈ īͰ Ŷ ũ(  ڷ)ŭ Ѵ.

  2. Ģ  Ŷ īͰ Ѵ.

  3. Ģ 䱸ϴ  Ŷ Ѵ.

  4. Ģ 䱸ϴ  Ŷ  (Type Of Service) ʵ带
     Ѵ.

  5. Ģ 䱸ϴ  Ŷ ǥѴ.(2.0 Ŀ ø ȵ)

  6. Ģ ǥ Ͽ Ŷ Ͽ     Ѵ.


  For variety, I'll address these in order of importance.
  ߿伺    ϵ ϰڴ.


  3.1.4.1.  ǥ ϱ

  `target'  Ŀ Ģ ´ Ŷ  ó  ִ ̴.
  ipchains  `-j' ( Ѵٰ ϶) Ἥ ǥ Ѵ.


     ƹ ǥ  ̴.  ̷ Ģ( `ȸ
  (accounting) Ģ'̶ θ) Ư  Ŷ Ͽ   
  ȴ.  Ģ µ Ʋ Ŀ 罽   Ģ Ѵ.
    192.168.1.1κ  Ŷ     
   Ѵ:


       # ipchains -A input -s 192.168.1.1
       #


  (`ipchains -L -v' Ͽ  Ģ  Ʈ, Ŷ ī͸ 
   ִ.)


  6  Ư ǥ ִ.  ó 3  `ACCEPT', `REJECT', `DENY' μ
  ſ ϴ.  ACCEPT Ŷ ϵ Ѵ.  DENY ġ Ŷ
    ó .  REJECT Ŷ  Ŷ ߽ ICMP
        뺸Ѵ.(ICMP Ŷ ƴ )


    `MASQ'μ Ŀη Ͽ Ŷ ŽĿ̵ϰ Ѵ.  
  ۵ϱ ؼ IP ŽĿ̵ ϵ Ŀ ϵǾ ־
  Ѵ.  ڼ  Masquerading-HOWTO ÷ ``ipchains ipfwadm 
  '' ϶.   ǥ `forward' 罽 ϴ Ŷ
  ȿϴ.


   ٸ ߿ Ư ǥδ Ŀη Ͽ Ŷ ϰ  ϰ
  ־   Ʈ Ŷ  ع `REDIRECT'
  ִ.  TCP, UDP  ݿ ϴ.   Ʈ(̸ Ǵ
  ȣ) `-j REDIRECT'  ν  Ư Ʈ ϰ ִ Ŷ
  ٸ Ʈ ȯų  ִ.   ǥ `input' 罽 ϴ Ŷ
  ȿϴ.

  Ư ǥ  `RETURN'μ  罽  ׸ 
  Ѵ. (``å ϱ'' )


  ̿ ٸ ǥ   罽(``ü 罽  '' )̴.
  Ŷ 罽 Ģ ϱ Ѵ.   罽 Ŷ 
   ʾҰ 罽  ƴٸ   ̾ 罽 ٷ  
  Ģ Ŷ  ۾ 簳ȴ.


  ASCII Ʈ ð ƿԴ.   2  (ణ û) 罽 
  . ϳ  罽 `input'̸ ϳ   罽 `Test'̴.


           `input'                         `Test'
          ----------------------------    ----------------------------
          | Rule1: -p ICMP -j REJECT |    | Rule1: -s 192.168.1.1    |
          |--------------------------|    |--------------------------|
          | Rule2: -p TCP -j Test    |    | Rule2: -d 192.168.1.1    |
          |--------------------------|    ----------------------------
          | Rule3: -p UDP -j DENY    |
          ----------------------------


  192.168.1.1κ ͼ 1.2.3.4  TCP Ŷ غ.  Ŷ
  Է 罽  Ģ 1  غ.  ش ʴ´.
  Ģ 2  °  ǥ `Test'̴.     Ģ `Test'
   κ̴.  Test Ģ 1  ǥ ϰ  Ƿ  
  Ģ 2  Ѵ.   Ƿ 罽  ϰ ȴ.  ⼭ 츮
  ġ Ģ 2  ϰ  Ģ 3  ϰ  ó  `input'
  罽 ư.  Ģ 3   ʴ´.


   Ŷ δ  :

                                  v    __________________________
           `input'                |   /    `Test'                v
          ------------------------|--/    -----------------------|----
          | Rule1                 | /|    | Rule1                |   |
          |-----------------------|/-|    |----------------------|---|
          | Rule2                 /  |    | Rule2                |   |
          |--------------------------|    -----------------------v----
          | Rule3                 /--+___________________________/
          ------------------------|---
                                  v


   罽 ȿ ϱ   ``и ȭ Ģ
  üȭϱ''  ϶.


  3.1.4.2.  Ŷ ϱ

  Ģ     ִ μ ȿ̴.  ġϴ Ŷ Ͽ `-l'
  ÷׸    ִ.  ϻ Ŷ ϱ ٴ 
  Ȳ ߰ϰ   ϰ  ̴.
  (`man klogd' Ǵ `man dmesg' )


  3.1.4.3.    óϱ

  IP    ʴ 4  Ʈ  (Type of
  Service, TOS) Ʈ θ.   Ʈ Ŷ ó Ŀ 
  ش.  4  Ʈ "ּ (Minimum Delay)", "ִ ۷(Maximum
  Throughput)", "ִ (Maximum Reliability)", "ּ (Minimum Cost)"
  ̴.    ϳ   ִ.  TOS ó ڵ  Rob
  van Nieuwkerk   ڴ.


       ٵ  ־ "ּ (Minimum Delay)" ߿ϴ.
         (̴)  "ȭ" Ŷ Ͽ 
       Ʈ ѵд.   33k6   ִ.   3 
       ť  Ŷ 켱 Ѵ.  ̷  ÿ 뷮
       ٿε ۾ ϸ鼭 ȭ ۾ ȿ   ִ.
       (ø ġ ̹ ť  ۾Ҵ  Ǿ 
       ְ  Ǿ  ð 1.5 ʷ   ־.)



  The most common use is to set telnet & ftp control connections to
   Ϲ   telnet & ftp  ӿ ؼ
  "ּ (Minimum Delay)" ϰ FTP ڷῡ ؼ
  "ִ ۷(Maximum Throughput)" ϴ ̴.    ϸ
  ȴ.


       ipchains -A output -p tcp -d 0.0.0.0/0 telnet -t 0x01 0x10
       ipchains -A output -p tcp -d 0.0.0.0/0 ftp -t 0x01 0x10
       ipchains -A output -p tcp -s 0.0.0.0/0 ftp-data -t 0x01 0x08



  `-t' ÷״ 2    16  ޾Ƶδ.  ̷ ν
   TOS Ʈ  ϴ.  ù° Žũ Ŷ  TOS  AND
  ǰ ι° Žũ XOR ȴ.  ʹ ϰ ٸ  ǥ
  ϶.


       TOS ̸                               뵵

       Minimum Delay           0x01 0x10       ftp, telnet
       Maximum Throughput      0x01 0x08       ftp-data
       Maximum Reliability     0x01 0x04       snmp
       Minimum Cost            0x01 0x02       nntp



  3.1.4.4.  Ŷ ǥϱ

   ǰ   Ŀ v2.1 ø Traffic Shaper ڵ带
  Alexey Kuznetsov  ο  ǰ(Quality of Service) 
  ٲ Ǹ  ϰ  ȣ ۿ  ̶ ϰ ִ.
   2.0 ø  õȴ.


  3.1.4.5.  ü 罽  

  ipchains     ϳ  Ģ  罽 ӿ  
  ִٴ ̴.   罽(`input', `output', `forward')  ǥ 
  (`MASQ', `REDIRECT', `ACCEPT', `DENY', `REJECT', `RETURN') ̸ 浹
  ٸ  罽  θ .    Ȯ ɿ
  Ͽ   𸣹Ƿ 빮 ̸ ϱ Ѵ.  罽 ̸
  8 ڱ ϴ.


  3.1.4.6.  ο 罽 

  ο 罽 .      ſ  ǳ(?)
  ̱  罽 ̸ `test' ϰڴ (^^)



       # ipchains -N test
       #



  ſ ϴ.   Ģ ߰  ִ.


  3.1.4.7.  罽 

  罽   ϴ.



       # ipchains -X test
       #



   `-X' ΰ?  ~ ̹  ڵ  ȱ ̴.


  罽 µ     ִ.  ϴ 罽  ¿
  Ѵ.(``罽 '' )  ׸ 罽 ٸ Ģ ǥ Ǿ
  ȵȴ.  3   罽   .


  3.1.4.8.  罽 

  `-F'  ϸ 罽κ  Ģ    ִ.



               # ipchains -F forward
               #



  罽    罽  .


  3.1.4.9.  罽  


  `-L'  Ͽ 罽 ӿ   Ģ   ִ.


       # ipchains -L input
       Chain input (refcnt = 1): (policy ACCEPT)
       target     prot opt    source                destination           ports
       ACCEPT     icmp -----  anywhere              anywhere              any
       # ipchains -L test
       Chain test (refcnt = 0):
       target     prot opt    source                destination           ports
       DENY       icmp -----  localnet/24           anywhere              any
       #


  `test' ׸ ǥõ "refcnt" `test' ǥ  ִ Ģ 
  Ÿ.  罽     0 ̾ Ѵ.(׸ 罽 ü
   ¿ Ѵ.)


  罽 ̸ Ǹ  ̶    罽 ǥõȴ.


  There are three options which can accompany `-L'.  The `-n' (numeric)
  `-L' ɰ   ִ 3  ɼ ִ.  `-n'( ǥ) ɼ
  ipchains Ͽ IP ּ 캸⸦  ʰ ϱ  DNS  
   ʾ   ų DNS û ͸ 쿡 ϴ.
  Ʈ ؼ Ʈ ̸ ƴ ڷ ǥõǵ Ѵ.


  `-v' ɼ ϸ Ŷ, Ʈ ī, TOS Žũ, ̽ ׸
  Ŷ ǥİ  Ģ     ִ.
  ɼ     ǥõ ʴ´.   :



       # ipchains -v -L input
       Chain input (refcnt = 1): (policy ACCEPT)
        pkts bytes target     prot opt   tosa tosx  ifname    mark        source                destination           ports
          10   840 ACCEPT     icmp ----- 0xFF 0x00  lo                    anywhere              anywhere              any



  Ŷ, Ʈ ī  1000, 1,000,000, 1,000,000,000  Ͽ
  `K', `M', `G' ̻縦 Ͽ ǥõȴٴ   .
  `-x' ɼ ϸ   ſ ũ    ڷ ǥش.


  3.1.4.10.  ī 缳ϱ(0 )

  ī  0     ִ.  `-Z'( ī) ɼ 
  ϸ ȴ.   :


       # ipchains -v -L input
       Chain input (refcnt = 1): (policy ACCEPT)
        pkts bytes target     prot opt   tosa tosx  ifname    mark        source                destination           ports
          10   840 ACCEPT     icmp ----- 0xFF 0x00  lo                    anywhere              anywhere              any
       # ipchains -Z input
       # ipchains -v -L input
       Chain input (refcnt = 1): (policy ACCEPT)
        pkts bytes target     prot opt   tosa tosx  ifname    mark        source                destination           ports
           0     0 ACCEPT     icmp ----- 0xFF 0x00  lo                    anywhere              anywhere              any
       #


  ̷     缳 ٷ  ī  ˾ƾ 
  ʿ䰡 ִٴ ̴.     Ŷ `-L' `-Z'  ߰
   찡 ߻Ѵ.  ̷    鼭 ÿ 
  缳ϱ  `-L' `-Z'  Ѵ.    δ ϳ
  罽 Ͽ   Ƿ    罽 鼭 ÿ 0 
   Ѵ.


       # ipchains -L -v -Z
       Chain input (policy ACCEPT):
        pkts bytes target     prot opt   tosa tosx  ifname    mark        source                destination           ports
          10   840 ACCEPT     icmp ----- 0xFF 0x00  lo                    anywhere              anywhere              any

       Chain forward (refcnt = 1): (policy ACCEPT)
       Chain output (refcnt = 1): (policy ACCEPT)
       Chain test (refcnt = 0):
           0     0 DENY       icmp ----- 0xFF 0x00  ppp0                  localnet/24           anywhere              any
       # ipchains -L -v
       Chain input (policy ACCEPT):
        pkts bytes target     prot opt   tosa tosx  ifname    mark        source                destination           ports
          10   840 ACCEPT     icmp ----- 0xFF 0x00  lo                    anywhere              anywhere              any

       Chain forward (refcnt = 1): (policy ACCEPT)
       Chain output (refcnt = 1): (policy ACCEPT)
       Chain test (refcnt = 0):
           0     0 DENY       icmp ----- 0xFF 0x00  ppp0                  localnet/24           anywhere              any
       #
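An added example that is not from the HOWTO: two shell functions that read a saved `ipchains -L -v' listing like the ones above, expand the K/M/G counter suffixes, and report which rules have actually matched packets and how many bytes each chain has counted. The listing they parse is constructed here in the same layout; it assumes the `mark' column is blank, as on 2.0 kernels.

```shell
#!/bin/sh
# Added example (not from the HOWTO): read `ipchains -L -v' output and report
# which rules have matched traffic.  SAMPLE is a constructed listing in the
# format shown in the text; K/M/G suffixes are expanded to the raw numbers
# that -x would print.

SAMPLE=$(cat <<'EOF'
Chain input (policy ACCEPT):
 pkts bytes target     prot opt   tosa tosx  ifname    mark        source                destination           ports
   10   840 ACCEPT     icmp ----- 0xFF 0x00  lo                    anywhere              anywhere              any
 1532 1200K DENY       tcp  ----l 0xFF 0x00  ppp0                  192.168.1.0/24        anywhere              any

Chain forward (refcnt = 1): (policy ACCEPT)
Chain output (refcnt = 1): (policy ACCEPT)
Chain test (refcnt = 0):
    0     0 DENY       icmp ----- 0xFF 0x00  ppp0                  localnet/24           anywhere              any
EOF
)

# awk prologue shared by both functions: tracks the current chain, skips the
# column-header line and expands counters such as `1200K' to integers.
LISTING_AWK='
function expand(v,  n) {
    n = v + 0                       # numeric prefix of the field
    if (v ~ /K$/)      n *= 1000
    else if (v ~ /M$/) n *= 1000000
    else if (v ~ /G$/) n *= 1000000000
    return n
}
/^Chain / { chain = $2; next }
$1 == "pkts" { next }
'

# Total bytes counted on all rules of chain $1 (listing on stdin).
chain_bytes() {
    awk -v want="$1" "$LISTING_AWK"'
        chain == want && NF >= 3 { total += expand($2) }
        END { printf "%d\n", total }'
}

# One line per rule whose packet counter is non-zero (listing on stdin):
# chain, target, protocol, interface and the packet count.  Only columns
# before the blank `mark' column are used, so field numbers stay stable.
hot_rules() {
    awk "$LISTING_AWK"'
        NF >= 3 && expand($1) > 0 {
            printf "%-8s %-7s %-5s %-6s %s pkts\n", chain, $3, $4, $8, $1 }'
}

printf '%s\n' "$SAMPLE" | hot_rules
printf '%s\n' "$SAMPLE" | chain_bytes input
```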


  3.1.4.11.  å ϱ

  ռ ``ǥ ϱ''   Ŷ 罽 ϴ ̾߱ 
  Ŷ  罽        ˾ƺҴ.
    罽 `å' Ŷ  Ѵ.    罽
  (`input', `output', `forward') å ´.  ֳϸ Ŷ 
   罽 ϰ   罽 ٽ ϱ ̴.


  å   Ư 4    ϳ   ִ.
  `ACCEPT', `DENY', `REJECT', `MASQ'.  ⼭ `MASQ' 
  `forward' 罽 ȿϴ.


   罽 Ե Ģ `RETURN' ǥ θ Ŷ Ģ
     罽 å  ϴµ  ִ
    ˾Ƶδ  .


  3.1.5.  Ž̵(Masquerading) õ 


  IP ŽĿ̵ Ͽ   ִ   Ű ִ.
  ̵      ٰ ߱⿡(  
  ٲ  ִ) `ipchains'    Խ״.


  IP ŽĿ̵  `-M' ̴.  `-L'     ŽĿ̵Ǿ
  ִ  Ȳ   ְ `-S' Ͽ ŽĿ̵ Ű 
   ִ.


  `-L' ɿ `-n' ̸ ȣƮ ̸ Ʈ ̸   ڷ ָ
  `-v' ɼ ָ ŽĿ̵  Ȳ Ͽ  ȣ(sequence #)
  Ÿ(delta) ش.


  `-S'  ڿ 3  ŸӾƿ     Ѵ.  
  ϳ TCP ,  ϳ FIN Ŷ  TCP , ׸ ϳ
  UDP Ŷ  ̴.   ϰ     `0'
  ´.


  ⺻ `/usr/include/net/ip_masq.h'    
  15 , 2 , 5 ̴.


  Ϲ ϴ  ù° μ FTP  ؼ̴.
  (``FTP Ǹ'' )


  3.1.6.  Ŷ ϱ

  δ ȭ 罽 ϱ   Ŷ ӽſ  
   ߻ϴ ˰   ִ.  `ipchains' `-C'  ϸ
  ȴ.  Ŀ  Ŷ ˻  ϴ  ƾ Ѵ.


  `-C' μ  Ŷ ׽Ʈ  罽 ̸ ´.  Ŀ 
  `input', `output', `forward' 罽  ׽  
    罽   ִ.


  `Ŷ'    ȭ Ģ   ߴ  ״
  Ѵ.  Ư (`-p'), ߽ ּ(`-s'),  ּ(`-d'),
  ̽(`-i') ɼ  ؾ Ѵ.   TCP Ǵ UDP  
  ߽ ּ ϳ  Ʈ ؾ ϸ ICMP  쿡
  ICMP  ڵ带  ؾ Ѵ. ( Ģ Ű  `-f' ÷
    찡 ƴ  ׷ϴ.   `-f' ɼ  쿡
  ߽ ּ,  Ʈ ɼ   .)


   TCP (׸ `-f' ÷װ  ) `-y' ÷׸ Ͽ
  Ŷ SYN Ʈ Ǿ  ǥ  ִ.


   192.168.1.1  60000 Ʈ 192.168.1.2  www Ʈ ϴ
  TCP SYN Ŷ `input' 罽     ׽Ʈϴ 
  ̴.  (  WWW    ̴. )



       # ipchains -C input -p tcp -y -s 192.168.1.1 60000 -d 192.168.1.2 www
       packet accepted
       #



  3.1.7.     Ģ   ϱ

  δ ϳ ε  Ģ  ĥ  ִ.   
     ִ.  켱 DNS  Ͽ   IP ּҷ ؼǴ
  ȣƮ ̸ ϰ Ǹ `ipchains' ġ   IP ּҸ
    Ȱ   ó óѴ.


    `www.foo.com' ̶ ȣƮ ̸ 3  IP ּҸ Ű
  `www.bar.com' ȣƮ ̸ 2  IP ּҸ Ű ȴٰ ϰ
  `ipchains -A input -j reject -s www.bar.com -d www.foo.com'  ϰ
  Ǹ ġ 6  Ģ `input' 罽  Ͱ .


  `ipchains'  ൿ ϰ ϴ ٸ   ÷(`-b')
  ϴ ̴.   ÷׸ ϸ `ipchains'    
  ó Ѵ.  ι°  ù° Ͱ `-s', `-d' ڹٲ ̴.
   192.168.1.1 ϰų ׷κ   Ŷ   
       ִ.



       # ipchains -b -A forward -j reject -s 192.168.1.1
       #


  δ `-b' ɼ  ʴ´.  ̰ ϴٰ ϴ 
  ``ipchains-save ϱ''  ϶.


  -b ɼ (`-I'), (`-D') (Ģ ȣ   ), ߰(`-A'),
  (`-C') ɰ Բ   ִ.


   ÷׷δ  ɿ  `ipchains'   ϰ ִ
  ֵ ϴ `-v'(Ȳϰ) ִ.  ټ Ģ  ĥ ̶
  ϴ ɿ ִ.    192.168.1.1 192.168.1.2 
   ¸ ϴ 츦 ڴ.



  # ipchains -v -b -C input -p tcp -f -s 192.168.1.1 -d 192.168.1.2 -i lo
    tcp opt   ---f- tos 0xFF 0x00  via lo    192.168.1.1  -> 192.168.1.2    * ->   *
  packet accepted
    tcp opt   ---f- tos 0xFF 0x00  via lo    192.168.1.2  -> 192.168.1.1    * ->   *
  packet accepted
  #


  3.2.   

   ȭ PPP (`-i ppp0') ϰ ִ.  ȭ  
   ܾ(`-p TCP -s news.virtual.net.au nntp')  ´.
  (`-p TCP -s mail.virtual.net.au pop-3')   ڽ  
  ϱ   FTP   Ѵ. (`-p TCP -s ftp.debian.org
  ftp-data')    ISP Ͻø    .
  (`-p TCP -d proxy.virtual.net.au 8080')   Dilbert Archive Ʈ
  ̴ doubleclick.net κ  ȾѴ.
  (`-p TCP -y -d 199.95.207.0/24' & `-p TCP -y -s 199.95.208.0/24')


   ߿ ٸ   ӽ ftp   ġ ʴ´.
  (`-p TCP -d $LOCALIP ftp')    Ʈ ܺ   IP ּҸ
  Ͽ ϱ ġ ʴ´. (`-s 192.168.1.0/24')


   Ʈ ٸ ӽ    ſ  ̷.


   μ  ͵(  ׽, Gzilla ) doubleclick.net
    ϵ ϰ ʹ.



       # ipchains -A input -d 199.95.207.0/24 -j REJECT
       # ipchains -A input -d 199.95.208.0/24 -j REJECT
       #


   Ǿ `input' 罽 ϴ Ŷ Ͽ ̽
  `lo' ϱ  `-i lo'   ִ.


    ܺη  Ŷ Ͽ 켱 Ϸ Ѵ. ( 
  Ŷ Ͽ   ִ ̶  . )    Ģ 
  ֱ   θ `ppp-out'̶ ̸ 罽 ־δ  ٰ
  Ѵ.



       # ipchains -N ppp-out
       # ipchains -A output -i ppp0 -j ppp-out
       #



  , ڳݿ ؼ ּ  Ѵ.


       # ipchains -A ppp-out -p TCP -d proxy.virtual.net.au 8080 -t 0x00 0x10
       # ipchains -A ppp-out -p TCP -d 0.0.0.0/0 telnet -t 0x00 0x10
       #



  ftp ڷ nntp, pop-3  ؼ 켱 :


       # ipchains -A ppp-out -p TCP -d 0.0.0.0/0 ftp-data -t 0x00 0x02
       # ipchains -A ppp-out -p TCP -d 0.0.0.0/0 nntp -t 0x00 0x02
       # ipchains -A ppp-out -p TCP -d 0.0.0.0/0 pop-3 -t 0x00 0x02
       #



  ppp0 ̽   Ŷ    Ģ ִ:
  `ppp-in' ̶ 罽 :



       # ipchains -N ppp-in
       # ipchains -A input -i ppp0 -j ppp-in
       #



  ppp0  192.168.1.* ̶ ߽ ּҸ   Ŷ 
  ϰ óѴ.



       # ipchains -A ppp-in -s 192.168.1.0/24 -l -j DENY
       #



  DNS ( û `203.29.16.1' ϱ  DNS TCP ؼ 
  㰡Ѵ), ftp, ȯϴ(return) ftp-data  㰡Ѵ.(return ftp-data
   1023 Ʈ   ftp-data Ѵ.)


       # ipchains -A ppp-in -p TCP -s 203.29.16.1 -d $LOCALIP dns -j ACCEPT
       # ipchains -A ppp-in -p TCP -s 0.0.0.0/0 ftp-data -d $LOCALIP 1024: -j ACCEPT
       # ipchains -A ppp-in -p TCP -d $LOCALIP ftp -j ACCEPT
       #


    ۿ   Ŷ  㰡Ѵ:


       # ipchains -A input -i lo -j ACCEPT
       #


  `input' 罽  ⺻ å DENY̴.   õ  ̿ 
   źѴ.


       # ipchains -P input DENY
       #


  :    罽   ʴ´.  ֳϸ  ߿
  Ŷ   ֱ ̴.     켱 å DENY
    Ģ س ̴.  翬 Ģ DNS ãƺ⸦ ʿ
  ϴ 쿡  ȴ.

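As an added example that is not the author's own script, here are the rules of this section gathered into one re-runnable shell script. It assumes LOCALIP is the ppp0 address (a placeholder is used), keeps the ISP name server 203.29.16.1 from the text, and can be dry-run by pointing IPCHAINS at `echo'.

```shell
#!/bin/sh
# Added example, not the HOWTO author's script: the rules of this section
# gathered into one script that can be re-run safely.  Assumptions: LOCALIP
# is the address of ppp0 (placeholder default below), 203.29.16.1 is the
# ISP's name server as in the text, and IPCHAINS can be pointed at `echo'
# to print the commands instead of executing them.
IPCHAINS=${IPCHAINS:-ipchains}
LOCALIP=${LOCALIP:-192.0.2.1}     # placeholder: put the ppp0 address here

# The rule set, one ipchains argument list per line, in the order applied.
# The input policy is set to DENY first, so nothing is accepted while the
# remaining rules are still being loaded.  The port is written `dns' as in
# the text; the standard /etc/services name for 53/tcp is `domain'.
firewall_rules() {
    cat <<EOF
-P input DENY
-F input
-F output
-N ppp-in
-F ppp-in
-N ppp-out
-F ppp-out
-A input -d 199.95.207.0/24 -j REJECT
-A input -d 199.95.208.0/24 -j REJECT
-A output -i ppp0 -j ppp-out
-A ppp-out -p TCP -d proxy.virtual.net.au 8080 -t 0x00 0x10
-A ppp-out -p TCP -d 0.0.0.0/0 telnet -t 0x00 0x10
-A ppp-out -p TCP -d 0.0.0.0/0 ftp-data -t 0x00 0x02
-A ppp-out -p TCP -d 0.0.0.0/0 nntp -t 0x00 0x02
-A ppp-out -p TCP -d 0.0.0.0/0 pop-3 -t 0x00 0x02
-A input -i ppp0 -j ppp-in
-A ppp-in -s 192.168.1.0/24 -l -j DENY
-A ppp-in -p TCP -s 203.29.16.1 -d $LOCALIP dns -j ACCEPT
-A ppp-in -p TCP -s 0.0.0.0/0 ftp-data -d $LOCALIP 1024: -j ACCEPT
-A ppp-in -p TCP -d $LOCALIP ftp -j ACCEPT
-A input -i lo -j ACCEPT
EOF
}

# Apply the rules.  `-N' on a chain that already exists fails, which is
# harmless because the chain is flushed on the next line; any other failure
# stops the script so a half-loaded rule set is noticed.
apply_firewall() {
    firewall_rules | while read -r rule; do
        case $rule in
            -N*) $IPCHAINS $rule 2>/dev/null || : ;;
            *)   $IPCHAINS $rule || { echo "failed: ipchains $rule" >&2; exit 1; } ;;
        esac
    done
}

# Without ipchains on the path (e.g. when reviewing the script elsewhere),
# print the commands instead of running them.
if ! command -v "$IPCHAINS" >/dev/null 2>&1; then
    echo "$IPCHAINS not found, printing commands instead" >&2
    IPCHAINS=echo
fi
apply_firewall
```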



  3.2.1.  ``ipchains-save'' ϱ

   ϴ  ȭ 罽   ,    ߴ
  ϸ Ÿ   뽺.


  ٷ    `ipchains-save' ũƮ  罽  
  о鿩 Ϸ ϴ  ش.  а `ipchains-restore'
    ϴ ؼ صΰڴ.


  `ipchains-save' can save a single chain, or all chains (if no chain
  name is specified).  The only option currently permitted is `-v' which
  prints the rules (to stderr) as they are saved.  The policy of the
  chain is also saved for `input', `output' and `forward' chains.



       $ ipchains-save > my_firewall
       Saving `input'.
       Saving `output'.
       Saving `forward'.
       Saving `ppp-in'.
       Saving `ppp-out'.
       $


  3.2.2.  ``ipchains-restore'' ϱ

  `ipchains-save' Ͽ  罽 ϴ ũƮ
  `ipchains-restore' ̴.    ɼ  ִ.
  `-v'   Ģ ߰ǰ ִ ش.  `-f' ɼ ռ 
   罽 ϴ    罽  ϴ 쵵 Ѵ.


   ũƮ Է 뿡   罽 ִٸ `ipchains-restore'
  罽 ̹ ϰ ִ Ѵ.  ϴ  ϴ 罽 
    (Ģ   ) ƴϸ ׳  κ ƹ ϵ
   ʰ Ѿ   ޴´.  `-f' ɼ ࿡ ָ
    .   罽  ϴ .


  ũƮ ϱ ؼ root  Ѵ; Ģ ѳ 
  `ipchains' ϱ ̴.


   :


       # ipchains-restore < my_firewall
       Restoring `input'.
       Restoring `output'.
       Restoring `forward'.
       Restoring `ppp-in'.
       Chain `ppp-in' already exists. Skip or flush? [S/f]? s
       Skipping `ppp-in'.
       Restoring `ppp-out'.
       Chain `ppp-out' already exists. Skip or flush? [S/f]? f
       Flushing `ppp-out'.
       #



  4.  Ÿ 

   ǿ   κ     Ÿ  FAQ ٷ.


  4.1.   ϴ ȭ Ģ üȭ  ִ°?


    ռ ణ  ʿϴ.   ӵ ȭ
   ְ(κ Ŷ Ͽ  Ģ  ּȭϴ ) Ǵ 
   ϰ ϴ    ִ.


  PPP ó  Ǵ ȸ  ִ 쿡 ϸ鼭
    input 罽 `-i ppp0 -j DENY'  ϰ  ̴.
  ׸ `ip-up' ũƮ    ־ Ѵ.


       # Re-create the `ppp-in' chain.
       ipchains-restore -f < ppp-in.firewall

       # Replace DENY rule with jump to ppp-handling chain.
       ipchains -R input 1 -i ppp0 -j ppp-in


  ip-down ũƮ   :


       ipchains -R input 1 -i ppp0 -j DENY



  4.2.  ɷ ȵ 


   ʴ   ɷ ϱ  ˾Ƶξ   
  ߿  ִ.


  4.2.1.  ICMP Ŷ

  ICMP packets are used (among other things) to indicate failure for
  (ٸ  ͵ ߿) ICMP ٸ (TCP, UDP) и 뺸
   ȴ.  `   (destination-unreachable)' Ŷ
  ICMP Ŷ ̴.   Ŷ  Ǹ `ȣƮ   
  (Host unreachable)' Ǵ `ȣƮ   (No route to host)'
      ȴ.     쿡  ٸ
  ȴ.  ¥ ϴ  ׷ ɰ  ƴϴ.


   ߿  ICMP Ŷ MTU ã⿡ δٴ   Եȴ.
   Ǿ ִ TCP ü( ) Ŷ   
    ִ  ū Ŷ ũ⸦ ˾Ƴ  MTU ã⸦ Ѵ.
  ((fragmentation)  ϽŰ ̴.  Ư   Ϻθ
  Ұ Ǹ  ϴ ſ ɰ.)  MTU ã "   
  (Don't Fragment)" Ʈ  Ŷ   " Ⱑ ʿ
  DF(  ʾ) Ʈ (Fragmentation needed but DF set)"
  ̶ ޽   ׸ Ŷ ν ̷.
   Ŷ ٷ `   (destination-unreachable)' 
  Ŷ̴.    Ŷ  ϸ  ȣƮ MTU    
  ǰ    ȴ.


  4.2.2.  DNS 


   TCP     ְ ̷ ϸ   ߿ 
  ۵  찡 ִµ  ù° ٷ DNS ̴.   
  ӽ ȣƮ ̸ IP ּҷ ٲٱ  DNS  Ѵ.
    DNS  UDP   Ŭ  TCP  Ѵ.
  ̷  䱸  Ǹ DNS  ŷ  .


  DNS û ׻ Ȱ ܺ ӽ óϰ ϰ ִٸ ( /etc/resolv.conf
   `nameserver'  ְų ĳ Ӽ   ϰ
  ִ  ) ٷ  ӽſ ؼ `domain' Ʈ TCP  ϸ
  ȴ.


  4.2.3.  FTP   Ǹ


   ϳ   FTP ̴.  FTP   "" ִ.
    `active mode'  θ ٷ Ե 
  `passive mode'  θ.    ⺻  带 ϰ
   ftp α׷ Ϲ ɵ 带 Ѵ.


  ɵ 忡  ӽ    (Ǵ ls  dir 
  ) 켱    ӽ TCP  õѴ.   ⼭ ϴ
  TCP   Ǹ ɵ  FTP  ۵ ʰ ȴ.


    带   ִٸ .    ڷ ޱ 쿡
  Ŭ̾Ʈκ  ڷ  ̷ ̴.  ñ ٸ
  1024 ̻ Ʈ ׸ 6000 6010  Ʈ  Ʈ TCP 
   Ϳ Ͽ 㰡ϴ  .(6000 X 찡 Ѵ)



  4.3.   (Ping of Death) ɷ


   ڽ     (Ping of Death) Ͽ 鿪 
  ִ.     ū ICMP Ŷ  TCP  ȿ ÷ο
   Ͼ ϰ    ظ ġ Ǿ ִ.


   ο 鿪     ڽ ȣϱ ؼ 
  ICMP  ƹ ׸̴.   ICMP Ŷ  Ⱑ ʿ
   ũ ʱ  Ŵ   ٸ κп   ̴.
   δ(Ȯ  ƴϴ)  ý   ũ ̻
  ICMP Ŷ  ε ý   ֱ  ù° 
     ʴ´.


  4.4.  Ƽ(Teardrop) ũ(Bonk) ɷ


  ƼӰ ũ ġ (overlapping fragment)  ϴ  
   μ ַ ũμƮ  NT ӽſ ȴ.
    Ͱ ⸦ ϰ ϰų  ݿ  
  NT  ӽſ   ϵ  ȴ.


  4.5.   ź(Fragment Bombs) ɷ


  Some less-reliable TCP stacks are said to have problems dealing with
   ŷڼ Ǿ ִ TCP  ü    ¿
  Ŵ   ó   Ųٰ Ѵ.   ̷
   .   ׳ ɷų( 쿡  Ŷ ɷ
   ȿ ´) Ŀ   `IP: always defragment'  Y 
  Ѵ.  (  ڽ  Ŷ 峪    ȿ)


  4.6.  ȭ Ģ ϱ


  ȭ Ģ ϴµ ־ Ÿֿ̹ õ  ִ.   
  ʴ´ٸ Ģ ϴ  Ŷ  ġ  ִ.
  ̸      .



       # ipchains -I input 1 -j DENY
       # ipchains -I output 1 -j DENY
       # ipchains -I forward 1 -j DENY

       ... Ģ ȭŲ ...

       # ipchains -D input 1
       # ipchains -D output 1
       # ipchains -D forward 1
       #



  ϴ   Ŷ  Ѵ.


     罽 ؼ  ۾ ϰ ִٸ ο Ģ ο
  罽  ä  ü  罽 Ű ִ Ģ Ӱ 
  罽 Ű ü(`-R')  ִ.     罽 Ѵ.
  ̷ Ͽ ü ۾   ̷   ִ.

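Both techniques of this section as shell functions, added here as an example rather than taken from the HOWTO: a pair that wraps an edit in the temporary DENY rules shown above, and swap_chain, which builds a replacement user chain, repoints the parent's jump rule with a single -R, and only then deletes the old chain. Chain names, rule numbers and the sample rules are assumptions; setting IPCHAINS to `echo' prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not the HOWTO's own code): the two techniques of this
# section as shell functions.  freeze_chains/thaw_chains wrap a rule edit
# in the temporary DENY rules shown above; swap_chain builds a replacement
# user chain, points the parent's jump rule at it with -R, then removes the
# old chain.  Chain names, rule numbers and sample rules are assumptions.
IPCHAINS=${IPCHAINS:-ipchains}

# Insert a DENY rule at the top of the three built-in chains ...
freeze_chains() {
    for c in input output forward; do
        $IPCHAINS -I "$c" 1 -j DENY || return 1
    done
}

# ... and remove it again once the edit is done.
thaw_chains() {
    for c in input output forward; do
        $IPCHAINS -D "$c" 1 || return 1
    done
}

# swap_chain PARENT RULENO MATCH OLD NEW   (new rules on stdin, one argument
# list per line, e.g. `-p TCP -d 192.0.2.1 ftp -j ACCEPT').
# RULENO is the position in PARENT of the rule that jumps to OLD, and MATCH
# is that rule's own match (e.g. `-i ppp0'), which -R has to restate.
swap_chain() {
    parent=$1; ruleno=$2; match=$3; old=$4; new=$5
    if [ "${#new}" -gt 8 ]; then        # chain names are limited to 8 characters
        echo "swap_chain: chain name '$new' longer than 8 characters" >&2
        return 1
    fi
    $IPCHAINS -N "$new" || return 1
    while read -r rule; do
        [ -n "$rule" ] || continue
        $IPCHAINS -A "$new" $rule || {
            # Loading failed: discard the half-built chain; the old one is untouched.
            $IPCHAINS -F "$new"; $IPCHAINS -X "$new"; return 1
        }
    done
    # The switch-over is this single -R: packets see either the complete
    # old chain or the complete new one, never a partially loaded chain.
    $IPCHAINS -R "$parent" "$ruleno" $match -j "$new" || return 1
    $IPCHAINS -F "$old" && $IPCHAINS -X "$old"
}

# Dry-run demonstration with constructed rules (commands are only printed).
(
    IPCHAINS=echo
    printf '%s\n' '-p TCP -d 192.0.2.1 ftp -j ACCEPT' '-l -j DENY' |
        swap_chain input 1 '-i ppp0' ppp-in ppp-in2
)
```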

  4.7.    ȹ


   ۼ ڵ `libfw' ̸   ̺귯
  ҽ ڵ忡 Խ ξ.  IP 罽 1.3   Ͽ Ŷ 
   ش.(IP_FIREWALL_NETLINK ɼ ؾ )


   ̺귯 Ͽ ` ˻(stateful inspection)'  
      ִ.(   ˻纸ٴ  ȭ
  ̶   ȣѴ)
   ٸ   ִ  оߴ ں Ŷ ϴ ε
  ̴    캸⸦ ϸ ϴ.   ۾ ſ 
  ۾̴.


  ȭ `ǥ(mark)'   ǰ   ̴.
  Ŷ 켱    ֵ  ǰ(Quality of Service)
  ڵ忡   Ÿ   ִ.


  4.8.    ȹ


  δ  ȭ  /proc/sys/net/ipv4 ؿ ΰ Ѵ.
  ũƮ Ͽ ϱ  Ϲ  ϰ ̱ ̴.


   κ Ư 罽 Ŷ ٽ ϴ   ϰ
  ִ.  ̷ Ǹ libfw 谡   .



  5.  ÷ - ipchains ipfwadm  



  ȭ   Ϻδ Ŀ ȭ ̸ ٸ κ ipchains ipfwadm
  ̷κ  ̴.


  1.  μ ٽ ġǾ:  빮ڴ  Ÿ ҹڴ
     ɼ Ÿµ ǰ ִ.

  2.  罽     罽̶   ÷ 
     ƴ϶ ̸  ִ.(. `-I'  ʰ `input'̶ θ)

  3. `-k' ɼ :  `! -y'  ϶.

  4. `-b' ɼ    Ģ ϰų ߰ϰų Ѵ.
     ϳ  `ӹ' Ģ  ʴ´.

  5.   ϱ ( ⿡ Ͽ  ) `-C' `-b' ɼ
       ִ.

  6. `-l' ϴ `-x' ɼ `-v' üǾ.

  7.   ߽ Ʈ  ̻  ʴ´.  Ʈ  տ 
     ϴ     Ѵ.

  8. ̽  ̸θ   ִ.(ּҴ ȵ)
       2.1 Ŀ ø  ȭǾ ִ.

  9.  ˻ϸ ڵ  ʴ´.

  10. ȸ 罽 .

  11. IP     Ѵ.

  12. SYN, ACK Ī   (TCP ƴ Ŷ ؼ )
      ٲ.  SYN ɼ TCP  Ģ ƴ    .

  13. īʹ x86  32 Ʈ ƴ϶ 64 Ʈ̴.

  14. ݴ ɼ ȴ.

  15. ICMP ڵ尡 ȴ.

  16. ϵ ī ̽ ȴ.

  17. TOS ó   ̷.   Ŀ ڵ忡 `0 ̾ 
      (Must Be Zero)' TOS Ʈ (ҹ) óϴ  ׳ ƹ  
      ߴ.  ipchains  Ÿ ٸ ҹ    
      ߻Ų.


  5.1.    ǥ


  [ ַ  μ 빮̰ ɼ μ ҹڷ Ǿ ִ]


     ˾Ƶ־  μ ŽĿ̵ `-j MASQ'  ´.
  `-j ACCEPT'ʹ  ٸ μ ipfwadm  ܼ 2 
   ʴ´.


  ================================================================
  | ipfwadm      | ipchains              | Notes
  ----------------------------------------------------------------
  | -A [both]    | -N acct               | Create an `acct' chain
  |              |& -I 1 input -j acct   | and make both input and
  |              |& -I 1 output -j acct  | output packets traverse
  |              |& acct                 | it.
  ----------------------------------------------------------------
  | -A in        | input                 | A rule with no target.
  ----------------------------------------------------------------
  | -A out       | output                | A rule with no target.
  ----------------------------------------------------------------
  | -F           | forward               | Use this as [chain].
  ----------------------------------------------------------------
  | -I           | input                 | Use this as [chain].
  ----------------------------------------------------------------
  | -O           | output                | Use this as [chain].
  ----------------------------------------------------------------
  | -M -l        | -M -L                 |
  ----------------------------------------------------------------
  | -M -s        | -M -S                 |
  ----------------------------------------------------------------
  | -a policy    | -A [chain] -j POLICY  | (but see -r and -m).
  ----------------------------------------------------------------
  | -d policy    | -D [chain] -j POLICY  | (but see -r and -m).
  ----------------------------------------------------------------
  | -i policy    | -I 1 [chain] -j POLICY| (but see -r and -m).
  ----------------------------------------------------------------
  | -l           | -L                    |
  ----------------------------------------------------------------
  | -z           | -Z                    |
  ----------------------------------------------------------------
  | -f           | -F                    |
  ----------------------------------------------------------------
  | -p           | -P                    |
  ----------------------------------------------------------------
  | -c           | -C                    |
  ----------------------------------------------------------------
  | -P           | -p                    |
  ----------------------------------------------------------------
  | -S           | -s                    | Only takes one port or
  |              |                       | range, not several.
  ----------------------------------------------------------------
  | -D           | -d                    | Only takes one port or
  |              |                       | range, not several.
  ----------------------------------------------------------------
  | -V           | <none>                | Use -i [name] instead.
  ----------------------------------------------------------------
  | -W           | -i                    |
  ----------------------------------------------------------------
  | -b           | -b                    | Now actually makes 2 rules.
  ----------------------------------------------------------------
  | -e           | -v                    |
  ----------------------------------------------------------------
  | -k           | ! -y                  | Doesn't work unless
  |              |                       | -p tcp is also given.
  ----------------------------------------------------------------
  | -m           | -j MASQ               |
  ----------------------------------------------------------------
  | -n           | -n                    |
  ----------------------------------------------------------------
  | -o           | -l                    |
  ----------------------------------------------------------------
  | -r [redirpt] | -j REDIR [redirpt]    |
  ----------------------------------------------------------------
  | -t           | -t                    |
  ----------------------------------------------------------------
  | -v           | -v                    |
  ----------------------------------------------------------------
  | -x           | -x                    |
  ----------------------------------------------------------------
  | -y           | -y                    | Doesn't work unless
  |              |                       | -p tcp is also given.
  ----------------------------------------------------------------




  5.2.  Examples of translated ipfwadm commands


  Old command: ipfwadm -F  -p deny

  New command: ipchains -P forward DENY


  Old command: ipfwadm -F -a m -S 192.168.0.0/24 -D 0.0.0.0/0

  New command: ipchains -A forward -j MASQ -s 192.168.0.0/24 -d
  0.0.0.0/0


  Old command: ipfwadm -I -a accept -V 10.1.2.1 -S 10.0.0.0/8 -D
  0.0.0.0/0

  New command: ipchains -A input -j ACCEPT -i eth0 -s 10.0.0.0/8 -d
  0.0.0.0/0

  (Note that there is no equivalent for specifying interfaces by
  address: use the interface name instead.  On this machine, the
  address 10.1.2.1 belongs to eth0.)


  6.  Appendix: Using the `ipfwadm-wrapper' script


  The `ipfwadm-wrapper' shell script is intended as a plug-in replacement
  for ipfwadm, for backwards compatibility with ipfwadm 2.3a.


  The one feature it cannot really handle is the `-V' option (selecting
  an interface by its address).  When `-V' is used, a warning is printed.
  If the `-W' option is also given, `-V' is ignored.  Otherwise the
  script tries to find the interface name associated with that address
  by parsing the output of `ifconfig'.  If that fails (for example,
  because the interface is down) an error message is printed.


  The warning can be suppressed either by changing the `-V' to a `-W',
  or by redirecting the script's standard error to /dev/null.

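  The translation in section 5.2 and the `-V' lookup described above can be
  seen together in the following script.  It is an added example, not the
  real `ipfwadm-wrapper', and it covers only the single-rule commands from
  the quick-reference table (no accounting, no -M).  The `ifconfig' output
  it parses is constructed inline so the example runs offline; unset
  IFCONFIG_TEXT to have it query the live `ifconfig' instead.

```shell
#!/bin/sh
# Added example (not the real ipfwadm-wrapper script): translate an ipfwadm
# 2.3a command into its ipchains equivalent using the quick-reference table.
# It covers the single-rule commands (-a/-i/-d/-p/-l/-f/-z on -I/-O/-F) and
# leaves accounting (-A), -M and the -t/-x/-e listing flags out.

# Constructed `ifconfig' output so the example runs offline; unset
# IFCONFIG_TEXT to query the live ifconfig instead.
IFCONFIG_TEXT='eth0      Link encap:Ethernet  HWaddr 00:00:5E:00:53:01
          inet addr:10.1.2.1  Bcast:10.1.2.255  Mask:255.255.255.0
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0'

ifconfig_text() {
    if [ -n "${IFCONFIG_TEXT:-}" ]; then printf '%s\n' "$IFCONFIG_TEXT"
    else ifconfig 2>/dev/null; fi
}

# iface_for_addr ADDR: print the interface configured with ADDR, or nothing.
# This is the lookup ipfwadm-wrapper does for -V; it reads both the old
# "inet addr:A.B.C.D" and the newer "inet A.B.C.D" ifconfig layouts.
iface_for_addr() {
    ifconfig_text | awk -v want="$1" '
        /^[^ ]/ { iface = $1; sub(/:$/, "", iface) }
        /inet / { for (i = 1; i <= NF; i++) { a = $i; sub(/^addr:/, "", a)
                  if (a == want) { print iface; exit } } }'
}

# ipfwadm2ipchains IPFWADM-ARGS...: print the equivalent ipchains command.
# -V is resolved through iface_for_addr and ignored (with a warning) when
# -W is also given; -k/-y are checked against -P tcp as the table requires.
ipfwadm2ipchains() {
    chain= cmd= policy= proto= iface= vaddr= src= dst= flag= masq= redir= bidir= log=
    while [ $# -gt 0 ]; do
        case "$1" in
            -F) chain=forward ;;  -I) chain=input ;;  -O) chain=output ;;
            -a) cmd=-A;     policy=$2; shift ;;
            -i) cmd="-I 1"; policy=$2; shift ;;
            -d) cmd=-D;     policy=$2; shift ;;
            -p) cmd=-P;     policy=$2; shift ;;
            -l) cmd=-L ;;  -f) cmd=-F ;;  -z) cmd=-Z ;;
            -P) proto=$2; shift ;;
            -S) src=$2;   shift ;;
            -D) dst=$2;   shift ;;
            -W) iface=$2; shift ;;
            -V) vaddr=$2; shift ;;
            -m) masq=1 ;;
            -r) redir=REDIR; case "${2:-}" in [0-9]*) redir="REDIR $2"; shift ;; esac ;;
            -b) bidir=1 ;;
            -y) flag=" -y" ;;
            -k) flag=" ! -y" ;;
            -o) log=1 ;;
            *)  echo "warning: option $1 not translated" >&2 ;;
        esac
        shift
    done
    if [ -n "$vaddr" ]; then
        if [ -n "$iface" ]; then
            echo "warning: -V $vaddr ignored because -W $iface was given" >&2
        else
            iface=$(iface_for_addr "$vaddr")
            if [ -z "$iface" ]; then
                echo "error: no interface is configured with $vaddr" >&2
                return 1
            fi
        fi
    fi
    if [ -n "$flag" ] && [ "$proto" != tcp ]; then
        echo "warning: -y and -k only work when -P tcp is also given" >&2
    fi
    # ipfwadm accepts abbreviated policy names, so match on the first letter.
    case "$policy" in
        a*) target=ACCEPT ;;  d*) target=DENY ;;  r*) target=REJECT ;;
        m*) target=MASQ ;;    *)  target= ;;
    esac
    if [ -n "$masq" ];  then target=MASQ;   fi
    if [ -n "$redir" ]; then target=$redir; fi
    case "$cmd" in
        -P)       echo "ipchains -P $chain $target"; return 0 ;;
        -L|-F|-Z) echo "ipchains $cmd $chain";       return 0 ;;
    esac
    opts=
    if [ -n "$proto" ]; then opts="$opts -p $proto"; fi
    if [ -n "$iface" ]; then opts="$opts -i $iface"; fi
    if [ -n "$src" ];   then opts="$opts -s $src";   fi
    if [ -n "$dst" ];   then opts="$opts -d $dst";   fi
    opts="$opts$flag"
    if [ -n "$log" ];   then opts="$opts -l"; fi
    if [ -n "$bidir" ]; then opts="$opts -b"; fi   # ipchains expands -b into two rules
    echo "ipchains $cmd $chain -j $target$opts"
}

# Usage: the three examples from section 5.2.
ipfwadm2ipchains -F -p deny
ipfwadm2ipchains -F -a m -S 192.168.0.0/24 -D 0.0.0.0/0
ipfwadm2ipchains -I -a accept -V 10.1.2.1 -S 10.0.0.0/8 -D 0.0.0.0/0
```

  The script only prints the ipchains command line; review it before
  running it, since a dropped option (anything reported as "not
  translated") turns a narrow rule into a broader one.
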

  If you find any mistakes in this script, or any ipfwadm behaviour that
  the script does not cover, please send a bug report to
  Paul.Russell@rustcorp.com.au with the subject BUG-REPORT.  Please
  include the version of ipfwadm you were using (`ipfwadm -h'), your
  ipchains version (`ipchains --version'), the version of the wrapper
  script (`ipfwadm-wrapper --version') and the output of
  `ipchains-save'.  Thanks in advance.


  Mix ipchains and the ipfwadm-wrapper script at your own peril: both
  act on the same kernel chains, and rules one of them inserts at a
  fixed position (such as `-I 1') can silently change the ordering the
  other assumes.


  7.  Appendix: Thanks


  Many thanks have to go to Michael Neuling, who wrote the first
  releasable cut of the Generic IP Chains code while working for me.
  Public apologies for nixing his result-caching idea, which Alan Cox
  later proposed and I have finally begun implementing, having seen the
  error of my ways.


  Thanks to Alan Cox for his 24-hour EMail tech support, and
  encouragement.


  Thanks to all the authors of the ipfw and ipfwadm code, especially Jos
  Vos.  Standing on the shoulders of giants and all that...  This
  applies to Linus Torvalds and all the kernel and userspace hackers as
  well.


  Thanks to the diligent beta testers and bughunters, especially:

     Jordan Mendelson
        ICMP code suggestion.

     Shaw Carruthers
        For various ipchains and ipfwadm-wrapper bugfixes.

     Kevin Moule
        For a patch for glibc.

     Dr. Liviu Daia
        For documentation fixes and printk fix.

     Helmut Adams
        For fixing a race condition in v. large chains.

     Franck Sicard
        For masquerading listing fix.

     Kevin Littlejohn
        For ipchains-save bugfix with destination ports.

     Matt Kemner
        For more documentation fixes.

     John D. Hardin
        For `ipchains -X' suggestion.

     Alexey Kuznetsov
        For noticing a typo which stopped marks being initialised.

     Ricardo Kustner
        For fixing my leftover debug messages in 2.0.33.


