  Linux 2.4 Packet Filtering HOWTO

  Rusty Russell, mailing list netfilter@lists.samba.org
  v1.0 Tue Mar 21 23:29:42 EST 2000

  This document describes how to use iptables to filter out bad packets
  for the 2.4 Linux kernels.
  ______________________________________________________________________

  Table of Contents

  1. Introduction
  2. Where is the official web site? Is there a mailing list?
  3. So what is a packet filter?
     3.1 Why would I want to packet filter?
     3.2 How do I packet filter under Linux?
        3.2.1 iptables
        3.2.2 Making rules permanent

  4. Who the hell are you, and why are you playing with my kernel?
  5. Rusty's really quick guide to packet filtering
  6. How packets traverse the filters
  7. Using iptables
     7.1 What you will see when your computer starts up
     7.2 Operations on a single rule
     7.3 Filtering specifications
        7.3.1 Specifying source and destination IP addresses
        7.3.2 Specifying inversion
        7.3.3 Specifying protocol
        7.3.4 Specifying an interface
        7.3.5 Specifying fragments
        7.3.6 Extensions to iptables: new matches
           7.3.6.1 TCP extensions
              7.3.6.1.1 An explanation of TCP flags
           7.3.6.2 UDP extensions
           7.3.6.3 ICMP extensions
           7.3.6.4 Other match extensions
           7.3.6.5 The state match
     7.4 Target specifications
        7.4.1 User-defined chains
        7.4.2 Extensions to iptables: new targets
        7.4.3 Special built-in targets
     7.5 Operations on an entire chain
        7.5.1 Creating a new chain
        7.5.2 Deleting a chain
        7.5.3 Flushing a chain
        7.5.4 Listing a chain
        7.5.5 Resetting (zeroing) counters
        7.5.6 Setting policy
        7.5.7 Using ipchains and ipfwadm

  8. Differences between iptables and ipchains

  ______________________________________________________________________

  1.  Introduction

  Welcome, gentle reader.

  It is assumed you know what IP addresses, network addresses, netmasks,
  routing and DNS are. If not, I recommend reading the Network Concepts
  HOWTO.

  This HOWTO flips between a gentle introduction (which will leave you
  feeling warm and fuzzy) and the raw, full-on detail (which would leave
  all but the hardiest souls confused, paranoid and seeking heavy
  weaponry).

  Your network is not secure. The problem of allowing fast, convenient
  communication while restricting its use to good rather than bad
  purposes is like trying to allow free speech while preventing someone
  from yelling "fire" in a crowded theatre; it is not going to be solved
  in the space of this HOWTO.

  So it is up to you to decide where the compromise lies. I will try to
  tell you some of the uses of this tool and the holes it may leave
  open, in the hope that it is used for good and not evil. Let me know
  what you find; I would like to know.

  2.  Where is the official web site? Is there a mailing list?

  There are three official sites:

  o  Thanks to Penguin Computing
     <http://antarctica.penguincomputing.com/~netfilter/>

  o  Thanks to The Samba Team and SGI <http://www.samba.org/netfilter>.

  o  Thanks to Jim Pick <http://netfilter.kernelnotes.org>.

  For the official netfilter mailing list, see the Samba list server at
  <http://list.samba.org>.

  3.  So what is a packet filter?

  A packet filter is a piece of software which looks at the header of
  packets as they pass through, and decides the fate of the entire
  packet. It might decide to DROP the packet (i.e., discard it as if it
  had never been received), ACCEPT the packet (i.e., let it go through),
  or do something more complicated.

  Under Linux, packet filtering is built into the kernel (as a kernel
  module, or compiled right in), and there are a few trickier things we
  can do with packets, but the general idea of looking at the headers
  and deciding the fate of the packet is still there.

  3.1.  Why would I want to packet filter?

  Control, security, watchfulness.

     Control:
        When you are using a Linux box to connect your internal network
        to another network (say, the Internet), you have an opportunity
        to allow certain types of traffic and disallow others. For
        example, the header of a packet contains its destination
        address, so you can prevent packets going to a certain part of
        the outside network. As another example, I use Netscape to
        access the Dilbert archives. There are advertisements from
        doubleclick.net on the page, and Netscape wastes my time by
        cheerfully downloading them. Telling the packet filter not to
        allow any packets to or from the addresses owned by
        doubleclick.net solves that problem (there are better ways of
        doing this, though: see Junkbuster).

     Security:
        When your Linux box is the only thing between the chaos of the
        Internet and your nice, orderly network, it is good to know you
        can restrict what comes tromping in your door. For example, you
        might allow anything to go out from your network, but you might
        be worried about the well-known "Ping of Death" coming in from
        malicious outsiders. As another example, you might not want
        outsiders telnetting to your Linux box, even though all your
        accounts have passwords. Maybe you want (like most people) to be
        an observer on the Internet, and not a server (willing or
        otherwise). Simply do not let anyone connect in, by having the
        packet filter reject the incoming packets used to set up
        connections.

     Watchfulness:
        Sometimes a badly configured machine on the local network will
        decide to spew packets to the outside world. It is good to tell
        the packet filter to let you know if anything abnormal occurs;
        maybe you can do something about it, or maybe you are just
        curious by nature.

  3.2.  How do I packet filter under Linux?

  Linux kernels have had packet filtering since the 1.1 series. The
  first generation, based on ipfw from BSD, was ported by Alan Cox in
  late 1994. This was enhanced by Jos Vos and others for Linux 2.0; the
  userspace tool 'ipfwadm' controlled the kernel filtering rules. In
  mid-1998, for Linux 2.2, I reworked the kernel quite heavily with the
  help of Michael Neuling, and introduced the userspace tool 'ipchains'.
  Finally, the fourth-generation tool, 'iptables', and another kernel
  rewrite occurred in mid-1999 for Linux 2.4. It is this iptables which
  this HOWTO concentrates on.

  You need a kernel which has the netfilter infrastructure in it:
  netfilter is a general framework inside the Linux kernel which other
  things (such as the iptables module) can plug into. This means you
  need kernel 2.3.15 or later, and must answer 'Y' to CONFIG_NETFILTER
  when you configure the kernel.

  The tool iptables talks to the kernel and tells it which packets to
  filter. Unless you are a programmer, or overly curious, this is how
  you will control the packet filtering.

  3.2.1.  iptables

  The iptables tool inserts and deletes rules from the kernel's packet
  filtering table. This means that whatever you set up will be lost on
  reboot; see ``Making rules permanent'' below for how to make sure the
  rules are restored the next time Linux boots.

  iptables is a replacement for ipfwadm and ipchains: see ``Using
  ipchains and ipfwadm'' below for how to painlessly avoid iptables if
  you are using one of those tools.

  3.2.2.  Making rules permanent

  Your current firewall setup is stored in the kernel, and so is lost on
  reboot. Writing iptables-save and iptables-restore scripts is on my
  TODO list; when they exist, I will make sure this HOWTO gets updated.
  In the meantime, put the commands required to set up your rules in an
  initialization script, and make sure it does something sensible if
  one of the commands fails.

  4.  Who the hell are you, and why are you playing with my kernel?

  I am Rusty Russell, the Linux IP firewall maintainer, and just another
  guy who happened to be in the right place at the right time. I wrote
  ipchains (see ``How do I packet filter under Linux?'' above for how
  much work that took), and I have learnt enough about packet filtering
  this time around to get it right.

  WatchGuard <http://www.watchguard.com>, an excellent firewall company
  who sell the plug-in Firebox, offered to pay me to do nothing, so I
  could spend all my time writing this stuff and maintaining my previous
  work. I estimated six months, and it took twelve, but I felt it was
  done right. Many rewrites, one hard disk crash, one stolen laptop, a
  few corrupted file systems and one broken screen later, here it is.

  While I am here, I want to clear up a misconception some people have:
  I am not a kernel guru. I know this, because my kernel work has
  brought me into contact with some real ones (David S. Miller, Alexey
  Kuznetsov, Andi Kleen, Alan Cox). However, they are all busy doing the
  deep magic, leaving me to wade in the shallow end where it is safe.

  5.  Rusty's really quick guide to packet filtering

  Most people just have a single PPP connection to the Internet, and do
  not want anyone coming back into their network, or into the firewall:

       ## Insert connection-tracking modules (not needed if built into kernel).
       # insmod ip_conntrack
       # insmod ip_conntrack_ftp

       ## Create a chain which blocks new connections, except those coming
       ## from the inside.
       # iptables -N block
       # iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
       # iptables -A block -m state --state NEW -i ! ppp0 -j ACCEPT
       # iptables -A block -j DROP

       ## Jump to that chain from the INPUT and FORWARD chains.
       # iptables -A INPUT -j block
       # iptables -A FORWARD -j block

  6.  How packets traverse the filters

  The kernel starts with three lists of rules in the 'filter' table;
  these lists are called firewall chains, or just chains. The three
  chains are called INPUT, OUTPUT and FORWARD.

  This is very different from the 2.0 and 2.2 kernels!

  The chains are arranged like so:

                        _____
                       /     \
     -->[Routing ]--->|FORWARD|------->
        [Decision]     \_____/        ^
             |                        |
             v                       ____
            ___                     /    \
           /   \                   |OUTPUT|
          |INPUT|                   \____/
           \___/                      ^
             |                        |
              ----> Local Process ----

  The three circles represent the three chains mentioned above. When a
  packet reaches a circle in the diagram, that chain is examined to
  decide the fate of the packet. If the chain says to DROP the packet,
  it is killed there; if the chain says to ACCEPT the packet, it
  continues traversing the diagram.

  A chain is a checklist of rules. Each rule says "if the packet header
  looks like this, then here is what to do with the packet". If the rule
  does not match the packet, the next rule in the chain is consulted.
  Finally, if there are no more rules to consult, the kernel looks at
  the chain policy to decide what to do. In a security-conscious system,
  this policy usually tells the kernel to DROP the packet.

  1. When a packet comes in (say, through the Ethernet card), the kernel
     first looks at the destination of the packet: this is called
     'routing'.

  2. If it is destined for this box, the packet passes downwards in the
     diagram, to the INPUT chain. If it passes this chain, any processes
     waiting for that packet will receive it.

  3. Otherwise, if the kernel does not have forwarding enabled, or it
     does not know how to forward the packet, the packet is DROPped. If
     forwarding is enabled, and the packet is destined for another
     network interface (if you have one), the packet goes rightwards in
     the diagram to the FORWARD chain. If it is ACCEPTed, it is sent out
     of that interface.

  4. Finally, a program running on the box can send network packets.
     These packets pass through the OUTPUT chain immediately: if it says
     ACCEPT, the packet continues out to whatever interface it is
     destined for.

  7.  Using iptables

  iptables has a fairly detailed manual page (man iptables), should you
  need more detail on particulars. Those of you familiar with ipchains
  might simply want to look at ``Differences between iptables and
  ipchains'' below; they are very similar.

  There are several different things you can do with iptables. The first
  group of operations acts on whole chains. You start with three
  built-in chains, INPUT, OUTPUT and FORWARD, which you cannot delete.

  1. Create a new chain (-N).

  2. Delete an empty chain (-X).

  3. Change the policy of a built-in chain (-P).

  4. List the rules in a chain (-L).

  5. Flush the rules out of a chain (-F).

  6. Zero the packet and byte counters on all rules in a chain (-Z).

  There are several ways to manipulate rules inside a chain:

  1. Append a new rule to a chain (-A).

  2. Insert a new rule at some position in a chain (-I).

  3. Replace the rule at some position in a chain (-R).

  4. Delete the rule at some position in a chain (-D).

  5. Delete the first rule that matches in a chain (-D).

  7.1.  What you will see when your computer starts up

  iptables is a module, called iptable_filter.o, which should be loaded
  automatically when you first run iptables. It can also be built
  permanently into the kernel.

  Before any iptables commands have been run (careful: some
  distributions run iptables in their initialization scripts), there
  will be no rules in any of the built-in chains (INPUT, FORWARD and
  OUTPUT). The INPUT and OUTPUT chains have a policy of ACCEPT, and the
  FORWARD chain has a policy of DROP (this default is set by the
  iptable_filter module).

  7.2.  Operations on a single rule

  This is the bread and butter of packet filtering: manipulating rules.
  Most commonly you will use the append (-A) and delete (-D) commands.
  The others (-I for insert and -R for replace) are simple extensions of
  these concepts.

  Each rule specifies a set of conditions the packet must meet, and what
  to do if it meets them (a 'target'). For example, you might want to
  drop all ICMP packets coming from the IP address 127.0.0.1. So in this
  case our conditions are that the protocol must be ICMP and that the
  source address must be 127.0.0.1. Our target is 'DROP'.

  127.0.0.1 is the 'loopback' interface, which you will have even if you
  have no real network connection. You can use the 'ping' program to
  generate such packets (it simply sends an ICMP type 8 (echo request),
  which all cooperative hosts should obligingly answer with an ICMP type
  0 (echo reply) packet). This makes it useful for testing.

  # ping -c 1 127.0.0.1
  PING 127.0.0.1 (127.0.0.1): 56 data bytes
  64 bytes from 127.0.0.1: icmp_seq=0 ttl=64 time=0.2 ms

  --- 127.0.0.1 ping statistics ---
  1 packets transmitted, 1 packets received, 0% packet loss
  round-trip min/avg/max = 0.2/0.2/0.2 ms
  # iptables -A INPUT -s 127.0.0.1 -p icmp -j DROP
  # ping -c 1 127.0.0.1
  PING 127.0.0.1 (127.0.0.1): 56 data bytes

  --- 127.0.0.1 ping statistics ---
  1 packets transmitted, 0 packets received, 100% packet loss
  #

  You can see here that the first ping succeeds (the '-c 1' tells ping
  to send only a single packet).

  Then we append (-A) to the 'INPUT' chain a rule specifying that
  packets from 127.0.0.1 ('-s 127.0.0.1') with protocol ICMP ('-p icmp')
  should jump to DROP ('-j DROP').

  Then we test our rule with the second ping. There will be a pause
  before the program gives up waiting for a response that will never
  come.

  We can delete the rule in one of two ways. Firstly, since we know that
  it is the only rule in the INPUT chain, we can use a numbered delete:

                      # iptables -D INPUT 1
                      #

  This deletes rule number 1 in the INPUT chain.

  The second way is to mirror the -A command, replacing -A with -D. This
  is useful when you have a complex chain of rules and do not want to
  count them to find out which numbered rule you want to get rid of. In
  this case we would use:

                      # iptables -D INPUT -s 127.0.0.1 -p icmp -j DROP
                      #

  The syntax of -D must have exactly the same options as the -A (or -I
  or -R) command. If there are several identical rules in the same
  chain, only the first is deleted.

  7.3.  Filtering specifications

  We have seen the use of '-p' to specify protocol, and '-s' to specify
  source address, but there are other options we can use to specify
  packet characteristics. What follows is an exhaustive compendium.

  7.3.1.  Specifying source and destination IP addresses

  Source ('-s', '--source' or '--src') and destination ('-d',
  '--destination' or '--dst') IP addresses can be specified in four
  ways. The most common way is to use the full host name, such as
  'localhost'. The second way is to give the IP address, such as
  '127.0.0.1'.

  The third and fourth ways allow specification of a group of IP
  add a group of IP addresses, such as '199.95.207.0/24' or
  '199.95.207.0/255.255.255.0'. These both specify any IP address from
  199.95.207.0 to 199.95.207.255 inclusive; the digits after the '/'
  tell which part of the IP address is significant. '/32' (match the
  whole IP address) is the default. To specify any IP address at all,
  '/0' can be used:

                      # iptables -A INPUT -s 0/0 -j DROP
                      #

  This is rarely used, as the effect above is the same as not specifying
  the '-s' option at all.

  7.3.2.  Specifying inversion

  Many flags, including the '-s' (or '--source') and '-d'
  ('--destination') flags, can have their arguments preceded by '!'
  (pronounced 'not') to match addresses NOT equal to the ones given.

  7.3.3.  Specifying protocol

  The protocol can be specified with the '-p' (or '--protocol') flag.
  The protocol can be a number (if you know the numeric protocol values
  for IP) or a name for the special cases 'TCP', 'UDP' and 'ICMP'. Case
  does not matter, so 'tcp' works as well as 'TCP'.

  The protocol name can be prefixed by a '!' to invert it, as in
  '-p ! TCP'.

  7.3.4.  Specifying an interface

  The '-i' (or '--in-interface') and '-o' (or '--out-interface') options
  specify the name of an interface to match. An interface is the
  physical device the packet came in on or is going out on. You can use
  the ifconfig command to list the interfaces which are 'up' (i.e.
  working at the moment).

  Packets traversing the INPUT chain do not have an output interface, so
  any rule using '-o' in this chain will never match. Similarly, packets
  traversing the OUTPUT chain do not have an input interface, so any
  rule using '-i' in this chain will never match.

  Only packets traversing the FORWARD chain have both an input and an
  output interface.

  It is perfectly legal to specify an interface which does not currently
  exist; the rule will not match anything until the interface comes up.
  This is extremely useful for dial-up PPP links and the like.

  As a special case, an interface name ending with '+' matches all
  interfaces (whether they currently exist or not) whose names begin
  with that string. For example, to specify a rule which matches all PPP
  interfaces, the -i ppp+ option would be used.

  The interface name can be preceded by '!' to match packets which do
  not match the given interface(s).

  7.3.5.  Specifying fragments

  Sometimes a packet is too large to fit down a wire all at once. When
  this happens, the packet is divided into fragments and sent as several
  packets. The other end reassembles the fragments to reconstruct the
  whole packet.

  The problem with fragments is that only the first fragment has the
  complete header fields (IP plus TCP, UDP or ICMP) to examine;
  subsequent fragments carry only the IP header. Looking inside them for
  protocol headers is therefore not possible.

  If you are doing connection tracking or NAT, all fragments are merged
  back together before they reach the packet filtering code, so you
  need never worry about fragments.

  Otherwise, it is important to understand how fragments are treated by
  the filtering rules. Any filtering rule that asks for information we
  do not have will not match. This means the first fragment is treated
  like any other packet; second and further fragments are not. So a rule
  -p TCP --sport www (specifying a source port of 'www') will never
  match a fragment (other than the first fragment). Neither will the
  opposite rule, -p TCP --sport ! www.

  However, you can specify a rule specifically for second and further
  fragments, using the '-f' (or '--fragment') flag. It is also valid to
  specify that a rule does not apply to second and further fragments, by
  preceding the '-f' with '!'.

  Usually it is regarded as safe to let second and further fragments
  through, since filtering will affect the first fragment and so prevent
  reassembly on the target host; however, bugs have been known to exist
  which allow crashing of machines simply by sending fragments. Your
  call.

  Note for network-heads: malformed packets (TCP, UDP and ICMP packets
  too short for the firewall code to read the ports or the ICMP code and
  type) are dropped when such examinations are attempted. So are TCP
  fragments starting at offset 8.

  As an example, the following rule will drop any fragments going to
  192.168.1.1:

       # iptables -A OUTPUT -f -d 192.168.1.1 -j DROP
       #

  7.3.6.  Extensions to iptables: new matches

  iptables is extensible, meaning that both the kernel and the iptables
  tool can be extended to provide new features.

  Some of these extensions are standard, and others are more exotic.
  Extensions can be written by other people and distributed separately
  for niche users.

  Kernel extensions normally live in the kernel module subdirectory
  (/lib/modules/2.3.15/net). They are loaded on demand, so you should
  not need to insert them manually.

  Extensions to the iptables program are shared libraries which usually
  live in /usr/local/lib/iptables, although a distribution may put them
  in /lib/iptables or /usr/lib/iptables.

  Extensions come in two types: new targets and new matches (we will
  talk about new targets a little later). Some protocols automatically
  offer new tests: currently these are TCP, UDP and ICMP, as shown
  below.

  For these you can give the new tests on the command line after the
  '-p' option, which loads the extension. For explicit new tests, use
  the '-m' option to load the extension, after which the extended
  options become available.

  To get help on an extension, use the option which loads it ('-p', '-j'
  or '-m') followed by '-h'.

  7.3.6.1.  TCP extensions

  The TCP extensions are loaded automatically if '--protocol tcp' is
  specified and no other match is given. They provide the following
  options:

     --tcp-flags
        Followed by an optional '!', then two strings of flags. The
        first string is the mask: the list of flags you want to examine.
        The second string says which of them should be set. For
        example,

          # iptables -A INPUT --protocol tcp --tcp-flags ALL SYN,ACK -j DROP

     This indicates that all flags should be examined ('ALL' is
     synonymous with 'SYN,ACK,FIN,RST,URG,PSH'), but only SYN and ACK
     should be set. There is also an argument 'NONE', meaning no flags.

     --syn
        Optionally preceded by '!', this is shorthand for
        '--tcp-flags SYN,RST,ACK SYN'.

     --source-port
        Followed by an optional '!', then either a single TCP port or a
        range of ports. Ports can be port names, as listed in
        /etc/services, or numeric. Ranges are either two ports separated
        by '-', or (for greater than or equal to the given port) a port
        with a '-' appended, or (for less than or equal to the given
        port) a port preceded by '-'.

     --sport
        This is a synonym for '--source-port'.

     --destination-port
        The same as above, but matching the destination port.

     --dport
        This is a synonym for '--destination-port'.

     --tcp-option
        Followed by an optional '!' and a number, matches a packet with
        a TCP option equal to that number. A packet which does not have
        a complete TCP header is dropped automatically if an attempt is
        made to examine its TCP options.

  7.3.6.1.1.  An explanation of TCP flags

  It is sometimes useful to allow TCP connections in one direction but
  not the other. For example, you might want to allow connections to an
  external WWW server, but not connections from that server.

  The naive approach would be to block TCP packets coming from the
  server. Unfortunately, TCP connections require packets going in both
  directions to work at all.

  The solution is to block only the packets used to request a
  connection. These packets are called SYN packets (OK, technically they
  are packets with the SYN flag set and the RST and ACK flags cleared,
  but we call them SYN packets for short). By disallowing only these
  packets, we can stop attempted connections from outside in their
  tracks.

  The '--syn' flag is used for this: it is only valid for rules which
  specify TCP as their protocol. For example, to specify TCP connection
  attempts from 192.168.1.1:

       -p TCP -s 192.168.1.1 --syn

  This flag can be inverted by preceding it with '!', which then matches
  every packet other than connection initiations.

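  As an added example (not the HOWTO's own code), the '--tcp-flags MASK
  COMP' test and the '--syn' shorthand written out as Python functions;
  the flag bit values follow the TCP header, and classify() is this
  example's own helper showing how the two directions are told apart.

```python
# Added example (not the HOWTO's own code): the '--tcp-flags MASK COMP' test
# as a pure function, and '--syn' expressed through it.
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
ALL = "SYN,ACK,FIN,RST,URG,PSH"             # as the HOWTO defines 'ALL'

def flag_bits(spec):
    """'SYN,ACK' -> bitmask; 'ALL' and 'NONE' are the shorthands above."""
    if spec == "NONE":
        return 0
    names = ALL if spec == "ALL" else spec
    return sum(FLAGS[name] for name in names.split(","))

def tcp_flags_match(mask, comp, packet_flags, invert=False):
    """--tcp-flags: of the flags in `mask`, exactly those in `comp` are set."""
    examined = flag_bits(packet_flags) & flag_bits(mask)
    return (examined == flag_bits(comp)) != invert

def syn_match(packet_flags, invert=False):
    """--syn: SYN set, RST and ACK clear (--tcp-flags SYN,RST,ACK SYN)."""
    return tcp_flags_match("SYN,RST,ACK", "SYN", packet_flags, invert)

def classify(packet_flags):
    """Label a packet the way the rules in this section would see it."""
    if syn_match(packet_flags):
        return "connection request"
    if tcp_flags_match("SYN,ACK", "SYN,ACK", packet_flags):
        return "connection reply"
    return "other"
```
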
  7.3.6.2.  UDP extensions

  These extensions are loaded automatically if '--protocol udp' is
  specified and no other match is given. They provide the options
  '--source-port', '--sport', '--destination-port' and '--dport', as
  detailed for TCP above.

  7.3.6.3.  ICMP extensions

  This extension is loaded automatically if '--protocol icmp' is
  specified and no other match is given. It provides only one new
  option:

     --icmp-type
        Followed by an optional '!', then either an ICMP type name, a
        numeric type (e.g. '3'), or a numeric type and code separated by
        '/' (e.g. '3/3'). A list of the available ICMP type names is
        given by '-p icmp -h'.

  7.3.6.4.  Other match extensions

  The other extensions in the netfilter package are demonstration
  extensions, which (if installed) can be invoked with the '-m' option.

     mac
        This module must be specified explicitly with '-m mac' or
        '--match mac'. It matches the source Ethernet (MAC) address of
        incoming packets, and so is only useful for packets traversing
        the INPUT chain. It provides only one option:

        --mac-source
           Followed by an optional '!', then an Ethernet address in
           colon-separated hexadecimal byte notation, e.g.
           '--mac-source 00:60:08:91:CC:B7'.

     limit
        This module must be specified explicitly with '-m limit' or
        '--match limit'. It is used to restrict the rate of matches,
        such as for suppressing log messages. It will only match a given
        number of times per second (by default 3 matches per hour, with
        a burst of 5). It takes two optional arguments:

        --limit
           Followed by a number; specifies the maximum average number of
           matches to allow per second. The number can specify units
           explicitly, using '/second', '/minute', '/hour' or '/day'.

        --limit-burst
           Followed by a number, giving the maximum burst before the
           above limit kicks in.

        This match is often used with the LOG target for rate-limited
        logging. To understand how it works, consider the following
        rule, which logs packets with the default limit parameters:

          # iptables -A FORWARD -m limit -j LOG

     The first time this rule is reached, the packet will be logged; in
     fact, since the default burst is 5, the first five packets will be
     logged. After that it will be twenty minutes before another packet
     is logged by this rule, no matter how many packets reach it. Also,
     for every twenty minutes which pass without a packet matching, one
     of the burst is regained; if no packets hit the rule for 100
     minutes, the burst is fully recharged, back where we started.

     Note: you cannot currently create a rule with a recharge time of
     more than about 59 hours, so if you set an average rate of one per
     day, your burst rate must be less than 3.

     owner
        This module tries to match various characteristics of the
        packet creator, for locally generated packets. It is only valid
        in the OUTPUT chain, and even there some packets (such as ICMP
        ping responses) may have no owner, and so never match.

        --uid-owner userid
           Matches if the packet was created by a process with the given
           effective (numeric) user id.

        --gid-owner groupid
           Matches if the packet was created by a process with the given
           effective (numeric) group id.

        --pid-owner processid
           Matches if the packet was created by a process with the given
           process id.

        --sid-owner sessionid
           Matches if the packet was created by a process in the given
           session group.

     unclean
        This experimental module must be specified explicitly with
        '-m unclean' or '--match unclean'. It performs various sanity
        checks on packets. This module has not been audited, and should
        not be used as a security device (it probably makes things
        worse, since it may well have bugs itself). It takes no options.

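  As an added example (not the HOWTO's or the kernel's code), a model of
  the limit match behaviour described above, with the default 3/hour
  average and burst of 5; the credit bucket, the unit parsing and the
  use of plain second timestamps are this example's own assumptions.

```python
# Added model of the 'limit' match described above (not the HOWTO's or the
# kernel's code): a credit bucket holding up to `burst` credits, refilled at
# the average rate, with each match spending one credit.
UNITS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}

def parse_interval(spec):
    """'3/hour', '5/second', '1/m' -> seconds needed to regain one credit."""
    count, _, unit = spec.partition("/")
    unit = unit or "second"                 # a bare number means per second
    for name, seconds in UNITS.items():
        if name.startswith(unit):           # '/s', '/min', '/hour' all accepted
            return seconds / int(count)
    raise ValueError(f"unknown unit in --limit {spec!r}")

class LimitMatch:
    """--limit RATE (default 3/hour) and --limit-burst N (default 5)."""
    def __init__(self, limit="3/hour", burst=5):
        self.interval = parse_interval(limit)
        self.capacity = burst * self.interval   # credit is measured in seconds
        self.credit = self.capacity             # bucket starts full
        self.last = 0.0

    def _refill(self, now):
        self.credit = min(self.capacity, self.credit + (now - self.last))
        self.last = now

    def matches(self, now):
        """True if the rule matches a packet arriving at time `now` (seconds)."""
        self._refill(now)
        if self.credit >= self.interval:
            self.credit -= self.interval
            return True
        return False

    def available(self, now):
        """How many matches the bucket would allow right now."""
        self._refill(now)
        return int(self.credit // self.interval)

def logged_packets(arrivals, limit="3/hour", burst=5):
    """Which of the packets arriving at `arrivals` (seconds) would be logged
    by 'iptables -A FORWARD -m limit -j LOG' with the given parameters."""
    lm = LimitMatch(limit, burst)
    return [t for t in arrivals if lm.matches(t)]
```
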
  7.3.6.5.  The state match

  The most useful match is the 'state' match, which interprets the
  connection-tracking analysis of the 'ip_conntrack' module. It is
  highly recommended.

  Specifying '-m state' allows an additional '--state' option, which is
  a comma-separated list of states to match (the '!' flag indicates not
  to match those states). These states are:

     NEW
        A packet which creates a new connection.

     ESTABLISHED
        A packet which belongs to an existing connection (i.e. a reply
        packet, or an outgoing packet on a connection which has seen
        replies).

     RELATED
        A packet which is related to, but not part of, an existing
        connection, such as an ICMP error, or (with the FTP module
        inserted) a packet establishing an FTP data connection.

     INVALID
        A packet which could not be identified for some reason: this
        includes running out of memory, and ICMP errors which do not
        correspond to any known connection. Generally these packets
        should be dropped.

  7.4.  Target specifications

  Now we know what examinations we can do on a packet, we need a way of
  saying what to do to the packets which match our tests. This is called
  a rule's target.

  There are two very simple built-in targets: DROP and ACCEPT. We have
  already met them. If a rule matches a packet and its target is one of
  these two, no further rules are consulted: the packet's fate has been
  decided.

  There are two types of target other than the built-in ones: extensions
  and user-defined chains.

  7.4.1.  User-defined chains

  One powerful feature which iptables inherits from ipchains is the
  ability for the user to create new chains, in addition to the three
  built-in ones (INPUT, FORWARD and OUTPUT). By convention, user-defined
  chains are lower-case to distinguish them (we describe how to create
  them below in ``Operations on an entire chain'').

  When a packet matches a rule whose target is a user-defined chain, the
  packet begins traversing the rules in that chain. If that chain does
  not decide the fate of the packet, then once traversal of it has
  finished, traversal resumes at the next rule in the current chain.

  Time for more ASCII art. Consider two (silly) chains: INPUT (the
  built-in chain) and test (a user-defined chain).

                 `INPUT'                         `test'
                ----------------------------    ----------------------------
                | Rule1: -p ICMP -j DROP   |    | Rule1: -s 192.168.1.1    |
                |--------------------------|    |--------------------------|
                | Rule2: -p TCP -j test    |    | Rule2: -d 192.168.1.1    |
                |--------------------------|    ----------------------------
                | Rule3: -p UDP -j DROP    |
                ----------------------------

  Consider a TCP packet coming from 192.168.1.1, going to 1.2.3.4. It
  enters the INPUT chain and is tested against Rule1: no match. Rule2
  matches, and its target is test, so the next rule examined is the
  start of test. Rule1 in test matches, but does not specify a target,
  so the next rule is examined: Rule2. This does not match, so we have
  reached the end of the chain. We return to the INPUT chain, where we
  had just examined Rule2, so we now examine Rule3, which does not
  match either.

  So the packet path is:

                                       v    __________________________
                `INPUT'                |   /    `test'                v
               ------------------------|--/    -----------------------|----
               | Rule1                 | /|    | Rule1                |   |
               |-----------------------|/-|    |----------------------|---|
               | Rule2                 /  |    | Rule2                |   |
               |--------------------------|    -----------------------v----
               | Rule3                 /--+___________________________/
               ------------------------|---
                                       v

  User-defined chains can jump to other user-defined chains (but do not
  make loops: your packets will be dropped if they are found to be in a
  loop).

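  The walk just described, as an added Python model that is not part of
  the HOWTO: it encodes the INPUT and test chains from the diagram, the
  '-p' and '-s'/'-d' tests (including the '/24' network and '!' forms of
  7.3.1 and 7.3.2), the return to the calling chain, the built-in
  chain's policy, RETURN, and the loop case that drops the packet. The
  packet dictionary and the rule tuples are this example's own
  conventions.

```python
import ipaddress

# Added model of chain traversal (not the HOWTO's own code); the rule tuples
# are the INPUT/test example drawn above. Rule = (proto, src, dst, target):
# None matches anything, a leading '!' inverts (7.3.2), target None = none.

def addr_match(spec, addr):
    """'-s'/'-d': host, '/24' or '/255.255.255.0' network, optional '!'."""
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("! "), strict=False)
    return (ipaddress.ip_address(addr) in net) != negate

def proto_match(spec, proto):
    """'-p': case-insensitive protocol name, optional '!'."""
    negate = spec.startswith("!")
    return (spec.lstrip("! ").lower() == proto.lower()) != negate

def rule_match(rule, pkt):
    proto, src, dst, _ = rule
    return ((proto is None or proto_match(proto, pkt["proto"]))
            and (src is None or addr_match(src, pkt["src"]))
            and (dst is None or addr_match(dst, pkt["dst"])))

def traverse(chains, policies, name, pkt, trace, active=()):
    """Walk chain `name`, logging 'chain:N'; return the verdict, or None
    when a user-defined chain falls off its end."""
    if name in active:                      # chain loop: packet is dropped
        trace.append(f"{name}:loop")
        return "DROP"
    for n, rule in enumerate(chains[name], 1):
        trace.append(f"{name}:{n}")
        target = rule[3] if rule_match(rule, pkt) else None
        if target is None:                  # no match, or no target: carry on
            continue
        if target in ("ACCEPT", "DROP"):    # fate decided, stop everywhere
            return target
        if target == "RETURN":              # same as falling off the end
            break
        verdict = traverse(chains, policies, target, pkt, trace, active + (name,))
        if verdict is not None:             # the user chain decided it
            return verdict
    if name in policies:                    # built-in chain: apply policy
        trace.append(f"{name}:policy")
        return policies[name]
    return None                             # user chain: resume in caller

CHAINS = {"INPUT": [("ICMP", None, None, "DROP"), ("TCP", None, None, "test"),
                    ("UDP", None, None, "DROP")],
          "test": [(None, "192.168.1.1", None, None),
                   (None, None, "192.168.1.1", None)]}
POLICIES = {"INPUT": "ACCEPT"}

def walk(pkt, chains=CHAINS, policies=POLICIES):
    trace = []                              # returns (verdict, trace)
    return traverse(chains, policies, "INPUT", pkt, trace), trace
```
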
  7.4.2.  Extensions to iptables: new targets

  The other type of extension is a target. A target extension consists
  of a kernel module, and an optional extension to iptables to provide
  new command-line options. There are several extensions in the default
  netfilter distribution:

     LOG
        This module provides kernel logging of matching packets. It
        provides two additional options:

        --log-level
           Followed by a level number or name. Valid names are the
           syslog level names (case-insensitive), from 'debug' (7)
           down to level 0. See the man page for syslog.conf for an
           explanation of these levels.

        --log-prefix
           Followed by a string of up to 14 characters, which is placed
           at the start of the log message so that it can be uniquely
           identified.

        This module is most useful after a 'limit' match, so that you
        do not flood your logs.

     REJECT
        This module has the same effect as 'DROP', except that the
        sender is sent an ICMP 'port unreachable' error message. Note
        that the ICMP error message is not sent if (see RFC 1122):

     o  the packet being filtered was an ICMP error message in the first
        place, or some unknown ICMP type;

     o  the packet being filtered was a non-head fragment;

     o  we have sent too many ICMP error messages to that destination
        recently.

        REJECT also takes a '--reject-with' optional argument which
        alters the reply packet used: see the manual page.

  7.4.3.  Special built-in targets

  There are two special built-in targets: RETURN and QUEUE.

  RETURN has the same effect as falling off the end of a chain: for a
  rule in a built-in chain, the policy of the chain is applied. For a
  rule in a user-defined chain, traversal continues in the previous
  chain, just after the rule which jumped to this chain.

  QUEUE is a special target which queues the packet for processing in
  userspace. If no userspace process is waiting for the packet (i.e.
  there is no program listening for it), the packet is DROPped.

  7.5.  Operations on an entire chain

  A very useful feature of iptables is the ability to group related
  rules into chains. You can call the chains whatever you want, but I
  recommend using lower-case letters to avoid confusion with the
  built-in chains and targets. Chain names can be up to 16 letters long.

  7.5.1.  Creating a new chain

  Let us create a new chain. Because I am such an imaginative fellow, I
  will call it test. We use the '-N' or '--new-chain' option:

       # iptables -N test
       #

  It is that simple. Now you can put rules in it, as detailed above.

  7.5.2.  Deleting a chain

  Deleting a chain is just as simple, using the '-X' or '--delete-chain'
  option:

       # iptables -X test
       #

  There are a couple of restrictions on deleting chains: the chain must
  be empty (see ``Flushing a chain'' below), and it must not be the
  target of any rule. You cannot delete any of the three built-in
  chains.

  If you do not specify a chain, all user-defined chains are deleted, if
  possible.

  7.5.3.  Flushing a chain

  There is a simple way of emptying all the rules out of a chain: the
  '-F' (or '--flush') command.

               # iptables -F FORWARD
               #

  If you do not specify a chain, all chains are flushed.

  7.5.4.  Listing a chain

  You can list all the rules in a chain with the '-L' (or '--list')
  command.

  The 'refcnt' listed for each user-defined chain is the number of rules
  which have that chain as their target. This must be zero (and the
  chain must be empty) before the chain can be deleted.

  If the chain name is omitted, all chains are listed, even empty ones.

  The '-n' (numeric) option is very useful, as it stops iptables from
  trying to look up IP addresses, which (if you use DNS, like most
  people) causes long delays if your DNS is not set up properly or you
  have filtered out DNS requests. It also causes TCP and UDP ports to be
  printed as numbers rather than names.

  The '-v' (verbose) option shows all the details of the rules, such as
  the packet and byte counters.

  Packet and byte counters are printed with the suffixes 'K' (1000),
  'M' (1,000,000) and 'G' (1,000,000,000). Using the '-x' (expand
  numbers) flag as well prints the full numbers, however large they are.

  7.5.5.  Resetting (zeroing) counters

  It is useful to be able to reset the counters. This is done with the
  '-Z' (or '--zero') option.

  The problem with this is that sometimes you need to know the counter
  values immediately before they are reset; some packets could pass
  through between separate '-L' and '-Z' commands. For this reason you
  can use '-L' and '-Z' together, to reset the counters while reading
  them.

  7.5.6.  Setting policy

  We glossed over what happens when a packet hits the end of a built-in
  chain when we discussed how a packet walks through chains earlier. In
  this case, the policy of the chain determines the fate of the packet.
  Only built-in chains (INPUT, OUTPUT and FORWARD) have policies,
  because if a packet falls off the end of a user-defined chain,
  traversal resumes at the previous chain.

  The policy can be either ACCEPT or DROP.

  7.5.7.  Using ipchains and ipfwadm

  There are ipchains.o and ipfwadm.o modules in the netfilter
  distribution. Insert one of them into your kernel, and you can use
  ipchains or ipfwadm just like the good old days. (NOTE: they are NOT
  compatible with iptables.o, ip_conntrack.o or ip_nat.o!)

  This will be supported for some time. I think a reasonable formula is
  2 * [the date the replacement was announced - the date of the first
  release], added to the date of the replacement's stable release.

  So, for ipfwadm, support lasts until:

       2 * [October 1997 (2.1.102 release) - March 1995 (ipfwadm 1.0)]
               + January 1999 (2.2.0 release)
           = November 2003.

  And for ipchains, support lasts until:

       2 * [August 1999 (2.3.15 release) - October 1997 (2.2.0 release)]
               + January 2000 (2.3.0 release?)
           = September 2003.

  So you will not need to update until 2004 or so.

  8.  Differences between iptables and ipchains

  o  Firstly, the names of the built-in chains have changed from lower
     case to UPPER case, because the INPUT and OUTPUT chains now only
     see locally destined and locally generated packets. They used to
     see all incoming and all outgoing packets respectively.

  o  The '-i' flag now means the incoming interface, and only works in
     the INPUT and FORWARD chains. Rules in the FORWARD or OUTPUT chains
     which used '-i' should be changed to '-o'.

  o  TCP and UDP ports now need to be spelled out with the
     --source-port or --sport (or --destination-port / --dport)
     options, which must be placed after the '-p tcp' or '-p udp'
     option, as this is what loads the TCP or UDP extension (you may
     have to insert the ipt_tcp and ipt_udp modules manually).

  o  The TCP -y flag is now --syn, and must come after '-p tcp'.

  o  The DENY target is finally DROP.

  o  Zeroing single chains while listing them works.

  o  Zeroing built-in chains also clears the policy counters.

  o  Listing chains gives the counters as an atomic snapshot.

  o  REJECT and LOG are now extended targets, meaning they are separate
     kernel modules.

  o  Chain names can be up to 16 characters long.

  o  MASQ and REDIRECT are no longer targets; iptables does not alter
     packets. There is a separate NAT infrastructure for that: read the
     ipnatctl HOWTO.

  o  Other things I have forgotten to mention.

