iptables

Language: ja

Version: 55223 (openSuse - 09/10/07)

Section: 8 (Administrator commands)

NAME

iptables - administration tool for IPv4 packet filtering and NAT

SYNOPSIS

iptables [-t table] -[AD] chain rule-specification [options]
iptables [-t table] -I chain [rulenum] rule-specification [options]
iptables [-t table] -R chain rulenum rule-specification [options]
iptables [-t table] -D chain rulenum [options]
iptables [-t table] -[LFZ] [chain] [options]
iptables [-t table] -N chain
iptables [-t table] -X [chain]
iptables [-t table] -P chain target [options]
iptables [-t table] -E old-chain-name new-chain-name

DESCRIPTION

iptables is used to set up, maintain, and inspect the tables of IP packet filter rules in the Linux kernel. Several different tables may be defined. Each table contains a number of built-in chains and may also contain user-defined chains.

Each chain is a list of rules which can match a set of packets. Each rule specifies what to do with a packet that matches. This is called a "target", which may be a jump to a user-defined chain in the same table.

TARGETS

A firewall rule specifies criteria for a packet and a target. If the packet does not match, the next rule in the chain is examined; if it does match, then the next rule is specified by the value of the target, which can be the name of a user-defined chain or one of the special values ACCEPT, DROP, QUEUE or RETURN.

ACCEPT means to let the packet through. DROP means to drop the packet on the floor (discard it). QUEUE means to pass the packet to userspace (if supported by the kernel). RETURN means stop traversing this chain and resume at the next rule in the previous (calling) chain. If the end of a built-in chain is reached, or a rule in a built-in chain with target RETURN is matched, the target specified by the chain policy determines the fate of the packet.

TABLES

There are currently three independent tables (which tables are present at any time depends on the kernel configuration options and on which modules are present).
-t, --table table
This option specifies the packet matching table which the command should operate on. If the kernel is configured with automatic module loading, an attempt will be made to load the appropriate module for that table if it is not already loaded.

The tables are as follows:

filter:
This is the default table (if no -t option is passed). It contains the built-in chains INPUT (for packets coming into the box itself), FORWARD (for packets being routed through the box), and OUTPUT (for locally-generated packets).
nat:
This table is consulted when a packet that creates a new connection is encountered. It consists of three built-in chains: PREROUTING (for altering packets as soon as they come in), OUTPUT (for altering locally-generated packets before routing), and POSTROUTING (for altering packets as they are about to go out).
mangle:
This table is used for specialized packet alteration. Until kernel 2.4.17 it had two built-in chains: PREROUTING (for altering incoming packets before routing) and OUTPUT (for altering locally-generated packets before routing). Since kernel 2.4.18, three other built-in chains are also supported: INPUT (for packets coming into the box itself), FORWARD (for altering packets being routed through the box), and POSTROUTING (for altering packets as they are about to go out).

OPTIONS

The options that are recognized by iptables can be divided into several different groups.

COMMANDS

These options specify the specific action to perform. Only one of them can be specified on the command line unless otherwise stated below. For all the long versions of the command and option names, you need to use only enough letters to ensure that iptables can differentiate it from all other options.
-A, --append chain rule-specification
Append one or more rules to the end of the selected chain. When the source and/or destination names resolve to more than one address, a rule will be added for each possible address combination.
-D, --delete chain rule-specification
-D, --delete chain rulenum
Delete one or more rules from the selected chain. There are two versions of this command: the rule can be specified as a number in the chain (starting at 1 for the first rule) or as a rule to match.
-I, --insert chain [rulenum] rule-specification
Insert one or more rules in the selected chain as the given rule number. So, if the rule number is 1, the rule or rules are inserted at the head of the chain. This is also the default if no rule number is specified.
-R, --replace chain rulenum rule-specification
Replace a rule in the selected chain. If the source and/or destination names resolve to multiple addresses, the command will fail. Rules are numbered starting at 1.
-L, --list [chain]
List all rules in the selected chain. If no chain is selected, all chains are listed. As with every other iptables command, it applies to the specified table (filter is the default), so NAT rules get listed by

 iptables -t nat -n -L

It is often used with the -n option, in order to avoid long reverse DNS lookups. It is legal to specify the -Z (zero) option as well, in which case the chain(s) are listed and (translator's note: their packet and byte counters are) zeroed. The exact output is affected by the other arguments given. The rules themselves are not shown unless you use

 iptables -L -v

(translator's note: that is, unless the -v option is given).
-F, --flush [chain]
Flush the selected chain (all the chains in the table if none is given). This is equivalent to deleting all the rules one by one.
-Z, --zero [chain]
Zero the packet and byte counters in all chains. It is legal to specify the -L, --list (list) option as well, to see the counters immediately before they are cleared (see above).
-N, --new-chain chain
Create a new user-defined chain by the given name. There must be no target of that name already.
-X, --delete-chain [chain]
Delete the specified user-defined chain. There must be no references to the chain; if there are, you must delete or replace the referring rules before the chain can be deleted. If no argument is given, it will attempt to delete every non-builtin chain in the table.
-P, --policy chain target
Set the policy for the chain to the given target. See the section TARGETS for the legal targets. Only built-in (non-user-defined) chains can have policies, and neither built-in nor user-defined chains can be policy targets.
-E, --rename-chain old-chain new-chain
Rename the user-specified chain to the user-supplied name. This is cosmetic, and has no effect on the structure of the table.
-h
Help. Give a (currently very brief) description of the command syntax.
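
The chain lifecycle that -N, -A, -L, -D, -F and -X describe, as an added example that is not part of the man page: a script creates a user-defined chain, hooks it into INPUT, lists it with unrounded counters, and tears it down in the only order that -X accepts. The chain name SSH_GUARD, the admin network 192.0.2.0/24 and the DRY_RUN convention are assumptions of this example; by default the script prints the iptables commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the man page. Chain name SSH_GUARD and the network
# 192.0.2.0/24 are hypothetical. DRY_RUN=1 (the default) prints each iptables
# command instead of executing it; run "DRY_RUN=0 ./chain.sh run" as root to
# apply the commands for real.
DRY_RUN="${DRY_RUN:-1}"
ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}"

# Wrapper: print the command line in dry-run mode, otherwise execute it.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# -N fails if a target of that name already exists, so this is not idempotent.
# A packet that matches nothing inside SSH_GUARD falls off its end and returns
# to INPUT (see TARGETS), so the final DROP makes the chain's decision explicit.
setup_chain() {
    ipt -N SSH_GUARD
    ipt -A SSH_GUARD -s "$ADMIN_NET" -j ACCEPT
    ipt -A SSH_GUARD -j DROP
    ipt -A INPUT -p tcp --dport 22 -j SSH_GUARD
}

# -n avoids reverse DNS lookups, -v adds interfaces and counters, -x prints
# the counters unrounded, --line-numbers shows the positions that -D and -I use.
list_chain() {
    ipt -t filter -n -v -x --line-numbers -L SSH_GUARD
}

# -X refuses to delete a chain that is still referenced, so the jump rule in
# INPUT is deleted first (by specification, the first form of -D), then -F
# empties the chain, and only then does -X remove it.
teardown_chain() {
    ipt -D INPUT -p tcp --dport 22 -j SSH_GUARD
    ipt -F SSH_GUARD
    ipt -X SSH_GUARD
}

if [ "${1:-}" = "run" ]; then
    setup_chain && list_chain && teardown_chain
fi
```

Running the script without arguments does nothing; with `run` it prints the three phases, and with `DRY_RUN=0 ./chain.sh run` it executes them, which is the point of keeping the dry-run default: the exact rule set can be reviewed before a live filter table is touched.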

PARAMETERS

The following parameters make up a rule specification (as used in the add, delete, insert, replace and append commands).
-p, --protocol [!] protocol
The protocol of the rule or of the packet to check. The specified protocol can be one of tcp, udp, icmp or all, or it can be a numeric value representing one of these protocols or a different one. A protocol name from /etc/protocols is also allowed. A "!" argument before the protocol inverts the test. The number zero is equivalent to all. Protocol all will match with all protocols and is taken as the default when this option is omitted.
-s, --source [!] address[/mask]
Source specification. address can be a hostname (specifying any name to be resolved with a remote query such as DNS is a really bad idea), a network IP address (with /mask), or a plain IP address. The mask can be either a network mask or a plain number specifying the number of 1's at the left side of the network mask. Thus, a mask of 24 is equivalent to 255.255.255.0. A "!" argument before the address specification inverts the sense of the address. The flag --src is an alias for this option.
-d, --destination [!] address[/mask]
Destination specification. See the description of the -s (source) flag for a detailed description of the syntax. The flag --dst is an alias for this option.
-j, --jump target
This specifies the target of the rule, i.e. what to do if the packet matches it. The target can be a user-defined chain (other than the one this rule is in), one of the special built-in targets which decide the fate of the packet immediately, or an extension (see TARGET EXTENSIONS below). If this option is omitted in a rule, then matching the rule will have no effect on the packet's fate, but the counters on the rule will be incremented.
-i, --in-interface [!] name
Name of an interface via which a packet is going to be received (only for packets entering the INPUT, FORWARD and PREROUTING chains). When the "!" argument is used before the interface name, the sense is inverted. If the interface name ends in a "+", then any interface which begins with this name will match. If this option is omitted, any interface name will match.
-o, --out-interface [!] name
Name of an interface via which a packet is going to be sent (only for packets entering the FORWARD, OUTPUT and POSTROUTING chains). When the "!" argument is used before the interface name, the sense is inverted. If the interface name ends in a "+", then any interface which begins with this name will match. If this option is omitted, any interface name will match.
[!] -f, --fragment
This means that the rule only refers to the second and further fragments of fragmented packets. Since there is no way to tell the source or destination ports of such a packet (or its ICMP type), such a packet will not match any rule which specifies them. When the "!" argument precedes the "-f" flag, the rule will only match head fragments or unfragmented packets.
-c, --set-counters PKTS BYTES
This enables the administrator to initialize the packet and byte counters of a rule (during insert, append and replace operations).

OTHER OPTIONS

The following additional options can be specified:
-v, --verbose
Verbose output. This option makes the list command show the interface name, the rule options (if any), and the TOS masks. The packet and byte counters are also listed, with the suffix 'K', 'M' or 'G' for 1000, 1,000,000 and 1,000,000,000 multipliers respectively (but see the -x flag to change this). For appending, insertion, deletion and replacement, this causes detailed information on the rule or rules to be printed.
-n, --numeric
Numeric output. IP addresses and port numbers will be printed in numeric format. By default, iptables will try to display them as host names, network names or services (whenever applicable).
-x, --exact
Expand numbers. Display the exact value of the packet and byte counters, instead of only the rounded number in K's (multiples of 1000), M's (multiples of 1000K) or G's (multiples of 1000M). This option is only relevant for the -L command.
--line-numbers
When listing rules, add line numbers to the beginning of each rule, corresponding to that rule's position in the chain.
--modprobe=command
When adding or inserting rules into a chain, use command to load any necessary modules (targets, match extensions, etc.).

MATCH EXTENSIONS

iptables can use extended packet matching modules. These are loaded in two ways: implicitly, when -p or --protocol is specified, or with the -m or --match option followed by the matching module name; after these, various extra command line options become available, depending on the specific module. You can specify multiple extended match modules in one line, and you can use the -h or --help option after the module has been specified to receive help specific to that module.

The following are included in the base package, and most of these can be preceded by a ! to invert the sense of the match.

ah

This module matches the SPI value in the AH header of IPSec packets.
--ahspi [!] spi[:spi]

conntrack

This module, when combined with connection tracking, allows access to more connection tracking information about the packet than the "state" match does (this module is present only if iptables was compiled under a kernel supporting this feature).
--ctstate state
state is a comma-separated list of the connection states to match. Possible states are: INVALID, meaning that the packet could not be identified for some reason, such as running out of memory or an ICMP error which does not correspond to any known connection; ESTABLISHED, meaning that the packet is associated with a connection which has seen packets in both directions; NEW, meaning that the packet has started a new connection, or is otherwise associated with a connection which has not seen packets in both directions; RELATED, meaning that the packet is starting a new connection but is associated with an existing connection, such as an FTP data transfer or an ICMP error; SNAT, a virtual state, matching if the original source address differs from the reply destination; DNAT, a virtual state, matching if the original destination differs from the reply source.
--ctproto proto
Match against the given protocol (by name or number).
--ctorigsrc [!] address[/mask]
Match against the original source address.
--ctorigdst [!] address[/mask]
Match against the original destination address.
--ctreplsrc [!] address[/mask]
Match against the reply source address.
--ctrepldst [!] address[/mask]
Match against the reply destination address.
--ctstatus [NONE|EXPECTED|SEEN_REPLY|ASSURED][,...]
Match against the internal connection tracking states.
--ctexpire time[:time]
Match the remaining lifetime in seconds against the given value or range of values (inclusive).

dscp

This module matches the 6-bit DSCP field within the TOS field in the IP header. DSCP has superseded TOS within the IETF.
--dscp value
Match against a numeric (decimal or hex) value [0-32].
--dscp-class DiffServ Class
Match the DiffServ class. The value may be any of the BE, EF, AFxx or CSx classes. This is equivalent to specifying the corresponding numeric value.

esp

This module matches the SPI value in the ESP header of IPSec packets.
--espspi [!] spi[:spi]

helper

This module matches packets related to a specific connection tracking helper module.
--helper string
Matches packets related to the specified connection tracking helper module.

string can be "ftp" for packets related to an ftp session on the default port. For other ports, append "-portnr" to the value, i.e. "ftp-2121".
The same rules apply to the other connection tracking helpers.

icmp

This extension is loaded if `--protocol icmp' is specified. It provides the following option:
--icmp-type [!] typename
This allows specification of the ICMP type, which can be a numeric ICMP type, or one of the ICMP type names shown by the command

 iptables -p icmp -h

length

This module matches the length of a packet against a specific value or range of values.
--length length[:length]

limit

This module matches at a limited rate using a token bucket filter. A rule using this extension will match until this limit is reached (unless the `!' flag is used). It can be used in combination with the LOG target to give limited logging, for example.
--limit rate
Maximum average matching rate: specified as a number, with an optional `/second', `/minute', `/hour' or `/day' suffix; the default is 3/hour.
--limit-burst number
Maximum initial number of packets to match: this number gets recharged by one every time the limit specified above is not reached, up to this number; the default is 5.

mac

--mac-source [!] address
Match the source MAC address. It must be of the form XX:XX:XX:XX:XX:XX. Note that this only makes sense for packets coming from an Ethernet device and entering the PREROUTING, FORWARD or INPUT chains.

mark

This module matches the netfilter mark field associated with a packet (which can be set using the MARK target below).
--mark value[/mask]
Matches packets with the given unsigned mark value (if a mask is specified, this is logically ANDed with the mask before the comparison).

multiport

This module matches a set of source or destination ports. Up to 15 ports can be specified. It can only be used in conjunction with -p tcp or -p udp.
--source-ports port[,port[,port...]]
Match if the source port is one of the given ports. The flag --sports is a convenient alias for this option.
--destination-ports port[,port[,port...]]
Match if the destination port is one of the given ports. The flag --dports is a convenient alias for this option.
--ports port[,port[,port...]]
Match if both the source and destination ports are equal to each other and to one of the given ports.

owner

This module attempts to match various characteristics of the packet creator, for locally-generated packets. It is only valid in the OUTPUT chain, and even there some packets (such as ICMP ping responses) may have no owner, and hence never match.
--uid-owner userid
Matches if the packet was created by a process with the given effective user id.
--gid-owner groupid
Matches if the packet was created by a process with the given effective group id.
--pid-owner processid
Matches if the packet was created by a process with the given process id.
--sid-owner sessionid
Matches if the packet was created by a process in the given session group.
--cmd-owner name
Matches if the packet was created by a process with the given command name (this option is present only if iptables was compiled under a kernel supporting this feature).

physdev

This module matches on the bridge port input and output devices enslaved to a bridge device. This module is part of the infrastructure that enables a transparent bridging IP firewall and is only useful for kernel versions above 2.5.44.
--physdev-in name
Name of a bridge port via which a packet is received (only for packets entering the INPUT, FORWARD and PREROUTING chains). If the interface name ends in a "+", then any interface which begins with this name will match. If the packet did not arrive through a bridge device, it will not match this option, unless '!' is used.
--physdev-out name
Name of a bridge port via which a packet is going to be sent (only for packets entering the FORWARD, OUTPUT and POSTROUTING chains). If the interface name ends in a "+", then any interface which begins with this name will match. Note that in the nat and mangle OUTPUT chains one cannot match on the bridge output port; in the filter OUTPUT chain one can. If the packet will not leave by a bridge device, or it is not yet known what the output device will be, then the packet will not match this option, unless '!' is used.
--physdev-is-in
Matches if the packet has entered through a bridge interface.
--physdev-is-out
Matches if the packet will leave through a bridge interface.
--physdev-is-bridged
Matches if the packet is being bridged and therefore is not being routed. This is only useful in the FORWARD and POSTROUTING chains.

pkttype

This module matches the link-layer packet type.
--pkt-type [unicast|broadcast|multicast]

state

This module, when combined with connection tracking, allows access to the connection tracking state for this packet.
--state state
state is a comma-separated list of the connection states to match. Possible states are: INVALID, meaning that the packet is associated with no known connection; ESTABLISHED, meaning that the packet is associated with a connection which has seen packets in both directions; NEW, meaning that the packet has started a new connection, or is otherwise associated with a connection which has not seen packets in both directions; RELATED, meaning that the packet is starting a new connection but is associated with an existing connection, such as an FTP data transfer or an ICMP error.

tcp

These extensions are loaded if `--protocol tcp' is specified. They provide the following options:
--source-port [!] port[:port]
Source port or port range specification. This can either be a service name or a port number. An inclusive range can also be specified, using the format port:port. If the first port is omitted, "0" is assumed; if the last is omitted, "65535" is assumed. If the first port is greater than the second one they will be swapped. The flag --sport is a convenient alias for this option.
--destination-port [!] port[:port]
Destination port or port range specification. The flag --dport is a convenient alias for this option.
--tcp-flags [!] mask comp
Match when the TCP flags are as specified. The first argument is the flags which should be examined, written as a comma-separated list, and the second argument is a comma-separated list of flags which must be set. Flags are: SYN ACK FIN RST URG PSH ALL NONE. Hence the command

 iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN

will only match packets with the SYN flag set and the ACK, FIN and RST flags unset.
[!] --syn
Only match TCP packets with the SYN bit set and the ACK and RST bits cleared. Such packets are used to request TCP connection initiation; for example, blocking such packets coming in on an interface will prevent incoming TCP connections, but outgoing TCP connections will be unaffected. It is equivalent to --tcp-flags SYN,RST,ACK SYN. If the "!" flag precedes "--syn", only TCP packets with the SYN bit cleared and the ACK and RST bits set are matched.
--tcp-option [!] number
Match if the TCP option is set.
--mss value[:value]
Match TCP SYN or SYN/ACK packets with the specified MSS value (or range), which controls the maximum packet size for that connection.

tos

This module matches the 8 bits of the Type of Service field in the IP header (i.e. including the precedence bits).
--tos tos
The argument is either a standard name (use

 iptables -m tos -h

to see the list) or a numeric value to match.

ttl

This module matches the time to live field in the IP header.
--ttl ttl
Matches the given TTL value.

udp

These extensions are loaded if `--protocol udp' is specified. They provide the following options:
--source-port [!] port[:port]
Source port or port range specification. See the description of the --source-port option of the TCP extension for details.
--destination-port [!] port[:port]
Destination port or port range specification. See the description of the --destination-port option of the TCP extension for details.

unclean

This module takes no options, but attempts to match packets which seem malformed or unusual. This is regarded as experimental.

TARGET EXTENSIONS

iptables can use extended target modules: the following are included in the standard distribution.

DNAT

This target is only valid in the nat table, in the PREROUTING and OUTPUT chains, and in user-defined chains which are only called from those chains. It specifies that the destination address of the packet should be modified (and all future packets in this connection will also be mangled), and rules should cease being examined. It takes one type of option:
--to-destination ipaddr[-ipaddr][:port-port]
This can specify a single new destination IP address or an inclusive range of IP addresses, and optionally a port range (which is only valid if the rule also specifies -p tcp or -p udp). If no port range is specified, then the destination port will never be modified.

You can add several --to-destination options. If you specify more than one destination address, either via an address range or via multiple --to-destination options, simple round-robin (one after another in a cycle) load balancing takes place between these addresses.

DSCP

This target allows the value of the DSCP bits within the TOS header of the IPv4 packet to be altered. As this manipulates a packet, it can only be used in the mangle table.
--set-dscp value
Set the DSCP field to a numeric value (decimal or hex).
--set-dscp-class class
Set the DSCP field to a DiffServ class.

ECN

This target allows selectively working around known ECN blackholes. It can only be used in the mangle table.
--ecn-tcp-remove
Remove all ECN bits (translator's note: the ECE/CWR flags) from the TCP header. Of course, it can only be used in conjunction with -p tcp.

LOG

Turn on kernel logging of matching packets. When this option is set for a rule, the Linux kernel will print some information on all matching packets (like most IP header fields) via the kernel log (where it can be read with dmesg or syslogd(8)). This is a "non-terminating target", i.e. rule traversal continues at the next rule. So if you want to LOG the packets you refuse, use two separate rules with the same matching criteria, the first using target LOG and the second DROP (or REJECT).
--log-level level
Level of logging (numeric, or (translator's note: for names) see syslog.conf(5)).
--log-prefix prefix
Prefix log messages with the specified prefix; up to 29 characters long, and useful for distinguishing messages in the logs.
--log-tcp-sequence
Log TCP sequence numbers. This is a security risk if the log is readable by users.
--log-tcp-options
Log options from the TCP packet header.
--log-ip-options
Log options from the IP packet header.
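
The LOG output described above is only worth producing if something reads it. As an added example that is not part of the man page, the following shell/awk script summarises kernel log lines written by a LOG rule: drops per source, drops per protocol/port, and sources that touched several ports. The sample lines are constructed for this example in the field layout the LOG target writes (IN=, OUT=, SRC=, DST=, PROTO=, SPT=, DPT=); the prefix "IPT-DROP: ", the addresses and the log path are hypothetical.

```shell
#!/bin/sh
# Added example, not from the man page. SAMPLE_LOG is constructed test data in
# the LOG target's field layout; the prefix "IPT-DROP: " and all addresses are
# hypothetical. On a real system, feed the functions with something like
#   grep 'IPT-DROP:' /var/log/kern.log | count_drops_by_source
SAMPLE_LOG='Jan  1 12:00:01 gw kernel: IPT-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=52 ID=0 DF PROTO=TCP SPT=40000 DPT=22 SYN URGP=0
Jan  1 12:00:02 gw kernel: IPT-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=52 ID=0 DF PROTO=TCP SPT=40001 DPT=23 SYN URGP=0
Jan  1 12:00:03 gw kernel: IPT-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TTL=60 ID=0 DF PROTO=TCP SPT=1234 DPT=22 SYN URGP=0
Jan  1 12:00:04 gw kernel: IPT-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=28 TTL=52 ID=0 PROTO=UDP SPT=5353 DPT=161 LEN=8
Jan  1 12:00:05 gw kernel: IPT-ACCEPT: IN=eth0 OUT= SRC=192.0.2.20 DST=192.0.2.10 LEN=60 TTL=64 ID=0 DF PROTO=TCP SPT=5000 DPT=22 SYN URGP=0'

# Print "count source" lines, busiest source first, for lines carrying the
# given --log-prefix (default IPT-DROP:). Fields are located by name, so the
# exact set of header fields in the line does not matter.
count_drops_by_source() {
    prefix="${1:-IPT-DROP:}"
    awk -v pfx="$prefix" '
        index($0, pfx) == 0 { next }
        {
            src = ""
            for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) src = substr($i, 5)
            if (src != "") n[src]++
        }
        END { for (s in n) printf "%d %s\n", n[s], s }
    ' | sort -rn
}

# Print "count PROTO/dport" lines so the services being probed stand out.
count_drops_by_port() {
    prefix="${1:-IPT-DROP:}"
    awk -v pfx="$prefix" '
        index($0, pfx) == 0 { next }
        {
            proto = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
                if ($i ~ /^DPT=/)   dpt = substr($i, 5)
            }
            if (proto != "" && dpt != "") n[proto "/" dpt]++
        }
        END { for (k in n) printf "%d %s\n", n[k], k }
    ' | sort -rn
}

# Sources that were dropped on at least N distinct destination ports: a crude
# but useful scan indicator to review alongside the per-port counts.
sources_scanning() {
    threshold="${1:-2}"
    awk -v t="$threshold" '
        index($0, "IPT-DROP:") == 0 { next }
        {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src != "" && dpt != "" && !((src, dpt) in seen)) {
                seen[src, dpt] = 1
                ports[src]++
            }
        }
        END { for (s in ports) if (ports[s] >= t) printf "%s %d\n", s, ports[s] }
    ' | sort
}

if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | count_drops_by_source
    printf '%s\n' "$SAMPLE_LOG" | count_drops_by_port
    printf '%s\n' "$SAMPLE_LOG" | sources_scanning 2
fi
```

Because LOG is non-terminating and a rate-limited LOG rule lets packets above the limit through to the DROP rule unlogged, these counts are a lower bound on what was dropped; they are good for spotting which sources and ports need attention, not for exact accounting.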

MARK

This is used to set the netfilter mark value associated with the packet. It is only valid in the mangle table. It can for example be used in conjunction with iproute2.
--set-mark mark

MASQUERADE

This target is only valid in the nat table, in the POSTROUTING chain. It should only be used with dynamically assigned IP (dialup) connections: if you have a static IP address, you should use the SNAT target. Masquerading is equivalent to specifying a mapping to the IP address of the interface the packet is going out, but also has the effect that connections are forgotten when the interface goes down. This is the correct behavior when the next dialup is unlikely to have the same interface address (and hence any established connections are lost anyway). It takes one option:
--to-ports port[-port]
This specifies a range of source ports to use, overriding the default SNAT source port selection heuristics (see above). This is only valid if the rule also specifies -p tcp or -p udp.

MIRROR

This is an experimental demonstration target which inverts the source and destination fields in the IP header and retransmits the packet. It is only valid in the INPUT, FORWARD and PREROUTING chains, and in user-defined chains which are only called from those chains. Note that the outgoing packets are not seen by any packet filtering chains, connection tracking or NAT, to avoid loops and other problems.

REDIRECT

This target is only valid in the nat table, in the PREROUTING and OUTPUT chains, and in user-defined chains which are only called from those chains. It alters the destination IP address of the packet to the machine's own IP address (locally-generated packets are mapped to the 127.0.0.1 address). It takes one option:
--to-ports port[-port]
This specifies a destination port, range of ports or several ports to use: without this, the destination port is never altered. This is only valid if the rule also specifies -p tcp or -p udp.

REJECT

This is used to send back an error packet in response to the matched packet: otherwise it is equivalent to DROP, so it is a terminating TARGET, ending rule traversal. This target is only valid in the INPUT, FORWARD and OUTPUT chains, and in user-defined chains which are only called from those chains. The following option controls the nature of the error packet returned:
--reject-with type
The type given can be

 icmp-net-unreachable

 icmp-host-unreachable

 icmp-port-unreachable

 icmp-proto-unreachable

 icmp-net-prohibited

 icmp-host-prohibited or

 icmp-admin-prohibited (*)

which return the appropriate ICMP error message (port-unreachable is the default). The option tcp-reset can be used on rules which only match the TCP protocol: this causes a TCP RST packet to be sent back. This is mainly useful for blocking ident (113/tcp) probes, which frequently occur when sending mail to broken mail hosts (which won't accept your mail otherwise).

(*) Using icmp-admin-prohibited with kernels that do not support it will result in a plain DROP instead of REJECT.
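
The state match, the limit match, --syn, the LOG-then-DROP rule pair and REJECT --reject-with tcp-reset for ident, combined into one minimal stateful host firewall, as an added example that is not part of the man page. The interface name eth0, the admin network 192.0.2.0/24 and the DRY_RUN convention are assumptions of this example; by default it prints the rules rather than applying them.

```shell
#!/bin/sh
# Added example, not from the man page: a minimal stateful host firewall built
# from the state, limit and tcp (--syn) matches and the LOG, DROP and REJECT
# targets. The interface name eth0 and the admin network 192.0.2.0/24 are
# hypothetical. DRY_RUN=1 (the default) prints the rules; DRY_RUN=0 applies
# them (requires root).
DRY_RUN="${DRY_RUN:-1}"
WAN_IF="${WAN_IF:-eth0}"
ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}"

# Print the command in dry-run mode (quoting arguments that contain spaces,
# such as the log prefix), otherwise execute it.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'iptables'
        for a in "$@"; do
            case $a in
                *' '*) printf " '%s'" "$a" ;;
                *)     printf ' %s' "$a" ;;
            esac
        done
        printf '\n'
    else
        iptables "$@"
    fi
}

build_host_firewall() {
    # Empty the filter table, then set policies: a packet that reaches the end
    # of a built-in chain without matching is handled by the policy (TARGETS).
    ipt -F
    ipt -X
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # Loopback traffic traverses both INPUT and OUTPUT; accept it up front.
    ipt -A INPUT -i lo -j ACCEPT

    # Replies to connections this host opened, plus RELATED traffic such as
    # ICMP errors and FTP data, are accepted before anything is logged.
    # INVALID packets belong to no known connection and are dropped silently.
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m state --state INVALID -j DROP

    # New SSH connections: --syn restricts the rule to the handshake's first
    # packet, and only the admin network may open one.
    ipt -A INPUT -i "$WAN_IF" -p tcp --dport 22 --syn -m state --state NEW \
        -s "$ADMIN_NET" -j ACCEPT

    # ident probes from mail servers get a TCP RST so their senders do not
    # wait for a timeout (REJECT --reject-with tcp-reset).
    ipt -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset

    # Everything else: LOG is non-terminating, so the DROP rule repeats the
    # same match. The limit match caps log volume under a flood; packets
    # above the limit skip the LOG rule but are still dropped by the next one.
    ipt -A INPUT -i "$WAN_IF" -m limit --limit 5/minute --limit-burst 10 \
        -j LOG --log-prefix "IPT-DROP: " --log-level 4
    ipt -A INPUT -i "$WAN_IF" -j DROP
}

if [ "${1:-}" = "apply" ]; then
    build_host_firewall
fi
```

The ESTABLISHED,RELATED rule sits before the logging rules on purpose: it is matched by the bulk of legitimate traffic, and placing it early keeps both the rule-evaluation cost and the kernel log small.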

SNAT

This target is only valid in the nat table, in the POSTROUTING chain. It specifies that the source address of the packet should be modified (and all future packets in this connection will also be mangled), and rules should cease being examined. It takes one type of option:
--to-source ipaddr[-ipaddr][:port-port]
This can specify a single new source IP address or an inclusive range of IP addresses, and optionally a port range (which is only valid if the rule also specifies -p tcp or -p udp). If no port range is specified, then source ports below 512 will be mapped to other ports below 512; those between 512 and 1023 inclusive will be mapped to ports below 1024, and other ports will be mapped to 1024 or above. Where possible, no port alteration will occur.

You can add several --to-source options. If you specify more than one source address, either via an address range or via multiple --to-source options, simple round-robin (one after another in a cycle) load balancing takes place between these addresses.

TCPMSS

This target allows the MSS value of TCP SYN packets to be altered, to control the maximum size for that connection (usually limiting it to your outgoing interface's MTU minus 40). Of course, it can only be used in conjunction with -p tcp.

This target is used to overcome criminally braindead ISPs or servers which block ICMP Fragmentation Needed packets. The symptoms of this problem are that everything works fine from your Linux firewall/router, but machines behind it can never exchange large packets:

1)
Web browsers connect, then hang with no data received.
2)
Small mail works fine, but large emails hang.
3)
ssh works fine, but scp hangs after the initial handshake.
Workaround: activate this option and add a rule to your firewall configuration like:

 iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
              -j TCPMSS --clamp-mss-to-pmtu

--set-mss value
Explicitly set the MSS option to the specified value.
--clamp-mss-to-pmtu
Automatically clamp the MSS value to (path_MTU - 40).

These options are mutually exclusive.
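
SNAT versus MASQUERADE, DNAT with the FORWARD rule it needs, and the TCPMSS clamp above, put together as a NAT gateway ruleset. This is an added example, not code from the man page; the interface names eth0/eth1, the LAN 10.0.0.0/24, the public address 198.51.100.1, the web server 10.0.0.80, the DRY_RUN convention and the ip_forward sysctl are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the man page: a NAT gateway that uses SNAT when the
# public address is static and MASQUERADE when it is dynamic, forwards TCP/80
# to an internal web server with DNAT, and applies the TCPMSS clamp. eth0,
# eth1, 10.0.0.0/24, 198.51.100.1 and 10.0.0.80 are hypothetical. DRY_RUN=1
# (the default) prints the rules; DRY_RUN=0 applies them (requires root).
DRY_RUN="${DRY_RUN:-1}"
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-10.0.0.0/24}"
PUBLIC_IP="${PUBLIC_IP:-}"        # empty: the WAN address is dynamic (dialup)
WEB_SERVER="${WEB_SERVER:-10.0.0.80}"

# Print the command in dry-run mode, otherwise execute it.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then printf 'iptables %s\n' "$*"; else iptables "$@"; fi
}

# Source NAT belongs in the nat table's POSTROUTING chain. SNAT keeps its
# mappings when the interface flaps; MASQUERADE forgets them when the
# interface goes down, which is the right thing when the address will change.
outbound_nat() {
    if [ -n "$PUBLIC_IP" ]; then
        ipt -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j SNAT --to-source "$PUBLIC_IP"
    else
        ipt -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
    fi
}

# FORWARD policy. The TCPMSS clamp is appended first on purpose: ACCEPT is a
# terminating target, so a clamp placed after the ACCEPT rules would never see
# the SYN packets it is meant to rewrite.
forward_policy() {
    ipt -P FORWARD DROP
    ipt -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -m state --state NEW -j ACCEPT
}

# DNAT rewrites the destination in PREROUTING, before routing. The rewritten
# packet then traverses the filter table's FORWARD chain, so it needs its own
# ACCEPT there or the DROP policy above discards it. The :port form is only
# valid with -p tcp or -p udp.
port_forward_web() {
    ipt -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 80 -j DNAT --to-destination "$WEB_SERVER:80"
    ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$WEB_SERVER" --dport 80 -m state --state NEW -j ACCEPT
}

build_gateway() {
    forward_policy
    port_forward_web
    outbound_nat
}

if [ "${1:-}" = "apply" ]; then
    # IP forwarding must be switched on as well; this sysctl is not covered by
    # the man page, it is the usual companion step on a Linux router.
    echo 1 > /proc/sys/net/ipv4/ip_forward
    build_gateway
fi
```

Set PUBLIC_IP to the static address to get the SNAT form; leave it empty for MASQUERADE. Either way the FORWARD chain, not the nat table, decides which connections are allowed: NAT only rewrites addresses, and a DNAT rule without a matching FORWARD ACCEPT forwards nothing.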

TOS

This is used to set the 8-bit Type of Service field in the IP header. It is only valid in the mangle table.
--set-tos tos
You can use a numeric TOS value, or one of the TOS names from the list of valid TOS names obtained by running

 iptables -j TOS -h

ULOG

This target provides userspace logging of matching packets. When this target is set for a rule, the Linux kernel will multicast this packet through a netlink socket. One or more userspace processes may then subscribe to various multicast groups and receive the packets. Like LOG, this is a "non-terminating target", i.e. rule traversal continues at the next rule.
--ulog-nlgroup nlgroup
This specifies the netlink group (1-32) to which the packet is sent. The default value is 1.
--ulog-prefix prefix
Prefix log messages with the specified prefix; up to 32 characters long, and useful for distinguishing messages in the logs.
--ulog-cprange size
Number of bytes to be copied to userspace. A value of 0 always copies the entire packet, regardless of its size. The default is 0.
--ulog-qthreshold size
Number of packets to queue inside the kernel. Setting this value to, e.g., 10 accumulates ten packets inside the kernel and transmits them as one netlink multipart message to userspace. The default is 1 (for backwards compatibility).

RETURN VALUE

Various error messages are printed to standard error. The exit code is 0 for correct functioning. Errors which appear to be caused by invalid command line parameters cause an exit code of 2, and other errors cause an exit code of 1.

BUGS

Bugs? What's this? ;-) Well... the counters are not reliable on sparc64.

COMPATIBILITY WITH IPCHAINS

This iptables is very similar to ipchains by Rusty Russell. The main difference is that the chains INPUT and OUTPUT are only traversed for packets coming into the local host and originating from the local host respectively. Hence every packet only passes through one of the three chains (except loopback traffic, which involves both the INPUT and OUTPUT chains); previously (with ipchains) a forwarded packet would pass through all three.

The other main difference is that -i refers to the input interface, -o refers to the output interface, and both are available for packets entering the FORWARD chain.

The various forms of NAT have been separated out; iptables is a pure packet filter when using the default "filter" table, with optional extension modules. This should simplify much of the previous confusion over the combination of IP masquerading and packet filtering. So the options

 -j MASQ

 -M -S

 -M -L

are handled differently. There are several other changes in iptables.

SEE ALSO

iptables-save(8), iptables-restore(8), ip6tables(8), ip6tables-save(8), ip6tables-restore(8). The packet-filtering-HOWTO details iptables usage for packet filtering, the NAT-HOWTO details NAT, the netfilter-extensions-HOWTO details the extensions that are not in the standard distribution, and the netfilter-hacking-HOWTO details the netfilter internals.

See http://www.netfilter.org/.

AUTHORS

Rusty Russell wrote iptables, in early consultation with Michael Neuling.

Marc Boucher made Rusty abandon ipnatctl by lobbying for a generic packet selection framework in iptables, then wrote the mangle table, the owner match and the mark stuff, and wrote excellent code that is used all over the place.

James Morris wrote the TOS target and the tos match.

Jozsef Kadlecsik wrote the REJECT target.

Harald Welte wrote the ULOG target, and the TTL, DSCP and ECN matches and targets.

The Netfilter Core Team is: Marc Boucher, Martin Josefsson, Jozsef Kadlecsik, James Morris, Harald Welte and Rusty Russell.

The man page was written by Herve Eychenne <rv@wallfire.org>.