<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
<META NAME="GENERATOR" CONTENT="SGML-Tools 1.0.9">
<TITLE>Linux IPCHAINS-HOWTO: IP �$B%U%!%$%"%&%)!<%j%s%0%A%'%$%s�(B</TITLE>
<LINK HREF="IPCHAINS-HOWTO-5.html" REL=next>
<LINK HREF="IPCHAINS-HOWTO-3.html" REL=previous>
<LINK HREF="IPCHAINS-HOWTO.html#toc4" REL=contents>
</HEAD>
<BODY>
<A HREF="IPCHAINS-HOWTO-5.html">�$B<!$N%Z!<%8�(B</A>
<A HREF="IPCHAINS-HOWTO-3.html">�$BA0$N%Z!<%8�(B</A>
<A HREF="IPCHAINS-HOWTO.html#toc4">�$BL\<!$X�(B</A>
<HR>
<H2><A NAME="core"></A> <A NAME="s4">4. IP �$B%U%!%$%"%&%)!<%j%s%0%A%'%$%s�(B</A></H2>
<P>�$B$3$N>O$O!"$"$J$?$NI,MW$K3p$&%Q%1%C%H%U%#%k%?$r9=C[$9$k$?$a$K!"<B:]$KCN$C$F$*$+$J$1$l$P$J$i$J$$$3$H$rA4$F@bL@$7$^$9!#�(B
<P>
<H2><A NAME="ss4.1">4.1 �$B$I$N$h$&$K%Q%1%C%H$,%U%#%k%?$rDL2a$9$k$N$+�(B</A>
</H2>
<P>�$B%+!<%M%k$O5/F0;~$K�(B 3�$B$D$N%k!<%k%j%9%H$rJ];}$7$F$$$^$9!#�(B
�$B$3$l$i$N%j%9%H$O�(B<B>�$B%U%!%$%"%&%)!<%k%A%'%$%s�(B</B>�$B!"$^$?$OC1$K�(B<B>�$B%A%'%$%s�(B</B>�$B$H8F$P$l$^$9!#�(B
3�$B$D$N%A%'%$%s$O!"�(B <B>input</B>, <B>output</B> �$B$=$7$F�(B <B>forward</B> �$B$H8F$P$l$^$9!#�(B
�$B%Q%1%C%H$,�(B (�$BNc$($P!"%$!<%5%M%C%H%+!<%I$rDL$8$F�(B) �$BF~$C$FMh$k$H!"%+!<%M%k$O$=$N%Q%1%C%H$N!V1?L?!W$r7hDj$9$k$?$a$K�(B <CODE>input</CODE> �$B%A%'%$%s$r;H$$$^$9!#�(B
�$B%Q%1%C%H$,$3$N%9%F%C%W$G@8$-;D$k$H!"%+!<%M%k$O%Q%1%C%H$r<!$K$I$3$KAw$k$+$r7hDj$7$^$9!#�(B(�$B$3$l$r�(B<B>�$B%k!<%F%#%s%0�(B</B>�$B$H8F$S$^$9!#�(B)
�$B%Q%1%C%H$,B>$N%^%7%s$X9T$/$HDj$a$i$l$F$$$k$J$i$P!"�(B <CODE>forward</CODE> �$B%A%'%$%s$rD4$Y$^$9!#�(B
�$B:G8e$K!"%Q%1%C%H$,=PNO$5$l$kA0$K!"%+!<%M%k$O�(B <CODE>output</CODE> �$B%A%'%$%s$rD4$Y$^$9!#�(B
<P>
<P>1�$B$D$N%A%'%$%s$OJ#?t$N�(B<B>�$B%k!<%k�(B</B>�$B$N%A%'%C%/%j%9%H$+$i9=@.$5$l$F$$$^$9!#�(B
�$B3F!9$N%k!<%k$O!V$b$7!"%Q%1%C%H$N%X%C%@!<$,$3$s$J$@$C$?$i!"%Q%1%C%H$r$3$N$h$&$K$7$J$5$$!W$H;X<($7$^$9!#�(B
�$B$b$7!"$"$k%k!<%k$,%Q%1%C%H$H%^%C%A$7$J$1$l$P!"%A%'%$%sFb$N<!$N%k!<%k$,D4$Y$i$l$^$9!#�(B
�$B:G=*E*$K!"D4$Y$k%k!<%k$,L5$/$J$C$?$i!"%+!<%M%k$O$=$N%A%'%$%s$N�(B<B>�$B%]%j%7!<�(B</B>(�$BJ}?K�(B)�$B$r8+$F2?$r$9$k$+7h$a$^$9!#�(B
�$B%;%-%e%j%F%#0U<1$N6/$$%7%9%F%`$G$O!"$3$N%]%j%7!<$OIaDL!"%Q%1%C%H$r�(B DROP �$B$9$k$h$&$K%+!<%M%k$K;X<($7$^$9!#�(B
<P>
<P>ASCII �$B%"!<%H%U%!%s$N$?$a$K!"%^%7%s$KF~Mh$9$k%Q%1%C%H$N40A4$JDL$jF;$r$3$3$K5-$7$^$9!#�(B
<P>(�$BLuCm�(B: �$B$3$NJ8=q$G$OF|K\8lJ8;z%3!<%I$rMQ$$$?�(B "JIS �$B%"!<%H�(B" �$B$r:n@.$7$F$*$j$^$9!#�(B<BR>
�$B$$$o$f$kA43QJ8;z$HH>3QJ8;z$,:.:_$9$k�(B "JIS �$B%"!<%H�(B" �$B$r!"�(B Netscape Navigator/Communicator �$B$d�(B Microsoft Internet Explorer �$B$GI=<($5$;$k$H!"H>3QJ8;z$NI}$HA43QJ8;z$NI}$NHf$,0lCW$7$J$$0Y$K!"!X%,%?%,%?$KJx$l$??^LL!Y$K$J$C$F$7$^$$$^$9!#�(B<BR>
html �$BHG�(B �$B$r8+$k:]$K$O!"�(B lynx �$B$d�(B w3m �$BEy$N%F%-%9%H%V%i%&%6$r$*A&$a$7$^$9!#�(B)
<P>
<PRE>
�$B(#(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!($�(B
�$B("�(B lo �$B%$%s%?!<%U%'!<%9("�(B
�$B("�(B ACCEPT/ �$B("�(B
�$B"-�(B REDIRECT �$B(.(,(,(,(,(,(/�(B �$B(#(!(!(!(!($�(B ACCEPT�$B("�(B
�$B"*%A"*@5"*(#(!(!(!(!($"*%^"*(-%k!<%F%#%s(-"*("�(Bforward �$B("(!(!"*(#(!(!(!(!($"*�(B
�$B%'�(B �$BEv�(B �$B("�(B input �$B("�(B �$B%9�(B �$B(-%0$N7hDj�(B �$B(-�(B �$B("%A%'%$%s("(#(!"*("�(B output �$B("�(B
�$B%C�(B �$B@-�(B �$B("%A%'%$%s("�(B �$B%+�(B �$B(1(,(,(,(,(,(0�(B �$B(&(!(!(!(!(%("(#"*("%A%'%$%s("�(B
�$B%/�(B �$B("�(B �$B(&(!(!(!(!(%�(B �$B%l�(B �$B("�(B �$B("�(B �$B("("�(B �$B(&(!(!(!(!(%�(B
�$B%5�(B �$B("�(B �$B("�(B �$B!<�(B �$B"-�(B �$B("�(B �$B("("�(B �$B("�(B
�$B%`�(B �$B("�(B �$B("�(B �$B%I�(B �$B%m!<%+%k%W%m%;%9�(B �$B"-�(B �$B("("�(B �$B"-�(B
�$B("�(B �$B"-�(B �$B"-�(B �$B30�(B �$B("�(B DENY/ �$B("("�(B DENY/
�$B("�(B DENY DENY/ �$B$7�(B �$B("�(B REJECT �$B("("�(B REJECT
�$B"-�(B REJECT �$B("�(B �$B("�(B �$B("("�(B
DENY �$B("�(B �$B(&(!(!(!(!(!(!(!(!(!(!(%("�(B
�$B(&(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(%�(B
</PRE>
�$B0J2<$K3F!9$NCJ3,$G$N@bL@$rC`0l5-$7$^$9!#�(B
<P>
<DL>
<DT><B>�$B%A%'%C%/%5%`�(B:</B><DD><P>�$B%Q%1%C%H$,4v$D$+$NJ}K!$K$F2u$5$l$F$$$J$$$+$r%F%9%H$7$^$9!#�(B
�$B%Q%1%C%H$,2u$l$F$$$l$P!"H]Dj$5$l$^$9!#�(B
<P>
<DT><B>�$B@5Ev@-�(B:</B><DD><P>�$B3F!9$N%U%!%$%"%&%)!<%k%A%'%$%s$NA0$K$=$l$i$N%Q%1%C%H$N@5Ev@-$N%A%'%C%/$,0l$D$"$j$^$9!#�(B
�$B$7$+$7!"�(B input �$B%A%'%$%s$N$=$l$,:G$b=EMW$G$9!#�(B
�$B4v$D$+$N0[>o$J%Q%1%C%H$O5,B'%A%'%C%/%3!<%I$r:.Mp$5$;$k62$l$,$"$j$^$9!#�(B
�$B$=$l$i$O$3$3$GH]Dj$5$l$^$9!#�(B
(�$B$3$l$,H/@8$9$k$H�(B syslog �$B$K%a%C%;!<%8$,5-O?$5$l$^$9!#�(B)
<P>
<DT><B>input �$B%A%'%$%s�(B:</B><DD><P>�$B%Q%1%C%H$,%F%9%H$5$l$k:G=i$N%U%!%$%"%&%)!<%k%A%'%$%s$G$9!#�(B
�$B%A%'%$%s$NH=CG$,�(B <CODE>DENY</CODE> (�$BH]Dj�(B) �$B$^$?$O�(B <CODE>REJECT</CODE> (�$B5q@d�(B) �$B$G$J$1$l$P!"�(B
�$B%Q%1%C%H$NF0$-$OB3$-$^$9!#�(B
<P>
<DT><B>�$B%G%^%9%+%l!<%I�(B(�$B%^%9%+%l!<%I30$7�(B):</B><DD><P>�$B%Q%1%C%H$,0JA0$K%^%9%+%l!<%I$5$l$?%Q%1%C%H$KBP$9$k1~Ez$J$i!"%^%9%+%l!<%I$,30$5$l!"�(B <CODE>output</CODE> �$B%A%'%$%s$^$G0l5$$K=hM}$rHt$P$7$^$9!#�(B
IP �$B%^%9%+%l!<%I$r;H$C$F$$$J$1$l$P!"0U?^E*$K>e5-$N?^$+$i>C5n$G$-$^$9!#�(B
<P>
<DT><B>�$B%k!<%F%#%s%0$N7hDj�(B:</B><DD><P>(�$B%Q%1%C%HCf$N�(B)�$B08@h%U%#!<%k%I$O%k!<%F%#%s%0%3!<%I$K$h$C$F!"$3$N%Q%1%C%H$,%m!<%+%k%W%m%;%9$K9T$/$Y$-$J$N$+�(B (�$B%m!<%+%k%W%m%;%9$N>O$r;2>H$7$F2<$5$$�(B) �$B!"%j%b!<%H%^%7%s$KE>Aw$5$l$k$N$+�(B (�$B%U%)%o!<%I%A%'%$%s$N>O$r;2>H$7$F2<$5$$�(B) �$B$r7hDj$9$k$?$a$KD4$Y$i$l$^$9!#�(B
<P>
<DT><B>�$B%m!<%+%k%W%m%;%9�(B:</B><DD><P>�$B%^%7%s>e$G2TF/$9$k%W%m%;%9$O%k!<%F%#%s%0$N7hDj$NCJ3,$N8e$N%Q%1%C%H$r<u$1<h$l$k$H6&$K!"%Q%1%C%H$rAw?.$G$-$^$9!#�(B
(�$BAw?.%Q%1%C%H$O%k!<%F%#%s%07hDj%9%F%C%W$r7P$F!"�(B output �$B%A%'%$%s$rDL2a$7$^$9!#�(B)
<P>
<DT><B>lo �$B%$%s%?!<%U%'!<%9�(B:</B><DD><P>�$B%m!<%+%k%W%m%;%9$+$i$N%Q%1%C%H$,%m!<%+%k%W%m%;%9$K9T$/$b$N$J$i$P!"$=$l$i$O�(B `lo' �$B$H@_Dj$5$l$?%$%s%?!<%U%'!<%9$G�(B output �$B%A%'%$%s$rDL$jH4$1!":F$S�(B `lo' �$B%$%s%?!<%U%'!<%9$G�(B input �$B%A%'%$%s$KF~$j$^$9!#�(B
lo �$B%$%s%?!<%U%'!<%9$ODL>o%k!<%W%P%C%/%$%s%?!<%U%'!<%9$H8F$P$l$^$9!#�(B
<P>
<DT><B>�$B%m!<%+%k�(B:</B><DD><P>�$B%Q%1%C%H$,%m!<%+%k%W%m%;%9$G@8@.$5$l$?$b$N$G$J$$$J$i!"�(B forward �$B%A%'%$%s$,%A%'%C%/$5$l!"$5$b$J$/$P!"%Q%1%C%H$O�(B output �$B%A%'%$%s$X9T$-$^$9!#�(B
<P>
<DT><B>forward �$B%A%'%$%s�(B:</B><DD><P>�$B$3$N%A%'%$%s$K$O$3$N%^%7%s$+$iB>$XE>Aw$5$l$kA4$F$N%Q%1%C%H$,DL2a$7$^$9!#�(B
<P>
<DT><B>output �$B%A%'%$%s�(B:</B><DD><P>�$B$3$N%A%'%$%s$K$O=PNO$5$l$kD>A0$NA4$F$N%Q%1%C%H$,DL2a$7$^$9!#�(B
</DL>
<P>
<H3>ipchains �$B$r;H$&�(B</H3>
<P>�$B@h$:!"$3$NJ8=q$K$F07$&$*<j;}$A$N�(B ipchains �$B$N%P!<%8%g%s$r!"0J2<$N$h$&$K;2>H$7$^$7$g$&�(B:
<P>
<BLOCKQUOTE><CODE>
<PRE>
$ ipchains --version
ipchains 1.3.9, 17-Mar-1999
</PRE>
</CODE></BLOCKQUOTE>
<P>
<P>�$BCm5-$H$7$F!"�(B1.3.4 (`--sport' �$B$N$h$&$JD9$$%*%W%7%g%s$,$"$j$^$;$s�(B) �$B$+!"�(B 1.3.8 �$B0J9_$r$*A&$a$7$^$9�(B; �$B$3$l$i$OBgJQ0BDj$7$F$$$^$9!#�(B
<P>
<P>�$B8D!9$N;v9`$K$D$$$F$N$b$C$H>\$7$$@bL@$,I,MW$J$i!"�(Bipchains �$B$K$O$+$J$j>\$7$$%^%K%e%"%k%Z!<%8�(B (<CODE>man ipchains</CODE>) �$B$,$"$j$^$9!#�(B
�$BFC$K>\$7$/FbMF$rCN$j$?$$$J$i!"%W%m%0%i%_%s%0%$%s%?!<%U%'!<%9�(B(<CODE>man 4 ipfw</CODE>) �$B$+!"0?$O�(B 2.1.x �$B$N%+!<%M%k%=!<%9Fb$N�(B <CODE>net/ipv4/ip_fw.c</CODE> �$B%U%!%$%k$rD4$Y$k$HNI$$$G$7$g$&!#�(B
�$B$3$l$i$O�(B (�$BL@$i$+$K�(B) �$B?.Mj$G$-$^$9!#�(B
<P>
<P>�$B%=!<%9%Q%C%1!<%8$K$O�(B Scott Bronson �$B$K$h$kAG@2$i$7$$%/%#%C%/%j%U%!%l%s%9%+!<%I$b$"$j$^$9!#�(B
A4�$BH=$^$?$O�(B US �$B%l%?!<%5%$%:$N�(B PostScript(TM) �$B$NN>J}$,$"$j$^$9!#�(B
<P>
<P><CODE>ipchains</CODE> �$B$r;H$C$F?'!9$J$3$H$,$G$-$^$9!#�(B
�$B@h$:!"A4BN$N%A%'%$%s$r4IM}$9$kA`:n!#�(B
�$B$"$J$?$O�(B 3�$B$D$NAH$_9~$_:Q$_%A%'%$%s$G$"$k!"�(B <CODE>input</CODE>, <CODE>output</CODE>, <CODE>forward</CODE> (�$B$3$l$i$O:o=|$G$-$^$;$s�(B)�$B$+$i;O$a$^$9!#�(B
<P>
<OL>
<LI> �$B?7$7$$%A%'%$%s$r:n$k�(B (-N)</LI>
<LI> �$B6u$N%A%'%$%s$r:o=|$9$k�(B (-X)</LI>
<LI> �$BAH$_9~$_:Q$_%A%'%$%s$N%]%j%7!<$rJQ99$9$k�(B (-P)</LI>
<LI> �$B%A%'%$%sFb$N%k!<%k$r%j%9%H%"%C%W$9$k�(B (-L)</LI>
<LI> �$B%A%'%$%s$+$i%k!<%k$rA4$F>C$75n$k�(B (-F)</LI>
<LI> �$B%A%'%$%sFb$NA4$F$N%k!<%k$N%Q%1%C%H$H%P%$%H$N%+%&%s%?!<$r%<%m$K$9$k�(B (-Z)</LI>
</OL>
<P>�$B%A%'%$%sFb$N%k!<%k$rA`:n$9$k$K$OMM!9$JJ}K!$,$"$j$^$9�(B:
<P>
<OL>
<LI> �$B%A%'%$%s$K?7$7$$%k!<%k$rDI2C$9$k�(B (-A)</LI>
<LI> �$B%A%'%$%sFb$N$"$k0LCV$K?7$7$$%k!<%k$rA^F~$9$k�(B (-I)</LI>
<LI> �$B%A%'%$%sFb$N$"$k0LCV$N%k!<%k$rCV$-49$($k�(B (-R)</LI>
<LI> �$B%A%'%$%sFb$N$"$k0LCV$N%k!<%k$r:o=|$9$k�(B (-D)</LI>
<LI> �$B%A%'%$%sFb$NE,9g$7$?:G=i$N%k!<%k$r:o=|$9$k�(B (-D)</LI>
</OL>
<P>�$B%^%9%+%l!<%G%#%s%0$K4X$9$kA`:n$,>/$J$$$J$,$i$"$j$^$9!#�(B
�$B$=$l$i$rG[CV$9$k$KAj1~$7$$>l=j$NMWK>$N0Y$K�(B <CODE>ipchains</CODE> �$B$K4^$^$l$F$$$^$9!#�(B
<P>
<OL>
<LI> �$B8=:_$N%^%9%+%l!<%I$5$l$?@\B3$N0lMw$rI=<($9$k�(B (-M -L)</LI>
<LI> �$B%^%9%+%l!<%G%#%s%0$N%?%$%`%"%&%HCM$r@_Dj$9$k�(B (-M -S) (�$B$G$b�(B
<A HREF="IPCHAINS-HOWTO-6.html#no-timeout">�$B%^%9%+%l!<%G%#%s%0$N%?%$%`%"%&%HCM$r@_Dj$G$-$^$;$s�(B!</A> �$B$r8+$F2<$5$$!#�(B)</LI>
</OL>
<P>�$B:G8e$N�(B (�$B$=$7$F62$i$/:G$bJXMx$J�(B) �$B5!G=$O!";XDj$7$?%Q%1%C%H$,;XDj$7$?%A%'%$%s$rDL2a$9$k$J$i!"$=$N%Q%1%C%H$,$I$&$J$k$N$+$r;n$7$K%A%'%C%/$G$-$k$3$H$G$9!#�(B
<P>
<H3>�$B$"$J$?$N%3%s%T%e!<%?$,5/F0$9$k;~$K8+$k$b$N�(B</H3>
<P>ipchains �$B%3%^%s%I$,5/F0$5$l$kA0�(B (�$BCm0U�(B: �$B4v$D$+$N%G%#%9%H%j%S%e!<%7%g%s$G$O=i4|2=%9%/%j%W%HFb$G�(B ipchains �$B$r5/F0$7$F$$$^$9�(B) �$B$O!"AH$_9~$_:Q$_$N%k!<%k�(B (`input', `forward' �$B$H�(B `output') �$B0J30$K$O2?$b$"$j$^$;$s!#�(B
�$B$=$7$F3F!9$N%A%'%$%s$O�(B ACCEPT (�$B5v2D�(B) �$B$N%]%j%7!<$K@_Dj$5$l$F$$$^$9!#�(B
�$B$3$l$OA4$F$r<u$1F~$l$k$3$H$HEy2A$G$9!#�(B
<P>
<H3>�$BC10l$N%k!<%k$G$NA`:n�(B</H3>
<P>�$B%k!<%k$rA`:n$9$k$3$H�(B �$B!=�(B �$B$=$l$O�(B ipchains �$B$N4pK\$G$9!#�(B
�$B$[$H$s$I$N>l9g!"IaDL!"$"$J$?$ODI2C�(B (-A) �$B$H:o=|�(B (-D) �$B%3%^%s%I$r;H$&$3$H$K$J$k$G$7$g$&!#�(B
�$B;D$j$N%3%^%s%I�(B(�$BA^F~$N�(B -I �$B$HCV49$N�(B -R )�$B$O!"$3$l$i$N35G0$rC1=c$K�(B(�$B5!G=�(B)�$B3HD%$7$?$b$N$G$9!#�(B
<P>
<P>�$B3F!9$N%k!<%k$K$O!"%Q%1%C%H$,K~$?$9$Y$->r7o$N%;%C%H$H!">r7o$,K~$?$5$l$?$H$-$K$9$k$3$H�(B(�$B!F%?!<%2%C%H!G�(B)�$B$r;XDj$7$^$9!#�(B
�$BNc$($P!"�(BIP �$B%"%I%l%9�(B 127.0.0.1 �$B$+$i$d$C$FMh$kA4$F$N�(B ICMP �$B%Q%1%C%H$rGK4~$7$?$$$H$7$^$9!#�(B
�$B$=$N>l9g$N>r7o$O%W%m%H%3%k$,�(B ICMP �$B$G!"%=!<%9%"%I%l%9$,�(B 127.0.0.1 �$B$G!"%?!<%2%C%H$O�(B `DENY'(�$BH]Dj�(B) �$B$G$9!#�(B
<P>
<P>127.0.0.1 �$B$O�(B `�$B%k!<%W%P%C%/�(B' �$B%$%s%?!<%U%'%$%9$G!"$=$l$O$"$J$?$N%^%7%s$,<B:]$N%M%C%H%o!<%/$K7R$,$C$F$$$J$/$F$bB8:_$7$^$9!#�(B
`ping' �$B%W%m%0%i%`$G$=$N$h$&$J%Q%1%C%H�(B (ping �$B$O�(B �$BC1=c$K�(B ICMP �$B%?%$%W�(B8 (�$B%(%3!<MW5a�(B)�$B$rAw$j!"A4$F$N6(NOE*$J%[%9%H$O?F@Z$K$b�(B ICMP �$B%?%$%W�(B 0 (�$B%(%3!<1~Ez�(B)�$B$N%Q%1%C%H$G$=$l$K1~$($^$9�(B)�$B$rH/@8$5$;$k$N$K;H$$$^$9!#�(B
�$B$3$l$O%F%9%H$KLrN)$A$^$9!#�(B
<P>
<BLOCKQUOTE><CODE>
<PRE>
# ping -c 1 127.0.0.1
PING 127.0.0.1 (127.0.0.1): 56 data bytes
64 bytes from 127.0.0.1: icmp_seq=0 ttl=64 time=0.2 ms
--- 127.0.0.1 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.2/0.2/0.2 ms
# ipchains -A input -s 127.0.0.1 -p icmp -j DENY
# ping -c 1 127.0.0.1
PING 127.0.0.1 (127.0.0.1): 56 data bytes
--- 127.0.0.1 ping statistics ---
1 packets transmitted, 0 packets received, 100% packet loss
#
</PRE>
</CODE></BLOCKQUOTE>
<P>�$B$4Mw$N$H$*$j:G=i$N�(B ping �$B$,@.8y$7$F$$$^$9�(B(`-c 1' �$B$O�(B ping �$B$K%Q%1%C%H$r�(B 1�$B8D$@$1Aw$k$h$&$K;X<($7$F$$$^$9�(B)�$B!#�(B
<P>
<P>�$B<!$K%k!<%k$r�(B `INPUT' �$B%A%'%$%s$KDI2C�(B (-A) �$B$7$^$9!#%k!<%k$N;XDj$O!"�(B
127.0.0.1 �$B$+$i�(B (`-s 127.0.0.1') �$B$G%W%m%H%3%k�(B ICMP (`-p icmp')
�$B$N%Q%1%C%H$O!"�(BDENY �$B$X%8%c%s%W$9$k�(B (`-j DENY') �$B$G$9!#�(B
<P>
<P>�$B$=$l$+$i�(B 2�$BHVL\$N�(B ping �$B$G%k!<%k$r%F%9%H$7$^$9!#�(B
�$B5"$C$FMh$J$$1~Ez$rBT$D$N$r�(B ping �$B$,;_$a$k$^$G>/$7$N4V$,$"$k$G$7$g$&!#�(B
<P>
<P>�$B%k!<%k$r:o=|$9$k$K$O�(B 2�$BDL$j$NJ}K!$,$"$j$^$9!#�(B
1�$BHVL\$O!"Nc$($P!"�(B input �$B%A%'%$%s$K$O%k!<%k$,�(B 1�$B8D$@$1$7$+$J$$$N$rJ,$C$F$$$k>l9g$G$O!"HV9f$r;H$C$F0J2<$N$h$&$K:o=|$G$-$^$9�(B:
<BLOCKQUOTE><CODE>
<PRE>
# ipchains -D input 1
#
</PRE>
</CODE></BLOCKQUOTE>
INPUT �$B%A%'%$%s$N%k!<%kHV9f�(B 1 �$B$r:o=|!#�(B
<P>
<P>2�$BHVL\$NJ}K!$O�(B -A �$B%3%^%s%I$r$=$C$/$j<L$7$F�(B -A �$B$r�(B -D �$B$KCV$-49$($?$b$N$G$9!#�(B
�$B$3$l$O%k!<%k$,J#;($J%A%'%$%s$N>l9g$G!"Nc$($P!"<h$j=|$-$?$$$N$,%k!<%k�(B 37 �$B$@$HC5$7Ev$F$k$?$a$K%k!<%k$r?t$($?$/$J$$>l9g$KM-8z$G$9!#�(B
�$B$3$N>l9g!"<!$N$h$&$K;H$$$^$9�(B:
<BLOCKQUOTE><CODE>
<PRE>
# ipchains -D input -s 127.0.0.1 -p icmp -j DENY
#
</PRE>
</CODE></BLOCKQUOTE>
-D �$B$N=q$-J}$O!"�(B -A (�$B$^$?$O�(B -I �$B$+�(B -R) �$B%3%^%s%I$N;~$H@53N$KF1$8%*%W%7%g%s$G$J$1$l$P$J$j$^$;$s!#�(B
�$B$b$7!"F10l%A%'%$%sCf$KJ#?t$N%^%C%A$9$k%k!<%k$,$"$C$?$i!":G=i$N$b$N$@$1$,:o=|$5$l$^$9!#�(B
<P>
<H3>�$B%U%#%k%?%j%s%0$N;EMM�(B</H3>
<P>�$B$3$l$^$G$K!"%W%m%H%3%k$r;XDj$9$k�(B `-p' �$B%*%W%7%g%s$H!"%=!<%9%"%I%l%9$r;XDj$9$k�(B `-s' �$B%*%W%7%g%s$r8+$F$-$^$7$?$,!"$3$NB>$K$b%Q%1%C%H$NFCD'$r;XDj$9$kMM!9$J%*%W%7%g%s$,$"$j$^$9!#�(B
�$B$3$l$+$i!"$=$N35MW$r$"$^$9$H$3$m$J$/$*OC$7$^$9!#�(B
<P>
<H3>�$B%=!<%9$H08@h�(B IP �$B%"%I%l%9$N;XDj�(B</H3>
<P>�$B%=!<%9�(B (-s) �$B5Z$S08@h�(B (-d) IP �$B%"%I%l%9$O�(B 4�$BDL$j$N;XDjJ}K!$,$"$j$^$9!#�(B
�$B$b$C$H$b0lHLE*$JJ}K!$O40A4$K5-=R$5$l$?L>A0�(B(FQDN)�$B$r;H$&$3$H$G!"Nc$($P!"�(B`localhost' �$B$H$+�(B `www.linuxhq.com' �$B$G$9!#�(B
2�$BHVL\$NJ}K!$O�(B `127.0.0.1'�$B$N$h$&$J�(B IP �$B%"%I%l%9$r;XDj$9$kJ}K!$G$9!#�(B
<P>
<P>3�$BHVL\$H�(B 4�$BHVL\$NJ}K!$O�(B IP �$B%"%I%l%9$N%0%k!<%W$r;XDj$9$kJ}K!$G!"�(B `199.95.207.0/24' �$B$H$+�(B `199.95.207.0/255.255.255.0' �$B$N$h$&$K=q$-$^$9!#�(B
�$BN>J}$H$b�(B 199.95.207.0 �$B$+$i�(B 199.95.207.255 �$B$^$G$N$I$N�(B IP �$B%"%I%l%9$b4^$^$l$k;XDj$G!"?t;z$N$"$H$N�(B `/' �$B$O�(B IP �$B%"%I%l%9$N$I$NItJ,$^$GM-8z$+$r<($7$F$$$^$9!#�(B
�$B>JN,;~$O�(B `/32' �$B$^$?$O�(B `/255.255.255.255' (IP �$B%"%I%l%9$N40A40lCW�(B)�$B$G$9!#�(B
�$B$I$s$J�(B IP �$B%"%I%l%9$G$b$h$$>l9g$O!"0J2<$N$h$&$K�(B `/0' �$B$,;H$($^$9�(B:
<P>
<BLOCKQUOTE><CODE>
<PRE>
# ipchains -A input -s 0/0 -j DENY
#
</PRE>
</CODE></BLOCKQUOTE>
<P>�$B>e5-$N8z2L$O�(B `-s' �$B%*%W%7%g%s$r;XDj$7$J$$$N$HA4$/F1$8$J$N$G!"$3$s$J;H�(B
�$B$$J}$O$a$C$?$K$7$^$;$s!#�(B
<P>
<H3>�$BH]Dj$N;XDj�(B</H3>
<P>`-s' �$B$H�(B `-d' �$B$r4^$`B?$/$N%U%i%0$O!"�(B`!' (�$BH]Dj$N@k8@�(B) �$B$r$=$N0z?t$NA0$K�(B
�$BCV$/$3$H$,$G$-$^$9!#�(B
`-s' �$B$d�(B `-d' �$B$N>l9g$OM?$($i$l$?%"%I%l%9$HEy$7$/$J$$%"%I%l%9$H%^%C%A�(B
�$B$7$^$9!#�(B
�$BNc$($P!"�(B `-s ! localhost' �$B$O%m!<%+%k%[%9%H$+$i$G$J$$A4$F$N%Q%1%C%H$H�(B
�$B%^%C%A$7$^$9!#�(B
<P>
<P>`!' �$B$NA08e$K%9%Z!<%9$rF~$l$k$N$rK:$l$J$$$G2<$5$$!#K\Ev$KI,MW$J$N$G$9!#�(B
<P>
<H3>�$B%W%m%H%3%k$N;XDj�(B</H3>
<P>�$B%W%m%H%3%k$O�(B `-p' �$B%U%i%0$G;XDj$7$^$9!#�(B
�$B%W%m%H%3%k$NCM$OHV9f�(B(�$B$"$J$?$,�(B IP �$B$N%W%m%H%3%k$N?tCMHV9f$rCN$C$F�(B
�$B$$$k>l9g�(B)�$B$+�(B `TCP', `UDP' �$B$^$?$O�(B `ICMP' �$B$H$$$&FCDj$NL>>N$G;XDj$7$^$9!#�(B
�$BBgJ8;z>.J8;z$N6hJL$O$7$^$;$s$+$i!"�(B`tcp' �$B$b�(B `TCP' �$B$HF1$8F/$-$r$7$^$9!#�(B
<P>
<P>�$B%W%m%H%3%kL>>N$O$=$l$rH]Dj$9$k$?$a$K�(B `!' �$B$rA0$KIU$1$k$3$H$,$G$-$^$9!#�(B
�$BNc$($P!"�(B`-p ! TCP' �$B$O�(B TCP �$B$G$J$$%Q%1%C%H$r;XDj$7$^$9!#�(B
<P>
<H3>UDP �$B$H�(B TCP �$B%]!<%H$N;XDj�(B</H3>
<P>�$BFCJL$J>l9g$G$"$k�(B TCP �$B0?$O�(B UDP �$B$N%W%m%H%3%k$,;XDj$5$l$?;~$K$O!"�(B
TCP �$B0?$O�(B UDP �$B$N%]!<%H!"0?$O4^$^$l$k%]!<%H$NHO0O�(B (�$B$7$+$7!"8e=R$N�(B
<A HREF="#handling-fragments">�$B%U%i%0%a%s%H$N=hM}�(B</A>�$B$r;2>H$7$F2<$5$$�(B) �$B$r;X$7<($93HD%0z?t$,B8:_$7F@$^$9!#�(B
�$BHO0O$OJ8;z�(B `:' �$B$GI=8=$7$^$9!#Nc$($P�(B `6000:6010' �$B$O�(B 6000 �$B$+$i�(B 6010 �$BKx$N�(B
�$BHO0O$K4^$^$l$k�(B11�$B8D$N%]!<%HHV9f$r<($7$^$9!#�(B
�$B$b$72<8BCM$,>JN,$5$l$l$P!"%G%U%)%k%H$N�(B 0 �$B$r0UL#$7$^$9!#�(B
�$B>e8BCM$,>JN,$5$l$l$P!"%G%U%)%k%H$N�(B 65535 �$B$r0UL#$7$^$9!#�(B
�$B$G$9$+$i!"�(B1024�$BHV0J2<$N%]!<%H$N�(B TCP �$B@\B3$r;XDj$9$k$K$O!"=q$-J}$O�(B
`-p TCP -s 0.0.0.0/0 :1023' �$B$H$7$^$9!#�(B
�$B%]!<%HHV9f$O�(B `www' �$B$N$h$&$K!"L>A0$G$b;XDj$G$-$^$9!#�(B
<P>
<P>�$BCm5-$H$7$F!"%]!<%H;XDj$NA0$K$OH]Dj$r0UL#$9$k�(B `!' �$B$rCV$/$3$H$,$G$-$^$9!#�(B
�$B$G$9$+$i!"�(B WWW �$B%Q%1%C%H0J30$NA4$F$N�(B TCP �$B%Q%1%C%H$r;XDj$9$k$K$O!"0J2<$N�(B
�$B$h$&$K;XDj$7$^$9!#�(B
<PRE>
-p TCP -d 0.0.0.0/0 ! www
</PRE>
<P>�$B0J2<$N;XDj$H!"�(B
<P>
<PRE>
-p TCP -d ! 192.168.1.1 www
</PRE>
<P>�$B0J2<$N;XDj$OA4$/0c$&$3$H$r$7$C$+$jG'<1$7$F2<$5$$!#�(B
<PRE>
-p TCP -d 192.168.1.1 ! www
</PRE>
<P>�$B:G=i$NNc$O!"�(B 192.168.1.1 �$B0J30$NA4$F$N%^%7%s$N�(B WWW �$B%]!<%H$X$N�(B TCP �$B%Q%1%C%H�(B
�$B$r;XDj$7$^$9!#�(B
�$B<!$NNc$O!"�(B WWW �$B%]!<%H$r=|$/A4$F$N%]!<%H$K$*$1$k�(B 192.168.1.1 �$B$X$N�(B TCP
�$B@\B3$r;XDj$7$^$9!#�(B
<P>
<P>�$B:G8e$K!"$3$N%1!<%9$O�(B WWW �$B%]!<%H$G$J$/!"�(B 192.168.1.1 �$B$G$b$J$$$3$H$r�(B
�$B0UL#$7$^$9�(B:
<PRE>
-p TCP -d ! 192.168.1.1 ! www
</PRE>
<P>
<H3>ICMP �$B%?%$%W$H%3!<%I$N;XDj�(B</H3>
<P>ICMP �$B$K$b$^$?%*%W%7%g%s0z?t$,$"$j$^$9$,!"�(B ICMP �$B$O%]!<%H$r;}$AF@$^$;$s!#�(B
(ICMP �$B$K$O�(B<B>�$B%?%$%W�(B</B>�$B$H�(B<B>�$B%3!<%I�(B</B>�$B$,$"$j$^$9�(B) �$B$=$l$i$K$O0[$J$k0UL#$,$"$j$^$9!#�(B
<P>
<P>`-s' �$B%*%W%7%g%s$N8e$K�(B ICMP �$B%M!<%`$rMQ$$$k�(B (<CODE>ipchains -h icmp</CODE> �$B$rMQ$$$F!"�(B
�$B%M!<%`$r0lMwI=<($7$^$9�(B) �$B$+!"�(B ICMP �$B%?%$%W$H%3!<%I$N?tCM$rMQ$$$k$+$G!"�(B
�$B$=$l$i$r;XDj$7$^$9!#�(B
�$B%?%$%W$O�(B `-s' �$B%*%W%7%g%s$N8e$K!"%3!<%I$O�(B `-d' �$B%*%W%7%g%s$N8e$K;XDj$7�(B
�$B$^$9!#�(B
<P>
<P>ICMP �$B%M!<%`$O$+$J$jD9$$$G$9�(B: �$BB>$H$O$C$-$j6hJL$G$-$kJ,$@$1$ND9$$J8;zNs�(B
�$B$G$"$l$P==J,$G$9!#�(B
<P>
<P>�$B:G$b0lHLE*$J�(B ICMP �$B%Q%1%C%H$N>.$5$J0lMw$r0J2<$K<($7$^$9�(B:
<BLOCKQUOTE><CODE>
<PRE>
�$BHV9f�(B �$B%M!<%`�(B �$BI,MW$H$5$l$k$b$N�(B
0 echo-reply ping
3 destination-unreachable �$BA4$F$N�(B TCP/UDP �$B%H%i%U%#%C%/�(B
5 redirect �$B%k!<%F%#%s%0%G!<%b%s$,F0:n$7$F$$$J$$;~$N�(B
�$B%k!<%F%#%s%0�(B
8 echo-request ping
11 time-exceeded traceroute
</PRE>
</CODE></BLOCKQUOTE>
<P>ICMP �$B%M!<%`$O�(B `!' �$B$rCV$1$J$$$3$H$KCm0U$7$F2<$5$$!#�(B
<P>
<P>�$B@dBP$K@dBP$K@dBP$K!"�(B ICMP �$B%?%$%W�(B3 �$B%a%C%;!<%8$NA4It$r%V%m%C%/$7$J$$$G�(B!!
(�$B8e=R$N�(B
<A HREF="IPCHAINS-HOWTO-5.html#ICMP">ICMP �$B%Q%1%C%H�(B</A>�$B$r;2>H$7$F2<$5$$�(B)
<P>
<H3>�$B%$%s%?!<%U%'%$%9$N;XDj�(B</H3>
<P>`-i' �$B%*%W%7%g%s$O%^%C%A$9$Y$-�(B<B>�$B%$%s%?!<%U%'%$%9�(B</B>�$B$NL>A0$r;XDj$7$^$9!#�(B
�$B%$%s%?!<%U%'%$%9$H$O!"%Q%1%C%H$,F~$C$FMh$k$+!"$^$?$O=P$F9T$/�(B
�$BJ*M}%G%P%$%9$G$9!#�(B<CODE>ifconig</CODE> �$B%3%^%s%I$r;H$C$F�(B `up' �$B$G$"$k�(B
(�$B$9$J$o$A!":#F0$$$F$$$k�(B)�$B%$%s%?!<%U%'%$%9$r%j%9%H%"%C%W$G$-$^$9!#�(B
<P>
<P>�$BF~Mh$9$k%Q%1%C%H�(B (�$B$9$J$o$A!"�(B <CODE>input</CODE> �$B%A%'%$%s$rDL2a$9$k%Q%1%C%H�(B) �$B$N�(B
�$B%$%s%?!<%U%'!<%9$O!"$=$l$i$,N.$l9~$s$GMh$k%$%s%?!<%U%'!<%9$G$"$k$b$N�(B
�$B$H8+$J$5$l$^$9!#�(B
�$BO@M}E*$K$O!"=P$F9T$/%Q%1%C%H�(B (<CODE>output</CODE> �$B%A%'%$%s$rDL2a$9$k%Q%1%C%H�(B) �$B$N�(B
�$B%$%s%?!<%U%'!<%9$O!"$=$l$i$,=P$F9T$/$G$"$m$&%$%s%?!<%U%'!<%9$G$"$j$^�(B
�$B$9!#�(B
<CODE>forward</CODE> �$B%A%'%$%s$rDL2a$9$k%Q%1%C%H$N%$%s%?!<%U%'!<%9$b$^$?!"$=$l$i$,�(B
�$B=P$F9T$/$G$"$m$&%$%s%?!<%U%'!<%9$G$9�(B; �$B;d$K$O!"$3$l$OA4$/$NFHCG$K;W$($^$9!#�(B
<P>(�$BLuCm�(B: �$B$3$3$GCx<T$O�(B forward �$B%A%'%$%s$N%$%s%?!<%U%'!<%9$r=PNO%$%s%?!<�(B
�$B%U%'!<%9$K$7$?$3$H$K935D$7$F$$$k$h$&$K;W$($^$9!#�(B
�$B$?$V$sCx<T$OF~NO$H=PNO$NN>J};XDj$G$-$?$[$&$,$h$$$H;W$C$F$$$F!"$G$b!"�(B
ipchains �$B$K$O%$%s%?!<%U%'%$%9$r;XDj$9$k%*%W%7%g%s$,�(B -i �$B$N#1$D$7$+$J$$�(B
�$B$N$G!"$I$A$i$+$K$;$6$k$*$($J$+$C$?!#$H8@$&OC$@$H;W$$$^$9!#�(B
ipchains �$B$N8e7Q$G$"$k�(B iptables �$B$G$O!"�(B FORWARD �$B%A%'%$%s$G!"F~NO$H=PNO�(B
�$B$NN>J}$N%$%s%?!<%U%'%$%9$r;XDj$G$-$k$h$&$K$J$C$F$^$9!#�(B)
<P>
<P>�$B8=:_B8:_$7$F$$$J$$%$%s%?!<%U%'%$%9$r;XDj$9$k$3$H$OA4$/LdBj$,$"$j$^$;$s�(B
�$B$,!";XDj$7$?%$%s%?!<%U%'%$%9$,�(B up �$B$7$FMh$k$^$G%k!<%k$,%^%C%A$9$k$3$H$O�(B
�$B$"$j$^$;$s!#$3$l$O%@%$%"%k%"%C%W�(B PPP �$B%j%s%/�(B(�$BDL>o%$%s%?!<%U%'%$%9$O�(B
<CODE>ppp0</CODE> )�$B$dF1MM$N$b$N$K$D$$$FHs>o$KM-8z$G$9!#�(B
<P>
<P>�$BFCJL$J%1!<%9$H$7$F!"%$%s%?!<%U%'!<%9L>$N:G8e$,�(B `+' �$B$G=*$o$k$b$N$O!"�(B
(�$B8=:_B8:_$7$F$$$h$&$H$J$+$m$&$H�(B) �$B$=$NJ8;zNs$+$i;O$^$kA4$F$N%$%s%?!<�(B
�$B%U%'!<%9$K%^%C%A$7$^$9!#�(B
�$BNc$($P!"A4$F$N�(B PPP �$B%$%s%?!<%U%'!<%9$K%^%C%A$9$k%k!<%k$r;XDj$9$k$K$O!"�(B
<CODE>-i ppp+</CODE> �$B%*%W%7%g%s$,;H$($^$9!#�(B
<P>
<P>�$B;XDj$7$?%$%s%?!<%U%'%$%9$H0lCW�(B<B>�$B$7$J$$�(B</B>�$B%Q%1%C%H$K%^%C%A$9$k$h$&$K�(B
�$B%$%s%?!<%U%'%$%9L>$NA0$K$O�(B `!' �$B$rCV$/$3$H$,$G$-$^$9!#�(B
<P>
<H3>TCP SYN �$B%Q%1%C%H$N$_$r;XDj$9$k�(B</H3>
<P>�$B0lJ}8~$@$1�(B TCP �$B%3%M%/%7%g%s$r5v2D$7!"B>J}$O5v2D$7$J$$$h$&$K$9$k$3$H$O�(B
�$B1}!9$K$7$FM-8z$G$9!#Nc$($P!"$"$J$?$,30It$N�(B WWW �$B%5!<%P!<$H@\B3$7$?$$$,!"�(B
�$B$=$N%5!<%P!<$+$i$N@\B3$r5v2D$7$?$/$J$$$H$-$G$9!#�(B
<P>
<P>�$B$=$N%5!<%P!<$+$iMh$k�(B TCP �$B%Q%1%C%H$r%V%m%C%/$9$k$3$H$O<+A3$JJ}K!$G$9!#�(B
�$B;DG0$J$3$H$K!"�(BTCP �$B%3%M%/%7%g%s$K$O$H$K$+$/N>J}8~$N%Q%1%C%H$,9T$-Mh$9$k�(B
�$B$3$H$,I,MW$G$9!#�(B
<P>
<P>�$B$=$N2r7hJ}K!$O!"%3%M%/%7%g%sMW5a$KMQ$$$i$l$k%Q%1%C%H$N$_$r%V%m%C%/$9�(B
�$B$k$3$H$G$9!#�(B
�$B$3$N$h$&$J%Q%1%C%H$O�(B <B>SYN</B> �$B%Q%1%C%H$H8F$P$l$^$9!#�(B
(�$B5;=QE*$K$O!"�(BSYN �$B%U%i%0$,@_Dj$5$l$F$$$F!"�(B FIN �$B$H�(B ACK �$B%U%i%0$,%/%j%"�(B
�$B$5$l$F$$$k%Q%1%C%H$r;X$7$^$9$,!"2f!9$O$3$l$r�(B SYN �$B%Q%1%C%H$H8F$S$^$9!#�(B)
�$B$=$l$i$N%Q%1%C%H$@$1$r5v2D$7$J$$$3$H$G!"$=$N>l$N@\B3MW5a$r;_$a$i$l$^�(B
�$B$9!#�(B
<P>
<P>`-y' �$B%U%i%0$O$3$N$?$a$K;H$o$l$^$9�(B: �$B$3$l$O�(B TCP �$B%W%m%H%3%k$r;XDj$5$l$F�(B
�$B$$$k>l9g$K$*$$$F$N$_M-8z$G$9!#�(B
�$BNc$($P!"�(B 192.168.1.1 �$B$+$iMW5a$5$l$k�(B TCP �$B%3%M%/%7%g%s$r;XDj$9$k$K$O�(B:
<PRE>
-p TCP -s 192.168.1.1 -y
</PRE>
<P>
<P>�$B$b$&0lEY!"$3$N%U%i%0$O$=$NA0$K�(B `!' �$B$rCV$/$3$H$K$h$C$F�(B (�$BLuCm�(B: ! -y �$B$H$7$F�(B)
�$BH]Dj$9$k$3$H$,$G$-!"$=$l$O@\B33+;O$N%Q%1%C%H$r=|$/A4$F$N%Q%1%C%H$r�(B
�$B0UL#$7$^$9!#�(B
<P>
<H3><A NAME="handling-fragments"></A> �$B%U%i%0%a%s%H$N=hM}�(B</H3>
<P>�$B;~$K!"0lEY$K%1!<%V%k$KAw$j=P$9$K$O%Q%1%C%H$,Bg$-2a$.$k$3$H$,$"$j$^$9!#�(B
�$B$3$s$J$H$-$O!"%Q%1%C%H$O�(B<B>�$B%U%i%0%a%s%H�(B</B>�$B$KJ,3d$5$l!"J#?t$N%Q%1%C%H$GAw$i$l�(B
�$B$^$9!#<u?.E@$G$3$l$i$N%U%i%0%a%s%H$r:F$S=8$a$F40A4$J%Q%1%C%H$K:F9=@.�(B
�$B$7$^$9!#�(B
<P>
<P>�$B%U%i%0%a%s%H$NLdBjE@$O!"@hDx%j%9%H%"%C%W$7$?;EMM$N4v$D$+�(B
(�$BFC$K!"%=!<%9%]!<%H!"08@h%]!<%H!"�(B ICMP �$B%?%$%W!"�(B ICMP �$B%3!<%I!"�(B
�$B0?$O�(B TCP SYN �$B%U%i%0�(B) �$B$O!"%+!<%M%k$K!":G=i$N%U%i%0%a%s%H$K$@$14^$^$l$F$$$k�(B
�$B%Q%1%C%H$N;O$a$NItJ,$rGA$/$h$&$KMW5a$7$F$$$kE@$K$"$j$^$9!#�(B
<P>
<P>�$B$"$J$?$N%^%7%s$,30It%M%C%H%o!<%/$K$N$_@\B3$5$l$k$J$i!"%+!<%M%k$N�(B
"IP: �$B>o$K%G%U%i%0%a%s%H$9$k�(B" �$B$r�(B Y �$B$K@_Dj$7$F%3%s%Q%$%k$9$k$3$H$K$h$j!"�(B
�$BDL2a$9$kA4$F$N%U%i%0%a%s%H$r:F9=C[$9$k$h$&$K�(B Linux �$B%+!<%M%k$KL?$:$k�(B
�$B$3$H$,$G$-$^$9!#�(B
�$B$3$l$OLdBj$r$&$^$/2sHr$7$^$9!#�(B
<P>
<P>�$B$=$&$G$J$1$l$P!"%U%#%k%?%j%s%0%k!<%k$,%U%i%0%a%s%H$r$I$N$h$&$K07$&$+�(B
�$B$rM}2r$9$k$3$H$,=EMW$G$9!#�(B
�$B>pJs$,L5$1$l$P$I$s$J%U%#%k%?%j%s%0%k!<%k$b%^%C%A�(B<EM>�$B$7$^$;$s�(B</EM>�$B!#�(B
�$B$3$N0UL#$9$k$H$3$m$O�(B 1�$BHVL\$N%U%i%0%a%s%H$OB>$N%Q%1%C%H$HF1$8$h$&$K07�(B
�$B$o$l$^$9!#�(B
2�$BHVL\0J9_$N%U%i%0%a%s%H$O0[$J$j$^$9!#�(B
�$B=>$C$F!"�(B <CODE>-p TCP -s 192.168.1.1 www</CODE> �$B$H$$$&%k!<%k�(B (�$B%=!<%9%]!<%H$,�(B `www'
�$B$N;XDj�(B)�$B$O!"%U%i%0%a%s%H�(B(1�$BHVL\$N%U%i%0%a%s%H0J30�(B)�$B$H7h$7$F%^%C%A�(B
�$B$7$^$;$s!#�(B
�$BF1MM$KH]Dj$N%k!<%k�(B <CODE>-p TCP -s 192.168.1.1 ! www</CODE> �$B$b%^%C%A$7$^$;$s!#�(B
<P>
<P>�$B$H$O$$$(!"�(B`-f' �$B%U%i%0$rMQ$$$F!"�(B 2�$BHVL\5Z$S$=$l0J9_$N%U%i%0%a%s%H$K�(B
�$B9gCW$9$k%k!<%k$r;XDj$G$-$^$9!#�(B
�$BL@$i$+$K!"$3$N$h$&$J%U%i%0%a%s%H%k!<%k$K$O�(B TCP �$B$d�(B UDP �$B%]!<%H!"�(B
ICMP �$B%?%$%W!"�(B ICMP �$B%3!<%I0?$O�(B TCP SYN �$B%U%i%0$r;XDj$9$k$N$O4V0c$$$G�(B
�$B$9!#�(B
<P>
<P>�$B$^$?!"�(B`!' �$B$r�(B `-f' �$B$NA0$KIU$1$F!"�(B 2�$BHVL\0J9_$N%U%i%0%a%s%H$HE,9g$7$J�(B
�$B$$%k!<%k$N;XDj$b$G$-$^$9!#�(B
<P>
<P>�$BDL>o!"%U%#%k%?%j%s%0$O�(B 1�$BHVL\$N%U%i%0%a%s%H$K8zNO$,$"$k$N$G!"L\E*$N�(B
�$B%[%9%H$G$N%U%i%0%a%s%H$N:FAH$_N)$F$rK8$2$k$?$a!"�(B2�$BHVL\0J9_$N%U%i%0%a%s%H�(B
�$B$rDL2a$5$;$k$3$H$O0BA4$H$_$J$5$l$F$$$^$9!#$H$O$$$(!"%U%i%0%a%s%H$rAw$k�(B
�$B$3$H$K$h$j4JC1$K%^%7%s$r%/%i%C%7%e$5$;$k$3$H$,$G$-$k%P%0$,CN$i$l$F�(B
�$B$$$^$9!#D4$Y$F2<$5$$$M!#�(B
<P>
<P>�$B%M%C%H%o!<%/4IM}<T$N$?$a$NCm5-�(B: �$B0[>o$J%Q%1%C%H�(B(TCP, UDP �$B$*$h$S�(B ICMP �$B$N�(B
�$B%Q%1%C%H$GC;$9$.$F%U%!%$%"!<%&%)!<%k$N%3!<%I$,%]!<%HHV9f$^$?$O�(B ICMP �$B$N�(B
�$B%3!<%I$H<oN`$rFI$a$J$$$b$N�(B)�$B$O!"%U%i%0%a%s%H$HF1MM$K<h$j07$o$l$^$9!#�(B
�$B%U%i%0%a%s%H$N0LCV$,�(B 8 �$B$+$i;O$^$k�(BTCP �$B%Q%1%C%H$@$1$,L@Gr$K%U%!%$%"%&%)!<�(B
�$B%k%3!<%I$K$h$C$FGK4~$5$l$^$9!#�(B(�$B$3$l$,H/@8$9$k$H�(B syslog �$B$K%a%C%;!<%8$,�(B
�$B8=$l$^$9!#�(B)
<P>
<P>�$BNc$($P!"<!$N%k!<%k$O�(B 192.168.1.1 �$B$X9T$/%U%i%0%a%s%H$O$I$l$G$bGK4~$7$^$9�(B:
<P>
<BLOCKQUOTE><CODE>
<PRE>
# ipchains -A output -f -d 192.168.1.1 -j DENY
#
</PRE>
</CODE></BLOCKQUOTE>
<P>
<H3>�$B%U%#%k%?%j%s%0$NI{<!E*8z2L�(B</H3>
<P>�$B$5$F!":#2f!9$O%k!<%k$rMQ$$$F%Q%1%C%H$K%^%C%A$5$;$kJ}K!$NA4$F$rCN$j�(B
�$B$^$7$?!#�(B
�$B%Q%1%C%H$,%k!<%k$K%^%C%A$9$k$H!"0J2<$K5-$9$3$H$,5/$3$j$^$9�(B:
<P>
<OL>
<LI> �$B3:Ev$9$k%k!<%k$N%P%$%H%+%&%s%?$O%Q%1%C%H$N%5%$%:�(B(�$B%X%C%@$H$=$NB>A4$F�(B)
�$B$K$h$C$FA}2C$7$^$9!#�(B
</LI>
<LI> �$B3:Ev$9$k%k!<%k$N%Q%1%C%H%+%&%s%?$,%Q%1%C%H$N?t$K$h$C$F�(B1 �$B2C;;$5$l$^$9!#�(B
</LI>
<LI> �$B%k!<%k$,MW5a$9$k$J$i!"%Q%1%C%H$,%m%0$K5-O?$5$l$^$9!#�(B
</LI>
<LI> �$B%k!<%k$,MW5a$9$k$J$i!"%Q%1%C%H$N�(B Type Of Service (TOS) �$B%U%#!<%k%I�(B
�$B$,JQ99$5$l$^$9!#�(B
</LI>
<LI> �$B%k!<%k$,MW5a$9$k$J$i!"%Q%1%C%H$K0u$,IU$1$i$l$^$9!#�(B(2.0 �$B%+!<%M%k�(B
�$B%7%j!<%:$K$O$"$j$^$;$s!#�(B)
</LI>
<LI> �$B%Q%1%C%H$KBP$7!"<!$K2?$r9T$o$;$k$+$r7hDj$9$k$Y$/!"%k!<%k%?!<%2%C%H�(B
�$B$,8!::$5$l$^$9!#�(B</LI>
</OL>
<P>
<P>�$B$3$l$i0J30$N<oN`$K$D$$$F$O!"=EMWEY$K1~$8$F<j$rIU$1$?$$$H;W$$$^$9!#�(B
<P>
<H3><A NAME="target-spec"></A> �$B%?!<%2%C%H$N;XDj�(B</H3>
<P><B>�$B%?!<%2%C%H�(B</B>�$B$O%k!<%k$K%^%C%A$9$k%Q%1%C%H$KBP$72?$r$9$Y$-$+$r%+!<%M%k$K�(B
�$B;X<($7$^$9!#�(B
ipchains �$B$O%?!<%2%C%H$N;XDj$K�(B `-j' �$B$rMQ$$$^$9!#�(B(`�$B%8%c%s%W$9$k�(B'�$B$H9M$(�(B
�$B$F2<$5$$�(B)
�$B%?!<%2%C%HL>$O�(B 8�$BJ8;z0J2<$G$J$1$l$P$J$i$:!"$^$?Bg>.J8;z$r6hJL$7$^$9�(B:
"RETURN" �$B$H�(B "return" �$B$OA4$/JLJ*$G$9!#�(B
<P>
<P>�$B:G$bC1=c$J%1!<%9$O;XDj$5$l$k%?!<%2%C%H$,A4$/$J$$>l9g$G$9!#�(B
�$B$3$N%k!<%k$N%?%$%W�(B (�$B$7$P$7$P�(B `�$B7W?t�(B' �$B%k!<%k$H8F$P$l$^$9�(B)
�$B$OC1=c$K0lDj$N%Q%1%C%H$N%?%$%W$r%+%&%s%H$9$k$N$KJXMx$G$9!#�(B
�$B$3$N%k!<%k$K%^%C%A$9$k$+H]$+$K$+$+$o$i$:!"%+!<%M%k$OC1=c$K%A%'%$%s�(B
�$BFb$N<!$N%k!<%k$r8!::$7$^$9!#�(B
�$BNc$($P!"�(B 192.168.1.1 �$B$+$i$N%Q%1%C%H$N?t$r?t$($k$K$O!"0J2<$N$h$&$K�(B
�$B$G$-$^$9�(B:
<BLOCKQUOTE><CODE>
<PRE>
# ipchains -A input -s 192.168.1.1
#
</PRE>
</CODE></BLOCKQUOTE>
<P>
<P>(`ipchains -L -v' �$B$rMQ$$$F!"3F!9$N%k!<%k$K4XO"IU$1$i$l$?%P%$%H5Z$S�(B
�$B%Q%1%C%H%+%&%s%?$r8+$l$^$9!#�(B)
<P>
<P>6�$B$D$NFCJL$J%?!<%2%C%H$,$"$j$^$9!#�(B
�$B:G=i$N�(B 3�$B$D$N�(B <CODE>ACCEPT</CODE>, <CODE>REJECT</CODE> �$B$H�(B <CODE>DENY</CODE> �$B$O$H$F$bC1=c$G$9!#�(B
<CODE>ACCEPT</CODE> �$B$O%Q%1%C%H$NDL2a$r5v2D$7$^$9!#�(B
<CODE>DENY</CODE> �$B$O$"$?$+$b%Q%1%C%H$r<u$1<h$C$F$$$J$$$+$N$h$&$KGK4~$7$^$9!#�(B
<CODE>REJECT</CODE> �$B$O%Q%1%C%H$rGK4~$7$^$9$,!"�(B(�$B$b$7$=$l$,�(B ICMP �$B%Q%1%C%H$G$J$$$J$i�(B)
�$B08@h$OL$E~C#$G$"$k$3$H$rCN$i$;$k�(B ICMP �$BJVEz$r!"%=!<%9$KBP$7$F@8@.�(B
�$B$7$^$9!#�(B
<P>
<P>�$B<!$N0l$D!"�(B <CODE>MASQ</CODE> �$B$O%+!<%M%k$K%Q%1%C%H$r%^%9%+%l!<%I$9$k$3$H$rCN$i$;�(B
�$B$^$9!#�(B
�$B$3$l$rF0:n$5$;$k$K$O!"%+!<%M%k$,�(B IP �$B%^%9%+%l!<%G%#%s%0$rM-8z$K$7$F�(B
�$B%3%s%Q%$%k$5$l$F$$$kI,MW$,$"$j$^$9!#�(B
�$B>\:Y$K$D$$$F$O!"�(B Masquerading-HOWTO �$B$H!"IUO?$N�(B
<A HREF="IPCHAINS-HOWTO-8.html#ipfwadm-diff">ipchains �$B$H�(B ipfwadm �$B$H$N0c$$�(B</A>�$B$r8+$F2<$5$$!#�(B
�$B$3$N%?!<%2%C%H$O�(B <CODE>forward</CODE> �$B%A%'%$%s$rDL2a$9$k%Q%1%C%H$K$*$$$F$N$_M-�(B
�$B8z$G$9!#�(B
<P>
<P>�$BB>$N<gMW$JFCJL$J%?!<%2%C%H$O!"%+!<%M%k$KBP$7$F!"2?=h$+$iH/@8$7$?$+$r�(B
�$BLd$o$:$K%Q%1%C%H$r%m!<%+%k%]!<%H$XAw$k!"�(B <CODE>REDIRECT</CODE> �$B$G$9!#�(B
�$B$3$l$O%W%m%H%3%k$K�(B TCP �$B$^$?$O�(B UDP �$B$r;XDj$7$F$$$k%k!<%k$K$*$$$F$N$_;X�(B
�$BDj$G$-$^$9!#�(B
�$BG$0U$K!"%]!<%H�(B (�$BL>A0Kt$OHV9f�(B) �$B$O�(B `-j REDIRECT' �$B$H;XDj$G$-$^$9!#�(B
�$B$3$l$O%Q%1%C%H$,B>$N%]!<%H$X%"%I%l%9$5$l$F$$$?$H$7$F$bFCDj$N%]!<%H$X�(B
�$BE>Aw$5$;$k8z2L$r;}$A$^$9!#�(B
�$B$3$N%?!<%2%C%H$O�(B <CODE>input</CODE> �$B%A%'%$%s$rDL2a$9$k%Q%1%C%H$K$*$$$F$N$_M-8z$G$9!#�(B
<P>
<P>�$B:G8e$NFCJL$J%?!<%2%C%H$O�(B <CODE>RETURN</CODE> �$B$G!"D>$A$K%A%'%$%s$N:G8e$KMn$79~$`$3�(B
�$B$H$HEy2A$G$9!#�(B(�$B8e=R$N�(B
<A HREF="#policy">�$B%]%j%7!<$r@_Dj$9$k�(B</A>�$B$r;2>H$7$F2<$5$$!#�(B)
<P>
<P>�$BB>$N%?!<%2%C%H$O%f!<%6!<;XDj$N%A%'%$%s$r<($7$^$9!#�(B
(�$B8e=R$N�(B
<A HREF="#chain-ops">�$B%A%'%$%s$NA`:n�(B</A>�$B$G@bL@$7$F$$$^$9!#�(B)
�$B%Q%1%C%H$O$=$N%A%'%$%sFb$N%k!<%k$rDL2a$7;O$a$^$9!#�(B
�$B$=$N%f!<%6Dj5A%A%'%$%s$G$N8!::$,A4$F=*$C$F$b%Q%1%C%H$N1?L?$,�(B
�$B7h$^$i$J$1$l$P!"8=:_$N%A%'%$%s$KLa$j!"$=$N<!$N%k!<%k$+$i8!::�(B
�$B$r:F3+$7$^$9!#�(B
<P>
<P>ASCII �$B%"!<%H$N;~4V$G$9!#�(B2�$B$D$N�(B(�$B$*$P$+$5$s$J�(B)�$B%A%'%$%s�(B: <CODE>input</CODE>
(�$BAH$_9~$_:Q$_%A%'%$%s�(B)�$B$H�(B <CODE>test</CODE> (�$B%f!<%6Dj5A%A%'%$%s�(B)�$B$G9M$($^�(B
�$B$7$g$&!#�(B
<P>
<PRE>
`input' `test'
�$B(#(!(!(!(!(!(!(!(!(!(!(!(!(!(!($�(B �$B(#(!(!(!(!(!(!(!(!(!(!(!(!(!($�(B
�$B("%k!<%k�(B 1: -p ICMP -j REJECT �$B("�(B �$B("%k!<%k�(B 1: -s 192.168.1.1 �$B("�(B
�$B('(!(!(!(!(!(!(!(!(!(!(!(!(!(!()�(B �$B('(!(!(!(!(!(!(!(!(!(!(!(!(!()�(B
�$B("%k!<%k�(B 2: -p TCP -j Test �$B("�(B �$B("%k!<%k�(B 2: -d 192.168.1.1 �$B("�(B
�$B('(!(!(!(!(!(!(!(!(!(!(!(!(!(!()�(B �$B(&(!(!(!(!(!(!(!(!(!(!(!(!(!(%�(B
�$B("%k!<%k�(B 3: -p UDP -j DENY �$B("�(B
�$B(&(!(!(!(!(!(!(!(!(!(!(!(!(!(!(%�(B
</PRE>
<P>
<P>192.168.1.1 �$B$+$iMh$F�(B 1.2.3.4 �$B$X8~$+$&�(B TCP �$B%Q%1%C%H$K$D$$$F9M$($^$7$g$&!#�(B
�$B%Q%1%C%H$O�(B <CODE>input</CODE> �$B%A%'%$%s$KF~$j!"$^$:!"%k!<%k�(B 1 �$B$,8!::$5$l$^$9�(B
�$B!=�(B �$B%^%C%A$7$^$;$s!#�(B
�$B%k!<%k�(B 2 �$B$,%^%C%A$7$F!"$=$N%?!<%2%C%H$O�(B <CODE>Test</CODE> �$B$J$N$G!"<!$K8!::$5$l$k�(B
�$B%k!<%k$O�(B <CODE>Test</CODE> �$B$N@hF,$G$9!#�(B
<CODE>Test</CODE> �$B$N%k!<%k�(B 1 �$B$O%^%C%A$7$^$9$,!"%?!<%2%C%H$r;XDj$7$F$$$J$$$N$G!"�(B
�$B<!$N%k!<%k$G$"$k%k!<%k�(B 2 �$B$,8!::$5$l$^$9!#�(B
�$B$3$l$O%^%C%A$7$J$$$N$G!"%A%'%$%s$N=*$o$j$KC#$7$^$7$?!#�(B
�$B@hDx8!::$7$?%k!<%k�(B 2 �$B$N$"$k�(B <CODE>input</CODE> �$B%A%'%$%s$KLa$j!"$=$l$G:#EY$O%k!<%k�(B 3
�$B$,8!::$5$l$^$9$,!"$3$l$b$^$?%^%C%A$7$^$;$s!#�(B
<P>
<P>�$B$=$l$G!"%Q%1%C%H$N7PO)$O<!$N$h$&$K$J$j$^$9�(B:
<PRE>
v __________________________
`input' | / `Test' v
�$B(#(!(!(!(!(!(!(!(!(!(!(!�(B|�$B(!�(B/ �$B(#(!(!(!(!(!(!(!(!(!(!�(B|�$B(!($�(B
�$B("%k!<%k�(B 1 | /�$B("�(B �$B("%k!<%k�(B 1 | �$B("�(B
�$B('(!(!(!(!(!(!(!(!(!(!(!�(B|/-�$B()�(B �$B('(!(!(!(!(!(!(!(!(!(!�(B|�$B(!()�(B
�$B("%k!<%k�(B 2 / �$B("�(B �$B("%k!<%k�(B 2 | �$B("�(B
�$B('(!(!(!(!(!(!(!(!(!(!(!�(B-�$B(!()�(B �$B(&(!(!(!(!(!(!(!(!(!(!�(Bv�$B(!(%�(B
�$B("%k!<%k�(B 3 /�$B(!(+(!�(B\_______________________/
�$B(&(!(!(!(!(!(!(!(!(!(!(!�(B|�$B(!(%�(B
v
</PRE>
<P>
<P>�$B%f!<%6Dj5A%A%'%$%s$r8z2LE*$K;H$&J}K!$O!"�(B
<A HREF="IPCHAINS-HOWTO-5.html#organisation">�$B%U%!%$%"%&%)!<%k%k!<%k$r$I$N$h$&$K9=C[$9$k$+�(B</A>�$B$N>O$r;2>H$7$F2<$5$$!#�(B
<P>
<H3>�$B%Q%1%C%H$N%m%05-O?�(B</H3>
<P>�$B$3$l$O%k!<%k$K%^%C%A$9$k$3$H$NI{<!E*8z2L$G$9�(B;
�$B%^%C%A$7$?%Q%1%C%H$r�(B `-l' �$B%U%i%0$rMQ$$$F%m%0$K5-O?$9$k$3$H$,$G$-$^�(B
�$B$9!#�(B
�$BIaDL!"DL>o$N%Q%1%C%H$K$*$$$F%m%0$r5-O?$7$?$/$O$J$$$G$7$g$&$1$I!"Nc�(B
�$B30E*$J%$%Y%s%H$r8+$?$$;~$KJXMx$JFCD'$G$9!#�(B
<P>
<P>�$B$3$N>pJs$N%+!<%M%k$N%m%0$O0J2<$N$h$&$J46$8$G$9�(B:
<P>
<BLOCKQUOTE><CODE>
<PRE>
Packet log: input DENY eth0 PROTO=17 192.168.2.1:53 192.168.1.1:1025
L=34 S=0x00 I=18 F=0x0000 T=254
</PRE>
</CODE></BLOCKQUOTE>
<P>�$B$3$N%m%0%a%C%;!<%8$O4J7i$K@_7W$5$l$F$*$j!"%M%C%H%o!<%/$N8"0R<T$N0Y�(B
�$B$@$1$KJXMx$J5;=Q>pJs$r4^$s$G$$$^$9$,!"$"$H$N2f!9$K$bM-MQ$G$9!#�(B
�$B4JC1$K@bL@$9$k$H0J2<$N$h$&$K$J$j$^$9�(B:
<P>
<OL>
<LI> `input' �$B$O%Q%1%C%H$K%^%C%A$7$?%k!<%k$r4^$`%A%'%$%s$G!"%m%0%a%C%;!<%8�(B
�$B$rH/@8$7$F$$$^$9!#�(B
</LI>
<LI> `DENY' �$B$O%k!<%k$,%Q%1%C%H$K2?$r$9$k$+$r<($7$F$$$^$9!#�(B
�$B$b$7$3$l$,�(B `-' �$B$J$i!"%k!<%k$O%Q%1%C%H$K2?$b9T$$$^$;$s!#�(B
(�$B7W?t%k!<%k$G$9!#�(B)
</LI>
<LI> `eth0' �$B$O%$%s%?!<%U%'!<%9L>$G$9�(B.
�$B2?8N$J$i$P$3$l$O�(B input �$B%A%'%$%s$G$"$j�(B, �$B%Q%1%C%H$O�(B `eth0' �$B$+$iF~$C$F�(B
�$BMh$?$3$H$r0UL#$9$k$+$i$G$9!#�(B
</LI>
<LI> `PROTO=17' �$B$O%Q%1%C%H$,%W%m%H%3%k�(B 17 �$B$G$"$C$?$3$H$r0UL#$7$^$9!#�(B
�$B%W%m%H%3%kHV9f$N%j%9%H$O�(B /etc/protocols �$B$K$FM?$($i$l$^$9!#�(B
�$B:G$b0lHLE*$J$b$N$O�(B 1 (ICMP), 6 (TCP) �$B$H�(B 17 (UDP) �$B$G$9!#�(B
</LI>
<LI> `192.168.2.1' �$B$O%Q%1%C%H$N%=!<%9�(B IP �$B%"%I%l%9$O�(B 192.168.2.1 �$B$G�(B
�$B$"$C$?$3$H$r0UL#$7$^$9!#�(B
</LI>
<LI> `:53' �$B$O%=!<%9%]!<%H$O%]!<%H�(B 53 �$BHV$G$"$C$?$3$H$r0UL#$7$^$9!#�(B
`/etc/services' �$B$r8+$l$P!"$3$l$,�(B `domain' �$B%]!<%H$G$"$k$3$H$r3+<(�(B
�$B$7$F$$$^$9!#�(B(�$B$9$J$o$A!"$3$l$O62$i$/�(B DNS �$B$NJVEz$G$9!#�(B)
UDP �$B$H�(B TCP �$B$K$*$$$F$O!"$3$NHV9f$O%=!<%9%]!<%H$G$9!#�(B
ICMP �$B$K$*$$$F$O!"�(B ICMP �$B%?%$%W$G$9!#�(B
�$B$=$l0J30$G$O!"�(B 65535 �$B$K$J$k$G$7$g$&!#�(B
</LI>
<LI> `192.168.1.1' �$B$O08@h�(B IP �$B%"%I%l%9$G$9!#�(B
</LI>
<LI> `:1025' �$B$O08@h%]!<%H$O�(B 1025 �$B$G$"$C$?$3$H$r0UL#$7$^$9!#�(B
UDP �$B$H�(B TCP �$B$K$*$$$F$O!"$3$NHV9f$O08@h%]!<%H$G$9!#�(B
ICMP�$B$K$*$$$F$O!"�(B ICMP �$B%3!<%I$G$9!#�(B
�$B$=$l0J30$G$O!"�(B 65535 �$B$K$J$k$G$7$g$&!#�(B
</LI>
<LI> `L=34' �$B$O!"%Q%1%C%H$O9g7W�(B 34 �$B%P%$%HD9$G$"$C$?$3$H$r0UL#$7$^$9!#�(B
</LI>
<LI> `S=0x00' �$B$O�(B TOS �$B%U%#!<%k%I$r0UL#$7$^$9!#�(B
(4 �$B$G3d$C$F!"�(B ipchains �$B$GMQ$$$i$l$k%5!<%S%9$N7?$,F@$i$l$^$9!#�(B)
</LI>
<LI> `I=18' �$B$O�(B IP �$B$N�(B ID �$B$G$9!#�(B
</LI>
<LI> `F=0x0000' �$B$O�(B 16 �$B%S%C%H$N%U%i%0%a%s%H%*%U%;%C%H$H%U%i%0$N2C;;$G$9!#�(B
`0x4' �$BKt$O�(B `0x5' �$B$G;O$^$kCM$O�(B �$B!V%U%i%0%a%s%H$7$F$$$J$$!W%S%C%H$,@_Dj�(B
�$B$5$l$F$$$k$3$H$r<($7$^$9!#�(B
`0x2' �$BKt$O�(B `0x3' �$B$O�(B `�$B99$K%U%i%0%a%s%H$7$F$$$k�(B' �$B%S%C%H$,@_Dj$5$l$F$$$k�(B
�$B$3$H$r<($7$^$9�(B; �$B$3$N8e$K99$J$k%U%i%0%a%s%H$,M=B,$5$l$^$9!#�(B
�$B;D$j$N?tCM$O$3$N%U%i%0%a%s%H$N%*%U%;%C%H$G!"$=$l$O�(B 8 �$B$G3d$C$?CM$G$9!#�(B
</LI>
<LI> `T=254' �$B$O%Q%1%C%H$N<wL?;~4V$G$9!#�(B
�$B$3$NCM$OA4$F$N%[%C%WKh$K8:$8$i$l!"Bg35�(B 15 �$B$+�(B 255 �$B$G;O$^$j$^$9!#�(B
</LI>
<LI> `(#5)' �$B$O!"%V%i%1%C%HFb$N:G8e$NHV9f$,$=$l$h$j?7$7$$%+!<%M%k$G$"$m$&�(B
�$B$3$H$r<($7$^$9!#�(B(�$B62$i$/�(B 2.2.9 �$B0J9_$G$7$g$&!#�(B)
�$B:G8e$K!"$h$j?7$7$$%+!<%M%k�(B(�$B$?$V$s�(B 2.2.9 �$B0J9_�(B)�$B$G!"3g8L$G0O$^$l$?HV9f�(B
�$B$,$"$k$G$7$g$&!#�(B
(�$BLuCm�(B: �$B86J8$K$O�(B
This is the rule number which caused the packet log.
�$B$H=q$+$l$F$$$^$9$,!"$3$l$O�(B
finally there may be a number ... �$B$H;W$o$l$^$9!#�(B)
</LI>
</OL>
<P>
<P>�$BI8=`E*$J�(B Linux �$B%7%9%F%`$G$O!"%+!<%M%k$N=PNO$O�(B klogd (�$B%+!<%M%k%m%.%s%0�(B
�$B%G!<%b%s�(B) �$B$K$FJaB*$5$l!"�(B syslogd (�$B%7%9%F%`%m%.%s%0%G!<%b%s�(B) �$B$KEO$5$l�(B
�$B$^$9!#�(B
`/etc/syslog.conf' �$B$O!"3F!9$N�(B `facility' (�$B2f!9$N>l9g$O!"�(Bfacility �$B$O�(B
"�$B%+!<%M%k�(B"�$B$G$9�(B) �$B$N08@h$H!"�(B `level' (ipchains �$B$N0Y$K!";H$o$l$k�(B level
�$B$O�(B "info" �$B$G$9�(B)�$B$r;XDj$9$k$3$H$K$h$C$F!"�(B syslogd �$B$N?6$kIq$$$r@)8f$7$^�(B
�$B$9!#�(B
<P>
<P>�$BNc$($P!";d$N�(B (Debian) /etc/syslog.conf �$B$O�(B `kern.info' �$B$K%^%C%A$9$k�(B
2�$B9T$r4^$s$G$$$^$9�(B:
<P>
<BLOCKQUOTE><CODE>
<PRE>
kern.* -/var/log/kern.log
*.=info;*.=notice;*.=warn;\
auth,authpriv.none;\
cron,daemon.none;\
mail,news.none -/var/log/messages
</PRE>
</CODE></BLOCKQUOTE>
<P>�$B$3$l$i$O%a%C%;!<%8$,�(B `/var/log/kern.log' �$B$H�(B `/var/log/messages' �$B$K�(B
�$BJ#@=$5$l$k$3$H$r<($7$F$$$^$9!#�(B
�$B>\:Y$O�(B `man syslog.conf' �$B$r8+$F2<$5$$!#�(B
<P>
<H3>�$B%5!<%S%9$N7?$rA`:n$9$k�(B</H3>
<P>IP �$B%X%C%@$K$OLGB?$K;H$o$l$J$$�(B 4�$B$D$N%S%C%H$,$"$j!"�(B<B>�$B!V%5!<%S%9$N7?!W�(B</B> (TOS) �$B%S%C%H$H8F$P$l$F$$$^$9!#�(B
�$B$=$l$i$O%Q%1%C%H$,<h$j07$o$l$kMQES$K1F6A$7$^$9�(B;
4�$B$D$N%S%C%H$O�(B "Minimum Delay"(�$B:G>.CY1d�(B), "Maximum Throughput"
(�$B:GBg=hM}G=NO�(B), "Maximum Reliability"(�$B:GBg?.MjCM�(B) �$B$=$7$F�(B "Minimum Cost"
(�$B:G>.%3%9%H�(B) �$B$G$9!#�(B
�$B$=$l$i$N%S%C%H$N0l$D$@$1$,@_Dj$r5v$5$l$^$9!#�(B
TOS �$BA`:n%3!<%I$N:n<T$N�(B Rob van Nieuwkerk �$B$O0J2<$N$h$&$K=R$Y$F$$$^$9�(B:
<P>
<BLOCKQUOTE>
�$BFC$K�(B "Minimum Delay"(�$B:G>.CY1d�(B) �$B$,;d$K$H$C$F=EMW$G$9!#�(B
�$B;d$O>eN.$N�(B (Linux) �$B%k!<%?$G�(B"�$BBPOC7?�(B"�$B%Q%1%C%H$N0Y$K$3$N%9%$%C%A$r%*%s�(B
�$B$7$F$$$^$9!#�(B
�$B;d$N%^%7%s$O�(B 33.6k �$B%b%G%`$G30It$H@\B3$5$l$F$$$^$9!#�(B
Linux �$B$O%Q%1%C%H$K�(B 3�$B$D$N%-%e!<$GM%@h=g0L$rIU$1$F$$$^$9!#�(B
�$B$3$NJ}K!$G;d$OBgNL$N%@%&%s%m!<%I$HF1;~$K5vMF$G$-$kBPOCE*$J%Q%U%)!<�(B
�$B%^%s%9$rF@$F$$$^$9!#�(B
(�$B$3$l$O%7%j%"%k%I%i%$%P$K$=$N$h$&$J5pBg$J%-%e!<$,$J$1$l$PNI$$$N$G$9�(B
�$B$,!"BT$A;~4V$O�(B1.5�$BIC$KMn$5$l$^$9!#�(B)
</BLOCKQUOTE>
<P>
<P>�$BCm0U�(B: �$BL@$i$+$K!"$"$J$?$OF~$C$FMh$k%Q%1%C%H$KBP$7$F@)8f$O$G$-$^$;$s!#�(B
�$B$"$J$?$O<+?H$N�(B Linux box �$B$r5n$C$F$$$/%Q%1%C%H$NM%@h=g0L$@$1$r@)8f�(B
�$B$G$-$^$9!#�(B
�$BB>$NJ}K!$GM%@h=g0L$r$d$j$/$j$9$k$J$i!"�(B RSVP �$B$N$h$&$J%W%m%H%3%k$,�(B
�$BI,MW$G$9!#�(B(�$B$3$l$K4X$7$F$O;d$O2?$bCN$i$J$$$N$G!";d$K$OJ9$+$J$$$G2<�(B
�$B$5$$!#�(B)
<P>
<P>�$B:G$b0lHLE*$J;HMQJ}K!$O�(B telnet �$B$H�(B ftp �$B$N%3%s%H%m!<%k%3%M%/%7%g%s$K�(B
"Minimum Delay" �$B$r@_Dj$7!"�(B FTP �$B%G!<%?$K�(B "Maximum Throughput" �$B$r@_�(B
�$BDj$9$k$b$N$G$9!#�(B
�$B0J2<$N$h$&$K$J$j$^$9�(B:
<P>
<BLOCKQUOTE><CODE>
<PRE>
ipchains -A output -p tcp -d 0.0.0.0/0 telnet -t 0x01 0x10
ipchains -A output -p tcp -d 0.0.0.0/0 ftp -t 0x01 0x10
ipchains -A output -p tcp -s 0.0.0.0/0 ftp-data -t 0x01 0x08
</PRE>
</CODE></BLOCKQUOTE>
<P>
<P>`-t' �$B%U%i%0$O�(B 2�$B$D$NFCJL$J%Q%i%a!<%?$r;}$A!"$=$l$i$O�(B16�$B?J$G;XDj$7$^$9!#�(B
�$B$=$l$i$O�(BTOS �$B%S%C%H$rJ#;($K$$$8$/$j2s$7$^$9�(B:
�$B:G=i$N%^%9%/$O%Q%1%C%H$N8=:_$N�(B TOS �$B$K�(B AND (�$BO@M}@Q�(B)�$B$5$l$^$9!#�(B
2�$BHVL\$N%^%9%/$O$=$l$KBP$7$F�(B XOR (�$BGSB>E*O@M}OB�(B)�$B$5$l$^$9!#�(B
�$B$3$l$G7c$7$/:.Mp$9$k$N$G$7$?$i!"0J2<$N0lMw$r;H$C$F2<$5$$�(B:
<P>
<BLOCKQUOTE><CODE>
<PRE>
TOS �$BL>�(B �$BCM�(B �$B0lHLE*$JMQES�(B
Minimum Delay 0x01 0x10 ftp, telnet
Maximum Throughput 0x01 0x08 ftp-data
Maximum Reliability 0x01 0x04 snmp
Minimum Cost 0x01 0x02 nntp
</PRE>
</CODE></BLOCKQUOTE>
<P>Andi Kleen �$B$O0J2<$N$h$&$K;XE&$7$F$$$^$9!#�(B (�$B8e!9$K;D$9$?$a$KI=8=$r�(B
�$BFp$i$+$/$7$F$$$^$9!#�(B)
<BLOCKQUOTE>
�$BB?J,!"�(BTOS �$B%S%C%H$N5DO@$K$D$$$F$O!"�(B ifconfig �$B$N�(B txqueuelen �$B%Q%i%a!<%?$N;2>H$rDI2C$9$k$N$KJXMx$G$7$g$&!#�(B
�$B%G%P%$%9$N%-%e!<D9$N=i4|CM$O%$!<%5%M%C%H%+!<%I$N0Y$KD4@0$5$l!"%b%G%`$K$*$$$F$O$=$l$OD9$9$.$F!"�(B (TOS�$B$KB'$C$?%-%e!<$N�(B) 3�$B%P%s%I$N%9%1%8%e!<%i$r:n@.$7!"$=$l$i$NF/$-$OHy!9$?$k$b$N$G$9!#�(B
�$B%b%G%`$d%7%s%0%k�(B b �$B%A%c%M%k$N�(B ISDN �$B@\B3$K$*$$$F!"$3$NCM$r�(B 4-10 �$B$N4V$K@_Dj$9$k$N$ONI$$$H;W$$$^$9�(B; �$BB@$$%G%P%$%9$J$i$h$jD9$$%-%e!<$,I,MW$G$9!#�(B
�$B$3$l$O%+!<%M%k%P!<%8%g%s�(B 2.0 �$B$H�(B 2.1 �$B$NLdBj$G$7$?$,!"�(B 2.1 �$B$K$*$$$F$=$l$O�(B (�$B:G?7$N�(B nettools �$B$rMQ$$$F�(B) ifconfig �$B%U%i%0$G2DG=$K$J$j!"�(B 2.0 �$B$K$*$$$F$O%G%P%$%9%I%i%$%P$N%=!<%9$K%Q%C%A$rE,MQ$7$F2DG=$K$J$j$^$9!#�(B
</BLOCKQUOTE>
<P>�$B$G$9$N$G!"%b%G%`$G$N�(B PPP �$B@\B3$K$*$1$k�(B TOS �$BA`:n$N:GBg$N287C$rF@$k$K$O!"�(B
�$B$"$J$?$N%^%7%s$N�(B /etc/ppp/ip-up �$B%9%/%j%W%HFb$G�(B `ifconfig $1 txqueuelen'
�$B$r<B9T$9$k$3$H$G$9!#�(B
�$B$3$l$r;H$&:]$NCM$O%b%G%`$NB.EY$H%b%G%`Fb$N%P%C%U%!$NAmNL$K0MB8$7$^$9�(B;
�$B0J2<$K�(B Andi �$B$N;d$X$NJVEz$r$=$N$^$^:FEY7G:\$7$^$9�(B:
<P>
<BLOCKQUOTE>
�$BM?$($i$l$?%3%s%U%#%.%e%l!<%7%g%s$N:GE,CM$O7P83$,I,MW$G$9!#�(B
�$B$b$7%k!<%?>e$N%-%e!<$,C;$9$.$k$H!"%Q%1%C%H$r<h$j$3$\$7$F$7$^$$$^$9!#�(B
�$B$=$7$FL^O@�(B TOS �$B$N=q$-49$($b$J$/8z2L$rF@$k$3$H$K$J$j!"C1$K�(B TOS �$B$N=q$-�(B
�$B49$($OHs6(NOE*$J%W%m%0%i%`$K8z2L$r$b$?$i$7$^$9!#�(B
(�$B$7$+$7A4$F$NI8=`E*$J�(B Linux �$B%7%9%F%`%W%m%0%i%`$O6(NOE*$G$9!#�(B)
</BLOCKQUOTE>
<P>
<H3>�$B%Q%1%C%H$N%^!<%-%s%0�(B</H3>
<P>�$B$3$l$O�(B Alexey Kuznetsov �$B$K$h$k?7$?$J�(B"�$B9bIJ<ADL?.�(B"�$B$N<BAu$K$h$C$F!"J#;(�(B
�$B$G6/NO$JAj8_:nMQ$rM-8z$K$7$^$9!#�(B
2.1 �$B%7%j!<%:%+!<%M%k0J9_$N�(Bmark�$B%Y!<%9$N%U%)%o!<%G%#%s%0$HF1MM$KNI9%$G�(B
�$B$9!#�(B
�$B99$J$k%K%e!<%9$H$7$F$O$3$l$,;H$($k$h$&$K$J$C$?$3$H$G$9!#�(B
�$B$3$N%*%W%7%g%s$O�(B 2.0 �$B%+!<%M%k%7%j!<%:$G$OA4$/L5;k$5$l$^$9!#�(B
<P>(�$BLuCm�(B: Quality of Service �$B$O!"�(B QoS �$B$HN,$5$l!"%M%C%H%o!<%/N.NL@)8B$r�(B
�$B;X$7$^$9!#$3$l$O%+!<%M%k$N%3%s%U%#%.%e%l!<%7%g%s%9%$%C%A$K�(B
CONFIG_NET_QOS �$B$H$7$FB8:_$7$^$9!#�(B)
<P>
<H3><A NAME="chain-ops"></A> �$B%A%'%$%s$NA`:n�(B</H3>
<P>ipchains �$B$N$H$F$bM-8z$JFCD'$O!"%A%'%$%sCf$N4XO"$9$k%k!<%k$r%0%k!<%W�(B
�$B2=$G$-$k$3$H$G$9!#�(B
�$B$*K>$_$N%A%'%$%s$O2?$G$b8F$S=P$;$^$9$,!"AH$_9~$_:Q$_%A%'%$%s�(B (<CODE>input</CODE>,
<CODE>output</CODE> �$B$H�(B <CODE>forward</CODE>) �$B$d%?!<%2%C%H�(B (<CODE>MASQ</CODE>, <CODE>REDIRECT</CODE>, <CODE>ACCEPT</CODE>, <CODE>DENY</CODE>, <CODE>REJECT</CODE>
�$B0?$O�(B <CODE>RETURN</CODE>) �$B$r2u$5$J$$0Y$K!"==J,D9$$L>A0$r;H$C$F2<$5$$!#�(B
�$B>-Mh$N3HD%$KHw$($F!"%i%Y%kL>$NA4It$KBgJ8;z$r;H$o$J$$$3$H$r$*4+$a$7$^$9!#�(B
�$B%A%'%$%s$NL>A0$O:GBg�(B 8�$BJ8;z$^$G;H$($^$9!#�(B
<P>
<H3>�$B?7$7$$%A%'%$%s$r:n$k�(B</H3>
<P>�$B?7$7$$%A%'%$%s$r:n$j$^$7$g$&!#;d$O$H$C$F$bAOB$NO$KIY$s$@LnO:$J$N$G!"�(B
�$B$=$l$r�(B <CODE>test</CODE> �$B$HL>IU$1$^$9!#�(B
<P>
<BLOCKQUOTE><CODE>
<PRE>
# ipchains -N test
#
</PRE>
</CODE></BLOCKQUOTE>
<P>
<P>�$B$3$l$O4JC1$G$9!#�(B
�$B$5$F!"$"$J$?$O$3$l$^$G>\:Y$K=R$Y$F$-$?$h$&$K!"$3$l$K%k!<%k$rF~$l$k�(B
�$B$3$H$,$G$-$^$9!#�(B
<P>
<H3>�$B%A%'%$%s$r:o=|$9$k�(B</H3>
<P>�$B%A%'%$%s$r:o=|$9$k$N$bF1MM$K4JC1$G$9!#�(B
<P>
<BLOCKQUOTE><CODE>
<PRE>
# ipchains -X test
#
</PRE>
</CODE></BLOCKQUOTE>
<P>�$B$J$<�(B `-X' �$B$+$C$F�(B? �$B$&!<$s!"$h$$J8;z$,A4$F<h$i$l$F$7$^$C$?$N$G$9!#�(B
<P>
<P>�$B%A%'%$%s$r:o=|$9$k$K$O�(B 2�$B$D$N@)8B$,$"$j$^$9�(B:
�$B$=$N%A%'%$%s$O6u$G$"$kI,MW$,$"$j�(B(�$B8e=R$N�(B
<A HREF="#flushing">�$B%A%'%$%s$r6u$K$9$k�(B</A>�$B$r8+$F2<$5$$�(B)�$B!"$7$+$b!"7h$7$F$I$N%k!<%k$N%?!<%2%C%H$K$b$J$C$F$$$J$$$3$H$G$9!#�(B
�$BAH$_9~$_:Q$_$N�(B 3�$B$D$N%A%'%$%s$O$I$l$b:o=|$G$-$^$;$s!#�(B
<P>
<H3><A NAME="flushing"></A> �$B%A%'%$%s$r6u$K$9$k�(B</H3>
<P>�$B%A%'%$%s$+$iA4$F$N%k!<%k$r<h$j5n$j6u$K$9$k$N$O4JC1$G!"�(B`-F' �$B%3%^%s%I�(B
�$B$r;H$$$^$9!#�(B
<P>
<BLOCKQUOTE><CODE>
<PRE>
# ipchains -F forward
#
</PRE>
</CODE></BLOCKQUOTE>
<P>
<P>�$B$b$7!"%A%'%$%sL>$r;XDj$7$J$1$l$P!"�(B<EM>�$BA4$F$N�(B</EM>�$B%A%'%$%s$r6u$K$7$^$9!#�(B
<P>
<H3>�$B%A%'%$%s$NFbMF$r%j%9%H%"%C%W$9$k�(B</H3>
<P>�$B%A%'%$%sCf$NA4$F$N%k!<%k$r%j%9%H%"%C%W$9$k$K$O!"�(B`-L' �$B%3%^%s%I$r;H$$�(B
�$B$^$9!#�(B
<P>
<BLOCKQUOTE><CODE>
<PRE>
# ipchains -L input
Chain input (refcnt = 1): (policy ACCEPT)
target prot opt source destination ports
ACCEPT icmp ----- anywhere anywhere any
# ipchains -L test
Chain test (refcnt = 0):
target prot opt source destination ports
DENY icmp ----- localnet/24 anywhere any
#
</PRE>
</CODE></BLOCKQUOTE>
<P>
<P><CODE>test</CODE> �$B$KI=<($5$l$F$$$k�(B `refcnt' �$B$O!"�(B<CODE>test</CODE> �$B$r%?!<%2%C%H$K;XDj$7$F$$$k�(B
�$B%k!<%k$N?t$G$9!#�(B
�$B$3$N?t$,�(B 0 �$B$G$J$$$H�(B(�$B$+$D%A%'%$%s$,6u$G$"$k$3$H�(B)�$B!"$=$N%A%'%$%s$r:o=|�(B
�$B$9$k$3$H$O$G$-$^$;$s!#�(B
<P>
<P>�$B$b$7!"%A%'%$%sL>$r;XDj$7$J$1$l$P!"6u$N$b4^$a$FA4$F$N%A%'%$%s$K$D$$$F�(B
�$B%j%9%H%"%C%W$5$l$^$9!#�(B
<P>
<P>`-L' �$B$K$O�(B 3�$B$D$N%*%W%7%g%s$,$"$j$^$9!#�(B
(�$BBgDq$N?M!9$O�(B DNS �$B$r;H$C$F$$$^$9$,�(B) DNS �$B$,E,@Z$K@_Dj�(B
�$B$5$l$F$$$J$$>l9g$d�(B DNS �$B$NMW5a$r%U%#%k%?!<%"%&%H$7$F$$$k>l9g$O!"�(B
<CODE>ipchains</CODE> �$B$,�(B IP �$B%"%I%l%9$rD4$Y$h$&$H$9$k$H$-$KD9$/BT$?$5$l$^$9!#�(B
�$B$=$l$rKI$0$N$K�(B `-n' (�$B?tCM�(B)�$B%*%W%7%g%s$O$H$F$bM-8z$G$9!#�(B
�$B$3$N%*%W%7%g%s$O�(B TCP �$B$d�(B UDP �$B%]!<%H$K$D$$$F$bL>A0$G$O$J$/HV9f$GI=<(�(B
�$B$7$^$9!#�(B
<P>
<P>`-v' �$B%*%W%7%g%s$O%k!<%k$N>\:Y$rA4$F!"Nc$($P!"%Q%1%C%H$d%P%$%H$N�(B
�$B%+%&%s%?!<!"�(BTOS �$B%^%9%/!"%$%s%?!<%U%'%$%9!"$=$7$F%Q%1%C%H%^!<%/$r�(B
�$BI=<($7$^$9!#�(B
�$B$3$N%*%W%7%g%s$r;XDj$7$J$1$l$P!"$3$l$i$NCM$O>JN,$5$l$^$9!#�(B
<P>
<BLOCKQUOTE><CODE>
<PRE>
# ipchains -v -L input
Chain input (refcnt = 1): (policy ACCEPT)
pkts bytes target prot opt tosa tosx ifname mark source destination ports
10 840 ACCEPT icmp ----- 0xFF 0x00 lo anywhere anywhere any
</PRE>
</CODE></BLOCKQUOTE>
<P>
<P>�$BCm5-$H$7$F!"%Q%1%C%H$H%P%$%H$N%+%&%s%?!<$O!"�(B1000, 1,000,000 �$B$*$h$S�(B
1,000,000,000 �$B$r!"$=$l$>$l�(B `K', `M' �$B$*$h$S�(B `G' �$B$N@\Hx<-$r;H$C$FI=<(�(B
�$B$7$^$9!#�(B
`-x' (�$B3HD%?tCM�(B)�$B%*%W%7%g%s$r;H$&$H!"CM$NBg$-$5$K$+$+$o$i$:40A4$J?tCM�(B
�$B$rF1MM$KI=<($7$^$9!#�(B
<P>
<H3>�$B%+%&%s%?!<$r�(B(�$B%<%m$K�(B)�$B%j%;%C%H$9$k�(B</H3>
<P>�$B%+%&%s%?!<$r%j%;%C%H$G$-$k$HJXMx$G$9!#$3$l$O�(B `-Z' (�$B%+%&%s%?$r%<%m$K$9$k�(B)
�$B%*%W%7%g%s$G$G$-$^$9!#Nc$($P�(B:
<P>
<BLOCKQUOTE><CODE>
<PRE>
# ipchains -v -L input
Chain input (refcnt = 1): (policy ACCEPT)
pkts bytes target prot opt tosa tosx ifname mark source destination ports
10 840 ACCEPT icmp ----- 0xFF 0x00 lo anywhere anywhere any
# ipchains -Z input
# ipchains -v -L input
Chain input (refcnt = 1): (policy ACCEPT)
pkts bytes target prot opt tosa tosx ifname mark source destination ports
0 0 ACCEPT icmp ----- 0xFF 0x00 lo anywhere anywhere any
#
</PRE>
</CODE></BLOCKQUOTE>
<P>
<P>�$B$3$N$d$jJ}$G$O!"%j%;%C%H$9$kD>A0$N%+%&%s%?CM$rCN$kI,MW$,$"$k$H$-$K�(B
�$BLdBj$K$J$j$^$9!#�(B
�$B>e5-$NJ}K!$G$O!"�(B`-L' �$B$+$i�(B `-Z' �$B%3%^%s%I$^$G$N4V$K$$$/$D$+$N%Q%1%C%H�(B
�$B$,DL2a$9$k$+$b$7$l$^$;$s!#�(B
�$B$=$N$?$a!"%+%&%s%?!<$rFI$`$HF1;~$K%j%;%C%H$9$k$K$O!"�(B`-L' �$B$H�(B `-Z' �$B$r�(B
<EM>�$BF1;~$K�(B</EM>�$B;H$$$^$9!#�(B
�$B;DG0$J$,$i!"$"$J$?$,$3$l$r;H$&$H!"C10l$N%A%'%$%s$rA`:n$G$-$^$;$s�(B:
�$B0lC6A4$F$N%A%'%$%s$r%j%9%H%"%C%W$7$F%<%m$K$9$kI,MW$,$"$j$^$9!#�(B
<P>
<BLOCKQUOTE><CODE>
<PRE>
# ipchains -L -v -Z
Chain input (policy ACCEPT):
pkts bytes target prot opt tosa tosx ifname mark source destination ports
10 840 ACCEPT icmp ----- 0xFF 0x00 lo anywhere anywhere any
Chain forward (refcnt = 1): (policy ACCEPT)
Chain output (refcnt = 1): (policy ACCEPT)
Chain test (refcnt = 0):
0 0 DENY icmp ----- 0xFF 0x00 ppp0 localnet/24 anywhere any
# ipchains -L -v
Chain input (policy ACCEPT):
pkts bytes target prot opt tosa tosx ifname mark source destination ports
10 840 ACCEPT icmp ----- 0xFF 0x00 lo anywhere anywhere any
Chain forward (refcnt = 1): (policy ACCEPT)
Chain output (refcnt = 1): (policy ACCEPT)
Chain test (refcnt = 0):
0 0 DENY icmp ----- 0xFF 0x00 ppp0 localnet/24 anywhere any
#
</PRE>
</CODE></BLOCKQUOTE>
<P>
<H3><A NAME="policy"></A> �$B%]%j%7!<$r@_Dj$9$k�(B</H3>
<P>�$B0JA0$K%Q%1%C%H$,$I$N$h$&$K%A%'%$%s$rDL$jH4$1$k$N$+$r!"A0=R$N�(B
<A HREF="#target-spec">�$B%?!<%2%C%H$N;XDj�(B</A>�$B$K$FO@$8$?$H$-!"%Q%1%C%H�(B
�$B$,AH$_9~$_:Q$_%A%'%$%s$N=*$o$j$KC#$7$?;~$K2?$,5/$-$k$N$+$rBgBN=R$Y$^$7�(B
�$B$?!#�(B
�$B$3$N>l9g!"%A%'%$%s$N�(B<B>�$B%]%j%7!<�(B</B>�$B$,$=$N%Q%1%C%H$N1?L?$r7hDj$7$^$9!#�(B
�$BAH$_9~$_:Q$_%A%'%$%s�(B(<CODE>input</CODE>, <CODE>output</CODE> �$B$*$h$S�(B <CODE>forward</CODE>)�$B$@$1$,%]%j%7!<$r;}$C�(B
�$B$F$$$^$9!#�(B
�$B$J$<$J$i!"%Q%1%C%H$,%f!<%6Dj5A%A%'%$%s$N=*$o$j$^$G2<$jMn$A$k$H!"A0$N�(B
�$B%A%'%$%s$KLa$C$F9T$/$+$i$G$9!#�(B
<P>
<P>�$B%]%j%7!<$O:G=i$+$i�(B 4�$B$D$^$G$NFCJL$J%?!<%2%C%H$N$$$:$l$+$G$9�(B:
<CODE>ACCEPT</CODE>, <CODE>DENY</CODE>, <CODE>REJECT</CODE> �$B0?$O�(B <CODE>MASQ</CODE> �$B$G$9!#�(B
<CODE>MASQ</CODE> �$B$O�(B `forward' �$B%A%'%$%s$K$*$$$F$N$_M-8z$G$9!#�(B
<P>
<P>�$B$^$?!"=EMW$JCm0UE@$H$7$F!"AH$_9~$_:Q$_%A%'%$%sCf$N%k!<%k$K$*$1$k�(B <CODE>RETURN</CODE>
�$B%?!<%2%C%H$O!"%Q%1%C%H$,%k!<%k$K%^%C%A$7$?;~$KL@<(E*$K%A%'%$%s$N%]%j%7!<�(B
�$B$r%?!<%2%C%H$K$9$k$?$aJXMx$G$9!#�(B
<P>
<H3>�$B%^%9%+%l!<%G%#%s%0$NA`:n�(B</H3>
<P>IP �$B%^%9%+%l!<%G%#%s%0$rHyD4@0$9$k4v$D$+$N%Q%i%a!<%?$,$"$j$^$9!#�(B
�$B$=$l$i$O�(B <CODE>ipchains</CODE> �$B$KAH$_9~$^$l$F$$$^$9!#�(B
�$B2?8N$J$i!"$=$N5!G=$N0Y$KJL$N%D!<%k$r=q$/$N$ONI$/$J$$$+$i$G$9!#�(B
(�$B$7$+$7$3$l$OJQ99$5$l$k$G$7$g$&!#�(B)
<P>
<P>IP �$B%^%9%+%l!<%G%#%s%0$N%3%^%s%I$O�(B `-M' �$B$G!":#%^%9%+%l!<%I$5$l$F$$$k�(B
�$B%3%M%/%7%g%s$r%j%9%H%"%C%W$9$k$?$a$K�(B `-L' �$B$HAH$_9g$o$;$i$l!"%^%9%+�(B
�$B%l!<%G%#%s%0$NCM$rD4@0$9$k$?$a$K�(B `-S' �$B$HAH$_9g$o$;$i$l$^$9!#�(B
<P>
<P>`-L' �$B%3%^%s%I$O�(B `-n' (�$B%[%9%HL>$d%]!<%HL>$G$O$J$/!"?tCM$rI=<($7$^$9!#�(B)
�$B$+!"$^$?$O�(B `-v' (�$B$^$5$K$"$J$?$,Cm0U$9$k!"%^%9%+%l!<%I%3%M%/%7%g%s$N�(B
�$B%7!<%1%s%9HV9f$N>\:Y$rI=<($7$^$9!#�(B)�$B$rH<$$$^$9!#�(B
<P>
<P>`-S' �$B%3%^%s%I$O0J2<$N�(B 3�$B$D$N%?%$%`%"%&%HCM$r@_Dj$7$^$9!"$=$l$i$O�(B
�$BICC10L$G$9�(B:
TCP �$B%;%C%7%g%s!"�(B FIN �$B%Q%1%C%H8e$N�(B TCP �$B%;%C%7%g%s$H!"�(B UDP �$B%Q%1%C%H�(B
�$B$G$9!#�(B
�$B$b$7$=$l$i$NCM$N0l$D$rJQ99$7$?$/$J$$$J$i$P!"C1=c$K�(B `0' �$B$,M?$($i$l�(B
�$B$^$9!#�(B
<P>
<P>�$B4{DjCM$O�(B `/usr/src/linux/include/net/ip_masq.h' �$B$K%j%9%H%"%C%W$5�(B
�$B$l$F$*$j!"�(B �$B8=:_$O$=$l$>$l�(B 15 �$BIC!"�(B 2�$BIC�(B �$B$=$7$F�(B 5�$BIC$G$9!#�(B
<P>
<P>�$BJQ99$5$l$k:G$b0lHLE*$JCM$O!"�(B ftp �$B$N0Y$KJQ99$9$k:G=i$NCM$G$9!#�(B
(�$B8e=R$N�(B
<A HREF="IPCHAINS-HOWTO-5.html#ftp">FTP �$B$N0-L4�(B</A>�$B$r;2>H$7$F2<$5$$!#�(B)
<P>
<P>
<A HREF="IPCHAINS-HOWTO-6.html#no-timeout">�$B%^%9%+%l!<%G%#%s%0$N%?%$%`%"%&%HCM$r@_Dj$G$-$^$;$s�(B!</A>�$B$KNs5s$7$?%?%$%`%"%&%H$N@_Dj$K4X$9$kLdBj$KCm0U$7$F2<$5$$!#�(B
<P>
<H3>�$B%Q%1%C%H$r%A%'%C%/$9$k�(B</H3>
<P>�$B;~$K$"$J$?$N%^%7%s$K0lDj$N%Q%1%C%H$,F~$j9~$`:]$K2?$,5/$3$k$N$+$r�(B
�$B8+$?$$$H;W$&$3$H$G$7$g$&!#�(B
�$B$"$J$?$N%U%!%$%"%&%)!<%k%A%'%$%s$r%G%P%C%0$9$k;~$J$I!#�(B
<CODE>ipchains</CODE> �$B$O$3$l$rM-8z$K$5$;$k�(B `-C' �$B%3%^%s%I$rAuHw$7$F$$$^$9!#�(B
�$B$=$N:]!"%+!<%M%k$,K\Ev$N%Q%1%C%H$r?GCG$9$k$N$KMQ$$$k%k!<%A%s$H@5�(B
�$B3N$KF1$8%k!<%A%s$rMQ$$$^$9!#�(B
<P>
<P>�$B%Q%1%C%H$r%F%9%H$9$k%A%'%$%s$O!"0z?t�(B `-C' �$B$N8e$K%Q%1%C%H$N%F%9%H$r�(B
�$B$9$k%A%'%$%s$NL>A0$r;XDj$7$^$9!#�(B
�$B%+!<%M%k$O>o$K�(B <CODE>input</CODE>, <CODE>output</CODE> �$B$^$?$O�(B <CODE>forward</CODE> �$B%A%'%$%s!"$H0\$C$F9T$-�(B
�$B$^$9$,!"%F%9%H$O$I$N%A%'%$%s$+$i$G$b;O$a$k$3$H$,$G$-$^$9!#�(B
<P>
<P>`packet' �$B$N>\:Y$O!"%U%!%$%"%&%)!<%k%k!<%k$r;XDj$9$k0Y$KMQ$$$i$l$k�(B
�$B$N$HF1$8=q$-J}$rMQ$$$F;XDj$7$^$9!#�(B
�$BFC$K!"%W%m%H%3%k�(B (`-p') �$B!"%=!<%9%"%I%l%9�(B (`-s') �$B!"08@h%"%I%l%9�(B (`-d')
�$B$H%$%s%?!<%U%'!<%9�(B (`-i')�$B$OI,?\$G$9!#�(B
�$B$b$7%W%m%H%3%k$,�(B TCP �$BKt$O�(B UDP �$B$J$i!"C10l$N%=!<%9$HC10l$N08@h%]!<%H�(B
�$B$,;XDj$5$l$J$1$l$P$J$j$^$;$s$7!"�(B ICMP �$B%W%m%H%3%k$K$*$$$F$O�(B ICMP �$B%?�(B
�$B%$%W$,;XDj$5$l$J$1$l$P$J$j$^$;$s!#�(B
(�$B%U%i%0%a%s%H$r<($9�(B `-f' �$B%U%i%0$r;XDj$7$F$$$J$1$l$P!#;XDj$7$F$$$k>l9g$O�(B
�$B$3$l$i$N%*%W%7%g%s$OIT@5$G$9!#�(B)
<P>
<P>�$B%W%m%H%3%k$,�(B TCP �$B$J$i$P�(B (�$B$=$7$F�(B `-f' �$B%U%i%0$,$7$F$$$5$l$F$$$J$1�(B
�$B$l$P�(B) �$B!"%F%9%H%Q%1%C%H$K�(B SYN �$B%S%C%H$r%;%C%H$9$k$N$K�(B `-y' �$B%U%i%0$r;XDj�(B
�$B$7$F$b$h$$$G$7$g$&!#�(B
<P>
<P>�$B0J2<$O�(B 192.168.1.1 �$B$N�(B60000 �$B%]!<%H$+$i�(B 192.168.1.2 �$B$N�(B www �$B%]!<%H$X!"�(B
eth0 �$B%$%s%?!<%U%'!<%9$KF~$j!"�(B `input' �$B%A%'%$%s$KE~C#$9$k�(B TCP SYN
�$B%Q%1%C%H$r%F%9%H$9$kNc$G$9!#�(B
(�$B$3$l$OE57?E*$J�(B WWW �$B$N@\B33+;O$NF~Mh$G$9�(B)
<P>
<BLOCKQUOTE><CODE>
<PRE>
# ipchains -C input -p tcp -y -i eth0 -s 192.168.1.1 60000 -d 192.168.1.2 www
packet accepted
#
</PRE>
</CODE></BLOCKQUOTE>
<P>
<H3>�$B0lEY$KJ#?t$N%k!<%k$H2?$,5/$3$k$N$+$r8+$k�(B</H3>
<P>�$B;~$KC10l$N%3%^%s%I%i%$%s$,J#?t$N%k!<%k$K1F6A$5$;$k$3$H$,$G$-$^$9!#�(B
�$B$3$l$K$OFs$D$NJ}K!$,$"$j$^$9!#�(B
�$B:G=i$K!"�(B(DNS �$B$rMQ$$$F�(B)�$BJ#?t$N�(B IP �$B%"%I%l%9$K2r7h$9$k%[%9%HL>$r;XDj�(B
�$B$9$k$H!"�(B <CODE>ipchains</CODE> �$B$O$"$J$?$,3F!9$N%"%I%l%9$NAH$_9g$o$;$KBP$7$FJ#�(B
�$B?t$N%3%^%s%I$rH/9T$7$?$N$HF1$8$h$&$K?6$kIq$$$^$9!#�(B
<P>
<P>�$B$G$9$+$i!"$b$7%[%9%HL>�(B `www.foo.com' �$B$,�(B 3�$B$D$N�(B IP �$B%"%I%l%9$K2r7h�(B
�$B$7!"%[%9%HL>�(B `www.bar.com' �$B$,�(B 2�$B$D$N�(B IP �$B%"%I%l%9$K2r7h$9$k>l9g!"�(B
�$B%3%^%s%I�(B `ipchains -A input -j reject -s www.bar.com -d www.foo.com'
�$B$O!"�(B <CODE>input</CODE> �$B%A%'%$%s$K�(B 6�$B$D$N%k!<%k$rDI2C$9$k$3$H$H$J$j$^$9!#�(B
<P>
<P><CODE>ipchains</CODE> �$B$KJ#?t$NF0:n$r9T$o$;$k$b$&0l$D$NJ}K!$O!"APJ}8~%U%i%0�(B(`-b')
�$B$rMQ$$$^$9!#�(B
�$B$3$N%U%i%0$O!"�(B <CODE>ipchains</CODE> �$B$K%3%^%s%I$r�(B 2�$B2sF~NO$5$;$?$N$HF1MM$K?6�(B
�$B$kIq$o$;$^$9!#�(B
�$B$=$N:]$N�(B 2�$B2sL\$N%3%^%s%I$O�(B `-s' �$B$H�(B `-d' �$B$N0z?t$rH?E>$5$;$?$3$H�(B
�$B$K$J$j$^$9!#�(B
�$B$G$9$N$G!"�(B 192.168.1.1 �$B$KAj8_$K%U%)%o!<%I$5$;$k$3$H$r6X$8$5$;$k�(B
�$B$K$O!"0J2<$N$h$&$K$G$-$^$9�(B:
<P>
<BLOCKQUOTE><CODE>
<PRE>
# ipchains -b -A forward -j reject -s 192.168.1.1
#
</PRE>
</CODE></BLOCKQUOTE>
<P>
<P>�$B8D?ME*$K$O!"�(B `-b' �$B%*%W%7%g%s$O9%$-$G$J$$$G$9�(B;
�$B$b$C$HJXMx$K$7$?$$$J$i!"8e=R$N�(B
<A HREF="#ipchains-save">ipchains-save �$B$r;H$&�(B</A>�$B$r8+$F2<$5$$!#�(B
<P>
<P>-b �$B%*%W%7%g%s$O�(B �$BA^F~�(B (`-I') �$B!"�(B �$B:o=|�(B (`-D') (�$B$G$b%k!<%k%J%s%P!<$N�(B
�$B3HD%$G$O$"$j$^$;$s!#�(B) �$B!"DI2C�(B (`-A') �$B$H%A%'%C%/�(B (`-C') �$B%3%^%s%I$H�(B
�$B6&$K;H$($^$9!#�(B
<P>
<P>�$B$b$&0l$D$NJXMx$J%U%i%0$K�(B `-v' (�$B>iD9$J�(B) �$B$,$"$j$^$9!#�(B
�$B$3$l$O�(B <CODE>ipchains</CODE> �$B$,$"$J$?$N%3%^%s%I$K$h$C$F2?$r$7$F$$$k$N$+$r@53N�(B
�$B$K%W%j%s%H%"%&%H$7$^$9!#�(B
�$B$"$J$?$,J#?t$N%k!<%k$r%3%^%s%I$r;\$7$F$$$k$N$J$i!"$3$l$,JXMx$G$9!#�(B
�$BNc$($P!"0J2<$O�(B 192.168.1.1 �$B$H�(B 192.168.1.2 �$B$H$N4V$G%U%i%0%a%s%H$N�(B
�$B?6$kIq$$$r%A%'%C%/$9$kNc$G$9!#�(B
<P>
<BLOCKQUOTE><CODE>
<PRE>
# ipchains -v -b -C input -p tcp -f -s 192.168.1.1 -d 192.168.1.2 -i lo
tcp opt ---f- tos 0xFF 0x00 via lo 192.168.1.1 -> 192.168.1.2 * -> *
packet accepted
tcp opt ---f- tos 0xFF 0x00 via lo 192.168.1.2 -> 192.168.1.1 * -> *
packet accepted
#
</PRE>
</CODE></BLOCKQUOTE>
<P>
<H2><A NAME="ss4.2">4.2 �$B<BNc=8�(B</A>
</H2>
<P>�$B;d$N�(B PC �$B$O%$%s%?!<%M%C%H$X%@%$%d%k%"%C%W�(B PPP �$B@\B3$5$l$^$9!#�(B (<CODE>-i ppp0</CODE>)
�$B;d$O%@%$%d%k%"%C%W$NEYKh$K%M%C%H%K%e!<%9�(B (<CODE>-p TCP -s news.virtual.net.au nntp</CODE>)
�$B$H%a!<%k�(B (<CODE>-p TCP -s mail.virtual.net.au pop-3</CODE>) �$B$r�(B PC �$B$K<h$j9~$_$^$9!#�(B
�$B;d$O�(B Debian �$B$N�(B FTP �$B$K$h$k�(B PC �$B$N99?7:n6H$rDj4|E*$K9T$$$^$9!#�(B
(<CODE>-p TCP -y -s ftp.debian.org.au ftp-data</CODE>)
�$B;d$O�(B ISP �$B$N%W%m%-%7$r2p$7$F�(B web �$B$X$N%"%/%;%9$r9T$$$^$9�(B
(<CODE>-p TCP -d proxy.virtual.net.au 8080</CODE>)
�$B$,!"�(B Dilbert �$B%"!<%+%$%t>e$N�(B doubleclick.net �$B$+$i$N9-9p%P%J!<$r7y$$�(B
�$B$^$9!#�(B
(<CODE>-p TCP -y -d 199.95.207.0/24</CODE> �$B$H�(B <CODE>-p TCP -y -d 199.95.208.0/24</CODE>)
<P>
<P>�$B;d$O�(B PC �$B$,%*%s%i%$%s$N:]$KC/$+$,;d$N�(B PC �$B$KBP$7$F�(B ftp �$B$r;n$_$k�(B
�$B$3$H$K4X$7$F$O5$$K$7$^$;$s!#�(B (<CODE>-p TCP -d $LOCALIP ftp</CODE>)
�$B$1$l$I$b!"30It$NC/$+$K;d$NFbIt%M%C%H%o!<%/�(B (<CODE>-s 192.168.1.0/24</CODE>)
�$B$N�(B IP �$B%"%I%l%9$r56Au$5$l$?$/$"$j$^$;$s!#�(B
�$B$3$l$ODL>o!"�(B IP �$B%9%W!<%U%#%s%0�(B (�$BLuCm�(B: �$B56Au�(B) �$B$H8F$P$l!"%P!<%8%g%s�(B
2.1.x �$B0J9_$N%+!<%M%k$K$O$3$l$rKI$0NI$$J}K!$,$"$j$^$9�(B:
<A HREF="IPCHAINS-HOWTO-5.html#antispoof">IP �$B56AuJ]8n�(B(IP Spoof Protection)�$B$r!"$I$N$h$&$K@_Dj$7$?$i$h$$$G$9$+�(B?</A>�$B$r;2>H$7$F2<$5$$!#�(B
<P>
<P>�$B$3$N%;%C%H%"%C%W$O$H$F$bC1=c$G!"2?8N$J$i:#;d$NFbIt%M%C%H%o!<%/>e�(B
�$B$K$OB>$K%^%7%s$,$J$$$+$i$G$9!#�(B
<P>
<P>�$B;d$O$"$i$f$k%m!<%+%k%W%m%;%9�(B(�$B$9$J$o$A!"%M%C%H%9%1!<%W!"�(B lynx �$BEy�(B)
�$B$r�(B doubleclick.net �$B$K@\B3$5$;$?$/$"$j$^$;$s!#�(B
<P>
<BLOCKQUOTE><CODE>
<PRE>
# ipchains -A output -d 199.95.207.0/24 -j REJECT
# ipchains -A output -d 199.95.208.0/24 -j REJECT
#
</PRE>
</CODE></BLOCKQUOTE>
<P>
<P>�$B$5$F!";d$O30$X=P$F9T$/MM!9$J%Q%1%C%H$KM%@h=g0L$r@_Dj$7$?$$$G$9!#�(B
(�$BF~$C$FMh$k%Q%1%C%H$KBP$7$F$3$l$r9T$&B?$/$N%a%j%C%H$O$"$j$^$;$s!#�(B)
�$B$3$l$i$N%k!<%k$,B??t$"$k$N$G!"�(B<CODE>ppp-out</CODE> �$B$HL>IU$1$?%A%'%$%s$K$=$l$iA4$F$r�(B
�$BF~$l$k$3$H$O0UL#$N$"$k$3$H$G$9!#�(B
<P>
<BLOCKQUOTE><CODE>
<PRE>
# ipchains -N ppp-out
# ipchains -A output -i ppp0 -j ppp-out
#
</PRE>
</CODE></BLOCKQUOTE>
<P>
<P>web �$B$N%H%i%U%#%C%/$H�(B telnet �$B$X:G>.CY1d$r@_Dj$7$^$9!#�(B
<P>
<BLOCKQUOTE><CODE>
<PRE>
# ipchains -A ppp-out -p TCP -d proxy.virtual.net.au 8080 -t 0x01 0x10
# ipchains -A ppp-out -p TCP -d 0.0.0.0/0 telnet -t 0x01 0x10
#
</PRE>
</CODE></BLOCKQUOTE>
<P>
<P>ftp �$B%G!<%?�(B, nntp, pop-3 �$B$KDc%3%9%H$r@_Dj$7$^$9�(B:
<P>
<BLOCKQUOTE><CODE>
<PRE>
# ipchains -A ppp-out -p TCP -d 0.0.0.0/0 ftp-data -t 0x01 0x02
# ipchains -A ppp-out -p TCP -d 0.0.0.0/0 nntp -t 0x01 0x02
# ipchains -A ppp-out -p TCP -d 0.0.0.0/0 pop-3 -t 0x01 0x02
#
</PRE>
</CODE></BLOCKQUOTE>
<P>
<P>ppp0 �$B%$%s%?!<%U%'!<%9$KF~$C$FMh$k%Q%1%C%H$K$O4v$D$+$N@)8B$,$"$j$^$9�(B:
`ppp-in' �$B$H$$$&%A%'%$%s$r:n$j$^$7$g$&�(B:
<P>
<BLOCKQUOTE><CODE>
<PRE>
# ipchains -N ppp-in
# ipchains -A input -i ppp0 -j ppp-in
#
</PRE>
</CODE></BLOCKQUOTE>
<P>
<P>�$B$5$F!"�(B <CODE>ppp0</CODE> �$B$KF~$C$FMh$k%Q%1%C%H$O�(B 192.168.1.* �$B$N%=!<%9%"%I%l%9�(B
�$B$r<gD%$9$k$Y$-$G$O$"$j$^$;$s!#�(B
�$B$G$9$+$i!"2f!9$O$=$l$i$r%m%0$K5-O?$7$FH]Dj�(B (deny) �$B$7$^$9�(B:
<P>
<BLOCKQUOTE><CODE>
<PRE>
# ipchains -A ppp-in -s 192.168.1.0/24 -l -j DENY
#
</PRE>
</CODE></BLOCKQUOTE>
<P>
<P>�$B;d$O�(B DNS �$B$N�(B UDP �$B%Q%1%C%H�(B (�$B;d$OA4$F$NMW5a$r�(B 203.29.16.1 �$B$XE>Aw$9$k�(B
�$B%-%c%C%7%e%M!<%`%5!<%P$rF0$+$7$F$$$k$N$G!"$=$l$i$NMW5a$+$i$=$N�(B DNS
�$B$@$1$,JVEz$9$k$3$H$rM=B,$7$^$9!#�(B) �$B$H�(B �$BF~$C$FMh$k�(B ftp �$B$H5"$C$FMh$k�(B ftp-data
(�$B$3$l$i$O�(B1023�$BHV0J>e$N%]!<%H$N$_$,;H$o$l!"3n$D�(B6000�$BHV6aJU$N�(B X11 �$B%]!<�(B
�$B%H$r;H$$$^$;$s!#�(B) �$B$N�(B TCP �$B%Q%1%C%H$N$_$r5v2D$7$^$9!#�(B
<P>
<BLOCKQUOTE><CODE>
<PRE>
# ipchains -A ppp-in -p UDP -s 203.29.16.1 -d $LOCALIP dns -j ACCEPT
# ipchains -A ppp-in -p TCP -s 0.0.0.0/0 ftp-data -d $LOCALIP 1024:5999 -j ACCEPT
# ipchains -A ppp-in -p TCP -s 0.0.0.0/0 ftp-data -d $LOCALIP 6010: -j ACCEPT
# ipchains -A ppp-in -p TCP -d $LOCALIP ftp -j ACCEPT
#
</PRE>
</CODE></BLOCKQUOTE>
<P>
<P>�$B5"$C$F$/$k�(B TCP �$B$NJVEz%Q%1%C%H$r5v2D$7$^$9!#�(B
<P>
<BLOCKQUOTE><CODE>
<PRE>
# ipchains -A ppp-in -p TCP ! -y -j ACCEPT
#
</PRE>
</CODE></BLOCKQUOTE>
<P>
<P>�$B:G8e$K!"%m!<%+%k$H%m!<%+%kF1;N$N%Q%1%C%H$O�(B OK �$B$G$9�(B:
<P>
<BLOCKQUOTE><CODE>
<PRE>
# ipchains -A input -i lo -j ACCEPT
#
</PRE>
</CODE></BLOCKQUOTE>
<P>
<P>�$B$5$F!";d$N�(B <CODE>input</CODE> �$B%A%'%$%s$K$*$1$k4{Dj%]%j%7!<$O�(B <CODE>DENY</CODE> (�$BH]Dj�(B) �$B$G$9�(B
�$B$N$G!">e=R$N$b$N0J30$OA4$FGK4~$7$^$9�(B:
<P>
<BLOCKQUOTE><CODE>
<PRE>
# ipchains -P input DENY
#
</PRE>
</CODE></BLOCKQUOTE>
<P>
<P>�$BCm0U�(B: �$B;d$O$3$N=gHV$G%A%'%$%s$r%;%C%H%"%C%W$7$^$;$s$G$7$?!#�(B
�$B%;%C%H%"%C%W$N:GCf$K%Q%1%C%H$,F~$j9~$s$GMh$k$+$i$G$9!#�(B
�$B:G$b0BA4$J$N$O:G=i$K�(B DENY �$B$N%]%j%7!<$r@_Dj$9$k$3$H$G$9!#�(B
�$BL^O@!"$"$J$?$N%k!<%k$,%[%9%HL>$r2r7h$9$k0Y$K�(B DNS �$B$N;2>H$r�(B
�$BMW5a$9$k$J$i!"LdBj$,H/@8$9$k$3$H$G$7$g$&!#�(B
<P>
<H3><A NAME="ipchains-save"></A> ipchains-save �$B$r;H$&�(B</H3>
<P>�$B$^$5$K$"$J$?$N$*K>$_DL$j$N%U%!%$%"%&%)!<%k%A%'%$%s$r%;%C%H%"%C%W$7!"�(B
�$B$=$7$F<!2s$K$d$C$?$3$H$r;W$$=P$=$&$H$9$k$N$O?I$$$3$H$G$9!#�(B
<P>
<P>�$B$=$3$G!":#%;%C%H%"%C%W$7$?$"$J$?$N%A%'%$%s$rFI$_!"%U%!%$%k$KJ]B8$9�(B
�$B$k!"�(B <CODE>ipchains-save</CODE> �$B$H$$$&%9%/%j%W%H$G$9!#�(B
<CODE>ipchains-restore</CODE> �$B$,2?$r$9$k$+$K4X$7$F$O$A$g$C$HBT$C$F$F2<�(B
�$B$5$$$M!#�(B
<P>
<P><CODE>ipchains-save</CODE> �$B$OC10l$N%A%'%$%sKt$O�(B (�$B%A%'%$%sL>$,;XDj$5$l$J$1$l$P�(B)
�$BA4$F$N%A%'%$%s$r%;!<%V$G$-$^$9!#�(B
�$B%*%W%7%g%s$H$7$F$O�(B `-v' �$B$N$_$,5v$5$l!"$3$l$O%;!<%V$5$l$?%k!<%k$r�(B
(�$BI8=`%(%i!<=PNO$K�(B) �$B%W%j%s%H$7$^$9!#�(B
<CODE>input</CODE>, <CODE>output</CODE> �$B$=$7$F�(B <CODE>forward</CODE> �$B%A%'%$%s$N%]%j%7!<$bF1MM$K%;!<%V$5$l�(B
�$B$^$9!#�(B
<P>
<BLOCKQUOTE><CODE>
<PRE>
# ipchains-save > my_firewall
Saving `input'.
Saving `output'.
Saving `forward'.
Saving `ppp-in'.
Saving `ppp-out'.
#
</PRE>
</CODE></BLOCKQUOTE>
<P>
<H3>ipchains-restore �$B$r;H$&�(B</H3>
<P><CODE>ipchains-restore</CODE> �$B$O�(B <CODE>ipchains-save</CODE> �$B$GJ]B8$5$l$?%A%'%$%s$rI|85$7$^$9!#�(B
�$B$3$l$O�(B 2�$B$D$N%*%W%7%g%s$r;}$AF@$^$9�(B:
`-v' �$B$O3F!9$N%k!<%k$,DI2C$5$l$k$h$&$K@bL@$7$^$9!#�(B
�$B$=$7$F�(B `-f' �$B$O0J2<$K@bL@$9$k$h$&$K!"4{$KB8:_$9$k%f!<%6!<Dj5A%A%'%$%s�(B
�$B$r6/@)E*$K>C5n$7$^$9!#�(B
<P>
<P>�$B$b$7!"�(B input �$B%A%'%$%sFb$K%f!<%6!<Dj5A%A%'%$%s$,$"$l$P!"�(B <CODE>ipchains-restore</CODE>
�$B$O$=$l$,4{B8$N%A%'%$%s$J$N$+$r%A%'%C%/$7$^$9!#�(B
�$B$=$&$G$"$l$P!"%W%m%s%W%H$,I=<($5$l!"%A%'%$%s$r>C5n$9$k�(B (�$BA4$F$N%k!<%k�(B
�$B$r>C5n$9$k�(B) �$B$+!"=hM}$r%9%-%C%W$7$F8=:_$N@_Dj$rJ];}$9$k$+$NA*Br$r5a$a�(B
�$B$i$l$^$9!#�(B
�$B$b$7%3%^%s%I%i%$%s$K�(B `-f' �$B$r;XDj$9$l$P!"%W%m%s%W%H$OI=<($5$l$^$;$s�(B:
�$B%A%'%$%s$O>C5n$5$l$^$9!#�(B
<P>
<P>�$BNc�(B:
<P>
<BLOCKQUOTE><CODE>
<PRE>
# ipchains-restore < my_firewall
Restoring `input'.
Restoring `output'.
Restoring `forward'.
Restoring `ppp-in'.
Chain `ppp-in' already exists. Skip or flush? [S/f]? s
Skipping `ppp-in'.
Restoring `ppp-out'.
Chain `ppp-out' already exists. Skip or flush? [S/f]? f
Flushing `ppp-out'.
#
</PRE>
</CODE></BLOCKQUOTE>
<P>
<HR>
<A HREF="IPCHAINS-HOWTO-5.html">�$B<!$N%Z!<%8�(B</A>
<A HREF="IPCHAINS-HOWTO-3.html">�$BA0$N%Z!<%8�(B</A>
<A HREF="IPCHAINS-HOWTO.html#toc4">�$BL\<!$X�(B</A>
</BODY>
</HTML>
