<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
<META NAME="GENERATOR" CONTENT="SGML-Tools 1.0.9">
<TITLE>Linux IPCHAINS-HOWTO: �$B<BMQE*$JNc�(B</TITLE>
<LINK HREF="IPCHAINS-HOWTO-8.html" REL=next>
<LINK HREF="IPCHAINS-HOWTO-6.html" REL=previous>
<LINK HREF="IPCHAINS-HOWTO.html#toc7" REL=contents>
</HEAD>
<BODY>
<A HREF="IPCHAINS-HOWTO-8.html">�$B<!$N%Z!<%8�(B</A>
<A HREF="IPCHAINS-HOWTO-6.html">�$BA0$N%Z!<%8�(B</A>
<A HREF="IPCHAINS-HOWTO.html#toc7">�$BL\<!$X�(B</A>
<HR>
<H2><A NAME="s7">7. �$B<BMQE*$JNc�(B</A></H2>
<P>�$B$3$NHONc$O!"�(B1999 �$BG/$N�(B 3 �$B7n$K3+:E$5$l$?�(B LinuxWorld �$B$G�(B Michael Neuling
�$B$H;d$,H/I=$7$?%A%e!<%H%j%"%k$+$i0zMQ$7$^$7$?!#$3$l$O!"M?$($i$l$?Ld�(B
�$BBj$r2r7h$9$k$?$a$NM#0l$NJ}K!$G$O$J$$$G$9$,!"B?J,:G$bC1=c$J$b$N$G$9!#�(B
�$B$3$NHONc$rM-1W$J$b$N$@$H;W$C$FD:$1$l$P9,$$$G$9!#�(B
<P>
<P>
<P>
<H2><A NAME="ss7.1">7.1 �$B9=@.�(B</A>
</H2>
<P>
<UL>
<LI>�$B%^%9%+%l!<%I$5$l$?FbIt%M%C%H%o!<%/�(B(�$BMM!9$J�(B OS �$B$,B8:_$7$F$$$^$9�(B)
�$B$,B8:_$7!"�(B"GOOD" �$B$H8F$S$^$9!#�(B</LI>
<LI>�$BJ,N%$5$l$?%M%C%H%o!<%/>e$K8x3+%5!<%P$,B8:_$7$F$$$^$9�(B(�$BHsIpAu2=�(B
�$BCOBS�(B "Demilitarized Zone" �$B$H$$$&$3$H$G�(B "DMZ" �$B$H8F$S$^$9�(B)�$B!#�(B</LI>
<LI>�$B%$%s%?!<%M%C%H$X�(B PPP �$B@\B3$7$F$$$^$9�(B( "BAD" �$B$H8F$S$^$9�(B)�$B!#�(B</LI>
</UL>
<P>
<P>
<P>
<BLOCKQUOTE><CODE>
<PRE>
�$B30It%M%C%H%o!<%/�(B (BAD)
�$B("�(B
�$B("�(B
ppp0�$B("�(B
�$B(#(!(!(!(!(!(!(!($�(B
�$B("�(B192.84.219.1 �$B("�(B �$B%5!<%P%M%C%H%o!<%/�(B (DMZ)
�$B("�(B �$B("�(Beth0
�$B("�(B �$B("(!(!(!(!(!(!(!(((!(!(!(!(!(!(((!(!(!(!(!(!(((!�(B
�$B("�(B �$B("�(B192.84.219.250�$B("�(B �$B("�(B �$B("�(B
�$B("�(B �$B("�(B �$B("�(B �$B("�(B �$B("�(B
�$B("�(B192.168.1.250 �$B("�(B �$B("�(B �$B("�(B �$B("�(B
�$B(&(!(!(!(!(!(!(!(%�(B �$B(#(!(!(!($�(B �$B(#(!(!(!($�(B �$B(#(!(!(!($�(B
�$B("�(B eth1 �$B("�(B SMTP �$B("�(B �$B("�(B DNS �$B("�(B �$B("�(B WWW �$B("�(B
�$B("�(B �$B(&(!(!(!(%�(B �$B(&(!(!(!(%�(B �$B(&(!(!(!(%�(B
�$B("�(B 192.84.219.128 192.84.219.129 192.84.218.130
�$B("�(B
�$BFbIt%M%C%H%o!<%/�(B (GOOD)
</PRE>
</CODE></BLOCKQUOTE>
<P>
<P>
<H2><A NAME="ss7.2">7.2 �$BL\E*�(B</A>
</H2>
<P>
<P>
<P>�$B%Q%1%C%H%U%#%k%?!<%^%7%s�(B:
<P>
<P>
<DL>
<DT><B>�$BA4$F$N%M%C%H%o!<%/$KBP$7$F�(B PING �$B$,2DG=�(B</B><DD><P>�$B%^%7%s$,%@%&%s$7$F$$$k$+$I$&$+$rCN$k$N$KBgJQLr$KN)$A$^$9!#�(B
<P>
<P>
<DT><B>�$BA4$F$N%M%C%H%o!<%/$KBP$7$F�(B TRACEROUTE �$B$,2DG=�(B</B><DD><P>�$B$3$l$b$^$?!"860xJ,@O$KLr$KN)$A$^$9!#�(B
<P>
<P>
<DT><B>DNS �$B$X$N%"%/%;%9$,2DG=�(B</B><DD><P>ping �$B$H�(B DNS �$B$r$h$j;H$$$d$9$/$9$k$?$a$G$9!#�(B
</DL>
<P>
<P>
<P>DMZ �$BFb�(B:
<P>
<P>
<P>�$B%a!<%k%5!<%P�(B
<UL>
<LI> �$B30It%M%C%H%o!<%/$X$N�(B SMTP �$B$,2DG=�(B</LI>
<LI> �$BFbIt$H30It%M%C%H%o!<%/$+$i$N�(B SMTP �$B$N%"%/%;%W%H�(B(�$B<u$1F~$l�(B)�$B$,2DG=�(B</LI>
<LI> �$BFbIt%M%C%H%o!<%/$+$i$N�(B POP-3 �$B$N%"%/%;%W%H$,2DG=�(B</LI>
</UL>
<P>
<P>
<P>�$B%M!<%`%5!<%P�(B
<UL>
<LI> �$B30It%M%C%H%o!<%/$X$N�(B DNS �$B$NMW5a$,2DG=�(B</LI>
<LI> �$BFbIt$H30It%M%C%H%o!<%/!"%Q%1%C%H%U%#%k%?!<%^%7%s$+$i$N�(B DNS �$B$N�(B
�$B%"%/%;%W%H$,2DG=�(B</LI>
</UL>
<P>
<P>
<P>�$B%&%'%V%5!<%P�(B
<UL>
<LI> �$BFbIt$H30It%M%C%H%o!<%/$+$i$N�(B HTTP �$B$N%"%/%;%W%H$,2DG=�(B</LI>
<LI> �$BFbIt%M%C%H%o!<%/$+$i$N�(B Rsync �$B$K$h$k%"%/%;%9$,2DG=�(B</LI>
</UL>
<P>
<P>
<P> �$BFbIt%M%C%H%o!<%/�(B:
<P>
<P>
<DL>
<DT><B>�$B30It%M%C%H%o!<%/$X$N�(B WWW, ftp ,traceroute, ssh �$B$r5v2D$9$k�(B</B><DD><P>�$B$3$l$i$O!"5v2D$NBP>]$H$7$F$O$+$J$jI8=`E*$J$3$H$G$9!#FbIt%M%C�(B
�$B%H%o!<%/>e$N%^%7%s$KBP$7$F$[$\A4$F$r5v2D$9$k$3$H$+$i;O$a$^$9�(B
�$B$,!"$3$3$G$O@)8B$r$+$1$F$$$^$9!#�(B
<P>
<P>
<DT><B>�$B%a!<%k%5!<%P$X$N�(B SMTP �$B$r5v2D$9$k�(B </B><DD><P>�$BEvA3!"%a!<%k$O30It$XAw?.$G$-$k$h$&$K$7$?$$$G$9!#�(B
<P>
<P>
<DT><B> �$B%a!<%k%5!<%P$X$N�(B POP-3 �$B$r5v2D$9$k�(B </B><DD><P>�$B%a!<%k$rFI$`J}K!$G$9!#�(B
<P>
<P>
<DT><B> �$B%M!<%`%5!<%P$X$N�(B DNS �$B$r5v2D$9$k�(B </B><DD><P>WWW �$B$H�(B ftp, traceroute, ssh �$B$rMxMQ$9$k:]$K!"30It%M!<%`$N8!:w�(B
�$B$r$9$k$N$KI,MW$G$9!#�(B
<P>
<P>
<DT><B> �$B%&%'%V%5!<%P$X$N�(B rsync �$B$r5v2D$9$k�(B </B><DD><P>�$B30It8~$1%&%'%V%5!<%P$HFbIt%&%'%V%5!<%P$rF14|$5$;$kJ}K!$G$9!#�(B
<P>
<DT><B> �$B%&%'%V%5!<%P$X$N�(B WWW �$B$r5v2D$9$k�(B </B><DD><P>�$BEvA3!"30It8~$1%&%'%V%5!<%P$X@\B3$G$-$k$Y$-$G$9!#�(B
<P>
<P>
<DT><B> �$B%Q%1%C%H%U%#%k%?!<%^%7%s$X$N�(B ping �$B$r5v2D$9$k�(B </B><DD><P>�$B$3$l$O!"0lHLE*$K9-$/MFG'$5$l$F$$$k$3$H$G$9!#$D$^$j%U%!%$%"�(B
�$B%&%)!<%k%^%7%s$,%@%&%s$7$F$$$k$+$I$&$+$r!"3NG'$G$-$k$h$&$K�(B
�$B$9$k$?$a$G$9�(B(�$B$=$l$G30It%5%$%H$,2u$l$F$$$?>l9g$O!"HsFq$5$l$^�(B
�$B$;$s$N$G�(B)�$B!#�(B
</DL>
<P>
<P>
<H2><A NAME="ss7.3">7.3 �$B%Q%1%C%H%U%#%k%?%j%s%0$r9T$&A0$K�(B</A>
</H2>
<P>
<UL>
<LI> IP �$B56AuJ]8n�(B (Anti-spoofing)
<P>�$B$$$+$J$kHsBP>N$N%k!<%F%#%s%0$b;}$C$F$$$J$$$N$G!"A4$F$N%$%s%?!<�(B
�$B%U%'!<%9$KBP$7$F�(B IP �$B56AuJ]8n$rC1$K%*%s$G$-$^$9!#�(B
<BLOCKQUOTE><CODE>
<PRE>
# for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $f; done
#
</PRE>
</CODE></BLOCKQUOTE>
<P>
<P>
</LI>
<LI> �$B%U%#%k%?%j%s%0$N%k!<%k$H$7$FA4$F$r5qH]$K$9$k�(B
<P>�$B:#$^$GDL$j%m!<%+%k$N%k!<%W%P%C%/%H%i%U%#%C%/$O5v2D$7$^$9$,!"$=$l0J30�(B
�$B$NA4$F$r5qH]$7$^$9!#�(B
<P>
<BLOCKQUOTE><CODE>
<PRE>
# ipchains -A input -i ! lo -j DENY
# ipchains -A output -i ! lo -j DENY
# ipchains -A forward -j DENY
#
</PRE>
</CODE></BLOCKQUOTE>
<P>
<P>
</LI>
<LI> �$B%$%s%?!<%U%'!<%9$N%;%C%H%"%C%W�(B
<P>�$B%$%s%?!<%U%'!<%9$N%;%C%H%"%C%W$O!"BgDq%V!<%H;~$N%9%/%j%W%H�(B
�$B$G<B9T$5$l$^$9!#%U%#%k%?%j%s%0$N%k!<%k$,E,MQ$5$l$kA0$K%Q%1%C%H�(B
�$B$,O3$l$@$9$3$H$rKI$00Y$K!"%$%s%?!<%U%'!<%9$,@_Dj$5$l$kA0$K>e5-�(B
�$B$N%9%F%C%W$,<B9T$5$l$F$$$k$3$H$r3NG'$7$F2<$5$$!#�(B
<P>
<P>
</LI>
<LI> �$B%W%m%H%3%kJL$K%^%9%+%l!<%I%b%8%e!<%k$rAH$_9~$`�(B
<P>FTP �$B$rMxMQ$9$k:]$K$O!"%^%9%+%l!<%I%b%8%e!<%k$rAH$_9~$`I,MW$,$"�(B
�$B$j$^$9!#$=$&$9$k$3$H$G!"FbIt%M%C%H%o!<%/$+$i$N%"%/%F%#%V$H%Q%C�(B
�$B%7%V�(B FTP �$B$,�(B `�$B$A$c$s$HF0:n$7$^$9�(B'�$B!#�(B
<P>
<BLOCKQUOTE><CODE>
<PRE>
# insmod ip_masq_ftp
#
</PRE>
</CODE></BLOCKQUOTE>
</LI>
</UL>
<P>
<P>
<H2><A NAME="ss7.4">7.4 �$B%Q%1%C%H$rDL2a$5$;$k$?$a$N%Q%1%C%H%U%#%k%?%j%s%0�(B</A>
</H2>
<P>�$B%^%9%+%l!<%I$r;HMQ$7$F!"�(Bforward �$B%A%'%$%s$G%U%#%k%?!<$r$+$1$k$3$H$O�(B
�$B:GNI$NJ}K!$G$9!#�(B
<P>forward �$B%A%'%$%s$r%=!<%9!?$"$F@h�(B �$B%$%s%?!<%U%'!<%9$K9g$o$;$FMM!9$J%f�(B
�$B!<%6Dj5A%A%'%$%s$KJ,3d$7$F2<$5$$!#$D$^$j!"LdBj$r<h07$$$d$9$$C10L�(B
�$B$KJ,2r$9$k$N$G$9!#�(B
<BLOCKQUOTE><CODE>
<PRE>
ipchains -N good-dmz
ipchains -N bad-dmz
ipchains -N good-bad
ipchains -N dmz-good
ipchains -N dmz-bad
ipchains -N bad-good
</PRE>
</CODE></BLOCKQUOTE>
<P>
<P>ICMP �$B$NI8=`%(%i!<$r%"%/%;%W%H$9$k$3$H$O!"6&DL$NFbMF$G$9!#$7$?$,$C$F!"�(B
�$B$=$N$?$a$N%A%'%$%s$r:n$j$^$9!#�(B
<BLOCKQUOTE><CODE>
<PRE>
ipchains -N icmp-acc
</PRE>
</CODE></BLOCKQUOTE>
<P>
<P>
<H3>forward �$B%A%'%$%s$+$i%8%c%s%W$5$;$k�(B</H3>
<P>�$B;DG0$J$3$H$K!"�(B(forward �$B%A%'%$%s$G$O�(B)�$B=PNO%$%s%?!<%U%'!<%9$7$+J,$+$j�(B
�$B$^$;$s!#$7$?$,$C$F!"%Q%1%C%H$,$I$N%$%s%?!<%U%'!<%9$+$iF~$C$F$/$k$+�(B
�$B$r8+H4$/$?$a$K!"%=!<%9%"%I%l%9$r;HMQ$7$^$9�(B(�$B56AuJ]8n$,%"%I%l%9$N$J�(B
�$B$j$9$^$7$rKI$$$G$$$k$N$GBg>fIW$G$9�(B)�$B!#�(B
<P>
<P>
<P>�$B$3$l$i$N$$$:$l$K$b%^%C%A$7$J$$%Q%1%C%H�(B(�$BL@$i$+$K!"$=$N$h$&$J$3$H$O5/�(B
�$B$3$i$J$$$O$:$G$9$,�(B)�$B$OA4$F%m%0$r<h$k$3$H$KCm0U$7$F2<$5$$!#�(B
<BLOCKQUOTE><CODE>
<PRE>
ipchains -A forward -s 192.168.1.0/24 -i eth0 -j good-dmz
ipchains -A forward -s 192.168.1.0/24 -i ppp0 -j good-bad
ipchains -A forward -s 192.84.219.0/24 -i ppp0 -j dmz-bad
ipchains -A forward -s 192.84.219.0/24 -i eth1 -j dmz-good
ipchains -A forward -i eth0 -j bad-dmz
ipchains -A forward -i eth1 -j bad-good
ipchains -A forward -j DENY -l
</PRE>
</CODE></BLOCKQUOTE>
<P>
<P>
<H3>icmp-acc �$B%A%'%$%s$rDj5A$9$k�(B</H3>
<P>�$B%Q%1%C%H$,�(B(�$B0J2<$N�(B)�$B%(%i!<�(B ICMP �$B$N$$$:$l$+$J$i%"%/%;%W%H$5$l$^$9!#�(B
�$B$5$b$J$1$l$P!"%^%C%A$7$J$+$C$?%Q%1%C%H$KBP$9$k@)8f$O�(B icmp-acc �$B%A%'%$%s�(B
�$B$+$iH4$1$F!"8F=P$785$N%A%'%$%s$KLa$5$l$k$3$H$K$J$j$^$9!#�(B
<P>
<BLOCKQUOTE><CODE>
<PRE>
ipchains -A icmp-acc -p icmp --icmp-type destination-unreachable -j ACCEPT
ipchains -A icmp-acc -p icmp --icmp-type source-quench -j ACCEPT
ipchains -A icmp-acc -p icmp --icmp-type time-exceeded -j ACCEPT
ipchains -A icmp-acc -p icmp --icmp-type parameter-problem -j ACCEPT
</PRE>
</CODE></BLOCKQUOTE>
<P>
<P>
<H3>GOOD (�$BFbIt%M%C%H%o!<%/�(B) �$B$+$i�(B DMZ (�$B%5!<%P%M%C%H%o!<%/�(B)</H3>
<P>�$BFbIt%M%C%H%o!<%/$KBP$9$k@)8B�(B :
<UL>
<LI> �$B30It%M%C%H%o!<%/$X$N�(B WWW, ftp, traceroute, ssh �$B$r5v2D$9$k�(B</LI>
<LI> <B>�$B%a!<%k%5!<%P$X$N�(B SMTP �$B$r5v2D$9$k�(B</B></LI>
<LI> <B>�$B%a!<%k%5!<%P$X$N�(B POP-3 �$B$r5v2D$9$k�(B</B></LI>
<LI> <B>�$B%M!<%`%5!<%P$X$N�(B DNS �$B$r5v2D$9$k�(B</B></LI>
<LI> <B>�$B%&%'%V%5!<%P$X$N�(B rsync �$B$r5v2D$9$k�(B</B></LI>
<LI> <B>�$B%&%'%V%5!<%P$X$N�(B WWW �$B$r5v2D$9$k�(B</B></LI>
<LI> �$B%Q%1%C%H%U%#%k%?!<%^%7%s$X$N�(B ping �$B$r5v2D$9$k�(B</LI>
</UL>
<P>
<P>�$BFbIt%M%C%H%o!<%/$+$i�(B DMZ �$B$N:]$K%^%9%+%l!<%I$O$G$-$^$9$,!"$3$3$G$O9T�(B
�$B$$$^$;$s!#FbIt%M%C%H%o!<%/>e$N$I$N%^%7%s$b0-0U$N$"$k$3$H$r$7$J$$$O�(B
�$B$:$J$N$G!"5qH]$5$l$kA4$F$N%Q%1%C%H$N%m%0$r<h$j$^$9!#�(B
<P>
<P>
<P>Debian �$B$N8E$$%P!<%8%g%s$G$O!"�(B/etc/services �$B>e$N�(B `pop3' �$B$r�(B`pop-3' �$B$H�(B
�$B8F$V$N$GCm0U$7$F2<$5$$!#$3$N$3$H$O�(B RFC1700 �$B$H0lCW$7$F$$$^$;$s!#�(B
<BLOCKQUOTE><CODE>
<PRE>
ipchains -A good-dmz -p tcp -d 192.84.219.128 smtp -j ACCEPT
ipchains -A good-dmz -p tcp -d 192.84.219.128 pop3 -j ACCEPT
ipchains -A good-dmz -p udp -d 192.84.219.129 domain -j ACCEPT
ipchains -A good-dmz -p tcp -d 192.84.219.129 domain -j ACCEPT
ipchains -A good-dmz -p tcp -d 192.84.218.130 www -j ACCEPT
ipchains -A good-dmz -p tcp -d 192.84.218.130 rsync -j ACCEPT
ipchains -A good-dmz -p icmp -j icmp-acc
ipchains -A good-dmz -j DENY -l
</PRE>
</CODE></BLOCKQUOTE>
<P>
<P>
<H3>BAD (�$B30It%M%C%H%o!<%/�(B)�$B$+$i�(B DMZ (�$B%5!<%P%M%C%H%o!<%/�(B)</H3>
<P>
<UL>
<LI> DMZ �$B$KBP$9$k@)8B�(B:
<UL>
<LI> �$B%a!<%k%5!<%P�(B
<UL>
<LI> <B>�$B30It%M%C%H%o!<%/$X$N�(B SMTP �$B$,2DG=�(B</B></LI>
<LI> �$BFbIt$H�(B<B>�$B30It%M%C%H%o!<%/$+$i$N�(B SMTP �$B$N%"%/%;%W%H$,2DG=�(B</B></LI>
<LI> �$BFbIt%M%C%H%o!<%/$+$i$N�(B POP-3 �$B$N%"%/%;%W%H$,2DG=�(B</LI>
</UL>
</LI>
<LI> �$B%M!<%`%5!<%P�(B
<UL>
<LI> <B>�$B30It%M%C%H%o!<%/$X$N�(B DNS �$B$NMW5a$,2DG=�(B</B></LI>
<LI> �$BFbIt$H�(B<B>�$B30It%M%C%H%o!<%/�(B</B>�$B!"%Q%1%C%H%U%#%k%?!<%^%7%s�(B<B>�$B$+$i�(B
�$B$N�(B DNS �$B$N%"%/%;%W%H$,2DG=�(B</B></LI>
</UL>
</LI>
<LI> �$B%&%'%V%5!<%P�(B
<UL>
<LI> �$BFbIt$H�(B<B>�$B30It%M%C%H%o!<%/$+$i$N�(B HTTP �$B$N%"%/%;%W%H$,2DG=�(B</B></LI>
<LI> �$BFbIt%M%C%H%o!<%/$+$i$N�(B Rsync �$B$N%"%/%;%W%H$,2DG=�(B</LI>
</UL>
</LI>
</UL>
</LI>
<LI> �$B30It%M%C%H%o!<%/$+$i�(B DMZ �$B$X5v2D$9$k$3$H�(B
<UL>
<LI> �$B?/329T0Y$K$D$$$F$O!"%m%0$O$H$i$:$=$N$^$^$K$9$k�(B</LI>
</UL>
<BLOCKQUOTE><CODE>
<PRE>
ipchains -A bad-dmz -p tcp -d 192.84.219.128 smtp -j ACCEPT
ipchains -A bad-dmz -p udp -d 192.84.219.129 domain -j ACCEPT
ipchains -A bad-dmz -p tcp -d 192.84.219.129 domain -j ACCEPT
ipchains -A bad-dmz -p tcp -d 192.84.218.130 www -j ACCEPT
ipchains -A bad-dmz -p icmp -j icmp-acc
ipchains -A bad-dmz -j DENY
</PRE>
</CODE></BLOCKQUOTE>
</LI>
</UL>
<P>
<P>
<H3>GOOD (�$BFbIt%M%C%H%o!<%/�(B)�$B$+$i�(B BAD (�$B30It%M%C%H%o!<%/�(B) </H3>
<P>
<UL>
<LI> �$BFbIt%M%C%H%o!<%/$KBP$9$k@)8B�(B:
<UL>
<LI> <B>�$B30It%M%C%H%o!<%/$X$N�(B WWW, ftp ,traceroute, ssh �$B$r5v2D$9$k�(B</B></LI>
<LI> �$B%a!<%k%5!<%P$X$N�(B SMTP �$B$r5v2D$9$k�(B</LI>
<LI> �$B%a!<%k%5!<%P$X$N�(B POP-3 �$B$r5v2D$9$k�(B</LI>
<LI> �$B%M!<%`%5!<%P$X$N�(B DNS �$B$r5v2D$9$k�(B</LI>
<LI> �$B%&%'%V%5!<%P$X$N�(B rsync �$B$r5v2D$9$k�(B</LI>
<LI> �$B%&%'%V%5!<%P$X$N�(B WWW �$B$r5v2D$9$k�(B</LI>
<LI> �$B%Q%1%C%H%U%#%k%?!<%^%7%s$X$N�(B ping �$B$r5v2D$9$k�(B</LI>
</UL>
</LI>
<LI> �$B0lHL$K!"FbIt%M%C%H%o!<%/$+$i30It%M%C%H%o!<%/$KBP$7$F$O!"�(B
�$BA4$F$r5v2D$7!"$=$l$+$i@)8B$r2C$($^$9!#2f!9$O!"%U%!%7%9%H$J$N$G$9!#�(B
<UL>
<LI> �$B?/329T0Y$N%m%0$r<h$k�(B</LI>
<LI> �$B%Q%C%7%V�(B FTP �$B$O!"%^%9%+%l!<%I%b%8%e!<%k$G=hM}$9$k�(B</LI>
<LI> UDP �$B$N�(B �$B$"$F@h%]!<%H�(B 33434 �$B0J9_�(B �$B$O�(B traceroute �$B$G;HMQ$5$l$k�(B</LI>
</UL>
<BLOCKQUOTE><CODE>
<PRE>
ipchains -A good-bad -p tcp --dport www -j MASQ
ipchains -A good-bad -p tcp --dport ssh -j MASQ
ipchains -A good-bad -p udp --dport 33434:33500 -j MASQ
ipchains -A good-bad -p tcp --dport ftp -j MASQ
ipchains -A good-bad -p icmp --icmp-type ping -j MASQ
ipchains -A good-bad -j REJECT -l
</PRE>
</CODE></BLOCKQUOTE>
</LI>
</UL>
<P>
<P>
<H3>DMZ �$B$+$i�(B GOOD (�$BFbIt%M%C%H%o!<%/�(B) </H3>
<P>
<UL>
<LI> �$BFbIt%M%C%H%o!<%/$KBP$9$k@)8B�(B:
<UL>
<LI> �$B30It%M%C%H%o!<%/$X$N�(B WWW, ftp ,traceroute, ssh �$B$r5v2D$9$k�(B</LI>
<LI> <B>�$B%a!<%k%5!<%P$X$N�(B SMTP �$B$r5v2D$9$k�(B</B></LI>
<LI> <B>�$B%a!<%k%5!<%P$X$N�(B POP-3 �$B$r5v2D$9$k�(B</B></LI>
<LI> <B>�$B%M!<%`%5!<%P$X$N�(B DNS �$B$r5v2D$9$k�(B</B></LI>
<LI> <B>�$B%&%'%V%5!<%P$X$N�(B rsync �$B$r5v2D$9$k�(B</B></LI>
<LI> <B>�$B%&%'%V%5!<%P$X$N�(B WWW �$B$r5v2D$9$k�(B</B></LI>
<LI> �$B%Q%1%C%H%U%#%k%?!<%^%7%s$X$N�(B ping �$B$r5v2D$9$k�(B</LI>
</UL>
</LI>
<LI> �$BFbIt%M%C%H%o!<%/$+$i�(B DMZ �$B$N:]$K%^%9%+%l!<%I$9$k>l9g!"C1$K$=$l0J�(B
�$B30$N%Q%1%C%H$r5qH]$7$F2<$5$$!#<B$N$H$3$m!"C1$K%3%M%/%7%g%s$,�(B
�$B3NN)$5$l$?0lIt$N%Q%1%C%H$N$_5v2D$9$k$@$1$G$9!#�(B
<BLOCKQUOTE><CODE>
<PRE>
ipchains -A dmz-good -p tcp ! -y -s 192.84.219.128 smtp -j ACCEPT
ipchains -A dmz-good -p udp -s 192.84.219.129 domain -j ACCEPT
ipchains -A dmz-good -p tcp ! -y -s 192.84.219.129 domain -j ACCEPT
ipchains -A dmz-good -p tcp ! -y -s 192.84.218.130 www -j ACCEPT
ipchains -A dmz-good -p tcp ! -y -s 192.84.218.130 rsync -j ACCEPT
ipchains -A dmz-good -p icmp -j icmp-acc
ipchains -A dmz-good -j DENY -l
</PRE>
</CODE></BLOCKQUOTE>
</LI>
</UL>
<P>
<P>
<H3>DMZ �$B$+$i�(B BAD (�$B30It%M%C%H%o!<%/�(B) </H3>
<P>
<UL>
<LI> DMZ �$B$KBP$9$k@)8B�(B:
<UL>
<LI> �$B%a!<%k%5!<%P�(B
<UL>
<LI> <B>�$B30It%M%C%H%o!<%/$X$N�(B SMTP �$B$,2DG=�(B</B></LI>
<LI> �$BFbIt$H�(B<B>�$B30It%M%C%H%o!<%/$+$i$N�(B SMTP �$B$N%"%/%;%W%H$,2DG=�(B</B></LI>
<LI> �$B30It%M%C%H%o!<%/$+$i$N�(B POP-3 �$B$N%"%/%;%W%H$,2DG=�(B</LI>
</UL>
</LI>
<LI> �$B%M!<%`%5!<%P�(B
<UL>
<LI> <B>�$B30It%M%C%H%o!<%/$X$N�(B DNS �$B$NAw?.$,2DG=�(B</B></LI>
<LI> �$BFbIt$H�(B<B>�$B30It%M%C%H%o!<%/�(B</B>�$B!"%Q%1%C%H%U%#%k%?!<%^%7%s�(B<B>�$B$+$i�(B
�$B$N�(B DNS �$B$N%"%/%;%W%H$,2DG=�(B</B></LI>
</UL>
</LI>
<LI> �$B%&%'%V%5!<%P�(B
<UL>
<LI> �$BFbIt$H�(B<B>�$B30It%M%C%H%o!<%/$+$i$N�(B HTTP �$B$N%"%/%;%W%H$,2DG=�(B</B></LI>
<LI> �$BFbIt%M%C%H%o!<%/$+$i$N�(B Rsync �$B$N%"%/%;%W%H$,2DG=�(B</LI>
</UL>
</LI>
</UL>
</LI>
<LI>
<BLOCKQUOTE><CODE>
<PRE>
ipchains -A dmz-bad -p tcp -s 192.84.219.128 smtp -j ACCEPT
ipchains -A dmz-bad -p udp -s 192.84.219.129 domain -j ACCEPT
ipchains -A dmz-bad -p tcp -s 192.84.219.129 domain -j ACCEPT
ipchains -A dmz-bad -p tcp ! -y -s 192.84.218.130 www -j ACCEPT
ipchains -A dmz-bad -p icmp -j icmp-acc
ipchains -A dmz-bad -j DENY -l
</PRE>
</CODE></BLOCKQUOTE>
</LI>
</UL>
<P>
<P>
<H3>BAD (�$B30It%M%C%H%o!<%/�(B)�$B$+$i�(B GOOD (�$BFbIt%M%C%H%o!<%/�(B) </H3>
<P>
<UL>
<LI> �$B30It%M%C%H%o!<%/$+$iFbIt%M%C%H%o!<%/$XF~$C$FMh$k$b$NA4$F�(B(�$B%^%9%+�(B
�$B%l!<%I$5$l$F$$$J$$$b$N�(B)�$B$r5v2D$7$^$;$s!#�(B
<BLOCKQUOTE><CODE>
<PRE>
ipchains -A bad-good -j REJECT
</PRE>
</CODE></BLOCKQUOTE>
</LI>
</UL>
<P>
<P>
<H3>Linux �$B%^%7%s<+?H$KBP$9$k%Q%1%C%H%U%#%k%?%j%s%0�(B</H3>
<P>
<UL>
<LI> �$B%Q%1%C%H%U%#%k%?!<%^%7%s<+?H$KF~$C$FMh$k%Q%1%C%C%H$K$b!"%Q%1%C�(B
�$B%H%U%#%k%?%j%s%0$r9T$$$?$$$J$i!"�(Binput �$B%A%'%$%s$G%Q%1%C%H%U%#%k�(B
�$B%?%j%s%0$r9T$&I,MW$,$"$j$^$9!#$"$F@h%$%s%?!<%U%'!<%9Kh$K!"0l$D�(B
�$B%A%'%$%s$r:n$j$^$9!#�(B
<BLOCKQUOTE><CODE>
<PRE>
ipchains -N bad-if
ipchains -N dmz-if
ipchains -N good-if
</PRE>
</CODE></BLOCKQUOTE>
</LI>
<LI> �$B:n$C$?%A%'%$%s$K%8%c%s%W$5$;$^$9!#�(B
<BLOCKQUOTE><CODE>
<PRE>
ipchains -A input -d 192.84.219.1 -j bad-if
ipchains -A input -d 192.84.219.250 -j dmz-if
ipchains -A input -d 192.168.1.250 -j good-if
</PRE>
</CODE></BLOCKQUOTE>
</LI>
</UL>
<P>
<P>
<H3>BAD (�$B30It%M%C%H%o!<%/�(B) �$B%$%s%?!<%U%'!<%9�(B</H3>
<P>
<UL>
<LI> �$B%Q%1%C%H%U%#%k%?!<%^%7%s�(B:
<UL>
<LI> <B>�$BA4$F$N%M%C%H%o!<%/$KBP$7$F�(B PING �$B$,2DG=�(B</B></LI>
<LI> <B>�$BA4$F$N%M%C%H%o!<%/$KBP$7$F�(B TRACEROUTE �$B$,2DG=�(B</B></LI>
<LI> DNS �$B$X$N%"%/%;%9$,2DG=�(B</LI>
</UL>
</LI>
<LI> �$B$^$?30It%M%C%H%o!<%/MQ$N%$%s%?!<%U%'!<%9$O!"%^%9%+%l!<%I$5$l$?�(B
�$B%Q%1%C%H�(B(�$B%^%9%+%l!<%I$O!"%=!<%9%]!<%H$H$7$F�(B 61000 �$B$+$i�(B 65095 �$B$r�(B
�$B;HMQ$7$^$9�(B)�$B$X$N%j%W%i%$$H�(B ICMP �$B%(%i!<!"�(BPING �$B$N%j%W%i%$$b<u$1F~�(B
�$B$l$^$9!#�(B
<BLOCKQUOTE><CODE>
<PRE>
ipchains -A bad-if -i ! ppp0 -j DENY -l
ipchains -A bad-if -p TCP --dport 61000:65095 -j ACCEPT
ipchains -A bad-if -p UDP --dport 61000:65095 -j ACCEPT
ipchains -A bad-if -p ICMP --icmp-type pong -j ACCEPT
ipchains -A bad-if -j icmp-acc
ipchains -A bad-if -j DENY
</PRE>
</CODE></BLOCKQUOTE>
</LI>
</UL>
<P>
<P>
<H3>DMZ �$B%$%s%?%U%'!<%9�(B</H3>
<P>
<UL>
<LI> �$B%Q%1%C%H%U%#%k%?!<%^%7%s$KBP$9$k@)8B�(B:
<UL>
<LI> <B>�$BA4$F$N%M%C%H%o!<%/$KBP$7$F�(B PING �$B$,2DG=�(B</B></LI>
<LI> <B>�$BA4$F$N%M%C%H%o!<%/$KBP$7$F�(B TRACEROUTE �$B$,2DG=�(B</B></LI>
<LI> <B>DNS �$B$X$N%"%/%;%9$,2DG=�(B</B></LI>
</UL>
</LI>
<LI>DMZ �$B%$%s%?!<%U%'!<%9$O!"�(BDNS �$B$+$i$N%j%W%i%$$H�(B ping �$B$N%j%W%i%$!"�(B
�$B%(%i!<�(B ICMP �$B$r<u$1F~$l$^$9!#�(B
<BLOCKQUOTE><CODE>
<PRE>
ipchains -A dmz-if -i ! eth0 -j DENY
ipchains -A dmz-if -p TCP ! -y -s 192.84.219.129 53 -j ACCEPT
ipchains -A dmz-if -p UDP -s 192.84.219.129 53 -j ACCEPT
ipchains -A dmz-if -p ICMP --icmp-type pong -j ACCEPT
ipchains -A dmz-if -j icmp-acc
ipchains -A dmz-if -j DENY -l
</PRE>
</CODE></BLOCKQUOTE>
</LI>
</UL>
<P>
<P>
<H3>GOOD (�$BFbIt%M%C%H%o!<%/�(B)�$B%$%s%?!<%U%'!<%9�(B</H3>
<P>
<UL>
<LI> �$B%Q%1%C%H%U%#%k%?!<%^%7%s$KBP$9$k@)8B�(B:
<UL>
<LI> <B>�$BA4$F$N%M%C%H%o!<%/$KBP$7$F�(B PING �$B$,2DG=�(B</B></LI>
<LI> <B>�$BA4$F$N%M%C%H%o!<%/$KBP$7$F�(B TRACEROUTE �$B$,2DG=�(B</B></LI>
<LI> <B>DNS �$B$X$N%"%/%;%9$,2DG=�(B</B></LI>
</UL>
</LI>
<LI>�$BFbIt%M%C%H%o!<%/$KBP$9$k@)8B�(B:
<UL>
<LI> �$B30It%M%C%H%o!<%/$X$N�(B WWW, ftp ,traceroute, ssh �$B$r5v2D$9$k�(B</LI>
<LI> �$B%a!<%k%5!<%P$X$N�(B SMTP �$B$r5v2D$9$k�(B</LI>
<LI> �$B%a!<%k%5!<%P$X$N�(B POP-3 �$B$r5v2D$9$k�(B</LI>
<LI> �$B%M!<%`%5!<%P$X$N�(B DNS �$B$r5v2D$9$k�(B</LI>
<LI> �$B%&%'%V%5!<%P$X$N�(B rsync �$B$r5v2D$9$k�(B</LI>
<LI> �$B%&%'%V%5!<%P$X$N�(B WWW �$B$r5v2D$9$k�(B</LI>
<LI> <B>�$B%Q%1%C%H%U%#%k%?!<%^%7%s$X$N�(B ping �$B$r5v2D$9$k�(B</B></LI>
</UL>
</LI>
<LI>�$BFbIt%M%C%H%o!<%/%$%s%?!<%U%'!<%9$O!"�(Bping �$B$H�(B ping �$B$N%j%W%i%$!"�(B
�$B%(%i!<�(B ICMP �$B$r<u$1F~$l$^$9!#�(B
<BLOCKQUOTE><CODE>
<PRE>
ipchains -A good-if -i ! eth1 -j DENY
ipchains -A good-if -p ICMP --icmp-type ping -j ACCEPT
ipchains -A good-if -p ICMP --icmp-type pong -j ACCEPT
ipchains -A good-if -j icmp-acc
ipchains -A good-if -j DENY -l
</PRE>
</CODE></BLOCKQUOTE>
</LI>
</UL>
<P>
<P>
<H2><A NAME="ss7.5">7.5 �$B:G8e$K�(B</A>
</H2>
<P>
<UL>
<LI>�$B%V%m%C%-%s%0$N%k!<%k$r:o=|$7$^$9!#�(B
<BLOCKQUOTE><CODE>
<PRE>
ipchains -D input 1
ipchains -D forward 1
ipchains -D output 1
</PRE>
</CODE></BLOCKQUOTE>
</LI>
</UL>
<P>
<P>
<P>
<HR>
<A HREF="IPCHAINS-HOWTO-8.html">�$B<!$N%Z!<%8�(B</A>
<A HREF="IPCHAINS-HOWTO-6.html">�$BA0$N%Z!<%8�(B</A>
<A HREF="IPCHAINS-HOWTO.html#toc7">�$BL\<!$X�(B</A>
</BODY>
</HTML>
