
ipchains mini HOWTO

܂Ђ

negi@KU3G.org

1999/02/05



Table of Contents
1. Introduction
2. Basics
3. How to use ipchains
4. Creating and applying chains
5. A practical example
6. Configuring IP Masquerade

1. Introduction

ipchains is the firewall configuration tool adopted in the new kernel. Because
its operation differs somewhat from ipfwadm, which has been used until now,
many people will probably find it confusing at first. That is why I wrote this
mini HOWTO.

It is written for readers who have already used ipfwadm.

This document is a slightly revised version of the article the author posted
to fj.os.linux and the KU3G ML on 30 Jan, 1999
(Message-Id: <m2iudp8qlw.fsf@clotho.KU3G.org>). It may be redistributed
freely as long as it is not modified.


2. Basics

The new kernel configures the firewall using a mechanism called chains. A
chain is just what the name says: a chain, that is, a list of filtering rules.
Picture a chain whose individual links are rules, joined one after another.

The kernel tests this chain from the head, link by link, in order.

The kernel has three chains to begin with: input, output and forward. They
correspond to -I, -O and -F in ipfwadm.

input
    The chain checked when a packet comes in.

output
    The chain checked when a packet goes out.

forward
    The chain checked when a received packet is passed on elsewhere
    (that is, routed).

By default, no chain contains any rules, and the default rule of every chain
is ACCEPT. This default rule is called the policy, and it is set with -P.


3. How to use ipchains

Now let's try ipchains. With ipchains you can append (-A) rules to a chain and
delete (-D) them, and you can list (-L) the rules of a chain.

Example 1.
  ipchains -A input -s 192.168.0.0/24 -j DENY
                    ~~~~~~~~~~~~~~~~~~~~~~~~~

This appends the rule "DENY packets whose source address is 192.168.0.0/24"
to the input chain (the underlined part is the rule).

The switches that can be used in a rule include the following.

 ・ -s specifies the source address.

 ・ -d specifies the destination address.

 ・ -p specifies the protocol.

    tcp, udp or icmp can be given. See the man page for details.

 ・ -j specifies the target.

    DENY, REJECT or ACCEPT can be given. A chain can also be specified
    (described later). See the man page for details.

 ・ -i specifies the interface.

    eth0, ppp0 and so on can be given. An interface that is not up can
    also be specified; ppp0 can be given as the interface even while the
    connection is not yet established.
   

Example 2.
  ipchains -n -L input

This lists the rules in the input chain. -n means that IP addresses are shown
numerically. The rule we added is shown like this:

  Chain input (policy ACCEPT):
  target     prot opt     source                destination           ports
  DENY       all  ------  192.168.0.0/24        0.0.0.0/0             n/a

As you can see, this chain has only one link so far, but you can keep
appending links with -A.
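The listing above is the only view the HOWTO gives of the rules the kernel is actually using, so it is worth being able to read it mechanically. The script below is an added example, not part of the original HOWTO: `summarize_chains` parses `ipchains -n -L` output read from stdin into one line per chain (name, policy, rule count) and points out any built-in chain whose policy is still the ACCEPT default described in section 2, since with that policy every packet no rule denies gets through. The sample listing is constructed: its input chain is the Example 2 output above, the output and forward chains (and the MASQ rule, taken from Example 10) were added here for illustration; `summarize_chains` and `audit_sample` are this example's own names.

```shell
#!/bin/sh
# Added example (not from the HOWTO): summarize `ipchains -n -L` output.

# summarize_chains: read an ipchains listing on stdin, print per chain
#   <chain> policy=<policy> rules=<count>
# and flag a built-in chain that still has the default ACCEPT policy.
summarize_chains() {
    awk '
        function flush() {
            if (chain == "") return
            line = chain " policy=" policy " rules=" rules
            if (policy == "ACCEPT" && (chain == "input" || chain == "output" || chain == "forward"))
                line = line " (default policy: anything no rule denies is accepted)"
            print line
        }
        # "Chain input (policy ACCEPT):" starts a new chain; user-defined
        # chains have no "(policy ...)" part and are reported as "-".
        /^Chain / {
            flush()
            chain = $2
            policy = "-"
            rules = 0
            if (match($0, /\(policy [A-Z]+\)/))
                policy = substr($0, RSTART + 8, RLENGTH - 9)
            next
        }
        /^target +prot/ { next }   # column header line
        NF == 0 { next }           # blank separator between chains
        { rules++ }                # anything else is a rule
        END { flush() }
    '
}

# Constructed sample listing. The input chain is the HOWTO'"'"'s Example 2
# output; output/forward were added for this example.
SAMPLE_LISTING='Chain input (policy ACCEPT):
target     prot opt     source                destination           ports
DENY       all  ------  192.168.0.0/24        0.0.0.0/0             n/a

Chain output (policy ACCEPT):
target     prot opt     source                destination           ports

Chain forward (policy DENY):
target     prot opt     source                destination           ports
MASQ       all  ------  192.168.1.0/24        0.0.0.0/0             n/a
'

# audit_sample: run the summary over the constructed listing.
# On a live system you would use:  /sbin/ipchains -n -L | summarize_chains
audit_sample() {
    printf '%s\n' "$SAMPLE_LISTING" | summarize_chains
}

audit_sample
```

Run stand-alone it prints three lines; input and output are flagged because their policy is the ACCEPT default, forward is not because its policy was changed to DENY.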

Example 3.
  ipchains -D input 1

This deletes rule 1, the rule we added a moment ago, from the input chain.
-D can also be written like this:

Example 4.
  ipchains -D input -s 192.168.1.0/24 -j DENY

Only the -A of Example 1 has become -D. A rule you specified with -A can be
deleted by passing the same specification to -D.


4. Creating and applying chains

Besides input, output and forward, which exist from the start, you can freely
create chains of your own.

Example 5.
  ipchains -N ppp-in

This creates a chain named ppp-in.

Example 6.
  ipchains -A ppp-in -p tcp -s 0/0 -d 192.168.0.1 smtp -j DENY

This appends to the ppp-in chain a rule that says "DENY connections from
anywhere to the smtp port".

Here -p specifies the protocol (tcp), -s the source address (0/0 = everything)
and -j the target (DENY).

-d is the IP address of the local host, and smtp is the port name listed in
/etc/services. Ports can also be written as numbers.

Rules can be freely appended (-A) to, deleted (-D) from and listed (-L) in a
chain created this way.

As it stands, though, this chain has no effect. A chain becomes effective
when it is linked to another.

Example 7.
  ipchains -A input -i ppp0 -j ppp-in

This appends to the input chain a rule that says "if the interface the packet
came in on is ppp0, jump to the chain ppp-in".

Packets arriving on ppp0 have ppp-in specified as their target, so processing
moves to the ppp-in chain.

The ppp-in chain holds the rule set up in Example 6, so the packet is checked
against it. If it does not match, the packet leaves the ppp-in chain, returns
to the input chain it came from, and is checked against the next rule there.

So -j can name not only symbols such as DENY and REJECT but also a chain.

Example 8.
  ipchains -F ppp-in

This empties the ppp-in chain. Only the contents are removed; the chain itself
remains. To remove the chain, use -X.

Example 9.
  ipchains -X ppp-in

This deletes the ppp-in chain. It is possible only while the ppp-in chain is
empty: first empty it with -F, then delete it with -X.


5. A practical example

Let's set things up for the following situation: the firewall is configured
while the PPP connection is up, and no firewall is in place otherwise.

pppd runs scripts called ip-up and ip-down: the former when the connection is
established, the latter when it is disconnected. ip-up receives arguments: $1
is the interface used for the connection, $2 the tty device, $3 the serial
speed, $4 the local IP address and $5 the remote IP address.

ip-up looks like this:

8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----

#!/bin/sh
umask 022

# set variables
iface=$1
device=$2
speed=$3
localip=$4
remoteip=$5

# create a chain named ppp-in
/sbin/ipchains -N ppp-in

# append to the input chain the rule
# "if the interface is ppp0, the target is the ppp-in chain"
/sbin/ipchains -A input -i ppp0 -j ppp-in

# append to the ppp-in chain the rule
# "refuse connections from other sites to the SMTP port"
/sbin/ipchains -A ppp-in -p tcp -s 0/0 -d $localip smtp -j REJECT

# append to the ppp-in chain the rule
# "refuse connections from other sites to the NetBIOS ports"
/sbin/ipchains -A ppp-in -p tcp -s 0/0 -d $localip 137:139 -j DENY
/sbin/ipchains -A ppp-in -p udp -s 0/0 -d $localip 137:139 -j DENY

# append to the ppp-in chain the rule
# "refuse connections from other sites to the X server port"
/sbin/ipchains -A ppp-in -p tcp -s 0/0 -d $localip 6000 -j DENY

# append to the ppp-in chain the rule
# "refuse connections from other sites to the X font server port"
/sbin/ipchains -A ppp-in -p tcp -s 0/0 -d $localip 7000 -j DENY

8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----

ip-down looks something like this:

8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----

#!/bin/sh

# delete the ppp-in rule from the input chain
/sbin/ipchains -D input -i ppp0 -j ppp-in

# empty the ppp-in chain
/sbin/ipchains -F ppp-in

# delete the ppp-in chain
/sbin/ipchains -X ppp-in

8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----

With ipfwadm, the special settings for ppp0 had to be added and deleted one by
one; compared with that, chains let you set this up much more neatly.
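The ip-up/ip-down pair above works when every ip-up is followed by its ip-down. If the machine reboots with the link up, or pppd dies before ip-down runs, the next ip-up finds ppp-in already present and -N fails, leaving the input chain in whatever state it was. The script below is an added example, not part of the original HOWTO: it builds the same rule set (Examples 5 to 9 and the ip-up script) as two functions, `ppp_fw_up` and `ppp_fw_down`, that tolerate leftovers, use the interface passed by pppd instead of a fixed ppp0, and link the ppp-in chain into input only after it has been filled, so the chain is never reachable while still empty. `run`, `try`, `DRY_RUN` and the function names are this example's own; the /sbin/ipchains path is the one the HOWTO uses. With DRY_RUN=1 the functions print the commands instead of executing them, which is how the example can be checked without a 2.2 kernel.

```shell
#!/bin/sh
# Added example (not from the HOWTO): idempotent ppp firewall up/down.

IPCHAINS="${IPCHAINS:-/sbin/ipchains}"   # path as used in the HOWTO
CHAIN="ppp-in"

# run ARGS...: execute ipchains, or only print the command when DRY_RUN=1
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$IPCHAINS $*"
    else
        "$IPCHAINS" "$@"
    fi
}

# try ARGS...: like run, but a failure is not an error; used for the
# cleanup steps, which fail harmlessly when there is nothing to clean up
try() {
    run "$@" 2>/dev/null || true
}

# ppp_fw_down IFACE: unlink ppp-in from input first, then empty it, then
# delete it (-X only succeeds on an empty chain, see Example 9)
ppp_fw_down() {
    iface="$1"
    try -D input -i "$iface" -j "$CHAIN"
    try -F "$CHAIN"
    try -X "$CHAIN"
}

# ppp_fw_up IFACE LOCALIP: (re)create ppp-in with the HOWTO's rule set.
# Cleaning up first makes the function safe to run twice in a row.
ppp_fw_up() {
    iface="$1"
    localip="$2"
    ppp_fw_down "$iface"
    run -N "$CHAIN"
    run -A "$CHAIN" -p tcp -s 0/0 -d "$localip" smtp    -j REJECT
    run -A "$CHAIN" -p tcp -s 0/0 -d "$localip" 137:139 -j DENY
    run -A "$CHAIN" -p udp -s 0/0 -d "$localip" 137:139 -j DENY
    run -A "$CHAIN" -p tcp -s 0/0 -d "$localip" 6000    -j DENY
    run -A "$CHAIN" -p tcp -s 0/0 -d "$localip" 7000    -j DENY
    # link last: until this rule exists, nothing jumps into ppp-in
    run -A input -i "$iface" -j "$CHAIN"
}

# From /etc/ppp/ip-up:    ppp_fw_up "$1" "$4"
# From /etc/ppp/ip-down:  ppp_fw_down "$1"
# Stand-alone dry run:    DRY_RUN=1 sh ppp_fw.sh ppp0 192.168.0.1
if [ "${DRY_RUN:-0}" = "1" ]; then
    ppp_fw_up "${1:-ppp0}" "${2:-192.168.0.1}"
fi
```

In the dry run the up sequence prints ten commands, the three cleanup steps first and `-A input -i ppp0 -j ppp-in` last; the down sequence prints the same three cleanup steps in the same order.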


6. Configuring IP Masquerade

The IP Masquerade setup that used to be done with ipfwadm is now done with
ipchains. It is written like this:

Example 10.
  ipchains -A forward -s 192.168.1.0/24 -d 0.0.0.0/0 -j MASQ

Note) In the new kernel, packets are not forwarded by default. Enable
forwarding as follows:

  echo 1 > /proc/sys/net/ipv4/ip_forward

(Converted to LinuxDoc: 2000/05/12, 앐Y)
(Converted to DocBook: 2001/03/04, UTi)

