iptables-extensions

iptables-extensions(8)          iptables 1.4.21         iptables-extensions(8)



NAME
       iptables-extensions — list of extensions in the standard iptables distribution

SYNOPSIS
       ip6tables [-m name [module-options...]] [-j target-name
       [target-options...]

       iptables [-m name [module-options...]] [-j target-name
       [target-options...]

MATCH EXTENSIONS
       iptables can use extended packet matching modules. The module to use
       is given with -m or --match followed by the module name; after that,
       various extra command line options become available, depending on the
       specific module. Several extended match modules can be specified on
       one line, and -h or --help after the module name prints the help
       specific to that module. The extended match modules are evaluated in
       the order they are specified in the rule.

       If -p or --protocol was specified, and if and only if an unknown option
       is encountered, iptables will try to load a match module of the same
       name as the protocol, to try making the option available.

   addrtype
       This module matches packets based on their address type. Address types
       are used within the kernel networking stack and categorize addresses
       into various groups. The exact definition of such a group depends on
       the specific layer three protocol.

       The following address types are possible:

       UNSPEC an unspecified address (i.e. 0.0.0.0)

       UNICAST
              a unicast address

       LOCAL  a local address

       BROADCAST
              a broadcast address

       ANYCAST
              an anycast address

       MULTICAST
              a multicast address

       BLACKHOLE
              a blackhole address

       UNREACHABLE
              an unreachable address

       PROHIBIT
              a prohibited address

       THROW  FIXME

       NAT    FIXME

       XRESOLVE

       [!] --src-type type
              Matches if the source address is of the given type.

       [!] --dst-type type
              Matches if the destination address is of the given type.

       --limit-iface-in
              Limit the address type check to the interface the packet came
              in on. This option is only valid in the PREROUTING, INPUT and
              FORWARD chains. It cannot be specified together with
              --limit-iface-out.

       --limit-iface-out
              Limit the address type check to the interface the packet is
              going out on. This option is only valid in the POSTROUTING,
              OUTPUT and FORWARD chains. It cannot be specified together with
              --limit-iface-in.

   ah (IPv6-specific)
       This module matches the parameters in the Authentication Header of
       IPsec packets.

       [!] --ahspi spi[:spi]
              Matches the SPI, or a range of SPIs.

       [!] --ahlen length
              Total length of this header in octets.

       --ahres
              Matches if the reserved field is filled with zero.

   ah (IPv4-specific)
       This module matches the SPI value in the Authentication Header (AH) of
       IPsec packets.

       [!] --ahspi spi[:spi]

   bpf
       Match using the Linux Socket Filter. Expects a BPF program in decimal
       format. This is the format generated by the nfbpf_compile utility.

       --bytecode code
              Pass the BPF byte code format (described in the example below).

       The code format is similar to the output of the tcpdump -ddd command:
       one line that stores the number of instructions, followed by one line
       for each instruction. Instruction lines follow the pattern 'u16 u8 u8
       u32' in decimal notation. The fields encode the operation, the jump
       offset if true, the jump offset if false, and the generic multiuse
       field 'K'. Comments are not supported.

       For example, to read only packets matching 'ip proto 6', insert the
       following, without the comments or trailing whitespace:

              4               # number of instructions
              48 0 0 9        # load byte  ip->proto
              21 0 1 6        # jump equal IPPROTO_TCP
              6 0 0 1         # return     pass (non-zero)
              6 0 0 0         # return     fail (zero)

       Pass this filter to the bpf match with the following command:

              iptables -A OUTPUT -m bpf --bytecode '4,48 0 0 9,21 0 1 6,6 0 0
              1,6 0 0 0' -j ACCEPT

       Or, instead, use the nfbpf_compile utility:

              iptables -A OUTPUT -m bpf --bytecode "`nfbpf_compile RAW 'ip
              proto 6'`" -j ACCEPT

       You may want to learn more about BPF from FreeBSD's bpf(4) manpage.
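       The following Python interpreter is an added example; it is not part of
       this manual page or of the iptables/xt_bpf code. It parses the
       --bytecode string format described above, runs the 'ip proto 6' program
       over two constructed IPv4 packets, and shows why the program works only
       because the bpf match hands it the packet starting at the IP header
       (offset 9 is the protocol field; no Ethernet header is present, which
       is also why nfbpf_compile is called with the RAW link type). The helper
       names (parse_bytecode, to_bytecode, run_bpf, bpf_match, ipv4_packet)
       and the sample packets are this example's own; only the opcodes the
       program actually uses are implemented.

```python
import socket
import struct

# Classic BPF opcodes used by the page's program (numeric values from <linux/filter.h>).
LD_B_ABS = 0x30   # 48: A = pkt[k]
LD_H_ABS = 0x28   # 40: A = 16-bit big-endian value at pkt[k]
LD_W_ABS = 0x20   # 32: A = 32-bit big-endian value at pkt[k]
JEQ_K    = 0x15   # 21: pc += jt if A == k else jf
RET_K    = 0x06   #  6: return k
RET_A    = 0x16   # 22: return A


def parse_bytecode(text):
    """Parse the --bytecode string 'N,code jt jf k,code jt jf k,...' into tuples."""
    fields = [f.strip() for f in text.split(",")]
    count = int(fields[0])
    insns = [tuple(int(x) for x in f.split()) for f in fields[1:]]
    if len(insns) != count:
        raise ValueError(f"header says {count} instructions, found {len(insns)}")
    for code, jt, jf, k in insns:  # enforce the 'u16 u8 u8 u32' field widths
        if not (0 <= code < 2**16 and 0 <= jt < 2**8 and 0 <= jf < 2**8 and 0 <= k < 2**32):
            raise ValueError(f"field out of range in '{code} {jt} {jf} {k}'")
    return insns


def to_bytecode(insns):
    """Render instruction tuples back into the form iptables expects."""
    return ",".join([str(len(insns))] + [f"{c} {jt} {jf} {k}" for c, jt, jf, k in insns])


def run_bpf(insns, pkt):
    """Interpret the program over the packet bytes. The return value is the filter
    result (0 means no match). A load beyond the end of the packet terminates the
    program with 0, which is what the kernel does."""
    acc, pc = 0, 0
    while pc < len(insns):
        code, jt, jf, k = insns[pc]
        pc += 1
        if code in (LD_B_ABS, LD_H_ABS, LD_W_ABS):
            size = {LD_B_ABS: 1, LD_H_ABS: 2, LD_W_ABS: 4}[code]
            if k + size > len(pkt):
                return 0
            acc = int.from_bytes(pkt[k:k + size], "big")
        elif code == JEQ_K:
            pc += jt if acc == k else jf
        elif code == RET_K:
            return k
        elif code == RET_A:
            return acc
        else:
            raise NotImplementedError(f"opcode {code:#x} is not handled by this toy interpreter")
    raise RuntimeError("program ran off the end without a RET")


def bpf_match(bytecode, pkt):
    """What `-m bpf --bytecode BYTECODE` decides for one packet (True = rule matches)."""
    return run_bpf(parse_bytecode(bytecode), pkt) != 0


def ipv4_packet(proto, src="10.0.0.1", dst="10.0.0.2", payload=b""):
    """Constructed sample packet: a 20-byte IPv4 header (no Ethernet header, which is
    what the bpf match sees) followed by an arbitrary payload. Checksum left at zero."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


# The page's 'ip proto 6' program in --bytecode form.
TCP_ONLY = "4,48 0 0 9,21 0 1 6,6 0 0 1,6 0 0 0"

if __name__ == "__main__":
    for name, proto in (("tcp", 6), ("udp", 17)):
        print(name, bpf_match(TCP_ONLY, ipv4_packet(proto, payload=b"\x00" * 20)))
```

       The TCP packet takes the jump-if-true branch to "6 0 0 1" and matches;
       the UDP packet falls through to "6 0 0 0" and does not. Feeding a packet
       shorter than ten bytes makes the byte load fail, so the program returns
       0 and the rule silently does not match rather than raising an error.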

   cluster
       Allows you to deploy gateway and back-end load-sharing clusters without
       the need of load-balancers.

       This match requires that all the nodes see the same packets. Thus, the
       cluster match decides if this node has to handle a packet given the
       following options:

       --cluster-total-nodes num
              Set the total number of nodes in the cluster.

       [!] --cluster-local-node num
              Set the local node number ID.

       [!] --cluster-local-nodemask mask
              Set the local node number ID mask. You can use this option
              instead of --cluster-local-node.

       --cluster-hash-seed value
              Set the seed value of the Jenkins hash.

       Example:

              iptables -A PREROUTING -t mangle -i eth1 -m cluster
              --cluster-total-nodes 2 --cluster-local-node 1
              --cluster-hash-seed 0xdeadbeef -j MARK --set-mark 0xffff

              iptables -A PREROUTING -t mangle -i eth2 -m cluster
              --cluster-total-nodes 2 --cluster-local-node 1
              --cluster-hash-seed 0xdeadbeef -j MARK --set-mark 0xffff

              iptables -A PREROUTING -t mangle -i eth1 -m mark ! --mark 0xffff
              -j DROP

              iptables -A PREROUTING -t mangle -i eth2 -m mark ! --mark 0xffff
              -j DROP

       And the following commands to make all nodes see the same packets:

              ip maddr add 01:00:5e:00:01:01 dev eth1

              ip maddr add 01:00:5e:00:01:02 dev eth2

              arptables -A OUTPUT -o eth1 --h-length 6 -j mangle
              --mangle-mac-s 01:00:5e:00:01:01

              arptables -A INPUT -i eth1 --h-length 6 --destination-mac
              01:00:5e:00:01:01 -j mangle --mangle-mac-d 00:zz:yy:xx:5a:27

              arptables -A OUTPUT -o eth2 --h-length 6 -j mangle
              --mangle-mac-s 01:00:5e:00:01:02

              arptables -A INPUT -i eth2 --h-length 6 --destination-mac
              01:00:5e:00:01:02 -j mangle --mangle-mac-d 00:zz:yy:xx:5a:27

       NOTE: the arptables commands above use mainstream syntax. If you are
       using arptables-jf included in some RedHat, CentOS and Fedora versions,
       you will hit syntax errors. Therefore, you'll have to adapt these to
       the arptables-jf syntax to get them working.

       In the case of TCP connections, the pickup facility has to be disabled
       to avoid marking TCP ACK packets coming in the reply direction as
       valid:

              echo 0 > /proc/sys/net/netfilter/nf_conntrack_tcp_loose

   comment
       Allows you to add comments (up to 256 characters) to any rule.

       --comment comment

       Example: iptables -A INPUT -i eth1 -m comment --comment "my local LAN"

   connbytes
       Match by how many bytes or packets a connection (or one of the two
       flows constituting the connection) has transferred so far, or by
       average bytes per packet.

       The counters are 64-bit and are thus not expected to overflow ;)

       The primary use is to detect long-lived downloads and mark them to be
       scheduled using a lower priority band in traffic control.

       The transferred bytes per connection can also be viewed through
       `conntrack -L` and accessed via ctnetlink.

       NOTE that for connections which have no accounting information, the
       match will always return false. The "net.netfilter.nf_conntrack_acct"
       sysctl flag controls whether new connections will be byte/packet
       counted. Existing connection flows will not be gaining/losing their
       accounting status when the sysctl flag is changed.

       [!] --connbytes from[:to]
              Match packets from a connection whose packets/bytes/average
              packet size is more than FROM and less than TO bytes/packets.
              If TO is omitted only the FROM check is done. "!" is used to
              match packets not falling in the range.

       --connbytes-dir {original|reply|both}
              Which packets to consider.

       --connbytes-mode {packets|bytes|avgpkt}
              Whether to check the amount of packets, the number of bytes
              transferred, or the average size (in bytes) of all packets
              received so far. Note that when "both" is used together with
              "avgpkt", and data is going (mainly) only in one direction (for
              example HTTP), the average packet size will be about half of the
              actual data packets.

       Example: iptables .. -m connbytes --connbytes 10000:100000
              --connbytes-dir both --connbytes-mode bytes ...

   connlimit
       Allows you to restrict the number of parallel connections to a server
       per client IP address (or client address block).

       --connlimit-upto n
              Match if the number of existing connections is below or equal
              to n.

       --connlimit-above n
              Match if the number of existing connections is above n.

       --connlimit-mask prefix_length
              Group hosts using the prefix length. For IPv4, this must be a
              number between (including) 0 and 32. For IPv6, between 0 and
              128. If not specified, the maximum prefix length for the
              applicable protocol is used.

       --connlimit-saddr
              Apply the limit onto the source group. This is the default if
              --connlimit-daddr is not specified.

       --connlimit-daddr
              Apply the limit onto the destination group.

       Examples:

       # allow 2 telnet connections per client host
              iptables -A INPUT -p tcp --syn --dport 23 -m connlimit
              --connlimit-above 2 -j REJECT

       # you can also match the other way around:
              iptables -A INPUT -p tcp --syn --dport 23 -m connlimit
              --connlimit-upto 2 -j ACCEPT

       # limit the number of parallel HTTP requests to 16 per class C sized
       source network (24 bit netmask)
              iptables -A INPUT -p tcp --syn --dport 80 -m connlimit
              --connlimit-above 16 --connlimit-mask 24 -j REJECT

       # limit the number of parallel HTTP requests to 16 for the link local
       network
              (ipv6) ip6tables -A INPUT -p tcp --syn --dport 80 -s fe80::/64
              -m connlimit --connlimit-above 16 --connlimit-mask 64 -j REJECT

       # limit the number of connections to a particular host:
              ip6tables -A INPUT -p tcp --syn --dport 49152:65535 -d
              2001:db8::1 -m connlimit --connlimit-above 100 -j REJECT
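       The following Python model is an added example, not part of this manual
       page or of xt_connlimit: it shows how --connlimit-mask and
       --connlimit-daddr change what gets counted, and that the connection
       being evaluated is itself included in the count (so --connlimit-above 2
       rejects the third connection from a host, as the first example
       intends). CONNTRACK is a constructed stand-in for the kernel's table
       holding (client, server) pairs only, and the SYN being evaluated is
       assumed to be a new tuple; the function names are this example's own.

```python
import ipaddress

# Constructed stand-in for the conntrack table: (client, server) address pairs of
# connections that already exist towards the telnet service.
CONNTRACK = [
    ("198.51.100.7", "192.0.2.10"),
    ("198.51.100.7", "192.0.2.10"),
    ("198.51.100.9", "192.0.2.10"),
    ("203.0.113.5", "192.0.2.10"),
]


def group(addr, prefix_len):
    """--connlimit-mask: an address is reduced to its prefix before counting."""
    return ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)


def connlimit_count(table, new_src, new_dst, mask=None, daddr=False):
    """Connections in the same group as the new one, the new one included (the
    kernel adds the connection it is evaluating before comparing with n).
    daddr=True counts per destination group (--connlimit-daddr) instead of the
    default source group (--connlimit-saddr)."""
    side = 1 if daddr else 0
    sample = ipaddress.ip_address((new_src, new_dst)[side])
    if mask is None:
        mask = sample.max_prefixlen          # default: /32 for IPv4, /128 for IPv6
    want = group(sample, mask)
    existing = sum(1 for conn in table if group(conn[side], mask) == want)
    return existing + 1


def connlimit_above(table, new_src, new_dst, n, mask=None, daddr=False):
    """True where `-m connlimit --connlimit-above n [--connlimit-mask mask]
    [--connlimit-daddr]` matches the SYN creating the new connection."""
    return connlimit_count(table, new_src, new_dst, mask, daddr) > n


def connlimit_upto(table, new_src, new_dst, n, mask=None, daddr=False):
    """The complementary `--connlimit-upto n` form."""
    return not connlimit_above(table, new_src, new_dst, n, mask, daddr)


if __name__ == "__main__":
    # third telnet session from 198.51.100.7: counted as 3 > 2, so REJECT fires
    print(connlimit_above(CONNTRACK, "198.51.100.7", "192.0.2.10", 2))
    # a neighbour in the same /24: clean per host, but over the limit per /24
    print(connlimit_above(CONNTRACK, "198.51.100.8", "192.0.2.10", 2))
    print(connlimit_above(CONNTRACK, "198.51.100.8", "192.0.2.10", 2, mask=24))
```

       The same new SYN from 198.51.100.8 passes a per-host limit of 2 but
       trips it once --connlimit-mask 24 folds the whole 198.51.100.0/24 into
       one group, which is the trade-off the class C example above makes.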

   connmark
       This module matches the netfilter mark field associated with a
       connection (which can be set using the CONNMARK target below).

       [!] --mark value[/mask]
              Matches packets in connections with the given mark value (if a
              mask is specified, this is logically ANDed with the mark before
              the comparison).

   conntrack
       This module, when combined with connection tracking, allows access to
       the connection tracking state for this packet/connection.

       [!] --ctstate statelist
              statelist is a comma separated list of the connection states to
              match. Possible states are listed below.

       [!] --ctproto l4proto
              Layer-4 protocol to match (by number or name).

       [!] --ctorigsrc address[/mask]

       [!] --ctorigdst address[/mask]

       [!] --ctreplsrc address[/mask]

       [!] --ctrepldst address[/mask]
              Match against the original/reply source/destination address.

       [!] --ctorigsrcport port[:port]

       [!] --ctorigdstport port[:port]

       [!] --ctreplsrcport port[:port]

       [!] --ctrepldstport port[:port]
              Match against the original/reply source/destination port
              (TCP/UDP/etc.) or GRE key. Matching against port ranges is only
              supported in kernel versions 2.6.38 and later.

       [!] --ctstatus statuslist
              statuslist is a comma separated list of the connection statuses
              to match. Possible statuses are listed below.

       [!] --ctexpire time[:time]
              Match the remaining lifetime in seconds against the given value
              or range of values (inclusive).

       --ctdir {ORIGINAL|REPLY}
              Match packets that are flowing in the specified direction. If
              this flag is not specified at all, matches packets in both
              directions.

       States for --ctstate:

       INVALID
              The packet is associated with no known connection.

       NEW    The packet has started a new connection, or is otherwise
              associated with a connection which has not seen packets in both
              directions.

       ESTABLISHED
              The packet is associated with a connection which has seen
              packets in both directions.

       RELATED
              The packet is starting a new connection, but is associated with
              an existing connection, such as an FTP data transfer or an ICMP
              error.

       UNTRACKED
              The packet is not tracked at all, which happens if you
              explicitly untrack it by using -j CT --notrack in the raw table.

       SNAT   A virtual state, matching if the original source address differs
              from the reply destination.

       DNAT   A virtual state, matching if the original destination differs
              from the reply source.

       Statuses for --ctstatus:

       NONE   None of the below.

       EXPECTED
              This is an expected connection (i.e. a conntrack helper set it
              up).

       SEEN_REPLY
              Conntrack has seen packets in both directions.

       ASSURED
              Conntrack entry should never be early-expired.

       CONFIRMED
              Connection is confirmed: originating packet has left box.

   cpu
       [!] --cpu number
              Match the cpu handling this packet. cpus are numbered from 0 to
              NR_CPUS-1. Can be used in combination with RPS (Receive Packet
              Steering) or multiqueue NICs to spread network traffic on
              different queues.

       Example:

       iptables -t nat -A PREROUTING -p tcp --dport 80 -m cpu --cpu 0 -j
       REDIRECT --to-port 8080

       iptables -t nat -A PREROUTING -p tcp --dport 80 -m cpu --cpu 1 -j
       REDIRECT --to-port 8081

       Available since Linux 2.6.36.

   dccp
       [!] --source-port,--sport port[:port]

       [!] --destination-port,--dport port[:port]

       [!] --dccp-types mask
              Match when the DCCP packet type is one of 'mask'. 'mask' is a
              comma-separated list of packet types. Packet types are: REQUEST
              RESPONSE DATA ACK DATAACK CLOSEREQ CLOSE RESET SYNC SYNCACK
              INVALID.

       [!] --dccp-option number
              Match if the DCCP option is set.

   devgroup
       Match the device group of a packet's incoming/outgoing interface.

       [!] --src-group name
              Match the device group of the incoming device.

       [!] --dst-group name
              Match the device group of the outgoing device.

   dscp
       This module matches the 6 bit DSCP field within the TOS field in the
       IP header. DSCP has superseded TOS within the IETF.

       [!] --dscp value
              Match against a numeric (decimal or hex) value [0-63].

       [!] --dscp-class class
              Match the DiffServ class. This value may be any of the BE, EF,
              AFxx or CSx classes. It will then be converted into its
              corresponding numeric value.

   dst (IPv6-specific)
       This module matches the parameters in the Destination Options header.

       [!] --dst-len length
              Total length of this header in octets.

       --dst-opts type[:length][,type[:length]...]
              Numeric type of option and the length of the option data in
              octets.

   ecn
       This allows you to match the ECN bits of the IPv4/IPv6 and TCP header.
       ECN is the Explicit Congestion Notification mechanism as specified in
       RFC3168.

       [!] --ecn-tcp-cwr
              This matches if the TCP ECN CWR (Congestion Window Reduced) bit
              is set.

       [!] --ecn-tcp-ece
              This matches if the TCP ECN ECE (ECN Echo) bit is set.

       [!] --ecn-ip-ect num
              This matches a particular IPv4/IPv6 ECT (ECN-Capable Transport)
              value. You have to specify a number between `0' and `3'.

   esp
       This module matches the SPI value in the ESP header of IPsec packets.

       [!] --espspi spi[:spi]

   eui64 (IPv6-specific)
       This module matches the EUI-64 part of a stateless autoconfigured IPv6
       address. It compares the EUI-64 derived from the source MAC address in
       the Ethernet frame with the lower 64 bits of the IPv6 source address.
       The "Universal/Local" bit is not compared. This module doesn't match
       other link layer frames, and is only valid in the PREROUTING, INPUT and
       FORWARD chains.

   frag (IPv6-specific)
       This module matches the parameters in the Fragment header.

       [!] --fragid id[:id]
              Matches the given Identification or a range of it.

       [!] --fraglen length
              This option cannot be used with kernel version 2.6.10 or later.
              The length of the Fragment header is static and this option
              doesn't make sense.

       --fragres
              Matches if the reserved fields are filled with zero.

       --fragfirst
              Matches on the first fragment.

       --fragmore
              Matches if there are more fragments.

       --fraglast
              Matches if this is the last fragment.

   hashlimit
       hashlimit uses hash buckets to express a rate limiting match (like the
       limit match) for a group of connections using a single iptables rule.
       Grouping can be done per-hostgroup (source and/or destination address)
       and/or per-port. It gives you the ability to express "N packets per
       time quantum per group" or "N bytes per seconds" (see below for some
       examples).

       A hash limit option (--hashlimit-upto, --hashlimit-above) and
       --hashlimit-name are required.

       --hashlimit-upto amount[/second|/minute|/hour|/day]
              Match if the rate is below or equal to amount/quantum. amount
              is given as a number, with an optional `/second', `/minute',
              `/hour' or `/day' suffix (the default is 3/hour), or as a byte
              rate such as 512kb/s (bytes per second).

       --hashlimit-above amount[/second|/minute|/hour|/day]
              Match if the rate is above amount/quantum.

       --hashlimit-burst amount
              Maximum initial number of packets to match: this number gets
              recharged by one every time the limit specified above is not
              reached, up to this number; the default is 5. When byte-based
              rate matching is requested, this option specifies the amount of
              bytes that can exceed the given rate. This option should be
              used with caution -- if the entry expires, the burst value is
              reset too.

       --hashlimit-mode {srcip|srcport|dstip|dstport},...
              A comma-separated list of objects to take into consideration.
              If no --hashlimit-mode option is given, hashlimit acts like
              limit, but at the expense of doing the hash housekeeping.

       --hashlimit-srcmask prefix
              When --hashlimit-mode srcip is used, all source addresses
              encountered will be grouped according to the given prefix length
              and the so-created subnet will be subject to hashlimit. prefix
              must be between (inclusive) 0 and 32. Note that
              --hashlimit-srcmask 0 is basically doing the same thing as not
              specifying srcip for --hashlimit-mode, but is technically more
              expensive.

       --hashlimit-dstmask prefix
              Like --hashlimit-srcmask, but for destination addresses.

       --hashlimit-name foo
              The name for the /proc/net/ipt_hashlimit/foo entry.

       --hashlimit-htable-size buckets
              The number of buckets of the hash table.

       --hashlimit-htable-max entries
              Maximum entries in the hash.

       --hashlimit-htable-expire msec
              After how many milliseconds hash entries expire.

       --hashlimit-htable-gcinterval msec
              How many milliseconds between garbage collection intervals.

       Examples:

       matching on source host
              "1000 packets per second for every host in 192.168.0.0/16" => -s
              192.168.0.0/16 --hashlimit-mode srcip --hashlimit-upto 1000/sec

       matching on source port
              "100 packets per second for every service of 192.168.1.1" => -s
              192.168.1.1 --hashlimit-mode srcport --hashlimit-upto 100/sec

       matching on subnet
              "10000 packets per minute for every /28 subnet (groups of 16
              addresses) in 10.0.0.0/8" => -s 10.0.0.0/8 --hashlimit-mode
              srcip --hashlimit-srcmask 28 --hashlimit-upto 10000/min

       matching bytes per second
              "flows exceeding 512kbyte/s" => --hashlimit-mode
              srcip,dstip,srcport,dstport --hashlimit-above 512kb/s

       matching bytes per second
              "hosts that exceed 512kbyte/s, but permit up to 1 Megabyte
              without matching" => --hashlimit-mode dstip --hashlimit-above
              512kb/s --hashlimit-burst 1mb

   hbh (IPv6-specific)
       This module matches the parameters in the Hop-by-Hop Options header.

       [!] --hbh-len length
              Total length of this header in octets.

       --hbh-opts type[:length][,type[:length]...]
              Numeric type of option and the length of the option data in
              octets.

   helper
       This module matches packets related to a specific conntrack-helper.

       [!] --helper string
              Matches packets related to the specified conntrack-helper.

              string can be "ftp" for packets related to an ftp-session on the
              default port. For other ports append -portnr to the value, i.e.
              "ftp-2121".

              The same rules apply for other conntrack-helpers.

   hl (IPv6-specific)
       This module matches the Hop Limit field in the IPv6 header.

       [!] --hl-eq value
              Matches if the Hop Limit equals value.

       --hl-lt value
              Matches if the Hop Limit is less than value.

       --hl-gt value
              Matches if the Hop Limit is greater than value.

   icmp (IPv4-specific)
       This extension can be used if `--protocol icmp' is specified. It
       provides the following option:

       [!] --icmp-type {type[/code]|typename}
              This allows specification of the ICMP type, which can be a
              numeric ICMP type, a type/code pair, or one of the ICMP type
              names shown by the command
               iptables -p icmp -h

   icmp6 (IPv6-specific)
       This extension can be used if `--protocol ipv6-icmp' or `--protocol
       icmpv6' is specified. It provides the following option:

       [!] --icmpv6-type type[/code]|typename
              This allows specification of the ICMPv6 type, which can be a
              numeric ICMPv6 type, a type and code, or one of the ICMPv6 type
              names shown by the command
               ip6tables -p ipv6-icmp -h

   iprange
       This matches on a given arbitrary range of IP addresses.

       [!] --src-range from[-to]
              Match the source IP in the specified range.

       [!] --dst-range from[-to]
              Match the destination IP in the specified range.

   ipv6header (IPv6-specific)
       This module matches IPv6 extension headers and/or the upper layer
       header.

       --soft Matches if the packet includes any of the headers specified with
              --header.

       [!] --header header[,header...]
              Matches the packet which EXACTLY includes all specified headers.
              The headers encapsulated with ESP header are out of scope.
              Possible header types can be:

       hop|hop-by-hop
              Hop-by-Hop Options header

       dst    Destination Options header

       route  Routing header

       frag   Fragment header

       auth   Authentication header (AH)

       esp    Encapsulating Security Payload (ESP) header

       none   No Next header which matches 59 in the 'Next Header field' of
              IPv6 header or any IPv6 extension headers

       proto  which matches any upper layer protocol header. A protocol name
              from /etc/protocols and numeric value also allow. The number
              255 is equivalent to proto.

   ipvs
       Match IPVS connection properties.

       [!] --ipvs
              packet belongs to an IPVS connection

       Any of the following options implies --ipvs (even when negated)

       [!] --vproto protocol
              VIP protocol to match; by number or name, e.g. "tcp"

       [!] --vaddr address[/mask]
              VIP address to match

       [!] --vport port
              VIP port to match; by number or by service name

       --vdir {ORIGINAL|REPLY}
              flow direction of the packet

       [!] --vmethod {GATE|IPIP|MASQ}
              IPVS forwarding method used

       [!] --vportctl port
              VIP port of the controlling connection to match, e.g. 21 for FTP

   length
       This module matches the length of the layer-3 payload (e.g. layer-4
       packet) of a packet against a specific value or range of values.

       [!] --length length[:length]

   limit
       This module matches at a limited rate using a token bucket filter. A
       rule using this extension will match until this limit is reached. It
       can be used in combination with the LOG target to give limited
       logging, for example.

       xt_limit has no negation support - you will have to use -m hashlimit !
       --hashlimit-upto rate in this case whilst omitting --hashlimit-mode
       (--hashlimit is the older alias of --hashlimit-upto).

       --limit rate[/second|/minute|/hour|/day]
              Maximum average matching rate: specified as a number, with an
              optional `/second', `/minute', `/hour', or `/day' suffix; the
              default is 3/hour.

       --limit-burst number
              Maximum initial number of packets to match: this number gets
              recharged by one every time the limit specified above is not
              reached, up to this number; the default is 5.
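       The following Python model is an added example, not part of this manual
       page or of xt_limit/xt_hashlimit, and it serves both the hashlimit
       section above and this limit section: a token bucket that starts full
       at the burst size and refills at the configured rate, applied once for
       limit and once per group key for hashlimit (--hashlimit-mode with
       --hashlimit-srcmask/--hashlimit-dstmask grouping, and --hashlimit-above
       as the inverse of --hashlimit-upto). Packet arrival times and addresses
       are constructed; the class and function names are this example's own,
       and the model leaves out the htable expiry that resets the burst.

```python
import ipaddress

_UNITS = (("second", 1), ("minute", 60), ("hour", 3600), ("day", 86400))


def parse_rate(spec):
    """'1000/sec', '3/hour', '10000/min' -> matches per second. The unit defaults
    to /hour and, as in libxt_limit, any leading part of the unit name is accepted."""
    num, _, unit = spec.partition("/")
    unit = (unit or "hour").lower()
    for name, secs in _UNITS:
        if name.startswith(unit):
            return float(num) / secs
    raise ValueError(f"unknown time unit in {spec!r}")


class TokenBucket:
    """Model of the bucket behind limit/hashlimit: it starts full (the burst),
    refills at `rate` tokens per second up to the burst, and every matching
    packet spends one token."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, float(burst)
        self.tokens, self.last = float(burst), 0.0

    def take(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def limit_match(rate_spec, burst, arrivals):
    """`-m limit --limit RATE --limit-burst BURST` over a list of packet times in
    seconds; returns one bool per packet (True = the rule matches that packet)."""
    bucket = TokenBucket(parse_rate(rate_spec), burst)
    return [bucket.take(t) for t in arrivals]


class HashLimit:
    """`-m hashlimit`: the same bucket, but one per group key built from
    --hashlimit-mode (srcip,srcport,dstip,dstport), with addresses reduced to the
    --hashlimit-srcmask / --hashlimit-dstmask prefix before keying."""

    def __init__(self, rate_spec, burst, mode, srcmask=32, dstmask=32):
        self.rate, self.burst = parse_rate(rate_spec), burst
        self.mode = set(mode.split(",")) if mode else set()
        self.srcmask, self.dstmask = srcmask, dstmask
        self.buckets = {}

    def key(self, src, sport, dst, dport):
        key = []
        if "srcip" in self.mode:
            key.append(str(ipaddress.ip_network(f"{src}/{self.srcmask}", strict=False)))
        if "srcport" in self.mode:
            key.append(f"sport={sport}")
        if "dstip" in self.mode:
            key.append(str(ipaddress.ip_network(f"{dst}/{self.dstmask}", strict=False)))
        if "dstport" in self.mode:
            key.append(f"dport={dport}")
        return tuple(key)   # empty mode -> one shared bucket, i.e. plain `limit`

    def upto(self, now, src, sport, dst, dport):
        """--hashlimit-upto: match while this group is still within its rate."""
        k = self.key(src, sport, dst, dport)
        bucket = self.buckets.setdefault(k, TokenBucket(self.rate, self.burst))
        return bucket.take(now)

    def above(self, now, src, sport, dst, dport):
        """--hashlimit-above: the inverse verdict; the token is consumed just the same."""
        return not self.upto(now, src, sport, dst, dport)


if __name__ == "__main__":
    # Constructed arrivals: four packets at t=0, then one every half second.
    print(limit_match("2/second", 3, [0, 0, 0, 0, 0.5, 0.5, 1.0]))
    hl = HashLimit("1/second", 1, "srcip", srcmask=28)
    for host in ("10.0.0.1", "10.0.0.14", "10.0.0.17"):
        print(host, hl.upto(0, host, 40000, "192.0.2.1", 80))
```

       With --limit 2/second --limit-burst 3, the first three packets at t=0
       match and the fourth does not; one token is back after half a second,
       so every second packet matches from then on. With --hashlimit-srcmask
       28, 10.0.0.1 and 10.0.0.14 fall into 10.0.0.0/28 and share one bucket,
       while 10.0.0.17 (10.0.0.16/28) gets its own; with no --hashlimit-mode
       every packet keys to the same bucket, which is the "acts like limit"
       case described above.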

   mac
       [!] --mac-source address
              Match the source MAC address. It must be of the form
              XX:XX:XX:XX:XX:XX. Note that this only makes sense for packets
              coming from an Ethernet device and entering the PREROUTING,
              FORWARD or INPUT chains.

   mark
       This module matches the netfilter mark field associated with a packet
       (which can be set using the MARK target below).

       [!] --mark value[/mask]
              Matches packets with the given unsigned mark value (if a mask is
              specified, this is logically ANDed with the mask before the
              comparison).

   mh (IPv6-specific)
       This extension is loaded if `--protocol ipv6-mh' or `--protocol mh' is
       specified. It provides the following option:

       [!] --mh-type type[:type]
              This allows specification of the Mobility Header (MH) type,
              which can be a numeric MH type or one of the MH type names
              shown by the command
               ip6tables -p mh -h

   multiport
       This module matches a set of source or destination ports. Up to 15
       ports can be specified. A port range (port:port) counts as two ports.
       It can only be used in conjunction with one of the following protocols:
       tcp, udp, udplite, dccp and sctp.

       [!] --source-ports,--sports port[,port|,port:port]...
              Match if the source port is one of the given ports. The flag
              --sports is a convenient alias for this option. Multiple ports
              or port ranges are separated using a comma, and a port range is
              specified using a colon. 53,1024:65535 would therefore match
              port 53 and all ports from 1024 through 65535.

       [!] --destination-ports,--dports port[,port|,port:port]...
              Match if the destination port is one of the given ports. The
              flag --dports is a convenient alias for this option.

       [!] --ports port[,port|,port:port]...
              Match if either the source or the destination port is equal to
              one of the given ports.
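       The following Python parser is an added example, not part of this
       manual page or of libxt_multiport: it accepts the port list syntax
       above, enforces the 15-slot limit (a range consuming two slots, a
       single port one) and decides --sports, --dports and --ports for one
       packet. It handles numeric ports only, not /etc/services names; the
       function names are this example's own.

```python
MAX_SLOTS = 15   # libxt_multiport's limit on ports per rule


def parse_multiport(spec):
    """Parse 'port[,port|,port:port]...' as -m multiport does and return the set of
    ports the rule would match. Raises ValueError for a malformed port, a reversed
    range, or a list that needs more than 15 slots."""
    slots, ports = 0, set()
    for item in spec.split(","):
        lo, sep, hi = item.partition(":")
        lo_p = int(lo)
        hi_p = int(hi) if sep else lo_p
        if not 0 <= lo_p <= hi_p <= 65535:
            raise ValueError(f"invalid port specification {item!r}")
        slots += 2 if sep else 1            # a range costs two slots
        if slots > MAX_SLOTS:
            raise ValueError(f"too many ports in {spec!r}: {slots} slots, limit is {MAX_SLOTS}")
        ports.update(range(lo_p, hi_p + 1))
    return ports


def multiport_match(spec, sport, dport, which="dports"):
    """Verdict of --sports / --dports / --ports for one packet's port pair."""
    ports = parse_multiport(spec)
    if which == "sports":
        return sport in ports
    if which == "dports":
        return dport in ports
    if which == "ports":
        return sport in ports or dport in ports
    raise ValueError(f"unknown option {which!r}")


if __name__ == "__main__":
    print(multiport_match("53,1024:65535", 40000, 53))          # DNS query: matches
    print(multiport_match("22,80,443", 22, 51000, which="ports"))  # matches on sport
    try:
        parse_multiport(",".join(f"{p}:{p + 1}" for p in range(1000, 1016, 2)))
    except ValueError as err:
        print(err)   # eight ranges need 16 slots, one more than allowed
```

       Eight two-port ranges already exceed the limit even though they cover
       only sixteen ports; listing the same ports individually would also
       fail, so a rule that needs more than 15 slots has to be split into
       several rules.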

   nfacct
       The nfacct match provides the extended accounting infrastructure for
       iptables. You have to use this match together with the standalone
       user-space utility nfacct(8).

       The only option available for this match is the following:

       --nfacct-name name
              This allows you to specify the existing object name that will
              be used for accounting the traffic that this rule-set is
              matching.

       To use this extension, you have to create an accounting object:

              nfacct add http-traffic

       Then, you have to attach traffic to the accounting object via
       iptables:

              iptables -I INPUT -p tcp --sport 80 -m nfacct --nfacct-name
              http-traffic

              iptables -I OUTPUT -p tcp --dport 80 -m nfacct --nfacct-name
              http-traffic

       Then, you can check for the amount of traffic that the rules match:

              nfacct get http-traffic

              { pkts = 00000000000000000156, bytes = 00000000000000151786 } =
              http-traffic;

       You can obtain nfacct(8) from http://www.netfilter.org or,
       alternatively, from the git.netfilter.org repository.

   osf
       The osf module does passive operating system fingerprinting. It
       compares some data (Window Size, MSS, options and their order, TTL, DF,
       and others) from packets with the SYN bit set.

       [!] --genre string
              Match an operating system genre by using passive fingerprinting.

       --ttl level
              Do additional TTL checks on the packet to determine the
              operating system. level can be one of the following values:

       ·   0 - True IP address and fingerprint TTL comparison. This generally
           works for LANs.

       ·   1 - Check if the IP header's TTL is less than the fingerprint one.
           Works for globally-routable addresses.

       ·   2 - Do not compare the TTL at all.

       --log level
           Log the determined genre even if it does not match the desired
           one. level can be one of the following values:

       ·   0 - Log all matched or unknown signatures

       ·   1 - Log only the first one

       ·   2 - Log all known matched signatures

       You may find something like this in syslog:

       Windows [2000:SP3:Windows XP Pro SP1, 2000 SP3]: 11.22.33.55:4024 ->
       11.22.33.44:139 hops=3 Linux [2.5-2.6:] : 1.2.3.4:42624 -> 1.2.3.5:22
       hops=4

       OS fingerprints can be loaded using the nfnl_osf program. To load
       fingerprints from a file, use:

       nfnl_osf -f /usr/share/xtables/pf.os

       To remove them again:

       nfnl_osf -f /usr/share/xtables/pf.os -d

       The fingerprint database can be downloaded from
       http://www.openbsd.org/cgi-bin/cvsweb/src/etc/pf.os

   owner
       This module attempts to match various characteristics of the packet
       creator, for locally generated packets. This match is only valid in
       the OUTPUT and POSTROUTING chains. Forwarded packets do not have any
       socket associated with them. Packets from kernel threads do have a
       socket, but usually no owner.

       [!] --uid-owner username

       [!] --uid-owner userid[-userid]
              Matches if the packet socket's file structure (if it has one) is
              owned by the given user. You may also specify a numerical UID,
              or a UID range.

       [!] --gid-owner groupname

       [!] --gid-owner groupid[-groupid]
              Matches if the packet socket's file structure is owned by the
              given group. You may also specify a numerical GID, or a GID
              range.

       [!] --socket-exists
              Matches if the packet is associated with a socket.

   physdev
       This module matches on the bridge port input and output devices
       enslaved to a bridge device. This module is a part of the
       infrastructure that enables a transparent bridging IP firewall and is
       only useful for kernel versions above version 2.5.44.

       [!] --physdev-in name
              Name of a bridge port via which a packet is received (only for
              packets entering the INPUT, FORWARD and PREROUTING chains). If
              the interface name ends in a "+", then any interface which
              begins with this name will match. If the packet didn't arrive
              through a bridge device, this packet won't match this option,
              unless '!' is used.

       [!] --physdev-out name
              Name of a bridge port via which a packet is going to be sent
              (for packets entering the FORWARD, OUTPUT and POSTROUTING
              chains). If the interface name ends in a "+", then any interface
              which begins with this name will match. Note that in the nat and
              mangle OUTPUT chains one cannot match on the bridge output port,
              however one can in the filter OUTPUT chain. If the packet won't
              leave by a bridge device or if it is yet unknown what the output
              device will be, then the packet won't match this option, unless
              '!' is used.

       [!] --physdev-is-in
              Matches if the packet has entered through a bridge interface.

       [!] --physdev-is-out
              Matches if the packet will leave through a bridge interface.

       [!] --physdev-is-bridged
              Matches if the packet is being bridged and therefore is not
              being routed. This is only useful in the FORWARD and POSTROUTING
              chains.

   pkttype
       This module matches the link-layer packet type.

       [!] --pkt-type {unicast|broadcast|multicast}

   policy
       This module matches the policy used by IPsec for handling a packet.

       --dir {in|out}
              Used to select whether to match the policy used for
              decapsulation or the policy that will be used for
              encapsulation. in is valid in the PREROUTING, INPUT and FORWARD
              chains, out is valid in the POSTROUTING, OUTPUT and FORWARD
              chains.

       --pol {none|ipsec}
              Matches if the packet is subject to IPsec processing. --pol none
              cannot be combined with --strict.

       --strict
              Selects whether to match the exact policy or to match if any
              rule of the policy matches the given policy.

       For each policy element that is to be described, one can use one or
       more of the following options. When --strict is in effect, at least
       one must be used per element.

       [!] --reqid id
              Matches the reqid of the policy rule. The reqid can be specified
              with setkey(8) using unique:id as level.

       [!] --spi spi
              Matches the SPI of the SA.

       [!] --proto {ah|esp|ipcomp}
              Matches the encapsulation protocol.

       [!] --mode {tunnel|transport}
              Matches the encapsulation mode.

       [!] --tunnel-src addr[/mask]
              Matches the source end-point address of a tunnel mode SA. Only
              valid with --mode tunnel.

       [!] --tunnel-dst addr[/mask]
              Matches the destination end-point address of a tunnel mode SA.
              Only valid with --mode tunnel.

       --next Start the next element in the policy specification. Can only be
              used with --strict.

   quota
       Implements network quotas by decrementing a byte counter with each
       packet. The condition matches until the byte counter reaches zero.
       Behavior is reversed with negation (i.e. the condition does not match
       until the byte counter reaches zero).

       [!] --quota bytes
              The quota in bytes.

   rateest
       The rate estimator can match on estimated rates as collected by the
       RATEEST target. It supports matching on absolute bps/pps values,
       comparing two rate estimators, or matching on the difference between
       two rate estimators.

       For a better understanding of the available options, these are all
       possible combinations:

       ·   rateest operator rateest-bps

       ·   rateest operator rateest-pps

       ·   (rateest minus rateest-bps1) operator rateest-bps2

       ·   (rateest minus rateest-pps1) operator rateest-pps2

       ·   rateest1 operator rateest2 rateest-bps(without rate!)

       ·   rateest1 operator rateest2 rateest-pps(without rate!)

       ·   (rateest1 minus rateest-bps1) operator (rateest2 minus
           rateest-bps2)

       ·   (rateest1 minus rateest-pps1) operator (rateest2 minus
           rateest-pps2)

       --rateest-delta
           For each estimator (in either absolute or relative mode),
           calculate the difference between the estimator-determined flow
           rate and the static value chosen with the BPS/PPS options. If the
           flow rate is higher than the specified BPS/PPS, 0 will be used
           instead of a negative value. In other words, "max(0,
           rateest#_rate - rateest#_bps)" is used.

       [!] --rateest-lt
           Match if the rate is less than the given rate or estimator rate.

       [!] --rateest-gt
           Match if the rate is greater than the given rate or estimator
           rate.

       [!] --rateest-eq
           Match if the rate is equal to the given rate or estimator rate.

       In the so-called "absolute mode", only one rate estimator can be used
       and it is compared against a static value only, while in "relative
       mode" two rate estimators can be used and compared against each
       other.

       --rateest name
              Name of the one rate estimator used in absolute mode.

       --rateest1 name

       --rateest2 name
              The names of the two rate estimators used in relative mode.

       --rateest-bps [value]

       --rateest-pps [value]

       --rateest-bps1 [value]

       --rateest-bps2 [value]

       --rateest-pps1 [value]

       --rateest-pps2 [value]
              Compare the estimator(s) against the given value by bytes or
              packets per second. See the bullet list above for which option
              is to be used in which case. A unit suffix may be appended;
              available ones are bit, [kmgt]bit, [KMGT]ibit, Bps,
              [KMGT]Bps and [KMGT]iBps.

       Example: This is what can be used to route outgoing data connections
       from an FTP server over two lines, based on the bandwidth available
       at the time the data connection was started:

       # Estimate outgoing rates

       iptables -t mangle -A POSTROUTING -o eth0 -j RATEEST --rateest-name
       eth0 --rateest-interval 250ms --rateest-ewma 0.5s

       iptables -t mangle -A POSTROUTING -o ppp0 -j RATEEST --rateest-name
       ppp0 --rateest-interval 250ms --rateest-ewma 0.5s

       # Mark based on available bandwidth

       iptables -t mangle -A balance -m conntrack --ctstate NEW -m helper
       --helper ftp -m rateest --rateest-delta --rateest1 eth0 --rateest-bps1
       2.5mbit --rateest-gt --rateest2 ppp0 --rateest-bps2 2mbit -j CONNMARK
       --set-mark 1

       iptables -t mangle -A balance -m conntrack --ctstate NEW -m helper
       --helper ftp -m rateest --rateest-delta --rateest1 ppp0 --rateest-bps1
       2mbit --rateest-gt --rateest2 eth0 --rateest-bps2 2.5mbit -j CONNMARK
       --set-mark 2

       iptables -t mangle -A balance -j CONNMARK --restore-mark

   realm (IPv4-specific)
       This matches the routing realm.  Routing realms are used in complex
       routing setups involving dynamic routing protocols like BGP.

       [!] --realm value[/mask]
              Matches a given realm number (and optionally mask). If not a
              number, value can be a named realm from /etc/iproute2/rt_realms
              (mask can not be used in that case).

   recent
       Allows you to dynamically create a list of IP addresses and then
       match against that list in a few different ways.

       For example, you can create a "badguy" list out of people attempting
       to connect to port 139 on your firewall and then DROP all further
       packets from those addresses.

       --set, --rcheck, --update and --remove are mutually exclusive.

       --name name
              Specify the list to use for the commands. If no name is given,
              DEFAULT will be used.

       [!] --set
              This will add the source address of the packet to the list. If
              the source address is already in the list, the existing entry
              is updated. This always returns success (or always returns
              failure if ! is passed in).

       --rsource
              Match/save the source address of each packet in the recent
              list table. This is the default.

       --rdest
              Match/save the destination address of each packet in the
              recent list table.

       --mask netmask
              Netmask that will be applied to this recent list.

       [!] --rcheck
              Check if the source address of the packet is currently in the
              list.

       [!] --update
              Like --rcheck, except that this option updates the "last seen"
              timestamp if it matches.

       [!] --remove
              Check if the source address of the packet is currently in the
              list; if so, that address is removed from the list and the
              rule returns true. If the address is not found, false is
              returned.

       --seconds seconds
              This option can only be used in conjunction with --rcheck or
              --update. When used, it narrows the match to only happen when
              the address is in the list and was last seen within the given
              number of seconds.

       --reap This option can only be used in conjunction with --seconds.
              When used, it causes entries older than the given number of
              seconds to be purged.

       --hitcount hits
              This option must be used in conjunction with --rcheck or
              --update. When used, it narrows the match to only happen when
              the address is in the list and the number of packets received
              from it is greater than or equal to the given value. This
              option may be used together with --seconds, in which case the
              narrowing applies to the number of hits within the given time
              frame. The maximum value for the hitcount parameter is given
              by the "ip_pkt_list_tot" parameter of the xt_recent kernel
              module; specifying a larger value on the command line causes
              the rule to be rejected.

       --rttl This option can only be used in conjunction with --rcheck or
              --update. When used, it narrows the match to only happen when
              the address is in the list and the TTL of the current packet
              matches the TTL of the packet that hit the --set rule. This
              may be useful when someone forges source addresses and sends
              bogus packets in order to use this module to deny others
              access to your site, i.e. as a DoS attack.

       Examples:

              iptables -A FORWARD -m recent --name badguy --rcheck --seconds
              60 -j DROP

              iptables -A FORWARD -p tcp -i eth0 --dport 139 -m recent --name
              badguy --set -j DROP

       /proc/net/xt_recent/* are the current lists of addresses and the
       information about each entry of each list.

       Each file in /proc/net/xt_recent/ can be read to see the current
       list, or written to using the following commands to modify the list:

       echo +addr >/proc/net/xt_recent/DEFAULT
              add addr to the DEFAULT list

       echo -addr >/proc/net/xt_recent/DEFAULT
              remove addr from the DEFAULT list

       echo / >/proc/net/xt_recent/DEFAULT
              flush the DEFAULT list (remove all entries)

       The module itself also accepts parameters; the defaults are shown
       below.

       ip_list_tot=100
              Number of addresses remembered per table.

       ip_pkt_list_tot=20
              Number of packets remembered per address.

       ip_list_hash_size=0
              Hash table size. 0 means it is calculated based on
              ip_list_tot; default: 512.

       ip_list_perms=0644
              Permissions for the /proc/net/xt_recent/* files.

       ip_list_uid=0
              Numerical UID for ownership of the /proc/net/xt_recent/*
              files.

       ip_list_gid=0
              Numerical GID for group ownership of the /proc/net/xt_recent/*
              files.
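
       The following is an added illustration, not part of this manual page
       or of the xt_recent module: a small emulation of one recent list that
       reproduces the documented behaviour of --set, --rcheck/--update,
       --seconds, --hitcount, --reap and --remove, so the interaction of
       those options can be checked against a constructed timeline before
       a rule is deployed. Addresses, timestamps and the ip_pkt_list_tot
       ring size are constructed sample values.

```python
from collections import deque

# Constructed emulation of one xt_recent list (what /proc/net/xt_recent/<name>
# holds): per address, a ring of the last ip_pkt_list_tot hit timestamps.
# Times are plain seconds so the scenarios below are deterministic.


class RecentList:
    def __init__(self, ip_pkt_list_tot=20):
        self.ip_pkt_list_tot = ip_pkt_list_tot
        self.entries = {}            # addr -> deque of hit times, oldest first

    def set(self, addr, now):
        """--set: add addr, or refresh it if already listed. Always matches."""
        stamps = self.entries.setdefault(addr, deque(maxlen=self.ip_pkt_list_tot))
        stamps.append(now)
        return True

    def check(self, addr, now, seconds=0, hitcount=0, update=False, reap=False):
        """--rcheck (or --update when update=True), optionally narrowed by
        --seconds and --hitcount; --reap purges stale entries as a side effect."""
        stamps = self.entries.get(addr)
        if stamps is None:
            return False
        cutoff = now - seconds
        hits = 0
        matched = False
        for t in stamps:
            if seconds and t < cutoff:          # --seconds: ignore hits outside the window
                continue
            hits += 1
            if not hitcount or hits >= hitcount:  # --hitcount: need this many recent hits
                matched = True
                break
        if reap and seconds:                    # --reap: drop entries not seen in the window
            self.entries = {a: s for a, s in self.entries.items() if s[-1] >= cutoff}
        if update and matched:                  # --update: refresh "last seen" on a match
            self.entries[addr].append(now)
        return matched

    def remove(self, addr):
        """--remove: delete addr from the list; true only if it was listed."""
        return self.entries.pop(addr, None) is not None


def badguy_scenario():
    """The two-rule example above: a port-139 probe at t=0 lists the source;
    FORWARD traffic from it is dropped while --rcheck --seconds 60 matches."""
    badguy = RecentList()
    badguy.set("192.0.2.10", now=0)             # constructed probe source
    return {
        "forward_at_30s": badguy.check("192.0.2.10", now=30, seconds=60),
        "forward_at_90s": badguy.check("192.0.2.10", now=90, seconds=60),
        "other_host": badguy.check("192.0.2.11", now=30, seconds=60),
    }


def hitcount_scenario(arrivals, seconds=60, hitcount=3):
    """Threshold rule pair: '--update --seconds S --hitcount N -j DROP'
    followed by '--set' for everything else. One verdict per arrival time."""
    lst = RecentList()
    verdicts = []
    for t in arrivals:
        if lst.check("192.0.2.20", t, seconds=seconds, hitcount=hitcount, update=True):
            verdicts.append("DROP")
        else:
            lst.set("192.0.2.20", t)
            verdicts.append("ACCEPT")
    return verdicts
```

       Note how --update keeps extending a block while the source keeps
       sending: each dropped packet refreshes the entry, so the address only
       recovers once it stays quiet for the whole --seconds window.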

   rpfilter
       Performs a reverse path filter test on a packet. If a reply to the
       packet would be sent via the same interface that the packet arrived
       on, the packet matches. Note that, unlike the in-kernel rp_filter,
       packets protected by IPsec are not treated specially; combine this
       match with the policy match if you need that. Also, packets arriving
       via the loopback interface are always permitted. This match can only
       be used in the PREROUTING chain of the raw or mangle table.

       --loose
              Specifies that the reverse path filter test should match even
              if the selected output device is not the expected one.

       --validmark
              Also use the packet's nfmark value when performing the reverse
              path route lookup.

       --accept-local
              Permits packets arriving from the network with a source
              address that is also assigned to the local machine.

       --invert
              Inverts the sense of the match: instead of matching packets
              that passed the reverse path filter test, match those that
              failed it.

       Example to log and drop packets failing the reverse path filter test:

       iptables -t raw -N RPFILTER

       iptables -t raw -A RPFILTER -m rpfilter -j RETURN

       iptables -t raw -A RPFILTER -m limit --limit 10/minute -j NFLOG
       --nflog-prefix "rpfilter drop"

       iptables -t raw -A RPFILTER -j DROP

       iptables -t raw -A PREROUTING -j RPFILTER

       Example to drop failed packets without logging:

       iptables -t raw -A RPFILTER -m rpfilter --invert -j DROP

   rt (IPv6-specific)
       Matches on the IPv6 routing header.

       [!] --rt-type type
              Match the given type (numeric).

       [!] --rt-segsleft num[:num]
              Match the `segments left' field (range).

       [!] --rt-len length
              Match the length of this header.

       --rt-0-res
              Match the reserved field, too (type=0).

       --rt-0-addrs addr[,addr...]
              Match type=0 addresses (list).

       --rt-0-not-strict
              The list of type=0 addresses is not a strict list.

   sctp
       [!] --source-port,--sport port[:port]

       [!] --destination-port,--dport port[:port]

       [!] --chunk-types {all|any|only} chunktype[:flags] [...]
              A flag letter in upper case indicates that the flag must be
              set to match; in lower case it indicates that the flag must be
              unset to match.

              Chunk types: DATA INIT INIT_ACK SACK HEARTBEAT HEARTBEAT_ACK
              ABORT SHUTDOWN SHUTDOWN_ACK ERROR COOKIE_ECHO COOKIE_ACK
              ECN_ECNE ECN_CWR SHUTDOWN_COMPLETE ASCONF ASCONF_ACK FORWARD_TSN

              chunk type            available flags
              DATA                  I U B E i u b e
              ABORT                 T t
              SHUTDOWN_COMPLETE     T t

              (lower case means 'flag should not be set', upper case means
              'flag should be set')

       Examples:

       iptables -A INPUT -p sctp --dport 80 -j DROP

       iptables -A INPUT -p sctp --chunk-types any DATA,INIT -j DROP

       iptables -A INPUT -p sctp --chunk-types any DATA:Be -j ACCEPT

   set
       This module matches IP sets which can be defined by ipset(8).

       [!] --match-set setname flag[,flag]...
              where flags are the comma separated list of src and/or dst
              specifications and there can be no more than six of them. Hence
              the command

               iptables -A FORWARD -m set --match-set test src,dst

              will match packets, for which (if the set type is ipportmap) the
              source address and destination port pair can be found in the
              specified set. If the set type of the specified set is single
              dimension (for example ipmap), then the command will match
              packets for which the source address can be found in the
              specified set.

       --return-nomatch
              If the --return-nomatch option is specified and the set type
              supports the nomatch flag, then the matching is reversed: a
              match with an element flagged with nomatch returns true, while a
              match with a plain element returns false.

       ! --update-counters
              If the --update-counters flag is negated, then the packet and
              byte counters of the matching element in the set won't be
              updated. By default the packet and byte counters are updated.

       ! --update-subcounters
              If the --update-subcounters flag is negated, then the packet
              and byte counters of the matching element in the member set of
              a list type of set won't be updated. By default the packet and
              byte counters are updated.

       [!] --packets-eq value
              If the packet matches an element in the set, match only if the
              packet counter of the element matches the given value too.

       --packets-lt value
              If the packet matches an element in the set, match only if the
              packet counter of the element is less than the given value as
              well.

       --packets-gt value
              If the packet matches an element in the set, match only if the
              packet counter of the element is greater than the given value
              as well.

       [!] --bytes-eq value
              If the packet matches an element in the set, match only if the
              byte counter of the element matches the given value too.

       --bytes-lt value
              If the packet matches an element in the set, match only if the
              byte counter of the element is less than the given value as
              well.

       --bytes-gt value
              If the packet matches an element in the set, match only if the
              byte counter of the element is greater than the given value as
              well.

       The packet and byte counters related options and flags are ignored when
       the set was defined without counter support.

       The option --match-set can be replaced by --set if that does not clash
       with an option of other extensions.

       Use of -m set requires that ipset kernel support is provided, which,
       for standard kernels, is the case since Linux 2.6.39.

   socket
       This matches if an open TCP/UDP socket can be found by doing a socket
       lookup on the packet. It matches if there is an established or non-zero
       bound listening socket (possibly with a non-local address). The lookup
       is performed using the packet tuple of TCP/UDP packets, or the original
       TCP/UDP header embedded in an ICMP/ICMPv6 error packet.

       --transparent
              Ignore non-transparent sockets.

       --nowildcard
              Do not ignore sockets bound to 'any' address.  The socket match
              won't accept zero-bound listeners by default, since then local
              services could intercept traffic that would otherwise be
              forwarded.  This option therefore has security implications when
              used to match traffic being forwarded to redirect such packets
              to the local machine with policy routing.  When using the socket
              match to implement fully transparent proxies bound to non-local
              addresses it is recommended to use the --transparent option
              instead.

       Example (assuming packets with mark 1 are delivered locally):

              -t mangle -A PREROUTING -m socket --transparent -j MARK
              --set-mark 1

   state
       The "state" extension is a subset of the "conntrack" module. "state"
       allows access to the connection tracking state for this packet.

       [!] --state state
              Where state is a comma separated list of the connection states
              to match. Only a subset of the states understood by
              "conntrack" can be given: INVALID, ESTABLISHED, NEW, RELATED
              or UNTRACKED. For their description, see the "conntrack"
              heading in this manual page.

   statistic
       This module matches packets based on a statistical condition. It
       supports two distinct modes, settable with the --mode option.

       Supported options:

       --mode mode
              Set the matching mode of the matching rule. Supported modes
              are random and nth.

       [!] --probability p
              Set the probability for a packet to be randomly matched. It
              only works with the random mode. p must be within 0.0 and
              1.0. The supported granularity is 1/2147483648.

       [!] --every n
              Match one packet every n packets. It works only with the nth
              mode (see also the --packet option).

       --packet p
              Set the initial counter value for the nth mode (0 <= p <= n-1,
              default 0).

   string
       This module matches a given string by using one of several pattern
       matching strategies. It requires a Linux kernel >= 2.6.14.

       --algo {bm|kmp}
              Select the pattern matching strategy (bm = Boyer-Moore, kmp =
              Knuth-Pratt-Morris).

       --from offset
              Set the offset from which the search for a match starts. If
              not given, the default is 0.

       --to offset
              Set the offset up to which the search is performed. That is,
              byte offset-1 (counting from 0) is the last byte that is
              scanned. If not given, the default is the packet size.

       [!] --string pattern
              Matches the given pattern.

       [!] --hex-string pattern
              Matches the given pattern in hex notation.

       Examples:

              # The string pattern can be used to search for plain text.
              iptables -A INPUT -p tcp --dport 80 -m string --algo bm --string
              'GET /index.html' -j LOG

              # The hex string pattern can be used to search for
              # non-printable characters, like |0D 0A| or |0D0A|.
              iptables -p udp --dport 53 -m string --algo bm --from 40 --to 57
              --hex-string '|03|www|09|netfilter|03|org|00|'

   tcp
       These extensions can be used if `--protocol tcp' is specified. They
       provide the following options:

       [!] --source-port,--sport port[:port]
              Source port or port range specification. This can either be a
              service name or a port number. An inclusive range can also be
              specified, using the format first:last. If the first port is
              omitted, "0" is assumed; if the last is omitted, "65535" is
              assumed. If the first port is greater than the last one, the
              two are swapped. The flag --sport is a convenient alias for
              this option.

       [!] --destination-port,--dport port[:port]
              Destination port or port range specification. The flag --dport
              is a convenient alias for this option.

       [!] --tcp-flags mask comp
              Match when the TCP flags are as specified. The first argument
              mask is the comma-separated list of flags which should be
              examined, and the second argument comp is the comma-separated
              list of flags which must be set. The recognised flags are SYN
              ACK FIN RST URG PSH ALL NONE. Hence the command
               iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN
              will only match packets with the SYN flag set and the ACK,
              FIN and RST flags unset.

       [!] --syn
              Only match TCP packets with the SYN bit set and the ACK, RST
              and FIN bits cleared. Such packets are used to request TCP
              connection initiation; for example, blocking such packets
              coming in on an interface will prevent incoming TCP
              connections, while outgoing TCP connections are unaffected.
              It is equivalent to --tcp-flags SYN,RST,ACK,FIN SYN. If the
              "!" flag precedes "--syn", only TCP packets with the SYN bit
              cleared and the ACK and RST bits set are matched.

       [!] --tcp-option number
              Match if the given TCP option is set.

   tcpmss
       This matches the TCP MSS (maximum segment size) field of the TCP
       header. It can only be used on TCP SYN or SYN/ACK packets, since the
       MSS is only negotiated during the TCP handshake at connection startup.

       [!] --mss value[:value]
              Match the given TCP MSS value or range.

   time
       This module matches if the packet arrival time/date is within a given
       range. All options are optional, but are ANDed when several are
       specified. By default all times are interpreted as UTC.

       --datestart YYYY[-MM[-DD[Thh[:mm[:ss]]]]]

       --datestop YYYY[-MM[-DD[Thh[:mm[:ss]]]]]
              Only match during the given time (including the date), which
              must be in ISO 8601 "T" notation. The possible range is
              1970-01-01T00:00:00 to 2038-01-19T04:17:07.

              If --datestart or --datestop is not specified, it defaults to
              1970-01-01 or 2038-01-19, respectively.

       --timestart hh:mm[:ss]

       --timestop hh:mm[:ss]
              Only match during the given time of day (without the date).
              The possible range is 00:00:00 to 23:59:59. Leading zeroes
              (as in "06:03") are allowed and correctly interpreted as
              base-10.

       [!] --monthdays day[,day...]
              Only match on the given days of the month. Possible values are
              1 to 31. Of course, specifying 31 will not match in months
              which do not have a 31st day; the same goes for the 29th of
              February.

       [!] --weekdays day[,day...]
              Only match on the given weekdays. Possible values are Mon,
              Tue, Wed, Thu, Fri, Sat, Sun, or the values 1 to 7. The
              two-character forms (Mo, Tu, etc.) may also be used.

       --contiguous
              When --timestop is smaller than --timestart, match this as a
              single time period instead of distinct intervals. See the
              examples.

       --kerneltz
              Use the kernel timezone instead of UTC to determine whether a
              packet meets the time specification.

       About kernel timezones: Linux keeps the system time in UTC, and always
       does so.  On boot, system time is initialized from a referential time
       source. Where this time source has no timezone information, such as the
       x86 CMOS RTC, UTC will be assumed. If the time source is however not in
       UTC, userspace should provide the correct system time and timezone to
       the kernel once it has the information.

       Local time is a feature on top of the (timezone independent) system
       time. Each process has its own idea of local time, specified via the TZ
       environment variable. The kernel also has its own timezone offset
       variable. The TZ userspace environment variable specifies how the
       UTC-based system time is displayed, e.g. when you run date(1), or what
       you see on your desktop clock.  The TZ string may resolve to different
       offsets at different dates, which is what enables the automatic
       time-jumping in userspace when DST changes. The kernel's timezone
       offset variable is used when it has to convert between non-UTC sources,
       such as FAT filesystems, to UTC (since the latter is what the rest of
       the system uses).

       The caveat with the kernel timezone is that Linux distributions may
       neglect to set the kernel timezone, and instead only set the system
       time. Even if a particular distribution does set the timezone at boot,
       it usually does not keep the kernel timezone offset - which is what
       changes on DST - up to date.  ntpd will not touch the kernel timezone,
       so running it will not resolve the issue. As such, one may encounter a
       timezone that is always +0000, or one that is wrong half of the time of
       the year. As such, using --kerneltz is highly discouraged.

       Examples. To match on weekends:

              -m time --weekdays Sa,Su

       To match (once) on a national holiday block:

              -m time --datestart 2007-12-24 --datestop 2007-12-27

       Since the stop time is actually inclusive, you need the following
       stop time so as not to match the first second of the new day:

              -m time --datestart 2007-01-01T17:00 --datestop
              2007-01-01T23:59:59

       During the lunch hour:

              -m time --timestart 12:30 --timestop 13:30

       The fourth Friday of the month:

              -m time --weekdays Fr --monthdays 22,23,24,25,26,27,28

       (Note that this exploits a mathematical property. It is not possible
       to say "fourth Thursday OR fourth Friday" in a single rule; it is
       possible with multiple rules, though.)

       Matching across days might not do what is expected. For instance,

              -m time --weekdays Mo --timestart 23:00 --timestop 01:00
              matches Monday for one hour from midnight to 1 a.m., and then
              again for another hour from 23:00 onwards. If this is not what
              you want, e.g. if you would like to match for two hours from
              Monday 23:00 onwards, you need to add the --contiguous option
              to the rule above.
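
       The following is an added illustration, not part of this manual page
       or of the xt_time module: an emulation of the time match's decision
       rule in UTC (no --kerneltz), written to make the behaviour of the
       examples above, in particular the inclusive stop time and the effect
       of --contiguous on a period that wraps past midnight, checkable with
       constructed packet timestamps. The 2007 dates are those used in the
       examples above (24 December 2007 is a Monday).

```python
from datetime import datetime, timedelta, timezone

# Constructed emulation of the time match's decision logic (UTC only).
# Weekday numbering follows the option syntax: Mo..Su or 1..7 for Monday..Sunday.
WEEKDAYS = {"Mo": 0, "Tu": 1, "We": 2, "Th": 3, "Fr": 4, "Sa": 5, "Su": 6}


def parse_daytime(text):
    """hh:mm[:ss] -> seconds since midnight."""
    parts = [int(p) for p in text.split(":")] + [0, 0]
    return parts[0] * 3600 + parts[1] * 60 + parts[2]


def parse_date(text):
    """YYYY[-MM[-DD[Thh[:mm[:ss]]]]] -> aware UTC datetime; omitted parts are the lowest value."""
    date_part, _, time_part = text.partition("T")
    y, m, d = ([int(p) for p in date_part.split("-")] + [1, 1])[:3]
    if time_part:
        h, mi, s = ([int(p) for p in time_part.split(":")] + [0, 0])[:3]
    else:
        h, mi, s = 0, 0, 0
    return datetime(y, m, d, h, mi, s, tzinfo=timezone.utc)


def weekday_set(text):
    """'Mo,Fr' or '1,5' -> set of Python weekday numbers (Monday == 0)."""
    return {int(d) - 1 if d.isdigit() else WEEKDAYS[d[:2]] for d in text.split(",")}


def time_match(when, datestart=None, datestop=None, timestart=None, timestop=None,
               monthdays=None, weekdays=None, contiguous=False):
    """True if the packet time `when` (aware UTC datetime) satisfies every given option."""
    if datestart is not None and when < parse_date(datestart):
        return False
    if datestop is not None and when > parse_date(datestop):   # stop time is inclusive
        return False
    day_stamp = when                    # the day whose weekday/monthday is checked
    if timestart is not None or timestop is not None:
        start = parse_daytime(timestart or "00:00:00")
        stop = parse_daytime(timestop or "23:59:59")
        daytime = when.hour * 3600 + when.minute * 60 + when.second
        if start < stop:
            if daytime < start or daytime > stop:
                return False
        else:                           # the period wraps past midnight
            if stop < daytime < start:
                return False
            if contiguous and daytime <= stop:
                # --contiguous: the part after midnight still belongs to the
                # day on which the period started, so that day is checked
                day_stamp = when - timedelta(days=1)
    if weekdays is not None and day_stamp.weekday() not in weekday_set(weekdays):
        return False
    if monthdays is not None and day_stamp.day not in {int(d) for d in monthdays.split(",")}:
        return False
    return True


def utc(*args):
    """Constructed packet timestamp helper: utc(2007, 12, 24, 23, 30)."""
    return datetime(*args, tzinfo=timezone.utc)
```

       With --weekdays Mo --timestart 23:00 --timestop 01:00, a packet at
       Tuesday 00:30 is rejected without --contiguous (Tuesday is not in the
       weekday set) but accepted with it, while Monday 00:30 behaves the
       other way round, which is exactly the difference described above.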

   tos
       This module matches the 8-bit Type of Service field in the IPv4
       header (i.e. including the Precedence bits) or the (also 8-bit)
       Priority field in the IPv6 header.

       [!] --tos value[/mask]
              Matches packets with the given TOS mark value. If a mask is
              specified, it is logically ANDed with the TOS mark before the
              comparison.

       [!] --tos symbol
              A symbolic name can be used when matching on the IPv4 tos
              field. The list of recognized TOS names can be obtained by
              calling iptables with -m tos -h. Using a symbolic name implies
              a mask of 0x3F (all bits except the ECN bits).

   ttl (IPv4-specific)
       This module matches the time to live field in the IP header.

       [!] --ttl-eq ttl
              Matches the given TTL value.

       --ttl-gt ttl
              Matches if the TTL is greater than the given TTL value.

       --ttl-lt ttl
              Matches if the TTL is less than the given TTL value.

   u32
       U32 tests whether quantities of up to 4 bytes extracted from a packet
       have the specified values. The specification of what to extract is
       general enough to find data at given offsets from TCP headers or
       payloads.

       [!] --u32 tests
              The argument amounts to a program in the small language
              described below.

              tests := location "=" value | tests "&&" location "=" value

              value := range | value "," range

              range := number | number ":" number

       A single number n is interpreted the same as n:n. n:m is interpreted
       as the range of numbers >=n and <=m.

           location := number | location operator number

           operator := "&" | "<<" | ">>" | "@"

       The operators &, <<, >> and && mean the same as in C. The = is really
       a set membership operator, and the value syntax describes a set. The @
       operator is what allows moving to the next header and is described
       further below.

       There are currently some artificial implementation limits on the size
       of the tests:

           *  no more than 10 of "=" (and 9 "&&"s) in the u32 argument

           *  no more than 10 ranges (and 9 commas) per value

           *  no more than 10 numbers (and 9 operators) per location

       To describe the meaning of location, imagine the following machine
       that interprets it. There are three registers:

              A is of type char *, initially the address of the IP header

              B and C are 32 bit integers, initially zero

       The instructions are:

              number B = number;

              C = (*(A+B)<<24) + (*(A+B+1)<<16) + (*(A+B+2)<<8) + *(A+B+3)

              &number C = C & number

              << number C = C << number

              >> number C = C >> number

              @number A = A + C; then do the instruction number

       Any access of memory outside [skb->data,skb->end] causes the match to
       fail. Otherwise the result of the computation is the final value of
       C.

       Whitespace is allowed but not required in the tests. However, the
       characters that do occur there are likely to require shell quoting,
       so it is a good idea to enclose the whole argument in quotes.

       Example:

              match IP packets with total length >= 256

              The IP header contains the total length field in bytes 2-3.

              --u32 "0 & 0xFFFF = 0x100:0xFFFF"

              read bytes 0-3

              AND that with 0xFFFF (giving bytes 2-3), and test whether the
              value is in the range [0x100:0xFFFF]

       Example: (more realistic, hence more complicated)

              match ICMP packets with ICMP type 0

              First test that it is an ICMP packet: true iff byte 9
              (protocol) = 1

              --u32 "6 & 0xFF = 1 && ...

              read bytes 6-9, use & to throw away bytes 6-8 and compare the
              result to 1. Next test that it is not a fragment. (If it is a
              fragment, it might be part of such a packet, but we cannot
              always tell.) N.B.: this test is generally needed if you want
              to match anything beyond the IP header. The last 6 bits of
              byte 6 and all of byte 7 are 0 iff this is a complete packet
              (not a fragment). Alternatively, you can allow first fragments
              by only testing the last 5 bits of byte 6.

              ... 4 & 0x3FFF = 0 && ...

              Last test: the first byte past the IP header (the ICMP type)
              is 0. This is where the @ syntax has to be used. The length of
              the IP header (IHL) in 32 bit words is stored in the right
              half of byte 0 of the IP header itself.

              ... 0 >> 22 & 0x3C @ 0 >> 24 = 0"

              The first 0 means read bytes 0-3, >>22 means shift that value
              22 bits to the right. Shifting 24 bits would give the first
              byte, so shifting only 22 bits gives four times that value
              (plus a few extra bits). &3C then eliminates the two extra
              bits on the right and the first four bits of the first byte.
              For instance, if IHL=5, then the IP header is 20 (4 x 5) bytes
              long. In this case, bytes 0-1 are (in binary) xxxx0101
              yyzzzzzz, >>22 gives the 10 bit value xxxx0101yy, and &3C
              gives 010100. @ means to use this number as a new offset into
              the packet, and read four bytes starting from there. These are
              the first 4 bytes of the ICMP payload, of which byte 0 is the
              ICMP type. Therefore, the value is simply shifted 24 bits to
              the right to throw out all but the first byte, and the result
              is compared with 0.

       Example:

              test whether TCP payload bytes 8-12 are any of 1, 2, 5 or 8

              First test that the packet is a TCP packet (similar to ICMP).

              --u32 "6 & 0xFF = 6 && ...

              Next, test that it is not a fragment (same as above).

              ... 0 >> 22 & 0x3C @ 12 >> 26 & 0x3C @ 8 = 1,2,5,8"

              As explained above, 0>>22&3C computes the number of bytes in
              the IP header. @ makes this the new offset into the packet,
              which is the start of the TCP header. The length of the TCP
              header (again in 32 bit words) is in the left half of byte 12
              of the TCP header. 12>>26&3C computes this length in bytes
              (similar to the IP header before). "@" makes this the new
              offset, which now points at the start of the TCP payload.
              Finally, 8 reads bytes 8-12 of the payload and = checks
              whether the extracted value is any of 1, 2, 5 or 8.
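
       The following is an added illustration, not part of this manual page
       or of the xt_u32 module: an interpreter for the tests language and
       the three-register machine described above, run over constructed
       packets so that the three example tests can be verified (including
       the out-of-bounds case, where a read past the end of the packet
       fails the match). The packet builder, sample addresses and the
       constant names are constructed for this example.

```python
import re
import struct

# Constructed emulator of the u32 match machine described above.
# Registers: A (offset into the packet, initially the IP header), B, C.
TOKEN_RE = re.compile(r"\s*(0x[0-9a-fA-F]+|\d+|<<|>>|&&|[&@=,:])")


class NoMatch(Exception):
    """A location read outside the packet: the whole match fails."""


def tokenize(tests):
    tokens, pos, tests = [], 0, tests.strip()
    while pos < len(tests):
        m = TOKEN_RE.match(tests, pos)
        if not m:
            raise ValueError("unexpected input: %r" % tests[pos:])
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


def number(tok):
    return int(tok, 16) if tok.lower().startswith("0x") else int(tok, 10)


def read32(pkt, off):
    """C = (*(A+B)<<24) + (*(A+B+1)<<16) + (*(A+B+2)<<8) + *(A+B+3)."""
    if off < 0 or off + 4 > len(pkt):
        raise NoMatch()
    return struct.unpack_from(">I", pkt, off)[0]


def eval_location(tokens, i, pkt):
    """Run one location program starting at tokens[i]; return (C, next index)."""
    a = 0
    c = read32(pkt, a + number(tokens[i]))     # "number": B = number, load C
    i += 1
    while i < len(tokens) and tokens[i] in ("&", "<<", ">>", "@"):
        op, n = tokens[i], number(tokens[i + 1])
        i += 2
        if op == "&":
            c &= n
        elif op == "<<":
            c = (c << n) & 0xFFFFFFFF
        elif op == ">>":
            c >>= n
        else:                                   # "@": A = A + C, then load at A + n
            a += c
            c = read32(pkt, a + n)
    return c, i


def u32_match(tests, pkt):
    """Evaluate an --u32 test string against raw packet bytes (IP header first)."""
    tokens = tokenize(tests)
    i = 0
    try:
        while True:
            c, i = eval_location(tokens, i, pkt)
            if i >= len(tokens) or tokens[i] != "=":
                raise ValueError("expected '=' at token %d" % i)
            i += 1
            in_set = False                      # "=" is set membership over the ranges
            while True:
                lo = hi = number(tokens[i])
                i += 1
                if i < len(tokens) and tokens[i] == ":":
                    hi = number(tokens[i + 1])
                    i += 2
                in_set = in_set or lo <= c <= hi
                if i < len(tokens) and tokens[i] == ",":
                    i += 1
                    continue
                break
            if not in_set:
                return False
            if i == len(tokens):
                return True
            if tokens[i] != "&&":
                raise ValueError("expected '&&' at token %d" % i)
            i += 1
    except NoMatch:
        return False


def ipv4(proto, payload, total_len=None, frag=0):
    """Constructed IPv4 header (IHL=5, no options, zero checksum) in front of payload."""
    tl = len(payload) + 20 if total_len is None else total_len
    return struct.pack(">BBHHHBBH4s4s", 0x45, 0, tl, 0x1234, frag, 64, proto, 0,
                       bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])) + payload


# Constructed sample packets.
ICMP_ECHO_REPLY = ipv4(1, bytes([0, 0, 0, 0, 0, 1, 0, 1]))
ICMP_ECHO_REQUEST = ipv4(1, bytes([8, 0, 0, 0, 0, 1, 0, 1]))
ICMP_FRAGMENT = ipv4(1, bytes(8), frag=0x2000)                 # MF flag set
TCP_HDR = struct.pack(">HHIIBBHHH", 1234, 80, 1, 1, 0x50, 0x18, 8192, 0, 0)
TCP_PAYLOAD_5 = ipv4(6, TCP_HDR + bytes(8) + struct.pack(">I", 5))
TCP_SHORT = ipv4(6, TCP_HDR + bytes(8))                        # ends before payload bytes 8-11
BIG_PACKET = ipv4(1, bytes(8), total_len=300)

# The three tests from the examples above.
TOTAL_LEN_GE_256 = "0 & 0xFFFF = 0x100:0xFFFF"
ICMP_TYPE0 = "6 & 0xFF = 1 && 4 & 0x3FFF = 0 && 0 >> 22 & 0x3C @ 0 >> 24 = 0"
TCP_PAYLOAD = "6 & 0xFF = 6 && 4 & 0x3FFF = 0 && 0 >> 22 & 0x3C @ 12 >> 26 & 0x3C @ 8 = 1,2,5,8"
```

       TCP_SHORT shows the boundary rule in action: the final "@ 8" would
       read four bytes past the end of the packet, so the match fails rather
       than reading stale memory, which is why a rule on a payload offset
       can never match packets that are shorter than that offset.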

   udp
       These extensions can be used if `--protocol udp' is specified. They
       provide the following options:

       [!] --source-port,--sport port[:port]
              Source port or port range specification. See the description
              of the --source-port option of the TCP extension for details.

       [!] --destination-port,--dport port[:port]
              Destination port or port range specification. See the
              description of the --destination-port option of the TCP
              extension for details.

   unclean (IPv4-specific)
       This module takes no options, but attempts to match packets which
       seem malformed or unusual. It is regarded as experimental.

TARGET EXTENSIONS
       iptables can use extended target modules: the following are included
       in the standard distribution.

   AUDIT
       This target allows creating audit records for packets hitting the
       target. It can be used to record accepted, dropped and rejected
       packets. See auditd(8) for additional details.

       --type {accept|drop|reject}
              Set the type of the audit record.

       Example:

              iptables -N AUDIT_DROP

              iptables -A AUDIT_DROP -j AUDIT --type drop

              iptables -A AUDIT_DROP -j DROP

   CHECKSUM
       This target allows selectively working around broken or old
       applications. It can only be used in the mangle table.

       --checksum-fill
              Compute and fill in the checksum in a packet that lacks a
              checksum.  This is particularly useful, if you need to work
              around old applications such as dhcp clients, that do not work
              well with checksum offloads, but don't want to disable checksum
              offload in your device.

   CLASSIFY
       This module allows you to set the skb->priority value (and thus
       classify the packet into a specific CBQ class).

       --set-class major:minor
              Set the major and minor class value. The values are always
              interpreted as hexadecimal, even if no 0x prefix is given.

   CLUSTERIP (IPv4-specific)
       This module allows you to configure a simple cluster of nodes that
       share a certain IP and MAC address without an explicit load balancer in
       front of them. Connections are statically distributed between the nodes
       in this cluster.

       --new  Create a new ClusterIP. You always have to set this on the first
              rule for a given ClusterIP.

       --hashmode mode
              Specify the hashing mode. Has to be one of sourceip,
              sourceip-sourceport, sourceip-sourceport-destport.

       --clustermac mac
              Specify the ClusterIP MAC address. Has to be a link-layer
              multicast address.

       --total-nodes num
              Number of total nodes within this cluster.

       --local-node num
              Local node number within this cluster.

       --hash-init rnd
              Specify the random seed used for hash initialization.

   CONNMARK
       This module sets the netfilter mark value associated with a connection.
       The mark is 32 bits wide.

       --set-xmark value[/mask]
              Zero out the bits given by mask and XOR value into the ctmark.

       --save-mark [--nfmask nfmask] [--ctmask ctmask]
              Copy the packet mark (nfmark) to the connection mark (ctmark)
              using the given masks. The new ctmark value is determined as
              follows:

              ctmark = (ctmark & ~ctmask) ^ (nfmark & nfmask)

              i.e. ctmask defines which bits to clear and nfmask which bits of
              the nfmark to XOR into the ctmark. ctmask and nfmask default to
              0xFFFFFFFF.

       --restore-mark [--nfmask nfmask] [--ctmask ctmask]
              Copy the connection mark (ctmark) to the packet mark (nfmark)
              using the given masks. The new nfmark value is determined as
              follows:

              nfmark = (nfmark & ~nfmask) ^ (ctmark & ctmask)

              i.e. nfmask defines which bits to clear and ctmask which bits of
              the ctmark to XOR into the nfmark. ctmask and nfmask default to
              0xFFFFFFFF.

              --restore-mark is only valid in the mangle table.

       The following mnemonics are available for --set-xmark:

       --and-mark bits
              Binary AND the ctmark with bits. (Mnemonic for --set-xmark
              0/invbits, where invbits is the binary negation of bits.)

       --or-mark bits
              Binary OR the ctmark with bits. (Mnemonic for --set-xmark
              bits/bits.)

       --xor-mark bits
              Binary XOR the ctmark with bits. (Mnemonic for --set-xmark
              bits/0.)

       --set-mark value[/mask]
              Set the connection mark. If a mask is specified then only those
              bits set in the mask are modified.

       --save-mark [--mask mask]
              Copy the nfmark to the ctmark. If a mask is specified, only
              those bits are copied.

       --restore-mark [--mask mask]
              Copy the ctmark to the nfmark. If a mask is specified, only
              those bits are copied. This is only valid in the mangle table.

   CONNSECMARK
       This module copies security markings from packets to connections (if
       unlabeled), and from connections back to packets (also only if
       unlabeled).  Typically used in conjunction with SECMARK, it is valid in
       the security table (for backwards compatibility with older kernels, it
       is also valid in the mangle table).

       --save If the packet has a security marking, copy it to the connection
              if the connection is not marked.

       --restore
              If the packet does not have a security marking, and the
              connection does, copy the security marking from the connection
              to the packet.


   CT
       The CT target allows to set parameters for a packet or its associated
       connection. The target attaches a "template" connection tracking entry
       to the packet, which is then used by the conntrack core when
       initializing a new ct entry. This target is thus only valid in the
       "raw" table.

       --notrack
              Disables connection tracking for this packet.

       --helper name
              Use the helper identified by name for the connection. This is
              more flexible than loading the conntrack helper modules with
              preset ports.

       --ctevents event[,...]
              Only generate the specified conntrack events for this
              connection. Possible event types are: new, related, destroy,
              reply, assured, protoinfo, helper, mark (this refers to the
              ctmark, not nfmark), natseqinfo, secmark (ctsecmark).

       --expevents event[,...]
              Only generate the specified expectation events for this
              connection.  Possible event types are: new.

       --zone id
              Assign this packet to zone id and only have lookups done in that
              zone.  By default, packets have zone 0.

       --timeout name
              Use the timeout policy identified by name for the connection.
              This provides more flexible timeout policy definition than the
              global timeout values available at
              /proc/sys/net/netfilter/nf_conntrack_*_timeout_*.

   DNAT
       This target is only valid in the nat table, in the PREROUTING and
       OUTPUT chains, and user-defined chains which are only called from those
       chains. It specifies that the destination address of the packet should
       be modified (and all future packets in this connection will also be
       mangled), and rules should cease being examined. It takes the following
       options:

       --to-destination [ipaddr[-ipaddr]][:port[-port]]
              which can specify a single new destination IP address, or an
              inclusive range of IP addresses. Optionally a port range, if the
              rule also specifies one of the following protocols: tcp, udp,
              dccp or sctp. If no port range is specified, then the
              destination port will never be modified. If no IP address is
              specified then only the destination port will be modified. In
              kernels up to 2.6.10 you can add several --to-destination
              options. For those kernels, if you specify more than one
              destination address, either via an address range or multiple
              --to-destination options, a simple round-robin (one after
              another in cycle) load balancing takes place between these
              addresses. Later kernels (>= 2.6.11-rc1) don't have the ability
              to NAT to multiple ranges anymore.

       --random
              If option --random is used then port mapping will be randomized
              (kernel >= 2.6.22).

       --persistent
              Gives a client the same source-/destination-address for each
              connection. This supersedes the SAME target. Support for
              persistent mappings is available from 2.6.29-rc2.

       IPv6 support available since Linux kernel 3.7.

   DNPT (IPv6-specific)
       Provides stateless destination IPv6-to-IPv6 Network Prefix Translation
       (as described by RFC 6296).

       You have to use this target in the mangle table, not in the nat table.
       It takes the following options:

       --src-pfx [prefix/length]
              Set the source prefix that you want to translate and its length.

       --dst-pfx [prefix/length]
              Set the destination prefix that you want to translate and its
              length.

       You have to use the SNPT target to undo the translation. Example:

              ip6tables -t mangle -I POSTROUTING -s fd00::/64  -o vboxnet0 -j
              SNPT --src-pfx fd00::/64 --dst-pfx 2001:e20:2000:40f::/64

              ip6tables -t mangle -I PREROUTING -i wlan0 -d
              2001:e20:2000:40f::/64 -j DNPT --src-pfx 2001:e20:2000:40f::/64
              --dst-pfx fd00::/64

       You may need to enable IPv6 neighbor proxy:

              sysctl -w net.ipv6.conf.all.proxy_ndp=1

       You also have to use the NOTRACK target to disable connection tracking
       for translated flows.

   DSCP
       This target allows to alter the value of the DSCP bits within the TOS
       header of the IPv4 packet. As this manipulates a packet, it can only be
       used in the mangle table.

       --set-dscp value
              Set the DSCP field to a numerical value (can be decimal or hex).

       --set-dscp-class class
              Set the DSCP field to a DiffServ class.

   ECN (IPv4-specific)
       This target allows to selectively work around known ECN blackholes. It
       can only be used in the mangle table.

       --ecn-tcp-remove
              Remove all ECN bits (translator's note: the ECE/CWR flags) from
              the TCP header. Of course, it can only be used in conjunction
              with -p tcp.

   HL (IPv6-specific)
       This is used to modify the Hop Limit field in the IPv6 header. The Hop
       Limit field is similar to what is known as the TTL value in IPv4.
       Setting or incrementing the Hop Limit field can potentially be very
       dangerous, so it should be avoided at any cost. This target is only
       valid in the mangle table.

       Don't ever set or increment the value on packets that leave your local
       network!

       --hl-set value
              Set the Hop Limit to `value'.

       --hl-dec value
              Decrement the Hop Limit `value' times.

       --hl-inc value
              Increment the Hop Limit `value' times.

   HMARK
       Like MARK, i.e. set the fwmark, but the mark is calculated from hashing
       packet selector at choice. You have also to specify the mark range and,
       optionally, the offset to start from. ICMP error messages are inspected
       and used to calculate the hashing.

       Existing options are:

       --hmark-tuple tuple
              Possible tuple members are: src meaning source address (IPv4,
              IPv6 address), dst meaning destination address (IPv4, IPv6
              address), sport meaning source port (TCP, UDP, UDPlite, SCTP,
              DCCP), dport meaning destination port (TCP, UDP, UDPlite, SCTP,
              DCCP), spi meaning Security Parameter Index (AH, ESP), and ct
              meaning the usage of the conntrack tuple instead of the packet
              selectors.

       --hmark-mod value (must be > 0)
              Modulus for hash calculation (to limit the range of possible
              marks)

       --hmark-offset value
              Offset to start marks from.

       For advanced usage, instead of using --hmark-tuple, you can specify
       custom prefixes and masks:

       --hmark-src-prefix cidr
              The source address mask in CIDR notation.

       --hmark-dst-prefix cidr
              The destination address mask in CIDR notation.

       --hmark-sport-mask value
              A 16 bit source port mask in hexadecimal.

       --hmark-dport-mask value
              A 16 bit destination port mask in hexadecimal.

       --hmark-spi-mask value
              A 32 bit field with spi mask.

       --hmark-proto-mask value
              An 8 bit field with layer 4 protocol number.

       --hmark-rnd value
              A 32 bit random custom value to feed hash calculation.

       Examples:

       iptables -t mangle -A PREROUTING -m conntrack --ctstate NEW
        -j HMARK --hmark-tuple ct,src,dst,proto --hmark-offset 10000
       --hmark-mod 10 --hmark-rnd 0xfeedcafe

       iptables -t mangle -A PREROUTING -j HMARK --hmark-offset 10000
       --hmark-tuple src,dst,proto --hmark-mod 10 --hmark-rnd 0xdeafbeef

   IDLETIMER
       This target can be used to identify when interfaces have been idle for
       a certain period of time.  Timers are identified by labels and are
       created when a rule is set with a new label.  The rules also take a
       timeout value (in seconds) as an option.  If more than one rule uses
       the same timer label, the timer will be restarted whenever any of the
       rules get a hit.  One entry for each timer is created in sysfs.  This
       attribute contains the timer remaining for the timer to expire.  The
       attributes are located under the xt_idletimer class:

       /sys/class/xt_idletimer/timers/<label>

       When the timer expires, the target module sends a sysfs notification to
       the userspace, which can then decide what to do (eg. disconnect to save
       power).

       --timeout amount
              This is the time in seconds that will trigger the notification.

       --label string
              This is a unique identifier for the timer.  The maximum length
              for the label string is 27 characters.

   LED
       This creates an LED-trigger that can then be attached to system
       indicator lights, to blink or illuminate them when certain packets pass
       through the system. One example might be to light up an LED for a few
       minutes every time an SSH connection is made to the local machine. The
       following options control the trigger behavior:

       --led-trigger-id name
              This is the name given to the LED trigger. The actual name of
              the trigger will be prefixed with "netfilter-".

       --led-delay ms
              This indicates how long (in milliseconds) the LED should be left
              illuminated when a packet arrives before being switched off
              again. The default is 0 (blink as fast as possible.) The special
              value inf can be given to leave the LED on permanently once
              activated. (In this case the trigger will need to be manually
              detached and reattached to the LED device to switch it off
              again.)

       --led-always-blink
              Always make the LED blink on packet arrival, even if the LED is
              already on.  This allows notification of new packets even with
              long delay values (which otherwise would result in a silent
              prolonging of the delay time.)

       Example:

       Create an LED trigger for incoming SSH traffic:
              iptables -A INPUT -p tcp --dport 22 -j LED --led-trigger-id ssh

       Then attach the new trigger to an LED:
              echo netfilter-ssh >/sys/class/leds/ledname/trigger

   LOG
       Turn on kernel logging of matching packets. When this option is set for
       a rule, the Linux kernel will print some information on all matching
       packets (like most IP/IPv6 header fields) via the kernel log (where it
       can be read with dmesg(1) or read in the syslog).

       This is a "non-terminating target", i.e. rule traversal continues at
       the next rule. So if you want to LOG the packets you refuse, use two
       separate rules with the same matching criteria, first using target LOG
       then DROP (or REJECT).

       --log-level level
              Level of logging, which can be (system-specific) numeric or a
              mnemonic. Possible values are (in decreasing order of
              priority): emerg, alert, crit, error, warning, notice, info or
              debug.

       --log-prefix prefix
              Prefix log messages with the specified prefix; up to 29 letters
              long, and useful for distinguishing messages in the logs.

       --log-tcp-sequence
              Log TCP sequence numbers. This is a security risk if the log is
              readable by users.

       --log-tcp-options
              Log options from the TCP packet header.

       --log-ip-options
              Log options from the IP/IPv6 packet header.

       --log-uid
              Log the user ID of the process which generated the packet.
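       The LOG output described above only pays off if something reads it
       back. The following is an added example written for this page, not
       code from iptables or the man page: it parses lines in the shape the
       kernel LOG target emits (the --log-prefix text directly before the IN=
       field, then KEY=VALUE fields and bare flags such as DF and SYN) and
       runs one simple detection over them, reporting sources whose dropped
       TCP SYNs hit several distinct ports. The sample lines, the "FW-DROP:"
       prefix and the addresses in them are constructed for the illustration.

```python
from collections import defaultdict

# Constructed sample lines in the shape the kernel LOG target writes (values
# are made up for this illustration, not captured from a real system). The text
# given with --log-prefix appears directly before the IN= field.
SAMPLE_LOG = """\
kernel: [ 1234.567890] FW-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=12345 DF PROTO=TCP SPT=44321 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
kernel: [ 1234.600000] FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=12346 DF PROTO=TCP SPT=44322 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
kernel: [ 1234.700000] FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=12347 DF PROTO=TCP SPT=44323 DPT=3389 WINDOW=29200 RES=0x00 SYN URGP=0
kernel: [ 1235.000000] FW-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=1 PROTO=UDP SPT=5353 DPT=5353 LEN=24
kernel: [ 1235.100000] FW-ACCEPT: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=50000 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
"""


def parse_log_line(line: str) -> dict:
    """Split one LOG line into its --log-prefix text, KEY=VALUE fields and bare
    flags (DF, SYN, ACK, ...). Raises ValueError for lines that are not LOG
    output."""
    start = line.find("IN=")
    if start < 0:
        raise ValueError("not a netfilter LOG line: %r" % line)
    head = line[:start]
    # Drop the dmesg/syslog lead-in ("kernel: [ uptime ]") if present.
    if "]" in head:
        head = head.rsplit("]", 1)[1]
    rec = {"prefix": head.strip(), "flags": []}
    for tok in line[start:].split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            rec.setdefault(key, val)  # UDP lines carry two LEN= fields; keep the IP one
        else:
            rec["flags"].append(tok)
    return rec


def dropped_syn_fanout(text: str, prefix: str = "FW-DROP:", min_ports: int = 3) -> dict:
    """For lines carrying `prefix`, group dropped TCP SYNs by source address and
    report sources that touched at least `min_ports` distinct destination
    ports. This is the kind of detection a LOG-then-DROP rule pair with a
    distinctive --log-prefix makes possible."""
    seen = defaultdict(set)
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_log_line(line)
        if rec["prefix"] != prefix or rec.get("PROTO") != "TCP" or "SYN" not in rec["flags"]:
            continue
        seen[rec["SRC"]].add(int(rec["DPT"]))
    return {src: sorted(ports) for src, ports in seen.items() if len(ports) >= min_ports}


if __name__ == "__main__":
    print(dropped_syn_fanout(SAMPLE_LOG))  # one source touched ports 22, 23 and 3389
```

       The prefix comparison is exact, so keep each rule's --log-prefix
       distinct within the 29-character limit; the parser keeps the first of
       duplicate keys because UDP lines carry both the IP and the UDP LEN=
       field.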

   MARK
       This target is used to set the Netfilter mark value associated with the
       packet. It can, for example, be used in conjunction with routing based
       on fwmark (needs iproute2). If you plan on doing so, note that in order
       to have the mark be considered at routing time, you need to set it in
       the PREROUTING chain of the mangle table. The mark field is 32 bits
       wide.

       --set-xmark value[/mask]
              Zero out the bits given by mask and XOR value into the packet
              mark ("nfmark"). If mask is omitted, 0xFFFFFFFF is assumed.

       --set-mark value[/mask]
              Zero out the bits given by mask and OR value into the packet
              mark. If mask is omitted, 0xFFFFFFFF is assumed.

       The following mnemonics are available:

       --and-mark bits
              Binary AND the nfmark with bits. (Mnemonic for --set-xmark
              0/invbits, where invbits is the binary negation of bits.)

       --or-mark bits
              Binary OR the nfmark with bits. (Mnemonic for --set-xmark
              bits/bits.)

       --xor-mark bits
              Binary XOR the nfmark with bits. (Mnemonic for --set-xmark
              bits/0.)
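       The --set-xmark, --set-mark and mnemonic options of MARK above, and the
       --save-mark/--restore-mark formulas of CONNMARK earlier, are plain bit
       arithmetic on 32-bit values. The following added example (not code from
       iptables; the function names are ours) models that arithmetic so the
       mnemonic equivalences and a save/restore round-trip through the
       connection mark can be checked without touching a kernel.

```python
MASK32 = 0xFFFFFFFF


def set_xmark(mark: int, value: int, mask: int = MASK32) -> int:
    """--set-xmark value/mask: zero the bits in mask, then XOR value in."""
    return ((mark & ~mask) ^ value) & MASK32


def set_mark(mark: int, value: int, mask: int = MASK32) -> int:
    """MARK --set-mark value/mask: zero the bits in mask, then OR value in."""
    return ((mark & ~mask) | value) & MASK32


def and_mark(mark: int, bits: int) -> int:
    """--and-mark bits, spelled as the page's mnemonic --set-xmark 0/invbits."""
    return set_xmark(mark, 0, (~bits) & MASK32)


def or_mark(mark: int, bits: int) -> int:
    """--or-mark bits, spelled as --set-xmark bits/bits."""
    return set_xmark(mark, bits, bits)


def xor_mark(mark: int, bits: int) -> int:
    """--xor-mark bits, spelled as --set-xmark bits/0."""
    return set_xmark(mark, bits, 0)


def mnemonics_match(mark: int, bits: int) -> bool:
    """True when each mnemonic equals the plain bitwise operation it stands for."""
    return (and_mark(mark, bits) == (mark & bits)
            and or_mark(mark, bits) == (mark | bits)
            and xor_mark(mark, bits) == (mark ^ bits))


def save_mark(nfmark: int, ctmark: int, nfmask: int = MASK32, ctmask: int = MASK32) -> int:
    """CONNMARK --save-mark: returns the new ctmark."""
    return ((ctmark & ~ctmask) ^ (nfmark & nfmask)) & MASK32


def restore_mark(nfmark: int, ctmark: int, nfmask: int = MASK32, ctmask: int = MASK32) -> int:
    """CONNMARK --restore-mark: returns the new nfmark."""
    return ((nfmark & ~nfmask) ^ (ctmark & ctmask)) & MASK32


def save_then_restore(nfmark: int, ctmark: int, mask: int) -> tuple:
    """The usual policy-routing pattern: a first packet marked with nfmark has
    the low `mask` bits saved into the connection; a later packet of the same
    connection arrives unmarked (nfmark 0) and gets them restored.
    Returns (new ctmark, nfmark restored onto the later packet)."""
    ct = save_mark(nfmark, ctmark, nfmask=mask, ctmask=mask)
    later = restore_mark(0, ct, nfmask=mask, ctmask=mask)
    return ct, later


if __name__ == "__main__":
    print(hex(set_xmark(0x12345678, 0xAB, 0xFF)))   # 0x123456ab
    print(mnemonics_match(0x12345678, 0x0F0F))      # True
    print(tuple(map(hex, save_then_restore(0x2A, 0xDEADBEEF, 0xFF))))
```

       Using a mask in the save/restore pair is what keeps the routing mark
       in one byte while other rules (or SECMARK-style users of the same
       32-bit field) keep the remaining bits untouched.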

   MASQUERADE
       This target is only valid in the nat table, in the POSTROUTING chain.
       It should only be used with dynamically assigned IP (dialup)
       connections: if you have a static IP address, you should use the SNAT
       target. Masquerading is equivalent to specifying a mapping to the IP
       address of the interface the packet is going out, but also has the
       effect that connections are forgotten when the interface goes down.
       This is the correct behavior when the next dialup is unlikely to have
       the same interface address (and hence any established connections are
       lost anyway).

       --to-ports port[-port]
              This specifies a range of source ports to use, overriding the
              default SNAT source port-selection heuristics (see the SNAT
              target). This is only valid if the rule also specifies one of
              the following protocols: tcp, udp, dccp or sctp.

       --random
              Randomize source port mapping. If option --random is used then
              port mapping will be randomized (kernel >= 2.6.21).

       IPv6 support available since Linux kernel 3.7.

   MIRROR (IPv4-specific)
       This is an experimental demonstration target which inverts the source
       and destination fields in the IP header and retransmits the packet. It
       is only valid in the INPUT, FORWARD and PREROUTING chains, and
       user-defined chains which are only called from those chains. Note that
       the outgoing packets are NOT seen by any packet filtering chains,
       connection tracking or NAT, to avoid loops and other problems.

   NETMAP
       This target allows you to statically map a whole network of addresses
       onto another network of addresses. It can only be used from rules in
       the nat table.

       --to address[/mask]
              Network address to map to. The resulting address will be
              constructed in the following way: all 'one' bits in the mask are
              filled in from the new `address'; all bits that are zero in the
              mask are filled in from the original address.

       IPv6 support available since Linux kernel 3.7.
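       The bit rule for --to above is easy to get wrong when the mask is
       shorter than the original network. The following added example (our
       own code, not part of iptables) computes the NETMAP result for IPv4 and
       IPv6 addresses with the standard ipaddress module and checks that a
       given mask still maps the hosts you list one-to-one, which is what lets
       the translation be undone by a rule in the opposite direction. The
       addresses used are documentation/ULA ranges chosen for the
       illustration.

```python
import ipaddress


def netmap(original: str, to: str) -> str:
    """NETMAP --to address/mask: bits that are 1 in the mask come from `to`,
    bits that are 0 keep the original address."""
    target = ipaddress.ip_network(to, strict=False)
    orig = ipaddress.ip_address(original)
    if orig.version != target.version:
        raise ValueError("address family mismatch")
    mask = int(target.netmask)
    mapped = (int(target.network_address) & mask) | (int(orig) & ~mask)
    # Rebuild with the original's class so an IPv6 result below 2**32 stays IPv6.
    return str(orig.__class__(mapped))


def map_hosts(addresses, to: str) -> dict:
    """Apply netmap() to each address; the dict is what a PREROUTING rule
    (destination) or POSTROUTING rule (source) would produce for those hosts."""
    return {a: netmap(a, to) for a in addresses}


def is_one_to_one(addresses, to: str) -> bool:
    """False when the mask is too short and distinct hosts collide after
    mapping, i.e. the reverse rule could no longer restore the originals."""
    mapping = map_hosts(addresses, to)
    return len(set(mapping.values())) == len(mapping)


if __name__ == "__main__":
    print(netmap("192.168.1.77", "10.0.0.0/24"))          # 10.0.0.77
    print(netmap("192.168.1.77", "10.5.0.0/16"))          # 10.5.1.77
    print(netmap("fd00::1", "2001:db8::/32"))             # 2001:db8::1
    print(is_one_to_one(["192.168.1.1", "192.168.2.1"], "10.0.0.0/24"))  # False
```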

   NFLOG
       This target provides logging of matching packets. When this target is
       set for a rule, the Linux kernel will pass the packet to the loaded
       logging backend to log the packet. This is usually used in combination
       with nfnetlink_log as the logging backend, which will multicast the
       packet through a netlink socket to the specified multicast group. One
       or more userspace processes may subscribe to the group to receive the
       packets. Like LOG, this is a non-terminating target, i.e. rule
       traversal continues at the next rule.

       --nflog-group nlgroup
              The netlink group (0 - 2^16-1) to which packets are sent (only
              applicable for nfnetlink_log). The default value is 0.

       --nflog-prefix prefix
              A prefix string to include in the log message, up to 64
              characters long, useful for distinguishing messages in the
              logs.

       --nflog-range size
              The number of bytes to be copied to userspace (only applicable
              for nfnetlink_log). nfnetlink_log instances may specify their
              own range; this option overrides it.

       --nflog-threshold size
              Number of packets to queue inside the kernel before sending them
              to userspace (only applicable for nfnetlink_log). Higher values
              result in less overhead per packet, but increase the delay until
              the packets reach userspace. The default value is 1.

   NFQUEUE
       This target passes the packet to userspace using the nfnetlink_queue
       handler. The packet is put into the queue identified by its 16-bit
       queue number. Userspace can inspect and modify the packet if desired.
       Userspace must then either drop the packet or reinject it into the
       kernel. Please see libnetfilter_queue for details. nfnetlink_queue was
       added in Linux 2.6.14. The queue-balance option was added in Linux
       2.6.31, queue-bypass in Linux 2.6.39.

       --queue-num value
              This specifies the QUEUE number to use. Valid queue numbers are
              0 to 65535. The default value is 0.

       --queue-balance value:value
              This specifies a range of queues to use. Packets are then
              balanced across the given queues. This is useful for multicore
              systems: start multiple instances of the userspace program on
              queues x, x+1, .. x+n and use "--queue-balance x:x+n". Packets
              belonging to the same connection are put into the same nfqueue.

       --queue-bypass
              By default, if no userspace program is listening on an NFQUEUE,
              then all packets that are to be queued are dropped. When this
              option is used, the NFQUEUE rule behaves like ACCEPT instead,
              and the packet will move on to the next table.

       --queue-cpu-fanout
              Available starting Linux kernel 3.10. When used together with
              --queue-balance this will use the CPU ID as an index to map
              packets to the queues. The idea is that you can improve
              performance if there is a queue per CPU. This requires
              --queue-balance to be specified.

   NOTRACK
       This target disables connection tracking for all packets matching that
       rule. It is equivalent to -j CT --notrack. Like CT, NOTRACK is only
       valid in the raw table.

   RATEEST
       The RATEEST target collects statistics, performs rate estimation
       calculation and saves the results for later evaluation using the
       rateest match.

       --rateest-name name
              Count matched packets into the pool referred to by name, which
              is freely choosable.

       --rateest-interval amount{s|ms|us}
              Rate measurement interval, in seconds, milliseconds or
              microseconds.

       --rateest-ewmalog value
              Rate measurement averaging time constant.

   REDIRECT
       This target is only valid in the nat table, in the PREROUTING and
       OUTPUT chains, and user-defined chains which are only called from those
       chains. It redirects the packet to the machine itself by changing the
       destination IP to the primary address of the incoming interface
       (locally-generated packets are mapped to the localhost address,
       127.0.0.1 for IPv4 and ::1 for IPv6).

       --to-ports port[-port]
              This specifies a destination port, port range or set of ports
              to use: without this, the destination port is never altered.
              This is only valid if the rule also specifies one of the
              following protocols: tcp, udp, dccp or sctp.

       --random
              If option --random is used then port mapping will be randomized
              (kernel >= 2.6.22).

       IPv6 support available since Linux kernel 3.7.

   REJECT (IPv6-specific)
       This is used to send back an error packet in response to the matched
       packet: otherwise it is equivalent to DROP, so it is a terminating
       TARGET, ending rule traversal. This target is only valid in the INPUT,
       FORWARD and OUTPUT chains, and user-defined chains which are only
       called from those chains. The following option controls the nature of
       the error packet returned:

       --reject-with type
              The type given can be icmp6-no-route, no-route,
              icmp6-adm-prohibited, adm-prohibited, icmp6-addr-unreachable,
              addr-unreach, or icmp6-port-unreachable, which return the
              appropriate IPv6 ICMP error message (icmp6-port-unreachable is
              the default). Finally, the option tcp-reset can be used on rules
              which only match the TCP protocol: this causes a TCP RST packet
              to be sent back. This is mainly useful for blocking ident
              (113/tcp) probes, which frequently occur when sending mail to
              broken mail hosts (which won't accept your mail otherwise).
              tcp-reset can only be used with kernel versions 2.6.14 or later.

   REJECT (IPv4-specific)
       This is used to send back an error packet in response to the matched
       packet: otherwise it is equivalent to DROP, so it is a terminating
       TARGET, ending rule traversal. This target is only valid in the INPUT,
       FORWARD and OUTPUT chains, and user-defined chains which are only
       called from those chains. The following option controls the nature of
       the error packet returned:

       --reject-with type
              The type given can be icmp-net-unreachable,
              icmp-host-unreachable, icmp-port-unreachable,
              icmp-proto-unreachable, icmp-net-prohibited,
              icmp-host-prohibited or icmp-admin-prohibited (*), which return
              the appropriate ICMP error message (icmp-port-unreachable is the
              default). The option tcp-reset can be used on rules which only
              match the TCP protocol: this causes a TCP RST packet to be sent
              back. This is mainly useful for blocking ident (113/tcp) probes,
              which frequently occur when sending mail to broken mail hosts
              (which won't accept your mail otherwise).

       (*) Using icmp-admin-prohibited with kernels that do not support it
       will result in a plain DROP instead of REJECT.

   SAME (IPv4 ã®å ´å)
       Similar to SNAT/DNAT depending on chain: it takes a range of addresses
       (`--to 1.2.3.4-1.2.3.7') and gives a client the same
       source-/destination-address for each connection.

       N.B.: The DNAT target's --persistent option replaced the SAME target.

       --to ipaddr[-ipaddr]
              Addresses to map source to. May be specified more than once for
              multiple ranges.

       --nodst
              Don't use the destination-ip in the calculations when selecting
              the new source-ip

       --random
              Port mapping will be forcibly randomized to avoid attacks based
              on port prediction (kernel >= 2.6.21).

   SECMARK
       This is used to set the security mark value associated with the packet
       for use by security subsystems such as SELinux.  It is valid in the
       security table (for backwards compatibility with older kernels, it is
       also valid in the mangle table). The mark is 32 bits wide.

       --selctx security_context

   SET
       This module adds and/or deletes entries from IP sets which can be
       defined by ipset(8).

       --add-set setname flag[,flag...]
              add the address(es)/port(s) of the packet to the set

       --del-set setname flag[,flag...]
              delete the address(es)/port(s) of the packet from the set

              where flag(s) are src and/or dst specifications and there can be
              no more than six of them.

       --timeout value
              when adding an entry, use the given timeout value instead of the
              default one from the set definition

       --exist
              when adding an entry, if it already exists, reset the timeout
              value to the specified one or to the default from the set
              definition

       Use of -j SET requires that ipset kernel support is provided, which,
       for standard kernels, is the case since Linux 2.6.39.

   SNAT
       This target is only valid in the nat table, in the POSTROUTING and
       INPUT chains, and user-defined chains which are only called from those
       chains. It specifies that the source address of the packet should be
       modified (and all future packets in this connection will also be
       mangled), and rules should cease being examined. It takes the following
       options:

       --to-source [ipaddr[-ipaddr]][:port[-port]]
              which can specify a single new source IP address, or an
              inclusive range of IP addresses. Optionally a port range, if the
              rule also specifies one of the following protocols: tcp, udp,
              dccp or sctp. If no port range is specified, then source ports
              below 512 will be mapped to other ports below 512; those between
              512 and 1023 inclusive will be mapped to ports below 1024; and
              other ports will be mapped to 1024 or above. Where possible, no
              port alteration will occur. In kernels up to 2.6.10, you can add
              several --to-source options. For those kernels, if you specify
              more than one source address, either via an address range or
              multiple --to-source options, a simple round-robin (one after
              another in cycle) takes place between these addresses. Later
              kernels (>= 2.6.11-rc1) don't have the ability to NAT to
              multiple ranges anymore.

       --random
              If option --random is used then port mapping will be randomized
              (kernel >= 2.6.21).

       --persistent
              Gives a client the same source-/destination-address for each
              connection. This supersedes the SAME target. Support for
              persistent mappings is available from 2.6.29-rc2.

       Kernels prior to 2.6.36-rc1 don't have the ability to SNAT in the
       INPUT chain.

       IPv6 support available since Linux kernel 3.7.

   SNPT (IPv6-specific)
       Provides stateless source IPv6-to-IPv6 Network Prefix Translation (as
       described by RFC 6296).

       You have to use this target in the mangle table, not in the nat table.
       It takes the following options:

       --src-pfx [prefix/length]
              Set the source prefix that you want to translate and its length.

       --dst-pfx [prefix/length]
              Set the destination prefix that you want to translate and its
              length.

       You have to use the DNPT target to undo the translation. Example:

              ip6tables -t mangle -I POSTROUTING -s fd00::/64  -o vboxnet0 -j
              SNPT --src-pfx fd00::/64 --dst-pfx 2001:e20:2000:40f::/64

              ip6tables -t mangle -I PREROUTING -i wlan0 -d
              2001:e20:2000:40f::/64 -j DNPT --src-pfx 2001:e20:2000:40f::/64
              --dst-pfx fd00::/64

       You may need to enable IPv6 neighbor proxy:

              sysctl -w net.ipv6.conf.all.proxy_ndp=1

       You also have to use the NOTRACK target to disable connection tracking
       for translated flows.

   TCPMSS
       This target allows to alter the MSS value of TCP SYN packets, to
       control the maximum size for that connection (usually limiting it to
       your outgoing interface's MTU minus 40 for IPv4 or 60 for IPv6,
       respectively). Of course, it can only be used in conjunction with -p
       tcp.

       This target is used to overcome criminally braindead ISPs or servers
       which block "ICMP Fragmentation Needed" or "ICMPv6 Packet Too Big"
       packets. The symptoms of this problem are that everything works fine
       from your Linux firewall/router, but machines behind it can never
       exchange large packets:

       1.  Web browsers connect, then hang with no data received.

       2.  Small mail works fine, but large emails hang.

       3.  ssh works fine, but scp hangs after the initial handshaking.

       Workaround: activate this option and add a rule like the following to
       your firewall configuration:

               iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN
                           -j TCPMSS --clamp-mss-to-pmtu

       --set-mss value
              Explicitly sets MSS option to specified value. If the MSS of the
              packet is already lower than value, it will not be increased
              (from Linux 2.6.25 onwards) to avoid more problems with hosts
              relying on a proper MSS.

       --clamp-mss-to-pmtu
              Automatically clamp MSS value to (path_MTU - 40 for IPv4; -60
              for IPv6).  This may not function as desired where asymmetric
              routes with differing path MTU exist — the kernel uses the path
              MTU which it would use to send packets from itself to the source
              and destination IP addresses. Prior to Linux 2.6.25, only the
              path MTU to the destination IP address was considered by this
              option; subsequent kernels also consider the path MTU to the
              source IP address.

       These options are mutually exclusive.

   TCPOPTSTRIP
       This target will strip TCP options off a TCP packet. (It will actually
       replace them by NO-OPs.) As such, you will need to use the -p tcp
       parameter.

       --strip-options option[,option...]
              Strip the given option(s). The options may be specified by TCP
              option number or by symbolic name. The list of recognized
              options can be obtained by calling iptables with -j TCPOPTSTRIP
              -h.
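       Both TCPMSS and TCPOPTSTRIP above operate on the TCP options area of a
       segment, so they are best understood on real option bytes. The
       following added example (our own code, not from iptables or the
       kernel) parses a TCP options area, applies the --set-mss rule that an
       MSS already lower than the requested value is left alone, computes the
       --clamp-mss-to-pmtu value of path MTU minus 40 (IPv4) or 60 (IPv6), and
       performs the TCPOPTSTRIP replacement of selected options by NO-OPs so
       the header length is unchanged. The option bytes are a constructed SYN
       (MSS 1460, SACK-permitted, timestamps, NOP, window scale 7); the option
       names are our own constants. Inserting an MSS option into a segment
       that has none is something the kernel target can do but this model does
       not.

```python
import struct

# TCP option kinds; the symbolic names are ours.
EOL, NOP, MSS, WSCALE, SACK_PERMITTED, TIMESTAMP = 0, 1, 2, 3, 4, 8

# Constructed options area of a typical SYN (20 bytes): MSS 1460,
# SACK-permitted, timestamps, one NOP pad, window scale 7.
SYN_OPTS = bytes.fromhex("020405b4" "0402" "080a0000000100000000" "01" "030307")


def parse_tcp_options(opts: bytes) -> list:
    """Return [(kind, value_bytes, offset)] for each option, skipping NOP
    padding and stopping at EOL. Malformed lengths raise ValueError."""
    out, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == EOL:
            break
        if kind == NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option at offset %d" % i)
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length at offset %d" % i)
        out.append((kind, opts[i + 2:i + length], i))
        i += length
    return out


def mss_of(opts: bytes):
    """Current MSS option value, or None if the segment carries none."""
    for kind, val, _ in parse_tcp_options(opts):
        if kind == MSS and len(val) == 2:
            return struct.unpack("!H", val)[0]
    return None


def clamp_value(path_mtu: int, ipv6: bool) -> int:
    """--clamp-mss-to-pmtu: path MTU minus 40 for IPv4, minus 60 for IPv6."""
    return path_mtu - (60 if ipv6 else 40)


def set_mss(opts: bytes, mss: int) -> bytes:
    """--set-mss on an existing MSS option: rewrite it in place, but never
    raise an MSS that is already lower (the rule from Linux 2.6.25 on)."""
    buf = bytearray(opts)
    for kind, val, off in parse_tcp_options(opts):
        if kind == MSS and len(val) == 2:
            if struct.unpack("!H", val)[0] > mss:
                buf[off + 2:off + 4] = struct.pack("!H", mss)
            break
    return bytes(buf)


def strip_options(opts: bytes, kinds) -> bytes:
    """TCPOPTSTRIP --strip-options: overwrite each listed option with NO-OPs
    (kind 1), so the data offset and total length do not change."""
    buf = bytearray(opts)
    for kind, val, off in parse_tcp_options(opts):
        if kind in kinds:
            length = len(val) + 2
            buf[off:off + length] = bytes([NOP]) * length
    return bytes(buf)


if __name__ == "__main__":
    clamped = set_mss(SYN_OPTS, clamp_value(1492, False))   # PPPoE-sized path
    print(mss_of(SYN_OPTS), "->", mss_of(clamped))          # 1460 -> 1452
    stripped = strip_options(SYN_OPTS, {SACK_PERMITTED, TIMESTAMP})
    print([k for k, _, _ in parse_tcp_options(stripped)])   # [2, 3]
```

       After a real TCPMSS or TCPOPTSTRIP rewrite the kernel also fixes the
       TCP checksum; that step is outside this model, which only shows what
       happens to the option bytes.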

   TEE
       The TEE target will clone a packet and redirect this clone to another
       machine on the local network segment. In other words, the nexthop must
       be the target, or you will have to configure the nexthop to forward it
       further if so desired.

       --gateway ipaddr
              Send the cloned packet to the host reachable at the given IP
              address. Use of 0.0.0.0 (for IPv4 packets) or :: (for IPv6) is
              invalid.

       To forward all incoming traffic on eth0 to a network-layer logging box:

       -t mangle -A PREROUTING -i eth0 -j TEE --gateway 2001:db8::1

   TOS
       This module sets the Type of Service field in the IPv4 header
       (including the "precedence" bits) or the Priority field in the IPv6
       header. Note that TOS shares the same bits as DSCP and ECN, so a
       rewrite with the default mask also overwrites any ECN marking. The TOS
       target is only valid in the mangle table.

       --set-tos value[/mask]
              Zeroes out the bits given by mask (see NOTE below) and XORs
              value into the TOS/Priority field. If mask is omitted, 0xFF is
              assumed.

       --set-tos symbol
              You can specify a symbolic name when using the TOS target for
              IPv4. It implies a mask of 0xFF (see NOTE below). The list of
              recognized TOS names can be obtained by calling iptables with
              -j TOS -h.

       The following mnemonics are available:

       --and-tos bits
              Binary AND the TOS value with bits. (Mnemonic for --set-tos
              0/invbits, where invbits is the binary negation of bits. See
              NOTE below.)

       --or-tos bits
              Binary OR the TOS value with bits. (Mnemonic for --set-tos
              bits/bits. See NOTE below.)

       --xor-tos bits
              Binary XOR the TOS value with bits. (Mnemonic for --set-tos
              bits/0. See NOTE below.)

       NOTE: In Linux kernels up to and including 2.6.38, with the exception
       of the longterm releases 2.6.32 (>=.42), 2.6.33 (>=.15) and 2.6.35
       (>=.14), there is a bug whereby IPv6 TOS mangling does not behave as
       documented and differs from the IPv4 version. The TOS mask indicates
       the bits one wants to zero out, so it needs to be inverted before
       applying it to the original TOS field. However, the aforementioned
       kernels forgo the inversion, which breaks --set-tos and its mnemonics
       for IPv6.
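
       The bit arithmetic behind --set-tos value/mask and the three mnemonics,
       the ECN caveat, and the effect of the missing inversion described in
       the NOTE, as an added example (written for this edit, not code from the
       man page or the netfilter project; all function names are the example's
       own):

```python
# Added example (not from the man page): the arithmetic behind --set-tos
# value/mask and its mnemonics, the ECN caveat, and the inverted-mask bug of
# the IPv6 path on the kernels named in the NOTE. All values are the 8-bit
# IPv4 TOS / IPv6 Priority field.

ECN_MASK = 0x03    # the low two bits carry ECN; DSCP is the high six (0xFC)


def parse_set_tos(arg: str):
    """Parse the `value[/mask]` form. Hex and decimal are accepted as with
    iptables' strtoul; octal must be written 0o... here, unlike the C tool."""
    value, _, mask = arg.partition("/")
    return int(value, 0), (int(mask, 0) if mask else 0xFF)


def set_tos(tos: int, value: int, mask: int = 0xFF) -> int:
    """--set-tos value/mask: zero the bits given by mask, then XOR value in."""
    return ((tos & ~mask) ^ value) & 0xFF


def and_tos(tos: int, bits: int) -> int:
    """--and-tos bits, i.e. --set-tos 0/invbits."""
    return set_tos(tos, 0, (~bits) & 0xFF)


def or_tos(tos: int, bits: int) -> int:
    """--or-tos bits, i.e. --set-tos bits/bits."""
    return set_tos(tos, bits, bits)


def xor_tos(tos: int, bits: int) -> int:
    """--xor-tos bits, i.e. --set-tos bits/0."""
    return set_tos(tos, bits, 0)


def set_tos_buggy_ipv6(tos: int, value: int, mask: int = 0xFF) -> int:
    """The affected kernels' IPv6 path: the mask is applied without the
    inversion, so `mask` keeps bits instead of clearing them."""
    return ((tos & mask) ^ value) & 0xFF


def mnemonics_consistent() -> bool:
    """Exhaustively confirm the three mnemonics equal plain AND/OR/XOR."""
    return all(and_tos(t, b) == (t & b) and or_tos(t, b) == (t | b)
               and xor_tos(t, b) == (t ^ b)
               for t in range(256) for b in range(256))


def set_dscp_keep_ecn(tos: int, dscp_value: int) -> int:
    """Rewrite only the DSCP bits: a mask of 0xFC leaves ECN alone, whereas
    the default mask of 0xFF clobbers an ECT/CE marking."""
    return set_tos(tos, dscp_value & ~ECN_MASK, 0xFF & ~ECN_MASK)


if __name__ == "__main__":
    value, mask = parse_set_tos("0x28/0xfc")
    print(f"--set-tos 0x28/0xfc on 0x03 -> {set_tos(0x03, value, mask):#04x}")
    print(f"same rule on the buggy IPv6 path -> "
          f"{set_tos_buggy_ipv6(0x03, value, mask):#04x}")
```

       On a correct kernel --set-tos 0x28/0xfc applied to a CE-marked packet
       (0x03) yields 0x2B, DSCP rewritten and ECN intact; on the kernels in
       the NOTE the same IPv6 rule yields 0x28, because the un-inverted mask
       kept the DSCP bits and cleared the ECN bits instead.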

   TPROXY
       This target is only valid in the mangle table, in the PREROUTING chain
       and user-defined chains which are only called from this chain. It
       redirects the packet to a local socket without changing the packet
       header in any way. It can also change the mark value which can then be
       used in advanced routing rules. It takes three options:

       --on-port port
              This specifies a destination port to use. It is a required
              option, 0 means the new destination port is the same as the
              original. This is only valid if the rule also specifies -p tcp
              or -p udp.

       --on-ip address
              This specifies a destination address to use. By default the
              address of the incoming interface is used. This is only valid
              if the rule also specifies -p tcp or -p udp.

       --tproxy-mark value[/mask]
              Marks packets with the given value/mask. The fwmark value set
              here can be used by advanced routing. (Required for transparent
              proxying to work: otherwise these packets will get forwarded,
              which is probably not what you want.)
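
       An added example, not from the man page or the netfilter project, of
       the two things a TPROXY rule needs around it: the fwmark policy routing
       that keeps the marked packets from being forwarded (the pairing shown
       in the kernel's Documentation/networking/tproxy.txt; assumed here, the
       page itself does not show it) and a listening socket with
       IP_TRANSPARENT set, without which the target finds no socket to deliver
       to. The function names, ports, mark and routing table number are the
       example's own choices.

```python
# Added example (not from the man page): the policy routing and the socket
# option that have to accompany a TPROXY rule.
import socket

# Linux value of IP_TRANSPARENT from <linux/in.h>, for Pythons without the constant.
IP_TRANSPARENT = getattr(socket, "IP_TRANSPARENT", 19)


def tproxy_setup_commands(listen_port: int, dport: int = 80,
                          mark: int = 0x1, table: int = 100) -> list:
    """Rule plus policy routing: the fwmark set by --tproxy-mark steers the
    packet into a table whose only route is `local`, so it is delivered to
    the local socket instead of being forwarded (routing recipe assumed from
    the kernel's tproxy.txt)."""
    return [
        f"iptables -t mangle -A PREROUTING -p tcp --dport {dport} -j TPROXY "
        f"--tproxy-mark {mark:#x}/{mark:#x} --on-port {listen_port}",
        f"ip rule add fwmark {mark} lookup {table}",
        f"ip route add local 0.0.0.0/0 dev lo table {table}",
    ]


def transparent_listener(port: int, backlog: int = 128) -> socket.socket:
    """Bind a socket the TPROXY target can hand packets to (needs CAP_NET_ADMIN)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.setsockopt(socket.IPPROTO_IP, IP_TRANSPARENT, 1)
    s.bind(("0.0.0.0", port))   # --on-ip defaults to the incoming interface's address
    s.listen(backlog)
    return s


def original_destination(conn: socket.socket):
    """The header is untouched, so the accepted socket's local name is the
    address and port the client actually connected to."""
    return conn.getsockname()


if __name__ == "__main__":
    print("\n".join(tproxy_setup_commands(8080)))
    srv = transparent_listener(8080)       # run as root after applying the commands
    conn, peer = srv.accept()
    print(peer, "wanted", original_destination(conn))
    conn.close()
    srv.close()
```

       The kernel's tproxy.txt additionally places a -m socket rule ahead of
       the TPROXY rule; it is left out here to keep the example to what this
       page documents.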

   TRACE
       This target marks packets so that the kernel will log every rule that
       matches the packet as it traverses the tables, chains and rules.

       A logging backend, such as ip(6)t_LOG or nfnetlink_log, must be loaded
       for this to be visible.  The packets are logged with the string prefix:
       "TRACE: tablename:chainname:type:rulenum " where type can be "rule" for
       a plain rule, "return" for the implicit rule at the end of a user
       defined chain and "policy" for the policy of the built-in chains.
       It can only be used in the raw table.
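
       An added example, not from the man page, that parses TRACE lines in the
       form the ip(6)t_LOG backend writes them to the kernel log and rebuilds
       the path a packet took through the tables and chains. The field names
       after the prefix (IN=, OUT=, SRC=, ...) are those of the LOG target; the
       log lines, chain name and rule numbers are constructed for the example.

```python
# Added example (not from the man page): parse TRACE output from the kernel log
# and reconstruct one packet's traversal. The sample lines are constructed.
import re

TRACE_RE = re.compile(
    r"^TRACE: (?P<table>\w+):(?P<chain>\S+):(?P<type>rule|return|policy)"
    r":(?P<rulenum>\d+) (?P<rest>.*)$"
)


def parse_trace_line(line: str):
    """Return a dict for a TRACE line, or None for anything else."""
    m = TRACE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["rulenum"] = int(rec["rulenum"])
    fields, flags = {}, []
    for tok in rec.pop("rest").split():
        if "=" in tok:                 # key=value (value may be empty, e.g. OUT=)
            key, value = tok.split("=", 1)
            fields[key] = value
        else:                          # bare flags such as DF or SYN
            flags.append(tok)
    rec["fields"], rec["flags"] = fields, flags
    return rec


def packet_key(rec):
    """Correlate the lines of one packet. No packet id is logged, so the
    addressing fields plus the IP ID are used (assumption: unambiguous
    within a short capture window)."""
    f = rec["fields"]
    return tuple(f.get(k, "") for k in ("SRC", "DST", "PROTO", "ID", "SPT", "DPT"))


def traversal_paths(lines):
    """Map each packet to the ordered list of (table, chain, type, rulenum)
    it hit; the last entry is where the verdict was reached."""
    paths = {}
    for line in lines:
        rec = parse_trace_line(line)
        if rec is None:
            continue
        paths.setdefault(packet_key(rec), []).append(
            (rec["table"], rec["chain"], rec["type"], rec["rulenum"]))
    return paths


# Constructed trace of one SSH SYN: filter:INPUT rule 3 jumped into a user
# chain, the packet fell off its end (the implicit "return"), and rule 5 of
# INPUT then matched it.
_TAIL = ("IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
         "SRC=192.0.2.10 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 "
         "ID=4711 DF PROTO=TCP SPT=40000 DPT=22 SEQ=1 ACK=0 WINDOW=29200 "
         "RES=0x00 SYN URGP=0")
SAMPLE_TRACE = [
    f"TRACE: {t}:{c}:{k}:{n} {_TAIL}" for t, c, k, n in [
        ("raw", "PREROUTING", "policy", 2),
        ("mangle", "PREROUTING", "policy", 1),
        ("nat", "PREROUTING", "policy", 1),
        ("mangle", "INPUT", "policy", 1),
        ("filter", "INPUT", "rule", 3),
        ("filter", "ssh_guard", "return", 2),
        ("filter", "INPUT", "rule", 5),
    ]
] + ["kernel: an unrelated log line that is not a trace"]

if __name__ == "__main__":
    for key, path in traversal_paths(SAMPLE_TRACE).items():
        print(key[0], "->", key[1], "verdict reached at", path[-1])
        for hop in path:
            print("   ", hop)
```

       Lines like these appear once a rule such as
       iptables -t raw -A PREROUTING -p tcp --dport 22 -j TRACE is in place
       with the ip(6)t_LOG backend loaded; with nfnetlink_log the prefix is the
       same but the payload is delivered to a userspace listener rather than
       the kernel log.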

   TTL (IPv4-specific)
       This is used to modify the IPv4 TTL header field. The TTL field
       determines how many hops (routers) a packet can traverse until its
       time to live is exceeded.

       Setting or incrementing the TTL field can potentially be very
       dangerous, so it should be avoided at any cost: a packet whose TTL is
       refreshed can circulate in a routing loop indefinitely. This target is
       only valid in the mangle table.

       Don't ever set or increment the value on packets that leave your
       local network!

       --ttl-set value
              Set the TTL value to `value'.

       --ttl-dec value
              Decrement the TTL value `value' times.

       --ttl-inc value
              Increment the TTL value `value' times.

   ULOG (IPv4-specific)
       This is the deprecated IPv4-only predecessor of the NFLOG target. It
       provides userspace logging of matching packets. When this target is
       set for a rule, the Linux kernel will multicast this packet through a
       netlink socket. One or more userspace processes may then subscribe to
       various multicast groups and receive the packets. Like LOG, this is a
       "non-terminating target", i.e. rule traversal continues at the next
       rule.

       --ulog-nlgroup nlgroup
              This specifies the netlink group (1-32) to which the packet is
              sent. Default value is 1.

       --ulog-prefix prefix
              Prefix log messages with the specified prefix; up to 32
              characters long, and useful for distinguishing messages in the
              logs.

       --ulog-cprange size
              Number of bytes to be copied to userspace. A value of 0 always
              copies the entire packet, regardless of its size. Default is 0.

       --ulog-qthreshold size
              Number of packets to queue inside the kernel. Setting this
              value to, e.g. 10 accumulates ten packets inside the kernel and
              transmits them as one netlink multipart message to userspace.
              Default is 1 (for backwards compatibility).



iptables 1.4.21                                         iptables-extensions(8)