iptables

IPTABLES(8)                            IPTABLES(8)

NAME
    iptables - administration tool for IPv4 packet filtering and NAT

SYNOPSIS
    iptables [-t table] -[AD] chain rule-specification [options]
    iptables [-t table] -I chain [rulenum] rule-specification [options]
    iptables [-t table] -R chain rulenum rule-specification [options]
    iptables [-t table] -D chain rulenum [options]
    iptables [-t table] -[LFZ] [chain] [options]
    iptables [-t table] -N chain
    iptables [-t table] -X [chain]
    iptables [-t table] -P chain target [options]
    iptables [-t table] -E old-chain-name new-chain-name

DESCRIPTION
    iptables is used to set up, maintain, and inspect the tables of IP packet
    filter rules in the Linux kernel. Several different tables may be defined.
    Each table contains a number of built-in chains and may also contain
    user-defined chains.

    Each chain is a list of rules which can match a set of packets. Each rule
    specifies what to do with a packet that matches. This is called a
    `target', which may be a jump to a user-defined chain in the same table.


TARGETS
    A firewall rule specifies criteria for a packet, and a target. If the
    packet does not match, the next rule in the chain is examined; if it does
    match, then the next rule is specified by the value of the target, which
    can be the name of a user-defined chain or one of the special values
    ACCEPT, DROP, QUEUE, or RETURN.

    ACCEPT means to let the packet through. DROP means to drop the packet on
    the floor (discard it). QUEUE means to pass the packet to userspace (if
    supported by the kernel). RETURN means stop traversing this chain and
    resume at the next rule in the previous (calling) chain. If the end of a
    built-in chain is reached, or a rule in a built-in chain with target
    RETURN is matched, the target specified by the chain policy determines
    the fate of the packet.

TABLES
    There are currently three independent tables (which tables are present
    at any time depends on the kernel configuration options and on which
    modules are present).

    -t, --table table
       This option specifies the packet matching table which the command
       should operate on. If the kernel is configured with automatic module
       loading, an attempt will be made to load the appropriate module for
       that table if it is not already there.

       The tables are as follows:

       filter:
         This is the default table (if no -t option is passed). It contains
         the built-in chains INPUT (for packets coming into the box itself),
         FORWARD (for packets being routed through the box), and OUTPUT (for
         locally-generated packets).

       nat:
         This table is consulted when a packet that creates a new connection
         is encountered. It consists of three built-in chains: PREROUTING
         (for altering packets as soon as they come in), OUTPUT (for altering
         locally-generated packets before routing), and POSTROUTING (for
         altering packets as they are about to go out).

       mangle:
         This table is used for specialized packet alteration. Until kernel
         2.4.17 it had two built-in chains: PREROUTING (for altering incoming
         packets before routing) and OUTPUT (for altering locally-generated
         packets before routing). Since kernel 2.4.18, three other built-in
         chains are also supported: INPUT (for packets coming into the box
         itself), FORWARD (for altering packets being routed through the
         box), and POSTROUTING (for altering packets as they are about to go
         out).

OPTIONS
    The options that are recognized by iptables can be divided into several
    different groups.

  COMMANDS
    These options specify the specific action to perform. Only one of them
    can be specified on the command line unless otherwise noted below. For
    all the long versions of the command and option names, you need to use
    only enough letters to ensure that iptables can differentiate it from all
    other options.

    -A, --append chain rule-specification
       Append one or more rules to the end of the selected chain. When the
       source and/or destination names resolve to more than one address, a
       rule will be added for each possible address combination.

    -D, --delete chain rule-specification
    -D, --delete chain rulenum
       Delete one or more rules from the selected chain. There are two
       versions of this command: the rule can be specified as a number in
       the chain (starting at 1 for the first rule) or as a rule to match.

    -I, --insert chain [rulenum] rule-specification
       Insert one or more rules in the selected chain as the given rule
       number. So, if the rule number is 1, the rule or rules are inserted
       at the head of the chain. This is also the default if no rule number
       is specified.

    -R, --replace chain rulenum rule-specification
       Replace a rule in the selected chain. If the source and/or
       destination names resolve to multiple addresses, the command will
       fail. Rules are numbered starting at 1.

    -L, --list [chain]
       List all rules in the selected chain. If no chain is selected, all
       chains are listed. As with every other iptables command, it applies
       to the specified table (filter is the default), so NAT rules get
       listed by
        iptables -t nat -n -L
       Please note that it is often used with the -n option, in order to
       avoid long reverse DNS lookups. It is legal to specify the -Z (zero)
       option as well, in which case the chain(s) will be atomically listed
       and (translator's note: the packet and byte counters) zeroed. The
       exact output is affected by the other arguments given. The actual
       rules are not shown until you use the -v option, as in
        iptables -L -v

    -F, --flush [chain]
       Flush the selected chain (all the chains in the table if none is
       given). This is equivalent to deleting all the rules one by one.

    -Z, --zero [chain]
       Zero the packet and byte counters in all chains. It is legal to
       specify the -L, --list (list) option as well, to see the counters
       immediately before they are cleared (see above).

    -N, --new-chain chain
       Create a new user-defined chain by the given name. There must be no
       target of that name already.

    -X, --delete-chain [chain]
       Delete the specified user-defined chain. There must be no references
       to the chain. If there are, you must delete or replace the referring
       rules before the chain can be deleted. If no argument is given, it
       will attempt to delete every non-builtin chain in the table.

    -P, --policy chain target
       Set the policy for the chain to the given target. See the section
       TARGETS for the legal targets. Only built-in (non-user-defined)
       chains can have policies, and neither built-in nor user-defined
       chains can be policy targets.

    -E, --rename-chain old-chain new-chain
       Rename the user-defined chain to the given name. This is cosmetic,
       and has no effect on the structure of the table.

    -h   Help. Give a (currently very brief) description of the command
         syntax.

  PARAMETERS
    The following parameters make up a rule specification (as used in the
    add, delete, insert, replace and append commands).

    [!] -p, --protocol protocol
       The protocol of the rule or of the packet to check. The specified
       protocol can be one of tcp, udp, icmp, or all, or it can be a numeric
       value, representing one of these protocols or a different one. A
       protocol name from /etc/protocols is also allowed. A "!" argument
       before the protocol inverts the test. The number zero is equivalent
       to all. Protocol all will match with all protocols and is taken as
       the default when this option is omitted.

    [!] -s, --source address[/mask]
       Source specification. address can be either a hostname (please note
       that specifying any name to be resolved with a remote query such as
       DNS is a really bad idea), a network IP address (with /mask), or a
       plain IP address. The mask can be either a network mask or a plain
       number, specifying the number of 1's at the left side of the network
       mask. Thus, a mask of 24 is equivalent to 255.255.255.0. A "!"
       argument before the address specification inverts the sense of the
       address. The flag --src is an alias for this option.

    [!] -d, --destination address[/mask]
       Destination specification. See the description of the -s (source)
       flag for a detailed description of the syntax. The flag --dst is an
       alias for this option.

    -j, --jump target
       This specifies the target of the rule; i.e., what to do if the packet
       matches it. The target can be a user-defined chain (other than the
       one this rule is in), one of the special built-in targets which
       decide the fate of the packet immediately, or an extension target
       (see TARGET EXTENSIONS below). If this option is omitted in a rule,
       then matching the rule will have no effect on the packet's fate, but
       the counters on the rule will be incremented.

    [!] -i, --in-interface name
       Name of an interface via which a packet is going to be received (only
       for packets entering the INPUT, FORWARD and PREROUTING chains). When
       the "!" argument is used before the interface name, the sense is
       inverted. If the interface name ends in a "+", then any interface
       which begins with this name will match. If this option is omitted,
       any interface name will match.

    [!] -o, --out-interface name
       Name of an interface via which a packet is going to be sent (only for
       packets entering the FORWARD, OUTPUT and POSTROUTING chains). When
       the "!" argument is used before the interface name, the sense is
       inverted. If the interface name ends in a "+", then any interface
       which begins with this name will match. If this option is omitted,
       any interface name will match.

    [!] -f, --fragment
       This means that the rule only refers to the second and further
       fragments of fragmented packets. Since there is no way to tell the
       source or destination ports of such a packet (or the ICMP type), such
       a packet will not match any rule which specifies them. When the "!"
       argument precedes the "-f" flag, the rule will only match head
       fragments or unfragmented packets.

    -c, --set-counters PKTS BYTES
       This enables the administrator to initialize the packet and byte
       counters of a rule (during insert, append and replace operations).

  OTHER OPTIONS
    The following additional options can be specified:

    -v, --verbose
       Verbose output. This option makes the list command show the interface
       name, the rule options (if any), and the TOS masks. The packet and
       byte counters are also listed, with the suffix 'K', 'M' or 'G' for
       1000, 1,000,000 and 1,000,000,000 multipliers respectively (but see
       the -x flag to change this). When applied to the append, insert,
       delete and replace commands, this option causes detailed information
       on the rule or rules to be printed.

    -n, --numeric
       Numeric output. IP addresses and port numbers will be printed in
       numeric format. By default, iptables will try to display them as host
       names, network names, or service names (whenever applicable).

    -x, --exact
       Expand numbers. Display the exact value of the packet and byte
       counters, instead of only the rounded number in K's (multiples of
       1000), M's (multiples of 1000K) or G's (multiples of 1000M). This
       option is only relevant for the -L command.

    --line-numbers
       When listing rules, add line numbers to the beginning of each rule,
       corresponding to that rule's position in the chain.

    --modprobe=command
       When adding or inserting rules into a chain, use command to load any
       necessary modules (targets, match extensions, etc.).

MATCH EXTENSIONS
    iptables can use extended packet matching modules. These are loaded in
    two ways: implicitly, when -p or --protocol is specified, or with the -m
    or --match option, followed by the matching module name; after these,
    various extra command line options become available, depending on the
    specific module. Multiple extended match modules can be specified in one
    line, and the -h or --help option can be used after a module has been
    specified to receive help specific to that module.

    The following are included in the base package, and most of these can
    be preceded by a ! to invert the sense of the match.

  ah
    This module matches the SPIs in the AH header of IPSec packets.

    [!] --ahspi spi[:spi]

  conntrack
    This module, when combined with connection tracking, allows access to
    more connection tracking information than the "state" match (this
    module is present only if iptables was compiled under a kernel
    supporting this feature).

    --ctstate state
       state is a comma separated list of the connection states to match.
       Possible states are: INVALID, meaning that the packet could not be
       identified for some reason, which includes running out of memory and
       ICMP errors which don't correspond to any known connection;
       ESTABLISHED, meaning that the packet is associated with a connection
       which has seen packets in both directions; NEW, meaning that the
       packet has started a new connection, or is otherwise associated with
       a connection which has not seen packets in both directions; RELATED,
       meaning that the packet is starting a new connection but is
       associated with an existing connection, such as an FTP data transfer
       or an ICMP error; SNAT, a virtual state, matching if the original
       source address differs from the reply destination; DNAT, a virtual
       state, matching if the original destination differs from the reply
       source.

    --ctproto proto
       Protocol to match (by number or name).

    [!] --ctorigsrc address[/mask]
       Match against the original source address.

    [!] --ctorigdst address[/mask]
       Match against the original destination address.

    [!] --ctreplsrc address[/mask]
       Match against the reply source address.

    [!] --ctrepldst address[/mask]
       Match against the reply destination address.

    --ctstatus [NONE|EXPECTED|SEEN_REPLY|ASSURED][,...]
       Match against the internal connection tracking status.

    --ctexpire time[:time]
       Match the remaining lifetime in seconds against the given value or
       range of values (inclusive).

  dscp
    This module matches the 6 bit DSCP field within the TOS field in the IP
    header. DSCP has superseded TOS within the IETF.

    --dscp value
       Match against a numeric (decimal or hex) value [0-63].

    --dscp-class DiffServ Class
       Match the DiffServ class. This value may be any of the BE, EF, AFxx
       or CSx classes. It is equivalent to specifying the corresponding
       numeric value.

  esp
    This module matches the SPIs in the ESP header of IPSec packets.

    [!] --espspi spi[:spi]

  helper
    This module matches packets related to a specific connection tracking
    helper module.

    --helper string
       Matches packets related to the specified connection tracking helper.

       For packets related to an ftp session on the default port, string is
       "ftp". For other ports, append "-portnr" to the value, i.e.
       "ftp-2121".

       The same rule applies to the other connection tracking helpers.

  icmp
    This extension is loaded if `--protocol icmp' is specified. It provides
    the following option:

    [!] --icmp-type typename
       This allows specification of the ICMP type, which can be a numeric
       ICMP type, or one of the ICMP type names shown by the command
        iptables -p icmp -h

  length
    This module matches the length of a packet against a specific value or
    range of values.

    --length length[:length]

  limit
    This module matches at a limited rate using a token bucket filter. A
    rule using this extension will match until this limit is reached
    (unless the `!' flag is used). It can be used in combination with the
    LOG target to give limited logging, for example.

    --limit rate
       Maximum average matching rate: specified as a number, with an
       optional `/second', `/minute', `/hour', or `/day' suffix; the default
       is 3/hour.

    --limit-burst number
       Maximum initial number of packets to match: this number gets
       recharged by one every time the limit specified above is not
       reached, up to this number; the default is 5.
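    The token bucket behaviour of --limit and --limit-burst, as an added
    simulation (not code from this man page or from the netfilter project):
    the bucket starts full at the burst size, each matching packet spends one
    token, and one token is earned per 1/rate seconds, up to the burst. The
    arrival times in SAMPLE_TIMES are constructed for illustration.

```python
class LimitMatch:
    """Model of the iptables `limit' match: a token bucket that admits at most
    `burst' packets at once and refills at the average rate given as
    N/second, N/minute, N/hour or N/day (default unit: hour, as in the man
    page). This is an illustrative reimplementation, not the kernel's code."""

    UNITS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}

    def __init__(self, rate="3/hour", burst=5, invert=False):
        count, _, unit = rate.partition("/")
        self.interval = self.UNITS[unit or "hour"] / float(count)  # seconds per token
        self.burst = burst
        self.tokens = float(burst)      # bucket starts full: the initial burst
        self.last = None                # time of the previous packet
        self.invert = invert            # the `!' flag: match once the limit is hit

    def matches(self, now):
        """Return True if a packet seen at time `now' (seconds) matches."""
        if self.last is not None:
            refill = (now - self.last) / self.interval
            self.tokens = min(float(self.burst), self.tokens + refill)
        self.last = now
        hit = self.tokens >= 1.0
        if hit:
            self.tokens -= 1.0          # each matched packet spends one token
        return hit != self.invert


def limited_log(timestamps, rate="10/minute", burst=5):
    """Apply a `-m limit --limit RATE --limit-burst BURST -j LOG' rule to
    packets arriving at the given times; return the per-packet match results,
    i.e. which packets would have been logged."""
    lim = LimitMatch(rate, burst)
    return [lim.matches(t) for t in timestamps]


# Constructed arrival times: a burst of seven packets at t=0, then packets at
# t=6, t=7 and t=13 seconds. With 10/minute one token is earned every 6 seconds.
SAMPLE_TIMES = [0.0] * 7 + [6.0, 7.0, 13.0]

if __name__ == "__main__":
    for t, logged in zip(SAMPLE_TIMES, limited_log(SAMPLE_TIMES)):
        print(f"t={t:5.1f}s  {'LOG' if logged else 'rate limited, not logged'}")
```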

  mac
    [!] --mac-source address
       Match the source MAC address. It must be of the form
       XX:XX:XX:XX:XX:XX. Note that this only makes sense for packets coming
       from an Ethernet device and entering the PREROUTING, FORWARD or INPUT
       chains.

  mark
    This module matches the netfilter mark field associated with a packet
    (which can be set using the MARK target below).

    --mark value[/mask]
       Matches packets with the given unsigned mark value (if a mask is
       specified, this is logically ANDed with the mask before the
       comparison).

  multiport
    This module matches a set of source or destination ports. Up to 15
    ports can be specified. It can only be used in conjunction with -p tcp
    or -p udp.

    --source-ports port[,port[,port...]]
       Match if the source port is one of the given ports. The flag --sports
       is a convenient alias for this option.

    --destination-ports port[,port[,port...]]
       Match if the destination port is one of the given ports. The flag
       --dports is a convenient alias for this option.

    --ports port[,port[,port...]]
       Match if both the source and destination ports are equal to each
       other and to one of the given ports.

  owner
    This module attempts to match various characteristics of the packet
    creator, for locally-generated packets. It is only valid in the OUTPUT
    chain, and even there some packets (such as ICMP ping responses) may
    have no owner, and hence never match.

    --uid-owner userid
       Matches if the packet was created by a process with the given
       effective user id.

    --gid-owner groupid
       Matches if the packet was created by a process with the given
       effective group id.

    --pid-owner processid
       Matches if the packet was created by a process with the given process
       id.

    --sid-owner sessionid
       Matches if the packet was created by a process in the given session
       group.

    --cmd-owner name
       Matches if the packet was created by a process with the given command
       name (this option is present only if iptables was compiled under a
       kernel supporting this feature).

  physdev
    This module matches on the bridge port input and output devices
    enslaved to a bridge device. This module is a part of the
    infrastructure that enables a transparent bridging IP firewall and is
    only useful for kernel versions 2.5.44 and above.

    --physdev-in name
       Name of a bridge port via which a packet is received (only for
       packets entering the INPUT, FORWARD and PREROUTING chains). If the
       interface name ends in a "+", then any interface which begins with
       this name will match. If the packet didn't arrive through a bridge
       device, this packet won't match this option, unless '!' is used.

    --physdev-out name
       Name of a bridge port via which a packet is going to be sent (only
       for packets entering the FORWARD, OUTPUT and POSTROUTING chains). If
       the interface name ends in a "+", then any interface which begins
       with this name will match. Note that in the nat and mangle OUTPUT
       chains one cannot match on the bridge output port; however, one can
       in the filter OUTPUT chain. If the packet won't leave by a bridge
       device, or if it is not yet known what the output device will be,
       then the packet won't match this option, unless '!' is used.

    --physdev-is-in
       Matches if the packet has entered through a bridge interface.

    --physdev-is-out
       Matches if the packet will leave through a bridge interface.

    --physdev-is-bridged
       Matches if the packet is being bridged and therefore is not being
       routed. This is only useful in the FORWARD and POSTROUTING chains.

  pkttype
    This module matches the link-layer packet type.

    --pkt-type [unicast|broadcast|multicast]

  state
    This module, when combined with connection tracking, allows access to
    the connection tracking state for this packet.

    --state state
       state is a comma separated list of the connection states to match.
       Possible states are: INVALID, meaning that the packet is associated
       with no known connection; ESTABLISHED, meaning that the packet is
       associated with a connection which has seen packets in both
       directions; NEW, meaning that the packet has started a new
       connection, or is otherwise associated with a connection which has
       not seen packets in both directions; RELATED, meaning that the packet
       is starting a new connection but is associated with an existing
       connection, such as an FTP data transfer or an ICMP error.

  tcp
    These extensions are loaded if `--protocol tcp' is specified. They
    provide the following options:

    [!] --source-port port[:port]
       Source port or port range specification. This can either be a service
       name or a port number. An inclusive range can also be specified,
       using the format port:port. If the first port is omitted, "0" is
       assumed; if the last is omitted, "65535" is assumed. If the first
       port is greater than the second, they will be swapped. The flag
       --sport is a convenient alias for this option.

    [!] --destination-port port[:port]
       Destination port or port range specification. The flag --dport is a
       convenient alias for this option.

    [!] --tcp-flags mask comp
       Match when the TCP flags are as specified. The first argument is the
       flags which we should examine, written as a comma-separated list, and
       the second argument is a comma-separated list of flags which must be
       set. Flags are: SYN ACK FIN RST URG PSH ALL NONE. Hence the command
        iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN
       will only match packets with the SYN flag set and the ACK, FIN and
       RST flags unset.

    [!] --syn
       Only match TCP packets with the SYN bit set and the ACK, RST and FIN
       bits cleared. Such packets are used to request TCP connection
       initiation; for example, blocking such packets coming in an interface
       will prevent incoming TCP connections, but outgoing TCP connections
       will be unaffected. It is equivalent to --tcp-flags SYN,RST,ACK,FIN
       SYN. If the "!" flag precedes "--syn", the sense of the option is
       inverted.

    [!] --tcp-option number
       Match if the given TCP option is set.

    --mss value[:value]
       Match TCP SYN or SYN/ACK packets with the specified MSS value (or
       range). The MSS controls the maximum packet size for that connection.
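    How the mask/comp pair of --tcp-flags is evaluated against a packet's
    flags byte, and how --syn reduces to it, as an added example (not code
    from this man page or from the netfilter project). The flag bit values are
    those of the TCP header; the ValueError for a comp flag outside mask is
    this example's own sanity check.

```python
# TCP flag bits as they appear in the flags byte of the TCP header.
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
ALL_FLAGS = 0x3F


def parse_flag_list(spec):
    """Turn a --tcp-flags argument such as "SYN,ACK,FIN,RST", "ALL" or "NONE"
    into a bit mask."""
    if spec == "ALL":
        return ALL_FLAGS
    if spec == "NONE":
        return 0
    bits = 0
    for name in spec.split(","):
        bits |= TCP_FLAGS[name]        # KeyError for an unknown flag name
    return bits


def tcp_flags_match(mask, comp, packet_flags, invert=False):
    """Evaluate `[!] --tcp-flags mask comp' against a packet's flags byte:
    only the bits named in mask are examined, and those bits must equal
    exactly the set named in comp; bits outside mask are ignored."""
    examined = parse_flag_list(mask)
    wanted = parse_flag_list(comp)
    if wanted & ~examined:
        raise ValueError("comp lists a flag that is not in mask")
    return ((packet_flags & examined) == wanted) != invert


def syn_match(packet_flags, invert=False):
    """`[!] --syn', which the man page defines as
    --tcp-flags SYN,RST,ACK,FIN SYN."""
    return tcp_flags_match("SYN,RST,ACK,FIN", "SYN", packet_flags, invert)


def flags_of(*names):
    """Build a flags byte from flag names (constructed sample packets)."""
    return parse_flag_list(",".join(names)) if names else 0


if __name__ == "__main__":
    # The man page's own example rule: --tcp-flags SYN,ACK,FIN,RST SYN
    for pkt in (flags_of("SYN"), flags_of("SYN", "PSH"), flags_of("SYN", "ACK")):
        print(f"flags=0x{pkt:02x} matches: {tcp_flags_match('SYN,ACK,FIN,RST', 'SYN', pkt)}")
```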

  tos
    This module matches the 8 bits of the Type of Service field in the IP
    header (i.e. including the precedence bits).

    --tos tos
       The argument is either a standard name (use
        iptables -m tos -h
       to see the list) or a numeric value to match.

  ttl
    This module matches the time to live field in the IP header.

    --ttl ttl
       Matches the given TTL value.

  udp
    These extensions are loaded if `--protocol udp' is specified. They
    provide the following options:

    [!] --source-port port[:port]
       Source port or port range specification. See the description of the
       --source-port option of the TCP extension for details.

    [!] --destination-port port[:port]
       Destination port or port range specification. See the description of
       the --destination-port option of the TCP extension for details.

  unclean
    This module takes no options, but attempts to match packets which seem
    malformed or unusual. This is regarded as experimental.

TARGET EXTENSIONS
    iptables can use extended target modules: the following are included in
    the standard distribution.

  DNAT
    This target is only valid in the nat table, in the PREROUTING and
    OUTPUT chains, and in user-defined chains which are only called from
    those chains. It specifies that the destination address of the packet
    should be modified (and all future packets in this connection will also
    be mangled), and that rules should cease being examined. It takes one
    type of option:

    --to-destination ipaddr[-ipaddr][:port-port]
       This can specify a single new destination IP address, or an inclusive
       range of IP addresses, and optionally a port range (which is only
       valid if the rule also specifies -p tcp or -p udp). If no port range
       is specified, then the destination port will never be modified.

       You can add several --to-destination options. If you specify more
       than one destination address, either via an address range or via
       multiple --to-destination options, a simple round-robin (one after
       another in a cycle) load balancing takes place between these
       addresses.

  DSCP
    This target allows altering the value of the DSCP bits within the TOS
    header of the IPv4 packet. As this manipulates a packet, it can only be
    used in the mangle table.

    --set-dscp value
       Set the DSCP field to a numerical value (can be decimal or hex).

    --set-dscp-class class
       Set the DSCP field to a DiffServ class.

  ECN
    This target allows selectively working around known ECN blackholes. It
    can only be used in the mangle table.

    --ecn-tcp-remove
       Remove all ECN bits (translator's note: the ECE/CWR flags) from the
       TCP header. Of course, it can only be used in conjunction with
       -p tcp.

  LOG
    Turn on kernel logging of matching packets. When this option is set for
    a rule, the Linux kernel will print some information on all matching
    packets (like most IP header fields) via the kernel log (where it can be
    read with dmesg or syslogd(8)). This is a "non-terminating target",
    i.e. rule traversal continues at the next rule. So if you want to LOG
    the packets you refuse, use two separate rules with the same matching
    criteria, the first using target LOG and the next using DROP (or
    REJECT).

    --log-level level
       Level of logging (numeric, or see syslog.conf(5) for the names).

    --log-prefix prefix
       Prefix log messages with the specified prefix; up to 29 characters
       long, and useful for distinguishing messages in the logs.

    --log-tcp-sequence
       Log TCP sequence numbers. This is a security risk if the log is
       readable by users.

    --log-tcp-options
       Log options from the TCP packet header.

    --log-ip-options
       Log options from the IP packet header.
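    A model of chain traversal, as an added example (not code from this man
    page or from the netfilter project), that reproduces the semantics given
    in TARGETS and under LOG: ACCEPT/DROP/QUEUE decide the packet's fate at
    once, RETURN resumes in the calling chain, a jump enters a user-defined
    chain, LOG is non-terminating, and a packet that falls off the end of a
    built-in chain gets the chain policy. Rules are (match predicate, target)
    pairs; the chain names, rules and packets below are constructed.

```python
TERMINATING = ("ACCEPT", "DROP", "QUEUE")


class Table:
    def __init__(self):
        self.chains = {}        # chain name -> list of (match, target)
        self.policies = {}      # built-in chain name -> policy target
        self.log_lines = []     # what the LOG target would have written

    def new_chain(self, name, policy=None):
        """-N name; a built-in chain is modelled by giving it a policy (-P)."""
        self.chains[name] = []
        if policy is not None:
            self.policies[name] = policy

    def append(self, chain, match, target):
        """-A chain <match> -j target; match is a predicate over a packet."""
        if target not in TERMINATING + ("RETURN", "LOG") and target not in self.chains:
            raise ValueError(f"unknown target {target}")
        self.chains[chain].append((match, target))

    def _traverse(self, chain, pkt):
        """Walk one chain. Return a terminating verdict, or None when the
        chain is left by RETURN or by reaching its end."""
        for match, target in self.chains[chain]:
            if not match(pkt):
                continue                           # try the next rule
            if target in TERMINATING:
                return target                      # fate decided immediately
            if target == "RETURN":
                return None                        # resume in the calling chain
            if target == "LOG":
                self.log_lines.append(f"{chain}: {pkt}")
                continue                           # non-terminating: keep going
            verdict = self._traverse(target, pkt)  # jump to a user-defined chain
            if verdict is not None:
                return verdict
        return None

    def verdict(self, builtin_chain, pkt):
        """Return (verdict, 'rule' | 'policy') for a packet entering a built-in chain."""
        verdict = self._traverse(builtin_chain, pkt)
        if verdict is None:
            return self.policies[builtin_chain], "policy"
        return verdict, "rule"


def build_filter_example():
    """A small INPUT ruleset: accept established traffic, let a user-defined
    chain decide about SSH, then log and drop the rest with two rules that
    share the same criteria, as the LOG description advises."""
    t = Table()
    t.new_chain("INPUT", policy="DROP")
    t.new_chain("ssh_check")
    t.append("ssh_check", lambda p: p["src"].startswith("192.168.1."), "ACCEPT")
    t.append("ssh_check", lambda p: True, "RETURN")                # back to INPUT
    t.append("INPUT", lambda p: p["state"] == "ESTABLISHED", "ACCEPT")
    t.append("INPUT", lambda p: p["proto"] == "tcp" and p["dport"] == 22, "ssh_check")
    t.append("INPUT", lambda p: p["proto"] == "tcp", "LOG")        # same criteria ...
    t.append("INPUT", lambda p: p["proto"] == "tcp", "DROP")       # ... then DROP
    return t


def run(table, packets):
    """Feed packets through INPUT; return their verdicts and the LOG output."""
    verdicts = [table.verdict("INPUT", p) for p in packets]
    return verdicts, list(table.log_lines)


# Constructed packets, chosen to exercise each path through the ruleset.
SSH_FROM_LAN = {"proto": "tcp", "src": "192.168.1.7", "dport": 22, "state": "NEW"}
SSH_FROM_WAN = {"proto": "tcp", "src": "203.0.113.9", "dport": 22, "state": "NEW"}
UDP_PROBE = {"proto": "udp", "src": "203.0.113.9", "dport": 161, "state": "NEW"}

if __name__ == "__main__":
    verdicts, logged = run(build_filter_example(), [SSH_FROM_LAN, SSH_FROM_WAN, UDP_PROBE])
    for pkt, v in zip((SSH_FROM_LAN, SSH_FROM_WAN, UDP_PROBE), verdicts):
        print(pkt["src"], pkt["proto"], pkt["dport"], "->", v)
    print("logged:", logged)
```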

  MARK
    This is used to set the netfilter mark value associated with the
    packet. It is only valid in the mangle table. It can for example be used
    in conjunction with iproute2.

    --set-mark value[/mask]

  MASQUERADE
    This target is only valid in the nat table, in the POSTROUTING chain.
    It should only be used with dynamically assigned IP (dialup)
    connections: if you have a static IP address, you should use the SNAT
    target. Masquerading is equivalent to specifying a mapping to the IP
    address of the interface the packet is going out of, but also has the
    effect that connections are forgotten when the interface goes down.
    This is the correct behaviour when the next dialup is unlikely to have
    the same interface address (and hence any established connections are
    lost anyway). It takes one option:

    --to-ports port[-port]
       This specifies a range of source ports to use, overriding the default
       SNAT source port selection heuristics (see below under SNAT). This is
       only valid if the rule also specifies -p tcp or -p udp.

  MIRROR
    This is an experimental demonstration target which inverts the source
    and destination fields in the IP header and retransmits the packet. It
    is only valid in the INPUT, FORWARD and PREROUTING chains, and in
    user-defined chains which are only called from those chains. Note that
    the outgoing packets are NOT seen by any packet filtering chains,
    connection tracking or NAT, to avoid loops and other problems.

  REDIRECT
    This target is only valid in the nat table, in the PREROUTING and
    OUTPUT chains, and in user-defined chains which are only called from
    those chains. It alters the destination IP address of the packet to the
    primary address of the machine itself (locally-generated packets are
    mapped to the address 127.0.0.1). It takes one option:

    --to-ports port[-port]
       This specifies a destination port or range of ports to use. Without
       this option, the destination port is never altered. This is only
       valid if the rule also specifies -p tcp or -p udp.

  REJECT
    This is used to send back an error packet in response to the matched
    packet: otherwise it is equivalent to DROP, so it is a terminating
    TARGET, ending rule traversal. This target is only valid in the INPUT,
    FORWARD and OUTPUT chains, and in user-defined chains which are only
    called from those chains. The following option controls the nature of
    the error packet returned:

    --reject-with type
       The type given can be
       icmp-net-unreachable
       icmp-host-unreachable
       icmp-port-unreachable
       icmp-proto-unreachable
       icmp-net-prohibited
       icmp-host-prohibited or
       icmp-admin-prohibited (*)
       which return the appropriate ICMP error message (port-unreachable is
       the default). The option tcp-reset can be used on rules which only
       match the TCP protocol: this causes a TCP RST packet to be sent back.
       This is mainly useful for blocking ident (113/tcp) probes, which
       frequently occur when sending mail to broken mail hosts (which won't
       accept your mail otherwise).

       (*) Using icmp-admin-prohibited with kernels that do not support it
       will result in a plain DROP instead of REJECT.

  SNAT
    This target is only valid in the nat table, in the POSTROUTING chain.
    It specifies that the source address of the packet should be modified
    (and all future packets in this connection will also be mangled), and
    that rules should cease being examined. It takes one type of option:

    --to-source ipaddr[-ipaddr][:port-port]
       This can specify a single new source IP address, or an inclusive
       range of IP addresses, and optionally a port range (which is only
       valid if the rule also specifies -p tcp or -p udp). If no port range
       is specified, then source ports below 512 will be mapped to other
       ports below 512; those between 512 and 1023 inclusive will be mapped
       to ports below 1024; and other ports will be mapped to 1024 or above.
       Where possible, no port alteration will occur.

       You can add several --to-source options. If you specify more than
       one source address, either via an address range or via multiple
       --to-source options, a simple round-robin (one after another in a
       cycle) load balancing takes place between these addresses.

  TCPMSS
    This target allows altering the MSS value of TCP SYN packets, to
    control the maximum size for that connection (usually limiting it to
    your outgoing interface's MTU minus 40). Of course, it can only be used
    in conjunction with -p tcp.

    This target is used to overcome criminally braindead ISPs or servers
    which block ICMP Fragmentation Needed packets. The symptoms of this
    problem are that everything works fine from your Linux firewall/router,
    but machines behind it can never exchange large packets:
    1) Web browsers connect, then hang with no data received.
    2) Small mail works fine, but large emails hang.
    3) ssh works fine, but scp hangs after the initial handshake.
    Workaround: activate this option and add a rule like the following to
    your firewall configuration:
    iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
          -j TCPMSS --clamp-mss-to-pmtu

    --set-mss value
       Explicitly set the MSS option to the specified value.

    --clamp-mss-to-pmtu
       Automatically clamp the MSS value to (path_MTU - 40).

    These options are mutually exclusive.

  TOS
    This is used to set the 8-bit Type of Service field in the IP header.
    It is only valid in the mangle table.

    --set-tos tos
       You can use a numeric TOS value, or one of the valid TOS names from
       the list obtained by running
        iptables -j TOS -h

  ULOG
    This target provides userspace logging of matching packets. When this
    target is set for a rule, the Linux kernel will multicast this packet
    through a netlink socket. One or more userspace processes may then
    subscribe to various multicast groups and receive the packets. Like
    LOG, this is a "non-terminating target", i.e. rule traversal continues
    at the next rule.

    --ulog-nlgroup nlgroup
       This specifies the netlink group (1-32) to which the packet is sent.
       The default value is 1.

    --ulog-prefix prefix
       Prefix log messages with the specified prefix; up to 32 characters
       long, and useful for distinguishing messages in the logs.

    --ulog-cprange size
       Number of bytes to be copied to userspace. A value of 0 always copies
       the entire packet, regardless of its size. The default is 0.

    --ulog-qthreshold size
       Number of packets to queue inside the kernel. Setting this value to,
       e.g., 10 accumulates ten packets inside the kernel and transmits them
       as one netlink multipart message to userspace. The default is 1 (for
       backwards compatibility).

DIAGNOSTICS
    Various error messages are printed to standard error. The exit code is
    0 for correct functioning. Errors which appear to be caused by invalid
    or abused command line parameters cause an exit code of 2, and other
    errors cause an exit code of 1.

BUGS
    Bugs? What's this? ;-) Well... the counters are not reliable on sparc64.

COMPATIBILITY WITH IPCHAINS
    iptables is very similar to ipchains by Rusty Russell. The main
    difference is that the chains INPUT and OUTPUT are only traversed for
    packets coming into the local host and originating from the local host
    respectively. Hence every packet only passes through one of the three
    chains (except loopback traffic, which involves both the INPUT and
    OUTPUT chains); previously (in ipchains) a forwarded packet would pass
    through all three.

    The other main difference is that -i refers to the input interface, -o
    refers to the output interface, and both are available for packets
    entering the FORWARD chain.

    iptables is a pure packet filter when using the default `filter' table,
    with optional extension modules; the various forms of NAT have been
    split off into them. This should simplify much of the previous
    confusion over the combination of IP masquerading and packet filtering
    seen previously. So the options
    -j MASQ
    -M -S
    -M -L
    are handled differently. There are several other changes in iptables.

SEE ALSO
    iptables-save(8), iptables-restore(8), ip6tables(8), ip6tables-save(8),
    ip6tables-restore(8).

    The packet-filtering-HOWTO details iptables usage for packet filtering,
    the NAT-HOWTO details NAT, the netfilter-extensions-HOWTO details the
    extensions that are not in the standard distribution, and the
    netfilter-hacking-HOWTO details the netfilter internals.
    See http://www.netfilter.org/.

AUTHORS
    Rusty Russell wrote iptables, in early consultation with Michael
    Neuling.

    Marc Boucher made Rusty abandon ipnatctl by lobbying for a generic
    packet selection framework in iptables, then wrote the mangle table,
    the owner match, the mark stuff, and ran around doing cool stuff
    everywhere.

    James Morris wrote the TOS target, and the tos match.

    Jozsef Kadlecsik wrote the REJECT target.

    Harald Welte wrote the ULOG target, and the TTL, DSCP and ECN matches
    and targets.

    The Netfilter Core Team is: Marc Boucher, Martin Josefsson, Jozsef
    Kadlecsik, James Morris, Harald Welte and Rusty Russell.

    The man page was written by Herve Eychenne <rv@wallfire.org>.

                                  Mar 09, 2002                      IPTABLES(8)