iptables

IPTABLES(8)                                                        IPTABLES(8)



NAME
       iptables - administration tool for IPv4 packet filtering and NAT

SYNOPSIS
       iptables [-t table] -[AD] chain rule-specification [options]
       iptables [-t table] -I chain [rulenum] rule-specification [options]
       iptables [-t table] -R chain rulenum rule-specification [options]
       iptables [-t table] -D chain rulenum [options]
       iptables [-t table] -[LFZ] [chain] [options]
       iptables [-t table] -N chain
       iptables [-t table] -X [chain]
       iptables [-t table] -P chain target [options]
       iptables [-t table] -E old-chain-name new-chain-name

DESCRIPTION
       iptables is used to set up, maintain, and inspect the tables of IP
       packet filter rules in the Linux kernel. Several different tables may
       be defined. Each table contains a number of built-in chains, and
       user-defined chains can be added as well.

       Each chain is a list of rules which can match a set of packets. Each
       rule specifies what to do with a packet that matches. This is called a
       `target', which may be a jump to a user-defined chain in the same
       table.


TARGETS
       A firewall rule specifies criteria for a packet and a target. If the
       packet does not match, the next rule in the chain is examined; if it
       does match, the next rule is specified by the value of the target,
       which can be the name of a user-defined chain or one of the special
       values ACCEPT, DROP, QUEUE, or RETURN.

       ACCEPT means to let the packet through. DROP means to drop the packet
       on the floor (discard it). QUEUE means to pass the packet to userspace
       (if the kernel supports it). RETURN means to stop traversing this
       chain and resume at the next rule in the previous (calling) chain. If
       the end of a built-in chain is reached, or a rule in a built-in chain
       with target RETURN is matched, the target specified by the chain
       policy determines the fate of the packet.

TABLES
       There are currently three independent tables (which tables are
       present at any time depends on the kernel configuration options and
       on which modules are present).

       -t, --table table
              This option specifies the packet matching table which the
              command should operate on. If the kernel is configured with
              automatic module loading, an attempt will be made to load the
              appropriate module for that table if it is not already there.

              The tables are as follows:

              filter:
                  This is the default table (if no -t option is passed). It
                  contains the built-in chains INPUT (for packets destined
                  to the machine itself), FORWARD (for packets being routed
                  through the machine), and OUTPUT (for locally-generated
                  packets).

              nat:
                  This table is consulted when a packet that creates a new
                  connection is encountered. It consists of three built-in
                  chains: PREROUTING (for altering packets as soon as they
                  come in), OUTPUT (for altering locally-generated packets
                  before routing), and POSTROUTING (for altering packets as
                  they are about to go out).

              mangle:
                  This table is used for specialized packet alteration.
                  Until kernel 2.4.17 it had two built-in chains: PREROUTING
                  (for altering incoming packets before routing) and OUTPUT
                  (for altering locally-generated packets before routing).
                  Since kernel 2.4.18, three other built-in chains are also
                  supported: INPUT (for packets coming into the machine
                  itself), FORWARD (for packets being routed through the
                  machine), and POSTROUTING (for altering packets as they
                  are about to go out).

OPTIONS
       The options that are recognized by iptables can be divided into
       several different groups.

   COMMANDS
       These options specify the specific action to perform. Only one of
       them can be specified on the command line unless otherwise noted
       below. For all the long versions of the command and option names, you
       need to use only enough letters to ensure that iptables can
       differentiate them from all other command and option names.

       -A, --append chain rule-specification
              Append one or more rules to the end of the selected chain.
              When the source and/or destination names resolve to more than
              one address, a rule will be added for each possible address
              combination.

       -D, --delete chain rule-specification
       -D, --delete chain rulenum
              Delete one or more rules from the selected chain. There are
              two versions of this command: the rule can be specified as a
              number in the chain (starting at 1 for the first rule) or as a
              rule to match.

       -I, --insert chain [rulenum] rule-specification
              Insert one or more rules in the selected chain as the given
              rule number. If the rule number is 1, the rule or rules are
              inserted at the head of the chain. This is also the default if
              no rule number is specified.

       -R, --replace chain rulenum rule-specification
              Replace a rule in the selected chain. If the source and/or
              destination names resolve to multiple addresses, the command
              will fail. Rules are numbered starting at 1.

       -L, --list [chain]
              List all rules in the selected chain. If no chain is selected,
              all chains are listed. As with every other iptables command,
              it applies to the specified table (filter is the default), so
              NAT rules get listed by
               iptables -t nat -n -L
              It is often used with the -n option in order to avoid reverse
              DNS lookups. The -Z (zero) option may also be given, in which
              case the chain(s) will be listed element by element and the
              counters (translator's note: the packet and byte counters)
              zeroed. The exact output is affected by the other arguments
              given. The actual rules themselves are not shown unless you
              specify the -v option, as in
               iptables -L -v

       -F, --flush [chain]
              Flush the selected chain (all the chains in the table if none
              is given). This is equivalent to deleting all the rules one by
              one.

       -Z, --zero [chain]
              Zero the packet and byte counters in all chains. It may be
              given with the -L, --list (list) option so that the counters
              can be seen immediately before they are cleared (see above).

       -N, --new-chain chain
              Create a new user-defined chain with the given name. There
              must be no target of that name already.

       -X, --delete-chain [chain]
              Delete the specified user-defined chain. There must be no
              references to the chain; the rules that refer to it must be
              deleted or replaced before the chain can be deleted. If no
              argument is given, every chain in the table that is not a
              built-in chain is deleted.

       -P, --policy chain target
              Set the policy for the chain to the given target. See the
              TARGETS section for the legal targets. Only built-in (not
              user-defined) chains can have policies, and neither built-in
              nor user-defined chains can be policy targets.

       -E, --rename-chain old-chain new-chain
              Rename the user-defined chain to the given name. This is
              cosmetic and has no effect on the structure of the table.

       -h     Help. Give a (currently very brief) description of the command
              syntax.

   PARAMETERS
       The following parameters make up a rule specification (as used in the
       add, delete, insert, replace and append commands).

       [!] -p, --protocol protocol
              The protocol of the rule or of the packet to check. The
              specified protocol can be one of tcp, udp, icmp, or all, or it
              can be a numeric value representing one of these or a
              different protocol. A protocol name from /etc/protocols is
              also allowed. A "!" argument before the protocol inverts the
              test. The number 0 is equivalent to all. Protocol all will
              match with all protocols and is taken as the default when this
              option is omitted.

       [!] -s, --source address[/mask]
              Source specification. address can be either a hostname (note
              that specifying any name to be resolved with a remote query
              such as DNS is a really bad idea), a network IP address (with
              /mask), or a plain IP address. The mask can be either a
              network mask or a plain number specifying the number of 1's at
              the left side of the network mask. Thus, a mask of 24 is
              equivalent to 255.255.255.0. A "!" argument before the address
              specification inverts the sense of the address. The flag --src
              is an alias for this option.

       [!] -d, --destination address[/mask]
              Destination specification. See the description of the -s
              (source) flag for a detailed description of the syntax. The
              flag --dst is an alias for this option.

       -j, --jump target
              This specifies the target of the rule, i.e., what to do if the
              packet matches it. The target can be a user-defined chain
              (other than the one this rule is in), one of the special
              built-in targets which decide the fate of the packet
              immediately, or an extension (see TARGET EXTENSIONS below). If
              this option is omitted in a rule, then matching the rule will
              have no effect on the packet's fate, but the counters on the
              rule will be incremented.

       [!] -i, --in-interface name
              Name of an interface via which a packet is going to be
              received (only for packets entering the INPUT, FORWARD and
              PREROUTING chains). When the "!" argument is used before the
              interface name, the sense is inverted. If the interface name
              ends in a "+", then any interface which begins with this name
              will match. If this option is omitted, any interface name will
              match.

       [!] -o, --out-interface name
              Name of an interface via which a packet is going to be sent
              (only for packets entering the FORWARD, OUTPUT and POSTROUTING
              chains). When the "!" argument is used before the interface
              name, the sense is inverted. If the interface name ends in a
              "+", then any interface which begins with this name will
              match. If this option is omitted, any interface name will
              match.

       [!] -f, --fragment
              This means that the rule only refers to second and further
              fragments of fragmented packets. Since there is no way to tell
              the source or destination ports (or the ICMP type) of such a
              packet, such a packet will not match any rules which specify
              them. When the "!" argument precedes the "-f" flag, the rule
              will only match head fragments, or unfragmented packets.

       -c, --set-counters PKTS BYTES
              This enables the administrator to initialize the packet and
              byte counters of a rule (during insert, append and replace
              operations).

   OTHER OPTIONS
       The following additional options can be specified:

       -v, --verbose
              Verbose output. This option makes the list command show the
              interface name, the rule options (if any), and the TOS masks.
              The packet and byte counters are also listed, with the
              suffixes 'K', 'M' and 'G' for 1000, 1,000,000 and
              1,000,000,000 multipliers respectively (but see the -x flag to
              change this). When applied to the append, insert, delete and
              replace commands, this option causes detailed information on
              the rule or rules to be printed.

       -n, --numeric
              Numeric output. IP addresses and port numbers will be printed
              in numeric format. By default, iptables will try to display
              them as host names, network names, or service names (whenever
              possible).

       -x, --exact
              Expand numbers. Display the exact value of the packet and byte
              counters, instead of only the rounded number in K's
              (multiples of 1000), M's (multiples of 1000K) or G's
              (multiples of 1000M). This option is only relevant for the -L
              command.

       --line-numbers
              When listing rules, add line numbers to the beginning of each
              rule, corresponding to that rule's position in the chain.

       --modprobe=command
              When adding or inserting rules into a chain, use command to
              load any necessary modules (targets, match extensions, etc.).

MATCH EXTENSIONS
       iptables can use extended packet matching modules. These are loaded
       in two ways: implicitly, when -p or --protocol is specified, or with
       the -m or --match option followed by the matching module name. After
       the module has been named, various extra command line options become
       available, depending on the specific module. Multiple extension match
       modules can be specified in one line, and you can use the -h or
       --help option after the module has been specified to receive help
       specific to that module.

       The following extensions are included in the base package, and most
       of these can be preceded by a ! to invert the sense of the match.

   ah
       This module matches the SPI value in the AH header of IPSec packets.

       [!] --ahspi spi[:spi]

   conntrack
       This module, when combined with connection tracking, allows access to
       more connection tracking information about a packet than the "state"
       match does (this module is present only if iptables was compiled
       under a kernel supporting this feature).

       --ctstate state
              state is a comma separated list of the connection states to
              match. Possible states are INVALID, meaning that the packet
              could not be identified for some reason, such as running out
              of memory or an ICMP error which does not correspond to any
              known connection; ESTABLISHED, meaning that the packet is
              associated with a connection which has seen packets in both
              directions; NEW, meaning that the packet has started a new
              connection, or is otherwise associated with a connection which
              has not seen packets in both directions; RELATED, meaning that
              the packet is starting a new connection, but is associated
              with an existing connection, such as an FTP data transfer or
              an ICMP error; SNAT, a virtual state, matching if the original
              source address differs from the reply destination; and DNAT, a
              virtual state, matching if the original destination differs
              from the reply source.

       --ctproto proto
              Match the protocol (by name or number).

       [!] --ctorigsrc address[/mask]
              Match the original source address.

       [!] --ctorigdst address[/mask]
              Match the original destination address.

       [!] --ctreplsrc address[/mask]
              Match the reply source address.

       [!] --ctrepldst address[/mask]
              Match the reply destination address.

       --ctstatus [NONE|EXPECTED|SEEN_REPLY|ASSURED][,...]
              Match the internal connection tracking status.

       --ctexpire time[:time]
              Match the remaining lifetime in seconds, either as a single
              value or as a range (inclusive).

   dscp
       This module matches the 6 bit DSCP field within the TOS field in the
       IP header. DSCP has superseded TOS within the IETF.

       --dscp value
              Match against a numeric (decimal or hex) value [0-63].

       --dscp-class DiffServ Class
              Match the DiffServ class. The value may be any of the BE, EF,
              AFxx or CSx classes, which is equivalent to specifying the
              corresponding numeric value.

   esp
       This module matches the SPI value in the ESP header of IPSec packets.

       [!] --espspi spi[:spi]

   helper
       This module matches packets related to a specific connection
       tracking helper module.

       --helper string
              Match packets related to the specified connection tracking
              helper module.

              For packets related to an ftp session on the default port,
              string can be "ftp". For other ports append "-portnr" to the
              value, i.e. "ftp-2121".

              The same rule applies to the other connection tracking
              helpers.

   icmp
       This extension is loaded if `--protocol icmp' is specified. It
       provides the following option:

       [!] --icmp-type typename
              This allows specification of the ICMP type, which can be a
              numeric ICMP type, or one of the ICMP type names shown by the
              command
               iptables -p icmp -h

   length
       This module matches the length of a packet against a specific value
       or range of values.

       --length length[:length]

   limit
       This module matches at a limited rate using a token bucket filter. A
       rule using this extension will match until this limit is reached
       (unless the `!' flag is used). It can be used in combination with
       the LOG target to give limited logging, for example.

       --limit rate
              Maximum average matching rate: specified as a number, with an
              optional `/second', `/minute', `/hour', or `/day' suffix; the
              default is 3/hour.

       --limit-burst number
              Maximum initial number of packets to match: this number gets
              recharged by one every time the limit specified above is not
              reached, up to this number; the default is 5.

   mac
       [!] --mac-source address
              Match the source MAC address. It must be of the form
              XX:XX:XX:XX:XX:XX. Note that this only makes sense for packets
              coming from an Ethernet device and entering the PREROUTING,
              FORWARD or INPUT chains.

   mark
       This module matches the netfilter mark field associated with a packet
       (which can be set using the MARK target below).

       --mark value[/mask]
              Matches packets with the given unsigned mark value (if a mask
              is specified, this is logically ANDed with the mask before the
              comparison).

   multiport
       This module matches a set of source or destination ports. Up to 15
       ports can be specified. It can only be used in conjunction with -p
       tcp or -p udp.

       --source-ports port[,port[,port...]]
              Match if the source port is one of the given ports. The flag
              --sports is a convenient alias for this option.

       --destination-ports port[,port[,port...]]
              Match if the destination port is one of the given ports. The
              flag --dports is a convenient alias for this option.

       --ports port[,port[,port...]]
              Match if the source and destination ports are equal to each
              other and to one of the given ports.

   owner
       This module attempts to match various characteristics of the packet
       creator, for locally-generated packets. It is only valid in the
       OUTPUT chain, and even then some packets (such as ICMP ping
       responses) have no owner, and hence never match.

       --uid-owner userid
              Matches if the packet was created by a process with the given
              effective user id.

       --gid-owner groupid
              Matches if the packet was created by a process with the given
              effective group id.

       --pid-owner processid
              Matches if the packet was created by a process with the given
              process id.

       --sid-owner sessionid
              Matches if the packet was created by a process in the given
              session group.

       --cmd-owner name
              Matches if the packet was created by a process with the given
              command name (this option is present only if iptables was
              compiled under a kernel supporting this feature).

   physdev
       This module matches on the bridge port input and output devices
       enslaved to a bridge device. This module is a part of the
       infrastructure that enables a transparent bridging IP firewall and
       is only useful for kernel versions 2.5.44 and above.

       --physdev-in name
              Name of a bridge port via which a packet is received (only for
              packets entering the INPUT, FORWARD and PREROUTING chains). If
              the interface name ends in a "+", then any interface which
              begins with this name will match. If the packet did not arrive
              through a bridge device, it will not match this option unless
              '!' is used.

       --physdev-out name
              Name of a bridge port via which a packet is going to be sent
              (only for packets entering the FORWARD, OUTPUT and POSTROUTING
              chains). If the interface name ends in a "+", then any
              interface which begins with this name will match. Note that in
              the OUTPUT chains of the nat and mangle tables one cannot
              match on the bridge output port; in the OUTPUT chain of the
              filter table one can. If the packet will not leave by a bridge
              device, or it is not yet known what the output device will be,
              then the packet will not match this option unless '!' is
              used.

       --physdev-is-in
              Matches if the packet has entered through a bridge interface.

       --physdev-is-out
              Matches if the packet is about to leave through a bridge
              interface.

       --physdev-is-bridged
              Matches if the packet is being bridged and therefore is not
              being routed. This is only useful in the FORWARD and
              POSTROUTING chains.

   pkttype
       This module matches the link-layer packet type.

       --pkt-type [unicast|broadcast|multicast]

   state
       This module, when combined with connection tracking, allows access to
       the connection tracking state for the packet.

       --state state
              state is a comma separated list of the connection states to
              match. Possible states are INVALID, meaning that the packet is
              associated with no known connection; ESTABLISHED, meaning that
              the packet is associated with a connection which has seen
              packets in both directions; NEW, meaning that the packet has
              started a new connection, or is otherwise associated with a
              connection which has not seen packets in both directions; and
              RELATED, meaning that the packet is starting a new connection,
              but is associated with an existing connection, such as an FTP
              data transfer or an ICMP error.

   tcp
       These extensions are loaded if `--protocol tcp' is specified. They
       provide the following options:

       [!] --source-port port[:port]
              Source port or port range specification. This can either be a
              service name or a port number. An inclusive range can also be
              specified, using the format port:port. If the first port is
              omitted, "0" is assumed; if the last is omitted, "65535" is
              assumed. If the first port is greater than the second one they
              will be swapped. The flag --sport is a convenient alias for
              this option.

       [!] --destination-port port[:port]
              Destination port or port range specification. The flag --dport
              is a convenient alias for this option.

       [!] --tcp-flags mask comp
              Match when the TCP flags are as specified. The first argument
              is the flags which we should examine, written as a
              comma-separated list, and the second argument is a
              comma-separated list of flags which must be set. Flags are:
              SYN ACK FIN RST URG PSH ALL NONE. Hence the command
               iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN
              will only match packets with the SYN flag set, and the ACK,
              FIN and RST flags unset.

       [!] --syn
              Only match TCP packets with the SYN bit set and the ACK, RST
              and FIN bits cleared. Such packets are used to request TCP
              connection initiation; for example, blocking such packets
              coming in an interface will prevent incoming TCP connections,
              but outgoing TCP connections will be unaffected. It is
              equivalent to --tcp-flags SYN,RST,ACK,FIN SYN. If the "!"
              flag precedes "--syn", packets that do not meet this condition
              are matched.

       [!] --tcp-option number
              Match if the given TCP option is set.

       --mss value[:value]
              Match TCP SYN or SYN/ACK packets with the specified MSS value
              (or range). The MSS controls the maximum packet size for that
              connection.
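
As an added illustration, not part of the man page, the POSIX shell functions below reproduce the --tcp-flags rule described above: a packet matches when the flags named in mask, taken from the packet, are exactly the flags named in comp. The bit values are the standard TCP header flag bits; the function names and the sample flag sets are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the man page: evaluate "--tcp-flags MASK COMP"
# against a packet's flag set. A rule matches when (packet_flags AND mask)
# equals comp, which is why "--tcp-flags SYN,RST SYN" (the TCPMSS example)
# also matches SYN/ACK packets while "--tcp-flags SYN,ACK,FIN,RST SYN"
# (what --syn means) does not. Function names are constructed.

# Map one iptables flag name to its TCP header bit.
flag_bit() {
    case "$1" in
        FIN)  echo 1 ;;
        SYN)  echo 2 ;;
        RST)  echo 4 ;;
        PSH)  echo 8 ;;
        ACK)  echo 16 ;;
        URG)  echo 32 ;;
        ALL)  echo 63 ;;
        NONE) echo 0 ;;
        *)    echo "unknown TCP flag: $1" >&2; return 1 ;;
    esac
}

# Turn a comma-separated flag list such as "SYN,ACK" into a bitmask.
# The body is a subshell so the IFS change does not leak to the caller.
flags_to_mask() (
    IFS=,
    mask=0
    for name in $1; do
        bit=$(flag_bit "$name") || exit 1
        mask=$(( mask | bit ))
    done
    echo "$mask"
)

# tcp_flags_match MASK COMP PKTFLAGS
# Returns 0 when a rule "--tcp-flags MASK COMP" would match a packet whose
# set flags are PKTFLAGS, 1 when it would not, 2 on an unknown flag name.
tcp_flags_match() {
    mask=$(flags_to_mask "$1") || return 2
    comp=$(flags_to_mask "$2") || return 2
    pkt=$(flags_to_mask "$3") || return 2
    # Bits outside the mask are ignored, exactly as the kernel match does.
    [ $(( pkt & mask )) -eq "$comp" ]
}

# Equivalent of the --syn match: SYN set, ACK, RST and FIN clear.
syn_match() {
    tcp_flags_match SYN,RST,ACK,FIN SYN "$1"
}

# Demonstration over a few constructed packet flag sets; needs no kernel access.
for flags in SYN SYN,ACK SYN,PSH ACK FIN,ACK; do
    if syn_match "$flags"; then s=match; else s=no; fi
    if tcp_flags_match SYN,RST SYN "$flags"; then c=match; else c=no; fi
    printf '%-8s --syn: %-5s  --tcp-flags SYN,RST SYN: %s\n' "$flags" "$s" "$c"
done
```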

   tos
       This module matches the 8 bits of the Type of Service field in the IP
       header (i.e. including the low-order bits).

       --tos tos
              The argument is either a standard name (use
               iptables -m tos -h
              to see the list), or a numeric value to match.

   ttl
       This module matches the time to live field in the IP header.

       --ttl ttl
              Matches the given TTL value.

   udp
       These extensions are loaded if `--protocol udp' is specified. They
       provide the following options:

       [!] --source-port port[:port]
              Source port or port range specification. See the description
              of the --source-port option of the TCP extension for details.

       [!] --destination-port port[:port]
              Destination port or port range specification. See the
              description of the --destination-port option of the TCP
              extension for details.

   unclean
       This module takes no options, but attempts to match packets which
       seem odd or malformed. This is regarded as experimental.

TARGET EXTENSIONS
       iptables can use extended target modules: the following are included
       in the standard distribution.

   DNAT
       This target is only valid in the nat table, in the PREROUTING and
       OUTPUT chains, and user-defined chains which are only called from
       those chains. It specifies that the destination address of the
       packet should be modified (and all future packets in this connection
       will also be mangled), and that rules should cease being examined. It
       takes one type of option:

       --to-destination ipaddr[-ipaddr][:port-port]
              which can specify a single new destination IP address, an
              inclusive range of IP addresses, and optionally, a port range
              (which is only valid if the rule also specifies -p tcp or -p
              udp). If no port range is specified, then the destination
              port will never be modified.

              You can add several --to-destination options. If you specify
              more than one destination address, either via an address range
              or via multiple --to-destination options, a simple round-robin
              (cycling through them in turn) takes place between these
              addresses.

   DSCP
       This target allows the value of the DSCP bits within the TOS header
       of the IPv4 packet to be altered. As this manipulates a packet, it
       can only be used in the mangle table.

       --set-dscp value
              Set the DSCP field to a numerical value (decimal or hex).

       --set-dscp-class class
              Set the DSCP field to a DiffServ class.

   ECN
       This target makes it possible to work around ECN blackhole problems.
       It can only be used in the mangle table.

       --ecn-tcp-remove
              Remove all ECN bits (translator's note: the ECE/CWR flags)
              from the TCP header. Of course, it can only be used in
              conjunction with -p tcp.

   LOG
       Turn on kernel logging of matching packets. When this option is set
       for a rule, the Linux kernel will print some information on all
       matching packets (like most IP header fields) via the kernel log
       (where it can be read with dmesg or syslogd(8)). This is a
       "non-terminating target", i.e. rule traversal continues at the next
       rule. So if you want to LOG the packets you refuse, use two separate
       rules with the same matching criteria, the first using target LOG and
       the second using DROP (or REJECT).

       --log-level level
              Level of logging (numeric, or see syslog.conf(5) for names).

       --log-prefix prefix
              Prefix log messages with the specified prefix; up to 29
              characters long, and useful for distinguishing messages in the
              logs.

       --log-tcp-sequence
              Log TCP sequence numbers. This is a security risk if the log
              is readable by users.

       --log-tcp-options
              Log options from the TCP packet header.

       --log-ip-options
              Log options from the IP packet header.
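
As an added example, not from the man page, the shell functions below print an INPUT ruleset that combines the state match, --syn, multiport, the limit match and the LOG-then-DROP pair described above. The interface name, port list, log prefix and rate values are constructed placeholders, and the functions only print the iptables commands so they can be reviewed before being run.

```shell
#!/bin/sh
# Added example, not from the man page: generate (but do not apply) an INPUT
# ruleset that logs refused packets with LOG and then drops them, as the LOG
# section describes. The interface, ports, log prefix and limit rate below
# are constructed placeholders.

# log_and_drop CHAIN PREFIX MATCH...
# LOG is a non-terminating target, so the DROP rule repeats the same match.
log_and_drop() {
    chain=$1; prefix=$2; shift 2
    # --log-prefix accepts at most 29 characters; reject longer ones early.
    if [ "${#prefix}" -gt 29 ]; then
        echo "log prefix longer than 29 characters: '$prefix'" >&2
        return 1
    fi
    # The limit match caps logging at 5 lines per minute (burst 10) so a
    # flood of refused packets cannot fill the kernel log.
    printf 'iptables -A %s %s -m limit --limit 5/minute --limit-burst 10 -j LOG --log-prefix "%s"\n' \
        "$chain" "$*" "$prefix"
    printf 'iptables -A %s %s -j DROP\n' "$chain" "$*"
}

# input_ruleset IFACE TCPPORTS
#   IFACE     interface name for -i (a trailing "+" matches a name prefix)
#   TCPPORTS  comma-separated TCP ports (at most 15, as multiport allows)
input_ruleset() {
    iface=$1; ports=$2
    echo 'iptables -F INPUT'
    # Replies to connections this host opened, plus related traffic such as
    # ICMP errors and FTP data connections.
    echo 'iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # New connections are accepted only as connection requests (--syn) to
    # the listed ports; multiport requires -p tcp.
    echo "iptables -A INPUT -i $iface -p tcp --syn -m state --state NEW -m multiport --dports $ports -j ACCEPT"
    # Packets that belong to no known connection are dropped without logging.
    echo 'iptables -A INPUT -m state --state INVALID -j DROP'
    # Everything else arriving on the interface is logged (rate-limited) and dropped.
    log_and_drop INPUT "INPUT-DROP: " -i "$iface"
    # The policy is set last so the ACCEPT rules are in place before it applies.
    echo 'iptables -P INPUT DROP'
}

# Print the ruleset for review; nothing here touches the kernel.
input_ruleset 'eth0' '22,80'
```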

   MARK
       This is used to set the netfilter mark value associated with the
       packet. It is only valid in the mangle table. It can, for example, be
       used in conjunction with iproute2.

       --set-mark value[/mask]

   MASQUERADE
       This target is only valid in the nat table, in the POSTROUTING chain.
       It should only be used with dynamically assigned IP (dialup)
       connections: if you have a static IP address, you should use the SNAT
       target. Masquerading is equivalent to specifying a mapping to the IP
       address of the interface the packet is going out, but also has the
       effect that connections are forgotten when the interface goes down.
       This is the correct behaviour when the next dialup is unlikely to
       have the same interface address (and hence any established
       connections are lost anyway). It takes one option:

       --to-ports port[-port]
              This specifies a range of source ports to use, overriding the
              default SNAT source port-selection heuristics (see above).
              This is only valid if the rule also specifies -p tcp or -p
              udp.

   MIRROR
       This is an experimental demonstration target which inverts the
       source and destination fields in the IP header and retransmits the
       packet. It is only valid in the INPUT, FORWARD and PREROUTING chains,
       and user-defined chains which are only called from those chains. Note
       that the outgoing packets are not seen by any packet filtering
       chains, connection tracking or NAT, to avoid loops and other
       problems.

   REDIRECT
       This target is only valid in the nat table, in the PREROUTING and
       OUTPUT chains, and user-defined chains which are only called from
       those chains. It alters the destination IP address of the packet to
       the machine's own IP address (locally-generated packets are mapped to
       the address 127.0.0.1). It takes one option:

       --to-ports port[-port]
              This specifies a destination port, range of ports, or set of
              ports to use. Without this, the destination port is never
              altered. This is only valid if the rule also specifies -p tcp
              or -p udp.

   REJECT
       This is used to send back an error packet in response to the matched
       packet: otherwise it is equivalent to DROP, so it is a terminating
       TARGET, ending rule traversal. This target is only valid in the
       INPUT, FORWARD and OUTPUT chains, and user-defined chains which are
       only called from those chains. The following option controls the
       nature of the error packet returned:

       --reject-with type
              The type given can be
              icmp-net-unreachable
              icmp-host-unreachable
              icmp-port-unreachable
              icmp-proto-unreachable
              icmp-net-prohibited
              icmp-host-prohibited or
              icmp-admin-prohibited (*)
              which return the appropriate ICMP error message
              (port-unreachable is the default). The option tcp-reset can
              be used on rules which only match the TCP protocol: this
              causes a TCP RST packet to be sent back. This is mainly useful
              for blocking ident (113/tcp) probes, which frequently occur
              when sending mail to broken mail hosts (which will not accept
              your mail otherwise).

              (*) Using icmp-admin-prohibited with kernels that do not
              support it will result in a plain DROP instead of REJECT.

   SNAT
       This target is only valid in the nat table, in the POSTROUTING chain.
       It specifies that the source address of the packet should be modified
       (and all future packets in this connection will also be mangled), and
       that rules should cease being examined. It takes one type of option:

       --to-source ipaddr[-ipaddr][:port-port]
              which can specify a single new source IP address, an inclusive
              range of IP addresses, and optionally, a port range (which is
              only valid if the rule also specifies -p tcp or -p udp). If no
              port range is specified, then source ports below 512 will be
              mapped to other ports below 512; those between 512 and 1023
              inclusive will be mapped to ports below 1024; and other ports
              will be mapped to 1024 or above. Where possible, no port
              alteration will occur.

              You can add several --to-source options. If you specify more
              than one source address, either via an address range or via
              multiple --to-source options, a simple round-robin (cycling
              through them in turn) takes place between these addresses.

   TCPMSS
       This target allows the MSS value of TCP SYN packets to be altered, to
       control the maximum size for that connection (usually limiting it to
       the outgoing interface's MTU minus 40). Of course, it can only be
       used in conjunction with -p tcp.
       This target is used to overcome criminally brain-dead ISPs or servers
       which block ICMP Fragmentation Needed packets. The symptoms of this
       problem are that everything works fine from your Linux
       firewall/router, but machines behind it can never exchange large
       packets:
        1) Web browsers connect, then hang with no data received.
        2) Small mail works fine, but large emails hang.
        3) ssh works fine, but scp hangs after the initial handshake.
       Workaround: activate this option and add a rule like the following
       to your firewall configuration:
        iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
                    -j TCPMSS --clamp-mss-to-pmtu

       --set-mss value
              Explicitly set the MSS option to the specified value.

       --clamp-mss-to-pmtu
              Automatically clamp the MSS value to (path_MTU - 40).

       These options are mutually exclusive.

   TOS
       This is used to set the 8-bit Type of Service field in the IP header.
       It is only valid in the mangle table.

       --set-tos tos
              You can use a numeric TOS value, or use
               iptables -j TOS -h
              to see the list of valid TOS names and specify one of them.

   ULOG
       This target provides userspace logging of matching packets. When this
       target is set for a rule, the Linux kernel will multicast the packet
       through a netlink socket. One or more userspace processes may then
       subscribe to various multicast groups and receive the packets. Like
       LOG, this is a "non-terminating target", i.e. rule traversal
       continues at the next rule.

       --ulog-nlgroup nlgroup
              This specifies the netlink group (1-32) to which the packet is
              sent. The default value is 1.

       --ulog-prefix prefix
              Prefix log messages with the specified prefix; up to 32
              characters long, and useful for distinguishing messages in
              the logs.

       --ulog-cprange size
              Number of bytes to be copied to userspace. A value of 0
              always copies the entire packet, regardless of its size. The
              default is 0.

       --ulog-qthreshold size
              Number of packets to queue inside the kernel. Setting this
              value to, e.g., 10 accumulates ten packets inside the kernel
              and transmits them as one netlink multipart message to
              userspace. The default is 1 (for backwards compatibility).

RETURN VALUE
       Various error messages are printed to standard error. The exit code
       is 0 for correct functioning. Errors which appear to be caused by
       invalid command line parameters cause an exit code of 2, and other
       errors cause an exit code of 1.

BUGS
       Bugs? What's this? ;-) Well... the counters are not reliable on
       sparc64.

COMPATIBILITY WITH IPCHAINS
       iptables is very similar to ipchains by Rusty Russell. The main
       difference is that the chains INPUT and OUTPUT are only traversed for
       packets coming into the local host and originating from the local
       host respectively. Hence every packet only passes through one of the
       three chains (except loopback traffic, which involves both the INPUT
       and OUTPUT chains); previously (with ipchains) a forwarded packet
       would pass through all three.

       The other main difference is that -i refers to the input interface,
       -o refers to the output interface, and both are available for packets
       entering the FORWARD chain.

       With the various forms of NAT split out, and when using the default
       `filter' table with optional extension modules, iptables is a pure
       packet filter. This simplifies much of the previous confusion over
       the combination of IP masquerading and packet filtering. So the
       options
        -j MASQ
        -M -S
        -M -L
       are handled differently. There are several other changes in
       iptables.

SEE ALSO
       iptables-save(8), iptables-restore(8), ip6tables(8), ip6tables-save(8),
       ip6tables-restore(8).

       The packet-filtering-HOWTO details iptables usage for packet
       filtering, the NAT-HOWTO details NAT, the
       netfilter-extensions-HOWTO details the extensions that are not in the
       standard distribution, and the netfilter-hacking-HOWTO details the
       internals.
       See http://www.netfilter.org/.

AUTHORS
       Rusty Russell wrote iptables, in early consultation with Michael
       Neuling.

       Marc Boucher made Rusty abandon ipnatctl by lobbying for a generic
       packet selection framework in iptables, then wrote the mangle table,
       the owner match and the mark stuff, and wrote excellent code that is
       used all over the place.

       James Morris wrote the TOS target and the tos match.

       Jozsef Kadlecsik wrote the REJECT target.

       Harald Welte wrote the ULOG target, and the TTL, DSCP and ECN matches
       and targets.

       The Netfilter Core Team is: Marc Boucher, Martin Josefsson, Jozsef
       Kadlecsik, James Morris, Harald Welte and Rusty Russell.

       Man page written by Herve Eychenne <rv@wallfire.org>.



                                 Mar 09, 2002                      IPTABLES(8)