Docbook Sgml/Netfilter-extensions-TRANS

Netfilter Extensions HOWTO

Fabrice MARIE

Translated by 정두기

This document explains how to install and use the iptables extensions for netfilter.

Revision History
Revision 0.1   2002-01-28   Revised by: 정두기 (darimtech.com)
    Initial version

1. Introduction

Hi. This document is my opportunity to thank all the people who spend their time using netfilter, reporting bugs, testing, and developing it.

This HOWTO assumes that you have read and understood Rusty's Linux 2.4 Packet Filtering HOWTO. It also assumes that you can configure, compile and install a kernel properly.

The iptables distribution includes, besides the extensions meant for ordinary users, extensions for experimental users and extensions that depend on kernel patches. These are not compiled by default unless you ask for them.

The goal of this HOWTO is to help people who are getting started with installing the netfilter extensions and with their basic handling.

(C) 2001 Fabrice MARIE. Distributed under the terms of the GNU GPL.


2. Patch-O-Matic

2.1. What is Patch-O-Matic?

The iptables Makefile includes a facility called `patch-o-matic' (or `p-o-m'). p-o-m guides you through the process of selecting the patches you want, and patches the kernel for you automatically.

First, you should get the latest CVS tree, to be sure you are using the most recent extensions. To do so:

# cvs -d :pserver:cvs@pserver.samba.org:/cvsroot login
# cvs -z3 -d :pserver:cvs@pserver.samba.org:/cvsroot co netfilter

This creates a top-level directory `netfilter/' and checks the files out into it.

Make sure the kernel source is already in `/usr/src/linux/'. Check that its dependencies have been built, and if not:

# cd /usr/src/linux/
# make dep

Then change to the netfilter `userspace/' directory, from where p-o-m can be invoked.


2.2. Running Patch-O-Matic

From the `userspace/' directory, run p-o-m:

# make patch-o-matic

Welcome to Rusty's Patch-o-matic!

Each patch is a new feature: many have minimal impact, some do not.
Almost every one has bugs, so I don't recommend applying them all!
-------------------------------------------------------

Already applied: 2.4.1 2.4.4
Testing... name_of_the_patch NOT APPLIED ( 2 missing files)
The name_of_the_patch patch:
	Here usually is the help text describing what
	the patch is for, what you can expect from it,
	and what you should not expect from it.
	Do you want to apply this patch [N/y/t/f/q/?]

p-o-m walks through all the relevant patches. Those already applied are listed on the first line, `Already applied:'. For each of the others, the patch name and a short description are displayed. p-o-m also reports how it got on: `NOT APPLIED ( n missing files)' means the patch has not been applied yet, whereas `NOT APPLIED ( n rejects out of n hunks)' generally means that:

  1. the patch did not apply cleanly, or...

  2. ...the patch is already included in the kernel you are trying to patch.

Finally, a prompt asks you to decide whether or not to apply the patch.

  • If you do not want to apply the patch, just press enter.

  • Press `y' if you want p-o-m to test and apply the patch. If the test fails, you are asked to confirm once more; otherwise the patch is applied and its name appears on the `Already applied' line.

  • Press `t' to test whether the patch applies cleanly.

  • Press `f' to force p-o-m to apply the patch.

  • Finally, press `q' to quit p-o-m.

Experience says: read the short description of each patch carefully before actually applying it. There are currently a lot of official patches in patch-o-matic (and probably even more unofficial ones), so applying them all is not recommended! Consider applying only the patches you want, even if that means recompiling netfilter when you need more.

A new flavour of patch-o-matic has recently been created. It shows not only the patches that apply cleanly, but also all the other patches that do not apply. To run it:

# make most-of-pom

It behaves exactly like patch-o-matic with respect to the relevant patches and the way you interact with it. Avoid using the `developer-only' patches.


2.3. What to do next?

Once you have applied all the patches you want, the next step is to recompile and install the kernel. This HOWTO does not explain how to do that; see the Linux Kernel HOWTO instead.

While reconfiguring the kernel, you will see new options under ``Networking Options -> Netfilter Configuration''. Select the options you need, then recompile and install the kernel.

Once the kernel is installed, compile and install the ``iptables'' package from the `userspace/' directory:

# make all install

The new iptables package is now installed! Time to use the new features.


3. New netfilter matches

In this section we explain the usage of the new netfilter matches. The patches appear in alphabetical order. Patches that break other patches are not explained here; that may be included in a future version of this document.

Generally speaking, you can get hints on a particular match module by typing:

# iptables -m the_match_you_want --help

This displays the normal iptables help message, plus the help for ``the_match_you_want'' appended at the end.


3.1. ah-esp patch

This patch by Yon Uriarte <yon@astaro.de> adds 2 new matches:

  • ``ah'' : lets you match AH packets based on their Security Parameter Index (SPI).

  • ``esp'' : lets you match ESP packets based on their SPI.

This patch can be useful for people using IPSEC who want to distinguish connections by SPI.

For example, to drop all AH packets whose SPI equals 500:

# iptables -A INPUT -p 51 -m ah --ahspi 500 -j DROP

# iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
DROP       ipv6-auth--  anywhere             anywhere           ah spi:500

The ah match supports the following option:

  • --ahspi [!] spi[:spi] -> match the SPI (or range of SPIs)

The esp match works the same way:

# iptables -A INPUT -p 50 -m esp --espspi 500 -j DROP
# iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
DROP       ipv6-crypt--  anywhere             anywhere           esp spi:500 

The esp match supports the following option:

  • --espspi [!] spi[:spi] -> match the SPI (or range of SPIs)

When using the ah or esp match, do not forget to specify the corresponding protocol with ``-p 51'' or ``-p 50'' (ah and esp respectively); otherwise iptables refuses to add the rule, for obvious reasons. (The ``ipv6-auth'' and ``ipv6-crypt'' shown in the listings are simply the names /etc/protocols gives to protocols 51 and 50.)


3.2. iplimit patch

This patch by Gerd Knorr <kraxel@bytesex.org> adds a new match that lets you restrict the number of parallel TCP connections from a particular host or network.

For example, to limit the number of HTTP connections per client IP address to 4:

# iptables -A INPUT -p tcp --syn --dport http -m iplimit --iplimit-above 4 -j REJECT

# iptables --list
Chain INPUT (policy ACCEPT)
target   prot opt source    destination         
REJECT   tcp  --  anywhere  anywhere     tcp dpt:http flags:SYN,RST,ACK/SYN #conn/32 > 4 reject-with icmp-port-unreachable

Or, for example, to limit the number of connections from a whole class A network:

# iptables -A INPUT -p tcp --syn --dport http -m iplimit --iplimit-mask 8 --iplimit-above 4 -j REJECT

# iptables --list
Chain INPUT (policy ACCEPT)
target   prot opt source    destination         
REJECT   tcp  --  anywhere  anywhere     tcp dpt:http flags:SYN,RST,ACK/SYN #conn/8 > 4 reject-with icmp-port-unreachable

The `--syn' restricts the rule to connection attempts, so established connections are never cut; only the attempt that would take the count above the limit is rejected.

The iplimit match supports the following options:

  • [!] --iplimit-above n -> match if the number of existing TCP connections is (or, with `!', is not) above n

  • --iplimit-mask n -> group hosts using a prefix (subnet mask) of n bits
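The counting rule above can be modelled without a kernel. The following Python, added here as an example and not part of this HOWTO or of netfilter, keeps a constructed table of known TCP connections and decides, for a new SYN, whether `--iplimit-above n' matches, per host (mask 32) or per /8 group (mask 8). Like the kernel module, it counts the connection being evaluated as well, so with a limit of 4 the fifth attempt is the one rejected; the address table and port are made up.

```python
"""Model of how the iplimit match decides whether a new TCP SYN is "above"
the limit. Added example for this HOWTO; it is not netfilter code, and the
connection table below is constructed sample data."""
import ipaddress

# Constructed stand-in for the firewall's TCP connection table:
# (source address, destination port) of connections the rule has seen.
CONNTRACK = [
    ("192.0.2.10", 80), ("192.0.2.10", 80), ("192.0.2.10", 80), ("192.0.2.10", 80),
    ("192.0.2.11", 80),
    ("10.1.2.3", 80), ("10.9.9.9", 80), ("10.200.0.1", 80),
]


def group_key(src, mask_bits):
    """--iplimit-mask n: all hosts sharing their first n bits are counted
    as one group (n=32 means per single host)."""
    return ipaddress.ip_network(f"{src}/{mask_bits}", strict=False)


def connections_after_syn(conntrack, src, dport, mask_bits=32):
    """Number of connections in the group once the new SYN is admitted.
    Like the kernel module, the connection being evaluated is counted too."""
    key = group_key(src, mask_bits)
    existing = sum(1 for s, p in conntrack
                   if p == dport and group_key(s, mask_bits) == key)
    return existing + 1


def iplimit_matches(conntrack, src, dport, above, mask_bits=32, invert=False):
    """[!] --iplimit-above n on a '-p tcp --syn --dport <dport>' rule:
    True when the group would have more than n connections (inverted by '!')."""
    hit = connections_after_syn(conntrack, src, dport, mask_bits) > above
    return hit != invert


if __name__ == "__main__":
    # Per-host limit 4 (mask 32): the 5th connection from 192.0.2.10 is rejected.
    print(iplimit_matches(CONNTRACK, "192.0.2.10", 80, above=4))              # True
    print(iplimit_matches(CONNTRACK, "192.0.2.11", 80, above=4))              # False
    # Same rule grouped per /8: the three 10.x.x.x hosts count together.
    print(iplimit_matches(CONNTRACK, "10.77.0.5", 80, above=2, mask_bits=8))  # True
    print(iplimit_matches(CONNTRACK, "10.77.0.5", 80, above=4, mask_bits=8))  # False
```

Note how a small mask makes unrelated hosts share one budget: with `--iplimit-mask 8' a single busy customer in 10.0.0.0/8 can exhaust the limit for everyone else in that class A.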


3.3. ipv4options patch

This patch by Fabrice MARIE <fabrice@celestix.com> adds a new match that lets you match packets based on the IP options they carry.

For example, to drop all packets with the record-route or timestamp IP option set:

# iptables -A INPUT -m ipv4options --rr -j DROP
# iptables -A INPUT -m ipv4options --ts -j DROP

# iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            IPV4OPTS RR
DROP       all  --  anywhere             anywhere            IPV4OPTS TS

Source-routed packets (`--ssrr', `--lsrr') let the sender dictate the path, and the return path, of a packet; they are a classic way to reach hosts behind a filter or to make spoofed addresses work, which is why most firewalls drop them.

The ipv4options match supports the following options:

  • --ssrr -> match packets carrying the strict source routing option.

  • --lsrr -> match packets carrying the loose source routing option.

  • --no-srr -> match packets carrying no source routing option at all.

  • --rr -> match packets carrying the record route option.

  • [!] --ts -> match packets with (or, with `!', without) the timestamp option.

  • [!] --ra -> match packets with (or without) the router-alert option.

  • [!] --any-opt -> match packets carrying at least one IP option (or, with `!', no IP option at all).
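An added example, not code from the HOWTO or from netfilter: a Python parser for the IPv4 options block that reports which options a packet carries and evaluates the ipv4options flags against it, rejecting malformed option lengths the way the kernel would drop such a packet before any match sees it. The option type codes are those of RFC 791 (and RFC 2113 for router alert); the sample packets are constructed in the block.

```python
"""Parse the IPv4 options block and evaluate ipv4options match flags.
Added example for this HOWTO, not netfilter code; packets are constructed."""
import struct

# Option type codes (copy/class bits included), RFC 791 and RFC 2113.
OPT_EOOL, OPT_NOP = 0, 1
OPT_RR, OPT_TS, OPT_LSRR, OPT_SSRR, OPT_RA = 7, 68, 131, 137, 148
NAMES = {OPT_RR: "rr", OPT_TS: "ts", OPT_LSRR: "lsrr", OPT_SSRR: "ssrr", OPT_RA: "ra"}


def parse_ipv4_options(packet: bytes) -> set:
    """Return the names of the options present in the IPv4 header.
    Raises ValueError for a malformed header or option block, which the
    kernel would discard before any match sees it."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(packet):
        raise ValueError("bad IHL")
    opts, found, i = packet[20:ihl], set(), 0
    while i < len(opts):
        kind = opts[i]
        if kind == OPT_EOOL:          # end of option list
            break
        if kind == OPT_NOP:           # single-byte padding
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option without length byte")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        found.add(NAMES.get(kind, f"opt{kind}"))
        i += length
    return found


def is_malformed(packet: bytes) -> bool:
    """True when the option block cannot be parsed (kernel would drop it)."""
    try:
        parse_ipv4_options(packet)
        return False
    except ValueError:
        return True


def ipv4options_match(packet: bytes, **flags) -> bool:
    """Evaluate the match, e.g. ipv4options_match(pkt, lsrr=True) for --lsrr
    or ipv4options_match(pkt, ts=False) for '! --ts'. Several flags on one
    rule are ANDed, as iptables does."""
    present = parse_ipv4_options(packet)
    checks = {
        "ssrr": "ssrr" in present,
        "lsrr": "lsrr" in present,
        "no_srr": not ({"ssrr", "lsrr"} & present),
        "rr": "rr" in present,
        "ts": "ts" in present,
        "ra": "ra" in present,
        "any_opt": bool(present),
    }
    return all(checks[name] == want for name, want in flags.items())


def build_packet(options: bytes) -> bytes:
    """Construct a minimal IPv4 header (no payload, zero checksum) carrying
    the given options, padded with EOOL to a 32-bit boundary."""
    padded = options + b"\x00" * (-len(options) % 4)
    ihl = 5 + len(padded) // 4
    header = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + len(padded),
                         0, 0, 64, 6, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return header + padded


# Constructed sample packets.
PLAIN = build_packet(b"")
# Loose source route (type 131, length 7, pointer 4) through one hop.
LSRR_PKT = build_packet(bytes([OPT_LSRR, 7, 4, 10, 0, 0, 1]))
# Record route with room for two addresses, followed by a router alert.
RR_RA_PKT = build_packet(bytes([OPT_RR, 11, 4] + [0] * 8 + [OPT_RA, 4, 0, 0]))
# Record route claiming 40 bytes inside a 4-byte block: the kernel drops this.
BROKEN_PKT = build_packet(bytes([OPT_RR, 40, 4]))
```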


3.4. length patch

This patch by James Morris <jmorris@intercode.com.au> adds a new match that lets you match packets based on their length (the total IP length, header included).

For example, to drop all pings (ICMP echo requests) of 85 bytes or more:

# iptables -A INPUT -p icmp --icmp-type echo-request -m length --length 85:0xffff -j DROP

# iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
DROP       icmp --  anywhere             anywhere           icmp echo-request length 85:65535

The length match supports the following option:

  • [!] --length length[:length] -> match the packet length against a value or a range of values (inclusive).

A missing end of the range is implied: the implied minimum is 0 and the implied maximum is 65535.


3.5. mport patch

This patch by Andreas Ferber <af@devcon.net> adds a new match that lets you specify ports as a mix of single ports and port ranges, for TCP and UDP.

For example, to block ftp-data, ftp, ssh, telnet and http in one line:

# iptables -A INPUT -p tcp -m mport --ports 20:23,80 -j DROP

# iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
DROP       tcp  --  anywhere             anywhere           mport ports ftp-data:telnet,http

The mport match supports the following options:

  • --source-ports port[,port:port,port...] -> match the source port(s).

  • --sports port[,port:port,port...] -> same as --source-ports.

  • --destination-ports port[,port:port,port...] -> match the destination port(s).

  • --dports port[,port:port,port...] -> same as --destination-ports.

  • --ports port[,port:port,port] -> match both source and destination port(s).


3.6. nth patch

This patch by Fabrice MARIE <fabrice@celestix.com> adds a new match that lets you match a particular Nth packet received by the rule.

For example, to drop every 2nd ping packet:

# iptables -A INPUT -p icmp --icmp-type echo-request -m nth --every 2 -j DROP

# iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
DROP       icmp --  anywhere             anywhere           icmp echo-request every 2th 

This patch has been extended by Richard Wagner <rwagner@cloudnet.com>, which makes it possible to set up quick and easy load balancing of inbound and outbound connections.

For example, to load balance across the three addresses 10.0.0.5, 10.0.0.6 and 10.0.0.7:

# iptables -t nat -A POSTROUTING -o eth0 -m nth --counter 7 --every 3 --packet 0 -j SNAT --to-source 10.0.0.5
# iptables -t nat -A POSTROUTING -o eth0 -m nth --counter 7 --every 3 --packet 1 -j SNAT --to-source 10.0.0.6
# iptables -t nat -A POSTROUTING -o eth0 -m nth --counter 7 --every 3 --packet 2 -j SNAT --to-source 10.0.0.7

# iptables -t nat --list
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
SNAT       all  --  anywhere             anywhere           every 3th packet #0 to:10.0.0.5 
SNAT       all  --  anywhere             anywhere           every 3th packet #1 to:10.0.0.6 
SNAT       all  --  anywhere             anywhere           every 3th packet #2 to:10.0.0.7 

The nth match supports the following options:

  • --every Nth -> match every Nth packet

  • [--counter] num -> use counter num (0-15; default: 0)

  • [--start] num -> initialise the counter at `num' instead of 0; num must be between 0 and Nth-1

  • [--packet] num -> match on packet `num'; num must be between 0 and Nth-1. If `--packet' is used on a counter, there must be Nth rules using `--packet' on that counter, covering every value from 0 to Nth-1 inclusive.
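To see why the load-balancing rule set needs one `--packet' rule for every value, the following Python model, added here and not part of the HOWTO or of netfilter, replays packets through a chain of nth rules whose targets terminate traversal (as SNAT does). It follows the semantics the option list above describes: a rule matches when its `--packet' value equals the shared counter, and only a matching rule advances the counter. That reading of the kernel's behaviour is an assumption; the rule sets are constructed.

```python
"""Model of the nth match's shared counters, replaying packets through a
chain of nth rules. Added example for this HOWTO, not netfilter code; it
follows the semantics described in the option list (assumed, not taken
from the kernel source) and the rule sets below are constructed."""


class NthCounters:
    """The 16 counters (--counter 0..15) shared by every nth rule."""

    def __init__(self, start=None):
        self.number = [0] * 16
        for counter, value in (start or {}).items():   # --start num
            self.number[counter] = value

    def match(self, every, counter=0, packet=None):
        """Evaluate one nth rule against the next packet on this counter."""
        n = self.number[counter]
        if packet is None:
            # --every N alone: the first packet of every run of N matches.
            if n == 0:
                self.number[counter] = 1
                return True
            self.number[counter] = 0 if n + 1 >= every else n + 1
            return False
        # --every N --packet k: match while the counter stands at k; only the
        # matching rule advances the counter, wrapping to 0 after N-1.
        if n != packet:
            return False
        self.number[counter] = 0 if packet == every - 1 else n + 1
        return True


def run_chain(rules, npackets, start=None):
    """Send npackets through a chain of nth rules whose targets terminate
    traversal (SNAT, DROP...). Returns, per rule, the indices of the packets
    it took; packets no rule took fall through to the chain policy."""
    state = NthCounters(start)
    taken = [[] for _ in rules]
    for i in range(npackets):
        for r, opts in enumerate(rules):
            if state.match(**opts):
                taken[r].append(i)
                break
    return taken


def unhandled(rules, npackets, start=None):
    """Packets that fell through every rule (not balanced at all)."""
    hit = {i for lst in run_chain(rules, npackets, start) for i in lst}
    return [i for i in range(npackets) if i not in hit]


# Rule sets mirroring the HOWTO's two examples, plus the mistake the
# option list warns about: --packet 2 missing from the counter-7 set.
EVERY_2ND_PING = [dict(every=2)]
LOAD_BALANCE_3 = [dict(every=3, counter=7, packet=k) for k in range(3)]
INCOMPLETE = [dict(every=3, counter=7, packet=0), dict(every=3, counter=7, packet=1)]
```

With the incomplete set the counter reaches 2 after the second packet and no rule ever matches again, so every later connection leaves with its original source address. The model also shows why the targets must terminate: with a non-terminating target the same packet would match rule after rule as each one advanced the counter.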


3.7. pkttype patch

This patch by Michal Ludvig <michal@logix.cz> adds a new match that lets you match packets based on their link-layer type: host, broadcast or multicast.

For example, to silently drop all broadcast packets:

# iptables -A INPUT -m pkttype --pkt-type broadcast -j DROP

# iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere           PKTTYPE = broadcast 

The pkttype match supports the following option:

  • --pkt-type [!] packettype -> match the packet type, which is one of:

    • host -> addressed to us

    • broadcast -> addressed to all

    • multicast -> addressed to a group


3.8. pool patch

This patch by Patrick Schaaf <bof@bof.de> is being rewritten by Joakim Axelsson and Patrick, so this section will change soon.


3.9. psd patch

This patch by Dennis Koslowski <dkoslowski@astaro.de> adds a new match that detects port scans.

In its simplest form, the psd match can be used as follows:

# iptables -A INPUT -m psd -j DROP

# iptables --list
Chain INPUT (policy ACCEPT)
target  prot opt source    destination         
DROP    all  --  anywhere  anywhere    psd weight-threshold: 21 delay-threshold: 300 lo-ports-weight: 3 hi-ports-weight: 1

The listing shows the defaults: weight threshold 21, delay threshold 300, low-port weight 3 and high-port weight 1. Be aware that a `-j DROP' keyed on scan detection can be turned against you: a scanner sending probes with a spoofed source address gets that address blocked.

The psd match supports the following options:

  • [--psd-weight-threshold threshold] -> port scan detection weight threshold

  • [--psd-delay-threshold delay] -> port scan detection delay threshold

  • [--psd-lo-ports-weight lo] -> weight of a privileged (well-known, below 1024) port

  • [--psd-hi-ports-weight hi] -> weight of a high (user, 1024 and above) port


3.10. random patch

This patch by Fabrice MARIE <fabrice@celestix.com> adds a new match that lets you match packets randomly with a given probability.

For example, to randomly drop 50% of the ping packets:

# iptables -A INPUT -p icmp --icmp-type echo-request -m random --average 50 -j DROP

# iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source       destination         
DROP       icmp --  anywhere     anywhere        icmp echo-request  random 50% 

The random match supports the following option:

  • [--average] percent -> probability of a match, in %. If omitted, a probability of 50% is used. The percentage must be a number between 1 and 99.


3.11. realm patch

This patch by Sampsa Ranta <sampsa@netsonic.fi> adds a new match that lets you match on the routing realm key, a criterion similar to the one available in the packet classifier.

For example, to log all packets going out to realm 10:

# iptables -A OUTPUT -m realm --realm 10 -j LOG

# iptables --list
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere           REALM match 0xa LOG level warning

The realm match supports the following option:

  • --realm [!] value[/mask] -> match the realm (shown in hexadecimal in the listing)


3.12. record-rpc patch

This patch by Marcelo Barbosa Lima <marcelo.lima@dcc.unicamp.br> adds a new match intended to allow effective RPC filtering: it matches packets whose source has previously requested a port from the portmapper, or that are new GET requests to the portmapper.

To match on the RPC connection tracking information, simply:

# iptables -A INPUT -m record_rpc -j ACCEPT

# iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination 
ACCEPT     all  --  anywhere             anywhere

The record_rpc match takes no options.

Do not worry that no match information appears in the listing: the print() function of this match is simply empty.

/* Prints out the union ipt_matchinfo. */
/* record_rpc has nothing to print, so `iptables --list' shows the rule
 * without any match description. */
static void
print(const struct ipt_ip *ip,
	const struct ipt_entry_match *match,
	int numeric)
{
}

3.13. string patch

This patch by Emmanuel Roger <winfield@freegates.be> adds a new match that lets you match a string anywhere in a packet.

For example, to match packets containing the string ``cmd.exe'' and queue them to a userland IDS:

# iptables -A INPUT -m string --string 'cmd.exe' -j QUEUE

# iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
QUEUE      all  --  anywhere             anywhere           STRING match cmd.exe 

Use this match with care. A lot of people want to use it with the DROP target to stop worms and viruses. That is a serious mistake: the match only sees one packet at a time, and known IDS evasion techniques defeat it.

In the same vein, many people have used this match to stop a particular HTTP method, such as POST or GET, by dropping HTTP packets that contain the string POST. Understand that a filtering proxy is the right tool for that job. In addition, any HTML content containing the word POST would be dropped by such a rule. This match was designed to let you queue interesting packets to userspace for deeper analysis, nothing more. Dropping packets on the strength of this match can be defeated by known IDS evasion techniques.

The string match supports the following option:

  • --string [!] string -> match the string in the packet.
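The evasion the two paragraphs above warn about is easy to demonstrate. The Python below is an added example, not from the HOWTO or from netfilter: it compares what a per-packet string match sees with what a reassembling IDS (fed through `-j QUEUE') sees when the same request is delivered in one segment or split in the middle of the pattern, and shows the POST false positive. The HTTP request and the segment boundaries are constructed.

```python
"""Why '-m string ... -j DROP' is not a worm filter: the match inspects one
packet at a time, so a payload split across TCP segments never contains the
whole pattern. Added example for this HOWTO, not netfilter code; the HTTP
request and segment boundaries below are constructed."""

PATTERN = b"cmd.exe"

# Constructed attacker request (an IIS traversal probe) as one byte stream.
REQUEST = (b"GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n"
           b"Host: victim\r\n\r\n")


def segment(stream: bytes, cut_points):
    """Split a byte stream into TCP-segment payloads at the given offsets,
    emulating a sender that picks its own segment boundaries."""
    bounds = [0, *sorted(cut_points), len(stream)]
    return [stream[a:b] for a, b in zip(bounds, bounds[1:])]


def per_packet_hits(segments, pattern=PATTERN):
    """What the string match sees: each segment is checked on its own."""
    return [pattern in seg for seg in segments]


def stream_hit(segments, pattern=PATTERN):
    """What a reassembling IDS sees once the segments are put back together."""
    return pattern in b"".join(segments)


def evading_cut(stream: bytes, pattern: bytes):
    """Pick one segment boundary that lands inside the pattern."""
    idx = stream.find(pattern)
    if idx < 0:
        raise ValueError("pattern not in stream")
    return idx + len(pattern) // 2


# The same request delivered two ways: whole, or split in the middle of the
# pattern ("...cmd" | ".exe?...").
WHOLE = segment(REQUEST, [])
SPLIT = segment(REQUEST, [evading_cut(REQUEST, PATTERN)])

# The false positive from the text: ordinary HTML containing the word POST.
HTML_PAGE = [b"<html><body>Visit the POST office at 9.</body></html>"]
```

A `-j DROP' rule sees `[False, False]' for the split delivery and lets the probe through, while the reassembled stream still contains the pattern; the same rule keyed on `POST' drops the harmless page.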


3.14. time patch

This patch by Fabrice MARIE <fabrice@celestix.com> adds a new match that lets you match packets based on their arrival time, or departure time for locally generated packets.

For example, to accept packets arriving Monday through Friday between 8:00 and 18:00:

# iptables -A INPUT -m time --timestart 8:00 --timestop 18:00 --days Mon,Tue,Wed,Thu,Fri -j ACCEPT

# iptables --list 
Chain INPUT (policy ACCEPT)
target     prot opt source           destination
ACCEPT     all  --  anywhere         anywhere        TIME from 8:0 to 18:0 on Mon,Tue,Wed,Thu,Fri 

The time match supports the following options:

  • --timestart value -> start time, HH:MM

  • --timestop value -> stop time, HH:MM

  • --days listofdays -> comma-separated list of the days on which the rule applies (case sensitive):

    • Mon

    • Tue

    • Wed

    • Thu

    • Fri

    • Sat

    • Sun


3.15. ttl patch

This patch by Harald Welte <laforge@gnumonks.org> adds a new match that lets you match packets based on their TTL.

For example, to log packets with a TTL below 5:

# iptables -A INPUT -m ttl --ttl-lt 5 -j LOG

# iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere           TTL match TTL < 5 LOG level warning

The ttl match supports the following options:

  • --ttl-eq value -> match a TTL equal to value

  • --ttl-lt value -> match a TT less than value

  • --ttl-gt value -> match a TTL greater than value


4. New netfilter targets

In this section we explain the usage of the new netfilter targets. The patches appear in alphabetical order. Patches that break other patches are not explained here; that may be added in a later version.

Generally speaking, you can get hints on a particular target module by typing:

# iptables -j THE_TARGET_YOU_WANT --help

This displays the normal iptables help message, plus the help for the ``THE_TARGET_YOU_WANT'' target appended at the end.


4.1. ftos patch

This patch by Matthew G. Marsh <mgm@paktronix.com> adds a new target that lets you set the TOS field of a packet to an arbitrary value.

For example, to set the TOS of all outgoing packets to 15:

# iptables -t mangle -A OUTPUT -j FTOS --set-ftos 15

# iptables -t mangle --list
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
FTOS       all  --  anywhere             anywhere           TOS set 0x0f 

The FTOS target supports the following option:

  • --set-ftos value -> set the TOS field of the packet header to the given value. The value may be given in decimal (e.g. 32) or in hexadecimal (e.g. 0x20).


4.2. IPV4OPTSSTRIP patch

This patch by Fabrice MARIE <fabrice@celestix.com> adds a new target that strips all IP options from an IPv4 packet.

In its simplest form it is used as follows:

# iptables -t mangle -A PREROUTING -j IPV4OPTSSTRIP

# iptables -t mangle --list
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
IPV4OPTSSTRIP  all  --  anywhere             anywhere

This target takes no options.


4.3. NETLINK patch

This patch by Gianni Tedesco <gianni@ecsc.co.uk> adds a new target that lets you send dropped packets to userspace through a netlink socket.

For example, to drop all ping packets and pass them to a userspace netlink socket:

# iptables -A INPUT -p icmp --icmp-type echo-request -j NETLINK --nldrop

# iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
NETLINK    icmp --  anywhere             anywhere           icmp echo-request nldrop 

The NETLINK target supports the following options:

  • --nldrop -> drop the packet as well.

  • --nlmark <number> -> mark the packet.

  • --nlsize <bytes> -> limit the size of the packet copied to userspace.

For more information about netlink sockets, see the Netlink Sockets Tour.


4.4. NETMAP patch

This patch by Svenning Soerensen <svenning@post5.tele.dk> adds a new target that lets you create a static 1:1 mapping between network addresses while keeping the host part of the address unchanged.

For example, to rewrite the destination of incoming connections from 1.2.3.0/24 into 5.6.7.0/24 (so that 1.2.3.42 becomes 5.6.7.42):

# iptables -t nat -A PREROUTING -d 1.2.3.0/24 -j NETMAP --to 5.6.7.0/24

# iptables -t nat --list
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
NETMAP     all  --  anywhere             1.2.3.0/24         5.6.7.0/24

The NETMAP target supports the following option:

  • --to address[/mask] -> network address to map to


4.5. SAME patch

This patch by Martin Josefsson <gandalf@wlug.westbo.se> adds a new target, similar to SNAT, that gives a client the same source address for each of its connections.

For example, to map the source address of connections into the range 1.2.3.4-1.2.3.7:

# iptables -t nat -A POSTROUTING -j SAME --to 1.2.3.4-1.2.3.7

# iptables -t nat --list
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
SAME       all  --  anywhere             anywhere           same:1.2.3.4-1.2.3.7 

The SAME target supports the following options:

  • --to <ipaddr>-<ipaddr> -> addresses to map the source to. May be specified more than once for multiple ranges.

  • --nodst -> do not use the destination IP when selecting the source address.


4.6. tcp-MSS patch

This patch by Marc Boucher <marc+nf@mbsi.ca> adds a new target that lets you examine and alter the MSS value of TCP SYN packets, to control the maximum segment size for that connection.

As Marc himself explains, THIS IS A HACK, used to work around criminally braindead ISPs or servers that block ICMP Fragmentation Needed packets.

Typical usage is:

# iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

# iptables --list
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
TCPMSS     tcp  --  anywhere             anywhere           tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU 

The TCPMSS target supports the following options (mutually exclusive):

  • --set-mss value -> explicitly set the MSS option to the given value

  • --clamp-mss-to-pmtu -> automatically clamp the MSS value to (path_MTU - 40)


4.7. TTL patch

This patch by Harald Welte <laforge@gnumonks.org> adds a new target that lets you set the TTL of IP packets to a given value, or increase or decrease it by a given amount.

For example, to set the TTL of all outgoing packets to 126:

# iptables -t mangle -A OUTPUT -j TTL --ttl-set 126

# iptables -t mangle --list
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
TTL        all  --  anywhere             anywhere           TTL set to 126 

The TTL target supports the following options:

  • --ttl-set value -> set the TTL to <value>

  • --ttl-dec value -> decrease the TTL by <value>

  • --ttl-inc value -> increase the TTL by <value>


4.8. ulog patch

This patch by Harald Welte <laforge@gnumonks.org> adds a new target that provides a more advanced logging mechanism than the standard LOG target. The `libiptulog/' directory contains a library for receiving the ULOG messages.

Harald maintains a web page with proper documentation of ULOG, so there is nothing special to explain here.


5. New connection tracking patches

This section lists the available connection tracking/NAT patches. To use one, simply load the corresponding module (with options, if needed).


5.1. eggdrop-conntrack patch

This patch by Magnus Sandin <magnus@sandin.cx> adds connection tracking support for eggdrop bot networks.


5.2. ftp-fxp patch

This patch by Magnus Sandin <magnus@sandin.cx> adds FXP support to the ftp connection tracking. FXP to a NATed ftp daemon does not work. To enable FXP tracking:

# modprobe ip_conntrack_ftp.o fxp=1

The patch carries a security warning: WARNING, applying this patch and enabling FXP WILL reduce the security provided by the FTP connection tracking. Use it with care (and only if you know what you are doing). The reason is that FXP needs the helper to open expectations for addresses other than the endpoints of the control connection, so the address check that normally stops FTP bounce attacks through the firewall is relaxed.


5.3. irc-conntrack-nat patch

This patch by Harald Welte <laforge@gnumonks.org> lets DCC work through NAT and connection tracking.


5.4. record-rpc patch

This patch by Marcelo Barbosa Lima <marcelo.lima@dcc.unicamp.br> lets netfilter track portmapper requests over TCP and UDP.


5.5. snmp-nat patch

This patch by James Morris <jmorris@intercode.com.au> provides netfilter with basic SNMP NAT. It is the ``basic'' form of the SNMP-ALG described in RFC 2962: it works by rewriting the IP addresses inside SNMP payloads to match the IP-layer NAT mapping.


5.6. talk-conntrack-nat patch

This patch by Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> provides netfilter with tracking and NAT of talk connections. By default both otalk (UDP port 517) and talk (UDP port 518) are supported. otalk and talk can be selectively enabled or disabled through the module parameters of the ip_conntrack_talk and ip_nat_talk modules:

  • otalk = 0 | 1

  • talk = 0 | 1

where 0 means no support and 1 means support for the given protocol.


5.7. tcp-window-tracking patch

This patch by Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> lets netfilter do TCP connection tracking as described in Guido van Rooij's Real Stateful TCP Packet Filtering in IP Filter. It supports window scaling and can pick up connections that were already established.

This patch requires the ``ftp-fixes'' patch to be applied. That is probably part of the standard kernel nowadays...


6. New IPv6 netfilter matches

In this section we explain the usage of the new IPv6 netfilter matches. The patches appear in alphabetical order. Patches that break other patches are not explained here; that may come later.

Generally speaking, you can get hints on a particular match module by typing:

# ip6tables -m the_match_you_want --help

This displays the normal ip6tables help message, plus the help for ``the_match_you_want'' appended at the end.


6.1. agr patch

This patch by Andras Kis-Szabo <kisza@sch.bme.hu> adds 1 new match:

  • ``agr'' : lets you match an IPv6 packet based on its addressing parameters.

This patch can be quite useful for people using the EUI-64 IPv6 addressing scheme who want to check packets against the address delivered on a LAN.

For example, to accept packets that carry a correct EUI-64 address (or that do not come from the local 3FFE:2F00:A0::/64 prefix) and log everything else:

# ip6tables -N ipv6ok
# ip6tables -A INPUT -m agr -j ipv6ok
# ip6tables -A INPUT -s ! 3FFE:2F00:A0::/64 -j ipv6ok
# ip6tables -A INPUT -j LOG
# ip6tables -A ipv6ok -j ACCEPT

# ip6tables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ipv6ok     all      anywhere             anywhere           AGR 
ipv6ok     all     !3ffe:2f00:a0::/64    anywhere           
LOG        all      anywhere             anywhere           LOG level warning 

Chain ipv6ok (2 references)
target     prot opt source               destination         
ACCEPT     all      anywhere             anywhere           

This match has no options.


6.2. ipv6header patch

This patch by Andras Kis-Szabo <kisza@sch.bme.hu> adds a new match that lets you match a packet based on its extension headers.

For example, to drop the packets that carry exactly a hop-by-hop header, a routing header and an upper-layer protocol payload:

# ip6tables -A INPUT -m ipv6header --header hop-by-hop,ipv6-route,protocol -j DROP

# ip6tables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
DROP       all      anywhere             anywhere           ipv6header flags:hop-by-hop,ipv6-route,protocol

And now, to drop every packet that carries a routing extension header, whatever else it contains:

# ip6tables -A INPUT -m ipv6header --header ipv6-route --soft -j DROP

# ip6tables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
DROP       all      anywhere             anywhere           ipv6header flags:ipv6-route soft

The ipv6header match supports the following options:

  • --header [!] headers -> the headers you are interested in, in any of these formats:

    • hop,dst,route,frag,auth,esp,none,proto

    • hop-by-hop,ipv6-opts,ipv6-route,ipv6-frag,ah,esp,ipv6-nonxt,protocol

    • 0,60,43,44,51,50,59

  • --soft -> soft mode: the match only checks that the listed headers are present, instead of requiring the packet's set of headers to equal the list exactly.
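An added example (not HOWTO or netfilter code): a Python walk of the IPv6 extension-header chain that reports the headers present, using the names of the option list above, and evaluates the match in full and `--soft' mode. Header sizes follow RFC 2460 (and RFC 2402 for AH); ESP ends the walk because whatever follows it is encrypted. The packets are constructed in the block.

```python
"""Walk an IPv6 extension-header chain and evaluate the ipv6header match in
full and --soft mode. Added example for this HOWTO, not netfilter code; the
packets below are constructed."""
import struct

# Next-header values, i.e. the numeric format accepted by --header.
HOP, ROUTE, FRAG, ESP, AH, NONE, DST = 0, 43, 44, 50, 51, 59, 60
NAMES = {HOP: "hop-by-hop", DST: "ipv6-opts", ROUTE: "ipv6-route",
         FRAG: "ipv6-frag", AH: "ah", ESP: "esp", NONE: "ipv6-nonxt"}


def ipv6_header_chain(pkt: bytes) -> set:
    """Return the ipv6header names present in the packet; any upper-layer
    protocol (TCP, UDP, ICMPv6, ...) is reported as 'protocol'."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off, found = pkt[6], 40, set()
    while True:
        if nh in (NONE, ESP):
            # No next header, or ESP: what follows is absent or encrypted.
            found.add(NAMES[nh])
            return found
        if nh not in NAMES:
            found.add("protocol")
            return found
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        found.add(NAMES[nh])
        if nh == FRAG:                      # fixed 8 bytes, byte 1 is reserved
            size = 8
        elif nh == AH:                      # length in 32-bit words minus 2
            size = (pkt[off + 1] + 2) * 4
        else:                               # length in 8-byte units minus 1
            size = (pkt[off + 1] + 1) * 8
        nh, off = pkt[off], off + size


def ipv6header_match(pkt: bytes, headers, soft=False, invert=False) -> bool:
    """--header h1,h2,... [--soft]: full mode needs the packet's header set
    to equal the list exactly; --soft only needs every listed header to be
    present. '!' inverts the outcome."""
    wanted, present = set(headers), ipv6_header_chain(pkt)
    hit = wanted <= present if soft else wanted == present
    return hit != invert


def build_ipv6(ext_headers, upper, payload=b"") -> bytes:
    """Construct a packet. ext_headers is a list of (code, body) pairs, body
    being the header without its leading next-header byte, which is filled
    in here; `upper` is the final next-header value (6 = TCP, 59 = none)."""
    codes = [code for code, _ in ext_headers] + [upper]
    body = b"".join(bytes([codes[i + 1]]) + rest
                    for i, (_, rest) in enumerate(ext_headers)) + payload
    src = bytes.fromhex("3ffe2f0000a000000000000000000001")
    dst = bytes.fromhex("3ffe2f0000a000000000000000000002")
    return struct.pack("!IHBB16s16s", 6 << 28, len(body), codes[0], 64, src, dst) + body


# Constructed sample packets (3FFE:2F00:A0::1 -> ::2, as in the agr example).
HOPBYHOP = (HOP, bytes([0, 1, 4, 0, 0, 0, 0]))     # ext_len 0 + PadN option
ROUTING0 = (ROUTE, bytes([0, 0, 0, 0, 0, 0, 0]))   # type 0, 0 segments left
FRAGMENT = (FRAG, bytes([0, 0, 0, 0, 0, 0, 0]))    # reserved, offset, id
TCP_HDR = b"\x00" * 20

HOP_ROUTE_TCP = build_ipv6([HOPBYHOP, ROUTING0], 6, TCP_HDR)
ROUTE_TCP = build_ipv6([ROUTING0], 6, TCP_HDR)
FRAG_TCP = build_ipv6([FRAGMENT], 6, TCP_HDR)
ESP_ONLY = build_ipv6([], ESP, b"\x00" * 16)
```

The first rule of the section (full mode) matches HOP_ROUTE_TCP but not ROUTE_TCP, while the `--soft' rule matches both: that is the difference between "exactly these headers" and "at least these headers".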


6.3. ipv6-ports patch

This patch by Jan Rekorajski <baggins@pld.org.pl> adds 4 new matches:

  • ``limit'' : lets you limit the rate at which a rule matches, like the IPv4 limit match.

  • ``mac'' : lets you match a packet based on its source MAC address.

  • ``multiport'' : lets you specify ports as a mix of port ranges and single ports, for the UDP and TCP protocols.

  • ``owner'' : lets you match a locally generated packet based on the owner of the process that created it.

These matches are ports of the IPv4 versions. See the main documentation for the details!


6.4. length patch

This patch by Imran Patel <ipatel@crosswinds.net> adds a new match that lets you match a packet based on its length. (This patch is a shameless adaptation of the IPv4 match written by James Morris <jmorris@intercode.com.au>.)

For example, to drop all pings of 85 bytes or more:

# ip6tables -A INPUT -p ipv6-icmp --icmpv6-type echo-request -m length --length 85:0xffff -j DROP

# ip6tables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
DROP       ipv6-icmp --  anywhere             anywhere           ipv6-icmp echo-request length 85:65535

The length match supports the following option:

  • [!] --length length[:length] -> match the packet length against a value or a range of values (inclusive)

A missing end of the range is implied: the implied minimum is 0 and the implied maximum is 65535.


7. New IPv6 netfilter targets

In this section we explain the usage of the new IPv6 netfilter targets. The patches appear in alphabetical order. Patches that break other patches are not explained here; that may come later.

Generally speaking, you can get hints on a particular target module by typing:

# ip6tables -j THE_TARGET_YOU_WANT --help

This displays the normal ip6tables help message, plus the help for the ``THE_TARGET_YOU_WANT'' target appended at the end.


7.1. LOG patch

This patch by Jan Rekorajski <baggins@pld.org.pl> adds a new target that lets you LOG packets as in the IPv4 version of iptables.

The examples are the same as for iptables. See the man page for details!


7.2. REJECT patch

This patch by Harald Welte <laforge@gnumonks.org> adds a new target that lets you REJECT packets as in the IPv4 version of iptables.

The examples are the same as for iptables. See the man page for details!


8. New IPv6 connection tracking patches

Connection tracking is not supported for IPv6 yet.


9. Contribution

9.1. Contributing a new extension

The netfilter core team always welcomes new extensions and bug fixes. This section does not cover how to package a new extension so that it can be included in patch-o-matic; that will be included in a future version of this HOWTO.

First of all, anyone who wants to write a new extension or bug fix should become familiar with the Netfilter Hacking HOWTO.

Rusty has written guidelines on how to submit a new patch for netfilter. You can find them in:

/path/to/netfiltercvs/netfilter/userspace/patch-o-matic/NEWPATCHES

or, in its latest version online, here: NEWPATCHES.

Finally, joining the netfilter-devel mailing list is a good idea. More information on how to join can be found on the netfilter homepage.


9.2. Contributing to this HOWTO

Updates to this HOWTO are welcome. The recommended way is to send a patch against the SGML source to the maintainer of this document, on the netfilter-devel mailing list.


9.3. Translator's note (-_-;)

This is the first document I have ever produced in DocBook, so it has many shortcomings. There are also places here and there where I am not satisfied with my own translation (my skills are lacking --;). If you find errors in the translation or anything that needs correcting, please send them to my e-mail address. That was DeepBlue's humble translation -_-;;


last modified 2003-08-10 11:52:29