Netfilter Extensions HOWTO
Fabrice MARIE
fabrice (at) celestix.com
This document describes how to install and use the iptables extensions for netfilter.
Korean translation: 정두기 (doogie)
doogie (at) darimtech.com
Revision 0.1, 2002-01-28, 정두기 (darimtech.com): initial version
Introduction
Hi. This document is my chance to thank everyone who spends their time using netfilter, reporting bugs, testing it and developing it.
This HOWTO assumes that you have read and understood Rusty's Linux 2.4 Packet Filtering HOWTO. It also assumes that you are able to configure and compile a kernel properly.
The iptables distribution contains extensions that are meant not only for regular users but also for experimental users, and these extensions depend on the kernel. They are normally not compiled in unless you want them.
The goal of this HOWTO is to help people who are getting started with installing the netfilter extensions and using them in a basic way.
(C) 2001 Fabrice MARIE. Licensed under the GNU GPL.
Patch-O-Matic
What is Patch-O-Matic?
The iptables Makefile contains a feature called `patch-o-matic' (or `p-o-m' for short). p-o-m guides you through selecting the patches you want and patches the kernel for you automatically.
First, you should get the latest CVS tree, to make sure you are using the most recent extensions. To do that, run :
# cvs -d :pserver:cvs@pserver.samba.org:/cvsroot login
# cvs -z3 -d :pserver:cvs@pserver.samba.org:/cvsroot co netfilter
This creates a top-level directory `netfilter/' and checks the files out into it.
Make sure the kernel source is already in `/usr/src/linux/'.
Make sure the dependencies have been built; if they have not :
# cd /usr/src/linux/
# make dep
Then go to the netfilter `userspace/' directory, from where you can invoke p-o-m.
Running Patch-O-Matic
From the `userspace/' directory, run p-o-m :
# make patch-o-matic
Welcome to Rusty's Patch-o-matic!
Each patch is a new feature: many have minimal impact, some do not.
Almost every one has bugs, so I don't recommend applying them all!
-------------------------------------------------------
Already applied: 2.4.1 2.4.4
Testing... name_of_the_patch NOT APPLIED ( 2 missing files)
The name_of_the_patch patch:
Here usually is the help text describing what
the patch is for, what you can expect from it,
and what you should not expect from it.
Do you want to apply this patch [N/y/t/f/q/?]
p-o-m runs through all the relevant patches. If they are all already applied, you will see them on the first line after `Already applied:'. Otherwise, the patch name and a short description are displayed.
p-o-m explains how things went : `NOT APPLIED ( n missing files)' means the patch has not been applied yet, whereas `NOT APPLIED ( n rejects out of n hunks)' usually means either :
that the patch did not apply cleanly...
...or that it is already part of the kernel you are trying to patch.
Finally, you are prompted to decide whether to apply the patch or not.
If you do not want to apply it, simply press Enter.
Press `y' if you want p-o-m to test and apply the patch; if the test fails, you will be prompted once more to confirm. Otherwise the patch is applied, and you will see its name on the `Already applied' line.
Press `t' to test whether the patch would apply cleanly.
Press `f' to force p-o-m to apply the patch.
Finally, press `q' to quit p-o-m.
A good rule of thumb is to read the short description of each patch carefully before actually applying it.
There are currently many official patches in patch-o-matic (and probably even more unofficial ones), so applying all of them is not recommended !
Consider applying only the patches you really want, even if that means recompiling netfilter later when you need more of them.
There is now also a new form of patch-o-matic, which shows not only the patches that apply cleanly but also every other patch that is not yet applied. To run it, do :
# make most-of-pom
It works exactly like patch-o-matic as far as the relevant patches and the interaction with them are concerned. Avoid the `developer-only' patches.
What next ?
Once you have applied all the patches you wanted, the next step is to recompile and install the kernel. This HOWTO does not explain how to do that; see the Linux Kernel HOWTO instead.
While reconfiguring the kernel, you will see the new options under ``Networking Options -> Netfilter Configuration''. Select the ones you need, then recompile and install the kernel.
Once the kernel is installed, compile and install the ``iptables'' package from the `userspace/' directory as follows :
# make all install
The new iptables package is now installed ! It is time to use the new features.
New netfilter matches
In this section we explain how to use the new netfilter matches.
The patches appear in alphabetical order. Patches that interfere with other patches are not described here; that will be covered in a later version of this document.
Generally speaking, you can get the help hints for a particular match module like this :
# iptables -m the_match_you_want --help
This displays the normal iptables help message, plus the help for ``the_match_you_want'' at the end.
ah-esp patch
This patch by Yon Uriarte <yon@astaro.de> adds 2 new matches :
``ah'' : lets you match AH packets based on their Security Parameter Index (SPI).
``esp'' : lets you match ESP packets based on their SPI.
This patch can be useful for people using IPSEC who want to distinguish connections by SPI.
For example, you can drop all AH packets whose SPI is 500 like this :
# iptables -A INPUT -p 51 -m ah --ahspi 500 -j DROP
# iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP ipv6-auth-- anywhere anywhere ah spi:500
Supported options for the ah match are :
--ahspi [!] spi[:spi] -> match spi (range)
The esp match works the same way :
# iptables -A INPUT -p 50 -m esp --espspi 500 -j DROP
# iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP ipv6-crypt-- anywhere anywhere esp spi:500
Supported options for the esp match are :
--espspi [!] spi[:spi] -> match spi (range)
When using the ah or esp match, do not forget to specify the matching protocol with ``-p 50'' or ``-p 51'' (esp and ah respectively); otherwise iptables will refuse to add the rule, for obvious reasons.
iplimit patch
This patch by Gerd Knorr <kraxel@bytesex.org> adds a new match that lets you restrict the number of parallel TCP connections from a particular host or network.
For example, to limit the number of HTTP connections from a single IP address to 4 :
# iptables -A INPUT -p tcp --syn --dport http -m iplimit --iplimit-above 4 -j REJECT
# iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
REJECT tcp -- anywhere anywhere tcp dpt:http flags:SYN,RST,ACK/SYN #conn/32 > 4 reject-with icmp-port-unreachable
Or, for example, to limit the number of connections from a whole class A network :
# iptables -A INPUT -p tcp --syn --dport http -m iplimit --iplimit-mask 8 --iplimit-above 4 -j REJECT
# iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
REJECT tcp -- anywhere anywhere tcp dpt:http flags:SYN,RST,ACK/SYN #conn/8 > 4 reject-with icmp-port-unreachable
Supported options for the iplimit match are :
[!] --iplimit-above n -> match if the number of existing tcp connections is (not) above n
--iplimit-mask n -> group hosts using the given subnet mask length
ipv4options patch
This patch by Fabrice MARIE <fabrice@celestix.com> adds a new match that lets you match packets based on the IP options they carry.
For example, to drop every packet with the record-route or timestamp IP option set, do :
# iptables -A INPUT -m ipv4options --rr -j DROP
# iptables -A INPUT -m ipv4options --ts -j DROP
# iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP all -- anywhere anywhere IPV4OPTS RR
DROP all -- anywhere anywhere IPV4OPTS TS
Supported options for the ipv4options match are :
--ssrr -> match packets with the strict source routing flag.
--lsrr -> match packets with the loose source routing flag.
--no-srr -> match packets with no source routing.
--rr -> match packets with the record route flag.
[!] --ts -> match packets with the timestamp flag.
[!] --ra -> match packets with the router-alert option.
[!] --any-opt -> match packets with at least one IP option (or with no IP option at all if ! is used).
length patch
This patch by James Morris <jmorris@intercode.com.au> adds a new match that lets you match packets based on their length.
For example, to drop every ping packet larger than 85 bytes, do :
# iptables -A INPUT -p icmp --icmp-type echo-request -m length --length 85:0xffff -j DROP
# iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP icmp -- anywhere anywhere icmp echo-request length 85:65535
Supported options for the length match are :
[!] --length length[:length] -> match the packet length against a value or a range of values (inclusive).
Values of the range not given are implied: the implied minimum is 0 and the implied maximum is 65535.
mport patch
This patch by Andreas Ferber <af@devcon.net> adds a new match that lets you specify ports for TCP and UDP connections as a mix of single ports and port ranges.
For example, to block ftp, ssh, telnet and http in a single rule, you can do :
# iptables -A INPUT -p tcp -m mport --ports 20:23,80 -j DROP
# iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP tcp -- anywhere anywhere mport ports ftp-data:telnet,http
Supported options for the mport match are :
--source-ports port[,port:port,port...] -> match source port(s).
--sports port[,port:port,port...] -> match source port(s).
--destination-ports port[,port:port,port...] -> match destination port(s).
--dports port[,port:port,port...] -> match destination port(s).
--ports port[,port:port,port] -> match both source and destination port(s).
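The port specification above (`20:23,80`, listed back by iptables as `ftp-data:telnet,http`) is a small format that is worth being able to parse when auditing a ruleset. The parser and formatter below are an added example and not the mport patch's own code; the service table is a constructed subset of /etc/services, and `covers()` is a helper added here for checking whether a given port is caught by a specification.

```python
import re

# Constructed subset of /etc/services, enough for the example above. The real
# iptables resolves service names through the system services database.
SERVICES = {"ftp-data": 20, "ftp": 21, "ssh": 22, "telnet": 23, "http": 80}
PORT_NAMES = {number: name for name, number in SERVICES.items()}


def parse_port(token):
    """Resolve one port token: a service name from SERVICES or a decimal 0-65535."""
    token = token.strip()
    if token in SERVICES:
        return SERVICES[token]
    if not re.fullmatch(r"\d{1,5}", token):
        raise ValueError("unknown port or service: %r" % token)
    port = int(token)
    if port > 65535:
        raise ValueError("port out of range: %d" % port)
    return port


def parse_port_spec(spec):
    """Parse `port[,port:port,port...]` into a list of (low, high) ranges.

    A single port becomes (p, p); a range `a:b` must satisfy a <= b.
    """
    ranges = []
    for item in spec.split(","):
        if ":" in item:
            low_text, high_text = item.split(":", 1)
            low, high = parse_port(low_text), parse_port(high_text)
            if low > high:
                raise ValueError("inverted range: %r" % item)
        else:
            low = high = parse_port(item)
        ranges.append((low, high))
    return ranges


def expand_ports(spec):
    """Every individual port the specification covers, sorted, without duplicates."""
    ports = set()
    for low, high in parse_port_spec(spec):
        ports.update(range(low, high + 1))
    return sorted(ports)


def covers(spec, port):
    """True when `port` falls inside at least one range of the specification."""
    return any(low <= port <= high for low, high in parse_port_spec(spec))


def format_port_spec(spec):
    """Render a specification the way `iptables --list` shows it: service names
    where known, numbers otherwise (20:23,80 -> ftp-data:telnet,http)."""
    def name(port):
        return PORT_NAMES.get(port, str(port))

    parts = []
    for low, high in parse_port_spec(spec):
        parts.append(name(low) if low == high else "%s:%s" % (name(low), name(high)))
    return ",".join(parts)


if __name__ == "__main__":
    spec = "20:23,80"
    print(spec, "->", format_port_spec(spec), expand_ports(spec))
```

Inverted ranges, empty items and unknown service names are rejected rather than silently narrowed, which is the behaviour you want from anything that feeds a firewall rule.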
nth patch
This patch by Fabrice MARIE <fabrice@celestix.com> adds a new match that lets you match a particular Nth packet received by the rule.
For example, to drop every 2nd ping packet, you can do :
# iptables -A INPUT -p icmp --icmp-type echo-request -m nth --every 2 -j DROP
# iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP icmp -- anywhere anywhere icmp echo-request every 2th
This patch was extended by Richard Wagner <rwagner@cloudnet.com> to give you a quick and easy way to load-balance inbound and outbound connections.
For example, to load-balance across the 3 addresses 10.0.0.5, 10.0.0.6 and 10.0.0.7, you can do :
# iptables -t nat -A POSTROUTING -o eth0 -m nth --counter 7 --every 3 --packet 0 -j SNAT --to-source 10.0.0.5
# iptables -t nat -A POSTROUTING -o eth0 -m nth --counter 7 --every 3 --packet 1 -j SNAT --to-source 10.0.0.6
# iptables -t nat -A POSTROUTING -o eth0 -m nth --counter 7 --every 3 --packet 2 -j SNAT --to-source 10.0.0.7
# iptables -t nat --list
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT all -- anywhere anywhere every 3th packet #0 to:10.0.0.5
SNAT all -- anywhere anywhere every 3th packet #1 to:10.0.0.6
SNAT all -- anywhere anywhere every 3th packet #2 to:10.0.0.7
Supported options for the nth match are :
--every Nth -> match every Nth packet
[--counter] num -> use counter 0-15 (default: 0).
[--start] num -> initialise the counter at `num' instead of 0. num must be between 0 and (Nth-1).
[--packet] num -> match on packet `num'. num must be between 0 and (Nth-1).
If `--packet' is being used as a counter, there must be Nth --packet rules, covering every value between 0 and (Nth-1) inclusive.
pkttype patch
This patch by Michal Ludvig <michal@logix.cz> adds a new match that lets you match packets based on their type: host, broadcast or multicast.
For example, to silently drop all broadcast packets :
# iptables -A INPUT -m pkttype --pkt-type broadcast -j DROP
# iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP all -- anywhere anywhere PKTTYPE = broadcast
Supported options for the pkttype match are :
--pkt-type [!] packettype -> match the packet type when it is one of :
host -> to us
broadcast -> to all
multicast -> to a group
pool patch
This patch is by Patrick Schaaf <bof@bof.de> and is being rewritten by Joakim Axelsson and Patrick, so this section will change soon.
psd patch
This patch by Dennis Koslowski <dkoslowski@astaro.de> adds a new match for detecting port scans.
In its simplest form, the psd match can be used like this :
# iptables -A INPUT -m psd -j DROP
# iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP all -- anywhere anywhere psd weight-threshold: 21 delay-threshold: 300 lo-ports-weight: 3 hi-ports-weight: 1
Supported options for the psd match are :
[--psd-weight-threshold threshold] -> total weight threshold for port scan detection
[--psd-delay-threshold delay] -> delay threshold for port scan detection
[--psd-lo-ports-weight lo] -> weight of a well-known (privileged) port
[--psd-hi-ports-weight hi] -> weight of a user (high) port
random patch
This patch by Fabrice MARIE <fabrice@celestix.com> adds a new match that lets you match packets randomly according to a given probability.
For example, to randomly drop 50% of the ping packets, you can do :
# iptables -A INPUT -p icmp --icmp-type echo-request -m random --average 50 -j DROP
# iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP icmp -- anywhere anywhere icmp echo-request random 50%
Supported options for the random match are :
[--average] percent -> probability, in %, of a match
If omitted, the probability is 50%. The percentage must be a number between 1 and 99.
realm patch
This patch by Sampsa Ranta <sampsa@netsonic.fi> adds a new match that lets you use the routing realm key as a matching criterion, similar to the key seen in packet classifiers.
For example, to log all outgoing packets from realm 10, you can do :
# iptables -A OUTPUT -m realm --realm 10 -j LOG
# iptables --list
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
LOG all -- anywhere anywhere REALM match 0xa LOG level warning
Supported options for the realm match are :
--realm [!] value[/mask] -> match the realm
record-rpc patch
This patch by Marcelo Barbosa Lima <marcelo.lima@dcc.unicamp.br> adds a new match that matches when the packet's source has previously requested a port from the portmapper, or when the packet is a new GET request to the portmapper, which allows effective RPC filtering.
To match on the RPC connection tracking information, you can simply do :
# iptables -A INPUT -m record_rpc -j ACCEPT
# iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
The record_rpc match takes no options.
Do not worry about the missing match information in the listing : it is simply because the print() function of this match is empty.
/* Prints out the union ipt_matchinfo. */
static void
print(const struct ipt_ip *ip,
      const struct ipt_entry_match *match,
      int numeric)
{
}
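The `iptables --list` output used throughout this document is the format a reviewer works from, and the record_rpc rule above shows why reading it needs care: a rule whose match prints nothing is indistinguishable from an unconditional ACCEPT. The parser below is an added example, not code from the HOWTO or from iptables; it handles the IPv4 `--list` layout shown on this page, including the column overflow visible in the ah/esp listings where the protocol name runs into the `opt` column (`ipv6-auth--`), and the sample listing is constructed from rules shown in this document. `blanket_accepts()` is a helper added here to flag such unrestricted-looking ACCEPT rules for manual checking.

```python
import re

# Constructed sample: what `iptables --list` prints for the ah, esp, iplimit,
# ttl and record_rpc example rules of this document, loaded into one chain.
SAMPLE_LISTING = """\
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP ipv6-auth-- anywhere anywhere ah spi:500
DROP ipv6-crypt-- anywhere anywhere esp spi:500
REJECT tcp -- anywhere anywhere tcp dpt:http flags:SYN,RST,ACK/SYN #conn/32 > 4 reject-with icmp-port-unreachable
LOG all -- anywhere anywhere TTL match TTL < 5 LOG level warning
ACCEPT all -- anywhere anywhere
"""

# Built-in chains carry a policy, user-defined chains a reference count.
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+)|(\d+) references)\)$")


def parse_rule_line(line):
    """Split one rule line into its fixed columns plus the trailing match text."""
    tokens = line.split()
    if len(tokens) >= 5 and tokens[2] == "--":
        target, prot, opt, src, dst = tokens[:5]
        extra = tokens[5:]
    elif len(tokens) >= 4 and tokens[1].endswith("--"):
        # Column overflow: a long protocol name (ipv6-auth, ipv6-crypt) fills
        # its column and is printed fused with the opt marker, e.g. ipv6-auth--
        target, prot, opt = tokens[0], tokens[1][:-2], "--"
        src, dst, extra = tokens[2], tokens[3], tokens[4:]
    else:
        raise ValueError("unrecognised rule line: %r" % line)
    return {"target": target, "prot": prot, "opt": opt,
            "source": src, "destination": dst, "extra": " ".join(extra)}


def parse_listing(text):
    """Return {chain_name: {"policy": str or None, "rules": [rule, ...]}}."""
    chains = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = CHAIN_RE.match(line)
        if header:
            current = {"policy": header.group(2), "rules": []}
            chains[header.group(1)] = current
            continue
        if line.startswith("target "):
            continue  # column header line
        if current is None:
            raise ValueError("rule line before any Chain header")
        current["rules"].append(parse_rule_line(line))
    return chains


def blanket_accepts(chains):
    """(chain, rule number) of ACCEPT rules that show no restriction at all:
    protocol all, any source, any destination and nothing after the columns.
    A record_rpc rule looks exactly like this because its print() is empty,
    so every hit must be checked against the rule as it was actually loaded."""
    hits = []
    for name, chain in chains.items():
        for number, rule in enumerate(chain["rules"], start=1):
            if (rule["target"] == "ACCEPT" and rule["prot"] == "all"
                    and rule["source"] == "anywhere"
                    and rule["destination"] == "anywhere"
                    and rule["extra"] == ""):
                hits.append((name, number))
    return hits


if __name__ == "__main__":
    parsed = parse_listing(SAMPLE_LISTING)
    for chain, data in parsed.items():
        print(chain, "policy", data["policy"], len(data["rules"]), "rules")
    print("ACCEPT rules with no visible restriction:", blanket_accepts(parsed))
```

On the sample above the fifth rule is reported, which is exactly the record_rpc situation: the listing alone cannot tell you whether that ACCEPT is guarded by a match that prints nothing or is a genuine accept-everything rule, so the script that loaded the rules is the authority, not the listing.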
string patch
This patch by Emmanuel Roger <winfield@freegates.be> adds a new match that matches a string inside a packet.
For example, to match packets containing the string ``cmd.exe'' and send them to a userland IDS, you can do :
# iptables -A INPUT -m string --string 'cmd.exe' -j QUEUE
# iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
QUEUE all -- anywhere anywhere STRING match cmd.exe
Please use this match carefully. Many people want to use this match together with the DROP target to stop worms. This is a serious mistake : it can be defeated by any IDS evasion method.
In a similar vein, many people have wanted to use this match to stop particular HTTP features such as POST or GET by dropping any HTTP packet containing the string POST. Please understand that this job is better done by a filtering proxy. Additionally, any HTML content containing the word POST would be dropped by the former method.
This match was designed to let you QUEUE interesting packets to userland for better analysis, that is all. Dropping packets based on it can be defeated by any IDS evasion method.
Supported options for the string match are :
--string [!] string -> match a string in the packet.
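To make the caveat above concrete, here is an added example (not code from the HOWTO or from the string patch) that compares what a packet-at-a-time substring check sees with what a userland analyser that reassembles the stream sees. The payloads are constructed. The point is the one the text makes: a condition evaluated per packet can stay silent on a stream that does contain the string, and fires on ordinary HTML that merely mentions POST, which is why QUEUE to a proper analyser and a filtering proxy are recommended over DROP.

```python
# Constructed TCP payloads. In the first case the string sits inside one
# segment; in the second the same request arrives split across two segments.
PATTERN = b"cmd.exe"
ONE_SEGMENT = [b"GET /tools/cmd.exe HTTP/1.0\r\n\r\n"]
SPLIT_SEGMENTS = [b"GET /tools/cmd", b".exe HTTP/1.0\r\n\r\n"]
# An ordinary HTML response that happens to contain the word POST.
HTML_BODY = [b"HTTP/1.0 200 OK\r\n\r\n<html><p>Use the POST method to submit the form.</p></html>"]


def per_packet_hits(segments, pattern=PATTERN):
    """Indices of the segments that contain the pattern on their own: this is
    all a packet-at-a-time matcher such as the string match can ever see."""
    return [i for i, payload in enumerate(segments) if pattern in payload]


def stream_offset(segments, pattern=PATTERN):
    """Offset of the pattern in the reassembled byte stream, or -1: what a
    userland analyser fed through QUEUE can compute once it reassembles."""
    return b"".join(segments).find(pattern)


def compare(segments, pattern=PATTERN):
    """Summarise how the two approaches disagree for one exchange."""
    hits = per_packet_hits(segments, pattern)
    offset = stream_offset(segments, pattern)
    return {
        "per_packet": hits,
        "stream_offset": offset,
        # present in the stream, but no single segment carried it whole
        "missed_per_packet": offset >= 0 and not hits,
    }


if __name__ == "__main__":
    for label, segs in (("one segment", ONE_SEGMENT), ("split", SPLIT_SEGMENTS)):
        print(label, compare(segs))
    # The POST-blocking idea from the text: the string also appears in plain HTML.
    print("html body", compare(HTML_BODY, b"POST"))
```

The split case is reported as a miss by the per-packet check and as a hit at the same offset by the stream check; the HTML case is a per-packet hit for `POST` even though it is a response body, not a request. Reassembly and protocol awareness live in the userland analyser, not in the match.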
time patch
This patch by Fabrice MARIE <fabrice@celestix.com> adds a new match that lets you match packets based on their arrival time, or their departure time for locally generated packets.
For example, to accept packets arriving between 8:00 and 18:00, Monday to Friday, you can do :
# iptables -A INPUT -m time --timestart 8:00 --timestop 18:00 --days Mon,Tue,Wed,Thu,Fri -j ACCEPT
# iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere TIME from 8:0 to 18:0 on Mon,Tue,Wed,Thu,Fri
Supported options for the time match are :
--timestart value -> minimum time, HH:MM
--timestop value -> maximum time, HH:MM
--days listofdays -> list of days on which the rule applies (case sensitive) :
Mon
Tue
Wed
Thu
Fri
Sat
Sun
ttl patch
This patch by Harald Welte <laforge@gnumonks.org> adds a new match that lets you match packets based on their TTL.
For example, to log packets with a TTL lower than 5, you can do :
# iptables -A INPUT -m ttl --ttl-lt 5 -j LOG
# iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
LOG all -- anywhere anywhere TTL match TTL < 5 LOG level warning
Supported options for the ttl match are :
--ttl-eq value -> match a TTL equal to value
--ttl-lt value -> match a TTL lower than value
--ttl-gt value -> match a TTL greater than value
New netfilter targets
In this section we explain how to use the new netfilter targets.
The patches appear in alphabetical order. Patches that interfere with other patches are not described here; that will be added in a later version.
Generally speaking, you can get the help hints for a particular target module like this :
# iptables -j THE_TARGET_YOU_WANT --help
This displays the normal iptables help message, plus the help for the ``THE_TARGET_YOU_WANT'' target at the end.
ftos patch
This patch by Matthew G. Marsh <mgm@paktronix.com> adds a new target that lets you set the TOS of a packet to an arbitrary value.
For example, to set the TOS of all outgoing packets to 15, you can do :
# iptables -t mangle -A OUTPUT -j FTOS --set-ftos 15
# iptables -t mangle --list
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
FTOS all -- anywhere anywhere TOS set 0x0f
Supported options for the FTOS target are :
--set-ftos value -> set the TOS field of the packet header to the given value. The value can be given in decimal (ex: 32) or in hexadecimal (ex: 0x20).
IPV4OPTSSTRIP patch
This patch by Fabrice MARIE <fabrice@celestix.com> adds a new target that strips all the IP options from an IPv4 packet.
In its simplest form, you can load it like this :
# iptables -t mangle -A PREROUTING -j IPV4OPTSSTRIP
# iptables -t mangle --list
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
IPV4OPTSSTRIP all -- anywhere anywhere
This target takes no options.
NETLINK patch
This patch by Gianni Tedesco <gianni@ecsc.co.uk> adds a new target that lets you send dropped packets to userspace through a netlink socket.
For example, to drop all ping packets and send them to a userspace netlink socket, you can do :
# iptables -A INPUT -p icmp --icmp-type echo-request -j NETLINK --nldrop
# iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
NETLINK icmp -- anywhere anywhere icmp echo-request nldrop
Supported options for the NETLINK target are :
--nldrop -> drop the packet.
--nlmark <number> -> mark the packet.
--nlsize <bytes> -> limit the size of the packet sent.
For more information about netlink sockets, see the Netlink Sockets Tour.
NETMAP patch
This patch by Svenning Soerensen <svenning@post5.tele.dk> adds a new target that lets you create a static 1:1 mapping of network addresses while keeping the host part of the address.
For example, to change the destination of incoming connections from 1.2.3.0/24 to 5.6.7.0/24, you can do :
# iptables -t nat -A PREROUTING -d 1.2.3.0/24 -j NETMAP --to 5.6.7.0/24
# iptables -t nat --list
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
NETMAP all -- anywhere 1.2.3.0/24 5.6.7.0/24
Supported options for the NETMAP target are :
--to address[/mask] -> network address to map to
SAME patch
This patch by Martin Josefsson <gandalf@wlug.westbo.se> adds a new target similar to SNAT, but which gives a client the same address for each of its connections.
For example, to change the source address of connections to one of 1.2.3.4-1.2.3.7, you can do :
# iptables -t nat -A POSTROUTING -j SAME --to 1.2.3.4-1.2.3.7
# iptables -t nat --list
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SAME all -- anywhere anywhere same:1.2.3.4-1.2.3.7
Supported options for the SAME target are :
--to <ipaddr>-<ipaddr> -> addresses to map the source to. May be given more than once for multiple ranges.
--nodst -> do not use the destination IP in the source selection.
tcp-MSS patch
This patch by Marc Boucher <marc+nf@mbsi.ca> adds a new target that lets you examine and alter the MSS value of TCP SYN packets, in order to control the maximum segment size for that connection.
As explained by Marc himself, THIS IS A HACK, used to work around brain-dead ISPs or servers that block ICMP Fragmentation Needed packets.
Typical usage is :
# iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
# iptables --list
Chain FORWARD (policy ACCEPT)
target prot opt source destination
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
Supported options for the tcp-MSS target are (mutually exclusive) :
--set-mss value -> explicitly set the MSS option to the given value
--clamp-mss-to-pmtu -> automatically clamp the MSS value to (path_MTU - 40)
TTL patch
This patch by Harald Welte <laforge@gnumonks.org> adds a new target that lets you increase or decrease the TTL of an IP packet by a given value, or set it to a user-specified value.
For example, to set the TTL of all outgoing packets to 126, you can do :
# iptables -t mangle -A OUTPUT -j TTL --ttl-set 126
# iptables -t mangle --list
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
TTL all -- anywhere anywhere TTL set to 126
Supported options for the TTL target are :
--ttl-set value -> set the TTL to <value>
--ttl-dec value -> decrease the TTL by <value>
--ttl-inc value -> increase the TTL by <value>
ulog patch
This patch by Harald Welte <laforge@gnumonks.org> adds a new target that provides a more advanced logging mechanism than the standard LOG target.
`libiptulog/' contains a library for receiving the ULOG messages.
Harald maintains a web page with proper documentation for ULOG, so there is nothing special to explain here.
New connection tracking patches
This section lists the available connection tracking/NAT patches. To use one of them, simply load the corresponding module (with options if needed).
eggdrop-conntrack patch
This patch by Magnus Sandin <magnus@sandin.cx> adds connection tracking support for eggdrop bot networks.
ftp-fxp patch
This patch by Magnus Sandin <magnus@sandin.cx> adds FXP support to the ftp connection tracking. FXP to NATed ftp daemons does not work.
To enable FXP tracking, do :
# modprobe ip_conntrack_ftp.o fxp=1
This patch comes with a security warning : WARNING, applying this patch and enabling it WILL decrease the security provided by the FTP connection tracking.
Use with care (and only if you know what you are doing).
irc-conntrack-nat patch
This patch by Harald Welte <laforge@gnumonks.org> makes DCC work through NAT and connection tracking.
record-rpc patch
This patch by Marcelo Barbosa Lima <marcelo.lima@dcc.unicamp.br> lets netfilter track portmapper requests over TCP and UDP.
snmp-nat patch
This patch by James Morris <jmorris@intercode.com.au> gives netfilter basic SNMP NAT. It is an implementation of the ``basic'' SNMP-ALG described in RFC 2962.
It works by rewriting the IP addresses inside SNMP payloads to match the IP-layer NAT mapping.
talk-conntrack-nat patch
This patch by Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> gives netfilter tracking and NAT of talk connections. By default both otalk (UDP port 517) and talk (UDP port 518) are supported.
otalk and talk can be enabled or disabled individually with module parameters of the ip_conntrack_talk and ip_nat_talk modules. The options are :
otalk = 0 | 1
talk = 0 | 1
where 0 means the given protocol is not supported and 1 means it is.
tcp-window-tracking patch
This patch by Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> lets netfilter do TCP connection tracking according to Guido van Rooij's Real Stateful TCP Packet Filtering in IP Filter. It supports window scaling and lets you pick up already established connections.
This patch requires the ``ftp-fixes'' patch to be applied. That one is probably part of the standard kernel nowadays ...
New IPv6 netfilter matches
In this section, we will attempt to explain the usage of new netfilter matches.
The patches will appear in alphabetical order. Additionally, we will not explain
patches that break other patches. But this might come later.
Generally speaking, for matches, you can get the help hints from a particular
module by typing :
# ip6tables -m the_match_you_want --help
This would display the normal ip6tables help message, plus the specific
``the_match_you_want'' match help message at the end.
agr patch
This patch by Andras Kis-Szabo <kisza@sch.bme.hu> adds 1 new match :
``agr'' : lets you match an IPv6 packet based on its addressing parameters.
This patch can be quite useful for people using the EUI-64 IPv6 addressing scheme who want to check packets based on the delivered address on a LAN.
For example, we will redirect the packets that have a correct EUI-64 address :
# ip6tables -N ipv6ok
# ip6tables -A INPUT -m agr -j ipv6ok
# ip6tables -A INPUT -s ! 3FFE:2F00:A0::/64 -j ipv6ok
# ip6tables -A INPUT -j LOG
# ip6tables -A ipv6ok -j ACCEPT
# ip6tables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
ipv6ok all anywhere anywhere AGR
ipv6ok all !3ffe:2f00:a0::/64 anywhere
LOG all anywhere anywhere LOG level warning
Chain ipv6ok (2 references)
target prot opt source destination
ACCEPT all anywhere anywhere
This match has no options.
ipv6header patch
This patch by Andras Kis-Szabo <kisza@sch.bme.hu> adds a new match
that allows you to match a packet based on its extension headers.
For example, let's drop the packets which have got hop-by-hop, ipv6-route
headers and a protocol payload:
# ip6tables -A INPUT -m ipv6header --header hop-by-hop,ipv6-route,protocol -j DROP
# ip6tables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP all anywhere anywhere ipv6header flags:hop-by-hop,ipv6-route,protocol
And now, let's drop the packets which have got an ipv6-route extension header:
# ip6tables -A INPUT -m ipv6header --header ipv6-route --soft -j DROP
# ip6tables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP all anywhere anywhere ipv6header flags:ipv6-route soft
Supported options for the ipv6header match are :
--header [!] headers -> You can specify the interested
headers with this option. Accepted formats:
hop,dst,route,frag,auth,esp,none,proto
hop-by-hop,ipv6-opts,ipv6-route,ipv6-frag,ah,esp,ipv6-nonxt,protocol
0,60,43,44,51,50,59
--soft -> You can specify the soft mode: in this mode
the match checks the existence of the header, not the full match!
ipv6-ports patch
This patch by Jan Rekorajski <baggins@pld.org.pl> adds 4 new matches :
``limit'' : lets you restrict the number of parallel TCP connections from a particular host or network.
``mac'' : lets you match a packet based on its MAC address.
``multiport'' : lets you specify ports with a mix of port ranges and single ports for the UDP and TCP protocols.
``owner'' : lets you match a packet based on the owner id of the process that created it.
These matches are ports of the IPv4 versions. See the main documentation for the details!
length patch
This patch by Imran Patel <ipatel@crosswinds.net> adds a new match
that allows you to match a packet based on its length. (This patch is a shameless adaptation of the
IPv4 match written by James Morris <jmorris@intercode.com.au>.)
For example, let's drop all the pings with a packet size greater than
85 bytes :
# ip6tables -A INPUT -p ipv6-icmp --icmpv6-type echo-request -m length --length 85:0xffff -j DROP
# ip6tables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP ipv6-icmp -- anywhere anywhere ipv6-icmp echo-request length 85:65535
Supported options for the length match are :
[!] --length length[:length] -> Match packet length
against value or range of values (inclusive)
Values of the range not present will be implied. The implied value for minimum
is 0, and for maximum is 65535.
New IPv6 netfilter targets
In this section, we will attempt to explain the usage of new netfilter targets.
The patches will appear in alphabetical order. Additionally, we will not explain
patches that break other patches. But this might come later.
Generally speaking, for targets, you can get the help hints from a particular
module by typing :
# ip6tables -j THE_TARGET_YOU_WANT --help
This would display the normal ip6tables help message, plus the specific
``THE_TARGET_YOU_WANT'' target help message at the end.
LOG patch
This patch by Jan Rekorajski <baggins@pld.org.pl> adds a new target that allows you
to LOG the packets as in the IPv4 version of iptables.
The examples are the same as in iptables. See the man page for details!
REJECT patch
This patch by Harald Welte <laforge@gnumonks.org> adds a new target that allows you
to REJECT the packets as in the IPv4 version of iptables.
The examples are the same as in iptables. See the man page for details!
New IPv6 connection tracking patches
Connection tracking is not supported yet.
Contribution
Contributing new extensions
The netfilter core team always welcomes new extensions and bug fixes. This section does not cover how to package a new extension so that it can easily be included in patch-o-matic; that may be covered in a later version of this HOWTO.
First, anyone who wants to write a new extension or bug fix should become familiar with the Netfilter Hacking HOWTO.
Rusty has written guidelines on how to submit new patches for netfilter. They can be found at:
/path/to/netfiltercvs/netfilter/userspace/patch-o-matic/NEWPATCHES
or the latest version is available online here :
NEWPATCHES.
Finally, joining the netfilter-devel mailing list is a good idea. More information on how to subscribe is available on the netfilter home page.
Contributing to this HOWTO
Updates to this HOWTO are welcome. The recommended way is to send a patch against the SGML source of this document to its maintainer, via the netfilter-devel mailing list.
Translator's note (-_-;)
This is the first document I have produced with DocBook, so it is rather rough in many places.
There are also parts of the translation I am not satisfied with here and there (my skills fall short --;).
If you find mistakes in the translation or anything that should be corrected, please send them to my e-mail address.
That was DeepBlue's clumsy translation -_-;;