4. ±q 2.0 ¨ì 2.2 ®Ö¤ßªº§Ö³tÂàÅÜ

«D±`©êºp¡M°²¦p±z¤´µM¦£©ó±q 2.0(ipfwadm) ¨ì 2.2(ipchains) ªºÂ૬ªº¸Ü¡C¤£¹L¡M³o¤]¬O­Ó³ß¼ °Ñ¥bªº®ø®§°Õ¡C

­º¥ý¡M±z¥i¥H»´©öªº¤@¦p©¹©õ¦a¨Ï¥Î ipchains ©M ipfwadm¡C­n³o¼Ë°µªº¸Ü¡M±z»Ý­n±N³Ì·sªº netfilter ®M¥ó¤¤ªº `ipchains.o' ©Î `ipfwadm.o' ®Ö¤ß¼Ò²Õ¸ü¤J¡C¥¦­Ì¬O¬Û¤¬±Æ¥¸ªº(±zÀ³¤wÀòĵ§i¤F)¡M¦P®É¤]¤£¯à©M¨ä¥¦ netfilter ¼Ò²Õ¦P®É¾ã¦X¦b¤@°_¡C

¤@¥¹¨ä¤¤¤@­Ó¼Ò²Õ³Q¸ü¤J¡M±z´N¥i¥H¦p±`¨Ï¥Î ipchains ©M ipfwadm ¤F¡M¦ý¤]¦³¦p¤U¤@¨ÇÅܤưաR

• ¥Î ipchains -M -S¡M©Î¬O ipfwadm -M -s §@°°¸Ë¹O®É±N¤£¦A¦³®Ä¡C¦]¬°¹O®É³]©w¤w¸g²¾¦Ü·sªº NAT ¬ºc¤¤¡M©Ò¥H³o¸Ì¤]´N¨S¤°»ò©Ò¿×¤F¡C
• ¦b°°¸Ë¦Cªí¤¤Åã¥Üªº ini seq¡Ndelte¡N©M previous delta Äæ¦ì¡M±N¥Ã»·¬°¹s¡C
• ¦P®ÉÂk¹s(zeroing)©M¦C¥Ü°O¼Æ¾¹(counter)ªº `-Z -L' ¤wµL§@¥Î¡R°O¼Æ¾¹±N¤£¯à¦AÂk¹s¤F¡C

Hacker ­Ì¤´­n¯d·N¤§³B¡R

• ±z²{¦b¥i¥H®¹¸j 61000-65095 ¤§¶¡ªº°ð¤f¡M¦ÓµL»Ý²z·|±z¬O§_¨Ï¥Î«Ê¥]°°¸Ë§Þ³N¡C¦b¹L¥h¡M«Ê¥]°°¸Ëµ{¦¡·|§â¦¹­È°ì¤ºªº©Ò¦³ªF¦è®·Àò¶i¨Ó¡M©Ò¥H¨ä¥¦µ{¦¡´N¤£¥i¥Î¤§¤F¡C
• ¦Ü©ó(©|¥¼¦¨¤å¤§) getsockname ¯}¸Ñ¡M¦b¹L¥h¡M³z©ú¥N²zµ{¦¡¥i¥H§ä¥X¨º¨Ç¤£¦A¦³®Ä³s½u¤§¯u¥¿¥Øªº¦a¡C
• ¦Ü©ó(©|¥¼¦¨¤å¤§) bind-to-foreign-address ¯}¸Ñ¡M¦P¼Ë©|¥¼¹ê§@¡Q³o¦b¹L¥h¥Î¥H§¹µ½³z©ú¥N²zªººc·Q¡C

4.1 ±Ï©R°Ú¡T§Ú¥u·Q­n«Ê¥]°°¸Ë¦Ó¤w¡T

¨S¿ù¡M³o¤]¬O¤j¦h¼ÆªB¤Í¤§»Ý¡C¦pªG±z¥Î PPP ¼·±µÀò±oªº°ÊºA IP (¦pªG±z¤£¤F¸Ñªº¸Ü¡M¨º±zÀ³¸Ó¬O¤F)¡M±z©Î³\¥u·Q³æ¯Â§i¶D±zªº¥D¾÷Åý©Ò¦³¨Ó¦Û±z¤º³¡ºô¸ôªº«Ê¥]¡M¬Ý°_¨Ó¦p¨Ó¦Û¸Ó PPP ¼·±µ¥D¾÷¤@¼Ë¡C

# Load the NAT module (this pulls in all the others).
modprobe iptable_nat

# In the NAT table (-t nat), Append a rule (-A) after routing
# (POSTROUTING) for all packets going out ppp0 (-o ppp0) which says to
# MASQUERADE the connection (-j MASQUERADE).
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

# Turn on IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

µù¡R±z³o¸Ì¨Ã¨S°µ¥ô¦ó«Ê¥]¹LÂo¡R¦p­nªº¸Ü¡M½Ð°Ñ¦Ò Packet Filtering HOWTO¡R±N NAT ©M«Ê¥]¹LÂo¦X¨Ö°_¨Ó´N¬O¤F¡C

4.2 ¨º ipmasqadm «ç»ò¤F¡S

³o­Ó¨ä¹ê¨ú¨M©ó¨Ï¥ÎªÌ¦Ó¤w¡M©Ò¥H§Ú¨Ã¤£¬O«Ü¬°¦V«á­Ý®e°ÝÃD¦Ó¾á¤ß¡C±z¥i¥H³æ¯Â¨Ï¥Î iptables -t nat °µ port forwarding ªº°Ê§@¡C¨Ò¦p¡M¦b Linux 2.2 ±z©Î³\¤w¸g³o¼Ë°µ¤F¡R

# Linux 2.2
# Forward TCP packets going to port 8080 on 1.2.3.4 to 192.168.1.1's port 80
ipmasqadm portfw -a -P tcp -L 1.2.3.4 8080 -R 192.168.1.1 80

¦Ó²{¦b¡M¦p¦¹«h¥i¡R

# Linux 2.4
# Append a rule pre-routing (-A PREROUTING) to the NAT table (-t nat) that
# TCP packets (-p tcp) going to 1.2.3.4 (-d 1.2.3.4) port 8080 (--dport 8080)
# have their destination mapped (-j DNAT) to 192.168.1.1, port 80
# (--to 192.168.1.1:80).
iptables -A PREROUTING -t nat -p tcp -d 1.2.3.4 --dport 8080 \
        -j DNAT --to 192.168.1.1:80

°²¦p±z·QÅý³o±ø³W«h¦P®É­×§ï¥»¾÷³s½uªº¸Ü(¦p¡M§Y¨Ï¦b NAT ¥D¾÷¥»¨­¡M­n³s±µ 1.2.3.4 ªº 8080 °ð¤f¤§ telnet ³s½u¡M·|À°±z³s±µ¦Ü 192.168.1.1 ªº 80 °ð¤f)¡M±z´N¥i¥H´¡¤J¬Û¦Pªº³W«h¦Ü OUTPUT Ã줤(¥¦¥u¾A¥Î©ó¥»¾÷¶Ç¥Xªº«Ê¥])¡R

# Linux 2.4
iptables -A OUTPUT -t nat -p tcp -d 1.2.3.4 --dport 8080 \
        -j DNAT --to 192.168.1.1:80