¤³¤Î¥á¥Ã¥»¡¼¥¸¤Ï¡¢¥Þ¥ë¥Á¥¥ã¥¹¥È¡¦¥Ñ¥±¥Ã¥È¤¬ NAT ¥Æ¡¼¥Ö¥ë¤òÄ̤ëºÝ¤Ë NAT ¤Î¥³¡¼¥É¤Ë¤è¤ê½ÐÎϤµ¤ì¤ë¤â¤Î¤Ç¡¢º£¤Î¤È¤³¤í¥³¥Í¥¯¥·¥ç¥óÄÉÀ×Éô¤¬ ¥Þ¥ë¥Á¥¥ã¥¹¥È¡¦¥Ñ¥±¥Ã¥È¤ò¤¦¤Þ¤¯½èÍý¤Ç¤¤Ê¤¤¤Î¤¬¸¶°ø¤Ç¤¹¡£ ¥Þ¥ë¥Á¥¥ã¥¹¥È¤¬²¿¤Ç¤¢¤ë¤«Ê¬¤«¤é¤Ê¤¤¤«¡¢ ¤Þ¤¿¤Ï¥Þ¥ë¥Á¥¥ã¥¹¥È¤ò¤Þ¤Ã¤¿¤¯É¬ÍפȤ·¤Ê¤¤¤Ê¤é¡¢ °Ê²¼¤Î¤è¤¦¤Ë¤·¤Æ¤¯¤À¤µ¤¤:
iptables -t mangle -I PREROUTING -j DROP -d 224.0.0.0/8
syslog ¤«¥³¥ó¥½¡¼¥ë¤Ë°Ê²¼¤Î¥á¥Ã¥»¡¼¥¸¤¬É½¼¨¤µ¤ì¤Þ¤¹:
NAT: X dropping untracked packet Y Z aaa.aaa.aaa.aaa -> bbb.bbb.bbb.bbb
¤³¤Î¥á¥Ã¥»¡¼¥¸¤Ï¡¢NAT ¤Î¥³¡¼¥É¤Ë¤è¤êɽ¼¨¤µ¤ì¤Þ¤¹¡£ NAT ¤ò¹Ô¤¦¤Ë¤Ï¡¢Í¸ú¤Ê¥³¥Í¥¯¥·¥ç¥óÄÉÀ×¾ðÊ󤬤ʤ¤¤È¤¤¤±¤Ê¤¤¤Î¤Ç¡¢ ¥Ñ¥±¥Ã¥È¤òÇË´þ¤·¤Æ¤¤¤ë¤Î¤Ç¤¹¡£¥³¥Í¥¯¥·¥ç¥óÄÉÀ×Éô¤¬ conntrack ¾ðÊó¤ò·èÄê¤Ç¤¤Ê¤«¤Ã¤¿¥Ñ¥±¥Ã¥È¤¹¤Ù¤Æ¤ËÂФ·¡¢¤³¤Î¥á¥Ã¥»¡¼¥¸¤¬É½¼¨¤µ¤ì¤Þ¤¹¡£
¹Í¤¨¤é¤ì¤ëÍýͳ¤È¤·¤Æ¤Ï:
¤³¤¦¤·¤¿¥Ñ¥±¥Ã¥È¤Î¤â¤Ã¤È¾ÜºÙ¤Ê¥í¥°¤ò¼è¤ê¤¿¤¤¤Ê¤é(¤Ä¤Þ¤ê¡¢ ¥ê¥â¡¼¥È¡¦¥×¥í¡¼¥Ö¤ä¥¹¥¥ã¥Ë¥ó¥°¡¦¥Ñ¥±¥Ã¥È¤À¤Èµ¿¤¦¤Ê¤é)¡¢ °Ê²¼¤Î¥ë¡¼¥ë¤òÍøÍѤ·¤Æ¤¯¤À¤µ¤¤:
iptables -t mangle -A PREROUTING -j LOG -m state --state INVALID
¤½¤¦¤Ç¤¹¡¢¥Ñ¥±¥Ã¥È¤Ï¥Õ¥£¥ë¥¿¡¦¥Æ¡¼¥Ö¥ë¤ËÅþ㤹¤ëÁ°¤Ë¡¢NAT ¤Î¥³¡¼¥É¤Ë¤è¤Ã¤ÆÇË´þ¤µ¤ì¤Æ¤·¤Þ¤¦¤Î¤Ç¡¢¤³¤Î¥ë¡¼¥ë¤ò mangle ¥Æ¡¼¥Ö¥ë¤ËÀßÄꤷ¤Ê¤¯¤Æ¤Ï¤Ê¤ê¤Þ¤»¤ó¡£
¤Ä¤Þ¤ê¡¢´°Á´¤ÊÆ©²á·¿¥Õ¥¡¥¤¥¢¥¦¥©¡¼¥ë¤ò¹½ÃÛ¤·¤¿¤¤¤ï¤±¤Ç¤¹¤Í¡© ÁÇÀ²¤é¤·¤¤¹Í¤¨¤Ç¤¹¤Í¡ª »ÄÇ°¤Ç¤¹¤¬¡¢¥Ö¥ê¥Ã¥¸¤Î¥³¡¼¥É¤Ï¡¢netfilter ¤ò´Þ¤àÉáÄ̤Υͥåȥ¥¯¡¦¥¹¥¿¥Ã¥¯¤ò±ª²ó¤·¤Æ¤·¤Þ¤¦¤Î¤Ç¤¹¡£
¤·¤«¤·¡¢´û¸¤Î¥Ö¥ê¥Ã¥¸¤Î¥³¡¼¥É¤òÂåÂؤ¹¤ë¤â¤Î¤ò½ñ¤¤¤Æ¤¤¤ë¿Í¤¬¤¤¤Þ¤¹¡£ http://www.math.leidenuniv.nl/~buytenh/bridge/ ¤ò¤´Í÷¤¯¤À¤µ¤¤¡£
¥Ö¥ê¥Ã¥¸¥ó¥°¡¦¥Õ¥¡¥¤¥¢¥¦¥©¡¼¥ë¤Î¥µ¥Ý¡¼¥È¤Ï¡¢ Èó¾ï¤Ë¼Â¸³Åª¤È¤ß¤Ê¤µ¤ì¤Æ¤¤¤ë¤³¤È¤Ë¤´Ãí°Õ¤¯¤À¤µ¤¤¡£
¤½¤¦¤Ç¤¹¤Í¡¢¤½¤ì¤ÏȾʬËÜÅö¤Î¤³¤È¤Ç¤¹¡£NAT ¥â¥¸¥å¡¼¥ë¤À¤±¤Ç¤Ï ½èÍý¤Ç¤¤Þ¤»¤ó¡£NAT È´¤¤Ç¥Õ¥¡¥¤¥¢¥¦¥©¡¼¥ë¤òÍøÍѤ¹¤ì¤Ð¡¢ ¤½¤ì¤Ï¤¦¤Þ¤¯¤¤¤¤Þ¤¹¡£
netfilter ¤Ï¡¢¤Ç¤¤ë¸Â¤ê¥Ñ¥±¥Ã¥È¤Ë¼ê¤ò²Ã¤¨¤Ê¤¤¤è¤¦¤ËÅؤá¤Þ¤¹¡£ ¤Ç¤¹¤Î¤Ç¡¢²æ¡¹¤Î¤È¤³¤í¤Ë¥ê¥Ö¡¼¥È¤·¤¿¤Æ¤Î¥Þ¥·¥ó¤¬¤¢¤ê¡¢ SNAT ¥Ü¥Ã¥¯¥¹¤ÎÇظå¤Ë¤¤¤ë狼¤¬¥í¡¼¥«¥ë¡¦¥Ý¡¼¥È 1234 È֤ǥ³¥Í¥¯¥·¥ç¥ó¤ò³«¤¤¤¿¾ì¹ç¡¢netfilter ¥Ü¥Ã¥¯¥¹¤Ï IP ¥¢¥É¥ì¥¹¤À¤±¤Ë¼ê¤ò²Ã¤¨¡¢¥Ý¡¼¥ÈÈÖ¹æ¤Ï¤½¤Î¤Þ¤Þ¤Ë¤·¤Æ¤ª¤¤Þ¤¹¡£
SNAT ÍѤΠIP ¥¢¥É¥ì¥¹¤¬°ì¸Ä¤·¤«¤Ê¤¤¾ì¹ç¡¢Ã¯¤«¤¬Æ±¤¸Á÷¿®¸µ¥Ý¡¼¥ÈÈÖ¹æ ¤ÇÊ̤Υ³¥Í¥¯¥·¥ç¥ó¤ò³«¤¯¤ÈƱ»þ¤Ë¡¢netfilter ¤Ï IP ¥¢¥É¥ì¥¹¤È¥Ý¡¼¥ÈÈÖ¹æ¤ÎξÊý¤Ë¼ê¤ò²Ã¤¨¤Ê¤¯¤Æ¤Ï¤Ê¤é¤Ê¤¯¤Ê¤ê¤Þ¤¹¡£
¤·¤«¤·¡¢»ÈÍѲÄǽ¤Ê IP ¥¢¥É¥ì¥¹¤¬°ì¸Ä°Ê¾å¤¢¤ë¤Ê¤é¡¢ ¤³¤Î¾ì¹ç¤â IP Éô¤Ë¼ê¤ò²Ã¤¨¤ë¤À¤±¤Ç¤¹¤ß¤Þ¤¹¡£
¤³¤Î¥á¥Ã¥»¡¼¥¸¤¬ syslog ¤ÎÃæ¤Ë¤¢¤ë¤Î¤Ëµ¤ÉÕ¤¤¤¿¤é¡¢¤´ÍøÍѤδĶ²¼¤Ç¤Ï¡¢ ¤É¤¦¤ä¤é conntrack ¥Ç¡¼¥¿¥Ù¡¼¥¹¤¬½½Ê¬¤Ê¿ô¤Î¥¨¥ó¥È¥ê¤ò»ý¤Ã¤Æ¤Ê¤¤¤è¤¦¤Ç¤¹¡£ ¥Ç¥Õ¥©¥ë¥È¤Ç¤Ï¡¢¥³¥Í¥¯¥·¥ç¥óÄÉÀ×Éô¤Î½èÍý¤Ç¤¤ëƱ»þÀܳ¿ô¤Ë¤Ï¡¢ ¤¢¤ë°ìÄê¤Î¾å¸Â¤¬¤¢¤ê¤Þ¤¹¡£ ¤³¤Î¿ô¤Ï¡¢¤´ÍøÍѤΥ·¥¹¥Æ¥à¤Î¥á¥â¥ê¡¦¥µ¥¤¥º¤Î¾å¸Â¤Ë°Í¤ê¤Þ¤¹ (¥á¥â¥ê¤¬ 64MB ¤Ç¤·¤¿¤é 4096 ¸Ä¡¢128MB ¤Ç¤·¤¿¤é 8192 ¸Ä ...)¡£
ÄÉÀפ¹¤ë¥³¥Í¥¯¥·¥ç¥ó¤Î¿ô¤Î¾å¸Â¤òÁý¤ä¤¹¤³¤È¤Ï´Êñ¤Ë¤Ç¤¤Þ¤¹¤¬¡¢ ÄÉÀפ¹¤ë¥³¥Í¥¯¥·¥ç¥ó¿ô¤Ò¤È¤Ä¤¢¤¿¤ê¡¢swap ¤Ç¤¤Ê¤¤¥«¡¼¥Í¥ë¡¦¥á¥â¥ê¤òÌó 350 ¥Ð¥¤¥È¿©¤¦¤³¤È¤ò¤ªËº¤ì¤Ê¤¯¡ª
¾å¸Â¤òÎ㤨¤Ð 8192 ¤ËÁý¤ä¤¹¤Ë¤Ï¡¢°Ê²¼¤Î¤è¤¦¤ËÆþÎϤ·¤Æ¤¯¤À¤µ¤¤:
echo "8192" > /proc/sys/net/ipv4/ip_conntrack_max
proc ¥Õ¥¡¥¤¥ë¥·¥¹¥Æ¥àÃæ¤Ë¡¢/proc/net/ip_conntrack
¤È¤¤¤¦Ì¾Á°¤Î¥Õ¥¡¥¤¥ë¤¬¤¢¤ê¤Þ¤¹¡£°Ê²¼¤Î¤è¤¦¤Ë¤¹¤ì¤Ð¡¢
¤³¤Î¥Õ¥¡¥¤¥ë¤ò½ÐÎϤ·¤Æɽ¼¨¤Ç¤¤Þ¤¹¡£
cat /proc/net/ip_conntrack
͸ú¤Ê¤¹¤Ù¤Æ¤Î IP ¥Æ¡¼¥Ö¥ë¤Ï¡¢°Ê²¼¤Î¤è¤¦¤Ë¤·¤Æ¥ê¥¹¥Èɽ¼¨¤µ¤ì¤Þ¤¹¡£
cat /proc/net/ip_tables_names
´ûÃΤΥХ°¤Ç¤¹¡£¤Ç¤¤ë¤À¤±Â®¤ä¤«¤Ë¡¢ºÇ¿·¤Î CVS ¤Î¥½¡¼¥¹¤«¡¢ 1.2.1 °Ê¹ß¤Î iptables ¤Ë¥¢¥Ã¥×¥°¥ì¡¼¥É¤·¤Æ¤¯¤À¤µ¤¤¡£
¤³¤ì¤Ï iptables ¤¬ IP ¥¢¥É¥ì¥¹Ëè¤Ë DNS ¸¡º÷¤ò¹Ô¤Ã¤Æ¤¤¤ë¤¿¤á¤Ç¤¹¡£ ³Æ¥ë¡¼¥ë 2 ¤Ä¤Î¥¢¥É¥ì¥¹¤«¤é¹½À®¤µ¤ì¤Þ¤¹¤Î¤Ç¡¢ºÇ°¤Î¾ì¹ç¡¢ ¥ë¡¼¥ëËè¤Ë 2 ²ó DNS ¸¡º÷¤¬Æþ¤ê¤Þ¤¹¡£
ÌäÂê¤È¤Ê¤ë¤Î¤Ï¡¢¥×¥é¥¤¥Ù¡¼¥È IP ¥¢¥É¥ì¥¹(10.x.x.x ¤ä 192.168.x.x ¤Ê¤É) ¤ò»È¤Ã¤Æ¤¤¤ë¾ì¹ç¤Ç¡¢DNS ¤Ï¥Û¥¹¥È̾¤ò²ò·è¤Ç¤¤º¡¢¥¿¥¤¥à¥¢¥¦¥È¤·¤Þ¤¹¡£ ¤³¤¦¤·¤¿¥¿¥¤¥à¥¢¥¦¥È¤Î¹ç·×¤¬¡¢¤´ÍøÍѤΥ롼¥ë¥»¥Ã¥È¤Ë¤è¤Ã¤Æ¤Ï¡¢ ¤È¤Æ¤âŤ¤»þ´Ö¤Ë¤Ê¤ë¤«¤â¤·¤ì¤Þ¤»¤ó¡£
DNS ¤ÎµÕ°ú¤¤ò¹Ô¤ï¤Ê¤¤¤è¤¦¤Ë¤¹¤ë¤Ë¤Ï¡¢-n (numeric)¥ª¥×¥·¥ç¥ó¤òÆþ¤ì¤Æ¡¢ iptables ¤ò¤ª»È¤¤¤¯¤À¤µ¤¤¡£
syslogd ¤òŬÀÚ¤ËÀßÄꤷ¤Ê¤¯¤Æ¤Ï¤Ê¤ê¤Þ¤»¤ó - LOG ¥¿¡¼¥²¥Ã¥È¤Ï¡¢¥×¥é¥¤¥ª¥ê¥Æ¥£ÃÍ warning(4) ¤Ç¡¢¥Õ¥¡¥·¥ê¥Æ¥£ÃÍ kern ¤Î¥í¥®¥ó¥°¤ò¹Ô¤¤¤Þ¤¹¡£ ¥Õ¥¡¥·¥ê¥Æ¥£Ãͤȥץ饤¥ª¥ê¥Æ¥£ÃͤˤĤ¤¤Æ¤Î¾ÜºÙ¤Ï¡¢ syslogd.conf ¤Î man ¥Ú¡¼¥¸¤ò»²¾È¤·¤Æ¤¯¤À¤µ¤¤¡£
¥Ç¥Õ¥©¥ë¥È¤Ç¤Ï¡¢¥×¥é¥¤¥ª¥ê¥Æ¥£Ãͤ¬ debug(7) ¤è¤ê½ÅÍפʥ«¡¼¥Í¥ë¤Î¥á¥Ã¥»¡¼¥¸¤¬¤¹¤Ù¤Æ¥³¥ó¥½¡¼¥ë¤ËÁ÷¤é¤ì¤Þ¤¹¡£ ¤³¤ÎÃͤò 7 ¤«¤é 4 ¤Þ¤Ç¾å¤²¤ì¤Ð¡¢¥³¥ó¥½¡¼¥ë¾å¤Ë LOG ¥á¥Ã¥»¡¼¥¸¤¬É½¼¨¤µ¤ì¤ë¤³¤È¤Ï¤¢¤ê¤Þ¤»¤ó¡£
¤³¤¦¤¹¤ë¤È¡¢Â¾¤Î½ÅÍפʥá¥Ã¥»¡¼¥¸¤â¥³¥ó¥½¡¼¥ë¤Ëɽ¼¨¤µ¤ì¤Ê¤¯ ¤Ê¤ë¤«¤âÃΤì¤Þ¤»¤ó¡£µ¤¤ò¤Ä¤±¤Æ¤¯¤À¤µ¤¤ (syslog ¥Õ¥¡¥¤¥ë¤Ë¤Ï±Æ¶Á¤·¤Þ¤»¤ó)¡£
¤Þ¤ºÂè°ì¤Ë¡¢ÅöÁ³¤Ê¤¬¤é¡¢Å¬ÀÚ¤Ê DNAT ¤« REDIRECT ¤Î¥ë¡¼¥ë¤¬É¬ÍפȤʤê¤Þ¤¹¡£ squid ¤¬ NAT ¥Ü¥Ã¥¯¥¹¼«¿È¤Î¾å¤ÇÆ°¤¯¤Ê¤é¡¢REDIRECT ¤Î¤ß»È¤Ã¤Æ¤¯¤À¤µ¤¤¡£ Î㤨¤Ð:
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to 192.168.22.33:3128
¤½¤Î¸å¡¢squid ¤òÀµ¤·¤¯ÀßÄꤷ¤Ê¤¯¤Æ¤Ï¤Ê¤ê¤Þ¤»¤ó¡£ ²æ¡¹¤¬¤³¤³¤ÇÄ󶡤Ǥ¤ë¾ðÊó¤Ï¸Â¤é¤ì¤Æ¤¤¤Þ¤¹¤Î¤Ç¡¢ ¹¹¤Ë¾Ü¤·¤¤¾ðÊó¤Ë¤Ä¤¤¤Æ¤Ï¡¢squid ¤Î¥É¥¥å¥á¥ó¥È¤ò»²¾È¤¯¤À¤µ¤¤¡£
Squid 2.3 ¤Ç¤Î squid.conf ¤Ë¡¢°Ê²¼¤Î¤è¤¦¤ÊÀßÄ꤬ɬÍפǤ¹:
http_port 3128
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
httpd_accel_single_host off
LOG ¥¿¡¼¥²¥Ã¥È¤Ï¡¢¤¤¤ï¤æ¤ë¡Ö½ªÎ»¤·¤Ê¤¤¥¿¡¼¥²¥Ã¥È¡×¤Ç¤¹¡£ ¤Ä¤Þ¤ê¤½¤ì¤Ï¡¢¥Ñ¥±¥Ã¥È¤¬¥ë¡¼¥ë¤ËŬ¹ç¤·¤Æ¤â¡¢¤½¤³¤Ç½ªÎ»¤·¤Þ¤»¤ó¡£ LOG ¥¿¡¼¥²¥Ã¥È¤òÍøÍѤ¹¤ë¤È¡¢¥Ñ¥±¥Ã¥È¤Ï¥í¥®¥ó¥°¤µ¤ì¡¢ ¥ë¡¼¥ëŬ¹ç¤Î¸¡º÷¤¬¼¡¤Î¥ë¡¼¥ë¤Ë°ú¤·Ñ¤¬¤ì¤Þ¤¹¡£
¤Ç¤Ï¡¢¥í¥°¤ò¼è¤ê¡¢Æ±»þ¤ËÇË´þ¤¹¤ë¤Ë¤Ï¤É¤¦¤¹¤ì¤Ð¤è¤¤¤Î¤Ç¤·¤ç¤¦¡© ºÇ¤â´Êñ¤Ê¤Î¤Ï¡¢Æó¤Ä¤Î¥ë¡¼¥ë¤ò´Þ¤à¥Á¥§¥¤¥ó¤ò¤¢¤Ä¤é¤¨¤ë¤³¤È¤Ç¤¹:
iptables -N logdrop
iptables -A logdrop -j LOG
iptables -A logdrop -j DROP
º£¸å¥Ñ¥±¥Ã¥È¤ò¥í¥°¤ËµÏ¿¤·¤Æ¤«¤éÇË´þ¤·¤¿¤¤¾ì¹ç¤Ï¡¢ "-j logdrop" ¤ò»È¤¦¤À¤±¤Ç¤¹¤ß¤Þ¤¹¡£