Chapter 7. Firewalls

Information security is commonly thought of as a process rather than a product. However, standard security implementations usually take the form of some dedicated mechanism that controls access privileges and restricts network resources to users who are authorized, identifiable, and traceable. Red Hat Enterprise Linux includes several powerful tools to assist administrators and security engineers with network-level access control issues.

Apart from VPN solutions such as CIPE or IPsec (discussed in Chapter 6), firewalls are one of the core components of a network security implementation. Several vendors offer firewall solutions for every segment of the market, from home users protecting a single PC to data center solutions safeguarding vital enterprise information. Firewalls can be standalone hardware solutions, such as the firewall appliances offered by Cisco, Nokia, and Sonicwall. There are also software firewall products, developed for everything from home to business use, from vendors such as Checkpoint, McAfee, and Symantec.

Apart from the differences between hardware and software firewalls, firewalls also differ from one solution to another in how they function. Table 7-1 describes three common types of firewalls and how they work.

Method: NAT
Description: Network Address Translation (NAT) places internal IP subnetworks behind one external IP address or a small pool of external IP addresses, masquerading all requests to one source rather than several.
Advantages:
· Can be configured transparently to machines on the LAN
· Protecting many machines and services behind one or more external IP addresses simplifies administration duties
· Access restrictions between users and the LAN can be configured by opening and closing ports on the NAT firewall/gateway
Disadvantages:
· Cannot prevent malicious activity once users connect to a service outside the firewall

Method: Packet filter
Description: A packet filtering firewall reads each data packet that passes into and out of the LAN. It reads packets by their header information and then processes them, filtering packets according to the programmable rule set implemented by the firewall administrator. The Linux kernel has built-in packet filtering functionality through the netfilter kernel subsystem.
Advantages:
· Customizable through the iptables front-end utility
· No customization is needed on the client side, since all network activity is filtered at the router level rather than the application level
· Because packets are not sent through a proxy but travel over a direct connection from the client to the remote host, network performance is faster
Disadvantages:
· Cannot filter packets for content the way proxy firewalls can
· Processes packets at the protocol layer, but cannot filter packets at the application layer
· Complex network architectures can make it difficult to establish packet filtering rules, especially when combined with IP masquerading or with local subnets and DMZ networks

Method: Proxy
Description: Proxy firewalls filter all requests of a certain protocol or type from LAN clients to a proxy machine, which then sends those requests to the Internet on behalf of the local client. The proxy machine acts as a buffer between malicious remote users and the network client machines.
Advantages:
· Gives administrators control over which applications and protocols function outside the LAN
· Some proxy servers can cache data, so clients can access frequently requested data from the local cache rather than using the Internet connection to request it; this is convenient for cutting down on unnecessary bandwidth consumption
· Proxy services can be logged and monitored closely, allowing tight control over resource utilization on the network
Disadvantages:
· Proxies are often application-specific (HTTP, telnet, etc.) or protocol-restricted (most proxies work only with TCP connected services)
· Application services cannot run inside the proxy, so application servers must use a separate form of network security
· Because all requests and transmissions pass through one source rather than going directly from the client to the remote service, the proxy can become a network bottleneck

Table 7-1. Firewall Types

7.1. Netfilter and IPTables

The Linux kernel features a powerful networking subsystem called netfilter. The netfilter subsystem provides stateful or stateless packet filtering, as well as NAT and IP masquerading services. Netfilter also has the ability to mangle IP header information for advanced routing and connection state management. Netfilter is controlled through the IPTables utility.

7.1.1. IPTables Overview

The power and flexibility of netfilter is implemented through the IPTables interface. This command-line tool is similar in syntax to its predecessor, IPChains, but IPTables uses the netfilter subsystem to enhance network connection handling, inspection, and processing, whereas IPChains used intricate rule sets for filtering source and destination paths as well as the connection ports for both. IPTables provides advanced logging, pre- and post-routing actions, Network Address Translation, and port forwarding, all in one command-line interface.
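The NAT and packet-filter rows of Table 7-1 and the IPTables feature list above (stateful filtering, masquerading, logging, port forwarding) come together in a single rule set. The script below is an added example written for this page, not code from the Red Hat guide or from the iptables project: it generates an iptables-restore rule set for a small NAT gateway with default-deny filter policies, stateful acceptance of return traffic, rate-limited logging of dropped packets, masquerading of the LAN, and one forwarded port. The interface names eth0 (external) and eth1 (internal), the subnet 192.168.1.0/24 and the internal web server 192.168.1.10 are assumptions; the `ruleset_has` helper is a hypothetical check used to validate the generated text without loading it into the kernel.

```shell
#!/bin/sh
# Added example (not from the Red Hat Security Guide): emit an iptables-restore
# rule set for a small NAT gateway / packet-filtering firewall.
# Interfaces, subnet and the forwarded web server are assumed values that can be
# overridden through the environment.

WAN_IF="${WAN_IF:-eth0}"                   # assumption: external (Internet-facing) interface
LAN_IF="${LAN_IF:-eth1}"                   # assumption: internal LAN interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"       # assumption: internal subnet behind NAT
WEB_SERVER="${WEB_SERVER:-192.168.1.10}"   # assumption: internal host receiving forwarded port 80

# filter table: default DROP on INPUT and FORWARD (packet filtering),
# stateful accept of return traffic, and logging of what gets dropped.
filter_table() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $LAN_IF -p tcp --dport 22 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-INPUT-DROP: "
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -d $WEB_SERVER -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FW-FORWARD-DROP: "
COMMIT
EOF
}

# nat table: DNAT (port forwarding) in PREROUTING, MASQUERADE of the LAN in
# POSTROUTING, i.e. the NAT row of Table 7-1.
nat_table() {
cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i $WAN_IF -p tcp --dport 80 -j DNAT --to-destination $WEB_SERVER:80
-A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
COMMIT
EOF
}

# The complete rule set, suitable for: iptables-restore < rules.txt (as root).
gateway_ruleset() {
  filter_table
  nat_table
}

# Hypothetical helper: fixed-string check that a given rule line is present in
# the generated rule set, so the text can be validated without touching the kernel.
ruleset_has() {
  gateway_ruleset | grep -qF -- "$1"
}

gateway_ruleset
```

Run the script to print the rule set, redirect it to a file, and load it with `iptables-restore` as root; because the FORWARD policy is DROP, only LAN-originated traffic and the forwarded port 80 cross the gateway, and every other forwarded or inbound packet is logged (rate-limited) and then discarded by the chain policy.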

This section provides an overview of IPTables. For more detailed information about IPTables, refer to the Red Hat Enterprise Linux Reference Guide.