Isn't there documentation in Japanese for this already?
http://www.netfilter.org/documentati...ilter-faq.html
OK, maybe it's complicated, but here's how you start:
1) take a very basic firewall (I'll provide it and comment it)
2) look through each of the rules to understand how packets get through or get stopped (there aren't that many)
3) add rules as necessary, one at a time preferably
if you have further specific questions, ask after reading through this:
(all this goes where your usual firewall script goes)
# begin radix's firewall script
# variable definitions
IPTABLES="/usr/sbin/iptables"
LOG_LEVEL="info"
# load appropriate modules to do the filtering (i've loaded a
# bunch, but you won't need all of them immediately)
/sbin/depmod -a
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
#/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state
/sbin/modprobe ipt_mac
/sbin/modprobe ipt_owner
/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_MASQUERADE
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
#/sbin/modprobe ip_nat_ftp
#/sbin/modprobe ip_nat_irc
# /proc setup
# you'll need this if you have a network setup where
# more than one computer is "behind" the linux firewall
# (with the FORWARD policy set to DROP below, nothing is actually
# forwarded until you add FORWARD rules, so it is safe to leave on)
echo "1" > /proc/sys/net/ipv4/ip_forward
# flushing old rulesets (-F with no chain name flushes every chain
# in the filter table; the nat table has to be flushed separately
# with -t nat, otherwise re-running the script duplicates nat rules)
$IPTABLES -F
$IPTABLES -X
$IPTABLES -t nat -F
$IPTABLES -t nat -X
# setting default policies for base chains
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT DROP
##################
# rules for INPUT
##################
# accept inbound packets from the loopback interface (don't restrict
# the source to 127.0.0.1: connections to the box's own eth0 address
# also arrive on lo, with that address as the source, and would be
# dropped otherwise)
$IPTABLES -A INPUT -i lo -j ACCEPT
# this only allows established and related connections inbound
# from the interface eth0; this is to stop people from making
# NEW connections to your computer (that's GOOD)
$IPTABLES -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
###################
# rules for OUTPUT
###################
# allow the loopback packets out (match on the interface, not on the
# source address, for the same reason as in the INPUT rule above)
$IPTABLES -A OUTPUT -o lo -j ACCEPT
# let all traffic that is not (!) INVALID out the interface eth0
$IPTABLES -A OUTPUT -p ALL -o eth0 -m state ! --state INVALID -j ACCEPT
(EOF)
From here, add your own rules; it's not that hard :P.
cheers,
y-p
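Step 3 of the post worked through, as an added example that is not part of y-p's post or script: it appends the next two INPUT rules in the order they have to go in (open inbound SSH on eth0 for NEW connections, then a rate-limited LOG of whatever is about to hit the DROP policy, using the LOG_LEVEL variable the script defines but never uses). The interface name eth0, port 22, the limit values and the DRY_RUN switch are assumptions; with DRY_RUN=1 (the default) the iptables commands are printed instead of applied, so the rule text and order can be checked without root.

```shell
#!/bin/sh
# Added example: extending the basic script above one rule at a time.
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 applies them (root).
if [ "${DRY_RUN:-1}" = 1 ]; then
    IPTABLES="echo /usr/sbin/iptables"   # print, do not apply
else
    IPTABLES="/usr/sbin/iptables"
fi
LOG_LEVEL="info"
EXT_IF="eth0"   # assumed external interface, as in the script above

# Open one inbound TCP service (e.g. SSH) on the external interface.
# Only NEW connections need this rule; the replies are already covered
# by the ESTABLISHED,RELATED rule in the basic script.
allow_inbound_tcp() {
    port="$1"
    $IPTABLES -A INPUT -i "$EXT_IF" -p tcp --dport "$port" \
        -m state --state NEW -j ACCEPT
}

# Log (rate-limited, so a flood cannot fill the disk) what is about to
# fall through to the INPUT DROP policy. LOG does not terminate the
# chain, so this rule must be appended LAST, after every ACCEPT rule;
# otherwise it logs traffic that a later ACCEPT would have admitted.
log_dropped_input() {
    $IPTABLES -A INPUT -i "$EXT_IF" -m limit --limit 5/min --limit-burst 10 \
        -j LOG --log-level "$LOG_LEVEL" --log-prefix "INPUT DROP: "
}

# The extra rules, in the order they have to be added.
extra_input_rules() {
    allow_inbound_tcp 22
    log_dropped_input
}

extra_input_rules
```

Run it as root with DRY_RUN=0 after the basic script has loaded its rules, then check the result with `iptables -L INPUT -n -v --line-numbers`: the SSH ACCEPT must sit above the LOG rule, and the LOG rule must be the last one before the policy.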