LINUX Firewall: iptables

Originally, the most popular firewall/NAT package running on Linux was ipchains. To address a number of its shortcomings, the Netfilter organization created a new product called iptables. Considered a faster and more secure alternative to ipchains, iptables has become the default firewall package installed under RedHat and Fedora Linux, with the following improvements:

- Better integration with the Linux kernel, with the capability of loading iptables-specific kernel modules designed for improved speed and reliability.
- Stateful packet inspection. This means that the firewall keeps track of each connection passing through it and in certain cases will view the contents of data flows in an attempt to anticipate the next action of certain protocols. This is an important feature in the support of active FTP and DNS, as well as many other network services.
- Filtering packets based on a MAC address and the values of the flags in the TCP header. This is helpful in preventing attacks using malformed packets and in restricting access from locally attached servers to other networks in spite of their IP addresses.
- System logging that provides the option of adjusting the level of detail of the reporting.
- Better network address translation.
- Support for transparent integration with such Web proxy programs as Squid.
- A rate limiting feature that helps iptables block some types of denial of service (DoS) attacks.

Iptables Package Installation and Startup

The iptables RPM filename usually starts with the software package name followed by a version number, as in iptables-1.2.9-1.0.i386.rpm. The associated Gnome configuration front-end is system-config-firewall.
You can start, stop, and restart iptables after booting by using the commands:

    service iptables start
    service iptables stop
    service iptables restart

To get iptables configured to start at boot, use the chkconfig command:

    chkconfig iptables on

You can determine whether iptables is running or not via the service iptables status command. Fedora Core will give a simple status message. For example:

    service iptables status

You can determine the current iptables rule status with the following command:

    iptables -L

Loading Kernel Modules Needed By iptables

The iptables application requires you to load certain kernel modules to activate some of its functions. Whenever any type of NAT is required, the iptable_nat module needs to be loaded. The ip_conntrack_ftp module needs to be added for FTP support and should always be loaded with the ip_conntrack module, which tracks TCP connection states. As most scripts will keep track of connection states, the ip_conntrack module will be needed in any case. The ip_nat_ftp module also needs to be loaded for FTP servers behind a NAT firewall. The /etc/sysconfig/iptables file doesn't support the loading of modules, so you'll have to add these statements to your /etc/rc.local file. For example:

    # File: /etc/rc.local

    # Module to track the state of connections
    modprobe ip_conntrack

    # Load the iptables active FTP module, requires ip_conntrack
    modprobe ip_conntrack_ftp

    # Load iptables NAT module when required
    modprobe iptable_nat

    # Module required for an active FTP server using NAT
    modprobe ip_nat_ftp

Packet Processing In iptables

All packets inspected by iptables pass through a sequence of built-in tables (queues) for processing. Each of these queues is dedicated to a particular type of packet activity and is controlled by an associated packet transformation/filtering chain. There are three tables in total.

- The first table is the mangle table, which is responsible for the alteration of quality of service bits in the TCP header. This is not used in a general firewall environment.
- The second table is the filter queue, which is responsible for packet filtering. It has three built-in chains in which you can place your firewall policy rules. These are:
  - Forward chain: Filters packets to servers protected by the firewall.
  - Input chain: Filters packets destined for the firewall.
  - Output chain: Filters packets originating from the firewall.
- The third table is the nat queue, which is responsible for network address translation. It has two built-in chains; these are:
  - Pre-routing chain: NATs packets when the destination address of the packet needs to be changed.
  - Post-routing chain: NATs packets when the source address of the packet needs to be changed.

Processing For Packets Routed By The Firewall (queue type and function, the packet transformation chains in that queue, and each chain's function):

- filter (packet filtering)
  - FORWARD: Filters packets to servers accessible by another NIC on the firewall.
  - INPUT: Filters packets destined to the firewall.
  - OUTPUT: Filters packets originating from the firewall.
- nat (network address translation)
  - PREROUTING: Address translation occurs before routing. Facilitates the transformation of the destination IP address to be compatible with the firewall's routing table. Used with NAT of the destination IP address, also known as destination NAT or DNAT.
  - POSTROUTING: Address translation occurs after routing. This implies that there was no need to modify the destination IP address of the packet as in pre-routing. Used with NAT of the source IP address using either one-to-one or many-to-one NAT. This is known as source NAT, or SNAT.
  - OUTPUT: Network address translation for packets generated by the firewall.
- mangle (TCP header modification)
  - PREROUTING, POSTROUTING, OUTPUT, INPUT, FORWARD: Modification of the TCP packet quality of service bits before routing occurs.

You need to specify the table and the chain for each firewall rule you create.
There is an exception: most rules are related to filtering, so iptables assumes that any chain that's defined without an associated table will be a part of the filter table. The filter table is therefore the default.

To see the way packets are handled by iptables, refer to the packet flow diagram below.

A TCP packet from the Internet arrives at the firewall's interface on Network A to create a data connection. The packet is first examined by your rules in the mangle table's PREROUTING chain, if any. It is then inspected by the rules in the nat table's PREROUTING chain to see whether the packet requires DNAT. It is then routed. If the packet is destined for a protected network, then it is filtered by the rules in the FORWARD chain of the filter table and, if necessary, the packet undergoes SNAT in the POSTROUTING chain before arriving at Network B. When the destination server decides to reply, the packet undergoes the same sequence of steps. Both the FORWARD and POSTROUTING chains may be configured to implement quality of service (QoS) features in their mangle tables.

If the packet is destined for the firewall itself, then it passes through the mangle table of the INPUT chain, if configured, before being filtered by the rules in the INPUT chain of the filter table. If it successfully passes these tests, then it is processed by the intended application on the firewall. At some point, the firewall needs to reply. This reply is routed and inspected by the rules in the OUTPUT chain of the mangle table, if any. Next, the rules in the OUTPUT chain of the nat table determine whether DNAT is required, and the rules in the OUTPUT chain of the filter table are then inspected to help restrict unauthorized packets. Finally, before the packet is sent back to the Internet, SNAT and QoS mangling is done by the POSTROUTING chain.

Figure: Iptables Packet Flow Diagram

Targets And Jumps

Each firewall rule inspects each IP packet and then tries to identify it as the target of some sort of operation.
Once a target is identified, the packet needs to jump over to it for further processing.

Commonly Used Targets

ACCEPT
  - iptables stops further processing.
  - The packet is handed over to the end application or the operating system for processing.
  Most common options: N/A

DROP
  - iptables stops further processing.
  - The packet is blocked.
  Most common options: N/A

LOG
  - The packet information is sent to the syslog daemon for logging.
  - iptables continues processing with the next rule in the table.
  - As you can't log and drop at the same time, it is common to have two similar rules in sequence. The first will log the packet, the second will drop it.
  Most common options: --log-prefix "string" tells iptables to prefix all log messages with a user-defined string. Frequently used to tell why the logged packet was dropped.

REJECT
  - Works like the DROP target, but will also return an error message to the host sending the packet that the packet was blocked.
  Most common options: --reject-with qualifier. The qualifier tells what type of reject message is returned. Qualifiers include: icmp-port-unreachable (default), icmp-net-unreachable, icmp-host-unreachable, icmp-proto-unreachable, icmp-net-prohibited, icmp-host-prohibited, tcp-reset, echo-reply.

DNAT
  - Used to do destination network address translation, i.e. rewriting the destination IP address of the packet.
  Most common options: --to-destination ipaddress tells iptables what the destination IP address should be.

SNAT
  - Used to do source network address translation, rewriting the source IP address of the packet.
  - The source IP address is user defined.
  Most common options: --to-source <ipaddress>[-<ipaddress>][:<port>-<port>] specifies the source IP address and ports to be used by SNAT.

MASQUERADE
  - Used to do source network address translation.
  - By default the source IP address is the same as that used by the firewall's interface.
  Most common options: [--to-ports <port>[-<port>]] specifies the range of source ports to which the original source port can be mapped.

Each line of an iptables script not only has a jump, but also a number of command line options that are used to append rules to chains that match your defined packet characteristics, such as the source IP address and TCP port. There are also options that can be used to just clear a chain so you can start all over again.

General Iptables Match Criteria

-t <table>       If you don't specify a table, then the filter table is assumed. As discussed before, the possible built-in tables include: filter, nat, mangle.
-j <target>      Jump to the specified target chain when the packet matches the current rule.
-A <chain>       Append rule to end of a chain.
-F <chain>       Flush. Deletes all the rules in the selected table.
-p <protocol>    Match protocol. Types include icmp, tcp, udp, and all.
-s <ip-address>  Match source IP address.
-d <ip-address>  Match destination IP address.
-i <interface>   Match "input" interface on which the packet enters.
-o <interface>   Match "output" interface on which the packet exits.

Example: iptables is being configured to allow the firewall to accept TCP packets coming in on interface eth0 from any IP address destined for the firewall's IP address of 192.168.1.1. The 0/0 representation of an IP address means any.

    iptables -A INPUT -s 0/0 -i eth0 -d 192.168.1.1 -p TCP -j ACCEPT

Common TCP and UDP Match Criteria

-p tcp --sport <port>  TCP source port. Can be a single value or a range in the format: start-port-number:end-port-number
-p tcp --dport <port>  TCP destination port. Can be a single value or a range in the format: starting-port:ending-port
-p tcp --syn           Used to identify a new TCP connection request. ! --syn means: not a new connection request.
-p udp --sport <port>  UDP source port. Can be a single value or a range in the format: starting-port:ending-port
-p udp --dport <port>  UDP destination port. Can be a single value or a range in the format: starting-port:ending-port

Example: iptables is being configured to allow the firewall to accept TCP packets for routing when they enter on interface eth0 from any IP address and are destined for an IP address of 192.168.1.58 that is reachable via interface eth1. The source port is in the range 1024 to 65535 and the destination port is port 80 (www/http).

    iptables -A FORWARD -s 0/0 -i eth0 -d 192.168.1.58 -o eth1 -p TCP --sport 1024:65535 --dport 80 -j ACCEPT

ICMP (Ping) Match Criteria

Matches used with --icmp-type:

--icmp-type <type>  The most commonly used types are echo-reply and echo-request.

Example: iptables is being configured to allow the firewall to send ICMP echo-requests (pings) and, in turn, accept the expected ICMP echo-replies.

    iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
    iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

Example: The limit feature in iptables specifies the maximum average number of matches to allow per second. You can specify time intervals in the format /second, /minute, /hour, or /day, or you can use abbreviations so that 3/second is the same as 3/s.

    iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -i eth0 -j ACCEPT

Here ICMP echo requests are restricted to no more than one per second. When tuned correctly, this feature allows you to filter the unusually high volumes of traffic that characterize denial of service (DoS) attacks and Internet worms.

You can expand on the limit feature of iptables to reduce your vulnerability to certain types of denial of service attack. Here a defense for SYN flood attacks is created by limiting the acceptance of TCP segments with the SYN bit set to no more than five per second:
    iptables -A INPUT -p tcp --syn -m limit --limit 5/s -i eth0 -j ACCEPT

Extended Match Criteria

-m multiport --sport <port,port,...>  A variety of TCP/UDP source ports separated by commas. Unlike when -m isn't used, they do not have to be within a range.
-m multiport --dport <port,port,...>  A variety of TCP/UDP destination ports separated by commas. Unlike when -m isn't used, they do not have to be within a range.
-m multiport --ports <port,port,...>  A variety of TCP/UDP ports separated by commas. Source and destination ports are assumed to be the same and they do not have to be within a range.
-m state --state <state>              The most frequently tested states are:
  - ESTABLISHED: The packet is part of a connection that has seen packets in both directions.
  - NEW: The packet is the start of a new connection.
  - RELATED: The packet is starting a new secondary connection. This is a common feature of such protocols as an FTP data transfer, or an ICMP error.
  - INVALID: The packet couldn't be identified. Could be due to insufficient system resources, or ICMP errors that don't match an existing data flow.

Expansion on the previous example: here iptables is being configured to allow the firewall to accept TCP packets to be routed when they enter on interface eth0 from any IP address destined for IP address 192.168.1.58, which is reachable via interface eth1. The source port is in the range 1024 to 65535 and the destination ports are port 80 (www/http) and 443 (https). The return packets from 192.168.1.58 are allowed to be accepted too. Instead of stating the source and destination ports, you can simply allow packets related to established connections using the -m state and --state ESTABLISHED options.

    iptables -A FORWARD -s 0/0 -i eth0 -d 192.168.1.58 -o eth1 -p TCP --sport 1024:65535 -m multiport --dport 80,443 -j ACCEPT
    iptables -A FORWARD -d 0/0 -o eth0 -s 192.168.1.58 -i eth1 -p TCP -m state --state ESTABLISHED -j ACCEPT

User Defined Chains

As you may remember, you can configure iptables to have user-defined chains. This feature is frequently used to help streamline the processing of packets. For example, instead of using a single, built-in chain for all protocols, you can use the chain to determine the protocol type for the packet and then hand off the actual final processing to a user-defined, protocol-specific chain in the filter table. In other words, you can replace a long chain with a stubby main chain pointing to multiple stubby chains, thereby shortening the total length of all chains the packet has to pass through. For example:

    # Create the user-defined chains before any rule jumps to them
    iptables -N fast-input-queue
    iptables -N fast-output-queue
    iptables -N icmp-queue-in
    iptables -N icmp-queue-out

    iptables -A INPUT -i eth0 -d 206.229.110.2 -j fast-input-queue
    iptables -A OUTPUT -o eth0 -s 206.229.110.2 -j fast-output-queue
    iptables -A fast-input-queue -p icmp -j icmp-queue-in
    iptables -A fast-output-queue -p icmp -j icmp-queue-out
    iptables -A icmp-queue-out -p icmp --icmp-type echo-request -m state --state NEW -j ACCEPT
    iptables -A icmp-queue-in -p icmp --icmp-type echo-reply -j ACCEPT

Custom Queues Example

- INPUT: The regular built-in INPUT chain in iptables.
- OUTPUT: The regular built-in OUTPUT chain in iptables.
- fast-input-queue: Input chain dedicated to identifying specific protocols and shunting the packets to protocol-specific chains.
- fast-output-queue: Output chain dedicated to identifying specific protocols and shunting the packets to protocol-specific chains.
- icmp-queue-out: Output queue dedicated to ICMP.
- icmp-queue-in: Input queue dedicated to ICMP.

iptables Scripts

There are many iptables canned scripts available on the Internet, so samples will not be provided here. The service iptables save command permanently saves the iptables configuration in the /etc/sysconfig/iptables file. When the system reboots, the iptables-restore program reads the configuration and makes it the active configuration. The format of the /etc/sysconfig/iptables file is different from the commands shown previously: initialization of built-in chains is automatic and the string "iptables" is omitted from the rule statements.
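Since the text leaves out a sample script, the following is an added example written for this page (it is not a script from the original document). It pulls together the techniques covered above in one rule set for a host with a single Internet-facing interface: a deny-by-default policy, user-defined chains that classify by protocol, -m state, -m limit for ICMP and SYN rate limiting, and LOG/DROP rule pairs with a --log-prefix. The interface name eth0, the firewall address 192.168.1.1 (reused from the earlier example), the chain names and the prefix FW-DROP are assumptions; the script prints the commands rather than running them so the rule set can be reviewed first.

```shell
#!/bin/sh
# Added sample firewall script (not from the original page). It prints the
# iptables commands for review; pipe the output into "sh -e" as root to apply.
# WAN_IF and FW_IP are assumptions: adjust them for your host.

WAN_IF="${WAN_IF:-eth0}"          # assumed Internet-facing interface
FW_IP="${FW_IP:-192.168.1.1}"     # assumed firewall address (value reused from the page's example)

# emit_rules prints the rule set instead of executing it, so it can be
# reviewed or tested without root privileges.
emit_rules() {
    cat <<EOF
# Start from an empty filter table and deny inbound/forwarded traffic by default
iptables -F
iptables -X
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# User-defined chains: INPUT only classifies, short per-protocol chains decide
iptables -N fast-input-queue
iptables -N icmp-queue-in
iptables -N tcp-queue-in
iptables -N log-and-drop

# Loopback and packets of established or related flows are accepted first;
# packets that connection tracking cannot classify are logged and dropped
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state INVALID -j log-and-drop
iptables -A INPUT -i $WAN_IF -d $FW_IP -j fast-input-queue

# Classifier chain: hand off by protocol, anything else is logged and dropped
iptables -A fast-input-queue -p icmp -j icmp-queue-in
iptables -A fast-input-queue -p tcp -j tcp-queue-in
iptables -A fast-input-queue -j log-and-drop

# ICMP: echo requests at most one per second; the excess falls through to the drop
iptables -A icmp-queue-in -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
iptables -A icmp-queue-in -j log-and-drop

# TCP: a NEW connection must carry the SYN flag, SYNs are limited to five per
# second, and only the listed services are reachable from the Internet
iptables -A tcp-queue-in -p tcp ! --syn -m state --state NEW -j log-and-drop
iptables -A tcp-queue-in -p tcp --syn -m limit --limit 5/s -m multiport --dports 22,80,443 -j ACCEPT
iptables -A tcp-queue-in -j log-and-drop

# LOG then DROP: the prefix marks these entries in /var/log/messages and the
# limit keeps a flood from filling the log
iptables -A log-and-drop -m limit --limit 10/min -j LOG --log-prefix "FW-DROP: "
iptables -A log-and-drop -j DROP
EOF
}

# Default action: print the rule set for review
emit_rules
```

Review the output with `sh firewall.sh`; to apply it run `sh firewall.sh | sh -e` as root, then `service iptables save` so the rules survive a reboot. Every branch of the classifier ends in the log-and-drop chain, so an unexpected packet always produces a prefixed log entry before it is discarded.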
Direct editing of this file is not recommended because it is always overwritten by the save command and it doesn't save any comments at all, which can also make it extremely difficult to follow. For these reasons, you're better off writing and applying a customized script and then using the service iptables save command to make the changes permanent.

A sample /etc/sysconfig/iptables configuration allowing ICMP, IPSec (ESP and AH packets), already established connections, and inbound SSH:

    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [144:12748]
    :RH-Firewall-1-INPUT - [0:0]
    -A INPUT -j RH-Firewall-1-INPUT
    -A FORWARD -j RH-Firewall-1-INPUT
    -A RH-Firewall-1-INPUT -i lo -j ACCEPT
    -A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type 255 -j ACCEPT
    -A RH-Firewall-1-INPUT -p esp -j ACCEPT
    -A RH-Firewall-1-INPUT -p ah -j ACCEPT
    -A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
    -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
    COMMIT

Fedora comes with a program called lokkit that you can use to generate a very rudimentary firewall rule set. Like the service iptables save command, lokkit saves the firewall rules in a new /etc/sysconfig/iptables file for use on the next reboot. There is also a GNOME desktop configurator in the system-config-firewall package.

Recovering From A Lost Script

You can use the iptables-save and iptables-restore commands to assist you with the continued management of the server. Unlike the service iptables save command, which actually saves a permanent copy of the firewall's active configuration in the /etc/sysconfig/iptables file, iptables-save displays the active configuration on the screen in /etc/sysconfig/iptables format. If you redirect the iptables-save screen output to a file with the > symbol, then you can edit the output and reload the updated rules, once they meet your new criteria, with the iptables-restore command:
    iptables-save > firewall-config

After editing the firewall-config file with the commands you need, you can reload it into the active firewall rule set with the iptables-restore command:

    iptables-restore < firewall-config

Finally, you should permanently save the active configuration so that it will be loaded automatically when the system reboots:

    service iptables save

Troubleshooting iptables Rules

You track packets passing through the iptables list of rules using the LOG target added to the end of any rule. The results wind up in /var/log/messages. If you want to log only unwanted traffic, therefore, you have to add a matching rule with a DROP target immediately after the LOG rule; otherwise you'll log both desired and unwanted traffic with no way of discerning between the two, because by default iptables doesn't state why the packet was logged in its log message.

iptables Won't Start

The iptables startup script expects to find the /etc/sysconfig/iptables file before it starts. If none exists, then symptoms include the firewall status always being stopped and the /etc/init.d/iptables script running without the typical [OK] or [FAILED] messages. If you have just installed iptables and have never applied a policy, then you will face this problem. Unfortunately, running the service iptables save command before restarting won't help either. You have to create this file and start the service:
    touch /etc/sysconfig/iptables
    chmod 600 /etc/sysconfig/iptables
    service iptables start
    Applying iptables firewall rules: [ OK ]
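The troubleshooting section above relies on LOG rules whose entries land in /var/log/messages; reading those entries back is the other half of the job. The following is an added example (not part of the original page) that summarises iptables LOG lines by source address, protocol and destination port, so a LOG/DROP pair with a --log-prefix can be turned into a short "who is hitting what" report. The prefix FW-DROP and the sample log lines (documentation addresses) are constructed for this example.

```shell
#!/bin/sh
# Added example for the troubleshooting section; not from the original page.
# Reads syslog lines, keeps the kernel lines carrying our LOG prefix and
# counts them per source address, protocol and destination port.

LOG_PREFIX="${LOG_PREFIX:-FW-DROP: }"   # assumed --log-prefix of the LOG rule

# Constructed sample of /var/log/messages content. The last line is an
# unrelated sshd entry and must be ignored by the summary.
SAMPLE_LOG='Mar  3 10:15:42 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=44321 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 10:15:43 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=44322 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 10:15:44 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=44323 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 10:15:50 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=51000 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 10:16:01 fw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=192.168.1.1 LEN=71 TOS=0x00 PREC=0x00 TTL=48 ID=2211 PROTO=UDP SPT=52100 DPT=161 LEN=51
Mar  3 10:16:02 fw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=192.168.1.1 LEN=71 TOS=0x00 PREC=0x00 TTL=48 ID=2212 PROTO=UDP SPT=52101 DPT=161 LEN=51
Mar  3 10:16:10 fw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.9 DST=192.168.1.1 LEN=84 TOS=0x00 PREC=0x00 TTL=60 ID=7 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Mar  3 10:16:12 fw sshd[2311]: Accepted publickey for admin from 192.168.1.20 port 50022 ssh2'

# summarize_drops reads syslog lines on stdin and prints
#   <count> <source> <protocol> <destination port>
# sorted by count, highest first, ties broken by source address.
# Packets without a port (ICMP) show "-" in the port column.
summarize_drops() {
    grep -F "kernel: $LOG_PREFIX" | awk '
        {
            src = ""; proto = "?"; dpt = "-"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)   src   = substr($i, 5)
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
                if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
            }
            if (src != "") count[src " " proto " " dpt]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2,2
}

# Demo on the constructed sample; on a live host use
#   summarize_drops < /var/log/messages
printf '%s\n' "$SAMPLE_LOG" | summarize_drops
```

On the sample above the first line of the report is 3 203.0.113.5 TCP 23, and the sshd line does not appear at all because only kernel lines with the prefix are counted. Because the prefix is part of the key you look for, it is worth giving each LOG/DROP pair its own prefix (for example one per user-defined chain) so the report also tells you which rule produced the entry.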
Source document title: Quick HOWTO : Ch14 : Linux Firewalls Using iptables - Linux Home Networking