Manual prctico de iptables sobre

GNU/Linux
Alvaro Mourio <alvaro@mourino.net> 139531
Enrique Garca <enrique.garcia@gmail.com> 123456
Nicols Moreira <nic_more1@hotmail.com> 654321
Universidad ORT Uruguay
Docente Roberto Ambrosoni
http://ort-sya.googlecode.com/
Copyright 2008
Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License,
Version 1.2 or any later version published by the Free Software
Foundation; with no Invariant Sections, no Front-Cover Texts and
no Back-Cover Texts. A copy of the license is included in the
section entitled "GNU Free Documentation License".
http://www.gnu.org/licenses/fdl-1.2-standalone.html
http://ort-sya.googlecode.com/
Introduccin
Netfilter es un framework desarrollado en C y licenciado como Software Libre bajo la licencia !L disponible
en el n"cleo Linu# con el fin de interceptar y manipular pa$uetes de red. %icho framework permite reali&ar el
manejo de pa$uetes en diferentes estados del procesamiento. Netfilter es tambi'n el nombre $ue recibe el
proyecto $ue se encarga de ofrecer herramientas libres para cortafuegos basados en N(/Linu#.
)l componente m*s popular construido sobre Netfilter es iptables+ una herramientas de cortafuegos $ue
permite no solamente filtrar pa$uetes+ sino tambi'n reali&ar traducci,n de direcciones de red -N./0 para
1!23 o mantener registros de log. )l proyecto ofrec4a compatibilidad hacia atr*s con ipchains hasta hace
relati2amente poco+ aun$ue hoy d4a dicho soporte ya ha sido retirado al considerarse una herramienta
obsoleta. )l proyecto Netfilter no s,lo ofrece componentes disponibles como m,dulos del n"cleo sino $ue
tambi'n ofrece herramientas de espacio de usuario y bibliotecas.
)n definiti2a iptables es el nombre de la herramienta de espacio de usuario mediante la cual el
administrador puede definir pol4ticas de filtrado del tr*fico $ue circula por la red. )l filtrado se define
mediante reglas $ue se e2al"an secuencialmente+ las cuales se agrupan en cadenas. . su 2e& las cadenas
se agrupan en tablas asociadas a diferentes tipos de procesamiento de pa$uetes. )l nombre iptables se
utili&a frecuentemente de forma err,nea para referirse a toda la infraestructura ofrecida por el proyecto
Netfilter. Sin embargo+ el proyecto ofrece otros subsistemas independientes de iptables tales como el
connection tracking system -sistema de seguimiento de cone#iones0 o queue+ $ue permite encolar pa$uetes
para $ue sean tratados desde espacio de usuario.
Cada regla especifica $u' pa$uetes la cumplen -match0 y un destino $ue indica $u' hacer con el pa$uete si
'ste cumple la regla. Cada pa$uete de red $ue llega a una computadora o $ue se en24a desde una
computadora recorre por lo menos una cadena y cada regla de esa cadena se e2al"a contra el pa$uete. Si
el datagrama cumple con las condiciones establecidas en la regla+ no se continuan e2aluando las otras
reglas y el destino dicta lo $ue se debe hacer con el pa$uete. Si el pa$uete alcan&a el fin de una cadena sin
haber correspondido con ning"n filtro de la cadena+ la pol4tica de destino de la cadena dicta $u' hacer con
el pa$uete.
5irtualmente todas las distribuciones de N(/Linu# actualmente incluyen Netfilter/iptables por omisi,n.
http://ort-sya.googlecode.com/
Instalacin
)n primer lugar che$ueemos $ue no lo tengamos ya instalado ejecutando el comando iptables como root.
Si recibimos el mensaje 6command not found7 entonces debemos instalarlo.
!ara esto descargamos los fuentes de kernel.org o de los repositorios de tu distro fa2orita+ los
descomprimimos y ejecutamos el men" de configuraci,n.
8abilitamos la opci,n 1!9N:91!/.;L)S y continuamos compilando.
Tablas
)n iptables+ las reglas se agrupan en cadenas y las cadenas en tablas.
8ay tres tablas ya incorporadas aun$ue es posibe crear todas las $ue se consideren necesarias. )sto es "til
para agrupar en forma l,gica las cadenas y mantenerlas ordenadas.
filter table -Tabla de filtros0 < )sta tabla es la responsable del filtrado -es decir+ de blo$uear o
permitir $ue un pa$uete contin"e su camino0. /odos los pa$uetes pasan a tra2's de la tabla de
filtros. Contiene las siguientes cadenas predefinidas y cual$uier pa$uete pasar* por una de ellas:
INPUT chain -Cadena de )N/=.%.0 < /odos los pa$uetes destinados a este sistema
atra2iesan esta cadena -y por esto se la llama algunas 2eces LOCALINPUT o
!NT"A#ALOCAL0
OUTPUT chain -Cadena de S.L1%.0 < /odos los pa$uetes creados por este sistema
atra2iesan esta cadena -a la $ue tambi'n se la conoce como LOCALOUTPUT o
$ALI#ALOCAL0
%O"&A"# chain -Cadena de =)%1=)CC1>N0 < /odos los pa$uetes $ue meramente
pasan por este sistema para ser encaminados a su destino recorren esta cadena
nat table -Tabla de traducci'n de direcciones de red0 < )sta tabla es la responsable de configurar
las reglas de reescritura de direcciones o de puertos de los pa$uetes. )l primer pa$uete en
cual$uier cone#i,n pasa a tra2's de esta tabla? los 2eredictos determinan como 2an a reescribirse
todos los pa$uetes de esa cone#i,n. Contiene las siguientes cadenas predefinidas:
P"!"OUTIN( chain -Cadena de !=)=(/)@0 < Los pa$uetes entrantes pasan a tra2's
de esta cadena antes de $ue se consulte la tabla de ruteo local+ principalmente para %N./
-destination-N./ o traducci,n de direcciones de red de destino0
PO$T"OUTIN( chain -Cadena de !@S=(/)@0 < Los pa$uetes salientes pasan por esta
cadena despu's de haberse tomado la decisi,n del ruteo+ principalmente para SN./
-source-N./ o traducci,n de direcciones de red de origen0
OUTPUT chain -Cadena de S.L1%.0 < !ermite hacer un %N./ limitado en pa$uetes
generados localmente
mangle table -Tabla de destro)o0 < )sta tabla es la responsable de ajustar las opciones de los
pa$uetes+ como por ejemplo la calidad de ser2icio. /odos los pa$uetes pasan por esta tabla. %ebido
a $ue est* diseAada para efectos a2an&ados+ contiene todas las cadenas predefinidas posibles:
P"!"OUTIN( chain -Cadena de !=)=(/)@0 < /odos los pa$uetes $ue logran entrar a
este sistema+ antes de $ue el ruteo decida si el pa$uete debe ser reen2iado -cadena de
=))N5B@0 o si tiene destino local -cadena de )N/=.%.0
INPUT chain -Cadena de )N/=.%.0 < /odos los pa$uetes destinados para este sistema
pasan a tra2's de esta cadena.
%O"&A"# chain -Cadena de =)%1=)CC1>N0 < /odos los pa$uetes $ue e#actamente
pasan por este sistema pasan a tra2's de esta cadena.
OUTPUT chain -Cadena de S.L1%.0 < /odos los pa$uetes creados en este sistema pasan
a tra2's de esta cadena.
PO$T"OUTIN( chain -Cadena de !@S=(/)@0 < /odos los pa$uetes $ue abandonan
este sistema pasan a tra2's de esta cadena.
Cadenas
(na cadena es un conjunto de condiciones $ue se e2aluar*n contra cada pa$uetes 1!. Cuando se recibe un
pa$uete se lo compara+ en orden+ contra cada regla en la cadena. La regla especifica $u' propiedades debe
tener el pa$uete para $ue la regla lo matchee+ como n"mero de puerto o direcci,n 1!. Si la regla no lo
matchea+ el procesamiento contin"a con la regla siguiente. Si la regla+ por el contrario+ matchea el pa$uete+
las instrucciones de destino de las reglas se siguen -y cual$uier otro procesamiento de la cadena
normalmente se aborta0. .lgunas propiedades de los pa$uetes solo pueden e#aminarse en ciertas cadenas
-por ejemplo+ la interfa& de red de S.L1%. no es 2*lida en la cadena de )N/=.%.0. .lgunos destinos solo
pueden usarse en ciertas cadenas y/o en ciertas tablas -por ejemplo+ el destino $NAT solo puede usarse en
la cadena de !@S=(/)@ de la tabla de traducci,n de direcciones de red0.
)#isten tres cadenas b*sicas: INPUT+ OUTPUT y %O"&A"# *)N/=.%.+ S.L1%. y =))N5B@0 aun$ue
pueden ser creadas tantas como desee el usuario.
(na cadena podr4a ser:
iptables -A INPUT -i lo -j ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
)sta cadena niega todo el tr*fico entrante+ ya sea para el o para otro e$uipo+ e#cepto el $ue llegue por la
interfa& de loopback -localhost0.
Condiciones
Se pueden especificar m"ltiples condiciones al momento de e2aluar un pa$uete. )n este manual 2eremos
las mas comunes.
Tipo de trfico: -A cadena
Se puede definir $ue tr*fico $ueremos e2aluar+ si el saliente -@(/!(/0 el $ue tiene como
destinto esta misma m*$uina -1N!(/0 o el entrante $ue tiene como destino otro e$uipo
-:@=C.=%0
Interfaz entrante: -i nombre
Datchea todo el tr*fico $ue ingrese por dicha interfa&. !ara 2er un listado de las posibles
interfaces ejecutamos como root:
Interfaz saliente: -o nombre
Datchea todo el tr*fico $ue tenga como destino la interfa& definida.
Protocolo: -p protocolo
!odemos filtrar el tr*fico seg"n el protocolo sobre el cual es transportado. Las posibles
opciones son tcp+ udp+ icmp+ all o cual$uiera de los contenidos en /etc/protocols.
Accin: -j destino
Con este par*metro definimos $ue hacer con el pa$uete en cuesti,n. La opci,n destino es
una cadena+ generalmente una predefinida como .CC)!/+ =)E)C/ o %=@!+ pero puede
ser tambi'n una definida por el usuario.
Origen: -s direccin[/mscara
Datchea todo el tr*fico originado desde una direcci,n ip dada+ y opcionalmente una
m*scara.@b2iamente la direcci,n puede ser tanto de un host como de una red+ pero
adem*s permite nombres de host+ aun$ue especificar nombres $ue re$uieran consultas
e#ternas -por ejemplo a un %NS0 es una mala idea.
!estino: -d direccin[/mscara
)l par*metro -d permite las mismas opciones $ue -s+ aun$ue en este caso+ como ya te
habr*s imaginado+ matchea todo el tr*fico $ue tiene como destino la direcci,n especificada.
Puerto origen: --sport puerto[:puerto
)sta opci,n especifica de $ue puerto -o rango de puertos0 debe proceder el pa$uete para
cumplir con la regla.
Puerto destino: --dport puerto[:puerto
Similar a la opci,n anterior+ solo $ue en 2e& de puerto origen+ condiciona el puerto al $ue el
pa$uete est* dirigido.
"it #$%: --s&n
Solo matchear a$uellos pa$uetes con su bit SFN en G+ pero con los bits .CH+ =S/ and :1N
bits en I. )stos pa$uetes son utili&ados para solicitar el inicio de una cone#i,n /C!. )sto es
"til para e2itar todas las cone#iones /C! entrantes+ manteniendo las salientes intactas.
En la mayora de los casos se puede especificar luego de la opcin (y antes de sus parmetros,
cuando corresponde) la bandera ! que niega la condicin. or e!emplo, si incluimos "o ! at#$ en
la condicin, estaremos #aciendo referencia a todos los paquetes que no tengan la interfa% at#$
como interfa% de salida. Esto no es posible en los parmetros "&, "!.
Ejemplos
iptables -S J
:iltrar http+ smtp
por ip origen
por ip red
por protocolo
listas de acceso con s$uid
Bibliografa
!ara la reali&aci,n de este manual se consultaron las siguientes fuentes:
Cikipedia+ la enciclopedia libre
http://www.wikipedia.org/
entoo N(/Linu# Ciki
http://www.gentoo-wiki.com/
)ste documento fue creado con:
@pen@ffice.org K.3
%ebian N(/Linu#
Linu# K.L.K3
iptables 2G.3.G.G
!or m*s informaci,n+ =/:D M0
GNU Free Documentation License
5ersion G.K+ No2ember KIIK
Copyright (C) !!!"!!#"!! Free $o%t&are Fo'()atio(" I(*+
,# Fra(-li( $t" Fi%th Floor" .osto(" /A !##!-#0!# U$A
E1eryo(e is per2itte) to *opy a() )istrib'te 1erbati2 *opies
o% this li*e(se )o*'2e(t" b't *ha(gi(g it is (ot allo&e)+
'( P)*A+",*
/he purpose of this License is to make a manual+ te#tbook+ or other functional and useful
document NfreeN in the sense of freedom: to assure e2eryone the effecti2e freedom to copy
and redistribute it+ with or without modifying it+ either commercially or noncommercially.
Secondarily+ this License preser2es for the author and publisher a way to get credit for
their work+ while not being considered responsible for modifications made by others.
/his License is a kind of NcopyleftN+ which means that deri2ati2e works of the document
must themsel2es be free in the same sense. 1t complements the N( eneral !ublic
License+ which is a copyleft license designed for free software.
Ce ha2e designed this License in order to use it for manuals for free software+ because
free software needs free documentation: a free program should come with manuals
pro2iding the same freedoms that the software does. ;ut this License is not limited to
software manuals? it can be used for any te#tual work+ regardless of subject matter or
whether it is published as a printed book. Ce recommend this License principally for works
whose purpose is instruction or reference.
-( APP,I.A"I,IT$ A%! !*/I%ITIO%#
/his License applies to any manual or other work+ in any medium+ that contains a notice
placed by the copyright holder saying it can be distributed under the terms of this License.
Such a notice grants a world-wide+ royalty-free license+ unlimited in duration+ to use that
work under the conditions stated herein. /he N%ocumentN+ below+ refers to any such
manual or work. .ny member of the public is a licensee+ and is addressed as NyouN. Fou
accept the license if you copy+ modify or distribute the work in a way re$uiring permission
under copyright law.
. NDodified 5ersionN of the %ocument means any work containing the %ocument or a
portion of it+ either copied 2erbatim+ or with modifications and/or translated into another
language.
. NSecondary SectionN is a named appendi# or a front-matter section of the %ocument that
deals e#clusi2ely with the relationship of the publishers or authors of the %ocument to the
%ocumentOs o2erall subject -or to related matters0 and contains nothing that could fall
directly within that o2erall subject. -/hus+ if the %ocument is in part a te#tbook of
mathematics+ a Secondary Section may not e#plain any mathematics.0 /he relationship
could be a matter of historical connection with the subject or with related matters+ or of
legal+ commercial+ philosophical+ ethical or political position regarding them.
/he N1n2ariant SectionsN are certain Secondary Sections whose titles are designated+ as
being those of 1n2ariant Sections+ in the notice that says that the %ocument is released
under this License. 1f a section does not fit the abo2e definition of Secondary then it is not
allowed to be designated as 1n2ariant. /he %ocument may contain &ero 1n2ariant Sections.
1f the %ocument does not identify any 1n2ariant Sections then there are none.
/he NCo2er /e#tsN are certain short passages of te#t that are listed+ as :ront-Co2er /e#ts
or ;ack-Co2er /e#ts+ in the notice that says that the %ocument is released under this
License. . :ront-Co2er /e#t may be at most P words+ and a ;ack-Co2er /e#t may be at
most KP words.
. N/ransparentN copy of the %ocument means a machine-readable copy+ represented in a
format whose specification is a2ailable to the general public+ that is suitable for re2ising the
document straightforwardly with generic te#t editors or -for images composed of pi#els0
generic paint programs or -for drawings0 some widely a2ailable drawing editor+ and that is
suitable for input to te#t formatters or for automatic translation to a 2ariety of formats
suitable for input to te#t formatters. . copy made in an otherwise /ransparent file format
whose markup+ or absence of markup+ has been arranged to thwart or discourage
subse$uent modification by readers is not /ransparent. .n image format is not
/ransparent if used for any substantial amount of te#t. . copy that is not N/ransparentN is
called N@pa$ueN.
)#amples of suitable formats for /ransparent copies include plain .SC11 without markup+
/e#info input format+ La/eQ input format+ SDL or QDL using a publicly a2ailable %/%+
and standard-conforming simple 8/DL+ !ostScript or !%: designed for human
modification. )#amples of transparent image formats include !N+ QC: and E!. @pa$ue
formats include proprietary formats that can be read and edited only by proprietary word
processors+ SDL or QDL for which the %/% and/or processing tools are not generally
a2ailable+ and the machine-generated 8/DL+ !ostScript or !%: produced by some word
processors for output purposes only.
/he N/itle !ageN means+ for a printed book+ the title page itself+ plus such following pages
as are needed to hold+ legibly+ the material this License re$uires to appear in the title page.
:or works in formats which do not ha2e any title page as such+ N/itle !ageN means the te#t
near the most prominent appearance of the workOs title+ preceding the beginning of the
body of the te#t.
. section N)ntitled QFRN means a named subunit of the %ocument whose title either is
precisely QFR or contains QFR in parentheses following te#t that translates QFR in another
language. -8ere QFR stands for a specific section name mentioned below+ such as
N.cknowledgementsN+ N%edicationsN+ N)ndorsementsN+ or N8istoryN.0 /o N!reser2e the /itleN
of such a section when you modify the %ocument means that it remains a section N)ntitled
QFRN according to this definition.
/he %ocument may include Carranty %isclaimers ne#t to the notice which states that this
License applies to the %ocument. /hese Carranty %isclaimers are considered to be
included by reference in this License+ but only as regards disclaiming warranties: any other
implication that these Carranty %isclaimers may ha2e is 2oid and has no effect on the
meaning of this License.
0( 1*)"ATI+ .OP$I%2
Fou may copy and distribute the %ocument in any medium+ either commercially or
noncommercially+ pro2ided that this License+ the copyright notices+ and the license notice
saying this License applies to the %ocument are reproduced in all copies+ and that you add
no other conditions whatsoe2er to those of this License. Fou may not use technical
measures to obstruct or control the reading or further copying of the copies you make or
distribute. 8owe2er+ you may accept compensation in e#change for copies. 1f you
distribute a large enough number of copies you must also follow the conditions in section
S.
Fou may also lend copies+ under the same conditions stated abo2e+ and you may publicly
display copies.
3( .OP$I%2 I% 45A%TIT$
1f you publish printed copies -or copies in media that commonly ha2e printed co2ers0 of the
%ocument+ numbering more than GII+ and the %ocumentOs license notice re$uires Co2er
/e#ts+ you must enclose the copies in co2ers that carry+ clearly and legibly+ all these Co2er
/e#ts: :ront-Co2er /e#ts on the front co2er+ and ;ack-Co2er /e#ts on the back co2er.
;oth co2ers must also clearly and legibly identify you as the publisher of these copies. /he
front co2er must present the full title with all words of the title e$ually prominent and
2isible. Fou may add other material on the co2ers in addition. Copying with changes
limited to the co2ers+ as long as they preser2e the title of the %ocument and satisfy these
conditions+ can be treated as 2erbatim copying in other respects.
1f the re$uired te#ts for either co2er are too 2oluminous to fit legibly+ you should put the first
ones listed -as many as fit reasonably0 on the actual co2er+ and continue the rest onto
adjacent pages.
1f you publish or distribute @pa$ue copies of the %ocument numbering more than GII+ you
must either include a machine-readable /ransparent copy along with each @pa$ue copy+
or state in or with each @pa$ue copy a computer-network location from which the general
network-using public has access to download using public-standard network protocols a
complete /ransparent copy of the %ocument+ free of added material. 1f you use the latter
option+ you must take reasonably prudent steps+ when you begin distribution of @pa$ue
copies in $uantity+ to ensure that this /ransparent copy will remain thus accessible at the
stated location until at least one year after the last time you distribute an @pa$ue copy
-directly or through your agents or retailers0 of that edition to the public.
1t is re$uested+ but not re$uired+ that you contact the authors of the %ocument well before
redistributing any large number of copies+ to gi2e them a chance to pro2ide you with an
updated 2ersion of the %ocument.
6( +O!I/I.ATIO%#
Fou may copy and distribute a Dodified 5ersion of the %ocument under the conditions of
sections K and S abo2e+ pro2ided that you release the Dodified 5ersion under precisely
this License+ with the Dodified 5ersion filling the role of the %ocument+ thus licensing
distribution and modification of the Dodified 5ersion to whoe2er possesses a copy of it. 1n
addition+ you must do these things in the Dodified 5ersion:
A( (se in the /itle !age -and on the co2ers+ if any0 a title distinct from that of the
%ocument+ and from those of pre2ious 2ersions -which should+ if there were any+ be
listed in the 8istory section of the %ocument0. Fou may use the same title as a
pre2ious 2ersion if the original publisher of that 2ersion gi2es permission.
"( List on the /itle !age+ as authors+ one or more persons or entities responsible for
authorship of the modifications in the Dodified 5ersion+ together with at least fi2e of
the principal authors of the %ocument -all of its principal authors+ if it has fewer than
fi2e0+ unless they release you from this re$uirement.
.( State on the /itle page the name of the publisher of the Dodified 5ersion+ as the
publisher.
!( !reser2e all the copyright notices of the %ocument.
*( .dd an appropriate copyright notice for your modifications adjacent to the other
copyright notices.
/( 1nclude+ immediately after the copyright notices+ a license notice gi2ing the public
permission to use the Dodified 5ersion under the terms of this License+ in the form
shown in the .ddendum below.
2( !reser2e in that license notice the full lists of 1n2ariant Sections and re$uired
Co2er /e#ts gi2en in the %ocumentOs license notice.
7( 1nclude an unaltered copy of this License.
I( !reser2e the section )ntitled N8istoryN+ !reser2e its /itle+ and add to it an item
stating at least the title+ year+ new authors+ and publisher of the Dodified 5ersion as
gi2en on the /itle !age. 1f there is no section )ntitled N8istoryN in the %ocument+
create one stating the title+ year+ authors+ and publisher of the %ocument as gi2en
on its /itle !age+ then add an item describing the Dodified 5ersion as stated in the
pre2ious sentence.
8( !reser2e the network location+ if any+ gi2en in the %ocument for public access to
a /ransparent copy of the %ocument+ and likewise the network locations gi2en in
the %ocument for pre2ious 2ersions it was based on. /hese may be placed in the
N8istoryN section. Fou may omit a network location for a work that was published at
least four years before the %ocument itself+ or if the original publisher of the 2ersion
it refers to gi2es permission.
9( :or any section )ntitled N.cknowledgementsN or N%edicationsN+ !reser2e the /itle
of the section+ and preser2e in the section all the substance and tone of each of the
contributor acknowledgements and/or dedications gi2en therein.
,( !reser2e all the 1n2ariant Sections of the %ocument+ unaltered in their te#t and in
their titles. Section numbers or the e$ui2alent are not considered part of the section
titles.
+( %elete any section )ntitled N)ndorsementsN. Such a section may not be included
in the Dodified 5ersion.
%( %o not retitle any e#isting section to be )ntitled N)ndorsementsN or to conflict in
title with any 1n2ariant Section.
O( !reser2e any Carranty %isclaimers.
1f the Dodified 5ersion includes new front-matter sections or appendices that $ualify as
Secondary Sections and contain no material copied from the %ocument+ you may at your
option designate some or all of these sections as in2ariant. /o do this+ add their titles to
the list of 1n2ariant Sections in the Dodified 5ersionOs license notice. /hese titles must be
distinct from any other section titles.
Fou may add a section )ntitled N)ndorsementsN+ pro2ided it contains nothing but
endorsements of your Dodified 5ersion by 2arious parties--for e#ample+ statements of
peer re2iew or that the te#t has been appro2ed by an organi&ation as the authoritati2e
definition of a standard.
Fou may add a passage of up to fi2e words as a :ront-Co2er /e#t+ and a passage of up to
KP words as a ;ack-Co2er /e#t+ to the end of the list of Co2er /e#ts in the Dodified
5ersion. @nly one passage of :ront-Co2er /e#t and one of ;ack-Co2er /e#t may be
added by -or through arrangements made by0 any one entity. 1f the %ocument already
includes a co2er te#t for the same co2er+ pre2iously added by you or by arrangement
made by the same entity you are acting on behalf of+ you may not add another? but you
may replace the old one+ on e#plicit permission from the pre2ious publisher that added the
old one.
/he author-s0 and publisher-s0 of the %ocument do not by this License gi2e permission to
use their names for publicity for or to assert or imply endorsement of any Dodified 5ersion.
:( .O+"I%I%2 !O.5+*%T#
Fou may combine the %ocument with other documents released under this License+ under
the terms defined in section 3 abo2e for modified 2ersions+ pro2ided that you include in the
combination all of the 1n2ariant Sections of all of the original documents+ unmodified+ and
list them all as 1n2ariant Sections of your combined work in its license notice+ and that you
preser2e all their Carranty %isclaimers.
/he combined work need only contain one copy of this License+ and multiple identical
1n2ariant Sections may be replaced with a single copy. 1f there are multiple 1n2ariant
Sections with the same name but different contents+ make the title of each such section
uni$ue by adding at the end of it+ in parentheses+ the name of the original author or
publisher of that section if known+ or else a uni$ue number. Dake the same adjustment to
the section titles in the list of 1n2ariant Sections in the license notice of the combined work.
1n the combination+ you must combine any sections )ntitled N8istoryN in the 2arious original
documents+ forming one section )ntitled N8istoryN? likewise combine any sections )ntitled
N.cknowledgementsN+ and any sections )ntitled N%edicationsN. Fou must delete all
sections )ntitled N)ndorsements.N
;( .O,,*.TIO%# O/ !O.5+*%T#
Fou may make a collection consisting of the %ocument and other documents released
under this License+ and replace the indi2idual copies of this License in the 2arious
documents with a single copy that is included in the collection+ pro2ided that you follow the
rules of this License for 2erbatim copying of each of the documents in all other respects.
Fou may e#tract a single document from such a collection+ and distribute it indi2idually
under this License+ pro2ided you insert a copy of this License into the e#tracted document+
and follow this License in all other respects regarding 2erbatim copying of that document.
<( A22)*2ATIO% =IT7 I%!*P*%!*%T =O)9#
. compilation of the %ocument or its deri2ati2es with other separate and independent
documents or works+ in or on a 2olume of a storage or distribution medium+ is called an
NaggregateN if the copyright resulting from the compilation is not used to limit the legal
rights of the compilationOs users beyond what the indi2idual works permit. Chen the
%ocument is included in an aggregate+ this License does not apply to the other works in
the aggregate which are not themsel2es deri2ati2e works of the %ocument.
1f the Co2er /e#t re$uirement of section S is applicable to these copies of the %ocument+
then if the %ocument is less than one half of the entire aggregate+ the %ocumentOs Co2er
/e#ts may be placed on co2ers that bracket the %ocument within the aggregate+ or the
electronic e$ui2alent of co2ers if the %ocument is in electronic form. @therwise they must
appear on printed co2ers that bracket the whole aggregate.
>( T)A%#,ATIO%
/ranslation is considered a kind of modification+ so you may distribute translations of the
%ocument under the terms of section 3. =eplacing 1n2ariant Sections with translations
re$uires special permission from their copyright holders+ but you may include translations
of some or all 1n2ariant Sections in addition to the original 2ersions of these 1n2ariant
Sections. Fou may include a translation of this License+ and all the license notices in the
%ocument+ and any Carranty %isclaimers+ pro2ided that you also include the original
)nglish 2ersion of this License and the original 2ersions of those notices and disclaimers.
1n case of a disagreement between the translation and the original 2ersion of this License
or a notice or disclaimer+ the original 2ersion will pre2ail.
1f a section in the %ocument is )ntitled N.cknowledgementsN+ N%edicationsN+ or N8istoryN+
the re$uirement -section 30 to !reser2e its /itle -section G0 will typically re$uire changing
the actual title.
?( T*)+I%ATIO%
Fou may not copy+ modify+ sublicense+ or distribute the %ocument e#cept as e#pressly
pro2ided for under this License. .ny other attempt to copy+ modify+ sublicense or distribute
the %ocument is 2oid+ and will automatically terminate your rights under this License.
8owe2er+ parties who ha2e recei2ed copies+ or rights+ from you under this License will not
ha2e their licenses terminated so long as such parties remain in full compliance.
-'( /5T5)* )*1I#IO%# O/ T7I# ,I.*%#*
/he :ree Software :oundation may publish new+ re2ised 2ersions of the N( :ree
%ocumentation License from time to time. Such new 2ersions will be similar in spirit to the
present 2ersion+ but may differ in detail to address new problems or concerns. See
http://www.gnu.org/copyleft/.
)ach 2ersion of the License is gi2en a distinguishing 2ersion number. 1f the %ocument
specifies that a particular numbered 2ersion of this License Nor any later 2ersionN applies to
it+ you ha2e the option of following the terms and conditions either of that specified 2ersion
or of any later 2ersion that has been published -not as a draft0 by the :ree Software
:oundation. 1f the %ocument does not specify a 2ersion number of this License+ you may
choose any 2ersion e2er published -not as a draft0 by the :ree Software :oundation.
:w$