Iptables-1.4.12
Introduction to Iptables
The next part of this chapter deals with firewalls. The principal
firewall tool for Linux is iptables. You will need to install
iptables if you intend on using
any form of a firewall.
This package is known to build and work properly using an LFS-7.0
platform.
Package Information
User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/iptables
Kernel
Configuration
A firewall in Linux is accomplished through a portion of the kernel
called netfilter. The interface to netfilter is iptables. To use it, the appropriate kernel
configuration parameters are found in Networking Support ⇒
Networking Options ⇒ Network Packet Filtering Framework.
Installation of Iptables
Note
The installation below does not include building some specialized
extension libraries which require the raw headers in the
Linux source code. If you wish
to build the additional extensions (if you aren't sure, then you
probably don't), you can look at the INSTALL
file to see an example of how to change
the KERNEL_DIR=
parameter
to point at the Linux source
code. Note that if you upgrade the kernel version, you may also
need to recompile iptables and
that the BLFS team has not tested using the raw kernel headers.
For some non-x86 architectures, the raw kernel headers may be
required. In that case, modify the KERNEL_DIR=
parameter to point at
the Linux source code.
Install iptables by running the
following commands:
sed -i '/if_packet/i#define __aligned_u64 __u64 __attribute__((aligned(8)))' \
extensions/libxt_pkttype.c &&
./configure --prefix=/usr \
--bindir=/sbin \
--sbindir=/sbin \
--libdir=/lib \
--libexecdir=/lib \
--with-pkgconfigdir=/usr/lib/pkgconfig &&
make
This package does not come with a test suite.
Now, as the root
user:
make install &&
ln -sfv xtables-multi /sbin/iptables-xml
Command Explanations
sed -i '/if_packet/i#define
...: This sed fixes compiling iptables with the linux-3.2 kernel headers
installed. It's not needed if you built LFS with an older kernel's
headers, but in that case it does no harm.
--bindir=/sbin
, --sbindir=/sbin
: Ensure all the
executables go in /sbin
.
--libdir=/lib
, --libexecdir=/lib
: Ensure all the
libraries are in the /lib
directory
tree.
--with-pkgconfigdir=/usr/lib/pkgconfig
:
Ensure all the pkgconfig files are in the standard location.
ln -sfv xtables-multi
/sbin/iptables-xml: Ensure the symbolic link for
iptables-xml is
relative.
Configuring Iptables
Introductory instructions for configuring your firewall are
presented in the next section: Firewalling
Boot Script
To set up the iptables firewall at boot, install the /etc/rc.d/init.d/iptables
init script included
in the blfs-bootscripts-20111226 package.
make install-iptables
Contents
Installed Programs:
iptables, iptables-restore,
iptables-save, iptables-xml, iptables-multi, ip6tables,
ip6tables-restore, ip6tables-save, and ip6tables-multii
Installed Libraries:
libip4tc.so, libip6tc.so, libiptc.so,
libxtables.so, and numerous modules in /lib/xtables/
Installed Directories:
/lib/xtables/xtables and
/usr/include/libiptc
Short Descriptions
iptables
|
is used to set up, maintain, and inspect the tables of IP
packet filter rules in the Linux kernel. It is a symbolic
link to iptables-multi.
|
iptables-restore
|
is used to restore IP Tables from data specified on
STDIN. Use I/O redirection provided by your shell to read
from a file. It is a symbolic link to iptables-multi.
|
iptables-save
|
is used to dump the contents of an IP Table in easily
parseable format to STDOUT. Use I/O-redirection provided
by your shell to write to a file. It is a symbolic link
to iptables-multi.
|
iptables-xml
|
is used to convert the output of iptables-save to an XML
format. Using the iptables.xslt stylesheet converts the
XML back to the format of iptables-restore. It is
a symbolic link to iptables-multi.
|
ip6tables*
|
are a set of commands for IPV6 that parallel the iptables
commands above. All of these commands are symbolic links
to ip6tables-multi.
|
Last updated on 2012-01-12 23:45:55 +0000