Introduction to Iptables

The next part of this chapter deals with firewalls. The principal firewall tool for Linux, as of the 2.4 kernel series, is iptables. It replaces ipchains from the 2.2 series and ipfwadm from the 2.0 series. You will need to install iptables if you intend on using any form of a firewall.

Package Information

Kernel Configuration

A firewall in Linux is accomplished through a portion of the kernel called netfilter. The interface to netfilter is iptables. To use it, the appropriate kernel configuration parameters are found in Device Drivers -> Networking Support -> Networking Options -> Network Packet Filtering -> IP: Netfilter Configuration.

Installation of Iptables



Installation of iptables will fail if raw kernel headers are found in /usr/src/linux either as actual files or a symlink. As of the Linux 2.6 kernel series, this directory should no longer exist because appropriate headers were installed from the Linux-Libc-Headers package during the base LFS installation.

For some non-x86 architectures, the raw kernel headers may be required. In that case, add the environment variable KERNEL_DIR=/usr/src/linux to the make commands below.

Install iptables by running the following commands:

make PREFIX=/usr LIBDIR=/lib BINDIR=/sbin

Now, as the root user:

make PREFIX=/usr LIBDIR=/lib BINDIR=/sbin install

Command Explanations

PREFIX=/usr LIBDIR=/lib BINDIR=/sbin: Compiles and installs iptables libraries into /lib, binaries into /sbin and the remainder into the /usr hierarchy instead of /usr/local. Firewalls are generally activated during the boot process and /usr may not be mounted at that time.

Configuring Iptables

Introductory instructions for configuring your firewall are presented in the next section: Firewalling

Boot Script

To set up the iptables firewall at boot, install the /etc/rc.d/init.d/iptables init script included in the blfs-bootscripts-6.1 package.

make install-iptables


Installed Programs: iptables, iptables-restore, iptables-save and ip6tables
Installed Libraries: libip6t_*.so and libipt_*.so
Installed Directory: /lib/iptables

Short Descriptions


is used to set up, maintain, and inspect the tables of IP packet filter rules in the Linux kernel.


is used to restore IP Tables from data specified on STDIN. Use I/O redirection provided by your shell to read from a file.


is used to dump the contents of an IP Table in easily parseable format to STDOUT. Use I/O-redirection provided by your shell to write to a file.


is used to set up, maintain, and inspect the tables of IPv6 packet filter rules in the Linux kernel. Several different tables may be defined. Each table contains a number of built-in chains and may also contain user-defined chains.


library modules are various modules (implemented as dynamic libraries) which extend the core functionality of iptables.

Last updated on 2005-08-01 13:29:19 -0600