Beyond Linux® From Scratch - Version svn-20070421

Chapter 4. Security

Iptables-1.3.6

Introduction to Iptables

The next part of this chapter deals with firewalls. The principal firewall tool for Linux, as of the 2.4 kernel series, is iptables. It replaces ipchains from the 2.2 series and ipfwadm from the 2.0 series. You will need to install iptables if you intend on using any form of a firewall.

Package Information

User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/iptables

Kernel Configuration

A firewall in Linux is accomplished through a portion of the kernel called netfilter. The interface to netfilter is iptables. To use it, the appropriate kernel configuration parameters are found in Networking ⇒ Networking Options ⇒ Network Packet Filtering ⇒ Core Netfilter Configuration (and) IP: Netfilter Configuration.

Installation of Iptables

[Note]

Note

The installation below does not include building some specialized extension libraries which require the raw headers in the Linux source code. If you wish to build the additional extensions (if you aren't sure, then you probably don't), you can look at the INSTALL file to see an example of how to change the KERNEL_DIR= parameter to point at the Linux source code. Note that if you upgrade the kernel version, you may also need to recompile iptables and that the BLFS team has not tested using the raw kernel headers.

For some non-x86 architectures, the raw kernel headers may be required. In that case, modify the KERNEL_DIR= parameter to point at the Linux source code.

Install iptables by running the following commands: 

make PREFIX=/usr LIBDIR=/lib BINDIR=/sbin KERNEL_DIR=/usr

This package does not come with a test suite.

Now, as the root user: 

make PREFIX=/usr LIBDIR=/lib BINDIR=/sbin KERNEL_DIR=/usr install

Command Explanations

PREFIX=/usr LIBDIR=/lib BINDIR=/sbin: Compiles and installs iptables libraries into /lib, binaries into /sbin and the remainder into the /usr hierarchy instead of /usr/local. Firewalls are generally activated during the boot process and /usr may not be mounted at that time.

KERNEL_DIR=/usr: This parameter is used to point at the sanitized kernel headers in /usr and not use the raw kernel headers in /usr/src/linux.

Configuring Iptables

Introductory instructions for configuring your firewall are presented in the next section: Firewalling

Boot Script

To set up the iptables firewall at boot, install the /etc/rc.d/init.d/iptables init script included in the blfs-bootscripts-20060910 package. 

make install-iptables

Contents

Installed Programs: iptables, iptables-restore, iptables-save and ip6tables
Installed Libraries: libip6t_*.so and libipt_*.so
Installed Directory: /lib/iptables

Short Descriptions

iptables

is used to set up, maintain, and inspect the tables of IP packet filter rules in the Linux kernel.

iptables-restore

is used to restore IP Tables from data specified on STDIN. Use I/O redirection provided by your shell to read from a file.

iptables-save

is used to dump the contents of an IP Table in easily parseable format to STDOUT. Use I/O-redirection provided by your shell to write to a file.

ip6tables

is used to set up, maintain, and inspect the tables of IPv6 packet filter rules in the Linux kernel. Several different tables may be defined. Each table contains a number of built-in chains and may also contain user-defined chains.

libip*.so

library modules are various modules (implemented as dynamic libraries) which extend the core functionality of iptables.

Last updated on 2007-04-04 21:42:53 +0200