Iptables-1.6.1
Introduction to Iptables
The next part of this chapter deals with firewalls. The principal
firewall tool for Linux is Iptables. You will need to install
Iptables if you intend on using
any form of a firewall.
This package is known to build and work properly using an LFS-8.1
platform.
Package Information
Iptables Dependencies
Optional
nftables
User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/iptables
Kernel
Configuration
A firewall in Linux is accomplished through a portion of the kernel
called netfilter. The interface to netfilter is Iptables. To use it, the appropriate kernel
configuration parameters are found in:
[*] Networking support ---> [CONFIG_NET]
Networking Options --->
[*] Network packet filtering framework (Netfilter) ---> [CONFIG_NETFILTER]
Installation of Iptables
Note
The installation below does not include building some specialized
extension libraries which require the raw headers in the
Linux source code. If you wish
to build the additional extensions (if you aren't sure, then you
probably don't), you can look at the INSTALL
file to see an example of how to change
the KERNEL_DIR=
parameter
to point at the Linux source
code. Note that if you upgrade the kernel version, you may also
need to recompile Iptables and
that the BLFS team has not tested using the raw kernel headers.
For some non-x86 architectures, the raw kernel headers may be
required. In that case, modify the KERNEL_DIR=
parameter to point at
the Linux source code.
Install Iptables by running the
following commands:
./configure --prefix=/usr \
--sbindir=/sbin \
--disable-nftables \
--enable-libipq \
--with-xtlibdir=/lib/xtables &&
make
This package does not come with a test suite.
Now, as the root
user:
make install &&
ln -sfv ../../sbin/xtables-multi /usr/bin/iptables-xml &&
for file in ip4tc ip6tc ipq iptc xtables
do
mv -v /usr/lib/lib${file}.so.* /lib &&
ln -sfv ../../lib/$(readlink /usr/lib/lib${file}.so) /usr/lib/lib${file}.so
done
Command Explanations
--disable-nftables
: This
switch disables building nftables compat. Omit this switch if you
have installed nftables.
--enable-libipq
: This
switch enables building of libipq.so
which can be used by some packages outside of BLFS.
--with-xtlibdir=/lib/xtables
: Ensure
all Iptables modules are installed
in the /lib/xtables
directory.
--enable-nfsynproxy
: This switch
enables installation of nfsynproxy
SYNPROXY configuration tool.
ln -sfv ../../sbin/xtables-multi
/usr/bin/iptables-xml: Ensure the symbolic link for
iptables-xml is
relative.
Configuring Iptables
Introductory instructions for configuring your firewall are
presented in the next section: Firewalling
Boot Script
To set up the iptables firewall at boot, install the /etc/rc.d/init.d/iptables
init script included
in the blfs-bootscripts-20170731 package.
make install-iptables
Contents
Installed Programs:
ip6tables, ip6tables-restore,
ip6tables-save, iptables, iptables-restore, iptables-save,
iptables-xml, nfsynproxy (optional) and xtables-multi
Installed Libraries:
libip4tc.so, libip6tc.so, libipq.so,
libiptc.so, and libxtables.so
Installed Directories:
/lib/xtables and
/usr/include/libiptc
Short Descriptions
iptables
|
is used to set up, maintain, and inspect the tables of IP
packet filter rules in the Linux kernel.
|
iptables-restore
|
is used to restore IP Tables from data specified on
STDIN. Use I/O redirection provided by your shell to read
from a file.
|
iptables-save
|
is used to dump the contents of an IP Table in easily
parseable format to STDOUT. Use I/O-redirection provided
by your shell to write to a file.
|
iptables-xml
|
is used to convert the output of iptables-save to an XML
format. Using the iptables.xslt stylesheet converts the
XML back to the format of iptables-restore.
|
ip6tables*
|
are a set of commands for IPV6 that parallel the iptables
commands above.
|
nfsynproxy
|
(optional) configuration tool. SYNPROXY target makes
handling of large SYN floods possible without the large
performance penalties imposed by the connection tracking
in such cases.
|
xtables-multi
|
is a binary that behaves according to the name it is
called by.
|
Last updated on 2017-08-25 14:22:07 -0700