Iptables-&iptables-version;

Introduction to Iptables

The next part of this chapter deals with firewalls. The principal firewall tool for Linux is iptables. You will need to install iptables if you intend to use any form of firewall.

&lfs70_checked;

Package Information

Download (HTTP):
Download (FTP):
Download MD5 sum: &iptables-md5sum;
Download size: &iptables-size;
Estimated disk space required: &iptables-buildsize;
Estimated build time: &iptables-time;

User Notes:

Kernel Configuration

A firewall in Linux is implemented by a portion of the kernel called netfilter; iptables is the user-space interface to netfilter. To use it, enable the appropriate kernel configuration parameters, found under Networking Support ⇒ Networking Options ⇒ Network Packet Filtering Framework.

Installation of Iptables

The installation below does not build some specialized extension libraries which require the raw headers from the Linux source code. If you wish to build the additional extensions (if you aren't sure, then you probably don't), look at the INSTALL file for an example of how to change the KERNEL_DIR= parameter to point at the Linux source code. Note that if you upgrade the kernel version, you may also need to recompile iptables, and that the BLFS team has not tested building against the raw kernel headers.

For some non-x86 architectures, the raw kernel headers may be required. In that case, modify the KERNEL_DIR= parameter to point at the Linux source code.

Install iptables by running the following commands:

    sed -i '/if_packet/i#define __aligned_u64 __u64 __attribute__((aligned(8)))' \
        extensions/libxt_pkttype.c &&
    ./configure --prefix=/usr                             \
                --exec-prefix=                            \
                --bindir=/sbin                            \
                --with-xtlibdir=/lib/xtables              \
                --with-pkgconfigdir=/usr/lib/pkgconfig &&
    make

This package does not come with a test suite.

Now, as the root user:

    make install &&
    ln -sfv xtables-multi /sbin/iptables-xml

Command Explanations

sed -i '/if_packet/i#define ...: This sed fixes compiling iptables with the linux-3.2 kernel headers installed. It is not needed if you built LFS with an older kernel's headers, but in that case it does no harm.

--exec-prefix=: Ensure all binaries and libraries end up in the / directory tree.

--bindir=/sbin: Ensure all the executables go in /sbin.

--with-xtlibdir=/lib/xtables: Ensure all iptables modules are installed in the /lib/xtables directory.

--with-pkgconfigdir=/usr/lib/pkgconfig: Ensure all the pkgconfig files are in the standard location.

ln -sfv xtables-multi /sbin/iptables-xml: Ensure the symbolic link for iptables-xml is relative.

Configuring Iptables

Introductory instructions for configuring your firewall are presented in the next section.

Boot Script

To set up the iptables firewall at boot, install the /etc/rc.d/init.d/iptables init script included in the package:

    make install-iptables

Contents

Installed Programs: iptables, iptables-restore, iptables-save, iptables-xml, ip6tables, ip6tables-restore, ip6tables-save, and xtables-multi

Installed Libraries: libip4tc.so, libip6tc.so, libiptc.so, libxtables.so, and numerous modules in /lib/xtables

Installed Directories: /lib/xtables, /usr/include/libiptc and /usr/share/xtables

Short Descriptions

iptables is used to set up, maintain, and inspect the tables of IP packet filter rules in the Linux kernel. It is a symbolic link to xtables-multi.

iptables-restore is used to restore IP tables from data specified on STDIN. Use the I/O redirection provided by your shell to read from a file. It is a symbolic link to xtables-multi.

iptables-save is used to dump the contents of an IP table in an easily parseable format to STDOUT. Use the I/O redirection provided by your shell to write to a file. It is a symbolic link to xtables-multi.

iptables-xml is used to convert the output of iptables-save to an XML format. Using the iptables.xslt stylesheet converts the XML back to the format of iptables-restore. It is a symbolic link to xtables-multi.

ip6tables* are a set of commands for IPv6 that parallel the iptables commands above. All of these commands are symbolic links to xtables-multi.
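The boot script and the iptables-save/iptables-restore descriptions above rely on a saved rules file being fed back to iptables-restore at boot. A file that is truncated or hand-edited badly makes iptables-restore abort mid-way, which can leave the host with the previous (or no) ruleset. The script below is an added example, not part of the BLFS book or the iptables package: it embeds a constructed default-deny ruleset in iptables-save format and a hypothetical check_rules_file function that validates the file's structure (every *table closed by COMMIT, chain and rule lines well-formed) before it would be handed to iptables-restore. It needs no root privileges and does not touch the running firewall.

```shell
#!/bin/sh
# Added example (not BLFS or iptables project code). All names here are
# hypothetical; the ruleset below is constructed for illustration only.

# Constructed sample in iptables-save/iptables-restore format: a default-deny
# IPv4 host firewall allowing loopback, established traffic and inbound SSH.
SAMPLE_RULES='# Constructed sample ruleset for this example
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -j LOG --log-prefix "INPUT drop: "
COMMIT
'

# check_rules_file FILE
# Structural validation of an iptables-save style file before it is passed
# to iptables-restore. Returns 0 when the file is well-formed, 1 when a
# problem is found (first problem printed on stderr), 2 if FILE is unreadable.
check_rules_file() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    table='' n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in
            ''|'#'*) ;;                          # blank lines and comments
            '*'*)                                # "*filter", "*nat", ...
                if [ -n "$table" ]; then
                    echo "line $n: table $table not closed by COMMIT" >&2; return 1
                fi
                table=${line#\*} ;;
            COMMIT)                              # ends the current table
                if [ -z "$table" ]; then
                    echo "line $n: COMMIT outside a table" >&2; return 1
                fi
                table='' ;;
            ':'*)                                # ":CHAIN POLICY [pkts:bytes]"
                [ -n "$table" ] || { echo "line $n: chain outside a table" >&2; return 1; }
                case $line in
                    :*' ACCEPT ['*:*']'|:*' DROP ['*:*']'|:*' - ['*:*']') ;;
                    *) echo "line $n: malformed chain line: $line" >&2; return 1 ;;
                esac ;;
            '-A '*|'-I '*)                       # rule lines
                [ -n "$table" ] || { echo "line $n: rule outside a table: $line" >&2; return 1; } ;;
            *) echo "line $n: unrecognised line: $line" >&2; return 1 ;;
        esac
    done < "$1"
    if [ -n "$table" ]; then
        echo "table $table missing COMMIT" >&2; return 1
    fi
    return 0
}

# Writes the sample to a temporary file and validates it (expected: 0).
demo_valid() {
    f=$(mktemp) || return 2
    printf '%s' "$SAMPLE_RULES" > "$f"
    rc=0
    check_rules_file "$f" || rc=$?
    rm -f "$f"
    return $rc
}

# Same file with the COMMIT line removed, as a truncated save might look
# (expected: 1, i.e. rejected).
demo_truncated() {
    f=$(mktemp) || return 2
    printf '%s' "$SAMPLE_RULES" | grep -v '^COMMIT$' > "$f"
    rc=0
    check_rules_file "$f" 2>/dev/null || rc=$?
    rm -f "$f"
    return $rc
}

demo_valid && echo "sample ruleset: OK"
if demo_truncated; then
    echo "truncated ruleset: unexpectedly accepted"
else
    echo "truncated ruleset: rejected as expected"
fi
```

In a boot script the call would be `check_rules_file /etc/iptables.rules && iptables-restore < /etc/iptables.rules`, so that a damaged file is reported instead of half-applied; the check is purely syntactic and does not replace reviewing the rules themselves.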