source: postlfs/security/iptables.xml@ 0aeb696

Last change on this file since 0aeb696 was 0aeb696, checked in by Randy McMurchy <randy@…>, 18 years ago

Added a comment to each file that may need a mention of a test suite added to it, this allows closing of bug #1697

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@5951 af4574ff-66df-0310-9fd7-8a98e5e911e0

  • Property mode set to 100644
File size: 9.2 KB
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
   "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd" [
  <!ENTITY % general-entities SYSTEM "../../general.ent">
  %general-entities;

  <!-- Inserted as a reminder to do this. The mention of a test suite
       is usually right before the root user installation commands. Please
       delete these 12 (including one blank) lines after you are done.-->

  <!-- Use one of the two mentions below about a test suite,
       delete the line that is not applicable. Of course, if the
       test suite uses syntax other than "make check", revise the
       line to reflect the actual syntax to run the test suite -->

  <!-- <para>This package does not come with a test suite.</para> -->
  <!-- <para>To test the results, issue: <command>make check</command>.</para> -->

  <!ENTITY iptables-download-http "http://www.iptables.org/files/iptables-&iptables-version;.tar.bz2">
  <!ENTITY iptables-download-ftp "ftp://ftp.netfilter.org/pub/iptables/iptables-&iptables-version;.tar.bz2">
  <!ENTITY iptables-md5sum "00fb916fa8040ca992a5ace56d905ea5">
  <!ENTITY iptables-size "187 KB">
  <!ENTITY iptables-buildsize "5.0 MB">
  <!ENTITY iptables-time "0.2 SBU">
]>

<sect1 id="iptables" xreflabel="iptables-&iptables-version;">
  <?dbhtml filename="iptables.html"?>

  <sect1info>
    <othername>$LastChangedBy$</othername>
    <date>$Date$</date>
    <keywordset>
      <keyword role="package">iptables-&iptables-version;.tar</keyword>
      <keyword role="ftpdir">iptables</keyword>
    </keywordset>
  </sect1info>

  <title>Iptables-&iptables-version;</title>

  <indexterm zone="iptables">
    <primary sortas="a-Iptables">Iptables</primary>
  </indexterm>

  <sect2 role="package">
    <title>Introduction to Iptables</title>

    <para>The next part of this chapter deals with firewalls. The principal
    firewall tool for Linux, as of the 2.4 kernel series, is
    <application>iptables</application>. It replaces
    <application>ipchains</application> from the 2.2 series and
    <application>ipfwadm</application> from the 2.0 series. You will need to
    install <application>iptables</application> if you intend on using any
    form of a firewall.</para>

    <bridgehead renderas="sect3">Package Information</bridgehead>
    <itemizedlist spacing="compact">
      <listitem>
        <para>Download (HTTP): <ulink url="&iptables-download-http;"/></para>
      </listitem>
      <listitem>
        <para>Download (FTP): <ulink url="&iptables-download-ftp;"/></para>
      </listitem>
      <listitem>
        <para>Download MD5 sum: &iptables-md5sum;</para>
      </listitem>
      <listitem>
        <para>Download size: &iptables-size;</para>
      </listitem>
      <listitem>
        <para>Estimated disk space required: &iptables-buildsize;</para>
      </listitem>
      <listitem>
        <para>Estimated build time: &iptables-time;</para>
      </listitem>
    </itemizedlist>

    <para condition="html" role="usernotes">User Notes:
    <ulink url="&blfs-wiki;/iptables"/></para>

  </sect2>

  <sect2 role="kernel" id='iptables-kernel'>
    <title>Kernel Configuration</title>

    <para>A firewall in Linux is accomplished through a portion of the
    kernel called netfilter. The interface to netfilter is
    <application>iptables</application>. To use it, the appropriate
    kernel configuration parameters are found in Device Drivers -&gt;
    Networking Support -&gt; Networking Options -&gt;
    Network Packet Filtering -&gt; IP: Netfilter Configuration.</para>

    <indexterm zone="iptables iptables-kernel">
      <primary sortas="d-iptables">Iptables</primary>
    </indexterm>

  </sect2>

  <sect2 role="installation">
    <title>Installation of Iptables</title>

    <note>
      <para>Installation of <application>iptables</application> will fail
      if raw kernel headers are found in <filename
      class='directory'>/usr/src/linux</filename> either as actual files
      or a symlink. As of the Linux 2.6 kernel series, this directory
      should no longer exist because appropriate headers were installed
      from the <application>Linux-Libc-Headers</application> package during
      the base LFS installation.</para>

      <para>For some non-x86 architectures, the raw kernel headers may be
      required. In that case, add the environment variable
      <envar>KERNEL_DIR=/usr/src/linux</envar> to the make commands below.</para>
    </note>

    <para>Install <application>iptables</application> by running the following
    commands:</para>

<screen><userinput>make PREFIX=/usr LIBDIR=/lib BINDIR=/sbin</userinput></screen>

    <para>Now, as the <systemitem class="username">root</systemitem> user:</para>

<screen role="root"><userinput>make PREFIX=/usr LIBDIR=/lib BINDIR=/sbin install</userinput></screen>

  </sect2>

  <sect2 role="commands">
    <title>Command Explanations</title>

    <para><parameter>PREFIX=/usr LIBDIR=/lib BINDIR=/sbin</parameter>:
    Compiles and installs <application>iptables</application> libraries
    into <filename class="directory">/lib</filename>, binaries into
    <filename class="directory">/sbin</filename> and the remainder into
    the <filename class="directory">/usr</filename> hierarchy instead of
    <filename class="directory">/usr/local</filename>. Firewalls are
    generally activated during the boot process and
    <filename class="directory">/usr</filename> may not be mounted at
    that time.</para>

  </sect2>

  <sect2 role="configuration">
    <title>Configuring Iptables</title>

    <para>Introductory instructions for configuring your firewall are
    presented in the next section: <xref linkend='fw-firewall'/></para>

    <sect3 id="iptables-init">
      <title>Boot Script</title>

      <para>To set up the iptables firewall at boot, install the
      <filename>/etc/rc.d/init.d/iptables</filename> init script included
      in the <xref linkend="bootscripts"/> package.</para>

      <indexterm zone="iptables iptables-init">
        <primary sortas="f-iptables">iptables</primary>
      </indexterm>

<screen role="root"><userinput>make install-iptables</userinput></screen>

    </sect3>

  </sect2>

  <sect2 role="content">
    <title>Contents</title>

    <segmentedlist>
      <segtitle>Installed Programs</segtitle>
      <segtitle>Installed Libraries</segtitle>
      <segtitle>Installed Directory</segtitle>

      <seglistitem>
        <seg>iptables, iptables-restore, iptables-save and ip6tables</seg>
        <seg>libip6t_*.so and libipt_*.so</seg>
        <seg>/lib/iptables</seg>
      </seglistitem>
    </segmentedlist>

    <variablelist>
      <bridgehead renderas="sect3">Short Descriptions</bridgehead>
      <?dbfo list-presentation="list"?>
      <?dbhtml list-presentation="table"?>

      <varlistentry id="iptables-prog">
        <term><command>iptables</command></term>
        <listitem>
          <para>is used to set up, maintain, and inspect the tables of
          IP packet filter rules in the Linux kernel.</para>
          <indexterm zone="iptables iptables-prog">
            <primary sortas="b-iptables">iptables</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="iptables-restore">
        <term><command>iptables-restore</command></term>
        <listitem>
          <para>is used to restore IP Tables from data
          specified on STDIN. Use I/O redirection provided by your
          shell to read from a file.</para>
          <indexterm zone="iptables iptables-restore">
            <primary sortas="b-iptables-restore">iptables-restore</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="iptables-save">
        <term><command>iptables-save</command></term>
        <listitem>
          <para>is used to dump the contents of an IP Table
          in easily parseable format to STDOUT. Use I/O-redirection
          provided by your shell to write to a file.</para>
          <indexterm zone="iptables iptables-save">
            <primary sortas="b-iptables-save">iptables-save</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="ip6tables">
        <term><command>ip6tables</command></term>
        <listitem>
          <para>is used to set up, maintain, and inspect the tables of
          IPv6 packet filter rules in the Linux kernel. Several different
          tables may be defined. Each table contains a number of built-in
          chains and may also contain user-defined chains.</para>
          <indexterm zone="iptables ip6tables">
            <primary sortas="b-ip6tables">ip6tables</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="libip-iptables">
        <term><filename class='libraryfile'>libip*.so</filename></term>
        <listitem>
          <para>library modules are various modules (implemented as dynamic
          libraries) which extend the core functionality of
          <command>iptables</command>.</para>
          <indexterm zone="iptables libip-iptables">
            <primary sortas="c-libip-iptables">libip*.so</primary>
          </indexterm>
        </listitem>
      </varlistentry>

    </variablelist>

  </sect2>

</sect1>
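Added example, not part of the BLFS book source: the Short Descriptions above call the `iptables-save` output "easily parseable", and the sketch below parses such a dump and reports built-in filter chains whose default policy is ACCEPT, a check worth running on a saved ruleset before a boot script feeds it to `iptables-restore`. The sample dump, the function names and the choice of INPUT and FORWARD as the chains to check are assumptions of this example.

```python
# Constructed sample in iptables-save format (not from the original page).
SAMPLE_DUMP = """\
# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:LOGDROP - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A LOGDROP -j DROP
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
"""


def parse_save_dump(text):
    """Return {table: {"policies": {chain: policy}, "rules": [line, ...]}}."""
    tables, current = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or comment
        if line.startswith("*"):          # "*filter" opens a table section
            current = line[1:]
            tables[current] = {"policies": {}, "rules": []}
        elif current is None:
            raise ValueError(f"line {lineno}: content outside a table section")
        elif line == "COMMIT":            # closes the current table section
            current = None
        elif line.startswith(":"):        # ":CHAIN POLICY [packets:bytes]"
            chain, policy = line[1:].split()[:2]
            tables[current]["policies"][chain] = policy
        else:                             # rule line such as "-A INPUT ..."
            tables[current]["rules"].append(line)
    if current is not None:
        raise ValueError(f"table {current!r} is not closed by COMMIT")
    return tables


def permissive_filter_chains(tables, checked=("INPUT", "FORWARD")):
    """Filter-table chains (assumed: INPUT, FORWARD) whose policy is ACCEPT."""
    policies = tables.get("filter", {}).get("policies", {})
    return sorted(c for c in checked if policies.get(c) == "ACCEPT")
```

User-defined chains appear in the dump with `-` in the policy position, so they are never reported; a dump that ends without `COMMIT` is rejected as truncated.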