source: postlfs/security/iptables.xml@ b4b71892

Last change on this file since b4b71892 was b4b71892, checked in by Bruce Dubbs <bdubbs@…>, 17 years ago

New XML Chapter 4

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@2288 af4574ff-66df-0310-9fd7-8a98e5e911e0

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
  "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [
  <!ENTITY % general-entities SYSTEM "../../general.ent">
  %general-entities;

  <!ENTITY iptables-download-http "http://www.iptables.org/files/iptables-&iptables-version;.tar.bz2">
  <!ENTITY iptables-download-ftp "ftp://ftp.netfilter.org/pub/iptables/iptables-&iptables-version;.tar.bz2">
  <!ENTITY iptables-size "183 KB">
  <!ENTITY iptables-buildsize "3.4 MB">
  <!ENTITY iptables-time "0.13 SBU">
]>

<sect1 id="postlfs-security-iptables">
<?dbhtml filename="iptables.html"?>
<title>iptables-&iptables-version;</title>

<para>The next part of this chapter deals with firewalls. The principal
firewall tool for Linux, as of the 2.4 kernel series, is
<application>iptables</application>. It replaces
<application>ipchains</application> from the 2.2 series and
<application>ipfwadm</application> from the 2.0 series. You will need to
install <application>iptables</application> if you intend to use any form of
firewall.</para>

<sect2>
<title>Introduction to <application>iptables</application></title>

<para>To use a firewall, as well as installing
<application>iptables</application>, you will need to configure the
relevant options into your kernel. This is discussed in the next part of
this chapter - <xref linkend="postlfs-security-fw-kernel"/>.</para>

<para>If you intend to use <acronym>IP</acronym>v6 you might consider extending
the kernel by running <command>make patch-o-matic</command> in the top-level
directory of the <application>iptables</application> sources. If you are
going to do this on a freshly untarred kernel, you need to run
<command>yes "" | make config &amp;&amp; make dep</command> first, because
otherwise the patch-o-matic command is likely to fail while setting up
some dependencies.</para>

<para>If you are going to patch the kernel, you need to do it before you
compile <application>iptables</application>, because during the compilation
the kernel source tree is checked (if it is available at <filename
class="directory">/usr/src/linux-<replaceable>[version]</replaceable>
</filename>) to see which features are available. Support will only be compiled
into <application>iptables</application> for the features recognized at
compile-time. Applying a kernel patch may result in errors, often because the
hooks for the patches have changed or because the runme script doesn't
recognize that a patch has already been incorporated.</para>

<para>Note that for most people, patching the kernel is unnecessary.
With the later 2.4.x kernels, most functionality is already available,
and those who need to patch are generally those who need a specific
feature; if you don't know why you need to patch the kernel, you're
unlikely to need to!</para>

<sect3><title>Package information</title>
<itemizedlist spacing='compact'>
<listitem><para>Download (HTTP): <ulink
url="&iptables-download-http;"/></para></listitem>
<listitem><para>Download (FTP): <ulink
url="&iptables-download-ftp;"/></para></listitem>
<listitem><para>Download size: &iptables-size;</para></listitem>
<listitem><para>Estimated Disk space required:
&iptables-buildsize;</para></listitem>
<listitem><para>Estimated build time:
&iptables-time;</para></listitem></itemizedlist>
</sect3>

</sect2>


<sect2>
<title>Installation of <application>iptables</application></title>

<para>Install <application>iptables</application> by running the following commands:</para>

<screen><userinput><command>make PREFIX=/usr LIBDIR=/lib BINDIR=/sbin &amp;&amp;
make PREFIX=/usr LIBDIR=/lib BINDIR=/sbin install</command></userinput></screen>

</sect2>


<sect2>
<title>Command explanations</title>

<para><parameter>PREFIX=/usr LIBDIR=/lib BINDIR=/sbin</parameter>: Compiles and installs
<application>iptables</application> libraries into <filename
class="directory">/lib</filename>, binaries into <filename
class="directory">/sbin</filename> and the remainder into the
<filename class="directory">/usr</filename> hierarchy instead of
<filename class="directory">/usr/local</filename>. Firewalls are
generally set up during the boot process, and <filename
class="directory">/usr</filename> may not be mounted at that time, so the
binaries and the libraries they load must live on the root
filesystem.</para>

</sect2>

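<para>As an added example (not part of the BLFS book or of the
<application>iptables</application> package), the following shell script
checks the rationale above: it reads <command>ldd</command> output for a
binary and reports every shared library that lives under
<filename class="directory">/usr</filename> or could not be resolved. The
function names and the sample <command>ldd</command> output are constructed
for illustration.</para>

```shell
#!/bin/sh
# Added example, not BLFS code: check that a binary expected to run before
# /usr is mounted (such as /sbin/iptables installed with BINDIR=/sbin and
# LIBDIR=/lib above) does not pull in any shared library from under /usr.
# The sample ldd output below is constructed for the example.

# usr_deps: read ldd(1) output on stdin; print every resolved library that
# lives under /usr, and every library ldd could not find at all. Exit 1 if
# anything was printed, 0 if the binary is safe to run with /usr unmounted.
usr_deps() {
    awk '
        BEGIN { found = 0 }
        # "libfoo.so.1 => /path/libfoo.so.1 (0x...)": the resolved path is $3
        $2 == "=>" && $3 ~ /^\/usr\// { print $3; found = 1 }
        # "libfoo.so.1 => not found": unresolved, will fail at exec time
        $2 == "=>" && $3 == "not"      { print $1 " (not found)"; found = 1 }
        END { exit found }
    '
}

# check_early_boot_binary PATH: run ldd on an installed binary and report.
check_early_boot_binary() {
    if ldd "$1" | usr_deps; then
        echo "$1: no dependencies under /usr"
    else
        echo "$1: listed libraries live under /usr; unusable before /usr is mounted" >&2
        return 1
    fi
}

# Constructed ldd output for a hypothetical iptables linked against a
# libiptc.so.0 that was installed into /usr/lib rather than /lib.
SAMPLE='	linux-gate.so.1 =>  (0xffffe000)
	libiptc.so.0 => /usr/lib/libiptc.so.0 (0xb7f7a000)
	libc.so.6 => /lib/libc.so.6 (0xb7e3c000)
	/lib/ld-linux.so.2 (0xb7fa0000)'
printf '%s\n' "$SAMPLE" | usr_deps || echo "sample binary would break at boot"

# On a real install, as done by the BLFS command above:
#   check_early_boot_binary /sbin/iptables
```

<para>Note that the <filename>libip*.so</filename> match and target modules
are loaded with <function>dlopen</function> at run time, so
<command>ldd</command> never lists them; that is why
<parameter>LIBDIR=/lib</parameter> matters as much as
<parameter>BINDIR=/sbin</parameter>.</para>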
<sect2>
<title>Contents</title>

<para>The <application>iptables</application> package contains <command>iptables</command>,
<command>iptables-restore</command>, <command>iptables-save</command>,
<command>ip6tables</command> and some libraries.</para>

</sect2>

<sect2><title>Description</title>

<sect3><title>iptables</title>
<para><command>iptables</command> is used to set up, maintain, and inspect the
tables of <acronym>IP</acronym> packet filter rules in the Linux kernel.</para>
</sect3>

<sect3><title>iptables-restore, iptables-save</title>
<para>These are used to save and to restore your elaborated set of chains and
rules; the kernel does not keep them across a reboot. Before
<application>iptables</application>-1.2.5 they were declared
experimental.</para>
</sect3>

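<para>As an added example (not part of the BLFS book or of the
<application>iptables</application> package), the following shell script
writes a small default-deny ruleset in the format
<command>iptables-save</command> emits and <command>iptables-restore</command>
reads, checks the file offline before it is loaded, and shows where the two
commands come in. The rules, the file name and the helper names are
constructed for illustration.</para>

```shell
#!/bin/sh
# Added example, not BLFS code: a minimal default-deny ruleset written in the
# format iptables-save emits and iptables-restore reads, plus an offline sanity
# check on the file before it is loaded. The rules and the file name are
# constructed for this example.

RULES=${RULES:-/tmp/iptables-example.rules}

# write_ruleset FILE: one *filter table, INPUT/FORWARD default to DROP, and
# only loopback, replies to our own traffic, ssh and ping are let in.
write_ruleset() {
    cat > "$1" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
COMMIT
EOF
}

# check_ruleset FILE: exit 0 when every "*table" block is closed by COMMIT and
# the INPUT and FORWARD policies are DROP; otherwise print the problems found
# and exit 1. iptables-restore applies a table only when it reaches COMMIT,
# and it happily loads an ACCEPT policy; this catches both mistakes early.
check_ruleset() {
    awk '
        BEGIN { bad = 0; intable = 0 }
        /^\*/ {
            if (intable) { print "missing COMMIT before " $0; bad = 1 }
            intable = 1; next
        }
        /^COMMIT$/ {
            if (!intable) { print "COMMIT outside a table"; bad = 1 }
            intable = 0; next
        }
        /^:(INPUT|FORWARD) / {
            if ($2 != "DROP") { print $1 " policy is " $2 ", expected DROP"; bad = 1 }
        }
        END { if (intable) { print "table not closed by COMMIT"; bad = 1 } exit bad }
    ' "$1"
}

# rule_count FILE: number of -A lines, i.e. rules iptables-restore will add.
rule_count() { grep -c '^-A ' "$1"; }

write_ruleset "$RULES"
check_ruleset "$RULES" && echo "$RULES: ok, $(rule_count "$RULES") rules"
# As root, load the file (each table is replaced as one unit) and dump the
# live tables back into the same format:
#   iptables-restore < "$RULES"
#   iptables-save > "$RULES"
```

<para>Everything between a <literal>*table</literal> line and its
<literal>COMMIT</literal> is handed to the kernel as one replacement, which
is why restoring a saved file at boot is preferable to running
<command>iptables</command> once per rule: there is no window in which the
policy is already DROP but the ACCEPT rules are not yet in place, or the
other way round.</para>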
<sect3 id="ip6tables" xreflabel="ip6tables"><title>ip6tables</title>
<para>This is the same as <command>iptables</command> but for use with
<acronym>IP</acronym>v6. As of v1.2.5, it is not as complete as the standard
<acronym>IP</acronym>v4 version, especially with regard to some of the modules.</para>
</sect3>

<sect3><title>libip*.so</title>
<para>These are the match and target extensions (implemented as dynamic
libraries) which extend the core functionality of <command>iptables</command>;
<command>iptables</command> loads an extension when a rule references
it.</para>
</sect3>

</sect2>

</sect1>