source: postlfs/security/iptables.xml@ cbc3f97

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
   "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
  <!ENTITY % general-entities SYSTEM "../../general.ent">
  %general-entities;

  <!ENTITY iptables-download-http "http://www.netfilter.org/projects/iptables/files/iptables-&iptables-version;.tar.bz2">
  <!ENTITY iptables-download-ftp  "ftp://ftp.netfilter.org/pub/iptables/iptables-&iptables-version;.tar.bz2">
  <!ENTITY iptables-md5sum        "27ba3451cb622467fc9267a176f19a31">
  <!ENTITY iptables-size          "596 KB">
  <!ENTITY iptables-buildsize     "19 MB">
  <!ENTITY iptables-time          "0.1 SBU">
]>

<sect1 id="iptables" xreflabel="Iptables-&iptables-version;">
  <?dbhtml filename="iptables.html"?>

  <sect1info>
    <othername>$LastChangedBy$</othername>
    <date>$Date$</date>
  </sect1info>

  <title>Iptables-&iptables-version;</title>

  <indexterm zone="iptables">
    <primary sortas="a-Iptables">Iptables</primary>
  </indexterm>

  <sect2 role="package">
    <title>Introduction to Iptables</title>

    <para>
      The next part of this chapter deals with firewalls. The principal
      firewall tool for Linux is <application>Iptables</application>. You will
      need to install <application>Iptables</application> if you intend on using
      any form of a firewall.
    </para>

    &lfs77_checked;

    <bridgehead renderas="sect3">Package Information</bridgehead>
    <itemizedlist spacing="compact">
      <listitem>
        <para>
          Download (HTTP): <ulink url="&iptables-download-http;"/>
        </para>
      </listitem>
      <listitem>
        <para>
          Download (FTP): <ulink url="&iptables-download-ftp;"/>
        </para>
      </listitem>
      <listitem>
        <para>
          Download MD5 sum: &iptables-md5sum;
        </para>
      </listitem>
      <listitem>
        <para>
          Download size: &iptables-size;
        </para>
      </listitem>
      <listitem>
        <para>
          Estimated disk space required: &iptables-buildsize;
        </para>
      </listitem>
      <listitem>
        <para>
          Estimated build time: &iptables-time;
        </para>
      </listitem>
    </itemizedlist>

    <bridgehead renderas="sect3">Iptables Dependencies</bridgehead>
    
    <bridgehead renderas="sect4">Optional</bridgehead>
    <para role="optional">
      <ulink url="http://www.netfilter.org/projects/nftables/index.html">nftables</ulink>
    </para>

    <para condition="html" role="usernotes">User Notes:
      <ulink url="&blfs-wiki;/iptables"/>
    </para>
  </sect2>

  <sect2 role="kernel" id="iptables-kernel">
    <title>Kernel Configuration</title>

    <para>
      A firewall in Linux is accomplished through a portion of the
      kernel called netfilter. The interface to netfilter is
      <application>Iptables</application>. To use it, the appropriate
      kernel configuration parameters are found in:
    </para>

<screen><literal>[*] Networking support  ---&gt;                                    [CONFIG_NET]
      Networking Options  ---&gt;
        [*] Network packet filtering framework (Netfilter) ---&gt; [CONFIG_NETFILTER]</literal></screen>

    <indexterm zone="iptables iptables-kernel">
      <primary sortas="d-iptables">Iptables</primary>
    </indexterm>

  </sect2>

    <sect2 role="installation">
      <title>Installation of Iptables</title>

    <note>
      <para>
        The installation below does not include building some specialized
        extension libraries which require the raw headers in the
        <application>Linux</application> source code. If you wish to build the
        additional extensions (if you aren't sure, then you probably don't), you
        can look at the <filename>INSTALL</filename> file to see an example of
        how to change the <parameter>KERNEL_DIR=</parameter> parameter to point
        at the <application>Linux</application> source code. Note that if you
        upgrade the kernel version, you may also need to recompile
        <application>Iptables</application> and that the BLFS team has not tested
        using the raw kernel headers.
      </para>

      <para>
        For some non-x86 architectures, the raw kernel headers may be
        required. In that case, modify the <parameter>KERNEL_DIR=</parameter>
        parameter to point at the <application>Linux</application> source
        code.
      </para>
    </note>

    <para>
      Install <application>Iptables</application> by running the following
      commands:
    </para>

<screen><userinput>./configure --prefix=/usr   \
            --sbindir=/sbin \
            --disable-nftables \
            --enable-libipq \
            --with-xtlibdir=/lib/xtables &amp;&amp;
make</userinput></screen>

    <para>This package does not come with a test suite.</para>

    <para>Now, as the <systemitem class="username">root</systemitem> user:</para>

<screen role="root"><userinput>make install &amp;&amp;
ln -sfv ../../sbin/xtables-multi /usr/bin/iptables-xml &amp;&amp;

for file in ip4tc ip6tc ipq iptc xtables
do
  mv -v /usr/lib/lib${file}.so.* /lib &amp;&amp;
  ln -sfv ../../lib/$(readlink /usr/lib/lib${file}.so) /usr/lib/lib${file}.so
done</userinput></screen>

  </sect2>

  <sect2 role="commands">
    <title>Command Explanations</title>

    <para>
      <parameter>--disable-nftables</parameter>: This switch disables building
      nftables compatibility. Omit this switch if you have installed nftables.
    </para>

    <para>
      <option>--enable-libipq</option>: This switch enables building
      of <filename class="libraryfile">libipq.so</filename> which
      can be used by some packages outside of BLFS.
    </para>

    <para>
      <option>--enable-nfsynproxy</option>: This switch enables installation
      of <application>nfsynproxy</application> SYNPROXY configuration tool.
    </para>

    <para>
      <option>--with-xtlibdir=/lib/xtables</option>: Ensure all
      <application>iptables</application> modules are installed in the
      <filename class="directory">/lib/xtables</filename> directory.
    </para>

    <para>
      <command>ln -sfv ../../sbin/xtables-multi /usr/bin/iptables-xml</command>:
      Ensure the symbolic link for <command>iptables-xml</command> is relative.
    </para>

  </sect2>

  <sect2 role="configuration">
    <title>Configuring Iptables</title>

    <para>
      Introductory instructions for configuring your firewall are
      presented in the next section: <xref linkend="fw-firewall"/>
    </para>

    <sect3  id="iptables-init">
      <title>Systemd Units</title>

      <para>
        To set up the <application>Iptables</application> firewall at boot,
        install the systemd unit from the <xref linkend="bootscripts"/>
        package by running the following command as the
        <systemitem class="username">root</systemitem> user:
      </para>

      <indexterm zone="iptables iptables-init">
        <primary sortas="f-iptables">iptables</primary>
      </indexterm>

<screen role="root"><userinput>make install-iptables</userinput></screen>

    </sect3>

  </sect2>

  <sect2 role="content">
    <title>Contents</title>

    <segmentedlist>
      <segtitle>Installed Programs</segtitle>
      <segtitle>Installed Libraries</segtitle>
      <segtitle>Installed Directories</segtitle>

      <seglistitem>
        <seg>
          ip6tables, 
          ip6tables-restore, 
          ip6tables-save, 
          iptables, 
          iptables-restore,
          iptables-save, 
          iptables-xml, 
          nfsynproxy (optional) and xtables-multi
        </seg>
        <seg>
          libip4tc.so, 
          libip6tc.so, 
          libipq.so, 
          libiptc.so, 
          and libxtables.so
        </seg>
        <seg>
          /lib/xtables 
          and /usr/include/libiptc
        </seg>
      </seglistitem>
    </segmentedlist>

    <variablelist>
      <bridgehead renderas="sect3">Short Descriptions</bridgehead>
      <?dbfo list-presentation="list"?>
      <?dbhtml list-presentation="table"?>

      <varlistentry id="iptables-prog">
        <term><command>iptables</command></term>
        <listitem>
          <para>
            is used to set up, maintain, and inspect the tables of
            IP packet filter rules in the Linux kernel.
          </para>
          <indexterm zone="iptables iptables-prog">
            <primary sortas="b-iptables">iptables</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="iptables-restore">
        <term><command>iptables-restore</command></term>
        <listitem>
          <para>
            is used to restore IP Tables from data specified on
            STDIN. Use I/O redirection provided by your
            shell to read from a file.
          </para>
          <indexterm zone="iptables iptables-restore">
            <primary sortas="b-iptables-restore">iptables-restore</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="iptables-save">
        <term><command>iptables-save</command></term>
        <listitem>
          <para>
            is used to dump the contents of an IP Table in easily
            parseable format to STDOUT. Use I/O-redirection
            provided by your shell to write to a file.
          </para>
          <indexterm zone="iptables iptables-save">
            <primary sortas="b-iptables-save">iptables-save</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="iptables-xml">
        <term><command>iptables-xml</command></term>
        <listitem>
          <para>
            is used to convert the output of
            <command>iptables-save</command> to an XML format. Using the
            <filename>iptables.xslt</filename> stylesheet converts the XML
            back to the format of <command>iptables-restore</command>.
          </para>
          <indexterm zone="iptables iptables-xml">
            <primary sortas="b-iptables-xml">iptables-xml</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="ip6tables">
        <term><command>ip6tables*</command></term>
        <listitem>
          <para>
            are a set of commands for IPV6 that parallel the iptables
            commands above.
          </para>
          <indexterm zone="iptables ip6tables">
            <primary sortas="b-ip6tables">ip6tables</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="nfsynproxy">
        <term><command>nfsynproxy</command></term>
        <listitem>
          <para>
            (optional) configuration tool. SYNPROXY target makes handling of
            large SYN floods possible without the large performance penalties
            imposed by the connection tracking in such cases.
          </para>
          <indexterm zone="iptables nfsynproxy">
            <primary sortas="b-nfsynproxy">nfsynproxy</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="xtables-multi">
        <term><command>xtables-multi</command></term>
        <listitem>
          <para>
            is a binary that behaves according to the name it is called by.
          </para>
          <indexterm zone="iptables xtables-multi">
            <primary sortas="b-xtables-multi">xtables-multi</primary>
          </indexterm>
        </listitem>
      </varlistentry>

    </variablelist>

  </sect2>

</sect1>