source: postlfs/security/iptables.xml@ f8962fe

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
   "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [
  <!ENTITY % general-entities SYSTEM "../../general.ent">
  %general-entities;

  <!ENTITY iptables-download-http "http://www.iptables.org/files/iptables-&iptables-version;.tar.bz2">
  <!ENTITY iptables-download-ftp  "ftp://ftp.netfilter.org/pub/iptables/iptables-&iptables-version;.tar.bz2">
  <!ENTITY iptables-md5sum        "c3358a3bd0d7755df0b64a5063db296b">
  <!ENTITY iptables-size          "177 KB">
  <!ENTITY iptables-buildsize     "3.8 MB">
  <!ENTITY iptables-time          "0.14 SBU">
]>

<sect1 id="iptables" xreflabel="iptables-&iptables-version;">
<sect1info>
<othername>$LastChangedBy$</othername>
<date>$Date$</date>
</sect1info>
<?dbhtml filename="iptables.html"?>
<title>iptables-&iptables-version;</title>

<indexterm zone="iptables">
  <primary sortas="a-Iptables">Iptables</primary>
</indexterm>

<para>The next part of this chapter deals with firewalls.  The principal
firewall tool for Linux, as of the 2.4 kernel series, is
<application>iptables</application>.  It replaces
<application>ipchains</application> from the 2.2 series and
<application>ipfwadm</application> from the 2.0 series. You will need to
install <application>iptables</application> if you intend on using any form of
a firewall.</para>

<sect2>
<title>Introduction to <application>iptables</application></title>

<para>To use a firewall, as well as installing
<application>iptables</application>, you will need
to configure the relevant options into your kernel.  This is discussed
in the next part of this chapter &ndash; 
<xref linkend="fw-kernel"/>.</para>

<para>If you intend to use <acronym>IP</acronym>v6 you might consider extending
the kernel by running <command>make patch-o-matic</command> in the top-level
source tree directory of <application>iptables</application>.  If you are 
going to do this, on a freshly untarred kernel, you need to run 
<command>yes "" | make config &amp;&amp; make dep</command> first because 
otherwise the patch-o-matic command is likely to fail while setting up
some dependencies.</para>

<para>If you are going to patch the kernel, you need to do it before you
compile <application>iptables</application>, because during the compilation, 
the kernel source tree is checked (if it is available at <filename
class="directory">/usr/src/linux-<replaceable>[version]</replaceable>
</filename>) to see which features are available.  Support will only be compiled
into <application>iptables</application> for the features recognized at 
compile-time.  Applying a kernel patch may result in errors, often because the 
hooks for the patches have changed or because the <command>runme</command> 
script doesn't recognize that a patch has already been incorporated.</para>

<para>Note that for most people, patching the kernel is unnecessary.
With the later 2.4.x kernels, most functionality is already available
and those who need to patch it are generally those who need a specific
feature; if you don't know why you need to patch the kernel, you're 
unlikely to need to!</para>

<sect3>
<title>Package information</title>
<itemizedlist spacing='compact'>
  <listitem><para>Download (HTTP): <ulink url="&iptables-download-http;"/></para></listitem>
  <listitem><para>Download (FTP): <ulink url="&iptables-download-ftp;"/></para></listitem>
  <listitem><para>Download MD5 sum: &iptables-md5sum;</para></listitem>
  <listitem><para>Download size: &iptables-size;</para></listitem>
  <listitem><para>Estimated disk space required: &iptables-buildsize;</para></listitem>
  <listitem><para>Estimated build time: &iptables-time;</para></listitem>
</itemizedlist>
</sect3>

</sect2>

<sect2>
<title>Installation of <application>iptables</application></title>

<note>
  <para>Installation of <application>iptables</application> will fail if raw
  kernel headers are found in <filename
  class='directory'>/usr/src/linux</filename> either as actual files or a
  symlink.  As of the Linux 2.6 kernel series, this directory should no longer
  exist because appropriate headers were installed in the linux-libc-headers
  package during the base <acronym>LFS</acronym> installation.  </para>

  <para>For some non-x86 architectures, the raw kernel headers may be required.
  In that case, add the environment variable KERNEL_DIR=/usr/src/linux to the
  make commands below.</para>
</note>

<para>Install <application>iptables</application> by running the following 
commands:</para>

<screen><userinput><command>make PREFIX=/usr LIBDIR=/lib BINDIR=/sbin</command></userinput></screen>

<para>Now, as the root user:</para>

<screen><userinput role='root'><command>make PREFIX=/usr LIBDIR=/lib BINDIR=/sbin install</command></userinput></screen>

</sect2>

<sect2>
<title>Command explanations</title>

<para><parameter>PREFIX=/usr LIBDIR=/lib BINDIR=/sbin</parameter>: Compiles 
and installs <application>iptables</application> libraries into 
<filename class="directory">/lib</filename>, binaries into 
<filename class="directory">/sbin</filename> and the remainder into the 
<filename class="directory">/usr</filename> hierarchy instead of 
<filename class="directory">/usr/local</filename>. Firewalls are
generally activated during the boot process and 
<filename class="directory">/usr</filename> may not be mounted at that 
time.</para>

</sect2>

<sect2>
<title>Contents</title>

<segmentedlist>
<segtitle>Installed Programs</segtitle>
<segtitle>Installed Libraries</segtitle>
<segtitle>Installed Directory</segtitle>

<seglistitem>
<seg>iptables, iptables-restore, iptables-save and ip6tables</seg>
<seg>libip6t_*.so and libipt_*.so</seg>
<seg>/lib/iptables</seg>
</seglistitem>
</segmentedlist>

<variablelist>
<bridgehead renderas="sect3">Short Descriptions</bridgehead>
<?dbfo list-presentation="list"?>

<varlistentry id="iptables-prog">
  <term><command>iptables</command></term>
  <listitem><para>is used to set up, maintain, and inspect the tables of 
    <acronym>IP</acronym> packet filter rules in the Linux kernel.</para>
    <indexterm zone="iptables iptables-prog">
      <primary sortas="b-iptables">iptables</primary>
    </indexterm>
  </listitem>
</varlistentry>

<varlistentry id="iptables-restore">
  <term><command>iptables-restore</command></term>
  <listitem><para>is used to restore <acronym>IP</acronym> Tables from data 
    specified on <acronym>STDIN</acronym>. Use I/O redirection provided by your 
    shell to read from a file.</para>
    <indexterm zone="iptables iptables-restore">
      <primary sortas="b-iptables-restore">iptables-restore</primary>
    </indexterm>
  </listitem>
</varlistentry>

<varlistentry id="iptables-save">
  <term><command>iptables-save</command></term>
  <listitem><para>is used to dump the contents of an <acronym>IP</acronym> Table 
    in easily parseable format to <acronym>STDOUT</acronym>. Use I/O-redirection 
    provided by your shell to write to a file.</para>
    <indexterm zone="iptables iptables-save">
      <primary sortas="b-iptables-save">iptables-save</primary>
    </indexterm>
  </listitem>
</varlistentry>

<varlistentry id="ip6tables">
  <term><command>ip6tables</command></term>
  <listitem><para>is used to set up, maintain, and inspect the tables of 
    <acronym>IP</acronym>v6 packet filter rules in the Linux kernel. Several 
    different tables may be defined. Each table contains a number of built-in 
    chains and may also contain user-defined chains.</para>
    <indexterm zone="iptables ip6tables">
      <primary sortas="b-ip6tables">ip6tables</primary>
    </indexterm>
  </listitem>
</varlistentry>

<varlistentry id="libip-iptables">
  <term><filename class='libraryfile'>libip*.so</filename></term>
  <listitem><para>library modules are various modules (implemented as dynamic 
    libraries) which extend the core functionality of 
    <command>iptables</command>.</para>
    <indexterm zone="iptables libip-iptables">
      <primary sortas="c-libip-iptables">libip*.so</primary>
    </indexterm>
  </listitem>
</varlistentry>

</variablelist>
</sect2>
</sect1>