source: postlfs/security/iptables/iptables-intro.xml@ 64d97b7c

<sect2>
<title>Introduction to iptables</title>

<screen>Download location (HTTP):       <ulink url="&iptables-download-http;"/>
Download location (FTP):        <ulink url="&iptables-download-ftp;"/>
Version used:                   &iptables-version;
Package size:                   &iptables-size;
Estimated Disk space required:  &iptables-buildsize;</screen>

<para>To use firewalling, as well as installing iptables, you will need
to configure the relevant options into your kernel.  This is discussed
in the next part of this chapter - <xref linkend="postlfs-security-fw-kernel"/>.</para>

<para>If you intend to use IPv6 you might consider extending the kernel
by running <userinput>make patch-o-matic</userinput> in the top-level
directory of the sources of iptables.  If you are going to do this, on a
freshly untarred kernel, you need to run <userinput>yes "" | make config
&amp;&amp; make dep</userinput> first because otherwise the
patch-o-matic command is likely to fail while setting up
some dependencies.</para>

<para>If you are going to patch the kernel, you need to do it before you
compile iptables, because during the compilation, the kernel source tree
is checked (if it is available at <filename>/usr/src/linux</filename> to
see which features are available.  Support will only be compiled into
iptables for the features recognized at compile-time.  Applying a kernel
patch may result in errors, often because the hooks for the patches
have changed or because the runme script doesn't recognize that a patch
has already been incorporated.</para>

<para>Note that for most people, patching the kernel is unnecessary.
With the later 2.4.x kernels, most functionality is already available
and those who need to patch it are generally those who need a specific
feature; if you don't know why you need to patch the kernel, you're 
unlikely to need to!</para>

</sect2>