Context Navigation

-              ra8f9c437
+              r4591404
   <!ENTITY iptables-download-http "http://www.netfilter.org/projects/iptables/files/iptables-&iptables-version;.tar.bz2">
   <!ENTITY iptables-download-ftp  "ftp://ftp.netfilter.org/pub/iptables/iptables-&iptables-version;.tar.bz2">
   <!ENTITY iptables-md5sum        "5ab24ad683f76689cfe7e0c73f44855d">
   <!ENTITY iptables-size          "500 KB">
   <!ENTITY iptables-buildsize     "17 MB">
+  <!ENTITY iptables-md5sum        "8bf564ea8348522fc1db727868828def">
+  <!ENTITY iptables-size          "504 KB">
+  <!ENTITY iptables-buildsize     "15 MB">
   <!ENTITY iptables-time          "0.2 SBU">
 ]>
 <sect1 id="iptables" xreflabel="iptables-&iptables-version;">
+<sect1 id="iptables" xreflabel="Iptables-&iptables-version;">
   <?dbhtml filename="iptables.html"?>
 …
     <title>Introduction to Iptables</title>
+  <para>The next part of this chapter deals with firewalls.  The principal
+  firewall tool for Linux is <application>iptables</application>.  You will
+  need to install <application>iptables</application> if you intend on using
+  any form of a firewall.</para>
+  &lfs71_checked;
+    <para>
+      The next part of this chapter deals with firewalls.  The principal
+      firewall tool for Linux is <application>Iptables</application>. You will
+      need to install <application>Iptables</application> if you intend on using
+      any form of a firewall.
+    </para>
+    &lfs71_checked;
     <bridgehead renderas="sect3">Package Information</bridgehead>
     <itemizedlist spacing="compact">
       <listitem>
+        <para>Download (HTTP): <ulink url="&iptables-download-http;"/></para>
+      </listitem>
+      <listitem>
+        <para>Download (FTP): <ulink url="&iptables-download-ftp;"/></para>
+      </listitem>
+      <listitem>
+        <para>Download MD5 sum: &iptables-md5sum;</para>
+      </listitem>
+      <listitem>
+        <para>Download size: &iptables-size;</para>
+      </listitem>
+      <listitem>
+        <para>Estimated disk space required: &iptables-buildsize;</para>
+      </listitem>
+      <listitem>
+        <para>Estimated build time: &iptables-time;</para>
+        <para>
+          Download (HTTP): <ulink url="&iptables-download-http;"/>
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          Download (FTP): <ulink url="&iptables-download-ftp;"/>
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          Download MD5 sum: &iptables-md5sum;
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          Download size: &iptables-size;
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          Estimated disk space required: &iptables-buildsize;
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          Estimated build time: &iptables-time;
+        </para>
       </listitem>
     </itemizedlist>
     <para condition="html" role="usernotes">User Notes:
     <ulink url="&blfs-wiki;/iptables"/></para>
   </sect2>
   <sect2 role="kernel" id='iptables-kernel'>
+      <ulink url="&blfs-wiki;/iptables"/>
+    </para>
+  </sect2>
+  <sect2 role="kernel" id="iptables-kernel">
     <title>Kernel Configuration</title>
+    <para>A firewall in Linux is accomplished through a portion of the
+    kernel called netfilter. The interface to netfilter is
+    <application>iptables</application>. To use it, the appropriate
+    kernel configuration parameters are found in Networking Support &rArr;
+    Networking Options &rArr; Network Packet Filtering Framework.</para>
+    <para>
+      A firewall in Linux is accomplished through a portion of the
+      kernel called netfilter. The interface to netfilter is
+      <application>Iptables</application>. To use it, the appropriate
+      kernel configuration parameters are found in Networking Support &rArr;
+      Networking Options &rArr; Network Packet Filtering Framework.
+    </para>
     <indexterm zone="iptables iptables-kernel">
 …
     <note>
+      <para>The installation below does not include building some specialized
+      extension libraries which require the raw headers in the
+      <application>Linux</application> source code. If you wish to build the
+      additional extensions (if you aren't sure, then you probably don't), you
+      can look at the <filename>INSTALL</filename> file to see an example of
+      how to change the <parameter>KERNEL_DIR=</parameter> parameter to point
+      at the <application>Linux</application> source code. Note that if you
+      upgrade the kernel version, you may also need to recompile
+      <application>iptables</application> and that the BLFS team has not tested
+      using the raw kernel headers.</para>
+      <para>For some non-x86 architectures, the raw kernel headers may be
+      required. In that case, modify the <parameter>KERNEL_DIR=</parameter>
+      parameter to point at the <application>Linux</application> source
+      code.</para>
+      <para>
+        The installation below does not include building some specialized
+        extension libraries which require the raw headers in the
+        <application>Linux</application> source code. If you wish to build the
+        additional extensions (if you aren't sure, then you probably don't), you
+        can look at the <filename>INSTALL</filename> file to see an example of
+        how to change the <parameter>KERNEL_DIR=</parameter> parameter to point
+        at the <application>Linux</application> source code. Note that if you
+        upgrade the kernel version, you may also need to recompile
+        <application>Iptables</application> and that the BLFS team has not tested
+        using the raw kernel headers.
+      </para>
+      <para>
+        For some non-x86 architectures, the raw kernel headers may be
+        required. In that case, modify the <parameter>KERNEL_DIR=</parameter>
+        parameter to point at the <application>Linux</application> source
+        code.
+      </para>
     </note>
+    <para>Install <application>iptables</application> by running the following
+    commands:</para>
+<screen><userinput>./configure --prefix=/usr     \
+            --exec-prefix=    \
+            --bindir=/sbin    \
+            --with-xtlibdir=/lib/xtables \
+            --with-pkgconfigdir=/usr/lib/pkgconfig &amp;&amp;
+    <para>
+      Install <application>Iptables</application> by running the following
+      commands:
+    </para>
+<screen><userinput>./configure --prefix=/usr                          \
+            --exec-prefix=                         \
+            --bindir=/sbin                         \
+            --with-xtlibdir=/lib/xtables           \
+            --with-pkgconfigdir=/usr/lib/pkgconfig \
+            --enable-libipq                        \
+            --enable-devel &amp;&amp;
 make</userinput></screen>
 …
     <title>Command Explanations</title>
+    <para><parameter>--exec-prefix=</parameter>: Ensure all binaries and
+    libraries end up in <filename class="directory">/</filename> directory
+    tree.</para>
+    <para><parameter>--bindir=/sbin</parameter>: Ensure all the executables go
+    in <filename class="directory">/sbin</filename>.</para>
+    <para><parameter>--with-xtlibdir=/lib/xtables</parameter>: Ensure all
+    iptables modules are installed in the
+    <filename class="directory">/lib/xtables</filename> directory.</para>
+    <para><parameter>--with-pkgconfigdir=/usr/lib/pkgconfig</parameter>:
+    Ensure all the pkgconfig files are in the standard location.</para>
+    <para><command>ln -sfv xtables-multi /sbin/iptables-xml</command>: Ensure
+    the symbolic link for <command>iptables-xml</command> is relative.</para>
+    <para>
+      <parameter>--exec-prefix=</parameter>: Ensure all binaries and
+      libraries end up in <filename class="directory">/</filename>
+      directory tree.
+    </para>
+    <para>
+      <parameter>--bindir=/sbin</parameter>: Ensure all the executables go
+      in <filename class="directory">/sbin</filename>.
+    </para>
+    <para>
+      <parameter>--with-xtlibdir=/lib/xtables</parameter>: Ensure all
+      Iptables modules are installed in the
+      <filename class="directory">/lib/xtables</filename> directory.
+    </para>
+    <para>
+      <parameter>--with-pkgconfigdir=/usr/lib/pkgconfig</parameter>:
+      Ensure all the pkgconfig files are in the standard location.
+    </para>
+    <para>
+      <option>--enable-libipq</option>: This switch enables building
+      of <filename class="libraryfile">libipq.so</filename> which
+      can be used by some packages outside of BLFS.
+    </para>
+    <para>
+      <option>--enable-devel</option>: This switch enables installation
+      of <application>Iptables</application> development headers that
+      can be used by some packages outside of BLFS.
+    </para>
+    <para>
+      <command>ln -sfv xtables-multi /sbin/iptables-xml</command>: Ensure
+      the symbolic link for <command>iptables-xml</command> is relative.
+    </para>
   </sect2>
 …
     <title>Configuring Iptables</title>
+    <para>Introductory instructions for configuring your firewall are
+    presented in the next section: <xref linkend="fw-firewall"/></para>
+    <para>
+      Introductory instructions for configuring your firewall are
+      presented in the next section: <xref linkend="fw-firewall"/>
+    </para>
     <sect3  id="iptables-init">
       <title>Boot Script</title>
+      <para>To set up the iptables firewall at boot, install the
+      <filename>/etc/rc.d/init.d/iptables</filename> init script included
+      in the <xref linkend="bootscripts"/> package.</para>
+      <para>
+        To set up the iptables firewall at boot, install the
+        <filename>/etc/rc.d/init.d/iptables</filename> init script included
+        in the <xref linkend="bootscripts"/> package.
+      </para>
       <indexterm zone="iptables iptables-init">
 …
       <seglistitem>
+        <seg>iptables, iptables-restore, iptables-save, iptables-xml,
+        ip6tables, ip6tables-restore, ip6tables-save,
+        and xtables-multi</seg>
+        <seg>libip4tc.so, libip6tc.so, libiptc.so, libxtables.so,
+        and numerous modules in /lib/xtables</seg>
+        <seg>/lib/xtables, /usr/include/libiptc and /usr/share/xtables</seg>
+        <seg>
+          ip6tables, ip6tables-restore, ip6tables-save, iptables, iptables-restore,
+          iptables-save, iptables-xml and xtables-multi
+        </seg>
+        <seg>
+          libip4tc.so, libip6tc.so, libipq.so, libiptc.so and libxtables.so
+        </seg>
+        <seg>
+          /lib/xtables and /usr/include/libiptc
+        </seg>
       </seglistitem>
     </segmentedlist>
 …
         <term><command>iptables</command></term>
         <listitem>
+          <para>is used to set up, maintain, and inspect the tables of
+          IP packet filter rules in the Linux kernel.  It is a
+          symbolic link to xtables-multi.</para>
+          <para>
+            is used to set up, maintain, and inspect the tables of
+            IP packet filter rules in the Linux kernel.
+          </para>
           <indexterm zone="iptables iptables-prog">
             <primary sortas="b-iptables">iptables</primary>
 …
         <term><command>iptables-restore</command></term>
         <listitem>
+          <para>is used to restore IP Tables from data
+          specified on STDIN. Use I/O redirection provided by your
+          shell to read from a file. It is a symbolic link to
+          xtables-multi.</para>
+          <para>
+            is used to restore IP Tables from data specified on
+            STDIN. Use I/O redirection provided by your
+            shell to read from a file.
+          </para>
           <indexterm zone="iptables iptables-restore">
             <primary sortas="b-iptables-restore">iptables-restore</primary>
 …
         <term><command>iptables-save</command></term>
         <listitem>
+          <para>is used to dump the contents of an IP Table
+          in easily parseable format to STDOUT. Use I/O-redirection
+          provided by your shell to write to a file. It is a symbolic link to
+          xtables-multi.</para>
+          <para>
+            is used to dump the contents of an IP Table in easily
+            parseable format to STDOUT. Use I/O-redirection
+            provided by your shell to write to a file.
+          </para>
           <indexterm zone="iptables iptables-save">
             <primary sortas="b-iptables-save">iptables-save</primary>
 …
         <term><command>iptables-xml</command></term>
         <listitem>
+          <para>is used to convert the output of
+          <command>iptables-save</command> to an XML format. Using the
+          <filename>iptables.xslt</filename> stylesheet converts the XML
+          back to the format of <command>iptables-restore</command>.
+          It is a symbolic link to xtables-multi.</para>
+          <para>
+            is used to convert the output of
+            <command>iptables-save</command> to an XML format. Using the
+            <filename>iptables.xslt</filename> stylesheet converts the XML
+            back to the format of <command>iptables-restore</command>.
+          </para>
           <indexterm zone="iptables iptables-xml">
             <primary sortas="b-iptables-xml">iptables-xml</primary>
 …
         <term><command>ip6tables*</command></term>
         <listitem>
+          <para>are a set of commands for IPV6 that parallel the iptables
+          commands above.  All of these commands are symbolic
+          links to xtables-multi.</para>
+          <para>
+            are a set of commands for IPV6 that parallel the iptables
+            commands above.
+          </para>
           <indexterm zone="iptables ip6tables">
             <primary sortas="b-ip6tables">ip6tables</primary>

Note: See TracChangeset for help on using the changeset viewer.

Context Navigation

Changeset 4591404 for postlfs/security/iptables.xml

Legend:

postlfs/security/iptables.xml

Download in other formats: