Changeset 71072bbe
- Timestamp:
- 05/14/2005 11:01:30 AM (19 years ago)
- Branches:
- 10.0, 10.1, 11.0, 11.1, 11.2, 11.3, 12.0, 12.1, 6.1, 6.2, 6.2.0, 6.2.0-rc1, 6.2.0-rc2, 6.3, 6.3-rc1, 6.3-rc2, 6.3-rc3, 7.10, 7.4, 7.5, 7.6, 7.6-blfs, 7.6-systemd, 7.7, 7.8, 7.9, 8.0, 8.1, 8.2, 8.3, 8.4, 9.0, 9.1, basic, bdubbs/svn, elogind, gnome, kde5-13430, kde5-14269, kde5-14686, kea, ken/TL2024, ken/inkscape-core-mods, ken/tuningfonts, krejzi/svn, lazarus, lxqt, nosym, perl-modules, plabs/newcss, plabs/python-mods, python3.11, qt5new, rahul/power-profiles-daemon, renodr/vulkan-addition, systemd-11177, systemd-13485, trunk, upgradedb, xry111/intltool, xry111/llvm18, xry111/soup3, xry111/test-20220226, xry111/xf86-video-removal
- Children:
- c7eb655
- Parents:
- 3493b1f
- File:
- 1 edited
postlfs/security/iptables.xml
r3493b1f r71072bbe 14 14 15 15 <sect1 id="iptables" xreflabel="iptables-&iptables-version;"> 16 <sect1info>17 <othername>$LastChangedBy$</othername> 18 <date>$Date$</date>19 </sect1info>20 <?dbhtml filename="iptables.html"?>21 <title>iptables-&iptables-version;</title>22 23 <indexterm zone="iptables">24 <primary sortas="a-Iptables">Iptables</primary> 25 </indexterm>26 27 <para>The next part of this chapter deals with firewalls. The principal 28 firewall tool for Linux, as of the 2.4 kernel series, is 29 <application>iptables</application>. It replaces 30 <application>ipchains</application> from the 2.2 series and 31 <application>ipfwadm</application> from the 2.0 series. You will need to 32 install <application>iptables</application> if you intend on using any form of 33 a firewall.</para> 34 35 <sect2 id='iptables-kernel'> 36 <title>Introduction to <application>iptables</application></title> 37 38 <para>A firewall in Linux is accomplished through a portion of the kernel 39 called netfilter. The interface to netfilter is <application>iptables</application>. 40 To use it, the appropriate kernel configuration parameters are found in 41 Device Drivers -> Networking Support -> Networking Options -> 42 Network Packet Filtering -> IP: Netfilter Configuration. 
43 44 <indexterm zone="iptables iptables-kernel"> 45 <primary sortas="d-iptables">Iptables</primary>46 </indexterm>47 48 </para>49 50 <sect3>51 <title>Package information</title>52 <itemizedlist spacing='compact'>53 <listitem><para>Download (HTTP): <ulink url="&iptables-download-http;"/></para></listitem>54 <listitem><para>Download (FTP): <ulink url="&iptables-download-ftp;"/></para></listitem>55 <listitem><para>Download MD5 sum: &iptables-md5sum;</para></listitem>56 <listitem><para>Download size: &iptables-size;</para></listitem>57 <listitem><para>Estimated disk space required: &iptables-buildsize;</para></listitem>58 <listitem><para>Estimated build time: &iptables-time;</para></listitem>59 </itemizedlist>60 </sect3>16 <?dbhtml filename="iptables.html"?> 17 18 <sect1info> 19 <othername>$LastChangedBy$</othername> 20 <date>$Date$</date> 21 </sect1info> 22 23 <title>Iptables-&iptables-version;</title> 24 25 <indexterm zone="iptables"> 26 <primary sortas="a-Iptables">Iptables</primary> 27 </indexterm> 28 29 <sect2 role="package"> 30 <title>Introduction to Iptables</title> 31 32 <para>The next part of this chapter deals with firewalls. The principal 33 firewall tool for Linux, as of the 2.4 kernel series, is 34 <application>iptables</application>. It replaces 35 <application>ipchains</application> from the 2.2 series and 36 <application>ipfwadm</application> from the 2.0 series. 
You will need to 37 install <application>iptables</application> if you intend on using any 38 form of a firewall.</para> 39 40 <bridgehead renderas="sect3">Package Information</bridgehead> 41 <itemizedlist spacing="compact"> 42 <listitem> 43 <para>Download (HTTP): <ulink url="&iptables-download-http;"/></para> 44 </listitem> 45 <listitem> 46 <para>Download (FTP): <ulink url="&iptables-download-ftp;"/></para> 47 </listitem> 48 <listitem> 49 <para>Download MD5 sum: &iptables-md5sum;</para> 50 </listitem> 51 <listitem> 52 <para>Download size: &iptables-size;</para> 53 </listitem> 54 <listitem> 55 <para>Estimated disk space required: &iptables-buildsize;</para> 56 </listitem> 57 <listitem> 58 <para>Estimated build time: &iptables-time;</para> 59 </listitem> 60 </itemizedlist> 61 61 62 62 </sect2> 63 63 64 <sect2> 65 <title>Installation of <application>iptables</application></title> 66 67 <note> 68 <para>Installation of <application>iptables</application> will fail if raw 69 kernel headers are found in <filename class='directory'>/usr/src/linux</filename> 70 either as actual files or a symlink. As of the Linux 2.6 kernel series, 71 this directory should no longer exist because appropriate headers were installed 72 in the linux-libc-headers package during the base <acronym>LFS</acronym> installation. 73 </para> 74 75 <para>For some non-x86 architectures, the raw kernel headers may be required. 
76 In that case, add the environment variable KERNEL_DIR=/usr/src/linux to the 77 make commands below.</para> 78 </note> 79 80 <para>Install <application>iptables</application> by running the following 81 commands:</para> 82 83 <screen><userinput><command>make PREFIX=/usr LIBDIR=/lib BINDIR=/sbin</command></userinput></screen> 84 85 <para>Now, as the root user:</para> 86 87 <screen><userinput role='root'><command>make PREFIX=/usr LIBDIR=/lib BINDIR=/sbin install</command></userinput></screen> 88 89 </sect2> 90 91 <sect2> 92 <title>Command explanations</title> 93 94 <para><parameter>PREFIX=/usr LIBDIR=/lib BINDIR=/sbin</parameter>: Compiles 95 and installs <application>iptables</application> libraries into 96 <filename class="directory">/lib</filename>, binaries into 97 <filename class="directory">/sbin</filename> and the remainder into the 98 <filename class="directory">/usr</filename> hierarchy instead of 99 <filename class="directory">/usr/local</filename>. Firewalls are 100 generally activated during the boot process and 101 <filename class="directory">/usr</filename> may not be mounted at that 102 time.</para> 103 104 </sect2> 105 106 <sect2> 107 <title>Installing the iptables bootscript</title> 108 109 <para id="iptables-init">To set up the iptables firewall at boot, install the 110 <filename>/etc/rc.d/init.d/iptables</filename> init script included in the 111 <xref linkend="intro-important-bootscripts"/> package.</para> 112 113 <indexterm zone="iptables iptables-init"> 114 <primary sortas="f-iptables">iptables</primary> 115 </indexterm> 116 117 <screen><userinput role='root'><command>make install-iptables</command></userinput></screen> 118 119 <para>Introductory instructions for configuring your firewall are presented 120 in the next section: <xref linkend='fw-firewall'/> </para> 121 122 </sect2> 123 124 125 <sect2> 126 <title>Contents</title> 127 128 <segmentedlist> 129 <segtitle>Installed Programs</segtitle> 130 <segtitle>Installed Libraries</segtitle> 131 
<segtitle>Installed Directory</segtitle> 132 133 <seglistitem> 134 <seg>iptables, iptables-restore, iptables-save and ip6tables</seg> 135 <seg>libip6t_*.so and libipt_*.so</seg> 136 <seg>/lib/iptables</seg> 137 </seglistitem> 138 </segmentedlist> 139 140 <variablelist> 141 <bridgehead renderas="sect3">Short Descriptions</bridgehead> 142 <?dbfo list-presentation="list"?> 143 144 <varlistentry id="iptables-prog"> 145 <term><command>iptables</command></term> 146 <listitem><para>is used to set up, maintain, and inspect the tables of 147 <acronym>IP</acronym> packet filter rules in the Linux kernel.</para> 148 <indexterm zone="iptables iptables-prog"> 149 <primary sortas="b-iptables">iptables</primary> 64 <sect2 role="kernel" id='iptables-kernel'> 65 <title>Kernel Configuration</title> 66 67 <para>A firewall in Linux is accomplished through a portion of the 68 kernel called netfilter. The interface to netfilter is 69 <application>iptables</application>. To use it, the appropriate 70 kernel configuration parameters are found in Device Drivers -> 71 Networking Support -> Networking Options -> 72 Network Packet Filtering -> IP: Netfilter Configuration.</para> 73 74 <indexterm zone="iptables iptables-kernel"> 75 <primary sortas="d-iptables">Iptables</primary> 150 76 </indexterm> 151 </listitem> 152 </varlistentry> 153 154 <varlistentry id="iptables-restore"> 155 <term><command>iptables-restore</command></term> 156 <listitem><para>is used to restore <acronym>IP</acronym> Tables from data 157 specified on <acronym>STDIN</acronym>. 
Use I/O redirection provided by your 158 shell to read from a file.</para> 159 <indexterm zone="iptables iptables-restore"> 160 <primary sortas="b-iptables-restore">iptables-restore</primary> 161 </indexterm> 162 </listitem> 163 </varlistentry> 164 165 <varlistentry id="iptables-save"> 166 <term><command>iptables-save</command></term> 167 <listitem><para>is used to dump the contents of an <acronym>IP</acronym> Table 168 in easily parseable format to <acronym>STDOUT</acronym>. Use I/O-redirection 169 provided by your shell to write to a file.</para> 170 <indexterm zone="iptables iptables-save"> 171 <primary sortas="b-iptables-save">iptables-save</primary> 172 </indexterm> 173 </listitem> 174 </varlistentry> 175 176 <varlistentry id="ip6tables"> 177 <term><command>ip6tables</command></term> 178 <listitem><para>is used to set up, maintain, and inspect the tables of 179 <acronym>IP</acronym>v6 packet filter rules in the Linux kernel. Several 180 different tables may be defined. Each table contains a number of built-in 181 chains and may also contain user-defined chains.</para> 182 <indexterm zone="iptables ip6tables"> 183 <primary sortas="b-ip6tables">ip6tables</primary> 184 </indexterm> 185 </listitem> 186 </varlistentry> 187 188 <varlistentry id="libip-iptables"> 189 <term><filename class='libraryfile'>libip*.so</filename></term> 190 <listitem><para>library modules are various modules (implemented as dynamic 191 libraries) which extend the core functionality of 192 <command>iptables</command>.</para> 193 <indexterm zone="iptables libip-iptables"> 194 <primary sortas="c-libip-iptables">libip*.so</primary> 195 </indexterm> 196 </listitem> 197 </varlistentry> 198 199 </variablelist> 200 </sect2> 77 78 </sect2> 79 80 <sect2 role="installation"> 81 <title>Installation of Iptables</title> 82 83 <note> 84 <para>Installation of <application>iptables</application> will fail 85 if raw kernel headers are found in <filename 86 class='directory'>/usr/src/linux</filename> either 
as actual files 87 or a symlink. As of the Linux 2.6 kernel series, this directory 88 should no longer exist because appropriate headers were installed 89 in the linux-libc-headers package during the base LFS installation.</para> 90 91 <para>For some non-x86 architectures, the raw kernel headers may be 92 required. In that case, add the environment variable 93 <envar>KERNEL_DIR=/usr/src/linux</envar> to the make commands below.</para> 94 </note> 95 96 <para>Install <application>iptables</application> by running the following 97 commands:</para> 98 99 <screen><userinput>make PREFIX=/usr LIBDIR=/lib BINDIR=/sbin</userinput></screen> 100 101 <para>Now, as the <systemitem class="username">root</systemitem> user:</para> 102 103 <screen role="root"><userinput>make PREFIX=/usr LIBDIR=/lib BINDIR=/sbin install</userinput></screen> 104 105 </sect2> 106 107 <sect2 role="commands"> 108 <title>Command Explanations</title> 109 110 <para><parameter>PREFIX=/usr LIBDIR=/lib BINDIR=/sbin</parameter>: 111 Compiles and installs <application>iptables</application> libraries 112 into <filename class="directory">/lib</filename>, binaries into 113 <filename class="directory">/sbin</filename> and the remainder into 114 the <filename class="directory">/usr</filename> hierarchy instead of 115 <filename class="directory">/usr/local</filename>. 
Firewalls are 116 generally activated during the boot process and 117 <filename class="directory">/usr</filename> may not be mounted at 118 that time.</para> 119 120 </sect2> 121 122 <sect2 role="configuration"> 123 <title>Configuring Iptables</title> 124 125 <para>Introductory instructions for configuring your firewall are 126 presented in the next section: <xref linkend='fw-firewall'/></para> 127 128 <sect3 id="iptables-init"> 129 <title>Boot Script</title> 130 131 <para>To set up the iptables firewall at boot, install the 132 <filename>/etc/rc.d/init.d/iptables</filename> init script included 133 in the <xref linkend="intro-important-bootscripts"/> package.</para> 134 135 <indexterm zone="iptables iptables-init"> 136 <primary sortas="f-iptables">iptables</primary> 137 </indexterm> 138 139 <screen role="root"><userinput>make install-iptables</userinput></screen> 140 141 </sect3> 142 143 </sect2> 144 145 <sect2 role="content"> 146 <title>Contents</title> 147 148 <segmentedlist> 149 <segtitle>Installed Programs</segtitle> 150 <segtitle>Installed Libraries</segtitle> 151 <segtitle>Installed Directory</segtitle> 152 153 <seglistitem> 154 <seg>iptables, iptables-restore, iptables-save and ip6tables</seg> 155 <seg>libip6t_*.so and libipt_*.so</seg> 156 <seg>/lib/iptables</seg> 157 </seglistitem> 158 </segmentedlist> 159 160 <variablelist> 161 <bridgehead renderas="sect3">Short Descriptions</bridgehead> 162 <?dbfo list-presentation="list"?> 163 <?dbhtml list-presentation="table"?> 164 165 <varlistentry id="iptables-prog"> 166 <term><command>iptables</command></term> 167 <listitem> 168 <para>is used to set up, maintain, and inspect the tables of 169 IP packet filter rules in the Linux kernel.</para> 170 <indexterm zone="iptables iptables-prog"> 171 <primary sortas="b-iptables">iptables</primary> 172 </indexterm> 173 </listitem> 174 </varlistentry> 175 176 <varlistentry id="iptables-restore"> 177 <term><command>iptables-restore</command></term> 178 <listitem> 179 <para>is 
used to restore IP Tables from data 180 specified on STDIN. Use I/O redirection provided by your 181 shell to read from a file.</para> 182 <indexterm zone="iptables iptables-restore"> 183 <primary sortas="b-iptables-restore">iptables-restore</primary> 184 </indexterm> 185 </listitem> 186 </varlistentry> 187 188 <varlistentry id="iptables-save"> 189 <term><command>iptables-save</command></term> 190 <listitem> 191 <para>is used to dump the contents of an IP Table 192 in easily parseable format to STDOUT. Use I/O-redirection 193 provided by your shell to write to a file.</para> 194 <indexterm zone="iptables iptables-save"> 195 <primary sortas="b-iptables-save">iptables-save</primary> 196 </indexterm> 197 </listitem> 198 </varlistentry> 199 200 <varlistentry id="ip6tables"> 201 <term><command>ip6tables</command></term> 202 <listitem> 203 <para>is used to set up, maintain, and inspect the tables of 204 IPv6 packet filter rules in the Linux kernel. Several different 205 tables may be defined. Each table contains a number of built-in 206 chains and may also contain user-defined chains.</para> 207 <indexterm zone="iptables ip6tables"> 208 <primary sortas="b-ip6tables">ip6tables</primary> 209 </indexterm> 210 </listitem> 211 </varlistentry> 212 213 <varlistentry id="libip-iptables"> 214 <term><filename class='libraryfile'>libip*.so</filename></term> 215 <listitem> 216 <para>library modules are various modules (implemented as dynamic 217 libraries) which extend the core functionality of 218 <command>iptables</command>.</para> 219 <indexterm zone="iptables libip-iptables"> 220 <primary sortas="c-libip-iptables">libip*.so</primary> 221 </indexterm> 222 </listitem> 223 </varlistentry> 224 225 </variablelist> 226 227 </sect2> 228 201 229 </sect1>
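Review bot: in the installation hunk, `<envar>KERNEL_DIR=/usr/src/linux</envar>` tags the whole assignment as an environment variable name, whereas DocBook's `envar` is meant for the variable alone, and the "Command Explanations" hunk of this same change marks make arguments with `<parameter>PREFIX=/usr LIBDIR=/lib BINDIR=/sbin</parameter>`. Consider `<envar>KERNEL_DIR</envar>=<filename class="directory">/usr/src/linux</filename>`, or `<parameter>` to match the other section. Since the surrounding note states that the build fails when `/usr/src/linux` exists as real files or as a symlink, it would also help the reader to say how to confirm that the directory is absent before running the first `make` command, rather than leaving them to discover it from a failed build.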
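Review bot: attribute quoting is mixed within the new configuration and installation hunks: `<xref linkend='fw-firewall'/>`, `<filename class='directory'>` and `<sect2 role="kernel" id='iptables-kernel'>` use single quotes while `<xref linkend="intro-important-bootscripts"/>`, `<sect2 role="configuration">` and `<screen role="root">` on the same lines use double quotes. Both forms are valid XML, but since this change already normalises the `role` attributes and the root `<screen>` markup, normalising the quotes to double at the same time would keep the file consistent and avoid a second cosmetic commit.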