Iptables-1.4.20

Introduction to Iptables

The next part of this chapter deals with firewalls. The principal firewall tool for Linux is Iptables. You will need to install Iptables if you intend on using any form of a firewall.

This package is known to build and work properly using an LFS-7.4 platform.

Package Information

User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/iptables

Kernel Configuration

A firewall in Linux is accomplished through a portion of the kernel called netfilter. The interface to netfilter is Iptables. To use it, the appropriate kernel configuration parameters are found in Networking Support ⇒ Networking Options ⇒ Network Packet Filtering Framework.

Installation of Iptables

[Note]

Note

The installation below does not include building some specialized extension libraries which require the raw headers in the Linux source code. If you wish to build the additional extensions (if you aren't sure, then you probably don't), you can look at the INSTALL file to see an example of how to change the KERNEL_DIR= parameter to point at the Linux source code. Note that if you upgrade the kernel version, you may also need to recompile Iptables and that the BLFS team has not tested using the raw kernel headers.

For some non-x86 architectures, the raw kernel headers may be required. In that case, modify the KERNEL_DIR= parameter to point at the Linux source code.

Install Iptables by running the following commands:

./configure --prefix=/usr                          \
            --exec-prefix=                         \
            --bindir=/usr/bin                      \
            --with-xtlibdir=/lib/xtables           \
            --with-pkgconfigdir=/usr/lib/pkgconfig \
            --enable-libipq                        \
            --enable-devel &&
make

This package does not come with a test suite.

Now, as the root user:

make install &&
ln -sfv ../../sbin/xtables-multi /usr/bin/iptables-xml &&
for file in libip4tc libip6tc libipq libiptc libxtables
do
  ln -sfv ../../lib/`readlink /lib/${file}.so` /usr/lib/${file}.so &&
  rm -v /lib/${file}.so &&
  mv -v /lib/${file}.la /usr/lib &&
  sed -i "s@libdir='@&/usr@g" /usr/lib/${file}.la
done

Command Explanations

--exec-prefix=: Ensure all binaries and libraries end up in / directory tree.

--with-xtlibdir=/lib/xtables: Ensure all Iptables modules are installed in the /lib/xtables directory.

--with-pkgconfigdir=/usr/lib/pkgconfig: Ensure all the pkgconfig files are in the standard location.

--enable-libipq: This switch enables building of libipq.so which can be used by some packages outside of BLFS.

--enable-devel: This switch enables installation of Iptables development headers that can be used by some packages outside of BLFS.

ln -sfv ../../sbin/xtables-multi /usr/bin/iptables-xml: Ensure the symbolic link for iptables-xml is relative.

Configuring Iptables

Introductory instructions for configuring your firewall are presented in the next section: Firewalling

Boot Script

To set up the iptables firewall at boot, install the /etc/rc.d/init.d/iptables init script included in the blfs-bootscripts-20130908 package.

make install-iptables

Contents

Installed Programs: ip6tables, ip6tables-restore, ip6tables-save, iptables, iptables-restore, iptables-save, iptables-xml, and xtables-multi
Installed Libraries: libip4tc.so, libip6tc.so, libipq.so, libiptc.so, and libxtables.so
Installed Directories: /lib/xtables and /usr/include/libiptc

Short Descriptions

iptables

is used to set up, maintain, and inspect the tables of IP packet filter rules in the Linux kernel.

iptables-restore

is used to restore IP Tables from data specified on STDIN. Use I/O redirection provided by your shell to read from a file.

iptables-save

is used to dump the contents of an IP Table in easily parseable format to STDOUT. Use I/O-redirection provided by your shell to write to a file.

iptables-xml

is used to convert the output of iptables-save to an XML format. Using the iptables.xslt stylesheet converts the XML back to the format of iptables-restore.

ip6tables*

are a set of commands for IPV6 that parallel the iptables commands above.

Last updated on 2013-08-20 13:22:42 -0700