iptables-1.2.7a

The next part of this chapter deals with firewalling. The principal firewalling tool for Linux, as of the 2.4 kernel series, is iptables. It replaces ipchains from the 2.2 series and ipfwadm from the 2.0 series. You will need to install iptables if you intend to use any form of firewalling.

Introduction to iptables

Download location (HTTP):       http://www.iptables.org/files/iptables-1.2.7a.tar.bz2
Download location (FTP):        ftp://ftp.netfilter.org/pub/iptables/iptables-1.2.7a.tar.bz2
Version used:                   1.2.7a
Package size:                   115 KB
Estimated Disk space required:  2.4 MB

To use firewalling, as well as installing iptables, you will need to configure the relevant options into your kernel. This is discussed in the next part of this chapter - getting a firewalling-enabled Kernel.

If you intend to use IPv6 you might consider extending the kernel by running make patch-o-matic in the top-level directory of the sources of iptables. If you are going to do this, on a freshly untarred kernel, you need to run yes "" | make config && make dep first because otherwise the patch-o-matic command is likely to fail while setting up some dependencies.

If you are going to patch the kernel, you need to do it before you compile iptables, because during the compilation the kernel source tree is checked (if it is available at /usr/src/linux) to see which features are available. Support will only be compiled into iptables for the features recognized at compile-time. Applying a kernel patch may result in errors, often because the hooks for the patches have changed or because the runme script doesn't recognize that a patch has already been incorporated.

Note that for most people, patching the kernel is unnecessary. With the later 2.4.x kernels, most functionality is already available and those who need to patch it are generally those who need a specific feature; if you don't know why you need to patch the kernel, you're unlikely to need to!

Installation of iptables

Install iptables by running the following commands:

make PREFIX=/usr &&
make PREFIX=/usr install

Command explanations

PREFIX=/usr : Compiles and installs iptables into the /usr hierarchy instead of /usr/local.

Contents

The iptables-package contains iptables, ip6tables and some libraries.

Description

iptables

iptables is used to set up, maintain, and inspect the tables of IP packet filter rules in the Linux kernel.

iptables-save, iptables-restore

These are used to save and to restore your elaborated set of chains and rules. Until iptables-1.2.5 they were declared experimental.
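The following script is an added example, not part of the original page or the iptables package. It shows a minimal stateful default-deny ruleset written in the format that iptables-restore reads, a sanity check that guards against locking yourself out (loopback and established connections must still be accepted when the INPUT policy is DROP), and the save/restore round trip. The external interface name eth0, the SSH port and the file path /etc/iptables.rules are assumptions; applying the rules needs root and an installed iptables.

```shell
#!/bin/sh
# Added example (not from the original page): a minimal default-deny
# ruleset for iptables-1.2.x plus an iptables-save / iptables-restore
# helper. EXT_IF and RULES_FILE are assumed values, override via environment.

EXT_IF="${EXT_IF:-eth0}"                          # assumed external interface
RULES_FILE="${RULES_FILE:-/etc/iptables.rules}"   # assumed save location

# Print a stateful default-deny ruleset in iptables-restore format.
# Policy: drop everything inbound by default, allow loopback, allow replies
# to connections this host started, allow new SSH connections, then log
# (rate-limited) and drop whatever is left.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $EXT_IF -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables drop: "
-A INPUT -j DROP
COMMIT
EOF
}

# Number of rules appended to the INPUT chain (cheap consistency check).
count_input_rules() {
    gen_rules | grep -c '^-A INPUT'
}

# Sanity check before applying: the INPUT policy must be DROP, but loopback
# and established/related traffic must be accepted or a remote admin is
# locked out; the table must be terminated by COMMIT or restore fails.
check_rules() {
    r=$(gen_rules)
    echo "$r" | grep -q '^:INPUT DROP' || return 1
    echo "$r" | grep -q -- '-i lo -j ACCEPT' || return 1
    echo "$r" | grep -q -- 'ESTABLISHED,RELATED' || return 1
    echo "$r" | grep -q '^COMMIT$' || return 1
    return 0
}

# Load the ruleset atomically with iptables-restore, then persist the live
# tables with iptables-save so they can be reloaded at boot with
# "iptables-restore < $RULES_FILE". Requires root and iptables on PATH.
apply_rules() {
    command -v iptables-restore >/dev/null 2>&1 || {
        echo "iptables-restore not found" >&2; return 1; }
    check_rules || { echo "ruleset failed sanity check" >&2; return 1; }
    gen_rules | iptables-restore && iptables-save > "$RULES_FILE"
}
```

Run "gen_rules" to inspect the ruleset, and "apply_rules" as root to load and persist it. iptables-restore replaces the whole filter table in one step, which is why a generated file is preferable to a sequence of individual iptables commands: a half-applied ruleset never exists.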

ip6tables

This is the same as iptables but for use with IPv6. As of v1.2.5, it is not as complete as the standard IPv4 version, especially with regard to some of the modules.

libip*.so

These are various modules (implemented as dynamic libraries) which extend the core functionality of iptables.