iptables-1.8.4
Introduction to iptables
iptables is a userspace command-line program used to configure the packet filtering ruleset of Linux 2.4 and later kernels.
This package is known to build and work properly using an LFS-9.1 platform.
Package Information
iptables Dependencies
Optional
libpcap-1.9.1 (required for nfsynproxy support), bpf-utils (required for Berkeley Packet Filter support), libnfnetlink (required for connlabel support), and libnetfilter_conntrack (required for connlabel support)
User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/iptables
Kernel Configuration
A firewall in Linux is accomplished through the netfilter interface. To use iptables to configure netfilter, the following kernel configuration parameters are required:
[*] Networking support --->                                          [CONFIG_NET]
  Networking Options --->
    [*] Network packet filtering framework (Netfilter) --->          [CONFIG_NETFILTER]
      [*] Advanced netfilter configuration                           [CONFIG_NETFILTER_ADVANCED]
      Core Netfilter Configuration --->
        <*/M> Netfilter connection tracking support                  [CONFIG_NF_CONNTRACK]
        <*/M> Netfilter Xtables support (required for ip_tables)     [CONFIG_NETFILTER_XTABLES]
        <*/M> LOG target support                                     [CONFIG_NETFILTER_XT_TARGET_LOG]
      IP: Netfilter Configuration --->
        <*/M> IP tables support (required for filtering/masq/NAT)    [CONFIG_IP_NF_IPTABLES]
Include any connection tracking protocols that will be used, as well as any protocols that you wish to use for match support under the "Core Netfilter Configuration" section.
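Before building, it is worth confirming that the target kernel actually has the options above enabled. The following shell script is an added example, not part of the BLFS page: it checks a kernel .config (or /proc/config.gz) for the symbols listed above, distinguishing the "[*]" entries, which must be built in, from the "<*/M>" entries, which may also be modules. The sample config it writes is constructed for illustration and is deliberately incomplete.

```shell
# Added example, not from the BLFS page: check that a kernel .config enables
# the netfilter options the page lists before building iptables.
# Each symbol with the settings the page allows: "[*]" entries must be built
# in (y); "<*/M>" entries may be built in or modular (ym).
REQUIRED_SYMBOLS="
CONFIG_NET:y
CONFIG_NETFILTER:y
CONFIG_NETFILTER_ADVANCED:y
CONFIG_NF_CONNTRACK:ym
CONFIG_NETFILTER_XTABLES:ym
CONFIG_NETFILTER_XT_TARGET_LOG:ym
CONFIG_IP_NF_IPTABLES:ym
"

# config_value FILE SYMBOL: print y or m from a "SYMBOL=y"/"SYMBOL=m" line;
# print nothing if the symbol is absent or "# SYMBOL is not set".
# A .gz file (for example /proc/config.gz) is decompressed first.
config_value() {
    case "$1" in *.gz) zcat "$1" ;; *) cat "$1" ;; esac |
        sed -n "s/^$2=\([ym]\)$/\1/p" | head -n 1
}

# check_kconfig FILE: print one line per symbol that is missing or built the
# wrong way; return 0 only when every required symbol is satisfied.
check_kconfig() {
    status=0
    for entry in $REQUIRED_SYMBOLS; do
        sym=${entry%%:*}
        allowed=${entry#*:}
        case "$(config_value "$1" "$sym")" in
            y) ;;
            m) [ "$allowed" = ym ] ||
                   { echo "$sym: modular, must be built in (=y)"; status=1; } ;;
            *) echo "$sym: not set"; status=1 ;;
        esac
    done
    return $status
}

# Constructed sample config (not a real kernel's): connection tracking is
# disabled and the LOG target is absent, so the check has findings to report.
write_sample_config() {
    cat > "$1" <<'EOF'
CONFIG_NET=y
CONFIG_NETFILTER=y
CONFIG_NETFILTER_ADVANCED=y
# CONFIG_NF_CONNTRACK is not set
CONFIG_NETFILTER_XTABLES=m
CONFIG_IP_NF_IPTABLES=m
EOF
}
```

Against a live system, run `check_kconfig /proc/config.gz` or `check_kconfig /boot/config-$(uname -r)`, whichever your distribution exposes.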
Installation of iptables
Note
The installation below does not include building some specialized extension libraries which require the raw headers in the Linux source code. If you wish to build the additional extensions (if you aren't sure, then you probably don't), you can look at the INSTALL file to see an example of how to change the KERNEL_DIR= parameter to point at the Linux source code. Note that if you upgrade the kernel version, you may also need to recompile iptables, and that the BLFS team has not tested using the raw kernel headers.
Install iptables by running the following commands:

./configure --prefix=/usr      \
            --sbindir=/sbin    \
            --disable-nftables \
            --enable-libipq    \
            --with-xtlibdir=/lib/xtables &&
make
This package does not come with a test suite.
Now, as the root user:

make install &&
ln -sfv ../../sbin/xtables-legacy-multi /usr/bin/iptables-xml &&

for file in ip4tc ip6tc ipq xtables
do
  mv -v /usr/lib/lib${file}.so.* /lib &&
  ln -sfv ../../lib/$(readlink /usr/lib/lib${file}.so) /usr/lib/lib${file}.so
done
Command Explanations
--disable-nftables: This switch disables building the nftables compatibility layer.

--enable-libipq: This switch enables building of libipq.so, which can be used by some packages outside of BLFS.

--with-xtlibdir=/lib/xtables: Ensures all iptables modules are installed in the /lib/xtables directory.

--enable-nfsynproxy: This switch enables installation of the nfsynproxy SYNPROXY configuration tool.

ln -sfv ../../sbin/xtables-legacy-multi /usr/bin/iptables-xml: Ensures the symbolic link for iptables-xml is relative.
Contents
Installed Programs: ip6tables, ip6tables-restore, ip6tables-save, iptables, iptables-restore, iptables-save, iptables-xml, nfsynproxy (optional) and xtables-multi

Installed Libraries: libip4tc.so, libip6tc.so, libipq.so, libiptc.so, and libxtables.so

Installed Directories: /lib/xtables and /usr/include/libiptc
Short Descriptions
iptables: is used to set up, maintain, and inspect the tables of IP packet filter rules in the Linux kernel.

iptables-restore: is used to restore IP Tables from data specified on STDIN. Use I/O redirection provided by your shell to read from a file.

iptables-save: is used to dump the contents of an IP Table in an easily parsable format to STDOUT. Use I/O redirection provided by your shell to write to a file.

iptables-xml: is used to convert the output of iptables-save to an XML format. Using the iptables.xslt stylesheet converts the XML back to the format of iptables-restore.

ip6tables*: are a set of commands for IPv6 that parallel the iptables commands above.

nfsynproxy: (optional) configuration tool. The SYNPROXY target makes handling of large SYN floods possible without the large performance penalties imposed by connection tracking in such cases.

xtables-multi: is a binary that behaves according to the name it is called by.
Last updated on 2020-02-26 08:20:10 -0800