mirror of
https://github.com/Zeckmathederg/glfs.git
synced 2025-02-01 04:52:12 +08:00
32739aff9f
git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@5992 af4574ff-66df-0310-9fd7-8a98e5e911e0
250 lines
9.2 KiB
XML
250 lines
9.2 KiB
XML
<?xml version="1.0" encoding="ISO-8859-1"?>
|
|
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
|
|
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd" [
|
|
<!ENTITY % general-entities SYSTEM "../../general.ent">
|
|
%general-entities;
|
|
|
|
<!-- Inserted as a reminder to do this. The mention of a test suite
|
|
is usually right before the root user installation commands. Please
|
|
delete these 12 (including one blank) lines after you are done.-->
|
|
|
|
<!-- Use one of the two mentions below about a test suite,
|
|
delete the line that is not applicable. Of course, if the
|
|
test suite uses syntax other than "make check", revise the
|
|
line to reflect the actual syntax to run the test suite -->
|
|
|
|
<!-- <para>This package does not come with a test suite.</para> -->
|
|
<!-- <para>To test the results, issue: <command>make check</command>.</para> -->
|
|
|
|
<!ENTITY iptables-download-http "http://www.iptables.org/files/iptables-&iptables-version;.tar.bz2">
|
|
<!ENTITY iptables-download-ftp "ftp://ftp.netfilter.org/pub/iptables/iptables-&iptables-version;.tar.bz2">
|
|
<!ENTITY iptables-md5sum "00fb916fa8040ca992a5ace56d905ea5">
|
|
<!ENTITY iptables-size "187 KB">
|
|
<!ENTITY iptables-buildsize "5.0 MB">
|
|
<!ENTITY iptables-time "0.2 SBU">
|
|
]>
|
|
|
|
<sect1 id="iptables" xreflabel="iptables-&iptables-version;">
|
|
<?dbhtml filename="iptables.html"?>
|
|
|
|
<sect1info>
|
|
<othername>$LastChangedBy$</othername>
|
|
<date>$Date$</date>
|
|
<keywordset>
|
|
<keyword role="package">iptables-&iptables-version;.tar</keyword>
|
|
<keyword role="ftpdir">iptables</keyword>
|
|
</keywordset>
|
|
</sect1info>
|
|
|
|
<title>Iptables-&iptables-version;</title>
|
|
|
|
<indexterm zone="iptables">
|
|
<primary sortas="a-Iptables">Iptables</primary>
|
|
</indexterm>
|
|
|
|
<sect2 role="package">
|
|
<title>Introduction to Iptables</title>
|
|
|
|
<para>The next part of this chapter deals with firewalls. The principal
|
|
firewall tool for Linux, as of the 2.4 kernel series, is
|
|
<application>iptables</application>. It replaces
|
|
<application>ipchains</application> from the 2.2 series and
|
|
<application>ipfwadm</application> from the 2.0 series. You will need to
|
|
install <application>iptables</application> if you intend on using any
|
|
form of a firewall.</para>
|
|
|
|
<bridgehead renderas="sect3">Package Information</bridgehead>
|
|
<itemizedlist spacing="compact">
|
|
<listitem>
|
|
<para>Download (HTTP): <ulink url="&iptables-download-http;"/></para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>Download (FTP): <ulink url="&iptables-download-ftp;"/></para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>Download MD5 sum: &iptables-md5sum;</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>Download size: &iptables-size;</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>Estimated disk space required: &iptables-buildsize;</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>Estimated build time: &iptables-time;</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
<para condition="html" role="usernotes">User Notes:
|
|
<ulink url="&blfs-wiki;/iptables"/></para>
|
|
|
|
</sect2>
|
|
|
|
<sect2 role="kernel" id='iptables-kernel'>
|
|
<title>Kernel Configuration</title>
|
|
|
|
<para>A firewall in Linux is accomplished through a portion of the
|
|
kernel called netfilter. The interface to netfilter is
|
|
<application>iptables</application>. To use it, the appropriate
|
|
kernel configuration parameters are found in Networking ⇒
|
|
Networking Options ⇒ Network Packet Filtering ⇒
|
|
Core Netfilter Configuration (and) IP: Netfilter Configuration.</para>
|
|
|
|
<indexterm zone="iptables iptables-kernel">
|
|
<primary sortas="d-iptables">Iptables</primary>
|
|
</indexterm>
|
|
|
|
</sect2>
|
|
|
|
<sect2 role="installation">
|
|
<title>Installation of Iptables</title>
|
|
|
|
<note>
|
|
<para>Installation of <application>iptables</application> will fail
|
|
if raw kernel headers are found in <filename
|
|
class='directory'>/usr/src/linux</filename> either as actual files
|
|
or a symlink. As of the Linux 2.6 kernel series, this directory
|
|
should no longer exist because appropriate headers were installed
|
|
from the <application>Linux-Libc-Headers</application> package during
|
|
the base LFS installation.</para>
|
|
|
|
<para>For some non-x86 architectures, the raw kernel headers may be
|
|
required. In that case, add the environment variable
|
|
<envar>KERNEL_DIR=/usr/src/linux</envar> to the make commands below.</para>
|
|
</note>
|
|
|
|
<para>Install <application>iptables</application> by running the following
|
|
commands:</para>
|
|
|
|
<screen><userinput>make PREFIX=/usr LIBDIR=/lib BINDIR=/sbin</userinput></screen>
|
|
|
|
<para>Now, as the <systemitem class="username">root</systemitem> user:</para>
|
|
|
|
<screen role="root"><userinput>make PREFIX=/usr LIBDIR=/lib BINDIR=/sbin install</userinput></screen>
|
|
|
|
</sect2>
|
|
|
|
<sect2 role="commands">
|
|
<title>Command Explanations</title>
|
|
|
|
<para><parameter>PREFIX=/usr LIBDIR=/lib BINDIR=/sbin</parameter>:
|
|
Compiles and installs <application>iptables</application> libraries
|
|
into <filename class="directory">/lib</filename>, binaries into
|
|
<filename class="directory">/sbin</filename> and the remainder into
|
|
the <filename class="directory">/usr</filename> hierarchy instead of
|
|
<filename class="directory">/usr/local</filename>. Firewalls are
|
|
generally activated during the boot process and
|
|
<filename class="directory">/usr</filename> may not be mounted at
|
|
that time.</para>
|
|
|
|
</sect2>
|
|
|
|
<sect2 role="configuration">
|
|
<title>Configuring Iptables</title>
|
|
|
|
<para>Introductory instructions for configuring your firewall are
|
|
presented in the next section: <xref linkend='fw-firewall'/></para>
|
|
|
|
<sect3 id="iptables-init">
|
|
<title>Boot Script</title>
|
|
|
|
<para>To set up the iptables firewall at boot, install the
|
|
<filename>/etc/rc.d/init.d/iptables</filename> init script included
|
|
in the <xref linkend="bootscripts"/> package.</para>
|
|
|
|
<indexterm zone="iptables iptables-init">
|
|
<primary sortas="f-iptables">iptables</primary>
|
|
</indexterm>
|
|
|
|
<screen role="root"><userinput>make install-iptables</userinput></screen>
|
|
|
|
</sect3>
|
|
|
|
</sect2>
|
|
|
|
<sect2 role="content">
|
|
<title>Contents</title>
|
|
|
|
<segmentedlist>
|
|
<segtitle>Installed Programs</segtitle>
|
|
<segtitle>Installed Libraries</segtitle>
|
|
<segtitle>Installed Directory</segtitle>
|
|
|
|
<seglistitem>
|
|
<seg>iptables, iptables-restore, iptables-save and ip6tables</seg>
|
|
<seg>libip6t_*.so and libipt_*.so</seg>
|
|
<seg>/lib/iptables</seg>
|
|
</seglistitem>
|
|
</segmentedlist>
|
|
|
|
<variablelist>
|
|
<bridgehead renderas="sect3">Short Descriptions</bridgehead>
|
|
<?dbfo list-presentation="list"?>
|
|
<?dbhtml list-presentation="table"?>
|
|
|
|
<varlistentry id="iptables-prog">
|
|
<term><command>iptables</command></term>
|
|
<listitem>
|
|
<para>is used to set up, maintain, and inspect the tables of
|
|
IP packet filter rules in the Linux kernel.</para>
|
|
<indexterm zone="iptables iptables-prog">
|
|
<primary sortas="b-iptables">iptables</primary>
|
|
</indexterm>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry id="iptables-restore">
|
|
<term><command>iptables-restore</command></term>
|
|
<listitem>
|
|
<para>is used to restore IP Tables from data
|
|
specified on STDIN. Use I/O redirection provided by your
|
|
shell to read from a file.</para>
|
|
<indexterm zone="iptables iptables-restore">
|
|
<primary sortas="b-iptables-restore">iptables-restore</primary>
|
|
</indexterm>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry id="iptables-save">
|
|
<term><command>iptables-save</command></term>
|
|
<listitem>
|
|
<para>is used to dump the contents of an IP Table
|
|
in easily parseable format to STDOUT. Use I/O-redirection
|
|
provided by your shell to write to a file.</para>
|
|
<indexterm zone="iptables iptables-save">
|
|
<primary sortas="b-iptables-save">iptables-save</primary>
|
|
</indexterm>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry id="ip6tables">
|
|
<term><command>ip6tables</command></term>
|
|
<listitem>
|
|
<para>is used to set up, maintain, and inspect the tables of
|
|
IPv6 packet filter rules in the Linux kernel. Several different
|
|
tables may be defined. Each table contains a number of built-in
|
|
chains and may also contain user-defined chains.</para>
|
|
<indexterm zone="iptables ip6tables">
|
|
<primary sortas="b-ip6tables">ip6tables</primary>
|
|
</indexterm>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry id="libip-iptables">
|
|
<term><filename class='libraryfile'>libip*.so</filename></term>
|
|
<listitem>
|
|
<para>library modules are various modules (implemented as dynamic
|
|
libraries) which extend the core functionality of
|
|
<command>iptables</command>.</para>
|
|
<indexterm zone="iptables libip-iptables">
|
|
<primary sortas="c-libip-iptables">libip*.so</primary>
|
|
</indexterm>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
</variablelist>
|
|
|
|
</sect2>
|
|
|
|
</sect1>
|