Having built my own linux system from source in accordance with the Linux from Scratch website, I had gotten fairly far with my system by the time I began to miss some basic security. I know that iptables is far from just a simple firewalling solution, but I am a lamer on a 33600 dialup and that is the primary feature concerning me at the moment regarding iptables. If I'm going to be using this custom-built system of mine, I'll be damned if I don't take advantage of the kernel's packet filtering features. Besides, I don't like that naked X service hanging off of port 6000... I will be building iptables from source, needless to say.
The iptables version is 1.2.6a. The kernel on this machine is a 2.4.10. Close enough to the bleeding edge for the likes of me. You will of course need the kernel sources installed. iptables 1.2.6a requires a kernel version greater than 2.4.4.
iptables can be gotten from freshmeat in .tar.bz or .tar.gz format. I personally prefer .bz due to superior compression ratios. Either way, you unpack the archive thus:
cd /usr/src/
cp ...path to tarball.../iptables-1.2.6a.tar.bz ./
or
cp ...path to tarball.../iptables-1.2.6a.tar.gz ./
with tar.gz:
tar xvzf filename.tar.gz
with tar.bz:
bzcat filename.tar.bz | tar xv
cd ./iptables-1.2.6a
The INSTALL file in the top level of the freshly unpacked iptables-1.2.6a directory suggests that we begin by checking our current kernel version against the patches included in the iptables distribution. These are bugfixes/tweaks that did not make it into the kernel yet. It's not a bad idea to do this step here just to understand what it does. The following command accomplishes this:
make pending-patches KERNEL_DIR=/usr/src/linux/
The KERNEL_DIR option points to the base where you have the kernel sources installed. On my system, that's /usr/src/linux. This should give you something along the following lines:
Welcome to Rusty's Patch-o-matic!

Each patch is a new feature: many have minimal impact, some do not.
Almost every one has bugs, so I don't recommend applying them all!
-------------------------------------------------------
Testing... 2.4.14.patch NOT APPLIED ( 10 missing files)
The submitted/2.4.14 patch:
Author: Harald Welte and others.
Status: Recommended (Already in 2.4.14 and above).

This contains numerous fixes and new features:
1) new IPv6 port of owner match
2) fixes for IPv6 limit, mac and multiport matches
3) new IRC (DCC) connection tracking and NAT support
4) new SNMP NAT (ALG) support
5) new TTL match
6) new length match
7) new LOG target for IPv6
8) fix logging of ECN bits in LOG target
-----------------------------------------------------------------
Do you want to apply this patch [N/y/t/f/a/r/b/w/v/q/?]
10 patches missing on my system to bring it up to 2.4.14. Type 'q' here to exit the pending patches routine. Note here that my kernel version permits me to skip this step. I have only done this with 2.4.10 and none other, so be advised that YMMV. In any case, with a kernel version greater than 2.4.4, you should be fine. More generally, if you don't know what these 'numerous fixes and new features' are, then you don't need them.
Having decided not to patch the kernel, we now proceed to actually compiling the package: the binary and the shared libraries. The command is as follows:
make BINDIR=/usr/bin LIBDIR=/usr/lib MANDIR=/usr/man
On a recent system, things will grind along fairly quickly and it shouldn't take more than a minute before your new binary and libraries are ready to be installed on your system. Note that the BINDIR, LIBDIR, and MANDIR options are there to install the package in the /usr hierarchy. The default behaviour, without these options, is the /usr/local/ hierarchy.
The following command will install the binary, libraries, and manpages:
make BINDIR=/usr/bin LIBDIR=/usr/lib MANDIR=/usr/man install
This takes the compiled binaries and libraries and installs them: the binaries in /usr/bin and the libraries in /usr/lib/iptables. The manpages, of course, go in /usr/man/man8/.
Alternatively, should you wish to install in the /usr/local hierarchy, it's actually that little bit simpler. You just eliminate the BINDIR, LIBDIR, and MANDIR options like this:
make && make install
And you get the files in the /usr/local hierarchy.
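As an added example (not part of the original walkthrough), here is a small sh script that wraps the build above: it reads VERSION/PATCHLEVEL/SUBLEVEL from the Makefile in KERNEL_DIR, refuses to go on unless that version is above 2.4.4, and then runs the same unpack/make/install commands into /usr. The default tarball location and the `run` argument guard are my own assumptions.

```shell
# Added example, not from the original article: build iptables 1.2.6a the
# way the walkthrough does, but only after checking that the kernel sources
# in KERNEL_DIR are newer than 2.4.4, which the article gives as the minimum.
set -e

KERNEL_DIR=${KERNEL_DIR:-/usr/src/linux}
TARBALL=${TARBALL:-/usr/src/iptables-1.2.6a.tar.gz}   # assumed location

# Print "a.b.c" from the VERSION/PATCHLEVEL/SUBLEVEL lines of a 2.4-era
# kernel top-level Makefile; fail if any of them is missing.
kernel_src_version() {
    mk="$1/Makefile"
    v=$(sed -n 's/^VERSION *= *//p' "$mk" 2>/dev/null)
    p=$(sed -n 's/^PATCHLEVEL *= *//p' "$mk" 2>/dev/null)
    s=$(sed -n 's/^SUBLEVEL *= *//p' "$mk" 2>/dev/null)
    [ -n "$v" ] && [ -n "$p" ] && [ -n "$s" ] || return 1
    echo "$v.$p.$s"
}

# Return 0 if dotted version "$1" is strictly greater than "$2".
version_gt() {
    a1=${1%%.*}; r=${1#*.}; a2=${r%%.*}; a3=${r#*.}
    b1=${2%%.*}; r=${2#*.}; b2=${r%%.*}; b3=${r#*.}
    [ "$a1" -gt "$b1" ] && return 0
    [ "$a1" -lt "$b1" ] && return 1
    [ "$a2" -gt "$b2" ] && return 0
    [ "$a2" -lt "$b2" ] && return 1
    [ "$a3" -gt "$b3" ]
}

# The article's unpack/build/install sequence, installing into /usr.
build_and_install() {
    ver=$(kernel_src_version "$KERNEL_DIR") ||
        { echo "no usable kernel sources in $KERNEL_DIR" >&2; return 1; }
    version_gt "$ver" 2.4.4 ||
        { echo "kernel $ver is not newer than 2.4.4" >&2; return 1; }
    cd /usr/src
    case "$TARBALL" in
        *.bz|*.bz2) bzcat "$TARBALL" | tar xf - ;;
        *.gz)       tar xzf "$TARBALL" ;;
        *)          echo "unknown archive type: $TARBALL" >&2; return 1 ;;
    esac
    cd iptables-1.2.6a
    make BINDIR=/usr/bin LIBDIR=/usr/lib MANDIR=/usr/man
    make BINDIR=/usr/bin LIBDIR=/usr/lib MANDIR=/usr/man install
}

# Only do the real build when invoked as: sh build-iptables.sh run
if [ "${1:-}" = run ]; then build_and_install; fi
```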
It's always good to verify that what you've installed works properly. We will do a simple test here, by no means comprehensive yet at least indicative of an installation that didn't quite go to Hell. Let's start off with running this command:
ping -c 3 127.0.0.1
The result should look something like this:
PING 127.0.0.1 (127.0.0.1): 56 octets data
64 octets from 127.0.0.1: icmp_seq=0 ttl=255 time=0.3 ms
64 octets from 127.0.0.1: icmp_seq=1 ttl=255 time=0.3 ms
64 octets from 127.0.0.1: icmp_seq=2 ttl=255 time=0.2 ms
--- 127.0.0.1 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 0.2/0.2/0.3 ms
You just sent an icmp echo-request to yourself, and schizophrenically enough got a reply. Now let's type in these two commands:
iptables -F
iptables -A INPUT -p icmp --icmp-type echo-reply -s 0/0 -j REJECT
The first command initializes the iptables ruleset: the -F switch flushes all rules from the chains of the default filter table. The second command adds a rule to the INPUT chain that rejects incoming icmp packets of type echo-reply, from any source (-s 0/0). You can probably work out for yourself where this is headed: the echo-requests you send to 127.0.0.1 still go out, but the replies coming back are rejected before ping ever sees them. Try this now:
ping -c 3 127.0.0.1
The result should look like this:
PING 127.0.0.1 (127.0.0.1): 56 octets data
--- 127.0.0.1 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss
The operative bit here is the '100% packet loss' bit. That tells you your iptables installation is up and running. Flush your ruleset again with -F, so you are not left rejecting every echo-reply that comes your way, and that's it for this walkthrough.
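As an added example (again, not from the original walkthrough), here is the same loopback self-test as a script, with the pass/fail decision taken from ping's statistics line rather than by eye, and the ruleset flushed afterwards whatever the outcome. The script name and the `run` argument guard are my own assumptions; the iptables calls need root.

```shell
# Added example, not from the original article: the loopback self-test
# above as a script, with the pass/fail decision taken from ping's
# statistics line rather than by eye.  The iptables calls need root.
set -e

# Print the packet-loss percentage from ping output, e.g. the line
# "3 packets transmitted, 0 packets received, 100% packet loss" gives 100.
loss_pct() {
    sed -n 's/.* \([0-9][0-9]*\)% packet loss.*/\1/p' | head -n 1
}

# With echo-replies to loopback rejected, a working filter shows 100% loss.
filter_active() {
    [ "${1:-}" = 100 ]
}

# Flush, add the REJECT rule, ping 127.0.0.1, then flush again so the box
# is left the way it was even if the check fails.
selftest() {
    iptables -F
    iptables -A INPUT -p icmp --icmp-type echo-reply -s 0/0 -j REJECT
    loss=$(ping -c 3 127.0.0.1 2>&1 | loss_pct)
    iptables -F
    if filter_active "$loss"; then
        echo "PASS: iptables is filtering (${loss}% loss)"
    else
        echo "FAIL: expected 100% loss, saw '${loss:-nothing}'" >&2
        return 1
    fi
}

# Only run the live test when invoked as: sh iptables-selftest.sh run
if [ "${1:-}" = run ]; then selftest; fi
```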