Netfilter Iptables
- This document covers the compilation, installation and basic testing of iptables. More advanced configuration is covered in many books and online documents. A good place to start is the iptables website.
- If you install this software it is highly recommended that you keep up-to-date with security advisories published on the iptables website.
- I cannot be held responsible for the security of your system. It is up to you to understand the software you are running. The setup detailed here is that of a single ping-based rule test, nothing more. I have chosen not to give any specific guidance on firewall rules, as the rules required will vary from system to system, depending on the purpose of the system.
- It is generally believed within computing security communities that a firewalling technology on its own is insufficient to protect a system, and that it should be coupled with an IDS like Snort. Also, firewall logs should be regularly examined.
- If you spot any major errors on this page, please e-mail me using the link above.
- In order to support iptables, certain options must be compiled in the kernel. The various module options available to you are documented here. If you have to recompile your kernel in order to support iptables, you may want to follow the guide here.
- It is assumed that this installation takes place on a computer on which Core Linux has been successfully installed.
- No software other than the packages bundled with Core Linux has been installed.
- As described in the installation guide, it is assumed that any downloaded application source code is stored in a directory called /apps on the CD-R.
- It is assumed that the Core Linux computer is attached to a network on which there is at least one other machine with internet access and a CD burner.
Preparation
- Download the iptables source code from www.iptables.org.
- Burn the file iptables-1.2.7a.tar.bz2 to a CD. This page assumes that the subdirectory /apps is used for the .tar.bz2 file. The CD-ROM can be a multi-session disk.
Booting
- Boot your Core Linux PC.
- Log in as root. You will need to enter the password at the prompt.
Extract the source
- Place the CD-R in the CD-ROM drive. Mount the CD-ROM drive under /mnt/cdrom.
- Change to the /apps directory on the CD-R.
- Copy the iptables-1.2.7a.tar.bz2 file to the directory /usr/src.
- Change to the /usr/src directory and extract the source from the .tar.bz2 file.
Configure and compile
- Change to the /usr/src/iptables-1.2.7a directory.
- Run the make program as shown below:
  make BINDIR=/usr/bin LIBDIR=/usr/lib MANDIR=/usr/man KERNEL_DIR=/usr/src/linux
- Run the make program again, this time with the install target, as shown below:
  make BINDIR=/usr/bin LIBDIR=/usr/lib MANDIR=/usr/man KERNEL_DIR=/usr/src/linux install
Initial Testing
- Ping the IP address 127.0.0.1. Your pings should be returned.
- Add the following rule using the iptables command:
  iptables -A INPUT -s 127.0.0.1 -p icmp -j DROP
- Ping the IP address 127.0.0.1. Your pings should not be returned.
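The three Initial Testing steps as one script, an added example that is not from the original page: it assumes iptables and an iputils ping on the PATH and root privileges for the live run, confirms the rule is really installed by parsing the output of iptables -L INPUT -n, and deletes the test rule afterwards, which the page does not do.

```sh
#!/bin/sh
# Added example (not from the original page): scripted form of the
# Initial Testing steps. Assumes iptables and iputils ping on PATH and
# root for the live run; the listing parser is a plain function so it
# can be exercised against saved output without touching the firewall.

# The exact test rule from the page, without the -A/-D action so the same
# string serves to add and to delete it (word splitting is intended).
TEST_RULE="INPUT -s 127.0.0.1 -p icmp -j DROP"

# Constructed sample of what "iptables -L INPUT -n" prints with the test
# rule present; used only for the offline self-check below.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       icmp --  127.0.0.1            0.0.0.0/0'

# Read an "iptables -L INPUT -n" listing on stdin; return 0 if the
# page's DROP rule for ICMP from 127.0.0.1 is present, 1 otherwise.
rule_in_listing() {
    awk '$1 == "DROP" && $2 == "icmp" && $4 == "127.0.0.1" { found = 1 }
         END { exit found ? 0 : 1 }'
}

# Return 0 if a single ping to 127.0.0.1 is answered within 2 seconds.
loopback_pings() {
    ping -c 1 -W 2 127.0.0.1 >/dev/null 2>&1
}

# Pings work, add rule, rule is listed, pings fail, then remove the rule
# so the system is left as it was. Returns 0 on PASS, 1 on any FAIL.
run_ping_test() {
    loopback_pings || { echo "FAIL: loopback not answering before rule"; return 1; }
    iptables -A $TEST_RULE || { echo "FAIL: could not add rule"; return 1; }
    if ! iptables -L INPUT -n | rule_in_listing; then
        echo "FAIL: rule not present in INPUT listing"; iptables -D $TEST_RULE; return 1
    fi
    if loopback_pings; then
        echo "FAIL: pings still answered with DROP rule in place"; iptables -D $TEST_RULE; return 1
    fi
    iptables -D $TEST_RULE
    echo "PASS: ICMP to 127.0.0.1 was dropped while the rule was present"
}

# Offline self-check of the parser; pass --live (as root) for the real test.
printf '%s\n' "$SAMPLE_LISTING" | rule_in_listing && echo "parser recognises the test rule"
if [ "${1:-}" = "--live" ]; then run_ping_test; fi
```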
Setting up iptables
- These pages will not tell you how to configure your firewall. The appropriate configuration of your firewall will depend on the services you wish to offer. There are also many tips for tightening firewall security, which are beyond the scope of this page. Rather than provide incomplete information on this topic, and perhaps create a false sense of security, I chose to provide none. If you are looking for more information on configuring firewall rules, then visit www.iptables.org.
Automating iptables
- Create a script called /etc/firewall listing all your iptables rules. You can also add comments and echoes for your own information.
- Change the properties of the file /etc/firewall to make it executable.
- Append the following line to the /etc/rc.d/rc.mu script:
  /etc/firewall
- Reboot the system and check that your firewall rules are in effect.

The text of this page is licensed under a Creative Commons License.
