Installing Iptables


Install hints

This is a quick overview; see the sections below for more details. Note that you do not need to compile the kernel before you compile and install Iptables, but certain features are not available as kernel options (in the later steps) unless you patch your kernel with 'make patch-o-matic'.

  • Do a 'make oldconfig' (or 'make menuconfig' if you don't have a working .config file) in your /usr/src/linux.
  • Do a 'make && make install' where you untarred the iptables archive.
  • Do a 'make patch-o-matic' and apply the patches that you need (I would advise testing first to see if it applies cleanly as not all patches are compatible with each other).
  • Go back to /usr/src/linux and do a 'make menuconfig' and select the newly available/desired options.
  • Finish your normal kernel compile (make dep; make clean; make bzImage, etc.)

Compiling - Compiling Iptables is fairly simple, unless you decide to get fancy.

  • 'make && make install' will do a minimalist install in the default (/usr/local) locations.
  • 'make pending-patches' will offer to patch the standard kernel with some outstanding bugfixes or tweaks.
  • 'make patch-o-matic' will offer to patch the standard kernel with enhanced/experimental features.
  • 'make experimental && make install-experimental' will create the iptables-save and iptables-restore binaries.
  • Preface the compile options with 'BINDIR=/usr/sbin LIBDIR=/usr/lib MANDIR=/usr/man' if you'd like to change the default locations. This includes 'make install' (e.g. 'make BINDIR=/usr/sbin LIBDIR=/usr/lib MANDIR=/usr/man install')

Patch-O-Matic - "Welcome to Rusty's Patch-o-matic! Each patch is a new feature: many have minimal impact, some do not. Almost every one has bugs, so I don't recommend applying them all!" Note: The following is an example lifted from v1.2.1a patch-o-matic and is not current. While some options have changed, a current list will be displayed when you do a 'make patch-o-matic'.

  • CONFIG_IP_NF_TARGET_BALANCE option, which is similar to
    DNAT: it takes a range of addresses (`--to-dest') and
    spreads the load out over them.
  • … target that sends dropped packets to userspace via a netlink socket.
    It replaces the old ipchains -o option.
  • CONFIG_IP_NF_TARGET_SAME option, which is similar to
    SNAT: it takes a range of addresses (`--to-source') and
    gives a client the same address for each connection.
  • CONFIG_IP_NF_TARGET_TTL option, which enables the user
    to set the TTL value of an IP packet or to increment / decrement it
    by a given value.
  • CONFIG_IP_NF_MATCH_AH_ESP, which supplies two match
    extensions (`ah' and `esp') that allow you to match a range of SPIs inside
    AH or ESP headers of IPSec packets.
  • CONFIG_IP_NF_DROPTABLE option. Packets which are going to be dropped
    by the NAT or routing code (among others) will traverse this table,
    allowing them to be logged.
    This patch is INVASIVE, and will break many of the other patches.
  • CONFIG_IP_NF_EGG: Connection tracking for eggdrop bot networks.
  • CONFIG_IP_NF_TARGET_FTOS option, which allows setting the
    TOS field within the packet to any value between 0x0 and 0xff. This
    includes all legal TOS values. It does not take account of the DiffServ
    split of the field nor does it account for the ECN bit states.
    Basically you can set the TOS field to whatever value you want.
  • ftp-multi.patch allows ftp connection tracking and NAT to operate on up to
    8 ports, using the `ports=' option to the ip_conntrack_ftp and
    ip_nat_ftp modules. Without the option, port 21 is used as normal.
    In addition, it adds support for FXP (direct FTP 2 FTP transport). To
    enable FXP support, use a module load parameter of `fxp=1`
  • ftp-pasv-fix.patch makes it possible to do stateful firewalling on a machine
    running any ftp server, using the ip_conntrack_ftp.o module.
    The standard module only works with ftp servers sending the literal string
    "227 Entering Passive Mode (", but the FTP RFCs don't require the literal
    text "Entering Passive Mode", they merely suggest it. This patch makes
    ip_conntrack_ftp.o recognize any text between the '227 ' and the '('.
  • CONFIG_IP_NF_MATCH_IPLIMIT match allows you to restrict the
    number of parallel TCP connections to a server per client IP address
    (or address block).
    # allow 2 telnet connections per client host
    iptables -A INPUT -p tcp --dport 23 -m iplimit --iplimit-above 2 -j REJECT
    # you can also match the other way around:
    iptables -A INPUT -p tcp --dport 23 -m iplimit ! --iplimit-above 2 -j ACCEPT
    # limit the number of parallel http connections to 16 per class C sized
    # network (24 bit netmask)
    iptables -A INPUT -p tcp --dport 80 -m iplimit --iplimit-above 16 --iplimit-mask 24 -j REJECT
  • CONFIG_IP_NF_IRC: IRC support module for netfilter
    connection tracking and NAT. This allows DCC to work though NAT and
    connection tracking.
    This patch depends on dropped-table and seqoffset.
  • masquerade+fwmark.patch is a fix for complex routing setups, where route by firewall mark
    is combined with the MASQUERADE NAT target
  • nat+conntrack-hashsize.patch makes the hash table size of the connection tracking code and NAT
    code a module parameter (hashsize=XXX), and makes the default for NAT
    1/16384 of memory (much better than the previous default of 64 for
    large machines).
  • CONFIG_IP_NF_POOL, which provides a match which lets you use
    bitmaps with one bit per address from some range of IP addresses; the
    match depends on whether a checked source or destination address has
    its bit set in the pool. It also provides a POOL target, which can be
    used to add or remove the addresses of a packet to/from a pool.
    The userspace program ippool(8) is also compiled (in the ippool/
    directory), and is used to define the pools and their bounds.
  • CONFIG_IP_NF_MATCH_PSD, which supplies a portscan
    detection match (PSD). This match will attempt to detect TCP and UDP
    port scans. This match was derived from Solar Designer's scanlogd.
    Supported options are:
    --psd-weight-threshold <threshold>
    Total weight of the latest TCP/UDP packets with different
    destination ports coming from the same host to be treated as a port
    scan sequence.
    --psd-delay-threshold <delay>
    Delay (in hundredths of a second) for the packets with different
    destination ports coming from the same host to be treated as a
    possible port scan subsequence.
    --psd-lo-ports-weight <weight>
    Weight of a packet with a privileged (<=1024) destination port.
    --psd-hi-ports-weight <weight>
    Weight of a packet with a non-privileged destination port.
  • CONFIG_IP_NF_MATCH_RPC, which supplies two modules,
    ip_conntrack_rpc_udp and ip_conntrack_rpc_tcp, which track portmapper
    requests using UDP and TCP respectively. It also adds the record_rpc
    match for iptables, which matches if the source of the packet has
    requested that port through the portmapper before, or it is a new GET
    request to the portmapper, allowing effective RPC filtering.
  • seqoffset.patch - New API functions for NAT helpers. This API hides all the nifty details about
    packet resizing and the resulting sequence number offset when NATing protocols
    like ftp / irc.
    REQUIREMENTS: You need at least Kernel 2.4.2 for this patch!
    dropped-table-patch from netfilter patch-o-matic
  • … support. This is the "basic" form of SNMP-ALG, as described in
    RFC 2962; it works by modifying IP addresses inside SNMP payloads
    to match IP-layer NAT mapping.
  • CONFIG_IP_NF_MATCH_STRING which allows you to
    match a string in a whole packet.
  • tcp-window-tracking.patch is an implementation of TCP connection tracking according
    to the article 'Real Stateful TCP Packet Filtering in IP Filter' by
    Guido van Rooij [1]. It contains the new TCP connection tracking with
    support to handle already established connections. Window scaling
    support is added.
  • CONFIG_IP_NF_MATCH_TTL option, which enables the user to
    match packets by their TTL value.
  • CONFIG_IP_NF_TARGET_ULOG option, which supplies a more
    advanced packet logging mechanism than the standard LOG target. The
    libiptulog/ directory contains a library for receiving the ULOG
    See for more information
  • CONFIG_IP6_NF_TARGET_LOG option, which adds a LOG target
    to ip6tables.
  • CONFIG_IP6_NF_TARGET_REJECT option, which adds a REJECT target
    to ip6tables. Please keep in mind that the icmp-types are different from
    the icmpv6 types (see ip6tables -j REJECT -h for more info)
  • ipv6-ports.patch.ipv6 contains an IPv6 port of the owner match from IPv4 and fixes for the limit, mac
    and multiport matches.

Note: The patches highlighted above do not represent what I think you should compile into your kernel; they are simply patches that I find interesting. Should you apply any of the above patches to your kernel and change your mind, you can reverse the patch by copying the appropriate patch from the patch-o-matic directory into your /usr/src/linux and running 'patch -R -p1 < name_of_the_patch'.
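The install hints recommend testing whether a patch applies cleanly before committing to it, and the note above shows how to back one out again with 'patch -R -p1'. The script below is an added example, not code from the original page or from the netfilter project: it wraps both checks around GNU patch (a dry run first, a reverse apply afterwards) and exercises them on a constructed one-file stand-in for a kernel tree, so the real paths (/usr/src/linux and a patch copied from the patch-o-matic directory) are assumptions you substitute.

```shell
#!/bin/sh
# Added example, not code from the original page or from the netfilter
# project: a small wrapper around GNU patch that tests a patch-o-matic style
# kernel patch with a dry run before applying it, and reverses it with
# 'patch -R -p1' as the page describes. The tree and patch it exercises are
# constructed stand-ins; on a real system point the functions at
# /usr/src/linux and the patch copied from the patch-o-matic directory.

# Exit 0 if the patch would apply cleanly to the tree, non-zero otherwise.
# --dry-run touches nothing; -N makes an already-applied patch count as a
# failure instead of prompting about a reversed patch.
patch_applies_cleanly() {
    ( cd "$1" && patch --dry-run -N -p1 -s < "$2" ) >/dev/null 2>&1
}

# Apply the patch in the forward direction (what 'make patch-o-matic' does
# for you once you accept a patch).
apply_patch() {
    ( cd "$1" && patch -p1 -s < "$2" )
}

# Back the patch out again, as in the page's 'patch -R -p1 < name_of_the_patch'.
reverse_patch() {
    ( cd "$1" && patch -R -p1 -s < "$2" )
}

# Constructed fixture: a one-file stand-in for a kernel tree under $dir/linux
# and a one-hunk patch $dir/demo.patch produced with diff -ruN, which yields
# the 'a/...' and 'b/...' paths that -p1 strips. Prints the scratch directory.
make_demo_tree() {
    demo_dir=$(mktemp -d)
    mkdir -p "$demo_dir/a/net/ipv4/netfilter" "$demo_dir/linux/net/ipv4/netfilter"
    printf 'int demo_option = 0;\n' > "$demo_dir/a/net/ipv4/netfilter/demo.c"
    cp -r "$demo_dir/a" "$demo_dir/b"
    printf 'int demo_option = 1;\n' > "$demo_dir/b/net/ipv4/netfilter/demo.c"
    cp "$demo_dir/a/net/ipv4/netfilter/demo.c" "$demo_dir/linux/net/ipv4/netfilter/"
    # diff exits 1 whenever the trees differ, which is exactly what we want here
    ( cd "$demo_dir" && diff -ruN a b > demo.patch ) || true
    echo "$demo_dir"
}

# Current contents of the patched file, so callers can check the tree's state.
demo_state() {
    cat "$1/linux/net/ipv4/netfilter/demo.c"
}

# Full cycle on the fixture: dry run, apply, dry run again (must now refuse,
# the patch is already in), reverse, and confirm the tree is back to the start.
demo_cycle() {
    cycle_dir=$(make_demo_tree)
    tree="$cycle_dir/linux"; pfile="$cycle_dir/demo.patch"
    patch_applies_cleanly "$tree" "$pfile" || { echo "patch would not apply"; return 1; }
    apply_patch "$tree" "$pfile"
    echo "after apply:   $(demo_state "$cycle_dir")"
    if patch_applies_cleanly "$tree" "$pfile"; then
        echo "dry run did not notice the patch is already applied"; return 1
    fi
    reverse_patch "$tree" "$pfile"
    echo "after reverse: $(demo_state "$cycle_dir")"
    [ "$(demo_state "$cycle_dir")" = "int demo_option = 0;" ] || return 1
    rm -rf "$cycle_dir"
}

demo_cycle
```

Run the dry-run function against your real tree (patch_applies_cleanly /usr/src/linux /usr/src/linux/name_of_the_patch) before answering yes in patch-o-matic; a non-zero exit means the hunks would be rejected, which is the incompatibility between patches the install hints warn about.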