Quick Install Guide
A Reminder not a Tutorial

New IPTables for Linux 2.3.x and 2.4.x kernels.

For Linux Firewalls:
It was ipfwadm in 2.0.x linux kernels. Then ipchains in the 2.1.x and 2.2.x kernels.
Now it is iptables for the 2.3.x developmental and the 2.4.x Linux kernels.

Assumes use of x86 processors and lilo and either Slackware or Redhat.
Also assumes you have a working local network with the Linux server having
two ethernet connections: eth0 to the Internet and eth1 to your local net.

1 - download new iptables http://www.samba.org/netfilter , http://netfilter.gnumonks.org/
or http://antarctica.penguincomputing.com/~netfilter/

2 - su to become root and move the iptables source to /usr/src/linux and then unpack the iptables source with:

tar yxvf iptables-XXX.tar.bz2 -- (for some versions of tar)
tar -Ixvf iptables-XXX.tar.bz2 -- (for other versions of tar)

4 - cd iptables-x.x.x where x is the version number

5 - make to make it (if it bombs, try make all )

6 - make install to install it

7 - cd .. to change back into the /usr/src/linux directory.

8 - make menuconfig to recompile the kernel.

9 - go to the Code maturity level options at the top and
select Prompt for development and/or incomplete code/drivers. Built-in (*) is ok.

10 - go to Networking options. Select (*) Packet socket, Network packet filtering, Network packet filtering debugging, Unix domain sockets, TCP/IP networking, IP: aliasing support and IP: TCP syncookie support. (Note: the IP aliasing support option is not in some config menus - it is defaulted in already.)

10a - Under IP: Netfilter Configuration select Connection tracking, FTP protocol support, IP tables support, Packet Filtering, Full NAT, Masquerade target support, Redirect target support and Packet mangling.

Note: be sure to enable TCP syncookie support. It also needs to be turned on at run time with a:
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
I was surprised to find /var/log/messages recorded about 1 possible SYN attack on a pre-iptables Loblolly.net per week.

Also note: be sure to enable IP forwarding. It needs to be turned on with a:
echo 1 > /proc/sys/net/ipv4/ip_forward

11 - go to Network device support and select your ethernet device(s) if you have not already done so. If the module version does not work, try the compiled-in version, or vice versa.

12 - make dep clean (clean is optional)

13 - make modules modules_install

14 - make bzImage (the kernel is now generally too large to use make zImage)

15 - Slackware - cp arch/i386/boot/bzImage /vmlinuxXXX (or whatever name you want)
15a - For Redhat cp arch/i386/boot/bzImage /boot/vmlinuxXXX
also - cp System.map /boot/System.map-XXX (where XXX is the version or whatever)
then link it to System.map with ln -s /boot/System.map-XXX /boot/System.map

16 - Make sure /etc/lilo.conf can give you two or more optional boot-up kernels. Keep the known working kernel as the first image in /etc/lilo.conf. Otherwise you may well end up booting from a floppy or CDROM if your new kernel crashes. When compiling new kernels, the "if" in crashing is more of a "when". You can edit /etc/lilo.conf and have multiple kernels to select from for booting.

***Make sure there is a line towards the top with just prompt
***Having a delay nn or timeout nn line will cause lilo to wait nn tenths of a second before loading the first image. This is normally just under the prompt line.

For Slackware -- these 3 lines for each kernel option
image = /vmlinuxXXX (or whatever name - must match the name in step 13)
root = /dev/hda1 (or whatever the default was)
label = linuxXXX (or whatever reference name you want)

For Redhat -- these 3 lines for each kernel option
image = /boot/vmlinuxXXX (or whatever name - must match the name in step 13)
root = /dev/hda1 (or whatever the default was)
label = linuxXXX (or whatever reference name you want)

17 - lilo - Rerun lilo to set it up. You should get no errors. It will not ask any questions.

18 - shutdown -r now (time to try it out)

19 - Press the Tab key when you get the lilo prompt on rebooting,
select the kernel to boot and type it in.

20 - Does it work? If not the way you want, go back to step 7.
If it crashes while booting, try booting the old kernel.

21 - Now that your kernel works, it's time for iptables. See Rusty's Remarkably Unreliable Guides for info and setup help on using iptables and NAT (Network Address Translation). Also see man iptables.

22 - The following three lines will allow your Linux 2.3.x or 2.4.x kernel server to act as a gateway/firewall so a local network of PCs can surf the net using the IP of the Linux server, where eth0 connects to the Internet and eth1 connects to your local LAN. CAUTION: these are just enough to get connected and may not be suitable for a secure firewall.

/usr/local/sbin/iptables -F
/usr/local/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
/usr/local/sbin/iptables -A FORWARD -j ACCEPT

These three lines can be put in /etc/rc.inet1 in Slackware or /etc/rc.d/init.d/network in Red Hat after the ethernet devices are configured with ifconfig and assigned their IP addresses. You can easily see where your iptables are located with a which iptables. Mine were installed in the /usr/local/sbin directory. Slackware has an /etc/rc.firewall that is the logical place to put these commands. rc.firewall is called at the very end of rc.inet1 script at boot.

Be sure that tcp_syncookies and ip_forward are enabled. You can check with grep tcp_syncookies rc.* or grep ip_forward rc.* on Slackware. If in doubt, it doesn't hurt to add the echo 1 > /proc/sys/net/ipv4/tcp_syncookies and echo 1 > /proc/sys/net/ipv4/ip_forward lines just before your iptables lines.

Here is an example of an rc.firewall.

#!/bin/sh
# firewall/ip filtering using new iptables
# see http://www.samba.org/netfilter
# kernel knobs: SYN cookies against SYN floods, and forwarding between eth0 and eth1
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/ip_forward
# now to flush/clear out the iptables first
/usr/local/sbin/iptables -F
# masquerade everything leaving eth0 behind the server's Internet address (the table name is lowercase nat)
/usr/local/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# forward anything between the two interfaces (see the CAUTION in step 22)
/usr/local/sbin/iptables -A FORWARD -j ACCEPT
# now to list the iptables
/usr/local/sbin/iptables -L
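The three step 22 lines and the rc.firewall above accept all forwarded traffic, which is why the CAUTION applies. Below is an added example (not the page's own rc.firewall) of a stricter version for the same eth0/eth1 layout, using the connection tracking selected in step 10a; it assumes the "state" match (ipt_state) is available with it, and that iptables lives at /usr/local/sbin/iptables as on this page.

```shell
#!/bin/sh
# Added example, not the page's own rc.firewall: a stricter version of the
# step 22 gateway rules that uses the connection tracking compiled into the
# kernel in step 10a. Assumes eth0 = Internet, eth1 = local net, and that the
# "state" match (ipt_state) is available alongside connection tracking.
IPT=${IPT:-/usr/local/sbin/iptables}   # adjust if `which iptables` differs
# Policy: drop anything not explicitly allowed on INPUT and FORWARD; trust
# loopback and the local net; from the Internet accept only replies to
# connections we started (ESTABLISHED,RELATED) plus the web server on 80;
# let LAN hosts out through eth0 and masquerade them behind its address.
# One iptables argument list per line, so the set can be reviewed or
# dry-run with "apply_firewall echo" before it is loaded.
firewall_rules() {
    cat <<'EOF'
-F
-t nat -F
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
-t nat -A POSTROUTING -o eth0 -j MASQUERADE
EOF
}
# apply_firewall CMD: run CMD once per rule line (CMD is the iptables
# binary, or "echo" for a dry run). Stops at the first failing rule.
apply_firewall() {
    firewall_rules | while read -r line; do
        # word splitting of $line into separate arguments is intended
        "$1" $line || exit 1
    done
}
# count_rules PATTERN: how many rule lines match PATTERN (sanity check).
count_rules() {
    firewall_rules | grep -c -- "$1"
}
# Only touch the kernel when run for real: as root, with iptables present
# and /proc writable (as at boot from rc.inet1, not when sourced for review).
if [ "$(id -u)" = 0 ] && [ -x "$IPT" ] && [ -w /proc/sys/net/ipv4/ip_forward ]; then
    echo 1 > /proc/sys/net/ipv4/tcp_syncookies
    echo 1 > /proc/sys/net/ipv4/ip_forward
    apply_firewall "$IPT"
    "$IPT" -L -n
fi
```

With INPUT defaulting to DROP, any other service the server offers to the Internet needs its own ACCEPT line next to the port 80 one; services reached from the local net are unaffected.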

23 - On the Win9x PCs on your local net you will need to set the gateway to the IP address of eth1 on your Linux server. On your Win9x PC go to Start->Settings->Control Panel->Network->TCP/IP for your Ethernet card->Gateway.

24 - Once your Win9x PC reboots, bring up an MS-DOS prompt on it and try pinging an outside address like your ISP's DNS servers. If that does not work, try pinging your Linux server's Internet IP address, then your Linux server's local net IP address - your gateway.

25 - If you can ping an outside Internet IP address then bring up a web browser on your Win9x PC.

26 - See if it works. If you are now connecting from a Win9x PC, your IP address of (38.107.191.119) should be the same as the IP address of eth0 on your Linux server.

27 - You can get a good idea of how secure your PCs are by getting a port scan from DSLReports.com.

28 - Check your system with netstat or netstat -tn to see who is using or trying to abuse your Linux server. If, for example, you see an IP address of 62.13.43.60 with several SYN_RECV on port 80 (the web server's port), you can block their IP with:

iptables -A INPUT -s 62.13.43.60 -j DROP

You can either wait for them to time out or stop and start the web server. A graceful restart may not knock them off for a while. Stopping and then starting should do it. Remember: stopping the web server also affects legitimate web users.
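Reading netstat -tn by eye gets tedious once there are many connections. This added example (not from the page) does the step 28 check for you: it counts SYN_RECV entries per foreign address on a given local port and prints the step 28 DROP rule for review rather than applying it. The netstat lines are constructed sample input (62.13.43.60 is the page's address; the others are made up), and the "3 or more" threshold is an assumption.

```shell
#!/bin/sh
# Added example, not from the page: find the source addresses holding many
# half-open (SYN_RECV) connections to a local port in `netstat -tn` output,
# as step 28 describes, and print the matching iptables DROP rule for review.
# Constructed sample of `netstat -tn` output (Linux 2.4 column layout);
# 62.13.43.60 is the address used on the page, the rest are made up.
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 38.107.191.119:80       62.13.43.60:1025        SYN_RECV
tcp        0      0 38.107.191.119:80       62.13.43.60:1026        SYN_RECV
tcp        0      0 38.107.191.119:80       62.13.43.60:1027        SYN_RECV
tcp        0      0 38.107.191.119:80       62.13.43.60:1028        SYN_RECV
tcp        0      0 38.107.191.119:80       192.168.1.5:1100        ESTABLISHED
tcp        0      0 38.107.191.119:22       10.0.0.7:2033           ESTABLISHED
tcp        0      0 38.107.191.119:80       198.51.100.9:4001       SYN_RECV'
# syn_recv_sources PORT THRESHOLD: read netstat -tn output on stdin and print
# "count address" for each foreign address with at least THRESHOLD SYN_RECV
# entries to local PORT, worst offender first.
syn_recv_sources() {
    awk -v port="$1" -v min="$2" '
        $1 == "tcp" && $6 == "SYN_RECV" {
            split($4, lp, ":"); split($5, rp, ":")   # addr:port -> addr, port
            if (lp[2] == port) count[rp[1]]++
        }
        END { for (ip in count) if (count[ip] >= min) print count[ip], ip }
    ' | sort -rn
}
# drop_rule ADDRESS: the step 28 rule for one address, printed so it can be
# checked before it is added to the INPUT chain.
drop_rule() {
    echo "iptables -A INPUT -s $1 -j DROP"
}
# check_sample: run the check over the constructed sample with the assumed
# threshold of 3 half-open connections to port 80.
check_sample() {
    printf '%s\n' "$SAMPLE_NETSTAT" | syn_recv_sources 80 3
}
# live use (as root): netstat -tn | syn_recv_sources 80 3
check_sample | while read -r n ip; do
    echo "$ip has $n half-open connections to port 80:"
    drop_rule "$ip"
done
```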

29 - Good luck! If problems arise, check back at http://www.samba.org/netfilter or some of the HOWTOs.

Last modified on Wednesday, 08-May-2002 17:21:59 CDT
rddecker@lanranger.net