<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML ><HEAD ><TITLE >Preparation</TITLE ><META NAME="GENERATOR" CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK REL="HOME" TITLE="Linux IPv6 HOWTO (en)" HREF="index.html"><LINK REL="UP" TITLE="Firewalling" HREF="chapter-firewalling-security.html"><LINK REL="PREVIOUS" TITLE="Firewalling using netfilter6 " HREF="firewalling-netfilter6..html"><LINK REL="NEXT" TITLE="Usage" HREF="x2181.html"></HEAD >
<BODY CLASS="SECT1" BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#840084" ALINK="#0000FF" >
<DIV CLASS="SECT1" ><H1 CLASS="SECT1" ><A NAME="AEN2103" ></A >17.2. Preparation</H1 >
<P >This step is only needed if the kernel and netfilter shipped with your distribution do not meet your requirements and new features are available but not yet built in.</P >
<DIV CLASS="SECT2" ><H2 CLASS="SECT2" ><A NAME="AEN2106" ></A >17.2.1. Get sources</H2 >
<P >Get the latest kernel source: <A HREF="http://www.kernel.org/" TARGET="_top" >http://www.kernel.org/</A ></P >
<P >Get the latest iptables package: </P >
<P ></P ><UL ><LI ><P >Source tarball (for kernel patches): <A HREF="http://www.netfilter.org/" TARGET="_top" >http://www.netfilter.org/</A ></P ></LI ></UL ></DIV >
<DIV CLASS="SECT2" ><H2 CLASS="SECT2" ><A NAME="AEN2115" ></A >17.2.2. 
Extract sources</H2 >
<P >Change to the source directory: </P >
<TABLE BORDER="1" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="SCREEN" ># cd /path/to/src</PRE ></FONT ></TD ></TR ></TABLE >
<P >Unpack and rename the kernel sources </P >
<TABLE BORDER="1" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="SCREEN" ># tar z|jxf kernel-version.tar.gz|bz2
# mv linux linux-version-iptables-version+IPv6</PRE ></FONT ></TD ></TR ></TABLE >
<P >Unpack the iptables sources </P >
<TABLE BORDER="1" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="SCREEN" ># tar z|jxf iptables-version.tar.gz|bz2</PRE ></FONT ></TD ></TR ></TABLE ></DIV >
<DIV CLASS="SECT2" ><H2 CLASS="SECT2" ><A NAME="AEN2123" ></A >17.2.3. Apply latest iptables/IPv6-related patches to kernel source</H2 >
<P >Change to the iptables directory </P >
<TABLE BORDER="1" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="SCREEN" ># cd iptables-version</PRE ></FONT ></TD ></TR ></TABLE >
<P >Apply pending patches </P >
<TABLE BORDER="1" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="SCREEN" ># make pending-patches KERNEL_DIR=/path/to/src/linux-version-iptables-version+IPv6/</PRE ></FONT ></TD ></TR ></TABLE >
<P >Apply additional IPv6-related patches (not yet included in the vanilla kernel) </P >
<TABLE BORDER="1" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="SCREEN" ># make patch-o-matic KERNEL_DIR=/path/to/src/linux-version-iptables-version+IPv6/</PRE ></FONT ></TD ></TR ></TABLE >
<P >Answer yes to the following options (iptables-1.2.2) </P >
<P ></P ><UL ><LI ><P >ah-esp.patch </P ></LI ><LI ><P >masq-dynaddr.patch (only needed for systems whose WAN connection gets a dynamically assigned IP address, like PPP or PPPoE) </P ></LI ><LI ><P >ipv6-agr.patch.ipv6 </P ></LI ><LI ><P >ipv6-ports.patch.ipv6 </P ></LI ><LI ><P >LOG.patch.ipv6 </P ></LI ><LI ><P >REJECT.patch.ipv6 </P ></LI ></UL >
<P >Check IPv6 
extensions </P >
<TABLE BORDER="1" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="SCREEN" ># make print-extensions
Extensions found: IPv6:owner IPv6:limit IPv6:mac IPv6:multiport</PRE ></FONT ></TD ></TR ></TABLE ></DIV >
<DIV CLASS="SECT2" ><H2 CLASS="SECT2" ><A NAME="AEN2147" ></A >17.2.4. Configure, build and install new kernel</H2 >
<P >Change to the kernel sources </P >
<TABLE BORDER="1" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="SCREEN" ># cd /path/to/src/linux-version-iptables-version+IPv6/</PRE ></FONT ></TD ></TR ></TABLE >
<P >Edit the Makefile </P >
<TABLE BORDER="1" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="SCREEN" >- EXTRAVERSION =
+ EXTRAVERSION = -iptables-version+IPv6-try</PRE ></FONT ></TD ></TR ></TABLE >
<P >Run configure and enable the IPv6-related options </P >
<TABLE BORDER="1" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="SCREEN" >Code maturity level options
    Prompt for development and/or incomplete code/drivers : yes
Networking options
    Network packet filtering: yes
    The IPv6 protocol: module
        IPv6: Netfilter Configuration
            IP6 tables support: module
            All new options like following:
                limit match support: module
                MAC address match support: module
                Multiple port match support: module
                Owner match support: module
                netfilter MARK match support: module
                Aggregated address check: module
                Packet filtering: module
                    REJECT target support: module
                    LOG target support: module
                Packet mangling: module
                    MARK target support: module</PRE ></FONT ></TD ></TR ></TABLE >
<P >Configure the other options relevant to your system, too </P >
<P >Compilation and installation: see the kernel section in this HOWTO and other HOWTOs </P ></DIV >
<DIV CLASS="SECT2" ><H2 CLASS="SECT2" ><A NAME="AEN2157" ></A >17.2.5. 
Rebuild and install binaries of iptables</H2 >
<P >Make sure that the kernel source tree prepared above is also available at /usr/src/linux/ </P >
<P >Rename the older directory </P >
<TABLE BORDER="1" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="SCREEN" ># mv /usr/src/linux /usr/src/linux.old</PRE ></FONT ></TD ></TR ></TABLE >
<P >Create a new softlink </P >
<TABLE BORDER="1" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="SCREEN" ># ln -s /path/to/src/linux-version-iptables-version+IPv6 /usr/src/linux</PRE ></FONT ></TD ></TR ></TABLE >
<P >Rebuild the SRPM </P >
<TABLE BORDER="1" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="SCREEN" ># rpm --rebuild /path/to/SRPMS/iptables-version-release.src.rpm</PRE ></FONT ></TD ></TR ></TABLE >
<P >Install the new iptables packages (iptables + iptables-ipv6) </P >
<P ></P ><UL ><LI ><P >On RH 7.1 systems, an older version is normally already installed, so use "freshen" </P ></LI ></UL >
<TABLE BORDER="1" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="SCREEN" ># rpm -Fhv /path/to/RPMS/cpu/iptables*-version-release.cpu.rpm</PRE ></FONT ></TD ></TR ></TABLE >
<P ></P ><UL ><LI ><P >If it is not already installed, use "install" </P ></LI ></UL >
<TABLE BORDER="1" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="SCREEN" ># rpm -ihv /path/to/RPMS/cpu/iptables*-version-release.cpu.rpm</PRE ></FONT ></TD ></TR ></TABLE >
<P ></P ><UL ><LI ><P >On RH 6.2 systems, no kernel 2.4.x is normally installed, so the package requirements are not met. 
Use "--nodeps" to install it </P ></LI ></UL >
<TABLE BORDER="1" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="SCREEN" ># rpm -ihv --nodeps /path/to/RPMS/cpu/iptables*-version-release.cpu.rpm</PRE ></FONT ></TD ></TR ></TABLE >
<P >It may be necessary to create a softlink for the iptables libraries where iptables looks for them </P >
<TABLE BORDER="1" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="SCREEN" ># ln -s /lib/iptables/ /usr/lib/iptables</PRE ></FONT ></TD ></TR ></TABLE ></DIV ></DIV >
</BODY ></HTML >
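Added example, not part of the original HOWTO: a pre-build check for section 17.2.4 that reports which of the IPv6 netfilter options listed there are not set to y or m in a kernel .config, so a firewall is not built without its LOG target or match modules. The function name and the mapping from the menu labels to mainline 2.4 CONFIG_ symbols are assumptions of this example; the aggregated address check and REJECT target come from patch-o-matic patches and are left out because their symbol names depend on the patch applied.

```shell
#!/bin/sh
# Added example (not from the HOWTO). Assumption: these mainline 2.4 Kconfig
# symbols correspond to the menu entries listed in section 17.2.4.
# Options added by patch-o-matic (aggregated address check, REJECT target)
# are omitted; add their symbols after checking the patched Config.in.
IP6_NF_REQUIRED="CONFIG_EXPERIMENTAL CONFIG_NETFILTER CONFIG_IPV6
CONFIG_IP6_NF_IPTABLES CONFIG_IP6_NF_MATCH_LIMIT CONFIG_IP6_NF_MATCH_MAC
CONFIG_IP6_NF_MATCH_MULTIPORT CONFIG_IP6_NF_MATCH_OWNER
CONFIG_IP6_NF_MATCH_MARK CONFIG_IP6_NF_FILTER CONFIG_IP6_NF_TARGET_LOG
CONFIG_IP6_NF_MANGLE CONFIG_IP6_NF_TARGET_MARK"

# Print, on one line, every required symbol that is not set to y or m in the
# given .config. Returns 0 if nothing is missing, 1 if something is missing,
# 2 if the file cannot be read.
missing_ip6_nf_options() {
    config_file=$1
    if [ ! -r "$config_file" ]; then
        echo "cannot read $config_file" >&2
        return 2
    fi
    missing=""
    for sym in $IP6_NF_REQUIRED; do
        # "SYM=y" or "SYM=m" counts as enabled; "# SYM is not set" and a
        # symbol that does not appear at all both count as missing.
        if ! grep -Eq "^${sym}=(y|m)\$" "$config_file"; then
            missing="$missing $sym"
        fi
    done
    if [ -n "$missing" ]; then
        echo $missing   # unquoted on purpose: drops the leading space
        return 1
    fi
    return 0
}

# Stand-alone use: sh check.sh /usr/src/linux/.config
if [ $# -gt 0 ]; then
    if missing_ip6_nf_options "$1"; then
        echo "all IPv6 netfilter options from section 17.2.4 are enabled"
    else
        echo "fix the options listed above before building" >&2
        exit 1
    fi
fi
```

Run it against the new tree's .config after the configure step and before compiling.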