Kernel Configuration for iptables Before you can use iptables , you must build support for it into the Linux kernel. What's more, some iptables features are only useful if you've activated appropriate iptables kernel suboptions. All of these kernel features can be found in the Networking Options menu in the 2.4. x kernel configuration tree, or in submenus off the Networking Options menu. Features you should check include the following: -
Network Packet Filtering ” The Network Packet Filtering option is in the main Networking Options configuration menu. -
Connection Tracking ” This option is available in the Netfilter Configuration menu off the Networking Options menu. It's required for NAT. (All subsequent options are in the same Netfilter Configuration menu.) -
FTP Protocol Support ” FTP is a tricky protocol for NAT. In Linux, NAT support for FTP requires this special kernel module. -
IP Tables Support ” This option is another that's required for NAT. A large number of suboptions become available when you select this one, corresponding to various tests you might want to perform. For best flexibility, select all of these suboptions. The Connection State Match Support option is particularly noteworthy because it's required for stateful packet inspection. -
Packet Filtering ” Although not absolutely required for firewalls or NAT, this option enhances the range of features available to you. I recommend you enable it. -
REJECT Target Support ” This suboption of Packet Filtering adds a rule that can be helpful in creating firewalls. It's therefore best to enable this feature. -
Full NAT ” This option is required for many NAT features, including those described in this chapter. -
MASQUERADE Target Support ” This suboption of the Full NAT option is required for IP masquerading ”the form of NAT that is described in the upcoming section, "Configuring NAT with iptables." Note that the Help option for this item implies that it's only necessary if you use a dynamic external IP address, but this is incorrect; it's required for IP masquerading whether or not your external IP address is dynamic. -
Packet Mangling ” This kernel feature is required if you want to use the mangle table, described earlier. I recommend you enable it. -
LOG Target Support ” If you want to log firewall or router activity, this option allows you to do so. -
ipchains (2.2-style) Support ” If you want to use an older ipchains -based firewall script, you need to activate this option. You'll also need the ipchains tool itself. -
ipfwadm (2.0-style) Support ” If you want to use an older ipfwadm -based firewall script, you need to activate this option. You'll also need the ipfwadm tool itself. TIP  | The ipchains and ipfwadm support options are mutually exclusive, and both are incompatible with the IP Tables Support and Connection Tracking options. Therefore, you cannot compile support for both iptables and an earlier tool into the same kernel. You can, however, compile all of these tools as modules, and select which you want to use by loading the appropriate kernel module. You might want to compile your kernel this way if you currently have an older tool and want to migrate it to the newer iptables as time permits . Many distributions ship their default kernels like this. |
If you compile support for features as modules, you may need to load the appropriate modules in your firewall startup script. For instance, the basic iptables functionality is in the ip_tables module, so your startup script might need the command insmod ip_tables . Check the /lib/ modules/ version /net/ipv4/netfilter directory for other modules you may need to explicitly load. To avoid manually loading modules, you can compile the support directly into the kernel, but this will increase your kernel file's size .  |
