Difference between revisions of "IPv6 Firewall: Persiapan Menggunakan netfilter6"

18.2. Preparation

This step is only needed if distributed kernel and netfilter doesn't fit your requirements and new features are available but still not built-in. 18.2.1. Get sources

Get the latest kernel source: http://www.kernel.org/

Get the latest iptables package:

   Source tarball (for kernel patches): http://www.netfilter.org/

18.2.2. Extract sources

Change to source directory:

# cd /path/to/src 

Unpack and rename kernel sources

# tar z|jxf kernel-version.tar.gz|bz2 
# mv linux linux-version-iptables-version+IPv6 

Unpack iptables sources

1. tar z|jxf iptables-version.tar.gz|bz2

18.2.3. Apply latest iptables/IPv6-related patches to kernel source

Change to iptables directory

# cd iptables-version 

Apply pending patches

# make pending-patches KERNEL_DIR=/path/to/src/linux-version-iptables-version/ 

Apply additional IPv6 related patches (still not in the vanilla kernel included)

# make patch-o-matic KERNEL_DIR=/path/to/src/linux-version-iptables-version/ 

Say yes at following options (iptables-1.2.2)

   ah-esp.patch

   masq-dynaddr.patch (only needed for systems with dynamic IP assigned WAN connections like PPP or PPPoE)

   ipv6-agr.patch.ipv6

   ipv6-ports.patch.ipv6

   LOG.patch.ipv6

   REJECT.patch.ipv6 

Check IPv6 extensions

# make print-extensions 

Extensions found: IPv6:owner IPv6:limit IPv6:mac IPv6:multiport

18.2.4. Configure, build and install new kernel

Change to kernel sources

# cd /path/to/src/linux-version-iptables-version/ 

Edit Makefile

- EXTRAVERSION = 
+ EXTRAVERSION = -iptables-version+IPv6-try 

Run configure, enable IPv6 related

           Code maturity level options 
                 Prompt for development and/or incomplete code/drivers : yes 
           Networking options 
                 Network packet filtering: yes 
                 The IPv6 protocol: module 
                      IPv6: Netfilter Configuration 
                            IP6 tables support: module 
                            All new options like following: 
                                  limit match support: module 
                                  MAC address match support: module 
                                  Multiple port match support: module 
                                  Owner match support: module 
                                  netfilter MARK match support: module 
                                  Aggregated address check: module 
                                  Packet filtering: module 
                                       REJECT target support: module 
                                       LOG target support: module 
                                  Packet mangling: module 
                                  MARK target support: module 

Configure other related to your system, too

Compilation and installing: see the kernel section here and other HOWTOs

18.2.5. Rebuild and install binaries of iptables

Make sure, that upper kernel source tree is also available at /usr/src/linux/

Rename older directory

# mv /usr/src/linux /usr/src/linux.old 

Create a new softlink

# ln -s /path/to/src/linux-version-iptables-version /usr/src/linux 

Rebuild SRPMS

# rpm --rebuild /path/to/SRPMS/iptables-version-release.src.rpm 

Install new iptables packages (iptables + iptables-ipv6)

   On RH 7.1 systems, normally, already an older version is installed, therefore use "freshen" 

# rpm -Fhv /path/to/RPMS/cpu/iptables*-version-release.cpu.rpm 

   If not already installed, use "install" 

# rpm -ihv /path/to/RPMS/cpu/iptables*-version-release.cpu.rpm 

   On RH 6.2 systems, normally, no kernel 2.4.x is installed, therefore the requirements don't fit. Use "--nodeps" to install it 

# rpm -ihv --nodeps /path/to/RPMS/cpu/iptables*-version-release.cpu.rpm 

Perhaps it's necessary to create a softlink for iptables libraries where iptables looks for them

# ln -s /lib/iptables/ /usr/lib/iptables