Difference between revisions of "IPv6 Firewall: Persiapan Menggunakan netfilter6"

Latest revision as of 09:27, 26 June 2015

Langkah ini hanya perlu dilakukan jika kernel dan netfilter bawaan distribusi tidak sesuai dengan kebutuhkan kita dan kita membutuhkan fitur baru yang belum built-in.

Ambil Source

Ambil source dari

http://www.kernel.org

Ambil iptables terakhir (kernel patch) dari

http://www.netfilter.org/

Buka source

Pindah ke directory source

# cd /path/to/src

Buka dan and rename kernel source

# tar z|jxf kernel-version.tar.gz|bz2 
# mv linux linux-version-iptables-version+IPv6

Unpack iptables source

# tar z|jxf iptables-version.tar.gz|bz2

Apply latest iptables/IPv6-related patches to kernel source

Pindah ke directory iptables

# cd iptables-version

Lakukan pending patche

# make pending-patches KERNEL_DIR=/path/to/src/linux-version-iptables-version/

Lakukan patch terkait IPv6 (still not in the vanilla kernel included)

# make patch-o-matic KERNEL_DIR=/path/to/src/linux-version-iptables-version/

Pilih yes pada opsi berikut (iptables-1.2.2)

ah-esp.patch
masq-dynaddr.patch (only needed for systems with dynamic IP assigned WAN connections like PPP or PPPoE)
ipv6-agr.patch.ipv6
ipv6-ports.patch.ipv6
LOG.patch.ipv6
REJECT.patch.ipv6

Cek IPv6 extension

# make print-extensions

Extensions found: IPv6:owner IPv6:limit IPv6:mac IPv6:multiport

Configure, build and install new kernel

Change to kernel sources

# cd /path/to/src/linux-version-iptables-version/

Edit Makefile

- EXTRAVERSION = 
+ EXTRAVERSION = -iptables-version+IPv6-try

Run configure, enable IPv6 related

           Code maturity level options 
                 Prompt for development and/or incomplete code/drivers : yes 
           Networking options 
                 Network packet filtering: yes 
                 The IPv6 protocol: module 
                      IPv6: Netfilter Configuration 
                            IP6 tables support: module 
                            All new options like following: 
                                  limit match support: module 
                                  MAC address match support: module 
                                  Multiple port match support: module 
                                  Owner match support: module 
                                  netfilter MARK match support: module 
                                  Aggregated address check: module 
                                  Packet filtering: module 
                                       REJECT target support: module 
                                       LOG target support: module 
                                  Packet mangling: module 
                                  MARK target support: module

Configure other related to your system, too

Compilation and installing: see the kernel section here and other HOWTOs

Rebuild dan install binary dari iptables

Pastikan bahwa kernel source tree yang paling atas juga tersedia di /usr/src/linux/

Rename directory yang lama

# mv /usr/src/linux /usr/src/linux.old

Buat softlink yang baru

# ln -s /path/to/src/linux-version-iptables-version /usr/src/linux

Rebuild SRPMS

# rpm --rebuild /path/to/SRPMS/iptables-version-release.src.rpm

Install iptables package (iptables + iptables-ipv6)

Di RH 7.1 system, biasanya, sudah tersedia versi lama yang terinstall, oleh karena itu kita perlu memperbaharui-nya

# rpm -Fhv /path/to/RPMS/cpu/iptables*-version-release.cpu.rpm

Jika belum di instalasi, gunakan "install"

# rpm -ihv /path/to/RPMS/cpu/iptables*-version-release.cpu.rpm

Di sistem RH 6.2, biasanya, kernel 2.4.x tidak di install, oleh karena kebutuhan yang kita butuhkan tidak cocok. Gunakan "--nodeps" untuk menginstalasinya

# rpm -ihv --nodeps /path/to/RPMS/cpu/iptables*-version-release.cpu.rpm

Perhaps it's necessary to create a softlink for iptables libraries where iptables looks for them

# ln -s /lib/iptables/ /usr/lib/iptables