IPv6 Firewall: Preparation Using netfilter6

From OnnoWiki
Revision as of 06:56, 23 May 2013 by Onnowpurbo

18.2. Preparation

This step is only needed if the distributed kernel and netfilter do not fit your requirements, i.e. new features are available but are not yet built in. Most current distribution kernels ship with IP6 tables support, so check the existing kernel configuration first.

18.2.1. Get sources

Get the latest kernel source: http://www.kernel.org/

Get the latest iptables package:

   Source tarball (for kernel patches): http://www.netfilter.org/

Both sites publish detached PGP signatures next to the tarballs; verify them before unpacking, since the code built here ends up in the kernel.

18.2.2. Extract sources

Change to the source directory:

   # cd /path/to/src

Unpack and rename the kernel sources (use z for a .tar.gz archive, j for a .tar.bz2 archive); the renamed directory is referenced by the KERNEL_DIR paths below:

   # tar z|jxf kernel-version.tar.gz|bz2
   # mv linux linux-version-iptables-version

Unpack the iptables sources:

   # tar z|jxf iptables-version.tar.gz|bz2

18.2.3. Apply latest iptables/IPv6-related patches to kernel source

Change to the iptables directory:

   # cd iptables-version

Apply the pending patches:

   # make pending-patches KERNEL_DIR=/path/to/src/linux-version-iptables-version/

Apply the additional IPv6 related patches (not yet included in the vanilla kernel):

   # make patch-o-matic KERNEL_DIR=/path/to/src/linux-version-iptables-version/

Say yes to the following options (for iptables-1.2.2):

   ah-esp.patch
   masq-dynaddr.patch (only needed for systems with dynamic IP assigned WAN connections like PPP or PPPoE)
   ipv6-agr.patch.ipv6
   ipv6-ports.patch.ipv6
   LOG.patch.ipv6
   REJECT.patch.ipv6 

Check IPv6 extensions

   # make print-extensions

Extensions found: IPv6:owner IPv6:limit IPv6:mac IPv6:multiport

18.2.4. Configure, build and install new kernel

Change to the kernel sources:

   # cd /path/to/src/linux-version-iptables-version/

Edit the top-level Makefile so the new kernel can be told apart from the distribution kernel (change the EXTRAVERSION line):

   - EXTRAVERSION =
   + EXTRAVERSION = -iptables-version+IPv6-try

Run the kernel configuration and enable the IPv6 related options:

           Code maturity level options 
                 Prompt for development and/or incomplete code/drivers : yes 
           Networking options 
                 Network packet filtering: yes 
                 The IPv6 protocol: module 
                      IPv6: Netfilter Configuration 
                            IP6 tables support: module 
                            All new options, as follows: 
                                  limit match support: module 
                                  MAC address match support: module 
                                  Multiple port match support: module 
                                  Owner match support: module 
                                  netfilter MARK match support: module 
                                  Aggregated address check: module 
                                  Packet filtering: module 
                                       REJECT target support: module 
                                       LOG target support: module 
                                  Packet mangling: module 
                                  MARK target support: module 

Configure the other options relevant to your system, too.
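Before rebuilding, it is worth checking whether the kernel you already have carries the options listed above. The following POSIX shell script is an added example, not part of the HOWTO or of netfilter, and checks a kernel .config for the IPv6 netfilter options (on a running kernel with CONFIG_IKCONFIG_PROC, the config can be read with `zcat /proc/config.gz`). The Kconfig symbol names are the ones used by 2.4/2.6 kernels; the mapping from the menu text above to those symbols is my assumption, and the "Aggregated address check" item is left out because the page does not give its symbol. The sample .config is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: report which IPv6 netfilter options a kernel .config lacks,
# so you can decide whether the rebuild in 18.2 is needed at all.

# Symbols that must be =y or =m for a usable ip6tables kernel (assumed mapping
# of "The IPv6 protocol", "Network packet filtering", "IP6 tables support",
# "Packet filtering" to Kconfig symbols).
IP6_NF_REQUIRED="CONFIG_NETFILTER CONFIG_IPV6 CONFIG_IP6_NF_IPTABLES CONFIG_IP6_NF_FILTER"

# Symbols for the match/target extensions enabled in 18.2.4 (assumed mapping).
IP6_NF_EXTENSIONS="CONFIG_IP6_NF_MATCH_LIMIT CONFIG_IP6_NF_MATCH_MAC CONFIG_IP6_NF_MATCH_MULTIPORT CONFIG_IP6_NF_MATCH_OWNER CONFIG_IP6_NF_MATCH_MARK CONFIG_IP6_NF_TARGET_LOG CONFIG_IP6_NF_TARGET_REJECT CONFIG_IP6_NF_MANGLE CONFIG_IP6_NF_TARGET_MARK"

# config_state FILE SYMBOL: print y, m or n for a tristate symbol.
# .config lines look like "CONFIG_FOO=y", "CONFIG_FOO=m" or
# "# CONFIG_FOO is not set"; anything that is not =y/=m counts as n.
config_state() {
    state=$(sed -n 's/^'"$2"'=\(.\)$/\1/p' "$1" | tail -n 1)
    [ -n "$state" ] && printf '%s\n' "$state" || printf 'n\n'
}

# missing_options FILE SYMBOL...: print the symbols that are neither y nor m.
missing_options() {
    file=$1
    shift
    for sym in "$@"; do
        case $(config_state "$file" "$sym") in
            y|m) ;;
            *) printf '%s\n' "$sym" ;;
        esac
    done
}

# ip6tables_rebuild_needed FILE: succeed (exit 0) when any required symbol is
# missing, i.e. when the kernel cannot run ip6tables without a rebuild.
ip6tables_rebuild_needed() {
    [ -n "$(missing_options "$1" $IP6_NF_REQUIRED)" ]
}

# Constructed sample .config for the demonstration (not a real kernel's config).
sample_config=$(mktemp)
cat >"$sample_config" <<'EOF'
CONFIG_NETFILTER=y
CONFIG_IPV6=m
CONFIG_IP6_NF_IPTABLES=m
# CONFIG_IP6_NF_MATCH_LIMIT is not set
CONFIG_IP6_NF_MATCH_MAC=m
CONFIG_IP6_NF_FILTER=m
CONFIG_IP6_NF_TARGET_LOG=m
# CONFIG_IP6_NF_TARGET_REJECT is not set
EOF

if ip6tables_rebuild_needed "$sample_config"; then
    echo "ip6tables core missing; rebuild needed:"
    missing_options "$sample_config" $IP6_NF_REQUIRED
else
    echo "ip6tables core present; extensions still missing:"
    missing_options "$sample_config" $IP6_NF_EXTENSIONS
fi
rm -f "$sample_config"
```

Run it against `/usr/src/linux/.config` of the distribution kernel (or the output of `zcat /proc/config.gz`): if only extensions are listed, a module rebuild may be enough; if the core symbols are missing, the full procedure in this section applies.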

Compilation and installation: see the kernel section of the HOWTO and other HOWTOs.

18.2.5. Rebuild and install binaries of iptables

Make sure that the kernel source tree prepared above is also available at /usr/src/linux/, because the iptables build looks for the kernel headers there.

Rename the old directory:

   # mv /usr/src/linux /usr/src/linux.old

Create a new softlink:

   # ln -s /path/to/src/linux-version-iptables-version /usr/src/linux

Rebuild the SRPMS:

   # rpm --rebuild /path/to/SRPMS/iptables-version-release.src.rpm

Install the new iptables packages (iptables + iptables-ipv6):

   On RH 7.1 systems an older version is normally already installed, so use "freshen": 
   # rpm -Fhv /path/to/RPMS/cpu/iptables*-version-release.cpu.rpm
   If not already installed, use "install": 
   # rpm -ihv /path/to/RPMS/cpu/iptables*-version-release.cpu.rpm
   On RH 6.2 systems no kernel 2.4.x is normally installed, so the package requirements are not met. Use "--nodeps" to install it anyway; this only skips RPM's dependency check, the binaries still need the new 2.4 kernel to be running before ip6tables will work. 
   # rpm -ihv --nodeps /path/to/RPMS/cpu/iptables*-version-release.cpu.rpm

It may be necessary to create a softlink so that iptables finds its extension libraries where it looks for them:

   # ln -s /lib/iptables/ /usr/lib/iptables