IPv6 Firewall: Preparation for Using netfilter6
This step is only needed if the distribution's kernel and netfilter don't fit your requirements and new features are available but still not built in.
18.2.1. Get sources
Get the latest kernel source: http://www.kernel.org/
Get the latest iptables package:
Source tarball (for kernel patches): http://www.netfilter.org/
18.2.2. Extract sources
Change to source directory:
# cd /path/to/src
Unpack and rename kernel sources
# tar z|jxf kernel-version.tar.gz|bz2
# mv linux linux-version-iptables-version+IPv6
Unpack iptables sources
# tar z|jxf iptables-version.tar.gz|bz2
Change to iptables directory
# cd iptables-version
Apply pending patches
# make pending-patches KERNEL_DIR=/path/to/src/linux-version-iptables-version/
Apply additional IPv6-related patches (still not included in the vanilla kernel)
# make patch-o-matic KERNEL_DIR=/path/to/src/linux-version-iptables-version/
Answer yes to the following options (iptables-1.2.2)
ah-esp.patch
masq-dynaddr.patch (only needed for systems with dynamic IP assigned WAN connections like PPP or PPPoE)
ipv6-agr.patch.ipv6
ipv6-ports.patch.ipv6
LOG.patch.ipv6
REJECT.patch.ipv6
Check IPv6 extensions
# make print-extensions
Extensions found: IPv6:owner IPv6:limit IPv6:mac IPv6:multiport
18.2.4. Configure, build and install new kernel
Change to kernel sources
# cd /path/to/src/linux-version-iptables-version/
Edit Makefile
- EXTRAVERSION = + EXTRAVERSION = -iptables-version+IPv6-try
Run configure and enable the IPv6-related options
Code maturity level options
    Prompt for development and/or incomplete code/drivers: yes
Networking options
    Network packet filtering: yes
    The IPv6 protocol: module
        IPv6: Netfilter Configuration
            IP6 tables support: module
            All new options like following:
                limit match support: module
                MAC address match support: module
                Multiple port match support: module
                Owner match support: module
                netfilter MARK match support: module
                Aggregated address check: module
                Packet filtering: module
                    REJECT target support: module
                    LOG target support: module
                Packet mangling: module
                MARK target support: module
Configure the other options related to your system, too
Compilation and installing: see the kernel section here and other HOWTOs
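One way to confirm, before compiling, that the options selected above actually ended up in the kernel .config (an added example, not part of the original HOWTO). The CONFIG_ symbol names and the sample .config are assumptions; the page gives only the menu labels.

```shell
#!/bin/sh
# Added example: verify that a kernel .config enables the IPv6 netfilter
# options selected in the menu above. The CONFIG_ symbol names are assumed
# (2.4-era names); they do not appear on the page.

# Menu entries mapped to assumed symbols. "Aggregated address check" comes from
# a patch-o-matic patch and is left out because its symbol is not known here.
REQUIRED_OPTS="CONFIG_EXPERIMENTAL CONFIG_NETFILTER CONFIG_IPV6
CONFIG_IP6_NF_IPTABLES CONFIG_IP6_NF_MATCH_LIMIT CONFIG_IP6_NF_MATCH_MAC
CONFIG_IP6_NF_MATCH_MULTIPORT CONFIG_IP6_NF_MATCH_OWNER
CONFIG_IP6_NF_MATCH_MARK CONFIG_IP6_NF_FILTER CONFIG_IP6_NF_TARGET_REJECT
CONFIG_IP6_NF_TARGET_LOG CONFIG_IP6_NF_MANGLE CONFIG_IP6_NF_TARGET_MARK"

# Print every required option that is not set to y or m in the given .config.
# A "# CONFIG_X is not set" line and a missing line both count as disabled.
missing_ipv6_opts() {
    cfg=$1
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 2; }
    for opt in $REQUIRED_OPTS; do
        grep -Eq "^${opt}=(y|m)\$" "$cfg" || printf '%s\n' "$opt"
    done
}

# Constructed sample .config: owner match and LOG target were not enabled.
write_sample_config() {
    cat > "$1" <<'EOF'
CONFIG_EXPERIMENTAL=y
CONFIG_NETFILTER=y
CONFIG_IPV6=m
CONFIG_IP6_NF_IPTABLES=m
CONFIG_IP6_NF_MATCH_LIMIT=m
CONFIG_IP6_NF_MATCH_MAC=m
CONFIG_IP6_NF_MATCH_MULTIPORT=m
# CONFIG_IP6_NF_MATCH_OWNER is not set
CONFIG_IP6_NF_MATCH_MARK=m
CONFIG_IP6_NF_FILTER=m
CONFIG_IP6_NF_TARGET_REJECT=m
# CONFIG_IP6_NF_TARGET_LOG is not set
CONFIG_IP6_NF_MANGLE=m
CONFIG_IP6_NF_TARGET_MARK=m
EOF
}

# Usage: sh check-config.sh /path/to/src/linux-version-iptables-version/.config
[ -z "${1:-}" ] || missing_ipv6_opts "$1"
```

An empty result means every listed option is built in or built as a module; a missing LOG or REJECT target would otherwise only show up later, when ip6tables rules that use it fail to load.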
18.2.5. Rebuild and install binaries of iptables
Make sure that the kernel source tree from above is also available at /usr/src/linux/
Rename older directory
# mv /usr/src/linux /usr/src/linux.old
Create a new softlink
# ln -s /path/to/src/linux-version-iptables-version /usr/src/linux
Rebuild SRPMS
# rpm --rebuild /path/to/SRPMS/iptables-version-release.src.rpm
Install new iptables packages (iptables + iptables-ipv6)
On RH 7.1 systems, an older version is normally already installed, therefore use "freshen"
# rpm -Fhv /path/to/RPMS/cpu/iptables*-version-release.cpu.rpm
If not already installed, use "install"
# rpm -ihv /path/to/RPMS/cpu/iptables*-version-release.cpu.rpm
On RH 6.2 systems, normally no kernel 2.4.x is installed, so the package requirements are not met. Use "--nodeps" to install it
# rpm -ihv --nodeps /path/to/RPMS/cpu/iptables*-version-release.cpu.rpm
It may be necessary to create a softlink for the iptables libraries in the location where iptables looks for them
# ln -s /lib/iptables/ /usr/lib/iptables