iptables Howto (1)

From RaySoft

This howto is based on the following documentation:

Installation

Synchronize the repository and preview what would be installed (--pretend installs nothing):

emaint --auto sync
emerge --update --pretend 'net-firewall/iptables'

Install the package:

emerge --update 'net-firewall/iptables'

Configuration

Add the init scripts to the default runlevel so the saved rule sets are loaded at boot (iptables is not a daemon; the scripts only load and save the rules):

rc-update add 'iptables' 'default'
rc-update add 'ip6tables' 'default'
rc-update show | grep 'ip.\?tables'

Output:

            ip6tables |      default
             iptables |      default

Kernel

Activate the following kernel options:

[*] Networking support  --->
    -- Networking support
        Networking options  --->
        [*] TCP/IP networking
        [*]   IP: multicasting
        [*]   IP: advanced router
        ...
        [*]   IP: kernel level autoconfiguration
        [*]     IP: DHCP support
        ...
        [*]   IP: TCP syncookie support
        ...
        <M>   Large Receive Offload (ipv4/tcp)
        <*>   INET: socket monitoring interface
        ...
        <M>   The IPv6 protocol  --->
            --- The IPv6 protocol
            ...
        [*] Network packet filtering framework (Netfilter)  --->
            --- Network packet filtering framework (Netfilter)
            [ ] Network packet filtering debugging
            [*] Advanced netfilter configuration
                Core Netfilter Configuration  --->
                    ...
                    <M> Netfilter connection tracking support
                    -*- Connection mark tracking support
                    ...
                    {M} Netfilter Xtables support (required for ip_tables)
                    ...
                    <M>   LOG target support
                    < >   "MARK" target support
                    -M-   "SNAT and DNAT" targets support
                    ...
                    <M>   "comment" match support
                    ...
                    <M>   "conntrack" connection tracking match support
                    ...
                    <M>   "length" match support
                    <M>   "limit" match support
                    ...
                    <M>   "multiport" Multiple port match support
                    ...
                    <M>   "recent" match support
                    ...
                    <M>   "u32" match support
            < >   IP set support  ----
            < >   IP virtual server support  ----
                  IP: Netfilter Configuration  --->
                    <M> IPv4 connection tracking support (required for NAT)
                    < > ARP packet logging
                    {M} IPv4 packet logging
                    < > IPv4 packet rejection
                    -M- IPv4 NAT
                    -M-   IPv4 masquerade support
                    <M> IP tables support (required for filtering/masq/NAT)
                    ...
                    <M>   "rpfilter" reverse path filter match support
                    < >   "ttl" match support
                    <M>   Packet filtering
                    ...
                    <M>   iptables NAT support
                    <M>     MASQUERADE target support
                    ...
                    <M>   raw table support (required for NOTRACK/TRACE)
                    ...
                IPv6: Netfilter Configuration  --->
                    ...
                    -M- IPv6 packet logging
                    ...

Edit the following file:

Rule set

Firewall

Edit the following file:

Run the script:

/root/bin/mk-iptables-conf-fw.sh

Save the rules:

/etc/init.d/iptables save
/etc/init.d/ip6tables save

Client

Edit the following file:

Run the script:

/root/bin/mk-iptables-conf-client.sh

Save the rules:

/etc/init.d/iptables save
/etc/init.d/ip6tables save
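The page does not reproduce the contents of mk-iptables-conf-fw.sh or mk-iptables-conf-client.sh. The following is an added example, not the page's scripts and not RaySoft's code: a POSIX shell script that emits an iptables-restore rule set for either role ("client" for a single host, "fw" for a NAT gateway), using only matches and targets that the kernel configuration above enables (raw table, rpfilter, conntrack, multiport, limit, recent, comment, LOG, MASQUERADE). Because that configuration leaves "IPv4 packet rejection" unset, the script drops unwanted traffic rather than rejecting it. The interface names eth0/eth1, the LAN prefix 192.168.1.0/24 and the port list are assumptions, overridable through environment variables.

```shell
#!/bin/sh
# Added example, not the page's mk-iptables-conf-*.sh scripts: print an
# iptables-restore rule set for a "client" host or a NAT "fw" gateway.
# Every match/target used here is enabled in the kernel config shown above;
# REJECT is not (IPv4 packet rejection is unset), so unwanted traffic is dropped.
#
# Assumed values (override via environment): uplink, LAN side, LAN prefix,
# SSH port and the TCP ports accepted for new inbound connections.
WAN="${WAN:-eth0}"
LAN="${LAN:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
SSH_PORT="${SSH_PORT:-22}"
TCP_PORTS="${TCP_PORTS:-$SSH_PORT}"

# gen_rules MODE   (MODE is "client" or "fw"); the rule set goes to stdout.
gen_rules() {
  mode="${1:-client}"
  case "$mode" in
    client|fw) ;;
    *) echo "gen_rules: mode must be client or fw" >&2; return 2 ;;
  esac

  # raw table: reverse-path check before conntrack sees the packet.
  # --invert matches packets that FAIL the check (unroutable source), which are dropped.
  # filter table: default-deny INPUT/FORWARD, stateful accept, rate-limited logging,
  # and a "recent" table that drops the 4th new SSH connection from one source within 60 s.
  cat <<EOF
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -m rpfilter --invert -m comment --comment "reverse path check failed" -j DROP
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOG_DROP - [0:0]
-A LOG_DROP -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix "iptables drop: " --log-level 6
-A LOG_DROP -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s --limit-burst 10 -j ACCEPT
-A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -m recent --name ssh --set
-A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -m recent --name ssh --update --seconds 60 --hitcount 4 -j LOG_DROP
-A INPUT -p tcp -m multiport --dports $TCP_PORTS -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -j LOG_DROP
EOF

  # Gateway only: forward LAN-originated traffic to the uplink, nothing else.
  if [ "$mode" = fw ]; then
    cat <<EOF
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i $LAN -o $WAN -s $LAN_NET -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -j LOG_DROP
EOF
  fi
  echo COMMIT

  # Gateway only: masquerade the LAN prefix behind the uplink address.
  if [ "$mode" = fw ]; then
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $LAN_NET -o $WAN -j MASQUERADE
COMMIT
EOF
  fi
}

# Usage: sh <this script> fw | iptables-restore --test   (drop --test to load it)
if [ -n "${1:-}" ]; then
  gen_rules "$1"
fi
```

Validate the output with `iptables-restore --test` before loading it, load it with `iptables-restore`, check the running set with `iptables-save`, and then run `/etc/init.d/iptables save` as in the steps above so it is written to the init script's save file and restored at boot. The example covers IPv4 only: with the IPv6 protocol built and ip6tables in the default runlevel, IPv6 traffic stays unfiltered until ip6tables gets its own rule set (at minimum a DROP policy on INPUT and FORWARD), so save that with `/etc/init.d/ip6tables save` as well.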