Configuring Your Kernel
Before you dive in and decide that you need to rebuild your kernel, take a look to see if your distribution includes the Netfilter modules. Thanks to some last-minute changes, they're not as easy to find. But take a look in /lib/modules/2.4.x/kernel/net/ipv4/netfilter/ (where x is the specific revision number) and /lib/modules/2.4.x/kernel/net/ipv6/netfilter/ for the modules. If they're there, and they probably are, skip down to the next section. Your distribution took into account that most systems require at least some filter protection. If you have no modules for Netfilter, prepare to compile. I know a few folks who think that kernel compiling is as much fun as sticking forks in their eyes, but it really isn't that bad. You can take the opportunity to make your kernel lean and mean for a fast machine. Seriously, if you have the proper distribution packages installed (just select all packages), you're on your way. For Caldera, Red Hat, and Red Hat-like distributions, download new, pristine kernel source (the distribution-provided source is often modified and sometimes requires a special procedure to compile, so don't use it). Make sure you have the ncurses-devel libraries loaded, the glibc-devel libraries, the bin86 package, and the gcc or egcs package and all of its libraries loaded.
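The "take a look" step above can be scripted, so you know before touching the compiler whether a rebuild is needed at all. The shell function below is an added example, not part of the original article: it walks the ipv4 and ipv6 Netfilter directories of a module tree for a given kernel version and reports which module objects it finds. The module tree root and version are passed in as arguments (on a live system, /lib/modules and the output of uname -r); the demo function builds a throwaway tree with a constructed placeholder ip_tables.o so the check runs without a real kernel.

```shell
#!/bin/sh
# Added example (not from the original article): check whether a module tree
# already ships the Netfilter modules for a given kernel version.
# Usage: has_netfilter_modules /lib/modules "$(uname -r)"
# Returns 0 (and lists the modules) if either the IPv4 or IPv6 Netfilter
# directory contains at least one module object, 1 otherwise.
has_netfilter_modules() {
    root="$1"
    ver="$2"
    found=0
    for fam in ipv4 ipv6; do
        dir="$root/$ver/kernel/net/$fam/netfilter"
        [ -d "$dir" ] || continue
        # 2.4 modules are .o files; later kernels use .ko, accepted here as well
        for mod in "$dir"/*.o "$dir"/*.ko; do
            [ -f "$mod" ] || continue
            echo "$mod"
            found=1
        done
    done
    [ "$found" -eq 1 ]
}

# Demo on a constructed module tree (no real kernel required): one version
# with a placeholder Netfilter module, one without a netfilter directory.
demo_netfilter_check() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/2.4.1/kernel/net/ipv4/netfilter" "$tmp/2.4.1/kernel/net/ipv6/netfilter"
    : > "$tmp/2.4.1/kernel/net/ipv4/netfilter/ip_tables.o"   # constructed placeholder, not a real module
    mkdir -p "$tmp/2.4.0/kernel/net/ipv4"                     # tree built without Netfilter
    if has_netfilter_modules "$tmp" 2.4.1 >/dev/null; then a=present; else a=missing; fi
    if has_netfilter_modules "$tmp" 2.4.0 >/dev/null; then b=present; else b=missing; fi
    rm -rf "$tmp"
    echo "$a $b"
}
```

Run has_netfilter_modules /lib/modules "$(uname -r)" on the box in question; an empty listing and exit status 1 means the distribution kernel was built without Netfilter and the rest of this section applies.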
Unzip the tarball, and cd into the directory created:
tar xzvf linux-2.4.x.tar.gz
Or, use this command:
bzcat linux-2.4.x.tar.bz2 | tar xv
Then do this:
cd linux
Once you've accomplished this, the hard part's done, aside from deciding what to and what not to include in your kernel.
Just follow this recipe:
make mrproper menuconfig
When the menu comes up, configure your kernel. But pay attention to the following configuration options:
In the Code Maturity Level Options, choose Prompt for Development and/or Include Code/Drivers.
In the Loadable Module Support section, choose at least Enable Loadable Module Support.
When you get to the Networking Options section, choose Network Packet Filtering (Replaces ipchains).
You may want to forgo selecting Network Packet Filtering Debugging, unless you have a lot of disk space, because this will rapidly fill your logs.
If you want to do anything fancy with your packets that involves marking the packets for special dispensation, you'll want to select the following options:
You may also want to select IP: Fast Network Address Translation.
The IP: Use TOS Value as Routing Key option will allow you to change selected packets' Type of Service bit. This can be useful on a network with several users sharing narrow bandwidth to the Internet.
Further down, you'll see IP: Netfilter Configuration. Selecting this will take you to another menu, which will allow you to select the Netfilter modules that you want to include in your build. Be greedy, take them all. You never know which ones you'll need, and as modules, they take up memory only when loaded.
If you select the IPv6 protocol, you'll be able to see the IPv6: Netfilter Configuration selection, which will take you to a menu with the Netfilter IPv6 modules. If you have selected IPv6, build the Netfilter IPv6 modules.
Danger, Will Robinson! Do not select Fast Switching. This code will allow packets to completely bypass the Netfilter code. It's also a good idea not to select any protocols other than IPv4 and IPv6.
Finally, you might want to choose QoS and/or Fair Queuing, which will allow you to turn on a myriad of modules for queuing. While most will require iproute2 more than Netfilter, some of these modules will allow you to do interesting things, such as bandwidth limiting to some IPs, while allowing others more bandwidth. These are not needed for our discussion of Netfilter, but they are fun to play with (if you're into routing).
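Because the menu choices above end up as CONFIG_ symbols in the kernel tree's .config, the result can be audited before you start the long build. The script below is an added example, not from the original article; it assumes the 2.4-era symbol names that the menu entries map to (CONFIG_MODULES for loadable module support, CONFIG_NETFILTER for Network Packet Filtering, CONFIG_NETFILTER_DEBUG for its debugging output, CONFIG_NET_FASTROUTE for Fast Switching, CONFIG_IPV6 and CONFIG_IP6_NF_IPTABLES for the IPv6 side). It flags the two choices that silently defeat filtering (no Netfilter, or Fast Switching bypassing it) as errors and the log-flooding debug option as a warning. The demo runs it over two constructed .config fragments.

```shell
#!/bin/sh
# Added example (not from the original article): audit a kernel .config for
# the Netfilter-related choices discussed in the text.
# Option names are assumed 2.4-era CONFIG_ symbols for the menu entries.

# cfg_enabled SYMBOL FILE: true when SYMBOL is built in (=y) or as a module (=m).
# Disabled options appear as "# CONFIG_X is not set" and do not match.
cfg_enabled() {
    grep -E "^$1=(y|m)$" "$2" >/dev/null
}

# Prints one line per finding; returns 0 if no hard error was found, 1 otherwise.
audit_netfilter_config() {
    cfg="$1"
    rc=0
    cfg_enabled CONFIG_MODULES "$cfg"   || { echo "ERROR: loadable module support is off"; rc=1; }
    cfg_enabled CONFIG_NETFILTER "$cfg" || { echo "ERROR: Network Packet Filtering is off"; rc=1; }
    # Fast switching lets packets bypass the Netfilter hooks entirely
    cfg_enabled CONFIG_NET_FASTROUTE "$cfg" && { echo "ERROR: Fast Switching is on, packets skip Netfilter"; rc=1; }
    # Debug output fills the logs quickly
    cfg_enabled CONFIG_NETFILTER_DEBUG "$cfg" && echo "WARN: Netfilter debugging is on, expect noisy logs"
    # If IPv6 is built, build the IPv6 Netfilter modules too
    if cfg_enabled CONFIG_IPV6 "$cfg" && ! cfg_enabled CONFIG_IP6_NF_IPTABLES "$cfg"; then
        echo "WARN: IPv6 is enabled but IPv6 Netfilter (ip6tables) is not"
    fi
    return $rc
}

# Demo over two constructed .config fragments (not real kernel configs).
demo_audit() {
    good=$(mktemp); bad=$(mktemp)
    printf '%s\n' 'CONFIG_MODULES=y' 'CONFIG_NETFILTER=y' \
        '# CONFIG_NETFILTER_DEBUG is not set' '# CONFIG_NET_FASTROUTE is not set' \
        'CONFIG_IPV6=m' 'CONFIG_IP6_NF_IPTABLES=m' > "$good"
    printf '%s\n' 'CONFIG_MODULES=y' '# CONFIG_NETFILTER is not set' \
        'CONFIG_NET_FASTROUTE=y' > "$bad"
    if audit_netfilter_config "$good" >/dev/null; then g=ok; else g=fail; fi
    if audit_netfilter_config "$bad" >/dev/null; then b=ok; else b=fail; fi
    rm -f "$good" "$bad"
    echo "$g $b"
}
```

Run audit_netfilter_config .config from the top of the kernel source tree after leaving menuconfig; a nonzero exit means go back into the menu before typing make.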
When you've finished configuring the rest of the kernel, just issue this command:
make dep clean bzImage modules modules_install
Then take a lunch or dinner break. When your build finishes, copy System.map and arch/i386/boot/bzImage to wherever your distribution puts copies of your kernel. Personally, I like to name them both with the kernel version because I like to keep several working kernels available. So, I would name each something like /boot/System.map-2.4.1 and /boot/bzImage-2.4.1.
The kernel build performed a depmod -a for you, just in case you didn't watch the entire compilation process. So, you don't need to worry about this; you just need to reconfigure /etc/lilo.conf, rerun lilo, and reboot.