GIPTables Firewall Installation Guide

Written by: Adrian Pascalau apascalau@openna.com
Written by: Gerhard Mourani gmourani@openna.com
Last update: June 08, 2002

Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License, Version 1.1
or any later version published by the Free Software Foundation;
with the Invariant Sections being LIST THEIR TITLES, with the
Front-Cover Texts being LIST, and with the Back-Cover Texts being LIST.
A copy of the license is included in the section entitled 
GNU Free Documentation License.
This document describes the installation procedure of the GIPTables Firewall package on a RedHat Linux or compatible system.

If you are using OpenNA Linux BETA3 or newer, you do not have to install GIPTables Firewall yourself, because it comes installed by default as an RPM package.

All steps in the installation must be performed as the super-user root. A kernel recompilation may be required.

We have only tested GIPTables Firewall on OpenNA Linux and RedHat Linux 7.2, but the procedures given in this chapter are likely to work on all GNU/Linux platforms. Please regularly check our homepage for the latest status.

Source code is available from the GIPTables Firewall download page. Make sure you download the latest stable package.

Prerequisites

GIPTables Firewall requires that the software listed below is already installed on your system in order to run and work successfully. If this is not the case, you must install it from your GNU/Linux CD-ROM or from a source archive. Please make sure you have all of these programs installed on your machine before you proceed.

  • kernel 2.4.x or newer is required to set up GIPTables Firewall on your system.
  • the iptables package, the userspace program for the 2.4 kernel's netfilter framework, which GIPTables Firewall uses to load its rules into the kernel.
Building a kernel with iptables support

The first thing you need to do is to ensure that your kernel has been built with the iptables infrastructure compiled into it: iptables is a general framework inside the Linux kernel, which other things (such as the iptables modules) can plug into. This means you need kernel 2.4.x and must answer y, n or m to the following questions depending on the kernel type you have configured.

For a Monolithic Kernel, you would answer the questions y, and if you prefer running a Modularized Kernel, you would answer the questions m. It is important to understand that if iptables is not enabled in your kernel, NONE of the information contained in this document will work.

If your kernel is one that comes directly from your GNU/Linux vendor or is unmodified, then there is a good chance that it is already built to handle iptables, in which case you would not have to recompile it or go through the setup steps below.

Here are the required kernel settings for all types of servers except a Gateway/Proxy:

* Networking options
*
Packet socket (CONFIG_PACKET) ? Y
Packet socket: mmapped IO (CONFIG_PACKET_MMAP) ? Y
Netlink device emulation (CONFIG_NETLINK_DEV) ? Y
Network packet filtering (replaces ipchains) (CONFIG_NETFILTER) ? Y
Network packet filtering debugging (CONFIG_NETFILTER_DEBUG) ? Y
Socket Filtering (CONFIG_FILTER) ? N
Unix domain sockets (CONFIG_UNIX) ? Y
TCP/IP networking (CONFIG_INET) ? Y
IP: multicasting (CONFIG_IP_MULTICAST) ? N
IP: advanced router (CONFIG_IP_ADVANCED_ROUTER) ? N
IP: kernel level autoconfiguration (CONFIG_IP_PNP) ? N
IP: tunneling (CONFIG_NET_IPIP) ? N
IP: GRE tunnels over IP (CONFIG_NET_IPGRE) ? N
IP: TCP Explicit Congestion Notification support (CONFIG_INET_ECN) ? N
IP: TCP syncookie support (disabled per default) (CONFIG_SYN_COOKIES) ? Y
*
*   IP: Netfilter Configuration
*
Connection tracking (required for masq/NAT) (CONFIG_IP_NF_CONNTRACK) ? Y
FTP protocol support (CONFIG_IP_NF_FTP) ? Y
IRC protocol support (CONFIG_IP_NF_IRC) ? N
IP tables support (required for filtering/masq/NAT) (CONFIG_IP_NF_IPTABLES) ? Y
limit match support (CONFIG_IP_NF_MATCH_LIMIT) ? Y
MAC address match support (CONFIG_IP_NF_MATCH_MAC) ? Y
netfilter MARK match support (CONFIG_IP_NF_MATCH_MARK) ? Y
Multiple port match support (CONFIG_IP_NF_MATCH_MULTIPORT) ? Y
TOS match support (CONFIG_IP_NF_MATCH_TOS) ? Y
LENGTH match support (CONFIG_IP_NF_MATCH_LENGTH) ? Y
TTL match support (CONFIG_IP_NF_MATCH_TTL) ? Y
tcpmss match support (CONFIG_IP_NF_MATCH_TCPMSS) ? Y
Connection state match support (CONFIG_IP_NF_MATCH_STATE) ? Y
Packet filtering (CONFIG_IP_NF_FILTER) ? Y
REJECT target support (CONFIG_IP_NF_TARGET_REJECT) ? Y
Full NAT (CONFIG_IP_NF_NAT) ? Y
Packet mangling (CONFIG_IP_NF_MANGLE) ? Y
TOS target support (CONFIG_IP_NF_TARGET_TOS) ? Y
MARK target support (CONFIG_IP_NF_TARGET_MARK) ? Y
LOG target support (CONFIG_IP_NF_TARGET_LOG) ? Y
TCPMSS target support (CONFIG_IP_NF_TARGET_TCPMSS) ? Y

Here are the required kernel settings for a Gateway/Proxy server:
* Networking options
*
Packet socket (CONFIG_PACKET) ? Y
Packet socket: mmapped IO (CONFIG_PACKET_MMAP) ? Y
Netlink device emulation (CONFIG_NETLINK_DEV) ? Y
Network packet filtering (replaces ipchains) (CONFIG_NETFILTER) ? Y
Network packet filtering debugging (CONFIG_NETFILTER_DEBUG) ? Y
Socket Filtering (CONFIG_FILTER) ? Y
Unix domain sockets (CONFIG_UNIX) ? Y
TCP/IP networking (CONFIG_INET) ? Y
IP: multicasting (CONFIG_IP_MULTICAST) ? Y
IP: advanced router (CONFIG_IP_ADVANCED_ROUTER) ? Y
IP: policy routing (CONFIG_IP_MULTIPLE_TABLES) ? Y
IP: use netfilter MARK value as routing key (CONFIG_IP_ROUTE_FWMARK) ? Y
IP: fast network address translation (CONFIG_IP_ROUTE_NAT) ? Y
IP: equal cost multipath (CONFIG_IP_ROUTE_MULTIPATH) ? Y
IP: use TOS value as routing key (CONFIG_IP_ROUTE_TOS) ? Y
IP: verbose route monitoring (CONFIG_IP_ROUTE_VERBOSE) ? Y
IP: large routing tables (CONFIG_IP_ROUTE_LARGE_TABLES) ? Y
IP: kernel level autoconfiguration (CONFIG_IP_PNP) ? N
IP: tunneling (CONFIG_NET_IPIP) ? Y
IP: GRE tunnels over IP (CONFIG_NET_IPGRE) ? Y
IP: TCP Explicit Congestion Notification support (CONFIG_INET_ECN) ? N
IP: TCP syncookie support (disabled per default) (CONFIG_SYN_COOKIES) ? Y
*
*   IP: Netfilter Configuration
*
Connection tracking (required for masq/NAT) (CONFIG_IP_NF_CONNTRACK) ? Y
FTP protocol support (CONFIG_IP_NF_FTP) ? Y
IRC protocol support (CONFIG_IP_NF_IRC) ? Y
IP tables support (required for filtering/masq/NAT) (CONFIG_IP_NF_IPTABLES) ? Y
limit match support (CONFIG_IP_NF_MATCH_LIMIT) ? Y
MAC address match support (CONFIG_IP_NF_MATCH_MAC) ? Y
netfilter MARK match support (CONFIG_IP_NF_MATCH_MARK) ? Y
Multiple port match support (CONFIG_IP_NF_MATCH_MULTIPORT) ? Y
TOS match support (CONFIG_IP_NF_MATCH_TOS) ? Y
LENGTH match support (CONFIG_IP_NF_MATCH_LENGTH) ? Y
TTL match support (CONFIG_IP_NF_MATCH_TTL) ? Y
tcpmss match support (CONFIG_IP_NF_MATCH_TCPMSS) ? Y
Connection state match support (CONFIG_IP_NF_MATCH_STATE) ? Y
Packet filtering (CONFIG_IP_NF_FILTER) ? Y
REJECT target support (CONFIG_IP_NF_TARGET_REJECT) ? Y
Full NAT (CONFIG_IP_NF_NAT) ? Y
MASQUERADE target support (CONFIG_IP_NF_TARGET_MASQUERADE) ? Y
REDIRECT target support (CONFIG_IP_NF_TARGET_REDIRECT) ? Y
Packet mangling (CONFIG_IP_NF_MANGLE) ? Y
TOS target support (CONFIG_IP_NF_TARGET_TOS) ? Y
MARK target support (CONFIG_IP_NF_TARGET_MARK) ? Y
LOG target support (CONFIG_IP_NF_TARGET_LOG) ? Y
TCPMSS target support (CONFIG_IP_NF_TARGET_TCPMSS) ? Y
ipchains (2.2-style) support (CONFIG_IP_NF_COMPAT_IPCHAINS) ? N
ipfwadm (2.0-style) support (CONFIG_IP_NF_COMPAT_IPFWADM) ? N
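
Before recompiling or installing, it is worth checking which of the options above the running kernel already has, since a missing netfilter option is the most common reason the firewall script fails to load. The following POSIX shell script is an added example, not part of the GIPTables package: it parses a kernel .config (accepting either =y for a monolithic kernel or =m for a modular one) and lists every required option that is absent or "is not set". The two option lists are a subset I chose from the tables above, not the project's own list; extend them to the full set for your server type. The sample .config it runs against is constructed for the demo.

```shell
#!/bin/sh
# Added example (not part of the GIPTables package): check a kernel .config
# for the netfilter options the guide lists before building or installing.

# Print every option in "$@" that is not enabled (=y or =m) in config file $1.
# Returns 0 when all are enabled, 1 when some are missing, 2 if unreadable.
check_kernel_config() {
    cfg="$1"; shift
    missing=0
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 2; }
    for opt in "$@"; do
        # Anchored so CONFIG_IP_NF_NAT does not match CONFIG_IP_NF_NAT_FTP,
        # and "# CONFIG_X is not set" lines never match.
        if ! grep -E -q "^${opt}=(y|m)\$" "$cfg"; then
            echo "$opt"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Locate the running kernel's config where distributions usually put it.
running_kernel_config() {
    if [ -r "/boot/config-$(uname -r)" ]; then
        echo "/boot/config-$(uname -r)"
    elif [ -r /proc/config.gz ]; then
        tmp=$(mktemp) && zcat /proc/config.gz > "$tmp" && echo "$tmp"
    else
        echo "no kernel config found; pass the path to your .config" >&2
        return 1
    fi
}

# The userspace tool from the prerequisites list must be on the PATH too.
have_iptables() { command -v iptables >/dev/null 2>&1; }

# Subset (my choice) of the options the guide marks Y for every server type.
COMMON_REQUIRED="CONFIG_NETFILTER CONFIG_IP_NF_CONNTRACK CONFIG_IP_NF_IPTABLES
CONFIG_IP_NF_MATCH_STATE CONFIG_IP_NF_FILTER CONFIG_IP_NF_TARGET_REJECT
CONFIG_IP_NF_TARGET_LOG CONFIG_IP_NF_NAT CONFIG_IP_NF_MANGLE"

# Subset of the additional options the guide marks Y for a Gateway/Proxy.
GATEWAY_REQUIRED="CONFIG_IP_NF_TARGET_MASQUERADE CONFIG_IP_NF_TARGET_REDIRECT
CONFIG_IP_ADVANCED_ROUTER"

# Constructed sample .config (not from any real kernel) for a stand-alone run:
# everything common is enabled, MASQUERADE is disabled, ADVANCED_ROUTER absent.
make_sample_config() {
    cat > "$1" <<'EOF'
CONFIG_NETFILTER=y
CONFIG_IP_NF_CONNTRACK=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_MATCH_STATE=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=m
CONFIG_IP_NF_TARGET_LOG=m
CONFIG_IP_NF_NAT=m
CONFIG_IP_NF_NAT_FTP=m
CONFIG_IP_NF_MANGLE=m
# CONFIG_IP_NF_TARGET_MASQUERADE is not set
CONFIG_IP_NF_TARGET_REDIRECT=m
EOF
}

# Demo on the constructed sample. On a real host use instead:
#   check_kernel_config "$(running_kernel_config)" $COMMON_REQUIRED $GATEWAY_REQUIRED
SAMPLE=$(mktemp)
make_sample_config "$SAMPLE"
if check_kernel_config "$SAMPLE" $COMMON_REQUIRED $GATEWAY_REQUIRED; then
    echo "all required netfilter options are enabled"
else
    echo "(the options listed above are missing or disabled in $SAMPLE)"
fi
have_iptables || echo "iptables binary not found on PATH"
rm -f "$SAMPLE"
```

On the sample it prints CONFIG_IP_NF_TARGET_MASQUERADE and CONFIG_IP_ADVANCED_ROUTER, which is exactly the gap between the "all servers" and "Gateway/Proxy" tables above. Because =m is accepted, a modular kernel passes the check even though the modules are not yet loaded; the firewall script itself is what loads them.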
Installing GIPTables Firewall

To install the GIPTables Firewall software on your system, download the latest version of the software from the GIPTables Firewall download page, and then, as user root, expand the archive under your /var/tmp directory.

To accomplish this use the following commands:
[root@deep /]# cp giptables-<version>.tar.gz /var/tmp/
[root@deep /]# cd /var/tmp/
[root@deep tmp]# tar xzpf giptables-<version>.tar.gz
Next, move into the newly created GIPTables source directory and perform the following steps to install the software for your system:
[root@deep tmp]# cd giptables-1.1/
[root@deep giptables-1.1]# ./install.sh
The install.sh script installs all GIPTables Firewall components in their proper locations on your system.

If a previous installation of GIPTables Firewall is found on your system, the installation program will ask for confirmation before overwriting the older configuration files:
[root@deep giptables-1.1]# ./install.sh
WARNING!
install.sh detected previous installation of  GIPTables Firewall.
If you continue the installation, the following files will be overwrited:
    /lib/giptables/conf/giptables.conf.dns1
    /lib/giptables/conf/giptables.conf.dns2
    /lib/giptables/conf/giptables.conf.ftpserver
    /lib/giptables/conf/giptables.conf.gateway
    /lib/giptables/conf/giptables.conf.mailserver
    /lib/giptables/conf/giptables.conf.ppp
    /lib/giptables/conf/giptables.conf.README
    /lib/giptables/conf/giptables.conf.virtual
    /lib/giptables/conf/giptables.conf.webserver
    /lib/giptables/conf/giptables.conf.workstation
However, the following files will NOT be overwrited:
    /etc/rc.d/rc.giptables.blocked
    /etc/rc.d/rc.giptables.custom
Do you still want to continue the installation? <yes/no> [no]
The default is no, so if you just press Enter the installation is cancelled. This is a good opportunity to make backups of the configuration files you would like to keep. If you answer yes, the installation continues and overwrites all of the configuration files listed.
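
The prompt above gives you the chance to save local edits before install.sh replaces the giptables.conf.* files. The following POSIX shell script is an added example, not part of the GIPTables package: it snapshots every file the installer touches into a timestamped directory, and after the reinstall reports which of the installed files differ from the snapshot, so you know exactly what to merge back. The directories are parameters so the script can be dry-run on scratch directories (the demo constructs its own); on a real host pass /lib/giptables/conf, /etc/rc.d and a backup root of your choice.

```shell
#!/bin/sh
# Added example (not part of the GIPTables package): back up the files
# install.sh overwrites, then find which ones the reinstall changed.

# Copy giptables.conf.* from CONF_DIR and rc.giptables.* from RC_DIR into a
# timestamped directory under BACKUP_ROOT. Prints the backup directory path.
# Usage: backup_giptables_conf CONF_DIR RC_DIR BACKUP_ROOT
backup_giptables_conf() {
    conf_dir="$1"; rc_dir="$2"; root="$3"
    dest="$root/giptables-backup-$(date +%Y%m%d-%H%M%S)"
    mkdir -p "$dest/conf" "$dest/rc" || return 1
    # giptables.conf.* are the files the installer overwrites.
    for f in "$conf_dir"/giptables.conf.*; do
        if [ -f "$f" ]; then cp -p "$f" "$dest/conf/"; fi
    done
    # rc.giptables.blocked/custom are kept by the installer, but a snapshot
    # of the whole rule set is cheap and keeps the restore point complete.
    for f in "$rc_dir"/rc.giptables.*; do
        if [ -f "$f" ]; then cp -p "$f" "$dest/rc/"; fi
    done
    echo "$dest"
}

# After install.sh has run: print the name of every snapshot file whose
# installed copy now differs (or is gone). Returns 0 if nothing changed.
# Usage: changed_since_backup BACKUP_DIR CONF_DIR RC_DIR
changed_since_backup() {
    backup="$1"; conf_dir="$2"; rc_dir="$3"
    changed=0
    for f in "$backup"/conf/*; do
        [ -f "$f" ] || continue
        if ! cmp -s "$f" "$conf_dir/$(basename "$f")"; then
            basename "$f"; changed=$((changed + 1))
        fi
    done
    for f in "$backup"/rc/*; do
        [ -f "$f" ] || continue
        if ! cmp -s "$f" "$rc_dir/$(basename "$f")"; then
            basename "$f"; changed=$((changed + 1))
        fi
    done
    [ "$changed" -eq 0 ]
}

# Demo on constructed scratch directories, not the real /lib and /etc paths.
# Real use: snap=$(backup_giptables_conf /lib/giptables/conf /etc/rc.d /root)
#           ./install.sh
#           changed_since_backup "$snap" /lib/giptables/conf /etc/rc.d
demo=$(mktemp -d)
mkdir -p "$demo/conf" "$demo/rc"
echo "# local edit 1 (constructed content)" > "$demo/conf/giptables.conf.webserver"
echo "# local rules (constructed content)" > "$demo/rc/rc.giptables.custom"
snap=$(backup_giptables_conf "$demo/conf" "$demo/rc" "$demo/backups")
echo "# default shipped by installer (simulated)" > "$demo/conf/giptables.conf.webserver"
changed_since_backup "$snap" "$demo/conf" "$demo/rc" \
    || echo "(the files listed above were replaced; merge your edits back from $snap)"
rm -rf "$demo"
```

Run with the real paths, the backup directory lands outside /lib/giptables, so a second install.sh run cannot overwrite the snapshot itself. cmp is used rather than diff so the report is a plain file list that a script can act on; run diff -u on the named pair when you want to see the actual changes.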

Here is the list of all GIPTables Firewall files installed on your machine:
/etc/init.d/giptables
/etc/rc.d/rc.giptables.blocked
/etc/rc.d/rc.giptables.custom
/lib/giptables/conf/giptables.conf.dns1
/lib/giptables/conf/giptables.conf.dns2
/lib/giptables/conf/giptables.conf.ftpserver
/lib/giptables/conf/giptables.conf.gateway
/lib/giptables/conf/giptables.conf.mailserver
/lib/giptables/conf/giptables.conf.ppp
/lib/giptables/conf/giptables.conf.README
/lib/giptables/conf/giptables.conf.virtual
/lib/giptables/conf/giptables.conf.webserver
/lib/giptables/conf/giptables.conf.workstation
/lib/giptables/documentation/configuration.html
/lib/giptables/documentation/gateway.html
/lib/giptables/documentation/index.html
/lib/giptables/documentation/installation.html
/lib/giptables/documentation/modules.html
/lib/giptables/documentation/style.css
/lib/giptables/modules/giptables-ANY
/lib/giptables/modules/giptables-AUTH
/lib/giptables/modules/giptables-DHCP
/lib/giptables/modules/giptables-DNS
/lib/giptables/modules/giptables-FINGER
/lib/giptables/modules/giptables-FTP
/lib/giptables/modules/giptables-HTTP
/lib/giptables/modules/giptables-HTTPS
/lib/giptables/modules/giptables-ICMP
/lib/giptables/modules/giptables-IMAP
/lib/giptables/modules/giptables-IMAPS
/lib/giptables/modules/giptables-LDAP
/lib/giptables/modules/giptables-LDAPS
/lib/giptables/modules/giptables-LPD
/lib/giptables/modules/giptables-MSSQL
/lib/giptables/modules/giptables-MYSQL
/lib/giptables/modules/giptables-NETBIOS
/lib/giptables/modules/giptables-NNTP
/lib/giptables/modules/giptables-NNTPS
/lib/giptables/modules/giptables-NTP
/lib/giptables/modules/giptables-ORACLE
/lib/giptables/modules/giptables-POP3
/lib/giptables/modules/giptables-POP3S
/lib/giptables/modules/giptables-POSTGRES
/lib/giptables/modules/giptables-SMTP
/lib/giptables/modules/giptables-SMTPS
/lib/giptables/modules/giptables-SNMP
/lib/giptables/modules/giptables-SOCKS
/lib/giptables/modules/giptables-SQUID
/lib/giptables/modules/giptables-SSH
/lib/giptables/modules/giptables-SYSLOG
/lib/giptables/modules/giptables-TELNET
/lib/giptables/modules/giptables-TELNETS
/lib/giptables/modules/giptables-TRACEROUTE
/lib/giptables/modules/giptables-VNC
/lib/giptables/modules/giptables-WEBCACHE
/lib/giptables/modules/giptables-WHOIS
/lib/giptables/modules/giptables-X11
/lib/giptables/AUTHORS
/lib/giptables/COPYING
/lib/giptables/giptables-main
/lib/giptables/if_ipaddr
/lib/giptables/README
Once the installation of GIPTables has been completed, we can free up some disk space by deleting both the program tar archive and the related source directory, since they are no longer needed.

To delete the GIPTables Firewall tar archive and its related source directory, use the commands:
[root@deep /]# cd /var/tmp/
[root@deep tmp]# rm -rf giptables-<version>/
[root@deep tmp]# rm -f giptables-<version>.tar.gz
The rm command as used above will remove all the source files we have used to install GIPTables Firewall. It will also remove the GIPTables compressed archive from the /var/tmp directory.

After installing GIPTables Firewall, please read the GIPTables Firewall Main Configuration Guide and the GIPTables Firewall Modules Configuration Guide for further configuration instructions. Please check our documentation page and our FAQ for more information regarding GIPTables Firewall.
