Advanced Linux Networking, Roderick W. Smith [Electronic resources] (text version)
Roderick W. Smith
Kernel Configuration for iptables


Before you can use iptables, you must build support for it into the Linux kernel. What's more, some iptables features are only useful if you've activated appropriate iptables kernel suboptions. All of these kernel features can be found in the Networking Options menu in the 2.4.x kernel configuration tree, or in submenus off the Networking Options menu. Features you should check include the following:

Network Packet Filtering: The Network Packet Filtering option is in the main Networking Options configuration menu.

Connection Tracking: This option is available in the Netfilter Configuration menu off the Networking Options menu. It's required for NAT. (All subsequent options are in the same Netfilter Configuration menu.)

FTP Protocol Support: FTP is a tricky protocol for NAT. In Linux, NAT support for FTP requires this special kernel module.

IP Tables Support: This option is another that's required for NAT. A large number of suboptions become available when you select this one, corresponding to various tests you might want to perform. For best flexibility, select all of these suboptions. The Connection State Match Support option is particularly noteworthy because it's required for stateful packet inspection.

Packet Filtering: Although not absolutely required for firewalls or NAT, this option enhances the range of features available to you. I recommend you enable it.

REJECT Target Support: This suboption of Packet Filtering adds a rule that can be helpful in creating firewalls. It's therefore best to enable this feature.

Full NAT: This option is required for many NAT features, including those described in this chapter.

MASQUERADE Target Support: This suboption of the Full NAT option is required for IP masquerading, the form of NAT that is described in the upcoming section, "Configuring NAT with iptables." Note that the Help option for this item implies that it's only necessary if you use a dynamic external IP address, but this is incorrect; it's required for IP masquerading whether or not your external IP address is dynamic.

Packet Mangling: This kernel feature is required if you want to use the mangle table, described earlier. I recommend you enable it.

LOG Target Support: If you want to log firewall or router activity, this option allows you to do so.

ipchains (2.2-style) Support: If you want to use an older ipchains-based firewall script, you need to activate this option. You'll also need the ipchains tool itself.

ipfwadm (2.0-style) Support: If you want to use an older ipfwadm-based firewall script, you need to activate this option. You'll also need the ipfwadm tool itself.

TIP

The ipchains and ipfwadm support options are mutually exclusive, and both are incompatible with the IP
Tables Support and Connection Tracking options. Therefore, you cannot compile
support for both iptables and an earlier tool into the same kernel. You can, however,
compile all of these tools as modules, and select which you want to use by
loading the appropriate kernel module. You might want to compile your kernel
this way if you currently have an older tool and want to migrate it to the
newer iptables as time permits. Many distributions ship their default
kernels like this.


If you compile support for features as modules, you may need to load the appropriate modules in your firewall startup script. For instance, the basic iptables functionality is in the ip_tables module, so your startup script might need the command insmod ip_tables. Check the /lib/modules/version/net/ipv4/netfilter directory for other modules you may need to explicitly load. To avoid manually loading modules, you can compile the support directly into the kernel, but this will increase your kernel file's size.
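As an added example, not code from the book, here is a small POSIX shell script that reads a 2.4-series kernel .config, reports whether each option listed above is built in (y), a module (m) or absent (n), and prints the modules a firewall startup script would have to load. The CONFIG_ symbol names and module names are the 2.4 netfilter names as I recall them, not values from this page, so verify them against your own kernel tree; the .config it checks is a constructed sample.

```shell
#!/bin/sh
# Check a 2.4-series kernel .config for the netfilter options this section
# lists. Symbol and module names are my assumption of the 2.4 names (not
# from the book); confirm them against /lib/modules/<version>/net/ipv4/netfilter.

# One "CONFIG symbol|module name|menu description" entry per line.
NF_OPTIONS='CONFIG_NETFILTER||Network Packet Filtering
CONFIG_IP_NF_CONNTRACK|ip_conntrack|Connection Tracking
CONFIG_IP_NF_FTP|ip_conntrack_ftp|FTP Protocol Support
CONFIG_IP_NF_IPTABLES|ip_tables|IP Tables Support
CONFIG_IP_NF_MATCH_STATE|ipt_state|Connection State Match Support
CONFIG_IP_NF_FILTER|iptable_filter|Packet Filtering
CONFIG_IP_NF_TARGET_REJECT|ipt_REJECT|REJECT Target Support
CONFIG_IP_NF_NAT|iptable_nat|Full NAT
CONFIG_IP_NF_TARGET_MASQUERADE|ipt_MASQUERADE|MASQUERADE Target Support
CONFIG_IP_NF_MANGLE|iptable_mangle|Packet Mangling
CONFIG_IP_NF_TARGET_LOG|ipt_LOG|LOG Target Support'

# nf_option_state CONFIG_FILE SYMBOL -> prints y, m, or n ("# SYMBOL is not set"
# lines and missing symbols both count as n).
nf_option_state() {
    state=$(sed -n "s/^$2=\([ym]\)\$/\1/p" "$1")
    if [ -n "$state" ]; then echo "$state"; else echo n; fi
}

# nf_report CONFIG_FILE -> one "state symbol description" line per option.
nf_report() {
    echo "$NF_OPTIONS" | while IFS='|' read -r sym mod desc; do
        echo "$(nf_option_state "$1" "$sym") $sym $desc"
    done
}

# nf_modules_to_load CONFIG_FILE -> the modules (options built as =m) a
# startup script must insmod/modprobe, in the order listed above.
nf_modules_to_load() {
    echo "$NF_OPTIONS" | while IFS='|' read -r sym mod desc; do
        if [ -n "$mod" ] && [ "$(nf_option_state "$1" "$sym")" = m ]; then
            echo "$mod"
        fi
    done
}

# Constructed sample .config (not from a real kernel): filtering built in,
# conntrack/NAT/mangle as modules, LOG target left out.
SAMPLE_CONFIG=$(mktemp)
cat > "$SAMPLE_CONFIG" <<'EOF'
CONFIG_NETFILTER=y
CONFIG_IP_NF_CONNTRACK=m
CONFIG_IP_NF_FTP=m
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_MATCH_STATE=m
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_TARGET_REJECT=y
CONFIG_IP_NF_NAT=m
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=m
CONFIG_IP_NF_MANGLE=m
# CONFIG_IP_NF_TARGET_LOG is not set
EOF
nf_report "$SAMPLE_CONFIG"
echo "--- modules a startup script must load:"
nf_modules_to_load "$SAMPLE_CONFIG"
```

Point it at /boot/config-$(uname -r) or a kernel tree's .config instead of the sample to audit a real build; an "n" line for a feature you rely on means the option must be enabled before the corresponding iptables rules will load.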


