Linux IPv6 HOWTO (en)
Prev	Chapter 17. Firewalling	Next

17.2. Preparation

This step is only needed if distributed kernel and netfilter doesn't fit your requirements and new features are available but still not built-in.

17.2.1. Get sources

Get the latest kernel source: https://www.kernel.org/

Get the latest iptables package:

Source tarball (for kernel patches): https://www.netfilter.org/

17.2.2. Extract sources

Change to source directory:

# cd /path/to/src

Unpack and rename kernel sources

# tar z|jxf kernel-version.tar.gz|bz2 
# mv linux linux-version-iptables-version+IPv6

Unpack iptables sources

# tar z|jxf iptables-version.tar.gz|bz2

17.2.3. Apply latest iptables/IPv6-related patches to kernel source

Change to iptables directory

# cd iptables-version

Apply pending patches

# make pending-patches KERNEL_DIR=/path/to/src/linux-version-iptables-version/

Apply additional IPv6 related patches (still not in the vanilla kernel included)

# make patch-o-matic KERNEL_DIR=/path/to/src/linux-version-iptables-version/

Say yes at following options (iptables-1.2.2)

ah-esp.patch
masq-dynaddr.patch (only needed for systems with dynamic IP assigned WAN connections like PPP or PPPoE)
ipv6-agr.patch.ipv6
ipv6-ports.patch.ipv6
LOG.patch.ipv6
REJECT.patch.ipv6

Check IPv6 extensions

# make print-extensions 
Extensions found: IPv6:owner IPv6:limit IPv6:mac IPv6:multiport

17.2.4. Configure, build and install new kernel

Change to kernel sources

# cd /path/to/src/linux-version-iptables-version/

Edit Makefile

- EXTRAVERSION = 
+ EXTRAVERSION = -iptables-version+IPv6-try

Run configure, enable IPv6 related

            Code maturity level options 
                  Prompt for development and/or incomplete code/drivers : yes 
            Networking options 
                  Network packet filtering: yes 
                  The IPv6 protocol: module 
                       IPv6: Netfilter Configuration 
                             IP6 tables support: module 
                             All new options like following: 
                                   limit match support: module 
                                   MAC address match support: module 
                                   Multiple port match support: module 
                                   Owner match support: module 
                                   netfilter MARK match support: module 
                                   Aggregated address check: module 
                                   Packet filtering: module 
                                        REJECT target support: module 
                                        LOG target support: module 
                                   Packet mangling: module 
                                   MARK target support: module

Configure other related to your system, too

Compilation and installing: see the kernel section here and other HOWTOs

17.2.5. Rebuild and install binaries of iptables

Make sure, that upper kernel source tree is also available at /usr/src/linux/

Rename older directory

# mv /usr/src/linux /usr/src/linux.old

Create a new softlink

# ln -s /path/to/src/linux-version-iptables-version /usr/src/linux

Rebuild SRPMS

# rpm --rebuild /path/to/SRPMS/iptables-version-release.src.rpm

Install new iptables packages (iptables + iptables-ipv6)

On RH 7.1 systems, normally, already an older version is installed, therefore use "freshen"

# rpm -Fhv /path/to/RPMS/cpu/iptables*-version-release.cpu.rpm

If not already installed, use "install"

# rpm -ihv /path/to/RPMS/cpu/iptables*-version-release.cpu.rpm

On RH 6.2 systems, normally, no kernel 2.4.x is installed, therefore the requirements don't fit. Use "--nodeps" to install it

# rpm -ihv --nodeps /path/to/RPMS/cpu/iptables*-version-release.cpu.rpm

Perhaps it's necessary to create a softlink for iptables libraries where iptables looks for them

# ln -s /lib/iptables/ /usr/lib/iptables

Prev	Home	Next
Firewalling using netfilter6	Up	Usage