Configuring kernel options and installing packages

Configuring networking options

Start by running the kernel configuration menu as usual.

lisa ~ # cd /usr/src/linux
lisa linux # make menuconfig

Now navigate to the Networking Options menu, find the Netfilter option as shown below and enable it.

Networking options
[*]	Network packet filtering framework (Netfilter) --->	CONFIG_NETFILTER

Ensure that network packet filtering debugging is disabled as shown below.

Network packet filtering framework (Netfilter)
--- [ ] [*] [ ]	Network packet filtering framework (Netfilter) Network packet filtering debugging Advanced netfilter configuration Core Netfilter Configuration ---> IP virtual server support IP: Netfilter Configuration --->	CONFIG_NETFILTER_DEBUG CONFIG_NETFILTER_ADVANCED CONFIG_IP_VS

Configuring core Netfilter options

We can now configure the core Netfilter components that we require. Depending on your security policy and firewall application you may need to include some extra components or, if they are not required, exclude some components.

If you intend to follow all the steps in this guide then you will need to include at least the components listed below.

Core Netfilter Configuration
[ ] [ ] [] [ ] [ ] [ ] [ ] [ ] [ ] [ ] [] [ ] [ ] [ ] [] [ ] [ ] [ ] [ ] [] [ ] [ ] [ ] [ ] [ ] [ ] [] [ ] [ ] [ ] [ ] [ ] [] [ ] [] [] [] [ ] [] [ ] [ ] [] [] [] [ ] [ ] [] [ ] [ ]	Netfilter NFQUEUE over NFNETLINK interface Netfilter LOG over NFNETLINK interface Netfilter connection tracking support Connection tracking flow accounting Connection mark tracking support Connection tracking events DCCP protocol connection tracking support SCTP protocol connection tracking support UDP-Lite protocol connection tracking support Amanda backup protocol support FTP protocol support H.323 protocol support IRC protocol support NetBIOS name service protocol support PPtP protocol support SANE protocol support SIP protocol support TFTP protocol support Connection tracking netlink interface Netfilter Xtables support (required for ip_tables) "CLASSIFY" target support "CONNMARK" target support "MARK" target support "NFLOG" target Support "NFQUEUE" target Support "RATEEST" target support "TCPMSS" target support "cluster" match support "comment" match support "connbytes" per-connection counter match support "connlimit" match support "connmark" connection mark match support "conntrack" connection tracking match support "DCCP" protocol match support "hashlimit" match support "helper" match support IP range match support "length" match support "limit" match support "mac" address match support "mark" match support "multiport" Multiple port match support IPsec "policy" match support "pkttype" packet type match support "realm" match support "sctp" protocol match support "state" match support "string" match support "tcpmss" match support	CONFIG_NETFILTER_NETLINK_QUEUE CONFIG_NETFILTER_NETLINK_LOG CONFIG_NF_CONNTRACK CONFIG_NF_CT_ACCT CONFIG_NF_CONNTRACK_MARK CONFIG_NF_CONNTRACK_EVENTS CONFIG_NF_CT_PROTO_DCCP CONFIG_NF_CT_PROTO_SCTP CONFIG_NF_CT_PROTO_UDPLITE CONFIG_NF_CONNTRACK_AMANDA CONFIG_NF_CONNTRACK_FTP CONFIG_NF_CONNTRACK_H323 CONFIG_NF_CONNTRACK_IRC CONFIG_NF_CONNTRACK_NETBIOS_NS CONFIG_NF_CONNTRACK_PPTP CONFIG_NF_CONNTRACK_SANE CONFIG_NF_CONNTRACK_SIP CONFIG_NF_CONNTRACK_TFTP CONFIG_NF_CT_NETLINK CONFIG_NETFILTER_XTABLES CONFIG_NETFILTER_XT_TARGET_CLASSIFY CONFIG_NETFILTER_XT_TARGET_CONNMARK CONFIG_NETFILTER_XT_TARGET_MARK CONFIG_NETFILTER_XT_TARGET_NFLOG CONFIG_NETFILTER_XT_TARGET_NFQUEUE CONFIG_NETFILTER_XT_TARGET_RATEEST CONFIG_NETFILTER_XT_TARGET_TCPMSS CONFIG_NETFILTER_XT_MATCH_CLUSTER CONFIG_NETFILTER_XT_MATCH_COMMENT CONFIG_NETFILTER_XT_MATCH_CONNBYTES CONFIG_NETFILTER_XT_MATCH_CONNLIMIT CONFIG_NETFILTER_XT_MATCH_CONNMARK CONFIG_NETFILTER_XT_MATCH_CONNTRACK CONFIG_NETFILTER_XT_MATCH_DCCP CONFIG_NETFILTER_XT_MATCH_HASHLIMIT CONFIG_NETFILTER_XT_MATCH_HELPER CONFIG_NETFILTER_XT_MATCH_IPRANGE CONFIG_NETFILTER_XT_MATCH_LENGTH CONFIG_NETFILTER_XT_MATCH_LIMIT CONFIG_NETFILTER_XT_MATCH_MAC CONFIG_NETFILTER_XT_MATCH_MARK CONFIG_NETFILTER_XT_MATCH_MULTIPORT CONFIG_NETFILTER_XT_MATCH_POLICY CONFIG_NETFILTER_XT_MATCH_PKTTYPE CONFIG_NETFILTER_XT_MATCH_REALM CONFIG_NETFILTER_XT_MATCH_SCTP CONFIG_NETFILTER_XT_MATCH_STATE CONFIG_NETFILTER_XT_MATCH_STRING CONFIG_NETFILTER_XT_MATCH_TCPMSS

Configuring IP Netfilter options

Once the core Netfilter components have been configured we can proceed with configuration of the IP specific components of the Netfilter framework. As before you may need to include some extra components or, if they are not required, exclude some components depending on your security policy and the intended application of your firewall.

If you intend to follow all the steps in this guide then you will need to include at least the components listed below.

IP: Netfilter Configuration
[] [] [ ] [] [] [ ] [ ] [ ] [] [] [] [ ] [] [] [] [] [ ] [] [ ] [ ] [ ] [ ] [ ]	IPv4 connection tracking support (required for NAT) proc/sysctl compatibility with old connection tracking IP Userspace queueing via NETLINK (OBSOLETE) IP tables support (required for filtering/masq/NAT) "addrtype"address type match support "ah" match support "ecn" match support "ttl" match support Packet filtering REJECT target support LOG target support ULOG target support (OBSOLETE) Full NAT MASQUERADE target support NETMAP target support REDIRECT target support Basic SNMP-ALG support Packet mangling CLUSTERIP target support ECN target support TTL target support raw table support (required for NOTRACK/TRACE) ARP tables support	CONFIG_NF_CONNTRACK_IPV4 CONFIG_NF_CONNTRACK_PROC_COMPAT CONFIG_IP_NF_QUEUE CONFIG_IP_NF_IPTABLES CONFIG_IP_NF_MATCH_ADDRTYPE CONFIG_IP_NF_MATCH_AH CONFIG_IP_NF_MATCH_ECN CONFIG_IP_NF_MATCH_TTL CONFIG_IP_NF_FILTER CONFIG_IP_NF_TARGET_REJECT CONFIG_IP_NF_TARGET_LOG CONFIG_IP_NF_TARGET_ULOG CONFIG_NF_NAT CONFIG_IP_NF_TARGET_MASQUERADE CONFIG_IP_NF_TARGET_NETMAP CONFIG_IP_NF_TARGET_REDIRECT CONFIG_NF_NAT_SNMP_BASIC CONFIG_IP_NF_MANGLE CONFIG_IP_NF_TARGET_CLUSTERIP CONFIG_IP_NF_TARGET_ECN CONFIG_IP_NF_TARGET_TTL CONFIG_IP_NF_RAW CONFIG_IP_NF_ARPTABLES

Building and installing the kernel

With the kernel configuration completed all that remains is to build and install the new kernel in the usual way.

If you have built the Netfilter or iptables modules as loadable kernel modules then you will have to ensure that they are loaded before continuing. The easiest method is to add them to the /etc/modules.autoload.d/kernel-2.6 file so they will be automatically loaded when the system starts, and thus when the system is restarted with the new kernel.

Installing the userspace tools

As usual with Gentoo installation of the userspace tools is trivial. Simply emerge the iptables package and add iptables to the default run-level as shown below.

lisa ~ # emerge iptables
lisa ~ # rc-update add iptables default

If you have built the Netfilter components into the kernel, instead of compiling them as loadable modules, you can add iptables to the boot run-level and have it start before the net scripts.