Author: bdubbs
Date: 2012-10-16 11:13:00 -0600 (Tue, 16 Oct 2012)
New Revision: 10735
Modified:
trunk/BOOK/general.ent
trunk/BOOK/introduction/welcome/changelog.xml
trunk/BOOK/postlfs/security/firewalling.xml
trunk/BOOK/postlfs/security/iptables.xml
Log:
Update to iptables-1.4.16.2.
Fix firewall scripts to be compatible with current iptables.
Modified: trunk/BOOK/general.ent
===================================================================
--- trunk/BOOK/general.ent 2012-10-15 20:05:23 UTC (rev 10734)
+++ trunk/BOOK/general.ent 2012-10-16 17:13:00 UTC (rev 10735)
@@ -176,7 +176,7 @@
<!ENTITY gnupg2-version "2.0.19">
<!ENTITY gnutls-version "3.0.24">
<!ENTITY gpgme-version "1.3.2">
-<!ENTITY iptables-version "1.4.15">
+<!ENTITY iptables-version "1.4.16.2">
<!ENTITY libcap2-version "2.22">
<!ENTITY liboauth-version "0.9.7">
<!ENTITY libpwquality-version "1.2.0">
Modified: trunk/BOOK/introduction/welcome/changelog.xml
===================================================================
--- trunk/BOOK/introduction/welcome/changelog.xml 2012-10-15 20:05:23 UTC
(rev 10734)
+++ trunk/BOOK/introduction/welcome/changelog.xml 2012-10-16 17:13:00 UTC
(rev 10735)
@@ -45,6 +45,21 @@
-->
<listitem>
+ <para>October 16th, 2012</para>
+ <itemizedlist>
+ <listitem>
+ <para>[bdubbs] - Update to iptables-1.4.16.2. Fixes
+ <ulink url="&blfs-ticket-root;3595">#3595</ulink>.</para>
+ </listitem>
+ <listitem>
+ <para>[bdubbs] - Fixed firewall scripts to be compatible with
+ current iptables. Fixes
+ <ulink url="&blfs-ticket-root;3626">#3626</ulink>.</para>
+ </listitem>
+ </itemizedlist>
+ </listitem>
+
+ <listitem>
<para>October 15th, 2012</para>
<itemizedlist>
<listitem>
Modified: trunk/BOOK/postlfs/security/firewalling.xml
===================================================================
--- trunk/BOOK/postlfs/security/firewalling.xml 2012-10-15 20:05:23 UTC (rev
10734)
+++ trunk/BOOK/postlfs/security/firewalling.xml 2012-10-16 17:13:00 UTC (rev
10735)
@@ -180,16 +180,12 @@
<screen role="root"><?dbfo keep-together="auto"?><userinput>cat >
/etc/rc.d/rc.iptables << "EOF"
<literal>#!/bin/sh
-# Begin $rc_base/rc.iptables
+# Begin rc.iptables
# Insert connection-tracking modules
# (not needed if built into the kernel)
-modprobe ip_tables
-modprobe iptable_filter
-modprobe ip_conntrack
-modprobe ip_conntrack_ftp
-modprobe ipt_state
-modprobe ipt_LOG
+modprobe nf_conntrack
+modprobe xt_LOG
# Enable broadcast echo Protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
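Review bot: The personal-firewall module list no longer loads an FTP conntrack helper — `modprobe ip_conntrack_ftp` is removed and only `nf_conntrack` and `xt_LOG` replace the old set — yet the ESTABLISHED,RELATED rule in the next hunk still gives "port mode ftp" as its reason for existing. A conntrack helper is not pulled in on demand the way match and target modules are, so active-mode FTP data connections would presumably stop being classified RELATED unless the helper is built into the kernel. The masquerading script in the hunk at @@ -306 does load it; for consistency add `modprobe nf_conntrack_ftp` after `modprobe nf_conntrack` here as well. The rc.iptables heredoc continues beyond this hunk.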
@@ -248,7 +244,7 @@
# Permit answers on already established connections
# and permit new connections related to established ones
# (e.g. port mode ftp)
-iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Log everything else. What's Windows' latest exploitable vulnerability?
iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "
@@ -290,7 +286,7 @@
<screen role="root"><?dbfo keep-together="auto"?><userinput>cat >
/etc/rc.d/rc.iptables << "EOF"
<literal>#!/bin/sh
-# Begin $rc_base/rc.iptables
+# Begin rc.iptables
echo
echo "You're using the example configuration for a setup of a firewall"
@@ -306,16 +302,11 @@
# Insert iptables modules (not needed if built into the kernel).
-modprobe ip_tables
-modprobe iptable_filter
-modprobe ip_conntrack
-modprobe ip_conntrack_ftp
-modprobe ipt_state
-modprobe iptable_nat
-modprobe ip_nat_ftp
-modprobe ipt_MASQUERADE
-modprobe ipt_LOG
-modprobe ipt_REJECT
+modprobe nf_conntrack
+modprobe nf_conntrack_ftp
+modprobe xt_conntrack
+modprobe xt_LOG
+modprobe xt_state
# Enable broadcast echo Protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
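Review bot: The masquerading-script module list drops `ip_nat_ftp` without a replacement even though the script still masquerades (the "Do masquerading" section follows in the next hunk) and now loads `nf_conntrack_ftp`; the NAT side of FTP helping is a separate module, so add `modprobe nf_nat_ftp` after `modprobe nf_conntrack_ftp`. Conversely `modprobe xt_state` is added although every `-m state` rule in this commit is rewritten to `-m conntrack`, so it looks unused unless a `-m state` rule survives outside the shown hunks. Dropping `iptable_nat`, `ipt_MASQUERADE` and `ipt_REJECT` is presumably fine because iptables loads match and target modules when a rule needs them, but the comment above the list only says "not needed if built into the kernel", so a reader cannot tell whether the omission is deliberate.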
@@ -365,8 +356,8 @@
iptables -A OUTPUT -o lo -j ACCEPT
# Allow forwarding if the initiated on the intranet
-iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-iptables -A FORWARD -i ! ppp+ -m state --state NEW -j ACCEPT
+iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+iptables -A FORWARD -i ! ppp+ -m conntrack --ctstate NEW -j ACCEPT
# Do masquerading
# (not needed if intranet is not using private ip-addresses)
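Review bot: The rewritten FORWARD rule on the last added line keeps the intrapositioned negation `-i ! ppp+`, which iptables 1.4.x accepts only with a deprecation warning printed at every boot; since the stated purpose of the commit is compatibility with current iptables, the line should read `iptables -A FORWARD ! -i ppp+ -m conntrack --ctstate NEW -j ACCEPT`. The enclosing rc.iptables heredoc starts and ends outside this hunk.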
@@ -436,7 +427,7 @@
themselves, you could open OUTPUT generally and restrict
INPUT.</para>
-<screen><literal>iptables -A INPUT -m state --state ESTABLISHED,RELATED -j
ACCEPT
+<screen><literal>iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED
-j ACCEPT
iptables -A OUTPUT -j ACCEPT</literal></screen>
<para>However, it is generally not advisable to leave OUTPUT
@@ -457,7 +448,7 @@
<para>Squid is caching the web:</para>
<screen><literal>iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
-iptables -A INPUT -p tcp --sport 80 -m state --state ESTABLISHED \
+iptables -A INPUT -p tcp --sport 80 -m conntrack --ctstate ESTABLISHED \
-j ACCEPT</literal></screen>
</listitem>
@@ -496,9 +487,9 @@
that came in after netfilter's timeout or some types of
network scans) insert these rules at the top of the chain:</para>
-<screen><literal>iptables -I INPUT 0 -p tcp -m state --state INVALID \
+<screen><literal>iptables -I INPUT 0 -p tcp -m conntrack --ctstate INVALID \
-j LOG --log-prefix "FIREWALL:INVALID "
-iptables -I INPUT 1 -p tcp -m state --state INVALID -j DROP</literal></screen>
+iptables -I INPUT 1 -p tcp -m conntrack --ctstate INVALID -j
DROP</literal></screen>
</listitem>
<listitem>
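Review bot: The rewritten INVALID rules insert at rule number 0, which iptables rejects (`-I` rule numbers start at 1), so the LOG rule would fail to load and only the DROP rule at position 1 would be installed — invalid packets dropped with no log line, which is the opposite of what the text promises. Both lines are touched by this commit, so renumber them while here: `iptables -I INPUT 1 -p tcp -m conntrack --ctstate INVALID \` / `-j LOG --log-prefix "FIREWALL:INVALID "` followed by `iptables -I INPUT 2 -p tcp -m conntrack --ctstate INVALID -j DROP`. That keeps the order the surrounding prose describes ("at the top of the chain", LOG before DROP).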
Modified: trunk/BOOK/postlfs/security/iptables.xml
===================================================================
--- trunk/BOOK/postlfs/security/iptables.xml 2012-10-15 20:05:23 UTC (rev
10734)
+++ trunk/BOOK/postlfs/security/iptables.xml 2012-10-16 17:13:00 UTC (rev
10735)
@@ -6,9 +6,9 @@
<!ENTITY iptables-download-http
"http://www.netfilter.org/projects/iptables/files/iptables-&iptables-version;.tar.bz2">
<!ENTITY iptables-download-ftp
"ftp://ftp.netfilter.org/pub/iptables/iptables-&iptables-version;.tar.bz2">
- <!ENTITY iptables-md5sum "8bf564ea8348522fc1db727868828def">
- <!ENTITY iptables-size "504 KB">
- <!ENTITY iptables-buildsize "15 MB">
+ <!ENTITY iptables-md5sum "57220bb26866a713073e5614f88071fc">
+ <!ENTITY iptables-size "532 KB">
+ <!ENTITY iptables-buildsize "13 MB">
<!ENTITY iptables-time "0.2 SBU">
]>
@@ -71,7 +71,7 @@
</para>
</listitem>
</itemizedlist>
-
+<!--
<bridgehead renderas="sect3">Additional Downloads</bridgehead>
<itemizedlist spacing="compact">
<listitem>
@@ -81,7 +81,7 @@
</para>
</listitem>
</itemizedlist>
-
+-->
<para condition="html" role="usernotes">User Notes:
<ulink url="&blfs-wiki;/iptables"/>
</para>
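Review bot: The Additional Downloads block is commented out with `<!--` in the previous hunk and `-->` here rather than deleted, which leaves dead markup in the page and will break well-formedness if any hidden line contains `--` (an XML comment may not contain two consecutive hyphens). The hidden lines are not visible in this hunk, so this is a caution rather than a confirmed error; if the patch is gone for good, delete the block and let version control keep the history.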
@@ -134,8 +134,7 @@
commands:
</para>
-<screen><userinput>patch -Np1 -i
../iptables-&iptables-version;-missing-includes-1.patch &&
-./configure --prefix=/usr \
+<screen><userinput>./configure --prefix=/usr \
--exec-prefix= \
--bindir=/sbin \
--with-xtlibdir=/lib/xtables \