Kernel Support
Check to see if you have kernel support for netfilter / iptables
zgrep -i netfilter /proc/config.gz
CONFIG_NETFILTER=y
or
grep -i netfilter /usr/src/linux/.config
CONFIG_NETFILTER=y
If not then
cp /usr/src/linux/.config /etc/linux-config.bak
emerge sync && USE=symlink emerge -nk genkernel gentoo-sources
cd /usr/src/linux
cp /etc/linux-config.bak /usr/src/linux/.config
make menuconfig
As for the kernel, all you must do is enable iptables support.
Linux Kernel Configuration: Netfilter
Networking --->
    Networking options --->
        Network Packet Filtering (replaces Ipchains) --->
            Netfilter Configuration --->
Or
Networking support --->
    Networking options --->
        Network packet filtering --->
            IP: Netfilter Configuration --->
As for kernel 2.6.16 and up, you have to enable Xtables support first, then iptables.
Linux Kernel Configuration: Netfilter
Networking --->
    Networking options --->
        Network Packet Filtering (replaces Ipchains) --->
            Core Netfilter Configuration --->
                ["enable"] Netfilter Xtables support (required for ip_tables)
                ["enable"] Netfilter Xtables_Match_State (most firewall scripts use state, including the sample here)
            IP: Netfilter Configuration --->
                ["enable"] IP tables support (required for filtering/masq/NAT)
                ["enable"] Packet Filtering
            IPv6: Netfilter Configuration (EXPERIMENTAL) --->
                IP6 tables support (required for filtering/masq/NAT)
Select the IPv6 option only if you need it.
If you intend to load iptables as a module, also make sure you have automatic kernel module loading enabled:
Linux Kernel Configuration: Loadable Module Support
Loadable module support --->
    [*] Enable loadable module support
    [ ] ...
    [*] Automatic kernel module loading
Build the kernel:
make && make modules_install
If you’re just a newbie (hence this guide) then just go ahead and enable all of the options as modules – if you don’t upgrade the kernel you won’t even have to reboot to use iptables. Enable the various target/match support options also.
Because you’ll likely want the iptables module to load every time you boot:
echo "ip_tables" >> /etc/modules.autoload.d/kernel-2.6
echo "iptable_filter" >> /etc/modules.autoload.d/kernel-2.6
modules-update
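The kernel support check at the top of this section, carried through all the options the menuconfig trees above enable, as an added shell example that is not part of the original guide. Only CONFIG_NETFILTER appears on the page; the other Kconfig symbol names are my assumption of what those menu entries correspond to, and the sample .config is constructed.

```shell
#!/bin/sh
# Added example, not from the original guide: check a kernel .config (or
# /proc/config.gz) for the netfilter/iptables symbols the menuconfig trees
# enable. Only CONFIG_NETFILTER is on the page; the other symbol names are
# the Kconfig names I know for those entries (assumption).

# Symbols that must be built in (=y) or available as a module (=m).
REQUIRED_SYMS="CONFIG_NETFILTER CONFIG_NETFILTER_XTABLES \
CONFIG_NETFILTER_XT_MATCH_STATE CONFIG_IP_NF_IPTABLES CONFIG_IP_NF_FILTER"

# kconfig_value FILE SYMBOL: prints y, m or n (n = unset or absent).
kconfig_value() {
    cfg=$1; key=$2
    case "$cfg" in
        *.gz) line=$(zcat "$cfg" | grep "^$key=" | head -n 1) ;;
        *)    line=$(grep "^$key=" "$cfg" | head -n 1) ;;
    esac
    case "$line" in
        "$key=y") echo y ;;
        "$key=m") echo m ;;
        *)        echo n ;;
    esac
}

# check_netfilter_config FILE: one report line per symbol; returns 1 if any
# required symbol is missing. Modules pass but are flagged, because they
# still have to be loaded (modprobe, or modules.autoload.d at boot).
check_netfilter_config() {
    missing=0
    for sym in $REQUIRED_SYMS; do
        case "$(kconfig_value "$1" "$sym")" in
            y) echo "$sym: built in" ;;
            m) echo "$sym: module (load it before using iptables)" ;;
            n) echo "$sym: MISSING"; missing=1 ;;
        esac
    done
    return $missing
}

# Constructed sample .config for a stand-alone run: the state match is a
# module and IP6 tables is unset (fine, IPv6 is optional per the guide).
SAMPLE_CONFIG=$(mktemp)
cat > "$SAMPLE_CONFIG" <<'EOF'
CONFIG_NETFILTER=y
CONFIG_NETFILTER_XTABLES=y
CONFIG_NETFILTER_XT_MATCH_STATE=m
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_FILTER=y
# CONFIG_IP6_NF_IPTABLES is not set
EOF
check_netfilter_config "$SAMPLE_CONFIG" && echo "kernel has iptables support"
```

Point it at /proc/config.gz or /usr/src/linux/.config instead of the sample to check a real kernel; a MISSING line means the corresponding menu entry above still has to be enabled.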
iptables configuration
You’ll need to get the userland utilities. Don’t forget to modprobe ip_tables and modprobe iptable_filter if you have built them as a module.
emerge iptables