[Tfug] ip_tables kernel code no longer possible to build into the kernel?

John Gruenenfelder johng at as.arizona.edu
Wed May 24 00:41:59 MST 2006


On Wed, May 24, 2006 at 12:19:19AM -0700, t takahashi wrote:
>what i need is normal, basic, usual iptables capabilities.  like
>blocking ports and port ranges and limiting and logging,
>
>so is this module (or rather all these tiny little iptables-related modules):
>
>1.  something that looks EXACTLY like it's what i need but is not?
>i.e. it is for some advanced thing?
>
>or:
>
>2.  just what i need?

(Note: I'm no kernel master, so if I get any of this wrong, somebody please
correct me.)

They are what you need.  Despite the confusing names, I think the easiest way
to think about it is that iptables is the user frontend to the whole process.
Linux used to have ipchains, then came iptables, now it's netfilter.  Each
time it became a more general system.

So, in the newest kernels, the packet filtering is handled by the netfilter
subsystem.  You use the iptables program to interact with netfilter.

>i pulled your trick on XTABLES and it still looks like what i need.
>so why would it not default to yes?

In general, most of the default suggestions you get in the kernel are not
based on reality.  Linus has said in the past that there aren't really any
"default" settings for the kernel.  Of course, this does make configuring the
kernel more difficult because you might accidentally leave out an option which
you really need.  Since you're somewhat new at this, I think you're taking the
right approach by using the Debian kernel .config as a starting point.

>i kind of found out via make menuconfig just before you posted that it
>might have something to do with a higher level setting being a module.
> it looks like that might be the reason.
>
>as for using a module, i can, but there were dozens and i didn't want
>to have to keep track of them just to do basic things.  why would i
>have to reenable iptables, then set modules for every tiny little part
>of it, like port ranges and limiting and the like?  i'd think it would
>be mostly on by default.

The simplest method to deal with this, and what I do, is to just make
everything in the netfilter menu a module.  You are correct that you will then
need to figure out which of those to load, but it really isn't all that many
in general.  And when you pick a few, modprobe will automatically load the
others it depends on.


-- 
--John Gruenenfelder    Research Assistant, UMass Amherst student
                        Systems Manager, MKS Imaging Technology, LLC.
Try Weasel Reader for PalmOS  --  http://gutenpalm.sf.net
"This is the most fun I've had without being drenched in the blood
of my enemies!"
        --Sam of Sam & Max
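As an added illustration of the two points made in this reply (an option cannot be built in when the higher-level option it depends on is a module, and making the netfilter menu all modules leaves you a list to hand to modprobe), here is a small POSIX sh script that is not part of the thread. It reads a constructed .config fragment embedded in the script (the option names are real 2.6-era netfilter options, but the config contents and the "child parent" dependency pairs are constructed for the example), reports each netfilter option's state, and flags a hand-edited built-in that sits under a module.

```shell
#!/bin/sh
# Added example (not from the thread): classify netfilter options in a kernel
# .config as y/m/n and flag a built-in (y) whose parent option is only a module.

# Constructed .config fragment; real option names, made-up values.
SAMPLE_CONFIG='CONFIG_NETFILTER=y
CONFIG_NETFILTER_XTABLES=m
CONFIG_NETFILTER_XT_MATCH_MULTIPORT=m
CONFIG_NETFILTER_XT_MATCH_LIMIT=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_TARGET_LOG=m
# CONFIG_IP_NF_TARGET_REJECT is not set
CONFIG_EXT3_FS=y'

# Constructed "child parent" pairs mirroring the menuconfig hierarchy.
SAMPLE_DEPS='CONFIG_IP_NF_IPTABLES CONFIG_NETFILTER_XTABLES
CONFIG_IP_NF_FILTER CONFIG_IP_NF_IPTABLES
CONFIG_NETFILTER_XT_MATCH_LIMIT CONFIG_NETFILTER_XTABLES'

# nf_state OPTION : print y, m or n; "n" covers "is not set" and absent options.
nf_state() {
    case "$(printf '%s\n' "$SAMPLE_CONFIG" | grep "^$1=")" in
        *=y) echo y ;;
        *=m) echo m ;;
        *)   echo n ;;
    esac
}

# nf_report : one "STATE OPTION" line per netfilter-related option.
nf_report() {
    printf '%s\n' "$SAMPLE_CONFIG" | awk '
        /^CONFIG_(NETFILTER|NF_|IP_NF_)[A-Z0-9_]*=[ym]$/ { split($0, kv, "="); print kv[2], kv[1] }
        /^# CONFIG_(NETFILTER|NF_|IP_NF_)[A-Z0-9_]* is not set$/ { print "n", $2 }'
}

# nf_modules_to_load : options built as modules, i.e. what modprobe must load
# (directly, or pulled in as a dependency of something you load).
nf_modules_to_load() {
    nf_report | awk '$1 == "m" { print $2 }'
}

# nf_check_deps : report each CHILD=y whose PARENT is not y. menuconfig will
# not offer "y" for such a child, which is why it cannot "default to yes"
# while the higher-level option is a module.
nf_check_deps() {
    printf '%s\n' "$SAMPLE_DEPS" | while read -r child parent; do
        if [ "$(nf_state "$child")" = y ] && [ "$(nf_state "$parent")" != y ]; then
            echo "$child=y but $parent=$(nf_state "$parent")"
        fi
    done
}
```

To run it against a real Debian kernel, replace the SAMPLE_CONFIG literal with the contents of /boot/config-$(uname -r).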