Linux Firewalls - Michael Rash [12]
$ tar xfj linux-2.6.20.1.tar.bz2
$ ls -ld linux-2.6.20.1
drwxr-xr-x 18 mbr users 600 Jun 16 20:48 linux-2.6.20.1
Although I have chosen specific kernel versions in the commands above, the analogous commands apply to newer kernel versions. For example, when the 2.6.20.2 kernel is released, you only need to substitute 2.6.20.2 for 2.6.20.1 in the above commands.
Note
One thing to keep in mind is that the load on the kernel.org webserver has been steadily increasing over the years, and a glance at the bandwidth utilization graphs on http://www.kernel.org shows the current utilization at well over 300 Mbps. To help reduce the load, the kernel can be downloaded from one of the mirrors listed at http://www.kernel.org/mirrors. Whichever server you download from, verify the tarball against the detached signature that kernel.org publishes alongside it before extracting it; a mirror is not a trust anchor. Once you have a particular version of the kernel sources on your system, you can download and apply a kernel patch file to upgrade to the next version. (The patch files are much smaller than the kernel itself, and they carry signatures as well.)
Kernel Configuration
Before you can begin compiling, you must construct a kernel configuration file. Fortunately, the process of building this file has been automated by kernel developers, and it can be initiated with a single command (within the /usr/src/linux-2.6.20.1 directory):
$ make menuconfig
The make menuconfig command launches the Ncurses interface in which you can select various compile options. (You can call the X Windows or terminal interface with the commands make xconfig and make config, respectively.) I've chosen the Ncurses interface because it provides a nice balance between the spartan terminal interface and the relatively expensive X Windows interface. The Ncurses interface also easily lends itself to the configuration of a remote Linux kernel across an SSH session without having to forward an X Windows connection.
After executing make menuconfig, we are presented with several configuration sections ranging from Code Maturity Level options to Library Routines. Most Netfilter compilation options for the 2.6-series kernel are located within a section called Network Packet Filtering Framework (Netfilter) under Networking ▸ Networking Options.
Essential Netfilter Compilation Options
Some of the more important options to enable within the kernel configuration file include Netfilter connection tracking, logging, and packet filtering. (Recall that iptables builds a policy by using the in-kernel framework provided by Netfilter.)
There are two additional configuration sections in the Network Packet Filtering Framework (Netfilter) section—Core Netfilter Configuration and IP: Netfilter Configuration.
Core Netfilter Configuration
The Core Netfilter Configuration section contains several important options that should all be enabled:
Comment match support
FTP support
Length match support
Limit match support
MAC address match support
MARK target support
Netfilter connection tracking support
Netfilter LOG over NFNETLINK interface
Netfilter netlink interface
Netfilter Xtables support
State match support
String match support
IP: Netfilter Configuration
With the Core Netfilter Configuration section completed, we'll move on to the IP: Netfilter Configuration section. The options that should be enabled within this section are as follows:
ECN target support
Full NAT
IP address range match support
IP tables support (required for filtering/masq/NAT)
IPv4 connection tracking support (required for NAT)
LOG target support
MASQUERADE target support
Owner match support
Packet filtering
Packet mangling
raw table support (required for NOTRACK/TRACE)
Recent match support
REJECT target support
TOS match support
TOS target support
TTL match support
TTL target support
ULOG target support
In the 2.6 kernel series, the individual compilation sections underwent a major reorganization. In the older 2.4 series, the IP: Netfilter Configuration section can be found underneath Networking Options, and this section is only visible if the Network Packet Filtering option is enabled.
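The two option lists above are easy to get slightly wrong in menuconfig, and the symptom only shows up later, when iptables rejects a rule with "No chain/target/match by that name". The following script is an added example, not code from the book: it checks a kernel .config (the one you just built, /boot/config-$(uname -r), or /proc/config.gz if the kernel was built with CONFIG_IKCONFIG_PROC) for the options in both lists and reports each one that is neither built in nor modular. The CONFIG_* symbol names are my assumed mapping of the 2.6.20-era menu entries; confirm them against net/netfilter/Kconfig and net/ipv4/netfilter/Kconfig of the kernel you are building, since symbols are renamed between versions. The sample config at the bottom is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: audit a kernel .config for the Netfilter options an iptables
# policy needs. Symbol names below are assumptions mapped from the 2.6.20
# menu entries; verify them against the Kconfig files of your kernel tree.

# Core Netfilter Configuration (in the order the book lists the menu entries)
NF_CORE_OPTIONS="
CONFIG_NETFILTER
CONFIG_NETFILTER_XT_MATCH_COMMENT
CONFIG_NF_CONNTRACK_FTP
CONFIG_NETFILTER_XT_MATCH_LENGTH
CONFIG_NETFILTER_XT_MATCH_LIMIT
CONFIG_NETFILTER_XT_MATCH_MAC
CONFIG_NETFILTER_XT_TARGET_MARK
CONFIG_NF_CONNTRACK
CONFIG_NETFILTER_NETLINK_LOG
CONFIG_NETFILTER_NETLINK
CONFIG_NETFILTER_XTABLES
CONFIG_NETFILTER_XT_MATCH_STATE
CONFIG_NETFILTER_XT_MATCH_STRING
"

# IP: Netfilter Configuration
NF_IPV4_OPTIONS="
CONFIG_IP_NF_TARGET_ECN
CONFIG_NF_NAT
CONFIG_IP_NF_MATCH_IPRANGE
CONFIG_IP_NF_IPTABLES
CONFIG_NF_CONNTRACK_IPV4
CONFIG_IP_NF_TARGET_LOG
CONFIG_IP_NF_TARGET_MASQUERADE
CONFIG_IP_NF_MATCH_OWNER
CONFIG_IP_NF_FILTER
CONFIG_IP_NF_MANGLE
CONFIG_IP_NF_RAW
CONFIG_IP_NF_MATCH_RECENT
CONFIG_IP_NF_TARGET_REJECT
CONFIG_IP_NF_MATCH_TOS
CONFIG_IP_NF_TARGET_TOS
CONFIG_IP_NF_MATCH_TTL
CONFIG_IP_NF_TARGET_TTL
CONFIG_IP_NF_TARGET_ULOG
"

# nf_config_check CONFIGFILE SYMBOL...
# Prints one line per symbol that is not built in (=y) or modular (=m) and
# says whether it was explicitly disabled or is absent from the file (which
# usually means the symbol has a different name in this kernel version).
# Returns 0 when every symbol is present, 1 otherwise.
nf_config_check() {
    cfg=$1
    shift
    rc=0
    for sym in "$@"; do
        # Anchor both ends: CONFIG_NF_NAT must not be satisfied by CONFIG_NF_NAT_FTP.
        if grep -q "^${sym}=[ym]\$" "$cfg"; then
            continue
        fi
        if grep -q "^# ${sym} is not set\$" "$cfg"; then
            echo "$sym: disabled"
        else
            echo "$sym: absent from config (renamed in this kernel version?)"
        fi
        rc=1
    done
    return $rc
}

# Constructed sample .config fragment, not a real kernel's config: the core
# pieces are modular, the raw table was switched off, NAT is missing entirely,
# and only the NAT FTP helper (a different symbol) is present.
sample_cfg=$(mktemp)
cat > "$sample_cfg" <<'EOF'
CONFIG_NETFILTER=y
CONFIG_NETFILTER_XTABLES=m
CONFIG_NF_CONNTRACK=m
CONFIG_NETFILTER_XT_MATCH_STATE=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_FILTER=m
# CONFIG_IP_NF_RAW is not set
CONFIG_NF_NAT_FTP=m
EOF
if nf_config_check "$sample_cfg" $NF_CORE_OPTIONS $NF_IPV4_OPTIONS; then
    echo "all required Netfilter options are enabled"
else
    echo "enable the options above with make menuconfig before building"
fi
rm -f "$sample_cfg"
```

Run it against a real config with `nf_config_check /boot/config-$(uname -r) $NF_CORE_OPTIONS $NF_IPV4_OPTIONS`; for a running kernel without a config file in /boot, `zcat /proc/config.gz > /tmp/config` first. An "absent" result is the one to investigate rather than blindly enable: it normally means the menu entry exists under another symbol in your kernel version.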
Finishing the Kernel Configuration
Having configured the 2.6.20.1