Extracted from iptables-1.2.11/debian/control:
==============================================
iptables - Linux kernel 2.4+ iptables administration tools
netfilter and iptables provide a Linux kernel framework for
stateful and stateless packet filtering, network and port address
translation, and other IP packet manipulation. The framework is the
successor to ipchains.
netfilter and iptables are used in applications such as Internet
connection sharing, firewalls, IP accounting, transparent proxying,
advanced routing and traffic control.
iptables web site: http://www.iptables.org/
iptables-dev - development files for iptables' libipq and libiptc
Header files, static libs and documentation for libipq (iptables
user-space packet queuing library) and libiptc.
Extracted from iptables-1.2.11/debian/changelog:
================================================
iptables (1.2.11-10.0) unstable; urgency=medium
* NMU
* Added the imq patch
-- Russell Stuart <russell-debian@NOSPAM> Thu, 24 Nov 2005 14:17:37 +1000
iptables (1.2.11-10) unstable; urgency=medium
* fixed scripts/prep.sh: patching and patch ordering
* fixed a bashism reported by Geller Sandor in Bug#283822. Thanks.
-- Laurence J. Lane <ljlane@NOSPAM> Wed, 1 Dec 2004 19:11:34 -0500
iptables-1.2.11/debian/copyright:
=================================
Christoph Lameter (christoph@NOSPAM) created the Debian iptables
package on March 26, 2000.
iptables sources were downloaded from:
source code and changelogs:
http://www.iptables.org/files/
SGML HOWTOs:
http://www.iptables.org/documentation/HOWTO/
iptables authors:
The core team:
Jozsef Kadlecsik, Harald Welte, James Morris, Marc Boucher, Rusty Russell
Additional contributors listed at:
http://www.iptables.org/about.html#contrib
iptables copyright:
iptables is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published
by the Free Software Foundation; either version 2, or (at your
option) any later version.
iptables is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
General Public License for more details.
You should have received a copy of the GNU General Public License
with your Debian GNU system, in /usr/share/common-licenses/GPL, or
with the Debian GNU gnupg source package as the file COPYING. If
not, write to the Free Software Foundation, Inc., 59 Temple Place,
Suite 330, Boston, MA 02111-1307, USA.
linux kernel sources were downloaded from:
http://www.kernel.org/pub/linux/kernel/v2.4/
linux kernel author:
Linus Torvalds and many, many others. See the CREDITS file in
the top dir of the linux kernel source for a partial list of
contributors.
linux kernel copyright:
NOTE! This copyright does *not* cover user programs that
use kernel services by normal system calls - this is merely
considered normal use of the kernel, and does *not* fall under
the heading of "derived work". Also note that the GPL below is
copyrighted by the Free Software Foundation, but the instance of
code that it refers to (the Linux kernel) is copyrighted by me
and others who actually wrote it.
Also note that the only valid version of the GPL as far as
the kernel is concerned is _this_ particular version of the
license (ie v2, not v2.2 or v3.x or whatever), unless explicitly
otherwise stated.
Linus Torvalds
You should have received a copy of the GNU General Public License
with your Debian GNU system, in /usr/share/common-licenses/GPL-2, or
with the Debian GNU gnupg source package as the file COPYING. If
not, write to the Free Software Foundation, Inc., 59 Temple Place,
Suite 330, Boston, MA 02111-1307, USA.
iptables-1.2.11/debian/README.Debian:
=====================================
iptables for Debian
===================
0. introduction
1. upgrade notes
2. quick start
3. running iptables
4. kernel configuration
5. extension and compilation notes
6. help! help! help!
[ 0. introduction ]
The iptables binary is basically a user-space configuration tool
for the linux kernel's netfilter packet filtering. It can be used
to configure NAT/MASQUERADING (Network Address Translation),
firewalling, ip accounting and other things. The package does not
provide any default rules or security.
[ 1. upgrade notes ]
init scripts
If you have upgraded from an earlier version of the iptables
package, you may still have the deprecated init.d scripts and
state information installed, but orphaned from the package.
This was necessary to preserve existing configurations. Run
"update-rc.d -f iptables remove" and delete this list of files
and directories to get rid of it all:
/etc/default/iptables
/etc/init.d/iptables
/var/lib/iptables/
/var/lib/ip6tables/
I'm certain someone will file a bug report about the orphaned
files, but it was done intentionally. Suggestions for a better
approach are welcomed.
owner module
owner module support for kernels versions less than 2.4.20 was
officially removed with the 1.2.9-7 upload. It was broken since
at least 1.2.9-6.
[ 2. quick start ]
Here is a quick example of using ifupdown, possibly the simplest
method of initiating a packet filtering script in Debian. This is
an example of "auto" and "iface" stanzas in /etc/network/interfaces
that run a packet filtering script (with the interface name and
address as arguments) before actually bringing up the interface.
Note that IF_ADDRESS is only set when the stanza carries an
address option; with dhcp it is empty, so the script receives a
single argument.
    auto eth0
    iface eth0 inet dhcp
        pre-up /etc/myfirewall.sh $IFACE $IF_ADDRESS
The next example uses inline calls to iptables to configure ip
masquerading (basically, connection sharing) for a ppp or pppoe
provider. This example is not intended to secure anything: it
turns on forwarding and masquerades whatever leaves through the
link, with no rules at all on the FORWARD chain, and "-A" appends
one more copy of the rule every time ppp0 comes up.
    auto ppp0
    iface ppp0 inet ppp
        provider bobsispchickenandribshack
        pre-up echo 1 > /proc/sys/net/ipv4/ip_forward
        pre-up iptables -t nat -A POSTROUTING -o $IFACE -j MASQUERADE
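As an added example (it is not part of the Debian iptables package or of the README it came from), here is a /etc/myfirewall.sh of the kind the first stanza calls with $IFACE and $IF_ADDRESS. It assumes the interface being brought up is the Internet-facing one and that the LAN hangs off eth1 as 192.168.2.0/24; both the name LAN_IF/LAN_NET and the ssh-from-LAN rule are hypothetical and meant to be adjusted. The policy is built as a pure function in iptables-restore format, so it can be reviewed and tested without touching the kernel, then loaded in one atomic step before forwarding is switched on. A failed load exits non-zero, which makes ifup abort rather than bring the interface up unfiltered.

```sh
#!/bin/sh
# /etc/myfirewall.sh -- added example, not the package's own code.
# Called from /etc/network/interfaces as:
#   pre-up /etc/myfirewall.sh $IFACE $IF_ADDRESS
# Assumptions (hypothetical, adjust for your site): $1 is the external
# interface, the LAN is behind LAN_IF and uses LAN_NET.
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.2.0/24}"

# Print a complete ruleset in iptables-restore format.  Lines starting
# with '#' are skipped by iptables-restore, as in iptables-save output.
gen_ruleset() {
    ext_if="$1"; ext_addr="$2"; lan_if="$3"; lan_net="$4"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback, and replies to connections this host opened
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# LAN addresses arriving from the outside are spoofed
-A INPUT -i $ext_if -s $lan_net -j DROP
-A FORWARD -i $ext_if -s $lan_net -j DROP
EOF
    # IF_ADDRESS is empty for dhcp interfaces, so the rule that drops
    # outside packets claiming our own address is emitted only when known.
    if [ -n "$ext_addr" ]; then
        printf '%s\n' "-A INPUT -i $ext_if -s $ext_addr -j DROP"
    fi
    cat <<EOF
# the LAN may ssh to this box and reach the Internet; nothing else is forwarded
-A INPUT -i $lan_if -s $lan_net -p tcp --dport 22 -j ACCEPT
-A FORWARD -i $lan_if -o $ext_if -s $lan_net -j ACCEPT
-A FORWARD -i $ext_if -o $lan_if -m state --state ESTABLISHED,RELATED -j ACCEPT
# rate-limited log of what the DROP policies discard
-A INPUT -m limit --limit 5/min -j LOG --log-prefix fw-drop-in:
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix fw-drop-fwd:
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# masquerade only LAN traffic leaving through the external interface
-A POSTROUTING -s $lan_net -o $ext_if -j MASQUERADE
COMMIT
EOF
}

# Load the ruleset atomically (restore swaps whole tables, so the old
# rules are never flushed without the new ones in place), then enable
# forwarding only once the FORWARD chain is filtered.  A non-zero exit
# makes ifup abort, which fails closed.
apply_ruleset() {
    gen_ruleset "$1" "$2" "$LAN_IF" "$LAN_NET" | iptables-restore || {
        echo "myfirewall: iptables-restore failed, not bringing up $1" >&2
        return 1
    }
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

# Only act when ifupdown passed the interface argument.
if [ $# -ge 1 ]; then
    apply_ruleset "$1" "${2:-}"
fi
```

Run "sh /etc/myfirewall.sh" with no arguments and nothing happens; "gen_ruleset ppp0 '' eth1 192.168.2.0/24" from an interactive shell that has sourced the file prints the ruleset for review.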
[ 3. running iptables ]
There are a number of ways to "run" iptables in Debian. The
closest to standard is the ipmasq package, which walks the
user through a series of questions to produce a packet filter
configuration.
Others may prefer packages like firehol, shorewall, firestarter,
ipmenu, fireflier, ferm, firewall-easy, fwbuilder-iptables, fwctl,
gfcc, lokkit, gnome-lokkit, guarddog, hlfl, knetfilter, mason,
easyfw, fiaif, filtergen, guidedog, or uif -- just to name some
that are packaged for Debian -- to configure and maintain packet
filtering rules.
Do-it-yourselfers may prefer any variety of self-written or
acquired scripts to run at system startup. These are relatively
easy to incorporate into Debian's SysV init tree by placing
the executable script into /etc/init.d and applying it with
update-rc.d, preferably at a level before any network interfaces
are configured. (This example calls the script before network
interfaces are enabled; scripts with the same sequence number run
in alphabetical order, so check with "ls /etc/rcS.d" that the new
link sorts before the networking one.):
    update-rc.d myfirewall start 40 S . stop 89 0 6 .
Some may prefer to use iptables-save and iptables-restore to save
rule sets. The deprecated iptables init.d script is included in
the examples section as a reference for a state based init script.
You can get the same basic functionality by saving your rules
with iptables-save and using ifupdown to apply them. iptables-restore
replaces each table in one step, so there is no moment with the old
rules flushed and the new ones not yet loaded. Make the "down" file
a deliberate lockdown ruleset (DROP policies), not a saved copy of
the accept-everything defaults.
    # sample /etc/network/interfaces lines
    pre-up iptables-restore < /etc/iptables.up.rules
    post-down iptables-restore < /etc/iptables.down.rules
One of the more powerful packet filter configurations is a number
of scripts called through Debian's ifupdown system. Here is a
brief introduction to ifupdown:
Debian uses ifupdown (see ifup(8), ifdown(8) and interfaces(5))
to manipulate network interfaces. Each interface is provided
with several scripting hooks: pre-up, up, down, and post-down.
These hooks are available to each interface as in-line
directives in /etc/network/interfaces and also as *.d/
directories called with run-parts (see run-parts(8)):
/etc/network/if-up.d/
/etc/network/if-pre-up.d/
/etc/network/if-down.d/
/etc/network/if-post-down.d/
There are a couple of caveats with the .d/ directories. They
are run automatically when interfaces go up and down -- they
are not the place to store arbitrary scripts. Also, run-parts
runs all the scripts in those dirs, once for each interface that
changes state. A guard at the top of a hook prevents unwanted
duplicate execution:
    test "$IFACE" = "eth0" || exit 0
The spaces around "=" matter: written as test "$IFACE"="eth0" the
shell sees a single non-empty word, the test always succeeds and
the guard never exits. The explicit 0 matters too: a bare "exit"
returns the failed test's status, and a non-zero exit from an
if-pre-up.d script makes ifup abort bringing up that interface.
A useful set of variables are passed to the environment of
the hooks with either the in-line directives or the *.d
sub-directories. Here is a sample of such variables passed to a
hook for eth0:
IFACE=eth0
IF_ADDRESS=192.168.2.2
IF_BROADCAST=192.168.2.255
IF_GATEWAY=192.168.2.1
IF_NETMASK=255.255.255.0
IF_NETWORK=192.168.2.0
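An added example of an if-pre-up.d hook built on those variables (example code, not from the package or the README): it acts only for the interface it manages and exits 0 for every other one so run-parts does not abort their ifup, refuses to bring its interface up without a usable saved ruleset, and checks that the file is complete before handing it to iptables-restore. The location /etc/iptables/<IFACE>.rules and the FW_IFACE variable are assumptions for the example.

```sh
#!/bin/sh
# /etc/network/if-pre-up.d/firewall -- added example, not the package's code.
# run-parts runs this once per interface changing state; the interface name
# and its IF_* values arrive in the environment, not as arguments.
RULES_DIR="${RULES_DIR:-/etc/iptables}"   # assumption: /etc/iptables/<iface>.rules

# 0 only for the interface we manage.  Spaces around '=' are essential:
# test "$IFACE"="eth0" is one word and is always true.
iface_wanted() {
    [ "$1" = "$2" ]
}

# Saved ruleset path for an interface; fails for anything that is not a
# plain name, so the value is never used as a path component blindly.
rules_file() {
    case "$1" in
        ''|*/*|.*) return 1 ;;
    esac
    printf '%s/%s.rules\n' "$RULES_DIR" "$1"
}

# Every "*table" block in an iptables-save style file must end in COMMIT;
# otherwise iptables-restore rejects it and the interface would come up
# with whatever rules happened to be loaded before.
ruleset_complete() {
    awk '/^\*/  { tables++; open++ }
         /^COMMIT$/ { open-- }
         END { if (tables > 0 && open == 0) exit 0; exit 1 }' "$1"
}

load_rules() {
    f=$(rules_file "$1") || { echo "firewall: bad interface name '$1'" >&2; return 1; }
    [ -r "$f" ] || { echo "firewall: no ruleset $f, refusing to bring up $1" >&2; return 1; }
    ruleset_complete "$f" || { echo "firewall: $f is incomplete" >&2; return 1; }
    iptables-restore < "$f"
}

# Hook entry point.  "exit 0" (not a bare exit, which would carry the failed
# test's status 1 and abort ifup) for interfaces this hook does not manage;
# a failed load exits 1 on purpose so the managed interface stays down.
if [ -n "${IFACE:-}" ]; then
    iface_wanted "$IFACE" "${FW_IFACE:-eth0}" || exit 0
    load_rules "$IFACE" || exit 1
fi
```

Save the current rules with "iptables-save > /etc/iptables/eth0.rules" once, and from then on every ifup of eth0 reloads them before the interface carries traffic.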
[ 4. kernel configuration ]
iptables requires kernel netfilter support and support for various
netfilter capabilities. Here are hints from the menuconfig
selections in the kernel source for 2.4.19.
Networking options --->
[X] Network packet filtering (replaces ipchains)
IP: Netfilter Configuration --->
ip6tables requires additional settings.
Code maturity level options --->
[X] Prompt for development and/or incomplete code/drivers
Networking options --->
<M> The IPv6 protocol (EXPERIMENTAL) (NEW)
IPv6: Netfilter Configuration --->
[ 5. extension and compilation notes ]
iptables extensions (plug-ins) are installed in /lib/iptables/.
There are generally two types of extensions: targets and matches.
Targets usually have an upper-case portion of the filename: i.e,.
libipt_SNAT.so is used as "--jump SNAT". Matches are usually all
lower case: i.e., libipt_owner.so is used as "--match owner".
The various extensions are built based on the kernel source used
to compile iptables. iptables source code includes kernel patches
that will allow additional extensions to be built. The additions
are not official and are not documented in the iptables man page.
A number of the extensions conflict with one another, some are
broken, and some require kernel level changes to netfilter that
require a specific iptables build. A custom iptables build may
require a custom kernel build. The custom iptables binaries may
not work with "regular" and stock kernel builds and packages.
An innocuous set of additional extensions are included with the
package as a user convenience, but they are only useful with
upgraded or custom kernels. No third-party-source is included.
[ 6. help! help! help! ]
Need more help? You can find more information in
/usr/share/doc/iptables/. The NAT and packet filtering HOWTOs are
there in English in HTML format -- other languages are available
at http://www.iptables.org/ and http://www.netfilter.org/.
There are example packet filtering scripts available in
/usr/share/doc/iptables/examples/.
For any problems specific to the Debian iptables package, you can
send e-mail to iptables@NOSPAM or file bug reports.
See http://bugs.debian.org/ and please use the reportbug program
in the reportbug package for sending bug reports if possible.
Debian mailing lists, such as debian-firewall and debian-user are
also available. See http://lists.debian.org/ for more information.
The iptables/netfilter sites (the URLs are above) also host useful
mailing lists.
The End.
iptables-1.2.11/README:
=======================
iptables has numerous upstream sources used to create the actual
Debian package. All of those pristine sources are in the upstream
subdirectory of this archive. The linux kernel sources have been
pruned to just the COPYRIGHT, MAINTAINER, and CREDITS files along
with netfilter directories and files.
To unpack and prepare everything, run "make" in the top directory.
Be aware that the results are all expanded to a temporary work
space, debian/build/, and the prep.sh script has no provision for
reversing anything.
Select patch-o-matic patches are applied to the kernel source tree
that is unpacked into debian/build/; however, the kernel source trees
used to build the iptables packages are absolutely NOT left in a
state intended for any particular use beyond the iptables package
build. And some of the patching is entirely pointless.
Current local patches/* patches applied to source code:
all/###-link_with_gcc.patch
link with gcc instead of ld, Bug#122712, addresses build failure
on HP and other archs. Courtesy of Lamont Jones.
http://bugs.debian.org/122712
all/###-weird_spelling.patch
spelling correction, s/wierd/weird/
all/###-weird_character.patch
avoid "weird character" warning for interface names that contain
dashes
all/###-man_pages.patch
sed 's/is the examined/is examined/' iptables.8.old > iptables.8
also adds information about the default logging level
all/###-multiple-ip.patch
by upstream, corrects segfault when a hostname
resolves to multiple IP addresses, see Bug#263154
hppa/###-atomic_t_silly_hack.patch
s390/###-atomic_t_silly_hack.patch
This is a silly, possibly detrimental hppa and s390 hack, which
copies the atomic_t typedef out of /usr/include/asm/atom.h
instead of including that header. If anyone knows how to fix the
FTBFS in Bug#232418 (http://bugs.debian.org/232418), please mail
iptables@NOSPAM.
all/###-modprobe.patch
upstream patch corrects modprobe handling. See Bug#219686 and
CAN-2004-0986
all/###-libipt_time_struct.patch
"In C, we declare variables at the top of function (Olivier
Clerget)" ... move "struct tm *t" to the top of the function,
patch already committed upstream. See Bug#279285
all/###-008-policy_printf.patch
extraneous printf("\n") in extensions/libipt_policy.c causes
bad iptables-save output that cannot be restored
Archive directory listing:
==========================
Name                                 Last modified       Size
Contents-i386                        09-Oct-2008 07:08   15K
Contents-i386.bz2                    09-Oct-2008 07:08   1.4K
Contents-i386.gz                     09-Oct-2008 07:08   1.3K
iptables-dev_1.2.11-10.0_i386.deb    08-Feb-2006 23:39   123K
iptables_1.2.11-10.0.dsc             09-Oct-2008 05:44   556
iptables_1.2.11-10.0.tar.gz          08-Feb-2006 23:38   1.3M
iptables_1.2.11-10.0_i386.changes    08-Feb-2006 23:39   872
iptables_1.2.11-10.0_i386.deb        08-Feb-2006 23:39   374K
override                             08-Feb-2006 23:39   51
Packages                             09-Oct-2008 07:08   1.3K
Packages.bz2                         09-Oct-2008 07:08   750
Packages.gz                          09-Oct-2008 07:08   698
Release                              09-Oct-2008 07:08   843
Release.gpg                          09-Oct-2008 18:41   189
Sources                              09-Oct-2008 07:08   397
Sources.bz2                          09-Oct-2008 07:08   336
Sources.gz                           09-Oct-2008 07:08   301