2. Preparation

This step is only needed if distributed kernel and netfilter doesn't fit your requirements and new features are available but still not built-in.

2.1. Get sources

Get the latest kernel source: http://www.kernel.org/

Get the latest iptables package:

2.2. Extract sources

Change to source directory:

# cd /path/to/src 

Unpack and rename kernel sources

# tar z|jxf kernel-version.tar.gz|bz2 
# mv linux linux-version-iptables-version+IPv6 

Unpack iptables sources

# tar z|jxf iptables-version.tar.gz|bz2 

2.3. Apply latest iptables/IPv6-related patches to kernel source

Change to iptables directory

# cd iptables-version 

Apply pending patches

# make pending-patches KERNEL_DIR=/path/to/src/linux-version-iptables-version/ 

Apply additional IPv6 related patches (still not in the vanilla kernel included)

# make patch-o-matic KERNEL_DIR=/path/to/src/linux-version-iptables-version/ 

Say yes at following options (iptables-1.2.2)

  • ah-esp.patch

  • masq-dynaddr.patch (only needed for systems with dynamic IP assigned WAN connections like PPP or PPPoE)

  • ipv6-agr.patch.ipv6

  • ipv6-ports.patch.ipv6

  • LOG.patch.ipv6

  • REJECT.patch.ipv6

Check IPv6 extensions

# make print-extensions 
Extensions found: IPv6:owner IPv6:limit IPv6:mac IPv6:multiport

2.4. Configure, build and install new kernel

Change to kernel sources

# cd /path/to/src/linux-version-iptables-version/ 

Edit Makefile

- EXTRAVERSION = 
+ EXTRAVERSION = -iptables-version+IPv6-try 

Run configure, enable IPv6 related

            Code maturity level options 
                  Prompt for development and/or incomplete code/drivers : yes 
            Networking options 
                  Network packet filtering: yes 
                  The IPv6 protocol: module 
                       IPv6: Netfilter Configuration 
                             IP6 tables support: module 
                             All new options like following: 
                                   limit match support: module 
                                   MAC address match support: module 
                                   Multiple port match support: module 
                                   Owner match support: module 
                                   netfilter MARK match support: module 
                                   Aggregated address check: module 
                                   Packet filtering: module 
                                        REJECT target support: module 
                                        LOG target support: module 
                                   Packet mangling: module 
                                   MARK target support: module 

Configure other related to your system, too

Compilation and installing: see the kernel section here and other HOWTOs

2.5. Rebuild and install binaries of iptables

Make sure, that upper kernel source tree is also available at /usr/src/linux/

Rename older directory

# mv /usr/src/linux /usr/src/linux.old 

Create a new softlink

# ln -s /path/to/src/linux-version-iptables-version /usr/src/linux 

Rebuild SRPMS

# rpm --rebuild /path/to/SRPMS/iptables-version-release.src.rpm 

Install new iptables packages (iptables + iptables-ipv6)

  • On RH 7.1 systems, normally, already an older version is installed, therefore use "freshen"

# rpm -Fhv /path/to/RPMS/cpu/iptables*-version-release.cpu.rpm 
  • If not already installed, use "install"

# rpm -ihv /path/to/RPMS/cpu/iptables*-version-release.cpu.rpm 
  • On RH 6.2 systems, normally, no kernel 2.4.x is installed, therefore the requirements don't fit. Use "--nodeps" to install it

# rpm -ihv --nodeps /path/to/RPMS/cpu/iptables*-version-release.cpu.rpm 

Perhaps it's necessary to create a softlink for iptables libraries where iptables looks for them

# ln -s /lib/iptables/ /usr/lib/iptables