[CentOS] Centos VPS Kernel 2.6.35.4 & 'string-less' IP tables

Thu Sep 1 06:08:02 UTC 2011
Walter Haidinger <walter at doxlock.com>

Am 31.08.2011 15:35, schrieb Karanbir Singh:
>> PS: To install iptables from source is pretty straightforward:
>>      get the tarball from netfilter.org, unpack and run:
>>      ./configure --prefix=/opt/iptables&&  make&&  make install
> 
> And at that point you lose. All management capability or the ability to 
> audit / track or even upgrade along the distro. Installing from source, 
> is almost always the wrong solution; There are *some* places where it 

Yes, it should be an exception. I wanted to present a fix to the OP problem.
The correct solution would be to point him to a repository from where he can
install/update a newer iptables package. Unfortunately, I don't know any.

Installing from source should be considered the "quick & dirty" solution.
That is why I install to a _distinct_ /opt directory, _not_ overwriting
any rpm-owned files, and set the path to it only where needed, not globally.

Your advice holds true if one is not careful to keep the distro "clean",
i.e. prevent mixing it with non-distro files when running just running
configure without --prefix (thus installing to /usr/local or, even worse,
to /usr) or by installing "alien" other-distro rpm packages.

Maybe it should be emphasized that it is _critical_ to keep a "clean"
distribution. Otherwise yes, I absolutely agree with your statement above. 

Installing a few packages to a distinct directory don't hurt cleanliness, 
IMHO. It is not in the PATH by default and can easily be "uninstalled" by
a "rm -r /opt/foo".

Not to forget: Any manually installed package must be maintained anyways,
regardless if built from source or installed by rpm. 

> might be a workable solution, but really do you want your first line of 
> machine defence to be from source ? Just the amount of effort needed to 
> make something like that work is huge.

In my particular case, the new iptables are _only_ used to fill the mangle
table. Anything else is done by the stock iptables, so only the QoS rules
would be affected. Not that critical.

Of course, when running a newer (read: unsupported) kernel, such as 2.6.32
or 2.6.35, on CentOS 5, you'd better verify everything works for you in a test
environment before deploying it in the wild. 

Regards,
Walter