
Compilation and Application of netfilter/iptables Module

2025-01-19 Update From: SLTechnology News&Howtos


Shulou (Shulou.com) 06/01 Report

This article shows how to compile and apply netfilter/iptables extension modules. The content is concise and easy to follow; I hope you get something out of the detailed introduction below.

By KindGeorge # yahoo.com 2005.4.2 at ChinaUnix.net

I believe many people use iptables; I use it every day. Especially after reading platinum's introduction, I felt it necessary to gain an in-depth understanding of its extended functions. So I downloaded it immediately and first read its description. Its functions are very exciting, for example: comment (remark matching), string (string matching, usable for content filtering), iprange (IP range matching), time (time matching), ipp2p (peer-to-peer matching), connlimit (matching the number of simultaneous connections), nth (matching every nth packet), geoip (matching by country and region), quota (quota matching), and many more. After compiling and testing, the extensions were added successfully under RH7.3 kernel 2.4.18-3 and RH9.0 kernel 2.4.20-8. Below is an introduction to some of these functions and the compilation method. Environment: RH9.0, kernel 2.4.20-8, working as root.

One. Prepare the source code.

1. Kernel source code: to reduce complexity and avoid compiling the whole kernel and all of its modules, it is recommended to find kernel source code of exactly the same version as the running kernel.

a. [root@kindgeorge]# uname -r (view the current version)

2.4.20-8

You can cd /usr/src to see whether a directory for 2.4.20-8 exists.

b. Or: [root@kindgeorge]# rpm -qa | grep kernel

If the output lists kernel-source-2.4.20-8, the source is already installed.

If it is not installed, copy it from the second RH CD or install it with rpm -ivh kernel-source-2.4.18-3.i386.rpm. After installation, the linux-2.4 symlink and the linux-2.4.20-8 directory appear in /usr/src/.

c. Download kernel source of the current version from http://www.kernel.org or www.redhat.com.

2. Get the latest information first, of course, from http://www.netfilter.org or http://www.iptables.org (both sites are the same).

The download column on the left side of the website already shows the latest version, iptables-1.3.1.

[root@kindgeorge src]# cd /usr/src/

a. Get the latest iptables: wget http://www.netfilter.org/files/iptables-1.3.1.tar.bz2

Decompress: tar xjvf iptables-1.3.1.tar.bz2

b. Get the address of the latest patch-o-matic-ng: ftp://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot/

[root@kindgeorge src] wget ftp://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot/patch-o-matic-ng-20050331.tar.bz2

Decompress: tar xjvf patch-o-matic-ng-20050331.tar.bz2

Two. Installation instructions

(1) Process the kernel source code.

1. [root@kindgeorge src]# cd /usr/src/linux-2.4

2. [root@kindgeorge linux-2.4]# vi Makefile

VERSION = 2

PATCHLEVEL = 4

SUBLEVEL = 20

EXTRAVERSION = -8custom

Change "EXTRAVERSION = -8custom" to "EXTRAVERSION = -8"

That is:

VERSION = 2

PATCHLEVEL = 4

SUBLEVEL = 20

EXTRAVERSION = -8

Why must it be modified? Because modules built for one version string cannot be loaded by a kernel with a different one: without the change, the tree identifies itself as version 2.4.20-8custom, and when the versions differ the error looks like this:

/lib/modules/2.4.20-8/kernel/net/ipv4/netfilter/ipt_iprange.o: kernel-module version mismatch (version error)

/lib/modules/2.4.20-8/kernel/net/ipv4/netfilter/ipt_iprange.o was compiled for kernel version 2.4.20-8custom

while this kernel is version 2.4.20-8.

/lib/modules/2.4.20-8/kernel/net/ipv4/netfilter/ipt_iprange.o: insmod /lib/modules/2.4.20-8/kernel/net/ipv4/netfilter/ipt_iprange.o failed

/lib/modules/2.4.20-8/kernel/net/ipv4/netfilter/ipt_iprange.o: insmod ipt_iprange failed
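The version-string check described above can be scripted before any module is built. The following is an added example, not code from the original article: a POSIX shell function assembles the VERSION, PATCHLEVEL, SUBLEVEL and EXTRAVERSION fields of a kernel source Makefile into the same form that uname -r prints, a second function compares that with the running kernel, and a third rewrites EXTRAVERSION when they differ. The function names and the constructed sample Makefile are assumptions made for this illustration; the field names and the -8custom versus -8 values come from the article.

```shell
#!/bin/sh
# Added example: verify that a kernel source tree will stamp its modules with
# the running kernel's version string before running "make modules".
# All function names here are assumptions for this illustration.

# Print the version string a tree will put into its modules, built from the
# VERSION, PATCHLEVEL, SUBLEVEL and EXTRAVERSION lines of its Makefile.
kernel_version_from_makefile() {
    awk '
        # Strip "NAME =" and surrounding whitespace, leaving only the value.
        function value() { sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, ""); return $0 }
        /^VERSION[[:space:]]*=/      { v = value() }
        /^PATCHLEVEL[[:space:]]*=/   { p = value() }
        /^SUBLEVEL[[:space:]]*=/     { s = value() }
        /^EXTRAVERSION[[:space:]]*=/ { e = value() }
        END { printf "%s.%s.%s%s\n", v, p, s, e }
    ' "$1"
}

# check_module_target MAKEFILE [RUNNING_VERSION]
# Return 0 when the tree matches the running kernel (default: uname -r),
# 1 with a diagnostic otherwise, so a build script can stop early.
check_module_target() {
    running=${2:-$(uname -r)}
    built=$(kernel_version_from_makefile "$1")
    if [ "$built" = "$running" ]; then
        echo "OK: $1 builds modules for $built"
        return 0
    fi
    echo "MISMATCH: $1 builds modules for $built, running kernel is $running" >&2
    return 1
}

# set_extraversion MAKEFILE VALUE, e.g. set_extraversion Makefile -8
# Rewrite the EXTRAVERSION line in place (via a temp file, so it works
# without GNU sed -i).
set_extraversion() {
    tmp=$(mktemp) || return 1
    sed "s/^EXTRAVERSION[[:space:]]*=.*/EXTRAVERSION = $2/" "$1" > "$tmp" && mv "$tmp" "$1"
}

# Constructed stand-in for the header of the RH9 2.4.20-8 tree's Makefile;
# only the four version lines matter for this check.
write_sample_makefile() {
    cat > "$1" <<'EOF'
VERSION = 2
PATCHLEVEL = 4
SUBLEVEL = 20
EXTRAVERSION = -8custom

KERNELRELEASE=$(VERSION).$(PATCHLEVEL).$(SUBLEVEL)$(EXTRAVERSION)
EOF
}
```

Run check_module_target /usr/src/linux-2.4/Makefile before make dep; if it reports MISMATCH, set_extraversion /usr/src/linux-2.4/Makefile -8 applies the same edit the article makes with vi, and the check then passes.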

3. [root@kindgeorge linux-2.4]# make mrproper

4. [root@kindgeorge linux-2.4]# make oldconfig

'make oldconfig' reuses the previous .config file (useful at compile time).

Tip: when faced with the many options in make menuconfig, we often don't know what to choose. In that case, copy the installed kernel's configuration file into /usr/src/linux-2.4 with cp /boot/config-2.4.* /usr/src/linux-2.4/.config, then run make menuconfig, and it will read the original configuration from .config.

(2) Patch netfilter

Unpack patch-o-matic-ng-20050331.tar.bz2 (tar xjvf) and enter the directory. You will find many directories; in fact, each directory corresponds to one module.

We can choose by repository: submitted | pending | base | extra, for example:

KERNEL_DIR=/usr/src/linux-2.4 IPTABLES_DIR=/usr/src/iptables-1.3.1 ./runme base

Or: KERNEL_DIR=/usr/src/linux-2.4 IPTABLES_DIR=/usr/src/iptables-1.3.1 ./runme extra

After execution it tests whether each module has already been applied and prompts you to apply it, but this walks through every module in the repository, many of which are not needed and some of which may conflict with your kernel version; applying all of them regardless usually leads to errors at compile time or in use. It is therefore recommended to read cat <module directory>/info and cat <module directory>/help first and apply only the modules that suit you.

Having read the above, I applied only the modules I had a purpose for, like this:

KERNEL_DIR=/usr/src/linux-2.4 IPTABLES_DIR=/usr/src/iptables-1.3.1 ./runme string

After execution it tests whether the module has already been applied and prompts you to apply it; press "y" to apply. Then move on to the next one.

KERNEL_DIR=/usr/src/linux-2.4 IPTABLES_DIR=/usr/src/iptables-1.3.1 ./runme comment

KERNEL_DIR=/usr/src/linux-2.4 IPTABLES_DIR=/usr/src/iptables-1.3.1 ./runme connlimit

KERNEL_DIR=/usr/src/linux-2.4 IPTABLES_DIR=/usr/src/iptables-1.3.1 ./runme time

KERNEL_DIR=/usr/src/linux-2.4 IPTABLES_DIR=/usr/src/iptables-1.3.1 ./runme iprange

KERNEL_DIR=/usr/src/linux-2.4 IPTABLES_DIR=/usr/src/iptables-1.3.1 ./runme geoip

KERNEL_DIR=/usr/src/linux-2.4 IPTABLES_DIR=/usr/src/iptables-1.3.1 ./runme nth

KERNEL_DIR=/usr/src/linux-2.4 IPTABLES_DIR=/usr/src/iptables-1.3.1 ./runme ipp2p

KERNEL_DIR=/usr/src/linux-2.4 IPTABLES_DIR=/usr/src/iptables-1.3.1 ./runme quota

After all the above is done:

cd /usr/src/linux-2.4

make menuconfig, then confirm the following:

Select "Prompt for development and/or incomplete code/drivers".

Then enter Networking options.

When you enter IP: Netfilter Configuration, you will see that many modules have been added, each followed by "NEW". Select the desired modules as "M".

Save and exit. At this point netfilter is patched.

(3) Compile the netfilter modules

1. Here only netfilter needs to be compiled, not the entire kernel and all of its modules. All I need is IPv4; I haven't used IPv6 yet, so I don't care about it.

cd /usr/src/linux-2.4

make dep

make modules SUBDIRS=net/ipv4/netfilter

2. Create a new directory and back up the original modules, just in case:

mkdir /usr/src/netfilter

cp /lib/modules/2.4.20-8/kernel/net/ipv4/netfilter/*.o /usr/src/netfilter/

3. Install the new modules

cp -f /usr/src/linux-2.4/net/ipv4/netfilter/*.o /lib/modules/2.4.20-8/kernel/net/ipv4/netfilter/

4. Update modules.dep

depmod -a

If the following appears you can ignore it, because the ipchains and ipfwadm modules are not used; deleting them removes the errors.

depmod: *** Unresolved symbols in /lib/modules/2.4.20-8/kernel/net/ipv4/netfilter/ipchains_core.o

depmod: *** Unresolved symbols in /lib/modules/2.4.20-8/kernel/net/ipv4/netfilter/ipfwadm_core.o

(4) Compile and install the new iptables

After decompression there is a directory iptables-1.3.1.

cd /usr/src/iptables-1.3.1

export KERNEL_DIR=/usr/src/linux-2.4

export IPTABLES_DIR=/usr/src/iptables-1.3.1

make BINDIR=/sbin LIBDIR=/lib MANDIR=/usr/share/man install

Three. Installation complete: testing and application

1. Content filtering

iptables -I FORWARD -m string --string "Tencent" -j DROP

iptables -I FORWARD -s 192.168.3.159 -m string --string "qq.com" -j DROP

iptables -I FORWARD -d 192.168.3.0/24 -m string --string "Broadband Cinema" -j DROP

iptables -I FORWARD -s 192.168.3.0/24 -m string --string "porn" -j DROP

iptables -I FORWARD -p tcp --sport 80 -m string --string "advertisement" -j DROP

2. Remark (comment) application

iptables -I FORWARD -s 192.168.3.159 -p tcp --dport 80 -j DROP -m comment --comment "the bad guy can not online"

iptables -I FORWARD -s 192.168.3.159 -m string --string "qq.com" -j DROP -m comment --comment "denny go to qq.com"

3. Concurrent connection application

connlimit module function: connection limiting

--connlimit-above n: match when the number of existing connections exceeds n

--connlimit-mask n: the network mask that defines a group of hosts. The default is --connlimit-mask 32, i.e. per IP.

This mainly limits the network usage of intranet users; for servers it can limit the number of connections initiated by each IP, which is quite practical.

For example, to allow only 5 simultaneous forwarded connections to port 80 per IP and drop any beyond that:

iptables -I FORWARD -p tcp --syn --dport 80 -m connlimit --connlimit-above 5 -j DROP

For example, to allow only 10 simultaneous forwarded connections to port 80 per group (/24) of IPs:

iptables -I FORWARD -p tcp --syn --dport 80 -m connlimit --connlimit-above 10 --connlimit-mask 24 -j DROP

For example, to guard against too many connections in a DoS, allow at most 15 initial connections and drop the rest:

/sbin/iptables -A INPUT -s 192.186.1.0/24 -p tcp --syn -m connlimit --connlimit-above 15 -j DROP

/sbin/iptables -A INPUT -s 192.186.1.0/24 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT

4. IP range application

iptables -A FORWARD -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT

5. Every Nth packet matching

iptables -t mangle -A PREROUTING -m nth --every 10 -j DROP

6. Block BT and other P2P software

iptables -A FORWARD -m ipp2p --edk --kazaa --bit -j DROP

iptables -A FORWARD -p tcp -m ipp2p --ares -j DROP

iptables -A FORWARD -p udp -m ipp2p --kazaa -j DROP

7. Quota matching

iptables -I FORWARD -s 192.168.3.159 -p tcp --dport 80 -m quota --quota 500 -j DROP

iptables -I FORWARD -s 192.168.3.159 -p tcp --dport 80 -m quota --quota 500 -j ACCEPT

All the above tests passed; only geoip was not tested, because its geoipdb.bin was not downloaded.

The above covers compiling and applying netfilter/iptables modules. Have you picked up the knowledge or skills? If you want to learn more or broaden your knowledge, you are welcome to follow the industry information channel.
