Linux-Noob Forums

Full Version: iptables power compiling extensions

This tutorial is going to be on iptables: how to compile extensions which allow you to accomplish the following tasks by just using iptables;

  • Account - This allows you to take statistics of certain machines on your network e.g. how much bandwidth your web server uses
  • Nth - This allows you to set up load balancing, who said you had to spend a lot of cash on this??
  • XOR - This allows you to encrypt your traffic between two servers or between two networks
  • ipp2p - This allows you to filter all the file sharing programs e.g. eDonkey, eMule, Kademlia, KaZaA, FastTrack, BitTorrent, etc
  • Quotas - This allows you to set quotas on your network traffic e.g. once you have used 2Gig of bandwidth drop all other packets

Well, now you have a taste of what you can accomplish with iptables I am sure you want to dive in :) Well, before we do, we will need to recompile the kernel and recompile iptables with the extensions applied to the kernel. I would only recommend doing this procedure if you are confident about compiling your own kernel.

Let's get started. The first step is to collect the necessary packages to get the extensions to work and compile into your kernel, so you will need:

Once you have downloaded all your source files move them into /usr/src/ as shown below:

Code:
mv patch-o-matic-ng-20051203.tar.bz2 /usr/src
mv linux-2.6.16.tar.bz2 /usr/src/
mv iptables-1.3.5.tar.bz2 /usr/src

Once this has been done you can start to decompress the source files as shown below:

Code:
tar xvjf patch-o-matic-ng-20051203.tar.bz2
tar xvjf linux-2.6.16.tar.bz2
tar xvjf iptables-1.3.5.tar.bz2

Now that is done I would suggest renaming linux-2.6.16 to linux and iptables-1.3.5 to iptables as shown below:

Code:
mv linux-2.6.16 linux
mv iptables-1.3.5 iptables

Right, you are almost ready to start applying the patches. First you need to run the make menuconfig command to preconfigure the kernel, otherwise *PATCHING WILL FAIL*; this is what catches people out! So change into your linux directory and run the make menuconfig command as shown below:

Code:
cd linux
make menuconfig

Once that's done just exit and save the config file. Now you will need to go into the patch-o-matic directory and issue the following command:

Code:
KERNEL_DIR=/usr/src/linux ./runme extras

Note: Replace /usr/src/linux with the path to the kernel source if yours is different.

Once you issue that command you will be prompted with the following:

Code:
Hey! IPTABLES_DIR is not set.
Where is your iptables source code directory? [/usr/src/iptables]

If you have renamed your iptables like I said earlier you can just hit enter, or else you have to enter the path to your iptables source code.

Once that is done you will be prompted for which patches you would like to apply; they also give you a little description of what each patch does.

Once you have finished selecting which patches you want installed you will need to compile your iptables, so you will need to do the following in the iptables source directory:

Code:
make KERNEL_DIR=/usr/src/linux
make install KERNEL_DIR=/usr/src/linux
make clean

Woot, your iptables have been compiled :) Now it's just a case of compiling your kernel :) so you can issue the following in the kernel source directory:

Code:
make oldconfig
make
make modules
make modules_install
make install
make clean

Now your kernel is ready along with your new patches, just reboot and enjoy. :) Well, that's it for the compiling side of things, I hope you were successful.

The second part of this tutorial is just to have a mess with some of the cool iptables features you have compiled. To check to see if the extension is there type iptables -m extension_name --help.

So let's start with Nth. Check to make sure it's there:

Code:
iptables -m nth --help

You should get output like so:

Code:
nth v1.3.5 options:
  --every     Nth              Match every Nth packet
[--counter   num ]            Use counter 0-15 (default:0)
[--start     num ]            Initialize the counter at the number 'num'
                            instead of 0. Must be between 0 and Nth-1
[--packet    num ]            Match on 'num' packet. Must be between 0
                            and Nth-1.

                            If --packet is used for a counter than
                            there must be Nth number of --packet
                            rules, covering all values between 0 and
                            Nth-1 inclusively.

This load-balancing example has been provided by netfilter:

Quote: if you want to balance the load to the 3 addresses 10.0.0.5, 10.0.0.6 and 10.0.0.7, then you can do as follows:
# iptables -t nat -A POSTROUTING -o eth0 -m nth --counter 7 --every 3 --packet 0 -j SNAT --to-source 10.0.0.5
# iptables -t nat -A POSTROUTING -o eth0 -m nth --counter 7 --every 3 --packet 1 -j SNAT --to-source 10.0.0.6
# iptables -t nat -A POSTROUTING -o eth0 -m nth --counter 7 --every 3 --packet 2 -j SNAT --to-source 10.0.0.7

Time patch

Quote: iptables -A INPUT -m time --timestart 8:00 --timestop 18:00 --days Mon,Tue,Wed,Thu,Fri -j ACCEPT

This time patch can be used to allow access to certain services on different days and times, nice little feature :)

Quota patch

Quote:
iptables -A INPUT -p tcp --dport 80 -m quota --quota 52428800 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP

This quota patch can be used to make sure you don't go over bandwidth limits. The above limit is set to 50GIG, 52428800KB = 50GB. If the 50GB is reached it will drop all traffic until it resets.

Well that's it. If you would like more help on using the extensions check out netfilter's homepage: [url=http://www.netfilter.org/documentation/HOW...ions-HOWTO.html]http://www.netfilter.org/documentation/HOW...ions-HOWTO.html[/url] Who needs Cisco when you've got iptables ;)
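As an added example (not part of xDamox's post), the script below generates the nth round-robin SNAT rules for any number of addresses and the quota accept/drop pair from the second half of the tutorial, printing them for review instead of applying them. The interface, counter number and addresses are the ones from the post; have_match wraps the `iptables -m name --help` check the post describes, and because the quota match takes its limit in bytes a GiB-to-bytes helper is included.

```bash
#!/bin/bash
# Added example, not from the original post: build the rule sets from the
# second half of the tutorial for review before applying them. The functions
# only print iptables commands; nothing changes on the host unless you pipe
# the output into sh yourself.

# Mirrors the post's check: does this iptables know the match extension?
have_match() {
    iptables -m "$1" --help >/dev/null 2>&1
}

# nth_snat_rules IFACE COUNTER ADDR...
# Round-robin SNAT across ADDR... with the nth match. N is the number of
# addresses; the nth help text requires exactly N --packet rules on the same
# counter covering 0..N-1, which the loop guarantees for any address count.
nth_snat_rules() {
    local iface=$1 counter=$2
    shift 2
    local n=$# i=0 addr
    for addr in "$@"; do
        printf 'iptables -t nat -A POSTROUTING -o %s -m nth --counter %s --every %s --packet %s -j SNAT --to-source %s\n' \
            "$iface" "$counter" "$n" "$i" "$addr"
        i=$((i + 1))
    done
}

# quota_rules PORT BYTES
# Accept tcp/PORT until BYTES have been matched, then fall through to DROP.
# The quota match takes its limit in bytes.
quota_rules() {
    printf 'iptables -A INPUT -p tcp --dport %s -m quota --quota %s -j ACCEPT\n' "$1" "$2"
    printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$1"
}

# gib_to_bytes N -> N GiB expressed in bytes, for use as a --quota value
gib_to_bytes() {
    echo $(( $1 * 1024 * 1024 * 1024 ))
}

# Demo with the post's addresses and a 50 GiB web quota (constructed values).
for m in nth quota; do
    have_match "$m" || echo "warning: match '$m' is not available in this iptables" >&2
done
nth_snat_rules eth0 7 10.0.0.5 10.0.0.6 10.0.0.7
quota_rules 80 "$(gib_to_bytes 50)"
```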

HOLY! .. that's amazing stuff.. iptables is really becoming a killer app.. nice tut xDamox :)