2006-03-24, 09:34 PM
This tutorial covers how to compile iptables extensions that let you accomplish the following
tasks using nothing but iptables:
- Account - This lets you gather statistics on certain machines on your network, e.g. how much bandwidth your web server uses
- Nth - This lets you set up load balancing; who said you had to spend a lot of cash on this?
- XOR - This lets you encrypt your traffic between two servers or between two networks
- ipp2p - This lets you filter all the file-sharing programs, e.g. eDonkey, eMule, Kademlia, KaZaA, FastTrack, BitTorrent, etc.
- Quotas - This lets you set quotas on your network traffic, e.g. once you have used 2 GB of bandwidth, drop all further packets
we do. We will need to recompile the kernel and recompile iptables with the extensions applied to the kernel. I would only recommend
this procedure if you are confident about compiling your own kernel.
Let's get started. The first step is to collect the packages needed to get the extensions working and compiled into your kernel, so you will need:
- iptables source - Download from: http://www.netfilter.org/projects/iptables/downloads.html
- patch-o-matic - Download from: http://ipset.netfilter.org/patch-o-matic-ng-20051203.tar.bz2
- Linux kernel source - Download from: www.kernel.org
Code:
mv patch-o-matic-ng-20051203.tar.bz2 /usr/src
mv linux-2.6.16.tar.bz2 /usr/src/
mv iptables-1.3.5.tar.bz2 /usr/src
Once this has been done you can start to decompress the source files as shown below:
Code:
tar vxf patch-o-matic-ng-20051203.tar.bz2
tar vxf linux-2.6.16.tar.bz2
tar vxf iptables-1.3.5.tar.bz2
Now that is done, I would suggest renaming linux-2.6.16 to linux and iptables-1.3.5 to iptables, as shown below:
Code:
mv linux-2.6.16 linux
mv iptables-1.3.5 iptables
Right, you are almost ready to start applying the patches. First you need to run make menuconfig to
preconfigure the kernel, otherwise *PATCHING WILL FAIL*; this is what catches people out! So change into
your linux directory and run make menuconfig as shown below:
Code:
cd linux
make menuconfig
Once that's done, just exit and save the config file. Now go into the patch-o-matic directory and issue the following
command:
Code:
KERNEL_DIR=/usr/src/linux ./runme extras
Note: replace /usr/src/linux with the path to your kernel source if yours is different.
Once you issue that command you will be prompted with the following:
Code:
Hey! IPTABLES_DIR is not set.
Where is your iptables source code directory? [/usr/src/iptables]
If you renamed your iptables directory as I said earlier you can just hit enter; otherwise you have to enter the path
to your iptables source code.
Once that is done you will be prompted for which patches you would like to apply; they also give a short description of
what each patch does.
Once you have finished selecting which patches you want installed, you will need to compile iptables, so do the
following in the iptables source directory:
Code:
make KERNEL_DIR=/usr/src/linux
make install KERNEL_DIR=/usr/src/linux
make clean
Woot, your iptables has been compiled :) Now it's just a case of compiling your kernel :) so issue the following
in the kernel source directory:
Code:
make oldconfig
make
make modules
make modules_install
make install
make clean
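The steps above as one script. This is an added example, not part of the original post: it wraps the unpack, patch, iptables and kernel builds in functions and adds a pre-flight check for the point stressed above, that patch-o-matic needs a configured kernel tree (a .config from make menuconfig) before it will patch. The SRC directory, the tarball names and passing IPTABLES_DIR in the environment (which the runme prompt shown above asks for) are assumptions taken from the post's layout; only the pre-flight check runs without real sources present.

```shell
#!/bin/sh
# Added example (not from the original post): build helper for the patch-o-matic
# procedure. SRC and the tarball versions are assumptions matching the post.

SRC=${SRC:-/usr/src}

# Return 0 when the tree under $1 is ready for ./runme: a kernel dir that already
# has a .config, and an iptables dir. Reports everything missing on stderr.
preflight() {
    base=$1
    ok=0
    [ -d "$base/linux" ] || { echo "missing $base/linux (rename linux-x.y.z to linux)" >&2; ok=1; }
    [ -f "$base/linux/.config" ] || { echo "missing $base/linux/.config: run make menuconfig first, or patching will fail" >&2; ok=1; }
    [ -d "$base/iptables" ] || { echo "missing $base/iptables (rename iptables-x.y.z to iptables)" >&2; ok=1; }
    return $ok
}

# Unpack the three tarballs in $SRC and rename the kernel and iptables dirs.
unpack_sources() {
    cd "$SRC" || return 1
    tar xf patch-o-matic-ng-20051203.tar.bz2 &&
    tar xf linux-2.6.16.tar.bz2 && mv linux-2.6.16 linux &&
    tar xf iptables-1.3.5.tar.bz2 && mv iptables-1.3.5 iptables
}

# Apply the patches, then build iptables, then the kernel, in the post's order.
# Each stage runs in a subshell so a cd in one stage cannot leak into the next.
build_all() {
    preflight "$SRC" || return 1
    ( cd "$SRC/patch-o-matic-ng-20051203" &&
      KERNEL_DIR="$SRC/linux" IPTABLES_DIR="$SRC/iptables" ./runme extras ) &&
    ( cd "$SRC/iptables" &&
      make KERNEL_DIR="$SRC/linux" && make install KERNEL_DIR="$SRC/linux" && make clean ) &&
    ( cd "$SRC/linux" &&
      make oldconfig && make && make modules && make modules_install && make install )
}

# Stand-alone use: "sh build.sh unpack", then "make menuconfig" in $SRC/linux,
# then "sh build.sh build".
case "${1:-}" in
    unpack) unpack_sources ;;
    build)  build_all ;;
esac
```

The pre-flight check is deliberately separate from the build so it can be run on its own after make menuconfig; it is the cheap way to catch the missing-.config mistake before runme reports a failed patch.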
Now your kernel is ready along with your new patches; just reboot and enjoy. :) Well, that's it for the compiling side of things.
I hope you were successful.
The second part of this tutorial is just to have a play with some of the cool iptables features you have compiled. To check
whether an extension is there, type iptables -m extension_name --help.
So let's start with Nth. Check to make sure it's there:
Code:
iptables -m nth --help
You should get output like so:
Code:
nth v1.3.5 options:
--every Nth Match every Nth packet
[--counter num ] Use counter 0-15 (default:0)
[--start num ] Initialize the counter at the number 'num'
instead of 0. Must be between 0 and Nth-1
[--packet num ] Match on 'num' packet. Must be between 0
and Nth-1.
If --packet is used for a counter than
there must be Nth number of --packet
rules, covering all values between 0 and
Nth-1 inclusively.
This load balancing example has been provided by netfilter:
Quote: if you want to balance the load to the 3 addresses 10.0.0.5, 10.0.0.6 and 10.0.0.7, then you can do as follows:
# iptables -t nat -A POSTROUTING -o eth0 -m nth --counter 7 --every 3 --packet 0 -j SNAT --to-source 10.0.0.5
# iptables -t nat -A POSTROUTING -o eth0 -m nth --counter 7 --every 3 --packet 1 -j SNAT --to-source 10.0.0.6
# iptables -t nat -A POSTROUTING -o eth0 -m nth --counter 7 --every 3 --packet 2 -j SNAT --to-source 10.0.0.7
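A generator and checker for the rule set above, added here as an example and not part of the original post or of netfilter's documentation. The nth help text quoted earlier says that when --packet is used there must be exactly Nth rules covering every value from 0 to Nth-1; miscounting that by hand is the usual mistake, so the generator derives --every from the number of addresses, and the checker verifies an existing rule list against the same invariant. The interface, counter and addresses are taken from the quoted example. One caveat the post does not mention: the nat table only sees the first packet of each connection, so in POSTROUTING this spreads connections across the addresses, not individual packets.

```shell
#!/bin/sh
# Added example (not from the original post): generate and validate nth-based
# SNAT round-robin rules.

# Usage: nth_snat_rules <out-iface> <counter 0-15> <addr> [addr ...]
# Prints one iptables command per address with --every set to the address
# count, so the --packet values 0..N-1 are always complete. Pipe to sh to apply.
nth_snat_rules() {
    iface=$1; counter=$2; shift 2
    n=$#
    [ "$n" -ge 1 ] || { echo "need at least one address" >&2; return 1; }
    case "$counter" in
        ''|*[!0-9]*) echo "counter must be 0-15" >&2; return 1 ;;
    esac
    [ "$counter" -le 15 ] || { echo "counter must be 0-15" >&2; return 1; }
    i=0
    for addr in "$@"; do
        printf 'iptables -t nat -A POSTROUTING -o %s -m nth --counter %s --every %s --packet %s -j SNAT --to-source %s\n' \
            "$iface" "$counter" "$n" "$i" "$addr"
        i=$((i + 1))
    done
}

# Read nth rules on stdin (one per line, as printed above) and check that, for
# each counter, every value 0..every-1 appears in exactly one --packet rule.
# --counter defaults to 0 when absent, as the help text states. Exit 1 on gaps.
nth_check() {
    awk '
    {
        c = 0; e = ""; p = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "--counter") c = $(i+1)
            else if ($i == "--every") e = $(i+1)
            else if ($i == "--packet") p = $(i+1)
        }
        if (e == "" || p == "") next
        every[c] = e
        seen[c, p]++
    }
    END {
        bad = 0
        for (c in every)
            for (k = 0; k < every[c]; k++)
                if (seen[c, k] != 1) {
                    printf "counter %s: --packet %d appears %d times (expected 1)\n", c, k, seen[c, k]
                    bad = 1
                }
        exit bad
    }'
}

# Stand-alone use: print the three rules from the post and check them.
if [ "${1:-}" = "demo" ]; then
    nth_snat_rules eth0 7 10.0.0.5 10.0.0.6 10.0.0.7 | tee /dev/stderr | nth_check
fi
```

Running the checker over the output of iptables-save before a reload is the practical use: a counter whose --packet values do not cover 0..every-1 silently leaves some connections without a SNAT rule.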
Time patch
Quote: iptables -A INPUT -m time --timestart 8:00 --timestop 18:00 --days Mon,Tue,Wed,Thu,Fri -j ACCEPT
This time patch can be used to allow access to certain services on particular days and at particular times; nice little feature :)
Quota patch
Quote: iptables -A INPUT -p tcp --dport 80 -m quota --quota 52428800 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
This quota patch can be used to make sure you don't go over bandwidth limits. The above limit is set to 50 GIG:
52428800KB = 50GB. If the 50GB is reached it will drop all traffic until it resets.
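A helper for building that rule pair, added here as an example and not part of the original post. The quota match's --quota argument is a count of bytes, so 52428800 as written above amounts to 50 MiB and a 50 GiB allowance needs 53687091200; the helper converts a human-readable size to bytes so the number in the rule matches the intent, and always emits the DROP rule after the ACCEPT rule, since without it traffic simply continues once the quota is spent. The port and sizes are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): build the quota ACCEPT/DROP pair
# from a human-readable size. --quota is in bytes; binary units are assumed.

# Convert a size such as 512, 2K, 50M or 50G to bytes. Prints the byte count;
# returns 1 and prints a message on stderr for a malformed size.
quota_bytes() {
    size=$1
    num=${size%[KkMmGg]}          # strip one trailing unit letter, if any
    unit=${size#"$num"}           # whatever was stripped
    case "$num" in
        ''|*[!0-9]*) echo "bad size: $size" >&2; return 1 ;;
    esac
    case "$unit" in
        '')  mult=1 ;;
        K|k) mult=1024 ;;
        M|m) mult=1048576 ;;
        G|g) mult=1073741824 ;;
        *)   echo "bad unit: $unit" >&2; return 1 ;;
    esac
    echo $((num * mult))
}

# Usage: quota_rules <tcp-port> <size>
# Prints the ACCEPT rule carrying the quota followed by the DROP rule that
# catches traffic once the quota is exhausted. Order matters: DROP comes last.
quota_rules() {
    port=$1
    bytes=$(quota_bytes "$2") || return 1
    printf 'iptables -A INPUT -p tcp --dport %s -m quota --quota %s -j ACCEPT\n' "$port" "$bytes"
    printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$port"
}

# Stand-alone use: "sh quota.sh 80 50G | sh" applies a 50 GiB quota on port 80.
if [ $# -eq 2 ]; then
    quota_rules "$1" "$2"
fi
```

The counter held by the quota match is a kernel-side value that resets when the rule is reloaded, which is what the post means by "until it resets"; reloading the rule set therefore also restarts the allowance.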
Well, that's it. If you would like more help on using the extensions, check out netfilter's homepage: http://www.netfilter.org/documentation/HOW...ions-HOWTO.html. Who needs CISCO when you've got iptables ;)