ScRaTcHi (n00b)
Joined: 21 Dec 2004, Posts: 62
Posted: Sat Jun 11, 2005 7:03 pm    Post subject: [HOWTO] iptables patch-o-matic-ng extensions
[HOWTO] iptables patch-o-matic-ng extensions (for better searching in forums)

I've been searching these forums for a long time to find a working iptables + patch-o-matic + extensions tutorial.
I did find some, but none was fully functional/working, so here is mine:
(Working with kernel 2.6.x)

1. Check if your /usr/src/linux is pointing to the sources of the currently running kernel
(if you don't want to compile a new kernel and restart during this howto).
Code:
    uname -rv
    ls -ga /usr/src/linux
It should be the same date and version (if you didn't mess with it).

2. Download the newest patch-o-matic-ng archive from ftp://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot/.
At the date of writing this it was patch-o-matic-ng-20050610.tar.bz2.
Code:
    wget ftp://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot/patch-o-matic-ng-20050610.tar.bz2
Unpack it to e.g. /tmp:
Code:
    tar xvjf ./patch-o-matic-ng-20050610.tar.bz2 -C /tmp/

3. Check if your iptables was compiled with the extensions USE flag.
Code:
    emerge -pv iptables
    [ebuild   R   ] net-firewall/iptables-1.3.1-r4  -debug +extensions +ipv6 -static 0 kB
If not, add this USE flag to /etc/portage/package.use:
Code:
    cat /etc/portage/package.use
    net-firewall/iptables extensions

4. Unpack the iptables sources (change your version according to emerge -pv iptables):
Code:
    ebuild /usr/portage/net-firewall/iptables/iptables-1.3.1-r4.ebuild unpack

5. Change to the unpacked patch-o-matic-ng dir:
Code:
    cd /tmp/patch-o-matic-ng-20050610/
From there execute this one-liner (you need to change KERNEL_DIR [/usr/src/linux],
IPTABLES_DIR [1.3.1-r4] and the patches from p-o-m you want to apply [TTL geoip]):
Code:
    IPTABLES_DIR=/var/tmp/portage/iptables-1.3.1-r4/work/iptables-1.3.1/ KERNEL_DIR=/usr/src/linux ./runme TTL geoip

6. Now the kernel and iptables sources are patched. It's time to rebuild the kernel (modules) and iptables.
Change to your kernel sources dir and run
Code:
    make oldconfig
and mark the new items as modules (m) or compiled directly into the kernel (y).
The latter requires a restart soon.

7. Now rebuild the kernel modules and install them:
Code:
    make modules modules_install
Mount your /boot partition and copy the newly created System.map file over the original:
Code:
    mount /boot
    cp System.map /boot/System.map

8. If you need to build a new kernel, do so now (I won't go into this here...). Don't forget to update grub/lilo.
If you recompiled the entire kernel, restart and boot the system using this new kernel.

9. Now you need to compile and install iptables (change dirs accordingly):
Code:
    ebuild /usr/portage/net-firewall/iptables/iptables-1.3.1-r4.ebuild install
    ebuild /usr/portage/net-firewall/iptables/iptables-1.3.1-r4.ebuild qmerge

10. If you have automatic kernel module loading compiled into the kernel, your modules will be loaded
automatically each time iptables needs them. Otherwise you should load the appropriate modules:
Code:
    modprobe ipt_TTL
    modprobe ipt_geoip

11. Change your iptables script and test it!

Don't forget! You need to repeat this whole procedure each time you update your kernel or iptables!
Enjoy!
Please make any corrections if I'm wrong somewhere (including spelling).
_________________
ScRaTcHi
-----------------------------------------------------------
Never trust an operating system you don't have sources for.
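As an added example (not part of ScRaTcHi's post or of patch-o-matic-ng itself), a small POSIX sh script that performs the checks behind steps 1, 3, 4 and 5 before you run runme: it compares the release the /usr/src/linux Makefile would build with uname -r, checks the emerge -pv line for the extensions USE flag, and derives the ebuild path and the IPTABLES_DIR from the versioned package name. It assumes the category-less /var/tmp/portage layout this thread shows and that emerge -pv prints a "[ebuild ...]" line; the function names and the --check flag are my own.

```shell
# Added example, not from the original post: pre-flight checks for steps 1, 3,
# 4 and 5 of the HOWTO. Paths follow the thread (portage of that era kept the
# work dir at /var/tmp/portage/<pkg>-<PVR>/work, without the category).
# Step 1: the release a kernel tree would build, read from its Makefile the
# way "make kernelversion" does, so it can be compared with "uname -r".
kernel_tree_release() {
    mk="$1/Makefile"; [ -r "$mk" ] || return 1
    v=$(sed -n 's/^VERSION[[:space:]]*=[[:space:]]*//p' "$mk")
    p=$(sed -n 's/^PATCHLEVEL[[:space:]]*=[[:space:]]*//p' "$mk")
    s=$(sed -n 's/^SUBLEVEL[[:space:]]*=[[:space:]]*//p' "$mk")
    e=$(sed -n 's/^EXTRAVERSION[[:space:]]*=[[:space:]]*//p' "$mk")
    printf '%s.%s.%s%s\n' "$v" "$p" "$s" "$e"
}
kernel_tree_matches() {  # $1 = tree such as /usr/src/linux, $2 = `uname -r`
    [ "$(kernel_tree_release "$1")" = "$2" ]
}

# Step 3: does the "[ebuild ...]" line from "emerge -pv iptables" show the
# extensions USE flag enabled? "+extensions*", "+extensions%" and
# "(+extensions)" count as enabled; "-extensions" does not.
has_extensions_use() {
    printf '%s\n' "$1" | tr -s ' ' '\n' |
        sed 's/^(//; s/)$//; s/[*%]$//' | grep -qx '+extensions'
}

# Steps 4-5: turn the atom emerge prints (net-firewall/iptables-1.3.1-r4) into
# the ebuild to unpack and the IPTABLES_DIR that runme expects. The -rN
# revision belongs to the ebuild, not the upstream tarball, so the inner
# work directory drops it (iptables-1.3.1-r4 -> iptables-1.3.1).
iptables_ebuild_path() {
    pcat=${1%/*}; pvr=${1##*/}; pn=$(printf '%s\n' "$pvr" | sed 's/-[0-9].*$//')
    printf '/usr/portage/%s/%s/%s.ebuild\n' "$pcat" "$pn" "$pvr"
}
iptables_work_dir() {
    pvr=${1##*/}; pv=$(printf '%s\n' "$pvr" | sed 's/-r[0-9]*$//')
    printf '/var/tmp/portage/%s/work/%s/\n' "$pvr" "$pv"
}

# On a Gentoo box run "sh check.sh --check" (assumes emerge and a kernel tree).
main() {
    kernel_tree_matches /usr/src/linux "$(uname -r)" ||
        { echo "/usr/src/linux does not match the running kernel"; return 1; }
    line=$(emerge -pv iptables | grep '^\[ebuild')
    has_extensions_use "$line" ||
        { echo "add 'net-firewall/iptables extensions' to package.use"; return 1; }
    atom=$(printf '%s\n' "$line" | sed -n 's/^\[ebuild[^]]*][[:space:]]*\([^[:space:]]*\).*/\1/p')
    echo "ebuild: $(iptables_ebuild_path "$atom")"
    echo "IPTABLES_DIR=$(iptables_work_dir "$atom")"
}
[ "${1-}" = "--check" ] && main
```

Note that the version compared in step 1 is the one the tree would build; if you have already bumped /usr/src/linux to a newer tree, the check fails on purpose, which is exactly the case the HOWTO warns about.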
aquadog (n00b)
Joined: 28 Dec 2002, Posts: 28, Location: Johannesburg, South Africa
Posted: Thu Mar 09, 2006 9:22 am
Thanks for this. It's been pretty handy for me.
ixion (l33t)
Joined: 16 Dec 2002, Posts: 708
Posted: Mon Mar 20, 2006 10:56 pm
I agree, this is wonderful. I'm running a binary-only server, and being able to package the patched iptables is great!
One thing to note, IPTABLES_DIR is now:
Code:
    /var/tmp/portage/iptables-1.3.4/work/iptables-1.3.4/
To package the file for binary distribution, this works well:
Code:
    ebuild /usr/portage/net-firewall/iptables/iptables-1.3.4.ebuild package
_________________
only the paranoid survive
jkroon (Tux's lil' helper)
Joined: 15 Oct 2003, Posts: 110, Location: South Africa
Posted: Mon Mar 27, 2006 10:02 pm
Ah sweet. Does patch-o-matic provide a way of only getting the diffs? Aka, produce me some .diff or patch files that I can apply manually with patch?
The problem as it stands is that you will need to manually upgrade iptables every single time from this point onward. I've got a very nasty idea (which the gentoo devs already told me will _not_ go into portage) that will negate this need, iff we can get some patch files.
_________________
There are 10 kinds of people in the world,
those who understand binary and who don't