I want to block kazaa connections on my gentoo-based router by using
$IPTABLES -A FORWARD -p tcp -m string --string "X-Kazaa-Username:" -j REJECT --reject-with tcp-reset
but iptables can't create that rule, it says:
iptables v1.2.8: Couldn't load match `string':/lib/iptables/libipt_string.so: cannot open shared object file: No such file or directory
What is wrong? How can I use rules like the on above?
Thanks in advance,
Robby
iptables -m string not working
Message
It sounds as if you didn't select the required options while configuring your kernel. You'll need to do a 'cd /usr/src/linux && make menuconfig' and go to the 'Networking options' category. Obviously, select 'Network packet filtering (replaces ipchains)'. Scroll down and select 'IP: Netfilter Configuration --->' (a subcategory).
There's a myriad of options here. I believe what you're looking for will be display under 'IP Table support (required for...)' - look for the mark and match options. If you are concerned about kernel size, build them as modules. If you don't like building things as modules and you're concerned about kernel size, you'll have to make a choice.
HTH.
There's a myriad of options here. I believe what you're looking for will be display under 'IP Table support (required for...)' - look for the mark and match options. If you are concerned about kernel size, build them as modules. If you don't like building things as modules and you're concerned about kernel size, you'll have to make a choice.
HTH.
I compiled all these modules of the kernel, and I can use all of them (eg. for active ftp over masquerading), but there is no module for this string issue...
I read something about -m string not being available in all distros, and that people should download latest iptables source + kernel patches to get this feature working. What patches do I need? Isn't the gentoo iptables able to work with the string option somehow?
I read something about -m string not being available in all distros, and that people should download latest iptables source + kernel patches to get this feature working. What patches do I need? Isn't the gentoo iptables able to work with the string option somehow?
Download the latest patch-o-matic from here:
http://www.netfilter.org/downloads.html#pom-20030912
Unpack it and run with ./runme extra, say yes to everything you want in the kernel, libipt_string.so will be one of them.
Config and build the kernel(modules) and re-emerge iptables.
You will need to have a 2.4 kernel (haven't tried 2.6 yet), but string support does not work with 2.4.9
Now if only I could get the TARPIT module to work...
http://www.netfilter.org/downloads.html#pom-20030912
Unpack it and run with ./runme extra, say yes to everything you want in the kernel, libipt_string.so will be one of them.
Config and build the kernel(modules) and re-emerge iptables.
You will need to have a 2.4 kernel (haven't tried 2.6 yet), but string support does not work with 2.4.9
Now if only I could get the TARPIT module to work...
I tried the latest patch-o-matic
I've tried the latest patch-o-matic on the gentoo-sources kernel with the following command:
but the script returns that the code has already been patched and should be up to date
so i tried recompiling the kernel and iptables one more time (I compiled the match string into the kernel, not as a module)
and ran
but it returned as always
does anyone have netfilter string support working with gentoo-sources?
doesn't the .so file imply that it is trying to load it from a module? If so, it was compiled into the kernel, not a module.
thanks
Wing
also, while going throught the make bzImage output, i found the following
most of the other functions didn't have warnings...
Code: Select all
./runme extra/string.patchCode: Select all
Welcome to Rusty's Patch-o-matic!
Kernel: /usr/src/linux-2.4.20-gentoo-r6
Userspace: /tmp
Each patch is a new feature: many have minimal impact, some do not.
Almost every one has bugs, so I don't recommend applying them all!
-------------------------------------------------------
Already applied: extra/string
-----------------------------------------------------------------
No more patches to apply! Q to Quit or ? for options [Q/a/r/b/?]
and ran
Code: Select all
iptables -m string --helpCode: Select all
iptables v1.2.8: Couldn't load match `string':/lib/iptables/libipt_string.so: cannot open shared object file: No such file or directory
Try `iptables -h' or 'iptables --help' for more information.
doesn't the .so file imply that it is trying to load it from a module? If so, it was compiled into the kernel, not a module.
thanks
Wing
also, while going throught the make bzImage output, i found the following
Code: Select all
gcc -D__KERNEL__ -I/usr/src/linux/include -Wall -Wstrict-prototypes -Wno-trigraphs -O2 -fno-strict-aliasing -fno-common -fomit-frame-pointer -pipe -mpreferred-stack-boundary=2 -march=pentium4 -nostdinc -iwithprefix include -DKBUILD_BASENAME=ipt_string -c -o ipt_string.o ipt_string.c
ipt_string.c: In function `search_sublinear':
ipt_string.c:53: warning: subscript has type `char'
ipt_string.c:78: warning: subscript has type `char'