首页 > Linux安全防护 > IPtables extensions

IPtables extensions

2016年11月8日

IPtables extensions
http://www.mad-hacking.net/documentation/linux/security/iptables/extensions.xml
Obtaining and installing the extensions

While the standard kernel comes with a variety of NetFilter and xtables modules there are also some extra modules available which are not included in the standard “vanilla” kernel for one reason or another. These extra modules can be found on the Netfilter web site◳.

The extension modules are added to the kernel sources using a tool called patch-o-matic-ng which is released regularly. You should browse the snapshots◳ directory for the latest available snapshot of patch-o-matic-ng and replace the URL and filenames below as appropriate.

firewall ~ # wget ftp://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot/patch-o-matic-ng-20070107.tar.bz2
firewall ~ # tar -jxf patch-o-matic-ng-20070107.tar.bz2
firewall ~ # rm patch-o-matic-ng-20070107.tar.bz2
Now that we have downloaded the extension modules, and the patch-o-matic-ng tool with which to apply them to our kernel, all that remains is to install the extension modules into our current kernel source tree.

The first step is to ensure that iptables has been installed with the extensions use flag set. If not add an entry to /etc/portage/package.use as shown below.

firewall ~ # emerge -pv iptables

These are the packages that would be merged, in order:

Calculating dependencies… done!
[ebuild N ] net-firewall/iptables-1.3.5-r4 USE=”-extensions -imq -ipv6 -l7filter -static”

firewall ~ # echo “net-firewall/iptables extensions” >> /etc/portage/package.use
firewall ~ # emerge -pv iptables

These are the packages that would be merged, in order:

Calculating dependencies… done!
[ebuild N ] net-firewall/iptables-1.3.5-r4 USE=”extensions -imq -ipv6 -l7filter -static”
Once we are sure that iptables will be installed with the correct use-flags set we can determine which ebuild will be used with the following command.

firewall ~ # equery which iptables

/usr/portage/net-firewall/iptables/iptables-1.3.5-r4.ebuild
Now that we know which ebuild would be used by portage to install iptables we can use it to unpack the source with the following commands. The ebuild will display a message detailing the path of the unpacked sources which we shall need in the next step.

firewall ~ # ebuild /usr/portage/net-firewall/iptables/iptables-1.3.5-r4.ebuild clean
firewall ~ # ebuild /usr/portage/net-firewall/iptables/iptables-1.3.5-r4.ebuild unpack

>>> Unpacking iptables-1.3.5.tar.bz2 to /var/tmp/portage/iptables-1.3.5-r4/work
Armed with this information we are ready to apply the kernel patches using the patch-o-matic-ng tool, our existing kernel sources, and the iptables sources which we obtained above. The following commands will start the patch-o-matic-ng tool and begin the patching process. You will need to modify the paths as appropriate for the version of iptables and the patch-o-matic-ng tool which you are using.

firewall ~ # cd patch-o-matic-ng-20070107
firewall patch-o-matic-ng-20070107 # IPTABLES_DIR=/var/tmp/portage/iptables-1.3.5-r4/work/iptables-1.3.5/ KERNEL_DIR=/usr/src/linux ./runme extra
Selecting the extensions

When patch-o-matic-ng is run, assuming that the iptables and kernel source directories can be located, you should be greeted with a screen similar to that shown below.

Welcome to Patch-o-matic ($Revision$)!

Kernel: 2.6.17, /usr/src/linux
Iptables: 1.3.5, /var/tmp/portage/iptables-1.3.5-r4/work/iptables-1.3.5/

Each patch is a new feature: many have minimal impact, some do not.
Almost every one has bugs, so don’t apply what you don’t need!
——————————————————-
Already applied: ROUTE

Testing TARPIT… not applied
The TARPIT patch:
Author: “Aaron Hopkins”
Status: Works for me

Adds a TARPIT target to iptables, which captures and holds incoming TCP
connections using no local per-connection resources. Connections are
accepted, but immediately switched to the persist state (0 byte window), in
which the remote side stops sending data and asks to continue every 60-240
seconds. Attempts to close the connection are ignored, forcing the remote
side to time out the connection in 12-24 minutes.

—————————————————————–
Do you want to apply this patch [N/y/t/f/a/r/b/w/q/?]
As you can see the first few lines are taken up by a greeting, some status information, and a warning about the potential instability of any experimental modules. The next section details the currently applied patches, in this case the ROUTE target has been applied already. Following that is a section providing detailed information about the current patch including some brief usage instructions and the current status of the patch.

Rebuilding iptables and the kernel

With the desired patches applied to both the kernel and the iptables sources we are now in a position where both can be built and installed. We can use portage and the ebuild to do all the work for us when it comes to completing the installation of iptables as shown below.

firewall ~ # ebuild /usr/portage/net-firewall/iptables/iptables-1.3.5-r4.ebuild compile
firewall ~ # ebuild /usr/portage/net-firewall/iptables/iptables-1.3.5-r4.ebuild install
firewall ~ # ebuild /usr/portage/net-firewall/iptables/iptables-1.3.5-r4.ebuild qmerge
You will have to build and install the kernel by hand in the usual way. Remember to ensure that any extension modules you have patched into the kernel sources have been enabled in the kernel configuration as they are all disabled by default.

分类: Linux安全防护 标签:
本文的评论功能被关闭了.