
Adding modules to iptables

8 November 2016

Reposted from: http://blog.chinaunix.net/uid-56355-id-2735665.html
Prerequisites:
1. The latest patch-o-matic-ng, downloadable from:
http://ftp.netfilter.org/pub/patch-o-matic-ng/
2. The latest iptables source code:
http://www.netfilter.org
3. The kernel source code:
http://www.kernel.org
4. The L7-filter patch and its protocol definition files:
http://sourceforge.net/project/showfiles.php?group_id=80085
5. The geoip database files:
http://people.netfilter.org/peejix/geoip/database/20050410/geoipdb.idx
http://people.netfilter.org/peejix/geoip/database/20050410/geoipdb.bin
Adding iptables modules for kernel 2.6

cd /usr/src/kernels/linux-2.6.14
make mrproper
make menuconfig    (make sure this step actually produces a .config file)

[root@host iptables-1.3.4]# cd /root/iptables/patch-o-matic-ng-20051215
KERNEL_DIR=/usr/src/kernels/linux-2.6.14 IPTABLES_DIR=/usr/src/iptables-1.3.4 ./runme string    # not needed on a 2.6 kernel
KERNEL_DIR=/usr/src/kernels/linux-2.6.14 IPTABLES_DIR=/usr/src/iptables-1.3.4 ./runme comment
KERNEL_DIR=/usr/src/kernels/linux-2.6.14 IPTABLES_DIR=/usr/src/iptables-1.3.4 ./runme connlimit
KERNEL_DIR=/usr/src/kernels/linux-2.6.14 IPTABLES_DIR=/usr/src/iptables-1.3.4 ./runme time
KERNEL_DIR=/usr/src/kernels/linux-2.6.14 IPTABLES_DIR=/usr/src/iptables-1.3.4 ./runme iprange
KERNEL_DIR=/usr/src/kernels/linux-2.6.14 IPTABLES_DIR=/usr/src/iptables-1.3.4 ./runme geoip
KERNEL_DIR=/usr/src/kernels/linux-2.6.14 IPTABLES_DIR=/usr/src/iptables-1.3.4 ./runme nth
KERNEL_DIR=/usr/src/kernels/linux-2.6.14 IPTABLES_DIR=/usr/src/iptables-1.3.4 ./runme ipp2p
KERNEL_DIR=/usr/src/kernels/linux-2.6.14 IPTABLES_DIR=/usr/src/iptables-1.3.4 ./runme quota
[root@host patch-o-matic-ng-20051215]# cd /usr/src/kernels/linux-2.6.14/
[root@host linux-2.6.14]# patch -p1
[root@host linux-2.6.14]# cd /usr/src/iptables-1.3.4
[root@host iptables-1.3.4]# patch -p1
[root@host iptables-1.3.4]#

Build the kernel:
make menuconfig    (select the netfilter modules you just added)
make
make modules_install install
Build iptables:
cd /usr/src/iptables-1.3.4
chmod a+x extensions/.layer7-test
export KERNEL_DIR=/usr/src/kernels/linux-2.6.14/
export IPTABLES_DIR=/usr/src/iptables-1.3.4
make PREFIX=/usr LIBDIR=/lib BINDIR=/sbin && make PREFIX=/usr LIBDIR=/lib BINDIR=/sbin install
Note: extensions/.layer7-test is not executable as shipped, so set the execute bit before building:
[root@host iptables-1.3.4]# ll extensions/.layer7-test
-rw-r--r-- 1 root root 87 Dec 16 16:51 extensions/.layer7-test
[root@host iptables-1.3.4]# chmod a+x extensions/.layer7-test
Then install the L7-filter protocol definitions:
[root@host iptables]# cd l7-protocols-2005-12-16
[root@host l7-protocols-2005-12-16]# make install

Related links:
http://www.douzhe.com/article/data/7/681.html
http://www.douzhe.com/article/data/7/685.html
http://bbs.chinaunix.net/viewthread.php?tid=585771&extra=&page=1
http://ftp.jyt.com.cn/baijin/book/netfilter-extensions-HOWTO-CN.pdf
http://people.netfilter.org/peejix/geoip/howto/geoip-HOWTO.html
http://phorum.study-area.org/viewtopic.php?t=33426&postdays=0&postorder=asc&start=30&sid=a405f0a8f0fb7dc05fa32372e6a2e2fc
http://www.router.net.cn/softrouter/CoyoteLinux/200503/1748.html
http://www.netfilter.org/patch-o-matic/pom-extra.html#pom-extra-pptp-conntrack-nat

Note: [root@host linux-2.4]# make oldconfig
'make oldconfig' reuses the existing .config file (very handy when rebuilding).
Tip: make menuconfig presents so many options that it is often unclear which to choose. In that case copy the configuration the distribution installed with into /usr/src/linux-2.4 first: cp /boot/config-2.4.* /usr/src/linux-2.4/.config. Then run make menuconfig again; it reads the original settings from .config.

geoip
The only extra files you need are a binary database (geoipdb.bin) and its index file (geoipdb.idx). Both are generated from a countries-and-subnets database with the csv2bin tool, available at www.cookinglinux.org/geoip/. Both files MUST be placed in /var/geoip/, because the shared library looks for that pathname statically (e.g. /var/geoip/geoipdb.bin).
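The following POSIX sh helper is an added example, not code from the original post or from the netfilter project. It wraps the patch-o-matic-ng step above (the same KERNEL_DIR/IPTABLES_DIR values and module list the post uses, minus string) and checks the three details the post singles out: the kernel .config must exist before ./runme is run, extensions/.layer7-test must be executable before iptables is built, and both geoip database files must sit in /var/geoip/. The function names and the GEOIP_DIR variable are this example's own; the directories are overridable so the checks can be exercised against a scratch tree.

```shell
#!/bin/sh
# Added example (not from the original post): drive the patch-o-matic-ng
# step with preflight checks, then verify the post-build details the post
# calls out. Paths default to the ones used in the post.

KERNEL_DIR="${KERNEL_DIR:-/usr/src/kernels/linux-2.6.14}"
IPTABLES_DIR="${IPTABLES_DIR:-/usr/src/iptables-1.3.4}"
POM_DIR="${POM_DIR:-/root/iptables/patch-o-matic-ng-20051215}"
GEOIP_DIR="${GEOIP_DIR:-/var/geoip}"      # assumed variable; the match itself only knows /var/geoip

# Modules the post applies with ./runme. 'string' is left out because,
# as the post notes, it is not needed on a 2.6 kernel.
POM_MODULES="comment connlimit time iprange geoip nth ipp2p quota"

# Refuse to patch until both trees exist and the kernel has a .config
# (the post stresses that make menuconfig must have produced one).
pom_preflight() {
    [ -d "$KERNEL_DIR" ]   || { echo "missing kernel tree: $KERNEL_DIR" >&2; return 1; }
    [ -d "$IPTABLES_DIR" ] || { echo "missing iptables tree: $IPTABLES_DIR" >&2; return 1; }
    [ -x "$POM_DIR/runme" ] || { echo "missing or non-executable $POM_DIR/runme" >&2; return 1; }
    [ -f "$KERNEL_DIR/.config" ] || { echo "no $KERNEL_DIR/.config: run make menuconfig first" >&2; return 1; }
    return 0
}

# Apply each module with runme exactly as the post does, passing the two
# directory variables, and stop at the first failure so a half-patched
# tree is noticed instead of being built.
pom_apply_modules() {
    pom_preflight || return 1
    for m in $POM_MODULES; do
        KERNEL_DIR="$KERNEL_DIR" IPTABLES_DIR="$IPTABLES_DIR" \
            "$POM_DIR/runme" "$m" || { echo "runme $m failed" >&2; return 1; }
    done
    return 0
}

# The L7-filter patch drops extensions/.layer7-test into the iptables tree
# without the execute bit; the post's fix is chmod a+x before building.
fix_layer7_test() {
    f="$IPTABLES_DIR/extensions/.layer7-test"
    [ -f "$f" ] || { echo "no $f (L7-filter patch not applied?)" >&2; return 1; }
    [ -x "$f" ] || chmod a+x "$f"
    [ -x "$f" ]
}

# The geoip shared library looks for both files at a fixed pathname under
# /var/geoip/; both must be present and non-empty.
check_geoip_db() {
    for name in geoipdb.bin geoipdb.idx; do
        [ -s "$GEOIP_DIR/$name" ] || { echo "missing or empty $GEOIP_DIR/$name" >&2; return 1; }
    done
    return 0
}

# Typical use as root once the source trees are unpacked:
#   pom_apply_modules && fix_layer7_test && check_geoip_db
```

Running the script sources the functions only; nothing is patched until pom_apply_modules is called, and the preflight stops early on the mistake the post warns about (no .config yet), which is the point at which runme would otherwise start editing the kernel tree.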
