Differences

linux:iptables:l7patch [2006/03/28 02:03]
a created
linux:iptables:l7patch [2007/06/09 17:31]
a
Line 21: Line 21:
  
  
 +
 +====== Another way to do it ======
 +FIXME Need some styling
 +
 +I downloaded the source package for ''iptables v1.3.5'' and copied the source in  '/usr/src/iptables-1.3.5.0debian1''. Install the iptables-dev package (although I think it's not necessary if you install the iptables source package). You'll need the kernel-headers package too. I sent you my ''**Makefile**.'' With this setup you just need to do make in the directory where the sources are. If you succeed, you will find a dynamic library ''libipt_ipp2p.so'', which you'll have to copy to ''/lib/iptables/'' and a kernel module called ''ipt_ipp2p.ko'' (supposing you have a 2.6.x kernel in your system). Copy ''ipt_ipp2p.ko'' in '/lib/modules/<your_kernel_version>/kernel/net/ipv4/netfilter/ipt_ipp2p.ko'' and type ''depmod -a''.
 +
 +Try loading the module with modprobe ipt_ipp2p. If everything is OK try the following command:
 +
 +   iptables -m ipp2p --help
 +
 +You should see some info about the usage of this module.
 +
 +Thanks to //Abel Martín// at debian-firewall mailinglist.
 +
 +==== ipp2p best practices ====
 +
 +I suggest the following tcp and udp for connection tracking (see docu section)
 +
 +   01# iptables -t mangle -A PREROUTING -p tcp -j CONNMARK --restore-mark
 +   02# iptables -t mangle -A PREROUTING -p tcp -m mark ! --mark 0 -j ACCEPT
 +   03# iptables -t mangle -A PREROUTING -p tcp -m ipp2p --ipp2p -j MARK --set-mark 1
 +   04# iptables -t mangle -A PREROUTING -p tcp -m mark --mark 1 -j CONNMARK --save-mark
 +   05# iptables -t mangle -A PREROUTING -p udp -m ipp2p --ipp2p -j MARK --set-mark 1
 +
 +detect **TCP FIRST, SAVE MARK** , and detect udp after you saved the mark !!
 +You will have now every p2p packet marked, but a dramtic reduce of udp
 +mismatches.
 +
 +===== Yet another way to do it .. =====
 +
 +  1) Download:
 +   * iptables-dev (apt-get)
 +   * kernel-headers-2.x.x (your kernel, "uname -r")
 +   * src of your iptables (iptables -V and apt-get source)
 +   * ipp2p-0.8.0.tar.gz (stable)
 +   2) untar ipp2p and cd ipp2p
 +   3) Edit Makefile, if it's necesary:
 +   * IPTABLES_SRC = /usr/src/iptables
 +   * In my case, the headers are detected automaticaly.
 +   4) make (WITHOUT ERRORS!!! ;) )
 +   5) cp libipt_ipp2p.so /lib/iptables
 +   6) cp ipt_ipp2p.ko /lib/modules/`uname -r`/kernel/net/ipv4/netfilter
 +   7) depmod -A
 +   8) insmod ipt_ipp2p.ko (or modprobe)
 +   9) lsmod | grep ipp2p
 +  10) iptables -m ipp2p --help
 +
 +   root@servidor:/usr/src/ipp2p-0.8.0# make
 +   make -C /lib/modules/2.6.15-28-386/build SUBDIRS=/usr/src/ipp2p-0.8.0 
 +   modules
 +   make[1]: se ingresa al directorio `/usr/src/linux-headers-2.6.15-28-386'
 +     CC [M]  /usr/src/ipp2p-0.8.0/ipt_ipp2p.o
 +     Building modules, stage 2.
 +     MODPOST
 +     CC      /usr/src/ipp2p-0.8.0/ipt_ipp2p.mod.o
 +     LD [M]  /usr/src/ipp2p-0.8.0/ipt_ipp2p.ko
 +     make[1]: se sale del directorio `/usr/src/linux-headers-2.6.15-28-386'
 +    gcc -O3 -Wall -DIPTABLES_VERSION=\"\" -I/usr/src/iptables-1.3.3/include 
 +   -fPIC -c  libipt_ipp2p.c
 +   ld -shared -o libipt_ipp2p.so libipt_ipp2p.o
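Review bot: The build log at the end of the hunk shows ''-DIPTABLES_VERSION=\"\"'' and ''-I/usr/src/iptables-1.3.3/include'', so the extension was compiled with an empty version string against a source tree that matches neither ''IPTABLES_SRC = /usr/src/iptables'' from step 3 nor the ''iptables v1.3.5'' of the first section; iptables 1.3.x compares a match plugin's version string with its own when it loads the ''.so'' and refuses a mismatch, so an empty value can make ''iptables -m ipp2p --help'' fail even though the library was copied to ''/lib/iptables'' correctly. Step 3 should say to set IPTABLES_VERSION to the output of ''iptables -V'' (which step 1 already asks for) and to point IPTABLES_SRC at the unpacked source of that same version. Smaller points: step 7 uses ''depmod -A'' while the first section uses ''depmod -a''; pick one (''-a'' always regenerates the dependency map, ''-A'' only when a module is newer than it). In the best-practices rules, 01, 02 and 04 are ''-p tcp'' only, so udp flows are never restored from or saved to CONNMARK and a udp packet is marked only when rule 05 matches it directly; if that is the intended trade-off against udp mismatches the text should say so, and it should also show where mark 1 is consumed (the DROP or shaping rule), since the page stops at marking. The wiki markup of the first paragraph is broken too: ''/usr/src/iptables-1.3.5.0debian1'' and the ''/lib/modules/...'' path open with a single quote but close with the two-quote code markup.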
linux/iptables/l7patch.txt · Last modified: 2009/05/25 00:35 (external edit)
CC Attribution-Share Alike 4.0 International