Differences

This shows you the differences between two versions of the page.

--- linux:iptables:l7patch [2006/11/03 18:03]
a another way
+++ linux:iptables:l7patch [2007/06/09 17:31]
a
@@ Line 17: / Line 17: @@
 .. more to come
@@ Line 23: / Line 25: @@
 FIXME Need some styling
-I downloaded the source package for ''iptables v1.3.5'' and copied the source in  '/usr/src/iptables-1.3.5.0debian1''. Install the iptables-dev package (although I think it's not necessary if you install the iptables source package). You'll need the kernel-headers package too. I sent you my ''**Makefile**.'' With this setup you just need to do make in the directory where the sources are. If you succeed, you will find a dynamic library ''libipt_ipp2p.so'', which you'll have to copy to ''/lib/iptables/'' and a kernel module called ''ipt_ipp2p.ko'' (supposing you have a 2.6.x kernel in your system). Copy ''ipt_ipp2p.ko'' in ''/lib/modules/<your_kernel_version>/kernel/net/ipv4/netfilter/ipt_ipp2p.ko'' and type ''depmod -a''.
+I downloaded the source package for ''iptables v1.3.5'' and copied the source in  '/usr/src/iptables-1.3.5.0debian1''. Install the iptables-dev package (although I think it's not necessary if you install the iptables source package). You'll need the kernel-headers package too. I sent you my ''**Makefile**.'' With this setup you just need to do make in the directory where the sources are. If you succeed, you will find a dynamic library ''libipt_ipp2p.so'', which you'll have to copy to ''/lib/iptables/'' and a kernel module called ''ipt_ipp2p.ko'' (supposing you have a 2.6.x kernel in your system). Copy ''ipt_ipp2p.ko'' in '/lib/modules/<your_kernel_version>/kernel/net/ipv4/netfilter/ipt_ipp2p.ko'' and type ''depmod -a''.
 Try loading the module with modprobe ipt_ipp2p. If everything is OK try the following command:
@@ Line 32: / Line 34: @@
 Thanks to //Abel Martín// at debian-firewall mailinglist.
+==== ipp2p best practices ====
+I suggest the following tcp and udp for connection tracking (see docu section)
+# iptables -t mangle -A PREROUTING -p tcp -j CONNMARK --restore-mark
+# iptables -t mangle -A PREROUTING -p tcp -m mark ! --mark 0 -j ACCEPT
+# iptables -t mangle -A PREROUTING -p tcp -m ipp2p --ipp2p -j MARK --set-mark 1
+# iptables -t mangle -A PREROUTING -p tcp -m mark --mark 1 -j CONNMARK --save-mark
+# iptables -t mangle -A PREROUTING -p udp -m ipp2p --ipp2p -j MARK --set-mark 1
+detect **TCP FIRST, SAVE MARK** , and detect udp after you saved the mark !!
+You will have now every p2p packet marked, but a dramtic reduce of udp
+mismatches.
+===== Yet another way to do it .. =====
+) Download:
+   * iptables-dev (apt-get)
+   * kernel-headers-2.x.x (your kernel, "uname -r")
+   * src of your iptables (iptables -V and apt-get source)
+   * ipp2p-0.8.0.tar.gz (stable)
+) untar ipp2p and cd ipp2p
+) Edit Makefile, if it's necesary:
+   * IPTABLES_SRC = /usr/src/iptables
+   * In my case, the headers are detected automaticaly.
+) make (WITHOUT ERRORS!!! ;) )
+) cp libipt_ipp2p.so /lib/iptables
+) cp ipt_ipp2p.ko /lib/modules/`uname -r`/kernel/net/ipv4/netfilter
+) depmod -A
+) insmod ipt_ipp2p.ko (or modprobe)
+) lsmod | grep ipp2p
+) iptables -m ipp2p --help
+   root@servidor:/usr/src/ipp2p-0.8.0# make
+   make -C /lib/modules/2.6.15-28-386/build SUBDIRS=/usr/src/ipp2p-0.8.0
+   modules
+   make[1]: se ingresa al directorio `/usr/src/linux-headers-2.6.15-28-386'
+     CC [M]  /usr/src/ipp2p-0.8.0/ipt_ipp2p.o
+     Building modules, stage 2.
+     MODPOST
+     CC      /usr/src/ipp2p-0.8.0/ipt_ipp2p.mod.o
+     LD [M]  /usr/src/ipp2p-0.8.0/ipt_ipp2p.ko
+     make[1]: se sale del directorio `/usr/src/linux-headers-2.6.15-28-386'
+    gcc -O3 -Wall -DIPTABLES_VERSION=\"\" -I/usr/src/iptables-1.3.3/include
+   -fPIC -c  libipt_ipp2p.c
+   ld -shared -o libipt_ipp2p.so libipt_ipp2p.o