Bass 's Blog (เขียน Blog แบบ บ่นๆ ตามฉบับ นายเบส)

Latest Updates: blockbit RSS

• 

  IPSET Installation With Compile For iptables

  bass 12:45 on 01/01/2010 | 0 Permalink | Reply
  Tags: blockbit, compile (2), Debian (20), ipset, ubuntu (11)

  The installation requires the following steps

  it is assumed that you have got the kernel source tree, configured and at least the modules compiled
  donwload and unpack the source
  run KERNEL_DIR= make to compile the userspace tool and the kernel modules
  run KERNEL_DIR= make install to install the ipset userspace tool and the kernel modules
  In order to use to the set match and SET target
  you need iptables 1.4.4 (or above), or
  due to the ipset protocol change, you have to recompile iptables before 1.4.4 to get ipset 3.0 (or above) supported:
  Copy the file kernel/include/linux/netfilter_ipv4/ip_set.h from the source tree of ipset-3.9 to include/linux/netfilter_ipv4 in the source of iptables
  Recompile iptables
  and ready!

  Refer : http://ipset.netfilter.org/install.html

   

  Reply กดที่นี่เพื่อยกเลิกการตอบ

  Name (required)

  Email (required)

  Web Site

   
• 

  Compile Debian + L7

  bass 01:40 on 11/03/2009 | 0 Permalink | Reply
  Tags: blockbit, compile (2), Debian (20), imq (2), kernel, layer7, routing (2)

  Debian Lenny Compile Kernel
  

  apt-get install gzip unzip bzip2 patch
  apt-get install debhelper screen fakeroot zlib1g-dev build-essential libncurses5-dev kernel-package

  apt-get install linux-source-2.6

  cd /usr/src/

  wget http://downloads.sourceforge.net/project/l7-filter/l7-filter%20kernel%20version/2.22/netfilter-layer7-v2.22.tar.gz
  wget http://downloads.sourceforge.net/project/l7-filter/Protocol%20definitions/2009-05-28/l7-protocols-2009-05-28.tar.gz

  wget http://www.ssi.bg/~ja/routes-2.6.26-15.diff

  wget http://www.linuximq.net/patchs/linux-2.6.26.8-imq-test2.diff
  wget http://www.linuximq.net/patchs/iptables-1.4.3.2-imq_xt.diff

  wget http://www.netfilter.org/projects/iptables/files/iptables-1.4.3.2.tar.bz2

  tar jxf linux-source-2.6.26.tar.bz2
  tar zxf netfilter-layer7-v2.22.tar.gz
  tar zxf l7-protocols-2009-05-28.tar.gz
  tar jxf iptables-1.4.3.2.tar.bz2

  ln -sd linux-source-2.6.26 ./linux

  cd linux

  patch -p1 < /usr/src/netfilter-layer7-v2.22/kernel-2.6.25-2.6.28-layer7-2.22.patch
  patch -p1 < /usr/src/routes-2.6.26-15.diff
  patch -p1 < /usr/src/linux-2.6.26.8-imq-test2.diff

  Networking options > Network packet filtering framework (Netfilter) > Core Netfilter Configuration.
  [ ] layer7 match support

  [*] select all
  [M] select all

  "IMQ" target support
  "layer7" match support
  [ ] "Layer7" debugging output

  ติดตั้งแบบ ด่วน
  make && make modules && make modules_install && make install
  cd /boot
  mkinitramfs -o initrd.img-2.6.26.19 2.6.26.19
  update-grub
  reboot

  สำหรับสร้างเพื่อไป Install ที่อื่น (.deb)

  make clean && make mrproper
  make menuconfig

  make-kpkg clean
  fakeroot make-kpkg –initrd –append-to-version=-l7imq kernel_image kernel_headers
  cd /usr/src
  dpkg -i linux-image-*
  dpkg -i linux-headers-*

  reboot

  iptables v1.4.3.2 เพื่อให้รองรับกับ layer7
  cd /usr/src/iptables-1.4.3.2
  patch -p1 < /usr/src/iptables-1.4.3.2-imq_xt.diff
  cp /usr/src/netfilter-layer7-v2.22/iptables-1.4.3forward-for-kernel-2.6.20forward/* /usr/src/iptables-1.4.3.2/extensions/
  ./configure –with-kernel=/usr/src/linux
  make
  make install
  cd /usr/src/l7-protocols-2009-05-28
  make install

  modprobe xt_layer7

  Files rc.local

  modprobe xt_rateest
  modprobe xt_helper
  modprobe xt_dccp
  modprobe xt_TPROXY
  modprobe xt_NFLOG
  modprobe xt_limit
  modprobe xt_tcpmss
  modprobe xt_connbytes
  modprobe xt_owner
  modprobe xt_sctp
  modprobe xt_DSCP
  modprobe xt_MARK
  modprobe xt_IMQ
  modprobe xt_statistic
  modprobe xt_quota
  modprobe xt_layer7
  modprobe xt_TCPOPTSTRIP
  modprobe xt_recent
  modprobe xt_NOTRACK
  modprobe xt_iprange
  modprobe xt_CONNSECMARK
  modprobe xt_multiport
  modprobe xt_CONNMARK
  modprobe xt_RATEEST
  modprobe xt_policy
  modprobe xt_dscp
  modprobe xt_pkttype
  modprobe xt_length
  modprobe xt_CLASSIFY
  modprobe xt_physdev
  modprobe xt_SECMARK
  modprobe xt_connlimit
  modprobe xt_tcpudp
  modprobe xt_TRACE
  modprobe xt_realm
  modprobe xt_conntrack
  modprobe xt_string
  modprobe xt_hashlimit
  modprobe xt_mac
  modprobe xt_time
  modprobe xt_mark
  modprobe xt_comment
  modprobe xt_u32
  modprobe xt_NFQUEUE
  modprobe xt_TCPMSS
  modprobe xt_socket
  modprobe xt_esp
  modprobe xt_state
  modprobe xt_connmark
  modprobe nf_conntrack_ftp
  modprobe nf_conntrack
  modprobe nf_nat_ftp
  modprobe nf_nat

  ทดสอบ Layer7
  iptables -m layer7 -h

  Block Bit
  iptables -A FORWARD -m layer7 –l7proto bittorrent -j DROP

  iptables -nvL | grep LAYER

  ทดสอบ IMQ
  http://www.linuximq.net/usage.html

  Refer : http://www.linuximq.net
  http://www.ssi.bg/~ja/
  http://l7-filter.sourceforge.net/
  http://mscompute.com/wiki/index.php/Layer7_IMQ_Route_Multipath_Loadbalance_Debian_Lenny_2.6.28