IPtables extensions

Obtaining and installing the extensions

While the standard kernel comes with a variety of Netfilter and xtables modules, there are also some extra modules which are not included in the standard "vanilla" kernel for one reason or another. These extra modules can be found on the Netfilter web site.

The extension modules are added to the kernel sources using a tool called patch-o-matic-ng which is released regularly. You should browse the snapshots directory for the latest available snapshot of patch-o-matic-ng and replace the URL and filenames below as appropriate.

firewall wget ftp://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot/patch-o-matic-ng-20070107.tar.bz2
firewall tar -jxf patch-o-matic-ng-20070107.tar.bz2
firewall rm patch-o-matic-ng-20070107.tar.bz2

Now that we have downloaded the extension modules, and the patch-o-matic-ng tool with which to apply them to our kernel, all that remains is to install the extension modules into our current kernel source tree.

The first step is to ensure that iptables has been installed with the extensions USE flag set. If not, add an entry to /etc/portage/package.use as shown below.

firewall emerge -pv iptables

These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild      ] net-firewall/iptables-1.3.5-r4  USE="-extensions -imq -ipv6 -l7filter -static"

firewall echo "net-firewall/iptables extensions" >> /etc/portage/package.use
firewall emerge -pv iptables

These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild      ] net-firewall/iptables-1.3.5-r4  USE="extensions  -imq -ipv6 -l7filter -static"

Once we are sure that iptables will be installed with the correct USE flags set, we can determine which ebuild will be used with the following command.

firewall equery which iptables

/usr/portage/net-firewall/iptables/iptables-1.3.5-r4.ebuild

Now that we know which ebuild portage would use to install iptables, we can use it to unpack the source with the following commands. The ebuild will display a message giving the path of the unpacked sources, which we shall need in the next step.

firewall ebuild /usr/portage/net-firewall/iptables/iptables-1.3.5-r4.ebuild clean
firewall ebuild /usr/portage/net-firewall/iptables/iptables-1.3.5-r4.ebuild unpack

>>> Unpacking iptables-1.3.5.tar.bz2 to /var/tmp/portage/iptables-1.3.5-r4/work

Armed with this information we are ready to apply the kernel patches using the patch-o-matic-ng tool, our existing kernel sources, and the iptables sources which we obtained above. The following commands will start the patch-o-matic-ng tool and begin the patching process. You will need to modify the paths as appropriate for the version of iptables and the patch-o-matic-ng tool which you are using.

firewall cd patch-o-matic-ng-20070107
firewall patch-o-matic-ng-20070107 IPTABLES_DIR=/var/tmp/portage/iptables-1.3.5-r4/work/iptables-1.3.5/ KERNEL_DIR=/usr/src/linux ./runme extra

Selecting the extensions

When patch-o-matic-ng is run, assuming that the iptables and kernel source directories can be located, you should be greeted with a screen similar to that shown below.

Welcome to Patch-o-matic ($Revision$)!

Kernel:   2.6.17, /usr/src/linux
Iptables: 1.3.5, /var/tmp/portage/iptables-1.3.5-r4/work/iptables-1.3.5/

Each patch is a new feature: many have minimal impact, some do not.
Almost every one has bugs, so don't apply what you don't need!
-------------------------------------------------------
Already applied: ROUTE

Testing TARPIT... not applied
The TARPIT patch:
   Author: "Aaron Hopkins"
   Status: Works for me

Adds a TARPIT target to iptables, which captures and holds incoming TCP
connections using no local per-connection resources.  Connections are
accepted, but immediately switched to the persist state (0 byte window), in
which the remote side stops sending data and asks to continue every 60-240
seconds.  Attempts to close the connection are ignored, forcing the remote
side to time out the connection in 12-24 minutes.

-----------------------------------------------------------------
Do you want to apply this patch [N/y/t/f/a/r/b/w/q/?]

As you can see, the first few lines are taken up by a greeting, some status information, and a warning about the potential instability of the experimental modules. The next section lists the patches that are already applied; in this case the ROUTE target has been applied already. Following that is a section providing detailed information about the current patch, including some brief usage instructions and the current status of the patch, and finally the prompt asking whether to apply it. Take the tool's own warning seriously: every patch you accept is extra code running inside the kernel that its authors expect to have bugs, so apply only the patches you actually need.

Rebuilding iptables and the kernel

With the desired patches applied to both the kernel and the iptables sources, both can now be built and installed. Portage and the ebuild can do all the work of completing the iptables installation for us, as shown below.

firewall ebuild /usr/portage/net-firewall/iptables/iptables-1.3.5-r4.ebuild compile
firewall ebuild /usr/portage/net-firewall/iptables/iptables-1.3.5-r4.ebuild install
firewall ebuild /usr/portage/net-firewall/iptables/iptables-1.3.5-r4.ebuild qmerge

You will have to build and install the kernel by hand in the usual way. Remember to ensure that any extension modules you have patched into the kernel sources have been enabled in the kernel configuration, as they are all disabled by default. The userspace side alone is not enough: a rule that uses a newly patched target or match will fail to load until the matching kernel module has been built, installed and loaded, so reboot into the new kernel (or load the modules) before relying on the new rules.
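The procedure above, collected into one POSIX shell script, as an added example that is not part of the original page or of the Netfilter project. The commands it runs (emerge, equery, ebuild, runme) are the ones used on this page; the function names, the parsing of portage's output, and the assumption that the tarball's top-level directory is named after the tarball (iptables-1.3.5.tar.bz2 unpacks to iptables-1.3.5/) are assumptions made for this example. The parsers are exercised against output copied from the page; the installation function itself is only defined, not run, since it needs root on a Gentoo host.

```shell
#!/bin/sh
# Added helper script wrapping the page's steps; function names and the
# output parsing below are assumptions made for this example.

# use_flag_enabled PKG FLAG: read `emerge -pv` output on stdin and return
# 0 if FLAG is enabled for PKG, 1 if it is disabled (listed with a leading
# '-'), 2 if PKG does not appear in the output at all.
use_flag_enabled() {
    pkg=$1 flag=$2
    line=$(grep -F "] $pkg-" | head -n 1)
    [ -n "$line" ] || return 2
    use=$(printf '%s\n' "$line" | sed -n 's/.*USE="\([^"]*\)".*/\1/p')
    for f in $use; do
        # portage decorates flags: (forced/masked), * changed, % new; strip
        f=${f#'('}; f=${f%')'}; f=${f%'*'}; f=${f%'%'}
        case $f in
            "$flag")  return 0 ;;
            "-$flag") return 1 ;;
        esac
    done
    return 1
}

# unpacked_srcdir: read `ebuild ... unpack` output on stdin and print the
# directory holding the unpacked sources. Assumes (see lead-in) that the
# tarball's top-level directory equals its name minus the .tar.* suffix.
unpacked_srcdir() {
    sed -n 's/^>>> Unpacking \(.*\)\.tar\.[a-z0-9]* to \([^[:space:]]*\).*$/\2\/\1/p' | head -n 1
}

# apply_extensions POM_DIR IPTABLES_SRC [KERNEL_SRC]: run patch-o-matic-ng's
# runme in "extra" mode against the given iptables and kernel source trees,
# after checking that all three trees are actually there.
apply_extensions() {
    pom=$1 ipt=$2 kdir=${3:-/usr/src/linux}
    [ -x "$pom/runme" ] || { echo "no runme in $pom" >&2; return 1; }
    [ -d "$ipt/extensions" ] || { echo "no iptables sources in $ipt" >&2; return 1; }
    [ -d "$kdir/net/ipv4/netfilter" ] || { echo "no kernel sources in $kdir" >&2; return 1; }
    (cd "$pom" && IPTABLES_DIR="$ipt" KERNEL_DIR="$kdir" ./runme extra)
}

# install_iptables_extensions POM_DIR: the whole procedure from the page.
# Defined only; run it by hand, as root, on the Gentoo firewall host.
install_iptables_extensions() {
    pom=$1
    rc=0
    emerge -pv net-firewall/iptables | use_flag_enabled net-firewall/iptables extensions || rc=$?
    case $rc in
        0) ;;
        1) echo "net-firewall/iptables extensions" >> /etc/portage/package.use ;;
        *) echo "net-firewall/iptables not found in emerge output" >&2; return 1 ;;
    esac
    ebuild_file=$(equery which iptables)
    ebuild "$ebuild_file" clean
    src=$(ebuild "$ebuild_file" unpack | unpacked_srcdir)
    [ -d "$src" ] || { echo "could not locate unpacked iptables sources" >&2; return 1; }
    apply_extensions "$pom" "$src" /usr/src/linux || return 1
    ebuild "$ebuild_file" compile
    ebuild "$ebuild_file" install
    ebuild "$ebuild_file" qmerge
    echo "iptables rebuilt; enable the new modules in the kernel config and rebuild the kernel" >&2
}

# Constructed sample input: the two emerge -pv lines and the unpack message
# shown on this page, used to exercise the parsers offline.
SAMPLE_OFF='[ebuild      ] net-firewall/iptables-1.3.5-r4  USE="-extensions -imq -ipv6 -l7filter -static"'
SAMPLE_ON='[ebuild      ] net-firewall/iptables-1.3.5-r4  USE="extensions  -imq -ipv6 -l7filter -static"'
SAMPLE_UNPACK='>>> Unpacking iptables-1.3.5.tar.bz2 to /var/tmp/portage/iptables-1.3.5-r4/work '

demo_parsers() {
    if printf '%s\n' "$SAMPLE_OFF" | use_flag_enabled net-firewall/iptables extensions; then
        echo "before package.use edit: extensions enabled"
    else
        echo "before package.use edit: extensions disabled"
    fi
    if printf '%s\n' "$SAMPLE_ON" | use_flag_enabled net-firewall/iptables extensions; then
        echo "after package.use edit:  extensions enabled"
    else
        echo "after package.use edit:  extensions disabled"
    fi
    echo "unpacked sources: $(printf '%s\n' "$SAMPLE_UNPACK" | unpacked_srcdir)"
}

demo_parsers
```

Source the file and call install_iptables_extensions with the path of the unpacked patch-o-matic-ng snapshot, e.g. `install_iptables_extensions ~/patch-o-matic-ng-20070107`. The version-specific paths from the page are derived at run time from `equery which` and the ebuild's own unpack message rather than hard-coded, so the script survives an iptables revision bump.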