Old 07-29-2005, 01:05 PM   #1
ddaas
Member
 
Registered: Oct 2004
Location: Romania
Distribution: Ubuntu server, FreeBsd
Posts: 453

Rep: Reputation: 30
iptables -m layer7 - RPM


Hello,
I am using FC3 with 2.6.11 kernel.
I want to use the -m layer7 option of iptables (for QoS). It seems it is not compiled into this version of iptables, v1.2.11.
I manage the system with apt/synaptic and I don't want to compile from source (only if it is really necessary).

The first question:
1) Does anybody know of / have an iptables and kernel RPM which has this option enabled (-m layer7)?
2) How can I see the kernel and iptables compilation options (having just an installed RPM)?

Thanks
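One way to answer question 2 without rebuilding anything is to look at the installed kernel's config and at the iptables extension directory. The script below is an added example, not something posted in this thread. It assumes the kernel config is available as /boot/config-$(uname -r) or /proc/config.gz, that the l7-filter kernel option is named CONFIG_IP_NF_MATCH_LAYER7 (the name used by the 2.6 patch), and that the iptables 1.3.x extension installs as libipt_layer7.so under /lib/iptables (newer iptables uses libxt_layer7.so); adjust the paths if your packages differ.

```shell
#!/bin/bash
# Added example (not from the original thread): check an installed kernel and
# iptables for layer7 support without rebuilding.
# Assumptions, not confirmed by the thread: kernel config at /boot/config-$(uname -r)
# or /proc/config.gz (CONFIG_IKCONFIG_PROC), option name CONFIG_IP_NF_MATCH_LAYER7,
# userspace plugin libipt_layer7.so (iptables 1.3.x) or libxt_layer7.so (1.4+).

set -u

# kernel_has_layer7 CONFIGFILE -> exit 0 if the match is built in (=y) or a module (=m).
# Accepts a plain config file or a gzip'd one such as /proc/config.gz.
kernel_has_layer7() {
    cfg=$1
    case "$cfg" in
        *.gz) zcat "$cfg" ;;
        *)    cat "$cfg" ;;
    esac | grep -q '^CONFIG_IP_NF_MATCH_LAYER7=[ym]'
}

# iptables_has_layer7 LIBDIR -> exit 0 if the userspace match plugin is installed.
iptables_has_layer7() {
    libdir=$1
    [ -f "$libdir/libipt_layer7.so" ] || [ -f "$libdir/libxt_layer7.so" ]
}

# Locate the running kernel's config in whichever form this host provides.
find_kernel_config() {
    if [ -r "/boot/config-$(uname -r)" ]; then
        echo "/boot/config-$(uname -r)"
    elif [ -r /proc/config.gz ]; then
        echo /proc/config.gz
    else
        return 1
    fi
}

report() {
    cfg=$(find_kernel_config) || {
        echo "no kernel config found (no /boot/config-* and no /proc/config.gz)"
        return 2
    }
    if kernel_has_layer7 "$cfg"; then
        echo "kernel: layer7 match present ($cfg)"
    else
        echo "kernel: CONFIG_IP_NF_MATCH_LAYER7 not set ($cfg)"
    fi
    if iptables_has_layer7 /lib/iptables; then
        echo "iptables: layer7 extension found in /lib/iptables"
    else
        echo "iptables: layer7 extension missing from /lib/iptables"
    fi
    # Package-level evidence when the files came from RPMs.
    case "$cfg" in
        /boot/*) rpm -qf "$cfg" 2>/dev/null ;;
    esac
    rpm -q --changelog iptables 2>/dev/null | grep -i layer7 || true
}

if [ "${1:-}" = "run" ]; then
    report
fi
```

Run it as `./l7-check.sh run`. A kernel that was patched for l7-filter shows CONFIG_IP_NF_MATCH_LAYER7=y or =m; a stock distribution kernel of that era will not, which is the case where only a rebuild (or a third-party RPM) helps.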
 
Old 08-02-2005, 08:31 AM   #2
ddaas
Member
 
Registered: Oct 2004
Location: Romania
Distribution: Ubuntu server, FreeBsd
Posts: 453

Original Poster
Rep: Reputation: 30
I've compiled my kernel (2.6.12.3) and iptables (1.3.3) and now the -m layer7 option of iptables works (I don't get any error when I run the iptables command with -m layer7).
The problem is that no packet is matched. For example iptables -A INPUT -p tcp -m layer7 --l7proto http -j ACCEPT doesn't match http packets. The same for dns and ssh.
So, what am I doing wrong? Is this extension for iptables really working??
I've tried on 2 systems (FC3 and Slack 10.1).

Here is my iptables test script:
#!/bin/bash
iptables -F


iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -j ACCEPT

iptables -A INPUT -i eth0 -p tcp -m layer7 --l7dir /home/dda/l7dir --l7proto http -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m layer7 --l7dir /home/dda/l7dir --l7proto http -j ACCEPT


iptables -A INPUT -i eth0 -p udp -m layer7 --l7dir /home/dda/l7dir --l7proto dns -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp -m layer7 --l7dir /home/dda/l7dir --l7proto dns -j ACCEPT

iptables -P INPUT DROP
iptables -P OUTPUT DROP

And now iptables -vnL after generating some HTTP and DNS traffic:


Chain INPUT (policy DROP 56 packets, 8892 bytes)
pkts bytes target prot opt in out source destination
3340 134K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
129 9208 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto http
0 0 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto dns

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
3340 134K ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
90 12254 ACCEPT tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:22
0 0 ACCEPT tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto http
0 0 ACCEPT udp -- * eth0 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto dns
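The zero counters on the LAYER7 rules above have a mechanical explanation that is worth spelling out, since the same ruleset shape trips up most first attempts. The layer7 match classifies a connection by inspecting the application payload of its first few packets; a TCP SYN, SYN/ACK and the final ACK of the handshake carry no payload, so no --l7proto rule can ever match them. With the chain policy set to DROP and no connection-tracking rule ahead of the layer7 rules, those handshake packets are discarded, the connection never gets established, and the classifier never sees an HTTP request to match. The script below is an added example, not code from the thread, showing the shape that works: connection tracking admits the conversation in the filter table, and layer7 is used in the mangle table to set fwmarks for QoS (what the opening post said it was for). It assumes the l7-filter kernel patch and iptables extension are installed, that the pattern files are in /etc/l7-protocols (the l7-protocols package default; change L7DIR otherwise), that the interface is eth0, and the marks 10/20/30 are arbitrary.

```shell
#!/bin/bash
# Added example (not from the original post): a layer7 test ruleset that lets the
# classifier actually see payload.
# Assumptions: l7-filter kernel patch + iptables layer7 extension installed;
# patterns in /etc/l7-protocols; interface eth0; fwmark values are arbitrary.
#
# Why the poster's script matched nothing: -m layer7 classifies a *connection* from
# the payload of its first packets. Handshake packets carry no payload, so they
# cannot match any --l7proto rule, and a DROP policy discards them before any data
# flows. Let conntrack admit the conversation, then classify with layer7.

set -u

IPT=${IPT:-iptables}               # IPT=echo prints the rules instead of applying them
L7DIR=${L7DIR:-/etc/l7-protocols}
IFACE=${IFACE:-eth0}

# One fwmark per protocol, for tc or later filter rules to key on: "<l7proto>:<mark>".
L7_CLASSES="http:10 dns:20 ssh:30"

apply_rules() {
    # ---- filter table: admit traffic so the classifier has something to inspect ----
    "$IPT" -F
    "$IPT" -t mangle -F

    "$IPT" -A INPUT  -i lo -j ACCEPT
    "$IPT" -A OUTPUT -o lo -j ACCEPT

    # Management access must never depend on layer7 classification.
    "$IPT" -A INPUT  -i "$IFACE" -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
    "$IPT" -A OUTPUT -o "$IFACE" -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

    # Without these, every new connection dies in the handshake and the layer7
    # counters stay at zero exactly as in the poster's -vnL output.
    "$IPT" -A INPUT  -i "$IFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A OUTPUT -o "$IFACE" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

    "$IPT" -P INPUT   DROP
    "$IPT" -P OUTPUT  DROP
    "$IPT" -P FORWARD DROP

    # ---- mangle table: classify, do not filter ----
    for spec in $L7_CLASSES; do
        proto=${spec%%:*}
        mark=${spec##*:}
        for chain in INPUT OUTPUT; do
            "$IPT" -t mangle -A "$chain" -m layer7 --l7dir "$L7DIR" --l7proto "$proto" \
                -j MARK --set-mark "$mark"
        done
    done
}

# The counters that should move once traffic flows live in the mangle table now.
show_counters() {
    "$IPT" -t mangle -vnL
}

if [ "${1:-}" = "apply" ]; then
    apply_rules
    show_counters
fi
```

Run `IPT=echo ./l7-qos.sh apply` first to see the rules without touching the firewall, then `sudo ./l7-qos.sh apply`, generate some HTTP and DNS traffic, and check `iptables -t mangle -vnL`: the LAYER7 lines should now show non-zero packet counts a few packets into each connection. Two caveats a practitioner should keep in mind: layer7 is a regex heuristic over the first packets of a flow, so treat its verdict as a QoS hint rather than a security boundary, and because it only classifies after payload has been seen, an ACCEPT rule keyed on it can never be the thing that lets a connection start.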