LinuxQuestions.org
Linux - Kernel This forum is for all discussion relating to the Linux kernel.
Old 07-22-2007, 03:06 AM   #1
Peter_APIIT
Member
 
Registered: Dec 2006
Posts: 606

Rep: Reputation: 31
Kernel Compilation and Iptables Issues


Hello all expert Linux administrators, I am a beginner Linux user. I am using Fedora 7. My kernel version is 2.6.22.1-27.fc7.

I wonder whether my iptables is secure enough or not.

Therefore, I would like to add additional modules for iptables where I can check the ACK, SYN, RST TCP flags.


These are the files under directory /proc/sys/net/netfilter/nf_conntrack_

nf_conntrack_buckets
nf_conntrack_checksum
nf_conntrack_count
nf_conntrack_generic_timeout
nf_conntrack_icmp_timeout
nf_conntrack_log_invalid
nf_conntrack_max
nf_conntrack_tcp_be_liberal
nf_conntrack_tcp_loose
nf_conntrack_tcp_max_retrans
nf_conntrack_tcp_timeout_close
nf_conntrack_tcp_timeout_close_wait
nf_conntrack_tcp_timeout_established
nf_conntrack_tcp_timeout_fin_wait
nf_conntrack_tcp_timeout_last_ack
nf_conntrack_tcp_timeout_max_retrans
nf_conntrack_tcp_timeout_syn_recv
nf_conntrack_tcp_timeout_syn_sent
nf_conntrack_tcp_timeout_time_wait
nf_conntrack_udp_timeout
nf_conntrack_udp_timeout_stream


I wonder if any modules are missing.

I have downloaded some files from netfilter such as below.

libnfnetlink-0.0.25.tar.bz2
libnfnetlink_queue-0.0.10.tar.bz2
ipset-2.2.8-20051203.tar.bz2.
patch-o-matic-20031219.tar.bz2

I wonder how to install those files.

Below is my understanding of compiling the kernel.

Quote:
1. make xconfig
2. make dep
Builds the tree of interdependencies in the kernel sources
3. make clean
Clean any unwanted files
4. make bzImage
Compress kernel
5. make modules
6. cp /usr/Linux/src/arch/i386/boot/bzImage /boot/ newkernel
7. make modules_install
I don't understand step 6 and 7.

How do I edit the GRUB bootloader so it is ready to boot the new kernel?

Does unchecking any unnecessary features of the kernel improve performance?

Thanks for your help.

Your help is greatly appreciated by me and others.
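The TCP flag checks the original poster asks about need no extra modules: the stock tcp match has `--tcp-flags`, and the ipt_state/ipt_LOG modules listed in post #2 cover the rest. The script below is an added example, not code from the thread or from the netfilter project; it prints a rule set in iptables 1.3-era syntax that logs and drops packets whose flag combinations cannot occur in a legitimate TCP exchange (no flags, all flags, SYN+FIN, FIN without ACK, and non-SYN packets that conntrack has not seen before). The chain name TCP_SANITY, the log prefixes and the `IPTABLES` variable are assumptions of this example; rules are printed for review and only applied when the script is invoked with `apply`.

```shell
#!/bin/sh
# Added example (not from the thread): defensive TCP flag sanity checks
# in iptables v1.3.x syntax. Assumes the filter table, the ipt_state and
# ipt_LOG modules, and a binary named by $IPTABLES (all assumptions).

IPTABLES=${IPTABLES:-iptables}   # assumption: iptables is on PATH

# Print the rules, one per line, instead of applying them, so they can
# be reviewed before they touch a live firewall. --tcp-flags MASK COMP
# inspects the flags in MASK and matches when exactly COMP are set.
tcp_sanity_rules() {
    cat <<'EOF'
-N TCP_SANITY
-A TCP_SANITY -p tcp --tcp-flags ALL NONE -j LOG --log-prefix TCP-NULL:
-A TCP_SANITY -p tcp --tcp-flags ALL NONE -j DROP
-A TCP_SANITY -p tcp --tcp-flags ALL ALL -j DROP
-A TCP_SANITY -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
-A TCP_SANITY -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A TCP_SANITY -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
-A TCP_SANITY -p tcp --tcp-flags ACK,FIN FIN -j DROP
-A TCP_SANITY -p tcp --tcp-flags ACK,URG URG -j DROP
-A TCP_SANITY -p tcp ! --syn -m state --state NEW -j DROP
-A TCP_SANITY -j RETURN
-I INPUT 1 -p tcp -j TCP_SANITY
EOF
}

# Number of -A rules in the chain; handy for a quick sanity check after
# applying (compare with "iptables -L TCP_SANITY -n | grep -c ...").
count_rules() {
    tcp_sanity_rules | grep -c '^-A'
}

# Feed each printed line to iptables. The lines contain no quotes or
# globs, so plain word splitting is safe here.
apply_rules() {
    tcp_sanity_rules | while read -r line; do
        # shellcheck disable=SC2086
        $IPTABLES $line || return 1
    done
}

case "$1" in
    apply) apply_rules ;;
    *)     tcp_sanity_rules ;;
esac
```

Run it with no argument to see the rules; `sh script.sh apply` installs them as root. The `! --syn -m state --state NEW` rule is the one that actually uses conntrack: a packet that is not a SYN yet belongs to no known connection is dropped rather than being allowed to open a half-state, which is what the `nf_conntrack_tcp_loose` sysctl in the first post would otherwise permit.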
 
Old 07-22-2007, 03:17 AM   #2
Peter_APIIT
Member
 
Registered: Dec 2006
Posts: 606

Original Poster
Rep: Reputation: 31
ipt_limit
ipt_REJECT
ipt_multiport
ipt_MASQUERADE
ipt_REDIRECT
ipt_state
ipt_LOG
iptable_drop
iptable_filter
iptable_nat
ip_conntrack
ip_nat_ftp
ip_tables
ip_conntrack_ftp

I don't know if I have these.
 
Old 07-23-2007, 03:26 AM   #3
jayjwa
Member
 
Registered: Jul 2003
Location: NY
Distribution: Slackware, Termux
Posts: 786

Rep: Reputation: 250Reputation: 250Reputation: 250
Quote:
Originally Posted by Peter_APIIT
These are the files under directory /proc/sys/net/netfilter/nf_conntrack_

nf_conntrack_buckets
nf_conntrack_checksum
nf_conntrack_count
nf_conntrack_generic_timeout
nf_conntrack_icmp_timeout
nf_conntrack_log_invalid
nf_conntrack_max
nf_conntrack_tcp_be_liberal
nf_conntrack_tcp_loose
nf_conntrack_tcp_max_retrans
nf_conntrack_tcp_timeout_close
nf_conntrack_tcp_timeout_close_wait
nf_conntrack_tcp_timeout_established
nf_conntrack_tcp_timeout_fin_wait
nf_conntrack_tcp_timeout_last_ack
nf_conntrack_tcp_timeout_max_retrans
nf_conntrack_tcp_timeout_syn_recv
nf_conntrack_tcp_timeout_syn_sent
nf_conntrack_tcp_timeout_time_wait
nf_conntrack_udp_timeout
nf_conntrack_udp_timeout_stream
These are mostly conntrack related files that let you see what's up with conntrack. To do much with conntrack, you need conntrack tools and all the conntrack/netlink stuff turned on in the kernel.

Code:
conntrack
Tool to manipulate conntrack and expectations. Version 1.00beta2
Usage: conntrack [commands] [options]

Commands:
  -L [table] [options]          List conntrack or expectation table
  -G [table] parameters         Get conntrack or expectation
  -D [table] parameters         Delete conntrack or expectation
  -I [table] parameters         Create a conntrack or expectation
  -U [table] parameters         Update a conntrack
  -E [table] [options]          Show events
  -F [table]                    Flush table

Tables: conntrack, expect

Conntrack parameters and options:
  -a, --nat-range min_ip[-max_ip]       NAT ip range
  -m, --mark mark                       Set mark
  -e, --event-mask eventmask            Event mask, eg. NEW,DESTROY
  -z, --zero                            Zero counters while listing

Expectation parameters and options:
  --tuple-src ip        Source address in expect tuple
  --tuple-dst ip        Destination address in expect tuple
  --mask-src ip         Source mask address
  --mask-dst ip         Destination mask address

Common parameters and options:
  -s, --orig-src ip             Source address from original direction
  -d, --orig-dst ip             Destination address from original direction
  -r, --reply-src ip            Source addres from reply direction
  -q, --reply-dst ip            Destination address from reply direction
  -p, --protonum proto          Layer 4 Protocol, eg. 'tcp'
  -f, --family proto            Layer 3 Protocol, eg. 'ipv6'
  -t, --timeout timeout         Set timeout
  -u, --status status           Set status, eg. ASSURED
  -i, --id [id]                 Show or set conntrack ID

Quote:
I wonder any missing modules.
Probably not. Fedora installs everything including the kitchen sink, as far as I can tell.

Quote:
I have downloaded some files from netfilter such as below.

libnfnetlink-0.0.25.tar.bz2
libnfnetlink_queue-0.0.10.tar.bz2
ipset-2.2.8-20051203.tar.bz2.
patch-o-matic-20031219.tar.bz2

I wonder how to install those files.
These are source tar archives of add-ons to the netfilter system in the kernel. Part of netfilter is in the kernel. There is a lot more of it that isn't in the main kernel tree. Mostly it is extra stuff for people that need to do special stuff with packet filtering, or want a more efficient way of doing it. If you're using a distribution of Linux, I'd suggest to stick with what they provide, as mixing packages with self-built sources can get ugly. For example, many times there will be patches and changes made to one of the things the source depends on, that will cause the source to fail.

The first two are libraries used by conntrack tools, the third, ipset is the user-land tools part of the kernel match, ipset. patch-o-matic is what adds all the different add-ons to the kernel sources. You must always use the ones that go with your kernel: brand new kernel means using snapshots. It has the date in the file name, yours above suggests Dec. 19 2003 for patch-o-matic, much, much too old for any 2.6 kernel.

Before you start with patch-o-matic, I must warn that almost every time the kernel maintainers change something in the kernel involving networking, it breaks patch-o-matic. This is the case now with 2.6.22.1 and patch-o-matic-ng-20070722.tar.bz2. The changes to the 'sk_buff' structure they did broke almost all of the working patches left (I watched ipv4stripopts and Tarpit error out, and that was enough for me. I am not giving up my tarpit!) This means, at best, you'd need to re-write your firewalls to not use anything you had depended on that no longer works. Patch-o-matic used to be quite good, with geoip, string, osf, psd, and lots I forgot. Slowly they have all been broken and never fixed again, really a shame.

Quote:

Below is my understanding of compile kernel.

I don't understand step 6 and 7.
This is basically what I do...
  1. Unpack sources to /usr/src/linux-(version), symlink that to /usr/src/linux
  2. Jump in, 'make mrproper' (not really needed if you've not touched anything inside). Make sure 'asm' is linked to '(arch)-asm' in /usr/src/linux/include/
  3. Apply any patches: patch-o-matic, your own, whatever
  4. make {menu|g|old}config
  5. make; make modules_install (while that builds, I rebuild iptables and ipset)
  6. cp -f .config /boot/config; cp -f System.map /boot; cp -f arch/i386/boot/bzImage /boot ; cp -f vmlinux /boot (for kernel symbols)
  7. find /lib/modules -name \*.ko -exec gzip -f9 '{}' ';'
  8. depmod -e -F /boot/System.map (kernel version)
  9. emacs /etc/lilo.conf /etc/modprobe.conf /etc/rc.d/rc.modules; lilo (For Lilo-based setup, other boot loaders are likely similar; also you might have another file than rc.modules to load mods at boot time)
  10. Reboot & cross your fingers

Quote:
How to edit the grub bootloader and ready to boot new kernel?
Got me there...I use Lilo

Quote:
Do unchecked any unnecessary features of kernel improve performance ?
Indeed. A full kernel, even with some fancy extras, weighs in at about 1.2mb as of 2.6.21.5
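Steps 6 to 8 of the list above (copying the image, System.map and .config into /boot, then pointing the boot loader at them) are the part the original poster said he did not understand, and the GRUB question went unanswered because the replier uses LILO. The script below is an added example, not code from the thread; it does the copy under versioned file names so the distribution kernel stays bootable, and prints a GRUB legacy stanza of the kind Fedora 7's /boot/grub/grub.conf uses. The i386 build tree layout, the `(hd0,0)` GRUB root, the root device argument and the absence of an initrd are assumptions; `make modules_install`, `depmod` and `mkinitrd` are left to the reader because they need the real build tree and root privileges.

```shell
#!/bin/sh
# Added example (not from the thread): install a freshly built kernel
# under a versioned name and print a GRUB legacy menu entry for it.
# Assumptions: i386 build tree, /boot on (hd0,0), no initrd generated.

# install_kernel SRC BOOT VERSION
# Copies the image, symbol map and config from build tree SRC into BOOT
# as vmlinuz-VERSION, System.map-VERSION and config-VERSION. Versioned
# names mean the old kernel is never overwritten and remains a fallback.
# Returns non-zero (and copies nothing) if the image has not been built.
install_kernel() {
    src=$1; boot=$2; ver=$3
    img="$src/arch/i386/boot/bzImage"
    if [ ! -f "$img" ]; then
        echo "no bzImage in $src; run make first" >&2
        return 1
    fi
    cp -f "$img"            "$boot/vmlinuz-$ver"    || return 1
    cp -f "$src/System.map" "$boot/System.map-$ver" || return 1
    cp -f "$src/.config"    "$boot/config-$ver"     || return 1
    # Not run here (needs the build tree and root):
    #   make modules_install          -> /lib/modules/$ver   (step 7)
    #   depmod -e -F "$boot/System.map-$ver" "$ver"          (step 8)
    #   mkinitrd "$boot/initrd-$ver.img" "$ver"  if the root filesystem
    #   driver is a module rather than built in (Fedora tool, assumption)
    return 0
}

# grub_stanza VERSION ROOTDEV
# Prints a GRUB legacy entry. Append it to /boot/grub/grub.conf and keep
# the existing entry, so a kernel that fails to boot can be backed out
# from the menu. Paths are relative to the (hd0,0) partition: if /boot is
# not a separate partition, use /boot/vmlinuz-VERSION instead.
grub_stanza() {
    ver=$1; rootdev=$2
    printf 'title Linux %s (custom)\n' "$ver"
    printf '\troot (hd0,0)\n'
    printf '\tkernel /vmlinuz-%s ro root=%s\n' "$ver" "$rootdev"
}

# Usage (as root, from the top of the build tree):
#   install_kernel . /boot 2.6.22.1-custom && \
#       grub_stanza 2.6.22.1-custom /dev/sda2 >> /boot/grub/grub.conf
```

The GRUB `default=` line in grub.conf selects the entry to boot by position, so leaving it pointing at the distribution kernel and choosing the new entry by hand on the first boot gives the "cross your fingers" step a safe way back.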
 
Old 07-24-2007, 02:39 AM   #4
Peter_APIIT
Member
 
Registered: Dec 2006
Posts: 606

Original Poster
Rep: Reputation: 31
I typed conntrack -L filter but bash returned no such command.

I also installed geoip but don't know how to use it.

iptables -m geoip. iptables v1.3.7: Couldn't load match `geoip':/lib/iptables/libipt_geoip.so: cannot open shared object file: No such file or directory

I very much appreciate your help.

A billion thanks for your help.

Last edited by Peter_APIIT; 07-24-2007 at 02:41 AM.
 
Old 07-25-2007, 09:17 PM   #5
jayjwa
Member
 
Registered: Jul 2003
Location: NY
Distribution: Slackware, Termux
Posts: 786

Rep: Reputation: 250Reputation: 250Reputation: 250
Quote:
Originally Posted by Peter_APIIT
I typed conntrack -L filter but bash returned no such command.
Likely you don't have /usr/sbin/conntrack installed. "filter" isn't a valid table for it, only "conntrack" or "expect".


Quote:
iptables -m geoip. iptables v1.3.7: Couldn't load match `geoip':/lib/iptables/libipt_geoip.so: cannot open shared object file: No such file or directory
Hmmm... doesn't look like it is installed, at least the user-land part of it. Remember, iptables needs to be built after the kernel is configured: it looks at what is enabled then makes the user-land shared objects to match. Geoip is two-part, one part is the kernel patch, the other part is the iptables shared library, libipt_geoip.so. There's also two files geoipdb.bin, and geoipdb.idx that you need.

Geoip won't work with any recent kernels, so there's little to be gained from installing it. I've seen some patches to geoip out of patch-o-matic (patch the patches?) that claim it will work with 2.6.20 or thereabouts, but I've not actually got it working in a long, long time. Better to stick with iprange, and work with addresses a range at a time instead of a country. From what I'm guessing, the maintainer gave up on it (like so many of the patch-o-matic add-ons).
 
Old 07-26-2007, 10:05 PM   #6
Peter_APIIT
Member
 
Registered: Dec 2006
Posts: 606

Original Poster
Rep: Reputation: 31
Thanks for your explanation. Your explanation is so detailed and yet useful.

A billion thanks for your help.
 
Old 08-02-2007, 03:46 AM   #7
Peter_APIIT
Member
 
Registered: Dec 2006
Posts: 606

Original Poster
Rep: Reputation: 31
How do I edit the GRUB bootloader so it is ready to boot the new kernel?
 
All times are GMT -5.