LinuxQuestions.org

Thread: About iptables with u32 module (https://www.linuxquestions.org/questions/linux-software-2/about-iptables-with-u32-module-736452/)

skiron.liu 06-29-2009 12:33 PM

About iptables with u32 module
 
I have installed iptables v1.4.4 from source, but I can't use the u32 match.
Below is my environment:
CentOS 5.2, kernel 2.6.18-92
iptables v1.4.4 installed in /opt/iptables-1.4.4
(I have linked /opt/iptables-1.4.4/sbin/iptables to /sbin/iptables.)
When I type:
[root@localhost]# iptables -t mangle -I PREROUTING -p udp ! -f -m u32 --u32 "0>>22&0x3c@8>>24&0xff=0x02" -j DROP
iptables: No chain/target/match by that name.
The above command works in Ubuntu 8.1 without any problem. (It matches the QQ program's UDP packets.)

(PS: Sorry for my poor English, because English is not my mother tongue. I hope everyone can understand my meaning.)

chrism01 06-29-2009 08:44 PM

Probably the easiest option is

man iptables

to see if that option exists.

david1941 06-29-2009 09:12 PM

I have found http://iptables-tutorial.frozentux.n...-tutorial.html to be helpful, but I still have problems decoding the u32 match codes. I have a rule that looks like this:
Code:

$ /sbin/iptables -A INPUT -j DROP -p udp --dport domain -m u32 \
    --u32 "0>>22&0x3C@12>>16=1&&0>>22&0x3C@20>>24=0&&0>>22&0x3C@21=0x00020001" \
    -m comment --comment "DDoS reflector"

and it works. Your rule appears similar. The target in your rule is DROP and it should be OK.

I'll leave it to you to look through the tutorial, though.
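Both rules in this thread (skiron.liu's QQ rule and david1941's "DDoS reflector" rule) are built on the same idiom: `0>>22&0x3C` extracts the IPv4 header length from the first 32 bits of the packet, and `@` makes that the base for every later offset, so the tests that follow are relative to the UDP header whatever the IHL is. The following is an added example, not code from the thread or from the iptables project: a small Python re-implementation of the xt_u32 evaluation loop, following the operator semantics of the iptables u32 extension (`&`, `<<`, `>>`, `@`, `&&`, value ranges with `:` and `,`, and the rule that a read past the end of the packet fails the whole match), run against IPv4/UDP packets that are constructed inline for the demo. The packet builder `ipv4_udp`, the sample DNS payloads, the addresses and ports, and the names `parse_u32`, `u32_match` and `demo` are all this example's own.

```python
import re
import struct

# Location tokens: numbers as strtoul(s, NULL, 0) reads them (decimal or 0x hex;
# leading-zero octal is not handled here) and the operators & << >> @.
_LOC = re.compile(r"\s*(0x[0-9a-fA-F]+|\d+|<<|>>|&|@)")


def _location(text):
    """Parse 'number (op number)*' into (start_offset, [(op, number), ...])."""
    toks, pos = [], 0
    while pos < len(text) and not text[pos:].isspace():
        m = _LOC.match(text, pos)
        if not m:
            raise ValueError("bad location syntax near %r" % text[pos:])
        toks.append(m.group(1))
        pos = m.end()
    if len(toks) % 2 == 0 or any(t not in ("&", "<<", ">>", "@")
                                 for t in toks[1::2]):
        raise ValueError("location must be number (op number)*: %r" % text)
    return int(toks[0], 0), [(toks[i], int(toks[i + 1], 0))
                             for i in range(1, len(toks), 2)]


def parse_u32(expr):
    """Return [(start_offset, [(op, number), ...], [(lo, hi), ...]), ...]."""
    tests = []
    for test in expr.split("&&"):
        loc, _, values = test.partition("=")
        if not values.strip():
            raise ValueError("missing '=' or value in %r" % test)
        start, ops = _location(loc)
        ranges = []
        for rng in values.split(","):        # value := range ("," range)*
            lo, _, hi = rng.partition(":")   # range := n | n ":" n
            ranges.append((int(lo, 0), int(hi or lo, 0)))
        tests.append((start, ops, ranges))
    return tests


def u32_match(pkt, expr):
    """xt_u32 semantics: all tests must match; a read past the end fails."""
    for start, ops, ranges in parse_u32(expr):
        at, pos = 0, start              # 'at' is the base accumulated by '@'
        if len(pkt) < 4 or pos > len(pkt) - 4:
            return False
        val = struct.unpack_from("!I", pkt, pos)[0]
        for op, number in ops:
            if op == "&":
                val &= number
            elif op == "<<":
                val = (val << number) & 0xFFFFFFFF      # 32-bit register
            elif op == ">>":
                val >>= number
            else:                       # '@': base += value, re-read 4 bytes
                at += val
                pos = number
                if len(pkt) < at + 4 or pos > len(pkt) - at - 4:
                    return False
                val = struct.unpack_from("!I", pkt, at + pos)[0]
        if not any(lo <= val <= hi for lo, hi in ranges):
            return False
    return True


def ipv4_udp(payload, options=b""):
    """Constructed IPv4/UDP packet for the demo (checksums left at zero)."""
    ihl = 5 + len(options) // 4         # options must be padded to 4-byte words
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0,
                     ihl * 4 + 8 + len(payload), 0, 0, 64, 17, 0,
                     b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(payload), 0)
    return ip + options + udp + payload


# The two rules from the thread. '0>>22&0x3C' turns the version/IHL byte into
# the IPv4 header length in bytes and '@' makes that the base, so the offsets
# after it count from the UDP header (the UDP payload starts at +8).
QQ_RULE = "0>>22&0x3c@8>>24&0xff=0x02"
NS_ROOT_RULE = ("0>>22&0x3C@12>>16=1&&0>>22&0x3C@20>>24=0"
                "&&0>>22&0x3C@21=0x00020001")

# Constructed DNS payloads (QDCOUNT=1, RD set): NS for the root "." / A example.com.
_DNS_HDR = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
DNS_NS_ROOT = _DNS_HDR + b"\x00" + struct.pack("!HH", 2, 1)
DNS_A_EXAMPLE = _DNS_HDR + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)


def demo():
    """Which constructed packets each rule would DROP (True) or let pass."""
    return {
        "qq_rule_on_0x02_payload": u32_match(ipv4_udp(b"\x02\x00\x00\x00abcd"), QQ_RULE),
        "qq_rule_on_dns_query": u32_match(ipv4_udp(DNS_NS_ROOT), QQ_RULE),
        "ns_rule_on_ns_root": u32_match(ipv4_udp(DNS_NS_ROOT), NS_ROOT_RULE),
        "ns_rule_with_ip_options": u32_match(ipv4_udp(DNS_NS_ROOT, b"\x01" * 4), NS_ROOT_RULE),
        "ns_rule_on_a_example_com": u32_match(ipv4_udp(DNS_A_EXAMPLE), NS_ROOT_RULE),
        "qq_rule_on_1_byte_payload": u32_match(ipv4_udp(b"\x02"), QQ_RULE),
    }
```

Running `demo()` shows what the two rules actually test: the QQ rule drops any UDP datagram whose first payload byte is 0x02, and the reflector rule drops a DNS query with QDCOUNT=1 whose question is a zero-length first label (the root zone, "."), QTYPE 2 (NS) and QCLASS 1 (IN), i.e. the classic "NS ." amplification probe; the version with four NOP options confirms that the `0>>22&0x3C@` prefix keeps both rules correct when the IP header is longer than 20 bytes. Two caveats a practitioner should keep in mind: u32 always reads four bytes, so a datagram with fewer than four payload bytes never matches the QQ rule (the kernel fails the whole match rather than padding), and `-p udp ! -f` in skiron.liu's rule matters because only the first fragment carries the UDP header the offsets assume. None of this runs unless the kernel has the xt_u32 module, which the stock CentOS 5 2.6.18 kernel does not ship (it entered mainline in 2.6.19), hence the "No chain/target/match by that name" error even though the userspace iptables binary knows the match.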

skiron.liu 06-30-2009 11:06 AM

Quote:

Originally Posted by chrism01 (Post 3590841)
Probably the easiest option is

man iptables

to see if that option exists.

Now I know where the problem is. The problem is the "-m" option of "iptables". When I enter "iptables -A INPUT -m u32", it shows "iptables: No chain/target/match by that name." How do I fix it? The modules are all in the "/opt/iptables-1.4.4/libexec/xtables" directory.
Does the kernel not support 1.4.4?

david1941 06-30-2009 05:23 PM

What do you get with "iptables -m u32 -h"? I'm on iptables v1.4.1.1 with the 2.6.27.25-78.2.56.fc9.x86_64 kernel on Fedora 9, and the modules are in the kernel sources (/lib/modules/2.6.27.25-78.2.56.fc9.x86_64/kernel/net/netfilter).

skiron.liu 06-30-2009 09:42 PM

It shows me help information. The last few lines are:
u32 match options:
[!] --u32 tests
tests := location "=" value | test "&&" location "=" value
...
...
... and so on

It looks like the module has loaded successfully!

If I enter "iptables -m u3a -h"
it shows me "Couldn't load match 'u3a'" and so on.
Do I need to patch the netfilter module into the kernel?
Because I see /lib/modules/$(uname -r)/kernel/net/netfilter/xt_u32.ko in Ubuntu 8.1 but not in CentOS 5.2.

david1941 07-02-2009 08:48 AM

Here's an interesting thread about Centos 5. Although it is about a different module, it is a start.
http://www.linuxquestions.org/questi...ptable-737116/

skiron.liu 07-03-2009 10:38 AM

Quote:

Originally Posted by david1941 (Post 3594299)
Here's an interesting thread about Centos 5. Although it is about a different module, it is a start.
http://www.linuxquestions.org/questi...ptable-737116/

You are a good man~ thanks~

The problem was the kernel version. I updated the kernel and that solved the problem.

