MEPIS This forum is for the discussion of MEPIS Linux. |
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
#1  09-30-2006, 07:46 PM
Member | Registered: Jan 2006 | Location: Killarney, QLD Australia | Distribution: Mepis 3.4-3; Puppy 2.12; WinXP Pro (rarely) | Posts: 54
MEPIS 3.4-3 - Patching kernel - do I need to re-compile?
Hi group,
Am running MEPIS 3.4-3, with kernel 2.6.15-1-586tsc and various extra packages installed - WORKS VERY WELL - JUST AS I WANT IT!!!
However I'd like to improve the firewall (iptables) side as the current kernel does not have the 'ipt_owner' for iptables configured - neither built-in nor as a module. Checked the kernel config file /boot/config-2.6.15-1-586tsc for what's enabled or not and 'ipt_owner' is not mentioned at all - so assume not configured!! If any of you out there are running MEPIS 3.4-3 and have 'uid-owner' or 'gid-owner' options applied in your iptables file, please advise as to how you got it to install and work!
Question 1: if I patch the kernel to include the 'ipt_owner' module - do I have to re-compile the kernel?
Question 2: if so - how do I re-compile - any guides available?
Question 3: anybody advise as to where I can get the relevant patches for 'ipt_owner' module from please?
TYIA
Oz-Rod
#2  09-30-2006, 10:09 PM
Member (Original Poster) | Registered: Jan 2006 | Location: Killarney, QLD Australia | Distribution: Mepis 3.4-3; Puppy 2.12; WinXP Pro (rarely) | Posts: 54
RE: MEPIS 3.4-3 - Patching kernel - do I need to re-compile?
Hi all,
I'm not certain - but I may have found my answer to the above post!!
I rechecked the /boot/config-2.6.15-1-586tsc file for my running kernel and find that maybe the 'ipt-owner' options are enabled it seems:
<snip>:
>IP: Netfilter Configuration
>
>...............
>...............
>CONFIG_IP_NF_MATCH_OWNER=m
>...............
>...............
<end snip>
Also checked for possible modules and found:
/lib/modules/2.6.15-1-586tsc/kernel/net/ipv4/netfilter/ipt_owner.ko
and
/lib/iptables/libipt_owner.so
QUES: This looks like the kernel 'ipt-owner' option is enabled - is this correct?
QUES: If I include the following in my iptables firewall script in /etc/rc.firewall - what code do I add to it to allow me to log (confirm) that the script snippet works?

# Allow packets by UID
Listuid="$(gawk -F: '{print $3}' /etc/passwd)"
for Xuid in $Listuid; do
iptables -t filter -A chk-own -o ppp0 -m owner --uid-owner $Xuid -j RETURN
done
iptables -t filter -A chk-own -m limit --limit 10/s -j logdrop5

and for 'logdrop5':

iptables -N logdrop5
iptables -A logdrop5 -j LOG --log-prefix "ILLEGAL packet owner: "
iptables -A logdrop5 -j DROP
NOTE:- the "logdrop5" section logs and drops the packet ONLY if it is illegal - not if it is ok. I also want to log if it IS OK (to confirm that the 'match' option is working).
Any help would be appreciated.
Oz-Rod
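The "log it when it IS OK" part that this post asks for, written out as an added example (this is not code from the thread or from MEPIS). It keeps the post's chain names chk-own and logdrop5 and the ppp0 interface, reads UIDs the same way (with a space after -F:, which the original snippet lacks, so the awk program text is actually passed), and adds a LOG rule in front of each RETURN rule; LOG is a non-terminating target, so the packet is logged and then still returns to OUTPUT as before. The ipt() wrapper and the sample passwd text are assumptions for the example: with DRY_RUN=1 (the default) it only prints the iptables command lines, so it can be reviewed without root; the ipt_owner module must already be loaded before applying it for real.

```sh
#!/bin/sh
# Added example, not from the thread. Builds the owner-match chain with a log
# line for accepted packets as well as refused ones. DRY_RUN=1 prints the
# rules instead of applying them (assumed helper, not part of iptables).

DRY_RUN="${DRY_RUN:-1}"

# Constructed sample of /etc/passwd used for the demo run (not the live file).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
rod:x:1000:1000:Rod:/home/rod:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh'

# Print the numeric UID (field 3) of every account in the passwd text in $1.
# The space after -F: matters: written as -F:'{print $3}' the shell hands awk
# a single word and the program text is lost.
uid_list() {
    printf '%s\n' "$1" | awk -F: 'NF >= 3 {print $3}'
}

# Run iptables, or just show the command line when DRY_RUN=1.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Install the chains. $1 is passwd text, $2 the outgoing interface to police.
# For each known UID: one rate-limited LOG rule (non-terminating, so the packet
# carries on to the next rule) followed by the RETURN rule from the post.
# Anything else on that interface falls through to logdrop5 (log, then DROP).
# The rate limit belongs on the LOG rules only: putting it on the jump into
# logdrop5, as in the original snippet, lets every packet beyond 10/s fall off
# the end of chk-own and be accepted instead of dropped.
owner_rules() {
    passwd_text="$1"
    iface="$2"

    ipt -N chk-own
    ipt -N logdrop5
    ipt -A logdrop5 -m limit --limit 10/s -j LOG --log-prefix "ILLEGAL packet owner: "
    ipt -A logdrop5 -j DROP

    for uid in $(uid_list "$passwd_text"); do
        ipt -t filter -A chk-own -o "$iface" -m owner --uid-owner "$uid" -m limit --limit 10/s -j LOG --log-prefix "OWNER ok uid $uid: "
        ipt -t filter -A chk-own -o "$iface" -m owner --uid-owner "$uid" -j RETURN
    done
    # Catch-all for the same interface; traffic on other interfaces is untouched.
    ipt -t filter -A chk-own -o "$iface" -j logdrop5
}

# Hook chk-own into OUTPUT, the chain where the owner match applies.
install_owner_check() {
    owner_rules "$1" "$2"
    ipt -t filter -I OUTPUT -o "$2" -j chk-own
}

# Usage: "sh owner-check.sh --demo" prints the rules for the sample passwd;
# as root with DRY_RUN=0: install_owner_check "$(cat /etc/passwd)" ppp0
if [ "${1:-}" = "--demo" ]; then
    install_owner_check "$SAMPLE_PASSWD" ppp0
fi
```

Two things to keep in mind when reading the resulting kernel log: the "OWNER ok uid N:" lines are the confirmation the post is after (they appear only if the owner match is working, since nothing else in chk-own logs), and packets that have no owning socket, such as kernel-generated TCP resets or ICMP errors, match no --uid-owner rule and so show up under "ILLEGAL packet owner:" and are dropped; that is a property of the owner match, not evidence of an intruder, so check those log lines before treating them as hostile.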
#3  09-30-2006, 11:25 PM
LQ Veteran | Registered: Aug 2003 | Location: Australia | Distribution: Lots ... | Posts: 21,251
Yes, it looks like it is enabled - as a module.
Try "lsmod | grep -i owner". If it comes back with nothing, you'll need to load it; "modprobe ipt_owner". Then re-run the first command - you should see it now.
You'll need to add it to the initscripts to ensure it's always loaded.
As for how to use it, I have no bloody idea.
As for your initial query, Warren used to have a /usr/src/KERNEL-README (??? something like that) that had info on compiling a new (source) kernel for Mepis.
Have a look for that.
#4  10-01-2006, 01:03 AM
Member (Original Poster) | Registered: Jan 2006 | Location: Killarney, QLD Australia | Distribution: Mepis 3.4-3; Puppy 2.12; WinXP Pro (rarely) | Posts: 54
RE: MEPIS 3.4-3 - Patching kernel - do I need to re-compile?
Hi syg00,
Thanks for your reply.
Tried your lsmod command - nothing as expected!! Did the modprobe, then the lsmod again - success!!!!!!
As to the initscripts - will load it within the iptables firewall script /etc/rc.firewall.
Haven't been able to find Warren's /usr/src/KERNEL-README - at least not on my machine - maybe someone can point me to where?
Any thoughts re my 2nd question in my 2nd post (i.e. Allow packets by UID...)?
Any assistance would be appreciated!!!
Oz-Rod
#5  10-01-2006, 01:32 AM
LQ Veteran | Registered: Aug 2003 | Location: Australia | Distribution: Lots ... | Posts: 21,251
Happy to help - as I said, you'll have to wait for others to answer.
What do the Queen Mary Falls look like these days - did that recent rain do you folks any good???
Might duck up and have a look this week (I'm in Brisbane).
#6  10-01-2006, 01:44 AM
Member (Original Poster) | Registered: Jan 2006 | Location: Killarney, QLD Australia | Distribution: Mepis 3.4-3; Puppy 2.12; WinXP Pro (rarely) | Posts: 54
RE: MEPIS 3.4-3 - Patching kernel - do I need to re-compile?
Hi syg00,
The falls have a little bit more water over them now - don't look too bad actually.
If you do come up - come into Killarney and drop in for a cuppa & chat - you'll find that we be friendly folk. Send me an email before you come up and I'll send one back with our address.
Oz-Rod
Just checked - my email address not listed in the forum profile!!
'craftybytes_at_dodo_dot_com_dot_au' will find me_ ..
Last edited by craftybytes; 10-01-2006 at 01:48 AM.