Configuring layer7 + iptables 1.4.3.2 on Slackware 12 Kernel 2.6.21
After some problems with this, I'll post a how-to configuration, tested and running. 😀
First, we need to download these packages:
– iptables-1.4.3.2: http://netfilter.org/projects/iptables/files/iptables-1.4.3.2.tar.bz2
– layer7 patch: http://ufpr.dl.sourceforge.net/sourceforge/l7-filter/netfilter-layer7-v2.21.tar.gz
– layer7 protocols: http://ufpr.dl.sourceforge.net/sourceforge/l7-filter/l7-protocols-2009-05-10.tar.gz
Now, extract the packages to a specific folder (I'm using /usr/src):
#tar jxvf iptables-1.4.3.2.tar.bz2 -C /usr/src/
#tar zxvf netfilter-layer7-v2.21.tar.gz -C /usr/src
#tar zxvf l7-protocols-2009-05-10.tar.gz -C /usr/src
Remove the old iptables installation
#removepkg iptables
Apply the layer7 patch:
#cd /usr/src/linux
#patch -p1 < ../netfilter-layer7-v2.21/for_older_kernels/kernel-2.6.20-2.6.21-layer7-2.16.1.patch
Now we need to compile the kernel to activate the layer7 and string match modules:
#cd /usr/src/linux
#make oldconfig (if you are asked about the layer7 modules, just hit Enter)
#make menuconfig
Check these options:
Networking -->
  Networking options -->
    Network Packet Filtering framework (Netfilter) -->
      Core Netfilter Configuration -->
        (M) layer7 match support       <- check this
        [ ] layer7 debugging output    <- don't check this
        (M) string match support       <- check this
#make
#make modules
#make modules_install
# cp /usr/src/linux/arch/i386/boot/bzImage /boot/bzImage
# cp /usr/src/linux/System.map /boot/
# cd /boot
# rm -rf vmlinuz
# ln -s bzImage vmlinuz
We'll install the new iptables version. With this version some modifications to the patch are needed, so I published the modified files at this link: http://www.easy-share.com/1905337902/libxt_layer7.rar
Extract these files to /usr/src/iptables-1.4.3.2/extensions/, then compile it:
# ./configure --with-ksource=/usr/src/linux-2.6.21.5/
# make SBIN_DIR=/sbin LIBDIR=/lib
# make SBIN_DIR=/sbin LIBDIR=/lib install
Install the layer7 protocols:
#cd /usr/src/l7-protocols-2009-05-10/
#make install
Finally, make sure that it's working:
# iptables -A FORWARD -m layer7 --l7proto msnmessenger -j DROP
#iptables -L -n
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  0.0.0.0/0            0.0.0.0/0           LAYER7 l7proto msnmessenger
If you get this with no error, it means that you have iptables with layer7 working. If you get an error, post it here and I'll try to help you.
More information about supported protocols can be found at this address: http://l7-filter.sourceforge.net/protocols
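Two checks I would add before relying on the rule above (example code added here, not from the original post): an offline check of the kernel .config for the two options enabled in menuconfig, and a way to exercise the layer7 match in a scratch chain instead of leaving a DROP in FORWARD. The Kconfig symbol names are assumed to be the ones the layer7 patch and the kernel use for those two menu entries; the chain name L7TEST is made up for the example.

```sh
#!/bin/sh
# Added example, not part of the original how-to. Two offline checks plus an
# optional live test. Assumptions: the Kconfig symbols below are the ones the
# layer7 patch and the kernel use for the two menuconfig entries, and L7TEST
# is just a scratch chain name chosen here.

# Return 0 if the kernel .config at $1 has both "layer7 match support" and
# "string match support" built (as a module or built-in).
l7_config_ok() {
    grep -Eq '^CONFIG_NETFILTER_XT_MATCH_LAYER7=[my]$' "$1" || return 1
    grep -Eq '^CONFIG_NETFILTER_XT_MATCH_STRING=[my]$' "$1" || return 1
}

# Read "iptables -L <chain> -n" output on stdin; return 0 if a LAYER7 rule for
# protocol $1 is listed (the same line the how-to shows for msnmessenger).
l7_rule_listed() {
    grep -Eq 'LAYER7 l7proto '"$1"'([[:space:]]|$)'
}

# Live test (root and the rebuilt iptables required). The how-to appends a
# DROP to FORWARD and never removes it, so that traffic stays blocked until
# you "iptables -D" the rule; here the match is exercised in a scratch chain
# with a RETURN target, which affects no traffic, and the chain is removed.
l7_live_test() {
    proto="${1:-msnmessenger}"
    rc=1
    iptables -N L7TEST || return 1
    if iptables -A L7TEST -m layer7 --l7proto "$proto" -j RETURN; then
        iptables -L L7TEST -n | l7_rule_listed "$proto" && rc=0
    fi
    iptables -F L7TEST
    iptables -X L7TEST
    return "$rc"
}

# On the firewall host (not run here):
#   l7_config_ok /usr/src/linux/.config && l7_live_test msnmessenger
```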
1 out of 1 hunk FAILED -- saving rejects to file net/netfilter/nf_conntrack_standalone.c.rej
patching file net/netfilter/regexp/regexp.c
patching file net/netfilter/regexp/regexp.h
patching file net/netfilter/regexp/regmagic.h
patching file net/netfilter/regexp/regsub.c
patching file net/netfilter/xt_layer7.c
Is the patch version that you're using correct? There are different versions in the package…
Check it.. I'm waiting for your response..
how to compile???????????????
Already extracted libxt_layer7.man and libxt_layer7.c to the specified path.
Then typed the command: ./configure --with-ksource=/usr/src/linux-2.6.21.5/
output: -sh: ./configure: No such file or directory
hi Marlou,
are you sure that you're in the iptables source path??
check if the configure file exists..
I'm having the following error when I run the command # iptables -A FORWARD -m layer7 --l7proto msnmessenger -j DROP
iptables v1.4.5: option ‘layer7’ requires an argument.
Try 'iptables -h' or 'iptables --help' for more information.
hi Anitha, sorry for my late response..
but, r u using slackware?
i don't know this error, but it seems like a syntax error.. please check the space between layer7 and -l7proto
thanks
Yeah.. I have given the wrong syntax.. Now it's working.. And I'm using Fedora.. Thank u dekne…