Small doubt from a newbie :)

Small doubt from a newbie :)

[utteerna]

Hi all,

I want to use the iptables "-m random" option.

I visited - http://www.netfilter.org/documentati...O-2.html#ss2.1 
<http://www.netfilter.org/documentation/HOWTO/netfilter-extensions-HOWTO-2.html#ss2.1>

to get p-o-m but login failed. Can anyone guide me on how to install 
this patch.

In the iptables source dowloaded from net i see the libipt_random.c but 
when i do a make it doesn't complile to generate a ".so".

Can someone tell me how to

Thanks
Uttee :)

Re: Small doubt from a newbie :)

[Rob Sterenborg]

On Tue, November 7, 2006 09:34, utteerna wrote:
> Hi all,
>
>
> I want to use the iptables "-m random" option.
>
>
> I visited - http://www.netfilter.org/documentati...O-2.html#ss2.1
> <http://www.netfilter.org/documentation/HOWTO/netfilter-extensions-HOWTO-2.htm
> l#ss2.1>
>
> to get p-o-m but login failed. Can anyone guide me on how to install this
> patch.

To download a new pom (pom-ng nowadays) go to the Netfilter FTP site
(ftp.netfilter.org/pub/patch-o-matic-ng/) and download it there; one of the
snapshots should do.

> In the iptables source dowloaded from net i see the libipt_random.c but
> when i do a make it doesn't complile to generate a ".so".

You have to configure your kernel to include "random" support and install it.
I just checked but the "random" match is not in 2.4.33.3 or 2.6.18.2 so you'll
have to patch your kernel for this to work. Then compile and install iptables.

To patch the kernel:
- untar kernel source
- untar iptables source
- untar pom-ng source
- run:
  KERNEL_DIR=/path/to/kernel \
  IPTABLES_DIR=/path/to/iptables \
  ./runme extra


Grts,
Rob

Re: Small doubt from a newbie :)

[Marco Berizzi]

utteerna wrote:

> I want to use the iptables "-m random" option.

download linux >2.6.18 & iptables 1.3.6,
it is called "statistic match".

Re: Small doubt from a newbie :)

[utteerna]

I tried this. But whatever patch, i try to apply i get the message "n 
missing files "(n=1,2,3 etc..) and patch fails. Is it possible to apply 
only the random patch and skip others. Also why am i getting these 
missing file messages. I took the iptables source from the location

ftp://ftp.netfilter.org/pub/iptables/iptables-1.3.6.tar.bz

Thanks
Uttee

##########################################################################
Welcome to Patch-o-matic (1.17)!

Kernel:   2.6.17, /usr/src/linux-2.6.17.13
Iptables: 1.3.6, /usr/src/iptables-1.3.6
Each patch is a new feature: many have minimal impact, some do not.
Almost every one has bugs, so don't apply what you don't need!
-------------------------------------------------------
02_linux-2.4.24.patch does not match your source trees, skipping...
Already applied: 01_iptables-1.2.10.patch 01_linux-2.6.3.patch

Testing 02_linux-2.6.4.patch... not applied
The 02_linux-2.6.4.patch patch:
   Author: Various
   Status: Mandatory

This patch contains all netfilter changes between stock kernel
versions 2.6.4 and 2.6.5.

+ Fix ip_conntrack_helper dependency in ip_conntrack.h
  (Sergio Monteiro Basto)
  
(http://lists.netfilter.org/pipermail/netfilter-devel/2002-November/009928.html)
+ Missing null mapping for local->local traffic
  with CONFIG_IP_NF_NAT_LOCAL disabled (KOVACS Krisztian)
+ ipt_MASQUERADE.c bugfix to compile it cleanly when debugging
  is enabled (Harald Welte)
+ Let the user send reset packet for bridged frames in the
  FORWARD chain with ip forwarding disabled (Bart de Schuymer)
-----------------------------------------------------------------
Do you want to apply this patch [N/y/t/f/a/r/b/w/q/?] y
cannot apply (2 missing files)
-----------------------------------------------------------------
Do you want to apply this patch [N/y/t/f/a/r/b/w/q/?]
##################################################################################################

Rob Sterenborg wrote:
> On Tue, November 7, 2006 09:34, utteerna wrote:
>   
>> Hi all,
>>
>>
>> I want to use the iptables "-m random" option.
>>
>>
>> I visited - http://www.netfilter.org/documentati...O-2.html#ss2.1
>> <http://www.netfilter.org/documentation/HOWTO/netfilter-extensions-HOWTO-2.htm
>> l#ss2.1>
>>
>> to get p-o-m but login failed. Can anyone guide me on how to install this
>> patch.
>>     
>
> To download a new pom (pom-ng nowadays) go to the Netfilter FTP site
> (ftp.netfilter.org/pub/patch-o-matic-ng/) and download it there; one of the
> snapshots should do.
>
>   
>> In the iptables source dowloaded from net i see the libipt_random.c but
>> when i do a make it doesn't complile to generate a ".so".
>>     
>
> You have to configure your kernel to include "random" support and install it.
> I just checked but the "random" match is not in 2.4.33.3 or 2.6.18.2 so you'll
> have to patch your kernel for this to work. Then compile and install iptables.
>
> To patch the kernel:
> - untar kernel source
> - untar iptables source
> - untar pom-ng source
> - run:
>   KERNEL_DIR=/path/to/kernel \
>   IPTABLES_DIR=/path/to/iptables \
>   ./runme extra
>
>
> Grts,
> Rob
>
>
>
>
>   

Re: Small doubt from a newbie :)

[Rob Sterenborg]

On Tue, November 7, 2006 12:26, utteerna wrote:
> I tried this. But whatever patch, i try to apply i get the message "n

Go for Marco Berizzi's solution.


Grts,
Rob

Re: Small doubt from a newbie :)

[utteerna]

I tried the following

1) Took 2.6.18.2 kernel source - Compiled it with "statistic match" 
option on
2) Then compiled iptables 1.3.6  and installed it

But still doesn't work. Can you please tell me a step by step 
description of what to do (when i said newbie - i really meant it :))

Thanks
Utteerna

Marco Berizzi wrote:
> utteerna wrote:
>
>   
>> I want to use the iptables "-m random" option.
>>     
>
> download linux >2.6.18 & iptables 1.3.6,
> it is called "statistic match".
>
>
>
>   

Re: Small doubt from a newbie :)

[Marco Berizzi]

utteerna wrote:


> I tried the following
>
> 1) Took 2.6.18.2 kernel source - Compiled it with "statistic match"
> option on
> 2) Then compiled iptables 1.3.6  and installed it
>
> But still doesn't work.

Error messages?

Re: Small doubt from a newbie :)

[utteerna]

Here's steps i followed and error details. Please let me know if i 
missed something

1)Downloaded linux-2.6.18.2 and put it in /usr/src dir and untarred it
2)Downloaded iptables-1.3.6 and put it in /usr/src dir and untarred it
3)Downloaded patch-o-matic-ng-20061108.tar and put it in /usr/src dir 
and untarred it

4)cd /usr/src/patch-o-matic-ng-20061108
[/usr/src/patch-o-matic-ng-20061108]# export 
KERNEL_DIR=/usr/src/linux-2.6.18.2
[/usr/src/patch-o-matic-ng-20061108]# 
exportIPTABLES_DIR=/usr/src/iptables-1.3.6
[/usr/src/patch-o-matic-ng-20061108]# ./runme extra
Applied the following patches : IPV4OPTSSTRIP, ipv4options,ROUTE 
,TARPIT,sip-conntrack-nat
---QUESTION-->>I didn't find any patch called "random" here. Where to 
get it???

6) cd /usr/src/linux-2.6.18.2
[/usr/src/linux-2.6.18.2]# make clean
[/usr/src/linux-2.6.18.2]#make mrproper
[/usr/src/linux-2.6.18.2]#make xconfig
  Under Networking-->Networking options-->Network packet 
filtering-->Core netfilter configuration-->Netfilter Xtables support, i 
selected ALL the options (including "statistic") and set it compile as  
modules.
---QUESTION-->> Do i have to compile them in to the kernel rather than 
compiling them as modules???
[/usr/src/linux-2.6.18.2]#make bzImage
[/usr/src/linux-2.6.18.2]#make modules
[/usr/src/linux-2.6.18.2]#make modules_install
[/usr/src/linux-2.6.18.2]#make install

7)Now i boot with my new kernel

8) cd /usr/src/iptables-1.3.6
[/usr/src/iptables-1.3.6]# make clean
[/usr/src/iptables-1.3.6]#make
[/usr/src/iptables-1.3.6]#make install

9) Now when i execute
/sbin/depmod -a
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
/sbin/modprobe iptable_nat
/sbin/modprobe ip_nat_ftp
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
........some other commands..................
iptables -t mangle -A OUTPUT -o ! eth0 -m random --average 50 -j ACCEPT
........some other commands..................

i get the error
##############################################################################
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.3.6: Couldn't load match 
`random':/usr/local/lib/iptables/libipt_random.so: cannot open shared 
object file: No such file or directory
##############################################################################
---QUESTION-->> Do i have to load some other modules???
---QUESTION-->>Is the way i do the compiling and installing correct or 
am i missing something???

Thanks
Utteerna

Marco Berizzi wrote:
> utteerna wrote:
>
>
>   
>> I tried the following
>>
>> 1) Took 2.6.18.2 kernel source - Compiled it with "statistic match"
>> option on
>> 2) Then compiled iptables 1.3.6  and installed it
>>
>> But still doesn't work.
>>     
>
> Error messages?
>
>
>
>   

Re: Small doubt from a newbie :)

[Marco Berizzi]

utteerna wrote:

> 3)Downloaded patch-o-matic-ng-20061108.tar and put it in /usr/src dir
> and untarred it

You don't need POM.

> ---QUESTION-->> Do i have to compile them in to the kernel rather than
> compiling them as modules???

There is no difference. If you compile as a module
you must load it before use. Nothing else.

> 8) cd /usr/src/iptables-1.3.6
> [/usr/src/iptables-1.3.6]# make clean
> [/usr/src/iptables-1.3.6]#make

Nope! You must run 'make KERNEL_DIR=/usr/src/linux-2.6.18.2'

> [/usr/src/iptables-1.3.6]#make install

Nope! You must run 'make install KERNEL_DIR=/usr/src/linux-2.6.18.2'

Re: Small doubt from a newbie :)

[Pollywog]

On Friday 10 November 2006 08:38, utteerna wrote:
> Here's steps i followed and error details. Please let me know if i
> missed something

Are you running Debian or a Debian derivative?

>
> 1)Downloaded linux-2.6.18.2 and put it in /usr/src dir and untarred it
> 2)Downloaded iptables-1.3.6 and put it in /usr/src dir and untarred it
> 3)Downloaded patch-o-matic-ng-20061108.tar and put it in /usr/src dir
> and untarred it

Since you are installing patch-o-matic, I assume you are going to compile 
ipsets... is that why you need patch-o-matic?  I just did this recently 
because I use ipsets with Shorewall.

I am also not sure why you did not install the iptables package that comes 
with your distribution, unless it is because you need a newer version for 
ipsets.

I would configure the kernel first, and least through the 'make config' part 
even if you don't compile it.  If you do that and then apply the patches, all 
you need to do is run 'make oldconfig' if you are running Linux.  Then you 
know that you will need to say "Y" to the new options.

After you have patched the kernel and added the new options as I mentioned 
above, you can compile the kernel.  Also, if you are running Debian or a 
derivative of Debian, I can explain how to compile a kernel the Debian way.

I have not had to do it "the old way" in a long time.

8)

Re: Small doubt from a newbie :)

[utteerna]

Working finally :) :) :).
Thank you Marco for your time and patience for helping me out. I really 
appreciate it :).

Marco Berizzi wrote:
> utteerna wrote:
>
>   
>> 3)Downloaded patch-o-matic-ng-20061108.tar and put it in /usr/src dir
>> and untarred it
>>     
>
> You don't need POM.
>
>   
>> ---QUESTION-->> Do i have to compile them in to the kernel rather than
>> compiling them as modules???
>>     
>
> There is no difference. If you compile as a module
> you must load it before use. Nothing else.
>
>   
>> 8) cd /usr/src/iptables-1.3.6
>> [/usr/src/iptables-1.3.6]# make clean
>> [/usr/src/iptables-1.3.6]#make
>>     
>
> Nope! You must run 'make KERNEL_DIR=/usr/src/linux-2.6.18.2'
>
>   
>> [/usr/src/iptables-1.3.6]#make install
>>     
>
> Nope! You must run 'make install KERNEL_DIR=/usr/src/linux-2.6.18.2'
>
>
>
>