Monday, June 24, 2013

Netfilter extensions using xtables-addons on Ubuntu 9.04

I wanted to use the IPP2P match and the TARPIT target on my Linux box running Ubuntu 9.04. IPP2P lets me match (and so block) the traffic of some common peer-to-peer applications, while the TARPIT target ties up inbound TCP connections: it completes the three-way handshake and then answers with a TCP window size of 0, so the remote side can send no data and sits waiting, while the local kernel never opens a socket for the connection.



Here are the steps that I followed to install those netfilter extensions using xtables-addons.


[1] Download the xtables-addons package

root@lin-bin-box:~# wget -c http://nchc.dl.sourceforge.net/project/xtables-addons/Xtables-addons/1.19/xtables-addons-1.19.tar.bz2

[2] Install the build prerequisites
root@lin-bin-box:~# aptitude -y install iptables-dev linux-source linux-headers

The xtables-addons kernel modules are compiled against the headers of the running kernel, so the headers package must match uname -r (on Ubuntu that is the linux-headers-$(uname -r) package); a compiler and make (build-essential) are needed as well.


root@lin-bin-box:~# tar jxvf xtables-addons-1.19.tar.bz2

root@lin-bin-box:~# cd xtables-addons-1.19

[3] Upgrade iptables

The INSTALL file that comes with xtables-addons states that the required iptables version is iptables >= 1.4.3. Check what is installed:

root@lin-bin-box:~/xtables-addons-1.19# iptables -V
iptables v1.4.1.1

Since our iptables version is too old, we need to upgrade it:

root@lin-bin-box:~/xtables-addons-1.19# cd ..
root@lin-bin-box:~# wget -c http://ftp.netfilter.org/pub/iptables/iptables-1.4.5.tar.bz2
root@lin-bin-box:~# tar jxvf iptables-1.4.5.tar.bz2
root@lin-bin-box:~# cd iptables-1.4.5
root@lin-bin-box:~/iptables-1.4.5# ./configure
root@lin-bin-box:~/iptables-1.4.5# make && make install

With the default prefix, make install puts the new iptables binaries in /usr/local/sbin; the distribution's /sbin/iptables is left in place, so call the new one by its full path to be sure which one you are using. You can check its version like this:

root@lin-bin-box:/usr/local/sbin# /usr/local/sbin/iptables -V
iptables v1.4.5

[4] Install xtables-addons and select the required modules

root@lin-bin-box:~# cd xtables-addons-1.19
Choose the modules you want by editing the mconfig file (one build_<name>= line per extension; set the ones you want to m). I only chose ipp2p and TARPIT.

Now it's time to compile those extensions. configure has to pick up the iptables 1.4.5 we just installed rather than the old 1.4.1.1; if it reports the old version, point pkg-config at the new install by setting PKG_CONFIG_PATH=/usr/local/lib/pkgconfig before running it.

root@lin-bin-box:~/xtables-addons-1.19# ./configure
root@lin-bin-box:~/xtables-addons-1.19# make
root@lin-bin-box:~/xtables-addons-1.19# make install

[5] Check whether the extensions work:

Check the ipp2p match. If the userspace extension loaded, iptables prints the match's options and exits 0; otherwise it reports that it couldn't load the match:
root@lin-bin-box:~# /usr/local/sbin/iptables -t filter -m ipp2p --help

Check the TARPIT target. Note that this is a real rule: until you delete it again (the same command with -D in place of -A), every inbound SMTP connection to this host is tarpitted. If the userspace library loaded but the kernel module did not, this command fails with "No chain/target/match by that name":
root@lin-bin-box:~# /usr/local/sbin/iptables -t filter -A INPUT -s 0/0 -p tcp --dport 25 -j TARPIT
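The checks above can be run in one go without leaving a TARPIT rule on INPUT. The script below is an added example and not part of the original post or of xtables-addons: it verifies that the iptables binary in use meets the >= 1.4.3 requirement from step [3], that the ipp2p match and the TARPIT target load in userspace, that their kernel modules (xt_ipp2p, xt_TARPIT) are installed for the running kernel, and that a TARPIT rule can actually be inserted, using a throwaway chain that no traffic is directed to. The IPT path and the chain name are assumptions matching the default /usr/local install prefix used above.

```shell
#!/bin/sh
# Added example (not from the original post): sanity checks for the
# xtables-addons install described above. The live checks need root and run
# only when invoked as "sh check-xtables.sh run"; the version helpers are pure
# shell and can be exercised on any machine.
IPT=${IPT:-/usr/local/sbin/iptables}   # assumption: default install prefix
MIN_VER=1.4.3                          # from the xtables-addons INSTALL file

# parse_version "iptables v1.4.1.1" -> "1.4.1.1" (empty if no version found)
parse_version() {
    printf '%s\n' "$1" | sed -n 's/^iptables v\([0-9][0-9.]*\).*$/\1/p'
}

# version_ge A B: succeeds when dotted version A >= B; missing fields count as 0,
# so 1.4.1.1 < 1.4.3 and 1.10 > 1.9 compare correctly (unlike a string compare)
version_ge() {
    a="$1.0.0.0" b="$2.0.0.0" i=1
    while [ "$i" -le 4 ]; do
        x=$(printf '%s\n' "$a" | cut -d. -f"$i")
        y=$(printf '%s\n' "$b" | cut -d. -f"$i")
        if [ "${x:-0}" -gt "${y:-0}" ]; then return 0; fi
        if [ "${x:-0}" -lt "${y:-0}" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# iptables_recent: the binary at $IPT reports a version >= MIN_VER
iptables_recent() {
    v=$(parse_version "$("$IPT" -V 2>/dev/null)")
    [ -n "$v" ] && version_ge "$v" "$MIN_VER"
}

# userspace_ext KIND NAME: KIND is -m (match) or -j (target). The shared
# library loaded if --help succeeds; a missing extension makes iptables exit
# non-zero with "Couldn't load match/target".
userspace_ext() {
    "$IPT" "$1" "$2" --help >/dev/null 2>&1
}

# kernel_mod NAME: the module is installed for the running kernel
kernel_mod() {
    modinfo "$1" >/dev/null 2>&1
}

# tarpit_rule_ok: insert a TARPIT rule into a private chain that nothing jumps
# to, then delete the chain, so the host never tarpits real connections.
# Fails with "No chain/target/match by that name" if xt_TARPIT is not loadable.
tarpit_rule_ok() {
    chain=xtaddons_probe rc=1   # assumption: chain name not otherwise in use
    "$IPT" -N "$chain" 2>/dev/null || return 1
    if "$IPT" -A "$chain" -p tcp --dport 25 -j TARPIT; then rc=0; fi
    "$IPT" -F "$chain" && "$IPT" -X "$chain"
    return $rc
}

# report LABEL CMD...: print ok/FAIL for one check and remember any failure
report() {
    label=$1; shift
    if "$@"; then echo "ok   $label"; else echo "FAIL $label"; failed=1; fi
}

main() {
    failed=0
    report "iptables >= $MIN_VER at $IPT" iptables_recent
    report "ipp2p match loads in userspace" userspace_ext -m ipp2p
    report "TARPIT target loads in userspace" userspace_ext -j TARPIT
    report "xt_ipp2p kernel module installed" kernel_mod xt_ipp2p
    report "xt_TARPIT kernel module installed" kernel_mod xt_TARPIT
    report "TARPIT rule can be inserted" tarpit_rule_ok
    return $failed
}

case "${1:-}" in run) main ;; esac
```

When you then add the real rule for production, keep in mind the advice from the TARPIT man page: if connection tracking is in use, exclude the tarpitted port from tracking with a NOTRACK rule in the raw table (PREROUTING) first, otherwise every tarpitted connection also costs a conntrack entry and an attacker can fill the conntrack table.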


(Source)
