在Debian下给iptables添加connlimit layer7 ipp2p IPID等模块
网关使用的是Debian,使用的内核linux-2.6.15.4和iptables-1.3.5从2006年到现在已经有近一年了,近来看到 layer7和ipp2p都有新的东东出来,加上在此内核上编译IPID一直没有通过,所以决定升级下内核和iptables。最后选定的2.6.18和 iptables-1.3.6。这些东东都可以从官方站点下载到。
1、下载、解压
下面假设下载的源代码都放在/usr/src目录下:
cd /usr/src
wget http://ftp.netfilter.org/pub/iptables/iptables-1.3.6.tar.bz2
wget http://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot/patch-o-matic-ng-20071128.tar.bz2
wget http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.18.tar.bz2
wget http://downloads.sourceforge.net/l7-filter/l7-protocols-2007-11-03.tar.gz?modtime=1194049671&big_mirror=0
wget http://downloads.sourceforge.net/l7-filter/netfilter-layer7-v2.15.tar.gz?modtime=1194499659&big_mirror=0
解压:
tar jxvf linux-2.6.18.tar.bz2
tar jxvf iptables-1.3.6.tar.bz2
tar jxvf patch-o-matic-ng-20071128.tar.bz2
tar zxvf netfilter-layer7-v2.14.tar.gz
tar zxvf l7-protocols-2007-10-10.tar.gz
做个链接,方便后续的工作。
ln -s linux-2.6.18 linux
ln -s iptables-1.3.6 iptables
2、下载新的ng
cd /usr/src/patch-o-matic-ng-20071128
看看sources.list,需要下geoip、condition、IPMARK、ROUTE、connlimit、ipp2p等external patch
#./runme --download
就会下载相关的patch了。在这过程中,你需要指定内核和iptables源码的目录,由于我在上面做了链接,直接默认的就可以了。
Successfully downloaded external patch geoip
Successfully downloaded external patch condition
Successfully downloaded external patch IPMARK
Successfully downloaded external patch ROUTE
Successfully downloaded external patch connlimit
Successfully downloaded external patch ipp2p
Successfully downloaded external patch time
./patchlets/ipv4options exists and is not external
./patchlets/TARPIT exists and is not external
Successfully downloaded external patch ACCOUNT
Successfully downloaded external patch pknock
Hey! KERNEL_DIR is not set.
Where is your kernel source directory? [/usr/src/linux]
Hey! IPTABLES_DIR is not set.
Where is your iptables source code directory? [/usr/src/iptables]
Loading patchlet definitions......................... done
Excellent! Source trees are ready for compilation.