www.linux-noob.com: iptable power compiling extentions - www.linux-noob.com


iptables power compiling extensions

#1 xDamox

  • Linux-Noob Frequent Member
  • Group: Members
  • Posts: 390
  • Joined: 13-December 04

Posted 24 March 2006 - 10:34 PM

This tutorial is going to be on iptables: how to compile extensions which allow you to accomplish the following
tasks by just using iptables:
  • Account - This allows you to take statistics of certain machines on your network, e.g. how much bandwidth your web server uses
  • Nth - This allows you to set up load balancing; who said you had to spend a lot of cash on this??
  • XOR - This allows you to encrypt your traffic between two servers or between two networks
  • ipp2p - This allows you to filter all the file sharing programs, e.g. eDonkey, eMule, Kademlia, KaZaA, FastTrack, BitTorrent, etc.
  • Quotas - This allows you to set quotas on your network traffic, e.g. once you have used 2 Gig of bandwidth, drop all other packets
Well, now you have a taste of what you can accomplish with iptables, I am sure you want to dive in :D Well, before
we do: we will need to recompile the kernel and recompile iptables with the extensions applied to the kernel. I would only recommend doing
this procedure if you are confident about compiling your own kernel.

Let's get started. The first step is to collect the necessary packages to get the extensions to work and compile into your kernel, so you will need the patch-o-matic-ng, kernel and iptables sources. Once you have downloaded all your source files, move them into /usr/src/ as shown below:

mv patch-o-matic-ng-20051203.tar.bz2 /usr/src
mv linux-2.6.16.tar.bz2 /usr/src/
mv iptables-1.3.5.tar.bz2 /usr/src


Once this has been done you can start to decompress the source files as shown below:

tar vxf patch-o-matic-ng-20051203.tar.bz2 
tar vxf linux-2.6.16.tar.bz2
tar vxf iptables-1.3.5.tar.bz2


Now that is done, I would suggest renaming linux-2.6.16 to linux and iptables-1.3.5 to iptables as shown below:

mv linux-2.6.16 linux
mv iptables-1.3.5 iptables


Right, you are almost ready to start applying the patches. First you need to run the make menuconfig command to
preconfigure the kernel, otherwise *PATCHING WILL FAIL*; this is what catches people out! So change into
your linux directory and run the make menuconfig command as shown below:

cd linux
make menuconfig


Once that's done, just exit and save the config file. Now you will need to go into the patch-o-matic directory and issue the following
command:

KERNEL_DIR=/usr/src/linux ./runme extras


Note: replace /usr/src/linux with the path to the kernel source if yours is different.

Once you issue that command you will be prompted with the following:

Hey! IPTABLES_DIR is not set.
Where is your iptables source code directory? [/usr/src/iptables]


If you have renamed your iptables directory like I said earlier, you can just hit Enter; otherwise you have to enter the path
to your iptables source code.

Once that is done you will be prompted for which patches you would like to apply; they also give you a little description of
what each patch does.

Once you have finished selecting which patches you want installed, you will need to compile your iptables, so you will
need to do the following in the iptables source directory:

make KERNEL_DIR=/usr/src/linux
make install KERNEL_DIR=/usr/src/linux
make clean


Woot, your iptables have been compiled :) Now it's just a case of compiling your kernel :) so you can issue the following
in the kernel source directory:

make oldconfig
make
make modules
make modules_install
make install
make clean


Now your kernel is ready along with your new patches; just reboot and enjoy. :) Well, that's it for the compiling side of things,
I hope you were successful.

The second part of this tutorial is just to have a mess with some of the cool iptables features you have compiled. To check
whether an extension is there, type iptables -m extension_name --help.

So let's start with Nth. Check to make sure it's there:

iptables -m nth --help


You should get output like so:

nth v1.3.5 options:
   --every     Nth          Match every Nth packet
  [--counter   num ]        Use counter 0-15 (default:0)
  [--start     num ]        Initialize the counter at the number 'num'
                            instead of 0. Must be between 0 and Nth-1
  [--packet    num ]        Match on 'num' packet. Must be between 0
                            and Nth-1.

                            If --packet is used for a counter than
                            there must be Nth number of --packet
                            rules, covering all values between 0 and
                            Nth-1 inclusively.

This load balancing example has been provided by netfilter:

Quote

if you want to balance the load to the 3 addresses 10.0.0.5, 10.0.0.6 and 10.0.0.7, then you can do as follows :

# iptables -t nat -A POSTROUTING -o eth0 -m nth --counter 7 --every 3 --packet 0 -j SNAT --to-source 10.0.0.5
# iptables -t nat -A POSTROUTING -o eth0 -m nth --counter 7 --every 3 --packet 1 -j SNAT --to-source 10.0.0.6
# iptables -t nat -A POSTROUTING -o eth0 -m nth --counter 7 --every 3 --packet 2 -j SNAT --to-source 10.0.0.7
Time patch

Quote

iptables -A INPUT -m time --timestart 8:00 --timestop 18:00 --days Mon,Tue,Wed,Thu,Fri -j ACCEPT


This time patch can be used to allow access to certain services on different days and at different times; nice little feature :)

Quota patch

Quote

iptables -A INPUT -p tcp --dport 80 -m quota --quota 52428800 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP


This quota patch can be used to make sure you don't go over bandwidth limits. The above limit is set to 50 Gig:
52428800KB = 50GB. If the 50GB is reached it will drop all traffic until it resets.

Well, that's it. If you would like more help on using the extensions, check out netfilter's homepage: http://www.netfilter...ions-HOWTO.html. Who needs Cisco when you've got iptables ;)
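The compile procedure from the post above, collected into one script. This is an added example, not the post's own commands and not part of patch-o-matic or iptables. It keeps the post's versions and paths (SRC can be overridden), and adds two checks a practitioner wants: the downloaded tarballs are verified against a SHA256SUMS file before anything is unpacked (the file name is this script's convention, nothing the post or the kernel.org download page prescribes), and patch-o-matic is not started until the kernel tree has a .config, which is the "patching will fail" trap the post warns about. Setting IPTABLES_DIR in the environment answers the "Where is your iptables source code directory?" prompt the post shows; the yes/no prompt for each patch is still interactive. The real build only starts when the script is invoked with `run`, so the helper functions can be sourced and exercised without touching /usr/src.

```shell
#!/bin/sh
# Added example, not the original post's commands: the compile procedure as a
# script with the ordering check the post warns about (no .config, no
# patching). Versions and paths are the post's; SRC can be overridden.
# SHA256SUMS is this script's own convention for verifying the downloads.
set -e

SRC=${SRC:-/usr/src}
KERNEL_TARBALL=linux-2.6.16.tar.bz2
IPT_TARBALL=iptables-1.3.5.tar.bz2
POM_TARBALL=patch-o-matic-ng-20051203.tar.bz2

# Directory a tarball unpacks into: linux-2.6.16.tar.bz2 -> linux-2.6.16
unpack_dir() { printf '%s\n' "${1%.tar.bz2}"; }

# Refuse to unpack anything whose checksum is not listed and correct in
# $dir/SHA256SUMS. A kernel built from a tampered tarball compromises the
# whole host, so fail closed when the checksum file is absent.
verify_tarballs() {
    dir=${1:-$SRC}
    [ -f "$dir/SHA256SUMS" ] || { echo "no $dir/SHA256SUMS: refusing unverified sources" >&2; return 1; }
    (cd "$dir" && sha256sum -c SHA256SUMS >/dev/null)
}

# Unpack into $SRC and rename to the short name the post uses
# (/usr/src/linux, /usr/src/iptables), which patch-o-matic's default prompt assumes.
unpack_as() {
    tarball=$1; short=$2
    (cd "$SRC" && tar xjf "$tarball" && mv "$(unpack_dir "$tarball")" "$short")
}

# patch-o-matic reads the kernel's .config; without one the patching step
# fails, which is what catches people out. Returns 0 if $1/.config exists.
ensure_kernel_configured() { [ -f "$1/.config" ]; }

# Run patch-o-matic against the configured tree. IPTABLES_DIR in the
# environment answers the "Where is your iptables source code directory?"
# prompt; the per-patch yes/no prompts remain interactive.
apply_patches() {
    ensure_kernel_configured "$SRC/linux" || {
        echo "$SRC/linux has no .config; run 'make menuconfig' there first" >&2
        return 1
    }
    (cd "$SRC/$(unpack_dir "$POM_TARBALL")" &&
        KERNEL_DIR="$SRC/linux" IPTABLES_DIR="$SRC/iptables" ./runme "$@")
}

build_iptables() {
    (cd "$SRC/iptables" && make KERNEL_DIR="$SRC/linux" &&
        make install KERNEL_DIR="$SRC/linux" && make clean)
}

build_kernel() {
    (cd "$SRC/linux" && make oldconfig && make && make modules &&
        make modules_install && make install)
}

main() {
    verify_tarballs "$SRC"
    unpack_as "$KERNEL_TARBALL" linux
    unpack_as "$IPT_TARBALL" iptables
    (cd "$SRC" && tar xjf "$POM_TARBALL")
    (cd "$SRC/linux" && make menuconfig)   # interactive; writes .config
    apply_patches extras
    build_iptables
    build_kernel
    echo "done; reboot into the new kernel"
}

# Only start the real build when asked, so the helpers can be sourced and
# exercised without touching /usr/src.
if [ "${1:-}" = run ]; then main; fi
```

Run it as `sh build-pom.sh run` from a shell that can write to /usr/src; with any other argument it only defines the functions, which is how the ordering check can be tried on a scratch directory first.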
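The nth and quota rulesets from the second half of the post, generated by a script instead of typed by hand. This is an added example, not the post's own commands. It assumes the interface and addresses from the post as placeholders, and that the quota match's --quota argument is a byte count (as its help text states): a 50 GB cap is therefore 53687091200, and the post's 52428800 would be a 50 MB cap, so the size is converted here rather than written in by hand. The nth generator takes --every from the number of backends, so the rule from `iptables -m nth --help` that a counter used with --every N needs exactly N --packet rules covering 0..N-1 holds by construction, and check_nth_coverage verifies that property on any ruleset piped into it, which is the check to run after editing such rules by hand.

```shell
#!/bin/sh
# Added example, not from the original post: generators for the nth and
# quota rules shown above, with their bookkeeping done in code.
# Assumptions: eth0 and the 10.0.0.x addresses are placeholders; the quota
# match's --quota is a byte count.

# to_bytes SIZE: 50G -> 53687091200, 512M -> 536870912; plain numbers pass
# through. Binary units, so a "50 GB" cap is not 52428800 (that is 50 MB).
to_bytes() {
    num=${1%[KMGkmg]}
    case "$1" in
        *[Kk]) mult=1024 ;;
        *[Mm]) mult=1048576 ;;
        *[Gg]) mult=1073741824 ;;
        *)     mult=1 ;;
    esac
    echo $((num * mult))
}

# quota_rules PORT SIZE: accept tcp/PORT until SIZE bytes have matched,
# then the second rule drops the rest until the counter is reset.
quota_rules() {
    printf 'iptables -A INPUT -p tcp --dport %s -m quota --quota %s -j ACCEPT\n' "$1" "$(to_bytes "$2")"
    printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$1"
}

# nth_snat_rules IFACE COUNTER ADDR...: one SNAT rule per backend. The help
# text requires exactly N --packet rules (0..N-1) for a counter used with
# --every N; taking N from the argument count makes that hold by construction.
nth_snat_rules() {
    iface=$1; counter=$2; shift 2
    total=$#; idx=0
    for addr in "$@"; do
        printf 'iptables -t nat -A POSTROUTING -o %s -m nth --counter %s --every %s --packet %s -j SNAT --to-source %s\n' \
            "$iface" "$counter" "$total" "$idx" "$addr"
        idx=$((idx + 1))
    done
}

# check_nth_coverage < rules: exit 1 and name the gap if any (counter, every)
# pair in a ruleset lacks one of --packet 0..every-1.
check_nth_coverage() {
    awk '
    {
        c = ""; e = ""; p = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "--counter") c = $(i + 1)
            if ($i == "--every")   e = $(i + 1)
            if ($i == "--packet")  p = $(i + 1)
        }
        if (e != "" && p != "") { seen[c, e, p] = 1; pair[c, e] = 1 }
    }
    END {
        bad = 0
        for (k in pair) {
            split(k, ce, SUBSEP)
            for (p = 0; p < ce[2] + 0; p++)
                if (!((ce[1], ce[2], p) in seen)) {
                    printf "missing --packet %d for counter %s --every %s\n", p, ce[1], ce[2]
                    bad = 1
                }
        }
        exit bad
    }'
}

# Demo: print the post's two rulesets when run with "show", after checking
# the nth set for coverage.
if [ "${1:-}" = show ]; then
    rules=$(nth_snat_rules eth0 7 10.0.0.5 10.0.0.6 10.0.0.7)
    printf '%s\n' "$rules" | check_nth_coverage && printf '%s\n' "$rules"
    quota_rules 80 50G
fi
```

Piping an existing ruleset through check_nth_coverage (for example the output of `iptables-save -t nat` with the nth lines grepped out) is the quick way to catch a missing or duplicated --packet value after someone adds or removes a backend by hand.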

#2 znx

  • Linux-Noob GURU
  • Group: Members
  • Posts: 1,236
  • Joined: 21-March 05

Posted 25 March 2006 - 01:03 AM

HOLY! .. that's amazing stuff.. iptables is really becoming a killer app.. nice tut xDamox ^_^

The G2-style Tux and the header images using them are licensed under Creative Commons BY-NC-SA. The G2-style Tux images are all from http://crystalxp.net.
Thanks to users kami23, lilitux, iva, overlord59, whidou, brightknight, emulienfou on the Crystal XP Tux Factory site.