- Iptables v1.2.2 (http://netfilter.samba.org/iptables-1.2.2.tar.bz2) md5sum 7d065a5d1e7003a0e61bece79a88d903
- Linux kernel v2.4.5 (http://www.kernel.org/pub/linux/kernel/v2.4/linux-2.4.5.tar.bz2)
This is a quick overview. See the sections below for more details. Note that you do not need to compile the kernel before you compile and install Iptables and certain things are not available as kernel options (later) unless you patch your kernel with 'make patch-o-matic'.
- Do a 'make oldconfig' (or 'make menuconfig' if you don't have a working .config file) in your /usr/src/linux.
- Do a 'make && make install' where you untarred the iptables archive.
- Do a 'make patch-o-matic' and apply the patches that you need (I would advise testing first to see if it applies cleanly as not all patches are compatible with each other).
- Go back to /usr/src/linux and do a 'make menuconfig' and select the newly available/desired options.
- Finish your normal kernel compile (make dep; make clean; make
- 'make && make install' will do a minimalist install in the default (/usr/local) locations.
- 'make pending-patches' will offer to patch the standard kernel with some outstanding bugfixes or tweaks.
- 'make patch-o-matic' will offer to patch the standard kernel with enhanced/experimental features.
- 'make experimental && make install-experimental' will create the iptables-save and iptables-restore binaries.
- Preface the compile options with 'BINDIR=/usr/sbin LIBDIR=/usr/lib MANDIR=/usr/man' if you'd like to change the default locations. This includes 'make install' (e.g. 'make BINDIR=/usr/sbin LIBDIR=/usr/lib MANDIR=/usr/man install')
Patch-O-Matic - "Welcome to Rusty's Patch-o-matic! Each patch is a new feature: many have minimal impact, some do not. Almost every one has bugs, so I don't recommend applying them all!" Note: The following is an example lifted from v1.2.1a patch-o-matic and is not current. While some options have changed, a current list will be displayed when you do a 'make patch-o-matic'.
- CONFIG_IP_NF_TARGET_BALANCE option, which is similar to
DNAT: it takes a range of addresses (`--to-dest 126.96.36.199-188.8.131.52') and
spreads the load out over them.
- CONFIG_IP_NF_TARGET_NETLINK, which adds a NETLINK
target that sends dropped packets to userspace via a netlink socket.
It replaces the old ipchains -o option.
- CONFIG_IP_NF_TARGET_SAME option, which is similar to
SNAT: it takes a range of addresses (`--to-source 184.108.40.206-220.127.116.11') and
gives a client the same address for each connection.
- CONFIG_IP_NF_TARGET_TTL option, which enables the user
to set the TTL value of an IP packet or to increment / decrement it
by a given value.
- CONFIG_IP_NF_MATCH_AH_ESP, which supplies two match
extensions (`ah' and `esp') allow you to match a range of SPIs inside
AH or ESP headers of IPSec packets.
- CONFIG_IP_NF_DROPTABLE option. Packets which are going to be
by the NAT or routing code (among others) will traverse this table,
allowing them to be logged.
This patch is INVASIVE, and will break many of the other patches.
- CONFIG_IP_NF_EGG: Connection tracking for eggdrop bot networks.
- CONFIG_IP_NF_TARGET_FTOS option, which allows setting the
TOS field within the packet to any value between 0x0 and 0xff. This
includes all legal TOS values. It does not take account of the DiffServ
split of the field nor does it account for the ECN bit states.
Basically you can set the TOS field to whatever value you want.
- ftp-multi.patch allows ftp connection tracking and NAT to operate on up
8 ports, using the `ports=' option to the ip_conntrack_ftp and
ip_nat_ftp modules. Without the option, port 21 is used as normal.
In addition, it adds support for FXP (direct FTP 2 FTP transport). To
enable FXP support, use a module load parameter of `fxp=1`
- ftp-pasv-fix.patch makes it possible to do statefull firewalling on a
running any ftp server, using the ip_conntrack_ftp.o module.
The standard module only works with ftp servers sending the literal string
"227 Entering Passive Mode (", but the ftp-rfc's don't require the literal
text "Entering Passive Mode", they merely suggest it. This patch makes
ip_conntrack_ftp.o recognize any text between the '227 ' and the '('.
- CONFIG_IP_NF_MATCH_IPLIMIT match allows you to restrict the
number of parallel TCP connections to a server per client IP address
(or address block).
# allow 2 telnet connections per client host
iptables -p tcp -dport 23 -m iplimit --iplimit-above 2 -j REJECT
# you can also match the other way around:
iptables -p tcp -dport 23 -m iplimit ! --iplimit-above 2 -j ACCEPT
# limit the nr of parallel http requests to 16 per class C sized
# network (24 bit netmask)
iptables -p tcp -dport 80 -m iplimit --iplimit-above 16 --iplimit-mask 24 -j REJECT
- CONFIG_IP_NF_IRC: IRC support module for netfilter
connection tracking and NAT. This allows DCC to work though NAT and
This patch depends on dropped-table and seqoffset
- masquerade+fwmark.patch is a fix for complex routing setups, where route
by firewall mark
is combined with the MASQUERADE NAT target
- nat+conntrack-hashsize.patch makes the hash table size of the connection
tracking code and NAT
code a module parameter (hashsize=XXX), and makes the default for NAT
1/16384 of memory (much better than the previous default of 64 for
- CONFIG_IP_NF_POOL, which provides a match which lets you use
bitmaps with one bit per address from some range of IP addresses; the
match depends on whether a checked source or destination address has
its bit set in the pool. It also provides a POOL target, which can be
used to add or remove the addresses of a packet to/from a pool.
The userspace program ippool(8) is also compiled (in the ippool/
directory), and is used to define the pools and their bounds.
- CONFIG_IP_NF_MATCH_PSD, which supplies portscan
detection match (PSD). This match will attempt to detect TCP and UDP
port scans. This match was derived from Solar Designer´s scanlogd.
Suppported options are:
Total weight of the latest TCP/UDP packets with different
destination ports coming from the same host to be treated as port
Delay (in hundredths of second) for the packets with different
destination ports coming from the same host to be treated as
possible port scan subsequence.
Weight of the packet with privileged (<=1024) destination port.
Weight of the packet with non-priviliged destination port.
- CONFIG_IP_NF_MATCH_RPC, which supplies two
ip_conntrack_rpc_udp and ip_conntrack_rpc_tcp, which track portmapper
requests using UDP and TCP respectively. It also adds the record_rpc
match for iptables, which matches if the source of the packet has
requested that port through the portmapper before, or it is a new GET
request to the portmapper, allowing effective RPC filtering.
- seqoffset.patch - New API functions for NAT helper. This API hides all
the nifty details about
packet resizing and the resulting sequence number offset when NATing protocols
like ftp / irc
REQUIREMENTS: You need at least Kernel 2.4.2 for this patch!
dropped-table-patch from netfilter patch-o-matic
- CONFIG_IP_NF_NAT_SNMP_BASIC for basic SNMP NAT
support. This is the "basic" form of SNMP-ALG, as described in
RFC 2962; it works by modifying IP addresses inside SNMP payloads
to match IP-layer NAT mapping.
- CONFIG_IP_NF_MATCH_STRING which allows you to
match a string in a whole packet.
- tcp-window-tracking.patch is an implementation of TCP connection tracking
to the article 'Real Stateful TCP Packet Filtering in IP Filter' by
Guido van Rooij . It contains the new TCP connection tracking with
support to handle already established connections. Window scaling
support is added.
- CONFIG_IP_NF_MATCH_TTL option, which enables the user to
match packets by their TTL value.
- CONFIG_IP_NF_TARGET_ULOG option, which supplies a more
advanced packet logging mechanism than the standard LOG target. The
libiptulog/ directory contains a library for receiving the ULOG
See http://www.gnumonks.org/projects/ulogd for more information
- CONFIG_IP6_NF_TARGET_LOG option, which adds a LOG target
- CONFIG_IP6_NF_TARGET_REJECT option, which adds a REJECT target
to ip6tables. Please keep in mind that the icmp-types are different from
the icmpv6 types (see ip6tables -j REJECT -h for more info)
- ipv6-ports.patch.ipv6 contains IPv6 port of owner match form IPv4 and
fixes for limit, mac
and multiport matches.
Note: The highlighted patches above does not represent what I think you should compile into your kernel. They are simply patches that I find interesting. Should you apply any of the above patches into your kernel and change your mind, you can reverse the patch by copying the appropriate patch from the patch-o-matic directory into your /usr/src/linux and running 'patch -R -p1 < name_of_the_patch'.