This post was last edited by navywang on 2011-08-24 14:28
Reply to 1# platinum
Asking for help with setting up the build environment
Thanks to platinum for the hard work.
platinum's tutorial is as follows:
Welcome to the iptables-modules integrated environment (v1.0.0, 20100807)
Author: platinum (ChinaUnix-platinum)
The directory bundles iptables-1.4.6 and the ACCOUNT, layer7, ipp2p and domain modules.
Installation environment:
Extract the 2.6.34 kernel source into /usr/src/linux
Compile it and reboot into the new 2.6.34 kernel
Install iptables-1.4.6:
# cd iptables-1.4.6
# make
# make install
# cd ..
Install the ACCOUNT userspace program iptaccount
# cd ACCOUNT
# ./configure
# make
# make install
# cd ..
Build the kernel that layer7 requires
# cp layer7_kernel.patch /usr/src/linux/
# cd /usr/src/linux
# patch -p1 < layer7_kernel.patch
# make
# make modules_install
# make install
# reboot (reboot the system into the new 2.6.34 kernel)
Build and install the ipt_ACCOUNT, xt_layer7, ipt_ipp2p and ipt_domain modules
# make
# make install
Usage:
ACCOUNT:
iptables -A FORWARD -j ACCOUNT --addr 192.168.1.0/24 --tname LOCAL
iptaccount -l LOCAL
or
iptaccount -l LOCAL -f
layer7:
iptables -A FORWARD -m layer7 --l7proto qqdownload -j DROP
ipp2p:
iptables -A FORWARD -m ipp2p --ipp2p -j DROP
domain:
iptables -A FORWARD -m domain --name "chinaunix.net" -j DROP
My work so far is as follows
Current environment: CentOS 5.5 (32-bit), IP 192.168.40.25
Set up following the iptables-modules integrated environment (v1.0.0, 20100807); first, install kernel 2.6.34
Procedure
# yum install gcc ncurses-devel -y
3. Compile and install
# make mrproper
# cp /boot/config-2.6.18-194.el5 .config
# make menuconfig
Load an Alternate Configuration File -> import the .config file -> Save an Alternate Configuration File -> Exit
# vim .config
CONFIG_SYSFS_DEPRECATED_V2 is not set -> CONFIG_SYSFS_DEPRECATED_V2=y
# make all && make modules_install && make install
4. Modify the initrd
# cp /boot/initrd-2.6.34.img /tmp
# mv /boot/initrd-2.6.34.img /boot/initrd-2.6.34.img.bak
# cd /tmp
# mkdir newinitrd
# cd newinitrd/
# zcat ../initrd-2.6.34.img |cpio -i
# ls
bin dev etc init lib proc sbin sys sysroot
# vim init
echo "Loading dm-region-hash.ko module"
insmod /lib/dm-region-hash.ko
These two lines appear twice; delete the second copy, otherwise booting the new kernel produces the error:
insmod: error inserting '/lib/dm-region-hash.ko': -1 File exists
# find .|cpio -c -o > ../initrd
# cd ..
# gzip -9 < initrd > initrd-2.6.34.img
# cp initrd-2.6.34.img /boot
# reboot
Booted into the new 2.6.34 kernel
[root@localhost ~]# uname -a
Linux localhost.localdomain 2.6.34 #1 SMP Fri Aug 19 00:13:32 CST 2011 i686 i686 i386 GNU/Linux
Install iptables-1.4.6:
# cd iptables-1.4.6
# make
# make install
# cd ..
Install the ACCOUNT userspace program iptaccount
# cd ACCOUNT
# ./configure
# make
# make install
# cd ..
Apply the layer7 patch to the kernel
# cp layer7_kernel.patch /usr/src/linux/
# cd /usr/src/linux
# patch -p1 < layer7_kernel.patch
The following error appeared: [root@localhost linux
CHK include/linux/version.h
CHK include/generated/utsrelease.h
CALL scripts/checksyscalls.sh
CHK include/generated/compile.h
Kernel: arch/x86/boot/bzImage is ready (#1)
Building modules, stage 2.
MODPOST 993 modules
WARNING: modpost: Found 5 section mismatch(es).
To see full details build your kernel with:
'make CONFIG_DEBUG_SECTION_MISMATCH=y'
patching file net/netfilter/nf_conntrack_core.c
Hunk #1 succeeded at 202 with fuzz 1 (offset 1 line).
patching file net/netfilter/nf_conntrack_standalone.c
Hunk #1 succeeded at 178 with fuzz 2 (offset 13 lines).
patching file include/net/netfilter/nf_conntrack.h
Hunk #1 succeeded at 116 (offset -2 lines).
Continue the installation
# make
# make modules_install
INSTALL net/wireless/cfg80211.ko
INSTALL net/wireless/lib80211.ko
INSTALL net/wireless/lib80211_crypt_ccmp.ko
INSTALL net/wireless/lib80211_crypt_tkip.ko
INSTALL net/wireless/lib80211_crypt_wep.ko
INSTALL net/xfrm/xfrm_ipcomp.ko
INSTALL samples/tracepoints/tracepoint-probe-sample.ko
INSTALL samples/tracepoints/tracepoint-probe-sample2.ko
INSTALL samples/tracepoints/tracepoint-sample.ko
DEPMOD 2.6.34
#make install
sh /usr/src/linux/arch/x86/boot/install.sh 2.6.34 arch/x86/boot/bzImage \
System.map "/boot"
# reboot (reboot the system into the new 2.6.34 kernel)
Verify iptables
[root@localhost ~]# iptables -V
iptables v1.4.6
Build and install the ipt_ACCOUNT, xt_layer7, ipt_ipp2p and ipt_domain modules; the following error appeared
[root@localhost iptables-modules-1.0.0]# make
make -C /lib/modules/2.6.34/build M=/usr/src/iptables-modules-1.0.0 modules
make[1]: Entering directory `/usr/src/linux'
CC [M] /usr/src/iptables-modules-1.0.0/ipt_domain.o
CC [M] /usr/src/iptables-modules-1.0.0/ipt_ACCOUNT.o
CC [M] /usr/src/iptables-modules-1.0.0/xt_layer7.o
In file included from /usr/src/iptables-modules-1.0.0/xt_layer7.c:26:
include/net/netfilter/nf_conntrack.h:94: error: field ‘ct_general’ has incomplete type
include/net/netfilter/nf_conntrack.h: In function ‘nf_ct_get’:
include/net/netfilter/nf_conntrack.h:194: error: ‘const struct sk_buff’ has no member named ‘nfct’
include/net/netfilter/nf_conntrack.h: In function ‘nf_ct_put’:
include/net/netfilter/nf_conntrack.h:201: error: implicit declaration of function ‘nf_conntrack_put’
include/net/netfilter/nf_conntrack.h: In function ‘nf_ct_is_untracked’:
include/net/netfilter/nf_conntrack.h:310: error: ‘const struct sk_buff’ has no member named ‘nfct’
In file included from include/net/netfilter/nf_conntrack_core.h:18,
from /usr/src/iptables-modules-1.0.0/xt_layer7.c:27:
include/net/netfilter/nf_conntrack_ecache.h: In function ‘nf_ct_ecache_ext_add’:
include/net/netfilter/nf_conntrack_ecache.h:35: error: ‘struct net’ has no member named ‘ct’
In file included from /usr/src/iptables-modules-1.0.0/xt_layer7.c:27:
include/net/netfilter/nf_conntrack_core.h: In function ‘nf_conntrack_confirm’:
include/net/netfilter/nf_conntrack_core.h:60: error: ‘struct sk_buff’ has no mem
platinum, or any other expert who has completed this configuration, please advise; thanks in advance.
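The compile errors quoted above (struct sk_buff without an nfct member, struct net without a ct member, struct nf_conntrack as an incomplete type) are the shape of error GCC produces when the kernel tree that out-of-tree modules are built against has a .config in which connection tracking is not enabled, since in 2.6.x those members only exist under CONFIG_NF_CONNTRACK. The following script is an added example, not part of this post or of platinum's iptables-modules package: it checks a .config for the options that conntrack-based netfilter modules depend on before running make. The option list is an assumption of this example (a minimal set), the sample .config fragments are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the forum post or of platinum's iptables-modules
# package: sanity-check the kernel .config that out-of-tree conntrack modules
# (xt_layer7, ipt_ipp2p, ipt_ACCOUNT, ipt_domain) will be compiled against.
# The option list below is an assumption (a minimal set that gives sk_buff its
# nfct field and struct net its ct member); real modules may need more.

REQUIRED_OPTS="CONFIG_NETFILTER CONFIG_NETFILTER_XTABLES CONFIG_NF_CONNTRACK CONFIG_NF_CONNTRACK_IPV4 CONFIG_IP_NF_IPTABLES"

# check_kconfig FILE
# Prints one "missing: ..." line per required option that is neither =y nor =m
# (a "# CONFIG_X is not set" line and a completely absent symbol both count).
# Returns 0 when every option is enabled, 1 otherwise.
check_kconfig() {
    cfg="$1"
    rc=0
    for opt in $REQUIRED_OPTS; do
        if grep -q "^${opt}=[ym]\$" "$cfg"; then
            continue
        fi
        echo "missing: ${opt} is not enabled in ${cfg}"
        rc=1
    done
    return $rc
}

# count_missing FILE: number of required options not enabled, for scripting.
count_missing() {
    check_kconfig "$1" | grep -c '^missing:' || true
}

# sample_config good|bad
# Writes a constructed .config fragment (not a real CentOS or 2.6.34 config)
# to a temp file and prints its path; "bad" leaves conntrack unconfigured.
sample_config() {
    f=$(mktemp)
    if [ "$1" = good ]; then
        printf '%s\n' 'CONFIG_NETFILTER=y' 'CONFIG_NETFILTER_XTABLES=m' \
            'CONFIG_NF_CONNTRACK=m' 'CONFIG_NF_CONNTRACK_IPV4=m' \
            'CONFIG_IP_NF_IPTABLES=m' > "$f"
    else
        printf '%s\n' 'CONFIG_NETFILTER=y' 'CONFIG_NETFILTER_XTABLES=m' \
            '# CONFIG_NF_CONNTRACK is not set' 'CONFIG_IP_NF_IPTABLES=m' > "$f"
    fi
    echo "$f"
}

# Demonstration: the "bad" fragment reproduces the situation in which
# xt_layer7.c fails to compile; a real run would pass /usr/src/linux/.config.
demo_cfg=$(sample_config bad)
check_kconfig "$demo_cfg" || echo "enable the missing options in make menuconfig, rebuild the kernel, then build the modules"
rm -f "$demo_cfg"
```

Run it against /usr/src/linux/.config (the tree that /lib/modules/2.6.34/build points at) before the modules' make; a non-zero exit with "missing:" lines means the kernel itself has to be reconfigured and rebuilt first, since no change in the module sources can supply the absent kernel members.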