
The kernel that ships with Debian includes most options that anybody is likely to need out of the box. Lacking, though, are some of the nice additions to the kernel's IP filtering (and also the userland iptables tool) provided by the netfilter project's patch-o-matic. pptp-conntrack-nat is what I was looking for to use on the NAT firewall at work (it allows netfilter to track pptp connections and disconnect cleanly, needed for users vpn'ing into one of our client's networks).

The patch-o-matic stuff is not yet considered stable enough for the Linux kernel proper, and as such it won't ship with Debian. Luckily, even though these patches are considered "use at your own risk," for the most part they work fine - in fact, I've been using ipcop for a while, which includes several of these patches.

I couldn't get the conntrack module to work with the 2.6 kernel sources, so I had to use 2.4. That's not really a big issue, as 2.4 is just fine and dandy for a NAT firewall.

So, onto the good stuff. Let's patch and build (the Debian way) kernel and iptables packages, which we'll install using dpkg.

1) Install packages

You'll need the kernel source and the iptables source, which is very easy to get with Debian. I use the "Debianized" kernel source, which includes all of the Debian patches already - it's quite possible some patch-o-matic modules may conflict with something, and if you run into that just use the vanilla sources.

You'll need apt-src, so grab it if you don't have it already:

aptitude install apt-src

You'll also want kernel-package, which gives us the tools to make a debianized kernel package:

aptitude install kernel-package

Now, get the kernel and iptables sources:

cd /usr/src
aptitude install kernel-source-2.4.x
apt-src install iptables

2) Extract the sources

apt gives us some .tar.bz2 files, so we need to extract them. We're already in our /usr/src directory, so let's just do it:

tar -xjf kernel-source-2.4.x.tar.bz2
tar -xjf iptables-1.2.x.tar.bz2

Now we symlink our source directory to "/usr/src/linux". If you already have a "linux" symlink, remove it first, then:

ln -s kernel-source-2.4.x linux

3) patch the kernel

To use patch-o-matic, we must patch both the kernel and iptables sources. The patches we want for both are currently included in the iptables source package:

cd /usr/src/iptables-1.2.x/upstream

Extract both the "pristine" iptables source and the patch-o-matic source:

tar -xjf iptables-1.2.x.tar.bz2
tar -xjf patch-o-matic-xxxxxxxx.tar.bz2

Set some environment variables, so p-o-m can find our sources:

export KERNEL_DIR=/usr/src/linux
export IPTABLES_DIR=/usr/src/iptables-1.2.x/upstream/iptables-1.2.x

Run the patch you want:

cd patch-o-matic-xxxxxxxx
./runme pptp-conntrack-nat

Note that 'pptp-conntrack-nat' is the name of the module I'm adding. Several others may provide additional functionality you want, check the netfilter web site to decide what you want to include. Don't go overboard - remember, all these patches are still "unstable," so if you don't need it, don't include it! Answer "y" to the question and move on.

4) Configure the new kernel

Now you must make a choice - do you wish to create your own kernel config from scratch, or do you want to start with the Debian base kernel config? Unless you have a specific need to reduce your kernel size, or you know exactly what you're doing and have free time, I recommend starting with an existing Debian configuration. There are advantages to having a lean kernel, primarily in compile time, but you must wade through the kernel config and make sure you select the appropriate options.

I opted to start with the existing 2.4.x kernel config file, which can be found in /boot and will be named 'config-2.4.x-arch'.

Copy the file to your source directory:

cd /usr/src/linux
cp /boot/config-2.4.x-arch ./.config

Now you have a starting place - configure your kernel:

make menuconfig

(Note you need ncurses, if make complains you don't have it just 'aptitude install libncurses5')

The only changes you should need to make will be under "Networking Options" -> "IP: Netfilter Configuration." In my case, I enabled GRE and pptp as modules under "connection tracking."

5) Compile the kernel

We're doing this the Debian way, so forget the standard way to compile and install a kernel. Luckily for us, it's even easier in Debian:

make-kpkg clean
make-kpkg --initrd --append-to-version=-pom kernel_image

I use the "append-to-version=-pom" flag to help me identify the kernel as being "patch-o-matic"ed. This will be used in both the name of the kernel itself and in the name of its .deb package. Note that this will take a while! Depending on the speed of your system this could take hours, so it is recommended that you do it within a screen session or with nohup if you're logging in remotely. While this is running, you can start on the next step.

6) Configure and compile a custom iptables package

While your system is busy compiling the kernel, you can get started on creating an iptables package to match it. You must patch iptables with the same p-o-m patches as the kernel, or they might not be compatible!

You might be thinking we've already done this, and you'd be right. However, we want to do things the Debian way to create a nice iptables deb package, so we'll have to do a little extra work.

cd /usr/src/iptables-1.2.x
vi scripts/prep.sh

Now, change the "pomng_extensions" variable in this file to include the names of your additional p-o-m modules. You may also edit the kernel version in this file, though that doesn't seem to have any effect. Save your changes, then run:


Yes, you're also building the kernel at the same time, but iptables isn't that large and it won't take too long even so. When done, in the /usr/src directory you'll have a shiny new iptables_1.2.x_arch.deb file waiting for you.

7) Install the new packages

Once the kernel finishes compiling, you'll want to install both it and your new iptables package. Be sure to remove the old iptables package if you already have it installed.

cd /usr/src
dpkg -i kernel-image-2.4.x-pom_10.00.Custom_arch.deb
dpkg -i iptables_1.2.x_arch.deb

8) Make the new kernel the default, reboot

vi /boot/grub/menu.lst

Change "default" to represent the number of your new kernel (note the first kernel is 0, second is 1, etc). Now you'll want to reboot, but a word of warning - if something didn't go according to plan, your system may not reboot at all! If you have any doubts, make sure you have physical access to the machine before rebooting so you can fall back to an old kernel from your grub menu.

9) Load modules

Once the kernel reboots, try to load your new modules. Use modprobe rather than insmod so dependencies are resolved, and load the conntrack modules before their NAT counterparts, which depend on them:

modprobe ip_conntrack_proto_gre
modprobe ip_conntrack_pptp
modprobe ip_nat_proto_gre
modprobe ip_nat_pptp

They should all show up in the lsmod output! Test iptables to make sure it's working as well (if you don't have a save file, just add some rules manually):

iptables-restore < your.iptables.save.file
iptables -L

And that should just about do it. You'll probably want to load those modules with the same script from which you're currently loading your firewall rules.
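Steps 8 and 9 are where a slip leaves the box booting the wrong kernel or the firewall running without PPTP conntrack, so here is an added shell helper (my own, not from the original post) that finds the grub legacy entry number for the -pom kernel (stanzas counted from 0), rewrites the default line, and reports which of the four modules are absent from lsmod output. The menu.lst and lsmod text are constructed samples, and the 2.4.x version strings are placeholders.

```shell
# Added helper, not from the original post. Constructed menu.lst sample;
# grub legacy numbers "title" stanzas from 0, which is what "default" refers to.
SAMPLE_MENU_LST=$(cat <<'EOF'
default 0
timeout 5
title Debian GNU/Linux, kernel 2.4.x
root (hd0,0)
kernel /boot/vmlinuz-2.4.x root=/dev/hda1 ro
initrd /boot/initrd.img-2.4.x
title Debian GNU/Linux, kernel 2.4.x-pom
root (hd0,0)
kernel /boot/vmlinuz-2.4.x-pom root=/dev/hda1 ro
initrd /boot/initrd.img-2.4.x-pom
EOF
)
# Constructed 2.4-style lsmod output in which ip_nat_pptp is not yet loaded.
SAMPLE_LSMOD=$(cat <<'EOF'
Module                  Size  Used by    Tainted: P
ip_conntrack_pptp       4180   0 (unused)
ip_nat_proto_gre        2132   0 (unused)
ip_conntrack_proto_gre  2864   0 [ip_conntrack_pptp]
EOF
)
POM_MODULES="ip_conntrack_proto_gre ip_nat_proto_gre ip_conntrack_pptp ip_nat_pptp"

# Print the 0-based index of the first stanza whose "kernel" line names an
# image carrying suffix $2 (e.g. -pom); print nothing and return 1 if none does.
grub_entry_index() {
    printf '%s\n' "$1" | awk -v suffix="$2" '
        /^[[:space:]]*title/  { idx++ }
        /^[[:space:]]*kernel/ && index($2, suffix) { print idx - 1; found = 1; exit }
        END { exit !found }'
}

# Filter: rewrite the "default" line of a menu.lst read on stdin to entry $1.
set_grub_default() {
    sed "s/^[[:space:]]*default[[:space:]].*/default $1/"
}

# Print the modules from list $2 missing from lsmod output $1; return 1 if any
# are missing, so the firewall script can bail out before loading NAT rules.
missing_modules() {
    printf '%s\n' "$1" | awk -v want="$2" '
        NR > 1 { loaded[$1] = 1 }
        END { n = split(want, w, " ")
              for (i = 1; i <= n; i++) if (!(w[i] in loaded)) { print w[i]; miss = 1 }
              exit miss }'
}
```

On the real machine, feed it `"$(cat /boot/grub/menu.lst)"` and `"$(lsmod)"` instead of the samples, and check the index it prints against the grub menu before you reboot.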
