Comments on Xtables-Addons On Centos 6 & Iptables GeoIP Filtering
Xtables-Addons On Centos 6 & Iptables GeoIP Filtering This tutorial will explain how to install additional modules for the kernel to use with iptables rule sets (netfilter modules). Xtables-addons is the successor to patch-o-matic(-ng). Likewise, it contains extensions that were not, or are not yet, accepted in the main kernel/iptables packages. Xtables-addons is different from patch-o-matic in that you do not have to patch or recompile the kernel.
22 Comment(s)
Comments
I do not understand why HowToForge keeps giving users BAD advice to turn off SELinux. You really should stop doing that. SELinux is a tremendously good help to keep your server secure. And if some apps do not work with SELinux then those apps should ship with a proper SELinux policy. Turning off SELinux is NOT the solution and BAD advice.
I agree, but most people don't know how to work with SELinux permissions, so that was the easy way to get around it.
And here is the not-so-hard way to load the modules with SELinux enabled and enforcing: you have to change the security context permissions of the modules
chcon -vR --user=system_u /lib/modules/*/extra/*.ko
and
chcon -vR --type=lib_t /lib/xtables/*.so
By the way, the MaxMind GeoIP database is updated at the beginning of every month, so you should also rebuild the database on your box once in a while.
Thanks for writing this article. The information you have provided here will definitely help protect my email server from the Chinese/Korean/Russian spammers. Defense in depth is always a good thing.
I do have to agree with the previous poster's comment re: SELinux. It performs an important function and in my opinion should not be disabled. Usually people disable it because they don't understand it, and until I took some time to learn it, I was one of those folks, too. Now that I've learned the basics of it, I always leave it on and make an exception--if I need to--for the specific service that's affected by it. Or, even better, I'll just change the security context of the applicable file/object. SETroubleshoot is very helpful in these cases to track down what needs to be tweaked.
One other thing. For those who prefer not to install the RPMForge repository, you can get the same module directly from CPAN. It's the "Text::CSV_XS" module. This should work on any GNU/Linux distro.
If somehow the "make" fails on Centos 6 with the latest version of xtables-addons (1.3.9), then please disable "build_ipset6=m" in the mconfig file. Regards, Ankush
Hi
I am installing xtables_addons 1.47.1 in CentOS 6.5 x86_64
and I have obtained this error.
Do you know why? Could you help me please? I need to install these extensions. I don't have build_ipset6 in mconfig.
# make
make all-recursive
make[1]: se ingresa al directorio `/var/sources/src/xtables-addons-1.47.1'
Making all in extensions
make[2]: se ingresa al directorio `/var/sources/src/xtables-addons-1.47.1/extensions'
Xtables-addons 1.47.1 - Linux 2.6.32-431.el6.x86_64
if [ -n "/lib/modules/2.6.32-431.el6.x86_64/build" ]; then make -C /lib/modules/2.6.32-431.el6.x86_64/build M=/var/sources/src/xtables-addons-1.47.1/extensions modules; fi;
make[3]: se ingresa al directorio `/usr/src/kernels/2.6.32-431.el6.x86_64'
CC [M] /var/sources/src/xtables-addons-1.47.1/extensions/compat_xtables.o
/var/sources/src/xtables-addons-1.47.1/extensions/compat_xtables.c: En la función ‘xtnu_ipv6_find_hdr’:
/var/sources/src/xtables-addons-1.47.1/extensions/compat_xtables.c:633: error: faltan argumentos para la función ‘ipv6_find_hdr’
make[4]: *** [/var/sources/src/xtables-addons-1.47.1/extensions/compat_xtables.o] Error 1
make[3]: *** [_module_/var/sources/src/xtables-addons-1.47.1/extensions] Error 2
make[3]: se sale del directorio `/usr/src/kernels/2.6.32-431.el6.x86_64'
make[2]: *** [modules] Error 2
make[2]: se sale del directorio `/var/sources/src/xtables-addons-1.47.1/extensions'
make[1]: *** [all-recursive] Error 1
make[1]: se sale del directorio `/var/sources/src/xtables-addons-1.47.1'
make: *** [all] Error 2
Thanks in advance
/lib/modules/your_kernel_version/build/include/linux/autoconf.h
Comment out this line: #define CONFIG_IP6_NF_IPTABLES_MODULE 1
I've been looking at it, but the line you mention was already commented.
Any other idea?
You can write this /*#define CONFIG_IP6_NF_IPTABLES_MODULE 1*/
It runs with this comment. Thank you very much.
The file is in /usr/src/kernels/2.6.32-431.5.1.el6.x86_64/include/linux/autoconf.h
or
/usr/src/kernels/kernelversion/include/linux/autoconf.h
In my case, the build link in /lib/modules/2.6.32-431.el6.x86_64 is broken in CentOS 6.5.
Regards
It is harmful. Doing that change will cause kernel modules built afterwards to be potentially incompatible with your kernel and cause crashes.
The proper solution is not to doctor around with config switches, but instead to prepare the source to compile with the very special RHEL kernel API.
Sincerely.
You can also use a list of IPs in a file to block them through Iptables
I get many errors on this and have found nothing to make it right.
# make
make all-recursive
make[1]: Entering directory `/root/xtables-addons-2.1'
Making all in extensions
make[2]: Entering directory `/root/xtables-addons-2.1/extensions'
Xtables-addons 2.1 - Linux 2.6.32-279.14.1.el6.x86_64
if [ -n "/lib/modules/2.6.32-279.14.1.el6.x86_64/build" ]; then make -C /lib/modules/2.6.32-279.14.1.el6.x86_64/build M=/root/xtables-addons-2.1/extensions modules; fi;
make[3]: Entering directory `/usr/src/kernels/2.6.32-279.14.1.el6.x86_64'
CC [M] /root/xtables-addons-2.1/extensions/compat_xtables.o
/root/xtables-addons-2.1/extensions/compat_xtables.c:24:26: error: linux/export.h: No such file or directory
In file included from /root/xtables-addons-2.1/extensions/compat_xtables.c:26:
/root/xtables-addons-2.1/extensions/compat_xtnu.h:21: warning: ‘struct xt_action_param’ declared inside parameter list
/root/xtables-addons-2.1/extensions/compat_xtnu.h:21: warning: its scope is only this definition or declaration, which is probably not what you want
/root/xtables-addons-2.1/extensions/compat_xtnu.h:36: warning: ‘struct xt_action_param’ declared inside parameter list
/root/xtables-addons-2.1/extensions/compat_xtables.c:32: warning: ‘struct xt_action_param’ declared inside parameter list
/root/xtables-addons-2.1/extensions/compat_xtables.c: In function ‘xtnu_target_run’:
/root/xtables-addons-2.1/extensions/compat_xtables.c:34: error: dereferencing pointer to incomplete type
/root/xtables-addons-2.1/extensions/compat_xtables.c:36: warning: passing argument 2 of ‘nt->target’ from incompatible pointer type
/root/xtables-addons-2.1/extensions/compat_xtables.c:36: note: expected ‘const struct xt_action_param *’ but argument is of type ‘const struct xt_action_param *’
/root/xtables-addons-2.1/extensions/compat_xtables.c: In function ‘xtnu_register_target’:
/root/xtables-addons-2.1/extensions/compat_xtables.c:60: warning: assignment from incompatible pointer type
/root/xtables-addons-2.1/extensions/compat_xtables.c:61: warning: assignment from incompatible pointer type
make[4]: *** [/root/xtables-addons-2.1/extensions/compat_xtables.o] Error 1
make[3]: *** [_module_/root/xtables-addons-2.1/extensions] Error 2
make[3]: Leaving directory `/usr/src/kernels/2.6.32-279.14.1.el6.x86_64'
make[2]: *** [modules] Error 2
make[2]: Leaving directory `/root/xtables-addons-2.1/extensions'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/root/xtables-addons-2.1'
make: *** [all] Error 2
Use 1.47 for that kernel version.
Thank you ;)
Now it works fine ;)
Follow this tutorial step by step.
Everything is described: how to install and use iptables with geoip to block countries.
http://terminal28.com/how-to-block-countries-using-iptables-debian/
make runs just fine, but make install stops with this fault. (I have tried versions 1.37, 1.39 and 1.47; same problem.)
DEPMOD 2.6.32-431.3.1.el6.x86_64
/bin/sh: line 1: 29955 Killed /sbin/depmod -ae -F System.map
Does someone have a fix or a hint for this problem?
uname -ra
2.6.32-431.3.1.el6.x86_64 #1 SMP Fri Jan 3 21:39:27 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
Making install in extensions
make[1]: Entering directory `/usr/local/src/xtables-addons-1.39/extensions'
Xtables-addons 1.39 - Linux 2.6.32-431.3.1.el6.x86_64
if [ -n "/lib/modules/2.6.32-431.3.1.el6.x86_64/build" ]; then make -C /lib/modules/2.6.32-431.3.1.el6.x86_64/build M=/usr/local /src/xtables-addons-1.39/extensions modules; fi;
make[2]: Entering directory `/usr/src/kernels/2.6.32-431.3.1.el6.x86_64'
Building modules, stage 2.
MODPOST 20 modules
make[2]: Leaving directory `/usr/src/kernels/2.6.32-431.3.1.el6.x86_64'
make -f ../Makefile.iptrules all;
make[2]: Entering directory `/usr/local/src/xtables-addons-1.39/extensions'
make[3]: Entering directory `/usr/local/src/xtables-addons-1.39/extensions/ACCOUNT'
make -f ../../Makefile.iptrules all;
make[4]: Entering directory `/usr/local/src/xtables-addons-1.39/extensions/ACCOUNT'
make[4]: Leaving directory `/usr/local/src/xtables-addons-1.39/extensions/ACCOUNT'
make[3]: Leaving directory `/usr/local/src/xtables-addons-1.39/extensions/ACCOUNT'
make[3]: Entering directory `/usr/local/src/xtables-addons-1.39/extensions/pknock'
make -f ../../Makefile.iptrules all;
make[4]: Entering directory `/usr/local/src/xtables-addons-1.39/extensions/pknock'
make[4]: Leaving directory `/usr/local/src/xtables-addons-1.39/extensions/pknock'
make[3]: Leaving directory `/usr/local/src/xtables-addons-1.39/extensions/pknock'
make[2]: Leaving directory `/usr/local/src/xtables-addons-1.39/extensions'
make[2]: Entering directory `/usr/local/src/xtables-addons-1.39/extensions'
if [ -n "/lib/modules/2.6.32-431.3.1.el6.x86_64/build" ]; then make -C /lib/modules/2.6.32-431.3.1.el6.x86_64/build M=/usr/local /src/xtables-addons-1.39/extensions INSTALL_MOD_PATH= ext-mod-dir='${INSTALL_MOD_DIR}' modules_install; fi;
make[3]: Entering directory `/usr/src/kernels/2.6.32-431.3.1.el6.x86_64'
INSTALL /usr/local/src/xtables-addons-1.39/extensions/ACCOUNT/xt_ACCOUNT.ko
INSTALL /usr/local/src/xtables-addons-1.39/extensions/compat_xtables.ko
INSTALL /usr/local/src/xtables-addons-1.39/extensions/pknock/xt_pknock.ko
INSTALL /usr/local/src/xtables-addons-1.39/extensions/xt_CHAOS.ko
INSTALL /usr/local/src/xtables-addons-1.39/extensions/xt_DELUDE.ko
INSTALL /usr/local/src/xtables-addons-1.39/extensions/xt_DHCPMAC.ko
INSTALL /usr/local/src/xtables-addons-1.39/extensions/xt_DNETMAP.ko
INSTALL /usr/local/src/xtables-addons-1.39/extensions/xt_IPMARK.ko
INSTALL /usr/local/src/xtables-addons-1.39/extensions/xt_LOGMARK.ko
INSTALL /usr/local/src/xtables-addons-1.39/extensions/xt_STEAL.ko
INSTALL /usr/local/src/xtables-addons-1.39/extensions/xt_TARPIT.ko
INSTALL /usr/local/src/xtables-addons-1.39/extensions/xt_condition.ko
INSTALL /usr/local/src/xtables-addons-1.39/extensions/xt_fuzzy.ko
INSTALL /usr/local/src/xtables-addons-1.39/extensions/xt_geoip.ko
INSTALL /usr/local/src/xtables-addons-1.39/extensions/xt_iface.ko
INSTALL /usr/local/src/xtables-addons-1.39/extensions/xt_ipp2p.ko
INSTALL /usr/local/src/xtables-addons-1.39/extensions/xt_ipv4options.ko
INSTALL /usr/local/src/xtables-addons-1.39/extensions/xt_lscan.ko
INSTALL /usr/local/src/xtables-addons-1.39/extensions/xt_psd.ko
INSTALL /usr/local/src/xtables-addons-1.39/extensions/xt_quota2.ko
DEPMOD 2.6.32-431.3.1.el6.x86_64
/bin/sh: line 1: 29955 Killed /sbin/depmod -ae -F System.map 2.6.32-431.3.1.el6.x86_64
make[3]: *** [_emodinst_post] Error 137
make[3]: Leaving directory `/usr/src/kernels/2.6.32-431.3.1.el6.x86_64'
make[2]: *** [modules_install] Error 2
make[2]: Leaving directory `/usr/local/src/xtables-addons-1.39/extensions'
make[1]: *** [install-am] Error 2
make[1]: Leaving directory `/usr/local/src/xtables-addons-1.39/extensions'
make: *** [install-recursive] Error 1
I figured it out. I was running a virtual server with only 512 MB RAM, and that was the problem; add more RAM and it installed.
This happens when you have little memory on the box.
In CentOS 6.5 x64 with kernel 2.6.32-431.3.1.el6.centos.plus.x86_64 I have a compilation error with conflicting types for PDE_DATA.
How to fix it?
Is it possible to exclude this xt_CHAOS module from compilation?
<code>
make all-recursive
make[1]: Entering directory `/root/xtables-addons-2.4'
Making all in extensions
make[2]: Entering directory `/root/xtables-addons-2.4/extensions'
Xtables-addons 2.4 - Linux 2.6.32-431.5.1.el6.centos.plus.x86_64
if [ -n "/lib/modules/2.6.32-431.3.1.el6.centos.plus.x86_64/build" ]; then make -C /lib/modules/2.6.32-431.3.1.el6.centos.plus.x86_64/build M=/root/xtables-addons-2.4/extensions modules; fi;
make[3]: Entering directory `/usr/src/kernels/2.6.32-431.5.1.el6.centos.plus.x86_64'
CC [M] /root/xtables-addons-2.4/extensions/xt_CHAOS.o
In file included from /root/xtables-addons-2.4/extensions/compat_xtables.h:7,
from /root/xtables-addons-2.4/extensions/xt_CHAOS.c:24:
/root/xtables-addons-2.4/extensions/compat_xtnu.h:16: warning: ‘struct xt_action_param’ declared inside parameter list
/root/xtables-addons-2.4/extensions/compat_xtnu.h:16: warning: its scope is only this definition or declaration, which is probably not what you want
/root/xtables-addons-2.4/extensions/compat_xtnu.h:31: warning: ‘struct xt_action_param’ declared inside parameter list
In file included from /root/xtables-addons-2.4/extensions/xt_CHAOS.c:24:
/root/xtables-addons-2.4/extensions/compat_xtables.h:12:3: warning: #warning Kernels below 3.7 not supported.
In file included from /root/xtables-addons-2.4/extensions/xt_CHAOS.c:24:
/root/xtables-addons-2.4/extensions/compat_xtables.h:54: error: expected declaration specifiers or ‘...’ before ‘kuid_t’
/root/xtables-addons-2.4/extensions/compat_xtables.h:54: error: expected declaration specifiers or ‘...’ before ‘kgid_t’
/root/xtables-addons-2.4/extensions/compat_xtables.h: In function ‘proc_set_user’:
/root/xtables-addons-2.4/extensions/compat_xtables.h:56: error: ‘uid’ undeclared (first use in this function)
/root/xtables-addons-2.4/extensions/compat_xtables.h:56: error: (Each undeclared identifier is reported only once
/root/xtables-addons-2.4/extensions/compat_xtables.h:56: error: for each function it appears in.)
/root/xtables-addons-2.4/extensions/compat_xtables.h:57: error: ‘gid’ undeclared (first use in this function)
/root/xtables-addons-2.4/extensions/compat_xtables.h: At top level:
/root/xtables-addons-2.4/extensions/compat_xtables.h:60: error: conflicting types for ‘PDE_DATA’
include/linux/proc_fs.h:328: note: previous definition of ‘PDE_DATA’ was here
/root/xtables-addons-2.4/extensions/xt_CHAOS.c:49: warning: ‘struct xt_action_param’ declared inside parameter list
/root/xtables-addons-2.4/extensions/xt_CHAOS.c: In function ‘xt_chaos_total’:
/root/xtables-addons-2.4/extensions/xt_CHAOS.c:51: error: dereferencing pointer to incomplete type
/root/xtables-addons-2.4/extensions/xt_CHAOS.c:60: error: storage size of ‘local_par’ isn’t known
/root/xtables-addons-2.4/extensions/xt_CHAOS.c:61: error: dereferencing pointer to incomplete type
/root/xtables-addons-2.4/extensions/xt_CHAOS.c:62: error: dereferencing pointer to incomplete type
/root/xtables-addons-2.4/extensions/xt_CHAOS.c:62: warning: left-hand operand of comma expression has no effect
/root/xtables-addons-2.4/extensions/xt_CHAOS.c:63: warning: left-hand operand of comma expression has no effect
/root/xtables-addons-2.4/extensions/xt_CHAOS.c:60: warning: unused variable ‘local_par’
/root/xtables-addons-2.4/extensions/xt_CHAOS.c:76: error: storage size of ‘local_par’ isn’t known
/root/xtables-addons-2.4/extensions/xt_CHAOS.c:77: error: dereferencing pointer to incomplete type
/root/xtables-addons-2.4/extensions/xt_CHAOS.c:78: error: dereferencing pointer to incomplete type
/root/xtables-addons-2.4/extensions/xt_CHAOS.c:79: error: dereferencing pointer to incomplete type
/root/xtables-addons-2.4/extensions/xt_CHAOS.c:81: error: dereferencing pointer to incomplete type
/root/xtables-addons-2.4/extensions/xt_CHAOS.c:82: error: dereferencing pointer to incomplete type
/root/xtables-addons-2.4/extensions/xt_CHAOS.c:76: warning: unused variable ‘local_par’
/root/xtables-addons-2.4/extensions/xt_CHAOS.c: At top level:
/root/xtables-addons-2.4/extensions/xt_CHAOS.c:88: warning: ‘struct xt_action_param’ declared inside parameter list
/root/xtables-addons-2.4/extensions/xt_CHAOS.c: In function ‘chaos_tg’:
/root/xtables-addons-2.4/extensions/xt_CHAOS.c:98: error: dereferencing pointer to incomplete type
/root/xtables-addons-2.4/extensions/xt_CHAOS.c:102: error: storage size of ‘local_par’ isn’t known
/root/xtables-addons-2.4/extensions/xt_CHAOS.c:103: error: dereferencing pointer to incomplete type
/root/xtables-addons-2.4/extensions/xt_CHAOS.c:104: error: dereferencing pointer to incomplete type
/root/xtables-addons-2.4/extensions/xt_CHAOS.c:105: error: dereferencing pointer to incomplete type
/root/xtables-addons-2.4/extensions/xt_CHAOS.c:102: warning: unused variable ‘local_par’
/root/xtables-addons-2.4/extensions/xt_CHAOS.c:114: error: dereferencing pointer to incomplete type
/root/xtables-addons-2.4/extensions/xt_CHAOS.c:115: warning: passing argument 2 of ‘xt_chaos_total’ from incompatible pointer type
/root/xtables-addons-2.4/extensions/xt_CHAOS.c:49: note: expected ‘const struct xt_action_param *’ but argument is of type ‘const struct xt_action_param *’
/root/xtables-addons-2.4/extensions/xt_CHAOS.c: At top level:
/root/xtables-addons-2.4/extensions/xt_CHAOS.c:145: warning: initialization from incompatible pointer type
/root/xtables-addons-2.4/extensions/xt_CHAOS.c:146: warning: initialization from incompatible pointer type
/root/xtables-addons-2.4/extensions/xt_CHAOS.c: In function ‘chaos_tg_init’:
/root/xtables-addons-2.4/extensions/xt_CHAOS.c:155: error: implicit declaration of function ‘xt_request_find_match’
/root/xtables-addons-2.4/extensions/xt_CHAOS.c:155: warning: assignment makes pointer from integer without a cast
make[4]: *** [/root/xtables-addons-2.4/extensions/xt_CHAOS.o] Error 1
make[3]: *** [_module_/root/xtables-addons-2.4/extensions] Error 2
make[3]: Leaving directory `/usr/src/kernels/2.6.32-431.5.1.el6.centos.plus.x86_64'
make[2]: *** [modules] Error 2
make[2]: Leaving directory `/root/xtables-addons-2.4/extensions'
</code>
One bit that isn't obvious concerns the two folders into which the database files go.
I stumbled upon this, which I think should be included in the installation explanation:
The packed data files are placed in sub-folders (and, after looking at the source, the ‘BE/LE’ folders are for ‘big endian/little endian’ which implies that the data files are indeed different…) *.iv4 ~= IPv4 space; *.iv6 ~= IPv6 space; *.iv0 ~= (most likely) IPv4 space – (guessing about this…)
-rw-r--r--. 1 root root 13776 Sep 11 20:57 BE/CN.iv0
-rw-r--r--. 1 root root 13776 Sep 11 20:55 BE/CN.iv4
-rw-r--r--. 1 root root 4544 Sep 11 20:55 BE/CN.iv6
-rw-r--r--. 1 root root 13776 Sep 11 20:57 LE/CN.iv0
-rw-r--r--. 1 root root 13776 Sep 11 20:55 LE/CN.iv4
-rw-r--r--. 1 root root 4544 Sep 11 20:55 LE/CN.iv6
Even the author of that tidbit wasn't sure. I put all of mine in the LE folder and I'm guessing I don't need the BE folder.
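As an added example (not code from the tutorial or from any commenter), the following packs and reads the .iv4 layout the xt_geoip_build script writes: one 8-byte record per address range (first and last IPv4 address as 32-bit integers), in network byte order under BE/ and little-endian under LE/, which is why the 13776-byte CN.iv4 above is exactly 1722 records, and why the userspace geoip match picks the folder matching the host byte order (LE on x86). The sample ranges are constructed, not real country allocations, and the .iv6 layout is not covered here.

```python
import ipaddress
import struct

# Constructed sample ranges (not real country allocations): inclusive
# (first, last) IPv4 ranges, sorted, as xt_geoip_build would emit them.
SAMPLE_RANGES = [
    ("1.0.1.0", "1.0.3.255"),
    ("14.0.0.0", "14.0.255.255"),
    ("27.8.0.0", "27.31.255.255"),
]

RECORD = 8  # one .iv4 record: two uint32, first and last address of a range


def _fmt(endian):
    """struct format for one record: BE/ files are network order, LE/ little-endian."""
    if endian not in ("BE", "LE"):
        raise ValueError("endian must be 'BE' or 'LE'")
    return ">II" if endian == "BE" else "<II"


def pack_iv4(ranges, endian):
    """Build the bytes of a CC.iv4 file for the given byte order."""
    out = bytearray()
    for first, last in ranges:
        a = int(ipaddress.IPv4Address(first))
        b = int(ipaddress.IPv4Address(last))
        if a > b:
            raise ValueError(f"range {first}-{last} is reversed")
        out += struct.pack(_fmt(endian), a, b)
    return bytes(out)


def parse_iv4(data, endian):
    """Return the (first, last) integer pairs stored in an .iv4 blob."""
    if len(data) % RECORD:
        raise ValueError(f"{len(data)} bytes is not a multiple of {RECORD}")
    return [struct.unpack_from(_fmt(endian), data, off)
            for off in range(0, len(data), RECORD)]


def contains(data, endian, ip):
    """True if ip falls inside any range of the blob (simple linear scan)."""
    n = int(ipaddress.IPv4Address(ip))
    return any(first <= n <= last for first, last in parse_iv4(data, endian))


def record_count(file_size):
    """Number of ranges in an .iv4 file of this size, e.g. 13776 -> 1722."""
    if file_size % RECORD:
        raise ValueError("not a valid .iv4 size")
    return file_size // RECORD


if __name__ == "__main__":
    le = pack_iv4(SAMPLE_RANGES, "LE")
    print(contains(le, "LE", "1.0.2.7"), contains(le, "LE", "200.0.0.1"))
    # Reading an LE file with BE byte order silently yields bogus ranges,
    # so an address far outside the list appears to match:
    print(contains(le, "BE", "200.0.0.1"))
```

The last call shows why the folder choice matters: a file read with the wrong byte order does not fail, it just matches the wrong addresses.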