How to get the Linux Kernel 2.6.24 working with Iptables, ipp2p and L7-Filter to control Peer to Peer flow on a network




The process described below works for kernel 2.6.24 and has been tested on Debian Etch 4.0.
If you have questions, contact me at nicolas_henry [(]At})] orange.fr

So here is the deal.

I wanted my Debian 4.0 box to filter P2P traffic, such as BitTorrent and eDonkey, under kernel 2.6.24. That is of course possible, but it involves patching things at multiple levels, and the solution for ipp2p finally came from a web site in Thailand (?unsure) that had located Gentoo (!) patches which apply cleanly and fix the latest build/compile issues with ipp2p.

Suchart's blog:
http://suchart.wordpress.com/2008/02/02/kernel-2624-iptables-140-l7-filter-217-ipp2p-082-on-debian-40/

I also copied the Gentoo ipp2p patches to my site to make sure they do not disappear from cyberspace:
Patch for Iptables : ipp2p-0.8.2-iptables-1.4.0.patch
Patch for Kernel 2.6.24 : ipp2p-0.8.2-kernel-2.6.22.patch

I also made a patch for the ipp2p Makefile changes, which are a bit tricky to handle by hand:
Patch for ipp2p Makefile : ipp2p-0.8.2-makefile-patch


The patch written for kernel 2.6.22 works fine with kernel 2.6.24.

1. Install the needed sources in the /usr/src directory.

cd /usr/src/
wget http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.24.tar.bz2
wget http://mesh.dl.sourceforge.net/sourceforge/l7-filter/netfilter-layer7-v2.17.tar.gz
wget http://surfnet.dl.sourceforge.net/sourceforge/l7-filter/l7-protocols-2008-02-20.tar.gz
wget http://iptables.org/projects/iptables/files/iptables-1.4.0.tar.bz2
wget http://www.ipp2p.org/downloads/ipp2p-0.8.2.tar.gz
wget http://www.caronico.com/linux/ipp2p-0.8.2-iptables-1.4.0.patch
wget http://www.caronico.com/linux/ipp2p-0.8.2-kernel-2.6.22.patch
wget http://www.caronico.com/linux/ipp2p-0.8.2-makefile-patch

tar xvjf linux-2.6.24.tar.bz2
tar xvzf netfilter-layer7-v2.17.tar.gz
tar xvzf l7-protocols-2008-02-20.tar.gz
tar xvjf iptables-1.4.0.tar.bz2
tar xvzf ipp2p-0.8.2.tar.gz

ln -s linux-2.6.24 linux
ln -s iptables-1.4.0 iptables


2. Patch the Kernel

cd /usr/src/linux
patch -p1 < ../netfilter-layer7-v2.17/kernel-2.6.22-2.6.24-layer7-2.17.patch
patch -p1 < ../ipp2p-0.8.2-kernel-2.6.22.patch


3. Patch iptables

cd ../iptables
patch -p1 < ../netfilter-layer7-v2.17/iptables-1.4-for-kernel-2.6.20forward-layer7-2.17.patch
patch -p1 < ../ipp2p-0.8.2-iptables-1.4.0.patch


4. Configure and compile the Kernel

cd /usr/src/linux
make menuconfig
Configure your kernel with the modules and drivers you need.
Make sure to select the right options to activate Layer 7 filtering:
Networking
- Networking options
- - Network packet filtering framework (Netfilter)
- - - Core netfilter configuration
Netfilter connection tracking support
"layer7" match support
I have not activated layer7 debugging on my machine.

Under "Netfilter Configuration" I suggest you select everything as modules, in particular Full NAT and connection tracking support; otherwise ipp2p and L7 won't be able to track connections and tell which ones are P2P and which are not.
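Since the build in this step takes a long time, it is worth checking the saved .config before running make. The script below is an added example, not part of the original write-up: it reads a .config and reports each required netfilter option as built-in (y), module (m), explicitly unset, or missing altogether. The option names CONFIG_NF_CONNTRACK, CONFIG_NF_NAT and CONFIG_NETFILTER_XT_MATCH_LAYER7 are my assumption based on the 2.6.24 netfilter tree and the layer7 2.17 Kconfig; confirm them against net/netfilter/Kconfig in your patched tree. A "missing" result for the layer7 option usually means the kernel patch in step 2 did not apply.

```shell
#!/bin/sh
# Added example (not from the original write-up): verify a kernel .config
# carries the netfilter options the L7 and ipp2p matches depend on.
# Option names are an assumption; check them against your patched Kconfig.

# Space separated so the loop works in plain POSIX sh.
REQUIRED_OPTIONS="CONFIG_NF_CONNTRACK CONFIG_NF_NAT CONFIG_NETFILTER_XT_MATCH_LAYER7"

# config_state FILE OPTION -> prints "y", "m", "unset" or "missing"
config_state() {
    cf=$1; co=$2
    if grep -q "^${co}=y$" "$cf"; then echo y
    elif grep -q "^${co}=m$" "$cf"; then echo m
    elif grep -q "^# ${co} is not set$" "$cf"; then echo unset
    else echo missing
    fi
}

# check_kernel_config FILE -> one line per option; returns 0 only when every
# required option is built-in or a module. "missing" means the Kconfig entry
# itself is absent, i.e. the patch adding it is not in the tree.
check_kernel_config() {
    file=$1; rc=0
    for opt in $REQUIRED_OPTIONS; do
        state=$(config_state "$file" "$opt")
        case $state in
            y|m) printf '%-36s ok (%s)\n' "$opt" "$state" ;;
            *)   printf '%-36s PROBLEM (%s)\n' "$opt" "$state"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample .config (NAT deliberately left unset) for a stand-alone run.
make_sample_config() {
    cat > "$1" <<'EOF'
CONFIG_NETFILTER=y
CONFIG_NF_CONNTRACK=m
# CONFIG_NF_NAT is not set
CONFIG_NETFILTER_XT_MATCH_LAYER7=m
EOF
}

case "${1:-}" in
    check) check_kernel_config "${2:-/usr/src/linux/.config}" ;;
    demo)  tmp=$(mktemp); make_sample_config "$tmp"; check_kernel_config "$tmp"; rm -f "$tmp" ;;
esac
```

Run it as `sh check-config.sh check` after saving the menuconfig result (it defaults to /usr/src/linux/.config), or `sh check-config.sh demo` to see the output on the constructed sample, where the unset NAT option is flagged as a PROBLEM.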

make
make modules_install
make install
update-grub
(I use grub as boot manager on my machine)
Reboot into the new kernel.


5. Compile and install iptables 1.4.0

cd /usr/src/iptables
make KERNEL_DIR=/usr/src/linux
make install


6. Install the list of protocols for L7

mv /usr/src/l7-protocols-2008-02-20 /etc/l7-protocols


7. Patch and compile ipp2p (that was the tough part for me)

cd /usr/src/ipp2p-0.8.2
patch -p0 <../ipp2p-0.8.2-kernel-2.6.22.patch
patch -p0 <../ipp2p-0.8.2-iptables-1.4.0.patch
patch -p0 <../ipp2p-0.8.2-makefile-patch
make
cp libipt_ipp2p.so /usr/local/lib/iptables/
cp ipt_ipp2p.ko /lib/modules/2.6.24/kernel/net/netfilter/
depmod -a


8. Load the modules and have a look

iptables -A FORWARD -m ipp2p --ipp2p -j DROP
iptables -A FORWARD -m layer7 --l7proto bittorrent -j DROP

This should load both modules and will drop connections identified as P2P/BitTorrent.
You can also run iptables to list the rules in the filter or mangle table (the rules above are filter rules):

iptables -nvL
lsmod should also report the ipp2p and layer7 modules as loaded.
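Dropping straight away tells you nothing about what the two matches actually classify as P2P, and a misfiring pattern silently breaks legitimate traffic. The script below is an added example, not part of the original write-up: it generates the same FORWARD rules as above for ipp2p, bittorrent and edonkey, but precedes each DROP with a rate-limited LOG rule (the LOG target writes to the kernel log, so hits show up in dmesg or syslog), and it checks lsmod output for both modules. Assumptions: the layer7 module is named xt_layer7 (ipt_ipp2p is the file name from step 7), and the l7-protocols set includes "bittorrent" and "edonkey" patterns. The rules are only printed unless you invoke the script with `apply`.

```shell
#!/bin/sh
# Added example, not from the original write-up: log a sample of what the
# matches classify as P2P before dropping it, and verify the modules loaded.
# Assumed module names: ipt_ipp2p (file name from step 7) and xt_layer7.

MODULES="ipt_ipp2p xt_layer7"

# p2p_rules CHAIN -> prints the iptables commands, one per line, without
# running them. Each match gets a LOG rule limited to 6 lines per minute,
# then the DROP rule, so the log cannot be flooded by a busy P2P client.
p2p_rules() {
    chain=$1
    for match in "-m ipp2p --ipp2p" \
                 "-m layer7 --l7proto bittorrent" \
                 "-m layer7 --l7proto edonkey"; do
        # log prefix derived from the last word of the match spec ("ipp2p", "bittorrent", ...)
        tag=$(echo "$match" | awk '{print $NF}' | tr -d -)
        echo "iptables -A $chain $match -m limit --limit 6/min -j LOG --log-prefix \"P2P-$tag: \""
        echo "iptables -A $chain $match -j DROP"
    done
}

# modules_loaded "mod1 mod2 ..." -> reads lsmod output on stdin (first column
# is the module name, first line is the header), prints each missing name,
# returns 0 only if every listed module is present.
modules_loaded() {
    awk -v want="$1" '
        BEGIN { n = split(want, w, " "); rc = 0 }
        NR > 1 { seen[$1] = 1 }
        END {
            for (i = 1; i <= n; i++)
                if (!(w[i] in seen)) { print "not loaded: " w[i]; rc = 1 }
            exit rc
        }'
}

case "${1:-}" in
    show)  p2p_rules FORWARD ;;
    apply) p2p_rules FORWARD | sh -e \
             && lsmod | modules_loaded "$MODULES" \
             && iptables -nvL FORWARD ;;
esac
```

`sh p2p-rules.sh show` prints the six rules for review; `sh p2p-rules.sh apply` runs them, then fails loudly if either module is absent from lsmod, and finally lists the FORWARD chain with counters so you can watch the LOG and DROP rules accumulate hits.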


ENJOY !