How to install xtables-addons on CentOS 6

1 Preliminary Note

Before we start, make sure that SELinux is disabled. Run

system-config-securitylevel

or edit /etc/selinux/config

# This file controls the state of SELinux on the system. # SELINUX= can take one of these three values: # enforcing - SELinux security policy is enforced. # permissive - SELinux prints warnings instead of enforcing. # disabled - No SELinux policy is loaded. SELINUX=disabled # SELINUXTYPE= can take one of these two values: # targeted - Targeted processes are protected, # mls - Multi Level Security protection. SELINUXTYPE=targeted

to disable SELinux, and ...

echo 0 > /selinux/enforce

... for the change to take effect.

 

2 Supported Configurations

* iptables >= 1.4.3

* kernel-source >= 2.6.29

For ipset-6 you need:

* libmnl

* Linux kernel >= 2.6.35

 

3 Installing Packages

Note: you'll need the same version of kernel-devel package as your current kernel!

uname -r

2.6.32-71.el6.i686

yum install gcc gcc-c++ make automake unzip zip xz kernel-devel-`uname -r` iptables-devel

In this case kernel-devel-2.6.32-71.el6.i686

Install rpmforge repo for perl-Text-CSV_XS package:

rpm -i http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.i686.rpm

yum install perl-Text-CSV_XS

 

4 Compile xtables-addons

Get xtables-addons source and unarchive it:

wget http://downloads.sourceforge.net/project/xtables-addons/Xtables-addons/1.37/xtables-addons-1.37.tar.xz

tar xvf xtables-addons-1.37.tar.xz

Compile modules:

cd xtables-addons-1.37/

Note: You can edit the "mconfig" file to select what modules to build and install. By default, all modules are enabled.

./configure

make && make install

 

5 Setting Up geoip Module

Create geoip database for iptables geoip match:

cd geoip/

Using the scripts form geoip folder download and compile MaxMind GeoIPCountry database:

./xt_geoip_dl

./xt_geoip_build GeoIPCountryWhois.csv

Move the files to their default location:

mkdir -p /usr/share/xt_geoip/

cp -r {BE,LE} /usr/share/xt_geoip/

Test it like this:

iptables -I INPUT -m geoip --src-cc CN -j DROP

This will drop all incoming connections from China.

 

Add to Favourites  Add to Favourites    Print this Article  Print this Article

Was this answer helpful?