Right then, back to the post topic, compiling ip6tables. For this, not only did I compile the kernel modules but the ip6tables binaries. From last time you should have the cross-compile environment set up. Add the toolchain relevant to you to you path:
# PATH=$PATH:/opt/toolchain-mipsel_3.3.6_BRCM24/binI've used the gcc3.3 version of the toolchain as I had some display issues when compiling with 4.2.
First, we'll compile the needed kernel modules. This line I did steal from the other blog. I distinctly remeber running into this error, so in you linux source directory, run
# echo "#define JHASH_GOLDEN_RATIO 0x9e3779b9" >> include/linux/jhash2.hI added to following kernel options to .config
CONFIG_NF_CONNTRACK_IPV6=m CONFIG_IP6_NF_IPTABLES=m CONFIG_IP6_NF_MATCH_RT=m CONFIG_IP6_NF_MATCH_OPTS=m CONFIG_IP6_NF_MATCH_FRAG=m CONFIG_IP6_NF_MATCH_HL=m CONFIG_IP6_NF_MATCH_OWNER=m CONFIG_IP6_NF_MATCH_IPV6HEADER=m CONFIG_IP6_NF_MATCH_AH=m CONFIG_IP6_NF_MATCH_MH=m CONFIG_IP6_NF_MATCH_EUI64=m CONFIG_IP6_NF_FILTER=m CONFIG_IP6_NF_TARGET_LOG=m CONFIG_IP6_NF_TARGET_REJECT=m CONFIG_IP6_NF_MANGLE=m CONFIG_IP6_NF_TARGET_HL=m CONFIG_IP6_NF_RAW=mOnce you've added that, make sure that all dependencies are selected. You may also be asked for more options.
# make oldconfigAnd to compile
# make modulesIf you get errors about madwifi that force the build to fail, and don't need the madwifi drivers, the other blog mentioned earlier has a small snippet to get rid if that error.
The next thing to do is cd into the folder with the ip6tables modules and strip debugging symbols to make it nice and small.
# cd net/ipv6/netfilter # mipsel-linux-uclibc-strip --strip-unneeded *.koAnd that should be it. You have now compiled all the modules we need to make ip6tables work. Copy these onto your router.
Now we'll move on to something more useful to our followers, compiling applications. The first one we'll do is the ip6tables userspace utilities. Please bear in mind that not all applications will compile easily or without tweaking. Firstly, grab and unpack the source code.
# wget http://www.netfilter.org/projects/iptables/files/iptables-1.4.10.tar.bz2 # tar -xjvf iptables-1.4.10.tar.bz2 # cd iptables-1.4.10Now ip6tables is one of the easiest things to compile, as it seems to need little or now tweaking. Most configure scripts support a --host parameter which enables you to specify which platform to cross compile to. I also use --prefix=/opt so I can find just the binaries once compiled easily. We also only want the IPv6 version, as the IPv4 version is already installed.
# ./configure --prefix=/opt --host=mipsel-linux-uclibc --disable-ipv4If that worked without any errors, you can now build ip6tables and optionally install them to whatever you set prefix as above. If you need to, run the install as root.
# make # sudo make installAs I install DD-WRT stuff only to /opt, we can go though all the directories to strip the binaries to make them smaller.
$ cd /opt/bin $ mipsel-linux-uclibc-strip --strip-unneeded * $ cd /opt/sbin $ mipsel-linux-uclibc-strip --strip-unneeded * $ cd /opt/lib $ mipsel-linux-uclibc-strip --strip-unneeded *.so $ cd /opt/libexec/xtables $ mipsel-linux-uclibc-strip --strip-unneeded *.soWe can also dispense with any man pages
$ rm -rf /opt/shareI find the easiest way to get these files onto the router is to tar them, scp the tar and extract it on the router. I have my usb stick mounted to /opt, too.
$ tar czvf ~/opt.tar.gz /opt $ scp ~/opt.tar.gz root@router:/tmp $ ssh root@router (ssh) $ tar xzvf /tmp/opt.tar.gz -C / (ssh) $ rm /tmp/opt.tar.gzIf all went well, you should now be able to run the following command without errors:
$ ip6tables -LThat's about it really, doesn't that look less painful. No we just need to create some rules! There are some things to remember here, certain classes of icmpv6 messages are required in all cases. I've not distinguished between them, however. For now, this should be sufficient:
ip6tables -A INPUT -p ipv6-icmp -j ACCEPT ip6tables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT ip6tables -A INPUT -p tcp --dport 22 -j ACCEPT ip6tables -P INPUT DROPThat allows the required icmpv6, related connections and ssh connections over IPv6 to the router. We'll add more later on when we come to use DHCPv6 and then DNS over IPv6. It may be wise to add these commands to startup.
Next time we'll have a go at DHCPv6, a more complicated example which took me many hours and much Googling just to get passed the configure stage. I'm also going to attempt kismet drone at some point in the near future.
No comments:
Post a Comment