Sunday, 13 February 2011

Compiling ip6tables for DD-WRT

Firstly, I'd just like to inform you all that it appears I'm not the only person to have done this. Whilst Googling certain terms, I discovered another blog containing posts on setting up aiccu, radvd and ip6tables on DD-WRT: http://blog.dest-unreach.be/. Please be aware that both blogs have been written independently; no one has stolen anything from the other.

Right then, back to the topic of this post: compiling ip6tables. For this I compiled not only the kernel modules but also the ip6tables userspace binaries. From last time you should have the cross-compile environment set up. Add the toolchain relevant to you to your PATH:
# PATH=$PATH:/opt/toolchain-mipsel_3.3.6_BRCM24/bin
I've used the gcc3.3 version of the toolchain as I had some display issues when compiling with 4.2.

First, we'll compile the needed kernel modules. This line I did take from the other blog; I distinctly remember running into this error. In your Linux source directory, run
# echo "#define JHASH_GOLDEN_RATIO    0x9e3779b9" >> include/linux/jhash2.h
Then add the following kernel options to .config (all as modules, so they can be loaded on the router without reflashing the kernel):
CONFIG_NF_CONNTRACK_IPV6=m
CONFIG_IP6_NF_IPTABLES=m
CONFIG_IP6_NF_MATCH_RT=m
CONFIG_IP6_NF_MATCH_OPTS=m
CONFIG_IP6_NF_MATCH_FRAG=m
CONFIG_IP6_NF_MATCH_HL=m
CONFIG_IP6_NF_MATCH_OWNER=m
CONFIG_IP6_NF_MATCH_IPV6HEADER=m
CONFIG_IP6_NF_MATCH_AH=m
CONFIG_IP6_NF_MATCH_MH=m
CONFIG_IP6_NF_MATCH_EUI64=m
CONFIG_IP6_NF_FILTER=m
CONFIG_IP6_NF_TARGET_LOG=m
CONFIG_IP6_NF_TARGET_REJECT=m
CONFIG_IP6_NF_MANGLE=m
CONFIG_IP6_NF_TARGET_HL=m
CONFIG_IP6_NF_RAW=m
Once you've added those, run oldconfig so that their dependencies get selected. You may be asked about further options. Be aware that oldconfig silently drops any option whose dependencies are not enabled, so check afterwards that the options above are still set to m.
# make oldconfig
And to compile the modules:
# make modules
If you get errors about madwifi that force the build to fail, and you don't need the madwifi drivers, the other blog mentioned earlier has a small snippet to get rid of that error.
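The .config edit and the post-oldconfig check above, as an added shell example that is not from the original post. Appending with echo (as the JHASH line does) works for a header, but in .config it leaves a stale "# SYMBOL is not set" line beside the new assignment; the helpers below replace that line instead, and kconfig_check reports any option that "make oldconfig" threw away because a dependency (CONFIG_IPV6, CONFIG_NETFILTER, ...) was missing. The option list is the one from the post, assumed to be wanted as modules; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): set the ip6tables kernel
# options in .config without leaving conflicting duplicate lines, then
# verify after "make oldconfig" that none were silently dropped.

# The option list from the post; assumed to be wanted as modules ("m").
IP6_NF_OPTIONS="CONFIG_NF_CONNTRACK_IPV6 CONFIG_IP6_NF_IPTABLES
CONFIG_IP6_NF_MATCH_RT CONFIG_IP6_NF_MATCH_OPTS CONFIG_IP6_NF_MATCH_FRAG
CONFIG_IP6_NF_MATCH_HL CONFIG_IP6_NF_MATCH_OWNER CONFIG_IP6_NF_MATCH_IPV6HEADER
CONFIG_IP6_NF_MATCH_AH CONFIG_IP6_NF_MATCH_MH CONFIG_IP6_NF_MATCH_EUI64
CONFIG_IP6_NF_FILTER CONFIG_IP6_NF_TARGET_LOG CONFIG_IP6_NF_TARGET_REJECT
CONFIG_IP6_NF_MANGLE CONFIG_IP6_NF_TARGET_HL CONFIG_IP6_NF_RAW"

# kconfig_set FILE SYMBOL VALUE
# Remove any existing "SYMBOL=..." line or "# SYMBOL is not set" comment,
# then append the wanted assignment, so FILE makes exactly one statement
# about SYMBOL.
kconfig_set() {
    file=$1; sym=$2; val=$3
    tmp="$file.tmp.$$"
    grep -v -e "^$sym=" -e "^# $sym is not set\$" "$file" > "$tmp" || :
    printf '%s=%s\n' "$sym" "$val" >> "$tmp"
    mv "$tmp" "$file"
}

# kconfig_get FILE SYMBOL
# Print the symbol's value ("y", "m", a string), or "n" when it is absent
# or marked "is not set", which is how Kconfig treats it.
kconfig_get() {
    file=$1; sym=$2
    v=$(sed -n "s/^$sym=//p" "$file" | tail -n 1)
    if [ -n "$v" ]; then
        printf '%s\n' "$v"
    else
        printf 'n\n'
    fi
}

# kconfig_check FILE VALUE SYMBOL...
# Print every SYMBOL whose value differs from VALUE; return 1 if any does.
# Run this after "make oldconfig" to catch options it dropped.
kconfig_check() {
    file=$1; want=$2; shift 2
    rc=0
    for sym in "$@"; do
        got=$(kconfig_get "$file" "$sym")
        if [ "$got" != "$want" ]; then
            printf '%s: wanted %s, have %s\n' "$sym" "$want" "$got"
            rc=1
        fi
    done
    return "$rc"
}

# Usage from the top of the kernel source tree (not run here):
#   for s in $IP6_NF_OPTIONS; do kconfig_set .config "$s" m; done
#   make oldconfig
#   kconfig_check .config m $IP6_NF_OPTIONS || echo "enable the missing dependencies and rerun"
```

Newer kernel trees ship scripts/config (e.g. scripts/config --module CONFIG_IP6_NF_IPTABLES), which does the same replacement; the functions above are for trees that predate it.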

Next, cd into the directory holding the ip6tables modules and strip the debugging symbols to make them nice and small:
# cd net/ipv6/netfilter
# mipsel-linux-uclibc-strip --strip-unneeded *.ko
That should be it: you have now compiled all the modules needed to make ip6tables work. Copy them onto your router. Two things to check before loading them: the modules must come from the same kernel source and configuration as the kernel the router is actually running (compare uname -r on the router with the version in your tree, or insmod will refuse them), and insmod does not resolve dependencies, so load ip6_tables.ko first, then the table modules (ip6table_filter.ko, ip6table_mangle.ko, ip6table_raw.ko) and the individual match and target modules, with nf_conntrack_ipv6.ko in place before any rule that uses connection state.

Now we'll move on to something more useful to our followers: compiling applications. The first one we'll do is the ip6tables userspace utilities. Please bear in mind that not all applications will compile this easily or without tweaking. Firstly, grab and unpack the source code.
# wget http://www.netfilter.org/projects/iptables/files/iptables-1.4.10.tar.bz2
# tar -xjvf iptables-1.4.10.tar.bz2
# cd iptables-1.4.10
Now, ip6tables is one of the easiest things to compile, as it seems to need little or no tweaking. Most configure scripts support a --host parameter which lets you specify the platform to cross-compile for; the value must match the prefix of your toolchain binaries (here mipsel-linux-uclibc, so that configure finds mipsel-linux-uclibc-gcc on the PATH set earlier). I also use --prefix=/opt so I can easily find just the compiled binaries. We also only want the IPv6 version, as the IPv4 version is already installed in the firmware.
# ./configure --prefix=/opt --host=mipsel-linux-uclibc --disable-ipv4
If that worked without errors, you can now build ip6tables and optionally install it to whatever you set as the prefix above. If you need to, run the install as root. (If you would rather not write into /opt on the build host, make DESTDIR=/some/staging/dir install puts the same /opt tree under that directory instead.)
# make
# sudo make install
As I install DD-WRT stuff only to /opt, we can go through all the directories and strip the binaries to make them smaller:
$ cd /opt/bin
$ mipsel-linux-uclibc-strip --strip-unneeded *
$ cd /opt/sbin
$ mipsel-linux-uclibc-strip --strip-unneeded *
$ cd /opt/lib
$ mipsel-linux-uclibc-strip --strip-unneeded *.so
$ cd /opt/libexec/xtables
$ mipsel-linux-uclibc-strip --strip-unneeded *.so
We can also dispense with the man pages:
$ rm -rf /opt/share
I find the easiest way to get these files onto the router is to tar them, scp the tarball and extract it on the router. I have my USB stick mounted at /opt on the router, too. (tar strips the leading slash from the member names, which is why extracting with -C / puts them back under /opt.)
$ tar czvf ~/opt.tar.gz /opt
$ scp ~/opt.tar.gz root@router:/tmp
$ ssh root@router
(ssh) $ tar xzvf /tmp/opt.tar.gz -C /
(ssh) $ rm /tmp/opt.tar.gz
If all went well, you should now be able to run the following command without errors. If instead it complains that it can't initialize the filter table and asks whether you need to insmod, the ip6_tables and ip6table_filter modules from earlier are not loaded:
$ ip6tables -L
That's about it really; doesn't that look less painful? Now we just need to create some rules! There are some things to remember here: certain classes of ICMPv6 messages (neighbour discovery, packet-too-big and the other error messages) are required for IPv6 to work at all, so they must never be blocked. I've not distinguished between them here, however. For now, this should be sufficient:
ip6tables -A INPUT -p ipv6-icmp -j ACCEPT
ip6tables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
ip6tables -A INPUT -p tcp --dport 22 -j ACCEPT
ip6tables -P INPUT DROP
That allows the required ICMPv6, related and established connections, and SSH connections over IPv6 to the router, and drops everything else. Note the order: the ACCEPT rules go in before the policy is switched to DROP, so you don't cut off the SSH session you are typing in. We'll add more later on when we come to use DHCPv6 and then DNS over IPv6. It is wise to add these commands to startup: the rules are not persistent, so until they run at boot a reboot leaves the INPUT policy at ACCEPT and every service listening on the router reachable over IPv6.
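A tighter version of the ruleset above, as an added shell example that is not part of the original post. It admits only the ICMPv6 types IPv6 cannot function without (the RFC 4890 list: the four error messages, echo, and the four Neighbor Discovery messages) instead of the blanket "-p ipv6-icmp -j ACCEPT", requires the Neighbor Discovery messages to carry hop limit 255 as RFC 4861 demands (so anything that has been routed cannot spoof them; this uses the ip6t_hl module from the list above), and accepts loopback, which the rules above would block once the policy is DROP. It emits ip6tables-restore format so the whole table loads atomically, with no window in which the policy is DROP but the ACCEPT rules are missing. FORWARD is left at ACCEPT as in the post. The SSH port, the file name and the function names are my assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): an ip6tables ruleset, in
# ip6tables-restore format, admitting only the ICMPv6 types required for
# IPv6 to work (RFC 4890), loopback, established traffic and SSH.

SSH_PORT=22   # assumed: SSH on the standard port, as in the post

# ICMPv6 error messages (RFC 4443): destination unreachable, packet too big,
# time exceeded, parameter problem. Blocking type 2 breaks path MTU discovery.
ICMPV6_ERRORS="1 2 3 4"
# Echo request and reply. Drop 128 from the list if the router shouldn't be pingable.
ICMPV6_ECHO="128 129"
# Neighbor Discovery (RFC 4861): router solicitation/advertisement and
# neighbor solicitation/advertisement. These are link-local and are sent with
# hop limit 255; a lower hop limit means the packet was routed, so it is not genuine.
ICMPV6_NDP="133 134 135 136"

# gen_ip6_rules: print the ruleset on stdout.
gen_ip6_rules() {
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD ACCEPT [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    # Loopback: the post's rules would block ::1 once the policy is DROP.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
    for t in $ICMPV6_ERRORS $ICMPV6_ECHO; do
        printf '%s\n' "-A INPUT -p ipv6-icmp --icmpv6-type $t -j ACCEPT"
    done
    for t in $ICMPV6_NDP; do
        # -m hl needs ip6t_hl.ko (CONFIG_IP6_NF_MATCH_HL from the module list)
        printf '%s\n' "-A INPUT -p ipv6-icmp --icmpv6-type $t -m hl --hl-eq 255 -j ACCEPT"
    done
    printf '%s\n' "-A INPUT -p tcp --dport $SSH_PORT -j ACCEPT"
    printf '%s\n' 'COMMIT'
}

# count_icmpv6_rules: number of ICMPv6 types admitted (a sanity check).
count_icmpv6_rules() {
    gen_ip6_rules | grep -c -- '--icmpv6-type'
}

# Usage:  sh ip6fw.sh         print the ruleset for review
#         sh ip6fw.sh apply   load it on the router in one atomic step
case "${1:-}" in
    apply) gen_ip6_rules | ip6tables-restore ;;
    *)     gen_ip6_rules ;;
esac
```

Keep the script on the /opt USB stick and run "sh /opt/ip6fw.sh apply" from the router's startup commands so the rules survive a reboot; ip6tables-restore is built alongside ip6tables and lives in /opt/sbin after the install above.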

Next time we'll have a go at DHCPv6, a more complicated example which took me many hours and much Googling just to get past the configure stage. I'm also going to attempt a Kismet drone at some point in the near future.
