Gentoo Forums
[HOWTO] iptables patch-o-matic-ng extensions

Joined: 21 Dec 2004
Posts: 62

PostPosted: Sat Jun 11, 2005 7:03 pm    Post subject: [HOWTO] iptables patch-o-matic-ng extensions Reply with quote

[HOWTO] iptables patch-o-matic-ng extensions (for better searching in forums)

I've been searching these forums for a long time to find a working iptables + patch-o-matic + extensions tutorial.
I did find some, but none was fully functional/working, so here is mine:

(Working with kernel 2.6.x)

1. Check if your /usr/src/linux is pointing to the sources for the currently running kernel
(if you don't want to compile a new kernel and restart during this howto)
uname -rv
ls -ga /usr/src/linux

Both should show the same date and version (if you didn't mess with it).

2. Download the newest patch-o-matic-ng archive from
At the time of writing it was patch-o-matic-ng-20050610.tar.bz2.

Unpack it to e.g. /tmp
tar xvjf ./patch-o-matic-ng-20050610.tar.bz2 -C /tmp/

3. Check if your iptables was compiled with the extensions USE flag.

emerge -pv iptables
[ebuild   R   ] net-firewall/iptables-1.3.1-r4  -debug +extensions +ipv6 -static 0 kB

If not, add this USE flag to /etc/portage/package.use:

cat /etc/portage/package.use
net-firewall/iptables extensions

4. Unpack the iptables sources (change the version according to emerge -pv iptables)
ebuild /usr/portage/net-firewall/iptables/iptables-1.3.1-r4.ebuild unpack

5. Change to the unpacked patch-o-matic-ng dir
cd /tmp/patch-o-matic-ng-20050610/

From there execute this one-liner (you need to change KERNEL_DIR [/usr/src/linux],
IPTABLES_DIR [1.3.1-r4] and the patches from p-o-m you want to apply [TTL geoip])
IPTABLES_DIR=/var/tmp/portage/iptables-1.3.1-r4/work/iptables-1.3.1/ KERNEL_DIR=/usr/src/linux ./runme TTL geoip

6. Now the kernel and iptables sources are patched. It's time to rebuild the kernel (modules) and iptables.
Change to your kernel sources dir
cd /usr/src/linux

Make oldconfig
make oldconfig

and mark the new items as modules (m) or compiled directly into the kernel (y).
The latter requires a restart soon.

7. Now rebuild kernel modules and install them
make modules modules_install

Mount your /boot partition and copy the newly created file, overwriting the original.
mount /boot
cp /boot/

8. If you need to build a new kernel, do so now. (I won't go into this here...) Don't forget to update grub/lilo.
If you recompiled the entire kernel, restart and load the system using this new kernel.

9. Now you need to compile and install iptables (change dirs accordingly)
ebuild /usr/portage/net-firewall/iptables/iptables-1.3.1-r4.ebuild install
ebuild /usr/portage/net-firewall/iptables/iptables-1.3.1-r4.ebuild qmerge

10. If you have automatic kernel module loading compiled into the kernel, your modules will be loaded
automatically each time iptables needs them. Otherwise you should load the appropriate modules:
modprobe ipt_TTL ipt_geoip

11. Change iptables script and test it!

Don't forget! You need to repeat this whole procedure each time you update your kernel or iptables!!!!


Please make any corrections if I'm wrong somewhere (including spelling ;))


Never trust an operating system you don't have sources for.
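As an added example (my own helper script, not from the original post or from the patch-o-matic-ng project), here is a POSIX sh snippet that makes steps 1 and 6 of the HOWTO checkable rather than eyeballed: it derives the release string of a kernel source tree from its top-level Makefile so it can be compared against uname -r, and reports whether each netfilter CONFIG option ended up as y, m or unset after make oldconfig. The function names and the CONFIG_IP_NF_TARGET_TTL / CONFIG_IP_NF_MATCH_GEOIP option names are assumptions on my part, not taken from the post.

```shell
#!/bin/sh
# Added example, not from the original post or the patch-o-matic-ng project.
# Two checks the HOWTO relies on: step 1 (does /usr/src/linux match the
# running kernel?) and step 6 (were the patched-in netfilter options actually
# enabled as y or m at "make oldconfig"?). Function names are my own.

# Read one "NAME = value" variable from a kernel top-level Makefile.
mkvar() {
    sed -n "s/^$2[[:space:]]*=[[:space:]]*//p" "$1" | tr -d '[:space:]'
}

# Usage: kernel_release_from_tree /usr/src/linux   -> e.g. 2.6.11-gentoo-r6
# Assumes the 2.6-era layout (VERSION/PATCHLEVEL/SUBLEVEL/EXTRAVERSION); it
# ignores CONFIG_LOCALVERSION and localversion* files, so compare by hand if
# your tree uses those.
kernel_release_from_tree() {
    mk="$1/Makefile"
    [ -r "$mk" ] || { echo "no Makefile in $1" >&2; return 1; }
    echo "$(mkvar "$mk" VERSION).$(mkvar "$mk" PATCHLEVEL).$(mkvar "$mk" SUBLEVEL)$(mkvar "$mk" EXTRAVERSION)"
}

# Usage: tree_matches_running /usr/src/linux   -> exit 0 only if it equals uname -r
tree_matches_running() {
    [ "$(kernel_release_from_tree "$1")" = "$(uname -r)" ]
}

# Usage: config_state /usr/src/linux CONFIG_IP_NF_TARGET_TTL   -> prints y, m or n
# A "# CONFIG_X is not set" line and a missing line both count as n.
config_state() {
    state=$(sed -n "s/^$2=//p" "$1/.config" 2>/dev/null || true)
    echo "${state:-n}"
}

# Usage: check_options /usr/src/linux CONFIG_A CONFIG_B ...
# Returns 1 if any option is neither y nor m, i.e. runme applied the patch
# but the new item was skipped at "make oldconfig".
check_options() {
    tree="$1"; shift
    rc=0
    for opt in "$@"; do
        st=$(config_state "$tree" "$opt")
        case "$st" in
            y|m) echo "$opt=$st" ;;
            *)   echo "$opt is not enabled in $tree/.config" >&2; rc=1 ;;
        esac
    done
    return "$rc"
}

# Option names for the TTL target and geoip match are assumed, not from the post:
# tree_matches_running /usr/src/linux && check_options /usr/src/linux CONFIG_IP_NF_TARGET_TTL CONFIG_IP_NF_MATCH_GEOIP
```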

Joined: 28 Dec 2002
Posts: 28
Location: Johannesburg, South Africa

PostPosted: Thu Mar 09, 2006 9:22 am    Post subject: Reply with quote

Thanks for this. It's been pretty handy for me.

Joined: 16 Dec 2002
Posts: 708

PostPosted: Mon Mar 20, 2006 10:56 pm    Post subject: Reply with quote

I agree, this is wonderful. I'm running a binary-only server, and being able to package the patched iptables is great!

One thing to note, IPTABLES_DIR is now:


To package the file for binary distribution, this works well:

ebuild /usr/portage/net-firewall/iptables/iptables-1.3.4.ebuild package

only the paranoid survive
Tux's lil' helper

Joined: 15 Oct 2003
Posts: 110
Location: South Africa

PostPosted: Mon Mar 27, 2006 10:02 pm    Post subject: Reply with quote

Ah sweet. Does patch-o-matic provide a way of only getting the diffs? Aka, produce some .diff or patch files that I can apply manually with patch?

The problem as it stands is that you will need to manually upgrade iptables every single time from this point onward. I've got a very nasty idea (which the gentoo devs already told me will _not_ go into portage) that will negate this need, iff we can get some patch files.
There are 10 kinds of people in the world,
those who understand binary and who don't