[HOWTO] iptables patch-o-matic-ng extensions
Joined: 21 Dec 2004
Posts: 62

PostPosted: Sat Jun 11, 2005 7:03 pm

[HOWTO] iptables patch-o-matic-ng extensions (for better searching in forums)

I've been searching these forums for a long time to find a working iptables + patch-o-matic + extensions tutorial.
I did find some, but none was fully functional/working, so here is mine:

(Working with kernel 2.6.x)

1. Check whether your /usr/src/linux points to the sources of the currently running kernel
(if you don't want to compile a new kernel and restart during this howto):
uname -rv
ls -ga /usr/src/linux

They should have the same date and version (if you didn't mess with it).

2. Download the newest patch-o-matic-ng archive from
At the time of writing it was patch-o-matic-ng-20050610.tar.bz2.

Unpack it to, e.g., /tmp:
tar xvjf ./patch-o-matic-ng-20050610.tar.bz2 -C /tmp/

3. Check whether your iptables was compiled with the extensions USE flag:

emerge -pv iptables
[ebuild   R   ] net-firewall/iptables-1.3.1-r4  -debug +extensions +ipv6 -static 0 kB

If not, add this USE flag to /etc/portage/package.use:

cat /etc/portage/package.use
net-firewall/iptables extensions

4. Unpack the iptables sources (change the version according to emerge -pv iptables):
ebuild /usr/portage/net-firewall/iptables/iptables-1.3.1-r4.ebuild unpack

5. Change to the unpacked patch-o-matic-ng dir:
cd /tmp/patch-o-matic-ng-20050610/

From there, execute this one-liner (you need to change KERNEL_DIR [/usr/src/linux],
IPTABLES_DIR [1.3.1-r4] and the p-o-m patches you want to apply [TTL geoip]):
IPTABLES_DIR=/var/tmp/portage/iptables-1.3.1-r4/work/iptables-1.3.1/ KERNEL_DIR=/usr/src/linux ./runme TTL geoip

6. Now the kernel and iptables sources are patched. It's time to rebuild the kernel (modules) and iptables.
Change to your kernel source dir:
cd /usr/src/linux

Run make oldconfig:
make oldconfig

and mark the new items as modules (m) or compiled directly into the kernel (y).
The latter requires a restart soon.

7. Now rebuild the kernel modules and install them:
make modules modules_install

Mount your /boot partition and copy the newly created file, overwriting the original:
mount /boot
cp /boot/

8. If you need to build a new kernel, do so now. (I won't go into this here...) Don't forget to update grub/lilo.
If you recompiled the entire kernel, restart and boot the system using this new kernel.

9. Now you need to compile and install iptables (change the dirs accordingly):
ebuild /usr/portage/net-firewall/iptables/iptables-1.3.1-r4.ebuild install
ebuild /usr/portage/net-firewall/iptables/iptables-1.3.1-r4.ebuild qmerge

10. If you have automatic kernel module loading compiled into the kernel, your modules will be loaded
automatically each time iptables needs them. Otherwise you should load the appropriate modules yourself:
modprobe ipt_TTL ipt_geoip

11. Change your iptables script and test it!

Don't forget! You need to repeat this whole procedure each time you update your kernel or iptables!!!!


Please make any corrections if I'm wrong somewhere (including spelling ;))


Never trust an operating system you don't have sources for.
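A pre-flight check for steps 1 and 10 of the howto above, added here as an example that is not part of the original post: instead of comparing ls dates, it reads the release recorded in the kernel tree's top-level Makefile and compares it with the running kernel, and it reports which of the match/target modules you intend to use are not yet loaded. The function names, the 2.6.11-gentoo-r1 values in the comments and the /proc/modules lines are constructed for illustration; the script assumes a 2.6.x tree whose Makefile has VERSION/PATCHLEVEL/SUBLEVEL/EXTRAVERSION lines.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight checks before a
# patch-o-matic-ng run. Assumes a 2.6.x kernel tree whose top-level Makefile
# carries VERSION/PATCHLEVEL/SUBLEVEL/EXTRAVERSION lines, and a /proc/modules
# listing whose first field is the module name.

# Print the release string recorded in a kernel source tree's Makefile,
# e.g. "2.6.11-gentoo-r1" (constructed value). Returns 1 if the tree has no
# readable Makefile.
kernel_source_version() {
    mk="$1/Makefile"
    [ -r "$mk" ] || return 1
    v=$(sed -n 's/^VERSION[[:space:]]*=[[:space:]]*//p' "$mk" | head -n 1)
    p=$(sed -n 's/^PATCHLEVEL[[:space:]]*=[[:space:]]*//p' "$mk" | head -n 1)
    s=$(sed -n 's/^SUBLEVEL[[:space:]]*=[[:space:]]*//p' "$mk" | head -n 1)
    e=$(sed -n 's/^EXTRAVERSION[[:space:]]*=[[:space:]]*//p' "$mk" | head -n 1)
    printf '%s.%s.%s%s\n' "$v" "$p" "$s" "$e"
}

# Return 0 when the tree at $1 matches the running release ($2, default
# `uname -r`), 1 on mismatch, 2 when the tree cannot be read. A trailing
# "-something" on the running release is tolerated, because CONFIG_LOCALVERSION
# appends it at build time without changing the Makefile.
source_matches_running() {
    want="${2:-$(uname -r)}"
    have=$(kernel_source_version "$1") || return 2
    case "$want" in
        "$have") return 0 ;;
        "$have"-*) return 0 ;;
    esac
    return 1
}

# Read /proc/modules (or text in the same format) on stdin and print, one per
# line, the modules named in $1 that are not loaded. Usage:
#   missing_modules "ipt_TTL ipt_geoip" < /proc/modules
missing_modules() {
    loaded=$(cut -d ' ' -f 1)
    for m in $1; do
        printf '%s\n' "$loaded" | grep -qxF -- "$m" || printf '%s\n' "$m"
    done
}

# Run both checks against the live system; report problems on stderr and
# return non-zero if any. Example: preflight /usr/src/linux "ipt_TTL ipt_geoip"
preflight() {
    rc=0
    if ! source_matches_running "$1"; then
        echo "$1 does not match the running kernel $(uname -r)" >&2
        rc=1
    fi
    missing=$(missing_modules "$2" < /proc/modules)
    if [ -n "$missing" ]; then
        echo "not loaded: $(printf '%s' "$missing" | tr '\n' ' ')" >&2
        rc=1
    fi
    return $rc
}
```

Source the file and call preflight before step 5; a mismatch means runme would patch a tree other than the one your modules will be loaded into, and a non-empty "not loaded" list after step 10 means modprobe (or autoloading) still has work to do.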
Joined: 28 Dec 2002
Posts: 28
Location: Johannesburg, South Africa

PostPosted: Thu Mar 09, 2006 9:22 am

Thanks for this. It's been pretty handy for me.
Joined: 16 Dec 2002
Posts: 708

PostPosted: Mon Mar 20, 2006 10:56 pm

I agree, this is wonderful. I'm running a binary-only server, and being able to package the patched iptables is great!

One thing to note, IPTABLES_DIR is now:


To package the file for binary distribution, this works well:

ebuild /usr/portage/net-firewall/iptables/iptables-1.3.4.ebuild package

Joined: 15 Oct 2003
Posts: 110
Location: South Africa

PostPosted: Mon Mar 27, 2006 10:02 pm

Ah sweet. Does patch-o-matic provide a way of only getting the diffs? Aka, produce some .diff or patch files that I can apply manually with patch?

The problem as it stands is that you will need to manually upgrade iptables every single time from this point onward. I've got a very nasty idea (which the gentoo devs already told me will _not_ go into portage) that will negate this need, iff we can get some patch files.
