Gentoo Blog

Upgrading Iptables to 1.4 on Debian Etch

Simon | January 28, 2009

I needed the connlimit module to limit the number of connections on one of our Debian firewall boxes. After some trial and error I found out that the iptables version shipped with Debian Etch (1.3.6) doesn't support the new module format used by 2.6.23+ kernels. I looked for a backported version of iptables but did not find one :( So I decided to build and install iptables from source. First download the latest iptables version from Netfilter.

Unpack the tarball

tar -xjvf iptables-1.4.2.tar.bz2

Change directory

cd iptables-1.4.2

Configure iptables (the directory overrides are regular configure options, so they need the leading dashes)

./configure --prefix=/usr --libdir=/lib --bindir=/sbin --mandir=/usr/share/man

If you just run ./configure without options, everything is installed under /usr/local.

Make and install iptables

make prefix=/usr libdir=/lib bindir=/sbin mandir=/usr/share/man install

A few binaries nevertheless landed in /usr/sbin instead of /sbin (iptables installs its programs under sbindir, which --bindir does not change; --sbindir=/sbin would), so I copied them to the desired location.

After that you can check your new iptables version (capital -V prints the version; lowercase -v only means verbose)

iptables -V

The only problem I encountered is with packages that depend on iptables: aptitude will try to install the old iptables version again as a dependency. Either install those applications from source as well, or keep two versions of iptables, one under /usr/local and one under /sbin, which can be confusing.
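As an added example (not part of the original post), a small POSIX sh helper that detects the mismatch described above, a 2.6.23+ kernel driven by an iptables older than 1.4, from the strings that uname -r and iptables -V return, and prints the kind of connlimit rule the upgrade was needed for. The function names, the script name check_connlimit.sh and the port/limit values 22 and 5 are my own placeholders, not anything from the post.

```shell
#!/bin/sh
# Added example, not from the original post: detect the combination the
# post ran into (2.6.23+ kernel with a pre-1.4 iptables that cannot load the
# new xtables module format) and print the connlimit rule the upgrade enables.

# version_ge A B: exit 0 if dotted version A >= B on the first three numeric
# fields; suffixes such as "23-etchnhalf" are stripped before comparing.
version_ge() {
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s\n' "$1" | cut -d. -f"$i"); x=${x%%[!0-9]*}
        y=$(printf '%s\n' "$2" | cut -d. -f"$i"); y=${y%%[!0-9]*}
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# iptables_version LINE: "iptables v1.3.6" (what iptables -V prints) -> "1.3.6";
# prints nothing when the line is not recognised.
iptables_version() {
    printf '%s\n' "$1" | sed -n 's/^iptables v\([0-9][0-9.]*\).*/\1/p'
}

# needs_upgrade KERNEL_RELEASE IPTABLES_V_LINE
# exit 0: 2.6.23+ kernel but iptables older than 1.4 (the post's situation)
# exit 1: combination is fine        exit 2: iptables -V line unparsable
needs_upgrade() {
    kver=${1%%-*}                     # "2.6.23-etchnhalf" -> "2.6.23"
    iver=$(iptables_version "$2")
    [ -n "$iver" ] || return 2
    version_ge "$kver" 2.6.23 && ! version_ge "$iver" 1.4.0
}

# connlimit_rule PORT LIMIT: the rule the author wanted connlimit for; drops new
# TCP connections to PORT once one source address already holds more than LIMIT.
connlimit_rule() {
    printf 'iptables -A INPUT -p tcp --syn --dport %s -m connlimit --connlimit-above %s -j DROP\n' "$1" "$2"
}

# Live check, only when run as: sh check_connlimit.sh --live  (port/limit are placeholders)
if [ "${1:-}" = "--live" ] && command -v iptables >/dev/null 2>&1; then
    rc=0; needs_upgrade "$(uname -r)" "$(iptables -V 2>/dev/null)" || rc=$?
    case $rc in
        0) echo "pre-1.4 iptables on a 2.6.23+ kernel: build iptables 1.4 as described above" ;;
        1) echo "kernel/iptables combination looks fine; example rule:"; connlimit_rule 22 5 ;;
        *) echo "could not parse iptables -V output" ;;
    esac
fi
```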

Categories: iptables, Ubuntu/Debian

iptables patch-o-matic-ng

Simon | September 17, 2007

1. Download the newest patch-o-matic-ng snapshot from ftp://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot/.

2. Unpack it with tar -xjvf filename

3. Check that your iptables was compiled with the extensions USE flag.

4. Run ebuild /usr/portage/net-firewall/iptables/iptables-1.3.8-r1.ebuild unpack

5. Run ebuild /usr/portage/net-firewall/iptables/iptables-1.3.8-r1.ebuild compile

6. Change to the unpacked patch-o-matic-ng directory.

7. For the patch-o-matic module connlimit you must first run ./runme --download

8. From there execute this one-liner (change KERNEL_DIR [/usr/src/linux], IPTABLES_DIR [1.3.8-r1] and the p-o-m patches you want to apply [connlimit] to match your system):

IPTABLES_DIR=/var/tmp/portage/net-firewall/iptables-1.3.8-r1/work/iptables-1.3.8 KERNEL_DIR=/usr/src/linux ./runme connlimit

9. Now the kernel and iptables sources are patched. It's time to rebuild the kernel (modules) and iptables. Change to your kernel sources dir

10. cd /usr/src/linux

11. make menuconfig

12. Choose your new modules.

13. Now rebuild the kernel modules and install them

14. make modules modules_install

15. Now you need to compile and install iptables (change dirs accordingly)

16. ebuild /usr/portage/net-firewall/iptables/iptables-1.3.8-r1.ebuild install
ebuild /usr/portage/net-firewall/iptables/iptables-1.3.8-r1.ebuild qmerge

17. If you have automatic kernel module loading compiled into your kernel, the modules will be loaded automatically each time iptables needs them. Otherwise you should load the appropriate module yourself:

18. modprobe ipt_connlimit

Don't forget: you need to repeat this whole procedure each time you update your kernel or iptables!

Categories: iptables
