This post was last edited by 秦时老猫 on 2019-8-6 14:40
The environment is the 4.18.7 build packaged by XQ7.
I couldn't be bothered to download a newer version and redo the whole configuration, so I compiled xt_FULLCONENAT and libipt_FULLCONENAT under Armbian.
Sharing them for anyone who needs them.
Install:
cp libipt_FULLCONENAT.so /usr/lib/aarch64-linux-gnu/xtables/
cp xt_FULLCONENAT.ko /lib/modules/4.18.7-aml-s9xxx/kernel/net/netfilter
depmod -a
modprobe xt_FULLCONENAT
# After loading, dmesg reports: xt_FULLCONENAT: loading out-of-tree module taints kernel. After some searching, it seems to be a verification issue.
Usage (pppX is the WAN interface):
iptables -t nat -A PREROUTING -i pppX -j FULLCONENAT
iptables -t nat -A POSTROUTING -o pppX -j FULLCONENAT
Building under Armbian:
mkdir build
cd build
git clone https://github.com/150balbes/Amlogic_s905-kernel.git
cd Amlogic_s905-kernel
git checkout 20181012 # the source tree must match the running kernel; this tag is the 4.18.7 build used here
cp /boot/config-4.18.7-aml-s9xxx .config
grep "CONFIG_NF_CONNTRACK_EVENTS" .config # make sure it is CONFIG_NF_CONNTRACK_EVENTS=y; the module relies on conntrack events
make prepare
make scripts
cd ..
git clone https://github.com/Chion82/netfilter-full-cone-nat
cd netfilter-full-cone-nat
cp xt_FULLCONENAT.c ../Amlogic_s905-kernel/net/netfilter/
cd ../Amlogic_s905-kernel
Edit Amlogic_s905-kernel/net/netfilter/Makefile and append at the end:
obj-$(CONFIG_NETFILTER_XT_TARGET_FULLCONENAT) += xt_FULLCONENAT.o
Edit Amlogic_s905-kernel/net/ipv4/netfilter/Kconfig and insert after the IP_NF_TARGET_NETMAP section:
config IP_NF_TARGET_FULLCONENAT
	tristate "FULLCONENAT target support"
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_TARGET_FULLCONENAT
	---help---
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_TARGET_FULLCONENAT.
Edit Amlogic_s905-kernel/net/netfilter/Kconfig and insert after the NETFILTER_XT_TARGET_NETMAP section:
config NETFILTER_XT_TARGET_FULLCONENAT
	tristate '"FULLCONENAT" target support'
	depends on NF_NAT
	---help---
	  Full Cone NAT
	  To compile it as a module, choose M here. If unsure, say N.
Run: make menuconfig
Networking support -> Network options -> Network packet filtering framework (Netfilter) -> IP: Netfilter Configuration -> FULLCONENAT target support (press M)
make LOCALVERSION="-aml-s9xxx" M=net/netfilter/ CONFIG_NETFILTER_XT_TARGET_FULLCONENAT=m modules -j 4
cp net/netfilter/xt_FULLCONENAT.ko /lib/modules/4.18.7-aml-s9xxx/kernel/net/netfilter
depmod -a
modprobe xt_FULLCONENAT
cd ..
git clone git://git.netfilter.org/iptables.git
cp netfilter-full-cone-nat/libipt_FULLCONENAT.c iptables/extensions
cd iptables
# check out the tag matching the installed `iptables --version`; an extension built against a different xtables version is refused when iptables loads it
sh autogen.sh
./configure
make
cp extensions/libipt_FULLCONENAT.so /usr/lib/aarch64-linux-gnu/xtables/
Some firewall settings to avoid exposing the router on the public internet (IPv4 only; ip6tables keeps its default ACCEPT policies unless configured separately, and net.ipv4.ip_forward=1 is needed for the FORWARD rules to matter):
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth0 -j ACCEPT
#iptables -A INPUT -m string --algo bm --string "sex" -j DROP
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o pppX -j ACCEPT # FullCone: LAN -> WAN
iptables -A FORWARD -i pppX -o eth0 -j ACCEPT # FullCone: inbound flows DNATed by FULLCONENAT to LAN hosts
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
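As an added example (not from the original post or from the netfilter-full-cone-nat project): a small POSIX shell script covering two points a practitioner would want after the build and firewall steps above. First, a vermagic check for the freshly built xt_FULLCONENAT.ko, since the "loading out-of-tree module taints kernel" line is only informational while a real kernel/module mismatch shows up as modprobe failing with "Invalid module format". Second, the post's firewall and FULLCONENAT rules emitted as an iptables-restore ruleset so they are committed atomically instead of one rule at a time, with the inbound FORWARD rule narrowed to packets conntrack marks as DNAT (the ones FULLCONENAT actually mapped). The interface names ppp0 (the post's pppX) and eth0 and the function names check_vermagic, gen_fw_rules and apply_fw_rules are my assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post. Interface names are
# assumptions: WAN=ppp0 (the post's "pppX"), LAN=eth0.

# Compare the module's vermagic with the running kernel before copying it
# into /lib/modules. "loading out-of-tree module taints kernel" in dmesg is
# informational; a mismatch instead makes modprobe fail with
# "Invalid module format" / "Exec format error".
# Usage: check_vermagic /path/to/xt_FULLCONENAT.ko   (returns 0 on match)
check_vermagic() {
    ko="$1"
    want="$(uname -r)"
    got="$(modinfo -F vermagic "$ko" 2>/dev/null | cut -d' ' -f1)"
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# Emit the post's rules in iptables-restore format. $1 = WAN, $2 = LAN.
# iptables-restore commits each table at once, so ":INPUT DROP" never cuts
# off an SSH session from the LAN before the accept rules exist, which is
# what happens when "iptables -P INPUT DROP" is typed first.
# The WAN->LAN FORWARD rule only accepts packets conntrack flags as DNAT,
# i.e. flows FULLCONENAT mapped; stray WAN packets addressed to LAN
# private addresses fall through to the DROP policy.
gen_fw_rules() {
    wan="$1"
    lan="$2"
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i $wan -j FULLCONENAT
-A POSTROUTING -o $wan -j FULLCONENAT
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i $lan -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i $lan -o $wan -j ACCEPT
-A FORWARD -i $wan -o $lan -m conntrack --ctstate DNAT -j ACCEPT
COMMIT
EOF
}

# Parse the ruleset without committing it (--test), then load it.
# Needs root and an iptables that has libipt_FULLCONENAT.so installed.
# Usage: apply_fw_rules ppp0 eth0
apply_fw_rules() {
    rules="$(gen_fw_rules "$1" "$2")"
    printf '%s\n' "$rules" | iptables-restore --test || return 1
    printf '%s\n' "$rules" | iptables-restore
}
```

Run `check_vermagic net/netfilter/xt_FULLCONENAT.ko` from the kernel tree right after the make step, and `gen_fw_rules ppp0 eth0 > /etc/iptables/rules.v4` if you want the ruleset to persist across reboots via iptables-restore at boot. The --ctstate DNAT narrowing is the one behavioural difference from the post's rules; drop it if you deliberately forward traffic to LAN hosts by other means.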