
	Links: { Chris Lowth's Home Page \| LinWiz \| Kazaa Blocking 'FTWall' }

HOWTO: Install ftwall on IPCop 1.3.0

"Ftwall" is part of the "P2Pwall" project, and provides logic for iptables based linux firewalls that allows the control of traffic from Kazaa and it's clones.

"IPCop" is a linux-based open-source firewall. Downloads and information are available from www.ipcop.org.

This document is currently a little "thin" in terms of explanation of why you are doing what you are doing - I'll pad it out a little in due course. In the meantime, please treat these directions as "experimental" - and report any issues you have with then to the project "help" forum.

Either -- 1a: BUILD AN UPDATED IPCOP KERNEL

IPCop 1.3.0 does not (by default) support the "string" or "queue" modules of iptables. In order to use ftwall with IPCop, you must add these features to your system. This is a matter of a kernel rebuild.

If you dont want to build the new kernel yourself, jump to step 1b (below) for directions on DOWNLOADING a pre-compiled version. If you want to roll your own, read on...

Take latest IPCop 1.3.0 sources snapshot from..

   http://ipcop.sourceforge.net/cvs_snapshot

The file name will be like ipcop-dev-v130-YYYYMMDD.tgz

Restore to a directory of your choice on a RedHat 7.2 or 7.3 development system (see www.ipcop.org for information on how the build process works and the system requirements for building the IPCop software).

Now you need to make a number of edits to the "make.sh" script, as follows...

Add the following line to "make.sh" after the "runme base" line (at or near line 1149)

  yes 'y' | KERNEL_DIR=$TMPDIR/linux/ ./runme extra/string.patch >> $LOGFILE 2>&1

Change the kernel.config copying line (at or near line 1161 of "make.sh") from

  cp $BASEDIR/config/kernel/kernel.config .config

  fgrep -v CONFIG_IP_NF_QUEUE $BASEDIR/config/kernel/kernel.config > .config

Add the following lines immediately before "make oldconfig" at or near line 1163 of "make.sh"..

  ed Makefile <<-END
	/^EXTRAVERSION =/s/.*/EXTRAVERSION = -P2PWall/
	w
	q
  END
  KERNEL_VERSION=${KERNEL_VERSION}-P2PWall

Change the "make oldconfig" line (at or near line 1162 of "make.sh") to read..

  make oldconfig CONFIG_IP_NF_QUEUE=m CONFIG_IP_NF_MATCH_STRING=m >>$LOGFILE 2>&1

Comment out the following line (at or near line 1207 of "make.sh")

  rm -rf $TMPDIR/build/sbin/iptables-*

Run the commands..

  export IPCOP_FILE_CACHE=/home/ipcop/files
  chmod +x make.sh
  ./make.sh build

If there are files that wont download, then you may have to adjust the src/FILES file to list more appropriate versions. Then run the "make.sh" step again. - Until the trace messages show that the build is finished.

Create a "tarball" of the relevant changes..

  cd /var/tmp/ipcop.build.NUMBER/build
  tar cfz /tmp/IPCop-hack.tgz boot/*P2PWall lib/modules sbin/iptables* lib/iptables

Or -- 1b: DOWNLOAD THE PRE-COMPILED KERNEL

If you dont want to build your own updated IPCop kernel, you can download a pre-compiled one from the p2pwall project web site. But please note ...

This software comes with NO WARRANTY OR GUARANTEES AT ALL - even the implied warranty of suitability for use. This means - I *think* this works, but all the risk and responsibility for using it is yours. See the GPL Licence for fuller details.

For the most recent version, I am asking a $10.00 download donation. This is to help cover recent hardware costs I have incurred in making this software available to a growing audience. You will note that the download mechanism will not prevent you taking a copy without paying (and if you really cant afford it, then please be my guest), but please do make the payment if at all possible, in order that I can continue to provide "current" pre-built versions of the kernel for IPCop users. Payment can be made in (virtually) any currency.

IPCop Version Kernel Version IPTables Version Download Donation Download link
1.3.0 upto fixes 7 2.4.21 1.2.7a Free Download here
1.3.0 fixes 8 2.4.24 1.2.7a $10.00 (USD) - Click to pay ...

(I am trusting you to pay)
Download here

2: INSTALL THE MODIFIED (HACKED) KERNEL

N.B. These instructions modify the linux kernel installed on your IPCop. Moreover; they are provided with NO WARRANTY what so ever. If you break your system by following them (or attempting to follow them), you are on your own.

If you dont like the sound of this, then STOP NOW!!

Copy the tarball file to the "/tmp" directory of your ipcop system using "scp", and restore with "working directory" set to "/" -- thus ..

  cd /
  tar xvfz /tmp/IPCop-hack.tgz

Edit the /etc/lilo.conf file on the firewall to refer to the new kernel. Here's an example of the modified file with the changes coloured green..

	boot    = /dev/harddisk
	map     = /boot/map
	install = /boot/boot.b
	message = /boot/message
	default = IPCop-P2PWall
	timeout = 50
	read-only
	prompt
	linear

	image   = /boot/vmlinuz
	  root    = /dev/harddisk4
	  label   = IPCop

	image   = /boot/vmlinuz-2.4.20
	  root    = /dev/harddisk4
	  label   = IPCop.old

	image   = /boot/vmlinuz-2.4.21-P2PWall
	  root    = /dev/harddisk4
	  label   = IPCop-P2PWall

Note: If you are using IPCop 1.3.0 with fixes number 8, and the 2.4.24 kernel; then you should replace the string "2.4.21" with "2.4.24" on the "image = ...." line near the bottom of the file.

Run the "lilo" command to register the new kernel as bootable. Reboot and verify that the system "comes up".

3: INSTALL AND CONFIGURE FTWALL

Verify (using "uname -a") that you are really running the updated kernel.

Now you (should) have all the OS stuff required by ftwall in place on your IPCop firewall. Now you need the "ftwall" program itself.

You can either build the "ftwall" program on a RedHat 7.2, 7,3, 8.0 or 9 system (not on IPCop since IPCop does not include a C compiler), or download a pre-compiled binary version. The instructions for getting hold of the IPCop version of the ftwall binary are now included in the e-mail that is sent to you when you request a download from the project home page.

Once you have built or downloaded the "ftwall" binary..

copy it on to the firewall (possibly using "scp")
"gunzip" it (if you downloaded it) using the "gunzip" command
move it to /sbin/ftwall using the "mv" command
render it "executable". by running the command: chmod +x /sbin/ftwall

Edit /etc/rc.d/rc.local to start the ftwall software and create the relevant IPTABLES rules. The modified file should look like this (if it was empty to start with)..

	#!/bin/sh
	. /var/ipcop/ethernet/settings
	/sbin/insmod ip_queue
	/sbin/insmod ipt_string
	rm -rf /var/log/ftwall.clients
	mkdir /var/log/ftwall.clients
	echo 128000 > /proc/sys/net/core/rmem_max
	/sbin/ftwall -b 128000 -l pc -c /var/log/ftwall.clients
 	/sbin/iptables -A CUSTOMFORWARD -p udp -i $GREEN_DEV -m length --length 40 -m string --string KaZaA -j QUEUE
	/sbin/iptables -A CUSTOMFORWARD -p tcp -i $GREEN_DEV --syn -j QUEUE
	/sbin/iptables -A CUSTOMFORWARD -p tcp -i $GREEN_DEV -m string --string X-Kazaa -j QUEUE
	/sbin/iptables -A CUSTOMINPUT   -p udp -i $GREEN_DEV --dport 1219 -m length --length 41 -j QUEUE

You can download a copy of this file from here.

Be sure that you copy the file to the IPCop system using UNIX end-of-line sequences, not DOS/Windows ones. You can check that the format is right by running "cat -v rc.local" and checking that the lines do NOT end with "^M" characters.

Once you have created or editted this file, make sure it is "executable" by running the command..

    chmod +x /etc/rc.d/rc.local

4: PRAY (IT WORKS), REBOOT AND PAY $10.00

Now reboot your IPCop - and (if everything has gone to plan) ftwall will now be blocking Kazaa and other "Fast-track" traffic.

If you downloaded a version of the pre-built kernel for which a download donation is requested and it is all working for you but you have not yet made the payment - then please make your $10.00 donation now using the button below. Thanks

News, Forums and Announcements

Please do NOT e-mail the author directly about this software unless..

you are offering to get involved with the development of the project.
you are offering funding.
you are interested in alternative licenses.

(You will find my e-mail address by following the "Chris Lowth's home page" link at the top of this page).

For all other matters, please use the mailing list and forums..

Annoucements about new releases of this document and software (etc) will be made from time to time in the "comp.os.linux.announce" news group. Keep an eye on this group if you wish to be informed about updates etc.
You can also subscribe to the "p2pwall-announce@sourceforge.net" mailing list. That way you will receive p2pwall annoucements without having to check the news group.
Support and help on the use of this software can be obtained from "Help forum". Post here if you have problems getting it working, but please use the Open discussion forum (below) for requests for new features.
General open discussion (including requests for features and success stories) can be posted to the "Open discussion forum".