Linux Kernel 2.6.24 with iptables 1.4.0, ipp2p -0.8.2 and L7-filter 2.17


The process described below works for kernel 2.6.24 and has been tested on Debian Etch 4.0.

Please note that the ipp2p project is no longer supported (added 25/11/2009).


The ipp2p patch for kernel 2.6.22 works fine for kernel 2.6.24.

1. Install the needed sources in the /usr/src directory.

cd /usr/src/
wget http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.24.tar.bz2

Always check http://l7-filter.sourceforge.net for the latest release. The link below points at kernel version 2.22, while the remaining steps on this page use 2.17 (the version named in the patch files below); download the release whose patch filenames match the steps you follow. The protocol definitions (l7-protocols-2008-02-20.tar.gz, extracted below) are a separate download from the same site.
wget http://downloads.sourceforge.net/project/l7-filter/l7-filter%20kernel%20version/2.22/netfilter-layer7-v2.22.tar.gz


wget http://iptables.org/projects/iptables/files/iptables-1.4.0.tar.bz2
wget http://www.ipp2p.org/downloads/ipp2p-0.8.2.tar.gz
wget http://evsworld.selfip.info/files/ipp2p-0.8.2-iptables-1.4.0.patch
wget http://evsworld.selfip.info/files/ipp2p-0.8.2-kernel-2.6.22.patch
wget http://evsworld.selfip.info/files/ipp2p-0.8.2-makefile-patch

tar xvjf linux-2.6.24.tar.bz2
tar xvzf netfilter-layer7-v2.17.tar.gz
tar xvzf l7-protocols-2008-02-20.tar.gz
tar xvjf iptables-1.4.0.tar.bz2
tar xvzf ipp2p-0.8.2.tar.gz

ln -s linux-2.6.24 linux
ln -s iptables-1.4.0 iptables

2. Patch the Kernel

cd /usr/src/linux
patch -p1 < ../netfilter-layer7-v2.17/kernel-2.6.22-2.6.24-layer7-2.17.patch
patch -p1 < ../ipp2p-0.8.2-kernel-2.6.22.patch

3. Patch iptables

cd ../iptables
patch -p1 < ../netfilter-layer7-v2.17/iptables-1.4-for-kernel-2.6.20forward-layer7-2.17.patch
patch -p1 < ../ipp2p-0.8.2-iptables-1.4.0.patch

4. Configure and compile the Kernel

cd /usr/src/linux
make menuconfig
Configure your kernel with the modules and drivers as needed.
Make sure to select the right option to activate Layer 7 filtering:
Networking
- Networking options
- - Network packet filtering framework (Netfilter)
- - - Core netfilter configuration
- - - - Netfilter connection tracking support
- - - - "layer7" match support
I have not enabled the layer7 debugging option on my machine.

In the "Netfilter Configuration" options, I suggest you select everything as modules, in particular "Full NAT" and "connection tracking support"; without connection tracking, ipp2p and L7 cannot follow a flow across packets and identify which connections are P2P and which are not.

make
make modules_install
make install
update-grub
(I use GRUB as the boot manager on my machine.)
Reboot and boot into the new kernel.

5. Compile and install iptables 1.4.0

cd /usr/src/iptables
make KERNEL_DIR=/usr/src/linux
make install

6. Install the protocol definitions for L7

mv /usr/src/l7-protocols-2008-02-20 /etc/l7-protocols

7. Patch and compile ipp2p (that was the tough part for me). If any patch reports rejected hunks, stop and check that you are applying it to the tree it targets before continuing.

cd /usr/src/ipp2p-0.8.2
patch -p0 <../ipp2p-0.8.2-kernel-2.6.22.patch
patch -p0 <../ipp2p-0.8.2-iptables-1.4.0.patch
patch -p0 <../ipp2p-0.8.2-makefile-patch
make
cp libipt_ipp2p.so /usr/local/lib/iptables/
# The module directory must match the kernel you are running, i.e. the new
# kernel booted in step 4 (/lib/modules/2.6.24 for an unmodified 2.6.24).
cp ipt_ipp2p.ko /lib/modules/$(uname -r)/kernel/net/netfilter/
depmod -a

8. Load the modules and have a look

iptables -A FORWARD -m ipp2p --ipp2p -j DROP
iptables -A FORWARD -m layer7 --l7proto bittorrent -j DROP

These rules load both match modules on first use and drop forwarded connections identified as P2P/bittorrent. Note that the FORWARD chain only sees traffic routed through the box; traffic to or from the firewall itself goes through INPUT and OUTPUT. Also keep in mind that layer7 has to see the first few data packets of a flow before it can classify it, and it records the verdict in the connection-tracking entry (which is why conntrack was required in step 4), so those first packets are not matched.
You can also list the rules in the filter or mangle table (the rules above are filter rules):

iptables -nvL
lsmod should also report the ipp2p module and the layer7 module as loaded.
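A more robust way to use the two matches, as an added example that is not part of the original post or of the ipp2p/l7-filter projects: classify each connection once in the mangle table, persist the verdict with CONNMARK, and drop by connection mark in the filter table. The script also includes an offline check that parses lsmod-style output for the two modules. The interface name eth1, the mark value 0x10, the module name xt_layer7 (the name the 2.6.22+ layer7 patch builds) and the lsmod sample are assumptions; verify the module name with lsmod on your own machine.

```shell
#!/bin/sh
# Added example, not from the original post: generate an iptables-restore
# ruleset that marks P2P connections in mangle/PREROUTING and drops them in
# filter/FORWARD, plus an offline check for the two match modules.

LAN_IF="${LAN_IF:-eth1}"      # assumed LAN-facing interface
P2P_MARK="${P2P_MARK:-0x10}"  # assumed mark value reserved for P2P flows

# Emit an iptables-restore style ruleset on stdout.
# $1 is a space-separated list of layer7 protocol names.
# The classification is saved in the conntrack entry with CONNMARK, so
# packets of an already-classified flow are dropped by a cheap connmark
# test instead of being re-inspected by layer7/ipp2p on every packet.
gen_p2p_ruleset() {
    proto_list="$1"
    cat <<EOF
*mangle
:PREROUTING ACCEPT [0:0]
# Restore a mark set on an earlier packet of this connection.
-A PREROUTING -j CONNMARK --restore-mark
# Already classified: nothing more to do in this table.
-A PREROUTING -m mark --mark ${P2P_MARK} -j RETURN
-A PREROUTING -m ipp2p --ipp2p -j MARK --set-mark ${P2P_MARK}
EOF
    for p in $proto_list; do
        echo "-A PREROUTING -m layer7 --l7proto ${p} -j MARK --set-mark ${P2P_MARK}"
    done
    cat <<EOF
# Persist the packet mark into the connection-tracking entry.
-A PREROUTING -m mark --mark ${P2P_MARK} -j CONNMARK --save-mark
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -i ${LAN_IF} -m connmark --mark ${P2P_MARK} -j DROP
-A FORWARD -o ${LAN_IF} -m connmark --mark ${P2P_MARK} -j DROP
COMMIT
EOF
}

# Read lsmod-style output on stdin; return 0 only if both match modules
# (ipt_ipp2p from step 7 and xt_layer7 from the kernel patch) are listed.
modules_loaded() {
    awk 'BEGIN { a = 0; b = 0 }
         $1 == "ipt_ipp2p" { a = 1 }
         $1 == "xt_layer7" { b = 1 }
         END { exit !(a && b) }'
}

# Constructed lsmod sample for the offline demo (not captured from a real box).
SAMPLE_LSMOD='Module                  Size  Used by
xt_layer7              20480  2
ipt_ipp2p              24576  1
nf_conntrack           65536  6 xt_layer7,ipt_ipp2p'

if [ "${1:-}" = "demo" ]; then
    gen_p2p_ruleset "bittorrent edonkey gnutella" > /tmp/p2p.rules
    if printf '%s\n' "$SAMPLE_LSMOD" | modules_loaded; then
        echo "both match modules present in sample"
    fi
    echo "ruleset written to /tmp/p2p.rules; load it with: iptables-restore -n < /tmp/p2p.rules"
fi
```

Run it as `sh p2p-rules.sh demo` to write the ruleset; feed the real `lsmod` output to `modules_loaded` to check a live machine. The `-n` (no-flush) option keeps existing rules in place while loading the generated tables.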
