iptables mirror target for linux kernel 3.3

After my last kernel upgrade I tried to build the iptables mirror target published here. The iptables mirror target takes the packet sent to your machine and returns the same packet to the machine the packet came from. Thus, let’s say someone tries to scan your machine or tries an attack he would scan his own machine or even attack his own machine. When I tried it with kernel version 3.3 , it did not build anymore with the current linux kernel. However, this time only a minor modification has been neccesary. Another header file had to be included and a function name has changed.  You can download the newer release for kernel version 3.3 and probably future kernels here:

[download#86] gplv3-127x51

The kernel module has been tested with kernel version linux-3.3-vserver- To build the module, boot the kernel you want to use the module with. Afterwards unpack the archive and run the compile.sh script to build the module. Then run the install.sh script for installing the compiled module into the /lib/modules directory for your kernel.

Now you may use the mirror target in place of the REJECT or DROP target in the INPUT, FORWARD and PREROUTING chains, like this in your firewall script:


Beware: The use of the mirror target may lead to strange results, in example if you want to connect to an iptables protected machine which uses the mirror target, you may end up connecting to the local machine without recognizing it. It also may use much bandwith. The worst case occurs if you have two machines using the module. These machines may end up playing ping pong. So you have been warned, use with caution and at your own risk. For more information see: MIRROR target.

Downloads for older kernel versions are below. Notice the version numbering 2.6.25 works for kernels up to 2.6.27. 2.6.28 also works for 2.6.29 and 2.6.30 kernels. The 2.6.13 version of the module should work up to kernel version 2.6.16.





1 Star2 Stars3 Stars4 Stars5 Stars (2 votes, average: 5.00 out of 5)

udev-182 needs CONFIG_ DEVTMPFS in kernel

After the latest upgrades on my gentoo vserver system running a 3.3.0 Linux  vserver-kernel (vserver-sources-, the system did not start up properly anymore. No kernel modules got loaded and even the network devices have not been available after a reboot. This is more or less the worst case, since then one has to be physically in front of the machine and can not repair the system via ssh remote login.

The kernel upgrade was not the reason for this,  but the upgrade to udev-182. This is what the log said:

Mar 21 17:20:05 mittelerde /etc/init.d/sshd[5563]: ERROR: cannot start sshd as net.eth0 would not start
Mar 21 17:20:09 mittelerde /etc/init.d/udev-mount[6075]: Udev uses a devtmpfs mounted on /dev to manage devices.
Mar 21 17:20:09 mittelerde /etc/init.d/udev-mount[6076]: This means that CONFIG_DEVTMPFS=y is required
Mar 21 17:20:09 mittelerde /etc/init.d/udev-mount[6077]: in the kernel configuration.
Mar 21 17:20:09 mittelerde /etc/init.d/udev-mount[6067]: ERROR: udev-mount failed to start
Mar 21 17:20:09 mittelerde /etc/init.d/udev[6066]: ERROR: cannot start udev as udev-mount would not start
Mar 21 17:21:06 mittelerde /etc/init.d/net.eth0[6463]: ERROR: interface eth0 does not exist

With the information “CONFIG_DEVTMPFS=y is required” the log contains the necessary hint to get things to work. The CONFIG_DEVTMPFS option had to be enabled in the kernel. Afterwards the kernel has to be recompiled. The option can be found in menuconfig under Device Drivers-> Generic Driver options and is called Maintain a devtmpfs filesystem to mount at /dev.  For getting the devfs automatically mounted at boot time it makes sense to also enable the option Automount devtmpfs at /dev, after the kernel mounted the rootfs (CONFIG_DEVTMPFS_MOUNT).

It is safe to enable these options with older udev versions. Doing so protects your system from not working any more when you get the udev update later.


1 Star2 Stars3 Stars4 Stars5 Stars (2 votes, average: 5.00 out of 5)

One hundredth article anniversary

We, the authors of MyGNU.de are proud to celebrate an anniversary today. This is the one hundredth article published on this blog. But how does one celebrate such an anniversary? For sure, the best way is to write another article. Well, and perhaps drinking a beer or two.

Lets summarize some history. This blog, MyGNU.de started on November 29th 2008 – roughly three years ago. During these years Thorsten and I had the opportunity to provide useful information, helpful scripts and programs to you, our readers. – At least we hope so. This way we have been able to give something back to the open source community that has supported us in so many ways. We have written about solutions to many problems, regarding the Linux operating system, we encountered. It would be to much to write if I tried to mention every single article now, but some have to be mentioned.  For sure the highlights, that can be found on this website are SIV, the stereoscopic image viewer and vrtrack the headtracking driver for the Vuzix VR920 head mounted display.  The most popular download until now has been the Iptables Mirror target, which I ported to 2.6 and 3.x Linux kernels. The kernel module enables one to create a more active Iptables firewall by returning the attack to the attacker. In total it got 5897 hits until today. In the beginning some of the articles were shorter than the more recent ones, but with time our knowledge and writing skills evolved and some recent articles are of quite high quality. We hope you have enjoyed reading the articles and got some useful insights and information.

For the future we hope to keep on this way and improve our skills, to write better and more useful articles and software and publish these on MyGNU.de.

“So say we all.”

Well, now there is only one last thing to to do. To say thank you! We have to say thanks to you for reading, and we have to say thank you to our company the main-host.de GmbH for providing the webspace for this blog.

Happy anniversary MyGNU.de!

best regards and keep on reading


1 Star2 Stars3 Stars4 Stars5 Stars (1 votes, average: 5.00 out of 5)

zen-sources-3.2 with tuxonice

Starting with the 2.6.36 kernel, tuxonice has been removed from zen-sources. The latest official tuxonice patch, that is available at present, is for the linux kernel 3.0. In the meanwhile more recent patches, for kernel version 3.2.1 and 3.2.10, have appeared at crow202.org. So I patched the zen-stable-3.2 sources with the 3.2.1 tuxonice patch from there.

Suspend to RAM works with this kernel, at least on my Dell Precison M65 and my Desktop, as well as suspend to disk does. Furthermore I can confirm, that the 3.2.1 patch also works on the x86_64 architecture.

To get things to work, download the zen-stable-3.2 kernel tree from zen-kernel.org and extract it. Afterwards download the 3.2.1 tuxonice patch from crow202.org and apply it. After applying the patch you can continue with the standard kernel building process. As with zen-sources-3.1,  no additional patch is necessary for the zcache feature, the fix is already included in zen-stable-3.2. The zcache feature doubles RAM efficiency while providing a significant performance boosts on many workloads. The zcache feature is located under staging drivers in the kernel tree and depends on the cleancache feature, which is located under processor types and features. To enable the zcache feature, you have to pass the zcache keyword to your kernel, in example in your grub.conf.

Example: kernel /bzImage panic=60 root=/dev/hda3 zcache

For Gentoo users there is a more easy way: Download my modified overlay from [download#84] and extract it in /usr/local/portage. The overlay contains all necessary patches. Be sure to include the following line in your /etc/make.conf:


If you want to use tuxonice include tuxonice in your USE-flags. Then emerge zen-sources and build the kernel as you like.

Tuxonice is not officially supported in current zen-sources. So If you’re using the files above, don’t report any bugs to zen-sources.org. You are on your own.

For my Precision M65 I used the following kernel config: [download#85]

For more information on the zen-sources patchset see www.zen-sources.org.

best regards


1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)

Small bugfix in extcalllog callerid modification for N900

In the article Looking up phone numbers with the N900 I described a solution to perform reverse phone number lookups from within the N900s extended call log. The patch and thus also the binary package there contained a small bug. Whenever there were international calls, beginning with “00”, in the log, the reverse lookup failed due to the callerid application not interpreting the “00” correctly. The fixed extcalllog application now translates these trailing zeros to a “+” which gets interpreted correctly by the callerid application.

The downloads in the original article have been updated now.




1 Star2 Stars3 Stars4 Stars5 Stars (1 votes, average: 5.00 out of 5)