1. Compiling Xtables-Addons on CentOS 6.7
Download the 1.47.1 package from http://sourceforge.net/projects/xtables-addons/files/Xtables-addons/ ; versions 2.x and later fail to compile.

2. Compile

./configure
make
make install

The build fails with this error:

make  all-recursive
make[1]: Entering directory `/tmp/xtables-addons-1.47.1'
Making all in extensions
make[2]: Entering directory `/tmp/xtables-addons-1.47.1/extensions'
Xtables-addons 1.47.1 - Linux 2.6.32-573.3.1.el6.x86_64
if [ -n "/lib/modules/2.6.32-573.3.1.el6.x86_64/build" ]; then make -C /lib/modules/2.6.32-573.3.1.el6.x86_64/build M=/tmp/xtables-addons-1.47.1/extensions modules; fi;
make[3]: Entering directory `/usr/src/kernels/2.6.32-573.3.1.el6.x86_64'
  CC [M]  /tmp/xtables-addons-1.47.1/extensions/compat_xtables.o
/tmp/xtables-addons-1.47.1/extensions/compat_xtables.c: In function ‘xtnu_ipv6_find_hdr’:
/tmp/xtables-addons-1.47.1/extensions/compat_xtables.c:633: error: too few arguments to function ‘ipv6_find_hdr’
make[4]: *** [/tmp/xtables-addons-1.47.1/extensions/compat_xtables.o] Error 1
make[3]: *** [_module_/tmp/xtables-addons-1.47.1/extensions] Error 2
make[3]: Leaving directory `/usr/src/kernels/2.6.32-573.3.1.el6.x86_64'
make[2]: *** [modules] Error 2
make[2]: Leaving directory `/tmp/xtables-addons-1.47.1/extensions'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/tmp/xtables-addons-1.47.1'
make: *** [all] Error 2

A Google search turned up one workaround:
Reference: http://www.devopscareer.com/debug/xtables-addons-error-too-few-arguments-to-function-ipv6_find_hdr/
In /usr/src/kernels/2.6.32-573.3.1.el6.x86_64/include/linux/autoconf.h, change
#define CONFIG_IP6_NF_IPTABLES_MODULE 1
to
/*#define CONFIG_IP6_NF_IPTABLES_MODULE 1*/
i.e. comment the line out to disable IPv6.

However, this method is not recommended!!!

A better approach is described here:
https://gist.github.com/bodgit/92c9412ec648959d0da4

The error can be fixed with this patch file:
xtables-addons-1.47.1-el6.patch

bodgit also provides a spec file, so you can build an RPM package directly with rpmbuild.
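
A pre-build check for the mismatch behind the error above, as an added example that is not part of the original post or the xtables-addons project: it counts the parameters of the ipv6_find_hdr() prototype in the kernel build tree, so the need for the el6 patch shows up before make runs and without touching autoconf.h. The function names and the default of 4 expected arguments (assumed from the mainline 2.6.32 prototype) are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post or the xtables-addons project).

# Print the number of parameters in the first ipv6_find_hdr() prototype
# found under <kdir>/include; return 1 if no prototype is found.
ipv6_find_hdr_argc() {
    kdir=$1
    hdr=$(grep -rlE 'int[[:space:]]+ipv6_find_hdr[[:space:]]*\(' \
            "$kdir/include" 2>/dev/null | head -n 1)
    [ -n "$hdr" ] || return 1
    # Join the prototype (it may span several lines) up to its ';'.
    proto=$(awk '/int[ \t]+ipv6_find_hdr[ \t]*\(/ { p = 1 }
                 p { printf "%s ", $0 }
                 p && /;/ { exit }' "$hdr")
    args=${proto#*\(}      # drop everything up to the opening parenthesis
    args=${args%%\)*}      # drop the closing parenthesis and what follows
    commas=$(printf '%s' "$args" | tr -cd ',' | wc -c)
    echo $((commas + 1))
}

# Compare the header's parameter count with what the module source passes.
# expected defaults to 4 (assumption: the mainline 2.6.32 prototype).
# Returns 0 if they agree, 1 on a mismatch, 2 if no prototype was found.
check_ipv6_find_hdr() {
    kdir=$1
    expected=${2:-4}
    argc=$(ipv6_find_hdr_argc "$kdir") || { echo "unknown: no prototype found"; return 2; }
    if [ "$argc" -gt "$expected" ]; then
        echo "mismatch: headers declare $argc args, source passes $expected; apply the el6 patch"
        return 1
    fi
    echo "ok: headers declare $argc args"
}

# Usage: sh check_ipv6_find_hdr.sh /lib/modules/$(uname -r)/build
if [ $# -gt 0 ]; then
    check_ipv6_find_hdr "$@"
fi
```

A "mismatch" result means the build would stop with "too few arguments to function 'ipv6_find_hdr'" as shown in the log above.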

Appendix:
http://www.linuxwizard.org/centos/xtables-addons-centos-6-iptables-geoip-filtering/

Title: Xtables-Addons On Centos 6 & Iptables GeoIP Filtering

This guide installs additional kernel modules for use with iptables rule sets (netfilter modules). Xtables-addons is the successor to patch-o-matic(-ng). Likewise, it contains extensions that were not, or are not yet, accepted in the main kernel/iptables packages. Xtables-addons is different from patch-o-matic in that you do not have to patch or recompile the kernel.

1 Preliminary Note

SELinux is disabled. Run

system-config-securitylevel

Edit /etc/selinux/config:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing – SELinux security policy is enforced.
# permissive – SELinux prints warnings instead of enforcing.
# disabled – No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
# targeted – Targeted processes are protected,
# mls – Multi Level Security protection.
SELINUXTYPE=targeted

To disable SELinux enforcement on the running system:
echo 0 > /selinux/enforce

2 Supported Configurations

* iptables >= 1.4.3

* kernel-source >= 2.6.29

For ipset-6 you need:

* libmnl

* Linux kernel >= 2.6.35

3 Installing Packages

uname -r
2.6.32-71.el6.i686
yum install gcc gcc-c++ make automake unzip zip xz kernel-devel-`uname -r` iptables-devel
Install rpmforge repo for perl-Text-CSV_XS

rpm -i http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.i686.rpm

yum install perl-Text-CSV_XS

4 Compile xtables-addons

wget http://downloads.sourceforge.net/project/xtables-addons/Xtables-addons/1.37/xtables-addons-1.37.tar.xz

tar xvf xtables-addons-1.37.tar.xz
Compile modules

cd xtables-addons-1.37/
./configure && make && make install

5 Setting Up geoip Module

Create geoip database for iptables geoip match

cd geoip/

Using the scripts from the geoip folder, download and compile the database:

./xt_geoip_dl
./xt_geoip_build GeoIPCountryWhois.csv

Move the files to their default location:

mkdir -p /usr/share/xt_geoip/

cp -r {BE,LE} /usr/share/xt_geoip/

Test it like this:

iptables -I INPUT -m geoip --src-cc CN -j DROP