Installation

Each Netfilter module needs to operate at two layers, the kernel space and user space.  The user space supports the arguments for the "iptables" binary needed for that specific module.  For example the user space code supports the "--funccode", "--unitid" "--len" etc.  It parses the arguments, passes them to the kernel space module and it registers itself with the kernel space module.  The kernel space module is the one which actually parses the packets hitting it and checks its contents against the user supplied values.  As with any other Netfilter module, the compilation for this module should be done at both kernel and userspace as explained below.  The kernel space patch goes into the Linux kernel code, into net/ipv4/netfilter/ directory, adds a new kernel module(ipt_modbus.o) upon compilation.  The user space patch patches the iptables source code and adds a new shared library(libipt_modbus.so) upon compilation.  The kernel module should be loaded into the kernel and the shared library should be placed inside the directory where all other shared libraries for iptables exist(usually /lib/iptables) so that  iptables will go find it when a "-m modbus" argument is specified.

Kernel space

• Download the kernel space patch into your kernel source directory, /usr/src/linux or whatever your kernel source code is
• Apply patch, [patch -p1 < kernelspace.patch]
• Configure the kernel and compile the module either in-built into the kernel or as a stand-alone module: Make your favorite config [make menuconfig] and select the "Network packet filtering" option inside "Networking Options". Select "Netfilter Configuration" and select "Modbus firewall support" as either modular or inbuilt into the kernel.
• Compile the kernel [make dep; make modules]. The ipt_modbus.so should be in the net/ipv4/netfilter/ directory

User space

• Download the iptables source code and unzip it.
• Copy userspace.patch into the "extensions" directory inside the unzipped iptables directory. Apply the userspace patch [patch -p1 < userspace.patch]
• Make the new iptables binary and userspace modbus module: [make KERNEL_DIR=your
  linux source location]
• The new iptables binary should be in the top iptables*.*.* directory and libipt_modbus.so should be in the extensions directory. You might want to move libipt_modbus.so file to /lib/iptables/ directory so that the iptables binary will be able to find it. You can use the old iptables binary, there should be changes to the iptables binary itself.

Usage

• On the kernel sideLoad the modbus module: [# modprobe ipt_modbus]

  On the user side

  Make a iptables entry specifying what needs to be filtered. Right now the supported options are function code (--funccode), unit ID (--unitid), reference number (--refnum) and length(--len). The match will trigger when anyone of the given parameters matachess

  Examples

  # iptables -A INPUT -p tcp -m modbus --funccode 16 –allowtcp 0 -j DROP

  (Drops whenever the functioni code of the received packet is 16}

  # iptables -A INPUT -p tcp -m modbus --funccode ! 16 –allowtcp 0 -j DROP

  (Drops whenever the functioni code of the received packet is NOT 16)

  # iptables -A INPUT -p tcp -m modbus --funccode 16 –allowtcp 0 --unitid !3 --refnum 5433 -j DROP

  (The packet will the dropped when either function code is 16, OR unitid is not 3 OR reference number is 5433)

  # iptables -A INPUT -p tcp -m modbus --funccode 16-23 –allowtcp 0 --unitid !3 --refnum 5433 –len 64 -j DROP

  (The packet will the dropped when either function code is between 16 and 23, OR unitid is not 3 OR reference number is 5433 OR the length is 64)

  # iptables -A INPUT -p tcp -m modbus --funccode 16-23 --unitid !3 --refnum 5433 –len lt64 –allowtcp 0 -j DROP

  (The packet will the dropped when either function code is between 16 and 23, OR unitid is not 3 OR reference number is 5433 OR the length less than 64)