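I originally tested the installation on a virtual machine many times, but it kept reporting errors and would never install. (It seems the virtual machine's kernel cannot be upgraded.)

My operating system is CentOS.

This layer 7 installs on 2.28 at minimum. (Higher versions also work.)

The steps are as follows: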

Download the required packages:

wget http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.28.tar.bz2
wget http://netfilter.org/projects/iptables/files/iptables-1.4.7.tar.bz2
wget -O l7-protocols-2009-05-28.tar.gz "http://downloads.sourceforge.net/project/l7-filter/Protocol%20definitions/2009-05-28/l7-protocols-2009-05-28.tar.gz?use_mirror=nchc"
wget -O netfilter-layer7-v2.22.tar.gz "http://downloads.sourceforge.net/project/l7-filter/l7-filter%20kernel%20version/2.22/netfilter-layer7-v2.22.tar.gz?use_mirror=nchc"

 
Extract the files above:

tar jxvf linux-2.6.28.tar.bz2 -C /usr/src
tar jxvf iptables-1.4.7.tar.bz2 -C /usr/src
tar zxvf l7-protocols-2009-05-28.tar.gz -C /usr/src
tar zxvf netfilter-layer7-v2.22.tar.gz -C /usr/src

 
Install Layer 7

Apply the Layer 7 patch to the new kernel:
cd /usr/src/linux-2.6.28/
patch -p1 < /usr/src/netfilter-layer7-v2.22/kernel-2.6.25-2.6.28-layer7-2.22.patch
 
 
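Once the steps above are done, you can start compiling the kernel with Layer 7 support. Take care with the options you select when configuring the kernel: whether the installation succeeds depends largely on whether the kernel build succeeds. The kernel build options are shown in the table below.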
make menuconfig
 
 
General setup  --->
    Prompt for development and/or incomplete code/drivers          required
Networking  --->
    Networking options  --->
        Network packet filtering framework (Netfilter)  --->
            Core Netfilter Configuration  --->                     selecting every item under this entry is recommended
                Netfilter connection tracking support              required
                "layer7" match support                             required
                    Layer 7 debugging output                       required
            IP: Netfilter Configuration  --->                      required
 
 
Compile the kernel:

make clean
make
make modules
make modules_install
make install

 
 
Change the boot entry, then reboot the system:

vi /etc/grub.conf

 

# grub.conf generated by anaconda
#
# Note that you do not have to rerun grub after making changes to this file
# NOTICE:  You have a /boot partition.  This means that
#          all kernel and initrd paths are relative to /boot/, eg.
#          root (hd0,0)
#          kernel /vmlinuz-version ro root=/dev/VolGroup00/LogVol00
#          initrd /initrd-version.img
#boot=/dev/sda
default=0
timeout=5
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
title CentOS (2.6.28)
        root (hd0,0)
        kernel /vmlinuz-2.6.28 ro root=/dev/VolGroup00/LogVol00
        initrd /initrd-2.6.28.img
title CentOS (2.6.18-164.el5)
        root (hd0,0)
        kernel /vmlinuz-2.6.18-164.el5 ro root=/dev/VolGroup00/LogVol00
        initrd /initrd-2.6.18-164.el5.img

 
 
Compile and install iptables with Layer 7 support:

cd /usr/src/iptables-1.4.7/
cp /usr/src/netfilter-layer7-v2.22/iptables-1.4.3forward-for-kernel-2.6.20forward/* extensions/
./configure --with-ksource=/usr/src/linux-2.6.28
make
make install

Install the Layer 7 protocols:

cd /usr/src/l7-protocols-2009-05-28/
make install

Test:

iptables -V
iptables -m layer7 --help

A final example:
iptables -A FORWARD -m layer7 --l7proto qq -j DROP
Success.
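
The following script is an added example, not part of the original post. It checks the kernel .config for the options marked required above before the long build, and checks that a pattern file exists for a protocol before a rule references it. Assumptions: the Kconfig symbol names listed in the script correspond to those menu entries, and the protocol definitions are installed under /etc/l7-protocols.

```shell
#!/bin/sh
# Added example: sanity checks for the l7-filter procedure above.
# Assumption: these Kconfig symbols correspond to the menuconfig entries
# marked "required" (experimental prompt, Netfilter, connection tracking,
# "layer7" match support).
L7_REQUIRED_SYMBOLS="CONFIG_EXPERIMENTAL CONFIG_NETFILTER CONFIG_NF_CONNTRACK CONFIG_NETFILTER_XT_MATCH_LAYER7"

# Print every required symbol that is not set to y or m in the given .config.
# Returns 0 only when nothing is missing (an unreadable file counts as missing).
l7_missing_symbols() {
    config_file=$1
    missing=""
    for sym in $L7_REQUIRED_SYMBOLS; do
        if ! grep -Eq "^${sym}=(y|m)\$" "$config_file" 2>/dev/null; then
            missing="${missing}${missing:+ }${sym}"
        fi
    done
    printf '%s' "$missing"
    [ -z "$missing" ]
}

# Succeed when <proto>.pat exists somewhere below the protocol directory.
# Assumption: the default directory is /etc/l7-protocols.
l7_proto_defined() {
    proto=$1
    dir=${2:-/etc/l7-protocols}
    # Accept plain names only, so the value cannot carry a path or glob
    # characters into the find pattern.
    case $proto in
        ''|*[!A-Za-z0-9_.-]*) return 2 ;;
    esac
    [ -n "$(find "$dir" -type f -name "${proto}.pat" 2>/dev/null | head -n 1)" ]
}

# Usage: sh l7check.sh /usr/src/linux-2.6.28/.config qq
if [ "$#" -eq 2 ]; then
    miss=$(l7_missing_symbols "$1") || { echo "not enabled in $1: $miss" >&2; exit 1; }
    l7_proto_defined "$2" || { echo "no pattern file for protocol: $2" >&2; exit 1; }
    echo "ok: kernel options set and $2.pat found"
fi
```

Run it against the .config after make menuconfig and before make, then again with the protocol name before adding a DROP rule.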