Blocking QQ and Xunlei with iptables + l7-filter + opendpi

Author: 刘运锋    Date: 2011-09-21

1、 Preface

At the 2011 Architects Conference I had the good fortune to hear a talk by 白金. On blocking QQ and Xunlei with iptables, 白金 introduced two plugins, l7-filter and ipp2p. In my own experiments, however, I found that ipp2p is no longer maintained upstream; it is kept alive and updated by hobbyists in China. ipp2p also does not build cleanly against every kernel version, so I read the documentation for opendpi, the replacement recommended on the ipp2p website, and found that Chinese-language documentation on opendpi is very scarce. Having had the chance to try it, I record the process and the points to watch out for here, for reference.

Given the actual environment, the deployment environment and installation process are as follows:

2、 Environment

System:   CentOS 5.5
Kernel:   kernel 2.6.18-194.el5
iptables: iptables v1.3.5

3、 Software and download addresses:

kernel 2.6.25.7
    http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.25.7.tar.bz2

iptables 1.4.3.2
    http://www.netfilter.org/projects/iptables/files/iptables-1.4.3.2.tar.bz2

netfilter-layer7
    http://cdnetworks-kr-2.dl.sourceforge.net/project/l7-filter/l7-filter%20kernel%20version/2.22/netfilter-layer7-v2.22.tar.gz

l7-protocols
    http://cdnetworks-kr-2.dl.sourceforge.net/project/l7-filter/Protocol%20definitions/2009-05-28/l7-protocols-2009-05-28.tar.gz

opendpi
    http://opendpi.googlecode.com/files/opendpi-1.3.0.tar.gz

opendpi-netfilter-wrapper
    http://opendpi.googlecode.com/files/opendpi-netfilter-wrapper-1.2.tar.gz

ipp2p-0.99.15-k2.6.28-i1.4.7
    http://bbs.chinaunix.net/attachment.php?aid=NDU3OTgzfDc3NDZiZmRifDEzMTY1MDUzNjV8YmVjNUk4bFFOTkJiRkk2TUZPNEdhNU82dU9RaXF5azlRWkIyV0ZqbHdiY1dZRFE%3D

Place all of the above packages in /usr/src.

kernel 2.6.25.7 was chosen because, while testing, I tried a newer kernel but could not get opendpi to compile against it, so I had to fall back to kernel 2.6.25.7.

The errors encountered were as follows:

/usr/src/opendpi-netfilter-wrapper-1.2/wrapper/src/main.c:362: warning: ‘struct nf_ct_event’ declared inside parameter list

/usr/src/opendpi-netfilter-wrapper-1.2/wrapper/src/main.c:362: warning: its scope is only this definition or declaration, which is probably not what you want

/usr/src/opendpi-netfilter-wrapper-1.2/wrapper/src/main.c: In function ‘opendpi_conntrack_event’:

/usr/src/opendpi-netfilter-wrapper-1.2/wrapper/src/main.c:364: error: dereferencing pointer to incomplete type

/usr/src/opendpi-netfilter-wrapper-1.2/wrapper/src/main.c: At top level:

/usr/src/opendpi-netfilter-wrapper-1.2/wrapper/src/main.c:383: error: variable ‘osdpi_notifier’ has initializer but incomplete type

/usr/src/opendpi-netfilter-wrapper-1.2/wrapper/src/main.c:384: error: unknown field ‘fcn’ specified in initializer

/usr/src/opendpi-netfilter-wrapper-1.2/wrapper/src/main.c:384: warning: excess elements in struct initializer

/usr/src/opendpi-netfilter-wrapper-1.2/wrapper/src/main.c:384: warning: (near initialization for ‘osdpi_notifier’)

/usr/src/opendpi-netfilter-wrapper-1.2/wrapper/src/main.c: In function ‘opendpi_cleanup’:

/usr/src/opendpi-netfilter-wrapper-1.2/wrapper/src/main.c:591: warning: passing argument 1 of ‘nf_conntrack_unregister_notifier’ from incompatible pointer type

/usr/src/opendpi-netfilter-wrapper-1.2/wrapper/src/main.c: In function ‘opendpi_mt_init’:

/usr/src/opendpi-netfilter-wrapper-1.2/wrapper/src/main.c:677: warning: passing argument 1 of ‘nf_conntrack_register_notifier’ from incompatible pointer type

make[3]: *** [/usr/src/opendpi-netfilter-wrapper-1.2/wrapper/src/main.o] Error 1

make[2]: *** [_module_/usr/src/opendpi-netfilter-wrapper-1.2/wrapper/src] Error 2

make[2]: Leaving directory `/usr/src/linux-2.6.28'

make[1]: *** [all] Error 2

make[1]: Leaving directory `/usr/src/opendpi-netfilter-wrapper-1.2/wrapper/src'

make: *** [all] Error 2

I have contacted the opendpi project about this; there has been no reply so far!

4、 Recompiling the kernel:

#tar -jxvf linux-2.6.25.7.tar.bz2

#tar -zxvf netfilter-layer7-v2.22.tar.gz

#tar -zxvf l7-protocols-2009-05-28.tar.gz

#cd linux-2.6.25.7

#patch -p1 < /usr/src/netfilter-layer7-v2.22/kernel-2.6.25-2.6.28-layer7-2.22.patch

patching file net/netfilter/Kconfig

patching file net/netfilter/Makefile

patching file net/netfilter/xt_layer7.c

patching file net/netfilter/regexp/regexp.c

patching file net/netfilter/regexp/regexp.h

patching file net/netfilter/regexp/regmagic.h

patching file net/netfilter/regexp/regsub.c

patching file net/netfilter/nf_conntrack_core.c

patching file net/netfilter/nf_conntrack_standalone.c

patching file include/net/netfilter/nf_conntrack.h

patching file include/linux/netfilter/xt_layer7.h

#cp /boot/config-2.6.18-194.el5 /usr/src/linux-2.6.25.7/.config

#make menuconfig    (note: run this from a graphical interface)

(1) Networking support → Networking Options → Network packet filtering framework → Core Netfilter Configuration, enable:

    Netfilter connection tracking support
        Connection tracking events
        Connection tracking netlink interface
        FTP protocol support
    "layer7" match support
    "string" match support
    "time" match support
    "iprange" match support
    "connlimit" match support
    "state" match support
    "conntrack" connection match support
    "mac" address match support
    "multiport" Multiple port match support

(2) Networking support → Networking Options → Network packet filtering framework → IP: Netfilter Configuration, enable:

    IPv4 connection tracking support (required for NAT)
        Full NAT
            MASQUERADE target support
            NETMAP target support
            REDIRECT target support

#make && make modules_install && make install

The build takes at least half an hour; you can do something else in the meantime. When it has finished:

       #vi /etc/grub.conf

 

# grub.conf generated by anaconda

#

# Note that you do not have to rerun grub after making changes to this file

# NOTICE:  You have a /boot partition.  This means that

#          all kernel and initrd paths are relative to /boot/, eg.

#          root (hd0,0)

#          kernel /vmlinuz-version ro root=/dev/VolGroup00/LogVol00

#          initrd /initrd-version.img

#boot=/dev/sda

default=1  ----- change to default=0

timeout=5

splashimage=(hd0,0)/grub/splash.xpm.gz

hiddenmenu

title CentOS (2.6.25.7)

        root (hd0,0)

        kernel /vmlinuz-2.6.25.7 ro root=/dev/VolGroup00/LogVol00 rhgb quiet

        initrd /initrd-2.6.25.7.img

title CentOS (2.6.18-194.el5)

        root (hd0,0)

        kernel /vmlinuz-2.6.18-194.el5 ro root=/dev/VolGroup00/LogVol00 rhgb quiet

        initrd /initrd-2.6.18-194.el5.img

#reboot

#uname -a

Linux proxytest 2.6.25.7 #1 SMP Wed Sep 21 19:01:12 CST 2011 i686 i686 i386 GNU/Linux

After the reboot, check that the system is running the new kernel. This completes the kernel build.

 

5、 Updating iptables with the Layer7 patch

#cd /usr/src

# tar -zxvf netfilter-layer7-v2.22.tar.gz

# tar -jxvf iptables-1.4.3.2.tar.bz2

# cp /usr/src/netfilter-layer7-v2.22/iptables-1.4.3forward-for-kernel-2.6.20forward/* /usr/src/iptables-1.4.3.2/extensions/

# cd /usr/src/iptables-1.4.3.2

# ./configure --with-ksource=/usr/src/linux-2.6.25.7

# make && make install

# iptables -V

iptables v1.4.3.2   # updated to the new version

 

6、 Installing the Layer7 protocol definitions

# cd /usr/src

# tar -zxvf l7-protocols-2009-05-28.tar.gz

# cd l7-protocols-2009-05-28

# make install

7、 Layer7 rules

# iptables -t mangle -I PREROUTING -m layer7 --l7proto edonkey -j DROP (block eDonkey)

# iptables -t mangle -I PREROUTING -m layer7 --l7proto bittorrent -j DROP (block BitTorrent)

# iptables -t mangle -I PREROUTING -m layer7 --l7proto qq -j DROP (block QQ traffic)

# iptables -t mangle -I PREROUTING -m layer7 --l7proto msnmessenger -j DROP (block MSN Messenger)

# iptables -t mangle -I PREROUTING -m layer7 --l7proto xunlei -j DROP (block Xunlei)

# iptables -t mangle -I PREROUTING -m layer7 --l7proto kugoo -j DROP (block Kugoo)

# iptables -t mangle -I PREROUTING -m layer7 --l7proto yahoo -j DROP (block Yahoo! Messenger)

8、 Installing opendpi

(1) Install opendpi-netfilter

#cd /usr/src

#tar -zxvf opendpi-1.3.0.tar.gz

#tar -zxvf opendpi-netfilter-wrapper-1.2.tar.gz

#cd opendpi-netfilter-wrapper-1.2/wrapper

#export OPENDPI_PATH=/usr/src/opendpi-1.3.0

# OPENDPI_PATH=/usr/src/opendpi-1.3.0  make

# make modules_install

# cp ipt/libxt_opendpi.so /usr/local/libexec/xtables

# iptables -m opendpi --help

If the match's help text is displayed, the build succeeded.

 

(2) Install opendpi

#cd /usr/src/opendpi-1.3.0

#./configure

# make

If you get errors like the following:

OpenDPI_demo.c:42:18: error: pcap.h: No such file or directory

OpenDPI_demo.c:50: error: ‘PCAP_ERRBUF_SIZE’ undeclared here (not in a function)

OpenDPI_demo.c:51: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘__attribute__’ before ‘*’ token

OpenDPI_demo.c: In function ‘openPcapFile’:

OpenDPI_demo.c:457: error: ‘_pcap_handle’ undeclared (first use in this function)

OpenDPI_demo.c:457: error: (Each undeclared identifier is reported only once

OpenDPI_demo.c:457: error: for each function it appears in.)

OpenDPI_demo.c: In function ‘closePcapFile’:

OpenDPI_demo.c:468: error: ‘_pcap_handle’ undeclared (first use in this function)

OpenDPI_demo.c: At top level:

OpenDPI_demo.c:474: warning: ‘struct pcap_pkthdr’ declared inside parameter list

OpenDPI_demo.c:474: warning: its scope is only this definition or declaration, which is probably not what you want

OpenDPI_demo.c: In function ‘pcap_packet_callback’:

OpenDPI_demo.c:485: error: dereferencing pointer to incomplete type

OpenDPI_demo.c:486: error: dereferencing pointer to incomplete type

OpenDPI_demo.c:497: error: ‘DLT_EN10MB’ undeclared (first use in this function)

OpenDPI_demo.c:503: error: dereferencing pointer to incomplete type

OpenDPI_demo.c:505: error: dereferencing pointer to incomplete type

OpenDPI_demo.c:505: error: dereferencing pointer to incomplete type

OpenDPI_demo.c:515: error: dereferencing pointer to incomplete type

OpenDPI_demo.c:517: error: dereferencing pointer to incomplete type

OpenDPI_demo.c:517: error: dereferencing pointer to incomplete type

OpenDPI_demo.c: In function ‘runPcapLoop’:

OpenDPI_demo.c:524: error: ‘_pcap_handle’ undeclared (first use in this function)

make[1]: *** [OpenDPI_demo.o] Error 1

make[1]: Leaving directory `/usr/src/opendpi-1.3.0/src/examples/OpenDPI_demo'

make: *** [all-recursive] Error 1

install libpcap-devel:

#yum install libpcap-devel

#make

#make install

 

(3) Example rules:

iptables -A OUTPUT -m opendpi --http -j REJECT (block the HTTP protocol)

iptables -A OUTPUT -m opendpi --thunder -j REJECT (block the Xunlei/Thunder protocol)

iptables -A OUTPUT -m opendpi --pplive -j REJECT (block the PPLive protocol)

……

There are many more like these; see iptables -m opendpi --help for the full list.
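As an added example (not part of the original article), a small POSIX sh audit for the blocking rules of sections 7 and 8(3): it reads the counters printed by `iptables -t mangle -L PREROUTING -v -n -x` (or `-L OUTPUT` for the opendpi rules) and lists every DROP/REJECT rule together with its packet count, flagging rules that have never matched. The listing embedded below is constructed, with the `LAYER7 l7proto ...` column assumed to be what libxt_layer7 prints; since the protocol definitions installed in section 6 are dated 2009-05-28, a permanently zero counter on a rule is the usual sign of a pattern that no longer matches the client version actually in use, rather than proof that the traffic is gone.

```shell
#!/bin/sh
# Audit hit counters of layer7/opendpi blocking rules.
# Feed it the output of:  iptables -t mangle -L PREROUTING -v -n -x
# (or -L OUTPUT for the opendpi REJECT rules) on stdin.

# Constructed sample listing (not captured from a real gateway).
SAMPLE='Chain PREROUTING (policy ACCEPT 48213 packets, 31020554 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     120    34567 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            LAYER7 l7proto qq
       0        0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            LAYER7 l7proto xunlei
       5     2048 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            LAYER7 l7proto bittorrent
    9001  4200000 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED'

# rule_hits: stdin = "-v -n -x" listing; stdout = "<match text>|<pkts>" for
# every DROP/REJECT rule. The match text is everything after the destination
# column, so it also covers rules built with other matches (e.g. opendpi).
rule_hits() {
    awk '$3 == "DROP" || $3 == "REJECT" {
        desc = ""
        for (i = 10; i <= NF; i++) desc = desc (i > 10 ? " " : "") $i
        print desc "|" $1
    }'
}

# zero_hit_rules: stdin = same listing; stdout = match text of blocking rules
# whose packet counter is still 0 (candidates for a stale pattern).
zero_hit_rules() {
    rule_hits | awk -F'|' '$2 == 0 { print $1 }'
}

# Demo on the constructed sample; replace the printf with a real listing,
# e.g.  iptables -t mangle -L PREROUTING -v -n -x | sh -c '. ./audit.sh; zero_hit_rules'
echo "rule hits:"
printf '%s\n' "$SAMPLE" | rule_hits
echo "rules that never matched:"
printf '%s\n' "$SAMPLE" | zero_hit_rules
```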
