Installing l7-filter on Debian 6 to block Xunlei at the application layer

Platform: Debian 6 x86_64 on Linode, with kernel version 2.6.28 selected in the Linode profile; the l7-filter site states that this kernel version is supported.

1. Prepare the environment

apt-get update

apt-get upgrade -y

apt-get install -y build-essential libncurses5-dev gcc grub-legacy


2. Download the required packages

wget http://download.clearfoundation.com/l7-filter/netfilter-layer7-v2.22.tar.gz

wget http://download.clearfoundation.com/l7-filter/l7-protocols-2009-05-28.tar.gz

wget http://www.netfilter.org/projects/iptables/files/iptables-1.4.21.tar.bz2

wget https://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.28.tar.bz2


3. Build the new kernel

tar xvf linux-2.6.28.tar.bz2 -C /usr/src

tar xvf netfilter-layer7-v2.22.tar.gz

cd /usr/src

ln -s linux-2.6.28 linux

cd linux

patch -p1 < /root/netfilter-layer7-v2.22/kernel-2.6.25-2.6.28-layer7-2.22.patch

zcat /proc/config.gz > .config

make oldconfig   # answer the prompts for new features and drivers as you see fit; the main thing is to add the layer7 module

make menuconfig    # select the modules to add


Networking support → Networking Options → Network packet filtering framework → Core Netfilter Configuration

<M>  Netfilter connection tracking support

<M>  "connlimit"  match support

<M>  "conntrack"  connection  match support

<M>  "iprange"  match support

<M>  "mac"  address  match support

<M>  "multiport" Multiple port match support

<M>  "state"  match support

<M>  "layer7" match support

<M>  "string" match support

<M>  "time"  match support


Networking support → Networking Options → Network packet filtering framework → IP Netfilter Configuration

<M> IPv4 connection tracking support (required for NAT)

<M> Full NAT

<M> MASQUERADE target support

<M> NETMAP target support

<M> REDIRECT target support


make -j3 bzImage

make -j3 modules

make

make modules_install

make install


ls /boot    # check that vmlinuz-2.6.28 was generated


cd /boot

mkdir grub

cd grub

vi menu.lst

default 0

timeout 5

title           Custom Compiled, kernel 2.6.28

root            (hd0)

kernel          /boot/vmlinuz-2.6.28 root=/dev/xvda ro quiet


In the Linode Manager, edit the profile and set the kernel to pv-grub-x86_64


Verify after rebooting

uname -a


4. Upgrade iptables

apt-get remove iptables -y


tar xvf iptables-1.4.21.tar.bz2

cp netfilter-layer7-v2.22/iptables-1.4.3forward-for-kernel-2.6.20forward/libxt_layer7.* /root/iptables-1.4.21/extensions/

cd iptables-1.4.21

./configure --prefix=/usr --with-ksource=/usr/src/linux

make

make install


iptables -V  # check that the version is the one just built

iptables -m layer7 --help  # show the help for the layer7 match


5. Install the protocol pattern package:

tar xvf l7-protocols-2009-05-28.tar.gz

cd l7-protocols-2009-05-28

make install


The supported protocols can be listed with:

ls protocols/


6. Set the iptables rules

iptables -t mangle -I POSTROUTING -m layer7 --l7proto xunlei -j DROP

iptables -t mangle -I PREROUTING -m layer7 --l7proto edonkey -j DROP

iptables -t mangle -I PREROUTING -m layer7 --l7proto bittorrent -j DROP


7. After testing, Xunlei still works. Heh.

Could it be that all of Xunlei's traffic is encrypted? A short record of the tinkering process.
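To show why the rules in step 6 can catch a plaintext handshake yet never see an encrypted client, here is an added Python example (not part of the original post, nor l7-filter's own code) that mimics what the layer7 match does: it parses the .pat file layout used by l7-protocols, joins the first payload bytes of a connection and runs the pattern regex over them case-insensitively. The pattern files and flows are constructed samples, and the 10-packet/2048-byte window values are assumed defaults.

```python
import re

# Constructed, simplified .pat files in the l7-protocols layout (not the real
# l7-protocols entries): '#' comment lines, then the protocol name, then one
# regular expression that l7-filter applies case-insensitively.
SAMPLE_PATTERNS = {
    "bittorrent.pat": "# constructed sample\nbittorrent\n^\\x13bittorrent protocol\n",
    "http.pat": "# constructed sample\nhttp\n^(get|post|head) [^ ]+ http/1\\.[01]\n",
}

# Classification window: the l7-filter module's default limits as recalled by
# the author of this example (num_packets=10, maxdatalen=2048); assumptions.
MAX_PACKETS = 10
MAX_BYTES = 2048

def parse_pat(text):
    """Return (protocol name, compiled regex) from the contents of a .pat file."""
    lines = [ln.strip() for ln in text.splitlines()
             if ln.strip() and not ln.lstrip().startswith("#")]
    if len(lines) < 2:
        raise ValueError("a .pat file needs a name line and a regex line")
    return lines[0], re.compile(lines[1], re.IGNORECASE)

def classify(packets, patterns):
    """Mimic l7-filter: join the first payload bytes of one connection, try each regex."""
    buf = b"".join(packets[:MAX_PACKETS])[:MAX_BYTES]
    text = buf.decode("latin-1")  # one char per byte, so \xHH in a regex lines up
    for name, rx in patterns:
        if rx.search(text):
            return name
    return "unknown"  # after the window l7-filter gives up and never re-checks

PATTERNS = [parse_pat(t) for t in SAMPLE_PATTERNS.values()]

# Constructed flows (lists of per-packet payloads).
PLAIN_HANDSHAKE = [b"\x13BitTorrent protocol" + b"\x00" * 8 + b"I" * 20 + b"P" * 20]
HTTP_REQUEST = [b"GET /index.html HTTP/1.1\r\nHost: example.invalid\r\n\r\n"]
# An obfuscated/encrypted stream has no fixed plaintext bytes for a regex to hit.
ENCRYPTED_STREAM = [bytes(range(0x80, 0x100))] * 3
# The same handshake arriving after the window has closed is missed as well.
LATE_HANDSHAKE = [b"\x00" * 16] * MAX_PACKETS + PLAIN_HANDSHAKE

def demo():
    """Classify each constructed flow; returns e.g. {'plain': 'bittorrent', ...}."""
    flows = [("plain", PLAIN_HANDSHAKE), ("http", HTTP_REQUEST),
             ("encrypted", ENCRYPTED_STREAM), ("late", LATE_HANDSHAKE)]
    return {label: classify(flow, PATTERNS) for label, flow in flows}
```

Before adding a DROP rule for a protocol, a matching rule with -j LOG (or the packet counters from iptables -t mangle -L -v) shows whether the classifier ever fires on real traffic; zero hits points to encryption or to a pattern that no longer fits the client.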
