iptables+l7-filter 封QQ MSN和P2P

在网关上如果要封杀 QQ、MSN 或者 P2P 等软件的通讯,单纯用 iptables 逐一封服务端IP或者封通讯端口都不是很好的办法,最简单的方法是使用L7-filter。  
           L7-filter (Application Layer Packet Classifier for Linux), 是 Linux netfilter 的外挂模块, 它能使 Linux 的 iptables 支持 Layer 7 (Application 应用层) 过滤功能, 限制封杀 P2P、即时通讯软件。
Centos 4.4
Kernel 2.6.9-42.0.3.EL
Iptables 1.2.11

1.下载所需软件包:
kernel 2.6.19.7
# wget http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.19.7.tar.bz2
iptables 1.3.7
# wget http://www.netfilter.org/projects/iptables/files/iptables-1.3.7.tar.bz2
L7-filter http://sourceforge.net/project/showfiles.php?group_id=80085
netfilter-layer7-v2.12.tar.gz
l7-protocols-2007-06-22.tar.gz

2.配置编译新内核
首先将所下载的软件都放置于/usr/src目录下
# tar zxvf netfilter-layer7-v2.12.tar.gz
# tar xjvf linux.2.6.19.7.tar.bz2
# ln -s linux.2.6.19.7 linux
# cd linux
# patch -p1 < /usr/src/netfilter-layer7-v2.9/kernel-2.6.18-2.6.19-layer7-2.9.patch (打L7-filter的内核补丁)
# make oldconfig
(如果之前曾经编译过,需要先执行 make mrproper 。make oldconfig会自动对比之前的kernel config,根据之前版本的配置生成一个kernel config,这样方便我们在编译新核心的时候,无须在从头修改所有的核心设置)
# make menuconfig 设定内核参数,具体参数可以参考这篇文章 内核编译详解
核心不同,内核选项的排列方式有可能不一样,仔细找一下可以找到:
Code maturity level options �C> [*] Prompt for development and/or incomplete code/drivers
Networking �C> Networking options �C>
     [*] Network packet filtering (replaces ipchains) �C>
         IP: Netfilter Configuration �C>
             <M> Connection tracking (required for masq/NAT)
            [*] Connection tracking flow accounting
            <M> IP tables support (required for filtering/masq/NAT)
            <M> Layer 7 match support
# make
# make modules
# make modules_install
# make install
# reboot
# uame -a
Linux jason.10235 2.6.19.7 #1 Fri Jul 6 11:56:11 CST 2007 i686 i686 i386 GNU/Linux
系统已经更新至新内核 2.6.19.7
3.更新升级Iptalbes的Layer7补丁
# cd /usr/src
# tar xjvf iptables-1.3.7.tar.bz2
# cd iptables-1.3.7
# patch -p < ../netfilter-layer7-v2.0/iptables-layer7-2.0.patch
# chmod +x extensions/.layer7-test
# export KERNEL_DIR=/usr/src/linux-2.6.19.7
# export IPTABLES_DIR=/usr/src/iptables-1.3.7
# make BINDIR=/sbin LIBDIR=/lib MANDIR=/usr/share/man install
# iptables -V
iptables v1.3.7 已经更新至新版本

4. 安装Layer7 协议文件

# cd /usr/src
# tar zxvf l7-protocols-2007-06-22.tar.gz
# cd l7-protocols-2007-06-22
# make install

5.使用iptables layer-7 filter:

# iptables -t mangle -I PREROUTING -m layer7 --l7proto edonkey -j DROP (禁止edonkey)
# iptables -t mangle -I PREROUTING -m layer7 --l7proto bittorrent -j DROP (禁止bt)
# iptables -t mangle -I PREROUTING -m layer7 --l7proto qq -j DROP (禁止QQ通讯)
# iptables -t mangle -I PREROUTING -m layer7 --l7proto msnmessenger -j DROP (禁止edonkey)
# iptables -t mangle -I PREROUTING -m layer7 --l7proto xunlei -j DROP (禁止迅雷)
# iptables -t mangle -I PREROUTING -m layer7 --l7proto kugoo -j DROP (禁止kugoo)
# iptables -t mangle -I PREROUTING -m layer7 --l7proto yahoo -j DROP (禁止Yahoo! Messenger)
 
 
禁MSN传送文件的方法
iptables 七层实现的。
iptables -A FORWARD -m layer7 --l7proto msn-filetransfer -j DROP
 
转文一:
作者:何祖彬[RobinHe] Mail:[email protected]
始于2008年8月3日 上午
版本号:KernelLayer7-V1.0-20080803,2008年8月3日首版
转载请注明出处,本文也是采用两篇网友的大部分内容,因此转载时,请也将下面“参考文章”的出处也一并加入!谢谢!
本文中难免有不足、遗漏、错别字和句子不通之处,如发现、或者有更新改变之处,请与我联系以及时修正和完善!
系统信息:
OS : Debian 4.0 rc3
使用说明:
绿色加粗字体的绝大部分是输入的命令和系统输出显示的结果。
参考文章:
��作 Layer 7 封包�^�V
http://ms.ntcb.edu.tw/~steven/article/kernel-layer7-filter.htm
Thank for Steven!
Debian Linux系统编译内核标准方式介绍
http://tech.itzero.com/2008/0728/article_38241.html
升级、编译自己的内核―― Debian篇
http://fanqiang.chinaunix.net/system/linux/2005-05-02/3211.shtml

第一步,要下载和安装要用的工具及相关软件:
#apt-get install debhelper modutils kernel-package libncurses5-dev fakeroot
#apt-get install gcc g++ make
注意:
因为Debian系统的内核编译跟Redhat有所不同,它在编译的时候会需要make-kpkg和fakeroot[可选]命令,因此需要安装以上的软件包才行!
我为了安装mysql、php、apache等软件还要装以及相关的软件以及常用的工具
#apt-get install vim elinks gcc g++ make libncurses5-dev libpng12-dev libjpeg62-dev zlib1g-dev libxml2-dev

第二步,下载并解开所需的源代码软件到相应的位置:
要编译内核并加入layer7模块,必须需要以下的软件的源代码:
linux kernel source
iptables source
l7-filter patch
l7-filter protocols
我选用的以上软件的版本如下:
kernel:2.6.24
iptables:1.4.0
l7-filter patch:2.17
l7-filter protocols:2008-02-20
完整下载如下:
root # wget ftp://ftp.tw.kernel.org/pub/linux/kernel/v2.6/linux-2.6.24.4.tar.bz2root # wget ftp://ftp.netfilter.org/pub/iptables/iptables-1.4.0.tar.bz2root # wget http://nchc.dl.sourceforge.net/sourceforge/l7-filter/netfilter-layer7-v2.17.tar.gzroot # wget http://nchc.dl.sourceforge.net/sourceforge/l7-filter/l7-protocols-2008-02-20.tar.gz或者直接从我们自已的服务器下载全部的压缩包:
http://pt.cjcht.com:85/l7.tar.gz    //文件大小有60MB左右,还有包括两个新版的软件,我暂时没用,有空可以自已试试,就用Steven所使用的软件版本!
#cd /usr/local/src
#wget http://pt.cjcht.com:85/l7.tar.gz
#tar -zxvf l7.tar.gz
按我的习惯,将这些软件解压到:/usr/local/src/Layer7下面:
因为是编译新的内核,我习惯将编译内核的源代码放在/usr/src下面,并建一个新的目录kernels,觉得Steven的习惯不错,以后也养成这个习惯!
#cd /usr/src
#mkdir kernels
#cd kernels
解开要用的软件包到 /usr/src/kernels下面:
#tar -zxvf /usr/local/src/Layer7/linux-2.6.24.4.tar.bz2
#tar -zxvf /usr/local/src/Layer7/iptables-1.4.0.tar.gz
#tar -zxvf /usr/local/src/Layer7/netfilter-layer7-v2.17.tar.gz
#tar -zxvf /usr/local/src/Layer7/l7-protocols-2008-02-20.tar.gz

第三步,将Layer7加入新的内核中并进行编译:
为了方便,做一个符号链接,并进入新内核源代码的目录:
#ln -s linux-2.6.24 linux
#cd linux
如果你要用延续使用旧版本内核中的模块中的功能,你要将/boot/config-kernel-version文件copy到当前的内核目录,并命名为.config
#cp /boot/config-2.6.18-6-686 ./.config
为内核源代码打上layer7的补丁:
#patch -p1 < ../netfilter-layer7-v2.17/kernel-2.6.22-2.6.24-layer7-2.17.patch
结果如下:
patching file net/netfilter/Kconfig
patching file net/netfilter/Makefile
patching file net/netfilter/xt_layer7.c
patching file net/netfilter/regexp/regexp.c
patching file net/netfilter/regexp/regexp.h
patching file net/netfilter/regexp/regmagic.h
patching file net/netfilter/regexp/regsub.c
patching file net/netfilter/nf_conntrack_core.c
patching file net/netfilter/nf_conntrack_standalone.c
patching file include/net/netfilter/nf_conntrack.h
patching file include/linux/netfilter/xt_layer7.h
为内核选择layer7及相关的模块:
#make menuconfig
选项如下:
 General setup  --->     [*] Prompt for development and/or incomplete code/drivers Networking  --->       Networking options  --->           [*] Network packet filtering framework (Netfilter)  --->                 Core Netfilter Configuration  --->                     <M> Netfilter connection tracking support                     -*- Connection tracking flow accounting                     -*- Connection mark tracking support                     [*] Connection tracking security mark support                     [*] Connection tracking events (EXPERIMENTAL)                     <M> SCTP protocol connection tracking support (EXPERIMENTAL)                     <M> UDP-Lite protocol connection tracking support (EXPERIMENTAL)                     <M> Amanda backup protocol support                     <M> FTP protocol support                     <M> H.323 protocol support (EXPERIMENTAL)                     <M> IRC protocol support                     <M> NetBIOS name service protocol support (EXPERIMENTAL)                     <M> PPtP protocol support                     <M> SANE protocol support (EXPERIMENTAL)                     <M> SIP protocol support (EXPERIMENTAL)                     <M> TFTP protocol support                     <M> Connection tracking netlink interface (EXPERIMENTAL)                     {M} Netfilter Xtables support (required for ip_tables)                     <M>   "CLASSIFY" target support                     <M>   "CONNMARK" target support                     <M>   "DSCP" target support                     <M>   "MARK" target support                     <M>   "NFQUEUE" target Support                     <M>   "NFLOG" target support                     <M>   "NOTRACK" target support                     <M>   "TRACE" target support                     <M>   "TRACE" target support                     <M>   "SECMARK" target support                     <M>   "CONNSECMARK" target support                     <M>   "TCPMSS" target support                     
<M>   "comment" match support                     <M>   "connbytes" per-connection counter match support                     <M>   "connlimit" match support"                     <M>   "connmark" connection mark match support                     <M>   "conntrack" connection tracking match support                     <M>   "DCCP" protocol match support                     <M>   "DCCP" protocol match support                     <M>   "DSCP" match support                     <M>   "ESP" match support                     <M>   "helper" match support                     <M>   "length" match support                     <M>   "limit" match support                     <M>   "mac" address match support                     <M>   "mark" match support                     <M>   IPsec "policy" match support                     <M>   Multiple port match support                     <M>   "physdev" match support                     <M>   "pkttype" packet type match support                     <M>   "quota" match support                     <M>   "realm" match support                     <M>   "sctp" protocol match support (EXPERIMENTAL)                     <M>   "state" match support                     <M>   "layer7" match support                     [*]     Layer 7 debugging output                     <M>   "statistic" match support                     <M>   "string" match support                     <M>   "tcpmss" match support                     <M>   "time" match support                     <M>   "u32" match support                     <M>   "hashlimit" match support                 IP: Netfilter Configuration  --->                     <M> IPv4 connection tracking support (required for NAT)                     [*]   proc/sysctl compatibility with old connection tracking (NEW                     <M> IP Userspace queueing via NETLINK (OBSOLETE)                     <M> IP tables support (required for filtering/masq/NAT)                     <M>   IP range match support             
        <M>   TOS match support                     <M>   recent match support                     <M>   ECN match support                     <M>   AH match support                     <M>   TTL match support                     <M>   Owner match support                     <M>   address type match support                     <M>   Packet filtering                     <M>     REJECT target support                     <M>   LOG target support                     <M>   ULOG target support                     <M>   Full NAT (NEW)                     <M>     MASQUERADE target support                     <M>     REDIRECT target support                     <M>     NETMAP target support                     <M>     SAME target support (OBSOLETE)                     <M>     Basic SNMP-ALG support (EXPERIMENTAL)                     <M>   Packet mangling                     <M>     TOS target support注意,刚开始时,我一直找不到:<M> "layer7" match support 和 [*] Layer 7 debugging output 这两个模块,浪费了很多时间,后来发现是因为这两个模块是属于:<> Netfilter connection tracking support 这个模块,因此得先选择<M> Netfilter connection tracking support 这样下面才有Layer7及相关模块!
其中time模块就是可以通过iptables可以控制上网的时间等功能,就是时间控制的模块!
一步一步的"EXIT"后,会提示你是否保存刚才的选择更改结果,我们选“YES”!
注意:
按以往Redhat或者其它版本的编译过程就得用make及要关命令来进行编译,但是在这里,我们需要用到Debian的专门工具make-kpkg,我想这个工具也是基于make,只是经过加工以方便Debian用户使用吧,因为Debian的启动内核参数跟别的系统有所差异!本文刚开始提到的安装那些软件包#apt-get install debhelper modutils kernel-package libncurses5-dev fakeroot就是为了这一步而做的!
清除源码树并复原 kernel-package 参数
#make-kpkg clean
然后进行编译并生成.deb的包,以供安装时使用:
#fakeroot make-kpkg --append_to_version -686 --initrd --revision=2.6.24 kernel_image modules_image
说明:fakeroot是切换到root用户环境,如果你现在当前用户不是root,你要用这个命令,否则这个命令可以省!
好像用make-kpkg这个命令在编译内核时比以往省了很多步骤!有空研究一下这东东!
同时在做这一步时需要花挺长时间进行编译工作以及后期的工作,看你的机器配置而异!普通机器 1.7G 128M内存,得需要2小时,因此你现在可以喝杯茶,去做别的事了,我找一台C533,128MB的机器,好像编译花了6个多小时,郁闷呀...
--revision=2.6.24  这个参数是指定新内核的版本号
--append_to_version -686 这个参数是指定内核的子版本
.........................
喝茶,看电视球赛中...
.........................
哎,我的老电脑[Intel(R) Celeron(TM) CPU   1100MHz,128MB, 810主板]编译这一步,花了我3小时!
编译完成后,在/usr/src/kernels下生成linux-image-2.6.24-686_2.6.24_i386.deb文件,即在 linux新内核的上一级目录!
安装新的内核:
#dpkg -i linux-image-2.6.24-686_2.6.24_i386.deb
这时,会将新内核安装到相应的位置,同时会在/boot/grub/menu.lst增加新内核的条目:
title           Debian GNU/Linux, kernel 2.6.24-686
root            (hd0,0)
kernel          /boot/vmlinuz-2.6.24-686 root=/dev/hda1 ro
initrd          /boot/initrd.img-2.6.24-686
savedefault
title           Debian GNU/Linux, kernel 2.6.24-686 (single-user mode)
root            (hd0,0)
kernel          /boot/vmlinuz-2.6.24-686 root=/dev/hda1 ro single
initrd          /boot/initrd.img-2.6.24-686
savedefault
这两条已经提到最前面,也就是说,如果我们没动这个文件的话,下次下机时,会去执行新的内核!

第四步,为iptables打补丁,并安装之...
进入iptables源代码目录:
#cd /usr/src/kernels/iptables-1.4.0
为源代码打上补丁:
#patch -p1 < ../netfilter-layer7-v2.17/iptables-1.4-for-kernel-2.6.20forward-layer7-2.17.patch
结果如下:
patching file extensions/libipt_layer7.c
patching file extensions/libipt_layer7.man
patching file extensions/.layer7-test
设置KERNEL_DIR 与 IPTABLES_DIR 环境变量,并开始编译安装:
#export KERNEL_DIR=/usr/src/kernels/linux
#export IPTABLES_DIR=/usr/src/kernels/iptables-1.4.0
#chmod +x extensions/.layer7-test
#make
#make install
安装Layer7第七层协议协议定义文件:     /*TCP/IP第七层就是应用层,就是针对网络应用软件的设计,比如QQ,MSN等...
使用Layer模块时,请参考/etc/l7-protocols文件中的定义,各种协议,比如QQ,MSN的特征都在这个目下:
#cd /usr/src/kernels/l7-protocols-2008-02-20/
#make install
执行结果:
mkdir -p /etc/l7-protocols
cp -R * /etc/l7-protocols
看执行的结果就知道,它在做什么了!
这样新的内核都弄好了,iptables也装好了,就可以重新开机了!
重新开机后,就会执行新的内核和iptables,就可以测试它是否正常了!
#shutdown -r now

第五步,测试
先测试Kernel和iptables的版本是不是我们刚才编译的那个:
#uname -a
Linux aaa.aa.com 2.6.241980 #1 SMP Sun Aug 3 09:43:54 CST 2008 i686 GNU/Linux
#iptables -V
iptables v1.4.0
再测试iptables的layer7是否可用:
# iptables -m layer7 --help
iptables v1.4.0
Usage: iptables -[AD] chain rule-specification [options]
       iptables -[RI] chain rulenum rule-specification [options]
       iptables -D chain rulenum [options]
       iptables -[LFZ] [chain] [options]
       iptables -[NX] chain
       iptables -E old-chain-name new-chain-name
       iptables -P chain target [options]
       iptables -h (print this help information)
Commands:
Either long or short options are allowed.
  --append  -A chain            Append to chain
  --delete  -D chain            Delete matching rule from chain
  --delete  -D chain rulenum
                                Delete rule rulenum (1 = first) from chain
  --insert  -I chain [rulenum]
                                Insert in chain as rulenum (default 1=first)
  --replace -R chain rulenum
                                Replace rule rulenum (1 = first) in chain
  --list    -L [chain]          List the rules in a chain or all chains
  --flush   -F [chain]          Delete all rules in  chain or all chains
  --zero    -Z [chain]          Zero counters in chain or all chains
  --new     -N chain            Create a new user-defined chain
  --delete-chain
            -X [chain]          Delete a user-defined chain
  --policy  -P chain target
                                Change policy on chain to target
  --rename-chain
            -E old-chain new-chain
                                Change chain name, (moving any references)
Options:
  --proto       -p [!] proto    protocol: by number or name, eg. `tcp'
  --source      -s [!] address[/mask]
                                source specification
  --destination -d [!] address[/mask]
                                destination specification
  --in-interface -i [!] input name[+]
                                network interface name ([+] for wildcard)
  --jump        -j target
                                target for rule (may load target extension)
  --goto      -g chain
                              jump to chain with no return
  --match       -m match
                                extended match (may load extension)
  --numeric     -n              numeric output of addresses and ports
  --out-interface -o [!] output name[+]
                                network interface name ([+] for wildcard)
  --table       -t table        table to manipulate (default: `filter')
  --verbose     -v              verbose mode
  --line-numbers                print line numbers when listing
  --exact       -x              expand numbers (display exact values)
[!] --fragment  -f              match second or further fragments only
  --modprobe=<command>          try to insert modules using this command
  --set-counters PKTS BYTES     set the counter during insert/append
[!] --version   -V              print package version.
LAYER7 match v1.4.0 options:
--l7dir <directory>  : Look for patterns here instead of /etc/l7-protocols/
                       (--l7dir must be specified before --l7proto if used!)
--l7proto [!] <name> : Match the protocol defined in /etc/l7-protocols/name.pat
还没增加layer7模块前的情况如下:
#iptables -m layer7 --help
iptables v1.3.6: Couldn't load match `layer7':/lib/iptables/libipt_layer7.so: cannot open shared object file: No such file or directory
Try `iptables -h' or 'iptables --help' for more information.

说明一切正常。
这时再测试一下能不能挡MSN和QQ[我们以这台机器为router为例,挡经过这个路由器的MSN和QQ封包]:
MSN,QQ & bt:
# iptables -t mangle -I PREROUTING -m layer7 --l7proto msnmessenger -j DROP (禁止msn)
# iptables -t mangle -I PREROUTING -m layer7 --l7proto bittorrent -j DROP (禁止bt)
# iptables -t mangle -I PREROUTING -m layer7 --l7proto qq -j DROP (禁止QQ通讯)
看一下结果:
# iptables -L -t mangle
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere            LAYER7 l7proto bittorrent
DROP       all  --  anywhere             anywhere            LAYER7 l7proto qq
DROP       all  --  anywhere             anywhere            LAYER7 l7proto msnmessenger
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
TCPMSS     tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN tcpmss match 1400:1536 TCPMSS clamp to PMTU
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

再尝试一下登录一下你的MSN,QQ以及BT软件,如果不能上线,恭喜你,成功了...
希望本文章能够帮到需要的网友们,晚安!
祖彬于2008年8月3日午夜...
本文终于2008年8月3日午夜
睡了........
到夜里12:00了...ZZZzzzzz~~zzz~zzzzZZZZ~~~!
 
 
 
 
 
 
 
 
 
 
参考文章:
------------------------------------------------------------------------------------------------------------------------
http://ms.ntcb.edu.tw/~steven/article/kernel-layer7-filter.htm
��作 Layer 7 封包�^�V
�⒖假Y�
    * L7-filter Kernel Version HOWTO
    * L7-filter 安�b���
下�d�n案
要手�泳��g新版本的核心�K加入 layer7 封包�^�V�x�的�,需要俱�湟韵绿准�:
    * linux kernel source
    * iptables source
    * l7-filter patch
    * l7-filter protocols
在本文��中,所重新��g的版本如下:
    * kernel:2.6.24.4
    * iptables:1.4.0
    * l7-filter patch:2.17
    * l7-filter protocols:2008-02-20
�榱朔奖愎芾恚�把以上套件均放在 /usr/src/kernels。
0001
   
root # cd /usr/src/kernels/
可以�x�袢魏慰上螺d�W路�n案的工具,如 lynx、wget,或 mozilla、firefox 等等工具下�d,在此�例使用 wget,方法如下:
 
root # wget ftp://ftp.tw.kernel.org/pub/linux/kernel/v2.6/linux-2.6.24.4.tar.bz2
root # wget ftp://ftp.netfilter.org/pub/iptables/iptables-1.4.0.tar.bz2
root # wget http://nchc.dl.sourceforge.net/sourceforge/l7-filter/netfilter-layer7-v2.17.tar.gz
root # wget http://nchc.dl.sourceforge.net/sourceforge/l7-filter/l7-protocols-2008-02-20.tar.gz
�⑻准�解�嚎s。
0001
   
root # tar -jxvf linux-2.6.24.4.tar.bz2; tar -zxvf l7-protocols-2008-02-20.tar.gz; tar -zxvf netfilter-layer7-v2.17.tar.gz; tar -jxvf iptables-1.4.0.tar.bz2
更新 kernel
�榱税惭b方便,我���� linux-2.6.24.4 �@��目�建位一����B�Y,以便切�Q目�。
更新 kernel patch,增加 layer7 filter �x�。

root # ln -s linux-2.6.24.4 linux; cd linux
若您想延�m使用�f版 kernel 的�x�的�,您可以把 .config �n案�}制到新 kernel 的目�下,此�r重新�x�耥�目�r就��延用之前的�O定。
�� kernel source 上 layer7 的 patch。

root # patch -p1 < ../netfilter-layer7-v2.17/kernel-2.6.22-2.6.24-layer7-2.17.patch
patching file net/netfilter/Kconfig
patching file net/netfilter/Makefile
patching file net/netfilter/xt_layer7.c
patching file net/netfilter/regexp/regexp.c
patching file net/netfilter/regexp/regexp.h
patching file net/netfilter/regexp/regmagic.h
patching file net/netfilter/regexp/regsub.c
patching file net/netfilter/nf_conntrack_core.c
patching file net/netfilter/nf_conntrack_standalone.c
patching file include/net/netfilter/nf_conntrack.h
patching file include/linux/netfilter/xt_layer7.h
�x�� layer 7 相�P�x�
在 kernel �x��e,需要把相�P的�O定�x�衿�聿趴梢裕�以下�橥暾�有�P layer 7 的�目。
 
root # make menuconfig
 General setup  --->
     [*] Prompt for development and/or incomplete code/drivers
 Networking  --->
       Networking options  --->
           [*] Network packet filtering framework (Netfilter)  --->
                 Core Netfilter Configuration  --->
                     <M> Netfilter connection tracking support
                     -*- Connection tracking flow accounting
                     -*- Connection mark tracking support
                     [*] Connection tracking security mark support
                     [*] Connection tracking events (EXPERIMENTAL)
                     <M> SCTP protocol connection tracking support (EXPERIMENTAL)
                     <M> UDP-Lite protocol connection tracking support (EXPERIMENTAL)
                     <M> Amanda backup protocol support
                     <M> FTP protocol support
                     <M> H.323 protocol support (EXPERIMENTAL)
                     <M> IRC protocol support
                     <M> NetBIOS name service protocol support (EXPERIMENTAL)
                     <M> PPtP protocol support
                     <M> SANE protocol support (EXPERIMENTAL)
                     <M> SIP protocol support (EXPERIMENTAL)
                     <M> TFTP protocol support
                     <M> Connection tracking netlink interface (EXPERIMENTAL)
                     {M} Netfilter Xtables support (required for ip_tables)
                     <M>   "CLASSIFY" target support
                     <M>   "CONNMARK" target support
                     <M>   "DSCP" target support
                     <M>   "MARK" target support
                     <M>   "NFQUEUE" target Support
                     <M>   "NFLOG" target support
                     <M>   "NOTRACK" target support
                     <M>   "TRACE" target support
                     <M>   "TRACE" target support
                     <M>   "SECMARK" target support
                     <M>   "CONNSECMARK" target support
                     <M>   "TCPMSS" target support
                     <M>   "comment" match support
                     <M>   "connbytes" per-connection counter match support
                     <M>   "connlimit" match support"
                     <M>   "connmark" connection mark match support
                     <M>   "conntrack" connection tracking match support
                     <M>   "DCCP" protocol match support
                     <M>   "DCCP" protocol match support
                     <M>   "DSCP" match support
                     <M>   "ESP" match support
                     <M>   "helper" match support
                     <M>   "length" match support
                     <M>   "limit" match support
                     <M>   "mac" address match support
                     <M>   "mark" match support
                     <M>   IPsec "policy" match support
                     <M>   Multiple port match support
                     <M>   "physdev" match support
                     <M>   "pkttype" packet type match support
                     <M>   "quota" match support
                     <M>   "realm" match support
                     <M>   "sctp" protocol match support (EXPERIMENTAL)
                     <M>   "state" match support
                     <M>   "layer7" match support
                     [*]     Layer 7 debugging output
                     <M>   "statistic" match support
                     <M>   "string" match support
                     <M>   "tcpmss" match support
                     <M>   "time" match support
                     <M>   "u32" match support
                     <M>   "hashlimit" match support
                 IP: Netfilter Configuration  --->
                     <M> IPv4 connection tracking support (required for NAT)
                     [*]   proc/sysctl compatibility with old connection tracking (NEW
                     <M> IP Userspace queueing via NETLINK (OBSOLETE)
                     <M> IP tables support (required for filtering/masq/NAT)
                     <M>   IP range match support
                     <M>   TOS match support
                     <M>   recent match support
                     <M>   ECN match support
                     <M>   AH match support
                     <M>   TTL match support
                     <M>   Owner match support
                     <M>   address type match support
                     <M>   Packet filtering
                     <M>     REJECT target support
                     <M>   LOG target support
                     <M>   ULOG target support
                     <M>   Full NAT (NEW)
                     <M>     MASQUERADE target support
                     <M>     REDIRECT target support
                     <M>     NETMAP target support
                     <M>     SAME target support (OBSOLETE)
                     <M>     Basic SNMP-ALG support (EXPERIMENTAL)
                     <M>   Packet mangling
                     <M>     TOS target support
�^�橹匾�的是 "layer7" match support �目�c IPv4 connection tracking support (required for NAT) �目,若您不知道的�就�把 Core Netfilter Configuration �c IP: Netfilter Configuration �e的�x�全部�x起�砑纯伞�
�V 告
��g�K安�b新版核心
重 kernel 2.6 �_始,��g核心就�得更�楹��危�只需要��� make 的指令即可,安�b完後��自�有薷� GRUB 的�x�,不需手�有薷模��p少了手�有薷腻e�`的危�U。

   
root # make
root # make modules
root # make modules_install
root # make install
sh /usr/src/kernels/linux-2.6.24.4/arch/x86/boot/install.sh 2.6.24.4 arch/x86/boot/bzImage System.map "/boot"
更新 iptables patch
更新 iptables 需注意是否在�F有的 kernel 中 netfilter 子系�y相符合,若使用了不在 kernel 所支援的模�M,在�O定 iptables ��出�F�e�`。以下指令可新增 laery7 模�M的指令。

root # cd /usr/src/kernels/iptables-1.4.0
root # patch -p1 < ../netfilter-layer7-v2.17/iptables-1.4-for-kernel-2.6.20forward-layer7-2.17.patch
patching file extensions/libipt_layer7.c
patching file extensions/libipt_layer7.man
patching file extensions/.layer7-test
�O定 KERNEL_DIR �c IPTABLES_DIR �h境��担��K�_始��g安�b。
 
root # export KERNEL_DIR=/usr/src/kernels/linux; export IPTABLES_DIR=/usr/src/kernels/iptables-1.4.0
root # chmod +x extensions/.layer7-test
root # make && make install
root #
安�b通�定�h�n
使用 layer7 模�M�r,���⒖� /etc/l7-protocols 目�下的定�h�n,各通��f定的封包特徵��在 l7-protocols 的套件�e,解�_之後直接安�b即可。
root # cd /usr/src/kernels/l7-protocols-2008-02-20
root # make install
mkdir -p /etc/l7-protocols
cp -R * /etc/l7-protocols
重新�_�C
重新��g了核心之後,需要重新��与��X才能套用新的核心套件,�使用 uname 指令查看是否�O定成功。
0001
0002
0003
   
root # uname -a; iptables -V
Linux localhost.localdomain 2.6.24.4 #1 SMP Thu Apr 10 23:21:08 CST 2008 i686 i686 i386 GNU/Linux
iptables v1.4.0
�y�
MSN Messenger
以下�y���拒�^�B出 MSN Menssenger 封包,在 iptables 的 OUTPUT 政策�e,我��在 X-Window �绦� GAIM �B出�r,���l�F msnmessenger 的封包被 DROP。
�Z法:
iptables -A OUTPUT -m layer7 --l7proto msnmessenger -j DROP
root # iptables -A OUTPUT  -m layer7 --l7proto msnmessenger -j DROP
root # iptables -L -n -v
Chain INPUT (policy ACCEPT 3056 packets, 394K bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 1274 packets, 159K bytes)
 pkts bytes target     prot opt in     out     source               destination
   34  2584 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           LAYER7 l7proto msnmessenger
BitTorrent
第二���y�拒�^�B出 BitTorrent 封包,我��在�O定好拒�^ bittorrent 封包後,在本�C使用 BT 下�d�n案均失�。�可�� iptables 指令查出。
�Z法:
iptables -A OUTPUT -m layer7 --l7proto bittorrent -j DROP
 
root # iptables -A OUTPUT  -m layer7 --l7proto bittorrent -j DROP
root # iptables -L -n -v
Chain INPUT (policy ACCEPT 33768 packets, 33M bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 25235 packets, 2362K bytes)
 pkts bytes target     prot opt in     out     source               destination
   91  6916 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           LAYER7 l7proto msnmessenger
   78  7920 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           LAYER7 l7proto bittorrent
若您把 layer7 安�b在�W路�l道 (Gateway) 上的�,那�N�使用 PREROUTING 或 FORWARD �B�才��有效。iptables 可�⒖� iptables 封包�^�o��t (new window)。
後�:
若您打算在您的防火��上使用 layer7 封包�^�V功能的�,那�N所需的����w�c CPU ��更多,若您的使用者�B��低�一�r�g超�^百人,�K且�l繁的取存�W路的�,那�N可能需要考�]使用�^高效能的�W路卡�c更多的����w。若您在�⒂� layer7 功能後�l�F�W路�得很慢的�,那�N就需要�z查您的�W卡�c����w是否足�颉�
04/12/2008
首�
 

-----------------------------------------------------------------------------------------------------------------------
Debian Linux系统编译内核标准方式介绍
http://tech.itzero.com/2008/0728/article_38241.html

Debian 标准方式
 
关心一下有关 kernel-package、gcc、binutils 和 modutils 的错误报告。在需要时使用较新的版本。
 
在 Debian 系统中用源码编译自定义内核要特别小心。用 make-kpkg 的 --append_to_version 选项来创建多重内核镜像比较安全。
 
# apt-get install debhelper modutils kernel-package libncurses5-dev
# apt-get install kernel-source-2.4.18 # 使用最新版本
# apt-get install fakeroot
# vi /etc/kernel-pkg.conf # 输入我的名字和 email
$ cd /usr/src # 创建目录
$ tar --bzip2 -xvf kernel-source-2.4.18.tar.bz2
$ cd kernel-source-2.4.18 # 如果这是你的内核源码
$ cp /boot/config-2.4.18-386 .config # 将当前配置设定为默认配置
$ make menuconfig # 按自己的喜好来定制
$ make-kpkg clean # 必须执行这步(per: man make-kpkg)
$ fakeroot make-kpkg --append_to_version -486 --initrd --revision=rev.01 kernel_image modules_image # modules_image 可以是 pcmcia-cs* 等。
$ cd ..
# dpkg -i kernel-image*.deb pcmcia-cs*.deb # 安装
 
make-kpkg kernel_image 实际上执行了 make oldconfig 和 make dep。如果没使用 initrd 就不要使用 --initrd 选项。
 
如果想加载 pcmcia-cs 模块或内核 pcmcia 源码中没有的模块,应该在 make menuconfig 后选“General setup ―>”进入“PCMCIA/CardBus support ―>”,配置“< > PCMCIA/CardBus support”选项(例如,取消复选项)。
 
对于 SMP 机器,参照 kernel-pkg.conf(5) 的说明设置 CONCURRENCY_LEVEL。
 
参考iptables实例:
使用iptables layer-7 filter:
# iptables -t mangle -I PREROUTING -m layer7 --l7proto edonkey -j DROP (禁止edonkey)
# iptables -t mangle -I PREROUTING -m layer7 --l7proto bittorrent -j DROP (禁止bt)
# iptables -t mangle -I PREROUTING -m layer7 --l7proto qq -j DROP (禁止QQ通讯)
# iptables -t mangle -I PREROUTING -m layer7 --l7proto msnmessenger -j DROP (禁止edonkey)
# iptables -t mangle -I PREROUTING -m layer7 --l7proto xunlei -j DROP (禁止迅雷)
# iptables -t mangle -I PREROUTING -m layer7 --l7proto kugoo -j DROP (禁止kugoo)
# iptables -t mangle -I PREROUTING -m layer7 --l7proto yahoo -j DROP (禁止Yahoo! Messenger)

本文来自CSDN博客,转载请标明出处:http://blog.csdn.net/zubin006/archive/2008/08/03/2760600.aspx
 
Reposted article 2:
 
Building Layer 7 packet filtering
Tuesday, 28 July 2009, 12:37
References
  • L7-filter Kernel Version HOWTO
  • L7-filter installation notes
Debian users can refer to the article by 何祖彬 at http://blog.csdn.net/zubin006/archive/2008/08/03/2760600.aspx.
Downloading the files
To build a new kernel by hand with the layer7 packet filtering option, you need the following four packages:
  • linux kernel source
  • iptables source
  • l7-filter patch
  • l7-filter protocols
The versions rebuilt in this article are:
  • kernel: 2.6.24.4
  • iptables: 1.4.0
  • l7-filter patch: 2.17
  • l7-filter protocols: 2008-02-20
For easier management, all of the above packages are placed in /usr/src/kernels.
root # cd /usr/src/kernels/
Any tool that can download files from the network will do (lynx, wget, mozilla, firefox and so on); this example uses wget:
root # wget ftp://ftp.tw.kernel.org/pub/linux/kernel/v2.6/linux-2.6.24.4.tar.bz2
root # wget ftp://ftp.netfilter.org/pub/iptables/iptables-1.4.0.tar.bz2
root # wget http://nchc.dl.sourceforge.net/sourceforge/l7-filter/netfilter-layer7-v2.17.tar.gz
root # wget http://nchc.dl.sourceforge.net/sourceforge/l7-filter/l7-protocols-2008-02-20.tar.gz
Extract the packages.
root # tar -jxvf linux-2.6.24.4.tar.bz2; tar -zxvf l7-protocols-2008-02-20.tar.gz; tar -zxvf netfilter-layer7-v2.17.tar.gz; tar -jxvf iptables-1.4.0.tar.bz2
Updating the kernel
For convenience, create a symbolic link named linux to the linux-2.6.24.4 directory so it is easy to switch into the tree.
Patch the kernel to add the layer7 filter option.
root # ln -s linux-2.6.24.4 linux; cd linux
If you want to carry over the options of the old kernel, copy its .config file into the new kernel tree; when you configure the new kernel, the previous settings are then used as the defaults.
Apply the layer7 patch to the kernel source.
root # patch -p1 < ../netfilter-layer7-v2.17/kernel-2.6.22-2.6.24-layer7-2.17.patch
patching file net/netfilter/Kconfig
patching file net/netfilter/Makefile
patching file net/netfilter/xt_layer7.c
patching file net/netfilter/regexp/regexp.c
patching file net/netfilter/regexp/regexp.h
patching file net/netfilter/regexp/regmagic.h
patching file net/netfilter/regexp/regsub.c
patching file net/netfilter/nf_conntrack_core.c
patching file net/netfilter/nf_conntrack_standalone.c
patching file include/net/netfilter/nf_conntrack.h
patching file include/linux/netfilter/xt_layer7.h
Selecting the layer 7 related options
In the kernel configuration the relevant options must be enabled; the following is the complete list of items that concern layer 7.
root # make menuconfig
General setup --->
    [*] Prompt for development and/or incomplete code/drivers
Networking --->
    Networking options --->
        [*] Network packet filtering framework (Netfilter) --->
            Core Netfilter Configuration --->
                <M> Netfilter connection tracking support
                -*- Connection tracking flow accounting
                -*- Connection mark tracking support
                [*] Connection tracking security mark support
                [*] Connection tracking events (EXPERIMENTAL)
                <M> SCTP protocol connection tracking support (EXPERIMENTAL)
                <M> UDP-Lite protocol connection tracking support (EXPERIMENTAL)
                <M> Amanda backup protocol support
                <M> FTP protocol support
                <M> H.323 protocol support (EXPERIMENTAL)
                <M> IRC protocol support
                <M> NetBIOS name service protocol support (EXPERIMENTAL)
                <M> PPtP protocol support
                <M> SANE protocol support (EXPERIMENTAL)
                <M> SIP protocol support (EXPERIMENTAL)
                <M> TFTP protocol support
                <M> Connection tracking netlink interface (EXPERIMENTAL)
                {M} Netfilter Xtables support (required for ip_tables)
                <M> "CLASSIFY" target support
                <M> "CONNMARK" target support
                <M> "DSCP" target support
                <M> "MARK" target support
                <M> "NFQUEUE" target Support
                <M> "NFLOG" target support
                <M> "NOTRACK" target support
                <M> "TRACE" target support
                <M> "SECMARK" target support
                <M> "CONNSECMARK" target support
                <M> "TCPMSS" target support
                <M> "comment" match support
                <M> "connbytes" per-connection counter match support
                <M> "connlimit" match support
                <M> "connmark" connection mark match support
                <M> "conntrack" connection tracking match support
                <M> "DCCP" protocol match support
                <M> "DSCP" match support
                <M> "ESP" match support
                <M> "helper" match support
                <M> "length" match support
                <M> "limit" match support
                <M> "mac" address match support
                <M> "mark" match support
                <M> IPsec "policy" match support
                <M> Multiple port match support
                <M> "physdev" match support
                <M> "pkttype" packet type match support
                <M> "quota" match support
                <M> "realm" match support
                <M> "sctp" protocol match support (EXPERIMENTAL)
                <M> "state" match support
                <M> "layer7" match support
                    [*] Layer 7 debugging output
                <M> "statistic" match support
                <M> "string" match support
                <M> "tcpmss" match support
                <M> "time" match support
                <M> "u32" match support
                <M> "hashlimit" match support
            IP: Netfilter Configuration --->
                <M> IPv4 connection tracking support (required for NAT)
                [*] proc/sysctl compatibility with old connection tracking (NEW)
                <M> IP Userspace queueing via NETLINK (OBSOLETE)
                <M> IP tables support (required for filtering/masq/NAT)
                <M> IP range match support
                <M> TOS match support
                <M> recent match support
                <M> ECN match support
                <M> AH match support
                <M> TTL match support
                <M> Owner match support
                <M> address type match support
                <M> Packet filtering
                <M> REJECT target support
                <M> LOG target support
                <M> ULOG target support
                <M> Full NAT (NEW)
                <M> MASQUERADE target support
                <M> REDIRECT target support
                <M> NETMAP target support
                <M> SAME target support (OBSOLETE)
                <M> Basic SNMP-ALG support (EXPERIMENTAL)
                <M> Packet mangling
                <M> TOS target support
The items that matter most are "layer7" match support and IPv4 connection tracking support (required for NAT); the "layer7" entry is only shown once Netfilter connection tracking support is enabled. If you are not sure, simply select everything under Core Netfilter Configuration and IP: Netfilter Configuration.
Compiling and installing the new kernel
Since kernel 2.6, building the kernel has become simpler: a few make commands are enough, and make install adds the new kernel to the GRUB menu (through the distribution's installkernel script, which the install.sh line below invokes), so there is no need to edit the boot configuration by hand and less risk of a mistake there.
root # make
root # make modules
root # make modules_install
root # make install
sh /usr/src/kernels/linux-2.6.24.4/arch/x86/boot/install.sh 2.6.24.4 arch/x86/boot/bzImage System.map "/boot"
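Before spending the time on make, it is worth checking that the .config really carries the options the layer7 match depends on, because a .config copied from an older kernel and run through make oldconfig silently leaves the new option unset if you answered "n" to the prompt. The following checker is an added example, not part of the original article; the symbol names are those of the 2.6.24 netfilter Kconfig plus NETFILTER_XT_MATCH_LAYER7, which the layer7 patch adds (NF_CONNTRACK_MARK is only needed if you also use CONNMARK), and the sample .config fragment it carries is constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post: check a kernel .config for the
# options the layer7 match depends on before running make. The symbol names
# are those of the 2.6.24 netfilter Kconfig plus NETFILTER_XT_MATCH_LAYER7,
# which the layer7 patch adds; a symbol that is absent or "# ... is not set"
# counts as missing.
REQUIRED_L7_OPTS="CONFIG_NETFILTER CONFIG_NF_CONNTRACK CONFIG_NF_CONNTRACK_IPV4 \
CONFIG_NETFILTER_XTABLES CONFIG_IP_NF_IPTABLES CONFIG_IP_NF_FILTER \
CONFIG_IP_NF_MANGLE CONFIG_NETFILTER_XT_MATCH_LAYER7"

# check_l7_config FILE [OPT...] : print every option of the list (default:
# REQUIRED_L7_OPTS) that is neither =y nor =m in FILE; return 1 if any is missing
check_l7_config() {
    cfg=$1
    shift
    if [ $# -gt 0 ]; then opts="$*"; else opts="$REQUIRED_L7_OPTS"; fi
    missing=0
    for opt in $opts; do
        if ! grep -q "^$opt=[ym]\$" "$cfg"; then
            echo "missing: $opt"
            missing=1
        fi
    done
    return $missing
}

# constructed sample: the netfilter fragment of a .config produced by copying
# the distribution's config and answering "n" to the new layer7 prompt
sample_config() {
    cat <<'EOF'
CONFIG_NETFILTER=y
CONFIG_NF_CONNTRACK=m
CONFIG_NF_CONNTRACK_MARK=y
CONFIG_NF_CONNTRACK_IPV4=m
CONFIG_NETFILTER_XTABLES=m
# CONFIG_NETFILTER_XT_MATCH_LAYER7 is not set
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_MANGLE=m
EOF
}

# usage: sh check-l7-config.sh /usr/src/kernels/linux/.config
if [ $# -gt 0 ]; then
    check_l7_config "$1" && echo "ok: $1 has every layer7 option"
fi
```

Run it against the tree's .config after make menuconfig (or against /boot/config-$(uname -r) once the new kernel is booted); a non-zero exit status with one "missing:" line per option tells you exactly which menu entry to go back for.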
Updating iptables with the layer7 patch
  • iptables 1.4.0 and earlier
When updating iptables, make sure it matches the netfilter subsystem of the running kernel: if a module is used that the kernel does not support, setting iptables rules will fail with errors. The following commands add the layer7 module.
root # cd /usr/src/kernels/iptables-1.4.0
root # patch -p1 < ../netfilter-layer7-v2.17/iptables-1.4-for-kernel-2.6.20forward-layer7-2.17.patch
patching file extensions/libipt_layer7.c
patching file extensions/libipt_layer7.man
patching file extensions/.layer7-test
Set the KERNEL_DIR and IPTABLES_DIR environment variables, then build and install.
root # export KERNEL_DIR=/usr/src/kernels/linux; export IPTABLES_DIR=/usr/src/kernels/iptables-1.4.0
root # chmod +x extensions/.layer7-test
root # make && make install
root #
  • iptables 1.4.1.1 and later
From iptables 1.4.1.1 on, the layer7 module no longer has to be patched in: copy the extension sources into the extensions directory and build as usual. (The commands below were recorded with iptables 1.4.2 and netfilter-layer7 2.21 rather than the 1.4.0 and 2.17 versions downloaded above.)
root # cd iptables-1.4.2
root # cp ../netfilter-layer7-v2.21/iptables-1.4.1.1-for-kernel-2.6.20forward/libxt_layer7.* extensions/
root # ./configure --with-ksource=/usr/src/kernels/linux
root # make
root # make install
Installing the protocol definition files
When a rule uses the layer7 match, the iptables extension reads the pattern for the protocol named by --l7proto from the files under /etc/l7-protocols and passes it to the kernel module; the packet signatures of each protocol are in the l7-protocols package, which is installed directly after extraction.
root # cd /usr/src/kernels/l7-protocols-2008-02-20
root # make install
mkdir -p /etc/l7-protocols
cp -R * /etc/l7-protocols
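Since --l7proto takes the protocol name written inside the pattern file rather than the file name, it helps to be able to look up which file defines a name and what regular expression it actually matches. The following script is an added example, not part of the original article or the l7-protocols package; it relies only on the documented layout of a .pat file (comment lines beginning with "#", then the name line, then the regex line), and the two pattern files it writes are constructed samples, not real signatures.

```shell
#!/bin/sh
# Added example, not from the original post: inspect the pattern files that
# "make install" copied into /etc/l7-protocols. A .pat file consists of
# comment lines starting with "#", then one line with the protocol name
# (the value --l7proto expects), then one line with the regular expression
# that the iptables layer7 extension reads and hands to the kernel module.
L7_DIR=${L7_DIR:-/etc/l7-protocols}

# non-comment, non-blank lines of a pattern file
_l7_body() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$'
}
# l7_name FILE  : protocol name (first body line)
l7_name() { _l7_body "$1" | sed -n '1p'; }
# l7_regex FILE : regular expression (second body line)
l7_regex() { _l7_body "$1" | sed -n '2p'; }

# l7_find PROTO [DIR] : print the path of the file whose name line is PROTO,
# return 1 if there is none; the file name itself is not authoritative
l7_find() {
    dir=${2:-$L7_DIR}
    for f in $(find "$dir" -name '*.pat' 2>/dev/null | sort); do
        if [ "$(l7_name "$f")" = "$1" ]; then
            echo "$f"
            return 0
        fi
    done
    return 1
}

# constructed samples in the l7-protocols file format (not real signatures)
write_sample_patterns() {
    mkdir -p "$1"
    cat > "$1/demoproto.pat" <<'EOF'
# demoproto - constructed sample protocol for this example
# Pattern attributes: good fast fast
demoproto
^demo[\x09-\x0d ]
EOF
    cat > "$1/im-chat.pat" <<'EOF'
# constructed sample whose file name differs from its protocol name
chatdemo
^(chat|CHAT) hello
EOF
}

# usage: sh l7-pat.sh bittorrent   -> prints the file and the regex it matches
if [ $# -gt 0 ]; then
    if f=$(l7_find "$1"); then
        printf '%s\n%s\n' "$f" "$(l7_regex "$f")"
    else
        echo "no pattern file for $1 under $L7_DIR" >&2
        exit 1
    fi
fi
```

Reading the regex before deploying a rule is also the quickest way to judge how much a given protocol costs the gateway: a pattern that can only match deep into the payload, or one full of alternations, is what the afterword's warning about CPU and memory is about.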
Rebooting
After rebuilding the kernel, the machine must be rebooted for the new kernel to take effect; use uname to check that it is running.
root # uname -a; iptables -V
Linux localhost.localdomain 2.6.24.4 #1 SMP Thu Apr 10 23:21:08 CST 2008 i686 i686 i386 GNU/Linux
iptables v1.4.0
 
Testing
MSN Messenger
The following test rejects outgoing MSN Messenger packets with a rule in the iptables OUTPUT chain; when GAIM is started under X-Window and tries to connect, the msnmessenger packets are DROPped.
Syntax:
iptables -A OUTPUT -m layer7 --l7proto msnmessenger -j DROP
root # iptables -A OUTPUT -m layer7 --l7proto msnmessenger -j DROP
root # iptables -L -n -v
Chain INPUT (policy ACCEPT 3056 packets, 394K bytes)
 pkts bytes target     prot opt in     out     source               destination
 
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 
Chain OUTPUT (policy ACCEPT 1274 packets, 159K bytes)
 pkts bytes target     prot opt in     out     source               destination
   34  2584 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           LAYER7 l7proto msnmessenger
BitTorrent
The second test rejects outgoing BitTorrent packets: once the bittorrent rule is in place, every BT download attempted on this machine fails, and the iptables counters confirm that the rule is matching.
Syntax:
iptables -A OUTPUT -m layer7 --l7proto bittorrent -j DROP
root # iptables -A OUTPUT -m layer7 --l7proto bittorrent -j DROP
root # iptables -L -n -v
Chain INPUT (policy ACCEPT 33768 packets, 33M bytes)
 pkts bytes target     prot opt in     out     source               destination
 
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 
Chain OUTPUT (policy ACCEPT 25235 packets, 2362K bytes)
 pkts bytes target     prot opt in     out     source               destination
   91  6916 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           LAYER7 l7proto msnmessenger
   78  7920 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           LAYER7 l7proto bittorrent
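The counters in the listings above are the evidence that a rule is hitting, and on a busy gateway they are easier to read by script than by eye. The following helper is an added example, not part of the original article: it reads an "iptables -L -n -v" listing on stdin and reports the packet count per layer7 rule. The embedded listing is a constructed copy of the OUTPUT chain shown above. Use -x on the real command so large counters are printed exactly instead of as 33M or 2362K.

```shell
#!/bin/sh
# Added example, not from the original post: read the per-rule counters of
# "iptables -L -n -v" and report how many packets each layer7 rule matched,
# the quickest way to confirm that a rule is actually hitting. Feed the
# listing on stdin:  iptables -L OUTPUT -n -v -x | l7_hits bittorrent
# (-x prints exact counters instead of 33M/2362K abbreviations).

# l7_hits PROTO : packet count of the rule(s) for PROTO, 0 if there is none
l7_hits() {
    awk -v proto="$1" '
        # a layer7 rule line ends with:  LAYER7 l7proto <name>
        NF >= 3 && $(NF-2) == "LAYER7" && $(NF-1) == "l7proto" && $NF == proto {
            print $1; found = 1
        }
        END { if (!found) print 0 }'
}

# l7_summary : one "proto pkts bytes target" line per layer7 rule
l7_summary() {
    awk 'NF >= 3 && $(NF-2) == "LAYER7" && $(NF-1) == "l7proto" { print $NF, $1, $2, $3 }'
}

# constructed sample listing, in the format shown in the tests above
sample_listing() {
    cat <<'EOF'
Chain OUTPUT (policy ACCEPT 25235 packets, 2362K bytes)
 pkts bytes target     prot opt in     out     source               destination
   91  6916 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           LAYER7 l7proto msnmessenger
   78  7920 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           LAYER7 l7proto bittorrent
EOF
}

# usage: sample_listing | l7_hits bittorrent      (prints 78)
#        iptables -L -n -v -x | l7_summary
if [ $# -gt 0 ]; then
    l7_hits "$1"
fi
```

A rule whose counter stays at 0 while the client clearly works is the usual sign of a pattern that no longer matches the current protocol version or of traffic that is encrypted; a counter that rises while the client still works means the rule sits in the wrong chain for the traffic path (for example OUTPUT on a gateway).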
If layer7 is installed on a gateway, the rules must go in the PREROUTING or FORWARD chain to have any effect; the OUTPUT chain used in the tests above only sees traffic generated by the gateway itself. See the iptables packet filtering rules for details.
Afterword:
If you plan to use layer7 packet filtering on your firewall, it needs more memory and CPU, because the first packets of every new connection are matched against regular expressions. If more than a hundred users are online at once and access the network frequently, consider a higher-performance network card and more memory. If the network becomes very slow after enabling layer7, check whether the network card and memory are adequate.
 
 
009-08-17 | CentOS 5.3 kernel + firewall upgrade plan (collected from the 大鬼不动 blog)
Tags: Centos 5.3
Platform: CentOS release 5.3 (Final)
Kernel: 2.6.18-128.el5
iptables: 1.3.5
1. Preparation
1. kernel-2.6.27:
ftp://ftp.kernel.org/pub/linux/kernel/v2.6/linux-2.6.27.tar.gz
2. iptables-1.4.1.1:
http://www.netfilter.org/projects/iptables/files/iptables-1.4.1.1.tar.bz2
3. netfilter-layer7:
http://nchc.dl.sourceforge.net/sourceforge/l7-filter/netfilter-layer7-v2.21.tar.gz
Help file:
http://l7-filter.sf.net/HOWTO-kernel
A very good help document; if you read it carefully before installing, you avoid a lot of errors during the installation. Because I did not read it first, I had to recompile many times.
4. l7-protocols-2008-12-18:
http://nchc.dl.sourceforge.net/sourceforge/l7-filter/l7-protocols-2008-12-18.tar.gz
5. Download the files above into /usr/src and extract them:
[root@大鬼不动 src]# tar jxvf iptables-1.4.1.1.tar.bz2 && tar zxvf linux-2.6.27.tar.gz && tar zxvf netfilter-layer7-v2.21.tar.gz && tar zxvf l7-protocols-2008-12-18.tar.gz
2. Building
1. Change to the l7-protocols-2008-12-18 directory and run make install
[root@大鬼不动 src]# cd l7-protocols-2008-12-18
[root@大鬼不动 l7-protocols-2008-12-18]# cat Makefile
all:
        @echo Nothing to compile, just run \'make install\'
        @echo \(This simply copies this directory into $(PREFIX)/etc/l7-protocols \)
install:
        mkdir -p $(PREFIX)/etc/l7-protocols
        cp -R * $(PREFIX)/etc/l7-protocols
(The "all" target only prints a hint.) Running make install is optional: copying everything in this directory to /etc/l7-protocols/ has the same effect.
[root@大鬼不动 l7-protocols-2008-12-18]# make install
2. Change to the linux-2.6.27 directory and build the kernel
[root@大鬼不动 l7-protocols-2008-12-18]# cd ../linux-2.6.27
# use the .config shipped with the distribution as the starting point; it is the convenient way
[root@大鬼不动 linux-2.6.27]# cp /boot/config-2.6.18-128.el5 .config
[root@大鬼不动 linux-2.6.27]# patch -p1 < /usr/src/netfilter-layer7-v2.21/kernel-2.6.25-2.6.28-layer7-2.21.patch
From the help file:
  How to patch a source tree
  Suppose you have a patch called happy.patch. To apply it, go into the root directory of the source tree you want to patch and run "patch -p1 < happy.patch"
[root@大鬼不动 linux-2.6.27]# make menuconfig # needs gcc and ncurses-devel; install them with yum if they are missing
Load an Alternate Configuration File -> load the .config that was just copied, then do the following:
make menuconfig --> Networking support --> Networking options --> Network packet filtering framework (Netfilter)
Tick the modules you need, then exit and save to .config.
Notes:
There are two ways to configure a kernel option: build it into the kernel (*) or build it as a module (M); each has its advantages. Built-in code, for example a device driver, is available at boot without the extra step of loading a module, while a module has to be loaded before the kernel supports the device. Building everything into the kernel is not practical either: the kernel image grows and the system load increases. When building a kernel it is best to build in only what is essential; for anything you do not understand, keep the default.
If "Netfilter connection tracking support" is not selected, ""layer7" match support" will not appear here at all, so be sure to tick "Netfilter connection tracking support".
[root@大鬼不动 linux-2.6.27]# make && make modules_install && make install
[root@大鬼不动 linux-2.6.27]# vi /boot/grub/grub.conf # make the new kernel the one to boot, then reboot
3. Change to the iptables-1.4.1.1 directory and build iptables
See the official layer7 help:
http://l7-filter.sf.net/HOWTO-kernel
  iptables 1.4.1.1 and newer
  Copy libxt_layer7.c and libxt_layer7.man (from the subdirectory of the "Layer 7 patches" package that the README points you to) to the extensions/ directory of your iptables source.
  Then:
    • "./configure --with-ksource=/path/to/patched/kernel_source" (use the full path)
    • "make"
    • (as root) "make install"
[root@大鬼不动 linux-2.6.27]# cd ../iptables-1.4.1.1
[root@大鬼不动 iptables-1.4.1.1]# cp ../netfilter-layer7-v2.21/iptables-1.4.1.1-for-kernel-2.6.20forward/* extensions/
[root@大鬼不动 iptables-1.4.1.1]# ./configure --with-ksource=/usr/src/linux-2.6.27 && make && make install && reboot
Notes:
If libxt_layer7.c and libxt_layer7.man from /usr/src/netfilter-layer7-v2.21/iptables-1.4.1.1-for-kernel-2.6.20forward/ are not copied into /usr/src/iptables-1.4.1.1/extensions/, the build produces a flood of errors and fails, and running an iptables rule with the layer7 match reports:
 iptables v1.4.1.1: Couldn't load match `layer7':/usr/local/libexec/xtables/libipt_layer7.so: cannot open shared object file: No such file or directory
 Try `iptables -h' or 'iptables --help' for more information.
3. Testing
Test according to your own needs!
4. Conclusion
This article applies equally to RHEL 5.3, and also to kernel-2.6.28 + iptables-1.4.1.1.