iptables does not support application-layer (layer 7) filtering on its own; the kernel has to be modified with the "Layer7" patch and rebuilt before the match becomes available.
First, go into the new_layer7 directory and unpack the sources:

    tar xvf iptables-1.4.3.1.tar.bz2 -C /usr/local/src/
    tar xvf l7-protocols-2009-05-28.tar -C /usr/local/src/
    tar xvf netfilter-layer7-v2.22.tar -C /usr/local/src/

Patch the kernel:

    cd /usr/local/src/linux-2.6.28/
    patch -p1 < ../netfilter-layer7-v2.22/linux-2.6.28/layer7-v2.22.patch
Rebuild the kernel

    make oldconfig      (keep the defaults)
    make menuconfig     (opens the option menu)

Go into General setup:
    Prompt for development and/or incomplete code/drivers    (must be selected)

Then go into:
    Networking ----->
        Networking options ---->
            Network packet filtering framework (Netfilter) ---->
                Core Netfilter Configuration    (select every item under this entry)
                    <M> Netfilter connection tracking support    (required)
                    <M> "layer7" match support                   (required)
                        Layer 7 debugging output                 (required)
                IP: Netfilter Configuration                      (required)

Compile and install the new kernel:

    make
    make modules_install
    make install

Reboot the machine and choose the new kernel, then edit grub so that the new kernel is the default.
Upgrade iptables, removing the old iptables package first:

    rpm -e --nodeps $(rpm -qa | grep iptables)
    cd /usr/local/src/iptables-1.4.3.2/
    cp ../netfilter-layer7-v2.22/iptables-1.4.3forward-for-kernel-2.6.20forward/libxt_layer7.* extensions/
    ./configure --prefix=/ --with-ksource=/usr/local/src/linux-2.6.28/
    make
    make install
Install the layer7 protocol definition package:

    cd /usr/local/src/l7-protocols-2009-10-6
    make install
    depmod -a
    iptables -m layer7 -h      (prints the help text for the layer7 match, which confirms the extension is installed)
Using the iptables layer-7 filter:

    iptables -t mangle -I PREROUTING -m layer7 --l7proto edonkey -j DROP
    iptables -t mangle -I PREROUTING -m layer7 --l7proto bittorrent -j DROP
    iptables -t mangle -I PREROUTING -m layer7 --l7proto qq -j DROP
    iptables -t mangle -I PREROUTING -m layer7 --l7proto msnmessenger -j DROP
    iptables -t mangle -I PREROUTING -m layer7 --l7proto xunlei -j DROP
    iptables -t mangle -I PREROUTING -m layer7 --l7proto kugoo -j DROP
    iptables -t mangle -I PREROUTING -m layer7 --l7proto yahoo -j DROP

Plain string matching with the string match (the `--algo bm` option is mandatory for `-m string` in iptables 1.4.x, so it is added here):

    iptables -I FORWARD -m string --algo bm --string "腾讯" -j DROP
    iptables -I FORWARD -s 192.168.3.159 -m string --string" -j DROP      (the match string is missing in the original post)
    iptables -I FORWARD -d 192.168.3.0/24 -m string --algo bm --string "宽频影院" -j DROP
    iptables -I FORWARD -s 192.168.3.0/24 -m string --algo bm --string "色情" -j DROP
    iptables -I FORWARD -p tcp --sport 80 -m string --algo bm --string "广告" -j DROP
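The rule list above inserts each protocol rule directly into PREROUTING, which is hard to audit and to undo. The script below is an added example (not code from the original post): it builds the same block list into a dedicated mangle chain, and before adding a rule it checks that the protocol name actually has a pattern file installed, so a misspelled name fails loudly instead of silently matching nothing. It assumes the l7-protocols package installed its patterns as `/etc/l7-protocols/protocols/<name>.pat` (the directory is overridable through `L7_PATTERN_DIR`); the chain name `L7_BLOCK`, the `DRY_RUN` switch and the function names are my own choices.

```shell
#!/bin/sh
# Added example, not from the original post. Builds a layer7 block list into
# its own mangle chain after validating each protocol name against the
# installed pattern files.
#
# Assumptions (not stated on the page):
#   L7_PATTERN_DIR  directory holding <name>.pat files from l7-protocols
#   IPT             the iptables binary to call
#   DRY_RUN=1       print the commands instead of executing them (default)
L7_PATTERN_DIR="${L7_PATTERN_DIR:-/etc/l7-protocols/protocols}"
IPT="${IPT:-iptables}"
DRY_RUN="${DRY_RUN:-1}"
L7_CHAIN="L7_BLOCK"

# run_or_print CMD ARGS... : execute the command, or print it in dry-run mode
run_or_print() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# l7_match_available : 0 if the layer7 match extension loads, 1 otherwise
# (same check the post uses: "iptables -m layer7 -h")
l7_match_available() {
    "$IPT" -m layer7 -h >/dev/null 2>&1
}

# l7_pattern_exists NAME : 0 if NAME.pat is installed, 1 otherwise
l7_pattern_exists() {
    [ -f "$L7_PATTERN_DIR/$1.pat" ]
}

# build_l7_ruleset NAME... : create the chain, hook it into PREROUTING and
# add one DROP rule per known protocol. Unknown names are reported on
# stderr and skipped; the return value is the number of skipped names.
build_l7_ruleset() {
    skipped=0
    run_or_print "$IPT" -t mangle -N "$L7_CHAIN"
    run_or_print "$IPT" -t mangle -I PREROUTING -j "$L7_CHAIN"
    for proto in "$@"; do
        if l7_pattern_exists "$proto"; then
            run_or_print "$IPT" -t mangle -A "$L7_CHAIN" \
                -m layer7 --l7proto "$proto" -j DROP
        else
            printf 'skip: no pattern file for %s in %s\n' \
                "$proto" "$L7_PATTERN_DIR" >&2
            skipped=$((skipped + 1))
        fi
    done
    return "$skipped"
}

# Usage: DRY_RUN=1 ./l7block.sh  (preview)  /  DRY_RUN=0 ./l7block.sh  (apply)
if [ "${L7_NO_MAIN:-0}" != "1" ]; then
    if [ "$DRY_RUN" != "1" ] && ! l7_match_available; then
        echo "layer7 match not available; rebuild kernel and iptables first" >&2
        exit 1
    fi
    build_l7_ruleset edonkey bittorrent qq msnmessenger xunlei kugoo yahoo
fi
```

Two caveats worth keeping in mind with any layer7 rule set: the match classifies a connection only after inspecting its first packets (the l7-filter documentation gives a limit of roughly the first 10 packets or 2 kB of payload), so the opening packets of a flow are always forwarded before the DROP takes effect; and because the rule sits in mangle PREROUTING it applies to locally destined as well as forwarded traffic. A dedicated chain makes both easier to reason about, since `iptables -t mangle -L L7_BLOCK -v` shows exactly which protocol counters are climbing.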
This article comes from the "nginxs小白" blog; please contact the author before reposting.