Building iptables with layer7 (l7) support
===========================================================
Package selection
===========================================================
a) Netfilter-layer7-v2.21.tar.gz
b) L7-protocols-2009-05-10.tar.gz
c) Linux-2.6.28.8.tar.bz2
d) Iptables-1.4.2.tar.bz2
===========================================================
Compile the Linux kernel with l7 support
===========================================================
a) Extract Netfilter-layer7-v2.21.tar.gz and Linux-2.6.28.8.tar.bz2, then apply the layer7 patch to the kernel tree with the patch tool
---------------------------------------------------------------------------------------
# cd /usr/src/linux-2.6.28.8
# patch -p1 < ../netfilter-layer7-v2.21/kernel-2.6.25-2.6.28-layer7-2.21.patch
---------------------------------------------------------------------------------------
b) Reconfigure the kernel, enabling the state (connection tracking) mechanism and layer7 support
---------------------------------------------------------------------------------------
# cp /boot/config-2.6.18-8.el5 .config
# make menuconfig
i. Core netfilter configuration (the generic packet-filtering code)
Menu path: Networking → Networking options → Network packet filtering framework (netfilter) → Core netfilter configuration →
In this menu, use the space bar to set "Netfilter connection tracking support" to module (M), then select, likewise as modules: "layer7" match support, "string" match support, "time" match support, "iprange" address range match support, "connlimit" match support, "state" match support, connection tracking security mark support, connection tracking match support, "mac" address match support, IPsec "policy" match support.
ii. IP packet filtering configuration (IP: Netfilter Configuration)
Menu path: Networking → Networking options → Network packet filtering framework (netfilter) → IP: Netfilter Configuration → IPv4 connection tracking support (required for NAT) → Full NAT → MASQUERADE target support → REDIRECT target support
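Before running "make", it is worth checking that the selections above actually landed in .config. The following shell check is an added example, not part of the original guide; it uses the upstream 2.6.28 and layer7-patch Kconfig symbol names, and the function name check_l7_config is my own.

```shell
#!/bin/sh
# Added example (not from the original guide): verify that a kernel .config
# contains every Netfilter option selected in menuconfig above.
# Usage: check_l7_config /usr/src/linux-2.6.28.8/.config

# Kconfig symbols matching the menu entries in steps i. and ii.
# Each must be built in (y) or built as a module (m).
L7_REQUIRED_SYMBOLS="
CONFIG_NF_CONNTRACK
CONFIG_NF_CONNTRACK_IPV4
CONFIG_NF_CONNTRACK_SECMARK
CONFIG_NETFILTER_XT_MATCH_LAYER7
CONFIG_NETFILTER_XT_MATCH_STRING
CONFIG_NETFILTER_XT_MATCH_TIME
CONFIG_NETFILTER_XT_MATCH_IPRANGE
CONFIG_NETFILTER_XT_MATCH_CONNLIMIT
CONFIG_NETFILTER_XT_MATCH_STATE
CONFIG_NETFILTER_XT_MATCH_CONNTRACK
CONFIG_NETFILTER_XT_MATCH_MAC
CONFIG_NETFILTER_XT_MATCH_POLICY
CONFIG_NF_NAT
CONFIG_IP_NF_TARGET_MASQUERADE
CONFIG_IP_NF_TARGET_REDIRECT
"

# Print each required symbol that is absent, "is not set", or set to a value
# other than y/m. Returns 0 when all symbols are present, 1 otherwise.
check_l7_config() {
    cfg="$1"
    missing=0
    for sym in $L7_REQUIRED_SYMBOLS; do
        # Exact line match: "CONFIG_X=y" or "CONFIG_X=m".
        # A "# CONFIG_X is not set" line does not match and is reported.
        if ! grep -q "^${sym}=[ym]$" "$cfg"; then
            echo "MISSING: $sym"
            missing=1
        fi
    done
    return $missing
}
```

A non-zero exit means a menu entry was skipped; fix it in "make menuconfig" before building, since a missing module shows up later only as an "iptables: No chain/target/match by that name" error.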
---------------------------------------------------------------------------------------
c) Build the new kernel, then install the kernel image and copy the module files
---------------------------------------------------------------------------------------
# make
# make modules_install
# make install
---------------------------------------------------------------------------------------
d) Adjust the grub boot menu so the new kernel is the default
---------------------------------------------------------------------------------------
# vi /boot/grub/grub.conf    (set default=0)
===========================================================
Rebuild and install iptables, and install the L7-protocols definitions package
===========================================================
a) Remove the distribution's existing iptables packages, then copy the layer7 userspace extension into the iptables source tree
---------------------------------------------------------------------------------------
# rpm -e iptables-ipv6 iptables iptstate --nodeps
# cd /usr/src/iptables-1.4.2/
# cp /usr/src/netfilter-layer7-v2.21/iptables-1.4.1.1-for-kernel-2.6.20forward/libxt_layer7.* extensions/
---------------------------------------------------------------------------------------
b) Configure, build and install iptables against the patched kernel source
---------------------------------------------------------------------------------------
# ./configure --prefix=/ --with-ksource=/usr/src/linux-2.6.28.8
# make
# make install
---------------------------------------------------------------------------------------
c) Install the l7-protocols protocol definitions package
---------------------------------------------------------------------------------------
# cd l7-protocols-2009-05-10
# make install
===========================================================
Setting application-layer filtering rules with iptables
===========================================================
a) Use the layer7 explicit match to filter QQ, MSN and eDonkey traffic
# iptables -A FORWARD -m layer7 --l7proto qq -j DROP
# iptables -A FORWARD -m layer7 --l7proto msn-filetransfer -j DROP
# iptables -A FORWARD -m layer7 --l7proto msnmessenger -j DROP
b) Use the "connlimit" explicit match to limit concurrent connections; new connections are dropped once a source has more than 100 concurrent connections
# iptables -A FORWARD -p tcp --syn -m connlimit --connlimit-above 100 -j DROP
c) Use the "time" explicit match to set an access policy by time range, allowing access Monday to Friday between 8:00 and 18:00
# iptables -A FORWARD -p tcp --dport 80 -m time --timestart 8:30 --timestop 18:00 --weekdays Mon,Tue,Wed,Thu,Fri -j ACCEPT
d) Use the "string" explicit match to filter traffic containing "tencent", "verycd", "***" or "***" (here applied to DNS queries)
# iptables -A FORWARD -p udp --dport 53 -m string --string "tencent" --algo bm -j DROP
# iptables -A FORWARD -p udp --dport 53 -m string --string "verycd" --algo bm -j DROP
# iptables -A FORWARD -p udp --dport 53 -m string --string "***" --algo bm -j DROP
# iptables -A FORWARD -p udp --dport 53 -m string --string "***" --algo bm -j DROP
e) Refuse to forward packets from the host with MAC address 00:0C:29:27:55:3F
# iptables -A FORWARD -m mac --mac-source 00:0C:29:27:55:3F -j DROP