iptables实现7层过滤

软件包    

    l7-protocols-2009-05-28.tar.gz

    linux-2.6.28.10.tar.gz

    netfilter-layer7-v2.22.tar.gz

    iptables-1.4.6.tar.bz2

解压内核源码和netfilter-L7源码

[root@station1 ~]# tar xf linux-2.6.28.10.tar.gz -C /usr/src/

[root@station1 ~]# tar xf netfilter-layer7-v2.22.tar.gz -C /usr/src/

[root@station1 ~]# 


编译内核

[root@station1 linux]# cp /boot/config-2.6.18-308.el5 .config

[root@station1 linux]# make menuconfig

选择顺序

Networking support --->  Networking options  ---> Network packet filtering framework (Netfilter)  ---> 

Core Netfilter Configuration  --->

    <M> Netfilter connection tracking support

    <M>   "layer7" match support     

进行编译

[root@station1 linux]# make

[root@station1 linux]# make modules_install

[root@station1 linux]# make install

重启后查看内核版本

[root@station1 ~]# uname -r

2.6.28.10-l7

[root@station1 ~]# 

安装新的iptables

[root@station1 ~]# rpm -e iptables-ipv6 iptables --nodeps 

warning: /etc/sysconfig/iptables-config saved as /etc/sysconfig/iptables-config.rpmsave

[root@station1 ~]# 

[root@station1 ~]# tar xf iptables-1.4.6.tar.bz2 -C /usr/src/

[root@station1 ~]# cd /usr/src/iptables-1.4.6/extensions/

[root@station1 extensions]# 

[root@station1 netfilter-layer7-v2.22]# cp iptables-1.4.3forward-for-kernel-2.6.20forward/libxt_layer7.* ../iptables-1.4.6/extensions/

[root@station1 netfilter-layer7-v2.22]# 

[root@station1 src]# cd iptables-1.4.6/

[root@station1 iptables-1.4.6]# 

[root@station1 iptables-1.4.6]# ./configure --prefix=/usr/ --with-ksource=/usr/src/linux

[root@station1 iptables-1.4.6]# make 

[root@station1 iptables-1.4.6]# make install

[root@station1 iptables-1.4.6]# 

安装layer-7

[root@station1 ~]# tar xf l7-protocols-2009-05-28.tar.gz 

[root@station1 ~]# cd l7-protocols-2009-05-28

[root@station1 l7-protocols-2009-05-28]# make install

mkdir -p /etc/l7-protocols

cp -R * /etc/l7-protocols

[root@station1 l7-protocols-2009-05-28]# 

实现禁止qq

iptables -A FORWARD -s 10.10.1.0/24 -m layer7 --l7proto qq -j DROP



你可能感兴趣的:(linux,iptables)