利用iptables+l7-filter+opendpi封QQ和迅雷

利用iptables+l7-filter+opendpi封QQ和迅雷

作者:刘运锋                                            时间:2011-09-21

1、            前言

参加2011架构师大会,有幸聆听白金大师的讲解,其中对于iptables封QQ以及迅雷等白金介绍了l7-filter和ipp2p两种插件,但是在笔者的实验中发现ipp2p目前官方已经停止维护,而是靠国内的兴趣爱好者对ipp2p进行维护和更新。同时ipp2p对各个版本的内核兼容性并不是很好,因此阅读了ipp2p官网推荐的其替代品opendpi的相关文档,发现国内对opendp的文档实在太少,有幸尝试,记录下过程和注意事项,以便阅读理解。

结合环境的实际情况,应用环境和安装过程如下:

2、            环境介绍

系统

CentOS 5.5

内核

kernel 2.6.18-194.el5

Iptables

iptables v1.3.5

3、            软件及下载地址:

软件

地址

kernel 2.6.25.7

http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.25.7.tar.bz2

Iptables 1.4.3.2

http://www.netfilter.org/projects/iptables/files/iptables-1.4.3.2.tar.bz2

netfilter-layer7

http://cdnetworks-kr-2.dl.sourceforge.net/project/l7-filter/l7-filter%20kernel%20version/2.22/netfilter-layer7-v2.22.tar.gz

l7-protocols

http://cdnetworks-kr-2.dl.sourceforge.net/project/l7-filter/Protocol%20definitions/2009-05-28/l7-protocols-2009-05-28.tar.gz

Opendpi

http://opendpi.googlecode.com/files/opendpi-1.3.0.tar.gz

opendpi-netfilter-wrapper

http://opendpi.googlecode.com/files/opendpi-netfilter-wrapper-1.2.tar.gz

ipp2p-0.99.15-k2.6.28-i1.4.7

http://bbs.chinaunix.net/attachment.php?aid=NDU3OTgzfDc3NDZiZmRifDEzMTY1MDUzNjV8YmVjNUk4bFFOTkJiRkk2TUZPNEdhNU82dU9RaXF5azlRWkIyV0ZqbHdiY1dZRFE%3D

将以上软件放置到/usr/src下。

这里之所以选择kernel 2.6.25.7是因为笔者在测试的过程中试用了高版本的内核,但是编译opendpi时通不过,因此只好选用kernel 2.6.25.7。

遇到的错误如下:

/usr/src/opendpi-netfilter-wrapper-1.2/wrapper/src/main.c:362: warning: ‘struct nf_ct_event’ declared inside parameter list

/usr/src/opendpi-netfilter-wrapper-1.2/wrapper/src/main.c:362: warning: its scope is only this definition or declaration, which is probably not what you want

/usr/src/opendpi-netfilter-wrapper-1.2/wrapper/src/main.c: In function ‘opendpi_conntrack_event’:

/usr/src/opendpi-netfilter-wrapper-1.2/wrapper/src/main.c:364: error: dereferencing pointer to incomplete type

/usr/src/opendpi-netfilter-wrapper-1.2/wrapper/src/main.c: At top level:

/usr/src/opendpi-netfilter-wrapper-1.2/wrapper/src/main.c:383: error: variable ‘osdpi_notifier’ has initializer but incomplete type

/usr/src/opendpi-netfilter-wrapper-1.2/wrapper/src/main.c:384: error: unknown field ‘fcn’ specified in initializer

/usr/src/opendpi-netfilter-wrapper-1.2/wrapper/src/main.c:384: warning: excess elements in struct initializer

/usr/src/opendpi-netfilter-wrapper-1.2/wrapper/src/main.c:384: warning: (near initialization for ‘osdpi_notifier’)

/usr/src/opendpi-netfilter-wrapper-1.2/wrapper/src/main.c: In function ‘opendpi_cleanup’:

/usr/src/opendpi-netfilter-wrapper-1.2/wrapper/src/main.c:591: warning: passing argument 1 of ‘nf_conntrack_unregister_notifier’ from incompatible pointer type

/usr/src/opendpi-netfilter-wrapper-1.2/wrapper/src/main.c: In function ‘opendpi_mt_init’:

/usr/src/opendpi-netfilter-wrapper-1.2/wrapper/src/main.c:677: warning: passing argument 1 of ‘nf_conntrack_register_notifier’ from incompatible pointer type

make[3]: *** [/usr/src/opendpi-netfilter-wrapper-1.2/wrapper/src/main.o] Error 1

make[2]: *** [_module_/usr/src/opendpi-netfilter-wrapper-1.2/wrapper/src] Error 2

make[2]: Leaving directory `/usr/src/linux-2.6.28'

make[1]: *** [all] Error 2

make[1]: Leaving directory `/usr/src/opendpi-netfilter-wrapper-1.2/wrapper/src'

make: *** [all] Error 2

笔者已经和opendpi联系,目前尚无回复!

4、            重新编译内核:

#tar -jxvf linux-2.6.25.7.tar.bz2

#tar -zxvf netfilter-layer7-v2.22.tar.gz

#tar -zxvf l7-protocols-2009-05-28.tar.gz

#cd linux-2.6.28

#patch -p1 < /usr/src/netfilter-layer7-v2.22/kernel-2.6.25-2.6.28-layer7-2.22.patch

patching file net/netfilter/Kconfig

patching file net/netfilter/Makefile

patching file net/netfilter/xt_layer7.c

patching file net/netfilter/regexp/regexp.c

patching file net/netfilter/regexp/regexp.h

patching file net/netfilter/regexp/regmagic.h

patching file net/netfilter/regexp/regsub.c

patching file net/netfilter/nf_conntrack_core.c

patching file net/netfilter/nf_conntrack_standalone.c

patching file include/net/netfilter/nf_conntrack.h

patching file include/linux/netfilter/xt_layer7.h

#cp /boot/config-2.6.18-194.el5 /usr/src/linux-2.6.25.7/.config

#make  menuconfig(注意,这里要在图形界面下操作)

(1)Networking support → Networking Options →Network packet filtering framework →Code Netfilter Configuration

<M> Netfilter connection tracking support 

[*]   Connection tracking events  

<M>   "connlimit" match support" 

<M>   Connection tracking netlink interface

<M>  FTP protocol support

<M>  “layer7” match support

<M>  “string” match support

<M>  “time”  match support

<M>  “iprange”  match support

<M>  “connlimit”  match support

<M>  “state”  match support

<M>  “conntrack”  connection  match support

<M>  “mac”  address  match support

<M>   "multiport" Multiple port match support

       (2)Networking support → Networking Options →Network packet filtering framework → IP: Netfilter Configuration<M> IPv4 connection tracking support (required for NAT)

<M>   Full NAT

<M>MASQUERADEtargetsupport

<M>NETMAPtargetsupport

<M> REDIRECT target support

#make && make modules_install && make install

这里编译需要至少半个小时的时间,这段时间可以做其他的事情。编译完成后:

       #vi /etc/grub.conf

 

# grub.conf generated by anaconda

#

# Note that you do not have to rerun grub after making changes to this file

# NOTICE:  You have a /boot partition.  This means that

#          all kernel and initrd paths are relative to /boot/, eg.

#          root (hd0,0)

#          kernel /vmlinuz-version ro root=/dev/VolGroup00/LogVol00

#          initrd /initrd-version.img

#boot=/dev/sda

default=1  ----- 改为default=0

timeout=5

splashimage=(hd0,0)/grub/splash.xpm.gz

hiddenmenu

title CentOS (2.6.25.7)

        root (hd0,0)

        kernel /vmlinuz-2.6.25.7 ro root=/dev/VolGroup00/LogVol00 rhgb quiet

        initrd /initrd-2.6.25.7.img

title CentOS (2.6.18-194.el5)

        root (hd0,0)

        kernel /vmlinuz-2.6.18-194.el5 ro root=/dev/VolGroup00/LogVol00 rhgb quiet

        initrd /initrd-2.6.18-194.el5.img

#reboot

#uname –a

Linux proxytest 2.6.25.7 #1 SMP Wed Sep 21 19:01:12 CST 2011 i686 i686 i386 GNU/Linux

重启系统之后查看,系统的内核已经升级到新内核。至此内核编译的工作已经完成。

 

5、            更新升级Iptalbes的Layer7补丁

#cd /usr/src

# tar -zxvf netfilter-layer7-v2.22.tar.gz

# tar -jxvf iptables-1.4.3.2.tar.bz2

# cp /usr/src/netfilter-layer7-v2.22/iptables-1.4.3forward-for-kernel-2.6.20forward/* /usr/src/iptables-1.4.3.2/extensions/

# cd /usr/src/iptables-1.4.3.2

# ./configure --with-ksource=/usr/src/linux-2.6.25.7

# make && make install

# iptables -V

iptables v1.4.3.2   #已经更新至新版本

 

6、            安装Layer7 协议文件

# cd /usr/src

# tar -zxvf l7-protocols-2009-05-28.tar.gz

# cd l7-protocols-2009-05-28

# make install

7、            Layer7规则

# iptables -t mangle -I PREROUTING -m layer7 --l7proto edonkey -j DROP (禁止edonkey)

# iptables -t mangle -I PREROUTING -m layer7 --l7proto bittorrent -j DROP (禁止bt)

# iptables -t mangle -I PREROUTING -m layer7 --l7proto qq -j DROP (禁止QQ通讯)

# iptables -t mangle -I PREROUTING -m layer7 --l7proto msnmessenger -j DROP (禁止edonkey)

# iptables -t mangle -I PREROUTING -m layer7 --l7proto xunlei -j DROP (禁止迅雷)

# iptables -t mangle -I PREROUTING -m layer7 --l7proto kugoo -j DROP (禁止kugoo)

# iptables -t mangle -I PREROUTING -m layer7 --l7proto yahoo -j DROP (禁止Yahoo! Messenger)

8、            安装opendpi

(1)安装opendpi-netfilter

#cd /usr/src

#tar -zxvf opendpi-1.3.0.tar.gz

#tar -zxvf opendpi-netfilter-wrapper-1.2.tar.gz

#cd opendpi-netfilter-wrapper-1.2/wrapper

#export OPENDPI_PATH=/usr/src/opendpi-1.3.0

# OPENDPI_PATH=/usr/src/opendpi-1.3.0  make

# make modules_install

# cp ipt/libxt_opendpi.so /usr/local/libexec/xtables

# iptables -m opendpi --help

如果显示出相关信息,则编译成功。

 

(2)安装opendpi

#cd /usr/src/opendpi-1.3.0

#./configure

# make

如果报错如下:

OpenDPI_demo.c:42:18: error: pcap.h: No such file or directory

OpenDPI_demo.c:50: error: ‘PCAP_ERRBUF_SIZE’ undeclared here (not in a function)

OpenDPI_demo.c:51: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘__attribute__’ before ‘*’ token

OpenDPI_demo.c: In function ‘openPcapFile’:

OpenDPI_demo.c:457: error: ‘_pcap_handle’ undeclared (first use in this function)

OpenDPI_demo.c:457: error: (Each undeclared identifier is reported only once

OpenDPI_demo.c:457: error: for each function it appears in.)

OpenDPI_demo.c: In function ‘closePcapFile’:

OpenDPI_demo.c:468: error: ‘_pcap_handle’ undeclared (first use in this function)

OpenDPI_demo.c: At top level:

OpenDPI_demo.c:474: warning: ‘struct pcap_pkthdr’ declared inside parameter list

OpenDPI_demo.c:474: warning: its scope is only this definition or declaration, which is probably not what you want

OpenDPI_demo.c: In function ‘pcap_packet_callback’:

OpenDPI_demo.c:485: error: dereferencing pointer to incomplete type

OpenDPI_demo.c:486: error: dereferencing pointer to incomplete type

OpenDPI_demo.c:497: error: ‘DLT_EN10MB’ undeclared (first use in this function)

OpenDPI_demo.c:503: error: dereferencing pointer to incomplete type

OpenDPI_demo.c:505: error: dereferencing pointer to incomplete type

OpenDPI_demo.c:505: error: dereferencing pointer to incomplete type

OpenDPI_demo.c:515: error: dereferencing pointer to incomplete type

OpenDPI_demo.c:517: error: dereferencing pointer to incomplete type

OpenDPI_demo.c:517: error: dereferencing pointer to incomplete type

OpenDPI_demo.c: In function ‘runPcapLoop’:

OpenDPI_demo.c:524: error: ‘_pcap_handle’ undeclared (first use in this function)

make[1]: *** [OpenDPI_demo.o] Error 1

make[1]: Leaving directory `/usr/src/opendpi-1.3.0/src/examples/OpenDPI_demo'

make: *** [all-recursive] Error 1

请安装libpcap-devel

#yum install libpcap-devel

#make

#make install

 

(3)规则实例:

iptables -A OUTPUT -m opendpi --http -j REJECT (封http协议)

iptables -A OUTPUT -m opendpi --thunder -j REJECT (封迅雷协议)

iptables -A OUTPUT -m opendpi --pplive -j REJECT (封pplive协议)

……

如是还有很多,详细可以参见iptables -m opendpi --help

你可能感兴趣的:(qq,function,centos,File,layer,networking)