Blocking QQ and Xunlei with iptables + l7-filter + opendpi
Author: 刘运锋  Date: 2011-09-21
1. Introduction
At the 2011 Architects Conference I had the chance to hear 白金 speak. For blocking QQ, Xunlei and similar traffic with iptables he introduced two extensions, l7-filter and ipp2p. In my own experiments, however, I found that ipp2p is no longer maintained upstream; it is kept alive only by domestic enthusiasts who patch and update it. ipp2p's compatibility with different kernel versions is also poor, so I read the documentation for opendpi, the replacement recommended on the ipp2p website. Chinese-language documentation on opendpi is very scarce, so I tried it out and recorded the process and the points to watch, for reference.
Given the actual circumstances of the environment, the deployment environment and installation process are as follows:
2. Environment
System   | CentOS 5.5
Kernel   | kernel 2.6.18-194.el5
iptables | iptables v1.3.5
3. Software and download locations:
Software                     | URL
kernel 2.6.25.7              | http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.25.7.tar.bz2
iptables 1.4.3.2             | http://www.netfilter.org/projects/iptables/files/iptables-1.4.3.2.tar.bz2
netfilter-layer7             | http://cdnetworks-kr-2.dl.sourceforge.net/project/l7-filter/l7-filter%20kernel%20version/2.22/netfilter-layer7-v2.22.tar.gz
l7-protocols                 | http://cdnetworks-kr-2.dl.sourceforge.net/project/l7-filter/Protocol%20definitions/2009-05-28/l7-protocols-2009-05-28.tar.gz
opendpi                      | http://opendpi.googlecode.com/files/opendpi-1.3.0.tar.gz
opendpi-netfilter-wrapper    | http://opendpi.googlecode.com/files/opendpi-netfilter-wrapper-1.2.tar.gz
ipp2p-0.99.15-k2.6.28-i1.4.7 | http://bbs.chinaunix.net/attachment.php?aid=NDU3OTgzfDc3NDZiZmRifDEzMTY1MDUzNjV8YmVjNUk4bFFOTkJiRkk2TUZPNEdhNU82dU9RaXF5azlRWkIyV0ZqbHdiY1dZRFE%3D
Place all of the above under /usr/src.
kernel 2.6.25.7 was chosen because during testing I tried a newer kernel, but opendpi would not compile against it, so I had to fall back to kernel 2.6.25.7.
The errors encountered were:
/usr/src/opendpi-netfilter-wrapper-1.2/wrapper/src/main.c:362: warning: ‘struct nf_ct_event’ declared inside parameter list
/usr/src/opendpi-netfilter-wrapper-1.2/wrapper/src/main.c:362: warning: its scope is only this definition or declaration, which is probably not what you want
/usr/src/opendpi-netfilter-wrapper-1.2/wrapper/src/main.c: In function ‘opendpi_conntrack_event’:
/usr/src/opendpi-netfilter-wrapper-1.2/wrapper/src/main.c:364: error: dereferencing pointer to incomplete type
/usr/src/opendpi-netfilter-wrapper-1.2/wrapper/src/main.c: At top level:
/usr/src/opendpi-netfilter-wrapper-1.2/wrapper/src/main.c:383: error: variable ‘osdpi_notifier’ has initializer but incomplete type
/usr/src/opendpi-netfilter-wrapper-1.2/wrapper/src/main.c:384: error: unknown field ‘fcn’ specified in initializer
/usr/src/opendpi-netfilter-wrapper-1.2/wrapper/src/main.c:384: warning: excess elements in struct initializer
/usr/src/opendpi-netfilter-wrapper-1.2/wrapper/src/main.c:384: warning: (near initialization for ‘osdpi_notifier’)
/usr/src/opendpi-netfilter-wrapper-1.2/wrapper/src/main.c: In function ‘opendpi_cleanup’:
/usr/src/opendpi-netfilter-wrapper-1.2/wrapper/src/main.c:591: warning: passing argument 1 of ‘nf_conntrack_unregister_notifier’ from incompatible pointer type
/usr/src/opendpi-netfilter-wrapper-1.2/wrapper/src/main.c: In function ‘opendpi_mt_init’:
/usr/src/opendpi-netfilter-wrapper-1.2/wrapper/src/main.c:677: warning: passing argument 1 of ‘nf_conntrack_register_notifier’ from incompatible pointer type
make[3]: *** [/usr/src/opendpi-netfilter-wrapper-1.2/wrapper/src/main.o] Error 1
make[2]: *** [_module_/usr/src/opendpi-netfilter-wrapper-1.2/wrapper/src] Error 2
make[2]: Leaving directory `/usr/src/linux-2.6.28'
make[1]: *** [all] Error 2
make[1]: Leaving directory `/usr/src/opendpi-netfilter-wrapper-1.2/wrapper/src'
make: *** [all] Error 2
I have contacted the opendpi project about this and have not yet received a reply.
4. Rebuilding the kernel:
#tar -jxvf linux-2.6.25.7.tar.bz2
#tar -zxvf netfilter-layer7-v2.22.tar.gz
#tar -zxvf l7-protocols-2009-05-28.tar.gz
#cd linux-2.6.25.7
#patch -p1 < /usr/src/netfilter-layer7-v2.22/kernel-2.6.25-2.6.28-layer7-2.22.patch
patching file net/netfilter/Kconfig
patching file net/netfilter/Makefile
patching file net/netfilter/xt_layer7.c
patching file net/netfilter/regexp/regexp.c
patching file net/netfilter/regexp/regexp.h
patching file net/netfilter/regexp/regmagic.h
patching file net/netfilter/regexp/regsub.c
patching file net/netfilter/nf_conntrack_core.c
patching file net/netfilter/nf_conntrack_standalone.c
patching file include/net/netfilter/nf_conntrack.h
patching file include/linux/netfilter/xt_layer7.h
#cp /boot/config-2.6.18-194.el5 /usr/src/linux-2.6.25.7/.config
#make menuconfig (note: run this in a graphical environment)
(1) Networking support → Networking Options → Network packet filtering framework → Core Netfilter Configuration
<M> Netfilter connection tracking support
[*] Connection tracking events
<M> Connection tracking netlink interface
<M> FTP protocol support
<M> "layer7" match support
<M> "string" match support
<M> "time" match support
<M> "iprange" match support
<M> "connlimit" match support
<M> "state" match support
<M> "conntrack" connection match support
<M> "mac" address match support
<M> "multiport" Multiple port match support
(2) Networking support → Networking Options → Network packet filtering framework → IP: Netfilter Configuration
<M> IPv4 connection tracking support (required for NAT)
<M> Full NAT
<M> MASQUERADE target support
<M> NETMAP target support
<M> REDIRECT target support
#make && make modules_install && make install
The build takes at least half an hour; you can do other things in the meantime. When it finishes:
#vi /etc/grub.conf
# grub.conf generated by anaconda
#
# Note that you do not have to rerun grub after making changes to this file
# NOTICE: You have a /boot partition. This means that
# all kernel and initrd paths are relative to /boot/, eg.
# root (hd0,0)
# kernel /vmlinuz-version ro root=/dev/VolGroup00/LogVol00
# initrd /initrd-version.img
#boot=/dev/sda
default=1 ----- change to default=0
timeout=5
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
title CentOS (2.6.25.7)
root (hd0,0)
kernel /vmlinuz-2.6.25.7 ro root=/dev/VolGroup00/LogVol00 rhgb quiet
initrd /initrd-2.6.25.7.img
title CentOS (2.6.18-194.el5)
root (hd0,0)
kernel /vmlinuz-2.6.18-194.el5 ro root=/dev/VolGroup00/LogVol00 rhgb quiet
initrd /initrd-2.6.18-194.el5.img
#reboot
#uname -a
Linux proxytest 2.6.25.7 #1 SMP Wed Sep 21 19:01:12 CST 2011 i686 i686 i386 GNU/Linux
After the reboot, the system is running the new kernel. The kernel build is now complete.
5. Updating iptables with the Layer7 patch
#cd /usr/src
# tar -zxvf netfilter-layer7-v2.22.tar.gz
# tar -jxvf iptables-1.4.3.2.tar.bz2
# cp /usr/src/netfilter-layer7-v2.22/iptables-1.4.3forward-for-kernel-2.6.20forward/* /usr/src/iptables-1.4.3.2/extensions/
# cd /usr/src/iptables-1.4.3.2
# ./configure --with-ksource=/usr/src/linux-2.6.25.7
# make && make install
# iptables -V
iptables v1.4.3.2 # updated to the new version
6. Installing the Layer7 protocol definitions
# cd /usr/src
# tar -zxvf l7-protocols-2009-05-28.tar.gz
# cd l7-protocols-2009-05-28
# make install
7. Layer7 rules
# iptables -t mangle -I PREROUTING -m layer7 --l7proto edonkey -j DROP (block eDonkey)
# iptables -t mangle -I PREROUTING -m layer7 --l7proto bittorrent -j DROP (block BitTorrent)
# iptables -t mangle -I PREROUTING -m layer7 --l7proto qq -j DROP (block QQ messaging)
# iptables -t mangle -I PREROUTING -m layer7 --l7proto msnmessenger -j DROP (block MSN Messenger)
# iptables -t mangle -I PREROUTING -m layer7 --l7proto xunlei -j DROP (block Xunlei)
# iptables -t mangle -I PREROUTING -m layer7 --l7proto kugoo -j DROP (block Kugoo)
# iptables -t mangle -I PREROUTING -m layer7 --l7proto yahoo -j DROP (block Yahoo! Messenger)
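As an added example (not part of the original article), the following script builds the Layer7 block list above as reviewable text and reads the per-protocol hit counters back out of the mangle/PREROUTING chain, so an administrator can verify which blocks actually fire. It appends with -A instead of the article's -I so the rules stay in list order, pairs each DROP with a LOG rule, and the counter output it parses is a constructed sample in the format of iptables -t mangle -vnL PREROUTING.

```shell
#!/bin/sh
# Added example: generate the Layer7 block rules and summarise their hit counters.
# Nothing here is taken from the article or the l7-filter project.

# Protocols the article blocks. With -A the rules are evaluated in this order.
L7_BLOCK="qq xunlei bittorrent edonkey msnmessenger kugoo yahoo"

# Emit the rules as text (dry run) so they can be reviewed before being applied.
# A LOG rule precedes each DROP so matches are visible in the kernel log.
l7_rules() {
  for p in $1; do
    printf 'iptables -t mangle -A PREROUTING -m layer7 --l7proto %s -j LOG --log-prefix "L7-%s "\n' "$p" "$p"
    printf 'iptables -t mangle -A PREROUTING -m layer7 --l7proto %s -j DROP\n' "$p"
  done
}

# Read "iptables -t mangle -vnL PREROUTING" output from stdin and print
# "<proto> <packets> <bytes>" for every layer7 DROP rule (fields: pkts bytes target ...).
l7_hits() {
  awk '$3 == "DROP" && /LAYER7 l7proto/ {
         for (i = 1; i <= NF; i++) if ($i == "l7proto") print $(i+1), $1, $2
       }'
}

# Constructed sample of counter output (not captured from a real host).
SAMPLE='Chain PREROUTING (policy ACCEPT 9123 packets, 1204K bytes)
 pkts bytes target     prot opt in     out     source               destination
   37  4310 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LAYER7 l7proto qq LOG flags 0 level 4 prefix "L7-qq "
   37  4310 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            LAYER7 l7proto qq
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LAYER7 l7proto xunlei LOG flags 0 level 4 prefix "L7-xunlei "
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            LAYER7 l7proto xunlei'

# Run with "demo" to print the generated rules and the hit summary of the sample.
if [ "${1:-}" = "demo" ]; then
  l7_rules "$L7_BLOCK"
  printf '%s\n' "$SAMPLE" | l7_hits
fi
```

On a live box, pipe the real counters in with `iptables -t mangle -vnL PREROUTING | l7_hits`; a protocol whose DROP counter stays at zero while the application still works is the first sign that its pattern no longer matches.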
8. Installing opendpi
(1) Installing opendpi-netfilter
#cd /usr/src
#tar -zxvf opendpi-1.3.0.tar.gz
#tar -zxvf opendpi-netfilter-wrapper-1.2.tar.gz
#cd opendpi-netfilter-wrapper-1.2/wrapper
#export OPENDPI_PATH=/usr/src/opendpi-1.3.0
# OPENDPI_PATH=/usr/src/opendpi-1.3.0 make
# make modules_install
# cp ipt/libxt_opendpi.so /usr/local/libexec/xtables
# iptables -m opendpi --help
If the help text is displayed, the build succeeded.
(2) Installing opendpi
#cd /usr/src/opendpi-1.3.0
#./configure
# make
If you get the following error:
OpenDPI_demo.c:42:18: error: pcap.h: No such file or directory
OpenDPI_demo.c:50: error: ‘PCAP_ERRBUF_SIZE’ undeclared here (not in a function)
OpenDPI_demo.c:51: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘__attribute__’ before ‘*’ token
OpenDPI_demo.c: In function ‘openPcapFile’:
OpenDPI_demo.c:457: error: ‘_pcap_handle’ undeclared (first use in this function)
OpenDPI_demo.c:457: error: (Each undeclared identifier is reported only once
OpenDPI_demo.c:457: error: for each function it appears in.)
OpenDPI_demo.c: In function ‘closePcapFile’:
OpenDPI_demo.c:468: error: ‘_pcap_handle’ undeclared (first use in this function)
OpenDPI_demo.c: At top level:
OpenDPI_demo.c:474: warning: ‘struct pcap_pkthdr’ declared inside parameter list
OpenDPI_demo.c:474: warning: its scope is only this definition or declaration, which is probably not what you want
OpenDPI_demo.c: In function ‘pcap_packet_callback’:
OpenDPI_demo.c:485: error: dereferencing pointer to incomplete type
OpenDPI_demo.c:486: error: dereferencing pointer to incomplete type
OpenDPI_demo.c:497: error: ‘DLT_EN10MB’ undeclared (first use in this function)
OpenDPI_demo.c:503: error: dereferencing pointer to incomplete type
OpenDPI_demo.c:505: error: dereferencing pointer to incomplete type
OpenDPI_demo.c:505: error: dereferencing pointer to incomplete type
OpenDPI_demo.c:515: error: dereferencing pointer to incomplete type
OpenDPI_demo.c:517: error: dereferencing pointer to incomplete type
OpenDPI_demo.c:517: error: dereferencing pointer to incomplete type
OpenDPI_demo.c: In function ‘runPcapLoop’:
OpenDPI_demo.c:524: error: ‘_pcap_handle’ undeclared (first use in this function)
make[1]: *** [OpenDPI_demo.o] Error 1
make[1]: Leaving directory `/usr/src/opendpi-1.3.0/src/examples/OpenDPI_demo'
make: *** [all-recursive] Error 1
install libpcap-devel:
#yum install libpcap-devel
#make
#make install
(3) Example rules:
iptables -A OUTPUT -m opendpi --http -j REJECT (block the HTTP protocol)
iptables -A OUTPUT -m opendpi --thunder -j REJECT (block the Xunlei/Thunder protocol)
iptables -A OUTPUT -m opendpi --pplive -j REJECT (block the PPLive protocol)
...
There are many more like these; see iptables -m opendpi --help for the full list.