Uninstall the old iptables
# cd /usr/src/linux-2.6.28
# patch -p1 < ../netfilter-layer7-v2.22/kernel-2.6.25-2.6.28-layer7-2.22.patch
# make menuconfig
General setup --->
[*] Prompt for development and/or incomplete code/drivers
Networking --->
Networking options --->
[*] Network packet filtering framework (Netfilter) --->
Core Netfilter Configuration ---> select everything
[ ] layer 7 debugging output    leave unselected; otherwise the kernel keeps printing match messages nonstop
IP: Netfilter Configuration ---> select everything
# make
# make modules
# make modules_install
# make install
# cp /usr/src/netfilter-layer7-v2.22/iptables-1.4.3forward-for-kernel-2.6.20forward/* /usr/src/iptables-1.4.7/extensions
# cd /usr/src/iptables-1.4.7
# ./configure --with-ksource=/usr/src/linux-2.6.28
# cd /usr/src/l7-protocols-2009-05-28
# make install
After rebooting, remove the old kernel
# iptables -A FORWARD -m layer7 --l7proto qq -j DROP
# iptables -L -n -v --line-numbers
nf_conntrack version 0.5.0 (8046 buckets, 32184 max)
CONFIG_NF_CT_ACCT is deprecated and will be removed soon. Please use
nf_conntrack.acct=1 kernel paramater, acct=1 nf_conntrack module option or
sysctl net.netfilter.nf_conntrack_acct=1 to enable it.
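An added example, not part of this note: a POSIX shell helper that emits the layer7 FORWARD rules with a rate-limited LOG rule in front of the DROP (so blocked traffic is visible in the kernel log), and parses per-rule packet counters out of `iptables -L FORWARD -n -v -x --line-numbers` output. The counter listing below is constructed sample output, and the log prefix and limit values are my own choices.

```shell
#!/bin/sh
# Added example (not from the original note). Assumes the xt_layer7 match is
# loaded and the l7-protocols patterns were installed as shown above.

# Emit the iptables commands for one l7proto: a rate-limited LOG, then the DROP.
# Logging first gives an audit trail of what the pattern actually matched.
layer7_rules() {
    proto="$1"
    printf 'iptables -A FORWARD -m layer7 --l7proto %s -m limit --limit 6/min -j LOG --log-prefix "L7-%s "\n' "$proto" "$proto"
    printf 'iptables -A FORWARD -m layer7 --l7proto %s -j DROP\n' "$proto"
}

# Constructed sample of `iptables -L FORWARD -n -v -x --line-numbers` output
# after the two rules above have seen some traffic.
SAMPLE_COUNTERS='Chain FORWARD (policy ACCEPT 1200 packets, 98000 bytes)
num      pkts      bytes target     prot opt in     out     source               destination
1          42      5100 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LAYER7 l7proto qq limit: avg 6/min burst 5 LOG flags 0 level 4 prefix "L7-qq "
2         317     38900 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            LAYER7 l7proto qq'

# Read a counter listing on stdin; print "<target> <pkts>" for every rule
# whose match is the given l7proto (column 4 is target, column 2 is pkts).
layer7_counters() {
    proto="$1"
    awk -v p="$proto" '$0 ~ ("l7proto " p "( |$)") { print $4, $2 }'
}

# Read a counter listing on stdin; print the total packets dropped for the l7proto.
layer7_dropped() {
    proto="$1"
    awk -v p="$proto" '$4 == "DROP" && $0 ~ ("l7proto " p "( |$)") { s += $2 } END { print s + 0 }'
}

# Demonstration: show the rules for qq and the drop count from the sample.
layer7_rules qq
printf '%s\n' "$SAMPLE_COUNTERS" | layer7_counters qq
printf '%s\n' "$SAMPLE_COUNTERS" | layer7_dropped qq
```

On a live box, replace the constructed listing with `iptables -L FORWARD -n -v -x --line-numbers | layer7_dropped qq`.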