Installing l7-filter

L7-filter (Application Layer Packet Classifier for Linux) is an add-on module for Linux netfilter. It gives iptables Layer 7 (application-layer) filtering, which can be used to restrict or block P2P and instant-messaging software.
Starting system: CentOS 4.4
Kernel 2.6.9-42.0.3.EL
iptables 1.2.11

1. Download the required packages:
kernel 2.6.19.7
# wget http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.19.7.tar.bz2
iptables 1.3.7
# wget http://www.netfilter.org/projects/iptables/files/iptables-1.3.7.tar.bz2
L7-filter: http://sourceforge.net/project/showfiles.php?group_id=80085
netfilter-layer7-v2.12.tar.gz
l7-protocols-2007-06-22.tar.gz

2. Configure and build the new kernel
First put all of the downloaded packages under /usr/src.
# tar zxvf netfilter-layer7-v2.12.tar.gz
# tar xjvf linux-2.6.19.7.tar.bz2
# ln -s linux-2.6.19.7 linux
# cd linux
# patch -p1 < /usr/src/netfilter-layer7-v2.9/kernel-2.6.18-2.6.19-layer7-2.9.patch (apply the L7-filter kernel patch; the directory and patch file name must match the netfilter-layer7 version you actually extracted, v2.12 above)
# make oldconfig
(If this tree has been built before, run make mrproper first. make oldconfig compares against the previous kernel config and generates a new config from it, so you do not have to redo every kernel option from scratch when building the new kernel.)
# make menuconfig   (set the kernel options; for details see the article 内核编译详解)
The layout of the options differs between kernel versions; look carefully and you will find:
Code maturity level options –> [*] Prompt for development and/or incomplete code/drivers
Networking –> Networking options –>
     [*] Network packet filtering (replaces ipchains) –>
         IP: Netfilter Configuration –>
             <M> Connection tracking (required for masq/NAT)
             [*] Connection tracking flow accounting
             <M> IP tables support (required for filtering/masq/NAT)
             <M> Layer 7 match support
# make
# make modules
# make modules_install
# make install
# reboot
# uname -a
Linux jason.10235 2.6.19.7 #1 Fri Jul 6 11:56:11 CST 2007 i686 i686 i386 GNU/Linux
The system is now running the new kernel 2.6.19.7.
3. Upgrade iptables and apply the Layer7 patch
# cd /usr/src
# tar xjvf iptables-1.3.7.tar.bz2
# cd iptables-1.3.7
# patch -p1 < ../netfilter-layer7-v2.0/iptables-layer7-2.0.patch (use the iptables patch shipped in the netfilter-layer7 tarball you extracted above; its file name carries that version)
# chmod +x extensions/.layer7-test
# export KERNEL_DIR=/usr/src/linux-2.6.19.7
# export IPTABLES_DIR=/usr/src/iptables-1.3.7
# make BINDIR=/sbin LIBDIR=/lib MANDIR=/usr/share/man install
# iptables -V
iptables v1.3.7
iptables is now at the new version.

4. Install the Layer7 protocol definition files

# cd /usr/src
# tar zxvf l7-protocols-2007-06-22.tar.gz
# cd l7-protocols-2007-06-22
# make install

5. Using the iptables layer7 filter:

# iptables -t mangle -I PREROUTING -m layer7 --l7proto edonkey -j DROP (block eDonkey)
# iptables -t mangle -I PREROUTING -m layer7 --l7proto bittorrent -j DROP (block BitTorrent)
# iptables -t mangle -I PREROUTING -m layer7 --l7proto qq -j DROP (block QQ)
# iptables -t mangle -I PREROUTING -m layer7 --l7proto msnmessenger -j DROP (block MSN Messenger)
# iptables -t mangle -I PREROUTING -m layer7 --l7proto xunlei -j DROP (block Xunlei)
# iptables -t mangle -I PREROUTING -m layer7 --l7proto kugoo -j DROP (block Kugoo)
# iptables -t mangle -I PREROUTING -m layer7 --l7proto yahoo -j DROP (block Yahoo! Messenger)
 
 
How to block MSN file transfers
Done with the iptables layer7 match:
iptables -A FORWARD -m layer7 --l7proto msn-filetransfer -j DROP
 
Reposted article 1:
Author: 何祖彬 [RobinHe]  Mail: [email protected]
Started on the morning of 3 August 2008
Version: KernelLayer7-V1.0-20080803, first edition 3 August 2008
Please credit the source when reposting. Most of this article draws on two other people's write-ups, so when reposting please also include the sources listed under "Reference articles" below. Thanks!
This article will inevitably have gaps, omissions, typos and clumsy sentences; if you find any, or have updates, please contact me so I can correct and improve it.
System information:
OS: Debian 4.0 rc3
Usage notes:
Most of the text in bold green is the commands typed and the output the system displayed.
Reference articles:
實作 Layer 7 封包過濾 (Implementing Layer 7 packet filtering)
http://ms.ntcb.edu.tw/~steven/article/kernel-layer7-filter.htm
Thanks to Steven!
Debian Linux系统编译内核标准方式介绍 (An introduction to the standard way of compiling a kernel on Debian Linux)
http://tech.itzero.com/2008/0728/article_38241.html
升级、编译自己的内核—— Debian篇 (Upgrading and compiling your own kernel: the Debian edition)
http://fanqiang.chinaunix.net/system/linux/2005-05-02/3211.shtml

Step 1: download and install the tools and packages that will be needed:
#apt-get install debhelper modutils kernel-package libncurses5-dev fakeroot
#apt-get install gcc g++ make
Note:
Kernel building on Debian differs from Red Hat: it needs the make-kpkg command and fakeroot [optional] during the build, so the packages above must be installed first!
To install mysql, php, apache and so on I also installed the related libraries and common tools:
#apt-get install vim elinks gcc g++ make libncurses5-dev libpng12-dev libjpeg62-dev zlib1g-dev libxml2-dev

Step 2: download the required source packages and extract them to the right places:
To build a kernel with the layer7 module you need the source of the following:
linux kernel source
iptables source
l7-filter patch
l7-filter protocols
The versions I chose are:
kernel: 2.6.24
iptables: 1.4.0
l7-filter patch: 2.17
l7-filter protocols: 2008-02-20
The complete downloads:
root # wget ftp://ftp.tw.kernel.org/pub/linux/kernel/v2.6/linux-2.6.24.4.tar.bz2
root # wget ftp://ftp.netfilter.org/pub/iptables/iptables-1.4.0.tar.bz2
root # wget http://nchc.dl.sourceforge.net/sourceforge/l7-filter/netfilter-layer7-v2.17.tar.gz
root # wget http://nchc.dl.sourceforge.net/sourceforge/l7-filter/l7-protocols-2008-02-20.tar.gz
Or download all of the archives in one bundle from our own server:
http://pt.cjcht.com:85/l7.tar.gz    // about 60 MB; it also contains two newer versions of the packages that I have not used yet. Try them yourself when you have time; otherwise just use the versions Steven used!
#cd /usr/local/src
#wget http://pt.cjcht.com:85/l7.tar.gz
#tar -zxvf l7.tar.gz
Out of habit I extract these packages under /usr/local/src/Layer7:
Since we are building a new kernel, I like to keep the kernel source under /usr/src, in a new directory called kernels. Steven's habit seems a good one, so I will adopt it from now on!
#cd /usr/src
#mkdir kernels
#cd kernels
Extract the packages into /usr/src/kernels:
#tar -jxvf /usr/local/src/Layer7/linux-2.6.24.4.tar.bz2
#tar -jxvf /usr/local/src/Layer7/iptables-1.4.0.tar.bz2
#tar -zxvf /usr/local/src/Layer7/netfilter-layer7-v2.17.tar.gz
#tar -zxvf /usr/local/src/Layer7/l7-protocols-2008-02-20.tar.gz

Step 3: add Layer7 to the new kernel and build it:
For convenience, create a symbolic link and change into the new kernel source directory:
#ln -s linux-2.6.24.4 linux
#cd linux
If you want to keep using the module features of your old kernel, copy /boot/config-<kernel-version> into the current kernel directory and name it .config:
#cp /boot/config-2.6.18-6-686 ./.config
Apply the layer7 patch to the kernel source:
#patch -p1 < ../netfilter-layer7-v2.17/kernel-2.6.22-2.6.24-layer7-2.17.patch
The result:
patching file net/netfilter/Kconfig
patching file net/netfilter/Makefile
patching file net/netfilter/xt_layer7.c
patching file net/netfilter/regexp/regexp.c
patching file net/netfilter/regexp/regexp.h
patching file net/netfilter/regexp/regmagic.h
patching file net/netfilter/regexp/regsub.c
patching file net/netfilter/nf_conntrack_core.c
patching file net/netfilter/nf_conntrack_standalone.c
patching file include/net/netfilter/nf_conntrack.h
patching file include/linux/netfilter/xt_layer7.h
Select layer7 and the related modules for the kernel:
#make menuconfig
The options are:
 General setup  --->
     [*] Prompt for development and/or incomplete code/drivers
 Networking  --->
       Networking options  --->
           [*] Network packet filtering framework (Netfilter)  --->
                 Core Netfilter Configuration  --->
                     <M> Netfilter connection tracking support
                     -*- Connection tracking flow accounting
                     -*- Connection mark tracking support
                     [*] Connection tracking security mark support
                     [*] Connection tracking events (EXPERIMENTAL)
                     <M> SCTP protocol connection tracking support (EXPERIMENTAL)
                     <M> UDP-Lite protocol connection tracking support (EXPERIMENTAL)
                     <M> Amanda backup protocol support
                     <M> FTP protocol support
                     <M> H.323 protocol support (EXPERIMENTAL)
                     <M> IRC protocol support
                     <M> NetBIOS name service protocol support (EXPERIMENTAL)
                     <M> PPtP protocol support
                     <M> SANE protocol support (EXPERIMENTAL)
                     <M> SIP protocol support (EXPERIMENTAL)
                     <M> TFTP protocol support
                     <M> Connection tracking netlink interface (EXPERIMENTAL)
                     {M} Netfilter Xtables support (required for ip_tables)
                     <M>   "CLASSIFY" target support
                     <M>   "CONNMARK" target support
                     <M>   "DSCP" target support
                     <M>   "MARK" target support
                     <M>   "NFQUEUE" target Support
                     <M>   "NFLOG" target support
                     <M>   "NOTRACK" target support
                     <M>   "TRACE" target support
                     <M>   "SECMARK" target support
                     <M>   "CONNSECMARK" target support
                     <M>   "TCPMSS" target support
                     <M>   "comment" match support
                     <M>   "connbytes" per-connection counter match support
                     <M>   "connlimit" match support
                     <M>   "connmark" connection mark match support
                     <M>   "conntrack" connection tracking match support
                     <M>   "DCCP" protocol match support
                     <M>   "DSCP" match support
                     <M>   "ESP" match support
                     <M>   "helper" match support
                     <M>   "length" match support
                     <M>   "limit" match support
                     <M>   "mac" address match support
                     <M>   "mark" match support
                     <M>   IPsec "policy" match support
                     <M>   Multiple port match support
                     <M>   "physdev" match support
                     <M>   "pkttype" packet type match support
                     <M>   "quota" match support
                     <M>   "realm" match support
                     <M>   "sctp" protocol match support (EXPERIMENTAL)
                     <M>   "state" match support
                     <M>   "layer7" match support
                     [*]     Layer 7 debugging output
                     <M>   "statistic" match support
                     <M>   "string" match support
                     <M>   "tcpmss" match support
                     <M>   "time" match support
                     <M>   "u32" match support
                     <M>   "hashlimit" match support
                 IP: Netfilter Configuration  --->
                     <M> IPv4 connection tracking support (required for NAT)
                     [*]   proc/sysctl compatibility with old connection tracking (NEW)
                     <M> IP Userspace queueing via NETLINK (OBSOLETE)
                     <M> IP tables support (required for filtering/masq/NAT)
                     <M>   IP range match support
                     <M>   TOS match support
                     <M>   recent match support
                     <M>   ECN match support
                     <M>   AH match support
                     <M>   TTL match support
                     <M>   Owner match support
                     <M>   address type match support
                     <M>   Packet filtering
                     <M>     REJECT target support
                     <M>   LOG target support
                     <M>   ULOG target support
                     <M>   Full NAT (NEW)
                     <M>     MASQUERADE target support
                     <M>     REDIRECT target support
                     <M>     NETMAP target support
                     <M>     SAME target support (OBSOLETE)
                     <M>     Basic SNMP-ALG support (EXPERIMENTAL)
                     <M>   Packet mangling
                     <M>     TOS target support
Note: at first I could not find the two items <M> "layer7" match support and [*] Layer 7 debugging output and wasted a lot of time. It turned out that they belong under <> Netfilter connection tracking support, so you must select <M> Netfilter connection tracking support first; only then do Layer7 and the related modules appear below it!
The time module is what lets iptables control the hours during which internet access is allowed, i.e. time-based control!
EXIT step by step; when asked whether to save the changes you just made, choose "YES"!
Note:
On Red Hat and other distributions the build is done with make and the related commands, but here we need Debian's dedicated tool make-kpkg. I suppose it is built on make and just packaged to be convenient for Debian users, since Debian's kernel boot parameters differ from other systems! Installing the packages mentioned at the start of this article (#apt-get install debhelper modutils kernel-package libncurses5-dev fakeroot) was for this step!
Clean the source tree and reset the kernel-package parameters:
#make-kpkg clean
Then build and produce the .deb packages used for installation:
#fakeroot make-kpkg --append_to_version -686 --initrd --revision=2.6.24 kernel_image modules_image
Note: fakeroot switches into a root user environment; if your current user is not root you need this command, otherwise it can be omitted!
Building the kernel with make-kpkg seems to save many steps compared with before! Something to look into when there is time!
This step takes quite a long time for the compilation and the work after it, depending on your machine. An ordinary machine (1.7G CPU, 128M RAM) needs about 2 hours, so go and have a cup of tea and do something else. I found a C533 with 128MB and the build seemed to take over 6 hours, which was depressing...
--revision=2.6.24  sets the version number of the new kernel
--append_to_version -686  sets the kernel's sub-version
.........................
Drinking tea and watching the football on TV...
.........................
Well, on my old computer [Intel(R) Celeron(TM) CPU 1100MHz, 128MB, 810 board] this step took me 3 hours!
When the build finishes, the file linux-image-2.6.24-686_2.6.24_i386.deb is created in /usr/src/kernels, i.e. in the directory above the new kernel source!
Install the new kernel:
#dpkg -i linux-image-2.6.24-686_2.6.24_i386.deb
This installs the new kernel into place and adds entries for it to /boot/grub/menu.lst:
title           Debian GNU/Linux, kernel 2.6.24-686
root            (hd0,0)
kernel          /boot/vmlinuz-2.6.24-686 root=/dev/hda1 ro
initrd          /boot/initrd.img-2.6.24-686
savedefault
title           Debian GNU/Linux, kernel 2.6.24-686 (single-user mode)
root            (hd0,0)
kernel          /boot/vmlinuz-2.6.24-686 root=/dev/hda1 ro single
initrd          /boot/initrd.img-2.6.24-686
savedefault
These two entries are placed at the very top, so if we leave this file alone, the new kernel will be run at the next boot!

Step 4: patch iptables and install it...
Enter the iptables source directory:
#cd /usr/src/kernels/iptables-1.4.0
Apply the patch to the source:
#patch -p1 < ../netfilter-layer7-v2.17/iptables-1.4-for-kernel-2.6.20forward-layer7-2.17.patch
The result:
patching file extensions/libipt_layer7.c
patching file extensions/libipt_layer7.man
patching file extensions/.layer7-test
Set the KERNEL_DIR and IPTABLES_DIR environment variables, then build and install:
#export KERNEL_DIR=/usr/src/kernels/linux
#export IPTABLES_DIR=/usr/src/kernels/iptables-1.4.0
#chmod +x extensions/.layer7-test
#make
#make install
Install the Layer7 protocol definition files: (layer seven of TCP/IP is the application layer, the layer of network applications such as QQ, MSN and so on...)
When using the layer7 module, refer to the definitions under /etc/l7-protocols; the signatures of the various protocols, e.g. QQ and MSN, are in that directory:
#cd /usr/src/kernels/l7-protocols-2008-02-20/
#make install
Output:
mkdir -p /etc/l7-protocols
cp -R * /etc/l7-protocols
The output shows what it is doing!
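To make clear what the .pat definitions installed above contain and how the layer7 match uses them (which also explains the DROP rules in section 5 and in the tests below), here is an added Python model of the match. It is example code written for this page, not code from the page or from the l7-filter project. It assumes the .pat layout (comment lines, then the protocol name, then the regular expression), a per-connection buffer of the first NUM_PACKETS packets capped at MAX_DATA_LEN bytes, case-insensitive matching, and two constructed demo patterns; the real module's limits are module parameters and the values here are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed defaults of the kernel match (module parameters in the real
# xt_layer7); the values are assumptions of this model, not from the page.
NUM_PACKETS = 10      # packets of a connection inspected before giving up
MAX_DATA_LEN = 2048   # bytes of application data buffered per connection


def parse_pat(text: str) -> Tuple[str, str]:
    """Read one .pat file: '#' lines are comments, the first remaining
    line is the protocol name and the second is the regular expression."""
    body = [ln.strip() for ln in text.splitlines()]
    body = [ln for ln in body if ln and not ln.startswith("#")]
    if len(body) < 2:
        raise ValueError("pattern file needs a name line and a regex line")
    return body[0], body[1]


def compile_l7(regex: str) -> "re.Pattern[bytes]":
    """l7 patterns are matched case-insensitively against raw payload
    bytes; the \\xHH escapes in them denote single bytes, which Python's
    re also understands, so the text compiles directly as a bytes pattern."""
    return re.compile(regex.encode("latin-1"), re.IGNORECASE | re.DOTALL)


@dataclass
class Connection:
    """State the match keeps alongside each conntrack entry."""
    app_data: bytes = b""
    packets_seen: int = 0
    proto: Optional[str] = None   # set once a pattern matched; never changes
    gave_up: bool = False         # limits reached without any match


class Layer7Classifier:
    def __init__(self, pat_files: List[str]):
        self.patterns: Dict[str, "re.Pattern[bytes]"] = {}
        for text in pat_files:
            name, regex = parse_pat(text)
            self.patterns[name] = compile_l7(regex)

    def feed(self, conn: Connection, payload: bytes) -> Optional[str]:
        """Account one packet's application-layer payload and return the
        protocol the connection is classified as, or None if still unknown."""
        if conn.proto is not None or conn.gave_up:
            return conn.proto            # verdict is final for the connection
        conn.packets_seen += 1
        room = MAX_DATA_LEN - len(conn.app_data)
        conn.app_data += payload[:room]  # buffered across packets, capped
        for name, rx in self.patterns.items():
            if rx.search(conn.app_data):
                conn.proto = name
                return name
        if conn.packets_seen >= NUM_PACKETS or len(conn.app_data) >= MAX_DATA_LEN:
            conn.gave_up = True          # stays unclassified from now on
        return None


def rule_matches(conn: Connection, l7proto: str, negate: bool = False) -> bool:
    """Would '-m layer7 [!] --l7proto <l7proto>' match a packet of this
    connection right now? A positive rule never matches an unclassified
    connection, so the first packets of a session always get past a
    layer7 DROP rule; only the packets after classification are dropped."""
    return (conn.proto == l7proto) != negate


def classify_stream(clf: Layer7Classifier, payloads: List[bytes]) -> List[Optional[str]]:
    """Push one connection's packets through the classifier in order and
    return the verdict after each packet."""
    conn = Connection()
    return [clf.feed(conn, p) for p in payloads]


# Constructed, simplified pattern files in .pat layout (not the project's
# real http.pat or bittorrent.pat).
DEMO_HTTP_PAT = r"""
# demo-http: request line of an HTTP/1.x request (constructed)
demo-http
^(get|post|head) [\x21-\x7e]+ http/1\.[01]\x0d\x0a
"""

DEMO_BT_PAT = r"""
# demo-bt: prefix of the BitTorrent peer handshake (constructed)
demo-bt
^\x13bittorrent protocol
"""

if __name__ == "__main__":
    clf = Layer7Classifier([DEMO_HTTP_PAT, DEMO_BT_PAT])
    # request line split over two packets: classified only at packet 2
    print(classify_stream(clf, [b"GET /index.html HT", b"TP/1.1\r\nHost: lan\r\n\r\n"]))
    # opaque stream that matches nothing: stays None, gives up after NUM_PACKETS
    print(classify_stream(clf, [b"\x00\x01\x02\x03"] * 12))
```

Every unclassified connection is regex-scanned up to these limits, which is the CPU cost the postscript of the reference article warns about, and encrypted or altered protocols simply stay unclassified.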
The new kernel is ready and iptables is installed, so we can reboot!
After rebooting, the new kernel and iptables will be in use and we can test whether they work!
#shutdown -r now

Step 5: testing
First check that the kernel and iptables versions are the ones we just built:
#uname -a
Linux aaa.aa.com 2.6.241980 #1 SMP Sun Aug 3 09:43:54 CST 2008 i686 GNU/Linux
#iptables -V
iptables v1.4.0
Then check that the iptables layer7 match is usable:
# iptables -m layer7 --help
iptables v1.4.0
Usage: iptables -[AD] chain rule-specification [options]
       iptables -[RI] chain rulenum rule-specification [options]
       iptables -D chain rulenum [options]
       iptables -[LFZ] [chain] [options]
       iptables -[NX] chain
       iptables -E old-chain-name new-chain-name
       iptables -P chain target [options]
       iptables -h (print this help information)
Commands:
Either long or short options are allowed.
  --append  -A chain            Append to chain
  --delete  -D chain            Delete matching rule from chain
  --delete  -D chain rulenum
                                Delete rule rulenum (1 = first) from chain
  --insert  -I chain [rulenum]
                                Insert in chain as rulenum (default 1=first)
  --replace -R chain rulenum
                                Replace rule rulenum (1 = first) in chain
  --list    -L [chain]          List the rules in a chain or all chains
  --flush   -F [chain]          Delete all rules in  chain or all chains
  --zero    -Z [chain]          Zero counters in chain or all chains
  --new     -N chain            Create a new user-defined chain
  --delete-chain
            -X [chain]          Delete a user-defined chain
  --policy  -P chain target
                                Change policy on chain to target
  --rename-chain
            -E old-chain new-chain
                                Change chain name, (moving any references)
Options:
  --proto       -p [!] proto    protocol: by number or name, eg. `tcp'
  --source      -s [!] address[/mask]
                                source specification
  --destination -d [!] address[/mask]
                                destination specification
  --in-interface -i [!] input name[+]
                                network interface name ([+] for wildcard)
  --jump        -j target
                                target for rule (may load target extension)
  --goto      -g chain
                              jump to chain with no return
  --match       -m match
                                extended match (may load extension)
  --numeric     -n              numeric output of addresses and ports
  --out-interface -o [!] output name[+]
                                network interface name ([+] for wildcard)
  --table       -t table        table to manipulate (default: `filter')
  --verbose     -v              verbose mode
  --line-numbers                print line numbers when listing
  --exact       -x              expand numbers (display exact values)
[!] --fragment  -f              match second or further fragments only
  --modprobe=<command>          try to insert modules using this command
  --set-counters PKTS BYTES     set the counter during insert/append
[!] --version   -V              print package version.
LAYER7 match v1.4.0 options:
--l7dir <directory>  : Look for patterns here instead of /etc/l7-protocols/
                       (--l7dir must be specified before --l7proto if used!)
--l7proto [!] <name> : Match the protocol defined in /etc/l7-protocols/name.pat
Before the layer7 module was added, the output looked like this:
#iptables -m layer7 --help
iptables v1.3.6: Couldn't load match `layer7':/lib/iptables/libipt_layer7.so: cannot open shared object file: No such file or directory
Try `iptables -h' or 'iptables --help' for more information.

This shows everything is working.
Now test whether MSN and QQ can be blocked [using this machine as the router and blocking the MSN and QQ packets that pass through it]:
MSN, QQ and BT:
# iptables -t mangle -I PREROUTING -m layer7 --l7proto msnmessenger -j DROP (block MSN)
# iptables -t mangle -I PREROUTING -m layer7 --l7proto bittorrent -j DROP (block BT)
# iptables -t mangle -I PREROUTING -m layer7 --l7proto qq -j DROP (block QQ)
Check the result:
# iptables -L -t mangle
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere            LAYER7 l7proto bittorrent
DROP       all  --  anywhere             anywhere            LAYER7 l7proto qq
DROP       all  --  anywhere             anywhere            LAYER7 l7proto msnmessenger
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
TCPMSS     tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN tcpmss match 1400:1536 TCPMSS clamp to PMTU
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Now try logging in with your MSN, QQ and BT clients; if they cannot connect, congratulations, it worked...
I hope this article helps those who need it. Good night!
祖彬, midnight, 3 August 2008...
This article was finished at midnight on 3 August 2008.
Off to sleep........
It's 12:00 at night...ZZZzzzzz~~zzz~zzzzZZZZ~~~!
Reference article:
------------------------------------------------------------------------------------------------------------------------
http://ms.ntcb.edu.tw/~steven/article/kernel-layer7-filter.htm
實作 Layer 7 封包過濾 (Implementing Layer 7 packet filtering)
References
    * L7-filter Kernel Version HOWTO
    * L7-filter 安裝實錄 (L7-filter installation log)
Downloading the files
To build a newer kernel by hand with the layer7 packet-filtering option, the following packages are needed:
    * linux kernel source
    * iptables source
    * l7-filter patch
    * l7-filter protocols
The versions rebuilt in this article are:
    * kernel: 2.6.24.4
    * iptables: 1.4.0
    * l7-filter patch: 2.17
    * l7-filter protocols: 2008-02-20
For easier management, all of these packages are placed in /usr/src/kernels.
root # cd /usr/src/kernels/
Any tool that can fetch files over the network will do (lynx, wget, mozilla, firefox and so on); this example uses wget:
 
root # wget ftp://ftp.tw.kernel.org/pub/linux/kernel/v2.6/linux-2.6.24.4.tar.bz2
root # wget ftp://ftp.netfilter.org/pub/iptables/iptables-1.4.0.tar.bz2
root # wget http://nchc.dl.sourceforge.net/sourceforge/l7-filter/netfilter-layer7-v2.17.tar.gz
root # wget http://nchc.dl.sourceforge.net/sourceforge/l7-filter/l7-protocols-2008-02-20.tar.gz
Extract the packages.
root # tar -jxvf linux-2.6.24.4.tar.bz2; tar -zxvf l7-protocols-2008-02-20.tar.gz; tar -zxvf netfilter-layer7-v2.17.tar.gz; tar -jxvf iptables-1.4.0.tar.bz2
Updating the kernel
For convenience, create a symbolic link to the linux-2.6.24.4 directory to make changing into it easier.
Then patch the kernel to add the layer7 filter option.

root # ln -s linux-2.6.24.4 linux; cd linux
If you want to carry over the options of the old kernel, copy its .config into the new kernel directory; the previous settings are then reused when you reselect the options.
Apply the layer7 patch to the kernel source.

root # patch -p1 < ../netfilter-layer7-v2.17/kernel-2.6.22-2.6.24-layer7-2.17.patch
patching file net/netfilter/Kconfig
patching file net/netfilter/Makefile
patching file net/netfilter/xt_layer7.c
patching file net/netfilter/regexp/regexp.c
patching file net/netfilter/regexp/regexp.h
patching file net/netfilter/regexp/regmagic.h
patching file net/netfilter/regexp/regsub.c
patching file net/netfilter/nf_conntrack_core.c
patching file net/netfilter/nf_conntrack_standalone.c
patching file include/net/netfilter/nf_conntrack.h
patching file include/linux/netfilter/xt_layer7.h
Selecting the layer 7 options
The related settings must be selected in the kernel configuration; the complete set of items related to layer 7 is shown below.
 
root # make menuconfig
 General setup  --->
     [*] Prompt for development and/or incomplete code/drivers
 Networking  --->
       Networking options  --->
           [*] Network packet filtering framework (Netfilter)  --->
                 Core Netfilter Configuration  --->
                     <M> Netfilter connection tracking support
                     -*- Connection tracking flow accounting
                     -*- Connection mark tracking support
                     [*] Connection tracking security mark support
                     [*] Connection tracking events (EXPERIMENTAL)
                     <M> SCTP protocol connection tracking support (EXPERIMENTAL)
                     <M> UDP-Lite protocol connection tracking support (EXPERIMENTAL)
                     <M> Amanda backup protocol support
                     <M> FTP protocol support
                     <M> H.323 protocol support (EXPERIMENTAL)
                     <M> IRC protocol support
                     <M> NetBIOS name service protocol support (EXPERIMENTAL)
                     <M> PPtP protocol support
                     <M> SANE protocol support (EXPERIMENTAL)
                     <M> SIP protocol support (EXPERIMENTAL)
                     <M> TFTP protocol support
                     <M> Connection tracking netlink interface (EXPERIMENTAL)
                     {M} Netfilter Xtables support (required for ip_tables)
                     <M>   "CLASSIFY" target support
                     <M>   "CONNMARK" target support
                     <M>   "DSCP" target support
                     <M>   "MARK" target support
                     <M>   "NFQUEUE" target Support
                     <M>   "NFLOG" target support
                     <M>   "NOTRACK" target support
                     <M>   "TRACE" target support
                     <M>   "SECMARK" target support
                     <M>   "CONNSECMARK" target support
                     <M>   "TCPMSS" target support
                     <M>   "comment" match support
                     <M>   "connbytes" per-connection counter match support
                     <M>   "connlimit" match support
                     <M>   "connmark" connection mark match support
                     <M>   "conntrack" connection tracking match support
                     <M>   "DCCP" protocol match support
                     <M>   "DSCP" match support
                     <M>   "ESP" match support
                     <M>   "helper" match support
                     <M>   "length" match support
                     <M>   "limit" match support
                     <M>   "mac" address match support
                     <M>   "mark" match support
                     <M>   IPsec "policy" match support
                     <M>   Multiple port match support
                     <M>   "physdev" match support
                     <M>   "pkttype" packet type match support
                     <M>   "quota" match support
                     <M>   "realm" match support
                     <M>   "sctp" protocol match support (EXPERIMENTAL)
                     <M>   "state" match support
                     <M>   "layer7" match support
                     [*]     Layer 7 debugging output
                     <M>   "statistic" match support
                     <M>   "string" match support
                     <M>   "tcpmss" match support
                     <M>   "time" match support
                     <M>   "u32" match support
                     <M>   "hashlimit" match support
                 IP: Netfilter Configuration  --->
                     <M> IPv4 connection tracking support (required for NAT)
                     [*]   proc/sysctl compatibility with old connection tracking (NEW)
                     <M> IP Userspace queueing via NETLINK (OBSOLETE)
                     <M> IP tables support (required for filtering/masq/NAT)
                     <M>   IP range match support
                     <M>   TOS match support
                     <M>   recent match support
                     <M>   ECN match support
                     <M>   AH match support
                     <M>   TTL match support
                     <M>   Owner match support
                     <M>   address type match support
                     <M>   Packet filtering
                     <M>     REJECT target support
                     <M>   LOG target support
                     <M>   ULOG target support
                     <M>   Full NAT (NEW)
                     <M>     MASQUERADE target support
                     <M>     REDIRECT target support
                     <M>     NETMAP target support
                     <M>     SAME target support (OBSOLETE)
                     <M>     Basic SNMP-ALG support (EXPERIMENTAL)
                     <M>   Packet mangling
                     <M>     TOS target support
The important items are "layer7" match support and IPv4 connection tracking support (required for NAT); if you are not sure, simply select everything under Core Netfilter Configuration and IP: Netfilter Configuration.
Building and installing the new kernel
Since kernel 2.6, building the kernel has become much simpler: only a few make commands are needed, and the install step updates the GRUB entries automatically, so no manual editing is required and the risk of mistakes from hand-editing is reduced.

   
root # make
root # make modules
root # make modules_install
root # make install
sh /usr/src/kernels/linux-2.6.24.4/arch/x86/boot/install.sh 2.6.24.4 arch/x86/boot/bzImage System.map "/boot"
Patching iptables
When updating iptables, make sure it matches the netfilter subsystem of the running kernel; if a module the kernel does not support is used, configuring iptables will produce errors. The following commands add the layer7 match.

root # cd /usr/src/kernels/iptables-1.4.0
root # patch -p1 < ../netfilter-layer7-v2.17/iptables-1.4-for-kernel-2.6.20forward-layer7-2.17.patch
patching file extensions/libipt_layer7.c
patching file extensions/libipt_layer7.man
patching file extensions/.layer7-test
Set the KERNEL_DIR and IPTABLES_DIR environment variables, then build and install.
 
root # export KERNEL_DIR=/usr/src/kernels/linux; export IPTABLES_DIR=/usr/src/kernels/iptables-1.4.0
root # chmod +x extensions/.layer7-test
root # make && make install
root #
Installing the protocol definitions
The layer7 module reads the definitions under /etc/l7-protocols; the packet signatures of the individual protocols are in the l7-protocols package, which is installed directly after extraction.
root # cd /usr/src/kernels/l7-protocols-2008-02-20
root # make install
mkdir -p /etc/l7-protocols
cp -R * /etc/l7-protocols
Rebooting
After rebuilding the kernel, the machine must be restarted for the new kernel to take effect; use uname to check that it worked.
root # uname -a; iptables -V
Linux localhost.localdomain 2.6.24.4 #1 SMP Thu Apr 10 23:21:08 CST 2008 i686 i686 i386 GNU/Linux
iptables v1.4.0
Testing
MSN Messenger
The following test drops outgoing MSN Messenger packets in the iptables OUTPUT chain; when GAIM is run under X-Window and tries to connect, the msnmessenger packets are DROPped.
Syntax:
iptables -A OUTPUT -m layer7 --l7proto msnmessenger -j DROP
root # iptables -A OUTPUT  -m layer7 --l7proto msnmessenger -j DROP
root # iptables -L -n -v
Chain INPUT (policy ACCEPT 3056 packets, 394K bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 1274 packets, 159K bytes)
 pkts bytes target     prot opt in     out     source               destination
   34  2584 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           LAYER7 l7proto msnmessenger
BitTorrent
The second test drops outgoing BitTorrent packets; once the bittorrent rule is in place, every BT download on this machine fails, as the iptables counters show.
Syntax:
iptables -A OUTPUT -m layer7 --l7proto bittorrent -j DROP
 
root # iptables -A OUTPUT  -m layer7 --l7proto bittorrent -j DROP
root # iptables -L -n -v
Chain INPUT (policy ACCEPT 33768 packets, 33M bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 25235 packets, 2362K bytes)
 pkts bytes target     prot opt in     out     source               destination
   91  6916 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           LAYER7 l7proto msnmessenger
   78  7920 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           LAYER7 l7proto bittorrent
If layer7 is installed on a network gateway, the rules must be placed in the PREROUTING or FORWARD chain to take effect. For iptables itself, see iptables 封包過濾規則 (iptables packet-filtering rules).
Postscript:
If you plan to use layer7 packet filtering on your firewall, it will need more memory and CPU. If more than a hundred users are connected at the same time and access the network heavily, consider a higher-performance network card and more memory. If the network becomes very slow after enabling layer7, check whether your NIC and memory are sufficient.
04/12/2008
 

-----------------------------------------------------------------------------------------------------------------------
Debian Linux系统编译内核标准方式介绍 (An introduction to the standard way of compiling a kernel on Debian Linux)
http://tech.itzero.com/2008/0728/article_38241.html

The Debian standard way

Keep an eye on the bug reports for kernel-package, gcc, binutils and modutils, and use newer versions when needed.

Building a custom kernel from source on a Debian system needs special care. Using the --append_to_version option of make-kpkg to create multiple kernel images is the safer approach.

# apt-get install debhelper modutils kernel-package libncurses5-dev
# apt-get install kernel-source-2.4.18 # use the latest version
# apt-get install fakeroot
# vi /etc/kernel-pkg.conf # enter my name and e-mail address
$ cd /usr/src # build directory
$ tar --bzip2 -xvf kernel-source-2.4.18.tar.bz2
$ cd kernel-source-2.4.18 # if this is your kernel source
$ cp /boot/config-2.4.18-386 .config # use the current configuration as the default
$ make menuconfig # customize to taste
$ make-kpkg clean # this step is required (per: man make-kpkg)
$ fakeroot make-kpkg --append_to_version -486 --initrd --revision=rev.01 kernel_image modules_image # modules_image can be pcmcia-cs* and so on
$ cd ..
# dpkg -i kernel-image*.deb pcmcia-cs*.deb # install

make-kpkg kernel_image actually runs make oldconfig and make dep. Do not use the --initrd option if you do not use an initrd.

To load pcmcia-cs modules, or modules that are not in the kernel's pcmcia source, after make menuconfig select "General setup --->", go into "PCMCIA/CardBus support --->" and configure the "< > PCMCIA/CardBus support" option (e.g. uncheck it).

For SMP machines, set CONCURRENCY_LEVEL as described in kernel-pkg.conf(5).
 

This article is from the CSDN blog; please credit the source when reposting: http://blog.csdn.net/zubin006/archive/2008/08/03/2760600.aspx
 
Reposted article 2:

實作 Layer 7 封包過濾 (Implementing Layer 7 packet filtering)
Tuesday, 28 July 2009, 12:37
References
  • L7-filter Kernel Version HOWTO
  • L7-filter 安裝實錄 (L7-filter installation log)
Debian users can refer to the article by 何祖彬 at http://blog.csdn.net/zubin006/archive/2008/08/03/2760600.aspx.
下載檔案
要手動編譯新版本的核心並加入 layer7 封包過濾選項的話,需要俱備以下套件:
  • linux kernel source
  • iptables source
  • l7-filter patch
  • l7-filter protocols
在本文當中,所重新編譯的版本如下:
  • kernel:2.6.24.4
  • iptables:1.4.0
  • l7-filter patch:2.17
  • l7-filter protocols:2008-02-20
為了方便管理,把以上套件均放在 /usr/src/kernels。
0001
root # cd /usr/src/kernels/
可以選擇任何可下載網路檔案的工具,如 lynx、wget,或 mozilla、firefox 等等工具下載,在此範例使用 wget,方法如下:
0001
0002
0003
0004
root # wget ftp://ftp.tw.kernel.org/pub/linux/kernel/v2.6/linux-2.6.24.4.tar.bz2
root # wget ftp://ftp.netfilter.org/pub/iptables/iptables-1.4.0.tar.bz2
root # wget http://nchc.dl.sourceforge.net/sourceforge/l7-filter/netfilter-layer7-v2.17.tar.gz
root # wget http://nchc.dl.sourceforge.net/sourceforge/l7-filter/l7-protocols-2008-02-20.tar.gz
將套件解壓縮。
0001
root # tar -jxvf linux-2.6.24.4.tar.bz2; tar -zxvf l7-protocols-2008-02-20.tar.gz; tar -zxvf netfilter-layer7-v2.17.tar.gz; tar -jxvf iptables-1.4.0.tar.bz2
更新 kernel
為了安裝方便,我們為 linux-2.6.24.4 這個目錄建位一個軟連結,以便切換目錄。
更新 kernel patch,增加 layer7 filter 選項。
0001
root # ln -s linux-2.6.24.4 linux; cd linux
If you want to carry over the options of your old kernel, copy its .config file into the new kernel's directory; the previous settings will then be reused when you reconfigure.
Apply the layer7 patch to the kernel source.
root # patch -p1 < ../netfilter-layer7-v2.17/kernel-2.6.22-2.6.24-layer7-2.17.patch
patching file net/netfilter/Kconfig
patching file net/netfilter/Makefile
patching file net/netfilter/xt_layer7.c
patching file net/netfilter/regexp/regexp.c
patching file net/netfilter/regexp/regexp.h
patching file net/netfilter/regexp/regmagic.h
patching file net/netfilter/regexp/regsub.c
patching file net/netfilter/nf_conntrack_core.c
patching file net/netfilter/nf_conntrack_standalone.c
patching file include/net/netfilter/nf_conntrack.h
patching file include/linux/netfilter/xt_layer7.h
Selecting the layer 7 options
The relevant settings must be enabled in the kernel configuration; the complete set of items related to layer 7 is listed below.
root # make menuconfig
 General setup  --->
     [*] Prompt for development and/or incomplete code/drivers
 Networking  --->
       Networking options  --->
           [*] Network packet filtering framework (Netfilter)  --->
                 Core Netfilter Configuration  --->
                     <M> Netfilter connection tracking support
                     -*- Connection tracking flow accounting
                     -*- Connection mark tracking support
                     [*] Connection tracking security mark support
                     [*] Connection tracking events (EXPERIMENTAL)
                     <M> SCTP protocol connection tracking support (EXPERIMENTAL)
                     <M> UDP-Lite protocol connection tracking support (EXPERIMENTAL)
                     <M> Amanda backup protocol support
                     <M> FTP protocol support
                     <M> H.323 protocol support (EXPERIMENTAL)
                     <M> IRC protocol support
                     <M> NetBIOS name service protocol support (EXPERIMENTAL)
                     <M> PPtP protocol support
                     <M> SANE protocol support (EXPERIMENTAL)
                     <M> SIP protocol support (EXPERIMENTAL)
                     <M> TFTP protocol support
                     <M> Connection tracking netlink interface (EXPERIMENTAL)
                     {M} Netfilter Xtables support (required for ip_tables)
                     <M>   "CLASSIFY" target support
                     <M>   "CONNMARK" target support
                     <M>   "DSCP" target support
                     <M>   "MARK" target support
                     <M>   "NFQUEUE" target Support
                     <M>   "NFLOG" target support
                     <M>   "NOTRACK" target support
                     <M>   "TRACE" target support
                     <M>   "TRACE" target support
                     <M>   "SECMARK" target support
                     <M>   "CONNSECMARK" target support
                     <M>   "TCPMSS" target support
                     <M>   "comment" match support
                     <M>   "connbytes" per-connection counter match support
                     <M>   "connlimit" match support"
                     <M>   "connmark" connection mark match support
                     <M>   "conntrack" connection tracking match support
                     <M>   "DCCP" protocol match support
                     <M>   "DCCP" protocol match support
                     <M>   "DSCP" match support
                     <M>   "ESP" match support
                     <M>   "helper" match support
                     <M>   "length" match support
                     <M>   "limit" match support
                     <M>   "mac" address match support
                     <M>   "mark" match support
                     <M>   IPsec "policy" match support
                     <M>   Multiple port match support
                     <M>   "physdev" match support
                     <M>   "pkttype" packet type match support
                     <M>   "quota" match support
                     <M>   "realm" match support
                     <M>   "sctp" protocol match support (EXPERIMENTAL)
                     <M>   "state" match support
                     <M>   "layer7" match support
                     [*]     Layer 7 debugging output
                     <M>   "statistic" match support
                     <M>   "string" match support
                     <M>   "tcpmss" match support
                     <M>   "time" match support
                     <M>   "u32" match support
                     <M>   "hashlimit" match support
                 IP: Netfilter Configuration  --->
                     <M> IPv4 connection tracking support (required for NAT)
                     [*]   proc/sysctl compatibility with old connection tracking (NEW
                     <M> IP Userspace queueing via NETLINK (OBSOLETE)
                     <M> IP tables support (required for filtering/masq/NAT)
                     <M>   IP range match support
                     <M>   TOS match support
                     <M>   recent match support
                     <M>   ECN match support
                     <M>   AH match support
                     <M>   TTL match support
                     <M>   Owner match support
                     <M>   address type match support
                     <M>   Packet filtering
                     <M>     REJECT target support
                     <M>   LOG target support
                     <M>   ULOG target support
                     <M>   Full NAT (NEW)
                     <M>     MASQUERADE target support
                     <M>     REDIRECT target support
                     <M>     NETMAP target support
                     <M>     SAME target support (OBSOLETE)
                     <M>     Basic SNMP-ALG support (EXPERIMENTAL)
                     <M>   Packet mangling
                     <M>     TOS target support
The most important items are "layer7" match support and IPv4 connection tracking support (required for NAT); if you are unsure, simply enable everything under Core Netfilter Configuration and IP: Netfilter Configuration.
 
 
Building and installing the new kernel
Since kernel 2.6, building the kernel has become much simpler: only a few make commands are needed, and installation updates the GRUB entries automatically, so no manual editing is required and the risk of a manual mistake is reduced.
root # make
root # make modules
root # make modules_install
root # make install
sh /usr/src/kernels/linux-2.6.24.4/arch/x86/boot/install.sh 2.6.24.4 arch/x86/boot/bzImage System.map "/boot"
Updating the iptables patch
  • iptables 1.4.0 and earlier
When updating iptables, make sure it matches the netfilter subsystem of the running kernel; if a module the kernel does not support is used, configuring iptables will produce errors. The following commands add the layer7 module.
root # cd /usr/src/kernels/iptables-1.4.0
root # patch -p1 < ../netfilter-layer7-v2.17/iptables-1.4-for-kernel-2.6.20forward-layer7-2.17.patch
patching file extensions/libipt_layer7.c
patching file extensions/libipt_layer7.man
patching file extensions/.layer7-test
Set the KERNEL_DIR and IPTABLES_DIR environment variables, then build and install.
root # export KERNEL_DIR=/usr/src/kernels/linux; export IPTABLES_DIR=/usr/src/kernels/iptables-1.4.0
root # chmod +x extensions/.layer7-test
root # make && make install
root #
  • iptables 1.4.1.1 and later
From iptables 1.4.1.1 on, the layer 7 module no longer needs to be applied as a patch; simply copy the module files into the extensions directory.
root # cd iptables-1.4.2
root # cp ../netfilter-layer7-v2.21/iptables-1.4.1.1-for-kernel-2.6.20forward/libxt_layer7.* extensions/
root # ./configure --with-ksource=/usr/src/kernels/linux
root # make
root # make install
Installing the protocol definition files
The layer7 module consults the definition files under /etc/l7-protocols; the packet signatures of each protocol are in the l7-protocols package, which can be installed directly after extraction.
root # cd /usr/src/kernels/l7-protocols-2008-02-20
root # make install
mkdir -p /etc/l7-protocols
cp -R * /etc/l7-protocols
Rebooting
After rebuilding the kernel, the machine must be restarted for the new kernel to take effect; use the uname command to check that it worked.
root # uname -a; iptables -V
Linux localhost.localdomain 2.6.24.4 #1 SMP Thu Apr 10 23:21:08 CST 2008 i686 i686 i386 GNU/Linux
iptables v1.4.0

Testing
MSN Messenger
The following test rejects outgoing MSN Messenger packets in the iptables OUTPUT chain; when we run GAIM under X-Window and connect, we see that msnmessenger packets are DROPped.
Syntax:
iptables -A OUTPUT -m layer7 --l7proto msnmessenger -j DROP
root # iptables -A OUTPUT -m layer7 --l7proto msnmessenger -j DROP
root # iptables -L -n -v
Chain INPUT (policy ACCEPT 3056 packets, 394K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 1274 packets, 159K bytes)
 pkts bytes target     prot opt in     out     source               destination
   34  2584 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           LAYER7 l7proto msnmessenger
BitTorrent
The second test rejects outgoing BitTorrent packets; after the rule rejecting bittorrent packets is set, every BT download attempted on this machine fails, as the iptables command shows.
Syntax:
iptables -A OUTPUT -m layer7 --l7proto bittorrent -j DROP
root # iptables -A OUTPUT -m layer7 --l7proto bittorrent -j DROP
root # iptables -L -n -v
Chain INPUT (policy ACCEPT 33768 packets, 33M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 25235 packets, 2362K bytes)
 pkts bytes target     prot opt in     out     source               destination
   91  6916 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           LAYER7 l7proto msnmessenger
   78  7920 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           LAYER7 l7proto bittorrent
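The listings above show the packet and byte counters climbing on each layer7 DROP rule. The small awk wrapper below is added here as an example and is not part of the article: it pulls those counters out of `iptables -L -n -v` output read on stdin, one line per chain and protocol, so a rule whose counter stays at zero (wrong chain on a gateway, or a pattern that never matches) is easy to spot.

```shell
#!/bin/sh
# Added example, not from the article: summarise how often each layer7 DROP
# rule has fired, from "iptables -L -n -v" output read on stdin.
# Output format (assumed for this example): CHAIN PROTO PKTS BYTES
# Usage: iptables -L -n -v | l7_drop_counts
l7_drop_counts() {
    awk '
        /^Chain / { chain = $2; next }          # remember the current chain
        $3 == "DROP" {
            # match details start after the destination column (field 9)
            for (i = 10; i < NF; i++)
                if ($i == "LAYER7" && $(i + 1) == "l7proto")
                    printf "%s %s %s %s\n", chain, $(i + 2), $1, $2
        }'
}
```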
If you install layer7 on a network gateway, use the PREROUTING or FORWARD chain instead, otherwise the rules will not take effect. For iptables itself, see the iptables packet filtering rules article (new window).
Afterword:
If you intend to use layer7 packet filtering on your firewall, it will need more memory and CPU; if more than a hundred users are connected at the same time and access the network heavily, you may need to consider a higher-performance network card and more memory. If the network becomes very slow after enabling layer7, check whether your NIC and memory are sufficient.
