Reposted from: http://blog.csdn.net/liuyunfengheda/article/details/6797524
L7-filter (Application Layer Packet Classifier for Linux) is an add-on module for Linux netfilter. It lets iptables filter at Layer 7 (the application layer), so that P2P and instant-messaging traffic can be restricted or blocked. Earlier posts on blocking QQ, Xunlei and similar software with iptables introduced two plugins, l7-filter and ipp2p. In my experiments, however, I found that ipp2p is no longer maintained upstream and is kept alive only by hobbyists in China, and that its compatibility across kernel versions is poor. I therefore read the documentation for OpenDPI, the replacement recommended on the ipp2p site, found that Chinese-language documentation on OpenDPI is very scarce, tried it out, and recorded the procedure and the pitfalls here for reference.
1. Download the required packages (the versions extracted in the steps below):
linux-2.6.25.7.tar.bz2
netfilter-layer7-v2.22.tar.gz
l7-protocols-2009-05-28.tar.gz
iptables-1.4.3.2.tar.bz2
opendpi-1.3.0.tar.gz
opendpi-netfilter-wrapper-1.2.tar.gz
2. Configure and build the new kernel
First place all the downloaded packages under /usr/src.
#tar -jxvf linux-2.6.25.7.tar.bz2
#tar -zxvf netfilter-layer7-v2.22.tar.gz
#tar -zxvf l7-protocols-2009-05-28.tar.gz
#cd linux-2.6.25.7 (the patch below covers kernels 2.6.25 through 2.6.28; the tree extracted above is 2.6.25.7)
#patch -p1 < /usr/src/netfilter-layer7-v2.22/kernel-2.6.25-2.6.28-layer7-2.22.patch
patching file net/netfilter/Kconfig
patching file net/netfilter/Makefile
patching file net/netfilter/xt_layer7.c
patching file net/netfilter/regexp/regexp.c
patching file net/netfilter/regexp/regexp.h
patching file net/netfilter/regexp/regmagic.h
patching file net/netfilter/regexp/regsub.c
patching file net/netfilter/nf_conntrack_core.c
patching file net/netfilter/nf_conntrack_standalone.c
patching file include/net/netfilter/nf_conntrack.h
patching file include/linux/netfilter/xt_layer7.h
#cp /boot/config-2.6.18-194.el5 /usr/src/linux-2.6.25.7/.config
#make menuconfig (note: menuconfig is an ncurses text-mode menu, not a graphical tool; it needs the ncurses development package and a terminal large enough to draw the menu)
(1) Networking support → Networking Options → Network packet filtering framework → Core Netfilter Configuration
<M> Netfilter connection tracking support
[*] Connection tracking events
<M> Connection tracking netlink interface
<M> FTP protocol support
<M> "layer7" match support (this entry only appears once connection tracking above is enabled)
<M> "string" match support
<M> "time" match support
<M> "iprange" match support
<M> "connlimit" match support
<M> "state" match support
<M> "conntrack" connection match support
<M> "mac" address match support
<M> "multiport" Multiple port match support
(2) Networking support → Networking Options → Network packet filtering framework → IP: Netfilter Configuration
<M> IPv4 connection tracking support (required for NAT)
<M> Full NAT
<M> MASQUERADE target support
<M> NETMAP target support
<M> REDIRECT target support
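Before starting the long build it is worth confirming that the options selected above actually landed in .config. menuconfig silently hides entries whose dependencies are unmet (for example the "layer7" match without connection tracking), so a symbol that is absent from .config usually means a prerequisite was skipped. The checker below is an added example, not code from the original post or from the l7-filter project; the symbol names mirror the menu items above (CONFIG_NETFILTER_XT_MATCH_LAYER7 is the symbol the layer7 patch adds to net/netfilter/Kconfig), and the .config path is the one used in this post.

```sh
#!/bin/sh
# Added example (not part of the original post): verify that the netfilter
# and layer7 options chosen in menuconfig are really enabled in .config.

# Symbols behind the menu items selected above (assumed complete for the
# purposes of this post; extend as needed).
L7_REQUIRED_SYMBOLS="
CONFIG_NF_CONNTRACK
CONFIG_NF_CONNTRACK_EVENTS
CONFIG_NF_CONNTRACK_NETLINK
CONFIG_NF_CONNTRACK_FTP
CONFIG_NETFILTER_XT_MATCH_LAYER7
CONFIG_NETFILTER_XT_MATCH_CONNLIMIT
CONFIG_NETFILTER_XT_MATCH_STRING
CONFIG_NETFILTER_XT_MATCH_TIME
CONFIG_NETFILTER_XT_MATCH_IPRANGE
CONFIG_NETFILTER_XT_MATCH_STATE
CONFIG_NETFILTER_XT_MATCH_CONNTRACK
CONFIG_NETFILTER_XT_MATCH_MAC
CONFIG_NETFILTER_XT_MATCH_MULTIPORT
CONFIG_NF_CONNTRACK_IPV4
CONFIG_NF_NAT
CONFIG_IP_NF_TARGET_MASQUERADE
CONFIG_IP_NF_TARGET_NETMAP
CONFIG_IP_NF_TARGET_REDIRECT
"

# kconfig_state FILE SYMBOL
# Prints y (built in), m (module), n (explicitly "is not set") or
# absent (symbol does not occur at all, i.e. hidden by a dependency).
kconfig_state() {
    if grep -q "^$2=y\$" "$1"; then echo y
    elif grep -q "^$2=m\$" "$1"; then echo m
    elif grep -q "^# $2 is not set\$" "$1"; then echo n
    else echo absent
    fi
}

# kconfig_missing FILE SYMBOL...
# Prints "SYMBOL state" for every symbol that is neither y nor m and
# returns 1 if there was at least one; returns 0 when all are enabled.
kconfig_missing() {
    cfgfile=$1
    shift
    bad=0
    for sym in "$@"; do
        st=$(kconfig_state "$cfgfile" "$sym")
        case $st in
            y|m) ;;
            *) printf '%s %s\n' "$sym" "$st"; bad=1 ;;
        esac
    done
    return $bad
}

# Run against the tree configured above (path from the post).
cfg=/usr/src/linux-2.6.25.7/.config
if [ -f "$cfg" ]; then
    if kconfig_missing "$cfg" $L7_REQUIRED_SYMBOLS; then
        echo "all required netfilter/layer7 options are enabled"
    else
        echo "fix the options listed above in make menuconfig before building" >&2
    fi
else
    echo "$cfg not found; configure the kernel first" >&2
fi
```

Any line reporting "absent" points at a dependency problem rather than a forgotten tick: go back into menuconfig, enable the prerequisite, and the hidden entry will appear.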
#make && make modules_install && make install
The build takes at least half an hour; you can do something else in the meantime. When it has finished:
#vi /etc/grub.conf
# grub.conf generated by anaconda
#
# Note that you do not have to rerun grub after making changes to this file
# NOTICE: You have a /boot partition. This means that
# all kernel and initrd paths are relative to /boot/, eg.
# root (hd0,0)
# kernel /vmlinuz-version ro root=/dev/VolGroup00/LogVol00
# initrd /initrd-version.img
#boot=/dev/sda
default=1 ----- change to default=0 (make install added the new kernel as the first entry but left default pointing at the old kernel)
timeout=5
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
title CentOS (2.6.25.7)
root (hd0,0)
kernel /vmlinuz-2.6.25.7 ro root=/dev/VolGroup00/LogVol00 rhgb quiet
initrd /initrd-2.6.25.7.img
title CentOS (2.6.18-194.el5)
root (hd0,0)
kernel /vmlinuz-2.6.18-194.el5 ro root=/dev/VolGroup00/LogVol00 rhgb quiet
initrd /initrd-2.6.18-194.el5.img
#reboot
#uname -a
Linux proxytest 2.6.25.7 #1 SMP Wed Sep 21 19:01:12 CST 2011 i686 i686 i386 GNU/Linux
After the reboot, uname shows that the system is running the new kernel. The kernel build is complete.
5. Rebuild iptables with the Layer7 patch
#cd /usr/src
# tar -zxvf netfilter-layer7-v2.22.tar.gz
# tar -jxvf iptables-1.4.3.2.tar.bz2
# cp /usr/src/netfilter-layer7-v2.22/iptables-1.4.3forward-for-kernel-2.6.20forward/* /usr/src/iptables-1.4.3.2/extensions/
# cd /usr/src/iptables-1.4.3.2
# ./configure --with-ksource=/usr/src/linux-2.6.25.7
# make && make install
# iptables -V
iptables v1.4.3.2 # updated to the new version
(iptables was built with the default prefix, so the new binary is /usr/local/sbin/iptables and its extensions live in /usr/local/libexec/xtables. If iptables -V still reports the distribution's 1.3.x version, /sbin comes before /usr/local/sbin in PATH and the old binary is being run; note that the init script in /etc/init.d also calls /sbin/iptables.)
6. Install the Layer7 protocol definitions
# cd /usr/src
# tar -zxvf l7-protocols-2009-05-28.tar.gz
# cd l7-protocols-2009-05-28
# make install
7. Layer7 rules
# iptables -t mangle -I PREROUTING -m layer7 --l7proto edonkey -j DROP (block eDonkey)
# iptables -t mangle -I PREROUTING -m layer7 --l7proto bittorrent -j DROP (block BitTorrent)
# iptables -t mangle -I PREROUTING -m layer7 --l7proto qq -j DROP (block QQ)
# iptables -t mangle -I PREROUTING -m layer7 --l7proto msnmessenger -j DROP (block MSN Messenger)
# iptables -t mangle -I PREROUTING -m layer7 --l7proto xunlei -j DROP (block Xunlei)
# iptables -t mangle -I PREROUTING -m layer7 --l7proto kugoo -j DROP (block Kugoo)
# iptables -t mangle -I PREROUTING -m layer7 --l7proto yahoo -j DROP (block Yahoo! Messenger)
Each --l7proto name must have a matching .pat file under /etc/l7-protocols (installed in step 6), otherwise the rule is refused when it is inserted. The layer7 match depends on connection tracking and applies its regular expression only to the first few packets of each connection's payload, so it is a heuristic: clients that encrypt or obfuscate their protocol will not match, and regex matching costs CPU on busy links. Rules in mangle PREROUTING see both forwarded traffic and traffic addressed to the gateway itself.
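On a gateway the rules above are usually maintained as a list of protocol names rather than typed one by one. The script below is an added example, not code from the original post or from the l7-filter project. It checks that a pattern file exists for every protocol before emitting a rule (iptables -m layer7 fails at insertion time when the .pat file is missing, which leaves a half-applied ruleset), logs each blocked protocol at a limited rate, and hooks the dedicated chain into FORWARD so that client traffic crossing the gateway is affected. It assumes the /etc/l7-protocols/protocols and /extra layout produced by the l7-protocols make install; the chain name L7_BLOCK and the sample pattern in the demo are constructed for illustration. The commands are printed rather than executed, so they can be reviewed or piped to sh.

```sh
#!/bin/sh
# Added example (not from the original post): generate an L7-filter
# blocklist as a dedicated filter chain, only for protocols whose
# pattern file is actually installed.

L7_PATDIR="${L7_PATDIR:-/etc/l7-protocols}"   # assumed install location

# l7_pat_field FILE N
# A .pat file is '#' comments, then the protocol name on the first
# non-blank line and the regex on the next; N selects 1 (name) or 2 (regex).
l7_pat_field() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' | sed -n "${2}p"
}

# l7_pat_path PROTO
# Prints the pattern path for PROTO, or fails if none is installed.
l7_pat_path() {
    for p in "$L7_PATDIR/protocols/$1.pat" "$L7_PATDIR/extra/$1.pat"; do
        if [ -f "$p" ]; then
            printf '%s\n' "$p"
            return 0
        fi
    done
    return 1
}

# l7_block_rules CHAIN TARGET PROTO...
# Prints the iptables commands: create CHAIN, log (rate-limited) and
# then apply TARGET (DROP/REJECT) to each protocol, hook CHAIN into
# FORWARD. Protocols without a pattern are skipped with a warning and
# the function returns 1 so callers can refuse to apply a partial list.
l7_block_rules() {
    chain=$1
    target=$2
    shift 2
    missing=0
    printf 'iptables -N %s\n' "$chain"
    for proto in "$@"; do
        if l7_pat_path "$proto" >/dev/null; then
            printf 'iptables -A %s -m layer7 --l7proto %s -m limit --limit 6/min -j LOG --log-prefix "l7 %s "\n' \
                "$chain" "$proto" "$proto"
            printf 'iptables -A %s -m layer7 --l7proto %s -j %s\n' "$chain" "$proto" "$target"
        else
            printf 'no pattern file for %s under %s, skipping\n' "$proto" "$L7_PATDIR" >&2
            missing=$((missing + 1))
        fi
    done
    printf 'iptables -A FORWARD -j %s\n' "$chain"
    [ "$missing" -eq 0 ]
}

# Stand-alone demo using a constructed pattern directory. The regex is a
# placeholder, not the real l7-protocols bittorrent pattern; "xunlei" is
# deliberately absent to show the missing-pattern path.
l7_demo() {
    d=$(mktemp -d)
    mkdir -p "$d/protocols"
    printf '# constructed sample, not the real l7-protocols pattern\n\nbittorrent\n^\\x13bittorrent protocol\n' \
        > "$d/protocols/bittorrent.pat"
    saved=$L7_PATDIR
    L7_PATDIR=$d
    l7_block_rules L7_BLOCK DROP bittorrent xunlei || echo "demo: some protocols were skipped" >&2
    L7_PATDIR=$saved
    rm -r "$d"
}
l7_demo
```

Against a real installation, run something like l7_block_rules L7_BLOCK DROP edonkey bittorrent qq msnmessenger xunlei kugoo yahoo, check stderr for skipped names, and only then pipe the output to sh. The LOG lines give a kernel-log record of which protocol fired before the connection is dropped, which is what you need when a user reports that legitimate traffic is being blocked.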
8. Install OpenDPI
(1) Install opendpi-netfilter
#cd /usr/src
#tar -zxvf opendpi-1.3.0.tar.gz
#tar -zxvf opendpi-netfilter-wrapper-1.2.tar.gz
#cd opendpi-netfilter-wrapper-1.2/wrapper
#export OPENDPI_PATH=/usr/src/opendpi-1.3.0
#make
# make modules_install
# cp ipt/libxt_opendpi.so /usr/local/libexec/xtables (the extension directory of the iptables built in step 5)
# iptables -m opendpi --help
If the option list is printed, the build succeeded.
(2) Install OpenDPI
#cd /usr/src/opendpi-1.3.0
#./configure
# make
If make fails with errors like the following:
OpenDPI_demo.c:42:18: error: pcap.h: No such file or directory
OpenDPI_demo.c:50: error: ‘PCAP_ERRBUF_SIZE’ undeclared here (not in a function)
OpenDPI_demo.c:51: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘__attribute__’ before ‘*’ token
OpenDPI_demo.c: In function ‘openPcapFile’:
OpenDPI_demo.c:457: error: ‘_pcap_handle’ undeclared (first use in this function)
OpenDPI_demo.c:457: error: (Each undeclared identifier is reported only once
OpenDPI_demo.c:457: error: for each function it appears in.)
OpenDPI_demo.c: In function ‘closePcapFile’:
OpenDPI_demo.c:468: error: ‘_pcap_handle’ undeclared (first use in this function)
OpenDPI_demo.c: At top level:
OpenDPI_demo.c:474: warning: ‘struct pcap_pkthdr’ declared inside parameter list
OpenDPI_demo.c:474: warning: its scope is only this definition or declaration, which is probably not what you want
OpenDPI_demo.c: In function ‘pcap_packet_callback’:
OpenDPI_demo.c:485: error: dereferencing pointer to incomplete type
OpenDPI_demo.c:486: error: dereferencing pointer to incomplete type
OpenDPI_demo.c:497: error: ‘DLT_EN10MB’ undeclared (first use in this function)
OpenDPI_demo.c:503: error: dereferencing pointer to incomplete type
OpenDPI_demo.c:505: error: dereferencing pointer to incomplete type
OpenDPI_demo.c:505: error: dereferencing pointer to incomplete type
OpenDPI_demo.c:515: error: dereferencing pointer to incomplete type
OpenDPI_demo.c:517: error: dereferencing pointer to incomplete type
OpenDPI_demo.c:517: error: dereferencing pointer to incomplete type
OpenDPI_demo.c: In function ‘runPcapLoop’:
OpenDPI_demo.c:524: error: ‘_pcap_handle’ undeclared (first use in this function)
make[1]: *** [OpenDPI_demo.o] Error 1
make[1]: Leaving directory `/usr/src/opendpi-1.3.0/src/examples/OpenDPI_demo'
make: *** [all-recursive] Error 1
install libpcap-devel and rebuild:
#yum install libpcap-devel
#make
#make install
(3) Example rules:
iptables -A OUTPUT -m opendpi --http -j REJECT (block HTTP)
iptables -A OUTPUT -m opendpi --thunder -j REJECT (block Xunlei/Thunder)
iptables -A OUTPUT -m opendpi --pplive -j REJECT (block PPLive)
……
There are many more; see iptables -m opendpi --help for the full list. Note that these rules sit in the OUTPUT chain, so they only affect traffic generated by this host; on a gateway, put them in FORWARD to affect the clients behind it.