29_01 iptables series: layer7

DMZ (demilitarized zone)

Kernel compilation:
Configuration: .config (consult /proc/cpuinfo, lspci, lsusb, hal-device for the hardware present)
make menuconfig
Compile:
make
Compile only part of the source tree:
make SUBDIRS=arch/
make drivers/net/pcnet32.ko
Write the build output to another directory:
make O=/path/to/somewhere
Install the kernel modules:
make modules_install
Install the kernel:
make install

layer7 (l7)
Example protocols: xunlei, qq; layer7 is added to netfilter as a patch

-m layer7 --l7proto xunlei -j DROP

1. Patch the kernel and recompile it
2. Patch the iptables source and recompile iptables
3. Install l7-protocols (the protocol pattern definitions)

Kernel Patch

#tar xf linux-version.tar.gz -C /usr/src
#tar xf netfilter-layer7-version.tar.gz -C /usr/src
#cd /usr/src
#ln -s linux-version linux
#cd /usr/src/linux/
#patch -p1 < ../netfilter-layer7-version/kernel-version-layer7-version.patch

#cp /boot/config-version /usr/src/linux/.config
#make menuconfig

Networking support->Networking Options->Network packet filtering framework->Core Netfilter Configuration

Netfilter connection tracking support

“Layer7” match support

“string” match support

“time” match support

“iprange” match support

“connlimit” match support

“state” match support

“conntrack” connection match support

“mac” address match support

“multiport” Multiple port match support

Networking support -> Networking Options ->Network packet filtering framework ->IP:Netfilter Configuration

IPv4 connection tracking support (required for NAT)

Full NAT

MASQUERADE target support

NETMAP target support

REDIRECT target support

#make

#make modules_install

#make install

Compile iptables:

#cp /etc/init.d/iptables ~/iptables
#cp /etc/sysconfig/iptables-config ~/ && cp /etc/sysconfig/iptables ~/iptables-rules
#service iptables stop && chkconfig iptables off
#rpm -e iptables-ipv6 iptables iptstate --nodeps
#tar xf iptables-version.tar.bz2 -C /usr/src
#cd /usr/src/iptables-version
#cp ../netfilter-layer7-version/iptables-versionforward-for-kernel-versionforward/libxt_layer7.* ./extensions/

#./configure --prefix=/usr --with-ksource=/usr/src/linux
#make
#make install

#tar xf l7-protocols-version.tar.gz
#cd l7-protocols-version
#make install

#mv ~/iptables /etc/rc.d/init.d/ (then edit the path to the iptables binary in this init script: the freshly built iptables is installed to /usr/sbin/iptables by default)
#chkconfig --add iptables && cp ~/iptables-config /etc/sysconfig/
#service iptables start

l7-filter uses the standard iptables extension syntax:
#iptables [specify table & chain] -m layer7 --l7proto [protocol name] -j [action]
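An added helper (not code from the original post) that generates rules in exactly this syntax as a dry run and refuses a protocol name that has no pattern file, so a typo in --l7proto is caught before the gateway's policy is touched. It assumes l7-protocols' "make install" placed its pattern files under /etc/l7-protocols/<group>/<name>.pat (override with the L7_DIR variable).

```shell
#!/bin/sh
# Added example, not part of the original post. Builds layer7 rules in the
# page's syntax and checks that a pattern file for the protocol exists.
# Assumption: l7-protocols installed its patterns as /etc/l7-protocols/<group>/<name>.pat.
L7_DIR="${L7_DIR:-/etc/l7-protocols}"

# Succeed if a <name>.pat file exists anywhere below L7_DIR.
l7_proto_exists() {
    find "$L7_DIR" -name "$1.pat" 2>/dev/null | grep -q .
}

# Print one rule: iptables -A <chain> -m layer7 --l7proto <name> -j <action>.
# The name is restricted to the characters l7-protocols uses, so a typo or a
# stray shell metacharacter fails here instead of inside iptables. Chain
# defaults to FORWARD, where a DMZ gateway sees the traffic it relays.
l7_rule() {
    proto="$1" action="$2" chain="${3:-FORWARD}"
    case "$proto" in
        ""|*[!a-z0-9_-]*)
            echo "l7_rule: invalid protocol name '$proto'" >&2; return 1 ;;
    esac
    if ! l7_proto_exists "$proto"; then
        echo "l7_rule: no $proto.pat under $L7_DIR" >&2; return 1
    fi
    echo "iptables -A $chain -m layer7 --l7proto $proto -j $action"
}

# Print a log-then-drop pair for every protocol given, stopping at the first
# unknown name so a half-written policy is never emitted. layer7 classifies
# a connection from its first packets, which is why connection tracking is
# among the menuconfig options selected above.
l7_block() {
    for p in "$@"; do
        l7_rule "$p" "LOG --log-prefix \"l7-$p: \"" || return 1
        l7_rule "$p" DROP || return 1
    done
}

# Dry run: review the printed commands, then pipe them into sh to apply.
# l7_block xunlei qq
```
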
