Compiling iptables with layer7 (l7) support

===========================================================

  • Package selection

===========================================================

  a) netfilter-layer7-v2.21.tar.gz

  b) l7-protocols-2009-05-10.tar.gz

  c) linux-2.6.28.8.tar.bz2

  d) iptables-1.4.2.tar.bz2

===========================================================

  • Compile the Linux kernel with layer7 support

===========================================================

  a) Unpack netfilter-layer7-v2.21.tar.gz and linux-2.6.28.8.tar.bz2, then apply the layer7 patch to the kernel source with the patch tool

---------------------------------------------------------------------------------------

# cd /usr/src/linux-2.6.28.8

# patch -p1 < ../netfilter-layer7-v2.21/kernel-2.6.25-2.6.28-layer7-2.21.patch

---------------------------------------------------------------------------------------

  b) Reconfigure the kernel, adding the state match and layer7 support

---------------------------------------------------------------------------------------

# cp /boot/config-2.6.18-8.el5 .config

# make menuconfig

      i. Core Netfilter Configuration (the netfilter core options)

Menu path: Networking -> Networking options -> Network packet filtering framework (Netfilter) -> Core Netfilter Configuration

Here, press the space bar to select the following options as M (build as a module):

      <M> Netfilter connection tracking support
      <M> "layer7" match support
      <M> "string" match support
      <M> "time" match support
      <M> "iprange" address range match support
      <M> "connlimit" match support
      <M> "state" match support
      <M> Connection tracking security mark support
      <M> Connection tracking match support
      <M> "mac" address match support
      <M> IPsec "policy" match support

      ii. IP: Netfilter Configuration (IPv4 packet filtering options)

Menu path: Networking -> Networking options -> Network packet filtering framework (Netfilter) -> IP: Netfilter Configuration

      <M> IPv4 connection tracking support (required for NAT)
      <M> Full NAT
      <M> MASQUERADE target support
      <M> REDIRECT target support

---------------------------------------------------------------------------------------

  c) Build the new kernel, then install the kernel files and copy the modules into place

---------------------------------------------------------------------------------------

# make

# make modules_install

# make install

---------------------------------------------------------------------------------------

  d) Adjust the GRUB boot menu

---------------------------------------------------------------------------------------

# vi /boot/grub/grub.conf    -> set default=0 (so the newly installed kernel entry boots by default)

===========================================================

  • Rebuild and install iptables, then install the l7-protocols package

===========================================================

  a) Remove the iptables packages already installed on the system

---------------------------------------------------------------------------------------

# rpm -e iptables-ipv6 iptables iptstate --nodeps

# cd /usr/src/iptables-1.4.2/

# cp /usr/src/netfilter-layer7-v2.21/iptables-1.4.1.1-for-kernel-2.6.20forward/libxt_layer7.* extensions/

---------------------------------------------------------------------------------------

  b) Configure, build and install iptables

---------------------------------------------------------------------------------------

# ./configure --prefix=/ --with-ksource=/usr/src/linux-2.6.28.8

# make

# make install

---------------------------------------------------------------------------------------

  c) Install the l7-protocols protocol definitions package

---------------------------------------------------------------------------------------

# cd l7-protocols-2009-05-10

# make install

===========================================================

  • Set application-layer filtering rules with iptables

===========================================================

  a) Use the layer7 explicit match to filter QQ, MSN and eDonkey traffic

# iptables -A FORWARD -m layer7 --l7proto qq -j DROP

# iptables -A FORWARD -m layer7 --l7proto msn-filetransfer -j DROP

# iptables -A FORWARD -m layer7 --l7proto msnmessenger -j DROP
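Before loading layer7 rules such as the ones above, it is worth confirming that every name given to --l7proto has a matching .pat file somewhere under the installed l7-protocols tree and that the file is well formed. The checker below is an added example, not code from the original page or from the l7-filter project; it assumes the .pat layout stated in its header comment and builds a constructed sample tree in a temporary directory (the pattern texts are simplified stand-ins, not the package's real patterns).

```python
# Validate --l7proto names against an l7-protocols tree before loading rules.
# Assumed .pat layout (not on the page): '#' comments, then a name line, then a regex line.
import os, re, tempfile
from pathlib import Path

SAMPLE_PATS = {  # constructed, simplified samples; not the real .pat files
    "protocols/qq.pat": "# constructed sample\nqq\n^\\x02.+\\x03$\n",
    "protocols/msnmessenger.pat":
        "msnmessenger\n^ver [0-9]+ msnp[0-9]+ [ -~]*cvr0\\x0d\\x0a$\n",
    "protocols/broken.pat": "# name line but no pattern line\nbroken\n",
    "protocols/renamed.pat": "wrongname\n^foo\n",
}

def parse_pat(text):  # -> (name, regex); ValueError if a line is missing
    lines = [ln.strip() for ln in text.splitlines()
             if ln.strip() and not ln.lstrip().startswith("#")]
    if len(lines) < 2:
        raise ValueError("need a name line and a pattern line")
    return lines[0], lines[1]

def find_pat(root, proto):  # <proto>.pat anywhere under root, else None
    for dirpath, _dirs, files in os.walk(root):
        if proto + ".pat" in files:
            return os.path.join(dirpath, proto + ".pat")
    return None

def check_proto(root, proto):  # ok | missing | malformed | name-mismatch
    path = find_pat(root, proto)
    if path is None:
        return "missing"
    try:
        name, regex = parse_pat(Path(path).read_text())
    except ValueError:
        return "malformed"
    if name != proto:  # the name line should equal the file name
        return "name-mismatch"
    re.compile(regex, re.IGNORECASE)  # l7-filter matches case-insensitively
    return "ok"

def payload_matches(root, proto, payload):  # dry-run a connection's first bytes
    regex = parse_pat(Path(find_pat(root, proto)).read_text())[1]
    return re.search(regex, payload, re.IGNORECASE) is not None

def build_sample_tree():  # write SAMPLE_PATS into a temp l7-protocols-style tree
    root = tempfile.mkdtemp(prefix="l7-")
    for rel, text in SAMPLE_PATS.items():
        Path(root, rel).parent.mkdir(parents=True, exist_ok=True)
        Path(root, rel).write_text(text)
    return root
```

Point build_sample_tree's replacement at /etc/l7-protocols on a real box and run check_proto over each --l7proto name in the rule set; a "missing" or "malformed" result means that rule would not load.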

  b) Use the connlimit explicit match to control concurrent connections, dropping new connections once there are more than 100 in parallel

# iptables -A FORWARD -p tcp --syn -m connlimit --connlimit-above 100 -j DROP

  c) Use the time explicit match to set an access policy by time range, allowing access Monday to Friday between 8:00 and 18:00

# iptables -A FORWARD -p tcp --dport 80 -m time --timestart 8:30 --timestop 18:00 --weekdays Mon,Tue,Wed,Thu,Fri -j ACCEPT

  d) Use the string explicit match to filter network traffic containing "tencent", "verycd", ******

# iptables -A FORWARD -p udp --dport 53 -m string --string "tencent" --algo bm -j DROP

# iptables -A FORWARD -p udp --dport 53 -m string --string "verycd" --algo bm -j DROP

# iptables -A FORWARD -p udp --dport 53 -m string --string "***" --algo bm -j DROP

# iptables -A FORWARD -p udp --dport 53 -m string --string "***" --algo bm -j DROP

  e) Do not forward packets from the host with MAC address 00:0C:29:27:55:3F

# iptables -A FORWARD -m mac --mac-source 00:0C:29:27:55:3F -j DROP