一、安装前准备
1.所需要软件包
linux-2.6.28.tar.gz http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.28.tar.gz
iptables-1.4.3.2.tar.bz2 http://netfilter.org/projects/iptables/files/iptables-1.4.3.2.tar.bz2
netfilter-layer7-v2.22.tar.gz http://sourceforge.net/projects/l7-filter/files/l7-filter kernel version/2.22/netfilter-layer7-v2.22.tar.gz/download
l7-protocols-2009-05-28.tar.gz http://sourceforge.net/projects/l7-filter/files/Protocol definitions/2009-05-28/l7-protocols-2009-05-28.tar.gz/download
2.把以上内核和软件包解压到/usr/src下
tar -zxvf linux-2.6.28.tar.gz -C /usr/src
tar -zxvf netfilter-layer7-v2.22.tar.gz -C /usr/src
tar -zxvf l7-protocols-2009-05-28.tar.gz -C /usr/src
tar -jxvf iptables-1.4.3.2.tar.bz2 -C /usr/src
3.查看系统自带的iptables
rpm -qa | grep iptables 列出已安装的iptables包
二、安装layer7
1.给新内核安装layer7补丁
cd /usr/src/linux-2.6.28/
patch -p1 < /usr/src/netfilter-layer7-v2.22/kernel-2.6.25-2.6.28-layer7-2.22.patch
2.编译新内核
2.1修改内核配置项
make oldconfig 全部保持默认
make menuconfig
General setup --->
Prompt for development and/or incomplete code/drivers 必选
Networking --->
Networking options --->
Network packet filtering framework (Netfilter) --->
Core Netfilter Configuration ---> 该项下的所有项目建议都选上
<M> Netfilter connection tracking support 这个项目必需选上,下面才会出现layer7的选项
<M> "layer7" match support 必选
Layer 7 debugging output 必选
IP: Netfilter Configuration ---> 该项下的所有项目必需都选上
2.2编译并安装新内核
make
make modules_install
make install
2.3 设置新内核为默认启动的内核,如果是远程连接服务器,必须要修改这项,否则重启后默认加载旧的kernel
vim /boot/gurb/gurb.conf
default=1 把1改为0
timeout=15 设置等候时间
splashp_w_picpath=(hd0,0)/boot/grub/splash.xpm.gz
hiddenmenu
title CentOS (2.6.28)
root (hd0,0)
kernel /boot/vmlinuz-2.6.28 ro root=LABEL=/ rhgb quiet
initrd /boot/initrd-2.6.28.img
title CentOS (2.6.18-164.el5)
root (hd0,0)
kernel /boot/vmlinuz-2.6.18-164.el5 ro root=LABEL=/ rhgb quiet
initrd /boot/initrd-2.6.18-164.el5.img
保存退出
reboot
3.编译安装iptables并支持layer7
[root@localhost ~]# cd /usr/src/iptables-1.4.3.2
[root@localhost iptables-1.4.3.2]#cp /usr/src/netfilter-layer7-v2.22/iptables-1.4.3forward-for-kernel-2.6.20forward/*.* extensions/
./configure --with-ksource=/usr/src/linux-2.6.28
make
make install
4.安装l7协议
cd /usr/src/l7-protocols-2009-05-28
make install
5.测试
iptables -V
回显:
iptables v1.4.3.2
iptables -m layer7 --help
回显:
Usage: iptables -[AD] chain rule-specification [options]
iptables -I chain [rulenum] rule-specification [options]
iptables -R chain rulenum rule-specification [options]
iptables -D chain rulenum [options]
iptables -[LS] [chain [rulenum]] [options]
iptables -[FZ] [chain] [options]
iptables -[NX] chain
iptables -E old-chain-name new-chain-name
iptables -P chain target [options]
iptables -h (print this help information)
Commands:
Either long or short options are allowed.
--append -A chain Append to chain
--delete -D chain Delete matching rule from chain
--delete -D chain rulenum
Delete rule rulenum (1 = first) from chain
--insert -I chain [rulenum]
Insert in chain as rulenum (default 1=first)
--replace -R chain rulenum
Replace rule rulenum (1 = first) in chain
--list -L [chain [rulenum]]
List the rules in a chain or all chains
--list-rules -S [chain [rulenum]]
Print the rules in a chain or all chains
--flush -F [chain] Delete all rules in chain or all chains
--zero -Z [chain] Zero counters in chain or all chains
--new -N chain Create a new user-defined chain
--delete-chain
-X [chain] Delete a user-defined chain
--policy -P chain target
Change policy on chain to target
--rename-chain
-E old-chain new-chain
Change chain name, (moving any references)
Options:
[!] --proto -p proto protocol: by number or name, eg. `tcp'
[!] --source -s address[/mask]
source specification
[!] --destination -d address[/mask]
destination specification
[!] --in-interface -i input name[+]
network interface name ([+] for wildcard)
--jump -j target
target for rule (may load target extension)
--goto -g chain
jump to chain with no return
--match -m match
extended match (may load extension)
--numeric -n numeric output of addresses and ports
[!] --out-interface -o output name[+]
network interface name ([+] for wildcard)
--table -t table table to manipulate (default: `filter')
--verbose -v verbose mode
--line-numbers print line numbers when listing
--exact -x expand numbers (display exact values)
[!] --fragment -f match second or further fragments only
--modprobe=<command> try to insert modules using this command
--set-counters PKTS BYTES set the counter during insert/append
[!] --version -V print package version.
layer7 match options:
--l7dir <directory> : Look for patterns here instead of /etc/l7-protocols/
(--l7dir must be specified before --l7proto if used)
[!] --l7proto <name>: Match named protocol using /etc/l7-protocols/.../name.pat
至此安装过程完全完成
三、利用l7filter来封禁迅雷、qq、msn….
首先我们查看一下l7filter支持的封禁列表:
# ls /etc/l7-protocols/protocols/
100bao.pat doom3.pat jabber.pat radmin.pat teamfortress2.pat
aim.pat edonkey.pat kugoo.pat rdp.pat teamspeak.pat
aimwebcontent.pat fasttrack.pat live365.pat replaytv-ivs.pat telnet.pat
applejuice.pat finger.pat liveforspeed.pat rlogin.pat tesla.pat
ares.pat freenet.pat lpd.pat rtp.pat tftp.pat
armagetron.pat ftp.pat mohaa.pat rtsp.pat thecircle.pat
battlefield1942.pat gkrellm.pat msn-filetransfer.pat runesofmagic.pat tonghuashun.pat
battlefield2142.pat gnucleuslan.pat msnmessenger.pat shoutcast.pat tor.pat
battlefield2.pat gnutella.pat mute.pat sip.pat tsp.pat
bgp.pat goboogy.pat napster.pat skypeout.pat unknown.pat
biff.pat gopher.pat nbns.pat skypetoskype.pat unset.pat
bittorrent.pat guildwars.pat ncp.pat smb.pat uucp.pat
chikka.pat h323.pat netbios.pat smtp.pat validcertssl.pat
cimd.pat halflife2-deathmatch.pat nntp.pat snmp.pat ventrilo.pat
cisco***.pat hddtemp.pat ntp.pat socks.pat vnc.pat
citrix.pat hotline.pat openft.pat soribada.pat whois.pat
counterstrike-source.pat http.pat pcanywhere.pat soulseek.pat worldofwarcraft.pat
cvs.pat http-rtsp.pat poco.pat ssdp.pat x11.pat
dayofdefeat-source.pat ident.pat pop3.pat ssh.pat xboxlive.pat
dazhihui.pat imap.pat pplive.pat ssl.pat xunlei.pat
dhcp.pat imesh.pat qq.pat stun.pat yahoo.pat
directconnect.pat ipp.pat quake1.pat subspace.pat zmaap.pat
dns.pat irc.pat quake-halflife.pat subversion.pat
我们可以看到,l7filter支持的封禁协议相当丰富,并且支持都很好。
# iptables -t mangle -I POSTROUTING -m layer7 --l7proto msnmessenger -j DROP
# iptables -t mangle -I POSTROUTING -m layer7 --l7proto qq -j DROP
# iptables -t mangle -I POSTROUTING -m layer7 --l7proto xunlei -j DROP
#iptables -t mangle -I PREROUTING -m layer7 --l7proto edonkey -j DROP
#iptables -t mangle -I PREROUTING -m layer7 --l7proto bittorrent -j DROP
上面命令将msn、qq、迅雷、电驴、BT进行了封禁。
其中红色部分就在我们用命令# ls /etc/l7-protocols/protocols/所看到的列表中。
启动IP转发,使客户端可以通过pppoe服务器访问外网
# echo 1 > /proc/sys/net/ipv4/ip_forward
# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
下面我们进行测试(l7filter服务器作为企业网络的网关,这里IP为192.168.1.251):
查看当前封禁情况:
# iptables -t mangle -L POSTROUTING -v
Chain POSTROUTING (policy ACCEPT 386 packets, 41321 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all -- any any anywhere anywhere LAYER7 l7proto aim
0 0 DROP all -- any any anywhere anywhere LAYER7 l7proto bittorrent
0 0 DROP all -- any any anywhere anywhere LAYER7 l7proto edonkey
0 0 DROP all -- any any anywhere anywhere LAYER7 l7proto xunlei
0 0 DROP all -- any any anywhere anywhere LAYER7 l7proto qq
0 0 DROP all -- any any anywhere anywhere LAYER7 l7proto msnmessenger
qq的连接失败信息:
系统log信息:
L7filter的处理图示:
转载于:https://blog.51cto.com/alex2012/620295
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
