iptables添加7层过滤模块

据说Linux的iptables7层过滤功能不错，在iptables 1.4版本以后才支持这个功能，我当前的linux版本是RHEL 5.2版本，iptables的版本是1.3.5

1.准备工作

1.1) Download L7-filter kernel

wget http://downloads.sourceforge.net/l7-filter/netfilter-layer7-v2.19.tar.gz

1.2) Download L7-filter userspace

wget http://downloads.sourceforge.net/l7-filter/l7-filter-userspace-0.7.tar.gz

1.3) Download L7-filter Protocol definitions

wget http://downloads.sourceforge.net/l7-filter/l7-protocols-2008-04-23.tar.gz

1.4) Download Linux Iptables 1.4.0

wget http://www.netfilter.org/projects/iptables/files/iptables-1.4.0.tar.bz2

1.5) Download Linux Kernel 2.6.26

wget http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.26.tar.bz2

2.安装 L7-filter

tar -xvf linux-2.6.26.tar.bz2

tar -xvf netfilter-layer7-v2.19.tar.gz

2.1 Apply patch to Linux kernel source

cd linux-2.6.26
patch -p1 < ../netfilter-layer7-v2.19/kernel-2.6.25-layer7-2.19.patch

2.2 Apply patch & install iptables 1.4.0

tar -xvf iptables-1.4.0.tar.bz2
cd iptables-1.4.0
patch -p1 < ../netfilter-layer7-v2.19/iptables-1.4-for-kernel-2.6.20forward-layer7-2.19.patch
chmod +x extensions/.layer7-test
make KERNEL_DIR=~/linux-2.6.26
make install KERNEL_DIR=~/linux-2.6.26

2.3 Installing protocol definitions

tar -xvf l7-protocols-2008-04-23.tar.gz
cd l7-protocols-2008-04-23
mkdir /etc/l7-protocols
cp protocols/* /etc/l7-protocols

2.4 Compiling & installing new linux kernel

cd linux-2.6.26
make menuconfig
sudo make all                   
sudo make modules_install
sudo make install

在这里必须要使用sudo去编译安装，要不然iptables加载不了新的内核中。

 

* "Network packet filtering framework(Netfilter)" (Networking → Networking option)
* "Netfilter connection tracking support" (... → Network packet filtering framework(Netfilter) → Core Netfilter Configuration)
* "Connection tracking flow accounting" (on the same screen)
* Finally, "Layer 7 match support"
* Optional but highly recommended: Lots of other Netfilter options, notably "FTP support" and other matches. If you don't know what you're doing, go ahead and enable all of them.

 

2.5 Check GRUB setting

  Vim /boot/grub/grub.conf

Default=0

 

 

Test l7-filter

Iptables –m layer7 –help

经测试，一切OK！

 

转载于:https://blog.51cto.com/wjjeff/637231