1.所需要软件包 linux-2.6.28.tar.gz http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.28.tar.gz iptables-1.4.3.2.tar.bz2 http://netfilter.org/projects/iptables/files/iptables-1.4.3.2.tar.bz2 netfilter-layer7-v2.22.tar.gz http://sourceforge.net/projects/l7-filter/files/l7-filter kernel version/2.22/netfilter-layer7-v2.22.tar.gz/download l7-protocols-2009-05-28.tar.gz http://sourceforge.net/projects/l7-filter/files/Protocol definitions/2009-05-28/l7-protocols-2009-05-28.tar.gz/download
2.把以上内核和软件包解压到/usr/src下
tar -zxvf linux-2.6.28.tar.gz -C /usr/src tar -zxvf netfilter-layer7-v2.22.tar.gz -C /usr/src tar -zxvf l7-protocols-2009-05-28.tar.gz -C /usr/src tar -jxvf iptables-1.4.3.2.tar.bz2 -C /usr/src
3.查看系统自带的iptables rpm -qa | grep iptables 列出已安装的iptables包
二、安装layer7
1.给新内核安装layer7补丁 cd /usr/src/linux-2.6.28/ patch -p1 /usr/src/netfilter-layer7-v2.22/kernel-2.6.25-2.6.28-layer7-2.22.patch
2.编译新内核
2.1修改内核配置项 make oldconfig 全部保持默认 make menuconfig General setup — Prompt for development and/or incomplete code/drivers 必选 Networking — Networking options — Network packet filtering framework (Netfilter) — Core Netfilter Configuration — 该项下的所有项目建议都选上 M Netfilter connection tracking support 这个项目必需选上,下面才会出现layer7的选项 M layer7 match support 必选 Layer 7 debugging output 必选 IP: Netfilter Configuration — 该项下的所有项目必需都选上
2.2编译并安装新内核 make make modules_install make install
2.3 设置新内核为默认启动的内核,如果是远程连接服务器,必须要修改这项,否则重启后默认加载旧的kernel vim /boot/gurb/gurb.conf
default=1 把1改为0timeout=15 设置等候时间splashimage=(hd0,0)/boot/grub/splash.xpm.gzhiddenmenutitle CentOS (2.6.28) root (hd0,0) kernel /boot/vmlinuz-2.6.28 ro root=LABEL=/ rhgb quiet initrd /boot/initrd-2.6.28.imgtitle CentOS (2.6.18-164.el5) root (hd0,0) kernel /boot/vmlinuz-2.6.18-164.el5 ro root=LABEL=/ rhgb quiet initrd /boot/initrd-2.6.18-164.el5.img保存退出reboot
3.编译安装iptables并支持layer7
[root@localhost ~]# cd /usr/src/iptables-1.4.3.2 [root@localhost iptables-1.4.3.2]#cp /usr/src/netfilter-layer7-v2.22/iptables-1.4.3forward-for-kernel-2.6.20forward/*.* extensions/ ./configure –with-ksource=/usr/src/linux-2.6.28 make make install4.安装l7协议cd /usr/src/l7-protocols-2009-05-28make install
5.测试 iptables -V 回显: iptables v1.4.3.2
iptables -m layer7 –help 回显: Usage: iptables -[AD] chain rule-specification [options] iptables -I chain [rulenum] rule-specification [options] iptables -R chain rulenum rule-specification [options] iptables -D chain rulenum [options] iptables -[LS] [chain [rulenum]] [options] iptables -[FZ] [chain] [options] iptables -[NX] chain iptables -E old-chain-name new-chain-name iptables -P chain target [options] iptables -h (print this help information)
Commands:Either long or short options are allowed. –append -A chain Append to chain –delete -D chain Delete matching rule from chain –delete -D chain rulenum Delete rule rulenum (1 = first) from chain –insert -I chain [rulenum] Insert in chain as rulenum (default 1=first) –replace -R chain rulenum Replace rule rulenum (1 = first) in chain –list -L [chain [rulenum]] List the rules in a chain or all chains –list-rules -S [chain [rulenum]] Print the rules in a chain or all chains –flush -F [chain] Delete all rules in chain or all chains –zero -Z [chain] Zero counters in chain or all chains –new -N chain Create a new user-defined chain –delete-chain -X [chain] Delete a user-defined chain –policy -P chain target Change policy on chain to target –rename-chain -E old-chain new-chain Change chain name, (moving any references)Options:[!] –proto -p proto protocol: by number or name, eg. `tcp'[!] –source -s address[/mask] source specification[!] –destination -d address[/mask] destination specification[!] –in-interface -i input name[+] network interface name ([+] for wildcard)–jump -j target target for rule (may load target extension) –goto -g chain jump to chain with no return –match -m match extended match (may load extension) –numeric -n numeric output of addresses and ports[!] –out-interface -o output name[+] network interface name ([+] for wildcard) –table -t table table to manipulate (default: `filter’) –verbose -v verbose mode –line-numbers print line numbers when listing –exact -x expand numbers (display exact values)[!] –fragment -f match second or further fragments only –modprobe= command try to insert modules using this command –set-counters PKTS BYTES set the counter during insert/append[!] –version -V print package version.
layer7 match options: –l7dir directory : Look for patterns here instead of /etc/l7-protocols/ (–l7dir must be specified before –l7proto if used)[!] –l7proto name : Match named protocol using /etc/l7-protocols/…/name.pat
至此安装过程完全完成
三、利用l7filter来封禁迅雷、qq、msn .
首先我们查看一下l7filter支持的封禁列表:
# ls /etc/l7-protocols/protocols/
100bao.pat doom3.pat jabber.pat radmin.pat teamfortress2.pataim.pat edonkey.pat kugoo.pat rdp.pat teamspeak.pataimwebcontent.pat fasttrack.pat live365.pat replaytv-ivs.pat telnet.patapplejuice.pat finger.pat liveforspeed.pat rlogin.pat tesla.patares.pat freenet.pat lpd.pat rtp.pat tftp.patarmagetron.pat ftp.pat mohaa.pat rtsp.pat thecircle.patbattlefield1942.pat gkrellm.pat msn-filetransfer.pat runesofmagic.pat tonghuashun.patbattlefield2142.pat gnucleuslan.pat msnmessenger.pat shoutcast.pat tor.patbattlefield2.pat gnutella.pat mute.pat sip.pat tsp.patbgp.pat goboogy.pat napster.pat skypeout.pat unknown.patbiff.pat gopher.pat nbns.pat skypetoskype.pat unset.patbittorrent.pat guildwars.pat ncp.pat smb.pat uucp.patchikka.pat h323.pat netbios.pat smtp.pat validcertssl.patcimd.pat halflife2-deathmatch.pat nntp.pat snmp.pat ventrilo.patciscovpn.pat hddtemp.pat ntp.pat socks.pat vnc.patcitrix.pat hotline.pat openft.pat soribada.pat whois.patcounterstrike-source.pat http.pat pcanywhere.pat soulseek.pat worldofwarcraft.patcvs.pat http-rtsp.pat poco.pat ssdp.pat x11.patdayofdefeat-source.pat ident.pat pop3.pat ssh.pat xboxlive.patdazhihui.pat imap.pat pplive.pat ssl.pat xunlei.patdhcp.pat imesh.pat qq.pat stun.pat yahoo.patdirectconnect.pat ipp.pat quake1.pat subspace.pat zmaap.patdns.pat irc.pat quake-halflife.pat subversion.pat
我们可以看到,l7filter支持的封禁协议相当丰富,并且支持都很好。
# iptables -t mangle -I POSTROUTING -m layer7 –l7proto msnmessenger -j DROP
# iptables -t mangle -I POSTROUTING -m layer7 –l7proto qq -j DROP
# iptables -t mangle -I POSTROUTING -m layer7 –l7proto xunlei -j DROP
#iptables -t mangle -I PREROUTING -m layer7 –l7proto edonkey -j DROP
#iptables -t mangle -I PREROUTING -m layer7 –l7proto bittorrent -j DROP
上面命令将msn、qq、迅雷、电驴、BT进行了封禁。
其中红色部分就在我们用命令# ls /etc/l7-protocols/protocols/所看到的列表中。
启动IP转发,使客户端可以通过pppoe服务器访问外网
# echo 1 /proc/sys/net/ipv4/ip_forward
# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
下面我们进行测试(l7filter服务器作为企业网络的网关,这里IP为192.168.1.251):
查看当前封禁情况:
# iptables -t mangle -L POSTROUTING -v
Chain POSTROUTING (policy ACCEPT 386 packets, 41321 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all — any any anywhere anywhere LAYER7 l7proto aim
0 0 DROP all — any any anywhere anywhere LAYER7 l7proto bittorrent
0 0 DROP all — any any anywhere anywhere LAYER7 l7proto edonkey
0 0 DROP all — any any anywhere anywhere LAYER7 l7proto xunlei
0 0 DROP all — any any anywhere anywhere LAYER7 l7proto qq
0 0 DROP all — any any anywhere anywhere LAYER7 l7proto msnmessenger
qq的连接失败信息:
系统log信息:
L7filter的处理图示:
梦想让我与众不同,奋斗让我改变命运!
