A layer-7 (application layer) firewall with iptables in a lab environment


Copy the new_layer7 directory to the local machine and unpack its four archives into /usr/local/src:

[root@clx ~]# cd new_layer7/

[root@clx ~]# tar xf iptables-1.4.3.2.tar.bz2 -C /usr/local/src/

[root@clx ~]# tar xf l7-protocols-2009-05-28.tar -C /usr/local/src/

[root@clx ~]# tar xf linux-2.6.28.tar.bz2 -C /usr/local/src/

[root@clx ~]# tar xf netfilter-layer7-v2.22.tar -C /usr/local/src/

1. Apply the layer7 patch to the kernel source

[root@clx ~]# cd /usr/local/src/linux-2.6.28/

[root@clx ~]# patch -p1 < ../netfilter-layer7-v2.22/kernel-2.6.25-2.6.28-layer7-2.22.patch

2. Build

2.1 Adjust the kernel configuration

make oldconfig   # keep all defaults; if this tree was built before, run make mrproper first

make menuconfig

General setup --->
    Prompt for development and/or incomplete code/drivers   # required

Networking --->
    Networking options --->
        Network packet filtering framework (Netfilter) --->
            Core Netfilter Configuration --->   # selecting everything under this entry is recommended
                <M> Netfilter connection tracking support   # must be selected, otherwise the layer7 option below does not appear
                <M> "layer7" match support   # required
                    Layer 7 debugging output   # required
            IP: Netfilter Configuration --->   # everything under this entry (NAT table and so on) must be selected

2.2 Build and install the new kernel

make

make modules_install

make install

3. When that finishes you can reboot; the freshly built kernel is now available in the boot menu

vim /boot/grub/grub.conf

Set the new kernel as the default boot entry; adjust this to your own setup.

4. Upgrade iptables so it supports layer7. First remove the old packages:

[root@clx ~]# rpm -qa | grep iptables

iptables-ipv6-1.3.5-5.3.el5_4.1

iptables-1.3.5-5.3.el5_4.1

[root@clx ~]# rpm -e --nodeps iptables-ipv6-1.3.5-5.3.el5_4.1 iptables-1.3.5-5.3.el5_4.1

Then build the new version, copying the layer7 userspace extension into the iptables extensions directory:

[root@clx ~]# cd /usr/local/src/iptables-1.4.3.2/

[root@localhost iptables-1.4.3.2]# cp ../netfilter-layer7-v2.22/iptables-1.4.3forward-for-kernel-2.6.20forward/libxt_layer7.* extensions/

Because this build is against kernel 2.6.28, the kernel source path must be passed to configure:

[root@localhost iptables-1.4.3.2]# ./configure --with-ksource=/usr/local/src/linux-2.6.28/

[root@localhost iptables-1.4.3.2]# make

[root@localhost iptables-1.4.3.2]# make install

5. Install the layer7 protocol pattern package

[root@localhost iptables-1.4.3.2]# cd /usr/local/src/l7-protocols-2009-05-28

[root@localhost l7-protocols-2009-05-28]# make install

The directory below now contains many protocol patterns, including qq and iptv:

[root@clx ~]# ls /etc/l7-protocols/protocols/

[root@clx ~]# depmod -a

[root@clx ~]# iptables -V

iptables v1.4.3.2

[root@clx ~]# iptables -m layer7 -h

If you see the output below, the build succeeded:

layer7 match options:

--l7dir <directory> : Look for patterns here instead of /etc/l7-protocols/

(--l7dir must be specified before --l7proto if used)

[!] --l7proto <name>: Match named protocol using /etc/l7-protocols/.../name.pat

6. You can now use the layer7 module in iptables rules to match traffic by protocol. For example:

[root@clx ~]# iptables -t mangle -I POSTROUTING -m layer7 --l7proto msnmessenger -j DROP

[root@clx ~]# iptables -t mangle -I POSTROUTING -m layer7 --l7proto qq -j DROP

[root@clx ~]# iptables -t mangle -I POSTROUTING -m layer7 --l7proto xunlei -j DROP

[root@clx ~]# iptables -t mangle -I PREROUTING -m layer7 --l7proto edonkey -j DROP

[root@clx ~]# iptables -t mangle -I PREROUTING -m layer7 --l7proto bittorrent -j DROP

The commands above block MSN, QQ, Xunlei (Thunder), eDonkey and BitTorrent.

7. English introduction: http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/L7

layer7-protocol is a method of searching for patterns in ICMP/TCP/UDP streams.

The L7 matcher collects the first 10 packets of a connection, or the first 2KB of a connection, and searches for a pattern in the collected data. If the pattern is not found in the collected data, the matcher does not inspect further. The allocated memory is freed and the protocol is considered unknown. You should take into account that a lot of connections will significantly increase memory usage. To avoid this, add regular firewall matchers to reduce the amount of data passed to layer-7 filters.

An additional requirement is that the layer7 matcher must see both directions of traffic (incoming and outgoing). To satisfy this requirement, l7 rules should be set in the forward chain. If a rule is set in the input/prerouting chain, then the same rule must also be set in the output/postrouting chain, otherwise the collected data may not be complete, resulting in an incorrectly matched pattern.
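The rule examples in step 6 put layer7 matches in PREROUTING and POSTROUTING, which the MikroTik note says must be mirrored; the helper below is an added example, not part of the original post, that generates the same kind of DROP rules in the FORWARD chain (one chain that sees both directions of a routed flow) and prefilters by LAN subnet and transport protocol so less data reaches the matcher. It assumes the layer7 match built above (only `--l7dir`/`--l7proto` options) and pattern files under `<l7dir>/protocols/<name>.pat`, as shown by `iptables -m layer7 -h`; the function names, `L7DIR` variable and `APPLY` switch are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes the layer7 match and
# pattern layout described on this page: <L7DIR>/protocols/<name>.pat.

L7DIR="${L7DIR:-/etc/l7-protocols}"   # default --l7dir from the layer7 help text

# Return 0 if a pattern file for protocol $2 exists under $1/protocols/.
# A rule for a protocol with no .pat file would be rejected when loaded.
l7_pattern_exists() {
    [ -f "$1/protocols/$2.pat" ]
}

# Print the iptables commands for one protocol.
# $1 = protocol name, $2 = LAN subnet used as a cheap prefilter so that only
# LAN-originated TCP/UDP flows are handed to the memory-hungry l7 matcher.
# FORWARD is used because it sees both directions of a routed connection;
# a PREROUTING rule would need a mirrored POSTROUTING rule to do the same.
l7_drop_rules() {
    proto="$1"; lan="$2"
    for p in tcp udp; do
        printf 'iptables -A FORWARD -s %s -p %s -m layer7 --l7proto %s -j DROP\n' \
            "$lan" "$p" "$proto"
        printf 'iptables -A FORWARD -d %s -p %s -m layer7 --l7proto %s -j DROP\n' \
            "$lan" "$p" "$proto"
    done
}

# Check every requested protocol against the pattern directory, then print
# the rules (or execute them when APPLY=1). Returns 1 if any protocol is
# unknown, so a typo cannot silently leave a protocol unblocked.
l7_build() {
    lan="$1"; shift
    rc=0
    for proto in "$@"; do
        if ! l7_pattern_exists "$L7DIR" "$proto"; then
            echo "no pattern file for '$proto' in $L7DIR/protocols" >&2
            rc=1; continue
        fi
        l7_drop_rules "$proto" "$lan" | while IFS= read -r cmd; do
            if [ "${APPLY:-0}" = 1 ]; then eval "$cmd"; else echo "$cmd"; fi
        done
    done
    return $rc
}
```

Run `l7_build 192.168.1.0/24 qq bittorrent` (subnet is a constructed example) to preview the rules; set `APPLY=1` to load them on the firewall host.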

Reposted from: https://my.oschina.net/u/3635497/blog/2878167

