Posted in Linux

iptables + Layer7 filter

Posted on November 14, 2006

Fedora Core 4

[1.]
cd /usr/src/kernels
wget http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.15.3.tar.bz2
wget http://nchc.dl.sourceforge.net/sourceforge/l7-filter/netfilter-layer7-v2.1.tar.gz
wget http://nchc.dl.sourceforge.net/sourceforge/l7-filter/l7-protocols-2006-01-22.tar.gz
wget ftp://ftp.netfilter.org/pub/iptables/iptables-1.3.5.tar.bz2

[2.]
tar jxvf linux-2.6.15.3.tar.bz2
tar zxvf netfilter-layer7-v2.1.tar.gz
cp netfilter-layer7-v2.1/kernel-2.6.13-2.6.15-layer7-2.1.patch linux-2.6.15.3/
cd linux-2.6.15.3/
patch -p1 < kernel-2.6.13-2.6.15-layer7-2.1.patch

make menuconfig

Networking --->
    Networking options --->
        [*] Network packet filtering (replaces ipchains) --->
            IP: Netfilter Configuration --->
                <M> Connection tracking (required for masq/NAT)
                [*] Connection tracking flow accounting
                <M> IP tables support (required for filtering/masq/NAT)
                <M> Layer 7 match support (EXPERIMENTAL)

vi Makefile

EXTRAVERSION = .3-l7filter

make
make modules_install
make install
reboot

[3.]
tar jxvf iptables-1.3.5.tar.bz2
cd iptables-1.3.5
cp ../netfilter-layer7-v2.1/iptables-layer7-2.1.patch ./
patch -p1 < iptables-layer7-2.1.patch
chmod +x extensions/.layer7-test
make KERNEL_DIR=/usr/src/kernels/linux-2.6.15.3
make install KERNEL_DIR=/usr/src/kernels/linux-2.6.15.3

[4.]
tar zxvf l7-protocols-2006-01-22.tar.gz
mv l7-protocols-2006-01-22 /etc/l7-protocols

[5.]
/usr/local/sbin/iptables -V

iptables v1.3.5

[6.] Test; the name given after --l7proto is the name of a pattern file in the /etc/l7-protocols directory
/usr/local/sbin/iptables -t mangle -I POSTROUTING -m layer7 --l7proto http -j DROP
/usr/local/sbin/iptables -t mangle -I POSTROUTING -m layer7 --l7proto msnmessenger -j DROP
/usr/local/sbin/iptables -t mangle -I POSTROUTING -m layer7 --l7proto yahoo -j DROP
/usr/local/sbin/iptables -t mangle -I POSTROUTING -m layer7 --l7proto aim -j DROP
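To make clear what the layer7 match in step 6 is actually deciding on, here is an added example (not part of the original post or of the l7-filter project) that classifies a connection the way the matcher does: a regex from a .pat file is run, case-insensitively, over a bounded prefix of the connection's payload. The pattern files, the connections and the packet/byte limits are constructed for this example; the regexes are simplified stand-ins, not the ones shipped in l7-protocols.

```python
import re

# Constructed .pat-style definitions in the l7-protocols file layout
# (comment lines start with '#', then the protocol name, then one regex).
# These regexes are simplified stand-ins written for this example, not the
# pattern files shipped in l7-protocols.
PAT_FILES = {
    "http.pat": r"""# HTTP (simplified example pattern)
http
(get|post|head) [\x20-\x7e]+ http/1\.[01]
""",
    "ssh.pat": r"""# SSH (simplified example pattern)
ssh
^ssh-[12]\.[0-9]
""",
}

def parse_pat(text):
    """Return (protocol_name, compiled_regex) from .pat file text."""
    lines = [l.strip() for l in text.splitlines()
             if l.strip() and not l.lstrip().startswith("#")]
    name, pattern = lines[0], lines[1]
    # l7-filter patterns are written in lowercase and matched against
    # lowercased data, so compile case-insensitively here.
    return name, re.compile(pattern, re.IGNORECASE)

PATTERNS = [parse_pat(t) for t in PAT_FILES.values()]

def classify(packets, max_packets=10, max_bytes=2048):
    """Classify a connection from its first payload-bearing packets.

    The kernel match only ever inspects a bounded prefix of the stream
    (a few packets up to a byte limit); the limits used here are
    assumptions for the example.  Returns the protocol name or None,
    so traffic no pattern recognises (e.g. encrypted) is left unmatched.
    """
    data = b"".join(packets[:max_packets])[:max_bytes]
    text = data.decode("latin-1").lower()
    for name, regex in PATTERNS:
        if regex.search(text):
            return name
    return None

# Constructed connections: client and server payloads in arrival order.
HTTP_CONN = [b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
             b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"]
SSH_CONN = [b"SSH-2.0-OpenSSH_4.3\r\n"]
# Constructed TLS ClientHello prefix: no plaintext for any pattern to match.
TLS_CONN = [bytes.fromhex("160301002a010000260301")]
```

A DROP rule keyed on such a match therefore only affects connections whose opening bytes a pattern recognises; anything outside the inspected prefix, or carried in an unrecognised or encrypted protocol, passes the rule untouched.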
