iptables练习环境下的七层防火墙

changlexuan

把new_layer7拷贝到本地
[root@clx ~]# cd new_layer7/
[root@clx ~]# tar xf iptables-1.4.3.2.tar.bz2 -C /usr/local/src/
[root@clx ~]# tar xf l7-protocols-2009-05-28.tar -C /usr/local/src/
[root@clx ~]# tar xf linux-2.6.28.tar.bz2 -C /usr/local/src/
[root@clx ~]# tar xf netfilter-layer7-v2.22.tar -C /usr/local/src/

1,给内核源码打layer7补丁
[root@clx ~]# cd /usr/local/src/linux-2.6.28/
[root@clx ~]# patch -p1 < ../netfilter-layer7-v2.22/kernel-2.6.25-2.6.28-layer7-2.22.patch
2,编译
2.1修改内核配置项
make oldconfig         #全部保持默认 如果之前编译过：make mrproper
make menuconfig
General setup --->
    Prompt for development and/or incomplete code/drivers     #必选
Networking --->
    Networking options --->
        Network packet filtering framework (Netfilter) --->
            Core Netfilter Configuration --->             #该项下的所有项目建议都选上
            <M> Netfilter connection tracking support     #这个项目必需选上，下面才会出现layer7的选项
            <M> "layer7" match support             #必选
                Layer 7 debugging output             #必选
        IP: Netfilter Configuration --->                 #该项下的所有项目必需都选上 （NAT表这些）

2.2编译并安装新内核
make
make modules_install
make install

3,完了可以重启机器，已经有编译完的可使用kernel选择
vim /boot/grub/grub.conf
设置启动选择新内核，自己根据情况来

4,升级iptables支持layer7.删除旧的
[root@clx ~]# rpm -qa | grep iptables
iptables-ipv6-1.3.5-5.3.el5_4.1
iptables-1.3.5-5.3.el5_4.1
[root@clx ~]# rpm -e --nodeps iptables-ipv6-1.3.5-5.3.el5_4.1 iptables-1.3.5-5.3.el5_4.1
编译新的
[root@clx ~]# cd /usr/local/src/iptables-1.4.3.2/
[root@localhostiptables-1.4.3.2]#cp ../netfilter-layer7-v2.22/iptables-1.4.3forward-for-kernel-2.6.20forward/libxt_layer7.* extensions/
用的是kernel2.6.28版本的，所以都要指定kernel源代码路径
[root@localhost iptables-1.4.3.2]# ./configure --with-ksource=/usr/local/src/linux-2.6.28/
[root@localhost iptables-1.4.3.2]# make
[root@localhost iptables-1.4.3.2]# make install

5,装软件layer7策略包
[root@localhost iptables-1.4.3.2]# cd /usr/local/src/l7-protocols-2009-05-28
[root@localhost l7-protocols-2009-05-28]# make install
可看到下面有很多协议，有qq,iptv等
[root@clx ~]# ls /etc/l7-protocols/protocols/
[root@clx ~]# depmod -a
[root@clx ~]# iptables -V
iptables v1.4.3.2
[root@clx ~]# iptables -m layer7 –h 能看到下面就表示成功了
layer7 match options:
    --l7dir <directory> : Look for patterns here instead of /etc/l7-protocols/
            (--l7dir must be specified before --l7proto if used)
    [!] --l7proto <name>: Match named protocol using /etc/l7-protocols/.../name.pat

6、接下来，你就可以iptables语句利用layer7模块打标签了。例如：
[root@clx ~]# iptables -t mangle -I POSTROUTING -m layer7 --l7proto msnmessenger -j DROP
[root@clx ~]# iptables -t mangle -I POSTROUTING -m layer7 --l7proto qq -j DROP
[root@clx ~]# iptables -t mangle -I POSTROUTING -m layer7 --l7proto xunlei -j DROP
[root@clx ~]# iptables -t mangle -I PREROUTING -m layer7 --l7proto edonkey -j DROP
[root@clx ~]# iptables -t mangle -I PREROUTING -m layer7 --l7proto bittorrent -j DROP
上面命令将msn、qq、迅雷、电驴、BT进行了封禁。

7.英文介绍,http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/L7
layer7-protocol is a method of searching for patterns in ICMP/TCP/UDP streams.
L7 matcher is collecting first 10 packets of connection or first 2KB of connection and searches for pattern in collected data. If pattern is not found in collected data, matcher is not inspecting further. Allocated memory is freed and protocol is considered as unknown. You should take into account that a lot of connections will significantly increase memory usage. To avoid it add regular firewall matchers to reduce amount of data passed to layer-7 filters.
Additional requirement is that layer7 matcher must see both directions of traffic (incoming and outgoing). To satisfy this requirement l7 rules should be set in forward chain. If rule is set in input/prerouting chain then the same rule must be set also in output/postrouting chain, otherwise collected data may not be complete resulting in incorrectly matched pattern.

[此贴子已经被作者于2013-12-20 11:56:37编辑过]