{"id":609,"date":"2009-08-23T14:18:00","date_gmt":"2009-08-23T06:18:00","guid":{"rendered":"http:\/\/note.systw.net\/note\/?p=609"},"modified":"2023-11-04T14:25:05","modified_gmt":"2023-11-04T06:25:05","slug":"iptables-with-l7-filter","status":"publish","type":"post","link":"https:\/\/systw.net\/note\/archives\/609","title":{"rendered":"iptables with l7-filter"},"content":{"rendered":"\n

\u7c21\u4ecb
Linux netfilter\u7684\u5916\u639b\u6a21\u7d44,\u53ef\u8b93iptables\u5c0d\u61c9\u7528\u5c64\u904e\u6ffe\u5206\u6790,\u50cf\u662fp2p,im,..\u7b49
(http:\/\/l7-filter.sourceforge.net\/)<\/p>\n\n\n\n

\u5b89\u88ddl7-filter\u9700\u8981\u4ee5\u4e0b\u6a94\u6848
Linux kernel source(http:\/\/www.kernel.org)
iptables source(http:\/\/netfilter.org)
netfilter-layer7(http:\/\/sourceforge.net\/project\/showfiles.php?group_id=80085)
l7-protocols definitions(http:\/\/sourceforge.net\/project\/showfiles.php?group_id=80085)<\/p>\n\n\n\n

ps:Kernel compatibility
http:\/\/l7-filter.sourceforge.net\/kernelcompat<\/p>\n\n\n\n

……………………………………………………………………………………..<\/p>\n\n\n\n

\u5b89\u88dd\u6b65\u9a5f

1
\u5148\u4e0b\u8f09\u6240\u9700\u8981\u7684\u6a94\u6848<\/p>\n\n\n\n

2
kernel\u90e8\u4efd
ps:\u9700\u5df2\u5b89\u88dd\u904ekernel source,\u4e26\u8b93\/usr\/src\/linux\u53ef\u6307\u5411\u6838\u5fc3
2.1\u4fee\u6b63\u6838\u5fc3patch
\u7528netfilter-layer7-vX.Y\/kernel-2.6.*-layer7-X.Y.patch\u4fee\u6b63\u6838\u5fc3patch
ps:patch\u7248\u672c\u5fc5\u9808\u8207\u76ee\u524d\u6838\u5fc3\u76f8\u540c,\u53ef\u770bnetfilter-layer7-vX.Y\/readme
2.2\u91cd\u65b0\u7de8\u8b6f\u6838\u5fc3,\u4e26\u589e\u52a0Layer 7 match support
2.3\u958b\u59cb\u7de8\u8b6f\u6838\u5fc3
2.4\u78ba\u8a8d\u958b\u6a5f\u6a94\u662f\u7528\u65b0\u7684\u6838\u5fc3,\u4e26reboot<\/p>\n\n\n\n

3
iptables\u90e8\u4efd
3.1\u4fee\u6b63iptables\u7684patch
\u7528netfilter-layer7-vX.Y\/iptables-layer7-X.Y.patch\u4fee\u6b63iptables source,\u4e26\u5b89\u88dd\u4fee\u6b63\u904e\u7684iptables
3.2\u5c07iptables\u6307\u4ee4,\u6307\u5411\u4fee\u6b63\u904e\u7684iptables
3.3\u5b89\u88ddl7-protocols definitions
\u9810\u8a2d\u6703\u88dd\u5728\/etc\/l7-protocols\/

…….<\/p>\n\n\n\n

\u5b89\u88dd\u904e\u7a0b\u5927\u81f4\u5982\u4e0b
1
\u4e0b\u8f09\u4ee5\u4e0b\u6a94\u6848\u5f8c\u89e3\u58d3\u7e2e\u5230\/usr\/local\/src
netfilter-layer7-v2.0
iptables-1.4.0
l7-protocols-2005-12-16

2.1
cd \/usr\/src\/linux
patch -p1 < \/usr\/local\/src\/netfilter-layer7-v2.0\/kernel-2.6.13-2.6.14-layer7-2.0.patch
2.2
make mrproper
make oldconfig
\u6703\u51fa\u73fe Layer 7 match support (EXPERIMENTAL)… [N\/m\/?] (NEW) -> \u53ef\u9078m\u6216\u6309enter
make menuconfig
\u78ba\u5b9a\u662f\u5426\u70ba Layer 7 match support
2.3
make clean
make bzImage
make modules
make modules_install
make install
2.4
reboot

3.1
cd \/usr\/local\/src\/iptables-1.4.0
patch -p1 < ..\/netfilter-layer7-v2.0\/iptables-layer7-2.0.patch
chmod +x .\/extensions\/.layer7-test
make clean
make KERNEL_DIR=\/usr\/src\/linux
make install KERNEL_DIR=\/usr\/src\/linux
3.2
cd \/sbin
mv iptables iptables.old
ln -s \/usr\/local\/sbin\/iptables iptables
3.3
cd \/usr\/local\/src\/l7-protocols-2005-12-16
make install<\/p>\n\n\n\n

……………………………………………………………………………<\/p>\n\n\n\n

\u7528\u6cd5
-m layer7 –l7proto < protocol> -j < target>
\u53ef\u904e\u6ffe\u7684protocol\u53ef\u53c3\u8003http:\/\/l7-filter.sourceforge.net\/protocols
\u5e38\u898bp2p protocol\u5982\u4e0b
gnutella \u53ef\u963b\u64cbfoxy
bittorrent \u53ef\u963b\u64cbbittorrent \u901a\u8a0a\u5354\u5b9a
fasttrack \u53ef\u963b\u64cbkazaa
edonkey \u53ef\u963b\u64cbeDonkey,eMule
xunlei \u53ef\u963b\u64cb\u8fc5\u96f7
ex:
\u5728prerouting\u5c01\u9396\u5373\u6642\u901a
iptables -t mangle -A PREROUTING -m layer7 –l7proto yahoo -j DROP
\u4e0d\u8b93edonkey\u80fd\u9032\u5165\u672c\u6a5f
iptables -I INPUT -m layer7 –l7proto edonkey -j DROP
\u5c01\u9396foxy
iptables -t mangle -A PREROUTING -m layer7 –l7proto gnutella -j DROP
iptables -t mangle -A POSTROUTING -m layer7 –l7proto gnutella -j DROP<\/p>\n\n\n\n


\u5176\u4ed6\u53c3\u8003
http:\/\/l7-filter.sourceforge.net\/L7-HOWTO-Netfilter<\/p>\n","protected":false},"excerpt":{"rendered":"

\u7c21\u4ecbLinux netfilter\u7684\u5916\u639b\u6a21\u7d44,\u53ef\u8b93iptab …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"","fifu_image_alt":"","_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[17],"tags":[],"class_list":["post-609","post","type-post","status-publish","format-standard","hentry","category-systemtool"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/609","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/comments?post=609"}],"version-history":[{"count":0,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/609\/revisions"}],"wp:attachment":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/media?parent=609"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/categories?post=609"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/tags?post=609"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}