Layer 7 firewall in an iptables practice environment

Copy new_layer7 to the local node:

[root@clx ~]# cd new_layer7/linux

[root@clx ~]# tar xf iptables-1.4.3.2.tar.bz2 -C /usr/local/src/

[root@clx ~]# tar xf l7-protocols-2009-05-28.tar -C /usr/local/src/

[root@clx ~]# tar xf linux-2.6.28.tar.bz2 -C /usr/local/src/

[root@clx ~]# tar xf netfilter-layer7-v2.22.tar -C /usr/local/src/

1. Apply the layer7 patch to the kernel source

[root@clx ~]# cd /usr/local/src/linux-2.6.28/

[root@clx ~]# patch -p1 < ../netfilter-layer7-v2.22/kernel-2.6.25-2.6.28-layer7-2.22.patch

2. Build

2.1 Adjust the kernel configuration

make oldconfig # keep all defaults; if the tree has been built before, run make mrproper first

make menuconfig

General setup --->

Prompt for development and/or incomplete code/drivers # required

Networking --->

Networking options --->

Network packet filtering framework (Netfilter) --->

Core Netfilter Configuration ---> # selecting everything under this item is recommended

<M> Netfilter connection tracking support # must be selected; the layer7 option only appears once this is enabled

<M> "layer7" match support # required

Layer 7 debugging output # required

IP: Netfilter Configuration ---> # everything under this item must be selected (the NAT table and so on)

2.2 Build and install the new kernel

make

make modules_install

make install

3. After that you can reboot; the newly built kernel is available for selection

vim /boot/grub/grub.conf

Set the boot entry to the new kernel, adjusting to your own setup.

4. Upgrade iptables to support layer7. Remove the old packages:

[root@clx ~]# rpm -qa | grep iptables

iptables-ipv6-1.3.5-5.3.el5_4.1

iptables-1.3.5-5.3.el5_4.1

[root@clx ~]# rpm -e --nodeps iptables-ipv6-1.3.5-5.3.el5_4.1 iptables-1.3.5-5.3.el5_4.1

Build the new version:

[root@clx ~]# cd /usr/local/src/iptables-1.4.3.2/

[root@localhost iptables-1.4.3.2]# cp ../netfilter-layer7-v2.22/iptables-1.4.3forward-for-kernel-2.6.20forward/libxt_layer7.* extensions/

Kernel 2.6.28 is in use here, so the kernel source path must be specified:

[root@localhost iptables-1.4.3.2]# ./configure --with-ksource=/usr/local/src/linux-2.6.28/

[root@localhost iptables-1.4.3.2]# make

[root@localhost iptables-1.4.3.2]# make install

5. Install the layer7 protocol pattern package

[root@localhost iptables-1.4.3.2]# cd /usr/local/src/l7-protocols-2009-05-28

[root@localhost l7-protocols-2009-05-28]# make install

Many protocols can be seen in the directory below, including qq and iptv:

[root@clx ~]# ls /etc/l7-protocols/protocols/

[root@clx ~]# depmod -a

[root@clx ~]# iptables -V

iptables v1.4.3.2

[root@clx ~]# iptables -m layer7 -h

If you see the following output, the build succeeded:

layer7 match options:

--l7dir <directory> : Look for patterns here instead of /etc/l7-protocols/

(--l7dir must be specified before --l7proto if used)

[!] --l7proto <name>: Match named protocol using /etc/l7-protocols/.../name.pat

6. Next, you can use the layer7 module in iptables rules to tag traffic. For example:

[root@clx ~]# iptables -t mangle -I POSTROUTING -m layer7 --l7proto msnmessenger -j DROP

[root@clx ~]# iptables -t mangle -I POSTROUTING -m layer7 --l7proto qq -j DROP

[root@clx ~]# iptables -t mangle -I POSTROUTING -m layer7 --l7proto xunlei -j DROP

[root@clx ~]# iptables -t mangle -I PREROUTING -m layer7 --l7proto edonkey -j DROP

[root@clx ~]# iptables -t mangle -I PREROUTING -m layer7 --l7proto bittorrent -j DROP

The commands above block MSN, QQ, Xunlei, eDonkey and BitTorrent.

7. English description, from http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/L7

layer7-protocol is a method of searching for patterns in ICMP/TCP/UDP streams.

The L7 matcher collects the first 10 packets of a connection or the first 2KB of a connection and searches for the pattern in the collected data. If the pattern is not found in the collected data, the matcher does not inspect further. The allocated memory is freed and the protocol is considered unknown. You should take into account that a lot of connections will significantly increase memory usage. To avoid it, add regular firewall matchers to reduce the amount of data passed to layer-7 filters.

An additional requirement is that the layer7 matcher must see both directions of traffic (incoming and outgoing). To satisfy this requirement, l7 rules should be set in the forward chain. If a rule is set in the input/prerouting chain, then the same rule must also be set in the output/postrouting chain, otherwise the collected data may not be complete, resulting in an incorrectly matched pattern.
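To make the collection limits and the both-directions requirement concrete, here is an added example (not code from the original post or from the l7-filter project) that parses the l7-protocols .pat format, emulates the layer7 match over one connection's payloads, and shows a status-line pattern failing when only the outgoing direction is seen. The two .pat files, the flows and the protocol names are constructed for this demo, not copied from the l7-protocols package.

```python
import re

# l7-filter stops collecting after the first 10 packets or 2 KB of a connection.
PACKET_LIMIT = 10
BUFFER_LIMIT = 2048

# Constructed .pat files (not copied from the l7-protocols tarball): '#' lines
# are comments, the first real line is the protocol name, the second the regex.
BT_PAT = r"""
# demo: BitTorrent peer handshake
demo-bittorrent
^\x13bittorrent protocol
"""
HTTP_PAT = r"""
# demo: HTTP, keyed on the server's status line
demo-http
http/(0\.9|1\.0|1\.1) [1-5][0-9][0-9]
"""

def parse_pat(text):
    """Return (protocol name, compiled regex) from .pat file contents."""
    lines = [l.strip() for l in text.splitlines()]
    lines = [l for l in lines if l and not l.startswith("#")]
    if len(lines) < 2:
        raise ValueError("a .pat file needs a name line and a regex line")
    # l7-filter compiles its patterns with REG_ICASE, so match
    # case-insensitively on the raw payload bytes.
    return lines[0], re.compile(lines[1].encode("latin-1"), re.IGNORECASE)

def classify(pat, packets):
    """Emulate the layer7 match: append each payload of the connection in
    order and search the buffer; return the name on a hit, else 'unknown'."""
    name, regex = pat
    buf = b""
    for payload in packets[:PACKET_LIMIT]:
        buf += payload[:BUFFER_LIMIT - len(buf)]
        if regex.search(buf):
            return name
        if len(buf) >= BUFFER_LIMIT:
            break
    return "unknown"

# Constructed flows: client request (outgoing) followed by server reply (incoming).
HTTP_FLOW = [b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
             b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"]
BT_FLOW = [b"\x13BitTorrent protocol" + b"\x00" * 8 + b"I" * 40]
if __name__ == "__main__":
    print(classify(parse_pat(BT_PAT), BT_FLOW))          # demo-bittorrent
    print(classify(parse_pat(HTTP_PAT), HTTP_FLOW))      # demo-http
    print(classify(parse_pat(HTTP_PAT), HTTP_FLOW[:1]))  # unknown: one direction only
```

The third call is the situation the quoted paragraph warns about: a pattern that depends on the reply never matches when the rule sees only one direction. Note that the example rules in step 6 place each protocol in only one of PREROUTING or POSTROUTING, so on a forwarding box they may suffer exactly this.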
