centos 6 上安裝l7 filter嘗試過濾xunlei

平臺：Centos 6 x86_64，默認內核版本2.6.34
1,準備
yum update -y
yum install -y ncurses-devel gcc make bc wget patch grub
2，下載相關安裝包
wget http://download.clearfoundation.com/l7-filter/netfilter-layer7-v2.23.tar.gz
wget http://download.clearfoundation.com/l7-filter/l7-protocols-2009-05-28.tar.gz
wget http://www.netfilter.org/projects/iptables/files/iptables-1.4.21.tar.bz2
wget https://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.35.8.tar.gz
3，編譯新內核
tar xvf linux-2.6.35.8.tar.gz -C /usr/src
tar xvf netfilter-layer7-v2.23.tar.gz
cd /usr/src
ln -s linux-2.6.35.8 linux
cd linux
patch -p1 < /root/netfilter-layer7-v2.23/kernel-2.6.35-layer7-2.23.patch
zcat /proc/config.gz > .config
make oldconfig   #自選提示的新功能和驅動
make menuconfig    #須要增長的編譯模塊
Networking support → Networking Options → Network packet filtering framework → Core Netfilter Configuration
<M>  Netfilter connection tracking support
<M>  "connlimit"  match support
<M>  "conntrack"  connection  match support
<M>  "iprange"  match support
<M>  "mac"  address  match support
<M>  "multiport" Multiple port match support
<M>  "state"  match support
<M>  "layer7" match support
<M>  "string" match support
<M>  "time"  match support
Networking support → Networking Options →Network packet filtering framework → IP Netfilter Configuration
<M> IPv4 connection tracking support (required for NAT)
<M> Full NAT
<M> MASQUERADE target support
<M> NETMAP target support                            
<M> REDIRECT target support
sed -i 's/# CONFIG_SYSFS_DEPRECATED_V2 is not set/CONFIG_SYSFS_DEPRECATED_V2=y/' .config
make CONFIG_DEBUG_SECTION_MISMATCH=y 
make -j3 bzImage
make -j3 modules
make
make modules_install
make install    #出現‘Cannot find LILO.’不用管它，系統沒裝也不會用LILO，並且已生成/boot/vmlinuz文件
mv /boot/vmlinuz /boot/vmlinuz-2.6.35 
mkinitrd -o initrd-2.6.35.img
cd /boot
mv initramfs-2.6.34-x86_64-linode14.img initrd-2.6.35.img (實際上仍是用原系統鏡像啓動滴)
vi /boot/grub/menu.lst
default 0
timeout 5
title           Custom Compiled, kernel 2.6.35
root            (hd0)
kernel          /boot/vmlinuz-2.6.35 root=/dev/xvda ro quite
initrd          /boot/initrd-2.6.35.img
linode manager裏對profile修改kernel爲pv-grub-x86_64
重啓後驗證
uname -a
4，安裝iptables
cp /etc/init.d/iptables /tmp/
cp /etc/sysconfig/iptables-config /tmp/
rpm -e iptables-ipv6 iptables --nodeps
tar xvf iptables-1.4.21.tar.bz2
cp /root/netfilter-layer7-v2.23/iptables-1.4.3forward-for-kernel-2.6.20forward/libxt_layer7.* /root/iptables-1.4.21/extensions/
cd iptables-1.4.21
./configure --prefix=/usr --with-ksource=/usr/src/linux   #提示Iptables modules that will not be built:  connlabel不知道是否有關係，先忽略
make 
make install
mv /tmp/iptables-config /etc/sysconfig/ 
mv /tmp/iptables /etc/rc.d/init.d/
vi /etc/init.d/iptables
修改路徑以下
if [ ! -x /usr/sbin/$IPTABLES ]; then
    echo -n $"${IPTABLES}:/usr/sbin/$IPTABLES does not exist."; warning; echo
    exit 5
fi
在   for i in $tables; do
        echo -n "$i "
        case "$i" in
加入如下內容------------------
            security)
                $IPTABLES -t filter -P INPUT $policy \
                    && $IPTABLES -t filter -P OUTPUT $policy \
                    && $IPTABLES -t filter -P FORWARD $policy \
                    || let ret+=1
                ;;
分界線  ------------------
            raw)
service iptables restart
iptables -V  #查看版本是否正確
5，安裝協議特徵包：
tar xvf l7-protocols-2009-05-28.tar.gz 
cd l7-protocols-2009-05-28
make install 
可查看支持的部分協議：
ls protocols/
6，設置iptables規則
iptables -t mangle -I POSTROUTING -m layer7 --l7proto xunlei -j DROP
iptables -t mangle -I PREROUTING -m layer7 --l7proto edonkey -j DROP
iptables -t mangle -I PREROUTING -m layer7 --l7proto bittorrent -j DROP
7，通過測試也不行。找到一個網友的話說：禁止是沒有用的，而人類是靈動的，總有人會繞過或者突破禁忌！
看來只有限速了。。