Author/Source: yixinu.com
Category: Ops/Programming
Date: 2013-06-19 15:55:24
1. Software requirements
netfilter-layer7-v2.22.tar.gz
l7-protocols-2009-05-28.tar.gz
iptables-1.4.8.tar.bz2
linux-2.6.34.14.tar.gz (this is the kernel I am upgrading to)
Goal: apply the Layer7 patch to the new kernel source tree, enable the L7 modules before recompiling the kernel, and end up with L7-based layer-7 (application-layer) filtering, i.e. a working L7 filtering deployment.
2. Procedure
Apply the L7 patch to the new kernel.
tar -xzvf linux-2.6.34.14.tar.gz
tar -xzvf netfilter-layer7-v2.22.tar.gz
cd /usr/local/src/linux-2.6.34.14
patch -p1 < /usr/local/src/netfilter-layer7-v2.22/kernel-2.6.25-2.6.28-layer7-2.22.patch
Configure the new kernel, starting from a copy of the old kernel's config file:
cp /boot/config-2.6.32-279.el6.x86_64 .config
make menuconfig
Once you have selected the L7 option in menuconfig, save and exit. The new kernel now includes the L7 module, and you can go on to compile it.
make
make modules_install && make install
Rebuild and configure iptables
rpm -e iptables --nodeps (ignore dependency checks)
[root@hnlmserver src]# cd /usr/local/src
[root@hnlmserver src]# tar -xjvf iptables-1.4.8.tar.bz2
[root@hnlmserver src]# cd /usr/local/src/netfilter-layer7-v2.22/iptables-1.4.3forward-for-kernel-2.6.20forward/
[root@hnlmserver iptables-1.4.3forward-for-kernel-2.6.20forward]# cp libxt_layer7.* /usr/local/src/iptables-1.4.8/extensions/
Compile and install iptables
[root@hnlmserver iptables-1.4.3forward-for-kernel-2.6.20forward]# cd /usr/local/src/iptables-1.4.8
[root@hnlmserver iptables-1.4.8]# ./configure --prefix=/ --with-ksource=/usr/local/src/linux-2.6.34.14
[root@hnlmserver iptables-1.4.8]# make && make install
Install the L7-protocols pattern package
[root@hnlmserver src]# cd /usr/local/src
[root@hnlmserver src]# tar -xzvf l7-protocols-2009-05-28.tar.gz -C /etc
[root@hnlmserver src]# mv /etc/l7-protocols-2009-05-28 /etc/l7-protocols
Reboot the system and boot into the new kernel.
Set up NAT so the server can act as a router
[root@hnlmserver src]# echo 1 > /proc/sys/net/ipv4/ip_forward
[root@hnlmserver src]# iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -o eth0 -j MASQUERADE
The second line above masquerades (NATs) traffic from the 192.168.100.0/24 network as it leaves through the eth0 interface.
Load the modules
modprobe xt_multiport
modprobe xt_mac
modprobe xt_time
modprobe xt_layer7
Add the iptables rules
# Generated by iptables-save v1.4.8 on Wed Jun 19 16:24:38 2013
*nat
:PREROUTING ACCEPT [102828:9081556]
:OUTPUT ACCEPT [16985:1000855]
:POSTROUTING ACCEPT [16579:976499]
-A POSTROUTING -s 192.168.100.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Wed Jun 19 16:24:38 2013
# Generated by iptables-save v1.4.8 on Wed Jun 19 16:24:38 2013
*mangle
:PREROUTING ACCEPT [1732040:484376339]
:INPUT ACCEPT [1589834:391825779]
:FORWARD ACCEPT [142203:92550382]
:OUTPUT ACCEPT [1443454:961434895]
:POSTROUTING ACCEPT [1524635:1048177835]
-A PREROUTING -m layer7 --l7proto pplive -j DROP
-A PREROUTING -m layer7 --l7proto bittorrent -j DROP
-A PREROUTING -m layer7 --l7proto xunlei -j DROP
COMMIT
# Completed on Wed Jun 19 16:24:38 2013
# Generated by iptables-save v1.4.8 on Wed Jun 19 16:24:38 2013
*filter
:INPUT DROP [39448:3548587]
:FORWARD DROP [10:760]
:OUTPUT DROP [0:0]
-A INPUT -s 192.168.100.0/24 -p tcp -m tcp --dport 953 -j ACCEPT
-A INPUT -s 192.168.100.0/24 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 9080 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 9088 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 20 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 40000:40080 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 3306 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 177 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8180 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 953 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 6060 -j ACCEPT
-A INPUT -p udp -m udp --dport 6060 -j ACCEPT
-A FORWARD -m layer7 --l7proto qq -j ACCEPT
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -s 127.0.0.1/32 -j ACCEPT
-A OUTPUT -s 192.168.1.2/32 -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
-A OUTPUT -p udp -m udp --sport 53 -j ACCEPT
-A OUTPUT -p udp -m udp --sport 953 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 8080 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 9080 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 8088 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 9088 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 8180 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 3306 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 443 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 6060 -j ACCEPT
-A OUTPUT -p udp -m udp --sport 6060 -j ACCEPT
COMMIT
# Completed on Wed Jun 19 16:24:38 2013
This is the script that sets up the iptables rules.
First add port 22 to both INPUT and OUTPUT; otherwise, once the default policy is changed to DROP, SSH will no longer be able to connect.
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
Only ports 80 and 443, QQ traffic and ICMP are allowed through. Because the FORWARD default policy was set to DROP earlier, clients can no longer use Xunlei, PPTV or PPS to download movies.
-A FORWARD -m layer7 --l7proto qq -j ACCEPT
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 443 -j ACCEPT
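An added audit script (not part of the original post) that parses an iptables-save dump like the one above and reports which L7 protocols the mangle table drops and whether the DROP policy on INPUT would lock out SSH, the caveat raised before switching the default policies. The embedded dump is a constructed excerpt of the post's ruleset; the function names are my own.

```python
import re
from collections import defaultdict

# Constructed excerpt of the post's iptables-save dump (mangle and filter tables).
SAMPLE_DUMP = """\
*mangle
:PREROUTING ACCEPT [0:0]
-A PREROUTING -m layer7 --l7proto pplive -j DROP
-A PREROUTING -m layer7 --l7proto bittorrent -j DROP
-A PREROUTING -m layer7 --l7proto xunlei -j DROP
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A FORWARD -m layer7 --l7proto qq -j ACCEPT
COMMIT
"""

def parse_dump(text):
    """Parse iptables-save text into {table: {"policy": {chain: policy}, "rules": {chain: [rule]}}}."""
    tables, table = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue                      # comments and blank lines
        if line.startswith("*"):          # table header, e.g. *filter
            table = line[1:]
            tables[table] = {"policy": {}, "rules": defaultdict(list)}
        elif line.startswith(":"):        # chain policy line, e.g. :INPUT DROP [0:0]
            chain, policy = line[1:].split()[:2]
            tables[table]["policy"][chain] = policy
        elif line.startswith("-A "):      # rule appended to a chain
            tables[table]["rules"][line.split()[1]].append(line)
    return tables

def l7_drops(tables):
    """Sorted L7 protocol names dropped in mangle PREROUTING (what the post blocks)."""
    rules = tables.get("mangle", {}).get("rules", {}).get("PREROUTING", [])
    return sorted(re.findall(r"--l7proto (\S+) -j DROP", "\n".join(rules)))

def ssh_lockout_risk(tables, port=22):
    """True when INPUT policy is DROP and no INPUT rule accepts tcp/<port>."""
    flt = tables.get("filter", {"policy": {}, "rules": {}})
    if flt["policy"].get("INPUT") != "DROP":
        return False                      # default ACCEPT: nothing to lock out
    pat = re.compile(r"-p tcp\b.*--dport %d\b.*-j ACCEPT" % port)
    return not any(pat.search(r) for r in flt["rules"].get("INPUT", []))
```

Run it against a live system with `iptables-save | python3 -c '...'` or by reading the saved file; a `True` from ssh_lockout_risk before applying the policy change is exactly the situation the post warns about.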