|
系统环境:RHEL5[2.6.18-8.el5xen]软件环境:http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.25.19.tar.bz2http://www.netfilter.org/projects/iptables/files/iptables-1.4.2.tar.bz2http://ie.archive.ubuntu.com/sourceforge/l/l7/l7-filter/netfilter-layer7-v2.20.tar.gzhttp://ie.archive.ubuntu.com/sourceforge/l/l7/l7-filter/l7-protocols-2008-10-04.tar.gz目标功能:为iptables增加layer7补丁,实现应用层过滤。################################################################一、重新编译内核1、合并kernel+layer7补丁shell>tar-jxvflinux-2.6.25.19.tar.bz2-C/usr/src/shell>tar-zxvfnetfilter-layer7-v2.20.tar.gz-C/usr/src/shell>cd/usr/src/linux-2.6.25.19/shell>patch-p1</usr/src/netfilter-layer7-v2.20/kernel-2.6.25-layer7-2.20.patch查看当前的内核将新的内核和补丁下载到linux上拆包内核和补丁[root@localhost~]#tar-jxvflinux-2.6.25.19.tar.bz2-C/usr/src/[root@localhost~]#tar-jxvfnetfilter-layer7-v2.20.tar.gz-C/usr/src/2.配置内核shell>cp/boot/config-2.6.18-8.el5.config//配置内核时,在“Networking--->NetworkingOptions--->NetworkPacketfilteringframework(Netfilter)”处主要注意两个地方:1)--->CodeNetfilterConfiguration//将“Netfilterconnectiontrackingsuport(NEW)”选择编译为模块(M),需选取此项才能看到layer7支持的配置。//将layer7、string、state、time、IPsec、iprange、connlimit……等编译成模块,根据需要看着办。2)--->IP:NetfilterConfiguration//将“IPv4connectiontrackingsupport(requireforNAT)”编译成模块。//将“FullNAT”下的“MASQUERADEtargetsupport”和“REDIRECTtargetsupport”编译成模块。3、编译及安装模块、新内核shell>make&&makemodules_install&&makeinstall//编译安装成后后,重启选择使用新的内核(2.6.25.19)引导系统这个过程会花费很多时间,不急,慢慢来二、重新编译iptables1、卸载现有iptablesshell>rpm-eiptablesiptstat--nodeps2、合并iptables+layer7补丁shell>tarjxvfiptables-1.4.2.tar.bz2-C/usr/src/shell>cd/usr/src/netfilter-layer7-v2.20/iptables-1.4.1.1-for-kernel-2.6.20forward/shell>cplibxt_layer7.clibxt_layer7.man/usr/src/iptables-1.4.2/extensions/3、编译安装shell>cd/usr/src/iptables-1.4.2/4、安装l7-protocols模式包shell>tarzxvfl7-protocols-2008-10-04.tar.gz-C/etc/shell>mv/etc/l7-protocols-2008-10-04/etc/l7-protocols三、layer7规则示例1、layer7matchshell>iptables-AFORWARD-mlayer7--l7protoqq-jDROPshell>iptables-AFORWARD-mlayer7--l7protomsnmessenger-jDROPshell>iptables-AFORWARD-mlayer7--l7protomsn-filetransfer-jDROPshell>iptables-AFORWARD-mlayer7--l7protoxunlei-jDROPshell>iptables-AFORWARD-mlayer7--l7protoedonkey-jDROPshell>iptables-AFORWARD-mlayer7--l7protobittorrent-jDROP2、stringmatchshell>iptables-AFORWARD-pudp--dport53-mstring--string"tencent"--algobm-jDROPshell>iptables-AFORWARD-pudp--dport53-mstring--string"verycd"--algobm-jDROPshell>iptables-AFORWARD-ptcp--dport80-mstring--string"sex"--algobm-jDROP3、statematchshell>iptables-AFORWARD-mstate--stateNEW-ptcp!--syn-jDROPshell>iptables-AFORWARD-mstate--stateESTABLISHED,RELATED-jACCEPT4、connlimitmatchshell>iptables-AFORWARD-ptcp--syn-mconnlimit--connlimit-above100--connlimit-mask24-jDROP5、timematchshell>iptables-AFORWARD-ptcp--dport80-mtime--timestart8:00--timestop17:00--weekdaysMon,Tue,Wed,Thu,Fri-jACCEPT
(以上内容不代表本站观点。) --------------------------------- |
本網站是"非商業"(non-commercial)。
