System Environment
RHEL5 [2.6.18-164.el5]
Software Environment
http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.25.19.tar.bz2
http://www.netfilter.org/projects/iptables/files/iptables-1.4.2.tar.bz2
http://ie.archive.ubuntu.com/sourceforge/l/l7/l7-filter/netfilter-layer7-v2.20.tar.gz
http://ie.archive.ubuntu.com/sourceforge/l/l7/l7-filter/l7-protocols-2008-10-04.tar.gz
Target Features
Apply the layer7 (l7-filter) patch to both the kernel and iptables so that iptables can match traffic by application-layer protocol (the `-m layer7 --l7proto` match) instead of by port alone.
I. Recompile the kernel
1. Download the four archives listed above and upload them to root's home directory.
[root@localhost ~]# ll // the listing should show the kernel, iptables, netfilter-layer7 and l7-protocols archives
2. Merge the kernel source with the layer7 patch
[root@localhost ~]# tar jxvf linux-2.6.25.19.tar.bz2 -C /usr/src/
[root@localhost ~]# tar zxvf netfilter-layer7-v2.20.tar.gz -C /usr/src/
[root@localhost ~]# cd /usr/src/linux-2.6.25.19/
[root@localhost linux-2.6.25.19]# patch -p1 < /usr/src/netfilter-layer7-v2.20/kernel-2.6.25-layer7-2.20.patch
// Every hunk must report "succeeded"; a *.rej file under net/netfilter means the patch did not apply cleanly and the build will lack the layer7 match.
3. Configure the new kernel
[root@localhost linux-2.6.25.19]# cp /boot/config-2.6.18-164.el5 .config // start from the running kernel's config; menuconfig takes defaults for options that are new since 2.6.18
[root@localhost linux-2.6.25.19]# make menuconfig
// While configuring, pay attention to the following two submenus under "Networking ---> Networking options ---> Network packet filtering framework (Netfilter)":
1) ---> Core Netfilter Configuration
// Compile "Netfilter connection tracking support (NEW)" as a module (M). The layer7 option is only shown once connection tracking is selected, because layer7 classifies whole connections, not single packets.
// Then select layer7, string, state, time, IPsec, iprange, connlimit, tcp, ... as modules.
2) ---> IP: Netfilter Configuration
// Compile "IPv4 connection tracking support (required for NAT)" as a module.
// Under "Full NAT", compile "MASQUERADE target support" and "REDIRECT target support" as modules.
4. Compile and install the modules and the new kernel
[root@localhost linux-2.6.25.19]# make && make modules_install && make install
// Use && (not a single &), so each step runs only if the previous one succeeded; otherwise a failed build is followed by installing nothing, or worse, a partial module tree.
5. After compiling and installing, reboot and choose the new kernel (2.6.25.19) at the boot menu.
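Before spending the time on make, it is worth checking that .config actually contains the options the menuconfig walkthrough asks for. The script below is an added example, not part of the original article: it lists the Kconfig symbols behind the quoted prompts (this is the example's reading of the 2.6.25 Kconfig; confirm against the tree if in doubt) and refuses to continue if any is neither built in nor a module. NETFILTER_XT_MATCH_LAYER7 is the symbol added by the l7-filter patch, so its absence also means the patch from step 2 did not apply.

```shell
#!/bin/sh
# Added example (not from the original article): verify that a kernel
# .config enables the Netfilter options the layer7 walkthrough needs.
# Symbol names are this example's mapping of the 2.6.25 menuconfig prompts;
# NETFILTER_XT_MATCH_LAYER7 only exists once the l7-filter patch is applied.

REQUIRED_SYMBOLS="
CONFIG_NETFILTER
CONFIG_NF_CONNTRACK
CONFIG_NF_CONNTRACK_IPV4
CONFIG_NETFILTER_XT_MATCH_LAYER7
CONFIG_NETFILTER_XT_MATCH_STATE
CONFIG_NETFILTER_XT_MATCH_STRING
CONFIG_NETFILTER_XT_MATCH_TIME
CONFIG_NETFILTER_XT_MATCH_IPRANGE
CONFIG_NETFILTER_XT_MATCH_CONNLIMIT
CONFIG_NF_NAT
CONFIG_IP_NF_TARGET_MASQUERADE
CONFIG_IP_NF_TARGET_REDIRECT
"

# check_kconfig FILE: print each required symbol that is not =y or =m in
# FILE. A disabled option shows up as "# SYM is not set" or is absent, and
# a longer symbol that merely shares the prefix (CONFIG_NF_NAT_NEEDED) must
# not count, hence the anchored "SYM=[ym]" pattern.
# Returns 0 when everything is enabled, 1 otherwise.
check_kconfig() {
    config=$1
    status=0
    for sym in $REQUIRED_SYMBOLS; do
        if ! grep -q "^${sym}=[ym]\$" "$config"; then
            echo "missing: $sym"
            status=1
        fi
    done
    return $status
}

# Usage, from the kernel source directory after make menuconfig:
#   check_kconfig .config && make && make modules_install && make install
```

Run it from /usr/src/linux-2.6.25.19 after saving the menuconfig; anything it prints as missing has to be fixed in menuconfig before the build, since a kernel without xt_layer7.ko makes every later step on this page fail at `-m layer7`.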
II. Recompile iptables
1. Back up the original iptables init script
[root@localhost ~]# uname -r
2.6.25.19 // confirm the new kernel is the one running
Go to the /etc/init.d/ directory.
[root@localhost init.d]# cp iptables iptables.bak
[root@localhost init.d]# iptables // show the version of the stock iptables
iptables v1.3.5: no command specified
Try `iptables -h' or 'iptables --help' for more information.
2. Remove the existing iptables package
[root@localhost init.d]# rpm -e iptables --nodeps
warning: /etc/sysconfig/iptables-config saved as /etc/sysconfig/iptables-config.rpmsave
// --nodeps is needed because other packages depend on iptables. Removing the package also deletes /etc/init.d/iptables, which is why it was backed up first.
3. Merge iptables with the layer7 extension
[root@localhost ~]# tar -jxvf iptables-1.4.2.tar.bz2 -C /usr/src/
[root@localhost ~]# cd /usr/src/netfilter-layer7-v2.20/iptables-1.4.1.1-for-kernel-2.6.20forward/
[root@localhost iptables-1.4.1.1-for-kernel-2.6.20forward]# ll
total 16
-rw-r--r-- 1 1000 1000 9356 2008-08-22 libxt_layer7.c
-rw-r--r-- 1 1000 1000  648 2008-08-22 libxt_layer7.man
[root@localhost iptables-1.4.1.1-for-kernel-2.6.20forward]# cp * /usr/src/iptables-1.4.2/extensions/
// For iptables 1.4.x no patching is needed: the build picks up every libxt_*.c in extensions/ automatically, so copying the two files is enough.
4. Compile and install
[root@localhost iptables-1.4.1.1-for-kernel-2.6.20forward]# cd /usr/src/iptables-1.4.2/
[root@localhost iptables-1.4.2]# ./configure --prefix=/ --with-ksource=/usr/src/linux-2.6.25.19/
// --prefix=/ installs to /sbin and /lib, where the init script expects the stock binary; --with-ksource points at the patched tree so the layer7 kernel headers are found.
[root@localhost iptables-1.4.2]# make && make install
5. Restore the backed-up init script
[root@localhost iptables-1.4.2]# mv /etc/init.d/iptables.bak /etc/init.d/iptables
[root@localhost iptables-1.4.2]# ll /etc/init.d/iptables
-rwxr-xr-x 1 root root 7460 09-18 /etc/init.d/iptables
// rpm -e also renamed /etc/sysconfig/iptables-config (see the warning above); the init script reads that file, so rename it back as well.
6. Start iptables
[root@localhost ~]# service iptables save
// `save` writes the running rules to /etc/sysconfig/iptables; `service iptables start` loads them.
7. Install the l7-protocols pattern package
[root@localhost ~]# tar -zxvf l7-protocols-2008-10-04.tar.gz -C /etc/
[root@localhost ~]# mv /etc/l7-protocols-2008-10-04 /etc/l7-protocols
// The layer7 match looks up PROTO.pat under /etc/l7-protocols, so the directory must have exactly this name; `--l7proto qq` below means the file qq.pat.
8. Test
[root@localhost ~]# iptables -t filter -A FORWARD -m layer7 --l7proto qq -j DROP
[root@localhost ~]# iptables -L
// If the first command fails with "Couldn't load match `layer7'", the userspace extension from step 4 is not installed where this iptables looks for it; if it complains about the protocol, qq.pat is not under /etc/l7-protocols. The rule is in FORWARD, so it only affects traffic routed through this host, not connections the host itself makes.
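The single test rule above is fine for a smoke test, but a production ruleset wants the pattern name validated before it is used, a log line for every hit, and a clear place in FORWARD. The script below is an added example, not part of the original article: it builds such a ruleset for any number of protocols. The chain name L7BLOCK, the DRY_RUN switch and the helper names are this example's own choices; it assumes the patched iptables from step 4 is in PATH and the patterns from step 7 are under /etc/l7-protocols.

```shell
#!/bin/sh
# Added example (not from the original article): build a layer7 blocking
# ruleset for forwarded traffic. With DRY_RUN=1 the iptables commands are
# printed instead of executed, so the rules can be reviewed on a host that
# lacks the patched kernel. Chain name and helper names are this example's own.

IPTABLES=${IPTABLES:-iptables}
L7DIR=${L7DIR:-/etc/l7-protocols}
CHAIN=L7BLOCK

run() {
    if [ -n "$DRY_RUN" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# l7_pattern_exists PROTO: --l7proto PROTO only works when a PROTO.pat file
# is present somewhere under $L7DIR (the package ships them in subdirectories).
l7_pattern_exists() {
    [ -n "$(find "$L7DIR" -name "$1.pat" 2>/dev/null)" ]
}

# l7_match_available: the userspace extension must load, otherwise every rule
# below fails with "Couldn't load match `layer7'". Skipped in dry-run mode.
l7_match_available() {
    [ -n "$DRY_RUN" ] || "$IPTABLES" -m layer7 --help >/dev/null 2>&1
}

# l7_block_rules PROTO...: log and drop each listed protocol on forwarded
# traffic. Validates everything first and emits nothing on error, so a typo
# in a protocol name cannot leave a half-built ruleset behind.
l7_block_rules() {
    for proto in "$@"; do
        if ! l7_pattern_exists "$proto"; then
            echo "no pattern file for $proto under $L7DIR" >&2
            return 1
        fi
    done
    l7_match_available || { echo "layer7 match not available" >&2; return 1; }

    run "$IPTABLES" -N "$CHAIN"
    for proto in "$@"; do
        # LOG is non-terminating, so the same match is repeated for DROP.
        run "$IPTABLES" -A "$CHAIN" -m layer7 --l7proto "$proto" -j LOG --log-prefix "l7 $proto: "
        run "$IPTABLES" -A "$CHAIN" -m layer7 --l7proto "$proto" -j DROP
    done
    # layer7 classifies a connection from its first packets and then remembers
    # the verdict in conntrack, so only tracked connections (NEW, ESTABLISHED)
    # are sent through the chain; INVALID packets cannot be classified anyway.
    run "$IPTABLES" -A FORWARD -m state --state NEW,ESTABLISHED -j "$CHAIN"
}

# Usage: l7_block_rules qq bittorrent && service iptables save
```

Note what the layer7 match can and cannot do here: the first few packets of a connection pass before the classifier has seen enough payload to match, so this blocks sessions rather than individual packets, and encrypted or obfuscated protocols that the .pat files do not describe are never matched at all.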
This article is from the "Qian Kun's blog". For more information, contact the author!