Netfilter/layer7
By default, Netfilter can only filter on layer 2, 3 and 4 data; application-layer data (layer 7, such as QQ or Thunder/Xunlei traffic) cannot be filtered. We also know that Netfilter runs in the kernel, so to make Netfilter support filtering layer 7 application-layer protocols the kernel must be recompiled. Because iptables is the rule-editing tool, iptables must also be recompiled so that it can author rules for layer 7 application-layer protocols.
The overall steps are as follows:
First, the software required
Kernel source: linux-2.6.28.10.tar.gz
iptables version: iptables-1.4.3.tar.bz2
Netfilter application-layer patch: netfilter-layer7-v2.22.tar.gz (adds the layer7 features to the kernel at compile time)
Layer7 protocol patterns: l7-protocols-2009-05-28.tar.gz. This package contains the matching patterns for many application-layer protocols. They are stored in the /root/l7-protocols-2009-05-28/protocols directory, and the file names end with the suffix .pat.
Second, compile the kernel and apply the netfilter-layer7 patch to it
# tar zxvf linux-2.6.28.10.tar.gz -C /usr/src
# tar zxvf netfilter-layer7-v2.22.tar.gz -C /usr/src
# cd /usr/src
# ln -s linux-2.6.28.10 linux
# cd /usr/src/linux/
# patch -p1 < ../netfilter-layer7-v2.22/kernel-2.6.25-2.6.28-layer7-2.22.patch
To improve the chance that the compilation succeeds, copy the config file of the currently running kernel to /usr/src/linux/ and rename it to .config
# cp /boot/config-2.6.18-164.el5 /usr/src/linux/.config
# make menuconfig
and select the following, either as kernel modules or built into the kernel:
Networking support → Networking options → Network packet filtering framework → Core Netfilter Configuration
<M> Netfilter connection tracking support
<M> "layer7" match support
<M> "string" match support
<M> "time" match support
<M> "iprange" match support
<M> "connlimit" match support
<M> "state" match support
<M> "conntrack" connection match support
<M> "mac" address match support
<M> "multiport" multiple port match support
Networking support → Networking options → Network packet filtering framework → IP: Netfilter Configuration
<M> IPv4 connection tracking support (required for NAT)
<M> Full NAT
<M> MASQUERADE target support
<M> NETMAP target support
<M> REDIRECT target support
Execute the following commands to build and install the kernel and its modules:
# make
# make modules_install
# make install
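Before starting the long kernel build it is worth confirming that every option ticked in menuconfig actually landed in /usr/src/linux/.config as =y or =m. The following shell script is an added example, not part of the original post: it checks a .config file against the list of options above. The CONFIG_* symbol names are my assumption of how those menu entries are spelled in the 2.6.28 tree plus the layer7 patch; verify them against your own Kconfig if a check fails unexpectedly. The sample .config fragment at the bottom is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): verify the menuconfig selections
# in a kernel .config before running "make".

# Kconfig symbols expected for the menu entries listed in the post
# (assumed names; confirm against your tree's Kconfig files).
REQUIRED_SYMBOLS="
CONFIG_NF_CONNTRACK
CONFIG_NETFILTER_XT_MATCH_LAYER7
CONFIG_NETFILTER_XT_MATCH_STRING
CONFIG_NETFILTER_XT_MATCH_TIME
CONFIG_NETFILTER_XT_MATCH_IPRANGE
CONFIG_NETFILTER_XT_MATCH_CONNLIMIT
CONFIG_NETFILTER_XT_MATCH_STATE
CONFIG_NETFILTER_XT_MATCH_CONNTRACK
CONFIG_NETFILTER_XT_MATCH_MAC
CONFIG_NETFILTER_XT_MATCH_MULTIPORT
CONFIG_NF_CONNTRACK_IPV4
CONFIG_NF_NAT
CONFIG_IP_NF_TARGET_MASQUERADE
CONFIG_IP_NF_TARGET_NETMAP
CONFIG_IP_NF_TARGET_REDIRECT
"

# check_kconfig FILE: print every required symbol that is neither =y nor =m
# in FILE; exit status 0 when all are present, 1 otherwise.
check_kconfig() {
    _file=$1
    _missing=0
    for _sym in $REQUIRED_SYMBOLS; do
        # anchor on "SYMBOL=" so CONFIG_NF_NAT does not match CONFIG_NF_NAT_FTP
        if grep -q "^${_sym}=[ym]$" "$_file"; then
            :
        else
            printf 'missing or disabled: %s\n' "$_sym"
            _missing=$((_missing + 1))
        fi
    done
    [ "$_missing" -eq 0 ]
}

# count_missing FILE: number of required symbols not enabled in FILE.
count_missing() {
    check_kconfig "$1" | wc -l | tr -d ' '
}

# Constructed sample .config fragment: layer7 was left unset and NETMAP was
# disabled ("# ... is not set"); everything else was selected as a module.
SAMPLE_CONFIG=$(mktemp)
cat >"$SAMPLE_CONFIG" <<'EOF'
# Constructed sample, not a real kernel .config
CONFIG_NF_CONNTRACK=m
# CONFIG_NETFILTER_XT_MATCH_LAYER7 is not set
CONFIG_NETFILTER_XT_MATCH_STRING=m
CONFIG_NETFILTER_XT_MATCH_TIME=m
CONFIG_NETFILTER_XT_MATCH_IPRANGE=m
CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=m
CONFIG_NETFILTER_XT_MATCH_STATE=m
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m
CONFIG_NETFILTER_XT_MATCH_MAC=m
CONFIG_NETFILTER_XT_MATCH_MULTIPORT=m
CONFIG_NF_CONNTRACK_IPV4=m
CONFIG_NF_NAT=m
CONFIG_NF_NAT_FTP=m
CONFIG_IP_NF_TARGET_MASQUERADE=m
# CONFIG_IP_NF_TARGET_NETMAP is not set
CONFIG_IP_NF_TARGET_REDIRECT=m
EOF

# Usage: point it at the real file, e.g. check_kconfig /usr/src/linux/.config
if check_kconfig "$SAMPLE_CONFIG"; then
    echo "all required options enabled"
else
    echo "re-run make menuconfig and enable the options listed above"
fi
```

Run it as `sh check-kconfig.sh` after menuconfig; a non-empty list means the build would produce a kernel without the layer7 or time match, which only shows up later as an "iptables: No chain/target/match by that name" error when loading rules.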
Third, compile and install iptables so that it supports Layer7 application-layer protocols (such as QQ, Thunder, etc.)
Before compiling and installing, copy the existing iptables startup script to the /tmp directory for later use.
You can also save /etc/sysconfig/iptables for later use.
# cp /etc/init.d/iptables /tmp/iptables
# cp /etc/sysconfig/iptables /tmp/iptables.rule
# rpm -e iptables-ipv6 iptables iptstate --nodeps
# tar jxvf iptables-1.4.6.tar.bz2 -C /usr/src
# cd /usr/src/iptables-1.4.6
# cp ../netfilter-layer7-v2.22/iptables-1.4.3forward-for-kernel-2.6.20forward/libxt_layer7.* ./extensions/
# ./configure --prefix=/usr --with-ksource=/usr/src/linux    (--with-ksource specifies the location of the Linux kernel source)
# make
# make install
Fourth, install the Layer7 pattern package (which contains the various application-layer protocols and their matching patterns)
# tar zxvf l7-protocols-2009-05-28.tar.gz
# cd l7-protocols-2009-05-28
# make install
# mv /tmp/iptables /etc/init.d/
# vim /etc/init.d/iptables
In this script, change the path of the iptables binary to /usr/sbin/iptables
# service iptables start
After the above steps, Netfilter and iptables support filtering application-layer protocols.
The syntax of an iptables rule that filters a Layer7 application-layer protocol is as follows:
iptables [-t TABLE] COMMAND CHAIN match-conditions -m layer7 --l7proto PROTOCOL -j TARGET
For example, to prohibit users in the network segment 192.168.10.0/24 from logging in to QQ:
# iptables -A FORWARD -s 192.168.10.0/24 -m layer7 --l7proto qq -j DROP
The time extension was also compiled as a kernel module above, so time-based matches can be combined with layer7 to limit some applications to certain periods:
-m time --datestart YYYY[-MM[-DD[Thh[:mm[:ss]]]]] --datestop YYYY[-MM[-DD[Thh[:mm[:ss]]]]]
### this is a date-based restriction
-m time --timestart hh:mm[:ss] --timestop hh:mm[:ss]
### this restricts a certain period of each day
For example, to prohibit users in the network segment 192.168.10.0/24 from accessing the Internet every day between 08:00 and 20:00:
# iptables -A FORWARD -s 192.168.10.0/24 -m time --timestart 08:00 --timestop 20:00 -j DROP
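Two things commonly go wrong with these rules in practice: the --l7proto name is spelled differently from the .pat file that was installed, and a --timestart or --timestop value is not a valid HH:MM. The shell script below is an added example, not part of the original post: it looks up protocol names in a pattern directory laid out like l7-protocols' protocols/ directory (name on the first non-comment line of each .pat file, regex on the next), validates the time window, and prints the resulting layer7 and time rules without executing them. The two .pat files it creates are constructed placeholders with made-up regexes, not the real l7-protocols patterns.

```shell
#!/bin/sh
# Added example (not from the original post): build the layer7 and time-based
# rules described above as strings after validating their inputs. Nothing
# here runs iptables; the caller reviews and applies the printed lines.

# l7_protocols DIR: print the protocol name carried by each .pat file in DIR,
# sorted. The first line that is neither blank nor a comment is the name.
l7_protocols() {
    for _pat in "$1"/*.pat; do
        [ -f "$_pat" ] || continue
        grep -Ev '^[[:space:]]*(#|$)' "$_pat" | head -n 1
    done | sort
}

# valid_hhmm STR: true when STR is HH:MM with HH in 00-23 and MM in 00-59.
valid_hhmm() {
    case $1 in
        [01][0-9]:[0-5][0-9]|2[0-3]:[0-5][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# l7_block_rule DIR SRC PROTO [START STOP]: print a FORWARD rule that drops
# PROTO traffic from SRC; with START/STOP, restrict it to that daily window.
# Returns 1 and prints nothing on stdout if PROTO has no .pat file in DIR or
# a time value is malformed.
l7_block_rule() {
    _dir=$1; _src=$2; _proto=$3; _start=$4; _stop=$5
    l7_protocols "$_dir" | grep -qx "$_proto" || {
        printf 'no pattern file for --l7proto %s in %s\n' "$_proto" "$_dir" >&2
        return 1
    }
    _rule="iptables -A FORWARD -s $_src -m layer7 --l7proto $_proto"
    if [ -n "$_start" ] || [ -n "$_stop" ]; then
        valid_hhmm "$_start" && valid_hhmm "$_stop" || {
            printf 'bad time window %s-%s (want HH:MM)\n' "$_start" "$_stop" >&2
            return 1
        }
        _rule="$_rule -m time --timestart $_start --timestop $_stop"
    fi
    printf '%s -j DROP\n' "$_rule"
}

# Constructed pattern directory standing in for /root/l7-protocols-*/protocols.
# Both regexes are placeholders invented for this example.
L7_DIR=$(mktemp -d)
cat >"$L7_DIR/qq.pat" <<'EOF'
# QQ - constructed placeholder, not the real l7-protocols pattern
qq
^\x02.+\x03$
EOF
cat >"$L7_DIR/xunlei.pat" <<'EOF'
# Xunlei (Thunder) - constructed placeholder, not the real l7-protocols pattern
xunlei
^\x3a\x00
EOF

# Usage: the two rules from the post, generated from validated inputs.
l7_block_rule "$L7_DIR" 192.168.10.0/24 qq
l7_block_rule "$L7_DIR" 192.168.10.0/24 qq 08:00 20:00
```

On a real system replace L7_DIR with the installed pattern directory and pipe the output into a review step before applying it; a protocol name that is not in that directory is rejected up front instead of failing at `iptables` time.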
This article is from the "Linux Learning path" blog; please keep the source: http://xslwahaha.blog.51cto.com/4738972/1570947
Compiling the kernel so that Netfilter supports filtering Layer7 application-layer protocols