CentOS 5.1 as a NAT gateway that blocks Thunder (Xunlei), BT and PPLive

Source: Internet
Author: User
Tags gpg

Recently the company needed to block things unrelated to office work and did not want to buy a hardware firewall, so I had to implement it with iptables: recompile the 2.6 kernel and add the blocking modules (ipp2p + layer7 protocol matching) to iptables. This post writes up what we needed for that recent work. The technique is simple and I dare not claim it is original; I learned a lot from predecessors and hope you will not laugh at it.

System installation: CentOS 5.1 with the default kernel linux-2.6.18-53.el5 and the default iptables version 1.3.5.

Put the required installation packages under /root:

kernel-2.6.18-53.el5.src.rpm // kernel source package //
iptables-1.3.5.tar.bz2 // iptables 1.3.5 source package //
dhcp-3.0.5-7.el5.i386.rpm // DHCP service package //
libpcap-0.9.4-11.el5.i386.rpm // packet-capture library that many network tools depend on //
libpcap-devel-0.9.4-11.el5.i386.rpm // libpcap development package //
l7-protocols-2008-02-20.tar.gz // layer7 protocol pattern package //
netfilter-layer7-v2.17.tar.gz // kernel and iptables layer7 patches //
ipp2p-0.99.15.tar.gz // ipp2p module, which can restrict Thunder, BT, QQ Tornado and mainstream network TV //
tcptrack-1.2.0.tar.gz // a simple traffic viewing tool //

Disable the firewall
Disable SELinux
Configure the NIC IP addresses

Network configuration information:

NIC: 192.168.0.1 255.255.255.0
NIC: 192.168.3.1 255.255.255.0
Default gateway: 192.168.0.1
DNS: 219.141.136.10, 211.94.69.34

You can adjust the above settings to your actual needs.

Log in as root after the system installation.

# rpm -qa | grep kernel

Remove the kernel-smp*.rpm and kernel-smp-devel*.rpm packages:

# rpm -e --nodeps kernel-smp
# rpm -e --nodeps kernel-smp-devel

Check grub.conf: the boot entries are now reduced to one; otherwise the system's default boot entry is the SMP multi-processor kernel. My machine has only one CPU, so it is removed. Of course, if you have a dual-core or multiple CPUs, do not uninstall them.

# cat /boot/grub/menu.lst
# grub.conf generated by anaconda
#
# Note that you do not have to rerun grub after making changes to this file
# NOTICE:  You do not have a /boot partition.  This means that
#          all kernel and initrd paths are relative to /, eg.
#          root (hd0,0)
#          kernel /boot/vmlinuz-version ro root=/dev/hda1
#          initrd /boot/initrd-version.img
#boot=/dev/hda
default=0
timeout=1
splashimage=(hd0,0)/boot/grub/splash.xpm.gz
hiddenmenu
title CentOS (2.6.18-53.el5)
        root (hd0,0)
        kernel /boot/vmlinuz-2.6.18-53.el5 ro root=LABEL=/1
        initrd /boot/initrd-2.6.18-53.el5.img

Allow root to log in remotely over SSH:

# vi /etc/ssh/sshd_config

Find the line "#PermitRootLogin yes", remove the leading # comment marker, then save and exit.

Note: because iptables will be configured later, we chose not to enable the firewall during installation; that is, the machine's INPUT and OUTPUT chains are currently all ACCEPT. If the firewall was selected and SSH cannot connect, it can be stopped. We will write the rule script after upgrading iptables; otherwise there would be no need to upgrade it.

Now we need to disable some unimportant services.

# ntsysv

Keep only the following services:

crond
microcode_ctl
network
syslog
sshd

Select them, then save and exit.

Restart: # reboot

Okay. The above steps are all done on the host console; from here on we can work over SSH from a terminal.
Construction starts!!!

Uncompress all packages:

# tar zxvf ipp2p-0.99.15.tar.gz -C /usr/src/
# tar zxvf l7-protocols-2008-02-20.tar.gz -C /usr/src/
# tar zxvf netfilter-layer7-v2.17.tar.gz -C /usr/src/
# tar xvjf iptables-1.3.5.tar.bz2 -C /usr/src/

Fix the rpm package installation key warning:

# rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5

Add the user needed to install the kernel source package:

# useradd mockbuild

Install the source package and copy the prepared kernel tree to /usr/src/linux-2.6.18 for compilation. If the compilation fails you can delete the copy and try again with a fresh one, so a symbolic link is not recommended.

# rpm -ivh kernel-2.6.18-53.el5.src.rpm
# cd /usr/src/redhat/SPECS
# rpmbuild -bp --target=i686 kernel-2.6.spec
# cp -a /usr/src/redhat/BUILD/kernel-2.6.18/linux-2.6.18.i686 /usr/src/linux-2.6.18

Modify the copied kernel tree so its version string is consistent with the running kernel (this is very important; otherwise the compiled modules cannot be loaded by the kernel).

# cd /usr/src/linux-2.6.18
# vi Makefile

Change EXTRAVERSION = -prep
to EXTRAVERSION = -53.el5

Check that it is consistent with the uname -r version:

# uname -r
2.6.18-53.el5
# head -n4 Makefile
VERSION = 2
PATCHLEVEL = 6
SUBLEVEL = 18
EXTRAVERSION = -53.el5

# make mrproper

This command ensures that the source directory contains no stale .o files or file dependencies.

# make oldconfig

This command generates the kernel configuration; a .config file is present after it runs.

Now patch the kernel and add the modules.

Set environment variables for the kernel and iptables source:

# export KERNEL_DIR=/usr/src/linux-2.6.18 // kernel source path //
# export IPTABLES_DIR=/usr/src/iptables-1.3.5 // iptables 1.3.5 source path //

Add the layer7 module:

# cd /usr/src/linux-2.6.18
# patch -p1 < /usr/src/netfilter-layer7-v2.17/for_older_kernels/kernel-2.6.18-2.6.19-layer7-2.9.patch // patch the kernel //

# cd /usr/src/iptables-1.3.5
# patch -p1 < /usr/src/netfilter-layer7-v2.6/iptables-layer7-2.6.patch // patch iptables //
# chmod +x extensions/.layer7-test

The l7-filter module is now added.

Install the l7 protocol patterns:

# cd /usr/src/l7-protocols-2008-02-20
(Hint: if the current system time is wrong, the installation reports an error. Delete the /etc/l7-protocols folder, correct the system time, and install again.)
# make install


Select the new module in the kernel configuration:

# cd /usr/src/linux-2.6.18
# make menuconfig

Enter the kernel configuration menu.

Option path 1: Loadable module support --->
    [ ] Source checksum for all modules    !!! Do not check module source checksums

Option path 2: Networking --->
    Networking options --->
        Network packet filtering (replaces ipchains) --->
            IP: Netfilter Configuration --->

The newly added modules are all selected here:
    <M> Layer 7 match support (EXPERIMENTAL) // select L7 //
    [ ] Layer 7 debugging output (NEW) (do not select this debug option)
    (2048) Buffer size for application layer data (NEW)

Save and exit.
Before recompiling the kernel we rename the existing module directory. That way, even if the compilation fails, you only need to rename the module directory back and the system is the same as before ~ haha

# mv /lib/modules/2.6.18-53.el5 /lib/modules/2.6.18-53.el5.old

Now recompile the kernel! This process is very long, please wait. Modules can in fact be added without recompiling the kernel, but many functions are then not supported well and errors keep appearing when the rules run.

Start recompiling the kernel:

# make bzImage // the letter "I" is upper case, pay attention //
This command takes a while.

# make modules // compiles each module, also takes a long time //
# make modules_install // installs the modules //
# mv /boot/System.map-2.6.18-53.el5 /boot/System.map-2.6.18-53.el5.old // back up the original map file //
# cp System.map /boot/System.map-2.6.18-53.el5 // copy the map file from the kernel source directory to /boot //
# reboot // restart into the new kernel //

Log in again over SSH as root.
Start installing the new iptables.

(What this comment-out does: it disables the header's check that refuses inclusion from userspace, so the iptables build can compile against the kernel tree.)

# vi /usr/src/linux-2.6.18/include/linux/config.h

Use // to comment out the three middle lines shown below:

#include <linux/autoconf.h>

//#if !defined (__KERNEL__) && !defined(__KERNGLUE__)
//#error including kernel header in userspace; use the glibc headers instead!
//#endif

#endif

Save and exit.

# cd /usr/src/iptables-1.3.5
# export KERNEL_DIR=/usr/src/linux-2.6.18
# export IPTABLES_DIR=/usr/src/iptables-1.3.5

Make sure these two environment variables exist (you already set them; echo $KERNEL_DIR and echo $IPTABLES_DIR confirm the directories are correct), then install:

# make BINDIR=/sbin LIBDIR=/lib MANDIR=/usr/share/man install

Install the ipp2p module to support more protocols.

# cd /usr/src/ipp2p-0.99.15
# vi Makefile

Modify the following content:

Change #KERNEL_SRC=/usr/src/linux
to KERNEL_SRC=/usr/src/linux-2.6.18

Change KERNEL_SRC ?= $(firstword $(wildcard /lib/modules/$(shell uname -r)/build /usr/src/linux))
to #KERNEL_SRC ?= $(firstword $(wildcard /lib/modules/$(shell uname -r)/build /usr/src/linux))

The above simply changes the path to the kernel source and iptables source!! Make sure to change it!!!

Change $(CC) -shared -o libipt_ipp2p.so libipt_ipp2p.o
to ld -shared -o libipt_ipp2p.so libipt_ipp2p.o

After modifying:

# make
# cp libipt_ipp2p.so /lib/iptables // copy the compiled libipt_ipp2p.so userspace library //
# cp ipt_ipp2p.ko /lib/modules/2.6.18-53.el5/kernel/net/ipv4/netfilter // copy the compiled ipt_ipp2p.ko kernel module //

All modules are installed.

# depmod -a // update the kernel module dependencies //

Installation complete.

Test

1. View the iptables version:

# iptables -V
iptables v1.3.5

2. View the ipp2p version:

# iptables -m ipp2p -h | grep ipp2p
ipp2p v0.99.15 options:

The following is my iptables rule script.

# vi /root/firewall_acl
#!/bin/sh
echo "1" > /proc/sys/net/ipv4/ip_forward
modprobe ip_tables
modprobe ip_nat_ftp
modprobe ip_conntrack
modprobe ip_conntrack_ftp
/sbin/iptables -F
/sbin/iptables -X
/sbin/iptables -Z
/sbin/iptables -F -t nat
/sbin/iptables -X -t nat
/sbin/iptables -Z -t nat
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -P FORWARD ACCEPT
/sbin/iptables -A FORWARD -p tcp -m multiport --dports 80,443 -m layer7 --l7proto qq -j DROP # QQ
/sbin/iptables -A FORWARD -p udp --dport 4000 -j DROP # QQ
/sbin/iptables -A FORWARD -p udp --dport 8000 -j DROP # QQ
/sbin/iptables -A FORWARD -p tcp -m layer7 --l7proto socks -j DROP # SOCKS proxy use
/sbin/iptables -A FORWARD -p tcp -m layer7 --l7proto httpagentqq -j DROP # QQ over an HTTP proxy (pattern file created below)
/sbin/iptables -A FORWARD -m layer7 --l7proto msnmessenger -j DROP # MSN
/sbin/iptables -A FORWARD -p udp --dport 53 -m string --hex-string "|7171036f6d|" --algo bm -j DROP
# filter DNS queries containing the Tencent string
/sbin/iptables -A FORWARD -p tcp -m ipp2p --edk --kazaa --gnu --bit --apple --soul --xunlei --pp -j DROP
# filter Thunder, BT, QQ Tornado, QQ Live, PPLive, PPStream, and limit Thunder to single-threaded downloads (TCP packets)
/sbin/iptables -A FORWARD -p udp -m ipp2p --edk --kazaa --gnu --bit --apple --soul --xunlei --pp -j DROP
# the same for UDP packets
/sbin/iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT # connection state tracking
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p udp -j ACCEPT
/sbin/iptables -A INPUT -i eth1 -p udp -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p icmp -j ACCEPT
/sbin/iptables -A INPUT -i eth1 -p icmp -j ACCEPT
/sbin/iptables -A INPUT -p tcp -i eth0 --dport 22 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -i eth1 --dport 22 -j ACCEPT
#/sbin/iptables -A FORWARD -s 192.168.3.0/24 -m limit --limit 500/s -j ACCEPT
# these two are not necessary; enable them if you want to rate-limit the traffic of this segment!!!
#/sbin/iptables -A FORWARD -s 192.168.3.0/24 -j DROP
# same as above; these two must appear as a pair, otherwise they do not take effect!!!
/sbin/iptables -t nat -P PREROUTING ACCEPT
/sbin/iptables -t nat -P POSTROUTING ACCEPT
/sbin/iptables -t nat -P OUTPUT ACCEPT
/sbin/iptables -t nat -A POSTROUTING -o eth1 -s 192.168.3.0/24 -j MASQUERADE
/etc/rc.d/init.d/dhcpd start

Save and exit.

# chmod 755 firewall_acl

# vi /etc/l7-protocols/protocols/httpagentqq.pat // create an L7 pattern file to block QQ; the content is as follows //

# The httpagentqq CONNECT action
httpagentqq
^\x43\x4f\x4e\x4e.+\x0d\x0a$

Save and exit.
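A hand-written .pat file is easy to get wrong, and this particular pattern matches any connection whose buffered data starts with "CONN" and ends in CRLF, so it is worth testing offline before loading it. The Python below is an added example, not code from the original post or from the l7-filter project: it parses a constructed copy of the file in the layout shown above and approximates the kernel match (case-insensitive, NUL bytes turned into spaces, first 2048 bytes of application data, which are assumptions taken from l7-filter's documented behaviour) against constructed payloads.

```python
import re

# Constructed sample in the l7-protocols .pat layout the post uses:
# '#' comment lines, the protocol name, then the regex on the next line.
HTTPAGENTQQ_PAT = """# The httpagentqq CONNECT action
httpagentqq
^\\x43\\x4f\\x4e\\x4e.+\\x0d\\x0a$
"""

def parse_pat(text):
    """Return (protocol_name, regex) from a .pat file body."""
    lines = [l.strip() for l in text.splitlines()
             if l.strip() and not l.lstrip().startswith("#")]
    if len(lines) < 2:
        raise ValueError("pattern file needs a name line and a regex line")
    return lines[0], lines[1]

def l7_match(regex, payload, buffer_size=2048):
    """Approximate the kernel l7 match (assumed semantics): the first
    buffer_size bytes of a connection's application data, NUL bytes replaced
    by spaces, compared case-insensitively with '.' matching any byte."""
    data = payload[:buffer_size].replace(b"\x00", b" ").decode("latin-1")
    return re.search(regex, data, re.IGNORECASE | re.DOTALL) is not None

def check_samples(pat_text, samples):
    """Run every (label, payload) sample through the pattern file."""
    name, regex = parse_pat(pat_text)
    return {label: l7_match(regex, payload) for label, payload in samples}

# Constructed payloads: a proxy CONNECT, a plain GET, a lower-case CONNECT
# and a stream that has CONNECT in the middle rather than at the start.
SAMPLES = [
    ("connect", b"CONNECT im.qq.com:443 HTTP/1.1\r\nHost: im.qq.com\r\n\r\n"),
    ("get", b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    ("lower", b"connect 10.0.0.5:8080 http/1.1\r\n\r\n"),
    ("midstream", b"HELLO\r\nCONNECT host:443 HTTP/1.1\r\n"),
]

if __name__ == "__main__":
    for label, hit in check_samples(HTTPAGENTQQ_PAT, SAMPLES).items():
        print(f"{label:10s} -> {'DROP' if hit else 'pass'}")
```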

The firewall is complete; now set up the DHCP service.

# rpm -ivh dhcp-3.0.5-7.el5.i386.rpm

Then:

# cd /root
# vi dhcpd.conf // edit the most basic configuration file of the DHCP service; the DNS servers and address pool can be changed to what you actually need //

default-lease-time 259200;
max-lease-time 518400;
option domain-name "dhcp3.ibexrouter.com";
option domain-name-servers 219.141.136.10, 211.94.69.34;
ddns-update-style interim;
subnet 192.168.3.0 netmask 255.255.255.0 {
        range 192.168.3.2 192.168.3.100;
        option broadcast-address 192.168.3.255;
        option routers 192.168.3.1;
}

Save and exit.

# cp dhcpd.conf /etc/

The system asks whether to overwrite; answer y.
Then you need to tell DHCP which NIC to serve on. Of course, it is the internal NIC.

# vi /etc/sysconfig/dhcpd

DHCPDARGS=eth0

Save and exit, so that DHCP serves on eth0, that is, my internal NIC.

# service dhcpd start // start the DHCP service //
# netstat -aunp

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
udp        0      0 0.0.0.0:67              0.0.0.0:*                           1820/dhcpd

The above output shows that DHCP started successfully ~ If not, take a closer look at the configuration file /etc/dhcpd.conf.

After DHCP is installed, install tcptrack, a simple traffic viewing tool.

# cd /root
# rpm -ivh libpcap-0.9.4-11.el5.i386.rpm // packet-capture library that many network tools depend on //
# rpm -ivh libpcap-devel-0.9.4-11.el5.i386.rpm // libpcap development package //
# tar zxvf tcptrack-1.2.0.tar.gz
# cd tcptrack-1.2.0
# ./configure
# make
# make install

Now you can use tcptrack to view the traffic:

# tcptrack -i eth0 // to watch another network card, replace eth0 with its name //
Now the work is coming to an end.

# vi /etc/rc.d/rc.local

#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.

touch /var/lock/subsys/local
/root/firewall_acl // add this line; it loads our iptables rule script at startup //

Okay, now you can reboot.

After restarting, the iptables rules take effect!
DHCP automatically assigns IP addresses to the segment.
A simple NAT server is complete.
