The company's Internet router has to provide NAT, DHCP, DNS caching, bandwidth control and application-level control. NAT can be implemented directly with iptables; DHCP needs the dhcpd package; DNS caching uses BIND; bandwidth control uses tc; application control (for example blocking QQ) can be implemented with netfilter-layer7-v2.22 together with the l7-protocols-2009-05-28.tar.gz signature set.
1. Network Planning
2. Install dhcpd
yum install dhcp-3.0.5-31.el5
vim /etc/dhcp/dhcpd.conf
ddns-update-style interim;
ignore client-updates;
subnet 10.0.0.0 netmask 255.255.255.0 {
    option routers 10.0.0.1;
    option subnet-mask 255.255.255.0;
    option domain-name-servers 10.0.0.1;
    range dynamic-bootp 10.0.0.100 10.0.0.200;
    default-lease-time 21600;
    max-lease-time 43200;
}
3. Install BIND as a caching DNS server
yum install bind97.i386 bind97-libs.i386 bind97-utils.i386
vim /etc/named.conf
options {
    directory "/var/named";
    allow-recursion { 10.0.0.0/24; };   # only the LAN may use this server for recursive queries
    recursion yes;
    forward only;                        # forward every query to the forwarders instead of resolving it ourselves
    forwarders { 114.114.114.114; };    # address of the upstream forwarder
};
zone "." IN {
    type hint;
    file "named.ca";
};
zone "localhost" IN {
    type master;
    file "named.localhost";
    allow-transfer { none; };
};
zone "0.0.127.in-addr.arpa" IN {
    type master;
    file "named.loopback";
    allow-transfer { none; };
};
Create the root hints file named.ca referenced in named.conf:
dig -t NS . > /var/named/named.ca
chown :named /var/named/named.ca
Create the local forward zone file named.localhost:
vim /var/named/named.localhost
$TTL 1D
@       IN SOA  @ rname.invalid. (
                0       ; serial
                1D      ; refresh
                1H      ; retry
                1W      ; expire
                3H )    ; minimum
        NS      @
        A       127.0.0.1
chown :named /var/named/named.localhost
Create the local reverse zone file named.loopback:
vim /var/named/named.loopback
$TTL 1D
@       IN SOA  @ rname.invalid. (
                0       ; serial
                1D      ; refresh
                1H      ; retry
                1W      ; expire
                3H )    ; minimum
        NS      @
        A       127.0.0.1
        PTR     localhost.
chown :named /var/named/named.loopback
Check the main configuration file:
named-checkconf
Check the root hints file:
named-checkzone "." /var/named/named.ca
Check the zone files:
named-checkzone "localhost" /var/named/named.localhost
Start the service:
service named start
4. Recompile the kernel and iptables to support application-layer filtering
The firewall itself is the netfilter kernel module, so the kernel has to be rebuilt: download a fresh kernel source tree, apply the netfilter-layer7-v2.22 patch to it and compile the patched tree. iptables is the user-space tool that drives netfilter, so it has to be patched and rebuilt as well. Finally install the application signature library l7-protocols-2009-05-28.tar.gz. In order:
1) Patch the kernel and recompile it
2) Patch the iptables source and recompile iptables
3) Install l7-protocols
Back up the iptables init script and configuration file:
cp /etc/rc.d/init.d/iptables /root/iptables.sysv
cp /etc/sysconfig/iptables-config /root/iptables-config
2.6 kernel download address:
https://www.kernel.org/pub/linux/kernel/v2.6/
netfilter-layer7 download address:
http://download.clearfoundation.com/l7-filter/
iptables source download address:
http://www.netfilter.org/projects/iptables/downloads.html
Application signature library download address:
http://download.clearfoundation.com/l7-filter/
xz -d linux-2.6.28.10.tar.xz
tar -xvf linux-2.6.28.10.tar -C /usr/src             # fresh kernel source for the rebuild
tar -zxvf netfilter-layer7-v2.22.tar.gz -C /usr/src   # kernel patch and iptables patch; supports kernels only up to 2.6.28
# enter the unpacked directory and create a symlink
cd /usr/src
ln -sv linux-2.6.28.10 linux
# enter the kernel directory
cd /usr/src/linux
# patch the kernel tree
patch -p1 < ../netfilter-layer7-v2.22/kernel-2.6.25-2.6.28-layer7-2.22.patch
# copy the running kernel's configuration over so the new kernel is easier to configure
cp /boot/config-2.6.18-164.el5 /usr/src/linux/.config
Compile the kernel:
make menuconfig
Networking support -> Networking options -> Network packet filtering framework (Netfilter) -> Core Netfilter Configuration
<M> Netfilter connection tracking support
<M> "layer7" match support
<M> "string" match support
<M> "time" match support
<M> "iprange" match support
<M> "connlimit" match support
<M> "state" match support
<M> "conntrack" connection match support
<M> "mac" address match support
<M> "multiport" Multiple port match support
Networking support -> Networking options -> Network packet filtering framework (Netfilter) -> IP: Netfilter Configuration
<M> IPv4 connection tracking support (required for NAT)
<M> Full NAT
<M> MASQUERADE target support
<M> NETMAP target support
<M> REDIRECT target support
In menuconfig, open Networking options under Networking support, go to Network packet filtering framework (Netfilter) -> Core Netfilter Configuration and select Netfilter connection tracking support (NEW), "layer7" match support (NEW), "time" match support (NEW) and "iprange" match support; then go to IP: Netfilter Configuration and select IPv4 connection tracking support and Full NAT (NEW).
make
make modules_install
make install
Reboot, select the new kernel in the boot menu and log in.
Remove the old iptables packages:
rpm -e iptables-1.3.5-9.1.el5 iptables-ipv6-1.3.5-9.1.el5 iptstate-1.4-2.el5 --nodeps
Install the new iptables so that it supports the new netfilter modules:
tar -jxvf iptables-1.4.6.tar.bz2 -C /usr/src
# copy the layer7 extension shipped with the netfilter-layer7 patch into the iptables source tree
cd /usr/src/netfilter-layer7-v2.22/iptables-1.4.3forward-for-kernel-2.6.20forward
cp * /usr/src/iptables-1.4.6/extensions/
cd /usr/src/iptables-1.4.6/
./configure --prefix=/usr --with-ksource=/usr/src/linux
make
make install
Inspect the installed iptables files:
ls /usr/sbin | grep iptables
ls /usr/libexec/xtables
Copy back the configuration file and init script that were backed up earlier:
cp /root/iptables-config /etc/sysconfig/
cp /root/iptables.sysv /etc/rc.d/init.d/iptables
Change the iptables path in the init script (the binary now lives in /usr/sbin):
vim /etc/rc.d/init.d/iptables
:.,$s@/sbin/$IPTABLES@/usr/sbin/$IPTABLES@g
Make the iptables service start at boot:
chkconfig --add iptables
Edit the iptables configuration file /etc/sysconfig/iptables-config and comment out the line
IPTABLES_MODULES="ip_conntrack_netbios_ns"
since that module name no longer exists in the new kernel.
Install the protocol signatures:
tar xvf l7-protocols-2009-05-28.tar.gz
cd l7-protocols-2009-05-28
make install
When it finishes the files are placed under /etc/l7-protocols; the supported protocols are listed in /etc/l7-protocols/protocols.
Add the iptables policy: let the internal network reach the Internet, but block QQ and video.
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -j SNAT --to-source <public IP of the router>
iptables -A FORWARD -m layer7 --l7proto qq -j DROP
iptables -A FORWARD -m layer7 --l7proto httpvideo -j DROP
iptables -A FORWARD -m layer7 --l7proto httpaudio -j DROP
Block all Internet access between 08:00 and 12:00:
iptables -A FORWARD -m time --timestart 08:00 --timestop 12:00 -j DROP
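The rules above are appended to a FORWARD chain that still has its default ACCEPT policy and no state rule, so the order in which they are loaded, and what happens to traffic they do not mention, is left to chance. The script below is an added example (not code from the original post) that assembles the same policy as one ordered, default-deny ruleset: layer7 drops first, because layer7 has to see every packet of a connection to classify it, then the time window, then a stateful ACCEPT for LAN-initiated traffic, then SNAT. The interface names eth0/eth1, the external address 203.0.113.10 and the LAN subnet are assumptions; by default it only prints the commands, and running it with IPT=iptables applies them.

```shell
#!/bin/sh
# Added example, not part of the original post: generates the router's
# FORWARD/NAT policy as one ordered, default-deny ruleset. Interface names,
# the external address and the subnet are assumptions made here.
# By default this is a dry run that prints the commands; run with IPT=iptables
# (as root, after the layer7 modules are loaded) to apply them.
IPT=${IPT:-"echo iptables"}
LAN_IF=${LAN_IF:-eth0}             # assumed: eth0 faces the 10.0.0.0/24 LAN
WAN_IF=${WAN_IF:-eth1}             # assumed: eth1 faces the Internet
LAN_NET=${LAN_NET:-10.0.0.0/24}
EXT_IP=${EXT_IP:-203.0.113.10}     # placeholder public address (TEST-NET-3); replace it
BLOCKED_L7=${BLOCKED_L7:-"qq httpvideo httpaudio"}

router_rules() {
    # Flush first so that re-running the script does not duplicate rules
    $IPT -F FORWARD
    $IPT -t nat -F POSTROUTING
    # Nothing is forwarded unless a rule below allows it
    $IPT -P FORWARD DROP

    # Application-layer blocks go first: layer7 classifies a connection from
    # its first data packets, so it must see every packet, including those
    # the ESTABLISHED rule further down would otherwise accept before it runs.
    # The rate-limited LOG rule gives the admin a record of what was blocked.
    for proto in $BLOCKED_L7; do
        $IPT -A FORWARD -m layer7 --l7proto "$proto" -m limit --limit 3/min \
             -j LOG --log-prefix "L7-DROP $proto: "
        $IPT -A FORWARD -m layer7 --l7proto "$proto" -j DROP
    done

    # No Internet access from the LAN between 08:00 and 12:00; placed before
    # the ESTABLISHED rule so sessions opened earlier are cut off as well
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -m time --timestart 08:00 --timestop 12:00 -j DROP

    # Return traffic for connections the LAN already opened
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Everything else from the LAN towards the Internet is allowed
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -m state --state NEW -j ACCEPT

    # Source NAT: LAN clients appear as the router's public address
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j SNAT --to-source "$EXT_IP"
}

# Number of rules the policy adds (handy for checking a dry run)
rule_count() {
    router_rules | grep -c -- ' -A '
}

router_rules
```

Because the FORWARD policy is DROP, anything not matched by the NEW/ESTABLISHED rules, including traffic entering from the Internet side, is discarded; with the original's default ACCEPT policy such traffic would have been forwarded.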
5. Bandwidth control with tc
For example: the company's uplink is 10Mbps; user A is allowed at most 500KB/s of download bandwidth and user B at most 200KB/s.
User A IP: 10.0.0.100
User B IP: 10.0.0.101
# Create a root queueing discipline on eth0. The discipline is HTB; "default 2" names the default class, i.e. the flow-control policy applied to traffic that none of the filters below match.
tc qdisc add dev eth0 root handle 1:0 htb default 2
# Define classes on eth0. "parent 1:0" refers to the root qdisc's handle 1:0; "classid 1:2" is this class's identifier, used later by the filter; "rate 200kbps" guarantees 200KB/s and "ceil 200kbps" caps the class at 200KB/s as well (in tc, kbps means kilobytes per second); "prio 2" is the priority.
tc class add dev eth0 parent 1:0 classid 1:2 htb rate 200kbps ceil 200kbps prio 2
tc class add dev eth0 parent 1:0 classid 1:3 htb rate 500kbps ceil 500kbps prio 2
# Replace the default pfifo queueing discipline of both classes with sfq
tc qdisc add dev eth0 parent 1:2 handle 2: sfq
tc qdisc add dev eth0 parent 1:3 handle 3: sfq
# Add u32 filters at node 1:0 of eth0 (the qdisc handle 1:0) with priority 1: packets whose destination address is 10.0.0.100 (user A, 500KB/s) go to class 1:3, packets for 10.0.0.101 (user B, 200KB/s) go to class 1:2
tc filter add dev eth0 parent 1:0 protocol ip prio 1 u32 match ip dst 10.0.0.100 flowid 1:3
tc filter add dev eth0 parent 1:0 protocol ip prio 1 u32 match ip dst 10.0.0.101 flowid 1:2
If there are more users, say C and D with IPs 10.0.0.102 and 10.0.0.103 who also need 500KB/s of download bandwidth, add filters that send them to class 1:3:
tc filter add dev eth0 parent 1:0 protocol ip prio 1 u32 match ip dst 10.0.0.102 flowid 1:3
tc filter add dev eth0 parent 1:0 protocol ip prio 1 u32 match ip dst 10.0.0.103 flowid 1:3
Clear the rules on eth0:
tc qdisc del dev eth0 root > /dev/null 2>&1
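Adding users by hand, one class and one filter at a time, does not scale and makes it easy to forget the root qdisc has to be deleted before the hierarchy is rebuilt. The script below is an added example (not code from the original post) that generalises the procedure above: it builds the same HTB/sfq/u32 layout from a table of "IP rate" entries, one leaf class per user, after first clearing eth0. The user table is constructed for the example, the per-user class ids 1:10, 1:11, ... and the sfq handles are choices made here, and by default the script only prints the tc commands; running it with TC=tc applies them.

```shell
#!/bin/sh
# Added example, not part of the original post: builds the HTB hierarchy from
# a table of "IP rate" entries instead of hand-writing one class and filter per
# user, and removes the old configuration first so it can be re-run safely.
# Default is a dry run that prints the tc commands; run with TC=tc to apply.
TC=${TC:-"echo tc"}
DEV=${DEV:-eth0}                        # LAN-facing interface; user downloads leave through it
DEFAULT_RATE=${DEFAULT_RATE:-200kbps}   # class for hosts without an entry (kbps = kilobytes/s in tc)

# Constructed sample table for this example: one "ip rate" pair per line
USER_TABLE="10.0.0.100 500kbps
10.0.0.101 200kbps
10.0.0.102 500kbps
10.0.0.103 500kbps"

reset_shaping() {
    # Deleting a root qdisc that is not there is an error; ignore it
    $TC qdisc del dev "$DEV" root 2>/dev/null || true
}

# Layout: root HTB 1: -> default leaf 1:2 plus one leaf class 1:10, 1:11, ...
# per table entry, each with its own sfq qdisc and a u32 filter on the
# destination address. As in the original, each user's rate equals its ceil,
# so a user never gets more than the configured download bandwidth.
apply_shaping() {
    reset_shaping
    $TC qdisc add dev "$DEV" root handle 1: htb default 2
    $TC class add dev "$DEV" parent 1: classid 1:2 htb rate "$DEFAULT_RATE" ceil "$DEFAULT_RATE" prio 2
    $TC qdisc add dev "$DEV" parent 1:2 handle 2: sfq perturb 10

    minor=10
    printf '%s\n' "$USER_TABLE" | while read -r ip rate; do
        [ -n "$ip" ] || continue
        $TC class add dev "$DEV" parent 1: classid "1:$minor" htb rate "$rate" ceil "$rate" prio 2
        $TC qdisc add dev "$DEV" parent "1:$minor" handle "$minor:" sfq perturb 10
        $TC filter add dev "$DEV" parent 1: protocol ip prio 1 u32 \
            match ip dst "$ip" flowid "1:$minor"
        minor=$((minor + 1))
    done
}

# Number of per-user filters generated (for checking a dry run)
user_count() {
    apply_shaping | grep -c 'filter add'
}

apply_shaping
```

Hosts that appear in no table entry fall into the default class 1:2, so an unknown machine on the LAN is limited to DEFAULT_RATE rather than left unshaped.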