In the past two days, a friend and I have been working out how to add new modules to iptables.
The information I found on the Internet did not work as written; after some testing and debugging it finally worked.
I am posting the specific steps here to share them with you.
Personal suggestion: before installing the latest software, check that the versions you are combining actually match each other. Otherwise, when something fails, the cause cannot be found!
System environment:
CentOS 5.3
Kernel 2.6.18-128.el5
iptables: not installed (to be installed from source)
1. Download the required software packages
Kernel 2.6.19.7
# wget http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.19.7.tar.bz2
iptables 1.3.7
# wget http://www.netfilter.org/projects/iptables/files/iptables-1.3.7.tar.bz2
L7-filter: http://sourceforge.net/project/showfiles.php?group_id=80085
netfilter-layer7-v2.9.tar.gz
l7-protocols-2007-06-22.tar.gz
All of the above packages are downloaded to the user's home directory and unpacked into /usr/src/.
2. Configure and compile the new kernel
Patch the kernel first (current directory: /usr/src):
# cd linux-2.6.19.7
# patch -p1 < <layer7 kernel patch file from netfilter-layer7-v2.9>
Next, configure the kernel.
# make menuconfig
Select Layer 7 match support (the menu path is as follows):
-> Networking
   -> Networking support (NET [=y])
      -> Networking options
         -> Network packet filtering (replaces ipchains) (NETFILTER [=y])
            -> IP: Netfilter Configuration
               -> IP tables support (required for filtering/masq/NAT) (IP_NF_IPTABLES)
                  -> Layer 7 match support (EXPERIMENTAL) (IP_NF_MATCH_LAYER7)
# make bzImage
# make modules
# make modules_install
The above three steps took a long time; during the experiment I did them several times, which was depressing!!!!
# make install
# reboot (select the newly compiled kernel at boot, or set it as the default in /etc/grub.conf so you do not have to select it at startup)
# uname -r (view the new kernel version)
3. Apply the Layer7 patch to iptables (current directory: /usr/src):
# cd iptables-1.3.7
# patch -p1 < <layer7 iptables patch file from netfilter-layer7-v2.9>
# chmod +x extensions/.layer7-test
# make KERNEL_DIR=/usr/src/linux-2.6.19.7
# make install KERNEL_DIR=/usr/src/linux-2.6.19.7
# iptables -V (view the iptables version)
4. Install the Layer7 protocol pattern files (current directory: /usr/src):
# cd l7-protocols-2007-06-22
# make install
5. Use the iptables layer7 match:
# iptables -t mangle -I PREROUTING -m layer7 --l7proto edonkey -j DROP (block eDonkey)
# iptables -t mangle -I PREROUTING -m layer7 --l7proto bittorrent -j DROP (block BitTorrent)
# iptables -t mangle -I PREROUTING -m layer7 --l7proto qq -j DROP (block QQ traffic)
# iptables -t mangle -I PREROUTING -m layer7 --l7proto msnmessenger -j DROP (block MSN Messenger)
# iptables -t mangle -I PREROUTING -m layer7 --l7proto xunlei -j DROP (block Xunlei/Thunder)
# iptables -t mangle -I PREROUTING -m layer7 --l7proto kugoo -j DROP (block Kugoo)
# iptables -t mangle -I PREROUTING -m layer7 --l7proto yahoo -j DROP (block Yahoo! Messenger)
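The two things that bit me above were version mismatches between KERNEL_DIR and the running kernel, and protocol names that have no pattern file. The following preflight script is an added example (not from the original post or the l7-filter project): it assumes a kernel source tree with its top-level Makefile and an installed l7-protocols pattern directory such as /etc/l7-protocols, and it only prints the iptables commands rather than running them.

```sh
#!/bin/sh
# Added example, not part of the original post: preflight checks for the
# steps above. Assumes a kernel source tree with its top-level Makefile and
# an installed l7-protocols pattern directory (default /etc/l7-protocols).

# Print "VERSION.PATCHLEVEL.SUBLEVEL<EXTRAVERSION>" from a kernel Makefile.
kernel_src_version() {
    mk="$1/Makefile"
    [ -r "$mk" ] || return 1
    v=$(sed -n 's/^VERSION = *//p' "$mk")
    p=$(sed -n 's/^PATCHLEVEL = *//p' "$mk")
    s=$(sed -n 's/^SUBLEVEL = *//p' "$mk")
    e=$(sed -n 's/^EXTRAVERSION = *//p' "$mk")
    [ -n "$v" ] && [ -n "$p" ] && [ -n "$s" ] || return 1
    printf '%s.%s.%s%s\n' "$v" "$p" "$s" "$e"
}

# Succeed only when KERNEL_DIR is the tree the running kernel (or the version
# passed as $2) was built from; otherwise modules built there would be copied
# under the wrong /lib/modules/<version> directory and fail to load.
check_kernel_dir() {
    src=$(kernel_src_version "$1") || return 1
    [ "$src" = "${2:-$(uname -r)}" ]
}

# Print an "iptables -m layer7" DROP rule for each protocol that has a .pat
# pattern file under the l7-protocols directory; fail if any is missing, so a
# typo in a protocol name is caught before the live firewall is touched.
l7_drop_rules() {
    dir="$1"; shift
    missing=0
    for proto in "$@"; do
        if [ -n "$(find "$dir" -type f -name "$proto.pat" 2>/dev/null)" ]; then
            printf 'iptables -t mangle -I PREROUTING -m layer7 --l7proto %s -j DROP\n' "$proto"
        else
            echo "no pattern file for protocol: $proto" >&2
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Usage: check_kernel_dir /usr/src/linux-2.6.19.7 \
#   && l7_drop_rules /etc/l7-protocols edonkey bittorrent > l7-rules.sh
```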
6. Add the ipp2p module to iptables:
Download the patch-o-matic-ng-20060701 snapshot:
ftp://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot/
Apply the iptables patch:
# cd /usr/src/patch-o-matic-ng-20060701
# export KERNEL_DIR=/usr/src/linux-2.6.19.7
# export IPTABLES_DIR=/usr/src/iptables-1.3.7
# ./runme ipp2p
Rebuild the kernel netfilter modules:
# cd /usr/src/linux-2.6.19.7
# make modules SUBDIRS=net/ipv4/netfilter
# cp -f /usr/src/linux-2.6.19.7/net/ipv4/netfilter/*.ko /lib/modules/2.6.19.7/kernel/net/ipv4/netfilter
# chmod +x /lib/modules/2.6.19.7/kernel/net/ipv4/netfilter/*.ko
Install the ipp2p match:
# cd ipp2p-0.8.2/
# make
# cp libipt_ipp2p.so /usr/local/lib/iptables/
# cp ipt_ipp2p.ko /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/
# chmod +x /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ipt_ipp2p.ko
# depmod -a
Test:
# iptables -A FORWARD -m ipp2p --edk --kazaa --bit -j DROP
# iptables -A FORWARD -p tcp -m ipp2p --ares -j DROP
# iptables -A FORWARD -p udp -m ipp2p --kazaa -j DROP
Because I had no environment in which to test this, I did not carry out a specific test; if you have a suitable environment, test it yourself!!