Platform: CentOS 6 x86_64, default kernel version 2.6.34
1, prepare
yum update -y
yum install -y ncurses-devel gcc make bc wget patch grub
2, download the relevant packages
wget http://download.clearfoundation.com/l7-filter/netfilter-layer7-v2.23.tar.gz
wget http://download.clearfoundation.com/l7-filter/l7-protocols-2009-05-28.tar.gz
wget http://www.netfilter.org/projects/iptables/files/iptables-1.4.21.tar.bz2
wget https://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.35.8.tar.gz
3, compile the new kernel
tar xvf linux-2.6.35.8.tar.gz -C /usr/src
tar xvf netfilter-layer7-v2.23.tar.gz
cd /usr/src
ln -s linux-2.6.35.8 linux
cd linux
patch -p1 < /root/netfilter-layer7-v2.23/kernel-2.6.35-layer7-2.23.patch
zcat /proc/config.gz > .config
make oldconfig    # choose which of the newly prompted features and drivers to include
make menuconfig   # enable the modules listed below
Networking support → Networking options → Network packet filtering framework (Netfilter) → Core Netfilter Configuration
<M> Netfilter connection tracking support
<M> "connlimit" match support
<M> "conntrack" connection match support
<M> "iprange" address range match support
<M> "mac" address match support
<M> "multiport" Multiple port match support
<M> "state" match support
<M> "layer7" match support
<M> "string" match support
<M> "time" match support
Networking support → Networking options → Network packet filtering framework (Netfilter) → IP: Netfilter Configuration
<M> IPv4 connection tracking support (required for NAT)
<M> Full NAT
<M> MASQUERADE target support
<M> NETMAP target support
<M> REDIRECT target support
sed -i 's/# CONFIG_SYSFS_DEPRECATED_V2 is not set/CONFIG_SYSFS_DEPRECATED_V2=y/' .config
make CONFIG_DEBUG_SECTION_MISMATCH=y
make -j3 bzImage
make -j3 modules
make
make modules_install
make install    # if this prints 'cannot find lilo', ignore it: LILO is not installed and not used on this system, and /boot/vmlinuz has already been generated
mv /boot/vmlinuz /boot/vmlinuz-2.6.35
mkinitrd -o initrd-2.6.35.img
cd /boot
mv initramfs-2.6.34-x86_64-linode14.img initrd-2.6.35.img    # in practice the system was booted with the original system's initramfs image
vi /boot/grub/menu.lst
default 0
timeout 5
title Custom Compiled, kernel 2.6.35
root (hd0)
kernel /boot/vmlinuz-2.6.35 root=/dev/xvda ro quiet
initrd /boot/initrd-2.6.35.img
In the Linode Manager, change the profile's kernel to pv-grub-x86_64.
Verify after reboot:
uname -a
4, install iptables
cp /etc/init.d/iptables /tmp/
cp /etc/sysconfig/iptables-config /tmp/
rpm -e iptables-ipv6 iptables --nodeps
tar xvf iptables-1.4.21.tar.bz2
cp /root/netfilter-layer7-v2.23/iptables-1.4.3forward-for-kernel-2.6.20forward/libxt_layer7.* /root/iptables-1.4.21/extensions/
cd iptables-1.4.21
./configure --prefix=/usr --with-ksource=/usr/src/linux    # prints "Iptables modules that won't be built: connlabel"; not sure whether this matters, ignore it for now
make
make install
mv /tmp/iptables-config /etc/sysconfig/
mv /tmp/iptables /etc/rc.d/init.d/
vi /etc/init.d/iptables
Modify the binary path as follows (the new iptables is installed under /usr/sbin):
if [ ! -x /usr/sbin/$IPTABLES ]; then
    echo -n $"${IPTABLES}: /usr/sbin/$IPTABLES does not exist."; warning; echo
    exit 5
fi
Inside the "for i in $tables; do" loop:
    echo -n "$i "
    case "$i" in
Add the following case (iptables 1.4.21 also has a "security" table, which the stock init script does not know about) ------------------
        security)
            $IPTABLES -t filter -P INPUT $policy \
                && $IPTABLES -t filter -P OUTPUT $policy \
                && $IPTABLES -t filter -P FORWARD $policy \
                || let ret+=1
            ;;
End of addition ------------------
        raw)
service iptables restart
iptables -V    # check that the version is the one just built
5, install the protocol pattern pack:
tar xvf l7-protocols-2009-05-28.tar.gz
cd l7-protocols-2009-05-28
make install
You can list some of the supported protocols with:
ls protocols/
6, set iptables rules
iptables -t mangle -I POSTROUTING -m layer7 --l7proto xunlei -j DROP
iptables -t mangle -I PREROUTING -m layer7 --l7proto edonkey -j DROP
iptables -t mangle -I PREROUTING -m layer7 --l7proto bittorrent -j DROP
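To make clear what --l7proto actually decides on, here is an added toy re-implementation of the layer7 classifier in Python (example code written for this page, not l7-filter's own module). It assumes the documented l7-filter behaviour: the pattern from the .pat file is a case-insensitive extended regex, it is run over the reassembled payload of a connection but only over the first 2048 bytes and first 10 packets, after which the connection is marked as not matching. The pattern file used is constructed in the same layout as the files under protocols/, not the real xunlei.pat.

```python
import re

# Constructed .pat file in the l7-protocols layout: '#' comment lines,
# then the protocol name, then the regex. Not a real l7-protocols pattern.
SAMPLE_PAT = """# demo_http - constructed HTTP-like pattern for illustration
# the first non-comment line is the name used with --l7proto
demo_http
^(get|post) [^ ]+ http/1\\.[01]
"""

MAX_DATA = 2048   # assumed l7-filter default: bytes of payload inspected
MAX_PKTS = 10     # assumed l7-filter default: packets inspected per flow


def parse_pat(text):
    """Return (protocol name, compiled regex) from a .pat file body."""
    lines = [l for l in text.splitlines() if l.strip() and not l.startswith("#")]
    name, pattern = lines[0].strip(), lines[1]
    # l7-filter matches patterns case-insensitively (assumption, see lead-in)
    return name, re.compile(pattern, re.IGNORECASE)


class Flow:
    """Per-connection state: accumulated payload and the final verdict."""

    def __init__(self):
        self.data = b""
        self.pkts = 0
        self.verdict = None          # None = not yet classified

    def add(self, payload, regex, name):
        """Feed one packet's payload; return the verdict so far."""
        if self.verdict is not None:
            return self.verdict      # decision is sticky for the connection
        self.pkts += 1
        self.data = (self.data + payload)[:MAX_DATA]
        # NUL bytes would terminate the C string, so the module swaps them out
        text = self.data.replace(b"\x00", b"\x01").decode("latin-1")
        if regex.search(text):
            self.verdict = name
        elif self.pkts >= MAX_PKTS or len(self.data) >= MAX_DATA:
            self.verdict = "unknown"  # give up: inspection budget exhausted
        return self.verdict


def classify(packets, pat=SAMPLE_PAT):
    """Classify a list of payloads from one connection against one .pat."""
    name, regex = parse_pat(pat)
    flow = Flow()
    for payload in packets:
        flow.add(payload, regex, name)
    return flow.verdict
```

A flow that never produces a plaintext handshake in its first packets ends as "unknown", which is the situation the author runs into in step 7.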
7, after testing, it still didn't work. Someone online said: blocking is useless; people are clever, and someone will always find a way around or through the ban!
It seems the only remaining option is rate limiting.
Install L7 Filter on CentOS 6 to try filtering Xunlei