Iptables + L7 +squid Implement firewall function

Source: Internet
Author: User


Add the Layer7 patch to iptables (Linux 2.6.25 kernel)

################################################################

System environment: RHEL5 [2.6.18-8.el5xen]

Software Environment:

http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.25.19.tar.bz2

http://www.netfilter.org/projects/iptables/files/iptables-1.4.2.tar.bz2

http://ie.archive.ubuntu.com/sourceforge/l/l7/l7-filter/netfilter-layer7-v2.20.tar.gz

http://ie.archive.ubuntu.com/sourceforge/l/l7/l7-filter/l7-protocols-2008-10-04.tar.gz

Objective:

Apply the Layer7 patch to the kernel and iptables so that application-layer filtering becomes possible.

################################################################

First, recompile the kernel

1. Apply the Layer7 patch to the kernel

shell> tar jxvf linux-2.6.25.19.tar.bz2 -C /usr/src/

shell> tar zxvf netfilter-layer7-v2.20.tar.gz -C /usr/src/

shell> cd /usr/src/linux-2.6.25.19/

shell> patch -p1 < /usr/src/netfilter-layer7-v2.20/kernel-2.6.25-layer7-2.20.patch

2. Configure the new kernel

shell> cp /boot/config-2.6.18-8.el5 .config    # shortcut: start from the old kernel's configuration

shell> make menuconfig

When configuring the kernel, pay attention to two places under Networking ---> Networking options ---> Network packet filtering framework (Netfilter):

1) ---> Core Netfilter Configuration

Select "Netfilter connection tracking support" (NEW) and compile it as a module (M); only then do the Layer7 options become visible.

Compile layer7, string, state, time, IPsec, iprange, connlimit and so on as modules, picking them according to what you need.

2) ---> IP: Netfilter Configuration

Compile "IPv4 connection tracking support (required for NAT)" as a module.

Under "Full NAT", compile "MASQUERADE target support" and "REDIRECT target support" as modules.

3. Compile and install the modules and the new kernel

shell> make && make modules_install && make install

After compilation and installation, reboot and select the new kernel (2.6.25.19) at boot.

Second, recompile iptables

1. Uninstall the existing iptables

shell> rpm -e iptables iptstate --nodeps

2. Apply the Layer7 patch to iptables

shell> tar jxvf iptables-1.4.2.tar.bz2 -C /usr/src/

shell> cd /usr/src/netfilter-layer7-v2.20/iptables-1.4.1.1-for-kernel-2.6.20forward/

shell> cp libxt_layer7.c libxt_layer7.man /usr/src/iptables-1.4.2/extensions/

3. Compile and install

shell> cd /usr/src/iptables-1.4.2/

shell> ./configure --prefix=/ --with-ksource=/usr/src/linux-2.6.25.19

shell> make && make install

4. Install the l7-protocols pattern pack

shell> tar zxvf l7-protocols-2008-10-04.tar.gz -C /etc/

shell> mv /etc/l7-protocols-2008-10-04 /etc/l7-protocols

Third, Layer7 rule examples

1. Layer7 match

shell> iptables -A FORWARD -m layer7 --l7proto qq -j DROP

shell> iptables -A FORWARD -m layer7 --l7proto msnmessenger -j DROP

shell> iptables -A FORWARD -m layer7 --l7proto msn-filetransfer -j DROP

shell> iptables -A FORWARD -m layer7 --l7proto xunlei -j DROP

shell> iptables -A FORWARD -m layer7 --l7proto edonkey -j DROP

shell> iptables -A FORWARD -m layer7 --l7proto bittorrent -j DROP

2. String match

shell> iptables -A FORWARD -p udp --dport 53 -m string --string "Tencent" --algo bm -j DROP

shell> iptables -A FORWARD -p udp --dport 53 -m string --string "VERYCD" --algo bm -j DROP

shell> iptables -A FORWARD -p tcp --dport 80 -m string --string "Sex" --algo bm -j DROP

3. State match

shell> iptables -A FORWARD -m state --state NEW -p tcp ! --syn -j DROP

shell> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

4. Connlimit match (the connection limit and mask length are missing from the original; <N> and <bits> are placeholders)

shell> iptables -A FORWARD -p tcp --syn -m connlimit --connlimit-above <N> --connlimit-mask <bits> -j DROP

5. Time match

shell> iptables -A FORWARD -p tcp --dport 80 -m time --timestart 8:00 --timestop 17:00 --weekdays Mon,Tue,Wed,Thu,Fri -j ACCEPT

Case study

Three departments:

Engineering department: 192.168.145.10-192.168.145.20

Software department: 192.168.145.21-192.168.145.30

Manager's office: 192.168.145.31-192.168.145.40

Engineering department, working hours: access to the FTP server; QQ chat not allowed; HTTP Internet access not allowed.

Unrestricted after work.

Software department, working hours: HTTP access to the Sina (China) website unrestricted.

Music site www.552211.com: content containing "no sound" is restricted.

QQ chat not allowed.

Unrestricted after work.

Manager's office, working hours: HTTP, QQ, SMTP, POP3.

Unrestricted after work.

Configuration
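The configuration itself is absent from the original page. What follows is an added example, not the author's script: one way to express the case-study requirements above with the matches shown in the rule examples (layer7, string, state, iprange, time). The FTP server address is assumed, and the rules print as a dry run unless IPT=iptables is set and the script is run as root on the patched kernel.

```shell
#!/bin/sh
# Added example, not from the original page: the case-study policy written with
# the matches shown above. Dry run by default (prints the commands); set
# IPT=iptables and run as root on the patched kernel to apply them.
IPT="${IPT:-echo iptables}"
ENG="192.168.145.10-192.168.145.20"
SOFT="192.168.145.21-192.168.145.30"
MGR="192.168.145.31-192.168.145.40"
FTP_SERVER="192.168.145.2"   # assumed address; the page does not give one
WORK="-m time --timestart 8:00 --timestop 17:00 --weekdays Mon,Tue,Wed,Thu,Fri"

# from <src-range>: the prefix shared by every work-hours rule of one department
from() { echo "-m iprange --src-range $1 $WORK"; }

apply_policy() {
  $IPT -F FORWARD
  $IPT -P FORWARD ACCEPT   # "unrestricted after work": nothing below matches then
  # Engineering: FTP server reachable (the data channel arrives as RELATED, so
  # nf_conntrack_ftp must be loaded); QQ and HTTP blocked during work hours
  $IPT -A FORWARD $(from $ENG) -p tcp -d $FTP_SERVER --dport 21 -j ACCEPT
  $IPT -A FORWARD $(from $ENG) -m layer7 --l7proto qq -j DROP
  $IPT -A FORWARD $(from $ENG) -p tcp --dport 80 -j DROP
  # Software: HTTP stays open, QQ is blocked; replies from web servers carrying
  # the restricted text are dropped (a per-packet match: text split across
  # packets or compressed by the server is not seen)
  $IPT -A FORWARD $(from $SOFT) -m layer7 --l7proto qq -j DROP
  $IPT -A FORWARD -m iprange --dst-range $SOFT $WORK -p tcp --sport 80 \
       -m string --string "no sound" --algo bm -j DROP
  # Manager's office: only HTTP, SMTP, POP3 and QQ. layer7 needs a few packets
  # before it can classify, so a flow is let through while still unclassified
  # (l7-filter's "unset" pseudo-protocol) and dropped once it is classified as
  # anything but qq; that leak is the inherent limit of whitelisting with layer7
  $IPT -A FORWARD $(from $MGR) -p tcp -m multiport --dports 25,80,110 -j ACCEPT
  $IPT -A FORWARD $(from $MGR) -m layer7 --l7proto qq -j ACCEPT
  $IPT -A FORWARD $(from $MGR) -m layer7 --l7proto unset -j ACCEPT
  $IPT -A FORWARD $(from $MGR) -j DROP
  # Generic state rules go last: an earlier ESTABLISHED accept would short-
  # circuit the layer7 rules, which must see every packet of a flow to classify
  $IPT -A FORWARD -m state --state NEW -p tcp ! --syn -j DROP
  $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}
apply_policy
```

Rule order matters more than usual here: putting the ESTABLISHED,RELATED accept first, as in the state example above, would hide later packets from the layer7 and string matches and silently disable them.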
