iptables + L7 + squid: implementing firewall functions
Adding the Layer7 patch to iptables (Linux 2.6.25 kernel)
################################################################
System environment: RHEL5 [2.6.18-8.el5xen]
Software environment:
http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.25.19.tar.bz2
http://www.netfilter.org/projects/iptables/files/iptables-1.4.2.tar.bz2
http://ie.archive.ubuntu.com/sourceforge/l/l7/l7-filter/netfilter-layer7-v2.20.tar.gz
http://ie.archive.ubuntu.com/sourceforge/l/l7/l7-protocols-2008-10-04.tar.gz
Goal:
Add the Layer7 patch to the kernel and to iptables so that iptables can filter on application-layer protocols.
################################################################
I. Recompile the kernel
1. Apply the layer7 patch to the kernel source
shell> tar jxvf linux-2.6.25.19.tar.bz2 -C /usr/src/
shell> tar zxvf netfilter-layer7-v2.20.tar.gz -C /usr/src/
shell> cd /usr/src/linux-2.6.25.19/
shell> patch -p1 < /usr/src/netfilter-layer7-v2.20/kernel-2.6.25-layer7-2.20.patch
2. Configure the new kernel
shell> cp /boot/config-2.6.18-8.el5 .config    # shortcut: start from the old kernel's configuration instead of from scratch
shell> make menuconfig
When configuring the kernel, the two places that matter are both under Networking ---> Networking options ---> Network packet filtering framework (Netfilter):
1) ---> Core Netfilter Configuration
Set "Netfilter connection tracking support" (NEW) to M (module); the layer7 match option is only shown once connection tracking is enabled, because layer7 classifies whole connections, not single packets.
Build the layer7, string, state, time, IPsec, iprange, connlimit, ... matches as modules, picking whichever ones you need.
2) ---> IP: Netfilter Configuration
Build "IPv4 connection tracking support (required for NAT)" as a module.
Under "Full NAT", build "MASQUERADE target support" and "REDIRECT target support" as modules.
3. Compile and install the modules and the new kernel
shell> make && make modules_install && make install
After the build has been installed, reboot and select the new kernel (2.6.25.19) from the boot menu.
II. Recompile iptables
1. Remove the existing iptables packages
shell> rpm -e iptables iptstate --nodeps
2. Add the layer7 extension to the iptables source
shell> tar jxvf iptables-1.4.2.tar.bz2 -C /usr/src/
shell> cd /usr/src/netfilter-layer7-v2.20/iptables-1.4.1.1-for-kernel-2.6.20forward/
shell> cp libxt_layer7.c libxt_layer7.man /usr/src/iptables-1.4.2/extensions/
3. Compile and install
shell> cd /usr/src/iptables-1.4.2/
shell> ./configure --prefix=/ --with-ksource=/usr/src/linux-2.6.25.19
shell> make && make install
4. Install the l7-protocols pattern pack
shell> tar zxvf l7-protocols-2008-10-04.tar.gz -C /etc/
shell> mv /etc/l7-protocols-2008-10-04 /etc/l7-protocols
The layer7 match reads its pattern files (one NAME.pat per protocol) from /etc/l7-protocols by default, which is why the pack is moved there; the name you pass to --l7proto is the pattern file name without the .pat suffix.
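Before writing rules, it is worth checking that the protocol names you intend to use actually have a pattern file installed, and seeing which regular expression each one matches. The following helper script is an added example, not part of the original page; it assumes the patterns live under /etc/l7-protocols as installed above (override with L7_DIR) and that the module, when loaded, exposes /proc/net/layer7_numpackets, which the l7-filter kernel module of this version uses for its packet-count setting.

```shell
#!/bin/sh
# Added example (not from the original page): sanity checks for layer7 rules.
# Assumption: patterns are installed under /etc/l7-protocols (see step II.4).
L7_DIR="${L7_DIR:-/etc/l7-protocols}"

# l7_module_loaded: true if the layer7 kernel module is loaded. The module
# creates /proc/net/layer7_numpackets (the number of packets it inspects per
# connection), so that file is a cheap presence check.
l7_module_loaded() {
    [ -e /proc/net/layer7_numpackets ]
}

# l7_pattern_file NAME: print the path of NAME.pat, looking in protocols/
# first and then in every other subdirectory of the pack. Returns 1 if the
# protocol is not installed, i.e. "--l7proto NAME" would be rejected.
l7_pattern_file() {
    for f in "$L7_DIR/protocols/$1.pat" "$L7_DIR"/*/"$1.pat"; do
        if [ -f "$f" ]; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    return 1
}

# l7_regex NAME: print the regular expression of NAME.pat. In the .pat format
# lines starting with '#' are comments, the first remaining line is the
# protocol name and the second is the regex that l7-filter applies.
l7_regex() {
    f=$(l7_pattern_file "$1") || return 1
    grep -v '^[[:space:]]*#' "$f" | grep -v '^[[:space:]]*$' | sed -n '2p'
}

# l7_check NAME...: report each protocol as ok or MISSING; exit status is 1
# if any name has no pattern file, so it can gate a rule-loading script.
l7_check() {
    rc=0
    for p in "$@"; do
        if f=$(l7_pattern_file "$p"); then
            printf '%-18s ok       %s\n' "$p" "$f"
        else
            printf '%-18s MISSING  no %s.pat under %s\n' "$p" "$p" "$L7_DIR"
            rc=1
        fi
    done
    return $rc
}

# Usage when run directly: check the protocols used in the rules below.
if [ "${0##*/}" != "sh" ] && [ "${0##*/}" != "bash" ]; then
    l7_module_loaded || echo "layer7 module not loaded (no /proc/net/layer7_numpackets)"
    l7_check qq msnmessenger msn-filetransfer xunlei edonkey bittorrent
fi
```

Run it as `sh l7check.sh` after step II.4; a MISSING line means the rule using that name will fail with "couldn't load pattern file" rather than silently matching nothing, and `l7_regex qq` shows you exactly what bytes the qq rule keys on.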
III. Layer7 rule examples
1. layer7 match (the value of --l7proto is the pattern file name under /etc/l7-protocols)
shell> iptables -A FORWARD -m layer7 --l7proto qq -j DROP
shell> iptables -A FORWARD -m layer7 --l7proto msnmessenger -j DROP
shell> iptables -A FORWARD -m layer7 --l7proto msn-filetransfer -j DROP
shell> iptables -A FORWARD -m layer7 --l7proto xunlei -j DROP
shell> iptables -A FORWARD -m layer7 --l7proto edonkey -j DROP
shell> iptables -A FORWARD -m layer7 --l7proto bittorrent -j DROP
2. string match (--algo bm selects the Boyer-Moore search, kmp is the alternative)
shell> iptables -A FORWARD -p udp --dport 53 -m string --string "tencent" --algo bm -j DROP
shell> iptables -A FORWARD -p udp --dport 53 -m string --string "verycd" --algo bm -j DROP
shell> iptables -A FORWARD -p tcp --dport 80 -m string --string "sex" --algo bm -j DROP
The string match is case-sensitive and searches the raw packet bytes, so it matches whatever the client actually sends. In a DNS query the name is carried as length-prefixed labels, not as dotted text, which is why the two DNS rules look for a single label ("tencent") rather than "tencent.com".
3. state match
shell> iptables -A FORWARD -m state --state NEW -p tcp ! --syn -j DROP
shell> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
The first rule drops TCP packets that open a new connection-tracking entry without being a SYN. Put the layer7 and string rules above before the ESTABLISHED,RELATED ACCEPT: layer7 identifies a protocol from the first several packets of a connection, and packets accepted by an earlier rule never reach it, so a layer7 rule placed after this ACCEPT only ever sees the first packet and classifies nothing.
4. connlimit match
shell> iptables -A FORWARD -p tcp --syn -m connlimit --connlimit-above <n> --connlimit-mask <prefix> -j DROP
This drops new connections (SYN) from a source that already has more than n connections open, where sources are grouped by the /prefix mask (32 counts each host separately, 24 counts the whole class C). The values are not given here; fill in n and the prefix length for your network.
5. time match
shell> iptables -A FORWARD -p tcp --dport 80 -m time --timestart 08:00 --timestop 17:00 --weekdays Mon,Tue,Wed,Thu,Fri -j ACCEPT
On its own this rule only permits HTTP during working hours; to forbid it outside them a DROP for port 80 has to follow. Before relying on the times, confirm whether the xt_time module on your kernel compares against UTC or local time, for example by adding the same rule with -j LOG and watching when it starts to fire.
IV. Case study
Three departments:
Engineering Department    192.168.145.10-192.168.145.20
Software Department       192.168.145.21-192.168.145.30
Manager's Office          192.168.145.31-192.168.145.40
Engineering Department, working hours: access to the FTP server is allowed; QQ chat is not allowed; HTTP web access is not allowed.
    After working hours: unrestricted.
Software Department, working hours: HTTP access to the Sina website is unrestricted; on the music site www.552211.com, content containing "no sound" is blocked; QQ chat is not allowed.
    After working hours: unrestricted.
Manager's Office, working hours: HTTP, QQ, SMTP and POP3 are allowed.
    After working hours: unrestricted.
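The rule types from section III combine into one FORWARD chain for these requirements. The script below is an added worked example, not the page's own configuration, and it makes assumptions the page does not state: working hours are 08:00-17:00 Monday to Friday (the times from the time-match example), the firewall forwards for the 192.168.145.0/24 LAN with conntrack's FTP helper (nf_conntrack_ftp) loaded so that FTP data connections count as RELATED, the music site is recognised by the string www.552211.com in the HTTP request, and the blocked content is the literal string "no sound" as written above. The rules are printed for review unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example for the three-department case (not the page's configuration).
# Assumptions (not stated on the page): working hours 08:00-17:00 Mon-Fri,
# LAN 192.168.145.0/24 behind this firewall, nf_conntrack_ftp loaded,
# www.552211.com matched in the HTTP request, "no sound" matched literally.

WORK='-m time --timestart 08:00 --timestop 17:00 --weekdays Mon,Tue,Wed,Thu,Fri'
ENG='-m iprange --src-range 192.168.145.10-192.168.145.20'
SOFT='-m iprange --src-range 192.168.145.21-192.168.145.30'
MGR='-m iprange --src-range 192.168.145.31-192.168.145.40'
LAN='-m iprange --src-range 192.168.145.10-192.168.145.40'

# ipt: print the rule (quoting arguments that contain spaces so the output
# can be pasted back), or execute it with the real iptables when APPLY=1.
ipt() {
    if [ "${APPLY:-0}" = 1 ]; then
        iptables "$@"
        return
    fi
    line=iptables
    for a in "$@"; do
        case $a in
            *' '*) line="$line '$a'" ;;
            *)     line="$line $a" ;;
        esac
    done
    printf '%s\n' "$line"
}

gen_rules() {
    ipt -P FORWARD DROP
    ipt -F FORWARD
    # A TCP packet that starts a new conntrack entry must be a SYN.
    ipt -A FORWARD -m state --state NEW -p tcp ! --syn -j DROP

    # Per-department rules come BEFORE the ESTABLISHED,RELATED shortcut:
    # layer7 classifies a connection from its first few packets, and a packet
    # accepted higher up in the chain is never shown to the layer7 match.

    # Engineering, working hours: no QQ, no HTTP. FTP (control on port 21,
    # data via the conntrack helper) and everything else falls through.
    ipt -A FORWARD $ENG $WORK -m layer7 --l7proto qq -j DROP
    ipt -A FORWARD $ENG $WORK -p tcp --dport 80 -j DROP

    # Software, working hours: no QQ. HTTP stays open (so the Sina site is
    # unrestricted); only requests to www.552211.com that also carry the
    # string "no sound" are dropped.
    ipt -A FORWARD $SOFT $WORK -m layer7 --l7proto qq -j DROP
    ipt -A FORWARD $SOFT $WORK -p tcp --dport 80 \
        -m string --string 'www.552211.com' --algo bm \
        -m string --string 'no sound' --algo bm -j DROP

    # Managers, working hours: HTTP, SMTP and POP3 by port, then drop the rest.
    # QQ cannot be opened here with "-m layer7 --l7proto qq -j ACCEPT": the
    # match only recognises QQ after several packets, and those first packets
    # would already have hit the DROP below. Allow QQ by its ports instead
    # (the page lists none, so no port rule is shown).
    ipt -A FORWARD $MGR $WORK -p tcp -m multiport --dports 80,25,110 -j ACCEPT
    ipt -A FORWARD $MGR $WORK -j DROP

    # Stateful shortcut for the remaining traffic, then new connections from
    # the LAN (outside working hours this is what makes access unrestricted).
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD $LAN -m state --state NEW -j ACCEPT
}

gen_rules
```

Review the printed rule set first, then load it with `APPLY=1 sh case.sh`. The one thing to keep in mind when editing it is the ordering comment: any layer7 or string rule that lands below the ESTABLISHED,RELATED ACCEPT will look correct in `iptables -L` and never match.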
Configuration