Previous: http://www.bkjia.com/Article/201207/143938.html
For iptables to filter at the application layer, both the kernel and the user-space rule definition tool (iptables) must first be patched with layer7, which enables matching on the characteristic patterns of different application-layer protocols' packets.
So we need to patch the kernel source, recompile the kernel and load the layer7 module.
Second, uninstall the existing iptables rule definition tool, download the iptables source code, and recompile and install it with the layer7 patch.
This gives layer7 support in both kernel space and user space. To match the rules of different application-layer protocols, you also need to download and install the protocol pattern (rule definition) package.
To sum up, adding the layer7 application-layer matching module to iptables requires the following:
1. layer7 patch
2. Protocol matching package
3. Source Code of iptables
4. linux kernel source code
Next, the actual implementation process.
First, check my current kernel version (CentOS 6.2 system).
Go to the official website and download the kernel source code closest to my version:
http://www.kernel.org/
I downloaded the linux-2.6.32.59 package; download the source package that matches your own situation.
iptables source code:
ftp://ftp.netfilter.org/pub/iptables/
layer7 patch and matching rules (protocol definitions); pay attention to which patch version matches your kernel and iptables:
http://sourceforge.net/
I have bundled these packages into one archive for you to download (the kernel source is relatively large, so download it as needed).
First, add the layer7 patch to the Linux kernel (there are two layer7 patches: one for the kernel and one for the user-space iptables program) and recompile the kernel.
Step 1: Patch the kernel and recompile it.
Unpack the kernel source code
[root@localhost ~]# tar -xf linux-2.6.32.59.tar.bz2 -C /usr/src/
Change into that directory
[root@localhost ~]# cd !$
Create a symbolic link
[root@localhost src]# ln -sv linux-2.6.32.59/ linux
"linux" -> "linux-2.6.32.59/"
Unpack the patch package
[root@localhost src]# tar -xf netfilter-layer7-v2.22.tar.gz -C /usr/src/
Patch the kernel source code
[root@localhost src]# cd /usr/src/linux
[root@localhost linux]# patch -p1 < /usr/src/netfilter-layer7-v2.22/kernel-2.6.25-2.6.28-layer7-2.22.patch
Configure the kernel build (I used the .config of the originally installed system as the starting point for my changes)
[root@localhost linux]# cp /boot/config-2.6.32-220.el6.i686 .config
[root@localhost linux]# make menuconfig   # make sure the development environment is installed first
Enable network-related support:
  Networking options
    Network packet filtering framework
      Core Configuration
Select the option that enables layer7 module support.
Save the configuration, then compile the kernel.
[root@localhost linux]# make   # this takes a while; go and have a cup of tea...
Install the modules
[root@localhost linux]# make modules_install
Install the new kernel
[root@localhost linux]# make install
Reboot and select the new kernel.
Step 2: Patch iptables and recompile iptables.
First uninstall the original iptables
[root@localhost ~]# rpm -e iptables iptables-ipv6 --nodeps   # other packages may depend on iptables; --nodeps removes it without touching them
Unpack the iptables source package
[root@localhost ~]# tar -xf iptables-1.4.9.tar.bz2 -C /usr/src/
Add the layer7 module patch to the source tree: copy the files from the iptables directory of netfilter-layer7 into the extensions directory of the iptables source folder
[root@localhost ~]# cp /usr/src/netfilter-layer7-v2.22/iptables-1.4.3forward-for-kernel-2.6.20forward/* /usr/src/iptables-1.4.9/extensions/
Configure the build
[root@localhost iptables-1.4.9]# ./configure --prefix=/usr --with-ksource=/usr/src/linux
Compile and install
[root@localhost iptables-1.4.9]# make && make install
Step 3: Install the layer7 rule definition (protocol pattern) package.
[root@localhost ~]# tar xf l7-protocols-2009-05-28.tar.gz
[root@localhost l7-protocols-2009-05-28]# make install
This creates an l7-protocols folder under /etc containing the layer7 configuration file and the protocol definition files; when a layer7 rule is defined with iptables, the definitions here are consulted.
The packet pattern definition files live in /etc/l7-protocols/protocols; if you are able to, you can write your own patterns there and then reference them directly from iptables.
OK, that's everything. To recap: we recompiled the kernel, recompiled and installed iptables, and finally installed the layer7 protocol definitions.
With the layer7 support module installed, you can write rules based on the existing protocol definitions.
If the host is a gateway, applications such as QQ and Xunlei (Thunder) can be blocked from reaching the Internet:
[root@localhost ~]# iptables -A FORWARD -m layer7 --l7proto xunlei -j DROP
[root@localhost ~]# iptables -A FORWARD -m layer7 --l7proto qq -j DROP
(Well, I admit it is immoral to block QQ... however, the speed-control module can limit other people's download speed, which is quite useful.)
This article is from the "lustlost-lost in desire" blog