Linux firewall (part 2): installing and using the iptables extension module l7-filter

Source: Internet
Author: User


If you are the network administrator at a company, the boss may one day ask you to block QQ and Xunlei. Can iptables do that?

First, understand that QQ and Xunlei are specific application protocols: when they transmit data, the data inevitably carries characteristic byte sequences (signatures). For iptables to intercept such traffic it has to know those signatures, and that is exactly what l7-filter provides. (It is by no means limited to QQ and Xunlei; it ships signatures for a large number of protocols.)

iptables supports many match modules, and l7-filter is a patch for iptables that adds one more, the layer7 match. The pattern matching itself runs inside the kernel, so the matching kernel module has to be added as well, which means patching and recompiling the kernel.
We walk through that process below. It is somewhat involved, but it gives iptables considerable application-layer filtering capability in an enterprise network.

l7-filter official websites: l7-filter.sourceforge.net and l7-filter.clearfoundation.com
# sourceforge.net is the world's largest open-source project hosting site, with hundreds of thousands of projects.

To build and configure l7-filter we need:
Linux 2.6 kernel source (the layer7 2.22 kernel patch targets 2.6.25 through 2.6.28; newer kernels are not well supported)
l7-protocols (the signature files)
iptables-1.4.6
netfilter-layer7-v2.22

Implementation process:
0) First save the current iptables rules:

iptables-save > /etc/sysconfig/iptables.bak

They can be restored later with:

iptables-restore < /etc/sysconfig/iptables.bak

1) Download the netfilter-layer7 package, iptables 1.4.6 and the kernel source (iptables 1.4.6 together with kernel 2.6.28.10 is the recommended combination) and unpack all three under /usr/src:

tar xf linux-2.6.28.10.tar.bz2 -C /usr/src
tar xf netfilter-layer7-v2.22.tar.gz -C /usr/src
tar xf iptables-1.4.6.tar.bz2 -C /usr/src
cd /usr/src

2) Patch the kernel

ln -sv linux-2.6.28.10 linux
cd linux
patch -p1 < ../netfilter-layer7-v2.22/kernel-2.6.25-2.6.28-layer7-2.22.patch
cp /boot/config-2.6.18-164.el5 ./.config    # start from the running host's kernel configuration (a CentOS 5 kernel here)
make menuconfig

Starting from the existing .config means that, apart from answering the prompts for options that are new since 2.6.18, the only thing to add is the layer7 match. In menuconfig it is under Networking support -> Networking options -> Network packet filtering framework (Netfilter) -> Core Netfilter Configuration: enable "layer7" match support (CONFIG_NETFILTER_XT_MATCH_LAYER7), as a module or built in. It depends on connection tracking, so leave NF_CONNTRACK enabled. Then build and install the kernel:

make && make modules_install && make install

3) After compilation and installation are complete (reboot into the new kernel), remove the distribution's iptables and build the new version against the patched kernel source:

# Keep the init script and its configuration file; they are put back in step 5
cp /etc/init.d/iptables ~
cp /etc/sysconfig/iptables-config ~
# Remove the packaged iptables (iptstate depends on it, hence --nodeps)
rpm -e iptables-ipv6 iptables iptstate --nodeps
cd /usr/src/iptables-1.4.6
ls extensions    # the userspace half of every match and target lives here
# Add the layer7 userspace extension that ships in the netfilter-layer7 tarball
# (the subdirectory name varies by release, so a glob is used here)
cp ../netfilter-layer7-v2.22/iptables-*/libxt_layer7.* extensions/
# Point configure at the kernel source you just built
./configure --prefix=/usr --with-ksource=/usr/src/linux
make && make install

4) Install l7-protocols-2009-05-28.tar.gz (a newer release can be used if available). Its make install copies the signature files to /etc/l7-protocols, which is where the layer7 match looks for them:

tar xf l7-protocols-2009-05-28.tar.gz -C /usr/src
cd /usr/src/l7-protocols-2009-05-28
make install

ls /etc/l7-protocols/protocols    # one .pat file per protocol, each holding that protocol's signature

Let's look at the QQ signature:

cat /etc/l7-protocols/protocols/qq.pat
# Tencent QQ Protocol - Chinese instant messenger protocol - http://www.qq.com
# Pattern attributes: good notsofast fast
# Protocol groups: chat
# Wiki: http://www.protocolinfo.org/wiki/QQ
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# Over six million people use QQ in China, according to wsgtrsys.
#
# This pattern has been tested and is believed to work well.
#
# QQ uses three (two?) methods to connect to server(s?).
# One is UDP, and another is TCP
# UDP protocol: the first byte is 02 and last byte is 03
# TCP protocol: the second byte is 02 and last byte is 03
# Tony on protocolinfo.org says that now the *third* byte is 02:
# "But when I tested on my PC, I found that when qq2007/qq2008
# use TCP protocol, the third byte instead of the second is always 02.
# So the QQ protocol changed again, or I have made a mistake, I wonder
# that."
# So now the pattern allows any of the first three bytes to be 02. Delete
# one of ".?" to restore to the old behaviour.
#
# Pattern written by www.routerclub.com wsgtrsys

qq
^.?.?\x02.+\x03$

The file format is simple: comment lines start with #, the first non-comment line is the protocol name used with --l7-proto, and the next line is the regular expression. In this signature the two optional leading bytes (.?.?) allow for the length field that QQ's TCP framing puts in front of the 0x02 marker, and \x03$ requires the data examined so far to end in 0x03. The comments also show the weakness of signature matching: when the protocol changed, the pattern had to be loosened, so signatures need to be kept current.


5) Put the init script and configuration file backed up in step 3 back in place for the newly built iptables:

cp ~/iptables /etc/init.d/
cp ~/iptables-config /etc/sysconfig/

The init script still expects the binary under /sbin, but the self-built iptables was installed under /usr/sbin. Edit the script and change the iptables command path it defines (near the top) to /usr/sbin/$IPTABLES:

vim /etc/init.d/iptables

Now try it out by blocking QQ (assume your hosts are on the 192.168.10.0/24 segment and this machine forwards their traffic):

iptables -t filter -A FORWARD -s 192.168.10.0/24 -m layer7 --l7-proto qq -j REJECT

QQ clients on that segment should no longer be able to log in. Two points to keep in mind: the layer7 match relies on connection tracking and can only classify a connection after it has seen enough of its application data, so the first packet or two of each connection are forwarded before the rule starts hitting; and because it matches byte patterns in cleartext payload, a protocol change or encryption defeats it, so this is a control on well-behaved clients rather than a hard guarantee.
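To see what the layer7 match actually does with the qq.pat signature shown above, here is an added Python example; it is not code from the page or from the l7-filter project. It reads a .pat file in the classic layout, then approximates the kernel module's classification: the payloads of a connection's first packets are concatenated, NUL bytes are dropped and ASCII letters are lowercased before matching, and the regex is retried after each packet until it matches or the module's default limits (10 packets, 2048 bytes) are reached. Python's re engine stands in for the kernel's own regex engine (they are not identical), the HTTP pattern is a simplified stand-in written for this example rather than the real http.pat, and every payload is constructed, not captured.

```python
import re

# Defaults of the l7-filter kernel module's parameters (maxdatalen and
# num_packets): only the first 2048 bytes of application-layer payload, taken
# from at most the first 10 packets of a connection (both directions counted),
# are ever examined; after that the connection stays unclassified.
MAXDATALEN = 2048
NUM_PACKETS = 10


def parse_pat(text):
    """Parse the classic l7-protocols .pat layout: lines starting with '#'
    are comments, the first remaining line is the protocol name and the
    next one is the regular expression."""
    lines = [ln.strip() for ln in text.splitlines()]
    lines = [ln for ln in lines if ln and not ln.startswith("#")]
    if len(lines) < 2:
        raise ValueError(".pat file needs a name line followed by a regex line")
    return lines[0], lines[1]


def l7_buffer(packets):
    """Approximate the per-connection buffer the kernel module accumulates:
    payloads concatenated in arrival order, NUL bytes dropped, ASCII letters
    folded to lowercase, cut off at MAXDATALEN bytes."""
    buf = bytearray()
    for payload in packets[:NUM_PACKETS]:
        for b in payload:
            if b == 0:
                continue  # NUL bytes never reach the regex engine
            buf.append(b + 0x20 if 0x41 <= b <= 0x5A else b)
            if len(buf) >= MAXDATALEN:
                return bytes(buf)
    return bytes(buf)


def classify(packets, patterns):
    """Retry every pattern after each packet, as the module does, and return
    (protocol, packets_seen) for the first match, or (None, packets_seen)
    when the packet or byte limit is reached without a match (iptables would
    then report the connection as 'unknown')."""
    limit = min(len(packets), NUM_PACKETS)
    n = 0
    for n in range(1, limit + 1):
        buf = l7_buffer(packets[:n])
        for name, regex in patterns:
            # DOTALL so '.' also matches newline bytes in binary payloads;
            # IGNORECASE stands in for the module's lowercasing of the data.
            if re.search(regex.encode("latin-1"), buf, re.DOTALL | re.IGNORECASE):
                return name, n
        if len(buf) >= MAXDATALEN:
            break
    return None, n


# Constructed .pat contents (not the installed files).
QQ_PAT = r"""# Tencent QQ protocol - excerpt of the signature shown on this page
qq
^.?.?\x02.+\x03$
"""

# Deliberately simplified HTTP request signature written for this example;
# the real l7-protocols http.pat is considerably more elaborate.
HTTP_PAT = r"""http
^(get|post|head) [^ ]+ http/1\.[01]
"""

PATTERNS = [parse_pat(QQ_PAT), parse_pat(HTTP_PAT)]

# Constructed payloads following the framing described in qq.pat's comments
# (UDP: 0x02 ... 0x03; TCP: 2-byte length, 0x02 ... 0x03); filler bytes are
# meaningless.  Each list is one connection, one bytes object per packet.
QQ_UDP = [b"\x02\x00\x18\x00\x01\x00\x00\x00\x2d\x0a\xbb\x03"]
QQ_TCP_SPLIT = [b"\x00\x0c\x02\x00\x18\x00\x01",   # first segment: no 0x03 yet
                b"\x00\x00\x00\x2d\x0a\xbb\x03"]   # trailer arrives in segment 2
HTTP_REQ = [b"GET /index.html HTTP/1.1\r\nHost: www.qq.com\r\n\r\n"]
NOISE = [bytes([0x41 + (i % 26)]) * 300 for i in range(12)]  # letters only, 3600 bytes

if __name__ == "__main__":
    for label, flow in [("qq udp", QQ_UDP), ("qq tcp split", QQ_TCP_SPLIT),
                        ("http", HTTP_REQ), ("noise", NOISE)]:
        print(label, "->", classify(flow, PATTERNS))
```

The "qq tcp split" case is the one that matters for the REJECT rule above: the connection is only classified once the segment carrying the trailing 0x03 has arrived, so the first segment has already been forwarded by then. The "noise" case shows the other limit: after 2048 bytes without a match the module gives up and the connection stays unclassified no matter what follows.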

Supplement:
bash caches the full path of every command it has already run in a hash table, so that the next call to the same command is resolved faster. That has a drawback here: the iptables binary has moved from /sbin to /usr/sbin, so the cached path is now wrong and the running shell keeps failing on the stale entry. Clear the cache with:

hash -r
