Linux firewall iptables (iii)

Source: Internet
Author: User
Tags: iptables

Our previous two articles covered iptables itself; today we put iptables to work on layer 7. We said that iptables/netfilter runs in kernel space and does not understand application-layer protocols. Applications such as QQ, MSN and Thunder cannot be shut out completely at the transport or network layer: as soon as they find their usual ports blocked they switch to whatever ports are still open and carry their data over those, so the only place they can be closed off is layer 7. The l7-filter project was written for exactly this situation: two patches, one for the kernel and one for iptables, which, once applied and rebuilt, let iptables match a connection on its application-layer protocol signature.
Because the author of the layer7 patch has not updated it since 2009, it depends on old kernel and iptables versions, so we have to patch and compile the kernel ourselves and then compile a patched iptables to use it.
We need to use the following packages:

Install the build environment:

Create the user required for the build and unpack the kernel source:

Apply the layer7 patch to the kernel:

Configure and compile the kernel:

To save time, we use the config file shipped with the system as a template and modify it from there:

Select Networking support:

Select Networking options:

Select the Netfilter framework:

Select the core Netfilter configuration:

Add the Layer7 match module:

Turn off the Red Hat kernel module signature check:

Save and exit:

Red Hat added a module-signing mechanism to stop other people modifying its kernel modules and redistributing them. Our modules do not carry Red Hat's signature, so this check has to be switched off for the build to succeed.

Build inside screen so the long compile survives a dropped SSH session:

# yum install screen -y
# screen
# make -j 4
# make modules_install
# make install
Check that the new kernel was installed:

Boot into the new kernel:

Prepare to compile iptables:

Compile and install iptables:

Install the layer7 protocol pattern files and configuration:

Apply the layer7 patch to iptables:

Enable connection tracking:
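The kernel-side steps above, gathered into one script as an added example (this is not code from the original article or from the l7-filter project). It turns the menuconfig selections into a checkable edit of a copy of the distribution .config (netfilter core, connection tracking, xtables and the layer7 match as a module, Red Hat module signing off), verifies the result after make oldconfig, and only then starts the build inside screen. The source tree path in KSRC, the patch file name in L7_KPATCH and the option name CONFIG_MODULE_SIG for Red Hat's signature check are assumptions; check the last one against the option you saw in menuconfig.

```shell
#!/bin/sh
# Added example, not code from the article or from l7-filter.  Turns the
# menuconfig clicks into a checkable edit of .config, then runs the build.
# Assumptions: kernel source in KSRC, the l7-filter kernel patch in L7_KPATCH,
# and CONFIG_MODULE_SIG as the name of Red Hat's module-signature option.
set -eu

KSRC=${KSRC:-/usr/src/linux}
L7_KPATCH=${L7_KPATCH:-/usr/src/kernel-layer7.patch}

# set_opt FILE NAME VALUE: write CONFIG_NAME=VALUE, replacing an existing
# "CONFIG_NAME=..." or "# CONFIG_NAME is not set" line, appending otherwise.
set_opt() {
    file=$1 name="CONFIG_$2" value=$3
    awk -v n="$name" -v v="$value" '
        $0 == ("# " n " is not set") || index($0, n "=") == 1 { print n "=" v; seen = 1; next }
        { print }
        END { if (!seen) print n "=" v }' "$file" > "$file.tmp"
    mv "$file.tmp" "$file"
}

# unset_opt FILE NAME: turn CONFIG_NAME=... into "# CONFIG_NAME is not set".
unset_opt() {
    file=$1 name="CONFIG_$2"
    awk -v n="$name" '
        index($0, n "=") == 1 { print "# " n " is not set"; next }
        { print }' "$file" > "$file.tmp"
    mv "$file.tmp" "$file"
}

# layer7_config FILE: the options selected by hand in the article.
layer7_config() {
    set_opt "$1" NETFILTER y                    # Networking options -> packet filtering
    set_opt "$1" NETFILTER_ADVANCED y           # newer trees hide the matches without it
    set_opt "$1" NF_CONNTRACK m                 # core Netfilter: connection tracking
    set_opt "$1" NETFILTER_XTABLES m            # core Netfilter: xtables support
    set_opt "$1" NETFILTER_XT_MATCH_LAYER7 m    # the match the kernel patch adds
    unset_opt "$1" NETFILTER_XT_MATCH_LAYER7_DEBUG
    unset_opt "$1" MODULE_SIG                   # assumption: Red Hat signature option
}

# check_layer7_config FILE: 0 if every required option is set and module
# signing is off.  Run after "make oldconfig", which silently drops the
# layer7 option when the kernel patch was not actually applied.
check_layer7_config() {
    for o in NETFILTER=y NF_CONNTRACK=m NETFILTER_XTABLES=m NETFILTER_XT_MATCH_LAYER7=m; do
        grep -qx "CONFIG_$o" "$1" || return 1
    done
    if grep -qx 'CONFIG_MODULE_SIG=y' "$1"; then return 1; fi
    return 0
}

# Run as "sh build-layer7.sh build" on the build host; nothing below runs otherwise.
if [ "${1:-}" = build ]; then
    cd "$KSRC"
    patch -p1 < "$L7_KPATCH"
    cp "/boot/config-$(uname -r)" .config          # distribution config as template
    layer7_config .config
    yes '' | make oldconfig                         # accept defaults for anything new
    check_layer7_config .config
    # build in screen so a dropped SSH session does not kill the compile
    screen -dm sh -c 'make -j 4 && make modules_install && make install'
fi
```

The check after make oldconfig is the useful part: if the patch did not apply, there is no Kconfig entry for the layer7 match, oldconfig drops the option without complaint, and you would only find out after the full build when the module is missing.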

Build the experimental topology:
NAT server: one interface on 192.168.1.0/24, one on 192.168.23.0/24
Client: on 192.168.23.0/24, with the NAT server as its gateway

Create the NAT entry:

The client now reaches the Internet through the NAT server:

QQ can also log in:

Add the layer7 rule that denies QQ:

The login fails:

The layer7 rule's counters show it matching:

Web browsing still works:

The NAT rules' counters show them matching:

Why the QQ connection is rejected:
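The experiment above as one script, added here as an example and not the article's own rule set: the NAT entry for the client network, the layer7 rule that drops QQ, and the counter listing used to see which rules matched. It assumes eth0 faces 192.168.1.0/24, eth1 faces 192.168.23.0/24, that the patched iptables and the protocol pattern files are installed, and that the conntrack module is named nf_conntrack (ip_conntrack on older kernels). Setting IPT=echo prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not the article's own rule set: NAT for the client network
# plus a layer7 match that drops QQ while everything else keeps working.
# Assumptions: eth0 faces 192.168.1.0/24, eth1 faces 192.168.23.0/24, the
# pattern files (qq.pat and friends) are installed for the patched iptables.
set -eu

LAN_NET=${LAN_NET:-192.168.23.0/24}
WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}
IPT=${IPT:-iptables}      # IPT=echo prints the rules instead of applying them

# prepare: layer7 classifies a connection from its first packets, so it needs
# connection tracking loaded; the NAT server must also forward packets.
prepare() {
    modprobe nf_conntrack 2>/dev/null || modprobe ip_conntrack   # assumption: module name by kernel age
    sysctl -w net.ipv4.ip_forward=1
}

# nat_rules: the NAT entry from the experiment.  MASQUERADE takes the outbound
# address from WAN_IF; replies come back through conntrack.
nat_rules() {
    $IPT -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
    $IPT -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# block_l7 PROTO...: drop forwarded connections classified as PROTO.  Inserted
# at the top of FORWARD on purpose: the first packets of a connection pass
# (nothing is classified yet), and once layer7 has recognised QQ the later
# packets must hit this rule before the ESTABLISHED,RELATED accept above.
block_l7() {
    for proto in "$@"; do
        $IPT -I FORWARD 1 -m layer7 --l7proto "$proto" -j DROP
    done
}

# log_l7 PROTO: rate-limited log of what layer7 classifies as PROTO, for
# checking a pattern against real traffic before you start dropping on it.
log_l7() {
    $IPT -I FORWARD 1 -m layer7 --l7proto "$1" -m limit --limit 6/min \
        -j LOG --log-prefix "L7 $1: "
}

# counters: the per-rule packet counts the article reads to see which rules matched.
counters() {
    $IPT -t nat -L POSTROUTING -n -v
    $IPT -L FORWARD -n -v
}

# Run as "sh nat-l7.sh apply" on the NAT server; nothing below runs otherwise.
if [ "${1:-}" = apply ]; then
    prepare
    nat_rules
    block_l7 qq
    counters
fi
```

Two caveats a practitioner should keep in mind. Layer7 only inspects the first few packets of each connection (by default about the first 10 packets or 2 KB of payload), so a connection that starts with unrecognised data is never classified and passes untouched, and matching is regular-expression work done in the kernel on every new connection, which costs CPU on a busy gateway. The qq pattern also dates from the same era as the patch, so a newer client version may no longer match it; use log_l7 to confirm a pattern still fires before relying on it.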

That completes the experiment: QQ logins are blocked while ordinary web browsing still works. Although this could be extended to restrict many other layer-7 services, I do not recommend using it that way in a company, because only free and open companies have vitality; prohibiting things by authority treats the symptom rather than the cause. Please point out any errors.

