Home > Developer > Linux

Linux firewall iptables (iii)

Source: Internet
Author: User
Tags iptables
Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more >

Linux firewall iptables (iii)
Our previous two articles have introduced iptables more fully, today a iptables on layer 7 practice. We said that Iptables/netfilter work in the kernel space is not support application layer protocol, but such as QQ, MSN, thunder and other applications we can not be completely closed in the Transport layer or network layer, Because they are very cunning to find that their ports are blocked and then use other open ports to transfer data, it is only possible to close them in layer 7. So someone has developed two iptables/netfilter for this situation, wrote some patches, and we patched these patches to enable iptables to support the 7 layer protocol.
Because the IPTABLES-L7 author has not updated this patch after 09 years, so it relies on the kernel version and the Iptables package are older, so we need to compile the kernel itself, compiled iptables to use.
We need to use the following packages:

Install the build environment:

Create the required user for compilation, unzip the kernel file:

Patch layer 7 to the kernel:

To configure and compile the kernel:

为了节省时间,我们用系统自带的config文件做模板在其基础上进行修改

Select Network Features:

Select network Options:

Select the NetFilter module:

Select the NetFilter core configuration:

Add support Layer7 Layer module:

To turn off the Redhat kernel module checksum:

Save exit:

因为红帽为了防止其它人更改其内核模块进行二次发行,所以添加了模块签名机制,我们的模块没有红帽的签名,所以需要关闭这个功能才能编译成功。

#yum Install Screen-y
#screen
#make –j 4
#make Modules_install
#make Install
To see if the new kernel is installed successfully:

Start with the new kernel:

Pre-compilation preparations:

Compile and install:

To set up the matching scripts and configuration files:

To install Layer7 patches:

To turn on the connection tracking function:

To build an experimental topology:
NAT server:192.168.1.0/24, 192.168.23.0/24
Client:192.168.23.0/24

To create a NAT entry:

You can see that the client is actually online via NAT server:

Now QQ can also login:

Set the LAYER7 layer entry to deny QQ:

The Login failed:

Rules that match to the Layer7:

Still able to surf the Internet:

NAT rules to match:

The principle of rejecting QQ connection:

OK, our experiment has been successful. Can effectively prevent QQ login, but also can surf the internet. Although we can do this even limit more than 7 layers of services, but I do not agree with the use of the company, because only the free and open companies have vitality, by the right to prohibit certain things in the final analysis of the symptoms do not cure. Please note if there are any errors.

Linux firewall iptables (iii)

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

Related Keywords:
linux firewall iptables iptables linux firewall configuration firewall linux iptables firewall iptables centos firewall iptables iptables firewall example server firewall iptables

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

What's Trending
Top 10 Tags
datastax versions naming convention zookeeper client class definition md5 microsoft sql server 2005 data structures exception handling error handling
Top 10 Keywords
microsoft download center down wordpress address url site address url wordpress address url windows installer 4 0 download 302 not found web address url definition site address url wordpress db2 integer mac os installation step by step pdf abbreviation for return

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

  • Sales Support

    1 on 1 presale consultation

    Chat Contact Sales

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

    Open a Ticket

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

    Learn More