Summary L7-filter

Source: Internet
Author: User
Tags ftp protocol

1. Overview

 

L7-filter (application layer packet classifier for Linux) is a plug-in module for Linux netfilter. It lets iptables filter at layer 7 (the OSI application layer), so that P2P and instant-messaging traffic (MSN, QQ, AIM) can be restricted or blocked.

 

Official site http://l7-filter.sourceforge.net/

 

2. l7filter

 

l7filter is a packet classifier for Linux. As an extension of iptables it improves iptables' packet analysis: instead of classifying a network application by its port number alone, iptables can match regular expressions against the data carried by the application-layer protocol (HTTP, FTP, ...), which classifies packets more accurately.

 

1) l7filter has some performance cost because it inspects application-layer payload. It is mainly used where packets cannot be classified by port, for example:

Protocols with unpredictable or non-fixed ports (such as P2P)

Packets on non-standard ports (such as HTTP on 8080, 442)

Multiple protocols sharing one port (P2P over port 80)

2) Main functions

Blocking application services (HTTP, MSN, QQ)

Traffic limiting

Accounting

3) There are currently two versions of l7filter:

Kernel version: patches for the kernel and iptables; relatively stable.

User-space version: also requires a recompiled kernel, but the classifier itself runs as a user-space application.

3. Install l7filter

 

L7filter installation includes kernel compilation (patching), iptables compilation (patching), and l7protocols installation.

 

1) Required software packages

Kernel 2.6.21.1

http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.21.1.tar.gz

Not every kernel has been tested; the following page lists the tested kernels. Here we use 2.6.21.1: http://l7-filter.sourceforge.net/kernelcompat.en.php

iptables 1.3.8

http://www.netfilter.org/projects/iptables/files/iptables-1.3.8.tar.bz2

Kernel-version l7filter 2.17

http://jaist.dl.sourceforge.net/sourceforge/l7-filter/netfilter-layer7-v2.17.tar.gz

The package contains the kernel and iptables patches.

Application-layer protocol definitions (2007-11-22)

http://nchc.dl.sourceforge.net/sourceforge/l7-filter/l7-protocols-2007-11-22.tar.gz

 

2) Installation Steps

 

Decompress l7filter

cd /root/
tar xzf netfilter-layer7-v2.17.tar.gz

The archive contains the kernel and iptables patches.

Patch the kernel

cd netfilter-layer7-v2.17
cp for_older_kernels/kernel-2.6.20-2.6.21-layer7-2.16.1.patch /usr/src/linux-2.6.21.1/
cd /usr/src/linux-2.6.21.1
patch -p1 < kernel-2.6.20-2.6.21-layer7-2.16.1.patch

 

Re-compile the kernel with the following options enabled:

"Prompt for development and/or incomplete code/drivers" (Code maturity level options)

 

"Network packet filtering framework" (networking → networking options)

 

"Netfilter xtables support" (... → network packet filtering framework (netfilter) → core netfilter configuration)

 

"Netfilter Connection Tracking Support" (same screen), select "Layer 3 independent connection tracking"

 

"Connection Tracking flow accounting" (same screen)

 

"Layer 7 match support" (same screen)

 

"FTP protocol support", "IRC protocol support"

 

It is best to select all the options under netfilter.

 

Patch iptables

Decompress iptables 1.3.8:

cd /usr/local/src/
tar jxf iptables-1.3.8.tar.bz2

Copy the netfilter-layer7 iptables patch into the current directory:

cp /root/netfilter-layer7-v2.17/iptables-1.3-for-kernel-2.6.20forward-layer7-2.17.patch ./
cd iptables-1.3.8
patch -p1 < ../iptables-1.3-for-kernel-2.6.20forward-layer7-2.17.patch
chmod +x extensions/.layer7-test
make KERNEL_DIR=/usr/src/linux-2.6.21.1
make install KERNEL_DIR=/usr/src/linux-2.6.21.1

Point /sbin/iptables at the newly installed /usr/local/sbin/iptables:

cd /sbin/
mv iptables iptables.old
ln -s /usr/local/sbin/iptables .

 

Install the layer7 protocol definitions

tar zxf l7-protocols-2007-11-22.tar.gz
cd l7-protocols-2007-11-22
make install

After installation the pattern files are under /etc/l7-protocols/.

 

4. Use l7filter

 

1) protocol matching File

 

iptables hands packets to the l7filter module, and l7filter identifies them by regular-expression matching on the payload. The patterns it uses for each protocol come from the /etc/l7-protocols/protocols/*.pat files, for example:

 

ftp.pat:

^220[\x09-\x0d -~]*ftp|331[\x09-\x0d -~]*password

http.pat:

http/(0\.9|1\.0|1\.1) [1-5][0-9][0-9] [\x09-\x0d -~]*(connection:|content-type:|content-length:|date:)|post [\x09-\x0d -~]* http/[01]\.[019]

qq.pat:

^.?\x02.+\x03$

Table 1: pattern examples from the FTP, HTTP, and QQ .pat files

 

FTP: if the payload begins with "220" followed by "ftp", or with "331" followed by "password", the connection is classified as FTP.

HTTP: if the payload contains an HTTP version and status code followed by a header such as "Connection:", "Content-Type:", or "Content-Length:", the connection is classified as HTTP.
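The following is an added example, not code from the page or from the l7-filter project, that runs the three patterns above the way the classifier does: case-insensitively, against the accumulated payload of a connection rather than a single packet, and only for a limited number of bytes and packets. The 2048-byte and 10-packet limits are assumptions that simplify the kernel module, and the sample payloads are constructed.

```python
import re

# Pattern entries built from the three .pat regexes shown above, written the
# way l7-filter writes them: lower case, matched case-insensitively, with
# "[\x09-\x0d -~]" meaning "any whitespace or printable byte".
PATTERNS = {
    "ftp": r"^220[\x09-\x0d -~]*ftp|331[\x09-\x0d -~]*password",
    "http": (r"http/(0\.9|1\.0|1\.1) [1-5][0-9][0-9] [\x09-\x0d -~]*"
             r"(connection:|content-type:|content-length:|date:)"
             r"|post [\x09-\x0d -~]* http/[01]\.[019]"),
    "qq": r"^.?\x02.+\x03$",
}
COMPILED = {n: re.compile(p, re.IGNORECASE | re.DOTALL)
            for n, p in PATTERNS.items()}

# Assumed limits (a simplification of the kernel module): only the first
# WINDOW bytes and MAX_PACKETS packets of a connection are examined, after
# which an unmatched connection stays "unknown" for good.
WINDOW = 2048
MAX_PACKETS = 10


def classify(packets):
    """Classify one connection from its payloads in arrival order.

    Payloads of both directions are appended to a single buffer and every
    pattern is tried against that buffer after each packet; the first match
    is final. Returns the protocol name, or None if nothing matched.
    """
    buf = b""
    for payload in packets[:MAX_PACKETS]:
        buf = (buf + payload)[:WINDOW]
        text = buf.decode("latin-1")      # one char per byte, never fails
        for name, rx in COMPILED.items():
            if rx.search(text):
                return name               # later packets inherit this verdict
    return None


if __name__ == "__main__":
    # Constructed sample streams. No port is involved, so HTTP on 8080 is
    # recognised the same way. The HTTP reply only matches once the second
    # packet supplies a header name, so the first packet passes unclassified.
    print(classify([b"220 (vsFTPd 2.0.5)\r\n"]))                              # ftp
    print(classify([b"HTTP/1.1 200 OK\r\n"]))                                 # None
    print(classify([b"HTTP/1.1 200 OK\r\n", b"Content-Type: text/html\r\n"]))  # http
    print(classify([b"\x02\x01\x05\xca\xfe\x03"]))                            # qq
    print(classify([b"SSH-2.0-OpenSSH_4.7\r\n"]))                            # None
```

The unclassified first packet is the practical limit of any payload-based rule: a DROP rule only takes effect once enough data has been seen for a pattern to match.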

 

Existing .pat files can be modified and new ones written. l7filter supports most common application protocols; the following table lists how well each was detected in testing.

 

Protocol Description: http://l7-filter.sourceforge.net/protocols

 

Category   Application protocols
Great      FTP, DNS, HTTP, IMAP, IRC, POP3, SMTP, SSH
Good       AIM, BitTorrent, Gopher, Jabber, MSN-filetransfer, msnmessenger, QQ, NTP, RTSP, SNMP, SOCKS, SSL, Telnet, Yahoo, Xunlei, Whois, ident, DHCP, CVS
OK         H323, HTTP-RTSP, Kugoo, SIP, skypeout, skypetoskype, UUCP
Poor       Mute, NetBIOS, TFTP

Table 2: detection quality by protocol

 

l7filter can also match network traffic by file type: jpg, exe, gif, htm, flv, tar, etc.

 

2) firewall settings

 

l7filter provides packet filtering and traffic management. As an iptables extension it is loaded as a match; the command syntax is

iptables [table and chain] -m layer7 --l7proto [protocol name] -j [action]

The rules are usually placed in the mangle table:

iptables -t mangle -A POSTROUTING -m layer7 --l7proto [protocol] ...

 

Disable application-layer services

l7filter can block QQ, HTTP, FTP, MSN, P2P and other application services. For example, to stop users from using MSN, the iptables rule is

iptables -t mangle -A POSTROUTING -m layer7 --l7proto msnmessenger -j DROP

--l7proto takes the protocol name as found in /etc/l7-protocols/protocols (here msnmessenger).

Restrict a single IP address:

iptables -t mangle -A POSTROUTING -s 192.168.100.161 -m layer7 --l7proto msnmessenger -j DROP

Restrict a subnet:

iptables -t mangle -A POSTROUTING -s 192.168.100.0/24 -m layer7 --l7proto msnmessenger -j DROP

 

Traffic limiting

Traffic limiting combines iptables with tc to shape application traffic; compared with ordinary shaping only the iptables rules differ. An official shell script loads the iptables policy automatically:

http://l7-filter.sourceforge.net/l7-netfilter-example-nonbridge

 

Delete the existing iptables mangle and tc policies:

iptables -t mangle -F
tc qdisc del dev eth0 root

# Default control
tc qdisc add dev eth0 root handle 1: htb default 10

# Set the class 1:1 total bandwidth
tc class add dev eth0 parent 1: classid 1:1 htb rate 1200kbps ceil 1200kbps

# Set HTTP traffic (class 1:10, the htb default)
tc class add dev eth0 parent 1:1 classid 1:10 htb rate 300kbps ceil 500kbps prio 1

# Set BT (class 1:20)
tc class add dev eth0 parent 1:1 classid 1:20 htb rate 20kbps ceil 200kbps prio 3

# Set queue rules
tc qdisc add dev eth0 parent 1:10 handle 11: sfq perturb 10
tc qdisc add dev eth0 parent 1:20 handle 12: sfq perturb 10

# Set filter rules: firewall mark 1 goes to 1:10, mark 2 to 1:20
tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 1 fw flowid 1:10
tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 2 fw flowid 1:20

# Set iptables
iptables -t mangle -A POSTROUTING -m layer7 --l7proto http -j MARK --set-mark 1
iptables -t mangle -A POSTROUTING -m layer7 --l7proto bittorrent -j MARK --set-mark 2

 

As this shows, the classification is done in iptables (by setting the marks); the tc side is the same as ordinary mark-based shaping.

 

Accounting

To count the traffic of an application service such as HTTP or POP3, add match rules without a target; the rule counters then accumulate the matched packets and bytes:

iptables -t mangle -A POSTROUTING -m layer7 --l7proto http
iptables -t mangle -A POSTROUTING -m layer7 --l7proto pop3

# View the counters
iptables -t mangle -L -nv
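As an added example (not from the page or the l7-filter project), the following turns the counter columns of "iptables -t mangle -L -nv" output into per-protocol totals for the accounting rules above. The sample output is constructed, and it is assumed that the layer7 match prints as "LAYER7 l7proto <name>" and that -v abbreviates large counters with K/M/G suffixes (factor 1000).

```python
import re

# Constructed sample of "iptables -t mangle -L -nv" output for the two
# accounting rules above plus an idle one. Assumptions about the format:
# the layer7 match is printed as "LAYER7 l7proto <name>", and -v abbreviates
# large counters with K/M/G (factor 1000) unless -x is given.
SAMPLE = """\
Chain POSTROUTING (policy ACCEPT 9876 packets, 5432K bytes)
 pkts bytes target     prot opt in     out     source               destination
 1204  853K            all  --  *      *       0.0.0.0/0            0.0.0.0/0            LAYER7 l7proto http
   37  2810            all  --  *      *       0.0.0.0/0            0.0.0.0/0            LAYER7 l7proto pop3
    0     0            all  --  *      *       0.0.0.0/0            0.0.0.0/0            LAYER7 l7proto msnmessenger
"""

SUFFIX = {"": 1, "K": 1000, "M": 1000 ** 2, "G": 1000 ** 3}
# pkts bytes ... LAYER7 l7proto name   (the target column may be empty)
L7_RULE = re.compile(r"^\s*(\d+)([KMG]?)\s+(\d+)([KMG]?)\s.*\bLAYER7 l7proto (\S+)")


def to_int(number, suffix):
    """Expand an abbreviated iptables counter such as 853K to 853000."""
    return int(number) * SUFFIX[suffix]


def parse_layer7_counters(output):
    """Return {protocol: (packets, bytes)} summed over all layer7 rules."""
    totals = {}
    for line in output.splitlines():
        m = L7_RULE.match(line)
        if not m:
            continue   # chain banner, column header, or a non-layer7 rule
        pkts, pk_suf, nbytes, by_suf, proto = m.groups()
        p, b = totals.get(proto, (0, 0))
        totals[proto] = (p + to_int(pkts, pk_suf), b + to_int(nbytes, by_suf))
    return totals


def report(output):
    """Plain-text table of per-protocol counters, largest byte count first."""
    rows = sorted(parse_layer7_counters(output).items(), key=lambda kv: -kv[1][1])
    return "\n".join(f"{proto:<14}{pkts:>10}{nbytes:>12}" for proto, (pkts, nbytes) in rows)


if __name__ == "__main__":
    print(report(SAMPLE))
```

Abbreviated counters are rounded, so add -x (--exact) to the iptables command when exact byte counts matter.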

 

5. References

http://l7-filter.sourceforge.net/

http://l7-filter.sourceforge.net/HOWTO-kernel.en.php

http://l7-filter.sourceforge.net/Pattern-HOWTO

http://l7-filter.sourceforge.net/protocols

http://netfilter.org/

http://l7-filter.sourceforge.net/kernelcompat

http://l7-filter.sourceforge.net/PacketFlow.png

Http://www.turbolinux.com.cn/turbo/wiki/doku.php? Id = traffic-control: TC % E6 % B5 % 81% E9 % 87% 8f % E7 % AE % a1 % E7 % 90% E7 % AE % 86% E4 % BB % 8b

 

Article Source: feino Network (www.firnow.com): http://dev.firnow.com/course/6_system/linux/Linuxjs/20100609/208913.html
