1. Overview
L7-filter (Application Layer Packet Classifier for Linux) is a plug-in module for Linux netfilter. It lets iptables filter on Layer 7 (the OSI application layer), so that traffic from P2P and instant-messaging software (MSN, QQ, AIM) can be restricted or blocked.
Official site: http://l7-filter.sourceforge.net/
2. l7filter
L7-filter is a packet classifier for Linux. As an extension of iptables, it adds application-layer packet analysis: instead of relying only on the port number a network application uses, iptables can match regular expressions against the data carried by layer-7 application protocols (HTTP, FTP, and so on), which identifies traffic far more accurately than a port number alone.
1) Because l7-filter has to inspect application-layer payload, it costs some performance. It is mainly used where traffic cannot be classified by port, for example:
Protocols that use unpredictable or non-fixed ports (such as P2P)
Traffic on non-standard ports (such as HTTP on 8080 or 442)
Several protocols sharing one port (such as P2P on port 80)
2) Main functions
Blocking application services (HTTP, MSN, QQ)
Traffic limiting
Accounting
3) There are currently two versions of l7-filter:
Kernel version: a kernel patch plus an iptables patch; relatively stable
User-space version: also requires re-compiling the kernel, with the classifier itself installed as a user-space application
3. Install l7filter
Installing l7-filter involves compiling (patching) the kernel, compiling (patching) iptables, and installing l7-protocols.
1) Required software packages
Kernel 2.6.21.1
http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.21.1.tar.gz
Not every kernel has been tested; the following page lists the tested kernels. Here we choose 2.6.21.1: http://l7-filter.sourceforge.net/kernelcompat.en.php
iptables 1.3.8
http://www.netfilter.org/projects/iptables/files/iptables-1.3.8.tar.bz2
Kernel-version l7-filter 2.17
http://jaist.dl.sourceforge.net/sourceforge/l7-filter/netfilter-layer7-v2.17.tar.gz
This package contains the kernel and iptables patches.
Application-layer protocol definitions (2007-11-22)
http://nchc.dl.sourceforge.net/sourceforge/l7-filter/l7-protocols-2007-11-22.tar.gz
2) Installation steps
Unpack l7-filter:
cd /root/
tar xzf netfilter-layer7-v2.17.tar.gz
This provides the kernel and iptables patches.
Patch the kernel:
cd netfilter-layer7-v2.17
cp for_older_kernels/kernel-2.6.20-2.6.21-layer7-2.16.1.patch /usr/src/linux-2.6.21.1/
cd /usr/src/linux-2.6.21.1
patch -p1 < kernel-2.6.20-2.6.21-layer7-2.16.1.patch
Re-compile the kernel with the following options enabled:
"Prompt for development and/or incomplete code/drivers" (Code maturity level options)
"Network packet filtering framework" (Networking → Networking options)
"Netfilter Xtables support" (... → Network packet filtering framework (Netfilter) → Core Netfilter Configuration)
"Netfilter connection tracking support" (same screen); select "Layer 3 Independent Connection tracking"
"Connection tracking flow accounting" (same screen)
"Layer 7 match support" (same screen)
"FTP protocol support", "IRC protocol support"
It is simplest to select every option under Netfilter.
Patch iptables:
Unpack iptables 1.3.8:
cd /usr/local/src/
tar jxf iptables-1.3.8.tar.bz2
Copy the netfilter-layer7 iptables patch into the current directory:
cp /root/netfilter-layer7-v2.17/iptables-1.3-for-kernel-2.6.20forward-layer7-2.17.patch ./
cd iptables-1.3.8
patch -p1 < ../iptables-1.3-for-kernel-2.6.20forward-layer7-2.17.patch
chmod +x extensions/.layer7-test
make KERNEL_DIR=/usr/src/linux-2.6.21.1
make install KERNEL_DIR=/usr/src/linux-2.6.21.1
Point /sbin/iptables at the newly installed /usr/local/sbin/iptables:
cd /sbin/
mv iptables iptables.old
ln -s /usr/local/sbin/iptables iptables
Install the layer7 protocol definitions:
tar zxf l7-protocols-2007-11-22.tar.gz
cd l7-protocols-2007-11-22
make install
After installation the layer7 protocol definitions are in /etc/l7-protocols/
4. Use l7filter
1) Protocol pattern files
iptables hands packets to the l7-filter module, and l7-filter identifies them by matching regular expressions against the payload (string matching). L7-filter recognises a network data stream using the patterns in the .pat files under /etc/l7-protocols/protocols/.
Table 1: pattern examples from the ftp, http and qq .pat files
Protocol   Pattern
ftp        ^220[\x09-\x0d -~]*ftp|331[\x09-\x0d -~]*password
http       http/(0\.9|1\.0|1\.1) [1-5][0-9][0-9] [\x09-\x0d -~]*(connection:|content-type:|content-length:|date:)|post [\x09-\x0d -~]* http/[01]\.[019]
qq         ^.?\x02.+\x03$
FTP: if the stream starts with "220" followed by "ftp", or contains "331" followed by "password", the connection is classified as FTP.
HTTP: if the data contains a status line such as "HTTP/1.1 200" followed by a header like "Connection:", "Content-Type:", "Content-Length:" or "Date:" (or a POST request line), the connection is classified as HTTP.
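To make the classification step concrete, the following added example (not code from the l7-filter project) parses .pat files in the l7-protocols layout and runs the three patterns from Table 1 over constructed payloads. The 2048-byte inspection window and the NUL-to-\x01 substitution are assumed from l7-filter's documented defaults (module parameter maxdatalen); the sample streams are constructed for this example. It also shows the two properties a defender relies on: the port is irrelevant (HTTP on 8080 is still HTTP), and nothing beyond the inspection window is ever examined, so a connection whose identifying data arrives late stays "unknown". Because l7-filter needs to see some payload before it can classify, the first packets of every connection pass any DROP rule; the window here models that limit.

```python
import re

# Constructed copies of three .pat files in the l7-protocols format: '#'
# lines are comments, the first other line is the protocol name, the second
# is the pattern (POSIX extended regex, matched case-insensitively).
PAT_FILES = {
    "ftp.pat": r"""# FTP - File Transfer Protocol (constructed copy of Table 1)
ftp
^220[\x09-\x0d -~]*ftp|331[\x09-\x0d -~]*password
""",
    "http.pat": r"""# HTTP (constructed copy of Table 1)
http
http/(0\.9|1\.0|1\.1) [1-5][0-9][0-9] [\x09-\x0d -~]*(connection:|content-type:|content-length:|date:)|post [\x09-\x0d -~]* http/[01]\.[019]
""",
    "qq.pat": r"""# QQ (constructed copy of Table 1)
qq
^.?\x02.+\x03$
""",
}

# Assumed l7-filter defaults: at most the first 2048 bytes of a connection's
# payload (module parameter maxdatalen) are examined, and NUL bytes are
# replaced by \x01 because the C regex library treats NUL as end of string.
MAX_DATA_LEN = 2048


def parse_pat(text):
    """Return (protocol name, compiled regex) from the text of a .pat file."""
    lines = [ln.strip() for ln in text.splitlines()
             if ln.strip() and not ln.startswith("#")]
    name, pattern = lines[0], lines[1]
    # l7-filter compiles with REG_EXTENDED | REG_ICASE and without
    # REG_NEWLINE, so '.' spans newlines and ^/$ anchor the whole buffer;
    # IGNORECASE | DOTALL gives the same semantics in Python's re.
    return name, re.compile(pattern, re.IGNORECASE | re.DOTALL)


PATTERNS = [parse_pat(text) for text in PAT_FILES.values()]


def classify(stream, patterns=PATTERNS):
    """Name the first protocol whose pattern matches the start of a stream.

    `stream` is the application-layer payload of one connection, both
    directions concatenated in arrival order, as l7-filter buffers it.
    """
    window = stream[:MAX_DATA_LEN].replace(b"\x00", b"\x01")
    text = window.decode("latin-1")          # 1 byte -> 1 char, never fails
    for name, regex in patterns:
        if regex.search(text):
            return name
    return "unknown"


# Constructed sample streams; the TCP port is deliberately absent because
# l7-filter never looks at it (the HTTP-on-8080 case is the point).
SAMPLES = {
    "ftp": b"220 ProFTPD 1.3.1 Server ready.\r\nUSER anon\r\n",
    "http_on_8080": (b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n\r\n"
                     b"HTTP/1.1 200 OK\r\nDate: Mon, 01 Jan 2007 00:00:00 GMT\r\n"
                     b"Content-Type: text/html\r\n"),
    "qq": b"\x02\x00\x38\x00\x00\x01\x0b\xd8\x03",
    "tls_like": b"\x16\x03\x01\x00\x05hello",
    # identifying data arriving after the 2048-byte window is never seen
    "http_after_limit": b"A" * 2100 + b"HTTP/1.1 200 OK\r\nDate: x\r\n",
}


def classify_samples():
    """Classify every constructed sample; returns {label: protocol}."""
    return {label: classify(data) for label, data in SAMPLES.items()}


if __name__ == "__main__":
    for label, proto in classify_samples().items():
        print(f"{label:18s} -> {proto}")
```

Pattern order matters: the first match wins, so a loose pattern placed early can shadow a tighter one; the project's Pattern-HOWTO (linked in the references) discusses how to keep patterns specific.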
Existing .pat files can be modified, and you can write your own. L7-filter supports most common application protocols; the following table lists how well each protocol matched in the project's tests.
Protocol descriptions: http://l7-filter.sourceforge.net/protocols
Table 2: match quality by protocol
Category   Application protocols
Great      FTP, DNS, HTTP, IMAP, IRC, POP3, SMTP, SSH
Good       AIM, BitTorrent, Gopher, Jabber, MSN file transfer, MSN Messenger, QQ, NTP, RTSP, SNMP, SOCKS, SSL, Telnet, Yahoo, Xunlei, Whois, Ident, DHCP, CVS
OK         H.323, HTTP-RTSP, Kugoo, SIP, SkypeOut, Skype-to-Skype, UUCP
Poor       Mute, NetBIOS, TFTP
L7-filter can also restrict packets by file type: jpg, exe, gif, htm, flv, tar, etc.
2) Firewall settings
L7-filter provides packet filtering and traffic management. As an extension of iptables, the command syntax for loading the layer7 match is:
iptables [table and chain] -m layer7 --l7proto [protocol name] -j [action]
The rules usually go in the mangle table:
iptables -t mangle -A POSTROUTING -m layer7 --l7proto [protocol name] ...
Disabling application-layer services
L7-filter can block QQ, HTTP, FTP, MSN, P2P and other application services. For example, to stop users from using MSN, the iptables rule is:
iptables -t mangle -A POSTROUTING -m layer7 --l7proto msnmessenger -j DROP
--l7proto takes the protocol name as it appears in /etc/l7-protocols/protocols, here msnmessenger.
Restricting a single IP address:
iptables -t mangle -A POSTROUTING -s 192.168.100.161 -m layer7 --l7proto msnmessenger -j DROP
Restricting a subnet:
iptables -t mangle -A POSTROUTING -s 192.168.100.0/24 -m layer7 --l7proto msnmessenger -j DROP
Traffic limiting
Traffic limiting again combines iptables with tc to control the bandwidth of an application service; only the iptables rules differ from ordinary tc shaping. An official shell script loads the iptables policy automatically:
http://l7-filter.sourceforge.net/l7-netfilter-example-nonbridge
# Clear the iptables mangle table and the tc policy
iptables -t mangle -F
tc qdisc del dev eth0 root
# Root qdisc; unclassified traffic goes to class 1:10
tc qdisc add dev eth0 root handle 1: htb default 10
# Class 1:1: total bandwidth (in tc, "kbps" is kilobytes per second; use "kbit" for kilobits)
tc class add dev eth0 parent 1: classid 1:1 htb rate 1200kbps ceil 1200kbps
# HTTP traffic: class 1:10 (class ids follow the qdisc parents and the default class above)
tc class add dev eth0 parent 1:1 classid 1:10 htb rate 300kbps ceil 500kbps prio 1
# BitTorrent traffic: class 1:20
tc class add dev eth0 parent 1:1 classid 1:20 htb rate 20kbps ceil 200kbps prio 3
# Queue discipline for each class
tc qdisc add dev eth0 parent 1:10 handle 11: sfq perturb 10
tc qdisc add dev eth0 parent 1:20 handle 12: sfq perturb 10
# Filters: firewall mark 1 -> class 1:10, mark 2 -> class 1:20
tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 1 fw flowid 1:10
tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 2 fw flowid 1:20
# iptables: mark packets by application protocol
iptables -t mangle -A POSTROUTING -m layer7 --l7proto http -j MARK --set-mark 1
iptables -t mangle -A POSTROUTING -m layer7 --l7proto bittorrent -j MARK --set-mark 2
As you can see, the classification is done in iptables; the tc side is the same as ordinary traffic control.
Accounting
To count the traffic of application services such as HTTP and POP3, add layer7 rules with no target; they only increment their packet and byte counters.
iptables -t mangle -A POSTROUTING -m layer7 --l7proto http
iptables -t mangle -A POSTROUTING -m layer7 --l7proto pop3
# View the counters
iptables -t mangle -L -nv
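Reading those counters off by hand does not scale once there are many protocols, so the following added example (not part of the l7-filter project) parses the listing into per-protocol packet and byte counts. The listing is a constructed sample in the layout of `iptables -t mangle -L POSTROUTING -nv`; with -v iptables abbreviates large counters with K/M/G (rounded, 1000-based), which the parser expands, and `-x` gives exact values if that matters for billing.

```python
import re

# Constructed sample of `iptables -t mangle -L POSTROUTING -nv` output with
# two layer7 accounting rules. Rules without -j leave the target column
# blank; -v abbreviates counters with K/M/G (use -x for exact numbers).
SAMPLE_LISTING = """\
Chain POSTROUTING (policy ACCEPT 48212 packets, 31M bytes)
 pkts bytes target     prot opt in     out     source               destination
 8123 6842K            all  --  *      *       0.0.0.0/0            0.0.0.0/0            LAYER7 l7proto http
  211  164K            all  --  *      *       0.0.0.0/0            0.0.0.0/0            LAYER7 l7proto pop3
"""

# iptables rounds to multiples of 1000 when it abbreviates
_SUFFIX = {"": 1, "K": 1000, "M": 1000 ** 2, "G": 1000 ** 3}

# the two counter columns, then anything, then the layer7 match description
_RULE = re.compile(r"^\s*(\d+)([KMG]?)\s+(\d+)([KMG]?)\s+.*\bl7proto\s+(\S+)")


def parse_l7_counters(listing):
    """Map l7proto name -> (packets, bytes) for each layer7 rule in a listing."""
    counters = {}
    for line in listing.splitlines():
        m = _RULE.match(line)
        if not m:
            continue                     # chain header, column header, other rules
        pkts = int(m.group(1)) * _SUFFIX[m.group(2)]
        nbytes = int(m.group(3)) * _SUFFIX[m.group(4)]
        counters[m.group(5)] = (pkts, nbytes)
    return counters


def rank_by_bytes(counters):
    """Protocol names ordered from heaviest to lightest by byte count."""
    return sorted(counters, key=lambda proto: counters[proto][1], reverse=True)


if __name__ == "__main__":
    counts = parse_l7_counters(SAMPLE_LISTING)
    for proto in rank_by_bytes(counts):
        pkts, nbytes = counts[proto]
        print(f"{proto:10s} {pkts:>8d} pkts {nbytes:>12d} bytes")
```

Note that a connection is only counted against a protocol from the moment l7-filter classifies it; the packets exchanged before that point are not attributed to any rule.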
5. References
http://l7-filter.sourceforge.net/
http://l7-filter.sourceforge.net/HOWTO-kernel.en.php
http://l7-filter.sourceforge.net/Pattern-HOWTO
http://l7-filter.sourceforge.net/protocols
http://netfilter.org/
http://l7-filter.sourceforge.net/kernelcompat
http://l7-filter.sourceforge.net/PacketFlow.png
http://www.turbolinux.com.cn/turbo/wiki/doku.php?id=traffic-control:TC%E6%B5%81%E9%87%8F%E7%AE%A1%E7%90%86%E7%AE%80%E4%BB%8B (introduction to TC traffic management, in Chinese)
Article Source: feino Network (www.firnow.com): http://dev.firnow.com/course/6_system/linux/Linuxjs/20100609/208913.html