Environment:
RHEL 6.6 x86_64
iptables-1.4.21.tar.bz2
l7-protocols-2009-05-28.tar.gz
netfilter-layer7-v2.23.tar.gz
Kernel 2.6.35.8-l7 (built below)
Want to stop employees chatting on QQ or downloading movies during work hours and wasting valuable bandwidth? l7-filter is a good choice.
1. Patching the kernel
# tar xf linux-2.6.35.8.tar.gz -C /usr/src
# tar xf netfilter-layer7-v2.23.tar.gz
# cd /usr/src
# ln -s linux-2.6.35.8 linux
# cd linux
# patch -p1 < /root/netfilter-layer7-v2.23/kernel-2.6.35-layer7-2.23.patch
# cp /boot/config-2.6.32-504.el6.x86_64 /usr/src/linux/.config
# make menuconfig
Select the following as kernel modules (M):
Networking support ---> Networking options ---> Network packet filtering framework (Netfilter) ---> Core Netfilter Configuration ---> <M> Netfilter connection tracking support
Networking support ---> Networking options ---> Network packet filtering framework (Netfilter) ---> Core Netfilter Configuration ---> <M> "layer7" match support
Networking support ---> Networking options ---> Network packet filtering framework (Netfilter) ---> Core Netfilter Configuration ---> <M> "iprange" address range match support
Networking support ---> Networking options ---> Network packet filtering framework (Netfilter) ---> IP: Netfilter Configuration ---> <M> IPv4 connection tracking support (required for NAT), <M> Full NAT
# make
# make modules_install
# make install
Reboot after the kernel has been built and installed, then confirm the new kernel is running:
# uname -a
Linux localhost.localdomain 2.6.35.8-l7 #1 SMP Mon Apr 13:44:31 CST x86_64 x86_64 x86_64 GNU/Linux
2. Installing iptables
Remove the distribution iptables packages (the system init script and config file are kept and copied back after the build):
# rpm -e iptables-ipv6 iptables --nodeps
# cp /etc/init.d/iptables ./
# tar xf iptables-1.4.21.tar.bz2
# cp /root/netfilter-layer7-v2.23/iptables-1.4.3forward-for-kernel-2.6.20forward/libxt_layer7.* /root/iptables-1.4.21/extensions/
# cd iptables-1.4.21
# ./configure --prefix=/usr --with-ksource=/usr/src/linux
# make
# make install
# cp iptables-config /etc/sysconfig/iptables-config
# cp iptables /etc/init.d/iptables
In the /etc/init.d/iptables script, the part to modify (shown in red in the original post) is the path to the iptables binary: it must point at /usr/sbin, where the build above installed it, instead of /sbin:
.........
if [ ! -x /usr/sbin/$IPTABLES ]; then
    echo -n $"${IPTABLES}: /usr/sbin/$IPTABLES does not exist."; warning; echo
    exit 5
fi
.........
# service iptables start
3. Installing the protocol pattern pack:
# tar xf l7-protocols-2009-05-28.tar.gz
# cd l7-protocols-2009-05-28
# make install
To view some of the supported protocols:
# ls protocols/
100bao.pat doom3.pat jabber.pat radmin.pat teamfortress2.pat
aim.pat edonkey.pat kugoo.pat rdp.pat teamspeak.pat
aimwebcontent.pat fasttrack.pat live365.pat replaytv-ivs.pat telnet.pat
applejuice.pat finger.pat liveforspeed.pat rlogin.pat tesla.pat
..........................
dayofdefeat-source.pat ident.pat pop3.pat ssh.pat xboxlive.pat
dazhihui.pat imap.pat pplive.pat ssl.pat xunlei.pat
dhcp.pat imesh.pat qq.pat stun.pat yahoo.pat
directconnect.pat ipp.pat quake1.pat subspace.pat zmaap.pat
dns.pat irc.pat quake-halflife.pat subversion.pat
4. Testing with QQ
Installation is complete. Next, use QQ to test whether the filter can block a QQ login.
Two hosts:
Host A: two network cards, 192.168.1.123 and 192.168.8.131 -------> the rules are set here
Host B: 192.168.8.128 -------> logs in to QQ
Host B reaches the Internet through host A, so host B's gateway is set to 192.168.8.131 (host A). The following rules are set on host A:
# iptables -t nat -A POSTROUTING -s 192.168.8.0/24 -j SNAT --to-source 192.168.1.123
# iptables -A FORWARD -s 192.168.8.0/24 -m layer7 --l7proto qq -j DROP
With these two rules, no host on the 192.168.8.0/24 segment can log in to QQ.
You can see that the rule has been matched:
[screenshot: iptables rule counters showing the layer7 qq rule matched]
# iptables -D FORWARD 1
After the rule is deleted, QQ logs in normally again.
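The QQ test above wrapped in a small script, as an added example that is not part of the original post: it generates the SNAT and layer7 DROP rules for a list of protocols, checks that each pattern file exists before a rule references it, and reads the packet counters from "iptables -vnL FORWARD" to confirm a match fired, which is what the counter screenshot shows. Assumptions: the function names are my own, the pattern files are assumed to be installed under /etc/l7-protocols/protocols, and the counter text at the end is a constructed sample, not real output.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed: .pat files live under
# /etc/l7-protocols/protocols after "make install"; function names are mine.
LAN_NET="${LAN_NET:-192.168.8.0/24}"        # host B's segment (from the post)
WAN_IP="${WAN_IP:-192.168.1.123}"           # host A's outside address (from the post)
L7_PROTOS="${L7_PROTOS:-qq xunlei edonkey}" # protocols to block, by .pat name
L7_DIR="${L7_DIR:-/etc/l7-protocols/protocols}"

# Print the iptables commands for the given action (-A to add, -D to remove).
l7_rules() {
    action="$1"
    echo "iptables -t nat $action POSTROUTING -s $LAN_NET -j SNAT --to-source $WAN_IP"
    for proto in $L7_PROTOS; do
        echo "iptables $action FORWARD -s $LAN_NET -m layer7 --l7proto $proto -j DROP"
    done
}
# A rule with an unknown --l7proto name fails to load, so check that the
# pattern file exists first (non-zero exit if it is missing).
l7_proto_available() {
    [ -r "$L7_DIR/$1.pat" ]
}
# Sum the packet counter of every layer7 rule for protocol $1 in the text of
# "iptables -vnL FORWARD" passed as $2; a non-zero count means the match fired.
l7_hits() {
    printf '%s\n' "$2" | awk -v p="$1" '
        /LAYER7 l7proto/ { for (i = 1; i <= NF; i++)
                             if ($i == "l7proto" && $(i+1) == p) sum += $1 }
        END { print sum + 0 }'
}
# Apply on host A. net.ipv4.ip_forward=1 is required for host B's traffic to
# be forwarded at all; the post does not show that step.
l7_apply() {
    for proto in $L7_PROTOS; do
        l7_proto_available "$proto" || { echo "missing pattern: $proto.pat" >&2; return 1; }
    done
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    l7_rules -A | while read -r cmd; do sh -c "$cmd" || exit 1; done
}
# Constructed sample of "iptables -vnL FORWARD" output, for testing l7_hits offline.
SAMPLE_FORWARD=$(cat <<'EOF'
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   12   936 DROP       all  --  *      *       192.168.8.0/24       0.0.0.0/0           LAYER7 l7proto qq
    0     0 DROP       all  --  *      *       192.168.8.0/24       0.0.0.0/0           LAYER7 l7proto xunlei
EOF
)
```

Run "l7_rules -A" to review the rules before calling l7_apply as root, and "l7_rules -D" to print the matching removal commands.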
This article is from the "On the Road" blog; please keep this source: http://mingxiao.blog.51cto.com/8124243/1631963
Using l7-filter to filter QQ, Thunder (Xunlei), eDonkey, etc. under Linux