L7-filter (Application Layer Packet Classifier for Linux) is a plug-in module for Linux netfilter. It gives iptables Layer 7 (application-layer) filtering, so that P2P and instant-messaging traffic can be restricted or blocked.
Centos 4.4
Kernel 2.6.9-42.0.3.EL
Iptables 1.2.11
1. Download the required packages:
kernel 2.6.19.7
# wget http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.19.7.tar.bz2
iptables 1.3.7
# wget http://www.netfilter.org/projects/iptables/files/iptables-1.3.7.tar.bz2
L7-filter http://sourceforge.net/project/showfiles.php?group_id=80085
netfilter-layer7-v2.12.tar.gz
l7-protocols-2007-06-22.tar.gz
2. Configure and compile the new kernel
First put all the downloaded packages under /usr/src.
# tar zxvf netfilter-layer7-v2.12.tar.gz
# tar xjvf linux-2.6.19.7.tar.bz2
# ln -s linux-2.6.19.7 linux
# cd linux
# patch -p1 < /usr/src/netfilter-layer7-v2.9/kernel-2.6.18-2.6.19-layer7-2.9.patch (apply the L7-filter kernel patch)
# make oldconfig
(If you have compiled before, run make mrproper first. make oldconfig compares against the previous kernel config and generates a new one from it, so you do not have to redo every kernel setting from scratch when building the new kernel.)
# make menuconfig
Set the kernel options; for details see the article "Kernel compilation explained" (內核編譯詳解). The layout of the options differs between kernel versions, but with a careful look you will find:
Code maturity level options -->
    [*] Prompt for development and/or incomplete code/drivers
Networking --> Networking options -->
    [*] Network packet filtering (replaces ipchains) -->
        IP: Netfilter Configuration -->
            <M> Connection tracking (required for masq/NAT)
            [*] Connection tracking flow accounting
            <M> IP tables support (required for filtering/masq/NAT)
            <M> Layer 7 match support
# make
# make modules
# make modules_install
# make install
# reboot
# uname -a
Linux jason.10235 2.6.19.7 #1 Fri Jul 6 11:56:11 CST 2007 i686 i686 i386 GNU/Linux
The system is now running the new kernel 2.6.19.7.
3. Upgrade iptables and apply the Layer7 patch
# cd /usr/src
# tar xjvf iptables-1.3.7.tar.bz2
# cd iptables-1.3.7
# patch -p1 < ../netfilter-layer7-v2.0/iptables-layer7-2.0.patch
# chmod +x extensions/.layer7-test
# export KERNEL_DIR=/usr/src/linux-2.6.19.7
# export IPTABLES_DIR=/usr/src/iptables-1.3.7
# make BINDIR=/sbin LIBDIR=/lib MANDIR=/usr/share/man install
# iptables -V
iptables v1.3.7 (now upgraded to the new version)
4. Install the Layer7 protocol definition files
# cd /usr/src
# tar zxvf l7-protocols-2007-06-22.tar.gz
# cd l7-protocols-2007-06-22
# make install
5. Using the iptables layer-7 filter:
# iptables -t mangle -I PREROUTING -m layer7 --l7proto edonkey -j DROP (block eDonkey)
# iptables -t mangle -I PREROUTING -m layer7 --l7proto bittorrent -j DROP (block BT)
# iptables -t mangle -I PREROUTING -m layer7 --l7proto qq -j DROP (block QQ messaging)
# iptables -t mangle -I PREROUTING -m layer7 --l7proto msnmessenger -j DROP (block MSN Messenger)
# iptables -t mangle -I PREROUTING -m layer7 --l7proto xunlei -j DROP (block Xunlei)
# iptables -t mangle -I PREROUTING -m layer7 --l7proto kugoo -j DROP (block Kugoo)
# iptables -t mangle -I PREROUTING -m layer7 --l7proto yahoo -j DROP (block Yahoo! Messenger)
How to block MSN file transfers
Implemented with the iptables layer-7 match.
iptables -A FORWARD -m layer7 --l7proto msn-filetransfer -j DROP
Reposted article 1:
Author: He Zubin [RobinHe]  Mail: [email protected]
Started on the morning of 3 August 2008
Version: KernelLayer7-V1.0-20080803, first edition 3 August 2008
Please credit the source when reposting. This article also draws most of its content from two other users' articles, so when reposting please include the sources listed under "Reference articles" below as well. Thank you!
This article will inevitably have omissions, typos and awkward sentences; if you find any, or have updates, please contact me so it can be corrected and improved.
System information:
OS : Debian 4.0 rc3
Usage notes:
Most of the text in bold green is commands entered and the output the system displayed.
Reference articles:
Implementing Layer 7 packet filtering
http://ms.ntcb.edu.tw/~steven/article/kernel-layer7-filter.htm
Thanks to Steven!
Introduction to the standard way of compiling the kernel on Debian Linux
http://tech.itzero.com/2008/0728/article_38241.html
Upgrading and compiling your own kernel: the Debian edition
http://fanqiang.chinaunix.net/system/linux/2005-05-02/3211.shtml
Step 1: download and install the tools and related packages:
#apt-get install debhelper modutils kernel-package libncurses5-dev fakeroot
#apt-get install gcc g++ make
Note:
Kernel compilation on Debian differs from Red Hat: the build needs the make-kpkg command and (optionally) fakeroot, so the packages above must be installed first.
To install MySQL, PHP, Apache and so on, I also install their related libraries and some common tools:
#apt-get install vim elinks gcc g++ make libncurses5-dev libpng12-dev libjpeg62-dev zlib1g-dev libxml2-dev
Step 2: download the required source packages and unpack them in the right places:
To build the kernel with the layer7 module you need the source of the following:
linux kernel source
iptables source
l7-filter patch
l7-filter protocols
The versions I chose are:
kernel:2.6.24
iptables:1.4.0
l7-filter patch:2.17
l7-filter protocols:2008-02-20
Full download:
root # wget ftp://ftp.tw.kernel.org/pub/linux/kernel/v2.6/linux-2.6.24.4.tar.bz2
root # wget ftp://ftp.netfilter.org/pub/iptables/iptables-1.4.0.tar.bz2
root # wget http://nchc.dl.sourceforge.net/sourceforge/l7-filter/netfilter-layer7-v2.17.tar.gz
root # wget http://nchc.dl.sourceforge.net/sourceforge/l7-filter/l7-protocols-2008-02-20.tar.gz
Or download all the archives at once from our own server:
http://pt.cjcht.com:85/l7.tar.gz // about 60MB; it also contains two newer versions of the packages which I have not used yet. Try them when you have time; here I use the same versions Steven used.
By habit I unpack these packages under /usr/local/src/Layer7:
Since we are compiling a new kernel, I like to keep the kernel source under /usr/src and create a new directory there named kernels. Steven's habit is a good one, so I will adopt it from now on.
#cd /usr/src
#mkdir kernels
#cd kernels
Unpack the packages into /usr/src/kernels:
#tar -jxvf /usr/local/src/Layer7/linux-2.6.24.4.tar.bz2
#tar -jxvf /usr/local/src/Layer7/iptables-1.4.0.tar.bz2
#tar -zxvf /usr/local/src/Layer7/netfilter-layer7-v2.17.tar.gz
#tar -zxvf /usr/local/src/Layer7/l7-protocols-2008-02-20.tar.gz
Step 3: add Layer7 to the new kernel and compile it:
For convenience, create a symbolic link and enter the new kernel source directory:
#ln -s linux-2.6.24 linux
#cd linux
If you want to carry over the module features of your old kernel, copy /boot/config-<kernel-version> into the current kernel directory and name it .config:
#cp /boot/config-2.6.18-6-686 ./.config
Apply the layer7 patch to the kernel source:
#patch -p1 < ../netfilter-layer7-v2.17/kernel-2.6.22-2.6.24-layer7-2.17.patch
The result:
patching file net/netfilter/Kconfig
patching file net/netfilter/Makefile
patching file net/netfilter/xt_layer7.c
patching file net/netfilter/regexp/regexp.c
patching file net/netfilter/regexp/regexp.h
patching file net/netfilter/regexp/regmagic.h
patching file net/netfilter/regexp/regsub.c
patching file net/netfilter/nf_conntrack_core.c
patching file net/netfilter/nf_conntrack_standalone.c
patching file include/net/netfilter/nf_conntrack.h
patching file include/linux/netfilter/xt_layer7.h
Select layer7 and the related modules for the kernel:
#make menuconfig
The options are as follows:
General setup --->
    [*] Prompt for development and/or incomplete code/drivers
Networking ---> Networking options --->
    [*] Network packet filtering framework (Netfilter) --->
        Core Netfilter Configuration --->
            <M> Netfilter connection tracking support
            -*- Connection tracking flow accounting
            -*- Connection mark tracking support
            [*] Connection tracking security mark support
            [*] Connection tracking events (EXPERIMENTAL)
            <M> SCTP protocol connection tracking support (EXPERIMENTAL)
            <M> UDP-Lite protocol connection tracking support (EXPERIMENTAL)
            <M> Amanda backup protocol support
            <M> FTP protocol support
            <M> H.323 protocol support (EXPERIMENTAL)
            <M> IRC protocol support
            <M> NetBIOS name service protocol support (EXPERIMENTAL)
            <M> PPtP protocol support
            <M> SANE protocol support (EXPERIMENTAL)
            <M> SIP protocol support (EXPERIMENTAL)
            <M> TFTP protocol support
            <M> Connection tracking netlink interface (EXPERIMENTAL)
            {M} Netfilter Xtables support (required for ip_tables)
            <M> "CLASSIFY" target support
            <M> "CONNMARK" target support
            <M> "DSCP" target support
            <M> "MARK" target support
            <M> "NFQUEUE" target support
            <M> "NFLOG" target support
            <M> "NOTRACK" target support
            <M> "TRACE" target support
            <M> "SECMARK" target support
            <M> "CONNSECMARK" target support
            <M> "TCPMSS" target support
            <M> "comment" match support
            <M> "connbytes" per-connection counter match support
            <M> "connlimit" match support
            <M> "connmark" connection mark match support
            <M> "conntrack" connection tracking match support
            <M> "DCCP" protocol match support
            <M> "DSCP" match support
            <M> "ESP" match support
            <M> "helper" match support
            <M> "length" match support
            <M> "limit" match support
            <M> "mac" address match support
            <M> "mark" match support
            <M> IPsec "policy" match support
            <M> Multiple port match support
            <M> "physdev" match support
            <M> "pkttype" packet type match support
            <M> "quota" match support
            <M> "realm" match support
            <M> "sctp" protocol match support (EXPERIMENTAL)
            <M> "state" match support
            <M> "layer7" match support
            [*]   Layer 7 debugging output
            <M> "statistic" match support
            <M> "string" match support
            <M> "tcpmss" match support
            <M> "time" match support
            <M> "u32" match support
            <M> "hashlimit" match support
        IP: Netfilter Configuration --->
            <M> IPv4 connection tracking support (required for NAT)
            [*]   proc/sysctl compatibility with old connection tracking (NEW)
            <M> IP Userspace queueing via NETLINK (OBSOLETE)
            <M> IP tables support (required for filtering/masq/NAT)
            <M> IP range match support
            <M> TOS match support
            <M> recent match support
            <M> ECN match support
            <M> AH match support
            <M> TTL match support
            <M> Owner match support
            <M> address type match support
            <M> Packet filtering
            <M> REJECT target support
            <M> LOG target support
            <M> ULOG target support
            <M> Full NAT (NEW)
            <M> MASQUERADE target support
            <M> REDIRECT target support
            <M> NETMAP target support
            <M> SAME target support (OBSOLETE)
            <M> Basic SNMP-ALG support (EXPERIMENTAL)
            <M> Packet mangling
            <M> TOS target support
Note: at first I could not find the two entries <M> "layer7" match support and [*] Layer 7 debugging output, and wasted a lot of time. It turned out they belong under <M> Netfilter connection tracking support, so you must select Netfilter connection tracking support first; only then do Layer7 and the related entries appear below it.
The time module is what lets iptables control things such as the hours during which users may go online; it is the time-control module.
After "EXIT"ing step by step you will be asked whether to save the changes you just made; choose "YES".
Note:
In the usual Red Hat-style build you compile with make and related commands, but here we use Debian's dedicated tool make-kpkg. I assume it is built on top of make and adapted for Debian users, since Debian's kernel boot parameters differ from other systems. The packages installed at the start of this article (#apt-get install debhelper modutils kernel-package libncurses5-dev fakeroot) are needed for this step.
Clean the source tree and reset the kernel-package settings:
#make-kpkg clean
Then compile and build the .deb package for installation:
#fakeroot make-kpkg --append_to_version -686 --initrd --revision=2.6.24 kernel_image modules_image
Note: fakeroot switches into a root-like environment. You need it if your current user is not root; otherwise it can be omitted.
Building the kernel with make-kpkg seems to save many steps compared with the old way; worth looking into when I have time.
This step takes a long time, for the compilation and the work after it, depending on your machine. An ordinary 1.7GHz machine with 128MB RAM needs about 2 hours, so make a cup of tea and do something else. On a Celeron 533 with 128MB that I found it seemed to take over 6 hours, frustrating...
--revision=2.6.24 sets the version number of the new kernel
--append_to_version -686 sets the kernel's sub-version suffix
.........................
Drinking tea, watching the football on TV...
.........................
Well, on my old PC [Intel(R) Celeron(TM) CPU 1100MHz, 128MB, i810 board] this step took me 3 hours!
When compilation finishes, linux-image-2.6.24-686_2.6.24_i386.deb is generated under /usr/src/kernels, i.e. in the directory above the new kernel source.
Install the new kernel:
#dpkg -i linux-image-2.6.24-686_2.6.24_i386.deb
This installs the new kernel in place and adds entries for it to /boot/grub/menu.lst:
title Debian GNU/Linux, kernel 2.6.24-686
root (hd0,0)
kernel /boot/vmlinuz-2.6.24-686 root=/dev/hda1 ro
initrd /boot/initrd.img-2.6.24-686
savedefault
title Debian GNU/Linux, kernel 2.6.24-686 (single-user mode)
root (hd0,0)
kernel /boot/vmlinuz-2.6.24-686 root=/dev/hda1 ro single
initrd /boot/initrd.img-2.6.24-686
savedefault
These two entries are placed at the top, which means that if we leave the file alone, the new kernel will be booted next time.
Step 4: patch iptables and install it...
Enter the iptables source directory:
#cd /usr/src/kernels/iptables-1.4.0
Apply the patch to the source:
#patch -p1 < ../netfilter-layer7-v2.17/iptables-1.4-for-kernel-2.6.20forward-layer7-2.17.patch
The result:
patching file extensions/libipt_layer7.c
patching file extensions/libipt_layer7.man
patching file extensions/.layer7-test
Set the KERNEL_DIR and IPTABLES_DIR environment variables, then compile and install:
#export KERNEL_DIR=/usr/src/kernels/linux
#export IPTABLES_DIR=/usr/src/kernels/iptables-1.4.0
#chmod +x extensions/.layer7-test
#make
#make install
Install the Layer7 (layer 7) protocol definition files. /* Layer 7 of TCP/IP is the application layer, i.e. the layer designed around network application software such as QQ and MSN... */
When using the layer7 module, refer to the definitions under /etc/l7-protocols; the signatures of the various protocols, such as QQ and MSN, all live in that directory:
#cd /usr/src/kernels/l7-protocols-2008-02-20/
#make install
Output:
mkdir -p /etc/l7-protocols
cp -R * /etc/l7-protocols
The output shows what it does.
Now the new kernel is built and iptables is installed, so we can reboot.
After rebooting, the new kernel and iptables are in use and we can test whether they work properly.
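To make concrete what the rules in this article match on, here is an added illustration (not code from l7-filter or from this article) of how the layer7 match classifies a connection from a .pat file: comment lines, then the protocol name, then one regular expression, applied to the start of the connection's data. The two pattern files, the sample packets and the 10-packet / 2048-byte window are constructed assumptions for this model, and Python's re stands in for the kernel's regexp engine.

```python
"""Model of how the layer7 match classifies a connection from /etc/l7-protocols.

Added example, not code from l7-filter or this article. Assumptions: Python's
re stands in for the kernel regexp engine, and the inspection window is the
first 10 packets or 2048 bytes of a connection (constructed limits).
"""
import re

NUMPACKETS = 10    # assumed: packets inspected per connection before giving up
MAXDATALEN = 2048  # assumed: bytes buffered per connection

# Constructed, simplified .pat files; the real l7-protocols patterns are longer.
PAT_FILES = {
    "bittorrent.pat": r"""# BitTorrent (simplified, constructed for this example)
bittorrent
^\x13bittorrent protocol
""",
    "http.pat": r"""# HTTP (simplified, constructed for this example)
http
http/(0\.9|1\.0|1\.1)[\x09-\x0d ][1-5][0-9][0-9]|^(get|post) [\x09-\x0d -~]* http/[01]\.[019]
""",
}


def parse_pat(text):
    """Parse one .pat file: skip '#' comments and 'userspace' lines; the
    first remaining line is the protocol name, the second is its regex."""
    lines = [ln.strip() for ln in text.splitlines()]
    lines = [ln for ln in lines
             if ln and not ln.startswith("#") and not ln.startswith("userspace")]
    if len(lines) < 2:
        raise ValueError("pattern file needs a name line and a pattern line")
    return lines[0], re.compile(lines[1], re.DOTALL)


def classify(packets, patterns):
    """Buffer the start of a connection (first NUMPACKETS packets, at most
    MAXDATALEN bytes) and return the first protocol whose regex matches,
    else None.  The kernel module strips NUL bytes and lower-cases the data
    before matching, so the model does the same."""
    buf = b"".join(packets[:NUMPACKETS])[:MAXDATALEN]
    data = buf.replace(b"\x00", b"").decode("latin-1").lower()
    for name, regex in patterns:
        if regex.search(data):
            return name
    return None


PATTERNS = [parse_pat(text) for text in PAT_FILES.values()]

# Constructed sample connections (payload bytes only, one entry per packet).
BT_HANDSHAKE = [b"\x13BitTorrent protocol" + b"\x00" * 8 + b"i" * 20 + b"p" * 20]
HTTP_GET = [b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"]
SSH_BANNER = [b"SSH-2.0-OpenSSH_4.3\r\n"]

if __name__ == "__main__":
    for label, conn in (("bt", BT_HANDSHAKE), ("http", HTTP_GET), ("ssh", SSH_BANNER)):
        print(label, "->", classify(conn, PATTERNS))
    # Data that only appears after the inspection window is never classified:
    # the rule cannot DROP what the pattern never sees.
    late = [b"x" * 10] * NUMPACKETS + BT_HANDSHAKE
    print("late handshake ->", classify(late, PATTERNS))
```

The last case is the practical caveat: a layer7 rule only decides on the first packets of a flow, so anything the pattern does not see inside that window passes unclassified.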
#shutdown -r now
Step 5: testing
First check that the kernel and iptables versions are the ones we just built:
#uname -a
Linux aaa.aa.com 2.6.241980 #1 SMP Sun Aug 3 09:43:54 CST 2008 i686 GNU/Linux
#iptables -V
iptables v1.4.0
Next test whether the iptables layer7 match is available:
# iptables -m layer7 --help
iptables v1.4.0
Usage: iptables -[AD] chain rule-specification [options]
iptables -[RI] chain rulenum rule-specification [options]
iptables -D chain rulenum [options]
iptables -[LFZ] [chain] [options]
iptables -[NX] chain
iptables -E old-chain-name new-chain-name
iptables -P chain target [options]
iptables -h (print this help information)
Commands:
Either long or short options are allowed.
--append -A chain Append to chain
--delete -D chain Delete matching rule from chain
--delete -D chain rulenum
Delete rule rulenum (1 = first) from chain
--insert -I chain [rulenum]
Insert in chain as rulenum (default 1=first)
--replace -R chain rulenum
Replace rule rulenum (1 = first) in chain
--list -L [chain] List the rules in a chain or all chains
--flush -F [chain] Delete all rules in chain or all chains
--zero -Z [chain] Zero counters in chain or all chains
--new -N chain Create a new user-defined chain
--delete-chain
-X [chain] Delete a user-defined chain
--policy -P chain target
Change policy on chain to target
--rename-chain
-E old-chain new-chain
Change chain name, (moving any references)
Options:
--proto -p [!] proto protocol: by number or name, eg. `tcp'
--source -s [!] address[/mask]
source specification
--destination -d [!] address[/mask]
destination specification
--in-interface -i [!] input name[+]
network interface name ([+] for wildcard)
--jump -j target
target for rule (may load target extension)
--goto -g chain
jump to chain with no return
--match -m match
extended match (may load extension)
--numeric -n numeric output of addresses and ports
--out-interface -o [!] output name[+]
network interface name ([+] for wildcard)
--table -t table table to manipulate (default: `filter')
--verbose -v verbose mode
--line-numbers print line numbers when listing
--exact -x expand numbers (display exact values)
[!] --fragment -f match second or further fragments only
--modprobe=<command> try to insert modules using this command
--set-counters PKTS BYTES set the counter during insert/append
[!] --version -V print package version.
LAYER7 match v1.4.0 options:
--l7dir <directory> : Look for patterns here instead of /etc/l7-protocols/
(--l7dir must be specified before --l7proto if used!)
--l7proto [!] <name> : Match the protocol defined in /etc/l7-protocols/name.pat
Before the layer7 module was added, the situation was:
#iptables -m layer7 --help
iptables v1.3.6: Couldn't load match `layer7':/lib/iptables/libipt_layer7.so: cannot open shared object file: No such file or directory
Try `iptables -h' or 'iptables --help' for more information.
This shows everything is working.
Now test whether MSN and QQ can be blocked [using this machine as a router, blocking the MSN and QQ packets that pass through it]:
MSN, QQ & bt:
# iptables -t mangle -I PREROUTING -m layer7 --l7proto msnmessenger -j DROP (block MSN)
# iptables -t mangle -I PREROUTING -m layer7 --l7proto bittorrent -j DROP (block BT)
# iptables -t mangle -I PREROUTING -m layer7 --l7proto qq -j DROP (block QQ messaging)
Check the result:
# iptables -L -t mangle
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DROP all -- anywhere anywhere LAYER7 l7proto bittorrent
DROP all -- anywhere anywhere LAYER7 l7proto qq
DROP all -- anywhere anywhere LAYER7 l7proto msnmessenger
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN tcpmss match 1400:1536 TCPMSS clamp to PMTU
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
Then try logging in to MSN, QQ and your BT client; if they cannot get online, congratulations, it worked...