L7-filter (Application Layer Packet Classifier for Linux) is an add-on module for Linux netfilter. It lets iptables match on Layer 7 (application-layer) content, so P2P and instant-messaging traffic can be restricted or blocked.
Centos 4.4
Kernel 2.6.9-42.0.3.EL
Iptables 1.2.11
1. Download the required packages:
kernel 2.6.19.7
# wget http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.19.7.tar.bz2
iptables 1.3.7
# wget http://www.netfilter.org/projects/iptables/files/iptables-1.3.7.tar.bz2
L7-filter http://sourceforge.net/project/showfiles.php?group_id=80085
netfilter-layer7-v2.12.tar.gz
l7-protocols-2007-06-22.tar.gz
2. Configure and compile the new kernel
First place all the downloaded packages under /usr/src.
# tar zxvf netfilter-layer7-v2.12.tar.gz
# tar xjvf linux-2.6.19.7.tar.bz2
# ln -s linux-2.6.19.7 linux
# cd linux
# patch -p1 < /usr/src/netfilter-layer7-v2.9/kernel-2.6.18-2.6.19-layer7-2.9.patch (apply the L7-filter kernel patch; the path names v2.9 while v2.12 was downloaded above, so use the kernel patch shipped in the version you actually extracted)
# make oldconfig
(If you have compiled in this tree before, run make mrproper first. make oldconfig compares against the previous kernel config and generates a new one from it, so when building the new kernel you do not have to redo every kernel setting from scratch.)
# make menuconfig    (set the kernel options; for details see the article 内核编译详解, "Kernel compilation explained")
The layout of the options differs between kernel versions, but with a careful look you will find:
Code maturity level options --->
    [*] Prompt for development and/or incomplete code/drivers
Networking --->
    Networking options --->
        [*] Network packet filtering (replaces ipchains) --->
            IP: Netfilter Configuration --->
                <M> Connection tracking (required for masq/NAT)
                [*]   Connection tracking flow accounting
                <M> IP tables support (required for filtering/masq/NAT)
                <M>   Layer 7 match support
# make
# make modules
# make modules_install
# make install
# reboot
# uname -a
Linux jason.10235 2.6.19.7 #1 Fri Jul 6 11:56:11 CST 2007 i686 i686 i386 GNU/Linux
The system is now running the new kernel 2.6.19.7.
3. Upgrade iptables and apply the Layer 7 patch
# cd /usr/src
# tar xjvf iptables-1.3.7.tar.bz2
# cd iptables-1.3.7
# patch -p1 < ../netfilter-layer7-v2.0/iptables-layer7-2.0.patch (use the iptables patch from the netfilter-layer7 version you extracted)
# chmod +x extensions/.layer7-test
# export KERNEL_DIR=/usr/src/linux-2.6.19.7
# export IPTABLES_DIR=/usr/src/iptables-1.3.7
# make BINDIR=/sbin LIBDIR=/lib MANDIR=/usr/share/man install
# iptables -V
iptables v1.3.7    (iptables is now at the new version)
4. Install the Layer 7 protocol definition files
# cd /usr/src
# tar zxvf l7-protocols-2007-06-22.tar.gz
# cd l7-protocols-2007-06-22
# make install
5. Use the iptables layer-7 filter:
# iptables -t mangle -I PREROUTING -m layer7 --l7proto edonkey -j DROP (block eDonkey)
# iptables -t mangle -I PREROUTING -m layer7 --l7proto bittorrent -j DROP (block BitTorrent)
# iptables -t mangle -I PREROUTING -m layer7 --l7proto qq -j DROP (block QQ messaging)
# iptables -t mangle -I PREROUTING -m layer7 --l7proto msnmessenger -j DROP (block MSN Messenger)
# iptables -t mangle -I PREROUTING -m layer7 --l7proto xunlei -j DROP (block Xunlei)
# iptables -t mangle -I PREROUTING -m layer7 --l7proto kugoo -j DROP (block Kugoo)
# iptables -t mangle -I PREROUTING -m layer7 --l7proto yahoo -j DROP (block Yahoo! Messenger)
How to block MSN file transfers
This is done with the iptables layer-7 match:
iptables -A FORWARD -m layer7 --l7proto msn-filetransfer -j DROP
Reposted article 1:
Author: 何祖彬 [RobinHe]    Mail: [email protected]
Started on the morning of 3 August 2008
Version: KernelLayer7-V1.0-20080803, first edition 3 August 2008
Please credit the source when reposting. This article reuses most of the content of two other users' posts, so when reposting please also include the sources listed under "Reference articles" below. Thanks!
This article will inevitably contain gaps, omissions, typos and awkward sentences; if you find any, or have updates, please contact me so it can be corrected and improved.
System information:
OS: Debian 4.0 rc3
Notes on reading:
Most of the green bold text is the commands entered and the system output they produced.
Reference articles:
实作 Layer 7 封包过滤 (Implementing Layer 7 packet filtering)
http://ms.ntcb.edu.tw/~steven/article/kernel-layer7-filter.htm
Thanks to Steven!
Debian Linux系统编译内核标准方式介绍 (The standard way to compile a kernel on Debian Linux)
http://tech.itzero.com/2008/0728/article_38241.html
升级、编译自己的内核—— Debian篇 (Upgrading and compiling your own kernel: Debian edition)
http://fanqiang.chinaunix.net/system/linux/2005-05-02/3211.shtml
Step 1: download and install the required tools and related software:
#apt-get install debhelper modutils kernel-package libncurses5-dev fakeroot
#apt-get install gcc g++ make
Note:
Kernel compilation on Debian differs from Red Hat: it needs the make-kpkg command (and optionally fakeroot), so the packages above must be installed first.
Since I also want to install MySQL, PHP, Apache and so on, I install their dependencies and some common tools as well:
#apt-get install vim elinks gcc g++ make libncurses5-dev libpng12-dev libjpeg62-dev zlib1g-dev libxml2-dev
Step 2: download the required source packages and extract them into place:
To compile a kernel with the layer7 module you need the source code of:
linux kernel source
iptables source
l7-filter patch
l7-filter protocols
The versions I chose are:
kernel: 2.6.24
iptables: 1.4.0
l7-filter patch: 2.17
l7-filter protocols: 2008-02-20
The full download commands:
root # wget ftp://ftp.tw.kernel.org/pub/linux/kernel/v2.6/linux-2.6.24.4.tar.bz2
root # wget ftp://ftp.netfilter.org/pub/iptables/iptables-1.4.0.tar.bz2
root # wget http://nchc.dl.sourceforge.net/sourceforge/l7-filter/netfilter-layer7-v2.17.tar.gz
root # wget http://nchc.dl.sourceforge.net/sourceforge/l7-filter/l7-protocols-2008-02-20.tar.gz
Or download all the archives at once from our own server:
http://pt.cjcht.com:85/l7.tar.gz    // about 60 MB; it also contains two newer versions of the software that I have not used yet. Try them yourself when you have time; here I use the same versions as Steven.
By habit I extract these packages under /usr/local/src/Layer7.
Since this is a new kernel build, I like to keep the kernel source under /usr/src in a new directory called kernels; Steven's habit is a good one and I will adopt it from now on!
#cd /usr/src
#mkdir kernels
#cd kernels
Extract the packages into /usr/src/kernels:
#tar -jxvf /usr/local/src/Layer7/linux-2.6.24.4.tar.bz2
#tar -zxvf /usr/local/src/Layer7/iptables-1.4.0.tar.gz
#tar -zxvf /usr/local/src/Layer7/netfilter-layer7-v2.17.tar.gz
#tar -zxvf /usr/local/src/Layer7/l7-protocols-2008-02-20.tar.gz
Step 3: add Layer7 to the new kernel and compile it:
For convenience, create a symbolic link and enter the new kernel source directory:
#ln -s linux-2.6.24 linux
#cd linux
If you want to keep the module functionality of your old kernel, copy /boot/config-<kernel-version> into the current kernel directory and name it .config:
#cp /boot/config-2.6.18-6-686 ./.config
Apply the layer7 patch to the kernel source:
#patch -p1 < ../netfilter-layer7-v2.17/kernel-2.6.22-2.6.24-layer7-2.17.patch
Result:
patching file net/netfilter/Kconfig
patching file net/netfilter/Makefile
patching file net/netfilter/xt_layer7.c
patching file net/netfilter/regexp/regexp.c
patching file net/netfilter/regexp/regexp.h
patching file net/netfilter/regexp/regmagic.h
patching file net/netfilter/regexp/regsub.c
patching file net/netfilter/nf_conntrack_core.c
patching file net/netfilter/nf_conntrack_standalone.c
patching file include/net/netfilter/nf_conntrack.h
patching file include/linux/netfilter/xt_layer7.h
Select layer7 and the related modules for the kernel:
#make menuconfig
Options:
General setup --->
    [*] Prompt for development and/or incomplete code/drivers
Networking --->
    Networking options --->
        [*] Network packet filtering framework (Netfilter) --->
            Core Netfilter Configuration --->
                <M> Netfilter connection tracking support
                -*-   Connection tracking flow accounting
                -*-   Connection mark tracking support
                [*]   Connection tracking security mark support
                [*]   Connection tracking events (EXPERIMENTAL)
                <M>   SCTP protocol connection tracking support (EXPERIMENTAL)
                <M>   UDP-Lite protocol connection tracking support (EXPERIMENTAL)
                <M>   Amanda backup protocol support
                <M>   FTP protocol support
                <M>   H.323 protocol support (EXPERIMENTAL)
                <M>   IRC protocol support
                <M>   NetBIOS name service protocol support (EXPERIMENTAL)
                <M>   PPtP protocol support
                <M>   SANE protocol support (EXPERIMENTAL)
                <M>   SIP protocol support (EXPERIMENTAL)
                <M>   TFTP protocol support
                <M>   Connection tracking netlink interface (EXPERIMENTAL)
                {M} Netfilter Xtables support (required for ip_tables)
                <M>   "CLASSIFY" target support
                <M>   "CONNMARK" target support
                <M>   "DSCP" target support
                <M>   "MARK" target support
                <M>   "NFQUEUE" target Support
                <M>   "NFLOG" target support
                <M>   "NOTRACK" target support
                <M>   "TRACE" target support
                <M>   "SECMARK" target support
                <M>   "CONNSECMARK" target support
                <M>   "TCPMSS" target support
                <M>   "comment" match support
                <M>   "connbytes" per-connection counter match support
                <M>   "connlimit" match support
                <M>   "connmark" connection mark match support
                <M>   "conntrack" connection tracking match support
                <M>   "DCCP" protocol match support
                <M>   "DSCP" match support
                <M>   "ESP" match support
                <M>   "helper" match support
                <M>   "length" match support
                <M>   "limit" match support
                <M>   "mac" address match support
                <M>   "mark" match support
                <M>   IPsec "policy" match support
                <M>   Multiple port match support
                <M>   "physdev" match support
                <M>   "pkttype" packet type match support
                <M>   "quota" match support
                <M>   "realm" match support
                <M>   "sctp" protocol match support (EXPERIMENTAL)
                <M>   "state" match support
                <M>   "layer7" match support
                [*]     Layer 7 debugging output
                <M>   "statistic" match support
                <M>   "string" match support
                <M>   "tcpmss" match support
                <M>   "time" match support
                <M>   "u32" match support
                <M>   "hashlimit" match support
            IP: Netfilter Configuration --->
                <M> IPv4 connection tracking support (required for NAT)
                [*]   proc/sysctl compatibility with old connection tracking (NEW)
                <M> IP Userspace queueing via NETLINK (OBSOLETE)
                <M> IP tables support (required for filtering/masq/NAT)
                <M>   IP range match support
                <M>   TOS match support
                <M>   recent match support
                <M>   ECN match support
                <M>   AH match support
                <M>   TTL match support
                <M>   Owner match support
                <M>   address type match support
                <M>   Packet filtering
                <M>     REJECT target support
                <M>   LOG target support
                <M>   ULOG target support
                <M>   Full NAT (NEW)
                <M>     MASQUERADE target support
                <M>     REDIRECT target support
                <M>     NETMAP target support
                <M>     SAME target support (OBSOLETE)
                <M>   Basic SNMP-ALG support (EXPERIMENTAL)
                <M>   Packet mangling
                <M>     TOS target support
Note: at first I could not find <M> "layer7" match support and [*] Layer 7 debugging output at all and wasted a lot of time. It turned out that these two options belong under <> Netfilter connection tracking support, so you must first select <M> Netfilter connection tracking support before Layer7 and its related modules appear below it!
The time module is what lets iptables control things such as Internet access by time of day; it is the time-control module.
After pressing "EXIT" step by step, you are asked whether to save the changes you just made; choose "YES"!
Note:
On Red Hat and other distributions you would compile with make and the related commands, but here we need Debian's dedicated tool make-kpkg. I assume it is also built on make, just wrapped for the convenience of Debian users, since Debian's kernel boot parameters differ from other systems. The packages installed at the start of this article (#apt-get install debhelper modutils kernel-package libncurses5-dev fakeroot) were for this step.
Clean the source tree and reset the kernel-package parameters:
#make-kpkg clean
Then compile and generate the .deb packages to install from:
#fakeroot make-kpkg --append_to_version -686 --initrd --revision=2.6.24 kernel_image modules_image
Note: fakeroot provides a simulated root environment; if your current user is not root you need this command, otherwise it can be left out.
make-kpkg seems to save many steps compared with the old way of compiling a kernel; worth looking into when I have time!
This step takes a long time for the compilation and the work that follows, depending on your machine. An ordinary machine (1.7 GHz, 128 MB RAM) needs about 2 hours, so go make a cup of tea and do something else. On a Celeron 533 with 128 MB that I found, the build seemed to take more than 6 hours, ugh...
--revision=2.6.24 specifies the version number of the new kernel
--append_to_version -686 specifies the kernel sub-version
.........................
Drinking tea, watching the football match on TV...
.........................
Alas, my old PC [Intel(R) Celeron(TM) CPU 1100MHz, 128MB, i810 board] took 3 hours for this step!
When the compilation finishes, linux-image-2.6.24-686_2.6.24_i386.deb is generated in /usr/src/kernels, i.e. the parent directory of the new kernel source!
Install the new kernel:
#dpkg -i linux-image-2.6.24-686_2.6.24_i386.deb
This installs the new kernel in the proper locations and adds entries for it to /boot/grub/menu.lst:
title Debian GNU/Linux, kernel 2.6.24-686
root (hd0,0)
kernel /boot/vmlinuz-2.6.24-686 root=/dev/hda1 ro
initrd /boot/initrd.img-2.6.24-686
savedefault
title Debian GNU/Linux, kernel 2.6.24-686 (single-user mode)
root (hd0,0)
kernel /boot/vmlinuz-2.6.24-686 root=/dev/hda1 ro single
initrd /boot/initrd.img-2.6.24-686
savedefault
These two entries are placed at the top, which means that if we leave this file alone, the new kernel will be booted next time!
Step 4: patch iptables and install it...
Enter the iptables source directory:
#cd /usr/src/kernels/iptables-1.4.0
Apply the patch to the source:
#patch -p1 < ../netfilter-layer7-v2.17/iptables-1.4-for-kernel-2.6.20forward-layer7-2.17.patch
Result:
patching file extensions/libipt_layer7.c
patching file extensions/libipt_layer7.man
patching file extensions/.layer7-test
Set the KERNEL_DIR and IPTABLES_DIR environment variables, then compile and install:
#export KERNEL_DIR=/usr/src/kernels/linux
#export IPTABLES_DIR=/usr/src/kernels/iptables-1.4.0
#chmod +x extensions/.layer7-test
#make
#make install
Install the Layer 7 protocol definition files (layer 7 of TCP/IP is the application layer, the layer of network applications such as QQ and MSN):
When using the layer7 module, refer to the definitions under /etc/l7-protocols; the signatures of the various protocols, such as QQ and MSN, are in that directory:
#cd /usr/src/kernels/l7-protocols-2008-02-20/
#make install
Output:
mkdir -p /etc/l7-protocols
cp -R * /etc/l7-protocols
The output shows exactly what it does!
With the new kernel and iptables both in place, we can reboot!
After rebooting, the new kernel and iptables are in use, and we can test whether they work properly!
#shutdown -r now
Step 5: testing
First check that the kernel and iptables versions are the ones we just built:
#uname -a
Linux aaa.aa.com 2.6.241980 #1 SMP Sun Aug 3 09:43:54 CST 2008 i686 GNU/Linux
#iptables -V
iptables v1.4.0
Then test whether the iptables layer7 match is usable:
# iptables -m layer7 --help
iptables v1.4.0
Usage: iptables -[AD] chain rule-specification [options]
iptables -[RI] chain rulenum rule-specification [options]
iptables -D chain rulenum [options]
iptables -[LFZ] [chain] [options]
iptables -[NX] chain
iptables -E old-chain-name new-chain-name
iptables -P chain target [options]
iptables -h (print this help information)
Commands:
Either long or short options are allowed.
--append -A chain Append to chain
--delete -D chain Delete matching rule from chain
--delete -D chain rulenum
Delete rule rulenum (1 = first) from chain
--insert -I chain [rulenum]
Insert in chain as rulenum (default 1=first)
--replace -R chain rulenum
Replace rule rulenum (1 = first) in chain
--list -L [chain] List the rules in a chain or all chains
--flush -F [chain] Delete all rules in chain or all chains
--zero -Z [chain] Zero counters in chain or all chains
--new -N chain Create a new user-defined chain
--delete-chain
-X [chain] Delete a user-defined chain
--policy -P chain target
Change policy on chain to target
--rename-chain
-E old-chain new-chain
Change chain name, (moving any references)
Options:
--proto -p [!] proto protocol: by number or name, eg. `tcp'
--source -s [!] address[/mask]
source specification
--destination -d [!] address[/mask]
destination specification
--in-interface -i [!] input name[+]
network interface name ([+] for wildcard)
--jump -j target
target for rule (may load target extension)
--goto -g chain
jump to chain with no return
--match -m match
extended match (may load extension)
--numeric -n numeric output of addresses and ports
--out-interface -o [!] output name[+]
network interface name ([+] for wildcard)
--table -t table table to manipulate (default: `filter')
--verbose -v verbose mode
--line-numbers print line numbers when listing
--exact -x expand numbers (display exact values)
[!] --fragment -f match second or further fragments only
--modprobe=<command> try to insert modules using this command
--set-counters PKTS BYTES set the counter during insert/append
[!] --version -V print package version.
LAYER7 match v1.4.0 options:
--l7dir <directory> : Look for patterns here instead of /etc/l7-protocols/
(--l7dir must be specified before --l7proto if used!)
--l7proto [!] <name> : Match the protocol defined in /etc/l7-protocols/name.pat
Before the layer7 module was added, it looked like this:
#iptables -m layer7 --help
iptables v1.3.6: Couldn't load match `layer7':/lib/iptables/libipt_layer7.so: cannot open shared object file: No such file or directory
Try `iptables -h' or 'iptables --help' for more information.
So everything is working normally.
Now test whether MSN and QQ can be blocked (using this machine as a router, blocking the MSN and QQ packets that pass through it):
MSN, QQ & bt:
# iptables -t mangle -I PREROUTING -m layer7 --l7proto msnmessenger -j DROP (block MSN)
# iptables -t mangle -I PREROUTING -m layer7 --l7proto bittorrent -j DROP (block BitTorrent)
# iptables -t mangle -I PREROUTING -m layer7 --l7proto qq -j DROP (block QQ messaging)
Check the result:
# iptables -L -t mangle
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DROP all -- anywhere anywhere LAYER7 l7proto bittorrent
DROP all -- anywhere anywhere LAYER7 l7proto qq
DROP all -- anywhere anywhere LAYER7 l7proto msnmessenger
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN tcpmss match 1400:1536 TCPMSS clamp to PMTU
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
Now try logging in to MSN, QQ and your BT client; if they cannot connect, congratulations, it works...
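An added example, not from the original post, for the rule-loading step shown in both parts above: a POSIX sh helper that resolves every --l7proto NAME to NAME.pat in the pattern directory (which is how the layer7 match looks protocols up) before printing a rate-limited LOG rule and the DROP rule, so a misspelled protocol name is caught before the firewall is touched. The pattern directory, its placeholder .pat files and the log prefix are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post. It prints (does not run) the
# iptables commands for a block list, after checking that every
# --l7proto NAME has a matching NAME.pat in the pattern directory.

# Usage: l7_block_rules DIR PROTO...   -> rules on stdout
# Protocols without a pattern file are reported on stderr and skipped.
l7_block_rules() {
    l7dir=$1
    shift
    for proto in "$@"; do
        if [ ! -r "$l7dir/$proto.pat" ]; then
            echo "# skipped $proto: no $l7dir/$proto.pat" >&2
            continue
        fi
        # Log a rate-limited sample first so blocked sessions show up in
        # the kernel log, then drop. -A keeps the order as listed; -I
        # (used in the post) puts each new rule above the previous one.
        # --l7dir must precede --l7proto, as the match's help output says.
        echo "iptables -t mangle -A PREROUTING -m layer7 --l7dir $l7dir" \
             "--l7proto $proto -m limit --limit 6/min" \
             "-j LOG --log-prefix \"L7-$proto: \""
        echo "iptables -t mangle -A PREROUTING -m layer7 --l7dir $l7dir" \
             "--l7proto $proto -j DROP"
    done
}

# Constructed pattern directory for the demo; the real files come from
# `make install` in l7-protocols and live under /etc/l7-protocols.
l7_demo_dir() {
    d=$(mktemp -d)
    for p in bittorrent qq msnmessenger; do
        # A .pat file holds the protocol name on one line and the regex
        # on the next; '.*' is only a placeholder here.
        printf '%s\n%s\n' "$p" '.*' > "$d/$p.pat"
    done
    echo "$d"
}

# Demo run: the third name is misspelled on purpose and gets skipped.
if [ "${L7_DEMO:-0}" = 1 ]; then
    dir=$(l7_demo_dir)
    l7_block_rules "$dir" bittorrent qq msnmesenger
    rm -rf "$dir"
fi
```

Run with L7_DEMO=1 to see the generated rules; on the router, review the output and then pipe it to sh.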