scholarzhang: compiling and installing on Ubuntu 9.10, a hands-on record

By Zhou Haihan (周海漢)


Download the source:
xxx@yyy:~$ svn checkout http://scholarzhang.googlecode.com/svn/trunk/ scholarzhang-read-only

Environment:
xxx@yyy:~/scholarzhang-read-only/west-chamber$ iptables --version
iptables v1.4.4
xxx@yyy:~/scholarzhang-read-only/west-chamber$ uname -a
Linux zhh64 2.6.31-20-generic #58-Ubuntu SMP Fri Mar 12 04:38:19 UTC 2010 x86_64 GNU/Linux

Build:
autoconf, automake and libtool need to be downloaded and installed first.
xxx@yyy:~/scholarzhang-read-only/west-chamber$ ./autogen.sh
./autogen.sh: line 3: autoreconf:找不到命令
xxx@yyy:~/scholarzhang-read-only/west-chamber$ autoconf
程序“autoconf”已包含在下列軟件包中:
 * autoconf
 * autoconf2.13
請嘗試:sudo apt-get install <選定的軟件包>
autoconf: command not found
xxx@yyy:~/scholarzhang-read-only/west-chamber$ sudo apt-get install autoconf
xxx@yyy:~/scholarzhang-read-only/west-chamber$ ./autogen.sh
Can't exec "libtoolize": 沒有那個文件或目錄 at /usr/bin/autoreconf line 190.
Use of uninitialized value $libtoolize in pattern match (m//) at /usr/bin/autoreconf line 190.
configure.ac:9: error: possibly undefined macro: AC_DISABLE_STATIC
      If this token and others are legitimate, please use m4_pattern_allow.
      See the Autoconf documentation.
configure.ac:10: error: possibly undefined macro: AC_PROG_LIBTOOL
autoreconf: /usr/bin/autoconf failed with exit status: 1

xxx@yyy:~/scholarzhang-read-only/west-chamber$ sudo apt-get install libtool
將會安裝下列額外的軟件包:
  libltdl-dev
建議安裝的軟件包:
  libtool-doc gfortran fortran95-compiler gcj
下列【新】軟件包將被安裝:
  libltdl-dev libtool
xxx@yyy:~/scholarzhang-read-only/west-chamber$ ./autogen.sh
libtoolize: putting auxiliary files in `.'.
libtoolize: copying file `./config.guess'
libtoolize: copying file `./config.sub'
libtoolize: copying file `./install-sh'
libtoolize: copying file `./ltmain.sh'
libtoolize: putting macros in AC_CONFIG_MACRO_DIR, `m4'.
libtoolize: copying file `m4/libtool.m4'
libtoolize: copying file `m4/ltoptions.m4'
libtoolize: copying file `m4/ltsugar.m4'
libtoolize: copying file `m4/ltversion.m4'
libtoolize: copying file `m4/lt~obsolete.m4'
configure.ac:8: installing `./compile'
configure.ac:6: installing `./missing'
extensions/ipset/Makefile.am: installing `./depcomp'

Running configure without arguments, I saw no errors, and make and make install did not report any either. But when I added the iptables rule, the ZHANG target turned out to be missing.
xxx@yyy:~/scholarzhang-read-only/west-chamber$ ./configure
...
checking for libxtables... configure: error: Package requirements (xtables >= 1.4.3) were not met:
No package 'xtables' found

Consider adjusting the PKG_CONFIG_PATH environment variable if you
installed software in a non-standard prefix.

Alternatively, you may set the environment variables libxtables_CFLAGS
and libxtables_LIBS to avoid the need to call pkg-config.
See the pkg-config man page for more details.

xxx@yyy:~/scholarzhang-read-only/west-chamber$ sudo apt-cache search xtables
iptables-dev - iptables development files
xtables-addons-common - Userspace components of xtables-addons
xtables-addons-source - Source for the xtables-addons driver
xxx@yyy:~/scholarzhang-read-only/west-chamber$ sudo apt-get install iptables-dev
xxx@yyy:~/scholarzhang-read-only/west-chamber$ ./configure
xxx@yyy:~/scholarzhang-read-only/west-chamber$ make
xxx@yyy:~/scholarzhang-read-only/west-chamber$ sudo make install
No errors.
xxx@yyy:~/scholarzhang-read-only/west-chamber$ sudo ipset -R
-N YOUTUBE nethash --hashsize 50 --probes 1
-A YOUTUBE 64.15.112.0/20
-A YOUTUBE 82.129.37.0/24
-A YOUTUBE 208.65.152.0/22
-A YOUTUBE 208.117.224.0/19
-A YOUTUBE 213.146.171.0/24
COMMIT
xxx@yyy:~/scholarzhang-read-only/west-chamber$ sudo ipset -R
-N NOCLIP setlist --size 4
-A NOCLIP GOOGLE
-A NOCLIP YOUTUBE
COMMIT
xxx@yyy:~/scholarzhang-read-only/west-chamber$ sudo iptables \
> -A INPUT \
> -p tcp --sport 80 --tcp-flags FIN,SYN,RST,ACK SYN,ACK \
> -m state --state ESTABLISHED \
> -m set --match-set NOCLIP src \
> -j ZHANG \
> -m comment --comment "client-side connection obfuscation"
iptables v1.4.4: Couldn't load target `ZHANG':/lib/xtables/libipt_ZHANG.so: cannot open shared object file: No such file or directory

Re-run configure as described in INSTALL:
xxx@yyy:~/scholarzhang-read-only/west-chamber$ ./configure CFLAGS="" --prefix=/usr --libexecdir=/lib
xxx@yyy:~/scholarzhang-read-only/west-chamber$ make
xxx@yyy:~/scholarzhang-read-only/west-chamber$ sudo make install
No errors.
Check the files generated by the install; they all exist:
xxx@yyy:~/scholarzhang-read-only/west-chamber$ ls /lib/xtables/ -tl
總用量 1272
-rwxr-xr-x 1 root root 13605 2010-03-31 10:24 libipset_setlist.so
-rwxr-xr-x 1 root root 13367 2010-03-31 10:24 libipset_portmap.so
-rwxr-xr-x 1 root root 13606 2010-03-31 10:24 libipset_nethash.so
-rwxr-xr-x 1 root root 13895 2010-03-31 10:24 libipset_macipmap.so
-rwxr-xr-x 1 root root 13657 2010-03-31 10:24 libipset_iptreemap.so
-rwxr-xr-x 1 root root 13578 2010-03-31 10:24 libipset_iptree.so
-rwxr-xr-x 1 root root 18127 2010-03-31 10:24 libipset_ipportnethash.so
-rwxr-xr-x 1 root root 17955 2010-03-31 10:24 libipset_ipportiphash.so
-rwxr-xr-x 1 root root 13833 2010-03-31 10:24 libipset_ipporthash.so
-rwxr-xr-x 1 root root 13610 2010-03-31 10:24 libipset_ipmap.so
-rwxr-xr-x 1 root root 13404 2010-03-31 10:24 libipset_iphash.so
-rwxr-xr-x 1 root root  8308 2010-03-31 10:24 libxt_gfw.so
-rwxr-xr-x 1 root root  8324 2010-03-31 10:24 libxt_ZHANG.so
-rwxr-xr-x 1 root root  8314 2010-03-31 10:24 libxt_CUI.so

Then configure the rules according to USAGE:
1. ZHANG: client-side connection obfuscation
xxx@yyy:~/scholarzhang-read-only/west-chamber$ sudo iptables -A INPUT -p tcp --sport 80 --tcp-flags FIN,SYN,RST,ACK SYN,ACK -m state --state ESTABLISHED -m set --match-set NOCLIP src -j ZHANG -m comment --comment "client-side connection obfuscation"
2. CUI: server-side connection obfuscation
xxx@yyy:~/scholarzhang-read-only/west-chamber$ sudo iptables -A INPUT -p tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -m set --match-set CHINA src -j CUI -m comment --comment "server-side connection obfuscation"
iptables v1.4.4: Set CHINA doesn't exist.
xxx@yyy:~/scholarzhang-read-only/west-chamber$ sudo ipset -R < ./examples/CHINA
xxx@yyy:~/scholarzhang-read-only/west-chamber$ sudo iptables -A INPUT -p tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -m set --match-set CHINA src -j CUI -m comment --comment "server-side connection obfuscation"
3. Log GFW TCP resets to syslog
xxx@yyy:~/scholarzhang-read-only/west-chamber$ sudo iptables -A INPUT -p tcp --sport 80 -m state --state ESTABLISHED -m gfw -j LOG --log-level info --log-prefix "gfw: " -m comment --comment "log gfw tcp resets"
4. Countering GFW DNS hijacking
You can edit /etc/resolv.conf directly
and add nameserver 8.8.8.8,
or edit dhclient.conf:
xxx@yyy:~/scholarzhang-read-only/west-chamber$ sudo vi /etc/dhcp3/dhclient.conf
Find the prepend domain-name-servers line, uncomment it, and list 8.8.8.8 and other DNS servers outside the wall after it.
To make dhclient pick it up: ifconfig eth0 down; ifconfig eth0 up

Save the iptables rules:
xxx@yyy:~/scholarzhang-read-only/west-chamber$ sudo iptables-save > /etc/iptables.up.rules
bash: /etc/iptables.up.rules: 權限不夠
xxx@yyy:~/scholarzhang-read-only/west-chamber$ sudo -s
root@zhh64:~/scholarzhang-read-only/west-chamber# iptables-save > /etc/iptables.up.rules
root@zhh64:~/scholarzhang-read-only/west-chamber# exit
exit
xxx@yyy:~/scholarzhang-read-only/west-chamber$ sudo vi /etc/network/interfaces
Add:
pre-up iptables-restore < /etc/iptables.up.rules
This way the firewall rules are still in effect after a reboot.
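As an added example (not part of the original post), here is a small POSIX shell check for the ordering problem seen above: the rules reference ipsets (NOCLIP, CHINA), so "Set CHINA doesn't exist" appears whenever a rule is loaded before its set, and the same failure hits at boot if iptables-restore runs before the sets are recreated. It compares the sets referenced in a saved iptables ruleset against the sets defined in an ipset -S style dump; the file name ipset.up.rules and the sample file contents are assumptions.

```shell
# Added example, not from the original post. Reports ipsets that a saved
# iptables ruleset references but that an ipset -S dump does not define:
# those rules fail with "Set X doesn't exist" when restored.

# Set names used as "-m set --match-set NAME ..." in an iptables-save file.
referenced_sets() {
    grep -o -- '--match-set [^ ]*' "$1" | awk '{print $2}' | sort -u
}

# Set names created with "-N NAME type ..." in an ipset -S dump.
defined_sets() {
    awk '$1 == "-N" {print $2}' "$1" | sort -u
}

# Print referenced sets that are not defined; return 1 if there are any.
missing_sets() {
    rules=$1
    dump=$2
    missing=$(referenced_sets "$rules" | while read -r s; do
        defined_sets "$dump" | grep -qx "$s" || echo "$s"
    done)
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# Constructed sample files modelled on the rules and ipset output above
# (file names are assumptions; the post only saves /etc/iptables.up.rules).
demo=$(mktemp -d)
cat > "$demo/iptables.up.rules" <<'EOF'
*filter
-A INPUT -p tcp --sport 80 -m state --state ESTABLISHED -m set --match-set NOCLIP src -j ZHANG
-A INPUT -p tcp --dport 80 -m state --state NEW -m set --match-set CHINA src -j CUI
COMMIT
EOF
cat > "$demo/ipset.up.rules" <<'EOF'
-N YOUTUBE nethash --hashsize 50 --probes 1
-A YOUTUBE 64.15.112.0/20
-N NOCLIP setlist --size 4
-A NOCLIP YOUTUBE
COMMIT
EOF
# Prints "CHINA": restore the ipset dump (ipset -R) before iptables-restore.
missing_sets "$demo/iptables.up.rules" "$demo/ipset.up.rules" \
    || echo "restore the ipset dump before iptables-restore"
rm -rf "$demo"
```

In the pre-up line this means restoring the set dump first and the iptables rules second, since the rules cannot be loaded without the sets they match on.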

Verification:
xxx@yyy:~/scholarzhang-read-only/west-chamber$ host -tA twitter.com
twitter.com has address 93.46.8.89
