centos 5.4+Layer7封杀qq、msn和p2p下载

一、安装前准备

1.所需要软件包

   linux-2.6.28.tar.gz                  http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.28.tar.gz

   iptables-1.4.3.2.tar.bz2            http://netfilter.org/projects/iptables/files/iptables-1.4.3.2.tar.bz2

   netfilter-layer7-v2.22.tar.gz      http://sourceforge.net/projects/l7-filter/files/l7-filter kernel version/2.22/netfilter-layer7-v2.22.tar.gz/download

   l7-protocols-2009-05-28.tar.gz   http://sourceforge.net/projects/l7-filter/files/Protocol definitions/2009-05-28/l7-protocols-2009-05-28.tar.gz/download

2.把以上内核和软件包解压到/usr/src下

  tar -zxvf linux-2.6.28.tar.gz -C /usr/src

   tar -zxvf netfilter-layer7-v2.22.tar.gz -C /usr/src

   tar -zxvf l7-protocols-2009-05-28.tar.gz -C /usr/src

   tar -jxvf iptables-1.4.3.2.tar.bz2 -C /usr/src

3.查看系统自带的iptables

   rpm -qa | grep iptables   列出已安装的iptables包

二、安装layer7

1.给新内核安装layer7补丁

   cd /usr/src/linux-2.6.28/

   patch -p1 < /usr/src/netfilter-layer7-v2.22/kernel-2.6.25-2.6.28-layer7-2.22.patch

2.编译新内核

2.1修改内核配置项

    make oldconfig 全部保持默认

    make menuconfig

    General setup  --->

       Prompt for development and/or incomplete code/drivers  必选

    Networking  --->

        Networking options  --->

             Network packet filtering framework (Netfilter)  --->

                  Core Netfilter Configuration  --->   该项下的所有项目建议都选上

                       <M> Netfilter connection tracking support  这个项目必需选上，下面才会出现layer7的选项

                             <M>   "layer7" match support         必选                             

                                   Layer 7 debugging output   必选 

         IP: Netfilter Configuration  --->    该项下的所有项目必需都选上

2.2编译并安装新内核

    make

    make modules_install

    make install

2.3 设置新内核为默认启动的内核，如果是远程连接服务器，必须要修改这项，否则重启后默认加载旧的kernel

    vim /boot/gurb/gurb.conf

 default=1     把1改为0

 timeout=15    设置等候时间

 splashimage=(hd0,0)/boot/grub/splash.xpm.gz

 hiddenmenu

 title CentOS (2.6.28）

         root (hd0,0)

         kernel /boot/vmlinuz-2.6.28 ro root=LABEL=/ rhgb quiet

         initrd /boot/initrd-2.6.28.img

 title CentOS (2.6.18-164.el5)

         root (hd0,0)

         kernel /boot/vmlinuz-2.6.18-164.el5 ro root=LABEL=/ rhgb quiet

         initrd /boot/initrd-2.6.18-164.el5.img

 保存退出

 reboot

3.编译安装iptables并支持layer7

  [root@localhost ~]# cd /usr/src/iptables-1.4.3.2

   [root@localhost iptables-1.4.3.2]#cp /usr/src/netfilter-layer7-v2.22/iptables-1.4.3forward-for-kernel-2.6.20forward/*.*  extensions/

   ./configure --with-ksource=/usr/src/linux-2.6.28

   make

   make install

 4.安装l7协议

 cd /usr/src/l7-protocols-2009-05-28

 make install

5.测试

   iptables -V

   回显：

   iptables v1.4.3.2

  iptables -m layer7 --help

   回显：

   Usage: iptables -[AD] chain rule-specification [options]

        iptables -I chain [rulenum] rule-specification [options]

        iptables -R chain rulenum rule-specification [options]

        iptables -D chain rulenum [options]

        iptables -[LS] [chain [rulenum]] [options]

        iptables -[FZ] [chain] [options]

        iptables -[NX] chain

        iptables -E old-chain-name new-chain-name

        iptables -P chain target [options]

        iptables -h (print this help information)

Commands:

 Either long or short options are allowed.

   --append  -A chain            Append to chain

   --delete  -D chain            Delete matching rule from chain

   --delete  -D chain rulenum

                                 Delete rule rulenum (1 = first) from chain

   --insert  -I chain [rulenum]

                                 Insert in chain as rulenum (default 1=first)

   --replace -R chain rulenum

                                 Replace rule rulenum (1 = first) in chain

   --list    -L [chain [rulenum]]

                                 List the rules in a chain or all chains

   --list-rules -S [chain [rulenum]]

                                 Print the rules in a chain or all chains

   --flush   -F [chain]          Delete all rules in  chain or all chains

   --zero    -Z [chain]          Zero counters in chain or all chains

   --new     -N chain            Create a new user-defined chain

   --delete-chain

             -X [chain]          Delete a user-defined chain

   --policy  -P chain target

                                 Change policy on chain to target

   --rename-chain

             -E old-chain new-chain

                                 Change chain name, (moving any references)

 Options:

 [!] --proto     -p proto        protocol: by number or name, eg. `tcp'

 [!] --source    -s address[/mask]

                                 source specification

 [!] --destination -d address[/mask]

                                 destination specification

 [!] --in-interface -i input name[+]

                                 network interface name ([+] for wildcard)

 --jump -j target

                                 target for rule (may load target extension)

   --goto      -g chain

                               jump to chain with no return

   --match       -m match

                                 extended match (may load extension)

   --numeric     -n              numeric output of addresses and ports

 [!] --out-interface -o output name[+]

                                 network interface name ([+] for wildcard)

   --table       -t table        table to manipulate (default: `filter')

   --verbose     -v              verbose mode

   --line-numbers                print line numbers when listing

   --exact       -x              expand numbers (display exact values)

 [!] --fragment  -f              match second or further fragments only

   --modprobe=<command>          try to insert modules using this command

   --set-counters PKTS BYTES     set the counter during insert/append

 [!] --version   -V              print package version.

layer7 match options:

     --l7dir <directory> : Look for patterns here instead of /etc/l7-protocols/

                           (--l7dir must be specified before --l7proto if used)

 [!] --l7proto <name>: Match named protocol using /etc/l7-protocols/.../name.pat

至此安装过程完全完成

三、利用l7filter来封禁迅雷、qq、msn….

首先我们查看一下l7filter支持的封禁列表：

# ls /etc/l7-protocols/protocols/

 100bao.pat                doom3.pat                 jabber.pat            radmin.pat        teamfortress2.pat

 aim.pat                   edonkey.pat               kugoo.pat             rdp.pat           teamspeak.pat

 aimwebcontent.pat         fasttrack.pat             live365.pat           replaytv-ivs.pat  telnet.pat

 applejuice.pat            finger.pat                liveforspeed.pat      rlogin.pat        tesla.pat

 ares.pat                  freenet.pat               lpd.pat               rtp.pat           tftp.pat

 armagetron.pat            ftp.pat                   mohaa.pat             rtsp.pat          thecircle.pat

 battlefield1942.pat       gkrellm.pat               msn-filetransfer.pat  runesofmagic.pat  tonghuashun.pat

 battlefield2142.pat       gnucleuslan.pat           msnmessenger.pat      shoutcast.pat     tor.pat

 battlefield2.pat          gnutella.pat              mute.pat              sip.pat           tsp.pat

 bgp.pat                   goboogy.pat               napster.pat           skypeout.pat      unknown.pat

 biff.pat                  gopher.pat                nbns.pat              skypetoskype.pat  unset.pat

 bittorrent.pat            guildwars.pat             ncp.pat               smb.pat           uucp.pat

 chikka.pat                h323.pat                  netbios.pat           smtp.pat          validcertssl.pat

 cimd.pat                  halflife2-deathmatch.pat  nntp.pat              snmp.pat          ventrilo.pat

 ciscovpn.pat              hddtemp.pat               ntp.pat               socks.pat         vnc.pat

 citrix.pat                hotline.pat               openft.pat            soribada.pat      whois.pat

 counterstrike-source.pat  http.pat                  pcanywhere.pat        soulseek.pat      worldofwarcraft.pat

 cvs.pat                   http-rtsp.pat             poco.pat              ssdp.pat          x11.pat

 dayofdefeat-source.pat    ident.pat                 pop3.pat              ssh.pat           xboxlive.pat

 dazhihui.pat              imap.pat                  pplive.pat            ssl.pat           xunlei.pat

 dhcp.pat                  imesh.pat                 qq.pat                stun.pat          yahoo.pat

 directconnect.pat         ipp.pat                   quake1.pat            subspace.pat      zmaap.pat

 dns.pat                   irc.pat                   quake-halflife.pat    subversion.pat

我们可以看到，l7filter支持的封禁协议相当丰富，并且支持都很好。

# iptables -t mangle -I POSTROUTING -m layer7 --l7proto msnmessenger -j DROP

# iptables -t mangle -I POSTROUTING -m layer7 --l7proto qq -j DROP

# iptables -t mangle -I POSTROUTING -m layer7 --l7proto xunlei -j DROP

#iptables -t mangle -I PREROUTING -m layer7 --l7proto edonkey -j DROP

#iptables -t mangle -I PREROUTING -m layer7 --l7proto bittorrent -j DROP

上面命令将msn、qq、迅雷、电驴、BT进行了封禁。

其中红色部分就在我们用命令# ls /etc/l7-protocols/protocols/所看到的列表中。

启动IP转发，使客户端可以通过pppoe服务器访问外网

# echo 1 > /proc/sys/net/ipv4/ip_forward

# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

下面我们进行测试（l7filter服务器作为企业网络的网关，这里IP为192.168.1.251）：

查看当前封禁情况：

# iptables -t mangle -L POSTROUTING -v

Chain POSTROUTING (policy ACCEPT 386 packets, 41321 bytes)

pkts bytes target     prot opt in     out     source               destination      

    0     0 DROP       all  --  any    any     anywhere             anywhere            LAYER7 l7proto aim

    0     0 DROP       all  --  any    any     anywhere             anywhere            LAYER7 l7proto bittorrent

    0     0 DROP       all  --  any    any     anywhere             anywhere            LAYER7 l7proto edonkey

    0     0 DROP       all  --  any    any     anywhere             anywhere            LAYER7 l7proto xunlei

    0     0 DROP       all  --  any    any     anywhere             anywhere            LAYER7 l7proto qq

    0     0 DROP       all  --  any    any     anywhere             anywhere            LAYER7 l7proto msnmessenger

qq的连接失败信息：

系统log信息：

L7filter的处理图示：

本文出自 “会飞的鱼” 博客