Confirm the required packages

Linux kernel source URL: https://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.33.1.tar.bz2

Version: 2.6.33.1

iptables source URL: http://www.netfilter.org/projects/iptables/files/iptables-1.4.8.tar.bz2

Version: 1.4.8

l7-filter patch URL:

https://sourceforge.net/projects/l7-filter/files/l7-filter%20kernel%20version/2.22/netfilter-layer7-v2.22.tar.gz/download

l7-filter protocols URL:

https://sourceforge.net/projects/l7-filter/files/Protocol%20definitions/2009-05-28/l7-protocols-2009-05-28.tar.gz/download

Extract / install

cd /usr/src/kernels
wget https://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.33.1.tar.bz2
wget http://www.netfilter.org/projects/iptables/files/iptables-1.4.8.tar.bz2
wget -O l7-protocols-2009-05-28.tar.gz https://sourceforge.net/projects/l7-filter/files/Protocol%20definitions/2009-05-28/l7-protocols-2009-05-28.tar.gz/download
wget -O netfilter-layer7-v2.22.tar.gz https://sourceforge.net/projects/l7-filter/files/l7-filter%20kernel%20version/2.22/netfilter-layer7-v2.22.tar.gz/download
tar xjvf linux-2.6.33.1.tar.bz2
tar xjvf iptables-1.4.8.tar.bz2
tar zxvf l7-protocols-2009-05-28.tar.gz
tar zxvf netfilter-layer7-v2.22.tar.gz

To make the kernel support application-layer filtering, apply the following patch:

cd linux-2.6.33.1

patch -p1< ../netfilter-layer7-v2.22/kernel-2.6.25-2.6.28-layer7-2.22.patch

Modify the kernel options

cp -avp /boot/config-2.6.32-573.el6.x86_64 .config

This copies the config of the installed system kernel; adjust the file name if your version differs.

make menuconfig

Enter the menu.

Then press Exit to leave.

Choose Yes to save.

Compile the kernel

[root@fw linux-2.6.33.1]# make
[root@fw linux-2.6.33.1]# make modules_install
[root@fw linux-2.6.33.1]# make install

Remove the original iptables package

[root@fw linux-2.6.33.1]# rpm -e iptables --nodeps
[root@fw linux-2.6.33.1]# cd ..
[root@fw kernels]# cd netfilter-layer7-v2.22/iptables-1.4.3forward-for-kernel-2.6.20forward/
[root@GW-80 iptables-1.4.3forward]# cp libxt_layer7.c libxt_layer7.man ../../iptables-1.4.8/extensions/
[root@GW-80 iptables-1.4.3forward]# cd ../../iptables-1.4.8
[root@fw iptables-1.4.8]# ./configure --prefix=/ --with-ksource=/usr/src/kernels/linux-2.6.33.1
[root@fw iptables-1.4.8]# make
[root@fw iptables-1.4.8]# make install
[root@fw kernels]# mkdir /etc/l7-protocols
[root@fw kernels]# cp -rv l7-protocols-2009-05-28/* /etc/l7-protocols/
[root@fw kernels]# sync;sync;sync;reboot

After rebooting, confirm the kernel and iptables versions

[root@GW-80 linux-2.6.33.1]# uname -a;iptables -V
Linux GW-80 2.6.33.1 #1 SMP Wed May 31 18:15:19 CST 2017 x86_64 x86_64 x86_64 GNU/Linux
iptables v1.4.8

Check the L7-Filter module

[root@GW-80 linux-2.6.33.1]# modinfo xt_layer7
filename:       /lib/modules/2.6.33.1/kernel/net/netfilter/xt_layer7.ko
version:        2.21
alias:          ipt_layer7
description:    iptables application layer match module
author:         Matthew Strait <[email protected]>, Ethan Sommer <[email protected]>
license:        GPL
srcversion:     CBD50B3A0711C7D64C461C1
depends:        nf_conntrack
vermagic:       2.6.33.1 SMP mod_unload modversions
parm:           maxdatalen:maximum bytes of data looked at by l7-filter (int)

Reboot, and at the boot menu select

Scientific Linux (2.6.33.1)
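
An added example (not part of the original post) that checks the two points this procedure depends on: that .config really enables the layer7 match before the long build, and that after the reboot the host is running the patched kernel, iptables 1.4.8 and has xt_layer7 available. The function names are hypothetical, and CONFIG_NETFILTER_XT_MATCH_LAYER7 is assumed to be the option name the l7-filter patch adds.

```shell
#!/bin/sh
# Added example, not part of the original post. Function names are hypothetical.

# check_l7_config FILE
# Run in the kernel tree after "make menuconfig" and before "make".
# Succeeds only if .config enables xtables, conntrack and the layer7 match.
# Assumption: the l7-filter patch names its option CONFIG_NETFILTER_XT_MATCH_LAYER7.
check_l7_config() {
    cfg=$1
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 2; }
    rc=0
    for sym in CONFIG_NETFILTER_XTABLES CONFIG_NF_CONNTRACK \
               CONFIG_NETFILTER_XT_MATCH_LAYER7; do
        # "=y" (built in) and "=m" (module) both count; "is not set" does not.
        if grep -Eq "^${sym}=[ym]\$" "$cfg"; then
            echo "ok      $sym"
        else
            echo "MISSING $sym" >&2
            rc=1
        fi
    done
    return "$rc"
}

# check_l7_runtime KERNEL_RELEASE IPTABLES_VERSION MODINFO_OUTPUT
# Run after the reboot. Expected values are the versions used on this page.
# A host that booted the stock kernel fails here instead of at rule-load time.
check_l7_runtime() {
    rc=0
    [ "$1" = "2.6.33.1" ] \
        || { echo "running kernel is '$1', expected 2.6.33.1" >&2; rc=1; }
    [ "$2" = "iptables v1.4.8" ] \
        || { echo "iptables reports '$2', expected v1.4.8" >&2; rc=1; }
    printf '%s\n' "$3" | grep -Eq '^filename:.*/xt_layer7\.ko$' \
        || { echo "xt_layer7 module not found by modinfo" >&2; rc=1; }
    return "$rc"
}

# Typical use on the firewall host:
#   check_l7_config /usr/src/kernels/linux-2.6.33.1/.config
#   check_l7_runtime "$(uname -r)" "$(iptables -V)" "$(modinfo xt_layer7 2>/dev/null)"
```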

By admin
