iptables之layer7扩展

L7-filter：
    提供了更多的netfilter模块，可以基于应用层为iptables提供更多功能。类似的还有ipp2p。

    注意：软件官网上表明支持的最新内核版本为2.6.x，已经好久没有更新了。3.x的内核未测试。

    需要软件包：
        kernel-xxx.tar.gz 内核源码包
        iptables-xxx.tar.bz2 iptables源码包
        netfilter-layer7-xxx.tar.gz l7源码包
        l7-protocols-xxx.tar.gz l7的特征码包

    方法：
        1.给内核打补丁，重新编译并使用内核。
            # tar zxvf  kernel-xxx。tar.gz  -C  /usr/src
            # tar zxvf  netfilter-layer7-xxx.tar.gz  -C  /usr/src
            # cd /usr/src
            # ln –s  kernel-xxx linux
            # cd /usr/src/linux/
            # patch -p1  <  ../netfilter-layer7-xxx/kernel-xxx-layer7-xxx.patch

            # cp /boot/config-xxx  /usr/src/linux/.config
            # make  menuconfig
                注意编译内核根据需要进行，这里只显示关键部分

                General setup --> Local version
                    -l7 patched 自定义kernel 发行版本

                Networking support  -->  Networking Options  --> Network packet filtering framework  --> Core Netfilter Configuration
                    <M>  FTP protocol support  不选定FTP的RELATED的状态无法使用
                    <M>  Connection trackint netlink interface
                    <M>  Netfilter connection tracking support
                    <M>  “layer7” match support
                    <M>  “string” match support
                    <M>  “time”  match support
                    <M>  “iprange”  match support
                    <M>  “connlimit”  match support
                    <M>  “state”  match support
                    <M>  “conntrack”  connection  match support
                    <M>  “mac”  address  match support
                    <M>   "multiport" Multiple port match support


                Networking support  -->  Networking Options  --> Network packet filtering framework  -->  IP: Netfilter Configuration
                    <M>  IPv4 connection tracking support (required for NAT)
                    <M>  Full NAT
                    <M>  MASQUERADE target support                                                                                   
                    <M>  NETMAP target support                                                                               
                    <M>  REDIRECT target support

            # make
            # make modules_install
            # make install

            注意：内核能识别的模块为libxt*，iptables的模块为libipt*


        2.给iptables打补丁，重新编译iptables并启用。

            # cp /etc/init.d/iptables  /tmp/ipables 复制iptables脚本
            # cp /etc/sysconfig/iptables-config /tmp/iptables-config 复制配置文件
            #cp /etc/sysconfig/iptables  /tmp/iptables-rule 复制规则文件

            #service iptables stop
            # rpm  -e  iptables-ipv6  iptables  iptstate  --nodeps 强制卸载

            # tar jxvf iptables-xxx.tar.bz2 –C  /usr/src
            # cd /usr/src/iptables-xxx
            # cp ../netfilter-layer7-xxx/iptables-xxxforward-for-kernel-xxxforward/libxt_layer7.*   ./extensions/ 复制l7的模块和man文件到iptables的扩展

            # ./configure  --prefix=/usr  --with-ksource=/usr/src/linux
            # make
            # make install

            #which iptables 查看编译安装的iptables的路径
                /usr/sbin/iptables
            #vim /tmp/iptables 修改脚本文件，更正路径
                /sbin/$IPTABLES --> /usr/sbin/$IPTABLES

            #cp /tmp/iptables /etc/init.d/ 复制脚本文件
            #cp /tmp/iptables-config /etc/sysconfig/ 复制配置文件
            #cp /tmp/iptables-rule /etc/sysconfig/iptables 复制规则

        3.安装l7-protocols包。
            # tar zxvf l7-protocols-xxx.tar.gz
            # cd l7-protocols-xxx
            # make install 本质上将文件夹内的特征码复制到/etc下

        4.启动iptables服务
            #service iptables restart