Environment:
RHEL6.6-x86_64
iptables-1.4.21.tar.bz2
l7-protocols-2009-05-28.tar.gz
netfilter-layer7-v2.23.tar.gz
kernel-2.6.35.8-l7
Want to stop employees from chatting on QQ and downloading movies during working hours, wasting precious bandwidth? l7-filter is a good choice.
1. Patch the kernel
# tar xf linux-2.6.35.8.tar.gz -C /usr/src
# tar xf netfilter-layer7-v2.23.tar.gz
# cd /usr/src
# ln -s linux-2.6.35.8 linux
# cd linux
# patch -p1 < /root/netfilter-layer7-v2.23/kernel-2.6.35-layer7-2.23.patch
# cp /boot/config-2.6.32-504.el6.x86_64 /usr/src/linux/.config
# make menuconfig
Select the following items to be built as kernel modules:
Networking support ---> Networking options ---> Network packet filtering framework (Netfilter) ---> Core Netfilter Configuration ---> <M> Netfilter connection tracking support
Networking support ---> Networking options ---> Network packet filtering framework (Netfilter) ---> Core Netfilter Configuration ---> <M> "layer7" match support
Networking support ---> Networking options ---> Network packet filtering framework (Netfilter) ---> Core Netfilter Configuration ---> <M> "iprange" address range match support
Networking support ---> Networking options ---> Network packet filtering framework (Netfilter) ---> IP: Netfilter Configuration ---> <M> IPv4 connection tracking support (required for NAT)
Networking support ---> Networking options ---> Network packet filtering framework (Netfilter) ---> IP: Netfilter Configuration ---> <M> Full NAT
# make
# make modules_install
# make install
Reboot once the kernel build has finished.
# uname -a
Linux localhost.localdomain 2.6.35.8-l7 #1 SMP Mon Apr 13 13:44:31 CST 2015 x86_64 x86_64 x86_64 GNU/Linux
2. Install iptables
Back up the distribution's init script and its config file first (rpm -e removes them), then remove the stock packages:
# cp /etc/init.d/iptables /
# cp /etc/sysconfig/iptables-config /
# rpm -e iptables-ipv6 iptables --nodeps
# tar xf iptables-1.4.21.tar.bz2
# cp /root/netfilter-layer7-v2.23/iptables-1.4.3forward-for-kernel-2.6.20forward/libxt_layer7.* /root/iptables-1.4.21/extensions/
# cd iptables-1.4.21
# ./configure --prefix=/usr --with-ksource=/usr/src/linux
# make
# make install
# cp /iptables-config /etc/sysconfig/iptables-config
# cp /iptables /etc/init.d/iptables
/etc/init.d/iptables configuration file
The part to modify (highlighted in red in the original) is the path check: the stock RHEL 6 script tests /sbin/$IPTABLES, but iptables was built with --prefix=/usr, so change both occurrences to /usr/sbin:
if [ ! -x /usr/sbin/$IPTABLES ]; then
    echo -n $"${IPTABLES}: /usr/sbin/$IPTABLES does not exist."; warning; echo
    exit 5
fi
# service iptables start
3. Install the protocol pattern package:
# tar xf l7-protocols-2009-05-28.tar.gz
# cd l7-protocols-2009-05-28
# make install
List some of the supported protocols:
# ls protocols/
100bao.pat doom3.pat jabber.pat radmin.pat teamfortress2.pat
aim.pat edonkey.pat kugoo.pat rdp.pat teamspeak.pat
aimwebcontent.pat fasttrack.pat live365.pat replaytv-ivs.pat telnet.pat
applejuice.pat finger.pat liveforspeed.pat rlogin.pat tesla.pat
..........................
.........................
dayofdefeat-source.pat ident.pat pop3.pat ssh.pat xboxlive.pat
dazhihui.pat imap.pat pplive.pat ssl.pat xunlei.pat
dhcp.pat imesh.pat qq.pat stun.pat yahoo.pat
directconnect.pat ipp.pat quake1.pat subspace.pat zmaap.pat
dns.pat irc.pat quake-halflife.pat subversion.pat
4. Test with QQ
With the installation finished, use QQ to test whether QQ logins can be blocked.
Two hosts:
Host A, two NICs with the IPs 192.168.1.123 and 192.168.8.131 -------> the rules are applied here
Host B, 192.168.8.128 -------> logs in to QQ
Host B reaches the Internet through Host A, which forwards its traffic; Host B's gateway is 192.168.8.131 (Host A). Define the following rules:
# iptables -t nat -A POSTROUTING -s 192.168.8.0/24 -j SNAT --to-source 192.168.1.123
# iptables -A FORWARD -s 192.168.8.0/24 -m layer7 --l7proto qq -j DROP
With these two rules in place, no host on the 192.168.8.0/24 segment can log in to QQ.
The figure below shows that the rule has been matched:
[root@localhost ~]# iptables -D FORWARD 1
After the rule is deleted, QQ logs in normally again.
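Before pointing a rule such as `-m layer7 --l7proto qq` at production traffic it helps to understand what the match actually decides. The following is an added example, not code from l7-filter or this post: an offline Python model of the layer7 decision that parses .pat files in the project's format (comments, name line, regex line) and classifies a connection from its first packets. The two pattern files and all payloads are constructed for the example; the window limits are an approximation of the kernel module's, not its exact constants.

```python
"""Offline model of the layer7 match decision, for testing .pat files
before deploying them behind `-m layer7 --l7proto <name>`.

A .pat file: '#' comments, then the protocol name on the first non-comment
line and a POSIX regex on the second.  The kernel module appends each
packet's application data (NUL bytes dropped) to a per-connection buffer,
runs every pattern case-insensitively, and stops inspecting after about
the first 10 packets / 2 kB; an unmatched connection then stays unmatched.
The two patterns below are constructed and are NOT the real ssh.pat/http.pat.
"""
import re

MAX_PACKETS = 10   # inspection window (approximation of l7-filter's limits)
MAX_BYTES = 2048

def parse_pat(text):
    """Return (name, compiled regex) from the text of a .pat file."""
    lines = [l.strip() for l in text.splitlines()]
    lines = [l for l in lines if l and not l.startswith("#")]
    if len(lines) < 2:
        raise ValueError("need a name line and a regex line")
    # Patterns use \xNN escapes for binary protocols, so match on bytes.
    rx = re.compile(lines[1].encode("latin-1"), re.IGNORECASE | re.DOTALL)
    return lines[0], rx

def classify(patterns, packets):
    """Feed a connection's payloads in order.  Returns (proto, packet_no)
    for the first match, or (None, None) if the window is exhausted."""
    buf = b""
    for i, payload in enumerate(packets[:MAX_PACKETS]):
        buf = (buf + payload.replace(b"\x00", b""))[:MAX_BYTES]
        for name, rx in patterns:
            if rx.search(buf):
                return name, i + 1
        if len(buf) >= MAX_BYTES:
            break
    return None, None

# Constructed sample pattern files (comment, name, regex) in l7 style.
SSH_PAT = "# constructed example\nssh\n^ssh-[12]\\.[0-9]\n"
HTTP_PAT = "# constructed example\nhttp\n^(get|post|head) [^\\r\\n]+ http/1\\.[01]\n"
PATTERNS = [parse_pat(SSH_PAT), parse_pat(HTTP_PAT)]

if __name__ == "__main__":
    # The banner arrives split over two packets; the buffer reassembles it.
    print(classify(PATTERNS, [b"SSH-", b"2.0-OpenSSH_5.3\r\n"]))   # ('ssh', 2)
    print(classify(PATTERNS, [b"GET /index.html HTTP/1.1\r\n"]))  # ('http', 1)
    print(classify(PATTERNS, [b"\x00\x01\x02\x03"] * 12))        # (None, None)
```

Point `parse_pat` at the files under /etc/l7-protocols/protocols/ and replay captured payloads through `classify` to see how early (or whether) a rule would match before it goes into the FORWARD chain.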