本人安装时本来在虚拟机上测试多次,但是报错。一直安装不上。(貌似虚拟机内核不能升级)。
本人操作系统为CentOS
此layer 7 在最低2.28上安装。(更高的也可以)
下面是步骤:
1下载
wget http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.28.tar.bz2wget http://netfilter.org/projects/iptables/files/iptables-1.4.7.tar.bz2wget http://downloads.sourceforge.net/project/l7-filter/Protocol%20definitions/2009-05-28/l7-protocols-2009-05-28.tar.gz?use_mirror=nchcwget http://downloads.sourceforge.net/project/l7-filter/l7-filter%20kernel%20version/2.22/netfilter-layer7-v2.22.tar.gz?use_mirror=nchc
2
下载所需的软件包
解压以上文件
|
tar jxvf linux-2.6.28.tar.bz2 -C /usr/src
tar jxvf iptables-1.4.7.tar.bz2 -C /usr/src tar zxvf l7-protocols-2009-05-28.tar.gz -C /usr/src tar zxvf netfilter-layer7-v2.22.tar.gz -C /usr/src |
安装Layer 7
给新内核加入Layer 7补丁
cd /usr/src/linux-2.6.28/
patch -p1 〈 /usr/src/netfilter-layer7-v2.22/kernel-2.6.25-2.6.28-layer7-2.22.patch
patch -p1 〈 /usr/src/netfilter-layer7-v2.22/kernel-2.6.25-2.6.28-layer7-2.22.patch
以上操作完成后就可以开始编译内核加入Layer 7的支持了,需注意的是在编译内核中有些选项的选取上一定要注意,安装的成功与否很大程度上取决于内核编译是否成功,内核编译参数如下表所示。
make menuconfig
General setup ---
Prompt for development and/or incomplete code/drivers 必选
Networking ---
Networking options ---
Network packet filtering framework (Netfilter) ---
Core Netfilter Configuration --- 该项下的所有项目建议都选上
<M> Netfilter connection tracking support 必选
<M> "layer7" match support 必选
Layer 7 debugging output 必选
IP: Netfilter Configuration --- 必选
Prompt for development and/or incomplete code/drivers 必选
Networking ---
Networking options ---
Network packet filtering framework (Netfilter) ---
Core Netfilter Configuration --- 该项下的所有项目建议都选上
<M> Netfilter connection tracking support 必选
<M> "layer7" match support 必选
Layer 7 debugging output 必选
IP: Netfilter Configuration --- 必选
编译内核
|
make clean
make make modules
make modules_install make install |
更改启动项后并重启系统
|
vi /etc/grup.conf
|
|
# grub.conf generated by anaconda
# # Note that you do not have to rerun grub after making changes to this file # NOTICE: You have a /boot partition. This means that # all kernel and initrd paths are relative to /boot/, eg. # root (hd0,0) # kernel /vmlinuz-version ro root=/dev/VolGroup00/LogVol00 # initrd /initrd-version.img #boot=/dev/sda default=0 timeout=5 splashp_w_picpath=(hd0,0)/grub/splash.xpm.gz hiddenmenu title CentOS (2.6.28) root (hd0,0) kernel /vmlinuz-2.6.28 ro root=/dev/VolGroup00/LogVol00 initrd /initrd-2.6.28.img title CentOS (2.6.18-164.el5) root (hd0,0) kernel /vmlinuz-2.6.18-164.el5 ro root=/dev/VolGroup00/LogVol00 initrd /initrd-2.6.18-164.el5.img |
编译安装iptables并支持Layer 7
|
cd iptables-1.4.7/
cp /usr/src/netfilter-layer7-v2.22/iptables-1.4.3forward-for-kernel-2.6.20forward/* extensions/ ./configure --with-ksource=/usr/src/linux-2.6.28/ cp /usr/src/netfilter-layer7-v2.22/iptables-1.4.3forward-for-kernel-2.6.20forward/*.* extensions/ ./configure --with-ksource=/usr/src/linux-2.6.28 make make install |
安装Layer 7协议
|
cd l7-protocols-2009-05-28/
make install |
测试
|
iptables -V
iptables -m layer7 –help |
最后实例:
iptables -A FORWARD -m layer7 --l7proto qq -j DROP
成功
