Wednesday, September 1, 2010

CentOS 5.5 (Final) + L7-filter

Environment:


OS:CentOS5.5 release (Final)

Kernel:2.6.18-194.el5

iptables:iptables v1.3.5



Packages to install:

linux-2.6.30.5.tar.bz2

(http://ftp.isu.edu.tw/pub/Linux/kernel/v2.6/linux-2.6.30.5.tar.bz2)

netfilter-layer7-v2.22.tar.gz

(http://sourceforge.net/projects/l7-filter/files/l7-filter%20kernel%20version/2.22/netfilter-layer7-v2.22.tar.gz/download)

l7-protocols-2009-05-28.tar.gz

(http://sourceforge.net/projects/l7-filter/files/Protocol%20definitions/2009-05-28/l7-protocols-2009-05-28.tar.gz/download)

iptables-1.4.6.tar.bz2

(http://www.netfilter.org/projects/iptables/files/iptables-1.4.6.tar.bz2)



Other:

L7-filter kernel compatibility table:

http://l7-filter.sourceforge.net/kernelcompat



Preparation:

Disable SELinux

[root@CentOS ~]# vi /etc/sysconfig/selinux

# This file controls the state of SELinux on the system.

# SELINUX= can take one of these three values:

# enforcing - SELinux security policy is enforced.

# permissive - SELinux prints warnings instead of enforcing.

# disabled - SELinux is fully disabled.

SELINUX=enforcing

# SELINUXTYPE= type of policy in use. Possible values are:

# targeted - Only targeted network daemons are protected.

# strict - Full SELinux protection.

SELINUXTYPE=targeted


Change SELINUX=enforcing → SELINUX=disabled



1. Download all packages to /usr/src/


2. Compile the kernel

[root@CentOS src]# tar xf linux-2.6.30.5.tar.bz2

[root@CentOS src]# tar xzf netfilter-layer7-v2.22.tar.gz



Patch the kernel

[root@CentOS src]#cd linux-2.6.30.5

[root@CentOS linux-2.6.30.5]# patch -p1 < ../netfilter-layer7-v2.22/kernel-2.6.25-2.6.28-layer7-2.22.patch

.....

[root@CentOS linux-2.6.30.5]#cp /boot/config-`uname -r` .config

(copy the running kernel's configuration file)

[root@CentOS linux-2.6.30.5]#make menuconfig

(make menuconfig fails if gcc and ncurses-devel are not installed)

.....



* "Prompt for development and/or incomplete code/drivers" (under "Code maturity level options")

* "Network packet filtering framework" (Networking → Networking support → Networking Options)

* "Netfilter Xtables support" (on the same screen)

* "Netfilter connection tracking support" (... → Network packet filtering framework → Core Netfilter Configuration), select "Layer 3 Independent Connection tracking"

* "Connection tracking flow accounting" (on the same screen)

* And finally, "Layer 7 match support"

* Optional but highly recommended: Lots of other Netfilter options, notably "FTP support" and other matches. If you don't know what you're doing, go ahead and enable all of them.





* "layer7" match support (only appears once Netfilter connection tracking support is selected)

* IPv4 connection tracking support (required for NAT)



For which options to tick, see:

http://charlothuang.blogspot.com/2010/02/l7-filter-on-centos-54.html

http://sacs.twgg.org/content/l7-filter-centos-52



[root@CentOS linux-2.6.30.5]#make

....

[root@CentOS linux-2.6.30.5]#make modules_install

....

[root@CentOS linux-2.6.30.5]#make install

....

[root@CentOS linux-2.6.30.5]#vi /boot/grub/grub.conf

# grub.conf generated by anaconda

#

# Note that you do not have to rerun grub after making changes to this file

# NOTICE: You have a /boot partition. This means that

# all kernel and initrd paths are relative to /boot/, eg.

# root (hd0,0)

# kernel /vmlinuz-version ro root=/dev/VolGroup00/LogVol00

# initrd /initrd-version.img

#boot=/dev/hda

default=1

timeout=5

splashimage=(hd0,0)/grub/splash.xpm.gz

hiddenmenu

title CentOS (2.6.30.5 )

root (hd0,0)

kernel /vmlinuz-2.6.30.5 ro root=/dev/VolGroup00/LogVol00

initrd /initrd-2.6.30.5.img

title CentOS (2.6.18-194.el5)

root (hd0,0)

kernel /vmlinuz-2.6.18-194.el5 ro root=/dev/VolGroup00/LogVol00

initrd /initrd-2.6.18-194.el5.img



Changes:

default=1 → default=0

title CentOS (2.6.30.5 ) → title CentOS (2.6.30.5 include l7-filter)



3. Install iptables 1.4.6

[root@CentOS ~]#cp /etc/init.d/iptables /etc/init.d/iptables.bak

(back up the iptables init script)

[root@CentOS ~]#yum remove iptables

(remove the old iptables package)

.....

[root@CentOS ~]# cd /usr/src

[root@CentOS src]#

[root@CentOS src]#patch -p1 < /netfilter-layer7-v2.21/iptables-1.3-for-kernel-pre2.6.20-layer7-2.21.patch

.....

[root@CentOS src]# tar xjf iptables-1.4.6.tar.bz2

[root@CentOS src]#cp netfilter-layer7-v2.22/iptables-1.4.3forward-for-kernel-2.6.20forward/* iptables-1.4.6/extensions/

[root@CentOS src]#cd iptables-1.4.6/





[root@CentOS iptables-1.4.6]#./configure --with-ksource=/usr/src/linux-2.6.30.5

[root@CentOS iptables-1.4.6]#make

[root@CentOS iptables-1.4.6]#make install



[root@CentOS ~]#cp /etc/init.d/iptables.bak /etc/init.d/iptables

(restore the init script)

4. Install the protocol definitions

[root@CentOS iptables-1.4.6]#cd ../

[root@CentOS src]#tar xzf l7-protocols-2009-05-28.tar.gz

[root@CentOS src]#cd l7-protocols-2009-05-28

[root@CentOS l7-protocols-2009-05-28]#make install



5. Configure NAT

[root@CentOS ~]#vi /etc/sysctl.conf

# Kernel sysctl configuration file for Red Hat Linux

#

# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and

# sysctl.conf(5) for more details.



# Controls IP packet forwarding

net.ipv4.ip_forward = 0



# Controls source route verification

net.ipv4.conf.default.rp_filter = 1



# Do not accept source routing

net.ipv4.conf.default.accept_source_route = 0

.....................

Changes:

net.ipv4.ip_forward = 0 → net.ipv4.ip_forward = 1



#[root@CentOS ~]#iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j MASQUERADE

[root@CentOS ~]#vi /etc/sysconfig/iptables

# Generated by iptables-save v1.3.5 on Thu Aug 26 11:52:40 2010

*nat

:PREROUTING ACCEPT [10:1270]

:POSTROUTING ACCEPT [1:40]

:OUTPUT ACCEPT [0:0]

-A POSTROUTING -s 192.168.1.0/255.255.255.0 -o eth0 -j MASQUERADE

COMMIT



*filter

:INPUT ACCEPT [0:0]

:FORWARD ACCEPT [0:0]

:OUTPUT ACCEPT [0:0]

:RH-Firewall-1-INPUT - [0:0]

-A INPUT -j RH-Firewall-1-INPUT

-A FORWARD -j RH-Firewall-1-INPUT

-A RH-Firewall-1-OUTPUT -o eth0 -j ACCEPT

-A RH-Firewall-1-INPUT -i lo -j ACCEPT

-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT

-A RH-Firewall-1-INPUT -p 50 -j ACCEPT

-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT

-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT

-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT

-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited

COMMIT

---------- Rules after modification (the added lines were shown in blue) ----------
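A sanity check for an iptables-save file like the one above, added here as an example and not part of the original post: it reports -A lines that append to a chain the same table never declares and -j targets that are neither built-in nor a declared chain. The ruleset above has exactly this fault, since -A RH-Firewall-1-OUTPUT refers to a chain the filter table does not declare, so iptables-restore aborts the load at that line. It assumes the file only uses the built-in targets listed in the script.

```shell
#!/bin/sh
# Added example (not from the original post): validate an iptables-save style file
# such as /etc/sysconfig/iptables before 'service iptables start' tries to load it.
# iptables-restore stops at the first bad line, so the gateway would come up with
# only the tables loaded before it, or with no rules at all.

# check_ruleset <file>: prints "table:line: problem" for each fault; exit 1 if any
check_ruleset() {
    awk '
        BEGIN {
            # Assumed to be the only built-in targets the file uses (not exhaustive).
            split("ACCEPT DROP REJECT RETURN LOG MASQUERADE SNAT DNAT REDIRECT MARK", b, " ")
            for (k in b) builtin[b[k]] = 1
        }
        /^\*/ { table = substr($0, 2); next }          # "*nat" / "*filter"
        /^:/  { split(substr($0, 2), f, " "); chains[table ":" f[1]] = 1; next }
        /^COMMIT/ || /^#/ || /^$/ { next }
        /^-A / {
            if (!((table ":" $2) in chains)) {
                printf "%s:%d: appends to undeclared chain %s\n", table, NR, $2
                bad = 1
            }
            for (i = 1; i <= NF; i++) if ($i == "-j") {
                t = $(i + 1)
                if (!(t in builtin) && !((table ":" t) in chains)) {
                    printf "%s:%d: jumps to unknown target %s\n", table, NR, t
                    bad = 1
                }
            }
        }
        END { exit bad + 0 }
    ' "$1"
}

# Usage on the gateway: check_ruleset /etc/sysconfig/iptables && service iptables restart
```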



6. Test Skype, MSN, HTTP and Yahoo Messenger

Supported protocols: see http://l7-filter.sourceforge.net/protocols



(1) Before the rules are applied, the applications work normally.

(2) Apply the following rules:

iptables -t mangle -A PREROUTING -m layer7 --l7proto http -j DROP

iptables -t mangle -A PREROUTING -m layer7 --l7proto msnmessenger -j DROP

iptables -t mangle -A PREROUTING -m layer7 --l7proto yahoo -j DROP
iptables -t mangle -A PREROUTING -m layer7 --l7proto skypeout -j DROP

iptables -t mangle -A PREROUTING -m layer7 --l7proto skypetoskype -j DROP


Note: iptables -t mangle -A PREROUTING -m layer7 --l7proto skypeout -j DROP


The skypeout rule makes the network noticeably slower. The official site does warn:


"This is slow, but not as bad as you might think", but in use web pages loaded abnormally slowly and some things stopped working altogether (in testing, telnet and ftp could not connect at all).
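A small helper for the rules in the test section, added here as an example and not part of the original post: it emits the layer7 DROP rules only for protocols whose pattern file is actually installed, and holds back skypeout because of the slowdown described above. It assumes the layer7 iptables extension reads <proto>.pat files below /etc/l7-protocols (where make install of l7-protocols puts them) and that the first argument names the LAN-facing interface (for instance eth1, which the post does not state; it only shows eth0 as the WAN side).

```shell
#!/bin/sh
# Added example (not from the original post). Assumptions: pattern files are named
# <proto>.pat somewhere below L7_DIR (default /etc/l7-protocols), and the LAN-side
# interface is passed as the first argument; the post only names eth0 as the WAN side.

L7_DIR="${L7_DIR:-/etc/l7-protocols}"

# l7_pattern_installed <proto>: true when a <proto>.pat file exists below $L7_DIR
l7_pattern_installed() {
    [ -n "$(find "$L7_DIR" -name "$1.pat" 2>/dev/null | head -n 1)" ]
}

# l7_drop_rules <lan_iface> <proto>...: print one iptables command per usable
# protocol. Matching only on the LAN interface keeps the regex engine off the
# packets that arrive on the WAN side. Returns 1 when any protocol was skipped.
l7_drop_rules() {
    lan_if="$1"; shift
    skipped=0
    for proto in "$@"; do
        if [ "$proto" = "skypeout" ]; then
            echo "# skypeout skipped: pattern too slow (telnet/ftp stalled in testing)" >&2
            skipped=1; continue
        fi
        if ! l7_pattern_installed "$proto"; then
            echo "# $proto skipped: no $proto.pat below $L7_DIR" >&2
            skipped=1; continue
        fi
        echo "iptables -t mangle -A PREROUTING -i $lan_if -m layer7 --l7proto $proto -j DROP"
    done
    return $skipped
}

# l7_rule_count <lan_iface> <proto>...: number of rules l7_drop_rules would emit
l7_rule_count() {
    l7_drop_rules "$@" 2>/dev/null | grep -c '^iptables'
}

# On the gateway: review the output first, then pipe it to sh to apply it.
# l7_drop_rules eth1 http msnmessenger yahoo skypeout skypetoskype
```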
