iptables series: layer7
Run uname -r to check the kernel version.
[[email protected] ~]# ls
anaconda-ks.cfg install.log.syslog l7-protocols-2009-05-28.tar.gz netfilter-layer7-v2.22.tar.gz
install.log iptables-1.4.6.tar.bz2 linux-2.6.28.10.tar.bz2
[[email protected] ~]# tar xf linux-2.6.28.10.tar.bz2 -C /usr/src
[[email protected] ~]# tar xf netfilter-layer7-v2.22.tar.gz -C /usr/src
[[email protected] ~]# cd /usr/src/
[[email protected] src]# ls
debug kernels linux-2.6.28.10 netfilter-layer7-v2.22
[[email protected] src]#
[[email protected] src]# ln -sv linux-2.6.28.10 linux
`linux' -> `linux-2.6.28.10'
[[email protected] src]# cd linux
Apply the layer7 patch:
[[email protected] linux]# patch -p1 < ../netfilter-layer7-v2.22/kernel-2.6.25-2.6.28-layer7-2.22.patch
patching file net/netfilter/Kconfig
patching file net/netfilter/Makefile
patching file net/netfilter/xt_layer7.c
patching file net/netfilter/regexp/regexp.c
patching file net/netfilter/regexp/regexp.h
patching file net/netfilter/regexp/regmagic.h
patching file net/netfilter/regexp/regsub.c
patching file net/netfilter/nf_conntrack_core.c
patching file net/netfilter/nf_conntrack_standalone.c
patching file include/net/netfilter/nf_conntrack.h
patching file include/linux/netfilter/xt_layer7.h
[[email protected] linux]#
[[email protected] linux]# yum -y groupinstall "Development Tools"
[[email protected] linux]# cp /boot/config-2.6.32-431.el6.x86_64 .config
[[email protected] linux]# yum install ncurses ncurses-devel ncurses-libs
[[email protected] linux]# make menuconfig
Local version - append to kernel release: set it to -l7, so the new kernel is identifiable as the layer7-enabled build
Processor type and features --->
Processor family (Generic-x86-64) ---> change to the model closest to your own processor
-*- Networking support --->
Networking options --->
[*] Network packet filtering framework (Netfilter) --->
Core Netfilter Configuration --->
<M> Netfilter connection tracking support    enable
<M> "layer7" match support    enable
<M> "time" match support    enable
<M> "iprange" address range match support    enable
<M> FTP protocol support    enable
<M> Connection tracking netlink interface    enable
IP: Netfilter Configuration --->
<M> IPv4 connection tracking support (required for NAT)    enable
<M> Full NAT    enable
[ ] Wireless --->    disable
< > Bluetooth subsystem support --->    disable
Device Drivers --->
< > Sound card support --->    disable sound card support
< > InfiniBand support --->    disable
[*] Network device support --->
[ ] Ethernet (1000 Mbit) --->    disable 1000 Mbit NICs
[ ] Ethernet (10000 Mbit) --->    disable 10 Gbit NICs
[ ] Token Ring driver support --->    disable token ring
[ ] PCMCIA network device support --->    disable PCMCIA
[ ] Wan interfaces support --->    disable
[ ] ATM drivers --->    disable
[ ] FDDI driver support    disable
[ ] Virtualization --->    disable
File systems --->
< > GFS2 file system support    disable
DOS/FAT/NT Filesystems --->
<M> NTFS file system support    NTFS can be enabled
Save and exit.
yum -y install screen
[[email protected] linux]# screen    run the build inside screen so a dropped connection does not interrupt it
[[email protected] linux]# make
Ctrl+a d    detach the session
[[email protected] linux]# screen -ls    list sessions
[[email protected] linux]# screen -r 26296    reattach to the session
[[email protected] linux]# make modules_install
[[email protected] linux]# make install
[[email protected] ~]# vim /etc/grub.conf    after a successful install a new entry for the kernel is generated in this file
default=0    selects which kernel boots by default
Reboot the host and choose the new kernel.
uname -r confirms whether the running kernel has switched.
Build the new version of iptables
[[email protected] ~]# cp /etc/init.d/iptables ~/    back up the init script first
[[email protected] ~]# cp /etc/sysconfig/iptables-config ~/
[[email protected] ~]# cp /etc/sysconfig/iptables ~/iptables.bak    back up the existing rules
[[email protected] ~]# service iptables stop    stop the service before removing the package
[[email protected] ~]# chkconfig iptables off
[[email protected] ~]# rpm -e iptables-ipv6 iptables iptstate --nodeps
[[email protected] ~]# tar xf iptables-1.4.6.tar.bz2 -C /usr/src
[[email protected] src]# cd /usr/src/iptables-1.4.6/
[[email protected] iptables-1.4.6]# cp ../netfilter-layer7-v2.22/iptables-1.4.3forward-for-kernel-2.6.20forward/libxt_layer7.* ./extensions/
[[email protected] iptables-1.4.6]# ./configure --prefix=/usr --with-ksource=/usr/src/linux
make
make install
[[email protected] iptables-1.4.6]# which iptables
/usr/sbin/iptables
[[email protected] ~]# vim iptables
In the backed-up init script, change the iptables path to /usr/sbin.
[[email protected] ~]# cp iptables /etc/init.d/iptables
[[email protected] ~]# cp iptables-config /etc/sysconfig/
[[email protected] ~]# cp iptables.bak /etc/sysconfig/iptables
[[email protected] ~]# tar xf l7-protocols-2009-05-28.tar.gz -C /usr/src    the protocol pattern definitions
[[email protected] ~]# cd /usr/src/l7-protocols-2009-05-28
[[email protected] l7-protocols-2009-05-28]# make install
lsmod lists the modules currently loaded by the system.
[[email protected] ~]# vim /etc/sysctl.conf    enable forwarding for NAT
[[email protected] ~]# sysctl -p
Block users from using QQ:
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j SNAT --to-source 172.16.10.6
iptables -A FORWARD -s 192.168.0.0/24 -m layer7 --l7proto qq -j DROP
iptables -L -n -t nat
-m time
--datestart --datestop
--timestart --timestop
Deny users network access during a given time window:
iptables -A FORWARD -s 192.168.0.0/24 -m time --timestart 08:00:00 --timestop 12:00:00 -j DROP
service iptables save
iptables-save >/etc/sysconfig/iptables.tus    save the rules
iptables-restore </etc/sysconfig/iptables.tus    reload them
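The rules above as one generated, lint-checked ruleset for iptables-restore. This is an added example, not the original post's script; the LAN subnet and public address are placeholder arguments, and the lint only checks the -m time option pairing (the mistake most easily made with that match).

```shell
#!/bin/bash
# Added example (hypothetical): emits an iptables-restore ruleset for the gateway
# described above (SNAT for the LAN, layer7 block of QQ, time-window block) and
# lint-checks the -m time rules before they reach iptables-restore.
LAN=${1:-192.168.0.0/24}
EXT_IP=${2:-172.16.10.6}

gen_rules() {                       # $1 = LAN subnet, $2 = public SNAT address
  local lan=$1 ext_ip=$2
  cat <<EOF
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $lan -j SNAT --to-source $ext_ip
COMMIT
*filter
:FORWARD DROP [0:0]
# layer7 classifies a flow from its first data packets, so its rule must sit
# before the ESTABLISHED shortcut or it only ever sees the SYN and never matches
-A FORWARD -s $lan -m layer7 --l7proto qq -j DROP
# xt_time on this kernel has no --kerneltz, so the window is interpreted in UTC
-A FORWARD -s $lan -m time --timestart 08:00:00 --timestop 12:00:00 -j DROP
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -s $lan -m state --state NEW -j ACCEPT
COMMIT
EOF
}

lint_time_rules() {                 # reads a ruleset on stdin; returns 0 if all good
  local bad=0 line
  while IFS= read -r line; do
    case $line in
      *"-m time"*)
        # a --timestart needs a --timestop (repeating --timestart is rejected by iptables)
        case $line in
          *--timestart*--timestop*|*--timestop*--timestart*) ;;
          *) bad=1 ;;
        esac ;;
    esac
  done
  return $bad
}

if gen_rules "$LAN" "$EXT_IP" | lint_time_rules; then
  gen_rules "$LAN" "$EXT_IP"        # on the gateway: pipe this into iptables-restore
else
  echo "a -m time rule is missing --timestart or --timestop" >&2
fi
```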
#!/bin/bash
#
ipt=/usr/sbin/iptables      # the newly built binary, not the removed RPM's /sbin/iptables
einterface=eth0             # external interface
iinterface=eth1             # internal interface
eip=10.10.10.2              # external address
iip=192.168.10.6            # internal address
$ipt -t nat -F              # flush all three tables before loading the rules
$ipt -t filter -F
$ipt -t mangle -F
$ipt -N clean_up            # user-defined chain for traffic that is always dropped
$ipt -A clean_up -d 255.255.255.255 -p icmp -j DROP
$ipt -A clean_up -j RETURN
$ipt -A
.....
[[email protected] ~]# vim /etc/rc.d/rc3.d/S99local    the iptables rules can be written as a script and run automatically at boot
#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.
touch /var/lock/subsys/local
/tmp/iptables
System boot process
POST-->MBR(bootloader)-->Kernel(initrd)-->init(/etc/inittab)
1. Set the default runlevel
2. Run the system initialization script
3. Start the services of the chosen runlevel
/etc/rc.d/rc 0
/etc/rc.d/rcN.d/
S*
K*
/etc/rc.d/rc.local
/etc/rc.local
/etc/rc.d/rc3.d/S99local
IDS: intrusion detection system
NIDS: snort + iptables = NIPS (network intrusion prevention system)
HIDS:
This article is from the blog "运维成长路"; reproduction is not permitted.