禁止http访问


禁止浏览器访问80端口(该规则只丢弃发往 80 端口且载荷中包含字符串 HTTP 的出站 TCP 报文;HTTPS(443 端口)以及其他端口上的 HTTP 不受影响):

iptables -I OUTPUT -p tcp -m string --string HTTP --algo kmp --dport 80 -j DROP


代码:

#include <linux/kernel.h>#include <linux/init.h>#include <linux/module.h>#include <linux/version.h>#include <linux/string.h>#include <linux/kmod.h>#include <linux/vmalloc.h>#include <linux/workqueue.h>#include <linux/spinlock.h>#include <linux/socket.h>#include <linux/net.h>#include <linux/in.h>#include <linux/skbuff.h>#include <linux/ip.h>#include <linux/tcp.h>#include <linux/netfilter.h>#include <linux/netfilter_ipv4.h>#include <linux/icmp.h>#include <net/sock.h>#include <asm/uaccess.h>#include <asm/unistd.h>//#include "inet_addr.h"MODULE_LICENSE("GPL");MODULE_AUTHOR("xsc");static struct nf_hook_ops nfho;unsigned int hook_func(unsigned int hooknum,                       struct sk_buff *skb,                       const struct net_device *in,                       const struct net_device *out,                       int (*okfn)(struct sk_buff *)){        struct sk_buff *sk = skb_copy(skb, 1);struct tcphdr *tcph = NULL;const struct iphdr *iph = NULL;        struct iphdr *ip; __be16 dport;        if (!sk)                return NF_ACCEPT;ip = ip_hdr(sk);iph = ip_hdr(skb);if(ip->protocol == IPPROTO_TCP){tcph = (void *) iph + iph->ihl * 4;dport = tcph->dest;if(ntohs(dport) == 80 ){return NF_DROP;}else{return NF_ACCEPT;}}        return NF_ACCEPT;}static int kexec_test_init(void){    printk("kexec test start ...\n");    nfho.hook = hook_func;    nfho.owner = NULL;    nfho.pf = PF_INET;    nfho.hooknum = NF_INET_LOCAL_OUT;    nfho.priority = NF_IP_PRI_FIRST;        nf_register_hook(&nfho);    return 0;}static void kexec_test_exit(void){    printk("kexec test exit ...\n");    nf_unregister_hook(&nfho);}module_init(kexec_test_init);module_exit(kexec_test_exit);

