Blocking QQ and Xunlei with iptables + l7-filter + opendpi

Source: Internet    Published by: 无名体育淘宝    Editor: 程序博客网    Time: 2024/04/17 04:11


Author: 刘运锋                                            Date: 2011-09-21

1. Preface

At the 2011 Architects Conference I had the chance to hear a talk by 白金, who introduced two iptables plugins for blocking QQ, Xunlei and similar traffic: l7-filter and ipp2p. In my own experiments, however, I found that ipp2p is no longer maintained upstream; only domestic enthusiasts keep it updated. ipp2p also does not build cleanly against many kernel versions, so I read the documentation for opendpi, the replacement recommended on the ipp2p site, and found that there is very little Chinese-language material on opendpi. Having tried it, I am recording the process and the points to watch out for, for reference.

Given the actual environment, the deployment environment and the installation process are as follows:

2. Environment

System:   CentOS 5.5

Kernel:   kernel 2.6.18-194.el5

Iptables: iptables v1.3.5

3. Software and download URLs:

kernel 2.6.25.7: http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.25.7.tar.bz2

Iptables 1.4.3.2: http://www.netfilter.org/projects/iptables/files/iptables-1.4.3.2.tar.bz2

netfilter-layer7: http://cdnetworks-kr-2.dl.sourceforge.net/project/l7-filter/l7-filter%20kernel%20version/2.22/netfilter-layer7-v2.22.tar.gz

l7-protocols: http://cdnetworks-kr-2.dl.sourceforge.net/project/l7-filter/Protocol%20definitions/2009-05-28/l7-protocols-2009-05-28.tar.gz

Opendpi: http://opendpi.googlecode.com/files/opendpi-1.3.0.tar.gz

opendpi-netfilter-wrapper: http://opendpi.googlecode.com/files/opendpi-netfilter-wrapper-1.2.tar.gz

ipp2p-0.99.15-k2.6.28-i1.4.7: http://bbs.chinaunix.net/attachment.php?aid=NDU3OTgzfDc3NDZiZmRifDEzMTY1MDUzNjV8YmVjNUk4bFFOTkJiRkk2TUZPNEdhNU82dU9RaXF5azlRWkIyV0ZqbHdiY1dZRFE%3D

Put all of the above under /usr/src.

kernel 2.6.25.7 was chosen because when I tried newer kernels during testing, opendpi would not compile against them, so I had to settle on kernel 2.6.25.7.

The error encountered was:

/usr/src/opendpi-netfilter-wrapper-1.2/wrapper/src/main.c:362: warning: ‘struct nf_ct_event’ declared inside parameter list

/usr/src/opendpi-netfilter-wrapper-1.2/wrapper/src/main.c:362: warning: its scope is only this definition or declaration, which is probably not what you want

/usr/src/opendpi-netfilter-wrapper-1.2/wrapper/src/main.c: In function ‘opendpi_conntrack_event’:

/usr/src/opendpi-netfilter-wrapper-1.2/wrapper/src/main.c:364: error: dereferencing pointer to incomplete type

/usr/src/opendpi-netfilter-wrapper-1.2/wrapper/src/main.c: At top level:

/usr/src/opendpi-netfilter-wrapper-1.2/wrapper/src/main.c:383: error: variable ‘osdpi_notifier’ has initializer but incomplete type

/usr/src/opendpi-netfilter-wrapper-1.2/wrapper/src/main.c:384: error: unknown field ‘fcn’ specified in initializer

/usr/src/opendpi-netfilter-wrapper-1.2/wrapper/src/main.c:384: warning: excess elements in struct initializer

/usr/src/opendpi-netfilter-wrapper-1.2/wrapper/src/main.c:384: warning: (near initialization for ‘osdpi_notifier’)

/usr/src/opendpi-netfilter-wrapper-1.2/wrapper/src/main.c: In function ‘opendpi_cleanup’:

/usr/src/opendpi-netfilter-wrapper-1.2/wrapper/src/main.c:591: warning: passing argument 1 of ‘nf_conntrack_unregister_notifier’ from incompatible pointer type

/usr/src/opendpi-netfilter-wrapper-1.2/wrapper/src/main.c: In function ‘opendpi_mt_init’:

/usr/src/opendpi-netfilter-wrapper-1.2/wrapper/src/main.c:677: warning: passing argument 1 of ‘nf_conntrack_register_notifier’ from incompatible pointer type

make[3]: *** [/usr/src/opendpi-netfilter-wrapper-1.2/wrapper/src/main.o] Error 1

make[2]: *** [_module_/usr/src/opendpi-netfilter-wrapper-1.2/wrapper/src] Error 2

make[2]: Leaving directory `/usr/src/linux-2.6.28'

make[1]: *** [all] Error 2

make[1]: Leaving directory `/usr/src/opendpi-netfilter-wrapper-1.2/wrapper/src'

make: *** [all] Error 2

I have contacted the opendpi developers about this; there has been no reply so far.

4. Recompiling the kernel:

#tar -jxvf linux-2.6.25.7.tar.bz2

#tar -zxvf netfilter-layer7-v2.22.tar.gz

#tar -zxvf l7-protocols-2009-05-28.tar.gz

#cd linux-2.6.25.7    (the directory extracted from linux-2.6.25.7.tar.bz2; the steps below all refer to /usr/src/linux-2.6.25.7)

#patch -p1 < /usr/src/netfilter-layer7-v2.22/kernel-2.6.25-2.6.28-layer7-2.22.patch

patching file net/netfilter/Kconfig

patching file net/netfilter/Makefile

patching file net/netfilter/xt_layer7.c

patching file net/netfilter/regexp/regexp.c

patching file net/netfilter/regexp/regexp.h

patching file net/netfilter/regexp/regmagic.h

patching file net/netfilter/regexp/regsub.c

patching file net/netfilter/nf_conntrack_core.c

patching file net/netfilter/nf_conntrack_standalone.c

patching file include/net/netfilter/nf_conntrack.h

patching file include/linux/netfilter/xt_layer7.h

#cp /boot/config-2.6.18-194.el5 /usr/src/linux-2.6.25.7/.config

#make  menuconfig    (note: this has to be run from a graphical environment)

(1) Networking support → Networking Options → Network packet filtering framework → Core Netfilter Configuration

<M> Netfilter connection tracking support

[*]   Connection tracking events

<M>   "connlimit" match support

<M>   Connection tracking netlink interface

<M>  FTP protocol support

<M>  "layer7" match support

<M>  "string" match support

<M>  "time" match support

<M>  "iprange" match support

<M>  "state" match support

<M>  "conntrack" connection match support

<M>  "mac" address match support

<M>  "multiport" Multiple port match support

(2) Networking support → Networking Options → Network packet filtering framework → IP: Netfilter Configuration

<M> IPv4 connection tracking support (required for NAT)

<M>   Full NAT

<M>   MASQUERADE target support

<M>   NETMAP target support

<M>   REDIRECT target support

#make && make modules_install && make install

Compiling takes at least half an hour; you can do something else in the meantime. Once it finishes:

#vi /etc/grub.conf

 

# grub.conf generated by anaconda

#

# Note that you do not have to rerun grub after making changes to this file

# NOTICE:  You have a /boot partition.  This means that

#          all kernel and initrd paths are relative to /boot/, eg.

#          root (hd0,0)

#          kernel /vmlinuz-version ro root=/dev/VolGroup00/LogVol00

#          initrd /initrd-version.img

#boot=/dev/sda

default=1    (change this to default=0)

timeout=5

splashimage=(hd0,0)/grub/splash.xpm.gz

hiddenmenu

title CentOS (2.6.25.7)

        root (hd0,0)

        kernel /vmlinuz-2.6.25.7 ro root=/dev/VolGroup00/LogVol00 rhgb quiet

        initrd /initrd-2.6.25.7.img

title CentOS (2.6.18-194.el5)

        root (hd0,0)

        kernel /vmlinuz-2.6.18-194.el5 ro root=/dev/VolGroup00/LogVol00 rhgb quiet

        initrd /initrd-2.6.18-194.el5.img

#reboot

#uname -a

Linux proxytest 2.6.25.7 #1 SMP Wed Sep 21 19:01:12 CST 2011 i686 i686 i386 GNU/Linux

After rebooting, check: the system is now running the new kernel. This completes the kernel build.
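The menuconfig step above is the one place where a missed option costs another half-hour build, so here is an added check (my own script, not part of the original article) that inspects a kernel .config for the options the two menu lists are meant to enable, and confirms that the layer7 patch touched the tree. The CONFIG_ symbol names are my mapping of the menu entries to their Kconfig symbols in a 2.6.25 tree with netfilter-layer7 applied; confirm them against net/netfilter/Kconfig and net/ipv4/netfilter/Kconfig in your own tree. The .config fragment used in the demo is constructed.

```shell
#!/bin/sh
# Added example, not part of the original article: before running the
# half-hour "make", confirm that menuconfig actually left the needed options
# in .config and that the layer7 patch was applied to the tree.
# The CONFIG_ symbol names are an assumption (my mapping of the menu entries
# to a 2.6.25 tree with netfilter-layer7); check them against your Kconfig.

# Symbols the two menuconfig lists above are meant to enable.
# A tristate option may be =m (module, as in the article) or =y (built in).
REQUIRED_SYMBOLS='
CONFIG_NF_CONNTRACK
CONFIG_NF_CONNTRACK_EVENTS
CONFIG_NF_CONNTRACK_NETLINK
CONFIG_NF_CONNTRACK_FTP
CONFIG_NETFILTER_XT_MATCH_LAYER7
CONFIG_NETFILTER_XT_MATCH_STRING
CONFIG_NETFILTER_XT_MATCH_TIME
CONFIG_NETFILTER_XT_MATCH_IPRANGE
CONFIG_NETFILTER_XT_MATCH_CONNLIMIT
CONFIG_NETFILTER_XT_MATCH_STATE
CONFIG_NETFILTER_XT_MATCH_CONNTRACK
CONFIG_NETFILTER_XT_MATCH_MAC
CONFIG_NETFILTER_XT_MATCH_MULTIPORT
CONFIG_NF_CONNTRACK_IPV4
CONFIG_NF_NAT
CONFIG_IP_NF_TARGET_MASQUERADE
CONFIG_IP_NF_TARGET_NETMAP
CONFIG_IP_NF_TARGET_REDIRECT
'

# symbol_enabled CONFIG_FILE SYMBOL: true if SYMBOL=y or SYMBOL=m is set.
symbol_enabled() {
    grep -q "^$2=[ym]\$" "$1"
}

# count_missing CONFIG_FILE: print how many required symbols are not enabled.
count_missing() {
    n=0
    for sym in $REQUIRED_SYMBOLS; do
        symbol_enabled "$1" "$sym" || n=$((n + 1))
    done
    echo "$n"
}

# check_kconfig CONFIG_FILE: list every required symbol that is not enabled;
# returns 0 only when all of them are.
check_kconfig() {
    for sym in $REQUIRED_SYMBOLS; do
        symbol_enabled "$1" "$sym" || echo "missing: $sym"
    done
    [ "$(count_missing "$1")" -eq 0 ]
}

# layer7_patch_applied KERNEL_TREE: the patch output above shows it adding
# net/netfilter/xt_layer7.c, so that file's presence is a cheap test that
# the patch really went in before configuring.
layer7_patch_applied() {
    [ -f "$1/net/netfilter/xt_layer7.c" ]
}

# Demo on a constructed .config fragment (not a real file from the article):
# the 2.6.18 config copied from /boot enables conntrack but knows nothing
# about layer7, which is exactly the case this check is meant to catch.
demo_config=$(mktemp)
printf 'CONFIG_NF_CONNTRACK=m\nCONFIG_NF_CONNTRACK_EVENTS=y\n# CONFIG_NETFILTER_XT_MATCH_LAYER7 is not set\n' > "$demo_config"
if check_kconfig "$demo_config"; then
    echo "config ok, safe to run make"
else
    echo "enable the options listed above with make menuconfig before running make"
fi
rm -f "$demo_config"
```

Run it as `check_kconfig /usr/src/linux-2.6.25.7/.config` and `layer7_patch_applied /usr/src/linux-2.6.25.7` after `make menuconfig` and before `make`; an option that menuconfig left as `# CONFIG_... is not set` is reported as missing, because only `=y` or `=m` counts as enabled.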

 

5. Updating iptables with the Layer7 patch

#cd /usr/src

# tar -zxvf netfilter-layer7-v2.22.tar.gz

# tar -jxvf iptables-1.4.3.2.tar.bz2

# cp /usr/src/netfilter-layer7-v2.22/iptables-1.4.3forward-for-kernel-2.6.20forward/* /usr/src/iptables-1.4.3.2/extensions/

# cd /usr/src/iptables-1.4.3.2

# ./configure --with-ksource=/usr/src/linux-2.6.25.7

# make && make install

# iptables -V

iptables v1.4.3.2   # updated to the new version

 

6. Installing the Layer7 protocol definitions

# cd /usr/src

# tar -zxvf l7-protocols-2009-05-28.tar.gz

# cd l7-protocols-2009-05-28

# make install

7. Layer7 rules

# iptables -t mangle -I PREROUTING -m layer7 --l7proto edonkey -j DROP    (block eDonkey)

# iptables -t mangle -I PREROUTING -m layer7 --l7proto bittorrent -j DROP    (block BitTorrent)

# iptables -t mangle -I PREROUTING -m layer7 --l7proto qq -j DROP    (block QQ traffic)

# iptables -t mangle -I PREROUTING -m layer7 --l7proto msnmessenger -j DROP    (block MSN Messenger)

# iptables -t mangle -I PREROUTING -m layer7 --l7proto xunlei -j DROP    (block Xunlei)

# iptables -t mangle -I PREROUTING -m layer7 --l7proto kugoo -j DROP    (block Kugoo)

# iptables -t mangle -I PREROUTING -m layer7 --l7proto yahoo -j DROP    (block Yahoo! Messenger)

8. Installing opendpi

(1) Installing opendpi-netfilter

#cd /usr/src

#tar -zxvf opendpi-1.3.0.tar.gz

#tar -zxvf opendpi-netfilter-wrapper-1.2.tar.gz

#cd opendpi-netfilter-wrapper-1.2/wrapper

#export OPENDPI_PATH=/usr/src/opendpi-1.3.0

# OPENDPI_PATH=/usr/src/opendpi-1.3.0  make

# make modules_install

# cp ipt/libxt_opendpi.so /usr/local/libexec/xtables    (the extension directory of the iptables 1.4.3.2 built in step 5)

# iptables -m opendpi --help

If this prints the module's usage information, the build succeeded.

 

(2) Installing opendpi

#cd /usr/src/opendpi-1.3.0

#./configure

# make

If you get errors like the following:

OpenDPI_demo.c:42:18: error: pcap.h: No such file or directory

OpenDPI_demo.c:50: error: ‘PCAP_ERRBUF_SIZE’ undeclared here (not in a function)

OpenDPI_demo.c:51: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘__attribute__’ before ‘*’ token

OpenDPI_demo.c: In function ‘openPcapFile’:

OpenDPI_demo.c:457: error: ‘_pcap_handle’ undeclared (first use in this function)

OpenDPI_demo.c:457: error: (Each undeclared identifier is reported only once

OpenDPI_demo.c:457: error: for each function it appears in.)

OpenDPI_demo.c: In function ‘closePcapFile’:

OpenDPI_demo.c:468: error: ‘_pcap_handle’ undeclared (first use in this function)

OpenDPI_demo.c: At top level:

OpenDPI_demo.c:474: warning: ‘struct pcap_pkthdr’ declared inside parameter list

OpenDPI_demo.c:474: warning: its scope is only this definition or declaration, which is probably not what you want

OpenDPI_demo.c: In function ‘pcap_packet_callback’:

OpenDPI_demo.c:485: error: dereferencing pointer to incomplete type

OpenDPI_demo.c:486: error: dereferencing pointer to incomplete type

OpenDPI_demo.c:497: error: ‘DLT_EN10MB’ undeclared (first use in this function)

OpenDPI_demo.c:503: error: dereferencing pointer to incomplete type

OpenDPI_demo.c:505: error: dereferencing pointer to incomplete type

OpenDPI_demo.c:505: error: dereferencing pointer to incomplete type

OpenDPI_demo.c:515: error: dereferencing pointer to incomplete type

OpenDPI_demo.c:517: error: dereferencing pointer to incomplete type

OpenDPI_demo.c:517: error: dereferencing pointer to incomplete type

OpenDPI_demo.c: In function ‘runPcapLoop’:

OpenDPI_demo.c:524: error: ‘_pcap_handle’ undeclared (first use in this function)

make[1]: *** [OpenDPI_demo.o] Error 1

make[1]: Leaving directory `/usr/src/opendpi-1.3.0/src/examples/OpenDPI_demo'

make: *** [all-recursive] Error 1

install libpcap-devel:

#yum install libpcap-devel

#make

#make install

 

(3) Example rules:

iptables -A OUTPUT -m opendpi --http -j REJECT    (block the HTTP protocol)

iptables -A OUTPUT -m opendpi --thunder -j REJECT    (block the Xunlei/Thunder protocol)

iptables -A OUTPUT -m opendpi --pplive -j REJECT    (block the PPLive protocol)

……

There are many more; see iptables -m opendpi --help for the full list.
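The rules in section 7 and in section 8 (3) are typed one at a time with `-I` or `-A`, which duplicates rules on every re-run and leaves no record of what was blocked. As an added example (my own script, not from the article or from the l7-filter or opendpi projects) serving both sections, the function below generates the same rules as an iptables-restore fragment: a dedicated chain, and for each protocol a rate-limited LOG rule so that blocked flows are visible in the kernel log, followed by the DROP or REJECT rule. The match syntax (`-m layer7 --l7proto NAME`, `-m opendpi --NAME`) is the one the article uses; the chain name APPBLOCK, the log prefix and the limit are my choices, and it assumes the LOG and limit match modules are available (the CentOS config copied in step 4 builds them).

```shell
#!/bin/sh
# Added example, not part of the original article: generate the blocking
# rules from sections 7 and 8(3) as an iptables-restore fragment. The chain
# name APPBLOCK, the log prefix and the 6/min limit are my choices
# (assumptions); the match syntax is the one the article uses.

# gen_block_rules TABLE CHAIN MATCHER TARGET PROTO...
#   MATCHER is "layer7" or "opendpi". Each PROTO gets a rate-limited LOG rule
#   (blocked flows then show up in the kernel log) followed by the TARGET rule.
#   Prints the fragment on stdout; returns 1 on a bad matcher or protocol name.
gen_block_rules() {
    table="$1"; chain="$2"; matcher="$3"; target="$4"
    shift 4
    case "$matcher" in
        layer7|opendpi) ;;
        *) echo "unknown matcher: $matcher" >&2; return 1 ;;
    esac
    # Validate every name before emitting anything, so a bad argument never
    # produces a half-written fragment. Protocol names in both tools are
    # plain alphanumerics (qq, xunlei, bittorrent, thunder, pplive, ...).
    for proto in "$@"; do
        case "$proto" in
            ''|*[!A-Za-z0-9_-]*) echo "bad protocol name: $proto" >&2; return 1 ;;
        esac
    done
    echo "*$table"
    echo ":APPBLOCK - [0:0]"
    echo "-A $chain -j APPBLOCK"
    for proto in "$@"; do
        if [ "$matcher" = layer7 ]; then
            match="-m layer7 --l7proto $proto"
        else
            match="-m opendpi --$proto"
        fi
        echo "-A APPBLOCK $match -m limit --limit 6/min -j LOG --log-prefix \"APPBLOCK $proto \""
        echo "-A APPBLOCK $match -j $target"
    done
    echo "COMMIT"
}

# count_lines TEXT: number of lines in TEXT (grep -c prints a bare integer,
# unlike wc -l on some systems).
count_lines() {
    printf '%s\n' "$1" | grep -c ''
}

# Demo: the gateway-side layer7 rules from section 7 (mangle/PREROUTING, DROP)
# and the host-side opendpi rules from section 8(3) (filter/OUTPUT, REJECT).
gen_block_rules mangle PREROUTING layer7 DROP qq xunlei bittorrent edonkey
echo
gen_block_rules filter OUTPUT opendpi REJECT thunder pplive
```

Two things to keep in mind when loading the output. `iptables-restore < file` replaces the whole table named in the fragment, so merge the fragment into the machine's complete ruleset (for instance the output of `iptables-save`) rather than loading it next to hand-typed rules; with `--noflush` the chain is rebuilt but the jump from PREROUTING or OUTPUT is appended again on every load. And the layer7 match depends on connection tracking and only classifies a connection after inspecting its first packets, so those packets pass before the DROP takes effect, and a client that encrypts or obfuscates its protocol may never match the pattern at all; the LOG rules are how you find out which rules are actually firing.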

http://blog.csdn.net/liuyunfengheda/article/details/6797524