Blocking QQ and Xunlei with iptables + l7-filter + opendpi

Source: Internet  Published: mobile network repair software  Editor: 程序博客网  Time: 2024/04/26 00:06

Reposted from: http://blog.csdn.net/liuyunfengheda/article/details/6797524

 

L7-filter (Application Layer Packet Classifier for Linux) is an add-on module for Linux netfilter. It lets iptables match at Layer 7 (the application layer), so that P2P and instant-messaging software can be throttled or blocked. Existing write-ups on blocking QQ, Xunlei and similar software with iptables introduce two plugins, l7-filter and ipp2p, but in the author's experiments it turned out that ipp2p is no longer maintained upstream and is kept alive only by hobbyists in China. ipp2p also does not build cleanly against many kernel versions, so I read the documentation for opendpi, the replacement recommended on the ipp2p site. There is very little Chinese-language documentation on opendpi, so I tried it out and recorded the procedure and the pitfalls below for reference.

redhat
Kernel 2.6.9-11.0.3.EL
Iptables 1.2.11

1. Download the required packages:
kernel 2.6.25
# wget http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.25.tar.bz2
iptables-1.4.7.tar.bz2
Download: http://download.csdn.net/detail/gnodiuhnil/2690383
Alternatively: # wget http://www.netfilter.org/projects/iptables/files/iptables-1.3.7.tar.bz2
L7-filter: http://sourceforge.net/project/showfiles.php?group_id=80085
netfilter-layer7-v2.21.tar.gz
l7-protocols-2009-05-10.tar.gz

2. Configure and build the new kernel
Put all the downloaded packages under /usr/src, then rebuild the kernel:

#tar -jxvf linux-2.6.25.7.tar.bz2
#tar -zxvf netfilter-layer7-v2.22.tar.gz
#tar -zxvf l7-protocols-2009-05-28.tar.gz
#cd linux-2.6.28
#patch -p1 < /usr/src/netfilter-layer7-v2.22/kernel-2.6.25-2.6.28-layer7-2.22.patch
patching file net/netfilter/Kconfig
patching file net/netfilter/Makefile
patching file net/netfilter/xt_layer7.c
patching file net/netfilter/regexp/regexp.c
patching file net/netfilter/regexp/regexp.h
patching file net/netfilter/regexp/regmagic.h
patching file net/netfilter/regexp/regsub.c
patching file net/netfilter/nf_conntrack_core.c
patching file net/netfilter/nf_conntrack_standalone.c
patching file include/net/netfilter/nf_conntrack.h
patching file include/linux/netfilter/xt_layer7.h
#cp /boot/config-2.6.18-194.el5 /usr/src/linux-2.6.25.7/.config
#make menuconfig   (note: run this in a graphical environment)

(1) Networking support → Networking Options → Network packet filtering framework → Core Netfilter Configuration

<M> Netfilter connection tracking support
[*]   Connection tracking events
<M>   "connlimit" match support
<M>   Connection tracking netlink interface
<M>   FTP protocol support
<M>   "layer7" match support
<M>   "string" match support
<M>   "time" match support
<M>   "iprange" match support
<M>   "connlimit" match support
<M>   "state" match support
<M>   "conntrack" connection match support
<M>   "mac" address match support
<M>   "multiport" Multiple port match support

(2) Networking support → Networking Options → Network packet filtering framework → IP: Netfilter Configuration

<M> IPv4 connection tracking support (required for NAT)
<M>   Full NAT
<M>     MASQUERADE target support
<M>     NETMAP target support
<M>     REDIRECT target support

#make && make modules_install && make install

The build takes at least half an hour, so you can do something else in the meantime. When it finishes:

# reboot
# uname -a

Then edit the boot loader configuration so that the new kernel becomes the default:

#vi /etc/grub.conf

# grub.conf generated by anaconda
#
# Note that you do not have to rerun grub after making changes to this file
# NOTICE:  You have a /boot partition.  This means that
#          all kernel and initrd paths are relative to /boot/, eg.
#          root (hd0,0)
#          kernel /vmlinuz-version ro root=/dev/VolGroup00/LogVol00
#          initrd /initrd-version.img
#boot=/dev/sda
default=1  ----- change to default=0
timeout=5
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
title CentOS (2.6.25.7)
        root (hd0,0)
        kernel /vmlinuz-2.6.25.7 ro root=/dev/VolGroup00/LogVol00 rhgb quiet
        initrd /initrd-2.6.25.7.img
title CentOS (2.6.18-194.el5)
        root (hd0,0)
        kernel /vmlinuz-2.6.18-194.el5 ro root=/dev/VolGroup00/LogVol00 rhgb quiet
        initrd /initrd-2.6.18-194.el5.img

#reboot
#uname -a
Linux proxytest 2.6.25.7 #1 SMP Wed Sep 21 19:01:12 CST 2011 i686 i686 i386 GNU/Linux

After the reboot, uname shows that the system is running the new kernel. This completes the kernel build.

5. Apply the Layer7 patch to iptables and upgrade it

#cd /usr/src
# tar -zxvf netfilter-layer7-v2.22.tar.gz
# tar -jxvf iptables-1.4.3.2.tar.bz2
# cp /usr/src/netfilter-layer7-v2.22/iptables-1.4.3forward-for-kernel-2.6.20forward/* /usr/src/iptables-1.4.3.2/extensions/
# cd /usr/src/iptables-1.4.3.2
# ./configure --with-ksource=/usr/src/linux-2.6.25.7
# make && make install
# iptables -V
iptables v1.4.3.2   # now the new version

 

6. Install the Layer7 protocol definitions

# cd /usr/src
# tar -zxvf l7-protocols-2009-05-28.tar.gz
# cd l7-protocols-2009-05-28
# make install

7. Layer7 rules

# iptables -t mangle -I PREROUTING -m layer7 --l7proto edonkey -j DROP       (block eDonkey)
# iptables -t mangle -I PREROUTING -m layer7 --l7proto bittorrent -j DROP    (block BitTorrent)
# iptables -t mangle -I PREROUTING -m layer7 --l7proto qq -j DROP            (block QQ)
# iptables -t mangle -I PREROUTING -m layer7 --l7proto msnmessenger -j DROP  (block MSN Messenger)
# iptables -t mangle -I PREROUTING -m layer7 --l7proto xunlei -j DROP        (block Xunlei)
# iptables -t mangle -I PREROUTING -m layer7 --l7proto kugoo -j DROP         (block Kugoo)
# iptables -t mangle -I PREROUTING -m layer7 --l7proto yahoo -j DROP         (block Yahoo! Messenger)

8. Install opendpi

(1) Install opendpi-netfilter

#cd /usr/src
#tar -zxvf opendpi-1.3.0.tar.gz
#tar -zxvf opendpi-netfilter-wrapper-1.2.tar.gz
#cd opendpi-netfilter-wrapper-1.2/wrapper
#export OPENDPI_PATH=/usr/src/opendpi-1.3.0
# OPENDPI_PATH=/usr/src/opendpi-1.3.0  make
# make modules_install
# cp ipt/libxt_opendpi.so /usr/local/libexec/xtables
# iptables -m opendpi --help

If the help text for the match is printed, the build succeeded.

(2) Install opendpi

#cd /usr/src/opendpi-1.3.0
#./configure
# make

If make fails with errors like the following:

OpenDPI_demo.c:42:18: error: pcap.h: No such file or directory
OpenDPI_demo.c:50: error: ‘PCAP_ERRBUF_SIZE’ undeclared here (not in a function)
OpenDPI_demo.c:51: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘__attribute__’ before ‘*’ token
OpenDPI_demo.c: In function ‘openPcapFile’:
OpenDPI_demo.c:457: error: ‘_pcap_handle’ undeclared (first use in this function)
OpenDPI_demo.c:457: error: (Each undeclared identifier is reported only once
OpenDPI_demo.c:457: error: for each function it appears in.)
OpenDPI_demo.c: In function ‘closePcapFile’:
OpenDPI_demo.c:468: error: ‘_pcap_handle’ undeclared (first use in this function)
OpenDPI_demo.c: At top level:
OpenDPI_demo.c:474: warning: ‘struct pcap_pkthdr’ declared inside parameter list
OpenDPI_demo.c:474: warning: its scope is only this definition or declaration, which is probably not what you want
OpenDPI_demo.c: In function ‘pcap_packet_callback’:
OpenDPI_demo.c:485: error: dereferencing pointer to incomplete type
OpenDPI_demo.c:486: error: dereferencing pointer to incomplete type
OpenDPI_demo.c:497: error: ‘DLT_EN10MB’ undeclared (first use in this function)
OpenDPI_demo.c:503: error: dereferencing pointer to incomplete type
OpenDPI_demo.c:505: error: dereferencing pointer to incomplete type
OpenDPI_demo.c:505: error: dereferencing pointer to incomplete type
OpenDPI_demo.c:515: error: dereferencing pointer to incomplete type
OpenDPI_demo.c:517: error: dereferencing pointer to incomplete type
OpenDPI_demo.c:517: error: dereferencing pointer to incomplete type
OpenDPI_demo.c: In function ‘runPcapLoop’:
OpenDPI_demo.c:524: error: ‘_pcap_handle’ undeclared (first use in this function)
make[1]: *** [OpenDPI_demo.o] Error 1
make[1]: Leaving directory `/usr/src/opendpi-1.3.0/src/examples/OpenDPI_demo'
make: *** [all-recursive] Error 1

the pcap headers are missing; install libpcap-devel and rebuild:

#yum install libpcap-devel
#make
#make install

(3) Example rules:

iptables -A OUTPUT -m opendpi --http -j REJECT      (block HTTP)
iptables -A OUTPUT -m opendpi --thunder -j REJECT   (block Xunlei/Thunder)
iptables -A OUTPUT -m opendpi --pplive -j REJECT    (block PPLive)
...

There are many more protocols; see iptables -m opendpi --help for the full list.
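As an added example that is not part of the original post, the shell functions below turn the per-protocol commands of sections 7 and 8 into a generated rule list for either matcher, put a rate-limited LOG rule in front of every DROP/REJECT so a blocked flow leaves a trace in the kernel log, and refuse to apply anything when the matcher cannot be loaded. The dpi_* names are mine; the LOG target and the limit match are standard iptables extensions that the post itself does not mention.

```shell
# Added example, not from the original post. Builds the layer7 / opendpi
# rules used above and logs before blocking. Assumes the standard LOG
# target and limit match are available in this iptables build.

# Match expression for one protocol: layer7 takes "--l7proto NAME",
# the opendpi wrapper takes "--NAME" (see "iptables -m opendpi --help").
dpi_match() {
    case "$1" in
        layer7)  printf '%s\n' "-m layer7 --l7proto $2" ;;
        opendpi) printf '%s\n' "-m opendpi --$2" ;;
        *)       echo "unknown matcher: $1" >&2; return 1 ;;
    esac
}

# Print the rules for a list of protocols.
# $1 = matcher (layer7|opendpi), $2 = target (DROP|REJECT), rest = names.
# layer7 rules go in mangle PREROUTING as in section 7, opendpi rules in
# filter OUTPUT as in section 8; each block rule follows a LOG rule.
dpi_block_list() {
    matcher=$1; target=$2; shift 2
    case "$matcher" in
        layer7)  where="-t mangle -A PREROUTING" ;;
        opendpi) where="-A OUTPUT" ;;
        *)       echo "unknown matcher: $matcher" >&2; return 1 ;;
    esac
    for proto in "$@"; do
        m=$(dpi_match "$matcher" "$proto") || return 1
        printf '%s\n' \
          "iptables $where $m -m limit --limit 10/min -j LOG --log-prefix \"DPI-$proto: \"" \
          "iptables $where $m -j $target"
    done
}

# Number of blocking rules (non-LOG lines) the list would install.
dpi_count() {
    dpi_block_list "$@" | grep -vc -- '-j LOG'
}

# Apply the rules only if the matcher can actually be loaded, so a
# missing kernel module or userspace library does not fail silently.
dpi_apply() {
    if iptables -m "$1" --help >/dev/null 2>&1; then
        dpi_block_list "$@" | sh -e
    else
        echo "iptables match '$1' unavailable; nothing applied" >&2
        return 1
    fi
}
```

dpi_apply layer7 DROP qq xunlei installs the section 7 rules with logging; PREROUTING only sees traffic entering the box, so on a gateway it covers forwarded clients while the OUTPUT rules of section 8 cover the host's own connections.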
