_iptables系列之layer7

uname -r查看内核版本。

[[email protected] ~]# ls

anaconda-ks.cfg  install.log.syslog      l7-protocols-2009-05-28.tar.gz  netfilter-layer7-v2.22.tar.gz

install.log      iptables-1.4.6.tar.bz2  linux-2.6.28.10.tar.bz2

[[email protected] ~]# tar xf linux-2.6.28.10.tar.bz2   -C /usr/src

[[email protected] ~]# tar xf netfilter-layer7-v2.22.tar.gz  -C /usr/src

[[email protected] ~]# cd /usr/src/

[[email protected] src]# ls

debug  kernels  linux-2.6.28.10  netfilter-layer7-v2.22

[[email protected] src]#

[[email protected] src]# ln -sv linux-2.6.28.10 linux

`linux‘ -> `linux-2.6.28.10‘

[[email protected] src]# cd linux

打补丁

[[email protected] linux]# patch -p1 < ../netfilter-layer7-v2.22/kernel-2.6.25-2.6.28-layer7-2.22.patch

patching file net/netfilter/Kconfig

patching file net/netfilter/Makefile

patching file net/netfilter/xt_layer7.c

patching file net/netfilter/regexp/regexp.c

patching file net/netfilter/regexp/regexp.h

patching file net/netfilter/regexp/regmagic.h

patching file net/netfilter/regexp/regsub.c

patching file net/netfilter/nf_conntrack_core.c

patching file net/netfilter/nf_conntrack_standalone.c

patching file include/net/netfilter/nf_conntrack.h

patching file include/linux/netfilter/xt_layer7.h

[[email protected] linux]#

[[email protected] linux]# yum -y groupinstall "Development Tools"

[[email protected] linux]# cp /boot/config-2.6.32-431.el6.x86_64  .config

[[email protected] linux]#  yum install  ncurses ncurses-devel ncurses-libs

[[email protected] linux]# make menuconfig

添加 Local version -append to kernel release

-l7 让系统支持layer7

Processor type and features --->

Processor family (Generic-x86-64)  ---> 把处理器改为自己的处理器最接近的型号

-*- Networking support  --->

Networking options  --->

[*] Network packet filtering framework (Netfilter)  --->

Core Netfilter Configuration  --->

<M> Netfilter connection tracking support 启用

<M>   "layer7" match support 启用

<M>   "time" match support 启用

<M>   "iprange" address range match support 启用

<M>   FTP protocol support 启用

<M>   Connection tracking netlink interface 启用

IP: Netfilter Configuration  --->

<M> IPv4 connection tracking support (required for NAT)   启用

<M>   Full NAT  启用

[ ]   Wireless  ---> 去掉

< >   Bluetooth subsystem support  ---> 去掉

Device Drivers  --->

< > Sound card support  --->  声卡去掉

< > InfiniBand support  --->   去掉

[*] Network device support  --->

[ ]   Ethernet (1000 Mbit)  --->   1000M网卡去掉

[ ]   Ethernet (10000 Mbit)  --->   万M网卡去掉

[ ]   Token Ring driver support  ---> 令牌环网去掉

[ ]   PCMCIA network device support  --->  PCI的去掉

[ ]   Wan interfaces support  --->    去掉

[ ]   ATM drivers  --->去掉

[ ]   FDDI driver support 去掉

[ ] Virtualization  --->去掉

File systems  --->

< > GFS2 file system support去掉

DOS/FAT/NT Filesystems  --->

<M> NTFS file system support NTFS可以启用

保存退出

yum -y install screen

[[email protected] linux]# screen  为了保证编译时连接中断造成影响打开此工具

[[email protected] linux]# make

Ctrl+a d 拆掉

[[email protected] linux]# screen -ls 查看会话

[[email protected] linux]# screen -r 26296 重连会话

[[email protected] linux]# make modules_install

[[email protected] linux]# make install

[[email protected] ~]# vim /etc/grub.conf 安装成功以后会在此文件生成一条新的条目

default=0 修改默认启动哪个内核

重启主机选择使用新版本的内核

uname -r 可以查看一下当前 内核是否切换

编译新版的iptables

[[email protected] ~]# cp /etc/init.d/iptables  ~/ 先备份一下启动脚本

[[email protected] ~]# cp /etc/sysconfig/iptables-config  ~/

[[email protected] ~]# cp /etc/sysconfig/iptables  ~/iptables.bak 备份已有规则

[[email protected] ~]# service iptables stop 卸载前 先停止服务

[[email protected] ~]# chkconfig iptables off

[[email protected] ~]# rpm -e iptables-ipv6 iptables iptstate --nodeps

[[email protected] ~]# tar xf iptables-1.4.6.tar.bz2  -C /usr/src

[[email protected] src]# cd /usr/src/iptables-1.4.6/

[[email protected] iptables-1.4.6]# cp ../netfilter-layer7-v2.22/iptables-1.4.3forward-for-kernel-2.6.20forward/libxt_layer7.*  ./extensions/

[[email protected] iptables-1.4.6]# ./configure  --prefix=/usr --with-ksource=/usr/src/linux

make

make install

[[email protected] iptables-1.4.6]# which iptables

/usr/sbin/iptables

[[email protected] ~]# vim iptables

修改iptbales的路径为/usr/sbin

[[email protected] ~]# cp iptables /etc/init.d/iptables

[[email protected] ~]# cp iptables-config /etc/sysconfig/

[[email protected] ~]# cp iptables.bak  /etc/sysconfig/iptables

[[email protected] ~]# tar xf l7-protocols-2009-05-28 -C /usr/src协议特征码

[[email protected] ~]# cd /usr/src

[[email protected] src]# make install

lsmod查看当前系统所加载的模块

[[email protected] ~]# vim /etc/sysctl.conf 开启nat

[[email protected] ~]# sysctl -p

拒绝用户使用QQ

iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j SNAT --to-source  172.16.10.6

iptables -A FORWARD -s 192.168.0.0/24 -m layer7 --l7proto qq -j DROP

iptables -L -n -t nat

-m time

--datestart --datestop

--timestart  --timestop

拒绝用户某个时间段上网

iptables -A FORWARD -s 192.168.0.0/24 -m time --timestart 08:00:00  --timestart 12:00:00 -j DROP

service iptables save

iptables-save >/etc/sysconfig/iptables.tus 保存规则

iptables-restore </etc/sysconfig/iptables.tus 重新载入

#!/bin/bash

#

ipt=/usr/sbin/iptables

einterface=eth0

iinterface=eth1

eip=10.10.10.2

iip=192.168.10.6

$ipt -t nat -F

$ipt -t filter -F

$ipt -t mangle -F

$ipt -N clean_up

$ipt -A clean_up -d 255.255.255.255 -p  icmp -j DROP

$ipt -A clean_up -j RETURN

$iptables -A

.....

[[email protected] ~]# vim /etc/rc.d/rc3.d/S99local  可以把iptables规则写成脚本开机自动运行

#!/bin/sh

#

# This script will be executed *after* all the other init scripts.

# You can put your own initialization stuff in here if you don‘t

# want to do the full Sys V style init stuff.

touch /var/lock/subsys/local

/tmp/iptables

系统启动过程

POST-->MBR(bootloader)-->Kernel(initrd)--init(/etc/inittab)

1.设定默认级别

2.系统初始化脚本

3.运行指定级别的服务

/etc/rc.d/rc 0

/etc/rc.d/rcN.d/

S*

K*

/etc/rc.d/rc.local

/etc/rc.local

/etc/rc.d/rc3.d/S99local

IDS: 入侵检测系统

nids：snort+iptables=NIPS 网络入侵防御系统

hids: