Linux: compiling the kernel to add application-layer filtering to iptables
2014-04-02 21:00
411 views
Note:
An earlier post introduced the principles and command usage of the Linux firewall iptables. As noted there, iptables works at the network layer, filtering and restricting TCP/IP packets, and is a typical packet-filtering firewall. Its mechanism is primarily network-layer packet filtering, with only a small amount of transport-layer and data-link-layer filtering on top, so it has difficulty telling which application a packet belongs to (for example video, or QQ).
I. Preface
To solve this, netfilter can be patched. Because netfilter is part of the Linux kernel, the kernel has to be recompiled; the corresponding patch files must then be added to iptables as well, and once it has been recompiled and reinstalled it offers extended matching at the application layer (layer 7). The separate l7-protocols package supplies the signature definitions used to recognise the various application-layer protocols, which is what makes restricting a specific application possible.
II. Implementation
Notes:
1. At present the layer7 patch from the official site only supports relatively old kernel versions. To use it there are only two options: downgrade the kernel, or modify the layer7 source code so that it applies to the current kernel version.
2. The kernel version referred to here is the kernel as rebuilt and released by Red Hat, not the kernel from kernel.org, so download it from Red Hat's FTP site.

1. Packages needed for this experiment
Kernel source package: kernel-2.6.32-431.11.2.el6.src.rpm (download link)
iptables: iptables-1.4.7-11.el6.src.rpm (download link)
l7-protocols signature package: l7-protocols-2009-05-28.tar.gz (download link)
2. Installation procedure
(1) Obtain and build the kernel
```
# useradd mockbuild
```
This adds the user that installing a .src.rpm package requires.
![](https://oscdn.geek-share.com/Uploads/Images/Content/201908/31/70a64f77e76cda78c41f6ab67fbd635a.jpg)
Extract it into the chosen directory
![](https://oscdn.geek-share.com/Uploads/Images/Content/201908/31/eb27b2f4ed53d35d808361e739308e54.jpg)
Create a symbolic link for convenient use later
![](https://oscdn.geek-share.com/Uploads/Images/Content/201908/31/ef4f24d16add44e3e588d00c0f6dfaa7.jpg)
(2) Apply the netfilter-layer7-v2.23 patch to the kernel
![](https://oscdn.geek-share.com/Uploads/Images/Content/201908/31/949689d02bd0ea6884046d0f00c57bdc.jpg)
(3) Build the kernel starting from the local system's kernel configuration file
```
# cp /boot/config-2.6.32-431.el6.x86_64 .config
# make menuconfig
```
① Networking support
![](https://oscdn.geek-share.com/Uploads/Images/Content/201908/31/d4adc6a5c44bf1e275828103f6b515ba.jpg)
② Networking options sub-menu
![](https://oscdn.geek-share.com/Uploads/Images/Content/201908/31/86e91e9330329a67ffa3f2d1ed435daf.jpg)
③ Packet filtering framework
![](https://oscdn.geek-share.com/Uploads/Images/Content/201908/31/09ce5d13919ea344a713064d175d2f02.jpg)
④ Core Netfilter configuration
![](https://oscdn.geek-share.com/Uploads/Images/Content/201908/31/e907baf09ccd115996531e9d5739d4f7.jpg)
⑤ layer7 match support
![](https://oscdn.geek-share.com/Uploads/Images/Content/201908/31/bc2e8ca6b0b979466d15ca6ee9521d71.jpg)
⑥ Make sure connection tracking support is enabled
![](https://oscdn.geek-share.com/Uploads/Images/Content/201908/31/864507d576201f5cd3e838fb52130114.jpg)
⑦ IP-based Netfilter configuration
![](https://oscdn.geek-share.com/Uploads/Images/Content/201908/31/1374961d969310b50ddbd1834db3afdc.jpg)
⑧ IPv4 NAT connection tracking
![](https://oscdn.geek-share.com/Uploads/Images/Content/201908/31/84418146ada41e0444fd71711f57717d.jpg)
⑨ Disable build-time verification
![](https://oscdn.geek-share.com/Uploads/Images/Content/201908/31/f3d2aea787aec19836665fd15254f7f2.jpg)
⑩ Disable module signature verification
![](https://oscdn.geek-share.com/Uploads/Images/Content/201908/31/3f962a167a7b02aa39a2963b8e7d663d.jpg)
Enter the API menu
![](https://oscdn.geek-share.com/Uploads/Images/Content/201908/31/ccbab3491dba4fa4b5874dc120c5abd0.jpg)
Disable signature checking
![](https://oscdn.geek-share.com/Uploads/Images/Content/201908/31/26543a27a91a435c6fa8baf8b1de4298.jpg)
Exit and save
![](https://oscdn.geek-share.com/Uploads/Images/Content/201908/31/f660115a5475a4edf1fa44355db43630.jpg)
(4) Build and install the kernel
```
# make
# make modules_install
# make install
```
This adds an entry for the new kernel version to /boot/grub/grub.conf; set default to the position of that entry and the new kernel will boot.
(5) Reboot and start the new kernel
![](https://oscdn.geek-share.com/Uploads/Images/Content/201908/31/2caa31698ab1deaaf7cf33dba8aa91de.jpg)
3. Build iptables
```
# cd /download
# tar xf iptables-1.4.20.tar.bz2
# cp /download/netfilter-layer7-v2.23/iptables-1.4.3forward-for-kernel-2.6.20forward/* extensions/
```
Note: netfilter has already been compiled into the kernel. Here the files that add the new netfilter functionality for kernels 2.6.20 and later are copied into the iptables extensions directory.
![](https://oscdn.geek-share.com/Uploads/Images/Content/201908/31/06a345590b2664868a8157a3df789a9e.jpg)
Back up the init script and configuration file
```
# cp /etc/rc.d/init.d/iptables /download
# cp /etc/sysconfig/iptables-config /download
```
![](https://oscdn.geek-share.com/Uploads/Images/Content/201908/31/06a9fcf0f057ec9eb9829bc24c40957c.jpg)
```
# make && make install
```
Note: a warning appears here saying that netfilter_conntrack was not found. It can be ignored; once the installation is finished, load the module with modprobe.
![](https://oscdn.geek-share.com/Uploads/Images/Content/201908/31/3de0db018c1b796b02dc8f499e787774.jpg)
Restore the init script and configuration file
![](https://oscdn.geek-share.com/Uploads/Images/Content/201908/31/a70f7fdd88502cbdd103921915ef41cd.jpg)
4. Provide the layer7 module with the signatures of the protocols it recognises
```
# tar zxvf l7-protocols-2009-05-28.tar.gz
# cd l7-protocols-2009-05-28
# make install
```
![](https://oscdn.geek-share.com/Uploads/Images/Content/201908/31/b06a5c7d42fc9da5ee62e56d3aa1ae4c.jpg)
5. Using the layer7 module
(1) After installation, check the iptables version.
![](https://oscdn.geek-share.com/Uploads/Images/Content/201908/31/048aa0c398aac731d3b2c3014fe9022b.jpg)
(2) Modify the script
![](https://oscdn.geek-share.com/Uploads/Images/Content/201908/31/b719f4e1653ebbe37298e2354df1817e.jpg)
(3) The ACCT feature can now be enabled or disabled on demand through a kernel parameter. The parameter only takes effect after the nf_conntrack module has been loaded.
![](https://oscdn.geek-share.com/Uploads/Images/Content/201908/31/9406cfa630eee8519049fcfed1ea7ccd.jpg)
(4) Load the nf_conntrack module (the one the earlier warning referred to)
![](https://oscdn.geek-share.com/Uploads/Images/Content/201908/31/4c7e39eb2b719bde2e7568de001e8522.jpg)
6. Testing layer7 application restrictions
Note: after the update, iptables has application-layer extension syntax on top of its existing options, supporting more extended functionality. The format is:
```
# iptables [specify table & chain] -m layer7 --l7proto [protocol name] -j [action]
```
III. Test environment
System: Windows XP, with QQ installed
System: Linux, firewall based on iptables
1. Network properties: Windows XP
![](https://oscdn.geek-share.com/Uploads/Images/Content/201908/31/e8e13f641c22c06db4a6d9239456c01b.jpg)
Linux network properties
![](https://oscdn.geek-share.com/Uploads/Images/Content/201908/31/d6b9f0afcb75679641aca81e448a9d2b.jpg)
2. After configuration, test connectivity between Windows XP and Linux.
Note: the gateway (192.168.1.253) on the physical host's 192.168.1.0 network still cannot be pinged.
3. Enable packet forwarding and address masquerading on Linux
![](https://oscdn.geek-share.com/Uploads/Images/Content/201908/31/29652d2faa900f15abc03c41e56e5a2d.jpg)
![](https://oscdn.geek-share.com/Uploads/Images/Content/201908/31/8d8ea24af4691e62d2d4a279c9c53231.jpg)
4. Internet access test from XP
![](https://oscdn.geek-share.com/Uploads/Images/Content/201908/31/fae4e538bd72e3c557edde3b1f239730.jpg)
5. Block the hosts of a given network from using QQ
```
# iptables -I FORWARD -m layer7 --l7proto qq -j REJECT
```
![](https://oscdn.geek-share.com/Uploads/Images/Content/201908/31/374b92d72c49bfeded963ab8941687f8.jpg)
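How the layer7 match arrives at the verdict applied by the rule above, shown as an added Python model (this is not the post's own code and not the l7-filter source): it loads two constructed .pat files in the l7-protocols layout assumed here (comment lines starting with `#`, then a line with the protocol name, then a line with the regular expression, which is what the `make install` in section 4 ships), feeds a connection's application payload packet by packet, and evaluates the FORWARD rule `-m layer7 --l7proto qq -j REJECT` against the classification. The inspection window (first 10 packets or first 2 KB of application data) and case-insensitive matching are stated as assumptions about l7-filter's behaviour, and both patterns are simplified and constructed for illustration rather than the project's real signatures.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed .pat files following the l7-protocols layout (assumption):
# lines beginning with '#' are comments, the first non-comment line is the
# protocol name, the second non-comment line is the regular expression.
# Both patterns are simplified illustrations, not the project's real signatures.
PAT_FILES: Dict[str, str] = {
    "http.pat": r"""
# HTTP - constructed, simplified pattern for this example
http
http/(0\.9|1\.0|1\.1)[\x09-\x0d ][1-5][0-9][0-9]|(get|post|head) [\x09-\x0d -~]* http/[01]\.[019]
""",
    "qq.pat": r"""
# QQ - constructed placeholder pattern (a 0x02 ... 0x03 framed record)
qq
^\x02.+\x03$
""",
}

# l7-filter inspection window (assumed values): a connection is examined until
# this many packets or this many bytes of application data have been seen.
MAX_PACKETS = 10
MAX_BYTES = 2048


def parse_pat(text: str) -> Tuple[str, re.Pattern]:
    """Return (protocol name, compiled regex) from the body of a .pat file."""
    lines = [ln.strip() for ln in text.splitlines()]
    lines = [ln for ln in lines if ln and not ln.startswith("#")]
    if len(lines) < 2:
        raise ValueError("a .pat file needs a name line followed by a regex line")
    name, regex = lines[0], lines[1]
    # Case-insensitive matching is assumed to mirror l7-filter; DOTALL lets '.'
    # cross newlines because the payload is arbitrary binary data.
    return name, re.compile(regex, re.IGNORECASE | re.DOTALL)


def load_protocols(files: Dict[str, str] = PAT_FILES) -> List[Tuple[str, re.Pattern]]:
    """Parse every .pat body, in file order (the order the patterns are tried)."""
    return [parse_pat(body) for body in files.values()]


class Connection:
    """Per-connection state, playing the role of the conntrack entry that the
    layer7 match annotates with its classification."""

    def __init__(self) -> None:
        self.app_data = b""
        self.packets = 0
        self.proto: Optional[str] = None  # None = still undecided


def classify(conn: Connection, payload: bytes,
             protocols: List[Tuple[str, re.Pattern]]) -> Optional[str]:
    """Feed one packet's application payload and return the protocol name,
    'unknown' once the inspection window is exhausted, or None if undecided."""
    if conn.proto is not None:
        return conn.proto  # the decision is sticky for the rest of the connection
    conn.packets += 1
    conn.app_data = (conn.app_data + payload)[:MAX_BYTES]
    # latin-1 maps every byte to exactly one character, so byte ranges such as
    # [\x09-\x0d] in the patterns keep their meaning.
    text = conn.app_data.decode("latin-1")
    for name, regex in protocols:
        if regex.search(text):
            conn.proto = name
            return name
    if conn.packets >= MAX_PACKETS or len(conn.app_data) >= MAX_BYTES:
        conn.proto = "unknown"  # layer7 stops looking; no --l7proto rule will ever match
    return conn.proto


# The FORWARD chain from the test above:
#   iptables -I FORWARD -m layer7 --l7proto qq -j REJECT
FORWARD_RULES: List[Tuple[str, str]] = [("qq", "REJECT")]


def forward_verdict(conn: Connection, payload: bytes,
                    protocols: List[Tuple[str, re.Pattern]],
                    rules: List[Tuple[str, str]] = FORWARD_RULES) -> str:
    """Verdict for one forwarded packet: the first matching rule wins, otherwise
    the chain's ACCEPT policy (assumed) applies."""
    proto = classify(conn, payload, protocols)
    for l7proto, action in rules:
        if proto == l7proto:
            return action
    return "ACCEPT"


if __name__ == "__main__":
    protos = load_protocols()
    web = Connection()  # constructed plaintext HTTP request
    print(forward_verdict(web, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n", protos), web.proto)
    chat = Connection()  # constructed record in the placeholder QQ framing
    print(forward_verdict(chat, b"\x02\x00\x11hello\x03", protos), chat.proto)
    opaque = Connection()  # constructed opaque (encrypted-looking) records
    for _ in range(MAX_PACKETS):
        verdict = forward_verdict(opaque, b"\x16\x03\x01\x00\x05\xab\xcd\xef\x10\x20", protos)
    print(verdict, opaque.proto)
```

Two properties of the model are worth noting for anyone relying on such a rule: packets sent before a signature fires are forwarded, because the classification only becomes sticky once a pattern matches, and a connection that exhausts the inspection window without a match is marked unknown, so sessions whose first bytes carry no recognisable plaintext signature (encrypted or obfuscated traffic) are never caught by a `--l7proto` rule. That is why a signature-based layer 7 block should be paired with connection-level logging or accounting rather than treated as complete on its own.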
6. Check the result
![](https://oscdn.geek-share.com/Uploads/Images/Content/201908/31/7142a2e63e552f0a31d7c6130f2a2333.jpg)
Note: to find out which further applications l7-protocols can restrict, see the official site.
This article comes from the “和风细雨” blog; please keep this attribution: http://essun.blog.51cto.com/721033/1389297