uname -r shows the running kernel version.
[root@localhost ~]# ls
anaconda-ks.cfg install.log.syslog l7-protocols-2009-05-28.tar.gz netfilter-layer7-v2.22.tar.gz
install.log iptables-1.4.6.tar.bz2 linux-2.6.28.10.tar.bz2
[root@localhost ~]# tar xf linux-2.6.28.10.tar.bz2 -C /usr/src
[root@localhost ~]# tar xf netfilter-layer7-v2.22.tar.gz -C /usr/src
[root@localhost ~]# cd /usr/src/
[root@localhost src]# ls
debug kernels linux-2.6.28.10 netfilter-layer7-v2.22
[root@localhost src]#
[root@localhost src]# ln -sv linux-2.6.28.10 linux
`linux' -> `linux-2.6.28.10'
[root@localhost src]# cd linux
Apply the layer7 patch to the kernel source:
[root@localhost linux]# patch -p1 < ../netfilter-layer7-v2.22/kernel-2.6.25-2.6.28-layer7-2.22.patch
patching file net/netfilter/Kconfig
patching file net/netfilter/Makefile
patching file net/netfilter/xt_layer7.c
patching file net/netfilter/regexp/regexp.c
patching file net/netfilter/regexp/regexp.h
patching file net/netfilter/regexp/regmagic.h
patching file net/netfilter/regexp/regsub.c
patching file net/netfilter/nf_conntrack_core.c
patching file net/netfilter/nf_conntrack_standalone.c
patching file include/net/netfilter/nf_conntrack.h
patching file include/linux/netfilter/xt_layer7.h
[root@localhost linux]#
[root@localhost linux]# yum -y groupinstall "Development Tools"
[root@localhost linux]# cp /boot/config-2.6.32-431.el6.x86_64 .config
[root@localhost linux]# yum install ncurses ncurses-devel ncurses-libs
[root@localhost linux]# make menuconfig
Local version - append to kernel release: enter -l7 (marks this kernel as the layer7-enabled build)
Processor type and features --->
    Processor family (Generic-x86-64) --->                         change to the model closest to your own processor
-*- Networking support --->
    Networking options --->
        [*] Network packet filtering framework (Netfilter) --->
            Core Netfilter Configuration --->
                <M> Netfilter connection tracking support                       enable
                <M> "layer7" match support                                      enable
                <M> "time" match support                                        enable
                <M> "iprange" address range match support                       enable
                <M> FTP protocol support                                        enable
                <M> Connection tracking netlink interface                       enable
            IP: Netfilter Configuration --->
                <M> IPv4 connection tracking support (required for NAT)         enable
                <M> Full NAT                                                    enable
    [ ] Wireless --->                                                           disable
    < > Bluetooth subsystem support --->                                        disable
Device Drivers --->
    < > Sound card support --->                                                 disable (sound card)
    < > InfiniBand support --->                                                 disable
    [*] Network device support --->
        [ ] Ethernet (1000 Mbit) --->                                           disable (1000 Mbit NICs)
        [ ] Ethernet (10000 Mbit) --->                                          disable (10 Gbit NICs)
        [ ] Token Ring driver support --->                                      disable (token ring)
        [ ] PCMCIA network device support --->                                  disable
        [ ] Wan interfaces support --->                                         disable
        [ ] ATM drivers --->                                                    disable
        [ ] FDDI driver support                                                 disable
[ ] Virtualization --->                                                         disable
File systems --->
    < > GFS2 file system support                                                disable
    DOS/FAT/NT Filesystems --->
        <M> NTFS file system support                                            NTFS can be enabled
Save and exit.
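Before starting the long build it is worth confirming that the choices made in menuconfig actually landed in .config. The check below is an added example, not part of the original notes; the symbols are the Kconfig names behind the menu entries above (NETFILTER_XT_MATCH_LAYER7 is the one introduced by the layer7 patch).

```shell
#!/bin/sh
# Added example, not from the original notes: verify that the options chosen in
# menuconfig actually landed in .config before starting the long build.
# Symbols are the Kconfig names behind the menu entries above;
# NETFILTER_XT_MATCH_LAYER7 is the one added by the layer7 patch.
REQUIRED="NF_CONNTRACK NETFILTER_XT_MATCH_LAYER7 NETFILTER_XT_MATCH_TIME
NETFILTER_XT_MATCH_IPRANGE NF_CONNTRACK_FTP NF_CT_NETLINK NF_CONNTRACK_IPV4 NF_NAT"

# Print the value of CONFIG_$1 from config file $2 (y, m or a quoted string);
# prints nothing when the symbol is unset or commented out.
config_value() {
    sed -n "s/^CONFIG_$1=//p" "$2"
}

# Return 0 when every required symbol is =m or =y and LOCALVERSION is "-l7";
# otherwise report each problem on stdout and return 1.
check_config() {
    cfg=$1
    ok=0
    for sym in $REQUIRED; do
        val=$(config_value "$sym" "$cfg")
        case "$val" in
            m|y) ;;
            *) echo "missing: CONFIG_$sym (got '${val:-unset}')"; ok=1 ;;
        esac
    done
    if [ "$(config_value LOCALVERSION "$cfg")" != '"-l7"' ]; then
        echo 'CONFIG_LOCALVERSION is not "-l7"'
        ok=1
    fi
    return $ok
}

# Usage: sh check_config.sh /usr/src/linux/.config
if [ -n "$1" ]; then
    check_config "$1"
fi
```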
yum -y install screen
[root@localhost linux]# screen          start screen so that a dropped connection during the build does not kill the compile
[root@localhost linux]# make
Ctrl+a d                                detach from the session
[root@localhost linux]# screen -ls      list sessions
[root@localhost linux]# screen -r 26296 reattach to the session
[root@localhost linux]# make modules_install
[root@localhost linux]# make install
[root@localhost ~]# vim /etc/grub.conf  after a successful install a new entry for the kernel is generated in this file
default=0                               sets which kernel boots by default
Reboot the host and select the new kernel.
uname -r confirms whether the running kernel has switched.
Build the new iptables
[root@localhost ~]# cp /etc/init.d/iptables ~/                  back up the init script first
[root@localhost ~]# cp /etc/sysconfig/iptables-config ~/
[root@localhost ~]# cp /etc/sysconfig/iptables ~/iptables.bak   back up the existing rules
[root@localhost ~]# service iptables stop                       stop the service before uninstalling
[root@localhost ~]# chkconfig iptables off
[root@localhost ~]# rpm -e iptables-ipv6 iptables iptstate --nodeps
[root@localhost ~]# tar xf iptables-1.4.6.tar.bz2 -C /usr/src
[root@localhost src]# cd /usr/src/iptables-1.4.6/
[root@localhost iptables-1.4.6]# cp ../netfilter-layer7-v2.22/iptables-1.4.3forward-for-kernel-2.6.20forward/libxt_layer7.* ./extensions/
[root@localhost iptables-1.4.6]# ./configure --prefix=/usr --with-ksource=/usr/src/linux
make
make install
[root@localhost iptables-1.4.6]# which iptables
/usr/sbin/iptables
[root@localhost ~]# vim iptables
In the backed-up init script, change the iptables path to /usr/sbin.
[root@localhost ~]# cp iptables /etc/init.d/iptables
[root@localhost ~]# cp iptables-config /etc/sysconfig/
[root@localhost ~]# cp iptables.bak /etc/sysconfig/iptables
[root@localhost ~]# tar xf l7-protocols-2009-05-28.tar.gz -C /usr/src   protocol pattern (signature) files
[root@localhost ~]# cd /usr/src/l7-protocols-2009-05-28
[root@localhost l7-protocols-2009-05-28]# make install                  installs the patterns under /etc/l7-protocols
lsmod lists the modules currently loaded by the system.
[root@localhost ~]# vim /etc/sysctl.conf   enable forwarding for NAT (net.ipv4.ip_forward = 1)
[root@localhost ~]# sysctl -p
Block users from using QQ:
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j SNAT --to-source 172.16.10.6
iptables -A FORWARD -s 192.168.0.0/24 -m layer7 --l7proto qq -j DROP
iptables -L -n -t nat
-m time
--datestart --datestop
--timestart --timestop
Block users from going online during a given time window:
iptables -A FORWARD -s 192.168.0.0/24 -m time --timestart 08:00:00 --timestop 12:00:00 -j DROP
service iptables save
iptables-save >/etc/sysconfig/iptables.tus   save the rules
iptables-restore </etc/sysconfig/iptables.tus   reload them
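The SNAT, layer7 and time rules above, wrapped in a small script as an added example (not from the original notes). It adds a preflight check that the requested layer7 pattern file was actually installed by the l7-protocols `make install`, and validates the HH:MM:SS window so a mistyped option cannot silently produce an empty window; IPT and L7_DIR are assumed overridable so the rule-building logic can be exercised without root.

```shell
#!/bin/sh
# Added example, not from the original notes: apply the SNAT, layer7 and time
# rules above with a preflight check that the requested layer7 pattern was
# installed by `make install` of l7-protocols. IPT and L7_DIR can be
# overridden so the rule-building logic can be exercised without root.
IPT=${IPT:-/usr/sbin/iptables}
L7_DIR=${L7_DIR:-/etc/l7-protocols}
LAN=${LAN:-192.168.0.0/24}
WAN_IP=${WAN_IP:-172.16.10.6}

# -m layer7 --l7proto NAME needs NAME.pat somewhere under L7_DIR.
l7_pattern_exists() {
    [ -n "$(find "$L7_DIR" -name "$1.pat" 2>/dev/null)" ]
}

# Accept only HH:MM:SS in 00:00:00..23:59:59, the form used in the rule above.
valid_hms() {
    case "$1" in
        [0-2][0-9]:[0-5][0-9]:[0-5][0-9]) [ "${1%%:*}" -le 23 ] ;;
        *) return 1 ;;
    esac
}

# Print the FORWARD rule dropping LAN traffic for layer7 protocol $1.
l7_drop_rule() {
    l7_pattern_exists "$1" || { echo "no pattern $1.pat under $L7_DIR" >&2; return 1; }
    printf '%s\n' "-A FORWARD -s $LAN -m layer7 --l7proto $1 -j DROP"
}

# Print the FORWARD rule dropping LAN traffic between $1 and $2 (timestart/timestop).
time_drop_rule() {
    valid_hms "$1" && valid_hms "$2" || { echo "bad time window $1-$2" >&2; return 1; }
    printf '%s\n' "-A FORWARD -s $LAN -m time --timestart $1 --timestop $2 -j DROP"
}

# SNAT the LAN, then block QQ and the 08:00-12:00 window, stopping at the first failure.
apply_rules() {
    "$IPT" -t nat -A POSTROUTING -s "$LAN" -j SNAT --to-source "$WAN_IP" || return 1
    rule=$(l7_drop_rule qq) || return 1
    "$IPT" $rule || return 1
    rule=$(time_drop_rule 08:00:00 12:00:00) || return 1
    "$IPT" $rule
}
```

Note that xt_time compares against UTC by default, so the window has to be expressed in UTC rather than the host's local time.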
#!/bin/bash
#
# Firewall script skeleton; the remaining rules are elided in the notes.
ipt=/usr/sbin/iptables       # the newly built iptables (see `which iptables` above)
einterface=eth0              # external interface
iinterface=eth1              # internal interface
eip=10.10.10.2               # external address
iip=192.168.10.6             # internal address
$ipt -t nat -F               # flush all three tables before rebuilding the rules
$ipt -t filter -F
$ipt -t mangle -F
$ipt -X clean_up 2>/dev/null # remove the chain left by a previous run so -N succeeds
$ipt -N clean_up             # user-defined chain for early cleanup
$ipt -A clean_up -d 255.255.255.255 -p icmp -j DROP   # drop ICMP sent to the broadcast address
$ipt -A clean_up -j RETURN   # continue in the calling chain
$ipt -A
.....
[root@localhost ~]# vim /etc/rc.d/rc3.d/S99local   the iptables rules can be written as a script and run automatically at boot by calling it here (keep the script in a root-owned directory rather than the world-writable /tmp)
#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.
touch /var/lock/subsys/local
/tmp/iptables
System boot sequence
POST --> MBR (bootloader) --> Kernel (initrd) --> init (/etc/inittab)
1. Set the default runlevel
2. Run the system initialization script
3. Start the services of the selected runlevel
   /etc/rc.d/rc 0            the rc script is called with the runlevel number
   /etc/rc.d/rcN.d/
       S*                    start scripts
       K*                    kill scripts
   /etc/rc.d/rc.local
   /etc/rc.local
   /etc/rc.d/rc3.d/S99local
IDS: intrusion detection system
NIDS: snort + iptables = NIPS, a network intrusion prevention system
HIDS: host-based intrusion detection system