centos 6 上安装l7 filter尝试过滤xunlei

标签：

平台：Centos 6 x86_64，默认内核版本2.6.34

1,准备

yum update -y

yum install -y ncurses-devel gcc make bc wget patch grub

2，下载相关安装包

wget http://download.clearfoundation.com/l7-filter/netfilter-layer7-v2.23.tar.gz

wget http://download.clearfoundation.com/l7-filter/l7-protocols-2009-05-28.tar.gz

wget http://www.netfilter.org/projects/iptables/files/iptables-1.4.21.tar.bz2

wget https://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.35.8.tar.gz

3，编译新内核

tar xvf linux-2.6.35.8.tar.gz -C /usr/src

tar xvf netfilter-layer7-v2.23.tar.gz

cd /usr/src

ln -s linux-2.6.35.8 linux

cd linux

patch -p1 < /root/netfilter-layer7-v2.23/kernel-2.6.35-layer7-2.23.patch

zcat /proc/config.gz > .config

make oldconfig   #自选提示的新功能和驱动

make menuconfig    #需要增加的编译模块

Networking support → Networking Options → Network packet filtering framework → Core Netfilter Configuration

<M>  Netfilter connection tracking support

<M>  "connlimit"  match support

<M>  "conntrack"  connection  match support

<M>  "iprange"  match support

<M>  "mac"  address  match support

<M>  "multiport" Multiple port match support

<M>  "state"  match support

<M>  "layer7" match support

<M>  "string" match support

<M>  "time"  match support

Networking support → Networking Options →Network packet filtering framework → IP Netfilter Configuration

<M> IPv4 connection tracking support (required for NAT)

<M> Full NAT

<M> MASQUERADE target support

<M> NETMAP target support                            

<M> REDIRECT target support

sed -i ‘s/# CONFIG_SYSFS_DEPRECATED_V2 is not set/CONFIG_SYSFS_DEPRECATED_V2=y/‘ .config

make CONFIG_DEBUG_SECTION_MISMATCH=y 

make -j3 bzImage

make -j3 modules

make

make modules_install

make install    #出现‘Cannot find LILO.’不用管它，系统没装也不会用LILO，而且已生成/boot/vmlinuz文件

mv /boot/vmlinuz /boot/vmlinuz-2.6.35 

mkinitrd -o initrd-2.6.35.img

cd /boot

mv initramfs-2.6.34-x86_64-linode14.img initrd-2.6.35.img (实际上还是用原系统镜像启动滴)

vi /boot/grub/menu.lst

default 0

timeout 5

title           Custom Compiled, kernel 2.6.35

root            (hd0)

kernel          /boot/vmlinuz-2.6.35 root=/dev/xvda ro quite

initrd          /boot/initrd-2.6.35.img

linode manager里对profile修改kernel为pv-grub-x86_64

重启后验证

uname -a

4，安装iptables

cp /etc/init.d/iptables /tmp/

cp /etc/sysconfig/iptables-config /tmp/

rpm -e iptables-ipv6 iptables --nodeps

tar xvf iptables-1.4.21.tar.bz2

cp /root/netfilter-layer7-v2.23/iptables-1.4.3forward-for-kernel-2.6.20forward/libxt_layer7.* /root/iptables-1.4.21/extensions/

cd iptables-1.4.21

./configure --prefix=/usr --with-ksource=/usr/src/linux   #提示Iptables modules that will not be built:  connlabel不知道是否有关系，先忽略

make 

make install

mv /tmp/iptables-config /etc/sysconfig/ 

mv /tmp/iptables /etc/rc.d/init.d/

vi /etc/init.d/iptables

修改路径如下

if [ ! -x /usr/sbin/$IPTABLES ]; then

    echo -n $"${IPTABLES}:/usr/sbin/$IPTABLES does not exist."; warning; echo

    exit 5

fi

在   for i in $tables; do

        echo -n "$i "

        case "$i" in

加入以下内容------------------

            security)

                $IPTABLES -t filter -P INPUT $policy \

                    && $IPTABLES -t filter -P OUTPUT $policy \

                    && $IPTABLES -t filter -P FORWARD $policy \

                    || let ret+=1

                ;;

分界限  ------------------

            raw)

service iptables restart

iptables -V  #查看版本是否正确

5，安装协议特征包：

tar xvf l7-protocols-2009-05-28.tar.gz 

cd l7-protocols-2009-05-28

make install 

可查看支持的部分协议：

ls protocols/

6，设置iptables规则

iptables -t mangle -I POSTROUTING -m layer7 --l7proto xunlei -j DROP

iptables -t mangle -I PREROUTING -m layer7 --l7proto edonkey -j DROP

iptables -t mangle -I PREROUTING -m layer7 --l7proto bittorrent -j DROP

7，经过测试也不行。找到一个网友的话说：禁止是没有用的，而人类是灵动的，总有人会绕过或者突破禁忌！

看来只有限速了。。

centos 6 上安装l7 filter尝试过滤xunlei

标签：

原文地址：http://my.oschina.net/u/2404183/blog/530100