Reference: yjchen's blog, l7-filter on CentOS-5.2 http://sacs.twgg.org/en/node/70
Procedure
1. Build l7 into the kernel's netfilter
2. Build l7 into iptables
3. Install the l7 protocol pattern library
Environment
CentOS release 5.4 (Final)
Kernel 2.6.18-164.el5 smp i386
iptables v1.3.5
Packages
linux-2.6.28.10.tar.bz2 http://ftp.isu.edu.tw/pub/Linux/kernel/v2.6/linux-2.6.28.10.tar.bz2
netfilter-layer7-v2.22.tar.gz http://sourceforge.net/projects/l7-filter/files/
l7-protocols-2009-05-28.tar.gz http://sourceforge.net/projects/l7-filter/files/
iptables-1.4.6.tar.bz2 http://www.netfilter.org/projects/iptables/files/iptables-1.4.6.tar.bz2
Compiling the kernel
tar xjf linux-2.6.28.10.tar.bz2
tar xzf netfilter-layer7-v2.22.tar.gz
cd linux-2.6.28.10/
Patch the kernel
patch -p1 < ../netfilter-layer7-v2.22/kernel-2.6.25-2.6.28-layer7-2.22.patch
Configuring the kernel
Copy the config file of the currently running kernel
cp /boot/config-2.6.18-164.el5 .config
make menuconfig
Networking support
-> Networking options
[*] Network packet filtering framework (Netfilter)
Networking support
-> Networking options
-> Network packet filtering framework (Netfilter)
-> Core Netfilter Configuration
<*> Netfilter connection tracking support
[*] Connection tracking flow accounting
[*] Connection mark tracking support
[*] Connection tracking security mark support
[*] Connection tracking events
<M> DCCP protocol connection tracking support (EXPERIMENTAL)
<M> SCTP protocol connection tracking support (EXPERIMENTAL)
<M> UDP-Lite protocol connection tracking support
<M> Amanda backup protocol support
<M> FTP protocol support
<M> H.323 protocol support
<M> IRC protocol support
<M> NetBIOS name service protocol support
<M> PPtP protocol support
<M> SANE protocol support (EXPERIMENTAL)
<M> SIP protocol support
<M> TFTP protocol support
<M> Connection tracking netlink interface
<M> Transparent proxying support (EXPERIMENTAL)
:
:
{*} Netfilter Xtables support (required for ip_tables)
:
:
<M> "layer7" match support
[ ] Layer 7 debugging output
Do not select this unless you need it; otherwise messages keep appearing on the console and in /var/log/messages
:
:
<M> "u32" match support
It is best to select all of the items
Networking support
-> Networking options
-> Network packet filtering framework (Netfilter)
-> IP: Netfilter Configuration
[*] proc/sysctl compatibility with old connection tracking
Networking support
-> Networking options
-> Network packet filtering framework (Netfilter)
-> IP: Netfilter Configuration
<M> IP tables support (required for filtering/masq/NAT)
:
:
:
<M> Full NAT
<M> MASQUERADE target support
<M> NETMAP target support
<M> REDIRECT target support
<M> Basic SNMP-ALG support
:
:
:
<M> Security table
It is best to select all of the items
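Before running make, it is worth confirming that the saved .config really carries the options chosen in menuconfig. The script below is an added example, not part of the original post: it reads a kernel .config and reports any required netfilter/layer7 symbol that is neither built in nor a module, and flags the layer7 debug switch if it was left on. The symbol names are the ones defined by the netfilter Kconfig and by the layer7 patch's Kconfig; the sample .config it writes for its own demo is constructed and not a real kernel config.

```shell
#!/bin/sh
# Added example, not from the original post: check a kernel .config for the
# netfilter/layer7 options selected above before running "make".
# Symbol names come from the netfilter Kconfig and the layer7 patch's Kconfig;
# the file layout ("SYMBOL=y", "SYMBOL=m", "# SYMBOL is not set") is the
# standard kernel .config format.

# Must be built in (=y) or a module (=m).
L7_REQUIRED="CONFIG_NETFILTER CONFIG_NF_CONNTRACK CONFIG_NETFILTER_XTABLES \
CONFIG_NETFILTER_XT_MATCH_LAYER7 CONFIG_NETFILTER_XT_MATCH_U32 CONFIG_IP_NF_IPTABLES"
# Must stay off: the debug switch floods the console and /var/log/messages.
L7_FORBIDDEN="CONFIG_NETFILTER_XT_MATCH_LAYER7_DEBUG"

# config_value FILE SYMBOL -> prints y, m, n ("is not set") or nothing if absent
config_value() {
    if grep -q "^$2=y\$" "$1"; then echo y
    elif grep -q "^$2=m\$" "$1"; then echo m
    elif grep -q "^# $2 is not set\$" "$1"; then echo n
    fi
}

# check_l7_config FILE -> exit 0 when every required symbol is y/m and every
# forbidden symbol is off; lists each problem on stdout otherwise
check_l7_config() {
    cfg="$1"; rc=0
    for sym in $L7_REQUIRED; do
        v=$(config_value "$cfg" "$sym")
        case "$v" in
            y|m) ;;
            *) echo "MISSING: $sym (found: ${v:-absent})"; rc=1 ;;
        esac
    done
    for sym in $L7_FORBIDDEN; do
        case "$(config_value "$cfg" "$sym")" in
            y|m) echo "ENABLED: $sym should not be set"; rc=1 ;;
        esac
    done
    return $rc
}

# write_sample_config FILE: a constructed minimal .config that passes the check
write_sample_config() {
    cat > "$1" <<'EOF'
CONFIG_NETFILTER=y
CONFIG_NF_CONNTRACK=m
CONFIG_NETFILTER_XTABLES=m
CONFIG_NETFILTER_XT_MATCH_LAYER7=m
# CONFIG_NETFILTER_XT_MATCH_LAYER7_DEBUG is not set
CONFIG_NETFILTER_XT_MATCH_U32=m
CONFIG_IP_NF_IPTABLES=m
EOF
}

# Stand-alone demo on the constructed sample; on the build host run
# "check_l7_config .config && make" from the kernel source directory instead.
sample=$(mktemp)
write_sample_config "$sample"
check_l7_config "$sample" && echo "sample .config: OK"
rm -f "$sample"
```

Run it from the kernel source tree as `check_l7_config .config && make`; a non-zero exit lists each missing or wrongly set symbol so it can be fixed in menuconfig before the long build starts.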
Compile and install
make
make modules_install
make install
Edit the boot menu
vi /boot/grub/grub.conf
default=0
timeout=5
splashimage=(hd0,0)/boot/grub/splash.xpm.gz
hiddenmenu
title CentOS (2.6.28.10 include l7-filter)
root (hd0,0)
kernel /boot/vmlinuz-2.6.28.10 ro root=LABEL=/ rhgb quiet
initrd /boot/initrd-2.6.28.10.img
Reboot
init 6
After the reboot, this message appears:
insmod: error inserting '/lib/dm-region-hash.ko' : -1 File exists
The cause is that the dm-region-hash.ko module is loaded twice during boot. It is harmless, but if the message bothers you, it can be fixed as follows:
Unpack initrd-2.6.28.10.img
# cd /tmp
# mkdir initrd
# cd initrd
# cp /boot/initrd-2.6.28.10.img /tmp
# zcat ../initrd-2.6.28.10.img | cpio -i
Edit init: find the four script lines that load dm-region-hash.ko twice, and delete one of the two pairs, leaving only one pair (two lines):
echo "Loading dm-region-hash.ko module"
insmod /lib/dm-region-hash.ko
echo "Loading dm-region-hash.ko module"
insmod /lib/dm-region-hash.ko
Repack initrd-2.6.28.10.img
# find . | cpio -c -o > ../initrd-2.6.28.10
# cd ..
# gzip -9 < initrd-2.6.28.10 > initrd-2.6.28.10.img
# mv /boot/initrd-2.6.28.10.img /boot/initrd-2.6.28.10.img.bak
# mv initrd-2.6.28.10.img /boot
# chmod 600 /boot/initrd-2.6.28.10.img
Reboot once more and check whether the message is gone
# init 6
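The unpack, edit and repack steps above can be done by a script rather than by hand. The following is an added example and not code from the original post: it removes every repeated echo/insmod pair for a given module from the initrd's init script, counts how many loads remain, and wraps the cpio/gzip steps into one function that writes the repacked image next to the original. It assumes the CentOS 5 initrd format used on this page (a gzip-compressed cpio archive with a top-level init script); the init fragment in the demo is constructed, not taken from a real initrd.

```shell
#!/bin/sh
# Added example, not from the original post: automate the initrd fix above.
# Assumes the CentOS 5 initrd layout used on this page (a gzip-compressed cpio
# archive whose top-level "init" script loads modules with
#   echo "Loading X module"
#   insmod /lib/X
# lines); the module name is the one from the boot message.

# dedupe_module_load INIT MODULE: keep the first echo/insmod pair for MODULE
# in INIT and drop every later repeat; all other lines pass through unchanged.
dedupe_module_load() {
    init="$1"; mod="$2"; tmp="$init.tmp"
    awk -v mod="$mod" '
        $0 == "echo \"Loading " mod " module\"" {
            if (seen) { skip = 1; next }   # a repeat: drop its echo ...
            seen = 1
        }
        skip && $0 == "insmod /lib/" mod { skip = 0; next }   # ... and its insmod
        { print }
    ' "$init" > "$tmp" && mv "$tmp" "$init"
}

# count_module_loads INIT MODULE -> how many times INIT insmods MODULE
count_module_loads() {
    grep -c "^insmod /lib/$2\$" "$1" || true
}

# rebuild_initrd IMG WORKDIR MODULE: unpack IMG (give an absolute path) into
# WORKDIR, fix init, and write the repacked image next to the original as
# IMG.new. The original is left untouched; move IMG.new into /boot and
# chmod 600 it yourself, as in the manual steps above.
rebuild_initrd() {
    img="$1"; work="$2"; mod="$3"
    mkdir -p "$work" || return 1
    ( cd "$work" &&
      zcat "$img" | cpio -i --quiet &&
      dedupe_module_load init "$mod" &&
      find . | cpio -c -o --quiet | gzip -9 > "$img.new" )
}

# Stand-alone demo on a constructed init fragment (not a real initrd).
demo=$(mktemp)
cat > "$demo" <<'EOF'
echo "Loading dm-mod.ko module"
insmod /lib/dm-mod.ko
echo "Loading dm-region-hash.ko module"
insmod /lib/dm-region-hash.ko
echo "Loading dm-region-hash.ko module"
insmod /lib/dm-region-hash.ko
echo "Loading dm-mirror.ko module"
insmod /lib/dm-mirror.ko
EOF
dedupe_module_load "$demo" dm-region-hash.ko
echo "dm-region-hash.ko is now loaded $(count_module_loads "$demo" dm-region-hash.ko) time(s)"
rm -f "$demo"
```

On the real host the call is `rebuild_initrd /boot/initrd-2.6.28.10.img /tmp/initrd dm-region-hash.ko`, after which `/boot/initrd-2.6.28.10.img.new` can be inspected and then moved into place exactly as the manual mv/chmod steps do. Keeping the original image untouched until the new one is verified means a failed repack cannot leave the system unbootable.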
Compiling iptables
tar xjf iptables-1.4.6.tar.bz2
cp netfilter-layer7-v2.22/iptables-1.4.3forward-for-kernel-2.6.20forward/* iptables-1.4.6/extensions/
cd iptables-1.4.6/
./configure --with-ksource=/usr/src/kernels/linux-2.6.28.10
make
make install
cd ../
rm -rf iptables-1.4.6/
/usr/local/sbin/iptables -V
Confirm that the build and installation completed.
Replace the iptables links; otherwise starting iptables as a service (daemon) fails, because the path settings in the /etc/rc.d/init.d/iptables script make it use the original iptables version:
mv /sbin/iptables /sbin/iptables.orig
ln -s /usr/local/sbin/iptables /sbin/iptables
mv /sbin/iptables-restore /sbin/iptables-restore.orig
ln -s /usr/local/sbin/iptables-restore /sbin/iptables-restore
mv /sbin/iptables-save /sbin/iptables-save.orig
ln -s /usr/local/sbin/iptables-save /sbin/iptables-save
mv /sbin/ip6tables /sbin/ip6tables.orig
ln -s /usr/local/sbin/ip6tables /sbin/ip6tables
mv /sbin/ip6tables-restore /sbin/ip6tables-restore.orig
ln -s /usr/local/sbin/ip6tables-restore /sbin/ip6tables-restore
mv /sbin/ip6tables-save /sbin/ip6tables-save.orig
ln -s /usr/local/sbin/ip6tables-save /sbin/ip6tables-save
iptables -V
Confirm that the change took effect.
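Six mv/ln pairs typed by hand are easy to get wrong (linking /sbin/ip6tables to the IPv4 binary, for instance), and the mistake only shows up later when the init script runs the wrong tool. The script below is an added example, not part of the original post: it performs the swap for all six tools, skips any that are already symlinks so it can be re-run, and then verifies that each link in /sbin points at the tool of the same name in /usr/local/sbin. The directories are parameters so the functions can be tried on a scratch directory first; the install prefix /usr/local/sbin is the one used on this page.

```shell
#!/bin/sh
# Added example, not from the original post: replace the distribution's
# iptables tools with links to the freshly built ones, and verify the result.
# Assumes the build installed into /usr/local/sbin as above; the SBIN and
# NEWBIN directories are parameters so the functions can be exercised on a
# scratch directory before touching /sbin.

IPT_TOOLS="iptables iptables-restore iptables-save ip6tables ip6tables-restore ip6tables-save"

# swap_iptables_tools SBIN NEWBIN: for each tool, move the distro binary in
# SBIN aside as TOOL.orig and link TOOL to its namesake in NEWBIN. A tool that
# is already a symlink is left alone, so the function can be re-run safely.
swap_iptables_tools() {
    sbin="$1"; newbin="$2"
    for t in $IPT_TOOLS; do
        if [ ! -x "$newbin/$t" ]; then
            echo "$newbin/$t not found: was 'make install' run?" >&2
            return 1
        fi
        [ -L "$sbin/$t" ] && continue
        if [ -e "$sbin/$t" ]; then
            mv "$sbin/$t" "$sbin/$t.orig" || return 1
        fi
        ln -s "$newbin/$t" "$sbin/$t" || return 1
    done
}

# check_iptables_links SBIN NEWBIN -> 0 only if every tool in SBIN is a symlink
# to the tool of the same name in NEWBIN (catches an ip6tables -> iptables mixup)
check_iptables_links() {
    sbin="$1"; newbin="$2"; rc=0
    for t in $IPT_TOOLS; do
        if [ "$(readlink "$sbin/$t")" != "$newbin/$t" ]; then
            echo "bad link: $sbin/$t -> $(readlink "$sbin/$t" || echo '(not a link)')"
            rc=1
        fi
    done
    return $rc
}

# On the real host (as root):
#   swap_iptables_tools /sbin /usr/local/sbin &&
#   check_iptables_links /sbin /usr/local/sbin && iptables -V
```

If `check_iptables_links` reports a bad link, the distro binary is still present as `TOOL.orig`, so the state can be restored by moving it back; nothing is deleted by the swap.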
Installing the protocol pattern library
tar xzf l7-protocols-2009-05-28.tar.gz
cd l7-protocols-2009-05-28/
make install
cd ../
rm -rf l7-protocols-2009-05-28/
Test
iptables -t mangle -A PREROUTING -m layer7 --l7proto http -j DROP