iptables实现7层过滤
软件包
l7-protocols-2009-05-28.tar.gz
linux-2.6.28.10.tar.gz
netfilter-layer7-v2.22.tar.gz
iptables-1.4.6.tar.bz2
解压内核源码和netfilter-L7源码
[root@station1 ~]# tar xf linux-2.6.28.10.tar.gz -C /usr/src/
[root@station1 ~]# tar xf netfilter-layer7-v2.22.tar.gz -C /usr/src/
[root@station1 ~]#
编译内核
[root@station1 linux]# cp /boot/config-2.6.18-308.el5 .config
[root@station1 linux]# make menuconfig
选择顺序
Networking support ---> Networking options ---> Network packet filtering framework (Netfilter) --->
Core Netfilter Configuration --->
<M> Netfilter connection tracking support
<M> "layer7" match support
进行编译
[root@station1 linux]# make
[root@station1 linux]# make modules_install
[root@station1 linux]# make install
重启后查看内核版本
[root@station1 ~]# uname -r
2.6.28.10-l7
[root@station1 ~]#
安装新的 iptables（先卸载系统自带的 iptables 软件包；卸载时原有配置会被保存为 /etc/sysconfig/iptables-config.rpmsave）
[root@station1 ~]# rpm -e iptables-ipv6 iptables --nodeps
warning: /etc/sysconfig/iptables-config saved as /etc/sysconfig/iptables-config.rpmsave
[root@station1 ~]#
[root@station1 ~]# tar xf iptables-1.4.6.tar.bz2 -C /usr/src/
[root@station1 ~]# cd /usr/src/iptables-1.4.6/extensions/
[root@station1 extensions]#
[root@station1 netfilter-layer7-v2.22]# cp iptables-1.4.3forward-for-kernel-2.6.20forward/libxt_layer7.* ../iptables-1.4.6/extensions/
[root@station1 netfilter-layer7-v2.22]#
[root@station1 src]# cd iptables-1.4.6/
[root@station1 iptables-1.4.6]#
[root@station1 iptables-1.4.6]# ./configure --prefix=/usr/ --with-ksource=/usr/src/linux
[root@station1 iptables-1.4.6]# make
[root@station1 iptables-1.4.6]# make install
[root@station1 iptables-1.4.6]#
安装 layer7 协议特征库（l7-protocols）
[root@station1 ~]# tar xf l7-protocols-2009-05-28.tar.gz
[root@station1 ~]# cd l7-protocols-2009-05-28
[root@station1 l7-protocols-2009-05-28]# make install
mkdir -p /etc/l7-protocols
cp -R * /etc/l7-protocols
[root@station1 l7-protocols-2009-05-28]#
实现禁止 QQ：在 FORWARD 链上丢弃 layer7 识别为 qq 协议的流量
# Drop forwarded packets from 10.10.1.0/24 that the layer7 match classifies as "qq".
# The protocol patterns are presumably read from /etc/l7-protocols (where the
# l7-protocols "make install" above copies them) — confirm on the target host.
# NOTE(review): this is appended (--append) to FORWARD, so any earlier ACCEPT rule
# in the chain will take precedence; check rule order with `iptables -L FORWARD -n`.
iptables --append FORWARD --source 10.10.1.0/24 --match layer7 --l7proto qq --jump DROP