iptables layer7 (l7-filter) configuration on Linux, part 2
...vX.Y.tar.gz)
- "Protocol definitions" package (l7-protocols-YYYY-MM-DD.tar.gz)

The steps are as follows:

  # tar zxvf linux-2.6.28.10.tar.gz -C /usr/src
  # tar zxvf netfilter-layer7-v2.22.tar.gz -C /usr/src
  # ln -s /usr/src/linux-2.6.28.10/ /usr/src/linux
  # cd /usr/src/linux/
  # patch -p1 < ../netfilter-layer7-v2.22/kernel-2.6.25-2.6.28-layer7-2.22.patch
  # cp /boot/config-2.6.18-164.el5 /usr/src/linux/.config
  # make menuconfig

The matching development packages must already be installed before this step (on CentOS 5 they can be picked in the pirut & package manager). In menuconfig, select the following modules:

- Networking support → Networking Options → Network packet filtering framework → Core Netfilter Configuration
  <M> Netfilter connection tracking support
  <M> "layer7" match support
  <M> "string" match support
  <M> FTP protocol support
  <M> "time" match support
  <M> "iprange" match support
  <M> "connlimit" match support
  <M> "state" match support
  <M> "conntrack" connection match support
  <M> "mac" address match support
  <M> "multiport" Multiple port match support

- Networking support → Networking Options → Network packet filtering framework → IP: Netfilter Configuration
  <M> IPv4 connection tracking support (required for NAT)
  <M> Full NAT
  <M> MASQUERADE target support
  <M> NETMAP target support
  <M> REDIRECT target support

- Start compiling and installing:
  # make
  # make modules_install
  # make install
- Edit /boot/grub/grub.conf and set the default boot entry to the new kernel.
- Reboot.

Rebuild iptables with the layer7 extension (the init script is saved first, because removing the distribution package deletes it):

  # cp /etc/rc.d/init.d/iptables ~/iptables
  # rpm -e iptables-ipv6 iptables iptstate --nodeps
  # tar jxvf iptables-1.4.6.tar.bz2 -C /usr/src
  # cd /usr/src/iptables-1.4.6
  # cp ../netfilter-layer7-v2.22/iptables-1.4.3forward-for-kernel-2.6.20forward/libxt_layer7.* ./extensions/
  # ./configure --prefix=/usr --with-ksource=/usr/src/linux
  # make
  # make install

Install the protocol definitions (the regex patterns that --l7proto names refer to):

  # tar zxvf l7-protocols-2009-05-28.tar.gz
  # cd l7-protocols-2009-05-28
  # make install

Put the init script back and give it the binary path it expects:

  # mv ~/iptables /etc/rc.d/init.d/
  # ln -sv /usr/sbin/iptables /sbin/iptables

Note: the first time, service iptables start does not work; run setup first, then service iptables start.

In kernel 2.6.28.10 the ip_conntrack_ftp module was renamed to nf_conntrack_ftp. Load it with:

  # modprobe nf_conntrack_ftp

Supported protocol types (a selection):

- bittorrent: P2P filesharing / publishing tool
- edonkey: eDonkey2000 - P2P filesharing
- kugoo: KuGoo - a Chinese P2P program
- msn-filetransfer: MSN (Microsoft Network) Messenger file transfers
- msnmessenger: Microsoft Network chat client
- pplive: Chinese P2P streaming video
- qq
- xunlei

Usage:

  iptables [specify table & chain] -m layer7 --l7proto [protocol name] -j [action]

Deny external access to the firewall's own web, ssh and telnet services:

  [root@station93 ~]# iptables -A INPUT -p tcp -m multiport --source-por
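The following policy script is an added example, not part of the original page or of the l7-filter project. It assumes the l7-filter patched kernel, the rebuilt iptables with libxt_layer7 and the /etc/l7-protocols directory from the steps above are in place; the interface names eth0/eth1 and the 192.168.1.0/24 LAN are placeholders. It turns the single-rule usage line above into a small policy: per-protocol layer7 drop rules in FORWARD (with a rate-limited LOG so the drops show up in the kernel log), a mangle-table MARK for streaming traffic that should be shaped rather than blocked, and the INPUT rule for the last section, written against destination ports because the firewall's web, ssh and telnet services are identified by the port they listen on.

```shell
#!/bin/sh
# Added example (not from the original page): layer7 policy for the firewall
# built above. Assumes the l7-filter kernel, iptables with libxt_layer7 and
# /etc/l7-protocols are installed. eth0, eth1 and 192.168.1.0/24 are
# placeholder values.
#
# Dry run (print rules):  IPT=echo APPLY_L7=1 sh l7-policy.sh
# Apply (as root):        APPLY_L7=1 sh l7-policy.sh

IPT="${IPT:-iptables}"          # iptables binary; set to "echo" to print rules
WAN_IF="${WAN_IF:-eth0}"        # placeholder: interface facing the Internet
LAN_IF="${LAN_IF:-eth1}"        # placeholder: interface facing the LAN
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Protocol names from the l7-protocols package; each must have a .pat file.
P2P_PROTOS="bittorrent edonkey kugoo xunlei"
IM_PROTOS="qq msnmessenger msn-filetransfer"
SHAPE_PROTOS="pplive"

# l7_pattern_exists PROTO: true if a pattern file for PROTO was installed
# (l7-protocols' make install puts them under protocols/ and extra/).
# Without it, iptables rejects the rule at load time.
l7_pattern_exists() {
    [ -f "/etc/l7-protocols/protocols/$1.pat" ] ||
        [ -f "/etc/l7-protocols/extra/$1.pat" ]
}

# l7_drop CHAIN PROTO: log (rate-limited) and drop a connection once l7-filter
# has classified it as PROTO. Classification is done on the first packets of a
# connection, so those pass; every later packet of the connection is dropped.
l7_drop() {
    $IPT -A "$1" -m layer7 --l7proto "$2" \
        -m limit --limit 6/min -j LOG --log-prefix "L7-DROP $2 "
    $IPT -A "$1" -m layer7 --l7proto "$2" -j DROP
}

# l7_mark PROTO MARK: tag PROTO connections in the mangle table so tc can
# rate-limit them instead of the firewall dropping them outright.
l7_mark() {
    $IPT -t mangle -A POSTROUTING -m layer7 --l7proto "$1" -j MARK --set-mark "$2"
}

# deny_wan_admin: keep the firewall's own web, ssh and telnet off the WAN side
# (the rule the last section of the page describes), matching destination ports.
deny_wan_admin() {
    $IPT -A INPUT -i "$WAN_IF" -p tcp -m multiport --dports 22,23,80 -j DROP
}

apply_policy() {
    # layer7 rules must come BEFORE the generic ESTABLISHED accept: the packets
    # that carry the classifiable payload already belong to an established
    # connection, so an early "--state ESTABLISHED -j ACCEPT" would let them
    # through and the layer7 matches below would never fire.
    for p in $P2P_PROTOS $IM_PROTOS; do
        if l7_pattern_exists "$p"; then
            l7_drop FORWARD "$p"
        else
            echo "warning: no pattern for $p in /etc/l7-protocols, skipping" >&2
        fi
    done
    for p in $SHAPE_PROTOS; do
        l7_pattern_exists "$p" && l7_mark "$p" 3
    done
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -j DROP
    deny_wan_admin
}

if [ "${APPLY_L7:-0}" = "1" ]; then
    apply_policy
fi
```

Two caveats worth keeping in mind when deploying this: the layer7 match classifies a connection by running the regexes in /etc/l7-protocols over its early payload, so it costs CPU on every new connection and it only catches traffic whose payload matches the pattern; peers that obfuscate or encrypt the protocol are not classified, and the rule set above lets them through. Check the drop counters with iptables -L FORWARD -v -n and the "L7-DROP" lines in the kernel log to confirm the rules are actually matching.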