linux iptables L7-filter
Author: Anonymous (Technology)
Source: Linux system
Published: 2012-05-17
ocols/* /etc/l7-protocols

The /etc/l7-protocols folder is the default folder for pattern files, and iptables will look into it and its subfolders, but not recursively. This means that iptables will search for pattern files in /etc/l7-protocols and in any /etc/l7-protocols/subdir, but not in /etc/l7-protocols/subdir/subsubdir. If you don't wish to set up the /etc/l7-protocols folder, you can specify the pattern files folder by doing:

    iptables […] -m layer7 --l7dir /path-to/patterns --l7proto […]

Please note that you have to specify the patterns folder before the protocol.

Testing the Installation

First, we might want to see if our module is in place. We can do that using the modinfo command:

    router:~# modinfo ipt_layer7
    filename:    /lib/modules/2.6.12.5-home.made/kernel/net/ipv4/netfilter/ipt_layer7.ko
    author:      Matthew Strait <quadong@users.sf.net>, Ethan Sommer <sommere@users.sf.net>
    license:     GPL
    description: iptables application layer match module
    vermagic:    2.6.12.5-home.made preempt PENTIUMIII gcc-3.3
    depends:     ip_tables

The output shows that we have a module called ipt_layer7 and some information about it, such as filename, author, license, description, version, and the other modules it depends on. Next, we will try to load the module using the modprobe command:

    router:~# modprobe ipt_layer7
    router:~# lsmod
    Module                  Size  Used by
    ipt_layer7             12364  0

The modprobe command didn't produce any errors. By using the lsmod command, we can see the module loaded into the kernel, its size, and the number of processes it is used by (in our case 0, because we haven't used it yet). Next, we might want to test it and see if it works. We will do that by using the Apache web server, placing some files in the web folder and downloading them. When downloading the files, we should see that all packets are matched.
First, we will use the command iptables -Z to zero the counters of all the rules in all chains, and then we will insert an accounting rule in the OUTPUT chain to match all the outgoing HTTP traffic.

    router:~# iptables -Z
    router:~# iptables -A OUTPUT -m layer7 --l7proto http
    router:~# iptables -L OUTPUT -n -v
    Chain OUTPUT (policy ACCEPT 10168 packets, 3433K bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0            all  --  *      *       0.0.0.0/0            0.0.0.0/0           LAYER7 l7proto http

Next, we download the file whale.qt (for example) from this server and look in the Apache access.log:

    "GET /whale.qt HTTP/1.1" 200 11727970 "-"

So 11 Mb must have matched the accounting rule in the OUTPUT chain.

    router:~# iptables -L OUTPUT -n -v
    Chain OUTPUT (policy ACCEPT 172K packets, 65M bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0            all  --  *      *       0.0.0.0/0            0.0.0.0/0           LAYER7 l7proto http
    router:~#

Oops! No packet was matched. Did we do something wrong, or is L7-filter not good at all? Well, in most cases the first option is valid, so looking again at the ipt_layer7 module, we can see that it depends only on the ip_tables module. We now quickly verify what modules are loaded in the kernel, but we don't
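As an added example (not code from the original text), the following Python helper automates the two checks described above: which PROTO.pat iptables would pick from a --l7dir tree given the one-level search, and whether the layer7 accounting rule's counters cover the transfer recorded in Apache's access.log. The relative file listing, the function names and the sample listing and log line are constructed for this example.

```python
import re

SUFFIX = {"": 1, "K": 10**3, "M": 10**6, "G": 10**9}   # rounding used by iptables -v

def locate_pattern(proto, relpaths):
    """RELPATHS are file paths relative to the --l7dir (e.g. from os.walk).
    Only PROTO.pat at the top level or in an immediate subfolder qualifies;
    a copy two levels down is ignored, matching the one-level search above."""
    wanted = proto + ".pat"
    hits = [p for p in relpaths
            if p.count("/") <= 1 and p.rsplit("/", 1)[-1] == wanted]
    return min(hits, key=lambda p: p.count("/")) if hits else None

def parse_counter(tok):
    """'11M' -> 11000000; run iptables with -x to get exact counters instead."""
    m = re.fullmatch(r"(\d+)([KMG]?)", tok)
    if not m:
        raise ValueError("bad counter: %r" % tok)
    return int(m.group(1)) * SUFFIX[m.group(2)]

def layer7_counters(listing):
    """Map l7proto name -> (pkts, bytes) for each layer7 rule in the
    output of `iptables -L CHAIN -n -v`."""
    rule = re.compile(r"\s*(\d+[KMG]?)\s+(\d+[KMG]?)\s+.*LAYER7 l7proto (\S+)")
    found = {}
    for line in listing.splitlines():
        m = rule.match(line)
        if m:
            found[m.group(3)] = (parse_counter(m.group(1)), parse_counter(m.group(2)))
    return found

def served_bytes(access_log):
    """Sum the response sizes Apache logged ('... HTTP/1.1" 200 11727970 ...')."""
    return sum(int(s) for s in re.findall(r'" \d{3} (\d+)', access_log))

def rule_saw_transfer(listing, access_log, proto="http"):
    """True when the rule's byte counter covers the logged response sizes.
    The counter includes headers, so it should be at least the log total;
    10% slack absorbs the K/M rounding of -v output."""
    _pkts, nbytes = layer7_counters(listing).get(proto, (0, 0))
    return nbytes >= 0.9 * served_bytes(access_log)

# Constructed sample input, mirroring the second listing in the walkthrough.
LISTING = """Chain OUTPUT (policy ACCEPT 172K packets, 65M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0            all  --  *      *       0.0.0.0/0            0.0.0.0/0           LAYER7 l7proto http
"""
ACCESS_LOG = ('10.0.0.2 - - [17/May/2012:10:00:00 +0000] '
              '"GET /whale.qt HTTP/1.1" 200 11727970 "-" "curl/7.21"\n')
```

On the listing from the walkthrough, rule_saw_transfer returns False, which is exactly the mismatch the text notices; a counter of 11M against the same log line makes it True.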