linux iptables L7-filter
Author: anonymous
Source: Linux Systems
Published: 2012-05-17
see the ip_conntrack module. Normally, ipt_layer7 should have had ip_conntrack in its dependencies, but it doesn't. That is why we neither got any errors while loading the module nor got any result. We know that L7-filter uses the ip_conntrack module, so we need to load it. Let's see what happens now:

    router:~# modprobe ip_conntrack
    router:~# iptables -L OUTPUT -n -v
    Chain OUTPUT (policy ACCEPT 457K packets, 159M bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0            all  --  *      *       0.0.0.0/0            0.0.0.0/0           LAYER7 l7proto http
    router:~# wget http://127.0.0.1/whale.qt
    --00:37:21--  http://127.0.0.1/whale.qt
               => `whale.qt'
    Connecting to 127.0.0.1:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 11,727,970 [video/quicktime]

    100%[==================================================================================>] 11,727,970    12.74M/s

    00:37:22 (12.71 MB/s) - `whale.qt' saved [11727970/11727970]

    router:~# iptables -L OUTPUT -n -v
    Chain OUTPUT (policy ACCEPT 467K packets, 175M bytes)
     pkts bytes target     prot opt in     out     source               destination
     1433   12M            all  --  *      *       0.0.0.0/0            0.0.0.0/0           LAYER7 l7proto http

Well, as you can see, it worked: the rule (which has no target, so it only counts) went from 0 packets to 1433 packets and 12M bytes after the download. Now we have a Linux router with application layer filtering capabilities.

L7-filter Applications

We can use L7-filter with any iptables option; after all, L7-filter provides just another match option. However, not all the things we can do with our new match option are recommended, because L7-filter might match packets belonging to applications other than the one you want.

    # matches everything and too much
    # ^(\xe3|\xc5|\xd4)
    # ipp2p essentially uses "\xe3....\x47", which doesn't seem at all right to me.
    # bandwidtharbitrator uses
    # e0.*@.*6[a-z].*p$|e0.*@.*[a-z]6[a-z].*p0$|e.*@.*[0-9]6.*p$|emule|edonkey
    # no comments to explain what all the mush is, of course...

Well, they all use different patterns, which explains the difference.
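As an added example (not part of the original article), the following POSIX shell script automates the check performed above: it emits the set-up commands, including the explicit modprobe of ip_conntrack that ipt_layer7 does not pull in by itself, and parses `iptables -L <chain> -n -v` output to compare the packet counter of the LAYER7 rule before and after traffic is generated. The chain name, the protocol name, and the two embedded listings (copied from the output above) are assumptions and constructed input so that the script runs offline without root or the layer7 match installed.

```shell
#!/bin/sh
# Added example, not code from the original article.
# Verifies that an L7-filter counting rule actually fires by reading its
# packet counter from `iptables -L <chain> -n -v` before and after traffic.
# Assumptions: iptables with the layer7 match; chain/proto names are illustrative.

# Emit the commands needed to set up a counting rule for one l7proto.
# ip_conntrack is loaded explicitly because ipt_layer7 does not depend on it.
l7_setup_cmds() {
    chain="$1"; proto="$2"
    printf 'modprobe ip_conntrack\n'
    printf 'iptables -A %s -m layer7 --l7proto %s\n' "$chain" "$proto"
}

# Read `iptables -L <chain> -n -v` output on stdin and print "pkts bytes"
# for the first LAYER7 rule whose l7proto equals the given name.
l7_counter() {
    proto="$1"
    awk -v p="$proto" '$0 ~ ("LAYER7 l7proto " p "$") { print $1, $2; exit }'
}

# Constructed sample listings, copied from the article's before/after output.
BEFORE='Chain OUTPUT (policy ACCEPT 457K packets, 159M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0            all  --  *      *       0.0.0.0/0            0.0.0.0/0           LAYER7 l7proto http'
AFTER='Chain OUTPUT (policy ACCEPT 467K packets, 175M bytes)
 pkts bytes target     prot opt in     out     source               destination
 1433   12M            all  --  *      *       0.0.0.0/0            0.0.0.0/0           LAYER7 l7proto http'

# Return 0 if the packet count of the rule for $1 grew between listing $2
# and listing $3 (the match is firing), 1 otherwise (including "rule absent").
l7_matched() {
    proto="$1"; before="$2"; after="$3"
    b=$(printf '%s\n' "$before" | l7_counter "$proto" | cut -d' ' -f1)
    a=$(printf '%s\n' "$after"  | l7_counter "$proto" | cut -d' ' -f1)
    [ -n "$a" ] && [ -n "$b" ] && [ "$a" -gt "$b" ]
}

# Stand-alone run against the embedded listings.
l7_setup_cmds OUTPUT http
if l7_matched http "$BEFORE" "$AFTER"; then
    echo "layer7 match for http is firing"
else
    echo "layer7 match for http never fired: is ip_conntrack loaded?"
fi
```

To use it on a live router, replace the embedded listings with the output of `iptables -L OUTPUT -n -v -x` captured before and after the transfer; `-x` prints exact byte counts instead of the K/M suffixes seen above, so the bytes column becomes comparable too.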
BitTorrent values are closer between IPP2P and L7-filter, but we can't tell which one is closer to the truth. To be able to make such an affirmation, we would have to set up a test lab, and I really don't think it's worth the trouble. The DC data, however, shows the biggest differences. In this case, I'm 90% sure that L7-filter was far more accurate than IPP2P, because I saw a few of the users behind that Linux router on our DC hub during the time I waited for these values.