Blocked using Linux l7filter Thunder, QQ, MSN

—————— CentOS 5.2 Linux server most stable

Linux kernel 2.6.19-2.6.19.tar.gz ————–

iptables iptables-1.4.1.1.tar.gz-main program ————

program l7filter netfilter-layer7 v2.21.tar.gz-main———-

l7-protocols-2008-12-18.tar.gz ——– l7filter-protocol script block

l7filter and related sites:

http://l7-filter.sourceforge.net/protocols

http://sourceforge.net/projects/l7-filter/

http://protocolinfo.org/wiki/Main_Page

See Note

netfilter-layer7-v2.21.tar.gz README to determine the kernel version.

iptables-1.4-for-kernel-2.6.20forward-layer7-[version] l7-filter. patch

support before version kernel 2.6.20 or later.

iptables-1.3-for-kernel-pre2.6.20-layer7-[version] l7-filter. patch

pre

expressed support for the version of kernel 2.6.20 kernel before the previous version, 2.4

We chose

Kernel patches: kernel-2.6.25-2.6.28-layer7-2.21.patch

Iptables is

patch: iptables-1.4.1.1-to-kernel-2.6.20forward

Select the kernel version: linux-2.6.27

choice iptables: iptables-1.4.1.1.tar

1. To play l7filter patch the kernel and iptables

GCC 1.1 installation

CentOS5.2 installation used a custom software, then select the function “and cancel all other selected installation base.Installé in the system, first install the GCC.

# Rpm-ivhU kernel-headers-2.6.18-92.el5.i386.rpm

# Rpm-ivhU glibc-headers-2.5-24.i386.rpm

# Rpm-ivhU glibc-devel-2.5-24.i386.rpm

# Rpm-libgomp-4.1.2-42.el5.i386.rpm ivhU

# Rpm-cpp-4.1.2-42.el5.i386.rpm ivhU

# Rpm-ivhU-42.el5.i386.rpm gcc-4.1.2

check the version of GCC:

# gcc-v

gcc version 4.1.2 20071124

(Red Hat 4.1.2-42)

Then display the current kernel version:

# Uname-r

2.6.19-default

Also need to install the following RPM package, this package is the # make menuconfig when necessary, otherwise the error:

# Rpm-devel-ivhU ncurses-5.5-24.20060715.i386.rpm

1.2 to patch the kernel

l7filter First extract:

# Tar zxvf

netfilter-layer7-v2.21.tar.gz

Give

kernel patch to play l7filter:

# Tar zxvf

linux-2.6.27.tar.gz

Cd # linux-2.6.27

# Patch-p1 .. / netfilter-layer7-v2.21/kernel-2.6.25-2.6.28-layer7-2.21.patch

Also need to edit the following files, or compile error:

Scripts

# Vi / kconfig / mconf.c

static structure current_menu * menu; reviewing this line

add struct * current_menu menu, as follows:

/ / Static struct menu * current_menu

struct menu *

current_menu

previous configuration files are copied to the kernel during inherit the original configuration:

# Cp / boot/config-2.6.18-92.el5. /. Config

Make mrproper # @ @ @ delete unnecessary files and directories, first compile the kernel does not need

# Make clean

@ @ @ delete unnecessary files and modules

Make menuconfig # @ @ @ text-based interface configuration menu of the terminal character, recommended

Select the appropriate configuration, there are three options, which represent the following meanings:

Y – features included in the kernel

N – function not compiled into the kernel

M – function can be dynamically compiled when needed in the kernel module

Networking Support – Networking options – Network packet filtering framework (Netfilter) – Core Netfilter Configuration –

Select the following two lines:

“support Layer7 match”

[*] Layer 7 debugging

shown below:

Then save the kernel configuration mode.

# make dep

@ @ @ link code and function libraries

Make bzImage # @ @ @ begin compiling the kernel, this step takes about 25 minutes

# make modules @ @ @ begin gathering plug-in modules, this step takes about 1 hour

modules_install # make install @ @ @ compiled modules completed

# Make install @ @ @ will compile just completed the installation of the system in the kernel

Kernel compilation is complete, start the new kernel, and then enter the system

Look

the current kernel:

# Uname-r

02/06/27

1.3 install iptables

following patch to iptables to play l7filter and compile, install:

# iptables-Tar jxvf 1.4.1.1.tar.bz2

Cd # iptables-1.4.1.1

# Ln-s / home/l7filter/linux-2.6.27 / usr / src / linux

# Cp netfilter-layer7-v2.21/iptables-1.4.1.1-for-kernel-2.6.20forward/libxt_layer7 iptables-1.4.1.1/extensions. * /

#. / Configure – with-ksource = / usr / src / linux /

# Make

# Make install

Watch iptables version information:

# iptables-v

iptables v1.4.1.1: no command specified

Try `iptables-h iptables” or” -” More help for.

Well, now we have completed the kernel and iptables support work began on the following parameters l7filter.

1.4 Installing the l7-filter protocol file:

# Tar zxvf

l7-protocols-2008-12-18.tar.gz

Cd # l7-protocols-12.18.2008

# Make install @ @ @ to install, just copy some files in the directory / etc

mkdir-p / etc/l7-protocols

conf cp-R data backup bin config eshow_sitemap.html generate.sh log maint sitemap.html svn tmp / etc/l7-protocols

2. L7filter block the use of Thunder, QQ, MSN ….

We first examine the list by category l7filter support:

# Ls / etc/l7-protocols/protocols /

100bao.pat ssdp.pat ncp.pat gkrellm.pat

aim.pat ssh.pat netbios.pat gnucleuslan.pat

aimwebcontent.pat ssl.pat nntp.pat gnutella.pat

applejuice.pat stun.pat ntp.pat goboogy.pat

ares.pat subspace.pat openft.pat gopher.pat

armagetron.pat subversion.pat pcanywhere.pat guildwars.pat

battlefield1942.pat teamfortress2.pat poco.pat h323.pat

battlefield2142.pat teamspeak.pat pop3.pat HalfLife2-deathmatch.pat

battlefield2.pat telnet.pat pplive.pat hddtemp.pat

bgp.pat tesla.pat qq.pat hotline.pat

biff.pat tftp.pat quake1.pat http.pat

bittorrent.pat thecircle.pat http-rtsp.pat earthquake halflife.pat

chikka.pat tor.pat radmin.pat ident.pat

cimd.pat tsp.pat rdp.pat imap.pat

unknown.pat imesh.pat ciscovpn.pat ReplayTV-ivs.pat

citrix.pat unset.pat rlogin.pat ipp.pat

counterstrike-source.pat uucp.pat rtp.pat irc.pat

cvs.pat validcertssl.pat rtsp.pat jabber.pat

dayofdefeat-source.pat ventrilo.pat shoutcast.pat kugoo.pat

dhcp.pat vnc.pat sip.pat live365.pat

directconnect.pat whois.pat skypeout.pat liveforspeed.pat

dns.pat worldofwarcraft.pat skypetoskype.pat lpd.pat

doom3.pat x11.pat smb.pat mohaa.pat

edonkey.pat xboxlive.pat smtp.pat msn-filetransfer.pat

fasttrack.pat xunlei.pat snmp.pat msnmessenger.pat

finger.pat yahoo.pat socks.pat mute.pat

freenet.pat zmaap.pat soribada.pat napster.pat

soulseek.pat nbns.pat ftp.pat

We can see

, support l7filter rich block an agreement, and support are good.

# iptables-t mangle-I POSTROUTING-m layer7 – l7proto MSNMessenger-j DROP

# iptables-t mangle-I POSTROUTING-m layer7 – l7proto qq-j DROP

# iptables-t mangle-I POSTROUTING-m layer7 – Xunlei l7proto-j DROP

# iptables-t mangle-I PREROUTING-m layer7 – l7proto edonkey-j DROP

# iptables-t mangle-I PREROUTING-m layer7 – l7proto bittorrent-j DROP

above command MSN, QQ, Thunder, eMule, BT was sealed.

red is our command # ls / etc/l7-protocols/protocols / See the list.

Start

IP routing, so that customers can access external networks through the PPPoE server

# Echo 1 / proc/sys/net/ipv4/ip_forward

# iptables-t nat-A POSTROUTING-o eth0-j MASQUERADE-s 0/0

Here we test (l7filter the gateway server enterprise network, where IP is 192.168.1.251):

See location

current block:

# POSTROUTING iptables-t mangle-L-v

Chain POSTROUTING (policy ACCEPT 386 packets, 41321 bytes)

pkts bytes target prot

opt-in source to destination

0 0 DROP all – any any anywhere anywhere LAYER7 purpose l7proto

0 0 DROP all – any any anywhere anywhere bittorrent LAYER7 l7proto

0 0 DROP all – any any anywhere anywhere edonkey LAYER7 l7proto

0 0 DROP all – any any anywhere anywhere LAYER7 l7proto Xunlei

0 0 DROP all – any any anywhere anywhere qq LAYER7 l7proto

0 0 DROP all – any any anywhere anywhere MSNMessenger LAYER7 l7proto

QQ and MSN login failure message:

log information system

L7filter processing icon:

! – [If!] VML –

! – [endif] –

other cases more block 11 shows, l7filter is a very powerful functional Seven Network, and other research.

Leave a Comment