29_01iptables系列之layer7

DMZ(非军事化区域)

内核编译:
    配置: .config (/proc/cpuinfo,lspci,lsusb,hal-device)
        make menuconfig
    编译:
        make
        只编译部分源码:
            make SUBDIR=arch/
            make drivers/net/pcnet32.ko
        转存编译结果
            make O=/path/to/somewhere
    安装内核模块
        make modules_install
    安装内核
        make install
       
    
layer7–l7
应用:xunlei,qq,netfilter<–patch

-m layer7 –l7proto xunlei -j DROP

1、给内核打补丁,并重新编译内核
2、给iptables源码打补丁,并重新编译iptables
3、安装l7proto

Kernel Patch 

1
2
3
4
5
6
7
8
9
#tar xf linux-version.tar.gz -C /usr/src 
#tar xf netfilter.version.tar.gz -C /usr/src 
#cd /usr/src 
#ln -s linux-version linux 
#cd /usr/src/linux/ 
#patch -p1 <../netfilter-version/kernel-version-version-layer7-version.patch 
 
#cp /boot/config-version /usr/src/linux/.config 
#make menuconfig

Networking support->Networking Options->Network packet filtering framework->Core Netfilter Configuration

Netfilter connection tracking support
“Layer7” match support
“string” match support
“time” match support
“iprange” match support
“connlimit” match support
“state” match support
“conntrack” connection match support
“mac” address match support
“multiport” Multiple port match support

Networking support -> Networking Options ->Network packet filtering framework ->IP:Netfilter Configuration
IPv4 connection tracking support (required for NAT)
Full NAT
     MASQUERADE target support
     NETMAP target support
     REDIRECT target support
    
#make
#make modules_install
#make install

Complies iptables: 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
#cp /etc/init.d/iptables ~/iptables 
#cp /etc/sysconfig/iptables-config ~/ && cp /etc/sysconfig/iptables ~/iptables-rules 
#service iptables off && chkconfig iptables off 
#rpm -e iptables-ipv6 iptables iptstate --nodeps 
#tar xf iptables-version.tar.bz2 -C /usr/src 
#cd /usr/src/iptables-version 
#cp ../netfilter-layer7-version/iptables-versionforward-for-kernel-versionforward/libxt_layer7.* ./extensions/ 
 
#./configure -prefix=/usr --with-ksource=/usr/src/linux 
#make 
#make install 
 
#tar xf l7-protocols-version.tar.gz 
#cd l7-protocol-version 
#make install 
 
#mv ~/iptables /etc/rc.d/init.d/ && 修改iptables的路径,默认编译在/usr/sbin/iptables 
#chkconfig --add iptables && cp ~/iptables-config /etc/sysconfig/ 
#service iptables start 
 
l7-filter uses the standard iptables extension syntax 
#iptables [specity table & chain] -m layer7 --l7proto [protocol name] -j [action]

                                                                                                                                                                

谢谢你请我吃糖果

支付宝

扫一扫,分享到微信

微信分享二维码

tag:

    缺失模块。
    1、请确保node版本大于6.2
    2、在博客根目录(注意不是yilia根目录)执行以下命令:
    npm i hexo-generator-json-content --save

    3、在根目录_config.yml里添加配置: 

      jsonContent:
    meta: false
    pages: false
    posts:
      title: true
      date: true
      path: true
      text: false
      raw: false
      content: false
      slug: false
      updated: false
      comments: false
      link: false
      permalink: false
      excerpt: false
      categories: false
      tags: true

探索世界美好的存在。