Category: LINUX

2008-10-30 10:52:25

Introduction
This tutorial walks you through setting up the Linux layer 7 packet classifier on RHEL 5.2; it can easily be adapted to any other Linux distribution.
L7-filter is a classifier for Linux Netfilter that identifies packets based on patterns in application-layer data. This allows correct classification of P2P traffic. It can classify protocols such as Kazaa, HTTP, Jabber, Citrix, BitTorrent, FTP, Gnucleus, eDonkey2000, etc., that use unpredictable ports, as well as standard protocols running on non-standard ports. It complements the existing classifiers that match on IP address, port number and so on.

1  Download required packages
1.1) Download the L7-filter kernel patch (netfilter-layer7-v2.20)
1.2) Download the L7-filter protocol definitions (l7-protocols-2008-10-04)
Important Note: Always download the latest version of L7-filter from
1.3) Download iptables 1.4.2
1.4) Download Linux kernel 2.6.26.3


2  Installing the new Linux kernel
2.1) Prepare: unpack the sources
tar -C /usr/src -xvzf linux-2.6.26.3.tar.gz
tar -C /usr/src -xvzf netfilter-layer7-v2.20.tar.gz
tar -C /usr/src -xvjf iptables-1.4.2.tar.bz2

2.2) Apply the layer7 patch to the Linux kernel source
cd /usr/src/linux-2.6.26.3/
patch -p1 < ../netfilter-layer7-v2.20/kernel-2.6.25-layer7-2.20.patch

2.3) Compiling and installing the new Linux kernel
cd /usr/src/linux-2.6.26.3/

make menuconfig
------------------------------------------------
Networking  --->
  Networking options  --->
    Network packet filtering framework (Netfilter)  --->
      Core Netfilter Configuration  --->
        <M> Netfilter connection tracking support
        -*-   Connection tracking flow accounting
        -*-   Connection mark tracking support
        [ ]   Connection tracking security mark support (NEW)
        [ ]   Connection tracking events (NEW)
        <M>   "layer7" match support
        [ ]     Layer 7 debugging output (NEW)
      IP: Netfilter Configuration  --->
        <M> IPv4 connection tracking support (required for NAT)
        <M>   Full NAT
        <M>     MASQUERADE target support
        <M>     REDIRECT target support
        <M>     NETMAP target support
        <M>     Basic SNMP-ALG support
------------------------------------------------

* Optional but highly recommended: lots of other Netfilter options, notably "FTP support" and the other matches. If you don't know what you're doing, go ahead and enable all of them.

* Notice: you must select the "<M> Netfilter connection tracking support" module first; only then does the "layer7" match support entry appear.


* You can deselect the modules below; they are not needed for this setup:
--------------------------------------------------
Networking  --->
  < >   Bluetooth subsystem support  --->
  Wireless  --->
    < > Improved wireless configuration API
    [ ] Wireless extensions
    < > Generic IEEE 802.11 Networking Stack (mac80211)
    < > Generic IEEE 802.11 Networking Stack (DEPRECATED)
  Networking options  --->
    < >   The IPv6 protocol  --->

Device Drivers  --->
  < > ISDN support  --->
  [*] Network device support  --->
    [ ]   Token Ring driver support  --->
    [ ]   FDDI driver support

[ ] Virtualization  --->
--------------------------------------------------

make 
make modules_install
make install

2.4) Check the GRUB configuration
vim /etc/grub.conf

It must look like this:

default=0
timeout=5
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
title Red Hat Enterprise Linux Server (2.6.26.3)
        root (hd0,0)
        kernel /vmlinuz-2.6.26.3 ro root=/dev/VolGroup00/LogVol01 rhgb quiet
        initrd /initrd-2.6.26.3.img
title Red Hat Enterprise Linux Server (2.6.18-92.el5)
        root (hd0,0)
        kernel /vmlinuz-2.6.18-92.el5 ro root=/dev/VolGroup00/LogVol01 rhgb quiet
        initrd /initrd-2.6.18-92.el5.img


3 Patch and install iptables 1.4.2
cd /usr/src/iptables-1.4.2/
cp /usr/src/netfilter-layer7-v2.20/iptables-1.4.1.1-for-kernel-2.6.20forward/* /usr/src/iptables-1.4.2/extensions/
./configure --with-ksource=/usr/src/linux-2.6.26.3
make 
make install 

* Notice
Do not apply the patch "iptables-1.4-for-kernel-2.6.20forward-layer7-2.20.patch" to iptables 1.4.1.1 or newer; copy the extension files as shown above instead. If you do apply it, the build fails with the following error:
libipt_layer7.c: In function 'help':
libipt_layer7.c:41: error: 'IPTABLES_VERSION' undeclared (first use in this function)
libipt_layer7.c:41: error: (Each undeclared identifier is reported only once
libipt_layer7.c:41: error: for each function it appears in.)




4 Installing the protocol definitions

tar -C /usr/src -xvzf l7-protocols-2008-10-04.tar.gz
cd /usr/src/l7-protocols-2008-10-04
make install


5 Finally
We are done; restart the system and enjoy.

reboot

6 Test l7-filter
iptables -m layer7 --help

Have fun!


7 How to use
iptables -t mangle -I PREROUTING -m layer7 --l7proto qq -j DROP
iptables -t mangle -I PREROUTING -m layer7 --l7proto xunlei -j DROP

For the available protocol names, look at the .pat files in /etc/l7-protocols/protocols.

To inspect the rules and their packet counters:
iptables -t mangle -nL -v


8 About Xunlei ("Thunder" in English)
Layer 7 cannot match Xunlei. See /etc/l7-protocols/protocols/xunlei.pat:
# Xunlei (Chinese P2P) traffic is not matched anymore by layer7 xunlei
# pattern. It used to work in the past but not anymore. Maybe Xunlei was
# updated and pattern should be adapted?
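To check whether a pattern file under /etc/l7-protocols/protocols still matches what a client actually sends (the question raised for xunlei.pat above), here is an added Python example that is not part of the original post or of the l7-filter project: it parses the .pat layout, rebuilds the buffer xt_layer7 matches against (NUL bytes dropped, upper-case ASCII lowercased, first 10 packets / 2048 bytes), and runs the regex over captured payloads. The toyhttp pattern and both flows are constructed for illustration, not real l7-protocols data.

```python
import re

# l7-filter defaults (xt_layer7 module parameters maxdatalen / num_packets)
L7_MAX_BYTES = 2048
L7_MAX_PACKETS = 10

# Constructed .pat file in the layout used under /etc/l7-protocols/protocols:
# '#' comment lines, then the protocol name, then one regex applied to the
# start of the connection's application data. The regex is a made-up
# HTTP-like pattern for illustration, not the real http.pat.
SAMPLE_PAT = r"""
# toyhttp - constructed example, not a real l7-protocols pattern
toyhttp
^(get|post|head)[\x09-\x0d -~]* http/(0\.9|1\.0|1\.1)
"""

def parse_pat(text):
    """Return (protocol name, regex) from the body of a .pat file."""
    lines = [l.strip() for l in text.splitlines()
             if l.strip() and not l.lstrip().startswith("#")]
    if len(lines) < 2:
        raise ValueError("a .pat file needs a name line and a regex line")
    return lines[0], lines[1]

def l7_buffer(packets):
    """Rebuild the buffer xt_layer7 matches against: payload of the first
    num_packets packets, NUL bytes dropped, upper-case ASCII lowercased,
    capped at maxdatalen bytes."""
    buf = bytearray()
    for payload in packets[:L7_MAX_PACKETS]:
        for b in payload:
            if len(buf) >= L7_MAX_BYTES:
                return bytes(buf)
            if b == 0:
                continue
            buf.append(b + 32 if 65 <= b <= 90 else b)
    return bytes(buf)

def classify(pat_text, packets):
    """Protocol name if the pattern matches the flow, else None. Python's re
    is close to, but not identical with, the kernel's POSIX regexp engine
    (no [[:alpha:]] classes, for example): a quick sanity check only."""
    name, regex = parse_pat(pat_text)
    return name if re.search(regex.encode("latin-1"), l7_buffer(packets)) else None

# Constructed flows: a request the pattern matches, and a changed client that
# no longer sends the expected trailer (the situation described for xunlei.pat).
HTTP_FLOW = [b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"]
CHANGED_FLOW = [b"GET /index.html\r\n\x00\x00Host: example.test\r\n"]
```

Feed it the first client payloads of a real capture to see whether the installed pattern still fires before adapting the regex.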

9 About QQ
This pattern has been tested and is believed to work well.
If you block QQ, you can no longer connect to its server.
chinaunix user, 2008-10-30 19:50:50

I have a small WebSphere question and have left you a message. Please help me solve it. Thanks...