First
about Xunlei ("Thunder" in English)
layer 7 can not match xunlei
you can see /etc/l7-protocols/protocols/xunlei.pat
# Xunlei (Chinese P2P) traffic is not matched anymore by layer7 xunlei
# pattern. It used to work in the past but not anymore. Maybe Xunlei was
# updated and pattern should be adapted?
Introduction
This tutorial will walk you through setting up a Linux layer 7 packet classifier on RHEL 5.2, this can easily be adapted to any other Linux distribution out there.
L7-filter is a classifier for the Linux Netfilter that identifies packets based on patterns in application layer data. This allows correct classification of P2P traffics. It can classify packets such as Kazaa, HTTP, Jabber, Citrix, Bittorrent, FTP, Gnucleus, eDonkey2000, etc., that uses unpredictable ports as well as standard protocols running on non-standard ports. It complements existing classifiers that match on IP address, port numbers and so on.
1 Download required packages
1.1) Download L7-filter kernel
1.2) Download L7-filter Protocol definitions
Important Note: Always download the latest version of L7-filter from
1.3) Download Linux Iptables 1.4.2
1.5) Download Linux Kernel 2.6.26.3
2 installing new linux kernel
2.1)prepare
tar -C /usr/src -xvzf linux-2.6.26.3.tar.gz
tar -C /usr/src -xvzf netfilter-layer7-v2.20.tar.gz
tar -C /usr/src -xvf iptables-1.4.2.tar.bz2.tar
2.2) Apply patch to Linux kernel source,
cd /usr/src/linux-2.6.26.3/
patch -p1 < ../netfilter-layer7-v2.20/kernel-2.6.25-layer7-2.20.patch
2.3) Compiling & installing new linux kernel
cd /usr/src/linux-2.6.26.3/
make menuconfig
------------------------------------------------
Networking-->
Networking options -->
Network Packet Filtering framework (Netfilter) -->
Core Netfilter Configuration -->
Netfilter connection tracking support
-*- Connection tracking flow accounting
-*- Connection mark tracking support
[ ] Connection tracking security mark support (NEW)
[ ] Connection tracking events (NEW)
"layer7" match support
[ ] Layer 7 debugging output (NEW)
IP: Netfilter Configuration --->
IPv4 connection tracking support (required for NAT)
Full NAT
Full NAT
MASQUERADE target support
REDIRECT target support
NETMAP target support
Basic SNMP-ALG support
* Optional but highly recommended: Lots of other Netfilter options, notably “FTP support” and other matches. If you don’t
know what you’re doing, go ahead and enable all of them.
* notice you must selcet the module "<> Netfilter connection tracking support" first , the " "layer7" match support"
module will appear.
*you can cancel module list below
Networking-->
< > Bluetooth subsystem support --->
Wireless --->
< > Improved wireless configuration API
[ ] Wireless extensions
< > Generic IEEE 802.11 Networking Stack (mac80211)
< > Generic IEEE 802.11 Networking Stack (DEPRECATED)
Networking options -->
< > The IPv6 protocol --->
Device Drivers --->
< > ISDN support --->
[*] Network device support --->
[ ] Token Ring driver support --->
[ ] FDDI driver support
[ ] Virtualization --->
--------------------------------------------------
make
make modules_install
make install
2.4) Check GRUB setting
vim /etc/grub.conf
It must look like this:
default=0
timeout=5
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
title Red Hat Enterprise Linux Server (2.6.26.3)
root (hd0,0)
kernel /vmlinuz-2.6.26.3 ro root=/dev/VolGroup00/LogVol01 rhgb quiet
initrd /initrd-2.6.26.3.img
title Red Hat Enterprise Linux Server (2.6.18-92.el5)
root (hd0,0)
kernel /vmlinuz-2.6.18-92.el5 ro root=/dev/VolGroup00/LogVol01 rhgb quiet
initrd /initrd-2.6.18-92.el5.img
3 patch & install iptables 1.4.2
cd /usr/src/iptables-1.4.2/
cp /usr/src/netfilter-layer7-v2.20/iptables-1.4.1.1-for-kernel-2.6.20forward/* /usr/src/iptables-1.4.2/extensions/
./configure --with-ksource=/usr/src/linux-2.6.26.3
make
make install
* notice
do not patch the patch "iptables-1.4-for-kernel-2.6.20forward-layer7-2.20.patch" for iptables 1.4.1.1 and newer.
if you do that there is an error will be appear:
libipt_layer7.c: In function 'help':
libipt_layer7.c:41: error: 'IPTABLES_VERSION' undeclared (first use in this function)
libipt_layer7.c:41: error: (Each undeclared identifier is reported only once
libipt_layer7.c:41: error: for each function it appears in.)
4 Installing protocol definitions
tar -C /usr/src -xvzf l7-protocols-2008-10-04.tar.gz
cd l7-protocols-2008-10-04
make install
5 Finally
Well we are done, restart the system and enjoy.
reboot
6 Test l7-filter
iptables -m layer7 --help
Have fun!
7 how to use
iptables -t mangle -I PREROUTING -m layer7 --l7proto qq -j DROP
iptables -t mangle -I PREROUTING -m layer7 --l7proto xunlei -j DROP
about protocol name,you can see /etc/l7-protocols/protocols
examine:
iptables -t mangle -nL -v
8 about Xunlei ("Thunder" in English)
layer 7 can not match xunlei
you can see /etc/l7-protocols/protocols/xunlei.pat
# Xunlei (Chinese P2P) traffic is not matched anymore by layer7 xunlei
# pattern. It used to work in the past but not anymore. Maybe Xunlei was
# updated and pattern should be adapted?
9 about qq
This pattern has been tested and is believed to work well.
if you quit qq, you can not connect to server anymore.