2010年(4)
分类: LINUX
2010-06-04 21:24:37
一、安装前准备
1.所需要软件包
linux-2.6.28.tar.gz
iptables-1.4.3.2.tar.bz2
netfilter-layer7-v2.22.tar.gz
l7-protocols-2009-05-28.tar.gz
2.把以上内核和
软件包解压到/usr/src下(这个是我个人的习惯)
tar -zxvf
linux-2.6.28.tar.gz -C /usr/src
tar -zxvf
netfilter-layer7-v2.22.tar.gz -C /usr/src
tar -zxvf
l7-protocols-2009-05-28.tar.gz -C /usr/src
tar -jxvf
iptables-1.4.3.2.tar.bz2 -C /usr/src
3.卸载系统自
带的iptables
rpm -qa | grep
iptables 列出已安装的iptables包
rpm -e
--nodeps ~~
二、安装layer7
1.给新内核安装layer7补丁
cd /usr/src/linux-2.6.28/
patch -p1 <
/usr/src/netfilter-layer7-v2.22/kernel-2.6.25-2.6.28-layer7-2.22.patch
2.编译新
内核
2.1修改内核配置项
make
oldconfig 全部保持默认
make menuconfig
General
setup --->
Prompt for development and/or incomplete
code/drivers 必选
Networking --->
Networking
options --->
Network
packet filtering framework
(Netfilter) --->
Core
Netfilter
Configuration --->
该项下的所有项目建议都选上
Layer 7
debugging
output
必选
IP: Netfilter
Configuration --->
该项下的所有项目必需都选上
2.2编译并安装新内核
make
make modules_install
make install
2.3 设置新内核为默认启动的内核,如果是远程连接服务器,必须要修改这项,否则重启后默认加载旧的kernel
vim
/boot/gurb/gurb.conf
default=1
把1改为0
timeout=15 设置等候时间
splashimage=(hd0,0)/boot/grub/splash.xpm.gz
hiddenmenu
title CentOS (2.6.28)
root
(hd0,0)
kernel
/boot/vmlinuz-2.6.28 ro root=LABEL=/ rhgb quiet
initrd
/boot/initrd-2.6.28.img
title CentOS (2.6.18-164.el5)
root
(hd0,0)
kernel
/boot/vmlinuz-2.6.18-164.el5 ro root=LABEL=/ rhgb quiet
initrd
/boot/initrd-2.6.18-164.el5.img
保存退出
reboot
3.编译安装iptables并支持layer7
cd
/usr/src/iptables-1.4.3.2/
cp
/usr/src/netfilter-layer7-v2.22/iptables-1.4.3forward-for-kernel-2.6.20forward/*.*
extensions/
./configure
--with-ksource=/usr/src/linux-2.6.28
make
make install
4.测试
iptables -V
回显:
iptables v1.4.3.2
iptables -m layer7 --help
回显:
Usage: iptables -[AD] chain
rule-specification [options]
iptables -I chain [rulenum] rule-specification
[options]
iptables -R chain rulenum rule-specification
[options]
iptables -D chain rulenum [options]
iptables -[LS] [chain [rulenum]] [options]
iptables -[FZ] [chain] [options]
iptables -[NX] chain
iptables -E old-chain-name new-chain-name
iptables -P chain target [options]
iptables -h (print this help information)
Commands:
Either long or short options are allowed.
--append -A
chain
Append to
chain
--delete -D
chain
Delete
matching rule from chain
--delete -D
chain rulenum
Delete rule
rulenum (1 = first) from chain
--insert -I
chain [rulenum]
Insert in
chain as rulenum (default 1=first)
--replace -R chain
rulenum
Replace rule
rulenum (1 = first) in chain
--list
-L [chain [rulenum]]
List the
rules in a chain or all chains
--list-rules -S [chain
[rulenum]]
Print the
rules in a chain or all chains
--flush
-F [chain]
Delete all
rules in chain or all
chains
--zero
-Z [chain]
Zero
counters in chain or all chains
--new
-N
chain
Create a new
user-defined chain
--delete-chain
-X
[chain]
Delete a
user-defined chain
--policy -P
chain target
Change policy
on chain to target
--rename-chain
-E old-chain
new-chain
Change chain
name, (moving any references)
Options:
[!] --proto
-p
proto
protocol: by
number or name, eg. `tcp'
[!] --source -s
address[/mask]
source
specification
[!] --destination -d address[/mask]
destination
specification
[!] --in-interface -i input name[+]
network
interface name ([+] for wildcard)
--jump -j target
target for
rule (may load target extension)
--goto
-g
chain
jump to
chain with no return
--match
-m
match
extended
match (may load extension)
--numeric
-n
numeric
output of addresses and ports
[!] --out-interface -o output name[+]
network
interface name ([+] for wildcard)
--table
-t
table
table to
manipulate (default: `filter')
--verbose
-v
verbose
mode
--line-numbers
print line
numbers when listing
--exact
-x
expand
numbers (display exact values)
[!]
--fragment -f
match second
or further fragments only
--modprobe=
--set-counters PKTS
BYTES
set the
counter during insert/append
[!] --version
-V
print package
version.
layer7 match options:
--l7dir
(--l7dir must
be specified before --l7proto if used)
[!] --l7proto
至此安装过程完全完成
