Thanks to study-area webmaster Netman (網中人) for providing the material. Original source:
Concept:
This setup uses iptables to hand packets to the kernel for l7 (layer-7) filter analysis, which is better described as behaviour-signature matching. For example, a company that wants to stop its staff from using IM software such as MSN can normally only block the connection server and port, but the software will then try to connect through a proxy, which makes it very hard to guard against. Once this kernel module is built, the problem is solved. Why? Because the rule lets the first packet bring the connection to ESTABLISHED and then drops the packets that follow, so the program can no longer fall back to a proxy connection.
All the signature files used for matching live under /etc/l7-protocols/protocols; simply adding --l7proto msnmessenger to the command starts the analysis.
My OS environment: Redhat 9.0; Kernel: 2.4.20-42.9.legacy; iptables: 1.2.11
Tips:
1. The download is a bz2 archive, so use the j option; if it is a gz archive, use the z option.
2. You can update to the kernel above with yum update, or download it manually.
3. Before removing the old iptables, back up /etc/init.d/iptables, then run yum remove iptables.
4. The file for_older_kernels/kernel-2.4-layer7-0.9.1.patch is written against linux-2.4.26-stock, and my kernel source is not that version, so I had to edit the relevant files by hand and insert the new code at the matching locations, as described below.
5. Just update the Protocol definitions files periodically. Location:
6. Kernel: from 2.4.20-28.9 onward, the QOS section already supports the HTB function; just select it when rebuilding the kernel. The catch is that the tc command in the iproute2 package does not support it, so on Redhat 9 that package must be updated before it can be used (the package name is given later). tc is normally designed to be configured per single device, and ADSL lines are usually asymmetric, so in practice: shape download on the internal NIC (eth0 in this example) and upload on the external NIC (eth1 in this example).
7. A practical case: MSN is denied by default and allowed for only a few people. The rule must not be written like this:
   #iptables -t mangle -A POSTROUTING -m layer7 --l7proto msnmessenger -j DROP
   The result is that every packet is run through the kernel matcher, and because the rule does not show up when you check with iptables -L -n or iptables -t nat -L, any further iptables command appears to have no effect. The correct way is case two below; don't repeat my mistake :-)
8. Downloading the patch-o-matic-20030912.tar.bz2 kernel package lets you add functions such as the following, given here for reference:
   ./runme base/iprange.patch
   Explanation:
---------------------------------------------------------------------
Each patch is a new feature: many have minimal impact, some do not.
Almost every one has bugs, so I don't recommend applying them all!
-------------------------------------------------------
Testing... iprange.patch NOT APPLIED (2 missing files)
The base/iprange patch:
Author: Jozsef Kadlecsik
Status: Works
This patch makes possible to match source/destination IP addresses against inclusive IP address ranges.
Examples.
iptables -A FORWARD -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT
iptables -A FORWARD -m iprange --dst-range 10.0.0.0-10.5.255.255.255 -j ACCEPT
---------------------------------------------------------------------
~Getting started:~
------------------------------------------------------------------------
~You can do this step first:
[root@linux2005 temp]# gunzip l7-protocols-2005-02-06.tar.gz
[root@linux2005 temp]# tar -xvf l7-protocols-2005-02-06.tar
[root@linux2005 l7-protocols-2005-02-06]# make install
Contents of the Makefile:
all:
	@echo Nothing to compile, just run \'make install\'
	@echo \(This just copies this directory into $(PREFIX)/etc/l7-protocols \)
install:
	mkdir -p $(PREFIX)/etc/l7-protocols
	cp -R * $(PREFIX)/etc/l7-protocols
~Patching the kernel
1. Extract, then patch the kernel and iptables:
[root@linux2005 temp]# gunzip netfilter-layer7-v1.0.tar.gz
[root@linux2005 temp]# tar -xvf netfilter-layer7-v1.0.tar
[root@linux2005 temp]# cd netfilter-layer7-v1.0
[root@linux2005 netfilter-layer7-v1.0]# cd for_older_kernels/
[root@linux2005 for_older_kernels]# cp kernel-2.4-layer7-0.9.1.patch /usr/src/.
Edit the following files by hand, using kernel-2.4-layer7-0.9.1.patch as the reference:
linux-2.4.26-stock/Documentation/Configure.help
linux-2.4.26-stock/include/linux/netfilter_ipv4/ip_conntrack.h
linux-2.4.26-stock/include/linux/netfilter_ipv4/ipt_layer7.h
linux-2.4.26-stock/net/ipv4/netfilter/Config.in
linux-2.4.26-stock/net/ipv4/netfilter/Makefile
linux-2.4.26-stock/net/ipv4/netfilter/ip_conntrack_core.c
linux-2.4.26-stock/net/ipv4/netfilter/ip_conntrack_standalone.c
linux-2.4.26-stock/net/ipv4/netfilter/ipt_layer7.c
~ Create the regexp directory (mkdir regexp), then add:
linux-2.4.26-stock/net/ipv4/netfilter/regexp/regexp.c
linux-2.4.26-stock/net/ipv4/netfilter/regexp/regexp.h
linux-2.4.26-stock/net/ipv4/netfilter/regexp/regmagic.h
linux-2.4.26-stock/net/ipv4/netfilter/regexp/regsub.c
2. Symlink the kernel source:
[root@linux2005 src]# pwd
/usr/src
[root@linux2005 src]# ln -sf linux-2.4.20-42.9.legacy linux
3. Build the kernel:
[root@linux2005 linux-2.4]# pwd
/usr/src/linux-2.4
[root@linux2005 linux-2.4]# make mrproper <-- removes previously compiled .o files
When building the same kernel version you can reuse the original .config file:
[root@linux2005 linux-2.4]# cp /boot/config-2.4.20-42.9.legacy /usr/src/linux-2.4/.config
[root@linux2005 linux-2.4]# make oldconfig
... the new options appear:
Layer 7 match support (EXPERIMENTAL) (CONFIG_IP_NF_MATCH_LAYER7) [N/m/?] (NEW) m
Layer 7 debugging output (EXPERIMENTAL) (CONFIG_IP_NF_MATCH_LAYER7_DEBUG) [N/y/?] (NEW) y
Buffer size for application layer data (256-65536) (CONFIG_IP_NF_MATCH_LAYER7_MAXDATALEN) [2048] (NEW) 2048
...
*** End of Linux kernel configuration.
*** Check the top-level Makefile for additional configuration.
*** Next, you must run 'make dep'.
Reselect kernel options:
[root@linux2005 linux-2.4]# make menuconfig
[root@linux2005 linux-2.4]# make clean <-- only needed for a new kernel!
or
[root@linux2005 linux-2.4]# make dep <-- run this step for the same kernel. !!Important!! When using make dep, the existing kernel directory under /lib/modules must not be removed or renamed!
---------------------------------------------------------
#make bzImage <-- start compiling the kernel. This step takes a long time; the compressed kernel is placed at /usr/src/linux-2.4.20-20.7/arch/i386/boot/bzImage
#make modules <-- compile the modules
#make modules_install <-- install the modules under /lib/modules/`uname -r`
#make install <-- install the bzImage kernel just built
4. Edit the boot loader configuration:
[root@linux2005 linux]# cd /boot/grub
[root@linux2005 grub]# vi grub.conf
....
default=0
timeout=5
title Red Hat Linux (2.4.20-42.9.legacycustom)
        root (hd0,0)
        kernel /vmlinuz-2.4.20-42.9.legacycustom ro root=LABEL=/
        initrd /initrd-2.4.20-42.9.legacycustom.img
~ iptables patch
[root@linux2005 src]# pwd
/usr/local/src
[root@linux2005 src]# tar -jxvf iptables-1.2.11.tar.bz2
[root@linux2005 src]# cp /temp/netfilter-layer7-v1.0/iptables-layer7-1.0.patch .
[root@linux2005 src]# patch -p1 < iptables-layer7-1.0.patch
patching file extensions/.layer7-test
patching file extensions/libipt_layer7.c
patching file extensions/libipt_layer7.man
[root@linux2005 extensions]# pwd
/usr/local/src/iptables-1.2.11/extensions
[root@linux2005 extensions]# cp /usr/local/src/extensions/* .
[root@linux2005 extensions]# cp /usr/local/src/extensions/.layer7-test .
[root@linux2005 extensions]# chmod 755 .layer7-test
[root@linux2005 src]# cd iptables-1.2.11/
Note: if the kernel has been rebuilt, run these steps first:
[root@linux2005 iptables-1.2.11]# pwd
/usr/local/src/iptables-1.2.11
[root@linux2005 iptables-1.2.11]# make clean
Normal build (no space after KERNEL_DIR=, or make treats the path as a separate target):
[root@linux2005 iptables-1.2.11]# make KERNEL_DIR=/usr/src/linux-2.4
[root@linux2005 iptables-1.2.11]# make install KERNEL_DIR=/usr/src/linux-2.4
After installation, confirm that the file below exists in its directory; if it is missing, iptables reports:
iptables v1.2.11: Couldn't load match `layer7':/usr/local/lib/iptables/libipt_layer7.so
_Usage:
QoS to filter:
iptables -t mangle -A POSTROUTING -m layer7 --l7proto imap -j MARK --set-mark 3
The number "3" is arbitrary. It can be any unsigned 32-bit integer. Then you can use tc:
tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 3 fw flowid 1:3
With the command below, all http protocol traffic is dropped:
[root@linux2005 /]# iptables -t mangle -A POSTROUTING -m layer7 --l7proto http -j DROP
~ Running iptables as a daemon (service)
[root@linux2005 init.d]# chkconfig -h
chkconfig version 1.3.8 - Copyright (C) 1997-2000 Red Hat, Inc.
This may be freely redistributed under the terms of the GNU Public License.
usage:   chkconfig --list [name]
         chkconfig --add <name>
         chkconfig --del <name>
         chkconfig [--level <levels>] <name> <on|off|reset>)
[root@linux2005 init.d]# pwd
/etc/init.d
[root@linux2005 init.d]# chkconfig --add iptables
[root@linux2005 init.d]# chkconfig --level 3 iptables on
[root@linux2005 init.d]# locate iptables | more
/usr/local/sbin/iptables
/usr/local/sbin/iptables-save
/usr/local/sbin/iptables-restore
[root@linux2005 init.d]# cp /usr/local/sbin/iptables /sbin/.
This copy is needed because /etc/init.d/iptables expects the executable to be in /sbin.
~ QOS with HTB
[root@linux2005 temp]# rpm -Uvh iproute-2.4.7-7.90.1.htb.i386.rpm
Preparing...                ########################################### [100%]
   1:iproute                ########################################### [100%]
This mainly updates the tc tool (iproute package) so that it supports the htb module.
[root@linux2005 rc.d]# ./hbt_ebt
How to check the QOS setup:
# tc -s -d qdisc show dev eth1
# tc -s -d class show dev eth1
[root@linux2005 rc.d]# tc -s -d qdisc show dev eth1
qdisc sfq 8004: quantum 1514b limit 128p flows 128/1024 perturb 10sec
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
qdisc sfq 8003: quantum 1514b limit 128p flows 128/1024 perturb 10sec
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
qdisc htb 3: r2q 10 default 3 direct_packets_stat 0 ver 3.10
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
[root@linux2005 rc.d]#
[root@linux2005 rc.d]# tc -s -d class show dev eth1
class htb 3:1 root rate 960Kbit ceil 1Mbit burst 2827b/8 mpu 0b cburst 2909b/8 mpu 0b level 7
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
 lended: 0 borrowed: 0 giants: 0
 tokens: 18853 ctokens: 18187
class htb 3:2 parent 3:1 leaf 8003: prio 0 quantum 8192 rate 640Kbit ceil 1Mbit burst 2418b/8 mpu 0b cburst 2909b/8 mpu 0b level 0
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
 lended: 0 borrowed: 0 giants: 0
 tokens: 24189 ctokens: 18187
class htb 3:3 parent 3:1 leaf 8004: prio 0 quantum 4096 rate 320Kbit ceil 512Kbit burst 2008b/8 mpu 0b cburst 2254b/8 mpu 0b level 0
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
 lended: 0 borrowed: 0 giants: 0
 tokens: 40179 ctokens: 28187
[root@linux2005 rc.d]#
_Case 1: pass l7_filter matches to QOS (capping downloads on the internal NIC eth0). How to run it:
[root@linux2005 rc.d]# iptables -t mangle -A POSTROUTING -m layer7 --l7proto http -j MARK --set-mark 3
[root@linux2005 rc.d]# tc filter add dev eth0 protocol ip parent 3:1 prio 1 handle 3 fw flowid 3:3
Result: once QoS bandwidth management is in place, even .exe files downloaded directly from a web page in IE are rate-limited by the rule you defined; in this example they go into classid 3:3, whose bandwidth is capped at about 20 KB/s.
~ The hbt_ebt script is defined as follows:
#!/bin/sh
DEV_1="eth0"
EXT_IF="97.24.2.250"
# Up: 128 Kbps for DEV_1 (Internet eth2)
# ---------------------------------------------------------------------------
# 128 KByte x 8 = 1024 Kbit
tc qdisc del root dev $DEV_1
tc qdisc add dev $DEV_1 root handle 3:0 htb default 3
tc class add dev $DEV_1 parent 3:0 classid 3:1 htb rate 960kbit ceil 1024kbit
# tc class add dev $DEV_1 parent 3:1 classid 3:2 htb rate 640kbit ceil 1024kbit
tc class add dev $DEV_1 parent 3:1 classid 3:3 htb rate 160kbit ceil 160kbit
_Case 2: stop a single IP, 97.24.2.22, from using MSN
iptables -s 97.24.2.22 -t mangle -A POSTROUTING -m layer7 --l7proto msnmessenger -j DROP
- When the rule matches, the Linux host prints a message like: layer7: regexec positive: msnmessenger!
- The same line can also be found in the /var/log/messages log file.
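Putting cases 1 and 2 together, here is an added example script (not the original post's hbt_ebt script and not part of the l7-filter project) that builds the HTB tree on eth0, adds the http MARK rule and fw filter from case 1, and adds the per-host MSN DROP from case 2. The preview mode, the `run` wrapper and the function names are my own; eth0, mark 3, the 160 kbit class and the host 97.24.2.22 are taken from the post, and the commented-out 3:2 class is left out. It also lists the mangle table explicitly: a bare `iptables -L -n` shows only the filter table, which is why the rule in tip 7 seemed to vanish.

```shell
#!/bin/sh
# Added example, not the original post's hbt_ebt script: the case-1 HTB tree and
# http MARK/fw-filter pair plus the case-2 per-host MSN DROP, with a preview mode.
# Usage:  ./l7qos.sh            # preview: print the commands only
#         ./l7qos.sh apply      # run them (needs root, l7-filter kernel, htb-capable tc)

DEV_IN="eth0"          # internal NIC, where the post shapes the download direction
HTTP_MARK=3            # fw mark for http flows; the value is arbitrary, as the post says
MSN_HOST="97.24.2.22"  # host denied MSN in case 2

# Print the command in preview mode, execute it otherwise.
run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# HTB tree as in hbt_ebt: root 3:0, parent class 3:1, leaf 3:3 capped at 160 kbit
# (about 20 KB/s). The commented-out 3:2 class of the post is omitted here.
setup_htb() {
    run tc qdisc del dev "$DEV_IN" root
    run tc qdisc add dev "$DEV_IN" root handle 3:0 htb default 3
    run tc class add dev "$DEV_IN" parent 3:0 classid 3:1 htb rate 960kbit ceil 1024kbit
    run tc class add dev "$DEV_IN" parent 3:1 classid 3:3 htb rate 160kbit ceil 160kbit
}

# Case 1: tag http flows in mangle/POSTROUTING, then steer that mark into class 3:3.
shape_http() {
    run iptables -t mangle -A POSTROUTING -m layer7 --l7proto http -j MARK --set-mark "$HTTP_MARK"
    run tc filter add dev "$DEV_IN" protocol ip parent 3:1 prio 1 handle "$HTTP_MARK" fw flowid 3:3
}

# Case 2: drop MSN for one source address only. Without -s this rule would match
# every host, which is the mistake described in tip 7.
block_msn_for_host() {
    run iptables -t mangle -A POSTROUTING -s "$MSN_HOST" -m layer7 --l7proto msnmessenger -j DROP
}

# Mangle rules never appear in a bare "iptables -L" (filter table) or "-t nat -L";
# list the mangle table explicitly to confirm the rules and their packet counters.
show_mangle() {
    run iptables -t mangle -L POSTROUTING -n -v
}

apply_all() {
    setup_htb
    shape_http
    block_msn_for_host
    show_mangle
}

if [ "${1:-}" = "apply" ]; then
    DRY_RUN=""
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply mode needs root; run without arguments to preview" >&2
        exit 1
    fi
else
    DRY_RUN=1
fi
apply_all
```

Run it with no arguments first and read the printed rule set; only then run `apply`. Because the l7 match only inspects the first few packets of a connection, the DROP in case 2 relies on conntrack, so the packet counters shown by `show_mangle` are the quickest way to see whether the msnmessenger pattern is actually firing for that host.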
Q&A:
1. After rebooting, check whether the layer7 module has been loaded. If it has, you should see output like this:
[root@linux2005 /]# lsmod
Module                  Size  Used by    Not tainted
cls_fw                  3480   1  (autoclean)
ipt_MARK                1432   1  (autoclean)
ipt_layer7             11260   1  (autoclean)
...
ip_conntrack           27016   2  [ipt_layer7 ipt_MASQUERADE ip_conntrack_ftp ip_nat_ftp iptable_nat]
ip_tables              14648   8  [ipt_MARK ipt_layer7 ipt_MASQUERADE iptable_mangle iptable_filter iptable_nat]
...
2. By default, l7-filter looks at the first 8 packets or 2kB, whichever is smaller. You can alter the number of packets through /proc/net/layer7_numpackets, i.e. "echo "12" > /proc/net/layer7_numpackets". What if, after compiling, there is no layer7_numpackets file under /proc/net, but you need this feature?
_Author's reply: Well, I have no idea why you aren't getting the proc file. Perhaps it is because you are using a Redhat kernel and one of their patches breaks it. If you really need a higher numpackets, you can modify the default value in linux/net/ipv4/netfilter/ipt_layer7.c, recompile, reinstall.
Near the top:
static int num_packets = 8;
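As an added example (not part of the post or of the author's reply), a small post-reboot check script covering Q&A 1 and 2: it parses lsmod output for ipt_layer7 using a constructed sample modelled on the listing above, checks the match library and pattern directory paths the post mentions, and validates a numpackets value before writing it, pointing at the rebuild route from the author's reply when the proc file is absent. The function names and the sample text are my assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: post-reboot checks for the l7-filter
# build described above. The lsmod helpers read their input from stdin so they can
# be exercised against captured text as well as the live "lsmod" output.

L7_LIB="/usr/local/lib/iptables/libipt_layer7.so"   # path from the post's error message
L7_PROTO_DIR="/etc/l7-protocols/protocols"           # pattern directory named in the post
L7_NUMPKT="/proc/net/layer7_numpackets"              # tunable from Q&A 2

# Return 0 if the lsmod text on stdin lists ipt_layer7 in the first column
# (a mention inside another module's "used by" list must not count).
module_loaded() {
    awk '$1 == "ipt_layer7" { found = 1 } END { exit(found ? 0 : 1) }'
}

# Print the "Used by" count of the named module from lsmod text on stdin.
module_refcount() {
    awk -v m="$1" '$1 == m { print $3; exit }'
}

# Check the files the post says must exist; print one line per item, return 1 if any is missing.
check_install() {
    status=0
    for f in "$L7_LIB" "$L7_PROTO_DIR"; do
        if [ -e "$f" ]; then
            printf 'ok      %s\n' "$f"
        else
            printf 'MISSING %s\n' "$f"
            status=1
        fi
    done
    return $status
}

# Validate a numpackets value (the patch defaults to 8) before writing it.
# Returns 1 on a bad value; returns 2 when the proc file is absent, which on this
# Redhat kernel means changing num_packets in ipt_layer7.c and rebuilding instead.
set_numpackets() {
    case "$1" in
        ''|*[!0-9]*) echo "numpackets must be a positive integer" >&2; return 1 ;;
    esac
    [ "$1" -ge 1 ] || { echo "numpackets must be >= 1" >&2; return 1; }
    if [ ! -e "$L7_NUMPKT" ]; then
        echo "$L7_NUMPKT not present: change num_packets in ipt_layer7.c and rebuild" >&2
        return 2
    fi
    echo "$1" > "$L7_NUMPKT"
}

# Constructed sample modelled on the Q&A 1 listing (not captured from a real host).
SAMPLE_LSMOD='Module                  Size  Used by    Not tainted
cls_fw                  3480   1  (autoclean)
ipt_MARK                1432   1  (autoclean)
ipt_layer7             11260   1  (autoclean)
ip_conntrack           27016   2  [ipt_layer7 ipt_MASQUERADE iptable_nat]'

if printf '%s\n' "$SAMPLE_LSMOD" | module_loaded; then
    echo "sample: ipt_layer7 loaded, used by $(printf '%s\n' "$SAMPLE_LSMOD" | module_refcount ipt_layer7)"
fi
```

On the real host, run `lsmod | module_loaded` and `check_install` after each reboot; a non-zero "Used by" count on ipt_layer7 confirms that a rule in the mangle table is actually referencing the match, not just that the module sits in memory.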