(Note: this article is for reference only; if it differs from other versions, use your own judgement.)
Downloading the files. To build a new kernel by hand with the layer7 packet-filtering option, the following packages are needed:
* iptables source: iptables-1.4.2.tar
* l7-filter patch: netfilter-layer7-v2.21.tar.gz (patches the kernel and iptables)
* l7-filter protocols: l7-protocols-2009-05-28.tar.gz (the protocol definition files supported by layer7)
# cd /usr/src
# wget ftp://ftp.tw.kernel.org/pub/linux/kernel/v2.6/linux-2.6.28.1.tar.gz
# wget ftp://ftp.netfilter.org/pub/iptables/iptables-1.4.2.tar
# wget http://nchc.dl.sourceforge.net/sourceforge/l7-filter/netfilter-layer7-v2.21.tar.gz
# wget http://nchc.dl.sourceforge.net/sourceforge/l7-filter/l7-protocols-2009-05-28.tar.gz
Update the kernel and patch it to support the layer7 packet-filtering option.
# cd /usr/src
# tar zxvf linux-2.6.28.1.tar.gz
# tar zxvf netfilter-layer7-v2.21.tar.gz
# tar xvf iptables-1.4.2.tar
# tar zxvf l7-protocols-2009-05-28.tar.gz
# cd /usr/src/netfilter-layer7-v2.21
# cp kernel-2.6.25-2.6.28-layer7-2.21.patch ../linux-2.6.28.1
# cd /usr/src/linux-2.6.28.1
# patch -p1 < kernel-2.6.25-2.6.28-layer7-2.21.patch
patching file net/netfilter/Makefile
patching file net/netfilter/xt_layer7.c
patching file net/netfilter/regexp/regexp.c
patching file net/netfilter/regexp/regexp.h
patching file net/netfilter/regexp/regmagic.h
patching file net/netfilter/regexp/regsub.c
patching file net/netfilter/nf_conntrack_core.c
patching file net/netfilter/nf_conntrack_standalone.c
patching file include/net/netfilter/nf_conntrack.h
patching file include/linux/netfilter/xt_layer7.h
# cd /usr/src/linux-2.6.28.1
# vi Makefile
PATCHLEVEL = 6
SUBLEVEL = 28
EXTRAVERSION = .1 ==> change to EXTRAVERSION = -L7filter
# make menuconfig
  Networking options --->
    [*] Network packet filtering framework (Netfilter) --->
        [*] Network packet filtering debugging
        [*] Advanced netfilter configuration (NEW)
        Core Netfilter Configuration --->
            <*> Netfilter connection tracking support
            <M> "layer7" match support
        IP: Netfilter Configuration --->
Select all of the related options above; it is safer.
# make
# make modules_install
# depmod -a
# mkinitrd /boot/initrd-2.6.28-L7filter.img 2.6.28-L7filter
# cp System.map /boot/System.map-2.6.28-L7filter
# cp /usr/src/linux-2.6.28.1/arch/x86_64/boot/bzImage /boot/vmlinuz-2.6.28-L7filter
Edit GRUB so that the new kernel appears as a boot option.
# vi /etc/grub.conf
timeout=5
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
title CentOS (2.6.28-L7filter)
        root (hd0,0)
        kernel /vmlinuz-2.6.28-L7filter ro root=LABEL=/ rhgb quiet
        initrd /initrd-2.6.28-L7filter.img
title CentOS (2.6.18-92.el5)
        root (hd0,0)
        kernel /vmlinuz-2.6.18-92.el5 ro root=LABEL=/ rhgb quiet
        initrd /initrd-2.6.18-92.el5.img
# sync
# reboot
# uname -a (check the kernel version)
From iptables 1.4.1.1 onward, the layer7 module no longer has to be applied as a patch; simply copy the extension files into the extensions directory.
# cd /usr/src/netfilter-layer7-v2.21/iptables-1.4.1.1-for-kernel-2.6.20forward
# cp libxt_layer7.* ../../iptables-1.4.2/extensions/
# cd /usr/src/iptables-1.4.2
# ./configure
# make
# make install
# cd /usr/src/l7-protocols-2009-05-28
# make install
cp -R * /etc/l7-protocols
Reboot:
# sync
# reboot
# iptables -V (check the iptables version)
# cd /sbin
# mv /sbin/iptables /sbin/iptables.1.3.5
# mv /sbin/iptables-restore /sbin/iptables-restore.1.3.5
# mv /sbin/iptables-save /sbin/iptables-save.1.3.5
# ln -s /usr/local/sbin/iptables iptables
# ln -s /usr/local/sbin/iptables-restore iptables-restore
# ln -s /usr/local/sbin/iptables-save iptables-save
# iptables -m layer7 --help
# iptables -t mangle -I POSTROUTING -m layer7 --l7proto msnmessenger -j DROP
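An added example (not from the original post) that wraps the layer7 rule above in a sanity check: a `-m layer7 --l7proto NAME` rule only makes sense when a NAME.pat pattern file exists under the l7-protocols directory, so the script verifies that first and emits a rate-limited LOG rule ahead of the DROP so matches can be reviewed. It assumes the l7-protocols `make install` layout (pattern files under /etc/l7-protocols, in subdirectories such as protocols/ and extra/).

```shell
#!/bin/sh
# Added example, not from the original post. Checks that a layer7 pattern
# file exists before building the firewall rules for that protocol.
# Assumed layout: /etc/l7-protocols/<subdir>/<proto>.pat (from `make install`).

L7_DIR="${L7_DIR:-/etc/l7-protocols}"

# l7_pattern_exists PROTO [DIR]: succeed if a PROTO.pat file is found anywhere
# under DIR. PROTO must be a plain token, so path fragments are rejected.
l7_pattern_exists() {
  proto=$1; dir=${2:-$L7_DIR}
  case $proto in
    ''|*[!a-z0-9_-]*) return 1 ;;
  esac
  [ -n "$(find "$dir" -type f -name "$proto.pat" 2>/dev/null | head -n 1)" ]
}

# l7_rules PROTO [DIR]: print the two iptables commands for PROTO: a LOG rule
# (rate limited) followed by the DROP from the page. Both are appended (-A)
# so the LOG line is evaluated before the DROP; with -I the order would flip.
# Prints nothing and fails when the pattern file is missing.
l7_rules() {
  proto=$1; dir=${2:-$L7_DIR}
  l7_pattern_exists "$proto" "$dir" || {
    echo "no pattern file for '$proto' under $dir" >&2
    return 1
  }
  printf 'iptables -t mangle -A POSTROUTING -m layer7 --l7proto %s -m limit --limit 5/min -j LOG --log-prefix "L7-%s "\n' "$proto" "$proto"
  printf 'iptables -t mangle -A POSTROUTING -m layer7 --l7proto %s -j DROP\n' "$proto"
}

# l7_apply PROTO [DIR]: run the generated rules (needs root and the xt_layer7
# module loaded). Stops at the first command that fails.
l7_apply() {
  l7_rules "$1" "$2" | while IFS= read -r cmd; do
    eval "$cmd" || exit 1
  done
}
```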