Thursday, January 10, 2008

Using L7-filter to block P2P programs (BT, eMule)

Because the upstream (official) kernel does not include L7-filter, we have to patch the kernel ourselves.

OS : Ubuntu 7.10
Packages : netfilter-layer7-v2.14.tar.gz, l7-protocols-2007-11-03.tar.gz, iptables-1.3.8.tar.bz2, linux-source-2.6.22.tar.bz2

Patches are available for the 2.6 kernel series. The iptables source must be patched as well so that the userspace tool understands the layer7 match.
(1) Get the kernel source code from http://www.kernel.org
(2) Download the L7-filter kernel/iptables patches and the protocol definitions from http://sourceforge.net/projects/l7-filter
(3) Download the iptables source from http://netfilter.org/

Patch and compile the kernel for 2.6.23

[/usr/src]$tar jxvf linux-source-2.6.22.tar.bz2
[/usr/src]$tar zxvf netfilter-layer7-v2.14.tar.gz
[/usr/src]$mv netfilter-layer7-v2.14 netfilter-layer7
[/usr/src]$cd netfilter-layer7
[/usr/src/netfilter-layer7]$cp kernel-2.6.22-layer7-2.14.patch ../linux-source-2.6.22
[/usr/src/netfilter-layer7]$cd ../linux-source-2.6.22
[/usr/src/linux-source-2.6.22]$patch -p1 < kernel-2.6.22-layer7-2.14.patch
[/usr/src/linux-source-2.6.22]$vi Makefile
Change the line EXTRAVERSION = 9 to EXTRAVERSION = -L7filter, so the new kernel is installed as 2.6.22-L7filter (the name used by mkinitramfs below).

Set the kernel config (start from the running Ubuntu kernel's config)
[/usr/src/linux-source-2.6.22]$cp /boot/config-2.6.22-14-generic .config
[/usr/src/linux-source-2.6.22]$make menuconfig

Note: enable the following options, then save the config to the default file (.config):
Code maturity level options --> [*] Prompt for development and/or incomplete code/drivers
Networking --> Networking options -->
    [*] Network packet filtering (replaces ipchains) -->
        IP: Netfilter Configuration -->
            Connection tracking (required for masq/NAT)
            [*] Connection tracking flow accounting
            IP tables support (required for filtering/masq/NAT)
                Layer 7 match support

[/usr/src/linux-source-2.6.22]$make && make modules_install
[/usr/src/linux-source-2.6.22]$make install
[/usr/src/linux-source-2.6.22]$cd /boot
[/boot]$mkinitramfs -d /etc/initramfs-tools/ -o /boot/initrd.img-2.6.22-L7filter 2.6.22-L7filter
(-o names the initramfs output file; never point it at a block device.)
[/boot]$vi /boot/grub/menu.lst
Add an entry for the new kernel (vmlinuz-2.6.22-L7filter) and its initrd so it can be booted.
[/boot]$reboot

Patch and compile iptables
[/usr/src]$tar jxvf iptables-1.3.8.tar.bz2
[/usr/src]$cd iptables-1.3.8
[/usr/src/iptables-1.3.8]$cp ../netfilter-layer7/iptables-for-kernel-2.6.20forward-layer7-2.14.patch .
[/usr/src/iptables-1.3.8]$patch -p1 < iptables-for-kernel-2.6.20forward-layer7-2.14.patch
[/usr/src/iptables-1.3.8]$chmod +x extensions/.layer7-test
[/usr/src/iptables-1.3.8]$make KERNEL_DIR=/usr/src/linux-source-2.6.22
[/usr/src/iptables-1.3.8]$make install KERNEL_DIR=/usr/src/linux-source-2.6.22

Install the Layer 7 protocol definitions (the pattern files the match needs) before using it.
[/usr/src]$tar zxvf l7-protocols-2007-11-03.tar.gz
[/usr/src]$cp -R l7-protocols-2007-11-03 /etc/l7-protocols
[/usr/src]$reboot

Reboot your computer and congratulate yourself on your first touch with L7-filter.
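The post stops at building the match and never shows the rules that actually block the P2P traffic. The script below is an added example, not part of the original post: it assumes the patched kernel and iptables built above, that the pattern files live under /etc/l7-protocols (override with the L7DIR variable), and that the protocol names bittorrent and edonkey correspond to the bittorrent.pat and edonkey.pat files shipped in l7-protocols-2007-11-03. It prints the rules instead of applying them so they can be reviewed first.

```shell
#!/bin/sh
# Added example, not from the original post.
# Assumptions: kernel + iptables carry the layer7 match; pattern files are under
# $L7DIR (default /etc/l7-protocols); protocol names match the .pat file names.
L7DIR="${L7DIR:-/etc/l7-protocols}"

# Quick sanity check that the userspace match extension is installed
# (assumes the patched iptables is first in PATH).
l7_match_available() {
    iptables -m layer7 --help >/dev/null 2>&1
}

# Check that a pattern file for the protocol exists under L7DIR
# (searched recursively, since the tarball keeps them in protocols/).
l7_have_pattern() {
    find "$L7DIR" -name "$1.pat" 2>/dev/null | grep -q .
}

# Build one FORWARD-chain rule that matches a layer7 protocol and applies
# the given target (DROP by default). Printed, not executed, for review.
l7_rule() {
    proto="$1"
    action="${2:-DROP}"
    printf 'iptables -A FORWARD -m layer7 --l7proto %s -j %s\n' "$proto" "$action"
}

# Emit rules for every protocol given; returns 1 if any pattern file is missing,
# so a typo in a protocol name is caught before the rules are loaded.
block_p2p() {
    rc=0
    for p in "$@"; do
        if l7_have_pattern "$p"; then
            l7_rule "$p"
        else
            echo "# no pattern file for $p under $L7DIR" >&2
            rc=1
        fi
    done
    return $rc
}

# Usage: sh block-p2p.sh bittorrent edonkey      (review the output, then pipe it to sh as root)
[ $# -gt 0 ] && block_p2p "$@"
```

Two practical caveats: the layer7 match classifies a connection from the first few payload packets, so it relies on the connection-tracking options enabled in menuconfig above and only acts on traffic the box actually forwards; and clients that encrypt or obfuscate their protocol will not be caught by a pattern-based match, so treat this as a policy control rather than a guarantee.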
