Implementing Layer 7 packet filtering
Reference information
Downloading the files
To compile a new kernel by hand and add the layer7 packet-filtering option, you need the following packages:
The versions recompiled in this article are as follows:
For ease of management, all of the above packages are placed under /usr/src/kernels.
root # cd /usr/src/kernels/
Any tool that can download files from the network will do, such as lynx, wget, Mozilla or Firefox; this example uses wget, as follows:
root # wget ftp://ftp.tw.kernel.org/pub/linux/kernel/v2.6/linux-2.6.24.4.tar.bz2
root # wget ftp://ftp.netfilter.org/pub/iptables/iptables-1.4.0.tar.bz2
root # wget http://nchc.dl.sourceforge.net/sourceforge/l7-filter/netfilter-layer7-v2.17.tar.gz
root # wget http://nchc.dl.sourceforge.net/sourceforge/l7-filter/l7-protocols-2008-02-20.tar.gz
Extract the packages.
root # tar -jxvf linux-2.6.24.4.tar.bz2; tar -zxvf l7-protocols-2008-02-20.tar.gz; tar -zxvf netfilter-layer7-v2.17.tar.gz; tar -jxvf iptables-1.4.0.tar.bz2
Updating the kernel
For convenience, create a symbolic link to the linux-2.6.24.4 directory so that switching into it is easier.
Then apply the kernel patch that adds the layer7 filter option.
root # ln -s linux-2.6.24.4 linux; cd linux
If you want to carry over the options of your old kernel, copy its .config file into the new kernel's directory; when you go through the option selection again, the previous settings will be reused.
Apply the layer7 patch to the kernel source.
root # patch -p1 < ../netfilter-layer7-v2.17/kernel-2.6.22-2.6.24-layer7-2.17.patch
patching file net/netfilter/Kconfig
patching file net/netfilter/Makefile
patching file net/netfilter/xt_layer7.c
patching file net/netfilter/regexp/regexp.c
patching file net/netfilter/regexp/regexp.h
patching file net/netfilter/regexp/regmagic.h
patching file net/netfilter/regexp/regsub.c
patching file net/netfilter/nf_conntrack_core.c
patching file net/netfilter/nf_conntrack_standalone.c
patching file include/net/netfilter/nf_conntrack.h
patching file include/linux/netfilter/xt_layer7.h
Selecting the layer 7 related options
The relevant settings must be enabled in the kernel configuration; the complete set of items related to layer 7 is listed below.
root # make menuconfig
General setup --->
  [*] Prompt for development and/or incomplete code/drivers
Networking --->
  Networking options --->
    [*] Network packet filtering framework (Netfilter) --->
      Core Netfilter Configuration --->
        <M> Netfilter connection tracking support
        -*- Connection tracking flow accounting
        -*- Connection mark tracking support
        [*] Connection tracking security mark support
        [*] Connection tracking events (EXPERIMENTAL)
        <M> SCTP protocol connection tracking support (EXPERIMENTAL)
        <M> UDP-Lite protocol connection tracking support (EXPERIMENTAL)
        <M> Amanda backup protocol support
        <M> FTP protocol support
        <M> H.323 protocol support (EXPERIMENTAL)
        <M> IRC protocol support
        <M> NetBIOS name service protocol support (EXPERIMENTAL)
        <M> PPtP protocol support
        <M> SANE protocol support (EXPERIMENTAL)
        <M> SIP protocol support (EXPERIMENTAL)
        <M> TFTP protocol support
        <M> Connection tracking netlink interface (EXPERIMENTAL)
        {M} Netfilter Xtables support (required for ip_tables)
        <M> "CLASSIFY" target support
        <M> "CONNMARK" target support
        <M> "DSCP" target support
        <M> "MARK" target support
        <M> "NFQUEUE" target Support
        <M> "NFLOG" target support
        <M> "NOTRACK" target support
        <M> "TRACE" target support
        <M> "SECMARK" target support
        <M> "CONNSECMARK" target support
        <M> "TCPMSS" target support
        <M> "comment" match support
        <M> "connbytes" per-connection counter match support
        <M> "connlimit" match support
        <M> "connmark" connection mark match support
        <M> "conntrack" connection tracking match support
        <M> "DCCP" protocol match support
        <M> "DSCP" match support
        <M> "ESP" match support
        <M> "helper" match support
        <M> "length" match support
        <M> "limit" match support
        <M> "mac" address match support
        <M> "mark" match support
        <M> IPsec "policy" match support
        <M> Multiple port match support
        <M> "physdev" match support
        <M> "pkttype" packet type match support
        <M> "quota" match support
        <M> "realm" match support
        <M> "sctp" protocol match support (EXPERIMENTAL)
        <M> "state" match support
        <M> "layer7" match support
        [*]   Layer 7 debugging output
        <M> "statistic" match support
        <M> "string" match support
        <M> "tcpmss" match support
        <M> "time" match support
        <M> "u32" match support
        <M> "hashlimit" match support
      IP: Netfilter Configuration --->
        <M> IPv4 connection tracking support (required for NAT)
        [*]   proc/sysctl compatibility with old connection tracking (NEW)
        <M> IP Userspace queueing via NETLINK (OBSOLETE)
        <M> IP tables support (required for filtering/masq/NAT)
        <M>   IP range match support
        <M>   TOS match support
        <M>   recent match support
        <M>   ECN match support
        <M>   AH match support
        <M>   TTL match support
        <M>   Owner match support
        <M>   address type match support
        <M>   Packet filtering
        <M>     REJECT target support
        <M>     LOG target support
        <M>     ULOG target support
        <M>   Full NAT (NEW)
        <M>     MASQUERADE target support
        <M>     REDIRECT target support
        <M>     NETMAP target support
        <M>     SAME target support (OBSOLETE)
        <M>     Basic SNMP-ALG support (EXPERIMENTAL)
        <M>   Packet mangling
        <M>     TOS target support
The most important items are "layer7" match support and IPv4 connection tracking support (required for NAT); if you are not sure, simply select every option under Core Netfilter Configuration and IP: Netfilter Configuration.
Compiling and installing the new kernel
Since kernel 2.6, compiling the kernel has become much simpler: only a few make commands are needed, and the install step updates the GRUB entries automatically, so no manual editing is required and the risk of errors from editing by hand is reduced.
root # make
root # make modules
root # make modules_install
root # make install
sh /usr/src/kernels/linux-2.6.24.4/arch/x86/boot/install.sh 2.6.24.4 arch/x86/boot/bzImage System.map "/boot"
Updating the iptables patch
When updating iptables, make sure it matches the netfilter subsystem of the kernel you are running; if you use a module the kernel does not support, iptables will report errors when you configure rules. The following commands add the layer7 module to iptables.
root # cd /usr/src/kernels/iptables-1.4.0
root # patch -p1 < ../netfilter-layer7-v2.17/iptables-1.4-for-kernel-2.6.20forward-layer7-2.17.patch
patching file extensions/libipt_layer7.c
patching file extensions/libipt_layer7.man
patching file extensions/.layer7-test
Set the KERNEL_DIR and IPTABLES_DIR environment variables, then compile and install.
root # export KERNEL_DIR=/usr/src/kernels/linux; export IPTABLES_DIR=/usr/src/kernels/iptables-1.4.0
root # chmod +x extensions/.layer7-test
root # make && make install
root #
Installing the protocol definition files
The layer7 module consults the definition files under /etc/l7-protocols; the packet signatures for each protocol are shipped in the l7-protocols package, which can be installed directly after extracting it.
root # cd /usr/src/kernels/l7-protocols-2008-02-20
root # make install
mkdir -p /etc/l7-protocols
cp -R * /etc/l7-protocols
Rebooting
After recompiling the kernel, the machine must be rebooted for the new kernel to take effect; use the uname command to confirm that the setup succeeded.
root # uname -a; iptables -V
Linux localhost.localdomain 2.6.24.4 #1 SMP Thu Apr 10 23:21:08 CST 2008 i686 i686 i386 GNU/Linux
iptables v1.4.0
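A post-reboot check added here (it is not from the original article) that verifies the three pieces this build produces: the xt_layer7 kernel module, the layer7 iptables extension library, and a protocol pattern file under /etc/l7-protocols. The function names, the default paths in the comments and the simplified .pat handling are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original article: post-reboot sanity checks
# for a layer7-enabled build. Every path is a parameter so the checks can be
# pointed at any module tree, iptables extension directory and pattern tree.

# Is the xt_layer7 module present in the given module tree
# (e.g. /lib/modules/$(uname -r))?
have_layer7_module() {
    find "$1" -name 'xt_layer7.ko*' 2>/dev/null | grep -q .
}

# Did the patched iptables build install its layer7 extension library
# (e.g. under /usr/local/lib/iptables, the usual iptables-1.4.0 default)?
have_layer7_extension() {
    [ -f "$1/libipt_layer7.so" ] || [ -f "$1/libxt_layer7.so" ]
}

# Does the pattern tree (e.g. /etc/l7-protocols) define the named protocol?
have_l7_pattern() {
    find "$1" -name "$2.pat" 2>/dev/null | grep -q .
}

# Print the regular expression of a .pat file. In the l7-protocols format the
# first non-comment, non-blank line is the protocol name and the second is the
# pattern, so the expression can be reviewed before it is loaded into the kernel.
l7_pattern_regex() {
    grep -v '^#' "$1" | sed '/^[[:space:]]*$/d' | sed -n '2p'
}

# Run all checks; returns non-zero and names the first missing piece.
check_layer7_install() {
    moddir="$1"; libdir="$2"; patdir="$3"; proto="$4"
    have_layer7_module "$moddir"       || { echo "missing: xt_layer7 module in $moddir"; return 1; }
    have_layer7_extension "$libdir"    || { echo "missing: iptables layer7 extension in $libdir"; return 1; }
    have_l7_pattern "$patdir" "$proto" || { echo "missing: $proto.pat under $patdir"; return 1; }
    echo "layer7 support for '$proto' looks complete"
}

# Stand-alone usage against the live system (the paths are the usual defaults):
# check_layer7_install "/lib/modules/$(uname -r)" /usr/local/lib/iptables /etc/l7-protocols bittorrent
```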
Testing
MSN Messenger
The following test drops outgoing MSN Messenger packets. With the rule in the iptables OUTPUT chain, running GAIM under X Window and connecting out shows the msnmessenger packets being DROPped.
Syntax:
iptables -A OUTPUT -m layer7 --l7proto msnmessenger -j DROP
root # iptables -A OUTPUT -m layer7 --l7proto msnmessenger -j DROP
root # iptables -L -n -v
Chain INPUT (policy ACCEPT 3056 packets, 394K bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 1274 packets, 159K bytes)
 pkts bytes target     prot opt in     out     source               destination
   34  2584 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           LAYER7 l7proto msnmessenger
BitTorrent
The second test drops outgoing BitTorrent packets. After the rule rejecting bittorrent packets is in place, every BT download attempted on this machine fails, which can be confirmed with the iptables command.
Syntax:
iptables -A OUTPUT -m layer7 --l7proto bittorrent -j DROP
root # iptables -A OUTPUT -m layer7 --l7proto bittorrent -j DROP
root # iptables -L -n -v
Chain INPUT (policy ACCEPT 33768 packets, 33M bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 25235 packets, 2362K bytes)
 pkts bytes target     prot opt in     out     source               destination
   91  6916 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           LAYER7 l7proto msnmessenger
   78  7920 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           LAYER7 l7proto bittorrent
If you install layer7 on a network gateway, the rules must go in the PREROUTING or FORWARD chain to take effect on the forwarded connections. For iptables usage, see the iptables packet filtering rules page.
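An added example for the gateway case (not part of the original article): it prints FORWARD-chain rules with a rate-limited LOG rule ahead of the DROP, so matches can be audited in the kernel log before anything is blocked, and it parses the packet counters out of iptables -L -n -v output like the listings above. The function names and the 6/min log rate are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: gateway-side helpers for the
# layer7 match. Rules are printed rather than applied so they can be reviewed,
# and the counter parser reads "iptables -L -n -v" output from stdin.

# Print FORWARD-chain rules for each protocol name given. A rate-limited LOG
# rule comes first so matches show up in the kernel log; the DROP rule is only
# emitted in "drop" mode, so "audit" mode measures a protocol without blocking it.
# Usage: l7_forward_rules drop|audit proto...
l7_forward_rules() {
    mode="$1"; shift
    for proto in "$@"; do
        printf 'iptables -A FORWARD -m layer7 --l7proto %s -m limit --limit 6/min -j LOG --log-prefix "L7 %s: "\n' "$proto" "$proto"
        if [ "$mode" = drop ]; then
            printf 'iptables -A FORWARD -m layer7 --l7proto %s -j DROP\n' "$proto"
        fi
    done
}

# Sum the packet counters of every rule matching the given l7proto in
# "iptables -L -n -v" output; prints 0 when no such rule exists. Without -x,
# iptables abbreviates large counters with K/M/G (1000-based), so convert them.
l7_rule_packets() {
    awk -v proto="$1" '
        function num(s,  u) {
            u = substr(s, length(s))
            if (u == "K") return substr(s, 1, length(s) - 1) * 1000
            if (u == "M") return substr(s, 1, length(s) - 1) * 1000000
            if (u == "G") return substr(s, 1, length(s) - 1) * 1000000000
            return s + 0
        }
        /LAYER7 l7proto / && $NF == proto { n += num($1) }
        END { print n + 0 }'
}

# Stand-alone usage on the gateway:
#   l7_forward_rules audit bittorrent | sh        # log only, watch the counters
#   iptables -L FORWARD -n -v | l7_rule_packets bittorrent
```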
Postscript:
If you plan to use layer7 packet filtering on your firewall, it will need more memory and CPU. If more than a hundred users are connected at the same time and access the network heavily, you may need to consider a higher-performance network card and more memory. If the network becomes very slow after you enable layer7, check whether your network card and memory are sufficient.
04/12/2008