1.
在Debian etch上
为内核添加netfilter-layer7-v2 ,ipp2p-0.8.2模块:
说明:
1>
当前系统内核为:2.6.18-6-486,32位系统
2>
本次安装选择内核为:2.6.24,iptables为:1.4.0
1.1
软件下载:cd /usr/src/L7/
wget http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.24.tar.gz
wget http://ftp.netfilter.org/pub/iptables/iptables-1.4.0.tar.bz2
wget http://www.sfr-fresh.com/unix/privat/netfilter-layer7-v2.19.tar.gz
wget http://www.sfr-fresh.com/unix/privat/l7-protocols-2008-04-23.tar.gz
wget http://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot/patch-o-matic-ng-20080717.tar.bz2
wget http://ipp2p.org/downloads/ipp2p-0.8.2.tar.gz
wget http://sources.gentoo.org/viewcvs.py/*checkout*/gentoo-x86/net-firewall/ipp2p/files/ipp2p-0.8.2-kernel-2.6.22.patch
wget http://sources.gentoo.org/viewcvs.py/*checkout*/gentoo-x86/net-firewall/ipp2p/files/ipp2p-0.8.2-iptables-1.4.0.patch
1.2
安装编译环境和依赖包:apt-get install debhelper kernel-package fakeroot libncurses5-dev build-essential
apt-get install linux-headers-`uname -r`
1.3
编译内核:1.3.1
解压我们要安装的包:cd /usr/src/L7/
tar xzvf *.gz
tar xjvf *.bz2
ln -s /usr/src/L7/linux-2.6.24 /usr/src/linux
ln -s /usr/src/L7/iptables-1.4.0 /usr/src/iptables
1.3.2
添加内核补丁1>打external patch补丁
cd /usr/src/L7/patch-o-matic-ng-20080717
export KERNEL_DIR=/usr/src/linux IPTABLES_DIR=/usr/src/iptables
下载geoip、connlimit、ipp2p等external patch:
./runme –download
往内核和iptables打我们需要的external patch补丁
./runme connlimit
./runme geoip
./runme ipp2p
./runme time
./runme u32
以上都选y后回车即可
2>给kernel和iptables打l7补丁:
cd /usr/src/linux
patch -p1 < /usr/src/L7/netfilter-layer7-v2.19/for_older_kernels/kernel-2.6.22-2.6.24-layer7-2.18.patch
cd /usr/src/iptables
patch -p1 < /usr/src/L7/netfilter-layer7-v2.19/iptables-1.4-for-kernel-2.6.20forward-layer7-2.19.patch
3>选择要编译的内核模块参数:
cd /usr/src/linux
#make mrproper
以系统原有的内核配置为蓝本,只需添加新的模块就可以
cp /boot/config-2.6.18-6-486 /usr/src/linux/.config
#make menuconfig:
<1>
Networking –> Networking options –> Network packet filtering framework (Netfilter) –> Core netfilter configuration
<M>
"layer7" match support
x x
Layer 7 debugging output
<2>
Networking –> Networking options –> Network packet filtering framework (Netfilter) –> Core netfilter configuration
{M} Netfilter Xtables support (required for ip_tables)
<M>
"time" match support
<M>
"u32" match support
<M>
"geoip" match support
<M>
Connections/IP limit match support
<3>
Networking –> Networking options –> Network packet filtering framework -> IP: Netfilter Configuration :
<M> IPv4 connection tracking support (required for NAT)
<4>
Networking –> Networking options –> Network packet filtering framework -> IP: Netfilter Configuration :
<M> IP tables support (required for filtering/masq/NAT)
<M> IPP2P match support
<M>
Full NAT
注意:该处的time,u32,geoip,connlimit不要选了,它们已归属Netfilter Xtables support
了,如果在 IP tables support下选择了它们编译时就会报错,我在这儿吃了大亏.另外如果你没有以你原来系统的内核配置文件为基础,则要仔细选择你需要的其它内核模块,应为2.6.24好多模块默认是不编译的,比如 Full NAT,以及Serial ATA (prod) and Parallel ATA驱动默认都不编译,如果你的硬盘是sata硬盘,则编译安装内核后,重新启动后就找不到root 文件系统了.
保存内核配置文件后就开始编译吧:
#make-kpkg clean
#make-kpkg --revision layer7 --append-to-version .20080822 --initrd binary-arch
编译完成后在/usr/src/L7/目录下生成:
linux-image-2.6.24.20080822_layer7_i386.deb
linux-headers-2.6.24.20080822_layer7_i386.deb
安装新生成的内核包:
dpkg –i linux-image-2.6.24.20080822_layer7_i386.de
安装新生成的内核头文件:
dpkg –i linux-headers-2.6.24.20080822_layer7_i386.deb
重起机器后,在新的系统环境下编译安装iptables
4>补充一些其他编译内核的方法:
<1>只编译内核的部分模块,对于测试我们选择的内核参数是否正确很有帮助:
make mrproper
make menuconfig
make modules_prepare
只编译net/ipv4/netfiler的文件
make M=net/ipv4/netfilter
<2>已原有的内核参数配置文件为基础,添加新的内核参数:
#make mrproper
#cp /boot/config-2.6.18-6-486 /usr/src/linux/.config
# make oldconfig
Make oldconfig会自动对比之前的kernel config,根据之前版本的配置生成一个kernel config,这样方便我们在编译新核心的时候,无须在从头修改所有的核心设置,就是不用执行make menuconfig了
生成debian的deb安装包的方法如下:
#make-kpkg clean
#make-kpkg --revision layer7 --append-to-version .20080822 --initrd binary-arch
如果我们不生成debian安装包,直接编译安装如下:
make mrproper
make menuconfig
make bzImage
make modules
make modules_install
make install
好了内核编译就说这么多吧!
1.4
编译iptables:重起机器后,在新的系统环境下编译安装iptables:
cd /usr/src/iptables
chmod 775 /usr/src/iptables/extensions/.layer7-test
make KERNEL_DIR=/usr/src/linux BINDIR=/sbin LIBDIR=/lib MANDIR=/usr/man
发现编译进入了死循环,原来它发现需要的系统命令的md5的检验和不对了。原因在于我们给iptable打补丁时用的是内核为:2.6.18下的系统命令,而现在是2.6.24的了,所以我把打了补丁的iptabls删除,然后解压iptables-1.4.0.tar.bz2得到原始的源码,然后重复一下步骤:
1>
ln -s /usr/src/L7/iptables-1.4.0 /usr/src/iptables
cd /usr/src/L7/patch-o-matic-ng-20080717
export KERNEL_DIR=/usr/src/linux IPTABLES_DIR=/usr/src/iptables
./runme connlimit
./runme geoip
./runme ipp2p
./runme time
./runme u32
cd /usr/src/iptables
patch -p1 < /usr/src/L7/netfilter-layer7-v2.19/iptables-1.4-for-kernel-2.6.20forward-layer7-
现在再编译:
make KERNEL_DIR=/usr/src/linux BINDIR=/sbin LIBDIR=/lib MANDIR=/usr/man
编译成功!
安装:
make install KERNEL_DIR=/usr/src/linux BINDIR=/sbin LIBDIR=/lib
1.5
升级ipp2p到ipp2p-0.8.2:cd /usr/src/L7
cp -a ipp2p-0.8.2 ipp2p-0.8.2.orig
cd ipp2p-0.8.2
patch -p1 <../ipp2p-0.8.2-kernel-2.6.22.patch
patch -p1 <../ipp2p-0.8.2-iptables-1.4.0.patch
#make
cp libipt_ipp2p.so
/lib/iptables/
cp ipt_ipp2p.ko /lib/modules/2.6.24.20080822/kernel/net/netfilter/
1.6
安装L7-protocols:
cd l7-protocols-2008-04-23
#make install
depmod可检测模块的相依性,供modprobe在安装模块时使用:
depmod –a
1.7
测试:
iptables -A FORWARD -m ipp2p --ipp2p -j DROP
iptables -A INPUT -i $EXTIF -p tcp --syn -m connlimit --connlimit-above 15 -j DROP
iptables -t mangle -I POSTROUTING -m layer7 --l7proto msnmessenger -j DROP
iptables -A FORWARD -m layer7 --l7proto qq -m time --timestart 8:00 --timestop 12:00 -j DROP
iptables -A FORWARD -m layer7 --l7proto msnmessenger -j ACCEPT
iptables -A FORWARD -m layer7 --l7proto msn-filetransfer -j ACCEPT
iptables -A FORWARD -m layer7 --l7proto worldofwarcraft -j ACCEPT
iptables -A FORWARD -m layer7 --l7proto ftp -j ACCEPT
以上测试都通过,但time的—days参数使用不了,报如下错误:
Unknown arg `--days'
如执行:
iptables -A FORWARD -m layer7 --l7proto qq -m time --timestart 13:30 --timestop 21:00 --days Sun,Mon,Tue,Wed,Thu,Fri,Sat -j DROP
就会报上面的错误,但只要去掉--days Sun,Mon,Tue,Wed,Thu,Fri,Sat就没有问题。
在Debian etch上
为内核添加netfilter-layer7-v2 ,ipp2p-0.8.2模块:
说明:
1>
当前系统内核为:2.6.18-6-486,32位系统
2>
本次安装选择内核为:2.6.24,iptables为:1.4.0
1.1
软件下载:cd /usr/src/L7/
wget http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.24.tar.gz
wget http://ftp.netfilter.org/pub/iptables/iptables-1.4.0.tar.bz2
wget http://www.sfr-fresh.com/unix/privat/netfilter-layer7-v2.19.tar.gz
wget http://www.sfr-fresh.com/unix/privat/l7-protocols-2008-04-23.tar.gz
wget http://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot/patch-o-matic-ng-20080717.tar.bz2
wget http://ipp2p.org/downloads/ipp2p-0.8.2.tar.gz
wget http://sources.gentoo.org/viewcvs.py/*checkout*/gentoo-x86/net-firewall/ipp2p/files/ipp2p-0.8.2-kernel-2.6.22.patch
wget http://sources.gentoo.org/viewcvs.py/*checkout*/gentoo-x86/net-firewall/ipp2p/files/ipp2p-0.8.2-iptables-1.4.0.patch
1.2
安装编译环境和依赖包:apt-get install debhelper kernel-package fakeroot libncurses5-dev build-essential
apt-get install linux-headers-`uname -r`
1.3
编译内核:1.3.1
解压我们要安装的包:cd /usr/src/L7/
tar xzvf *.gz
tar xjvf *.bz2
ln -s /usr/src/L7/linux-2.6.24 /usr/src/linux
ln -s /usr/src/L7/iptables-1.4.0 /usr/src/iptables
1.3.2
添加内核补丁1>打external patch补丁
cd /usr/src/L7/patch-o-matic-ng-20080717
export KERNEL_DIR=/usr/src/linux IPTABLES_DIR=/usr/src/iptables
下载geoip、connlimit、ipp2p等external patch:
./runme –download
往内核和iptables打我们需要的external patch补丁
./runme connlimit
./runme geoip
./runme ipp2p
./runme time
./runme u32
以上都选y后回车即可
2>给kernel和iptables打l7补丁:
cd /usr/src/linux
patch -p1 < /usr/src/L7/netfilter-layer7-v2.19/for_older_kernels/kernel-2.6.22-2.6.24-layer7-2.18.patch
cd /usr/src/iptables
patch -p1 < /usr/src/L7/netfilter-layer7-v2.19/iptables-1.4-for-kernel-2.6.20forward-layer7-2.19.patch
3>选择要编译的内核模块参数:
cd /usr/src/linux
#make mrproper
以系统原有的内核配置为蓝本,只需添加新的模块就可以
cp /boot/config-2.6.18-6-486 /usr/src/linux/.config
#make menuconfig:
<1>
Networking –> Networking options –> Network packet filtering framework (Netfilter) –> Core netfilter configuration
<M>
"layer7" match support
x x
Layer 7 debugging output
<2>
Networking –> Networking options –> Network packet filtering framework (Netfilter) –> Core netfilter configuration
{M} Netfilter Xtables support (required for ip_tables)
<M>
"time" match support
<M>
"u32" match support
<M>
"geoip" match support
<M>
Connections/IP limit match support
<3>
Networking –> Networking options –> Network packet filtering framework -> IP: Netfilter Configuration :
<M> IPv4 connection tracking support (required for NAT)
<4>
Networking –> Networking options –> Network packet filtering framework -> IP: Netfilter Configuration :
<M> IP tables support (required for filtering/masq/NAT)
<M> IPP2P match support
<M>
Full NAT
注意:该处的time,u32,geoip,connlimit不要选了,它们已归属Netfilter Xtables support
了,如果在 IP tables support下选择了它们编译时就会报错,我在这儿吃了大亏.另外如果你没有以你原来系统的内核配置文件为基础,则要仔细选择你需要的其它内核模块,应为2.6.24好多模块默认是不编译的,比如 Full NAT,以及Serial ATA (prod) and Parallel ATA驱动默认都不编译,如果你的硬盘是sata硬盘,则编译安装内核后,重新启动后就找不到root 文件系统了.
保存内核配置文件后就开始编译吧:
#make-kpkg clean
#make-kpkg --revision layer7 --append-to-version .20080822 --initrd binary-arch
编译完成后在/usr/src/L7/目录下生成:
linux-image-2.6.24.20080822_layer7_i386.deb
linux-headers-2.6.24.20080822_layer7_i386.deb
安装新生成的内核包:
dpkg –i linux-image-2.6.24.20080822_layer7_i386.de
安装新生成的内核头文件:
dpkg –i linux-headers-2.6.24.20080822_layer7_i386.deb
重起机器后,在新的系统环境下编译安装iptables
4>补充一些其他编译内核的方法:
<1>只编译内核的部分模块,对于测试我们选择的内核参数是否正确很有帮助:
make mrproper
make menuconfig
make modules_prepare
只编译net/ipv4/netfiler的文件
make M=net/ipv4/netfilter
<2>已原有的内核参数配置文件为基础,添加新的内核参数:
#make mrproper
#cp /boot/config-2.6.18-6-486 /usr/src/linux/.config
# make oldconfig
Make oldconfig会自动对比之前的kernel config,根据之前版本的配置生成一个kernel config,这样方便我们在编译新核心的时候,无须在从头修改所有的核心设置,就是不用执行make menuconfig了
生成debian的deb安装包的方法如下:
#make-kpkg clean
#make-kpkg --revision layer7 --append-to-version .20080822 --initrd binary-arch
如果我们不生成debian安装包,直接编译安装如下:
make mrproper
make menuconfig
make bzImage
make modules
make modules_install
make install
好了内核编译就说这么多吧!
1.4
编译iptables:重起机器后,在新的系统环境下编译安装iptables:
cd /usr/src/iptables
chmod 775 /usr/src/iptables/extensions/.layer7-test
make KERNEL_DIR=/usr/src/linux BINDIR=/sbin LIBDIR=/lib MANDIR=/usr/man
发现编译进入了死循环,原来它发现需要的系统命令的md5的检验和不对了。原因在于我们给iptable打补丁时用的是内核为:2.6.18下的系统命令,而现在是2.6.24的了,所以我把打了补丁的iptabls删除,然后解压iptables-1.4.0.tar.bz2得到原始的源码,然后重复一下步骤:
1>
ln -s /usr/src/L7/iptables-1.4.0 /usr/src/iptables
cd /usr/src/L7/patch-o-matic-ng-20080717
export KERNEL_DIR=/usr/src/linux IPTABLES_DIR=/usr/src/iptables
./runme connlimit
./runme geoip
./runme ipp2p
./runme time
./runme u32
cd /usr/src/iptables
patch -p1 < /usr/src/L7/netfilter-layer7-v2.19/iptables-1.4-for-kernel-2.6.20forward-layer7-
现在再编译:
make KERNEL_DIR=/usr/src/linux BINDIR=/sbin LIBDIR=/lib MANDIR=/usr/man
编译成功!
安装:
make install KERNEL_DIR=/usr/src/linux BINDIR=/sbin LIBDIR=/lib
1.5
升级ipp2p到ipp2p-0.8.2:cd /usr/src/L7
cp -a ipp2p-0.8.2 ipp2p-0.8.2.orig
cd ipp2p-0.8.2
patch -p1 <../ipp2p-0.8.2-kernel-2.6.22.patch
patch -p1 <../ipp2p-0.8.2-iptables-1.4.0.patch
#make
cp libipt_ipp2p.so
/lib/iptables/
cp ipt_ipp2p.ko /lib/modules/2.6.24.20080822/kernel/net/netfilter/
1.6
安装L7-protocols:
cd l7-protocols-2008-04-23
#make install
depmod可检测模块的相依性,供modprobe在安装模块时使用:
depmod –a
1.7
测试:
iptables -A FORWARD -m ipp2p --ipp2p -j DROP
iptables -A INPUT -i $EXTIF -p tcp --syn -m connlimit --connlimit-above 15 -j DROP
iptables -t mangle -I POSTROUTING -m layer7 --l7proto msnmessenger -j DROP
iptables -A FORWARD -m layer7 --l7proto qq -m time --timestart 8:00 --timestop 12:00 -j DROP
iptables -A FORWARD -m layer7 --l7proto msnmessenger -j ACCEPT
iptables -A FORWARD -m layer7 --l7proto msn-filetransfer -j ACCEPT
iptables -A FORWARD -m layer7 --l7proto worldofwarcraft -j ACCEPT
iptables -A FORWARD -m layer7 --l7proto ftp -j ACCEPT
以上测试都通过,但time的—days参数使用不了,报如下错误:
Unknown arg `--days'
如执行:
iptables -A FORWARD -m layer7 --l7proto qq -m time --timestart 13:30 --timestop 21:00 --days Sun,Mon,Tue,Wed,Thu,Fri,Sat -j DROP
就会报上面的错误,但只要去掉--days Sun,Mon,Tue,Wed,Thu,Fri,Sat就没有问题。