|
|
编译64位deiban内核,安装Layer 7过滤软件
作者:Xliu
Msn:6160@9.cn
首先从debian的官方网站下载ISO镜像,下载地址:http://www.debian.org/distrib/。官方网站上有各种不同CPU架构的安装镜像下载,其中标识i386就是我们常用的32位系统镜像,IA64是专用于安腾64位处理器,本文所要使用的是64位系统,就选择标识为amd64的镜像。需要注意的是,amd64架构不是单指AMD的64位处理器,也包括支持INTEL EMT64技术的处理器(如现在流行的酷睿系列处理器)。镜像也分为DVD和CD两种,建议有条件的话,还是下载DVD的,毕竟包含的软件多。一般来说只需下载第一张镜像光盘就可以了,这次实验下载的镜像卷标为debian-501-amd64-DVD-1.iso
接下来刻盘安装,安装过程就不说了,网上教程很多,系统安装完成后,配置好IP,配置好SSH服务。
然后打开putty(一个用来登录远程服务器的工具),通过SSH登录debian服务器,输入root帐号、密码,登录成功。如下图。(图片1)
接下来要更改apt源、准备内核和过滤工具的源代码。
cd /etc/apt
cp sources.list sources.list.bak
在sources.list中修改apt源列表,
nano sources.list
可以用删除键把里面所用的字符完全删除,接着输入apt的源,在中国大陆目前还是163的源最快最稳定,强烈建议使用。163是门户网站中第一个为开源软件提供镜像的公司。在这里顺便感谢下163。感谢为开源事业所做出的贡献。
deb http://mirrors.163.com/debian lenny main non-free contrib
deb-src http://mirrors.163.com/debian lenny main non-free contrib
(图片2)
完成后,按ctrl+o敲下回车保存,再按ctrl+x退出。
输入apt-get update更新源列表
(图片3)
更新完成,安装编译所需的工具:
apt-get install zip
apt-get install bzip2
apt-get install make
apt-get install debhelper
apt-get install kernel-package
apt-get install libncurses5-dev
apt-get install fakeroot
接下来该下载内核和过滤工具的源代码,为了方便管理,新建目录
mkdir /usr/src/kernels
内核和过滤工具的源代码就放在kernels目录。进入kernels目录
cd /usr/src/kernels
(图片4)
用wget命令下载内核和过滤工具的源代码
wget http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.28.10.tar.bz2
wget ftp://ftp.netfilter.org/pub/iptables/iptables-1.4.2.tar.bz2
wget http://nchc.dl.sourceforge.net/sourceforge/l7-filter/netfilter-layer7-v2.21.tar.gz
wget http://nchc.dl.sourceforge.net/sourceforge/l7-filter/l7-protocols-2009-05-10.tar.gz
用ls命令查看下,应该可以看到下载完的软件包
(图片5)
解压以上文件:
tar -jxvf linux-2.6.28.10.tar.bz2; tar -zxvf l7-protocols-2009-05-10.tar.gz; tar -zxvf netfilter-layer7-v2.21.tar.gz; tar -jxvf iptables-1.4.2.tar.bz2
为了方便,做一个符号链接,并进入新内核源代码目录:
ln -s linux-2.6.28.10 linux
cd linux
为内核源代码打下layer7的补丁
patch -p1 < ../netfilter-layer7-v2.21/kernel-2.6.25-2.6.28-layer7-2.21.patch
(图片6)
接下来进入关键的步骤,为内核选择layer7及相关的模块;
make menuconfig
让新内核读取旧内核的配置:
在出现的菜单选项中选中“Load an Alternate Configuration File”,输入旧内核配置文件的路径/boot/config-2.6.26-2-amd64,然后确认,开始选择内核模块
选项如下:
General setup --->
Prompt for development and/or incomplete code/drivers
Networking --->
Networking options --->
Network packet filtering framework (Netfilter) --->
Core Netfilter Configuration --->
<M> Netfilter connection tracking support
-*- Connection tracking flow accounting
-*- Connection mark tracking support
Connection tracking security mark support
Connection tracking events (EXPERIMENTAL)
<M> SCTP protocol connection tracking support (EXPERIMENTAL)
<M> UDP-Lite protocol connection tracking support (EXPERIMENTAL)
<M> Amanda backup protocol support
<M> FTP protocol support
<M> H.323 protocol support (EXPERIMENTAL)
<M> IRC protocol support
<M> NetBIOS name service protocol support (EXPERIMENTAL)
<M> PPtP protocol support
<M> SANE protocol support (EXPERIMENTAL)
<M> SIP protocol support (EXPERIMENTAL)
<M> TFTP protocol support
<M> Connection tracking netlink interface (EXPERIMENTAL)
{M} Netfilter Xtables support (required for ip_tables)
<M> "CLASSIFY" target support
<M> "CONNMARK" target support
<M> "DSCP" target support
<M> "MARK" target support
<M> "NFQUEUE" target Support
<M> "NFLOG" target support
<M> "NOTRACK" target support
<M> "TRACE" target support
<M> "TRACE" target support
<M> "SECMARK" target support
<M> "CONNSECMARK" target support
<M> "TCPMSS" target support
<M> "comment" match support
<M> "connbytes" per-connection counter match support
<M> "connlimit" match support"
<M> "connmark" connection mark match support
<M> "conntrack" connection tracking match support
<M> "DCCP" protocol match support
<M> "DCCP" protocol match support
<M> "DSCP" match support
<M> "ESP" match support
<M> "helper" match support
<M> "length" match support
<M> "limit" match support
<M> "mac" address match support
<M> "mark" match support
<M> IPsec "policy" match support
<M> Multiple port match support
<M> "physdev" match support
<M> "pkttype" packet type match support
<M> "quota" match support
<M> "realm" match support
<M> "sctp" protocol match support (EXPERIMENTAL)
<M> "state" match support
<M> "layer7" match support
Layer 7 debugging output
<M> "statistic" match support
<M> "string" match support
<M> "tcpmss" match support
<M> "time" match support
<M> "u32" match support
<M> "hashlimit" match support
IP: Netfilter Configuration --->
<M> IPv4 connection tracking support (required for NAT)
proc/sysctl compatibility with old connection tracking (NEW
<M> IP Userspace queueing via NETLINK (OBSOLETE)
<M> IP tables support (required for filtering/masq/NAT)
<M> IP range match support
<M> TOS match support
<M> recent match support
<M> ECN match support
<M> AH match support
<M> TTL match support
<M> Owner match support
<M> address type match support
<M> Packet filtering
<M> REJECT target support
<M> LOG target support
<M> ULOG target support
<M> Full NAT (NEW)
<M> MASQUERADE target support
<M> REDIRECT target support
<M> NETMAP target support
<M> SAME target support (OBSOLETE)
<M> Basic SNMP-ALG support (EXPERIMENTAL)
<M> Packet mangling
<M> TOS target support
建议把Core Netfilter Configuration和IP: Netfilter Configuration的所有选项都选中。注意,刚开始时,我一直找不到:<M> "layer7" match support 和 Layer 7 debugging output 这两个模块,浪费了很多时间,后来发现是因为这两个模块是属于:<> Netfilter connection tracking support 这个模块,因此得先选择<M> Netfilter connection tracking support 这样下面才有Layer7及相关模块,在内核选项建议把你所有的网卡驱动选中,其中time模块就是可以通过iptables可以控制上网的时间等功能,就是时间控制的模块!
一步一步的"EXIT"后,会提示你是否保存刚才的选择更改结果,我们选“YES”!
清除源码树并复原 kernel-package 参数
#make-kpkg clean
然后进行编译并生成.deb的包,以供安装时使用:
fakeroot make-kpkg --append_to_version -adm64 --initrd --revision=2.6.28.10 kernel_image modules_image
下面系统就可以编译内核了,这是一个漫长的过程,在我机器上用了一个小时才编译完成。
(图片7)
退回kernels目录:
cd ..
安装新的内核:
dpkg -i linux-image-2.6.28.10-adm64_2.6.28.10_amd64.deb
(图片8)
这时,会将新内核安装到相应的位置,同时会在/boot/grub/menu.lst增加新内核的条目
为iptables打补丁,并安装之
cd iptables-1.4.2
cp ../netfilter-layer7-v2.21/iptables-1.4.1.1-for-kernel-2.6.20forward/libxt_layer7.* extensions/
./configure --with-ksource=/usr/src/kernels/linux
make
make install
安装通讯定义档
cd /usr/src/kernels/l7-protocols-2009-05-10
make install
(图片9)
看执行的结果就知道,它在做什么了!
这样新的内核都弄好了,iptables也装好了,重启计算机:
shutdown -r now
启动完成后,用命令查看新内核与iptalbes是否安装成功:
uname -a;iptables -V
(图片10)
再测试layer7是否可用:
iptables -m layer7 --help
(图片11)
如果出现上面的信息就说明layer已经可以正常工具了。到这一步就算大功告成了。
附:阻挡qq.bt.msn通讯的命令
iptables -t mangle -I PREROUTING -m layer7 --l7proto msnmessenger -j DROP (禁止msn)
iptables -t mangle -I PREROUTING -m layer7 --l7proto bittorrent -j DROP (禁止bt)
iptables -t mangle -I PREROUTING -m layer7 --l7proto qq -j DROP (禁止QQ通讯)
在写作本文的过程中,参考了以下两篇文章,在这里向两位作者表示感谢。
http://blog.csdn.net/zubin006/archive/2008/08/03/2760600.aspx
http://ms.ntcb.edu.tw/~steven/article/kernel-layer7-filter.htm |
本帖子中包含更多资源
您需要 登录 才可以下载或查看,没有帐号?注册
x
|
IP卡
狗仔卡
发表于 2009-5-25 17:27:55
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
显身卡
楼主