xiaochuan posted on 2018-12-28 09:01:16

Using Linux + Squid with Layer7 to restrict Xunlei (Thunder) downloads, QQ and MSN

Xunlei (Thunder) submits HTTP requests with headers like the following to web servers:

  POST / HTTP/1.1
  Host: 58.61.39.206:80
  Content-type: application/octet-stream
  Content-Length: 140
  Connection: Keep-Alive

The Squid configuration is as follows:

  acl IP dstdom_regex $
  acl ROOT urlpath_regex ^/$
  acl POST method POST
  acl Octet_Stream req_mime_type application/octet-stream
  http_access deny IP ROOT POST Octet_Stream
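To see what the four-ACL deny line actually catches, here is an added Python example (not from the original post, and not Squid code) that evaluates each ACL against raw request heads and applies the same AND semantics Squid uses for ACLs listed on one http_access line. Because the dstdom_regex in the post is truncated to "$", the example assumes a regex for a bare dotted-quad destination host, and it compares req_mime_type as an exact media type rather than Squid's regex match; both are assumptions. The request heads are constructed, the first being the Xunlei one quoted above.

```python
import re

# Assumption: the post's "acl IP dstdom_regex $" is truncated; a bare
# dotted-quad destination host is what the rest of the rule implies.
DSTDOM_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
# acl ROOT urlpath_regex ^/$
ROOT_RE = re.compile(r"^/$")
# acl Octet_Stream req_mime_type application/octet-stream (exact media type
# here; Squid itself treats the argument as a regex)
OCTET_MIME = "application/octet-stream"


def parse_request_head(raw: str):
    """Split a raw HTTP/1.x request head into (method, path, headers)."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()
    return method, path, headers


def acl_hits(raw: str) -> dict:
    """Evaluate the four ACLs from the post against one request head."""
    method, path, headers = parse_request_head(raw)
    # dstdom_regex sees the destination host without its port
    host = headers.get("host", "").rsplit(":", 1)[0]
    mime = headers.get("content-type", "").split(";", 1)[0].strip().lower()
    return {
        "IP": bool(DSTDOM_RE.match(host)),
        "ROOT": bool(ROOT_RE.match(path)),
        "POST": method == "POST",
        "Octet_Stream": mime == OCTET_MIME,
    }


def squid_denies(raw: str) -> bool:
    """'http_access deny IP ROOT POST Octet_Stream': every ACL on the line must match."""
    return all(acl_hits(raw).values())


# Constructed request heads. XUNLEI_REQUEST is the one quoted in the post.
XUNLEI_REQUEST = (
    "POST / HTTP/1.1\r\n"
    "Host: 58.61.39.206:80\r\n"
    "Content-type: application/octet-stream\r\n"
    "Content-Length: 140\r\n"
    "Connection: Keep-Alive\r\n\r\n"
)
# Same method and body type, but to a named host and a real path: must pass.
NAMED_HOST_UPLOAD = (
    "POST /upload HTTP/1.1\r\n"
    "Host: files.example.com\r\n"
    "Content-Type: application/octet-stream\r\n"
    "Content-Length: 140\r\n\r\n"
)
# Plain page fetch from a numeric host: only IP and ROOT hit, so it passes.
IP_ROOT_GET = "GET / HTTP/1.1\r\nHost: 58.61.39.206\r\n\r\n"


if __name__ == "__main__":
    for name, req in [("xunlei", XUNLEI_REQUEST),
                      ("named-host upload", NAMED_HOST_UPLOAD),
                      ("ip root GET", IP_ROOT_GET)]:
        print(name, acl_hits(req), "DENY" if squid_denies(req) else "allow")
```

The two extra requests are the false-positive checks worth running before deploying such a rule: an ordinary octet-stream upload to a named host is untouched, and a plain GET of "/" on a numeric host only trips two of the four ACLs.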
Using Linux + Squid with Layer7 to restrict Xunlei (Thunder) downloads, QQ and MSN
http://www.humin.com.cn/limited-use-of-linux-squid-thunder-download-qq-msn-method.html
L7-filter (Application Layer Packet Classifier for Linux) is an add-on module for Linux netfilter. It gives iptables Layer 7 (application-layer) filtering, which can be used to restrict or block P2P and instant-messaging software.

Starting environment:
  CentOS 4.4
  Kernel 2.6.9-42.0.3.EL
  iptables 1.2.11
1. Download the required packages:
  kernel 2.6.19.7
  # wget http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.19.7.tar.bz2
  iptables 1.3.7
  # wget http://www.netfilter.org/projects/iptables/files/iptables-1.3.7.tar.bz2
  L7-filter: http://sourceforge.net/project/showfiles.php?group_id=80085
  netfilter-layer7-v2.12.tar.gz
  l7-protocols-2007-06-22.tar.gz
2. Configure and build the new kernel
Place all the downloaded packages under /usr/src first.
  # tar zxvf netfilter-layer7-v2.12.tar.gz
  # tar xjvf linux-2.6.19.7.tar.bz2
  # ln -s linux-2.6.19.7 linux
  # cd linux
  # patch -p1 < /usr/src/netfilter-layer7-v2.9/kernel-2.6.18-2.6.19-layer7-2.9.patch   (apply the L7-filter kernel patch)
  # make oldconfig
(If a kernel has been built here before, run make mrproper first. make oldconfig compares against the previous kernel config and generates a new one from it, so you do not have to redo every kernel setting from scratch when building the new kernel.)
  # make menuconfig   (set the kernel options; for the individual options see the article "Kernel compilation explained")
The menu layout differs between kernel versions; look carefully and you will find:
  Code maturity level options --->
    [*] Prompt for development and/or incomplete code/drivers
  Networking ---> Networking options --->
    [*] Network packet filtering (replaces ipchains) --->
      IP: Netfilter Configuration --->
        Connection tracking (required for masq/NAT)
          [*] Connection tracking flow accounting
        IP tables support (required for filtering/masq/NAT)
          Layer 7 match support
  # make
  # make modules
  # make modules_install
  # make install
  # reboot
  # uname -a
  Linux jason.10235 2.6.19.7 #1 Fri Jul 6 11:56:11 CST 2007 i686 i686 i386 GNU/Linux
The system is now running the new kernel 2.6.19.7.
3. Upgrade iptables and apply the Layer7 patch
  # cd /usr/src
  # tar xjvf iptables-1.3.7.tar.bz2
  # cd iptables-1.3.7
  # patch -p1 < ../netfilter-layer7-v2.0/iptables-layer7-2.0.patch
  # chmod +x extensions/.layer7-test
  # export KERNEL_DIR=/usr/src/linux-2.6.19.7
  # export IPTABLES_DIR=/usr/src/iptables-1.3.7
  # make BINDIR=/sbin LIBDIR=/lib MANDIR=/usr/share/man install
  # iptables -V
  iptables v1.3.7   (now updated to the new version)
4. Install the Layer7 protocol definitions
  # cd /usr/src
  # tar zxvf l7-protocols-2007-06-22.tar.gz
  # cd l7-protocols-2007-06-22
  # make install
5. Using the iptables layer7 match:
  # iptables -t mangle -I PREROUTING -m layer7 --l7proto edonkey -j DROP        (block eDonkey)
  # iptables -t mangle -I PREROUTING -m layer7 --l7proto bittorrent -j DROP     (block BitTorrent)
  # iptables -t mangle -I PREROUTING -m layer7 --l7proto qq -j DROP             (block QQ messaging)
  # iptables -t mangle -I PREROUTING -m layer7 --l7proto msnmessenger -j DROP   (block MSN Messenger)
  # iptables -t mangle -I PREROUTING -m layer7 --l7proto xunlei -j DROP         (block Xunlei)
  # iptables -t mangle -I PREROUTING -m layer7 --l7proto kugoo -j DROP          (block Kugoo)
  # iptables -t mangle -I PREROUTING -m layer7 --l7proto yahoo -j DROP          (block Yahoo! Messenger)
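As an added example (not from the original post and not l7-filter's own code), the following Python models how the layer7 match classifies a connection: it reads pattern files in the l7-protocols layout, concatenates the first packets of a flow the way l7-filter does, and returns the verdict the DROP rules above would give. The demo pattern bodies, the sample flows, and the treatment of the inspection window as "first 10 packets or 2 KB" are constructed for this example; the real signatures ship in the l7-protocols package and the window should be checked against your l7-filter version.

```python
import re

# l7-filter's documented inspection window: roughly the first 10 packets or
# 2 KB of a connection's payload, both directions concatenated. Treated here as
# stated defaults to verify against your l7-filter version.
L7_MAX_PACKETS = 10
L7_MAX_BYTES = 2048

# Constructed .pat files in the l7-protocols layout ('#' comments, then the
# protocol name on one line and its regex on the next). Demo signatures written
# for this example; the real ones ship in the l7-protocols package.
DEMO_PAT_FILES = {
    "http.pat": (
        "# Simplified HTTP request/response signature (demo only)\n"
        "http\n"
        r"http/(0\.9|1\.0|1\.1)[\x09-\x0d ][1-5][0-9][0-9]|(get|post|head) [\x09-\x0d -~]* http/[01]\.[019]"
        "\n"
    ),
    "demochat.pat": (
        "# Fictional instant-messaging login banner (demo only)\n"
        "demochat\n"
        r"^demochat v[0-9]\.[0-9] login"
        "\n"
    ),
}

# Protocol names the post's mangle/PREROUTING rules DROP, plus the demo name.
L7_DROP = {"edonkey", "bittorrent", "qq", "msnmessenger",
           "xunlei", "kugoo", "yahoo", "demochat"}


def parse_pat(text: str):
    """Return (protocol_name, compiled_regex) from a .pat file body."""
    lines = [ln.strip() for ln in text.splitlines()
             if ln.strip() and not ln.startswith("#")]
    name, regex = lines[0], lines[1]
    # l7-filter matches case-insensitively; Python re and POSIX ERE agree for
    # the constructs used in the demo patterns.
    return name, re.compile(regex, re.IGNORECASE)


def load_patterns(pat_files: dict):
    return [parse_pat(body) for body in pat_files.values()]


def inspected_payload(packets) -> str:
    """Concatenate payloads as l7-filter sees them, bounded by the window."""
    buf = b""
    for pkt in packets[:L7_MAX_PACKETS]:
        buf += pkt
        if len(buf) >= L7_MAX_BYTES:
            break
    # latin-1 keeps one code point per byte, so byte-oriented regexes still apply
    return buf[:L7_MAX_BYTES].decode("latin-1")


def classify(packets, patterns) -> str:
    """The first pattern that fires names the protocol; otherwise 'unknown'."""
    data = inspected_payload(packets)
    for name, rx in patterns:
        if rx.search(data):
            return name
    return "unknown"


def verdict(packets, patterns) -> str:
    """Mirror 'iptables -m layer7 --l7proto <X> -j DROP' for each X in L7_DROP."""
    return "DROP" if classify(packets, patterns) in L7_DROP else "ACCEPT"


PATTERNS = load_patterns(DEMO_PAT_FILES)

# Constructed flows: lists of per-packet payloads in arrival order.
HTTP_FLOW = [b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
             b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"]
CHAT_FLOW = [b"DEMOCHAT v1.0 login alice\r\n"]
# Opaque binary with no printable banner, which is how an encrypted session looks.
OPAQUE_FLOW = [bytes([0x16, 0x03, 0x01, 0x00, 0x2f]) + bytes(range(47))]
# The banner arrives only after the packet window has closed.
LATE_CHAT_FLOW = [b"\x00" * 16] * L7_MAX_PACKETS + [b"DEMOCHAT v1.0 login bob\r\n"]


if __name__ == "__main__":
    for label, flow in [("http", HTTP_FLOW), ("chat", CHAT_FLOW),
                        ("opaque", OPAQUE_FLOW), ("late chat", LATE_CHAT_FLOW)]:
        print(f"{label:10s} -> {classify(flow, PATTERNS):9s} {verdict(flow, PATTERNS)}")
```

The last two flows show the limits a defender should plan around: a connection with no recognisable banner in its first bytes classifies as unknown and is accepted, and a signature that only appears after the inspection window is never seen. The match also fires only once enough payload has been observed, so the opening packets of a flow pass before the DROP applies; treating these rules as best-effort and pairing them with logging or flow monitoring is the practical approach.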
