Date: February 2, 2008
Iptables working with Layer7
Folks, I'm posting here how to install the layer7 patch into the kernel and iptables. This patch lets Netfilter look at the application layer, so it can match application protocols such as MSN, Jabber, P2P and many others. It does this by running the regular expressions from the protocol definition files against the first bytes of each connection's payload, so it can only recognize what it sees in clear text.
Required files:
1 – Kernel source: in this case I'll use kernel 2.6.24
2 – iptables source: I'll use version 1.4.0
http://www.netfilter.org
3 – Layer7 patch and Layer7 protocol definitions
http://sourceforge.net/projects/l7-filter/
These are two separate packages listed among the options there: l7-filter kernel version and Protocol definitions
— Applying the layer7 patch to the kernel and recompiling it:
Create a directory called layer7 under root's home and store the packages there:
# cd /root
# mkdir layer7
# cd layer7
Unpack the netfilter-layer7-v2.17.tar.gz package
# tar xzvf netfilter-layer7-v2.17.tar.gz
Unpack the kernel source in the /usr/src directory and apply the patch:
# cd /usr/src
# tar xjvf linux-2.6.24.tar.bz2
# cd linux-2.6.24
# patch -p1 < /root/layer7/netfilter-layer7-v2.17/kernel-2.6.22-2.6.24-layer7-2.17.patch
With the patch applied, to compile the kernel we need the libncurses5-dev package installed:
# aptitude install libncurses5-dev
Now we can enter the kernel configuration menu:
# make menuconfig
I'll list here the options that must be selected for our iptables and the layer7 patch to work.
Networking –>
Networking options –>
[*] Network packet filtering framework (Netfilter) –>
[*] Bridged IP/ARP packets filtering
Core Netfilter Configuration —>
<M> Netfilter netlink interface
<M> Netfilter NFQUEUE over NFNETLINK interface
<M> Netfilter LOG over NFNETLINK interface
<M> Netfilter connection tracking support
-*- Connection tracking flow accounting
-*- Connection mark tracking support
[*] Connection tracking security mark support
[*] Connection tracking events (EXPERIMENTAL)
<M> SCTP protocol connection tracking support (EXPERIMENTAL)
<M> UDP-Lite protocol connection tracking support (EXPERIMENTAL)
<M> Amanda backup protocol support
<M> FTP protocol support
<M> H.323 protocol support (EXPERIMENTAL)
<M> IRC protocol support
<M> NetBIOS name service protocol support (EXPERIMENTAL)
<M> PPtP protocol support
<M> SANE protocol support (EXPERIMENTAL)
<M> SIP protocol support (EXPERIMENTAL)
<M> TFTP protocol support
<M> Connection tracking netlink interface (EXPERIMENTAL)
{M} Netfilter Xtables support (required for ip_tables)
<M> “CLASSIFY” target support
<M> “CONNMARK” target support
<M> “DSCP” target support
<M> “MARK” target support
<M> “NFQUEUE” target Support
<M> “NFLOG” target support
<M> “NOTRACK” target support
<M> “TRACE” target support
<M> “SECMARK” target support
<M> “CONNSECMARK” target support
<M> “TCPMSS” target support
<M> “comment” match support
<M> “connbytes” per-connection counter match support
<M> “connlimit” match support
<M> “connmark” connection mark match support
<M> “conntrack” connection tracking match support
<M> “DCCP” protocol match support
<M> “DSCP” match support
<M> “ESP” match support
<M> “helper” match support
<M> “length” match support
<M> “limit” match support
<M> “mac” address match support
<M> “mark” match support
<M> IPsec “policy” match support
<M> Multiple port match support
<M> “physdev” match support
<M> “pkttype” packet type match support
<M> “quota” match support
<M> “realm” match support
<M> “sctp” protocol match support (EXPERIMENTAL)
<M> “state” match support
<M> “layer7” match support
[ ] Layer 7 debugging output
<M> “statistic” match support
<M> “string” match support
<M> “tcpmss” match support
<M> “time” match support
<M> “u32” match support
<M> “hashlimit” match support
IP: Netfilter Configuration —>
<M> IPv4 connection tracking support (required for NAT)
…… (there are more options before this one)
<M> Full NAT
<M> MASQUERADE target support
<M> REDIRECT target support
<M> NETMAP target support
<M> SAME target support (OBSOLETE)
<M> Basic SNMP-ALG support (EXPERIMENTAL)
Save the kernel configuration and let's start the build:
# make
# make modules_install
Next, copy our new kernel image to /boot and generate the initrd image.
# cp arch/i386/boot/bzImage /boot/vmlinuz-2.6.24
# mkinitramfs -o /boot/initrd.img-2.6.24 /lib/modules/2.6.24
And add an entry for it in Grub:
# vi /boot/grub/menu.lst
title Debian kernel 2.6.24
root (hd0,0)
kernel /boot/vmlinuz-2.6.24 root=/dev/sda1 ro vga=792
initrd /boot/initrd.img-2.6.24
savedefault
After that we can reboot the machine into our new kernel and continue with iptables
# init 6
Once rebooted into the new kernel, let's unpack the iptables source and apply the layer7 patch
# cd /root/layer7
# tar xjvf iptables-1.4.0.tar.bz2
# cd iptables-1.4.0
# patch -p1 < /root/layer7/netfilter-layer7-v2.17/iptables-1.4-for-kernel-2.6.20forward-layer7-2.17.patch
# chmod 755 extensions/.layer7-test
Next, I recommend removing the old iptables package and compiling the new version:
# aptitude purge iptables
# make KERNEL_DIR=/usr/src/linux-2.6.24 BINDIR=/sbin LIBDIR=/lib
# make install KERNEL_DIR=/usr/src/linux-2.6.24 BINDIR=/sbin LIBDIR=/lib
Check that iptables is working:
# iptables -n -L
Note that the layer7 extension library is now in /lib/iptables:
# ls -l /lib/iptables/*layer7*
Finally, install the layer7 protocol definition files:
# cd /root/layer7
# tar xzvf l7-protocols-2008-01-16.tar.gz
# cd l7-protocols-2008-01-16
# make install
# ls /etc/l7-protocols/protocols
— Applying some rules with layer7:
Block P2P protocols (here FastTrack). A rule in INPUT only sees traffic addressed to the firewall itself; on a gateway that filters traffic for other machines, put layer7 rules in FORWARD, as in the MSN example below. Also keep in mind that layer7 has to see the first packets of a connection before it can classify it, so those first packets are not matched by the rule.
# iptables -I INPUT -m layer7 --l7proto fasttrack -j DROP
Block MSN Messenger:
# iptables -A FORWARD -m layer7 --l7proto msnmessenger -j DROP
View the rules:
# iptables -n -L
Now it's just a matter of using your imagination with all the protocols layer7 supports (the list is in /etc/l7-protocols/protocols).
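As an added example (not part of the original post, and not l7-filter's own code), the following POSIX shell script shows what the layer7 match is actually doing with the .pat files installed above: it reads a protocol definition in the l7-protocols file layout (comment lines, then the protocol name, then the regex), applies that regex to the lower-cased first bytes of a connection's payload, and builds the corresponding FORWARD rule only if a definition for that protocol exists. The fakehttp.pat file, the three payloads, the 2048-byte inspection window and the use of grep -E in place of l7-filter's in-kernel regex engine are all assumptions made for illustration; the real protocol definitions use their own \xHH escapes and are not reproduced here.

```shell
#!/bin/sh
# Added example: emulate what the layer7 match does with a .pat definition.
# Not l7-filter's own code. The pattern, payloads and the 2048-byte window
# below are constructed for illustration; grep -E stands in for the
# in-kernel regex engine, which also understands \xHH escapes that grep does not.

# Return field N of a .pat file: skip comments and blank lines, then
# field 1 is the protocol name and field 2 is the regex (the layout the
# l7-protocols package uses).
l7_pat_field() {
    awk -v n="$2" '/^[[:space:]]*(#|$)/ { next } { c++; if (c == n) { print; exit } }' "$1"
}

# Match a .pat regex against the first bytes of a connection's payload.
# Assumption: the kernel module only inspects roughly the first 2 kB / 10
# packets of a connection, so anything beyond that window is never seen.
# The payload is lower-cased and flattened to one line as a simplification.
l7_match() {
    pat=$1
    payload=$2
    regex=$(l7_pat_field "$pat" 2)
    if head -c 2048 "$payload" | tr 'A-Z' 'a-z' | tr -d '\r\n' | grep -Eq -- "$regex"; then
        return 0
    fi
    return 1
}

# Build the iptables rule for a protocol, but only if a definition for it
# is installed: --l7proto takes the .pat file name without the extension.
l7_rule() {
    chain=$1
    proto=$2
    dir=${3:-/etc/l7-protocols/protocols}
    if [ ! -f "$dir/$proto.pat" ]; then
        echo "no pattern file $dir/$proto.pat" >&2
        return 1
    fi
    printf 'iptables -A %s -m layer7 --l7proto %s -j DROP\n' "$chain" "$proto"
}

# --- constructed fixtures -------------------------------------------------
L7DIR=$(mktemp -d)

# A deliberately simple pattern in the .pat layout; NOT the real http.pat.
cat > "$L7DIR/fakehttp.pat" <<'EOF'
# fakehttp - constructed example pattern, not part of l7-protocols
# Pattern quality: illustration only
fakehttp
(get|post|head) [^ ]+ http/1\.[01]
EOF

# Constructed payloads standing in for the start of three connections.
printf 'GET /index.html HTTP/1.1\r\nHost: example.org\r\n\r\n' > "$L7DIR/http.payload"
printf 'SSH-2.0-OpenSSH_4.7\r\n' > "$L7DIR/ssh.payload"
# Same request, but preceded by 3000 bytes of other data: outside the window.
{ printf '%3000s' '' | tr ' ' 'x'; printf 'GET / HTTP/1.1\r\n'; } > "$L7DIR/late.payload"

for p in http ssh late; do
    if l7_match "$L7DIR/fakehttp.pat" "$L7DIR/$p.payload"; then
        echo "$p.payload: classified as $(l7_pat_field "$L7DIR/fakehttp.pat" 1)"
    else
        echo "$p.payload: not classified"
    fi
done
l7_rule FORWARD fakehttp "$L7DIR"
```

The late.payload case is the one worth noticing: the request is there, but because it only appears after the inspection window, the connection is never classified and a DROP rule for that protocol would let it through. The same limitation applies to the real module, which is why layer7 rules are a convenience for policing well-behaved clients rather than a hard block.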
Hope this helps
Cheers