Adding the netfilter-layer7-v2 and ipp2p-0.8.2 modules to the kernel on Debian etch

1. Adding the netfilter-layer7-v2 and ipp2p-0.8.2 modules to the kernel on Debian etch


Notes:

1> Current system kernel: 2.6.18-6-486, 32-bit system
2> Kernel chosen for this installation: 2.6.24; iptables: 1.4.0
1.1 Download the software:
cd /usr/src/L7/
wget http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.24.tar.gz
wget http://ftp.netfilter.org/pub/iptables/iptables-1.4.0.tar.bz2
wget http://www.sfr-fresh.com/unix/privat/netfilter-layer7-v2.19.tar.gz
wget http://www.sfr-fresh.com/unix/privat/l7-protocols-2008-04-23.tar.gz
wget http://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot/patch-o-matic-ng-20080717.tar.bz2
wget http://ipp2p.org/downloads/ipp2p-0.8.2.tar.gz
wget http://sources.gentoo.org/viewcvs.py/*checkout*/gentoo-x86/net-firewall/ipp2p/files/ipp2p-0.8.2-kernel-2.6.22.patch
wget http://sources.gentoo.org/viewcvs.py/*checkout*/gentoo-x86/net-firewall/ipp2p/files/ipp2p-0.8.2-iptables-1.4.0.patch


1.2 Install the build environment and dependencies:
apt-get install debhelper kernel-package fakeroot libncurses5-dev build-essential
apt-get install linux-headers-`uname -r`
1.3 Build the kernel
1.3.1 Unpack the packages we are going to install (one tar invocation per archive: given several archives on one command line, tar extracts only the first and treats the rest as member names):
cd /usr/src/L7/
for f in *.gz; do tar xzvf "$f"; done
for f in *.bz2; do tar xjvf "$f"; done
ln -s /usr/src/L7/linux-2.6.24 /usr/src/linux
ln -s /usr/src/L7/iptables-1.4.0 /usr/src/iptables
1.3.2 Add the kernel patches
1> Apply the external patches
cd /usr/src/L7/patch-o-matic-ng-20080717
export KERNEL_DIR=/usr/src/linux IPTABLES_DIR=/usr/src/iptables
Download the geoip, connlimit, ipp2p and other external patches:
./runme download
Apply the external patches we need to the kernel and iptables:
./runme connlimit
./runme geoip
./runme ipp2p
./runme time
./runme u32

Answer y and press Enter to each of the prompts above.
2> Apply the layer7 patches to the kernel and iptables:
cd /usr/src/linux
patch -p1 < /usr/src/L7/netfilter-layer7-v2.19/for_older_kernels/kernel-2.6.22-2.6.24-layer7-2.18.patch
cd /usr/src/iptables
patch -p1 < /usr/src/L7/netfilter-layer7-v2.19/iptables-1.4-for-kernel-2.6.20forward-layer7-2.19.patch
3> Select the kernel modules to build:
cd /usr/src/linux
#make mrproper
Use the system's existing kernel configuration as the baseline; only the new modules need to be added:
cp /boot/config-2.6.18-6-486 /usr/src/linux/.config
#make menuconfig:
<1> Networking -> Networking options -> Network packet filtering framework (Netfilter) -> Core netfilter configuration
    <M> "layer7" match support
        Layer 7 debugging output
<2> Networking -> Networking options -> Network packet filtering framework (Netfilter) -> Core netfilter configuration
    {M} Netfilter Xtables support (required for ip_tables)
    <M> "time" match support
    <M> "u32" match support
    <M> "geoip" match support
    <M> Connections/IP limit match support
<3> Networking -> Networking options -> Network packet filtering framework -> IP: Netfilter Configuration:
    <M> IPv4 connection tracking support (required for NAT)
<4> Networking -> Networking options -> Network packet filtering framework -> IP: Netfilter Configuration:
    <M> IP tables support (required for filtering/masq/NAT)
    <M> IPP2P match support
    <M> Full NAT

Note: do not select time, u32, geoip and connlimit here; they now belong under Netfilter Xtables support, and if you select them under IP tables support the build fails (I lost a lot of time on this). Also, if you did not base your configuration on your original system's kernel config file, choose the other kernel modules you need carefully, because in 2.6.24 many modules are not built by default: Full NAT, for example, and the Serial ATA (prod) and Parallel ATA drivers are not built by default, so if your disk is SATA the root file system will not be found when you reboot after building and installing the kernel.



Once the kernel configuration is saved, start the build:
#make-kpkg clean
#make-kpkg --revision layer7 --append-to-version .20080822 --initrd binary-arch
When the build finishes, the following are generated in /usr/src/L7/:
linux-image-2.6.24.20080822_layer7_i386.deb
linux-headers-2.6.24.20080822_layer7_i386.deb
Install the newly built kernel package:
dpkg -i linux-image-2.6.24.20080822_layer7_i386.deb
Install the newly built kernel headers:
dpkg -i linux-headers-2.6.24.20080822_layer7_i386.deb
After rebooting, build and install iptables in the new system environment.

4> Some other ways of building the kernel:
<1> Build only part of the kernel's modules, which is very useful for testing whether the kernel options we selected are correct:
make mrproper
make menuconfig
make modules_prepare
Build only the files under net/ipv4/netfilter:
make M=net/ipv4/netfilter
<2> Use the existing kernel configuration file as the baseline and add the new kernel options:
#make mrproper
#cp /boot/config-2.6.18-6-486 /usr/src/linux/.config
#make oldconfig
make oldconfig automatically compares against the previous kernel config and generates a new kernel config from the earlier version's settings, so when building a new kernel we do not have to redo all the kernel settings from scratch, i.e. there is no need to run make menuconfig.
To generate a Debian .deb package:
#make-kpkg clean
#make-kpkg --revision layer7 --append-to-version .20080822 --initrd binary-arch
If we do not generate a Debian package but build and install directly:
make mrproper
make menuconfig
make bzImage
make modules
make modules_install
make install

That is all for kernel building!
1.4 Build iptables: after rebooting, build and install iptables in the new system environment:
cd /usr/src/iptables
chmod 775 /usr/src/iptables/extensions/.layer7-test
make KERNEL_DIR=/usr/src/linux BINDIR=/sbin LIBDIR=/lib MANDIR=/usr/man
The build went into an endless loop: it found that the md5 checksums of the system commands it needs no longer matched. The reason is that when we patched iptables the system commands belonged to kernel 2.6.18, and now they belong to 2.6.24. So I deleted the patched iptables, unpacked iptables-1.4.0.tar.bz2 again to get the original source, and repeated the following steps:
1>
ln -s /usr/src/L7/iptables-1.4.0 /usr/src/iptables
cd /usr/src/L7/patch-o-matic-ng-20080717
export KERNEL_DIR=/usr/src/linux IPTABLES_DIR=/usr/src/iptables
./runme connlimit
./runme geoip
./runme ipp2p
./runme time
./runme u32
cd /usr/src/iptables
patch -p1 < /usr/src/L7/netfilter-layer7-v2.19/iptables-1.4-for-kernel-2.6.20forward-layer7-

Now build again:
make KERNEL_DIR=/usr/src/linux BINDIR=/sbin LIBDIR=/lib MANDIR=/usr/man
The build succeeded!
Install:
make install KERNEL_DIR=/usr/src/linux BINDIR=/sbin LIBDIR=/lib

1.5 Upgrade ipp2p to ipp2p-0.8.2:
cd /usr/src/L7
cp -a ipp2p-0.8.2 ipp2p-0.8.2.orig
cd ipp2p-0.8.2
patch -p1 <../ipp2p-0.8.2-kernel-2.6.22.patch
patch -p1 <../ipp2p-0.8.2-iptables-1.4.0.patch
#make
cp libipt_ipp2p.so /lib/iptables/
cp ipt_ipp2p.ko /lib/modules/2.6.24.20080822/kernel/net/netfilter/
1.6 Install l7-protocols
cd l7-protocols-2008-04-23
#make install
depmod works out module dependencies for modprobe to use when loading modules:
depmod -a

1.7 Test:
iptables -A FORWARD -m ipp2p --ipp2p -j DROP
iptables -A INPUT -i $EXTIF -p tcp --syn -m connlimit --connlimit-above 15 -j DROP
iptables -t mangle -I POSTROUTING -m layer7 --l7proto msnmessenger -j DROP
iptables -A FORWARD -m layer7 --l7proto qq -m time --timestart 8:00 --timestop 12:00 -j DROP
iptables -A FORWARD -m layer7 --l7proto msnmessenger -j ACCEPT
iptables -A FORWARD -m layer7 --l7proto msn-filetransfer -j ACCEPT
iptables -A FORWARD -m layer7 --l7proto worldofwarcraft -j ACCEPT
iptables -A FORWARD -m layer7 --l7proto ftp -j ACCEPT

All of the tests above pass, but the --days option of the time match cannot be used; it reports the following error:
Unknown arg `--days'
For example, running:
iptables -A FORWARD -m layer7 --l7proto qq -m time --timestart 13:30 --timestop 21:00 --days Sun,Mon,Tue,Wed,Thu,Fri,Sat -j DROP
produces the error above, but it works fine once --days Sun,Mon,Tue,Wed,Thu,Fri,Sat is removed.
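A post-install check to run after steps 1.5 to 1.7, added here as an example and not part of the original post. It assumes the directory layout used above (/lib/modules/2.6.24.20080822/kernel/net, /lib/iptables, and /etc/l7-protocols as the l7-protocols install target); the exact module and extension file names are assumptions, so each check globs on the match name rather than hard-coding an ipt_ or xt_ prefix.

```shell
#!/bin/sh
# Post-install check for the layer7 / ipp2p / patch-o-matic build described in
# this post: added example, not from the original post. Exact .ko and .so file
# names are assumptions (ipt_* vs xt_* differ between patches), so each check
# globs on the match name instead of hard-coding a prefix.
# need_file DIR GLOB LABEL: 0 if some file under DIR matches GLOB, else 1
need_file() {
    if [ -n "$(find "$1" -name "$2" 2>/dev/null | head -n 1)" ]; then
        echo "ok       $3"
    else
        echo "MISSING  $3 (no $2 under $1)" >&2
        return 1
    fi
}

# check_matches MODDIR LIBDIR NAME...: each iptables match needs its kernel
# module (*_NAME.ko, e.g. the ipt_ipp2p.ko copied in 1.5) and its userspace
# extension (lib*_NAME.so, e.g. libipt_ipp2p.so in /lib/iptables)
check_matches() {
    moddir=$1; libdir=$2; shift 2
    rc=0
    for m in "$@"; do
        need_file "$moddir" "*_$m.ko"    "kernel module for -m $m"  || rc=1
        need_file "$libdir" "lib*_$m.so" "iptables extension -m $m" || rc=1
    done
    return $rc
}

# check_l7_patterns PATDIR PROTO...: every --l7proto used in a rule needs its
# PROTO.pat from l7-protocols (make install puts them under /etc/l7-protocols)
check_l7_patterns() {
    patdir=$1; shift
    rc=0
    for p in "$@"; do
        need_file "$patdir" "$p.pat" "layer7 pattern $p" || rc=1
    done
    return $rc
}

# check_all MODDIR LIBDIR PATDIR: matches built in 1.3.2/1.5 plus the
# protocols referenced by the test rules in 1.7
check_all() {
    a=0; b=0
    check_matches "$1" "$2" layer7 time u32 connlimit geoip ipp2p || a=1
    check_l7_patterns "$3" msnmessenger msn-filetransfer qq worldofwarcraft ftp || b=1
    [ "$a" -eq 0 ] && [ "$b" -eq 0 ]
}

# Paths from this post: check_all /lib/modules/2.6.24.20080822/kernel/net /lib/iptables /etc/l7-protocols
```

A missing .pat file is the usual reason a layer7 rule that loaded fine in 1.7 silently stops matching after a reinstall, so the pattern check is worth keeping even once the modules are known good.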


posted @ 2009-07-01 21:26 Dragon.Spirit