netfilter/iptables turbocharged with layer7

image by Henrique Bueno

Layer7 (l7-filter) is an excellent plugin for netfilter/iptables that works at the application layer: it classifies a connection by running a regular expression over the payload of its first packets, which gives the firewall far more flexibility than port numbers alone (with the usual caveat that encrypted or obfuscated traffic will not match a pattern). This is a tutorial on applying the patch to the kernel and to iptables.

Download the kernel sources (http://kernel.org)

Download the layer7 sources and the protocol patterns (http://sourceforge.net/projects/l7-filter)

Download the iptables sources (http://www.netfilter.org)
ftp://ftp.netfilter.org/pub/iptables/
Unpack the kernel sources in /usr/src

Unpack layer7 and the protocol patterns in /usr/src/layer7

Apply the layer7 patch to the kernel:
cd /usr/src/linux
patch -p1 < /usr/src/layer7/netfilter-layer7-v2.9/kernel-2.6.18-2.6.19-layer7-2.9.patch

The kernel patch must match the kernel series you unpacked, and the kernel and iptables patches should come from the same l7-filter release (the paths on this page mix a v2.9 directory here with a v2.17 directory for the iptables patch below); pick the patch file from your release that names your kernel version.

Configure the kernel: make menuconfig

Enable the following options (shamelessly copied from César Domingos's blog). Of these, the ones the layer7 match actually depends on are Netfilter connection tracking support, Netfilter Xtables support and the "layer7" match support itself; the rest are the usual firewall/NAT set.
Networking --->
  Networking options --->
    [*] Network packet filtering framework (Netfilter) --->
      [*] Bridged IP/ARP packets filtering
      Core Netfilter Configuration --->
        Netfilter netlink interface
        Netfilter NFQUEUE over NFNETLINK interface
        Netfilter LOG over NFNETLINK interface
        Netfilter connection tracking support
        -*- Connection tracking flow accounting
        -*- Connection mark tracking support
        [*] Connection tracking security mark support
        [*] Connection tracking events (EXPERIMENTAL)
        SCTP protocol connection tracking support (EXPERIMENTAL)
        UDP-Lite protocol connection tracking support (EXPERIMENTAL)
        Amanda backup protocol support
        FTP protocol support
        H.323 protocol support (EXPERIMENTAL)
        IRC protocol support
        NetBIOS name service protocol support (EXPERIMENTAL)
        PPtP protocol support
        SANE protocol support (EXPERIMENTAL)
        SIP protocol support (EXPERIMENTAL)
        TFTP protocol support
        Connection tracking netlink interface (EXPERIMENTAL)
        {M} Netfilter Xtables support (required for ip_tables)
        "CLASSIFY" target support
        "CONNMARK" target support
        "DSCP" target support
        "MARK" target support
        "NFQUEUE" target Support
        "NFLOG" target support
        "NOTRACK" target support
        "TRACE" target support
        "SECMARK" target support
        "CONNSECMARK" target support
        "TCPMSS" target support
        "comment" match support
        "connbytes" per-connection counter match support
        "connlimit" match support
        "connmark" connection mark match support
        "conntrack" connection tracking match support
        "DCCP" protocol match support
        "DSCP" match support
        "ESP" match support
        "helper" match support
        "length" match support
        "limit" match support
        "mac" address match support
        "mark" match support
        IPsec "policy" match support
        Multiple port match support
        "physdev" match support
        "pkttype" packet type match support
        "quota" match support
        "realm" match support
        "sctp" protocol match support (EXPERIMENTAL)
        "state" match support
        "layer7" match support
        [ ] Layer 7 debugging output
        "statistic" match support
        "string" match support
        "tcpmss" match support
        "time" match support
        "u32" match support
        "hashlimit" match support

      IP: Netfilter Configuration --->
        IPv4 connection tracking support (required for NAT)
        ...... (more options precede these)
        Full NAT
        MASQUERADE target support
        REDIRECT target support
        NETMAP target support
        SAME target support (OBSOLETE)
        Basic SNMP-ALG support (EXPERIMENTAL)

Build a .deb package to install the kernel:
make-kpkg --revision=1 --append-to-version=-hbueno kernel_image

Or build it with an initrd so the system does not fail at boot (needed when the disk controller or root filesystem driver is built as a module):
make-kpkg --append-to-version="-hbueno" --initrd --us --uc kernel_image

Install the kernel (the package name follows the kernel version, the --append-to-version suffix and the --revision):
dpkg -i linux-image-2.6.23.12-hbueno_1_i386.deb

Reboot the machine into the new kernel (uname -r should show the -hbueno suffix).

Unpack the iptables source under /usr/src/layer7 and cd into the unpacked directory.
Apply the layer7 patch to iptables, then build against the patched kernel tree (KERNEL_DIR must point at the tree you patched above so the build sees the layer7 headers):
patch -p1 < /usr/src/layer7/netfilter-layer7-v2.17/iptables-1.4-for-kernel-2.6.20forward-layer7-2.17.pa
chmod 755 extensions/.layer7-test
make KERNEL_DIR=/usr/src/linux
make install KERNEL_DIR=/usr/src/linux

The layer7 support in iptables is now installed. Next, install the protocol patterns:
cd /usr/src/layer7/l7-protocols-xxxx
make install
This copies the .pat pattern files to /etc/l7-protocols, where the iptables extension looks up the name given to --l7proto.

Example rule to test:
iptables -A FORWARD -m layer7 --l7proto bittorrent -j DROP
Because layer7 classifies a connection from the payload of its first packets, it relies on connection tracking and cannot match a flow until enough data has been seen; the handshake and the first data packets pass through before the match fires, so check the rule's counters with iptables -L FORWARD -v -n while generating the traffic rather than expecting every packet to be dropped.
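As an added example, not part of the original post or of the l7-filter project: a small bash script that checks the result of the build above (the kernel .config, the installed .pat files, and the live kernel/iptables pair) and shows how a pattern file is laid out. It assumes the Kconfig symbol added by the layer7 kernel patch is NETFILTER_XT_MATCH_LAYER7 (verify against the Kconfig in your patched tree), that patterns live in /etc/l7-protocols, and that /proc/net/ip_tables_matches lists the matches registered with xtables; the toyproto pattern and the config lines it writes are constructed sample data, not real ones.

```shell
#!/bin/bash
# Added example (not from the original post or from l7-filter): checks for
# the layer7 build described above. Assumed: the Kconfig symbol the layer7
# kernel patch adds is NETFILTER_XT_MATCH_LAYER7, and installed patterns
# live in /etc/l7-protocols (the extension's default pattern directory).

# 1. Was the layer7 match enabled in the kernel .config, built in (=y) or
#    as a module (=m)? Returns 0 if yes, 1 otherwise.
layer7_enabled_in() {
    grep -q -E '^CONFIG_NETFILTER_XT_MATCH_LAYER7=(y|m)$' "$1"
}

# 2. A .pat file is: '#' comment lines and blank lines, then the protocol
#    name (the value you pass to --l7proto) on its own line, then the
#    regular expression that layer7 runs over the connection's payload.
pat_lines() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$'
}
pattern_name()  { pat_lines "$1" | sed -n '1p'; }
pattern_regex() { pat_lines "$1" | sed -n '2p'; }

# 3. Is a given protocol installed where iptables will look for it?
#    Usage: pattern_installed bittorrent [/etc/l7-protocols]
pattern_installed() {
    [ -r "${2:-/etc/l7-protocols}/$1.pat" ]
}

# 4. Live check on the firewall host (after rebooting into the patched
#    kernel): is the layer7 match registered with xtables, and does the
#    patched iptables binary load its layer7 extension? Returns 0 only when
#    both succeed; on an unpatched or non-Linux host both checks fail.
layer7_runtime_check() {
    local ok=0
    if grep -qsx layer7 /proc/net/ip_tables_matches; then
        echo "kernel:   layer7 match registered"
    else
        echo "kernel:   layer7 match not registered (kernel unpatched, or module not loaded)"
        ok=1
    fi
    if iptables -m layer7 --help >/dev/null 2>&1; then
        echo "iptables: layer7 extension loads"
    else
        echo "iptables: layer7 extension missing (iptables unpatched or not on PATH)"
        ok=1
    fi
    return "$ok"
}

# Demo on constructed files (not a real kernel .config and not a real .pat).
demo() {
    local d
    d=$(mktemp -d)
    printf '%s\n' 'CONFIG_NETFILTER_XTABLES=m' \
                  'CONFIG_NETFILTER_XT_MATCH_LAYER7=m' \
                  '# CONFIG_NETFILTER_XT_MATCH_LAYER7_DEBUG is not set' > "$d/config"
    printf '%s\n' '# toyproto - constructed example, not a real l7 pattern' \
                  '' 'toyproto' '# greeting line sent by the client' \
                  '^toyhello/[0-9]+' > "$d/toyproto.pat"
    if layer7_enabled_in "$d/config"; then echo "config:   layer7 match enabled"; fi
    echo "pattern:  $(pattern_name "$d/toyproto.pat") -> $(pattern_regex "$d/toyproto.pat")"
    pattern_installed toyproto "$d" && echo "pattern:  toyproto.pat found in $d"
    layer7_runtime_check || echo "runtime:  not a patched firewall host"
    rm -rf "$d"
}
demo
```

The first three checks only read files and run anywhere; the runtime check is meant for the firewall itself, after the reboot and once the layer7 module is loaded. Pointing pattern_installed at /etc/l7-protocols before writing rules catches the common mistake of a --l7proto name whose .pat file was never installed.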
