Sie sind auf Seite 1von 7

L7-Filter Configuration::: Kernel Space:

Download the source code for from Download the L7-patch(netfilter-layer7-v2.22.tar.gz ) for kernel space from Check for the appropriate patch in that directory. Check "Patch" command is working or not. If not install patch. Go to linux source code directory and apply patch. patch -p1 < name of the patch(kernel-2.6.25-2.6.28-layer72.22.patch) Building the Kernel. make menuconfig Enable the options "Prompt for development and/or incomplete code/drivers" (under "Code maturity level options") "Network packet filtering framework" (Networking Networking support Networking Options) "Netfilter Xtables support" (on the same screen) "Netfilter connection tracking support" (... Network packet filtering framework Core Netfilter Configuration), select "Layer 3 Independent Connection tracking" "Connection tracking flow accounting" (on the same screen) And finally, "Layer 7 match support" Optional but highly recommended: Lots of other Netfilter options, notably "FTP support" and other matches. If you don't know what you're doing, go ahead and enable all of them. Compile and install the kernel.

After reboot ...

Check for these modules nf_conntrack_ipv4, ,nf_defrag_ipv4, nf_conntrack_netlink, nfnetlink_queue, xt_layer7, nf_conntrack, nf_conntrack_ftp, nf_conntrack_ftp and insert these modules Check this for value 1. /proc/sys/net/netfilter/nf_conntrack_acct if not change that one to one echo "1" > /proc/sys/net/netfilter/nf_conntrack_acct

Applying IP-Tables patch.

/----------------------------------------------------------***** iptables patches/files ***** - iptables-1.4.3forward-for-kernel-2.6.20forward/libxt_layer7.{c,man} Use these files if you are compiling iptables 1.4.3 or later against Linux 2.6.20 or later. - for_older_iptables/ Use these files if you are using an older version of iptables or Linux. Note that not all combinations are supported. This includes, but is not limited to: -- Compiling iptables 1.4.x against Linux 2.6.19.x or earlier. -- iptables 1.4.1, period.

General notes: - You do NOT need to recompile iptables if you change your running kernel version across the 2.6.20 boundary and you already have a working iptables. - You DO need to recompile iptables if you switch from a kernel patched with l7-filter <= v2.10 to one patched with l7-filter >= v2.11.


Check for iptables version in your system. Download the respective iptables source code from Now go to the kernel patch netfilter-layer7-v2.22 directory Check for the appropriate patch. Here Iam using 2.6.28 kernel I applied patches like this Copy the files under the directory netfilter-layer7-v2.22/ iptables-1.4.3forward-for-kernel-2.6.20forward to iptables source code/extensions. Compile and install the iptables. Next we need to download the protocol definitions archive from the L7-filter project page at sourceforge, l7-protocols-2006-06-03.tar.gz?download. Next, we need to copy the pattern files (.pat) from the archive to the /etc/l7-protocols folder

Testing the Kernel space patch::

Checking wheather the Kernel Space L7-filter is working or not. Apply these rules. iptables -A INPUT -m layer7 --l7proto http iptables -A OUTPUT -m layer7 --l7proto http now download any thing from net using http protocol like wget check for the size of file on disk. Commands for checking stastics iptables -L INPUT -n -v iptables -L OUTPUT -n -v Command for flushing iptables iptables -F

command to clear the accounting information iptables -Z Cross check the size with no of bytes recieved through http protocol. if both are same ...our l7-kernel patch is working fine. We can use the same process for checking ftp -protocol also. Download some file through ftp and cross check their size with the bytes transfered through ftp.

L7-filter user-space:
First of all need to download l7-filter-userspace-0.11.tar.gz. from l7-filter-userspace - ClearFoundation Extract it to some directory called "l7_filter". It depends on some other modules like libnetfilter_queue libnfnetlink libnetfilter_conntrack . so Download the above packages and extract them to "l7-filter directory". go to libnfnetlink-1.0.0 then ./configure make make install go to libnetfilter_conntrack-1.0.0 then ./configure make make install go to libnetfilter_queue-1.0.1

./configure make make install go to l7-filter-userspace-0.11 ./configure make make install This gives some errors. Modifications made: //Changed illegal cast from char* to unsigned char*, changed "data" variable in l7-queue.cpp //changes to be made to the following files ....l7conntrack.cpp,l7-conntrack.h,l7queue.cpp(

./configure make make install While running getting some problem with shared library for that needs to set the lib path like export LD_LIBRARY_PATH=/usr/local/lib we need to download the protocol definitions archive from the L7-filter project page at sourceforge, l7-protocols-2006-06-03.tar.gz?download. Next, we need to copy the pattern files (.pat) from the archive to the /etc/l7-protocols folder. Apply these rules iptables -A INPUT -j NFQUEUE --queue-num 2

iptables -A OUTPUT -j NFQUEUE --queue-num 2

OPTIONS:: "----------------------------------------------------------Syntax: l7-filter -f configuration_file [options]\n"

Options are: -q queuenumber\tListen to the specified Netfilter queue -v\t\tBe verbose. Mutiple -v options increase the verbosity -s\t\tBe silent except in the case of warnings and errors -b bytes\tStore up to this many bytes of data per connection -n packets\tExamine up to this many packets per connection -p path\t\tLook for patterns in path instead of /etc/l7-protocols -m mask\t\tOnly pay look at and set the given bits of marks -c\t\tClobber existing marks instead of passing them unmodified -d\t\tAllow configurations that are probably ill-advised -z\t\tRun as daemon

Queue Valid numbers are 0-6553 ---------------------------------------------------------------" Run l7-filer:: l7-filter -vv -f sample-l7-filter.conf -q 2 Whatever the packets that INPUT and OUPUT chain encounter must be queued to user space queue number-2. Commands for checking statistics iptables -L INPUT -n -v iptables -L OUTPUT -n -v

After this flush the iptables iptables -F iptables -Z

Kill the l7-filter process.

Now apply the rules for matching the protocols. iptables -t mangle -A PREROUTING -j NFQUEUE --queue-num 2 iptables -t mangle -A POSTROUTING -j NFQUEUE --queue-num 2 iptables -A INPUT -m mark --mark 18 iptables -A OUTPUT -m mark --mark 18 Again run the user-space l7-filter process. l7-filter -vv -f sample-l7-filter.conf -q 2 Now check the statistics iptables -L INPUT -n -v iptables -L OUTPUT -n -v Output shows the number of packets match with the mark 18(http protocol mark) in the user space queue number -2.