L7 Filter
L7-filter kernel space:

- Download the source code for kernel 2.6.28.10 from kernel.org.
- Download the L7 patch for kernel space (netfilter-layer7-v2.22.tar.gz) from http://l7-filter.clearfoundation.com/downloads/start and check for the patch that matches your kernel version in that directory.
- Check whether the "patch" command is working; if not, install patch.
- Go to the Linux source code directory and apply the patch:
    patch -p1 < kernel-2.6.25-2.6.28-layer72.22.patch
- Build the kernel:
    make menuconfig
  Enable the following options:
  - "Prompt for development and/or incomplete code/drivers" (under "Code maturity level options")
  - "Network packet filtering framework" (Networking -> Networking support -> Networking Options)
  - "Netfilter Xtables support" (on the same screen)
  - "Netfilter connection tracking support" (... Network packet filtering framework -> Core Netfilter Configuration); there, select "Layer 3 Independent Connection tracking"
  - "Connection tracking flow accounting" (on the same screen)
  - and finally "Layer 7 match support"
  Optional but highly recommended: lots of other Netfilter options, notably "FTP support" and other matches. If you don't know what you're doing, go ahead and enable all of them.
- Compile and install the kernel.
- Check that these modules are available and insert them: nf_conntrack_ipv4, nf_defrag_ipv4, nf_conntrack_netlink, nfnetlink_queue, xt_layer7, nf_conntrack, nf_conntrack_ftp.
- Check that /proc/sys/net/netfilter/nf_conntrack_acct has the value 1; if not, set it to 1:
    echo "1" > /proc/sys/net/netfilter/nf_conntrack_acct
General notes:
- You do NOT need to recompile iptables if you change your running kernel version across the 2.6.20 boundary and you already have a working iptables.
- You DO need to recompile iptables if you switch from a kernel patched with l7-filter <= v2.10 to one patched with l7-filter >= v2.11.
L7-filter iptables:

- Check the iptables version on your system and download the corresponding iptables source code from netfilter.org.
- Now go to the kernel patch directory netfilter-layer7-v2.22 and check for the appropriate patch. Here the 2.6.28 kernel is used, and the patch is applied like this: copy the files under the directory netfilter-layer7-v2.22/iptables-1.4.3forward-for-kernel-2.6.20forward into the extensions/ directory of the iptables source code.
- Compile and install iptables.
- Next, download the protocol definitions archive from the L7-filter project page at sourceforge: http://prdownloads.sourceforge.net/l7-filter/l7-protocols-2006-06-03.tar.gz?download
- Next, copy the pattern files (.pat) from the archive to the /etc/l7-protocols folder.
- Command to clear the accounting information (packet and byte counters):
    iptables -Z
- Cross-check the size of a file downloaded over HTTP with the number of bytes received through the http protocol match. If both are the same, our L7 kernel patch is working fine.
- The same process can be used for checking the ftp protocol: download some file through FTP and cross-check its size with the bytes transferred through ftp.
L7-filter user-space:
- First of all, download l7-filter-userspace-0.11.tar.gz from l7-filter-userspace - ClearFoundation and extract it to some directory called "l7_filter".
- It depends on some other modules: libnetfilter_queue, libnfnetlink and libnetfilter_conntrack. Download these packages and extract them into the "l7_filter" directory.
- Go to libnfnetlink-1.0.0, then:
    ./configure
    make
    make install
- Go to libnetfilter_conntrack-1.0.0, then:
    ./configure
    make
    make install
- Go to libnetfilter_queue-1.0.1, then:
    ./configure
    make
    make install
- Go to l7-filter-userspace-0.11, then:
    ./configure
    make
    make install
  This gives some errors. Modifications made:
  // Changed an illegal cast from char* to unsigned char* for the "data" variable in l7-queue.cpp
  // Changes to be made to the following files: l7-conntrack.cpp, l7-conntrack.h, l7-queue.cpp
  // (http://marc.info/?l=l7-filterdevelopers&m=127696031719506&q=raw)
  Then build again:
    ./configure
    make
    make install
- When running, there may be a problem with the shared library libnetfilter_conntrack.so.3; for that, the library path needs to be set:
    export LD_LIBRARY_PATH=/usr/local/lib
- Download the protocol definitions archive from the L7-filter project page at sourceforge, http://prdownloads.sourceforge.net/l7-filter/l7-protocols-2006-06-03.tar.gz?download, and copy the pattern files (.pat) from the archive to the /etc/l7-protocols folder (the same step as in the kernel-space setup).
- Apply this rule:
    iptables -A INPUT -j NFQUEUE --queue-num 2
  Valid queue numbers are 0-6553.
- Run l7-filter:
    l7-filter -vv -f sample-l7-filter.conf -q 2
  Whatever packets the INPUT and OUTPUT chains encounter must be queued to user-space queue number 2.
- Commands for checking statistics:
    iptables -L INPUT -n -v
    iptables -L OUTPUT -n -v
- Now apply the rules for matching the protocols:
    iptables -t mangle -A PREROUTING -j NFQUEUE --queue-num 2
    iptables -t mangle -A POSTROUTING -j NFQUEUE --queue-num 2
    iptables -A INPUT -m mark --mark 18
    iptables -A OUTPUT -m mark --mark 18
- Again run the user-space l7-filter process:
    l7-filter -vv -f sample-l7-filter.conf -q 2
- Now check the statistics:
    iptables -L INPUT -n -v
    iptables -L OUTPUT -n -v
  The output shows the number of packets that matched mark 18 (the http protocol mark) set by the user-space process on queue number 2.
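The two cross-checks on this page (bytes counted after "iptables -Z" against a downloaded file's size, and the mark 18 statistics from "iptables -L INPUT -n -v") are easier to do reliably with a small helper. The script below is an added example written for this page, not part of l7-filter or iptables; it reads an "iptables -L CHAIN -n -v -x" listing from stdin ("-x" prints exact counters instead of rounded K/M/G values) and sums the byte counters of the rules for a given mark. The listing embedded in it is constructed sample output, and the column layout assumes the mark rules have no -j target, as on this page.

```shell
#!/bin/sh
# Added helper (not part of l7-filter or iptables): sum the byte counters
# of the rules matching a given mark in an `iptables -L CHAIN -n -v [-x]`
# listing read from stdin. With -x counters are exact; without it iptables
# rounds to K/M/G (1000-based), which is handled here as an approximation.
mark_bytes() {
    mark_hex=$(printf '0x%x' "$1")      # --mark 18 is listed as 0x12
    awk -v m="$mark_hex" '
        $0 ~ ("mark match " m "($|[^0-9a-f])") {   # 0x12 must not match 0x120
            b = $2; mult = 1                       # $1 pkts, $2 bytes; target may be empty
            if (b ~ /K$/) mult = 1000
            else if (b ~ /M$/) mult = 1000000
            else if (b ~ /G$/) mult = 1000000000
            sub(/[KMG]$/, "", b)
            total += b * mult
        }
        END { printf "%d\n", total + 0 }'
}

# Compare the counted bytes with the size of the file that was transferred.
# Counters cover whole IP packets (headers and retransmissions included), so
# the count is expected to be at or slightly above the file size, never below.
verify_transfer() {
    counted=$1; expected=$2
    if [ "$counted" -ge "$expected" ]; then
        echo "ok: counted $counted bytes for a $expected byte transfer"
    else
        echo "mismatch: only $counted bytes counted for a $expected byte transfer"
        return 1
    fi
}

# Constructed sample listing (what `iptables -L INPUT -n -v -x` prints after
# the rules on this page); a real run would pipe the live command instead.
SAMPLE_LISTING=$(cat <<'EOF'
Chain INPUT (policy ACCEPT 1200 packets, 980000 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     420    5242880            all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x12
      10        640            all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x13
       3        192            all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x120
EOF
)

# Example: a 5 MiB file (5242880 bytes) was downloaded over HTTP (mark 18).
http_bytes=$(printf '%s\n' "$SAMPLE_LISTING" | mark_bytes 18)
verify_transfer "$http_bytes" 5242880
```

On a live box replace the sample with "iptables -L INPUT -n -v -x | mark_bytes 18" and pass the real file size (for example from "stat -c %s FILE") to verify_transfer.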