P2P filter

From SemarkIT


The Real Way

Download and Install Packages:

apt-get install kernel-package ncurses-dev bzip2 module-init-tools initramfs-tools procps fakeroot

Download and extract packages:

cd /usr/src
wget http://iptables.org/projects/iptables/files/iptables-1.4.5.tar.bz2
wget -c http://enterprise.bih.harvard.edu/pub/tarpit-updates/tarpit-2.6.26.patch
wget -c http://enterprise.bih.harvard.edu/pub/tarpit-updates/iptables-1.4.2-tarpit.diff
wget -c http://www.linuximq.net/patchs/linux-2.6.26.8-imq-test2.diff
wget -c http://www.linuximq.net/patchs/iptables-1.4.4-imq.diff
wget -c http://ignum.dl.sourceforge.net/sourceforge/xtables-addons/xtables-addons-1.18.tar.bz2
wget -c http://ignum.dl.sourceforge.net/sourceforge/l7-filter/netfilter-layer7-v2.22.tar.gz
wget -c http://ignum.dl.sourceforge.net/sourceforge/l7-filter/l7-protocols-2009-05-28.tar.gz
wget -c http://ignum.dl.sourceforge.net/sourceforge/l7-filter/l7-filter-userspace-0.11.tar.gz
wget -c http://netfilter.org/projects/libnfnetlink/files/libnfnetlink-1.0.0.tar.bz2
wget -c http://netfilter.org/projects/libnetfilter_log/files/libnetfilter_log-0.0.16.tar.bz2
wget -c http://netfilter.org/projects/libnetfilter_queue/files/libnetfilter_queue-0.0.17.tar.bz2
wget -c http://netfilter.org/projects/libnetfilter_conntrack/files/libnetfilter_conntrack-0.0.101.tar.bz2
wget -c http://netfilter.org/projects/conntrack-tools/files/conntrack-tools-0.9.14.tar.bz2
for archive in *.bz2; do tar -jxf "$archive"; done
for archive in *.gz; do tar -zxf "$archive"; done

32-bit

apt-get source linux-image-2.6.26-2-xen-686 netfilter-extensions-source

64-bit

apt-get source linux-image-2.6.26-2-amd64 netfilter-extensions-source iptables
gunzip linux-2.6_2.6.26-21lenny4.diff.gz
gunzip netfilter-extensions_20080719+debian-1.diff.gz

Creating symbolic links:

ln -s linux-2.6-2.6.26 linux
ln -s iptables-1.4.5 iptables
ln -s xtables-addons-1.18 xtables-addons
ln -s netfilter-extensions-20080719+debian/ netfilter-extensions

Patching and compiling the kernel:

Kernel patches

cd /usr/src/linux/
patch -p1 -NE < ../linux-2.6_2.6.26-21lenny4.diff
patch -p1 -NE < ../linux-2.6.26.8-imq-test2.diff
patch -p1 -NE < ../tarpit-2.6.26.patch
patch -p1 -NE < ../netfilter-layer7-v2.22/kernel-2.6.25-2.6.28-layer7-2.22.patch    # the tarball fetched above is v2.22

Compile the kernel

cd /usr/src/linux
cp /boot/config-XXXX ./.config
make menuconfig
    Networking options  --->
        ...
        [*] Network packet filtering framework (Netfilter)  --->
            Core Netfilter Configuration  --->
                Netfilter connection tracking support
                ...
                "layer7" match support

Multi-Core CPU

export CONCURRENCY_LEVEL=X    # X = number of cores
make-kpkg clean
make-kpkg --initrd kernel_image --append-to-version=-xen-l7 --mkimage kernel_headers
cd ..
dpkg -i *.deb
cat /boot/grub/menu.lst
reboot

iptables patches & install

cd /usr/src/iptables/
patch -p1 -NE < ../iptables-1.4.4-imq.diff
patch -p1 -NE < ../iptables-1.4.2-tarpit.diff
cd /usr/src/iptables/extensions
cp ../../netfilter-layer7-v2.22/iptables-1.4.3forward-for-kernel-2.6.20forward/libxt_layer7.* .
sed -i 's/exit_error(/xtables_error(/' libxt_layer7.c
cd ..
cd /usr/src/linux/include/asm/
wget -c http://www.semarkit.dk/linux/bitsperlong.h
cd /usr/src/iptables/
./configure --with-ksource=/usr/src/linux \
--prefix=/usr --with-xtlibdir=/lib/xtables --libdir=/lib --enable-libipq --enable-devel
make && make install
cd /usr/src/l7-protocols-2009-05-28/
make install

[Start of | Not tested]

cd ../libnfnetlink-1.0.0
./configure --prefix=/usr --libdir=/lib
make && make install

cd ../libnetfilter_queue-0.0.17
./configure --prefix=/usr --libdir=/lib
make && make install

cd ../l7-filter-userspace-0.11
./configure && make && make install

[End of | Not tested]

Xtables-addons compile:

cd /usr/src/xtables-addons
./configure  --with-xtables=/lib  --prefix=/usr \
--mandir=/usr/share/man --infodir=/usr/share/info --libexecdir=/lib  \
--with-ksource=/usr/src/linux --includedir=/usr/include/
make && make install

Testing the Installation:

iptables -j TARPIT -h
iptables -m ipp2p  -h
iptables -m layer7 -h

Make your rules:

# Quote of Mario Mariani, senior vice president of media and access at Tiscali
#
# "The peer-to-peer sites are impossible to fight. In any given network,
# peer-to-peer traffic is between 30 and 60 percent of total traffic.
# We technically cannot control such traffic."

# Marking
iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING -m mark ! --mark 0 -j ACCEPT

# p2p block
iptables -t mangle -A PREROUTING -m ipp2p --bit --edk --kazaa --gnu --dc --apple --winmx --soul --ares --xdcc -j MARK --set-mark 1

# Layer7
iptables -t mangle -A PREROUTING -m layer7 --l7dir /etc/l7-protocols/protocols/ --l7proto bittorrent -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -m layer7 --l7dir /etc/l7-protocols/protocols/ --l7proto edonkey -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -m layer7 --l7dir /etc/l7-protocols/protocols/ --l7proto gnutella -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -m layer7 --l7dir /etc/l7-protocols/protocols/ --l7proto directconnect -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -m layer7 --l7dir /etc/l7-protocols/protocols/ --l7proto fasttrack -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -m layer7 --l7dir /etc/l7-protocols/protocols/ --l7proto soulseek -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -m layer7 --l7dir /etc/l7-protocols/protocols/ --l7proto ares -j MARK --set-mark 1

# Save the mark on the connection and drop marked traffic
iptables -t mangle -A PREROUTING -j CONNMARK --save-mark
iptables -t mangle -A POSTROUTING -m mark --mark 1 -j DROP
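The seven layer7 rules above differ only in the protocol name, and a rule whose pattern file is missing from --l7dir only fails at the moment the rule is loaded. The following is an added example, not part of the original page or of the l7-filter project: it generates the rules from a protocol list and first checks that `<proto>.pat` exists in the pattern directory. The directory (/etc/l7-protocols/protocols) and the protocol list are taken from the rules above; the function name and the `L7DIR` and `P2P_PROTOS` variables are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: build the layer7 MARK rules from a
# protocol list, refusing any protocol without a pattern file in the l7 directory.
# L7DIR and P2P_PROTOS are assumed names; the values come from the rules on this page.
L7DIR="${L7DIR:-/etc/l7-protocols/protocols}"
P2P_PROTOS="bittorrent edonkey gnutella directconnect fasttrack soulseek ares"

# gen_layer7_rules DIR PROTO...
# Prints one iptables command per protocol whose DIR/PROTO.pat exists, and lists
# the protocols that have no pattern file on stderr. Returns 1 if any were missing.
# The commands are printed rather than executed so they can be reviewed first.
gen_layer7_rules() {
  dir="$1"; shift
  missing=0
  for proto in "$@"; do
    if [ -f "$dir/$proto.pat" ]; then
      echo "iptables -t mangle -A PREROUTING -m layer7 --l7dir $dir --l7proto $proto -j MARK --set-mark 1"
    else
      echo "no pattern file for $proto in $dir" >&2
      missing=1
    fi
  done
  return $missing
}

# Stand-alone run: print the rule set (pipe into sh on the firewall to apply it).
# gen_layer7_rules "$L7DIR" $P2P_PROTOS | sh
gen_layer7_rules "$L7DIR" $P2P_PROTOS
```

Because the pattern check happens before anything is loaded, a typo in a protocol name (or an l7-protocols package that was never installed with `make install`) is reported up front instead of leaving a gap in the rule set.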

See if it's working:

iptables -t mangle -L

With byte counters

iptables -t mangle -L -n -v
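Once the rules are loaded, the byte counters are the quickest way to tell whether the filter actually matches anything. The following is an added example, not from the original page: a small sh/awk script that reads the output of `iptables -t mangle -L PREROUTING -n -v -x` (the -x flag prints exact counters instead of the abbreviated K/M form) and reports, per MARK rule, how much traffic the ipp2p match and each layer7 protocol have caught. The SAMPLE text is constructed to resemble that output and was not captured from a real host; the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page. Summarise the counters of the P2P
# marking rules from:   iptables -t mangle -L PREROUTING -n -v -x
# SAMPLE is constructed to mimic that output; it was not captured from a real host.
SAMPLE='Chain PREROUTING (policy ACCEPT 12345 packets, 6789012 bytes)
    pkts      bytes target     prot opt in     out     source               destination
   12345    6789012 CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0            CONNMARK restore
    1200     900000 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match ! 0x0
      37       4512 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ipp2p v0.8 --bit --edk --kazaa --gnu MARK set 0x1
     120      88000 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            LAYER7 l7proto bittorrent MARK set 0x1
       0          0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            LAYER7 l7proto edonkey MARK set 0x1'

# Read iptables -L -n -v -x output on stdin; print packets and bytes for every
# MARK rule, labelled by the match that produced it, followed by a total line.
# With -n the fixed columns are pkts bytes target prot opt in out source destination,
# so the match description starts at field 10.
p2p_hits() {
  awk '
    $3 == "MARK" {
      label = "unknown"
      for (i = 10; i <= NF; i++) {
        if ($i == "ipp2p")   label = "ipp2p"
        if ($i == "l7proto") label = "layer7:" $(i + 1)
      }
      printf "%-20s %10d packets %14d bytes\n", label, $1, $2
      pkts += $1; bytes += $2
    }
    END { printf "%-20s %10d packets %14d bytes\n", "total", pkts, bytes }
  '
}

# Exit status 0 if the marking rules have matched at least one packet,
# 1 if every counter is zero (rules loaded, but no P2P traffic is being classified).
p2p_active() {
  p2p_hits | awk '$1 == "total" { if ($2 > 0) exit 0; exit 1 }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE" | p2p_hits
```

On the firewall itself, replace the sample with the live table: `iptables -t mangle -L PREROUTING -n -v -x | p2p_hits`, or use `p2p_active` as a check in a monitoring script. Note that the counters are also incremented by traffic that is later accepted by the `mark match ! 0x0` rule, so a non-zero count shows the matches fire, not how much was ultimately dropped in POSTROUTING.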


The old ugly way

Log in as root

su
cd ~
mkdir src && cd src/

Check the kernel version

uname -r

Install the required packages

apt-get install linux-kernel-headers g++ iptables-dev
apt-get install linux-source-(kernel version)     # on mine: 2.6.18
apt-get install linux-headers-(kernel version)    # on mine: 2.6.18-486
apt-get source iptables    # remember to enable the src repo in /etc/apt/sources.list

Create links to the iptables source

ln -s /root/src/iptables-1.3.6.0debian1/ /usr/src/iptables-1.3.6
ln -s /usr/src/linux-source-2.6.18/ /usr/src/linux

Fetch ipp2p

wget -c http://www.ipp2p.org/downloads/ipp2p-0.8.2.tar.gz    # optionally fetch the newest version from http://www.ipp2p.org
tar -zxf ipp2p-0.8.2.tar.gz && cd ipp2p-0.8.2/

Now edit the Makefile

vi Makefile    # or an editor of your choice
  • find line 67 and replace the line:
ld -shared -o libipt_ipp2p.so libipt_ipp2p.o

with

$(CC) -shared -o libipt_ipp2p.so libipt_ipp2p.o

Install ipp2p

make

Copy the module to iptables

cp libipt_ipp2p.so /lib/iptables 

Test

iptables -m ipp2p --help

The kernel modules must be loaded

insmod ipt_ipp2p.ko (kernel 2.6.x)
insmod ipt_ipp2p.o  (kernel 2.4.x)
depmod -a

Check that they are active

lsmod | grep ipp2p

should look roughly like this

ipt_ipp2p               6912  0
x_tables               12932  2 ipt_ipp2p,ip_tables

Block BitTorrent

iptables -A FORWARD -m ipp2p --bit --edk --kazaa --gnu -j DROP

Troubleshooting

  • Seen on a Debian 64-bit kernel; tried with 2.6.17-*-amd64 and 2.6.18-*-amd64
  • If there are problems with the module and the error in /var/log/messages looks something like:
    kernel: ip_tables: ipp2p match: invalid size 16 != 8
  • then fetch the following patch and apply it in ~/src/ipp2p-0.8.2/
cd ~/src/ipp2p-0.8.2/
wget -c http://gentoo.mirror.solnet.ch/net-firewall/ipp2p/files/ipp2p-0.8.2-matchsize.patch

patch -p1 < ipp2p-0.8.2-matchsize.patch

now just recompile ipp2p from the make step
