Tuesday, January 25, 2011

ipp2p blocking using layer7 filter and ipp2p module

So, I saw this feature on some Linux site, but I have made some changes :)

What do we do when we need to block some torrent trackers that eat up the bandwidth? We use a proxy, QoS, or we compile ipp2p. The most interesting option is ipp2p together with the l7 filter: it allows filtering applications at layer 7 of the OSI model.

This works on kernel 2.6.30 or greater, but it has not been tested on the latest Debian kernel.
The first thing we need to do is:

1) aptitude install module-assistant
2) m-a prepare

Then install some things:

3) aptitude install kernel-package quilt autoconf automake libtool libncurses5-dev pkg-config checkinstall build-essential zlib1g-dev iptables-dev screen

Then go to /usr/src/ and execute:
4) 
wget http://ufpr.dl.sourceforge.net/sourceforge/xtables-addons/xtables-addons-1.17.tar.bz2
wget http://ufpr.dl.sourceforge.net/sourceforge/l7-filter/netfilter-layer7-v2.21.tar.gz
wget http://ufpr.dl.sourceforge.net/sourceforge/l7-filter/l7-protocols-2009-05-28.tar.gz
wget http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.30.1.tar.bz2
(here you can download a newer kernel or just use the current one, but 2.6.29.14 had some problems: it works, but ...)
wget http://iptables.org/projects/iptables/files/iptables-1.4.4.tar.bz2

5) 
tar -jvxf xtables-addons-1.17.tar.bz2
tar -zvxf netfilter-layer7-v2.21.tar.gz
tar -zvxf l7-protocols-2009-05-28.tar.gz
tar -jvxf linux-2.6.30.1.tar.bz2
tar -jvxf iptables-1.4.4.tar.bz2

Then make some links 
6)
ln -s xtables-addons-1.17 xtables-addons
ln -s linux-2.6.*.* linux
ln -s iptables-1.4.4 iptables

Then this very important step must be done:
7) 
cd /usr/src/linux
patch -p1 < ../netfilter-layer7-v2.21/kernel-2.6.25-2.6.28-layer7-2.21.patch

8)
make menuconfig
-*- Networking support  --->
     Networking options  --->
[*] Network packet filtering framework (Netfilter)  --->
       Core Netfilter Configuration  --->
<M> Netfilter connection tracking support
<M> "layer7" match support

Then it's time for compilation, but my advice is to do it inside screen:

screen
9) make-kpkg --append-to-version=-l7 --initrd kernel-image

10) make-kpkg --append-to-version=-l7 --initrd kernel-image kernel-headers kernel-source

11) reboot 

Now it's time for the iptables compilation

12) 
cd /usr/src/iptables/extensions
cp ../../netfilter-layer7-v2.21/iptables-1.4.1.1-for-kernel-2.6.20forward/libxt_layer7.* .
sed -i 's/exit_error(/xtables_error(/' libxt_layer7.c

Next we compile iptables:

13)  
cd /usr/src/iptables
./configure --with-ksource=/usr/src/linux --prefix=/usr --with-xtlibdir=/lib/xtables --libdir=/lib --enable-libipq --enable-devel
make
checkinstall

Installation of the layer7 filter protocol patterns

14)
cd /usr/src/l7-protocols-2009-05-28
make install 


Compile xtables addons :) 

15)
cd /usr/src/xtables-addons
./configure  --with-xtables=/lib  --prefix=/usr --mandir=/usr/share/man --infodir=/usr/share/info --libexecdir=/lib  --with-ksource=/usr/src/linux --includedir=/usr/include/
make
checkinstall


If everything went fine without errors, we can check that the modules work:
iptables -m ipp2p  --help
iptables -m layer7 --help


With these modules you can filter a lot of applications, like bittorrent, skype, skypetoskype, edonkey and so on :)
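As an added example (not part of the original post), here is a small POSIX shell script that turns the two modules into a reviewable ruleset: a dedicated chain with one ipp2p catch-all rule and one layer7 rule per protocol whose pattern file is actually installed, hooked into FORWARD. The rules are printed rather than applied so they can be checked first; the pattern directory /etc/l7-protocols (the l7-protocols default), the chain name P2P_FILTER and the DROP target are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions: pattern files live in
# /etc/l7-protocols (l7-protocols' default install path), the chain is P2P_FILTER,
# and the target (DROP here) is chosen by the caller. Rules are printed, not applied.

L7_DIR="${L7_DIR:-/etc/l7-protocols}"
CHAIN="${CHAIN:-P2P_FILTER}"

# Is a pattern file installed for this protocol? layer7 cannot match without one.
have_pattern() {
    [ -f "$L7_DIR/$1.pat" ]
}

# One layer7 rule. Protocol names are limited to the characters used by the
# pattern file names, so nothing odd ends up in a command line that gets applied.
l7_rule() {
    proto="$1"; target="$2"
    case "$proto" in
        ""|*[!a-z0-9_-]*) echo "l7_rule: bad protocol name '$proto'" >&2; return 1 ;;
    esac
    printf 'iptables -A %s -m layer7 --l7proto %s -j %s\n' "$CHAIN" "$proto" "$target"
}

# Whole ruleset: new chain, the ipp2p catch-all (--ipp2p matches every protocol
# the module knows), one layer7 rule per installed pattern, and a hook from
# FORWARD. Protocols without a pattern file are reported and skipped.
build_rules() {
    target="$1"; shift
    printf 'iptables -N %s\n' "$CHAIN"
    printf 'iptables -A %s -m ipp2p --ipp2p -j %s\n' "$CHAIN" "$target"
    for proto in "$@"; do
        if have_pattern "$proto"; then
            l7_rule "$proto" "$target" || return 1
        else
            echo "build_rules: no $L7_DIR/$proto.pat, skipping $proto" >&2
        fi
    done
    printf 'iptables -A FORWARD -j %s\n' "$CHAIN"
}

# Dry run for the protocols named in the post; pipe the output to sh to apply it.
build_rules DROP bittorrent edonkey skypetoskype
```

Run it once as is to review the rules, then `sh script.sh | sh` as root on the box where the modules were built.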
Good Luck