Linux下主机充当防火墙的巧妙应用之iptables!

Linux下主机充当防火墙的巧妙应用之iptables!

实验综合拓扑图:

注意事项：防火墙由Red Hat Linux 5.4 版本的机器充当，eth0 使用Host-only (vmware 1)，eth1 使用Bridge(本地连接),eth2(vmware 2)

前期工作：

iptables 仅能过滤网络层的内容，例如协议、端口等等

如果想要过滤应用层的，需要打上七层协议的补丁包！还需内核支持！

操作步骤如下：

一、重新编译内核

1、合并kernel＋layer7补丁

[root@gjp99 ~]# ll

total 48336

-rw------- 1 root root 960 Aug 2 21:30 anaconda-ks.cfg

drwxr-xr-x 2 root root 4096 Aug 2 21:41 Desktop

-rw-r--r-- 1 root root 35556 Aug 2 21:30 install.log

-rw-r--r-- 1 root root 4062 Aug 2 21:30 install.log.syslog

-rw-r--r-- 1 root root 435891 Aug 3 13:55 iptables-1.4.2.tar.bz2

-rw-r--r-- 1 root root 128196 Aug 3 13:55 l7-protocols-2008-10-04.tar.gz

-rw-r--r-- 1 root rootAug 3 13:55 linux-9.tar.bz2

-rw-r--r-- 1 root root 174790 Aug 3 13:55 netfilter-layer7-v2.20.tar.gz

[root@gjp99 ~]# cd /usr/src/

[root@gjp99 src]# ll

total 24

drwxr-xr-x 3 root root 4096 Aug 2 21:25 kernels

drwxrwxr-x 21 root root 4096 Oct 23 2008 linux-9

drwxr-xr-x 4 1000 1000 4096 Aug 22 2008 netfilter-layer7-v2.20

drwxr-xr-x 7 root root 4096 Aug 2 21:27 redhat

[root@gjp99 src]# cd linux-9/

[root@gjp99 linux-9]# patch -p1 < /usr/src/netfilter-layer7-v2.20/kernel-2.6.25-layer7-2.20.patch

patching file net/netfilter/Kconfig

patching file net/netfilter/Makefile

patching file net/netfilter/xt_layer7.c

patching file net/netfilter/regexp/regexp.c

patching file net/netfilter/regexp/regexp.h

patching file net/netfilter/regexp/regmagic.h

patching file net/netfilter/regexp/regsub.c

patching file net/netfilter/nf_conntrack_core.c

Hunk #1 succeeded at 208 (offset -2 lines).

patching file net/netfilter/nf_conntrack_standalone.c

patching file include/net/netfilter/nf_conntrack.h

patching file include/linux/netfilter/xt_layer7.h

2、配置新内核

shell> cp /boot/config-2.6.18-8.el5 .config //偷个懒，沿用旧的内核配置

shell> make menuconfig

//配置内核时，在“Networking ---> Networking Options ---> Network Packet filtering framework (Netfilter) ”处主要注意两个地方：

1)