Recently my boss asked me to block QQ, and only for some of the users. I originally planned to block Tencent's login servers, but that cannot block BT tools, so I looked up some material.
The following part is reposted:
Process:
Apply the layer-7 patch
Upgrade the kernel to 2.6.19.7
Upgrade iptables to 1.3.7
Applicable environment: Internet access shared through NAT
Steps:
1. Download the required packages:
1) Download the new kernel linux-2.6.19.7
wget
http://www.kernel.org/pub/linux/ ... ux-2.6.19.7.tar.bz2
2) Download iptables 1.3.7
wget
http://www.netfilter.org/project ... ables-1.3.7.tar.bz2
3) Download the Layer-7 patch and the protocol definitions:
http://sourceforge.net/project/showfiles.php?group_id=80085
l7-protocols-2007-01-14.tar.gz
netfilter-layer7-v2.9.tar.gz
2. Configure the kernel options:
1) Put all the sources under /usr/src
tar -jxvf linux-2.6.19.7.tar.bz2 # extract (bzip2, extract, verbose, file)
cd linux-2.6.19.7
2) Configure the kernel source:
make menuconfig
(for the kernel configuration, refer to the 2.6 kernel build documentation; there are plenty of guides on the forum)
3) The new kernel adds several features that are often used on a proxy server:
Core Netfilter configuration
(the string, comment, quota, iprange and other netfilter modules are already integrated in the 2.6.19.7 kernel)
ppp (point-to-point protocol) support
PPP MPPE compression (encryption) # Microsoft encryption protocol support, needed for PPTP VPN
3. The L7 patch:
1) Install the l7 protocol definitions:
tar -zxvf l7-protocols-2007-01-14.tar.gz
cd l7-protocols-2007-01-14
make install
2) Apply the L7 kernel support patch:
cd /usr/src/linux-2.6.19.7
patch -p1 < /usr/src/netfilter-layer7-v2.9/kernel-2.6.18-2.6.19-layer7-2.9.patch
3) Run make menuconfig again
and enable "Layer 7 match support"
4. Build the kernel:
make
make modules_install
make install
Reboot and choose the 2.6.19.7 kernel at boot
5. Upgrade iptables:
cd /usr/src/iptables-1.3.7
# apply the Layer7 patch to iptables
patch -p1 < ../netfilter-layer7-v2.9/iptables-layer7-2.9.patch
chmod +x extensions/.layer7-test
export KERNEL_DIR=/usr/src/linux-2.6.19.7 # must point at the patched kernel tree built above
export IPTABLES_DIR=/usr/src/iptables-1.3.7
make BINDIR=/sbin LIBDIR=/lib MANDIR=/usr/share/man install
6. Testing
iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
1) Block QQ's DNS with the string module:
# block tencent
iptables -I FORWARD -p udp --dport 53 -m string --string "tencent" --algo bm -j DROP
# block .qq.com; the byte pattern 717103636F6D can be captured with a sniffer
# (blocking ".qq.com" directly with --string does not work; the string module does not support it, presumably a string-matching issue)
# blocking "qq" would also make many domains such as wqq and qqxx unusable, so blocking .qq.com is the best approach
iptables -I FORWARD -p udp --dport 53 -m string --hex-string "|717103636F6D|" --algo bm -j DROP
This method can be bypassed with a hosts file or a proxy.
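The hex signature above is simply the DNS wire encoding of the name: each label is preceded by a length byte and the name ends with a 0x00 byte, so the dotted string ".qq.com" never appears literally in a query packet, which is why the plain --string form does not match. The following script is an added example, not part of the reposted article: it derives the --hex-string value from a domain name with only POSIX tools (od, tr, printf) and then simulates the substring test that -m string performs on a few constructed query names. It also shows a caveat a practitioner should be aware of: because the six-byte signature omits the length byte of the "qq" label, it also matches names such as wqq.com; prepending that length byte (02) anchors the match to the exact label.

```shell
#!/bin/sh
# Added example (not from the original post): derive the --hex-string
# signature used above from a domain name, and check which query names
# it matches. All sample names below are constructed for the demo.

# Hex of an ASCII string, lowercase, no separators.
ascii_hex() {
    printf '%s' "$1" | od -An -tx1 | tr -d ' \n'
}

# Full DNS wire-format name as hex: <len><label>...<len><label>00
dns_wire_hex() {
    out=""
    oldifs=$IFS
    IFS='.'
    set -f          # no globbing while splitting on '.'
    set -- $1
    set +f
    IFS=$oldifs
    for label; do
        out="${out}$(printf '%02x' "${#label}")$(ascii_hex "$label")"
    done
    printf '%s00' "$out"
}

# The signature form used in the post: drop the first label's length byte
# and the terminating 00, so qq.com becomes "qq<03>com" = 717103636f6d.
dns_suffix_hex() {
    full=$(dns_wire_hex "$1")
    full=${full#??}
    printf '%s' "${full%00}"
}

# Simulate the substring test that -m string performs on the query payload.
# Returns 0 when the wire form of name $1 contains hex signature $2.
matches_signature() {
    case "$(dns_wire_hex "$1")" in
        *"$2"*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Demo: print the signature and the verdict for a few constructed names.
sig=$(dns_suffix_hex qq.com)
echo "signature for .qq.com: $sig"
for name in www.qq.com wqq.com qqxx.com; do
    if matches_signature "$name" "$sig"; then v=DROP; else v=pass; fi
    echo "$name -> $v"
done
```

The output is lowercase hex; the page writes the same bytes in uppercase. Running the demo shows www.qq.com and wqq.com both dropped and qqxx.com passed, so the signature is a suffix match on the byte stream rather than a match on the "qq" label itself.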
2) Block QQ completely, in four steps covering UDP, TCP, HTTP proxy and SOCKS proxy:
# use the QQ protocol signature shipped with L7 to block QQ traffic going out over TCP
iptables -I FORWARD -p tcp -m multiport --dport 80,443 -m layer7 --l7proto qq -j DROP
# block QQ's UDP port 8000 traffic
iptables -I FORWARD -p udp --dport 8000 -j DROP
# block SOCKS proxies
iptables -I FORWARD -p tcp -m layer7 --l7proto socks -j DROP
# block QQ going out through an HTTP proxy (ordinary web proxying keeps working):
# add a new L7 protocol that matches the CONNECT method:
cd /etc/l7-protocols/protocols
# create a file named httpagent.pat with the following contents (first non-comment line is the protocol name, the next line is the regex):
# The HttpAgent Connect Action
httpagent
^\x43\x4F\x4E\x4E.+\x0D\x0A$
iptables -I FORWARD -p tcp -m layer7 --l7proto httpagent -j DROP
3) Block MSN with L7:
# block MSN
iptables -I FORWARD -m layer7 --l7proto msnmessenger -j DROP
Reference articles:
http://www.chinaunix.net/jh/4/853647.html
http://bbs.chinaunix.net/viewthread.php?tid=505370
http://bbs.chinaunix.net/viewthread.php?tid=484867
http://linux.chinaunix.net/bbs/viewthread.php?tid=885123
This article is from the 51CTO.COM technology blog
########################### Below is our company's example ###################
#!/bin/sh
iptables -F
iptables -t nat -F
iptables -X
iptables -t nat -X
iptables -t nat -Z
iptables -Z
echo 1 > /proc/sys/net/ipv4/ip_forward
# DHZG port 5555 8888
# MSN Port 1863
# QQ port 8000
# patrix port 7612 7619-7622 20000 20001
# feng ling huo san test port 15000-15002 --->to 2008.8.13
# Rohan 22100
# TianYuChuanShuo port 30002
# tianlongbabu 1231 ---> end 2008.7.5
# Manager port 9196 6495
# ffmpeg update port 3690
# monster trail Port 8036:8359 9203 --->end 2008.7.30
#QQ domain sz.tencent.com sz2-sz9.tencent.com
## tcpconn.tencent.com tcpconn2-tcpconn6.tencent.com
## http.tencent.com http2.tencent.com
## allow ip_file connect QQ /etc/rc.d/QQ_allow.txt
allow_ports="53 80 443 22 5555 8888 22100 1863 8000 7612:7622 20000 20001 30002 9196 9612 6495 15000:15002 1231 3690 8036:8359 9203"
forward_ports="53 80 443"
#ChinaJoy FTP 219.238.254.7
allow_d="219.238.254.7 222.73.27.0/25 61.152.183.135 61.152.183.136 61.152.183.137"
#officeip=
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A OUTPUT -o eth0 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#iptables -A INPUT -p udp --dport 161 -j ACCEPT
#for Port in $allow_ports;do
#iptables -A INPUT -i eth0 -p tcp --dport $Port -j ACCEPT
#iptables -A INPUT -i eth0 -p udp --dport $Port -j ACCEPT
#done
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# NOTE: the layer7 DROP rules appended below sit after this blanket ACCEPT. layer7 classifies
# a connection by inspecting its first data packets, and by then the connection is already
# ESTABLISHED, so those packets are accepted here before the layer7 rules see them. The layer7
# rules need to come before this rule (the test section above inserts them with -I for that reason).
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
iptables -t nat -A POSTROUTING -s 172.16.0.0/16 -o eth1 -j MASQUERADE
#################
### BT & p2p ####
#################
iptables -A FORWARD -m layer7 --l7proto bittorrent -j DROP
iptables -A FORWARD -m layer7 --l7proto 100bao -j DROP
iptables -A FORWARD -m layer7 --l7proto applejuice -j DROP
iptables -A FORWARD -m layer7 --l7proto ares -j DROP
#iptables -A FORWARD -m layer7 --l7proto ciscovpn -j DROP
iptables -A FORWARD -m layer7 --l7proto directconnect -j DROP
iptables -A FORWARD -m layer7 --l7proto edonkey -j DROP
iptables -A FORWARD -m layer7 --l7proto fasttrack -j DROP
iptables -A FORWARD -m layer7 --l7proto freenet -j DROP
#iptables -A FORWARD -m layer7 --l7proto ftp -j DROP
iptables -A FORWARD -m layer7 --l7proto gnucleuslan -j DROP
iptables -A FORWARD -m layer7 --l7proto gnutella -j DROP
iptables -A FORWARD -m layer7 --l7proto goboogy -j DROP
iptables -A FORWARD -m layer7 --l7proto hotline -j DROP
iptables -A FORWARD -m layer7 --l7proto imesh -j DROP
iptables -A FORWARD -m layer7 --l7proto kugoo -j DROP
iptables -A FORWARD -m layer7 --l7proto mute -j DROP
iptables -A FORWARD -m layer7 --l7proto napster -j DROP
iptables -A FORWARD -m layer7 --l7proto openft -j DROP
iptables -A FORWARD -m layer7 --l7proto poco -j DROP
iptables -A FORWARD -m layer7 --l7proto socks -j DROP
iptables -A FORWARD -m layer7 --l7proto soribada -j DROP
iptables -A FORWARD -m layer7 --l7proto soulseek -j DROP
iptables -A FORWARD -m layer7 --l7proto tesla -j DROP
iptables -A FORWARD -m layer7 --l7proto thecircle -j DROP
iptables -A FORWARD -m layer7 --l7proto xunlei -j DROP
##QQ bind ip##
iptables -A FORWARD -m layer7 --l7proto httpagent -j DROP
##chedn hong quan##
iptables -A FORWARD -s 172.16.1.57 -m layer7 --l7proto qq -j DROP
##shi yuadn kai##
iptables -A FORWARD -s 172.16.1.192 -m layer7 --l7proto qq -j DROP
##xu bddin###
iptables -A FORWARD -s 172.16.1.128 -m layer7 --l7proto qq -j DROP
###################################################################
iptables -A FORWARD -p udp -s 172.16.1.128 --dport 8000 -j DROP
iptables -A FORWARD -p udp -s 172.16.1.57 --dport 8000 -j DROP
iptables -A FORWARD -p udp -s 172.16.1.192 --dport 8000 -j DROP
##################################################################
for Port in $allow_ports;do
iptables -A FORWARD -p tcp --dport $Port -j ACCEPT
iptables -A FORWARD -p udp --dport $Port -j ACCEPT
done
for Ds in $allow_d;do
iptables -A FORWARD -d $Ds -j ACCEPT
done
iptables -A FORWARD -s 172.16.33.0/24 -j ACCEPT
iptables -A FORWARD -s 172.16.4.0/24 -j ACCEPT
iptables -A FORWARD -p icmp -j ACCEPT
#iptables -A FORWARD -j ACCEPT
#iptables -A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
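The script above hard-codes three source addresses for the QQ block, while its comment mentions an allow file /etc/rc.d/QQ_allow.txt. The following is an added example, not the company script, showing the inverse policy the post's goal describes: drop QQ (the layer7 "qq" signature plus UDP/8000) for the whole LAN and exempt only the hosts listed in an allow file. The file format (one address per line, "#" comments), the sample addresses and the LAN range 172.16.0.0/16 are assumptions for the demo. Two points matter for correctness: iptables takes the first matching rule, so the ACCEPT exceptions are emitted before the catch-all DROP; and, as with the script above, these rules must precede any blanket ESTABLISHED,RELATED ACCEPT, or layer7 never sees the data packets it classifies. IPT defaults to a dry run that prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example (not the company script): generate per-host QQ rules from an
# allow-list file so that QQ is dropped for the LAN except for listed hosts.
# Set IPT=iptables to apply the rules; by default they are only printed.
IPT=${IPT:-"echo iptables"}

# Write a constructed sample allow file (hypothetical addresses) to path $1.
write_sample_allow_file() {
    cat > "$1" <<'EOF'
# hosts allowed to use QQ, one per line
172.16.1.10   # accounting
172.16.1.20
EOF
}

# Emit FORWARD rules for LAN range $2 using allow file $1.
# Exceptions come first because the first matching rule wins.
emit_qq_rules() {
    allow_file=$1
    lan=$2
    if [ -r "$allow_file" ]; then
        # sed strips '#' comments; word splitting drops blank lines
        for ip in $(sed -e 's/#.*//' "$allow_file"); do
            $IPT -A FORWARD -s "$ip" -m layer7 --l7proto qq -j ACCEPT
            $IPT -A FORWARD -s "$ip" -p udp --dport 8000 -j ACCEPT
        done
    fi
    # Catch-all for everyone else on the LAN (after the exceptions).
    $IPT -A FORWARD -s "$lan" -m layer7 --l7proto qq -j DROP
    $IPT -A FORWARD -s "$lan" -p udp --dport 8000 -j DROP
}

# Demo with the constructed sample file (dry run unless IPT is overridden).
demo_file=${TMPDIR:-/tmp}/qq_allow_sample.$$
write_sample_allow_file "$demo_file"
emit_qq_rules "$demo_file" 172.16.0.0/16
rm -f "$demo_file"
```

In dry-run mode the demo prints six rules: two ACCEPTs per allowed host followed by the two LAN-wide DROPs. Reviewing that printed order before setting IPT=iptables is the cheapest way to catch an exception that would land below the DROP.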
Web Xunlei is blocked by having squid block the my.xunlei.com domain. I hope this helps everyone; the rules above are a bit messy and some of them still need to be trimmed!!
[ This post was last edited by leohuangfu on 2008-7-1 17:52 ]