Adding the ipp2p match to iptables requires iptables ≥ 1.4.3 and a kernel ≥ 2.6.29. Those are the minimums of the old xtables-addons 1.x line; the 2.x tarball built below (xtables-addons 2.13) needs a 3.7 or newer kernel, so the stock CentOS 6 2.6.32 kernel is not enough on its own.
While compiling the ipp2p extension I got bitten by CentOS's 2.6.32-573.3.1.el6.centos.plus.x86_64 kernel, which had been installed by a yum update; in the end I had no choice but to upgrade my kernel straight to 4.2.0.
If you happen to be on the 2.6.32-573.3.1.el6.centos.plus.x86_64 kernel, I suggest upgrading the kernel first.
Building a 4.x kernel from source
# curl -L https://cdn.kernel.org/pub/linux/kernel/v4.x/linux-4.5.7.tar.xz | xz -d | tar -x -C /usr/src/ && \
  cd /usr/src/linux-4.5.7/
# cp /boot/config-`uname -r` .config
# sh -c 'yes "" | make oldconfig'
# make -j `awk '/processor/{a++}END{print a}' /proc/cpuinfo` bzImage && \
  make -j `awk '/processor/{a++}END{print a}' /proc/cpuinfo` modules && \
  make -j `awk '/processor/{a++}END{print a}' /proc/cpuinfo` modules_install && \
  make install
The tarball fetched here is 4.5.7 rather than the 4.2.0 mentioned above; any 4.x release is built the same way. The original command used curl -k, which turns off TLS certificate verification; that buys nothing against cdn.kernel.org and has been dropped. Better still, fetch the matching linux-4.5.7.tar.sign from the same directory and check the uncompressed tarball with gpg against the kernel.org signing key before unpacking it. Feeding `yes ""` to make oldconfig accepts the default for every option that is new since the 2.6.32 config, so review .config for anything you depend on (netfilter and conntrack options in particular) before building.
Without compiling a kernel (here I install a kernel I built myself via yum; I originally made this kernel for running Docker, since it has aufs enabled)
CentOS 6
# curl -L https://mirrors.dwhd.org/kernel-ml-aufs/kernel-ml-auf.repo >/etc/yum.repos.d/kernel-ml-aufs.repo
# yum -y remove kernel-headers
# yum -y install kernel-ml-aufs kernel-ml-aufs-headers kernel-ml-aufs-devel
Both the CentOS 6 and CentOS 7 commands pull a kernel built by a third party from mirrors.dwhd.org. A kernel is the most privileged code on the box, so before installing look at the repo file you just wrote: it should set gpgcheck=1 with a gpgkey you have obtained and checked out of band, and curl -k (dropped here) should never be used for the fetch.
CentOS 7
# curl -L https://mirrors.dwhd.org/kernel-ml-aufs/kernel-ml-auf.repo >/etc/yum.repos.d/kernel-ml-aufs.repo
# yum -y remove kernel-headers kernel-tools kernel-tools-libs
# yum -y install kernel-ml-aufs kernel-ml-aufs-headers kernel-ml-aufs-devel kernel-ml-aufs-tools-libs-devel perf
Selecting the boot entry on CentOS 6
# awk '/^(default|title)/' /boot/grub/grub.conf
default=0
title CentOS (4.7.0-1.el6.x86_64)                        <- entry 0
title CentOS (4.6.4-1.el6.x86_64)                        <- entry 1
title CentOS 6 (2.6.32-642.1.1.el6.centos.plus.x86_64)   <- entry 2
# sed -ri 's/(default=).*/\10/' /boot/grub/grub.conf     # boot entry 0 by default
# sed -i '/\[main\]/a exclude=kernel*' /etc/yum.conf
# reboot
Entries are numbered from 0 in the order the title lines appear. The exclude=kernel* line stops yum from reinstalling the distro kernel on the next update, but the glob also matches kernel-ml-aufs*, so the custom kernel is frozen as well; to update it later run yum with --disableexcludes=main.
Selecting the boot entry on CentOS 7
# awk -F\' '$1=="menuentry " {print $2}' /etc/grub2.cfg
CentOS Linux (4.7.0-1.el7.centos.x86_64) 7 (Core)                   <- entry 0
CentOS Linux (3.10.0-327.el7.x86_64) 7 (Core)                       <- entry 1
CentOS Linux (0-rescue-010c1463b1194b16b6c51858f166a64a) 7 (Core)   <- entry 2
# grub2-set-default 0     # boot entry 0 by default
# sed -i '/\[main\]/a exclude=kernel*' /etc/yum.conf
# reboot
Confirm the saved entry with grub2-editenv list before rebooting. The same exclude=kernel* caveat applies here: it freezes the kernel-ml-aufs packages too, so later kernel updates need --disableexcludes=main.
Installing the ipp2p extension
# yum clean all && yum makecache
# yum install gcc gcc-c++ make automake unzip zip xz kernel-devel iptables-devel perl-Text-CSV_XS -y
# curl -L https://sourceforge.net/projects/xtables-addons/files/Xtables-addons/xtables-addons-2.13.tar.xz | xz -d | tar x -C /usr/src/ && \
  cd /usr/src/xtables-addons-2.13/ && ./configure && \
  make -j `awk '/processor/{a++}END{print a}' /proc/cpuinfo` && make install && \
  mkdir -p /usr/share/xt_geoip && cd /tmp
# echo 'export PATH=/usr/local/libexec/xtables-addons:$PATH' >/etc/profile.d/xtables-addons.sh && \
  . /etc/profile.d/xtables-addons.sh && \
  xt_geoip_dl && \
  xt_geoip_build -D /usr/share/xt_geoip *.csv && \
  ls -lh --full-time /usr/share/xt_geoip/
total 24K
drwxr-xr-x 2 root root 12K 2016-07-25 23:27:12.458669496 +0800 BE
drwxr-xr-x 2 root root 12K 2016-07-25 23:27:12.458669496 +0800 LE
# rm -rf GeoIP* && cd
The build compiles the kernel modules against the headers of the running kernel, found through /lib/modules/$(uname -r)/build. If you took the yum route above, that directory comes from kernel-ml-aufs-devel, and the kernel-devel package requested here is both the wrong one and blocked by the exclude=kernel* line; what matters is that the headers match uname -r exactly, otherwise ./configure or make fails with a missing build directory. curl -k has again been dropped. xt_geoip_dl in this release fetches MaxMind's legacy GeoLite country CSV, which MaxMind stopped serving in January 2019; newer xtables-addons releases moved the script to a different data source, so on a current system use the script shipped with that release. The BE and LE directories hold the same ranges in big- and little-endian form; the geoip match loads whichever matches the host.
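Before running the ./configure && make step it is worth checking that the running kernel, its headers and iptables meet the requirements, since that mismatch is exactly what breaks the build on a 2.6.32 kernel. The script below is an added example (mine, not from the post or from the xtables-addons project). It assumes the thresholds of the xtables-addons 2.x line, kernel 3.7 and iptables 1.4.5 or newer, and that the header tree is at /lib/modules/$(uname -r)/build, which is where the build looks by default:

```shell
#!/bin/sh
# Added example, not from the original post: preflight checks before
# ./configure && make in the xtables-addons tree. Assumed thresholds: the
# xtables-addons 2.x line (2.13 is used above) needs a 3.7 or newer kernel
# and iptables 1.4.5 or newer; 2.6.29 / 1.4.3 are the old 1.x minimums.

# Succeed when dotted version $1 is >= $2. Distro suffixes such as
# "-573.3.1.el6.centos.plus.x86_64" are ignored; missing parts count as 0.
version_ge() {
    a="$1.0.0"; b="$2.0.0"; i=1
    while [ "$i" -le 3 ]; do
        x="$(printf '%s' "$a" | cut -d. -f"$i")"; x="${x%%[!0-9]*}"; x="${x:-0}"
        y="$(printf '%s' "$b" | cut -d. -f"$i")"; y="${y%%[!0-9]*}"; y="${y:-0}"
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# Upstream version of the running kernel, without the distro suffix.
kernel_version() { uname -r | sed 's/-.*//'; }

# Version printed by "iptables -V", e.g. "iptables v1.4.21" -> "1.4.21".
# Empty when iptables is not installed.
iptables_version() { iptables -V 2>/dev/null | sed 's/.* v//'; }

# Print one line per failed check; return 1 if anything failed.
preflight() {
    rc=0
    kver="$(kernel_version)"
    version_ge "$kver" 3.7 || { echo "kernel $kver is older than 3.7"; rc=1; }
    # xtables-addons builds against /lib/modules/$(uname -r)/build, which the
    # devel package for the *running* kernel provides (kernel-ml-aufs-devel
    # on the yum route above, kernel-devel for a distro kernel).
    [ -d "/lib/modules/$(uname -r)/build" ] || {
        echo "no headers for $(uname -r): install the devel package matching uname -r"; rc=1; }
    iver="$(iptables_version)"
    if [ -z "$iver" ]; then
        echo "iptables not found"; rc=1
    else
        version_ge "$iver" 1.4.5 || { echo "iptables $iver is older than 1.4.5"; rc=1; }
    fi
    return "$rc"
}

preflight && echo "ok: kernel $(kernel_version), ready to build xtables-addons"
```

A 2.6.32-573.3.1.el6 kernel fails the first check and a stock CentOS 6 iptables 1.4.7 passes the third; the header check is the one that usually bites after a kernel switch, because uname -r changes but the old devel tree stays behind.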
ipp2p match options
# iptables -m ipp2p --help | sed -n -e '/ipp2p/,//p'
ipp2p v0.10 match options:
  --edk    [tcp,udp]  All known eDonkey/eMule/Overnet packets
  --dc     [tcp]      All known Direct Connect packets
  --kazaa  [tcp,udp]  All known KaZaA packets
  --gnu    [tcp,udp]  All known Gnutella packets
  --bit    [tcp,udp]  All known BitTorrent packets
  --apple  [tcp]      All known AppleJuice packets
  --winmx  [tcp]      All known WinMX
  --soul   [tcp]      All known SoulSeek
  --ares   [tcp]      All known Ares
EXPERIMENTAL protocols:
  --mute   [tcp]      All known Mute packets
  --waste  [tcp]      All known Waste packets
  --xdcc   [tcp]      All known XDCC packets (only xdcc login)
The options marked [tcp] only make sense in a rule with -p tcp, which is why the rules below split them off from the [tcp,udp] ones.
geoip match options
# iptables -m geoip --help | sed -n -e '/geoip/,//p'
geoip match options:
[!] --src-cc, --source-country country[,country...]
	Match packet coming from (one of) the specified country(ies)
[!] --dst-cc, --destination-country country[,country...]
	Match packet going to (one of) the specified country(ies)
NOTE: The country is inputed by its ISO3166 code.
Worked ipp2p and geoip rules
## Block P2P (IPv4) leaving this host
# iptables -t mangle -I OUTPUT -p tcp -m ipp2p --ares --soul --winmx --apple --dc -j DROP
# iptables -t mangle -I OUTPUT -m ipp2p --edk --kazaa --bit --gnu -j DROP
## Block P2P arriving at this host
# iptables -t mangle -I INPUT -m ipp2p --edk --kazaa --bit --gnu -j DROP
# iptables -t mangle -I INPUT -p tcp -m ipp2p --ares --soul --winmx --apple --dc -j DROP
# iptables -t mangle -L INPUT -nvx --line-numbers
Chain INPUT (policy ACCEPT 70 packets, 5245 bytes)
num   pkts  bytes target  prot opt in  out  source     destination
1        0      0 DROP    tcp  --  *   *    0.0.0.0/0  0.0.0.0/0    -m ipp2p --dc --apple --soul --winmx --ares
2        0      0 DROP    all  --  *   *    0.0.0.0/0  0.0.0.0/0    -m ipp2p --edk --gnu --kazaa --bit
## Block inbound IPv4 traffic from JP
# iptables -t filter -I INPUT -m geoip --src-cc JP -j DROP
# iptables -t mangle -L OUTPUT -nvx && iptables -t filter -L INPUT -nvx
Chain OUTPUT (policy ACCEPT 12559 packets, 3858834 bytes)
 pkts  bytes target  prot opt in  out  source     destination
    0      0 DROP    all  --  *   *    0.0.0.0/0  0.0.0.0/0    -m ipp2p --edk --gnu --kazaa --bit
    0      0 DROP    tcp  --  *   *    0.0.0.0/0  0.0.0.0/0    -m ipp2p --dc --apple --soul --winmx --ares
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts  bytes target  prot opt in  out  source     destination
    0      0 DROP    all  --  *   *    0.0.0.0/0  0.0.0.0/0    -m geoip --source-country JP
Because every rule is inserted with -I, the one added last sits at position 1, which is what the listings show. Three things to keep in mind before copying this. ipp2p matches on payload signatures, so it sees only unencrypted, unobfuscated P2P traffic, and it drops the individual packets that carry a signature rather than the connection; the ipp2p documentation recommends pairing it with CONNMARK so that a flow is dropped as a whole once one of its packets matches. The geoip rule is inserted at the top of filter INPUT, ahead of any ESTABLISHED,RELATED rule, so replies to connections this host itself opens to JP addresses are dropped too; place it after that rule if that is not what you want. All counters above are zero because no matching traffic had been seen yet; generate some test traffic and re-run the same -L -nvx before relying on the rules.
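For completeness, here is the CONNMARK variant as an iptables-restore fragment. It is an added example (mine, not from the original post): the ipp2p options are the ones listed above, the connmark value 0x20 and the JP country code are arbitrary choices, and it assumes the ipp2p, geoip, connmark, conntrack and limit matches are available. It logs at a rate limit before dropping, so false positives show up in the kernel log, and it accepts established traffic ahead of the geoip rule:

```shell
#!/bin/sh
# Added example, not part of the original post: an iptables-restore fragment
# that drops whole P2P connections instead of single matching packets, plus
# the geoip rule with a rate-limited LOG in front of it.
# Assumptions: the ipp2p and geoip matches from xtables-addons are installed
# and conntrack is available. The connmark value 0x20 is an arbitrary choice
# for this example, as is the ISO country code in BLOCK_CC.
P2P_MARK="${P2P_MARK:-0x20}"
BLOCK_CC="${BLOCK_CC:-JP}"

# Print the ruleset. The first packet that matches an ipp2p signature tags
# its connection with CONNMARK; every later packet of that connection is then
# dropped by the connmark rule even when it carries no recognisable signature.
gen_p2p_rules() {
    cat <<EOF
*mangle
:P2P_BLOCK - [0:0]
-A INPUT -j P2P_BLOCK
-A OUTPUT -j P2P_BLOCK
-A P2P_BLOCK -m ipp2p --edk --kazaa --bit --gnu -j CONNMARK --set-mark ${P2P_MARK}
-A P2P_BLOCK -p tcp -m ipp2p --ares --soul --winmx --apple --dc -j CONNMARK --set-mark ${P2P_MARK}
-A P2P_BLOCK -m connmark --mark ${P2P_MARK} -m limit --limit 5/minute -j LOG --log-prefix "ipp2p drop: "
-A P2P_BLOCK -m connmark --mark ${P2P_MARK} -j DROP
COMMIT
*filter
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m geoip --src-cc ${BLOCK_CC} -m limit --limit 5/minute -j LOG --log-prefix "geoip drop: "
-A INPUT -m geoip --src-cc ${BLOCK_CC} -j DROP
COMMIT
EOF
}

# Number of DROP rules in the generated fragment (a sanity check: one for
# marked P2P flows, one for the blocked country).
count_drops() {
    gen_p2p_rules | grep -c -- '-j DROP$'
}

# Check that both matches are usable by this iptables binary; asking for
# their help text also loads the kernel modules.
check_matches() {
    iptables -m ipp2p --help >/dev/null 2>&1 || { echo "ipp2p match not available" >&2; return 1; }
    iptables -m geoip --help >/dev/null 2>&1 || { echo "geoip match not available" >&2; return 1; }
}

# Parse-check the fragment with --test (iptables 1.4.21 or newer), then load
# it with --noflush so the rules already present are kept.
apply_rules() {
    check_matches || return 1
    gen_p2p_rules | iptables-restore --test --noflush || return 1
    gen_p2p_rules | iptables-restore --noflush
}

if [ "${1:-}" = "apply" ]; then
    apply_rules
else
    gen_p2p_rules
fi
```

Run it without arguments to print the fragment for review, or with `apply` to load it on top of the existing rules. The INPUT and OUTPUT hooks mirror the host-only rules above; on a gateway, jump to P2P_BLOCK from mangle PREROUTING and FORWARD as well so that forwarded flows are covered.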