Linux之iptables添加扩展模块实现封P2P、封国家IP


在iptables上添加ipp2p模块需要:iptables ≥ 1.4.3、内核≥ 2.6.29.

在编译 ipp2p 这个扩展的时候,我被 CentOS 的 2.6.32-573.3.1.el6.centos.plus.x86_64 这个内核坑了。这个内核是 yum update 的时候安装上去的,最后迫不得已,我把内核直接升到了 4.2.0。

如果你遇到的也是 2.6.32-573.3.1.el6.centos.plus.x86_64 内核,建议直接先升级内核。

编译4.2.0内核

# Build and install a newer mainline kernel from source (the prompt shows this
# is run as root).
# NOTE(review): the section heading says 4.2.0 but the URL below fetches
# linux-4.5.7 — confirm which version is intended.
# NOTE(review): `-k` disables TLS certificate verification, so the archive that
# is piped straight into /usr/src and later compiled and installed is not
# authenticated; kernel.org serves a valid certificate, so drop `-k`, and
# check the tarball against the PGP signature kernel.org publishes for it.
[root@LookBack-server-OL02 ~]# curl -Lk https://cdn.kernel.org/pub/linux/kernel/v4.x/linux-4.5.7.tar.xz|xz -d|tar -x -C /usr/src/ && \
cd /usr/src/linux-4.5.7/
# Seed the new tree's .config from the running kernel's config.
[root@LookBack-server-OL02 ~]# cp /boot/config-`uname -r` .config
# `yes ""` answers every prompt with the default, so options that are new in
# this kernel version are accepted unreviewed.
[root@LookBack-server-OL02 ~]# sh -c 'yes "" | make oldconfig'
# One make job per "processor" line in /proc/cpuinfo. Builds the image and
# modules, installs the modules, then `make install` copies the kernel into
# /boot (whether it also adds a boot entry depends on the installkernel script
# — verify the bootloader config before rebooting).
[root@LookBack-server-OL02 ~]# make -j `awk '/processor/{a++}END{print a}' /proc/cpuinfo` bzImage && \
make -j `awk '/processor/{a++}END{print a}' /proc/cpuinfo` modules && \
make -j `awk '/processor/{a++}END{print a}' /proc/cpuinfo` modules_install && \
make install

不编译内核的方法(这里采用 yum 安装我自己制作的内核;这个内核本来是我用来跑 Docker 的,因为它启用了 aufs)
CentOS 6

# CentOS 6: install a prebuilt kernel from the author's own yum repository
# instead of compiling one.
# NOTE(review): the .repo file is fetched with `-k` (no TLS certificate check)
# from a third-party mirror and written straight into /etc/yum.repos.d, and
# whether the packages it points to are GPG-checked is not visible here —
# inspect the repo file (gpgcheck/gpgkey) before installing a kernel from it.
[root@LookBack-server-OL02 ~]# curl -Lk https://mirrors.dwhd.org/kernel-ml-aufs/kernel-ml-auf.repo >/etc/yum.repos.d/kernel-ml-aufs.repo
# The distro kernel-headers package is removed first, presumably because it
# conflicts with kernel-ml-aufs-headers installed below — confirm.
[root@LookBack-server-OL02 ~]# yum -y remove kernel-headers
[root@LookBack-server-OL02 ~]# yum -y install kernel-ml-aufs kernel-ml-aufs-headers kernel-ml-aufs-devel

CentOS 7

# CentOS 7: same repo-based install; more distro kernel packages are removed
# (kernel-tools, kernel-tools-libs) and the matching tools-libs-devel and perf
# packages are pulled in.
# NOTE(review): as on CentOS 6, the .repo file is downloaded with `-k` (no TLS
# certificate check) and installed as-is; check its gpgcheck/gpgkey settings
# before trusting a kernel from it.
[root@LookBack-server-OL02 ~]# curl -Lk https://mirrors.dwhd.org/kernel-ml-aufs/kernel-ml-auf.repo >/etc/yum.repos.d/kernel-ml-aufs.repo
[root@LookBack-server-OL02 ~]# yum -y remove kernel-headers kernel-tools kernel-tools-libs
[root@LookBack-server-OL02 ~]# yum -y install kernel-ml-aufs kernel-ml-aufs-headers kernel-ml-aufs-devel kernel-ml-aufs-tools-libs-devel perf

CentOS 6修改启动项

# CentOS 6: make the new kernel the default GRUB entry.
# Print the current default index and the title lines; entries count from 0.
[root@LookBack-server-OL02 ~]# awk '/^(default|title)/' /boot/grub/grub.conf
default=0
title CentOS (4.7.0-1.el6.x86_64)                                   这是0
title CentOS (4.6.4-1.el6.x86_64)                                   这是1
title CentOS 6 (2.6.32-642.1.1.el6.centos.plus.x86_64)              这是2
# Rewrite the default= line in place. NOTE(review): `sed -i` with no backup
# suffix leaves no copy of the bootloader config to fall back to; `-i.bak`
# would keep one.
[root@LookBack-server-OL02 ~]# sed -ri 's/(default=).*/\10/' /boot/grub/grub.conf # make entry 0 the default boot entry
# Pin the kernel: exclude=kernel* stops yum from installing ANY package whose
# name starts with "kernel" — the distro's kernel security updates, but also
# kernel-ml-aufs itself. Kernel updates must then be applied deliberately
# (e.g. with --disableexcludes) or the host stays on this kernel forever.
[root@LookBack-server-OL02 ~]# sed -i '/\[main\]/a exclude=kernel*' /etc/yum.conf
[root@LookBack-server-OL02 ~]# reboot

CentOS 7修改启动项

# CentOS 7: make the new kernel the default GRUB2 entry. Note the prompt —
# this part was captured on a different host than the CentOS 6 steps.
# List the menuentry titles; entries count from 0.
[root@RACK_Proxy_black_list ~]# awk -F\' '$1=="menuentry " {print $2}' /etc/grub2.cfg
CentOS Linux (4.7.0-1.el7.centos.x86_64) 7 (Core)                    这是0
CentOS Linux (3.10.0-327.el7.x86_64) 7 (Core)                        这是1
CentOS Linux (0-rescue-010c1463b1194b16b6c51858f166a64a) 7 (Core)    这是2
# grub2-set-default records the saved entry; it only takes effect when GRUB
# is configured to boot the saved entry (the CentOS 7 default — confirm).
[root@RACK_Proxy_black_list ~]# grub2-set-default 0         # make entry 0 the default boot entry
# Pin the kernel: exclude=kernel* blocks every package named kernel*, which
# includes the distro's kernel security updates and the kernel-ml-aufs
# packages just installed; future kernel updates need --disableexcludes or a
# deliberate edit of this line.
[root@RACK_Proxy_black_list ~]# sed -i '/\[main\]/a exclude=kernel*' /etc/yum.conf
[root@RACK_Proxy_black_list ~]# reboot

安装ipp2p扩展

# Build and install xtables-addons (provides the ipp2p and geoip matches
# used below) and generate the GeoIP database for the geoip match.
[root@LookBack-server-OL02 ~]# yum clean all && yum makecache
# kernel-devel/iptables-devel are needed to build the kernel module and the
# iptables userspace plugin; perl-Text-CSV_XS is presumably for
# xt_geoip_build, which reads the CSV files below — confirm.
[root@LookBack-server-OL02 ~]# yum install gcc gcc-c++ make automake unzip zip xz kernel-devel iptables-devel perl-Text-CSV_XS -y
# NOTE(review): the source archive is fetched with `-k` (no TLS certificate
# check), piped straight into tar, then built and `make install`ed as root —
# nothing authenticates what gets installed into the system. Drop `-k` and
# check the archive against the project's published signature/checksum
# before running make install.
[root@LookBack-server-OL02 ~]# curl -Lk https://sourceforge.net/projects/xtables-addons/files/Xtables-addons/xtables-addons-2.12.tar.xz|xz -d|tar x -C /usr/src/ && cd /usr/src/xtables-addons-2.12/ && ./configure && make -j `awk '/processor/{a++}END{print a}' /proc/cpuinfo` && make install && mkdir -p /usr/share/xt_geoip && cd /tmp
# Put the xtables-addons helper scripts on PATH for every login shell, then
# download the GeoIP CSV data into /tmp and build the binary database that
# the geoip match reads from /usr/share/xt_geoip (BE and LE variants).
# NOTE(review): the data source and how often it is refreshed are not shown;
# the country rule further down is only as accurate as this database.
[root@LookBack-server-OL02 /tmp]# echo 'export PATH=/usr/local/libexec/xtables-addons:$PATH' >/etc/profile.d/xtables-addons.sh && \
. /etc/profile.d/xtables-addons.sh && \
xt_geoip_dl && \
xt_geoip_build -D /usr/share/xt_geoip *.csv && \
ls -lh --full-time /usr/share/xt_geoip/
总用量 24K
drwxr-xr-x 2 root root 12K 2016-07-25 23:27:12.458669496 +0800 BE
drwxr-xr-x 2 root root 12K 2016-07-25 23:27:12.458669496 +0800 LE
# Clean up the downloaded files; the glob is relative to /tmp (see the
# prompt), so only the GeoIP* downloads there are removed.
[root@LookBack-server-OL02 /tmp]# rm -rf GeoIP* && cd 

来看看ipp2p的用法格式

# Show the ipp2p match options; sed prints from the first line containing
# "ipp2p" to the end. Each option names a protocol family and the
# transports it applies to — the tcp-only ones are why the rules further
# down add `-p tcp`. The EXPERIMENTAL matches are not used in those rules.
[root@LookBack-server-OL02 ~]# iptables -m ipp2p --help | sed -n -e '/ipp2p/,//p'
ipp2p v0.10 match options:
  --edk    [tcp,udp]  All known eDonkey/eMule/Overnet packets
  --dc     [tcp]      All known Direct Connect packets
  --kazaa  [tcp,udp]  All known KaZaA packets
  --gnu    [tcp,udp]  All known Gnutella packets
  --bit    [tcp,udp]  All known BitTorrent packets
  --apple  [tcp]      All known AppleJuice packets
  --winmx  [tcp]      All known WinMX
  --soul   [tcp]      All known SoulSeek
  --ares   [tcp]      All known Ares

EXPERIMENTAL protocols:
  --mute   [tcp]      All known Mute packets
  --waste  [tcp]      All known Waste packets
  --xdcc   [tcp]      All known XDCC packets (only xdcc login)

来看看geoip的用法

# Show the geoip match options. Countries are given as ISO3166 codes and
# can be negated with `!`; the lookup relies on the database built into
# /usr/share/xt_geoip above.
[root@LookBack-server-OL02 ~]# iptables -m geoip --help| sed -n -e '/geoip/,//p'
geoip match options:
[!] --src-cc, --source-country country[,country...]
        Match packet coming from (one of) the specified country(ies)
[!] --dst-cc, --destination-country country[,country...]
        Match packet going to (one of) the specified country(ies)

NOTE: The country is inputed by its ISO3166 code. 

ipp2p扩展的具体用法演示

## Block outbound IPv4 P2P from this host
# `-I` inserts at the top of the chain, so these run before any existing
# rule. The tcp-only protocols (per the help text above) get `-p tcp`; the
# rest are left unrestricted so udp is covered too.
# ipp2p classifies traffic by packet content, so expect both misses and
# false positives; the pkts/bytes counters in the listings below are where
# to check what actually matched.
# NOTE(review): nothing here persists the rules — they are gone after a
# reboot unless saved (e.g. `service iptables save` / `iptables-save`), and
# ip6tables is not covered at all.
[root@LookBack-server-OL02 ~]# iptables -t mangle -I OUTPUT -p tcp -m ipp2p --ares --soul --winmx --apple --dc -j DROP 
[root@LookBack-server-OL02 ~]# iptables -t mangle -I OUTPUT -m ipp2p --edk --kazaa --bit --gnu -j DROP
## Block inbound P2P to this host
# NOTE(review): the prompt changes to OL03 here, so the INPUT rules and the
# listing below come from a different host than the OUTPUT rules above.
[root@LookBack-server-OL03 ~]# iptables -t mangle -I INPUT -m ipp2p --edk --kazaa --bit --gnu -j DROP
[root@LookBack-server-OL03 ~]# iptables -t mangle -I INPUT -p tcp -m ipp2p --ares --soul --winmx --apple --dc -j DROP
# List with numeric output, exact counters and rule numbers.
[root@LookBack-server-OL03 ~]# iptables -t mangle -L INPUT -nvx --line-numbers 
Chain INPUT (policy ACCEPT 70 packets, 5245 bytes)
num      pkts      bytes target     prot opt in     out     source               destination         
1           0        0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            -m ipp2p  --dc  --apple  --soul  --winmx  --ares 
2           0        0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            -m ipp2p  --edk  --gnu  --kazaa  --bit 
## Block inbound IPv4 traffic from JP
# Country lookup uses the xt_geoip database built earlier; the rule is only
# as accurate and current as that database.
[root@LookBack-server-OL02 ~]# iptables -t filter -I INPUT -m geoip --src-cc JP -j DROP
# NOTE(review): the filter INPUT listing below shows policy DROP with only
# this one rule in it, i.e. on that host every inbound packet is dropped
# anyway unless ACCEPT rules exist that the listing does not show — confirm
# the host stays reachable (including the session used to enter these rules).
[root@LookBack-server-OL02 ~]# iptables -t mangle -L OUTPUT -nvx && iptables -t filter -L INPUT -nvx
Chain OUTPUT (policy ACCEPT 12559 packets, 3858834 bytes)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            -m ipp2p  --edk  --gnu  --kazaa  --bit 
       0        0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            -m ipp2p  --dc  --apple  --soul  --winmx  --ares 
Chain INPUT (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            -m geoip --source-country JP 
lookback
