Linux: using iptables extension modules to block P2P traffic and country IP ranges

Updated: 2020-04-12    Source: linux



Adding the ipp2p module to iptables requires iptables ≥ 1.4.3 and a kernel ≥ 2.6.29 (xt_ipp2p ships in xtables-addons and is built out of tree against the headers of the running kernel).
While compiling the ipp2p extension I was bitten by CentOS's 2.6.32-573.3.1.el6.centos.plus.x86_64 kernel, which had been pulled in by yum update; in the end I had no choice but to upgrade my kernel to 4.2.0.

If you find yourself on the 2.6.32-573.3.1.el6.centos.plus.x86_64 kernel, I suggest upgrading the kernel first.
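Because a distribution kernel carries a long release suffix that is easy to misread, here is an added check, example code written for this page and not part of the article, that compares the running kernel and the installed iptables against 2.6.29 and 1.4.3 in plain POSIX sh before anything is compiled. The names version_ge, check_prereqs and the --check entry point are this example's own.

```shell
#!/bin/sh
# Added example, not code from the article: check the prerequisites for xt_ipp2p,
# iptables >= 1.4.3 and kernel >= 2.6.29, in plain POSIX sh. version_ge, check_prereqs
# and the --check entry point are names chosen for this example.

# version_ge HAVE WANT: exit 0 when HAVE >= WANT. Dotted numeric parts are compared left to
# right; a missing part counts as 0 (so 1.4 < 1.4.3 and 4.2 == 4.2.0), and a distribution
# suffix such as the -573.3.1.el6.centos.plus.x86_64 of a CentOS kernel is ignored.
version_ge() {
    have=$(printf '%s' "$1" | sed 's/[^0-9.].*//')
    want=$(printf '%s' "$2" | sed 's/[^0-9.].*//')
    i=1
    while :; do
        x=$(printf '%s' "$have" | awk -F. -v n="$i" '{ print $n }')
        y=$(printf '%s' "$want" | awk -F. -v n="$i" '{ print $n }')
        if [ -z "$x" ] && [ -z "$y" ]; then
            return 0            # every part compared and equal
        fi
        x=${x:-0}
        y=${y:-0}
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
}

# check_prereqs: test the running kernel and the installed iptables; exit 0 only if both
# pass, naming the one that fails on stderr.
check_prereqs() {
    kern=$(uname -r)
    # "iptables v1.4.7" -> 1.4.7 ; empty if iptables is not installed
    ipt=$(iptables -V 2>/dev/null | awk '{ print $2 }' | tr -d v)
    rc=0
    version_ge "$kern" 2.6.29 || { echo "kernel $kern is older than 2.6.29" >&2; rc=1; }
    version_ge "${ipt:-0}" 1.4.3 || { echo "iptables ${ipt:-not found} is older than 1.4.3" >&2; rc=1; }
    return $rc
}

# Sourcing the file only defines the functions; "sh prereq.sh --check" runs the check.
case "${1:-}" in
    --check) check_prereqs ;;
esac
```

Run it as sh prereq.sh --check on the box you intend to build on; a non-zero exit tells you which of the two requirements is not met, before you spend time on xtables-addons.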
Compiling the 4.2.0 kernel


## The tarball below comes from a third-party mirror; kernel.org publishes a detached linux-4.2.tar.sign
## for the uncompressed tarball, so verify it with gpg before building a kernel from it.
[root@LookBack-server-OL02 ~]# wget http://mirrors.dwhd.org/Kernel/v4.x/linux-4.2.tar.xz
[root@LookBack-server-OL02 ~]# tar xf linux-4.2.tar.xz -C /usr/src/
[root@LookBack-server-OL02 ~]# cd /usr/src/linux-4.2/
## Start from the running kernel's config and accept the default for every option that is new in 4.2
[root@LookBack-server-OL02 /usr/src/linux-4.2]# cp /boot/config-`uname -r` .config
[root@LookBack-server-OL02 /usr/src/linux-4.2]# yes "" | make oldconfig
[root@LookBack-server-OL02 /usr/src/linux-4.2]# make -j `awk "/processor/{a++}END{print a}" /proc/cpuinfo` bzImage
[root@LookBack-server-OL02 /usr/src/linux-4.2]# make -j `awk "/processor/{a++}END{print a}" /proc/cpuinfo` modules
[root@LookBack-server-OL02 /usr/src/linux-4.2]# make modules_install
[root@LookBack-server-OL02 /usr/src/linux-4.2]# make install
## make install adds the new kernel to grub; check that the 4.2 entry is listed first, then make entry 0 the default
[root@LookBack-server-OL02 /usr/src/linux-4.2]# sed -ri "s/(default=).*/\10/" /boot/grub/grub.conf
[root@LookBack-server-OL02 /usr/src/linux-4.2]# reboot

Installing the ipp2p and geoip extensions (xtables-addons)

Note that xt_geoip_dl in this release downloads the MaxMind GeoLite legacy CSV files. MaxMind stopped distributing those in January 2019, so on a current system you need a newer xtables-addons release, whose geoip scripts use a database that is still being published; the rule syntax shown further down is unchanged.


[root@LookBack-server-OL02 ~]# yum install -y http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.3-1.el6.rf.x86_64.rpm
[root@LookBack-server-OL02 ~]# yum clean all && yum makecache
## perl-Text-CSV_XS is needed by xt_geoip_build; the kernel modules are built against /lib/modules/`uname -r`/build
[root@LookBack-server-OL02 ~]# yum install gcc gcc-c++ make automake unzip zip xz kernel-devel iptables-devel perl-Text-CSV_XS -y
[root@LookBack-server-OL02 ~]# wget http://sourceforge.net/projects/xtables-addons/files/Xtables-addons/xtables-addons-2.10.tar.xz
[root@LookBack-server-OL02 ~]# tar xf xtables-addons-2.10.tar.xz
[root@LookBack-server-OL02 ~]# cd xtables-addons-2.10/
[root@LookBack-server-OL02 ~/xtables-addons-2.10]# ./configure
## depmod -a so that iptables can autoload xt_ipp2p and xt_geoip the first time a rule references them
[root@LookBack-server-OL02 ~/xtables-addons-2.10]# make -j `awk "/processor/{a++}END{print a}" /proc/cpuinfo` && make install && depmod -a && cd geoip/
## Download the country CSVs, then build the IPv4 and IPv6 files in a single run, writing straight into the
## directory xt_geoip reads from, so that each country's .iv4 and .iv6 files are produced together
[root@LookBack-server-OL02 ~/xtables-addons-2.10/geoip]# ./xt_geoip_dl
[root@LookBack-server-OL02 ~/xtables-addons-2.10/geoip]# mkdir -p /usr/share/xt_geoip/
[root@LookBack-server-OL02 ~/xtables-addons-2.10/geoip]# ./xt_geoip_build -D /usr/share/xt_geoip GeoIPCountryWhois.csv GeoIPv6.csv
Now let's look at the option syntax of ipp2p:


[root@LookBack-server-OL02 ~]# iptables -m ipp2p --help | sed -n -e "/ipp2p/,//p"
ipp2p v0.10 match options:
  --edk    [tcp,udp]  All known eDonkey/eMule/Overnet packets
  --dc     [tcp]      All known Direct Connect packets
  --kazaa  [tcp,udp]  All known KaZaA packets
  --gnu    [tcp,udp]  All known Gnutella packets
  --bit    [tcp,udp]  All known BitTorrent packets
  --apple  [tcp]      All known AppleJuice packets
  --winmx  [tcp]      All known WinMX
  --soul   [tcp]      All known SoulSeek
  --ares   [tcp]      All known Ares
 
EXPERIMENTAL protocols:
  --mute   [tcp]      All known Mute packets
  --waste  [tcp]      All known Waste packets
  --xdcc   [tcp]      All known XDCC packets (only xdcc login)

A demonstration of the ipp2p extension

ipp2p is a payload-signature match: it recognises the known plaintext handshakes of the protocols listed above and nothing else, so encrypted or obfuscated transfers pass it untouched. Treat the rules below as a best-effort block, and remember that rules added with -I are lost at reboot on CentOS 6 unless you run service iptables save.


## Block P2P traffic leaving this host (IPv4); the protocols that are TCP-only are restricted with -p tcp
[root@LookBack-server-OL02 ~]# iptables -t mangle -I OUTPUT -p tcp -m ipp2p --ares --soul --winmx --apple --dc -j DROP
[root@LookBack-server-OL02 ~]# iptables -t mangle -I OUTPUT -m ipp2p --edk --kazaa --bit --gnu -j DROP
## Block P2P traffic entering this host
[root@LookBack-server-OL03 ~]# iptables -t mangle -I INPUT -m ipp2p --edk --kazaa --bit --gnu -j DROP
[root@LookBack-server-OL03 ~]# iptables -t mangle -I INPUT -p tcp -m ipp2p --ares --soul --winmx --apple --dc -j DROP
[root@LookBack-server-OL03 ~]# iptables -t mangle -L INPUT -nvx --line-numbers
Chain INPUT (policy ACCEPT 70 packets, 5245 bytes)
num      pkts      bytes target     prot opt in     out     source               destination        
1           0        0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            -m ipp2p  --dc  --apple  --soul  --winmx  --ares
2           0        0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            -m ipp2p  --edk  --gnu  --kazaa  --bit
## Block inbound IPv4 traffic from JP. -I puts this rule at the very top of filter INPUT, ahead of any ACCEPT for SSH or
## other management access, so make sure the address you administer from is not in the blocked country (or exempt it
## with an earlier rule). The same match works for IPv6 through ip6tables -m geoip, using the .iv6 files built above.

[root@LookBack-server-OL02 ~]# iptables -t filter -I INPUT -m geoip --src-cc JP -j DROP


[root@LookBack-server-OL02 ~]# iptables -t mangle -L OUTPUT -nvx && iptables -t filter -L INPUT -nvx
Chain OUTPUT (policy ACCEPT 12559 packets, 3858834 bytes)
    pkts      bytes target     prot opt in     out     source               destination        
       0        0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            -m ipp2p  --edk  --gnu  --kazaa  --bit
       0        0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            -m ipp2p  --dc  --apple  --soul  --winmx  --ares
Chain INPUT (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination        
       0        0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            -m geoip --source-country JP
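The rules above drop matching packets from the mangle table and push the geoip DROP to position 1 of filter INPUT, ahead of everything else. As an added example, not code from the article, the script below loads the same ipp2p and geoip matches in a form that can be re-run safely: each group lives in its own filter chain, the administrator's network and already-established connections are exempted before the country DROP, and the country list is validated before it reaches the command line. The chain names P2P_BLOCK and GEO_BLOCK, the IPTABLES and DRY_RUN variables, and the 203.0.113.0/24 management network are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the article: load the ipp2p and geoip drops in a repeatable
# form. Assumed for this example: chain names P2P_BLOCK and GEO_BLOCK, the IPTABLES and
# DRY_RUN variables, and the management network passed as the second argument.
set -eu

IPTABLES=${IPTABLES:-iptables}

# Every rule change goes through ipt(). With DRY_RUN=1 the command is printed instead of
# executed and each -C existence check reports "not present", so the printed sequence is
# exactly what a first run on a clean host would execute.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$IPTABLES $*"
        case " $* " in *" -C "*) return 1 ;; esac
        return 0
    fi
    "$IPTABLES" "$@"
}

# --src-cc takes two-character codes as used by the xt_geoip database files (JP, CN, and the
# A1/EU style codes), optionally comma-separated. Anything else never reaches the command line.
valid_cc() {
    printf '%s' "$1" | LC_ALL=C grep -Eq '^[A-Z][A-Z0-9](,[A-Z][A-Z0-9])*$'
}

# Create the chain on the first run, flush it on later runs, so the result is the same each time.
ensure_chain() {
    ipt -t "$1" -N "$2" 2>/dev/null || ipt -t "$1" -F "$2"
}

# Put the jump at the top of the built-in chain, but only if an identical rule is not already there.
ensure_jump() {
    ipt -t "$1" -C "$2" -j "$3" 2>/dev/null || ipt -t "$1" -I "$2" 1 -j "$3"
}

# load_blocks COUNTRIES MGMT_NET, e.g. load_blocks JP 203.0.113.0/24
load_blocks() {
    cc=$1
    mgmt=$2
    valid_cc "$cc" || { echo "refusing country list: $cc" >&2; return 2; }

    # P2P: the article's ipp2p matches, kept in the filter table in one chain that INPUT and
    # OUTPUT both jump to; the TCP-only protocols keep their -p tcp restriction.
    ensure_chain filter P2P_BLOCK
    ipt -t filter -A P2P_BLOCK -p tcp -m ipp2p --ares --soul --winmx --apple --dc -j DROP
    ipt -t filter -A P2P_BLOCK -m ipp2p --edk --kazaa --bit --gnu -j DROP
    ensure_jump filter INPUT P2P_BLOCK
    ensure_jump filter OUTPUT P2P_BLOCK

    # Country block: the management network and already-established flows RETURN before the
    # geoip DROP, so the administrator cannot be locked out and only new connections from the
    # listed countries are dropped.
    ensure_chain filter GEO_BLOCK
    ipt -t filter -A GEO_BLOCK -s "$mgmt" -j RETURN
    ipt -t filter -A GEO_BLOCK -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN
    ipt -t filter -A GEO_BLOCK -m geoip --src-cc "$cc" -j DROP
    ensure_jump filter INPUT GEO_BLOCK
}

# Apply only when run with both arguments; sourcing the file just defines the functions.
if [ $# -eq 2 ]; then
    load_blocks "$1" "$2"
fi
```

Run it as root with sh geoblock.sh JP 203.0.113.0/24; DRY_RUN=1 sh geoblock.sh JP 203.0.113.0/24 prints the iptables commands in order without touching the ruleset, which is the place to confirm that the management RETURN sits above the geoip DROP before applying it on a remote box. For IPv6, run it again with IPTABLES=ip6tables and an IPv6 management prefix.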

Source: http://www.bbyears.com/caozuoxitong/92539.html