Compiling the kernel and iptables with layer7 support and installing l7-protocols
I. Environment
Operating system: Redhat5.8_64bit
Required packages:
linux-2.6.28.10.tar.gz
netfilter-layer7-v2.22.tar.gz
l7-protocols-2009-05-28.tar.gz
iptables-1.4.6.tar.bz2
Installation steps:
1) Patch the kernel and recompile it
2) Patch the iptables source and recompile iptables
3) Install l7-protocols
1. Patch the kernel and recompile it
[root@localhost ~]# uname -r //the kernel shipped with Redhat5.8 is 2.6.18
2.6.18-308.el5
# tar zxvf linux-2.6.28.10.tar.gz -C /usr/src //extract linux-2.6.28.10
# tar zxvf netfilter-layer7-v2.22.tar.gz -C /usr/src //extract netfilter-layer7
# cd /usr/src/
# ln -s linux-2.6.28.10 linux //the tarball unpacks to linux-2.6.28.10, so link that directory
# cd /usr/src/linux/
# patch -p1 < ../netfilter-layer7-v2.22/kernel-2.6.25-2.6.28-layer7-2.22.patch
patching file net/netfilter/Kconfig
patching file net/netfilter/Makefile
patching file net/netfilter/xt_layer7.c
patching file net/netfilter/regexp/regexp.c
patching file net/netfilter/regexp/regexp.h
patching file net/netfilter/regexp/regmagic.h
patching file net/netfilter/regexp/regsub.c
patching file net/netfilter/nf_conntrack_core.c
patching file net/netfilter/nf_conntrack_standalone.c
patching file include/net/netfilter/nf_conntrack.h
patching file include/linux/netfilter/xt_layer7.h
# cp /boot/config-2.6.18-308.el5 /usr/src/linux/.config
# make menuconfig
Note: before running make menuconfig, make sure the following package groups are installed:
Development Libraries
Development Tools
Running make menuconfig produced the following error:
scripts/kconfig/mconf arch/x86/Kconfig
.config:1365:warning: symbol value 'm' invalid for FIXED_PHY
.config:1671:warning: symbol value 'm' invalid for ISDN
.config:2789:warning: symbol value 'm' invalid for RTC_INTF_SYSFS
.config:2790:warning: symbol value 'm' invalid for RTC_INTF_PROC
.config:2791:warning: symbol value 'm' invalid for RTC_INTF_DEV
.config:2813:warning: symbol value 'm' invalid for DMA_ENGINE
Your display is too small to run Menuconfig!
It must be at least 19 lines by 80 columns.
make[1]: *** [menuconfig] Error 1
make: *** [menuconfig] Error 2
Cause: the terminal window was too small. Enlarge it to at least 19 lines by 80 columns and run make menuconfig again, then set the following options:
General setup ---> () Local version - append to kernel release --> enter: -layer7 --> OK --> Exit
Processor type and features ---> Processor family (Generic-x86-64) ---> (X) Core 2/newer Xeon
Networking support ---> Networking Options ---> Network packet filtering framework ---> Core Netfilter Configuration
<M> Netfilter connection tracking support
<M> "layer7" match support
<M> "string" match support
<M> "time" match support
<M> "iprange" match support
<M> FTP protocol support
<M> Connection tracking netlink interface
<M> "connlimit" match support
<M> "state" match support
<M> "conntrack" connection match support
<M> "mac" address match support
<M> "multiport" Multiple port match support
Networking support ---> Networking Options ---> Network packet filtering framework ---> IP: Netfilter Configuration
<M> IPv4 connection tracking support (required for NAT)
<M> Full NAT
<M> MASQUERADE target support
<M> NETMAP target support
<M> REDIRECT target support
# screen //run the build inside screen so a dropped session does not interrupt make
# make
# make modules_install
# make install
2. Build the new iptables
# cp /etc/init.d/iptables ~/iptables
# cp /etc/sysconfig/iptables-config ~/
# cp /etc/sysconfig/iptables ~/iptables.rules
# service iptables stop
# chkconfig iptables off
# rpm -e iptables-ipv6 iptables iptstate --nodeps
# tar jxvf iptables-1.4.6.tar.bz2 -C /usr/src
# cd /usr/src/iptables-1.4.6
# cp ../netfilter-layer7-v2.22/iptables-1.4.3forward-for-kernel-2.6.20forward/libxt_layer7.* ./extensions/
# ./configure --prefix=/usr --with-ksource=/usr/src/linux
# make
# make install
# which iptables
/usr/sbin/iptables
# vim ~/iptables --> change the path check so it points at /usr/sbin, where the new binary was installed:
if [ ! -x /usr/sbin/$IPTABLES ]; then
echo -n $"/usr/sbin/$IPTABLES does not exist."; warning; echo
exit 0
fi
# cp ~/iptables /etc/init.d/
# chkconfig --add iptables
# cp ~/iptables-config /etc/sysconfig/
# service iptables start
Applying iptables firewall rules: [ OK ]
Loading additional iptables modules: ip_nat_ftp ip_conntrac[ OK ]
3. Install l7-protocols
# tar zxvf l7-protocols-2009-05-28.tar.gz
# cd l7-protocols-2009-05-28
# make install
mkdir -p /etc/l7-protocols
cp -R * /etc/l7-protocols
# service iptables restart
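The build above leaves no easy way to tell whether each step actually took. The script below is an added example (not code from the original post) that checks the results of the three steps on the finished host: the "-layer7" local version set in menuconfig, the xt_layer7 module from make modules_install, and the installed pattern files, plus a log-only rule for trying a pattern out. It assumes the paths the post's make install steps produce (/lib/modules/<release>/ and /etc/l7-protocols/protocols/); the "example" protocol and its pattern are constructed for illustration.

```shell
#!/bin/sh
# Added post-install checks for the layer7 build above (not code from the original post).
# Assumes the paths the post's make install steps produce: /lib/modules/<release>/ and /etc/l7-protocols/.

# The "-layer7" suffix entered under General setup shows up in the kernel release string.
kernel_has_layer7() {            # $1 = kernel release, e.g. the output of `uname -r`
    case "$1" in
        *-layer7*) return 0 ;;
        *)         return 1 ;;
    esac
}

# The match module built as <M> by `make modules_install` must exist for the running kernel.
layer7_module_present() {        # $1 = kernel release
    [ -f "/lib/modules/$1/kernel/net/netfilter/xt_layer7.ko" ]
}

# l7-protocols .pat format: '#' lines are comments, the first non-blank non-comment line is
# the protocol name and the second is the regex. Prints the regex; returns 1 if either is missing.
l7_pattern_regex() {             # $1 = path to a .pat file
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        { n++; if (n == 2) { print; found = 1; exit } }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Look a protocol up by name in the installed pattern directory and return its regex.
l7_protocol_regex() {            # $1 = protocol name, $2 = pattern directory (optional)
    file="${2:-/etc/l7-protocols/protocols}/$1.pat"
    [ -r "$file" ] || return 1
    l7_pattern_regex "$file"
}

# Rule that only logs flows a pattern classifies, so a pattern can be validated before
# anything is dropped or shaped on the strength of it. Prints the command; "run" applies it.
l7_log_rule() {                  # $1 = protocol name, $2 = "run" to apply the rule
    cmd="iptables -A FORWARD -m layer7 --l7proto $1 -j LOG --log-prefix \"l7-$1: \""
    if [ "$2" = run ]; then eval "$cmd"; fi
    printf '%s\n' "$cmd"
}

# Run the host checks when invoked as `sh l7check.sh check` (all of them, so every gap is reported).
if [ "${1:-}" = check ]; then
    rel=$(uname -r)
    kernel_has_layer7 "$rel" && echo "kernel ok: $rel" || echo "kernel lacks -layer7: $rel"
    layer7_module_present "$rel" && echo "xt_layer7.ko ok" || echo "xt_layer7.ko missing"
    l7_protocol_regex http >/dev/null && echo "http pattern ok" || echo "http pattern missing"
fi
```

A pattern whose LOG rule never fires on traffic you know it should match is the usual sign that the pattern directory or the module is not what iptables is using; `iptables -m layer7 --help` confirms the extension itself loaded.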