Adding the ipp2p module to iptables requires: iptables ≥ 1.4.3 and kernel ≥ 2.6.29.
While compiling the ipp2p extension I got burned by CentOS's 2.6.32-573.3.1.el6.centos.plus.x86_64 kernel, which had been installed by a yum update; in the end I had no choice but to upgrade my kernel straight to 4.2.0.
If you are running the 2.6.32-573.3.1.el6.centos.plus.x86_64 kernel, my advice is to upgrade the kernel first.
Compiling the 4.2.0 kernel
[root@LookBack-server-OL02 ~]# wget http://mirrors.dwhd.org/Kernel/v4.x/linux-4.2.tar.xz
[root@LookBack-server-OL02 ~]# tar xf linux-4.2.tar.xz -C /usr/src/
[root@LookBack-server-OL02 ~]# cd /usr/src/linux-4.2/
[root@LookBack-server-OL02 ~]# cp /boot/config-`uname -r` .config
[root@LookBack-server-OL02 ~]# sh -c 'yes "" | make oldconfig'
[root@LookBack-server-OL02 ~]# make -j `awk '/processor/{a++}END{print a}' /proc/cpuinfo` bzImage
[root@LookBack-server-OL02 ~]# make -j `awk '/processor/{a++}END{print a}' /proc/cpuinfo` modules
[root@LookBack-server-OL02 ~]# make -j `awk '/processor/{a++}END{print a}' /proc/cpuinfo` modules_install
[root@LookBack-server-OL02 ~]# make install
[root@LookBack-server-OL02 ~]# sed -ri 's/(default=).*/\10/' /boot/grub/grub.conf
[root@LookBack-server-OL02 ~]# reboot
Installing the ipp2p extension
[root@LookBack-server-OL02 ~]# rpm -i http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.i686.rpm
[root@LookBack-server-OL02 ~]# yum clean all && yum makecache
[root@LookBack-server-OL02 ~]# yum install gcc gcc-c++ make automake unzip zip xz kernel-devel-`uname -r` iptables-devel perl-Text-CSV_XS -y
[root@LookBack-server-OL02 ~]# wget http://sourceforge.net/projects/xtables-addons/files/Xtables-addons/xtables-addons-2.8.tar.xz
[root@LookBack-server-OL02 ~]# tar xf xtables-addons-2.8.tar.xz
[root@LookBack-server-OL02 ~]# cd xtables-addons-2.8/
[root@LookBack-server-OL02 ~/xtables-addons-2.8]# ./configure
[root@LookBack-server-OL02 ~/xtables-addons-2.8]# make -j `awk '/processor/{a++}END{print a}' /proc/cpuinfo` && make install && cd geoip/
[root@LookBack-server-OL02 ~/xtables-addons-2.8/geoip]# ./xt_geoip_dl
[root@LookBack-server-OL02 ~/xtables-addons-2.8/geoip]# ./xt_geoip_build GeoIPCountryWhois.csv
[root@LookBack-server-OL02 ~/xtables-addons-2.8/geoip]# ./xt_geoip_build GeoIPv6.csv
[root@LookBack-server-OL02 ~/xtables-addons-2.8/geoip]# mkdir -p /usr/share/xt_geoip/
[root@LookBack-server-OL02 ~/xtables-addons-2.8/geoip]# cp -a BE LE /usr/share/xt_geoip/
A look at the ipp2p option syntax
[root@LookBack-server-OL02 ~]# iptables -m ipp2p --help | sed -n -e '/ipp2p/,//p'
ipp2p v0.10 match options:
  --edk    [tcp,udp]  All known eDonkey/eMule/Overnet packets
  --dc     [tcp]      All known Direct Connect packets
  --kazaa  [tcp,udp]  All known KaZaA packets
  --gnu    [tcp,udp]  All known Gnutella packets
  --bit    [tcp,udp]  All known BitTorrent packets
  --apple  [tcp]      All known AppleJuice packets
  --winmx  [tcp]      All known WinMX
  --soul   [tcp]      All known SoulSeek
  --ares   [tcp]      All known Ares
EXPERIMENTAL protocols:
  --mute   [tcp]      All known Mute packets
  --waste  [tcp]      All known Waste packets
  --xdcc   [tcp]      All known XDCC packets (only xdcc login)
A worked demonstration of the ipp2p extension
## The following blocks IPv4 P2P traffic leaving this host
[root@LookBack-server-OL02 ~]# iptables -t mangle -I OUTPUT -p tcp -m ipp2p --ares --soul --winmx --apple --dc -j DROP
[root@LookBack-server-OL02 ~]# iptables -t mangle -I OUTPUT -m ipp2p --edk --kazaa --bit --gnu -j DROP
## The following blocks P2P traffic entering this host
[root@LookBack-server-OL03 ~]# iptables -t mangle -I INPUT -m ipp2p --edk --kazaa --bit --gnu -j DROP
[root@LookBack-server-OL03 ~]# iptables -t mangle -I INPUT -p tcp -m ipp2p --ares --soul --winmx --apple --dc -j DROP
[root@LookBack-server-OL03 ~]# iptables -t mangle -L INPUT -nvx --line-numbers
Chain INPUT (policy ACCEPT 70 packets, 5245 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 -m ipp2p --dc --apple --soul --winmx --ares
2 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 -m ipp2p --edk --gnu --kazaa --bit
## The following blocks inbound connections from JP IPv4 addresses
[root@LookBack-server-OL02 ~]# iptables -t filter -I INPUT -m geoip --src-cc JP -j DROP
[root@LookBack-server-OL02 ~]# iptables -t mangle -L OUTPUT -nvx && iptables -t filter -L INPUT -nvx
Chain OUTPUT (policy ACCEPT 12559 packets, 3858834 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 -m ipp2p --edk --gnu --kazaa --bit
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 -m ipp2p --dc --apple --soul --winmx --ares
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 -m geoip --source-country JP
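The rules above are typed in one at a time with -I, so running them twice duplicates every rule, and a DROP with no LOG gives no way to see which flows ipp2p is actually matching (pattern-based matchers like ipp2p can misfire on non-P2P traffic, and you want to notice that). The script below is an added example, not part of the original post: it checks the version floors stated at the top of the post (iptables 1.4.3, kernel 2.6.29), then installs the same ipp2p and geoip rules in a dedicated mangle chain that can be re-applied safely, with a rate-limited LOG in front of the DROP. Assumed by me and not taken from the post: the chain names P2P_BLOCK and P2P_LOGDROP, the "ipp2p-drop: " log prefix, the 6/min limit, and that iptables-save is available alongside iptables.

```shell
#!/bin/sh
# Added example (not the post's own code). Installs the post's ipp2p and
# geoip rules idempotently and logs a trickle of what gets dropped.
# Chain names, log prefix and limit are my own choices, not from the post.
set -u

IPTABLES=${IPTABLES:-iptables}
IPTABLES_SAVE=${IPTABLES_SAVE:-iptables-save}

# version_ge A B: exit 0 when dotted version A >= B, comparing each
# numeric field in turn (missing fields count as 0). Fields must be numeric.
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ "$x" = "$a" ] && a='' || a=${a#*.}
        [ "$y" = "$b" ] && b='' || b=${b#*.}
        x=${x:-0}; y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
    done
    return 0
}

# check_prereqs KERNEL_RELEASE IPTABLES_VERSION: the floors named in the post.
# "2.6.32-573.3.1.el6.x86_64" -> "2.6.32"; "iptables v1.4.7" -> "1.4.7".
check_prereqs() {
    k=${1%%-*}
    i=${2#*v}
    version_ge "$k" 2.6.29 || { echo "kernel $1 is below 2.6.29" >&2; return 1; }
    version_ge "$i" 1.4.3  || { echo "iptables $2 is below 1.4.3" >&2; return 1; }
    return 0
}

# Build (or rebuild) the two helper chains. -N fails if the chain already
# exists, in which case it is flushed instead, so re-running is harmless.
setup_p2p_chains() {
    $IPTABLES -t mangle -N P2P_LOGDROP 2>/dev/null || $IPTABLES -t mangle -F P2P_LOGDROP
    $IPTABLES -t mangle -A P2P_LOGDROP -m limit --limit 6/min -j LOG --log-prefix "ipp2p-drop: "
    $IPTABLES -t mangle -A P2P_LOGDROP -j DROP

    $IPTABLES -t mangle -N P2P_BLOCK 2>/dev/null || $IPTABLES -t mangle -F P2P_BLOCK
    # Same two matcher groups the post uses: udp-capable protocols without
    # -p, tcp-only protocols with -p tcp.
    $IPTABLES -t mangle -A P2P_BLOCK -m ipp2p --edk --kazaa --bit --gnu -j P2P_LOGDROP
    $IPTABLES -t mangle -A P2P_BLOCK -p tcp -m ipp2p --ares --soul --winmx --apple --dc -j P2P_LOGDROP

    # Hook the chain into INPUT and OUTPUT only if the jump is not there yet;
    # the jump rule text is stable in iptables-save output, unlike module
    # options (the post's --src-cc is shown back as --source-country).
    for chain in INPUT OUTPUT; do
        $IPTABLES_SAVE -t mangle | grep -q -- "^-A $chain -j P2P_BLOCK\$" \
            || $IPTABLES -t mangle -I "$chain" -j P2P_BLOCK
    done
}

# The post's geoip rule, guarded the same way.
setup_geoip_block() {
    $IPTABLES_SAVE -t filter | grep -q -- "^-A INPUT -m geoip --source-country JP -j DROP\$" \
        || $IPTABLES -t filter -I INPUT -m geoip --src-cc JP -j DROP
}

# Only act when invoked as "script.sh apply", so sourcing it is side-effect free.
if [ "${1:-}" = "apply" ]; then
    check_prereqs "$(uname -r)" "$($IPTABLES --version)" || exit 1
    setup_p2p_chains
    setup_geoip_block
    $IPTABLES -t mangle -L P2P_BLOCK -nvx
fi
```

Matches show up in the kernel log with the chosen prefix (dmesg or /var/log/messages), so a burst of "ipp2p-drop" lines from a host that is not supposed to run P2P is worth a look, and the per-rule counters from `iptables -t mangle -L P2P_BLOCK -nvx` tell you which protocol group is firing. Rules added this way still vanish at reboot; persist them with `service iptables save` or iptables-save as usual.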