How to set up userspace L7-filter on Ubuntu
L7-filter is a classifier for Linux's Netfilter that identifies packets based on application layer data. It can classify packets as Kazaa, HTTP, Jabber, Citrix, Bittorrent, FTP, Gnucleus, eDonkey2000, etc., regardless of port. It complements existing classifiers that match on IP address, port numbers and so on. L7-filter is useful if you want to limit or monitor different network protocols in your network. This article assumes that you have basic knowledge of how to use the terminal and set up a Linux router.
This how-to describes the step-by-step installation of userspace L7-filter on Ubuntu Linux.
Installation
Method 1:
Add my PPA to your repository
deb http://ppa.launchpad.net/kuscsik/ubuntu hardy main
deb-src http://ppa.launchpad.net/kuscsik/ubuntu hardy main
and install the packages l7-filter-userspace and l7-protocols.
Method 2:
- Add the universe repositories to your sources list.
- Install some necessary packages
sudo apt-get install g++ build-essential
sudo apt-get install libnetfilter-conntrack-dev libnetfilter-conntrack1 libnetfilter-queue-dev libnetfilter-queue1
- Download the source package of userspace l7-filter and the archive of the protocol definitions.
- Unpack the protocol definitions and install them with
sudo make install
- Unpack the userspace l7-filter, compile and install it
tar -xzf l7-filter-userspace-v0.4.tar.gz
cd l7-filter-userspace-v0.4/
./configure
make
sudo make install
- Load a necessary kernel module and add it to the automatically loaded modules
sudo modprobe ip_conntrack_netlink
sudo bash -c "echo ip_conntrack_netlink >> /etc/modules"
Testing
Let us assume that you have an Ubuntu server with two network devices: the WAN device eth0 and the LAN device eth1. With iptables we redirect forwarded packets to userspace
sudo iptables -A FORWARD -j NFQUEUE --queue-num 0
Create an l7 config file in your favorite editor
sudo vi /etc/l7_filter.conf
and add some protocols
ssh 5
bittorrent 6
The list of all supported protocols can be found here.
From the config we can read that l7-filter will assign mark 5 to the packets of the ssh protocol and mark 6 to the bittorrent packets.
Start l7-filter in debugging mode
sudo l7-filter -vv -f /etc/l7_filter.conf
On your LAN client run a bittorrent session or make an ssh connection to an external server. If everything goes fine, l7-filter will recognize your traffic and inform you through the standard output.
Usage
Now we are able to mark the connections. The next step is to set up the traffic control. For this you can use the HTB packet scheduler.
[to be improved...]
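An added example, not part of the original article: an HTB tree on the WAN device eth0 that uses the marks from the config above (ssh 5, bittorrent 6), so it shapes upstream traffic after l7-filter has marked it in the FORWARD chain. The rates, class ids, function names and the TC dry-run variable are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: HTB shaping keyed on the marks from /etc/l7_filter.conf
# (ssh = 5, bittorrent = 6). Rates and class ids are assumed values.
# TC defaults to "echo tc" (dry run); set TC=tc and run as root to apply.
TC="${TC:-echo tc}"

# add_class DEV MINOR MARK RATE CEIL PRIO: one HTB class plus the fw
# filter that steers packets carrying netfilter mark MARK into it.
add_class() {
    $TC class add dev "$1" parent 1:1 classid "1:$2" htb rate "$4" ceil "$5" prio "$6"
    $TC filter add dev "$1" parent 1: protocol ip prio 1 handle "$3" fw flowid "1:$2"
}

# shape_by_mark DEV LINK_RATE: build the HTB tree on DEV's egress side.
shape_by_mark() {
    dev="$1"; link="$2"
    # Remove a previous root qdisc; ignore the error if there is none.
    $TC qdisc del dev "$dev" root 2>/dev/null || true
    # Root HTB qdisc; traffic without a matching mark goes to class 1:30.
    $TC qdisc add dev "$dev" root handle 1: htb default 30
    $TC class add dev "$dev" parent 1: classid 1:1 htb rate "$link"
    # ssh (mark 5): guaranteed share, top priority, may borrow up to the link rate.
    add_class "$dev" 10 5 256kbit "$link" 0
    # bittorrent (mark 6): hard cap (rate = ceil), lowest priority.
    add_class "$dev" 20 6 128kbit 128kbit 7
    # Everything else, including connections l7-filter has not classified.
    $TC class add dev "$dev" parent 1:1 classid 1:30 htb rate 512kbit ceil "$link" prio 3
}

shape_by_mark eth0 1mbit
```

The fw filter matches on the packet mark only, so a connection is shaped as bittorrent or ssh from the point where l7-filter has classified it; earlier packets fall into the default class.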
You can start l7-filter automatically at boot by adding a line to /etc/rc.local
nohup /usr/local/bin/l7-filter -f /etc/l7_filter.conf &
Warning!
This is a dangerous solution on a production server. If the program terminates unexpectedly, your users will be cut off from the internet. You should set up some kind of monitoring for the l7-filter process.
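One way to do that monitoring, as an added example that is not part of the original article: the kernel lists every NFQUEUE that has a userspace listener in /proc/net/netfilter/nfnetlink_queue, so a missing line for queue 0 means l7-filter is gone and forwarded packets are being dropped. The function names, the NFQ_PROC variable and the sample line are assumptions made for the example.

```shell
#!/bin/sh
# Added example: detect an NFQUEUE with no userspace listener.
# The kernel lists bound queues in this file, one line per queue:
#   queue_num peer_portid queue_total copy_mode copy_range
#   queue_dropped user_dropped id_sequence 1
NFQ_PROC="${NFQ_PROC:-/proc/net/netfilter/nfnetlink_queue}"

# queue_status NUM -> "bound portid=P queued=Q dropped=D" or "unbound".
# dropped = packets lost because the queue or the netlink buffer was full.
queue_status() {
    [ -r "$NFQ_PROC" ] || { echo unbound; return 0; }
    awk -v q="$1" '
        $1 == q { printf "bound portid=%s queued=%s dropped=%d\n", $2, $3, $6 + $7
                  found = 1 }
        END     { if (!found) print "unbound" }' "$NFQ_PROC"
}

# check_queue NUM: exit status for cron or a monitoring agent.
#   0 = listener bound, no drops; 1 = bound but dropping; 2 = unbound
check_queue() {
    status=$(queue_status "$1")
    case "$status" in
        unbound)    echo "CRITICAL queue $1: no listener, forwarded packets are dropped"
                    return 2 ;;
        *dropped=0) echo "OK queue $1: $status"; return 0 ;;
        *)          echo "WARNING queue $1: $status"; return 1 ;;
    esac
}

# Constructed sample: queue 0 bound by netlink port 2351, 12 packets lost.
sample=$(mktemp)
echo "    0   2351     3 2 65531    12     0     8841  1" > "$sample"
( NFQ_PROC="$sample"; check_queue 0 ) || true
rm -f "$sample"
```

Where the kernel and iptables support it, the NFQUEUE target's --queue-bypass option lets packets through when no program is bound to the queue, at the cost of that traffic going unclassified.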
You will notice that the filter uses a significant amount of system resources. You can save some computation time and memory by improving the forwarding rule.
For example, if you plan to shape the outgoing peer-to-peer connections, it is a good idea to add some port-specific selection to the userspace redirection rule
sudo iptables -A FORWARD -i eth0 -p tcp --dport 1024: -j NFQUEUE --queue-num 0
which will pass to the filter only the packets whose destination port is 1024 or higher.
I will improve this article, so please subscribe to the feed. If you have any questions or comments, don't hesitate to drop me a message.
Please read the home page of Layer 7 Userspace, http://l7-filter.sourceforge.net/HOWTO-userspace, especially the section on why it is a bad idea to use the packet filtering for service blocking.