Firewall com Iptables e Layer 7 Filter - HOWTO

Configurando o repositório

root@debian:~# vi /etc/apt/sources.list

#
deb ftp://ftp.br.debian.org/debian lenny main contrib non-free
deb-src ftp://ftp.br.debian.org/debian lenny main contrib non-free

deb http://volatile.debian.org/debian-volatile lenny/volatile main contrib non-free
deb-src http://volatile.debian.org/debian-volatile lenny/volatile main contrib non-free

deb http://security.debian.org/ lenny/updates main contrib non-free
deb-src http://security.debian.org/ lenny/updates main contrib non-free

deb ftp://ftp.br.debian.org/debian lenny-proposed-updates main contrib non-free
deb-src ftp://ftp.br.debian.org/debian lenny-proposed-updates main contrib non-free

Atualizando a lista de pacotes

root@debian:~# aptitude update

Instalando os fontes do kernel

root@debian:~# aptitude install linux-source-2.6.26 kernel-package libncurses5-dev

Descompactando o kernel source que foi baixado:

root@debian:~# cd /usr/src
root@debian:/usr/src# tar xjvf linux-source-2.6.26.tar.bz2

Baixando os pacotes necessários

• iptables-1.4.3.tar.bz2 (ftp://ftp.netfilter.org/pub/iptables/files/)
• l7-protocols-2008-12-18.tar.gz (http://ufpr.dl.sourceforge.net/sourceforge/l7-filter/)
• netfilter-layer7-v2.21.tar.gz (http://ufpr.dl.sourceforge.net/sourceforge/l7-filter/)
• patch-o-matic-ng-20090426.tar.bz2 (ftp://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot/)

Se preferir, poderá utilizar o wget para isso.

root@debian:/usr/src# wget -c http://iptables.org/projects/iptables/files/iptables-1.4.3.tar.bz2
root@debian:/usr/src# wget -c http://ufpr.dl.sourceforge.net/sourceforge/l7-filter/l7-protocols-2008-12-18.tar.gz
root@debian:/usr/src# wget -c http://ufpr.dl.sourceforge.net/sourceforge/l7-filter/netfilter-layer7-v2.21.tar.gz
root@debian:/usr/src# wget -c ftp://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot/patch-o-matic-ng-20090426.tar.bz2

Descompactando os pacotes

root@debian:/usr/src# tar xjvf iptables-1.4.3.tar.bz2
root@debian:/usr/src# tar xzvf l7-protocols-2008-12-18.tar.gz
root@debian:/usr/src# tar xzvf netfilter-layer7-v2.21.tar.gz
root@debian:/usr/src# tar xjvf patch-o-matic-ng-20090426.tar.bz2

Aplicando o patch no kernel

root@debian:/usr/src# cd linux-source-2.6.26
root@debian:/usr/src/linux-source-2.6.26# patch -p1 < ../netfilter-layer7-v2.21/kernel-2.6.25-2.6.28-layer7-2.21.patch
root@debian:/usr/src/linux-source-2.6.26# cp /boot/config-2.6.26-2-686 .config

Habilitando as opções do kernel

root@debian:/usr/src/linux-source-2.6.26# make menuconfig

(-layer7) Local version - append to kernel release Networking ---> Networking options ---> [*] Network packet filtering (replaces ipchains) ---> IP: Netfilter Configuration ---> Layer 7 match support (EXPERIMENTAL) [*] Layer 7 debugging output -->

Marcada as opções, podemos sair do menu salvando as configurações.

Compilando o kernel

root@debian:/usr/src/linux-source-2.6.26# make-kpkg clean
root@debian:/usr/src/linux-source-2.6.26# make-kpkg --initrd --us --uc kernel_image

Esse é o comando que faz a mágica.

1. - -initrd: indica que junto com o kernel deve ser criado um arquivo “initrd”.
2. - -us e - -uc: são opções pra criação do pacote pra não tentar assinar com gpg o pacote, nem criar changelog
3. “kernel_image”: é a ação que o make-kpkg vai executar. Com essa ação, ele cria um pacote Debian com a imagem do kernel.

Recompilando o Iptables

root@debian:~# cd /usr/src/iptables-1.4.3
root@debian:/usr/src/iptables-1.4.3# patch -p1 < ../netfilter-layer7-v2.21/iptables-1.4-for-kernel-2.6.20forward-layer7-2.21.patch
root@debian:/usr/src/iptables-1.4.3# chmod +x extensions/.layer7-test
root@debian:/usr/src/iptables-1.4.3# ./configure
root@debian:/usr/src/iptables-1.4.3# make KERNELDIR=/usr/src/linux-source-2.6.26
root@debian:/usr/src/iptables-1.4.3# make install KERNELDIR=/usr/src/linux-source-2.6.26
root@debian:/usr/src/iptables-1.4.3# cd /sbin
root@debian:/sbin# mv iptables iptables.OLD
root@debian:/sbin# ln -s /usr/local/sbin/iptables

Configurando o l7-protocols

root@debian:/sbin# cd /usr/src/l7-protocols-2008-12-18
root@debian:/usr/src/l7-protocols-2008-10-04# make install

Por fim, execute um script de firewall com o suporte a layer7 para realizar os bloqueios necessários. Um exemplo de script de firewall pode ser obtido em http://downloads.fabriciovc.eti.br/iptables/

Voltar