Firewall with Iptables and Layer 7 Filter - HOWTO
Configuring the repository
root@debian:~# vi /etc/apt/sources.list
# deb ftp://ftp.br.debian.org/debian lenny main contrib non-free
deb-src ftp://ftp.br.debian.org/debian lenny main contrib non-free
deb http://volatile.debian.org/debian-volatile lenny/volatile main contrib non-free
deb-src http://volatile.debian.org/debian-volatile lenny/volatile main contrib non-free
deb http://security.debian.org/ lenny/updates main contrib non-free
deb-src http://security.debian.org/ lenny/updates main contrib non-free
deb ftp://ftp.br.debian.org/debian lenny-proposed-updates main contrib non-free
deb-src ftp://ftp.br.debian.org/debian lenny-proposed-updates main contrib non-free
Updating the package list
root@debian:~# aptitude update
Installing the kernel sources
root@debian:~# aptitude install linux-source-2.6.26 kernel-package libncurses5-dev
Unpacking the kernel source that was downloaded:
root@debian:~# cd /usr/src
root@debian:/usr/src# tar xjvf linux-source-2.6.26.tar.bz2
Downloading the required packages
- iptables-1.4.3.tar.bz2 (ftp://ftp.netfilter.org/pub/iptables/files/)
- l7-protocols-2008-12-18.tar.gz (http://ufpr.dl.sourceforge.net/sourceforge/l7-filter/)
- netfilter-layer7-v2.21.tar.gz (http://ufpr.dl.sourceforge.net/sourceforge/l7-filter/)
- patch-o-matic-ng-20090426.tar.bz2 (ftp://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot/)
If you prefer, you can use wget for this.
root@debian:/usr/src# wget -c http://iptables.org/projects/iptables/files/iptables-1.4.3.tar.bz2
root@debian:/usr/src# wget -c http://ufpr.dl.sourceforge.net/sourceforge/l7-filter/l7-protocols-2008-12-18.tar.gz
root@debian:/usr/src# wget -c http://ufpr.dl.sourceforge.net/sourceforge/l7-filter/netfilter-layer7-v2.21.tar.gz
root@debian:/usr/src# wget -c ftp://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot/patch-o-matic-ng-20090426.tar.bz2
Unpacking the packages
root@debian:/usr/src# tar xjvf iptables-1.4.3.tar.bz2
root@debian:/usr/src# tar xzvf l7-protocols-2008-12-18.tar.gz
root@debian:/usr/src# tar xzvf netfilter-layer7-v2.21.tar.gz
root@debian:/usr/src# tar xjvf patch-o-matic-ng-20090426.tar.bz2
Applying the patch to the kernel
root@debian:/usr/src# cd linux-source-2.6.26
root@debian:/usr/src/linux-source-2.6.26# patch -p1 < ../netfilter-layer7-v2.21/kernel-2.6.25-2.6.28-layer7-2.21.patch
root@debian:/usr/src/linux-source-2.6.26# cp /boot/config-2.6.26-2-686 .config
Enabling the kernel options
root@debian:/usr/src/linux-source-2.6.26# make menuconfig
(-layer7) Local version - append to kernel release
Networking --->
    Networking options --->
        [*] Network packet filtering (replaces ipchains) --->
            IP: Netfilter Configuration --->
With the options checked, we can leave the menu, saving the configuration.
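Before starting the (long) kernel build it is worth confirming that menuconfig really wrote the layer7 option to .config and what release string the resulting kernel will carry, since the "Local version" entered above becomes part of the package name and of uname -r. The script below is an added example, not part of the original HOWTO; it assumes that the netfilter-layer7 patch adds the option CONFIG_NETFILTER_XT_MATCH_LAYER7, that CONFIG_LOCALVERSION_AUTO is off, and it runs against a constructed Makefile/.config pair so it can be tried anywhere (point KSRC at /usr/src/linux-source-2.6.26 to check the real tree).

```shell
#!/bin/sh
# Added example (not from the original HOWTO): sanity-check the kernel tree
# after "make menuconfig", before spending time on make-kpkg.
# Assumptions: the netfilter-layer7 patch adds CONFIG_NETFILTER_XT_MATCH_LAYER7,
# CONFIG_LOCALVERSION_AUTO is off, and the tree lives in KSRC.

KSRC="${KSRC:-/usr/src/linux-source-2.6.26}"

# Return 0 when the layer7 match is enabled built-in (=y) or as a module (=m)
# in the .config of the tree given as $1.
l7_config_enabled() {
    grep -Eq '^CONFIG_NETFILTER_XT_MATCH_LAYER7=(y|m)$' "$1/.config"
}

# Print how the option is set, or a hint when the patch was never applied
# (an unpatched tree has no such symbol at all, not even an "is not set" line).
l7_config_report() {
    grep -E 'CONFIG_NETFILTER_XT_MATCH_LAYER7' "$1/.config" \
        || echo "CONFIG_NETFILTER_XT_MATCH_LAYER7 absent: layer7 patch not applied?"
}

# Compute the release string (what "uname -r" will show) from the tree's
# Makefile and the CONFIG_LOCALVERSION entered under "Local version".
expected_release() {
    _mk="$1/Makefile"
    _v=$(sed -n 's/^VERSION *= *//p' "$_mk")
    _p=$(sed -n 's/^PATCHLEVEL *= *//p' "$_mk")
    _s=$(sed -n 's/^SUBLEVEL *= *//p' "$_mk")
    _e=$(sed -n 's/^EXTRAVERSION *= *//p' "$_mk")
    _l=$(sed -n 's/^CONFIG_LOCALVERSION="\(.*\)"$/\1/p' "$1/.config")
    echo "$_v.$_p.$_s$_e$_l"
}

# Constructed stand-in for a real kernel tree so the script runs without one.
make_demo_tree() {
    _d="${TMPDIR:-/tmp}/l7demo.$$"
    mkdir -p "$_d"
    printf 'VERSION = 2\nPATCHLEVEL = 6\nSUBLEVEL = 26\nEXTRAVERSION =\n' > "$_d/Makefile"
    printf 'CONFIG_LOCALVERSION="-layer7"\nCONFIG_NETFILTER_XT_MATCH_LAYER7=m\n' > "$_d/.config"
    echo "$_d"
}

# Replace "$demo" with "$KSRC" to check the real tree.
demo=$(make_demo_tree)
l7_config_report "$demo"
echo "expected kernel release: $(expected_release "$demo")"
if l7_config_enabled "$demo"; then
    echo "layer7 match enabled, safe to run make-kpkg"
else
    echo "layer7 match NOT enabled, go back to make menuconfig"
fi
rm -rf "$demo"
```

On the constructed tree the script reports the release as 2.6.26-layer7, which is also the name the built package and the later uname -r will carry; on the real tree an "absent" report means the patch in the previous step did not apply, and "is not set" means the option was not ticked.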
Compiling the kernel
root@debian:/usr/src/linux-source-2.6.26# make-kpkg clean
root@debian:/usr/src/linux-source-2.6.26# make-kpkg --initrd --us --uc kernel_image
This is the command that does the magic.
- --initrd: indicates that an "initrd" file should be created along with the kernel.
- --us and --uc: package-building options that tell it not to try to sign the package with gpg, nor to create a changelog.
- "kernel_image": the action make-kpkg will perform. With this action it creates a Debian package with the kernel image.
Rebuilding Iptables
root@debian:~# cd /usr/src/iptables-1.4.3
root@debian:/usr/src/iptables-1.4.3# patch -p1 < ../netfilter-layer7-v2.21/iptables-1.4-for-kernel-2.6.20forward-layer7-2.21.patch
root@debian:/usr/src/iptables-1.4.3# chmod +x extensions/.layer7-test
root@debian:/usr/src/iptables-1.4.3# ./configure
root@debian:/usr/src/iptables-1.4.3# make KERNELDIR=/usr/src/linux-source-2.6.26
root@debian:/usr/src/iptables-1.4.3# make install KERNELDIR=/usr/src/linux-source-2.6.26
root@debian:/usr/src/iptables-1.4.3# cd /sbin
root@debian:/sbin# mv iptables iptables.OLD
root@debian:/sbin# ln -s /usr/local/sbin/iptables
Configuring l7-protocols
root@debian:/sbin# cd /usr/src/l7-protocols-2008-12-18
root@debian:/usr/src/l7-protocols-2008-12-18# make install
Finally, run a firewall script with layer7 support to apply the required blocks. An example firewall script can be obtained at http://downloads.fabriciovc.eti.br/iptables/
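To make concrete what such a script does, here is an added example policy of my own; it is neither the script linked above nor any other code from the HOWTO's author. It assumes the rebuilt iptables is in PATH, that make install for l7-protocols left the .pat files under /etc/l7-protocols, and that the LAN side of the gateway is eth1 (a hypothetical interface name); the list of protocols is a constructed example. It defaults to dry-run, printing the rules it would run, and only executes them with DRY_RUN=0 on a box that is actually booted into the patched kernel.

```shell
#!/bin/sh
# Added example (not the HOWTO author's script): a small layer7 policy for a
# gateway that logs, then drops, the listed protocols on traffic forwarded
# from the LAN. Assumptions: patched iptables in PATH, pattern files under
# /etc/l7-protocols, LAN interface eth1 (hypothetical). DRY_RUN=1 (default)
# only prints the rules; DRY_RUN=0 applies them.

L7_PROTO_DIR="${L7_PROTO_DIR:-/etc/l7-protocols}"
LAN_IF="${LAN_IF:-eth1}"
DRY_RUN="${DRY_RUN:-1}"
BLOCK_PROTOS="${BLOCK_PROTOS:-bittorrent edonkey gnutella}"   # constructed policy

# Does the installed iptables understand "-m layer7"? The page replaces
# /sbin/iptables with the rebuilt binary; the old one fails this check.
iptables_has_layer7() {
    "${1:-iptables}" -m layer7 --help 2>/dev/null | grep -q -- '--l7proto'
}

# Print the names in $1 that have no <name>.pat anywhere under L7_PROTO_DIR;
# iptables refuses a rule whose --l7proto has no pattern file to load.
missing_patterns() {
    for _p in $1; do
        [ -n "$(find "$L7_PROTO_DIR" -name "$_p.pat" 2>/dev/null)" ] || echo "$_p"
    done
}

# Rules are produced as strings so they can be reviewed before being executed.
l7_drop_rule() {   # $1 chain, $2 protocol
    printf 'iptables -A %s -m layer7 --l7proto %s -j DROP\n' "$1" "$2"
}
l7_log_rule() {    # $1 chain, $2 protocol; rate-limited so syslog is not flooded
    printf 'iptables -A %s -m layer7 --l7proto %s -m limit --limit 5/min -j LOG --log-prefix "L7-%s: "\n' "$1" "$2" "$2"
}

# Emit the whole policy: a dedicated chain, log+drop per protocol, and one hook
# from FORWARD so the classifier only runs on traffic arriving from the LAN.
build_policy() {
    echo "iptables -N L7_POLICY 2>/dev/null || iptables -F L7_POLICY"
    for _p in $BLOCK_PROTOS; do
        l7_log_rule L7_POLICY "$_p"
        l7_drop_rule L7_POLICY "$_p"
    done
    echo "iptables -A FORWARD -i $LAN_IF -j L7_POLICY"
}

# Number of commands the policy expands to: 1 chain setup + 2 per protocol + 1 hook.
policy_size() { build_policy | wc -l | tr -d ' '; }

# Print (dry run) or execute each generated command, reporting any that fail.
apply_policy() {
    build_policy | while IFS= read -r _cmd; do
        if [ "$DRY_RUN" = 1 ]; then
            echo "$_cmd"
        else
            sh -c "$_cmd" || echo "failed: $_cmd" >&2
        fi
    done
}

# Main: verify prerequisites, then print or apply the policy.
_missing=$(missing_patterns "$BLOCK_PROTOS")
[ -z "$_missing" ] || echo "no pattern file for:" $_missing >&2
if [ "$DRY_RUN" = 1 ] || iptables_has_layer7; then
    apply_policy
else
    echo "iptables lacks the layer7 match; redo the 'Rebuilding Iptables' steps" >&2
fi
```

Two points worth keeping in mind when adapting this: the hook is appended to FORWARD, so if that chain already ends in a blanket ACCEPT it must be inserted (-I) ahead of it instead; and because layer7 matches by running regular expressions over the first packets of every connection it sees, confining it to one interface and a dedicated chain, as done here, keeps the CPU cost bounded on a busy gateway.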