- 浏览: 1320951 次
- 性别:
- 来自: 广州
文章分类
- 全部博客 (351)
- Java General (37)
- .net General (2)
- Linux Toy (55)
- Oracle (81)
- Mysql (11)
- Programer Career (12)
- Oh, my living ! (2)
- Shell Script (8)
- Web Service (0)
- Linux Server (22)
- Php/Python/Perl (3P) (2)
- Javascript General (5)
- Saleforce Apex Dev (2)
- Web General (5)
- Xen & VM tech. (17)
- PSP (13)
- OpenSolaris (34)
- php (1)
- RAI/flex/action script (16)
- asterisk/CTI (7)
- 交互设计 (6)
- English (3)
- Lucene (1)
最新评论
-
GuolinLee:
markmark
JVM调优总结 -Xms -Xmx -Xmn -Xss -
di1984HIT:
写的太好啊。
JVM调优总结 -Xms -Xmx -Xmn -Xss -
javajdbc:
javajdbc 写道
JVM调优总结 -Xms -Xmx -Xmn -Xss -
javajdbc:
...
JVM调优总结 -Xms -Xmx -Xmn -Xss -
alvin198761:
非常感谢,国外的被封杀了,你这里还有一份
How to Convert An Image-Based Guest To An LVM-Based Guest
How to userspace l7 filter on Ubuntu
L7-filter is a classifier for Linux's Netfilter
that identifies packets based on application layer data. It can classify packets as Kazaa, HTTP
, Jabber, Citrix, Bittorrent, FTP
, Gnucleus, eDonkey2000, etc., regardless of port. It complements existing classifiers that match on IP
address, port numbers and so on. L7 filter is usefull if you want to
limit or monitor different network protocols in your network. This
article assumes that you have the basic knowledge how to use the
terminal and set up a linux router.
This how to describes the step by step installation of Userspace L7
filter on Ubuntu Linux.
Installation
1. Method:
Add my PPA to you repository
deb http://ppa.launchpad.net/kuscsik/ubuntu hardy main deb-src http://ppa.launchpad.net/kuscsik/ubuntu hardy main
and install l7-filter-userspace
l7-protocols
2. Method:
- Add the universe repositories to your sources list.
- Install some necessary packages
sudo apt-get install g++ build-essential
sudo apt-get install libnetfilter-conntrack-dev libnetfilter-conntrack1 libnetfilter-queue-dev libnetfilter-queue1
- Download the source package of userspace l7 filter and the archive of the protocol definitions .
- Unpack the protocol definitions and install it by
sudo make install
- Unpack the userspace l7 filter, compile and install it
tar -xzf l7-filter-userspace-v0.4.tar.gz
cd l7-filter-userspace-v0.4/
sudo ./configure
sudo make
- Load a necessary kernel module and add to the automatically loaded modules
sudo modprobe ip_conntrack_netlink
sudo bash -c "echo ip_conntrack_netlink >> /etc/modules"
Testing
Let assume that you have a Ubuntu server with two network devices with
WAN device eth0
and LAN device eth1
. With iptables we redirect forwarded packages to the userspace
sudo iptables -A FORWARD -j NFQUEUE --queue-num 0
Create a l7 config file in your favorite editor
sudo vi /etc/l7_filter.conf
and add some protocols
ssh 5
bittorrent 6
The list of all supported protocols can be found here
.
From the config we can read that l7 filter will assign the mark 5 to
the packets of ssh protocol and it will sign with mark 6 the bittorrent
packets.
Start l7 filter in debuging mode
l7-filter -vv -f /etc/l7_filter.conf
On
your LAN client run a bittorrent session or make an ssh connection to
an external server. If everything goes fine l7-filter will recognize
your traffic and inform you trough the standard output.
Usage
Now, we are able to mark the connections. The next step is to set up the traffic control. For this you can use the HTB packet sheduller.
[to be improved...]
You can set up the start of l7-filter automatically by adding a line to /etc/rc.local
nohup /usr/local/bin/l7-filter -f /etc/l7-filter.conf &
Warning!
This
is a dangerous solution on a production server. If the program
terminates unexpectedly your users will be cut off from the internet.
You should set up some kind of monitoring for the l7-filter process.
You
will notice, that the filter uses significant amount of system
resources. You can save some computation time and memory by improving
the forwarding rule.
For example, if you plan to shape the outgoing
peer-to-peer connections it is a good idea to add some port specific
selection to the userspace redirection rule
sudo iptables -A FORWARD -i eth0 -p tcp --dport 1024: -j NFQUEUE --queue-num 0
which will pass to the filter only the packets targeting higher ports than 1024.
I will improve this article, so please subscribe to the feed. If
you have any question or comments don't hesitate to drop me a message.
Please read the home page of Layer 7 Userspace
http://l7-filter.sourceforge.net/HOWTO-userspace
Especially the section why it is a bad idea to use the packet filtering for service blocking.
发表评论
-
扩大虚拟机硬盘空间的方法
2010-11-18 07:53 2151虚拟机是Xen,但同样适用于KVM. 虚拟机硬盘格式为raw. ... -
挂载虚拟机镜像文件里的 LVM 逻辑分区
2010-10-08 10:52 2340如果按照 “在 CentOS ... -
apache 设置中的两个指令 EnableMMAP/EnableSendfile
2010-06-29 21:18 14035apache 中的目录为 windows 共享文件夹时,出 ... -
squid server
2010-03-25 23:01 1553For fine control you may need t ... -
lvm on xen
2010-03-25 22:18 1532Moving a Xen Guest into an LVM ... -
apache 的模块安装
2010-01-23 13:18 3715Apache HTTP服务器是一个模块化的软件,管理员可以通过 ... -
redmine & ruby 在ubuntu 上的安装笔记
2009-12-05 11:07 2515edmine & ruby 在ubuntu 上的安装笔 ... -
两台linux完美实现双机热备
2009-11-12 21:39 5882一直想做基于linux的双机热备,一直没有时间和机会。一直以 ... -
windows 无盘机,更新主机名.
2009-11-11 22:03 1376同用一个镜像的无盘机,开机后更新主机名. 写个run. ... -
如何用ssh挂载远程目录
2008-10-30 11:09 1659如何用ssh挂载远程目录 ... -
Ubuntu 中 apache2+tomcat+mod_jk
2008-09-05 07:45 23661. 分别下载jdk和tomcat, 不建议使用源里的包,因为 ... -
Virtual Hosting With Proftpd And MySQL (Incl. Quot
2008-07-07 17:48 1806This document describes how ... -
Differences Between NFS and iSCSI
2008-06-27 09:44 1413NFS and iSCSI provide funda ... -
Ssh 无密码登录的怪问题
2008-06-23 14:21 1807今天为做Oracle RAC 做ssh的免密码登陆,出现也这个 ... -
dovecot + postfix + postfixadmin 建立mail服务器中的几个事项
2008-05-27 22:48 13739我是新手! 第一次建 ... -
在UBUNTU里安装SquirrelMail邮件服务器
2008-05-27 10:24 2587我没有在UBUNTU里安装过S ... -
查看 apache2 安装了哪些模块
2008-05-26 15:23 5335root@ubuntu-idc:/# apache2ctl - ... -
使用mod_cband管理Apache 2带宽和流量
2008-02-28 22:24 1940About the module mod_cband is ... -
Apache 1.3 基于IP限制带宽
2008-02-28 14:17 1786安装步聚: /usr/local/apache/bin/ ... -
ruby on rails应用性能优化之道
2008-01-24 11:54 3607JavaEye网站从2006年9月11 ...
相关推荐
标题中的“Ubuntu Linux下安全读写NTFS分区格式文件”是指在Ubuntu Linux操作系统中,如何安全地对使用NTFS文件系统的硬盘分区进行读取和写入操作。NTFS(New Technology File System)是Windows操作系统主要使用的...
linux下的l7源代码,研究这方面的可要多看,我是菜鸟
应用层的filter代码,基于netfilter的
L7-filter is a classifier for Linux s Netfilter that identifies packets based on application layer data. It can classify packets as Kazaa, HTTP, Jabber, Citrix, Bittorrent, FTP, Gnucleus, eDonkey2000,...
- 选择一个用户空间策略(如`userspace`)。 - 编辑`/sys/devices/system/cpu/cpu0/cpufreq/scaling_governor`文件,设置为所选策略。 ##### 4.6 加载内核模块 - 使用`/etc/modules-load.d/cpufreq.conf`配置文件...
DPI分类使用,可以对流量进行分类处理,并且得到正确的分类结果
gluster fs server 安装依赖用到的rpm 包!!!!!!!!!!
离线安装包,亲测可用
离线安装包,亲测可用
MALI 400 Android应用驱动
You will discover how to detect and disinfect kernel-mode rootkits, and move on to analyze static code. Finally, you will be walked through complex userspace memory infection analysis. This book ...
You will discover how to detect and disinfect kernel-mode rootkits, and move on to analyze static code. Finally, you will be walked through complex userspace memory infection analysis., This book ...
官方离线安装包,测试可用。使用rpm -ivh [rpm完整包名] 进行安装
GSO training, ASAP2 training about how to enable sriov, how to use ovs in userspace, kernel and eswitch
离线安装包,亲测可用
官方离线安装包,测试可用。使用rpm -ivh [rpm完整包名] 进行安装
离线安装包,亲测可用
Additionally, he maintains the udev and hotplug userspace programs and contributes to Linux Journal magazine. #### Key Topics Covered in the Book 1. **Overview of Linux Kernel Architecture**: - ...
《dm-log-userspace-base.rar_The Base》是一个开源项目,遵循GNU Lesser General Public License(LGPL)v2.13.6版。这个压缩包主要包含了一个名为`dm-log-userspace-base.c`的源代码文件,它揭示了与Linux设备驱动...
libusb is an open source library that allows you to communicate with USB devices from userspace. For more info, see the libusb homepage. This documentation is aimed at application developers wishing ...