How To Set Up A Linux Layer 7 Packet Classifier On CentOS 5.1
Introduction
This tutorial walks you through setting up a Linux layer 7 packet classifier on CentOS 5.1. It can easily be adapted to any other Linux distribution.
L7-filter is a classifier for Linux Netfilter that identifies packets based on patterns in application-layer data.
This allows correct classification of P2P traffic.
It can classify traffic such as Kazaa, HTTP, Jabber, Citrix, Bittorrent, FTP, Gnucleus, eDonkey2000, etc., including protocols that use unpredictable ports as well as standard protocols running on non-standard ports.
It complements existing classifiers that match on IP address, port numbers and so on. http://l7-filter.sourceforge.net/
1) Download required packages
1.1) Download L7-filter kernel
wget http://downloads.sourceforge.net/l7-filter/netfilter-layer7-v2.19.tar.gz
1.2) Download L7-filter userspace
wget http://downloads.sourceforge.net/l7-filter/l7-filter-userspace-0.7.tar.gz
1.3) Download L7-filter Protocol definitions
wget http://downloads.sourceforge.net/l7-filter/l7-protocols-2008-04-23.tar.gz
Important Note: Always download the latest version of L7-filter from http://sourceforge.net/project/showfiles.php?group_id=80085
1.4) Download Linux Iptables 1.4.0
wget http://www.netfilter.org/projects/iptables/files/iptables-1.4.0.tar.bz2
1.5) Download Linux Kernel 2.6.26
wget http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.26.tar.bz2
2) Install L7-filter
Open a terminal and run:
tar -xvf linux-2.6.26.tar.bz2
tar -xvf netfilter-layer7-v2.19.tar.gz
2.1) Apply patch to Linux kernel source
cd linux-2.6.26
patch -p1 < ../netfilter-layer7-v2.19/kernel-2.6.25-layer7-2.19.patch
2.2) Apply patch & install iptables 1.4.0
# go back to the directory that holds the downloaded archives
cd ..
tar -xvf iptables-1.4.0.tar.bz2
cd iptables-1.4.0
patch -p1 < ../netfilter-layer7-v2.19/iptables-1.4-for-kernel-2.6.20forward-layer7-2.19.patch
chmod +x extensions/.layer7-test
make KERNEL_DIR=~/linux-2.6.26
make install KERNEL_DIR=~/linux-2.6.26
3) Installing protocol definitions
# go back to the directory that holds the downloaded archives
cd ..
tar -xvf l7-protocols-2008-04-23.tar.gz
cd l7-protocols-2008-04-23
mkdir -p /etc/l7-protocols
cp protocols/* /etc/l7-protocols
4) Compiling & installing new linux kernel
cd ../linux-2.6.26
make menuconfig
make all
make modules_install
make install
Important Note: In make menuconfig you must enable the following options (these locations are correct for Linux 2.6.26, but they tend to move around a lot, so you may have to go hunting if you have a different kernel version):
* "Network packet filtering framework (Netfilter)" (Networking → Networking options)
* "Netfilter connection tracking support" (... → Network packet filtering framework (Netfilter) → Core Netfilter Configuration)
* "Connection tracking flow accounting" (on the same screen)
* Finally, "Layer 7 match support"
* Optional but highly recommended: lots of other Netfilter options, notably "FTP support" and other matches. If you don't know what you're doing, go ahead and enable all of them.
5) Check GRUB setting
vim /etc/grub.conf
It must look like this:
default=0
timeout=3
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
title CentOS (2.6.26)
        root (hd0,0)
        kernel /vmlinuz-2.6.26 ro root=/dev/VolGroup00/LogVol00 rhgb quiet
        initrd /initrd-2.6.26.img
title CentOS (2.6.18-53.el5)
        root (hd0,0)
        kernel /vmlinuz-2.6.18-53.el5 ro root=/dev/VolGroup00/LogVol00 rhgb quiet
        initrd /initrd-2.6.18-53.el5.img
6) Finally
Well, we are done. Restart the system and enjoy.
reboot
7) Test l7-filter
iptables -m layer7 --help
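To see what the definitions copied to /etc/l7-protocols in step 3 do once the match is available, here is an added example (not part of the original tutorial or of the l7-filter project) that parses files in the .pat layout and classifies the first bytes of a connection regardless of port. The patterns and flows are constructed for illustration, the max_bytes limit is an assumption of this example, and Python's re module stands in for the kernel's regex matcher.

```python
import re

# Constructed, simplified definitions in the l7-protocols .pat layout:
# '#' lines are comments, the first remaining line is the protocol name,
# the next one is the regular expression. Not the shipped patterns.
SAMPLE_PATS = {
    "ssh.pat": "# SSH (constructed)\nssh\n^ssh-[12]\\.[0-9]\n",
    "http.pat": "# HTTP request line (constructed)\nhttp\n"
                "^(get|post|head) [\\x09-\\x0d -~]* http/[01]\\.[019]\n",
    "bittorrent.pat": "# BitTorrent handshake (constructed)\nbittorrent\n"
                      "^\\x13bittorrent protocol\n",
}

# Constructed flows: (destination port, first bytes sent on the connection).
FLOWS = [
    (22,   b"SSH-2.0-OpenSSH_4.3\r\n"),
    (8443, b"SSH-2.0-OpenSSH_4.3\r\n"),                # SSH on a non-standard port
    (80,   b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    (80,   b"\x13BitTorrent protocol" + b"\x00" * 8),  # P2P hiding on port 80
    (443,  b"\x16\x03\x01\x00\x2f"),                   # no definition loaded
]

def parse_pat(text):
    """Return (protocol name, compiled regex) from the text of one .pat file."""
    lines = [ln.strip() for ln in text.splitlines()]
    lines = [ln for ln in lines if ln and not ln.startswith("#")]
    if len(lines) < 2:
        raise ValueError("need a protocol name line and a pattern line")
    name, pattern = lines[0], lines[1]
    # The kernel version of l7-filter matches case-insensitively, so the
    # stand-in regex is compiled with IGNORECASE over raw bytes.
    return name, re.compile(pattern.encode("latin-1"), re.IGNORECASE)

def classify(payload, protocols, max_bytes=2048):
    """Name of the first protocol whose pattern matches the start of the stream."""
    data = payload[:max_bytes]  # only the beginning of a connection is inspected
    for name, rx in protocols:
        if rx.search(data):
            return name
    return "unknown"

def classify_flows(flows=FLOWS, pats=SAMPLE_PATS):
    """Classify every sample flow; the port is carried along but never consulted."""
    protocols = [parse_pat(text) for text in pats.values()]
    return [(port, classify(data, protocols)) for port, data in flows]

if __name__ == "__main__":
    for port, proto in classify_flows():
        print(f"dport {port:>5} -> {proto}")
```

The two port-80 flows end up in different classes and the SSH session on port 8443 is still labelled ssh, which is the behaviour a port-based rule cannot give you.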
Have fun!