1. Easy to understand for beginner Linux users
2. Easy to understand because it is written in Indonesian
Background
This tutorial was written because of the many requests from masterpop3 readers asking how to block p2p traffic. Most of the requests came from internet cafe (warnet) owners/operators, network operators and network admins who do not want their networks disrupted by p2p programs/traffic: a single user running p2p can degrade the traffic of the whole network.
Introduction
After googling here and there I finally found the keyword for the solution above: the 'layer7' iptables module, which we will call L7-filter from here on.
L7-filter is a module for Linux Netfilter (iptables) that identifies packets by their application-layer data. Traffic recognised at this layer includes Kazaa, HTTP, Jabber, Citrix, BitTorrent, FTP, Gnutella, eDonkey, eMule, LimeWire and so on, regardless of source/destination port. This makes it a perfect complement to matching on IP address, port number and the like.
L7-filter features
Feature L7-filter
* Patches for Linux 2.4 and 2.6
* Support for TCP, UDP and ICMP over IPv4
* Uses Netfilter’s connection tracking of FTP, IRC, etc
* Examines data across multiple packets
* Number of packets examined tunable on the fly through /proc
* Number of bytes examined tunable at module load time
* Distinguishes between new connections (those still being tested) and old unidentified connections
* Gives access to both Netfilter and QoS (rate limiting) features
* With the Netfilter “helper” match, you can distinguish between parent and child connections (e.g. ftp command/data)
Purpose:
I built this L7-filter implementation with the following goals:
1. blocking p2p traffic with iptables
2. limiting p2p traffic with QoS (such as cbq/htb)
Note: not every user should necessarily be restricted by L7-filter; that decision is yours as the person in charge of the network. If you want what I described in the goals above, let's continue with our project.
Installation
Time to tear our Linux PC apart. First, prepare the tools.
The tools needed are:
1. kernel 2.6 or kernel 2.4 source, downloaded from kernel.org
2. iptables source from netfilter.org
3. the l7-filter kernel patch package (netfilter-layer7-vX.Y.tar.gz)
4. the protocol definitions package (l7-protocols-YYYY-MM-DD.tar.gz)
Kernel Patch
In this test I used kernel 2.6.18 on Fedora 6. The steps are as follows:
1. download kernel 2.6.18 from kernel.org
Installasi
Saatnya kita obrak-abrik PC Linux kita. Pertama siapkan peralatan.
Peralatan yang dibutuhkan adalah :
1. source kernel 2.6 atau kernel 2.4 download dari kernel.org
2. source iptables dari netfilter.org
3. paket patch l7-filter kernel version (netfilter-layer7-vX.Y.tar.gz)
4. paket file Protocol definitions (l7-protocols-YYYY-MM-DD.tar.gz)
Kernel Patch
Dalam ujicoba ini saya menggunakan kernel 2.6.18 di fedora-6. langkah-langkahnya sebagai berikut :
1. download kernel 2.6.18 dari kernel.org
~]# mkdir /download
~]# cd /download
~]# wget http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.18.tar.bz2
~]# tar xjf linux-2.6.18.tar.bz2 -C /usr/src/
~]# ln -s /usr/src/linux-2.6.18 /usr/src/linux
2. download the l7-filter kernel version
~]# cd /download
~]# wget http://optusnet.dl.sourceforge.net/sourceforge/l7-filter/netfilter-layer7-v2.7.tar.gz
~]# tar xzf netfilter-layer7-v2.7.tar.gz
3. Patch the kernel with the Layer7 patch
~]# cd /usr/src/linux
~]# patch -p1 < /download/netfilter-layer7-v2.7/kernel-2.6.18-layer7-2.7.patch
patching file include/linux/netfilter_ipv4/ip_conntrack.h
patching file include/linux/netfilter_ipv4/ipt_layer7.h
patching file net/ipv4/netfilter/Kconfig
patching file net/ipv4/netfilter/Makefile
patching file net/ipv4/netfilter/ip_conntrack_core.c
patching file net/ipv4/netfilter/ip_conntrack_standalone.c
patching file net/ipv4/netfilter/ipt_layer7.c
patching file net/ipv4/netfilter/regexp/regexp.c
patching file net/ipv4/netfilter/regexp/regexp.h
patching file net/ipv4/netfilter/regexp/regmagic.h
patching file net/ipv4/netfilter/regexp/regsub.c
4. Time to compile and install the kernel
~]# make menuconfig
- "Prompt for development and/or incomplete code/drivers" (under "Code maturity level options")
- "Network packet filtering" (Networking -> Networking support -> Networking Options)
- "Netfilter Xtables support" (Network packet filtering -> Core Netfilter Configuration)
- "Connection tracking" (... -> Network packet filtering -> IP: Netfilter Configuration -> Connection tracking)
- "Connection tracking flow accounting" and "IP tables support" (on the same screen)
- And finally, "Layer 7 match support"
- Next you get to choose which of these are built as modules and which are compiled into the kernel (built-in)
Some users have reported kernel crashes when using SMP with l7-filter, while others report that their SMP systems run normally.
If you have a multi-CPU machine, test it first before using it on a production server.
~]# make
~]# make modules_install install
Iptables Patch
To patch iptables, you must already have compiled and installed the kernel source.
Download the iptables source from netfilter.org
~]# cd /download
~]# wget http://netfilter.org/projects/iptables/files/iptables-1.3.5.tar.bz2
~]# tar xjf iptables-1.3.5.tar.bz2
~]# cd iptables-1.3.5
~]# patch -p1 < /download/netfilter-layer7-v2.7/iptables-layer7-2.7.patch
patching file extensions/.layer7-test
patching file extensions/libipt_layer7.c
patching file extensions/libipt_layer7.man
~]# chmod +x extensions/.layer7-test
Before running 'make', make sure you have checked and adjusted the iptables install PREFIX directories in the 'Makefile'.
~]# vi Makefile
PREFIX:=/usr
LIBDIR:=/lib
BINDIR:=/sbin
MANDIR:=/usr/share/man
INCDIR:=$(PREFIX)/include
~]# make KERNEL_DIR=/usr/src/linux
~]# make install KERNEL_DIR=/usr/src/linux
Protocol Definitions (Pattern Files)
Time to install the protocol definition files for the layer7-filter module.
Download the protocol definitions file
~]# cd /download
~]# wget http://optusnet.dl.sourceforge.net/sourceforge/l7-filter/l7-protocols-2006-12-12.tar.gz
~]# tar xzf l7-protocols-2006-12-12.tar.gz
~]# cd l7-protocols-2006-12-12
~]# make install
The 'make install' above only copies the protocol pattern files into the /etc/l7-protocols directory:
~]# mkdir -p /etc/l7-protocols
~]# cp -R * /etc/l7-protocols
Once everything is installed, reboot your Linux PC.
Setting up iptables to block p2p
The official site actually advises against blocking. Why? Let's ask.
I'll just quote it:
Blocking?
Don’t. Here’s why:
- l7-filter matching isn’t foolproof: there may be both false positives (one protocol can look like another) and false negatives (applications can do obscure things that we didn’t count on). Patterns that are known to regularly generate false positives are marked “overmatching” on the protocols page, but others may also do so occasionally.
- Almost every type of Internet traffic has legitimate uses. For instance, P2P protocols, while widely used to violate copyright, are also an efficient way to distribute open source software and legally free music.
- Programs can respond to being blocked by port-hopping, switching between TCP and UDP, opening a new connection for every trivial operation, using encryption, or employing other evasion tactics. Trying to block such protocols has consequences on two levels:
  - In the case of port/protocol-hopping, you make it harder for yourself to identify protocols that already act this way.
  - You encourage programmers to include these “features” in new programs, making it harder for everyone in the future. For example: In early 2006, Bittorrent started moving towards end-to-end encryption because many networks were either blocking it or severely restricting its bandwidth.
- l7-filter patterns are not generally designed with blocking in mind. We consider a protocol to be well identified if the identification is useful for controlling its bandwidth. This means, for instance, that for P2P applications, we do not focus on catching connections that are not downloads.
- Blocking with l7-filter provides no security, since any reasonably determined person can easily circumvent it.
Instead of dropping packets you don’t like, we recommend using Linux QoS to restrict their bandwidth usage. See the next section. If you insist on using l7-filter to drop packets, make sure you have investigated other options first, such as the features of your HTTP proxy (useful for worms).
How to set up iptables to block p2p traffic
We intercept the traffic in the mangle table, in the PREROUTING chain.
iptables -t mangle -A PREROUTING -m layer7 --l7proto 100bao -j DROP
iptables -t mangle -A PREROUTING -m layer7 --l7proto applejuice -j DROP
iptables -t mangle -A PREROUTING -m layer7 --l7proto ares -j DROP
iptables -t mangle -A PREROUTING -m layer7 --l7proto bittorrent -j DROP
iptables -t mangle -A PREROUTING -m layer7 --l7proto directconnect -j DROP
iptables -t mangle -A PREROUTING -m layer7 --l7proto edonkey -j DROP
iptables -t mangle -A PREROUTING -m layer7 --l7proto fasttrack -j DROP
iptables -t mangle -A PREROUTING -m layer7 --l7proto freenet -j DROP
iptables -t mangle -A PREROUTING -m layer7 --l7proto gnucleuslan -j DROP
iptables -t mangle -A PREROUTING -m layer7 --l7proto gnutella -j DROP
iptables -t mangle -A PREROUTING -m layer7 --l7proto goboogy -j DROP
iptables -t mangle -A PREROUTING -m layer7 --l7proto hotline -j DROP
iptables -t mangle -A PREROUTING -m layer7 --l7proto imesh -j DROP
iptables -t mangle -A PREROUTING -m layer7 --l7proto kugoo -j DROP
iptables -t mangle -A PREROUTING -m layer7 --l7proto mute -j DROP
iptables -t mangle -A PREROUTING -m layer7 --l7proto napster -j DROP
iptables -t mangle -A PREROUTING -m layer7 --l7proto openft -j DROP
iptables -t mangle -A PREROUTING -m layer7 --l7proto poco -j DROP
iptables -t mangle -A PREROUTING -m layer7 --l7proto soribada -j DROP
iptables -t mangle -A PREROUTING -m layer7 --l7proto soulseek -j DROP
iptables -t mangle -A PREROUTING -m layer7 --l7proto tesla -j DROP
iptables -t mangle -A PREROUTING -m layer7 --l7proto thecircle -j DROP
iptables -t mangle -A PREROUTING -m layer7 --l7proto xunlei -j DROP
eMule p2p falls under the edonkey proto
Kazaa p2p falls under the fasttrack proto
LimeWire p2p falls under the gnutella proto
If you also want to block DAP (Download Accelerator Plus):
iptables -t mangle -A PREROUTING -m layer7 --l7proto http-dap -j DROP
Block Fresh Download:
iptables -t mangle -A PREROUTING -m layer7 --l7proto http-freshdownload -j DROP
Block AudioGalaxy p2p:
iptables -t mangle -A PREROUTING -m layer7 --l7proto audiogalaxy -j DROP
And if you want to block RPM files (the package files of Redhat/FC and SUSE):
iptables -t mangle -A PREROUTING -m layer7 --l7proto rpm -j DROP
Also block malware-type traffic:
iptables -t mangle -A PREROUTING -m layer7 --l7proto code_red -j DROP
iptables -t mangle -A PREROUTING -m layer7 --l7proto nimda -j DROP
For the full list, see the protocol definitions file:
http://l7-filter.sourceforge.net/protocols
Viewing the p2p block rule statistics
Type: ~]# watch iptables -t mangle -L -v
Every 2.0s: iptables -t mangle -L -v Thu Dec 14 21:29:46 2006
Chain PREROUTING (policy ACCEPT 83 packets, 5657 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all -- any any anywhere anywhere LAYER7 l7proto 100bao
10 8091 DROP all -- any any anywhere anywhere LAYER7 l7proto fasttrack
48 12091 DROP all -- any any anywhere anywhere LAYER7 l7proto gnutella
Limiting p2p traffic bandwidth
To limit p2p traffic bandwidth, L7-filter can be combined with cbq or htb QoS by mangling the packets (a MARK rule):
Example:
iptables -t mangle -A PREROUTING -m layer7 --l7proto edonkey -j MARK --set-mark 0x3
Then configure your cbq or htb file with the parameter MARK=3.
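The shell helper below is an added example, not part of the original tutorial. It generates the mangle/PREROUTING rules from a protocol list, either in DROP form (the blocking setup above) or MARK form (the QoS setup with mark 0x3), skips any protocol that has no pattern file installed (iptables would otherwise refuse the rule), and summarises which rules are actually matching traffic from the output of 'iptables -t mangle -L -v'. It assumes the pattern files were installed as <proto>.pat somewhere under /etc/l7-protocols (overridable with L7DIR); the counter output at the end is a constructed sample.

```shell
#!/bin/sh
# Added example, not from the original tutorial. Assumption: pattern files are
# installed as <proto>.pat somewhere under /etc/l7-protocols (override with L7DIR).
L7DIR="${L7DIR:-/etc/l7-protocols}"

# A few p2p protocols from the tutorial's block list
# (eMule = edonkey, Kazaa = fasttrack, LimeWire = gnutella).
P2P_PROTOS="bittorrent edonkey fasttrack gnutella directconnect ares"

# Return 0 if a pattern file for protocol $1 exists under L7DIR, else 1.
l7_has_pattern() {
    [ -n "$(find "$L7DIR" -name "$1.pat" 2>/dev/null | head -n 1)" ]
}

# Print one mangle/PREROUTING rule per protocol. $1 is DROP (blocking) or
# MARK (set fwmark 0x3 for the cbq/htb class); the remaining args are protocols.
# A protocol without a pattern file is skipped with a warning on stderr.
l7_rules() {
    action="$1"; shift
    for proto in "$@"; do
        if ! l7_has_pattern "$proto"; then
            echo "skip $proto: no $proto.pat under $L7DIR" >&2
            continue
        fi
        case "$action" in
            DROP) echo "iptables -t mangle -A PREROUTING -m layer7 --l7proto $proto -j DROP" ;;
            MARK) echo "iptables -t mangle -A PREROUTING -m layer7 --l7proto $proto -j MARK --set-mark 0x3" ;;
            *) echo "unknown action: $action" >&2; return 1 ;;
        esac
    done
}

# Read 'iptables -t mangle -L -v' output on stdin and print "proto pkts bytes"
# for every layer7 rule whose packet counter is non-zero, i.e. the rules that
# are actually matching traffic on this box.
l7_hits() {
    awk '/LAYER7 l7proto/ && $1 != "0" {
        for (i = 1; i <= NF; i++) if ($i == "l7proto") print $(i + 1), $1, $2
    }'
}

# Constructed sample of the counter output shown in the tutorial (for a stand-alone run).
SAMPLE='Chain PREROUTING (policy ACCEPT 83 packets, 5657 bytes)
 pkts bytes target prot opt in out source destination
    0     0 DROP   all  --  any  any  anywhere anywhere LAYER7 l7proto 100bao
   10  8091 DROP   all  --  any  any  anywhere anywhere LAYER7 l7proto fasttrack
   48 12091 DROP   all  --  any  any  anywhere anywhere LAYER7 l7proto gnutella'

# Usage: print the rules (pipe into sh to apply them), then summarise the counters.
l7_rules DROP $P2P_PROTOS
printf '%s\n' "$SAMPLE" | l7_hits      # fasttrack 10 8091 / gnutella 48 12091
```

To audit the live firewall instead of the sample, run 'iptables -t mangle -L -v | l7_hits' as root.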