-
Notifications
You must be signed in to change notification settings - Fork 2
Netfilter userland plugin for L7 URL filtering (school project, not for real-life use!)
License
zdianjiang/netfilter_url_l7_filtering
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Folders and files
Name | Name | Last commit message | Last commit date | |
---|---|---|---|---|
Repository files navigation
An url-based http/ftp filtering extension for NetFilter. Licensing: This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 2 of the License, or (at your option) any later version. It is based on code from the following projects: libnetfilter-queue (svn-r7519), released under GPLv2 license libnetfilter-conntrack (svn-r7519), released under GPLv2 license l7-filter (userspace-0.4), released under GPLv2 license google-perftools (0.79), released under modified BSD license google-psvm (1.0), released under Apache License 2.0 boost library, released under Boost Software License All third-party code used in this program is either licensed in GPLv2 by the author, or released with a GPLv2-compatible license. Authors: This program was written by S. Jacob, J. Whitbeck and V. Zanotti as part of an university project at TELECOM ParisTech (http://www.enst.fr/). Purpose: This program offers url filtering capabilities for http and ftp connections. Based on the NFQUEUE netfilter mechanism, it can intercept, parse, and classify http and ftp connections using user-defined rules. Although the classifier will resist to many bypass tricks (such as packet fragmentation), it was not designed to handle tcp packet re-ordering, and bypass by using HTTP's KeepAlive connections. Dependencies: libnetfilter-queue (http://www.netfilter.org/projects/libnetfilter_queue/) libnetfilter-conntrack (http://www.netfilter.org/projects/libnetfilter_conntrack/) in-kernel support for nf_conntrack, nfnetlink, nfnetlink_queue, and nf_conntrack_netlink kernel >= 2.6.18 google-gflags (http://code.google.com/p/google-gflags/) Boost regex library How to install dependencies on Debian: apt-get libnetfilter-conntrack-dev libnetfilter-queue-dev libboost-regex-dev wget http://google-gflags.googlecode.com/files/libgoogle-gflags-dev_0.8-1_i386.deb wget http://google-gflags.googlecode.com/files/libgoogle-gflags0_0.8-1_i386.deb dpkg -i libgoogle-gflags-dev_0.8-1_i386.deb libgoogle-gflags0_0.8-1_i386.deb How to install dependencies on Fedora Core: yum install libnetfilter_conntrack-devel libnetfilter_queue-devel boost-devel wget http://google-gflags.googlecode.com/files/gflags-devel-0.8-1.i386.rpm wget http://google-gflags.googlecode.com/files/gflags-0.8-1.i386.rpm yum --nogpgcheck localinstall gflags-devel-0.8-1.i386.rpm gflags-0.8-1.i386.rpm How to install dependencies on Gentoo: echo "dev-cpp/gflags ~amd64" >> /etc/portage/package.keywords emerge -va net-libs/libnetfilter_queue net-libs/libnetfilter_conntrack dev-cpp/gflags dev-libs/boost Urlfilter configuration / usage: Basically, it should be used as "urlfilter --rules <path/to/the/rules>". Rules are each written on their own line; lines starting with "#" are comments. The basic rule format is: mark=<mark> proto=<ftp|http> [method=<method> | method_re=<method regex>] [url=<url regex> | url_maxsize=<size>] Where: - regex are standard unix regex (ex: ^.*\.pdf^ to match pdf urls); - method is the method used in the protocol (GET/POST/PUT/...); - when url_maxsize is used, urls whose size is above this size will be marked; - mark is the NFQUEUE mark that will be put on packets, for later use by iptables (cf. infra). See rules.example for examples of rules. Netfilter/iptable configuration example: A basic iptables configuration could be: # Redirects all packets to and from port 80 to the urlfilter. iptables -A FORWARD -m tcp -p tcp --dport 80 -j NFQUEUE --queue-num 0 iptables -A FORWARD -m tcp -p tcp --sport 80 -j NFQUEUE --queue-num 0 # Matches mark on post-filter (let us suppose that 0-2 is no match, # 3 is url above 255 chars, and 4 is url ending with .pdf). # We have to use a chain downstream to the initial matching rule # (mangle/POSTROUTING is after filter/FORWARD). iptables -t mangle -A POSTROUTING -m mark --mark 3 -j LOG --log-prefix "Url too long " iptables -t mangle -A POSTROUTING -m mark --mark 4 -j REJECT
About
Netfilter userland plugin for L7 URL filtering (school project, not for real-life use!)
Resources
License
Stars
Watchers
Forks
Releases
No releases published
Packages 0
No packages published