zdianjiang / netfilter_url_l7_filtering Goto Github PK

An url-based http/ftp filtering extension for NetFilter.

Licensing:
  This program is free software: you can redistribute it and/or modify
  it under the terms of the GNU General Public License as published by
  the Free Software Foundation, either version 2 of the License, or
  (at your option) any later version.

  It is based on code from the following projects:
    libnetfilter-queue (svn-r7519), released under GPLv2 license
    libnetfilter-conntrack (svn-r7519), released under GPLv2 license
    l7-filter (userspace-0.4), released under GPLv2 license
    google-perftools (0.79), released under modified BSD license
    google-psvm (1.0), released under Apache License 2.0
    boost library, released under Boost Software License

  All third-party code used in this program is either licensed in GPLv2 by the
  author, or released with a GPLv2-compatible license.

Authors:
  This program was written by S. Jacob, J. Whitbeck and V. Zanotti as part of
  an university project at TELECOM ParisTech (http://www.enst.fr/).

Purpose:
  This program offers url filtering capabilities for http and ftp connections.
  Based on the NFQUEUE netfilter mechanism, it can intercept, parse, and
  classify http and ftp connections using user-defined rules.

  Although the classifier will resist to many bypass tricks (such as packet
  fragmentation), it was not designed to handle tcp packet re-ordering, and
  bypass by using HTTP's KeepAlive connections.

Dependencies:
  libnetfilter-queue (http://www.netfilter.org/projects/libnetfilter_queue/)
  libnetfilter-conntrack (http://www.netfilter.org/projects/libnetfilter_conntrack/)
  in-kernel support for nf_conntrack, nfnetlink, nfnetlink_queue, and nf_conntrack_netlink
  kernel >= 2.6.18
  google-gflags (http://code.google.com/p/google-gflags/)
  Boost regex library

  How to install dependencies on Debian:
    apt-get libnetfilter-conntrack-dev libnetfilter-queue-dev libboost-regex-dev
    wget http://google-gflags.googlecode.com/files/libgoogle-gflags-dev_0.8-1_i386.deb
    wget http://google-gflags.googlecode.com/files/libgoogle-gflags0_0.8-1_i386.deb
    dpkg -i libgoogle-gflags-dev_0.8-1_i386.deb libgoogle-gflags0_0.8-1_i386.deb

  How to install dependencies on Fedora Core:
    yum install libnetfilter_conntrack-devel libnetfilter_queue-devel boost-devel
    wget http://google-gflags.googlecode.com/files/gflags-devel-0.8-1.i386.rpm
    wget http://google-gflags.googlecode.com/files/gflags-0.8-1.i386.rpm
    yum --nogpgcheck localinstall gflags-devel-0.8-1.i386.rpm gflags-0.8-1.i386.rpm

  How to install dependencies on Gentoo:
    echo "dev-cpp/gflags ~amd64" >> /etc/portage/package.keywords
    emerge -va net-libs/libnetfilter_queue net-libs/libnetfilter_conntrack dev-cpp/gflags dev-libs/boost

Urlfilter configuration / usage:
  Basically, it should be used as "urlfilter --rules <path/to/the/rules>".
  Rules are each written on their own line; lines starting with "#" are comments.
  The basic rule format is:
    mark=<mark> proto=<ftp|http> [method=<method> | method_re=<method regex>] [url=<url regex> | url_maxsize=<size>]

  Where:
    - regex are standard unix regex (ex: ^.*\.pdf^ to match pdf urls);
    - method is the method used in the protocol (GET/POST/PUT/...);
    - when url_maxsize is used, urls whose size is above this size will be marked;
    - mark is the NFQUEUE mark that will be put on packets, for later use by iptables (cf. infra).

  See rules.example for examples of rules.

Netfilter/iptable configuration example:
  A basic iptables configuration could be:
    # Redirects all packets to and from port 80 to the urlfilter.
    iptables -A FORWARD -m tcp -p tcp --dport 80 -j NFQUEUE --queue-num 0
    iptables -A FORWARD -m tcp -p tcp --sport 80 -j NFQUEUE --queue-num 0

    # Matches mark on post-filter (let us suppose that 0-2 is no match,
    # 3 is url above 255 chars, and 4 is url ending with .pdf).
    # We have to use a chain downstream to the initial matching rule
    # (mangle/POSTROUTING is after filter/FORWARD).
    iptables -t mangle -A POSTROUTING -m mark --mark 3 -j LOG --log-prefix "Url too long "
    iptables -t mangle -A POSTROUTING -m mark --mark 4 -j REJECT