By 周海汉
Download the source:
xxx@yyy:~$ svn checkout http://scholarzhang.googlecode.com/svn/trunk/ scholarzhang-read-only
Environment
xxx@yyy:~/scholarzhang-read-only/west-chamber$ iptables --version
iptables v1.4.4
xxx@yyy:~/scholarzhang-read-only/west-chamber$ uname -a
Linux zhh64 2.6.31-20-generic #58-Ubuntu SMP Fri Mar 12 04:38:19 UTC 2010 x86_64 GNU/Linux
Build:
autoconf, automake and libtool have to be installed first.
xxx@yyy:~/scholarzhang-read-only/west-chamber$ ./autogen.sh
./autogen.sh: line 3: autoreconf: command not found
xxx@yyy:~/scholarzhang-read-only/west-chamber$ autoconf
The program 'autoconf' can be found in the following packages:
- autoconf
- autoconf2.13
Try: sudo apt-get install <selected package>
autoconf: command not found
xxx@yyy:~/scholarzhang-read-only/west-chamber$ sudo apt-get install autoconf
xxx@yyy:~/scholarzhang-read-only/west-chamber$ ./autogen.sh
Can't exec "libtoolize": No such file or directory at /usr/bin/autoreconf line 190.
Use of uninitialized value $libtoolize in pattern match (m//) at /usr/bin/autoreconf line 190.
configure.ac:9: error: possibly undefined macro: AC_DISABLE_STATIC
If this token and others are legitimate, please use m4_pattern_allow.
See the Autoconf documentation.
configure.ac:10: error: possibly undefined macro: AC_PROG_LIBTOOL
autoreconf: /usr/bin/autoconf failed with exit status: 1
xxx@yyy:~/scholarzhang-read-only/west-chamber$ sudo apt-get install libtool
The following extra packages will be installed:
libltdl-dev
Suggested packages:
libtool-doc gfortran fortran95-compiler gcj
The following NEW packages will be installed:
libltdl-dev libtool
xxx@yyy:~/scholarzhang-read-only/west-chamber$ ./autogen.sh
libtoolize: putting auxiliary files in `.'.
libtoolize: copying file `./config.guess'
libtoolize: copying file `./config.sub'
libtoolize: copying file `./install-sh'
libtoolize: copying file `./ltmain.sh'
libtoolize: putting macros in AC_CONFIG_MACRO_DIR, `m4'.
libtoolize: copying file `m4/libtool.m4'
libtoolize: copying file `m4/ltoptions.m4'
libtoolize: copying file `m4/ltsugar.m4'
libtoolize: copying file `m4/ltversion.m4'
libtoolize: copying file `m4/lt~obsolete.m4'
configure.ac:8: installing `./compile'
configure.ac:6: installing `./missing'
extensions/ipset/Makefile.am: installing `./depcomp'
Running configure without arguments I saw no errors, and none from make or make install either. But when I went to add the iptables rule, I found there was no ZHANG rule.
xxx@yyy:~/scholarzhang-read-only/west-chamber$ ./configure
...
checking for libxtables... configure: error: Package requirements (xtables >= 1.4.3) were not met:
No package 'xtables' found
Consider adjusting the PKG_CONFIG_PATH environment variable if you
installed software in a non-standard prefix.
Alternatively, you may set the environment variables libxtables_CFLAGS
and libxtables_LIBS to avoid the need to call pkg-config.
See the pkg-config man page for more details.
xxx@yyy:~/scholarzhang-read-only/west-chamber$ sudo apt-cache search xtables
iptables-dev - iptables development files
xtables-addons-common - Userspace components of xtables-addons
xtables-addons-source - Source for the xtables-addons driver
xxx@yyy:~/scholarzhang-read-only/west-chamber$ sudo apt-get install iptables-dev
xxx@yyy:~/scholarzhang-read-only/west-chamber$ ./configure
xxx@yyy:~/scholarzhang-read-only/west-chamber$ make
xxx@yyy:~/scholarzhang-read-only/west-chamber$ sudo make install
No errors.
xxx@yyy:~/scholarzhang-read-only/west-chamber$ sudo ipset -R
-N YOUTUBE nethash --hashsize 50 --probes 1
-A YOUTUBE 64.15.112.0/20
-A YOUTUBE 82.129.37.0/24
-A YOUTUBE 208.65.152.0/22
-A YOUTUBE 208.117.224.0/19
-A YOUTUBE 213.146.171.0/24
COMMIT
xxx@yyy:~/scholarzhang-read-only/west-chamber$ sudo ipset -R
-N NOCLIP setlist --size 4
-A NOCLIP GOOGLE
-A NOCLIP YOUTUBE
COMMIT
xxx@yyy:~/scholarzhang-read-only/west-chamber$ sudo iptables -A INPUT -p tcp --sport 80 --tcp-flags FIN,SYN,RST,ACK SYN,ACK -m state --state ESTABLISHED -m set --match-set NOCLIP src -j ZHANG -m comment --comment "client-side connection obfuscation"
iptables v1.4.4: Couldn't load target `ZHANG':/lib/xtables/libipt_ZHANG.so: cannot open shared object file: No such file or directory
Re-run configure as described in INSTALL, so that the extensions are installed under /lib/xtables, where this iptables looks for them:
xxx@yyy:~/scholarzhang-read-only/west-chamber$ ./configure CFLAGS="" --prefix=/usr --libexecdir=/lib
xxx@yyy:~/scholarzhang-read-only/west-chamber$ make
xxx@yyy:~/scholarzhang-read-only/west-chamber$ sudo make install
No errors.
Check the installed files; they are all there:
xxx@yyy:~/scholarzhang-read-only/west-chamber$ ls /lib/xtables/ -tl
total 1272
-rwxr-xr-x 1 root root 13605 2010-03-31 10:24 libipset_setlist.so
-rwxr-xr-x 1 root root 13367 2010-03-31 10:24 libipset_portmap.so
-rwxr-xr-x 1 root root 13606 2010-03-31 10:24 libipset_nethash.so
-rwxr-xr-x 1 root root 13895 2010-03-31 10:24 libipset_macipmap.so
-rwxr-xr-x 1 root root 13657 2010-03-31 10:24 libipset_iptreemap.so
-rwxr-xr-x 1 root root 13578 2010-03-31 10:24 libipset_iptree.so
-rwxr-xr-x 1 root root 18127 2010-03-31 10:24 libipset_ipportnethash.so
-rwxr-xr-x 1 root root 17955 2010-03-31 10:24 libipset_ipportiphash.so
-rwxr-xr-x 1 root root 13833 2010-03-31 10:24 libipset_ipporthash.so
-rwxr-xr-x 1 root root 13610 2010-03-31 10:24 libipset_ipmap.so
-rwxr-xr-x 1 root root 13404 2010-03-31 10:24 libipset_iphash.so
-rwxr-xr-x 1 root root 8308 2010-03-31 10:24 libxt_gfw.so
-rwxr-xr-x 1 root root 8324 2010-03-31 10:24 libxt_ZHANG.so
-rwxr-xr-x 1 root root 8314 2010-03-31 10:24 libxt_CUI.so
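The failure above (modules installed under the default prefix while this iptables only searches /lib/xtables) is easy to re-introduce on the next rebuild, so it is worth a check that does not depend on remembering the configure flags. The script below is an added example, not part of the west-chamber project or of the original post: it works out the directory this iptables searches (the XTABLES_LIBDIR environment variable honoured by libxtables if set, otherwise the xtlibdir variable of xtables.pc via pkg-config, falling back to the /lib/xtables path from the error message) and verifies that libxt_ZHANG.so, libxt_CUI.so and libxt_gfw.so are there. The module names are taken from the listing above; the script name and the pkg-config lookup are assumptions about the build host.

```shell
#!/bin/sh
# install_check.sh (added example, not a west-chamber file): confirm that
# "make install" put the iptables extensions where iptables will find them.
#
# iptables 1.4.x loads libxt_NAME.so from its compiled-in xtlibdir, which
# xtables.pc exports as the pkg-config variable "xtlibdir"; libxtables also
# honours $XTABLES_LIBDIR.  A plain "./configure && make install" targets
# /usr/local instead, which is why the first "-j ZHANG" above failed with
# "Couldn't load target".

# xtables_libdir: print the directory this iptables searches for extensions.
xtables_libdir() {
    if [ -n "${XTABLES_LIBDIR:-}" ]; then
        printf '%s\n' "$XTABLES_LIBDIR"
    elif command -v pkg-config >/dev/null 2>&1 &&
         pkg-config --exists xtables 2>/dev/null; then
        pkg-config --variable=xtlibdir xtables
    else
        # Ubuntu's iptables 1.4.4 default, taken from the error message above.
        printf '%s\n' /lib/xtables
    fi
}

# missing_modules DIR NAME...: print each NAME whose libxt_NAME.so is absent
# from DIR; the return value is the number of missing modules (0 = all present).
missing_modules() {
    dir=$1; shift
    missing=0
    for name in "$@"; do
        if [ ! -f "$dir/libxt_$name.so" ]; then
            printf '%s\n' "$name"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# check_install: run the check against the live system and print the
# configure flag that would put the modules in the right place.
check_install() {
    dir=$(xtables_libdir)
    if missing_modules "$dir" ZHANG CUI gfw >/dev/null; then
        echo "all west-chamber extensions present in $dir"
        return 0
    fi
    echo "extensions missing from $dir; re-run configure with"
    echo "  ./configure --prefix=/usr --libexecdir=$(dirname "$dir")"
    echo "so that the modules are installed into $dir, then make && make install"
    return 1
}

# Only touch the live system when invoked as: sh install_check.sh --run
if [ "${1:-}" = "--run" ]; then
    check_install
fi
```

Run it after every make install; if it reports missing modules, the libexecdir it prints is the one to pass to configure (for the iptables above that is --libexecdir=/lib, matching the INSTALL instructions).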
Now configure the rules according to USAGE:
1. ZHANG: client-side connection obfuscation
xxx@yyy:~/scholarzhang-read-only/west-chamber$ sudo iptables -A INPUT -p tcp --sport 80 --tcp-flags FIN,SYN,RST,ACK SYN,ACK -m state --state ESTABLISHED -m set --match-set NOCLIP src -j ZHANG -m comment --comment "client-side connection obfuscation"
2. CUI: server-side connection obfuscation
xxx@yyy:~/scholarzhang-read-only/west-chamber$ sudo iptables -A INPUT -p tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -m set --match-set CHINA src -j CUI -m comment --comment "server-side connection obfuscation"
iptables v1.4.4: Set CHINA doesn't exist.
xxx@yyy:~/scholarzhang-read-only/west-chamber$ sudo ipset -R < ./examples/CHINA
xxx@yyy:~/scholarzhang-read-only/west-chamber$ sudo iptables -A INPUT -p tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -m set --match-set CHINA src -j CUI -m comment --comment "server-side connection obfuscation"
3. Log GFW resets to syslog
xxx@yyy:~/scholarzhang-read-only/west-chamber$ sudo iptables -A INPUT -p tcp --sport 80 -m state --state ESTABLISHED -m gfw -j LOG --log-level info --log-prefix "gfw: " -m comment --comment "log gfw tcp resets"
4. Countering GFW DNS hijacking
Either edit /etc/resolv.conf directly and add
nameserver 8.8.8.8
or edit dhclient.conf:
xxx@yyy:~/scholarzhang-read-only/west-chamber$ sudo vi /etc/dhcp3/dhclient.conf
Find the prepend domain-name-servers line, uncomment it, and list 8.8.8.8 and other DNS servers outside the wall after it.
To make dhclient apply it: ifconfig eth0 down; ifconfig eth0 up
Saving the iptables rules:
xxx@yyy:~/scholarzhang-read-only/west-chamber$ sudo iptables-save > /etc/iptables.up.rules
bash: /etc/iptables.up.rules: Permission denied
(sudo only runs iptables-save as root; the redirection to /etc is done by the unprivileged shell, so it fails. A root shell fixes that:)
xxx@yyy:~/scholarzhang-read-only/west-chamber$ sudo -s
root@zhh64:~/scholarzhang-read-only/west-chamber# iptables-save > /etc/iptables.up.rules
root@zhh64:~/scholarzhang-read-only/west-chamber# exit
exit
xxx@yyy:~/scholarzhang-read-only/west-chamber$ sudo vi /etc/network/interfaces
Add:
pre-up iptables-restore < /etc/iptables.up.rules
so that the firewall rules are still in effect after a reboot.
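Steps 1 to 3 and the save step above are one procedure, and two things in the transcript bite again at boot time: the saved rules reference the sets NOCLIP and CHINA, so they must be restored after the ipsets (otherwise iptables-restore fails the same way the "Set CHINA doesn't exist" error did), and the saved file must be written by a privileged shell. The script below is an added example, not part of the post or of the west-chamber project: it emits the three USAGE rules as an iptables-restore file (loading such a file replaces the filter table, so re-running it never duplicates rules the way repeated -A does), refuses to load them while a referenced set is missing, saves both ipset and iptables state, and prints the two pre-up lines in the right order. The file name /etc/ipset.up.rules and the function names are my assumptions.

```shell
#!/bin/sh
# west-chamber-rules.sh (added example, not a project file): generate the
# USAGE rules as an iptables-restore file, persist ipset + iptables state,
# and print the /etc/network/interfaces hooks that reload them in order.
# File names are assumptions; override them via the environment.

RULES_FILE=${RULES_FILE:-/etc/iptables.up.rules}
IPSET_FILE=${IPSET_FILE:-/etc/ipset.up.rules}

# build_rules: the three rules from USAGE in iptables-save format (filter table).
build_rules() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp --sport 80 --tcp-flags FIN,SYN,RST,ACK SYN,ACK -m state --state ESTABLISHED -m set --match-set NOCLIP src -m comment --comment "client-side connection obfuscation" -j ZHANG
-A INPUT -p tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -m set --match-set CHINA src -m comment --comment "server-side connection obfuscation" -j CUI
-A INPUT -p tcp --sport 80 -m state --state ESTABLISHED -m gfw -m comment --comment "log gfw tcp resets" -j LOG --log-level info --log-prefix "gfw: "
COMMIT
EOF
}

# count_target FILE NAME: number of rules in FILE that jump to target NAME.
count_target() {
    grep -cE "(^| )-j $2( |$)" "$1"
}

# referenced_sets FILE: the ipset names the rules depend on, one per line.
referenced_sets() {
    sed -n 's/.*--match-set \([^ ]*\).*/\1/p' "$1" | sort -u
}

# missing_sets FILE: print referenced sets that are not loaded in the kernel;
# the return value is the number missing (0 = safe to run iptables-restore).
missing_sets() {
    n=0
    for s in $(referenced_sets "$1"); do
        if ! ipset -L "$s" >/dev/null 2>&1; then
            printf '%s\n' "$s"
            n=$((n + 1))
        fi
    done
    return "$n"
}

# apply_and_save: load the rules and persist everything.  Must run as root so
# the redirections below are opened by a privileged shell; "sudo iptables-save
# > file" fails because sudo runs iptables-save but the user's shell opens file.
apply_and_save() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "run as root: sudo sh $0 --run" >&2
        return 1
    fi
    tmp=$(mktemp) || return 1
    build_rules > "$tmp"
    if ! missing=$(missing_sets "$tmp"); then
        echo "load these ipsets first (ipset -R < ./examples/NAME): $missing" >&2
        rm -f "$tmp"
        return 1
    fi
    iptables-restore < "$tmp" || { rm -f "$tmp"; return 1; }
    rm -f "$tmp"
    ipset -S > "$IPSET_FILE"          # all sets, in "ipset -R" format
    iptables-save > "$RULES_FILE"
}

# interfaces_hooks: pre-up lines for /etc/network/interfaces.  The ipsets are
# restored first because the rules cannot be loaded without them.
interfaces_hooks() {
    printf 'pre-up ipset -R < %s\n' "$IPSET_FILE"
    printf 'pre-up iptables-restore < %s\n' "$RULES_FILE"
}

case "${1:-}" in
    --run)   apply_and_save ;;
    --hooks) interfaces_hooks ;;
esac
```

Usage: `sudo sh west-chamber-rules.sh --run` after the ipsets from examples/ are loaded, then `sh west-chamber-rules.sh --hooks` to see the two lines to paste under the interface stanza in /etc/network/interfaces.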
Check:
xxx@yyy:~/scholarzhang-read-only/west-chamber$ host -t A twitter.com
twitter.com has address 93.46.8.89
Unless marked as a repost, everything here is original. This site follows the Creative Commons (CC) licence; please credit the source when reposting.
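One caveat on that check: 93.46.8.89 is itself one of the well-known bogus addresses that poisoned DNS answers for blocked names have pointed at, so an answer like the one above does not show that the resolver change took effect; the result has to be compared with what an outside resolver returns. The script below is an added example, not part of the post or the project: it parses `host -t A` output, flags answers that fall in a short list of documented poison addresses (illustrative, not exhaustive; maintain your own), and, when run live, asks 8.8.8.8 over TCP with dig for a second opinion, TCP being the usual workaround of the time for injected UDP answers. The sample host output in the test is constructed.

```shell
#!/bin/sh
# dns_check.sh (added example, not a west-chamber file): tell a poisoned A
# answer from a real one.  The addresses below are a handful of the widely
# documented bogus answers; the list is illustrative, not complete.
BOGUS_ANSWERS="93.46.8.89 59.24.3.173 203.98.7.65 243.185.187.39 8.7.198.45 37.61.54.158 46.82.174.68 78.16.49.15 159.106.121.75"

# a_records: read "host -t A NAME" output on stdin, print the IPv4 answers.
a_records() {
    sed -n 's/^.* has address \([0-9.]*\)$/\1/p'
}

# is_bogus IP: return 0 if IP is one of the known poisoned answers.
is_bogus() {
    for b in $BOGUS_ANSWERS; do
        [ "$1" = "$b" ] && return 0
    done
    return 1
}

# classify: read host output on stdin, print "<ip> bogus" or "<ip> ok" per
# answer; return 1 if any answer is a known poisoned address.
classify() {
    rc=0
    for ip in $(a_records); do
        if is_bogus "$ip"; then
            printf '%s bogus\n' "$ip"
            rc=1
        else
            printf '%s ok\n' "$ip"
        fi
    done
    return $rc
}

# check_name NAME: live comparison of the system resolver (UDP, via host)
# against 8.8.8.8 queried over TCP (dig +tcp).  Disagreement, or a "bogus"
# line, means the answer you are using is not the real one.
check_name() {
    name=$1
    echo "system resolver ($name):"
    host -t A "$name" | classify || echo "  -> poisoned answer from the system resolver"
    echo "8.8.8.8 over TCP ($name):"
    dig +tcp +short @8.8.8.8 "$name" A | sed 's/^/  /'
}

if [ "${1:-}" = "--run" ]; then
    check_name "${2:-twitter.com}"
fi
```

Run `sh dns_check.sh --run twitter.com`; only when the system resolver's answer is not flagged and matches the TCP answer from 8.8.8.8 has the DNS change in step 4 actually worked.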