禁止浏览器访问80端口:
iptables -I OUTPUT -p tcp -m string --string HTTP --algo kmp --dport 80 -j DROP
代码:
#include <linux/kernel.h>
#include <linux/init.h>
#include <linux/module.h>
#include <linux/version.h>
#include <linux/string.h>
#include <linux/kmod.h>
#include <linux/vmalloc.h>
#include <linux/workqueue.h>
#include <linux/spinlock.h>
#include <linux/socket.h>
#include <linux/net.h>
#include <linux/in.h>
#include <linux/skbuff.h>
#include <linux/ip.h>
#include <linux/tcp.h>
#include <linux/netfilter.h>
#include <linux/netfilter_ipv4.h>
#include <linux/icmp.h>
#include <net/sock.h>
#include <asm/uaccess.h>
#include <asm/unistd.h>
//#include "inet_addr.h"
/* Module metadata. */
MODULE_AUTHOR("xsc");
MODULE_LICENSE("GPL");

/*
 * Netfilter hook registration record. Filled in by kexec_test_init() and
 * passed to nf_unregister_hook() by kexec_test_exit(); file scope so both
 * paths see the same object.
 */
static struct nf_hook_ops nfho;
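/* Destination port whose outgoing TCP segments are dropped. */
enum { BLOCKED_TCP_DPORT = 80 };

/*
 * Netfilter hook (NF_INET_LOCAL_OUT, PF_INET): drop every locally generated
 * TCP segment whose destination port is BLOCKED_TCP_DPORT, accept everything
 * else. Only locally originated traffic passes this hook; forwarded packets
 * are not affected. Note that this is coarser than the iptables string-match
 * rule quoted above: it drops all TCP to port 80, not only segments that
 * contain "HTTP".
 *
 * @hooknum, @in, @out, @okfn: unused, kept for the hook signature.
 * @skb: packet under inspection; read in place, never modified or copied.
 * Returns NF_DROP or NF_ACCEPT.
 *
 * The original version did skb_copy(skb, 1) on every packet and never freed
 * the copy (a per-packet leak, with a bogus gfp argument); the headers are
 * readable from @skb directly, so no copy is made.
 */
unsigned int hook_func(unsigned int hooknum,
		       struct sk_buff *skb,
		       const struct net_device *in,
		       const struct net_device *out,
		       int (*okfn)(struct sk_buff *))
{
	const struct iphdr *iph;
	const struct tcphdr *tcph;
	unsigned int ihl;

	if (!skb)
		return NF_ACCEPT;

	iph = ip_hdr(skb);
	if (!iph || iph->protocol != IPPROTO_TCP)
		return NF_ACCEPT;

	/* ihl is in 32-bit words; reject a header shorter than the fixed part. */
	ihl = iph->ihl * 4;
	if (ihl < sizeof(*iph))
		return NF_ACCEPT;

	/*
	 * Only touch the TCP header if it lies entirely within the linear
	 * part of the skb; otherwise let the packet through rather than read
	 * past the buffer.
	 */
	if (skb_network_offset(skb) + ihl + sizeof(*tcph) > skb_headlen(skb))
		return NF_ACCEPT;

	tcph = (const struct tcphdr *)((const unsigned char *)iph + ihl);
	if (ntohs(tcph->dest) == BLOCKED_TCP_DPORT)
		return NF_DROP;

	return NF_ACCEPT;
}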
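/*
 * Module entry point: install hook_func on the IPv4 LOCAL_OUT chain with the
 * highest priority so it runs before any other hook.
 *
 * Returns 0 on success, or the negative error code from nf_register_hook()
 * (the original ignored that return value and reported success regardless).
 */
static int __init kexec_test_init(void)
{
	int ret;

	printk(KERN_INFO "kexec test start ...\n");

	nfho.hook = hook_func;
	/* Pin this module while the hook is registered. */
	nfho.owner = THIS_MODULE;
	nfho.pf = PF_INET;
	nfho.hooknum = NF_INET_LOCAL_OUT;
	nfho.priority = NF_IP_PRI_FIRST;

	ret = nf_register_hook(&nfho);
	if (ret < 0) {
		printk(KERN_ERR "kexec test: nf_register_hook failed: %d\n", ret);
		return ret;
	}
	return 0;
}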
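/*
 * Module exit point: remove the hook installed by kexec_test_init(). Must
 * only run after a successful init, which module_exit guarantees.
 */
static void __exit kexec_test_exit(void)
{
	/* Log with an explicit level so the message is not printed at the default one. */
	printk(KERN_INFO "kexec test exit ...\n");
	nf_unregister_hook(&nfho);
}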
/* Register the load/unload entry points with the module loader. */
module_init(kexec_test_init);
module_exit(kexec_test_exit);