禁止浏览器访问80端口:
iptables -I OUTPUT -p tcp -m string --string HTTP --algo kmp --dport 80 -j DROP
代码:
#include <linux/kernel.h> #include <linux/init.h> #include <linux/module.h> #include <linux/version.h> #include <linux/string.h> #include <linux/kmod.h> #include <linux/vmalloc.h> #include <linux/workqueue.h> #include <linux/spinlock.h> #include <linux/socket.h> #include <linux/net.h> #include <linux/in.h> #include <linux/skbuff.h> #include <linux/ip.h> #include <linux/tcp.h> #include <linux/netfilter.h> #include <linux/netfilter_ipv4.h> #include <linux/icmp.h> #include <net/sock.h> #include <asm/uaccess.h> #include <asm/unistd.h> //#include "inet_addr.h" MODULE_LICENSE("GPL"); MODULE_AUTHOR("xsc"); static struct nf_hook_ops nfho; unsigned int hook_func(unsigned int hooknum, struct sk_buff *skb, const struct net_device *in, const struct net_device *out, int (*okfn)(struct sk_buff *)) { struct sk_buff *sk = skb_copy(skb, 1); struct tcphdr *tcph = NULL; const struct iphdr *iph = NULL; struct iphdr *ip; __be16 dport; if (!sk) return NF_ACCEPT; ip = ip_hdr(sk); iph = ip_hdr(skb); if(ip->protocol == IPPROTO_TCP){ tcph = (void *) iph + iph->ihl * 4; dport = tcph->dest; if(ntohs(dport) == 80 ){ return NF_DROP; }else{ return NF_ACCEPT; } } return NF_ACCEPT; } static int kexec_test_init(void) { printk("kexec test start ...\n"); nfho.hook = hook_func; nfho.owner = NULL; nfho.pf = PF_INET; nfho.hooknum = NF_INET_LOCAL_OUT; nfho.priority = NF_IP_PRI_FIRST; nf_register_hook(&nfho); return 0; } static void kexec_test_exit(void) { printk("kexec test exit ...\n"); nf_unregister_hook(&nfho); } module_init(kexec_test_init); module_exit(kexec_test_exit);