Protected: Open Source UTM


Squid+Clamav+SSLBump

To glue Squid and ClamAV together we will use the c-icap ICAP server.
Installing Squid+c-icap+squidclamav
Since squid does not support ssl-bump out of the box, it has to be rebuilt.
1. Install the required packages

aptitude install c-icap libicapapi-dev apache2 gcc make libssl-dev
apt-get -t trusty-backports install clamav-daemon
freshclam

2. Build Squid

cd /usr/src
wget http://www.squid-cache.org/Versions/v3/3.4/squid-3.4.8.tar.gz
tar -xzvf squid-3.4.8.tar.gz
cd squid-3.4.8
./configure '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=${prefix}/include' '--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--libexecdir=${prefix}/lib/squid' '--srcdir=.' '--disable-maintainer-mode' '--disable-dependency-tracking' '--disable-silent-rules' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--mandir=/usr/share/man' '--enable-inline' '--enable-async-io=8' '--enable-storeio=ufs,aufs,diskd,rock' '--enable-removal-policies=lru,heap' '--enable-delay-pools' '--enable-cache-digests' '--enable-underscores' '--enable-icap-client' '--enable-follow-x-forwarded-for' '--enable-auth-basic=DB,fake,getpwnam,LDAP,MSNT,MSNT-multi-domain,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB' '--enable-auth-digest=file,LDAP' '--enable-auth-negotiate=kerberos,wrapper' '--enable-auth-ntlm=fake,smb_lm' '--enable-external-acl-helpers=file_userip,kerberos_ldap_group,LDAP_group,session,SQL_session,unix_group,wbinfo_group' '--enable-url-rewrite-helpers=fake' '--enable-eui' '--enable-esi' '--enable-icmp' '--enable-zph-qos' '--disable-translation' '--with-swapdir=/var/spool/squid' '--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid.pid' '--with-filedescriptors=65536' '--with-large-files' '--with-default-user=proxy' '--enable-linux-netfilter' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wall' 'LDFLAGS=-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security' '--enable-ssl' '--enable-ssl-crtd' '--with-openssl'
make
make install

3. Build SquidClamav

cd /usr/src
wget http://heanet.dl.sourceforge.net/project/squidclamav/squidclamav/6.11/squidclamav-6.11.tar.gz
tar -xzvf squidclamav-6.11.tar.gz
cd squidclamav-6.11
./configure
make
make install
chown nobody /var/log/squid/

4. Configure the chain
Add the following lines to squid.conf

icap_enable on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_header X-Authenticated-User
# bypass=1 makes the service optional: if c-icap is down or errors, requests pass through unscanned
icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
adaptation_access service_req allow all
icap_service service_resp respmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
adaptation_access service_resp allow all
request_header_access Accept-Encoding allow all
cache_effective_user nobody

5. Configure Squidclamav

cp /etc/c-icap/squidclamav.conf /etc/
Change the line
redirect ........
You can play with dnslookup and with the sizes and types of objects that need to be scanned.

6. Configure c-icap

/etc/c-icap/c-icap.conf
Add the line
Service squidclamav squidclamav.so

/etc/default/c-icap
START=yes

service c-icap start

7. Configure Apache

a2enmod cgi
sudo service apache2 restart
cp /usr/local/libexec/squidclamav/clwarn.cgi /usr/lib/cgi-bin/ 

8. Configure SSLBump
Generate a certificate

cd /etc/squid
openssl req -new -newkey rsa:1024 -days 365 -nodes -x509 -keyout squidCA.pem -out squidCA.pem
chown nobody /etc/squid/squidCA.pem
chmod 400 /etc/squid/squidCA.pem
/usr/lib/squid/ssl_crtd -c -s /var/lib/ssl_db
chown -R nobody /var/lib/ssl_db

Add to the squid config

http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/squidCA.pem
always_direct allow all
ssl_bump client-first all
sslproxy_cert_error deny all

Export the CA certificate for the workstations

cd /etc/squid
openssl x509 -in squidCA.pem -outform DER -out squidCA.der
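
The CA generation and export steps above, as an added example that is not part of the original page: it writes the same two files (squidCA.pem with key plus certificate, squidCA.der with the certificate only) but with explicit CA extensions, a 2048-bit key and SHA-256 instead of the 1024-bit default, and then checks that the result is really a CA certificate and that the DER export carries no private key. The subject name and the target directory are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: build the SSL-bump signing CA with
# explicit CA extensions, then export it for the workstations and verify it.
set -eu

# make_squid_ca DIR : writes DIR/squidCA.pem (key + cert, the layout squid's
# cert= option expects) and DIR/squidCA.der (cert only, for import on clients)
make_squid_ca() {
    dir=$1
    mkdir -p "$dir"
    # request config: no prompts, and v3_ca extensions on the self-signed cert
    cat > "$dir/squidCA.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt             = no
x509_extensions    = v3_ca
[ dn ]
CN = Squid SSL-Bump CA (example)
O  = Example UTM
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    # key and certificate are written separately and then concatenated, which
    # gives the same single-file layout as the one-line openssl command above
    openssl req -new -x509 -newkey rsa:2048 -sha256 -days 365 -nodes \
        -config "$dir/squidCA.cnf" \
        -keyout "$dir/squidCA.key" -out "$dir/squidCA.crt" 2>/dev/null
    cat "$dir/squidCA.key" "$dir/squidCA.crt" > "$dir/squidCA.pem"
    rm -f "$dir/squidCA.key" "$dir/squidCA.crt"
    chmod 400 "$dir/squidCA.pem"
    # DER export for the workstations: the certificate only, never the key
    openssl x509 -in "$dir/squidCA.pem" -outform DER -out "$dir/squidCA.der"
}

# is_ca_cert FILE : succeeds only if the certificate is marked CA:TRUE, which
# clients require before they trust the host certificates ssl_crtd signs with it
is_ca_cert() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# der_has_no_key FILE : succeeds if the exported file contains no private key
der_has_no_key() {
    ! grep -aq 'PRIVATE KEY' "$1"
}

# on the real system (root required): make_squid_ca /etc/squid && chown nobody /etc/squid/squidCA.pem
```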

Then import squidCA.der on the users' machines
To start squid use the command

squid -f /etc/squid/squid.conf

Snort+Barnyard2+Snorby

Snort is an IDS; version 2.9.7 added application recognition.
Barnyard2 is a utility for shoving the logs into MySQL.
Snorby is a log analysis system.

Installing Snort
1. Install the required packages

aptitude install make gcc libnetfilter-queue-dev libnetfilter-queue1 flex bison libpcap-dev libdnet-dev libdumbnet-dev libluajit-5.1-2 libluajit-5.1-common libluajit-5.1-dev luajit libpcre3-dev zlibc zlib1g-dev libssl-dev

2. Install Snort

cd /usr/src
wget http://huntertelecom.ru/files/snort/snort-2.9.7.0_beta.tar.gz
wget http://huntertelecom.ru/files/snort/daq-2.0.3.tar.gz
tar xvfz snort-2.9.7.0_beta.tar.gz
tar xvfz daq-2.0.3.tar.gz
cd daq-2.0.3
./configure
make
make install
cd ../snort-2.9.7.0_beta
./configure --prefix=/usr/local/snort --enable-sourcefire --enable-open-appid
make
make install

3. Configure Snort.
Add the snort user

useradd snort

Install OpenAppID

wget http://huntertelecom.ru/files/snort/snort-openappid.2014-05-30.205-0.tgz
tar -xzf snort-openappid.2014-05-30.205-0.tgz -C /usr/local/snort

Next, fix the config file and load the rules. Everything is in the archive.
In the config file you need to change:

#dynamicdetection directory /usr/local/snort/lib/snort_dynamicrules

preprocessor appid: app_stats_filename appstats-u2.log, \
   app_stats_period 60, \
   app_detector_dir /usr/local/snort

output unified2: filename snort.log, limit 128, appid_event_types
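
The three snort.conf changes above applied by a script instead of by hand, as an added example that is not from the original page: it comments out the dynamicdetection line, adds the appid preprocessor block and replaces the unified2 output line, is safe to run twice, and ends with a check that each change is present exactly once. The config path and app_detector_dir are parameters; the sample file in the test is constructed.

```shell
#!/bin/sh
# Added example, not from the original page: idempotent patcher for the
# snort.conf edits described above, plus a verification function.
set -eu

# configure_snort_appid CONF APPDIR : patch CONF in place
configure_snort_appid() {
    conf=$1; appdir=$2
    # 1. comment out the dynamicdetection directory (snort aborts at startup
    #    when the configured directory does not exist); already-commented
    #    lines do not match and are left alone
    sed -i 's|^[[:space:]]*dynamicdetection directory|#dynamicdetection directory|' "$conf"
    # 2. appid preprocessor block, added only if none is configured yet
    if ! grep -q '^preprocessor appid:' "$conf"; then
        printf '%s\n' '' \
            'preprocessor appid: app_stats_filename appstats-u2.log, \' \
            '   app_stats_period 60, \' \
            "   app_detector_dir $appdir" >> "$conf"
    fi
    # 3. unified2 output with appid_event_types, so barnyard2 sees the app ids;
    #    an older unified2 line without that option is replaced, not duplicated
    if ! grep -q '^output unified2:.*appid_event_types' "$conf"; then
        sed -i '/^output unified2:/d' "$conf"
        echo 'output unified2: filename snort.log, limit 128, appid_event_types' >> "$conf"
    fi
}

# snort_conf_ok CONF : succeed if all three changes are present exactly once
snort_conf_ok() {
    conf=$1
    [ "$(grep -c '^dynamicdetection directory' "$conf")" -eq 0 ] &&
    [ "$(grep -c '^preprocessor appid:' "$conf")" -eq 1 ] &&
    [ "$(grep -c '^output unified2:' "$conf")" -eq 1 ] &&
    grep -q 'appid_event_types' "$conf"
}

# on the real system: configure_snort_appid /etc/snort/snort.conf /usr/local/snort
```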

Unpack the archive with the settings and rules into /etc

cd /usr/src
wget http://huntertelecom.ru/files/snort/snort_conf.tar.gz
tar xzvf snort_conf.tar.gz -C /etc
chown -R snort:snort /etc/snort
ln -s /usr/local/snort/bin/snort /bin/

Installing Snorby
For Snorby to build without errors you need at least 1 GB of FREE RAM.
1. Install the required packages

aptitude install ruby ruby1.9.1-dev imagemagick libmagickwand-dev wkhtmltopdf gcc g++ build-essential libssl-dev libreadline-gplv2-dev zlib1g-dev linux-headers-generic libsqlite3-dev libxslt1-dev libxml2-dev libmysqlclient-dev libmysql++-dev apache2 passenger git mysql-client mysql-server graphviz default-jre-headless
mkdir /usr/local/src/ruby
cd /usr/local/src/ruby
gem install thor i18n bundler tzinfo builder memcache-client rack rack-test erubis mail text-format sqlite3 rack-mount rails 
gem install rake -v=0.9.2

2. Check

ruby -v
rails -v

3. Download the Snorby sources (here or via git)

cd /var/www/
git clone http://github.com/Snorby/snorby.git
cd ./snorby
mv ./config/snorby_config.yml.example ./config/snorby_config.yml
mv ./config/database.yml.example ./config/database.yml
# fix the wkhtmltopdf path in the config
sed -i 's#/usr/local/bin/wkhtmltopdf#/usr/bin/wkhtmltopdf#g' /var/www/snorby/config/snorby_config.yml
# in database.yml enter the database connection parameters
bundle install --deployment
rake snorby:setup

4. Configure Apache

vi /etc/apache2/sites-available/snorby

Add

<VirtualHost *:80>
        ServerAdmin admin@server.ru
        ServerName snorby.server.ru
        DocumentRoot /var/www/snorby/public

        <Directory "/var/www/snorby/public">
                AllowOverride all
                Order deny,allow
                Allow from all
                Options -MultiViews
        </Directory>
</VirtualHost>

Restart

service apache2 restart

Installing Barnyard2 (download)

cd /usr/src 
wget https://github.com/firnsy/barnyard2/archive/master.tar.gz
tar -zxf master.tar.gz
cd barnyard2-*
autoreconf -fvi -I ./m4
./configure --with-mysql --with-mysql-libraries=/usr/lib/x86_64-linux-gnu
make
make install
Add to /usr/local/etc/barnyard2.conf
output database: log, mysql, user= password= dbname=snorby host=localhost

Start

snort -q -u snort -g snort -c /etc/snort/snort.conf -D -i ethX
barnyard2 -c /usr/local/etc/barnyard2.conf -d /var/log/snort/ -n --disable-alert-on-each-packet-in-stream -f snort.log -C /etc/snort/classification.config -D -u snort -g snort

nDPI+IMQ+iptables-addons

nDPI is a Linux kernel module for classifying traffic by type using iptables. Rebuilding the kernel needs about 10 GB of free space.

1. Install the required packages

sudo aptitude install make gcc libncurses5-dev fakeroot kernel-package iptables-dev pkg-config dh-make dh-autoreconf linuxdoc-tools dh-autoreconf dkms bzr libnfnetlink-dev libnetfilter-conntrack-dev libnetfilter-conntrack3

2. Download the required packages (kernel, imq, nDPI)

cd /usr/src
wget https://www.kernel.org/pub/linux/kernel/v3.x/linux-3.14.5.tar.xz
wget http://devel.aanet.ru/ndpi/linux-imqmq-3.13.3.patch.xz
wget http://devel.aanet.ru/ndpi/nDPI-1.5.1.r8369_v0.tar.gz
tar xvJf linux-3.14.5.tar.xz
tar -xvzf nDPI-1.5.1.r8369_v0.tar.gz

3. Apply the patches

ln -s /usr/src/linux-3.14.5 /usr/src/linux  
cd /usr/src/linux  
xz -dc ../linux-imqmq-3.13.3.patch.xz | patch -p1 
patch -p1 <../nDPI-1.5.1.r8369_v0/ndpi-netfilter/kernel-patch/v3.14.5.diff

4. Configure the kernel

sudo make menuconfig
Device Drivers; Network Device Support;
 [M] IMQ (intermediate queueing device) support
Networking Support; Networking Options; Network Packet Filtering Framework (Netfilter); Core Netfilter Configuration → "IMQ" Target Support

5. Fix CONFIG_NF_CONNTRACK_CUSTOM

vi ./.config
Find the NF_CONNTRACK_CUSTOM line. It should read
CONFIG_NF_CONNTRACK_CUSTOM=2

A patched and configured kernel can be downloaded here

6. Start the build. In place of X put the number of CPU cores + 1

CONCURRENCY_LEVEL=X time fakeroot make-kpkg --initrd --append-to-version=+ndpi+imq kernel-image kernel-headers
sudo dpkg -i ../*.deb
sudo reboot

7. Apply the IMQ patch to iptables (patch)

cd /usr/src
wget https://raw.githubusercontent.com/imq/linuximq/master/iptables/iptables-1.4.12-IMQ-test4.diff
sudo apt-get source iptables   
cd /usr/src/iptables-*  
sudo patch -p1 < ../iptables-1.4.12-IMQ-test4.diff  
sudo dpkg-buildpackage -rfakeroot -uc -b   
sudo dpkg -i ../iptables_*.deb

8. Build xtables-addons (download)

cd /usr/src/
wget http://optimate.dl.sourceforge.net/project/xtables-addons/Xtables-addons/2.6/xtables-addons-2.6.tar.xz
tar xvJf xtables-addons-2.6.tar.xz
cd xtables-addons-2.6
./configure
make
make install

9. Build the iptables extension and the kernel module (from inside ndpi-netfilter)

cd /usr/src/nDPI-1.5.1.r8369_v0/ndpi-netfilter/
make
make install
make modules_install
For i386, do
ln -s /usr/local/lib/xtables/libxt_ndpi.so /lib/xtables/

10. Check

iptables -m ndpi --help

What do we get?
1) The ability to shape INBOUND traffic.
Example (int is the external interface)

modprobe imq
ip link set imq0 up
int="imq0"
tc qdisc del dev $int root > /dev/null 2>&1
DL=4Mbit
tc qdisc add dev $int root handle 1: htb
tc class add dev $int parent 1: classid 1:1 htb rate 95Mbit ceil 95Mbit
tc class add dev $int parent 1:1 classid 1:10 htb rate 5kbit ceil $DL prio 1
tc qdisc add dev $int parent 1:10 handle 10: sfq perturb 10
tc filter add dev $int parent 10: protocol ip handle 1 flow hash keys dst divisor 1024
tc filter add dev $int parent 1: protocol ip handle 1 fw flowid 1:10
iptables -t mangle -A PREROUTING -i eth3 -j IMQ
iptables -t nat -A POSTROUTING -o eth3 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t mangle -I PREROUTING -i eth3 -j MARK --set-mark 1

In this example the inbound internet link is limited to 4 Mbit and shared equally between hosts rather than between connections.

2) The ability to classify traffic
The following types are supported:

--unknown          (0x0) Match for unknown protocol packets.
--ftp_control      (0x1) Match for ftp_control protocol packets.
--mail_pop         (0x2) Match for mail_pop protocol packets.
--mail_smtp        (0x3) Match for mail_smtp protocol packets.
--mail_imap        (0x4) Match for mail_imap protocol packets.
--dns              (0x5) Match for dns protocol packets.
--ipp              (0x6) Match for ipp protocol packets.
--http             (0x7) Match for http protocol packets.
--mdns             (0x8) Match for mdns protocol packets.
--ntp              (0x9) Match for ntp protocol packets.
--netbios          (0xa) Match for netbios protocol packets.
--nfs              (0xb) Match for nfs protocol packets.
--ssdp             (0xc) Match for ssdp protocol packets.
--bgp              (0xd) Match for bgp protocol packets.
--snmp             (0xe) Match for snmp protocol packets.
--xdmcp            (0xf) Match for xdmcp protocol packets.
--smb              (0x10) Match for smb protocol packets.
--syslog           (0x11) Match for syslog protocol packets.
--dhcp             (0x12) Match for dhcp protocol packets.
--postgres         (0x13) Match for postgres protocol packets.
--mysql            (0x14) Match for mysql protocol packets.
--tds              (0x15) Match for tds protocol packets.
--direct_download_link (0x16) Match for direct_download_link protocol packets.
--mail_pops        (0x17) Match for mail_pops protocol packets.
--applejuice       (0x18) Match for applejuice protocol packets.
--directconnect    (0x19) Match for directconnect protocol packets.
--socrates         (0x1a) Match for socrates protocol packets.
--winmx            (0x1b) Match for winmx protocol packets.
--vmware           (0x1c) Match for vmware protocol packets.
--mail_smtps       (0x1d) Match for mail_smtps protocol packets.
--filetopia        (0x1e) Match for filetopia protocol packets.
--imesh            (0x1f) Match for imesh protocol packets.
--kontiki          (0x20) Match for kontiki protocol packets.
--openft           (0x21) Match for openft protocol packets.
--fasttrack        (0x22) Match for fasttrack protocol packets.
--gnutella         (0x23) Match for gnutella protocol packets.
--edonkey          (0x24) Match for edonkey protocol packets.
--bittorrent       (0x25) Match for bittorrent protocol packets.
--epp              (0x26) Match for epp protocol packets.
--avi              (0x27) Match for avi protocol packets.
--flash            (0x28) Match for flash protocol packets.
--ogg              (0x29) Match for ogg protocol packets.
--mpeg             (0x2a) Match for mpeg protocol packets.
--quicktime        (0x2b) Match for quicktime protocol packets.
--realmedia        (0x2c) Match for realmedia protocol packets.
--windowsmedia     (0x2d) Match for windowsmedia protocol packets.
--mms              (0x2e) Match for mms protocol packets.
--xbox             (0x2f) Match for xbox protocol packets.
--qq               (0x30) Match for qq protocol packets.
--move             (0x31) Match for move protocol packets.
--rtsp             (0x32) Match for rtsp protocol packets.
--mail_imaps       (0x33) Match for mail_imaps protocol packets.
--icecast          (0x34) Match for icecast protocol packets.
--pplive           (0x35) Match for pplive protocol packets.
--ppstream         (0x36) Match for ppstream protocol packets.
--zattoo           (0x37) Match for zattoo protocol packets.
--shoutcast        (0x38) Match for shoutcast protocol packets.
--sopcast          (0x39) Match for sopcast protocol packets.
--tvants           (0x3a) Match for tvants protocol packets.
--tvuplayer        (0x3b) Match for tvuplayer protocol packets.
--http_app_veohtv  (0x3c) Match for http_app_veohtv protocol packets.
--qqlive           (0x3d) Match for qqlive protocol packets.
--thunder          (0x3e) Match for thunder protocol packets.
--soulseek         (0x3f) Match for soulseek protocol packets.
--ssl_no_cert      (0x40) Match for ssl_no_cert protocol packets.
--irc              (0x41) Match for irc protocol packets.
--ayiya            (0x42) Match for ayiya protocol packets.
--unencryped_jabber (0x43) Match for unencryped_jabber protocol packets.
--msn              (0x44) Match for msn protocol packets.
--oscar            (0x45) Match for oscar protocol packets.
--yahoo            (0x46) Match for yahoo protocol packets.
--battlefield      (0x47) Match for battlefield protocol packets.
--quake            (0x48) Match for quake protocol packets.
--ip_vrrp          (0x49) Match for ip_vrrp protocol packets.
--steam            (0x4a) Match for steam protocol packets.
--halflife2        (0x4b) Match for halflife2 protocol packets.
--worldofwarcraft  (0x4c) Match for worldofwarcraft protocol packets.
--telnet           (0x4d) Match for telnet protocol packets.
--stun             (0x4e) Match for stun protocol packets.
--ip_ipsec         (0x4f) Match for ip_ipsec protocol packets.
--ip_gre           (0x50) Match for ip_gre protocol packets.
--ip_icmp          (0x51) Match for ip_icmp protocol packets.
--ip_igmp          (0x52) Match for ip_igmp protocol packets.
--ip_egp           (0x53) Match for ip_egp protocol packets.
--ip_sctp          (0x54) Match for ip_sctp protocol packets.
--ip_ospf          (0x55) Match for ip_ospf protocol packets.
--ip_ip_in_ip      (0x56) Match for ip_ip_in_ip protocol packets.
--rtp              (0x57) Match for rtp protocol packets.
--rdp              (0x58) Match for rdp protocol packets.
--vnc              (0x59) Match for vnc protocol packets.
--pcanywhere       (0x5a) Match for pcanywhere protocol packets.
--ssl              (0x5b) Match for ssl protocol packets.
--ssh              (0x5c) Match for ssh protocol packets.
--usenet           (0x5d) Match for usenet protocol packets.
--mgcp             (0x5e) Match for mgcp protocol packets.
--iax              (0x5f) Match for iax protocol packets.
--tftp             (0x60) Match for tftp protocol packets.
--afp              (0x61) Match for afp protocol packets.
--stealthnet       (0x62) Match for stealthnet protocol packets.
--aimini           (0x63) Match for aimini protocol packets.
--sip              (0x64) Match for sip protocol packets.
--truphone         (0x65) Match for truphone protocol packets.
--ip_icmpv6        (0x66) Match for ip_icmpv6 protocol packets.
--dhcpv6           (0x67) Match for dhcpv6 protocol packets.
--armagetron       (0x68) Match for armagetron protocol packets.
--crossfire        (0x69) Match for crossfire protocol packets.
--dofus            (0x6a) Match for dofus protocol packets.
--fiesta           (0x6b) Match for fiesta protocol packets.
--florensia        (0x6c) Match for florensia protocol packets.
--guildwars        (0x6d) Match for guildwars protocol packets.
--http_app_activesync (0x6e) Match for http_app_activesync protocol packets.
--kerberos         (0x6f) Match for kerberos protocol packets.
--ldap             (0x70) Match for ldap protocol packets.
--maplestory       (0x71) Match for maplestory protocol packets.
--mssql            (0x72) Match for mssql protocol packets.
--pptp             (0x73) Match for pptp protocol packets.
--warcraft3        (0x74) Match for warcraft3 protocol packets.
--world_of_kung_fu (0x75) Match for world_of_kung_fu protocol packets.
--meebo            (0x76) Match for meebo protocol packets.
--facebook         (0x77) Match for facebook protocol packets.
--twitter          (0x78) Match for twitter protocol packets.
--dropbox          (0x79) Match for dropbox protocol packets.
--gmail            (0x7a) Match for gmail protocol packets.
--google_maps      (0x7b) Match for google_maps protocol packets.
--youtube          (0x7c) Match for youtube protocol packets.
--skype            (0x7d) Match for skype protocol packets.
--google           (0x7e) Match for google protocol packets.
--dcerpc           (0x7f) Match for dcerpc protocol packets.
--netflow          (0x80) Match for netflow protocol packets.
--sflow            (0x81) Match for sflow protocol packets.
--http_connect     (0x82) Match for http_connect protocol packets.
--http_proxy       (0x83) Match for http_proxy protocol packets.
--citrix           (0x84) Match for citrix protocol packets.
--netflix          (0x85) Match for netflix protocol packets.
--lastfm           (0x86) Match for lastfm protocol packets.
--grooveshark      (0x87) Match for grooveshark protocol packets.
--skyfile_prepaid  (0x88) Match for skyfile_prepaid protocol packets.
--skyfile_rudics   (0x89) Match for skyfile_rudics protocol packets.
--skyfile_postpaid (0x8a) Match for skyfile_postpaid protocol packets.
--citrix_online    (0x8b) Match for citrix_online protocol packets.
--apple            (0x8c) Match for apple protocol packets.
--webex            (0x8d) Match for webex protocol packets.
--whatsapp         (0x8e) Match for whatsapp protocol packets.
--apple_icloud     (0x8f) Match for apple_icloud protocol packets.
--viber            (0x90) Match for viber protocol packets.
--apple_itunes     (0x91) Match for apple_itunes protocol packets.
--radius           (0x92) Match for radius protocol packets.
--windows_update   (0x93) Match for windows_update protocol packets.
--teamviewer       (0x94) Match for teamviewer protocol packets.
--tuenti           (0x95) Match for tuenti protocol packets.
--lotus_notes      (0x96) Match for lotus_notes protocol packets.
--sap              (0x97) Match for sap protocol packets.
--gtp              (0x98) Match for gtp protocol packets.
--upnp             (0x99) Match for upnp protocol packets.
--llmnr            (0x9a) Match for llmnr protocol packets.
--remote_scan      (0x9b) Match for remote_scan protocol packets.
--spotify          (0x9c) Match for spotify protocol packets.
--webm             (0x9d) Match for webm protocol packets.
--h323             (0x9e) Match for h323 protocol packets.
--openvpn          (0x9f) Match for openvpn protocol packets.
--noe              (0xa0) Match for noe protocol packets.
--ciscovpn         (0xa1) Match for ciscovpn protocol packets.
--teamspeak        (0xa2) Match for teamspeak protocol packets.
--tor              (0xa3) Match for tor protocol packets.
--skinny           (0xa4) Match for skinny protocol packets.
--rtcp             (0xa5) Match for rtcp protocol packets.
--rsync            (0xa6) Match for rsync protocol packets.
--oracle           (0xa7) Match for oracle protocol packets.
--corba            (0xa8) Match for corba protocol packets.
--ubuntuone        (0xa9) Match for ubuntuone protocol packets.
--whois_das        (0xaa) Match for whois_das protocol packets.
--collectd         (0xab) Match for collectd protocol packets.
--socks5           (0xac) Match for socks5 protocol packets.
--socks4           (0xad) Match for socks4 protocol packets.
--rtmp             (0xae) Match for rtmp protocol packets.
--ftp_data         (0xaf) Match for ftp_data protocol packets.
--wikipedia        (0xb0) Match for wikipedia protocol packets.
--zmq              (0xb1) Match for zmq protocol packets.
--amazon           (0xb2) Match for amazon protocol packets.
--ebay             (0xb3) Match for ebay protocol packets.
--cnn              (0xb4) Match for cnn protocol packets.
--megaco           (0xb5) Match for megaco protocol packets.
--redis            (0xb6) Match for redis protocol packets.
--pando            (0xb7) Match for pando protocol packets.
--vhua             (0xb8) Match for vhua protocol packets.

Example

iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -m ndpi --proto dropbox -j DROP
iptables -A FORWARD -m ndpi --proto dns -j ACCEPT
iptables -A FORWARD -p tcp -m tcp --dport 80 -m ndpi --proto http -j ACCEPT
iptables -A FORWARD -p tcp -m tcp --dport 443 -m ndpi --proto ssl -j ACCEPT
iptables -A FORWARD -m ndpi --proto ssh -j ACCEPT

3) The ability to fend off port scans

# for 32-bit Ubuntu
ln -s /usr/local/lib/xtables/libxt_psd.so /lib/xtables/
# Add the rule
iptables -A INPUT -m psd --psd-weight-threshold 21 --psd-delay-threshold 300 --psd-lo-ports-weight 3 --psd-hi-ports-weight 1 -j DROP
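
The nDPI classification rules and the psd port-scan rule above, combined into one ruleset as an added example that is not from the original page. The rules are emitted by functions so they can be reviewed and tested without a live firewall, and applied with apply_rules. Two things differ from the one-liners above: the ndpi matches are placed ahead of the RELATED,ESTABLISHED accept, because nDPI only sees packets that reach an "-m ndpi" rule and needs the first several packets of a flow before it can name the protocol, and both dropped categories are logged before the DROP so the events show up in syslog. The chain names and log prefixes are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: nDPI application policy plus psd
# port-scan defence as a reviewable, testable iptables ruleset.
set -eu

# ndpi_rules : print the FORWARD rules, one per line, in load order
ndpi_rules() {
    # The ndpi matches live in their own chain that FORWARD jumps to first.
    # If the generic ESTABLISHED accept came first, only the initial packet of
    # each flow would ever reach "-m ndpi", and at that point the protocol is
    # still unknown, so the dropbox DROP would never fire.
    printf '%s\n' \
        'iptables -N NDPI_POLICY' \
        "iptables -A NDPI_POLICY -m ndpi --proto dropbox -j LOG --log-prefix 'ndpi-drop: '" \
        'iptables -A NDPI_POLICY -m ndpi --proto dropbox -j DROP' \
        'iptables -A NDPI_POLICY -m ndpi --proto dns -j ACCEPT' \
        'iptables -A NDPI_POLICY -p tcp --dport 80 -m ndpi --proto http -j ACCEPT' \
        'iptables -A NDPI_POLICY -p tcp --dport 443 -m ndpi --proto ssl -j ACCEPT' \
        'iptables -A NDPI_POLICY -m ndpi --proto ssh -j ACCEPT' \
        'iptables -A FORWARD -j NDPI_POLICY' \
        'iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT'
}

# psd_rules : print the INPUT rules; scan sources are rate-limited into the log
# and then dropped, with the same psd thresholds as the single rule above
psd_rules() {
    printf '%s\n' \
        'iptables -N PORTSCAN' \
        "iptables -A PORTSCAN -m limit --limit 5/min -j LOG --log-prefix 'psd: '" \
        'iptables -A PORTSCAN -j DROP' \
        'iptables -A INPUT -m psd --psd-weight-threshold 21 --psd-delay-threshold 300 --psd-lo-ports-weight 3 --psd-hi-ports-weight 1 -j PORTSCAN'
}

# rule_index PATTERN : position (1-based) of the first ndpi rule matching PATTERN
rule_index() {
    ndpi_rules | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

# apply_rules : load both rule sets on the live system (root, ndpi and psd
# modules required); stops at the first failing iptables command
apply_rules() {
    { ndpi_rules; psd_rules; } | sh -e
}
```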