
The Design And Implementation Of The Netfilter-Based Content Filtering System

Posted on: 2013-02-06
Degree: Master
Type: Thesis
Country: China
Candidate: F F Yuan
Full Text: PDF
GTID: 2248330371967487
Subject: Information security
Abstract/Summary:
A conventional firewall permits users to define a set of rules that allow legitimate network traffic to flow into and out of the system. According to those rules, the firewall checks the header of each packet to decide which packets to reject and which to accept, but it can only filter on the five-tuple of an IP packet; it cannot filter bad content hidden in packet payloads. Since the Linux 2.6.14 kernel, the Linux firewall has supported matching strings present in IP packets, but the string module can only match strings, using the BM and KMP algorithms, to achieve content filtering. KMP and BM are both exact string matching algorithms: they achieve a simple exact match, but can do nothing against attacks that are deliberately hidden and disguised in the payloads of IP packets. Their efficiency and effectiveness also need further improvement.

This paper presents a content filtering system based on the Netfilter framework. The content filtering system solves the problem of the traditional firewall and can filter bad content hidden in packet payloads. The system is deployed in the network in transparent bridge mode, placed between the switch and the router to filter the packets flowing into and out of the LAN, in order to protect the internal hosts and servers of the LAN.

The system is designed to filter the application-layer protocols HTTP and DNS. For HTTP, the system mainly provides URL filtering and Web content filtering. To achieve good results, the system uses rules appropriate to each network protocol together with regular expression matching. For URL filtering in particular, it builds on conventional filtering and adds filtering of the parameters of URLs that carry them.

In this paper, the system uses the Linux Netfilter mechanism for packet capture and analysis, and provides a set of user-defined rules to match packets. The content filtering system can filter packets containing bad information and build a safe and effective network environment. Experiments on the system designed in this paper have been carried out; their results prove that the content filtering system meets the design requirements and filters the bad information.
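The following is an added user-space model of the rule-matching logic the abstract describes (it is not the thesis's kernel module or rule set): it rebuilds the requested URL with its parameters from an HTTP request, extracts the question name from a DNS query, applies regex rules to each, and returns the ACCEPT/DROP verdict a Netfilter hook would give. The rules and sample packets are constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Constructed example rules (not the thesis's rule set): regex rules for URLs and DNS names.
URL_RULES = [re.compile(p, re.I) for p in (
    r"^https?://([^/]*\.)?forbidden\.example(/|$)",  # block a whole host
    r"[?&]q=[^&]*\bbanned\b",                        # URL parameter filtering: blocked word in "q"
)]
DNS_RULES = [re.compile(r"(^|\.)forbidden\.example$", re.I)]

def http_url(payload: bytes):
    """Rebuild the requested URL, parameters included; None if not an HTTP request."""
    head = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    m = re.match(r"^(GET|POST|HEAD) (\S+) HTTP/1\.[01]$", lines[0])
    if not m:
        return None
    host = next((l.split(":", 1)[1].strip() for l in lines[1:]
                 if l.lower().startswith("host:")), "")
    target = m.group(2)
    url = target if target.startswith("http") else "http://" + host + target
    return unquote_plus(url)  # undo %XX and '+' encoding so rules see the real parameter values

def dns_qname(payload: bytes):
    """Extract the question name from a raw DNS query (labels follow the 12-byte header)."""
    labels, pos = [], 12
    while pos < len(payload) and payload[pos] != 0:
        n = payload[pos]
        if n & 0xC0:  # compression pointer: not valid in the first question name
            return None
        labels.append(payload[pos + 1:pos + 1 + n].decode("ascii", "replace"))
        pos += 1 + n
    return ".".join(labels) if labels else None

def verdict(proto: str, payload: bytes) -> str:
    """Decide ACCEPT or DROP for one payload, as a Netfilter hook verdict would."""
    if proto == "http":
        subject, rules = http_url(payload), URL_RULES
    else:
        subject, rules = dns_qname(payload), DNS_RULES
    if subject is None:
        return "ACCEPT"  # not parseable as that protocol: leave it to the other rules
    return "DROP" if any(r.search(subject) for r in rules) else "ACCEPT"

# Constructed sample packets: the HTTP request disguises "banned" with percent-encoding (b%61nned).
HTTP_REQ = b"GET /search?q=b%61nned+word HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
DNS_REQ = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x03www\x09forbidden\x07example\x00\x00\x01\x00\x01"
if __name__ == "__main__":
    print(b"banned" in HTTP_REQ, verdict("http", HTTP_REQ), dns_qname(DNS_REQ), verdict("dns", DNS_REQ))
```

An exact byte match for "banned" misses the encoded request, which is the weakness of the BM/KMP string match described above, while decoding the URL and applying the parameter rule drops it.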
Keywords/Search Tags:Netfilter, content filtering, regular expressions, kernel module