RHEL 5.2 kernel 2.6.18: adding iptables modules

Source: Internet  Editor: 程序博客网  Time: 2024/05/21 10:21

Many people did not manage to get this working, so I tried it once more; it works fine...
Post #5 (appended below) adds the full record of the procedure I went through this time.
One more note: when selecting packages during system installation, select the development packages and development tools; the default package selection within those groups is fine.


1. Check the kernel version
[root@seker SRPMS]# uname -a
Linux seker 2.6.18-92.el5 #1 SMP Tue Jun 10 18:49:47 EDT 2008 i686 i686 i386 GNU/Linux

Download the kernel source RPM; choose the one that matches the OS kernel exactly. URL: http://rpmfind.net/linux/sourceforge/l/li/linux-ntfs/

2. Download the matching source package
[root@seker SRPMS]# ls
kernel-2.6.18-92.el5.src.rpm
[root@seker SRPMS]# pwd
/usr/src/redhat/SRPMS

3. Unpack the source RPM
[root@seker SRPMS]# useradd mockbuild
[root@seker SRPMS]# rpm -ivh kernel-2.6.18-92.el5.src.rpm
   1:kernel                 ################ [100%]
[root@seker SRPMS]#
[root@seker SPECS]# pwd
/usr/src/redhat/SPECS
[root@seker SPECS]# ls
kernel-2.6.spec
[root@seker SPECS]# rpmbuild -bp --target=$(uname -m) ./kernel-2.6.spec
Building target platforms: i686
Building for target i686
.....
+ exit 0
[root@seker kernel-2.6.18]# pwd
/usr/src/redhat/BUILD/kernel-2.6.18
[root@seker kernel-2.6.18]# ls
config  Config.mk  linux-2.6.18.i686  vanilla  xen

4. Copy the kernel source tree to /usr/src
[root@seker kernel-2.6.18]#  cp -a linux-2.6.18.i686/ /usr/src/
[root@seker kernel-2.6.18]#  cd /usr/src/linux-2.6.18.i686

5. Edit the Makefile header so the version is identical to the kernel running on the OS
[root@seker linux-2.6.18.i686]# head -n4 Makefile
VERSION = 2
PATCHLEVEL = 6
SUBLEVEL = 18
EXTRAVERSION = -92.el5
[root@seker linux-2.6.18.i686]# uname -r
2.6.18-92.el5

6. Download the software
[root@seker src]# wget http://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot/patch-o-matic-ng-20080918.tar.bz2
[root@seker src]# wget ftp://ftp.netfilter.org/pub/iptables/iptables-1.3.8.tar.bz2
[root@seker src]# wget http://downloads.sourceforge.net/l7-filter/l7-protocols-2008-04-23.tar.gz
[root@seker src]# wget http://ie.archive.ubuntu.com/sourceforge/l/l7/l7-filter/netfilter-layer7-v2.9.tar.gz

7. Extract the packages
[root@seker src]# tar jxvf patch-o-matic-ng-20080918.tar.bz2
[root@seker src]# tar jxvf iptables-1.3.8.tar.bz2
[root@seker src]# tar zxvf l7-protocols-2008-04-23.tar.gz
[root@seker src]# tar zxvf ipp2p-0.99.15.tar.gz
[root@seker src]# tar zxvf netfilter-layer7-v2.9.tar.gz

8. Set the environment variables and download the patches
[root@seker patch-o-matic-ng-20080918]# export KERNEL_DIR=/usr/src/linux-2.6.18.i686/
[root@seker patch-o-matic-ng-20080918]# export IPTABLES_DIR=/usr/src/iptables-1.3.8/
[root@seker patch-o-matic-ng-20080918]# export KERNEL_SRC=/usr/src/linux-2.6.18.i686/
[root@seker patch-o-matic-ng-20080918]# export IPTABLES_SRC=/usr/src/iptables-1.3.8/
[root@seker patch-o-matic-ng-20080918]#
[root@seker patch-o-matic-ng-20080918]# ./runme --download
.....
Successfully downloaded external patch connlimit
Successfully downloaded external patch ipp2p
Successfully downloaded external patch time
Excellent! Source trees are ready for compilation.

Do not install the IPP2P bundled with patch-o-matic; we use the latest version, downloaded from here:
http://linux.chinaunix.net/bbs/thread-914377-1-2.html

[root@seker patch-o-matic-ng-20080918]# ./runme time
[root@seker patch-o-matic-ng-20080918]# ./runme connlimit

9. Install layer7
[root@seker linux-2.6.18.i686]# patch -p1 < /usr/src/netfilter-layer7-v2.9/kernel-2.6.18-2.6.19-layer7-2.9.patch
[root@seker iptables-1.3.8]# patch -p1 < /usr/src/netfilter-layer7-v2.9/iptables-layer7-2.9.patch
[root@seker iptables-1.3.8]# chmod +x extensions/.layer7-test

10. Configure the kernel and select the newly added modules
[root@seker linux-2.6.18.i686]# make menuconfig
  Networking  --->  
    Networking options  --->
        [*] Network packet filtering (replaces ipchains)  --->
                IP: Netfilter Configuration  --->
                    <M> Layer 7 match support (EXPERIMENTAL)
                    <M> TIME match support
                    <M> Connections/IP limit match support

[root@seker linux-2.6.18.i686]# make modules_prepare

11. Back up the original Makefile. It contains the original build rules for the whole directory, and building straight from it will not go through.
[root@seker linux-2.6.18.i686]# mv net/ipv4/netfilter/Makefile net/ipv4/netfilter/Makefile.bak
Create a new Makefile
[root@seker linux-2.6.18.i686]# vi net/ipv4/netfilter/Makefile

# Build each ipt_*.o as a loadable module. Use `+=` so all three accumulate;
# writing `obj-m :=` three times keeps only the last one, which is why a
# one-module-at-a-time build would otherwise be needed.
obj-m += ipt_connlimit.o
obj-m += ipt_time.o
obj-m += ipt_layer7.o

KDIR := /lib/modules/$(shell uname -r)/build
PWD   := $(shell pwd)

# The recipe line below must start with a tab, not spaces.
default:
	$(MAKE) -C $(KDIR) M=$(PWD) modules

Then build the modules. If they cannot all be built in one pass, list only one module at a time in net/ipv4/netfilter/Makefile and build repeatedly, one module per run, to obtain each ipt_*.ko file.
[root@seker linux-2.6.18.i686]# make M=net/ipv4/netfilter/
  LD      net/ipv4/netfilter/built-in.o
  CC [M]  net/ipv4/netfilter/ipt_connlimit.o
  CC      net/ipv4/netfilter/ipt_connlimit.mod.o
  LD [M]  net/ipv4/netfilter/ipt_connlimit.ko
  CC      net/ipv4/netfilter/ipt_time.mod.o
  LD [M]  net/ipv4/netfilter/ipt_time.ko

12. Copy the newly built modules into the running kernel's module directory
[root@seker linux-2.6.18.i686]# cp net/ipv4/netfilter/ipt_time.ko /lib/modules/2.6.18-92.el5/kernel/net/ipv4/netfilter/
[root@seker linux-2.6.18.i686]# cp net/ipv4/netfilter/ipt_layer7.ko /lib/modules/2.6.18-92.el5/kernel/net/ipv4/netfilter/
[root@seker linux-2.6.18.i686]# cp net/ipv4/netfilter/ipt_connlimit.ko /lib/modules/2.6.18-92.el5/kernel/net/ipv4/netfilter/
[root@seker linux-2.6.18.i686]# chmod 755 /lib/modules/2.6.18-92.el5/kernel/net/ipv4/netfilter/*.ko

13. Install IPP2P
[root@seker ipp2p-0.99.15]# make
[root@seker ipp2p-0.99.15]# make install
cp ipt_ipp2p.ko /lib/modules/2.6.18-92.el5/kernel/net/ipv4/netfilter/
cp libipt_ipp2p.so /lib/iptables/
depmod -a
[root@seker ipp2p-0.99.15]#

14. Install the new iptables
[root@seker iptables-1.3.8]# make BINDIR=/sbin LIBDIR=/lib MANDIR=/usr/share/man install

If this step succeeds, the log shows the cp *.so lines:

[root@seker iptables-1.3.8]# make BINDIR=/sbin LIBDIR=/lib MANDIR=/usr/share/man install
....
cp extensions/libipt_limit.so /lib/iptables/libipt_limit.so
....
cp extensions/libipt_layer7.so /lib/iptables/libipt_layer7.so
....
cp extensions/libipt_time.so /lib/iptables/libipt_time.so
....
rm libiptc/libip6tc.o libipq/libipq.o libiptc/libip4tc.o
[root@seker iptables-1.3.8]#

15. Load the modules
[root@seker iptables-1.3.8]# modprobe ipt_connlimit
[root@seker iptables-1.3.8]# modprobe ipt_time
[root@seker iptables-1.3.8]# modprobe ipt_ipp2p
[root@seker iptables-1.3.8]# modprobe ipt_layer7
[root@seker iptables-1.3.8]#
[root@seker iptables-1.3.8]# lsmod |grep x_tables
x_tables               17349  7 ipt_layer7,ipt_iprange,ipt_ipp2p,ipt_time,ipt_connlimit,xt_tcpudp,ip_tables
[root@seker iptables-1.3.8]#

16. Test layer7, time and ipp2p
[root@seker iptables-1.3.8]# iptables -A FORWARD -m layer7 --l7proto qq  -m time --timestart 8:00 --timestop 17:30 --days Mon,Tue,Wed,Thu,Fri -m iprange --src-range 192.168.1.5-192.168.1.239 -m ipp2p --ipp2p -m ipp2p --xunlei -j DROP

If the time match gives trouble, use the .ko and .so from the attachment below (I have not tested it and cannot guarantee it works on your system):
http://linux.chinaunix.net/bbs/attachment.php?aid=214364
[root@seker iptables-1.3.8]#
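Two sanity checks for the procedure above, added here as an example rather than taken from the original post: tree_version/tree_matches_running reproduce the step 5 comparison between the kernel tree's Makefile header and `uname -r`, and missing_plugins reports any ipt_*.ko copied in steps 12-13 whose userspace libipt_*.so from step 14 is absent. The paths default to the ones used in the post; the function names and the KTREE variable are my own.

```shell
#!/bin/sh
# Added example, not part of the original post. Two sanity checks for the
# procedure above, assuming the same layout: kernel tree under /usr/src,
# modules under /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter and
# iptables plugins under /lib/iptables (all overridable via arguments).

# Compose the release string a kernel tree stamps into its modules from the
# VERSION/PATCHLEVEL/SUBLEVEL/EXTRAVERSION lines of its top-level Makefile.
# Step 5 requires this to equal `uname -r`; otherwise the .ko files built
# from the tree are rejected by the running kernel.
tree_version() {
    awk -F= '
        $1 ~ /^VERSION[ \t]*$/      { v = $2 }
        $1 ~ /^PATCHLEVEL[ \t]*$/   { p = $2 }
        $1 ~ /^SUBLEVEL[ \t]*$/     { s = $2 }
        $1 ~ /^EXTRAVERSION[ \t]*$/ { e = $2 }
        END {
            gsub(/[ \t]/, "", v); gsub(/[ \t]/, "", p)
            gsub(/[ \t]/, "", s); gsub(/[ \t]/, "", e)
            printf "%s.%s.%s%s\n", v, p, s, e
        }' "$1"
}

# Exit 0 when the tree in $1 matches the release in $2 (default: uname -r).
tree_matches_running() {
    want=${2:-$(uname -r)}
    have=$(tree_version "$1/Makefile")
    if [ "$have" = "$want" ]; then
        return 0
    fi
    echo "kernel tree says $have, running kernel is $want" >&2
    return 1
}

# Print the name of every ipt_*.ko in module dir $1 that has no matching
# libipt_*.so in iptables library dir $2. A kernel match whose userspace
# plugin is missing cannot be used from the iptables command line.
missing_plugins() {
    for ko in "$1"/ipt_*.ko; do
        [ -e "$ko" ] || continue
        name=$(basename "$ko" .ko)   # e.g. ipt_layer7
        match=${name#ipt_}           # e.g. layer7
        [ -e "$2/libipt_$match.so" ] || echo "$match"
    done
}

# Driver using the post's paths; runs only where that layout actually exists.
KTREE=${KTREE:-/usr/src/linux-2.6.18.i686}
if [ -f "$KTREE/Makefile" ]; then
    tree_matches_running "$KTREE" && echo "kernel tree matches $(uname -r)"
    missing_plugins "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter" /lib/iptables
fi
```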

This starts right after the archives have been extracted; for the earlier steps, refer to the post above.
[root@seker src]# ls
backup                  kernels                         netfilter-layer7-v2.9.tar.gz
ipp2p-0.99.15           l7-protocols-2008-04-23         patch-o-matic-ng-20080918
ipp2p-0.99.15.tar.gz    l7-protocols-2008-04-23.tar.gz  patch-o-matic-ng-20080918.tar.bz2
iptables-1.3.8          linux-2.6.18.i686               redhat
iptables-1.3.8.tar.bz2  netfilter-layer7-v2.9
[root@seker src]# export KERNEL_DIR=/usr/src/linux-2.6.18.i686/
[root@seker src]# export IPTABLES_DIR=/usr/src/iptables-1.3.8/
[root@seker src]# cd patch-o-matic-ng-20080918
[root@seker patch-o-matic-ng-20080918]# ls
Netfilter_POM.pm  patchlets  README             runme
patch2pom         pom2patch  README.newpatches  sources.list
[root@seker patch-o-matic-ng-20080918]# ./runme --download
Successfully downloaded external patch geoip
Successfully downloaded external patch condition
Successfully downloaded external patch IPMARK
Successfully downloaded external patch ROUTE
Successfully downloaded external patch connlimit
Successfully downloaded external patch ipp2p
Successfully downloaded external patch time
./patchlets/ipv4options exists and is not external
./patchlets/TARPIT exists and is not external
Successfully downloaded external patch ACCOUNT
Successfully downloaded external patch pknock
Loading patchlet definitions......................... done


Excellent! Source trees are ready for compilation.

Download complete


Install the modules
[root@seker patch-o-matic-ng-20080918]# ./runme time
Loading patchlet definitions......................... done
Welcome to Patch-o-matic ($Revision$)!

Kernel:   2.6.18, /usr/src/linux-2.6.18.i686/
Iptables: 1.3.8, /usr/src/iptables-1.3.8/
Each patch is a new feature: many have minimal impact, some do not.
Almost every one has bugs, so don't apply what you don't need!
-------------------------------------------------------
Already applied:
Testing time... not applied
The time patch:
   Author: Fabrice MARIE <fabrice@netfilter.org>
   Status: Works within it's limitations


This option adds CONFIG_IP_NF_MATCH_TIME, which supplies a time match module.
This match allows you to filter based on the packet arrival time/date
(arrival time/date at the machine which the netfilter is running on) or
departure time/date (for locally generated packets).

Supported options are:
[ --timestart value ]
    Match only if it is after `value' (Inclusive, format: HH:MM ; default 00:00).

[ --timestop  value ]
    Match only if it is before `value' (Inclusive, format: HH:MM ; default 23:59).

[ --days listofdays ]
    Match only if today is one of the given days. (format: Mon,Tue,Wed,Thu,Fri,Sat,Sun ; default everyday)

[ --datestart date ]
    Match only if it is after `date' (Inclusive, format: YYYY[:MM[:DD[:hh[:mm[:ss]]]]]
    h,m,s start from 0 ; default to 1970)

[ --datestop date ]
    Match only if it is before `date' (Inclusive, format: YYYY[:MM[:DD[:hh[:mm[:ss]]]]]
    h,m,s start from 0 ; default to 2037)

Example:
  -A INPUT -m time --timestart 8:00 --timestop 18:00 --days Mon,Tue,Wed,Thu,Fri
  will match packets that have an arrival timestamp in the range 8:00->18:00 from Monday
  to Friday.

  -A OUTPUT -m time --timestart 8:00 --timestop 18:00 --Days Mon --date-stop 2010
  will match the packets (locally generated) that have a departure timestamp
  in the range 8:00->18:00 on Monday only, until 2010

NOTE: the time match does not track changes in daylight savings time
-----------------------------------------------------------------
Do you want to apply this patch [N/y/t/f/a/r/b/w/q/?] y

Excellent! Source trees are ready for compilation.

[root@seker patch-o-matic-ng-20080918]# ./runme connlimit
Loading patchlet definitions......................... done
Welcome to Patch-o-matic ($Revision$)!

Kernel:   2.6.18, /usr/src/linux-2.6.18.i686/
Iptables: 1.3.8, /usr/src/iptables-1.3.8/
Each patch is a new feature: many have minimal impact, some do not.
Almost every one has bugs, so don't apply what you don't need!
-------------------------------------------------------
Already applied:
Testing connlimit... not applied
The connlimit patch:
   Author: Gerd Knorr <kraxel@bytesex.org>
   Status: ItWorksForMe[tm]

This adds an iptables match which allows you to restrict the
number of parallel TCP connections to a server per client IP address
(or address block).

Examples:

# allow 2 telnet connections per client host
iptables -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT

# you can also match the other way around:
iptables -p tcp --syn --dport 23 -m connlimit ! --connlimit-above 2 -j ACCEPT

# limit the nr of parallel http requests to 16 per class C sized
# network (24 bit netmask)
iptables -p tcp --syn --dport 80 -m connlimit --connlimit-above 16 \
        --connlimit-mask 24 -j REJECT
-----------------------------------------------------------------
Do you want to apply this patch [N/y/t/f/a/r/b/w/q/?] y

Excellent! Source trees are ready for compilation.

[root@seker patch-o-matic-ng-20080918]# cd ../linux-2.6.18.i686/
[root@seker linux-2.6.18.i686]# patch -p1 < /usr/src/netfilter-layer7-v2.9/kernel-2.6.18-2.6.19-layer7-2.9.patch
patching file include/linux/netfilter_ipv4/ip_conntrack.h
patching file include/linux/netfilter_ipv4/ipt_layer7.h
patching file net/ipv4/netfilter/Kconfig
patching file net/ipv4/netfilter/Makefile
Hunk #1 succeeded at 66 (offset 3 lines).
patching file net/ipv4/netfilter/ip_conntrack_core.c
Hunk #1 succeeded at 338 (offset 1 line).
patching file net/ipv4/netfilter/ip_conntrack_standalone.c
Hunk #1 succeeded at 193 (offset 1 line).
patching file net/ipv4/netfilter/ipt_layer7.c
patching file net/ipv4/netfilter/regexp/regexp.c
patching file net/ipv4/netfilter/regexp/regexp.h
patching file net/ipv4/netfilter/regexp/regmagic.h
patching file net/ipv4/netfilter/regexp/regsub.c
[root@seker linux-2.6.18.i686]# cd ../iptables-1.3.8
[root@seker iptables-1.3.8]# patch -p1 < /usr/src/netfilter-layer7-v2.9/iptables-layer7-2.9.patch
patching file extensions/.layer7-test
patching file extensions/libipt_layer7.c
patching file extensions/libipt_layer7.man
[root@seker iptables-1.3.8]# chmod +x extensions/.layer7-test
[root@seker iptables-1.3.8]#

[root@seker iptables-1.3.8]# cd ../linux-2.6.18.i686/
[root@seker linux-2.6.18.i686]# make menuconfig
scripts/kconfig/mconf arch/i386/Kconfig
#
# configuration written to .config
#


*** End of Linux kernel configuration.
*** Execute 'make' to build the kernel or try 'make help'.

[root@seker linux-2.6.18.i686]# make modules_prepare
scripts/kconfig/conf -s arch/i386/Kconfig
  CHK     include/linux/version.h
  UPD     include/linux/version.h
  CHK     include/linux/utsrelease.h
  UPD     include/linux/utsrelease.h
  SYMLINK include/asm -> include/asm-i386
  CC      arch/i386/kernel/asm-offsets.s
  GEN     include/asm-i386/asm-offsets.h
  HOSTCC  scripts/genksyms/genksyms.o
  SHIPPED scripts/genksyms/lex.c
  SHIPPED scripts/genksyms/parse.h
  SHIPPED scripts/genksyms/keywords.c
  HOSTCC  scripts/genksyms/lex.o
  SHIPPED scripts/genksyms/parse.c
  HOSTCC  scripts/genksyms/parse.o
  HOSTLD  scripts/genksyms/genksyms
  CC      scripts/mod/empty.o
  HOSTCC  scripts/mod/mk_elfconfig
  MKELF   scripts/mod/elfconfig.h
  HOSTCC  scripts/mod/file2alias.o
  HOSTCC  scripts/mod/modpost.o
  HOSTCC  scripts/mod/sumversion.o
  HOSTLD  scripts/mod/modpost
  HOSTCC  scripts/kallsyms
  HOSTCC  scripts/pnmtologo
  HOSTCC  scripts/conmakehash
[root@seker linux-2.6.18.i686]#

[root@seker linux-2.6.18.i686]# mv net/ipv4/netfilter/Makefile net/ipv4/netfilter/Makefile.bak
[root@seker linux-2.6.18.i686]# vi net/ipv4/netfilter/Makefile
[root@seker linux-2.6.18.i686]# cat net/ipv4/netfilter/Makefile
obj-m := ipt_connlimit.o
obj-m := ipt_time.o
obj-m := ipt_layer7.o

KDIR := /lib/modules/$(shell uname -r)/build
PWD   := $(shell pwd)

default:
    $(MAKE) -C $(KDIR) M=$(PWD) modules
[root@seker linux-2.6.18.i686]#
[root@seker linux-2.6.18.i686]# make M=net/ipv4/netfilter/

  WARNING: Symbol version dump /usr/src/linux-2.6.18.i686/Module.symvers
           is missing; modules will have no dependencies and modversions.

  LD      net/ipv4/netfilter/built-in.o
  CC [M]  net/ipv4/netfilter/ipt_layer7.o
  Building modules, stage 2.
  MODPOST
  CC      net/ipv4/netfilter/ipt_layer7.mod.o
  LD [M]  net/ipv4/netfilter/ipt_layer7.ko
[root@seker linux-2.6.18.i686]# vi net/ipv4/netfilter/Makefile
[root@seker linux-2.6.18.i686]# cat net/ipv4/netfilter/Makefile
obj-m := ipt_connlimit.o
obj-m := ipt_time.o

KDIR := /lib/modules/$(shell uname -r)/build
PWD   := $(shell pwd)

default:
    $(MAKE) -C $(KDIR) M=$(PWD) modules
[root@seker linux-2.6.18.i686]#
[root@seker linux-2.6.18.i686]# make M=net/ipv4/netfilter/

  WARNING: Symbol version dump /usr/src/linux-2.6.18.i686/Module.symvers
           is missing; modules will have no dependencies and modversions.

  CC [M]  net/ipv4/netfilter/ipt_time.o
  Building modules, stage 2.
  MODPOST
  CC      net/ipv4/netfilter/ipt_time.mod.o
  LD [M]  net/ipv4/netfilter/ipt_time.ko
[root@seker linux-2.6.18.i686]# vi net/ipv4/netfilter/Makefile
[root@seker linux-2.6.18.i686]# cat net/ipv4/netfilter/Makefile
obj-m := ipt_connlimit.o

KDIR := /lib/modules/$(shell uname -r)/build
PWD   := $(shell pwd)

default:
    $(MAKE) -C $(KDIR) M=$(PWD) modules
[root@seker linux-2.6.18.i686]#
[root@seker linux-2.6.18.i686]# make M=net/ipv4/netfilter/

  WARNING: Symbol version dump /usr/src/linux-2.6.18.i686/Module.symvers
           is missing; modules will have no dependencies and modversions.

  CC [M]  net/ipv4/netfilter/ipt_connlimit.o
  Building modules, stage 2.
  MODPOST
  CC      net/ipv4/netfilter/ipt_connlimit.mod.o
  LD [M]  net/ipv4/netfilter/ipt_connlimit.ko
[root@seker linux-2.6.18.i686]#

[root@seker linux-2.6.18.i686]# cp net/ipv4/netfilter/ipt_layer7.ko /lib/modules/2.6.18-92.el5/kernel/net/ipv4/netfilter/
[root@seker linux-2.6.18.i686]# cp net/ipv4/netfilter/ipt_time.ko /lib/modules/2.6.18-92.el5/kernel/net/ipv4/netfilter/
[root@seker linux-2.6.18.i686]# cp net/ipv4/netfilter/ipt_connlimit.ko /lib/modules/2.6.18-92.el5/kernel/net/ipv4/netfilter/
cp:是否覆盖“/lib/modules/2.6.18-92.el5/kernel/net/ipv4/netfilter/ipt_connlimit.ko”? y
[root@seker linux-2.6.18.i686]# chmod 755 /lib/modules/2.6.18-92.el5/kernel/net/ipv4/netfilter/*.ko
[root@seker linux-2.6.18.i686]# cd ..
[root@seker src]# ls
backup                  kernels                         netfilter-layer7-v2.9.tar.gz
ipp2p-0.99.15           l7-protocols-2008-04-23         patch-o-matic-ng-20080918
ipp2p-0.99.15.tar.gz    l7-protocols-2008-04-23.tar.gz  patch-o-matic-ng-20080918.tar.bz2
iptables-1.3.8          linux-2.6.18.i686               redhat
iptables-1.3.8.tar.bz2  netfilter-layer7-v2.9
[root@seker src]# cd ipp2p-0.99.15
[root@seker ipp2p-0.99.15]# make
make -C /lib/modules/2.6.18-92.el5/build M=/usr/src/ipp2p-0.99.15 modules
make[1]: Entering directory `/usr/src/kernels/2.6.18-92.el5-i686'
  CC [M]  /usr/src/ipp2p-0.99.15/ipt_ipp2p.o
  Building modules, stage 2.
  MODPOST
  CC      /usr/src/ipp2p-0.99.15/ipt_ipp2p.mod.o
  LD [M]  /usr/src/ipp2p-0.99.15/ipt_ipp2p.ko
make[1]: Leaving directory `/usr/src/kernels/2.6.18-92.el5-i686'
gcc -O3 -Wall -DIPTABLES_VERSION=\"1.3.8\" -I/usr/src/iptables-1.3.8/include -fPIC -c libipt_ipp2p.c
gcc -shared -o libipt_ipp2p.so libipt_ipp2p.o
[root@seker ipp2p-0.99.15]# make install
cp ipt_ipp2p.ko /lib/modules/2.6.18-92.el5/kernel/net/ipv4/netfilter/
cp libipt_ipp2p.so /lib/iptables/
depmod -a
[root@seker ipp2p-0.99.15]# cd /lib/modules/2.6.18-92.el5/
[root@seker 2.6.18-92.el5]# depmod -a
[root@seker 2.6.18-92.el5]# cd -
/usr/src/ipp2p-0.99.15
[root@seker ipp2p-0.99.15]# cd ../iptables-1.3.8
[root@seker iptables-1.3.8]#
[root@seker iptables-1.3.8]# make BINDIR=/sbin LIBDIR=/lib MANDIR=/usr/share/man install
....
cp extensions/libipt_limit.so /lib/iptables/libipt_limit.so
....
cp extensions/libipt_layer7.so /lib/iptables/libipt_layer7.so
....
cp extensions/libipt_time.so /lib/iptables/libipt_time.so
....
rm libiptc/libip6tc.o libipq/libipq.o libiptc/libip4tc.o
[root@seker iptables-1.3.8]#


Test procedure:
[root@seker iptables-1.3.8]# modprobe ipt_connlimit
[root@seker iptables-1.3.8]# modprobe ipt_time
[root@seker iptables-1.3.8]# modprobe ipt_ipp2p
[root@seker iptables-1.3.8]# modprobe ipt_layer7
[root@seker iptables-1.3.8]# lsmod | grep x_table
x_tables               17349  6 ipt_layer7,ipt_ipp2p,ipt_time,ipt_connlimit,xt_tcpudp,ip_tables
[root@seker iptables-1.3.8]#
[root@seker iptables-1.3.8]# iptables -A FORWARD -m layer7 --l7proto qq  -m time --timestart 8:00 --timestop 17:30 --days Mon,Tue,Wed,Thu,Fri -m iprange --src-range 192.168.1.5-192.168.1.239 -m ipp2p --ipp2p -m ipp2p --xunlei -j DROP
[root@seker iptables-1.3.8]# iptables -A FORWARD -m layer7 --l7proto qq  -m time --timestart 8:00 --timestop 17:30 --days Mon,Tue,Wed,Thu,Fri -m iprange --src-range 192.168.1.5-192.168.1.239 -m ipp2p --ipp2p -m ipp2p --xunlei -j DROP
[root@seker iptables-1.3.8]#
[root@seker iptables-1.3.8]# iptables -I FORWARD -s 192.168.1.15 -p tcp --syn --dport 80 -m connlimit --connlimit-above 3 --connlimit-mask 24 -j DROP
[root@seker iptables-1.3.8]# iptables -xvL
Chain INPUT (policy ACCEPT 7783 packets, 1163810 bytes)
    pkts      bytes target     prot opt in     out     source               destination        

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination        
       0        0 DROP       tcp  --  any    any     192.168.1.15         anywhere            tcp dpt:http flags:FIN,SYN,RST,ACK/SYN #conn/24 > 3
       0        0 DROP       all  --  any    any     anywhere             anywhere            LAYER7 l7proto qq TIME from 8:0 to 17:30 on Mon,Tue,Wed,Thu,Fri source IP range 192.168.1.5-192.168.1.239 ipp2p v0.99.15 --ipp2p ipp2p v0.99.15 --xunlei
       0        0 DROP       all  --  any    any     anywhere             anywhere            LAYER7 l7proto qq TIME from 8:0 to 17:30 on Mon,Tue,Wed,Thu,Fri source IP range 192.168.1.5-192.168.1.239 ipp2p v0.99.15 --ipp2p ipp2p v0.99.15 --xunlei

Chain OUTPUT (policy ACCEPT 5793 packets, 1041904 bytes)
    pkts      bytes target     prot opt in     out     source               destination        
[root@seker iptables-1.3.8]#