iptables添加connlimit模块

来源：互联网发布：淘宝网舞蹈衣服编辑：程序博客网时间：2024/05/20 00:52

iptables添加connlimit模块

LINUX学习笔记 2008-05-16 21:05:00 阅读275 评论0 字号：大中小订阅

系统:CentOS 5.1 内核:2.6.18-53.1.19.el5( yum 升到此内核)
内核源码路径: /usr/src/kernels/2.6.18-53.1.19.el5-i686
下载下面两东东：

iptables-1.4.0.tar.bz2

wget ftp://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot/patch-o-matic-ng-20080214.tar.bz2

patch-o-matic-ng-20080214.tar.bz2

wget ftp://ftp.netfilter.org/pub/iptables/iptables-1.4.0.tar.bz2

放到/usr/src下,

#tar -jxvf iptables-1.4.0.tar.bz2

#mv iptables-1.4.0 iptables (后面用得上)

#tar -jxvf patch-o-matic-ng-20080214.tar.bz2

#cd patch-o-matic-ng-20080214

提示新加入了connlimit的选项，问是否需要编译进入内核的时候，输入“m”，编译为模块。

#make modules_prepare

#mv net/ipv4/netfilter/Makefile net/ipv4/netfilter/Makefile.orig ####备份原来的Makefile，里面包含了原始的编译信息，直接编译会无法通过。

创建新的Makefile

#vi net/ipv4/netfilter/Makefile

obj-m := ipt_connlimit.o

KDIR := /lib/modules/$(shell uname -r)/build

PWD := $(shell pwd)

default:

$(MAKE) -C $(KDIR) M=$(PWD) modules

然后编译该模块：
#make M=net/ipv4/netfilter/

# make M=net/ipv4/netfilter/
LD net/ipv4/netfilter/built-in.o
CC [M] net/ipv4/netfilter/ipt_connlimit.o
Building modules, stage 2.
MODPOST
CC net/ipv4/netfilter/ipt_connlimit.mod.o
LD [M] net/ipv4/netfilter/ipt_connlimit.ko
将生成的ko模块copy到目标地址，并设置权限
#cp net/ipv4/netfilter/ipt_connlimit.ko /lib/modules/2.6.18-53.1.19.el5/kernel/net/ipv4/netfilter/
#chmod 744 /lib/modules/
2.6.18-53.1.19.el5
/kernel/net/ipv4/netfilter/ipt_connlimit.ko

或者 insmod ipt_connlimit.ko

到这里，模块编译完成。

测试并应用新的模块

用depmod –a 测试connlimit模块是否兼容

# depmod –a

加载connlimit模块

#modprobe ipt_connlimit

# lsmod |grep ip

ipt_connlimit 7680 0(会有这行出现)

OK，模块已经可以正常使用了

例：iptables -A INPUT -i eth0 -p tcp --sport 80 --syn -m connlimit --connlimit-above 15 -j DROP

下载connlimit模块

#./runme --download

Successfully downloaded external patch geoip

Successfully downloaded external patch condition

Successfully downloaded external patch IPMARK

Successfully downloaded external patch ROUTE

Successfully downloaded external patch connlimit

Successfully downloaded external patch ipp2p

Successfully downloaded external patch time

./patchlets/ipv4options exists and is not external

./patchlets/TARPIT exists and is not external

Successfully downloaded external patch ACCOUNT

Successfully downloaded external patch pknock

Loading patchlet definitions......................... done

Excellent! Source trees are ready for compilation

应用connlimit补丁到内核：

#./runme connlimit

Loading patchlet definitions......................... done

Welcome to Patch-o-matic ($Revision: 6736 $)!

Kernel: 2.6.18, /usr/src/kernels/2.6.18-53.1.6.el5/

Iptables: 1.4.0, /root/iptables-1.4.0

Each patch is a new feature: many have minimal impact, some do not.

Almost every one has bugs, so don't apply what you don't need!

-------------------------------------------------------

Already applied:

Testing connlimit... not applied

The connlimit patch:

Author: Gerd Knorr <kraxel@bytesex.org>

Status: ItWorksForMe[tm]

This adds an iptables match which allows you to restrict the

number of parallel TCP connections to a server per client IP address

(or address block).

Examples:

# allow 2 telnet connections per client host

iptables -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT

# you can also match the other way around:

iptables -p tcp --syn --dport 23 -m connlimit ! --connlimit-above 2 -j ACCEPT

# limit the nr of parallel http requests to 16 per class C sized

# network (24 bit netmask)

iptables -p tcp --syn --dport 80 -m connlimit --connlimit-above 16 /

--connlimit-mask 24 -j REJECT

-----------------------------------------------------------------

Do you want to apply this patch [N/y/t/f/a/r/b/w/q/?] y !!! 此处填y !!!

Excellent! Source trees are ready for compilation.

iptables添加connlimit模块