Adding the connlimit module to iptables
Source: Internet; editor: 程序博客网; reposted 2024/05/20 00:52
Linux study notes, 2008-05-16 21:05:00
Kernel source path: /usr/src/kernels/2.6.18-53.1.19.el5-i686 (the kernel-devel tree of the running kernel; its release must be the one uname -r reports)
Download the following two tarballs:
wget ftp://ftp.netfilter.org/pub/iptables/iptables-1.4.0.tar.bz2
wget ftp://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot/patch-o-matic-ng-20080214.tar.bz2
Put them under /usr/src and unpack them:
#tar -jxvf iptables-1.4.0.tar.bz2
#mv iptables-1.4.0 iptables   (patch-o-matic-ng needs this tree later)
#tar -jxvf patch-o-matic-ng-20080214.tar.bz2
#cd patch-o-matic-ng-20080214
Now apply the connlimit patch with patch-o-matic-ng: ./runme --download fetches the external patchlets and ./runme connlimit applies the patch (the full session, and the make oldconfig run that follows it, are reproduced at the end of this note). runme locates the kernel and iptables trees through the KERNEL_DIR and IPTABLES_DIR environment variables; set them if your paths differ from what the session shows. Then, in the kernel source directory, run make oldconfig; when it prompts for the newly added option Connections/IP limit match support (IP_NF_MATCH_CONNLIMIT), answer m so that it is built as a module rather than into the kernel. Then prepare the tree for building modules:
#make modules_prepare
#mv net/ipv4/netfilter/Makefile net/ipv4/netfilter/Makefile.orig   #### back up the original Makefile; it lists every netfilter object in the tree and building with it directly fails
Create a new Makefile that builds only this one object:
#vi net/ipv4/netfilter/Makefile
obj-m := ipt_connlimit.o
KDIR := /lib/modules/$(shell uname -r)/build
PWD := $(shell pwd)
default:
	$(MAKE) -C $(KDIR) M=$(PWD) modules
Then build the module from the top of the kernel source tree:
#make M=net/ipv4/netfilter/
LD      net/ipv4/netfilter/built-in.o
CC [M]  net/ipv4/netfilter/ipt_connlimit.o
Building modules, stage 2.
MODPOST
CC      net/ipv4/netfilter/ipt_connlimit.mod.o
LD [M]  net/ipv4/netfilter/ipt_connlimit.ko
Copy the resulting .ko into the module tree of the running kernel and set its permissions:
#cp net/ipv4/netfilter/ipt_connlimit.ko /lib/modules/2.6.18-53.1.19.el5/kernel/net/ipv4/netfilter/
#chmod 744 /lib/modules/2.6.18-53.1.19.el5/kernel/net/ipv4/netfilter/ipt_connlimit.ko
(0644 is sufficient; a module file is read and handed to the kernel, never executed as a program.) Alternatively, insmod net/ipv4/netfilter/ipt_connlimit.ko loads the file directly, bypassing depmod and the module search path.
The module build is now complete.
Test and use the new module
Run depmod -a so that the module dependency map (modules.dep) picks up the new .ko; depmod also warns if the module needs symbols that the kernel and its modules do not provide:
# depmod -a
Load the connlimit module:
#modprobe ipt_connlimit
# lsmod |grep ip
ipt_connlimit 7680 0   (this line should now appear)
OK, the module is ready to use.
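Before relying on the module, check that it was built against the running kernel: the runme session later in this note reports the kernel tree as /usr/src/kernels/2.6.18-53.1.6.el5/ while the .ko is installed under /lib/modules/2.6.18-53.1.19.el5, and a module built against the wrong tree is refused at load time. The script below is an added example, not code from the original post or from netfilter; it compares the release in modinfo's vermagic line with uname -r and confirms the match shows up in lsmod. The modinfo and lsmod samples embedded in it are constructed.

```python
#!/usr/bin/env python
"""Checks that a freshly built ipt_connlimit.ko fits the running kernel and
is loaded.  Added example for this note, not code from the original post or
from netfilter.  The checks are pure functions over command output so they
can be exercised offline on the constructed samples below; run as a script
they call modinfo, uname -r and lsmod on the real system."""
import subprocess
import sys

# Constructed sample output, in the format modinfo and lsmod print.
SAMPLE_MODINFO = """\
filename:       /lib/modules/2.6.18-53.1.19.el5/kernel/net/ipv4/netfilter/ipt_connlimit.ko
license:        GPL
depends:        ip_conntrack,ip_tables
vermagic:       2.6.18-53.1.19.el5 SMP mod_unload 686 REGPARM 4KSTACKS gcc-4.1
"""
SAMPLE_LSMOD = """\
Module                  Size  Used by
ipt_connlimit           7680  0
ip_conntrack           52897  1 ipt_connlimit
ip_tables              17029  1 iptable_filter
"""

def vermagic_release(modinfo_text):
    """Kernel release recorded in the module's vermagic line (its first token)."""
    for line in modinfo_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "vermagic":
            fields = value.split()
            return fields[0] if fields else None
    return None

def module_matches_kernel(modinfo_text, running_release):
    """True when the .ko was built against the running kernel.  Building in
    /usr/src/kernels/2.6.18-53.1.6.el5 and loading on 2.6.18-53.1.19.el5,
    as the mismatched paths in this note would do, is rejected by the kernel
    and insmod reports 'Invalid module format'."""
    return vermagic_release(modinfo_text) == running_release

def loaded_modules(lsmod_text):
    """Parse lsmod output into {name: (size, refcount)}, skipping the header."""
    mods = {}
    for line in lsmod_text.splitlines()[1:]:
        parts = line.split()
        if len(parts) >= 3 and parts[1].isdigit() and parts[2].isdigit():
            mods[parts[0]] = (int(parts[1]), int(parts[2]))
    return mods

def connlimit_loaded(lsmod_text):
    """True if the match is loaded under the pom-ng name (ipt_connlimit) or
    the in-tree name used from kernel 2.6.23 on (xt_connlimit)."""
    mods = loaded_modules(lsmod_text)
    return "ipt_connlimit" in mods or "xt_connlimit" in mods

def _run(cmd):
    return subprocess.check_output(cmd).decode()

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "ipt_connlimit"
    release = _run(["uname", "-r"]).strip()
    info = _run(["modinfo", target])
    if not module_matches_kernel(info, release):
        sys.exit("vermagic %s does not match running kernel %s"
                 % (vermagic_release(info), release))
    print("built for %s; loaded: %s" % (release, connlimit_loaded(_run(["lsmod"]))))
```

Run it as root after modprobe; pass a path to the .ko if the module is not yet installed under /lib/modules.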
Example: drop new connections to the local web server from any client IP that already has more than 15 open:
iptables -A INPUT -i eth0 -p tcp --dport 80 --syn -m connlimit --connlimit-above 15 -j DROP
The test is on --dport, the server's port; matching --sport 80 instead would only see SYNs sent from source port 80 and would never limit inbound clients. --syn restricts the check to connection attempts, so established traffic is not re-evaluated on every packet.
Appendix: the patch-o-matic-ng session. First download the external patchlets (connlimit is one of them):
#./runme --download
Successfully downloaded external patch geoip
Successfully downloaded external patch condition
Successfully downloaded external patch IPMARK
Successfully downloaded external patch ROUTE
Successfully downloaded external patch connlimit
Successfully downloaded external patch ipp2p
Successfully downloaded external patch time
./patchlets/ipv4options exists and is not external
./patchlets/TARPIT exists and is not external
Successfully downloaded external patch ACCOUNT
Successfully downloaded external patch pknock
Loading patchlet definitions......................... done
Excellent! Source trees are ready for compilation
Apply the connlimit patch to the kernel tree:
#./runme connlimit
Loading patchlet definitions......................... done
Welcome to Patch-o-matic ($Revision: 6736 $)!
Kernel: 2.6.18, /usr/src/kernels/2.6.18-53.1.6.el5/
Iptables: 1.4.0, /root/iptables-1.4.0
Each patch is a new feature: many have minimal impact, some do not.
Almost every one has bugs, so don't apply what you don't need!
-------------------------------------------------------
Already applied:
Testing connlimit... not applied
The connlimit patch:
Author: Gerd Knorr <kraxel@bytesex.org>
Status: ItWorksForMe[tm]
This adds an iptables match which allows you to restrict the
number of parallel TCP connections to a server per client IP address
(or address block).
Examples:
# allow 2 telnet connections per client host
iptables -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT
# you can also match the other way around:
iptables -p tcp --syn --dport 23 -m connlimit ! --connlimit-above 2 -j ACCEPT
# limit the nr of parallel http requests to 16 per class C sized
# network (24 bit netmask)
iptables -p tcp --syn --dport 80 -m connlimit --connlimit-above 16 \
--connlimit-mask 24 -j REJECT
-----------------------------------------------------------------
Do you want to apply this patch [N/y/t/f/a/r/b/w/q/?] y   (answer y here)
Excellent! Source trees are ready for compilation.
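The patch text above, like the INPUT rule earlier in this note, counts existing connections per client address, or per address block when --connlimit-mask is given. As an added example, not part of the original note or of the netfilter code, the following script reproduces that arithmetic over a conntrack table dump, so you can see which prefixes a given --connlimit-above/--connlimit-mask pair would hit and why a whole /24 can be cut off by one busy host. The conntrack lines are constructed; filtering on the rule's destination port stands in for the kernel's per-rule connection list; TIME_WAIT entries are skipped, as xt_connlimit discards connections that are already closed, and the connection being opened is counted as well, as in the kernel match.

```python
#!/usr/bin/env python
"""Offline model of what -m connlimit counts.  Added example for this note;
it is not the kernel module's code.  Given a /proc/net/ip_conntrack dump it
groups the connections to one destination port by the client's source
address masked with --connlimit-mask and reports which prefixes a rule
'--connlimit-above N --connlimit-mask M' would match on the next SYN."""
import re
import socket
import struct
import sys
from collections import defaultdict

# Constructed sample in the 2.6.18 /proc/net/ip_conntrack format; the first
# src=/dport= pair on a line is the original (client -> server) direction.
# The later /proc/net/nf_conntrack format only adds an 'ipv4 2' prefix.
SAMPLE_CONNTRACK = """\
tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=192.0.2.10 sport=51000 dport=80 src=192.0.2.10 dst=10.0.0.5 sport=80 dport=51000 [ASSURED] use=1
tcp      6 431998 ESTABLISHED src=10.0.0.5 dst=192.0.2.10 sport=51001 dport=80 src=192.0.2.10 dst=10.0.0.5 sport=80 dport=51001 [ASSURED] use=1
tcp      6 431997 ESTABLISHED src=10.0.0.6 dst=192.0.2.10 sport=40000 dport=80 src=192.0.2.10 dst=10.0.0.6 sport=80 dport=40000 [ASSURED] use=1
tcp      6 431996 ESTABLISHED src=10.0.1.7 dst=192.0.2.10 sport=40001 dport=80 src=192.0.2.10 dst=10.0.1.7 sport=80 dport=40001 [ASSURED] use=1
tcp      6 431995 ESTABLISHED src=10.0.0.5 dst=192.0.2.10 sport=51002 dport=22 src=192.0.2.10 dst=10.0.0.5 sport=22 dport=51002 [ASSURED] use=1
tcp      6 119 TIME_WAIT src=10.0.0.5 dst=192.0.2.10 sport=51003 dport=80 src=192.0.2.10 dst=10.0.0.5 sport=80 dport=51003 [ASSURED] use=1
udp      17 29 src=10.0.0.5 dst=192.0.2.10 sport=5000 dport=53 src=192.0.2.10 dst=10.0.0.5 sport=53 dport=5000 use=1
"""

_FIELD = re.compile(r"\b(src|dport)=(\S+)")

def parse_conntrack(text):
    """Yield (tcp_state, client_src, server_dport) for each IPv4 TCP entry."""
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0] == "ipv4":      # nf_conntrack format prefix
            parts = parts[2:]
        if len(parts) < 4 or parts[0] != "tcp":
            continue
        fields = {}
        for key, val in _FIELD.findall(line):
            fields.setdefault(key, val)       # first occurrence = original direction
        yield parts[3], fields["src"], int(fields["dport"])

def mask_prefix(addr, bits):
    """Apply an IPv4 prefix length the way --connlimit-mask does:
    mask_prefix('10.0.0.5', 24) -> '10.0.0.0/24'."""
    n = struct.unpack("!I", socket.inet_aton(addr))[0]
    mask = (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF if bits else 0
    return "%s/%d" % (socket.inet_ntoa(struct.pack("!I", n & mask)), bits)

def count_connections(text, dport, mask_bits=32, ignore_states=("TIME_WAIT",)):
    """Live connections to dport per masked client prefix.  Restricting to
    the rule's port stands in for the kernel's per-rule connection list;
    TIME_WAIT entries are skipped because xt_connlimit discards connections
    that are already closed."""
    counts = defaultdict(int)
    for state, src, port in parse_conntrack(text):
        if port == dport and state not in ignore_states:
            counts[mask_prefix(src, mask_bits)] += 1
    return dict(counts)

def would_match(text, dport, above, mask_bits=32):
    """Prefixes whose next SYN would match '--connlimit-above ABOVE'.  The
    connection being opened counts as well, as in the kernel match, so the
    rule fires once ABOVE connections already exist."""
    counts = count_connections(text, dport, mask_bits)
    return sorted(p for p, n in counts.items() if n + 1 > above)

if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit("usage: connlimit_model.py DPORT ABOVE MASKBITS   (e.g. 80 16 24)")
    dport, above, bits = (int(a) for a in sys.argv[1:])
    table = None
    for path in ("/proc/net/nf_conntrack", "/proc/net/ip_conntrack"):
        try:
            with open(path) as fh:
                table = fh.read()
            break
        except IOError:
            pass
    if table is None:
        sys.exit("no readable conntrack table; is ip_conntrack/nf_conntrack loaded?")
    for prefix, n in sorted(count_connections(table, dport, bits).items()):
        print("%-20s %4d %s" % (prefix, n, "MATCH" if n + 1 > above else ""))
```

On the sample, a /32 rule with --connlimit-above 2 hits only 10.0.0.5, while the same limit with --connlimit-mask 24 hits all of 10.0.0.0/24, including 10.0.0.6 with a single connection; that is the trade-off to weigh before using a mask in front of NATed client populations.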
Then configure the kernel tree so the new option is registered (the session above reports the tree as /usr/src/kernels/2.6.18-53.1.6.el5/, while the module is installed under /lib/modules/2.6.18-53.1.19.el5; use the tree matching uname -r, otherwise the kernel refuses the module for a version-magic mismatch):
#cd /usr/src/kernels/2.6.18-53.1.19.el5-i686
#make oldconfig
HOSTCC scripts/kconfig/conf.o
HOSTCC scripts/kconfig/kxgettext.o
HOSTCC scripts/kconfig/mconf.o
HOSTCC scripts/kconfig/zconf.tab.o
HOSTLD scripts/kconfig/conf
scripts/kconfig/conf -o arch/i386/Kconfig
*
* Linux Kernel Configuration
*
*
* Code maturity level options
*
Prompt for development and/or incomplete code/drivers (EXPERIMENTAL) [Y/n/?] y
... (lengthy output omitted) ...
* ARP tables support (IP_NF_ARPTABLES) [M/n/?] m
ARP packet filtering (IP_NF_ARPFILTER) [M/n/?] m
ARP payload mangling (IP_NF_ARP_MANGLE) [M/n/?] m
Connections/IP limit match support (IP_NF_MATCH_CONNLIMIT) [N/m/?] (NEW) m   (answer m here)
*
* IPv6: Netfilter Configuration (EXPERIMENTAL)
*
IP6 Userspace queueing via NETLINK (OBSOLETE) (IP6_NF_QUEUE) [M/n/?] m
... (lengthy output omitted) ...
* General setup
*
#
# configuration written to .config