ubuntu 7.10 server下添加iptables connlimit模块
忙了一天多,终于添加成功了 connlimit模块,真不容易啊!闲话少说,说一下我配置的经过.
刚开始,按照 所提供的方法,进行安装,下了多个版本的patch-o-matic-ng,都是2005和2006年的,最新的版本不没有 connlimit模块.
执行 ./runme connlimit的时候会出现错误
unable to find ladd slot in src /tmp/pom-14753/net/ipv4/netfilter/Makefile (./patchlets/connlimit/linux-2.6.11/./net/ipv4/netfilter/Makefile.ladd)
-----------------------------------------------------------------
Do you want to apply this patch [N/y/t/f/a/r/b/w/q/?]
实在不明白是怎么回事,网上找了半天也没有找到解决办法,索性选择 f 强制安装
执行linux源码文件夹里执行
make menuconfig
依次选择性
Networking --->
Networking options --->
[*] Network packet filtering framework (Netfilter) --->
IP: Netfilter Configuration --->
再列表的最下面能看到新加的模块了
Connections/IP limit match support
选择 M, 保存.
执行 make net/ipv4/netfilter/ipt_connlimit.ko
会提示有三个头文件找不到, 然后有一堆的错误
CHK include/linux/version.h
CHK include/linux/utsrelease.h
CALL scripts/checksyscalls.sh
CC [M] net/ipv4/netfilter/ipt_connlimit.o
net/ipv4/netfilter/ipt_connlimit.c:16:47: error: linux/netfilter_ipv4/ip_conntrack.h: No such file or directory
net/ipv4/netfilter/ipt_connlimit.c:17:52: error: linux/netfilter_ipv4/ip_conntrack_core.h: No such file or directory
net/ipv4/netfilter/ipt_connlimit.c:18:51: error: linux/netfilter_ipv4/ip_conntrack_tcp.h: No such file or directory
我从网上找了别的内核版本对应的三个同名字的头文件,结果又会出其它的错误,看来是内核版本不同的问题
经过搜索, 在发现一个用于解决问题的方法,相关的步骤如下
Proposed solution:
1. download patch-o-matic-ng snapshot from
2. download iptables from ... similar place :-)
3. download connlimit patch from .
4. unpack connlimit:
tar xzvf connlimit to unpacked patch-o-matic/patchlets/
5. modify "info" file in patchlets/connlimit directory, so it looks like this:
Title: iptables connlimit match
Author: Gerd Knorr
Status: ItWorksForMe[tm]
Repository: extra
Requires: linux > 2.6.0
6. cd ../.. back to patch-o-matic top and configure by
./runme extra
7. select connlimit option to Y
8. go to Linux directory and make menuconfig to make sure that the new connlimit module is going to be compiled (CONFIG_IP_NF_MATCH_CONNLIMIT=m)
9. compile Linux kernel
我借鉴他提供的方法进行安装,终于成功了
1. 下载了最新的 patch-o-matic-ng-20080415.tar.bz2, connlimit.gz, iptables-1.4.0.tar.bz2, 都保存到了/usr/src目录下;
 |
| 文件: |
connlimit.gz |
| 大小: |
5KB |
| 下载: |
下载 | |
2. 安装linux-source
apt-get install linux-source-2.6.22
3. 解压文件,建立符号连接方便操作
cd /usr/src
tar xvf linux-source-2.6.22.tar.bz2
tar xvf patch-o-matic-ng-20080415.tar.bz2
tar xvf connlimit.gz
tar xvf iptables-1.4.0.tar.bz2
ln -s iptables-1.4.0 iptables
ln -s linux-source-2.6.22 linux
4. 编译
mv connlimit patch-o-matic-ng-20080415/patchlets/
cd patch-o-matic-ng-20080415
./runme connlimit
#直接按两次回车
#在提示Do you want to apply this patch [N/y/t/f/a/r/b/w/q/?] 时候选择 y
cd ../linux
make menuconfig
make menuconfig
依次选择性
Networking --->
Networking options --->
[*] Network packet filtering framework (Netfilter) --->
IP: Netfilter Configuration --->
再列表的最下面能看到新加的模块了
Connections/IP limit match support
选择 M, 保存
执行
make net/ipv4/netfilter/ipt_connlimit.ko
没有再提示错误
5.更新你的modules.dep
cp /usr/src/linux/net/ipv4/netfilter/ipt_connlimit.ko /lib/modules/2.6.22-14-server/kernel/net/ipv4/netfilter/
depmod -a
执行 modprobe ipt_connlimit不再报错了,哈哈
/sbin/iptables -A INPUT -s 192.186.1.0/24 -p tcp --syn -m connlimit --connlimit-above 15 -j DROP
查看一下,呵呵
iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP tcp -- 192.186.1.0/24 anywhere tcp flags:FIN,SYN,RST,ACK/SYN #conn/0 <= 36
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
终于好了,哈哈
阅读(3095) | 评论(0) | 转发(0) |
