Category: LINUX

2008-08-21 15:25:15

------------RHEL5: connlimit module compiled successfully------------
mkdir -p /linlan/iptables
cd /linlan/iptables
#wget
#wget
wget
wget
tar xjvf iptables-1.4.0.tar.bz2
tar xjvf patch-o-matic-ng-20080214.tar.bz2
cd /linlan/iptables/patch-o-matic-ng-20080214
# download the connlimit module
KERNEL_DIR=/usr/src/kernels/2.6.18-8.el5-i686/ IPTABLES_DIR=/linlan/iptables/iptables-1.4.0 ./runme --download
# apply the connlimit patch to the kernel
KERNEL_DIR=/usr/src/kernels/2.6.18-8.el5-i686 IPTABLES_DIR=/linlan/iptables/iptables-1.4.0 ./runme connlimit
##########################################################
-----------------------------------------------------------------
Already applied:
Testing connlimit... not applied
The connlimit patch:
   Author: Gerd Knorr <>
   Status: ItWorksForMe[tm]
This adds an iptables match which allows you to restrict the
number of parallel TCP connections to a server per client IP address
(or address block).
Examples:
# allow 2 telnet connections per client host
iptables -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT
# you can also match the other way around:
iptables -p tcp --syn --dport 23 -m connlimit ! --connlimit-above 2 -j ACCEPT
# limit the nr of parallel http requests to 16 per class C sized
# network (24 bit netmask)
iptables -p tcp --syn --dport 80 -m connlimit --connlimit-above 16 \
        --connlimit-mask 24 -j REJECT
-----------------------------------------------------------------
Do you want to apply this patch [N/y/t/f/a/r/b/w/q/?] y
##########################################################
# start building the module
cd /usr/src/kernels/2.6.18-8.el5-i686
make oldconfig
##########################################################
      raw table support (required for NOTRACK/TRACE) (IP_NF_RAW) [M/n/?] m
    ARP tables support (IP_NF_ARPTABLES) [M/n/?] m
      ARP packet filtering (IP_NF_ARPFILTER) [M/n/?] m
      ARP payload mangling (IP_NF_ARP_MANGLE) [M/n/?] m
    Connections/IP limit match support (IP_NF_MATCH_CONNLIMIT) [N/m/?] (NEW) m
##########################################################
# The newly added connlimit option is shown; when asked whether to build it into the kernel, enter "m" to build it as a module.
make modules_prepare
mv net/ipv4/netfilter/Makefile net/ipv4/netfilter/Makefile.orig
# create a new Makefile
vi net/ipv4/netfilter/Makefile
##########################################################
# kbuild reads obj-m from this file when invoked as 'make M=...' from the kernel tree;
# the default target below is only used when running make directly in this directory
obj-m := ipt_connlimit.o
KDIR  := /lib/modules/$(shell uname -r)/build
PWD   := $(shell pwd)
default:
	$(MAKE) -C $(KDIR) M=$(PWD) modules
##########################################################
# build the module
make M=net/ipv4/netfilter/
cp net/ipv4/netfilter/ipt_connlimit.ko /lib/modules/2.6.18-8.el5/kernel/net/ipv4/netfilter/
chmod 744 /lib/modules/2.6.18-8.el5/kernel/net/ipv4/netfilter/ipt_connlimit.ko
depmod
depmod -a
modprobe ipt_connlimit
lsmod |grep ip
iptables -A INPUT -p tcp -s 192.168.1.10 -m connlimit --connlimit-above 3 -j DROP
iptables -A INPUT -p tcp --dport 80 -m connlimit --connlimit-above 2 -j DROP
##########################################################
Chain INPUT (policy ACCEPT)
target     prot opt source               destination        
DROP       tcp  --  192.168.1.10         anywhere            #conn/32 > 3
DROP       tcp  --  anywhere             anywhere            tcp dpt:http #conn/32 > 2
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination       
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
##########################################################
iptables -A INPUT -p icmp -s 0.0.0.0/0 -m connlimit --connlimit-above 2 -j DROP
Done.
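Added illustration, not part of the original post: a small Python model of how the connlimit match decides, following the patch description above (connections are counted per masked source block, the new connection included, and the rule matches when the count is above N; "!" inverts). The Conn and ConnlimitRule types and the simulate() helper are assumptions made for this example, and the conntrack state is constructed inline.

```python
import ipaddress
from typing import List, NamedTuple, Optional

class Conn(NamedTuple):
    """A tracked TCP connection, reduced to what connlimit looks at (hypothetical type)."""
    src: str
    dport: int

class ConnlimitRule(NamedTuple):
    """'-p tcp --syn [--dport D] -m connlimit [!] --connlimit-above N --connlimit-mask M'."""
    above: int
    mask_bits: int = 32          # 32 = per client host, 24 = per class C sized block
    invert: bool = False         # the '!' form
    dport: Optional[int] = None  # None: the rule has no --dport, every port counts

def same_block(a: str, b: str, mask_bits: int) -> bool:
    """True when a and b fall into the same --connlimit-mask source block."""
    net = ipaddress.ip_network(f"{a}/{mask_bits}", strict=False)
    return ipaddress.ip_address(b) in net

def connlimit_matches(rule: ConnlimitRule, new: Conn, tracked: List[Conn]) -> bool:
    """Does a new SYN match the rule, given the connections already in conntrack?

    Counts tracked connections from the same masked source block that this rule
    applies to, plus the new one, and matches when that exceeds N (inverted by '!').
    """
    if rule.dport is not None and new.dport != rule.dport:
        return False  # --dport did not match, so connlimit is never consulted
    peers = [c for c in tracked
             if same_block(new.src, c.src, rule.mask_bits)
             and (rule.dport is None or c.dport == rule.dport)]
    return (len(peers) + 1 > rule.above) != rule.invert

def simulate(rule: ConnlimitRule, target: str, attempts: List[Conn]) -> List[str]:
    """Feed SYNs through 'rule -j target' in order and return one verdict per attempt.

    Assumes a chain policy of ACCEPT (as in the listing above): anything not
    rejected or dropped becomes an established, tracked connection.
    """
    tracked: List[Conn] = []
    verdicts = []
    for conn in attempts:
        verdict = target if connlimit_matches(rule, conn, tracked) else "(no match)"
        verdicts.append(verdict)
        if verdict not in ("REJECT", "DROP"):
            tracked.append(conn)
    return verdicts

# constructed sample: the 'allow 2 telnet connections per client host' rule
telnet_rule = ConnlimitRule(above=2, dport=23)
telnet_attempts = [Conn("10.0.0.5", 23)] * 3 + [Conn("10.0.0.6", 23), Conn("10.0.0.5", 80)]
```

Running simulate(telnet_rule, "REJECT", telnet_attempts) shows the third SYN from 10.0.0.5 being rejected while another host, or the same host on another port, passes.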

This article is from: E点废墟 () Detailed source reference: