Category: LINUX
2010-02-24 02:10:19
System environment and related packages
Operating system: Red Hat Enterprise Linux Server release 5 (2.6.18-53.el5)
Kernel source path: /usr/src/kernels/2.6.18-53.el5-i686
iptables-1.4.0.tar.bz2
patch-o-matic-ng-20080214.tar.bz2
Original environment in brief
[root@raid5 ~]# iptables
iptables v1.3.5: no command specified
Try `iptables -h' or 'iptables --help' for more information.
[root@raid5 ~]# cd /usr/src/kernels/2.6.18-53.el5-i686/
[root@raid5 2.6.18-53.el5-i686]# ls
arch
block
crypto
drivers
Build process:
[root@raid5 2.6.18-53.el5-i686]# cd /root/
[root@raid5 ~]# ls
anaconda-ks.cfg
Fetch the packages and unpack them (inside /root)
[root@raid5 ~]# wget ftp://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot/patch-o-matic-ng-20080214.tar.bz2
09:57:18 (58.8 KB/s) - `patch-o-matic-ng-20080214.tar.bz2' saved [137661]
[root@raid5 ~]# wget ftp://ftp.netfilter.org/pub/iptables/iptables-1.4.0.tar.bz2
09:57:33 (106 KB/s) - `iptables-1.4.0.tar.bz2' saved [181610]
[root@raid5 ~]# tar xjf iptables-1.4.0.tar.bz2
[root@raid5 ~]# tar xjf patch-o-matic-ng-20080214.tar.bz2
Download the connlimit module
[root@raid5 ~]# cd /root/patch-o-matic-ng-20080214
The command below can be run directly with the kernel source directory preset, i.e.
#KERNEL_DIR=/usr/src/kernels/2.6.18-53.el5-i686/
or you can enter the directories yourself when the script prompts for them during setup.
[root@raid5 patch-o-matic-ng-20080214]# ./runme -download
Successfully downloaded external patch geoip
Successfully downloaded external patch condition
Successfully downloaded external patch IPMARK
Successfully downloaded external patch ROUTE
Successfully downloaded external patch connlimit
Successfully downloaded external patch ipp2p
Successfully downloaded external patch time
./patchlets/ipv4options exists and is not external
./patchlets/TARPIT exists and is not external
Successfully downloaded external patch ACCOUNT
Successfully downloaded external patch pknock
Hey! KERNEL_DIR is not set.
Where is your kernel source directory? [/usr/src/linux] /usr/src/kernels/2.6.18-53.el5-i686
Hey! IPTABLES_DIR is not set.
Where is your iptables source code directory? [/usr/src/iptables] /root/iptables-1.4.0
Loading patchlet definitions......................... done
Excellent! Source trees are ready for compilation.
Apply the connlimit patch to the kernel
[root@raid5 patch-o-matic-ng-20080214]# KERNEL_DIR=/usr/src/kernels/2.6.18-53.el5-i686 IPTABLES_DIR=/root/iptables-1.4.0 ./runme connlimit
Loading patchlet definitions......................... done
Welcome to Patch-o-matic ($Revision: 6736 $)!
Kernel:
Iptables: 1.4.0, /root/iptables-1.4.0
Each patch is a new feature: many have minimal impact, some do not.
Almost every one has bugs, so don't apply what you don't need!
-------------------------------------------------------
Already applied:
Testing connlimit... not applied
The connlimit patch:
This adds an iptables match which allows you to restrict the
number of parallel TCP connections to a server per client IP address
(or address block).
Examples:
# allow 2 telnet connections per client host
iptables -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT
# you can also match the other way around:
iptables -p tcp --syn --dport 23 -m connlimit ! --connlimit-above 2 -j ACCEPT
# limit the nr of parallel http requests to 16 per class C sized
# network (24 bit netmask)
iptables -p tcp --syn --dport 80 -m connlimit --connlimit-above 16 \
-----------------------------------------------------------------
Do you want to apply this patch [N/y/t/f/a/r/b/w/q/?] y
Excellent! Source trees are ready for compilation.
Compile the kernel
[root@raid5 patch-o-matic-ng-20080214]# cd /usr/src/kernels/2.6.18-53.el5-i686/
[root@raid5 2.6.18-53.el5-i686]# make oldconfig
scripts/kconfig/conf -o arch/i386/Kconfig
*
* Linux Kernel Configuration
*
*
* Code maturity level options
*
Prompt for development and/or incomplete code/drivers (EXPERIMENTAL) [Y/n/?] y
*
* General setup
*
Local version - append to kernel release (LOCALVERSION) []
Automatically append version information to the version string (LOCALVERSION_AUTO) [N/y/?] n
Support for paging of anonymous memory (swap) (SWAP) [Y/n/?] y
System V IPC (SYSVIPC) [Y/n/?] y
POSIX Message Queues (POSIX_MQUEUE) [Y/n/?] y
BSD Process Accounting (BSD_PROCESS_ACCT) [Y/n/?] y
Export task/process statistics through netlink (EXPERIMENTAL) (TASKSTATS) [Y/n/?] y
Auditing support (AUDIT) [Y/n/?] y
Kernel .config support (IKCONFIG) [N/y/?] n
(a large amount of output omitted)
Packet mangling (IP_NF_MANGLE) [M/n/?] m
(more output omitted)
*
* Hardware crypto devices
*
Support for VIA PadLock ACE (CRYPTO_DEV_PADLOCK) [M/n/y/?] m
*
* Library routines
*
CRC-CCITT functions (CRC_CCITT) [M/y/?] m
CRC16 functions (CRC16) [M/n/y/?] m
CRC32 functions (CRC32) [Y/?] y
CRC32c (Castagnoli, et al) Cyclic Redundancy-Check (LIBCRC32C) [Y/?] y
#
# configuration written to .config
Notes on the step above:
When the configuration prompts for the newly added connlimit option and asks whether to build it into the kernel, enter "m" to build it as a module.
[root@raid5 2.6.18-53.el5-i686]# make modules_prepare
scripts/kconfig/conf -s arch/i386/Kconfig
Back up the original Makefile; it contains the original build definitions, and compiling directly with it will fail.
[root@raid5 2.6.18-53.el5-i686]# mv net/ipv4/netfilter/Makefile net/ipv4/netfilter/Makefile.bak
Create a new Makefile
[root@raid5 2.6.18-53.el5-i686]# vi net/ipv4/netfilter/Makefile
# Build ipt_connlimit as an out-of-tree module.
# The post shows only the variable names; the values and the default rule
# below are the standard external-module pattern, with KDIR taken from the
# kernel source path used throughout this post.
obj-m := ipt_connlimit.o
KDIR := /usr/src/kernels/2.6.18-53.el5-i686
PWD := $(shell pwd)
default:
	$(MAKE) -C $(KDIR) M=$(PWD) modules
Then build the module
[root@raid5 2.6.18-53.el5-i686]# make M=net/ipv4/netfilter/
Copy the generated .ko module to the target location and set the corresponding permissions
[root@raid5 2.6.18-53.el5-i686]# cp net/ipv4/netfilter/ipt_connlimit.ko /lib/modules/2.6.18-53.el5/kernel/net/ipv4/netfilter/
[root@raid5 2.6.18-53.el5-i686]# chmod 744 /lib/modules/2.6.18-53.el5/kernel/net/ipv4/netfilter/
At this point the module build is complete.
Test and apply the module
[root@raid5 2.6.18-53.el5-i686]# depmod -a
Load the connlimit module
[root@raid5 2.6.18-53.el5-i686]# modprobe ipt_connlimit
Check whether it loaded successfully
[root@raid5 2.6.18-53.el5-i686]# lsmod |grep ip
ipt_connlimit
x_tables
ip_conntrack
nfnetlink
dm_multipath
dm_mod
ipv6
[root@raid5 2.6.18-53.el5-i686]#
[root@raid5 2.6.18-53.el5-i686]# iptables -A INPUT -s 192.168.1.147 -m connlimit --connlimit-above 3 -j DROP
iptables: Unknown error 4294967295
The first attempt fails: this connlimit match only counts TCP connections and must be combined with -p tcp, so the rule is rejected when it is loaded. With the protocol match added, the rule loads:
[root@raid5 2.6.18-53.el5-i686]# iptables -A INPUT -p tcp -m tcp -s 192.168.1.147 -m connlimit --connlimit-above 3 -j DROP
[root@raid5 2.6.18-53.el5-i686]# iptables-save
# Generated by iptables-save v1.3.5 on Wed Feb 20 10:26:54 2008
*filter
:INPUT ACCEPT [216:17824]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [119:12828]
-A INPUT -s 192.168.1.147 -p tcp -m tcp -m connlimit --connlimit-above 3 --connlimit-mask 32 -j DROP
COMMIT
# Completed on Wed Feb 20 10:26:54 2008
[root@raid5 2.6.18-53.el5-i686]# iptables-save > /etc/sysconfig/iptables
[root@raid5 2.6.18-53.el5-i686]# /etc/init.d/iptables start
[root@raid5 2.6.18-53.el5-i686]# iptables -vnL
Chain INPUT (policy ACCEPT 388 packets, 41987 bytes)
3
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
Chain OUTPUT (policy ACCEPT 62 packets, 6024 bytes)
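The following is an added example, not code from the original post or from the netfilter project. It models the two things the post relies on without spelling out: how a connlimit rule decides that a new TCP connection is "above" the limit for its source address block (per host with mask 32, per class C with mask 24, and the negated "! --connlimit-above" form from the patch description), and how the "-A ..." lines of an iptables-save dump can be parsed and checked for the mistake that produced "Unknown error 4294967295" above, a connlimit rule without -p tcp. All names (ConnlimitRule, parse_iptables_save, rule_matches, lint_rule, block_key) and the sample dump and connection table are constructed for this illustration; the sample dump reuses the rule shown in the post plus one deliberately incomplete rule.

```python
"""Model of ipt_connlimit accounting plus a parser for iptables-save rule lines.
Added example; names and sample data are constructed, not from the post."""

import ipaddress
import shlex
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ConnlimitRule:
    chain: str
    above: int                     # --connlimit-above N
    mask: int = 32                 # --connlimit-mask: 32 = per client host, 24 = per class C
    negate: bool = False           # "! --connlimit-above N": match when NOT above
    source: Optional[str] = None   # -s value; None = any source
    proto: Optional[str] = None    # -p value; connlimit only counts TCP connections
    target: str = "ACCEPT"         # -j value


def parse_iptables_save(dump: str) -> List[ConnlimitRule]:
    """Return the connlimit rules found in an iptables-save dump; other rules are skipped."""
    rules = []
    for line in dump.splitlines():
        if not line.startswith("-A "):
            continue
        tok = shlex.split(line)
        if "connlimit" not in tok:
            continue
        rule = ConnlimitRule(chain=tok[1], above=0)
        i = 2
        while i < len(tok):
            t = tok[i]
            if t == "-s":
                rule.source = tok[i + 1]
                i += 2
            elif t == "-p":
                rule.proto = tok[i + 1]
                i += 2
            elif t == "-j":
                rule.target = tok[i + 1]
                i += 2
            elif t == "!" and i + 1 < len(tok) and tok[i + 1] == "--connlimit-above":
                rule.negate = True
                rule.above = int(tok[i + 2])
                i += 3
            elif t == "--connlimit-above":
                rule.above = int(tok[i + 1])
                i += 2
            elif t == "--connlimit-mask":
                rule.mask = int(tok[i + 1])
                i += 2
            else:
                i += 1  # -m tcp, -m connlimit, --syn, --dport ...: not needed for the model
        rules.append(rule)
    return rules


def block_key(ip: str, mask: int) -> ipaddress.IPv4Network:
    """Address block a connection is accounted to: the host for /32, the class C for /24."""
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False)


def rule_matches(rule: ConnlimitRule, new_src: str,
                 established: List[Tuple[str, str]], new_proto: str = "tcp") -> bool:
    """Does the rule fire for a new connection from new_src?

    established: (source_ip, protocol) pairs already in the connection table.
    connlimit counts the tracked TCP connections in new_src's block plus the new
    connection itself; "above" means that count exceeds the configured N."""
    if rule.proto is not None and new_proto != rule.proto:
        return False
    if rule.source is not None and ipaddress.ip_address(new_src) not in \
            ipaddress.ip_network(rule.source, strict=False):
        return False
    key = block_key(new_src, rule.mask)
    count = 1 + sum(1 for ip, proto in established
                    if proto == "tcp" and block_key(ip, rule.mask) == key)
    return (count > rule.above) != rule.negate


def lint_rule(rule: ConnlimitRule) -> List[str]:
    """Problems that stop a connlimit rule from loading or make it behave unexpectedly."""
    problems = []
    if rule.proto != "tcp":
        # the failure seen in the post: loading without -p tcp gave "Unknown error 4294967295"
        problems.append("connlimit counts TCP connections and needs -p tcp")
    if rule.above <= 0:
        problems.append("--connlimit-above must be a positive count")
    if not 0 <= rule.mask <= 32:
        problems.append("--connlimit-mask must be between 0 and 32")
    return problems


# Constructed sample: the dump shown in the post plus one rule left without -p tcp.
SAMPLE_DUMP = """\
# Generated by iptables-save v1.3.5 on Wed Feb 20 10:26:54 2008
*filter
:INPUT ACCEPT [216:17824]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [119:12828]
-A INPUT -s 192.168.1.147 -p tcp -m tcp -m connlimit --connlimit-above 3 --connlimit-mask 32 -j DROP
-A INPUT -s 10.0.0.0/24 -m connlimit --connlimit-above 16 --connlimit-mask 24 -j DROP
COMMIT
"""

if __name__ == "__main__":
    for rule in parse_iptables_save(SAMPLE_DUMP):
        print(rule, lint_rule(rule) or "ok")
    limited = parse_iptables_save(SAMPLE_DUMP)[0]
    tracked = [("192.168.1.147", "tcp")] * 3   # three connections already open
    print("4th connection from 192.168.1.147 dropped:",
          rule_matches(limited, "192.168.1.147", tracked))
```

Running the script lists both parsed rules, flags the second one for the missing -p tcp, and reports that a fourth connection from 192.168.1.147 is dropped while the first three are not, which is the behaviour the post's rule is meant to enforce.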