Chinaunix首页 | 论坛 | 博客

里尼克斯炸酱面

首页 |  博文目录 |  关于我

里尼克斯炸酱面

  • 博客访问: 38759
  • 博文数量: 13
  • 博客积分: 1400
  • 博客等级: 上尉
  • 技术积分: 190
  • 用 户 组: 普通用户
  • 注册时间: 2008-03-13 18:16
文章分类

全部博文(13)

文章存档

2011年(1)

2008年(12)

我的朋友
最近访客
推荐博文
相关博文
IPTABLES加载connlimit模块抵挡DDOS

分类: LINUX

2008-03-13 18:34:57

          
文件: ipt_connlimit.rar
大小: 52KB
下载: 下载
       CENTOS5不编译内核增加connlimit模块
                      系统环境和相关软件包

操作系统:CENTOS5 (YUM升级过内核) iptables v1.3.5

内核源码路径:/usr/src/kernels/2.6.18-53.1.6.el5

iptables-1.4.0.tar.bz2     

wget

patch-o-matic-ng-20080214.tar.bz2      

wget

 

编译过程

获取安装包并解压(/root目录内)

#wget

#wget

#tar xjf iptables-1.4.0.tar.bz2

#tar xjf patch-o-matic-ng-20080214.tar.bz2

#cd /root/patch-o-matic-ng-20080214

 

下载connlimit模块

#./runme --download

Successfully downloaded external patch geoip

Successfully downloaded external patch condition

Successfully downloaded external patch IPMARK

Successfully downloaded external patch ROUTE

Successfully downloaded external patch connlimit

Successfully downloaded external patch ipp2p

Successfully downloaded external patch time

./patchlets/ipv4options exists and is not external

./patchlets/TARPIT exists and is not external

Successfully downloaded external patch ACCOUNT

Successfully downloaded external patch pknock

Loading patchlet definitions......................... done

Excellent! Source trees are ready for compilation.

 

应用connlimit补丁到内核:

 

#./runme connlimit

 

Loading patchlet definitions......................... done

Welcome to Patch-o-matic ($Revision: 6736 $)!

 

Kernel:   2.6.18, /usr/src/kernels/2.6.18-53.1.6.el5/

Iptables: 1.4.0, /root/iptables-1.4.0

Each patch is a new feature: many have minimal impact, some do not.

Almost every one has bugs, so don't apply what you don't need!

-------------------------------------------------------

Already applied:

Testing connlimit... not applied

The connlimit patch:

   Author: Gerd Knorr

   Status: ItWorksForMe[tm]

 

This adds an iptables match which allows you to restrict the

number of parallel TCP connections to a server per client IP address

(or address block).

 

Examples:

 

# allow 2 telnet connections per client host

iptables -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT

 

# you can also match the other way around:

iptables -p tcp --syn --dport 23 -m connlimit ! --connlimit-above 2 -j ACCEPT

 

# limit the nr of parallel http requests to 16 per class C sized

# network (24 bit netmask)

iptables -p tcp --syn --dport 80 -m connlimit --connlimit-above 16 \

        --connlimit-mask 24 -j REJECT

-----------------------------------------------------------------

Do you want to apply this patch [N/y/t/f/a/r/b/w/q/?] y !!!  此处填y  !!!

 

Excellent! Source trees are ready for compilation.

 

开始编译模块:

#cd /usr/src/kernels/2.6.18-53.1.6.el5

#make oldconfig

HOSTCC  scripts/kconfig/conf.o

  HOSTCC  scripts/kconfig/kxgettext.o

  HOSTCC  scripts/kconfig/mconf.o

  HOSTCC  scripts/kconfig/zconf.tab.o

  HOSTLD  scripts/kconfig/conf

scripts/kconfig/conf -o arch/i386/Kconfig

*

* Linux Kernel Configuration

*

*

* Code maturity level options

*

Prompt for development and/or incomplete code/drivers (EXPERIMENTAL) [Y/n/?] y

…………………………………………………………………………………………………………

                                 省略大量输出

…………………………………………………………………………………………………………

*    ARP tables support (IP_NF_ARPTABLES) [M/n/?] m

      ARP packet filtering (IP_NF_ARPFILTER) [M/n/?] m

      ARP payload mangling (IP_NF_ARP_MANGLE) [M/n/?] m

    Connections/IP limit match support (IP_NF_MATCH_CONNLIMIT) [N/m/?] (NEW) m     !!!  此处填m  !!!

    *

    * IPv6: Netfilter Configuration (EXPERIMENTAL)

    *

    IP6 Userspace queueing via NETLINK (OBSOLETE) (IP6_NF_QUEUE) [M/n/?] m

…………………………………………………………………………………………………………

                                 省略大量输出

…………………………………………………………………………………………………………

 

* General setup

*

#

# configuration written to .config

 

提示新加入了connlimit的选项,问是否需要编译进入内核的时候,输入“m”,编译为模块。

#make modules_prepare 

#mv net/ipv4/netfilter/Makefile net/ipv4/netfilter/Makefile.orig      ####备份原来的Makefile,里面包含了原始的编译信息,直接编译会无法通过。

 

创建新的Makefile

#vi net/ipv4/netfilter/Makefile

obj-m := ipt_connlimit.o

 

KDIR  := /lib/modules/$(shell uname -r)/build

PWD   := $(shell pwd)

 

default:

    $(MAKE) -C $(KDIR) M=$(PWD) modules

 

然后编译该模块:

#make M=net/ipv4/netfilter/

 

# make M=net/ipv4/netfilter/

  LD      net/ipv4/netfilter/built-in.o

  CC [M]  net/ipv4/netfilter/ipt_connlimit.o

  Building modules, stage 2.

  MODPOST

  CC      net/ipv4/netfilter/ipt_connlimit.mod.o

  LD [M]  net/ipv4/netfilter/ipt_connlimit.ko

将生成的ko模块copy到目标地址,并设置权限

#cp net/ipv4/netfilter/ipt_connlimit.ko /lib/modules/2.6.18-53.1.6.el5/kernel/net/ipv4/netfilter/

#chmod 744 /lib/modules/2.6.18-53.1.6.el5/kernel/net/ipv4/netfilter/ipt_connlimit.ko

 

到这里,模块编译完成。

 

测试并应用新的模块

depmod –a 测试connlimit模块是否兼容

# depmod –a

加载connlimit模块

#modprobe ipt_connlimit

# lsmod |grep ip

ipt_connlimit           7680  0

ip_conntrack           53153  1 ipt_connlimit

nfnetlink              10713  1 ip_conntrack

ipv6                  251137  12

ipt_REJECT              9537  0

x_tables               17349  3 ipt_connlimit,ipt_REJECT,xt_tcpudp

 

OK,模块已经可以正常使用了

下面测试一下:

修改/etc/sysconfig/iptables在合适的位置加入一行:

-A RH-Firewall-1-INPUT -p tcp -m tcp -s 192.168.10.41 -m connlimit --connlimit-above 3 -j DROP

重新启动iptables.

#services iptables restart

查看策略是否应用成功

[root@connlimit 2.6.18-8.el5-i686]# iptables -L -n

Chain INPUT (policy ACCEPT)

target     prot opt source               destination

RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0

 

Chain FORWARD (policy ACCEPT)

target     prot opt source               destination

RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0

 

Chain OUTPUT (policy ACCEPT)

target     prot opt source               destination

 

Chain RH-Firewall-1-INPUT (2 references)

target     prot opt source               destination

ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 255

ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0

ACCEPT     ah   --  0.0.0.0/0            0.0.0.0/0

ACCEPT     udp  --  0.0.0.0/0            224.0.0.251         udp dpt:5353

ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:631

ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:631

DROP       tcp  --  192.168.10.41        0.0.0.0/0           tcp #conn/32 > 3

ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED

ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22

REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

完成!!!!!!!!!!!!!!

附件为编译好ipt_connlimit.ko,内核源码路径:/usr/src/kernels/2.6.18-53.1.6.el5,解压后

 

#cp ipt_connlimit.ko /lib/modules/ 2.6.18-53.1.6.el5/kernel/net/ipv4/netfilter/

 

#chmod 744 /lib/modules/2.6.18-8.el5/kernel/net/ipv4/netfilter/ipt_connlimit.ko

就可以使用了。

比如:

 

iptables -A INPUT -i eth0 -p tcp --sport 80  --syn -m connlimit --connlimit-above 15 -j DROP

阅读(2115) | 评论(0) | 转发(0) |
0

上一篇:没有了

下一篇:CENTOS5安全的VSFTP设置

给主人留下些什么吧!~~
关于我们 | 关于IT168 | 联系方式 | 广告合作 | 法律声明 | 免费注册

Copyright 2001-2010 ChinaUnix.net All Rights Reserved 北京皓辰网域网络信息技术有限公司. 版权所有

感谢所有关心和支持过ChinaUnix的朋友们

16024965号-6