Category: LINUX
2008-03-13 18:34:57
OS: CentOS 5 (kernel upgraded via yum), iptables v1.3.5
Kernel source path: /usr/src/kernels/2.6.18-53.1.6.el5
iptables-1.4.0.tar.bz2
wget
patch-o-matic-ng-20080214.tar.bz2
wget
#wget
#wget
#tar xjf iptables-1.4.0.tar.bz2
#tar xjf patch-o-matic-ng-20080214.tar.bz2
#cd /root/patch-o-matic-ng-20080214
Download the connlimit module (and the other external patchlets):
#./runme --download
Successfully downloaded external patch geoip
Successfully downloaded external patch condition
Successfully downloaded external patch IPMARK
Successfully downloaded external patch ROUTE
Successfully downloaded external patch connlimit
Successfully downloaded external patch ipp2p
Successfully downloaded external patch time
./patchlets/ipv4options exists and is not external
./patchlets/TARPIT exists and is not external
Successfully downloaded external patch ACCOUNT
Successfully downloaded external patch pknock
Loading patchlet definitions......................... done
Excellent! Source trees are ready for compilation.
Apply the connlimit patch to the kernel source:
#./runme connlimit
Loading patchlet definitions......................... done
Welcome to Patch-o-matic ($Revision: 6736 $)!
Kernel: 2.6.18, /usr/src/kernels/2.6.18-53.1.6.el5/
Iptables: 1.4.0, /root/iptables-1.4.0
Each patch is a new feature: many have minimal impact, some do not.
Almost every one has bugs, so don't apply what you don't need!
-------------------------------------------------------
Already applied:
Testing connlimit... not applied
The connlimit patch:
Author: Gerd Knorr
Status: ItWorksForMe[tm]
This adds an iptables match which allows you to restrict the
number of parallel TCP connections to a server per client IP address
(or address block).
Examples:
# allow 2 telnet connections per client host
iptables -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT
# you can also match the other way around:
iptables -p tcp --syn --dport 23 -m connlimit ! --connlimit-above 2 -j ACCEPT
# limit the nr of parallel http requests to 16 per class C sized
# network (24 bit netmask)
iptables -p tcp --syn --dport 80 -m connlimit --connlimit-above 16 \
--connlimit-mask 24 -j REJECT
-----------------------------------------------------------------
Do you want to apply this patch [N/y/t/f/a/r/b/w/q/?] y    !!! type y here !!!
Excellent! Source trees are ready for compilation.
Then build the module (run make from inside the kernel source tree, /usr/src/kernels/2.6.18-53.1.6.el5, so that the relative paths below resolve):
# make M=net/ipv4/netfilter/
LD net/ipv4/netfilter/built-in.o
CC [M] net/ipv4/netfilter/ipt_connlimit.o
Building modules, stage 2.
MODPOST
CC net/ipv4/netfilter/ipt_connlimit.mod.o
LD [M] net/ipv4/netfilter/ipt_connlimit.ko
Copy the generated .ko module into the running kernel's module directory and set its permissions:
#cp net/ipv4/netfilter/ipt_connlimit.ko /lib/modules/2.6.18-53.1.6.el5/kernel/net/ipv4/netfilter/
#chmod 744 /lib/modules/2.6.18-53.1.6.el5/kernel/net/ipv4/netfilter/ipt_connlimit.ko
At this point the module build is complete.
Run depmod -a to rebuild the module dependency map and confirm the connlimit module resolves against the running kernel:
# depmod -a
Load the connlimit module:
#modprobe ipt_connlimit
# lsmod |grep ip
ipt_connlimit 7680 0
ip_conntrack 53153 1 ipt_connlimit
nfnetlink 10713 1 ip_conntrack
ipv6 251137 12
ipt_REJECT 9537 0
x_tables 17349 3 ipt_connlimit,ipt_REJECT,xt_tcpudp
OK, the module is now ready to use.
Now test it:
Edit /etc/sysconfig/iptables and add a line in the appropriate place:
-A RH-Firewall-1-INPUT -p tcp -m tcp -s 192.168.10.41 -m connlimit --connlimit-above 3 -j DROP
Restart iptables:
#service iptables restart
Check that the policy was applied:
[root@connlimit 2.6.18-8.el5-i686]# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 255
ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     ah   --  0.0.0.0/0            0.0.0.0/0
ACCEPT     udp  --  0.0.0.0/0            224.0.0.251         udp dpt:5353
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:631
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:631
DROP       tcp  --  192.168.10.41        0.0.0.0/0           tcp #conn/32 > 3
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
Done!
The attachment is the prebuilt ipt_connlimit.ko (built against the kernel source at /usr/src/kernels/2.6.18-53.1.6.el5). After extracting it, copy it into that kernel's module directory and set permissions:
#cp ipt_connlimit.ko /lib/modules/2.6.18-53.1.6.el5/kernel/net/ipv4/netfilter/
#chmod 744 /lib/modules/2.6.18-53.1.6.el5/kernel/net/ipv4/netfilter/ipt_connlimit.ko
and it is ready to use.
For example:
iptables -A INPUT -i eth0 -p tcp --sport 80 --syn -m connlimit --connlimit-above 15 -j DROP
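As an added illustration (not part of the original post and not the module's own code), the Python script below models how the connlimit match decides on a new SYN, following the semantics given in the patch description earlier on this page and applying them to the test rule against 192.168.10.41 and to the example rules: live connections are counted per source address, or per address block when --connlimit-mask is given; the new connection itself is counted, so the (N+1)-th connection is the first one that matches --connlimit-above N; entries in TIME_WAIT are skipped; and ! inverts the result. The conntrack table is constructed sample data, the function names are my own, and treating only TIME_WAIT as "not live" is a simplification of what the kernel does.

```python
import ipaddress
import shlex

# Constructed sample of live conntrack entries (source address, TCP state).
# Illustrative data only; not taken from a real system or from the page.
SAMPLE_CONNTRACK = [
    ("192.168.10.41", "ESTABLISHED"),
    ("192.168.10.41", "ESTABLISHED"),
    ("192.168.10.41", "ESTABLISHED"),
    ("192.168.10.41", "TIME_WAIT"),  # closing; the match does not count it
    ("192.168.10.42", "ESTABLISHED"),
    ("192.168.10.50", "ESTABLISHED"),
    ("192.168.10.50", "ESTABLISHED"),
    ("10.0.0.5", "ESTABLISHED"),
]


def mask_addr(addr, mask_bits):
    """Return the network part of an IPv4 address under a /mask_bits prefix."""
    prefix = (0xFFFFFFFF << (32 - mask_bits)) & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(addr)) & prefix


def count_parallel(conntrack, src, mask_bits=32):
    """Count live connections whose source lies in the same /mask_bits block as src.
    Assumption (simplified model): only TIME_WAIT entries are treated as not live."""
    src_net = mask_addr(src, mask_bits)
    return sum(1 for peer, state in conntrack
               if state != "TIME_WAIT" and mask_addr(peer, mask_bits) == src_net)


def connlimit_matches(conntrack, src, above, mask_bits=32, negate=False):
    """Model of '-m connlimit [!] --connlimit-above N [--connlimit-mask M]' for a new SYN.
    The new connection is counted too, so N existing connections plus this one exceed N."""
    total = count_parallel(conntrack, src, mask_bits) + 1
    matched = total > above
    return (not matched) if negate else matched


def parse_connlimit_rule(rule):
    """Pull -s, --connlimit-above, --connlimit-mask, negation and -j out of a rule line."""
    toks = shlex.split(rule)
    opts = {"src": None, "above": None, "mask": 32, "negate": False, "target": None}
    i = 0
    while i < len(toks):
        t = toks[i]
        if t == "!" and i + 1 < len(toks) and toks[i + 1] == "--connlimit-above":
            opts["negate"] = True
        elif t == "--connlimit-above":
            i += 1
            opts["above"] = int(toks[i])
        elif t == "--connlimit-mask":
            i += 1
            opts["mask"] = int(toks[i])
        elif t == "-s":
            i += 1
            opts["src"] = toks[i]
        elif t == "-j":
            i += 1
            opts["target"] = toks[i]
        i += 1
    return opts


def evaluate(rule, conntrack, src):
    """Return the rule's target if a new SYN from src would hit it, otherwise None."""
    opts = parse_connlimit_rule(rule)
    if opts["above"] is None or opts["target"] is None:
        raise ValueError("not a connlimit rule with a target")
    if opts["src"] is not None:
        allowed = ipaddress.IPv4Network(opts["src"], strict=False)
        if ipaddress.IPv4Address(src) not in allowed:
            return None  # the -s selector excludes this source; the match is never consulted
    if connlimit_matches(conntrack, src, opts["above"], opts["mask"], opts["negate"]):
        return opts["target"]
    return None


if __name__ == "__main__":
    test_rule = ("-A RH-Firewall-1-INPUT -p tcp -m tcp -s 192.168.10.41 "
                 "-m connlimit --connlimit-above 3 -j DROP")
    for peer in ("192.168.10.41", "192.168.10.42"):
        print(peer, "->", evaluate(test_rule, SAMPLE_CONNTRACK, peer))
    # Per-/24 counting, as in the '--connlimit-mask 24' example from the patch text.
    print("live connections from 192.168.10.0/24:",
          count_parallel(SAMPLE_CONNTRACK, "192.168.10.99", 24))
```

With the sample table, 192.168.10.41 already has three live connections, so a fourth SYN hits the DROP of the test rule, while 192.168.10.42 is never evaluated because the rule's -s selector excludes it. Switching the mask to 24 counts the whole class C block together, which is what the "16 per class C" example in the patch description relies on.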