
Category: LINUX

2011-07-24 10:08:42

Iptables Limits Connections Per IP


How do I restrict the number of connections used by a single IP address to my server for port 80 and 25 using iptables?

You need to use the connlimit module, which allows you to restrict the number of parallel TCP connections to a server per client IP address (or address block).

This is useful to protect your server or VPS against flooding, spamming or content scraping.

Syntax

The syntax is as follows:

/sbin/iptables -A INPUT -p tcp --syn --dport $port -m connlimit --connlimit-above N -j REJECT --reject-with tcp-reset
# save the changes (see the iptables-save man page); the following command is specific to Red Hat and friends
service iptables save

Example: Limit SSH Connections Per IP / Host

Only allow 3 ssh connections per client host:

/sbin/iptables -A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 3 -j REJECT
# save the changes (see the iptables-save man page); the following command is specific to Red Hat and friends
service iptables save

Example: Limit HTTP Connections Per IP / Host

Only allow 20 HTTP connections per IP (MaxClients is set to 60 in httpd.conf):

/sbin/iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 20 -j REJECT --reject-with tcp-reset
# save the changes (see the iptables-save man page); the following command is specific to Red Hat and friends
service iptables save

WARNING! Please note that large proxy servers may legitimately create a large number of connections to your server. You can exempt those IPs from the limit as shown next.

Skip proxy server IP 1.2.3.4 from this kind of limitation (the proxy is the client here, so the exemption is on the source address):

/sbin/iptables -A INPUT -p tcp --syn --dport 80 ! -s 1.2.3.4 -m connlimit --connlimit-above 20 -j REJECT --reject-with tcp-reset

Example: Class C Limitations

In this example, limit the parallel HTTP requests to 20 per class C sized network (24-bit netmask):

/sbin/iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 20 --connlimit-mask 24 -j REJECT --reject-with tcp-reset
# save the changes (see the iptables-save man page)
service iptables save
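The three patterns above (a per-IP limit, an exemption for large proxies, and a --connlimit-mask block size) are usually deployed together, and the order matters: the exemption has to be evaluated before the limit. The following POSIX shell function is an added example, not part of the original article, that assembles them into one iptables-restore fragment using a dedicated chain, so the ordering cannot be got wrong by hand. The chain name CONNLIMIT_<port> and the exempt addresses are assumptions; the function only prints rules and never touches the running firewall.

```shell
#!/bin/sh
# Added example (not from the original article): build an iptables-restore(8)
# fragment that limits parallel connections to one TCP port per client block,
# with an allow-list that is evaluated *before* the limit. Only text is
# produced; the operator reviews it and feeds it to iptables-restore.
#
# usage: connlimit_rules PORT LIMIT MASK [EXEMPT_SRC ...]
#   PORT        destination port to protect (e.g. 80)
#   LIMIT       parallel connections allowed per block; the (LIMIT+1)th is rejected
#   MASK        prefix length grouping clients: 32 = per IP, 24 = per /24
#   EXEMPT_SRC  source addresses/CIDRs (e.g. big proxies) that are never limited
connlimit_rules() {
    [ $# -ge 3 ] || { echo "usage: connlimit_rules PORT LIMIT MASK [EXEMPT_SRC ...]" >&2; return 1; }
    port=$1; limit=$2; mask=$3
    shift 3

    # Validate before emitting anything: iptables-restore aborts the whole
    # ruleset on a malformed line, which would leave the host unprotected.
    for v in "$port" "$limit" "$mask"; do
        case "$v" in
            ''|*[!0-9]*) echo "connlimit_rules: PORT, LIMIT and MASK must be integers" >&2; return 1 ;;
        esac
    done
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ] || [ "$mask" -gt 32 ]; then
        echo "connlimit_rules: PORT must be 1-65535 and MASK 0-32" >&2; return 1
    fi

    chain="CONNLIMIT_$port"     # assumed chain name, one per protected port

    printf '%s\n' '*filter'
    printf '%s\n' ":$chain - [0:0]"
    # Only the first packet of a new TCP connection is sent to the chain.
    printf '%s\n' "-A INPUT -p tcp --syn --dport $port -j $chain"
    # Exempt sources leave the chain before the limit is consulted.
    for src in "$@"; do
        printf '%s\n' "-A $chain -s $src -j RETURN"
    done
    # More than LIMIT established connections from one MASK-sized block:
    # answer with a TCP RST so the client fails fast instead of retrying.
    printf '%s\n' "-A $chain -p tcp -m connlimit --connlimit-above $limit --connlimit-mask $mask -j REJECT --reject-with tcp-reset"
    printf '%s\n' 'COMMIT'
}

# Demonstration: protect port 80, 20 connections per /24, two exempt
# proxies (constructed documentation addresses).
connlimit_rules 80 20 24 192.0.2.10 198.51.100.0/24
```

Pipe the output into `iptables-restore -n` (the `-n` keeps existing tables) after reviewing it; a dedicated chain also makes `iptables -L CONNLIMIT_80 -nv` a convenient place to watch the reject counter.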

Example: Limit Connections Per Second

The following example drops new connections once an IP has made 10 or more connection attempts to port 80 within 100 seconds (add these rules to your iptables shell script):

#!/bin/bash
IPT=/sbin/iptables
# Length of the time window, in seconds (not named SECONDS: that is a
# special bash variable that counts up on its own)
WINDOW=100
# Max new connections per IP within the window
BLOCKCOUNT=10
# ....
# ..
# default action can be DROP or REJECT
DACTION="DROP"
# Record every new connection attempt from the source address ...
$IPT -A INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --set
# ... and drop it once the address has reached BLOCKCOUNT attempts within WINDOW seconds
$IPT -A INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --update --seconds ${WINDOW} --hitcount ${BLOCKCOUNT} -j ${DACTION}
# ....
# ..
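The two-rule recent pattern has semantics that are easy to misjudge: the hit count is inclusive, the window is a count of recorded timestamps rather than a fixed bucket, and --update adds a timestamp whenever the DROP rule matches, so a client that keeps retrying keeps itself blocked. The following shell function is an added example, not part of the original article: it replays a constructed list of connection attempts (timestamp and source address) through a model of that behaviour and prints the verdict each attempt would receive, without needing root or a kernel to run against. The sample addresses and timings are constructed.

```shell
#!/bin/sh
# Added example (not from the original article): replay constructed
# connection attempts through the two-rule "recent" pattern shown above
#   -m recent --set
#   -m recent --update --seconds S --hitcount H -j DROP
# and print the verdict the second rule would give each attempt.
# This models xt_recent's documented behaviour rather than running the kernel:
#   * --set records a timestamp for the source on every new attempt;
#   * --update with --seconds/--hitcount matches once at least H timestamps
#     lie within the last S seconds, and a match records one more timestamp,
#     so a client that keeps retrying keeps itself blocked;
#   * at most 20 timestamps are kept per address (xt_recent's default
#     ip_pkt_list_tot); the oldest is discarded first.
#
# usage: recent_simulate SECONDS HITCOUNT   (reads "time ip" lines on stdin)
recent_simulate() {
    awk -v window="$1" -v hits="$2" -v cap=20 '
    # append a timestamp for ip, keeping only the newest cap entries
    function record(ip, t,    i) {
        if (n[ip] < cap) { n[ip]++ }
        else { for (i = 1; i < cap; i++) stamp[ip, i] = stamp[ip, i + 1] }
        stamp[ip, n[ip]] = t
    }
    # number of recorded timestamps not older than window seconds
    function hits_in_window(ip, t,    i, c) {
        c = 0
        for (i = 1; i <= n[ip]; i++) if (t - stamp[ip, i] <= window) c++
        return c
    }
    {
        t = $1 + 0; ip = $2
        record(ip, t)                              # rule 1: --set
        if (hits_in_window(ip, t) >= hits) {       # rule 2: --update --seconds --hitcount
            record(ip, t)                          # --update stamps again on a match
            print t, ip, "DROP"
        } else {
            print t, ip, "ACCEPT"
        }
    }'
}

# Constructed sample traffic: 10.0.0.9 opens a connection every second for
# ten seconds, then retries twice later; 192.0.2.5 connects three times.
sample_events() {
    cat <<'EOF'
0 10.0.0.9
0 192.0.2.5
1 10.0.0.9
2 10.0.0.9
3 10.0.0.9
4 10.0.0.9
5 10.0.0.9
6 10.0.0.9
7 10.0.0.9
8 10.0.0.9
9 10.0.0.9
50 192.0.2.5
105 10.0.0.9
120 192.0.2.5
300 10.0.0.9
EOF
}

# Same thresholds as the script above: 10 attempts within 100 seconds.
sample_events | recent_simulate 100 10
```

With the article's thresholds only the tenth attempt at t=9 is dropped and the retry at t=105 is accepted again, because fewer than ten stamps fall in its window. Running the same events with `recent_simulate 100 3` shows the other side of --update: every attempt from t=2 onward is dropped, including the one at t=105, since each dropped attempt added stamps that keep the window full.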

How Do I Test That My Firewall Is Working?

Use the following shell script to connect repeatedly to your web server hosted at 202.1.2.3:

#!/bin/bash
ip="202.1.2.3"
port="80"
for i in {1..100}
do
    # do nothing, just connect and exit
    echo "exit" | nc ${ip} ${port}
done
==========================================

IPTABLES: loading the connlimit module to fend off DDoS (fend off DDoS? Dream on)


Build process
Fetch the packages and extract them (inside the /root directory):
#wget ftp://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot/patch-o-matic-ng-20080214.tar.bz2
#wget ftp://ftp.netfilter.org/pub/iptables/iptables-1.4.0.tar.bz2
#tar xjf iptables-1.4.0.tar.bz2
#tar xjf patch-o-matic-ng-20080214.tar.bz2
#cd /root/patch-o-matic-ng-20080214

Download the connlimit module
#./runme --download
Successfully downloaded external patch geoip
Successfully downloaded external patch condition
Successfully downloaded external patch IPMARK
Successfully downloaded external patch ROUTE
Successfully downloaded external patch connlimit
Successfully downloaded external patch ipp2p
Successfully downloaded external patch time
./patchlets/ipv4options exists and is not external
./patchlets/TARPIT exists and is not external
Successfully downloaded external patch ACCOUNT
Successfully downloaded external patch pknock
Loading patchlet definitions……………………. done
Excellent! Source trees are ready for compilation.

Apply the connlimit patch to the kernel:

#./runme connlimit

Loading patchlet definitions……………………. done
Welcome to Patch-o-matic ($Revision: 6736 $)!

Kernel:   2.6.18, /usr/src/kernels/2.6.18-53.1.6.el5/
Iptables: 1.4.0, /root/iptables-1.4.0
Each patch is a new feature: many have minimal impact, some do not.
Almost every one has bugs, so don’t apply what you don’t need!
-------------------------------------------------------
Already applied:
Testing connlimit… not applied
The connlimit patch:
   Author: Gerd Knorr
   Status: ItWorksForMe[tm]

This adds an iptables match which allows you to restrict the
number of parallel TCP connections to a server per client IP address
(or address block).

Examples:

# allow 2 telnet connections per client host
iptables -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT

# you can also match the other way around:
iptables -p tcp --syn --dport 23 -m connlimit ! --connlimit-above 2 -j ACCEPT

# limit the nr of parallel http requests to 16 per class C sized
# network (24 bit netmask)
iptables -p tcp --syn --dport 80 -m connlimit --connlimit-above 16 \
        --connlimit-mask 24 -j REJECT
-----------------------------------------------------------------
Do you want to apply this patch [N/y/t/f/a/r/b/w/q/?] y    !!! enter y here !!!

Excellent! Source trees are ready for compilation.

Start building the module:
#cd /usr/src/kernels/2.6.18-53.1.6.el5
#make oldconfig
HOSTCC scripts/kconfig/conf.o
HOSTCC scripts/kconfig/kxgettext.o
HOSTCC scripts/kconfig/mconf.o
HOSTCC scripts/kconfig/zconf.tab.o
HOSTLD scripts/kconfig/conf
scripts/kconfig/conf -o arch/i386/Kconfig
*
* Linux Kernel Configuration
*
*
* Code maturity level options
*
Prompt for development and/or incomplete code/drivers (EXPERIMENTAL) [Y/n/?] y
... (large amount of output omitted) ...
*    ARP tables support (IP_NF_ARPTABLES) [M/n/?] m
      ARP packet filtering (IP_NF_ARPFILTER) [M/n/?] m
      ARP payload mangling (IP_NF_ARP_MANGLE) [M/n/?] m
    Connections/IP limit match support (IP_NF_MATCH_CONNLIMIT) [N/m/?] (NEW) m     !!! enter m here !!!
    *
    * IPv6: Netfilter Configuration (EXPERIMENTAL)
    *
    IP6 Userspace queueing via NETLINK (OBSOLETE) (IP6_NF_QUEUE) [M/n/?] m
... (large amount of output omitted) ...

* General setup
*
#
# configuration written to .config

When you are prompted for the newly added connlimit option and asked whether to build it into the kernel, enter "m" to build it as a module.
#make modules_prepare
#mv net/ipv4/netfilter/Makefile net/ipv4/netfilter/Makefile.orig      #### back up the original Makefile: it contains the original build information, and building with it directly will fail.

Create a new Makefile
#vi net/ipv4/netfilter/Makefile
obj-m := ipt_connlimit.o

KDIR := /lib/modules/$(shell uname -r)/build
PWD   := $(shell pwd)

default:
	$(MAKE) -C $(KDIR) M=$(PWD) modules

Then build the module:

# make M=net/ipv4/netfilter/
LD      net/ipv4/netfilter/built-in.o
CC [M] net/ipv4/netfilter/ipt_connlimit.o
Building modules, stage 2.
MODPOST
CC      net/ipv4/netfilter/ipt_connlimit.mod.o
LD [M] net/ipv4/netfilter/ipt_connlimit.ko
Copy the generated .ko module to its destination and set the permissions
#cp net/ipv4/netfilter/ipt_connlimit.ko /lib/modules/2.6.18-53.1.6.el5/kernel/net/ipv4/netfilter/
#chmod 744 /lib/modules/2.6.18-53.1.6.el5/kernel/net/ipv4/netfilter/ipt_connlimit.ko

At this point the module build is complete.

Test and apply the new module
Use depmod -a to check that the connlimit module is compatible
# depmod -a
Load the connlimit module
#modprobe ipt_connlimit
# lsmod |grep ip
ipt_connlimit           7680 0
ip_conntrack           53153 1 ipt_connlimit
nfnetlink              10713 1 ip_conntrack
ipv6                  251137 12
ipt_REJECT              9537 0
x_tables               17349 3 ipt_connlimit,ipt_REJECT,xt_tcpudp
OK, the module can now be used normally
Now a quick test:
Edit /etc/sysconfig/iptables and add a line at a suitable position:
-A RH-Firewall-1-INPUT -p tcp -m tcp -s 192.168.10.41 -m connlimit --connlimit-above 3 -j DROP
Restart iptables.
#service iptables restart
Check that the policy was applied successfully
[root@connlimit 2.6.18-8.el5-i686]# iptables -L -n
DROP       tcp  --  192.168.10.41        0.0.0.0/0           tcp #conn/32 > 3
Done!!!
The attachment is the compiled ipt_connlimit.ko (kernel source path: /usr/src/kernels/2.6.18-53.1.6.el5). After extracting it:
#cp ipt_connlimit.ko /lib/modules/2.6.18-53.1.6.el5/kernel/net/ipv4/netfilter/
#chmod 744 /lib/modules/2.6.18-8.el5/kernel/net/ipv4/netfilter/ipt_connlimit.ko
and it is ready to use.
For example:
iptables -A INPUT -p tcp --sport 80 -m connlimit --connlimit-above 10 -j DROP





