飞哥的技术博客

Nothing in the world is difficult for one who sets their mind to it!
Adding the connlimit module to iptables - 自由自在

2009-06-04 10:47:41 | Category: Linux


1. Install the module package

Download the matching connlimit module package from its download site and install it; after installation iptables supports connlimit. Test it:
# iptables -I INPUT -p tcp -m connlimit --connlimit-above 4 -j REJECT
# iptables -L
If these succeed, the module is in use.

2. Build the kernel
Note: this method cannot currently be used because of problems with the http://people.netfilter.org/ site: patch-o-matic-ng cannot download the extension modules, so the patch cannot be applied to the kernel. I downloaded and built it on January 3, but for the last couple of days it has kept failing with errors; I don't know whether the site has been blocked ("harmonized") or whether the problem is on the site's own end.

Download the packages and extract them
# wget ftp://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot/patch-o-matic-ng-20080214.tar.bz2
# wget ftp://ftp.netfilter.org/pub/iptables/iptables-1.4.0.tar.bz2
# tar xjf iptables-1.4.0.tar.bz2
# tar xjf patch-o-matic-ng-20080214.tar.bz2

Download the connlimit module
# cd /.../patch-o-matic-ng-20080214
# KERNEL_DIR=/usr/src/kernels/2.6.18-53.el5-i686/ IPTABLES_DIR=/root/iptables-1.4.0 ./runme -download
Successfully downloaded external patch geoip
Successfully downloaded external patch condition
Successfully downloaded external patch IPMARK
Successfully downloaded external patch ROUTE
Successfully downloaded external patch connlimit
Successfully downloaded external patch ipp2p
Successfully downloaded external patch time
./patchlets/ipv4options exists and is not external
./patchlets/TARPIT exists and is not external
Successfully downloaded external patch ACCOUNT
Successfully downloaded external patch pknock
Hey! KERNEL_DIR is not set.
Where is your kernel source directory? [/usr/src/linux] /usr/src/kernels/2.6.18-53.el5-i686
Hey! IPTABLES_DIR is not set.
Where is your iptables source code directory? [/usr/src/iptables] /root/iptables-1.4.0
Loading patchlet definitions......................... done

Excellent! Source trees are ready for compilation.

Apply the connlimit patch to the kernel
# KERNEL_DIR=/usr/src/kernels/2.6.18-53.el5-i686 IPTABLES_DIR=/root/iptables-1.4.0 ./runme connlimit
Loading patchlet definitions......................... done
......
-----------------------------------------------------------------
Do you want to apply this patch [N/y/t/f/a/r/b/w/q/?]
Excellent! Source trees are ready for compilation.
Choose y here to apply the patch.

Build the kernel
# cd /usr/src/kernels/2.6.18-53.el5-i686/
# make oldconfig 
  HOSTCC  scripts/kconfig/conf.o
  HOSTCC  scripts/kconfig/kxgettext.o
  HOSTCC  scripts/kconfig/mconf.o
  HOSTCC  scripts/kconfig/zconf.tab.o
  HOSTLD  scripts/kconfig/conf
scripts/kconfig/conf -o arch/i386/Kconfig
*
* Linux Kernel Configuration
*
......

    ARP payload mangling (IP_NF_ARP_MANGLE) [M/n/?] m
    Connections/IP limit match support (IP_NF_MATCH_CONNLIMIT) [N/m/?] (NEW) m
......
When the configuration prompts for the newly added connlimit option, asking whether it should be compiled into the kernel, enter "m" to build it as a module.
(Note: you can also run # make menuconfig and, in the menu that appears, go to Networking --> Networking options ---> Network packet filtering (replaces ipchains) ---> IP: Netfilter Configuration ---> Connections/IP limit match support and select it as a module or build it into the kernel. If you cannot find this entry, the patch was not applied successfully.)

# make modules_prepare
scripts/kconfig/conf -s arch/i386/Kconfig
  CHK     include/linux/version.h
  CHK     include/linux/utsrelease.h
  HOSTCC  scripts/genksyms/genksyms.o
  HOSTCC  scripts/genksyms/lex.o
  HOSTCC  scripts/genksyms/parse.o
  HOSTLD  scripts/genksyms/genksyms
  CC      scripts/mod/empty.o
  MKELF   scripts/mod/elfconfig.h
  HOSTCC  scripts/mod/file2alias.o
  HOSTCC  scripts/mod/modpost.o
  HOSTCC  scripts/mod/sumversion.o
  HOSTLD  scripts/mod/modpost

Back up the original Makefile; it contains the original in-tree build configuration, and building directly with it will fail.
# mv net/ipv4/netfilter/Makefile net/ipv4/netfilter/Makefile.bak

Create a new Makefile
# vi net/ipv4/netfilter/Makefile

obj-m := ipt_connlimit.o

KDIR  := /lib/modules/$(shell uname -r)/build
PWD   := $(shell pwd)

default:
	$(MAKE) -C $(KDIR) M=$(PWD) modules

Build the module
# make M=net/ipv4/netfilter/
  LD      net/ipv4/netfilter/built-in.o
  CC [M]  net/ipv4/netfilter/ipt_connlimit.o
  Building modules, stage 2.
  MODPOST
  CC      net/ipv4/netfilter/ipt_connlimit.mod.o
  LD [M]  net/ipv4/netfilter/ipt_connlimit.ko

Copy the generated .ko module to the target directory and set the corresponding permissions
# cp net/ipv4/netfilter/ipt_connlimit.ko /lib/modules/2.6.18-53.el5/kernel/net/ipv4/netfilter/
# chmod 744 /lib/modules/2.6.18-53.el5/kernel/net/ipv4/netfilter/
The module build is complete.

Test and apply the module
# depmod -a
Load the connlimit module
# modprobe ipt_connlimit
Check that it loaded successfully
# lsmod |grep ip
ipt_connlimit           7680  0
x_tables               17349  1 ipt_connlimit
ip_conntrack           53025  1 ipt_connlimit
nfnetlink              10713  1 ip_conntrack
dm_multipath           21577  0
dm_mod                 58457  2 dm_mirror,dm_multipath
ipv6                  251393  16
# iptables -A INPUT -p tcp -m tcp -s 192.168.1.147 -m connlimit --connlimit-above 3 -j DROP
# iptables -L
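A checklist for the verification steps above, as an added example that is not part of the original post: it checks the answer recorded by make oldconfig, the lsmod listing, and the installed rule in iptables-save output, all offline against constructed samples; the live depmod/modprobe/iptables sequence from the post runs only when the script is invoked with --apply. One deliberate difference from the post's rule is --syn: the post's rule matches every TCP packet, so once a host exceeds the limit the packets of its already-established connections are dropped too, while with --syn only new connection attempts are refused. The function names, the --apply flag and the sample texts are the example's own.

```shell
#!/bin/sh
# Added example (not from the original post): offline checks for the
# connlimit build and rule, plus an optional --apply step for a live box.

# Constructed .config fragment, as 'make oldconfig' writes it after
# answering "m" for IP_NF_MATCH_CONNLIMIT.
SAMPLE_CONFIG='CONFIG_IP_NF_ARP_MANGLE=m
CONFIG_IP_NF_MATCH_CONNLIMIT=m
# CONFIG_IP_NF_TARGET_TARPIT is not set'

# Constructed lsmod output, modelled on the post's listing.
SAMPLE_LSMOD='Module                  Size  Used by
ipt_connlimit           7680  0
x_tables               17349  1 ipt_connlimit
ip_conntrack           53025  1 ipt_connlimit
nfnetlink              10713  1 ip_conntrack'

# Constructed iptables-save output for the rule this script installs
# (--syn is saved in its explicit --tcp-flags form).
SAMPLE_RULES='-P INPUT ACCEPT
-A INPUT -s 192.168.1.147/32 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 3 -j DROP'

# check_kconfig CONFIG_TEXT: prints m, y or n for IP_NF_MATCH_CONNLIMIT.
# "n" after the patch step means the patch did not apply.
check_kconfig() {
    printf '%s\n' "$1" | awk '
        /^CONFIG_IP_NF_MATCH_CONNLIMIT=/ { split($0, kv, "="); print kv[2]; found = 1; exit }
        END { if (!found) print "n" }'
}

# check_lsmod LSMOD_TEXT: succeeds if ipt_connlimit is loaded together with
# the two dependencies the post's listing shows (x_tables, ip_conntrack).
check_lsmod() {
    printf '%s\n' "$1" | awk '
        $1 == "ipt_connlimit" { mod = 1 }
        $1 == "x_tables"      { xt = 1 }
        $1 == "ip_conntrack"  { ct = 1 }
        END { exit !(mod && xt && ct) }'
}

# connlimit_rule SOURCE LIMIT: prints the rule arguments. --syn restricts the
# match to new connection attempts; without it (as in the post's rule) a host
# over the limit also loses packets of its established connections.
connlimit_rule() {
    printf 'INPUT -p tcp --syn -s %s -m connlimit --connlimit-above %s -j DROP\n' "$1" "$2"
}

# check_rule RULES_TEXT SOURCE LIMIT: succeeds if an INPUT rule for SOURCE with
# --connlimit-above LIMIT appears in iptables-save style output. Only two
# tokens are matched because the saved form differs between iptables versions.
check_rule() {
    printf '%s\n' "$1" | awk -v src="$2" -v lim="$3" '
        /^-A INPUT / && index($0, "-s " src) &&
            index($0, "--connlimit-above " lim " ") { ok = 1 }
        END { exit !ok }'
}

# apply_connlimit_rule SOURCE LIMIT: the live sequence from the post
# (depmod, modprobe, iptables), each step verified. Needs root.
apply_connlimit_rule() {
    depmod -a
    modprobe ipt_connlimit
    check_lsmod "$(lsmod)" || { echo "ipt_connlimit is not loaded" >&2; return 1; }
    # word splitting of the printed rule into separate arguments is intended
    iptables -A $(connlimit_rule "$1" "$2")
    check_rule "$(iptables-save -t filter)" "$1" "$2"
}

# Offline self-check by default; the live path runs only with:
#   sh connlimit_check.sh --apply 192.168.1.147 3
if [ "${1:-}" = "--apply" ]; then
    apply_connlimit_rule "${2:-192.168.1.147}" "${3:-3}"
else
    [ "$(check_kconfig "$SAMPLE_CONFIG")" = "m" ] && check_lsmod "$SAMPLE_LSMOD" &&
        check_rule "$SAMPLE_RULES" 192.168.1.147 3 && echo "offline checks passed"
fi
```

On a real host, feed the live outputs to the same checks: check_kconfig "$(cat .config)" in the kernel tree, check_lsmod "$(lsmod)", and check_rule "$(iptables-save -t filter)" with the source and limit you used. The iptables 1.4.0 used in the post predates iptables -C, so check_rule against iptables-save output is the way to confirm the rule before adding it a second time.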

Copyright © 1997-2018 NetEase (网易公司)