
Overview

Adding the connlimit module to iptables

Linux study notes, 2008-05-16 21:05:00

System: CentOS 5.1. Kernel: 2.6.18-53.1.19.el5 (upgraded to this kernel with yum).
Kernel source path: /usr/src/kernels/2.6.18-53.1.19.el5-i686
Download the following two files:

iptables-1.4.0.tar.bz2
wget ftp://ftp.netfilter.org/pub/iptables/iptables-1.4.0.tar.bz2

patch-o-matic-ng-20080214.tar.bz2
wget ftp://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot/patch-o-matic-ng-20080214.tar.bz2

Place them under /usr/src, then:

#tar -jxvf iptables-1.4.0.tar.bz2

#mv iptables-1.4.0 iptables (this directory is needed later)

#tar -jxvf patch-o-matic-ng-20080214.tar.bz2

#cd patch-o-matic-ng-20080214


When the kernel configuration (the make oldconfig step shown later on this page) reports the newly added connlimit option and asks whether to compile it into the kernel, enter "m" to build it as a module.

#make modules_prepare

#mv net/ipv4/netfilter/Makefile net/ipv4/netfilter/Makefile.orig #### back up the original Makefile: it contains the original build definitions, and building directly with it will fail.

Create a new Makefile (the recipe line under default: must begin with a tab character, as make requires):

#vi net/ipv4/netfilter/Makefile

obj-m := ipt_connlimit.o
KDIR := /lib/modules/$(shell uname -r)/build
PWD := $(shell pwd)

default:
	$(MAKE) -C $(KDIR) M=$(PWD) modules

Then build the module:

#make M=net/ipv4/netfilter/

LD net/ipv4/netfilter/built-in.o
CC [M] net/ipv4/netfilter/ipt_connlimit.o
Building modules, stage 2.
MODPOST
CC net/ipv4/netfilter/ipt_connlimit.mod.o
LD [M] net/ipv4/netfilter/ipt_connlimit.ko

Copy the generated .ko module to the target directory and set its permissions:

#cp net/ipv4/netfilter/ipt_connlimit.ko /lib/modules/2.6.18-53.1.19.el5/kernel/net/ipv4/netfilter/

#chmod 744 /lib/modules/2.6.18-53.1.19.el5/kernel/net/ipv4/netfilter/ipt_connlimit.ko

 


Alternatively, load it directly with: insmod ipt_connlimit.ko

At this point the module build is complete.

Testing and using the new module

Run depmod -a to check that the connlimit module is compatible:

# depmod -a

Load the connlimit module:

#modprobe ipt_connlimit

# lsmod |grep ip

ipt_connlimit 7680 0   (this line should appear)

OK, the module is now ready to use.

Example: iptables -A INPUT -i eth0 -p tcp --sport 80 --syn -m connlimit --connlimit-above 15 -j DROP
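To make the match semantics concrete, here is an added Python model (not code from this page or from the netfilter project) of how a connlimit rule decides on a new SYN: it applies --connlimit-mask to the client's source address, counts the connections conntrack already holds from that block plus the new one, and fires when the count exceeds --connlimit-above, which is what the "allow 2 telnet connections" and "16 per class C" examples in the patch-o-matic output further down imply. The connection tuples are constructed, and counting the new connection itself is my assumption about the match.

```python
import ipaddress
from dataclasses import dataclass


def source_block(src_ip, mask_bits):
    """Apply --connlimit-mask: the /mask_bits network the client address falls in."""
    return ipaddress.ip_network("%s/%d" % (src_ip, mask_bits), strict=False)


@dataclass
class ConnlimitRule:
    """One `-m connlimit --connlimit-above N [--connlimit-mask M]` match."""
    above: int            # N: connections allowed before the match fires
    mask: int = 32        # M: default for IPv4 is per single client host
    invert: bool = False  # `! --connlimit-above N`

    def matches(self, tracked, src_ip):
        """Decide whether a new SYN from src_ip matches the rule.

        tracked: list of (src, dst, dport) connections conntrack already holds.
        Assumption: the new connection is counted together with the tracked
        ones, so `--connlimit-above 2` admits two and fires on the third.
        """
        block = source_block(src_ip, self.mask)
        existing = sum(1 for s, _, _ in tracked if ipaddress.ip_address(s) in block)
        return (existing + 1 > self.above) != self.invert


def evaluate_syns(rule, tracked, syns):
    """Run new SYNs through a `-m connlimit ... -j REJECT` style rule.

    Returns a list of (src_ip, verdict). A matched SYN is refused; an
    unmatched one is admitted and appended to `tracked`, so later SYNs from
    the same source block see it, as they would once conntrack records it.
    """
    verdicts = []
    for src, dst, dport in syns:
        if rule.matches(tracked, src):
            verdicts.append((src, "REJECT"))
        else:
            tracked.append((src, dst, dport))
            verdicts.append((src, "ACCEPT"))
    return verdicts


def demo_per_host():
    """`--connlimit-above 2` on port 23: three SYNs from one client, one from another."""
    tracked = []  # constructed: conntrack starts empty
    syns = [("10.0.0.5", "10.0.0.1", 23)] * 3 + [("10.0.0.6", "10.0.0.1", 23)]
    return evaluate_syns(ConnlimitRule(above=2), tracked, syns)


def demo_per_class_c():
    """`--connlimit-above 16 --connlimit-mask 24`: 17 hosts of one /24, then another /24."""
    tracked = []
    syns = [("192.168.1.%d" % i, "192.168.1.250", 80) for i in range(1, 18)]
    syns.append(("192.168.2.1", "192.168.1.250", 80))  # different /24, own counter
    return evaluate_syns(ConnlimitRule(above=16, mask=24), tracked, syns)
```

Because the count is keyed on the client's source address, a limit on a service is normally written with --dport, as in the patch's own examples.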


Downloading the connlimit module

#./runme --download

Successfully downloaded external patch geoip

Successfully downloaded external patch condition

Successfully downloaded external patch IPMARK

Successfully downloaded external patch ROUTE

Successfully downloaded external patch connlimit

Successfully downloaded external patch ipp2p

Successfully downloaded external patch time

./patchlets/ipv4options exists and is not external

./patchlets/TARPIT exists and is not external

Successfully downloaded external patch ACCOUNT

Successfully downloaded external patch pknock

Loading patchlet definitions......................... done

Excellent! Source trees are ready for compilation


 

Apply the connlimit patch to the kernel:

#./runme connlimit

Loading patchlet definitions......................... done

Welcome to Patch-o-matic ($Revision: 6736 $)!

Kernel: 2.6.18, /usr/src/kernels/2.6.18-53.1.6.el5/

Iptables: 1.4.0, /root/iptables-1.4.0

Each patch is a new feature: many have minimal impact, some do not.

Almost every one has bugs, so don't apply what you don't need!

-------------------------------------------------------

Already applied:

Testing connlimit... not applied

The connlimit patch:

Author: Gerd Knorr <kraxel@bytesex.org>

Status: ItWorksForMe[tm]

This adds an iptables match which allows you to restrict the

number of parallel TCP connections to a server per client IP address

(or address block).

Examples:

# allow 2 telnet connections per client host

iptables -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT

# you can also match the other way around:

iptables -p tcp --syn --dport 23 -m connlimit ! --connlimit-above 2 -j ACCEPT

# limit the nr of parallel http requests to 16 per class C sized

# network (24 bit netmask)

iptables -p tcp --syn --dport 80 -m connlimit --connlimit-above 16 /

--connlimit-mask 24 -j REJECT

-----------------------------------------------------------------

Do you want to apply this patch [N/y/t/f/a/r/b/w/q/?] y   !!! enter y here !!!

Excellent! Source trees are ready for compilation.


 

Start building the module:

#cd /usr/src/kernels/2.6.18-53.1.19.el5-i686

#make oldconfig

HOSTCC scripts/kconfig/conf.o

HOSTCC scripts/kconfig/kxgettext.o

HOSTCC scripts/kconfig/mconf.o

HOSTCC scripts/kconfig/zconf.tab.o

HOSTLD scripts/kconfig/conf

scripts/kconfig/conf -o arch/i386/Kconfig

*

* Linux Kernel Configuration

*

*

* Code maturity level options

*

Prompt for development and/or incomplete code/drivers (EXPERIMENTAL) [Y/n/?] y

[... large amount of output omitted ...]

* ARP tables support (IP_NF_ARPTABLES) [M/n/?] m

ARP packet filtering (IP_NF_ARPFILTER) [M/n/?] m

ARP payload mangling (IP_NF_ARP_MANGLE) [M/n/?] m

Connections/IP limit match support (IP_NF_MATCH_CONNLIMIT) [N/m/?] (NEW) m   !!! enter m here !!!

*

* IPv6: Netfilter Configuration (EXPERIMENTAL)

*

IP6 Userspace queueing via NETLINK (OBSOLETE) (IP6_NF_QUEUE) [M/n/?] m

[... large amount of output omitted ...]

* General setup

*

#

# configuration written to .config
