------------RHEL5,connlimit模块编译成功------------

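# Working directory for the iptables and patch-o-matic-ng sources.
mkdir -p /linlan/iptables
cd /linlan/iptables

# Official upstream locations, kept for reference; the page fetched the same
# tarballs from a third-party mirror instead (see below).
#wget ftp://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot/patch-o-matic-ng-20080214.tar.bz2
#wget ftp://ftp.netfilter.org/pub/iptables/iptables-1.4.0.tar.bz2

# NOTE(review): plain-HTTP download from a third-party mirror with no integrity
# check, and the result is compiled into the kernel. Compare the tarballs with
# the upstream copies (or their published checksums/signatures) before building.
wget http://v.xok.cc/linux/software/iptables/patch-o-matic-ng-20080214.tar.bz2
wget http://v.xok.cc/linux/software/iptables/iptables-1.4.0.tar.bz2

tar xjvf iptables-1.4.0.tar.bz2
tar xjvf patch-o-matic-ng-20080214.tar.bz2
cd /linlan/iptables/patch-o-matic-ng-20080214

# Download the connlimit module. The option must be "--download" with two ASCII
# hyphens; an en-dash (as rendered on the page) is not recognised by runme.
KERNEL_DIR=/usr/src/kernels/2.6.18-8.el5-i686 IPTABLES_DIR=/linlan/iptables/iptables-1.4.0 ./runme --download

# Apply the connlimit patch to the kernel tree (interactive; answer "y" at the prompt).
KERNEL_DIR=/usr/src/kernels/2.6.18-8.el5-i686 IPTABLES_DIR=/linlan/iptables/iptables-1.4.0 ./runme connlimit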

##########################################################
-------------------------------------------------------
Already applied:
Testing connlimit… not applied
The connlimit patch:
   Author: Gerd Knorr <kraxel@bytesex.org>
   Status: ItWorksForMe[tm]

This adds an iptables match which allows you to restrict the
number of parallel TCP connections to a server per client IP address
(or address block).

Examples:

# allow 2 telnet connections per client host
iptables -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT

# you can also match the other way around:
iptables -p tcp --syn --dport 23 -m connlimit ! --connlimit-above 2 -j ACCEPT

# limit the nr of parallel http requests to 16 per class C sized
# network (24 bit netmask)
iptables -p tcp --syn --dport 80 -m connlimit --connlimit-above 16 \
        --connlimit-mask 24 -j REJECT
-------------------------------------------------------
Do you want to apply this patch [N/y/t/f/a/r/b/w/q/?] y
##########################################################

# Start building the module: work inside the kernel source tree the patch
# was applied to.
KSRC=/usr/src/kernels/2.6.18-8.el5-i686

cd "$KSRC"

# Re-run the configuration prompts; the newly added connlimit option is asked
# about here (interactive).
make oldconfig

##########################################################
      raw table support (required for NOTRACK/TRACE) (IP_NF_RAW) [M/n/?] m
    ARP tables support (IP_NF_ARPTABLES) [M/n/?] m
      ARP packet filtering (IP_NF_ARPFILTER) [M/n/?] m
      ARP payload mangling (IP_NF_ARP_MANGLE) [M/n/?] m
    Connections/IP limit match support (IP_NF_MATCH_CONNLIMIT) [N/m/?] (NEW) m

##########################################################
# The prompt shows the newly added connlimit option; when asked whether to
# build it into the kernel, enter "m" so it is built as a loadable module.

# Prepare the tree for building modules against this configuration.
make modules_prepare

# Keep the original in-tree netfilter Makefile; it is replaced below by a
# minimal one that builds only ipt_connlimit. To build the rest of this
# directory again, the saved Makefile.orig would need to be put back.
mv net/ipv4/netfilter/Makefile net/ipv4/netfilter/Makefile.orig

# Create the new Makefile (its contents are shown below).

vi net/ipv4/netfilter/Makefile

##########################################################
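# Replacement for net/ipv4/netfilter/Makefile: a minimal kbuild file that
# builds only the connlimit match as a loadable module (obj-m).
# When invoked from the kernel tree as "make M=net/ipv4/netfilter/", kbuild
# reads just the obj-m line; the "default" rule below is only used when
# "make" is run inside this directory.
obj-m := ipt_connlimit.o

# Build directory of the *running* kernel. Override from the command line
# (make KDIR=/usr/src/kernels/<version>) if the target kernel differs.
KDIR := /lib/modules/$(shell uname -r)/build
# Directory of this Makefile; $(CURDIR) needs no shell invocation.
PWD  := $(CURDIR)

# kbuild's target for external modules is "modules" (plural); "module" is
# not a kbuild target and the original recipe failed on it.
.PHONY: default
default:
	$(MAKE) -C $(KDIR) M=$(PWD) modules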
##########################################################

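# Build the module from the kernel tree; kbuild reads the obj-m line of the
# replacement Makefile in net/ipv4/netfilter/.
make M=net/ipv4/netfilter/

# Install the module into the module tree.
# NOTE(review): the install path names kernel 2.6.18-8.el5 while the source
# tree used above is 2.6.18-8.el5-i686 -- confirm both refer to the same kernel.
cp net/ipv4/netfilter/ipt_connlimit.ko /lib/modules/2.6.18-8.el5/kernel/net/ipv4/netfilter/
# .ko files are not executed; 744 is harmless but 644 is the conventional mode.
chmod 744 /lib/modules/2.6.18-8.el5/kernel/net/ipv4/netfilter/ipt_connlimit.ko

# Refresh the module dependency data once ("depmod" without arguments does the
# same work as "depmod -a", so running both was redundant).
depmod -a

modprobe ipt_connlimit

# Confirm the module is loaded (the grep also lists any other ip* modules).
lsmod | grep ip

# Example rules. The option is "--connlimit-above" with two ASCII hyphens.
# Drop new TCP connections from 192.168.1.10 once it holds more than 3.
iptables -A INPUT -p tcp -s 192.168.1.10 -m connlimit --connlimit-above 3 -j DROP
# Drop new TCP connections to port 80 from any single source address that
# already holds more than 2. NOTE: browsers open several connections per page
# and all clients behind one NAT share one source address, so a threshold this
# low will block legitimate users; size it from observed traffic and consider
# a LOG rule ahead of DROP while tuning.
iptables -A INPUT -p tcp --dport 80 -m connlimit --connlimit-above 2 -j DROP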

##########################################################
Chain INPUT (policy ACCEPT)
target     prot opt source               destination        
DROP       tcp  –  192.168.1.10         anywhere            #conn/32 > 3
DROP       tcp  –  anywhere             anywhere            tcp dpt:http #conn/32 > 2

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination        

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
##########################################################

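# Drop ICMP from any source that already holds more than 2 tracked ICMP flows
# (presumably counted per source address via conntrack -- verify on the target
# kernel). "-s 0.0.0.0/0" matches every source and could be omitted.
# The option is "--connlimit-above" with two ASCII hyphens.
iptables -A INPUT -p icmp -s 0.0.0.0/0 -m connlimit --connlimit-above 2 -j DROP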

完成.