Adding support for a new module to iptables

Original article by 小新, 2013-05-11 09:36:54

RHEL5, connlimit module compiled successfully------------

mkdir -p /linlan/iptables
cd /linlan/iptables


wget http://v.xok.cc/linux/software/iptables/patch-o-matic-ng-20080214.tar.bz2
wget http://v.xok.cc/linux/software/iptables/iptables-1.4.0.tar.bz2

tar xjvf iptables-1.4.0.tar.bz2
tar xjvf patch-o-matic-ng-20080214.tar.bz2
cd /linlan/iptables/patch-o-matic-ng-20080214

# Download the connlimit patch

KERNEL_DIR=/usr/src/kernels/2.6.18-8.el5-i686/ IPTABLES_DIR=/linlan/iptables/iptables-1.4.0 ./runme --download

# Apply the connlimit patch to the kernel source tree

KERNEL_DIR=/usr/src/kernels/2.6.18-8.el5-i686 IPTABLES_DIR=/linlan/iptables/iptables-1.4.0 ./runme connlimit

##########################################################
-----------------------------------------------------------------
Already applied:
Testing connlimit… not applied
The connlimit patch:
   Author: Gerd Knorr <>
   Status: ItWorksForMe[tm]

This adds an iptables match which allows you to restrict the
number of parallel TCP connections to a server per client IP address
(or address block).

Examples:

# allow 2 telnet connections per client host
iptables -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT

# you can also match the other way around:
iptables -p tcp --syn --dport 23 -m connlimit ! --connlimit-above 2 -j ACCEPT

# limit the nr of parallel http requests to 16 per class C sized
# network (24 bit netmask)
iptables -p tcp --syn --dport 80 -m connlimit --connlimit-above 16 \
        --connlimit-mask 24 -j REJECT
-----------------------------------------------------------------
Do you want to apply this patch [N/y/t/f/a/r/b/w/q/?] y
##########################################################

# Start building the module

cd /usr/src/kernels/2.6.18-8.el5-i686

make oldconfig

##########################################################
      raw table support (required for NOTRACK/TRACE) (IP_NF_RAW) [M/n/?] m
    ARP tables support (IP_NF_ARPTABLES) [M/n/?] m
      ARP packet filtering (IP_NF_ARPFILTER) [M/n/?] m
      ARP payload mangling (IP_NF_ARP_MANGLE) [M/n/?] m
    Connections/IP limit match support (IP_NF_MATCH_CONNLIMIT) [N/m/?] (NEW) m

##########################################################
# The newly added connlimit option (IP_NF_MATCH_CONNLIMIT) now appears. When asked whether to build it into the kernel, answer "m" to build it as a loadable module.

make modules_prepare

mv net/ipv4/netfilter/Makefile net/ipv4/netfilter/Makefile.orig

# Create a new Makefile (the original has been saved as Makefile.orig)

vi net/ipv4/netfilter/Makefile

##########################################################
# Build only the connlimit match as an out-of-tree module.
obj-m := ipt_connlimit.o

KDIR  := /lib/modules/$(shell uname -r)/build
PWD   := $(shell pwd)

# Kbuild's module target is "modules", not "module". Recipe lines must start with a tab.
default:
	$(MAKE) -C $(KDIR) M=$(PWD) modules
##########################################################

# Build the module (run from the kernel source directory; Kbuild picks up obj-m from the new Makefile)

make M=net/ipv4/netfilter/

cp net/ipv4/netfilter/ipt_connlimit.ko /lib/modules/2.6.18-8.el5/kernel/net/ipv4/netfilter/
chmod 744 /lib/modules/2.6.18-8.el5/kernel/net/ipv4/netfilter/ipt_connlimit.ko

depmod -a

modprobe ipt_connlimit

lsmod | grep connlimit

# Note: the target name is case-sensitive (DROP, not Drop). Without --syn (or -m state --state NEW)
# these rules match every TCP packet, so once a source exceeds the limit, packets of its
# already-established connections are dropped as well; the patch's own examples use --syn.
iptables -A INPUT -p tcp -s 192.168.1.10 -m connlimit --connlimit-above 3 -j DROP
iptables -A INPUT -p tcp --dport 80 -m connlimit --connlimit-above 2 -j DROP

##########################################################
Chain INPUT (policy ACCEPT)
target     prot opt source               destination        
DROP       tcp  --  192.168.1.10         anywhere            #conn/32 > 3
DROP       tcp  --  anywhere             anywhere            tcp dpt:http #conn/32 > 2

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination        

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
##########################################################

iptables -A INPUT -p icmp -s 0.0.0.0/0 -m connlimit --connlimit-above 2 -j DROP
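The following script is an added example, not part of the original post. It applies connlimit rules the way a practitioner would want them: it checks that the freshly built match is actually usable, lets established traffic through first, and matches only new connections (--syn) so that a client over the limit loses only its excess connections rather than all of them. The function names (valid_mask, connlimit_args, have_connlimit, apply_rules) and the IPT variable are assumptions of this example; set IPT=echo for a dry run.

```shell
#!/bin/sh
# Added example (not from the original post): per-source connection limits
# with the connlimit match. Rules match only new connections (--syn), so
# packets of already-established connections are not dropped once the
# limit is exceeded. IPT=echo prints the rules instead of loading them.
IPT="${IPT:-iptables}"

# Validate a CIDR prefix length for --connlimit-mask (0..32 for IPv4).
valid_mask() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 0 ] && [ "$1" -le 32 ]
}

# Print the iptables arguments for one connlimit rule:
#   connlimit_args <dport> <max_conns> [<mask>]   (mask defaults to /32, i.e. per host)
connlimit_args() {
    dport="$1"; limit="$2"; mask="${3:-32}"
    valid_mask "$mask" || { echo "bad mask: $mask" >&2; return 1; }
    printf '%s' "-A INPUT -p tcp --syn --dport $dport -m connlimit --connlimit-above $limit --connlimit-mask $mask -j DROP"
}

# Return 0 if the running iptables knows the connlimit match, i.e. the
# kernel module loads and the userspace libipt_connlimit extension is present.
have_connlimit() {
    modprobe ipt_connlimit 2>/dev/null
    "$IPT" -m connlimit --help >/dev/null 2>&1
}

apply_rules() {
    # Let established/related traffic through before any connlimit rule.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # 16 concurrent HTTP connections per /24 (mirrors the patch's own example).
    $IPT $(connlimit_args 80 16 24)
    # 3 concurrent SSH connections per client host.
    $IPT $(connlimit_args 22 3)
}

# Usage: sh connlimit.sh apply   (or: IPT=echo sh connlimit.sh apply)
if [ "${1:-}" = "apply" ]; then
    have_connlimit || { echo "connlimit match not available" >&2; exit 1; }
    apply_rules
fi
```

Because connlimit counts entries in the conntrack table, the ESTABLISHED,RELATED rule must come first; otherwise the rule set does the same thing as the unqualified rules above and drops return traffic of legitimate connections once the threshold is crossed.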

Done.

Article URL: https://mxlog.com/fenxiang/1436.html
Copyright notice: this is an original article and the copyright belongs to 小新. Sharing is welcome; when reposting, please keep the source attribution.