[root@102 ~]# rpm -qa|grep kernel
kernel-devel-2.6.18-164.el5Ҫõļ
[root@102 ~]# tar jxvf /mnt/yuanwenjian/iptables-1.4.4.tar.bz2 -C /usr/src [root@102 iptables-1.4.5]# cd /usr/src/iptables-1.4.4
[root@102 iptables-1.4.4]# ./configure [root@102 iptables-1.4.4]# ls Makefile Makefile
[root@102 iptables-1.4.4]# tar jxvf /mnt/yuanwenjian/iptables/patch-o-matic-ng-20091123.tar.bz2 -C /usr/src
[root@102 iptables-1.4.4]# cd /usr/src/patch-o-matic-ng-20091123/ [root@102 patch-o-matic-ng-20091123]# ./runme --download Successfully downloaded external patch geoip Successfully downloaded external patch condition Successfully downloaded external patch IPMARK Successfully downloaded external patch ROUTE Successfully downloaded external patch connlimit Successfully downloaded external patch ipp2p Successfully downloaded external patch time
Successfully downloaded external patch ipv4options Successfully downloaded external patch TARPIT Successfully downloaded external patch ACCOUNT Successfully downloaded external patch pknock Hey! KERNEL_DIR is not set.
Where is your kernel source directory? [/usr/src/linux] /usr/src/kernels/2.6.18-164.el5-i686/ Hey! IPTABLES_DIR is not set.
Where is your iptables source code directory? [/usr/src/iptables] /usr/src/iptables-1.4.4/ Loading patchlet definitions........... done
Excellent! Source trees are ready for compilation.
[root@102 patch-o-matic-ng-20091123]# ./runme connlimit Hey! KERNEL_DIR is not set.
Where is your kernel source directory? [/usr/src/linux] /usr/src/kernels/2.6.18-164.el5-i686/ Hey! IPTABLES_DIR is not set.
Where is your iptables source code directory? [/usr/src/iptables] /usr/src/iptables-1.4.4 Loading patchlet definitions........... done Welcome to Patch-o-matic ($Revision$)!
Kernel: 2.6.18, /usr/src/kernels/2.6.18-164.el5-i686/ Iptables: ..2, /usr/src/iptables-1.4.4
Each patch is a new feature: many have minimal impact, some do not. Almost every one has bugs, so don't apply what you don't need! ------------------------------------------------------- Already applied:
Testing connlimit... not applied The connlimit patch:
Author: Gerd Knorr
This adds an iptables match which allows you to restrict the
number of parallel TCP connections to a server per client IP address (or address block).
Examples:
# allow 2 telnet connections per client host
iptables -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT
# you can also match the other way around:
iptables -p tcp --syn --dport 23 -m connlimit ! --connlimit-above 2 -j ACCEPT
# limit the nr of parallel http requests to 16 per class C sized # network (24 bit netmask)
iptables -p tcp --syn --dport 80 -m connlimit --connlimit-above 16 \ --connlimit-mask 24 -j REJECT
----------------------------------------------------------------- Do you want to apply this patch [N/y/t/f/a/r/b/w/q/?] y
Excellent! Source trees are ready for compilation.
[root@102 patch-o-matic-ng-20091123]# cd /usr/src/kernels/2.6.18-164.el5-i686/ [root@102 2.6.18-164.el5-i686]# make oldconfig
Connections/IP limit match support (IP_NF_MATCH_CONNLIMIT) [N/m/?] (NEW) m
[root@102 2.6.18-164.el5-i686]# make modules_prepare [root@102 2.6.18-164.el5-i686]# mv net/ipv ipv4/ ipv6/
[root@102 2.6.18-164.el5-i686]# mv net/ipv4/netfilter/Makefile net/ipv4/netfilter/Makefile.bak [root@102 2.6.18-164.el5-i686]# vim net/ipv4/netfilter/Makefile [root@102 2.6.18-164.el5-i686]# cat net/ipv4/netfilter/Makefile obj-m := ipt_connlimit.o
KDIR := /lib/modules/${shell uname -r}/build
PWD := $(shell pwd)
default := $(MAKE) -C $(KDIR) M=$(PWD)/modules
[root@102 2.6.18-164.el5-i686]# make M=net/ipv4/netfilter LD net/ipv4/netfilter/built-in.o
CC [M] net/ipv4/netfilter/ipt_connlimit.o Building modules, stage 2. MODPOST
CC net/ipv4/netfilter/ipt_connlimit.mod
LD [M] net/ipv4/netfilter/ipt_connlimit.ko һҪļ
[root@102 2.6.18-164.el5-i686]# chmod 744 /lib/modules/2.6.18-164.el5/kernel/net/ipv4/netfilter/ipt_connlimit.ko [root@102 2.6.18-164.el5-i686]# ll !$
ll /lib/modules/2.6.18-164.el5/kernel/net/ipv4/netfilter/ipt_connlimit.ko -rwxr--r-- 1 root root 146419 Dec 7 10:02 /lib/modules/2.6.18-164.el5/kernel/net/ipv4/netfilter/ipt_connlimit.ko
[root@102 2.6.18-164.el5-i686]# depmod -a
[root@102 2.6.18-164.el5-i686]# modprobe ipt_connlimit [root@102 2.6.18-164.el5-i686]# lsmod|grep ipt ipt_connlimit 7680 0
x_tables 17349 1 ipt_connlimit ip_conntrack 53281 1 ipt_connlimit ÿһipҪ10ӡ
[root@102 2.6.18-164.el5-i686]# /etc/init.d/iptables restart
Flushing firewall rules: [ OK ] Setting chains to policy ACCEPT: filter [ OK ] Unloading iptables modules: [ OK ] Applying iptables firewall rules: [ OK ] Loading additional iptables modules: ip_conntrack_netbios_n[ OK ] Httpdÿһipṩ10ӡ
[root@102 2.6.18-164.el5-i686]# iptables -A INPUT -p tcp --dport 80 -m connlimit --connlimit-above 10 -j DROP
recentƵλʱҪûṩķȥˡ The two `recent` rules below depend on their order: the `--update` REJECT rule is evaluated first against sources already recorded in the `ipssh` list, and the `--set` rule then records the source of any new connection that was not rejected; swapping them would defeat the limit.
[root@102 2.6.18-164.el5-i686]# iptables -A INPUT -p tcp --dport 1023 -m state --state NEW -m recent --name ipssh --update --seconds 120 --hitcount 2 -j REJECT --reject-with tcp-reset
[root@102 2.6.18-164.el5-i686]# iptables -A INPUT -p tcp --dport 1023 -m state --state NEW -m recent --name ipssh --set -j ACCEPT

