
Adding the connlimit module on CentOS without recompiling the kernel

Date: 2010-10-11  Source: pk-feiyang

OS: CentOS 5.4

Kernel source path: /usr/src/kernels/2.6.18-194.11.3.el5-i686

iptables-1.4.0.tar.bz2                   # download from www.netfilter.org; we actually only need its source.

patch-o-matic-ng-20080214.tar.bz2        # download from www.kernel.org; I grabbed the latest package.


Build process

Fetch the packages and extract them (in the /root directory)

#wget ftp://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot/patch-o-matic-ng-20080214.tar.bz2
#wget ftp://ftp.netfilter.org/pub/iptables/iptables-1.4.0.tar.bz2
#tar xjf iptables-1.4.0.tar.bz2
#tar xjf patch-o-matic-ng-20080214.tar.bz2
#cd /root/patch-o-matic-ng-20080214

Download the connlimit module

[root@monitor patch-o-matic-ng-20080214]# KERNEL_DIR=/usr/src/kernels/2.6.18-194.11.3.el5-i686 IPTABLES_DIR=/root/iptables/iptables-1.4.0/ ./runme --download
Successfully downloaded external patch geoip
Successfully downloaded external patch condition
Successfully downloaded external patch IPMARK
Successfully downloaded external patch ROUTE
Successfully downloaded external patch connlimit
Successfully downloaded external patch ipp2p
Successfully downloaded external patch time
./patchlets/ipv4options exists and is not external
./patchlets/TARPIT exists and is not external
Successfully downloaded external patch ACCOUNT
Successfully downloaded external patch pknock
Loading patchlet definitions......................... done

Excellent! Source trees are ready for compilation.

Apply the connlimit patch to the kernel

[root@monitor patch-o-matic-ng-20080214]# KERNEL_DIR=/usr/src/kernels/2.6.18-194.11.3.el5-i686 IPTABLES_DIR=/root/iptables/iptables-1.4.0/ ./runme connlimit
Loading patchlet definitions......................... done
Welcome to Patch-o-matic ($Revision: 6736 $)!

Kernel:   2.6.18, /usr/src/kernels/2.6.18-8.el5-i686/
Iptables: 1.4.0, /root/iptables-1.4.0
Each patch is a new feature: many have minimal impact, some do not.
Almost every one has bugs, so don't apply what you don't need!
-------------------------------------------------------
Already applied:
Testing connlimit... not applied
The connlimit patch:
   Author: Gerd Knorr <[email protected]>
   Status: ItWorksForMe[tm]

This adds an iptables match which allows you to restrict the
number of parallel TCP connections to a server per client IP address
(or address block).

Examples:

# allow 2 telnet connections per client host
iptables -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT

# you can also match the other way around:
iptables -p tcp --syn --dport 23 -m connlimit ! --connlimit-above 2 -j ACCEPT

# limit the nr of parallel http requests to 16 per class C sized
# network (24 bit netmask)
iptables -p tcp --syn --dport 80 -m connlimit --connlimit-above 16 \
        --connlimit-mask 24 -j REJECT
-----------------------------------------------------------------
Do you want to apply this patch [N/y/t/f/a/r/b/w/q/?] y

Excellent! Source trees are ready for compilation.


Build the module

#cd /usr/src/kernels/2.6.18-194.11.3.el5-i686

[root@monitor 2.6.18-194.11.3.el5-i686]# make oldconfig
  HOSTCC  scripts/kconfig/conf.o
  HOSTCC  scripts/kconfig/kxgettext.o
  HOSTCC  scripts/kconfig/mconf.o
  HOSTCC  scripts/kconfig/zconf.tab.o
  HOSTLD  scripts/kconfig/conf
scripts/kconfig/conf -o arch/i386/Kconfig
*
* Linux Kernel Configuration
*
*
* Code maturity level options
*
Prompt for development and/or incomplete code/drivers (EXPERIMENTAL) [Y/n/?] y
[... large amount of output omitted ...]
*    ARP tables support (IP_NF_ARPTABLES) [M/n/?] m
      ARP packet filtering (IP_NF_ARPFILTER) [M/n/?] m
      ARP payload mangling (IP_NF_ARP_MANGLE) [M/n/?] m
    Connections/IP limit match support (IP_NF_MATCH_CONNLIMIT) [N/m/?] (NEW) m
    *
    * IPv6: Netfilter Configuration (EXPERIMENTAL)
    *
    IP6 Userspace queueing via NETLINK (OBSOLETE) (IP6_NF_QUEUE) [M/n/?] m
[... large amount of output omitted ...]

* General setup
*
#
# configuration written to .config
#

When the newly added connlimit option comes up and asks whether to build it into the kernel, enter "m" to build it as a module.

#make modules_prepare      #### What does this step do??? I don't know and didn't look into it; I just ran it as given.

#mv net/ipv4/netfilter/Makefile net/ipv4/netfilter/Makefile.orig      #### Back up the original Makefile; it contains the original build settings, and building with it as-is will fail.

Create the new Makefile

#vi net/ipv4/netfilter/Makefile

obj-m := ipt_connlimit.o

KDIR  := /lib/modules/$(shell uname -r)/build
PWD   := $(shell pwd)

default:
	$(MAKE) -C $(KDIR) M=$(PWD) modules


Then build the module:

[root@connlimit 2.6.18-8.el5-i686]# make M=net/ipv4/netfilter/
  LD      net/ipv4/netfilter/built-in.o
  CC [M]  net/ipv4/netfilter/ipt_connlimit.o
  Building modules, stage 2.
  MODPOST
  CC      net/ipv4/netfilter/ipt_connlimit.mod.o
  LD [M]  net/ipv4/netfilter/ipt_connlimit.ko

At this point you may get errors about missing files; whatever is missing, just locate it and copy it over, as here with the match's source and header from the patchlet directory:

cp /opt/iptables/patch-o-matic-ng-20080214/patchlets/connlimit/linux-2.6/net/ipv4/netfilter/ipt_connlimit.c net/ipv4/netfilter/
cp /opt/iptables/patch-o-matic-ng-20080214/patchlets/connlimit/linux-2.6/include/linux/netfilter_ipv4/ipt_connlimit.h net/ipv4/netfilter/

Copy the generated .ko module to its destination and set its permissions

#cp net/ipv4/netfilter/ipt_connlimit.ko /lib/modules/2.6.18-164.el5/kernel/net/ipv4/netfilter/
#chmod 744 /lib/modules/2.6.18-164.el5/kernel/net/ipv4/netfilter/ipt_connlimit.ko

At this point the module build is complete.

Test and apply the new module

Run depmod -a to check that the connlimit module is compatible (its dependencies resolve)

# depmod -a

Load the connlimit module

#modprobe ipt_connlimit

Check that it loaded successfully

[root@monitor 2.6.18-164.el5]# lsmod |grep ip
ipt_connlimit           7680  0
ip_conntrack           53153  1 ipt_connlimit
nfnetlink              10713  1 ip_conntrack
ipv6                  251137  12
ipt_REJECT              9537  0
x_tables               17349  3 ipt_connlimit,ipt_REJECT,xt_tcpudp

OK, the module is now ready to use.

Now test it:

Edit /etc/sysconfig/iptables and add a line in a suitable place:

-A RH-Firewall-1-INPUT -p tcp -m tcp -s 0.0.0.0/0 -m connlimit --connlimit-above 3 -j DROP

Restart iptables.

#service iptables restart

Check that the policy was applied successfully

# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 255
ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     ah   --  0.0.0.0/0            0.0.0.0/0
ACCEPT     udp  --  0.0.0.0/0            224.0.0.251         udp dpt:5353
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:631
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:631
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp #conn/32 > 3
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
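As an added illustration (not code from the original post), here is a Python model of how the connlimit match decides: it parses the --connlimit-above / --connlimit-mask options from a rule string such as the line added to /etc/sysconfig/iptables above, counts the connections a client (or its /mask block) already holds, and replays connection attempts to show at which attempt the rule starts dropping. The counting and the treatment of dropped attempts are a simplification written for this page, not the kernel module's code.

```python
# Model of the connlimit match configured above: count the parallel connections
# a client (or its --connlimit-mask block) already holds and compare that with
# --connlimit-above. Simplified model written for this page, not the kernel code.
import ipaddress


def parse_connlimit(rule: str) -> tuple[int, int, bool]:
    """(above, mask, invert) from an iptables rule string; mask defaults to 32,
    the per-host count shown in the listing as '#conn/32'."""
    toks = rule.split()
    above, mask, invert = None, 32, False
    for i, tok in enumerate(toks):
        if tok == "--connlimit-above":
            above = int(toks[i + 1])
            invert = i > 0 and toks[i - 1] == "!"  # "! --connlimit-above N" form
        elif tok == "--connlimit-mask":
            mask = int(toks[i + 1])
    if above is None:
        raise ValueError("rule has no --connlimit-above")
    return above, mask, invert


def _block(ip: str, mask: int) -> ipaddress.IPv4Network:
    """The /mask network ip belongs to; with mask=32 that is the host itself."""
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False)


def connlimit_matches(conntrack: list[str], src: str, above: int,
                      mask: int = 32, invert: bool = False) -> bool:
    """True if the match fires for a new connection from src. conntrack holds the
    source IPs of open connections; the new one counts too, so 'above 3' lets a
    host keep 3 connections and the 4th attempt matches."""
    block = _block(src, mask)
    count = 1 + sum(1 for c in conntrack if _block(c, mask) == block)
    return (count <= above) if invert else (count > above)


def simulate_syns(sources: list[str], rule: str) -> list[bool]:
    """Replay connection attempts in order against a DROP rule; True = dropped.
    A dropped attempt never becomes a tracked connection."""
    above, mask, invert = parse_connlimit(rule)
    conntrack: list[str] = []
    verdicts = []
    for src in sources:
        dropped = connlimit_matches(conntrack, src, above, mask, invert)
        if not dropped:
            conntrack.append(src)
        verdicts.append(dropped)
    return verdicts
```

The patch's own examples pair connlimit with --syn; the rule added above matches every TCP packet and sits before the RELATED,ESTABLISHED accept, so once a host has more than three connections, packets of its existing connections are dropped as well, not only new attempts.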


 

 

Addendum: when applying the patch you may also see the following; at the second prompt, just pressing Enter works too!

-----------------------------------------------------------------
Do you want to apply this patch [N/y/t/f/a/r/b/w/q/?] y
unable to find ladd slot in src /tmp/pom-17129/net/ipv4/netfilter/Makefile (./patchlets/connlimit/linux-2.6/./net/ipv4/netfilter/Makefile.ladd)
-----------------------------------------------------------------
Do you want to apply this patch [N/y/t/f/a/r/b/w/q/?]
