Adding the connlimit module on RHEL5.1/RHEL5 without recompiling the kernel
System environment and related packages
Operating system: Red Hat Enterprise Linux Server release 5 (2.6.18-53.el5)
Kernel source path: /usr/src/kernels/2.6.18-53.el5-i686 (the kernel-devel tree: headers, Kconfig and Makefiles, not the full .c sources; that is enough for an out-of-tree module build)
iptables-1.4.0.tar.bz2, from www.netfilter.org; only its source tree is needed, because patch-o-matic insists on an iptables source directory to patch alongside the kernel.
patch-o-matic-ng-20080214.tar.bz2, also from www.netfilter.org (the ftp.netfilter.org URLs used below).
The original environment in brief
[root@raid5 ~]# iptables
iptables v1.3.5: no command specified
Try `iptables -h' or 'iptables --help' for more information.
[root@raid5 ~]# cd /usr/src/kernels/2.6.18-53.el5-i686/
[root@raid5 2.6.18-53.el5-i686]# ls
arch fs kabi_whitelist mm scripts usr
block include kernel Module.kabi security
crypto init lib Module.symvers sound
drivers ipc Makefile net symsets-2.6.18-53.el5.tar.gz
Build procedure:
[root@raid5 2.6.18-53.el5-i686]# cd /root/
[root@raid5 ~]# ls
anaconda-ks.cfg Desktop install.log install.log.syslog
Fetch the tarballs and unpack them (in /root)
[root@raid5 ~]# wget ftp://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot/patch-o-matic-ng-20080214.tar.bz2
09:57:18 (58.8 KB/s) - `patch-o-matic-ng-20080214.tar.bz2' saved [137661]
[root@raid5 ~]# wget ftp://ftp.netfilter.org/pub/iptables/iptables-1.4.0.tar.bz2
09:57:33 (106 KB/s) - `iptables-1.4.0.tar.bz2' saved [181610]
[root@raid5 ~]# tar xjf iptables-1.4.0.tar.bz2
[root@raid5 ~]# tar xjf patch-o-matic-ng-20080214.tar.bz2
Download the external patchlets (connlimit is one of them)
[root@raid5 ~]# cd /root/patch-o-matic-ng-20080214
The patchlets can be fetched non-interactively by giving both directories on the command line:
# KERNEL_DIR=/usr/src/kernels/2.6.18-53.el5-i686/ IPTABLES_DIR=/root/iptables-1.4.0 ./runme --download
or you can answer the prompts during the run, as was done here:
[root@raid5 patch-o-matic-ng-20080214]# ./runme -download
Successfully downloaded external patch geoip
Successfully downloaded external patch condition
Successfully downloaded external patch IPMARK
Successfully downloaded external patch ROUTE
Successfully downloaded external patch connlimit
Successfully downloaded external patch ipp2p
Successfully downloaded external patch time
./patchlets/ipv4options exists and is not external
./patchlets/TARPIT exists and is not external
Successfully downloaded external patch ACCOUNT
Successfully downloaded external patch pknock
Hey! KERNEL_DIR is not set.
Where is your kernel source directory? [/usr/src/linux] /usr/src/kernels/2.6.18-53.el5-i686
Hey! IPTABLES_DIR is not set.
Where is your iptables source code directory? [/usr/src/iptables] /root/iptables-1.4.0
Loading patchlet definitions......................... done
Excellent! Source trees are ready for compilation.
Apply the connlimit patch to the kernel source tree
[root@raid5 patch-o-matic-ng-20080214]# KERNEL_DIR=/usr/src/kernels/2.6.18-53.el5-i686 IPTABLES_DIR=/root/iptables-1.4.0 ./runme connlimit
Loading patchlet definitions......................... done
Welcome to Patch-o-matic ($Revision: 6736 $)!
Kernel: 2.6.18, /usr/src/kernels/2.6.18-53.el5-i686
Iptables: 1.4.0, /root/iptables-1.4.0
Each patch is a new feature: many have minimal impact, some do not.
Almost every one has bugs, so don't apply what you don't need!
-------------------------------------------------------
Already applied:
Testing connlimit... not applied
The connlimit patch:
Author: Gerd Knorr <[email protected]>
Status: ItWorksForMe[tm]
This adds an iptables match which allows you to restrict the
number of parallel TCP connections to a server per client IP address
(or address block).
Examples:
# allow 2 telnet connections per client host
iptables -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT
# you can also match the other way around:
iptables -p tcp --syn --dport 23 -m connlimit ! --connlimit-above 2 -j ACCEPT
# limit the nr of parallel http requests to 16 per class C sized
# network (24 bit netmask)
iptables -p tcp --syn --dport 80 -m connlimit --connlimit-above 16 \
--connlimit-mask 24 -j REJECT
-----------------------------------------------------------------
Do you want to apply this patch [N/y/t/f/a/r/b/w/q/?] y
Excellent! Source trees are ready for compilation.
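The per-client and per-network counting that the patch text above describes (--connlimit-above compared against the number of parallel TCP connections, --connlimit-mask folding a whole address block into one counter) can be checked from the server side without the match. The script below is an added example, not code from the page or from the connlimit patch: it reads conntrack entries in the text format the 2.6.18 ip_conntrack module exposes (assumed to be /proc/net/ip_conntrack), takes the original-direction source address of each ESTABLISHED TCP entry, groups it by a prefix length the way --connlimit-mask does, and reports which clients would already match a given --connlimit-above value. The sample lines are constructed, and the function names are this example's own; the kernel match keeps its own connection list, so treat this as a monitoring approximation rather than a reimplementation.

```python
"""Count tracked TCP connections per client, grouped the way
--connlimit-mask groups them.

Added example, not code from the original page or from the connlimit
patch. Reads ip_conntrack lines in the format the 2.6.18 ip_conntrack
module exposes at /proc/net/ip_conntrack (assumed path); the sample
below is constructed.
"""
import ipaddress
import sys
from collections import Counter

# Constructed sample: three ESTABLISHED HTTP connections from .147, one from
# .200, one TIME_WAIT leftover, one SSH from another network, one UDP flow.
SAMPLE_CONNTRACK = """\
tcp      6 431999 ESTABLISHED src=192.168.1.147 dst=192.168.1.10 sport=40001 dport=80 src=192.168.1.10 dst=192.168.1.147 sport=80 dport=40001 [ASSURED] use=1
tcp      6 431999 ESTABLISHED src=192.168.1.147 dst=192.168.1.10 sport=40002 dport=80 src=192.168.1.10 dst=192.168.1.147 sport=80 dport=40002 [ASSURED] use=1
tcp      6 431999 ESTABLISHED src=192.168.1.147 dst=192.168.1.10 sport=40003 dport=80 src=192.168.1.10 dst=192.168.1.147 sport=80 dport=40003 [ASSURED] use=1
tcp      6 431999 ESTABLISHED src=192.168.1.200 dst=192.168.1.10 sport=50001 dport=80 src=192.168.1.10 dst=192.168.1.200 sport=80 dport=50001 [ASSURED] use=1
tcp      6 118 TIME_WAIT src=192.168.1.147 dst=192.168.1.10 sport=40004 dport=80 src=192.168.1.10 dst=192.168.1.147 sport=80 dport=40004 [ASSURED] use=1
tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=192.168.1.10 sport=33000 dport=22 src=192.168.1.10 dst=10.0.0.5 sport=22 dport=33000 [ASSURED] use=1
udp      17 29 src=192.168.1.147 dst=192.168.1.10 sport=5353 dport=53 src=192.168.1.10 dst=192.168.1.147 sport=53 dport=5353 use=1
"""


def parse_conntrack_line(line):
    """Return (proto, state, src, dport) from the original-direction tuple
    of one ip_conntrack line, or None if the line is not a flow entry.
    TCP lines carry a state column after the timeout; UDP lines do not."""
    fields = line.split()
    if len(fields) < 4:
        return None
    proto = fields[0]
    state = fields[3] if proto == "tcp" else None
    src = dport = None
    for f in fields:
        if src is None and f.startswith("src="):
            src = f[4:]
        elif dport is None and f.startswith("dport="):
            dport = int(f[6:])
    if src is None or dport is None:
        return None
    return proto, state, src, dport


def count_connections(text, mask=32, dport=None, states=("ESTABLISHED",)):
    """Count TCP entries in `states` per source network.

    mask=32 counts per client address (the default the page's rule was
    saved with); mask=24 folds a whole /24 into one counter, as
    --connlimit-mask 24 does. dport=None counts every destination port."""
    counts = Counter()
    for line in text.splitlines():
        parsed = parse_conntrack_line(line)
        if parsed is None:
            continue
        proto, state, src, port = parsed
        if proto != "tcp" or state not in states:
            continue
        if dport is not None and port != dport:
            continue
        net = ipaddress.ip_network(f"{src}/{mask}", strict=False)
        counts[str(net)] += 1
    return counts


def over_limit(counts, above):
    """Networks whose count exceeds `above`: the clients a rule written with
    --connlimit-above <above> would match right now."""
    return sorted(net for net, n in counts.items() if n > above)


if __name__ == "__main__":
    # usage: python3 connlimit_count.py [/proc/net/ip_conntrack] [mask] [dport]
    path = sys.argv[1] if len(sys.argv) > 1 else None
    mask = int(sys.argv[2]) if len(sys.argv) > 2 else 32
    port = int(sys.argv[3]) if len(sys.argv) > 3 else None
    text = open(path).read() if path else SAMPLE_CONNTRACK
    for net, n in count_connections(text, mask, port).most_common():
        print(f"{net:20s} {n}")
```

With the sample, 192.168.1.147 holds exactly three established connections, so a rule with --connlimit-above 3 would not match it yet, while the same rule with --connlimit-mask 24 sees four connections from 192.168.1.0/24 and would. The TIME_WAIT entry and the UDP flow are ignored, which is the point of filtering on state and protocol before counting.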
Configure the patched source tree (make oldconfig; this does not build the kernel)
[root@raid5 patch-o-matic-ng-20080214]# cd /usr/src/kernels/2.6.18-53.el5-i686/
[root@raid5 2.6.18-53.el5-i686]# make oldconfig
HOSTCC scripts/kconfig/conf.o
HOSTCC scripts/kconfig/kxgettext.o
HOSTCC scripts/kconfig/mconf.o
HOSTCC scripts/kconfig/zconf.tab.o
HOSTLD scripts/kconfig/conf
scripts/kconfig/conf -o arch/i386/Kconfig
*
* Linux Kernel Configuration
*
*
* Code maturity level options
*
Prompt for development and/or incomplete code/drivers (EXPERIMENTAL) [Y/n/?] y
*
* General setup
*
Local version - append to kernel release (LOCALVERSION) []
Automatically append version information to the version string (LOCALVERSION_AUTO) [N/y/?] n
Support for paging of anonymous memory (swap) (SWAP) [Y/n/?] y
System V IPC (SYSVIPC) [Y/n/?] y
POSIX Message Queues (POSIX_MQUEUE) [Y/n/?] y
BSD Process Accounting (BSD_PROCESS_ACCT) [Y/n/?] y
BSD Process Accounting version 3 file format (BSD_PROCESS_ACCT_V3) [N/y/?] n
Export task/process statistics through netlink (EXPERIMENTAL) (TASKSTATS) [Y/n/?] y
Enable per-task delay accounting (EXPERIMENTAL) (TASK_DELAY_ACCT) [Y/n/?] y
Auditing support (AUDIT) [Y/n/?] y
Enable system-call auditing support (AUDITSYSCALL) [Y/n/?] y
Kernel .config support (IKCONFIG) [N/y/?] n
(large amount of output omitted)
Packet mangling (IP_NF_MANGLE) [M/n/?] m
TOS target support (IP_NF_TARGET_TOS) [M/n/?] m
ECN target support (IP_NF_TARGET_ECN) [M/n/?] m
DSCP target support (IP_NF_TARGET_DSCP) [M/n/?] m
TTL target support (IP_NF_TARGET_TTL) [M/n/?] m
CLUSTERIP target support (EXPERIMENTAL) (IP_NF_TARGET_CLUSTERIP) [M/n/?] m
raw table support (required for NOTRACK/TRACE) (IP_NF_RAW) [M/n/?] m
ARP tables support (IP_NF_ARPTABLES) [M/n/?] m
ARP packet filtering (IP_NF_ARPFILTER) [M/n/?] m
ARP payload mangling (IP_NF_ARP_MANGLE) [M/n/?] m
Connections/IP limit match support (IP_NF_MATCH_CONNLIMIT) [N/m/?] (NEW) m
(more output omitted)
*
* Hardware crypto devices
*
Support for VIA PadLock ACE (CRYPTO_DEV_PADLOCK) [M/n/y/?] m
Support for AES in VIA PadLock (CRYPTO_DEV_PADLOCK_AES) [Y/n/?] y
*
* Library routines
*
CRC-CCITT functions (CRC_CCITT) [M/y/?] m
CRC16 functions (CRC16) [M/n/y/?] m
CRC32 functions (CRC32) [Y/?] y
CRC32c (Castagnoli, et al) Cyclic Redundancy-Check (LIBCRC32C) [Y/?] y
#
# configuration written to .config
Notes on the above: make oldconfig only asks about options that are new relative to the existing .config, and the only new one is IP_NF_MATCH_CONNLIMIT, which the patch added. When asked whether to build it, answer "m" so it becomes a loadable module; leave everything else at its default, and the kernel itself is not rebuilt.
[root@raid5 2.6.18-53.el5-i686]# make modules_prepare
scripts/kconfig/conf -s arch/i386/Kconfig
CHK include/linux/version.h
CHK include/linux/utsrelease.h
HOSTCC scripts/genksyms/genksyms.o
HOSTCC scripts/genksyms/lex.o
HOSTCC scripts/genksyms/parse.o
HOSTLD scripts/genksyms/genksyms
CC scripts/mod/empty.o
MKELF scripts/mod/elfconfig.h
HOSTCC scripts/mod/file2alias.o
HOSTCC scripts/mod/modpost.o
HOSTCC scripts/mod/sumversion.o
HOSTLD scripts/mod/modpost
Back up the original Makefile. It lists every netfilter module enabled in .config, and the kernel-devel tree carries no .c sources for those, so building against it as-is fails on the missing files. Restore it from the .bak once the module is built, so later out-of-tree builds against this tree still work.
[root@raid5 2.6.18-53.el5-i686]# mv net/ipv4/netfilter/Makefile net/ipv4/netfilter/Makefile.bak
Create a new Makefile that lists only the connlimit object (the recipe line under default: must start with a tab):
[root@raid5 2.6.18-53.el5-i686]# vi net/ipv4/netfilter/Makefile
obj-m := ipt_connlimit.o
# KDIR/PWD and the default target are only used when make is run inside
# this directory; the invocation below drives the build from the kernel
# tree with M=, which reads obj-m directly.
KDIR := /lib/modules/$(shell uname -r)/build
PWD := $(shell pwd)
default:
	$(MAKE) -C $(KDIR) M=$(PWD) modules
Then build the module:
[root@raid5 2.6.18-53.el5-i686]# make M=net/ipv4/netfilter/
LD net/ipv4/netfilter/built-in.o
CC [M] net/ipv4/netfilter/ipt_connlimit.o
Building modules, stage 2.
MODPOST
CC net/ipv4/netfilter/ipt_connlimit.mod.o
LD [M] net/ipv4/netfilter/ipt_connlimit.ko
Copy the resulting .ko into the running kernel's module tree and set its permissions (644 on the file itself; a module is a data file, not an executable, and the netfilter directory must keep its own mode so the loader can traverse it):
[root@raid5 2.6.18-53.el5-i686]# cp net/ipv4/netfilter/ipt_connlimit.ko /lib/modules/2.6.18-53.el5/kernel/net/ipv4/netfilter/
[root@raid5 2.6.18-53.el5-i686]# chmod 644 /lib/modules/2.6.18-53.el5/kernel/net/ipv4/netfilter/ipt_connlimit.ko
The module build is complete. Note that the module lives outside the distribution's kernel package: after any kernel update it must be rebuilt against the new kernel-devel tree, otherwise modprobe refuses it with a version-magic mismatch.
Test and use the module
[root@raid5 2.6.18-53.el5-i686]# depmod -a
Load the connlimit module
[root@raid5 2.6.18-53.el5-i686]# modprobe ipt_connlimit
Check that it loaded (it pulls in x_tables and ip_conntrack, which connlimit needs in order to count connections)
[root@raid5 2.6.18-53.el5-i686]# lsmod |grep ip
ipt_connlimit 7680 0
x_tables 17349 1 ipt_connlimit
ip_conntrack 53025 1 ipt_connlimit
nfnetlink 10713 1 ip_conntrack
dm_multipath 21577 0
dm_mod 58457 2 dm_mirror,dm_multipath
ipv6 251393 16
[root@raid5 2.6.18-53.el5-i686]#
[root@raid5 2.6.18-53.el5-i686]# iptables -A INPUT -s 192.168.1.147 -m connlimit --connlimit-above 3 -j DROP
iptables: Unknown error 4294967295
The first attempt is refused by the kernel: this connlimit patch counts TCP connections only, so its rule check rejects a rule that does not select -p tcp (the "error" is -1 printed as an unsigned 32-bit value). Note also that the stock iptables 1.3.5 on the system already ships the userspace connlimit extension, which is why the patched iptables-1.4.0 tree never had to be built or installed; it only served to satisfy runme. Adding -p tcp makes the rule load:
[root@raid5 2.6.18-53.el5-i686]# iptables -A INPUT -p tcp -m tcp -s 192.168.1.147 -m connlimit --connlimit-above 3 -j DROP
[root@raid5 2.6.18-53.el5-i686]# iptables-save
# Generated by iptables-save v1.3.5 on Wed Feb 20 10:26:54 2008
*filter
:INPUT ACCEPT [216:17824]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [119:12828]
-A INPUT -s 192.168.1.147 -p tcp -m tcp -m connlimit --connlimit-above 3 --connlimit-mask 32 -j DROP
COMMIT
# Completed on Wed Feb 20 10:26:54 2008
[root@raid5 2.6.18-53.el5-i686]# iptables-save > /etc/sysconfig/iptables
[root@raid5 2.6.18-53.el5-i686]# /etc/init.d/iptables start
[root@raid5 2.6.18-53.el5-i686]# iptables -vnL
Chain INPUT (policy ACCEPT 388 packets, 41987 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- * * 192.168.1.147 0.0.0.0/0 tcp #conn/32 > 3
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 62 packets, 6024 bytes)
pkts bytes target prot opt in out source destination
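The counters above stay at zero until the limited client actually exceeds three connections, so the rule should be exercised from that client. The following is an added example, not code from the page: a probe to run on the limited host (192.168.1.147 above) against the protected server and a port it accepts TCP on. It opens a number of connections and keeps every successful one open until the end, because connlimit counts parallel connections: a connect-and-close loop never holds more than one and never trips the rule. With the -j DROP rule from the page the extra SYNs get no answer and show up as timeouts; with a -j REJECT rule, or against a closed port, they show up as refused. The local listener and the free-port helper exist only so the script can self-test offline; the host, port and function names are this example's own.

```python
"""Client-side check that a connlimit rule enforces its limit.

Added example, not code from the original page. Run it on the limited
client (192.168.1.147 in the page) against the protected host. It opens
`count` connections and keeps every successful one open until the end,
because connlimit counts parallel connections: a connect-and-close loop
never holds more than one and would never trip the rule. With -j DROP the
extra SYNs get no answer and show up as timeouts; with -j REJECT, or
against a closed port, they show up as refused.
The local listener is only a stand-in for offline self-test.
"""
import socket
import socketserver
import sys
import threading


def probe(host, port, count, timeout=3.0):
    """Try `count` concurrent connections; return outcome counts."""
    held = []
    result = {"ok": 0, "timeout": 0, "refused": 0, "error": 0}
    try:
        for _ in range(count):
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.settimeout(timeout)
            try:
                s.connect((host, port))
                held.append(s)          # keep it open so it stays counted
                result["ok"] += 1
            except socket.timeout:      # SYN dropped: no SYN/ACK in time
                result["timeout"] += 1
                s.close()
            except ConnectionRefusedError:  # RST: REJECT rule or closed port
                result["refused"] += 1
                s.close()
            except OSError:
                result["error"] += 1
                s.close()
    finally:
        for s in held:
            s.close()
    return result


class _HoldOpen(socketserver.BaseRequestHandler):
    def handle(self):
        self.request.recv(1)  # block until the client closes its end


def start_local_listener():
    """Throwaway listener on 127.0.0.1 for self-test; returns (server, port)."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), _HoldOpen)
    srv.daemon_threads = True
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def free_closed_port():
    """A localhost port with nothing listening on it, for the refused case."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    # usage: python3 connlimit_probe.py HOST PORT COUNT
    # pick COUNT above the rule's --connlimit-above value, e.g. 5 for a limit of 3
    host, port, count = sys.argv[1], int(sys.argv[2]), int(sys.argv[3])
    print(probe(host, port, count))
```

Against the page's rule, a run with COUNT=5 on a port the server listens on should report three connections ok and two timeouts; anything else means the rule is not in the path (wrong chain, wrong protocol selector, or the module failed to load). Run the same probe from a second, unlimited client to confirm all five succeed there.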