System environment and related packages
OS: CentOS 5.3, kernel 2.6.18-128.el5
Kernel source path: /usr/src/kernels/2.6.18-128.el5-i686
iptables-1.4.0.tar.bz2
wget http://ftp.netfilter.org/pub/iptables/iptables-1.4.0.tar.bz2
iptables 1.4.5 was tried first during this process but failed, so version 1.4.0 is used instead.
patch-o-matic-ng-20091010.tar.bz2
wget http://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot/patch-o-matic-ng-20091010.tar.bz2
Extract the archives:
tar xjf iptables-1.4.0.tar.bz2
tar xjf patch-o-matic-ng-20091010.tar.bz2
Upgrade iptables. The build is done against the kernel source tree above; the last step replaces the distribution binary in /sbin with the new one, so a later iptables package update will overwrite it again and this step must be repeated:
cd iptables-1.4.0
make KERNEL_DIR=/usr/src/kernels/2.6.18-128.el5-i686
make install KERNEL_DIR=/usr/src/kernels/2.6.18-128.el5-i686
service iptables stop
cp /usr/local/sbin/iptables /sbin/iptables
cd ..
Change into the patch-o-matic directory:
cd patch-o-matic-ng-20091010
Download the external patches (KERNEL_DIR and IPTABLES_DIR tell runme where the two source trees are):
KERNEL_DIR=/usr/src/kernels/2.6.18-128.el5-i686/ IPTABLES_DIR=/root/iptables-1.4.0/ ./runme --download
Screen output:
Successfully downloaded external patch geoip
Successfully downloaded external patch condition
Successfully downloaded external patch IPMARK
Successfully downloaded external patch ROUTE
Successfully downloaded external patch connlimit
Successfully downloaded external patch ipp2p
Successfully downloaded external patch time
Successfully downloaded external patch ipv4options
Successfully downloaded external patch TARPIT
Successfully downloaded external patch ACCOUNT
Successfully downloaded external patch pknock
Loading patchlet definitions........... done
Excellent! Source trees are ready for compilation.
Apply the connlimit patch to the kernel and iptables source trees:
KERNEL_DIR=/usr/src/kernels/2.6.18-128.el5-i686/ IPTABLES_DIR=/root/iptables-1.4.0 ./runme connlimit
Screen output:
Loading patchlet definitions........... done
Welcome to Patch-o-matic ($Revision$)!
Kernel: 2.6.18, /usr/src/kernels/2.6.18-128.el5-i686/
Iptables: 1.4.0, /root/iptables-1.4.0
Each patch is a new feature: many have minimal impact, some do not.
Almost every one has bugs, so don't apply what you don't need!
-------------------------------------------------------
Already applied:
Testing connlimit... not applied
The connlimit patch:
Author: Gerd Knorr <[email protected]>
Status: ItWorksForMe[tm]
This adds an iptables match which allows you to restrict the
number of parallel TCP connections to a server per client IP address
(or address block).
Examples:
# allow 2 telnet connections per client host
iptables -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT
# you can also match the other way around:
iptables -p tcp --syn --dport 23 -m connlimit ! --connlimit-above 2 -j ACCEPT
# limit the nr of parallel http requests to 16 per class C sized
# network (24 bit netmask)
iptables -p tcp --syn --dport 80 -m connlimit --connlimit-above 16 \
--connlimit-mask 24 -j REJECT
-----------------------------------------------------------------
Do you want to apply this patch [N/y/t/f/a/r/b/w/q/?] y (enter y here)
Excellent! Source trees are ready for compilation.
Prepare the kernel tree (this only updates the configuration; the full kernel is not rebuilt):
cd /usr/src/kernels/2.6.18-128.el5-i686/
make oldconfig
Most of the prompts are omitted here; it will stop at
Connections/IP limit match support (IP_NF_MATCH_CONNLIMIT) [N/m/?] (NEW)
Enter m (build as a module) and press Enter.
make modules_prepare
Back up the original Makefile:
mv net/ipv4/netfilter/Makefile net/ipv4/netfilter/Makefile.bak
Create a new Makefile that builds only this one module:
nano net/ipv4/netfilter/Makefile
Contents (the recipe line under default: must be indented with a tab, not spaces, or make will reject it):
obj-m := ipt_connlimit.o
KDIR := /lib/modules/$(shell uname -r)/build
PWD := $(shell pwd)
default:
	$(MAKE) -C $(KDIR) M=$(PWD) modules
Save and exit. Once the module has been built, restore the original Makefile from Makefile.bak; the headers tree is shared with every other out-of-tree build on the system.
Build the module:
make M=net/ipv4/netfilter/
Screen output:
LD net/ipv4/netfilter/built-in.o
CC [M] net/ipv4/netfilter/ipt_connlimit.o
Building modules, stage 2.
MODPOST
CC net/ipv4/netfilter/ipt_connlimit.mod.o
LD [M] net/ipv4/netfilter/ipt_connlimit.ko
Copy the generated .ko into the module tree of the running kernel, /lib/modules/2.6.18-128.el5/kernel/net/ipv4/netfilter/. The directory name must match the output of uname -r (2.6.18-128.el5 on this system); if the file is copied into another release's tree, depmod and modprobe for the running kernel never see it. Then set the usual permissions (kernel module files are installed mode 0644, owned by root):
cp net/ipv4/netfilter/ipt_connlimit.ko /lib/modules/2.6.18-128.el5/kernel/net/ipv4/netfilter/
chmod 644 /lib/modules/2.6.18-128.el5/kernel/net/ipv4/netfilter/ipt_connlimit.ko
The build is complete.
Test and load the module
depmod -a
Load the connlimit module:
modprobe ipt_connlimit
Check that it loaded:
lsmod |grep ip
The output should look like:
ipt_connlimit 7680 0
x_tables 17349 1 ipt_connlimit
ip_conntrack 53025 1 ipt_connlimit
nfnetlink 10713 1 ip_conntrack
dm_multipath 21577 0
dm_mod 58457 2 dm_mirror,dm_multipath
ipv6 251393 16
Seeing ipt_connlimit in the list means the whole procedure is complete.
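The procedure above has one step that is easy to get wrong: the module must land in the module tree of the kernel that is actually running, and must have been built against that same kernel. The script below is an added example, not part of the original post, that checks both before installing. It derives the target directory from uname -r, compares the module's vermagic (as printed by modinfo -F vermagic) with the running release, and only then copies, runs depmod, loads the module and confirms it in lsmod. The function names and the sample vermagic and lsmod text are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): install an out-of-tree
# ipt_connlimit.ko only if it was built for the running kernel.
# module_dir_for, vermagic_matches, has_module and install_connlimit
# are names chosen for this example.

# Directory that depmod scans for netfilter modules of a kernel release.
module_dir_for() {
    printf '/lib/modules/%s/kernel/net/ipv4/netfilter\n' "$1"
}

# A module's vermagic string (modinfo -F vermagic foo.ko) starts with the
# release it was built for, e.g. "2.6.18-128.el5 SMP mod_unload 686 ...".
# Return 0 when that release equals the target release, 1 otherwise.
vermagic_matches() {
    vermagic=$1
    release=$2
    built_for=${vermagic%% *}      # first word of the vermagic string
    [ "$built_for" = "$release" ]
}

# Return 0 if lsmod-style text on stdin lists module $1 in its first
# column (the header line "Module Size Used by" is skipped).
has_module() {
    awk -v m="$1" 'NR > 1 && $1 == m { found = 1 } END { exit !found }'
}

# Install and load the module for the running kernel. Needs root and a
# real kernel; it is only run when the script is invoked as
#   sh this.sh install net/ipv4/netfilter/ipt_connlimit.ko
install_connlimit() {
    ko=$1
    rel=$(uname -r)
    dir=$(module_dir_for "$rel")
    vm=$(modinfo -F vermagic "$ko")
    if ! vermagic_matches "$vm" "$rel"; then
        echo "refusing: $ko was built for '${vm%% *}', running kernel is $rel" >&2
        return 1
    fi
    # Module files are installed 0644 root:root; nothing needs the x bit.
    install -m 0644 -o root -g root "$ko" "$dir/"
    depmod -a "$rel"
    modprobe ipt_connlimit
    lsmod | has_module ipt_connlimit
}

if [ "${1:-}" = install ]; then
    install_connlimit "$2"
fi
```

If vermagic_matches fails, the .ko was built against different headers than the running kernel (for example after a kernel update that did not update kernel-devel), and modprobe would refuse it anyway; rebuild against /lib/modules/$(uname -r)/build instead of copying it somewhere else.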
Appendix: iptables rules against CC (HTTP flood) attacks
nano /etc/sysconfig/iptables
Add the following to the RH-Firewall-1-INPUT chain, above its final catch-all REJECT rule:
-A RH-Firewall-1-INPUT -p tcp -m tcp --syn --dport 80 -m connlimit --connlimit-above 50 -j REJECT
-A RH-Firewall-1-INPUT -p tcp -m tcp --syn --dport 80 -m recent --name BAD_HTTP_ACCESS --update --seconds 60 --hitcount 30 -j REJECT
-A RH-Firewall-1-INPUT -p tcp -m tcp --syn --dport 80 -m recent --name BAD_HTTP_ACCESS --set -j ACCEPT
The first rule rejects a new connection from any source that already holds more than 50 connections to port 80. The second rejects a source that has opened more than 30 connections in the last 60 seconds (--update also refreshes its timestamp, so a host that keeps flooding stays blocked), and the third records the connection attempt and accepts it. The --syn restriction matters: without it the recent rule counts every packet to port 80, and a single ordinary page load exceeds 30 packets. Note also that ipt_recent remembers at most ip_pkt_list_tot packets per address (default 20), so a hitcount of 30 can never be reached unless the module is loaded with a larger value (for example options ipt_recent ip_pkt_list_tot=30 in /etc/modprobe.conf) or the hitcount is lowered to 20 or less.
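As an added example that is not part of the original post, the script below generates this rule set for any chain, port and thresholds in the /etc/sysconfig/iptables (iptables-save) syntax, lints a rule line for the mistake that makes a per-second hit count fire on ordinary traffic (no --syn or NEW state restriction), and reads back the addresses currently held in the recent table so a rule can be checked while it is running. The function names, the constructed recent-table lines and the use of --reject-with tcp-reset are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original post). gen_cc_rules,
# rule_counts_new_only and recent_ips are names chosen for this example.

# Emit the three rules in iptables-save syntax.
# Arguments: chain, port, max parallel connections per source,
#            window in seconds, max connection attempts per source per window.
gen_cc_rules() {
    chain=$1
    port=$2
    conn_max=$3
    window=$4
    syn_max=$5
    # 1. Source already holds more than $conn_max connections: reject the
    #    new SYN with a RST so the client gives up immediately.
    printf '%s -p tcp -m tcp --syn --dport %s -m connlimit --connlimit-above %s -j REJECT --reject-with tcp-reset\n' \
        "-A $chain" "$port" "$conn_max"
    # 2. More than $syn_max connection attempts in the last $window seconds:
    #    reject. --update also refreshes the timestamp, so a host that keeps
    #    trying stays blocked. $syn_max must not exceed the recent module's
    #    ip_pkt_list_tot (default 20) or the rule never matches.
    printf '%s -p tcp -m tcp --syn --dport %s -m recent --name BAD_HTTP_ACCESS --update --seconds %s --hitcount %s -j REJECT --reject-with tcp-reset\n' \
        "-A $chain" "$port" "$window" "$syn_max"
    # 3. Record this attempt and accept it.
    printf '%s -p tcp -m tcp --syn --dport %s -m recent --name BAD_HTTP_ACCESS --set -j ACCEPT\n' \
        "-A $chain" "$port"
}

# Return 0 when a rule line is limited to connection attempts by --syn or
# a NEW conntrack state, 1 when it would count every packet of the flow.
rule_counts_new_only() {
    case " $1 " in
        *" --syn "*|*" --state NEW "*|*" --ctstate NEW "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the source addresses held in a recent table, read from stdin:
#   recent_ips < /proc/net/ipt_recent/BAD_HTTP_ACCESS   (2.6.18 kernels)
#   recent_ips < /proc/net/xt_recent/BAD_HTTP_ACCESS    (newer kernels)
# Each line of that file starts with "src=<address>".
recent_ips() {
    sed -n 's/^src=\([^ ]*\).*/\1/p'
}

# Usage: sh this.sh CHAIN PORT CONN_MAX WINDOW SYN_MAX   (prints the rules)
if [ $# -eq 5 ]; then
    gen_cc_rules "$@"
fi
```

Paste the generated lines above the chain's final REJECT rule, restart the firewall, and watch the counters with iptables -nvL RH-Firewall-1-INPUT; a source that is being blocked shows up in the recent table with a fresh last_seen value on every further attempt.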