RHEL 5.2, kernel 2.6.18: adding iptables modules (layer7, time, connlimit, ipp2p)
Many people could not get this to work; I tried it once more and it went through fine...
Reply #5 adds the full log of this latest run.
One more note: when choosing packages during OS installation, select the development libraries and development tools groups; the default package count is otherwise fine.
1. Check the kernel version
[root@seker SRPMS]# uname -a
Linux seker 2.6.18-92.el5 #1 SMP Tue Jun 10 18:49:47 EDT 2008 i686 i686 i386 GNU/Linux
The kernel source RPM you download must match the running kernel exactly. URL: http://rpmfind.net/linux/sourceforge/l/li/linux-ntfs/
2. Download the matching source RPM
[root@seker SRPMS]# ls
kernel-2.6.18-92.el5.src.rpm
[root@seker SRPMS]# pwd
/usr/src/redhat/SRPMS
3. Unpack the source RPM (the mockbuild user is created first because the files inside the kernel src.rpm are owned by it; without it rpm only warns and falls back to root)
[root@seker SRPMS]# useradd mockbuild
[root@seker SRPMS]# rpm -ivh kernel-2.6.18-92.el5.src.rpm
1:kernel ################ [100%]
[root@seker SRPMS]#
[root@seker SPECS]# pwd
/usr/src/redhat/SPECS
[root@seker SPECS]# ls
kernel-2.6.spec
[root@seker SPECS]# rpmbuild -bp --target=$(uname -m) ./kernel-2.6.spec
Building target platforms: i686
Building for target i686
.....
+ exit 0
[root@seker kernel-2.6.18]# pwd
/usr/src/redhat/BUILD/kernel-2.6.18
[root@seker kernel-2.6.18]# ls
config Config.mk linux-2.6.18.i686 vanilla xen
4. Copy the kernel source tree to /usr/src
[root@seker kernel-2.6.18]# cp -a linux-2.6.18.i686/ /usr/src/
[root@seker kernel-2.6.18]# cd /usr/src/linux-2.6.18.i686
5. Check that the Makefile version header matches the running kernel (edit EXTRAVERSION if it does not; the modules built from this tree are stamped with this release string)
[root@seker linux-2.6.18.i686]# head -n4 Makefile
VERSION = 2
PATCHLEVEL = 6
SUBLEVEL = 18
EXTRAVERSION = -92.el5
[root@seker linux-2.6.18.i686]# uname -r
2.6.18-92.el5
6. Download the software
[root@seker src]# wget http://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot/patch-o-matic-ng-20080918.tar.bz2
[root@seker src]# wget ftp://ftp.netfilter.org/pub/iptables/iptables-1.3.8.tar.bz2
[root@seker src]# wget http://downloads.sourceforge.net/l7-filter/l7-protocols-2008-04-23.tar.gz
[root@seker src]# wget http://ie.archive.ubuntu.com/sourceforge/l/l7/l7-filter/netfilter-layer7-v2.9.tar.gz
7. Unpack the tarballs
[root@seker src]# tar jxvf patch-o-matic-ng-20080918.tar.bz2
[root@seker src]# tar jxvf iptables-1.3.8.tar.bz2
[root@seker src]# tar zxvf l7-protocols-2008-04-23.tar.gz
[root@seker src]# tar zxvf ipp2p-0.99.15.tar.gz
[root@seker src]# tar zxvf netfilter-layer7-v2.9.tar.gz
8. Set the environment variables and download the patchlets
[root@seker patch-o-matic-ng-20080918]# export KERNEL_DIR=/usr/src/linux-2.6.18.i686/
[root@seker patch-o-matic-ng-20080918]# export IPTABLES_DIR=/usr/src/iptables-1.3.8/
[root@seker patch-o-matic-ng-20080918]# export KERNEL_SRC=/usr/src/linux-2.6.18.i686/
[root@seker patch-o-matic-ng-20080918]# export IPTABLES_SRC=/usr/src/iptables-1.3.8/
[root@seker patch-o-matic-ng-20080918]#
[root@seker patch-o-matic-ng-20080918]# ./runme --download
.....
Successfully downloaded external patch connlimit
Successfully downloaded external patch ipp2p
Successfully downloaded external patch time
Excellent! Source trees are ready for compilation.
Do not apply the bundled ipp2p patchlet; we use the latest version, downloaded from here:
http://linux.chinaunix.net/bbs/thread-914377-1-2.html
[root@seker patch-o-matic-ng-20080918]# ./runme time
[root@seker patch-o-matic-ng-20080918]# ./runme connlimit
9. Apply the layer7 patches (kernel tree first, then iptables). Note that the kernel patch also touches the conntrack core (include/linux/netfilter_ipv4/ip_conntrack.h, ip_conntrack_core.c and ip_conntrack_standalone.c; see the patch output in reply #5), so the struct ip_conntrack that ipt_layer7.ko is compiled against is not the one the stock 2.6.18-92.el5 kernel runs with. This procedure rebuilds only the match module and does not address that mismatch; for anything beyond a test box, rebuild and boot the patched kernel rather than dropping the single .ko into the stock one.
[root@seker linux-2.6.18.i686]# patch -p1 < /usr/src/netfilter-layer7-v2.9/kernel-2.6.18-2.6.19-layer7-2.9.patch
[root@seker iptables-1.3.8]# patch -p1 < /usr/src/netfilter-layer7-v2.9/iptables-layer7-2.9.patch
[root@seker iptables-1.3.8]# chmod +x extensions/.layer7-test
10. Configure the kernel and select the newly added modules
[root@seker linux-2.6.18.i686]# make menuconfig
Networking --->
  Networking options --->
    [*] Network packet filtering (replaces ipchains) --->
      IP: Netfilter Configuration --->
        <M> Layer 7 match support (EXPERIMENTAL)
        <M> TIME match support
        <M> Connections/IP limit match support
[root@seker linux-2.6.18.i686]# make modules_prepare
11. Back up the original Makefile. It carries the full in-tree build rules, and building this directory against them fails, so replace it with a minimal one that lists only the new modules.
[root@seker linux-2.6.18.i686]# mv net/ipv4/netfilter/Makefile net/ipv4/netfilter/Makefile.bak
Create the new Makefile. Use `+=`: with `:=` each line overwrites the previous one, so only the last module listed gets built and you end up editing the file and rebuilding once per module, which is what the log in reply #5 shows.
[root@seker linux-2.6.18.i686]# vi net/ipv4/netfilter/Makefile
obj-m += ipt_connlimit.o
obj-m += ipt_time.o
obj-m += ipt_layer7.o
KDIR := /lib/modules/$(shell uname -r)/build
PWD := $(shell pwd)
default:
	$(MAKE) -C $(KDIR) M=$(PWD) modules
Then build the modules. If they still do not all build in one pass, keep a single obj-m line in net/ipv4/netfilter/Makefile and run the build once per module until you have every ipt_*.ko. The build warns that Module.symvers is missing and the modules get no modversions; to avoid that, copy Module.symvers from the kernel-devel tree (/usr/src/kernels/2.6.18-92.el5-i686/, the directory the ipp2p build uses below) into the source tree first.
[root@seker linux-2.6.18.i686]# make M=net/ipv4/netfilter/
LD net/ipv4/netfilter/built-in.o
CC [M] net/ipv4/netfilter/ipt_connlimit.o
CC net/ipv4/netfilter/ipt_connlimit.mod.o
LD [M] net/ipv4/netfilter/ipt_connlimit.ko
CC net/ipv4/netfilter/ipt_time.mod.o
LD [M] net/ipv4/netfilter/ipt_time.ko
12. Copy the newly built modules into the running kernel's module directory
[root@seker linux-2.6.18.i686]# cp net/ipv4/netfilter/ipt_time.ko /lib/modules/2.6.18-92.el5/kernel/net/ipv4/netfilter/
[root@seker linux-2.6.18.i686]# cp net/ipv4/netfilter/ipt_layer7.ko /lib/modules/2.6.18-92.el5/kernel/net/ipv4/netfilter/
[root@seker linux-2.6.18.i686]# cp net/ipv4/netfilter/ipt_connlimit.ko /lib/modules/2.6.18-92.el5/kernel/net/ipv4/netfilter/
[root@seker linux-2.6.18.i686]# chmod 755 /lib/modules/2.6.18-92.el5/kernel/net/ipv4/netfilter/*.ko
13. Build and install ipp2p
[root@seker ipp2p-0.99.15]# make
[root@seker ipp2p-0.99.15]# make install
cp ipt_ipp2p.ko /lib/modules/2.6.18-92.el5/kernel/net/ipv4/netfilter/
cp libipt_ipp2p.so /lib/iptables/
depmod -a
[root@seker ipp2p-0.99.15]#
14. Install the new iptables
[root@seker iptables-1.3.8]# make BINDIR=/sbin LIBDIR=/lib MANDIR=/usr/share/man install
When this step succeeds the output contains cp *.so lines:
[code]
[root@seker iptables-1.3.8]# make BINDIR=/sbin LIBDIR=/lib MANDIR=/usr/share/man install
....
cp extensions/libipt_limit.so /lib/iptables/libipt_limit.so
....
cp extensions/libipt_layer7.so /lib/iptables/libipt_layer7.so
....
cp extensions/libipt_time.so /lib/iptables/libipt_time.so
....
rm libiptc/libip6tc.o libipq/libipq.o libiptc/libip4tc.o
[root@seker iptables-1.3.8]#
[/code]
15. Load the modules
[root@seker iptables-1.3.8]# modprobe ipt_connlimit
[root@seker iptables-1.3.8]# modprobe ipt_time
[root@seker iptables-1.3.8]# modprobe ipt_ipp2p
[root@seker iptables-1.3.8]# modprobe ipt_layer7
[root@seker iptables-1.3.8]#
[root@seker iptables-1.3.8]# lsmod |grep x_tables
x_tables 17349 7 ipt_layer7,ipt_iprange,ipt_ipp2p,ipt_time,ipt_connlimit,xt_tcpudp,ip_tables
[root@seker iptables-1.3.8]#
16. Test layer7, time and ipp2p. All the matches below sit in one rule and are ANDed together, so a packet would have to be QQ traffic, be classified by ipp2p as both generic P2P and Xunlei, come from the address range and arrive inside the time window all at once; the rule only proves that every extension parses and its module loads. For real filtering put each match in its own rule.
[root@seker iptables-1.3.8]# iptables -A FORWARD -m layer7 --l7proto qq -m time --timestart 8:00 --timestop 17:30 --days Mon,Tue,Wed,Thu,Fri -m iprange --src-range 192.168.1.5-192.168.1.239 -m ipp2p --ipp2p -m ipp2p --xunlei -j DROP
If the time match gives you trouble, use the .ko and .so from the attachment below (I have not tested them and cannot guarantee they work on your system).
http://linux.chinaunix.net/bbs/attachment.php?aid=214364
[root@seker iptables-1.3.8]#
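As an added example, not code from the original post, here is a small POSIX shell helper for the two checks the procedure above only does by eye: it derives the release string from the kernel tree's Makefile header (step 5) and compares it with `uname -r`, and before copying a freshly built .ko into /lib/modules (step 12) it verifies the module's vermagic against the running kernel and keeps a backup of any file already present instead of overwriting it blindly. The destination path, the use of `modinfo -F vermagic` and `depmod -a` from module-init-tools, and all function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the original post: sanity checks around
# "copy the freshly built ipt_*.ko into the running kernel's module tree".
# Assumptions: /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter is the
# destination, and modinfo/depmod from module-init-tools are available.

# Build "VERSION.PATCHLEVEL.SUBLEVEL<EXTRAVERSION>" from the first lines of a
# kernel Makefile; this is the release string a tree stamps into its modules.
makefile_release() {
    awk -F'=' '
        /^VERSION[ \t]*=/      { v = $2 }
        /^PATCHLEVEL[ \t]*=/   { p = $2 }
        /^SUBLEVEL[ \t]*=/     { s = $2 }
        /^EXTRAVERSION[ \t]*=/ { e = $2 }
        END {
            gsub(/[ \t]/, "", v); gsub(/[ \t]/, "", p)
            gsub(/[ \t]/, "", s); gsub(/[ \t]/, "", e)
            printf "%s.%s.%s%s\n", v, p, s, e
        }' "$1"
}

# The first word of a module's vermagic string is the kernel release it was
# built for ("2.6.18-92.el5 SMP mod_unload 686 ..." -> "2.6.18-92.el5").
vermagic_release() {
    printf '%s\n' "${1%% *}"
}

# Does this .ko carry the vermagic of the running kernel?
ko_matches_running_kernel() {
    vm=$(modinfo -F vermagic "$1") || return 1
    [ "$(vermagic_release "$vm")" = "$(uname -r)" ]
}

# Copy one module into the running kernel's netfilter directory, refusing a
# vermagic mismatch and keeping a backup of anything already there (it may be
# a file shipped by the kernel RPM).
install_netfilter_module() {
    ko="$1"
    dest="/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter"
    name=$(basename "$ko")
    if ! ko_matches_running_kernel "$ko"; then
        echo "refusing $name: vermagic does not match $(uname -r)" >&2
        return 1
    fi
    if [ -f "$dest/$name" ]; then
        cp -p "$dest/$name" "$dest/$name.orig" || return 1
        echo "kept previous $name as $name.orig" >&2
    fi
    # 0644 is enough: modules are read by the kernel, never executed as programs.
    install -m 0644 "$ko" "$dest/$name" && depmod -a
}

# Usage: sh check_modules.sh /usr/src/linux-2.6.18.i686 net/ipv4/netfilter/ipt_*.ko
# Does nothing when called without arguments, so the functions can be sourced.
if [ "$#" -ge 1 ]; then
    tree="$1"; shift
    want=$(makefile_release "$tree/Makefile")
    if [ "$want" != "$(uname -r)" ]; then
        echo "tree says $want, running kernel is $(uname -r); fix EXTRAVERSION first" >&2
        exit 1
    fi
    for ko in "$@"; do
        install_netfilter_module "$ko" || exit 1
    done
fi
```

Run it from the top of the patched source tree after step 11. Remember that anything placed under /lib/modules/2.6.18-92.el5 by hand is replaced when the kernel RPM is updated, so the whole build has to be repeated for every kernel update; the backup copies this script leaves behind make it obvious which files were touched.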
(Reply #5) The log below starts from the point where the tarballs have already been unpacked; for the earlier steps refer to the post above.
[root@seker src]# ls
backup kernels netfilter-layer7-v2.9.tar.gz
ipp2p-0.99.15 l7-protocols-2008-04-23 patch-o-matic-ng-20080918
ipp2p-0.99.15.tar.gz l7-protocols-2008-04-23.tar.gz patch-o-matic-ng-20080918.tar.bz2
iptables-1.3.8 linux-2.6.18.i686 redhat
iptables-1.3.8.tar.bz2 netfilter-layer7-v2.9
[root@seker src]# export KERNEL_DIR=/usr/src/linux-2.6.18.i686/
[root@seker src]# export IPTABLES_DIR=/usr/src/iptables-1.3.8/
[root@seker src]# cd patch-o-matic-ng-20080918
[root@seker patch-o-matic-ng-20080918]# ls
Netfilter_POM.pm patchlets README runme
patch2pom pom2patch README.newpatches sources.list
[root@seker patch-o-matic-ng-20080918]# ./runme --download
Successfully downloaded external patch geoip
Successfully downloaded external patch condition
Successfully downloaded external patch IPMARK
Successfully downloaded external patch ROUTE
Successfully downloaded external patch connlimit
Successfully downloaded external patch ipp2p
Successfully downloaded external patch time
./patchlets/ipv4options exists and is not external
./patchlets/TARPIT exists and is not external
Successfully downloaded external patch ACCOUNT
Successfully downloaded external patch pknock
Loading patchlet definitions......................... done
Excellent! Source trees are ready for compilation.
Download finished.
Apply the patchlets:
[root@seker patch-o-matic-ng-20080918]# ./runme time
Loading patchlet definitions......................... done
Welcome to Patch-o-matic ($Revision$)!
Kernel: 2.6.18, /usr/src/linux-2.6.18.i686/
Iptables: 1.3.8, /usr/src/iptables-1.3.8/
Each patch is a new feature: many have minimal impact, some do not.
Almost every one has bugs, so don't apply what you don't need!
-------------------------------------------------------
Already applied:
Testing time... not applied
The time patch:
Author: Fabrice MARIE <[email protected]>
Status: Works within its limitations
This option adds CONFIG_IP_NF_MATCH_TIME, which supplies a time match module.
This match allows you to filter based on the packet arrival time/date
(arrival time/date at the machine which the netfilter is running on) or
departure time/date (for locally generated packets).
Supported options are:
[ --timestart value ]
Match only if it is after `value' (Inclusive, format: HH:MM ; default 00:00).
[ --timestop value ]
Match only if it is before `value' (Inclusive, format: HH:MM ; default 23:59).
[ --days listofdays ]
Match only if today is one of the given days. (format: Mon,Tue,Wed,Thu,Fri,Sat,Sun ; default everyday)
[ --datestart date ]
Match only if it is after `date' (Inclusive, format: YYYY[:MM[:DD[:hh[:mm[:ss]]]]]
h,m,s start from 0 ; default to 1970)
[ --datestop date ]
Match only if it is before `date' (Inclusive, format: YYYY[:MM[:DD[:hh[:mm[:ss]]]]]
h,m,s start from 0 ; default to 2037)
Example:
-A INPUT -m time --timestart 8:00 --timestop 18:00 --days Mon,Tue,Wed,Thu,Fri
will match packets that have an arrival timestamp in the range 8:00->18:00 from Monday
to Friday.
-A OUTPUT -m time --timestart 8:00 --timestop 18:00 --days Mon --datestop 2010
will match the packets (locally generated) that have a departure timestamp
in the range 8:00->18:00 on Monday only, until 2010
NOTE: the time match does not track changes in daylight savings time
-----------------------------------------------------------------
Do you want to apply this patch [N/y/t/f/a/r/b/w/q/?] y
Excellent! Source trees are ready for compilation.
[root@seker patch-o-matic-ng-20080918]# ./runme connlimit
Loading patchlet definitions......................... done
Welcome to Patch-o-matic ($Revision$)!
Kernel: 2.6.18, /usr/src/linux-2.6.18.i686/
Iptables: 1.3.8, /usr/src/iptables-1.3.8/
Each patch is a new feature: many have minimal impact, some do not.
Almost every one has bugs, so don't apply what you don't need!
-------------------------------------------------------
Already applied:
Testing connlimit... not applied
The connlimit patch:
Author: Gerd Knorr <[email protected]>
Status: ItWorksForMe[tm]
This adds an iptables match which allows you to restrict the
number of parallel TCP connections to a server per client IP address
(or address block).
Examples:
# allow 2 telnet connections per client host
iptables -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT
# you can also match the other way around:
iptables -p tcp --syn --dport 23 -m connlimit ! --connlimit-above 2 -j ACCEPT
# limit the nr of parallel http requests to 16 per class C sized
# network (24 bit netmask)
iptables -p tcp --syn --dport 80 -m connlimit --connlimit-above 16 \
    --connlimit-mask 24 -j REJECT
-----------------------------------------------------------------
Do you want to apply this patch [N/y/t/f/a/r/b/w/q/?] y
Excellent! Source trees are ready for compilation.
[root@seker patch-o-matic-ng-20080918]# cd ../linux-2.6.18.i686/
[root@seker linux-2.6.18.i686]# patch -p1 < /usr/src/netfilter-layer7-v2.9/kernel-2.6.18-2.6.19-layer7-2.9.patch
patching file include/linux/netfilter_ipv4/ip_conntrack.h
patching file include/linux/netfilter_ipv4/ipt_layer7.h
patching file net/ipv4/netfilter/Kconfig
patching file net/ipv4/netfilter/Makefile
Hunk #1 succeeded at 66 (offset 3 lines).
patching file net/ipv4/netfilter/ip_conntrack_core.c
Hunk #1 succeeded at 338 (offset 1 line).
patching file net/ipv4/netfilter/ip_conntrack_standalone.c
Hunk #1 succeeded at 193 (offset 1 line).
patching file net/ipv4/netfilter/ipt_layer7.c
patching file net/ipv4/netfilter/regexp/regexp.c
patching file net/ipv4/netfilter/regexp/regexp.h
patching file net/ipv4/netfilter/regexp/regmagic.h
patching file net/ipv4/netfilter/regexp/regsub.c
[root@seker linux-2.6.18.i686]# cd ../iptables-1.3.8
[root@seker iptables-1.3.8]# patch -p1 < /usr/src/netfilter-layer7-v2.9/iptables-layer7-2.9.patch
patching file extensions/.layer7-test
patching file extensions/libipt_layer7.c
patching file extensions/libipt_layer7.man
[root@seker iptables-1.3.8]# chmod +x extensions/.layer7-test
[root@seker iptables-1.3.8]#
[root@seker iptables-1.3.8]# cd ../linux-2.6.18.i686/
[root@seker linux-2.6.18.i686]# make menuconfig
scripts/kconfig/mconf arch/i386/Kconfig
#
# configuration written to .config
#
*** End of Linux kernel configuration.
*** Execute 'make' to build the kernel or try 'make help'.
[root@seker linux-2.6.18.i686]# make modules_prepare
scripts/kconfig/conf -s arch/i386/Kconfig
CHK include/linux/version.h
UPD include/linux/version.h
CHK include/linux/utsrelease.h
UPD include/linux/utsrelease.h
SYMLINK include/asm -> include/asm-i386
CC arch/i386/kernel/asm-offsets.s
GEN include/asm-i386/asm-offsets.h
HOSTCC scripts/genksyms/genksyms.o
SHIPPED scripts/genksyms/lex.c
SHIPPED scripts/genksyms/parse.h
SHIPPED scripts/genksyms/keywords.c
HOSTCC scripts/genksyms/lex.o
SHIPPED scripts/genksyms/parse.c
HOSTCC scripts/genksyms/parse.o
HOSTLD scripts/genksyms/genksyms
CC scripts/mod/empty.o
HOSTCC scripts/mod/mk_elfconfig
MKELF scripts/mod/elfconfig.h
HOSTCC scripts/mod/file2alias.o
HOSTCC scripts/mod/modpost.o
HOSTCC scripts/mod/sumversion.o
HOSTLD scripts/mod/modpost
HOSTCC scripts/kallsyms
HOSTCC scripts/pnmtologo
HOSTCC scripts/conmakehash
[root@seker linux-2.6.18.i686]#
[root@seker linux-2.6.18.i686]# mv net/ipv4/netfilter/Makefile net/ipv4/netfilter/Makefile.bak
[root@seker linux-2.6.18.i686]# vi net/ipv4/netfilter/Makefile
[root@seker linux-2.6.18.i686]# cat net/ipv4/netfilter/Makefile
obj-m := ipt_connlimit.o
obj-m := ipt_time.o
obj-m := ipt_layer7.o
KDIR := /lib/modules/$(shell uname -r)/build
PWD := $(shell pwd)
default:
$(MAKE) -C $(KDIR) M=$(PWD) modules
[root@seker linux-2.6.18.i686]#
[root@seker linux-2.6.18.i686]# make M=net/ipv4/netfilter/
WARNING: Symbol version dump /usr/src/linux-2.6.18.i686/Module.symvers
is missing; modules will have no dependencies and modversions.
LD net/ipv4/netfilter/built-in.o
CC [M] net/ipv4/netfilter/ipt_layer7.o
Building modules, stage 2.
MODPOST
CC net/ipv4/netfilter/ipt_layer7.mod.o
LD [M] net/ipv4/netfilter/ipt_layer7.ko
[root@seker linux-2.6.18.i686]# vi net/ipv4/netfilter/Makefile
[root@seker linux-2.6.18.i686]# cat net/ipv4/netfilter/Makefile
obj-m := ipt_connlimit.o
obj-m := ipt_time.o
KDIR := /lib/modules/$(shell uname -r)/build
PWD := $(shell pwd)
default:
$(MAKE) -C $(KDIR) M=$(PWD) modules
[root@seker linux-2.6.18.i686]#
[root@seker linux-2.6.18.i686]# make M=net/ipv4/netfilter/
WARNING: Symbol version dump /usr/src/linux-2.6.18.i686/Module.symvers
is missing; modules will have no dependencies and modversions.
CC [M] net/ipv4/netfilter/ipt_time.o
Building modules, stage 2.
MODPOST
CC net/ipv4/netfilter/ipt_time.mod.o
LD [M] net/ipv4/netfilter/ipt_time.ko
[root@seker linux-2.6.18.i686]# vi net/ipv4/netfilter/Makefile
[root@seker linux-2.6.18.i686]# cat net/ipv4/netfilter/Makefile
obj-m := ipt_connlimit.o
KDIR := /lib/modules/$(shell uname -r)/build
PWD := $(shell pwd)
default:
$(MAKE) -C $(KDIR) M=$(PWD) modules
[root@seker linux-2.6.18.i686]#
[root@seker linux-2.6.18.i686]# make M=net/ipv4/netfilter/
WARNING: Symbol version dump /usr/src/linux-2.6.18.i686/Module.symvers
is missing; modules will have no dependencies and modversions.
CC [M] net/ipv4/netfilter/ipt_connlimit.o
Building modules, stage 2.
MODPOST
CC net/ipv4/netfilter/ipt_connlimit.mod.o
LD [M] net/ipv4/netfilter/ipt_connlimit.ko
[root@seker linux-2.6.18.i686]#
[root@seker linux-2.6.18.i686]# cp net/ipv4/netfilter/ipt_layer7.ko /lib/modules/2.6.18-92.el5/kernel/net/ipv4/netfilter/
[root@seker linux-2.6.18.i686]# cp net/ipv4/netfilter/ipt_time.ko /lib/modules/2.6.18-92.el5/kernel/net/ipv4/netfilter/
[root@seker linux-2.6.18.i686]# cp net/ipv4/netfilter/ipt_connlimit.ko /lib/modules/2.6.18-92.el5/kernel/net/ipv4/netfilter/
cp: overwrite `/lib/modules/2.6.18-92.el5/kernel/net/ipv4/netfilter/ipt_connlimit.ko'? y
[root@seker linux-2.6.18.i686]# chmod 755 /lib/modules/2.6.18-92.el5/kernel/net/ipv4/netfilter/*.ko
[root@seker linux-2.6.18.i686]# cd ..
[root@seker src]# ls
backup kernels netfilter-layer7-v2.9.tar.gz
ipp2p-0.99.15 l7-protocols-2008-04-23 patch-o-matic-ng-20080918
ipp2p-0.99.15.tar.gz l7-protocols-2008-04-23.tar.gz patch-o-matic-ng-20080918.tar.bz2
iptables-1.3.8 linux-2.6.18.i686 redhat
iptables-1.3.8.tar.bz2 netfilter-layer7-v2.9
[root@seker src]# cd ipp2p-0.99.15
[root@seker ipp2p-0.99.15]# make
make -C /lib/modules/2.6.18-92.el5/build M=/usr/src/ipp2p-0.99.15 modules
make[1]: Entering directory `/usr/src/kernels/2.6.18-92.el5-i686'
CC [M] /usr/src/ipp2p-0.99.15/ipt_ipp2p.o
Building modules, stage 2.
MODPOST
CC /usr/src/ipp2p-0.99.15/ipt_ipp2p.mod.o
LD [M] /usr/src/ipp2p-0.99.15/ipt_ipp2p.ko
make[1]: Leaving directory `/usr/src/kernels/2.6.18-92.el5-i686'
gcc -O3 -Wall -DIPTABLES_VERSION=\"1.3.8\" -I/usr/src/iptables-1.3.8/include -fPIC -c libipt_ipp2p.c
gcc -shared -o libipt_ipp2p.so libipt_ipp2p.o
[root@seker ipp2p-0.99.15]# make install
cp ipt_ipp2p.ko /lib/modules/2.6.18-92.el5/kernel/net/ipv4/netfilter/
cp libipt_ipp2p.so /lib/iptables/
depmod -a
[root@seker ipp2p-0.99.15]# cd /lib/modules/2.6.18-92.el5/
[root@seker 2.6.18-92.el5]# depmod -a
[root@seker 2.6.18-92.el5]# cd -
/usr/src/ipp2p-0.99.15
[root@seker ipp2p-0.99.15]# cd ../iptables-1.3.8
[root@seker iptables-1.3.8]#
[root@seker iptables-1.3.8]# make BINDIR=/sbin LIBDIR=/lib MANDIR=/usr/share/man install
....
cp extensions/libipt_limit.so /lib/iptables/libipt_limit.so
....
cp extensions/libipt_layer7.so /lib/iptables/libipt_layer7.so
....
cp extensions/libipt_time.so /lib/iptables/libipt_time.so
....
rm libiptc/libip6tc.o libipq/libipq.o libiptc/libip4tc.o
[root@seker iptables-1.3.8]#
Test procedure:
[root@seker iptables-1.3.8]# modprobe ipt_connlimit
[root@seker iptables-1.3.8]# modprobe ipt_time
[root@seker iptables-1.3.8]# modprobe ipt_ipp2p
[root@seker iptables-1.3.8]# modprobe ipt_layer7
[root@seker iptables-1.3.8]# lsmod | grep x_table
x_tables 17349 6 ipt_layer7,ipt_ipp2p,ipt_time,ipt_connlimit,xt_tcpudp,ip_tables
[root@seker iptables-1.3.8]#
[root@seker iptables-1.3.8]# iptables -A FORWARD -m layer7 --l7proto qq -m time --timestart 8:00 --timestop 17:30 --days Mon,Tue,Wed,Thu,Fri -m iprange --src-range 192.168.1.5-192.168.1.239 -m ipp2p --ipp2p -m ipp2p --xunlei -j DROP
[root@seker iptables-1.3.8]# iptables -A FORWARD -m layer7 --l7proto qq -m time --timestart 8:00 --timestop 17:30 --days Mon,Tue,Wed,Thu,Fri -m iprange --src-range 192.168.1.5-192.168.1.239 -m ipp2p --ipp2p -m ipp2p --xunlei -j DROP
[root@seker iptables-1.3.8]#
[root@seker iptables-1.3.8]# iptables -I FORWARD -s 192.168.1.15 -p tcp --syn --dport 80 -m connlimit --connlimit-above 3 --connlimit-mask 24 -j DROP
Note the interaction of the two options: -s 192.168.1.15 limits which packets the rule looks at, while --connlimit-mask 24 makes the count cover every connection from 192.168.1.0/24, so the budget of 3 is consumed by the whole subnet but enforced only against .15. Drop -s (or use --connlimit-mask 32) if you want a per-host limit.
[root@seker iptables-1.3.8]# iptables -xvL
Chain INPUT (policy ACCEPT 7783 packets, 1163810 bytes)
    pkts      bytes target     prot opt in     out     source               destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0          0 DROP       tcp  --  any    any     192.168.1.15         anywhere            tcp dpt:http flags:FIN,SYN,RST,ACK/SYN #conn/24 > 3
       0          0 DROP       all  --  any    any     anywhere             anywhere            LAYER7 l7proto qq TIME from 8:0 to 17:30 on Mon,Tue,Wed,Thu,Fri source IP range 192.168.1.5-192.168.1.239 ipp2p v0.99.15 --ipp2p ipp2p v0.99.15 --xunlei
       0          0 DROP       all  --  any    any     anywhere             anywhere            LAYER7 l7proto qq TIME from 8:0 to 17:30 on Mon,Tue,Wed,Thu,Fri source IP range 192.168.1.5-192.168.1.239 ipp2p v0.99.15 --ipp2p ipp2p v0.99.15 --xunlei
Chain OUTPUT (policy ACCEPT 5793 packets, 1041904 bytes)
    pkts      bytes target     prot opt in     out     source               destination
[root@seker iptables-1.3.8]#