
Linux: limiting the number of connections from a single IP to a port

iptables can limit the number of connections a single client IP may hold to a port; this requires the iptables connlimit module. Choose the limit with care, because some visitors may be Internet café users, many of whom share one address. The module is not installed by default, so it has to be built and installed first. The complete installation steps follow:
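As an added example (not from the original article), the following Python model shows how the connlimit match counts connections per source address, how --connlimit-mask widens the count to a whole network, and the iptables rule that corresponds to it. The connection list is constructed sample data, and the counting logic is a simplified model, not the kernel module's code.

```python
import ipaddress

# Constructed snapshot of tracked TCP connections: (source_ip, dest_port).
# 203.0.113.10 holds three connections (for example several cafe users
# behind one NAT address); two neighbours in the same /24 hold one each.
TRACKED = [
    ("203.0.113.10", 80), ("203.0.113.10", 80), ("203.0.113.10", 80),
    ("203.0.113.11", 80), ("203.0.113.12", 80),
    ("198.51.100.7", 80), ("198.51.100.7", 22),
]


def connlimit_count(conns, saddr, dport, mask=32):
    """Number of tracked connections to dport whose source lies in the
    same /mask network as saddr. mask=32 counts one IP; mask=24 counts
    the whole class-C sized network, as --connlimit-mask 24 does."""
    net = ipaddress.ip_network(f"{saddr}/{mask}", strict=False)
    return sum(1 for ip, port in conns
               if port == dport and ipaddress.ip_address(ip) in net)


def connlimit_above(conns, saddr, dport, limit, mask=32):
    """Model of '-m connlimit --connlimit-above <limit>': the new
    connection from saddr is counted as well, and the match fires when
    the total exceeds limit (so the rule's -j REJECT/DROP applies)."""
    return connlimit_count(conns, saddr, dport, mask) + 1 > limit


def connlimit_rule(dport, limit, mask=32, action="REJECT"):
    """Render the iptables rule enforcing this limit on new (SYN)
    connections; mask=24 shares the limit across each /24."""
    return (f"iptables -I INPUT -p tcp --syn --dport {dport} "
            f"-m connlimit --connlimit-above {limit} "
            f"--connlimit-mask {mask} -j {action}")


if __name__ == "__main__":
    # Per-IP limit of 3: the busy address is blocked, its neighbours are not.
    for ip in ("203.0.113.10", "203.0.113.11"):
        print(ip, "per-IP blocked:", connlimit_above(TRACKED, ip, 80, 3))
    # With --connlimit-mask 24 the whole network shares the 3 slots, so an
    # almost idle neighbour is blocked too; size the limit with that in mind.
    print("203.0.113.11 /24 blocked:",
          connlimit_above(TRACKED, "203.0.113.11", 80, 3, mask=24))
    print(connlimit_rule(80, 20))
```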

Download the packages and extract them


# wget ftp://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot/patch-o-matic-ng-20080214.tar.bz2
# wget ftp://ftp.netfilter.org/pub/iptables/iptables-1.4.0.tar.bz2
# tar xjf iptables-1.4.0.tar.bz2
# tar xjf patch-o-matic-ng-20080214.tar.bz2
Download the connlimit module


# cd /…/patch-o-matic-ng-20080214
# KERNEL_DIR=/usr/src/kernels/2.6.18-128.el5-x86_64/ IPTABLES_DIR=/usr/iptablestest/iptables-1.4.0 ./runme -download
Successfully downloaded external patch geoip
Successfully downloaded external patch condition
Successfully downloaded external patch IPMARK
Successfully downloaded external patch ROUTE
Successfully downloaded external patch connlimit
Successfully downloaded external patch ipp2p
Successfully downloaded external patch time
./patchlets/ipv4options exists and is not external
./patchlets/TARPIT exists and is not external
Successfully downloaded external patch ACCOUNT
Successfully downloaded external patch pknock
Hey! KERNEL_DIR is not set.
Where is your kernel source directory? [/usr/src/linux] /usr/src/kernels/2.6.18-128.el5-x86_64
Hey! IPTABLES_DIR is not set.
Where is your iptables source code directory? [/usr/src/iptables] /usr/iptablestest/iptables-1.4.0
Loading patchlet definitions……………………. done

Excellent! Source trees are ready for compilation.
Apply the connlimit patch to the kernel


# KERNEL_DIR=/usr/src/kernels/2.6.18-128.el5-x86_64 IPTABLES_DIR=/usr/iptablestest/iptables-1.4.0 ./runme connlimit
Loading patchlet definitions……………………. done
……
—————————————————————–
Do you want to apply this patch [N/y/t/f/a/r/b/w/q/?] y
Excellent! Source trees are ready for compilation.
When asked whether to apply the patch, answer y.

Configure and compile the kernel


# cd /usr/src/kernels/2.6.18-128.el5-x86_64/
# make oldconfig
HOSTCC scripts/kconfig/conf.o
HOSTCC scripts/kconfig/kxgettext.o
HOSTCC scripts/kconfig/mconf.o
HOSTCC scripts/kconfig/zconf.tab.o
HOSTLD scripts/kconfig/conf
scripts/kconfig/conf -o arch/i386/Kconfig
*
* Linux Kernel Configuration
*
……

ARP payload mangling (IP_NF_ARP_MANGLE) [M/n/?] m
Connections/IP limit match support (IP_NF_MATCH_CONNLIMIT) [N/m/?] (NEW) m
……
When the prompt for the newly added connlimit option appears, asking whether it should be compiled into the kernel, enter "m" to build it as a module.
(Note: you can also use # make menuconfig and, in the menu that appears, select Networking --> Networking options --> Network packet filtering (replaces ipchains) --> IP: Netfilter Configuration --> Connections/IP limit match support, either as a module or built into the kernel. If you cannot find this item, the patch in the previous step was not applied successfully.)


# make modules_prepare
scripts/kconfig/conf -s arch/i386/Kconfig
CHK include/linux/version.h
CHK include/linux/utsrelease.h
HOSTCC scripts/genksyms/genksyms.o
HOSTCC scripts/genksyms/lex.o
HOSTCC scripts/genksyms/parse.o
HOSTLD scripts/genksyms/genksyms
CC scripts/mod/empty.o
MKELF scripts/mod/elfconfig.h
HOSTCC scripts/mod/file2alias.o
HOSTCC scripts/mod/modpost.o
HOSTCC scripts/mod/sumversion.o
HOSTLD scripts/mod/modpost
Back up the original Makefile; it contains the original in-tree build rules, and building with it directly will not succeed.


# mv net/ipv4/netfilter/Makefile net/ipv4/netfilter/Makefile.bak

Create a new Makefile (note that the recipe line under default: must be indented with a tab, as make requires)


# vi net/ipv4/netfilter/Makefile

obj-m := ipt_connlimit.o

KDIR := /lib/modules/$(shell uname -r)/build
PWD := $(shell pwd)

default:
	$(MAKE) -C $(KDIR) M=$(PWD) modules

Build the module


# make M=net/ipv4/netfilter/
LD net/ipv4/netfilter/built-in.o
CC [M] net/ipv4/netfilter/ipt_connlimit.o
Building modules, stage 2.
MODPOST
CC net/ipv4/netfilter/ipt_connlimit.mod.o
LD [M] net/ipv4/netfilter/ipt_connlimit.ko
Copy the generated .ko module to its destination and set its permissions


# cp net/ipv4/netfilter/ipt_connlimit.ko /lib/modules/2.6.18-128.el5/kernel/net/ipv4/netfilter/
# chmod 744 /lib/modules/2.6.18-128.el5/kernel/net/ipv4/netfilter/ipt_connlimit.ko
The module build is complete.

Test and apply the module


# depmod -a
Load the connlimit module


# modprobe ipt_connlimit
Check whether it loaded successfully

Copyright © Linux教程網 All Rights Reserved