²»±àÒëÄں˼ÓÔØconnlimitÄ£¿é
|
#exportÿKERNEL_DIR=/usr/src/kernels/
#./runme --download
Successfully downloaded external patch geoip
Successfully downloaded external patch condition
Successfully downloaded external patch IPMARK
Successfully downloaded external patch ROUTE
Successfully downloaded external patch connlimit
Successfully downloaded external patch ipp2p
Successfully downloaded external patch time
./patchlets/ipv4options exists and is not external
./patchlets/TARPIT exists and is not external
Successfully downloaded external patch ACCOUNT
Successfully downloaded external patch pknock
Loading patchlet definitions......................... done
Excellent! Source trees are ready for compilation.
|
|
#export KERNEL_DIR=/usr/src/kernels/
#export IPTABLES_DIR=/root/iptables-
#./runme connlimit
Loading patchlet definitions......................... done
Welcome to Patch-o-matic ($Revision: 6736 $)!
Kernel:
Iptables:
Each patch is a new feature: many have minimal impact, some do not.
Almost every one has bugs, so don't apply what you don't need!
-------------------------------------------------------
Already applied:
Testing connlimit... not applied
The connlimit patch:
Author: Gerd Knorr <kraxel@bytesex.org>
Status: ItWorksForMe[tm]
This adds an iptables match which allows you to restrict the
number of parallel TCP connections to a server per client IP address
(or address block).
Examples:
# allow 2 telnet connections per client host
iptables -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT
# you can also match the other way around:
iptables -p tcp --syn --dport 23 -m connlimit ! --connlimit-above 2 -j ACCEPT
# limit the nr of parallel http requests to 16 per class C sized
# network (24 bit netmask)
iptables -p tcp --syn --dport 80 -m connlimit --connlimit-above 16 \
--connlimit-mask 24 -j REJECT
-----------------------------------------------------------------
Do you want to apply this patch [N/y/t/f/a/r/b/w/q/?] y
Excellent! Source trees are ready for compilation.
|
|
[root@connlimit
HOSTCC scripts/kconfig/conf.o
HOSTCC scripts/kconfig/kxgettext.o
HOSTCC scripts/kconfig/mconf.o
HOSTCC scripts/kconfig/zconf.tab.o
HOSTLD scripts/kconfig/conf
scripts/kconfig/conf -o arch/i386/Kconfig
*
* Linux Kernel Configuration
*
*
* Code maturity level options
*
Prompt for development and/or incomplete code/drivers (EXPERIMENTAL) [Y/n/?] y
…………………………………………………………………………………………………………
Ê¡ÂÔ´óÁ¿Êä³ö
…………………………………………………………………………………………………………
* ARP tables support (IP_NF_ARPTABLES) [M/n/?] m
ARP packet filtering (IP_NF_ARPFILTER) [M/n/?] m
ARP payload mangling (IP_NF_ARP_MANGLE) [M/n/?] m
Connections/IP limit match support (IP_NF_MATCH_CONNLIMIT) [N/m/?] (NEW) m
*
* IPv6: Netfilter Configuration (EXPERIMENTAL)
*
IP6 Userspace queueing via NETLINK (OBSOLETE) (IP6_NF_QUEUE) [M/n/?] m
…………………………………………………………………………………………………………
Ê¡ÂÔ´óÁ¿Êä³ö
…………………………………………………………………………………………………………
* General setup
*
#
# configuration written to .config
#
|
|
#vi net/ipv4/netfilter/Makefile
|
|
obj-m := ipt_connlimit.o
KDIR := /lib/modules/$(shell uname -r)/build
PWD := $(shell pwd)
default:
$(MAKE) -C $(KDIR) M=$(PWD) modules
|
|
[root@connlimit
LD net/ipv4/netfilter/built-in.o
CC [M] net/ipv4/netfilter/ipt_connlimit.o
Building modules, stage 2.
MODPOST
CC net/ipv4/netfilter/ipt_connlimit.mod.o
LD [M] net/ipv4/netfilter/ipt_connlimit.ko
|
|
#cp net/ipv4/netfilter/ipt_connlimit.ko /lib/modules/
#chmod 744 /lib/modules/
|
|
# depmod –a
|
|
#modprobe ipt_connlimit
|
|
[root@connlimit
ipt_connlimit 7680 0
ip_conntrack 53153 1 ipt_connlimit
nfnetlink 10713 1 ip_conntrack
ipv6 251137 12
ipt_REJECT 9537 0
x_tables 17349 3 ipt_connlimit,ipt_REJECT,xt_tcpudp
|
|
[root@connlimit
|
 |
 |
 djyou¡¢win_linux |
2ÈË |
ÁËÕâƪÎÄÕ |
ÉçÇø£º
WARNING: Symbol version dump /usr/src/linux-2.6.18.i686/Module.symvers
is missing; modules will have no dependencies and modversions.
make[1]: *** ûÓйæÔò¿ÉÒÔ´´½¨¡°net/ipv4/netfilter/ipt_connlimit.o¡±ÐèÒªµÄÄ¿±ê¡°net/ipv4/netfilter/ipt_connlimit.c¡±¡£ Í£Ö¹¡£
make: *** [_module_net/ipv4/netfilter] ´íÎó 2
°´ÕÕÄãµÄÎĵµÎªÊ²Ã´³öÏÖÕâ¸öÇé¿öàÅ£¿