今天遭遇到了DOS(不是DDOS,因为就是只有一个IP的fin_wait1状态最高的时候达到900多个),服务器本来就不好,时间一长,RAM全部占满,就靠SWAPFile在支撑,Load达到50几,服务无比缓慢,老是跟着那家伙更换封锁IP,我才没那个闲工夫
想加connlimit的规则,不行,iptables 报 Unknown error 4294967295,当时使用的版本是iptable 1.3.5,貌似已经配了connlimit模块
[bash]locate libipt_connlimit.so
/lib/iptables/libipt_connlimit.so
[/bash]
看来是内核不支持了,从网上查阅资料得知,从内核2.6.23开始,connlimit模块是进入内核的标配了,我现在使用的2.6.18自然不支持了
现在有两个选择
1.重新编译内核,工程量巨大
2.把connlimit编译成ko的内核模块,免去编译内核之苦
我选择了后者
内核比较老,选择patch-o-matic-ng的时候也保守一点,选择了这个
[bash]wget ftp://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot/patch-o-matic-ng-20080214.tar.bz2[bash]
#iptables自然选择1.4.4的源码了
#据说也是标配connlimit模块的
[bash]wget ftp://ftp.netfilter.org/pub/iptables/iptables-1.4.0.tar.bz2[/bash]
看一下我的内核版本
[bash]uname -r
2.6.18-194.3.1.el5[/bash]
然后tar jxvf把他们解压缩
[bash]cd ~/patch-o-matic-ng-20080214
KERNEL_DIR=/usr/src/kernels/2.6.18-194.3.1.el5-i686/ IPTABLES_DIR=~/iptables-1.4.0 ./runme --download[/bash]
下载模块
输出:
......................
Successfully downloaded external patch IPMARK
Successfully downloaded external patch ROUTE
Successfully downloaded external patch connlimit
Successfully downloaded external patch ipp2p
Successfully downloaded external patch time
......................
Successfully downloaded external patch pknock
Loading patchlet definitions....................... doneExcellent! Source trees are ready for compilation.
应用connlimit补丁到内核源代码
[bash]cd ~/patch-o-matic-ng-20080214
KERNEL_DIR=/usr/src/kernels/2.6.18-194.3.1.el5-i686/ IPTABLES_DIR=~/iptables-1.4.0 ./runme connlimit
[/bash]
输出:
Welcome to Patch-o-matic ($Revision: 6736 $)!
Kernel: 2.6.18, /usr/src/kernels/2.6.18-194.3.1.el5-i686/
Iptables: 1.4.0, /root/iptables-1.4.0
Each patch is a new feature: many have minimal impact, some do not.
Almost every one has bugs, so don't apply what you don't need!
-------------------------------------------------------
Already applied:
Testing connlimit... not applied
The connlimit patch:
Author: Gerd Knorr
Status: ItWorksForMe[tm]This adds an iptables match which allows you to restrict the
number of parallel TCP connections to a server per client IP address
(or address block).Examples:
# allow 2 telnet connections per client host
iptables -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT# you can also match the other way around:
iptables -p tcp --syn --dport 23 -m connlimit ! --connlimit-above 2 -j ACCEPT# limit the nr of parallel http requests to 16 per class C sized
# network (24 bit netmask)
iptables -p tcp --syn --dport 80 -m connlimit --connlimit-above 16 \
--connlimit-mask 24 -j REJECT
-----------------------------------------------------------------
Do you want to apply this patch [N/y/t/f/a/r/b/w/q/?] y
如果出现
unable to find ladd slot in src /tmp/pom-13609/net/ipv4/netfilter/Makefile (./patchlets/connlimit/linux-2.6/./net/ipv4/netfilter/Makefile.ladd)
说明makefile非法,重新下载更新内核源代码
Welcome to Patch-o-matic ($Revision: 6736 $)!
Kernel: 2.6.18, /usr/src/kernels/2.6.18-194.3.1.el5-i686/
Iptables: 1.4.0, /root/iptables-1.4.0
Each patch is a new feature: many have minimal impact, some do not.
Almost every one has bugs, so don't apply what you don't need!
-------------------------------------------------------
Already applied:
Testing connlimit... Reverse Test passed - assuming already applied.Excellent! Source trees are ready for compilation.
如果你这时候diff一下就能看到差别
/usr/src/kernels/2.6.18-194.3.1.el5-i686/net/ipv4/netfilter/Makefile多了一行
61d60
< obj-$(CONFIG_IP_NF_MATCH_CONNLIMIT) += ipt_connlimit.o
切换到内核目录
tips:切换到当前内核源代码目录的快捷方式
[bash]cd /usr/src/kernels/uname -r
-i686/[/bash]
也可以直接切换
[bash]cd /usr/src/kernels/2.6.18-194.3.1.el5-i686/
#更新配置文件
make oldconfig[/bash]
输出:
..............................
Connections/IP limit match support (IP_NF_MATCH_CONNLIMIT) [N/m/?] (NEW) m
..............................
#
# configuration written to .config
这里选择m,编译成内核模块
[bash]make modules_prepare[/bash]
准备编译内核模块
我可不想直接编译整个内核
修改Makefile,只编译一个模块即可
[bash]cp net/ipv4/netfilter/Makefile net/ipv4/netfilter/Makefile.bak
cat /dev/null >net/ipv4/netfilter/Makefile
nano net/ipv4/netfilter/Makefile
[/bash]
清空内容输入如下内容
obj-m := ipt_connlimit.o
KDIR := /lib/modules/$(shell uname -r)/build
PWD := $(shell pwd)default:
$(MAKE) -C $(KDIR) M=$(PWD) modules
然后
[bash]make M=net/ipv4/netfilter/[/bash]
输出:
CC [M] net/ipv4/netfilter/ipt_connlimit.o
Building modules, stage 2.
MODPOST
CC net/ipv4/netfilter/ipt_connlimit.mod.o
LD [M] net/ipv4/netfilter/ipt_connlimit.ko
那个ipt_connlimit.ko就是我们要的内核模块了
拷贝到内核模块目录
[bash]cp net/ipv4/netfilter/ipt_connlimit.ko /lib/modules/uname -r
/kernel/net/ipv4/netfilter/
#确保是 root 744权限
#应用模块
depmod -a
#加载模块
modprobe ipt_connlimit
#如果不出现FATAL: Module ipt_connlimit not found,就是加载OK了
#我们可以测试是否加载成功
lsmod |grep -c ipt_connlimit
[/bash]
下面就可以开始家规则了
顺彼岸提一句,不要忘记恢复那个makfile
[bash]cp net/ipv4/netfilter/Makefile.bak net/ipv4/netfilter/Makefile.bak[/bash]
好大的表情
;-)
test