Starting from the point where the tarballs have already been unpacked; see the earlier reference post for the steps before that.
[root@seker src]# ls
backup kernels netfilter-layer7-v2.9.tar.gz
ipp2p-0.99.15 l7-protocols-2008-04-23 patch-o-matic-ng-20080918
ipp2p-0.99.15.tar.gz l7-protocols-2008-04-23.tar.gz patch-o-matic-ng-20080918.tar.bz2
iptables-1.3.8 linux-2.6.18.i686 redhat
iptables-1.3.8.tar.bz2 netfilter-layer7-v2.9
[root@seker src]# export KERNEL_DIR=/usr/src/linux-2.6.18.i686/
[root@seker src]# export IPTABLES_DIR=/usr/src/iptables-1.3.8/
[root@seker src]# cd patch-o-matic-ng-20080918
[root@seker patch-o-matic-ng-20080918]# ls
Netfilter_POM.pm patchlets README runme
patch2pom pom2patch README.newpatches sources.list
[root@seker patch-o-matic-ng-20080918]# ./runme --download
Successfully downloaded external patch geoip
Successfully downloaded external patch condition
Successfully downloaded external patch IPMARK
Successfully downloaded external patch ROUTE
Successfully downloaded external patch connlimit
Successfully downloaded external patch ipp2p
Successfully downloaded external patch time
./patchlets/ipv4options exists and is not external
./patchlets/TARPIT exists and is not external
Successfully downloaded external patch ACCOUNT
Successfully downloaded external patch pknock
Loading patchlet definitions......................... done
Excellent! Source trees are ready for compilation.
Download finished.
Install the modules:
[root@seker patch-o-matic-ng-20080918]# ./runme time
Loading patchlet definitions......................... done
Welcome to Patch-o-matic ($Revision$)!
Kernel: 2.6.18, /usr/src/linux-2.6.18.i686/
Iptables: 1.3.8, /usr/src/iptables-1.3.8/
Each patch is a new feature: many have minimal impact, some do not.
Almost every one has bugs, so don't apply what you don't need!
-------------------------------------------------------
Already applied:
Testing time... not applied
The time patch:
Author: Fabrice MARIE <fabrice@netfilter.org>
Status: Works within it's limitations
This option adds CONFIG_IP_NF_MATCH_TIME, which supplies a time match module.
This match allows you to filter based on the packet arrival time/date
(arrival time/date at the machine which the netfilter is running on) or
departure time/date (for locally generated packets).
Supported options are:
[ --timestart value ]
Match only if it is after `value' (Inclusive, format: HH:MM ; default 00:00).
[ --timestop value ]
Match only if it is before `value' (Inclusive, format: HH:MM ; default 23:59).
[ --days listofdays ]
Match only if today is one of the given days. (format: Mon,Tue,Wed,Thu,Fri,Sat,Sun ; default everyday)
[ --datestart date ]
Match only if it is after `date' (Inclusive, format: YYYY[:MM[:DD[:hh[:mm[:ss]]]]]
h,m,s start from 0 ; default to 1970)
[ --datestop date ]
Match only if it is before `date' (Inclusive, format: YYYY[:MM[:DD[:hh[:mm[:ss]]]]]
h,m,s start from 0 ; default to 2037)
Example:
-A INPUT -m time --timestart 8:00 --timestop 18:00 --days Mon,Tue,Wed,Thu,Fri
will match packets that have an arrival timestamp in the range 8:00->18:00 from Monday
to Friday.
-A OUTPUT -m time --timestart 8:00 --timestop 18:00 --Days Mon --date-stop 2010
will match the packets (locally generated) that have a departure timestamp
in the range 8:00->18:00 on Monday only, until 2010
NOTE: the time match does not track changes in daylight savings time
-----------------------------------------------------------------
Do you want to apply this patch [N/y/t/f/a/r/b/w/q/?] y
Excellent! Source trees are ready for compilation.
[root@seker patch-o-matic-ng-20080918]# ./runme connlimit
Loading patchlet definitions......................... done
Welcome to Patch-o-matic ($Revision$)!
Kernel: 2.6.18, /usr/src/linux-2.6.18.i686/
Iptables: 1.3.8, /usr/src/iptables-1.3.8/
Each patch is a new feature: many have minimal impact, some do not.
Almost every one has bugs, so don't apply what you don't need!
-------------------------------------------------------
Already applied:
Testing connlimit... not applied
The connlimit patch:
Author: Gerd Knorr <kraxel@bytesex.org>
Status: ItWorksForMe[tm]
This adds an iptables match which allows you to restrict the
number of parallel TCP connections to a server per client IP address
(or address block).
Examples:
# allow 2 telnet connections per client host
iptables -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT
# you can also match the other way around:
iptables -p tcp --syn --dport 23 -m connlimit ! --connlimit-above 2 -j ACCEPT
# limit the nr of parallel http requests to 16 per class C sized
# network (24 bit netmask)
iptables -p tcp --syn --dport 80 -m connlimit --connlimit-above 16 \
--connlimit-mask 24 -j REJECT
-----------------------------------------------------------------
Do you want to apply this patch [N/y/t/f/a/r/b/w/q/?] y
Excellent! Source trees are ready for compilation.
[root@seker patch-o-matic-ng-20080918]# cd ../linux-2.6.18.i686/
[root@seker linux-2.6.18.i686]# patch -p1 < /usr/src/netfilter-layer7-v2.9/kernel-2.6.18-2.6.19-layer7-2.9.patch
patching file include/linux/netfilter_ipv4/ip_conntrack.h
patching file include/linux/netfilter_ipv4/ipt_layer7.h
patching file net/ipv4/netfilter/Kconfig
patching file net/ipv4/netfilter/Makefile
Hunk #1 succeeded at 66 (offset 3 lines).
patching file net/ipv4/netfilter/ip_conntrack_core.c
Hunk #1 succeeded at 338 (offset 1 line).
patching file net/ipv4/netfilter/ip_conntrack_standalone.c
Hunk #1 succeeded at 193 (offset 1 line).
patching file net/ipv4/netfilter/ipt_layer7.c
patching file net/ipv4/netfilter/regexp/regexp.c
patching file net/ipv4/netfilter/regexp/regexp.h
patching file net/ipv4/netfilter/regexp/regmagic.h
patching file net/ipv4/netfilter/regexp/regsub.c
[root@seker linux-2.6.18.i686]# cd ../iptables-1.3.8
[root@seker iptables-1.3.8]# patch -p1 < /usr/src/netfilter-layer7-v2.9/iptables-layer7-2.9.patch
patching file extensions/.layer7-test
patching file extensions/libipt_layer7.c
patching file extensions/libipt_layer7.man
[root@seker iptables-1.3.8]# chmod +x extensions/.layer7-test
[root@seker iptables-1.3.8]#
[root@seker iptables-1.3.8]# cd ../linux-2.6.18.i686/
[root@seker linux-2.6.18.i686]# make menuconfig
scripts/kconfig/mconf arch/i386/Kconfig
#
# configuration written to .config
#
*** End of Linux kernel configuration.
*** Execute 'make' to build the kernel or try 'make help'.
[root@seker linux-2.6.18.i686]# make modules_prepare
scripts/kconfig/conf -s arch/i386/Kconfig
CHK include/linux/version.h
UPD include/linux/version.h
CHK include/linux/utsrelease.h
UPD include/linux/utsrelease.h
SYMLINK include/asm -> include/asm-i386
CC arch/i386/kernel/asm-offsets.s
GEN include/asm-i386/asm-offsets.h
HOSTCC scripts/genksyms/genksyms.o
SHIPPED scripts/genksyms/lex.c
SHIPPED scripts/genksyms/parse.h
SHIPPED scripts/genksyms/keywords.c
HOSTCC scripts/genksyms/lex.o
SHIPPED scripts/genksyms/parse.c
HOSTCC scripts/genksyms/parse.o
HOSTLD scripts/genksyms/genksyms
CC scripts/mod/empty.o
HOSTCC scripts/mod/mk_elfconfig
MKELF scripts/mod/elfconfig.h
HOSTCC scripts/mod/file2alias.o
HOSTCC scripts/mod/modpost.o
HOSTCC scripts/mod/sumversion.o
HOSTLD scripts/mod/modpost
HOSTCC scripts/kallsyms
HOSTCC scripts/pnmtologo
HOSTCC scripts/conmakehash
[root@seker linux-2.6.18.i686]#
[root@seker linux-2.6.18.i686]# mv net/ipv4/netfilter/Makefile net/ipv4/netfilter/Makefile.bak
[root@seker linux-2.6.18.i686]# vi net/ipv4/netfilter/Makefile
[root@seker linux-2.6.18.i686]# cat net/ipv4/netfilter/Makefile
obj-m := ipt_connlimit.o
obj-m := ipt_time.o
obj-m := ipt_layer7.o
KDIR := /lib/modules/$(shell uname -r)/build
PWD := $(shell pwd)
default:
	$(MAKE) -C $(KDIR) M=$(PWD) modules
[root@seker linux-2.6.18.i686]#
[root@seker linux-2.6.18.i686]# make M=net/ipv4/netfilter/
WARNING: Symbol version dump /usr/src/linux-2.6.18.i686/Module.symvers
is missing; modules will have no dependencies and modversions.
LD net/ipv4/netfilter/built-in.o
CC [M] net/ipv4/netfilter/ipt_layer7.o
Building modules, stage 2.
MODPOST
CC net/ipv4/netfilter/ipt_layer7.mod.o
LD [M] net/ipv4/netfilter/ipt_layer7.ko
[root@seker linux-2.6.18.i686]# vi net/ipv4/netfilter/Makefile
[root@seker linux-2.6.18.i686]# cat net/ipv4/netfilter/Makefile
obj-m := ipt_connlimit.o
obj-m := ipt_time.o
KDIR := /lib/modules/$(shell uname -r)/build
PWD := $(shell pwd)
default:
	$(MAKE) -C $(KDIR) M=$(PWD) modules
[root@seker linux-2.6.18.i686]#
[root@seker linux-2.6.18.i686]# make M=net/ipv4/netfilter/
WARNING: Symbol version dump /usr/src/linux-2.6.18.i686/Module.symvers
is missing; modules will have no dependencies and modversions.
CC [M] net/ipv4/netfilter/ipt_time.o
Building modules, stage 2.
MODPOST
CC net/ipv4/netfilter/ipt_time.mod.o
LD [M] net/ipv4/netfilter/ipt_time.ko
[root@seker linux-2.6.18.i686]# vi net/ipv4/netfilter/Makefile
[root@seker linux-2.6.18.i686]# cat net/ipv4/netfilter/Makefile
obj-m := ipt_connlimit.o
KDIR := /lib/modules/$(shell uname -r)/build
PWD := $(shell pwd)
default:
	$(MAKE) -C $(KDIR) M=$(PWD) modules
[root@seker linux-2.6.18.i686]#
[root@seker linux-2.6.18.i686]# make M=net/ipv4/netfilter/
WARNING: Symbol version dump /usr/src/linux-2.6.18.i686/Module.symvers
is missing; modules will have no dependencies and modversions.
CC [M] net/ipv4/netfilter/ipt_connlimit.o
Building modules, stage 2.
MODPOST
CC net/ipv4/netfilter/ipt_connlimit.mod.o
LD [M] net/ipv4/netfilter/ipt_connlimit.ko
[root@seker linux-2.6.18.i686]#
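The reason the Makefile above had to be edited and rebuilt three times is that each `obj-m :=` line replaces the previous value, so only the last module listed is ever built. An added example of the same file written with `+=`, which builds all three modules in one pass (this is my corrected version, not the Makefile from the post):

```makefile
# Added example: one kbuild fragment for all three modules (not the post's file).
# ':=' replaces the whole obj-m list, so the post's three ':=' lines left only
# ipt_layer7.o in it; '+=' appends, and a single make produces all three .ko.
obj-m += ipt_connlimit.o
obj-m += ipt_time.o
obj-m += ipt_layer7.o

# Only used when make is run directly in this directory; the post instead runs
# 'make M=net/ipv4/netfilter/' from the kernel tree, where kbuild needs just
# the obj-m lines above.
KDIR := /lib/modules/$(shell uname -r)/build
PWD  := $(shell pwd)

default:
	$(MAKE) -C $(KDIR) M=$(PWD) modules
```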
[root@seker linux-2.6.18.i686]# cp net/ipv4/netfilter/ipt_layer7.ko /lib/modules/2.6.18-92.el5/kernel/net/ipv4/netfilter/
[root@seker linux-2.6.18.i686]# cp net/ipv4/netfilter/ipt_time.ko /lib/modules/2.6.18-92.el5/kernel/net/ipv4/netfilter/
[root@seker linux-2.6.18.i686]# cp net/ipv4/netfilter/ipt_connlimit.ko /lib/modules/2.6.18-92.el5/kernel/net/ipv4/netfilter/
cp:是否覆盖“/lib/modules/2.6.18-92.el5/kernel/net/ipv4/netfilter/ipt_connlimit.ko”? y
[root@seker linux-2.6.18.i686]# chmod 755 /lib/modules/2.6.18-92.el5/kernel/net/ipv4/netfilter/*.ko
[root@seker linux-2.6.18.i686]# cd ..
[root@seker src]# ls
backup kernels netfilter-layer7-v2.9.tar.gz
ipp2p-0.99.15 l7-protocols-2008-04-23 patch-o-matic-ng-20080918
ipp2p-0.99.15.tar.gz l7-protocols-2008-04-23.tar.gz patch-o-matic-ng-20080918.tar.bz2
iptables-1.3.8 linux-2.6.18.i686 redhat
iptables-1.3.8.tar.bz2 netfilter-layer7-v2.9
[root@seker src]# cd ipp2p-0.99.15
[root@seker ipp2p-0.99.15]# make
make -C /lib/modules/2.6.18-92.el5/build M=/usr/src/ipp2p-0.99.15 modules
make[1]: Entering directory `/usr/src/kernels/2.6.18-92.el5-i686'
CC [M] /usr/src/ipp2p-0.99.15/ipt_ipp2p.o
Building modules, stage 2.
MODPOST
CC /usr/src/ipp2p-0.99.15/ipt_ipp2p.mod.o
LD [M] /usr/src/ipp2p-0.99.15/ipt_ipp2p.ko
make[1]: Leaving directory `/usr/src/kernels/2.6.18-92.el5-i686'
gcc -O3 -Wall -DIPTABLES_VERSION=\"1.3.8\" -I/usr/src/iptables-1.3.8/include -fPIC -c libipt_ipp2p.c
gcc -shared -o libipt_ipp2p.so libipt_ipp2p.o
[root@seker ipp2p-0.99.15]# make install
cp ipt_ipp2p.ko /lib/modules/2.6.18-92.el5/kernel/net/ipv4/netfilter/
cp libipt_ipp2p.so /lib/iptables/
depmod -a
[root@seker ipp2p-0.99.15]# cd /lib/modules/2.6.18-92.el5/
[root@seker 2.6.18-92.el5]# depmod -a
[root@seker 2.6.18-92.el5]# cd -
/usr/src/ipp2p-0.99.15
[root@seker ipp2p-0.99.15]# cd ../iptables-1.3.8
[root@seker iptables-1.3.8]#
[root@seker iptables-1.3.8]# make BINDIR=/sbin LIBDIR=/lib MANDIR=/usr/share/man install
....
cp extensions/libipt_limit.so /lib/iptables/libipt_limit.so
....
cp extensions/libipt_layer7.so /lib/iptables/libipt_layer7.so
....
cp extensions/libipt_time.so /lib/iptables/libipt_time.so
....
rm libiptc/libip6tc.o libipq/libipq.o libiptc/libip4tc.o
[root@seker iptables-1.3.8]#
Test run:
[root@seker iptables-1.3.8]# modprobe ipt_connlimit
[root@seker iptables-1.3.8]# modprobe ipt_time
[root@seker iptables-1.3.8]# modprobe ipt_ipp2p
[root@seker iptables-1.3.8]# modprobe ipt_layer7
[root@seker iptables-1.3.8]# lsmod | grep x_table
x_tables 17349 6 ipt_layer7,ipt_ipp2p,ipt_time,ipt_connlimit,xt_tcpudp,ip_tables
[root@seker iptables-1.3.8]#
[root@seker iptables-1.3.8]# iptables -A FORWARD -m layer7 --l7proto qq -m time --timestart 8:00 --timestop 17:30 --days Mon,Tue,Wed,Thu,Fri -m iprange --src-range 192.168.1.5-192.168.1.239 -m ipp2p --ipp2p -m ipp2p --xunlei -j DROP
[root@seker iptables-1.3.8]# iptables -A FORWARD -m layer7 --l7proto qq -m time --timestart 8:00 --timestop 17:30 --days Mon,Tue,Wed,Thu,Fri -m iprange --src-range 192.168.1.5-192.168.1.239 -m ipp2p --ipp2p -m ipp2p --xunlei -j DROP
[root@seker iptables-1.3.8]#
[root@seker iptables-1.3.8]# iptables -I FORWARD -s 192.168.1.15 -p tcp --syn --dport 80 -m connlimit --connlimit-above 3 --connlimit-mask 24 -j DROP
[root@seker iptables-1.3.8]# iptables -xvL
Chain INPUT (policy ACCEPT 7783 packets, 1163810 bytes)
 pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
 0 0 DROP tcp -- any any 192.168.1.15 anywhere tcp dpt:http flags:FIN,SYN,RST,ACK/SYN #conn/24 > 3
 0 0 DROP all -- any any anywhere anywhere LAYER7 l7proto qq TIME from 8:0 to 17:30 on Mon,Tue,Wed,Thu,Fri source IP range 192.168.1.5-192.168.1.239 ipp2p v0.99.15 --ipp2p ipp2p v0.99.15 --xunlei
 0 0 DROP all -- any any anywhere anywhere LAYER7 l7proto qq TIME from 8:0 to 17:30 on Mon,Tue,Wed,Thu,Fri source IP range 192.168.1.5-192.168.1.239 ipp2p v0.99.15 --ipp2p ipp2p v0.99.15 --xunlei
Chain OUTPUT (policy ACCEPT 5793 packets, 1041904 bytes)
 pkts bytes target prot opt in out source destination
[root@seker iptables-1.3.8]#
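Two points the listing above does not make visible, shown with an added shell script that is not part of the post: all `-m` matches in one iptables rule are ANDed, so the rule combining layer7 qq, ipp2p and xunlei only fires on a packet that satisfies all three at once (one rule per application is needed for the intended effect), and the same rule was appended twice. The script emits one rule per application sharing the post's time window and source range, and flags duplicate rule bodies in an `iptables -xvL` listing; `SRC_RANGE`, `WINDOW`, the function names and the sample listing (copied from the post) are my additions.

```shell
#!/bin/sh
# Added example (not from the post). (1) Matches in one rule are ANDed, so the
# post's single rule needs layer7 qq AND ipp2p AND xunlei on the same packet;
# emit one rule per application instead. (2) Flag rules appended twice.

SRC_RANGE='192.168.1.5-192.168.1.239'                    # values from the post
WINDOW='-m time --timestart 8:00 --timestop 17:30 --days Mon,Tue,Wed,Thu,Fri'

# rule MATCHSPEC: print one complete FORWARD rule sharing the window and range
rule() {
    printf 'iptables -A FORWARD -m iprange --src-range %s %s %s -j DROP\n' \
        "$SRC_RANGE" "$WINDOW" "$1"
}

# build_rules: one rule per application instead of one conjunctive rule
build_rules() {
    rule '-m layer7 --l7proto qq'
    rule '-m ipp2p --ipp2p'
    rule '-m ipp2p --xunlei'
}

# find_duplicates: read an 'iptables -xvL' listing on stdin and print each
# rule body that occurs more than once in a chain (pkts/bytes counters dropped).
find_duplicates() {
    awk '
        /^Chain /        { chain = $2; next }           # new chain starts
        /^ *pkts +bytes/ { next }                       # column header
        NF == 0          { next }
        { $1 = ""; $2 = ""; key = chain ":" $0          # strip the counters
          if (++seen[key] == 2) print key }
    '
}

# Constructed sample: the FORWARD chain exactly as listed in the post.
SAMPLE_LISTING='Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
 0 0 DROP tcp -- any any 192.168.1.15 anywhere tcp dpt:http flags:FIN,SYN,RST,ACK/SYN #conn/24 > 3
 0 0 DROP all -- any any anywhere anywhere LAYER7 l7proto qq TIME from 8:0 to 17:30 on Mon,Tue,Wed,Thu,Fri source IP range 192.168.1.5-192.168.1.239 ipp2p v0.99.15 --ipp2p ipp2p v0.99.15 --xunlei
 0 0 DROP all -- any any anywhere anywhere LAYER7 l7proto qq TIME from 8:0 to 17:30 on Mon,Tue,Wed,Thu,Fri source IP range 192.168.1.5-192.168.1.239 ipp2p v0.99.15 --ipp2p ipp2p v0.99.15 --xunlei'

# duplicate_count: number of duplicated rule bodies in the sample listing
duplicate_count() {
    printf '%s\n' "$SAMPLE_LISTING" | find_duplicates | wc -l | tr -d ' '
}

build_rules        # dry run: prints the three commands; pipe to sh to apply
duplicate_count    # prints 1 for the sample above
```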
[ This post was last edited by Seker on 2008-9-27 16:17 ]