
平台论坛博客文库

› 论坛 › 操作系统 › Linux系统管理 › centos AS 3.8/AS 4.4,/RHEL 5.2 三种版本为iptables添 ...

12 3 4 5 6 / 6 页下一页

RHEL 5.2 三种版本为iptables添加模块. 过程在5楼 [复制链接]

Seker

稍有积蓄

论坛徽章:: 0

电梯直达

1楼 [收藏(0)] [报告]

发表于 2008-09-20 17:33 |只看该作者 |倒序浏览

RHEL 5.2 kenel 2.6.18 iptable 添加模块

好多朋友没做出来,我又试了一边,没问题哦...
5楼增加了我这次做的过程.
另外说明一下..安装系统的时候选包,把开发包,开发工具选上,包的个数默认就可以

1.内核版本检查
[root@seker SRPMS]# uname -a
Linux seker 2.6.18-92.el5 #1 SMP Tue Jun 10 18:49:47 EDT 2008 i686 i686 i386 GNU/Linux

RPM 源码包下载要选择和OS内核一致的. 地址 http://rpmfind.net/linux/sourceforge/l/li/linux-ntfs/

2.下载对应源码包
[root@seker SRPMS]# ls
kernel-2.6.18-92.el5.src.rpm
[root@seker SRPMS]# pwd
/usr/src/redhat/SRPMS

3.解开rpm源码包
[root@seker SRPMS]# useradd mockbuild
[root@seker SRPMS]# rpm -ivh kernel-2.6.18-92.el5.src.rpm
1:kernel                ################ [100%]
[root@seker SRPMS]#
[root@seker SPECS]# pwd
/usr/src/redhat/SPECS
[root@seker SPECS]# ls
kernel-2.6.spec
[root@seker SPECS]# rpmbuild -bp --target=$(uname -m) ./kernel-2.6.spec
Building target platforms: i686
Building for target i686
.....
+ exit 0
[root@seker kernel-2.6.18]# pwd
/usr/src/redhat/BUILD/kernel-2.6.18
[root@seker kernel-2.6.18]# ls
config  Config.mk  linux-2.6.18.i686  vanilla  xen

4.将内核源代码cp到 /usr/src目录
[root@seker kernel-2.6.18]#  cp -a linux-2.6.18.i686/ /usr/src/
[root@seker kernel-2.6.18]#  cd /usr/src/linux-2.6.18.i686

5.修改makefile头与OS上的内核相同
[root@seker linux-2.6.18.i686]# head -n4 Makefile
VERSION = 2
PATCHLEVEL = 6
SUBLEVEL = 18
EXTRAVERSION = -92.el5
[root@seker linux-2.6.18.i686]# uname -r
2.6.18-92.el5

6.下载各种软件
[root@seker src]# wget http://ftp.netfilter.org/pub/pat ... ng-20080918.tar.bz2
[root@seker src]# wget ftp://ftp.netfilter.org/pub/iptables/iptables-1.3.8.tar.bz2
[root@seker src]# wget http://downloads.sourceforge.net ... s-2008-04-23.tar.gz
[root@seker src]# wget http://ie.archive.ubuntu.com/sou ... -layer7-v2.9.tar.gz

7.解压软件包
[root@seker src]# tar jxvf patch-o-matic-ng-20080918.tar.bz2
[root@seker src]# tar jxvf iptables-1.3.8.tar.bz2
[root@seker src]# tar zxvf l7-protocols-2008-04-23.tar.gz
[root@seker src]# tar zxvf ipp2p-0.99.15.tar.gz
[root@seker src]# tar zxvf netfilter-layer7-v2.9.tar.gz

8.设置环境变量.下载补丁
[root@seker patch-o-matic-ng-20080918]# export KERNEL_DIR=/usr/src/linux-2.6.18.i686/
[root@seker patch-o-matic-ng-20080918]# export IPTABLES_DIR=/usr/src/iptables-1.3.8/
[root@seker patch-o-matic-ng-20080918]# export KERNEL_SRC=/usr/src/linux-2.6.18.i686/
[root@seker patch-o-matic-ng-20080918]# export IPTABLES_SRC=/usr/src/iptables-1.3.8/
[root@seker patch-o-matic-ng-20080918]#
[root@seker patch-o-matic-ng-20080918]# ./runme --download
.....
Successfully downloaded external patch connlimit
Successfully downloaded external patch ipp2p
Successfully downloaded external patch time
Excellent! Source trees are ready for compilation.

自带的IPP2P不要安装..我们用最新的.到这里下载.
http://linux.chinaunix.net/bbs/thread-914377-1-2.html

[root@seker patch-o-matic-ng-20080918]# ./runme time
[root@seker patch-o-matic-ng-20080918]# ./runme connlimit

9.安装l7
[root@seker linux-2.6.18.i686]# patch -p1 < /usr/src/netfilter-layer7-v2.9/kernel-2.6.18-2.6.19-layer7-2.9.patch
[root@seker iptables-1.3.8]# patch -p1 < /usr/src/netfilter-layer7-v2.9/iptables-layer7-2.9.patch
[root@seker iptables-1.3.8]# chmod +x extensions/.layer7-test

10.编辑内核选上新添加的模块
[root@seker linux-2.6.18.i686]# make menuconfig
  Networking  --->
Networking options  --->

Network packet filtering (replaces ipchains)  --->
IP: Netfilter Configuration  --->
      <M> Layer 7 match support (EXPERIMENTAL)
      <M> TIME match support
      <M> Connections/IP limit match support

[root@seker linux-2.6.18.i686]# make modules_prepare

11.备份原来的Makefile，里面包含了原始的编译信息，直接编译会无法通过
[root@seker linux-2.6.18.i686]# mv net/ipv4/netfilter/Makefile net/ipv4/netfilter/Makefile.bak
创建新的Makefile
[root@seker linux-2.6.18.i686]# vi net/ipv4/netfilter/Makefile

obj-m := ipt_connlimit.o
obj-m := ipt_time.o
obj-m := ipt_layer7.o

KDIR := /lib/modules/$(shell uname -r)/build
PWD := $(shell pwd)

default:
$(MAKE) -C $(KDIR) M=$(PWD) modules

然后编译该模块,如果不能一次全部编译,每次在net/ipv4/netfilter/Makefile中只加一个模块,一次次编

译得出 ipt_*.ko文件.
[root@seker linux-2.6.18.i686]# make M=net/ipv4/netfilter/
LD    net/ipv4/netfilter/built-in.o
CC [M] net/ipv4/netfilter/ipt_connlimit.o
CC    net/ipv4/netfilter/ipt_connlimit.mod.o
LD [M] net/ipv4/netfilter/ipt_connlimit.ko
  CC    net/ipv4/netfilter/ipt_time.mod.o
  LD [M]  net/ipv4/netfilter/ipt_time.ko

12.cp新编译的模块到老内核
[root@seker linux-2.6.18.i686]# cp net/ipv4/netfilter/ipt_time.ko /lib/modules/2.6.18-92.el5/kernel/net/ipv4/netfilter/
[root@seker linux-2.6.18.i686]# cp net/ipv4/netfilter/ipt_layer7.ko /lib/modules/2.6.18-92.el5/kernel/net/ipv4/netfilter/
[root@seker linux-2.6.18.i686]# cp net/ipv4/netfilter/ipt_connlimit.ko /lib/modules/2.6.18-92.el5/kernel/net/ipv4/netfilter/
[root@seker linux-2.6.18.i686]# chmod 755 /lib/modules/2.6.18-92.el5/kernel/net/ipv4/netfilter/*.ko

13.安装IPP2P
[root@seker ipp2p-0.99.15]# make
[root@seker ipp2p-0.99.15]# make install
cp ipt_ipp2p.ko /lib/modules/2.6.18-92.el5/kernel/net/ipv4/netfilter/
cp libipt_ipp2p.so /lib/iptables/
depmod -a
[root@seker ipp2p-0.99.15]#

14.安装新的IPTABLE
[root@seker iptables-1.3.8]# make BINDIR=/sbin LIBDIR=/lib MANDIR=/usr/share/man install

这步成功会有 cp *.so 的日志..

[root@seker iptables-1.3.8]# make BINDIR=/sbin LIBDIR=/lib MANDIR=/usr/share/man install
....
cp extensions/libipt_limit.so /lib/iptables/libipt_limit.so
....
cp extensions/libipt_layer7.so /lib/iptables/libipt_layer7.so
....
cp extensions/libipt_time.so /lib/iptables/libipt_time.so
....
rm libiptc/libip6tc.o libipq/libipq.o libiptc/libip4tc.o
[root@seker iptables-1.3.8]#

复制代码

15.加载模块
[root@seker iptables-1.3.8]# modprobe ipt_connlimit
[root@seker iptables-1.3.8]# modprobe ipt_time
[root@seker iptables-1.3.8]# modprobe ipt_ipp2p
[root@seker iptables-1.3.8]# modprobe ipt_layer7
[root@seker iptables-1.3.8]#
[root@seker iptables-1.3.8]# lsmod |grep x_tables
x_tables             17349  7

ipt_layer7,ipt_iprange,ipt_ipp2p,ipt_time,ipt_connlimit,xt_tcpudp,ip_tables
[root@seker iptables-1.3.8]#

16.测试layer7,time,ip2p2..
[root@seker iptables-1.3.8]# iptables -A FORWARD -m layer7 --l7proto qq  -m time --timestart 8:00 --timestop 17:30 --days Mon,Tue,Wed,Thu,Fri -m iprange --src-range 192.168.1.5-192.168.1.239 -m ipp2p --ipp2p -m ipp2p --xunlei -j DROP

如果time有问题加个下面的附件里.ko .so (我没测试过,不保证可以在你的系统上使用)
http://linux.chinaunix.net/bbs/attachment.php?aid=214364
[root@seker iptables-1.3.8]#

CENTOS4.4  kernel 2.6.9  IPTABLES添加模块

1、系统安装CentOS4.4 Linux 2.6.9-42.EL默认内核
安装时选包：vi编辑器 DHCP DNS 开发工具（里面的图形支持库就不要选啦，其他三项都选，以免以后安

装软件缺东少西的）防火墙选择不安装。关闭SELINUX 配好网卡IP 开始安装系统

删掉没用的sendmail 等RPM包
# rpm -qa | grep sendmail
# service sendmail stop
# rpm -e --nodeps sendmail
# rpm -qa | grep kernel
把 kernel-smp*.rpm 和 kernel-smp-devel*.rpm 这两个包卸掉
# rpm -e --nodeps kernel-smp
# rpm -e --nodeps kernel-smp-devel
查看grub.conf 启动项就变成一项啦否则系统默认启动项是SMP多处理器的，我的机器只有一个CPU，所以就卸掉啦。
# cat /boot/grub.conf
default=1
timeout=5
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
title CentOS-4 i386-up (2.6.9-42.EL)
            root (hd0,0)
            kernel /vmlinuz-2.6.9-42.EL ro root=LABEL=/ rhgb quiet
            initrd /initrd-2.6.9-42.EL.img

重新启动系统使上面的更改都全部生效主要是使 uname –r 结果以CPU个数匹配其他修改其实可以重
新启动服务就可以完成的 service XXX restart
关闭防火墙的命令： # service iptables stop
OK 以上步骤都是在主机上做的，以后的我们就到终端SSH上去啦。

远程用SSH登陆到这台主机
修改字符集
locale 查看一下当前字符集
默认字符集是LANG="zh_CN.UTF-8"
因为我选的中文安装，因为我是用Xshell这个SSH工具登陆的
在某一目录使用 cd lskdj 就是一个不存在的目录就看到乱码啦
解决方法：
# cp /etc/sysconfig/i18n /etc/sysconfig/i18n.bak
修改前做好备份
# vi /etc/sysconfig/i18n
      将此文件里的默认内容全部删除然后加入下面这几行
            LANG="zh_CN.GB18030"
                     LANGUAGE="zh_CN.GB18030:zh_CN.GB2312:zh_CN"
                     SUPPORTED="zh_CN.GB18030:zh_CN:zh"
                     SYSFONT="lat0-sun16"
                     SYSFONTACM="8859-15"
      保存退出
然后重新用SSH登陆再用locale 命令查看一下
OK 罗嗦到此为止。开工

TFTP上传所需软件包到 /usr/src/ 目录下
ipp2p-0.8.2.tar.gz
patch-o-matic-ng-20060509
iptables-1.3.5.tar.bz2
l7-protocols-2006-10-18.tar.gz
kernel-2.6.9-42.EL.src.rpm
netfilter-layer7-v2.6.tar.gz
这里说一下因为ipp2p0.8.2不支持iptabls1.3.6 所以选用1.3.5
patch-o-matic-ng-20060509 这个补丁包里面的模块是我自己选的
在 patchlets/ 目录下把自己需要的模块留下其他删除既可
这个配置文件要保留patchlets/config
另外需要注意一点20060509这个包里的 time模块在2.6下编译时是出错的，但在2.4内核上编译就没问题

，你可以用20050801 这个包内的time模块来安装或者你就直接用这个补丁包来安装也一样，只要你找到

自己用的模块将模块放在patchlets/ 里即可
L7的就没什么说的啦都是最新的
kernel-2.6.9-42.EL.src.rpm 这个内核源码包你可以去网上下或在光盘里找

解开所有压缩包
# tar zxvf ipp2p-0.8.2.tar.gz
# tar zxvf l7-protocols-2006-10-18.tar.gz
# tar zxvf netfilter-layer7-v2.6.tar.gz
# tar xvjf iptables-1.3.5.tar.bz2
修正rpm包安装key警告问题
# rpm --import /usr/share/doc/centos-release-4/RPM-GPG-KEY*
建立内核源码包安装所需用户
# useradd  buildsvn
安装源码包考一份内核到 /usr/src/linux-2.6.9做编译使用，如果编译失败可以删除后再考新的所以

不建议做软连接操作
# rpm -ivh kernel-2.6.9-42.EL.src.rpm
# cd /usr/src/redhat/SPECS
# rpmbuild -bp --target=i686 kernel-2.6.spec
# cp -a /usr/src/redhat/BUILD/kernel-2.6.9/linux-2.6.9 /usr/src
修改拷贝的内核与当前系统内核版本一致（很重要，否则编译出来的模块不能被当前内核使用）
# cd /usrs/src/linux-2.6.9
# vi Makefile
修改 EXTRAVERSION = -prep
该成EXTRAVERSION = -42.EL
保持跟uname -r 的版本一致检测一下
# uname -r
2.6.9-42.EL
# head -n4 Makefile
VERSION = 2
PATCHLEVEL = 6
SUBLEVEL = 9
EXTRAVERSION = -42.EL

# make mrproper
该命令确保源代码目录下没有不正确的.o文件以及文件的互相依赖。
# make menuconfig
直接保存退出，生成 .config 文件。

为内核打补丁并添加模块
# cd  /usr/src/patch-o-matic-ng-20060509
设置内核和iptables的环境变量
# export KERNEL_DIR=/usr/src/linux-2.6.9
# export IPTABLES_DIR=/usr/src/iptables-1.3.5
添加模块

# ./runme time
# ./runme ipp2p
# ./runme iprange（已经自带）
其实你若明确了 patchlets/ 下的模块后
可以用 ./runme xxxx 随意字符然后它会自动到patchlets/ 下检测每一个模块提示你

添加Layer-7模块
# cd /usr/src/linux-2.6.9
# patch -p1 < /usr/src/netfilter-layer7-v2.6/for_older_kernels/kernel-2.6.9-2.6.10-layer7-

1.2.patch
# cd /usr/src/iptables-1.3.5
# patch -p1 < /usr/src/netfilter-layer7-v2.6/iptables-layer7-2.6.patch
# chmod +x extensions/.layer7-test
l7-filter模块加入完成

为内核选择新添加的模块
# cd /usr/src/linux-2.6.9
# make menuconfig
路径：Device Drivers  --->
         Networking support  --->
               Networking options  --->
                  Network packet filtering (replaces ipchains)  --->
                     IP: Netfilter Configuration  --->
新加入的模块都在这里选中新加入的模块
<M> Layer 7 match support (EXPERIMENTAL)
[ ]    Layer 7 debugging output (NEW) （这个debug 就不要选啦）
(2048)  Buffer size for application layer data (NEW)
保存退出

编译netfilter模块
　# cd /usr/src/linux-2.6.9
　# make modules_prepare
  # make M=net/ipv4/netfilter
编译完成netfilter模块后拷贝编译完成的模块到当前系统netfilter中
# \cp -f /usr/src/linux-2.6.9/net/ipv4/netfilter/*.ko /lib/modules/2.6.9-

42.EL/kernel/net/ipv4/netfilter/
# chmod +x /lib/modules/2.6.9-42.EL/kernel/net/ipv4/netfilter/*.ko
# depmod -a
安装l7协议
# cd /usr/src/l7-protocols-2006-10-18
# make install
安装新的 iptables
（这个注释不明白是什么意思）
# vi /usr/src/linux-2.6.9/include/linux/config.h
用 // 把下面的中间三行注释掉

#include <linux/autoconf.h>
//#if !defined (__KERNEL__) && !defined(__KERNGLUE__)
//#error including kernel header in userspace; use the glibc headers instead!
//#endif
#endif
保存退出

# cd /usr/src/iptables-1.3.5
# export KERNEL_DIR=/usr/src/linux-2.6.9
# export IPTABLES_DIR=/usr/src/iptables-1.3.5
保证有这两个环境变量存在（前面我们已经做过，可用 echo $ KERNEL_DIR和echo $ IPTABLES_DIR 查看

目录设置是否正确）然后安装
# make BINDIR=/sbin LIBDIR=/lib MANDIR=/usr/share/man install
更新ipp2p模块,使他支持更多的协议
# cd /usr/src/ipp2p-0.8.2
# make
备份原模块 # cp /lib/iptables/libipt_ipp2p.so /
# cp /usr/src/ipp2p-0.8.2/libipt_ipp2p.so /lib/iptables

安装白金写的域名模块
[root@ES-vcmres patchlets]# cd domain-0.0.2/
[root@ES-vcmres domain-0.0.2]# ls
ChangeLog  ipt_domain.c  ipt_domain.o    libipt_domain.o Makefile
INSTALL ipt_domain.h  libipt_domain.c  libipt_domain.so  tags

[root@ES-vcmres domain-0.0.2]# make
make -C /lib/modules/2.6.9-42.EL/build SUBDIRS=/usr/src/patch-o-matic-ng-

20060509/patchlets/domain-0.0.2 modules
make[1]: Entering directory `/usr/src/kernels/2.6.9-42.EL-i686'
  CC [M]  /usr/src/patch-o-matic-ng-20060509/patchlets/domain-0.0.2/ipt_domain.o
  Building modules, stage 2.
  MODPOST
  CC    /usr/src/patch-o-matic-ng-20060509/patchlets/domain-0.0.2/ipt_domain.mod.o
  LD [M]  /usr/src/patch-o-matic-ng-20060509/patchlets/domain-0.0.2/ipt_domain.ko
make[1]: Leaving directory `/usr/src/kernels/2.6.9-42.EL-i686'

[root@ES-vcmres domain-0.0.2]# make install
cp -rf libipt_domain.so /lib/iptables/
cp -rf ipt_domain.ko /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/
depmod -a

安装白金写的多IP模块
[root@ES-vcmres patchlets]# cd multiip/
[root@ES-vcmres multiip]# ls
INSTALL       ipt_multiip.h  libipt_multiip.c  libipt_multiip.so
ipt_multiip.c  ipt_multiip.o  libipt_multiip.o  Makefile

[root@ES-vcmres multiip]# make
make -C /lib/modules/2.6.9-42.EL/build SUBDIRS=/usr/src/patch-o-matic-ng-
........
[root@ES-vcmres multiip]# make install
cp -rf libipt_multiip.so /lib/iptables/
cp -rf ipt_multiip.ko /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/
[root@ES-vcmres multiip]# depmod -a

安装结束
测试
1、查看 iptables版本
# iptables –V
iptables v1.3.5
查看 ipp2p 版本
# iptables -m ipp2p -h | grep IPP2P
IPP2P v0.8.2 options:
2、IPP2P range
# iptables -A FORWARD -m iprange --src-range 192.168.1.2-192.168.1.254 -m ipp2p --ipp2p -j

DROP
3、layer 7 ,time ,iprange
# iptables -A FORWARD -m layer7 --l7proto qq  -m time --timestart 8:00 --timestop 17:30 --

days Mon,Tue,Wed,Thu,Fri -m iprange --src-range 192.168.1.5-192.168.1.239 -j DROP

3、白金写的域名和多IP模块测试
# iptables -A FORWARD -m domain --name "sohu.com" -j DROP
# iptables -A FORWARD -m multiip --sip 192.168.1.3,192.168.1.8,192.168.1.33 -j DROP
#

CentOS 3.8 kernel 2.4.21 Iptables添加模块

1. 安装系统。
因只做网关用，所以选包比较少，只选了编辑器里的VI，和网络里的DHCP，以及开发工具中的内核和原始

开发工具。仅此而已。
进入系统用uname –r 命令会看到2.4.21-47.Elsmp ，默认是多处理器，而我的网关是一个CPU的，所以

卸掉没用的包
# service sendmail stop
# rpm -e --nodeps kernel-smp
# rpm -e --nodeps kernel-smp-devel
# rpm -e --nodeps sendmial
修改SSH启用root登陆 vi /etc/ssh/sshd.config  启用PermitRootLogin yes
重新启动系统开始配置
# uname -r (查看当前版本)
2.4.21-47.EL
可以cd  /usr/src 查看是否有这个目录2.4.21-47.EL 和软链 linux_2.4
b. 或者查是否安装了源码包
# rpm -qa|grep kernel
kernel-source-2.4.21-47.EL
如果没有安装,可以在光盘中拷贝过来或安装  rpm -ivh kernel-source-2.4.21-47.i386.rpm. 安装后会

在/usr/src/出现linux-2.4连接和linux-2.4.21-47.EL目录.

二.安装说明
处理内核源码.
删除原有的软连接 cp副本来做如果做错以后可以从新cp 再重新做
# cp -a linux-2.4.21-47.EL/ ./linux-2.4
# cd /usr/src/linux-2.4
# vi Makefile
EXTRAVERSION = -47.EL
EXTRAVERSION = -47.ELcustom 注释这个改成上面的
# head -n4 Makefile
仔细检查一下版本与 uname -r
# make mrproper
# make menuconfig 直接保存退出
给netfilter打补丁

# cd /usr/src/patch-o-matic-ng-20060509
KERNEL_DIR=/usr/src/linux-2.4 IPTABLES_DIR=/usr/src/iptables-1.3.5 ./runme time
KERNEL_DIR=/usr/src/linux-2.4 IPTABLES_DIR=/usr/src/iptables-1.3.5 ./runme connlimit
KERNEL_DIR=/usr/src/linux-2.4 IPTABLES_DIR=/usr/src/iptables-1.3.5 ./runme iprange
KERNEL_DIR=/usr/src/linux-2.4 IPTABLES_DIR=/usr/src/iptables-1.3.5 ./runme ipp2p

加入l7-filter 模块
# cd /usr/src/linux-2.4
# patch -p1 < /usr/src/netfilter-layer7-v2.6/kernel-2.4-layer7-2.6.patch
# cd /usr/src/iptables-1.3.5
# patch -p1 < /usr/src/netfilter-layer7-v2.6/iptables-layer7-2.6.patch
# chmod +x extensions/.layer7-test
l7-filter安装结束

# cd /usr/src/linux-2.4
# make menuconfig
确认
Prompt for development and/or incomplete code/drivers要选中
然后进入Networking options
再进入IP:Netfilter Configuration 把其想要的选中为模块"M"
保存退出，给netfilter打补丁完成

编译netfilter,
# cd /usr/src/linux-2.4
# make dep
# make modules SUBDIRS=net/ipv4/netfilter

应用新的模块
# \cp -f /usr/src/linux-2.4/net/ipv4/netfilter/*.o /lib/modules/2.4.21-

47.EL/kernel/net/ipv4/netfilter/

更新modules.dep
# depmod -a
当出现错误时可以把出错的删除.
例如：rm -rf /lib/modules/2.4.21-47.EL/kernel/net/ipv4/netfilter/ipchains_core.o
depmod: *** Unresolved symbols in /lib/modules/2.4.21-

47.EL/kernel/net/ipv4/netfilter/ipchains_core.o
depmod: *** Unresolved symbols in /lib/modules/2.4.21-

47.EL/kernel/net/ipv4/netfilter/ipfwadm_core.o
直到再执行 depmod -a 不在出错

编译安装新的iptables
# cd /usr/src/iptables-1.3.5
# export KERNEL_DIR=/usr/src/linux-2.4
# export IPTABLES_DIR=/usr/src/iptables-1.3.5
# chmod +x extensions/.ipp2p-test
# make BINDIR=/sbin LIBDIR=/lib MANDIR=/usr/share/man install

安装l7-filter协议：
cd /usr/src/l7-protocols-2006-10-18
make install

更新ipp2p模块,使他支持更多的协议
# cd /usr/src/ipp2p-0.8.2
# make
备份 # cp /lib/iptables/libipt_ipp2p.so /
# cp /usr/src/ipp2p-0.8.2/libipt_ipp2p.so /lib/iptables/
# make && make install
# make && make install
# depmod -a

修正modprobe ip_nat_ftp 加载出错
A：先删除 /lib/modules/2.4.21-47.EL/kernel/net/ipv4/netfilter/ip_nat_core.o
修改/lib/modules/2.4.21-47.EL/modules.dep，找到 ip_nat_ftp行，删除含有 ip_nat_core 的

行，/lib/modules/2.4.21-47.EL/kernel/net/ipv4/ip_nat_core.o
然后再depmod -a，发现有错误，
继续删除发生错误的文件，直到depmod -a，没有错误为止

测试是否成功：
1、查看 iptables版本
# iptables -V
iptables v1.3.5

查看 ipp2p 版本
# iptables -m ipp2p -h | grep IPP2P
IPP2P v0.8.2 options:

2、IPP2P range
# iptables -A FORWARD -m iprange --src-range 192.168.1.2-192.168.1.254 -m ipp2p --ipp2p -j

DROP

3、layer 7 ,time ,iprange
# iptables -A FORWARD -m layer7 --l7proto qq  -m time --timestart 8:00 --timestop 17:30 --

days Mon,Tue,Wed,Thu,Fri -m iprange --src-range 192.168.1.5-192.168.1.239 -j DROP

测试多IP
iptables -A FORWARD -m multiip --sip 192.168.1.3,192.168.1.8,192.168.1.33 -j DROP

4、connlimit
# iptables -I FORWARD -s 192.168.1.15 -p tcp --syn --dport 80 -m connlimit --connlimit-above

3 --connlimit-mask 24 -j DROP

5、测试域名
iptables -A FORWARD -m domain --name "sohu.com" -j DROP

[ 本帖最后由 Seker 于 2009-4-27 22:45 编辑 ]

ko.zip

281.64 KB, 下载次数: 600

so.zip

18.22 KB, 下载次数: 197

文库|博客

hc_ttcm

丰衣足食

论坛徽章:: 1

2楼 [报告]

发表于 2008-09-20 18:07 |只看该作者

标记下

学习了

实战分享：从技术角度谈机器学习入门| 【大话IT】RadonDB低门槛向MySQL集群下战书 | ChinaUnix打赏功能已上线！ | 新一代分布式关系型数据库RadonDB知多少？

剑次狼

大富大贵

论坛徽章:: 0

3楼 [报告]

发表于 2008-09-20 19:52 |只看该作者

不错比较详细。LZ辛苦了

9esu

白手起家

论坛徽章:: 0

4楼 [报告]

发表于 2008-09-21 07:40 |只看该作者

能说说kernel-2.6.18-92.el5.src.rpm在哪下载吗?给个地址！
http://www.kernel.org/pub/linux/kernel/v2.6/里面就没有rpm的啊！

Seker

稍有积蓄

论坛徽章:: 0

5楼 [报告]

发表于 2008-09-22 11:18 |只看该作者

从解开压缩包后开始,前面的参考帖子.
[root@seker src]# ls
backup kernels netfilter-layer7-v2.9.tar.gz
ipp2p-0.99.15 l7-protocols-2008-04-23 patch-o-matic-ng-20080918
ipp2p-0.99.15.tar.gz l7-protocols-2008-04-23.tar.gz patch-o-matic-ng-20080918.tar.bz2
iptables-1.3.8 linux-2.6.18.i686 redhat
iptables-1.3.8.tar.bz2 netfilter-layer7-v2.9
[root@seker src]# export KERNEL_DIR=/usr/src/linux-2.6.18.i686/
[root@seker src]# export IPTABLES_DIR=/usr/src/iptables-1.3.8/
[root@seker src]# cd patch-o-matic-ng-20080918
[root@seker patch-o-matic-ng-20080918]# ls
Netfilter_POM.pm patchlets README runme
patch2pom pom2patch README.newpatches sources.list
[root@seker patch-o-matic-ng-20080918]# ./runme --download
Successfully downloaded external patch geoip
Successfully downloaded external patch condition
Successfully downloaded external patch IPMARK
Successfully downloaded external patch ROUTE
Successfully downloaded external patch connlimit
Successfully downloaded external patch ipp2p
Successfully downloaded external patch time
./patchlets/ipv4options exists and is not external
./patchlets/TARPIT exists and is not external
Successfully downloaded external patch ACCOUNT
Successfully downloaded external patch pknock
Loading patchlet definitions......................... done
Excellent! Source trees are ready for compilation.
下载完毕
安装模块
[root@seker patch-o-matic-ng-20080918]# ./runme time
Loading patchlet definitions......................... done
Welcome to Patch-o-matic ($Revision$)!
Kernel: 2.6.18, /usr/src/linux-2.6.18.i686/
Iptables: 1.3.8, /usr/src/iptables-1.3.8/
Each patch is a new feature: many have minimal impact, some do not.
Almost every one has bugs, so don't apply what you don't need!
-------------------------------------------------------
Already applied:
Testing time... not applied
The time patch:
Author: Fabrice MARIE <[email]fabrice@netfilter.org[/email]>
Status: Works within it's limitations
This option adds CONFIG_IP_NF_MATCH_TIME, which supplies a time match module.
This match allows you to filter based on the packet arrival time/date
(arrival time/date at the machine which the netfilter is running on) or
departure time/date (for locally generated packets).
Supported options are:
[ --timestart value ]
Match only if it is after `value' (Inclusive, format: HH:MM ; default 00:00).
[ --timestop value ]
Match only if it is before `value' (Inclusive, format: HH:MM ; default 23:59).
[ --days listofdays ]
Match only if today is one of the given days. (format: Mon,Tue,Wed,Thu,Fri,Sat,Sun ; default everyday)
[ --datestart date ]
Match only if it is after `date' (Inclusive, format: YYYY[:MM[:DD[:hh[:mm[:ss]]]]]
h,m,s start from 0 ; default to 1970)
[ --datestop date ]
Match only if it is before `date' (Inclusive, format: YYYY[:MM[:DD[:hh[:mm[:ss]]]]]
h,m,s start from 0 ; default to 2037)
Example:
-A INPUT -m time --timestart 8:00 --timestop 18:00 --days Mon,Tue,Wed,Thu,Fri
will match packets that have an arrival timestamp in the range 8:00->18:00 from Monday
to Friday.
-A OUTPUT -m time --timestart 8:00 --timestop 18:00 --Days Mon --date-stop 2010
will match the packets (locally generated) that have a departure timestamp
in the range 8:00->18:00 on Monday only, until 2010
NOTE: the time match does not track changes in daylight savings time
-----------------------------------------------------------------
Do you want to apply this patch [N/y/t/f/a/r/b/w/q/?] y
Excellent! Source trees are ready for compilation.
[root@seker patch-o-matic-ng-20080918]# ./runme connlimit
Loading patchlet definitions......................... done
Welcome to Patch-o-matic ($Revision$)!
Kernel: 2.6.18, /usr/src/linux-2.6.18.i686/
Iptables: 1.3.8, /usr/src/iptables-1.3.8/
Each patch is a new feature: many have minimal impact, some do not.
Almost every one has bugs, so don't apply what you don't need!
-------------------------------------------------------
Already applied:
Testing connlimit... not applied
The connlimit patch:
Author: Gerd Knorr <[email]kraxel@bytesex.org[/email]>
Status: ItWorksForMe[tm]
This adds an iptables match which allows you to restrict the
number of parallel TCP connections to a server per client IP address
(or address block).
Examples:
# allow 2 telnet connections per client host
iptables -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT
# you can also match the other way around:
iptables -p tcp --syn --dport 23 -m connlimit ! --connlimit-above 2 -j ACCEPT
# limit the nr of parallel http requests to 16 per class C sized
# network (24 bit netmask)
iptables -p tcp --syn --dport 80 -m connlimit --connlimit-above 16 \
--connlimit-mask 24 -j REJECT
-----------------------------------------------------------------
Do you want to apply this patch [N/y/t/f/a/r/b/w/q/?] y
Excellent! Source trees are ready for compilation.
[root@seker patch-o-matic-ng-20080918]# cd ../linux-2.6.18.i686/
[root@seker linux-2.6.18.i686]# patch -p1 < /usr/src/netfilter-layer7-v2.9/kernel-2.6.18-2.6.19-layer7-2.9.patch
patching file include/linux/netfilter_ipv4/ip_conntrack.h
patching file include/linux/netfilter_ipv4/ipt_layer7.h
patching file net/ipv4/netfilter/Kconfig
patching file net/ipv4/netfilter/Makefile
Hunk #1 succeeded at 66 (offset 3 lines).
patching file net/ipv4/netfilter/ip_conntrack_core.c
Hunk #1 succeeded at 338 (offset 1 line).
patching file net/ipv4/netfilter/ip_conntrack_standalone.c
Hunk #1 succeeded at 193 (offset 1 line).
patching file net/ipv4/netfilter/ipt_layer7.c
patching file net/ipv4/netfilter/regexp/regexp.c
patching file net/ipv4/netfilter/regexp/regexp.h
patching file net/ipv4/netfilter/regexp/regmagic.h
patching file net/ipv4/netfilter/regexp/regsub.c
[root@seker linux-2.6.18.i686]# cd ../iptables-1.3.8
[root@seker iptables-1.3.8]# patch -p1 < /usr/src/netfilter-layer7-v2.9/iptables-layer7-2.9.patch
patching file extensions/.layer7-test
patching file extensions/libipt_layer7.c
patching file extensions/libipt_layer7.man
[root@seker iptables-1.3.8]# chmod +x extensions/.layer7-test
[root@seker iptables-1.3.8]#
[root@seker iptables-1.3.8]# cd ../linux-2.6.18.i686/
[root@seker linux-2.6.18.i686]# make menuconfig
scripts/kconfig/mconf arch/i386/Kconfig
#
# configuration written to .config
#
*** End of Linux kernel configuration.
*** Execute 'make' to build the kernel or try 'make help'.
[root@seker linux-2.6.18.i686]# make modules_prepare
scripts/kconfig/conf -s arch/i386/Kconfig
CHK include/linux/version.h
UPD include/linux/version.h
CHK include/linux/utsrelease.h
UPD include/linux/utsrelease.h
SYMLINK include/asm -> include/asm-i386
CC arch/i386/kernel/asm-offsets.s
GEN include/asm-i386/asm-offsets.h
HOSTCC scripts/genksyms/genksyms.o
SHIPPED scripts/genksyms/lex.c
SHIPPED scripts/genksyms/parse.h
SHIPPED scripts/genksyms/keywords.c
HOSTCC scripts/genksyms/lex.o
SHIPPED scripts/genksyms/parse.c
HOSTCC scripts/genksyms/parse.o
HOSTLD scripts/genksyms/genksyms
CC scripts/mod/empty.o
HOSTCC scripts/mod/mk_elfconfig
MKELF scripts/mod/elfconfig.h
HOSTCC scripts/mod/file2alias.o
HOSTCC scripts/mod/modpost.o
HOSTCC scripts/mod/sumversion.o
HOSTLD scripts/mod/modpost
HOSTCC scripts/kallsyms
HOSTCC scripts/pnmtologo
HOSTCC scripts/conmakehash
[root@seker linux-2.6.18.i686]#
[root@seker linux-2.6.18.i686]# mv net/ipv4/netfilter/Makefile net/ipv4/netfilter/Makefile.bak
[root@seker linux-2.6.18.i686]# vi net/ipv4/netfilter/Makefile
[root@seker linux-2.6.18.i686]# cat net/ipv4/netfilter/Makefile
obj-m := ipt_connlimit.o
obj-m := ipt_time.o
obj-m := ipt_layer7.o
KDIR := /lib/modules/$(shell uname -r)/build
PWD := $(shell pwd)
default:
$(MAKE) -C $(KDIR) M=$(PWD) modules
[root@seker linux-2.6.18.i686]#
[root@seker linux-2.6.18.i686]# make M=net/ipv4/netfilter/
WARNING: Symbol version dump /usr/src/linux-2.6.18.i686/Module.symvers
is missing; modules will have no dependencies and modversions.
LD net/ipv4/netfilter/built-in.o
CC [M] net/ipv4/netfilter/ipt_layer7.o
Building modules, stage 2.
MODPOST
CC net/ipv4/netfilter/ipt_layer7.mod.o
LD [M] net/ipv4/netfilter/ipt_layer7.ko
[root@seker linux-2.6.18.i686]# vi net/ipv4/netfilter/Makefile
[root@seker linux-2.6.18.i686]# cat net/ipv4/netfilter/Makefile
obj-m := ipt_connlimit.o
obj-m := ipt_time.o
KDIR := /lib/modules/$(shell uname -r)/build
PWD := $(shell pwd)
default:
$(MAKE) -C $(KDIR) M=$(PWD) modules
[root@seker linux-2.6.18.i686]#
[root@seker linux-2.6.18.i686]# make M=net/ipv4/netfilter/
WARNING: Symbol version dump /usr/src/linux-2.6.18.i686/Module.symvers
is missing; modules will have no dependencies and modversions.
CC [M] net/ipv4/netfilter/ipt_time.o
Building modules, stage 2.
MODPOST
CC net/ipv4/netfilter/ipt_time.mod.o
LD [M] net/ipv4/netfilter/ipt_time.ko
[root@seker linux-2.6.18.i686]# vi net/ipv4/netfilter/Makefile
[root@seker linux-2.6.18.i686]# cat net/ipv4/netfilter/Makefile
obj-m := ipt_connlimit.o
KDIR := /lib/modules/$(shell uname -r)/build
PWD := $(shell pwd)
default:
$(MAKE) -C $(KDIR) M=$(PWD) modules
[root@seker linux-2.6.18.i686]#
[root@seker linux-2.6.18.i686]# make M=net/ipv4/netfilter/
WARNING: Symbol version dump /usr/src/linux-2.6.18.i686/Module.symvers
is missing; modules will have no dependencies and modversions.
CC [M] net/ipv4/netfilter/ipt_connlimit.o
Building modules, stage 2.
MODPOST
CC net/ipv4/netfilter/ipt_connlimit.mod.o
LD [M] net/ipv4/netfilter/ipt_connlimit.ko
[root@seker linux-2.6.18.i686]#
[root@seker linux-2.6.18.i686]# cp net/ipv4/netfilter/ipt_layer7.ko /lib/modules/2.6.18-92.el5/kernel/net/ipv4/netfilter/
[root@seker linux-2.6.18.i686]# cp net/ipv4/netfilter/ipt_time.ko /lib/modules/2.6.18-92.el5/kernel/net/ipv4/netfilter/
[root@seker linux-2.6.18.i686]# cp net/ipv4/netfilter/ipt_connlimit.ko /lib/modules/2.6.18-92.el5/kernel/net/ipv4/netfilter/
cp：是否覆盖“/lib/modules/2.6.18-92.el5/kernel/net/ipv4/netfilter/ipt_connlimit.ko”? y
[root@seker linux-2.6.18.i686]# chmod 755 /lib/modules/2.6.18-92.el5/kernel/net/ipv4/netfilter/*.ko
[root@seker linux-2.6.18.i686]# cd ..
[root@seker src]# ls
backup kernels netfilter-layer7-v2.9.tar.gz
ipp2p-0.99.15 l7-protocols-2008-04-23 patch-o-matic-ng-20080918
ipp2p-0.99.15.tar.gz l7-protocols-2008-04-23.tar.gz patch-o-matic-ng-20080918.tar.bz2
iptables-1.3.8 linux-2.6.18.i686 redhat
iptables-1.3.8.tar.bz2 netfilter-layer7-v2.9
[root@seker src]# cd ipp2p-0.99.15
[root@seker ipp2p-0.99.15]# make
make -C /lib/modules/2.6.18-92.el5/build M=/usr/src/ipp2p-0.99.15 modules
make[1]: Entering directory `/usr/src/kernels/2.6.18-92.el5-i686'
CC [M] /usr/src/ipp2p-0.99.15/ipt_ipp2p.o
Building modules, stage 2.
MODPOST
CC /usr/src/ipp2p-0.99.15/ipt_ipp2p.mod.o
LD [M] /usr/src/ipp2p-0.99.15/ipt_ipp2p.ko
make[1]: Leaving directory `/usr/src/kernels/2.6.18-92.el5-i686'
gcc -O3 -Wall -DIPTABLES_VERSION=\"1.3.8\" -I/usr/src/iptables-1.3.8/include -fPIC -c libipt_ipp2p.c
gcc -shared -o libipt_ipp2p.so libipt_ipp2p.o
[root@seker ipp2p-0.99.15]# make install
cp ipt_ipp2p.ko /lib/modules/2.6.18-92.el5/kernel/net/ipv4/netfilter/
cp libipt_ipp2p.so /lib/iptables/
depmod -a
[root@seker ipp2p-0.99.15]# cd /lib/modules/2.6.18-92.el5/
[root@seker 2.6.18-92.el5]# depmod -a
[root@seker 2.6.18-92.el5]# cd -
/usr/src/ipp2p-0.99.15
[root@seker ipp2p-0.99.15]# cd ../iptables-1.3.8
[root@seker iptables-1.3.8]#
[root@seker iptables-1.3.8]# make BINDIR=/sbin LIBDIR=/lib MANDIR=/usr/share/man install
....
cp extensions/libipt_limit.so /lib/iptables/libipt_limit.so
....
cp extensions/libipt_layer7.so /lib/iptables/libipt_layer7.so
....
cp extensions/libipt_time.so /lib/iptables/libipt_time.so
....
rm libiptc/libip6tc.o libipq/libipq.o libiptc/libip4tc.o
[root@seker iptables-1.3.8]#
测试过程:
[root@seker iptables-1.3.8]# modprobe ipt_connlimit
[root@seker iptables-1.3.8]# modprobe ipt_time
[root@seker iptables-1.3.8]# modprobe ipt_ipp2p
[root@seker iptables-1.3.8]# modprobe ipt_layer7
[root@seker iptables-1.3.8]# lsmod | grep x_table
x_tables 17349 6 ipt_layer7,ipt_ipp2p,ipt_time,ipt_connlimit,xt_tcpudp,ip_tables
[root@seker iptables-1.3.8]#
[root@seker iptables-1.3.8]# iptables -A FORWARD -m layer7 --l7proto qq -m time --timestart 8:00 --timestop 17:30 --days Mon,Tue,Wed,Thu,Fri -m iprange --src-range 192.168.1.5-192.168.1.239 -m ipp2p --ipp2p -m ipp2p --xunlei -j DROP
[root@seker iptables-1.3.8]# iptables -A FORWARD -m layer7 --l7proto qq -m time --timestart 8:00 --timestop 17:30 --days Mon,Tue,Wed,Thu,Fri -m iprange --src-range 192.168.1.5-192.168.1.239 -m ipp2p --ipp2p -m ipp2p --xunlei -j DROP
[root@seker iptables-1.3.8]#
[root@seker iptables-1.3.8]# iptables -I FORWARD -s 192.168.1.15 -p tcp --syn --dport 80 -m connlimit --connlimit-above 3 --connlimit-mask 24 -j DROP
[root@seker iptables-1.3.8]# iptables -xvL
Chain INPUT (policy ACCEPT 7783 packets, 1163810 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- any any 192.168.1.15 anywhere tcp dpt:http flags:FIN,SYN,RST,ACK/SYN #conn/24 > 3
0 0 DROP all -- any any anywhere anywhere LAYER7 l7proto qq TIME from 8:0 to 17:30 on Mon,Tue,Wed,Thu,Fri source IP range 192.168.1.5-192.168.1.239 ipp2p v0.99.15 --ipp2p ipp2p v0.99.15 --xunlei
0 0 DROP all -- any any anywhere anywhere LAYER7 l7proto qq TIME from 8:0 to 17:30 on Mon,Tue,Wed,Thu,Fri source IP range 192.168.1.5-192.168.1.239 ipp2p v0.99.15 --ipp2p ipp2p v0.99.15 --xunlei
Chain OUTPUT (policy ACCEPT 5793 packets, 1041904 bytes)
pkts bytes target prot opt in out source destination
[root@seker iptables-1.3.8]#

复制代码

[ 本帖最后由 Seker 于 2008-9-27 16:17 编辑 ]

hc_ttcm

丰衣足食

论坛徽章:: 1

6楼 [报告]

发表于 2008-09-22 15:17 |只看该作者

报告楼主
[root@seker SPECS]# rpmbuild -bp --target=$(uname -m) ./kernel-2.6.spec
命令错误
运行 rpmbuild -bp --target=i686 ./kernel-2.6.spec
OK

chenyx

版主

论坛徽章:: 381

7楼 [报告]

发表于 2008-09-22 22:13 |只看该作者

不错,LZ辛苦,收藏先

root0

白手起家

论坛徽章:: 0

8楼 [报告]

发表于 2008-09-23 17:02 |只看该作者

好文章 !
详细!!

参照rhel 5.2的,在centos 5.2编译成功

10.编辑内核选上新添加的模块
[root@seker iptables-1.3.8]# make menuconfig
Networking --->
Networking options --->
指出一个小小的错误.路径应该是内核路径.

iptables运行没问题,就是time不能匹配秒.
楼主共享的,运行后,iptables -L看不到时间.

gearfox

白手起家

论坛徽章:: 0

9楼 [报告]

发表于 2008-09-24 13:57 |只看该作者

楼主你太棒了

这个文章收藏了。。。。。。

gearfox

白手起家

论坛徽章:: 0

10楼 [报告]

发表于 2008-09-24 15:36 |只看该作者

我运行
rpmbuild -bp --target=$(uname -m) ./kernel-2.6.spec
或者
rpmbuild -bp --target=i686 ./kernel-2.6.spec
都会出现
Building target platforms: i686
Building for target i686
error: Failed build dependencies:
redhat-rpm-config is needed by kernel-2.6.18-92.1.10.el5.i686

因为我当时yum update系统内核到kernel-2.6.18-92.1.10.el5.i686
下载的rpm包也是kernel-2.6.18-92.1.10.el5.i686的

为什么会出现这个错误呢？该怎么排错呢？

12 3 4 5 6 / 6 页下一页

返回列表

Chinaunix › 论坛 › 操作系统 › Linux系统管理 › centos AS 3.8/AS 4.4,/RHEL 5.2 三种版本为iptables添 ...