Compiling the connlimit module for the 2.6.18 kernel on CentOS 5


Today I ran into a DoS (not a DDoS: it came from a single IP, whose connections in FIN_WAIT1 peaked at more than 900). The server was weak to begin with; after a while RAM was completely full and it was surviving on the swap file, load reached 50-something and the service crawled. I wasn't going to keep chasing that guy around, blocking one IP after another.
I wanted to add a connlimit rule, but it failed: iptables reported "Unknown error 4294967295". The version in use was iptables 1.3.5, which apparently already had the connlimit extension built in.

So the kernel was the part that lacked support. From what I found online, connlimit has been a standard part of the kernel since 2.6.23, so the 2.6.18 I'm running naturally doesn't have it.
That leaves two options:

1. Rebuild the kernel, which is a huge job.
2. Build connlimit as a standalone .ko kernel module and skip rebuilding the kernel.

I went with the second.
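Before taking either route it is worth confirming that the kernel really is the missing half. The 4294967295 in the error is 0xFFFFFFFF, i.e. -1 printed as an unsigned number, the usual sign that userspace iptables knows the match but the kernel side cannot supply it. The following added example (not from the original post) turns the "2.6.23 or newer" rule into a check on a distro-style version string, and looks for a connlimit module file for the running kernel; the function names are my own.

```shell
#!/bin/sh
# Added example: decide whether the running kernel should already carry the
# connlimit match (merged upstream in 2.6.23) and whether a module for it is
# actually available, before blaming the iptables userspace side.

# connlimit_in_mainline VERSION
# Returns 0 when VERSION is >= 2.6.23, 1 otherwise. Accepts release strings
# such as "2.6.18-194.3.1.el5" by stripping everything after the first "-".
connlimit_in_mainline() {
    ver=${1%%-*}            # "2.6.18-194.3.1.el5" -> "2.6.18"
    maj=${ver%%.*}          # "2"
    rest=${ver#*.}          # "6.18"
    min=${rest%%.*}         # "6"
    case "$rest" in
        *.*) pat=${rest#*.}; pat=${pat%%.*} ;;   # "18"
        *)   pat=0 ;;                            # "2.6" has no patch level
    esac
    # Compare component by component, numerically (so 2.6.9 < 2.6.23).
    if [ "$maj" -gt 2 ]; then return 0; fi
    if [ "$maj" -lt 2 ]; then return 1; fi
    if [ "$min" -gt 6 ]; then return 0; fi
    if [ "$min" -lt 6 ]; then return 1; fi
    [ "$pat" -ge 23 ]
}

# connlimit_module_available [KVER]
# Returns 0 if a connlimit module (old ipt_ name or newer xt_ name) is
# installed for the kernel version given (default: the running one).
# This touches /lib/modules, so it only says something useful on the box.
connlimit_module_available() {
    kver=${1:-$(uname -r)}
    for name in ipt_connlimit xt_connlimit; do
        if [ -n "$(find "/lib/modules/$kver" -name "$name.ko" 2>/dev/null)" ]; then
            return 0
        fi
    done
    return 1
}

# Stand-alone use: report what the running kernel looks like.
kver=$(uname -r)
if connlimit_in_mainline "$kver"; then
    echo "$kver: connlimit is in-tree, check that the module is loaded"
elif connlimit_module_available "$kver"; then
    echo "$kver: out-of-tree connlimit module is installed"
else
    echo "$kver: no connlimit module for this kernel, it has to be built"
fi
```

Run it as a plain user; only the module lookup needs the real /lib/modules tree, and the version check works on any string you paste in.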

Since the kernel is fairly old, I was conservative in choosing a patch-o-matic-ng release and picked this one:

Check my kernel version:

Then extract them with tar jxvf.

Download the patchlets.
Output:

......................
Successfully downloaded external patch IPMARK
Successfully downloaded external patch ROUTE
Successfully downloaded external patch connlimit
Successfully downloaded external patch ipp2p
Successfully downloaded external patch time
......................
Successfully downloaded external patch pknock
Loading patchlet definitions....................... done

Excellent! Source trees are ready for compilation.

Apply the connlimit patch to the kernel source.

Output:

Welcome to Patch-o-matic ($Revision: 6736 $)!

Kernel: 2.6.18, /usr/src/kernels/2.6.18-194.3.1.el5-i686/
Iptables: 1.4.0, /root/iptables-1.4.0
Each patch is a new feature: many have minimal impact, some do not.
Almost every one has bugs, so don't apply what you don't need!
-------------------------------------------------------
Already applied:
Testing connlimit... not applied
The connlimit patch:
Author: Gerd Knorr
Status: ItWorksForMe[tm]

This adds an iptables match which allows you to restrict the
number of parallel TCP connections to a server per client IP address
(or address block).

Examples:

# allow 2 telnet connections per client host
iptables -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT

# you can also match the other way around:
iptables -p tcp --syn --dport 23 -m connlimit ! --connlimit-above 2 -j ACCEPT

# limit the nr of parallel http requests to 16 per class C sized
# network (24 bit netmask)
iptables -p tcp --syn --dport 80 -m connlimit --connlimit-above 16 \
--connlimit-mask 24 -j REJECT
-----------------------------------------------------------------
Do you want to apply this patch [N/y/t/f/a/r/b/w/q/?] y

If you see

unable to find ladd slot in src /tmp/pom-13609/net/ipv4/netfilter/Makefile (./patchlets/connlimit/linux-2.6/./net/ipv4/netfilter/Makefile.ladd)

it means the Makefile is not one the patch can work with; download the updated kernel source again.

Welcome to Patch-o-matic ($Revision: 6736 $)!

Kernel: 2.6.18, /usr/src/kernels/2.6.18-194.3.1.el5-i686/
Iptables: 1.4.0, /root/iptables-1.4.0
Each patch is a new feature: many have minimal impact, some do not.
Almost every one has bugs, so don't apply what you don't need!
-------------------------------------------------------
Already applied:
Testing connlimit... Reverse Test passed - assuming already applied.

Excellent! Source trees are ready for compilation.

If you run diff at this point you can see the difference:
/usr/src/kernels/2.6.18-194.3.1.el5-i686/net/ipv4/netfilter/Makefile has gained one line:

61d60
< obj-$(CONFIG_IP_NF_MATCH_CONNLIMIT) += ipt_connlimit.o

Change into the kernel directory.
Tip: a shortcut for changing into the source directory of the currently running kernel:

You can also cd there directly.

Output:

..............................
Connections/IP limit match support (IP_NF_MATCH_CONNLIMIT) [N/m/?] (NEW) m
..............................
#
# configuration written to .config

Choose m here, so it is built as a kernel module.

Preparing to build the kernel module.
I have no intention of building the whole kernel;
editing the Makefile so that only this one module is built is enough.

Clear its contents and enter the following:

# build only ipt_connlimit as an out-of-tree module
obj-m := ipt_connlimit.o

# kernel-devel tree of the running kernel, and the directory holding this Makefile
KDIR := /lib/modules/$(shell uname -r)/build
PWD := $(shell pwd)

# the recipe line must be indented with a tab, not spaces
default:
	$(MAKE) -C $(KDIR) M=$(PWD) modules

Then run make.

Output:

CC [M] net/ipv4/netfilter/ipt_connlimit.o
Building modules, stage 2.
MODPOST
CC net/ipv4/netfilter/ipt_connlimit.mod.o
LD [M] net/ipv4/netfilter/ipt_connlimit.ko

That ipt_connlimit.ko is the kernel module we were after.
Copy it into the kernel module directory.

Now you can start adding rules.
One more thing: don't forget to restore that Makefile.
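The single-module build, the install and the Makefile restore as one script. This is an added example, not the commands from the original post; it assumes the patched tree is the kernel-devel directory at /lib/modules/$(uname -r)/build (KDIR), that the patch already dropped ipt_connlimit.c into net/ipv4/netfilter there, and that /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter exists for the install. The recipe_tabs_ok function catches the one thing that silently breaks a pasted Makefile: a recipe line indented with spaces instead of a tab.

```shell
#!/bin/sh
# Added example: build only ipt_connlimit.ko against the installed
# kernel-devel tree, install it, and put the patched Makefile back afterwards.
set -e

KDIR=${KDIR:-/lib/modules/$(uname -r)/build}   # assumption: kernel-devel tree
SUBDIR=net/ipv4/netfilter

# Emit the single-module Makefile. printf '\t' guarantees the recipe line
# starts with a real tab, which make requires ("missing separator" otherwise).
emit_module_makefile() {
    printf 'obj-m := ipt_connlimit.o\n\n'
    printf 'KDIR := /lib/modules/$(shell uname -r)/build\n'
    printf 'PWD := $(shell pwd)\n\n'
    printf 'default:\n'
    printf '\t$(MAKE) -C $(KDIR) M=$(PWD) modules\n'
}

# recipe_tabs_ok FILE
# Returns 0 if every non-empty line that follows a "target:" line begins
# with a tab, 1 otherwise.
recipe_tabs_ok() {
    awk 'prev_target && $0 !~ /^\t/ && $0 !~ /^$/ { bad = 1 }
         { prev_target = ($0 ~ /^[A-Za-z_][A-Za-z0-9_]*:/) }
         END { exit bad ? 1 : 0 }' "$1"
}

# build_tree_ready DIR
# kernel-devel must be installed and the tree configured (.config present),
# otherwise "make -C" fails with a far less obvious message.
build_tree_ready() {
    [ -f "$1/Makefile" ] && [ -f "$1/.config" ]
}

build_and_install() {
    build_tree_ready "$KDIR" || { echo "no configured kernel source at $KDIR" >&2; return 1; }
    cd "$KDIR/$SUBDIR"
    [ -f Makefile.orig ] || cp Makefile Makefile.orig   # keep the patched original
    emit_module_makefile > Makefile
    recipe_tabs_ok Makefile
    make -C "$KDIR" M="$KDIR/$SUBDIR" modules            # only ipt_connlimit.o is built
    install -m 644 ipt_connlimit.ko "/lib/modules/$(uname -r)/kernel/$SUBDIR/"
    depmod -a                                           # so modprobe can find it
    modprobe ipt_connlimit
    mv Makefile.orig Makefile                           # restore, as the post reminds
    lsmod | grep '^ipt_connlimit'
}

# Stand-alone use (as root): build_and_install
```

Sourcing the file defines the functions without building anything; calling build_and_install as root does the whole sequence and leaves the patched Makefile exactly as the patch left it.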
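A rule set for the situation described at the top of the post, one source opening hundreds of connections to a single service. This is an added example, not the rules from the original post; the port, the thresholds and the 192.0.2.0/24 management range are constructed assumptions, and the function names are mine. It keeps the post's `-p tcp --syn` form, so only new connection attempts are judged and established connections are left alone, adds a whitelist before the limits, logs at a bounded rate before rejecting, and uses the `--connlimit-mask 24` variant from the patch description for the per-/24 case.

```shell
#!/bin/sh
# Added example: connlimit rules for one service port, with a whitelist,
# rate-limited logging and per-IP plus per-/24 limits. Values are assumptions.

CL_PORT=${CL_PORT:-80}
CL_PER_IP_MAX=${CL_PER_IP_MAX:-20}       # parallel connections per client IP
CL_PER_NET_MAX=${CL_PER_NET_MAX:-100}    # parallel connections per /24 block
CL_MGMT_NET=${CL_MGMT_NET:-192.0.2.0/24} # constructed example range, never limited

# connlimit_rules: print the iptables commands, one per line, in the order
# they must run. The whitelist RETURN comes first so management hosts are
# never counted against the limit; LOG is rate-limited so a flood cannot
# fill the log; REJECT with tcp-reset frees the client side immediately.
connlimit_rules() {
    chain="CONNLIMIT_$CL_PORT"
    cat <<EOF
iptables -N $chain
iptables -A $chain -s $CL_MGMT_NET -j RETURN
iptables -A $chain -p tcp -m connlimit --connlimit-above $CL_PER_IP_MAX -m limit --limit 6/min -j LOG --log-prefix "connlimit-ip: "
iptables -A $chain -p tcp -m connlimit --connlimit-above $CL_PER_IP_MAX -j REJECT --reject-with tcp-reset
iptables -A $chain -p tcp -m connlimit --connlimit-above $CL_PER_NET_MAX --connlimit-mask 24 -j REJECT --reject-with tcp-reset
iptables -I INPUT -p tcp --syn --dport $CL_PORT -j $chain
EOF
}

# connlimit_rule_count: number of commands the rule set contains.
connlimit_rule_count() {
    connlimit_rules | grep -c '^iptables '
}

# apply_rules (root): make sure the module is loaded, then run the commands.
# With the 2.6.18 module built above, "Unknown error 4294967295" at this
# point means the module is not loaded, not that the rule is wrong.
apply_rules() {
    lsmod | grep -q '^ipt_connlimit' || modprobe ipt_connlimit
    connlimit_rules | sh -e
    iptables -L INPUT -n -v | head -n 3   # show the new jump at the top of INPUT
}

# Stand-alone use: preview the commands without touching the firewall.
connlimit_rules
```

Running the script prints the rule set; calling apply_rules as root installs it. connlimit counts the connections conntrack currently holds for the source, so the per-IP threshold should sit comfortably above what one legitimate client opens in parallel.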

Author Info:
  • From: Compiling the connlimit module for the 2.6.18 kernel on CentOS 5
  • URL: http://blog.ihipop.info/2010/06/1288.html
  • Please keep this link, thanks!