Adding the iptables connlimit module on RHEL 5 / RHEL 5.1 without recompiling the kernel.
System environment and related software packages
Operating system: Red Hat Enterprise Linux Server release 5 (kernel 2.6.18-53.el5)
Kernel source path: /usr/src/kernels/2.6.18-53.el5-i686
iptables-1.4.0.tar.bz2  # download point: www.netfilter.org -- only its source tree is needed; it is not installed
patch-o-matic-ng-20080214.tar.bz2  # download point: www.kernel.org
Current environment
[root@RAID5 ~]# iptables
iptables v1.3.5: no command specified
Try `iptables -h' or 'iptables --help' for more information.
[root@RAID5 ~]# cd /usr/src/kernels/2.6.18-53.el5-i686/
[root@RAID5 2.6.18-53.el5-i686]# ls
arch     fs       kabi_whitelist  mm              scripts   usr
block    include  kernel          Module.kabi     security
crypto   init     lib             Module.symvers  sound
drivers  ipc      Makefile        net             symsets-2.6.18-53.el5.tar.gz
Compilation process:
[root@RAID5 2.6.18-53.el5-i686]# cd /root/
[root@RAID5 ~]# ls
anaconda-ks.cfg  Desktop  install.log  install.log.syslog
Obtain the installation packages and unpack them (in the /root directory)
[root@RAID5 ~]# wget ftp://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot/patch-o-matic-ng-20080214.tar.bz2
09:57:18 (58.8 KB/s) - `patch-o-matic-ng-20080214.tar.bz2' saved [137661]
[root@RAID5 ~]# wget ftp://ftp.netfilter.org/pub/iptables/iptables-1.4.0.tar.bz2
09:57:33 (106 KB/s) - `iptables-1.4.0.tar.bz2' saved [181610]
[root@RAID5 ~]# tar xjf iptables-1.4.0.tar.bz2
[root@RAID5 ~]# tar xjf patch-o-matic-ng-20080214.tar.bz2
Download the connlimit patchlet
[root@RAID5 ~]# cd /root/patch-o-matic-ng-20080214
The kernel and iptables source directories can be given directly on the command line:
# KERNEL_DIR=/usr/src/kernels/2.6.18-53.el5-i686/ IPTABLES_DIR=/root/iptables-1.4.0 ./runme --download
or entered interactively when runme asks for them:
[root@RAID5 patch-o-matic-ng-20080214]# ./runme --download
Successfully downloaded external patch geoip
Successfully downloaded external patch condition
Successfully downloaded external patch ipmark
Successfully downloaded external patch route
Successfully downloaded external patch connlimit
Successfully downloaded external patch ipp2p
Successfully downloaded external patch time
./patchlets/ipv4options exists and is not external
./patchlets/tarpit exists and is not external
Successfully downloaded external patch account
Successfully downloaded external patch pknock
Hey! KERNEL_DIR is not set.
Where is your kernel source directory? [/usr/src/linux] /usr/src/kernels/2.6.18-53.el5-i686
Hey! IPTABLES_DIR is not set.
Where is your iptables source code directory? [/usr/src/iptables] /root/iptables-1.4.0
Loading patchlet definitions...
Excellent!  Source trees are ready for compilation.
Note for the older patch-o-matic-ng-20060725 snapshot:
Applying the patch directly fails there. You need to edit the file /usr/src/patch-o-matic-ng-20060725/patchlets/connlimit/linux-2.6.11/net/ipv4/netfilter/Makefile.ladd and change its anchor line
obj-$(CONFIG_IP_NF_MATCH_STATE) += ipt_state.o
to
obj-$(CONFIG_IP_NF_MATCH_TOS) += ipt_tos.o
(the 2.6.18 net/ipv4/netfilter/Makefile no longer contains the ipt_state.o line that the .ladd file searches for, so the ipt_tos.o line is used as the insertion point instead).
Apply the connlimit patch to the kernel source
[root@RAID5 patch-o-matic-ng-20080214]# KERNEL_DIR=/usr/src/kernels/2.6.18-53.el5-i686 IPTABLES_DIR=/root/iptables-1.4.0 ./runme connlimit
Loading patchlet definitions...
Welcome to Patch-o-matic ($Revision: 6736 $)!

Kernel:   2.6.18, /usr/src/kernels/2.6.18-53.el5-i686
Iptables: 1.4.0, /root/iptables-1.4.0
Each patch is a new feature: many have minimal impact, some do not.
Almost every one has bugs, so don't apply what you don't need!
-------------------------------------------------------
Already applied:
Testing connlimit... not applied
The connlimit patch:
   Author: Gerd Knorr <kraxel@bytesex.org>
   Status: ItWorksForMe[tm]

This adds an iptables match which allows you to restrict the
number of parallel TCP connections to a server per client IP address
(or address block).

Examples:

# allow 2 telnet connections per client host
iptables -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT
# you can also match the other way around:
iptables -p tcp --syn --dport 23 -m connlimit ! --connlimit-above 2 -j ACCEPT

# limit the nr of parallel http requests to 16 per class C sized
# network (24 bit netmask)
iptables -p tcp --syn --dport 80 -m connlimit --connlimit-above 16 \
        --connlimit-mask 24 -j REJECT
-----------------------------------------------------------------
Do you want to apply this patch [N/y/t/f/a/r/b/w/q/?] y
Excellent!  Source trees are ready for compilation.
Configure the kernel source
[root@RAID5 patch-o-matic-ng-20080214]# cd /usr/src/kernels/2.6.18-53.el5-i686/
[root@RAID5 2.6.18-53.el5-i686]# make oldconfig
  HOSTCC  scripts/kconfig/conf.o
  HOSTCC  scripts/kconfig/kxgettext.o
  HOSTCC  scripts/kconfig/mconf.o
  HOSTCC  scripts/kconfig/zconf.tab.o
  HOSTLD  scripts/kconfig/conf
scripts/kconfig/conf -o arch/i386/Kconfig
*
* Linux Kernel Configuration
*
*
* Code maturity level options
*
Prompt for development and/or incomplete code/drivers (EXPERIMENTAL) [Y/n/?] y
*
* General setup
*
Local version - append to kernel release (LOCALVERSION) []
Automatically append version information to the version string (LOCALVERSION_AUTO) [N/y/?] n
Support for paging of anonymous memory (swap) (SWAP) [Y/n/?] y
System V IPC (SYSVIPC) [Y/n/?] y
POSIX Message Queues (POSIX_MQUEUE) [Y/n/?] y
BSD Process Accounting (BSD_PROCESS_ACCT) [Y/n/?] y
BSD Process Accounting version 3 file format (BSD_PROCESS_ACCT_V3) [N/y/?] n
Export task/process statistics through netlink (EXPERIMENTAL) (TASKSTATS) [Y/n/?] y
Enable per-task delay accounting (EXPERIMENTAL) (TASK_DELAY_ACCT) [Y/n/?] y
Auditing support (AUDIT) [Y/n/?] y
Enable system-call auditing support (AUDITSYSCALL) [Y/n/?] y
Kernel .config support (IKCONFIG) [N/y/?] n
(a large amount of output omitted)
Packet mangling (IP_NF_MANGLE) [M/n/?] m
TOS target support (IP_NF_TARGET_TOS) [M/n/?] m
ECN target support (IP_NF_TARGET_ECN) [M/n/?] m
DSCP target support (IP_NF_TARGET_DSCP) [M/n/?] m
TTL target support (IP_NF_TARGET_TTL) [M/n/?] m
CLUSTERIP target support (EXPERIMENTAL) (IP_NF_TARGET_CLUSTERIP) [M/n/?] m
raw table support (required for NOTRACK/TRACE) (IP_NF_RAW) [M/n/?] m
ARP tables support (IP_NF_ARPTABLES) [M/n/?] m
ARP packet filtering (IP_NF_ARPFILTER) [M/n/?] m
ARP payload mangling (IP_NF_ARP_MANGLE) [M/n/?] m
Connections/IP limit match support (IP_NF_MATCH_CONNLIMIT) [N/m/?] (NEW) m
(a large amount of output omitted)
*
* Hardware crypto devices
*
Support for VIA PadLock ACE (CRYPTO_DEV_PADLOCK) [M/n/y/?] m
Support for AES in VIA PadLock (CRYPTO_DEV_PADLOCK_AES) [Y/n/?] y
*
* Library routines
*
CRC-CCITT functions (CRC_CCITT) [M/y/?] m
CRC16 functions (CRC16) [M/n/y/?] m
CRC32 functions (CRC32) [Y/?] y
CRC32c (Castagnoli, et al) Cyclic Redundancy-Check (LIBCRC32C) [Y/?] y
#
# configuration written to .config
#
The point of the output above: make oldconfig now prompts for the newly added connlimit option (IP_NF_MATCH_CONNLIMIT, marked NEW); answer m so that it is built as a loadable module rather than into the kernel image.
[root@RAID5 2.6.18-53.el5-i686]# make modules_prepare
scripts/kconfig/conf -s arch/i386/Kconfig
  CHK     include/linux/version.h
  CHK     include/linux/utsrelease.h
  HOSTCC  scripts/genksyms/genksyms.o
  HOSTCC  scripts/genksyms/lex.o
  HOSTCC  scripts/genksyms/parse.o
  HOSTLD  scripts/genksyms/genksyms
  CC      scripts/mod/empty.o
  MKELF   scripts/mod/elfconfig.h
  HOSTCC  scripts/mod/file2alias.o
  HOSTCC  scripts/mod/modpost.o
  HOSTCC  scripts/mod/sumversion.o
  HOSTLD  scripts/mod/modpost
Back up the original Makefile, which holds the kernel's own build rules for this directory.
[root@RAID5 2.6.18-53.el5-i686]# mv net/ipv4/netfilter/Makefile net/ipv4/netfilter/Makefile.bak
Create a new Makefile that builds only the connlimit match as an out-of-tree module (the recipe line must be indented with a tab):
[root@RAID5 2.6.18-53.el5-i686]# vi net/ipv4/netfilter/Makefile
obj-m := ipt_connlimit.o
KDIR := /lib/modules/$(shell uname -r)/build
PWD := $(shell pwd)
default:
	$(MAKE) -C $(KDIR) M=$(PWD) modules
Then compile the module
[root@RAID5 2.6.18-53.el5-i686]# make M=net/ipv4/netfilter/
  LD      net/ipv4/netfilter/built-in.o
  CC [M]  net/ipv4/netfilter/ipt_connlimit.o
  Building modules, stage 2.
  MODPOST
  CC      net/ipv4/netfilter/ipt_connlimit.mod.o
  LD [M]  net/ipv4/netfilter/ipt_connlimit.ko
Copy the generated .ko module to its target location under the running kernel's module tree and set the permissions.
[root@RAID5 2.6.18-53.el5-i686]# cp net/ipv4/netfilter/ipt_connlimit.ko /lib/modules/2.6.18-53.el5/kernel/net/ipv4/netfilter/
[root@RAID5 2.6.18-53.el5-i686]# chmod 744 /lib/modules/2.6.18-53.el5/kernel/net/ipv4/netfilter/
At this point the module build is complete.
Test and use the module
[root@RAID5 2.6.18-53.el5-i686]# depmod -a
Load the connlimit module
[root@RAID5 2.6.18-53.el5-i686]# modprobe ipt_connlimit
Check that it loaded
[root@RAID5 2.6.18-53.el5-i686]# lsmod | grep ip
ipt_connlimit           7680  0
x_tables               17349  1 ipt_connlimit
ip_conntrack           53025  1 ipt_connlimit
nfnetlink              10713  1 ip_conntrack
dm_multipath           21577  0
dm_mod                 58457  2 dm_mirror,dm_multipath
ipv6                  251393  16
[root@RAID5 2.6.18-53.el5-i686]#
[root@RAID5 2.6.18-53.el5-i686]# iptables -A INPUT -s 192.168.1.147 -m connlimit --connlimit-above 3 -j DROP
iptables: Unknown error 4294967295
This first rule is rejected because the connlimit match only counts TCP connections and must be combined with -p tcp; with the protocol match added the rule is accepted:
[root@RAID5 2.6.18-53.el5-i686]# iptables -A INPUT -p tcp -m tcp -s 192.168.1.147 -m connlimit --connlimit-above 3 -j DROP
[root@RAID5 2.6.18-53.el5-i686]# iptables-save
# Generated by iptables-save v1.3.5 on Wed Feb 20 10:26:54 2008
*filter
:INPUT ACCEPT [216:17824]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [119:12828]
-A INPUT -s 192.168.1.147 -p tcp -m connlimit --connlimit-above 3 --connlimit-mask 32 -j DROP
COMMIT
# Completed on Wed Feb 20 10:26:54 2008
[root@RAID5 2.6.18-53.el5-i686]# iptables-save > /etc/sysconfig/iptables
[root@RAID5 2.6.18-53.el5-i686]# /etc/init.d/iptables start
[root@RAID5 2.6.18-53.el5-i686]# iptables -vnL
Chain INPUT (policy ACCEPT 388 packets, 41987 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp  --  *      *       192.168.1.147        0.0.0.0/0           tcp #conn/32 > 3
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 62 packets, 6024 bytes)
 pkts bytes target     prot opt in     out     source               destination
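The counting rule that connlimit applies (per client with --connlimit-mask 32, per address block with a shorter mask, and the inverted "! --connlimit-above" form from the patch description) and the TCP-only restriction that made the first rule above fail are modelled in this added Python example; it is not code from the page or from the netfilter project, and the tracked-connection table and addresses are constructed sample data. It simplifies by counting only source addresses, leaving port selection to the rule's other matches.

```python
import ipaddress

# Constructed sample: source addresses of the TCP connections currently
# tracked for the traffic a connlimit rule sees (one entry per connection).
TRACKED = [
    "192.168.1.147", "192.168.1.147", "192.168.1.147",   # 3 from one host
    "192.168.1.10", "192.168.1.11", "192.168.1.12",      # 3 hosts, same /24
    "10.0.0.5",
]

def block_of(addr, mask):
    """--connlimit-mask: reduce a client address to its /mask network."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def count_from_block(new_src, tracked, mask):
    """Connections already tracked from new_src's block, plus the new one
    (connlimit counts the connection being opened as well)."""
    blk = block_of(new_src, mask)
    return 1 + sum(1 for a in tracked if block_of(a, mask) == blk)

def connlimit_match(new_src, tracked, above, mask=32, invert=False):
    """True when the new connection pushes the block's count over `above`;
    with invert=True the sense is reversed, as in '! --connlimit-above 2'."""
    over = count_from_block(new_src, tracked, mask) > above
    return (not over) if invert else over

def connlimit_rule(proto, above, mask=32, target="DROP"):
    """Build the match part of a rule. This connlimit only understands TCP,
    so a rule without -p tcp is refused (the page's 'Unknown error')."""
    if proto != "tcp":
        raise ValueError("connlimit requires -p tcp")
    return (f"-p tcp -m connlimit --connlimit-above {above} "
            f"--connlimit-mask {mask} -j {target}")

if __name__ == "__main__":
    # 4th connection from 192.168.1.147 with --connlimit-above 3 -> matched (DROP)
    print(connlimit_match("192.168.1.147", TRACKED, above=3))           # True
    # another host in 192.168.1.0/24, per-host limit -> not matched
    print(connlimit_match("192.168.1.13", TRACKED, above=3))            # False
    # same host, but the limit applies to the whole /24: 7 > 3 -> matched
    print(connlimit_match("192.168.1.13", TRACKED, above=3, mask=24))   # True
    print(connlimit_rule("tcp", 3))
```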