Today a large number of hosts with IP addresses in China were hitting the site with traffic that was clearly not normal access, driving PHP-FPM to 100% CPU and making the site very slow to open. I had already used iptables to limit the number of connections per IP, but because no single IP reached the connection limit, that rule could not stop it. The only option left was to block the IP ranges of a whole region. xtables-addons is a module for exactly that: you only need to compile the module, not the system kernel, and it works together with iptables to filter the IPs of a region.
Step one, check the system's iptables version. The xtables-addons version must match the iptables version; for example, iptables 1.4.7 corresponds to xtables-addons 1.47.
# uname -r
2.6.32-358.18.1.el6.x86_64
# iptables -V
iptables v1.4.7
Then download xtables-addons 1.47.
In addition, SELinux must be disabled: edit /etc/selinux/config, set SELINUX=disabled, and make it take effect immediately with: echo 0 > /selinux/enforce
Step two, install the build tools and the perl-Text-CSV_XS dependency package
# yum install gcc gcc-c++ make automake unzip zip xz kernel-devel-$(uname -r) iptables-devel
# rpm -Uvh http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.3-1.el6.rf.x86_64.rpm
# yum -y install perl-Text-CSV_XS
Step three, download and compile the xtables-addons module
# wget -O xtables-addons-1.47.tar.xz http://sourceforge.net/projects/xtables-addons/files/Xtables-addons/1.47/xtables-addons-1.47.tar.xz/download
# tar xf xtables-addons-1.47.tar.xz
# cd xtables-addons-1.47
# ./configure
# make
# make install
If ./configure fails with "configure: error: Package requirements (xtables >= 1.4.5) were not met: No package 'xtables' found", the output looks like this:
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... /bin/mkdir -p
checking for gawk... gawk
checking whether make sets $(MAKE)... yes
checking whether make supports nested variables... yes
checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables...
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking for style of include used by make... GNU
checking dependency style of gcc... gcc3
checking whether gcc and cc understand -c and -o together... yes
checking for ar... ar
checking the archiver (ar) interface... ar
checking build system type... x86_64-unknown-linux-gnu
checking host system type... x86_64-unknown-linux-gnu
checking how to print strings... printf
checking for a sed that does not truncate output... /bin/sed
checking for grep that handles long lines and -e... /bin/grep
checking for egrep... /bin/grep -E
checking for fgrep... /bin/grep -F
checking for ld used by gcc... /usr/bin/ld
checking if the linker (/usr/bin/ld) is GNU ld... yes
checking for BSD- or MS-compatible name lister (nm)... /usr/bin/nm -B
checking the name lister (/usr/bin/nm -B) interface... BSD nm
checking whether ln -s works... yes
checking the maximum length of command line arguments... 1966080
checking whether the shell understands some XSI constructs... yes
checking whether the shell understands "+="... yes
checking how to convert x86_64-unknown-linux-gnu file names to x86_64-unknown-linux-gnu format... func_convert_file_noop
checking how to convert x86_64-unknown-linux-gnu file names to toolchain format... func_convert_file_noop
checking for /usr/bin/ld option to reload object files... -r
checking for objdump... objdump
checking how to recognize dependent libraries... pass_all
checking for dlltool... no
checking how to associate runtime and link libraries... printf %s\n
checking for archiver @FILE support... @
checking for strip... strip
checking for ranlib... ranlib
checking command to parse /usr/bin/nm -B output from gcc object... ok
checking for sysroot... no
checking for mt... no
checking if : is a manifest tool... no
checking how to run the C preprocessor... gcc -E
checking for ANSI C header files... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking for dlfcn.h... yes
checking for objdir... .libs
checking if gcc supports -fno-rtti -fno-exceptions... no
checking for gcc option to produce PIC... -fPIC -DPIC
checking if gcc PIC flag -fPIC -DPIC works... yes
checking if gcc static flag -static works... no
checking if gcc supports -c -o file.o... yes
checking if gcc supports -c -o file.o... (cached) yes
checking whether the gcc linker (/usr/bin/ld -m elf_x86_64) supports shared libraries... yes
checking whether -lc should be explicitly linked in... no
checking dynamic linker characteristics... GNU/Linux ld.so
checking how to hardcode library paths into programs... immediate
checking whether stripping libraries is possible... yes
checking if libtool supports shared libraries... yes
checking whether to build shared libraries... yes
checking whether to build static libraries... no
checking linux/netfilter/x_tables.h usability... yes
checking linux/netfilter/x_tables.h presence... yes
checking for linux/netfilter/x_tables.h... yes
checking for pkg-config... /usr/bin/pkg-config
checking pkg-config is at least version 0.9.0... yes
checking for libxtables... no
configure: error: Package requirements (xtables >= 1.4.5) were not met:

No package 'xtables' found

Consider adjusting the PKG_CONFIG_PATH environment variable if you
installed software in a non-standard prefix.

Alternatively, you may set the environment variables libxtables_CFLAGS
and libxtables_LIBS to avoid the need to call pkg-config.
See the pkg-config man page for more details.
In that case install the iptables development package, iptables-devel, and run ./configure again:
# yum -y install iptables-devel
Step four, download and install the GeoIP database. You can download the CSV version from http://geolite.maxmind.com/download/geoip/database/, or use the xt_geoip_dl script in the geoip directory of the xtables-addons source tree to download it:
# cd geoip/
# ./xt_geoip_dl
GeoIPv6.csv.gz and GeoIPCountryCSV.zip are downloaded and uncompressed, yielding the IP database files GeoIPv6.csv and GeoIPCountryWhois.csv. Then use xt_geoip_build to compile the database:
# mkdir -p /usr/share/xt_geoip/   # create the default location for the database files
# ./xt_geoip_build -D /usr/share/xt_geoip *.csv   # build the database files
When it finishes, two directories, BE and LE, are generated; the files saved under them are named after each country code with the suffixes .iv6 and .iv4 respectively.
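Before pointing a DROP rule at an entire country, it is worth looking at what the CSV that xt_geoip_build consumes actually contains. The following script is an added example, not part of the original post or of xtables-addons. It reads the legacy GeoIPCountryWhois.csv layout (start IP, end IP, start integer, end integer, country code, country name) from a constructed sample and answers two questions: which country code a given address falls under, and how many addresses a --src-cc code would cover. The function names (ip2int, geoip_lookup_cc, geoip_count_addrs) and the sample rows are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original post or of xtables-addons.
# Inspect the legacy GeoIPCountryWhois.csv layout that xt_geoip_build reads:
#   "startIP","endIP","startInt","endInt","CC","Country name"
# The rows below are constructed sample data, not MaxMind's real database.

SAMPLE_CSV="${TMPDIR:-/tmp}/geoip_sample.$$.csv"
trap 'rm -f "$SAMPLE_CSV"' EXIT
cat > "$SAMPLE_CSV" <<'EOF'
"1.0.0.0","1.0.0.255","16777216","16777471","AU","Australia"
"1.0.1.0","1.0.3.255","16777472","16778239","CN","China"
"1.0.4.0","1.0.7.255","16778240","16779263","AU","Australia"
"1.0.8.0","1.0.15.255","16779264","16781311","CN","China"
"203.0.113.0","203.0.113.255","3405803776","3405804031","ZZ","Documentation"
EOF

# Dotted quad -> 32-bit integer, the same number the CSV stores in columns 3 and 4.
ip2int() {
    echo "$1" | awk -F'[.]' '{ printf "%.0f\n", $1*16777216 + $2*65536 + $3*256 + $4 }'
}

# Country code whose range contains the IP in $1 (CSV path in $2);
# prints "--" when no row matches. Comparing on the integer columns
# avoids parsing addresses inside the scan.
geoip_lookup_cc() {
    n=$(ip2int "$1")
    awk -F'","' -v n="$n" '
        (n + 0) >= ($3 + 0) && (n + 0) <= ($4 + 0) { print $5; found = 1; exit }
        END { if (!found) print "--" }' "$2"
}

# Total addresses covered by every range for country code $1 (CSV path in $2):
# the reach of "-m geoip --src-cc CC -j DROP".
geoip_count_addrs() {
    awk -F'","' -v cc="$1" '
        $5 == cc { total += $4 - $3 + 1 }
        END { printf "%.0f\n", total + 0 }' "$2"
}

# Example run against the constructed sample.
echo "1.0.1.5 -> $(geoip_lookup_cc 1.0.1.5 "$SAMPLE_CSV")"
echo "CN covers $(geoip_count_addrs CN "$SAMPLE_CSV") addresses in the sample"
```

Run it against the real GeoIPCountryWhois.csv by replacing the sample path; the address count for a code is a quick way to see how much of the Internet a single --src-cc rule will silently drop, and the lookup lets you confirm that a specific offending address really resolves to that code before the rule goes in.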
Step five, add the filter rules to block Chinese IPs:
# iptables -I INPUT -m geoip --src-cc CN -j DROP   # note that this blocks access to all ports
# iptables -I INPUT -p tcp -m tcp --dport 80 -m geoip --src-cc CN -j DROP   # only block access to port 80
At this point, IPs in the Chinese region can no longer reach the site. Save the rules with: service iptables save
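Inserting the rules by hand with iptables -I has two practical problems: running the commands a second time (after a reboot or when re-applying the configuration) stacks duplicate rules, and an all-ports DROP can lock out the administrator as well. The script below is an added example, not from the original post or from xtables-addons. It verifies that the database built in step four actually contains the country code (BE/CC.iv4 and LE/CC.iv4 under the directory xt_geoip_build was pointed at), only inserts a rule when iptables -C reports it is absent, and can place an ACCEPT for an administrator address above the DROP. The function names and the IPT and XT_GEOIP_DIR variables are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post or of xtables-addons.
# Idempotently install "-m geoip --src-cc CC -j DROP" rules on INPUT.
# IPT and XT_GEOIP_DIR are this example's own knobs (assumptions), kept
# overridable so the logic can be exercised without root or a real firewall.

IPT="${IPT:-iptables}"
XT_GEOIP_DIR="${XT_GEOIP_DIR:-/usr/share/xt_geoip}"

# --src-cc takes ISO 3166-1 alpha-2 codes: exactly two upper-case letters.
cc_is_valid() {
    case "$1" in
        [A-Z][A-Z]) return 0 ;;
        *) return 1 ;;
    esac
}

# xt_geoip_build writes BE/<CC>.iv4 and LE/<CC>.iv4; without them iptables
# cannot load the ranges for the rule, so check before trying to insert.
geoip_db_has_cc() {
    [ -s "$XT_GEOIP_DIR/BE/$1.iv4" ] && [ -s "$XT_GEOIP_DIR/LE/$1.iv4" ]
}

# Rule specification for country code $1; an empty $2 means every port.
geoip_drop_spec() {
    cc="$1"; port="${2:-}"
    if [ -n "$port" ]; then
        echo "-p tcp -m tcp --dport $port -m geoip --src-cc $cc -j DROP"
    else
        echo "-m geoip --src-cc $cc -j DROP"
    fi
}

# Ensure a rule exists exactly once: -C returns 0 when an identical rule
# is already in the chain, so repeated runs never add duplicates.
ensure_rule() {
    chain="$1"; shift
    if $IPT -C "$chain" "$@" 2>/dev/null; then
        echo "present: $chain $*"
    else
        $IPT -I "$chain" "$@" && echo "inserted: $chain $*"
    fi
}

# Keep one administrator address reachable regardless of its country.
allow_admin() {
    ensure_rule INPUT -s "$1" -j ACCEPT
}

# Validate the code, confirm the database has it, then install the DROP.
apply_geoip_drop() {
    cc="$1"; port="${2:-}"
    cc_is_valid "$cc" || { echo "bad country code: $cc" >&2; return 2; }
    geoip_db_has_cc "$cc" || { echo "no database for $cc under $XT_GEOIP_DIR" >&2; return 3; }
    # word-splitting the spec into separate arguments is intended here
    ensure_rule INPUT $(geoip_drop_spec "$cc" "$port")
}

# Usage: sh geoip_block.sh CC [PORT] [ADMIN_IP]
# The ACCEPT is inserted last because -I puts each new rule at the top,
# which is what keeps it above the DROP.
if [ $# -gt 0 ]; then
    apply_geoip_drop "$1" "${2:-}"
    if [ -n "${3:-}" ]; then
        allow_admin "$3"
    fi
fi
```

After the rules are in place, list them with iptables -L INPUT -n --line-numbers to confirm the ACCEPT sits above the geoip DROP, and save them with service iptables save as in the post; because the script checks with -C before inserting, it is safe to run again from cron or a provisioning tool.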