connlimit function:

  The connlimit module limits the number of concurrent connections per client IP, that is, how many simultaneous connections each IP may hold to a server.

  It can be used to cap the network use of intranet users, and on a server it caps the number of connections each source IP may have open at once.


connlimit parameters:

  --connlimit-above n     # match when the source (or the group selected by the mask) already has more than n connections; the packet's own connection is included in the count
  ! --connlimit-above n   # negated form: match while the count is n or less
  --connlimit-mask n      # prefix length used to group source hosts; the default is 32, i.e. one group per IP; 24 counts a whole /24 together




System: CentOS 5.4, 32-bit

  Required packages: iptables-1.3.8.tar.bz2, linux-2.6.18.tar.bz2, patch-o-matic-ng-20080214.tar.bz2 (all three are provided)




1. Preparation


yum -y install gcc* make wget ncurses-devel ncurses bzip2


One more important thing:

If iptables is already installed on the system, stop it first to avoid trouble later:

service iptables stop


Then unpack the three packages into /usr/src:


tar jxf iptables-1.3.8.tar.bz2 -C /usr/src/


tar jxf patch-o-matic-ng-20080214.tar.bz2 -C /usr/src/


tar jxf linux-2.6.18.tar.bz2 -C /usr/src/


Prepare the kernel source tree:


cd /usr/src/linux-2.6.18/


uname -r


2.6.18-164.el5


vi Makefile

Change the EXTRAVERSION line so that the tree's version string matches the running kernel:

EXTRAVERSION = -164.el5

The module's vermagic is derived from these Makefile fields; if the resulting release string differs from uname -r, modprobe will refuse to load ipt_connlimit later.


Set the environment variables patch-o-matic-ng-20080214 needs:


export KERNEL_DIR=/usr/src/linux-2.6.18


export KERNEL_SRC=/usr/src/linux-2.6.18


export IPTABLES_SRC=/usr/src/iptables-1.3.8/


export IPTABLES_DIR=/usr/src/iptables-1.3.8/


A note on this: if you do not export these four variables, every later patch-o-matic call has to carry them on the command line, which quickly gets annoying. For example:


KERNEL_DIR=/usr/src/linux-2.6.18 IPTABLES_DIR=/usr/src/iptables-1.3.8 ./runme time


That is tedious, so exporting them once up front is the better choice.




2. Patch the kernel source to add the module


cd /usr/src/patch-o-matic-ng-20080214/


./runme --download


./runme connlimit


patch-o-matic reports that the connlimit patch has been applied to the kernel source, but the module is not built yet.




3. Edit the kernel configuration and select the newly added module


cd ../linux-2.6.18/


make menuconfig


This step involves a lot of menu navigation, so there is no screenshot.

In the configuration menu select:

Networking --->
  Networking options --->
    Network packet filtering (replaces ipchains) --->
      IP: Netfilter Configuration --->
        <M> Connections/IP limit match support




4. Compile the kernel module


make modules_prepare


Modify net/ipv4/netfilter/Makefile so that only the connlimit module is built. Back up the original first:

mv net/ipv4/netfilter/Makefile net/ipv4/netfilter/Makefile.bak

Create a new net/ipv4/netfilter/Makefile with the following content (the recipe line under default: must be indented with a tab, not spaces):

vi net/ipv4/netfilter/Makefile

# build ipt_connlimit as a loadable module
obj-m := ipt_connlimit.o

# KDIR and the default target are only used if you run make from inside
# net/ipv4/netfilter; the command below builds from the top of the source tree
KDIR := /lib/modules/$(shell uname -r)/build
PWD  := $(shell pwd)

default:
	$(MAKE) -C $(KDIR) M=$(PWD) modules

Finally, build the module from the top of the kernel tree:

make M=net/ipv4/netfilter/




5. Copy the compiled ipt_connlimit.ko into the running kernel's module directory and load it

cp net/ipv4/netfilter/ipt_connlimit.ko /lib/modules/2.6.18-164.el5/kernel/net/ipv4/netfilter/

Adding an execute bit to the module is harmless but not required (modprobe only reads the file), so this step is optional:

chmod +x /lib/modules/2.6.18-164.el5/kernel/net/ipv4/netfilter/ipt_connlimit.ko

depmod -a

modprobe ipt_connlimit

Run lsmod | grep x_tables. If ipt_connlimit appears among the users of x_tables, as below, the module is loaded (lsmod | grep connlimit is a more direct check):


x_tables               17349  7 ipt_connlimit,ipt_REJECT,xt_state,ip_tables,ip6t_REJECT,xt_tcpudp,ip6_tables
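The script below is an added example written for this article, not part of the original; it automates the two places this procedure usually goes wrong: an EXTRAVERSION that does not match uname -r (step 1), and installing a module whose vermagic disagrees with the running kernel (step 5). The kernel tree path is passed as an argument (the article's is /usr/src/linux-2.6.18); the module name and install path follow the steps above.

```shell
#!/bin/sh
# Added example for this article (not from the original): verify the
# EXTRAVERSION edit from step 1 and the module's vermagic before installing
# ipt_connlimit.ko from step 5. The kernel tree path is passed as $1
# (the article uses /usr/src/linux-2.6.18).

# Release string a kernel tree will produce: VERSION.PATCHLEVEL.SUBLEVEL
# followed by EXTRAVERSION, read from its top-level Makefile.
kernel_release_from_makefile() {
    awk -F= '
        /^VERSION[[:space:]]*=/      { gsub(/[[:space:]]/, "", $2); v = $2 }
        /^PATCHLEVEL[[:space:]]*=/   { gsub(/[[:space:]]/, "", $2); p = $2 }
        /^SUBLEVEL[[:space:]]*=/     { gsub(/[[:space:]]/, "", $2); s = $2 }
        /^EXTRAVERSION[[:space:]]*=/ { gsub(/[[:space:]]/, "", $2); e = $2 }
        END { printf "%s.%s.%s%s\n", v, p, s, e }
    ' "$1"
}

# True when the tree's release matches the running kernel (uname -r).
tree_matches_running_kernel() {
    [ "$(kernel_release_from_makefile "$1/Makefile")" = "$(uname -r)" ]
}

# Release recorded in a built module's vermagic, i.e. the first word of
# something like "2.6.18-164.el5 SMP mod_unload 686 ...".
module_vermagic_release() {
    modinfo -F vermagic "$1" | awk '{ print $1 }'
}

# Install and load the module only if its vermagic matches the running
# kernel; otherwise say what to fix and stop.
install_connlimit_module() {
    ko="$1/net/ipv4/netfilter/ipt_connlimit.ko"
    rel="$(uname -r)"
    if [ ! -f "$ko" ]; then
        echo "module not built: $ko" >&2
        return 1
    fi
    got="$(module_vermagic_release "$ko")"
    if [ "$got" != "$rel" ]; then
        echo "vermagic mismatch: module says $got, running kernel is $rel" >&2
        echo "fix EXTRAVERSION in $1/Makefile and rebuild" >&2
        return 1
    fi
    cp "$ko" "/lib/modules/$rel/kernel/net/ipv4/netfilter/" &&
        depmod -a &&
        modprobe ipt_connlimit &&
        lsmod | grep -q '^ipt_connlimit '
}

# Usage: sh connlimit_install_check.sh /usr/src/linux-2.6.18
if [ $# -eq 1 ]; then
    if tree_matches_running_kernel "$1"; then
        install_connlimit_module "$1"
    else
        echo "EXTRAVERSION in $1/Makefile does not match $(uname -r)" >&2
        exit 1
    fi
fi
```

Run it as root after step 4 with the tree path as the only argument; it refuses to copy a module whose release string does not match the kernel you are running, which is the usual cause of "invalid module format" at modprobe time.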




6. Test the ipt_connlimit module


iptables -I INPUT -p tcp --dport 22 -m connlimit --connlimit-above 5 -j REJECT

service iptables save

service iptables start

Without --syn this rule matches every packet of the source's connections once the count exceeds 5, so if a host already has more than 5 SSH sessions open when the rule is inserted, all of them stop working. Matching only new connections (-p tcp --syn) limits the effect to the sixth and later connection attempts, which is what the examples below do.


Examples:

Limit the same IP to at most 100 concurrent HTTP connections:

iptables -I INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 100 -j REJECT

or, as an accept rule (this form only makes sense if a later rule or the chain policy refuses what it does not accept):

iptables -I INPUT -p tcp --syn --dport 80 -m connlimit ! --connlimit-above 100 -j ACCEPT

Allow each /24 (class C) network at most 100 concurrent HTTP connections in total, counted across all hosts in the block:

iptables -I INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 100 --connlimit-mask 24 -j REJECT


Allow each IP only 5 concurrent forwarded connections to port 80 and silently drop the rest:


iptables -I FORWARD -p tcp --syn --dport 80 -m connlimit --connlimit-above 5 -j DROP


Limit one specific IP (222.222.222.222) to at most 100 concurrent HTTP connections:


iptables -A INPUT -s 222.222.222.222 -p tcp --syn --dport 80 -m connlimit --connlimit-above 100 -j REJECT


Limit each IP to at most 100 new HTTP connections within a time window (here 60 seconds). This is a rate limit, not a concurrency limit, so it uses the recent module instead of connlimit; --syn is added so that only connection attempts are counted, not every packet:

iptables -A INPUT -p tcp --syn --dport 80 -m recent --name BAD_HTTP_ACCESS --update --seconds 60 --hitcount 100 -j REJECT

iptables -A INPUT -p tcp --syn --dport 80 -m recent --name BAD_HTTP_ACCESS --set -j ACCEPT

The recent module only remembers a limited number of packets per address (module parameter ip_pkt_list_tot, default 20), so a hitcount of 100 needs the module loaded with a larger value, e.g. modprobe ipt_recent ip_pkt_list_tot=100 (xt_recent on newer kernels); otherwise the rule is refused or the hit count is never reached.




Log and then reject new connections once a single source (localhost excluded) has more than 16 connections to port 8080, and likewise for port 80. --tcp-flags FIN,SYN,RST,ACK SYN is the long form of --syn, and --connlimit-saddr (count per source address, which is the default) is only understood by newer iptables 1.4.x userspace, so with the iptables 1.3.8 built above leave that option out. The LOG rules carry no -m limit, so a flood of over-limit attempts floods the log as well:

iptables -A INPUT ! -s 127.0.0.1/32 -p tcp -m tcp --dport 8080 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 16 --connlimit-mask 32 --connlimit-saddr -j LOG --log-prefix "connlimit "
iptables -A INPUT ! -s 127.0.0.1/32 -p tcp -m tcp --dport 8080 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 16 --connlimit-mask 32 --connlimit-saddr -j REJECT --reject-with icmp-port-unreachable

iptables -A INPUT -p tcp -m tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 16 --connlimit-mask 32 --connlimit-saddr -j LOG --log-prefix "connlimit "
iptables -A INPUT -p tcp -m tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 16 --connlimit-mask 32 --connlimit-saddr -j REJECT --reject-with icmp-port-unreachable
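To check that a connlimit rule actually does what you expect, whether the port 22 test rule from step 6 or any of the per-port limits in the examples above, you need several connections from one source open at the same time. The probe below is an added example for this article, not part of the original or of the iptables project: it opens N connections to host:port in parallel, holds them open, and reports how many were accepted and how many refused. Host, port, count and hold time are arguments; nothing in it is specific to the article's machine.

```shell
#!/bin/bash
# Added example for this article (not from the original): open several TCP
# connections to host:port at the same time, hold them open, and report how
# many were accepted and how many refused. Against the step 6 rule
# (--connlimit-above 5 on port 22) a probe with 7 connections should report
# accepted=5 refused=2. Needs bash (/dev/tcp); run it from a client host so
# the connections traverse the firewall's INPUT chain.

# One attempt: append "ok" or "refused" to $4; on success keep the socket
# open for $3 seconds so the connection stays counted by connlimit.
probe_one() {
    local host=$1 port=$2 hold=$3 results=$4
    (
        exec 3<>"/dev/tcp/$host/$port" || exit 1
        echo ok >>"$results"
        sleep "$hold"
        exec 3>&-
    ) 2>/dev/null || echo refused >>"$results"
}

# Count the outcomes in a results file; prints "accepted=N refused=M".
summarize_results() {
    awk '/^ok$/ { a++ } /^refused$/ { r++ }
         END { printf "accepted=%d refused=%d\n", a + 0, r + 0 }' "$1"
}

# Launch $3 attempts in parallel, wait for all of them, print the summary.
# With a REJECT rule refused attempts fail immediately; with DROP they hang
# until the kernel's SYN retry timeout, so expect the wait to take longer.
probe_connlimit() {
    local host=$1 port=$2 count=$3 hold=${4:-3} results i=0
    results=$(mktemp)
    while [ "$i" -lt "$count" ]; do
        probe_one "$host" "$port" "$hold" "$results" &
        i=$((i + 1))
    done
    wait
    summarize_results "$results"
    rm -f "$results"
}

# Usage: bash connlimit_probe.sh <host> <port> <connections> [hold_seconds]
if [ $# -ge 3 ]; then
    probe_connlimit "$@"
fi
```

For the /24 example, run the probe from two hosts in the same block at once: the sum of accepted connections across both should stop at 100, which is what --connlimit-mask 24 means and what a per-IP probe alone would not show.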