connlimit function:


  The connlimit module lets you limit the number of concurrent connections per client IP, that is, the number of simultaneous connections each IP may hold to a server.


  connlimit can be used to restrain the network use of intranet users; on a server it can limit the number of connections each IP is allowed to initiate.


 


connlimit parameters:


  --connlimit-above n    # match when the number of connections exceeds n


  --connlimit-mask n     # prefix length used to group source hosts; the default is --connlimit-mask 32, i.e. each IP is counted on its own.




System: CentOS 5.4, 32-bit


  Required packages: iptables-1.3.8.tar.bz2 linux-2.6.18.tar.bz2 patch-o-matic-ng-20080214.tar.bz2 (I will provide all three)




1. Preparation


yum -y install gcc* make wget ncurses-devel ncurses bzip2


Another important point:


If iptables is already installed on your system, stop it first to avoid problems later:


service iptables stop


Then extract the three packages into the /usr/src directory:


tar jxf iptables-1.3.8.tar.bz2 -C /usr/src/


tar jxf patch-o-matic-ng-20080214.tar.bz2 -C /usr/src/


tar jxf linux-2.6.18.tar.bz2 -C /usr/src/


Initialize the kernel source tree


cd /usr/src/linux-2.6.18/


uname -r


2.6.18-164.el5


vi Makefile and change the version suffix to EXTRAVERSION = -164.el5 so it matches the running kernel


Set the environment variables that patch-o-matic-ng-20080214 needs:


export KERNEL_DIR=/usr/src/linux-2.6.18


export KERNEL_SRC=/usr/src/linux-2.6.18


export IPTABLES_SRC=/usr/src/iptables-1.3.8/


export IPTABLES_DIR=/usr/src/iptables-1.3.8/


Note: if you do not set these 4 environment variables, every later step that patches the kernel and adds modules becomes tedious. Why? Look at an example of what you would have to type instead:


KERNEL_DIR=/usr/src/linux-2.6.18 IPTABLES_DIR=/usr/src/iptables-1.3.8 ./runme time


That is cumbersome, so it is better to export them once.




2. Patch the kernel and add the module


cd /usr/src/patch-o-matic-ng-20080214/


./runme --download


./runme connlimit


You can see that the connlimit module has been added to the kernel source, but it is not finished yet.




3. Edit the kernel configuration and select the newly added module


cd ../linux-2.6.18/


make menuconfig


There are a lot of options in this step, so I won't take a screenshot.


In the kernel configuration menu, select:


Networking --->


Networking options --->


Network packet filtering (replaces ipchains) --->


IP: Netfilter Configuration --->


<M> Connections/IP limit match support




4. Compile the kernel module


make modules_prepare


Modify net/ipv4/netfilter/Makefile so that only the connlimit module is compiled. First, back up the existing net/ipv4/netfilter/Makefile:


mv net/ipv4/netfilter/Makefile net/ipv4/netfilter/Makefile.bak


Create a new net/ipv4/netfilter/Makefile and add the following content (the recipe line under "default:" must start with a tab, not spaces):


vi net/ipv4/netfilter/Makefile


# build only the connlimit match as an out-of-tree module
obj-m := ipt_connlimit.o

KDIR := /lib/modules/$(shell uname -r)/build
PWD := $(shell pwd)

default:
	$(MAKE) -C $(KDIR) M=$(PWD) modules




Finally, compile the kernel module from the top of the kernel tree:


make M=net/ipv4/netfilter/




5. Copy the compiled ipt_connlimit.ko into the running kernel's module directory and load it


cp net/ipv4/netfilter/ipt_connlimit.ko /lib/modules/2.6.18-164.el5/kernel/net/ipv4/netfilter/


Give the kernel module executable permission:


chmod +x /lib/modules/2.6.18-164.el5/kernel/net/ipv4/netfilter/ipt_connlimit.ko


depmod -a


modprobe ipt_connlimit


Run lsmod | grep x_tables. If the following line appears, the kernel module has loaded successfully:


x_tables               17349  7 ipt_connlimit,ipt_REJECT,xt_state,ip_tables,ip6t_REJECT,xt_tcpudp,ip6_tables




6. Test the ipt_connlimit module


iptables -I INPUT -p tcp --dport 22 -m connlimit --connlimit-above 5 -j REJECT


service iptables save


service iptables start


 


Examples:


Limit the same IP to at most 100 concurrent HTTP connections:


iptables -I INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 100 -j REJECT


or


iptables -I INPUT -p tcp --syn --dport 80 -m connlimit ! --connlimit-above 100 -j ACCEPT


Allow each class C network (/24) at most 100 concurrent HTTP connections in total:


iptables -I INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 100 --connlimit-mask 24 -j REJECT


Allow each IP at most 5 concurrent forwarded connections to port 80, and drop anything above that:


iptables -I FORWARD -p tcp --syn --dport 80 -m connlimit --connlimit-above 5 -j DROP


Restrict one specific IP to at most 100 concurrent HTTP connections:


iptables -A INPUT -s 222.222.222.222 -p tcp --syn --dport 80 -m connlimit --connlimit-above 100 -j REJECT


Limit each IP to at most 100 new HTTP connections within a time window (for example 60 seconds), using the recent module instead of connlimit:


iptables -A INPUT -p tcp --dport 80 -m recent --name BAD_HTTP_ACCESS --update --seconds 60 --hitcount 100 -j REJECT


iptables -A INPUT -p tcp --dport 80 -m recent --name BAD_HTTP_ACCESS --set -j ACCEPT




iptables -A INPUT ! -s 127.0.0.1/32 -p tcp -m tcp --dport 8080 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 16 --connlimit-mask 32 --connlimit-saddr -j LOG --log-prefix "connlimit "


iptables -A INPUT ! -s 127.0.0.1/32 -p tcp -m tcp --dport 8080 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 16 --connlimit-mask 32 --connlimit-saddr -j REJECT --reject-with icmp-port-unreachable


iptables -A INPUT -p tcp -m tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 16 --connlimit-mask 32 --connlimit-saddr -j LOG --log-prefix "connlimit "


iptables -A INPUT -p tcp -m tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 16 --connlimit-mask 32 --connlimit-saddr -j REJECT --reject-with icmp-port-unreachable
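The rules above mix two different ideas: connlimit counts connections that are open at the same time (grouped by --connlimit-mask), while the recent pair counts new connections inside a time window. The following Python model is an added illustration, not code from this page and not the kernel's xt_connlimit or xt_recent implementation; the classes, the verdict strings and the source addresses are constructed for the example. It shows why --connlimit-mask 24 rejects a third host from the same class C that --connlimit-mask 32 would still admit, why closing a connection frees a slot, and how the recent --update/--hitcount rule behaves once the window has expired.

```python
import ipaddress
from collections import defaultdict

# Constructed model (added example) of two iptables matches used on this page:
#   -m connlimit --connlimit-above N --connlimit-mask M   (concurrent connections)
#   -m recent --update --seconds S --hitcount H / --set  (new connections per window)
# The verdict strings mirror the targets used in the page's rules.


def mask_key(src_ip, mask_bits):
    """Group key connlimit counts under: the source address masked to /mask_bits.
    With the default mask 32 every IP is its own group; with 24 a whole
    class C network shares one counter."""
    net = ipaddress.ip_network(f"{src_ip}/{mask_bits}", strict=False)
    return str(net.network_address)


class ConnLimit:
    """Models '--syn -m connlimit --connlimit-above N --connlimit-mask M -j REJECT':
    the new connection is counted together with the existing ones from the same
    group, and the rule matches (REJECT) when that total exceeds N."""

    def __init__(self, above, mask=32):
        self.above = above
        self.mask = mask
        self.active = defaultdict(int)  # group key -> open connections

    def syn(self, src_ip):
        key = mask_key(src_ip, self.mask)
        if self.active[key] + 1 > self.above:
            return "REJECT"  # connlimit matched, the target fires
        self.active[key] += 1
        return "ACCEPT"  # fell through to later rules / default policy

    def close(self, src_ip):
        """Connection torn down: conntrack forgets it, so the slot is freed."""
        key = mask_key(src_ip, self.mask)
        if self.active[key] > 0:
            self.active[key] -= 1


class RecentWindow:
    """Models the two-rule recent pattern from the page:
         --name X --update --seconds S --hitcount H -j REJECT
         --name X --set -j ACCEPT
    Rule 1 matches when the source already has at least H packets recorded
    within the last S seconds (--update also records this packet on a match);
    otherwise rule 2 records the packet and accepts it."""

    def __init__(self, seconds, hitcount):
        self.seconds = seconds
        self.hitcount = hitcount
        self.stamps = {}  # src ip -> list of packet timestamps

    def packet(self, src_ip, now):
        stamps = self.stamps.get(src_ip)
        if stamps is not None:
            in_window = [t for t in stamps if now - t <= self.seconds]
            if len(in_window) >= self.hitcount:
                stamps.append(now)  # --update refreshes the entry on match
                return "REJECT"
        self.stamps.setdefault(src_ip, []).append(now)  # --set
        return "ACCEPT"


def demo():
    """Walk the page's rule shapes with constructed source addresses."""
    results = {}
    # Per-IP limit (mask 32, above 2): the third SYN from one IP is rejected,
    # but another host in the same /24 has its own counter.
    per_ip = ConnLimit(above=2, mask=32)
    results["per_ip"] = [per_ip.syn("10.0.0.1"), per_ip.syn("10.0.0.1"),
                         per_ip.syn("10.0.0.1"), per_ip.syn("10.0.0.2")]
    # Per-/24 limit (mask 24, above 2): all of 10.0.0.0/24 shares one counter.
    per_net = ConnLimit(above=2, mask=24)
    results["per_net"] = [per_net.syn("10.0.0.1"), per_net.syn("10.0.0.2"),
                          per_net.syn("10.0.0.3")]
    per_net.close("10.0.0.1")  # one connection ends, freeing a slot
    results["after_close"] = per_net.syn("10.0.0.3")
    # Window limit: 3 new connections per 60 s from one IP, then the window expires.
    window = RecentWindow(seconds=60, hitcount=3)
    results["recent"] = [window.packet("203.0.113.9", t) for t in (0, 1, 2, 3, 100)]
    return results


if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(f"{name}: {verdicts}")
```

Two practical notes when applying the real rules: connlimit only sees what conntrack still holds, so half-closed or idle connections keep occupying a client's slots until their conntrack entry times out; and the recent module remembers a fixed number of packets per address (the ip_pkt_list_tot module parameter, 20 by default), so a --hitcount of 100 as in the page's rule is refused unless that parameter is raised when the module is loaded.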