RH AS 3: add-on modules for iptables extension features

Posted by 小毅 on 04-09-2004 19:10:

RH AS 3: add-on modules for iptables extension features

I have recently been setting up my school's gateway. When using iptables I needed some of its extension features, and these require downloading kernel patches and recompiling before they can be used.

For everyone's convenience I have compiled three commonly used features as modules and put them up here for people to use. The three modules are: TTL, connlimit, time.

Details are as follows:

> quote:
>
> * * *
>
> TTL: can change the TTL value that ping returns
>
> Author: Harald Welte <laforge@gnumonks.org>
> Status: Stable, needs new checksum handling
>
> This adds an iptables TTL manipulation target, which enables the user
> to set the TTL value of an IP packet or to increment / decrement it
> by a given value.
>
> Examples:
>
> iptables -t mangle -A OUTPUT -o eth0 -j TTL --ttl-set 128
>
>
> connlimit: limits the number of concurrent connections from the same IP.
>
> Author: Gerd Knorr <kraxel@bytesex.org>
> Status: ItWorksForMe[tm]
>
> This adds an iptables match which allows you to restrict the
> number of parallel TCP connections to a server per client IP address
> (or address block).
>
> Examples:
>
> # allow 2 telnet connections per client host
> iptables -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT
>
> # you can also match the other way around:
> iptables -p tcp --syn --dport 23 -m connlimit ! --connlimit-above 2 -j ACCEPT
>
> # limit the nr of parallel http requests to 16 per class C sized
> # network (24 bit netmask)
> iptables -p tcp --syn --dport 80 -m connlimit --connlimit-above 16 \
>     --connlimit-mask 24 -j REJECT
>
>
> time: time-based scheduling
>
> Author: Fabrice MARIE <fabrice@netfilter.org>
> Status: It Works For Me.
>
> This option adds CONFIG_IP_NF_MATCH_TIME, which supplies a time match module.
> This match allows you to filter based on the packet arrival time
> (arrival time at the machine which the netfilter is running on) or
> departure time (for locally generated packets).
>
> Supported options are:
>
> --timestart HH:MM
> The starting point of the time match frame.
>
> --timestop HH:MM
> The stopping point of the time match frame.
>
> --days Tue,Mon...
> Days of the week to match, separated by a comma, no space
> (one of Sun,Mon,Tue,Wed,Thu,Fri,Sat)
>
> Example:
>
> -A INPUT -m time --timestart 8:00 --timestop 18:00 --days Mon,Tue,Wed,Thu,Fri
>
> will match packets that have an arrival timestamp in the range 8:00->18:00 from Monday
> to Friday.
>
> -A OUTPUT -m time --timestart 8:00 --timestop 18:00 --days Mon
>
> will match the packets (locally generated) that have a departure timestamp
> in the range 8:00->18:00 on Monday only.
>
> * * *

The attachment below contains the module files for iptables 1.2.9.

RH AS 3 ships with version 1.2.8. You need to upgrade to iptables 1.2.9, or recompile 1.2.8 with the time and connlimit lib libraries added, before they can be used.

After downloading and unpacking, just run modadd.

152* * *

_小毅 posted on 04-09-2004 19:13:_

The attachment below contains the module files for iptables version 1.2.8!!

Only the TTL and iplimit modules... iplimit's function and usage are the same as connlimit's; it's just that the iptables 1.2.8 lib only has libiplimit.so, with no connlimit or time lib....

After downloading and unpacking, run modadd.

180* * *

_小毅 posted on 04-09-2004 19:32:_

**There is also a module that supports NetMeeting voice: h323-conntrack-nat**

Description:

> quote:
>
> * * *
>
> h323-conntrack-nat: module that supports NetMeeting voice
>
> Author: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
> Status: Alpha
>
> This adds CONFIG_IP_NF_H323: H.323/netmeeting support module for netfilter
> connection tracking and NAT. H.323 uses/relies on the following data streams:
>
> Port     Description
> 389      Internet Locator Server (TCP)
> 522      User Location Server (TCP)
> 1503     T.120 Protocol (TCP)
> 1720     H.323 (H.225 call setup, TCP)
> 1731     Audio call control (TCP)
> Dynamic  H.245 call control (TCP)
> Dynamic  RTCP/RTP streaming (UDP)
>
> The H.323 conntrack/NAT modules support the connection tracking/NATing of
> the data streams requested on the dynamic ports. The helpers use the
> search/rep