Configuring Xtables-Addons and GeoIP with iptables on CentOS 6 to block a country's IPs


Today traffic on the server surged. The IPs were all from China and the access pattern was clearly not normal; php-fpm was pinned at 100% CPU and the site opened very slowly. I had already used iptables to limit connections, but because no single IP ever reached the per-IP connection threshold, that limit did nothing, so the only option left was to block IPs from a whole region. Xtables-Addons is exactly the module for this: you compile only the module, not the kernel, and it works together with iptables to filter IPs from a given region.

Step 1: check the system's iptables version. Xtables-Addons must match the iptables version; for example, iptables 1.4.7 needs the corresponding Xtables-Addons 1.47.

# uname -r
2.6.32-358.18.1.el6.x86_64
# iptables -V
iptables v1.4.7

So download Xtables-Addons 1.47. SELinux also needs to be disabled: edit /etc/selinux/config, set it to disabled, and apply it immediately with: echo 0 > /selinux/enforce.

Step 2: install the perl-Text-CSV_XS dependency

# yum install gcc gcc-c++ make automake unzip zip xz kernel-devel-`uname -r` iptables-devel
# rpm -Uvh http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.3-1.el6.rf.x86_64.rpm
# yum -y install perl-Text-CSV_XS

Step 3: download and compile the xtables-addons module

# wget http://sourceforge.net/projects/xtables-addons/files/Xtables-addons/1.47/xtables-addons-1.47.tar.xz/download
# tar xf xtables-addons-1.47.tar.xz
# cd xtables-addons-1.47
# ./configure
# make
# make install

If ./configure fails with the error configure: error: Package requirements (xtables >= 1.4.5) were not met: No package 'xtables' found, the output looks like this:

checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... /bin/mkdir -p
checking for gawk... gawk
checking whether make sets $(MAKE)... yes
checking whether make supports nested variables... yes
checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables...
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking for style of include used by make... GNU
checking dependency style of gcc... gcc3
checking whether gcc and cc understand -c and -o together... yes
checking for ar... ar
checking the archiver (ar) interface... ar
checking build system type... x86_64-unknown-linux-gnu
checking host system type... x86_64-unknown-linux-gnu
checking how to print strings... printf
checking for a sed that does not truncate output... /bin/sed
checking for grep that handles long lines and -e... /bin/grep
checking for egrep... /bin/grep -E
checking for fgrep... /bin/grep -F
checking for ld used by gcc... /usr/bin/ld
checking if the linker (/usr/bin/ld) is GNU ld... yes
checking for BSD- or MS-compatible name lister (nm)... /usr/bin/nm -B
checking the name lister (/usr/bin/nm -B) interface... BSD nm
checking whether ln -s works... yes
checking the maximum length of command line arguments... 1966080
checking whether the shell understands some XSI constructs... yes
checking whether the shell understands "+="... yes
checking how to convert x86_64-unknown-linux-gnu file names to x86_64-unknown-linux-gnu format... func_convert_file_noop
checking how to convert x86_64-unknown-linux-gnu file names to toolchain format... func_convert_file_noop
checking for /usr/bin/ld option to reload object files... -r
checking for objdump... objdump
checking how to recognize dependent libraries... pass_all
checking for dlltool... no
checking how to associate runtime and link libraries... printf %s\n
checking for archiver @FILE support... @
checking for strip... strip
checking for ranlib... ranlib
checking command to parse /usr/bin/nm -B output from gcc object... ok
checking for sysroot... no
checking for mt... no
checking if : is a manifest tool... no
checking how to run the C preprocessor... gcc -E
checking for ANSI C header files... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking for dlfcn.h... yes
checking for objdir... .libs
checking if gcc supports -fno-rtti -fno-exceptions... no
checking for gcc option to produce PIC... -fPIC -DPIC
checking if gcc PIC flag -fPIC -DPIC works... yes
checking if gcc static flag -static works... no
checking if gcc supports -c -o file.o... yes
checking if gcc supports -c -o file.o... (cached) yes
checking whether the gcc linker (/usr/bin/ld -m elf_x86_64) supports shared libraries... yes
checking whether -lc should be explicitly linked in... no
checking dynamic linker characteristics... GNU/Linux ld.so
checking how to hardcode library paths into programs... immediate
checking whether stripping libraries is possible... yes
checking if libtool supports shared libraries... yes
checking whether to build shared libraries... yes
checking whether to build static libraries... no
checking linux/netfilter/x_tables.h usability... yes
checking linux/netfilter/x_tables.h presence... yes
checking for linux/netfilter/x_tables.h... yes
checking for pkg-config... /usr/bin/pkg-config
checking pkg-config is at least version 0.9.0... yes
checking for libxtables... no
configure: error: Package requirements (xtables >= 1.4.5) were not met:
No package 'xtables' found
Consider adjusting the PKG_CONFIG_PATH environment variable if you
installed software in a non-standard prefix.
Alternatively, you may set the environment variables libxtables_CFLAGS
and libxtables_LIBS to avoid the need to call pkg-config.
See the pkg-config man page for more details.

In that case install the iptables development package iptables-devel: # yum -y install iptables-devel

Step 4: download and install the GeoIP database. You can download the CSV version from http://geolite.maxmind.com/download/geoip/database/, or use the xt_geoip_dl script in the geoip directory of the xtables-addons source tree:

# cd geoip/

# ./xt_geoip_dl

This downloads GeoIPv6.csv.gz and GeoIPCountryCSV.zip and unpacks them, giving the IP database files GeoIPv6.csv and GeoIPCountryWhois.csv. Next, build the database with xt_geoip_build:

# mkdir -p /usr/share/xt_geoip/ # create the default location for the database files

# ./xt_geoip_build -D /usr/share/xt_geoip *.csv # build the database files

When this finishes, two directories, BE and LE, are generated, each holding one .iv4 and one .iv6 file per country.
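To see what xt_geoip_build writes into those BE/ and LE/ files, and to check which country code a geoip --src-cc match would assign to an address before a DROP rule goes in, here is an added Python example (my own code, not part of the original post or of the Xtables-Addons project). It parses a constructed sample in the GeoIPCountryWhois.csv layout and packs each country's ranges into the uint32 (start, end) pair layout of the CC.iv4 files; the sample rows are made up.

```python
import csv
import io
import struct
from ipaddress import IPv4Address

# Constructed sample rows in the GeoIPCountryWhois.csv layout the post downloads:
# start IP, end IP, start as integer, end as integer, country code, country name.
SAMPLE_CSV = """\
"1.0.0.0","1.0.0.255","16777216","16777471","AU","Australia"
"1.0.1.0","1.0.3.255","16777472","16778239","CN","China"
"1.0.4.0","1.0.7.255","16778240","16779263","AU","Australia"
"1.0.8.0","1.0.15.255","16779264","16781311","CN","China"
"""


def parse_ranges(text):
    """Group (start, end) integer ranges by country code, as xt_geoip_build does."""
    ranges = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 6:
            continue  # skip blank or malformed lines rather than aborting the build
        start, end, cc = int(row[2]), int(row[3]), row[4]
        # The dotted and integer columns must agree; a mismatch means a corrupt download.
        if int(IPv4Address(row[0])) != start or int(IPv4Address(row[1])) != end:
            raise ValueError("dotted and integer columns disagree: %r" % row)
        ranges.setdefault(cc, []).append((start, end))
    return ranges


def pack_iv4(pairs, big_endian):
    """Serialize ranges the way the BE/ and LE/ CC.iv4 files store them:
    consecutive uint32 (start, end) pairs, 8 bytes per range, sorted by start."""
    fmt = ">II" if big_endian else "<II"
    return b"".join(struct.pack(fmt, s, e) for s, e in sorted(pairs))


def build_database(text):
    """Return {"BE": {"CN.iv4": bytes, ...}, "LE": {...}} in memory instead of
    writing under /usr/share/xt_geoip, so the result can be inspected offline."""
    ranges = parse_ranges(text)
    return {
        "BE": {cc + ".iv4": pack_iv4(p, True) for cc, p in ranges.items()},
        "LE": {cc + ".iv4": pack_iv4(p, False) for cc, p in ranges.items()},
    }


def lookup(text, ip):
    """Country code that a geoip --src-cc match would see for ip, or None if unlisted."""
    n = int(IPv4Address(ip))
    for cc, pairs in parse_ranges(text).items():
        if any(s <= n <= e for s, e in pairs):
            return cc
    return None
```

Running lookup() against your own management address with the real CSV is a cheap way to confirm that the all-ports DROP rule in the next step will not lock you out.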

Step 5: add the filter rule to block IPs from China:

# iptables -I INPUT -m geoip --src-cc CN -j DROP # note: this blocks access to all ports

# iptables -I INPUT -p tcp -m tcp --dport 80 -m geoip --src-cc CN -j DROP # block port 80 only

At this point addresses in China can no longer reach the site, and the rules can be saved: service iptables save

2019/10/10 17:46:43 | Google SEO algorithm | SEO tools