Today traffic on the server spiked. The IPs all came from China and were clearly not normal visitors; they drove php-fpm to 100% CPU and made the site extremely slow. iptables was already limiting connections per IP, but because no single IP ever reached the connection threshold, that limit never triggered, so the only option left was to block IPs by region. Xtables-Addons is the module for exactly this: it only has to be compiled as a module, with no kernel rebuild, and it works together with iptables to filter IPs from a given region.
第一步:检查系统iptables版本,Xtables-Addons要与iptables版本一致,例如iptables是1.4.7,就需要对应在的Xtables-Addons 1.47.
- #uname-r
- 2.6.32-358.18.1.el6.x86_64
- #iptables-V
- iptablesv1.4.7
So Xtables-Addons 1.47 is the one to download. SELinux also has to be turned off: edit /etc/selinux/config, set it to disabled, and make the change effective with echo 0 > /selinux/enforce.
Step 2: install the perl-Text-CSV_XS dependency.
- # yum install gcc gcc-c++ make automake unzip zip xz kernel-devel-`uname -r` iptables-devel
- # rpm -Uvh http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.3-1.el6.rf.x86_64.rpm
- # yum -y install perl-Text-CSV_XS
Step 3: download and compile the xtables-addons module.
- # wget http://sourceforge.net/projects/xtables-addons/files/Xtables-addons/1.47/xtables-addons-1.47.tar.xz/download
- # tar xf xtables-addons-1.47.tar.xz
- # cd xtables-addons-1.47
- # ./configure
- # make
- # make install
If ./configure fails with "configure: error: Package requirements (xtables >= 1.4.5) were not met: No package 'xtables' found", the output looks like this:
- checking for a BSD-compatible install... /usr/bin/install -c
- checking whether build environment is sane... yes
- checking for a thread-safe mkdir -p... /bin/mkdir -p
- checking for gawk... gawk
- checking whether make sets $(MAKE)... yes
- checking whether make supports nested variables... yes
- checking for gcc... gcc
- checking whether the C compiler works... yes
- checking for C compiler default output file name... a.out
- checking for suffix of executables...
- checking whether we are cross compiling... no
- checking for suffix of object files... o
- checking whether we are using the GNU C compiler... yes
- checking whether gcc accepts -g... yes
- checking for gcc option to accept ISO C89... none needed
- checking for style of include used by make... GNU
- checking dependency style of gcc... gcc3
- checking whether gcc and cc understand -c and -o together... yes
- checking for ar... ar
- checking the archiver (ar) interface... ar
- checking build system type... x86_64-unknown-linux-gnu
- checking host system type... x86_64-unknown-linux-gnu
- checking how to print strings... printf
- checking for a sed that does not truncate output... /bin/sed
- checking for grep that handles long lines and -e... /bin/grep
- checking for egrep... /bin/grep -E
- checking for fgrep... /bin/grep -F
- checking for ld used by gcc... /usr/bin/ld
- checking if the linker (/usr/bin/ld) is GNU ld... yes
- checking for BSD- or MS-compatible name lister (nm)... /usr/bin/nm -B
- checking the name lister (/usr/bin/nm -B) interface... BSD nm
- checking whether ln -s works... yes
- checking the maximum length of command line arguments... 1966080
- checking whether the shell understands some XSI constructs... yes
- checking whether the shell understands "+="... yes
- checking how to convert x86_64-unknown-linux-gnu file names to x86_64-unknown-linux-gnu format... func_convert_file_noop
- checking how to convert x86_64-unknown-linux-gnu file names to toolchain format... func_convert_file_noop
- checking for /usr/bin/ld option to reload object files... -r
- checking for objdump... objdump
- checking how to recognize dependent libraries... pass_all
- checking for dlltool... no
- checking how to associate runtime and link libraries... printf %s\n
- checking for archiver @FILE support... @
- checking for strip... strip
- checking for ranlib... ranlib
- checking command to parse /usr/bin/nm -B output from gcc object... ok
- checking for sysroot... no
- checking for mt... no
- checking if : is a manifest tool... no
- checking how to run the C preprocessor... gcc -E
- checking for ANSI C header files... yes
- checking for sys/types.h... yes
- checking for sys/stat.h... yes
- checking for stdlib.h... yes
- checking for string.h... yes
- checking for memory.h... yes
- checking for strings.h... yes
- checking for inttypes.h... yes
- checking for stdint.h... yes
- checking for unistd.h... yes
- checking for dlfcn.h... yes
- checking for objdir... .libs
- checking if gcc supports -fno-rtti -fno-exceptions... no
- checking for gcc option to produce PIC... -fPIC -DPIC
- checking if gcc PIC flag -fPIC -DPIC works... yes
- checking if gcc static flag -static works... no
- checking if gcc supports -c -o file.o... yes
- checking if gcc supports -c -o file.o... (cached) yes
- checking whether the gcc linker (/usr/bin/ld -m elf_x86_64) supports shared libraries... yes
- checking whether -lc should be explicitly linked in... no
- checking dynamic linker characteristics... GNU/Linux ld.so
- checking how to hardcode library paths into programs... immediate
- checking whether stripping libraries is possible... yes
- checking if libtool supports shared libraries... yes
- checking whether to build shared libraries... yes
- checking whether to build static libraries... no
- checking linux/netfilter/x_tables.h usability... yes
- checking linux/netfilter/x_tables.h presence... yes
- checking for linux/netfilter/x_tables.h... yes
- checking for pkg-config... /usr/bin/pkg-config
- checking pkg-config is at least version 0.9.0... yes
- checking for libxtables... no
- configure: error: Package requirements (xtables >= 1.4.5) were not met:
- No package 'xtables' found
- Consider adjusting the PKG_CONFIG_PATH environment variable if you
- installed software in a non-standard prefix.
- Alternatively, you may set the environment variables libxtables_CFLAGS
- and libxtables_LIBS to avoid the need to call pkg-config.
- See the pkg-config man page for more details.
In that case install the iptables development package, iptables-devel: # yum -y install iptables-devel
Step 4: download and install the GeoIP database. You can fetch the CSV version from http://geolite.maxmind.com/download/geoip/database/ yourself, or use the xt_geoip_dl script in the geoip directory of the xtables-addons source tree to download it:
# cd geoip/
# ./xt_geoip_dl
This downloads GeoIPv6.csv.gz and GeoIPCountryCSV.zip and unpacks them, giving the IP database files GeoIPv6.csv and GeoIPCountryWhois.csv. Next, compile the database with xt_geoip_build:
# mkdir -p /usr/share/xt_geoip/ # create the default location for the database files
# ./xt_geoip_build -D /usr/share/xt_geoip *.csv # compile the database files
When it finishes, two directories, BE and LE, are generated; each holds the per-country .iv6 and .iv4 files.
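To make the database step less of a black box, here is an added example (not code from the post or from the xtables-addons project) that does in Python what xt_geoip_build does with the CSV: it parses rows in the legacy GeoIPCountryWhois.csv layout (start IP, end IP, start number, end number, country code, country name), cross-checks the dotted-quad columns against the numeric columns so a corrupt download cannot silently turn into a firewall rule, packs each country's ranges as (start, end) uint32 pairs in the big-endian layout of BE/<CC>.iv4 and the little-endian layout of LE/<CC>.iv4, and answers the same question the `-m geoip --src-cc` match answers: which country does this source address belong to? The sample rows are constructed from RFC 5737 documentation ranges with hypothetical country codes, not real MaxMind data.

```python
import bisect
import csv
import io
import ipaddress
import struct
from collections import defaultdict

# Constructed sample in the legacy GeoIPCountryWhois.csv layout that
# xt_geoip_build reads: start_ip, end_ip, start_num, end_num, cc, country.
# RFC 5737 documentation addresses with hypothetical country codes.
SAMPLE_CSV = '''"192.0.2.0","192.0.2.255","3221225984","3221226239","CN","China"
"198.51.100.0","198.51.100.127","3325256704","3325256831","US","United States"
"198.51.100.128","198.51.100.255","3325256832","3325256959","CN","China"
"203.0.113.0","203.0.113.255","3405803776","3405804031","DE","Germany"
'''


def parse_ranges(text):
    """Parse legacy GeoIP CSV text into {cc: [(start, end), ...]} with integer bounds.

    Rows whose dotted-quad columns disagree with the numeric columns, or whose
    start is above their end, are rejected instead of becoming bogus ranges.
    """
    ranges = defaultdict(list)
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 6:
            continue  # blank or malformed line
        start_ip, end_ip, cc = row[0], row[1], row[4]
        start_num, end_num = int(row[2]), int(row[3])
        if (int(ipaddress.IPv4Address(start_ip)) != start_num
                or int(ipaddress.IPv4Address(end_ip)) != end_num):
            raise ValueError("inconsistent row: %r" % (row,))
        if start_num > end_num:
            raise ValueError("inverted range: %r" % (row,))
        ranges[cc].append((start_num, end_num))
    for cc in ranges:
        ranges[cc].sort()
    return dict(ranges)


def build_iv4(ranges, cc, big_endian=True):
    """Pack one country's ranges as consecutive (start, end) uint32 pairs.

    big_endian=True gives the byte layout of BE/<CC>.iv4 (network order),
    False gives LE/<CC>.iv4; the kernel module loads whichever matches the host.
    """
    fmt = ">II" if big_endian else "<II"
    return b"".join(struct.pack(fmt, s, e) for s, e in ranges.get(cc, []))


def lookup(ranges, ip):
    """Return the country code whose range contains ip, or None if no range does."""
    n = int(ipaddress.IPv4Address(ip))
    flat = sorted((s, e, cc) for cc, lst in ranges.items() for s, e in lst)
    starts = [s for s, _, _ in flat]
    i = bisect.bisect_right(starts, n) - 1
    if i >= 0 and flat[i][0] <= n <= flat[i][1]:
        return flat[i][2]
    return None


def matches_src_cc(ranges, ip, cc):
    """What '-m geoip --src-cc CC' decides for a packet from ip."""
    return lookup(ranges, ip) == cc


RANGES = parse_ranges(SAMPLE_CSV)

if __name__ == "__main__":
    for cc in sorted(RANGES):
        be, le = build_iv4(RANGES, cc, True), build_iv4(RANGES, cc, False)
        print("%s: %d range(s), BE %d bytes, LE %d bytes" % (cc, len(RANGES[cc]), len(be), len(le)))
    for ip in ("192.0.2.10", "198.51.100.5", "198.51.100.200", "10.0.0.1"):
        print(ip, "->", lookup(RANGES, ip), "drop:", matches_src_cc(RANGES, ip, "CN"))
```

Run it on the unpacked GeoIPCountryWhois.csv by passing the file's contents to `parse_ranges` instead of `SAMPLE_CSV`; the lookups then show which of your own client addresses a `--src-cc CN` rule would match before you insert it, which matters most for the all-ports variant of the rule, since it drops administrative traffic from that region as well as web traffic.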
Step 5: add the filter rule that blocks IPs from China:
# iptables -I INPUT -m geoip --src-cc CN -j DROP # note: this blocks access to all ports
# iptables -I INPUT -p tcp -m tcp --dport 80 -m geoip --src-cc CN -j DROP # blocks port 80 only
From this point China can no longer reach the site, and the rules can be saved: service iptables save