LinuxSir.cn, the LinuxSir that travels through time!

Views: 1606 | Replies: 9

Add-on modules for IPTABLES extended features on RH AS 3

Posted on 2004-4-9 19:10:47
I've recently been working on our school's gateway. Using IPTABLES, I needed some of its extended features, and those require downloading kernel patches and recompiling before they can be used..
To make things easier for everyone, I've compiled three commonly used features into modules and posted them here for you to use. The three modules are: TTL, connlimit, time.
Details are as follows:

TTL: lets you change the TTL value returned by ping

Author: Harald Welte <laforge@gnumonks.org>  
Status: Stable, needs new checksum handling


This adds an iptables TTL manipulation target, which enables the user
to set the TTL value of an IP packet or to increment / decrement it
by a given value.

Examples:

iptables -t mangle -A OUTPUT -o eth0 -j TTL --ttl-set 128


connlimit: limits the number of concurrent connections from the same IP.
Author: Gerd Knorr <kraxel@bytesex.org>  
Status: ItWorksForMe[tm]


This adds an iptables match which allows you to restrict the
number of parallel TCP connections to a server per client IP address
(or address block).

Examples:

# allow 2 telnet connections per client host
iptables -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT

# you can also match the other way around:
iptables -p tcp --syn --dport 23 -m connlimit ! --connlimit-above 2 -j ACCEPT

# limit the nr of parallel http requests to 16 per class C sized
# network (24 bit netmask)
iptables -p tcp --syn --dport 80 -m connlimit --connlimit-above 16 \
        --connlimit-mask 24 -j REJECT


time: time-scheduling feature

Author: Fabrice MARIE <fabrice@netfilter.org>  
Status: It Works For Me.

This option adds CONFIG_IP_NF_MATCH_TIME, which supplies a time match module.
This match allows you to filter based on the packet arrival time
(arrival time at the machine which the netfilter is running on) or
departure time (for locally generated packets).

Supported options are:
--timestart HH:MM
  The starting point of the time match frame.

--timestop HH:MM
  The stopping point of the time match frame

--days Tue,Mon...
  Days of the week to match, separated by a comma, no space
  (one of Sun,Mon,Tue,Wed,Thu,Fri,Sat)

Example:
  -A INPUT -m time --timestart 8:00 --timestop 18:00 --days Mon,Tue,Wed,Thu,Fri
  will match packets that have an arrival timestamp in the range 8:00->18:00 from Monday
  to Friday.

  -A OUTPUT -m time --timestart 8:00 --timestop 18:00 --days Mon
  will match the packets (locally generated) that have a departure timestamp
  in the range 8:00->18:00 on Monday only.



The attachment below contains the module files for iptables 1.2.9....
RH AS 3 ships with version 1.2.8. You need to upgrade to iptables 1.2.9, or recompile 1.2.8 with the time and connlimit lib libraries added, before they can be used..


After downloading and extracting, just run modadd...
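Added example, not code from the post or from netfilter: a Python simulation of the decision the connlimit match described above makes for a new SYN, run over a constructed connection table. It assumes, consistent with the post's "allow 2 telnet connections" example for `--connlimit-above 2`, that the connection being evaluated is counted along with the existing ones.

```python
import ipaddress

# Constructed sample of the conntrack table on the gateway: (client IP, server
# port) for each TCP connection currently open.  Not real traffic.
TRACKED_CONNECTIONS = [
    ("192.0.2.10", 80), ("192.0.2.11", 80), ("192.0.2.12", 80),
    ("192.0.2.13", 80), ("192.0.2.10", 80), ("192.0.2.10", 23),
    ("198.51.100.7", 80), ("198.51.100.7", 80),
]


def network_key(ip, mask_bits):
    """Collapse a client address to its network under --connlimit-mask.

    mask_bits=32 means per host (as in the telnet example above);
    mask_bits=24 groups a whole class C sized block together.
    """
    return str(ipaddress.ip_network(f"{ip}/{mask_bits}", strict=False))


def count_parallel(connections, ip, dport, mask_bits):
    """Count tracked connections to dport from the same masked network as ip."""
    key = network_key(ip, mask_bits)
    return sum(1 for src, port in connections
               if port == dport and network_key(src, mask_bits) == key)


def connlimit_above(connections, ip, dport, above, mask_bits=32, invert=False):
    """Decide whether `-m connlimit [!] --connlimit-above ABOVE
    --connlimit-mask MASK_BITS` matches a new SYN from ip to dport.

    Assumption (fits the post's "allow 2 telnet connections" example with
    --connlimit-above 2): the connection being evaluated is counted too, so
    the match fires once the total exceeds ABOVE; `!` inverts the result.
    """
    total = count_parallel(connections, ip, dport, mask_bits) + 1
    matched = total > above
    return (not matched) if invert else matched


if __name__ == "__main__":
    # Third telnet SYN from a host that already has two: the REJECT rule matches.
    table = TRACKED_CONNECTIONS + [("192.0.2.10", 23)]
    print(connlimit_above(table, "192.0.2.10", 23, above=2))               # True
    # 16-per-/24 HTTP limit: 192.0.2.0/24 has 5 open, so a 6th is still allowed.
    print(connlimit_above(TRACKED_CONNECTIONS, "192.0.2.99", 80, 16, 24))  # False
```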

OP | Posted on 2004-4-9 19:13:31
The attachment below contains the module files for iptables version 1.2.8!!

Only the TTL and iplimit modules... iplimit's function and usage are the same as connlimit's; it's just that the iptables 1.2.8 lib only has libiplimit.so and lacks the connlimit and time libs....


After downloading and extracting, just run modadd

OP | Posted on 2004-4-9 19:32:22

There's also a module that supports NetMeeting voice: h323-conntrack-nat

Description:

h323-conntrack-nat: module supporting NetMeeting voice
Author: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>  
Status: Alpha



This adds CONFIG_IP_NF_H323: H.323/netmeeting support module for netfilter
connection tracking and NAT. H.323 uses/relies on the following data streams:

        Port        Description
        389         Internet Locator Server (TCP)
        522         User Location Server (TCP)
        1503        T.120 Protocol (TCP)
        1720        H.323 (H.225 call setup, TCP)
        1731        Audio call control (TCP)
        Dynamic     H.245 call control (TCP)
        Dynamic     RTCP/RTP streaming (UDP)

The H.323 conntrack/NAT modules support the connection tracking/NATing of
the data streams requested on the dynamic ports. The helpers use the
search/replace hack from the ip_masq_h323.c module for the 2.2 kernel
series.

At the very minimum, H.323/netmeeting (video/audio) is functional by letting
through the 1720 port and loading these H.323 module(s).

The H.323 conntrack/NAT modules do not support

- H.245 tunnelling
- H.225 RAS (gatekeepers)



Haven't compiled it yet, heh.. anyone interested?
OP | Posted on 2004-4-10 10:45:14
Nobody wants it!!??
Dizzy~~~
Posted on 2004-6-28 17:47:34
Thanks!
Posted on 2004-6-28 17:53:42
I haven't needed to use this yet, hehe
Posted on 2004-6-28 19:26:36
You can compile all of these yourself. Just like compiling your own kernel!
Posted on 2004-6-29 11:25:01
I want it. How do I set up a host as a gateway SERVER??
Please advise, thanks!
Posted on 2005-1-5 10:28:03

TTL

I want to fix TTL=127. How should I configure that?
Posted on 2005-9-27 15:50:44
Great, I've been looking for the NetMeeting patch all along