This article walks through an example of configuring Xtables-Addons and GeoIP with iptables on CentOS 6 to block all IP addresses from a given country; hopefully it is useful.
Today traffic on the server spiked. The IPs all came from China and were not normal visitors, which drove php-fpm to 100% CPU and made the site extremely slow. iptables was already limiting the number of connections, but because no single IP reached the per-IP connection limit, that rule could not help, and the only remaining option was to block IPs from a whole region. Xtables-Addons is exactly the module for this: you only need to compile the module, not the kernel, and it works together with iptables to filter IPs from a given region.
Step 1: check the system's iptables version. Xtables-Addons must match the iptables version; for example, iptables 1.4.7 requires the corresponding Xtables-Addons 1.47:
# uname -r
2.6.32-358.18.1.el6.x86_64
# iptables -V
iptables v1.4.7
So Xtables-Addons 1.47 is the one to download.
SELinux must also be turned off: edit /etc/selinux/config, set it to disabled, and make the change effective immediately with echo 0 > /selinux/enforce.
Step 2: install the build dependencies and the perl-Text-CSV_XS package
# yum install gcc gcc-c++ make automake unzip zip xz kernel-devel-`uname -r` iptables-devel
# rpm -Uvh http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.3-1.el6.rf.x86_64.rpm
# yum -y install perl-Text-CSV_XS
Step 3: download and compile the xtables-addons module (the -O option is needed because SourceForge's download URL ends in "download" and wget would otherwise save the archive under that name)
# wget -O xtables-addons-1.47.tar.xz http://sourceforge.net/projects/xtables-addons/files/Xtables-addons/1.47/xtables-addons-1.47.tar.xz/download
# tar xf xtables-addons-1.47.tar.xz
# cd xtables-addons-1.47
# ./configure
# make
# make install
If ./configure fails with the error configure: error: Package requirements (xtables >= 1.4.5) were not met: No package 'xtables' found, the output looks like this:
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... /bin/mkdir -p
checking for gawk... gawk
checking whether make sets $(MAKE)... yes
checking whether make supports nested variables... yes
checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables...
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking for style of include used by make... GNU
checking dependency style of gcc... gcc3
checking whether gcc and cc understand -c and -o together... yes
checking for ar... ar
checking the archiver (ar) interface... ar
checking build system type... x86_64-unknown-linux-gnu
checking host system type... x86_64-unknown-linux-gnu
checking how to print strings... printf
checking for a sed that does not truncate output... /bin/sed
checking for grep that handles long lines and -e... /bin/grep
checking for egrep... /bin/grep -E
checking for fgrep... /bin/grep -F
checking for ld used by gcc... /usr/bin/ld
checking if the linker (/usr/bin/ld) is GNU ld... yes
checking for BSD- or MS-compatible name lister (nm)... /usr/bin/nm -B
checking the name lister (/usr/bin/nm -B) interface... BSD nm
checking whether ln -s works... yes
checking the maximum length of command line arguments... 1966080
checking whether the shell understands some XSI constructs... yes
checking whether the shell understands "+="... yes
checking how to convert x86_64-unknown-linux-gnu file names to x86_64-unknown-linux-gnu format... func_convert_file_noop
checking how to convert x86_64-unknown-linux-gnu file names to toolchain format... func_convert_file_noop
checking for /usr/bin/ld option to reload object files... -r
checking for objdump... objdump
checking how to recognize dependent libraries... pass_all
checking for dlltool... no
checking how to associate runtime and link libraries... printf %s\n
checking for archiver @FILE support... @
checking for strip... strip
checking for ranlib... ranlib
checking command to parse /usr/bin/nm -B output from gcc object... ok
checking for sysroot... no
checking for mt... no
checking if : is a manifest tool... no
checking how to run the C preprocessor... gcc -E
checking for ANSI C header files... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking for dlfcn.h... yes
checking for objdir... .libs
checking if gcc supports -fno-rtti -fno-exceptions... no
checking for gcc option to produce PIC... -fPIC -DPIC
checking if gcc PIC flag -fPIC -DPIC works... yes
checking if gcc static flag -static works... no
checking if gcc supports -c -o file.o... yes
checking if gcc supports -c -o file.o... (cached) yes
checking whether the gcc linker (/usr/bin/ld -m elf_x86_64) supports shared libraries... yes
checking whether -lc should be explicitly linked in... no
checking dynamic linker characteristics... GNU/Linux ld.so
checking how to hardcode library paths into programs... immediate
checking whether stripping libraries is possible... yes
checking if libtool supports shared libraries... yes
checking whether to build shared libraries... yes
checking whether to build static libraries... no
checking linux/netfilter/x_tables.h usability... yes
checking linux/netfilter/x_tables.h presence... yes
checking for linux/netfilter/x_tables.h... yes
checking for pkg-config... /usr/bin/pkg-config
checking pkg-config is at least version 0.9.0... yes
checking for libxtables... no
configure: error: Package requirements (xtables >= 1.4.5) were not met:
No package 'xtables' found
Consider adjusting the PKG_CONFIG_PATH environment variable if you
installed software in a non-standard prefix.
Alternatively, you may set the environment variables libxtables_CFLAGS
and libxtables_LIBS to avoid the need to call pkg-config.
See the pkg-config man page for more details.
then install the iptables development package, iptables-devel:
# yum -y install iptables-devel
Step 4: download and install the GeoIP database. You can download the CSV version from http://geolite.maxmind.com/download/geoip/database/, or use the xt_geoip_dl script in the geoip directory of the xtables-addons source tree:
# cd geoip/
# ./xt_geoip_dl
This downloads GeoIPv6.csv.gz and GeoIPCountryCSV.zip and unpacks them, yielding the IP database files GeoIPv6.csv and GeoIPCountryWhois.csv. Next, build the binary database with xt_geoip_build:
# mkdir -p /usr/share/xt_geoip/ # create the default directory for the database files
# ./xt_geoip_build -D /usr/share/xt_geoip *.csv # build the database files
Once it finishes, two directories, BE and LE, are generated; the files saved under them are the .iv6 and .iv4 files.
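As an added check that is not part of the original post, the following POSIX shell script verifies that the database built above actually contains files for the country code you are about to block, and reports how many IPv4 ranges it holds. It assumes the default directory /usr/share/xt_geoip from the mkdir step and the BE/LE layout described above; the function names are my own, and the record size used in geoip_db_ranges (two 4-byte addresses per IPv4 range) is the format xt_geoip_build writes.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check the database that
# xt_geoip_build wrote before relying on it in a rule.  Assumes the layout the
# post describes: DBDIR/BE and DBDIR/LE, each holding <CC>.iv4 and <CC>.iv6.

# geoip_db_check DBDIR CC...
# Reports every missing or empty file for the given country codes and
# returns non-zero if any was found, so a bad build surfaces here rather
# than when the rule is added.
geoip_db_check() {
    dbdir=$1; shift
    rc=0
    for cc in "$@"; do
        for order in BE LE; do
            for fam in iv4 iv6; do
                f="$dbdir/$order/$cc.$fam"
                if [ ! -s "$f" ]; then
                    echo "missing or empty: $f"
                    rc=1
                fi
            done
        done
    done
    return $rc
}

# geoip_db_ranges DBDIR CC
# Each .iv4 record is a pair of 4-byte addresses (range start, range end),
# so the number of IPv4 ranges stored for a country is the file size / 8.
geoip_db_ranges() {
    f="$1/LE/$2.iv4"
    [ -s "$f" ] || return 1
    echo $(( $(wc -c < "$f") / 8 ))
}

# Usage on the host set up above (country code CN as in the post's rule):
if geoip_db_check /usr/share/xt_geoip CN; then
    echo "CN: $(geoip_db_ranges /usr/share/xt_geoip CN) IPv4 ranges"
fi
```

Run it once after xt_geoip_build and again after every database refresh; a country whose files are missing or empty is the usual reason a geoip rule appears to match nothing.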
Step 5: add the filter rule that blocks IP addresses from China:
# iptables -I INPUT -m geoip --src-cc CN -j DROP # note: this blocks access to all ports
# iptables -I INPUT -p tcp -m tcp --dport 80 -m geoip --src-cc CN -j DROP # blocks access to port 80 only
At this point, addresses in China can no longer reach the site, and the rules can be saved with: service iptables save
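The two rules above are what the post applies by hand. The following added script (not from the original post) generates the same kind of geoip rules for any set of country codes and ports, keeps them in a dedicated chain hooked at the top of INPUT, logs a rate-limited sample of what is dropped so the block can be verified in the system log, and rebuilds the chain from scratch on every run so it stays idempotent without needing newer iptables features. The chain name GEOIP_BLOCK, the log prefix, the 5/min rate and the CN 80 443 sample are assumptions of mine; the match syntax -m geoip --src-cc is the one the post uses.

```shell
#!/bin/sh
# Added example (not from the original post): geoip block rules in their own
# chain, with a rate-limited LOG rule ahead of each DROP.  Chain name, log
# prefix and rate are assumptions; the match is the post's -m geoip --src-cc.

CHAIN=GEOIP_BLOCK

# geoip_rule_specs CC PORT... -> one rule specification per line, in the
# order they should be appended.  PORT "any" blocks every port (the post's
# first rule); a number restricts the block to that TCP port (its second).
geoip_rule_specs() {
    cc=$1; shift
    for port in "$@"; do
        if [ "$port" = any ]; then
            match="-m geoip --src-cc $cc"
        else
            match="-p tcp -m tcp --dport $port -m geoip --src-cc $cc"
        fi
        echo "$match -m limit --limit 5/min -j LOG --log-prefix geoip-drop-$cc:"
        echo "$match -j DROP"
    done
}

# geoip_apply CC PORT... -> create the chain, flush it so re-runs never stack
# duplicate rules, hook it at the top of INPUT once, then append the rules.
geoip_apply() {
    iptables -N "$CHAIN" 2>/dev/null || true
    iptables -F "$CHAIN"
    iptables -nL INPUT | grep -q "^$CHAIN " || iptables -I INPUT -j "$CHAIN"
    geoip_rule_specs "$@" | while IFS= read -r spec; do
        # $spec is intentionally unquoted: it is a list of separate arguments
        iptables -A "$CHAIN" $spec
    done
}

# geoip_module_loaded -> 0 if the xt_geoip kernel module built above is
# loaded (adding the first -m geoip rule normally loads it automatically).
geoip_module_loaded() {
    lsmod | grep -q '^xt_geoip '
}

# Review mode (default) prints the rules for inspection; "apply" installs
# them and saves them the way the post does.  The country/port list is a
# constructed sample.
if [ "${1:-review}" = apply ]; then
    geoip_apply CN 80 443
    geoip_module_loaded || echo "warning: xt_geoip module not loaded" >&2
    iptables -nvL "$CHAIN"
    service iptables save
else
    geoip_rule_specs CN 80 443
fi
```

Run it without arguments first to review the generated rules, then with apply. The packet and byte counters shown by iptables -nvL, together with the geoip-drop- lines in the log, are the evidence that the block is actually matching the traffic that caused the problem.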