1.内核版本检查
[root@seker SRPMS]# uname -a
Linux seker 2.6.18-92.el5 #1 SMP Tue Jun 10 18:49:47 EDT 2008 i686 i686 i386 GNU/Linux

RPM 源码包要选择与当前系统内核版本一致的。下载地址: [url]http://rpmfind.net/linux/sourceforge/l/li/linux-ntfs/[/url]

2.下载对应源码包
[root@seker SRPMS]# ls
kernel-2.6.18-92.el5.src.rpm
[root@seker SRPMS]# pwd
/usr/src/redhat/SRPMS

3.解开rpm源码包
[root@seker SRPMS]# useradd mockbuild
[root@seker SRPMS]# rpm -ivh kernel-2.6.18-92.el5.src.rpm
   1:kernel                 ################ [100%]
[root@seker SRPMS]#
[root@seker SPECS]# pwd
/usr/src/redhat/SPECS
[root@seker SPECS]# ls
kernel-2.6.spec
[root@seker SPECS]# rpmbuild -bp --target=$(uname -m) ./kernel-2.6.spec
Building target platforms: i686
Building for target i686
.....
+ exit 0
[root@seker kernel-2.6.18]# pwd
/usr/src/redhat/BUILD/kernel-2.6.18
[root@seker kernel-2.6.18]# ls
config  Config.mk  linux-2.6.18.i686  vanilla  xen

4.将内核源代码cp到 /usr/src目录
[root@seker kernel-2.6.18]#  cp -a linux-2.6.18.i686/ /usr/src/
[root@seker kernel-2.6.18]#  cd /usr/src/linux-2.6.18.i686

5.修改makefile头与OS上的内核相同
[root@seker linux-2.6.18.i686]# head -n4 Makefile
VERSION = 2
PATCHLEVEL = 6
SUBLEVEL = 18
EXTRAVERSION = -92.el5
[root@seker linux-2.6.18.i686]# uname -r
2.6.18-92.el5

6.下载各种软件
(下面的包都是通过 HTTP/FTP 明文下载的,之后会以 root 身份编译并加载进内核;下载后请先对照项目发布的校验和或签名(如有)核对文件,再继续解压。)
[root@seker src]# wget [url]http://ftp.netfilter.org/pub/pat[/url] ... ng-20080918.tar.bz2
[root@seker src]# wget [url]ftp://ftp.netfilter.org/pub/iptables/iptables-1.3.8.tar.bz2[/url]
[root@seker src]# wget [url]http://downloads.sourceforge.net[/url] ... s-2008-04-23.tar.gz
[root@seker src]# wget [url]http://ie.archive.ubuntu.com/sou[/url] ... -layer7-v2.9.tar.gz

7.解压软件包
[root@seker src]# tar jxvf patch-o-matic-ng-20080918.tar.bz2
[root@seker src]# tar jxvf iptables-1.3.8.tar.bz2
[root@seker src]# tar zxvf l7-protocols-2008-04-23.tar.gz
[root@seker src]# tar zxvf ipp2p-0.99.15.tar.gz
[root@seker src]# tar zxvf netfilter-layer7-v2.9.tar.gz

8.设置环境变量.下载补丁
[root@seker patch-o-matic-ng-20080918]# export KERNEL_DIR=/usr/src/linux-2.6.18.i686/
[root@seker patch-o-matic-ng-20080918]# export IPTABLES_DIR=/usr/src/iptables-1.3.8/
[root@seker patch-o-matic-ng-20080918]# export KERNEL_SRC=/usr/src/linux-2.6.18.i686/
[root@seker patch-o-matic-ng-20080918]# export IPTABLES_SRC=/usr/src/iptables-1.3.8/
[root@seker patch-o-matic-ng-20080918]#
[root@seker patch-o-matic-ng-20080918]# ./runme --download
.....
Successfully downloaded external patch connlimit
Successfully downloaded external patch ipp2p
Successfully downloaded external patch time
Excellent! Source trees are ready for compilation.

自带的IPP2P不要安装..我们用最新的.到这里下载.
[url]http://linux.chinaunix.net/bbs/thread-914377-1-2.html[/url]

[root@seker patch-o-matic-ng-20080918]# ./runme time
[root@seker patch-o-matic-ng-20080918]# ./runme connlimit

9.安装l7
[root@seker linux-2.6.18.i686]# patch -p1 < /usr/src/netfilter-layer7-v2.9/kernel-2.6.18-2.6.19-layer7-2.9.patch
[root@seker iptables-1.3.8]# patch -p1 < /usr/src/netfilter-layer7-v2.9/iptables-layer7-2.9.patch
[root@seker iptables-1.3.8]# chmod +x extensions/.layer7-test

10.编辑内核选上新添加的模块
[root@seker linux-2.6.18.i686]# make menuconfig
  Networking  --->   
    Networking options  --->
       
  [*] Network packet filtering (replaces ipchains)  --->
                    IP: Netfilter Configuration  --->
                        <M> Layer 7 match support (EXPERIMENTAL)
                        <M> TIME match support
                        <M> Connections/IP limit match support

    [root@seker linux-2.6.18.i686]# make modules_prepare

    11.备份原来的Makefile,里面包含了原始的编译信息,直接编译会无法通过
    [root@seker linux-2.6.18.i686]# mv net/ipv4/netfilter/Makefile net/ipv4/netfilter/Makefile.bak
    创建新的Makefile
    [root@seker linux-2.6.18.i686]# vi net/ipv4/netfilter/Makefile

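    # Kbuild object list for the three netfilter match modules built in this step.
    # ":=" replaces any earlier value, so repeating "obj-m := ..." leaves only the
    # last module in the list; "+=" accumulates all three.
    obj-m += ipt_connlimit.o
    obj-m += ipt_time.o
    obj-m += ipt_layer7.o

    # Build tree of the running kernel; referenced only by the "default" target.
    KDIR := /lib/modules/$(shell uname -r)/build
    PWD   := $(shell pwd)

    # The recipe line below must begin with a TAB character, not spaces.
    default:
    	$(MAKE) -C $(KDIR) M=$(PWD) modules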

    然后编译该模块。如果不能一次全部编译,就每次在 net/ipv4/netfilter/Makefile 中只加一个模块,一次次编译,得出 ipt_*.ko 文件。
    [root@seker linux-2.6.18.i686]# make M=net/ipv4/netfilter/
    LD      net/ipv4/netfilter/built-in.o
    CC [M] net/ipv4/netfilter/ipt_connlimit.o
    CC      net/ipv4/netfilter/ipt_connlimit.mod.o
    LD [M] net/ipv4/netfilter/ipt_connlimit.ko
      CC      net/ipv4/netfilter/ipt_time.mod.o
      LD [M]  net/ipv4/netfilter/ipt_time.ko

    12.cp新编译的模块到老内核
    [root@seker linux-2.6.18.i686]# cp net/ipv4/netfilter/ipt_time.ko /lib/modules/2.6.18-92.el5/kernel/net/ipv4/netfilter/
    [root@seker linux-2.6.18.i686]# cp net/ipv4/netfilter/ipt_layer7.ko /lib/modules/2.6.18-92.el5/kernel/net/ipv4/netfilter/
    [root@seker linux-2.6.18.i686]# cp net/ipv4/netfilter/ipt_connlimit.ko /lib/modules/2.6.18-92.el5/kernel/net/ipv4/netfilter/
    [root@seker linux-2.6.18.i686]# chmod 755 /lib/modules/2.6.18-92.el5/kernel/net/ipv4/netfilter/*.ko

    13.安装IPP2P
    [root@seker ipp2p-0.99.15]# make
    [root@seker ipp2p-0.99.15]# make install
    cp ipt_ipp2p.ko /lib/modules/2.6.18-92.el5/kernel/net/ipv4/netfilter/
    cp libipt_ipp2p.so /lib/iptables/
    depmod -a
    [root@seker ipp2p-0.99.15]#

    14.安装新的IPTABLE
    [root@seker iptables-1.3.8]# make BINDIR=/sbin LIBDIR=/lib MANDIR=/usr/share/man install

    这步成功会有 cp *.so 的日志..
     
    [root@seker iptables-1.3.8]# make BINDIR=/sbin LIBDIR=/lib MANDIR=/usr/share/man install
    ....
    cp extensions/libipt_limit.so /lib/iptables/libipt_limit.so
    ....
    cp extensions/libipt_layer7.so /lib/iptables/libipt_layer7.so
    ....
    cp extensions/libipt_time.so /lib/iptables/libipt_time.so
    ....
    rm libiptc/libip6tc.o libipq/libipq.o libiptc/libip4tc.o
    [root@seker iptables-1.3.8]#

    15.加载模块
    [root@seker iptables-1.3.8]# modprobe ipt_connlimit
    [root@seker iptables-1.3.8]# modprobe ipt_time
    [root@seker iptables-1.3.8]# modprobe ipt_ipp2p
    [root@seker iptables-1.3.8]# modprobe ipt_layer7
    [root@seker iptables-1.3.8]#
    [root@seker iptables-1.3.8]# lsmod |grep x_tables
    x_tables               17349  7 ipt_layer7,ipt_iprange,ipt_ipp2p,ipt_time,ipt_connlimit,xt_tcpudp,ip_tables
    [root@seker iptables-1.3.8]#

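    16.测试layer7,time,ipp2p..
    (同一条规则里的多个 -m 匹配是“与”的关系,下面这条规则要求所有条件同时成立才会 DROP,所以它主要用来验证各个扩展能被 iptables 正常加载;实际使用时应按协议拆成多条规则。另外 --l7proto qq 需要 l7-protocols 的协议定义文件已经安装(通常在 /etc/l7-protocols 下),上文只解压了该包,请确认已安装。)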
    [root@seker iptables-1.3.8]# iptables -A FORWARD -m layer7 --l7proto qq  -m time --timestart 8:00 --timestop 17:30 --days Mon,Tue,Wed,Thu,Fri -m iprange --src-range 192.168.1.5-192.168.1.239 -m ipp2p --ipp2p -m ipp2p --xunlei -j DROP

    如果time有问题,可以试试下面附件里的 .ko 和 .so (我没测试过,不保证可以在你的系统上使用)。注意:预编译的 .ko 会直接在内核态运行,来源和内容无法核实时,应优先按上面的步骤从源码自行编译;而且 .ko 必须与运行中的内核版本(uname -r)匹配才能加载。
    [url]http://linux.chinaunix.net/bbs/attachment.php?aid=214364[/url]