etc se linux config: editing /etc/selinux/config

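This post walks through an example of configuring iptables with Xtables-Addons and GeoIP on CentOS 6 to block IP addresses from a particular country. I hope it is useful.

Today traffic on the server surged. The IPs all came from China and were not normal visitors, which drove php-fpm to 100% CPU and made the site very slow to open. iptables was already limiting the number of connections, but no single IP opened enough connections to reach the limit, so that rule could not restrict them, and the only option left was to block IPs from a whole region. Xtables-Addons is a module for exactly this: you only compile the module, not the system kernel, and it works together with iptables to filter IPs from a given region.

Step 1: check the system's iptables version. The Xtables-Addons version must match the iptables version; for example, iptables 1.4.7 requires the corresponding Xtables-Addons 1.47.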

# uname -r

2.6.32-358.18.1.el6.x86_64

# iptables -V

iptables v1.4.7

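So Xtables-Addons 1.47 is the version to download.

You also need to disable SELinux: edit /etc/selinux/config and change the setting to disabled, then make it take effect: echo 0 > /selinux/enforce.

Step 2: install the perl-Text-CSV_XS dependency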

# yum install gcc gcc-c++ make automake unzip zip xz kernel-devel-`uname -r` iptables-devel

# rpm -Uvh

# yum -y install perl-Text-CSV_XS

Step 3: download and build the xtables-addons module

# wget

# tar xf xtables-addons-1.47.tar.xz

# cd xtables-addons-1.47

# ./configure

# make

# make install

If ./configure fails with the error configure: error: Package requirements (xtables >= 1.4.5) were not met: No package 'xtables' found:

checking for a BSD-compatible install... /usr/bin/install -c

checking whether build environment is sane... yes

checking for a thread-safe mkdir -p... /bin/mkdir -p

checking for gawk... gawk

checking whether make sets $(MAKE)... yes

checking whether make supports nested variables... yes

checking for gcc... gcc

checking whether the C compiler works... yes

checking for C compiler default output file name... a.out

checking for suffix of executables...

checking whether we are cross compiling... no

checking for suffix of object files... o

checking whether we are using the GNU C compiler... yes

checking whether gcc accepts -g... yes

checking for gcc option to accept ISO C89... none needed

checking for style of include used by make... GNU

checking dependency style of gcc... gcc3

checking whether gcc and cc understand -c and -o together... yes

checking for ar... ar

checking the archiver (ar) interface... ar

checking build system type... x86_64-unknown-linux-gnu

checking host system type... x86_64-unknown-linux-gnu

checking how to print strings... printf

checking for a sed that does not truncate output... /bin/sed

checking for grep that handles long lines and -e... /bin/grep

checking for egrep... /bin/grep -E

checking for fgrep... /bin/grep -F

checking for ld used by gcc... /usr/bin/ld

checking if the linker (/usr/bin/ld) is GNU ld... yes

checking for BSD- or MS-compatible name lister (nm)... /usr/bin/nm -B

checking the name lister (/usr/bin/nm -B) interface... BSD nm

checking whether ln -s works... yes

checking the maximum length of command line arguments... 1966080

checking whether the shell understands some XSI constructs... yes

checking whether the shell understands "+="... yes

checking how to convert x86_64-unknown-linux-gnu file names to x86_64-unknown-linux-gnu format... func_convert_file_noop

checking how to convert x86_64-unknown-linux-gnu file names to toolchain format... func_convert_file_noop

checking for /usr/bin/ld option to reload object files... -r

checking for objdump... objdump

checking how to recognize dependent libraries... pass_all

checking for dlltool... no

checking how to associate runtime and link libraries... printf %s\n

checking for archiver @FILE support... @

checking for strip... strip

checking for ranlib... ranlib

checking command to parse /usr/bin/nm -B output from gcc object... ok

checking for sysroot... no

checking for mt... no

checking if : is a manifest tool... no

checking how to run the C preprocessor... gcc -E

checking for ANSI C header files... yes

checking for sys/types.h... yes

checking for sys/stat.h... yes

checking for stdlib.h... yes

checking for string.h... yes

checking for memory.h... yes

checking for strings.h... yes

checking for inttypes.h... yes

checking for stdint.h... yes

checking for unistd.h... yes

checking for dlfcn.h... yes

checking for objdir... .libs

checking if gcc supports -fno-rtti -fno-exceptions... no

checking for gcc option to produce PIC... -fPIC -DPIC

checking if gcc PIC flag -fPIC -DPIC works... yes

checking if gcc static flag -static works... no

checking if gcc supports -c -o file.o... yes

checking if gcc supports -c -o file.o... (cached) yes

checking whether the gcc linker (/usr/bin/ld -m elf_x86_64) supports shared libraries... yes

checking whether -lc should be explicitly linked in... no

checking dynamic linker characteristics... GNU/Linux ld.so

checking how to hardcode library paths into programs... immediate

checking whether stripping libraries is possible... yes

checking if libtool supports shared libraries... yes

checking whether to build shared libraries... yes

checking whether to build static libraries... no

checking linux/netfilter/x_tables.h usability... yes

checking linux/netfilter/x_tables.h presence... yes

checking for linux/netfilter/x_tables.h... yes

checking for pkg-config... /usr/bin/pkg-config

checking pkg-config is at least version 0.9.0... yes

checking for libxtables... no

configure: error: Package requirements (xtables >= 1.4.5) were not met:

No package 'xtables' found

Consider adjusting the PKG_CONFIG_PATH environment variable if you

installed software in a non-standard prefix.

Alternatively, you may set the environment variables libxtables_CFLAGS

and libxtables_LIBS to avoid the need to call pkg-config.

See the pkg-config man page for more details.

Install the iptables development package, iptables-devel:

# yum -y install iptables-devel
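
The prerequisites from the steps above can be checked before running ./configure, so the "No package 'xtables' found" failure is caught up front. This is an added example, not part of the original article; the function names are hypothetical helpers, and the 1.4.5 minimum is taken from the configure error quoted above.

```shell
# Added example (not from the original article): preflight checks to run
# before ./configure in the xtables-addons source tree.
# Function names are hypothetical helpers.

MIN_XTABLES="1.4.5"  # minimum taken from the configure error quoted above

# version_ge A B: succeed when dotted version A >= B (uses GNU sort -V).
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# iptables_version TEXT: extract "1.4.7" from "iptables v1.4.7".
iptables_version() {
    printf '%s\n' "$1" | sed -n 's/^iptables v\([0-9][0-9.]*\).*/\1/p'
}

# preflight IPTABLES_V_OUTPUT PKGCONFIG_VERSION KERNEL_BUILD_DIR
# Prints one line per problem; returns 0 only when the build can proceed.
preflight() {
    local ver rc=0
    ver=$(iptables_version "$1")
    if [ -z "$ver" ]; then
        echo "cannot parse iptables version"; rc=1
    elif ! version_ge "$ver" "$MIN_XTABLES"; then
        echo "iptables $ver is older than $MIN_XTABLES"; rc=1
    fi
    # An empty pkg-config answer is the "No package 'xtables' found" case.
    if [ -z "$2" ]; then
        echo "xtables.pc missing: yum -y install iptables-devel"; rc=1
    elif ! version_ge "$2" "$MIN_XTABLES"; then
        echo "xtables $2 is older than $MIN_XTABLES"; rc=1
    fi
    # The module build needs headers for the running kernel (kernel-devel).
    if [ ! -d "$3" ]; then
        echo "kernel headers missing: yum install kernel-devel-$(uname -r)"; rc=1
    fi
    return $rc
}

# On the build host, pass --run to check the live system.
if [ "${1:-}" = "--run" ]; then
    preflight "$(iptables -V 2>/dev/null)" \
              "$(pkg-config --modversion xtables 2>/dev/null)" \
              "/lib/modules/$(uname -r)/build"
fi
```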
