
3. Problems

3.1 NAT: X dropping untracked packet Y Z aaa.aaa.aaa.aaa -> 224.bbb.bbb.bbb

This message is emitted by the NAT code for multicast packets, because connection tracking (which NAT depends on) cannot handle multicast yet. Unless you actually need multicast to pass through the NAT box, drop such packets before NAT sees them:

iptables -t mangle -I PREROUTING -j DROP -d 224.0.0.0/8

3.2 NAT: X dropping untracked packet Y Z aaa.aaa.aaa.aaa -> bbb.bbb.bbb.bbb

syslog óëËÊÎáÃɵìÞ:

NAT: X dropping untracked packet Y Z aaa.aaa.aaa.aaa -> bbb.bbb.bbb.bbb

This message also comes from the NAT code. NAT needs connection tracking, but some packets cannot be associated with any tracked connection (conntrack classes them as invalid); NAT drops those packets and logs this message for each one.

Possible ways to deal with it:

To find out where these packets come from (that is, which host is sending them), add the following rule:

iptables -t mangle -A PREROUTING -j LOG -m state --state INVALID

Because these packets are dropped by the NAT code before they ever reach the filter table, this rule has to go in the mangle table.
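Once the LOG rule above is in place, the next question is which hosts are producing the invalid packets. The following added script (not part of the original FAQ) parses kernel LOG lines in the format the LOG target writes and counts them per source address; it assumes the rule was given `--log-prefix "INVALID: "` so its lines can be told apart from other LOG output, and the log lines embedded in it are constructed samples, not captured from a real host.

```sh
#!/bin/sh
# Constructed sample of LOG-target lines as syslog would record them when the
# INVALID rule carries --log-prefix "INVALID: " (sample data, not real traffic).
SAMPLE_LOG='Mar  1 10:00:01 gw kernel: INVALID: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 LEN=40 PROTO=TCP SPT=4321 DPT=80 WINDOW=0 RES=0x00 ACK RST URGP=0
Mar  1 10:00:02 gw kernel: INVALID: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 LEN=40 PROTO=TCP SPT=4322 DPT=80 WINDOW=0 RES=0x00 ACK RST URGP=0
Mar  1 10:00:03 gw kernel: INVALID: IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.2 LEN=60 PROTO=TCP SPT=5555 DPT=22 WINDOW=5840 RES=0x00 ACK URGP=0
Mar  1 10:00:04 gw kernel: ACCEPT: IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.2 LEN=60 PROTO=TCP SPT=5556 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0'

# invalid_by_src: read log lines on stdin, keep only those with the INVALID
# prefix, and print "count source" pairs with the busiest source first.
invalid_by_src() {
    grep 'INVALID:' | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^SRC=/) { sub(/^SRC=/, "", $i); n[$i]++ }
    } END { for (s in n) print n[s], s }' | sort -rn
}

# invalid_count_for ADDR: number of INVALID lines in the sample whose SRC is
# ADDR (prints 0 when the address never appears).
invalid_count_for() {
    printf '%s\n' "$SAMPLE_LOG" | invalid_by_src |
        awk -v src="$1" '$2 == src { print $1; found = 1 } END { if (!found) print 0 }'
}

# Summary over the sample: the ACCEPT line is ignored because it lacks the prefix.
printf '%s\n' "$SAMPLE_LOG" | invalid_by_src
```

On a real gateway, replace the sample with `grep kernel /var/log/messages | invalid_by_src` (or whatever file your syslogd sends facility kern to). A single source producing a steady stream of out-of-state packets is usually a broken or misconfigured peer; many distinct sources hitting the same destination port are worth a closer look.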

3.3 netfilter does not work together with Linux bridging

Right, it does not work yet. The current bridging code bypasses the network stack, netfilter included, so bridged packets never reach your rules.

New bridging code is being worked on; see http://www.math.leidenuniv.nl/~buytenh/bridge/ for details.

Firewalling on a bridge is still being worked on, so check there for the current status before relying on it.

3.4 IRC DCC RESUME cannot be used through NAT

Correct: the current NAT module does not support DCC RESUME.

3.5 How is SNAT to an outside address carried out?

netfilter changes as little of the packet as it can. For example, when a connection from an internal host using source port 1234 is SNATed, netfilter rewrites only the IP address and leaves the source port at 1234, provided that port is still free on the outside address.

If that port is already in use on the SNAT address, netfilter has no choice but to rewrite both the IP address and the port.

When more than one usable IP address is available, it can also move the connection to another of those addresses while still changing only the IP address.

3.6 ip_conntrack: maximum limit of XXX entries exceeded

If this message shows up in syslog, the connection tracking table has run out of free entries. By default the maximum number of tracked connections is derived from the amount of memory in the machine (64MB gives 4096, 128MB gives 8192, and so on).

Raise this limit with care: each tracked connection uses about 350 bytes of kernel memory that cannot be swapped out.

To raise the limit to, say, 8192, do the following:

echo "8192" > /proc/sys/net/ipv4/ip_conntrack_max
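Before raising ip_conntrack_max it helps to know how full the table is and what a higher limit costs. The following added script (not part of the original FAQ) reads a table in the format of /proc/net/ip_conntrack, counts entries and unreplied entries, and works out the memory a given limit pins down using the 350 bytes per entry quoted above; the default-limit rule is the one the FAQ states (64 entries per MB of RAM), and the table lines embedded here are constructed samples, not captured from a real host.

```sh
#!/bin/sh
# Constructed sample in the format of /proc/net/ip_conntrack on a 2.4 kernel
# (sample data, not captured from a real host).
SAMPLE_CONNTRACK='tcp      6 431995 ESTABLISHED src=192.168.1.10 dst=198.51.100.2 sport=33001 dport=80 src=198.51.100.2 dst=192.168.1.10 sport=80 dport=33001 [ASSURED] use=1
tcp      6 118 SYN_SENT src=192.168.1.11 dst=198.51.100.3 sport=33002 dport=443 [UNREPLIED] src=198.51.100.3 dst=192.168.1.11 sport=443 dport=33002 use=1
udp      17 28 src=192.168.1.10 dst=192.168.1.1 sport=53241 dport=53 src=192.168.1.1 dst=192.168.1.10 sport=53 dport=53241 use=1
tcp      6 55 TIME_WAIT src=192.168.1.12 dst=198.51.100.4 sport=33003 dport=80 src=198.51.100.4 dst=192.168.1.12 sport=80 dport=33003 [ASSURED] use=1'

BYTES_PER_ENTRY=350   # non-swappable kernel memory per entry, as quoted by the FAQ

# default_max_for_ram_mb MB: the kernel's default ip_conntrack_max scales with
# RAM (64MB -> 4096, 128MB -> 8192), i.e. 64 entries per MB.
default_max_for_ram_mb() { echo $(( $1 * 64 )); }

# conntrack_table_bytes N: memory pinned by a table holding N entries.
conntrack_table_bytes() { echo $(( $1 * BYTES_PER_ENTRY )); }

# count_entries: number of tracked connections in a table read from stdin.
count_entries() { grep -c . || true; }

# count_unreplied: entries that never saw a reply.  A table full of these is
# the usual signature of a SYN flood or a port scan filling conntrack.
count_unreplied() { grep -c 'UNREPLIED' || true; }

# table_usage_percent N MAX: integer percentage of MAX in use.
table_usage_percent() { echo $(( $1 * 100 / $2 )); }

# Summary over the sample, as if the box had 64MB of RAM.
n=$(printf '%s\n' "$SAMPLE_CONNTRACK" | count_entries)
u=$(printf '%s\n' "$SAMPLE_CONNTRACK" | count_unreplied)
max=$(default_max_for_ram_mb 64)
echo "tracked: $n of $max ($(table_usage_percent "$n" "$max")%), unreplied: $u"
echo "a full table of $max entries pins about $(conntrack_table_bytes "$max") bytes"
```

On a live system feed the real table in with `count_entries < /proc/net/ip_conntrack` and read the current limit from /proc/sys/net/ipv4/ip_conntrack_max. If the unreplied count is a large share of the total, raising the limit only buys time; the traffic filling the table is the thing to look at.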

3.7 Under 2.2.x, 'ipchains -L -M' listed the tracked / masqueraded connections. How do I see them now?

The proc filesystem has a file called /proc/net/ip_conntrack; read it like this:

cat /proc/net/ip_conntrack

3.8 How do I find out which IP tables are available?

The available IP tables are listed as follows:

cat /proc/net/ip_tables_names

3.9 iptables-save or iptables-restore from iptables-1.2 dies with a Segmentation Fault

This is a bug in that version. Upgrade to iptables 1.2.1 or later, or to the current CVS version.

3.10 iptables -L takes a very long time

That is because iptables does a reverse DNS lookup on every IP address it prints. Each rule contains two addresses, so that is two DNS queries per rule.

It is worst when the rules use private IP addresses (10.x.x.x, 192.168.x.x and so on), because every lookup then waits for a DNS timeout; with a large ruleset the listing becomes extremely slow.

To skip the DNS lookups, run iptables with the -n (numeric) option.

3.11 How do I stop the LOG target's output from going to the console?

You have to configure syslogd appropriately: by default the LOG target logs at priority warning(4) with facility kern. See the syslog.conf man page for details on facilities and priorities.

By default, every kernel message more important than priority debug(7) is sent to the console. If you lower that threshold from 7 to 4, LOG messages (which are at 4) no longer reach the console.

Be aware that other important kernel messages may then stop appearing on the console as well (they still go to the syslog file).

3.12 How do I set up a transparent proxy with squid and iptables?

First you need a suitable DNAT or REDIRECT rule. If squid runs on the NAT box itself, use REDIRECT. Example:

iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to 192.168.22.33:3128

Next, squid has to be configured correctly. Only the essentials are given here; see the squid documentation for the details.

With Squid 2.3, squid.conf needs settings like these:

http_port 3128
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy  on
httpd_accel_uses_host_header on

With Squid 2.4, one more setting is required in addition to these:

httpd_accel_single_host off

3.13 How does the LOG target work? Can't LOG and DROP be combined?

LOG is a 'non-terminating' target: matching a LOG rule does not end the packet's traversal of the chain. The packet is logged and then continues on to the next rule.

So how do you log a packet and then drop it? The simplest way is to create a chain that contains both rules:

iptables -N logdrop
iptables -A logdrop -j LOG
iptables -A logdrop -j DROP

After that, wherever you want a packet logged and dropped, simply use "-j logdrop".
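The logdrop chain above is the right shape, but as written it logs every matching packet at the default priority, so a burst of dropped packets both spams the console (see 3.11) and can fill syslog. The following added helper (not part of the original FAQ) builds the same chain with the LOG target's `--log-level` and `--log-prefix` options and the `limit` match, which are standard iptables features not shown on the page; the chain name, prefix and rate values are assumptions chosen for the example. With `IPT=echo` it prints the commands instead of applying them, which is how the demonstration at the end runs.

```sh
#!/bin/sh
# IPT names the iptables binary.  Set IPT=echo to print the commands instead
# of applying them; the demonstration at the end does exactly that.
: "${IPT:=iptables}"

# make_logdrop_chain NAME PREFIX [LEVEL]
# Builds a user-defined chain that logs and then drops.  LOG is
# non-terminating, so the DROP rule after it is what actually ends the
# packet's traversal.  --log-level (default debug, i.e. 7) keeps the
# messages off the console as described in 3.11, --log-prefix makes the
# lines easy to grep for, and -m limit caps how fast this chain can write
# to syslog so a flood of dropped packets cannot drown other kernel messages.
make_logdrop_chain() {
    name=$1
    prefix=$2
    level=${3:-debug}
    "$IPT" -N "$name"
    "$IPT" -A "$name" -m limit --limit 5/minute --limit-burst 10 \
        -j LOG --log-level "$level" --log-prefix "$prefix"
    "$IPT" -A "$name" -j DROP
}

# Dry run: show what would be executed for a chain named "logdrop"
# (chain name and prefix are example values).
IPT=echo
make_logdrop_chain logdrop "FW-DROP: "
```

Remove the `IPT=echo` line (or run with `IPT=iptables`) to apply the rules for real; afterwards `-j logdrop` works exactly as described above. Packets beyond the rate limit are still dropped, they are just not logged, so the limit bounds log volume without weakening the filter.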
