
Iptable table chain relation

2025-02-23 Update From: SLTechnology News&Howtos shulou (Network Security)


Shulou (Shulou.com) 06/01 Report

1. SELinux is disabled in production. Depending on the environment, iptables is disabled on the internal network and enabled on the external network. Under high concurrency, iptables is not enabled.

2. The message "kernel: nf_conntrack: table full, dropping packet" in /var/log/messages means the connection-tracking table is full and packets are being dropped; it appears together with slow business access.

Optimization (sysctl settings; the key names are lowercase, as the kernel expects):

net.nf_conntrack_max = 25000000
net.netfilter.nf_conntrack_max = 25000000
# enlarge the connection-tracking table

net.netfilter.nf_conntrack_tcp_timeout_established = 180
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120
# shorten the timeouts so stale entries leave the table sooner

3. Netfilter/iptables is a packet-filtering firewall. Its security is much stronger than that of the older generation, ipfwadm and ipchains.

It works at layers 2, 3 and 4. If you recompile the kernel, it can also support layer-7 control.

4. Container: a "contains" or "belongs to" relationship.

Netfilter/iptables is the container for the tables (filter, nat, mangle, raw).

An iptables table is the container for chains (INPUT (in), OUTPUT (out), FORWARD (forwarding), PREROUTING (before routing), POSTROUTING (after routing, on the way out)).

A chain is the container for policies (rules).

5. filter table (the default): the table that really does the host firewall's job, filtering packets flowing into the host.

INPUT: filters all packets whose destination address is a local address.

OUTPUT: processes all packets whose source address is a local address.

FORWARD: handles packets that pass through the host and are forwarded; relevant to LVS NAT mode (net.ipv4.ip_forward=0).

6. nat table: responsible for network address translation, that is, translating source and destination IP addresses and ports. Generally used for shared Internet access on a LAN or for special port mapping.

OUTPUT: changes the destination address of packets sent by the host itself.

PREROUTING: rules run when the packet arrives at the firewall, before the routing decision; they change the packet's destination address and destination port.

POSTROUTING: rules run as the packet leaves the firewall, after the routing decision; they change the packet's source address and source port.

7. A firewall filters layer by layer: rules are matched from top to bottom, in the order in which they were configured.

Once a rule matches, that is, once a rule clearly states whether the packet is blocked or passed, the packet is not matched against any further rules below it.

If no rule clearly states whether to block or pass, that is, no rule matches, matching continues downwards until the chain's default policy is reached, and the default policy decides whether the packet is blocked or passed.

The firewall's default policy is applied only after all rules have been evaluated without a match.

8. Work flow of iptables (the tables each chain passes through, in order):

Packet arrives -> mangle PREROUTING -> nat PREROUTING -> routing decision

  destined for this host -> mangle INPUT -> filter INPUT -> local process (kernel)

  passing through the host -> mangle FORWARD -> filter FORWARD -> mangle POSTROUTING -> nat POSTROUTING -> out

Locally generated packet -> mangle OUTPUT -> nat OUTPUT -> filter OUTPUT -> mangle POSTROUTING -> nat POSTROUTING -> out
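The two behaviours described in points 7 and 8, first-match evaluation with the default policy as the fallback and the order in which a packet crosses tables and chains, modelled as a small added Python example (not code from the original post); the chain, rule fields and sample packets are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Hook order per packet path, as read off the work-flow chart above.
# Table/chain pairs are traversed strictly in this sequence.
TRAVERSAL: Dict[str, List[Tuple[str, str]]] = {
    "to_local":   [("mangle", "PREROUTING"), ("nat", "PREROUTING"),
                   ("mangle", "INPUT"), ("filter", "INPUT")],
    "forward":    [("mangle", "PREROUTING"), ("nat", "PREROUTING"),
                   ("mangle", "FORWARD"), ("filter", "FORWARD"),
                   ("mangle", "POSTROUTING"), ("nat", "POSTROUTING")],
    "from_local": [("mangle", "OUTPUT"), ("nat", "OUTPUT"), ("filter", "OUTPUT"),
                   ("mangle", "POSTROUTING"), ("nat", "POSTROUTING")],
}


@dataclass
class Rule:
    """One rule in a chain; a field left as None matches anything (hypothetical model)."""
    proto: Optional[str] = None
    src: Optional[str] = None
    dport: Optional[int] = None
    target: str = "ACCEPT"  # ACCEPT or DROP


def matches(rule: Rule, pkt: Dict[str, object]) -> bool:
    return all(getattr(rule, f) is None or getattr(rule, f) == pkt.get(f)
               for f in ("proto", "src", "dport"))


def evaluate(chain: List[Rule], pkt: Dict[str, object], policy: str = "DROP") -> str:
    """Walk the chain top to bottom. The first matching rule decides and later
    rules are never consulted; the default policy applies only if nothing matched."""
    for rule in chain:
        if matches(rule, pkt):
            return rule.target
    return policy


def path(pkt_kind: str) -> List[Tuple[str, str]]:
    """Tables and chains a packet of the given kind crosses, in order."""
    return TRAVERSAL[pkt_kind]


# Constructed sample chain: a DROP for one source placed above a broad ACCEPT for SSH.
INPUT_CHAIN = [Rule(src="10.0.0.5", target="DROP"),
               Rule(proto="tcp", dport=22, target="ACCEPT")]
```

Reordering the two rules in INPUT_CHAIN flips the verdict for the blocked source, which is exactly why rule order, not just rule content, has to be reviewed.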
