Showing posts from October 4, 2012

Using the hping tool to clear ESTABLISHED-state conntrack entries

Filter the ip_conntrack table to find the IPs with too many ESTABLISHED-state entries, then use the hping tool to clear those IPs out of the table...
Download: http://www.hping.org/download.html

  Install: ./configure; make; make install
  hping script for clearing IP conntrack entries (this script changes the connection state to closed):

    #!/bin/sh
    # Argument: the source IP whose ESTABLISHED entries should be cleared.
    # For each ESTABLISHED TCP entry of that IP, one RST is sent with hping2
    # so the kernel closes the conntrack entry.
    if [ -z "$1" ]; then
        echo "NO INPUT IP"
        exit 1
    fi
    grep -E "^tcp .{10,25}ESTABLISHED src=$1 " /proc/net/ip_conntrack | while read -r line; do
        # field layout: tcp 6 <timeout> ESTABLISHED src=.. dst=.. sport=.. dport=.. ...
        S_IP=$(echo "$line" | awk '{print substr($5,5)}')
        S_SOCK=$(echo "$line" | awk '{print substr($7,7)}')
        D_IP=$(echo "$line" | awk '{print substr($6,5)}')
        D_SOCK=$(echo "$line" | awk '{print substr($8,7)}')
        echo "$S_IP:$S_SOCK $D_IP:$D_SOCK"
        hping2 "$D_IP" -R -s "$S_SOCK" -p "$D_SOCK" -a "$S_IP" -k -c 1 > /home/huaying/1.log 2>&1 &
    done




In practice it is still faster to flush the table with the conntrack tool @_@"
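The filtering step above ("find the IPs with too many ESTABLISHED entries") is only described, not shown. The following is an added example, not code from the original post: it parses ip_conntrack-style lines, counts ESTABLISHED TCP entries per source IP, flags those over a threshold, and builds conntrack-tools delete commands (the route the author says is faster) instead of sending spoofed RSTs. The sample lines are constructed, and the threshold value is an assumption.

```python
import re
from collections import Counter

# Constructed sample in the /proc/net/ip_conntrack layout used by the script above
# (proto, proto number, timeout, TCP state, then the original-direction tuple).
SAMPLE_CONNTRACK = """\
tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=203.0.113.10 sport=40001 dport=80 packets=5 bytes=600 [ASSURED] use=1
tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=203.0.113.10 sport=40002 dport=80 packets=3 bytes=200 [ASSURED] use=1
tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=203.0.113.11 sport=40003 dport=443 packets=9 bytes=900 [ASSURED] use=1
tcp      6 117 TIME_WAIT src=10.0.0.5 dst=203.0.113.10 sport=40004 dport=80 packets=7 bytes=700 [ASSURED] use=1
tcp      6 431999 ESTABLISHED src=10.0.0.9 dst=203.0.113.10 sport=50001 dport=80 packets=2 bytes=100 [ASSURED] use=1
udp      17 29 src=10.0.0.7 dst=198.51.100.1 sport=5353 dport=53 packets=1 bytes=60 use=1
"""

# Same selection as the script's grep, but with the four fields captured directly.
ESTAB_RE = re.compile(
    r"^tcp\s+\d+\s+\d+\s+ESTABLISHED\s+src=(\S+)\s+dst=(\S+)\s+sport=(\d+)\s+dport=(\d+)"
)


def parse_established(text):
    """Return (src, sport, dst, dport) for every ESTABLISHED TCP entry."""
    flows = []
    for line in text.splitlines():
        m = ESTAB_RE.match(line)
        if m:
            flows.append((m.group(1), int(m.group(3)), m.group(2), int(m.group(4))))
    return flows


def top_talkers(flows, threshold):
    """Map source IP -> ESTABLISHED count for IPs at or above the threshold."""
    counts = Counter(src for src, _, _, _ in flows)
    return {ip: n for ip, n in counts.items() if n >= threshold}


def conntrack_delete_cmds(flows, ip):
    """Build one `conntrack -D` argv per ESTABLISHED entry of the given source IP."""
    return [
        ["conntrack", "-D", "-p", "tcp", "-s", s, "--sport", str(sp), "-d", d, "--dport", str(dp)]
        for s, sp, d, dp in flows
        if s == ip
    ]


if __name__ == "__main__":
    flows = parse_established(SAMPLE_CONNTRACK)
    for ip, n in top_talkers(flows, threshold=3).items():  # threshold is an assumed value
        print(f"{ip}: {n} ESTABLISHED entries")
        for cmd in conntrack_delete_cmds(flows, ip):
            print(" ".join(cmd))
```

On a real gateway, read /proc/net/ip_conntrack (or /proc/net/nf_conntrack, which adds leading columns) instead of the sample text and pass each argv to subprocess.run.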

Linux NAT tuning settings

  # echo "1024 65000" > /proc/sys/net/ipv4/ip_local_port_range
  # echo "100 1200 128 512 15 5000 500 1884 2" > /proc/sys/vm/bdflush
  # echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
  # echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
  # echo "1048576" > /proc/sys/net/ipv4/netfilter/ip_conntrack_max
  # echo "1" > /proc/sys/net/ipv4/ip_forward
  # echo "268435456" > /proc/sys/kernel/shmall
  # echo "536870912" > /proc/sys/kernel/shmmax
  # echo "600" > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established
  # echo "1024" > /proc/sys/net/ipv4/neigh/default/gc_thresh1
  # echo "2048" > /proc/sys/net/ipv4/neigh/default/gc_thresh2
  # echo "4096" > /proc/sys/net/ipv4/neigh/default/gc_thresh3
  # echo "52428800" > /proc/sys/net/ipv4/route/max_size
  # echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp
  …