I. A build-up of many TIME_WAIT connections prevents new requests from being accepted:
A fairly safe configuration in /etc/sysctl.conf is:
    net.ipv4.tcp_timestamps=1
    net.ipv4.tcp_tw_recycle=0
    net.ipv4.tcp_tw_reuse=1
    net.ipv4.tcp_max_tw_buckets=10000
Reference: http://nick.txtcc.com/index.php/linux/1162
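The following script is an added example, not part of the gist: it checks a sysctl.conf-style file against the four values above and counts TIME_WAIT sockets from /proc/net/tcp-formatted text (state code 06 is TIME_WAIT), so the number can be compared with tcp_max_tw_buckets. Two facts worth keeping in mind when applying the settings: tcp_tw_reuse only affects connections the host itself opens (outgoing connects), and tcp_tw_recycle was removed from the kernel in Linux 4.12, so on newer kernels that key simply does not exist. Both functions read stdin, so they run against the constructed samples embedded below as well as the live files.

```shell
#!/bin/sh
# Added example, not part of the gist: audit the TIME_WAIT-related sysctl
# settings the notes recommend and count TIME_WAIT sockets in /proc/net/tcp
# format. Both functions read their input from stdin so they can be run
# against the constructed samples below as well as the live files.

# Recommended values taken from the notes above (key=value, one per line).
RECOMMENDED='net.ipv4.tcp_timestamps=1
net.ipv4.tcp_tw_recycle=0
net.ipv4.tcp_tw_reuse=1
net.ipv4.tcp_max_tw_buckets=10000'

# check_sysctl_conf: reads sysctl.conf-style text on stdin and prints one
# line per recommended key: "OK key", "WRONG key=actual (want value)" or
# "MISSING key". Comments and whitespace are ignored; the last assignment
# of a key wins, as it does for sysctl itself.
check_sysctl_conf() {
    conf=$(sed -e 's/#.*//' -e 's/[[:space:]]//g')
    printf '%s\n' "$RECOMMENDED" | while IFS='=' read -r key want; do
        actual=$(printf '%s\n' "$conf" |
            awk -F= -v k="$key" '$1 == k { v = $2 } END { print v }')
        if [ -z "$actual" ]; then
            printf 'MISSING %s\n' "$key"
        elif [ "$actual" = "$want" ]; then
            printf 'OK %s\n' "$key"
        else
            printf 'WRONG %s=%s (want %s)\n' "$key" "$actual" "$want"
        fi
    done
}

# count_time_wait: reads /proc/net/tcp (or tcp6) formatted text on stdin and
# counts sockets whose state column ("st") is 06, the kernel's TIME_WAIT code.
count_time_wait() {
    awk 'NR > 1 && $4 == "06" { n++ } END { print n + 0 }'
}

# Constructed sample inputs (not captured from a real host).
SAMPLE_CONF='# constructed sysctl.conf
net.ipv4.tcp_timestamps = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse=1'

SAMPLE_PROC_TCP='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0050 0100007F:C350 06 00000000:00000000 03:00000A5E 00000000     0        0 0 3 0000000000000000
   2: 0100007F:0050 0100007F:C351 06 00000000:00000000 03:00000A60 00000000     0        0 0 3 0000000000000000
   3: 0100007F:0050 0100007F:C352 01 00000000:00000000 00:00000000 00000000  1000        0 23456 1 0000000000000000 20 4 30 10 -1'

echo "== sample sysctl.conf =="
printf '%s\n' "$SAMPLE_CONF" | check_sysctl_conf
echo "== sample /proc/net/tcp: $(printf '%s\n' "$SAMPLE_PROC_TCP" | count_time_wait) TIME_WAIT sockets"

# Live check, only when the files are readable on this host.
if [ -r /etc/sysctl.conf ] && [ -r /proc/net/tcp ]; then
    echo "== live =="
    check_sysctl_conf < /etc/sysctl.conf
    echo "TIME_WAIT sockets now: $(count_time_wait < /proc/net/tcp)"
fi
```

On the sample configuration the script reports tcp_timestamps and tcp_tw_reuse as OK, tcp_tw_recycle as WRONG (set to 1, want 0) and tcp_max_tw_buckets as MISSING, and it counts 2 TIME_WAIT sockets in the sample socket table. Running `sysctl -p` after editing the file applies the values without a reboot.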
II. An hour or two after starting iptables, packets are dropped in large numbers:
/var/log/messages fills with "nf_conntrack: table full, dropping packet."
If the host is only a web server and does not need port forwarding or similar, the nf_conntrack module can be removed:
1. Remove any reference to the state module in iptables, i.e. no rules like
       -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT   # possibly in /etc/sysconfig/iptables
   The state module requires the nf_conntrack (ip_conntrack) module.
2. Remove the following line (if it exists) from /etc/sysconfig/iptables-config:
       IPTABLES_MODULES="ip_conntrack_netbios_ns"
   That module requires ip_conntrack, which is what we are trying to get rid of.
3. Reload iptables without your state rules:
       sudo iptables -F
       # add your real rules
4. Drop the modules. I had to use:
       sudo modprobe -r xt_NOTRACK nf_conntrack_netbios_ns nf_conntrack_ipv4 xt_state
       sudo modprobe -r nf_conntrack
5. Confirm that /proc/net/nf_conntrack is no longer present.
To disable the modules persistently, add them to:
    /etc/modprobe.d/blacklist.conf
First:
    service iptables stop
then:
    sudo modprobe -r xt_state
# list the modules that depend on nf_conntrack:
    lsmod | grep nf_conntrack
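The script below is an added example, not part of the gist or of the original answer the steps were copied from. It automates the three checks a practitioner wants before running the modprobe -r commands above: count the "table full" drops in the log, list the rules that still use the state/conntrack match (each one keeps nf_conntrack loaded), and derive the unload order from lsmod output. lsmod's "Used by" column only lists direct users, so the function walks it transitively and prints dependents before nf_conntrack itself, which is the order modprobe -r needs. Module names vary between kernel versions; the names in the constructed sample are the ones the notes use. All functions read stdin, so `sudo iptables-save | conntrack_rules` and `lsmod | modules_to_unload` work on a live host.

```shell
#!/bin/sh
# Added example, not part of the gist: before unloading nf_conntrack, find
# the rules and modules that still depend on it, and count the "table full"
# drops in the log. All three functions read from stdin so they can be run on
# the constructed samples below or on the live commands' output.

# table_full_drops: count "nf_conntrack: table full, dropping packet" lines in
# syslog-style text (e.g. /var/log/messages). grep -c prints 0 on no match.
table_full_drops() {
    grep -c 'nf_conntrack: table full, dropping packet' || true
}

# conntrack_rules: print rules (iptables-save format) that use the state or
# conntrack match; each such rule loads xt_state/xt_conntrack and keeps
# nf_conntrack loaded.
conntrack_rules() {
    grep -E -- '-m (state|conntrack)' || true
}

# modules_to_unload: from lsmod output, print the modules that have to be
# removed before nf_conntrack, dependents first and nf_conntrack last.
# lsmod's "Used by" column only lists direct users, so it is walked
# transitively; nothing is printed if nf_conntrack is not loaded.
modules_to_unload() {
    awk '
    NR > 1 { users[$1] = $4 }
    function unload(m,    n, u, i) {
        n = split(users[m], u, ",")
        for (i = 1; i <= n; i++)
            if (!(u[i] in seen)) { seen[u[i]] = 1; unload(u[i]) }
        print m
    }
    END {
        if ("nf_conntrack" in users) { seen["nf_conntrack"] = 1; unload("nf_conntrack") }
    }'
}

# Constructed sample inputs (not captured from a real host).
SAMPLE_LOG='Jan  1 03:14:15 web kernel: nf_conntrack: table full, dropping packet.
Jan  1 03:14:15 web kernel: nf_conntrack: table full, dropping packet.
Jan  1 03:14:16 web sshd[123]: Accepted publickey for deploy'

SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
COMMIT'

SAMPLE_LSMOD='Module                  Size  Used by
xt_NOTRACK             16384  1
nf_conntrack_netbios_ns    16384  0
nf_conntrack_ipv4      16384  2
xt_state               16384  1
nf_defrag_ipv4         16384  1 nf_conntrack_ipv4
nf_conntrack          139264  4 xt_NOTRACK,nf_conntrack_netbios_ns,nf_conntrack_ipv4,xt_state
x_tables               40960  2 xt_NOTRACK,xt_state'

echo "== sample log: $(printf '%s\n' "$SAMPLE_LOG" | table_full_drops) table-full drops"
echo "== sample rules still using conntrack =="
printf '%s\n' "$SAMPLE_RULES" | conntrack_rules
echo "== sample unload order (pass to modprobe -r in this order) =="
printf '%s\n' "$SAMPLE_LSMOD" | modules_to_unload

# Live check of the module list, only where lsmod has something to read.
if [ -r /proc/modules ]; then
    echo "== live unload order =="
    lsmod 2>/dev/null | modules_to_unload
fi
```

On the samples the script counts 2 drops, prints the two rules using `-m state` and `-m conntrack`, and emits xt_NOTRACK, nf_conntrack_netbios_ns, nf_conntrack_ipv4, xt_state and then nf_conntrack, the same order as the modprobe -r commands in step 4. nf_defrag_ipv4 is not listed because it is used by nf_conntrack_ipv4, not the other way round, so it does not block the unload.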