Simulating network problems in Linux

Hello everyone, my name is Sasha, I lead backend testing at FunCorp. We, like many others, have implemented a service-oriented architecture. On the one hand, this simplifies the work, because it is easier to test each service separately; on the other hand, there is a need to test how the services interact with each other, which usually happens over the network.

In this article I will talk about two utilities that can be used to check the basic scenarios describing how an application behaves in the presence of network problems.


Simulating network problems

Typically, software is tested on test servers with a good internet connection. In harsh production environments things may not be so smooth, so sometimes you need to test a program under poor connection conditions. On Linux, the tc utility will help with the task of simulating such conditions.

tc (short for Traffic Control) lets you configure how the system transmits network packets. This utility has great capabilities, and you can read more about them here. Here I will consider only a few of them: we are interested in traffic scheduling, for which we use a qdisc, and since we need to imitate an unstable network, we will use the classless qdisc netem.

Let's start an echo server on the server (I used nmap-ncat):

ncat -l 127.0.0.1 12345 -k -c 'xargs -n1 -i echo "Response: {}"'

In order to show in detail the timestamps at each step of the interaction between the client and the server, I wrote a simple Python script that sends a Test request to our echo server.

Client source code

#!/usr/bin/env python3
# Minimal echo client that prints a timestamp at every step of the exchange.
# Ported from Python 2 to Python 3 with the same behaviour; note that no
# timeout is set on the socket.

import socket
import time

HOST = '127.0.0.1'
PORT = 12345
BUFFER_SIZE = 1024
MESSAGE = b"Test\n"

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
t1 = time.time()
print("[time before connection: %.5f]" % t1)
s.connect((HOST, PORT))
print("[time after connection, before sending: %.5f]" % time.time())
s.send(MESSAGE)
print("[time after sending, before receiving: %.5f]" % time.time())
data = s.recv(BUFFER_SIZE)
print("[time after receiving, before closing: %.5f]" % time.time())
s.close()
t2 = time.time()
print("[time after closing: %.5f]" % t2)
print("[total duration: %.5f]" % (t2 - t1))

print(data.decode())

Let's run it and look at the traffic on the lo interface and port 12345:

[user@host ~]# python client.py
[time before connection: 1578652979.44837]
[time after connection, before sending: 1578652979.44889]
[time after sending, before receiving: 1578652979.44894]
[time after receiving, before closing: 1578652979.45922]
[time after closing: 1578652979.45928]
[total duration: 0.01091]
Response: Test

Traffic dump

[user@host ~]# tcpdump -i lo -nn port 12345
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
10:42:59.448601 IP 127.0.0.1.54054 > 127.0.0.1.12345: Flags [S], seq 3383332866, win 43690, options [mss 65495,sackOK,TS val 606325685 ecr 0,nop,wscale 7], length 0
10:42:59.448612 IP 127.0.0.1.12345 > 127.0.0.1.54054: Flags [S.], seq 2584700178, ack 3383332867, win 43690, options [mss 65495,sackOK,TS val 606325685 ecr 606325685,nop,wscale 7], length 0
10:42:59.448622 IP 127.0.0.1.54054 > 127.0.0.1.12345: Flags [.], ack 1, win 342, options [nop,nop,TS val 606325685 ecr 606325685], length 0
10:42:59.448923 IP 127.0.0.1.54054 > 127.0.0.1.12345: Flags [P.], seq 1:6, ack 1, win 342, options [nop,nop,TS val 606325685 ecr 606325685], length 5
10:42:59.448930 IP 127.0.0.1.12345 > 127.0.0.1.54054: Flags [.], ack 6, win 342, options [nop,nop,TS val 606325685 ecr 606325685], length 0
10:42:59.459118 IP 127.0.0.1.12345 > 127.0.0.1.54054: Flags [P.], seq 1:15, ack 6, win 342, options [nop,nop,TS val 606325696 ecr 606325685], length 14
10:42:59.459213 IP 127.0.0.1.54054 > 127.0.0.1.12345: Flags [.], ack 15, win 342, options [nop,nop,TS val 606325696 ecr 606325696], length 0
10:42:59.459268 IP 127.0.0.1.54054 > 127.0.0.1.12345: Flags [F.], seq 6, ack 15, win 342, options [nop,nop,TS val 606325696 ecr 606325696], length 0
10:42:59.460184 IP 127.0.0.1.12345 > 127.0.0.1.54054: Flags [F.], seq 15, ack 7, win 342, options [nop,nop,TS val 606325697 ecr 606325696], length 0
10:42:59.460196 IP 127.0.0.1.54054 > 127.0.0.1.12345: Flags [.], ack 16, win 342, options [nop,nop,TS val 606325697 ecr 606325697], length 0

Everything is standard: a three-way handshake, PSH/ACK and ACK in response twice (this is the exchange of request and response between the client and the server), and FIN/ACK and ACK twice, which closes the connection.

Packet delay

Now let's set the delay to 500 milliseconds:

tc qdisc add dev lo root netem delay 500ms

We launch the client and see that the script now runs for 2 seconds:

[user@host ~]# ./client.py
[time before connection: 1578662612.71044]
[time after connection, before sending: 1578662613.71059]
[time after sending, before receiving: 1578662613.71065]
[time after receiving, before closing: 1578662614.72011]
[time after closing: 1578662614.72019]
[total duration: 2.00974]
Response: Test

What about the traffic? Let's look:

Traffic dump

13:23:33.210520 IP 127.0.0.1.58694 > 127.0.0.1.12345: Flags [S], seq 1720950927, win 43690, options [mss 65495,sackOK,TS val 615958947 ecr 0,nop,wscale 7], length 0
13:23:33.710554 IP 127.0.0.1.12345 > 127.0.0.1.58694: Flags [S.], seq 1801168125, ack 1720950928, win 43690, options [mss 65495,sackOK,TS val 615959447 ecr 615958947,nop,wscale 7], length 0
13:23:34.210590 IP 127.0.0.1.58694 > 127.0.0.1.12345: Flags [.], ack 1, win 342, options [nop,nop,TS val 615959947 ecr 615959447], length 0
13:23:34.210657 IP 127.0.0.1.58694 > 127.0.0.1.12345: Flags [P.], seq 1:6, ack 1, win 342, options [nop,nop,TS val 615959947 ecr 615959447], length 5
13:23:34.710680 IP 127.0.0.1.12345 > 127.0.0.1.58694: Flags [.], ack 6, win 342, options [nop,nop,TS val 615960447 ecr 615959947], length 0
13:23:34.719371 IP 127.0.0.1.12345 > 127.0.0.1.58694: Flags [P.], seq 1:15, ack 6, win 342, options [nop,nop,TS val 615960456 ecr 615959947], length 14
13:23:35.220106 IP 127.0.0.1.58694 > 127.0.0.1.12345: Flags [.], ack 15, win 342, options [nop,nop,TS val 615960957 ecr 615960456], length 0
13:23:35.220188 IP 127.0.0.1.58694 > 127.0.0.1.12345: Flags [F.], seq 6, ack 15, win 342, options [nop,nop,TS val 615960957 ecr 615960456], length 0
13:23:35.720994 IP 127.0.0.1.12345 > 127.0.0.1.58694: Flags [F.], seq 15, ack 7, win 342, options [nop,nop,TS val 615961457 ecr 615960957], length 0
13:23:36.221025 IP 127.0.0.1.58694 > 127.0.0.1.12345: Flags [.], ack 16, win 342, options [nop,nop,TS val 615961957 ecr 615961457], length 0

You can see that the expected lag of half a second has appeared in the interaction between the client and the server. The system behaves more interestingly if the lag is larger: the kernel starts resending some TCP packets. Let's change the delay to 1 second and look at the traffic (I will not show the client output; the expected total duration is 4 seconds):

tc qdisc change dev lo root netem delay 1s

Traffic dump

13:29:07.709981 IP 127.0.0.1.39306 > 127.0.0.1.12345: Flags [S], seq 283338334, win 43690, options [mss 65495,sackOK,TS val 616292946 ecr 0,nop,wscale 7], length 0
13:29:08.710018 IP 127.0.0.1.12345 > 127.0.0.1.39306: Flags [S.], seq 3514208179, ack 283338335, win 43690, options [mss 65495,sackOK,TS val 616293946 ecr 616292946,nop,wscale 7], length 0
13:29:08.711094 IP 127.0.0.1.39306 > 127.0.0.1.12345: Flags [S], seq 283338334, win 43690, options [mss 65495,sackOK,TS val 616293948 ecr 0,nop,wscale 7], length 0
13:29:09.710048 IP 127.0.0.1.39306 > 127.0.0.1.12345: Flags [.], ack 1, win 342, options [nop,nop,TS val 616294946 ecr 616293946], length 0
13:29:09.710152 IP 127.0.0.1.39306 > 127.0.0.1.12345: Flags [P.], seq 1:6, ack 1, win 342, options [nop,nop,TS val 616294947 ecr 616293946], length 5
13:29:09.711120 IP 127.0.0.1.12345 > 127.0.0.1.39306: Flags [S.], seq 3514208179, ack 283338335, win 43690, options [mss 65495,sackOK,TS val 616294948 ecr 616292946,nop,wscale 7], length 0
13:29:10.710173 IP 127.0.0.1.12345 > 127.0.0.1.39306: Flags [.], ack 6, win 342, options [nop,nop,TS val 616295947 ecr 616294947], length 0
13:29:10.711140 IP 127.0.0.1.39306 > 127.0.0.1.12345: Flags [.], ack 1, win 342, options [nop,nop,TS val 616295948 ecr 616293946], length 0
13:29:10.714782 IP 127.0.0.1.12345 > 127.0.0.1.39306: Flags [P.], seq 1:15, ack 6, win 342, options [nop,nop,TS val 616295951 ecr 616294947], length 14
13:29:11.714819 IP 127.0.0.1.39306 > 127.0.0.1.12345: Flags [.], ack 15, win 342, options [nop,nop,TS val 616296951 ecr 616295951], length 0
13:29:11.714893 IP 127.0.0.1.39306 > 127.0.0.1.12345: Flags [F.], seq 6, ack 15, win 342, options [nop,nop,TS val 616296951 ecr 616295951], length 0
13:29:12.715562 IP 127.0.0.1.12345 > 127.0.0.1.39306: Flags [F.], seq 15, ack 7, win 342, options [nop,nop,TS val 616297952 ecr 616296951], length 0
13:29:13.715596 IP 127.0.0.1.39306 > 127.0.0.1.12345: Flags [.], ack 16, win 342, options [nop,nop,TS val 616298952 ecr 616297952], length 0

It can be seen that the client sent the SYN packet twice, and the server sent the SYN/ACK twice.
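Spotting such retransmissions by eye gets tedious on longer dumps, so here is a small parser for the tcpdump -nn lines used throughout this article that flags segments sent more than once and measures the handshake RTT. It is an added example, not code from the original post; the sample lines are taken from the dumps above with their TCP options abbreviated.

```python
#!/usr/bin/env python3
"""Parse tcpdump -nn output and report retransmitted segments and handshake RTT,
so a netem or iptables run can be checked mechanically instead of by eye."""
import re
from collections import Counter
from datetime import datetime

# One tcpdump line per packet. A line without a trailing "length N" (such as the
# "[bad opt]>" line in the corrupt 50% dump) is not a parsable packet and is skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d{6}) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"Flags \[(?P<flags>[^\]]*)\],(?: seq (?P<seq>[\d:]+),)?(?: ack (?P<ack>\d+),)?"
    r".* length (?P<length>\d+)$"
)

def parse_line(line):
    """Return a dict for one tcpdump packet line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    pkt = m.groupdict()
    pkt["time"] = datetime.strptime(pkt["ts"], "%H:%M:%S.%f")
    pkt["length"] = int(pkt["length"])
    return pkt

def parse_dump(text):
    return [p for p in (parse_line(l) for l in text.splitlines()) if p]

def retransmissions(packets):
    """Segments that consume sequence space (SYN, FIN, data) sent more than once,
    keyed by (src, dst, flags, seq). Pure ACKs carry no seq and are ignored."""
    counts = Counter((p["src"], p["dst"], p["flags"], p["seq"])
                     for p in packets if p["seq"] is not None)
    return {key: n for key, n in counts.items() if n > 1}

def handshake_rtt(packets):
    """Seconds between the first SYN and the first SYN/ACK, or None if either is missing."""
    syn = next((p for p in packets if p["flags"] == "S"), None)
    synack = next((p for p in packets if p["flags"] == "S."), None)
    if syn is None or synack is None:
        return None
    return (synack["time"] - syn["time"]).total_seconds()

# Sample from the 1 s netem delay dump above (options abbreviated): SYN and SYN/ACK twice.
SAMPLE_DELAY_1S = """\
13:29:07.709981 IP 127.0.0.1.39306 > 127.0.0.1.12345: Flags [S], seq 283338334, win 43690, options [mss 65495], length 0
13:29:08.710018 IP 127.0.0.1.12345 > 127.0.0.1.39306: Flags [S.], seq 3514208179, ack 283338335, win 43690, options [mss 65495], length 0
13:29:08.711094 IP 127.0.0.1.39306 > 127.0.0.1.12345: Flags [S], seq 283338334, win 43690, options [mss 65495], length 0
13:29:09.710048 IP 127.0.0.1.39306 > 127.0.0.1.12345: Flags [.], ack 1, win 342, options [nop], length 0
13:29:09.710152 IP 127.0.0.1.39306 > 127.0.0.1.12345: Flags [P.], seq 1:6, ack 1, win 342, options [nop], length 5
13:29:09.711120 IP 127.0.0.1.12345 > 127.0.0.1.39306: Flags [S.], seq 3514208179, ack 283338335, win 43690, options [mss 65495], length 0
"""

# Sample from the "DROP packets with PSH" dump: the 5-byte request is resent four times.
SAMPLE_PSH_DROP = """\
10:02:47.549568 IP 127.0.0.1.49594 > 127.0.0.1.12345: Flags [P.], seq 1:6, ack 1, win 342, options [nop], length 5
10:02:47.750084 IP 127.0.0.1.49594 > 127.0.0.1.12345: Flags [P.], seq 1:6, ack 1, win 342, options [nop], length 5
10:02:47.951088 IP 127.0.0.1.49594 > 127.0.0.1.12345: Flags [P.], seq 1:6, ack 1, win 342, options [nop], length 5
10:02:48.354089 IP 127.0.0.1.49594 > 127.0.0.1.12345: Flags [P.], seq 1:6, ack 1, win 342, options [nop], length 5
"""

if __name__ == "__main__":
    for name, dump in (("delay 1s", SAMPLE_DELAY_1S), ("PSH drop", SAMPLE_PSH_DROP)):
        pkts = parse_dump(dump)
        print(name, "rtt:", handshake_rtt(pkts), "retransmitted:", retransmissions(pkts))
```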

Besides a constant value, the delay can be given a deviation, a distribution function, and a correlation (with the value for the previous packet). This is done as follows:

tc qdisc change dev lo root netem delay 500ms 400ms 50 distribution normal

Here we set the delay to between 100 and 900 milliseconds; the values will be chosen according to a normal distribution and will have a 50% correlation with the delay value of the previous packet.

You may have noticed that in the first command I used add and then change. The meaning of these commands is obvious, so I will just add that there is also del, which can be used to remove the configuration.

Packet loss

Now let's try to produce packet loss. As can be seen from the documentation, this can be done in three ways: dropping packets randomly with some probability, using a Markov chain with 2, 3 or 4 states to compute the packet loss, or using the Elliott-Gilbert model. In this article I will consider the first (simplest and most obvious) method; you can read about the others here.

Let's make 50% packet loss with a 25% correlation:

tc qdisc add dev lo root netem loss 50% 25%

Unfortunately, tcpdump will not be able to show us the packet loss clearly; we will just assume that it really works. The increased and unstable runtime of the client.py script will help us verify this (it may finish immediately, or maybe in 20 seconds), as will an increased number of retransmitted segments:

[user@host ~]# netstat -s | grep retransmited; sleep 10; netstat -s | grep retransmited
    17147 segments retransmited
    17185 segments retransmited

Adding noise to packets

Besides packet loss, you can simulate packet corruption: noise will appear at a random position in the packet. Let's corrupt packets with a 50% probability and no correlation:

tc qdisc change dev lo root netem corrupt 50%

We run the client script (nothing interesting there, but it took 2 seconds to complete) and look at the traffic:

Traffic dump

[user@host ~]# tcpdump -i lo -nn port 12345
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
10:20:54.812434 IP 127.0.0.1.43666 > 127.0.0.1.12345: Flags [S], seq 2023663770, win 43690, options [mss 65495,sackOK,TS val 1037001049 ecr 0,nop,wscale 7], length 0
10:20:54.812449 IP 127.0.0.1.12345 > 127.0.0.1.43666: Flags [S.], seq 2104268044, ack 2023663771, win 43690, options [mss 65495,sackOK,TS val 1037001049 ecr 1037001049,nop,wscale 7], length 0
10:20:54.812458 IP 127.0.0.1.43666 > 127.0.0.1.12345: Flags [.], ack 1, win 342, options [nop,nop,TS val 1037001049 ecr 1037001049], length 0
10:20:54.812509 IP 127.0.0.1.43666 > 127.0.0.1.12345: Flags [P.], seq 1:6, ack 1, win 342, options [nop,nop,TS val 1037001049 ecr 1037001049], length 5
10:20:55.013093 IP 127.0.0.1.43666 > 127.0.0.1.12345: Flags [P.], seq 1:6, ack 1, win 342, options [nop,nop,TS val 1037001250 ecr 1037001049], length 5
10:20:55.013122 IP 127.0.0.1.12345 > 127.0.0.1.43666: Flags [.], ack 6, win 342, options [nop,nop,TS val 1037001250 ecr 1037001250], length 0
10:20:55.014681 IP 127.0.0.1.12345 > 127.0.0.1.43666: Flags [P.], seq 1:15, ack 6, win 342, options [nop,nop,TS val 1037001251 ecr 1037001250], length 14
10:20:55.014745 IP 127.0.0.1.43666 > 127.0.0.1.12345: Flags [.], ack 15, win 340, options [nop,nop,TS val 1037001251 ecr 1037001251], length 0
10:20:55.014823 IP 127.0.0.1.43666 > 127.0.0.5.12345: Flags [F.], seq 2023663776, ack 2104268059, win 342, options [nop,nop,TS val 1037001251 ecr 1037001251], length 0
10:20:55.214088 IP 127.0.0.1.12345 > 127.0.0.1.43666: Flags [P.], seq 1:15, ack 6, win 342, options [nop,unknown-65 0x0a3dcf62eb3d,[bad opt]>
10:20:55.416087 IP 127.0.0.1.43666 > 127.0.0.1.12345: Flags [F.], seq 6, ack 15, win 342, options [nop,nop,TS val 1037001653 ecr 1037001251], length 0
10:20:55.416804 IP 127.0.0.1.12345 > 127.0.0.1.43666: Flags [F.], seq 15, ack 7, win 342, options [nop,nop,TS val 1037001653 ecr 1037001653], length 0
10:20:55.416818 IP 127.0.0.1.43666 > 127.0.0.1.12345: Flags [.], ack 16, win 343, options [nop,nop,TS val 1037001653 ecr 1037001653], length 0
10:20:56.147086 IP 127.0.0.1.12345 > 127.0.0.1.43666: Flags [F.], seq 15, ack 7, win 342, options [nop,nop,TS val 1037002384 ecr 1037001653], length 0
10:20:56.147101 IP 127.0.0.1.43666 > 127.0.0.1.12345: Flags [.], ack 16, win 342, options [nop,nop,TS val 1037002384 ecr 1037001653], length 0

It can be seen that some packets were sent repeatedly and that there is one packet with broken metadata: options [nop,unknown-65 0x0a3dcf62eb3d,[bad opt]>. But the main thing is that in the end everything worked correctly: TCP coped with its task.

Packet duplication

What else can you do with netem? For example, simulate the situation opposite to packet loss: packet duplication. This command also takes 2 arguments: probability and correlation.

tc qdisc change dev lo root netem duplicate 50% 25%

Changing packet order

You can shuffle packets in two ways.

In the first, some packets are sent immediately and the rest with a specified delay. Example from the documentation:

tc qdisc change dev lo root netem delay 10ms reorder 25% 50%

With a 25% probability (and a 50% correlation) a packet will be sent immediately; the rest will be sent with a delay of 10 milliseconds.

The second method is when every Nth packet is sent immediately with a given probability (and correlation), and the rest with a given delay. Example from the documentation:

tc qdisc change dev lo root netem delay 10ms reorder 25% 50% gap 5

Every fifth packet has a 25% chance of being sent without delay.

Changing bandwidth

Usually TBF is referred to everywhere for this, but with netem you can also change the interface bandwidth:

tc qdisc change dev lo root netem rate 56kbit

This command will make a trip around localhost as painful as surfing the internet through a dial-up modem. Besides setting the rate, you can also imitate the link-layer protocol model: set the per-packet overhead, the cell size, and the per-cell overhead. For example, this can simulate ATM with a bitrate of 56 kbit/sec:

tc qdisc change dev lo root netem rate 56kbit 0 48 5

Simulating connection timeouts

Another important point in the test plan when accepting software is timeouts. This matters because in distributed systems, when one of the services is down, the others must fall back to other services in time or return an error to the client, and in no case should they simply hang waiting for a response or for a connection to be established.

There are several ways to do this: for example, use a mock that does not respond, or attach to the process with a debugger, set a breakpoint in the right place and stop the process (this is probably the most perverse way). But one of the most obvious is to firewall the port or the host. iptables will help us with this.

For the demonstration, we will firewall port 12345 and run our client script. You can firewall outgoing packets to this port on the sender, or incoming packets on the receiver. In my examples incoming packets will be firewalled (we use the INPUT chain and the --dport option). Such packets can be DROPped, REJECTed, or REJECTed with the TCP RST flag or with ICMP host unreachable (in fact, the default behaviour is icmp-port-unreachable, and there is also the option of sending an icmp-net-unreachable, icmp-proto-unreachable, icmp-net-prohibited or icmp-host-prohibited response).

DROP

If there is a rule with DROP, packets will simply "disappear".

iptables -A INPUT -p tcp --dport 12345 -j DROP

We launch the client and see that it freezes at the stage of connecting to the server. Let's look at the traffic:

Traffic dump

[user@host ~]# tcpdump -i lo -nn port 12345
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
08:28:20.213506 IP 127.0.0.1.32856 > 127.0.0.1.12345: Flags [S], seq 3019694933, win 43690, options [mss 65495,sackOK,TS val 1203046450 ecr 0,nop,wscale 7], length 0
08:28:21.215086 IP 127.0.0.1.32856 > 127.0.0.1.12345: Flags [S], seq 3019694933, win 43690, options [mss 65495,sackOK,TS val 1203047452 ecr 0,nop,wscale 7], length 0
08:28:23.219092 IP 127.0.0.1.32856 > 127.0.0.1.12345: Flags [S], seq 3019694933, win 43690, options [mss 65495,sackOK,TS val 1203049456 ecr 0,nop,wscale 7], length 0
08:28:27.227087 IP 127.0.0.1.32856 > 127.0.0.1.12345: Flags [S], seq 3019694933, win 43690, options [mss 65495,sackOK,TS val 1203053464 ecr 0,nop,wscale 7], length 0
08:28:35.235102 IP 127.0.0.1.32856 > 127.0.0.1.12345: Flags [S], seq 3019694933, win 43690, options [mss 65495,sackOK,TS val 1203061472 ecr 0,nop,wscale 7], length 0

It can be seen that the client sends SYN packets with an exponentially increasing interval. So we have found a small bug in the client: you need to use the settimeout() method to limit the time the client spends trying to connect to the server.

We immediately remove the rule:

iptables -D INPUT -p tcp --dport 12345 -j DROP

You can delete all rules at once:

iptables -F

If you use Docker and need to firewall all traffic going to the container, you can do it like this:

iptables -I DOCKER-USER -p tcp -d CONTAINER_IP -j DROP

REJECT

Now let's add a similar rule, but with REJECT:

iptables -A INPUT -p tcp --dport 12345 -j REJECT

The client exits after one second with the error [Errno 111] Connection refused. Let's look at the ICMP traffic:

[user@host ~]# tcpdump -i lo -nn icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
08:45:32.871414 IP 127.0.0.1 > 127.0.0.1: ICMP 127.0.0.1 tcp port 12345 unreachable, length 68
08:45:33.873097 IP 127.0.0.1 > 127.0.0.1: ICMP 127.0.0.1 tcp port 12345 unreachable, length 68

It can be seen that the client received port unreachable twice and then terminated with an error.

REJECT with tcp-reset

Let's try adding the --reject-with tcp-reset option:

iptables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with tcp-reset

In this case the client exits immediately with an error, because the first request received an RST packet:

[user@host ~]# tcpdump -i lo -nn port 12345
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
09:02:52.766175 IP 127.0.0.1.60658 > 127.0.0.1.12345: Flags [S], seq 1889460883, win 43690, options [mss 65495,sackOK,TS val 1205119003 ecr 0,nop,wscale 7], length 0
09:02:52.766184 IP 127.0.0.1.12345 > 127.0.0.1.60658: Flags [R.], seq 0, ack 1889460884, win 0, length 0

REJECT with icmp-host-unreachable

Let's try another option for using REJECT:

iptables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with icmp-host-unreachable

The client exits after one second with the error [Errno 113] No route to host, and in the ICMP traffic we see ICMP host 127.0.0.1 unreachable.

You can also try the other REJECT parameters, but I will limit myself to these :)

Simulating request timeouts

Another situation is when the client was able to connect to the server but cannot send it a request. How do you filter packets so that filtering does not start immediately? If you look at the traffic of any communication between a client and a server, you will notice that when establishing the connection only the SYN and ACK flags are used, but when exchanging data the last packet of the request carries the PSH flag. It is set automatically to avoid buffering. You can use this to build a filter: it will allow all packets except those with the PSH flag. Thus the connection will be established, but the client will not be able to send data to the server.

DROP

For DROP the command would look like this:

iptables -A INPUT -p tcp --tcp-flags PSH PSH --dport 12345 -j DROP

Launch the client and look at the traffic:

Traffic dump

[user@host ~]# tcpdump -i lo -nn port 12345
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
10:02:47.549498 IP 127.0.0.1.49594 > 127.0.0.1.12345: Flags [S], seq 2166014137, win 43690, options [mss 65495,sackOK,TS val 1208713786 ecr 0,nop,wscale 7], length 0
10:02:47.549510 IP 127.0.0.1.12345 > 127.0.0.1.49594: Flags [S.], seq 2341799088, ack 2166014138, win 43690, options [mss 65495,sackOK,TS val 1208713786 ecr 1208713786,nop,wscale 7], length 0
10:02:47.549520 IP 127.0.0.1.49594 > 127.0.0.1.12345: Flags [.], ack 1, win 342, options [nop,nop,TS val 1208713786 ecr 1208713786], length 0
10:02:47.549568 IP 127.0.0.1.49594 > 127.0.0.1.12345: Flags [P.], seq 1:6, ack 1, win 342, options [nop,nop,TS val 1208713786 ecr 1208713786], length 5
10:02:47.750084 IP 127.0.0.1.49594 > 127.0.0.1.12345: Flags [P.], seq 1:6, ack 1, win 342, options [nop,nop,TS val 1208713987 ecr 1208713786], length 5
10:02:47.951088 IP 127.0.0.1.49594 > 127.0.0.1.12345: Flags [P.], seq 1:6, ack 1, win 342, options [nop,nop,TS val 1208714188 ecr 1208713786], length 5
10:02:48.354089 IP 127.0.0.1.49594 > 127.0.0.1.12345: Flags [P.], seq 1:6, ack 1, win 342, options [nop,nop,TS val 1208714591 ecr 1208713786], length 5

We see that the connection is established and the client cannot send data to the server.
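The settimeout() fix identified in the connection-timeout section also covers this case, where the client connects but never gets a reply. Below is the echo client with deadlines on both the connect and the data phase, and with the failures produced in this article (DROP, REJECT, tcp-reset, icmp-host-unreachable, the PSH-filtered request) mapped to named outcomes; this is an added example, not the author's script, and the local echo server and silent listener are constructed stand-ins for the ncat server behind the iptables rules.

```python
#!/usr/bin/env python3
"""The article's echo client with the missing settimeout() added, so that the
DROP / REJECT rules above end in a named outcome instead of a hung client."""
import errno
import socket
import threading
import time

def classify_error(exc):
    """Name the test scenario a socket error most likely corresponds to."""
    code = getattr(exc, "errno", None)
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "timeout"           # DROP: packets vanish; only our own deadline ends the wait
    if isinstance(exc, ConnectionRefusedError) or code == errno.ECONNREFUSED:
        return "refused"           # REJECT on the SYN (port-unreachable or tcp-reset): errno 111
    if code == errno.EHOSTUNREACH:
        return "host_unreachable"  # REJECT --reject-with icmp-host-unreachable: errno 113
    if isinstance(exc, ConnectionResetError) or code == errno.ECONNRESET:
        return "reset"             # RST on an established connection (tcp-reset on the PSH)
    return "other"

def echo_request(host, port, message=b"Test\n", connect_timeout=1.0, io_timeout=2.0):
    """Send one request; return (outcome, response_bytes, elapsed_seconds).
    Blocks at most connect_timeout + 2 * io_timeout seconds, never forever."""
    start = time.monotonic()
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.settimeout(connect_timeout)  # caps the exponential SYN retries seen under DROP
        sock.connect((host, port))
        sock.settimeout(io_timeout)       # caps send()/recv() once the connection is up
        sock.sendall(message)
        data = sock.recv(1024)
        return "ok", data, time.monotonic() - start
    except OSError as exc:
        return classify_error(exc), b"", time.monotonic() - start
    finally:
        sock.close()

# --- constructed local stand-ins so the client can be exercised without tc/iptables ---
_listeners = []  # keep listening sockets referenced so they are not garbage-collected

def _listen():
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    _listeners.append(srv)
    return srv

def start_echo_server():
    """Stand-in for the ncat echo server: answers 'Response: <line>' and closes."""
    srv = _listen()
    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                conn.sendall(b"Response: " + conn.recv(1024).strip() + b"\n")
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def start_silent_listener():
    """Listens but never accept()s or answers: the handshake completes in the kernel
    backlog, so from the client's side this looks like the PSH DROP rule above."""
    return _listen().getsockname()[1]

def closed_port():
    """A loopback port nothing listens on, for the connection-refused case."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    port = probe.getsockname()[1]
    probe.close()
    return port

if __name__ == "__main__":
    # Against the article's server (ncat on 127.0.0.1:12345) with one of the rules applied:
    print(echo_request("127.0.0.1", 12345))
```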

REJECT

In this case the behaviour will be the same: the client will not be able to send the request, but it will receive ICMP 127.0.0.1 tcp port 12345 unreachable and will increase the interval between resends of the request exponentially. The command looks like this:

iptables -A INPUT -p tcp --tcp-flags PSH PSH --dport 12345 -j REJECT

REJECT with tcp-reset

The command looks like this:

iptables -A INPUT -p tcp --tcp-flags PSH PSH --dport 12345 -j REJECT --reject-with tcp-reset

We already know that with --reject-with tcp-reset the client will receive an RST packet in response, so the behaviour is predictable: receiving an RST packet on an established connection means the socket was unexpectedly closed on the other side, which means the client should get Connection reset by peer. Let's run our script and make sure of this. Here is what the traffic will look like:

Traffic dump

[user@host ~]# tcpdump -i lo -nn port 12345
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
10:22:14.186269 IP 127.0.0.1.52536 > 127.0.0.1.12345: Flags [S], seq 2615137531, win 43690, options [mss 65495,sackOK,TS val 1209880423 ecr 0,nop,wscale 7], length 0
10:22:14.186284 IP 127.0.0.1.12345 > 127.0.0.1.52536: Flags [S.], seq 3999904809, ack 2615137532, win 43690, options [mss 65495,sackOK,TS val 1209880423 ecr 1209880423,nop,wscale 7], length 0
10:22:14.186293 IP 127.0.0.1.52536 > 127.0.0.1.12345: Flags [.], ack 1, win 342, options [nop,nop,TS val 1209880423 ecr 1209880423], length 0
10:22:14.186338 IP 127.0.0.1.52536 > 127.0.0.1.12345: Flags [P.], seq 1:6, ack 1, win 342, options [nop,nop,TS val 1209880423 ecr 1209880423], length 5
10:22:14.186344 IP 127.0.0.1.12345 > 127.0.0.1.52536: Flags [R], seq 3999904810, win 0, length 0

REJECT with icmp-host-unreachable

I think it is already obvious to everyone what the command will look like :) The client's behaviour in this case will be slightly different from that with a plain REJECT: the client will not increase the interval between attempts to send the packet.

[user@host ~]# tcpdump -i lo -nn icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
10:29:56.149202 IP 127.0.0.1 > 127.0.0.1: ICMP host 127.0.0.1 unreachable, length 65
10:29:56.349107 IP 127.0.0.1 > 127.0.0.1: ICMP host 127.0.0.1 unreachable, length 65
10:29:56.549117 IP 127.0.0.1 > 127.0.0.1: ICMP host 127.0.0.1 unreachable, length 65
10:29:56.750125 IP 127.0.0.1 > 127.0.0.1: ICMP host 127.0.0.1 unreachable, length 65
10:29:56.951130 IP 127.0.0.1 > 127.0.0.1: ICMP host 127.0.0.1 unreachable, length 65
10:29:57.152107 IP 127.0.0.1 > 127.0.0.1: ICMP host 127.0.0.1 unreachable, length 65
10:29:57.353115 IP 127.0.0.1 > 127.0.0.1: ICMP host 127.0.0.1 unreachable, length 65

Conclusion

It is not necessary to write a mock to test how a service interacts with a hung client or server; sometimes it is enough to use the standard utilities found in Linux.

The utilities discussed in this article have even more capabilities than described, so you can come up with options of your own for using them. Personally, what I wrote about is always enough for me (in fact, even less). If you use these or similar utilities for testing at your company, please write exactly how. If not, then I hope your software will become better if you decide to test it under network-problem conditions using the suggested methods.

Source: www.habr.com
