Emulating network problems in Linux

Hello everyone, my name is Sasha and I lead backend testing at FunCorp. Like many others, we have adopted a service-oriented architecture. On the one hand this makes the work easier, because each service is simpler to test on its own; on the other hand, you then have to test how the services interact with each other, and that interaction usually happens over the network.

In this article I will talk about two utilities that can be used to check the basic scenarios that describe how an application behaves in the presence of network problems.


Emulating network problems

Software is usually tested on test servers with a good Internet connection. In harsh production environments things may not be so smooth, so sometimes you need to test programs under poor connectivity. On Linux, the tc utility helps emulate such conditions.

tc (short for Traffic Control) lets you configure how network packets are transmitted by the system. The utility has very broad capabilities; you can read more about them here. In this article I'll only look at a few of them: we're interested in traffic scheduling, for which qdisc is used, and since we need to emulate an unstable network, we'll use the classless qdisc netem.

Let's start an echo server (I used nmap-ncat):

ncat -l 127.0.0.1 12345 -k -c 'xargs -n1 -i echo "Response: {}"'

To see detailed timestamps for each step of the interaction between the client and the server, I wrote a simple Python script that sends a test request to our echo server.

Client source code

#!/usr/bin/env python3
# Minimal timing client for the echo server above (ported to Python 3;
# the original was Python 2). Prints a timestamp at each step so delays
# introduced by netem/iptables are visible per phase.

import socket
import time

HOST = '127.0.0.1'
PORT = 12345
BUFFER_SIZE = 1024
MESSAGE = b"Test\n"   # the echo server reads one line at a time

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
t1 = time.time()
print("[time before connection: %.5f]" % t1)
s.connect((HOST, PORT))
print("[time after connection, before sending: %.5f]" % time.time())
s.sendall(MESSAGE)
print("[time after sending, before receiving: %.5f]" % time.time())
data = s.recv(BUFFER_SIZE)
print("[time after receiving, before closing: %.5f]" % time.time())
s.close()
t2 = time.time()
print("[time after closing: %.5f]" % t2)
print("[total duration: %.5f]" % (t2 - t1))

print(data.decode().rstrip("\n"))

Let's run it and look at the traffic on the lo interface on port 12345:

[user@host ~]# python client.py
[time before connection: 1578652979.44837]
[time after connection, before sending: 1578652979.44889]
[time after sending, before receiving: 1578652979.44894]
[time after receiving, before closing: 1578652979.45922]
[time after closing: 1578652979.45928]
[total duration: 0.01091]
Response: Test

Traffic dump

[user@host ~]# tcpdump -i lo -nn port 12345
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
10:42:59.448601 IP 127.0.0.1.54054 > 127.0.0.1.12345: Flags [S], seq 3383332866, win 43690, options [mss 65495,sackOK,TS val 606325685 ecr 0,nop,wscale 7], length 0
10:42:59.448612 IP 127.0.0.1.12345 > 127.0.0.1.54054: Flags [S.], seq 2584700178, ack 3383332867, win 43690, options [mss 65495,sackOK,TS val 606325685 ecr 606325685,nop,wscale 7], length 0
10:42:59.448622 IP 127.0.0.1.54054 > 127.0.0.1.12345: Flags [.], ack 1, win 342, options [nop,nop,TS val 606325685 ecr 606325685], length 0
10:42:59.448923 IP 127.0.0.1.54054 > 127.0.0.1.12345: Flags [P.], seq 1:6, ack 1, win 342, options [nop,nop,TS val 606325685 ecr 606325685], length 5
10:42:59.448930 IP 127.0.0.1.12345 > 127.0.0.1.54054: Flags [.], ack 6, win 342, options [nop,nop,TS val 606325685 ecr 606325685], length 0
10:42:59.459118 IP 127.0.0.1.12345 > 127.0.0.1.54054: Flags [P.], seq 1:15, ack 6, win 342, options [nop,nop,TS val 606325696 ecr 606325685], length 14
10:42:59.459213 IP 127.0.0.1.54054 > 127.0.0.1.12345: Flags [.], ack 15, win 342, options [nop,nop,TS val 606325696 ecr 606325696], length 0
10:42:59.459268 IP 127.0.0.1.54054 > 127.0.0.1.12345: Flags [F.], seq 6, ack 15, win 342, options [nop,nop,TS val 606325696 ecr 606325696], length 0
10:42:59.460184 IP 127.0.0.1.12345 > 127.0.0.1.54054: Flags [F.], seq 15, ack 7, win 342, options [nop,nop,TS val 606325697 ecr 606325696], length 0
10:42:59.460196 IP 127.0.0.1.54054 > 127.0.0.1.12345: Flags [.], ack 16, win 342, options [nop,nop,TS val 606325697 ecr 606325697], length 0

Everything is standard: the three-way handshake, then PSH/ACK and ACK twice (the request and the response being exchanged between client and server), then FIN/ACK and ACK twice (closing the connection).

Packet delay

Let's set the delay to 500 milliseconds:

tc qdisc add dev lo root netem delay 500ms

We run the client and see that the script now takes 2 seconds:

[user@host ~]# ./client.py
[time before connection: 1578662612.71044]
[time after connection, before sending: 1578662613.71059]
[time after sending, before receiving: 1578662613.71065]
[time after receiving, before closing: 1578662614.72011]
[time after closing: 1578662614.72019]
[total duration: 2.00974]
Response: Test

What does the traffic look like? Let's see:

Traffic dump

13:23:33.210520 IP 127.0.0.1.58694 > 127.0.0.1.12345: Flags [S], seq 1720950927, win 43690, options [mss 65495,sackOK,TS val 615958947 ecr 0,nop,wscale 7], length 0
13:23:33.710554 IP 127.0.0.1.12345 > 127.0.0.1.58694: Flags [S.], seq 1801168125, ack 1720950928, win 43690, options [mss 65495,sackOK,TS val 615959447 ecr 615958947,nop,wscale 7], length 0
13:23:34.210590 IP 127.0.0.1.58694 > 127.0.0.1.12345: Flags [.], ack 1, win 342, options [nop,nop,TS val 615959947 ecr 615959447], length 0
13:23:34.210657 IP 127.0.0.1.58694 > 127.0.0.1.12345: Flags [P.], seq 1:6, ack 1, win 342, options [nop,nop,TS val 615959947 ecr 615959447], length 5
13:23:34.710680 IP 127.0.0.1.12345 > 127.0.0.1.58694: Flags [.], ack 6, win 342, options [nop,nop,TS val 615960447 ecr 615959947], length 0
13:23:34.719371 IP 127.0.0.1.12345 > 127.0.0.1.58694: Flags [P.], seq 1:15, ack 6, win 342, options [nop,nop,TS val 615960456 ecr 615959947], length 14
13:23:35.220106 IP 127.0.0.1.58694 > 127.0.0.1.12345: Flags [.], ack 15, win 342, options [nop,nop,TS val 615960957 ecr 615960456], length 0
13:23:35.220188 IP 127.0.0.1.58694 > 127.0.0.1.12345: Flags [F.], seq 6, ack 15, win 342, options [nop,nop,TS val 615960957 ecr 615960456], length 0
13:23:35.720994 IP 127.0.0.1.12345 > 127.0.0.1.58694: Flags [F.], seq 15, ack 7, win 342, options [nop,nop,TS val 615961457 ecr 615960957], length 0
13:23:36.221025 IP 127.0.0.1.58694 > 127.0.0.1.12345: Flags [.], ack 16, win 342, options [nop,nop,TS val 615961957 ecr 615961457], length 0

You can see the expected half-second delay appear in every step of the exchange between the client and the server (a 500 ms one-way delay on lo means a 1 s round trip, so each request/response pair costs a second). The system behaves more interestingly when the delay is larger: the kernel starts retransmitting some TCP segments. Let's change the delay to 1 second and look at the traffic (I won't show the client's output; the total duration there is 4 seconds):

tc qdisc change dev lo root netem delay 1s

Traffic dump

13:29:07.709981 IP 127.0.0.1.39306 > 127.0.0.1.12345: Flags [S], seq 283338334, win 43690, options [mss 65495,sackOK,TS val 616292946 ecr 0,nop,wscale 7], length 0
13:29:08.710018 IP 127.0.0.1.12345 > 127.0.0.1.39306: Flags [S.], seq 3514208179, ack 283338335, win 43690, options [mss 65495,sackOK,TS val 616293946 ecr 616292946,nop,wscale 7], length 0
13:29:08.711094 IP 127.0.0.1.39306 > 127.0.0.1.12345: Flags [S], seq 283338334, win 43690, options [mss 65495,sackOK,TS val 616293948 ecr 0,nop,wscale 7], length 0
13:29:09.710048 IP 127.0.0.1.39306 > 127.0.0.1.12345: Flags [.], ack 1, win 342, options [nop,nop,TS val 616294946 ecr 616293946], length 0
13:29:09.710152 IP 127.0.0.1.39306 > 127.0.0.1.12345: Flags [P.], seq 1:6, ack 1, win 342, options [nop,nop,TS val 616294947 ecr 616293946], length 5
13:29:09.711120 IP 127.0.0.1.12345 > 127.0.0.1.39306: Flags [S.], seq 3514208179, ack 283338335, win 43690, options [mss 65495,sackOK,TS val 616294948 ecr 616292946,nop,wscale 7], length 0
13:29:10.710173 IP 127.0.0.1.12345 > 127.0.0.1.39306: Flags [.], ack 6, win 342, options [nop,nop,TS val 616295947 ecr 616294947], length 0
13:29:10.711140 IP 127.0.0.1.39306 > 127.0.0.1.12345: Flags [.], ack 1, win 342, options [nop,nop,TS val 616295948 ecr 616293946], length 0
13:29:10.714782 IP 127.0.0.1.12345 > 127.0.0.1.39306: Flags [P.], seq 1:15, ack 6, win 342, options [nop,nop,TS val 616295951 ecr 616294947], length 14
13:29:11.714819 IP 127.0.0.1.39306 > 127.0.0.1.12345: Flags [.], ack 15, win 342, options [nop,nop,TS val 616296951 ecr 616295951], length 0
13:29:11.714893 IP 127.0.0.1.39306 > 127.0.0.1.12345: Flags [F.], seq 6, ack 15, win 342, options [nop,nop,TS val 616296951 ecr 616295951], length 0
13:29:12.715562 IP 127.0.0.1.12345 > 127.0.0.1.39306: Flags [F.], seq 15, ack 7, win 342, options [nop,nop,TS val 616297952 ecr 616296951], length 0
13:29:13.715596 IP 127.0.0.1.39306 > 127.0.0.1.12345: Flags [.], ack 16, win 342, options [nop,nop,TS val 616298952 ecr 616297952], length 0

You can see that the client sent its SYN twice and the server sent SYN/ACK twice. The timestamps show why: the second SYN leaves exactly 1 second after the first, which is Linux's initial SYN retransmission timeout, while with a 1 s delay in each direction the SYN/ACK cannot arrive in less than 2 seconds. Whenever the emulated round trip exceeds that initial 1 s timeout you will see such spurious retransmissions, so factor them into the timings you measure.

Besides a constant value, the delay can be given a jitter, a distribution function and a correlation (with the value for the previous packet). It's done like this:

tc qdisc change dev lo root netem delay 500ms 400ms 50 distribution normal

Here we've set a 500 ms delay with a 400 ms jitter and a 50% correlation with the previous packet's delay, with the values drawn from a normal distribution. Without a distribution argument the jitter is uniform and the delay stays between 100 and 900 milliseconds; with distribution normal the 400 ms is the spread of the distribution rather than a hard bound, so individual packets can fall outside that range.

You may have noticed that I used add in the first command and change afterwards. What these commands mean is obvious, so I'll only add that there's also del (tc qdisc del dev lo root), which removes the configuration. Don't forget it: a netem qdisc left on lo slows down everything on the host that talks over loopback, not just the service under test.

Packet loss

Now let's try packet loss. As the documentation shows, there are three ways to do it: losing packets randomly with a given probability, using a Markov chain with 2, 3 or 4 states to decide which packets are lost, or using the Gilbert-Elliott model. In this article I'll only look at the first (the simplest and most obvious); you can read about the others here.

Let's make 50% of packets get lost, with a 25% correlation:

tc qdisc add dev lo root netem loss 50% 25%

Unfortunately tcpdump cannot show us packet loss directly, so we'll just trust that it works. What does confirm it is the longer and erratic run time of client.py (it may finish quickly, or it may take 20 seconds), and the growing system-wide count of retransmitted segments (note that netstat really does print "retransmited" with one t):

[user@host ~]# netstat -s | grep retransmited; sleep 10; netstat -s | grep retransmited
    17147 segments retransmited
    17185 segments retransmited
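tcpdump cannot show which packets netem discarded, but the qdisc keeps its own counters. The following is an added example of mine, not code from the article: it wraps the add/change/del procedure from above in a context manager that always removes the qdisc afterwards, and parses the output of tc -s qdisc show dev lo to read the Sent ... (dropped N, ...) line, so a test can confirm the impairment is actually active and see the real drop ratio. The netem_cmd, netem_del_cmd, parse_qdisc_stats, drop_ratio and netem names are my own; the statistics block embedded in the code is constructed to match iproute2's output layout and its numbers are made up. The live part under __main__ needs root and iproute2.

```python
#!/usr/bin/env python3
"""Apply a netem impairment for the duration of a test and verify it from the
qdisc's own statistics.  Added example; the live part needs root + iproute2."""
import re
import subprocess
from contextlib import contextmanager

# Constructed sample of `tc -s qdisc show dev lo` output.  The layout is the
# one iproute2 prints; the numbers are invented for the example.
SAMPLE_TC_STATS = """\
qdisc netem 8001: root refcnt 2 limit 1000 delay 500ms loss 50% 25%
 Sent 1330 bytes 14 pkt (dropped 6, overlimits 0 requeues 0)
 backlog 0b 0p requeues 0
"""

_HEAD_RE = re.compile(r"^qdisc netem \S+ root .*?limit \d+\s*(?P<params>.*)$", re.M)
_STATS_RE = re.compile(
    r"Sent (?P<bytes>\d+) bytes (?P<pkts>\d+) pkt "
    r"\(dropped (?P<dropped>\d+), overlimits (?P<overlimits>\d+) requeues (?P<requeues>\d+)\)"
)


def netem_cmd(dev, *params, action="add"):
    """argv for `tc qdisc <action> dev <dev> root netem <params>`.
    `add` fails if a root qdisc exists, `change` fails if none does;
    `replace` works either way, which is what a test harness wants."""
    if action not in ("add", "change", "replace"):
        raise ValueError("unsupported tc action: %s" % action)
    return ["tc", "qdisc", action, "dev", dev, "root", "netem", *params]


def netem_del_cmd(dev):
    """argv that removes the root qdisc and restores normal behaviour."""
    return ["tc", "qdisc", "del", "dev", dev, "root"]


def parse_qdisc_stats(text):
    """Parse `tc -s qdisc show dev X` output.  Returns None when no netem
    qdisc is installed (the impairment is NOT in effect), otherwise a dict
    with the netem parameter string and the Sent/dropped counters."""
    head = _HEAD_RE.search(text)
    if head is None:
        return None
    stats = _STATS_RE.search(text, head.end())
    if stats is None:
        raise ValueError("netem qdisc present but no statistics line follows")
    result = {k: int(v) for k, v in stats.groupdict().items()}
    result["params"] = head.group("params").strip()
    return result


def drop_ratio(stats):
    """Share of packets netem discarded.  `Sent` counts packets that left the
    qdisc, so everything offered to it is sent + dropped."""
    offered = stats["pkts"] + stats["dropped"]
    return stats["dropped"] / offered if offered else 0.0


def live_stats(dev):
    out = subprocess.run(["tc", "-s", "qdisc", "show", "dev", dev],
                         capture_output=True, text=True, check=True).stdout
    return parse_qdisc_stats(out)


@contextmanager
def netem(dev, *params):
    """Install the impairment, yield, and always remove it again: a test that
    dies with netem still on lo slows down everything on the host."""
    subprocess.run(netem_cmd(dev, *params, action="replace"), check=True)
    try:
        yield
    finally:
        subprocess.run(netem_del_cmd(dev), check=False)


if __name__ == "__main__":
    # Live use, as root: 50% loss with 25% correlation while the article's
    # client.py runs a few times, then read how much was really dropped.
    with netem("lo", "loss", "50%", "25%"):
        for _ in range(10):
            subprocess.run(["python3", "client.py"], check=False)
        st = live_stats("lo")
        print("netem %s: dropped %d of %d packets (%.0f%%)" % (
            st["params"], st["dropped"], st["pkts"] + st["dropped"], 100 * drop_ratio(st)))
```

With only a handful of packets the measured ratio will scatter around the configured 50%, and the 25% correlation makes drops come in bursts; if parse_qdisc_stats returns None your test ran against an unimpaired interface, which is the failure mode worth asserting against before trusting any timing results.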

Adding noise to packets

Besides losing packets you can emulate packet corruption: noise will be introduced at a random position in the packet. Let's corrupt packets with a 50% probability and no correlation:

tc qdisc change dev lo root netem corrupt 50%

We run the client script (nothing interesting there, except that it took 2 seconds to finish) and look at the traffic:

Traffic dump

[user@host ~]# tcpdump -i lo -nn port 12345
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
10:20:54.812434 IP 127.0.0.1.43666 > 127.0.0.1.12345: Flags [S], seq 2023663770, win 43690, options [mss 65495,sackOK,TS val 1037001049 ecr 0,nop,wscale 7], length 0
10:20:54.812449 IP 127.0.0.1.12345 > 127.0.0.1.43666: Flags [S.], seq 2104268044, ack 2023663771, win 43690, options [mss 65495,sackOK,TS val 1037001049 ecr 1037001049,nop,wscale 7], length 0
10:20:54.812458 IP 127.0.0.1.43666 > 127.0.0.1.12345: Flags [.], ack 1, win 342, options [nop,nop,TS val 1037001049 ecr 1037001049], length 0
10:20:54.812509 IP 127.0.0.1.43666 > 127.0.0.1.12345: Flags [P.], seq 1:6, ack 1, win 342, options [nop,nop,TS val 1037001049 ecr 1037001049], length 5
10:20:55.013093 IP 127.0.0.1.43666 > 127.0.0.1.12345: Flags [P.], seq 1:6, ack 1, win 342, options [nop,nop,TS val 1037001250 ecr 1037001049], length 5
10:20:55.013122 IP 127.0.0.1.12345 > 127.0.0.1.43666: Flags [.], ack 6, win 342, options [nop,nop,TS val 1037001250 ecr 1037001250], length 0
10:20:55.014681 IP 127.0.0.1.12345 > 127.0.0.1.43666: Flags [P.], seq 1:15, ack 6, win 342, options [nop,nop,TS val 1037001251 ecr 1037001250], length 14
10:20:55.014745 IP 127.0.0.1.43666 > 127.0.0.1.12345: Flags [.], ack 15, win 340, options [nop,nop,TS val 1037001251 ecr 1037001251], length 0
10:20:55.014823 IP 127.0.0.1.43666 > 127.0.0.5.12345: Flags [F.], seq 2023663776, ack 2104268059, win 342, options [nop,nop,TS val 1037001251 ecr 1037001251], length 0
10:20:55.214088 IP 127.0.0.1.12345 > 127.0.0.1.43666: Flags [P.], seq 1:15, ack 6, win 342, options [nop,unknown-65 0x0a3dcf62eb3d,[bad opt]>
10:20:55.416087 IP 127.0.0.1.43666 > 127.0.0.1.12345: Flags [F.], seq 6, ack 15, win 342, options [nop,nop,TS val 1037001653 ecr 1037001251], length 0
10:20:55.416804 IP 127.0.0.1.12345 > 127.0.0.1.43666: Flags [F.], seq 15, ack 7, win 342, options [nop,nop,TS val 1037001653 ecr 1037001653], length 0
10:20:55.416818 IP 127.0.0.1.43666 > 127.0.0.1.12345: Flags [.], ack 16, win 343, options [nop,nop,TS val 1037001653 ecr 1037001653], length 0
10:20:56.147086 IP 127.0.0.1.12345 > 127.0.0.1.43666: Flags [F.], seq 15, ack 7, win 342, options [nop,nop,TS val 1037002384 ecr 1037001653], length 0
10:20:56.147101 IP 127.0.0.1.43666 > 127.0.0.1.12345: Flags [.], ack 16, win 342, options [nop,nop,TS val 1037002384 ecr 1037001653], length 0

You can see that some packets were sent repeatedly, and one packet has broken TCP options: options [nop,unknown-65 0x0a3dcf62eb3d,[bad opt]>. Another one, a FIN/ACK, had its destination address corrupted to 127.0.0.5 (which is why tcpdump no longer matched it to the connection and printed absolute sequence numbers for it), and the client retransmitted it 400 ms later. But the main thing is that the end result is correct: TCP did its job.

Packet duplication

What else can netem do? For example, emulate the opposite of packet loss: packet duplication. This command also takes 2 arguments: probability and correlation.

tc qdisc change dev lo root netem duplicate 50% 25%

Reordering packets

Packets can be reordered in two ways.

In the first, some packets are sent immediately and the rest with the given delay. Example from the documentation:

tc qdisc change dev lo root netem delay 10ms reorder 25% 50%

With a 25% probability (and 50% correlation) a packet is sent immediately; the others are sent with a 10 millisecond delay.

In the second, every Nth packet is sent immediately with the given probability (and correlation), and the rest with a delay. Example from the documentation:

tc qdisc change dev lo root netem delay 10ms reorder 25% 50% gap 5

Every fifth packet has a 25% chance of being sent without delay.

Changing bandwidth

Usually TBF is what everyone points to, but netem can also limit the interface bandwidth:

tc qdisc change dev lo root netem rate 56kbit

This command makes browsing localhost as painful as using the Internet over a dial-up modem. Besides setting the bitrate you can also emulate the link-layer protocol model: set the per-packet overhead, the cell size and the per-cell overhead. For example, this is how ATM with a bitrate of 56 kbit/s can be emulated:

tc qdisc change dev lo root netem rate 56kbit 0 48 5

Emulating connection timeout

Another important item in a test plan for accepting software is timeouts. This matters because in a distributed system, when one of the services is unavailable, the others must fail over to alternatives in time or return an error to the client, and under no circumstances should they just hang waiting for a response or for a connection to be established.

There are several ways to do this: for example, use a mock that doesn't respond, or attach to the process with a debugger, set a breakpoint in the right place and stop the process (probably the most perverse way). But one of the most obvious is to firewall ports or hosts. iptables will help us here.

For the demonstration we'll firewall port 12345 and run our client. You can firewall outgoing packets to this port on the sender, or incoming packets on the receiver. In my examples incoming packets are firewalled (we use the INPUT chain and the --dport option). Such packets can be DROPped, REJECTed, or REJECTed with a TCP RST or an ICMP host unreachable (in fact the default behaviour of REJECT is icmp-port-unreachable, and it can also reply with icmp-net-unreachable, icmp-proto-unreachable, icmp-net-prohibited and icmp-host-prohibited).

DROP

If there is a DROP rule, the packets simply "disappear".

iptables -A INPUT -p tcp --dport 12345 -j DROP

We run the client and see that it hangs at the stage of connecting to the server. Let's look at the traffic:
Traffic dump

[user@host ~]# tcpdump -i lo -nn port 12345
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
08:28:20.213506 IP 127.0.0.1.32856 > 127.0.0.1.12345: Flags [S], seq 3019694933, win 43690, options [mss 65495,sackOK,TS val 1203046450 ecr 0,nop,wscale 7], length 0
08:28:21.215086 IP 127.0.0.1.32856 > 127.0.0.1.12345: Flags [S], seq 3019694933, win 43690, options [mss 65495,sackOK,TS val 1203047452 ecr 0,nop,wscale 7], length 0
08:28:23.219092 IP 127.0.0.1.32856 > 127.0.0.1.12345: Flags [S], seq 3019694933, win 43690, options [mss 65495,sackOK,TS val 1203049456 ecr 0,nop,wscale 7], length 0
08:28:27.227087 IP 127.0.0.1.32856 > 127.0.0.1.12345: Flags [S], seq 3019694933, win 43690, options [mss 65495,sackOK,TS val 1203053464 ecr 0,nop,wscale 7], length 0
08:28:35.235102 IP 127.0.0.1.32856 > 127.0.0.1.12345: Flags [S], seq 3019694933, win 43690, options [mss 65495,sackOK,TS val 1203061472 ecr 0,nop,wscale 7], length 0

You can see that the client sends SYN packets with an exponentially growing timeout. So we've found a small bug in the client: it has to use the settimeout() method to limit how long it tries to connect to the server. Otherwise connect() only gives up when the kernel exhausts its SYN retries; with the Linux default of net.ipv4.tcp_syn_retries = 6 that takes about 127 seconds (1 + 2 + 4 + ... + 64), after which it fails with ETIMEDOUT.

Let's remove the rule right away:

iptables -D INPUT -p tcp --dport 12345 -j DROP

You can also delete all rules at once, but be careful: with no chain argument this flushes every chain of the filter table, including any firewall rules that were there before you started, so on anything but a throwaway test machine prefer -D with the exact rule:

iptables -F

If you use Docker and need to firewall all traffic going to a container, you can do it like this:

iptables -I DOCKER-USER -p tcp -d CONTAINER_IP -j DROP

REJECT

Let's add the same rule, but with REJECT:

iptables -A INPUT -p tcp --dport 12345 -j REJECT

The client exits after a second with the error [Errno 111] Connection refused. Let's look at the ICMP traffic:

[user@host ~]# tcpdump -i lo -nn icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
08:45:32.871414 IP 127.0.0.1 > 127.0.0.1: ICMP 127.0.0.1 tcp port 12345 unreachable, length 68
08:45:33.873097 IP 127.0.0.1 > 127.0.0.1: ICMP 127.0.0.1 tcp port 12345 unreachable, length 68

You can see that the client received port unreachable twice and then ended with an error.

REJECT with tcp-reset

Let's try adding the option --reject-with tcp-reset:

iptables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with tcp-reset

In this case the client exits with an error immediately, because the very first SYN was answered with an RST packet:

[user@host ~]# tcpdump -i lo -nn port 12345
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
09:02:52.766175 IP 127.0.0.1.60658 > 127.0.0.1.12345: Flags [S], seq 1889460883, win 43690, options [mss 65495,sackOK,TS val 1205119003 ecr 0,nop,wscale 7], length 0
09:02:52.766184 IP 127.0.0.1.12345 > 127.0.0.1.60658: Flags [R.], seq 0, ack 1889460884, win 0, length 0

REJECT with icmp-host-unreachable

Let's try another REJECT option:

iptables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with icmp-host-unreachable

The client exits after a second with the error [Errno 113] No route to host, and in the ICMP traffic we see ICMP host 127.0.0.1 unreachable.

You can also try the other REJECT parameters, but I'll stop here :)

Emulating request timeout

Another situation is when the client can connect to the server but cannot send it a request. How do you filter packets so that filtering doesn't kick in straight away? If you look at the traffic of any client/server exchange, you'll notice that only the SYN and ACK flags are used while the connection is being established, whereas during the data exchange the last packet of a request carries the PSH flag. The sending stack sets it automatically so that the receiver hands the data up without buffering. We can use this to build a filter: every packet is allowed except those with the PSH flag set. The connection is established, but the client cannot deliver data to the server. Keep in mind this is a heuristic, not a guarantee: PSH is set by the sender's TCP stack, not by the application, and a request large enough to be split into several segments would only have its last segment blocked.

DROP

For DROP the command looks like this:

iptables -A INPUT -p tcp --tcp-flags PSH PSH --dport 12345 -j DROP

Start the client and watch the traffic:

Traffic dump

[user@host ~]# tcpdump -i lo -nn port 12345
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
10:02:47.549498 IP 127.0.0.1.49594 > 127.0.0.1.12345: Flags [S], seq 2166014137, win 43690, options [mss 65495,sackOK,TS val 1208713786 ecr 0,nop,wscale 7], length 0
10:02:47.549510 IP 127.0.0.1.12345 > 127.0.0.1.49594: Flags [S.], seq 2341799088, ack 2166014138, win 43690, options [mss 65495,sackOK,TS val 1208713786 ecr 1208713786,nop,wscale 7], length 0
10:02:47.549520 IP 127.0.0.1.49594 > 127.0.0.1.12345: Flags [.], ack 1, win 342, options [nop,nop,TS val 1208713786 ecr 1208713786], length 0
10:02:47.549568 IP 127.0.0.1.49594 > 127.0.0.1.12345: Flags [P.], seq 1:6, ack 1, win 342, options [nop,nop,TS val 1208713786 ecr 1208713786], length 5
10:02:47.750084 IP 127.0.0.1.49594 > 127.0.0.1.12345: Flags [P.], seq 1:6, ack 1, win 342, options [nop,nop,TS val 1208713987 ecr 1208713786], length 5
10:02:47.951088 IP 127.0.0.1.49594 > 127.0.0.1.12345: Flags [P.], seq 1:6, ack 1, win 342, options [nop,nop,TS val 1208714188 ecr 1208713786], length 5
10:02:48.354089 IP 127.0.0.1.49594 > 127.0.0.1.12345: Flags [P.], seq 1:6, ack 1, win 342, options [nop,nop,TS val 1208714591 ecr 1208713786], length 5

We see that the connection is established and the client cannot send data to the server; as with the dropped SYN, without a timeout on the socket the client would sit here retransmitting for minutes.

REJECT

In this case the behaviour is the same: the client cannot deliver the request, but it receives ICMP 127.0.0.1 tcp port 12345 unreachable and exponentially increases the interval between retransmissions. The command looks like this:

iptables -A INPUT -p tcp --tcp-flags PSH PSH --dport 12345 -j REJECT

REJECT with tcp-reset

The command looks like this:

iptables -A INPUT -p tcp --tcp-flags PSH PSH --dport 12345 -j REJECT --reject-with tcp-reset

We already know that with --reject-with tcp-reset the client gets an RST packet in reply, so the behaviour is predictable: receiving an RST on an established connection means the socket was unexpectedly closed on the other side, so the client should get Connection reset by peer. Let's run our script and check. This is what the traffic looks like:

Traffic dump

[user@host ~]# tcpdump -i lo -nn port 12345
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
10:22:14.186269 IP 127.0.0.1.52536 > 127.0.0.1.12345: Flags [S], seq 2615137531, win 43690, options [mss 65495,sackOK,TS val 1209880423 ecr 0,nop,wscale 7], length 0
10:22:14.186284 IP 127.0.0.1.12345 > 127.0.0.1.52536: Flags [S.], seq 3999904809, ack 2615137532, win 43690, options [mss 65495,sackOK,TS val 1209880423 ecr 1209880423,nop,wscale 7], length 0
10:22:14.186293 IP 127.0.0.1.52536 > 127.0.0.1.12345: Flags [.], ack 1, win 342, options [nop,nop,TS val 1209880423 ecr 1209880423], length 0
10:22:14.186338 IP 127.0.0.1.52536 > 127.0.0.1.12345: Flags [P.], seq 1:6, ack 1, win 342, options [nop,nop,TS val 1209880423 ecr 1209880423], length 5
10:22:14.186344 IP 127.0.0.1.12345 > 127.0.0.1.52536: Flags [R], seq 3999904810, win 0, length 0

REJECT with icmp-host-unreachable

I think everyone already knows what the command looks like :) The client's behaviour here differs slightly from plain REJECT: the client does not increase the interval between retransmission attempts. This is Linux implementing RFC 6069: an ICMP network or host unreachable message is taken as a sign that the path may be recovering, so the kernel reverts its RTO backoff and keeps retrying at the base interval, here roughly every 200 ms.

[user@host ~]# tcpdump -i lo -nn icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
10:29:56.149202 IP 127.0.0.1 > 127.0.0.1: ICMP host 127.0.0.1 unreachable, length 65
10:29:56.349107 IP 127.0.0.1 > 127.0.0.1: ICMP host 127.0.0.1 unreachable, length 65
10:29:56.549117 IP 127.0.0.1 > 127.0.0.1: ICMP host 127.0.0.1 unreachable, length 65
10:29:56.750125 IP 127.0.0.1 > 127.0.0.1: ICMP host 127.0.0.1 unreachable, length 65
10:29:56.951130 IP 127.0.0.1 > 127.0.0.1: ICMP host 127.0.0.1 unreachable, length 65
10:29:57.152107 IP 127.0.0.1 > 127.0.0.1: ICMP host 127.0.0.1 unreachable, length 65
10:29:57.353115 IP 127.0.0.1 > 127.0.0.1: ICMP host 127.0.0.1 unreachable, length 65
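The fix this section keeps arriving at is settimeout(). Below is what a client built around it looks like, as an added example of mine rather than the article's client.py. probe() bounds the connect and the wait for the reply separately, and maps the errors observed above (Connection refused, No route to host, Connection reset by peer, and the two silent hangs) to named outcomes a test can assert on. LocalServer and closed_port are helpers I added so the "accepted but never answers" and "refused" cases can be reproduced on an ephemeral loopback port without root or iptables; only the __main__ part targets the article's ncat server on port 12345. The names probe, LocalServer and closed_port, and the outcome labels, are my own.

```python
#!/usr/bin/env python3
"""A client that cannot hang on the faults emulated above: bounded connect,
bounded wait for the reply, and a classification of what DROP and the REJECT
variants look like from the application.  Added example, not the article's
client.py; LocalServer/closed_port exist only to exercise it locally."""
import errno
import socket
import threading
import time

MESSAGE = b"Test\n"

# errno -> outcome.  ETIMEDOUT is what connect() returns once the kernel has
# exhausted its SYN retries (about two minutes by default); the timeout set
# in probe() makes sure we never wait for that.
_ERRNO_OUTCOME = {
    errno.ECONNREFUSED: "refused",      # RST or ICMP port unreachable to our SYN
    errno.EHOSTUNREACH: "unreachable",  # ICMP host unreachable
    errno.ENETUNREACH: "unreachable",
    errno.ECONNRESET: "reset",          # RST on an established connection
    errno.EPIPE: "reset",
    errno.ETIMEDOUT: "connect_timeout",
}


def probe(host, port, connect_timeout=1.0, read_timeout=1.0, bufsize=1024):
    """Send MESSAGE once and return (outcome, detail, elapsed_seconds).

    outcome: 'ok', 'connect_timeout' (SYN unanswered), 'refused', 'unreachable',
    'reset', 'closed' (FIN without a reply) or 'read_timeout' (connected and
    request sent, but nothing came back in time: the dropped-PSH case)."""
    t0 = time.monotonic()

    def elapsed():
        return time.monotonic() - t0

    connected = False
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.settimeout(connect_timeout)   # caps the SYN retry phase
        s.connect((host, port))
        connected = True
        s.settimeout(read_timeout)      # caps each send()/recv() separately
        s.sendall(MESSAGE)
        data = s.recv(bufsize)
        if not data:
            return "closed", "peer closed without replying", elapsed()
        return "ok", data.decode(errors="replace").rstrip("\n"), elapsed()
    except socket.timeout:
        return ("read_timeout" if connected else "connect_timeout"), "no answer in time", elapsed()
    except OSError as e:
        return _ERRNO_OUTCOME.get(e.errno, "error"), (e.strerror or str(e)), elapsed()
    finally:
        s.close()


class LocalServer:
    """Throwaway listener on an ephemeral 127.0.0.1 port.  mode='echo' answers
    like the article's ncat server; mode='stall' accepts the connection and
    never answers, which is what the client sees when its PSH segment is
    filtered.  Neither needs root or iptables."""

    def __init__(self, mode):
        self.mode = mode
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        self.held = []
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                conn, _ = self.sock.accept()
            except OSError:
                return                   # listener was shut down
            if self.mode == "echo":
                with conn:
                    conn.sendall(b"Response: " + conn.recv(1024))
            else:
                self.held.append(conn)   # keep it open, say nothing

    def close(self):
        try:
            self.sock.shutdown(socket.SHUT_RDWR)  # wakes the blocked accept()
        except OSError:
            pass
        self.sock.close()
        for c in self.held:
            c.close()


def closed_port():
    """A port nobody listens on: connecting draws an RST, the same ECONNREFUSED
    the REJECT rule produced above."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    # Against the article's ncat server on 12345 with one of the iptables rules
    # in place, this returns within about a second instead of hanging.
    print(probe("127.0.0.1", 12345))
```

Two timeouts are deliberate: the connect budget covers the SYN exchange only, while the read budget covers the request/response, so a slow handshake cannot eat the time reserved for the reply. In a real service the outcome label is what you would feed into the fallback or circuit-breaker decision, since "refused" and "reset" usually justify an immediate retry elsewhere, whereas "connect_timeout" and "read_timeout" mean the peer may still be processing the request.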

Conclusion

You don't have to write a mock to test how a service interacts with a hanging client or server; sometimes the standard utilities available in Linux are enough.

The utilities discussed in this article have many more capabilities than described here, so you can come up with your own ways of using them. Personally, what I've written about is usually enough for me (in fact, even less is). If you use these or similar utilities for testing at your company, please write about how exactly. If not, I hope your software will get better if you decide to test it under network problem conditions using the methods suggested here.

Source: www.habr.com
