Simulating network problems on Linux

Hello everyone, my name is Sasha, I lead backend testing at FunCorp. Like many others, we have adopted a service-oriented architecture. On the one hand, this simplifies the work, because each service is easy to test in isolation, but on the other hand, the interaction between services also has to be tested, and that interaction usually happens over the network.

In this article I will talk about two utilities that can be used to check the basic scenarios describing how an application behaves in the face of network problems.


Simulating network problems

Usually, software is tested on test servers with a good Internet connection. In harsh production conditions things may not be so smooth, so sometimes you need to check programs under poor connectivity. On Linux, the tc utility helps with the task of simulating such conditions.

tc (short for Traffic Control) lets you configure how network packets are transmitted in the system. The utility has extensive capabilities; you can read more about them here. Here I will consider only a few of them: we are interested in traffic scheduling, for which qdisc is used, and since we need to emulate an unstable network, we will use the classless qdisc netem.

Let's start an echo server on the server side (I used nmap-ncat):

ncat -l 127.0.0.1 12345 -k -c 'xargs -n1 -i echo "Response: {}"'

To show in detail the timestamps at every step of the client-server interaction, I wrote a simple Python script that sends a Test request to our echo server.

Client source code

#!/usr/bin/env python3

import socket
import time

HOST = '127.0.0.1'
PORT = 12345
BUFFER_SIZE = 1024
MESSAGE = b"Test\n"  # newline-terminated so xargs on the server side reads one line

# No timeout is set on the socket on purpose; the connection-timeout section below shows the consequence.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
t1 = time.time()
print("[time before connection: %.5f]" % t1)
s.connect((HOST, PORT))
print("[time after connection, before sending: %.5f]" % time.time())
s.send(MESSAGE)
print("[time after sending, before receiving: %.5f]" % time.time())
data = s.recv(BUFFER_SIZE)
print("[time after receiving, before closing: %.5f]" % time.time())
s.close()
t2 = time.time()
print("[time after closing: %.5f]" % t2)
print("[total duration: %.5f]" % (t2 - t1))

print(data.decode())

Let's run the client and look at the traffic on the loopback interface and port 12345:

[user@host ~]# python client.py
[time before connection: 1578652979.44837]
[time after connection, before sending: 1578652979.44889]
[time after sending, before receiving: 1578652979.44894]
[time after receiving, before closing: 1578652979.45922]
[time after closing: 1578652979.45928]
[total duration: 0.01091]
Response: Test

Traffic dump

[user@host ~]# tcpdump -i lo -nn port 12345
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
10:42:59.448601 IP 127.0.0.1.54054 > 127.0.0.1.12345: Flags [S], seq 3383332866, win 43690, options [mss 65495,sackOK,TS val 606325685 ecr 0,nop,wscale 7], length 0
10:42:59.448612 IP 127.0.0.1.12345 > 127.0.0.1.54054: Flags [S.], seq 2584700178, ack 3383332867, win 43690, options [mss 65495,sackOK,TS val 606325685 ecr 606325685,nop,wscale 7], length 0
10:42:59.448622 IP 127.0.0.1.54054 > 127.0.0.1.12345: Flags [.], ack 1, win 342, options [nop,nop,TS val 606325685 ecr 606325685], length 0
10:42:59.448923 IP 127.0.0.1.54054 > 127.0.0.1.12345: Flags [P.], seq 1:6, ack 1, win 342, options [nop,nop,TS val 606325685 ecr 606325685], length 5
10:42:59.448930 IP 127.0.0.1.12345 > 127.0.0.1.54054: Flags [.], ack 6, win 342, options [nop,nop,TS val 606325685 ecr 606325685], length 0
10:42:59.459118 IP 127.0.0.1.12345 > 127.0.0.1.54054: Flags [P.], seq 1:15, ack 6, win 342, options [nop,nop,TS val 606325696 ecr 606325685], length 14
10:42:59.459213 IP 127.0.0.1.54054 > 127.0.0.1.12345: Flags [.], ack 15, win 342, options [nop,nop,TS val 606325696 ecr 606325696], length 0
10:42:59.459268 IP 127.0.0.1.54054 > 127.0.0.1.12345: Flags [F.], seq 6, ack 15, win 342, options [nop,nop,TS val 606325696 ecr 606325696], length 0
10:42:59.460184 IP 127.0.0.1.12345 > 127.0.0.1.54054: Flags [F.], seq 15, ack 7, win 342, options [nop,nop,TS val 606325697 ecr 606325696], length 0
10:42:59.460196 IP 127.0.0.1.54054 > 127.0.0.1.12345: Flags [.], ack 16, win 342, options [nop,nop,TS val 606325697 ecr 606325697], length 0

Everything is standard: a three-way handshake, then PSH/ACK and a reply ACK twice (the request/response exchange between client and server), then FIN/ACK and ACK twice (closing the connection).

Packet delay

Now let's set a delay of 500 milliseconds:

tc qdisc add dev lo root netem delay 500ms

We start the client and see that the script now takes 2 seconds to run:

[user@host ~]# ./client.py
[time before connection: 1578662612.71044]
[time after connection, before sending: 1578662613.71059]
[time after sending, before receiving: 1578662613.71065]
[time after receiving, before closing: 1578662614.72011]
[time after closing: 1578662614.72019]
[total duration: 2.00974]
Response: Test

What does the traffic look like? Let's see:

Traffic dump

13:23:33.210520 IP 127.0.0.1.58694 > 127.0.0.1.12345: Flags [S], seq 1720950927, win 43690, options [mss 65495,sackOK,TS val 615958947 ecr 0,nop,wscale 7], length 0
13:23:33.710554 IP 127.0.0.1.12345 > 127.0.0.1.58694: Flags [S.], seq 1801168125, ack 1720950928, win 43690, options [mss 65495,sackOK,TS val 615959447 ecr 615958947,nop,wscale 7], length 0
13:23:34.210590 IP 127.0.0.1.58694 > 127.0.0.1.12345: Flags [.], ack 1, win 342, options [nop,nop,TS val 615959947 ecr 615959447], length 0
13:23:34.210657 IP 127.0.0.1.58694 > 127.0.0.1.12345: Flags [P.], seq 1:6, ack 1, win 342, options [nop,nop,TS val 615959947 ecr 615959447], length 5
13:23:34.710680 IP 127.0.0.1.12345 > 127.0.0.1.58694: Flags [.], ack 6, win 342, options [nop,nop,TS val 615960447 ecr 615959947], length 0
13:23:34.719371 IP 127.0.0.1.12345 > 127.0.0.1.58694: Flags [P.], seq 1:15, ack 6, win 342, options [nop,nop,TS val 615960456 ecr 615959947], length 14
13:23:35.220106 IP 127.0.0.1.58694 > 127.0.0.1.12345: Flags [.], ack 15, win 342, options [nop,nop,TS val 615960957 ecr 615960456], length 0
13:23:35.220188 IP 127.0.0.1.58694 > 127.0.0.1.12345: Flags [F.], seq 6, ack 15, win 342, options [nop,nop,TS val 615960957 ecr 615960456], length 0
13:23:35.720994 IP 127.0.0.1.12345 > 127.0.0.1.58694: Flags [F.], seq 15, ack 7, win 342, options [nop,nop,TS val 615961457 ecr 615960957], length 0
13:23:36.221025 IP 127.0.0.1.58694 > 127.0.0.1.12345: Flags [.], ack 16, win 342, options [nop,nop,TS val 615961957 ecr 615961457], length 0

You can see that the expected half-second lag appeared in the interaction between client and server. The system behaves much more interestingly when the lag is larger: the kernel starts retransmitting some TCP packets. Let's change the delay to 1 second and look at the traffic (I won't show the client output; the total duration is the expected 4 seconds):

tc qdisc change dev lo root netem delay 1s

Traffic dump

13:29:07.709981 IP 127.0.0.1.39306 > 127.0.0.1.12345: Flags [S], seq 283338334, win 43690, options [mss 65495,sackOK,TS val 616292946 ecr 0,nop,wscale 7], length 0
13:29:08.710018 IP 127.0.0.1.12345 > 127.0.0.1.39306: Flags [S.], seq 3514208179, ack 283338335, win 43690, options [mss 65495,sackOK,TS val 616293946 ecr 616292946,nop,wscale 7], length 0
13:29:08.711094 IP 127.0.0.1.39306 > 127.0.0.1.12345: Flags [S], seq 283338334, win 43690, options [mss 65495,sackOK,TS val 616293948 ecr 0,nop,wscale 7], length 0
13:29:09.710048 IP 127.0.0.1.39306 > 127.0.0.1.12345: Flags [.], ack 1, win 342, options [nop,nop,TS val 616294946 ecr 616293946], length 0
13:29:09.710152 IP 127.0.0.1.39306 > 127.0.0.1.12345: Flags [P.], seq 1:6, ack 1, win 342, options [nop,nop,TS val 616294947 ecr 616293946], length 5
13:29:09.711120 IP 127.0.0.1.12345 > 127.0.0.1.39306: Flags [S.], seq 3514208179, ack 283338335, win 43690, options [mss 65495,sackOK,TS val 616294948 ecr 616292946,nop,wscale 7], length 0
13:29:10.710173 IP 127.0.0.1.12345 > 127.0.0.1.39306: Flags [.], ack 6, win 342, options [nop,nop,TS val 616295947 ecr 616294947], length 0
13:29:10.711140 IP 127.0.0.1.39306 > 127.0.0.1.12345: Flags [.], ack 1, win 342, options [nop,nop,TS val 616295948 ecr 616293946], length 0
13:29:10.714782 IP 127.0.0.1.12345 > 127.0.0.1.39306: Flags [P.], seq 1:15, ack 6, win 342, options [nop,nop,TS val 616295951 ecr 616294947], length 14
13:29:11.714819 IP 127.0.0.1.39306 > 127.0.0.1.12345: Flags [.], ack 15, win 342, options [nop,nop,TS val 616296951 ecr 616295951], length 0
13:29:11.714893 IP 127.0.0.1.39306 > 127.0.0.1.12345: Flags [F.], seq 6, ack 15, win 342, options [nop,nop,TS val 616296951 ecr 616295951], length 0
13:29:12.715562 IP 127.0.0.1.12345 > 127.0.0.1.39306: Flags [F.], seq 15, ack 7, win 342, options [nop,nop,TS val 616297952 ecr 616296951], length 0
13:29:13.715596 IP 127.0.0.1.39306 > 127.0.0.1.12345: Flags [.], ack 16, win 342, options [nop,nop,TS val 616298952 ecr 616297952], length 0

You can see that the client sent the SYN packet twice, and the server sent SYN/ACK twice.

In addition to a constant value, the delay can be given a deviation, a distribution function and a correlation (with the value for the previous packet). This is done as follows:
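Reading retransmissions out of a dump by eye works for a dozen lines but not for a real capture. The script below is an added example (not the article's code) that parses the tcpdump text format shown above, measures the handshake RTT as the gap between the first SYN and the first SYN/ACK, and flags any SYN, FIN or data segment whose (source, destination, seq) was already seen, which is exactly the double SYN and double SYN/ACK in the 1-second dump. The sample input is the 1-second-delay capture from this article embedded verbatim; the regular expressions and the output format are this example's own.

```python
#!/usr/bin/env python3
"""Summarise a tcpdump text capture: handshake RTT, retransmissions, payload bytes.

Added example for the dumps shown in this article; it is not the author's code.
It parses the line format produced by `tcpdump -i lo -nn port 12345` as printed above.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{6}) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)
SEQ_RE = re.compile(r"\bseq (?P<start>\d+)(?::(?P<end>\d+))?")
LEN_RE = re.compile(r"\blength (?P<length>\d+)")

# The 1-second-delay capture from the article, used here as sample input.
DELAY_1S_DUMP = """\
13:29:07.709981 IP 127.0.0.1.39306 > 127.0.0.1.12345: Flags [S], seq 283338334, win 43690, options [mss 65495,sackOK,TS val 616292946 ecr 0,nop,wscale 7], length 0
13:29:08.710018 IP 127.0.0.1.12345 > 127.0.0.1.39306: Flags [S.], seq 3514208179, ack 283338335, win 43690, options [mss 65495,sackOK,TS val 616293946 ecr 616292946,nop,wscale 7], length 0
13:29:08.711094 IP 127.0.0.1.39306 > 127.0.0.1.12345: Flags [S], seq 283338334, win 43690, options [mss 65495,sackOK,TS val 616293948 ecr 0,nop,wscale 7], length 0
13:29:09.710048 IP 127.0.0.1.39306 > 127.0.0.1.12345: Flags [.], ack 1, win 342, options [nop,nop,TS val 616294946 ecr 616293946], length 0
13:29:09.710152 IP 127.0.0.1.39306 > 127.0.0.1.12345: Flags [P.], seq 1:6, ack 1, win 342, options [nop,nop,TS val 616294947 ecr 616293946], length 5
13:29:09.711120 IP 127.0.0.1.12345 > 127.0.0.1.39306: Flags [S.], seq 3514208179, ack 283338335, win 43690, options [mss 65495,sackOK,TS val 616294948 ecr 616292946,nop,wscale 7], length 0
13:29:10.710173 IP 127.0.0.1.12345 > 127.0.0.1.39306: Flags [.], ack 6, win 342, options [nop,nop,TS val 616295947 ecr 616294947], length 0
13:29:10.711140 IP 127.0.0.1.39306 > 127.0.0.1.12345: Flags [.], ack 1, win 342, options [nop,nop,TS val 616295948 ecr 616293946], length 0
13:29:10.714782 IP 127.0.0.1.12345 > 127.0.0.1.39306: Flags [P.], seq 1:15, ack 6, win 342, options [nop,nop,TS val 616295951 ecr 616294947], length 14
13:29:11.714819 IP 127.0.0.1.39306 > 127.0.0.1.12345: Flags [.], ack 15, win 342, options [nop,nop,TS val 616296951 ecr 616295951], length 0
13:29:11.714893 IP 127.0.0.1.39306 > 127.0.0.1.12345: Flags [F.], seq 6, ack 15, win 342, options [nop,nop,TS val 616296951 ecr 616295951], length 0
13:29:12.715562 IP 127.0.0.1.12345 > 127.0.0.1.39306: Flags [F.], seq 15, ack 7, win 342, options [nop,nop,TS val 616297952 ecr 616296951], length 0
13:29:13.715596 IP 127.0.0.1.39306 > 127.0.0.1.12345: Flags [.], ack 16, win 342, options [nop,nop,TS val 616298952 ecr 616297952], length 0
""".splitlines()


def ts_to_seconds(ts):
    """'13:29:07.709981' -> seconds since midnight."""
    hours, minutes, seconds = ts.split(":")
    return int(hours) * 3600 + int(minutes) * 60 + float(seconds)


def parse_line(line):
    """Return a dict for one TCP segment line, or None for banners and other text."""
    match = LINE_RE.match(line)
    if not match:
        return None
    seg = match.groupdict()
    seg["time"] = ts_to_seconds(seg["ts"])
    seq = SEQ_RE.search(line)
    seg["seq"] = int(seq.group("start")) if seq else None
    length = LEN_RE.search(line)
    # A segment with corrupted options ("[bad opt]>") is printed without a length field.
    seg["length"] = int(length.group("length")) if length else None
    return seg


def analyse(lines):
    """Handshake RTT (first SYN to first SYN/ACK), repeated segments, bytes per direction."""
    segments = [seg for seg in map(parse_line, lines) if seg]
    syn_time = synack_time = None
    seen = set()
    retransmissions = []
    payload = defaultdict(int)
    for seg in segments:
        if seg["flags"] == "S" and syn_time is None:
            syn_time = seg["time"]
        elif seg["flags"] == "S." and synack_time is None:
            synack_time = seg["time"]
        # Only SYN, FIN and data segments carry a seq; a repeat of the same
        # (src, dst, seq) is a retransmission. Pure ACKs are not counted.
        if seg["seq"] is not None:
            key = (seg["src"], seg["dst"], seg["seq"])
            if key in seen:
                retransmissions.append(seg)
            seen.add(key)
        if seg["length"]:
            payload[(seg["src"], seg["dst"])] += seg["length"]
    rtt = None if syn_time is None or synack_time is None else synack_time - syn_time
    return {
        "segments": len(segments),
        "handshake_rtt": rtt,
        "retransmissions": retransmissions,
        "payload": dict(payload),
    }


if __name__ == "__main__":
    result = analyse(DELAY_1S_DUMP)
    print("segments: %d" % result["segments"])
    print("handshake RTT: %.6f s" % result["handshake_rtt"])
    for seg in result["retransmissions"]:
        print("retransmitted: %s %s > %s flags [%s] seq %d"
              % (seg["ts"], seg["src"], seg["dst"], seg["flags"], seg["seq"]))
    for (src, dst), nbytes in result["payload"].items():
        print("payload %s > %s: %d bytes" % (src, dst, nbytes))
```

Feed it `tcpdump -i lo -nn port 12345 > dump.txt` output by reading the file into a list of lines; on the 500 ms dump it reports an RTT of about 0.5 s and no retransmissions, on the 1 s dump it reports the two repeated SYN and SYN/ACK segments, and on the corrupt-packet dump it counts the re-sent data segments, including the one whose options were mangled.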

tc qdisc change dev lo root netem delay 500ms 400ms 50 distribution normal

Here we set a delay between 100 and 900 milliseconds; the value will be chosen according to a normal distribution, with a 50% correlation to the delay of the previous packet.

You may have noticed that in the first command I used add, and then change. The meaning of these commands is obvious, so I will only add that there is also del, which removes the configuration.

Packet loss

Now let's try to create packet loss. As the documentation shows, this can be done in three ways: dropping packets randomly with a given probability, using a Markov chain with 2, 3 or 4 states to compute packet loss, or using the Elliott-Gilbert model. In this article I will consider the first (simplest and most obvious) method; you can read about the others here.

Let's make 50% packet loss with a 25% correlation:

tc qdisc add dev lo root netem loss 50% 25%

Unfortunately, tcpdump cannot clearly show us packet loss, so we will just assume that it really works. The longer and unstable run time of the client.py script (it may finish instantly, or perhaps in 20 seconds) will help confirm this, as will the growing number of retransmitted segments:

[user@host ~]# netstat -s | grep retransmited; sleep 10; netstat -s | grep retransmited
    17147 segments retransmited
    17185 segments retransmited
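The second argument to loss is easy to misread: it does not change how many packets are dropped on average, it makes drops cluster, which is why the client's run time swings between instant and 20 seconds. The simulation below is an added example (not from the article) that models the "50% loss, 25% correlation" setting above and compares it with uncorrelated loss. The mixing rule it uses, value = (1 - correlation) * fresh + correlation * previous, is an assumption modelled on the way netem carries its previous random value forward; the article only says the argument correlates with the previous packet.

```python
#!/usr/bin/env python3
"""Simulate random packet loss with and without netem-style correlation.

Added example, not from the article. The mixing rule
    value = (1 - correlation) * fresh + correlation * previous
is an assumption modelled on netem carrying its previous random value forward;
the article only says the second argument correlates with the previous packet.
"""
import random


def correlated_loss(n_packets, loss_prob, correlation, seed=1):
    """Return a list of booleans, True where the packet is dropped."""
    rng = random.Random(seed)
    previous = rng.random()
    dropped = []
    for _ in range(n_packets):
        fresh = rng.random()
        # With correlation 0 every packet is an independent coin toss; with
        # correlation > 0 a dropped packet makes the next drop more likely.
        value = (1.0 - correlation) * fresh + correlation * previous
        previous = value
        dropped.append(value < loss_prob)
    return dropped


def loss_stats(dropped):
    """Overall loss rate and mean length of runs of consecutive drops."""
    rate = sum(dropped) / len(dropped)
    bursts, run = [], 0
    for lost in dropped:
        if lost:
            run += 1
        elif run:
            bursts.append(run)
            run = 0
    if run:
        bursts.append(run)
    mean_burst = sum(bursts) / len(bursts) if bursts else 0.0
    return rate, mean_burst


if __name__ == "__main__":
    for corr in (0.0, 0.25, 0.75):
        rate, burst = loss_stats(correlated_loss(100_000, 0.5, corr))
        print("loss 50%% correlation %.0f%%: rate %.3f, mean burst %.2f packets"
              % (corr * 100, rate, burst))
```

Running it shows the loss rate staying near 50% for every correlation value while the mean burst length grows with the correlation; for a TCP client, longer bursts mean more retransmission timeouts in a row, which is what stretches a 10 ms exchange to tens of seconds.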

Adding noise to packets

Besides packet loss, you can simulate packet corruption: noise appears at a random position in the packet. Let's corrupt packets with a 50% probability and no correlation:

tc qdisc change dev lo root netem corrupt 50%

We run the client script (nothing interesting there, except that it took 2 seconds to finish) and look at the traffic:

Traffic dump

[user@host ~]# tcpdump -i lo -nn port 12345
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
10:20:54.812434 IP 127.0.0.1.43666 > 127.0.0.1.12345: Flags [S], seq 2023663770, win 43690, options [mss 65495,sackOK,TS val 1037001049 ecr 0,nop,wscale 7], length 0
10:20:54.812449 IP 127.0.0.1.12345 > 127.0.0.1.43666: Flags [S.], seq 2104268044, ack 2023663771, win 43690, options [mss 65495,sackOK,TS val 1037001049 ecr 1037001049,nop,wscale 7], length 0
10:20:54.812458 IP 127.0.0.1.43666 > 127.0.0.1.12345: Flags [.], ack 1, win 342, options [nop,nop,TS val 1037001049 ecr 1037001049], length 0
10:20:54.812509 IP 127.0.0.1.43666 > 127.0.0.1.12345: Flags [P.], seq 1:6, ack 1, win 342, options [nop,nop,TS val 1037001049 ecr 1037001049], length 5
10:20:55.013093 IP 127.0.0.1.43666 > 127.0.0.1.12345: Flags [P.], seq 1:6, ack 1, win 342, options [nop,nop,TS val 1037001250 ecr 1037001049], length 5
10:20:55.013122 IP 127.0.0.1.12345 > 127.0.0.1.43666: Flags [.], ack 6, win 342, options [nop,nop,TS val 1037001250 ecr 1037001250], length 0
10:20:55.014681 IP 127.0.0.1.12345 > 127.0.0.1.43666: Flags [P.], seq 1:15, ack 6, win 342, options [nop,nop,TS val 1037001251 ecr 1037001250], length 14
10:20:55.014745 IP 127.0.0.1.43666 > 127.0.0.1.12345: Flags [.], ack 15, win 340, options [nop,nop,TS val 1037001251 ecr 1037001251], length 0
10:20:55.014823 IP 127.0.0.1.43666 > 127.0.0.5.12345: Flags [F.], seq 2023663776, ack 2104268059, win 342, options [nop,nop,TS val 1037001251 ecr 1037001251], length 0
10:20:55.214088 IP 127.0.0.1.12345 > 127.0.0.1.43666: Flags [P.], seq 1:15, ack 6, win 342, options [nop,unknown-65 0x0a3dcf62eb3d,[bad opt]>
10:20:55.416087 IP 127.0.0.1.43666 > 127.0.0.1.12345: Flags [F.], seq 6, ack 15, win 342, options [nop,nop,TS val 1037001653 ecr 1037001251], length 0
10:20:55.416804 IP 127.0.0.1.12345 > 127.0.0.1.43666: Flags [F.], seq 15, ack 7, win 342, options [nop,nop,TS val 1037001653 ecr 1037001653], length 0
10:20:55.416818 IP 127.0.0.1.43666 > 127.0.0.1.12345: Flags [.], ack 16, win 343, options [nop,nop,TS val 1037001653 ecr 1037001653], length 0
10:20:56.147086 IP 127.0.0.1.12345 > 127.0.0.1.43666: Flags [F.], seq 15, ack 7, win 342, options [nop,nop,TS val 1037002384 ecr 1037001653], length 0
10:20:56.147101 IP 127.0.0.1.43666 > 127.0.0.1.12345: Flags [.], ack 16, win 342, options [nop,nop,TS val 1037002384 ecr 1037001653], length 0

You can see that some packets were sent repeatedly, and there is one packet with broken metadata: options [nop,unknown-65 0x0a3dcf62eb3d,[bad opt]>. But the main thing is that in the end everything worked correctly: TCP did its job.

Packet duplication

What else can netem do? For example, simulate the opposite of packet loss: packet duplication. This command also takes 2 arguments, probability and correlation.

tc qdisc change dev lo root netem duplicate 50% 25%

Changing the order of packets

Packets can be reordered in two ways.

In the first, some packets are sent immediately and the rest with a given delay. Example from the documentation:

tc qdisc change dev lo root netem delay 10ms reorder 25% 50%

With a 25% probability (and a 50% correlation) a packet is sent immediately; all the others are sent with a 10 millisecond delay.

The second way is that every Nth packet is sent immediately with the given probability (and correlation), and the rest with the given delay. Example from the documentation:

tc qdisc change dev lo root netem delay 10ms reorder 25% 50% gap 5

Every fifth packet has a 25% chance of being sent without delay.

Changing bandwidth

Usually TBF is mentioned for this everywhere, but netem can also change the bandwidth of an interface:

tc qdisc change dev lo root netem rate 56kbit

This command will make round trips over localhost as painful as browsing the Internet on a dial-up modem. Besides setting the bit rate, you can also emulate a link-layer protocol model: set the per-packet overhead, the cell size and the per-cell overhead. For example, this is how ATM with a bit rate of 56 kbit/s can be emulated:

tc qdisc change dev lo root netem rate 56kbit 0 48 5

Simulating a connection timeout

Another important point in the test plan when accepting software is timeouts. This matters because in distributed systems, when one of the services is down, the others must fail over to alternatives in time or return an error to the client, and in no case should they simply hang waiting for a response or for a connection to be established.

There are several ways to do this: for example, use a mock that does not respond, or attach to the process with a debugger, set a breakpoint in the right place and stop the process (this is probably the most perverse way). But one of the most obvious is to firewall ports or hosts. iptables will help us with this.

For the demonstration, we will firewall port 12345 and run our client script. You can firewall outgoing packets to this port on the sender or incoming packets on the receiver. In my examples, incoming packets are firewalled (we use the INPUT chain and the --dport option). Such packets can be DROPped, REJECTed, REJECTed with a TCP RST flag, or REJECTed with ICMP host unreachable (in fact the default behaviour is icmp-port-unreachable, and there is also the option of replying with icmp-net-unreachable, icmp-proto-unreachable, icmp-net-prohibited or icmp-host-prohibited).

DROP

With a DROP rule, the packets simply "disappear".

iptables -A INPUT -p tcp --dport 12345 -j DROP

We start the client and see that it hangs at the stage of connecting to the server. Let's look at the traffic:

Traffic dump

[user@host ~]# tcpdump -i lo -nn port 12345
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
08:28:20.213506 IP 127.0.0.1.32856 > 127.0.0.1.12345: Flags [S], seq 3019694933, win 43690, options [mss 65495,sackOK,TS val 1203046450 ecr 0,nop,wscale 7], length 0
08:28:21.215086 IP 127.0.0.1.32856 > 127.0.0.1.12345: Flags [S], seq 3019694933, win 43690, options [mss 65495,sackOK,TS val 1203047452 ecr 0,nop,wscale 7], length 0
08:28:23.219092 IP 127.0.0.1.32856 > 127.0.0.1.12345: Flags [S], seq 3019694933, win 43690, options [mss 65495,sackOK,TS val 1203049456 ecr 0,nop,wscale 7], length 0
08:28:27.227087 IP 127.0.0.1.32856 > 127.0.0.1.12345: Flags [S], seq 3019694933, win 43690, options [mss 65495,sackOK,TS val 1203053464 ecr 0,nop,wscale 7], length 0
08:28:35.235102 IP 127.0.0.1.32856 > 127.0.0.1.12345: Flags [S], seq 3019694933, win 43690, options [mss 65495,sackOK,TS val 1203061472 ecr 0,nop,wscale 7], length 0

You can see that the client sends SYN packets with an exponentially growing timeout. So we have found a small bug in the client: it needs to use the settimeout() method to limit the time it will keep trying to connect to the server.

We immediately remove the rule:
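The fix the paragraph above calls for is a bounded socket. The script below is an added example, not the article's client: it wraps the same connect/send/recv sequence in settimeout() and maps each failure mode seen in this article to a named outcome (timeout for DROP, refused for plain REJECT or an RST to the SYN, reset for tcp-reset on an open connection, unreachable for icmp-host-unreachable, Errno 113). The helper servers, the outcome names and the constructed ephemeral ports exist only to exercise the client offline; they are not from the article.

```python
#!/usr/bin/env python3
"""A timeout-aware version of the client: connect, send and recv are all bounded.

Added example, not the article's script. The outcome names and the throwaway
servers used to exercise it are constructed for this demonstration.
"""
import errno
import socket
import threading
import time

HOST = "127.0.0.1"
BUFFER_SIZE = 1024
MESSAGE = b"Test\n"


def request(host, port, message=MESSAGE, timeout=1.0):
    """Send one request; return (outcome, data).

    outcome: "ok", "timeout", "refused", "reset", "unreachable" or "error".
    settimeout() bounds connect(), sendall() and recv(): with a DROP rule the
    kernel would otherwise keep retrying SYNs for minutes and the caller hangs.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        sock.sendall(message)
        return "ok", sock.recv(BUFFER_SIZE)
    except socket.timeout:            # DROP: no SYN/ACK, or no reply, within `timeout`
        return "timeout", b""
    except ConnectionRefusedError:    # REJECT (port unreachable) or RST to the SYN: Errno 111
        return "refused", b""
    except ConnectionResetError:      # REJECT --reject-with tcp-reset on an open connection
        return "reset", b""
    except OSError as exc:
        if exc.errno == errno.EHOSTUNREACH:  # REJECT --reject-with icmp-host-unreachable: Errno 113
            return "unreachable", b""
        return "error", str(exc).encode()
    finally:
        sock.close()


def start_server(handler):
    """Start a throwaway loopback server on an ephemeral port; return the port.

    handler(conn) is called once per accepted connection (constructed test helper).
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((HOST, 0))
    srv.listen(5)

    def loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                handler(conn)

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]


def echo_handler(conn):
    """Behaves like the article's ncat/xargs echo server."""
    line = conn.recv(BUFFER_SIZE).rstrip(b"\n")
    conn.sendall(b"Response: " + line + b"\n")


def silent_handler(conn):
    """Accepts the connection but never answers: the hung-server case."""
    time.sleep(2.0)


def closed_port():
    """Pick a loopback port nothing listens on, so connect() gets ECONNREFUSED."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind((HOST, 0))
    port = probe.getsockname()[1]
    probe.close()
    return port


if __name__ == "__main__":
    print(request(HOST, start_server(echo_handler)))                  # ('ok', b'Response: Test\n')
    print(request(HOST, start_server(silent_handler), timeout=0.5))   # ('timeout', b'')
    print(request(HOST, closed_port()))                               # ('refused', b'')
```

Only the echo, hung-server and refused cases can be produced without firewall rules, so those are what the script runs by default; pointing request() at port 12345 while one of the iptables rules from this section is active exercises the remaining branches, and a DROP rule now ends in "timeout" after one second instead of the minutes of SYN retries shown in the dump.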

iptables -D INPUT -p tcp --dport 12345 -j DROP

You can delete all rules at once:

iptables -F

If you use Docker and need to firewall all traffic going to a container, you can do it like this:

iptables -I DOCKER-USER -p tcp -d CONTAINER_IP -j DROP

REJECT

Now let's add the same rule, but with REJECT:

iptables -A INPUT -p tcp --dport 12345 -j REJECT

The client exits after a second with the error [Errno 111] Connection refused. Let's look at the ICMP traffic:

[user@host ~]# tcpdump -i lo -nn icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
08:45:32.871414 IP 127.0.0.1 > 127.0.0.1: ICMP 127.0.0.1 tcp port 12345 unreachable, length 68
08:45:33.873097 IP 127.0.0.1 > 127.0.0.1: ICMP 127.0.0.1 tcp port 12345 unreachable, length 68

You can see that the client received port unreachable twice and then terminated with an error.

REJECT with tcp-reset

Let's try adding the --reject-with tcp-reset option:

iptables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with tcp-reset

In this case the client exits immediately with an error, because the very first request received an RST packet:

[user@host ~]# tcpdump -i lo -nn port 12345
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
09:02:52.766175 IP 127.0.0.1.60658 > 127.0.0.1.12345: Flags [S], seq 1889460883, win 43690, options [mss 65495,sackOK,TS val 1205119003 ecr 0,nop,wscale 7], length 0
09:02:52.766184 IP 127.0.0.1.12345 > 127.0.0.1.60658: Flags [R.], seq 0, ack 1889460884, win 0, length 0

REJECT with icmp-host-unreachable

Let's try yet another way of using REJECT:

iptables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with icmp-host-unreachable

The client exits after a second with the error [Errno 113] No route to host; in the ICMP traffic we see ICMP host 127.0.0.1 unreachable.

You can also try the other REJECT parameters yourself; I will limit myself to these :)

Simulating a request timeout

Another situation is when the client managed to connect to the server but cannot send a request to it. How do you filter packets so that filtering does not kick in right away? If you look at the traffic of any client-server exchange, you will notice that only the SYN and ACK flags are used while the connection is being established, but during the data exchange the last packet of the request carries the PSH flag. It is set automatically to avoid buffering. You can use this to build a filter: it will allow all packets except those with the PSH flag. Thus the connection will be established, but the client will not be able to send data to the server.

DROP

For DROP the command looks like this:

iptables -A INPUT -p tcp --tcp-flags PSH PSH --dport 12345 -j DROP

Start the client and look at the traffic:

Traffic dump

[user@host ~]# tcpdump -i lo -nn port 12345
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
10:02:47.549498 IP 127.0.0.1.49594 > 127.0.0.1.12345: Flags [S], seq 2166014137, win 43690, options [mss 65495,sackOK,TS val 1208713786 ecr 0,nop,wscale 7], length 0
10:02:47.549510 IP 127.0.0.1.12345 > 127.0.0.1.49594: Flags [S.], seq 2341799088, ack 2166014138, win 43690, options [mss 65495,sackOK,TS val 1208713786 ecr 1208713786,nop,wscale 7], length 0
10:02:47.549520 IP 127.0.0.1.49594 > 127.0.0.1.12345: Flags [.], ack 1, win 342, options [nop,nop,TS val 1208713786 ecr 1208713786], length 0
10:02:47.549568 IP 127.0.0.1.49594 > 127.0.0.1.12345: Flags [P.], seq 1:6, ack 1, win 342, options [nop,nop,TS val 1208713786 ecr 1208713786], length 5
10:02:47.750084 IP 127.0.0.1.49594 > 127.0.0.1.12345: Flags [P.], seq 1:6, ack 1, win 342, options [nop,nop,TS val 1208713987 ecr 1208713786], length 5
10:02:47.951088 IP 127.0.0.1.49594 > 127.0.0.1.12345: Flags [P.], seq 1:6, ack 1, win 342, options [nop,nop,TS val 1208714188 ecr 1208713786], length 5
10:02:48.354089 IP 127.0.0.1.49594 > 127.0.0.1.12345: Flags [P.], seq 1:6, ack 1, win 342, options [nop,nop,TS val 1208714591 ecr 1208713786], length 5

We see that the connection is established and the client cannot send data to the server.

REJECT

In this case the behaviour will be the same: the client cannot send the request, but it will receive ICMP 127.0.0.1 tcp port 12345 unreachable and increase the time between retransmissions of the request exponentially. The command looks like this:

iptables -A INPUT -p tcp --tcp-flags PSH PSH --dport 12345 -j REJECT

REJECT with tcp-reset

The command looks like this:

iptables -A INPUT -p tcp --tcp-flags PSH PSH --dport 12345 -j REJECT --reject-with tcp-reset

We already know that with --reject-with tcp-reset the client receives an RST packet in reply, so the behaviour is predictable: receiving an RST packet on an established connection means the socket was unexpectedly closed on the other side, so the client should get Connection reset by peer. Let's run our script and check this. This is what the traffic looks like:

Traffic dump

[user@host ~]# tcpdump -i lo -nn port 12345
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
10:22:14.186269 IP 127.0.0.1.52536 > 127.0.0.1.12345: Flags [S], seq 2615137531, win 43690, options [mss 65495,sackOK,TS val 1209880423 ecr 0,nop,wscale 7], length 0
10:22:14.186284 IP 127.0.0.1.12345 > 127.0.0.1.52536: Flags [S.], seq 3999904809, ack 2615137532, win 43690, options [mss 65495,sackOK,TS val 1209880423 ecr 1209880423,nop,wscale 7], length 0
10:22:14.186293 IP 127.0.0.1.52536 > 127.0.0.1.12345: Flags [.], ack 1, win 342, options [nop,nop,TS val 1209880423 ecr 1209880423], length 0
10:22:14.186338 IP 127.0.0.1.52536 > 127.0.0.1.12345: Flags [P.], seq 1:6, ack 1, win 342, options [nop,nop,TS val 1209880423 ecr 1209880423], length 5
10:22:14.186344 IP 127.0.0.1.12345 > 127.0.0.1.52536: Flags [R], seq 3999904810, win 0, length 0

REJECT with icmp-host-unreachable

I think it is already obvious to everyone what the command will look like :) The client's behaviour in this case differs slightly from plain REJECT: the client does not increase the timeout between attempts to resend the packet.

[user@host ~]# tcpdump -i lo -nn icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
10:29:56.149202 IP 127.0.0.1 > 127.0.0.1: ICMP host 127.0.0.1 unreachable, length 65
10:29:56.349107 IP 127.0.0.1 > 127.0.0.1: ICMP host 127.0.0.1 unreachable, length 65
10:29:56.549117 IP 127.0.0.1 > 127.0.0.1: ICMP host 127.0.0.1 unreachable, length 65
10:29:56.750125 IP 127.0.0.1 > 127.0.0.1: ICMP host 127.0.0.1 unreachable, length 65
10:29:56.951130 IP 127.0.0.1 > 127.0.0.1: ICMP host 127.0.0.1 unreachable, length 65
10:29:57.152107 IP 127.0.0.1 > 127.0.0.1: ICMP host 127.0.0.1 unreachable, length 65
10:29:57.353115 IP 127.0.0.1 > 127.0.0.1: ICMP host 127.0.0.1 unreachable, length 65

Conclusion

It is not necessary to write a mock to test how a service interacts with a hung client or server; sometimes the standard utilities available on Linux are enough.

The utilities described in this article have far more capabilities than those covered, so you can come up with your own ways of using them. Personally, what I wrote about has always been enough for me (actually, even less than that). If you use these or similar utilities for testing in your company, please write about how exactly. If not, I hope your software will get better once you decide to test it under network problems using the suggested methods.

Source: www.habr.com
