Hammaga salom, mening ismim Sasha, men FunCorp-da test sinovlarini o'tkazaman. Biz, boshqalar kabi, xizmatga yo'naltirilgan arxitekturani amalga oshirdik. Bu bir tomondan ishni osonlashtiradi, chunki... Har bir xizmatni alohida sinab ko'rish osonroq, lekin boshqa tomondan, ko'pincha tarmoq orqali sodir bo'ladigan xizmatlarning bir-biri bilan o'zaro ta'sirini sinab ko'rish zarurati mavjud.
Ushbu maqolada men tarmoq muammolari mavjud bo'lganda dasturning ishlashini tavsiflovchi asosiy stsenariylarni tekshirish uchun ishlatilishi mumkin bo'lgan ikkita yordamchi dastur haqida gapiraman.
Tarmoq muammolarini simulyatsiya qilish
Odatda, dasturiy ta'minot yaxshi Internet aloqasi bo'lgan test serverlarida sinovdan o'tkaziladi. Qattiq ishlab chiqarish muhitida ishlar unchalik silliq bo'lmasligi mumkin, shuning uchun ba'zida yomon ulanish sharoitida dasturlarni sinab ko'rishingiz kerak. Linuxda yordamchi dastur bunday sharoitlarni simulyatsiya qilish vazifasini bajarishga yordam beradi tc.
tc(abbr. Yo'l harakati nazoratidan) tizimda tarmoq paketlarini uzatishni sozlash imkonini beradi. Ushbu yordamchi dastur ajoyib imkoniyatlarga ega, ular haqida ko'proq o'qishingiz mumkin . Bu erda men ulardan faqat bir nechtasini ko'rib chiqaman: biz foydalanadigan trafikni rejalashtirishga qiziqamiz qdisk, va biz beqaror tarmoqni taqlid qilishimiz kerakligi sababli, biz sinfsiz qdisc dan foydalanamiz .
Serverda echo serverni ishga tushiramiz (men ):
ncat -l 127.0.0.1 12345 -k -c 'xargs -n1 -i echo "Response: {}"'
Mijoz va server o'rtasidagi o'zaro aloqaning har bir bosqichida barcha vaqt belgilarini batafsil ko'rsatish uchun men so'rov yuboradigan oddiy Python skriptini yozdim. sinov echo serverimizga.
Mijoz manba kodi
#!/bin/python
import socket
import time
HOST = '127.0.0.1'
PORT = 12345
BUFFER_SIZE = 1024
MESSAGE = "Testn"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
t1 = time.time()
print "[time before connection: %.5f]" % t1
s.connect((HOST, PORT))
print "[time after connection, before sending: %.5f]" % time.time()
s.send(MESSAGE)
print "[time after sending, before receiving: %.5f]" % time.time()
data = s.recv(BUFFER_SIZE)
print "[time after receiving, before closing: %.5f]" % time.time()
s.close()
t2 = time.time()
print "[time after closing: %.5f]" % t2
print "[total duration: %.5f]" % (t2 - t1)
print data
Keling, uni ishga tushiramiz va interfeysdagi trafikni ko'rib chiqamiz lo va port 12345:
[user@host ~]# python client.py
[time before connection: 1578652979.44837]
[time after connection, before sending: 1578652979.44889]
[time after sending, before receiving: 1578652979.44894]
[time after receiving, before closing: 1578652979.45922]
[time after closing: 1578652979.45928]
[total duration: 0.01091]
Response: Test
Trafik axlatxonasi
[user@host ~]# tcpdump -i lo -nn port 12345
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
10:42:59.448601 IP 127.0.0.1.54054 > 127.0.0.1.12345: Flags [S], seq 3383332866, win 43690, options [mss 65495,sackOK,TS val 606325685 ecr 0,nop,wscale 7], length 0
10:42:59.448612 IP 127.0.0.1.12345 > 127.0.0.1.54054: Flags [S.], seq 2584700178, ack 3383332867, win 43690, options [mss 65495,sackOK,TS val 606325685 ecr 606325685,nop,wscale 7], length 0
10:42:59.448622 IP 127.0.0.1.54054 > 127.0.0.1.12345: Flags [.], ack 1, win 342, options [nop,nop,TS val 606325685 ecr 606325685], length 0
10:42:59.448923 IP 127.0.0.1.54054 > 127.0.0.1.12345: Flags [P.], seq 1:6, ack 1, win 342, options [nop,nop,TS val 606325685 ecr 606325685], length 5
10:42:59.448930 IP 127.0.0.1.12345 > 127.0.0.1.54054: Flags [.], ack 6, win 342, options [nop,nop,TS val 606325685 ecr 606325685], length 0
10:42:59.459118 IP 127.0.0.1.12345 > 127.0.0.1.54054: Flags [P.], seq 1:15, ack 6, win 342, options [nop,nop,TS val 606325696 ecr 606325685], length 14
10:42:59.459213 IP 127.0.0.1.54054 > 127.0.0.1.12345: Flags [.], ack 15, win 342, options [nop,nop,TS val 606325696 ecr 606325696], length 0
10:42:59.459268 IP 127.0.0.1.54054 > 127.0.0.1.12345: Flags [F.], seq 6, ack 15, win 342, options [nop,nop,TS val 606325696 ecr 606325696], length 0
10:42:59.460184 IP 127.0.0.1.12345 > 127.0.0.1.54054: Flags [F.], seq 15, ack 7, win 342, options [nop,nop,TS val 606325697 ecr 606325696], length 0
10:42:59.460196 IP 127.0.0.1.54054 > 127.0.0.1.12345: Flags [.], ack 16, win 342, options [nop,nop,TS val 606325697 ecr 606325697], length 0
Hammasi standart: uch tomonlama qo'l siqish, ikki marta javoban PSH/ACK va ACK - bu mijoz va server o'rtasida so'rov va javob almashinuvi, FIN/ACK va ACK ikki marta - ulanishni yakunlash.
Paket kechikishi
Endi kechikishni 500 millisekundga o'rnatamiz:
tc qdisc add dev lo root netem delay 500ms
Biz mijozni ishga tushiramiz va skript endi 2 soniya davomida ishlashini ko'ramiz:
[user@host ~]# ./client.py
[time before connection: 1578662612.71044]
[time after connection, before sending: 1578662613.71059]
[time after sending, before receiving: 1578662613.71065]
[time after receiving, before closing: 1578662614.72011]
[time after closing: 1578662614.72019]
[total duration: 2.00974]
Response: Test
Trafikda nima bor? Keling, qaraylik:
Trafik axlatxonasi
13:23:33.210520 IP 127.0.0.1.58694 > 127.0.0.1.12345: Flags [S], seq 1720950927, win 43690, options [mss 65495,sackOK,TS val 615958947 ecr 0,nop,wscale 7], length 0
13:23:33.710554 IP 127.0.0.1.12345 > 127.0.0.1.58694: Flags [S.], seq 1801168125, ack 1720950928, win 43690, options [mss 65495,sackOK,TS val 615959447 ecr 615958947,nop,wscale 7], length 0
13:23:34.210590 IP 127.0.0.1.58694 > 127.0.0.1.12345: Flags [.], ack 1, win 342, options [nop,nop,TS val 615959947 ecr 615959447], length 0
13:23:34.210657 IP 127.0.0.1.58694 > 127.0.0.1.12345: Flags [P.], seq 1:6, ack 1, win 342, options [nop,nop,TS val 615959947 ecr 615959447], length 5
13:23:34.710680 IP 127.0.0.1.12345 > 127.0.0.1.58694: Flags [.], ack 6, win 342, options [nop,nop,TS val 615960447 ecr 615959947], length 0
13:23:34.719371 IP 127.0.0.1.12345 > 127.0.0.1.58694: Flags [P.], seq 1:15, ack 6, win 342, options [nop,nop,TS val 615960456 ecr 615959947], length 14
13:23:35.220106 IP 127.0.0.1.58694 > 127.0.0.1.12345: Flags [.], ack 15, win 342, options [nop,nop,TS val 615960957 ecr 615960456], length 0
13:23:35.220188 IP 127.0.0.1.58694 > 127.0.0.1.12345: Flags [F.], seq 6, ack 15, win 342, options [nop,nop,TS val 615960957 ecr 615960456], length 0
13:23:35.720994 IP 127.0.0.1.12345 > 127.0.0.1.58694: Flags [F.], seq 15, ack 7, win 342, options [nop,nop,TS val 615961457 ecr 615960957], length 0
13:23:36.221025 IP 127.0.0.1.58694 > 127.0.0.1.12345: Flags [.], ack 16, win 342, options [nop,nop,TS val 615961957 ecr 615961457], length 0
Mijoz va server o'rtasidagi o'zaro aloqada kutilgan yarim soniyalik kechikish paydo bo'lganini ko'rishingiz mumkin. Agar kechikish kattaroq bo'lsa, tizim o'zini ancha qiziqroq tutadi: yadro ba'zi TCP paketlarini qayta yuborishni boshlaydi. Kechikishni 1 soniyaga o'zgartiramiz va trafikni ko'rib chiqamiz (men mijozning chiqishini ko'rsatmayman, umumiy davomiylik uchun kutilgan 4 soniya bor):
tc qdisc change dev lo root netem delay 1s
Trafik axlatxonasi
13:29:07.709981 IP 127.0.0.1.39306 > 127.0.0.1.12345: Flags [S], seq 283338334, win 43690, options [mss 65495,sackOK,TS val 616292946 ecr 0,nop,wscale 7], length 0
13:29:08.710018 IP 127.0.0.1.12345 > 127.0.0.1.39306: Flags [S.], seq 3514208179, ack 283338335, win 43690, options [mss 65495,sackOK,TS val 616293946 ecr 616292946,nop,wscale 7], length 0
13:29:08.711094 IP 127.0.0.1.39306 > 127.0.0.1.12345: Flags [S], seq 283338334, win 43690, options [mss 65495,sackOK,TS val 616293948 ecr 0,nop,wscale 7], length 0
13:29:09.710048 IP 127.0.0.1.39306 > 127.0.0.1.12345: Flags [.], ack 1, win 342, options [nop,nop,TS val 616294946 ecr 616293946], length 0
13:29:09.710152 IP 127.0.0.1.39306 > 127.0.0.1.12345: Flags [P.], seq 1:6, ack 1, win 342, options [nop,nop,TS val 616294947 ecr 616293946], length 5
13:29:09.711120 IP 127.0.0.1.12345 > 127.0.0.1.39306: Flags [S.], seq 3514208179, ack 283338335, win 43690, options [mss 65495,sackOK,TS val 616294948 ecr 616292946,nop,wscale 7], length 0
13:29:10.710173 IP 127.0.0.1.12345 > 127.0.0.1.39306: Flags [.], ack 6, win 342, options [nop,nop,TS val 616295947 ecr 616294947], length 0
13:29:10.711140 IP 127.0.0.1.39306 > 127.0.0.1.12345: Flags [.], ack 1, win 342, options [nop,nop,TS val 616295948 ecr 616293946], length 0
13:29:10.714782 IP 127.0.0.1.12345 > 127.0.0.1.39306: Flags [P.], seq 1:15, ack 6, win 342, options [nop,nop,TS val 616295951 ecr 616294947], length 14
13:29:11.714819 IP 127.0.0.1.39306 > 127.0.0.1.12345: Flags [.], ack 15, win 342, options [nop,nop,TS val 616296951 ecr 616295951], length 0
13:29:11.714893 IP 127.0.0.1.39306 > 127.0.0.1.12345: Flags [F.], seq 6, ack 15, win 342, options [nop,nop,TS val 616296951 ecr 616295951], length 0
13:29:12.715562 IP 127.0.0.1.12345 > 127.0.0.1.39306: Flags [F.], seq 15, ack 7, win 342, options [nop,nop,TS val 616297952 ecr 616296951], length 0
13:29:13.715596 IP 127.0.0.1.39306 > 127.0.0.1.12345: Flags [.], ack 16, win 342, options [nop,nop,TS val 616298952 ecr 616297952], length 0
Ko'rinib turibdiki, mijoz SYN paketini ikki marta yuborgan va server ikki marta SYN/ACK yuborgan.
Doimiy qiymatdan tashqari, kechikish og'ish, tarqatish funktsiyasi va korrelyatsiya (oldingi paket uchun qiymat bilan) o'rnatilishi mumkin. Bu quyidagicha amalga oshiriladi:
tc qdisc change dev lo root netem delay 500ms 400ms 50 distribution normal
Bu erda biz kechikishni 100 dan 900 millisekundgacha o'rnatdik, qiymatlar normal taqsimotga ko'ra tanlanadi va oldingi paket uchun kechikish qiymati bilan 50% korrelyatsiya bo'ladi.
Men foydalangan birinchi buyruqda buni payqagan bo'lishingiz mumkin qo'shishva keyin o'zgarish. Ushbu buyruqlarning ma'nosi aniq, shuning uchun men yana ko'p narsalarni qo'shaman del, bu konfiguratsiyani olib tashlash uchun ishlatilishi mumkin.
Paket yo'qolishi
Keling, paketlarni yo'qotishga harakat qilaylik. Hujjatlardan ko'rinib turibdiki, buni uchta usulda amalga oshirish mumkin: paketlarni tasodifiy ravishda qandaydir ehtimollik bilan yo'qotish, paketlarni yo'qotishni hisoblash uchun 2, 3 yoki 4 holatdan iborat Markov zanjiridan foydalanish yoki Elliott-Gilbert modelidan foydalanish. Maqolada men birinchi (eng oddiy va eng aniq) usulni ko'rib chiqaman va siz boshqalar haqida o'qishingiz mumkin .
50% korrelyatsiya bilan paketlarning 25% ni yo'qotamiz:
tc qdisc add dev lo root netem loss 50% 25%
Afsuski, tcpdump bizga paketlarning yo'qolishini aniq ko'rsata olmaydi, biz faqat u haqiqatan ham ishlaydi deb taxmin qilamiz. Va skriptning ko'paygan va beqaror ishlash vaqti buni tekshirishga yordam beradi. client.py (bir zumda yoki 20 soniya ichida bajarilishi mumkin), shuningdek qayta uzatiladigan paketlar soni ko'payadi:
[user@host ~]# netstat -s | grep retransmited; sleep 10; netstat -s | grep retransmited
17147 segments retransmited
17185 segments retransmited
Paketlarga shovqin qo'shish
Paket yo'qolishiga qo'shimcha ravishda siz paketning shikastlanishini simulyatsiya qilishingiz mumkin: tasodifiy paket holatida shovqin paydo bo'ladi. Keling, 50% ehtimollik bilan va korrelyatsiyasiz paketga zarar yetkazamiz:
tc qdisc change dev lo root netem corrupt 50%
Biz mijoz skriptini ishga tushiramiz (u erda qiziq narsa yo'q, lekin uni bajarish uchun 2 soniya kerak bo'ldi), trafikni ko'ring:
Trafik axlatxonasi
[user@host ~]# tcpdump -i lo -nn port 12345
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
10:20:54.812434 IP 127.0.0.1.43666 > 127.0.0.1.12345: Flags [S], seq 2023663770, win 43690, options [mss 65495,sackOK,TS val 1037001049 ecr 0,nop,wscale 7], length 0
10:20:54.812449 IP 127.0.0.1.12345 > 127.0.0.1.43666: Flags [S.], seq 2104268044, ack 2023663771, win 43690, options [mss 65495,sackOK,TS val 1037001049 ecr 1037001049,nop,wscale 7], length 0
10:20:54.812458 IP 127.0.0.1.43666 > 127.0.0.1.12345: Flags [.], ack 1, win 342, options [nop,nop,TS val 1037001049 ecr 1037001049], length 0
10:20:54.812509 IP 127.0.0.1.43666 > 127.0.0.1.12345: Flags [P.], seq 1:6, ack 1, win 342, options [nop,nop,TS val 1037001049 ecr 1037001049], length 5
10:20:55.013093 IP 127.0.0.1.43666 > 127.0.0.1.12345: Flags [P.], seq 1:6, ack 1, win 342, options [nop,nop,TS val 1037001250 ecr 1037001049], length 5
10:20:55.013122 IP 127.0.0.1.12345 > 127.0.0.1.43666: Flags [.], ack 6, win 342, options [nop,nop,TS val 1037001250 ecr 1037001250], length 0
10:20:55.014681 IP 127.0.0.1.12345 > 127.0.0.1.43666: Flags [P.], seq 1:15, ack 6, win 342, options [nop,nop,TS val 1037001251 ecr 1037001250], length 14
10:20:55.014745 IP 127.0.0.1.43666 > 127.0.0.1.12345: Flags [.], ack 15, win 340, options [nop,nop,TS val 1037001251 ecr 1037001251], length 0
10:20:55.014823 IP 127.0.0.1.43666 > 127.0.0.5.12345: Flags [F.], seq 2023663776, ack 2104268059, win 342, options [nop,nop,TS val 1037001251 ecr 1037001251], length 0
10:20:55.214088 IP 127.0.0.1.12345 > 127.0.0.1.43666: Flags [P.], seq 1:15, ack 6, win 342, options [nop,unknown-65 0x0a3dcf62eb3d,[bad opt]>
10:20:55.416087 IP 127.0.0.1.43666 > 127.0.0.1.12345: Flags [F.], seq 6, ack 15, win 342, options [nop,nop,TS val 1037001653 ecr 1037001251], length 0
10:20:55.416804 IP 127.0.0.1.12345 > 127.0.0.1.43666: Flags [F.], seq 15, ack 7, win 342, options [nop,nop,TS val 1037001653 ecr 1037001653], length 0
10:20:55.416818 IP 127.0.0.1.43666 > 127.0.0.1.12345: Flags [.], ack 16, win 343, options [nop,nop,TS val 1037001653 ecr 1037001653], length 0
10:20:56.147086 IP 127.0.0.1.12345 > 127.0.0.1.43666: Flags [F.], seq 15, ack 7, win 342, options [nop,nop,TS val 1037002384 ecr 1037001653], length 0
10:20:56.147101 IP 127.0.0.1.43666 > 127.0.0.1.12345: Flags [.], ack 16, win 342, options [nop,nop,TS val 1037002384 ecr 1037001653], length 0
Ko'rinib turibdiki, ba'zi paketlar qayta-qayta yuborilgan va metadata buzilgan bitta paket mavjud: variantlar [nop,noma'lum-65 0x0a3dcf62eb3d,[bad opt]>. Ammo asosiysi, oxir-oqibat hamma narsa to'g'ri ishladi - TCP o'z vazifasini bajardi.
Paketlarni takrorlash
Yana nima qilish mumkin netem? Misol uchun, paket yo'qolishining teskari holatini - paketlarni takrorlashni simulyatsiya qiling. Bu buyruq 2 ta argumentni ham oladi: ehtimollik va korrelyatsiya.
tc qdisc change dev lo root netem duplicate 50% 25%
Paketlar tartibini o'zgartirish
Siz sumkalarni ikki usulda aralashtirishingiz mumkin.
Birinchisida, ba'zi paketlar darhol yuboriladi, qolganlari belgilangan kechikish bilan. Hujjatlardan misol:
tc qdisc change dev lo root netem delay 10ms reorder 25% 50%
25% ehtimollik bilan (va 50% korrelyatsiya bilan) paket darhol yuboriladi, qolganlari 10 millisekundlik kechikish bilan yuboriladi.
Ikkinchi usul - har bir N-paket ma'lum bir ehtimollik (va korrelyatsiya) bilan bir zumda, qolganlari esa ma'lum kechikish bilan yuboriladi. Hujjatlardan misol:
tc qdisc change dev lo root netem delay 10ms reorder 25% 50% gap 5
Har beshinchi paketni kechiktirmasdan yuborish imkoniyati 25% ga etadi.
Tarmoqli kengligini o'zgartirish
Odatda hamma joyda ular murojaat qilishadi , lekin yordam bilan netem Bundan tashqari, interfeysning tarmoqli kengligini o'zgartirishingiz mumkin:
tc qdisc change dev lo root netem rate 56kbit
Bu jamoa atrofida sayohatlar qiladi localhost dial-up modem orqali Internetda kezish kabi og'riqli. Bit tezligini o'rnatishdan tashqari, siz havola qatlami protokoli modelini ham taqlid qilishingiz mumkin: paket uchun qo'shimcha xarajatlarni, hujayra o'lchamini va hujayra uchun qo'shimcha xarajatlarni o'rnating. Masalan, buni simulyatsiya qilish mumkin va bit tezligi 56 kbit/s:
tc qdisc change dev lo root netem rate 56kbit 0 48 5
Simulyatsiya ulanish vaqti tugashi
Dasturiy ta'minotni qabul qilishda sinov rejasidagi yana bir muhim nuqta - bu kutish vaqti. Bu juda muhim, chunki taqsimlangan tizimlarda xizmatlardan biri o'chirilgan bo'lsa, qolganlari o'z vaqtida boshqalarga qaytishi yoki mijozga xatoni qaytarishi kerak va hech qanday holatda javob yoki ulanishni kutmasdan osib qo'ymaslik kerak. tashkil etilishi kerak.
Buning bir necha yo'li mavjud: masalan, javob bermaydigan masxaradan foydalaning yoki tuzatuvchi yordamida jarayonga ulaning, to'xtash nuqtasini to'g'ri joyga qo'ying va jarayonni to'xtating (bu, ehtimol, eng buzuq yo'ldir). Lekin eng aniqlaridan biri bu portlar yoki xostlarni himoya qilishdir. Bu bizga yordam beradi .
Namoyish uchun biz 12345-sonli xavfsizlik devorini o'rnatamiz va mijoz skriptini ishga tushiramiz. Siz jo'natuvchida ushbu portga chiquvchi paketlarni yoki qabul qiluvchida kiruvchi paketlarni himoya devori bilan o'rnatishingiz mumkin. Mening misollarimda kiruvchi paketlar xavfsizlik devori bilan o'rnatiladi (biz INPUT zanjiri va opsiyadan foydalanamiz. --dport). Bunday paketlar RST TCP bayrog'i bilan yoki ICMP xostiga ulanib bo'lmaydigan (aslida standart xatti-harakat) bilan TO'CHIRISH, REJECT yoki REJECT bo'lishi mumkin. icmp portiga etib bo'lmaydi, shuningdek, javob yuborish imkoniyati ham mavjud icmp-net-ga kirish mumkin emas, icmp-proto-olib bo'lmaydi, icmp-net-taqiqlangan ΠΈ icmp-host-taqiqlangan).
YO'Q
Agar DROP bilan qoida mavjud bo'lsa, paketlar shunchaki "yo'qoladi".
iptables -A INPUT -p tcp --dport 12345 -j DROP
Biz mijozni ishga tushiramiz va u serverga ulanish bosqichida muzlashini ko'ramiz. Keling, trafikni ko'rib chiqaylik:
Trafik axlatxonasi
[user@host ~]# tcpdump -i lo -nn port 12345
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
08:28:20.213506 IP 127.0.0.1.32856 > 127.0.0.1.12345: Flags [S], seq 3019694933, win 43690, options [mss 65495,sackOK,TS val 1203046450 ecr 0,nop,wscale 7], length 0
08:28:21.215086 IP 127.0.0.1.32856 > 127.0.0.1.12345: Flags [S], seq 3019694933, win 43690, options [mss 65495,sackOK,TS val 1203047452 ecr 0,nop,wscale 7], length 0
08:28:23.219092 IP 127.0.0.1.32856 > 127.0.0.1.12345: Flags [S], seq 3019694933, win 43690, options [mss 65495,sackOK,TS val 1203049456 ecr 0,nop,wscale 7], length 0
08:28:27.227087 IP 127.0.0.1.32856 > 127.0.0.1.12345: Flags [S], seq 3019694933, win 43690, options [mss 65495,sackOK,TS val 1203053464 ecr 0,nop,wscale 7], length 0
08:28:35.235102 IP 127.0.0.1.32856 > 127.0.0.1.12345: Flags [S], seq 3019694933, win 43690, options [mss 65495,sackOK,TS val 1203061472 ecr 0,nop,wscale 7], length 0
Ko'rinib turibdiki, mijoz SYN paketlarini eksponent ravishda o'sib borayotgan vaqt tugashi bilan yuboradi. Shunday qilib, biz mijozda kichik xato topdik: siz usuldan foydalanishingiz kerak settimeout()mijoz serverga ulanishga harakat qiladigan vaqtni cheklash uchun.
Biz darhol qoidani olib tashlaymiz:
iptables -D INPUT -p tcp --dport 12345 -j DROPSiz bir vaqtning o'zida barcha qoidalarni o'chirishingiz mumkin:
iptables -F
Agar siz Docker dan foydalanayotgan bo'lsangiz va konteynerga boradigan barcha trafikni xavfsizlik devori bilan o'rnatishingiz kerak bo'lsa, buni quyidagicha qilishingiz mumkin:
iptables -I DOCKER-USER -p tcp -d CONTAINER_IP -j DROP
REJI
Keling, shunga o'xshash qoidani qo'shamiz, lekin REJECT bilan:
iptables -A INPUT -p tcp --dport 12345 -j REJECT
Mijoz bir soniyadan keyin xato bilan chiqib ketadi [Xato 111] Ulanish rad etildi. Keling, ICMP trafigini ko'rib chiqaylik:
[user@host ~]# tcpdump -i lo -nn icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
08:45:32.871414 IP 127.0.0.1 > 127.0.0.1: ICMP 127.0.0.1 tcp port 12345 unreachable, length 68
08:45:33.873097 IP 127.0.0.1 > 127.0.0.1: ICMP 127.0.0.1 tcp port 12345 unreachable, length 68
Ko'rinib turibdiki, mijoz ikki marta olgan portga etib bo'lmaydi va keyin xato bilan yakunlandi.
tcp-reset bilan RED
Variantni qo'shishga harakat qilaylik --reject-tcp-reset bilan:
iptables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with tcp-reset
Bunday holda, mijoz darhol xato bilan chiqadi, chunki birinchi so'rov RST paketini oldi:
[user@host ~]# tcpdump -i lo -nn port 12345
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
09:02:52.766175 IP 127.0.0.1.60658 > 127.0.0.1.12345: Flags [S], seq 1889460883, win 43690, options [mss 65495,sackOK,TS val 1205119003 ecr 0,nop,wscale 7], length 0
09:02:52.766184 IP 127.0.0.1.12345 > 127.0.0.1.60658: Flags [R.], seq 0, ack 1889460884, win 0, length 0
ICmp-host-unreachable bilan RED
REJECT dan foydalanishning boshqa variantini sinab ko'raylik:
iptables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with icmp-host-unreachable
Mijoz bir soniyadan keyin xato bilan chiqib ketadi [Errno 113] Xostga marshrut yo'q, biz ICMP trafigida ko'ramiz ICMP xostiga 127.0.0.1 kirish imkoni yo'q.
Siz boshqa REJECT parametrlarini ham sinab ko'rishingiz mumkin va men ularga e'tibor qarataman :)
Simulyatsiya so'rovi vaqti tugashi
Yana bir holat - mijoz serverga ulanishi mumkin edi, lekin unga so'rov yubora olmaydi. Filtrlash darhol boshlanmasligi uchun paketlarni qanday filtrlash kerak? Agar siz mijoz va server o'rtasidagi har qanday aloqa trafigini ko'rsangiz, ulanishni o'rnatishda faqat SYN va ACK bayroqlari qo'llanilishini, lekin ma'lumotlarni almashishda oxirgi so'rov paketida PSH bayrog'i bo'lishini ko'rasiz. Buferlashni oldini olish uchun u avtomatik ravishda o'rnatiladi. Ushbu ma'lumotdan filtr yaratish uchun foydalanishingiz mumkin: u PSH bayrog'ini o'z ichiga olgan paketlardan tashqari barcha paketlarga ruxsat beradi. Shunday qilib, ulanish o'rnatiladi, lekin mijoz serverga ma'lumot yubora olmaydi.
YO'Q
DROP uchun buyruq quyidagicha ko'rinadi:
iptables -A INPUT -p tcp --tcp-flags PSH PSH --dport 12345 -j DROP
Mijozni ishga tushiring va trafikni kuzating:
Trafik axlatxonasi
[user@host ~]# tcpdump -i lo -nn port 12345
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
10:02:47.549498 IP 127.0.0.1.49594 > 127.0.0.1.12345: Flags [S], seq 2166014137, win 43690, options [mss 65495,sackOK,TS val 1208713786 ecr 0,nop,wscale 7], length 0
10:02:47.549510 IP 127.0.0.1.12345 > 127.0.0.1.49594: Flags [S.], seq 2341799088, ack 2166014138, win 43690, options [mss 65495,sackOK,TS val 1208713786 ecr 1208713786,nop,wscale 7], length 0
10:02:47.549520 IP 127.0.0.1.49594 > 127.0.0.1.12345: Flags [.], ack 1, win 342, options [nop,nop,TS val 1208713786 ecr 1208713786], length 0
10:02:47.549568 IP 127.0.0.1.49594 > 127.0.0.1.12345: Flags [P.], seq 1:6, ack 1, win 342, options [nop,nop,TS val 1208713786 ecr 1208713786], length 5
10:02:47.750084 IP 127.0.0.1.49594 > 127.0.0.1.12345: Flags [P.], seq 1:6, ack 1, win 342, options [nop,nop,TS val 1208713987 ecr 1208713786], length 5
10:02:47.951088 IP 127.0.0.1.49594 > 127.0.0.1.12345: Flags [P.], seq 1:6, ack 1, win 342, options [nop,nop,TS val 1208714188 ecr 1208713786], length 5
10:02:48.354089 IP 127.0.0.1.49594 > 127.0.0.1.12345: Flags [P.], seq 1:6, ack 1, win 342, options [nop,nop,TS val 1208714591 ecr 1208713786], length 5
Ulanish o'rnatilganligini va mijoz serverga ma'lumotlarni yubora olmasligini ko'ramiz.
REJI
Bunday holda xatti-harakatlar bir xil bo'ladi: mijoz so'rovni yubora olmaydi, lekin qabul qiladi ICMP 127.0.0.1 tcp port 12345 bilan bogβlanib boβlmaydi va so'rovni qayta yuborish orasidagi vaqtni eksponent ravishda oshiring. Buyruq shunday ko'rinadi:
iptables -A INPUT -p tcp --tcp-flags PSH PSH --dport 12345 -j REJECT
tcp-reset bilan RED
Buyruq shunday ko'rinadi:
iptables -A INPUT -p tcp --tcp-flags PSH PSH --dport 12345 -j REJECT --reject-with tcp-reset
Foydalanishda biz buni allaqachon bilamiz --reject-tcp-reset bilan mijoz javob sifatida RST paketini oladi, shuning uchun xatti-harakatni bashorat qilish mumkin: ulanish o'rnatilganda RST paketini qabul qilish rozetkaning boshqa tomondan kutilmaganda yopilishini anglatadi, ya'ni mijoz qabul qilishi kerak Ulanish tengdosh tomonidan tiklandi. Keling, skriptimizni ishga tushiramiz va bunga ishonch hosil qilamiz. Va trafik quyidagicha ko'rinadi:
Trafik axlatxonasi
[user@host ~]# tcpdump -i lo -nn port 12345
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
10:22:14.186269 IP 127.0.0.1.52536 > 127.0.0.1.12345: Flags [S], seq 2615137531, win 43690, options [mss 65495,sackOK,TS val 1209880423 ecr 0,nop,wscale 7], length 0
10:22:14.186284 IP 127.0.0.1.12345 > 127.0.0.1.52536: Flags [S.], seq 3999904809, ack 2615137532, win 43690, options [mss 65495,sackOK,TS val 1209880423 ecr 1209880423,nop,wscale 7], length 0
10:22:14.186293 IP 127.0.0.1.52536 > 127.0.0.1.12345: Flags [.], ack 1, win 342, options [nop,nop,TS val 1209880423 ecr 1209880423], length 0
10:22:14.186338 IP 127.0.0.1.52536 > 127.0.0.1.12345: Flags [P.], seq 1:6, ack 1, win 342, options [nop,nop,TS val 1209880423 ecr 1209880423], length 5
10:22:14.186344 IP 127.0.0.1.12345 > 127.0.0.1.52536: Flags [R], seq 3999904810, win 0, length 0
ICmp-host-unreachable bilan RED
Menimcha, buyruq qanday ko'rinishda bo'lishi hammaga ayon bo'ldi :) Bu holatda mijozning xatti-harakati oddiy REJECTdan biroz farq qiladi: mijoz paketni qayta yuborishga urinishlar orasidagi vaqtni oshirmaydi.
[user@host ~]# tcpdump -i lo -nn icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
10:29:56.149202 IP 127.0.0.1 > 127.0.0.1: ICMP host 127.0.0.1 unreachable, length 65
10:29:56.349107 IP 127.0.0.1 > 127.0.0.1: ICMP host 127.0.0.1 unreachable, length 65
10:29:56.549117 IP 127.0.0.1 > 127.0.0.1: ICMP host 127.0.0.1 unreachable, length 65
10:29:56.750125 IP 127.0.0.1 > 127.0.0.1: ICMP host 127.0.0.1 unreachable, length 65
10:29:56.951130 IP 127.0.0.1 > 127.0.0.1: ICMP host 127.0.0.1 unreachable, length 65
10:29:57.152107 IP 127.0.0.1 > 127.0.0.1: ICMP host 127.0.0.1 unreachable, length 65
10:29:57.353115 IP 127.0.0.1 > 127.0.0.1: ICMP host 127.0.0.1 unreachable, length 65
xulosa
Xizmatning osilgan mijoz yoki server bilan o'zaro ta'sirini sinab ko'rish uchun masxara yozish shart emas, ba'zan Linuxda joylashgan standart yordamchi dasturlardan foydalanish kifoya.
Maqolada muhokama qilingan yordam dasturlari tavsiflanganidan ko'ra ko'proq imkoniyatlarga ega, shuning uchun siz ulardan foydalanishning ba'zi variantlarini o'ylab topishingiz mumkin. Shaxsan men har doim yozganlarim etarli (aslida, hatto kamroq). Agar siz ushbu yoki shunga o'xshash yordamchi dasturlarni o'z kompaniyangizda sinovdan o'tkazishda foydalansangiz, qanday qilib aniqligini yozing. Agar yo'q bo'lsa, taklif qilingan usullardan foydalangan holda tarmoq muammolari sharoitida uni sinab ko'rishga qaror qilsangiz, dasturiy ta'minotingiz yaxshilanadi deb umid qilaman.
Manba: www.habr.com