ProHoster > Блог > Ukuphatha > Umzila osheshayo kanye ne-NAT ku Linux

Umzila osheshayo kanye ne-NAT ku Linux

Njengoba amakheli e-IPv4 encipha, opharetha abaningi bezingcingo babhekene nesidingo sokuhlinzeka amakhasimende abo ngokufinyelela kwenethiwekhi besebenzisa ukuhumusha ikheli. Kulesi sihloko ngizokutshela ukuthi ungakuthola kanjani ukusebenza kwe-Carrier Grade NAT kumaseva wempahla.

Umlando omncane

Isihloko sokukhathala kwesikhala sekheli le-IPv4 asisemusha. Ngesinye isikhathi, kwavela uhlu lwabalindile ku-RIPE, kwase kuba ukushintshana lapho amakheli athengiswa khona futhi kwaphothulwa izivumelwano zokuwaqashisa. Kancane kancane, opharetha bezingcingo baqala ukuhlinzeka ngezinsizakalo zokufinyelela ku-inthanethi besebenzisa ikheli nokuhumusha ngembobo. Abanye abakwazanga ukuthola amakheli anele ukuze bakhiphe ikheli “elimhlophe” kumuntu ngamunye obhalisile, kuyilapho abanye baqala ukonga imali ngokwenqaba ukuthenga amakheli emakethe yesibili. Abakhiqizi bemishini yenethiwekhi basekela lo mbono, ngoba lokhu kusebenza ngokuvamile kudinga amamojula esandiso engeziwe noma amalayisense. Isibonelo, kulayini weJuniper wamarutha e-MX (ngaphandle kwe-MX104 ne-MX204 yakamuva), ungenza i-NAPT ekhadini lesevisi elihlukile le-MS-MIC, i-Cisco ASR1k idinga ilayisense ye-CGN, i-Cisco ASR9k idinga imojuli ehlukile ye-A9K-ISM-100 kanye nelayisensi ye-A9K-CGN -LIC kuye. Ngokuvamile, injabulo ibiza imali eningi.

I-IPTables

Ukusetshenziswa kwe-NAT akudingi izinsizakusebenza zekhompyutha ezikhethekile; ingaphathwa ngabaprosesa abajwayelekile, njengalabo abatholakala kunoma iyiphi i-router yasekhaya. Esikalini se-telecom operator, lo msebenzi ungafezwa kusetshenziswa amaseva empahla asebenzisa i-FreeBSD (ipfw/pf) noma i-GNU/Linux (i-iptables). Ngeke sibheke i-FreeBSD, njengoba ngayeka ukusebenzisa leyo OS kudala, ngakho-ke masinamathele ku-GNU/Linux.

Ukunika amandla ukuhunyushwa kwekheli akunzima neze. Okokuqala udinga ukubhalisa umthetho kuma-iptables kuthebula le-nat:

iptables -t nat -A POSTROUTING -s 100.64.0.0/10 -j SNAT --to <pool_start_addr>-<pool_end_addr> --persistent

Isistimu yokusebenza izolayisha imojuli ye-nf_contrack, ezoqapha konke ukuxhumana okusebenzayo futhi yenze ukuguqulwa okudingekayo. Kukhona ubuqili abambalwa lapha. Okokuqala, njengoba sikhuluma nge-NAT esikalini se-telecom opharetha, kuyadingeka ukulungisa isikhathi sokuvala, ngoba ngamavelu azenzakalelayo usayizi wetafula lokuhumusha uzokhula ngokushesha abe amanani ayinhlekelele. Ngezansi isibonelo sezilungiselelo engizisebenzise kumaseva ami:

net.ipv4.ip_forward = 1
net.ipv4.ip_local_port_range = 8192 65535

net.netfilter.nf_conntrack_generic_timeout = 300
net.netfilter.nf_conntrack_tcp_timeout_syn_sent = 60
net.netfilter.nf_conntrack_tcp_timeout_syn_recv = 60
net.netfilter.nf_conntrack_tcp_timeout_established = 600
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 45
net.netfilter.nf_conntrack_tcp_timeout_last_ack = 30
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_close = 10
net.netfilter.nf_conntrack_tcp_timeout_max_retrans = 300
net.netfilter.nf_conntrack_tcp_timeout_unacknowledged = 300
net.netfilter.nf_conntrack_udp_timeout = 30
net.netfilter.nf_conntrack_udp_timeout_stream = 60
net.netfilter.nf_conntrack_icmpv6_timeout = 30
net.netfilter.nf_conntrack_icmp_timeout = 30
net.netfilter.nf_conntrack_events_retry_timeout = 15
net.netfilter.nf_conntrack_checksum=0

Okwesibili, njengoba usayizi ozenzakalelayo wethebula lokuhumusha ayakhelwe ukusebenza ngaphansi kwemibandela ye-telecom opharetha, udinga ukukhuliswa:

net.netfilter.nf_conntrack_max = 3145728

Kudingeka futhi ukukhulisa inani lamabhakede etafula le-hashi eligcina konke ukusakazwa (lokhu kuyinketho kumojula ye-nf_conntrack):

options nf_conntrack hashsize=1572864

Ngemva kwalokhu kulungiswa okulula, kutholakala umklamo osebenza ngokugcwele ongasakaza inani elikhulu lamakheli amaklayenti echibini lamakheli angaphandle. Kodwa-ke, ukusebenza kwalesi sixazululo kushiya okuningi okungafiseleka. Emizamweni yami yokuqala yokusebenzisa i-GNU/Linux Nge-NAT (cishe ngo-2013), ngakwazi ukuthola ukusebenza okungu-7Gbit/s ku-0.8Mpps kuseva eyodwa (Xeon E5-1650v2). Kusukela ngaleso sikhathi, inethiwekhi ye-GNU kernel stack/Linux Kwenziwe ukulungiswa okuningi, futhi ukusebenza kweseva eyodwa kuhadiwe efanayo kwanda kwafinyelela cishe ku-18-19 Gbit/s ku-1.8-1.9 Mpps (lawa kwakungamanani aphezulu), kodwa isidingo sethrafikhi esiphathwa yiseva eyodwa sakhula ngokushesha okukhulu. Ekugcineni, izinhlelo zokulinganisela umthwalo zakhiwe kumaseva ahlukene, kodwa konke lokhu kwandisa ubunzima bokusetha, ukunakekela, kanye nokugcina ikhwalithi yezinsizakalo ezinikezwayo.

Amathebula we-NFT

Kulezi zinsuku, inkambiso yemfashini ku-software "izikhwama ezishintshayo" ukusetshenziswa kwe-DPDK ne-XDP. Kubhalwe izindatshana eziningi ngalesi sihloko, izinkulumo eziningi ezahlukene zenziwe, futhi kuvela imikhiqizo yokuthengisa (isibonelo, i-SKAT evela kuVasExperts). Kodwa uma kubhekwa izinsiza zokuhlela ezilinganiselwe zabasebenza ngocingo, kuyinkinga kakhulu ukudala noma yimuphi “umkhiqizo” ngokusekelwe kulezi zinhlaka uwedwa. Kuzoba nzima kakhulu ukusebenzisa isisombululo esinjalo esikhathini esizayo; ikakhulukazi, amathuluzi okuxilonga kuzodingeka athuthukiswe. Isibonelo, i-tcpdump ejwayelekile ene-DPDK ngeke isebenze kanjalo nje, futhi ngeke “ibone” amaphakethe abuyiselwe ezintanjeni kusetshenziswa i-XDP. Phakathi kwayo yonke inkulumo mayelana nobuchwepheshe obusha bokudlulisela amaphakethe esikhaleni somsebenzisi, awazange anakwe imibiko и izindatshana U-Pablo Neira Ayuso, umnakekeli we-iptables, mayelana nokuthuthukiswa kokulayishwa kokugeleza kuma-nftables. Ake sihlolisise lo mshini.

Umqondo oyinhloko ukuthi uma i-router idlulise amaphakethe kusuka kuseshini eyodwa kuzo zombili izinkomba zokugeleza (iseshini ye-TCP ingene kusimo ESImisiwe), khona-ke asikho isidingo sokudlulisa amaphakethe alandelayo ale seshini kuyo yonke imithetho ye-firewall, ngoba konke lokhu kuhlola kusazophela lapho iphakethe lidluliselwa phambili kumzila. Futhi empeleni asikho isidingo sokukhetha umzila - sesiyazi kakade ukuthi iyiphi i-interface nokuthi yimuphi umsingathi okudingeka sithumele amaphakethe phakathi kwale seshini. Okusele ukugcina lolu lwazi futhi ulusebenzisele umzila kusenesikhathi sokucutshungulwa kwephakethe. Lapho wenza i-NAT, kuyadingeka ukuthi ngaphezu kwalokho ugcine ulwazi mayelana nezinguquko kumakheli nezimbobo ezihunyushwe yimojula ye-nf_conntrack. Yebo, yiqiniso, kulokhu amaphoyisa ahlukahlukene kanye nolunye ulwazi kanye nemithetho yezibalo kuma-iptables ayeke ukusebenza, kodwa ngaphakathi kohlaka lomsebenzi wokuma okuhlukile we-NAT noma, isibonelo, umngcele, lokhu akubalulekile kangako, ngoba izinsizakalo asatshalaliswa phakathi kwamadivaysi.

Ukucushwa

Ukuze sisebenzise lo msebenzi sidinga:

  • Sebenzisa i-kernel entsha. Naphezu kokuthi ukusebenza ngokwayo kuvele ku-kernel 4.16, isikhathi eside "yayiluhlaza" futhi ibangela ukwethuka kwe-kernel. Yonke into yazinza ngoDisemba 2019, lapho kukhishwa ama-LTS kernels 4.19.90 kanye no-5.4.5.
  • Bhala kabusha imithetho ye-iptables ngefomethi ye-nfttables usebenzisa inguqulo yakamuva yama-nfttables. Isebenza ncamashi kunguqulo 0.9.0

Uma yonke into ngomgomo icacile ngephuzu lokuqala, into esemqoka ukungakhohlwa ukufaka imojuli ekucushweni ngesikhathi somhlangano (CONFIG_NFT_FLOW_OFFLOAD=m), khona-ke iphuzu lesibili lidinga incazelo. imithetho ye-nftables ichazwa ngokuhluke ngokuphelele kunama-iptables. Imibhalo wembula cishe wonke amaphuzu, kukhona futhi ekhethekile abaguquli imithetho kusuka ku-iptables kuya ku-nfttables. Ngakho-ke, ngizonikeza kuphela isibonelo sokusetha i-NAT nokugeleza kokulayisha. Inganekwane encane isibonelo: , - lezi yizindawo zenethiwekhi okudlula kuzo ithrafikhi; empeleni kungaba ngaphezulu kokubili kwakho. , — ikheli lokuqala nelokugcina lohlu lwamakheli “amhlophe”.

Ukucushwa kwe-NAT kulula kakhulu:

#! /usr/sbin/nft -f

table nat {
        chain postrouting {
                type nat hook postrouting priority 100;
                oif <o_if> snat to <pool_addr_start>-<pool_addr_end> persistent
        }
}

Ngokulayishwa kokugeleza kuyinkimbinkimbi, kodwa kuyaqondakala:

#! /usr/sbin/nft -f

table inet filter {
        flowtable fastnat {
                hook ingress priority 0
                devices = { <i_if>, <o_if> }
        }

        chain forward {
                type filter hook forward priority 0; policy accept;
                ip protocol { tcp , udp } flow offload @fastnat;
        }
}

Lokho, empeleni, isethi yonke. Manje yonke ithrafikhi ye-TCP/UDP izowela etafuleni le-fastnat futhi icutshungulwe ngokushesha okukhulu.

Imiphumela

Ukuze ngicacise ukuthi lokhu kushesha kangakanani, ngizonamathisela isithombe-skrini somthwalo kumaseva amabili angempela, anehadiwe efanayo (i-Xeon E5-1650v2), elungiselelwe ngendlela efanayo, kusetshenziswa umongo ofanayo. Linux, kodwa ukwenza i-NAT kuma-iptables (NAT4) kanye naku-nftables (NAT5).

Umzila osheshayo kanye ne-NAT ku Linux

Ayikho igrafu yamaphakethe ngomzuzwana kusithombe-skrini, kodwa kuphrofayela yokulayisha yalezi ziphakeli isilinganiso sosayizi wephakethe singamabhayithi angu-800, ngakho amanani afinyelela ku-1.5Mpps. Njengoba ubona, iseva enama-nftables inokugcinwa okukhulu kokusebenza. Okwamanje, le seva isebenza kuze kufike ku-30Gbit/s ku-3Mpps futhi iyakwazi ngokusobala ukuhlangabezana nomkhawulo wenethiwekhi ebonakalayo engu-40Gbps, kuyilapho inezinsiza zamahhala ze-CPU.

Ngethemba ukuthi le nto izoba usizo konjiniyela benethiwekhi abazama ukuthuthukisa ukusebenza kwamaseva abo.

Source: www.habr.com

Thenga ukusingathwa okuthembekile kwamasayithi anokuvikelwa kwe-DDoS, amaseva e-VPS VDS 🔥 Thenga ukusingathwa kwewebhusayithi okuthembekile ngokuvikelwa kwe-DDoS, amaseva e-VPS VDS | ProHoster