标签:iptables
背景说明:
iptables的conntrack模块,因为业务量大,而导致drop packet的状况,现针对线上机器进行灰度,灰度的原则是:没有使用iptables,则将其禁用并修改hash表;如果有使用iptables,则直接修改hash表即可。
脚本内容:
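#!/usr/bin/env bash
#
# Grey-release helper for the "conntrack table full, packets dropped" problem.
#
# Policy implemented by main() (see the case statement there):
#   * host does NOT use iptables -> blacklist the netfilter/iptables kernel
#     modules via modprobe.d, hide the iptables client binary, and still
#     persist the larger conntrack limits into the init script;
#   * host DOES use iptables     -> only adjust the conntrack limits and
#     report the host to the collection endpoint.
#
# Supported: RHEL/CentOS 5.x and 6.0-6.6, detected from /etc/redhat-release.
# Must run as root. Requires GNU sed (one-line `i\ text` form, \< \> anchors).
#
# NOTE(review): despite the "hash table" wording in the write-up, only
# *_conntrack_max and two TCP timeouts are tuned; the conntrack hashsize
# module parameter is not touched by this script.

set -euo pipefail

readonly IPTABLES_INIT="/etc/init.d/iptables"
readonly MODPROBE_CONF="/etc/modprobe.d/kugou.conf"
readonly IPTABLES_BIN="/sbin/iptables"
readonly IPTABLES_BIN_HIDDEN="/sbin/selbatpi"
readonly REPORT_URL="http://10.1.2.128/iptables_on"
# Line the init script's start() contains; tuning lines are inserted before it.
readonly INIT_ANCHOR='touch $VAR_SUBSYS_IPTABLES'
TODAY=$(date +%F)
readonly TODAY
readonly BACKUP_FILE="/root/iptables-${TODAY}"

#######################################
# Print a message to stderr and exit 1.
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Write $2 into the /proc tunable $1 if it exists; otherwise warn and skip.
# On a host where the conntrack module is not loaded the file is absent, and
# a failed redirect would abort the whole run under `set -e`.
# Arguments: $1 - /proc/sys path, $2 - value
#######################################
write_proc() {
  local file=$1 value=$2
  if [[ -e "$file" ]]; then
    printf '%s\n' "$value" > "$file"
  else
    printf 'warn: %s not present, runtime value %s not applied\n' \
      "$file" "$value" >&2
  fi
}

#######################################
# Persist and apply a list of "PATH=VALUE" conntrack tunables.
# Pass 1 removes any previously persisted `echo N > PATH` line from the init
# script so re-runs do not accumulate duplicates; pass 2 inserts
# `echo VALUE > PATH` before INIT_ANCHOR and writes the value immediately.
# The two passes are separate because two PATHs can share a basename
# (/proc/sys/net/nf_conntrack_max and /proc/sys/net/netfilter/nf_conntrack_max).
# Globals:   IPTABLES_INIT (modified in place), INIT_ANCHOR
# Arguments: one or more "PATH=VALUE" strings
#######################################
apply_conntrack_settings() {
  local entry file value
  # If the anchor is missing, sed would silently insert nothing and the
  # settings would be lost at the next reboot — fail loudly instead.
  grep -qF -- "$INIT_ANCHOR" "$IPTABLES_INIT" \
    || die "${IPTABLES_INIT}: anchor line '${INIT_ANCHOR}' not found"
  for entry in "$@"; do
    file=${entry%%=*}
    # '#' as the address delimiter because PATH contains slashes.
    sed -i "\\#^[[:space:]]*echo [0-9]* > ${file}\$# d" "$IPTABLES_INIT"
  done
  for entry in "$@"; do
    file=${entry%%=*}
    value=${entry#*=}
    # The '$' in the anchor is a literal character of the init script text,
    # hence escaped for the regex; `i\ text` is the GNU sed one-line form.
    sed -i "/touch \\\$VAR_SUBSYS_IPTABLES/ i\\ echo ${value} > ${file}" \
      "$IPTABLES_INIT"
    write_proc "$file" "$value"
  done
}

#######################################
# EL5 (2.6.18 kernel): legacy ip_conntrack tunable names.
#######################################
setup_bucket_el5() {
  apply_conntrack_settings \
    "/proc/sys/net/ipv4/netfilter/ip_conntrack_max=1048576" \
    "/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_syn_recv=30" \
    "/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established=60"
}

#######################################
# EL6: nf_conntrack tunable names; /proc/sys/net/nf_conntrack_max is the
# legacy alias of the netfilter/ path and is kept for parity with the original.
# The original persisted 655350 but applied 1048576 at runtime, so the value
# silently changed after a reboot; both are now 1048576.
#######################################
setup_bucket_el6() {
  apply_conntrack_settings \
    "/proc/sys/net/nf_conntrack_max=1048576" \
    "/proc/sys/net/netfilter/nf_conntrack_max=1048576" \
    "/proc/sys/net/netfilter/nf_conntrack_tcp_timeout_established=60"
}

#######################################
# Write one `install MOD /bin/true` line per argument into MODPROBE_CONF so
# any later attempt to load those modules is a no-op. Modules that are
# already loaded are NOT unloaded by this; that only takes effect at the
# next modprobe / reboot.
# Globals:   MODPROBE_CONF (overwritten)
# Arguments: module names
#######################################
write_modprobe_blacklist() {
  printf 'install %s /bin/true\n' "$@" > "$MODPROBE_CONF"
}

#######################################
# EL5 netfilter/iptables/ebtables module set.
#######################################
disable_modules_el5() {
  write_modprobe_blacklist nfnetlink ip_conntrack xt_conntrack ip6_tables \
    ip6table_filter iptable_filter ebtables ebtable_nat ip_nat iptable_nat \
    iptable_mangle ip6table_mangle
}

#######################################
# EL6 netfilter/iptables/ebtables module set.
#######################################
disable_modules_el6() {
  write_modprobe_blacklist nfnetlink nf_conntrack nf_defrag_ipv4 \
    nf_conntrack_ipv4 ip6_tables ip6table_filter iptable_filter ebtable_nat \
    ebtables nf_nat iptable_nat iptable_mangle ip6table_mangle
}

#######################################
# Hide the iptables client by renaming it (reversible by renaming back).
# Globals: IPTABLES_BIN, IPTABLES_BIN_HIDDEN
#######################################
disable_iptables_client() {
  if [[ -e "$IPTABLES_BIN" ]]; then
    mv -- "$IPTABLES_BIN" "$IPTABLES_BIN_HIDDEN"
  else
    echo "iptables客户端已经设置好"
  fi
}

#######################################
# Report "this host has iptables enabled" to the collector, best effort.
# Bounded by -m so an unreachable collector cannot hang the rollout.
# Globals: REPORT_URL
#######################################
warn_logs() {
  if [[ -x /usr/bin/curl ]]; then
    /usr/bin/curl -sS -m 10 -o /dev/null -- "$REPORT_URL" \
      || printf 'warn: could not report to %s\n' "$REPORT_URL" >&2
  fi
}

#######################################
# Decide whether this host actually runs iptables.
# The original test `lsmod | grep iptables | wc -l` never matched anything:
# no module is called "iptables" (the core is ip_tables, tables are
# iptable_filter/iptable_nat/...), so every host was treated as "unused" and
# had its firewall modules and client disabled. We treat iptables as in use
# when the ip_tables/ip6_tables core or any iptable_*/ip6table_* module is
# loaded, or when the init script's subsystem lock file exists.
# Returns: 0 if in use, 1 otherwise
#######################################
iptables_in_use() {
  # awk consumes all of lsmod's output, so no SIGPIPE under pipefail.
  if lsmod | awk 'NR > 1 && $1 ~ /^(ip_tables|ip6_tables|iptable_|ip6table_)/ { found = 1 }
                  END { exit !found }'; then
    return 0
  fi
  [[ -e /var/lock/subsys/iptables ]]
}

#######################################
# Print the first "major.minor" token of /etc/redhat-release, e.g.
# "CentOS release 6.3 (Final)" -> "6.3". The original `awk '{print $3}'`
# only fit the CentOS wording; a regex also covers
# "Red Hat Enterprise Linux Server release 5.9 (Tikanga)".
# Returns: 1 if the file is unreadable or holds no version token
#######################################
detect_os_version() {
  local release
  [[ -r /etc/redhat-release ]] || return 1
  release=$(< /etc/redhat-release)
  [[ $release =~ ([0-9]+\.[0-9]+) ]] || return 1
  printf '%s\n' "${BASH_REMATCH[1]}"
}

#######################################
# Keep one pristine copy of the init script per day. Unlike the original
# unconditional cp, an existing backup is not overwritten, so a second run
# on the same day cannot replace the clean copy with an already-edited one.
# Globals: IPTABLES_INIT, BACKUP_FILE
#######################################
backup_init_script() {
  if [[ -e "$BACKUP_FILE" ]]; then
    printf 'note: backup %s already exists, keeping it\n' "$BACKUP_FILE" >&2
  else
    cp -- "$IPTABLES_INIT" "$BACKUP_FILE"
  fi
}

#######################################
# Entry point: dispatch on OS version. Hosts with iptables in use only get
# the conntrack tuning plus a report; hosts without it additionally get the
# modules blacklisted and the client hidden.
#######################################
main() {
  local osversion
  (( EUID == 0 )) || die "this script must run as root"
  [[ -e "$IPTABLES_INIT" ]] || die "${IPTABLES_INIT} not found"
  osversion=$(detect_os_version) \
    || die "cannot determine OS version from /etc/redhat-release"
  backup_init_script
  case "$osversion" in
    5.[0-9])
      if iptables_in_use; then
        warn_logs
      else
        disable_modules_el5
        disable_iptables_client
      fi
      setup_bucket_el5
      ;;
    6.[0-6])
      if iptables_in_use; then
        warn_logs
      else
        disable_modules_el6
        disable_iptables_client
      fi
      setup_bucket_el6
      ;;
    *)
      die "当前操作系统版本不支持,对应的版本为:${osversion}"
      ;;
  esac
}

main "$@"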
本文出自 “Happy实验室” 博客,请务必保留此出处http://happylab.blog.51cto.com/1730296/1731967
原文地址:http://happylab.blog.51cto.com/1730296/1731967