Unix Like, 操作系统, 网络

Fix Ubuntu policy-based route with fwmark not work

近期发现Ubuntu基于ip rule add fwmark … lookup …所做的策略路由无法正常使用，而Debian正常。抓包的特征就是，出网数据包能应用到策略路由，也能抓到回应的数据包，但回应的数据包被内核丢弃，不会送达user space。

而ip rule add from … lookup …则正常。

查找资料得知是rp_filter的影响（见此：https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt），继而发现Ubuntu的/etc/sysctl.d是有以下这个文件的：

~# cat /etc/sysctl.d/10-network-security.conf
# Turn on Source Address Verification in all interfaces to
# prevent some spoofing attacks.
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.rp_filter=1

# Turn on SYN-flood protections.  Starting with 2.6.26, there is no loss
# of TCP functionality/features under normal conditions.  When flood
# protections kick in under high unanswered-SYN load, the system
# should remain more stable, with a trade off of some loss of TCP
# functionality/features (e.g. TCP Window scaling).
net.ipv4.tcp_syncookies=1

~# cat /etc/sysctl.d/10-network-security.conf

# Turn on Source Address Verification in all interfaces to

# prevent some spoofing attacks.

net.ipv4.conf.default.rp_filter=1

net.ipv4.conf.all.rp_filter=1

# Turn on SYN-flood protections. Starting with 2.6.26, there is no loss

# of TCP functionality/features under normal conditions. When flood

# protections kick in under high unanswered-SYN load, the system

# should remain more stable, with a trade off of some loss of TCP

# functionality/features (e.g. TCP Window scaling).

net.ipv4.tcp_syncookies=1

编辑/etc/sysctl.d/10-network-security.conf，把net.ipv4.conf.default.rp_filter以及net.ipv4.conf.all.rp_filter改成2，然后应用：

~# sysctl --system
...
* Applying /etc/sysctl.d/10-network-security.conf ...
net.ipv4.conf.default.rp_filter = 2
net.ipv4.conf.all.rp_filter = 2
net.ipv4.tcp_syncookies = 1
...

~# sysctl --system

...

* Applying /etc/sysctl.d/10-network-security.conf ...

net.ipv4.conf.default.rp_filter = 2

net.ipv4.conf.all.rp_filter = 2

net.ipv4.tcp_syncookies = 1

...

Tags: fwmark, IPTABLES, Policy-based, ROUTE, rp_filter, ubuntu

You might also like:

未分类

PPTP自动安装配置Shell Script For Ubuntu/Debian

呵呵，不解释…… 使用方法：

wget http://soft.yzs.me/pptpd.sh;sh pptpd.sh

1	wget http://soft.yzs.me/pptpd.sh;sh pptpd.sh

执行后会自动列出你服务器的网卡的IP，挑一个外网的：

===========================
Which IP is your server IP:
IP:42.51.133.125                                                   #这里输入你服务器的外网的IP地址
===========================
Server IP:42.51.133.125
===========================
===========================
eth0      Link encap:Ethernet  HWaddr 00:16:3e:4e:25:11  
          inet addr:42.51.133.125  Bcast:42.51.133.255  Mask:255.255.255.0
          inet6 addr: fe80::216:3eff:fe4e:2511/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1285668 errors:0 dropped:6798 overruns:0 frame:0
          TX packets:133636 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:229411554 (229.4 MB)  TX bytes:12212001 (12.2 MB)
          Interrupt:32 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:8 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:702 (702.0 B)  TX bytes:702 (702.0 B)

Please input the netdriver of your server:
Net Driver:eth0                                                    #这里输入你刚刚输入的那个IP地址属于哪个网卡(上面已经列出来了)
===========================
Net Driver:eth0
===========================
Please input the username of PPTP:
Username:vpn                                                       #这里输入连接的用户名
===========================
PPTP Username:vpn
===========================
Please input the password of PPTP:
Password:vpn                                                       #这里输入连接的密码
===========================
PPTP Password:vpn
===========================
Press any key to continue.                                         #按任意键继续

此处省略几万字……

===========================

Which IP is your server IP:

IP:42.51.133.125 #这里输入你服务器的外网的IP地址

===========================

Server IP:42.51.133.125

===========================

eth0 Link encap:Ethernet HWaddr 00:16:3e:4e:25:11

inet addr:42.51.133.125 Bcast:42.51.133.255 Mask:255.255.255.0

inet6 addr: fe80::216:3eff:fe4e:2511/64 Scope:Link

UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

RX packets:1285668 errors:0 dropped:6798 overruns:0 frame:0

TX packets:133636 errors:0 dropped:0 overruns:0 carrier:0

collisions:0 txqueuelen:1000

RX bytes:229411554 (229.4 MB) TX bytes:12212001 (12.2 MB)

Interrupt:32

lo Link encap:Local Loopback

inet addr:127.0.0.1 Mask:255.0.0.0

inet6 addr: ::1/128 Scope:Host

UP LOOPBACK RUNNING MTU:16436 Metric:1

RX packets:8 errors:0 dropped:0 overruns:0 frame:0

TX packets:8 errors:0 dropped:0 overruns:0 carrier:0

collisions:0 txqueuelen:0

RX bytes:702 (702.0 B) TX bytes:702 (702.0 B)

Please input the netdriver of your server:

Net Driver:eth0 #这里输入你刚刚输入的那个IP地址属于哪个网卡(上面已经列出来了)

===========================

Net Driver:eth0

===========================

Please input the username of PPTP:

Username:vpn #这里输入连接的用户名

===========================

PPTP Username:vpn

===========================

Please input the password of PPTP:

Password:vpn #这里输入连接的密码

===========================

PPTP Password:vpn

===========================

Press any key to continue. #按任意键继续

此处省略几万字……

这是添加连接的账号和密码的Shell Script:

wget http://soft.yzs.me/pptpd-adduser.sh

1	wget http://soft.yzs.me/pptpd-adduser.sh

添加账号，就执行：

sh pptpd-adduser.sh

1	sh pptpd-adduser.sh

输入账号密码即可…… Good luck……

解决硬盘安装Ubuntu 12.04.1 Server提示“无法挂载你的安装光盘”或“找不到ISO”

最近入手了个KVM的VPS，SolusVM面板，提供VNC。虽然VPS提供了模板安装系统，但是默认是把30GB都给了/，太不尽人意了。况且我也喜欢原版的系统。于是打算动手安装上去。我使用的是硬盘安装的方法，但是安装的时候，却提示“无法挂载你的安装光盘”，经过我的一个晚上的折腾，终于找到解决办法了！首先，到模板处安装个Windows Server 2008，然后安装个WinPE，用DiskGenius调整C盘的大小，释放1GB空间出来，放Ubuntu的ISO用，并且格式化为FAT32格式，注意一定要FAT32格式，不然会提示找不到ISO！回到Win2008，下载好Ubuntu的ISO，还 […]

VPN下路由表的编辑，实现部分IP直连

平常在Windows下使用VPN，各位都会发现，所有出网的数据包都通过VPN了。虽然这样可以访问某些被“禁止访问”的网站，但访问国内的网站，速度却慢了。事实上，连接VPN后，Windows会自动把系统的默认网关改为VPN的，因此数据包都通过了VPN服务器。既然如此，我们再对路由表进行操作，添加一些对国内IP生效的路由规则，那样就能实现访问国外网站时通过VPN，访问国内网站时直连。 Windows下对路由表进行操作的命令是route，route的用法如下：

route ADD 目标IP MASK 子网掩码  网关 METRIC 跃点数 IF 网络接口
route CHANGE 目标IP MASK 子网掩码 网关 METRIC 跃点数 IF 网络接口
route DELETE 目标IP

route ADD 目标IP MASK 子网掩码网关 METRIC 跃点数 IF 网络接口

route CHANGE 目标IP MASK 子网掩码网关 METRIC 跃点数 IF 网络接口

route DELETE 目标IP

上面分别是添加路由，更改路由，以及删除路由的用法。首先连接VPN，让W […]

解决使用iptables转发FTP端口后提示无法读取目录列表(MLSD)

几天前把拉斯维加斯服务器的数据转移到了香港的服务器，想到有些人可能没那么快知道，就使用iptables进行端口转发，实现FTP连接到拉斯维加斯服务器的IP，最后是到达香港的FTP服务器。这实现不难，首先修改配置，实现开机就打开内核转发：

vim /etc/sysctl.conf

1	vim /etc/sysctl.conf

把默认的：

net.ipv4.ip_forward = 0

1	net.ipv4.ip_forward = 0

改成：

net.ipv4.ip_forward = 1

1	net.ipv4.ip_forward = 1

如图：然后执行：

echo 1 > /proc/sys/net/ipv4/ip_forward

1	echo 1 > /proc/sys/net/ipv4/ip_forward

打开内核转发功能。使用下面两条命令添加转 […]