Linux内核参数用途记录

作者:李佶澳  更新时间:2018/11/26 16:14:00

  技巧    linux  toolsbox    刷新

目录

说明

这里记录一下实际工作中遇到的一些内核参数,每了解一个参数,就过来记录一笔。

怎样获取Linux kernel相关的知识?Linux内核文档汇总中收集了一些文档。

rp_filter

ip-sysctl.txt中对rp_filter参数有说明:

rp_filter - INTEGER
	0 - No source validation.
	1 - Strict mode as defined in RFC3704 Strict Reverse Path
	    Each incoming packet is tested against the FIB and if the interface
	    is not the best reverse path the packet check will fail.
	    By default failed packets are discarded.
	2 - Loose mode as defined in RFC3704 Loose Reverse Path
	    Each incoming packet's source address is also tested against the FIB
	    and if the source address is not reachable via any interface
	    the packet check will fail.
	
	Current recommended practice in RFC3704 is to enable strict mode
	to prevent IP spoofing from DDos attacks. If using asymmetric routing
	or other complicated routing, then loose mode is recommended.
	
	The max value from conf/{all,interface}/rp_filter is used
	when doing source validation on the {interface}.
	
	Default value is 0. Note that some distributions enable it
	in startup scripts.

RFC2827(Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing)和RFC3704(Ingress Filtering for Multihomed Networks)设置了一些包过滤规则,可以抵御“伪造源IP”方式的DOS攻击。

RFC2827中给出了一个用伪造源IP的方式进行DOS攻击的示意图:

host <----- router <--- Internet <----- router <-- attacker

         TCP/SYN
     <---------------------------------------------
           Source: 192.168.0.4/32
SYN/ACK
no route
         TCP/SYN
     <---------------------------------------------
           Source: 10.0.0.13/32
SYN/ACK
no route
         TCP/SYN
     <---------------------------------------------
           Source: 172.16.0.2/32
SYN/ACK
no route

[etc.]

对于这种类型的攻击,如果源IP是伪造的、不可达,那么这种类型的报文可以在接收的时候,直接丢弃,不进入TCP握手过程。 但是如果伪造的源头IP是真实存在的IP,那么就不能简单地丢弃,这样会使正常的访问也受影响。

RFC2827提出的一种方法是,网络设备收到转发报文后,检查报文的源IP是否是正确,如果不是就丢弃,从源头上遏止伪造源IP的报文。

RFC3704中提出了多种实现方法,考虑到了多个网络段的情况。

Ingress Access Lists方法是直接配置过滤规则,每次收到报文时,检查源IP。

Strict Reverse Path Forwarding方法是到转发表Forwarding Information Base(FIB)中找到向源IP发送报文时使用的网卡,如果和收到报文的网卡是同一个网卡就放行,否则丢弃。

Feasible Path Reverse Path Forwarding是对Strict Reverse Path Forwarding的扩展,Strict Reverse Path Forwarding中只考虑最佳路由,这种方法会同时考虑其它发送报文的路径,更合理、宽松一些。

Loose Reverse Path Forwarding方法只检查是否存在到源IP的路由,只要存在路由就放行,即使是default路由。

Loose Reverse Path Forwarding Ignoring Default Routes方法也是只检查到源IP的路由,但是不考虑默认路由。

arp_filter

ip-systctl.txt对apr_filter参数有说明:

arp_filter - BOOLEAN
	1 - Allows you to have multiple network interfaces on the same
	subnet, and have the ARPs for each interface be answered
	based on whether or not the kernel would route a packet from
	the ARP'd IP out that interface (therefore you must use source
	based routing for this to work). In other words it allows control
	of which cards (usually 1) will respond to an arp request.
	
	0 - (default) The kernel can respond to arp requests with addresses
	from other interfaces. This may seem wrong but it usually makes
	sense, because it increases the chance of successful communication.
	IP addresses are owned by the complete host on Linux, not by
	particular interfaces. Only for more complex setups like load-
	balancing, does this behaviour cause problems.
	
	arp_filter for the interface will be enabled if at least one of
	conf/{all,interface}/arp_filter is set to TRUE,
	it will be disabled otherwise

当一台机器有多个位于同一个网段中的网卡,每个网卡都有各自IP,是否允许把一个网卡的MAC地址作为对另一个网卡的ARP请求的回应。

设置为0,表示允许,这样子就是其中一个网卡故障的了,报文可以被另一块网卡接收。

参考

  1. 怎样获取Linux kernel相关的知识?Linux内核文档汇总
  2. ip-sysctl.txt

站长微信(朋友圈有精华,一般不闲聊)

推荐阅读

Copyright @2011-2019 All rights reserved. 转载请添加原文连接,合作请加微信lijiaocn或者发送邮件: [email protected],备注网站合作

友情链接:  李佶澳的博客  小鸟笔记  软件手册  编程手册  运营手册  爱马影视  网络课程  奇技淫巧  课程文档  精选文章  发现知识星球  百度搜索 谷歌搜索