标签归档:sysctl

sysctl.conf文件参数rp_filter

系统:Centos6

影响:

路径:/etc/sysctl.conf

rp_filter – INTEGER 0 – No source validation.
1 – Strict mode as defined in RFC3704 Strict Reverse Path Each incoming packet is tested against the FIB and if theinterface is not the best reverse path the packet check will fail.By default failed packets are discarded.
2 – Loose mode as defined in RFC3704 Loose Reverse Path Each incoming packet’s source address is also tested against theFIB and if the source address is not reachable via any interface the packet check will fail.Current recommended practice in RFC3704 is to enable strictmode to prevent IP spoofing from DDos attacks. If using asymmetricrouting or other complicated routing, then loose mode is recommended.

The max value from conf/{all,interface}/rp_filter is used when doing source validation on the {interface}.

Default value is 0. Note that some distributions enable it in startup scripts.
—–

Red Hat are (correctly) setting rp_filter to 1, strictmode.  In this case a packet coming in eth0 willhave its source address routed out on the same interface that itcame in on (because that’s the default route). However, a packet coming in on eth1 will have it source addressrouted out on a different interface to the one it came in on and itwill be discarded.  Silently.

This is basically asymmetric routing and is quite possibly not whatyou want anyway (it messes up TCP flow control) so there are twoways to fix this: stick with asymmetric routing and permit it orfix the asymmetric routing.

The first one is easiest: in /etc/sysctl.conf change rp_filter=1 torp_filter=2).  You’ll need to load that andrestart the network.  It’s probably easiest toreboot 🙂 to be sure.  I suspect that it was notrestarting enough things that prevented this change from workingbefore.

The second one may be simple as simple as adding those routes thatshould go out on eth1 to the routing table or running some routingdaemon.  It depends on your network topology,basically.  This would be the preferred solutionif it’s practicable.

reverse-pathfiltering,反向过滤技术,系统在接收到一个IP包后,检查该IP是不是合乎要求,不合要求的IP包会被系统丢弃。该技术就称为rpfilter。怎么样的包才算不合要求呢?例如,用户在A网口上收到一个IP包,检查其IP为B。然后考查:对于B这个IP,在发送时应该用哪个网口,“如果在不应该接收到该包的网口上接收到该IP包,则认为该IP包是hacker行为”。

解决方法:

系统配置文件
1. /etc/sysctl.conf
把 net.ipv4.conf.all.rp_filter和net.ipv4.conf.default.rp_filter设为0即可
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.all.rp_filter = 0

net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.eth1.rp_filter = 0

net.ipv4.conf.lo.rp_filter = 0

系统启动后,会自动加载这个配置文件,内核会使用这个变量

2. 命令行
显示一个内核变量 sysctl net.ipv4.conf.all.rp_filter
设置一个内核变量 sysctl -w net.ipv4.conf.all.rp_filter=0
设置完后,会更新内核(实时的内存)中的变量的值,但不会修改sysctl.conf的值

3. 使用/proc文件系统
查看 cat /proc/sys/net/ipv4/conf/all/rp_filter
设置 echo “0”>/proc/sys/net/ipv4/conf/all/rp_filter

sysctl常用命令

sysctl -a 查看所有参数

sysctl -p 加载配置文件

sysctl对Linux内核/网络的设置说明

通过/etc/sysctl.conf控制和配置Linux内核及网络设置。

#忽略icmp ping广播包,应开启,避免放大攻击
net.ipv4.icmp_echo_ignore_broadcasts = 1

# 开启恶意icmp错误消息保护
net.ipv4.icmp_ignore_bogus_error_responses = 1

# 开启SYN洪水攻击保护,表示开启SYN Cookies。当出现SYN等待队列溢出时,启用cookies来处理,可防范少量SYN攻击,默认为0,表示关闭
net.ipv4.tcp_syncookies = 1

# 开启并记录欺骗,源路由和重定向包
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1

# 处理无源路由的包
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0

# reverse-pathfiltering 反向路径过滤,系统收到一个ip包后,会反查该ip包的ip是否与它们到达的网络接口匹配,若不匹配则丢弃。是防ip包欺骗策略。

# The rp_filter can reject incoming packets if their sourceaddress doesn’t match the network interface that they’re arrivingon, which helps to prevent IP spoofing. Turning this on, however,has its consequences: If your host has several IP addresses ondifferent interfaces, or if your single interface has multiple IPaddresses on it, you’ll find that your kernel may end up rejectingvalid traffic. It’s also important to note that even if you do notenable the rp_filter, protection against broadcast spoofing isalways on. Also, the protection it provides is only against spoofedinternal addresses; external addresses can still be spoofed.. Bydefault, it is disabled.
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

#关闭重定向。如果主机所在的网络有多个路由器,你将其中一个设为缺省网关,但该网关在收到你的ip包时,发现该ip包必须经过另外一个路由器,于是该网关就給你的主机发一个“重定向”的icmp包,告诉主机把包转发到另外一个路由器。1表示主机接受这样的重定向包,0表示忽略;linux默认是1,可以设位0以消除隐患。
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0

#禁止数据包转发,不做路由器功能。所谓转发即当主机拥有多网卡时,其中一块收到数据包,根据数据包的目的ip地址将包发往本机另一网卡,该网卡根据路由表继续发送数据包。这通常就是路由器所要实现的功能。

#对比网关:内网主机向公网发送数据包时,由于目的主机跟源主机不在同一网段,所以数据包暂时发往内网默认网关处理,而本网段的主机对此数据包不做任何回应。由于源主机ip是私有的,禁止在公网使用,所以必须将数据包的源发送地址修改成公网上的可用ip,这就是网关收到数据包之后首先要做的工作–ip转换。然后网关再把数据包发往目的主机。目的主机收到数据包之后,只认为这是网关发送的请求,并不知道内网主机的存在,也没必要知道,目的主机处理完请求,把回应信息发还给网关。网关收到后,将目的主机发还的数据包的目的ip地址修改为发出请求的内网主机的ip地址,并将其发给内网主机。这就是网关的第二个工作–数据包的路由转发。内网的主机只要查看数据包的目的ip与发送请求的源主机ip地址相同,就会回应,这就完成了一次请求。 net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

# 开启execshield,execshield 主要用于随机化堆栈地址,避免被exploit 程序修改恶意地址,而导致执行攻击程序。
kernel.exec-shield = 1
kernel.randomize_va_space = 1

# IPv6设置
net.ipv6.conf.default.router_solicitations = 0
net.ipv6.conf.default.accept_ra_rtr_pref = 0
net.ipv6.conf.default.accept_ra_pinfo = 0
net.ipv6.conf.default.accept_ra_defrtr = 0
net.ipv6.conf.default.autoconf = 0
net.ipv6.conf.default.dad_transmits = 0
net.ipv6.conf.default.max_addresses = 1

# 增加系统文件描述符限制
fs.file-max = 65535

# 允许更多的PIDs (减少滚动翻转问题);
may break some programs 32768
kernel.pid_max = 65536

# 增加系统IP端口限制 n
et.ipv4.ip_local_port_range = 2000 65000

# 增加TCP最大缓冲区大小
net.ipv4.tcp_rmem = 4096 87380 8388608
net.ipv4.tcp_wmem = 4096 87380 8388608

# 增加Linux自动调整TCP缓冲区限制

# 最小,默认和最大可使用的字节数

# 最大值不低于4MB,如果你使用非常高的BDP路径可以设置得更高

# Tcp窗口等
net.core.rmem_max = 8388608
net.core.wmem_max = 8388608
net.core.netdev_max_backlog = 5000
net.ipv4.tcp_window_scaling = 1