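The several Linux NAT boxes I set up have all been running fine! Some run RHEL 4 U2 and some run Debian; the number of concurrent TCP connections alone is normally around 8000, yet they have stayed stable the whole time!
A few days ago I found one IP that had opened 800 UDP connections, which is really terrible! But the CPU stayed normal the whole time!
This one runs Debian: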
19:41:51 up 15 days, 11:18, 1 user, load average: 0.00, 0.00, 0.00
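It used to be a server doing this; later I said that was too wasteful and it would be better to switch to a junk computer, an older one, which would be more stable. I switched to the junk PC 15 days ago and it has been running until now, always normally. The CPU is very poor; I didn't even notice what it is! There are all kinds of people on the network, and of course some use BT too!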
router:/proc/net# grep EST ip_conntrack -c
6967
router:/proc/net#
That is the number of established TCP connections here right now, in the evening!
Below is the iptables configuration:
# Generated by iptables-save v1.3.3 on Sun Feb 26 19:45:59 2006
*mangle
:PREROUTING ACCEPT [5320379739:2286753298905]
:INPUT ACCEPT [75123333:6060099854]
:FORWARD ACCEPT [5244702060:2280335550156]
:OUTPUT ACCEPT [42816389:4488908993]
:POSTROUTING ACCEPT [5288179256:2284835533618]
COMMIT
# Completed on Sun Feb 26 19:45:59 2006
# Generated by iptables-save v1.3.3 on Sun Feb 26 19:45:59 2006
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [42784943:4486138534]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -s 221.226.0.0/255.255.0.0 -p tcp -m tcp --dport 20:22 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 2531 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Sun Feb 26 19:45:59 2006
# Generated by iptables-save v1.3.3 on Sun Feb 26 19:45:59 2006
*nat
:PREROUTING ACCEPT [117047011:9006940994]
:POSTROUTING ACCEPT [198924:10001059]
:OUTPUT ACCEPT [2241:157861]
-A PREROUTING -p tcp -m tcp --dport 2531 -j DNAT --to-destination 192.168.0.243:2531
-A POSTROUTING -s 192.168.0.0/255.255.254.0 -o eth1 -j MASQUERADE
COMMIT
# Completed on Sun Feb 26 19:45:59 2006
For a while, people were constantly logging in over FTP and SSH to try passwords, heh.
If you have any questions, we can discuss them together!!
My QQ: 20754739
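Added example, not part of the original post: the post counts established entries with grep and mentions one IP holding 800 UDP connections; this sketch breaks the same /proc/net/ip_conntrack format down per internal source address so such a host can be identified. The function names `conntrack_top` and `sample_conntrack` are hypothetical, and the sample lines are constructed using documentation address ranges.

```shell
#!/bin/sh
# Added example: per-source entry counts from ip_conntrack-format text on stdin.
# Usage on the router: conntrack_top udp 100 < /proc/net/ip_conntrack
# Prints "count src_ip" for each source with >= THRESHOLD entries, highest first.

conntrack_top() {
    # $1 = protocol name as shown in column 1 (tcp, udp), $2 = threshold
    awk -v proto="$1" -v min="$2" '
        $1 == proto {
            # The first src= field is the original direction (the host behind
            # the NAT). The second src= belongs to the reply tuple and is the
            # remote peer, so stop after the first match.
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^src=/) {
                    count[substr($i, 5)]++
                    break
                }
            }
        }
        END {
            for (ip in count)
                if (count[ip] >= min)
                    print count[ip], ip
        }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample in ip_conntrack format (not taken from the post).
sample_conntrack() {
    cat <<'EOF'
tcp      6 431990 ESTABLISHED src=192.168.0.10 dst=203.0.113.5 sport=40001 dport=80 src=203.0.113.5 dst=198.51.100.1 sport=80 dport=40001 [ASSURED] use=1
udp      17 25 src=192.168.0.77 dst=203.0.113.9 sport=6881 dport=6881 [UNREPLIED] src=203.0.113.9 dst=198.51.100.1 sport=6881 dport=6881 use=1
udp      17 25 src=192.168.0.77 dst=203.0.113.10 sport=6881 dport=51413 [UNREPLIED] src=203.0.113.10 dst=198.51.100.1 sport=51413 dport=6881 use=1
udp      17 170 src=192.168.0.77 dst=203.0.113.11 sport=6881 dport=6889 src=203.0.113.11 dst=198.51.100.1 sport=6889 dport=6881 [ASSURED] use=1
udp      17 12 src=192.168.0.20 dst=203.0.113.53 sport=32768 dport=53 src=203.0.113.53 dst=198.51.100.1 sport=53 dport=32768 use=1
EOF
}

# Demo on the constructed sample: sources with at least 2 UDP entries.
sample_conntrack | conntrack_top udp 2
```

Counting only the first `src=` field matters on a NAT box, because the reply tuple repeats the remote peer and the router's own external address.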