iptables counters in the nat table and connections not in state NEW

I read everywhere that doing traffic filtering in the nat table is dangerous, because the nat table is only consulted for connections in state "NEW" (later packets bypass the table).

Does this mean that the nat table counters only increment for the first packet of each connection?

If I need reliable traffic information, should I use the PREROUTING chain of the raw table instead?

[Figure: packet flow in Netfilter (excerpt)]

If the server is a gateway, you should use the FORWARD chain.

Set up iptables

    # iptables -I FORWARD -p tcp -d 92.48.119.223 --dport 80 -j ACCEPT
    # iptables -I FORWARD -p tcp -s 92.48.119.223 --sport 80 -j ACCEPT

We will download a simple file

    # curl -I http://mirror.centos.org/centos/6.7/os/x86_64/images/boot.iso
    HTTP/1.1 200 OK
    Date: Thu, 17 Mar 2016 18:17:53 GMT
    Server: Apache/2.2.15 (CentOS)
    Last-Modified: Tue, 04 Aug 2015 21:41:08 GMT
    ETag: "2800ae-e600000-51c8324d84500"
    Accept-Ranges: bytes
    Content-Length: 241172480
    Connection: close
    Content-Type: application/octet-stream

Download the file

    # wget http://mirror.centos.org/centos/6.7/os/x86_64/images/boot.iso
    --2016-03-17 20:18:14--  http://mirror.centos.org/centos/6.7/os/x86_64/images/boot.iso
    Resolving mirror.centos.org (mirror.centos.org)... 92.48.119.223
    Connecting to mirror.centos.org (mirror.centos.org)|92.48.119.223|:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 241172480 (230M) [application/octet-stream]
    Saving to: `boot.iso'

    100%[======================================================================>] 241,172,480 9.67M/s   in 25s

    2016-03-17 20:18:39 (9.26 MB/s) - `boot.iso' saved [241172480/241172480]

Check the rules

    # iptables -L FORWARD -n -v -x
    Chain FORWARD (policy ACCEPT 6 packets, 408 bytes)
        pkts      bytes target     prot opt in     out     source               destination
       33478    1756965 ACCEPT     tcp  --  *      *       0.0.0.0/0            92.48.119.223        tcp dpt:80
       27818  244733384 ACCEPT     tcp  --  *      *       92.48.119.223        0.0.0.0/0            tcp spt:80

244733384 is what you are looking for.

    244733384 - 241172480 = 3560904 ~ 3.4 MB

That is the TCP/IP + HTTP overhead.

"Does this mean that the nat table counters only increment for the first packet of each connection?"

Yes, it does. After that it uses connection tracking:

    # lsmod | grep conn
    nf_conntrack_ipv4       9154  3 iptable_nat,nf_nat
    nf_conntrack           79206  3 iptable_nat,nf_nat,nf_conntrack_ipv4
    nf_defrag_ipv4          1483  1 nf_conntrack_ipv4

The idea is to do it with iptables. It is very lightweight (no proxy source code modifications; we let the kernel count the packets instead of doing it ourselves).

As you said before, you have 5-50 clients, so you can try doing the accounting via iptables and the -j LOG target.

Configure rsyslog

    # cat /etc/rsyslog.d/accounting.conf
    :msg, contains, "CLIENT-192.168.88.87-IN" /var/log/accounting/client-192.168.88.87.log
    :msg, contains, "CLIENT-192.168.88.87-OUT" /var/log/accounting/client-192.168.88.87.log
    :msg, contains, "CLIENT" ~

Configure iptables

    # iptables -t mangle -I OUTPUT -s 192.168.88.87 ! -d 192.168.0.0/16 -j LOG --log-prefix "CLIENT-192.168.88.87-OUT "
    # iptables -t mangle -I INPUT ! -s 192.168.0.0/16 -d 192.168.88.87 -j LOG --log-prefix "CLIENT-192.168.88.87-IN "

Check that everything works as it should

    # ping -c 1 8.8.4.4
    PING 8.8.4.4 (8.8.4.4) 56(84) bytes of data.
    64 bytes from 8.8.4.4: icmp_seq=1 ttl=50 time=43.1 ms

    --- 8.8.4.4 ping statistics ---
    1 packets transmitted, 1 received, 0% packet loss, time 43ms
    rtt min/avg/max/mdev = 43.114/43.114/43.114/0.000 ms

    # iptables -t mangle -L INPUT -nvx
    Chain INPUT (policy ACCEPT 1256 packets, 116836 bytes)
        pkts      bytes target     prot opt in     out     source               destination
           1         84 LOG        all  --  *      *      !192.168.0.0/16       192.168.88.87        LOG flags 0 level 4 prefix `CLIENT-192.168.88.87-IN '

    # iptables -t mangle -L OUTPUT -nvx
    Chain OUTPUT (policy ACCEPT 304 packets, 91325 bytes)
        pkts      bytes target     prot opt in     out     source               destination
           1         84 LOG        all  --  *      *       192.168.88.87       !192.168.0.0/16       LOG flags 0 level 4 prefix `CLIENT-192.168.88.87-OUT '

    # cat /var/log/accounting/client-192.168.88.87.log
    Mar 21 09:12:22 ci kernel: CLIENT-192.168.88.87-OUT IN= OUT=eth0 SRC=192.168.88.87 DST=8.8.4.4 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=38520 SEQ=1
    Mar 21 09:12:22 ci kernel: CLIENT-192.168.88.87-IN IN=eth0 OUT= MAC=08:00:27:eb:c9:fc:4c:5e:0c:51:b7:d4:08:00 SRC=8.8.4.4 DST=192.168.88.87 LEN=84 TOS=0x04 PREC=0x00 TTL=50 ID=0 PROTO=ICMP TYPE=0 CODE=0 ID=38520 SEQ=1

Do some real testing

    # wget https://bitbucket.org/ariya/phantomjs/downloads/phantomjs-2.1.1-linux-x86_64.tar.bz2
    --2016-03-21 09:14:35--  https://bitbucket.org/ariya/phantomjs/downloads/phantomjs-2.1.1-linux-x86_64.tar.bz2
    Resolving bitbucket.org... 104.192.143.2, 104.192.143.3, 104.192.143.1
    Connecting to bitbucket.org|104.192.143.2|:443... connected.
    HTTP request sent, awaiting response... 302 FOUND
    ...
    Resolving bbuseruploads.s3.amazonaws.com... 54.231.49.250
    Connecting to bbuseruploads.s3.amazonaws.com|54.231.49.250|:443... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 23415665 (22M) [application/x-tar]
    Saving to: “phantomjs-2.1.1-linux-x86_64.tar.bz2”

    100%[==============================================================================================>] 23,415,665 3.78M/s   in 6.7s

    2016-03-21 09:14:43 (3.31 MB/s) - “phantomjs-2.1.1-linux-x86_64.tar.bz2” saved [23415665/23415665]

As you can see from the output, the client has downloaded ~22.33 MB

    23415665 (bytes) / 1024 (Kbytes) / 1024 (Mbytes) ~ 22.33 MB

Now we can calculate it from the log file

    # cat client-192.168.88.87.log | grep CLIENT-192.168.88.87-IN | grep SRC=54.231.49.250 | grep 'SPT=443' | awk '{print $12}' | cut -d '=' -f 2 | awk '{SUM+=$1;} END{printf "%.2f Mb",SUM/1048576}'
    22.75 Mb

Of course, you can mix and filter on sport/dport/destination IP and so on, and get any statistics you want.
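The log-file accounting above relies on a fixed awk column (`$12`) for LEN, which only works for the IN lines: the OUT lines carry no MAC= field, so the same column lands on TOS= there. The following is an added example (not from the answer or the iptables project) that parses the LOG lines as key=value pairs instead, so the same code sums bytes per client and direction regardless of field position, and accepts the same kind of SRC/SPT filters the answer uses. The sample log is constructed: the two ICMP lines from the answer plus two TCP lines in the same format.

```python
"""Per-client byte accounting from iptables -j LOG lines (added example)."""
import re
from collections import defaultdict

# Constructed sample: two ICMP lines from the answer and two constructed TCP
# lines (assumption: same rsyslog/kernel layout as in the answer's log).
SAMPLE_LOG = """\
Mar 21 09:12:22 ci kernel: CLIENT-192.168.88.87-OUT IN= OUT=eth0 SRC=192.168.88.87 DST=8.8.4.4 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=38520 SEQ=1
Mar 21 09:12:22 ci kernel: CLIENT-192.168.88.87-IN IN=eth0 OUT= MAC=08:00:27:eb:c9:fc:4c:5e:0c:51:b7:d4:08:00 SRC=8.8.4.4 DST=192.168.88.87 LEN=84 TOS=0x04 PREC=0x00 TTL=50 ID=0 PROTO=ICMP TYPE=0 CODE=0 ID=38520 SEQ=1
Mar 21 09:14:40 ci kernel: CLIENT-192.168.88.87-IN IN=eth0 OUT= MAC=08:00:27:eb:c9:fc:4c:5e:0c:51:b7:d4:08:00 SRC=54.231.49.250 DST=192.168.88.87 LEN=1500 TOS=0x00 PREC=0x00 TTL=50 ID=1 DF PROTO=TCP SPT=443 DPT=51234 WINDOW=235 RES=0x00 ACK URGP=0
Mar 21 09:14:40 ci kernel: CLIENT-192.168.88.87-OUT IN= OUT=eth0 SRC=192.168.88.87 DST=54.231.49.250 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=51234 DPT=443 WINDOW=229 RES=0x00 ACK URGP=0
"""

# Matches the --log-prefix "CLIENT-<ip>-<IN|OUT> " used in the answer.
PREFIX_RE = re.compile(r"kernel: CLIENT-(?P<client>[\d.]+)-(?P<dir>IN|OUT) (?P<rest>.*)$")


def parse_line(line):
    """Return (client, direction, fields) or None for non-accounting lines.

    Fields are keyed by name, so a missing MAC= on OUT lines (or any other
    optional field) does not shift LEN the way a fixed awk column would.
    """
    m = PREFIX_RE.search(line)
    if not m:
        return None
    fields = {}
    for tok in m.group("rest").split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            fields[k] = v
        else:
            fields[tok] = True  # bare flags such as DF, ACK
    return m.group("client"), m.group("dir"), fields


def account(log_text, **match):
    """Sum LEN per (client, direction).  Keyword filters such as
    SRC="54.231.49.250", SPT="443" must all match a packet's fields."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        client, direction, f = parsed
        if any(f.get(k) != v for k, v in match.items()):
            continue
        totals[(client, direction)] += int(f["LEN"])
    return dict(totals)


def megabytes(nbytes):
    """Bytes to MiB, rounded like the answer's printf '%.2f'."""
    return round(nbytes / 1048576, 2)
```

Feeding it the real file (`account(open(path).read(), SRC="54.231.49.250", SPT="443")`) reproduces the answer's pipeline, while the unfiltered call gives the per-client IN/OUT totals.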