Viewing routes and adding or deleting static routes

Static routes let you refine and customize how the network runs. Often, when the network cannot reach somewhere, you also need to add a static route to direct where packets are forwarded.

Show the current routing table

root@agent-test:~# ip route show
default via 192.168.198.2 dev eth0 
192.168.198.0/24 dev eth0  proto kernel  scope link  src 192.168.198.137

The kernel routing table

root@agent-test:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         localhost       0.0.0.0         UG    0      0        0 eth0
192.168.198.0   *               255.255.255.0   U     0      0        0 eth0

The kernel routing table, shown entirely in numeric form

root@agent-test:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.198.2   0.0.0.0         UG    0      0        0 eth0
192.168.198.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0

Add a route. The format is ip route add {destination network} via {IP address} dev {device}; for example, to send traffic for the 192.168.3.0/24 network through 192.168.1.254:

ip route add 192.168.3.0/24 via 192.168.1.254 dev eth0

The old command format is:

route add -net 192.168.3.0 netmask 255.255.255.0 gw 192.168.1.254 dev eth1

The commands above take effect immediately but are lost on reboot. Permanent static routes:

For example, on CentOS:

#vi /etc/sysconfig/network-scripts/route-eth0

You can either add a line like this:

10.0.0.0/8 via 10.9.38.65

or use this format:

ADDRESS0=192.168.0.62
NETMASK0=255.255.255.255
GATEWAY0=192.168.8.51
ADDRESS1=192.168.0.71
NETMASK1=255.255.255.255
GATEWAY1=192.168.8.51
ADDRESS2=192.168.1.0
NETMASK2=255.255.255.0
GATEWAY2=192.168.8.28

The routes take effect after the network service is restarted.
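As an added example (not from the original post), the following script renders a route-eth0 file written in either of the two formats above into the equivalent ip route add commands, so the routes can be reviewed before the network is restarted. It assumes a POSIX sh with awk; the route file contents are constructed, and nothing is applied to the running routing table.

```shell
#!/bin/sh
# Added example, not from the original post: print the "ip route add"
# commands that a CentOS route-ethN file describes, accepting both the
# "NETWORK/PREFIX via GATEWAY" lines and the ADDRESSn/NETMASKn/GATEWAYn
# triplets shown above. Assumes POSIX sh with awk; only prints, never
# touches the running routing table.

# render_route_file <interface> : route file on stdin, commands on stdout
render_route_file() {
    awk -v dev="$1" '
        # dotted netmask -> prefix length, e.g. 255.255.255.0 -> 24
        function prefix(mask,    oct, i, b, o, bits) {
            split(mask, oct, ".")
            for (i = 1; i <= 4; i++) {
                o = oct[i] + 0
                for (b = 128; b >= 1; b /= 2) if (o >= b) { o -= b; bits++ }
            }
            return bits + 0
        }
        # format 1: "10.0.0.0/8 via 10.9.38.65" passes through unchanged
        /^[0-9.]+\/[0-9]+ via [0-9.]+/ { print "ip route add " $0 " dev " dev; next }
        # format 2: collect ADDRESSn / NETMASKn / GATEWAYn by their index n
        /^(ADDRESS|NETMASK|GATEWAY)[0-9]+=/ {
            split($0, kv, "=")
            key = substr(kv[1], 1, 7); n = substr(kv[1], 8)
            val[key, n] = kv[2]; seen[n] = 1
        }
        # indices must be contiguous from 0, as in the file format itself
        END {
            for (n = 0; n in seen; n++)
                print "ip route add " val["ADDRESS", n] "/" prefix(val["NETMASK", n]) " via " val["GATEWAY", n] " dev " dev
        }
    '
}

# Constructed route-eth0 contents mixing both formats (sample data only).
SAMPLE_ROUTE_FILE='10.0.0.0/8 via 10.9.38.65
ADDRESS0=192.168.0.62
NETMASK0=255.255.255.255
GATEWAY0=192.168.8.51
ADDRESS1=192.168.1.0
NETMASK1=255.255.255.0
GATEWAY1=192.168.8.28'

printf '%s\n' "$SAMPLE_ROUTE_FILE" | render_route_file eth0
```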

On Debian, find the corresponding interface and edit /etc/network/interfaces

auto eth0
iface eth0 inet static
address 10.9.38.76
netmask 255.255.255.240
network 10.9.38.64
broadcast 10.9.38.79
### static routing ###
post-up route add -net 10.0.0.0 netmask 255.0.0.0 gw 10.9.38.65
pre-down route del -net 10.0.0.0 netmask 255.0.0.0 gw 10.9.38.65

When eth0 is brought up, a route is added; when it is brought down, the corresponding route is deleted.

Besides adding and deleting routes, ip route replace can be used to change the attributes of an existing route. For example:

ip route replace default via 192.168.8.33 dev eth0

As for the default route on CentOS, the gateway can be specified in /etc/sysconfig/network-scripts/ifcfg-eth0, or in /etc/sysconfig/network, or with the command shown above: ip route add default via 192.168.8.1 dev eth0.

Adding and deleting static routes on OS X

sudo route -n add -net 10.10.1.0/24 10.10.1.2
sudo route -n delete -net 10.10.1.0/24 10.10.1.2

Binding MySQL to multiple IP addresses

my.cnf has the option bind-address=127.0.0.1, which means the MySQL server listens only for requests coming from the local host. To let any host connect, set it to 0.0.0.0, but that is not very secure. To listen on one particular IP, just specify that IP address, but make sure a MySQL user exists that is allowed to connect from that IP, otherwise you cannot operate on the database. So, can the configuration restrict listening to just a few IPs?

The short, direct answer: no.

See: http://dev.mysql.com/doc/refman/5.1/en/server-options.html#option_mysqld_bind-address

The MySQL server listens on a single network socket for TCP/IP connections. This socket is bound to a single address, but it is possible for an address to map onto multiple network interfaces. The default address is 0.0.0.0. To specify an address explicitly, use the --bind-address=addr option at server startup, where addr is an IPv4 address or a host name. If addr is a host name, the server resolves the name to an IPv4 address and binds to that address. The server treats different types of addresses as follows:

If the address is 0.0.0.0, the server accepts TCP/IP connections on all server host IPv4 interfaces.
If the address is a “regular” IPv4 address (such as 127.0.0.1), the server accepts TCP/IP connections only for that particular IPv4 address.

But since the requirement exists, it comes down to access control, and the same effect can be achieved with the iptables firewall.

The MySQL server is 192.168.1.3; only 192.168.1.4, 192.168.1.5 and 192.168.1.6 are allowed to reach port 3306.

In my.cnf:

bind-address = 0.0.0.0

On the host that receives connections to port 3306, allow only 192.168.1.4-6 and DROP every other IP:

/sbin/iptables -A INPUT -p tcp -s 192.168.1.4 --dport 3306 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -s 192.168.1.5 --dport 3306 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -s 192.168.1.6 --dport 3306 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 3306 -j DROP

The following three rules look like an equivalent negated form, but they are not: rules are matched in order, and a packet from 192.168.1.4 does not match "! -s 192.168.1.5", so the second rule drops it. Stacked like this, the rules drop every source, including the three allowed hosts.

/sbin/iptables -A INPUT -p tcp --dport 3306 ! -s 192.168.1.4 -j DROP
/sbin/iptables -A INPUT -p tcp --dport 3306 ! -s 192.168.1.5 -j DROP
/sbin/iptables -A INPUT -p tcp --dport 3306 ! -s 192.168.1.6 -j DROP

When the allowed sources form one contiguous range, as here, a single negated rule is possible with the iprange match:

/sbin/iptables -A INPUT -p tcp --dport 3306 -m iprange ! --src-range 192.168.1.4-192.168.1.6 -j DROP

Save the firewall rules

service iptables save

Show the INPUT-chain rules that mention 3306

echo -e "target prot opt source destination\n$(iptables -L INPUT -n | grep 3306)"

This way MySQL accepts connections only from the specified IPs.
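Added example, not from the original post: a small first-match evaluator that walks an INPUT-style rule list the way iptables does, comparing the allow-list-then-DROP rules above with a set of stacked negated DROP rules (one "! -s host" DROP per allowed host), which looks equivalent but drops every source. It assumes a POSIX sh with awk; the rule sets and packet sources are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: simulate first-match evaluation
# of an INPUT chain restricted to TCP/3306. Each rule is "<source> <target>",
# where <source> is an IP, "!IP" (negated match) or "any". Assumes POSIX sh
# with awk; the rule sets and packet sources below are constructed.

# evaluate <rules> <source-ip> : prints the target of the first matching rule,
# or the chain policy (ACCEPT here) when nothing matches.
evaluate() {
    printf '%s\n' "$1" | awk -v src="$2" '
        NF == 2 {
            spec = $1
            if (spec == "any")                  hit = 1
            else if (substr(spec, 1, 1) == "!") hit = (src != substr(spec, 2))
            else                                hit = (src == spec)
            if (hit) { print $2; matched = 1; exit }
        }
        END { if (!matched) print "ACCEPT" }
    '
}

# Allow-list followed by a catch-all DROP (the working rule set).
ALLOWLIST_RULES='192.168.1.4 ACCEPT
192.168.1.5 ACCEPT
192.168.1.6 ACCEPT
any DROP'

# One negated DROP per allowed host: a packet from .4 does not match "!.5"
# and is dropped by the second rule, so this set drops every source.
NEGATED_RULES='!192.168.1.4 DROP
!192.168.1.5 DROP
!192.168.1.6 DROP'

for ip in 192.168.1.4 192.168.1.6 192.168.1.9; do
    echo "$ip: allow-list -> $(evaluate "$ALLOWLIST_RULES" "$ip")," \
         "negated -> $(evaluate "$NEGATED_RULES" "$ip")"
done
```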

Reference:

http://www.cyberciti.biz/faq/unix-linux-mysqld-server-bind-to-more-than-one-ip-address/

Testing network performance with iperf

Preparation:

Install the EPEL repository

rpm -ivh http://mirrors.sohu.com/fedora-epel/6/x86_64/epel-release-6-8.noarch.rpm

Refresh the local cache and install iperf

yum makecache -y
yum install iperf -y

Test:

192.168.0.244 is the server and 192.168.0.236 the client.

The transfer can be observed on both the server and the client; NIC traffic can also be watched with ifstat or iptraf.

TCP test

server(0.244): iperf -s -i 1

-s server mode

-i interval in seconds between reports

client(0.236): iperf -t 20 -i 1 -c 192.168.0.244

-t duration of the test in seconds

-c client mode, followed by the server to connect to

Server output:

------------------------------------------------------------
Server listening on TCP port 5001
TCP window size: 32.0 KByte (default)
------------------------------------------------------------
[ 4] local 192.168.0.244 port 5001 connected with 192.168.0.236 port 54921
[ ID] Interval Transfer Bandwidth
[ 4] 0.0- 1.0 sec 112 MBytes 938 Mbits/sec
[ 4] 1.0- 2.0 sec 112 MBytes 942 Mbits/sec
[ 4] 2.0- 3.0 sec 112 MBytes 942 Mbits/sec
[ 4] 3.0- 4.0 sec 112 MBytes 941 Mbits/sec
[ 4] 4.0- 5.0 sec 112 MBytes 942 Mbits/sec
[ 4] 5.0- 6.0 sec 112 MBytes 942 Mbits/sec
[ 4] 6.0- 7.0 sec 112 MBytes 942 Mbits/sec
[ 4] 7.0- 8.0 sec 112 MBytes 941 Mbits/sec
[ 4] 8.0- 9.0 sec 112 MBytes 942 Mbits/sec
[ 4] 9.0-10.0 sec 112 MBytes 942 Mbits/sec
[ 4] 10.0-11.0 sec 112 MBytes 942 Mbits/sec
[ 4] 11.0-12.0 sec 112 MBytes 941 Mbits/sec
[ 4] 12.0-13.0 sec 112 MBytes 942 Mbits/sec
[ 4] 13.0-14.0 sec 112 MBytes 942 Mbits/sec
[ 4] 14.0-15.0 sec 112 MBytes 942 Mbits/sec
[ 4] 15.0-16.0 sec 112 MBytes 941 Mbits/sec
[ 4] 16.0-17.0 sec 112 MBytes 941 Mbits/sec
[ 4] 17.0-18.0 sec 112 MBytes 941 Mbits/sec
[ 4] 18.0-19.0 sec 112 MBytes 942 Mbits/sec
[ 4] 19.0-20.0 sec 112 MBytes 942 Mbits/sec
[ 4] 0.0-20.0 sec 2.20 GBytes 941 Mbits/sec

Client output:

------------------------------------------------------------
Client connecting to 192.168.0.244, TCP port 5001
TCP window size: 23.2 KByte (default)
------------------------------------------------------------
[ 3] local 192.168.0.236 port 54921 connected with 192.168.0.244 port 5001
[ ID] Interval Transfer Bandwidth
[ 3] 0.0- 1.0 sec 115 MBytes 965 Mbits/sec
[ 3] 1.0- 2.0 sec 112 MBytes 937 Mbits/sec
[ 3] 2.0- 3.0 sec 113 MBytes 946 Mbits/sec
[ 3] 3.0- 4.0 sec 113 MBytes 946 Mbits/sec
[ 3] 4.0- 5.0 sec 112 MBytes 935 Mbits/sec
[ 3] 5.0- 6.0 sec 113 MBytes 946 Mbits/sec
[ 3] 6.0- 7.0 sec 112 MBytes 935 Mbits/sec
[ 3] 7.0- 8.0 sec 113 MBytes 946 Mbits/sec
[ 3] 8.0- 9.0 sec 113 MBytes 946 Mbits/sec
[ 3] 9.0-10.0 sec 111 MBytes 934 Mbits/sec
[ 3] 10.0-11.0 sec 113 MBytes 946 Mbits/sec
[ 3] 11.0-12.0 sec 111 MBytes 934 Mbits/sec
[ 3] 12.0-13.0 sec 113 MBytes 945 Mbits/sec
[ 3] 13.0-14.0 sec 113 MBytes 945 Mbits/sec
[ 3] 14.0-15.0 sec 113 MBytes 946 Mbits/sec
[ 3] 15.0-16.0 sec 111 MBytes 931 Mbits/sec
[ 3] 16.0-17.0 sec 113 MBytes 948 Mbits/sec
[ 3] 17.0-18.0 sec 111 MBytes 934 Mbits/sec
[ 3] 18.0-19.0 sec 113 MBytes 945 Mbits/sec
[ 3] 19.0-20.0 sec 113 MBytes 948 Mbits/sec
[ 3] 0.0-20.0 sec 2.20 GBytes 942 Mbits/sec

UDP test

server(0.244): iperf -u -s -i 1

client(0.236): iperf -t 20 -i 1 -u -b 1000M -c 192.168.0.244

-u use the UDP protocol

-b the bandwidth to send per second (applies to UDP)

Server output

------------------------------------------------------------
Server listening on UDP port 5001
Receiving 1470 byte datagrams
UDP buffer size: 224 KByte (default)
------------------------------------------------------------
[ 3] local 192.168.0.244 port 5001 connected with 192.168.0.236 port 34489
[ ID] Interval Transfer Bandwidth Jitter Lost/Total Datagrams
[ 3] 0.0- 1.0 sec 128 KBytes 1.05 Mbits/sec 0.013 ms 0/ 89 (0%)
[ 3] 1.0- 2.0 sec 128 KBytes 1.05 Mbits/sec 0.010 ms 0/ 89 (0%)
[ 3] 2.0- 3.0 sec 128 KBytes 1.05 Mbits/sec 0.015 ms 0/ 89 (0%)
[ 3] 3.0- 4.0 sec 128 KBytes 1.05 Mbits/sec 0.012 ms 0/ 89 (0%)
[ 3] 4.0- 5.0 sec 128 KBytes 1.05 Mbits/sec 0.008 ms 0/ 89 (0%)
[ 3] 5.0- 6.0 sec 129 KBytes 1.06 Mbits/sec 0.008 ms 0/ 90 (0%)
[ 3] 6.0- 7.0 sec 128 KBytes 1.05 Mbits/sec 0.009 ms 0/ 89 (0%)
[ 3] 7.0- 8.0 sec 128 KBytes 1.05 Mbits/sec 0.019 ms 0/ 89 (0%)
[ 3] 8.0- 9.0 sec 128 KBytes 1.05 Mbits/sec 0.011 ms 0/ 89 (0%)
[ 3] 9.0-10.0 sec 128 KBytes 1.05 Mbits/sec 0.009 ms 0/ 89 (0%)
[ 3] 10.0-11.0 sec 128 KBytes 1.05 Mbits/sec 0.014 ms 0/ 89 (0%)
[ 3] 11.0-12.0 sec 129 KBytes 1.06 Mbits/sec 0.014 ms 0/ 90 (0%)
[ 3] 12.0-13.0 sec 128 KBytes 1.05 Mbits/sec 0.009 ms 0/ 89 (0%)
[ 3] 13.0-14.0 sec 128 KBytes 1.05 Mbits/sec 0.017 ms 0/ 89 (0%)
[ 3] 14.0-15.0 sec 128 KBytes 1.05 Mbits/sec 0.016 ms 0/ 89 (0%)
[ 3] 15.0-16.0 sec 128 KBytes 1.05 Mbits/sec 0.011 ms 0/ 89 (0%)
[ 3] 16.0-17.0 sec 128 KBytes 1.05 Mbits/sec 0.012 ms 0/ 89 (0%)
[ 3] 17.0-18.0 sec 129 KBytes 1.06 Mbits/sec 0.017 ms 0/ 90 (0%)
[ 3] 18.0-19.0 sec 128 KBytes 1.05 Mbits/sec 0.018 ms 0/ 89 (0%)
[ 3] 19.0-20.0 sec 128 KBytes 1.05 Mbits/sec 0.012 ms 0/ 89 (0%)
[ 3] 0.0-20.0 sec 2.50 MBytes 1.05 Mbits/sec 0.013 ms 0/ 1785 (0%)

Client output

------------------------------------------------------------
Client connecting to 192.168.0.244, UDP port 5001
Sending 1470 byte datagrams
UDP buffer size: 224 KByte (default)
------------------------------------------------------------
[ 3] local 192.168.0.236 port 34489 connected with 192.168.0.244 port 5001
[ ID] Interval Transfer Bandwidth
[ 3] 0.0- 1.0 sec 129 KBytes 1.06 Mbits/sec
[ 3] 1.0- 2.0 sec 128 KBytes 1.05 Mbits/sec
[ 3] 2.0- 3.0 sec 128 KBytes 1.05 Mbits/sec
[ 3] 3.0- 4.0 sec 128 KBytes 1.05 Mbits/sec
[ 3] 4.0- 5.0 sec 128 KBytes 1.05 Mbits/sec
[ 3] 5.0- 6.0 sec 128 KBytes 1.05 Mbits/sec
[ 3] 6.0- 7.0 sec 129 KBytes 1.06 Mbits/sec
[ 3] 7.0- 8.0 sec 128 KBytes 1.05 Mbits/sec
[ 3] 8.0- 9.0 sec 128 KBytes 1.05 Mbits/sec
[ 3] 9.0-10.0 sec 128 KBytes 1.05 Mbits/sec
[ 3] 10.0-11.0 sec 128 KBytes 1.05 Mbits/sec
[ 3] 11.0-12.0 sec 128 KBytes 1.05 Mbits/sec
[ 3] 12.0-13.0 sec 129 KBytes 1.06 Mbits/sec
[ 3] 13.0-14.0 sec 128 KBytes 1.05 Mbits/sec
[ 3] 14.0-15.0 sec 128 KBytes 1.05 Mbits/sec
[ 3] 15.0-16.0 sec 128 KBytes 1.05 Mbits/sec
[ 3] 16.0-17.0 sec 128 KBytes 1.05 Mbits/sec
[ 3] 17.0-18.0 sec 128 KBytes 1.05 Mbits/sec
[ 3] 18.0-19.0 sec 129 KBytes 1.06 Mbits/sec
[ 3] 19.0-20.0 sec 128 KBytes 1.05 Mbits/sec
[ 3] 0.0-20.0 sec 2.50 MBytes 1.05 Mbits/sec
[ 3] Sent 1785 datagrams
[ 3] Server Report:
[ 3] 0.0-20.0 sec 2.50 MBytes 1.05 Mbits/sec 0.013 ms 0/ 1785 (0%)
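Added example, not from the original post: a shell function that summarizes iperf interval lines like those above (TCP lines, and UDP server lines with jitter and lost/total columns), skipping the whole-run summary, so a run can be checked for rate drops or datagram loss. It assumes a POSIX sh with awk; the sample reports are constructed from the page's output, with two lost datagrams inserted.

```shell
#!/bin/sh
# Added example, not from the original post: summarize iperf interval lines.
# Handles the TCP format ("112 MBytes 938 Mbits/sec") and the UDP server
# format that adds jitter and "lost/ total" columns. Assumes POSIX sh with
# awk; the sample reports below are constructed from the page's output.

# summarize_iperf < report : one line with interval count, average and
# minimum bandwidth in Mbit/s, maximum jitter and summed lost/total datagrams.
summarize_iperf() {
    awk '
        BEGIN { unit["Kbits/sec"] = 0.001; unit["Mbits/sec"] = 1; unit["Gbits/sec"] = 1000
                jit = 0; lost = 0; total = 0 }
        match($0, /[0-9.]+- *[0-9.]+ sec /) {
            iv = substr($0, RSTART, RLENGTH); gsub(/[ a-z]/, "", iv)   # "0.0-1.0"
            split(iv, t, "-"); len = t[2] - t[1]
            if (!step) step = len              # first line defines the report interval
            if (len > step + 0.01) next        # skip the 0.0-20.0 whole-run summaries
            n = split(substr($0, RSTART + RLENGTH), f, / +/)
            mbps = f[3] * unit[f[4]]
            sum += mbps; cnt++
            if (cnt == 1 || mbps < min) min = mbps
            if (n >= 8) {                      # UDP server report: jitter, lost/total
                if (f[5] + 0 > jit) jit = f[5] + 0
                lt = f[7]; if (lt ~ /\/$/) lt = lt f[8]   # "0/" "89" -> "0/89"
                split(lt, l, "/"); lost += l[1]; total += l[2]
            }
        }
        END {
            if (cnt == 0) { print "no interval lines found"; exit 1 }
            printf "intervals=%d avg_mbps=%.2f min_mbps=%.2f max_jitter_ms=%.3f lost=%d total=%d\n",
                   cnt, sum / cnt, min, jit, lost, total
        }
    '
}

# Constructed samples: two TCP intervals plus their summary, and three UDP
# server intervals (one with two lost datagrams) plus their summary.
SAMPLE_TCP='[ 4] 0.0- 1.0 sec 112 MBytes 938 Mbits/sec
[ 4] 1.0- 2.0 sec 112 MBytes 942 Mbits/sec
[ 4] 0.0- 2.0 sec 224 MBytes 940 Mbits/sec'
SAMPLE_UDP='[ 3] 0.0- 1.0 sec 128 KBytes 1.05 Mbits/sec 0.013 ms 0/ 89 (0%)
[ 3] 1.0- 2.0 sec 128 KBytes 1.05 Mbits/sec 0.010 ms 0/ 89 (0%)
[ 3] 2.0- 3.0 sec 129 KBytes 1.06 Mbits/sec 0.015 ms 2/ 90 (2.2%)
[ 3] 0.0- 3.0 sec 385 KBytes 1.05 Mbits/sec 0.013 ms 2/ 268 (0.7%)'

printf '%s\n' "$SAMPLE_TCP" | summarize_iperf
printf '%s\n' "$SAMPLE_UDP" | summarize_iperf
```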

Creating a CSR file with openssl

Before applying for a proper SSL certificate, you first need to generate a CSR file on the local machine.

Login to your server via your terminal client (ssh). At the prompt, type:

openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr

where server is the name of your server; here the file is server.csr, so name it to suit your own situation.

This will begin the process of generating two files: the Private-Key file for the decryption of your SSL Certificate, and a certificate signing request (CSR) file used to apply for your SSL Certificate. This command will prompt for the following X.509 attributes of the certificate:

Country Name (C): Use the two-letter code without punctuation for country, for example: US or CA.
State or Province (S): Spell out the state completely; do not abbreviate the state or province name, for example: California.
Locality or City (L): The Locality field is the city or town name, for example: Berkeley.
Organization (O): If your company or department has an &, @, or any other symbol using the shift key in its name, you must spell out the symbol or omit it to enroll, for example: XY & Z Corporation would be XYZ Corporation or XY and Z Corporation.
Organizational Unit (OU): This field is the name of the department or organization unit making the request.
Common Name (CN): The Common Name is the Host + Domain Name. It looks like "www.company.com" or "company.com".
Please do not enter your email address, challenge password or an optional company name when generating the CSR.

Finally, server.csr is generated.

To self-sign the certificate, producing server.crt:

openssl x509 -req -in server.csr -signkey server.key -out server.crt

Compute the fingerprint of the crt

SHA-256
openssl x509 -noout -fingerprint -sha256 -inform pem -in [certificate-file.crt]

SHA-1
openssl x509 -noout -fingerprint -sha1 -inform pem -in [certificate-file.crt]

MD5
openssl x509 -noout -fingerprint -md5 -inform pem -in [certificate-file.crt]

iptables tables and chains

iptables has 4 tables and 5 chains.

Tables are distinguished by the operation performed on packets, chains by the hook point; tables and chains are really the two dimensions of netfilter.

The 4 tables: filter, nat, mangle, raw. The default table is filter (when no table is specified, the filter table is used). Table processing priority: raw > mangle > nat > filter

filter: ordinary packet filtering
nat: NAT functions (port mapping, address mapping, etc.)
mangle: modifying particular packets
raw: highest priority; the raw table is usually used so that iptables does no connection tracking for the packet, which improves performance

The 5 chains: PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING

PREROUTING: before the packet goes through the routing table
INPUT: after routing, destined for the local host
FORWARD: after routing, not destined for the local host
OUTPUT: generated by the local host, sent outward
POSTROUTING: before the packet is handed to the network interface