linux iptables ip_conntrack: table full CentOS 7 iptables

来源：互联网发布：大连软件交易会编辑：程序博客网时间：2024/05/18 20:52

CentOS 7 默认使用firewalld来管理iptables规则，由于防火墙规则变动的情况很少，动不动态变得无所谓了。但是习惯是魔鬼，跟之前不一样，总是感觉不太习惯。systemctl disable firewalldyum remove firewalld -y使用下面的办法来恢复原来的习惯,同时解决iptables开机启动的问题。yum install iptables-services -ysystemctl enable iptables这样的话，iptables服务会开机启动，自动从/etc/sysconfig/iptables 文件导入规则。为了让/etc/init.d/iptables save 这条命令生效，需要这么做cp /usr/libexec/iptables/iptables.init /etc/init.d/iptables/etc/init.d/iptables save而chkconfig iptables 命令会自动重定向到sytemctl enable iptables--------------------------------------分割线 --------------------------------------iptables使用范例详解 http://www.linuxidc.com/Linux/2014-03/99159.htmiptables—包过滤（网络层）防火墙 http://www.linuxidc.com/Linux/2013-08/88423.htmLinux防火墙iptables详细教程 http://www.linuxidc.com/Linux/2013-07/87045.htmiptables+L7+Squid实现完善的软件防火墙 http://www.linuxidc.com/Linux/2013-05/84802.htmiptables的备份、恢复及防火墙脚本的基本使用 http://www.linuxidc.com/Linux/2013-08/88535.htmLinux下防火墙iptables用法规则详解 http://www.linuxidc.com/Linux/2012-08/67952.htm--------------------------------------分割线 --------------------------------------更多CentOS相关信息见CentOS 专题页面 http://www.linuxidc.com/topicnews.aspx?tid=14本文永久更新链接地址：http://www.linuxidc.com/Linux/2014-11/109592.htm

service iptables status 查看iptables状态service iptables restart iptables服务重启service iptables stop iptables服务禁用

</pre><pre class="reply-text mb10" id="content-662957502" name="code" style="white-space: pre-wrap; word-wrap: break-word; color: rgb(51, 51, 51); font-size: 14px; line-height: 26px; background-color: rgb(255, 255, 255);">/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////

<p style="font-family: 微软雅黑; border: 0px; margin-top: 0px; margin-bottom: 24px; padding-top: 0px; padding-bottom: 0px; vertical-align: baseline; color: rgb(51, 51, 51); font-size: 14px; line-height: 24px; widows: auto;">解决办法如其所述，对ip_conntrack的两个参数进行设置即可，不过在centos上，需要这样设置：</p><div style="font-family: 微软雅黑; border: 0px; margin: 0px; padding: 0px; vertical-align: baseline; color: rgb(51, 51, 51); font-size: 14px; line-height: 24px; widows: auto;"><div id="highlighter_766110" class="syntaxhighlighter  shell" style="border: 0px; padding: 1px 0px; vertical-align: baseline; width: 640px; margin: 1em 0px !important; position: relative !important; overflow: auto !important; font-size: 1em !important;"><table border="0" cellpadding="0" cellspacing="0" style="border: 1px solid rgb(231, 231, 231); margin: 0px -1px 24px 0px; border-collapse: collapse; border-spacing: 0px; width: 640px; font-family: Consolas, 'Bitstream Vera Sans Mono', 'Courier New', Courier, monospace !important; padding: 0px !important; vertical-align: baseline !important; border-radius: 0px !important; bottom: auto !important; float: none !important; height: auto !important; left: auto !important; line-height: 1.1em !important; outline: 0px !important; overflow: visible !important; position: static !important; right: auto !important; top: auto !important; box-sizing: content-box !important; font-size: 1em !important; min-height: inherit !important; background-image: none !important;"><tbody style="border: 0px !important; margin: 0px !important; padding: 0px !important; vertical-align: baseline !important; border-radius: 0px !important; bottom: auto !important; float: none !important; height: auto !important; left: auto !important; line-height: 1.1em !important; outline: 0px !important; overflow: visible !important; position: static !important; right: auto !important; top: auto !important; width: auto !important; box-sizing: content-box !important; font-size: 1em !important; min-height: inherit !important; background-image: none !important;"><tr style="border: 0px !important; margin: 0px !important; padding: 0px !important; vertical-align: baseline !important; border-radius: 0px !important; bottom: auto !important; float: none !important; height: auto !important; left: auto !important; line-height: 1.1em !important; outline: 0px !important; overflow: visible !important; position: static !important; right: auto !important; top: auto !important; width: auto !important; box-sizing: content-box !important; font-size: 1em !important; min-height: inherit !important; background-image: none !important;"><td class="gutter" style="border-top-width: 1px; border-top-style: solid; border-top-color: rgb(231, 231, 231); padding: 6px 24px; font-family: Consolas, 'Bitstream Vera Sans Mono', 'Courier New', Courier, monospace !important; border-right-width: 0px !important; border-bottom-width: 0px !important; border-left-width: 0px !important; margin: 0px !important; vertical-align: baseline !important; border-radius: 0px !important; bottom: auto !important; float: none !important; height: auto !important; left: auto !important; line-height: 1.1em !important; outline: 0px !important; overflow: visible !important; position: static !important; right: auto !important; top: auto !important; width: auto !important; box-sizing: content-box !important; font-size: 1em !important; min-height: inherit !important; color: rgb(175, 175, 175) !important; background-image: none !important;"><div class="line number1 index0 alt2" style="border-width: 0px 3px 0px 0px !important; border-right-style: solid !important; border-right-color: rgb(108, 226, 108) !important; margin: 0px !important; padding: 0px 0.5em 0px 1em !important; vertical-align: baseline !important; border-radius: 0px !important; bottom: auto !important; float: none !important; height: auto !important; left: auto !important; line-height: 1.1em !important; outline: 0px !important; overflow: visible !important; position: static !important; right: auto !important; text-align: right !important; top: auto !important; width: auto !important; box-sizing: content-box !important; font-size: 1em !important; min-height: inherit !important; white-space: pre !important; background-image: none !important;">1</div><div class="line number2 index1 alt1" style="border-width: 0px 3px 0px 0px !important; border-right-style: solid !important; border-right-color: rgb(108, 226, 108) !important; margin: 0px !important; padding: 0px 0.5em 0px 1em !important; vertical-align: baseline !important; border-radius: 0px !important; bottom: auto !important; float: none !important; height: auto !important; left: auto !important; line-height: 1.1em !important; outline: 0px !important; overflow: visible !important; position: static !important; right: auto !important; text-align: right !important; top: auto !important; width: auto !important; box-sizing: content-box !important; font-size: 1em !important; min-height: inherit !important; white-space: pre !important; background-image: none !important;">2</div><div class="line number3 index2 alt2" style="border-width: 0px 3px 0px 0px !important; border-right-style: solid !important; border-right-color: rgb(108, 226, 108) !important; margin: 0px !important; padding: 0px 0.5em 0px 1em !important; vertical-align: baseline !important; border-radius: 0px !important; bottom: auto !important; float: none !important; height: auto !important; left: auto !important; line-height: 1.1em !important; outline: 0px !important; overflow: visible !important; position: static !important; right: auto !important; text-align: right !important; top: auto !important; width: auto !important; box-sizing: content-box !important; font-size: 1em !important; min-height: inherit !important; white-space: pre !important; background-image: none !important;">3</div><div class="line number4 index3 alt1" style="border-width: 0px 3px 0px 0px !important; border-right-style: solid !important; border-right-color: rgb(108, 226, 108) !important; margin: 0px !important; padding: 0px 0.5em 0px 1em !important; vertical-align: baseline !important; border-radius: 0px !important; bottom: auto !important; float: none !important; height: auto !important; left: auto !important; line-height: 1.1em !important; outline: 0px !important; overflow: visible !important; position: static !important; right: auto !important; text-align: right !important; top: auto !important; width: auto !important; box-sizing: content-box !important; font-size: 1em !important; min-height: inherit !important; white-space: pre !important; background-image: none !important;">4</div><div class="line number5 index4 alt2" style="border-width: 0px 3px 0px 0px !important; border-right-style: solid !important; border-right-color: rgb(108, 226, 108) !important; margin: 0px !important; padding: 0px 0.5em 0px 1em !important; vertical-align: baseline !important; border-radius: 0px !important; bottom: auto !important; float: none !important; height: auto !important; left: auto !important; line-height: 1.1em !important; outline: 0px !important; overflow: visible !important; position: static !important; right: auto !important; text-align: right !important; top: auto !important; width: auto !important; box-sizing: content-box !important; font-size: 1em !important; min-height: inherit !important; white-space: pre !important; background-image: none !important;">5</div></td><td class="code" style="border-top-width: 1px; border-top-style: solid; border-top-color: rgb(231, 231, 231); padding: 6px 24px; width: 608px; font-family: Consolas, 'Bitstream Vera Sans Mono', 'Courier New', Courier, monospace !important; border-right-width: 0px !important; border-bottom-width: 0px !important; border-left-width: 0px !important; margin: 0px !important; vertical-align: baseline !important; border-radius: 0px !important; bottom: auto !important; float: none !important; height: auto !important; left: auto !important; line-height: 1.1em !important; outline: 0px !important; overflow: visible !important; position: static !important; right: auto !important; top: auto !important; box-sizing: content-box !important; font-size: 1em !important; min-height: inherit !important; background-image: none !important;"><div class="container" style="border: 0px !important; margin: 0px !important; padding: 0px !important; vertical-align: baseline !important; border-radius: 0px !important; bottom: auto !important; float: none !important; height: auto !important; left: auto !important; line-height: 1.1em !important; outline: 0px !important; overflow: visible !important; position: relative !important; right: auto !important; top: auto !important; width: auto !important; box-sizing: content-box !important; font-size: 1em !important; min-height: inherit !important; background-image: none !important;"><div class="line number1 index0 alt2" style="border: 0px !important; margin: 0px !important; padding: 0px 1em !important; vertical-align: baseline !important; border-radius: 0px !important; bottom: auto !important; float: none !important; height: auto !important; left: auto !important; line-height: 1.1em !important; outline: 0px !important; overflow: visible !important; position: static !important; right: auto !important; top: auto !important; width: auto !important; box-sizing: content-box !important; font-size: 1em !important; min-height: inherit !important; white-space: pre !important; background-image: none !important;"><code class="shell functions" style="padding: 0.2em 0px; font-size: 12px; font-family: Consolas, 'Bitstream Vera Sans Mono', 'Courier New', Courier, monospace !important; border: 0px !important; margin: 0px !important; vertical-align: baseline !important; border-radius: 0px !important; bottom: auto !important; float: none !important; height: auto !important; left: auto !important; line-height: 1.1em !important; outline: 0px !important; overflow: visible !important; position: static !important; right: auto !important; top: auto !important; width: auto !important; box-sizing: content-box !important; min-height: inherit !important; color: rgb(255, 20, 147) !important; background-image: none !important;">vi</code> <code class="shell plain" style="padding: 0.2em 0px; font-size: 12px; font-family: Consolas, 'Bitstream Vera Sans Mono', 'Courier New', Courier, monospace !important; border: 0px !important; margin: 0px !important; vertical-align: baseline !important; border-radius: 0px !important; bottom: auto !important; float: none !important; height: auto !important; left: auto !important; line-height: 1.1em !important; outline: 0px !important; overflow: visible !important; position: static !important; right: auto !important; top: auto !important; width: auto !important; box-sizing: content-box !important; min-height: inherit !important; background-image: none !important;">/etc/sysctl</code><code class="shell plain" style="padding: 0.2em 0px; font-size: 12px; font-family: Consolas, 'Bitstream Vera Sans Mono', 'Courier New', Courier, monospace !important; border: 0px !important; margin: 0px !important; vertical-align: baseline !important; border-radius: 0px !important; bottom: auto !important; float: none !important; height: auto !important; left: auto !important; line-height: 1.1em !important; outline: 0px !important; overflow: visible !important; position: static !important; right: auto !important; top: auto !important; width: auto !important; box-sizing: content-box !important; min-height: inherit !important; background-image: none !important;">.conf</code></div><div class="line number2 index1 alt1" style="border: 0px !important; margin: 0px !important; padding: 0px 1em !important; vertical-align: baseline !important; border-radius: 0px !important; bottom: auto !important; float: none !important; height: auto !important; left: auto !important; line-height: 1.1em !important; outline: 0px !important; overflow: visible !important; position: static !important; right: auto !important; top: auto !important; width: auto !important; box-sizing: content-box !important; font-size: 1em !important; min-height: inherit !important; white-space: pre !important; background-image: none !important;"><code class="shell plain" style="padding: 0.2em 0px; font-size: 12px; font-family: Consolas, 'Bitstream Vera Sans Mono', 'Courier New', Courier, monospace !important; border: 0px !important; margin: 0px !important; vertical-align: baseline !important; border-radius: 0px !important; bottom: auto !important; float: none !important; height: auto !important; left: auto !important; line-height: 1.1em !important; outline: 0px !important; overflow: visible !important; position: static !important; right: auto !important; top: auto !important; width: auto !important; box-sizing: content-box !important; min-height: inherit !important; background-image: none !important;">net.ipv4.netfilter.ip_conntrack_max = 655350</code></div><div class="line number3 index2 alt2" style="border: 0px !important; margin: 0px !important; padding: 0px 1em !important; vertical-align: baseline !important; border-radius: 0px !important; bottom: auto !important; float: none !important; height: auto !important; left: auto !important; line-height: 1.1em !important; outline: 0px !important; overflow: visible !important; position: static !important; right: auto !important; top: auto !important; width: auto !important; box-sizing: content-box !important; font-size: 1em !important; min-height: inherit !important; white-space: pre !important; background-image: none !important;"><code class="shell plain" style="padding: 0.2em 0px; font-size: 12px; font-family: Consolas, 'Bitstream Vera Sans Mono', 'Courier New', Courier, monospace !important; border: 0px !important; margin: 0px !important; vertical-align: baseline !important; border-radius: 0px !important; bottom: auto !important; float: none !important; height: auto !important; left: auto !important; line-height: 1.1em !important; outline: 0px !important; overflow: visible !important; position: static !important; right: auto !important; top: auto !important; width: auto !important; box-sizing: content-box !important; min-height: inherit !important; background-image: none !important;">net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 1200</code></div><div class="line number4 index3 alt1" style="border: 0px !important; margin: 0px !important; padding: 0px 1em !important; vertical-align: baseline !important; border-radius: 0px !important; bottom: auto !important; float: none !important; height: auto !important; left: auto !important; line-height: 1.1em !important; outline: 0px !important; overflow: visible !important; position: static !important; right: auto !important; top: auto !important; width: auto !important; box-sizing: content-box !important; font-size: 1em !important; min-height: inherit !important; white-space: pre !important; background-image: none !important;"><code class="shell comments" style="padding: 0.2em 0px; font-size: 12px; font-family: Consolas, 'Bitstream Vera Sans Mono', 'Courier New', Courier, monospace !important; border: 0px !important; margin: 0px !important; vertical-align: baseline !important; border-radius: 0px !important; bottom: auto !important; float: none !important; height: auto !important; left: auto !important; line-height: 1.1em !important; outline: 0px !important; overflow: visible !important; position: static !important; right: auto !important; top: auto !important; width: auto !important; box-sizing: content-box !important; min-height: inherit !important; color: rgb(0, 130, 0) !important; background-image: none !important;">#默认超时时间为5天，作为一个主要提供HTTP服务的服务器来讲，完全可以设置得比较短</code></div><div class="line number5 index4 alt2" style="border: 0px !important; margin: 0px !important; padding: 0px 1em !important; vertical-align: baseline !important; border-radius: 0px !important; bottom: auto !important; float: none !important; height: auto !important; left: auto !important; line-height: 1.1em !important; outline: 0px !important; overflow: visible !important; position: static !important; right: auto !important; top: auto !important; width: auto !important; box-sizing: content-box !important; font-size: 1em !important; min-height: inherit !important; white-space: pre !important; background-image: none !important;"><code class="shell plain" style="padding: 0.2em 0px; font-size: 12px; font-family: Consolas, 'Bitstream Vera Sans Mono', 'Courier New', Courier, monospace !important; border: 0px !important; margin: 0px !important; vertical-align: baseline !important; border-radius: 0px !important; bottom: auto !important; float: none !important; height: auto !important; left: auto !important; line-height: 1.1em !important; outline: 0px !important; overflow: visible !important; position: static !important; right: auto !important; top: auto !important; width: auto !important; box-sizing: content-box !important; min-height: inherit !important; background-image: none !important;">sysctl -p </code><code class="shell comments" style="padding: 0.2em 0px; font-size: 12px; font-family: Consolas, 'Bitstream Vera Sans Mono', 'Courier New', Courier, monospace !important; border: 0px !important; margin: 0px !important; vertical-align: baseline !important; border-radius: 0px !important; bottom: auto !important; float: none !important; height: auto !important; left: auto !important; line-height: 1.1em !important; outline: 0px !important; overflow: visible !important; position: static !important; right: auto !important; top: auto !important; width: auto !important; box-sizing: content-box !important; min-height: inherit !important; color: rgb(0, 130, 0) !important; background-image: none !important;"># 让刚刚修改过的设置生效</code></div></div></td></tr></tbody></table></div></div><p style="font-family: 微软雅黑; border: 0px; margin-top: 0px; margin-bottom: 24px; padding-top: 0px; padding-bottom: 0px; vertical-align: baseline; color: rgb(51, 51, 51); font-size: 14px; line-height: 24px; widows: auto;">如果在执行sysctl -p 时提示错误 unknown key，那么表示内核版本比较高，参数名称已经改为</p><div style="font-family: 微软雅黑; border: 0px; margin: 0px; padding: 0px; vertical-align: baseline; color: rgb(51, 51, 51); font-size: 14px; line-height: 24px; widows: auto;"><div id="highlighter_323162" class="syntaxhighlighter  shell" style="border: 0px; padding: 1px 0px; vertical-align: baseline; width: 640px; margin: 1em 0px !important; position: relative !important; overflow: auto !important; font-size: 1em !important;"><table border="0" cellpadding="0" cellspacing="0" style="border: 1px solid rgb(231, 231, 231); margin: 0px -1px 24px 0px; border-collapse: collapse; border-spacing: 0px; width: 640px; font-family: Consolas, 'Bitstream Vera Sans Mono', 'Courier New', Courier, monospace !important; padding: 0px !important; vertical-align: baseline !important; border-radius: 0px !important; bottom: auto !important; float: none !important; height: auto !important; left: auto !important; line-height: 1.1em !important; outline: 0px !important; overflow: visible !important; position: static !important; right: auto !important; top: auto !important; box-sizing: content-box !important; font-size: 1em !important; min-height: inherit !important; background-image: none !important;"><tbody style="border: 0px !important; margin: 0px !important; padding: 0px !important; vertical-align: baseline !important; border-radius: 0px !important; bottom: auto !important; float: none !important; height: auto !important; left: auto !important; line-height: 1.1em !important; outline: 0px !important; overflow: visible !important; position: static !important; right: auto !important; top: auto !important; width: auto !important; box-sizing: content-box !important; font-size: 1em !important; min-height: inherit !important; background-image: none !important;"><tr style="border: 0px !important; margin: 0px !important; padding: 0px !important; vertical-align: baseline !important; border-radius: 0px !important; bottom: auto !important; float: none !important; height: auto !important; left: auto !important; line-height: 1.1em !important; outline: 0px !important; overflow: visible !important; position: static !important; right: auto !important; top: auto !important; width: auto !important; box-sizing: content-box !important; font-size: 1em !important; min-height: inherit !important; background-image: none !important;"><td class="gutter" style="border-top-width: 1px; border-top-style: solid; border-top-color: rgb(231, 231, 231); padding: 6px 24px; font-family: Consolas, 'Bitstream Vera Sans Mono', 'Courier New', Courier, monospace !important; border-right-width: 0px !important; border-bottom-width: 0px !important; border-left-width: 0px !important; margin: 0px !important; vertical-align: baseline !important; border-radius: 0px !important; bottom: auto !important; float: none !important; height: auto !important; left: auto !important; line-height: 1.1em !important; outline: 0px !important; overflow: visible !important; position: static !important; right: auto !important; top: auto !important; width: auto !important; box-sizing: content-box !important; font-size: 1em !important; min-height: inherit !important; color: rgb(175, 175, 175) !important; background-image: none !important;"><div class="line number1 index0 alt2" style="border-width: 0px 3px 0px 0px !important; border-right-style: solid !important; border-right-color: rgb(108, 226, 108) !important; margin: 0px !important; padding: 0px 0.5em 0px 1em !important; vertical-align: baseline !important; border-radius: 0px !important; bottom: auto !important; float: none !important; height: auto !important; left: auto !important; line-height: 1.1em !important; outline: 0px !important; overflow: visible !important; position: static !important; right: auto !important; text-align: right !important; top: auto !important; width: auto !important; box-sizing: content-box !important; font-size: 1em !important; min-height: inherit !important; white-space: pre !important; background-image: none !important;">1</div><div class="line number2 index1 alt1" style="border-width: 0px 3px 0px 0px !important; border-right-style: solid !important; border-right-color: rgb(108, 226, 108) !important; margin: 0px !important; padding: 0px 0.5em 0px 1em !important; vertical-align: baseline !important; border-radius: 0px !important; bottom: auto !important; float: none !important; height: auto !important; left: auto !important; line-height: 1.1em !important; outline: 0px !important; overflow: visible !important; position: static !important; right: auto !important; text-align: right !important; top: auto !important; width: auto !important; box-sizing: content-box !important; font-size: 1em !important; min-height: inherit !important; white-space: pre !important; background-image: none !important;">2</div></td><td class="code" style="border-top-width: 1px; border-top-style: solid; border-top-color: rgb(231, 231, 231); padding: 6px 24px; width: 608px; font-family: Consolas, 'Bitstream Vera Sans Mono', 'Courier New', Courier, monospace !important; border-right-width: 0px !important; border-bottom-width: 0px !important; border-left-width: 0px !important; margin: 0px !important; vertical-align: baseline !important; border-radius: 0px !important; bottom: auto !important; float: none !important; height: auto !important; left: auto !important; line-height: 1.1em !important; outline: 0px !important; overflow: visible !important; position: static !important; right: auto !important; top: auto !important; box-sizing: content-box !important; font-size: 1em !important; min-height: inherit !important; background-image: none !important;"><div class="container" style="border: 0px !important; margin: 0px !important; padding: 0px !important; vertical-align: baseline !important; border-radius: 0px !important; bottom: auto !important; float: none !important; height: auto !important; left: auto !important; line-height: 1.1em !important; outline: 0px !important; overflow: visible !important; position: relative !important; right: auto !important; top: auto !important; width: auto !important; box-sizing: content-box !important; font-size: 1em !important; min-height: inherit !important; background-image: none !important;"><div class="line number1 index0 alt2" style="border: 0px !important; margin: 0px !important; padding: 0px 1em !important; vertical-align: baseline !important; border-radius: 0px !important; bottom: auto !important; float: none !important; height: auto !important; left: auto !important; line-height: 1.1em !important; outline: 0px !important; overflow: visible !important; position: static !important; right: auto !important; top: auto !important; width: auto !important; box-sizing: content-box !important; font-size: 1em !important; min-height: inherit !important; white-space: pre !important; background-image: none !important;"><code class="shell plain" style="padding: 0.2em 0px; font-size: 12px; font-family: Consolas, 'Bitstream Vera Sans Mono', 'Courier New', Courier, monospace !important; border: 0px !important; margin: 0px !important; vertical-align: baseline !important; border-radius: 0px !important; bottom: auto !important; float: none !important; height: auto !important; left: auto !important; line-height: 1.1em !important; outline: 0px !important; overflow: visible !important; position: static !important; right: auto !important; top: auto !important; width: auto !important; box-sizing: content-box !important; min-height: inherit !important; background-image: none !important;">net.netfilter.nf_conntrack_max = 655350</code></div><div class="line number2 index1 alt1" style="border: 0px !important; margin: 0px !important; padding: 0px 1em !important; vertical-align: baseline !important; border-radius: 0px !important; bottom: auto !important; float: none !important; height: auto !important; left: auto !important; line-height: 1.1em !important; outline: 0px !important; overflow: visible !important; position: static !important; right: auto !important; top: auto !important; width: auto !important; box-sizing: content-box !important; font-size: 1em !important; min-height: inherit !important; white-space: pre !important; background-image: none !important;"><code class="shell plain" style="padding: 0.2em 0px; font-size: 12px; font-family: Consolas, 'Bitstream Vera Sans Mono', 'Courier New', Courier, monospace !important; border: 0px !important; margin: 0px !important; vertical-align: baseline !important; border-radius: 0px !important; bottom: auto !important; float: none !important; height: auto !important; left: auto !important; line-height: 1.1em !important; outline: 0px !important; overflow: visible !important; position: static !important; right: auto !important; top: auto !important; width: auto !important; box-sizing: content-box !important; min-height: inherit !important; background-image: none !important;">net.netfilter.nf_conntrack_tcp_timeout_established = 1200</code></div></div></td></tr></tbody></table></div></div><p style="font-family: 微软雅黑; border: 0px; margin-top: 0px; margin-bottom: 24px; padding-top: 0px; padding-bottom: 0px; vertical-align: baseline; color: rgb(51, 51, 51); font-size: 14px; line-height: 24px; widows: auto;">至于为什么会有这样的设置，这个设置的作用是什么，就要从NAT说起了。NAT（Network Address Translation，网络地址转换）是将IP数据报报头的IP地址转化成另外一个IP地址的过程，主要用来实现局域网内的机器访问公共网络（俗称外网）的功能。公共IP地址是指在因特网上全球唯一的IP地址，RFC 1918协议还为局域网预留出了三个IP不会在公网上进行分配的地址块：</p>

增加完以上内容后，通过sysctl -p 使配置生效。不过该方法有两个缺点：一是重启iptables后，ip_conntrack_max值又会变成65535默认值，需要重新sysctl -p ；另一个是该法治标不治本，在高并发时，很快又会悲剧重演。

方法二：使用RAW表，跳过记录法

首先先认识下什么是raw表？做什么用的？

iptables有5个链:PREROUTING，INPUT，FORWARD，OUTPUT，POSTROUTING，4个表:filter，nat，mangle，raw 。

4个表的优先级由高到低的顺序为:raw-->mangle-->nat-->filter

举例来说:如果PRROUTING链上，即有mangle表，也有nat表，那么先由mangle处理，然后由nat表处理。

RAW表只使用在PREROUTING链和OUTPUT链上，因为优先级最高，从而可以对收到的数据包在连接跟踪前进行处理。一但用户使用了RAW表，在某个链上，RAW表处理完后，将跳过NAT表和 ip_conntrack处理，即不再做地址转换和数据包的链接跟踪处理了。
RAW表可以 style="color:#E53333;">应用在那些不需要做nat的情况下，以提高性能。如大量访问的web服务器，可以让80端口不再让iptables做数据包的链接跟踪处理，以提高用户的访问速度。

具体操作方法如下：

1、修改/etc/sysconfig/iptables 文件中的-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED, UNTRACKED -j ACCEPT 行。增加红色字体中的部分，保存并restart iptables 。

2、运行下面的语句：

iptables -t raw -A PREROUTING -p tcp -m multiport --dports 80,3128 -j NOTRACKiptables -t raw -A PREROUTING -p tcp -m multiport --sports 80,3128 -j NOTRACKiptables -t raw -A OUTPUT -p tcp -m multiport --dports 80,3128 -j NOTRACKiptables -t raw -A OUTPUT -p tcp -m multiport --sports 80,3128 -j NOTRACK

如果只是一个端口，改为下面的语句：

iptables -t raw -A PREROUTING -p tcp -m tcp --dport 80 -j NOTRACKiptables -t raw -A OUTPUT -p tcp -m tcp --sport 80 -j NOTRACKiptables -t raw -A PREROUTING -p tcp -m tcp --sport 80 -j NOTRACKiptables -t raw -A OUTPUT -p tcp -m tcp --dport 80 -j NOTRACK

注：第1步很重要，如果第1处没改，执行后面的语句会造成相应的端口不能访问。我使用该方法时，就因为没有执行第一步的操作，造成web访问不能使用。

方法三：移除模块法

[root@localhost log]# /sbin/lsmod | egrep 'ip_tables|conntrack'nf_conntrack_ipv6       8748  2nf_defrag_ipv6         12182  1 nf_conntrack_ipv6nf_conntrack           79453  2 nf_conntrack_ipv6,xt_stateipv6                  322541  209 ip6t_REJECT,nf_conntrack_ipv6,nf_defrag_ipv6

执行上面的语句，不难发现state模块和nf_conntrack之间是有依赖关系的。所以想要卸载nf_conntrack模块的话，必须也要把state模块移除，不然，其会自动启用nf_conntrack模块。

操作方法如下：

1、先将/etc/sysconfig/iptables 中包含state的语句移除，并restart iptables 。

2、执行语句

modprobe -r xt_NOTRACK nf_conntrack_netbios_ns nf_conntrack_ipv4 xt_statemodprobe -r nf_conntrack

执行完查看/proc/net/ 下面如果没用了 nf_conntrack ，就证明模块移除成功了。

总结：

以上三种方法种，如果像web这样的操作访问量并发不大的情况下，建议通过第一种方法实现。因为nf_conntrack模块的作用不仅仅只用于记录状态，iptables还可以通过对该模块的使有达到动态过滤的作用。如我在用ab动测试的一台服务器上进行并发模拟时，在/var/log/message里发现如下的日志：

Apr 22 15:21:46 localhost kernel: possible SYN flooding on port 80. Sending cookies.Apr 22 15:22:46 localhost kernel: possible SYN flooding on port 80. Sending cookies.

而此时iptables会智能的将发动SYN flood攻击的IP暂时拒绝掉：

[root@localhost ~]# ab -c 500 -n 5000 "http://192.168.10.177/"This is ApacheBench, Version 2.0.40-dev <$Revision: 1.146 $> apache-2.0Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/Copyright 2006 The Apache Software Foundation, http://www.apache.org/Benchmarking 192.168.10.177 (be patient)apr_socket_recv: Connection reset by peer (104)Total of 68 requests completed

如上所以，我用ab操作时，其就会收到apr_socket_recv 的错误提示。我在网上查询到其具体实现的原理如下：

传统的防火墙只能进行静态过滤，而 iptables 除了这个基本的功能之外还可以进行动态过滤，即可以对连接状态进行跟踪，通常称为 conntrack 。但这不意味着它只能对 TCP 这样的面向连接的协议有效，它还可以对 UDP， ICMP 这种无连接的协议进行跟踪，我们下面马上就会看到。

iptables 中的连接跟踪是通过 state 模块来实现的，是在PREROUTING 链中完成的，除了本地主机产生的数据包，它们是在 OUTPUT 链中完成。它把“连接”划分为四种状态：NEW， ESTABLISHED， RELATED 和 INVALID。连接跟踪当前的所有连接状态可以通过 /proc/net/nf_conntrack 来查看（注意，在一些稍微旧的 Linux 系统上是 /proc/net/ip_conntrack）。

当 conntrack 第一次看到相关的数据包时，就会把状态标记为 NEW ，比如 TCP 协议中收到第一个 SYN 数据包。当连接的双方都有数据包收发并且还将继续匹配到这些数据包时，连接状态就会变为 ESTABLISHED 。而 RELATED 状态是指一个新的连接，但这个连接和某个已知的连接有关系，比如 FTP 协议中的数据传输连接。INVALID 状态是说数据包和已知的任何连接都不匹配。

当然，仅仅利用iptables conntrack自动实现syn flood 等DDOS攻击时很弱的。而现成的动态过滤和DDOS防护的方法是很多的。比如netstat脚本实现，iptalbes限制每秒进行连接数，nginx/apache的连接数限制模块及fail2ban日志分析法………… ，所以在具有以上防护的情况下，非常推荐将web 、squid/varnish等应用所在的服务器配置为RAW方式。我在现网一台150M/S 的cache server上将80和3128两个端口全部NOTRACK之后，conntrack hash表由瞬满直线下降到只有几百条。

最后，最不推荐使用的第三种方法，因为第三种方法会将state模块也一块儿移除掉。

参考页面：

http://jaseywang.me/2012/08/16/%E8%A7%A3%E5%86%B3-nf_conntrack-table-full-dropping-packet-%E7%9A%84%E5%87%A0%E7%A7%8D%E6%80%9D%E8%B7%AF/

http://wiki.khnet.info/index.php/Conntrack_tuning

http://blog.zol.com.cn/2608/article_2607945.html

http://wangcong.org/articles/learning-iptables.cn.html

http://pc-freak.net/blog/resolving-nf_conntrack-table-full-dropping-packet-flood-message-in-dmesg-linux-kernel-log/

http://blog.csdn.net/dog250/article/details/7262619

0 0