net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 900
net.ipv4.netfilter.ip_conntrack_buckets = 1048576
net.ipv4.netfilter.ip_conntrack_count = 56567
net.ipv4.netfilter.ip_conntrack_max = 1048576
Because the network is large (a few thousand machines), ip_conntrack_count can reach 200,000 at peak. Six public addresses are used for SNAT:
/sbin/iptables -t nat -A POSTROUTING -s 0.0.0.0/0 -j SNAT --to-source xxx.xxx.xxx.1-xxx.xxx.xxx.6
This works without any problems. In use, however, the public address turns out to be random: refresh the browser once and it changes.
Counting entries in /proc/net/ip_conntrack shows the 6 public IPs are used evenly.
The problem now is that logging into forums, webmail and so on keeps prompting "not logged in" and fails verification. I assume it is because the server side sees the source IP change.
Could anyone give me some advice?
60000 ports means you can open 60000 connections to the same IP address and the same port; is that not enough?
In your situation, consider using the iptables SAME target. I don't know why something this important is missing from the man page:
SAME v1.2.11 options:
--to -
Addresses to map source to.
May be specified more than
once for multiple ranges.
--nodst
Don't use destination-ip in
source selection
11.16. SAME target
The SAME target works almost in the same fashion as the SNAT target, but it still differs. Basically, the SAME target will try to always use the same outgoing IP address for all connections initiated by a single host on your network. For example, say you have one /24 network (192.168.1.0) and 3 IP addresses (10.5.6.7-9). Now, if 192.168.1.20 went out through the .7 address the first time, the firewall will try to keep that machine always going out through that IP address.
Option --to
Example iptables -t mangle -A PREROUTING -s 192.168.1.0/24 -j SAME --to 10.5.6.7-10.5.6.9
Explanation As you can see, the --to argument takes 2 IP addresses bound together by a - sign. These IP addresses, and all in between, are the IP addresses that we NAT to using the SAME algorithm.
Option --nodst
Example iptables -t mangle -A PREROUTING -s 192.168.1.0/24 -j SAME --to 10.5.6.7-10.5.6.9 --nodst
Explanation Under normal action, the SAME target is calculating the followup connections based on both destination and source IP addresses. Using the --nodst option, it uses only the source IP address to find out which outgoing IP the NAT function should use for the specific connection. Without this argument, it uses a combination of the destination and source IP address.
/sbin/iptables -t nat -A POSTROUTING -s 0.0.0.0/0 -j SAME --to xxx.xxx.xxx.1-xxx.xxx.xxx.6
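To see why SAME fixes the login problem while plain SNAT over a range does not, the following added model (not code from the thread or from iptables) picks an outgoing address the way the SAME target is described above: it derives the choice from the client source address, plus the destination address unless --nodst is given, and maps that onto the address range. The "sum modulo pool size" rule is an assumption standing in for the kernel's selection; the 198.51.100.x pool replaces the xxx.xxx.xxx.1-6 range from the post. On kernels that no longer ship the SAME target, the equivalent is SNAT with the --persistent option, which supersedes it.

```python
import ipaddress
from typing import Dict, List, Set

IPv4 = ipaddress.IPv4Address


def expand_range(spec: str) -> List[IPv4]:
    """Expand an iptables-style 'first-last' range (as given to --to) into a list."""
    first, _, last = spec.partition("-")
    lo, hi = IPv4(first), IPv4(last or first)
    if hi < lo:
        raise ValueError(f"range end precedes start: {spec}")
    return [IPv4(int(lo) + i) for i in range(int(hi) - int(lo) + 1)]


def select_same(src: str, dst: str, pool: List[IPv4], nodst: bool = False) -> IPv4:
    """Model of the SAME target's choice of outgoing address for one new connection.

    Assumption: the selector is the source address (plus the destination address
    unless --nodst) reduced modulo the pool size. The real kernel code is not on
    the page; what matters is that the choice depends only on these inputs, so
    every new flow from the same client (and destination) leaves the same way.
    """
    key = int(IPv4(src))
    if not nodst:
        key += int(IPv4(dst))
    return pool[key % len(pool)]


def affinity_report(clients: List[str], dsts: List[str], pool: List[IPv4],
                    nodst: bool) -> Dict[str, Set[IPv4]]:
    """For each client, the set of public addresses it is seen from across all
    destinations. A set of size 1 means a server can never observe the client
    switching source IP mid-session."""
    return {c: {select_same(c, d, pool, nodst) for d in dsts} for c in clients}


def pool_balance(clients: List[str], pool: List[IPv4]) -> Dict[IPv4, int]:
    """How evenly a /24 of clients spreads over the pool under --nodst."""
    counts = {ip: 0 for ip in pool}
    for c in clients:
        counts[select_same(c, "0.0.0.0", pool, nodst=True)] += 1
    return counts


if __name__ == "__main__":
    # Constructed sample input: one /24 of clients and three unrelated servers.
    pool = expand_range("198.51.100.1-198.51.100.6")
    clients = [f"192.168.1.{i}" for i in range(1, 255)]
    dsts = ["203.0.113.10", "203.0.113.11", "198.18.0.5"]
    print(affinity_report(["192.168.1.20"], dsts, pool, nodst=True))
    print(affinity_report(["192.168.1.20"], dsts, pool, nodst=False))
    print(pool_balance(clients, pool))
```

With --nodst each client is pinned to exactly one public address for every destination; without it the address is stable per client/destination pair, which is still enough for a single site's session check but lets different sites see the same client from different addresses.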