Showing posts with label Linux.

Friday, December 29, 2023

iptables traffic forwarding

Requirement:

Forward traffic arriving at local port 8060 to another IP address and port, xxx.xxx.xxx.xxx:9060


Add to /etc/sysctl.conf:

net.ipv4.ip_forward = 1


After saving and exiting, run:

sysctl -p

Commands:

/usr/sbin/iptables -t nat -I PREROUTING -p tcp --dport 8060 -j DNAT --to-destination xxx.xxx.xxx.xxx:9060
/usr/sbin/iptables -t nat -I POSTROUTING -j MASQUERADE

The second rule can be replaced by either of the following, with the same effect:

/usr/sbin/iptables -t nat -I POSTROUTING -p tcp -d xxx.xxx.xxx.xxx --dport 9060 -j MASQUERADE
/usr/sbin/iptables -t nat -I POSTROUTING -p tcp -d xxx.xxx.xxx.xxx --dport 9060 -j SNAT --to-source 10.71.10.15

Note for the SNAT form: an Alibaba Cloud ECS instance has a private (internal) IP, and --to-source must use that private IP, not the public one.

Note: the iptables service must be installed and started first, and the INPUT and FORWARD chains must also open the relevant ports or ACCEPT the traffic. If forwarding fails, troubleshoot with tcpdump.

/usr/sbin/iptables -I FORWARD -s <ip-range-1>/<mask-1> -d <ip-range-2>/<mask-2> -j ACCEPT

/usr/sbin/iptables -I FORWARD -j ACCEPT
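
As an added example (not the original post's commands), the same DNAT forward as a POSIX sh script that first checks that ip_forward is really on and that the target parses, and scopes the MASQUERADE and FORWARD rules to this one flow instead of the catch-all forms above; the target address 203.0.113.10 and the client subnet 10.71.10.0/24 are assumed placeholders.

```shell
#!/bin/sh
# Added example, not the original post's commands: apply the tcp/8060 -> 9060 forward
# above only after checking its preconditions, with MASQUERADE and FORWARD scoped to
# this one flow rather than the post's catch-all "-I POSTROUTING -j MASQUERADE" and
# "-I FORWARD -j ACCEPT". Assumed: target 203.0.113.10 (placeholder), clients 10.71.10.0/24.
IPT=${IPT:-/usr/sbin/iptables}

# 0 if IPv4 forwarding is enabled (IPF_FILE overrides the path for testing).
ip_forward_enabled() {
    f=${IPF_FILE:-/proc/sys/net/ipv4/ip_forward}
    [ -r "$f" ] && [ "$(tr -d '[:space:]' < "$f")" = "1" ]
}

# 0 if "$1" is a well-formed IPv4 "a.b.c.d:port" with port 1-65535.
valid_hostport() {
    ip=${1%:*}; port=${1##*:}
    case "$port" in ''|*[!0-9]*) return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    set -- $(printf '%s' "$ip" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
}

# Print iptables arguments: DNAT local tcp/$1 to $2 (ip:port) for clients in $3,
# a MASQUERADE limited to that destination, and FORWARD rules for the flow and its replies.
forward_rules() {
    lport=$1; dst=$2; src=$3; dip=${dst%:*}; dport=${dst##*:}
    printf '%s\n' \
      "-t nat -A PREROUTING -p tcp -s $src --dport $lport -j DNAT --to-destination $dst" \
      "-t nat -A POSTROUTING -p tcp -d $dip --dport $dport -j MASQUERADE" \
      "-A FORWARD -p tcp -s $src -d $dip --dport $dport -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT" \
      "-A FORWARD -p tcp -s $dip --sport $dport -m conntrack --ctstate ESTABLISHED -j ACCEPT"
}

# Refuse to touch the firewall unless forwarding is on and the target parses.
setup_forward() {
    ip_forward_enabled || { echo "net.ipv4.ip_forward is not 1; fix sysctl first" >&2; return 1; }
    valid_hostport "$2" || { echo "bad target: $2" >&2; return 1; }
    while read -r rule; do
        # shellcheck disable=SC2086  # splitting $rule into arguments is intended
        "$IPT" $rule || return 1
    done <<EOF
$(forward_rules "$1" "$2" "$3")
EOF
}

if [ "${1:-}" = "--apply" ]; then setup_forward 8060 "${TARGET:-203.0.113.10}:9060" 10.71.10.0/24; fi
```

Run as root with `--apply` (optionally `TARGET=<ip>`) to install the rules; set `IPT=echo` to print them instead.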
Thursday, September 28, 2023

Linux local port redirection

Forward data received on local port udp/514 to udp/5140:

iptables -t nat -I PREROUTING -i ens33 -p udp --dport 514 -j REDIRECT --to-port 5140

Note: ens33 is the name of the network interface.

Wednesday, May 17, 2023

Linux host using PPPoE dial-up as a gateway: some websites fail to open

echo 1 > /proc/sys/net/ipv4/ip_forward  # or set it in /etc/sysctl.conf
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1452

References:

https://v2ex.com/t/940431

https://blog.csdn.net/victory08/article/details/51454030

Sunday, February 7, 2021

ntpd keeps crashing and does not start automatically at boot

Error log:

ntpd[1706]: 0.0.0.0 0617 07 panic_stop -26754 s; set clock manually within 1000 s.

Solution:

Stop the chronyd service:

systemctl stop chronyd
systemctl disable chronyd

Or switch to chronyd instead.

Reference:

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/ch-configuring_ntp_using_ntpd#s1-Disabling_chrony

Friday, January 10, 2020

HTTP TRACE / TRACK Methods Allowed

1. vi /etc/httpd/conf/httpd.conf

2. Add the line:
TraceEnable Off
3. systemctl restart httpd

SNMP Agent Default Community Name (public)

1. vi /etc/snmp/snmpd.conf

2. Comment out the line:
#com2sec notConfigUser  default       public
3. systemctl restart snmpd

SSL Medium Strength Cipher Suites Supported (SWEET32)

1. vi /etc/httpd/conf.d/ssl.conf

2. Modify SSLCipherSuite and SSLHonorCipherOrder:
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
SSLHonorCipherOrder on
3. systemctl restart httpd
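
Added example, not part of the original post: a POSIX sh audit that checks the three settings above directly in the configuration files, so the fix can be confirmed before a rescan. It is run here against constructed "before" and "after" sample files, not real server configs.

```shell
#!/bin/sh
# Added example, not from the original post: verify the three fixes above in the
# config files themselves. The sample files are constructed here: a failing "before"
# and a passing "after" for each check.

# 0 if an uncommented "TraceEnable Off" is present in the httpd config.
trace_disabled() {
    grep -Eiq '^[[:space:]]*TraceEnable[[:space:]]+Off' "$1"
}

# 0 if no uncommented com2sec/rocommunity/rwcommunity line still grants "public".
snmp_public_removed() {
    ! grep -Eq '^[[:space:]]*(com2sec|rocommunity|rwcommunity)[[:space:]].*[[:space:]]public([[:space:]]|$)' "$1"
}

# 0 if the active SSLCipherSuite excludes 3DES (SWEET32) and RC4 and SSLHonorCipherOrder is on.
cipher_policy_ok() {
    suite=$(grep -Ei '^[[:space:]]*SSLCipherSuite[[:space:]]' "$1" | tail -n 1)
    [ -n "$suite" ] || return 1
    case "$suite" in *'!3DES'*) ;; *) return 1 ;; esac
    case "$suite" in *'!RC4'*) ;; *) return 1 ;; esac
    grep -Eiq '^[[:space:]]*SSLHonorCipherOrder[[:space:]]+on' "$1"
}

# Print PASS/FAIL for one check; "$1" is the label, the rest is the check command.
report() { label=$1; shift; if "$@"; then echo "PASS $label"; else echo "FAIL $label"; fi; }

# Create constructed sample configs (not copied from any real server) and print their directory.
make_samples() {
    d=$(mktemp -d)
    printf 'LoadModule ssl_module modules/mod_ssl.so\n' > "$d/httpd.before"
    printf 'TraceEnable Off\n' > "$d/httpd.after"
    printf 'com2sec notConfigUser  default       public\n' > "$d/snmpd.before"
    printf '#com2sec notConfigUser  default       public\n' > "$d/snmpd.after"
    printf 'SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5\nSSLHonorCipherOrder on\n' > "$d/ssl.before"
    printf 'SSLCipherSuite "EECDH+AESGCM EDH+aRSA !RC4 !aNULL !3DES !MD5"\nSSLHonorCipherOrder on\n' > "$d/ssl.after"
    echo "$d"
}

d=$(make_samples)
for f in before after; do
    report "TraceEnable ($f)" trace_disabled "$d/httpd.$f"
    report "SNMP public ($f)" snmp_public_removed "$d/snmpd.$f"
    report "SWEET32 ($f)" cipher_policy_ok "$d/ssl.$f"
done
rm -rf "$d"
```

Point the three functions at /etc/httpd/conf/httpd.conf, /etc/snmp/snmpd.conf and /etc/httpd/conf.d/ssl.conf to audit a real host.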

Thursday, December 19, 2019

CentOS check and install available security updates

1. To install the yum-security plugin
yum install yum-plugin-security
2. To list all available security updates without installing them
yum updateinfo list sec available
To get the count
yum updateinfo list sec available | wc -l
3. To install available security updates
yum -y update --security
To only install the packages that have a security errata use
yum update-minimal --security -y
To install a security update using a CVE reference
yum update --cve <CVE> (e.g. yum update --cve CVE-2008-0947)
Refer to:
https://access.redhat.com/solutions/10021
https://www.thegeekdiary.com/centos-rhel-6-how-to-list-or-install-only-security-updates-with-yum/

Configure CentOS repositories to use the USTC mirror

CentOS repositories:
https://mirrors.ustc.edu.cn/help/centos.html

EPEL repository:
http://mirrors.ustc.edu.cn/help/epel.html

Sunday, January 13, 2019

Linux: start services at boot

Enable a service at boot:
chkconfig --add test
chkconfig test on

List all services and their on/off setting per runlevel:
chkconfig --list

Reference: https://www.thegeekstuff.com/2011/06/chkconfig-examples/

Thursday, December 31, 2015

How to delete specific IPv6 rule of UFW

e.g. after ufw allow 22/tcp (which adds an IPv4 rule and, when IPv6 is enabled in ufw, an IPv6 rule):
# "ufw status numbered" prints lines like "[ 3] 22/tcp ... (v6)"; characters 2-3 hold the
# rule number (space-padded below 10), so strip the space before passing it to ufw delete
echo y | ufw delete $(ufw status numbered | grep '22/tcp.*v6' | cut -c 2,3 | tr -d ' ')

or script:
# same extraction as above (cut -c 2,3 covers rule numbers up to 99); delete only if a match exists
delv6=$(ufw status numbered | grep '22/tcp.*v6' | cut -c 2,3 | tr -d ' ')
if [ -n "$delv6" ]; then
    echo y | ufw delete "$delv6"
fi
unset delv6

How to install libsodium for ChaCha20

cd /etc
# --no-check-certificate disables TLS certificate verification for this download; drop it once the host has a working CA bundle
wget --no-check-certificate https://download.libsodium.org/libsodium/releases/LATEST.tar.gz
tar zxf LATEST.tar.gz
cd libsodium*
./configure
apt-get install make
make && make install
# make the freshly installed /usr/local/lib visible to the dynamic linker
echo /usr/local/lib > /etc/ld.so.conf.d/usr_local_lib.conf
ldconfig

How to remove exim4

apt-get --purge remove exim4 exim4-base exim4-config exim4-daemon-light -y

How to install gevent

apt-get install build-essential python-dev -y
pip install gevent

Wednesday, December 30, 2015

Simple configuration notes for Dnsmasq

About /etc/dnsmasq.conf:

#resolv-file= specifies the path of the file holding the list of upstream DNS servers. It is commented out by default, which is equivalent to resolv-file=/etc/resolv.conf; here it is changed to /etc/resolv.dnsmasq.conf
sed -i '1,$s/^#resolv-file=.*/resolv-file=\/etc\/resolv.dnsmasq.conf/' /etc/dnsmasq.conf
Then specify the upstream DNS servers:
echo "nameserver 8.8.8.8" >> /etc/resolv.dnsmasq.conf
echo "nameserver 8.8.4.4" >> /etc/resolv.dnsmasq.conf
In /etc/resolv.conf keep only the local DNS entry:
echo "nameserver 127.0.0.1" > /etc/resolv.conf
#strict-order: if uncommented, dnsmasq queries the servers listed in the resolv-file strictly in order from top to bottom, stopping at the first successful resolution

#no-resolv: if uncommented, the resolv-file is not read at all; when you uncomment it you must add upstream server addresses to this file, otherwise DNS queries are refused, e.g. add a line server=8.8.8.8

#no-dhcp-interface=: if uncommented with an interface name, DHCP is disabled on that interface and only DNS is served
sed -i '1,$s/^#no-dhcp-interface=.*/no-dhcp-interface=venet0/' /etc/dnsmasq.conf

One open question: if resolv-file= is left at the default (i.e. /etc/resolv.conf) and a line nameserver 127.0.0.1 is appended to /etc/resolv.conf, the upstream server addresses and the local DNS server address end up in the same file. Resolution still works, but I do not know why this does not cause a query loop, or what the DNS priority is in that case.

Reference: http://www.freeoa.net/osuport/servap/dnsmasq-use-intro-refer_2480.html

The two meanings of permit and deny in ACLs

permit = allow, deny = reject; permit = match, deny = no match