update

likujy2061 · Oct 19, 2016 · bae1197 · bae1197
1 parent 8f05e91
commit bae1197
Show file tree

Hide file tree

Showing 2 changed files with 135 additions and 0 deletions.
diff --git a/iptables/iptables_limit_b.sh b/iptables/iptables_limit_b.sh
@@ -0,0 +1,36 @@
+#!/bin/bash
+## Iptables 2016-09-28
+## http://www.aqzt.com
+## email: [email protected]
+## robert yu
+## centos 6
+## iptables 流量限制，可以通过调整--limit-burst 10值来控制流入 流出
+## --limit 1/s 表示每秒一次; 1/m 则为每分钟一次
+## --limit-burst 表示允许触发 limit 限制的最大次数 (预设 5)
+## --limit 2000/s --limit-burst 5   传送速度5.1MB/s
+## --limit 2400/s --limit-burst 4   传送速度6.1MB/s
+## --limit 2000/s --limit-burst 10     传送速度18.4MB/s
+## --limit 2500/sec --limit-burst 200  传送速度51.7MB/s
+## --limit 3000/sec --limit-burst 360  传送速度66.7MB/s
+
+/sbin/iptables -F
+
+/sbin/iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
+/sbin/iptables -A INPUT -s 127.0.0.1 -j ACCEPT
+/sbin/iptables -A INPUT -s 192.168.1.111 -j ACCEPT
+/sbin/iptables -A INPUT -s 192.168.1.112 -j ACCEPT
+/sbin/iptables -A INPUT  -p tcp --dport 22  -j ACCEPT
+/sbin/iptables -A INPUT  -p tcp --dport 80  -j ACCEPT
+/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED  -m limit --limit 2500/sec --limit-burst 200 -j ACCEPT
+/sbin/iptables -A INPUT  -m limit --limit 2500/sec --limit-burst 200 -j ACCEPT 
+/sbin/iptables -A INPUT  -j DROP
+/sbin/iptables -A FORWARD  -m limit --limit 2500/sec --limit-burst 200 -j ACCEPT 
+/sbin/iptables -A FORWARD  -j DROP
+/sbin/iptables -A OUTPUT   -m limit --limit 2500/sec --limit-burst 200 -j ACCEPT 
+/sbin/iptables -A OUTPUT   -j DROP
+/sbin/iptables -A INPUT -j REJECT
+/sbin/iptables -A FORWARD -j REJECT
+/sbin/iptables -A OUTPUT -j ACCEPT
+
+/sbin/service iptables save
+echo ok
diff --git a/linux-init-script/sysctl_centos7_a.conf.sh b/linux-init-script/sysctl_centos7_a.conf.sh
@@ -0,0 +1,99 @@
+#!/bin/bash
+# centos7
+# 20161019
+# /etc/sysctl.conf
+cat >>/etc/sysctl.conf<<EOF
+#系统优化参数
+#关闭ipv6
+net.ipv6.conf.all.disable_ipv6 = 1
+net.ipv6.conf.default.disable_ipv6 = 1
+#决定检查过期多久邻居条目
+net.ipv4.neigh.default.gc_stale_time=120
+#使用arp_announce / arp_ignore解决ARP映射问题
+net.ipv4.conf.default.arp_announce = 2
+net.ipv4.conf.all.arp_announce=2
+net.ipv4.conf.lo.arp_announce=2
+# 避免放大攻击
+net.ipv4.icmp_echo_ignore_broadcasts = 1
+# 开启恶意icmp错误消息保护
+net.ipv4.icmp_ignore_bogus_error_responses = 1
+#关闭路由转发
+net.ipv4.ip_forward = 0
+net.ipv4.conf.all.send_redirects = 0
+net.ipv4.conf.default.send_redirects = 0
+#开启反向路径过滤
+net.ipv4.conf.all.rp_filter = 1
+net.ipv4.conf.default.rp_filter = 1
+#处理无源路由的包
+net.ipv4.conf.all.accept_source_route = 0
+net.ipv4.conf.default.accept_source_route = 0
+#关闭sysrq功能
+kernel.sysrq = 0
+#core文件名中添加pid作为扩展名
+kernel.core_uses_pid = 1
+# 开启SYN洪水攻击保护
+net.ipv4.tcp_syncookies = 1
+#修改消息队列长度
+kernel.msgmnb = 65536
+kernel.msgmax = 65536
+#设置最大内存共享段大小bytes
+kernel.shmmax = 68719476736
+kernel.shmall = 4294967296
+#timewait的数量，默认180000
+net.ipv4.tcp_max_tw_buckets = 6000
+net.ipv4.tcp_sack = 1
+net.ipv4.tcp_window_scaling = 1
+net.ipv4.tcp_rmem = 4096        87380   4194304
+net.ipv4.tcp_wmem = 4096        16384   4194304
+net.core.wmem_default = 8388608
+net.core.rmem_default = 8388608
+net.core.rmem_max = 16777216
+net.core.wmem_max = 16777216
+#每个网络接口接收数据包的速率比内核处理这些包的速率快时，允许送到队列的数据包的最大数目
+net.core.netdev_max_backlog = 262144
+#限制仅仅是为了防止简单的DoS 攻击
+net.ipv4.tcp_max_orphans = 3276800
+#未收到客户端确认信息的连接请求的最大值
+net.ipv4.tcp_max_syn_backlog = 262144
+net.ipv4.tcp_timestamps = 0
+#内核放弃建立连接之前发送SYNACK 包的数量
+net.ipv4.tcp_synack_retries = 1
+#内核放弃建立连接之前发送SYN 包的数量
+net.ipv4.tcp_syn_retries = 1
+#启用timewait 快速回收
+net.ipv4.tcp_tw_recycle = 1
+#开启重用。允许将TIME-WAIT sockets 重新用于新的TCP 连接
+net.ipv4.tcp_tw_reuse = 1
+net.ipv4.tcp_mem = 94500000 915000000 927000000
+net.ipv4.tcp_fin_timeout = 1
+#当keepalive 起用的时候，TCP 发送keepalive 消息的频度。缺省是2 小时
+net.ipv4.tcp_keepalive_time = 1800
+net.ipv4.tcp_keepalive_probes = 3
+net.ipv4.tcp_keepalive_intvl = 15
+#允许系统打开的端口范围
+net.ipv4.ip_local_port_range = 1024    65000
+#修改防火墙表大小，默认65536
+net.netfilter.nf_conntrack_max=655350
+net.netfilter.nf_conntrack_tcp_timeout_established=1200
+# 确保无人能修改路由表
+net.ipv4.conf.all.accept_redirects = 0
+net.ipv4.conf.default.accept_redirects = 0
+net.ipv4.conf.all.secure_redirects = 0
+net.ipv4.conf.default.secure_redirects = 0
+vm.swappiness = 10
+kernel.panic = 5
+fs.file-max = 165535
+# for high-latency network
+net.ipv4.tcp_congestion_control = hybla
+#maximize the available memory
+vm.overcommit_memory = 1
+vm.dirty_ratio = 1
+vm.swappiness = 10
+vm.vfs_cache_pressure = 110
+#vm.zone_reclaim_mode = 0
+
+#keep the IO performance steady
+vm.dirty_background_ratio = 1
+vm.dirty_writeback_centisecs = 100
+vm.dirty_expire_centisecs = 100
+EOF