linux iptables ip_conntrack: table full CentOS 7 iptables

CentOS 7 預設使用firewalld來管理iptables規則，由于防火牆規則變動的情況很少，動不動态變得無所謂了。但是習慣是魔鬼，跟之前不一樣，總是感覺不太習慣。


systemctl disable firewalld
yum remove firewalld -y


使用下面的辦法來恢複原來的習慣,同時解決iptables開機啟動的問題。


yum install iptables-services -y
systemctl enable iptables


這樣的話，iptables服務會開機啟動，自動從/etc/sysconfig/iptables 檔案導入規則。


為了讓/etc/init.d/iptables save 這條指令生效，需要這麼做


cp /usr/libexec/iptables/iptables.init /etc/init.d/iptables
/etc/init.d/iptables save


而chkconfig iptables 指令會自動重定向到sytemctl enable iptables


--------------------------------------分割線 --------------------------------------


iptables使用範例詳解 http://www.linuxidc.com/Linux/2014-03/99159.htm


iptables—包過濾（網絡層）防火牆 http://www.linuxidc.com/Linux/2013-08/88423.htm


Linux防火牆iptables詳細教程 http://www.linuxidc.com/Linux/2013-07/87045.htm


iptables+L7+Squid實作完善的軟體防火牆 http://www.linuxidc.com/Linux/2013-05/84802.htm


iptables的備份、恢複及防火牆腳本的基本使用 http://www.linuxidc.com/Linux/2013-08/88535.htm


Linux下防火牆iptables用法規則詳解 http://www.linuxidc.com/Linux/2012-08/67952.htm


--------------------------------------分割線 --------------------------------------


更多CentOS相關資訊見CentOS 專題頁面 http://www.linuxidc.com/topicnews.aspx?tid=14


本文永久更新連結位址：http://www.linuxidc.com/Linux/2014-11/109592.htm

service iptables status 檢視iptables狀态
service iptables restart iptables服務重新開機
service iptables stop iptables服務禁用

</pre><pre class="reply-text mb10" id="content-662957502" name="code" style="white-space: pre-wrap; word-wrap: break-word; color: rgb(51, 51, 51); font-size: 14px; line-height: 26px; background-color: rgb(255, 255, 255);">/

<p style="font-family: 微軟雅黑; border: 0px; margin-top: 0px; margin-bottom: 24px; padding-top: 0px; padding-bottom: 0px; vertical-align: baseline; color: rgb(51, 51, 51); font-size: 14px; line-height: 24px; widows: auto;">解決辦法如其所述，對ip_conntrack的兩個參數進行設定即可，不過在centos上，需要這樣設定：</p><div style="font-family: 微軟雅黑; border: 0px; margin: 0px; padding: 0px; vertical-align: baseline; color: rgb(51, 51, 51); font-size: 14px; line-height: 24px; widows: auto;"><div id="highlighter_766110" class="syntaxhighlighter  shell" style="border: 0px; padding: 1px 0px; vertical-align: baseline; width: 640px; margin: 1em 0px !important; position: relative !important; overflow: auto !important; font-size: 1em !important;"><table  cellpadding="0" cellspacing="0" style="border: 1px solid rgb(231, 231, 231); margin: 0px -1px 24px 0px; border-collapse: collapse; border-spacing: 0px; width: 640px; font-family: Consolas, 'Bitstream Vera Sans Mono', 'Courier New', Courier, monospace !important; padding: 0px !important; vertical-align: baseline !important; border-radius: 0px !important; bottom: auto !important; float: none !important; height: auto !important; left: auto !important; line-height: 1.1em !important; outline: 0px !important; overflow: visible !important; position: static !important; right: auto !important; top: auto !important; box-sizing: content-box !important; font-size: 1em !important; min-height: inherit !important; background-image: none !important;"><tbody style="border: 0px !important; margin: 0px !important; padding: 0px !important; vertical-align: baseline !important; border-radius: 0px !important; bottom: auto !important; float: none !important; height: auto !important; left: auto !important; line-height: 1.1em !important; outline: 0px !important; overflow: visible !important; position: static !important; right: auto !important; top: auto !important; width: auto !important; box-sizing: content-box !important; font-size: 1em !important; min-height: inherit !important; background-image: none !important;"><tr style="border: 0px !important; margin: 0px !important; padding: 0px !important; vertical-align: baseline !important; border-radius: 0px !important; bottom: auto !important; float: none !important; height: auto !important; left: auto !important; line-height: 1.1em !important; outline: 0px !important; overflow: visible !important; position: static !important; right: auto !important; top: auto !important; width: auto !important; box-sizing: content-box !important; font-size: 1em !important; min-height: inherit !important; background-image: none !important;"><td class="gutter" style="border-top-width: 1px; border-top-style: solid; border-top-color: rgb(231, 231, 231); padding: 6px 24px; font-family: Consolas, 'Bitstream Vera Sans Mono', 'Courier New', Courier, monospace !important; border-right-width: 0px !important; border-bottom-width: 0px !important; border-left-width: 0px !important; margin: 0px !important; vertical-align: baseline !important; border-radius: 0px !important; bottom: auto !important; float: none !important; height: auto !important; left: auto !important; line-height: 1.1em !important; outline: 0px !important; overflow: visible !important; position: static !important; right: auto !important; top: auto !important; width: auto !important; box-sizing: content-box !important; font-size: 1em !important; min-height: inherit !important; color: rgb(175, 175, 175) !important; background-image: none !important;"><div class="line number1 index0 alt2" style="border-width: 0px 3px 0px 0px !important; border-right-style: solid !important; border-right-color: rgb(108, 226, 108) !important; margin: 0px !important; padding: 0px 0.5em 0px 1em !important; vertical-align: baseline !important; border-radius: 0px !important; bottom: auto !important; float: none !important; height: auto !important; left: auto !important; line-height: 1.1em !important; outline: 0px !important; overflow: visible !important; position: static !important; right: auto !important; text-align: right !important; top: auto !important; width: auto !important; box-sizing: content-box !important; font-size: 1em !important; min-height: inherit !important; white-space: pre !important; background-image: none !important;">1</div><div class="line number2 index1 alt1" style="border-width: 0px 3px 0px 0px !important; border-right-style: solid !important; border-right-color: rgb(108, 226, 108) !important; margin: 0px !important; padding: 0px 0.5em 0px 1em !important; vertical-align: baseline !important; border-radius: 0px !important; bottom: auto !important; float: none !important; height: auto !important; left: auto !important; line-height: 1.1em !important; outline: 0px !important; overflow: visible !important; position: static !important; right: auto !important; text-align: right !important; top: auto !important; width: auto !important; box-sizing: content-box !important; font-size: 1em !important; min-height: inherit !important; white-space: pre !important; background-image: none !important;">2</div><div class="line number3 index2 alt2" style="border-width: 0px 3px 0px 0px !important; border-right-style: solid !important; border-right-color: rgb(108, 226, 108) !important; margin: 0px !important; padding: 0px 0.5em 0px 1em !important; vertical-align: baseline !important; border-radius: 0px !important; bottom: auto !important; float: none !important; height: auto !important; left: auto !important; line-height: 1.1em !important; outline: 0px !important; overflow: visible !important; position: static !important; right: auto !important; text-align: right !important; top: auto !important; width: auto !important; box-sizing: content-box !important; font-size: 1em !important; min-height: inherit !important; white-space: pre !important; background-image: none !important;">3</div><div class="line number4 index3 alt1" style="border-width: 0px 3px 0px 0px !important; border-right-style: solid !important; border-right-color: rgb(108, 226, 108) !important; margin: 0px !important; padding: 0px 0.5em 0px 1em !important; vertical-align: baseline !important; border-radius: 0px !important; bottom: auto !important; float: none !important; height: auto !important; left: auto !important; line-height: 1.1em !important; outline: 0px !important; overflow: visible !important; position: static !important; right: auto !important; text-align: right !important; top: auto !important; width: auto !important; box-sizing: content-box !important; font-size: 1em !important; min-height: inherit !important; white-space: pre !important; background-image: none !important;">4</div><div class="line number5 index4 alt2" style="border-width: 0px 3px 0px 0px !important; border-right-style: solid !important; border-right-color: rgb(108, 226, 108) !important; margin: 0px !important; padding: 0px 0.5em 0px 1em !important; vertical-align: baseline !important; border-radius: 0px !important; bottom: auto !important; float: none !important; height: auto !important; left: auto !important; line-height: 1.1em !important; outline: 0px !important; overflow: visible !important; position: static !important; right: auto !important; text-align: right !important; top: auto !important; width: auto !important; box-sizing: content-box !important; font-size: 1em !important; min-height: inherit !important; white-space: pre !important; background-image: none !important;">5</div></td><td class="code" style="border-top-width: 1px; border-top-style: solid; border-top-color: rgb(231, 231, 231); padding: 6px 24px; width: 608px; font-family: Consolas, 'Bitstream Vera Sans Mono', 'Courier New', Courier, monospace !important; border-right-width: 0px !important; border-bottom-width: 0px !important; border-left-width: 0px !important; margin: 0px !important; vertical-align: baseline !important; border-radius: 0px !important; bottom: auto !important; float: none !important; height: auto !important; left: auto !important; line-height: 1.1em !important; outline: 0px !important; overflow: visible !important; position: static !important; right: auto !important; top: auto !important; box-sizing: content-box !important; font-size: 1em !important; min-height: inherit !important; background-image: none !important;"><div class="container" style="border: 0px !important; margin: 0px !important; padding: 0px !important; vertical-align: baseline !important; border-radius: 0px !important; bottom: auto !important; float: none !important; height: auto !important; left: auto !important; line-height: 1.1em !important; outline: 0px !important; overflow: visible !important; position: relative !important; right: auto !important; top: auto !important; width: auto !important; box-sizing: content-box !important; font-size: 1em !important; min-height: inherit !important; background-image: none !important;"><div class="line number1 index0 alt2" style="border: 0px !important; margin: 0px !important; padding: 0px 1em !important; vertical-align: baseline !important; border-radius: 0px !important; bottom: auto !important; float: none !important; height: auto !important; left: auto !important; line-height: 1.1em !important; outline: 0px !important; overflow: visible !important; position: static !important; right: auto !important; top: auto !important; width: auto !important; box-sizing: content-box !important; font-size: 1em !important; min-height: inherit !important; white-space: pre !important; background-image: none !important;"><code class="shell functions" style="padding: 0.2em 0px; font-size: 12px; font-family: Consolas, 'Bitstream Vera Sans Mono', 'Courier New', Courier, monospace !important; border: 0px !important; margin: 0px !important; vertical-align: baseline !important; border-radius: 0px !important; bottom: auto !important; float: none !important; height: auto !important; left: auto !important; line-height: 1.1em !important; outline: 0px !important; overflow: visible !important; position: static !important; right: auto !important; top: auto !important; width: auto !important; box-sizing: content-box !important; min-height: inherit !important; color: rgb(255, 20, 147) !important; background-image: none !important;">vi</code> <code class="shell plain" style="padding: 0.2em 0px; font-size: 12px; font-family: Consolas, 'Bitstream Vera Sans Mono', 'Courier New', Courier, monospace !important; border: 0px !important; margin: 0px !important; vertical-align: baseline !important; border-radius: 0px !important; bottom: auto !important; float: none !important; height: auto !important; left: auto !important; line-height: 1.1em !important; outline: 0px !important; overflow: visible !important; position: static !important; right: auto !important; top: auto !important; width: auto !important; box-sizing: content-box !important; min-height: inherit !important; background-image: none !important;">/etc/sysctl</code><code class="shell plain" style="padding: 0.2em 0px; font-size: 12px; font-family: Consolas, 'Bitstream Vera Sans Mono', 'Courier New', Courier, monospace !important; border: 0px !important; margin: 0px !important; vertical-align: baseline !important; border-radius: 0px !important; bottom: auto !important; float: none !important; height: auto !important; left: auto !important; line-height: 1.1em !important; outline: 0px !important; overflow: visible !important; position: static !important; right: auto !important; top: auto !important; width: auto !important; box-sizing: content-box !important; min-height: inherit !important; background-image: none !important;">.conf</code></div><div class="line number2 index1 alt1" style="border: 0px !important; margin: 0px !important; padding: 0px 1em !important; vertical-align: baseline !important; border-radius: 0px !important; bottom: auto !important; float: none !important; height: auto !important; left: auto !important; line-height: 1.1em !important; outline: 0px !important; overflow: visible !important; position: static !important; right: auto !important; top: auto !important; width: auto !important; box-sizing: content-box !important; font-size: 1em !important; min-height: inherit !important; white-space: pre !important; background-image: none !important;"><code class="shell plain" style="padding: 0.2em 0px; font-size: 12px; font-family: Consolas, 'Bitstream Vera Sans Mono', 'Courier New', Courier, monospace !important; border: 0px !important; margin: 0px !important; vertical-align: baseline !important; border-radius: 0px !important; bottom: auto !important; float: none !important; height: auto !important; left: auto !important; line-height: 1.1em !important; outline: 0px !important; overflow: visible !important; position: static !important; right: auto !important; top: auto !important; width: auto !important; box-sizing: content-box !important; min-height: inherit !important; background-image: none !important;">net.ipv4.netfilter.ip_conntrack_max = 655350</code></div><div class="line number3 index2 alt2" style="border: 0px !important; margin: 0px !important; padding: 0px 1em !important; vertical-align: baseline !important; border-radius: 0px !important; bottom: auto !important; float: none !important; height: auto !important; left: auto !important; line-height: 1.1em !important; outline: 0px !important; overflow: visible !important; position: static !important; right: auto !important; top: auto !important; width: auto !important; box-sizing: content-box !important; font-size: 1em !important; min-height: inherit !important; white-space: pre !important; background-image: none !important;"><code class="shell plain" style="padding: 0.2em 0px; font-size: 12px; font-family: Consolas, 'Bitstream Vera Sans Mono', 'Courier New', Courier, monospace !important; border: 0px !important; margin: 0px !important; vertical-align: baseline !important; border-radius: 0px !important; bottom: auto !important; float: none !important; height: auto !important; left: auto !important; line-height: 1.1em !important; outline: 0px !important; overflow: visible !important; position: static !important; right: auto !important; top: auto !important; width: auto !important; box-sizing: content-box !important; min-height: inherit !important; background-image: none !important;">net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 1200</code></div><div class="line number4 index3 alt1" style="border: 0px !important; margin: 0px !important; padding: 0px 1em !important; vertical-align: baseline !important; border-radius: 0px !important; bottom: auto !important; float: none !important; height: auto !important; left: auto !important; line-height: 1.1em !important; outline: 0px !important; overflow: visible !important; position: static !important; right: auto !important; top: auto !important; width: auto !important; box-sizing: content-box !important; font-size: 1em !important; min-height: inherit !important; white-space: pre !important; background-image: none !important;"><code class="shell comments" style="padding: 0.2em 0px; font-size: 12px; font-family: Consolas, 'Bitstream Vera Sans Mono', 'Courier New', Courier, monospace !important; border: 0px !important; margin: 0px !important; vertical-align: baseline !important; border-radius: 0px !important; bottom: auto !important; float: none !important; height: auto !important; left: auto !important; line-height: 1.1em !important; outline: 0px !important; overflow: visible !important; position: static !important; right: auto !important; top: auto !important; width: auto !important; box-sizing: content-box !important; min-height: inherit !important; color: rgb(0, 130, 0) !important; background-image: none !important;">#預設逾時時間為5天，作為一個主要提供HTTP服務的伺服器來講，完全可以設定得比較短</code></div><div class="line number5 index4 alt2" style="border: 0px !important; margin: 0px !important; padding: 0px 1em !important; vertical-align: baseline !important; border-radius: 0px !important; bottom: auto !important; float: none !important; height: auto !important; left: auto !important; line-height: 1.1em !important; outline: 0px !important; overflow: visible !important; position: static !important; right: auto !important; top: auto !important; width: auto !important; box-sizing: content-box !important; font-size: 1em !important; min-height: inherit !important; white-space: pre !important; background-image: none !important;"><code class="shell plain" style="padding: 0.2em 0px; font-size: 12px; font-family: Consolas, 'Bitstream Vera Sans Mono', 'Courier New', Courier, monospace !important; border: 0px !important; margin: 0px !important; vertical-align: baseline !important; border-radius: 0px !important; bottom: auto !important; float: none !important; height: auto !important; left: auto !important; line-height: 1.1em !important; outline: 0px !important; overflow: visible !important; position: static !important; right: auto !important; top: auto !important; width: auto !important; box-sizing: content-box !important; min-height: inherit !important; background-image: none !important;">sysctl -p </code><code class="shell comments" style="padding: 0.2em 0px; font-size: 12px; font-family: Consolas, 'Bitstream Vera Sans Mono', 'Courier New', Courier, monospace !important; border: 0px !important; margin: 0px !important; vertical-align: baseline !important; border-radius: 0px !important; bottom: auto !important; float: none !important; height: auto !important; left: auto !important; line-height: 1.1em !important; outline: 0px !important; overflow: visible !important; position: static !important; right: auto !important; top: auto !important; width: auto !important; box-sizing: content-box !important; min-height: inherit !important; color: rgb(0, 130, 0) !important; background-image: none !important;"># 讓剛剛修改過的設定生效</code></div></div></td></tr></tbody></table></div></div><p style="font-family: 微軟雅黑; border: 0px; margin-top: 0px; margin-bottom: 24px; padding-top: 0px; padding-bottom: 0px; vertical-align: baseline; color: rgb(51, 51, 51); font-size: 14px; line-height: 24px; widows: auto;">如果在執行sysctl -p 時提示錯誤 unknown key，那麼表示核心版本比較高，參數名稱已經改為</p><div style="font-family: 微軟雅黑; border: 0px; margin: 0px; padding: 0px; vertical-align: baseline; color: rgb(51, 51, 51); font-size: 14px; line-height: 24px; widows: auto;"><div id="highlighter_323162" class="syntaxhighlighter  shell" style="border: 0px; padding: 1px 0px; vertical-align: baseline; width: 640px; margin: 1em 0px !important; position: relative !important; overflow: auto !important; font-size: 1em !important;"><table  cellpadding="0" cellspacing="0" style="border: 1px solid rgb(231, 231, 231); margin: 0px -1px 24px 0px; border-collapse: collapse; border-spacing: 0px; width: 640px; font-family: Consolas, 'Bitstream Vera Sans Mono', 'Courier New', Courier, monospace !important; padding: 0px !important; vertical-align: baseline !important; border-radius: 0px !important; bottom: auto !important; float: none !important; height: auto !important; left: auto !important; line-height: 1.1em !important; outline: 0px !important; overflow: visible !important; position: static !important; right: auto !important; top: auto !important; box-sizing: content-box !important; font-size: 1em !important; min-height: inherit !important; background-image: none !important;"><tbody style="border: 0px !important; margin: 0px !important; padding: 0px !important; vertical-align: baseline !important; border-radius: 0px !important; bottom: auto !important; float: none !important; height: auto !important; left: auto !important; line-height: 1.1em !important; outline: 0px !important; overflow: visible !important; position: static !important; right: auto !important; top: auto !important; width: auto !important; box-sizing: content-box !important; font-size: 1em !important; min-height: inherit !important; background-image: none !important;"><tr style="border: 0px !important; margin: 0px !important; padding: 0px !important; vertical-align: baseline !important; border-radius: 0px !important; bottom: auto !important; float: none !important; height: auto !important; left: auto !important; line-height: 1.1em !important; outline: 0px !important; overflow: visible !important; position: static !important; right: auto !important; top: auto !important; width: auto !important; box-sizing: content-box !important; font-size: 1em !important; min-height: inherit !important; background-image: none !important;"><td class="gutter" style="border-top-width: 1px; border-top-style: solid; border-top-color: rgb(231, 231, 231); padding: 6px 24px; font-family: Consolas, 'Bitstream Vera Sans Mono', 'Courier New', Courier, monospace !important; border-right-width: 0px !important; border-bottom-width: 0px !important; border-left-width: 0px !important; margin: 0px !important; vertical-align: baseline !important; border-radius: 0px !important; bottom: auto !important; float: none !important; height: auto !important; left: auto !important; line-height: 1.1em !important; outline: 0px !important; overflow: visible !important; position: static !important; right: auto !important; top: auto !important; width: auto !important; box-sizing: content-box !important; font-size: 1em !important; min-height: inherit !important; color: rgb(175, 175, 175) !important; background-image: none !important;"><div class="line number1 index0 alt2" style="border-width: 0px 3px 0px 0px !important; border-right-style: solid !important; border-right-color: rgb(108, 226, 108) !important; margin: 0px !important; padding: 0px 0.5em 0px 1em !important; vertical-align: baseline !important; border-radius: 0px !important; bottom: auto !important; float: none !important; height: auto !important; left: auto !important; line-height: 1.1em !important; outline: 0px !important; overflow: visible !important; position: static !important; right: auto !important; text-align: right !important; top: auto !important; width: auto !important; box-sizing: content-box !important; font-size: 1em !important; min-height: inherit !important; white-space: pre !important; background-image: none !important;">1</div><div class="line number2 index1 alt1" style="border-width: 0px 3px 0px 0px !important; border-right-style: solid !important; border-right-color: rgb(108, 226, 108) !important; margin: 0px !important; padding: 0px 0.5em 0px 1em !important; vertical-align: baseline !important; border-radius: 0px !important; bottom: auto !important; float: none !important; height: auto !important; left: auto !important; line-height: 1.1em !important; outline: 0px !important; overflow: visible !important; position: static !important; right: auto !important; text-align: right !important; top: auto !important; width: auto !important; box-sizing: content-box !important; font-size: 1em !important; min-height: inherit !important; white-space: pre !important; background-image: none !important;">2</div></td><td class="code" style="border-top-width: 1px; border-top-style: solid; border-top-color: rgb(231, 231, 231); padding: 6px 24px; width: 608px; font-family: Consolas, 'Bitstream Vera Sans Mono', 'Courier New', Courier, monospace !important; border-right-width: 0px !important; border-bottom-width: 0px !important; border-left-width: 0px !important; margin: 0px !important; vertical-align: baseline !important; border-radius: 0px !important; bottom: auto !important; float: none !important; height: auto !important; left: auto !important; line-height: 1.1em !important; outline: 0px !important; overflow: visible !important; position: static !important; right: auto !important; top: auto !important; box-sizing: content-box !important; font-size: 1em !important; min-height: inherit !important; background-image: none !important;"><div class="container" style="border: 0px !important; margin: 0px !important; padding: 0px !important; vertical-align: baseline !important; border-radius: 0px !important; bottom: auto !important; float: none !important; height: auto !important; left: auto !important; line-height: 1.1em !important; outline: 0px !important; overflow: visible !important; position: relative !important; right: auto !important; top: auto !important; width: auto !important; box-sizing: content-box !important; font-size: 1em !important; min-height: inherit !important; background-image: none !important;"><div class="line number1 index0 alt2" style="border: 0px !important; margin: 0px !important; padding: 0px 1em !important; vertical-align: baseline !important; border-radius: 0px !important; bottom: auto !important; float: none !important; height: auto !important; left: auto !important; line-height: 1.1em !important; outline: 0px !important; overflow: visible !important; position: static !important; right: auto !important; top: auto !important; width: auto !important; box-sizing: content-box !important; font-size: 1em !important; min-height: inherit !important; white-space: pre !important; background-image: none !important;"><code class="shell plain" style="padding: 0.2em 0px; font-size: 12px; font-family: Consolas, 'Bitstream Vera Sans Mono', 'Courier New', Courier, monospace !important; border: 0px !important; margin: 0px !important; vertical-align: baseline !important; border-radius: 0px !important; bottom: auto !important; float: none !important; height: auto !important; left: auto !important; line-height: 1.1em !important; outline: 0px !important; overflow: visible !important; position: static !important; right: auto !important; top: auto !important; width: auto !important; box-sizing: content-box !important; min-height: inherit !important; background-image: none !important;">net.netfilter.nf_conntrack_max = 655350</code></div><div class="line number2 index1 alt1" style="border: 0px !important; margin: 0px !important; padding: 0px 1em !important; vertical-align: baseline !important; border-radius: 0px !important; bottom: auto !important; float: none !important; height: auto !important; left: auto !important; line-height: 1.1em !important; outline: 0px !important; overflow: visible !important; position: static !important; right: auto !important; top: auto !important; width: auto !important; box-sizing: content-box !important; font-size: 1em !important; min-height: inherit !important; white-space: pre !important; background-image: none !important;"><code class="shell plain" style="padding: 0.2em 0px; font-size: 12px; font-family: Consolas, 'Bitstream Vera Sans Mono', 'Courier New', Courier, monospace !important; border: 0px !important; margin: 0px !important; vertical-align: baseline !important; border-radius: 0px !important; bottom: auto !important; float: none !important; height: auto !important; left: auto !important; line-height: 1.1em !important; outline: 0px !important; overflow: visible !important; position: static !important; right: auto !important; top: auto !important; width: auto !important; box-sizing: content-box !important; min-height: inherit !important; background-image: none !important;">net.netfilter.nf_conntrack_tcp_timeout_established = 1200</code></div></div></td></tr></tbody></table></div></div><p style="font-family: 微軟雅黑; border: 0px; margin-top: 0px; margin-bottom: 24px; padding-top: 0px; padding-bottom: 0px; vertical-align: baseline; color: rgb(51, 51, 51); font-size: 14px; line-height: 24px; widows: auto;">至于為什麼會有這樣的設定，這個設定的作用是什麼，就要從NAT說起了。NAT（Network Address Translation，網絡位址轉換）是将IP資料報報頭的IP位址轉化成另外一個IP位址的過程，主要用來實作區域網路内的機器通路公共網絡（俗稱外網）的功能。公共IP位址是指在網際網路上全球唯一的IP位址，RFC 1918協定還為區域網路預留出了三個IP不會在公網上進行配置設定的位址塊：</p>

增加完以上内容後，通過sysctl -p 使配置生效。不過該方法有兩個缺點：一是重新開機iptables後，ip_conntrack_max值又會變成65535預設值，需要重新sysctl -p ；另一個是該法治标不治本，在高并發時，很快又會悲劇重演。

方法二：使用RAW表，跳過記錄法

首先先認識下什麼是raw表？做什麼用的？

iptables有5個鍊:PREROUTING，INPUT，FORWARD，OUTPUT，POSTROUTING，4個表:filter，nat，mangle，raw 。

4個表的優先級由高到低的順序為:raw-->mangle-->nat-->filter

舉例來說:如果PRROUTING鍊上，即有mangle表，也有nat表，那麼先由mangle處理，然後由nat表處理。

RAW表隻使用在PREROUTING鍊和OUTPUT鍊上，因為優先級最高，進而可以對收到的資料包在連接配接跟蹤前進行處理。一但使用者使用了RAW表，在某個鍊上，RAW表處理完後，将跳過NAT表和 ip_conntrack處理，即不再做位址轉換和資料包的連結跟蹤處理了。

RAW表可以 style="color:#E53333;">應用在那些不需要做nat的情況下，以提高性能。如大量通路的web伺服器，可以讓80端口不再讓iptables做資料包的連結跟蹤處理，以提高使用者的通路速度。

具體操作方法如下：

1、修改/etc/sysconfig/iptables 檔案中的-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED, UNTRACKED -j ACCEPT 行。增加紅色字型中的部分，儲存并restart iptables 。

2、運作下面的語句：

iptables -t raw -A PREROUTING -p tcp -m multiport --dports 80,3128 -j NOTRACK
iptables -t raw -A PREROUTING -p tcp -m multiport --sports 80,3128 -j NOTRACK
iptables -t raw -A OUTPUT -p tcp -m multiport --dports 80,3128 -j NOTRACK
iptables -t raw -A OUTPUT -p tcp -m multiport --sports 80,3128 -j NOTRACK

如果隻是一個端口，改為下面的語句：

iptables -t raw -A PREROUTING -p tcp -m tcp --dport 80 -j NOTRACK
iptables -t raw -A OUTPUT -p tcp -m tcp --sport 80 -j NOTRACK
iptables -t raw -A PREROUTING -p tcp -m tcp --sport 80 -j NOTRACK
iptables -t raw -A OUTPUT -p tcp -m tcp --dport 80 -j NOTRACK

注：第1步很重要，如果第1處沒改，執行後面的語句會造成相應的端口不能通路。我使用該方法時，就因為沒有執行第一步的操作，造成web通路不能使用。

方法三：移除子產品法

[[email protected] log]# /sbin/lsmod | egrep 'ip_tables|conntrack'
nf_conntrack_ipv6       8748  2
nf_defrag_ipv6         12182  1 nf_conntrack_ipv6
nf_conntrack           79453  2 nf_conntrack_ipv6,xt_state
ipv6                  322541  209 ip6t_REJECT,nf_conntrack_ipv6,nf_defrag_ipv6

執行上面的語句，不難發現state子產品和nf_conntrack之間是有依賴關系的。是以想要解除安裝nf_conntrack子產品的話，必須也要把state子產品移除，不然，其會自動啟用nf_conntrack子產品。

操作方法如下：

1、先将/etc/sysconfig/iptables 中包含state的語句移除，并restart iptables 。

2、執行語句

modprobe -r xt_NOTRACK nf_conntrack_netbios_ns nf_conntrack_ipv4 xt_state
modprobe -r nf_conntrack

執行完檢視/proc/net/ 下面如果沒用了 nf_conntrack ，就證明子產品移除成功了。

總結：

以上三種方法種，如果像web這樣的操作通路量并發不大的情況下，建議通過第一種方法實作。因為nf_conntrack子產品的作用不僅僅隻用于記錄狀态，iptables還可以通過對該子產品的使有達到動态過濾的作用。如我在用ab動測試的一台伺服器上進行并發模拟時，在/var/log/message裡發現如下的日志：

Apr 22 15:21:46 localhost kernel: possible SYN flooding on port 80. Sending cookies.
Apr 22 15:22:46 localhost kernel: possible SYN flooding on port 80. Sending cookies.

而此時iptables會智能的将發動SYN flood攻擊的IP暫時拒絕掉：

[[email protected] ~]# ab -c 500 -n 5000 "http://192.168.10.177/"
This is ApacheBench, Version 2.0.40-dev <$Revision: 1.146 $> apache-2.0
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Copyright 2006 The Apache Software Foundation, http://www.apache.org/
Benchmarking 192.168.10.177 (be patient)
apr_socket_recv: Connection reset by peer (104)
Total of 68 requests completed

如上是以，我用ab操作時，其就會收到apr_socket_recv 的錯誤提示。我在網上查詢到其具體實作的原理如下：

傳統的防火牆隻能進行靜态過濾，而 iptables 除了這個基本的功能之外還可以進行動态過濾，即可以對連接配接狀态進行跟蹤，通常稱為 conntrack 。但這不意味着它隻能對 TCP 這樣的面向連接配接的協定有效，它還可以對 UDP， ICMP 這種無連接配接的協定進行跟蹤，我們下面馬上就會看到。

iptables 中的連接配接跟蹤是通過 state 子產品來實作的，是在PREROUTING 鍊中完成的，除了本地主機産生的資料包，它們是在 OUTPUT 鍊中完成。它把“連接配接”劃分為四種狀态：NEW， ESTABLISHED， RELATED 和 INVALID。連接配接跟蹤目前的所有連接配接狀态可以通過 /proc/net/nf_conntrack 來檢視（注意，在一些稍微舊的 Linux 系統上是 /proc/net/ip_conntrack）。

當 conntrack 第一次看到相關的資料包時，就會把狀态标記為 NEW ，比如 TCP 協定中收到第一個 SYN 資料包。當連接配接的雙方都有資料包收發并且還将繼續比對到這些資料包時，連接配接狀态就會變為 ESTABLISHED 。而 RELATED 狀态是指一個新的連接配接，但這個連接配接和某個已知的連接配接有關系，比如 FTP 協定中的資料傳輸連接配接。INVALID 狀态是說資料包和已知的任何連接配接都不比對。

當然，僅僅利用iptables conntrack自動實作syn flood 等DDOS攻擊時很弱的。而現成的動态過濾和DDOS防護的方法是很多的。比如netstat腳本實作，iptalbes限制每秒進行連接配接數，nginx/apache的連接配接數限制子產品及fail2ban日志分析法………… ，是以在具有以上防護的情況下，非常推薦将web 、squid/varnish等應用所在的伺服器配置為RAW方式。我在現網一台150M/S 的cache server上将80和3128兩個端口全部NOTRACK之後，conntrack hash表由瞬滿直線下降到隻有幾百條。

最後，最不推薦使用的第三種方法，因為第三種方法會将state子產品也一塊兒移除掉。

參考頁面：

http://jaseywang.me/2012/08/16/%E8%A7%A3%E5%86%B3-nf_conntrack-table-full-dropping-packet-%E7%9A%84%E5%87%A0%E7%A7%8D%E6%80%9D%E8%B7%AF/

http://wiki.khnet.info/index.php/Conntrack_tuning

http://blog.zol.com.cn/2608/article_2607945.html

http://wangcong.org/articles/learning-iptables.cn.html

http://pc-freak.net/blog/resolving-nf_conntrack-table-full-dropping-packet-flood-message-in-dmesg-linux-kernel-log/

http://blog.csdn.net/dog250/article/details/7262619

linux iptables ip_conntrack: table full CentOS 7 iptables

繼續閱讀

Linux技術幹貨—嵌入式Linux網絡接口設計詳細講解！

M2M平台

linux kernel README

linux提權輔助工具 – Linux_Exploit_Suggester

Docker從零建構php-nginx-alpine鏡像

IE打開UTF-8編碼的頁面出現空白頁的問題解決

神奇的Linux技術：BPF

Linux(Cent OS7.2)下啟動停止memcached方法及ps指令使用講解

使用autotools管理linux項目

GNU Autotools學習筆記

編譯uClinux時出錯，請大家幫忙

fedora4 下db2的安裝

GLib介紹

linux資源（Chinaunix）

kickstart自動化安裝centos6.8

k8s [kubelet-check] Initial timeout of 40s passed.解決方案解決方案