9.1 iptables 性能基础
性能影响因素
iptables 的性能受多个因素影响,理解这些因素是优化的基础:
1. 规则数量和复杂度
# 规则数量对性能的影响
# 每个数据包都需要遍历规则链,规则越多,处理时间越长
# 查看当前规则数量
iptables -L | grep -c "^Chain\|^target"
# 查看各链的规则数量
for chain in INPUT OUTPUT FORWARD; do
count=$(iptables -L $chain --line-numbers | tail -n +3 | wc -l)
echo "$chain chain: $count rules"
done
# 查看 NAT 表规则数量
for chain in PREROUTING POSTROUTING OUTPUT; do
count=$(iptables -t nat -L $chain --line-numbers 2>/dev/null | tail -n +3 | wc -l)
echo "NAT $chain chain: $count rules"
done
2. 规则匹配顺序
# 规则匹配是从上到下进行的,常用规则应该放在前面
# 错误示例:常用规则在后面
iptables -A INPUT -s 10.0.0.0/8 -j DROP # 很少匹配
iptables -A INPUT -s 172.16.0.0/12 -j DROP # 很少匹配
iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT # 经常匹配,但在后面
# 正确示例:常用规则在前面
iptables -I INPUT 1 -s 192.168.1.0/24 -j ACCEPT # 经常匹配,放在前面
iptables -A INPUT -s 10.0.0.0/8 -j DROP
iptables -A INPUT -s 172.16.0.0/12 -j DROP
3. 匹配条件的效率
# 不同匹配条件的性能差异
# 高效的匹配条件(按性能排序)
# 1. 接口匹配(最快)
iptables -A INPUT -i eth0 -j ACCEPT
# 2. IP 地址匹配
iptables -A INPUT -s 192.168.1.1 -j ACCEPT
# 3. 协议匹配
iptables -A INPUT -p tcp -j ACCEPT
# 4. 端口匹配
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# 5. 状态匹配(中等性能)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# 6. 字符串匹配(较慢)
iptables -A INPUT -m string --string "GET /admin" --algo bm -j DROP
# 7. 正则表达式匹配(最慢)
iptables -A INPUT -m string --string ".*admin.*" --algo bm -j DROP
性能测试和基准测试
1. 基本性能测试
#!/bin/bash
# iptables_performance_test.sh
# 测试规则处理性能
test_rule_performance() {
local rule_count=$1
echo "Testing performance with $rule_count rules..."
# 清空现有规则
iptables -F INPUT
# 添加测试规则
for i in $(seq 1 $rule_count); do
iptables -A INPUT -s 10.0.$((i/256)).$((i%256)) -j DROP
done
# 测试数据包处理时间
start_time=$(date +%s.%N)
# 发送测试数据包
for i in {1..1000}; do
ping -c 1 -W 1 192.168.1.1 >/dev/null 2>&1
done
end_time=$(date +%s.%N)
duration=$(echo "$end_time - $start_time" | bc)
echo "Time for 1000 packets with $rule_count rules: $duration seconds"
echo "Average time per packet: $(echo "$duration / 1000" | bc -l) seconds"
# 清理测试规则
iptables -F INPUT
}
# 测试不同规则数量的性能
for count in 10 50 100 500 1000; do
test_rule_performance $count
echo "---"
done
2. 连接跟踪性能测试
#!/bin/bash
# conntrack_performance_test.sh
# 测试连接跟踪性能
test_conntrack_performance() {
echo "=== Connection Tracking Performance Test ==="
# 当前连接数
current_connections=$(cat /proc/net/nf_conntrack | wc -l)
max_connections=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
echo "Current connections: $current_connections"
echo "Max connections: $max_connections"
echo "Usage: $(echo "scale=2; $current_connections * 100 / $max_connections" | bc)%"
# 连接跟踪统计
if [ -f /proc/net/stat/nf_conntrack ]; then
echo "\nConnection tracking statistics:"
cat /proc/net/stat/nf_conntrack
fi
# 测试新连接建立速度
echo "\nTesting new connection establishment speed..."
start_time=$(date +%s.%N)
# 建立多个并发连接
for i in {1..100}; do
(
nc -w 1 192.168.1.1 80 </dev/null >/dev/null 2>&1 &
)
done
wait
end_time=$(date +%s.%N)
duration=$(echo "$end_time - $start_time" | bc)
echo "Time to establish 100 connections: $duration seconds"
echo "Average time per connection: $(echo "$duration / 100" | bc -l) seconds"
}
test_conntrack_performance
3. 吞吐量测试
#!/bin/bash
# throughput_test.sh
# 网络吞吐量测试
test_throughput() {
local test_duration=30
echo "=== Network Throughput Test ==="
echo "Test duration: $test_duration seconds"
# 启动 iperf3 服务器(在另一台机器上)
# iperf3 -s
# 测试 TCP 吞吐量
echo "\nTesting TCP throughput..."
iperf3 -c 192.168.1.100 -t $test_duration -f M
# 测试 UDP 吞吐量
echo "\nTesting UDP throughput..."
iperf3 -c 192.168.1.100 -u -b 1G -t $test_duration -f M
# 测试并发连接
echo "\nTesting concurrent connections..."
iperf3 -c 192.168.1.100 -P 10 -t $test_duration -f M
}
# 在不同 iptables 配置下测试
echo "Testing with minimal iptables rules..."
iptables -F
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
test_throughput
echo "\n\nTesting with complex iptables rules..."
# 添加复杂规则
source /etc/iptables/complex_rules.sh
test_throughput
9.2 规则优化策略
规则顺序优化
1. 基于频率的规则排序
#!/bin/bash
# optimize_rule_order.sh
# 分析规则匹配频率
analyze_rule_frequency() {
echo "=== Rule Frequency Analysis ==="
# 重置计数器
iptables -Z
# 等待一段时间收集数据
echo "Collecting data for 5 minutes..."
sleep 300
# 显示规则匹配统计
echo "\nRule matching statistics:"
iptables -L -n -v --line-numbers | grep -E "^[0-9]+" | \
sort -k1,1nr | head -20
echo "\nTop 10 most matched rules:"
iptables -L -n -v --line-numbers | grep -E "^[0-9]+" | \
awk '{print $1, $2, $NF}' | sort -k2,2nr | head -10
}
# 优化规则顺序
optimize_rules() {
echo "=== Optimizing Rule Order ==="
# 备份当前规则
iptables-save > /tmp/iptables_backup_$(date +%Y%m%d_%H%M%S).rules
# 常用规则应该放在前面
echo "Applying optimized rule order..."
# 清空 INPUT 链
iptables -F INPUT
# 1. 本地回环(最高优先级)
iptables -A INPUT -i lo -j ACCEPT
# 2. 已建立的连接(高优先级)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# 3. 内网访问(高优先级)
iptables -A INPUT -s 192.168.0.0/16 -j ACCEPT
iptables -A INPUT -s 10.0.0.0/8 -j ACCEPT
# 4. 常用服务端口(按使用频率排序)
iptables -A INPUT -p tcp --dport 22 -j ACCEPT # SSH
iptables -A INPUT -p tcp --dport 80 -j ACCEPT # HTTP
iptables -A INPUT -p tcp --dport 443 -j ACCEPT # HTTPS
# 5. 其他允许的端口
iptables -A INPUT -p tcp --dport 25 -j ACCEPT # SMTP
iptables -A INPUT -p tcp --dport 53 -j ACCEPT # DNS
iptables -A INPUT -p udp --dport 53 -j ACCEPT # DNS
# 6. ICMP(限制频率)
iptables -A INPUT -p icmp -m limit --limit 1/s --limit-burst 1 -j ACCEPT
# 7. 安全规则(放在后面,因为匹配频率低)
iptables -A INPUT -m recent --name attackers --rcheck --seconds 3600 -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
# 8. 日志记录(在拒绝之前)
iptables -A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "[INPUT-DENIED]: "
# 9. 默认拒绝
iptables -A INPUT -j DROP
echo "Rule optimization completed."
}
# 执行分析和优化
analyze_rule_frequency
optimize_rules
2. 规则合并优化
#!/bin/bash
# merge_rules.sh
# 合并相似规则以提高性能
merge_similar_rules() {
echo "=== Merging Similar Rules ==="
# 备份当前规则
iptables-save > /tmp/iptables_before_merge.rules
# 示例:合并多个端口规则
echo "Merging port rules..."
# 删除单独的端口规则
iptables -D INPUT -p tcp --dport 80 -j ACCEPT 2>/dev/null
iptables -D INPUT -p tcp --dport 443 -j ACCEPT 2>/dev/null
iptables -D INPUT -p tcp --dport 8080 -j ACCEPT 2>/dev/null
iptables -D INPUT -p tcp --dport 8443 -j ACCEPT 2>/dev/null
# 使用 multiport 模块合并
iptables -I INPUT -p tcp -m multiport --dports 80,443,8080,8443 -j ACCEPT
# 合并 IP 范围规则
echo "Merging IP range rules..."
# 删除单独的 IP 规则
for ip in 192.168.1.{10..20}; do
iptables -D INPUT -s $ip -j ACCEPT 2>/dev/null
done
# 使用 IP 范围
iptables -I INPUT -m iprange --src-range 192.168.1.10-192.168.1.20 -j ACCEPT
# 合并协议规则
echo "Merging protocol rules..."
# 删除单独的协议规则
iptables -D INPUT -p tcp --dport 53 -j ACCEPT 2>/dev/null
iptables -D INPUT -p udp --dport 53 -j ACCEPT 2>/dev/null
# 合并为一条规则
iptables -I INPUT -p tcp -m multiport --dports 53 -j ACCEPT
iptables -I INPUT -p udp -m multiport --dports 53 -j ACCEPT
echo "Rule merging completed."
# 显示优化结果
echo "\nBefore optimization:"
wc -l /tmp/iptables_before_merge.rules
echo "After optimization:"
iptables-save | wc -l
}
merge_similar_rules
匹配条件优化
1. 使用高效的匹配模块
#!/bin/bash
# efficient_matching.sh
# 高效匹配条件的使用
setup_efficient_rules() {
echo "=== Setting up Efficient Matching Rules ==="
# 1. 使用接口匹配(最快)
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth0 -s 192.168.1.0/24 -j ACCEPT
# 2. 使用 IP 集合(ipset)进行大量 IP 匹配
# 创建 IP 集合
ipset create whitelist_ips hash:ip
ipset add whitelist_ips 192.168.1.10
ipset add whitelist_ips 192.168.1.20
ipset add whitelist_ips 192.168.1.30
# 使用 IP 集合匹配(比多条规则快)
iptables -A INPUT -m set --match-set whitelist_ips src -j ACCEPT
# 3. 使用 multiport 模块
iptables -A INPUT -p tcp -m multiport --dports 80,443,8080,8443 -j ACCEPT
# 4. 使用 iprange 模块
iptables -A INPUT -m iprange --src-range 192.168.1.100-192.168.1.200 -j ACCEPT
# 5. 优化状态匹配
# 使用 conntrack 而不是 state(更现代)
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# 6. 使用 recent 模块进行动态匹配
iptables -A INPUT -m recent --name ssh_attempts --rcheck --seconds 60 --hitcount 3 -j DROP
iptables -A INPUT -p tcp --dport 22 -m recent --name ssh_attempts --set -j ACCEPT
echo "Efficient matching rules configured."
}
# 避免低效的匹配条件
avoid_inefficient_rules() {
echo "=== Avoiding Inefficient Matching ==="
# 避免使用字符串匹配(除非必要)
# 低效:
# iptables -A INPUT -m string --string "admin" --algo bm -j DROP
# 避免复杂的正则表达式
# 低效:
# iptables -A INPUT -m string --string ".*admin.*" --algo bm -j DROP
# 避免过于宽泛的匹配
# 低效:
# iptables -A INPUT -p tcp -j LOG
# 更好的方式:使用具体的匹配条件
iptables -A INPUT -p tcp --dport 80 -m string --string "GET /admin" --algo bm -j LOG --log-prefix "[ADMIN-ACCESS]: "
echo "Inefficient rule patterns avoided."
}
setup_efficient_rules
avoid_inefficient_rules
2. ipset 优化
#!/bin/bash
# ipset_optimization.sh
# 使用 ipset 优化大量 IP 地址匹配
setup_ipset_optimization() {
echo "=== Setting up ipset Optimization ==="
# 创建不同类型的 IP 集合
# 1. 黑名单 IP 集合
ipset create blacklist_ips hash:ip maxelem 1000000
# 添加恶意 IP(示例)
for ip in 1.2.3.4 5.6.7.8 9.10.11.12; do
ipset add blacklist_ips $ip
done
# 2. 白名单网络集合
ipset create whitelist_nets hash:net
ipset add whitelist_nets 192.168.0.0/16
ipset add whitelist_nets 10.0.0.0/8
ipset add whitelist_nets 172.16.0.0/12
# 3. 端口集合
ipset create allowed_ports bitmap:port range 1-65535
ipset add allowed_ports 22
ipset add allowed_ports 80
ipset add allowed_ports 443
ipset add allowed_ports 53
# 4. IP 和端口组合集合
ipset create admin_access hash:ip,port
ipset add admin_access 192.168.1.10,22
ipset add admin_access 192.168.1.20,22
# 应用 ipset 规则
iptables -I INPUT -m set --match-set blacklist_ips src -j DROP
iptables -I INPUT -m set --match-set whitelist_nets src -j ACCEPT
iptables -I INPUT -p tcp -m set --match-set allowed_ports dst -j ACCEPT
iptables -I INPUT -p tcp -m set --match-set admin_access src,dst -j ACCEPT
echo "ipset optimization configured."
}
# 动态更新 ipset
update_ipset_dynamic() {
echo "=== Dynamic ipset Updates ==="
# 从威胁情报源更新黑名单
update_blacklist() {
local temp_file=$(mktemp)
# 下载最新的恶意 IP 列表(示例)
curl -s "https://example.com/malicious-ips.txt" > $temp_file
# 清空现有黑名单
ipset flush blacklist_ips
# 添加新的恶意 IP
while read ip; do
if [[ $ip =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
ipset add blacklist_ips $ip
fi
done < $temp_file
rm $temp_file
echo "Blacklist updated with $(ipset list blacklist_ips | grep -c '^[0-9]') IPs"
}
# 从日志中提取攻击 IP 并添加到黑名单
update_from_logs() {
local log_file="/var/log/iptables.log"
local threshold=10
# 分析最近1小时的攻击
grep "$(date -d '1 hour ago' '+%b %d %H')" $log_file | \
grep "DENIED" | grep -oE 'SRC=[0-9.]+' | cut -d= -f2 | \
sort | uniq -c | sort -nr | \
while read count ip; do
if [ $count -gt $threshold ]; then
ipset add blacklist_ips $ip 2>/dev/null
echo "Added $ip to blacklist (attack count: $count)"
fi
done
}
update_blacklist
update_from_logs
}
setup_ipset_optimization
update_ipset_dynamic
9.3 连接跟踪优化
连接跟踪参数调优
1. 基本参数优化
#!/bin/bash
# conntrack_tuning.sh
# 连接跟踪参数优化
optimize_conntrack_params() {
echo "=== Optimizing Connection Tracking Parameters ==="
# 1. 增加连接跟踪表大小
echo "Increasing connection tracking table size..."
# 计算推荐的连接跟踪表大小(基于内存)
total_mem_kb=$(grep MemTotal /proc/meminfo | awk '{print $2}')
total_mem_gb=$((total_mem_kb / 1024 / 1024))
# 每 GB 内存分配 65536 个连接
recommended_max=$((total_mem_gb * 65536))
# 设置最大连接数
echo $recommended_max > /proc/sys/net/netfilter/nf_conntrack_max
echo "net.netfilter.nf_conntrack_max = $recommended_max" >> /etc/sysctl.conf
# 2. 调整哈希表大小
echo "Adjusting hash table size..."
# 哈希表大小应该是最大连接数的 1/4 到 1/8
hash_size=$((recommended_max / 8))
# 设置哈希表大小(需要重新加载模块)
echo "options nf_conntrack hashsize=$hash_size" > /etc/modprobe.d/nf_conntrack.conf
# 3. 优化超时参数
echo "Optimizing timeout parameters..."
# TCP 连接超时
echo 3600 > /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_established
echo 60 > /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_time_wait
echo 30 > /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_close_wait
echo 30 > /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_fin_wait
# UDP 连接超时
echo 30 > /proc/sys/net/netfilter/nf_conntrack_udp_timeout
echo 180 > /proc/sys/net/netfilter/nf_conntrack_udp_timeout_stream
# ICMP 超时
echo 30 > /proc/sys/net/netfilter/nf_conntrack_icmp_timeout
# 4. 启用 TCP 窗口缩放
echo 1 > /proc/sys/net/netfilter/nf_conntrack_tcp_loose
# 5. 禁用连接跟踪的确认机制(提高性能)
echo 0 > /proc/sys/net/netfilter/nf_conntrack_tcp_be_liberal
# 将设置写入 sysctl.conf
cat >> /etc/sysctl.conf << EOF
# Connection tracking optimization
net.netfilter.nf_conntrack_tcp_timeout_established = 3600
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 30
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 30
net.netfilter.nf_conntrack_udp_timeout = 30
net.netfilter.nf_conntrack_udp_timeout_stream = 180
net.netfilter.nf_conntrack_icmp_timeout = 30
net.netfilter.nf_conntrack_tcp_loose = 1
net.netfilter.nf_conntrack_tcp_be_liberal = 0
EOF
echo "Connection tracking parameters optimized."
}
# 监控连接跟踪性能
monitor_conntrack_performance() {
echo "=== Connection Tracking Performance Monitor ==="
while true; do
current_connections=$(cat /proc/net/nf_conntrack | wc -l)
max_connections=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
usage_percent=$((current_connections * 100 / max_connections))
echo "$(date): Connections: $current_connections/$max_connections ($usage_percent%)"
# 如果使用率超过 80%,发出警告
if [ $usage_percent -gt 80 ]; then
echo "WARNING: Connection tracking table usage is high ($usage_percent%)"
# 可以在这里添加自动清理逻辑
cleanup_old_connections
fi
sleep 60
done
}
# 清理旧连接
cleanup_old_connections() {
echo "Cleaning up old connections..."
# 强制清理 TIME_WAIT 状态的连接
echo 1 > /proc/sys/net/ipv4/tcp_tw_reuse
echo 1 > /proc/sys/net/ipv4/tcp_tw_recycle
# 减少 TIME_WAIT 超时时间
echo 30 > /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_time_wait
}
optimize_conntrack_params
2. 跳过连接跟踪
#!/bin/bash
# notrack_optimization.sh
# 对于不需要状态跟踪的流量,跳过连接跟踪以提高性能
setup_notrack_rules() {
echo "=== Setting up NOTRACK Rules ==="
# 1. 跳过本地回环流量的连接跟踪
iptables -t raw -A PREROUTING -i lo -j NOTRACK
iptables -t raw -A OUTPUT -o lo -j NOTRACK
# 2. 跳过内网流量的连接跟踪
iptables -t raw -A PREROUTING -s 192.168.0.0/16 -d 192.168.0.0/16 -j NOTRACK
iptables -t raw -A OUTPUT -s 192.168.0.0/16 -d 192.168.0.0/16 -j NOTRACK
# 3. 跳过高流量静态内容的连接跟踪
iptables -t raw -A PREROUTING -p tcp --dport 80 -m string --string "GET /static/" --algo bm -j NOTRACK
iptables -t raw -A OUTPUT -p tcp --sport 80 -m string --string "HTTP/1.1 200 OK" --algo bm -j NOTRACK
# 4. 跳过 DNS 查询的连接跟踪
iptables -t raw -A PREROUTING -p udp --dport 53 -j NOTRACK
iptables -t raw -A OUTPUT -p udp --sport 53 -j NOTRACK
# 5. 跳过 NTP 流量的连接跟踪
iptables -t raw -A PREROUTING -p udp --dport 123 -j NOTRACK
iptables -t raw -A OUTPUT -p udp --sport 123 -j NOTRACK
# 6. 跳过大文件下载的连接跟踪
iptables -t raw -A PREROUTING -p tcp --dport 80 -m string --string "Content-Length: " --algo bm -m length --length 1000000: -j NOTRACK
echo "NOTRACK rules configured."
# 注意:使用 NOTRACK 后,相关的 filter 规则也需要调整
echo "Adjusting filter rules for NOTRACK traffic..."
# 允许 NOTRACK 流量通过
iptables -A INPUT -m state --state UNTRACKED -j ACCEPT
iptables -A FORWARD -m state --state UNTRACKED -j ACCEPT
iptables -A OUTPUT -m state --state UNTRACKED -j ACCEPT
}
# 监控 NOTRACK 效果
monitor_notrack_effect() {
echo "=== Monitoring NOTRACK Effect ==="
# 显示 raw 表统计
echo "Raw table statistics:"
iptables -t raw -L -n -v
echo "\nConnection tracking statistics:"
cat /proc/net/stat/nf_conntrack
echo "\nCurrent connection count:"
cat /proc/net/nf_conntrack | wc -l
}
setup_notrack_rules
monitor_notrack_effect
连接跟踪模块优化
1. 模块参数调优
#!/bin/bash
# conntrack_module_tuning.sh
# 连接跟踪模块参数调优
optimize_conntrack_modules() {
echo "=== Optimizing Connection Tracking Modules ==="
# 1. 调整 nf_conntrack 模块参数
echo "Configuring nf_conntrack module..."
# 创建模块配置文件
cat > /etc/modprobe.d/nf_conntrack.conf << EOF
# nf_conntrack module optimization
options nf_conntrack hashsize=32768
options nf_conntrack expect_hashsize=4096
EOF
# 2. 优化 TCP 连接跟踪
echo "Optimizing TCP connection tracking..."
cat > /etc/modprobe.d/nf_conntrack_tcp.conf << EOF
# TCP connection tracking optimization
options nf_conntrack_tcp tcp_timeouts=120,60,120,60,120,120,10,60,30,120
EOF
# 3. 优化 UDP 连接跟踪
echo "Optimizing UDP connection tracking..."
cat > /etc/modprobe.d/nf_conntrack_udp.conf << EOF
# UDP connection tracking optimization
options nf_conntrack_udp udp_timeouts=30,180
EOF
# 4. 禁用不需要的连接跟踪助手
echo "Disabling unnecessary connection tracking helpers..."
# 列出当前加载的助手模块
echo "Currently loaded helper modules:"
lsmod | grep nf_conntrack
# 禁用不需要的助手(根据实际需求调整)
cat > /etc/modprobe.d/nf_conntrack_helpers.conf << EOF
# Disable unnecessary connection tracking helpers
blacklist nf_conntrack_ftp
blacklist nf_conntrack_irc
blacklist nf_conntrack_sip
blacklist nf_conntrack_h323
blacklist nf_conntrack_pptp
blacklist nf_conntrack_amanda
blacklist nf_conntrack_tftp
EOF
echo "Module optimization configured. Reboot required for full effect."
}
# 动态调整连接跟踪参数
dynamic_conntrack_adjustment() {
echo "=== Dynamic Connection Tracking Adjustment ==="
while true; do
# 获取当前连接数和系统负载
current_connections=$(cat /proc/net/nf_conntrack | wc -l)
max_connections=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
load_avg=$(uptime | awk -F'load average:' '{print $2}' | awk '{print $1}' | tr -d ',')
usage_percent=$((current_connections * 100 / max_connections))
echo "$(date): Connections: $current_connections/$max_connections ($usage_percent%), Load: $load_avg"
# 根据负载动态调整超时时间
if (( $(echo "$load_avg > 2.0" | bc -l) )); then
# 高负载时减少超时时间
echo 1800 > /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_established
echo 30 > /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_time_wait
echo "Reduced timeouts due to high load"
elif (( $(echo "$load_avg < 0.5" | bc -l) )); then
# 低负载时恢复正常超时时间
echo 3600 > /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_established
echo 60 > /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_time_wait
echo "Restored normal timeouts due to low load"
fi
# 如果连接数过高,强制清理
if [ $usage_percent -gt 90 ]; then
echo "Emergency cleanup: connection usage > 90%"
# 强制清理 TIME_WAIT 连接
echo 1 > /proc/sys/net/ipv4/tcp_tw_reuse
echo 15 > /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_time_wait
# 等待清理生效
sleep 30
# 恢复正常设置
echo 60 > /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_time_wait
fi
sleep 300 # 每5分钟检查一次
done
}
optimize_conntrack_modules
9.4 内核参数优化
网络栈优化
1. TCP 参数优化
#!/bin/bash
# tcp_optimization.sh
# TCP 参数优化
optimize_tcp_parameters() {
echo "=== Optimizing TCP Parameters ==="
# 备份原始配置
cp /etc/sysctl.conf /etc/sysctl.conf.backup.$(date +%Y%m%d)
# TCP 优化参数
cat >> /etc/sysctl.conf << EOF
# TCP Optimization for iptables performance
# TCP 缓冲区大小
net.core.rmem_default = 262144
net.core.rmem_max = 16777216
net.core.wmem_default = 262144
net.core.wmem_max = 16777216
net.ipv4.tcp_rmem = 4096 65536 16777216
net.ipv4.tcp_wmem = 4096 65536 16777216
# TCP 连接优化
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_timestamps = 1
net.ipv4.tcp_sack = 1
net.ipv4.tcp_fack = 1
net.ipv4.tcp_dsack = 1
# TCP 拥塞控制
net.ipv4.tcp_congestion_control = bbr
net.core.default_qdisc = fq
# TCP 连接回收
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_keepalive_time = 1200
net.ipv4.tcp_keepalive_probes = 7
net.ipv4.tcp_keepalive_intvl = 30
# TCP SYN 队列
net.ipv4.tcp_max_syn_backlog = 8192
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_synack_retries = 3
net.ipv4.tcp_syn_retries = 3
# TCP 其他优化
net.ipv4.tcp_no_metrics_save = 1
net.ipv4.tcp_moderate_rcvbuf = 1
net.ipv4.tcp_rfc1337 = 1
EOF
# 应用设置
sysctl -p
echo "TCP parameters optimized."
}
# 网络接口优化
optimize_network_interface() {
echo "=== Optimizing Network Interface ==="
# 获取主网络接口
primary_interface=$(ip route | grep default | awk '{print $5}' | head -1)
if [ -n "$primary_interface" ]; then
echo "Optimizing interface: $primary_interface"
# 增加接收队列大小
ethtool -G $primary_interface rx 4096 tx 4096 2>/dev/null
# 启用接收端缩放 (RSS)
ethtool -X $primary_interface equal 4 2>/dev/null
# 启用 TCP 分段卸载 (TSO)
ethtool -K $primary_interface tso on 2>/dev/null
# 启用通用分段卸载 (GSO)
ethtool -K $primary_interface gso on 2>/dev/null
# 启用通用接收卸载 (GRO)
ethtool -K $primary_interface gro on 2>/dev/null
# 启用接收校验和卸载
ethtool -K $primary_interface rx-checksumming on 2>/dev/null
# 启用发送校验和卸载
ethtool -K $primary_interface tx-checksumming on 2>/dev/null
echo "Interface $primary_interface optimized."
else
echo "Could not determine primary network interface."
fi
}
# 内存和缓冲区优化
optimize_memory_buffers() {
echo "=== Optimizing Memory and Buffers ==="
cat >> /etc/sysctl.conf << EOF
# Memory and buffer optimization
# 网络缓冲区
net.core.netdev_max_backlog = 5000
net.core.netdev_budget = 600
# Socket 缓冲区
net.core.optmem_max = 40960
net.core.somaxconn = 65535
# 文件描述符限制
fs.file-max = 1000000
# 虚拟内存优化
vm.swappiness = 10
vm.dirty_ratio = 15
vm.dirty_background_ratio = 5
# 内核内存分配
net.ipv4.ip_local_port_range = 1024 65535
net.ipv4.ip_no_pmtu_disc = 0
EOF
# 应用设置
sysctl -p
echo "Memory and buffer parameters optimized."
}
optimize_tcp_parameters
optimize_network_interface
optimize_memory_buffers
2. 防火墙专用优化
#!/bin/bash
# firewall_kernel_optimization.sh
# 防火墙专用内核优化
optimize_firewall_kernel() {
echo "=== Optimizing Kernel for Firewall Performance ==="
cat >> /etc/sysctl.conf << EOF
# Firewall-specific kernel optimization
# Netfilter 优化
net.netfilter.nf_conntrack_max = 1048576
net.netfilter.nf_conntrack_tcp_timeout_established = 3600
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 30
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 30
net.netfilter.nf_conntrack_udp_timeout = 30
net.netfilter.nf_conntrack_udp_timeout_stream = 180
net.netfilter.nf_conntrack_icmp_timeout = 30
net.netfilter.nf_conntrack_generic_timeout = 600
# 连接跟踪优化
net.netfilter.nf_conntrack_tcp_loose = 1
net.netfilter.nf_conntrack_tcp_be_liberal = 0
net.netfilter.nf_conntrack_tcp_max_retrans = 3
# 日志优化
net.netfilter.nf_log_all_netns = 0
# IP 转发优化
net.ipv4.ip_forward = 1
net.ipv4.conf.all.forwarding = 1
net.ipv4.conf.default.forwarding = 1
# ICMP 优化
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.icmp_ratelimit = 1000
net.ipv4.icmp_ratemask = 6168
# 路由优化
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# 源路由保护
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
# 反向路径过滤
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# 日志 Martian 包
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
EOF
# 应用设置
sysctl -p
echo "Firewall kernel parameters optimized."
}
# CPU 亲和性优化
optimize_cpu_affinity() {
echo "=== Optimizing CPU Affinity ==="
# 获取 CPU 核心数
cpu_cores=$(nproc)
echo "System has $cpu_cores CPU cores"
# 为网络中断设置 CPU 亲和性
for irq in $(grep eth /proc/interrupts | awk -F: '{print $1}'); do
# 将网络中断分散到不同的 CPU 核心
cpu_mask=$((1 << (irq % cpu_cores)))
echo $cpu_mask > /proc/irq/$irq/smp_affinity
echo "Set IRQ $irq affinity to CPU core $((irq % cpu_cores))"
done
# 为 iptables 相关进程设置 CPU 亲和性
if pgrep iptables > /dev/null; then
for pid in $(pgrep iptables); do
taskset -cp 0-$((cpu_cores-1)) $pid
echo "Set iptables process $pid affinity to all cores"
done
fi
}
# NUMA 优化
optimize_numa() {
echo "=== Optimizing NUMA Settings ==="
# 检查是否支持 NUMA
if [ -d /sys/devices/system/node/node1 ]; then
echo "NUMA system detected"
# 设置 NUMA 平衡
echo 1 > /proc/sys/kernel/numa_balancing
# 优化内存分配策略
echo "vm.zone_reclaim_mode = 0" >> /etc/sysctl.conf
sysctl -p
echo "NUMA optimization applied"
else
echo "Non-NUMA system, skipping NUMA optimization"
fi
}
optimize_firewall_kernel
optimize_cpu_affinity
optimize_numa
9.5 硬件优化
网卡优化
1. 网卡驱动和固件优化
#!/bin/bash
# network_hardware_optimization.sh
# 网卡硬件优化
optimize_network_hardware() {
echo "=== Optimizing Network Hardware ==="
# 获取所有网络接口
interfaces=$(ip link show | grep -E '^[0-9]+:' | awk -F': ' '{print $2}' | grep -v lo)
for interface in $interfaces; do
echo "Optimizing interface: $interface"
# 检查接口是否存在
if ! ip link show $interface >/dev/null 2>&1; then
echo "Interface $interface not found, skipping"
continue
fi
# 1. 优化环形缓冲区大小
echo " Optimizing ring buffer sizes..."
ethtool -g $interface 2>/dev/null | grep -q "RX:" && {
# 设置最大的环形缓冲区大小
max_rx=$(ethtool -g $interface | grep "RX:" | tail -1 | awk '{print $2}')
max_tx=$(ethtool -g $interface | grep "TX:" | tail -1 | awk '{print $2}')
if [ -n "$max_rx" ] && [ -n "$max_tx" ]; then
ethtool -G $interface rx $max_rx tx $max_tx 2>/dev/null
echo " Set RX buffer to $max_rx, TX buffer to $max_tx"
fi
}
# 2. 优化中断合并
echo " Optimizing interrupt coalescing..."
ethtool -C $interface rx-usecs 50 tx-usecs 50 2>/dev/null
ethtool -C $interface rx-frames 32 tx-frames 32 2>/dev/null
# 3. 启用硬件卸载功能
echo " Enabling hardware offload features..."
# TCP 分段卸载
ethtool -K $interface tso on 2>/dev/null
ethtool -K $interface gso on 2>/dev/null
ethtool -K $interface gro on 2>/dev/null
# 校验和卸载
ethtool -K $interface rx-checksumming on 2>/dev/null
ethtool -K $interface tx-checksumming on 2>/dev/null
# VLAN 卸载
ethtool -K $interface rxvlan on 2>/dev/null
ethtool -K $interface txvlan on 2>/dev/null
# 4. 优化接收端缩放 (RSS)
echo " Configuring RSS..."
# 获取 CPU 核心数
cpu_cores=$(nproc)
# 设置 RSS 队列数(不超过 CPU 核心数)
rss_queues=$(( cpu_cores > 8 ? 8 : cpu_cores ))
ethtool -L $interface combined $rss_queues 2>/dev/null
# 设置 RSS 哈希函数
ethtool -X $interface equal $rss_queues 2>/dev/null
# 5. 优化流控制
echo " Configuring flow control..."
ethtool -A $interface rx on tx on 2>/dev/null
echo " Interface $interface optimization completed"
done
}
# 中断优化
optimize_interrupts() {
echo "=== Optimizing Network Interrupts ==="
# 获取网络相关的中断
network_irqs=$(grep -E "eth|ens|enp" /proc/interrupts | awk -F: '{print $1}' | tr -d ' ')
if [ -z "$network_irqs" ]; then
echo "No network interrupts found"
return
fi
cpu_cores=$(nproc)
irq_count=0
for irq in $network_irqs; do
# 将中断分散到不同的 CPU 核心
target_cpu=$((irq_count % cpu_cores))
cpu_mask=$((1 << target_cpu))
echo $cpu_mask > /proc/irq/$irq/smp_affinity 2>/dev/null
echo "IRQ $irq assigned to CPU $target_cpu (mask: $cpu_mask)"
irq_count=$((irq_count + 1))
done
# 禁用 irqbalance 服务(避免冲突)
systemctl stop irqbalance 2>/dev/null
systemctl disable irqbalance 2>/dev/null
echo "Network interrupt optimization completed"
}
# 网卡队列优化
optimize_network_queues() {
echo "=== Optimizing Network Queues ==="
interfaces=$(ip link show | grep -E '^[0-9]+:' | awk -F': ' '{print $2}' | grep -v lo)
for interface in $interfaces; do
echo "Optimizing queues for $interface..."
# 检查多队列支持
if ethtool -l $interface >/dev/null 2>&1; then
# 获取当前队列配置
current_queues=$(ethtool -l $interface | grep "Combined:" | tail -1 | awk '{print $2}')
max_queues=$(ethtool -l $interface | grep "Combined:" | head -1 | awk '{print $2}')
echo " Current queues: $current_queues, Max queues: $max_queues"
# 设置队列数为 CPU 核心数(不超过最大值)
cpu_cores=$(nproc)
optimal_queues=$(( cpu_cores > max_queues ? max_queues : cpu_cores ))
if [ $optimal_queues -gt $current_queues ]; then
ethtool -L $interface combined $optimal_queues 2>/dev/null
echo " Set queues to $optimal_queues"
fi
fi
# 优化队列调度算法
if [ -d /sys/class/net/$interface/queues ]; then
for queue_dir in /sys/class/net/$interface/queues/tx-*; do
if [ -f $queue_dir/xps_cpus ]; then
# 设置 XPS (Transmit Packet Steering)
queue_num=$(basename $queue_dir | cut -d'-' -f2)
cpu_mask=$((1 << (queue_num % cpu_cores)))
printf "%x" $cpu_mask > $queue_dir/xps_cpus
fi
done
echo " XPS configured for $interface"
fi
done
}
optimize_network_hardware
optimize_interrupts
optimize_network_queues
2. 内存和 CPU 优化
#!/bin/bash
# cpu_memory_optimization.sh
# CPU 优化
optimize_cpu_performance() {
echo "=== Optimizing CPU Performance ==="
# 1. 设置 CPU 调度器
echo "Setting CPU governor to performance..."
for cpu in /sys/devices/system/cpu/cpu*/cpufreq/scaling_governor; do
if [ -f $cpu ]; then
echo performance > $cpu
fi
done
# 2. 禁用 CPU 节能功能
echo "Disabling CPU power saving features..."
# 禁用 C-states(深度睡眠状态)
for cpu in /sys/devices/system/cpu/cpu*/cpuidle/state*/disable; do
if [ -f $cpu ] && [[ $cpu =~ state[1-9] ]]; then
echo 1 > $cpu
fi
done
# 3. 设置 CPU 亲和性
echo "Configuring CPU affinity for network processes..."
# 为网络相关进程设置 CPU 亲和性
network_processes="ksoftirqd kworker"
for process in $network_processes; do
for pid in $(pgrep $process); do
# 将网络进程绑定到特定的 CPU 核心
taskset -cp 0-$(($(nproc)-1)) $pid 2>/dev/null
done
done
echo "CPU optimization completed"
}
# 内存优化
optimize_memory_performance() {
echo "=== Optimizing Memory Performance ==="
# 1. 优化内存分配
cat >> /etc/sysctl.conf << EOF
# Memory optimization for firewall performance
# 减少内存交换
vm.swappiness = 1
# 优化内存回收
vm.vfs_cache_pressure = 50
vm.dirty_ratio = 10
vm.dirty_background_ratio = 3
vm.dirty_expire_centisecs = 1500
vm.dirty_writeback_centisecs = 500
# 优化内存分配器
vm.min_free_kbytes = 65536
vm.zone_reclaim_mode = 0
# 优化透明大页
vm.nr_hugepages = 128
EOF
# 2. 配置大页内存
echo "Configuring huge pages..."
# 计算推荐的大页数量(总内存的 10%)
total_mem_kb=$(grep MemTotal /proc/meminfo | awk '{print $2}')
hugepage_size_kb=$(grep Hugepagesize /proc/meminfo | awk '{print $2}')
if [ $hugepage_size_kb -gt 0 ]; then
recommended_hugepages=$((total_mem_kb / hugepage_size_kb / 10))
echo $recommended_hugepages > /proc/sys/vm/nr_hugepages
echo "Configured $recommended_hugepages huge pages"
fi
# 3. 优化 NUMA 内存分配
if [ -d /sys/devices/system/node/node1 ]; then
echo "Optimizing NUMA memory allocation..."
# 禁用 NUMA 区域回收
echo 0 > /proc/sys/vm/zone_reclaim_mode
# 设置 NUMA 平衡
echo 1 > /proc/sys/kernel/numa_balancing
fi
# 应用设置
sysctl -p
echo "Memory optimization completed"
}
# 存储优化
optimize_storage_performance() {
echo "=== Optimizing Storage Performance ==="
# 1. 优化 I/O 调度器
echo "Configuring I/O scheduler..."
for disk in /sys/block/sd*; do
if [ -d $disk ]; then
disk_name=$(basename $disk)
# 对于 SSD,使用 noop 或 deadline
# 对于 HDD,使用 cfq
if [ -f $disk/queue/rotational ]; then
is_rotational=$(cat $disk/queue/rotational)
if [ $is_rotational -eq 0 ]; then
# SSD
echo deadline > $disk/queue/scheduler 2>/dev/null
echo "Set deadline scheduler for SSD $disk_name"
else
# HDD
echo cfq > $disk/queue/scheduler 2>/dev/null
echo "Set cfq scheduler for HDD $disk_name"
fi
fi
# 优化队列深度
echo 32 > $disk/queue/nr_requests 2>/dev/null
# 优化预读
echo 4096 > $disk/queue/read_ahead_kb 2>/dev/null
fi
done
# 2. 优化文件系统挂载选项
echo "Optimizing filesystem mount options..."
# 检查根文件系统
root_fs=$(df / | tail -1 | awk '{print $1}')
root_fstype=$(mount | grep "$root_fs" | awk '{print $5}')
echo "Root filesystem: $root_fs ($root_fstype)"
# 为不同文件系统提供优化建议
case $root_fstype in
ext4)
echo "Recommended ext4 mount options: noatime,data=writeback,barrier=0,nobh"
;;
xfs)
echo "Recommended XFS mount options: noatime,largeio,inode64,swalloc"
;;
btrfs)
echo "Recommended Btrfs mount options: noatime,compress=lzo,ssd"
;;
esac
echo "Storage optimization completed"
}
optimize_cpu_performance
optimize_memory_performance
optimize_storage_performance
9.6 性能监控和调试
实时性能监控
1. 系统性能监控脚本
#!/bin/bash
# iptables_performance_monitor.sh
# 实时监控 iptables 性能
monitor_iptables_performance() {
echo "=== iptables Performance Monitor ==="
echo "Press Ctrl+C to stop monitoring"
echo ""
# 创建监控日志文件
log_file="/var/log/iptables_performance_$(date +%Y%m%d_%H%M%S).log"
# 监控循环
while true; do
timestamp=$(date '+%Y-%m-%d %H:%M:%S')
# 1. 连接跟踪统计
current_connections=$(cat /proc/net/nf_conntrack | wc -l)
max_connections=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
usage_percent=$((current_connections * 100 / max_connections))
# 2. 系统负载
load_avg=$(uptime | awk -F'load average:' '{print $2}' | awk '{print $1}' | tr -d ',')
# 3. 内存使用
mem_info=$(free -m | grep '^Mem:')
mem_total=$(echo $mem_info | awk '{print $2}')
mem_used=$(echo $mem_info | awk '{print $3}')
mem_percent=$((mem_used * 100 / mem_total))
# 4. CPU 使用率
cpu_usage=$(top -bn1 | grep "Cpu(s)" | awk '{print $2}' | cut -d'%' -f1)
# 5. 网络统计
rx_packets=$(cat /proc/net/dev | grep eth0 | awk '{print $2}')
tx_packets=$(cat /proc/net/dev | grep eth0 | awk '{print $10}')
# 6. iptables 规则统计
total_rules=$(iptables-save | grep -c '^-A')
# 显示监控信息
printf "\r\033[K%s | Conn: %d/%d (%d%%) | Load: %s | CPU: %s%% | Mem: %d%% | Rules: %d" \
"$timestamp" "$current_connections" "$max_connections" "$usage_percent" \
"$load_avg" "$cpu_usage" "$mem_percent" "$total_rules"
# 记录到日志文件
echo "$timestamp,connections,$current_connections,$max_connections,$usage_percent,load,$load_avg,cpu,$cpu_usage,memory,$mem_percent,rules,$total_rules" >> $log_file
# 检查告警条件
if [ $usage_percent -gt 80 ]; then
echo "\nWARNING: Connection tracking usage > 80%" | tee -a $log_file
fi
if (( $(echo "$load_avg > 2.0" | bc -l) )); then
echo "\nWARNING: System load > 2.0" | tee -a $log_file
fi
if [ $mem_percent -gt 80 ]; then
echo "\nWARNING: Memory usage > 80%" | tee -a $log_file
fi
sleep 5
done
}
# 详细性能分析
detailed_performance_analysis() {
echo "=== Detailed Performance Analysis ==="
# 1. 规则匹配统计
echo "\n1. Rule Matching Statistics:"
iptables -L -n -v --line-numbers | head -20
# 2. 连接跟踪详细信息
echo "\n2. Connection Tracking Details:"
echo "Current connections: $(cat /proc/net/nf_conntrack | wc -l)"
echo "Max connections: $(cat /proc/sys/net/netfilter/nf_conntrack_max)"
if [ -f /proc/net/stat/nf_conntrack ]; then
echo "\nConnection tracking statistics:"
cat /proc/net/stat/nf_conntrack
fi
# 3. 网络接口统计
echo "\n3. Network Interface Statistics:"
cat /proc/net/dev | head -3
# 4. 中断统计
echo "\n4. Network Interrupt Statistics:"
grep -E "eth|ens|enp" /proc/interrupts | head -5
# 5. 内存使用详情
echo "\n5. Memory Usage Details:"
free -h
echo "\nSlab memory usage:"
grep -E "nf_conntrack|ip_conntrack" /proc/slabinfo
# 6. CPU 使用详情
echo "\n6. CPU Usage Details:"
mpstat 1 1 | tail -1
# 7. 磁盘 I/O 统计
echo "\n7. Disk I/O Statistics:"
iostat -x 1 1 | tail -5
}
monitor_iptables_performance &
MONITOR_PID=$!
# 捕获中断信号
trap "kill $MONITOR_PID; detailed_performance_analysis; exit" INT
# 等待监控进程
wait $MONITOR_PID
2. 性能瓶颈分析
#!/bin/bash
# performance_bottleneck_analysis.sh
# 性能瓶颈分析
analyze_performance_bottlenecks() {
echo "=== Performance Bottleneck Analysis ==="
# 1. CPU 瓶颈分析
echo "\n1. CPU Bottleneck Analysis:"
# 检查 CPU 使用率
cpu_usage=$(top -bn1 | grep "Cpu(s)" | awk '{print $2}' | cut -d'%' -f1)
echo "Current CPU usage: $cpu_usage%"
# 检查软中断 CPU 使用率
softirq_usage=$(top -bn1 | grep "Cpu(s)" | awk '{print $6}' | cut -d'%' -f1)
echo "Soft IRQ CPU usage: $softirq_usage%"
if (( $(echo "$softirq_usage > 20" | bc -l) )); then
echo "WARNING: High soft IRQ usage detected - possible network bottleneck"
# 分析网络中断分布
echo "\nNetwork interrupt distribution:"
grep -E "eth|ens|enp" /proc/interrupts
fi
# 2. 内存瓶颈分析
echo "\n2. Memory Bottleneck Analysis:"
# 检查内存使用
mem_info=$(free -m | grep '^Mem:')
mem_total=$(echo $mem_info | awk '{print $2}')
mem_available=$(echo $mem_info | awk '{print $7}')
mem_usage_percent=$(((mem_total - mem_available) * 100 / mem_total))
echo "Memory usage: $mem_usage_percent%"
if [ $mem_usage_percent -gt 80 ]; then
echo "WARNING: High memory usage detected"
# 分析内存使用详情
echo "\nTop memory consumers:"
ps aux --sort=-%mem | head -10
# 检查 slab 内存使用
echo "\nSlab memory usage (top 10):"
sort -k3 -nr /proc/slabinfo | head -10
fi
# 3. 网络瓶颈分析
echo "\n3. Network Bottleneck Analysis:"
# 检查网络接口统计
for interface in $(ip link show | grep -E '^[0-9]+:' | awk -F': ' '{print $2}' | grep -v lo); do
echo "\nInterface: $interface"
# 获取接口统计
rx_errors=$(cat /sys/class/net/$interface/statistics/rx_errors)
tx_errors=$(cat /sys/class/net/$interface/statistics/tx_errors)
rx_dropped=$(cat /sys/class/net/$interface/statistics/rx_dropped)
tx_dropped=$(cat /sys/class/net/$interface/statistics/tx_dropped)
echo " RX errors: $rx_errors, TX errors: $tx_errors"
echo " RX dropped: $rx_dropped, TX dropped: $tx_dropped"
if [ $rx_errors -gt 0 ] || [ $tx_errors -gt 0 ]; then
echo " WARNING: Network errors detected on $interface"
fi
if [ $rx_dropped -gt 0 ] || [ $tx_dropped -gt 0 ]; then
echo " WARNING: Packet drops detected on $interface"
fi
done
# 4. 连接跟踪瓶颈分析
echo "\n4. Connection Tracking Bottleneck Analysis:"
current_connections=$(cat /proc/net/nf_conntrack | wc -l)
max_connections=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
usage_percent=$((current_connections * 100 / max_connections))
echo "Connection tracking usage: $usage_percent%"
if [ $usage_percent -gt 80 ]; then
echo "WARNING: High connection tracking usage"
# 分析连接状态分布
echo "\nConnection state distribution:"
awk '{print $4}' /proc/net/nf_conntrack | sort | uniq -c | sort -nr
# 分析连接协议分布
echo "\nConnection protocol distribution:"
awk '{print $1}' /proc/net/nf_conntrack | sort | uniq -c | sort -nr
fi
# 5. 磁盘 I/O 瓶颈分析
echo "\n5. Disk I/O Bottleneck Analysis:"
# 检查磁盘使用率
disk_usage=$(iostat -x 1 1 | tail -1 | awk '{print $10}')
if (( $(echo "$disk_usage > 80" | bc -l) )); then
echo "WARNING: High disk utilization detected"
# 显示磁盘 I/O 详情
echo "\nDisk I/O details:"
iostat -x 1 1
fi
}
# 性能优化建议
generate_optimization_recommendations() {
echo "\n=== Performance Optimization Recommendations ==="
# 基于分析结果生成建议
cpu_usage=$(top -bn1 | grep "Cpu(s)" | awk '{print $2}' | cut -d'%' -f1)
mem_usage=$(free | grep '^Mem:' | awk '{printf "%.0f", $3/$2*100}')
conn_usage=$(( $(cat /proc/net/nf_conntrack | wc -l) * 100 / $(cat /proc/sys/net/netfilter/nf_conntrack_max) ))
echo "\nCurrent system status:"
echo " CPU usage: $cpu_usage%"
echo " Memory usage: $mem_usage%"
echo " Connection tracking usage: $conn_usage%"
echo "\nRecommendations:"
if (( $(echo "$cpu_usage > 70" | bc -l) )); then
echo " - Consider CPU optimization:"
echo " * Enable CPU performance governor"
echo " * Optimize rule order to reduce processing"
echo " * Use ipset for large IP lists"
echo " * Consider hardware upgrade"
fi
if [ $mem_usage -gt 70 ]; then
echo " - Consider memory optimization:"
echo " * Increase system memory"
echo " * Optimize connection tracking timeouts"
echo " * Use NOTRACK for high-volume traffic"
fi
if [ $conn_usage -gt 70 ]; then
echo " - Consider connection tracking optimization:"
echo " * Increase nf_conntrack_max"
echo " * Reduce connection timeouts"
echo " * Use NOTRACK for stateless traffic"
echo " * Implement connection limiting"
fi
# 规则数量检查
total_rules=$(iptables-save | grep -c '^-A')
if [ $total_rules -gt 1000 ]; then
echo " - Consider rule optimization:"
echo " * Merge similar rules using multiport"
echo " * Use ipset for large IP/port lists"
echo " * Reorder rules by frequency"
echo " * Remove unused rules"
fi
}
analyze_performance_bottlenecks
generate_optimization_recommendations
故障排除和调试
1. 常见性能问题排查
#!/bin/bash
# performance_troubleshooting.sh
# 常见性能问题排查
troubleshoot_common_issues() {
echo "=== Common Performance Issues Troubleshooting ==="
# 1. 连接跟踪表满的问题
echo "\n1. Checking connection tracking table overflow:"
current_connections=$(cat /proc/net/nf_conntrack | wc -l)
max_connections=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
usage_percent=$((current_connections * 100 / max_connections))
echo "Connection tracking usage: $usage_percent%"
if [ $usage_percent -gt 90 ]; then
echo "CRITICAL: Connection tracking table near full!"
echo "Solutions:"
echo " - Increase nf_conntrack_max"
echo " - Reduce connection timeouts"
echo " - Use NOTRACK for high-volume traffic"
echo " - Implement rate limiting"
# 显示连接分布
echo "\nTop connection sources:"
awk '{print $6}' /proc/net/nf_conntrack | cut -d'=' -f2 | sort | uniq -c | sort -nr | head -10
fi
# 2. 规则匹配效率问题
echo "\n2. Checking rule matching efficiency:"
# 重置计数器
iptables -Z
echo "Collecting rule statistics for 60 seconds..."
sleep 60
# 分析规则匹配频率
echo "\nRule matching frequency (top 10):"
iptables -L -n -v --line-numbers | grep -E "^[0-9]+" | \
awk '{print $1, $2, $NF}' | sort -k2,2nr | head -10
# 检查是否有从未匹配的规则
echo "\nRules with zero matches:"
iptables -L -n -v --line-numbers | grep -E "^[0-9]+" | \
awk '$2 == 0 {print "Line " $1 ": " $NF}'
# 3. 内存泄漏检查
echo "\n3. Checking for memory leaks:"
# 检查 slab 内存使用
echo "Netfilter slab memory usage:"
grep -E "nf_conntrack|ip_conntrack" /proc/slabinfo | \
awk '{printf "%-20s: %8s objects, %8s KB\n", $1, $3, $3*$4/1024}'
# 检查内存增长趋势
echo "\nMemory usage trend (monitoring for 5 minutes):"
for i in {1..5}; do
mem_used=$(free -m | grep '^Mem:' | awk '{print $3}')
echo "$(date '+%H:%M:%S'): $mem_used MB"
sleep 60
done
# 4. CPU 使用率异常检查
echo "\n4. Checking CPU usage anomalies:"
# 检查软中断 CPU 使用率
softirq_usage=$(top -bn1 | grep "Cpu(s)" | awk '{print $6}' | cut -d'%' -f1)
echo "Soft IRQ CPU usage: $softirq_usage%"
if (( $(echo "$softirq_usage > 30" | bc -l) )); then
echo "WARNING: High soft IRQ usage detected"
# 分析软中断分布
echo "\nSoft IRQ distribution:"
cat /proc/softirqs | head -1
cat /proc/softirqs | grep -E "NET_RX|NET_TX"
fi
# 5. 网络接口问题检查
echo "\n5. Checking network interface issues:"
for interface in $(ip link show | grep -E '^[0-9]+:' | awk -F': ' '{print $2}' | grep -v lo); do
echo "\nInterface: $interface"
# 检查接口错误
rx_errors=$(cat /sys/class/net/$interface/statistics/rx_errors)
tx_errors=$(cat /sys/class/net/$interface/statistics/tx_errors)
collisions=$(cat /sys/class/net/$interface/statistics/collisions)
if [ $rx_errors -gt 0 ] || [ $tx_errors -gt 0 ] || [ $collisions -gt 0 ]; then
echo " Issues detected:"
echo " RX errors: $rx_errors"
echo " TX errors: $tx_errors"
echo " Collisions: $collisions"
else
echo " No issues detected"
fi
# 检查接口队列状态
if [ -d /sys/class/net/$interface/queues ]; then
queue_count=$(ls /sys/class/net/$interface/queues/tx-* 2>/dev/null | wc -l)
echo " TX queues: $queue_count"
fi
done
}
# 性能调试工具
performance_debugging_tools() {
echo "\n=== Performance Debugging Tools ==="
# 1. 实时连接跟踪监控
echo "\n1. Real-time connection tracking monitor:"
echo "Command: watch -n 1 'cat /proc/net/nf_conntrack | wc -l'"
# 2. 规则匹配统计
echo "\n2. Rule matching statistics:"
echo "Command: watch -n 5 'iptables -L -n -v | head -20'"
# 3. 网络流量监控
echo "\n3. Network traffic monitoring:"
echo "Commands:"
echo " - iftop -i eth0"
echo " - nethogs"
echo " - ss -tuln"
# 4. 系统性能监控
echo "\n4. System performance monitoring:"
echo "Commands:"
echo " - htop"
echo " - iotop"
echo " - vmstat 1"
echo " - iostat -x 1"
# 5. 网络数据包分析
echo "\n5. Network packet analysis:"
echo "Commands:"
echo " - tcpdump -i eth0 -n"
echo " - wireshark"
echo " - tshark -i eth0"
# 6. 连接跟踪调试
echo "\n6. Connection tracking debugging:"
echo "Commands:"
echo " - conntrack -L"
echo " - conntrack -S"
echo " - cat /proc/net/stat/nf_conntrack"
}
# 自动化性能检查
automated_performance_check() {
echo "\n=== Automated Performance Check ==="
# 创建性能报告
report_file="/tmp/iptables_performance_report_$(date +%Y%m%d_%H%M%S).txt"
{
echo "iptables Performance Report"
echo "Generated: $(date)"
echo "========================================"
echo "\n1. System Information:"
uname -a
echo "CPU cores: $(nproc)"
echo "Total memory: $(free -h | grep '^Mem:' | awk '{print $2}')"
echo "\n2. iptables Configuration:"
echo "Total rules: $(iptables-save | grep -c '^-A')"
echo "Filter table rules: $(iptables -t filter -S | grep -c '^-A')"
echo "NAT table rules: $(iptables -t nat -S | grep -c '^-A')"
echo "Mangle table rules: $(iptables -t mangle -S | grep -c '^-A')"
echo "Raw table rules: $(iptables -t raw -S | grep -c '^-A')"
echo "\n3. Connection Tracking:"
echo "Current connections: $(cat /proc/net/nf_conntrack | wc -l)"
echo "Max connections: $(cat /proc/sys/net/netfilter/nf_conntrack_max)"
echo "Usage: $(( $(cat /proc/net/nf_conntrack | wc -l) * 100 / $(cat /proc/sys/net/netfilter/nf_conntrack_max) ))%"
echo "\n4. System Performance:"
echo "Load average: $(uptime | awk -F'load average:' '{print $2}')"
echo "CPU usage: $(top -bn1 | grep 'Cpu(s)' | awk '{print $2}')"
echo "Memory usage: $(free | grep '^Mem:' | awk '{printf "%.1f%%", $3/$2*100}')"
echo "\n5. Network Interfaces:"
ip link show | grep -E '^[0-9]+:' | awk -F': ' '{print $2}'
echo "\n6. Kernel Parameters:"
echo "nf_conntrack_max: $(cat /proc/sys/net/netfilter/nf_conntrack_max)"
echo "tcp_timeout_established: $(cat /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_established)"
echo "udp_timeout: $(cat /proc/sys/net/netfilter/nf_conntrack_udp_timeout)"
} > $report_file
echo "Performance report saved to: $report_file"
# 生成性能评分
score=100
# 连接跟踪使用率扣分
conn_usage=$(( $(cat /proc/net/nf_conntrack | wc -l) * 100 / $(cat /proc/sys/net/netfilter/nf_conntrack_max) ))
if [ $conn_usage -gt 80 ]; then
score=$((score - 20))
elif [ $conn_usage -gt 60 ]; then
score=$((score - 10))
fi
# CPU 使用率扣分
cpu_usage=$(top -bn1 | grep "Cpu(s)" | awk '{print $2}' | cut -d'%' -f1)
if (( $(echo "$cpu_usage > 80" | bc -l) )); then
score=$((score - 20))
elif (( $(echo "$cpu_usage > 60" | bc -l) )); then
score=$((score - 10))
fi
# 内存使用率扣分
mem_usage=$(free | grep '^Mem:' | awk '{printf "%.0f", $3/$2*100}')
if [ $mem_usage -gt 80 ]; then
score=$((score - 15))
elif [ $mem_usage -gt 60 ]; then
score=$((score - 5))
fi
# 规则数量扣分
total_rules=$(iptables-save | grep -c '^-A')
if [ $total_rules -gt 1000 ]; then
score=$((score - 15))
elif [ $total_rules -gt 500 ]; then
score=$((score - 5))
fi
echo "\nPerformance Score: $score/100"
if [ $score -ge 80 ]; then
echo "Status: Excellent"
elif [ $score -ge 60 ]; then
echo "Status: Good"
elif [ $score -ge 40 ]; then
echo "Status: Fair - Optimization recommended"
else
echo "Status: Poor - Immediate optimization required"
fi
}
troubleshoot_common_issues
performance_debugging_tools
automated_performance_check
9.7 本章小结
性能优化要点回顾
本章详细介绍了 iptables 的性能优化和调优方法,主要包括以下几个方面:
1. 性能影响因素
- 规则数量和复杂度:规则越多,处理时间越长
- 规则匹配顺序:常用规则应放在前面
- 匹配条件效率:不同匹配条件的性能差异很大
- 连接跟踪开销:状态跟踪会消耗大量资源
2. 规则优化策略
- 基于频率排序:将高频匹配的规则放在前面
- 规则合并:使用 multiport、iprange 等模块合并相似规则
- 使用 ipset:对大量 IP 地址进行高效匹配
- 避免低效匹配:减少字符串匹配和正则表达式的使用
3. 连接跟踪优化
- 参数调优:优化连接跟踪表大小和超时时间
- 跳过连接跟踪:对不需要状态跟踪的流量使用 NOTRACK
- 模块优化:禁用不需要的连接跟踪助手模块
4. 内核参数优化
- TCP 参数:优化 TCP 缓冲区、拥塞控制等
- 网络栈参数:优化网络接口、中断处理等
- 防火墙专用参数:针对防火墙场景的特殊优化
5. 硬件优化
- 网卡优化:启用硬件卸载功能、优化队列配置
- CPU 优化:设置性能模式、优化中断亲和性
- 内存优化:配置大页内存、优化 NUMA 设置
6. 性能监控和调试
- 实时监控:监控连接跟踪、系统负载等关键指标
- 瓶颈分析:识别 CPU、内存、网络等性能瓶颈
- 故障排除:解决常见的性能问题
最佳实践建议
规则设计原则
- 将最常匹配的规则放在前面
- 使用具体的匹配条件,避免过于宽泛的规则
- 定期清理不再使用的规则
连接跟踪管理
- 根据实际需求调整连接跟踪表大小
- 对高流量的静态内容使用 NOTRACK
- 合理设置连接超时时间
系统调优
- 定期监控系统性能指标
- 根据负载情况动态调整参数
- 使用自动化脚本进行性能检查
硬件配置
- 选择支持硬件卸载的网卡
- 配置足够的内存和 CPU 资源
- 优化网络中断分布
性能优化检查清单
- [ ] 分析规则匹配频率,优化规则顺序
- [ ] 合并相似规则,减少规则总数
- [ ] 使用 ipset 替代大量单独的 IP 规则
- [ ] 配置合适的连接跟踪参数
- [ ] 对高流量应用使用 NOTRACK
- [ ] 优化内核网络参数
- [ ] 启用网卡硬件卸载功能
- [ ] 配置 CPU 性能模式
- [ ] 设置性能监控和告警
- [ ] 定期进行性能评估和调优
下一章预告
下一章我们将学习 iptables 的安全配置,包括: - 安全策略设计 - 攻击防护配置 - 安全审计和日志分析 - 安全事件响应 - 合规性配置
通过学习安全配置,您将能够构建更加安全可靠的防火墙系统。
练习
理论练习
- 性能分析题
- 分析以下规则配置的性能问题:
bash iptables -A INPUT -m string --string "admin" --algo bm -j DROP iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT iptables -A INPUT -p tcp --dport 22 -j ACCEPT2. 优化方案题 - 为一个有 1000 条规则的防火墙设计性能优化方案 3. 参数调优题 - 计算一个 8GB 内存服务器的最佳连接跟踪参数 ### 实践练习 1. 性能测试 - 使用本章提供的脚本测试当前系统的 iptables 性能 - 记录测试结果并分析性能瓶颈 2. 规则优化 - 优化现有的 iptables 规则配置 - 对比优化前后的性能差异 3. 监控配置 - 配置 iptables 性能监控系统 - 设置性能告警阈值 ### 思考题 1. 在什么情况下应该使用 NOTRACK?使用 NOTRACK 有什么注意事项? 2. 如何平衡防火墙的安全性和性能? 3. 对于高并发的 Web 服务器,应该如何优化 iptables 配置? 4. 连接跟踪表满了会发生什么?如何预防和解决这个问题? 5. 在虚拟化环境中,iptables 性能优化有什么特殊考虑?
- 分析以下规则配置的性能问题:
