网络相关
IPv4:
0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 192.88.99.0/24 192.168.0.0/16 198.18.0.0/15 198.51.100.0/24 203.0.113.0/24 224.0.0.0/4 240.0.0.0/4 255.255.255.255/32
IPv6:
::/128 ::1/128 ::ffff:0:0/96 ::ffff:0:0:0/96 64:ff9b::/96 100::/64 2001::/32 2001:20::/28 2001:db8::/32 2002::/16 fc00::/7 fe80::/10 ff00::/8
0x01 Installation
git clone --depth 1 https://github.com/heiher/nginx cd nginx git clone --depth 1 https://github.com/heiher/nginx-dav-ext-module ./auto/configure --prefix=/opt/nginx \ --with-compat \ --with-file-aio \ --with-http_addition_module \ --with-http_auth_request_module \ --with-http_dav_module \ --with-http_degradation_module \ --with-http_flv_module \ --with-http_geoip_module \ --with-http_gunzip_module \ --with-http_gzip_static_module \ --with-http_mp4_module \ --with-http_realip_module \ --with-http_secure_link_module \ --with-http_slice_module \ --with-http_ssl_module \ --with-http_stub_status_module \ --with-http_sub_module \ --with-http_v2_module \ --with-pcre-jit \ --with-threads \ --add-module=nginx-dav-ext-module make sudo make install |
0x02 Configuration
Main: /opt/nginx/conf/nginx.conf:
#user nobody;
worker_processes 1;
#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;
#pid logs/nginx.pid;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
#log_format main '$remote_addr - $remote_user [$time_local] "$request" '
# '$status $body_bytes_sent "$http_referer" '
# '"$http_user_agent" "$http_x_forwarded_for"';
#access_log logs/access.log main;
sendfile on;
#tcp_nopush on;
#keepalive_timeout 0;
keepalive_timeout 65;
#gzip on;
dav_ext_lock_zone zone=foo:10m;
server {
listen 80;
server_name localhost;
#charset koi8-r;
#access_log logs/host.access.log main;
location / {
root html;
auth_basic Restricted;
auth_basic_user_file htpasswd;
dav_methods PUT DELETE MKCOL COPY MOVE;
dav_ext_methods PROPFIND PROPPATCH OPTIONS LOCK UNLOCK;
dav_ext_lock zone=foo;
dav_access user:rw group:rw all:r;
client_max_body_size 0;
create_full_put_path on;
}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
}
} |
Auth: /opt/nginx/conf/htpasswd:
htpasswd -b -c /opt/nginx/conf/htpasswd YOUR_USERNAME YOUR_PASSWORD |
Start, Stop and Reload:
# Start sudo /opt/nginx/sbin/nginx # Stop sudo /opt/nginx/sbin/nginx -s stop # Reload sudo /opt/nginx/sbin/nginx -s reload |
0x03 Clients
Nautils
Windows 10
Fix authentication and file size limits, open regedit and modify:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WebClient\Parameters\ BasicAuthLevel = 2 FileSizeLimitInBytes = 0xffffffff |
Over!
| Tagged packet | Untagged packet | |||
|---|---|---|---|---|
| IN | OUT | IN | OUT | |
| Tagged Port | Unmodified | Unmodified | Tag by PVID | Tag by PVID |
| Untagged Port | Drop | Untag | Tag by PVID | Unmodified |
Over!
Network setup is performed by systemd.networkd. e.g.
/etc/systemd/network/tun0.network
[Match] Name=tun0 [Network] Address=fc00::2/126 [Route] Destination=::/0
Over!
This is a transparent proxy per app based on iptables + network classifier cgroup on Linux, and it’s more general than proxychains.
Build and install tproxy
git clone --recursive https://github.com/heiher/hev-socks5-tproxy cd hev-socks5-tproxy make sudo cp bin/hev-socks5-tproxy /usr/local/bin/ sudo cp conf/main.ini /usr/local/etc/hev-socks5-tproxy.conf |
Install systemd serivce
# /etc/systemd/system/hev-socks5-tproxy.service [Unit] Description=HevSocks5TProxy [Service] User=nobody ExecStart=/usr/local/bin/hev-socks5-tproxy /usr/local/etc/hev-socks5-tproxy.conf KillMode=process Restart=always LimitNOFILE=65536 [Install] WantedBy=multi-user.target |
Install tproxy wrapper
#!/bin/bash # /usr/local/bin/tproxy NET_CLS_DIR="/sys/fs/cgroup/net_cls/tproxy" NET_CLS_ID=88 TP_TCP_PORT=1088 TP_DNS_PORT=5300 if [ ! -e ${NET_CLS_DIR} ]; then sudo sh -c "mkdir -p ${NET_CLS_DIR}; \ chmod 0666 ${NET_CLS_DIR}/cgroup.procs; \ echo ${NET_CLS_ID} > ${NET_CLS_DIR}/net_cls.classid; \ iptables -t nat -D OUTPUT -p tcp \ -m cgroup --cgroup ${NET_CLS_ID} \ -j REDIRECT --to-ports ${TP_TCP_PORT}; \ iptables -t nat -D OUTPUT -p udp --dport 53 \ -m cgroup --cgroup ${NET_CLS_ID} \ -j REDIRECT --to-ports ${TP_DNS_PORT}; \ ip6tables -t nat -D OUTPUT -p tcp \ -m cgroup --cgroup ${NET_CLS_ID} \ -j REDIRECT --to-ports ${TP_TCP_PORT}; \ ip6tables -t nat -D OUTPUT -p udp --dport 53 \ -m cgroup --cgroup ${NET_CLS_ID} \ -j REDIRECT --to-ports ${TP_DNS_PORT}; \ iptables -t nat -I OUTPUT -p tcp \ -m cgroup --cgroup ${NET_CLS_ID} \ -j REDIRECT --to-ports ${TP_TCP_PORT}; \ iptables -t nat -I OUTPUT -p udp --dport 53 \ -m cgroup --cgroup ${NET_CLS_ID} \ -j REDIRECT --to-ports ${TP_DNS_PORT}; \ ip6tables -t nat -I OUTPUT -p tcp \ -m cgroup --cgroup ${NET_CLS_ID} \ -j REDIRECT --to-ports ${TP_TCP_PORT}; \ ip6tables -t nat -I OUTPUT -p udp --dport 53 \ -m cgroup --cgroup ${NET_CLS_ID} \ -j REDIRECT --to-ports ${TP_DNS_PORT};" 2>&1 2> /dev/null fi echo $$ > ${NET_CLS_DIR}/cgroup.procs exec "$@" |
How to use?
tproxy COMMAND # For example tproxy wget http://xxx.com/xxx tproxy makepkg |
Over!
FSH是一个通过服务器中转方式实现私有网络间Linux主机互访的方案,支持:
1. Shell终端
2. TCP端口转发
源代码
https://gitlab.com/hev/hev-fsh
编译及使用说明
README.md
Over!
Dual network connections
eth0:
Address: 192.168.0.2
NetMask: 255.255.255.0
Gateway: 192.168.0.1
eth1:
Address: 192.168.1.2
NetMask: 255.255.255.0
Gateway: 192.168.1.1
Routing policy
* Transmit via eth0 when source address is 192.168.0.2
* Transmit via eth1 when source address is 192.168.1.2
Commands
# eth0 ifconfig eth0 192.168.0.2/24 up ip rule add from 192.168.0.2 table 251 ip route add default via 192.168.0.1 dev eth0 src 192.168.0.2 table 251 # eth1 ifconfig eth1 192.168.1.2/24 up ip rule add from 192.168.1.2 table 252 ip route add default via 192.168.1.1 dev eth1 src 192.168.1.2 table 252 |
Over!
Configuring Bonding Manually via Sysfs ------------------------------------------ Starting with version 3.0.0, Channel Bonding may be configured via the sysfs interface. This interface allows dynamic configuration of all bonds in the system without unloading the module. It also allows for adding and removing bonds at runtime. Ifenslave is no longer required, though it is still supported. Use of the sysfs interface allows you to use multiple bonds with different configurations without having to reload the module. It also allows you to use multiple, differently configured bonds when bonding is compiled into the kernel. You must have the sysfs filesystem mounted to configure bonding this way. The examples in this document assume that you are using the standard mount point for sysfs, e.g. /sys. If your sysfs filesystem is mounted elsewhere, you will need to adjust the example paths accordingly. Creating and Destroying Bonds ----------------------------- To add a new bond foo: # echo +foo > /sys/class/net/bonding_masters To remove an existing bond bar: # echo -bar > /sys/class/net/bonding_masters To show all existing bonds: # cat /sys/class/net/bonding_masters NOTE: due to 4K size limitation of sysfs files, this list may be truncated if you have more than a few hundred bonds. This is unlikely to occur under normal operating conditions. Adding and Removing Slaves -------------------------- Interfaces may be enslaved to a bond using the file /sys/class/net//bonding/slaves. The semantics for this file are the same as for the bonding_masters file. To enslave interface eth0 to bond bond0: # ifconfig bond0 up # echo +eth0 > /sys/class/net/bond0/bonding/slaves To free slave eth0 from bond bond0: # echo -eth0 > /sys/class/net/bond0/bonding/slaves When an interface is enslaved to a bond, symlinks between the two are created in the sysfs filesystem. In this case, you would get /sys/class/net/bond0/slave_eth0 pointing to /sys/class/net/eth0, and /sys/class/net/eth0/master pointing to /sys/class/net/bond0. This means that you can tell quickly whether or not an interface is enslaved by looking for the master symlink. Thus: # echo -eth0 > /sys/class/net/eth0/master/bonding/slaves will free eth0 from whatever bond it is enslaved to, regardless of the name of the bond interface. Changing a Bond's Configuration ------------------------------- Each bond may be configured individually by manipulating the files located in /sys/class/net/ /bonding The names of these files correspond directly with the command- line parameters described elsewhere in this file, and, with the exception of arp_ip_target, they accept the same values. To see the current setting, simply cat the appropriate file. A few examples will be given here; for specific usage guidelines for each parameter, see the appropriate section in this document. To configure bond0 for balance-alb mode: # ifconfig bond0 down # echo 6 > /sys/class/net/bond0/bonding/mode - or - # echo balance-alb > /sys/class/net/bond0/bonding/mode NOTE: The bond interface must be down before the mode can be changed. To enable MII monitoring on bond0 with a 1 second interval: # echo 1000 > /sys/class/net/bond0/bonding/miimon NOTE: If ARP monitoring is enabled, it will disabled when MII monitoring is enabled, and vice-versa. To add ARP targets: # echo +192.168.0.100 > /sys/class/net/bond0/bonding/arp_ip_target # echo +192.168.0.101 > /sys/class/net/bond0/bonding/arp_ip_target NOTE: up to 16 target addresses may be specified. To remove an ARP target: # echo -192.168.0.100 > /sys/class/net/bond0/bonding/arp_ip_target To configure the interval between learning packet transmits: # echo 12 > /sys/class/net/bond0/bonding/lp_interval NOTE: the lp_inteval is the number of seconds between instances where the bonding driver sends learning packets to each slaves peer switch. The default interval is 1 second. Example Configuration --------------------- We begin with the same example that is shown in section 3.3, executed with sysfs, and without using ifenslave. To make a simple bond of two e100 devices (presumed to be eth0 and eth1), and have it persist across reboots, edit the appropriate file (/etc/init.d/boot.local or /etc/rc.d/rc.local), and add the following: modprobe bonding modprobe e100 echo balance-alb > /sys/class/net/bond0/bonding/mode ifconfig bond0 192.168.1.1 netmask 255.255.255.0 up echo 100 > /sys/class/net/bond0/bonding/miimon echo +eth0 > /sys/class/net/bond0/bonding/slaves echo +eth1 > /sys/class/net/bond0/bonding/slaves To add a second bond, with two e1000 interfaces in active-backup mode, using ARP monitoring, add the following lines to your init script: modprobe e1000 echo +bond1 > /sys/class/net/bonding_masters echo active-backup > /sys/class/net/bond1/bonding/mode ifconfig bond1 192.168.2.1 netmask 255.255.255.0 up echo +192.168.2.100 /sys/class/net/bond1/bonding/arp_ip_target echo 2000 > /sys/class/net/bond1/bonding/arp_interval echo +eth2 > /sys/class/net/bond1/bonding/slaves echo +eth3 > /sys/class/net/bond1/bonding/slaves
See also: https://www.kernel.org/doc/Documentation/networking/bonding.txt
Over!
一有线局域网实时流媒体组播传输应用从 Windows 10 迁移至 Windows 7 平台后,迁移后传输质量下降明显。
对比实验发现在同一发送端的同一组播窗口中,运行在 Windows 7 系统上的接收端效果明显劣于 Windows 10 接收端。
分析接收端的收到的数据包发现,Windows 7 平台的接收端存在明显的丢包现象。于是排查了这两个方面:
1. Win7 网卡驱动较 Win10 较旧。
2. Socket 默认接收缓冲区是否太小。
针对第1点,在将 Win7 网卡驱动升级至最新后无明显改善。:(
针对第2点,显式设置了接收缓冲区为 1MB 后,接收质量得到明显改善。:)
Over!