Network functions and the Linux components that implement them (slide diagram):
  Web Server          - Apache, Nginx, ...
  Hypervisor          - KVM
  vSwitch / L2 Switch - OpenvSwitch, Linux Bridge
  Firewall            - iptables, nftables, bpf
  L3 Router           - iproute, Quagga
  L4 Switch           - HAproxy, Nginx, ...
OSI layers, their protocol data unit (PDU) and TCP/IP grouping (slide table):
Layer            PDU                TCP/IP        Role
7 Application    Data               Host layers   High-level APIs such as resource sharing and remote file access
6 Presentation                      Host layers   Translation and encoding of data between the network service and the application
5 Session                           Host layers   Management of communication sessions
4 Transport      Segment, Datagram  Host layers   Transfer of data segments between points on the network
3 Network        Packet             Media layers  Traffic control across multiple nodes
2 Data link      Frame              Media layers  Transfer of data frames between two nodes
1 Physical       Bit, Symbol        Media layers  Transfer of raw bits over the physical layer
Layers where troubleshooting is possible on Linux, and what identifies them:
  L2: MAC, VLAN
  L3: IP
  L4: PORT
  L7: HTTP, SSH, NTP, etc.
Tools:
• iproute2 package (ip, ss, tc, bridge, ...)
• iptables (nftables)
• tcpdump
• nmap
• ...
root@server1:~# ip -h
Usage: ip [ OPTIONS ] OBJECT { COMMAND | help }
ip [ -force ] -batch filename
where OBJECT := { link | address | addrlabel | route | rule | neigh | ntable |
tunnel | tuntap | maddress | mroute | mrule | monitor | xfrm |
netns | l2tp | fou | macsec | tcp_metrics | token | netconf | ila |
vrf | sr }
OPTIONS := { -V[ersion] | -s[tatistics] | -d[etails] | -r[esolve] |
-h[uman-readable] | -iec |
-f[amily] { inet | inet6 | ipx | dnet | mpls | bridge | link } |
-4 | -6 | -I | -D | -B | -0 |
-l[oops] { maximum-addr-flush-attempts } | -br[ief] |
-o[neline] | -t[imestamp] | -ts[hort] | -b[atch] [filename] |
-rc[vbuf] [size] | -n[etns] name | -a[ll] | -c[olor]}
root@server1:~# ip -4 -o a
1: lo inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever
2: ens3 inet 10.2.1.21/24 brd 10.2.1.255 scope global ens3 valid_lft forever preferred_lft forever
3: ens4 inet 10.2.2.21/24 brd 10.2.2.255 scope global ens4 valid_lft forever preferred_lft forever
4: ens5 inet 10.2.3.21/24 brd 10.2.3.255 scope global ens5 valid_lft forever preferred_lft forever
5: ens6 inet 10.2.4.21/24 brd 10.2.4.255 scope global ens6 valid_lft forever preferred_lft forever
-4: IPv4 only; -o: one-line (abbreviated) output; "a" is the short form of the "address" object.
root@server1:~# ip neighbor
10.2.1.1 dev ens3 lladdr 52:54:51:98:db:95 REACHABLE
10.2.1.22 dev ens3 lladdr 52:54:00:23:8a:73 STALE
root@router1:~# ip link add link ens9 name ens9_v100 type vlan id 100
root@router1:~# ip -d link show ens9_v100
9: ens9_v100@ens9: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
link/ether 52:54:00:05:99:0b brd ff:ff:ff:ff:ff:ff promiscuity 0
vlan protocol 802.1Q id 100 <REORDER_HDR> addrgenmode eui64 numtxqueues 1 numrxqueues 1 gso_max_size 65536
gso_max_segs 65535
Annotations: link state, detailed output (-d), MAC address, VLAN ID.
A VLAN-type sub-interface is created on top of ens9 and assigned VLAN ID 100.
root@router1:~# ip route
default via 10.2.1.1 dev ens3 proto static
1.1.1.0/24 dev ens4 proto kernel scope link src 1.1.1.1
2.2.2.0/24 dev ens5 proto kernel scope link src 2.2.2.1
5.5.5.0/25 via 2.2.2.13 dev ens5 metric 10
5.5.5.0/24 via 1.1.1.12 dev ens4 metric 10
10.2.1.0/24 dev ens3 proto kernel scope link src 10.2.1.22
A lower metric means higher priority. A route with no metric shown has metric 0 (the default value).
If nothing matches in any table, the packet is sent to the default route. If there are two default routes, the one listed first has priority.
If the metrics are equal, the smaller network (subnet) has higher priority:
5.5.5.0 ~ 128 is sent to 2.2.2.13, and 5.5.5.129 ~ 255 is sent to 1.1.1.12.
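As an added example (not code from the slides), the following Python script parses the router1 routing table shown above and reproduces the selection order described in the notes: longest matching prefix first, then lowest metric, then the first listed route. The table text is copied from the slide; the function names are the example's own.

```python
import ipaddress

# Routing table text copied from the `ip route` output on router1 above.
ROUTE_TABLE = """\
default via 10.2.1.1 dev ens3 proto static
1.1.1.0/24 dev ens4 proto kernel scope link src 1.1.1.1
2.2.2.0/24 dev ens5 proto kernel scope link src 2.2.2.1
5.5.5.0/25 via 2.2.2.13 dev ens5 metric 10
5.5.5.0/24 via 1.1.1.12 dev ens4 metric 10
10.2.1.0/24 dev ens3 proto kernel scope link src 10.2.1.22
"""


def parse_routes(text):
    """Turn `ip route` lines into (network, gateway, dev, metric) tuples, in listed order."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dst = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        gateway = fields[fields.index("via") + 1] if "via" in fields else None
        dev = fields[fields.index("dev") + 1]
        metric = int(fields[fields.index("metric") + 1]) if "metric" in fields else 0
        routes.append((ipaddress.ip_network(dst), gateway, dev, metric))
    return routes


def lookup(routes, dst_ip):
    """Select the route the kernel would use: the longest matching prefix wins;
    among equal prefixes the lowest metric wins; on a full tie the first listed wins."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for route in routes:
        network, _gateway, _dev, metric = route
        if dst not in network:
            continue
        if best is None or network.prefixlen > best[0].prefixlen \
                or (network.prefixlen == best[0].prefixlen and metric < best[3]):
            best = route
    if best is None:
        return None
    network, gateway, dev, metric = best
    return {"prefix": str(network), "via": gateway, "dev": dev, "metric": metric}


ROUTES = parse_routes(ROUTE_TABLE)

if __name__ == "__main__":
    for ip in ("5.5.5.100", "5.5.5.128", "5.5.5.200", "10.2.1.50", "8.8.8.8"):
        print(ip, "->", lookup(ROUTES, ip))
```

Running it on 5.5.5.128 is a useful check of the subnet boundary: a /25 covers .0 to .127, so .128 already takes the /24 route via 1.1.1.12, while anything with no more specific match falls through to the default route via 10.2.1.1.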
root@router1:~# ip rule list
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
root@router1:~#
By default there are three tables (local, main, default); more can be added.
A lower ID means higher priority. The table we usually look at is main.
root@router1:~# ip route show table main
default via 10.2.1.1 dev ens3 proto static
1.1.1.0/24 dev ens4 proto kernel scope link src 1.1.1.1
2.2.2.0/24 dev ens5 proto kernel scope link src 2.2.2.1
5.5.5.0/25 via 2.2.2.13 dev ens5 metric 10
5.5.5.0/24 via 1.1.1.12 dev ens4 metric 10
10.2.1.0/24 dev ens3 proto kernel scope link src 10.2.1.22
root@server1:~# ip route show table local
broadcast 10.2.1.0 dev ens3 proto kernel scope link src 10.2.1.21
local 10.2.1.21 dev ens3 proto kernel scope host src 10.2.1.21
broadcast 10.2.1.255 dev ens3 proto kernel scope link src 10.2.1.21
broadcast 10.2.2.0 dev ens4 proto kernel scope link src 10.2.2.21
local 10.2.2.21 dev ens4 proto kernel scope host src 10.2.2.21
broadcast 10.2.2.255 dev ens4 proto kernel scope link src 10.2.2.21
broadcast 10.2.3.0 dev ens5 proto kernel scope link src 10.2.3.21
local 10.2.3.21 dev ens5 proto kernel scope host src 10.2.3.21
broadcast 10.2.3.255 dev ens5 proto kernel scope link src 10.2.3.21
broadcast 10.2.4.0 dev ens6 proto kernel scope link src 10.2.4.21
local 10.2.4.21 dev ens6 proto kernel scope host src 10.2.4.21
broadcast 10.2.4.255 dev ens6 proto kernel scope link src 10.2.4.21
broadcast 127.0.0.0 dev lo proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1
root@router1:~# ip -4 -o a
1: lo inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever
2: ens3 inet 10.2.1.22/24 brd 10.2.1.255 scope global ens3 valid_lft forever preferred_lft forever
2: ens3 inet 1.1.1.12/24 scope global ens3 valid_lft forever preferred_lft forever
3: ens4 inet 10.2.2.22/24 brd 10.2.2.255 scope global ens4 valid_lft forever preferred_lft forever
4: ens5 inet 10.2.3.22/24 brd 10.2.3.255 scope global ens5 valid_lft forever preferred_lft forever
5: ens6 inet 10.2.4.22/24 brd 10.2.4.255 scope global ens6 valid_lft forever preferred_lft forever
root@router1:~# tcpdump -n -i ens3 icmp and host 10.2.1.21
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens3, link-type EN10MB (Ethernet), capture size 262144 bytes
15:59:39.549512 IP 10.2.1.21 > 10.2.1.22: ICMP echo request, id 10793, seq 1, length 64
15:59:39.549673 IP 10.2.1.22 > 10.2.1.21: ICMP echo reply, id 10793, seq 1, length 64
15:59:40.563168 IP 10.2.1.21 > 10.2.1.22: ICMP echo request, id 10793, seq 2, length 64
15:59:40.563222 IP 10.2.1.22 > 10.2.1.21: ICMP echo reply, id 10793, seq 2, length 64
15:59:41.566570 IP 10.2.1.21 > 10.2.1.22: ICMP echo request, id 10793, seq 3, length 64
15:59:41.566631 IP 10.2.1.22 > 10.2.1.21: ICMP echo reply, id 10793, seq 3, length 64
-n: no resolve, print IP and port information as plain numbers.
-i: specify the interface; "any" means all interfaces.
expression: write the desired filter (protocol, host, port, etc.) in tcpdump's syntax.
router1 has the IP 10.2.1.22. With tcpdump you can tell whether the traffic actually arrives.
root@server1:~# ss -ntpl
State  Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN 0       128     127.0.0.53%lo:53    0.0.0.0:*  users:(("systemd-resolve",pid=620,fd=13))
LISTEN 0       128     0.0.0.0:22          0.0.0.0:*  users:(("sshd",pid=911,fd=3))
LISTEN 0       128     [::]:22             [::]:*     users:(("sshd",pid=911,fd=4))
----------------------------------------------------------------------------------------------------------------------
root@router1:~# nmap -p 22 10.2.1.21
Starting Nmap 7.60 ( https://nmap.org ) at 2021-04-01 16:33 KST
Nmap scan report for server1 (10.2.1.21)
Host is up (0.00035s latency).
PORT STATE SERVICE
22/tcp open ssh
MAC Address: 52:54:00:FE:C7:A2 (QEMU virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 0.56 seconds
ss: the tool that replaces netstat. -n: no resolve; -t: TCP; -p: show the owning process; -l: show only listening sockets.
nmap: network exploration tool, security / port scanner. Here it scans only port 22 of the given address.
root@server1:~# ss -ntpl
State  Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN 0       128     127.0.0.53%lo:53    0.0.0.0:*  users:(("systemd-resolve",pid=620,fd=13))
LISTEN 0       128     0.0.0.0:22          0.0.0.0:*  users:(("sshd",pid=911,fd=3))
LISTEN 0       128     [::]:22             [::]:*     users:(("sshd",pid=911,fd=4))
LISTEN 0       128     *:80                *:*        users:(("apache2",pid=11336,fd=4),("apache2",pid=11335,fd=4),("apache2",pid=11334,fd=4))
----------------------------------------------------------------------------------------------------------------------
root@router1:~# curl 10.2.1.21
curl: (7) Failed to connect to 10.2.1.21 port 80: Connection refused
root@router1:~#
root@router1:~# nmap -p 80 10.2.1.21
Starting Nmap 7.60 ( https://nmap.org ) at 2021-04-01 16:42 KST
Nmap scan report for server1 (10.2.1.21)
Host is up (0.00050s latency).
PORT STATE SERVICE
80/tcp filtered http
MAC Address: 52:54:00:FE:C7:A2 (QEMU virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 0.61 seconds
Web server started (apache2 now listening on port 80).
Web server not reachable: curl gets "Connection refused" and nmap reports port 80 as filtered.
root@server1:~# iptables -L INPUT -n --line
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 reject-with icmp-port-unreachable
root@server1:~# iptables -I INPUT -m tcp -p tcp -s 10.2.1.22 --dport 80 -j ACCEPT
root@server1:~# iptables -L INPUT -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- 10.2.1.22 0.0.0.0/0 tcp dpt:80
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 reject-with icmp-port-unreachable
-I (insert) puts the rule at the top of the chain. In the INPUT chain: tcp match module, tcp protocol, source address 10.2.1.22, destination port 80.
-j (jump) <target>: the target can be an action or a specific chain; here ACCEPT allows the traffic.
Rules are searched from top to bottom, so if the REJECT were above, it would be applied first.
Check the iptables INPUT chain on server1.
root@router1:~# nmap -p 80 10.2.1.21
Starting Nmap 7.60 ( https://nmap.org ) at 2021-04-01 16:48 KST
Nmap scan report for server1 (10.2.1.21)
Host is up (0.00040s latency).
PORT STATE SERVICE
80/tcp open http
MAC Address: 52:54:00:FE:C7:A2 (QEMU virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 0.61 seconds
Open!
Topology diagram: server1, server2, router1, router2.
root@router1:~# ip a a 1.1.1.1/24 dev ens4
root@router1:~# ip l s up ens4
root@router1:~# ip a a 2.2.2.1/24 dev ens5
root@router1:~# ip l s up ens5
root@router1:~# ip -4 -o a
1: lo inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever
2: ens3 inet 10.2.1.22/24 brd 10.2.1.255 scope global ens3 valid_lft forever preferred_lft forever
3: ens4 inet 1.1.1.1/24 scope global ens4 valid_lft forever preferred_lft forever
4: ens5 inet 2.2.2.1/24 scope global ens5 valid_lft forever preferred_lft forever
root@router1:~# sysctl -w net.ipv4.conf.all.forwarding=1
net.ipv4.conf.all.forwarding = 1
root@router1:~# iptables -I FORWARD -j REJECT
root@router1:~# iptables -I FORWARD -p icmp -j ACCEPT
root@router1:~# iptables -L FORWARD -n
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all traffic except ICMP.
Netfilter chain traversal (slide diagram):
PREROUTING -> ROUTE -> INPUT for traffic whose destination is local, or FORWARD for traffic whose destination is not local -> POSTROUTING.
Traffic whose source is local starts at OUTPUT -> ROUTE -> POSTROUTING.
The filter table contains the INPUT, FORWARD and OUTPUT chains.
The nat table, as drawn on the slide, contains all chains: PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING.
root@server1:~# ip a a 1.1.1.11/24 dev ens4
root@server1:~# ip l s up ens4
root@server1:~# ip -4 -o a
1: lo inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever
2: ens3 inet 10.2.1.21/24 brd 10.2.1.255 scope global ens3 valid_lft forever preferred_lft forever
3: ens4 inet 1.1.1.11/24 scope global ens4 valid_lft forever preferred_lft forever
root@server1:~#
root@server1:~# ip r a 2.2.2.0/24 via 1.1.1.1
root@server1:~# ip r
default via 10.2.1.1 dev ens3 proto static
1.1.1.0/24 dev ens4 proto kernel scope link src 1.1.1.11
2.2.2.0/24 via 1.1.1.1 dev ens4
10.2.1.0/24 dev ens3 proto kernel scope link src 10.2.1.21
root@server2:~# ip a a 2.2.2.12/24 dev ens4
root@server2:~# ip l s up ens4
root@server2:~# ip -4 -o a
1: lo inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever
2: ens3 inet 10.2.1.23/24 brd 10.2.1.255 scope global ens3 valid_lft forever preferred_lft forever
3: ens4 inet 2.2.2.12/24 scope global ens4 valid_lft forever preferred_lft forever
root@server2:~#
root@server2:~# ip r a 1.1.1.0/24 via 2.2.2.1
root@server2:~# ip r
default via 10.2.1.1 dev ens3 proto static
1.1.1.0/24 via 2.2.2.1 dev ens4
2.2.2.0/24 dev ens4 proto kernel scope link src 2.2.2.12
10.2.1.0/24 dev ens3 proto kernel scope link src 10.2.1.23
Route so that server1 can reach 2.2.2.0/24 (via router1, 1.1.1.1).
Route so that server2 can reach 1.1.1.0/24, i.e. server1 (via router1, 2.2.2.1).
root@server1:~# ip -4 -o a
1: lo inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever
2: ens3 inet 10.2.1.21/24 brd 10.2.1.255 scope global ens3 valid_lft forever preferred_lft forever
3: ens4 inet 1.1.1.11/24 scope global ens4 valid_lft forever preferred_lft forever
root@server1:~# ping 2.2.2.12
PING 2.2.2.12 (2.2.2.12) 56(84) bytes of data.
64 bytes from 2.2.2.12: icmp_seq=1 ttl=63 time=1.71 ms
64 bytes from 2.2.2.12: icmp_seq=2 ttl=63 time=0.657 ms
64 bytes from 2.2.2.12: icmp_seq=3 ttl=63 time=0.806 ms
^C
--- 2.2.2.12 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2019ms
rtt min/avg/max/mdev = 0.657/1.060/1.719/0.470 ms
root@server2:~# tcpdump -i ens4 icmp -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens4, link-type EN10MB (Ethernet), capture size 262144 bytes
19:09:22.942341 IP 1.1.1.11 > 2.2.2.12: ICMP echo request, id 12297, seq 10, length 64
19:09:22.942422 IP 2.2.2.12 > 1.1.1.11: ICMP echo reply, id 12297, seq 10, length 64
19:09:23.946357 IP 1.1.1.11 > 2.2.2.12: ICMP echo request, id 12297, seq 11, length 64
19:09:23.946423 IP 2.2.2.12 > 1.1.1.11: ICMP echo reply, id 12297, seq 11, length 64
^C
4 packets captured
4 packets received by filter
0 packets dropped by kernel
Ping from server1 to server2, and confirm the network connection with tcpdump on server2.
root@server1:~# ssh 2.2.2.12
ssh: connect to host 2.2.2.12 port 22: Connection refused
root@router1:~# iptables -I FORWARD -m conntrack -p tcp --ctstate ESTABLISHED -j ACCEPT
root@router1:~# iptables -I FORWARD -m conntrack -p tcp --dport 22 -s 1.1.1.11/32 -d 2.2.2.12/32 --ctstate NEW -j ACCEPT
root@router1:~# iptables -L FORWARD -n
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- 1.1.1.11 2.2.2.12 ctstate NEW tcp dpt:22
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate ESTABLISHED
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
root@server1:~# ssh 2.2.2.12
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-136-generic x86_64)
…
Last login: Thu Apr 1 19:20:42 2021 from 1.1.1.11
root@server2:~#
Access to 2.2.2.12 TCP port 22 is refused!!
Now access to 2.2.2.12 TCP port 22 works!
ESTABLISHED matches packets of a connection that already communicates in both directions; for TCP this covers the established phase as well as the SYN/ACK and ACK of the handshake.
Without this rule the src and dst IPs would always have to be opened in both directions, which is inconvenient.
NEW corresponds to the SYN packet of the TCP 3-way handshake.
For detailed usage:
# man iptables-extensions
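As an added example (not code from the slides, and iptables itself is not involved), the Python model below reproduces the two evaluation rules this section and the earlier INPUT-chain section rely on: a chain is searched top to bottom and the first match decides, and the conntrack states NEW and ESTABLISHED follow from which directions of a flow have already been seen. It rebuilds server1's INPUT chain (REJECT dpt:80 with the ACCEPT inserted above or below it) and router1's FORWARD chain from the commands above, then runs the SSH handshake through the FORWARD chain with and without the ESTABLISHED rule. The packet contents, class and function names are the example's own.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    """Constructed packet: just the fields the rules on these slides match on."""
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


class Conntrack:
    """Minimal conntrack model: NEW is the first packet of an unknown flow (the TCP SYN);
    ESTABLISHED is any packet of a flow already seen in both directions (SYN/ACK, ACK, ...)."""

    def __init__(self):
        self.flows = {}  # original-direction 5-tuple -> True once a reply was seen

    @staticmethod
    def _keys(pkt):
        return ((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport),
                (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))

    def lookup(self, pkt):
        fwd, rev = self._keys(pkt)
        if fwd in self.flows:
            return "ESTABLISHED" if self.flows[fwd] else "NEW"
        return "ESTABLISHED" if rev in self.flows else "NEW"

    def confirm(self, pkt):
        """Only accepted packets create or update state (conntrack confirms at POSTROUTING)."""
        fwd, rev = self._keys(pkt)
        if rev in self.flows:
            self.flows[rev] = True
        else:
            self.flows.setdefault(fwd, False)


@dataclass
class Rule:
    target: str
    proto: Optional[str] = None
    src: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[int] = None
    ctstate: Optional[str] = None

    def matches(self, pkt, state):
        wanted = [(self.proto, pkt.proto), (self.src, pkt.src), (self.dst, pkt.dst),
                  (self.dport, pkt.dport), (self.ctstate, state)]
        return all(want is None or want == have for want, have in wanted)


class Chain:
    """Rules are searched top to bottom; the first match decides, else the policy applies."""

    def __init__(self, policy="ACCEPT"):
        self.rules, self.policy = [], policy

    def insert(self, rule, pos=1):   # iptables -I [pos]: position 1 is the top
        self.rules.insert(pos - 1, rule)

    def append(self, rule):          # iptables -A: bottom of the chain
        self.rules.append(rule)

    def verdict(self, pkt, ct):
        state = ct.lookup(pkt)
        target = next((r.target for r in self.rules if r.matches(pkt, state)), self.policy)
        if target == "ACCEPT":
            ct.confirm(pkt)
        return target


def server1_input_chain(accept_on_top=True):
    """server1's INPUT chain: REJECT dpt:80, then ACCEPT from 10.2.1.22 inserted above (or below) it."""
    chain = Chain()
    chain.append(Rule("REJECT", proto="tcp", dport=80))
    chain.insert(Rule("ACCEPT", proto="tcp", src="10.2.1.22", dport=80), pos=1 if accept_on_top else 2)
    return chain


def router1_forward_chain(with_established=True):
    """router1's FORWARD chain, built with the same -I commands as above (the last one ends on top)."""
    chain = Chain()
    chain.insert(Rule("REJECT"))
    chain.insert(Rule("ACCEPT", proto="icmp"))
    if with_established:
        chain.insert(Rule("ACCEPT", proto="tcp", ctstate="ESTABLISHED"))
    chain.insert(Rule("ACCEPT", proto="tcp", src="1.1.1.11", dst="2.2.2.12", dport=22, ctstate="NEW"))
    return chain


def http_from_router1(chain):
    """A SYN from router1 to server1's web port, as in the curl test."""
    return chain.verdict(Packet("tcp", "10.2.1.22", "10.2.1.21", 40000, 80), Conntrack())


def ssh_handshake(chain):
    """Verdicts for SYN, SYN/ACK and ACK of server1 -> server2:22; stops at the first refusal."""
    ct, verdicts = Conntrack(), []
    for pkt in (Packet("tcp", "1.1.1.11", "2.2.2.12", 43488, 22),
                Packet("tcp", "2.2.2.12", "1.1.1.11", 22, 43488),
                Packet("tcp", "1.1.1.11", "2.2.2.12", 43488, 22)):
        verdicts.append(chain.verdict(pkt, ct))
        if verdicts[-1] != "ACCEPT":
            break
    return verdicts


if __name__ == "__main__":
    print("HTTP, ACCEPT above REJECT:", http_from_router1(server1_input_chain(True)))
    print("HTTP, ACCEPT below REJECT:", http_from_router1(server1_input_chain(False)))
    print("SSH with ESTABLISHED rule:", ssh_handshake(router1_forward_chain(True)))
    print("SSH without ESTABLISHED rule:", ssh_handshake(router1_forward_chain(False)))
```

Without the ESTABLISHED rule the SYN is accepted but the SYN/ACK coming back from server2 hits the REJECT, which is exactly the symptom seen above; an unsolicited SYN in the other direction (server2 to server1:22) is still rejected with the full chain, because it is NEW and matches no ACCEPT rule.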
Masquerade diagram: server1 -> router1 -> router-H (Hypervisor) -> ipTIME (home router) -> google.com
1.1.1.11 -> google.com: 1.1.1.11 is masqueraded to router1, giving 10.2.1.22 -> google.com.
10.2.1.22 is masqueraded to router-H, giving 192.168.0.35 -> google.com.
192.168.0.35 is SNATed by ipTIME, giving 221.148.x.x -> google.com.
masquerade? (mask, to disguise) It is similar to SNAT (Source Network Address Translation), but masquerade rewrites the source to the router's own address rather than to a specific configured address.
root@server1:~# ip r
default via 10.2.1.1 dev ens3 proto static
1.1.1.0/24 dev ens4 proto kernel scope link src 1.1.1.11
2.2.2.0/24 via 1.1.1.1 dev ens4
10.2.1.0/24 dev ens3 proto kernel scope link src 10.2.1.21
root@server1:~# ip r d default
root@server1:~# ip r a default via 1.1.1.1
root@server1:~# ip r
default via 1.1.1.1 dev ens4
1.1.1.0/24 dev ens4 proto kernel scope link src 1.1.1.11
2.2.2.0/24 via 1.1.1.1 dev ens4
10.2.1.0/24 dev ens3 proto kernel scope link src 10.2.1.21
root@server1:~# ping google.com -c 1 -w 1
PING google.com (172.217.31.174) 56(84) bytes of data.
--- google.com ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
root@router1:~/iptables# iptables -t nat -I POSTROUTING -p all -s 1.1.1.11 -j MASQUERADE
root@router1:~/iptables# iptables -t nat -L -n
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 1.1.1.11 0.0.0.0/0
root@router1:~/iptables#
Change server1's routing table (default route via router1).
No communication with the outside yet.
Configure MASQUERADE on router1.
root@router1:~/iptables# tcpdump -i any icmp -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
09:56:41.868313 IP 1.1.1.11 > 172.217.31.174: ICMP echo request, id 16806, seq 1, length 64
09:56:41.868507 IP 10.2.1.22 > 172.217.31.174: ICMP echo request, id 16806, seq 1, length 64
09:56:41.910354 IP 172.217.31.174 > 10.2.1.22: ICMP echo reply, id 16806, seq 1, length 64
09:56:41.910441 IP 172.217.31.174 > 1.1.1.11: ICMP echo reply, id 16806, seq 1, length 64
root@server1:~# ping google.com -c 1 -w 1
PING google.com (172.217.31.174) 56(84) bytes of data.
64 bytes from nrt12s22-in-f14.1e100.net (172.217.31.174): icmp_seq=1 ttl=112 time=42.4 ms
--- google.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 42.426/42.426/42.426/0.000 ms
Communication with the outside now works.
1.1.1.11 -> google.com is SNATed to 10.2.1.22 -> google.com; 10.2.1.22 is router1's externally connected interface.
Packet dump taken on router1.
DNAT diagram (server2 on the external network, server1 on the internal network; assume server2 and server1 do not know each other's network and cannot communicate directly):
server2 -> router1: 2.2.2.12 -> 2.2.2.1:2222
router1 -> server1: 1.1.1.1 -> 1.1.1.11:22, i.e. 2.2.2.1:2222 -> 1.1.1.11:22 (PREROUTING chain DNAT), then after the routing table 2.2.2.12 -> 1.1.1.1 (POSTROUTING chain SNAT)
server1 -> router1: 1.1.1.11:22 -> 1.1.1.1
router1 -> server2: 2.2.2.1:2222 -> 2.2.2.12
When the outside cannot reach the inside in one hop, a router in the middle that can do DNAT rewrites the destination address and forwards the packet.
Usually when doing DNAT, the DNAT target (server1) cannot find its way back to the origin (server2) in one hop, so MASQUERADE is applied as well to rewrite the source address.
root@router1:~# iptables -t nat -I PREROUTING -p tcp -d 2.2.2.1 --dport 2222 -j DNAT --to 1.1.1.11:22
root@router1:~# iptables -I FORWARD -m conntrack -p tcp -s 2.2.2.12 -d 1.1.1.11 --dport 22 --ctstate NEW -j ACCEPT
root@router1:~# iptables -t nat -I POSTROUTING -m tcp -p tcp -s 2.2.2.12 -d 1.1.1.11 --dport 22 -j MASQUERADE
PREROUTING: ingress traffic rule (DNAT). FORWARD: forwarding traffic rule. POSTROUTING: egress traffic rule (MASQUERADE).
SYN/ACK, ACK and established packets are already ACCEPTed by the ESTABLISHED rule added earlier.
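Added example, not from the slides: a small Python model of router1's nat table that applies the three nat rules on this page (the MASQUERADE from the previous section and the DNAT plus MASQUERADE from this one) in the order netfilter does, DNAT at PREROUTING, a routing decision, then source translation at POSTROUTING, and records the mapping so that replies are reversed the way conntrack does. Topology, addresses and ports are the ones shown on the slides; the class and function names and the convention of carrying the ICMP echo id in both port fields are the example's own.

```python
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Pkt:
    proto: str      # "tcp" or "icmp"; for ICMP echo the id is carried in both port fields
    src: str
    sport: int
    dst: str
    dport: int


class NatRouter:
    """Constructed model of router1's nat table: DNAT at PREROUTING, routing, then
    SNAT/MASQUERADE at POSTROUTING, with a conntrack mapping to un-translate replies."""

    def __init__(self, routes, iface_addr):
        self.routes = [(ipaddress.ip_network(n), dev) for n, dev in routes]  # most specific first
        self.iface_addr = iface_addr      # egress interface -> its own address (MASQUERADE source)
        self.dnat, self.snat = [], []     # lists of (match-dict, translation)
        self.sessions = {}                # expected reply 5-tuple -> original packet

    def egress(self, dst):
        ip = ipaddress.ip_address(dst)
        return next(dev for net, dev in self.routes if ip in net)

    @staticmethod
    def _match(match, pkt):
        return all(getattr(pkt, k) == v for k, v in match.items())

    def forward(self, pkt):
        """Original-direction packet entering the router."""
        orig = pkt
        for match, (new_dst, new_dport) in self.dnat:       # PREROUTING: -j DNAT --to host:port
            if self._match(match, pkt):
                pkt = replace(pkt, dst=new_dst, dport=new_dport)
                break
        dev = self.egress(pkt.dst)                           # routing decision on the new destination
        for match, new_src in self.snat:                     # POSTROUTING: -j SNAT --to addr / -j MASQUERADE
            if self._match(match, pkt):
                pkt = replace(pkt, src=self.iface_addr[dev] if new_src == "MASQUERADE" else new_src)
                break
        self.sessions[(pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)] = orig
        return pkt

    def reply(self, pkt):
        """Reply packet: conntrack reverses both translations; unknown flows pass unchanged."""
        orig = self.sessions.get((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if orig is None:
            return pkt
        return Pkt(pkt.proto, orig.dst, orig.dport, orig.src, orig.sport)


def router1():
    """router1 as configured on the slides: 1.1.1.0/24 on ens4 (1.1.1.1), 2.2.2.0/24 on
    ens5 (2.2.2.1), everything else out ens3 (10.2.1.22)."""
    r = NatRouter(routes=[("1.1.1.0/24", "ens4"), ("2.2.2.0/24", "ens5"), ("0.0.0.0/0", "ens3")],
                  iface_addr={"ens3": "10.2.1.22", "ens4": "1.1.1.1", "ens5": "2.2.2.1"})
    # iptables -t nat -I POSTROUTING -p all -s 1.1.1.11 -j MASQUERADE
    r.snat.append(({"src": "1.1.1.11"}, "MASQUERADE"))
    # iptables -t nat -I PREROUTING -p tcp -d 2.2.2.1 --dport 2222 -j DNAT --to 1.1.1.11:22
    r.dnat.append(({"proto": "tcp", "dst": "2.2.2.1", "dport": 2222}, ("1.1.1.11", 22)))
    # iptables -t nat -I POSTROUTING -p tcp -s 2.2.2.12 -d 1.1.1.11 --dport 22 -j MASQUERADE
    r.snat.insert(0, ({"proto": "tcp", "src": "2.2.2.12", "dst": "1.1.1.11", "dport": 22}, "MASQUERADE"))
    return r


def masquerade_example(r=None):
    """server1 pings google.com through router1 (ICMP id 16806 as in the tcpdump above)."""
    r = r or router1()
    out = r.forward(Pkt("icmp", "1.1.1.11", 16806, "172.217.31.174", 16806))
    back = r.reply(Pkt("icmp", "172.217.31.174", 16806, out.src, 16806))
    return out, back


def dnat_example(r=None):
    """server2 connects to router1 port 2222 and is redirected to server1:22."""
    r = r or router1()
    out = r.forward(Pkt("tcp", "2.2.2.12", 43488, "2.2.2.1", 2222))
    back = r.reply(Pkt("tcp", out.dst, out.dport, out.src, out.sport))
    return out, back


if __name__ == "__main__":
    print("masquerade:", masquerade_example())
    print("dnat+masquerade:", dnat_example())
```

The DNAT case reproduces the four tcpdump lines that follow: the SYN arrives as 2.2.2.12:43488 -> 2.2.2.1:2222, leaves as 1.1.1.1:43488 -> 1.1.1.11:22, and the SYN/ACK is mapped back from 1.1.1.11:22 -> 1.1.1.1:43488 to 2.2.2.1:2222 -> 2.2.2.12:43488 using only the session entry, which is why no reverse rules have to be written.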
root@router1:~/iptables# tcpdump -i any host 1.1.1.1 and tcp or host 2.2.2.1 and tcp -n -v
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
11:05:22.373157 IP (tos 0x0, ttl 64, id 33928, offset 0, flags [DF], proto TCP (6), length 60)
    2.2.2.12.43488 > 2.2.2.1.2222: Flags [S], cksum 0x083f (incorrect -> 0x3822), seq 616434668, win 64240, options [mss 1460,sackOK,TS val 3269093065 ecr 0,nop,wscale 7], length 0
11:05:22.373253 IP (tos 0x0, ttl 63, id 33928, offset 0, flags [DF], proto TCP (6), length 60)
    1.1.1.1.43488 > 1.1.1.11.22: Flags [S], cksum 0x043c (incorrect -> 0x44bd), seq 616434668, win 64240, options [mss 1460,sackOK,TS val 3269093065 ecr 0,nop,wscale 7], length 0
11:05:22.373694 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    1.1.1.11.22 > 1.1.1.1.43488: Flags [S.], cksum 0x043c (incorrect -> 0x9a16), seq 2717858833, ack 616434669, win 65160, options [mss 1460,sackOK,TS val 3992181496 ecr 3269093065,nop,wscale 7], length 0
11:05:22.373716 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    2.2.2.1.2222 > 2.2.2.12.43488: Flags [S.], cksum 0x083f (incorrect -> 0x8d7b), seq 2717858833, ack 616434669, win 65160, options [mss 1460,sackOK,TS val 3992181496 ecr 3269093065,nop,wscale 7], length 0
root@server2:~# ssh 2.2.2.1 -p 2222
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-136-generic x86_64)
…
Last login: Fri Apr 2 11:18:01 2021 from 1.1.1.1
root@server1:~#
server2 -> router1:2222 reaches server1, with router1 as the source.
SYN: traffic after DNAT and SNAT. SYN/ACK received from server1 (the "." is ACK): DNAT and SNAT reversed.
root@server1:~# ping 2.2.2.12 -c 2 -w 1
PING 2.2.2.12 (2.2.2.12) 56(84) bytes of data.
64 bytes from 2.2.2.12: icmp_seq=1 ttl=63 time=1.07 ms
--- 2.2.2.12 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.077/1.077/1.077/0.000 ms
root@router1:~/iptables# iptables -I FORWARD 4 -p icmp -s 1.1.1.11 -d 2.2.2.12 -j LOG --log-prefix "iptables ping log"
root@router1:~/iptables# iptables -L FORWARD -n --line
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 ACCEPT tcp -- 2.2.2.12 1.1.1.11 ctstate NEW tcp dpt:22
2 ACCEPT tcp -- 1.1.1.11 2.2.2.12 ctstate NEW tcp dpt:22
3 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate ESTABLISHED
4 LOG icmp -- 1.1.1.11 2.2.2.12 LOG flags 0 level 4 prefix "iptables ping log"
5 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
6 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
root@router1:~/iptables# journalctl -lf
-- Logs begin at Mon 2021-01-18 10:39:02 KST. --
…
Apr 02 15:45:02 router1 kernel: iptables ping logIN=ens4 OUT=ens5
MAC=52:54:00:d0:c2:3e:52:54:00:41:5a:41:08:00 SRC=1.1.1.11 DST=2.2.2.12 LEN=84
TOS=0x00 PREC=0x00 TTL=63 ID=9219 DF PROTO=ICMP TYPE=8 CODE=0 ID=20001 SEQ=1
Apr 02 15:45:03 router1 kernel: iptables ping logIN=ens4 OUT=ens5
MAC=52:54:00:d0:c2:3e:52:54:00:41:5a:41:08:00 SRC=1.1.1.11 DST=2.2.2.12 LEN=84
TOS=0x00 PREC=0x00 TTL=63 ID=9276 DF PROTO=ICMP TYPE=8 CODE=0 ID=20001 SEQ=2
The LOG rule must be placed before the rule being debugged.
When matching traffic comes in, a LOG entry is written to the kernel log.
router1's log; ping from server1 to server2.
root@server1:~# ping 2.2.2.12 -c 1 -w 1
PING 2.2.2.12 (2.2.2.12) 56(84) bytes of data.
64 bytes from 2.2.2.12: icmp_seq=1 ttl=63 time=0.952 ms
--- 2.2.2.12 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.952/0.952/0.952/0.000 ms
root@router1:~/iptables# iptables -t raw -I PREROUTING -p icmp -j TRACE
root@router1:~/iptables# iptables -L PREROUTING -t raw -n
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
TRACE icmp -- 0.0.0.0/0 0.0.0.0/0
root@router1:~/iptables# journalctl -lf
-- Logs begin at Mon 2021-01-18 10:39:02 KST. --
…
Apr 05 13:25:47 router1 kernel: TRACE: raw:PREROUTING:policy:2 IN=ens4 OUT= MAC=52:54:00:d0:c2:3e:52:54:00:41:5a:41:08:00 SRC=1.1.1.11 DST=2.2.2.12
LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=45071 DF PROTO=ICMP TYPE=8 CODE=0 ID=2763 SEQ=1
Apr 05 13:25:47 router1 kernel: TRACE: nat:PREROUTING:policy:2 IN=ens4 OUT= MAC=52:54:00:d0:c2:3e:52:54:00:41:5a:41:08:00 SRC=1.1.1.11 DST=2.2.2.12
LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=45071 DF PROTO=ICMP TYPE=8 CODE=0 ID=2763 SEQ=1
Apr 05 13:25:47 router1 kernel: TRACE: filter:FORWARD:rule:4 IN=ens4 OUT=ens5 MAC=52:54:00:d0:c2:3e:52:54:00:41:5a:41:08:00 SRC=1.1.1.11 DST=2.2.2.12
LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=45071 DF PROTO=ICMP TYPE=8 CODE=0 ID=2763 SEQ=1
Apr 05 13:25:47 router1 kernel: iptables ping logIN=ens4 OUT=ens5 MAC=52:54:00:d0:c2:3e:52:54:00:41:5a:41:08:00 SRC=1.1.1.11 DST=2.2.2.12 LEN=84
TOS=0x00 PREC=0x00 TTL=63 ID=45071 DF PROTO=ICMP TYPE=8 CODE=0 ID=2763 SEQ=1
Apr 05 13:25:47 router1 kernel: TRACE: filter:FORWARD:rule:5 IN=ens4 OUT=ens5 MAC=52:54:00:d0:c2:3e:52:54:00:41:5a:41:08:00 SRC=1.1.1.11 DST=2.2.2.12
LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=45071 DF PROTO=ICMP TYPE=8 CODE=0 ID=2763 SEQ=1
Apr 05 13:25:47 router1 kernel: TRACE: nat:POSTROUTING:policy:2 IN= OUT=ens5 SRC=1.1.1.11 DST=2.2.2.12 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=45071 DF
PROTO=ICMP TYPE=8 CODE=0 ID=2763 SEQ=1
Apr 05 13:25:47 router1 kernel: TRACE: raw:PREROUTING:policy:2 IN=ens5 OUT= MAC=52:54:00:46:35:77:52:54:00:62:d2:7a:08:00 SRC=2.2.2.12 DST=1.1.1.11
LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=36143 PROTO=ICMP TYPE=0 CODE=0 ID=2763 SEQ=1
Apr 05 13:25:47 router1 kernel: TRACE: filter:FORWARD:rule:5 IN=ens5 OUT=ens4 MAC=52:54:00:46:35:77:52:54:00:62:d2:7a:08:00 SRC=2.2.2.12 DST=1.1.1.11
LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=36143 PROTO=ICMP TYPE=0 CODE=0 ID=2763 SEQ=1
filter:FORWARD:rule:4 is the LOG target in the FORWARD chain; filter:FORWARD:rule:5 is the ACCEPT target in the FORWARD chain.
TRACE leaves the trail of the traffic in the kernel log.
server1 -> server2 ping: server1 -> server2 ICMP request, then server2 -> server1 ICMP reply.
nat:PREROUTING:policy:2: the second entry of the nat PREROUTING chain is the policy, ACCEPT.
root@server2:~# scp test.img 1.1.1.11:
test.img 100% 100MB 92.8MB/s 00:01
root@server2:~#
root@server2:~#
root@server2:~#
root@server2:~# scp test.img 1.1.1.11:
test.img 10% 11MB 93.7KB/s 16:14 ETA^
root@router1:~# tc qdisc add dev ens4 root handle 1: htb default 30
root@router1:~# tc class add dev ens4 parent 1: classid 1:1 htb rate 100kbps
root@router1:~# tc class add dev ens4 parent 1: classid 1:2 htb rate 100kbps
root@router1:~# tc filter add dev ens4 protocol ip parent 1:0 prio 1 u32 match ip dst 2.2.2.12/32 flowid 1:1
root@router1:~# tc filter add dev ens4 protocol ip parent 1:0 prio 1 u32 match ip dst 1.1.1.11/32 flowid 1:2
tc: Traffic Control tool. qdisc: queue discipline. handle 1: handle id of the root qdisc.
htb: Hierarchical Token Bucket queue. default 30: all unclassified traffic is assigned to class 1:30.
rate 100kbps: 100 kilobytes per second.
u32 match ip dst: match on the destination IP (source and destination IP can be matched).
Before applying: 92.8MB/s. After applying: 93.7KB/s.
root@router2:~# nft list ruleset -a
table inet filter {
chain input {
type filter hook input priority 0; policy accept;
}
chain forward {
type filter hook forward priority 0; policy accept;
}
chain output {
type filter hook output priority 0; policy accept;
}
}
root@router2:~# apt install nftables
root@router2:~# apt install iptables-nftables-compat
Shows the entire nftables ruleset; the "-a" option shows handle numbers.
nftables was released in kernel 3.13 and has had features added continuously since.
Install nftables.
root@router2:~# ip -4 -o a
1: lo inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever
2: ens3 inet 10.2.1.13/24 brd 10.2.1.255 scope global ens3 valid_lft forever preferred_lft forever
3: ens4 inet 3.3.3.1/24 brd 3.3.3.255 scope global ens4 valid_lft forever preferred_lft forever
4: ens5 inet 4.4.4.1/24 brd 4.4.4.255 scope global ens5 valid_lft forever preferred_lft forever
root@router2:~# sysctl -w net.ipv4.conf.all.forwarding=1
net.ipv4.conf.all.forwarding = 1
router2 is created to route the 3.3.3.0/24 and 4.4.4.0/24 ranges.
root@server2:~# ip -4 -o a
1: lo inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever
2: ens3 inet 10.2.1.23/24 brd 10.2.1.255 scope global ens3 valid_lft forever preferred_lft forever
3: ens4 inet 2.2.2.12/24 brd 2.2.2.255 scope global ens4 valid_lft forever preferred_lft forever
4: ens5 inet 4.4.4.12/24 brd 4.4.4.255 scope global ens5 valid_lft forever preferred_lft forever
root@server2:~# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 2.2.2.1 0.0.0.0 UG 0 0 0 ens4
2.2.2.0 0.0.0.0 255.255.255.0 U 0 0 0 ens4
3.3.3.0 4.4.4.1 255.255.255.0 UG 0 0 0 ens5
4.4.4.0 0.0.0.0 255.255.255.0 U 0 0 0 ens5
10.2.1.0 0.0.0.0 255.255.255.0 U 0 0 0 ens3
root@server2:~#
root@server1:~# ip -4 -o a
1: lo inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever
2: ens3 inet 10.2.1.21/24 brd 10.2.1.255 scope global ens3 valid_lft forever preferred_lft forever
3: ens4 inet 1.1.1.11/24 brd 1.1.1.255 scope global ens4 valid_lft forever preferred_lft forever
4: ens5 inet 3.3.3.11/24 brd 3.3.3.255 scope global ens5 valid_lft forever preferred_lft forever
root@server1:~# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 1.1.1.1 0.0.0.0 UG 0 0 0 ens4
1.1.1.0 0.0.0.0 255.255.255.0 U 0 0 0 ens4
3.3.3.0 0.0.0.0 255.255.255.0 U 0 0 0 ens5
4.4.4.0 3.3.3.1 255.255.255.0 UG 0 0 0 ens5
10.2.1.0 0.0.0.0 255.255.255.0 U 0 0 0 ens3
root@server1:~# ping 4.4.4.12 -c 1 -w 1
PING 4.4.4.12 (4.4.4.12) 56(84) bytes of data.
64 bytes from 4.4.4.12: icmp_seq=1 ttl=63 time=0.948 ms
--- 4.4.4.12 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.948/0.948/0.948/0.000 ms
On server1 the 4.4.4.0 range is routed to router2; on server2 the 3.3.3.0 range is routed to router2.
3.3.3.11 -> 4.4.4.12 connectivity confirmed.
root@router2:~# nft insert rule inet filter forward ip protocol icmp meta nftrace set 1
root@router2:~# nft add rule inet filter forward ip protocol icmp ip saddr 4.4.4.12 reject
root@router2:~# nft list chain inet filter forward --handle
table inet filter {
chain forward {
type filter hook forward priority 0; policy accept;
ip protocol icmp nftrace set 1 # handle 22
ip protocol icmp ip saddr 4.4.4.12 reject # handle 12
}
}
insert creates the rule at the top; add creates the rule at the bottom.
In the forward chain: all ICMP protocol (filter), enable nftrace (action).
Actions are applied from top to bottom. The handle number has nothing to do with the order.
root@router2:~# nft monitor
trace id 04dc34d9 inet filter forward packet: iif "ens4" oif "ens5" ether saddr 52:54:00:55:e8:8c ether daddr 52:54:00:ed:77:fb ip saddr 3.3.3.11 ip daddr 4.4.4.12 ip dscp cs0 ip ecn not-ect ip ttl 63 ip id 27291 ip length 84 icmp type echo-request icmp code 0 icmp id 4068 icmp sequence 1
trace id 04dc34d9 inet filter forward rule ip protocol icmp nftrace set 1 (verdict continue)
trace id 04dc34d9 inet filter forward verdict continue
trace id 04dc34d9 inet filter forward
trace id ac853b00 inet filter forward packet: iif "ens5" oif "ens4" ether saddr 52:54:00:8e:e0:a4 ether daddr 52:54:00:b5:38:63 ip saddr 4.4.4.12 ip daddr 3.3.3.11 ip dscp cs0 ip ecn not-ect ip ttl 63 ip id 61905 ip length 84 icmp type echo-reply icmp code 0 icmp id 4068 icmp sequence 1
trace id ac853b00 inet filter forward rule ip protocol icmp nftrace set 1 (verdict continue)
trace id ac853b00 inet filter forward rule ip protocol icmp ip saddr 4.4.4.12 reject (verdict drop)
root@server1:~# ping 4.4.4.12 -c 1 -w 1
PING 4.4.4.12 (4.4.4.12) 56(84) bytes of data.
--- 4.4.4.12 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
Ping from server1 to server2!!
With "nft monitor", packets that have nftrace enabled can be traced.
The ICMP request passes; the ICMP reply is rejected.
The log is easier to read than iptables TRACE.
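As an added example that is not part of the slides, the Python script below parses both trace formats sh own on this page, the iptables TRACE/LOG lines from the router1 kernel log in the earlier section and the nft monitor output above, groups the lines belonging to one packet and reports its path through the chains and the final verdict. The sample lines are copied from the slides; the rule-number-to-target mapping is taken from the iptables -L FORWARD --line listing, the chain policies are assumed to be ACCEPT as shown, and the function names are the example's own.

```python
import re
from collections import OrderedDict

# Kernel log lines copied from the router1 TRACE output above (one ICMP request and its
# reply), including the LOG line written by rule 4 of the FORWARD chain.
IPTABLES_TRACE_LOG = """\
Apr 05 13:25:47 router1 kernel: TRACE: raw:PREROUTING:policy:2 IN=ens4 OUT= MAC=52:54:00:d0:c2:3e:52:54:00:41:5a:41:08:00 SRC=1.1.1.11 DST=2.2.2.12 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=45071 DF PROTO=ICMP TYPE=8 CODE=0 ID=2763 SEQ=1
Apr 05 13:25:47 router1 kernel: TRACE: nat:PREROUTING:policy:2 IN=ens4 OUT= MAC=52:54:00:d0:c2:3e:52:54:00:41:5a:41:08:00 SRC=1.1.1.11 DST=2.2.2.12 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=45071 DF PROTO=ICMP TYPE=8 CODE=0 ID=2763 SEQ=1
Apr 05 13:25:47 router1 kernel: TRACE: filter:FORWARD:rule:4 IN=ens4 OUT=ens5 MAC=52:54:00:d0:c2:3e:52:54:00:41:5a:41:08:00 SRC=1.1.1.11 DST=2.2.2.12 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=45071 DF PROTO=ICMP TYPE=8 CODE=0 ID=2763 SEQ=1
Apr 05 13:25:47 router1 kernel: iptables ping logIN=ens4 OUT=ens5 MAC=52:54:00:d0:c2:3e:52:54:00:41:5a:41:08:00 SRC=1.1.1.11 DST=2.2.2.12 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=45071 DF PROTO=ICMP TYPE=8 CODE=0 ID=2763 SEQ=1
Apr 05 13:25:47 router1 kernel: TRACE: filter:FORWARD:rule:5 IN=ens4 OUT=ens5 MAC=52:54:00:d0:c2:3e:52:54:00:41:5a:41:08:00 SRC=1.1.1.11 DST=2.2.2.12 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=45071 DF PROTO=ICMP TYPE=8 CODE=0 ID=2763 SEQ=1
Apr 05 13:25:47 router1 kernel: TRACE: nat:POSTROUTING:policy:2 IN= OUT=ens5 SRC=1.1.1.11 DST=2.2.2.12 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=45071 DF PROTO=ICMP TYPE=8 CODE=0 ID=2763 SEQ=1
Apr 05 13:25:47 router1 kernel: TRACE: raw:PREROUTING:policy:2 IN=ens5 OUT= MAC=52:54:00:46:35:77:52:54:00:62:d2:7a:08:00 SRC=2.2.2.12 DST=1.1.1.11 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=36143 PROTO=ICMP TYPE=0 CODE=0 ID=2763 SEQ=1
Apr 05 13:25:47 router1 kernel: TRACE: filter:FORWARD:rule:5 IN=ens5 OUT=ens4 MAC=52:54:00:46:35:77:52:54:00:62:d2:7a:08:00 SRC=2.2.2.12 DST=1.1.1.11 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=36143 PROTO=ICMP TYPE=0 CODE=0 ID=2763 SEQ=1
"""

# Rule number -> target, from `iptables -L FORWARD -n --line` above (TRACE only gives numbers).
FORWARD_TARGETS = {("filter", "FORWARD", n): t for n, t in
                   enumerate(["ACCEPT", "ACCEPT", "ACCEPT", "LOG", "ACCEPT", "REJECT"], start=1)}

KERNEL_LINE = re.compile(r"kernel: (?:TRACE: (\S+) |(.*?))(IN=.*)")


def kernel_verdict(path, rule_targets):
    """The last TRACE hop decides: reaching a chain policy means the packet ran off the end
    of the chain (every policy on these slides is ACCEPT); a rule hop maps to its target."""
    for hop in reversed(path):
        if hop.startswith("LOG("):
            continue
        table, chain, kind, num = hop.split(":")
        return "ACCEPT" if kind == "policy" else rule_targets.get((table, chain, int(num)), "?")
    return "?"


def parse_kernel_log(text, rule_targets=FORWARD_TARGETS):
    """Group TRACE and LOG lines by (SRC, DST, IP id) and rebuild each packet's path."""
    flows = OrderedDict()
    for line in text.splitlines():
        m = KERNEL_LINE.search(line)
        if not m:
            continue
        location, log_prefix, kv = m.groups()
        fields = {}
        for token in kv.split():
            if "=" not in token:          # flags such as DF carry no value
                continue
            key, value = token.split("=", 1)
            if key == "ID" and "ID" in fields:
                key = "ICMP_ID"           # the second ID= is the ICMP echo id
            fields.setdefault(key, value)
        flow = flows.setdefault((fields["SRC"], fields["DST"], fields["ID"]),
                                {"icmp_type": fields.get("TYPE"), "path": []})
        flow["path"].append(location or "LOG(%s)" % log_prefix.strip())
        flow["verdict"] = kernel_verdict(flow["path"], rule_targets)
    return flows


# nft monitor output copied from router2 above (request and reply of one ping).
NFT_MONITOR = """\
trace id 04dc34d9 inet filter forward packet: iif "ens4" oif "ens5" ether saddr 52:54:00:55:e8:8c ether daddr 52:54:00:ed:77:fb ip saddr 3.3.3.11 ip daddr 4.4.4.12 ip dscp cs0 ip ecn not-ect ip ttl 63 ip id 27291 ip length 84 icmp type echo-request icmp code 0 icmp id 4068 icmp sequence 1
trace id 04dc34d9 inet filter forward rule ip protocol icmp nftrace set 1 (verdict continue)
trace id 04dc34d9 inet filter forward verdict continue
trace id 04dc34d9 inet filter forward
trace id ac853b00 inet filter forward packet: iif "ens5" oif "ens4" ether saddr 52:54:00:8e:e0:a4 ether daddr 52:54:00:b5:38:63 ip saddr 4.4.4.12 ip daddr 3.3.3.11 ip dscp cs0 ip ecn not-ect ip ttl 63 ip id 61905 ip length 84 icmp type echo-reply icmp code 0 icmp id 4068 icmp sequence 1
trace id ac853b00 inet filter forward rule ip protocol icmp nftrace set 1 (verdict continue)
trace id ac853b00 inet filter forward rule ip protocol icmp ip saddr 4.4.4.12 reject (verdict drop)
"""


def parse_nft_monitor(text, chain_policy="accept"):
    """Group `nft monitor` lines by trace id; the verdict is the first non-continue rule
    verdict, otherwise the chain policy (accept for the forward chain listed above)."""
    flows = OrderedDict()
    for line in text.splitlines():
        m = re.match(r"trace id (\w+) (\S+ \S+ \S+)\s*(.*)", line)
        if not m:
            continue
        tid, chain, rest = m.groups()
        flow = flows.setdefault(tid, {"chain": chain, "path": [], "verdict": chain_policy})
        if rest.startswith("packet:"):
            flow["src"] = re.search(r"\bip saddr (\S+)", rest).group(1)
            flow["dst"] = re.search(r"\bip daddr (\S+)", rest).group(1)
            flow["icmp_type"] = re.search(r"icmp type (\S+)", rest).group(1)
        elif rest.startswith("rule "):
            verdict = re.search(r"\(verdict (\w+)\)", rest).group(1)
            flow["path"].append(rest[len("rule "):])
            if verdict != "continue":
                flow["verdict"] = verdict
    return flows


if __name__ == "__main__":
    for key, flow in parse_kernel_log(IPTABLES_TRACE_LOG).items():
        print("iptables", key, flow["verdict"], " -> ".join(flow["path"]))
    for tid, flow in parse_nft_monitor(NFT_MONITOR).items():
        print("nft", tid, flow["src"], "->", flow["dst"], flow["icmp_type"], flow["verdict"])
```

The contrast the slide draws is visible in the parsers themselves: the nft trace carries the rule text and its verdict on every line and needs no lookup table, while the iptables TRACE only names a rule number, so the verdict has to be recovered from a separate listing.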
T. 02-516-0711 E. sales@osci.kr
32, Teheran-ro 83-gil, Gangnam-gu, Seoul, 5F (Samseong-dong, Narakium Samseong-dong A Building)
THANK YOU

Unrevealed Story Behind Viettel Network Cloud Hotpot | Đặng Văn Đại, Hà Mạnh ...
 
[오픈소스컨설팅] 쿠버네티스와 쿠버네티스 on 오픈스택 비교 및 구축 방법
[오픈소스컨설팅] 쿠버네티스와 쿠버네티스 on 오픈스택 비교  및 구축 방법[오픈소스컨설팅] 쿠버네티스와 쿠버네티스 on 오픈스택 비교  및 구축 방법
[오픈소스컨설팅] 쿠버네티스와 쿠버네티스 on 오픈스택 비교 및 구축 방법
 
HDFS on Kubernetes—Lessons Learned with Kimoon Kim
HDFS on Kubernetes—Lessons Learned with Kimoon KimHDFS on Kubernetes—Lessons Learned with Kimoon Kim
HDFS on Kubernetes—Lessons Learned with Kimoon Kim
 
왜 쿠버네티스는 systemd로 cgroup을 관리하려고 할까요
왜 쿠버네티스는 systemd로 cgroup을 관리하려고 할까요왜 쿠버네티스는 systemd로 cgroup을 관리하려고 할까요
왜 쿠버네티스는 systemd로 cgroup을 관리하려고 할까요
 
Docker and kubernetes
Docker and kubernetesDocker and kubernetes
Docker and kubernetes
 
Linux Kernel vs DPDK: HTTP Performance Showdown
Linux Kernel vs DPDK: HTTP Performance ShowdownLinux Kernel vs DPDK: HTTP Performance Showdown
Linux Kernel vs DPDK: HTTP Performance Showdown
 
Ceph and Openstack in a Nutshell
Ceph and Openstack in a NutshellCeph and Openstack in a Nutshell
Ceph and Openstack in a Nutshell
 
Kubernetes Networking
Kubernetes NetworkingKubernetes Networking
Kubernetes Networking
 
Redis + Structured Streaming—A Perfect Combination to Scale-Out Your Continuo...
Redis + Structured Streaming—A Perfect Combination to Scale-Out Your Continuo...Redis + Structured Streaming—A Perfect Combination to Scale-Out Your Continuo...
Redis + Structured Streaming—A Perfect Combination to Scale-Out Your Continuo...
 
Secured Internet Gateway for ISP with pfsense & FRR
Secured Internet Gateway for ISP with pfsense & FRRSecured Internet Gateway for ISP with pfsense & FRR
Secured Internet Gateway for ISP with pfsense & FRR
 
[NDC17] Kubernetes로 개발서버 간단히 찍어내기
[NDC17] Kubernetes로 개발서버 간단히 찍어내기[NDC17] Kubernetes로 개발서버 간단히 찍어내기
[NDC17] Kubernetes로 개발서버 간단히 찍어내기
 
Secrets in Kubernetes
Secrets in KubernetesSecrets in Kubernetes
Secrets in Kubernetes
 
Docker Swarm 0.2.0
Docker Swarm 0.2.0Docker Swarm 0.2.0
Docker Swarm 0.2.0
 
An Introduction to Kubernetes
An Introduction to KubernetesAn Introduction to Kubernetes
An Introduction to Kubernetes
 

Similar to [오픈소스컨설팅] Linux Network Troubleshooting

Deeper Dive in Docker Overlay Networks
Deeper Dive in Docker Overlay NetworksDeeper Dive in Docker Overlay Networks
Deeper Dive in Docker Overlay NetworksDocker, Inc.
 
AWS re:Invent 2016: Making Every Packet Count (NET404)
AWS re:Invent 2016: Making Every Packet Count (NET404)AWS re:Invent 2016: Making Every Packet Count (NET404)
AWS re:Invent 2016: Making Every Packet Count (NET404)Amazon Web Services
 
Make container without_docker_6-overlay-network_1
Make container without_docker_6-overlay-network_1 Make container without_docker_6-overlay-network_1
Make container without_docker_6-overlay-network_1 Sam Kim
 
Linux Networking Commands
Linux Networking CommandsLinux Networking Commands
Linux Networking Commandstmavroidis
 
Handy Networking Tools and How to Use Them
Handy Networking Tools and How to Use ThemHandy Networking Tools and How to Use Them
Handy Networking Tools and How to Use ThemSneha Inguva
 
(NET404) Making Every Packet Count
(NET404) Making Every Packet Count(NET404) Making Every Packet Count
(NET404) Making Every Packet CountAmazon Web Services
 
IP Routing, AWS, and Docker
IP Routing, AWS, and DockerIP Routing, AWS, and Docker
IP Routing, AWS, and DockerOpenDNS
 
OpenStack networking juno l3 h-a, dvr
OpenStack networking   juno l3 h-a, dvrOpenStack networking   juno l3 h-a, dvr
OpenStack networking juno l3 h-a, dvrSim Janghoon
 
Open stack advanced_part
Open stack advanced_partOpen stack advanced_part
Open stack advanced_partlilliput12
 
Deeper dive in Docker Overlay Networks
Deeper dive in Docker Overlay NetworksDeeper dive in Docker Overlay Networks
Deeper dive in Docker Overlay NetworksLaurent Bernaille
 
SR-IOV+KVM on Debian/Stable
SR-IOV+KVM on Debian/StableSR-IOV+KVM on Debian/Stable
SR-IOV+KVM on Debian/Stablejuet-y
 
SAS (Secure Active Switch)
SAS (Secure Active Switch)SAS (Secure Active Switch)
SAS (Secure Active Switch)Security Date
 
Fun with PRB, VRFs and NetNS on Linux - What is it, how does it work, what ca...
Fun with PRB, VRFs and NetNS on Linux - What is it, how does it work, what ca...Fun with PRB, VRFs and NetNS on Linux - What is it, how does it work, what ca...
Fun with PRB, VRFs and NetNS on Linux - What is it, how does it work, what ca...Maximilan Wilhelm
 
SR-IOV, KVM and Emulex OneConnect 10Gbps cards on Debian/Stable
SR-IOV, KVM and Emulex OneConnect 10Gbps cards on Debian/StableSR-IOV, KVM and Emulex OneConnect 10Gbps cards on Debian/Stable
SR-IOV, KVM and Emulex OneConnect 10Gbps cards on Debian/Stablejuet-y
 
Deep dive in container service discovery
Deep dive in container service discoveryDeep dive in container service discovery
Deep dive in container service discoveryDocker, Inc.
 
Implementing an IPv6 Enabled Environment for a Public Cloud Tenant
Implementing an IPv6 Enabled Environment for a Public Cloud TenantImplementing an IPv6 Enabled Environment for a Public Cloud Tenant
Implementing an IPv6 Enabled Environment for a Public Cloud TenantShixiong Shang
 
Intel DPDK Step by Step instructions
Intel DPDK Step by Step instructionsIntel DPDK Step by Step instructions
Intel DPDK Step by Step instructionsHisaki Ohara
 
Triển khai vpn client to site qua router gpon
Triển khai vpn client to site qua router gponTriển khai vpn client to site qua router gpon
Triển khai vpn client to site qua router gponlaonap166
 

Similar to [오픈소스컨설팅] Linux Network Troubleshooting (20)

MPLS LAB Practice Vol.1.pdf
MPLS LAB Practice Vol.1.pdfMPLS LAB Practice Vol.1.pdf
MPLS LAB Practice Vol.1.pdf
 
Deeper Dive in Docker Overlay Networks
Deeper Dive in Docker Overlay NetworksDeeper Dive in Docker Overlay Networks
Deeper Dive in Docker Overlay Networks
 
הגדרת נתבי סיסקו 1.0
הגדרת נתבי סיסקו 1.0הגדרת נתבי סיסקו 1.0
הגדרת נתבי סיסקו 1.0
 
AWS re:Invent 2016: Making Every Packet Count (NET404)
AWS re:Invent 2016: Making Every Packet Count (NET404)AWS re:Invent 2016: Making Every Packet Count (NET404)
AWS re:Invent 2016: Making Every Packet Count (NET404)
 
Make container without_docker_6-overlay-network_1
Make container without_docker_6-overlay-network_1 Make container without_docker_6-overlay-network_1
Make container without_docker_6-overlay-network_1
 
Linux Networking Commands
Linux Networking CommandsLinux Networking Commands
Linux Networking Commands
 
Handy Networking Tools and How to Use Them
Handy Networking Tools and How to Use ThemHandy Networking Tools and How to Use Them
Handy Networking Tools and How to Use Them
 
(NET404) Making Every Packet Count
(NET404) Making Every Packet Count(NET404) Making Every Packet Count
(NET404) Making Every Packet Count
 
IP Routing, AWS, and Docker
IP Routing, AWS, and DockerIP Routing, AWS, and Docker
IP Routing, AWS, and Docker
 
OpenStack networking juno l3 h-a, dvr
OpenStack networking   juno l3 h-a, dvrOpenStack networking   juno l3 h-a, dvr
OpenStack networking juno l3 h-a, dvr
 
Open stack advanced_part
Open stack advanced_partOpen stack advanced_part
Open stack advanced_part
 
Deeper dive in Docker Overlay Networks
Deeper dive in Docker Overlay NetworksDeeper dive in Docker Overlay Networks
Deeper dive in Docker Overlay Networks
 
SR-IOV+KVM on Debian/Stable
SR-IOV+KVM on Debian/StableSR-IOV+KVM on Debian/Stable
SR-IOV+KVM on Debian/Stable
 
SAS (Secure Active Switch)
SAS (Secure Active Switch)SAS (Secure Active Switch)
SAS (Secure Active Switch)
 
Fun with PRB, VRFs and NetNS on Linux - What is it, how does it work, what ca...
Fun with PRB, VRFs and NetNS on Linux - What is it, how does it work, what ca...Fun with PRB, VRFs and NetNS on Linux - What is it, how does it work, what ca...
Fun with PRB, VRFs and NetNS on Linux - What is it, how does it work, what ca...
 
SR-IOV, KVM and Emulex OneConnect 10Gbps cards on Debian/Stable
SR-IOV, KVM and Emulex OneConnect 10Gbps cards on Debian/StableSR-IOV, KVM and Emulex OneConnect 10Gbps cards on Debian/Stable
SR-IOV, KVM and Emulex OneConnect 10Gbps cards on Debian/Stable
 
Deep dive in container service discovery
Deep dive in container service discoveryDeep dive in container service discovery
Deep dive in container service discovery
 
Implementing an IPv6 Enabled Environment for a Public Cloud Tenant
Implementing an IPv6 Enabled Environment for a Public Cloud TenantImplementing an IPv6 Enabled Environment for a Public Cloud Tenant
Implementing an IPv6 Enabled Environment for a Public Cloud Tenant
 
Intel DPDK Step by Step instructions
Intel DPDK Step by Step instructionsIntel DPDK Step by Step instructions
Intel DPDK Step by Step instructions
 
Triển khai vpn client to site qua router gpon
Triển khai vpn client to site qua router gponTriển khai vpn client to site qua router gpon
Triển khai vpn client to site qua router gpon
 

More from Open Source Consulting

클라우드 네이티브 전환 요소 및 성공적인 쿠버네티스 도입 전략
클라우드 네이티브 전환 요소 및 성공적인 쿠버네티스 도입 전략클라우드 네이티브 전환 요소 및 성공적인 쿠버네티스 도입 전략
클라우드 네이티브 전환 요소 및 성공적인 쿠버네티스 도입 전략Open Source Consulting
 
[기술 트렌드] Gartner 선정 10대 전략 기술
[기술 트렌드] Gartner 선정 10대 전략 기술[기술 트렌드] Gartner 선정 10대 전략 기술
[기술 트렌드] Gartner 선정 10대 전략 기술Open Source Consulting
 
[오픈테크넷서밋2022] 국내 PaaS(Kubernetes) Best Practice 및 DevOps 환경 구축 사례.pdf
[오픈테크넷서밋2022] 국내 PaaS(Kubernetes) Best Practice 및 DevOps 환경 구축 사례.pdf[오픈테크넷서밋2022] 국내 PaaS(Kubernetes) Best Practice 및 DevOps 환경 구축 사례.pdf
[오픈테크넷서밋2022] 국내 PaaS(Kubernetes) Best Practice 및 DevOps 환경 구축 사례.pdfOpen Source Consulting
 
쿠버네티스 기반 PaaS 솔루션 - Playce Kube를 소개합니다.
쿠버네티스 기반 PaaS 솔루션 - Playce Kube를 소개합니다.쿠버네티스 기반 PaaS 솔루션 - Playce Kube를 소개합니다.
쿠버네티스 기반 PaaS 솔루션 - Playce Kube를 소개합니다.Open Source Consulting
 
Life science에서 k-agile으로 일하기 : with SAFe(Scaled Agile) & Atlassian
Life science에서 k-agile으로 일하기 : with SAFe(Scaled Agile) & Atlassian Life science에서 k-agile으로 일하기 : with SAFe(Scaled Agile) & Atlassian
Life science에서 k-agile으로 일하기 : with SAFe(Scaled Agile) & Atlassian Open Source Consulting
 
초보자를 위한 네트워크/VLAN 기초
초보자를 위한 네트워크/VLAN 기초초보자를 위한 네트워크/VLAN 기초
초보자를 위한 네트워크/VLAN 기초Open Source Consulting
 
Atlassian cloud 제품을 이용한 DevOps 프로세스 구축: Jira Cloud, Bitbucket Cloud
Atlassian cloud 제품을 이용한 DevOps 프로세스 구축: Jira Cloud, Bitbucket CloudAtlassian cloud 제품을 이용한 DevOps 프로세스 구축: Jira Cloud, Bitbucket Cloud
Atlassian cloud 제품을 이용한 DevOps 프로세스 구축: Jira Cloud, Bitbucket CloudOpen Source Consulting
 
[웨비나] 클라우드 마이그레이션 수행 시 가장 많이 하는 질문 Top 10!
[웨비나] 클라우드 마이그레이션 수행 시 가장 많이 하는 질문 Top 10![웨비나] 클라우드 마이그레이션 수행 시 가장 많이 하는 질문 Top 10!
[웨비나] 클라우드 마이그레이션 수행 시 가장 많이 하는 질문 Top 10!Open Source Consulting
 
[오픈소스컨설팅] EFK Stack 소개와 설치 방법
[오픈소스컨설팅] EFK Stack 소개와 설치 방법[오픈소스컨설팅] EFK Stack 소개와 설치 방법
[오픈소스컨설팅] EFK Stack 소개와 설치 방법Open Source Consulting
 
[오픈소스컨설팅] SELinux : Stop Disabling SELinux
[오픈소스컨설팅] SELinux : Stop Disabling SELinux[오픈소스컨설팅] SELinux : Stop Disabling SELinux
[오픈소스컨설팅] SELinux : Stop Disabling SELinuxOpen Source Consulting
 
[오픈소스컨설팅] 서비스 메쉬(Service mesh)
[오픈소스컨설팅] 서비스 메쉬(Service mesh)[오픈소스컨설팅] 서비스 메쉬(Service mesh)
[오픈소스컨설팅] 서비스 메쉬(Service mesh)Open Source Consulting
 
[오픈소스컨설팅] ARM & OpenStack Community
[오픈소스컨설팅] ARM & OpenStack Community[오픈소스컨설팅] ARM & OpenStack Community
[오픈소스컨설팅] ARM & OpenStack CommunityOpen Source Consulting
 
[열린기술공방] Container기반의 DevOps - 클라우드 네이티브
[열린기술공방] Container기반의 DevOps - 클라우드 네이티브[열린기술공방] Container기반의 DevOps - 클라우드 네이티브
[열린기술공방] Container기반의 DevOps - 클라우드 네이티브Open Source Consulting
 
주 52시간 시대의 Agile_ 오픈소스컨설팅 한진규 이사
주 52시간 시대의 Agile_ 오픈소스컨설팅 한진규 이사주 52시간 시대의 Agile_ 오픈소스컨설팅 한진규 이사
주 52시간 시대의 Agile_ 오픈소스컨설팅 한진규 이사Open Source Consulting
 
[오픈소스컨설팅] jira service desk 201908
[오픈소스컨설팅] jira service desk 201908[오픈소스컨설팅] jira service desk 201908
[오픈소스컨설팅] jira service desk 201908Open Source Consulting
 
Community openstack & Ceph 기반 서비스 운영 해결 방안
Community openstack & Ceph 기반 서비스 운영 해결 방안Community openstack & Ceph 기반 서비스 운영 해결 방안
Community openstack & Ceph 기반 서비스 운영 해결 방안Open Source Consulting
 
Modern Incident Management with Atlassian (오픈소스컨설팅)
Modern Incident Management with Atlassian (오픈소스컨설팅)Modern Incident Management with Atlassian (오픈소스컨설팅)
Modern Incident Management with Atlassian (오픈소스컨설팅)Open Source Consulting
 

More from Open Source Consulting (20)

클라우드 네이티브 전환 요소 및 성공적인 쿠버네티스 도입 전략
클라우드 네이티브 전환 요소 및 성공적인 쿠버네티스 도입 전략클라우드 네이티브 전환 요소 및 성공적인 쿠버네티스 도입 전략
클라우드 네이티브 전환 요소 및 성공적인 쿠버네티스 도입 전략
 
[기술 트렌드] Gartner 선정 10대 전략 기술
[기술 트렌드] Gartner 선정 10대 전략 기술[기술 트렌드] Gartner 선정 10대 전략 기술
[기술 트렌드] Gartner 선정 10대 전략 기술
 
[오픈테크넷서밋2022] 국내 PaaS(Kubernetes) Best Practice 및 DevOps 환경 구축 사례.pdf
[오픈테크넷서밋2022] 국내 PaaS(Kubernetes) Best Practice 및 DevOps 환경 구축 사례.pdf[오픈테크넷서밋2022] 국내 PaaS(Kubernetes) Best Practice 및 DevOps 환경 구축 사례.pdf
[오픈테크넷서밋2022] 국내 PaaS(Kubernetes) Best Practice 및 DevOps 환경 구축 사례.pdf
 
쿠버네티스 기반 PaaS 솔루션 - Playce Kube를 소개합니다.
쿠버네티스 기반 PaaS 솔루션 - Playce Kube를 소개합니다.쿠버네티스 기반 PaaS 솔루션 - Playce Kube를 소개합니다.
쿠버네티스 기반 PaaS 솔루션 - Playce Kube를 소개합니다.
 
Life science에서 k-agile으로 일하기 : with SAFe(Scaled Agile) & Atlassian
Life science에서 k-agile으로 일하기 : with SAFe(Scaled Agile) & Atlassian Life science에서 k-agile으로 일하기 : with SAFe(Scaled Agile) & Atlassian
Life science에서 k-agile으로 일하기 : with SAFe(Scaled Agile) & Atlassian
 
초보자를 위한 네트워크/VLAN 기초
초보자를 위한 네트워크/VLAN 기초초보자를 위한 네트워크/VLAN 기초
초보자를 위한 네트워크/VLAN 기초
 
Atlassian cloud 제품을 이용한 DevOps 프로세스 구축: Jira Cloud, Bitbucket Cloud
Atlassian cloud 제품을 이용한 DevOps 프로세스 구축: Jira Cloud, Bitbucket CloudAtlassian cloud 제품을 이용한 DevOps 프로세스 구축: Jira Cloud, Bitbucket Cloud
Atlassian cloud 제품을 이용한 DevOps 프로세스 구축: Jira Cloud, Bitbucket Cloud
 
[웨비나] 클라우드 마이그레이션 수행 시 가장 많이 하는 질문 Top 10!
[웨비나] 클라우드 마이그레이션 수행 시 가장 많이 하는 질문 Top 10![웨비나] 클라우드 마이그레이션 수행 시 가장 많이 하는 질문 Top 10!
[웨비나] 클라우드 마이그레이션 수행 시 가장 많이 하는 질문 Top 10!
 
[오픈소스컨설팅] EFK Stack 소개와 설치 방법
[오픈소스컨설팅] EFK Stack 소개와 설치 방법[오픈소스컨설팅] EFK Stack 소개와 설치 방법
[오픈소스컨설팅] EFK Stack 소개와 설치 방법
 
[오픈소스컨설팅] SELinux : Stop Disabling SELinux
[오픈소스컨설팅] SELinux : Stop Disabling SELinux[오픈소스컨설팅] SELinux : Stop Disabling SELinux
[오픈소스컨설팅] SELinux : Stop Disabling SELinux
 
[오픈소스컨설팅] 서비스 메쉬(Service mesh)
[오픈소스컨설팅] 서비스 메쉬(Service mesh)[오픈소스컨설팅] 서비스 메쉬(Service mesh)
[오픈소스컨설팅] 서비스 메쉬(Service mesh)
 
[오픈소스컨설팅] ARM & OpenStack Community
[오픈소스컨설팅] ARM & OpenStack Community[오픈소스컨설팅] ARM & OpenStack Community
[오픈소스컨설팅] ARM & OpenStack Community
 
Atlassian ITSM Case-study
Atlassian ITSM Case-studyAtlassian ITSM Case-study
Atlassian ITSM Case-study
 
[열린기술공방] Container기반의 DevOps - 클라우드 네이티브
[열린기술공방] Container기반의 DevOps - 클라우드 네이티브[열린기술공방] Container기반의 DevOps - 클라우드 네이티브
[열린기술공방] Container기반의 DevOps - 클라우드 네이티브
 
주 52시간 시대의 Agile_ 오픈소스컨설팅 한진규 이사
주 52시간 시대의 Agile_ 오픈소스컨설팅 한진규 이사주 52시간 시대의 Agile_ 오픈소스컨설팅 한진규 이사
주 52시간 시대의 Agile_ 오픈소스컨설팅 한진규 이사
 
Open infra and cloud native
Open infra and cloud nativeOpen infra and cloud native
Open infra and cloud native
 
[오픈소스컨설팅] jira service desk 201908
[오픈소스컨설팅] jira service desk 201908[오픈소스컨설팅] jira service desk 201908
[오픈소스컨설팅] jira service desk 201908
 
Community Openstack 구축 사례
Community Openstack 구축 사례Community Openstack 구축 사례
Community Openstack 구축 사례
 
Community openstack & Ceph 기반 서비스 운영 해결 방안
Community openstack & Ceph 기반 서비스 운영 해결 방안Community openstack & Ceph 기반 서비스 운영 해결 방안
Community openstack & Ceph 기반 서비스 운영 해결 방안
 
Modern Incident Management with Atlassian (오픈소스컨설팅)
Modern Incident Management with Atlassian (오픈소스컨설팅)Modern Incident Management with Atlassian (오픈소스컨설팅)
Modern Incident Management with Atlassian (오픈소스컨설팅)
 

Recently uploaded

Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionSolGuruz
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsAlberto González Trastoy
 
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female serviceCALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female serviceanilsa9823
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...ICS
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providermohitmore19
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Steffen Staab
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Modelsaagamshah0812
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsAndolasoft Inc
 
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online  ☂️CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online  ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️anilsa9823
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfkalichargn70th171
 
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AISyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AIABDERRAOUF MEHENNI
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfkalichargn70th171
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerThousandEyes
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVshikhaohhpro
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxbodapatigopi8531
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️Delhi Call girls
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comFatema Valibhai
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...Health
 

Recently uploaded (20)

Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with Precision
 
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
 
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female serviceCALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Models
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.js
 
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online  ☂️CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online  ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
 
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS LiveVip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
 
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AISyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTV
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptx
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.com
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
 

[오픈소스컨설팅] Linux Network Troubleshooting

  • 1.
  • 2.
  • 3.
  • 4. Web Server vSwitch L4 Switch L3 Router Firewall Apache, Nginx, .. KVM Hypervisor OpenvSwitch, Linux Bridge iptables, nftables, bpf iproute, Quagga L2 Switch HAproxy, Nginx …
  • 5. Layer Protocol Data Unit(PDU) TCP/IP Host layers 7 Application Data Resource 공유, 원격 파일 접근 등 고급 API 6 Presentation Network service와 app간 data 번역 인코딩 5 Session Communication session 관리 4 Transport Segment, Datagram Network point간 data segment 전송 Media layers 3 Network Packet 다중노드 network traffic control 2 Data link Frame 두 노드간의 data frame 전송 1 Physical Bit, Symbol 물리계층 raw bit를 전송 Linux에서 문제해결 가능한 계층
  • 7. • iproute2 package(ip, ss, tc, bridge…) • iptables(nftables) • tcpdump • nmap • …
  • 8.
  • 9. root@server1:~# ip -h Usage: ip [ OPTIONS ] OBJECT { COMMAND | help } ip [ -force ] -batch filename where OBJECT := { link | address | addrlabel | route | rule | neigh | ntable | tunnel | tuntap | maddress | mroute | mrule | monitor | xfrm | netns | l2tp | fou | macsec | tcp_metrics | token | netconf | ila | vrf | sr } OPTIONS := { -V[ersion] | -s[tatistics] | -d[etails] | -r[esolve] | -h[uman-readable] | -iec | -f[amily] { inet | inet6 | ipx | dnet | mpls | bridge | link } | -4 | -6 | -I | -D | -B | -0 | -l[oops] { maximum-addr-flush-attempts } | -br[ief] | -o[neline] | -t[imestamp] | -ts[hort] | -b[atch] [filename] | -rc[vbuf] [size] | -n[etns] name | -a[ll] | -c[olor]}
  • 10. root@server1:~# ip -4 -o a 1: lo inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever 2: ens3 inet 10.2.1.21/24 brd 10.2.1.255 scope global ens3 valid_lft forever preferred_lft forever 3: ens4 inet 10.2.2.21/24 brd 10.2.2.255 scope global ens4 valid_lft forever preferred_lft forever 4: ens5 inet 10.2.3.21/24 brd 10.2.3.255 scope global ens5 valid_lft forever preferred_lft forever 5: ens6 inet 10.2.4.21/24 brd 10.2.4.255 scope global ens6 valid_lft forever preferred_lft forever ipv4만 축약해서 address의 단축 커맨드
  • 11. root@server1:~# ip neighbor 10.2.1.1 dev ens3 lladdr 52:54:51:98:db:95 REACHABLE 10.2.1.22 dev ens3 lladdr 52:54:00:23:8a:73 STALE
  • 12. root@router1:~# ip link add link ens9 name ens9_v100 type vlan id 100 root@router1:~# ip -d link show ens9_v100 9: ens9_v100@ens9: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000 link/ether 52:54:00:05:99:0b brd ff:ff:ff:ff:ff:ff promiscuity 0 vlan protocol 802.1Q id 100 <REORDER_HDR> addrgenmode eui64 numtxqueues 1 numrxqueues 1 gso_max_size 65536 gso_max_segs 65535 link 상태 detail 출력 MAC address VLAN ID ens9를 이용해서 vlan type의 sub interface를 만들고 VLAN ID100을 부여 함.
  • 13. root@router1:~# ip route default via 10.2.1.1 dev ens3 proto static 1.1.1.0/24 dev ens4 proto kernel scope link src 1.1.1.1 2.2.2.0/24 dev ens5 proto kernel scope link src 2.2.2.1 5.5.5.0/25 via 2.2.2.13 dev ens5 metric 10 5.5.5.0/24 via 1.1.1.12 dev ens4 metric 10 10.2.1.0/24 dev ens3 proto kernel scope link src 10.2.1.22 metric이 낮은것이 우선순위가 높음. metric이 생략된것은 0 default 값 0 모든 table에서 매치되지 않으면 default로 보낸다. defualt가 2개면 위에있는것이 우선순위가 높음. metric이 같다면 network(subnet)가 작을수록 우선순위가 높다. 5.5.5.0 ~ 128은 2.2.2.13으로 보내고, 5.5.5.129 ~ 255는 1.1.1.12로 보낸다.
  • 14. root@router1:~# ip rule list 0: from all lookup local 32766: from all lookup main 32767: from all lookup default root@router1:~# 기본적으로 3개(local, main, defualt) 더 추가 가능함. ID가 낮은것이 우선순위가 높다. 보통 우리가 보는것은 main table
  • 15. root@router1:~# ip route show table main default via 10.2.1.1 dev ens3 proto static 1.1.1.0/24 dev ens4 proto kernel scope link src 1.1.1.1 2.2.2.0/24 dev ens5 proto kernel scope link src 2.2.2.1 5.5.5.0/25 via 2.2.2.13 dev ens5 metric 10 5.5.5.0/24 via 1.1.1.12 dev ens4 metric 10 10.2.1.0/24 dev ens3 proto kernel scope link src 10.2.1.22 root@server1:~# ip route show table local broadcast 10.2.1.0 dev ens3 proto kernel scope link src 10.2.1.21 local 10.2.1.21 dev ens3 proto kernel scope host src 10.2.1.21 broadcast 10.2.1.255 dev ens3 proto kernel scope link src 10.2.1.21 broadcast 10.2.2.0 dev ens4 proto kernel scope link src 10.2.2.21 local 10.2.2.21 dev ens4 proto kernel scope host src 10.2.2.21 broadcast 10.2.2.255 dev ens4 proto kernel scope link src 10.2.2.21 broadcast 10.2.3.0 dev ens5 proto kernel scope link src 10.2.3.21 local 10.2.3.21 dev ens5 proto kernel scope host src 10.2.3.21 broadcast 10.2.3.255 dev ens5 proto kernel scope link src 10.2.3.21 broadcast 10.2.4.0 dev ens6 proto kernel scope link src 10.2.4.21 local 10.2.4.21 dev ens6 proto kernel scope host src 10.2.4.21 broadcast 10.2.4.255 dev ens6 proto kernel scope link src 10.2.4.21 broadcast 127.0.0.0 dev lo proto kernel scope link src 127.0.0.1 local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1 local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1 broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1
• 17. root@router1:~# ip -4 -o a
1: lo inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever
2: ens3 inet 10.2.1.22/24 brd 10.2.1.255 scope global ens3 valid_lft forever preferred_lft forever
2: ens3 inet 1.1.1.12/24 scope global ens3 valid_lft forever preferred_lft forever
3: ens4 inet 10.2.2.22/24 brd 10.2.2.255 scope global ens4 valid_lft forever preferred_lft forever
4: ens5 inet 10.2.3.22/24 brd 10.2.3.255 scope global ens5 valid_lft forever preferred_lft forever
5: ens6 inet 10.2.4.22/24 brd 10.2.4.255 scope global ens6 valid_lft forever preferred_lft forever

root@router1:~# tcpdump -n -i ens3 icmp and host 10.2.1.21
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens3, link-type EN10MB (Ethernet), capture size 262144 bytes
15:59:39.549512 IP 10.2.1.21 > 10.2.1.22: ICMP echo request, id 10793, seq 1, length 64
15:59:39.549673 IP 10.2.1.22 > 10.2.1.21: ICMP echo reply, id 10793, seq 1, length 64
15:59:40.563168 IP 10.2.1.21 > 10.2.1.22: ICMP echo request, id 10793, seq 2, length 64
15:59:40.563222 IP 10.2.1.22 > 10.2.1.21: ICMP echo reply, id 10793, seq 2, length 64
15:59:41.566570 IP 10.2.1.21 > 10.2.1.22: ICMP echo request, id 10793, seq 3, length 64
15:59:41.566631 IP 10.2.1.22 > 10.2.1.21: ICMP echo reply, id 10793, seq 3, length 64

-n: no resolve, print IP addresses and port numbers as they are. -i: the interface to listen on; "any" means every interface. expression: protocol, host, port and so on, written in tcpdump's filter syntax. router1 holds the IP 10.2.1.22. With tcpdump you can tell whether the traffic actually arrives.
• 18. root@server1:~# ss -ntpl
State    Recv-Q   Send-Q   Local Address:Port   Peer Address:Port
LISTEN   0        128      127.0.0.53%lo:53     0.0.0.0:*    users:(("systemd-resolve",pid=620,fd=13))
LISTEN   0        128      0.0.0.0:22           0.0.0.0:*    users:(("sshd",pid=911,fd=3))
LISTEN   0        128      [::]:22              [::]:*       users:(("sshd",pid=911,fd=4))
----------------------------------------------------------------------------------------------------------------------
root@router1:~# nmap -p 22 10.2.1.21
Starting Nmap 7.60 ( https://nmap.org ) at 2021-04-01 16:33 KST
Nmap scan report for server1 (10.2.1.21)
Host is up (0.00035s latency).
PORT   STATE SERVICE
22/tcp open  ssh
MAC Address: 52:54:00:FE:C7:A2 (QEMU virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 0.56 seconds

ss is the tool that replaces netstat. n: no resolve; t: tcp; p: show the owning process; l: show only listening sockets. nmap is a network exploration tool and security/port scanner; here it scans only port 22 of the given address.
• 19. root@server1:~# ss -ntpl
State    Recv-Q   Send-Q   Local Address:Port   Peer Address:Port
LISTEN   0        128      127.0.0.53%lo:53     0.0.0.0:*    users:(("systemd-resolve",pid=620,fd=13))
LISTEN   0        128      0.0.0.0:22           0.0.0.0:*    users:(("sshd",pid=911,fd=3))
LISTEN   0        128      [::]:22              [::]:*       users:(("sshd",pid=911,fd=4))
LISTEN   0        128      *:80                 *:*          users:(("apache2",pid=11336,fd=4),("apache2",pid=11335,fd=4),("apache2",pid=11334,fd=4))
----------------------------------------------------------------------------------------------------------------------
root@router1:~# curl 10.2.1.21
curl: (7) Failed to connect to 10.2.1.21 port 80: Connection refused
root@router1:~#
root@router1:~# nmap -p 80 10.2.1.21
Starting Nmap 7.60 ( https://nmap.org ) at 2021-04-01 16:42 KST
Nmap scan report for server1 (10.2.1.21)
Host is up (0.00050s latency).
PORT   STATE    SERVICE
80/tcp filtered http
MAC Address: 52:54:00:FE:C7:A2 (QEMU virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 0.61 seconds

The web server has been started, but the web server cannot be reached.
• 20. root@server1:~# iptables -L INPUT -n --line
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 reject-with icmp-port-unreachable

root@server1:~# iptables -I INPUT -m tcp -p tcp -s 10.2.1.22 --dport 80 -j ACCEPT
root@server1:~# iptables -L INPUT -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  10.2.1.22            0.0.0.0/0            tcp dpt:80
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 reject-with icmp-port-unreachable

Check the iptables INPUT chain on server1. -I (insert) puts the rule at the very top of the chain. In the INPUT chain, using the tcp module and the tcp protocol, source address 10.2.1.22 and destination port 80 are matched; -j (jump) <target> takes an action or a specific chain, and here it allows the traffic. Rules are searched in order from the top: if REJECT were above, it would be applied first.
• 21. root@router1:~# nmap -p 80 10.2.1.21
Starting Nmap 7.60 ( https://nmap.org ) at 2021-04-01 16:48 KST
Nmap scan report for server1 (10.2.1.21)
Host is up (0.00040s latency).
PORT   STATE SERVICE
80/tcp open  http
MAC Address: 52:54:00:FE:C7:A2 (QEMU virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 0.61 seconds

It is open!
• 24. root@router1:~# ip a a 1.1.1.1/24 dev ens4
root@router1:~# ip l s up ens4
root@router1:~# ip a a 2.2.2.1/24 dev ens5
root@router1:~# ip l s up ens5
root@router1:~# ip -4 -o a
1: lo inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever
2: ens3 inet 10.2.1.22/24 brd 10.2.1.255 scope global ens3 valid_lft forever preferred_lft forever
3: ens4 inet 1.1.1.1/24 scope global ens4 valid_lft forever preferred_lft forever
4: ens5 inet 2.2.2.1/24 scope global ens5 valid_lft forever preferred_lft forever
root@router1:~# sysctl -w net.ipv4.conf.all.forwarding=1
net.ipv4.conf.all.forwarding = 1
root@router1:~# iptables -I FORWARD -j REJECT
root@router1:~# iptables -I FORWARD -p icmp -j ACCEPT
root@router1:~# iptables -L FORWARD -n
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

All forwarded traffic except ICMP is REJECTed.
• 25. (diagram: Traffic -> PREROUTING -> ROUTE -> INPUT or FORWARD; OUTPUT -> POSTROUTING -> Traffic)
Traffic whose destination is the local host goes to INPUT; traffic whose destination is not local goes to FORWARD; traffic whose source is local starts at OUTPUT.
• 27. (diagram: the nat table's chains PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING around ROUTE)
The nat table contains all of the chains: PREROUTING, INPUT, FORWARD, OUTPUT and POSTROUTING.
• 28. root@server1:~# ip a a 1.1.1.11/24 dev ens4
root@server1:~# ip l s up ens4
root@server1:~# ip -4 -o a
1: lo inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever
2: ens3 inet 10.2.1.21/24 brd 10.2.1.255 scope global ens3 valid_lft forever preferred_lft forever
3: ens4 inet 1.1.1.11/24 scope global ens4 valid_lft forever preferred_lft forever
root@server1:~#
root@server1:~# ip r a 2.2.2.0/24 via 1.1.1.1
root@server1:~# ip r
default via 10.2.1.1 dev ens3 proto static
1.1.1.0/24 dev ens4 proto kernel scope link src 1.1.1.11
2.2.2.0/24 via 1.1.1.1 dev ens4
10.2.1.0/24 dev ens3 proto kernel scope link src 10.2.1.21

root@server2:~# ip a a 2.2.2.12/24 dev ens4
root@server2:~# ip l s up ens4
root@server2:~# ip -4 -o a
1: lo inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever
2: ens3 inet 10.2.1.23/24 brd 10.2.1.255 scope global ens3 valid_lft forever preferred_lft forever
3: ens4 inet 2.2.2.12/24 scope global ens4 valid_lft forever preferred_lft forever
root@server2:~#
root@server2:~# ip r a 1.1.1.0/24 via 2.2.2.1
root@server2:~# ip r
default via 10.2.1.1 dev ens3 proto static
1.1.1.0/24 via 2.2.2.1 dev ens4
2.2.2.0/24 dev ens4 proto kernel scope link src 2.2.2.12
10.2.1.0/24 dev ens3 proto kernel scope link src 10.2.1.23

The route on server1 is added so that 2.2.2.0/24 traffic can be sent from server1 (through router1). The route on server2 is added so that 1.1.1.0/24 traffic can be sent to server1.
• 29. root@server1:~# ip -4 -o a
1: lo inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever
2: ens3 inet 10.2.1.21/24 brd 10.2.1.255 scope global ens3 valid_lft forever preferred_lft forever
3: ens4 inet 1.1.1.11/24 scope global ens4 valid_lft forever preferred_lft forever
root@server1:~# ping 2.2.2.12
PING 2.2.2.12 (2.2.2.12) 56(84) bytes of data.
64 bytes from 2.2.2.12: icmp_seq=1 ttl=63 time=1.71 ms
64 bytes from 2.2.2.12: icmp_seq=2 ttl=63 time=0.657 ms
64 bytes from 2.2.2.12: icmp_seq=3 ttl=63 time=0.806 ms
^C
--- 2.2.2.12 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2019ms
rtt min/avg/max/mdev = 0.657/1.060/1.719/0.470 ms

root@server2:~# tcpdump -i ens4 icmp -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens4, link-type EN10MB (Ethernet), capture size 262144 bytes
19:09:22.942341 IP 1.1.1.11 > 2.2.2.12: ICMP echo request, id 12297, seq 10, length 64
19:09:22.942422 IP 2.2.2.12 > 1.1.1.11: ICMP echo reply, id 12297, seq 10, length 64
19:09:23.946357 IP 1.1.1.11 > 2.2.2.12: ICMP echo request, id 12297, seq 11, length 64
19:09:23.946423 IP 2.2.2.12 > 1.1.1.11: ICMP echo reply, id 12297, seq 11, length 64
^C
4 packets captured
4 packets received by filter
0 packets dropped by kernel

Ping from server1 to server2, and confirm the network connection with tcpdump on server2.
• 30. root@server1:~# ssh 2.2.2.12
ssh: connect to host 2.2.2.12 port 22: Connection refused

root@router1:~# iptables -I FORWARD -m conntrack -p tcp --ctstate ESTABLISH -j ACCEPT
root@router1:~# iptables -I FORWARD -m conntrack -p tcp --dport 22 -s 1.1.1.11/32 -d 2.2.2.12/32 --ctstate NEW -j ACCEPT
root@router1:~# iptables -L FORWARD -n
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  1.1.1.11             2.2.2.12             ctstate NEW tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            ctstate ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

root@server1:~# ssh 2.2.2.12
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-136-generic x86_64)
…
Last login: Thu Apr 1 19:20:42 2021 from 1.1.1.11
root@server2:~#

At first, 2.2.2.12 tcp port 22 cannot be reached!! Now 2.2.2.12 tcp port 22 can be reached fine! ESTABLISHED covers packets of a two-way conversation; for tcp it includes the established connection and the syn/ack and ack packets. Without this rule you would always have to open src and dest IPs in both directions, which is inconvenient. For detailed usage: # man iptables-extensions. NEW corresponds to the syn packet of the tcp 3-way handshake.
• 31. (diagram: server1 -> router1 -> router-H (Hypervisor) -> ipTIME -> google.com)
1.1.1.11 -> google.com; 1.1.1.11 is masqueraded to router1: 10.2.1.22 -> google.com; 10.2.1.22 is masqueraded to router-H: 192.168.0.35 -> google.com; 192.168.0.35 is SNATed to the ipTIME: 221.148.x.x -> google.com
masquerade? (a mask; to disguise) It is similar to SNAT (Source Network Address Translation), but masquerade rewrites the source to the host's own address rather than to a specific address.
• 32. root@server1:~# ip r
default via 10.2.1.1 dev ens3 proto static
1.1.1.0/24 dev ens4 proto kernel scope link src 1.1.1.11
2.2.2.0/24 via 1.1.1.1 dev ens4
10.2.1.0/24 dev ens3 proto kernel scope link src 10.2.1.21
root@server1:~# ip r d default
root@server1:~# ip r a default via 1.1.1.1
root@server1:~# ip r
default via 1.1.1.1 dev ens4
1.1.1.0/24 dev ens4 proto kernel scope link src 1.1.1.11
2.2.2.0/24 via 1.1.1.1 dev ens4
10.2.1.0/24 dev ens3 proto kernel scope link src 10.2.1.21
root@server1:~# ping google.com -c 1 -w 1
PING google.com (172.217.31.174) 56(84) bytes of data.
--- google.com ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

root@router1:~/iptables# iptables -t nat -I POSTROUTING -p all -s 1.1.1.11 -j MASQUERADE
root@router1:~/iptables# iptables -t nat -L -n
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  1.1.1.11             0.0.0.0/0
root@router1:~/iptables#

server1's routing table is changed; there is no communication with the outside yet. MASQUERADE is then configured on router1.
• 33. root@router1:~/iptables# tcpdump -i any icmp -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
09:56:41.868313 IP 1.1.1.11 > 172.217.31.174: ICMP echo request, id 16806, seq 1, length 64
09:56:41.868507 IP 10.2.1.22 > 172.217.31.174: ICMP echo request, id 16806, seq 1, length 64
09:56:41.910354 IP 172.217.31.174 > 10.2.1.22: ICMP echo reply, id 16806, seq 1, length 64
09:56:41.910441 IP 172.217.31.174 > 1.1.1.11: ICMP echo reply, id 16806, seq 1, length 64

root@server1:~# ping google.com -c 1 -w 1
PING google.com (172.217.31.174) 56(84) bytes of data.
64 bytes from nrt12s22-in-f14.1e100.net (172.217.31.174): icmp_seq=1 ttl=112 time=42.4 ms
--- google.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 42.426/42.426/42.426/0.000 ms

Packet dump on router1. Communication with the outside now works: 1.1.1.11 -> google.com is SNATed to 10.2.1.22 -> google.com; 10.2.1.22 is router1's interface connected to the outside.
• 34. (diagram: server2 on the external network -> router1 -> server1 on the internal network)
Assume server2 and server1 do not know each other's network and cannot communicate directly.
server2 -> router1: 2.2.2.12 -> 2.2.2.1:2222
2.2.2.1:2222 -> 1.1.1.11:22 (PREROUTING chain DNAT): 2.2.2.12 -> 1.1.1.11:22
after passing the routing table, 2.2.2.12 -> 1.1.1.1 (POSTROUTING chain SNAT): 1.1.1.1 -> 1.1.1.11:22
reply: 1.1.1.11:22 -> 1.1.1.1, restored to 1.1.1.11:22 -> 2.2.2.12, arriving at server2 as 2.2.2.1:2222 -> 2.2.2.12
When the outside cannot reach the inside in one hop, a router in the middle that can do DNAT rewrites the destination address and forwards the packet. Usually when doing DNAT, the DNAT target (server1) cannot reach the source (server2) directly, so MASQUERADE is done as well to rewrite the source address.
• 35. root@router1:~# iptables -t nat -I PREROUTING -p tcp -d 2.2.2.1 --dport 2222 -j DNAT --to 1.1.1.11:22
root@router1:~# iptables -I FORWARD -m conntrack -p tcp -s 2.2.2.12 -d 1.1.1.11 --dport 22 --ctstate NEW -j ACCEPT
root@router1:~# iptables -t nat -I POSTROUTING -m tcp -p tcp -s 2.2.2.12 -d 1.1.1.11 --dport 22 -j MASQUERADE

The first is the ingress traffic rule, the second the forwarding traffic rule, the third the egress traffic rule. syn/ack, ack and established packets are already ACCEPTed by the earlier rule.
• 36. root@router1:~/iptables# tcpdump -i any host 1.1.1.1 and tcp or host 2.2.2.1 and tcp -n -v
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
11:05:22.373157 IP (tos 0x0, ttl 64, id 33928, offset 0, flags [DF], proto TCP (6), length 60)
    2.2.2.12.43488 > 2.2.2.1.2222: Flags [S], cksum 0x083f (incorrect -> 0x3822), seq 616434668, win 64240, options [mss 1460,sackOK,TS val 3269093065 ecr 0,nop,wscale 7], length 0
11:05:22.373253 IP (tos 0x0, ttl 63, id 33928, offset 0, flags [DF], proto TCP (6), length 60)
    1.1.1.1.43488 > 1.1.1.11.22: Flags [S], cksum 0x043c (incorrect -> 0x44bd), seq 616434668, win 64240, options [mss 1460,sackOK,TS val 3269093065 ecr 0,nop,wscale 7], length 0
11:05:22.373694 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    1.1.1.11.22 > 1.1.1.1.43488: Flags [S.], cksum 0x043c (incorrect -> 0x9a16), seq 2717858833, ack 616434669, win 65160, options [mss 1460,sackOK,TS val 3992181496 ecr 3269093065,nop,wscale 7], length 0
11:05:22.373716 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    2.2.2.1.2222 > 2.2.2.12.43488: Flags [S.], cksum 0x083f (incorrect -> 0x8d7b), seq 2717858833, ack 616434669, win 65160, options [mss 1460,sackOK,TS val 3992181496 ecr 3269093065,nop,wscale 7], length 0

root@server2:~# ssh 2.2.2.1 -p 2222
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-136-generic x86_64)
…
Last login: Fri Apr 2 11:18:01 2021 from 1.1.1.1
root@server1:~#

First packet: SYN from server2 to router1:2222. Second: the same traffic after DNAT and SNAT, reaching server1 with router1 as the source. Third: the SYN/ACK received from server1 ("." means ACK). Fourth: DNAT and SNAT are reversed on the way back.
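The two translations shown on slides 31 to 36, the MASQUERADE of server1 towards google.com and the DNAT-plus-MASQUERADE of server2's ssh session, as an added example in plain Python (not code from the deck). Tuple values are those of the slide's tcpdump output; the routing table, the rule encoding and the conntrack dictionary are constructed stand-ins for what the kernel does, not a kernel API.

```python
"""Stand-in for the NAT bookkeeping router1 performs: DNAT in PREROUTING before
the routing decision, MASQUERADE in POSTROUTING after it, conntrack for replies."""
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int      # for icmp: the echo id
    dst: str
    dport: int

    def reverse(self) -> "Flow":
        return Flow(self.proto, self.dst, self.dport, self.src, self.sport)


class NatRouter:
    def __init__(self, routes, dnat, masq):
        # routes: {prefix: (ifname, own address on it)}; longest prefix wins
        self.routes = {ipaddress.ip_network(p): v for p, v in routes.items()}
        # dnat: {(dst, dport): (new_dst, new_dport)}   <- nat PREROUTING -j DNAT
        self.dnat = dnat
        # masq: [(src, dst or None, dport or None)]     <- nat POSTROUTING -j MASQUERADE
        self.masq = masq
        # conntrack: seen tuple -> translated tuple, for both directions
        self.conntrack = {}

    def egress(self, dst):
        addr = ipaddress.ip_address(dst)
        best = max((p for p in self.routes if addr in p), key=lambda p: p.prefixlen)
        return self.routes[best]

    def forward(self, pkt: Flow) -> Flow:
        """Translate one forwarded packet as the nat table plus conntrack would."""
        if pkt in self.conntrack:            # ESTABLISHED: reuse the recorded mapping
            return self.conntrack[pkt]
        out = pkt                            # NEW: consult the nat rules once
        new = self.dnat.get((pkt.dst, pkt.dport))
        if new:                              # PREROUTING DNAT, before routing
            out = replace(out, dst=new[0], dport=new[1])
        _ifname, own_addr = self.egress(out.dst)   # routing on the rewritten dst
        for src, dst, dport in self.masq:    # POSTROUTING MASQUERADE, after routing
            if out.src == src and dst in (None, out.dst) and dport in (None, out.dport):
                out = replace(out, src=own_addr)   # source becomes the egress address
                break
        self.conntrack[pkt] = out
        self.conntrack[out.reverse()] = pkt.reverse()   # reply gets un-translated
        return out


def make_router1() -> NatRouter:
    """router1 with the nat rules of slides 32 and 35 (constructed from the slides)."""
    return NatRouter(
        routes={"0.0.0.0/0": ("ens3", "10.2.1.22"),
                "1.1.1.0/24": ("ens4", "1.1.1.1"),
                "2.2.2.0/24": ("ens5", "2.2.2.1")},
        dnat={("2.2.2.1", 2222): ("1.1.1.11", 22)},
        masq=[("1.1.1.11", None, None), ("2.2.2.12", "1.1.1.11", 22)],
    )


if __name__ == "__main__":
    r = make_router1()
    for pkt in (Flow("icmp", "1.1.1.11", 16806, "172.217.31.174", 16806),
                Flow("tcp", "2.2.2.12", 43488, "2.2.2.1", 2222),
                Flow("tcp", "1.1.1.11", 22, "1.1.1.1", 43488)):
        print(pkt, "->", r.forward(pkt))
```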
• 37. root@server1:~# ping 2.2.2.12 -c 2 -w 1
PING 2.2.2.12 (2.2.2.12) 56(84) bytes of data.
64 bytes from 2.2.2.12: icmp_seq=1 ttl=63 time=1.07 ms
--- 2.2.2.12 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.077/1.077/1.077/0.000 ms

root@router1:~/iptables# iptables -I FORWARD 4 -p icmp -s 1.1.1.11 -d 2.2.2.12 -j LOG --log-prefix "iptables ping log"
root@router1:~/iptables# iptables -L FORWARD -n --line
Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  2.2.2.12             1.1.1.11             ctstate NEW tcp dpt:22
2    ACCEPT     tcp  --  1.1.1.11             2.2.2.12             ctstate NEW tcp dpt:22
3    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            ctstate ESTABLISHED
4    LOG        icmp --  1.1.1.11             2.2.2.12             LOG flags 0 level 4 prefix "iptables ping log"
5    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
6    REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
root@router1:~/iptables# journalctl -lf
-- Logs begin at Mon 2021-01-18 10:39:02 KST. --
…
Apr 02 15:45:02 router1 kernel: iptables ping logIN=ens4 OUT=ens5 MAC=52:54:00:d0:c2:3e:52:54:00:41:5a:41:08:00 SRC=1.1.1.11 DST=2.2.2.12 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=9219 DF PROTO=ICMP TYPE=8 CODE=0 ID=20001 SEQ=1
Apr 02 15:45:03 router1 kernel: iptables ping logIN=ens4 OUT=ens5 MAC=52:54:00:d0:c2:3e:52:54:00:41:5a:41:08:00 SRC=1.1.1.11 DST=2.2.2.12 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=9276 DF PROTO=ICMP TYPE=8 CODE=0 ID=20001 SEQ=2

Ping from server1 to server2, then router1's log. The LOG rule must be placed before the rule being debugged. When matching traffic comes in, a LOG entry is written to the kernel log.
• 38. root@server1:~# ping 2.2.2.12 -c 1 -w 1
PING 2.2.2.12 (2.2.2.12) 56(84) bytes of data.
64 bytes from 2.2.2.12: icmp_seq=1 ttl=63 time=0.952 ms
--- 2.2.2.12 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.952/0.952/0.952/0.000 ms

root@router1:~/iptables# iptables -t raw -I PREROUTING -p icmp -j TRACE
root@router1:~/iptables# iptables -L PREROUTING -t raw -n
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
TRACE      icmp --  0.0.0.0/0            0.0.0.0/0
root@router1:~/iptables# journalctl -lf
-- Logs begin at Mon 2021-01-18 10:39:02 KST. --
…
Apr 05 13:25:47 router1 kernel: TRACE: raw:PREROUTING:policy:2 IN=ens4 OUT= MAC=52:54:00:d0:c2:3e:52:54:00:41:5a:41:08:00 SRC=1.1.1.11 DST=2.2.2.12 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=45071 DF PROTO=ICMP TYPE=8 CODE=0 ID=2763 SEQ=1
Apr 05 13:25:47 router1 kernel: TRACE: nat:PREROUTING:policy:2 IN=ens4 OUT= MAC=52:54:00:d0:c2:3e:52:54:00:41:5a:41:08:00 SRC=1.1.1.11 DST=2.2.2.12 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=45071 DF PROTO=ICMP TYPE=8 CODE=0 ID=2763 SEQ=1
Apr 05 13:25:47 router1 kernel: TRACE: filter:FORWARD:rule:4 IN=ens4 OUT=ens5 MAC=52:54:00:d0:c2:3e:52:54:00:41:5a:41:08:00 SRC=1.1.1.11 DST=2.2.2.12 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=45071 DF PROTO=ICMP TYPE=8 CODE=0 ID=2763 SEQ=1
Apr 05 13:25:47 router1 kernel: iptables ping logIN=ens4 OUT=ens5 MAC=52:54:00:d0:c2:3e:52:54:00:41:5a:41:08:00 SRC=1.1.1.11 DST=2.2.2.12 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=45071 DF PROTO=ICMP TYPE=8 CODE=0 ID=2763 SEQ=1
Apr 05 13:25:47 router1 kernel: TRACE: filter:FORWARD:rule:5 IN=ens4 OUT=ens5 MAC=52:54:00:d0:c2:3e:52:54:00:41:5a:41:08:00 SRC=1.1.1.11 DST=2.2.2.12 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=45071 DF PROTO=ICMP TYPE=8 CODE=0 ID=2763 SEQ=1
Apr 05 13:25:47 router1 kernel: TRACE: nat:POSTROUTING:policy:2 IN= OUT=ens5 SRC=1.1.1.11 DST=2.2.2.12 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=45071 DF PROTO=ICMP TYPE=8 CODE=0 ID=2763 SEQ=1
Apr 05 13:25:47 router1 kernel: TRACE: raw:PREROUTING:policy:2 IN=ens5 OUT= MAC=52:54:00:46:35:77:52:54:00:62:d2:7a:08:00 SRC=2.2.2.12 DST=1.1.1.11 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=36143 PROTO=ICMP TYPE=0 CODE=0 ID=2763 SEQ=1
Apr 05 13:25:47 router1 kernel: TRACE: filter:FORWARD:rule:5 IN=ens5 OUT=ens4 MAC=52:54:00:46:35:77:52:54:00:62:d2:7a:08:00 SRC=2.2.2.12 DST=1.1.1.11 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=36143 PROTO=ICMP TYPE=0 CODE=0 ID=2763 SEQ=1

TRACE leaves the trail of the matching traffic in the kernel log. Ping from server1 to server2: the lines for the server1 -> server2 icmp request show that the 2nd rule (the policy) of the nat table's PREROUTING is ACCEPT, then the FORWARD chain's LOG target, then the FORWARD chain's ACCEPT target; the last two lines are the server2 -> server1 icmp reply.
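A parser for the LOG and TRACE output of slides 37 and 38 that rebuilds each packet's path through the tables and chains, as an added example (not code from the deck). The sample lines are the slide's own TRACE and LOG lines with the MAC= field dropped; the parser also copes with the `--log-prefix` on slide 37, which lacks a trailing space and therefore fuses with the `IN=` field in the log.

```python
"""Rebuild per-packet netfilter paths from iptables LOG/TRACE kernel log lines."""
import re
from collections import OrderedDict

# Constructed sample: the slide's TRACE/LOG lines for one echo request (IP ID 45071)
# and its reply (IP ID 36143), MAC= removed. The reply skips nat:PREROUTING because
# conntrack already holds the flow, exactly as on the slide.
SAMPLE_LOG = """\
Apr 05 13:25:47 router1 kernel: TRACE: raw:PREROUTING:policy:2 IN=ens4 OUT= SRC=1.1.1.11 DST=2.2.2.12 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=45071 DF PROTO=ICMP TYPE=8 CODE=0 ID=2763 SEQ=1
Apr 05 13:25:47 router1 kernel: TRACE: nat:PREROUTING:policy:2 IN=ens4 OUT= SRC=1.1.1.11 DST=2.2.2.12 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=45071 DF PROTO=ICMP TYPE=8 CODE=0 ID=2763 SEQ=1
Apr 05 13:25:47 router1 kernel: TRACE: filter:FORWARD:rule:4 IN=ens4 OUT=ens5 SRC=1.1.1.11 DST=2.2.2.12 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=45071 DF PROTO=ICMP TYPE=8 CODE=0 ID=2763 SEQ=1
Apr 05 13:25:47 router1 kernel: iptables ping logIN=ens4 OUT=ens5 SRC=1.1.1.11 DST=2.2.2.12 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=45071 DF PROTO=ICMP TYPE=8 CODE=0 ID=2763 SEQ=1
Apr 05 13:25:47 router1 kernel: TRACE: filter:FORWARD:rule:5 IN=ens4 OUT=ens5 SRC=1.1.1.11 DST=2.2.2.12 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=45071 DF PROTO=ICMP TYPE=8 CODE=0 ID=2763 SEQ=1
Apr 05 13:25:47 router1 kernel: TRACE: nat:POSTROUTING:policy:2 IN= OUT=ens5 SRC=1.1.1.11 DST=2.2.2.12 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=45071 DF PROTO=ICMP TYPE=8 CODE=0 ID=2763 SEQ=1
Apr 05 13:25:47 router1 kernel: TRACE: raw:PREROUTING:policy:2 IN=ens5 OUT= SRC=2.2.2.12 DST=1.1.1.11 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=36143 PROTO=ICMP TYPE=0 CODE=0 ID=2763 SEQ=1
Apr 05 13:25:47 router1 kernel: TRACE: filter:FORWARD:rule:5 IN=ens5 OUT=ens4 SRC=2.2.2.12 DST=1.1.1.11 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=36143 PROTO=ICMP TYPE=0 CODE=0 ID=2763 SEQ=1
"""

LINE_RE = re.compile(r"^\w{3} \d\d \d\d:\d\d:\d\d (?P<host>\S+) kernel: (?P<body>.*)$")
TRACE_RE = re.compile(r"^TRACE: (?P<table>\w+):(?P<chain>\w+):(?P<kind>\w+):(?P<num>\d+)$")
FIELD_RE = re.compile(r"(\w+)=(\S*)")      # KEY=value tokens; bare flags like DF are skipped


def parse_line(line):
    """Split one kernel log line into (prefix, fields); None if it is not a netfilter line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    body = m.group("body")
    start = body.find("IN=")
    if start < 0:
        return None
    # A --log-prefix without a trailing space fuses with IN= ("...ping logIN=ens4"),
    # so the prefix is simply everything before the first IN= token.
    prefix = body[:start].strip()
    fields = OrderedDict()
    for key, value in FIELD_RE.findall(body[start:]):
        fields.setdefault(key, value)      # first ID= is the IP header id, not the ICMP id
    return prefix, fields


def packet_paths(log):
    """Group lines by (SRC, DST, IP ID) and list the hops each packet took, in log order."""
    paths = OrderedDict()
    for line in log.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        prefix, f = parsed
        t = TRACE_RE.match(prefix)
        if t:
            hop = "{}:{}:{}:{}".format(t["table"], t["chain"], t["kind"], t["num"])
        else:
            hop = "LOG[{}] in={} out={}".format(prefix, f.get("IN") or "-", f.get("OUT") or "-")
        paths.setdefault((f["SRC"], f["DST"], f["ID"]), []).append(hop)
    return paths


def filter_rules_hit(hops):
    """Numbered filter-table rules a packet matched (a policy hit is not a rule)."""
    return [h for h in hops if h.startswith("filter:") and ":rule:" in h]


if __name__ == "__main__":
    for (src, dst, ipid), hops in packet_paths(SAMPLE_LOG).items():
        print(f"{src} -> {dst} (ip id {ipid})")
        for hop in hops:
            print("   ", hop)
```

Rule 4 (LOG) is non-terminating, so the request continues to rule 5 (ACCEPT); the reply only ever reaches rule 5.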
• 39. Before applying:
root@server2:~# scp test.img 1.1.1.11:
test.img                                      100%  100MB  92.8MB/s   00:01
root@server2:~#

After applying:
root@server2:~# scp test.img 1.1.1.11:
test.img                                       10%   11MB  93.7KB/s   16:14 ETA^

root@router1:~# tc qdisc add dev ens4 root handle 1: htb default 30
root@router1:~# tc class add dev ens4 parent 1: classid 1:1 htb rate 100kbps
root@router1:~# tc class add dev ens4 parent 1: classid 1:2 htb rate 100kbps
root@router1:~# tc filter add dev ens4 protocol ip parent 1:0 prio 1 u32 match ip dst 2.2.2.12/32 flowid 1:1
root@router1:~# tc filter add dev ens4 protocol ip parent 1:0 prio 1 u32 match ip dst 1.1.1.11/32 flowid 1:2

tc is the Traffic Control tool; qdisc is a queue discipline. "handle 1:" is the root qdisc's handle id, htb is the Hierarchical Token Bucket queue, and "default 30" means all unclassified traffic is assigned to class 1:30. "rate 100kbps" is 100 kilobytes per second. The filters apply the classes by source and destination IP.
• 40. root@router2:~# nft list ruleset -a
table inet filter {
	chain input {
		type filter hook input priority 0; policy accept;
	}
	chain forward {
		type filter hook forward priority 0; policy accept;
	}
	chain output {
		type filter hook output priority 0; policy accept;
	}
}

Install nftables:
root@router2:~# apt install nftables
root@router2:~# apt install iptables-nftables-compat

nft list ruleset shows every ruleset of nftables; the "-a" option shows the handle numbers. nftables was released in kernel 3.13 and has been gaining features ever since.
• 41. root@router2:~# ip -4 -o a
1: lo inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever
2: ens3 inet 10.2.1.13/24 brd 10.2.1.255 scope global ens3 valid_lft forever preferred_lft forever
3: ens4 inet 3.3.3.1/24 brd 3.3.3.255 scope global ens4 valid_lft forever preferred_lft forever
4: ens5 inet 4.4.4.1/24 brd 4.4.4.255 scope global ens5 valid_lft forever preferred_lft forever
root@router2:~# sysctl -w net.ipv4.conf.all.forwarding=1
net.ipv4.conf.all.forwarding = 1

router2 is created to route the 3.3.3.0/24 and 4.4.4.0/24 ranges.
• 42. root@server2:~# ip -4 -o a
1: lo inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever
2: ens3 inet 10.2.1.23/24 brd 10.2.1.255 scope global ens3 valid_lft forever preferred_lft forever
3: ens4 inet 2.2.2.12/24 brd 2.2.2.255 scope global ens4 valid_lft forever preferred_lft forever
4: ens5 inet 4.4.4.12/24 brd 4.4.4.255 scope global ens5 valid_lft forever preferred_lft forever
root@server2:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         2.2.2.1         0.0.0.0         UG    0      0        0 ens4
2.2.2.0         0.0.0.0         255.255.255.0   U     0      0        0 ens4
3.3.3.0         4.4.4.1         255.255.255.0   UG    0      0        0 ens5
4.4.4.0         0.0.0.0         255.255.255.0   U     0      0        0 ens5
10.2.1.0        0.0.0.0         255.255.255.0   U     0      0        0 ens3
root@server2:~#

root@server1:~# ip -4 -o a
1: lo inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever
2: ens3 inet 10.2.1.21/24 brd 10.2.1.255 scope global ens3 valid_lft forever preferred_lft forever
3: ens4 inet 1.1.1.11/24 brd 1.1.1.255 scope global ens4 valid_lft forever preferred_lft forever
4: ens5 inet 3.3.3.11/24 brd 3.3.3.255 scope global ens5 valid_lft forever preferred_lft forever
root@server1:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         1.1.1.1         0.0.0.0         UG    0      0        0 ens4
1.1.1.0         0.0.0.0         255.255.255.0   U     0      0        0 ens4
3.3.3.0         0.0.0.0         255.255.255.0   U     0      0        0 ens5
4.4.4.0         3.3.3.1         255.255.255.0   UG    0      0        0 ens5
10.2.1.0        0.0.0.0         255.255.255.0   U     0      0        0 ens3
root@server1:~# ping 4.4.4.12 -c 1 -w 1
PING 4.4.4.12 (4.4.4.12) 56(84) bytes of data.
64 bytes from 4.4.4.12: icmp_seq=1 ttl=63 time=0.948 ms
--- 4.4.4.12 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.948/0.948/0.948/0.000 ms

On server1 the 4.4.4.0 range is routed to router2; on server2 the 3.3.3.0 range is routed to router2. Communication from 3.3.3.11 to 4.4.4.12 is confirmed.
• 43. root@router2:~# nft insert rule inet filter forward ip protocol icmp meta nftrace set 1
root@router2:~# nft add rule inet filter forward ip protocol icmp ip saddr 4.4.4.12 reject
root@router2:~# nft list chain inet filter forward --handle
table inet filter {
	chain forward {
		type filter hook forward priority 0; policy accept;
		ip protocol icmp nftrace set 1 # handle 22
		ip protocol icmp ip saddr 4.4.4.12 reject # handle 12
	}
}

insert creates the rule at the very top; add creates the rule at the very bottom. For all icmp protocol traffic in the forward chain (the filter), nftrace is enabled (the action). Actions are applied from top to bottom; the handle number has nothing to do with the order.
• 44. root@router2:~# nft monitor
trace id 04dc34d9 inet filter forward packet: iif "ens4" oif "ens5" ether saddr 52:54:00:55:e8:8c ether daddr 52:54:00:ed:77:fb ip saddr 3.3.3.11 ip daddr 4.4.4.12 ip dscp cs0 ip ecn not-ect ip ttl 63 ip id 27291 ip length 84 icmp type echo-request icmp code 0 icmp id 4068 icmp sequence 1
trace id 04dc34d9 inet filter forward rule ip protocol icmp nftrace set 1 (verdict continue)
trace id 04dc34d9 inet filter forward verdict continue
trace id 04dc34d9 inet filter forward
trace id ac853b00 inet filter forward packet: iif "ens5" oif "ens4" ether saddr 52:54:00:8e:e0:a4 ether daddr 52:54:00:b5:38:63 ip saddr 4.4.4.12 ip daddr 3.3.3.11 ip dscp cs0 ip ecn not-ect ip ttl 63 ip id 61905 ip length 84 icmp type echo-reply icmp code 0 icmp id 4068 icmp sequence 1
trace id ac853b00 inet filter forward rule ip protocol icmp nftrace set 1 (verdict continue)
trace id ac853b00 inet filter forward rule ip protocol icmp ip saddr 4.4.4.12 reject (verdict drop)

root@server1:~# ping 4.4.4.12 -c 1 -w 1
PING 4.4.4.12 (4.4.4.12) 56(84) bytes of data.
--- 4.4.4.12 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

Ping from server1 to server2!! With "nft monitor", packets that have nftrace enabled can be traced: the icmp request passes, the icmp reply is rejected. The log is easier to read than the iptables TRACE output.
• 45. T. 02-516-0711  E. sales@osci.kr
32 Teheran-ro 83-gil, Gangnam-gu, Seoul, 5F (Samseong-dong, Narakium Samseong-dong A Building)
THANK YOU