這個問題其實不只是我想問的,也是一些其他人想問的。 我個人是從2016年開始因工作原因定居中國,然後生活至今,並且常穿梭於兩地之間。 個人來到中國以來,的確是意識到了一部分問題(例如政治,生活,言論方面需要注意的),但是關於這方面,個人也還想知道更多。
因此也懇請指點。
感謝大家啦 X )
@connectionviber
-
-
Linux伺服器「裝死」指南(適用於代理伺服器)
爲了在中國大陸正常上網,有很多人都搭建了自己的代理伺服器,可這隨之而來就產生了一種現象,那就是會經常 “被牆”。既然遲早都逃脫不了“被牆”的命運,那麼爲什麼我們不先人一步,讓伺服器“裝死”呢?沒錯,本文就來說說這點。
一句話說明白想要做的事情:用UDP翻牆,同時利用iptables做一些得當的設定,從而讓其產生“裝死”的效果。
UDP翻牆推薦:v2ray-core mkcp模式並設置seed 或者其他七層代理
iptables規則分享(如果使用的是centos,需要將相應的規則按實際需求修改後寫入相應的配置檔,如果是debian或者ubuntu,則需要安裝 iptables-persistent 這個 package 後,將配置檔寫入 /etc/iptables/rules.v4 或者rules.v6)
以下規則想要達到的是目的是:讓TCP完全無回應(白名單IP可訪問),讓UDP掃不出Port,讓ICMP沒回應(爲了防止連不上SSH,因此請將本機納入允許列表中或者直接通過VNC管理) 請務必按照實際需要另行按需修改!
IPv4:
*filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] #基於效能考慮把這兩條排在最前 -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT -A INPUT -i lo -j ACCEPT #允許的IP列表(請按照實際需要修改) -A INPUT -p tcp -s 173.245.48.0/20 -j ACCEPT -A INPUT -p tcp -s 103.21.244.0/22 -j ACCEPT -A INPUT -p tcp -s 103.22.200.0/22 -j ACCEPT -A INPUT -p tcp -s 103.31.4.0/22 -j ACCEPT -A INPUT -p tcp -s 141.101.64.0/18 -j ACCEPT -A INPUT -p tcp -s 108.162.192.0/18 -j ACCEPT -A INPUT -p tcp -s 190.93.240.0/20 -j ACCEPT -A INPUT -p tcp -s 188.114.96.0/20 -j ACCEPT -A INPUT -p tcp -s 197.234.240.0/22 -j ACCEPT -A INPUT -p tcp -s 198.41.128.0/17 -j ACCEPT -A INPUT -p tcp -s 162.158.0.0/15 -j ACCEPT -A INPUT -p tcp -s 104.16.0.0/13 -j ACCEPT -A INPUT -p tcp -s 104.24.0.0/14 -j ACCEPT -A INPUT -p tcp -s 172.64.0.0/13 -j ACCEPT -A INPUT -p tcp -s 131.0.72.0/22 -j ACCEPT #丟棄無效TCP數據(指白名單內的IP傳過來的) -A INPUT -m state --state INVALID -j DROP #丟棄不再白名單列表中的IP發來的TCP數據 -A INPUT -p tcp -j DROP #限制UDP翻牆所用的Port可接受的最大包大小(請按照實際情形修改,目的是爲了防止協議掃描) -A INPUT -p udp --dport 19001 -m length --length :1400 -j ACCEPT -A INPUT -p udp -j ACCEPT #不回應PING請求 -A INPUT -p icmp --icmp-type echo-request -j DROP -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT #強制特殊情形下的MTU自適應 -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu -A FORWARD -p udp -j ACCEPT -A FORWARD -m state --state INVALID -j DROP -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT -A OUTPUT -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu -A OUTPUT -p udp -j ACCEPT #防止對未Listen的TCP Port回應 refused 消息 -A OUTPUT -p tcp --tcp-flags ALL RST,ACK -j DROP -A OUTPUT -m state --state INVALID -j DROP #防止一般性Port Scan -A OUTPUT -p icmp --icmp-type port-unreachable -j DROP -A OUTPUT -p icmp --icmp-type host-unreachable -j DROP COMMITIPv6(部分內容與上述重複,因此不再做解釋):
*filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -p tcp -s 2400:cb00::/32 -j ACCEPT -A INPUT -p tcp -s 2606:4700::/32 -j ACCEPT -A INPUT -p tcp -s 2803:f800::/32 -j ACCEPT -A INPUT -p tcp -s 2405:b500::/32 -j ACCEPT -A INPUT -p tcp -s 2405:8100::/32 -j ACCEPT -A INPUT -p tcp -s 2a06:98c0::/29 -j ACCEPT -A INPUT -p tcp -s 2c0f:f248::/32 -j ACCEPT -A INPUT -m state --state INVALID -j DROP -A INPUT -p tcp -j DROP -A INPUT -p udp --dport 19001 -m length --length :1400 -j ACCEPT -A INPUT -p udp -j ACCEPT -A INPUT -p icmpv6 --icmpv6-type echo-request -j DROP -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu -A FORWARD -p udp -j ACCEPT -A FORWARD -m state --state INVALID -j DROP -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT -A OUTPUT -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu -A OUTPUT -p udp -j ACCEPT -A OUTPUT -p tcp --tcp-flags ALL RST,ACK -j DROP -A OUTPUT -m state --state INVALID -j DROP -A OUTPUT -p icmpv6 --icmpv6-type port-unreachable -j DROP COMMIT -
附一份經最佳化的用於網路代理伺服器的 sysctl.conf 設置檔
大家好,我是一位只看貼很久的網友了,從發現這個網站開始,像是打開了新世界的大門。真的非常感謝很多人慷慨的解答和分享。因此我也想希望能幫到各位,所以就分享一下一些自己的心得好了。
之前也看到很多人對於搭建代理伺服器這方面有許多的研究,但他們似乎都忽略了一個問題,那就是對作業系統本身的調優。因此我來分享一下自己在用的配置檔好了。我想也能幫助到有需要的人節省時間。(用了兩年時間測試,如果可以正確使用,能獲得很大的效能提升) 如果之前沒有專門修改過的話,可以直接Copy過去用。
適用平臺: KVM虛擬伺服器 物理伺服器 面向的硬體配置級別: 單核心 1GiB RAM或以下 適用的發行版:Debian Centos Ubuntu 適用的Kernel版本: 5.1以上
kernel.sysrq = 0 kernel.panic = 0 kernel.watchdog = 0 net.core.default_qdisc = cake net.core.netdev_max_backlog = 4096 net.core.rmem_max = 4000000 net.core.rmem_default = 4000000 net.core.wmem_max = 4000000 net.core.wmem_default = 4000000 net.core.somaxconn = 1048576 net.core.optmem_max = 40960 net.core.netdev_budget = 400 net.ipv4.tcp_congestion_control = bbr net.ipv4.tcp_keepalive_time = 600 net.ipv4.tcp_keepalive_intvl = 300 net.ipv4.tcp_keepalive_probes = 2 net.ipv4.tcp_syncookies = 1 net.ipv4.tcp_sack = 1 net.ipv4.tcp_comp_sack_nr = 0 net.ipv4.ip_no_pmtu_disc = 0 net.ipv4.tcp_mtu_probing = 1 net.ipv4.tcp_base_mss = 1024 net.ipv4.tcp_ecn = 1 net.ipv4.tcp_ecn_fallback = 1 net.ipv4.tcp_max_syn_backlog = 4096 net.ipv4.tcp_fastopen = 0 net.ipv4.tcp_timestamps = 0 net.ipv4.tcp_tw_reuse = 2 net.ipv4.tcp_syn_retries = 3 net.ipv4.tcp_synack_retries = 3 net.ipv4.tcp_retries1 = 3 net.ipv4.tcp_retries2 = 3 net.ipv4.tcp_fin_timeout = 3 net.ipv4.tcp_max_tw_buckets = 32768 net.ipv4.ip_default_ttl = 255 net.ipv4.tcp_window_scaling = 1 net.ipv4.conf.all.rp_filter = 2 net.ipv4.conf.default.rp_filter = 2 net.ipv4.tcp_low_latency = 1 net.ipv4.ip_forward = 1 net.ipv4.ip_early_demux = 0 net.ipv4.tcp_no_metrics_save = 1 net.ipv4.tcp_orphan_retries = 2 net.ipv4.tcp_min_tso_segs = 2 net.ipv4.tcp_tso_win_divisor = 2 net.ipv4.tcp_moderate_rcvbuf = 1 net.ipv4.tcp_adv_win_scale = 2 net.ipv4.tcp_slow_start_after_idle = 0 net.ipv4.tcp_comp_sack_delay_ns = 1000000 net.ipv4.tcp_rfc1337 = 1 net.ipv4.tcp_early_demux = 0 net.ipv4.udp_early_demux = 0 net.ipv4.tcp_recovery = 1 net.ipv4.tcp_frto = 2 net.ipv4.tcp_min_rtt_wlen = 30 net.ipv4.tcp_reordering = 12 net.ipv4.tcp_max_reordering = 500 net.ipv4.ipfrag_time = 60 net.ipv4.ping_group_range= 0 10 net.ipv4.route.min_adv_mss = 1024 net.ipv4.route.gc_interval = 30 net.ipv4.route.gc_min_interval = 0 net.ipv4.route.gc_min_interval_ms = 200 net.ipv4.route.gc_thresh = -1 net.ipv4.route.gc_timeout = 200 net.ipv4.tcp_invalid_ratelimit = 100 net.ipv4.tcp_min_snd_mss = 48 net.ipv4.tcp_notsent_lowat = 16384 net.ipv4.tcp_thin_linear_timeouts = 1 net.ipv6.conf.all.forwarding = 1 net.ipv6.conf.all.accept_ra = 2 net.ipv6.conf.all.proxy_ndp = 1 net.ipv6.conf.all.hop_limit = 128 net.ipv6.conf.default.hop_limit = 128 net.ipv6.route.min_adv_mss = 1024 net.ipv6.route.mtu_expires = 600 net.ipv6.ip6frag_time = 60 net.ipv6.route.gc_interval = 30 net.ipv6.route.gc_min_interval = 0 net.ipv6.route.gc_min_interval_ms = 200 net.ipv6.route.gc_thresh = -1 net.ipv6.route.gc_timeout = 200 vm.swappiness = 100 vm.vfs_cache_pressure = 200 vm.dirty_writeback_centisecs = 500 vm.dirty_expire_centisecs = 1000 vm.dirty_ratio = 4 vm.dirty_background_ratio = 2 vm.min_free_kbytes = 150000 vm.max_map_count = 262144 vm.page-cluster = 4 vm.zone_reclaim_mode = 2 vm.dirtytime_expire_seconds = 21600 vm.overcommit_memory = 0 vm.overcommit_ratio = 25 vm.extfrag_threshold = 10 vm.memory_failure_early_kill = 1 fs.aio-max-nr = 1048576 fs.lease-break-time = 10 net.nf_conntrack_max = 1048576 net.netfilter.nf_conntrack_buckets = 32768 net.netfilter.nf_conntrack_tcp_timeout_established = 1800 net.netfilter.nf_conntrack_sctp_timeout_established = 1800 net.netfilter.nf_conntrack_dccp_timeout_open = 1800 net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 30 net.netfilter.nf_conntrack_tcp_timeout_max_retrans = 15 net.netfilter.nf_conntrack_frag6_low_thresh = 196608 net.netfilter.nf_conntrack_tcp_timeout_syn_sent = 30