Linux performance optimization (6)-network configuration tool

I. ifconfig

1. Introduction to ifconfig

ifconfig can display the configuration of a network interface and can also modify it. Configuration made with the ifconfig command is not persistent: it is lost when the network card or the machine is restarted.

2. Ifconfig command

ifconfig [-v] [-a] [-s] [interface]
ifconfig [-v] interface [aftype] options | address

up: Start the specified network device/network card.
down: Turn off the specified network device/network card. This parameter effectively blocks the IP traffic passing through the specified interface. To close an interface permanently, the routing entries of the interface also have to be deleted from the kernel routing table.
[-]arp: Enable or disable ARP protocol support on the specified network card.
[-]promisc: Enable or disable promiscuous mode on the network card; in promiscuous mode the network card receives all packets on the network, not only those addressed to it.
[-]allmulti: Enable or disable all-multicast mode; in this mode the network card receives all multicast packets on the network.
-a: Display information about all interfaces.
-s: Display summary information (similar to netstat -i).
add: Configure an IPv6 address for the specified network card.
del: Delete an IPv6 address of the specified network card.
mtu n: Set the maximum transmission unit of the network card (in bytes).
netmask xxx: Set the subnet mask of the network card. The mask can be a 32-bit hexadecimal number prefixed with 0x, or four decimal numbers separated by dots. If you do not plan to divide the network into subnets, you can ignore this option; if you do use subnets, remember that every system in the network must have the same subnet mask.
tunnel: Establish a tunnel.
dstaddr: Set the remote address for point-to-point communication.
[-]broadcast address: Set (or clear) the broadcast address of the network card.
[-]pointtopoint address: Set (or clear) point-to-point mode and the peer address of the network card.
multicast: Set the multicast flag of the network card.
address: Set the IPv4 address of the network card.
txqueuelen length: Set the length of the transmit queue of the network card.

3. Common commands of ifconfig

ifconfig
Display active network card information
ifconfig -a
Display all network card information
ifconfig eth0 192.168.1.100
Configure the IP address of the network card eth0
ifconfig eth0 192.168.1.100 netmask 255.255.255.0
Configure the IP address and subnet mask of the network card eth0

ifconfig eth0:0 192.168.1.100 netmask 255.255.255.0 up
ifconfig eth0:1 192.168.2.100 netmask 255.255.255.0 up

Add multiple IP addresses to the network card eth0 (as the alias interfaces eth0:0 and eth0:1)
ifconfig eth0 del 192.168.1.100
Delete the IP address of the network card eth0
ifconfig eth0 hw ether 00:AA:BB:CC:DD:EE
Modify the MAC address of the network card eth0
ifconfig eth0 up
Start the network card eth0
ifconfig eth0 down
Turn off the network card eth0
ifconfig eth0 reload
Restart the network card eth0
ifconfig eth0 arp
Enable ARP on the network card eth0
ifconfig eth0 -arp
Disable ARP on the network card eth0
ifconfig eth0 mtu 1500
Set the MTU value of the network card eth0
ifconfig eth0 allmulti
Enable all-multicast mode on the network card eth0
ifconfig eth0 -allmulti
Disable all-multicast mode on the network card eth0

II. ethtool

1. Introduction to ethtool

ethtool is a diagnostic and tuning tool for Linux network drivers. It can obtain information about network devices, including link status, driver version, PCI bus location, etc. Its functions are as follows:
(1) Obtain identification and diagnostic information
(2) Obtain extended device statistics
(3) Control the speed, duplex, auto-negotiation and flow control of the Ethernet device
(4) Control checksum offload and other hardware offload functions
(5) Control DMA ring sizes and interrupt handling
(6) Control receive queue selection on multi-queue devices
(7) Upgrade the firmware in flash memory
ethtool needs root privileges to execute.

2. The ethtool command

ethtool [ -a | -c | -g | -i | -d | -k | -r | -S |] ethX
ethtool [-A] ethX [autoneg on|off] [rx on|off] [tx on|off]
ethtool [-C] ethX [adaptive-rx on|off] [adaptive-tx on|off] [rx-usecs N] [rx-frames N] [rx-usecs-irq N] [rx-frames-irq N] [tx-usecs N] [tx-frames N] [tx-usecs-irq N] [tx-frames-irq N] [stats-block-usecs N] [pkt-rate-low N] [rx-usecs-low N] [rx-frames-low N] [tx-usecs-low N] [tx-frames-low N] [pkt-rate-high N] [rx-usecs-high N] [rx-frames-high N] [tx-usecs-high N] [tx-frames-high N] [sample-interval N]
ethtool [-G] ethX [rx N] [rx-mini N] [rx-jumbo N] [tx N]
ethtool [-e] ethX [raw on|off] [offset N] [length N]
ethtool [-E] ethX [magic N] [offset N] [value N]
ethtool [-K] ethX [rx on|off] [tx on|off] [sg on|off] [tso on|off]
ethtool [-p] ethX [N]
ethtool [-t] ethX [offline|online]
ethtool [-s] ethX [speed 10|100|1000] [duplex half|full] [autoneg on|off] [port tp|aui|bnc|mii] [phyad N] [xcvr internal|external]
[wol p|u|m|b|a|g|s|d...] [sopass xx:yy:zz:aa:bb:cc] [msglvl N]

-a: Show the pause (flow control) parameters of the network card: whether RX, TX and auto-negotiation are on or off.
-A: Modify the pause (flow control) parameters of the network card: RX, TX and auto-negotiation on or off.
-c: Show the interrupt coalescing settings of the network card.
-C: Modify the interrupt coalescing settings of the network card.
-g: Show the RX/TX ring parameters of the network card.
-G: Modify the RX/TX ring settings of the network card.
-i: Show network card driver information, such as the driver name and version.
-d: Show a register dump; some network card drivers do not support it.
-e: Show an EEPROM dump; some network card drivers do not support it.
-E: Modify bytes of the network card EEPROM.
-k: Show the offload parameters of the network card (on or off), including rx-checksumming, tx-checksumming, etc.
-K: Modify the offload parameters of the network card.
-p: Identify the physical network card that corresponds to a given ethX; the usual method is to make the LED on the network card port blink. N is the blink duration in seconds.
-r: If auto-negotiation is on, restart auto-negotiation.
-S: Show NIC- and driver-specific statistics, such as the number of bytes received/sent, the number of broadcast packets received/sent, etc.
-t: Run the network card self-test; there are two modes, offline and online.
-s: Modify part of the configuration of the network card, including speed, half/full duplex mode, MAC address, etc.

3. Offload option

rx-checksumming: off|on
Hardware checksum calculation on the receiving side; if it can be set to on, the network card supports it.
tx-checksumming: off|on
Hardware checksum calculation on the sending side; if it can be set to on, the network card supports it.
scatter-gather: off|on
Scatter-gather is one of the prerequisites for a network card to support TSO.
tcp-segmentation-offload: off|on
TSO is a technique that has the network card segment TCP data in order to reduce the load on the CPU. It is also called LSO (Large Segment Offload). TSO is for TCP, UFO is for UDP. For the hardware to support TSO, it must also support TCP checksum calculation and scatter-gather.
On a network card that does not support TSO, the TCP layer takes the MSS into account when passing data down to the IP layer, so that the data handed down by TCP fits in one IP packet without fragmentation. The MSS is derived from the MTU of the network card when the TCP connection is established and is negotiated with the peer, so on a network card with MTU=1500 the data handed down by TCP will not exceed min(mss_local, mss_remote) - IP header - TCP header.
When the network card supports TSO, the TCP layer gradually increases the MSS it uses (always in integer multiples). When the TCP layer sends a large block of data downwards, only one TCP header is computed; after receiving the large packet from the IP layer, the network card itself splits it into several IP packets, adds the IP headers, copies the TCP header, recalculates the checksums and related fields, and so takes over part of the processing work from the CPU.
udp-fragmentation-offload: off|on
UFO is a TSO-like technique provided by the network card for UDP.
generic-segmentation-offload: on
GSO delays segmentation as long as possible, until the data reaches the network card driver. At that point it checks whether the network card supports segmentation (TSO, UFO); if it does, the data is sent directly to the network card, otherwise it is segmented in software and then sent to the network card. In this way a large packet only passes through the protocol stack once instead of being split into several packets that each traverse it separately, which improves efficiency. Command: ethtool -K eth0 gso on | off
large-receive-offload: off
LRO aggregates multiple received TCP segments into one large packet before passing it to the network protocol stack, which reduces the processing overhead of the upper layers and improves the system's ability to receive TCP packets.
generic-receive-offload: on
GRO follows the same basic idea as LRO but overcomes some of LRO's shortcomings and is more general. Newer drivers all use the GRO interface instead of LRO.
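
As an added example (not part of the original post), the following shell functions parse the plain "feature: on|off [fixed]" text that ethtool -k prints and check the dependency stated above: TSO switched on only makes sense when tx-checksumming and scatter-gather are on as well. The sample output is constructed and does not come from a real network card.

```shell
#!/bin/sh
# Added example (not from the original post): audit "ethtool -k" output for the
# TSO prerequisites described in the text. Input is the text ethtool -k prints.

offload_state() {
    # $1 = feature name, stdin = ethtool -k output; prints on/off or "unknown".
    # Sub-features in real output are indented, so $1 only matches top-level keys.
    awk -v f="$1:" '$1 == f { print $2; found = 1 } END { if (!found) print "unknown" }'
}

check_tso_prereqs() {
    # Reads ethtool -k output from stdin. Returns 0 when the offload combination
    # is consistent, 1 when TSO is on without its prerequisites; explains why.
    input=$(cat)
    tso=$(printf '%s\n' "$input" | offload_state tcp-segmentation-offload)
    sg=$(printf '%s\n' "$input" | offload_state scatter-gather)
    txcsum=$(printf '%s\n' "$input" | offload_state tx-checksumming)
    if [ "$tso" != on ]; then
        echo "tso=$tso: nothing to check"
        return 0
    fi
    if [ "$sg" = on ] && [ "$txcsum" = on ]; then
        echo "tso on with scatter-gather=$sg tx-checksumming=$txcsum: consistent"
        return 0
    fi
    echo "tso on but scatter-gather=$sg tx-checksumming=$txcsum: inconsistent"
    return 1
}

# Constructed sample resembling "ethtool -k eth0" output with TSO enabled.
SAMPLE_OK='rx-checksumming: on
tx-checksumming: on
scatter-gather: on
tcp-segmentation-offload: on
udp-fragmentation-offload: off [fixed]
generic-segmentation-offload: on
large-receive-offload: off [fixed]
generic-receive-offload: on'

# The same constructed sample with scatter-gather switched off.
SAMPLE_BAD=$(printf '%s\n' "$SAMPLE_OK" | sed 's/^scatter-gather: on/scatter-gather: off/')
```

On a live system the same check runs as `ethtool -k eth0 | check_tso_prereqs`.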

4. Common commands of ethtool

ethtool ethX
Query the basic settings of the ethX network port
ethtool -i ethX
Query the driver information of the ethX network port
ethtool -d ethX
Query the register information of the ethX network port
ethtool -r ethX
Reset the ethX network port to auto-negotiation mode
ethtool -S ethX
Query the receive and transmit packet statistics of the ethX network port
ethtool -s ethX [speed 10|100|1000] [duplex half|full] [autoneg on|off] [port tp|aui|bnc|mii]
Set the network port speed (10/100/1000M), half/full duplex, auto-negotiation on/off, and port type
ethtool -K eth0 tso on | off
Enable or disable the TSO feature

III. ip

1. Introduction to ip

ip is a powerful network configuration tool of the iproute2 software package, used to display or manipulate routes, network devices, policy routing and tunnels.

2. ip command

ip [OPTIONS] OBJECT COMMAND | help
(1) OBJECT subcommands
link: network device
address: protocol (IP or IPv6) address
addrlabel: label configuration for protocol address selection
neighbor: ARP or NDISC cache entry
route: routing table entry
rule: rule in the routing policy database
maddress: multicast address
mroute: multicast routing cache entry
tunnel: IP tunnel
xfrm: IPsec protocol framework
(2) OPTIONS
-V, -Version: display command version information
-s, -stats, -statistics: output detailed information
-h, -human, -human-readable: output statistics in human-readable form with suffixes
-iec: print human-readable rates in IEC units (for example, 1K=1024)
-f, -family FAMILY: specify the protocol family: inet, inet6, ipx, dnet, link.
-4: use the IPv4 protocol
-6: use the IPv6 protocol
-0: link layer
-o, -oneline: output each record on one line, replacing newline characters with the '\' character.
-r, -resolve: use the system name resolver to print DNS names instead of host addresses.

3. Common commands for ip

ip link show
Display network interface information
ip link set eth0 up
Turn on the network card
ip link set eth0 down
Turn off the network card
ip link set eth0 promisc on
Turn on promiscuous mode of the network card
ip link set eth0 promisc off
Turn off promiscuous mode of the network card
ip link set eth0 txqueuelen 1200
Set the transmit queue length of the network card
ip link set eth0 mtu 1400
Set the maximum transmission unit of the network card
ip addr show
Display the IP information of the network cards
ip addr add 192.168.0.1/24 dev eth0
Set the IP address 192.168.0.1 on the network card eth0
ip addr del 192.168.0.1/24 dev eth0
Delete the IP address of the network card eth0
ip route show
Display the system routing table
ip route add default via 192.168.1.254
Set the system default route
ip route list
View routing information
ip route add 192.168.4.0/24 via 192.168.0.254 dev eth0
Set the gateway for the 192.168.4.0 network segment to 192.168.0.254
ip route add default via 192.168.0.254 dev eth0
Set the default gateway of the eth0 interface to 192.168.0.254
ip route del 192.168.4.0/24
Delete the route for the 192.168.4.0 network segment
ip route del default
Delete the default route
ip route delete 192.168.1.0/24 dev eth0
Delete the route

IV. iptables

1. Introduction to iptables

iptables is an excellent and completely free packet-filtering firewall tool that comes with Unix and Linux systems. It is very powerful and flexible to use, and can finely control the packets flowing into, out of and through the server.
iptables is integrated in the Linux 2.4 and 2.6 kernels and works on layers 2, 3 and 4 of the OSI model.

2. iptables transmits data packets

(1) When a packet enters the network card, it first enters the PREROUTING chain, and the kernel decides according to the destination IP of the packet whether it needs to be forwarded.
(2) If the packet is destined for this machine, it reaches the INPUT chain; after passing the INPUT chain it is delivered to the local process. Packets sent by programs running on this machine pass through the OUTPUT chain and then the POSTROUTING chain before being output.
(3) If the packet needs to be forwarded and the kernel allows forwarding, the packet passes through the FORWARD chain and then the POSTROUTING chain before being output.

3. iptables rule table

iptables has four built-in tables, filter, nat, mangle and raw, which are used respectively for packet filtering, network address translation, packet modification and data tracking.
A chain is the path along which packets are processed. Each chain is a checklist of rules, and a chain can hold several rules. When a packet arrives at a chain, iptables checks it against the rules starting from the first one to see whether the packet matches the conditions defined by the rule. If it matches, the packet is handled as the rule specifies; otherwise iptables continues with the next rule. If the packet matches no rule in the chain, iptables handles it according to the default policy defined for the chain.

4. iptables rule chain

INPUT: The rules in the INPUT chain are applied to packets entering the firewall.
OUTPUT: The rules in the OUTPUT chain are applied to packets leaving the firewall.
FORWARD: The rules in the FORWARD chain are applied to packets being forwarded.
PREROUTING: The rules in the PREROUTING chain are applied to packets before routing.
POSTROUTING: The rules in the POSTROUTING chain are applied to packets after routing.

5. iptables command

iptables [-t table] {-A|-C|-D} chain rule-specification
ip6tables [-t table] {-A|-C|-D} chain rule-specification
iptables [-t table] -I chain [rulenum] rule-specification
iptables [-t table] -R chain rulenum rule-specification
iptables [-t table] -D chain rulenum
iptables [-t table] -S [chain [rulenum]]
iptables [-t table] {-F|-L|-Z} [chain [rulenum]] [options...]
iptables [-t table] -N chain
iptables [-t table] -X [chain]
iptables [-t table] -P chain target
iptables [-t table] -E old-chain-name new-chain-name

-h: get help (help)
-A: append a new rule at the end of the specified chain (append)
-D: delete a rule from the specified chain, either by rule number or by content (delete)
-I: insert a new rule into the specified chain, by default at the first position (insert)
-R: replace a rule in the specified chain, either by rule number or by content (replace)
-L: list all rules of the specified chain (list)
-E: rename a user-defined chain without changing the chain itself (rename)
-F: flush all rules of the chain (flush)
-N: create a user-defined chain (new)
-X: delete a user-defined chain in the specified table (delete-chain)
-P: set the default policy of the specified chain (policy)
-Z: zero the byte and packet counters of all chains in all tables (zero)
-n: display output in numeric format (numeric)
-v: display detailed information about the rules (verbose)
-V: show the version (version)

6. Common commands of iptables

iptables -D INPUT 1
Delete the first rule of the INPUT chain
iptables -I INPUT -p icmp -j REJECT
Reject ICMP packets entering the firewall
iptables -A FORWARD -p ! icmp -j ACCEPT
Allow the firewall to forward all packets except ICMP
iptables -A FORWARD -s 192.168.1.11 -j REJECT
Refuse to forward packets from the host 192.168.1.11
iptables -A FORWARD -s 192.168.0.0/24 -j ACCEPT
Forward packets from the 192.168.0.0/24 network segment

iptables -A INPUT -i eth1 -s 192.168.0.0/16 -j DROP 
iptables -A INPUT -i eth1 -s 172.16.0.0/12 -j DROP 
iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j DROP

Drop packets entering the firewall from the eth1 network card whose source IP address is a private address

iptables -A INPUT -p tcp --dport 22 -s 202.13.0.0/16 -j ACCEPT 
iptables -A INPUT -p tcp --dport 22 -j DROP

Allow SSH login only from the 202.13.0.0/16 network segment; SSH packets from anywhere else are dropped

iptables -A INPUT -p tcp --dport 20:1024 -j ACCEPT 
iptables -A OUTPUT -p tcp --sport 20:1024 -j ACCEPT

Open TCP ports 20-1024 to provide application services

iptables -I INPUT -p icmp --icmp-type Echo-Request -j DROP 
iptables -I INPUT -p icmp --icmp-type Echo-Reply -j ACCEPT 
iptables -I INPUT -p icmp --icmp-type destination-Unreachable -j ACCEPT

Prohibit other hosts from pinging the firewall host, while still allowing the firewall host to ping other hosts.
service iptables save
Save the firewall configuration to /etc/sysconfig/iptables.
iptables -F
Clear all rule chains in the filter table.
iptables -X
Delete user-defined chains in the filter table.
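
The following script is an added example, not part of the original post: it assembles the rules discussed above into one ordered, default-deny INPUT policy, which matters because iptables stops at the first matching rule. The WAN interface name, the management network and the preview mechanism (IPT set to "echo iptables") are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): an ordered, default-deny host
# firewall built from the rules discussed above. WAN_IF and MGMT_NET are
# assumed values; set IPT to "echo iptables" to preview without applying.
IPT="${IPT:-iptables}"
WAN_IF="${WAN_IF:-eth1}"
MGMT_NET="${MGMT_NET:-202.13.0.0/16}"

apply_rules() {
    # Clean the filter table, then deny by default: the rule order below
    # decides what is let through, and anything unmatched hits the DROP policy.
    $IPT -F
    $IPT -X
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Loopback, and replies to connections this host opened itself
    # (this also covers the echo replies to pings sent from the firewall).
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Anti-spoofing: private source addresses must not arrive on the WAN side.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        $IPT -A INPUT -i "$WAN_IF" -s "$net" -j DROP
    done

    # SSH only from the management network. The ACCEPT must precede the DROP:
    # iptables acts on the first rule that matches.
    $IPT -A INPUT -p tcp --dport 22 -s "$MGMT_NET" -j ACCEPT
    $IPT -A INPUT -p tcp --dport 22 -j DROP

    # Keep path-MTU discovery working while not answering ping from outside.
    $IPT -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type echo-request -j DROP
}

# "sh firewall.sh preview" prints the rules; "sh firewall.sh apply" installs them.
case "${1:-}" in
    apply)   apply_rules ;;
    preview) IPT="echo iptables"; apply_rules ;;
esac
```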


Origin blog.51cto.com/9291927/2594095