由 lijinshi112 在 09-18-2003 10:48 发表:
iptables overflow
我单位有近100个终端,通过redhat linux 8 iptables+squid上网,最近经常出现以下消息:
NET:1XXX suppressed.
Neighbour table overflow.
请教各位究竟是什么问题?QQQ!!!
由 lijinshi112 在 09-18-2003 11:11 发表:
**and my eth0 & iptables.conf **
[root@proxy0 root]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 172.16.0.0/16 anywhere
ACCEPT all -- 172.17.0.0/16 anywhere
ACCEPT all -- 172.18.0.0/16 anywhere
ACCEPT all -- 172.19.0.0/16 anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@proxy0 root]# ifconfig -a
eth0 Link encap:Ethernet HWaddr 00:E0:18:BE:0B:84
inet addr:10.10.40.6 Bcast:10.10.40.7 Mask:255.255.255.252
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:980287 errors:0 dropped:0 overruns:0 frame:0
TX packets:2095936 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:431959448 (411.9 Mb) TX bytes:490654896 (467.9 Mb)
Interrupt:9 Base address:0xb000
eth1 Link encap:Ethernet HWaddr 00:50:FC:3C:9A:96
inet addr:172.19.255.254 Bcast:172.19.255.255 Mask:255.255.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:747530 errors:0 dropped:0 overruns:0 frame:0
TX packets:98659 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:73436660 (70.0 Mb) TX bytes:21136482 (20.1 Mb)
Interrupt:9 Base address:0xe000
eth1:0 Link encap:Ethernet HWaddr 00:50:FC:3C:9A:96
inet addr:172.18.255.254 Bcast:172.18.255.255 Mask:255.255.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:9 Base address:0xe000
eth2 Link encap:Ethernet HWaddr 00:00:E8:4D:25:91
inet addr:172.16.255.254 Bcast:172.16.255.255 Mask:255.255.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2346301 errors:0 dropped:0 overruns:0 frame:0
TX packets:724719 errors:6 dropped:0 overruns:0 carrier:4
collisions:0 txqueuelen:100
RX bytes:498869731 (475.7 Mb) TX bytes:397131865 (378.7 Mb)
Interrupt:9 Base address:0xc000
eth2:0 Link encap:Ethernet HWaddr 00:00:E8:4D:25:91
inet addr:172.17.255.254 Bcast:172.17.255.255 Mask:255.255.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:9 Base address:0xc000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:22112 errors:0 dropped:0 overruns:0 frame:0
TX packets:22112 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1774090 (1.6 Mb) TX bytes:1774090 (1.6 Mb)
[root@proxy0 sysconfig]# cat iptables
Generated by iptables-save v1.2.6a on Thu Jul 10 10:53:02 2003
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 172.16.0.0/255.255.0.0 -o eth0 -j SNAT --to-source 10.10.40.6
-A POSTROUTING -s 172.17.0.0/255.255.0.0 -o eth0 -j SNAT --to-source 10.10.40.6
-A POSTROUTING -s 172.18.0.0/255.255.0.0 -o eth0 -j SNAT --to-source 10.10.40.6
-A POSTROUTING -s 172.19.0.0/255.255.0.0 -o eth0 -j SNAT --to-source 10.10.40.6
COMMIT
Completed on Thu Jul 10 10:53:02 2003
Generated by iptables-save v1.2.6a on Thu Jul 10 10:53:02 2003
*mangle
:PREROUTING ACCEPT [1143:105011]
:INPUT ACCEPT [1143:105011]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1161:106319]
:POSTROUTING ACCEPT [1161:106319]
COMMIT
Completed on Thu Jul 10 10:53:02 2003
Generated by iptables-save v1.2.6a on Thu Jul 10 10:53:02 2003
*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -s 172.16.0.0/255.255.0.0 -j ACCEPT
-A FORWARD -s 172.17.0.0/255.255.0.0 -j ACCEPT
-A FORWARD -s 172.18.0.0/255.255.0.0 -j ACCEPT
-A FORWARD -s 172.19.0.0/255.255.0.0 -j ACCEPT
COMMIT
Completed on Thu Jul 10 10:53:02 2003
由 dragondk 在 09-18-2003 15:50 发表:
你的netmask太大了,你只有100台机器,用24位的netmask就可以的,否则不正常的arp会造成overflow的。我在 www.linuxaid.com.cn 有具体的回答,解决的方法就是使用ip/24,重新设置你的网络。
由 lijinshi112 在 09-18-2003 20:12 发表:
QQQ
QQQ!!!
由 cx6445 在 09-19-2003 16:31 发表:
怎么会和netmask有关系,我更大的netmask用着还没事呢
由 dragondk 在 09-19-2003 20:18 发表:
Neighbour table overflow 在正常情况下是指arp buffer overflow.arp buffer中只会缓存与接口在同一网络的mac地址, 当你的netmask不适当时,由于错误的软件或攻击会造成arp buffer中有很多未能正确解悉的地址,造成overflow.比如在双网卡的网关上,一个ip 10.0.0.1/16 一个 192.168.0.1/24.当192.168.0.x要求访问10.0.0.2-10.0.254.254的机器时,你应该可以想像有多少mac地址要缓存.如果一个攻击足够快的话,它肯定会使arp buffer overflow.你说呢.
另外不是