From ab0daa567cb0717109f12a628ab6321df6d707a3 Mon Sep 17 00:00:00 2001 From: iBug Date: Fri, 20 Sep 2024 02:45:58 +0800 Subject: [PATCH] gw-jp: Add sysctl net.nf_conntrack_max --- docs/services/gateway-jp.md | 18 +++++++++++++++++- docs/services/gateway-nic.md | 4 ++-- 2 files changed, 19 insertions(+), 3 deletions(-) diff --git a/docs/services/gateway-jp.md b/docs/services/gateway-jp.md index 274683b0..25d7bb70 100644 --- a/docs/services/gateway-jp.md +++ b/docs/services/gateway-jp.md @@ -2,8 +2,24 @@ !!! info "This page is currently a stub." -## iptables +## Network configuration + +### iptables See [Gateway NIC](gateway-nic.md#iptables) Blacklists are also managed with `ipset`, see `/root/iptables`. + +### sysctl + +When first applying iptables rules, we experienced severe performance degradation. Dmesg was flooded with messages like this: + +```text +nf_conntrack: nf_conntrack: table full, dropping packet +``` + +So we increased this sysctl setting: + +```shell title="/etc/sysctl.d/00-ustclug.conf" +net.nf_conntrack_max = 262144 +``` diff --git a/docs/services/gateway-nic.md b/docs/services/gateway-nic.md index 9aa7a916..6b539778 100644 --- a/docs/services/gateway-nic.md +++ b/docs/services/gateway-nic.md 
@@ -307,7 +307,7 @@ PartOf=netfilter-persistent.service ### ustclug.org issue {#unregistered-domain-traffic} -To mitigate the issue of the complaints from ISPs and the regulation authorities caused by the gateways in USTCnet responding to the requests for `ustclug.org`, which is a unregistered domain in China MIIT, we make nginx listen on an alternative port 81/444 for HTTP and HTTPS respectively, to response to the requests for `lug.ustc.edu.cn` only, and rejecting the handshake for any other domain. +To mitigate the issue of the complaints from ISPs and the regulation authorities caused by the gateways in USTCnet responding to the requests for `ustclug.org`, which is a unregistered domain in China MIIT, we make nginx listen on an alternative port 81/444 for HTTP and HTTPS respectively, to respond to requests for `lug.ustc.edu.cn` only, and rejecting the handshake for any other domain. ``` title="/etc/nginx/sites-available/default" server { @@ -331,4 +331,4 @@ We use iptables to redirect any traffic from outside USTCnet whose destination i -A NGINX-REDIRECT -m set --match-set ustcnet src -j RETURN -A NGINX-REDIRECT -p tcp --dport 80 -j REDIRECT --to-port 81 -A NGINX-REDIRECT -p tcp --dport 443 -j REDIRECT --to-port 444 -``` \ No newline at end of file +```
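Review bot: in the gateway-jp.md hunk, the new "sysctl" section states the raised `net.nf_conntrack_max` value but not the value it replaced or how the table's fill level is checked, so a reader cannot tell whether 262144 leaves headroom; consider noting the previous value and a quick check such as comparing `sysctl net.netfilter.nf_conntrack_count` with `net.netfilter.nf_conntrack_max`, and mention that the hash bucket count (`net.netfilter.nf_conntrack_buckets`) normally scales with the maximum, since a larger table with the same number of buckets lengthens the hash chains and each extra entry consumes unswappable kernel memory. Also, `net.nf_conntrack_max` is the legacy key; `net.netfilter.nf_conntrack_max` is the current name and is worth using in a file that documents the configuration. Minor: the fence is tagged `shell title="/etc/sysctl.d/00-ustclug.conf"` for what is a key/value sysctl file; `text` or `ini` renders the same and does not suggest the line is a command to type.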
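Review bot: the gateway-nic.md `@@ -307,7` hunk fixes "to response to the requests" but leaves the rest of the sentence's grammar as it was; while touching the line, "which is a unregistered domain" should read "which is an unregistered domain" and "and rejecting the handshake" should read "and reject the handshake" to match "to respond".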