CentOS system initialization

Source: Internet
Author: User
Tags: inif, network, function
Common environment variables

Add a working-directory alias to root's .bashrc and reload it so the configuration takes effect:

```bash
vi ~/.bashrc
# add the alias:
alias worksrc='cd /usr/local/src; ls'
# make the configuration take effect:
source ~/.bashrc
```

Pre-install common server software with yum

```bash
# vim      Linux editor
# wget     tool for downloading files from the network; supports HTTP, HTTPS and FTP
# crontab  cron is a resident service that provides a timer: it runs preset commands or programs at
#          given times, and you only have to edit the timer configuration file to use it
# mlocate  fast file search based on a database; run updatedb to refresh the database
# ntp      time synchronization service component
# lrzsz    sz/rz toolkit for file transfer from SecureCRT
yum -y install vim wget gcc make crontabs mlocate ntp lrzsz gcc-c++ autoconf;
#
# sysstat: a package of tools for monitoring system performance and efficiency. They collect
#          performance data such as CPU usage, disk and network throughput; analysing that data
#          helps determine whether the system is running normally and is a good assistant for
#          improving efficiency and running the server safely.
# dstat:   an all-in-one colour system statistics tool that replaces vmstat, iostat, netstat,
#          nfsstat and ifstat
# screen:  similar to nohup; keeps several local or remote command-line sessions open at the same
#          time and lets you switch between them
yum -y install sysstat dstat screen;
#
# top is the usual monitoring program on Linux; htop is its enhanced version: it shows the
# various parameters in colour and supports mouse operation.
# install the supporting component (ncurses)
wget http://ftp.gnu.org/pub/gnu/ncurses/ncurses-5.9.tar.gz
tar xvfz ncurses-5.9.tar.gz
cd ncurses-5.9
./configure
make
make install
# install htop; home page: http://sourceforge.net/projects/htop/files/htop/
# (-O gives the download its proper file name; the URL itself ends in "download")
wget -O htop-1.0.2.tar.gz http://sourceforge.net/projects/htop/files/htop/1.0.2/htop-1.0.2.tar.gz/download
tar zxvf htop-1.0.2.tar.gz
cd htop-1.0.2
./configure
make
make install
```

Time and time zone settings

View the current time and time zone:

```bash
date -R
```

Synchronize the clock every 10 minutes (note that writing to /var/spool/cron/root replaces root's existing crontab):

```bash
echo "*/10 * * * * /usr/sbin/ntpdate 61.129.42.44 > /home/ntp.log" > /var/spool/cron/root
service crond restart
/usr/sbin/ntpdate 61.129.42.44
```

Replace the default time zone with Shanghai:

```bash
rm -rf /etc/localtime                                   # delete the current default time zone
ln -s /usr/share/zoneinfo/Asia/Shanghai /etc/localtime  # replace the default time zone with Shanghai
```

Firewall: iptables configuration scripts

The firewall is split into three scripts. iptables.rule sets the most basic rules: clearing the existing firewall rules, loading modules, setting the services that are accepted, and so on. iptables.deny blocks certain hosts. iptables.allow admits certain custom sources.

```bash
[root@www ~]# mkdir -p /usr/local/iptables
[root@www ~]# cd /usr/local/iptables
[root@www iptables]# vim iptables.rule
```

```bash
#!/bin/bash
# Enter your parameters first, and do not get them wrong!
EXTIF="eth0"              # the network interface that connects to the public IP
INIF="eth1"               # the interface connecting the internal LAN; if there is none, write INIF=""
INNET="192.168.100.0/24"  # the internal network; if there is no internal network, write INNET=""
export EXTIF INIF INNET

# Part 1: firewall settings for the local machine ##########################################
# 1. First set the kernel's network functions:
echo "1" > /proc/sys/net/ipv4/tcp_syncookies            # enable the SYN-cookie defence against TCP-flooding DoS; not suitable for heavily loaded hosts
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts  # do not respond to broadcast pings
# enable reverse-path filtering so packets match the interface settings, and log problem packets
for i in /proc/sys/net/ipv4/conf/*/{rp_filter,log_martians}; do
    echo "1" > $i
done
# disable source routing, disable accepting redirects, disable sending redirects
for i in /proc/sys/net/ipv4/conf/*/{accept_source_route,accept_redirects,\
send_redirects}; do
    echo "0" > $i
done

# 2. Clear the rules, set the default policies, open lo and related settings:
PATH=/sbin:/usr/sbin:/bin:/usr/local/sbin:/usr/local/bin; export PATH
# clear existing rules
iptables -F
iptables -X
iptables -Z
# set the default policies
iptables -P INPUT   DROP
iptables -P OUTPUT  ACCEPT
iptables -P FORWARD ACCEPT
# open lo
iptables -A INPUT -i lo -j ACCEPT
# accept packets that belong to an established connection or are related to a request we sent
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# 3. Run the additional firewall script modules
if [ -f /usr/local/iptables/iptables.deny ]; then
    sh /usr/local/iptables/iptables.deny
fi
if [ -f /usr/local/iptables/iptables.allow ]; then
    sh /usr/local/iptables/iptables.allow
fi
if [ -f /usr/local/httpd-err/iptables.http ]; then
    sh /usr/local/httpd-err/iptables.http
fi

# 4. Allow some types of ICMP packets in. ICMP type 8 (echo request) is usually left out so that
#    remote hosts cannot tell whether this host exists: it will not respond to ping
AICMP="0 3 3/4 4 11 12 14 16 18"
for tyicmp in $AICMP
do
    iptables -A INPUT -i $EXTIF -p icmp --icmp-type $tyicmp -j ACCEPT
done

# 5. Allow access to some services; enable them according to your environment
  iptables -A INPUT -p TCP -i $EXTIF --dport  22 --sport 1024:65534 -j ACCEPT # SSH
  iptables -A INPUT -p TCP -i $EXTIF --dport  80 --sport 1024:65534 -j ACCEPT # WWW
# iptables -A INPUT -p TCP -i $EXTIF --dport  21 --sport 1024:65534 -j ACCEPT # FTP
# iptables -A INPUT -p TCP -i $EXTIF --dport  25 --sport 1024:65534 -j ACCEPT # SMTP
# iptables -A INPUT -p UDP -i $EXTIF --dport  53 --sport 1024:65534 -j ACCEPT # DNS
# iptables -A INPUT -p TCP -i $EXTIF --dport  53 --sport 1024:65534 -j ACCEPT # DNS
# iptables -A INPUT -p TCP -i $EXTIF --dport 110 --sport 1024:65534 -j ACCEPT # POP3
# iptables -A INPUT -p TCP -i $EXTIF --dport 443 --sport 1024:65534 -j ACCEPT # HTTPS

# Part 2: firewall settings for the back-end hosts ##############################
# 1. Load some useful modules first
modules="ip_tables iptable_nat ip_nat_ftp ip_nat_irc"   # remainder of the module list lost in the source
for mod in $modules
do
    testmod=`lsmod | grep "^${mod}" | awk '{print $1}'`
    if [ "$testmod" = "" ]; then
        modprobe $mod
    fi
done

# 2. Clear the NAT table rules
iptables -F -t nat
iptables -X -t nat
iptables -Z -t nat
iptables -t nat -P PREROUTING  ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT      ACCEPT

# 3. If an internal interface exists (two NICs), open the host as a router and IP sharer (NAT)
if [ "$INIF" != "" ]; then
    iptables -A INPUT -i $INIF -j ACCEPT
    echo "1" > /proc/sys/net/ipv4/ip_forward
    if [ "$INNET" != "" ]; then
        for innet in $INNET
        do
            iptables -t nat -A POSTROUTING -s $innet -o $EXTIF -j MASQUERADE
        done
    fi
fi
# If MSN cannot connect, or some websites work and others do not, it may be an MTU problem;
# uncomment the following lines to enable the MTU range limit:
# iptables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss \
#          --mss 1400:1536 -j TCPMSS --clamp-mss-to-pmtu

# 4. Servers on the LAN behind the NAT host that are exposed to the outside
# iptables -t nat -A PREROUTING -p tcp -i $EXTIF --dport 80 \
#          -j DNAT --to-destination 192.168.1.210:80 # WWW

# 5. Special functions, including the rules for Windows remote desktop; assume the desktop host is 1.2.3.4
# iptables -t nat -A PREROUTING -p tcp -s 1.2.3.4 --dport 6000 \
#          -j DNAT --to-destination 192.168.100.10
# iptables -t nat -A PREROUTING -p tcp -s 1.2.3.4 --sport 3389 \
#          -j DNAT --to-destination 192.168.100.20

# 6. Finally, save these settings
/etc/init.d/iptables save
```

iptables.allow script

```bash
[root@www iptables]# vim iptables.allow
#!/bin/bash
# allow other networks or hosts to access this machine
iptables -A INPUT -i $EXTIF -s 140.116.44.0/24 -j ACCEPT
```

iptables.deny script

```bash
[root@www iptables]# vim iptables.deny
#!/bin/bash
# block a host IP address or an entire network segment
iptables -A INPUT -i $EXTIF -s 140.116.44.254 -j DROP
```

Script permissions

```bash
[root@www iptables]# chmod 700 iptables.*
```

Start the firewall at boot

```bash
[root@www ~]# vim /etc/rc.d/rc.local
# 1. firewall
/usr/local/iptables/iptables.rule
```

Kernel optimization parameters

The kernel parameters depend on the software installed on the server and the functions it provides; they are not static and change with the workload. Back up the existing file and write the new one:

```bash
mv /etc/sysctl.conf /etc/sysctl.conf.`date +"%Y-%m-%d_%H-%M-%S"`
cat > /etc/sysctl.conf <<'EOF'
net.ipv4.ip_forward = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
net.ipv4.tcp_max_tw_buckets = 6000
net.ipv4.tcp_sack = 1
net.ipv4.tcp_window_scaling = 0
net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_wmem = 4096 16384 16777216
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.core.netdev_max_backlog = 262144
net.core.somaxconn = 262144
net.ipv4.tcp_max_orphans = 3276800
net.ipv4.tcp_max_syn_backlog = 262144
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_fin_timeout = 15
net.ipv4.tcp_keepalive_time = 30
vm.swappiness = 10
EOF
sysctl -p
```

Summary: after the configuration above, most of the server initialization is complete. Pay special attention to the firewall settings: if they are not handled properly, you may lock yourself out!
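The sysctl template in the kernel section above contains two settings a practitioner should re-check before installing it: net.ipv4.tcp_tw_recycle was removed in Linux 4.12 and, on the kernels that still have it, drops connections from clients behind NAT; and net.ipv4.tcp_tw_reuse relies on TCP timestamps, so setting tcp_timestamps = 0 alongside it makes the reuse setting ineffective. The following audit script is an added example, not part of the original article: it parses a sysctl.conf-style file, reports malformed lines, and flags those two conditions. The function name, the constructed sample file and the message wording are this example's own.

```shell
#!/bin/sh
# Added example (not from the original article): audit a sysctl.conf fragment
# before it is installed. Syntax errors and the two known-problematic settings
# are reported one per line; the return value is the number of findings.

# audit_sysctl FILE  ->  prints findings, returns their count (0 = clean)
audit_sysctl() {
    file="$1"; findings=0
    tw_recycle=""; tw_reuse=""; timestamps=""
    while IFS= read -r line || [ -n "$line" ]; do
        # trim surrounding whitespace, skip blank lines and comments
        line="$(printf '%s' "$line" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')"
        case "$line" in ''|'#'*|';'*) continue ;; esac
        case "$line" in
            *=*) ;;
            *)  echo "syntax: no '=' in line: $line"
                findings=$((findings + 1)); continue ;;
        esac
        key="$(printf '%s' "${line%%=*}" | tr -d '[:space:]')"
        val="$(printf '%s' "${line#*=}" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')"
        case "$key" in
            net.ipv4.tcp_tw_recycle) tw_recycle="$val" ;;
            net.ipv4.tcp_tw_reuse)   tw_reuse="$val" ;;
            net.ipv4.tcp_timestamps) timestamps="$val" ;;
        esac
    done < "$file"
    if [ "$tw_recycle" = "1" ]; then
        echo "risk: net.ipv4.tcp_tw_recycle=1 (removed in Linux 4.12; breaks clients behind NAT)"
        findings=$((findings + 1))
    fi
    if [ "$tw_reuse" = "1" ] && [ "$timestamps" = "0" ]; then
        echo "risk: net.ipv4.tcp_tw_reuse=1 has no effect while net.ipv4.tcp_timestamps=0"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample mirroring the article's template (not a real host's file).
SAMPLE_SYSCTL="$(mktemp)"
cat > "$SAMPLE_SYSCTL" <<'EOF'
# constructed sample
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
vm.swappiness = 10
EOF

# Stand-alone run: prints the two findings and the count (2).
audit_sysctl "$SAMPLE_SYSCTL" || echo "findings: $?"
```

Run it against the file you are about to install (audit_sysctl /etc/sysctl.conf.new) and treat a non-zero return as a reason to revisit the template rather than apply it blindly with sysctl -p.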
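The summary's warning about locking yourself out deserves a concrete safeguard. iptables.rule sets the INPUT policy to DROP before it re-adds the SSH rule, so a typo in the script or the wrong interface name in EXTIF can cut the session you are working from. The wrapper below is an added example, not part of the original article: it snapshots the current ruleset with iptables-save, runs the rule script, and restores the snapshot with iptables-restore unless a confirmation file appears within a timeout. The SAVE_CMD and RESTORE_CMD variables, the apply_with_rollback function and the confirmation-file mechanism are this example's own; the rule path follows the article's /usr/local/iptables layout.

```shell
#!/bin/sh
# Added example (not from the original article): load a firewall rule script
# under a dead-man timer. If the operator does not confirm within the timeout
# (because the new rules killed the SSH session), the previous ruleset is put
# back. SAVE_CMD / RESTORE_CMD default to the real iptables tools and can be
# overridden, which is how this example is exercised without root privileges.
SAVE_CMD="${SAVE_CMD:-iptables-save}"
RESTORE_CMD="${RESTORE_CMD:-iptables-restore}"

# apply_with_rollback SCRIPT TIMEOUT_SECONDS CONFIRM_FILE
#   Prints "kept" (return 0) if CONFIRM_FILE was created in time, otherwise
#   restores the snapshot, prints "restored" and returns 2.
apply_with_rollback() {
    script="$1"; timeout="$2"; confirm="$3"
    snap="$(mktemp)" || return 1
    # keep the ruleset that is known to work before changing anything
    $SAVE_CMD > "$snap" || { rm -f "$snap"; return 1; }
    rm -f "$confirm"
    sh "$script"
    elapsed=0
    while [ "$elapsed" -lt "$timeout" ]; do
        if [ -f "$confirm" ]; then
            rm -f "$snap" "$confirm"
            echo kept
            return 0
        fi
        sleep 1
        elapsed=$((elapsed + 1))
    done
    # no confirmation arrived: assume we are locked out and roll back
    $RESTORE_CMD < "$snap"
    rm -f "$snap"
    echo restored
    return 2
}

# Usage on a real host (as root): run this in your SSH session, then from a
# second, new SSH session run "touch /tmp/fw.ok" within 60 seconds. If the new
# session cannot connect, the old ruleset returns on its own.
#   apply_with_rollback /usr/local/iptables/iptables.rule 60 /tmp/fw.ok
```

Confirm from a fresh SSH session rather than the existing one: the existing session is covered by the RELATED,ESTABLISHED rule and would keep working even when the port-22 rule is wrong.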