求助 ab压力测试WEB服务器挂掉

bjbs_270

环境:centos 5.3+Apache (httpd)服务器防DDOS模块mod_evasive+iptables

Apache (httpd)服务器防DDOS模块mod_evasive安装参考
http://www.linuxsir.org/main/node/244

iptables规则

1. 
   
2. #more /etc/sysconfig/iptables
   
3. # Generated by iptables-save v1.3.5 on Tue May 26 13:54:14 2009
   
4. *nat
   
5. :PREROUTING ACCEPT [21:1246]
   
6. :POSTROUTING ACCEPT [1:92]
   
7. :OUTPUT ACCEPT [1:92]
   
8. COMMIT
   
9. # Completed on Tue May 26 13:54:14 2009
   
10. # Generated by iptables-save v1.3.5 on Tue May 26 13:54:14 2009
    
11. *mangle
    
12. :PREROUTING ACCEPT [29:1702]
    
13. :INPUT ACCEPT [28:1458]
    
14. :FORWARD ACCEPT [0:0]
    
15. :OUTPUT ACCEPT [27:3056]
    
16. :POSTROUTING ACCEPT [27:3056]
    
17. COMMIT
    
18. # Completed on Tue May 26 13:54:14 2009
    
19. # Generated by iptables-save v1.3.5 on Tue May 26 13:54:14 2009
    
20. *filter
    
21. :INPUT ACCEPT [0:0]
    
22. :FORWARD ACCEPT [0:0]
    
23. :OUTPUT ACCEPT [27:3056]
    
24. :RH-Firewall-1-INPUT - [0:0]
    
25. #-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
    
26. -N syn-flood
    
27. -A FORWARD -p tcp --syn -j syn-flood
    
28. -A INPUT -p tcp --syn -j syn-flood
    
29. -A syn-flood -p tcp --syn -m limit --limit 3/s --limit-burst 1 -j ACCEPT
    
30. -A syn-flood -j DROP
    
31. -A INPUT -i eth0 -p tcp ! --syn -m state --state NEW -j DROP
    
32. -A INPUT -p tcp --syn -m state --state NEW -j DROP
    
33. -A INPUT -p tcp --syn -m limit --limit 1/s -j ACCEPT
    
34. -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
    
35. -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
    
36. #-A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 5 -j REJECT
    
37. -A INPUT -p tcp --dport 80 -m recent --name BAD_HTTP_ACCESS --update --seconds 6
    
38. 0 --hitcount 30 -j REJECT
    
39. -A INPUT -p tcp --dport 80 -m recent --name BAD_HTTP_ACCESS --set -j ACCEPT
    
40. 
    
41. -A INPUT -p tcp -m tcp --dport 2012 -j ACCEPT
    
42. -A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
    
43. -A INPUT -j RH-Firewall-1-INPUT
    
44. -A FORWARD -j RH-Firewall-1-INPUT
    
45. -A RH-Firewall-1-INPUT -i lo -j ACCEPT
    
46. -A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
    
47. -A RH-Firewall-1-INPUT -p esp -j ACCEPT
    
48. -A RH-Firewall-1-INPUT -p ah -j ACCEPT
    
49. -A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
    
50. -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
    
51. -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
    
52. -A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    
53. -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
    
54. -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
    
55. COMMIT
    
56. # Completed on Tue May 26 13:54:14 2009
    

复制代码

NND怎么就是封不住压力测试过来的数据

ab -n 1000 -c 100 http://www.mysite.com/file.php


想请教一下各位有什么地方不对的或是有什么好的方案吗!多谢了

kns1024wh

测试服务器的性能最好是要比测试的主机好一点