How to configure Ubuntu as router in Vagrant

I'm trying to set up a simple network layout with Vagrant, as shown in the picture below:

As you can see, I aim to simulate a hacker attack going from attacker through router and reaching victim, but that isn't relevant to the problem I'm struggling with.

This is my Vagrantfile so far (VirtualBox is used as the provider):

Vagrant.configure("2") do |config|

  config.vm.define "router" do |router|
    router.vm.box = "hashicorp/bionic64"

    # One host-only network per segment; the router gets an address on each
    router.vm.network "private_network", ip: "192.168.232.1"
    router.vm.network "private_network", ip: "192.168.248.1"

    router.vm.provision "shell", inline: <<-SHELL
      # -y keeps apt-get from waiting for confirmation in the non-interactive provisioner
      sudo apt-get install -y traceroute
      echo -e "\nnet.ipv4.ip_forward=1" >> /etc/sysctl.conf
    SHELL
    # Reboot so the sysctl setting takes effect (needs the vagrant-reload plugin)
    router.vm.provision :reload
  end

  config.vm.define "attacker" do |attacker|
    attacker.vm.box = "hashicorp/bionic64"

    attacker.vm.network "private_network", ip: "192.168.232.2"

    attacker.vm.provision "shell",
      inline: "sudo apt-get install -y traceroute"
    # The route is not persistent, so add it on every boot
    attacker.vm.provision "shell",
      run: "always",
      inline: "sudo route add default gw 192.168.232.1"
  end

  config.vm.define "victim" do |victim|
    victim.vm.box = "hashicorp/bionic64"

    victim.vm.network "private_network", ip: "192.168.248.2"

    victim.vm.provision "shell",
      inline: "sudo apt-get install -y traceroute"
    # The route is not persistent, so add it on every boot
    victim.vm.provision "shell",
      run: "always",
      inline: "sudo route add default gw 192.168.248.1"
  end

end

Note that I'm using the vagrant-reload plugin, so you have to install it before running vagrant up:

vagrant plugin install vagrant-reload

What the Vagrantfile does:

Just to confirm that enabling net.ipv4.ip_forward on router worked:

$ cat /proc/sys/net/ipv4/ip_forward
1

Unfortunately, I can't get it to work. When I try to ping 192.168.248.2 from the attacker machine I get no response. The traceroute output seems to go through the router machine, but it gets stuck there and never reaches victim:

traceroute to 192.168.248.2 (192.168.248.2), 30 hops max, 60 byte packets
 1  legion (192.168.232.1)  0.300 ms  0.454 ms  0.439 ms
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * * *

Output of netstat -r on the attacker machine:

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
default         legion          0.0.0.0         UG        0 0          0 eth1
default         _gateway        0.0.0.0         UG        0 0          0 eth0
10.0.2.0        0.0.0.0         255.255.255.0   U         0 0          0 eth0
_gateway        0.0.0.0         255.255.255.255 UH        0 0          0 eth0
192.168.232.0   0.0.0.0         255.255.255.0   U         0 0          0 eth1

I don't know why the new gateway I added is named legion, but I think it is somehow taken from my laptop's hostname (it's a Lenovo Legion, named legion).

Output of netstat -r on the victim machine:

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
default         legion          0.0.0.0         UG        0 0          0 eth1
default         _gateway        0.0.0.0         UG        0 0          0 eth0
10.0.2.0        0.0.0.0         255.255.255.0   U         0 0          0 eth0
_gateway        0.0.0.0         255.255.255.255 UH        0 0          0 eth0
192.168.248.0   0.0.0.0         255.255.255.0   U         0 0          0 eth1

Output of netstat -r on the router machine:

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
default         _gateway        0.0.0.0         UG        0 0          0 eth0
10.0.2.0        0.0.0.0         255.255.255.0   U         0 0          0 eth0
_gateway        0.0.0.0         255.255.255.255 UH        0 0          0 eth0
192.168.232.0   0.0.0.0         255.255.255.0   U         0 0          0 eth1
192.168.248.0   0.0.0.0         255.255.255.0   U         0 0          0 eth2

Output of ifconfig on the attacker machine:

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.2.15  netmask 255.255.255.0  broadcast 10.0.2.255
        inet6 fe80::a00:27ff:febb:1475  prefixlen 64  scopeid 0x20<link>
        ether 08:00:27:bb:14:75  txqueuelen 1000  (Ethernet)
        RX packets 1271  bytes 129981 (129.9 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 926  bytes 141073 (141.0 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.232.2  netmask 255.255.255.0  broadcast 192.168.232.255
        inet6 fe80::a00:27ff:fe5f:4829  prefixlen 64  scopeid 0x20<link>
        ether 08:00:27:5f:48:29  txqueuelen 1000  (Ethernet)
        RX packets 20  bytes 1704 (1.7 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 137  bytes 10188 (10.1 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 16  bytes 1628 (1.6 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 16  bytes 1628 (1.6 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Output of ifconfig on the victim machine:

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.2.15  netmask 255.255.255.0  broadcast 10.0.2.255
        inet6 fe80::a00:27ff:febb:1475  prefixlen 64  scopeid 0x20<link>
        ether 08:00:27:bb:14:75  txqueuelen 1000  (Ethernet)
        RX packets 973  bytes 101812 (101.8 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 725  bytes 111966 (111.9 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.248.2  netmask 255.255.255.0  broadcast 192.168.248.255
        inet6 fe80::a00:27ff:fe98:9693  prefixlen 64  scopeid 0x20<link>
        ether 08:00:27:98:96:93  txqueuelen 1000  (Ethernet)
        RX packets 6  bytes 486 (486.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 38  bytes 2812 (2.8 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 44  bytes 3574 (3.5 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 44  bytes 3574 (3.5 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Output of ifconfig on the router machine:

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.2.15  netmask 255.255.255.0  broadcast 10.0.2.255
        inet6 fe80::a00:27ff:febb:1475  prefixlen 64  scopeid 0x20<link>
        ether 08:00:27:bb:14:75  txqueuelen 1000  (Ethernet)
        RX packets 1866  bytes 164707 (164.7 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1301  bytes 165459 (165.4 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.232.1  netmask 255.255.255.0  broadcast 192.168.232.255
        inet6 fe80::a00:27ff:fe90:2720  prefixlen 64  scopeid 0x20<link>
        ether 08:00:27:90:27:20  txqueuelen 1000  (Ethernet)
        RX packets 1  bytes 60 (60.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 34  bytes 2466 (2.4 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eth2: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.248.1  netmask 255.255.255.0  broadcast 192.168.248.255
        inet6 fe80::a00:27ff:fe3b:238b  prefixlen 64  scopeid 0x20<link>
        ether 08:00:27:3b:23:8b  txqueuelen 1000  (Ethernet)
        RX packets 2  bytes 120 (120.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 34  bytes 2466 (2.4 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 10  bytes 714 (714.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 10  bytes 714 (714.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Do you have any idea what could be wrong here? Maybe I'm missing something obvious.

You have a redundant default gateway named _gateway on victim and attacker. You should remove it and leave only the one that goes to the router through the eth1 interface.
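The redundancy the answer points at is easy to check for mechanically. The following POSIX shell snippet is an added example (not from the question or the answer): it parses a netstat -r style routing table, lists every default route with its interface, and reports failure unless exactly one default route exists and it leaves via the expected interface. The two tables it runs against are copied from the question as constructed sample input; on a live guest you would feed it the real output of netstat -rn.

```sh
#!/bin/sh
# Added example: verify that a guest has a single default route via the lab router.
# Sample tables below are constructed from the routing tables posted in the question.

# Constructed sample: the attacker's table (two default routes: router on eth1, NAT on eth0).
ATTACKER_TABLE='Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
default         legion          0.0.0.0         UG        0 0          0 eth1
default         _gateway        0.0.0.0         UG        0 0          0 eth0
10.0.2.0        0.0.0.0         255.255.255.0   U         0 0          0 eth0
_gateway        0.0.0.0         255.255.255.255 UH        0 0          0 eth0
192.168.232.0   0.0.0.0         255.255.255.0   U         0 0          0 eth1'

# Constructed sample: the router's table (one default route, via NAT on eth0).
ROUTER_TABLE='Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
default         _gateway        0.0.0.0         UG        0 0          0 eth0
10.0.2.0        0.0.0.0         255.255.255.0   U         0 0          0 eth0
192.168.232.0   0.0.0.0         255.255.255.0   U         0 0          0 eth1
192.168.248.0   0.0.0.0         255.255.255.0   U         0 0          0 eth2'

# default_routes TABLE
# Prints "gateway iface" for each default route. "netstat -r" prints the
# destination as "default"; "netstat -rn" / "route -n" print it as 0.0.0.0.
default_routes() {
    printf '%s\n' "$1" | awk '$1 == "default" || $1 == "0.0.0.0" { print $2, $NF }'
}

# count_default_routes TABLE -> number of default routes (printed on stdout)
count_default_routes() {
    default_routes "$1" | wc -l | tr -d ' '
}

# check_single_default TABLE EXPECTED_IFACE
# Exit status 0 only when exactly one default route exists and it uses EXPECTED_IFACE.
check_single_default() {
    table=$1
    want=$2
    n=$(count_default_routes "$table")
    if [ "$n" -ne 1 ]; then
        echo "FAIL: $n default routes present:" >&2
        default_routes "$table" >&2
        return 1
    fi
    iface=$(default_routes "$table" | awk '{ print $2 }')
    if [ "$iface" != "$want" ]; then
        echo "FAIL: default route leaves via $iface, expected $want" >&2
        return 1
    fi
    echo "OK: single default route via $iface"
}

# Live use on a guest that should send everything through the router:
#   check_single_default "$(netstat -rn)" eth1
```

Run against the attacker's table the check fails and prints both default routes, which is exactly the state the answer describes; after the extra route is removed it passes.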

Although @thejazzroot's answer clearly points out the root cause of my problem, it wasn't all I had to do to get it working. For some reason I couldn't ping victim from attacker (or vice versa) until I pinged one of the machines from router.

This was strange. Why would the network only start working after the machines had pinged each other? Now I've found the answer: vagrant automatically assigns the .1 IP in each subnet to the host (so in my case 192.168.232.1 and 192.168.248.1). Unfortunately, these are exactly the IPs I assigned to the router VM, which the attacker/victim machines have set as their gateway! So there were 2 machines with exactly the same IP, and it seems that when pinging attacker/victim from router, it somehow picked router instead of legion. Now the origin of the legion name in the netstat -r output also makes sense.

TL;DR
I changed the router IP in both subnets because it conflicted with the IP vagrant automatically assigns to the host:

192.168.232.1 -> 192.168.232.10
192.168.248.1 -> 192.168.248.10

In case anyone is looking for the complete solution, I'm posting my final Vagrantfile here:

Vagrant.configure("2") do |config|

  config.vm.define "attacker" do |attacker|
    attacker.vm.box = "hashicorp/bionic64"

    attacker.vm.network "private_network", ip: "192.168.232.2"

    # Replace the NAT default route with one via the router; the route is not
    # persistent, so this runs on every boot
    attacker.vm.provision "shell",
      run: "always",
      inline: <<-SHELL
        ip route delete default
        ip route add default via 192.168.232.10
      SHELL
  end

  config.vm.define "victim" do |victim|
    victim.vm.box = "hashicorp/bionic64"

    victim.vm.network "private_network", ip: "192.168.248.2"

    victim.vm.provision "shell",
      run: "always",
      inline: <<-SHELL
        ip route delete default
        ip route add default via 192.168.248.10
      SHELL
  end

  config.vm.define "router" do |router|
    router.vm.box = "hashicorp/bionic64"

    # .10 instead of .1: the host takes the .1 address of each private network (see TL;DR)
    router.vm.network "private_network", ip: "192.168.232.10"
    router.vm.network "private_network", ip: "192.168.248.10"

    # Enable forwarding persistently and apply it right away, no reboot needed
    router.vm.provision "shell",
      inline: <<-SHELL
        echo -e "\nnet.ipv4.ip_forward=1" >> /etc/sysctl.conf
        sysctl -p
      SHELL
  end
end
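Since the collision only showed up after the machines had been up for a while, it is worth catching before vagrant up. The following POSIX shell snippet is an added example, not part of the post or of Vagrant: it pulls the private_network addresses out of a Vagrantfile and warns about two things, an address ending in .1 (the address the post above says vagrant gives the host on each private network; that convention is taken from the post, not looked up independently) and the same address assigned to more than one guest. The Vagrantfile fragments it runs against are constructed from the addresses in the question and in the TL;DR.

```sh
#!/bin/sh
# Added example: audit private_network addresses in a Vagrantfile before "vagrant up".
# Assumption (from the post above): the host holds the .1 address of each private network.

# Constructed sample: the addresses from the original Vagrantfile in the question.
ORIGINAL_VAGRANTFILE='
config.vm.define "router" do |router|
  router.vm.network "private_network", ip: "192.168.232.1"
  router.vm.network "private_network", ip: "192.168.248.1"
end
config.vm.define "attacker" do |attacker|
  attacker.vm.network "private_network", ip: "192.168.232.2"
end
config.vm.define "victim" do |victim|
  victim.vm.network "private_network", ip: "192.168.248.2"
end'

# Constructed sample: the same file after the TL;DR change (.1 -> .10 for the router).
FIXED_VAGRANTFILE=$(printf '%s\n' "$ORIGINAL_VAGRANTFILE" | sed 's/\.1"/.10"/g')

# Constructed sample: fixed file, but victim mistakenly given the attacker's address.
DUPLICATE_VAGRANTFILE=$(printf '%s\n' "$FIXED_VAGRANTFILE" | sed 's/192\.168\.248\.2"/192.168.232.2"/')

# private_ips TEXT -> one IPv4 address per private_network line
private_ips() {
    printf '%s\n' "$1" | grep 'private_network' | sed -n 's/.*ip: *"\([0-9.]*\)".*/\1/p'
}

# host_collisions TEXT -> addresses whose last octet is 1 (taken by the host)
host_collisions() {
    private_ips "$1" | awk -F. '$4 == 1'
}

# duplicate_ips TEXT -> addresses configured on more than one guest
duplicate_ips() {
    private_ips "$1" | sort | uniq -d
}

# audit_vagrantfile TEXT -> prints the number of problems found (0 means clean),
# with one warning per problem on stderr
audit_vagrantfile() {
    problems=0
    for ip in $(host_collisions "$1"); do
        echo "WARN: $ip is the host's address on its private network; pick another (e.g. .10)" >&2
        problems=$((problems + 1))
    done
    for ip in $(duplicate_ips "$1"); do
        echo "WARN: $ip is assigned to more than one guest" >&2
        problems=$((problems + 1))
    done
    echo "$problems"
}

# Typical use from the project directory:
#   [ "$(audit_vagrantfile "$(cat Vagrantfile)")" = "0" ] && vagrant up
```

On the original Vagrantfile this reports two problems (both router addresses end in .1); on the TL;DR version it reports none.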