Linux Avançado: Administração e Performance

Redes Avançadas

Aula 4 de 7

Bridges e VLANs

# Bridge (virtual switch): br0 forwards frames between its ports at layer 2
ip link add dev br0 type bridge
# Enslave the physical NIC and a tap device as bridge ports. Once eth0 is a
# port its frames belong to br0, so the host address goes on br0 (below),
# not on eth0. Whatever sits behind tap0 (typically a VM) ends up on the same
# L2 segment as eth0 — apply nftables/ebtables rules on the bridge if that
# segment must not be fully reachable from the guest.
ip link set dev eth0 master br0
ip link set dev tap0 master br0
ip address add 192.168.1.1/24 dev br0
ip link set dev br0 up

# VLAN (802.1Q): tagged sub-interface for VLAN ID 100 stacked on eth0.
# The parent eth0 must be up, and the switch port facing it has to trunk
# VLAN 100, otherwise the tagged frames go nowhere.
ip link add name eth0.100 link eth0 type vlan id 100
ip address add 192.168.100.1/24 dev eth0.100
ip link set dev eth0.100 up

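# Bonding (LACP / IEEE 802.3ad): aggregate eth0 and eth1 into bond0.
# miimon enables link-state monitoring so a dead member is dropped from the
# aggregate; the switch ports on the other end must form an LACP group too.
ip link add bond0 type bond mode 802.3ad miimon 100
# The bonding driver refuses to enslave an interface that is up
# ("Device can not be enslaved while up"), so take the members down first.
# This drops connectivity on eth0/eth1 — do not run it over the link you
# are logged in through.
ip link set eth0 down
ip link set eth1 down
ip link set eth0 master bond0
ip link set eth1 master bond0
ip addr add 192.168.1.10/24 dev bond0
# bond0 is created administratively down; nothing flows until it is up
# (the driver re-opens the enslaved members itself).
ip link set bond0 up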

Namespaces de Rede

# Full network isolation: each namespace gets its own interfaces, routing
# table and netfilter rules, separate from the host's.
ip netns add red
ip netns add blue
# A veth pair is a virtual cable; one end is moved into each namespace.
ip link add veth-red type veth peer name veth-blue

ip link set veth-red netns red
ip link set veth-blue netns blue

# `ip -n NS ...` is shorthand for `ip netns exec NS ip ...`
ip -n red address add 10.0.0.1/24 dev veth-red
ip -n red link set veth-red up
ip -n blue address add 10.0.0.2/24 dev veth-blue
ip -n blue link set veth-blue up

# Commands other than ip still need `ip netns exec` (ping runs until interrupted)
ip netns exec red ping 10.0.0.2

Tunnels e VPN

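# WireGuard key pair. Generate under umask 077 so the privatekey file is
# created mode 0600 from the start — with the default umask it would be
# world-readable until someone remembers to chmod it. The subshell keeps the
# umask change local to this pipeline.
(umask 077; wg genkey | tee privatekey | wg pubkey > publickey)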

# Configuration (/etc/wireguard/wg0.conf)
# Keep this file root-only (chmod 600): it contains the private key, and
# wg-quick warns when the file is world accessible.
[Interface]
# Address of this host inside the tunnel
Address = 10.0.0.1/24
# Base64 key — the *contents* of the privatekey file generated above, not its path
PrivateKey = <privatekey>
# UDP port to listen on; allow it through the host firewall
ListenPort = 51820

[Peer]
# Base64 public key of the remote side (contents of its publickey file)
PublicKey = <peer_publickey>
# Where to reach the peer; the other side may omit Endpoint and learn it
# from the first packet it receives.
Endpoint = peer.example.com:51820
# Cryptokey routing: the addresses routed to this peer AND the only source
# addresses accepted from it. 10.0.0.0/24 lets this peer speak for the whole
# tunnel subnet; narrow it to the peer's /32 when it is a single host.
AllowedIPs = 10.0.0.0/24

# Bring the tunnel up now; passing the config path is the same as `wg-quick up wg0`
sudo wg-quick up /etc/wireguard/wg0.conf
# ...and let systemd start it at boot. If the unit is started later while
# the interface created by the manual command still exists, it fails with
# "wg0 already exists" — bring it down first or just reboot.
sudo systemctl enable wg-quick@wg0.service

Performance Tuning de Rede

# Network tuning. `sysctl -w` changes only the running kernel; put the same
# key=value lines in /etc/sysctl.d/*.conf to survive a reboot.
# 134217728 = 128 MiB: ceiling for socket buffers (rmem_max/wmem_max) and the
# upper bound of TCP autotuning (tcp_rmem/tcp_wmem = "min default max").
# netdev_budget: packets processed per softirq poll before yielding the CPU.
# bbr: the kernel tries to autoload tcp_bbr; if the last key fails, confirm
# "bbr" is listed in net.ipv4.tcp_available_congestion_control.
sysctl -w \
  net.core.rmem_max=134217728 \
  net.core.wmem_max=134217728 \
  "net.ipv4.tcp_rmem=4096 87380 134217728" \
  "net.ipv4.tcp_wmem=4096 65536 134217728" \
  net.core.netdev_budget=600 \
  net.ipv4.tcp_congestion_control=bbr

# ethtool — NIC tuning. None of this persists across reboot; reapply it from
# a udev rule or your network service's hook.
# Offloads: let the NIC merge (GRO) and split (GSO/TSO) segments instead of the CPU
ethtool --offload eth0 gro on gso on tso on
# rx-usecs 0 = no interrupt coalescing: lowest latency, highest IRQ rate / CPU load
ethtool --coalesce eth0 rx-usecs 0
# 4 combined RX/TX queues spread over CPUs; the NIC must support it (`ethtool -l eth0`)
ethtool --set-channels eth0 combined 4

Nginx — Proxy Reverso

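# Minimal reverse-proxy config. Plain HTTP on :80 — terminate TLS here before
# exposing it. Backends on localhost may trust the X-* headers because this
# proxy overwrites them; they must not trust the same headers from elsewhere.
server {
    listen 80;
    server_name app.exemplo.com;

    location / {
        proxy_pass http://localhost:3000;
        proxy_set_header Host $host;
        # $remote_addr replaces any client-supplied X-Real-IP
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    location /api/ {
        proxy_pass http://localhost:8080;
        # Upgrade handshakes (WebSocket) need HTTP/1.1; nginx proxies with
        # HTTP/1.0 by default, so without this the Upgrade header never
        # completes a connection. A fixed "upgrade" value is sent on every
        # request here; a $http_upgrade-driven map in the http context is the
        # cleaner option when plain requests also hit this backend.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}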

Namespaces de rede são a base de containers (Docker, Podman). WireGuard é a VPN mais moderna e performática.