linux network optimize with sysctl
tcp_syncookies是一个开关,是否打开SYN Cookie功能,该功能可以防止部分SYN攻击。tcp_synack_retries和tcp_syn_retries定义SYN的重试次数
Disabling these TCP options reduces the overhead of each TCP packet and might help to get the last few percent of performance out of the server. Be aware that disabling them most likely decreases performance on high-latency and lossy links.
* net.ipv4.tcp_sack = 0
* net.ipv4.tcp_timestamps = 0
Increasing the TCP send and receive buffers will increase performance a lot if (and only if) you have a lot of large files to send.
* net.ipv4.tcp_wmem = 4096 65536 524288
* net.core.wmem_max = 1048576
If you have a lot of large file uploads, increasing the receive buffers will help.
* net.ipv4.tcp_rmem = 4096 87380 524288
* net.core.rmem_max = 1048576
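# These ensure that TIME_WAIT ports either get reused or closed fast.
# NOTE(review): tcp_fin_timeout is the FIN-WAIT-2 hold time (seconds) for
# orphaned sockets, not the TIME_WAIT length; 1 second is very aggressive
# and may cut off the tail of a slow peer's close.
net.ipv4.tcp_fin_timeout = 1
# NOTE(review): tcp_tw_recycle validates peer timestamps per address, so it
# rejects SYNs from clients behind a shared NAT whose clocks differ. It was
# removed in Linux 4.12, so this line fails to apply on newer kernels.
# tcp_tw_reuse is the safe alternative.
net.ipv4.tcp_tw_recycle = 1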
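# TCP memory
# A 16 MiB default receive buffer applies to every new socket (UDP included),
# so the memory ceiling scales with the number of open sockets.
net.core.rmem_max = 16777216
net.core.rmem_default = 16777216
net.core.netdev_max_backlog = 262144
# NOTE(review): kernels before about 5.4 clamp somaxconn to 65535 and
# silently truncate larger values (check the running kernel).
net.core.somaxconn = 262144
# SYN cookies only engage once the SYN backlog below overflows; with a backlog
# this large they rarely do, so the backlog itself bounds half-open state.
net.ipv4.tcp_syncookies = 1
# Each orphaned socket can pin up to ~64 KiB of unswappable kernel memory
# (Documentation/networking/ip-sysctl), so size this against available RAM.
net.ipv4.tcp_max_orphans = 262144
net.ipv4.tcp_max_syn_backlog = 262144
# Fewer SYN-ACK / SYN retransmits shorten how long half-open entries are held.
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 2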
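# You shouldn't be using conntrack on a heavily loaded server anyway, but
# these are suitably high for our uses, ensuring that if conntrack gets
# turned on the box doesn't die.
# NOTE(review): net.ipv4.ip_conntrack_max is the legacy (pre-nf_conntrack)
# key; where it is absent, or when the conntrack module is not loaded,
# `sysctl -p` reports an unknown key (use `sysctl -e -p` to continue past
# it). Every tracked flow costs kernel memory, so a 1M-entry table should be
# sized against RAM.
net.ipv4.ip_conntrack_max = 1048576
net.nf_conntrack_max = 1048576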
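# increase Linux autotuning TCP buffer limits (min / default / max, bytes)
echo "4096 87380 8388608" > /proc/sys/net/ipv4/tcp_rmem
echo "4096 65536 8388608" > /proc/sys/net/ipv4/tcp_wmem
#echo 65536 > /proc/sys/fs/file-max # physical RAM * 256/4
echo "1024 65000" > /proc/sys/net/ipv4/ip_local_port_range
#echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 8192 > /proc/sys/net/ipv4/tcp_max_syn_backlog
# Decrease the time default value for tcp_fin_timeout connection
#echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
#echo 3 > /proc/sys/net/ipv4/tcp_syn_retries
#echo 2 > /proc/sys/net/ipv4/tcp_retries1
# Decrease the time default value for tcp_keepalive_time connection
#echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_time
# Turn off tcp_window_scaling
# NOTE(review): without window scaling the TCP window is limited to 64 KiB,
# so the 8 MiB tcp_rmem/tcp_wmem ceilings set above are never reachable.
echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
#echo "67108864" > /proc/sys/kernel/shmmax
# Turn off the tcp_sack
echo 0 > /proc/sys/net/ipv4/tcp_sack # This disables RFC2018 TCP Selective Acknowledgements
# Turn off tcp_timestamps
# NOTE(review): RFC1323 timestamps also drive PAWS (protection against
# wrapped sequence numbers); disabling them removes that check on fast links.
echo 0 > /proc/sys/net/ipv4/tcp_timestamps # This disables RFC1323 TCP timestamps
# kernel.panic is in seconds, not minutes: reboot 5 seconds after a kernel
# panic (0 disables the automatic reboot).
echo 5 > /proc/sys/kernel/panic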
the third:
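# RFC1323 window scaling is required for the 16 MiB buffers below to be usable.
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_syncookies = 1
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
# min / default / max (bytes) per socket; the per-socket max is further
# capped by the net.core.*mem_max values above.
net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_wmem = 4096 65536 16777216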
Lot of tuning
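# Disables packet forwarding
net.ipv4.ip_forward = 0
# Enables source route verification (reverse-path filter) for new interfaces.
# NOTE(review): only conf.default is set here; conf.all is left at the kernel
# default, and the kernel applies the higher of conf.all and the interface
# value, so existing interfaces are not covered by this line alone.
net.ipv4.conf.default.rp_filter = 1
# Disables the magic-sysrq key
kernel.sysrq = 0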
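# Decrease the time default value for tcp_fin_timeout connection
net.ipv4.tcp_fin_timeout = 25
# Decrease the time default value for tcp_keepalive_time connection
net.ipv4.tcp_keepalive_time = 3600
# Turn on the tcp_window_scaling
net.ipv4.tcp_window_scaling = 1
# Turn on the tcp_sack
net.ipv4.tcp_sack = 1
# tcp_fack should be on because of sack
# NOTE(review): FACK was removed around Linux 4.15; the key still exists
# there but has no effect.
net.ipv4.tcp_fack = 1
# Turn on the tcp_timestamps
net.ipv4.tcp_timestamps = 1
# Enable TCP SYN Cookie Protection
net.ipv4.tcp_syncookies = 1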
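# Enable ignoring broadcasts request (stops the host answering broadcast
# pings, i.e. acting as an ICMP amplifier)
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Disable ICMP Redirect Acceptance
net.ipv4.conf.all.accept_redirects = 0
# Enable bad error message Protection
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Don't Log Spoofed Packets, Source Routed Packets, Redirect Packets
# NOTE(review): martian logging is a cheap detection signal for spoofed or
# source-routed traffic; leave it off only if the log volume is a problem.
net.ipv4.conf.all.log_martians = 0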
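# Make more local ports available
net.ipv4.ip_local_port_range = 1024 65000
# Increase maximum amount of memory allocated to shm
kernel.shmmax = 1073741824
# Improve file system performance
# NOTE(review): vm.bdflush is a 2.4-series key that does not exist on 2.6+
# kernels; there `sysctl -p` reports it as an unknown key.
vm.bdflush = 100 1200 128 512 15 5000 500 1884 2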
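# This will increase the amount of memory available for socket input/output queues
# NOTE(review): the middle tcp_rmem value and rmem_default set a 24 MiB
# *initial* receive limit per socket before autotuning. Memory is only
# committed as data queues, but across many connections that ceiling is
# large; the usual pattern is a small default and a large max.
net.ipv4.tcp_rmem = 4096 25165824 25165824
net.core.rmem_max = 25165824
net.core.rmem_default = 25165824
net.ipv4.tcp_wmem = 4096 65536 25165824
net.core.wmem_max = 25165824
net.core.wmem_default = 65536
net.core.optmem_max = 25165824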
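# If you are feeling daring, you can also use these settings below, otherwise
# just remove them. (Should increase performance)
net.core.netdev_max_backlog = 2500
# NOTE(review): tcp_tw_recycle drops SYNs from clients behind a shared NAT
# (per-address PAWS timestamp check) and was removed in Linux 4.12; it is
# also a no-op when tcp_timestamps is 0. tcp_tw_reuse on its own is the safe
# option.
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
# Same buffer values as the preceding block, repeated verbatim.
net.ipv4.tcp_rmem = 4096 25165824 25165824
net.core.rmem_max = 25165824
net.core.rmem_default = 25165824
net.ipv4.tcp_wmem = 4096 65536 25165824
net.core.wmem_max = 25165824
net.core.wmem_default = 65536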
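# Disables packet forwarding
net.ipv4.ip_forward=0
# Disables IP source routing
# NOTE(review): the conf.eth0.* keys below only apply if an interface named
# eth0 exists; on hosts using predictable names those lines are rejected.
# The effective value combines conf.all with the per-interface key (the
# combining rule differs per key, see Documentation/networking/ip-sysctl),
# which is why all, lo, eth0 and default are each set.
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.lo.accept_source_route = 0
net.ipv4.conf.eth0.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
# Enable IP spoofing protection, turn on source route verification
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Disable ICMP Redirect Acceptance
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
# Logging of spoofed / source-routed / redirect packets is OFF here: the
# original heading said "Enable", but a value of 0 disables it. Set these
# to 1 to get the martian log lines (useful detection signal, can be noisy).
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.lo.log_martians = 0
net.ipv4.conf.eth0.log_martians = 0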
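# Disables IP source routing
# (repeat of the same keys set a few lines earlier; harmless, last value wins)
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.lo.accept_source_route = 0
net.ipv4.conf.eth0.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
# Enable IP spoofing protection, turn on source route verification
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Disable ICMP Redirect Acceptance
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0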
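# Disables the magic-sysrq key
kernel.sysrq = 0
# NOTE(review): several keys below (tcp_fin_timeout, tcp_window_scaling,
# tcp_sack, tcp_timestamps, tcp_max_syn_backlog, ip_local_port_range) were
# already assigned different values earlier in this file. When loaded as one
# sysctl.conf the last assignment wins, so these are the effective ones.
# Decrease the time default value for tcp_fin_timeout connection
net.ipv4.tcp_fin_timeout = 15
# Decrease the time default value for tcp_keepalive_time connection
net.ipv4.tcp_keepalive_time = 1800
# Turn off the tcp_window_scaling (caps the TCP window at 64 KiB, which also
# makes the multi-megabyte buffers set earlier unreachable)
net.ipv4.tcp_window_scaling = 0
# Turn off the tcp_sack
net.ipv4.tcp_sack = 0
# Turn off the tcp_timestamps (also disables PAWS, and tcp_tw_recycle /
# tcp_tw_reuse both rely on timestamps, so they stop having any effect)
net.ipv4.tcp_timestamps = 0
# Enable TCP SYN Cookie Protection
net.ipv4.tcp_syncookies = 1
# Enable ignoring broadcasts request
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Enable bad error message Protection
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Log Spoofed Packets, Source Routed Packets, Redirect Packets
net.ipv4.conf.all.log_martians = 1
# Increases the size of the socket queue (effectively, q0).
net.ipv4.tcp_max_syn_backlog = 1024
# Increase the tcp-time-wait buckets pool size
net.ipv4.tcp_max_tw_buckets = 1440000
# Allowed local port range
# FIX: the upper bound was 65536, which is outside the valid port range and
# is rejected by the kernel, leaving the default range in place.
net.ipv4.ip_local_port_range = 16384 65535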
============================================================================
Cookie功能,该功能可以防止部分SYN攻击。tcp_synack_retries和tcp_syn_retries定义SYN的重试次数
Disabling these TCP options reduces the overhead of each TCP packet and might help to get the last few percent of performance out of the server. Be aware that disabling them most likely decreases performance on high-latency and lossy links.
* net.ipv4.tcp_sack = 0
* net.ipv4.tcp_timestamps = 0
Increasing the TCP send and receive buffers will increase performance a lot if (and only if) you have a lot of large files to send.
* net.ipv4.tcp_wmem = 4096 65536 524288
* net.core.wmem_max = 1048576
If you have a lot of large file uploads, increasing the receive buffers will help.
* net.ipv4.tcp_rmem = 4096 87380 524288
* net.core.rmem_max = 1048576
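# These ensure that TIME_WAIT ports either get reused or closed fast.
# NOTE(review): tcp_fin_timeout is the FIN-WAIT-2 hold time (seconds) for
# orphaned sockets, not the TIME_WAIT length; 1 second is very aggressive
# and may cut off the tail of a slow peer's close.
net.ipv4.tcp_fin_timeout = 1
# NOTE(review): tcp_tw_recycle validates peer timestamps per address, so it
# rejects SYNs from clients behind a shared NAT whose clocks differ. It was
# removed in Linux 4.12, so this line fails to apply on newer kernels.
# tcp_tw_reuse is the safe alternative.
net.ipv4.tcp_tw_recycle = 1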
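# TCP memory
# A 16 MiB default receive buffer applies to every new socket (UDP included),
# so the memory ceiling scales with the number of open sockets.
net.core.rmem_max = 16777216
net.core.rmem_default = 16777216
net.core.netdev_max_backlog = 262144
# NOTE(review): kernels before about 5.4 clamp somaxconn to 65535 and
# silently truncate larger values (check the running kernel).
net.core.somaxconn = 262144
# SYN cookies only engage once the SYN backlog below overflows; with a backlog
# this large they rarely do, so the backlog itself bounds half-open state.
net.ipv4.tcp_syncookies = 1
# Each orphaned socket can pin up to ~64 KiB of unswappable kernel memory
# (Documentation/networking/ip-sysctl), so size this against available RAM.
net.ipv4.tcp_max_orphans = 262144
net.ipv4.tcp_max_syn_backlog = 262144
# Fewer SYN-ACK / SYN retransmits shorten how long half-open entries are held.
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 2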
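# You shouldn't be using conntrack on a heavily loaded server anyway, but
# these are suitably high for our uses, ensuring that if conntrack gets
# turned on the box doesn't die.
# NOTE(review): net.ipv4.ip_conntrack_max is the legacy (pre-nf_conntrack)
# key; where it is absent, or when the conntrack module is not loaded,
# `sysctl -p` reports an unknown key (use `sysctl -e -p` to continue past
# it). Every tracked flow costs kernel memory, so a 1M-entry table should be
# sized against RAM.
net.ipv4.ip_conntrack_max = 1048576
net.nf_conntrack_max = 1048576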
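# increase Linux TCP buffer limits
# (in the original these two echo lines were folded onto the comment line,
# which turned them into comment text; they are restored here)
echo 8388608 > /proc/sys/net/core/rmem_max
echo 8388608 > /proc/sys/net/core/wmem_max
# increase Linux autotuning TCP buffer limits (min / default / max, bytes)
echo "4096 87380 8388608" > /proc/sys/net/ipv4/tcp_rmem
echo "4096 65536 8388608" > /proc/sys/net/ipv4/tcp_wmem
#echo 65536 > /proc/sys/fs/file-max # physical RAM * 256/4
echo "1024 65000" > /proc/sys/net/ipv4/ip_local_port_range
#echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 8192 > /proc/sys/net/ipv4/tcp_max_syn_backlog
# Decrease the time default value for tcp_fin_timeout connection
#echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
#echo 3 > /proc/sys/net/ipv4/tcp_syn_retries
#echo 2 > /proc/sys/net/ipv4/tcp_retries1
# Decrease the time default value for tcp_keepalive_time connection
#echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_time
# Turn off tcp_window_scaling
# NOTE(review): without window scaling the TCP window is limited to 64 KiB,
# so the 8 MiB tcp_rmem/tcp_wmem ceilings set above are never reachable.
echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
#echo "67108864" > /proc/sys/kernel/shmmax
# Turn off the tcp_sack
echo 0 > /proc/sys/net/ipv4/tcp_sack # This disables RFC2018 TCP Selective Acknowledgements
# Turn off tcp_timestamps
# NOTE(review): RFC1323 timestamps also drive PAWS (protection against
# wrapped sequence numbers); disabling them removes that check on fast links.
echo 0 > /proc/sys/net/ipv4/tcp_timestamps # This disables RFC1323 TCP timestamps
# kernel.panic is in seconds, not minutes: reboot 5 seconds after a kernel
# panic (0 disables the automatic reboot).
echo 5 > /proc/sys/kernel/panic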
the third:
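# RFC1323 window scaling is required for the 16 MiB buffers below to be usable.
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_syncookies = 1
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
# min / default / max (bytes) per socket; the per-socket max is further
# capped by the net.core.*mem_max values above.
net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_wmem = 4096 65536 16777216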
Lot of tuning
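# Disables packet forwarding
net.ipv4.ip_forward = 0
# Enables source route verification (reverse-path filter) for new interfaces.
# NOTE(review): only conf.default is set here; conf.all is left at the kernel
# default, and the kernel applies the higher of conf.all and the interface
# value, so existing interfaces are not covered by this line alone.
net.ipv4.conf.default.rp_filter = 1
# Disables the magic-sysrq key
kernel.sysrq = 0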
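# Decrease the time default value for tcp_fin_timeout connection
net.ipv4.tcp_fin_timeout = 25
# Decrease the time default value for tcp_keepalive_time connection
net.ipv4.tcp_keepalive_time = 3600
# Turn on the tcp_window_scaling
net.ipv4.tcp_window_scaling = 1
# Turn on the tcp_sack
net.ipv4.tcp_sack = 1
# tcp_fack should be on because of sack
# NOTE(review): FACK was removed around Linux 4.15; the key still exists
# there but has no effect.
net.ipv4.tcp_fack = 1
# Turn on the tcp_timestamps
net.ipv4.tcp_timestamps = 1
# Enable TCP SYN Cookie Protection
net.ipv4.tcp_syncookies = 1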
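# Enable ignoring broadcasts request (stops the host answering broadcast
# pings, i.e. acting as an ICMP amplifier)
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Disable ICMP Redirect Acceptance
net.ipv4.conf.all.accept_redirects = 0
# Enable bad error message Protection
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Don't Log Spoofed Packets, Source Routed Packets, Redirect Packets
# NOTE(review): martian logging is a cheap detection signal for spoofed or
# source-routed traffic; leave it off only if the log volume is a problem.
net.ipv4.conf.all.log_martians = 0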
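# Make more local ports available
net.ipv4.ip_local_port_range = 1024 65000
# Increase maximum amount of memory allocated to shm
kernel.shmmax = 1073741824
# Improve file system performance
# NOTE(review): vm.bdflush is a 2.4-series key that does not exist on 2.6+
# kernels; there `sysctl -p` reports it as an unknown key.
vm.bdflush = 100 1200 128 512 15 5000 500 1884 2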
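# This will increase the amount of memory available for socket input/output queues
# NOTE(review): the middle tcp_rmem value and rmem_default set a 24 MiB
# *initial* receive limit per socket before autotuning. Memory is only
# committed as data queues, but across many connections that ceiling is
# large; the usual pattern is a small default and a large max.
net.ipv4.tcp_rmem = 4096 25165824 25165824
net.core.rmem_max = 25165824
net.core.rmem_default = 25165824
net.ipv4.tcp_wmem = 4096 65536 25165824
net.core.wmem_max = 25165824
net.core.wmem_default = 65536
net.core.optmem_max = 25165824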
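# If you are feeling daring, you can also use these settings below, otherwise
# just remove them. (Should increase performance)
net.core.netdev_max_backlog = 2500
# NOTE(review): tcp_tw_recycle drops SYNs from clients behind a shared NAT
# (per-address PAWS timestamp check) and was removed in Linux 4.12; it is
# also a no-op when tcp_timestamps is 0. tcp_tw_reuse on its own is the safe
# option.
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
# Same buffer values as the preceding block, repeated verbatim.
net.ipv4.tcp_rmem = 4096 25165824 25165824
net.core.rmem_max = 25165824
net.core.rmem_default = 25165824
net.ipv4.tcp_wmem = 4096 65536 25165824
net.core.wmem_max = 25165824
net.core.wmem_default = 65536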
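# Disables packet forwarding
net.ipv4.ip_forward=0
# Disables IP source routing
# NOTE(review): the conf.eth0.* keys below only apply if an interface named
# eth0 exists; on hosts using predictable names those lines are rejected.
# The effective value combines conf.all with the per-interface key (the
# combining rule differs per key, see Documentation/networking/ip-sysctl),
# which is why all, lo, eth0 and default are each set.
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.lo.accept_source_route = 0
net.ipv4.conf.eth0.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
# Enable IP spoofing protection, turn on source route verification
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Disable ICMP Redirect Acceptance
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
# Logging of spoofed / source-routed / redirect packets is OFF here: the
# original heading said "Enable", but a value of 0 disables it. Set these
# to 1 to get the martian log lines (useful detection signal, can be noisy).
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.lo.log_martians = 0
net.ipv4.conf.eth0.log_martians = 0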
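# Disables IP source routing
# (repeat of the same keys set a few lines earlier; harmless, last value wins)
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.lo.accept_source_route = 0
net.ipv4.conf.eth0.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
# Enable IP spoofing protection, turn on source route verification
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Disable ICMP Redirect Acceptance
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0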
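# Disables the magic-sysrq key
kernel.sysrq = 0
# NOTE(review): several keys below (tcp_fin_timeout, tcp_window_scaling,
# tcp_sack, tcp_timestamps, tcp_max_syn_backlog, ip_local_port_range) were
# already assigned different values earlier in this file. When loaded as one
# sysctl.conf the last assignment wins, so these are the effective ones.
# Decrease the time default value for tcp_fin_timeout connection
net.ipv4.tcp_fin_timeout = 15
# Decrease the time default value for tcp_keepalive_time connection
net.ipv4.tcp_keepalive_time = 1800
# Turn off the tcp_window_scaling (caps the TCP window at 64 KiB, which also
# makes the multi-megabyte buffers set earlier unreachable)
net.ipv4.tcp_window_scaling = 0
# Turn off the tcp_sack
net.ipv4.tcp_sack = 0
# Turn off the tcp_timestamps (also disables PAWS, and tcp_tw_recycle /
# tcp_tw_reuse both rely on timestamps, so they stop having any effect)
net.ipv4.tcp_timestamps = 0
# Enable TCP SYN Cookie Protection
net.ipv4.tcp_syncookies = 1
# Enable ignoring broadcasts request
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Enable bad error message Protection
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Log Spoofed Packets, Source Routed Packets, Redirect Packets
net.ipv4.conf.all.log_martians = 1
# Increases the size of the socket queue (effectively, q0).
net.ipv4.tcp_max_syn_backlog = 1024
# Increase the tcp-time-wait buckets pool size
net.ipv4.tcp_max_tw_buckets = 1440000
# Allowed local port range
# FIX: the upper bound was 65536, which is outside the valid port range and
# is rejected by the kernel, leaving the default range in place.
net.ipv4.ip_local_port_range = 16384 65535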
============================================================================