vi /etc/sysctl.conf
Edit the file and add the following:
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_fin_timeout = 30
Then run /sbin/sysctl -p to make the parameters take effect.
net.ipv4.tcp_syncookies = 1 enables SYN cookies. When the SYN wait queue overflows, cookies are used to handle it, which can defend against a small amount of SYN flooding; the default is 0, meaning off;
net.ipv4.tcp_tw_reuse = 1 enables reuse: TIME-WAIT sockets may be reused for new TCP connections; the default is 0, meaning off;
net.ipv4.tcp_tw_recycle = 1 enables fast recycling of TIME-WAIT sockets in TCP connections; the default is 0, meaning off.
net.ipv4.tcp_fin_timeout changes the system's default TIMEOUT value.
After the change, check the number of TIME_WAIT connections with:
netstat -ae | grep "TIME_WAIT" | wc -l
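The count above only tells you how many sockets sit in TIME_WAIT; to judge whether the settings help, that number is best read next to the other states. The shell snippet below is an added example (mine, not the original post's) that summarises connection states from netstat -ant style output. The sample output is constructed and the function names are this example's own. One caveat on the four settings: net.ipv4.tcp_tw_recycle was removed in Linux 4.12, and on older kernels it drops connections from clients behind NAT, so net.ipv4.tcp_tw_reuse together with a wider local port range is the safer lever.

```shell
#!/bin/sh
# Added example (not from the original post): summarise TCP connection states
# from netstat-style output so TIME_WAIT can be compared with the other states
# before and after the sysctl changes. Works on a saved capture or live output.

# Constructed sample (not a real capture). As in `netstat -ant`, the state is
# the last column and header lines do not start with "tcp".
SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             10.0.0.9:51000          ESTABLISHED
tcp        0      0 10.0.0.5:80             10.0.0.9:51001          TIME_WAIT
tcp        0      0 10.0.0.5:80             10.0.0.9:51002          TIME_WAIT
tcp        0      0 10.0.0.5:80             10.0.0.9:51003          TIME_WAIT
tcp        0      0 10.0.0.5:443            10.0.0.7:40010          FIN_WAIT2
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN'

# Print "STATE count" for every state seen, most frequent first.
# Reads stdin; only tcp/tcp6 rows are counted, headers are skipped.
state_summary() {
    awk '$1 ~ /^tcp6?$/ { n[$NF]++ }
         END { for (s in n) print s, n[s] }' | sort -k2,2nr
}

# Count sockets in one state (default TIME_WAIT); reads stdin, prints 0 if none.
count_state() {
    _state="${1:-TIME_WAIT}"
    awk -v want="$_state" '$1 ~ /^tcp6?$/ && $NF == want { c++ } END { print c + 0 }'
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE" | state_summary
printf 'TIME_WAIT sockets: %s\n' "$(printf '%s\n' "$SAMPLE" | count_state)"
```

On a live Linux host, pipe real output in with netstat -ant | state_summary (ss -ant prints the state in the first column instead, so it needs a different filter).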
kernel.shmall = 268435456
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_keepalive_time = 1200
net.ipv4.ip_local_port_range = 1024 65000
net.ipv4.tcp_max_tw_buckets = 5000
net.ipv4.tcp_max_tw_buckets = 5000
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_keepalive_time = 300
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.ip_local_port_range = 5000 65000
net.ipv4.tcp_mem = 786432 1048576 1572864
net.core.wmem_max = 873200
net.core.rmem_max = 873200
net.ipv4.tcp_wmem = 8192 436600 873200
net.ipv4.tcp_rmem = 32768 436600 873200
net.core.somaxconn = 256
net.core.netdev_max_backlog = 1000
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_retries2 = 5
net.ipv4.tcp_keepalive_time = 500
net.ipv4.tcp_keepalive_intvl = 30
net.ipv4.tcp_keepalive_probes = 3
net.ipv4.conf.lo.arp_ignore = 0
net.ipv4.conf.lo.arp_announce = 0
net.ipv4.conf.all.arp_ignore = 0
net.ipv4.conf.all.arp_announce = 0
Parameter explanation:
net.ipv4.tcp_syncookies = 1
# Enables SYN cookies. When the SYN wait queue overflows, cookies are used to handle it, which defends against a small amount of SYN flooding; the default is 0, meaning off;
net.ipv4.tcp_tw_reuse = 1
# Enables reuse: TIME-WAIT sockets may be reused for new TCP connections; the default is 0, meaning off;
net.ipv4.tcp_tw_recycle = 1
# Enables fast recycling of TIME-WAIT sockets in TCP connections; the default is 0, meaning off.
net.ipv4.tcp_fin_timeout = 30
# If a socket is closed by the local end, this parameter decides how long it stays in the FIN-WAIT-2 state.
net.ipv4.tcp_keepalive_time = 1200
# When keepalive is enabled, how often TCP sends keepalive messages. The default is 2 hours; changed to 20 minutes.
net.ipv4.ip_local_port_range = 1024 65000
# The port range used for outbound connections. The default is very small: 32768 to 61000; changed to 1024 to 65000.
net.ipv4.tcp_max_tw_buckets = 5000
# The maximum number of TIME_WAIT sockets the system keeps at the same time; above this number,
# TIME_WAIT sockets are cleared immediately and a warning is printed. The default is 180000; changed to 5000.
# For servers such as Apache and Nginx, the parameters in the lines above reduce the number of TIME_WAIT sockets well,
# but for Squid the effect is small. This parameter caps the number of TIME_WAIT sockets, so a Squid server is not dragged down by a flood of them.
----------------------------------------------------------------------------
The Linux kernel exports kernel information to users through the /proc virtual file system, and users can also configure the kernel dynamically through the /proc file system or the sysctl command. For example, to enable NAT, besides loading the modules and configuring the firewall, you also need to enable kernel forwarding. There are three ways:
1. Write to the /proc file system directly
# echo 1 > /proc/sys/net/ipv4/ip_forward
2. Use the sysctl command
# sysctl -w net.ipv4.ip_forward=1
sysctl -a shows all the variables the kernel exports
3. Edit /etc/sysctl.conf
Add the following line, so that the variable's value is 1 after every boot
net.ipv4.ip_forward = 1
sysctl is a command in the procps package, which also provides w, ps, vmstat, pgrep, pkill, top, slabtop and other commands.
sysctl configures and displays the kernel parameters in the /proc/sys directory; it can be used to set or reset networking functions such as IP forwarding, IP fragment removal and source route checking. Users only need to edit /etc/sysctl.conf to run the functions controlled by sysctl, manually or automatically.
Command format:
sysctl [-n] [-e] -w variable=value
sysctl [-n] [-e] -p <filename> (default /etc/sysctl.conf)
sysctl [-n] [-e] -a
Meaning of the common options:
-w temporarily changes the value of a specified parameter, e.g.
sysctl -w net.ipv4.ip_forward=1
-a shows all system parameters
-p loads system parameters from the specified file; if none is given, they are loaded from /etc/sysctl.conf
If you only want to change the value of a system parameter temporarily, there are two ways to do it; for example, to enable IP route forwarding:
1) # echo 1 > /proc/sys/net/ipv4/ip_forward
2) # sysctl -w net.ipv4.ip_forward=1
Both methods can enable routing immediately, but if the system reboots, or the
# service network restart
command is run, the value you set is lost; to keep the configuration permanently, edit /etc/sysctl.conf
and change net.ipv4.ip_forward=0 to net.ipv4.ip_forward=1
sysctl is an interface that lets you change a running Linux system. It includes some advanced options for the TCP/IP stack and the virtual memory system, which lets an experienced administrator achieve striking improvements in system performance. With sysctl you can read and set more than five hundred system variables. Based on this, sysctl(8) provides two functions: reading and modifying system settings.
View all readable variables:
% sysctl -a
Read one specific variable, for example kern.maxproc:
% sysctl kern.maxproc
kern.maxproc: 1044
To set a specific variable, use the variable=value syntax directly:
# sysctl kern.maxfiles=5000
kern.maxfiles: 2088 -> 5000
You can modify system variables with sysctl, or by editing the sysctl.conf file. sysctl.conf looks a lot like rc.conf. It sets values in the variable=value form. The specified values are set after the system enters multi-user mode. Not every variable can be set in this mode.
sysctl variable settings are usually strings, numbers or booleans (a boolean uses 1 for 'yes' and 0 for 'no').
sysctl -w kernel.sysrq=0
sysctl -w kernel.core_uses_pid=1
sysctl -w net.ipv4.conf.default.accept_redirects=0
sysctl -w net.ipv4.conf.default.accept_source_route=0
sysctl -w net.ipv4.conf.default.rp_filter=1
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_max_syn_backlog=2048
sysctl -w net.ipv4.tcp_fin_timeout=30
sysctl -w net.ipv4.tcp_synack_retries=2
sysctl -w net.ipv4.tcp_keepalive_time=3600
sysctl -w net.ipv4.tcp_window_scaling=1
sysctl -w net.ipv4.tcp_sack=1
Configuring sysctl
Edit this file:
vi /etc/sysctl.conf
If the file is empty, enter the following; otherwise adjust it to your own situation:
# Controls source route verification
# Default should work for all interfaces
net.ipv4.conf.default.rp_filter = 1
# net.ipv4.conf.all.rp_filter = 1
# net.ipv4.conf.lo.rp_filter = 1
# net.ipv4.conf.eth0.rp_filter = 1
# Disables IP source routing
# Default should work for all interfaces
net.ipv4.conf.default.accept_source_route = 0
# net.ipv4.conf.all.accept_source_route = 0
# net.ipv4.conf.lo.accept_source_route = 0
# net.ipv4.conf.eth0.accept_source_route = 0
# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0
# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1
# Increase maximum amount of memory allocated to shm
# Only uncomment if needed!
# kernel.shmmax = 67108864
# Disable ICMP Redirect Acceptance
# Default should work for all interfaces
net.ipv4.conf.default.accept_redirects = 0
# net.ipv4.conf.all.accept_redirects = 0
# net.ipv4.conf.lo.accept_redirects = 0
# net.ipv4.conf.eth0.accept_redirects = 0
# Enable Log Spoofed Packets, Source Routed Packets, Redirect Packets
# Default should work for all interfaces
net.ipv4.conf.default.log_martians = 1
# net.ipv4.conf.all.log_martians = 1
# net.ipv4.conf.lo.log_martians = 1
# net.ipv4.conf.eth0.log_martians = 1
# Decrease the time default value for tcp_fin_timeout connection
net.ipv4.tcp_fin_timeout = 25
# Decrease the time default value for tcp_keepalive_time connection
net.ipv4.tcp_keepalive_time = 1200
# Turn on the tcp_window_scaling
net.ipv4.tcp_window_scaling = 1
# Turn on the tcp_sack
net.ipv4.tcp_sack = 1
# tcp_fack should be on because of sack
net.ipv4.tcp_fack = 1
# Turn on the tcp_timestamps
net.ipv4.tcp_timestamps = 1
# Enable TCP SYN Cookie Protection
net.ipv4.tcp_syncookies = 1
# Enable ignoring broadcasts request
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Enable bad error message Protection
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Make more local ports available
# net.ipv4.ip_local_port_range = 1024 65000
# Set TCP Re-Ordering value in kernel to '5'
net.ipv4.tcp_reordering = 5
# Lower syn retry rates
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 3
# Set Max SYN Backlog to '2048'
net.ipv4.tcp_max_syn_backlog = 2048
# Various Settings
net.core.netdev_max_backlog = 1024
# Increase the maximum number of skb-heads to be cached
net.core.hot_list_length = 256
# Increase the tcp-time-wait buckets pool size
net.ipv4.tcp_max_tw_buckets = 360000
# This will increase the amount of memory available for socket input/output queues
net.core.rmem_default = 65535
net.core.rmem_max = 8388608
net.ipv4.tcp_rmem = 4096 87380 8388608
net.core.wmem_default = 65535
net.core.wmem_max = 8388608
net.ipv4.tcp_wmem = 4096 65535 8388608
net.ipv4.tcp_mem = 8388608 8388608 8388608
net.core.optmem_max = 40960
If you want to stop others from pinging your host, add the following:
# Disable ping requests
net.ipv4.icmp_echo_ignore_all = 1
After editing, run the following commands to make the parameters take effect immediately:
/sbin/sysctl -p
/sbin/sysctl -w net.ipv4.route.flush=1
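Both the three ways of setting a parameter described earlier and the hardening file above leave the same question open: does the file on disk say what you intend, and does a saved dump of the running kernel agree with it? The shell script below is an added example (not part of the original post): it reads a sysctl.conf file, or a saved sysctl -a dump, and reports every baseline key that is missing or set to another value. The baseline is taken from the post's own file; the sample file it checks is constructed, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): audit a sysctl.conf file or a
# saved `sysctl -a` dump against a hardening baseline.
# Usage: audit_sysctl FILE      (prints OK / MISSING / MISMATCH per key)
#        audit_failures FILE    (prints the number of keys that are not OK)

# Baseline taken from the post's recommended sysctl.conf, one key=value per line.
BASELINE='net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.default.accept_source_route=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.default.log_martians=1
net.ipv4.tcp_syncookies=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_responses=1
kernel.sysrq=0'

# Print the value of KEY in FILE. Accepts "key = value" and "key=value",
# skips comments (# or ;) and blank lines, trims whitespace, and lets the last
# occurrence win, which is how sysctl -p applies a file. Prints nothing if absent.
sysctl_file_get() {
    _key="$1"; _file="$2"
    awk -v key="$_key" '
        /^[[:space:]]*[#;]/ || /^[[:space:]]*$/ { next }
        {
            i = index($0, "=")
            if (i == 0) next
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            if (k == key) { val = v; seen = 1 }
        }
        END { if (seen) print val }' "$_file"
}

# Compare every baseline key with FILE and print one report line per key.
audit_sysctl() {
    _file="$1"
    printf '%s\n' "$BASELINE" | while IFS='=' read -r key want; do
        have=$(sysctl_file_get "$key" "$_file")
        if [ -z "$have" ]; then
            echo "MISSING  $key (want $want)"
        elif [ "$have" != "$want" ]; then
            echo "MISMATCH $key = $have (want $want)"
        else
            echo "OK       $key = $have"
        fi
    done
}

# Number of baseline keys that are missing or differ; 0 means the file complies.
audit_failures() {
    audit_sysctl "$1" | awk '!/^OK/ { n++ } END { print n + 0 }'
}

# Constructed sample file (not from a real host): accept_redirects drifts to 1,
# icmp_ignore_bogus_error_responses is missing, and kernel.sysrq is set twice
# so the later line must win.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# Controls source route verification
net.ipv4.conf.default.rp_filter = 1
kernel.sysrq = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.accept_redirects = 1
net.ipv4.conf.default.log_martians = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.ip_local_port_range = 1024 65000
kernel.sysrq = 0
EOF

audit_sysctl "$SAMPLE_CONF"
printf 'failures: %s\n' "$(audit_failures "$SAMPLE_CONF")"
```

To check the running kernel rather than the file, save sysctl -a > /tmp/sysctl.dump and pass the dump in; the "key = value" lines it prints are parsed by the same function.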
We often go into /proc/sys on Linux and set kernel parameters by hand, or echo a specific value into one of the virtual files under /proc to switch a feature on; a common example is enabling IP forwarding when the machine boots:
echo 1 > /proc/sys/net/ipv4/ip_forward
In fact, on Linux we can also use the sysctl command to easily view, set or automatically configure specific kernel settings. Type "sysctl -a" at the system prompt; an excerpt of the output follows:
abi.defhandler_coff = 117440515
dev.raid.speed_limit_max = 100000
net.ipv4.conf.default.send_redirects = 1
net.ipv4.conf.default.secure_redirects = 1
net.ipv4.conf.default.accept_redirects = 1
net.ipv4.conf.default.mc_forwarding = 0
net.ipv4.neigh.lo.delay_first_probe_time = 5
net.ipv4.neigh.lo.base_reachable_time = 30
net.ipv4.icmp_ratelimit = 100
net.ipv4.inet_peer_gc_mintime = 10
net.ipv4.igmp_max_memberships = 20
net.ipv4.ip_no_pmtu_disc = 0
net.core.no_cong_thresh = 20
net.core.netdev_max_backlog = 300
net.core.rmem_default = 65535
net.core.wmem_max = 65535
vm.kswapd = 512 32 8
vm.overcommit_memory = 0
vm.bdflush = 30 64 64 256 500 3000 60 0 0
vm.freepages = 351 702 1053
kernel.sem = 250 32000 32 128
kernel.panic = 0
kernel.domainname = (none)
kernel.hostname = pc02.shinewave.com.tw
kernel.version = #1 Tue Oct 30 20:11:04 EST 2001
kernel.osrelease = 2.4.9-13
kernel.ostype = Linux
fs.dentry-state = 1611 969 45 0 0 0
fs.file-nr = 1121 73 8192
fs.inode-state = 1333 523 0 0 0 0 0
From the syntax above we can see that sysctl notation writes the "/" of the directory structure as ".", chaining level after level. Of course, echoing a specific value into a virtual file under /proc can also be expressed with sysctl, for example:
# sysctl -w net.ipv4.ip_forward=1
Or edit /etc/sysctl.conf directly, adding or changing the 0/1 value for the specific file:
# Enables packet forwarding
net.ipv4.ip_forward = 1
# Enables source route verification
net.ipv4.conf.default.rp_filter = 1
# Disables the magic-sysrq key
kernel.sysrq = 0
Of course, if the setting is to survive a reboot, only adding or changing the 0/1 value in /etc/sysctl.conf preserves it (on RedHat, for example, after every boot init runs /etc/rc.d/rc.sysinit, which runs sysctl with the preset values in /etc/sysctl.conf).
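The mapping between the dotted key and the /proc/sys path described above is simple enough to script; the helper below is an added example (not from the original post) that converts in both directions and reads a key's live value through /proc/sys. It also covers the one case where a plain dot-for-slash swap is wrong: sysctl(8) accepts "/" as the separator too, and in that form a "." is a literal part of a name, which is how a VLAN interface such as eth0.100 is addressed. The function names are this example's own and the interface name is a constructed sample.

```shell
#!/bin/sh
# Added example (not from the original post): translate between the dotted
# sysctl key form and the /proc/sys path form, and read a key's live value.

# net.ipv4.ip_forward -> /proc/sys/net/ipv4/ip_forward
# A key written with "/" separators is taken as-is, so a "." inside it stays
# literal (constructed sample: net/ipv4/conf/eth0.100/rp_filter).
sysctl_key_to_path() {
    _key="$1"
    case "$_key" in
        */*) _rel="$_key" ;;                              # slash form: dots literal
        *)   _rel=$(printf '%s' "$_key" | tr '.' '/') ;;  # dotted form: swap
    esac
    printf '/proc/sys/%s\n' "$_rel"
}

# /proc/sys/net/ipv4/ip_forward -> net.ipv4.ip_forward
# If a path component contains a dot, keep the slash form so the key stays
# unambiguous instead of producing a key that would be split on that dot.
sysctl_path_to_key() {
    _rel="${1#/proc/sys/}"
    case "$_rel" in
        *.*) printf '%s\n' "$_rel" ;;
        *)   printf '%s\n' "$_rel" | tr '/' '.' ;;
    esac
}

# Print the live value of a key (dotted or slash form).
# Prints nothing and returns 1 when the key does not exist on this kernel.
sysctl_read() {
    _p=$(sysctl_key_to_path "$1")
    [ -r "$_p" ] || return 1
    cat "$_p"
}

# Stand-alone demonstration; the read may report "not available" on kernels
# or systems without that key.
sysctl_key_to_path net.ipv4.ip_forward
sysctl_path_to_key /proc/sys/net/ipv4/conf/eth0.100/rp_filter
sysctl_read net.ipv4.ip_forward || echo "net.ipv4.ip_forward: not available here"
```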
Related reference files:
/sbin/sysctl
/etc/sysctl.conf
sysctl 及sysctl.conf manpage
/usr/src/linux-x.y.z/Documentation/sysctl/*
/usr/share/doc/kernel-doc-x.y.z/sysctl/* (RedHat)
http://hi.baidu.com/caosicong/blog/item/0a592360d438cfda8db10d9b.html
http://hi.baidu.com/phpfamer/blog/item/932e276eb39c30de80cb4a3c.html
Source: Reducing the number of TIME_WAIT sockets on Linux: kernel parameter tuning with sysctl - Linux, Unix, FreeBSD - Computer Systems - Hacker Forum - Taiwan forum, Taiwan BBS: http://www.dk101.com/Discuz/viewthread.php?tid=193657#ixzz1RJojCxTC