/proc/sys/net/ipv4/: how to configure Linux network parameters

2025-04-06 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/03 Report--

Many newcomers are unclear about how to configure Linux network parameters through the files under /proc/sys/net/ipv4/. The following sections explain each file in detail, together with its default value, so that anyone who needs this can work through it.

1) /proc/sys/net/ipv4/ip_forward

This file indicates whether IP forwarding is enabled.

0: forwarding disabled; 1: forwarding enabled

Default setting: 0

2) /proc/sys/net/ipv4/ip_default_ttl

This file sets the Time To Live (TTL) of outgoing datagrams, that is, the maximum number of routers a datagram may pass through.

Default: 64. Increasing this value will degrade system performance.

3) /proc/sys/net/ipv4/ip_no_pmtu_disc

This file indicates whether path MTU discovery is disabled globally.

Default setting: 0

4) /proc/sys/net/ipv4/route/min_pmtu

This file represents the size of the minimum path MTU.

Default: 552

5) /proc/sys/net/ipv4/route/mtu_expires

This file represents how long PMTU information is cached (in seconds).

Default setting: 600 (seconds)

6) /proc/sys/net/ipv4/route/min_adv_mss

This file sets the smallest advertised MSS (Maximum Segment Size); it depends on the MTU of the first-hop router.

Default: 256 (bytes)

IP Fragmentation

1) /proc/sys/net/ipv4/ipfrag_low_thresh

/proc/sys/net/ipv4/ipfrag_high_thresh

These two files set the low and high memory thresholds, respectively, for reassembling IP fragments. Once the high threshold is reached, further fragments are discarded until memory use falls back to the low threshold.

Default: 196608 (ipfrag_low_thresh)

262144 (ipfrag_high_thresh)

2) /proc/sys/net/ipv4/ipfrag_time

This file sets how many seconds an IP fragment is kept in memory while waiting for reassembly.

INET Peer Storage

1) /proc/sys/net/ipv4/inet_peer_threshold

The approximate size of the INET peer storage. When this threshold is exceeded, entries are discarded. The threshold also determines the lifetime of entries and the interval between garbage collection passes: the more entries there are, the shorter the lifetime and the shorter the GC interval.

Default: 65664

2) /proc/sys/net/ipv4/inet_peer_minttl

The minimum lifetime of an entry. It must be long enough to cover the fragment lifetime on the reassembling side. This minimum lifetime must guarantee that the pool stays smaller than inet_peer_threshold. The value is measured in jiffies.

Default: 120

3) /proc/sys/net/ipv4/inet_peer_maxttl

The maximum lifetime of an entry. After this period, if the pool is not under pressure (for example, the number of entries in the pool is very small), unused entries time out. The value is measured in jiffies.

Default setting: 600

4) /proc/sys/net/ipv4/inet_peer_gc_mintime

The minimum interval between garbage collection (GC) passes. This interval applies when memory pressure in the pool is high. The value is measured in jiffies.

Default: 10

5) /proc/sys/net/ipv4/inet_peer_gc_maxtime

The maximum interval between garbage collection (GC) passes. This interval applies when memory pressure in the pool is low. The value is measured in jiffies.

Default: 120

TCP Variables

1) /proc/sys/net/ipv4/tcp_syn_retries

This file sets the number of times a SYN is retransmitted for TCP connections initiated by this host; it should not be higher than 255. The value applies only to outgoing connections; incoming connections are governed by tcp_retries1.

Default setting: 5

2) /proc/sys/net/ipv4/tcp_keepalive_probes

This file sets the maximum number of TCP keepalive probes sent before the connection is dropped. Keepalive probes are sent only on sockets that have the SO_KEEPALIVE socket option enabled.

Default setting: 9 (times)

3) /proc/sys/net/ipv4/tcp_keepalive_time

This file sets the number of seconds a connection must be idle (no data transmitted) before the first keepalive probe is sent.

Default: 7200 (2 hours)

4) /proc/sys/net/ipv4/tcp_keepalive_intvl

This file sets the interval, in seconds, between TCP keepalive probes. Multiplied by tcp_keepalive_probes, it gives the time after which an unresponsive connection is considered dead and disconnected.

Default: 75 (seconds)

5) /proc/sys/net/ipv4/tcp_retries1

This file sets the number of retransmissions before giving up on answering a TCP connection request.

Default setting: 3

6) /proc/sys/net/ipv4/tcp_retries2

This file sets the number of times a TCP segment is retransmitted before the connection is abandoned in the established state.

Default: 15

7) /proc/sys/net/ipv4/tcp_orphan_retries

How many retries are made before the local end discards an orphaned TCP connection. The default value is 7, which corresponds to 50 seconds to 16 minutes depending on the RTO. If your system is a heavily loaded web server, you may want to lower this value, since such sockets can consume a lot of resources. See also tcp_max_orphans.

8) /proc/sys/net/ipv4/tcp_fin_timeout

For socket connections closed by the local end, the time the TCP connection stays in the FIN-WAIT-2 state. The peer may fail to close its side, may never finish the close, or its process may die unexpectedly. The default value is 60 seconds; in 2.2 kernels it was 180 seconds. You can lower this value, but be aware that on a heavily loaded web server you run the risk of memory filling up with a large number of stale FIN-WAIT-2 sockets. FIN-WAIT-2 sockets are less dangerous than FIN-WAIT-1 sockets because they consume at most 1.5K of memory each, but they live longer. See also tcp_max_orphans.

Default: 60 (seconds)

9) /proc/sys/net/ipv4/tcp_max_tw_buckets

The maximum number of TIME-WAIT sockets the system handles at the same time. If this number is exceeded, the TIME-WAIT socket is destroyed immediately and a warning message is printed. This limit exists purely to defend against simple DoS attacks; do not lower it artificially, but if your network conditions require more than the default, you can raise it (and perhaps add memory).

Default: 180000

10) /proc/sys/net/ipv4/tcp_tw_recycle

Enables fast recycling of TIME-WAIT sockets. Do not change this value unless advised or asked to by a technical expert.

Default setting: 0

11) /proc/sys/net/ipv4/tcp_tw_reuse

This file indicates whether sockets in the TIME-WAIT state may be reused for new TCP connections.

Default setting: 0

12) /proc/sys/net/ipv4/tcp_max_orphans

The maximum number of TCP sockets not attached to any process that the system can handle. If this number is exceeded, orphaned connections are reset immediately and a warning message is printed. This limit exists only to resist simple DoS attacks; do not rely on it, and do not lower it artificially.

Default: 8192

13) /proc/sys/net/ipv4/tcp_abort_on_overflow

When a listening daemon is too busy to accept a new connection, send a reset to the peer. The default value is false, which means that if the overflow was caused by an accidental burst, the connection will recover. Enable this option only if the listening daemon is genuinely unable to complete connection requests, since it affects the clients.

Default setting: 0

14) /proc/sys/net/ipv4/tcp_syncookies

This file indicates whether TCP SYN cookies are enabled; the kernel must be compiled with CONFIG_SYN_COOKIES. SYN cookies prevent a socket from being overwhelmed when there are too many attempts to connect to it.

Default setting: 0

15) /proc/sys/net/ipv4/tcp_stdurg

Use the host-requirements interpretation of the TCP urgent pointer field. Most hosts use the old BSD interpretation, so if you enable this on Linux you may not be able to communicate with them correctly.

Default setting: 0

16) /proc/sys/net/ipv4/tcp_max_syn_backlog

The maximum number of connection requests not yet acknowledged by the client to keep in the queue. The default value is 1024 for systems with more than 128Mb of memory and 128 for systems with less than 128Mb. If the server is often overloaded, you can try to increase this number. Warning! If you set this value higher than 1024, it is best to also change TCP_SYNQ_HSIZE in include/net/tcp.h to keep TCP_SYNQ_HSIZE*16 consistent with it (the kernel's ip-sysctl documentation states the condition as TCP_SYNQ_HSIZE*16 <= tcp_max_syn_backlog) and recompile the kernel.

Default: 1024

17) /proc/sys/net/ipv4/tcp_window_scaling

This file indicates whether the sliding window size of a TCP/IP session may vary. The parameter is a Boolean: 1 means variable, 0 means fixed. The window TCP/IP normally uses can be at most 65535 bytes, which may be too small for high-speed networks. If this feature is enabled, the TCP/IP sliding window can grow by several orders of magnitude, improving data transfer capacity.

Default setting: 1

18) /proc/sys/net/ipv4/tcp_sack

This file indicates whether Selective Acknowledgment (SACK) is enabled. SACK improves performance by selectively acknowledging segments received out of order, which allows the sender to retransmit only the missing segments. This option should be enabled (for WAN communication), but it increases CPU load.

Default setting: 1

19) /proc/sys/net/ipv4/tcp_timestamps

This file indicates whether TCP timestamps are enabled, which allow RTT to be calculated more precisely than from retransmission timeouts (see RFC 1323). This option should be enabled for better performance.

Default setting: 1

20) /proc/sys/net/ipv4/tcp_fack

This file indicates whether to turn on FACK congestion avoidance and fast retransmission.

Default setting: 1

21) /proc/sys/net/ipv4/tcp_dsack

This file indicates whether TCP is allowed to send duplicate SACKs (D-SACK).

Default setting: 1

22) /proc/sys/net/ipv4/tcp_ecn

This file indicates whether TCP Explicit Congestion Notification (ECN) is enabled.

Default setting: 0

23) /proc/sys/net/ipv4/tcp_reordering

This file sets the maximum number of reordered datagrams tolerated in a TCP stream.

Default setting: 3

24) /proc/sys/net/ipv4/tcp_retrans_collapse

This file indicates whether bug-to-bug compatibility with certain buggy printers is provided.

Default setting: 1

25) /proc/sys/net/ipv4/tcp_wmem

The file contains three integer values: min, default, max.

min: the minimum amount of memory reserved for the send buffer of a TCP socket. Every TCP socket can use this amount.

default: the amount of memory reserved by default for the send buffer of a TCP socket. This value affects net.core.wmem_default, which is used by other protocols, and is generally lower than net.core.wmem_default.

max: the maximum amount of memory reserved for the send buffer of a TCP socket. This value does not affect net.core.wmem_max, and a buffer size chosen with the SO_SNDBUF socket option is not limited by it. The default value is 128K.

Default: 4096 16384 131072

26) /proc/sys/net/ipv4/tcp_rmem

The file contains three integer values: min, default, max.

min: the amount of memory reserved for the receive buffer of a TCP socket; a TCP socket will have at least this much receive buffer even when memory is tight.

default: the amount of memory reserved by default for the receive buffer of a TCP socket. This value affects net.core.rmem_default, which is used by other protocols. With the default values of tcp_adv_win_scale and tcp_app_win, this value yields a TCP window size of 65535.

max: the maximum amount of memory reserved for the receive buffer of a TCP socket. This value does not affect net.core.rmem_max, and a buffer size chosen with the SO_RCVBUF socket option is not limited by it.

Default: 4096 87380 174760

27) /proc/sys/net/ipv4/tcp_mem

The file contains three integer values: low, pressure, high.

low: while TCP uses fewer memory pages than this value, TCP does not consider freeing memory.

pressure: when TCP uses more memory pages than this value, TCP tries to stabilise its memory usage and enters pressure mode; it leaves the pressure state when consumption drops below the low value.

high: the number of pages all TCP sockets together may use to queue buffered datagrams.

In general, these values are calculated from the amount of system memory when the system boots.

Default: 24576 32768 49152

28) /proc/sys/net/ipv4/tcp_app_win

This file sets the part of the window reserved for application buffering: max(window/2^tcp_app_win, mss). A value of 0 means no reservation is made.

Default: 31

29) /proc/sys/net/ipv4/tcp_adv_win_scale

This file sets how the buffer overhead is calculated: bytes/2^tcp_adv_win_scale (if tcp_adv_win_scale > 0) or bytes - bytes/2^(-tcp_adv_win_scale) (otherwise).

Default setting: 2
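As an added example (not code from the original article), the following Python applies the tcp_adv_win_scale and tcp_app_win formulas above to a tcp_rmem triple and checks the article's claim that the default values give a 65535-byte window; the function names are my own and the MSS of 1460 is a constructed sample value.

```python
# Added example, not code from the original article: the window arithmetic
# behind tcp_rmem, tcp_adv_win_scale and tcp_app_win.  Function names are
# my own; the numbers used are the article's stated defaults.

def parse_triple(text: str) -> tuple:
    """Parse the 'min default max' (or 'low pressure high') form of a sysctl file."""
    parts = text.split()
    if len(parts) != 3:
        raise ValueError(f"expected three integers, got {text!r}")
    return (int(parts[0]), int(parts[1]), int(parts[2]))

def buffer_overhead(buf_bytes: int, adv_win_scale: int) -> int:
    """Bytes of a receive buffer set aside for per-packet overhead.

    Implements the article's formula:
      bytes / 2^scale             if tcp_adv_win_scale > 0
      bytes - bytes / 2^(-scale)  otherwise
    """
    if adv_win_scale > 0:
        return buf_bytes >> adv_win_scale
    return buf_bytes - (buf_bytes >> -adv_win_scale)

def receive_window(buf_bytes: int, adv_win_scale: int) -> int:
    """Advertised window: the buffer minus its overhead share."""
    return buf_bytes - buffer_overhead(buf_bytes, adv_win_scale)

def app_reserve(window: int, app_win: int, mss: int) -> int:
    """Part of the window held back for the application: max(window/2^app_win, mss).

    tcp_app_win = 0 means no reservation at all.
    """
    if app_win == 0:
        return 0
    return max(window >> app_win, mss)

def needs_window_scaling(window: int) -> bool:
    """Without tcp_window_scaling the window field is 16 bits, so 65535 is the ceiling."""
    return window > 65535

def describe(rmem_text: str, adv_win_scale: int, app_win: int, mss: int) -> dict:
    """Summarise what the default and max tcp_rmem values translate to."""
    _, default, maximum = parse_triple(rmem_text)
    win_default = receive_window(default, adv_win_scale)
    win_max = receive_window(maximum, adv_win_scale)
    return {
        "default_window": win_default,
        "default_app_reserve": app_reserve(win_default, app_win, mss),
        "max_window": win_max,
        "max_needs_scaling": needs_window_scaling(win_max),
    }

if __name__ == "__main__":
    # Article defaults: tcp_rmem "4096 87380 174760", tcp_adv_win_scale 2,
    # tcp_app_win 31; the MSS of 1460 (Ethernet) is a constructed sample value.
    print(describe("4096 87380 174760", 2, 31, 1460))
```

With the defaults, 87380 - 87380/4 = 65535, which is exactly the window size the tcp_rmem entry above quotes, while the max value of 174760 yields 131070 and therefore only pays off when tcp_window_scaling is enabled.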

IP Variables

1) /proc/sys/net/ipv4/ip_local_port_range

This file sets the range of local port numbers used by TCP/UDP.

Default: 1024 4999

Recommended setting: 32768 61000

2) /proc/sys/net/ipv4/ip_nonlocal_bind

This file indicates whether a process is allowed to bind to a non-local address.

Default setting: 0

3) /proc/sys/net/ipv4/ip_dynaddr

This parameter is usually used with dial-up connections. It lets the system immediately rewrite the source address of IP packets to the new IP address, interrupting the original TCP session and reissuing a SYN with the new address to start a new TCP session. When IP masquerading is used, this parameter also lets the masquerade address switch to the new IP address immediately. The file indicates whether dynamic addresses are allowed: a non-zero value allows them, and a value greater than 1 additionally makes the kernel log dynamic address rewriting.

Default setting: 0

4) /proc/sys/net/ipv4/icmp_echo_ignore_all

/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

These files indicate whether the kernel ignores all ICMP ECHO requests, or ECHO requests sent to broadcast and multicast addresses, respectively.

0: respond to the request

1: ignore the request

Default setting: 0

Recommended setting: 1

5) /proc/sys/net/ipv4/icmp_ratelimit

6) /proc/sys/net/ipv4/icmp_ratemask

7) /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

Some routers violate RFC 1122 by sending bogus responses to broadcast frames. Such violations are normally logged as warnings in the system log. If this option is set to true, the kernel will not log these warning messages.

Default setting: 0

8) /proc/sys/net/ipv4/igmp_max_memberships

This file sets the maximum number of multicast group memberships.

Default: 20

Other Configuration

1) /proc/sys/net/ipv4/conf/*/accept_redirects

If there are two routers on the network segment where the host sits and you set one of them as the default gateway, that gateway may find, on receiving your IP packet, that the packet must go through the other router. It then sends you a so-called "redirect" ICMP packet telling you to forward the IP packet to the other router instead. The parameter is a Boolean: 1 means accept such ICMP redirects, 0 means ignore them. The default value is 0 on a Linux host acting as a router and 1 on an ordinary Linux host. It is recommended to change it to 0 to eliminate the security risk.

2) /proc/sys/net/ipv4/conf/*/accept_source_route

Whether to accept IP packets containing source routing information. The parameter is a Boolean: 1 means accept, 0 means reject. The default value is 1 on a Linux host acting as a gateway and 0 on an ordinary Linux host. From a security standpoint it is recommended to turn this function off.

3) /proc/sys/net/ipv4/conf/*/secure_redirects

So-called "secure redirection" means accepting "redirect" ICMP packets only from the gateway. This parameter controls the secure redirect feature. The parameter is a Boolean: 1 means enabled, 0 means disabled; the default is enabled.

4) /proc/sys/net/ipv4/conf/*/proxy_arp

Sets whether to relay ARP packets on the network. The parameter is a Boolean: 1 means relay, 0 means ignore; the default value is 0. This parameter is usually useful only on Linux hosts acting as routers.
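As an added example (not code from the original article), the following Python audits the security-relevant settings discussed on this page, ICMP echo, redirects, source routing, SYN cookies and the ephemeral port range, against the values the article recommends. It assumes conf/all/ as the concrete instance of the article's conf/*/ paths, reads the live tree by default, and can be pointed at a constructed directory so it also runs offline; the function names are my own.

```python
import os
import tempfile

# Settings discussed above, as (path under ipv4/, expected tokens, reason).
# Expected values follow the article's recommendations; conf/all/ is assumed
# as the concrete instance of the article's conf/*/ paths.
CHECKS = [
    ("icmp_echo_ignore_broadcasts", "1", "do not answer broadcast/multicast echo"),
    ("conf/all/accept_redirects", "0", "ignore ICMP redirects"),
    ("conf/all/accept_source_route", "0", "reject source-routed packets"),
    ("conf/all/secure_redirects", "1", "accept redirects only from the gateway"),
    ("tcp_syncookies", "1", "SYN cookies keep listeners usable under floods"),
    ("ip_local_port_range", "32768 61000", "article's recommended port range"),
]

def read_tokens(root, rel):
    """Read one sysctl file and split it into whitespace-separated tokens."""
    with open(os.path.join(root, rel)) as f:
        return f.read().split()

def audit(root="/proc/sys/net/ipv4"):
    """Return (path, current, expected, reason) for every setting that deviates."""
    findings = []
    for rel, expected, reason in CHECKS:
        try:
            current = read_tokens(root, rel)
        except OSError:
            findings.append((rel, None, expected, "file not present on this kernel"))
            continue
        if current != expected.split():
            findings.append((rel, " ".join(current), expected, reason))
    return findings

# Constructed values mirroring the defaults the article states, for offline runs.
ARTICLE_DEFAULTS = {
    "icmp_echo_ignore_broadcasts": "0",
    "conf/all/accept_redirects": "1",
    "conf/all/accept_source_route": "0",
    "conf/all/secure_redirects": "1",
    "tcp_syncookies": "0",
    "ip_local_port_range": "1024\t4999",  # /proc separates the pair with a tab
}

def write_fake_tree(base, values):
    """Create a /proc-like directory tree under `base` holding `values`."""
    for rel, val in values.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write(val + "\n")

def audit_article_defaults():
    """Audit a constructed tree of the article's defaults; return deviating paths."""
    base = tempfile.mkdtemp()
    write_fake_tree(base, ARTICLE_DEFAULTS)
    return sorted(f[0] for f in audit(base))
```

Calling audit() with no argument reads the live /proc/sys/net/ipv4 tree (no root needed for reading), and on a host still running the article's defaults it reports the broadcast echo, redirect, SYN cookie and port range settings as deviations.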
