The Significance and Application of Linux Kernel Network Parameters
Abstract:
This article describes some kernel network parameters in the /proc/sys/net/ipv4/ directory of a Linux system and gives my own views on how to improve the security and stability of a Linux system by adjusting them. It is intended as a reference for system administrators who want to further strengthen network security and system stability.
In Linux, we can adjust the kernel network parameters in the /proc/sys/net/ipv4/ directory according to different requirements. Configuring these parameters sensibly improves network security and system stability. Because there are few documents in this area, we cannot give a comprehensive introduction. A Linux organization is currently writing such documentation, and I believe we will see a complete document in the near future. Next, let's take a look at some common kernel network parameters.
Note:
1. Parameters whose value is a rate do not work on the loopback interface.
2. The kernel defines rates in terms of its internal clock in HZ, which is usually 100 HZ, so a parameter value of 100 allows one packet per second, and a value of 20 allows five packets per second.
3. All kernel network parameter configuration files are located in the /proc/sys/net/ipv4/ directory.
1. ICMP-related kernel configuration parameters
Overview: we usually use ICMP packets to check whether other protocols (such as TCP and UDP) on the target host are available. For example, an ICMP packet containing "Destination Unreachable" is the most common ICMP packet.
1. icmp_destunreach_rate: sets the response rate for ICMP packets whose content is "Destination Unreachable". The value must be an integer.
Application instance:
Suppose there are two hosts, A and B. First, we execute the following ipchains statement on host A: ipchains -A input -p icmp -j REJECT. REJECT here is different from DENY. DENY discards a matching packet as if it had never been received, whereas REJECT drops the packet and also sends a "Destination Unreachable" ICMP message to the requesting host.
Ping host A from host B. We will find that the "Destination Unreachable" ICMP packets come back promptly. Run the following command on host A:
echo "1000" > /proc/sys/net/ipv4/icmp_destunreach_rate
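The conversion from note 2 applied to the value written above, as an added example that is not part of the original article. The function names rate_to_pps and audit_icmp_rates are hypothetical, HZ defaults to 100 as in note 2, and the sample directory is constructed to stand in for /proc/sys/net/ipv4/.

```shell
#!/bin/sh
# Added example: report icmp_*_rate settings as packets per second,
# using the rule from note 2 (packets/s = HZ / value).

# rate_to_pps VALUE [HZ]: print the packets-per-second equivalent of VALUE.
rate_to_pps() {
    value=$1
    hz=${2:-100}                      # note 2: the clock is usually 100 HZ
    case $value in
        ''|*[!0-9]*) echo "invalid"; return 1 ;;   # the value must be an integer
    esac
    if [ "$value" -eq 0 ]; then
        # Assumption: 0 is treated here as "no limit"; this also avoids
        # dividing by zero.
        echo "unlimited"
        return 0
    fi
    awk -v v="$value" -v hz="$hz" 'BEGIN { printf "%g\n", hz / v }'
}

# audit_icmp_rates DIR [HZ]: list each icmp_*_rate file in DIR with its rate.
audit_icmp_rates() {
    dir=$1
    hz=${2:-100}
    found=0
    for f in "$dir"/icmp_*_rate; do
        [ -r "$f" ] || continue       # unmatched glob or unreadable file
        found=1
        v=$(cat "$f")
        printf '%s=%s (%s packets/s)\n' "${f##*/}" "$v" "$(rate_to_pps "$v" "$hz")"
    done
    [ "$found" -eq 1 ] || { echo "no icmp_*_rate files in $dir"; return 1; }
}

# Constructed sample directory holding the value set by the echo command above.
demo=$(mktemp -d)
echo 1000 > "$demo/icmp_destunreach_rate"
audit_icmp_rates "$demo"
rm -rf "$demo"
```

On a host that exposes these files, pass /proc/sys/net/ipv4 as the directory; kernels without any icmp_*_rate files make audit_icmp_rates return non-zero.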