sysctl command and Linux kernel parameter tuning

Source: Internet
Author: User
Tags: echo command, disk usage

The sysctl command is used to configure and display kernel parameters under /proc/sys. To keep a parameter setting across reboots, edit the /etc/sysctl.conf file.

Command format:

    sysctl [-n] [-e] -w variable=value
    sysctl [-n] [-e] -p [file]        (default: /etc/sysctl.conf)
    sysctl [-n] [-e] -a

Meaning of the common options:

-w   Temporarily change the value of the specified parameter, for example:
         # sysctl -w net.ipv4.ip_forward=1
-a   Display all system parameters
-p   Load system parameters from the specified file; by default /etc/sysctl.conf is loaded

For example, either of the following commands turns on the routing function immediately:

    # echo 1 > /proc/sys/net/ipv4/ip_forward
    # sysctl -w net.ipv4.ip_forward=1

Both take effect at once, but the value is lost when the system restarts or when `service network restart` is executed. To keep the configuration permanently, modify the /etc/sysctl.conf file and change net.ipv4.ip_forward=0 to net.ipv4.ip_forward=1.

Second, Linux kernel parameter adjustment. There are two ways to adjust Linux kernel parameters.

Method one: modify the kernel parameter files under /proc. An editor cannot be used on these files, because the kernel may change any of them at any time, and because they are virtual files that do not exist on disk. Instead, use the echo command and redirect its output from the command line into the chosen file under /proc. For example, to set the tcp_fin_timeout parameter to 30 seconds:

    # echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout

The parameter changes immediately, but after the system is rebooted it reverts to the default value. To change a kernel parameter permanently, modify the /etc/sysctl.conf file.

Method two: modify the /etc/sysctl.conf file.
Check whether sysctl.conf already contains the parameter you want to modify; if it does, change its value, otherwise add the parameter to the file. For example:

    net.ipv4.tcp_fin_timeout = 30

Save and exit. The parameters take effect after the machine is restarted; to apply them immediately, run:

    # sysctl -p

sysctl.conf parameter settings and descriptions

/proc/sys/net/core/wmem_max
    Maximum socket write buffer. Reference optimized value: 873200

/proc/sys/net/core/rmem_max
    Maximum socket read buffer. Reference optimized value: 873200

/proc/sys/net/ipv4/tcp_wmem
    TCP write buffer. Reference optimized value: 8192 436600 873200

/proc/sys/net/ipv4/tcp_rmem
    TCP read buffer. Reference optimized value: 32768 436600 873200

/proc/sys/net/ipv4/tcp_mem
    Also has 3 values, meaning:
    net.ipv4.tcp_mem[0]: below this value, TCP has no memory pressure.
    net.ipv4.tcp_mem[1]: at this value, TCP enters the memory pressure stage.
    net.ipv4.tcp_mem[2]: above this value, TCP refuses to allocate sockets.
    The units of the above memory values are pages, not bytes. Reference optimized value: 786432 1048576 1572864

/proc/sys/net/core/netdev_max_backlog
    Maximum queue of incoming packets per device. The default is 300, which is too low for heavily loaded servers; adjust to 1000.

/proc/sys/net/core/somaxconn
    The default backlog of listen(), i.e. the maximum number of pending connection requests. The default is 128. For busy servers, increasing this value helps network performance; adjustable to 256.

/proc/sys/net/core/optmem_max
    Maximum initial size of the socket option buffer. Default 10K.

/proc/sys/net/ipv4/tcp_max_syn_backlog
    Maximum queue of incoming SYN requests. Default 1024. For heavily loaded servers, adjustable to 2048.

/proc/sys/net/ipv4/tcp_retries2
    Number of TCP retransmissions before a connection is given up. Default 15, meaning 15 retries before the connection is abandoned completely. Reduce to 5 to release kernel resources as early as possible.

/proc/sys/net/ipv4/tcp_keepalive_time
/proc/sys/net/ipv4/tcp_keepalive_intvl
/proc/sys/net/ipv4/tcp_keepalive_probes
    These 3 parameters control TCP keepalive. The defaults are:
        tcp_keepalive_time = 7200 seconds (2 hours)
        tcp_keepalive_probes = 9
        tcp_keepalive_intvl = seconds (value missing on the page)
    This means that once a TCP connection has been idle for 2 hours, the kernel starts sending keepalive probes. If 9 probes (75 seconds) all fail, the kernel abandons the connection and considers it invalid. These values are obviously too large for a server; adjustable to:
        /proc/sys/net/ipv4/tcp_keepalive_time 1800
        /proc/sys/net/ipv4/tcp_keepalive_intvl 30
        /proc/sys/net/ipv4/tcp_keepalive_probes 3

/proc/sys/net/ipv4/ip_local_port_range
    The range of local ports used for outgoing connections. The default is 32768 61000, which is big enough.

net.ipv4.tcp_syncookies = 1
    Turns on SYN cookies. When the SYN wait queue overflows, cookies are enabled to protect against a small number of SYN attacks. The default is 0 (off).

net.ipv4.tcp_tw_reuse = 1
    Turns on reuse: allows TIME-WAIT sockets to be reused for new TCP connections. The default is 0 (off).

net.ipv4.tcp_tw_recycle = 1
    Enables fast recycling of TIME-WAIT sockets. The default is 0 (off). Note that tcp_tw_recycle rejects connections from clients behind NAT, because it checks TCP timestamps per source address, and the option was removed from the kernel in Linux 4.12.

net.ipv4.tcp_fin_timeout = 30
    If the socket is closed by the local side, this parameter determines how long it remains in the FIN-WAIT-2 state.

net.ipv4.tcp_keepalive_time = 1200
    The interval at which TCP sends keepalive messages when keepalive is enabled. The default is 2 hours; here it is changed to 20 minutes.

net.ipv4.ip_local_port_range = 1024 65000
    The range of ports used for outgoing connections. The default is small, 32768 to 61000; here it is changed to 1024 to 65000.

net.ipv4.tcp_max_syn_backlog = 8192
    The length of the SYN queue. The default is 1024; a larger queue length of 8192 can accommodate more connections waiting to be established.

net.ipv4.tcp_max_tw_buckets = 5000
    The maximum number of TIME-WAIT sockets the system keeps at the same time. If this number is exceeded, TIME-WAIT sockets are cleared immediately and a warning message is printed. The default is 180000; here it is changed to 5000. For Apache, Nginx and similar servers, the preceding few parameters are a good way to reduce the number of TIME-WAIT sockets, but for Squid their effect is limited. This parameter caps the number of TIME-WAIT sockets and prevents a Squid server from being dragged down by a large number of them.

NAT on Linux and iptables

When talking about NAT on Linux, most people will mention iptables. The reason is that iptables is currently a very good interface for implementing NAT on Linux: it operates on network packets directly at the kernel level, and it is highly efficient and stable. Below are some NAT-related iptables example commands that may help with most implementations.

To save space, the preparatory commands are omitted and only the core commands are listed, so if the function simply does not work for you, it is most likely because the preparatory work has not been done. If you are interested in the full details of the commands, see my "How to make your Linux gateway more powerful" series of articles, which describe each script in detail.
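The two methods above (echo into /proc/sys, or a line in /etc/sysctl.conf) describe one piece of state in two forms, and the practical problem is keeping them in agreement: a value set with echo or sysctl -w that was never written to the file silently disappears at the next reboot, and a file edited by hand may never have been applied. The following POSIX shell helpers, an added example rather than code from the page, do the "modify if present, append if absent" step the text describes for sysctl.conf, translate a dotted key into its /proc/sys path, and report every key whose saved value differs from the running one. The function names (sysctl_conf_set, sysctl_conf_get, sysctl_path, sysctl_drift) are my own, the optional ROOT argument exists only so the functions can be pointed at a fake /proc tree, and GNU sed (for sed -i -E) is assumed.

```shell
#!/bin/sh
# Added example (not from the original page): keep /etc/sysctl.conf and the
# running kernel in step. All function names below are hypothetical helpers.

# Escape the dots of a sysctl key so it can be used inside a sed regex.
_sysctl_re() { printf '%s' "$1" | sed 's/\./\\./g'; }

# Squeeze whitespace so "8192 436600 873200" from the file and the
# tab-separated triple from /proc compare equal.
_norm() { tr -s '\t ' ' ' | sed -E 's/^ //; s/ $//'; }

# net.ipv4.ip_forward -> ROOT/proc/sys/net/ipv4/ip_forward
# $2 is an optional root prefix (empty for the real system; a temp dir for tests).
sysctl_path() { printf '%s/proc/sys/%s' "${2:-}" "$(printf '%s' "$1" | tr . /)"; }

# Set KEY to VALUE in FILE: rewrite the existing line if the key is present
# (tolerating spaces around '='), otherwise append "key = value".
sysctl_conf_set() {
    file=$1 key=$2 value=$3
    [ -f "$file" ] || : > "$file"
    re=$(_sysctl_re "$key")
    if grep -Eq "^[[:space:]]*$re[[:space:]]*=" "$file"; then
        sed -i -E "s|^[[:space:]]*$re[[:space:]]*=.*|$key = $value|" "$file"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# Print the value saved for KEY in FILE; the last occurrence wins, as with sysctl -p.
sysctl_conf_get() {
    sed -nE "s|^[[:space:]]*$(_sysctl_re "$2")[[:space:]]*=[[:space:]]*||p" "$1" | tail -n 1 | _norm
}

# Compare every key in FILE with the live value under ROOT/proc/sys.
# Prints one "key saved=X live=Y" line per mismatch (live is empty when the
# /proc file does not exist); prints nothing when everything agrees.
sysctl_drift() {
    file=$1 root=${2:-}
    grep -Ev '^[[:space:]]*(#|;|$)' "$file" | while IFS= read -r line; do
        key=$(printf '%s' "$line" | sed -E 's/^[[:space:]]*([^=[:space:]]+).*/\1/')
        saved=$(printf '%s' "$line" | sed -E 's/^[^=]*=//' | _norm)
        live=$(cat "$(sysctl_path "$key" "$root")" 2>/dev/null | _norm)
        [ "$saved" = "$live" ] || printf '%s saved=%s live=%s\n' "$key" "$saved" "$live"
    done
}

# Typical use on a real host (needs root to write /etc/sysctl.conf):
#   sysctl_conf_set /etc/sysctl.conf net.ipv4.tcp_fin_timeout 30
#   sysctl -p                       # apply
#   sysctl_drift /etc/sysctl.conf   # should print nothing afterwards
```

sysctl_drift is the check worth running from a cron job or a configuration audit: any output means the persisted configuration and the kernel disagree, either because someone changed a value with echo or sysctl -w without recording it, or because a file edit was never applied with sysctl -p.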
Case 1: implementing the gateway's MASQUERADE
Specific function: the intranet network card is eth1 and the external network card is eth0; intranet hosts that use this server as their gateway can access the external network.

    EXTERNAL="eth0"
    INTERNAL="eth1"
    # This step turns on IP forwarding support, which is the prerequisite for any NAT implementation
    echo 1 > /proc/sys/net/ipv4/ip_forward
    iptables -t nat -A POSTROUTING -o $EXTERNAL -j MASQUERADE

Case 2: implementing simple port mapping on the gateway
Specific function: external hosts that access the gateway's external IP on port 80 directly reach the host 192.168.1.10:80 inside the private network.

    LOCAL_EX_IP=11.22.33.44   # set the IP of the gateway's external network card; for multi-IP scenarios, refer to the "How to make your Linux gateway more powerful" series
    LOCAL_IN_IP=192.168.1.1   # set the IP of the gateway's internal network card
    INTERNAL="eth1"           # set the internal network card
    # This step turns on IP forwarding support, which is the prerequisite for any NAT implementation
    echo 1 > /proc/sys/net/ipv4/ip_forward
    # Load the required IP modules; the following two are FTP-related modules. If there are other special needs, add those modules here as well
    modprobe ip_conntrack_ftp
    modprobe ip_nat_ftp
    # This step changes the destination address of packets arriving for the gateway's external IP:80 to 192.168.1.10:80
    iptables -t nat -A PREROUTING -d $LOCAL_EX_IP -p tcp --dport 80 -j DNAT --to 192.168.1.10
    # This step changes the source address of packets whose destination is now 192.168.1.10:80 to the gateway's own internal IP, here 192.168.1.1
    iptables -t nat -A POSTROUTING -d 192.168.1.10 -p tcp --dport 80 -j SNAT --to $LOCAL_IN_IP
    # Add an ACCEPT rule for 192.168.1.10:80 on the FORWARD chain, otherwise forwarding cannot work
    iptables -A FORWARD -o $INTERNAL -d 192.168.1.10 -p tcp --dport 80 -j ACCEPT
    # With the three important rules above, all access to the gateway's external IP:80 is forwarded to port 80 of 192.168.1.10 on the intranet, which is typical port mapping
    # Special attention: the source address of every forwarded packet is the gateway's intranet IP, so to 192.168.1.10 all access appears to come from the gateway, and the external IP is never seen
    # An important idea: packets travel by the rule "go back the way you came", so there is no need to worry about the return traffic
    # One remaining problem: when the gateway itself accesses its own external IP:80, the traffic is not NATed to 192.168.1.10. This is not a serious problem, but it is annoying; the solution is:
    iptables -t nat -A OUTPUT -d $LOCAL_EX_IP -p tcp --dport 80 -j DNAT --to 192.168.1.10

Getting NAT information and diagnosing errors in the system

Understanding the meaning of the /proc directory in a Linux system: /proc is a special directory. The proc file system is a pseudo file system that exists only in memory and occupies no external storage space. It contains parameters (variables) and status information of the current system, and provides an interface for accessing kernel data through the file system. From /proc you can learn important information about the system, including disk usage, memory usage, hardware information, network usage and so on; many system monitoring tools (such as hotsanic) obtain their system data through the /proc directory. On the other hand, by operating directly on the parameters in /proc you can tune kernel parameters, such as whether IP forwarding is allowed, whether SYN cookies are enabled, and TCP timeouts.
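Case 2 is a fixed procedure (DNAT in PREROUTING, SNAT in POSTROUTING, an ACCEPT on FORWARD, and the OUTPUT DNAT for the gateway itself), so it is worth wrapping in a function that can be reviewed before it touches the live rule set. The script below is an added example, not the page's own script: port_forward_rules emits the four rules for any external IP, internal IP, interface and port, and ip_forward_enabled checks the prerequisite the page stresses. IPT defaults to echo so the rules are only printed; set IPT=iptables and run as root to apply them. The function names and the ROOT argument of ip_forward_enabled (for pointing at a fake /proc tree) are my own.

```shell
#!/bin/sh
# Added example (not from the original page): generate the port-mapping rules
# from Case 2 for arbitrary addresses, dry-run by default.
IPT=${IPT:-echo}   # IPT=iptables to apply for real (requires root)

# Usage: port_forward_rules EXT_IP INT_IP INT_IF PORT TARGET_IP [TARGET_PORT]
# TARGET_PORT defaults to PORT, which is the page's 80 -> 80 case.
port_forward_rules() {
    ext_ip=$1 int_ip=$2 int_if=$3 port=$4 target=$5 tport=${6:-$4}
    # 1. Rewrite the destination of traffic arriving for the gateway's external IP.
    $IPT -t nat -A PREROUTING -d "$ext_ip" -p tcp --dport "$port" -j DNAT --to "$target:$tport"
    # 2. Rewrite the source to the gateway's internal IP so replies come back through the gateway
    #    (the internal host therefore sees the gateway, not the real client, as the source).
    $IPT -t nat -A POSTROUTING -d "$target" -p tcp --dport "$tport" -j SNAT --to "$int_ip"
    # 3. Permit the forwarded flow; without this the FORWARD chain may drop it.
    $IPT -A FORWARD -o "$int_if" -d "$target" -p tcp --dport "$tport" -j ACCEPT
    # 4. Locally generated traffic to the external IP (the gateway reaching "itself").
    $IPT -t nat -A OUTPUT -d "$ext_ip" -p tcp --dport "$port" -j DNAT --to "$target:$tport"
}

# Return 0 when IP forwarding is on under ROOT/proc/sys; ROOT is only for testing.
ip_forward_enabled() {
    [ "$(cat "${1:-}/proc/sys/net/ipv4/ip_forward" 2>/dev/null)" = "1" ]
}

# Example run with the page's addresses; prints the rules because IPT=echo.
# The rules do nothing useful unless ip_forward_enabled succeeds first.
port_forward_rules 11.22.33.44 192.168.1.1 eth1 80 192.168.1.10
```

Reviewing the printed rules before applying them is the point of the dry run: DNAT in the nat table only rewrites the first packet of a connection, so a rule that matches too broadly (for example a missing -p tcp --dport) silently exposes every port of the internal host, and nothing in iptables itself warns about that.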
How to get parameters:
    First: cat /proc/xxx/xxx, for example: cat /proc/sys/net/ipv4/conf/all/rp_filter
    Second: sysctl xxx.xxx.xxx, for example: sysctl net.ipv4.conf.all.rp_filter

How to change parameters:
    First: echo value > /proc/xxx/xxx, for example: echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
    Second: sysctl [-w] variable=value, for example: sysctl [-w] net.ipv4.conf.all.rp_filter=1

System parameters set as above are only valid for the currently running system and are gone after a restart; to keep them, write them to the /etc/sysctl.conf file. Running man 5 proc gives more information about the proc directory.

Viewing the NAT situation in the system

NAT-related system variables:
    /proc/slabinfo: kernel cache usage statistics (kernel slab allocator statistics)
    /proc/sys/net/ipv4/ip_conntrack_max: the maximum number of IPv4 connections the system supports. Default 65536 (in fact this is also the theoretical maximum)
    /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established: the timeout of established TCP connections. Default 432000, that is, 5 days

NAT-related state values:
    /proc/net/ip_conntrack: the currently tracked connections; the NAT translation table is here (for a Linux host whose main function is a gateway, most of the entries are NAT translations)
    /proc/sys/net/ipv4/ip_local_port_range: the range of local ports; this range also indirectly limits the size of the NAT table

    # 1. View the maximum number of connections supported by the current system
    cat /proc/sys/net/ipv4/ip_conntrack_max
    # Value: default 65536, and this value is related to your memory size; with 128M of memory the maximum is 8192, with more than 1G of memory the default is 65536
    # Effect: this value determines your capacity as a NAT gateway; every LAN connection through this gateway occupies one entry, and if the value is too low it affects throughput

    # 2. View the TCP connection timeout
    cat /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established
    # Value: default 432000 (seconds), which is 5 days
    # Effect: if this value is too large, connections that may already be unused stay in memory and consume a lot of connection resources, which can lead to the "ip_conntrack: table full" NAT problem
    # Recommendation: if the NAT table is tight relative to the NAT load, consider reducing this value so that connections are cleared as early as possible and entries remain available; if it is not tight, there is no need to modify it

    # 3. View NAT table usage (to determine whether the NAT table resource is tight)
    # Execute the following command to view your gateway's NAT table
    cat /proc/net/ip_conntrack

    # 4. View the range of local open ports
    cat /proc/sys/net/ipv4/ip_local_port_range
    # Returns two values, the minimum and the maximum

    # The following commands help you determine the size of the NAT table
    wc -l /proc/net/ip_conntrack
    # or, from /proc/slabinfo (field 1 is the cache name, field 2 the number of active objects)
    grep ip_conntrack /proc/slabinfo | grep -v expect | awk '{print $1 "," $2}'

    # The following command helps you determine how many NAT table entries are allocated in total (field 3); if this is much larger than the active count, the NAT table resource is not tight
    grep ip_conntrack /proc/slabinfo | grep -v expect | awk '{print $1 "," $3}'

    # The following command counts which IPs occupy the most entries in the NAT table; these are likely the hosts doing some BT (BitTorrent) traffic :-)
    cat /proc/net/ip_conntrack | cut -d ' ' -f 10 | cut -d '=' -f 2 | sort | uniq -c | sort -nr | head -n 10
    # This command is slightly flawed: cut -d ' ' -f 10 gives skewed statistics because some lines of the output have fewer fields. Here is a correct version, which strips everything before the first "src=" so that the field position no longer matters:
    cat /proc/net/ip_conntrack | perl -pe 's/^.*?src=/src=/' | cut -d ' ' -f 1 | cut -d '=' -f 2 | sort | uniq -c | sort -nr | head -n 10
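The last point above, that counting by field position breaks as soon as a conntrack line has a different number of fields, is the part a defender actually needs to get right, because the top-talkers list is what you reach for when "ip_conntrack: table full" appears in the log. The shell below is an added example, not the page's own commands: it locates the original-direction src= field by name rather than by position, so TCP lines (which carry a state column) and UDP lines (which do not) are counted the same way, and it turns the two files the page names into a single table-usage percentage. The sample conntrack lines are constructed, the function names top_conntrack_src and conntrack_usage_pct are my own, and the ROOT argument only exists to point the usage check at a fake /proc tree.

```shell
#!/bin/sh
# Added example (not from the original page): robust conntrack accounting.

# Constructed sample in /proc/net/ip_conntrack format (not captured data).
# Note the udp line has no state column and the [UNREPLIED] flag shifts
# later fields, which is why a fixed "cut -f 10" miscounts.
SAMPLE_CONNTRACK='tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=203.0.113.5 sport=40123 dport=80 packets=5 bytes=300 src=203.0.113.5 dst=11.22.33.44 sport=80 dport=40123 packets=4 bytes=1200 [ASSURED] mark=0 use=1
udp      17 29 src=192.168.1.20 dst=198.51.100.53 sport=5353 dport=53 packets=1 bytes=60 [UNREPLIED] src=198.51.100.53 dst=11.22.33.44 sport=53 dport=5353 packets=0 bytes=0 mark=0 use=1
tcp      6 117 TIME_WAIT src=192.168.1.10 dst=203.0.113.9 sport=40124 dport=443 packets=10 bytes=900 src=203.0.113.9 dst=11.22.33.44 sport=443 dport=40124 packets=9 bytes=5000 [ASSURED] mark=0 use=1
tcp      6 60 SYN_SENT src=192.168.1.30 dst=203.0.113.5 sport=50000 dport=80 packets=1 bytes=60 [UNREPLIED] src=203.0.113.5 dst=11.22.33.44 sport=80 dport=50000 packets=0 bytes=0 mark=0 use=1'

# Count tracked connections per original-direction source address, busiest
# first. Reads conntrack lines on stdin; $1 limits the output (default 10).
# The first "src=" token on each line is the original direction; the second
# is the reply direction and is skipped by the break.
top_conntrack_src() {
    awk '{ for (i = 1; i <= NF; i++)
               if ($i ~ /^src=/) { sub(/^src=/, "", $i); print $i; break } }' \
    | sort | uniq -c | sort -nr | head -n "${1:-10}"
}

# Percentage of the conntrack table in use: tracked entries / ip_conntrack_max,
# from the two files the page names. ROOT (optional) prefixes the /proc paths.
conntrack_usage_pct() {
    root=${1:-}
    entries=$(wc -l < "$root/proc/net/ip_conntrack" | tr -d ' ')
    max=$(cat "$root/proc/sys/net/ipv4/ip_conntrack_max")
    echo $(( entries * 100 / max ))
}

# Demonstration on the constructed sample (on a gateway, feed the real file:
#   cat /proc/net/ip_conntrack | top_conntrack_src 10
#   conntrack_usage_pct            # real /proc, needs the conntrack module loaded)
printf '%s\n' "$SAMPLE_CONNTRACK" | top_conntrack_src 3
```

A usage figure that climbs toward 100 is the early warning for the "table full" condition described under item 2 above; pairing it with top_conntrack_src shows whether the pressure comes from one misbehaving host or from a timeout that is simply too long for the load.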

