Significance and Application of Linux kernel Network Parameters

Abstract: This article describes some kernel network parameters in the/proc/sys/NET/IPv4/directory of the Linux system, at the same time, I put forward my own opinions on how to improve the security and stability of the Linux system by adjusting the network parameters of the Linux kernel. This provides a reference for the system administrator to further enhance network security and system stability.
　　
In Linux, we can adjust the kernel network parameters in the/proc/sys/NET/IPv4/directory according to different requirements. By reasonably configuring the kernel network parameters, this improves network security and system stability. Because there are few documents in this area, we cannot make a comprehensive introduction. Now a Linux organization is working on writing this document. I believe that we will see a complete document in the near future. Next, let's take a look at some common kernel network parameters.
　　
Note: 1. Parameters with a rate value cannot work on the loopback interface.
　　
2. because the kernel defines the speed based on the internal clock in Hz, and the speed is usually 100Hz, setting a parameter value of 100 indicates that one packet/second is allowed, if the value is 20, five packets are allowed per second.

Network Management Forum bbs_bitscn_com

　　
3. All kernel network parameter configuration files are located in the/proc/sys/NET/IPv4/directory.
　　
1. ICMP-related Kernel configuration parameters
　　
Overview: we usually use ICMP packets to check whether other protocols (such as TCP and UDP) on the target host are available. For example, an ICMP packet containing "Destination Unreachable" is the most common ICMP packet.
　　
1. icmp_destunreach_rate: Set the response rate of the ICMP packet whose content is "Destination Unreachable. The value must be an integer.
Application instance:
Assume there are two hosts, A and B. First, we execute the following ipchains Statement on host:
Ipchains-A input-p icmp-J reject
The reject here is different from the deny here. Deny will discard the qualified package as if it didn't receive the package, the reject will send a "Destination Unreachable" ICMP request to the Request Host while dropping the package.
Ping host a on host B. At this time, we will find that the response speed of the "Destination Unreachable" ICMP packet is very timely. Run the following command on host:
Echo \ "1000 \">/proc/sys/NET/IPv4/icmp_destunreach_rate
That is to say, the system responds to an "Destination Unreachable" ICMP packet every 10 seconds.
At this time, Ping host a from host B and you will find that the response speed of the "Destination Unreachable" ICMP packet has obviously slowed down. I'm curious to test it, the result is a response every 10 seconds. Network Management ujia u.bitscn.com
　　
2. icmp_echo_ignore_broadcasts: sets whether to respond to ICMP Echo Request broadcast. The value should be boolean.
Value. 0 indicates that the ICMP echo request is broadcast, and 1 indicates that the request is ignored.
Note: Windows does not respond to ICMP echo requests.
　　
Application instance:
In my redhat6.x and redhat7, the default value is 0. In this way, when a network address of the network segment where my server is located is pinged, all Linux servers will respond, in this way, the user can get the IP address of my server.
Echo \ "1 \">/proc/sys/NET/IPv4/icmp_echo_ignore_broadcasts
To disable this function. This prevents ICMP storms and network congestion.
　　
3. icmp_echoreply_rate: sets the response speed of the ICMP packet in which the system responds to the ICMP echo request. The value is
Integer.
Application instance:
Assume there are two hosts, A and B. First Ping host a on host B, we can see that the response is normal, and then run the command on host.
Echo \ "1000 \">/proc/sys/NET/IPv4/icmp_echoreply_rate
That is, an ICMP echo request packet is returned every 10 seconds. Then ping host a to see that the response speed has changed to 10 seconds.
It is best to adjust the value of this parameter reasonably to prevent ICMP storms.

Www.bitscn.com

　　
　
4. icmp_echo_ignore_all: sets whether the system ignores all ICMP echo requests. If a non-0 value is set, the system ignores all ICMP requests.
Echo Request. In fact, this is an extreme situation of icmp_echoreply_rate. The parameter value is a Boolean value. 1 indicates ignore, and 0 indicates response.
　　
5. icmp_paramprob_rate: when the system receives the corrupted IP address or TCP Header of the datagram, an ICMP packet containing the error message is sent to the source. This parameter is used to set the speed at which ICMP packets are sent to the source. Of course, IP or TCP Header errors are rare in general. The parameter value is an integer.
　　
6. icmp_timeexceed_rate: the datagram is on the network.
Time to live
Live) fields will decrease constantly. When the TTL is 0, the vro processing the datagram will discard the datagram and send a "Time to live" message to the source host.
Exceeded "ICMP packet. This parameter is used to set the sending speed of the ICMP packet. Of course, this is usually used as the Linux host of the router.
　　
Ii. IP-related Kernel configuration parameters
IP configuration parameters in Linux kernel network parameters are usually used to define or adjust some specific parameters of the IP package. In addition, some network features of the system are defined.

Network Management Alliance bitscn_com

　　
　
1. ip_default_ttl: Set the lifetime of the IP packet sent from the local machine. The parameter value is an integer and the range is 0 ~ 128. The default value is 64. In Windows, IP
The package survival time is usually 128. If your system often gets "time to live ",
Exceeded "ICMP response, you can increase the value of this parameter, but it cannot be too large, because if your routing loop, it will increase the system error time.
　　
　
2. ip_dynaddr
The address resends a SYN request packet to start a new TCP conversation. When IP spoofing is used, this parameter can immediately change the disguised IP address to a new IP address. The parameter value can be:
1: Enable this function
2: Enable this function in redundancy mode
0: disable this function.
　　
Application instance:
When you use ipchains to configure IP spoofing to drive a local area network to share a PPP connection to the Internet, sometimes the connection to a site fails at the beginning, and the connection can be refreshed and connected again, in this case, you can set the value of this parameter to 1, and immediately change the disguised IP address to a new IP address. Command:
Echo \ "1 \">/proc/sys/NET/IPv4/ip_dynaddr
　　
3. ip_forward: You can use this parameter to enable the packet forwarding function so that the system acts as a router. If the parameter value is 1, IP Forwarding is enabled. If the parameter value is 0, IP Forwarding is prohibited. Note: We can forward IP addresses on a single or dual-nic host. Www_bitscn_com
Application instance:
Suppose we use a Linux host with a dual-nic as the firewall, then we must execute the following command to enable the IP forwarding function:
Echo \ "1 \">/proc/sys/NET/IPv4/ip_forward
　　
4. ip_local_port_range: Set the port range used when the local system initiates a TCP or UDP connection request. Set the value to two integers. The default value is "1024 4999 ".
Application instance:
Echo \ "1450 6000 \">/proc/sys/NET/IPv4/ip_local_port_range
　　
Iii. TCP-related Kernel configuration parameters
The TCP configuration parameters can be used to control all aspects of the TCP session process.
　　
A) tcp_fin_timeout: When a TCP session ends, a first sends a fin to B.
　
Package. After obtaining the ACK confirmation package of B, A enters the fin wait2 state and waits for the fin package of B and sends ack confirmation package to B. This parameter is used to set a to enter the fin
Wait2 status: Wait for the timeout time of the FIN packet of the other party. If you do not receive the fin package from the other party after the time is reached, the session will be automatically released. The parameter value is an integer in seconds. The default value is 180 seconds.
　　
B) tcp_syn_retires: set the number of times a SYN connection request packet is sent again when a TCP session is established.
The parameter value is an integer smaller than 255 and the default value is 10. If your connection speed is fast, you can reduce this value to increase the system response time. Even for users with slow connection speed, the default value setting is large enough. China Network Management Forum bbs.bitscn.com
　　
3. tcp_window_scaling: sets whether the hop window size of TCP/IP sessions is variable. The parameter value is a Boolean value. If it is 1, it indicates variable. If it is 0, it indicates non-variable. TCP/IP usually uses a window of up to 65535 bytes. for high-speed networks, this value may be too small. If this function is enabled, the TCP/IP sliding window size can be increased by several orders of magnitude to improve the data transmission capability.
　　
Iv. kernel network parameters for Preventing IP spoofing attacks
Suppose there are the following scenarios:
　　
　　
1.1.1.1 2.2.2.2
　　
　　
　　
By default, the router forwards packets based on the destination address.
　
. As shown in, if the 2.2.2.2 interface (that is, the WAN Interface) of the router receives a package, the source address of the package is 1.1.1.100 (that is
Intranet address), although this is impossible or unreasonable, but due to the characteristics of the router, the router will still forward this illegal package to the Intranet. This allows hackers
The opportunity opens the door for IP spoofing attacks.
Fortunately, we can use the Linux kernel system parameter "reverse path filtering" to prevent this situation, this parameter is located in the rp_filter file in each subdirectory under/proc/sys/NET/IPv4/CONF. The parameter value is an integer. The possible values include: Network Administrator u.bitscn.com
2-Comprehensive reverse path filtering is recommended on edge routers. However, in a complex network environment, this value is not recommended if Static Routing or rip or OSPF routing protocols are used.
1-it is the default value of this parameter. It only filters reverse paths of directly connected networks.
0-no reverse path filtering.
　　
Application instance:
Create the following script named RP. Sh.
#/Bin/bash
For I in/proc/sys/NET/IPv4/CONF/*/rp_filter;
Do
Echo 2> $ I
Done
Then change the File Permission chmod 755 RP. Sh
Finally, execute./RP. Sh.
　　
5. kernel network parameters for each network interface
By using the kernel network parameters for each network interface, you can specify
Specify the network parameters of the response kernel. Network Management Alliance bitscn_com

Note: parameters in/proc/sys/NET/IPv4/CONF/All/apply to all network interfaces.
　　
1. accept_redirects: this parameter is located in the/proc/sys/NET/IPv4/CONF/dev/accept_redirects (Dev table
Shows the specific network interface). If there are two routers in the network segment of your host, you set one of them to the default gateway, however, when the gateway receives your IP packet, it finds that this IP packet must pass through another router. Then, this router will send you a so-called "Redirect" ICMP packet, tells you to forward an IP packet to another vro.