Here are some handy TCP/IP stack tunings I pulled together from a few sources. My iptables article on this site covers dropping ICMP and the like at the firewall, but for many of those things (ignoring echo requests, rejecting source-routed packets and ICMP redirects, rate-limiting ICMP) you can get the same effect by tuning the stack itself, and the same mechanism (the files under /proc/sys, or /etc/sysctl.conf applied with sysctl -p) also sets system-wide limits such as the open-file cap. Below is a complete setup: first as a script that writes to /proc directly, then as a Red Hat style sysctl.conf. Note that the two were written for different boxes (the script for a small router, the sysctl.conf for a server), so a few settings, tcp_sack, tcp_timestamps and tcp_window_scaling among them, are set one way in the script and the other way in the config file; pick one or the other for a given host, because the last value applied wins.
The /proc version, as a shell script run as root. Every path is interface-specific where eth0 or eth1 appears; adjust for your NICs.

##### Begin DoS Prevention #####
# Ignore all ICMP echo requests (the box will not answer ping) and broadcast echoes (smurf amplification).
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Forwarding is only wanted on a box that routes (the DD-WRT case this script came from).
# On a plain host set this to 0; the sysctl.conf further down does exactly that.
echo 1 > /proc/sys/net/ipv4/ip_forward
# The following two parameters will break at least emule and are way too low to make sense.
#echo 1024 > /proc/sys/net/ipv4/ipfrag_high_thresh
#echo 512 > /proc/sys/net/ipv4/ipfrag_low_thresh
# Memory (bytes) the kernel may spend on reassembling IP fragments, and how long (seconds) it keeps a partial datagram.
echo 64000 > /proc/sys/net/ipv4/ipfrag_high_thresh
echo 48000 > /proc/sys/net/ipv4/ipfrag_low_thresh
echo 10 > /proc/sys/net/ipv4/ipfrag_time
# Minimum interval (jiffies) between ICMP packets of the rate-limited types.
echo 5 > /proc/sys/net/ipv4/icmp_ratelimit
# SYN cookies: keep accepting connections when the SYN backlog is full.
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# Drop source-routed packets and ICMP redirects; log packets with impossible source addresses.
echo 0 > /proc/sys/net/ipv4/conf/eth0/accept_source_route
echo 0 > /proc/sys/net/ipv4/conf/eth0/accept_redirects
echo 1 > /proc/sys/net/ipv4/conf/eth0/log_martians
# ARP: minimum time (jiffies) between updates of a neighbour entry, no proxy ARP, and how long (seconds)
# an entry may stay stale before it is re-verified.
echo 10 > /proc/sys/net/ipv4/neigh/eth0/locktime
echo 0 > /proc/sys/net/ipv4/conf/eth0/proxy_arp
echo 50 > /proc/sys/net/ipv4/neigh/eth0/gc_stale_time
# The following entries secure the last bit and provide a
# moderate protection against man-in-the-middle attacks.
echo 0 > /proc/sys/net/ipv4/conf/eth0/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/eth0/secure_redirects
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo 5 > /proc/sys/net/ipv4/igmp_max_memberships
echo 2 > /proc/sys/net/ipv4/igmp_max_msf
# Sockets no longer attached to a process; past this number they are reset immediately.
echo 1024 > /proc/sys/net/ipv4/tcp_max_orphans
# Retransmit SYN / SYN-ACK only twice before giving up.
echo 2 > /proc/sys/net/ipv4/tcp_syn_retries
echo 2 > /proc/sys/net/ipv4/tcp_synack_retries
# Send a RST instead of silently dropping when the accept queue overflows.
# Caution: legitimate clients then fail hard under load instead of retrying; only keep this if the
# listening service really cannot be made to drain its accept queue faster.
echo 1 > /proc/sys/net/ipv4/tcp_abort_on_overflow
# Seconds a socket stays in FIN-WAIT-2 waiting for the peer's FIN.
echo 10 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 0 > /proc/sys/net/ipv4/route/redirect_number
# Reverse-path filtering (anti-spoofing): drop packets whose source is not routable back out the same interface.
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 1 > /proc/sys/net/ipv4/conf/eth1/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
# Non-default TTL; together with the next block this is an OS-fingerprinting disguise.
echo 61 > /proc/sys/net/ipv4/ip_default_ttl
# Shorter keepalive (seconds of idle time before the first probe) so dead peers are reaped sooner.
echo "1800" > /proc/sys/net/ipv4/tcp_keepalive_time
# We pretend to be a Checkpoint firewall on Windows XP: no window scaling, SACK or timestamps.
# Caveat: without window scaling the receive window is capped at 64 KiB, so the 4 MiB tcp_rmem
# maximum below never comes into play, and dropping SACK and timestamps costs loss recovery and
# PAWS. This is a trade of throughput for a different fingerprint; the sysctl.conf further down
# turns all three back on.
echo "0" > /proc/sys/net/ipv4/tcp_window_scaling
echo "0" > /proc/sys/net/ipv4/tcp_sack
echo 0 > /proc/sys/net/ipv4/tcp_timestamps
# Receive/send buffer sizes in bytes: min default max.
echo 4096 87380 4194304 >/proc/sys/net/ipv4/tcp_rmem
echo 4096 87380 4194304 >/proc/sys/net/ipv4/tcp_wmem
# Explicit congestion notification: let routers signal overload instead of dropping.
echo 1 > /proc/sys/net/ipv4/tcp_ecn
# Port range for outgoing connections.
echo "1000 60000" > /proc/sys/net/ipv4/ip_local_port_range
# Connection-tracking table size.
# Modified for DD-WRT because of missing proc entries: this is the old 2.4-era path; on current
# kernels the file is /proc/sys/net/netfilter/nf_conntrack_max, and 4096 entries is only enough
# for a small router, not a busy server.
echo 4096 > /proc/sys/net/ipv4/ip_conntrack_max
# Increase the SYN backlog queue (half-open connections held before SYN cookies kick in).
echo 2048 > /proc/sys/net/ipv4/tcp_max_syn_backlog
## Open-file limits. fs/file-max is the system-wide cap, ulimit -n the per-process cap for this
## shell and its children. Neither limits forks; for that use ulimit -u (max user processes).
echo 64000 > /proc/sys/fs/file-max
ulimit -n 64000

The same idea as an /etc/sysctl.conf fragment (Red Hat style), applied with sysctl -p. This one is tuned for a server with large buffers, and re-enables SACK, timestamps and window scaling.

# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
# sysctl.conf(5) for more details.
# Controls IP packet forwarding
net.ipv4.ip_forward = 0
# Controls source route verification
net.ipv4.conf.default.rp_filter = 1
# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0
# Controls the System Request debugging functionality of the kernel.
# 1 enables every magic SysRq function from the console; on a hardened box consider 0,
# or a bitmask that allows only the functions you need.
kernel.sysrq = 1
# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1
# Controls the use of TCP syncookies
net.ipv4.tcp_syncookies = 1
# Disable netfilter on bridges.
# The leading - tells sysctl -p to ignore the error these produce when the bridge module is not loaded.
-net.bridge.bridge-nf-call-ip6tables = 0
-net.bridge.bridge-nf-call-iptables = 0
-net.bridge.bridge-nf-call-arptables = 0
# Controls the maximum size of a message, in bytes
kernel.msgmnb = 65535
# Controls the default maximum size of a message queue
kernel.msgmax = 65535
# Controls the maximum shared segment size, in bytes
kernel.shmmax = 68719476736
# Controls the maximum number of shared memory segments, in pages
kernel.shmall = 4294967296
# Socket buffer limits (bytes) and the per-CPU input queue length
net.core.rmem_max = 33388608
net.core.wmem_max = 33388608
net.core.rmem_default = 33388608
net.core.wmem_default = 33388608
net.core.netdev_max_backlog = 20000
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_rmem = 8192 4194304 33388608
net.ipv4.tcp_wmem = 32768 4194304 33388608
net.ipv4.tcp_timestamps = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_app_win = 0
net.ipv4.tcp_adv_win_scale = 4
net.ipv4.tcp_sack = 1
net.ipv4.tcp_ecn = 0
net.ipv4.igmp_max_memberships = 100
net.ipv4.tcp_slow_start_after_idle = 0
net.ipv4.tcp_no_metrics_save = 1
# Anti-spoofing and no ICMP redirects in either direction
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
# Core dumps go to /opt/corefiles. suid_dumpable = 2 lets setuid and otherwise protected processes
# dump core too (readable only by root, into core_pattern); that directory must be root-owned and
# not world-readable, and set this to 0 if you do not need to debug such processes.
kernel.core_pattern = /opt/corefiles/core.%h.%e.%p
fs.suid_dumpable = 2
kernel.sem = 250 32000 32 256
kernel.msgmni = 512