{"id":959,"date":"2012-08-03T11:28:41","date_gmt":"2012-08-03T03:28:41","guid":{"rendered":"http:\/\/rmohan.com\/?p=959"},"modified":"2012-08-03T13:14:51","modified_gmt":"2012-08-03T05:14:51","slug":"tcp-finetuning-on-linuxredhat-centos-debian","status":"publish","type":"post","link":"https:\/\/mohan.sg\/?p=959","title":{"rendered":"TCP FineTuning on Linux\/RedHat-CentOS-Debian"},"content":{"rendered":"

Here are some, very handy and kewl TCP Fine tunings, i guess i put this together from a few things\u2026 and, i would suggest reading my iptables article on here about maybe fine tuning that for anti icmp etc to but, you CAN achieve the same things with tuning the stack! So, we can even restrict our FS Open files, etc, thru the tcp\/ip stack tuning, wich ill demonstrate a solid setup for here<\/p>\n

##### Begin DoS Prevention #####\r\necho 1 > \/proc\/sys\/net\/ipv4\/icmp_echo_ignore_all\r\necho 1 > \/proc\/sys\/net\/ipv4\/icmp_echo_ignore_broadcasts\r\necho 1 > \/proc\/sys\/net\/ipv4\/ip_forward\r\n\r\n# the following two parametes will break at least emule and are way too low to make sense\r\n#echo 1024 > \/proc\/sys\/net\/ipv4\/ipfrag_high_thresh\r\n#echo 512 > \/proc\/sys\/net\/ipv4\/ipfrag_low_thresh\r\necho 64000 > \/proc\/sys\/net\/ipv4\/ipfrag_high_thresh\r\necho 48000 > \/proc\/sys\/net\/ipv4\/ipfrag_low_thresh\r\n\r\necho 10 > \/proc\/sys\/net\/ipv4\/ipfrag_time\r\necho 5 > \/proc\/sys\/net\/ipv4\/icmp_ratelimit\r\necho 1 > \/proc\/sys\/net\/ipv4\/tcp_syncookies\r\necho 0 > \/proc\/sys\/net\/ipv4\/conf\/eth0\/accept_source_route\r\necho 0 > \/proc\/sys\/net\/ipv4\/conf\/eth0\/accept_redirects\r\necho 1 > \/proc\/sys\/net\/ipv4\/conf\/eth0\/log_martians\r\necho 10 > \/proc\/sys\/net\/ipv4\/neigh\/eth0\/locktime\r\necho 0 > \/proc\/sys\/net\/ipv4\/conf\/eth0\/proxy_arp\r\necho 50 > \/proc\/sys\/net\/ipv4\/neigh\/eth0\/gc_stale_time\r\n\r\n# The following entries secure the last bit and provide a\r\n# moderate protection against man-in-the-middle attacks.\r\necho 0 > \/proc\/sys\/net\/ipv4\/conf\/eth0\/send_redirects\r\necho 0 > \/proc\/sys\/net\/ipv4\/conf\/eth0\/secure_redirects\r\necho 1 > \/proc\/sys\/net\/ipv4\/icmp_ignore_bogus_error_responses\r\necho 5 > \/proc\/sys\/net\/ipv4\/igmp_max_memberships\r\necho 2 > \/proc\/sys\/net\/ipv4\/igmp_max_msf\r\necho 1024 > \/proc\/sys\/net\/ipv4\/tcp_max_orphans\r\necho 2 > \/proc\/sys\/net\/ipv4\/tcp_syn_retries\r\necho 2 > \/proc\/sys\/net\/ipv4\/tcp_synack_retries\r\necho 1 > \/proc\/sys\/net\/ipv4\/tcp_abort_on_overflow\r\necho 10 > \/proc\/sys\/net\/ipv4\/tcp_fin_timeout\r\necho 0 > \/proc\/sys\/net\/ipv4\/route\/redirect_number\r\necho 1 > \/proc\/sys\/net\/ipv4\/conf\/all\/rp_filter\r\necho 1 > \/proc\/sys\/net\/ipv4\/conf\/eth1\/rp_filter\r\necho 1 > \/proc\/sys\/net\/ipv4\/tcp_syncookies\r\necho 0 > \/proc\/sys\/net\/ipv4\/conf\/all\/accept_source_route\r\necho 61 > \/proc\/sys\/net\/ipv4\/ip_default_ttl\r\n\r\n# DoS protection by tweaking the timeouts\r\necho \"1800\" > \/proc\/sys\/net\/ipv4\/tcp_keepalive_time\r\necho \"0\" > \/proc\/sys\/net\/ipv4\/tcp_window_scaling\r\necho \"0\" > \/proc\/sys\/net\/ipv4\/tcp_sack\r\n\r\n# We pretend to be a Checkpoint firewall on Windows XP<\/pre>\n
\":P\"<\/p>\n
 ~\r\necho 4096 87380 4194304 >\/proc\/sys\/net\/ipv4\/tcp_rmem\r\necho 4096 87380 4194304 >\/proc\/sys\/net\/ipv4\/tcp_wmem\r\n\r\n# Check network overload (explicit congestion notification)\r\necho 1 > \/proc\/sys\/net\/ipv4\/tcp_ecn\r\n\r\n# Change port range for outgoing traffic\r\necho \"1000 60000\" > \/proc\/sys\/net\/ipv4\/ip_local_port_range\r\n\r\n# Change default queue size\r\n# Modified for DD-WRT because of missing proc entries\r\necho 4096 > \/proc\/sys\/net\/ipv4\/ip_conntrack_max\r\n\r\n# shut some DoS stuff down\r\necho 1 > \/proc\/sys\/net\/ipv4\/tcp_syncookies\r\necho 1 > \/proc\/sys\/net\/ipv4\/icmp_ignore_bogus_error_responses\r\necho 1 > \/proc\/sys\/net\/ipv4\/icmp_echo_ignore_broadcasts\r\n\r\n# increase the SYN backlog queue\r\necho 2048 > \/proc\/sys\/net\/ipv4\/tcp_max_syn_backlog\r\necho 0 > \/proc\/sys\/net\/ipv4\/tcp_sack\r\necho 0 > \/proc\/sys\/net\/ipv4\/tcp_timestamps\r\n\r\n## stop forks - reducing Open FS files here.. sweet!\r\n\u00a0echo 64000 > \/proc\/sys\/fs\/file-max\r\nulimit -n 64000\r\n\r\n# Kernel sysctl configuration file for Red Hat Linux\r\n#\r\n# For binary values, 0 is disabled, 1 is enabled.\u00a0 See sysctl(8) and\r\n# sysctl.conf(5) for more details.\r\n\r\n# Controls IP packet forwarding\r\nnet.ipv4.ip_forward = 0\r\n\r\n# Controls source route verification\r\nnet.ipv4.conf.default.rp_filter = 1\r\n\r\n# Do not accept source routing\r\nnet.ipv4.conf.default.accept_source_route = 0\r\n\r\n# Controls the System Request debugging functionality of the kernel\r\nkernel.sysrq = 1\r\n\r\n# Controls whether core dumps will append the PID to the core filename.\r\n# Useful for debugging multi-threaded applications.\r\nkernel.core_uses_pid = 1\r\n\r\n# Controls the use of TCP syncookies\r\nnet.ipv4.tcp_syncookies = 1\r\n\r\n# Disable netfilter on bridges.\r\nnet.bridge.bridge-nf-call-ip6tables = 0\r\nnet.bridge.bridge-nf-call-iptables = 0\r\nnet.bridge.bridge-nf-call-arptables = 0\r\n\r\n# Controls the maximum size of a message, in bytes\r\nkernel.msgmnb = 65535\r\n\r\n# Controls the default maxmimum size of a mesage queue\r\nkernel.msgmax = 65535\r\n\r\n# Controls the maximum shared segment size, in bytes\r\nkernel.shmmax = 68719476736\r\n\r\n# Controls the maximum number of shared memory segments, in pages\r\nkernel.shmall = 4294967296\r\nnet.core.rmem_max = 33388608\r\nnet.core.wmem_max = 33388608\r\nnet.core.rmem_default = 33388608\r\nnet.core.wmem_default = 33388608\r\nnet.core.netdev_max_backlog = 20000\r\nnet.ipv4.tcp_max_syn_backlog = 2048\r\nnet.ipv4.tcp_rmem = 8192 4194304 33388608\r\nnet.ipv4.tcp_wmem = 32768 4194304 33388608\r\nnet.ipv4.tcp_timestamps = 1\r\nnet.ipv4.tcp_window_scaling = 1\r\nnet.ipv4.tcp_app_win = 0\r\nnet.ipv4.tcp_adv_win_scale = 4\r\nnet.ipv4.tcp_sack = 1\r\nnet.ipv4.tcp_ecn = 0\r\nnet.ipv4.igmp_max_memberships = 100\r\nnet.ipv4.tcp_slow_start_after_idle = 0\r\nnet.ipv4.tcp_no_metrics_save = 1\r\nnet.ipv4.conf.all.rp_filter = 1\r\nnet.ipv4.conf.all.send_redirects = 0\r\nnet.ipv4.conf.default.send_redirects = 0\r\nnet.ipv4.conf.all.accept_redirects = 0\r\nnet.ipv4.conf.default.accept_redirects = 0\r\nkernel.core_pattern = \/opt\/corefiles\/core.%h.%e.%p\r\nfs.suid_dumpable = 2\r\nkernel.sem = 250 32000 32 256\r\nkernel.msgmni = 512<\/pre>\n","protected":false},"excerpt":{"rendered":"
Here are some, very handy and kewl TCP Fine tunings, i guess i put this together from a few things\u2026 and, i would suggest reading my iptables article on here about maybe fine tuning that for anti icmp etc to but, you CAN achieve the same things with tuning the stack! So, we can even […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[20],"tags":[],"_links":{"self":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/959"}],"collection":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=959"}],"version-history":[{"count":4,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/959\/revisions"}],"predecessor-version":[{"id":967,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/959\/revisions\/967"}],"wp:attachment":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=959"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=959"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=959"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}