centos内核网络优化

cat << "eof" >> /etc/security/limits.conf 
# ulimit优化
* soft nofile 65536
* hard nofile 65536
eof

cat << "eof" >> /etc/sysctl.conf
 
#关闭ipv6
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
 
# 避免放大攻击
net.ipv4.icmp_echo_ignore_broadcasts = 1
 
# 开启恶意icmp错误消息保护
net.ipv4.icmp_ignore_bogus_error_responses = 11
 
#决定检查过期多久邻居条目
net.ipv4.neigh.default.gc_stale_time=120
 
#使用arp_announce / arp_ignore解决ARP映射问题
net.ipv4.conf.default.arp_announce = 2
net.ipv4.conf.all.arp_announce=2
net.ipv4.conf.lo.arp_announce=2 # 避免放大攻击
net.ipv4.icmp_echo_ignore_broadcasts = 1 # 开启恶意icmp错误消息保护
net.ipv4.icmp_ignore_bogus_error_responses = 1
 
#处理无源路由的包
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
 
#core文件名中添加pid作为扩展名
kernel.core_uses_pid = 1 
 
#修改消息队列长度
kernel.msgmnb = 65536
kernel.msgmax = 65536
 
#开启反向路径过滤
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
 
#设置最大内存共享段大小bytes
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
 
#timewait的数量,默认180000
net.ipv4.tcp_max_tw_buckets = 6000
net.ipv4.tcp_sack = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_rmem = 4096 87380 4194304
net.ipv4.tcp_wmem = 4096 16384 4194304
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
 
#每个网络接口接收数据包的速率比内核处理这些包的速率快时,允许送到队列的数据包的最大数目。
net.core.netdev_max_backlog = 32768
 
#记录的那些尚未收到客户端确认信息的连接请求的最大值。对于有128M内存的系统而言,缺省值是1024
net.ipv4.tcp_max_syn_backlog = 65536
 
#web应用中listen函数的backlog默认会给我们内核参数的net.core.somaxconn限制到128,而nginx定义的NGX_LISTEN_BACKLOG默认为511,所以有必要调整这个值。
net.core.somaxconn = 32768
 
#限制仅仅是为了防止简单的DoS 攻击
net.ipv4.tcp_max_orphans = 3276800
 
#未收到客户端确认信息的连接请求的最大值
net.ipv4.tcp_max_syn_backlog = 262144
net.ipv4.tcp_timestamps = 0
 
#内核放弃建立连接之前发送SYNACK 包的数量
net.ipv4.tcp_synack_retries = 1
 
#内核放弃建立连接之前发送SYN 包的数量
net.ipv4.tcp_syn_retries = 1
 
#启用timewait 快速回收
net.ipv4.tcp_tw_recycle = 1
 
#开启重用。允许将TIME-WAIT sockets 重新用于新的TCP 连接
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_fin_timeout = 1
 
# 开启SYN洪水攻击保护(防范少量SYN攻击)
net.ipv4.tcp_syncookies = 1 
 
#允许系统打开的端口范围
net.ipv4.ip_local_port_range = 1024    65000
eof
sysctl -p
huan

发表评论

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: