centos7系统调优,针对第四层应用

# --- TCP memory and socket buffers ---
# NOTE(review): tcp_mem is expressed in pages (low / pressure / high) while
# tcp_rmem / tcp_wmem are bytes (min / default / max) — confirm the sizes are intended.
net.ipv4.tcp_mem = 768432 2097152 15242880
net.ipv4.tcp_wmem = 40960 163840 4194304
net.ipv4.tcp_rmem = 40960 873800 4194304
# Left disabled; the effective listen backlog cap is net.core.somaxconn = 65535 near the end of this file.
#net.core.somaxconn=6553600
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 524288000
net.core.wmem_max = 524288000
# --- SYN flood protection ---
# SYN cookies are only used once the SYN backlog (next line) overflows.
net.ipv4.tcp_syncookies=1
net.ipv4.tcp_max_syn_backlog=81920
# NOTE(review): disabling TCP timestamps also disables PAWS and makes
# tcp_tw_recycle (set further down) ineffective — confirm this is intended.
net.ipv4.tcp_timestamps=0
# Fewer SYN+ACK / SYN retransmissions before a half-open connection is dropped.
net.ipv4.tcp_synack_retries=3
net.ipv4.tcp_syn_retries=3
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_keepalive_time = 300
# Ephemeral (outgoing) port range.
net.ipv4.ip_local_port_range = 20000 65000
# NOTE(review): 6000 is a small TIME_WAIT cap for a busy server; once exceeded the
# kernel destroys TIME_WAIT sockets immediately and logs a warning — confirm.
net.ipv4.tcp_max_tw_buckets = 6000
net.ipv4.route.max_size = 5242880
# --- System V IPC limits (semaphores, message queues, shared memory) ---
kernel.sem=250 65536 100 2048
kernel.msgmnb = 4203520
kernel.msgmni = 64
kernel.msgmax = 65535
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
kernel.shmmni = 655360
net.ipv4.tcp_tw_reuse=1
# NOTE(review): tcp_tw_recycle is known to break connections from clients behind
# NAT (it keys on per-host timestamps, which are disabled above anyway);
# tcp_tw_reuse alone is the safer option — confirm before deploying.
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_no_metrics_save=1
# Append the PID to core dump file names.
kernel.core_uses_pid = 1
# Duplicate of the net.ipv4.conf.lo.arp_announce=2 entry at the end of this file (same value, harmless).
net.ipv4.conf.lo.arp_announce=2
net.ipv4.tcp_sack = 1
# NOTE(review): 1 randomizes stack/mmap/vDSO only; the kernel default 2 also
# randomizes the brk heap. Lowering ASLR weakens exploit mitigation — confirm an
# application actually requires this rather than keeping the default.
kernel.randomize_va_space=1
# --- Connection tracking table ---
# NOTE(review): every tracked connection consumes kernel memory; 25000000 is far
# above the 1048576 shown in the permanent-config example later in this document —
# settle on one value. net.nf_conntrack_max and net.netfilter.nf_conntrack_max are
# the same tunable under two names.
net.nf_conntrack_max = 25000000   
net.netfilter.nf_conntrack_max = 25000000   
# NOTE(review): the four timeouts below are overridden by the second copy a few
# lines further down (sysctl applies the file top to bottom, last value wins);
# keep only one set so the file states the effective values.
net.netfilter.nf_conntrack_tcp_timeout_established = 180  
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120   
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60   
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120  
# Legacy (ip_conntrack) name of the same limit; left disabled.
#net.ipv4.netfilter.ip_conntrack_max=1000000
# Effective conntrack timeouts (these win over the copies above).
net.netfilter.nf_conntrack_tcp_timeout_fin_wait=30
net.netfilter.nf_conntrack_tcp_timeout_time_wait=30
net.netfilter.nf_conntrack_tcp_timeout_close_wait=15
# Kept at or above net.ipv4.tcp_keepalive_time (300 above) so idle but live
# connections are not evicted from the table before a keepalive probe is sent.
net.netfilter.nf_conntrack_tcp_timeout_established=300
# --- Hardening: amplification, spoofing and redirect protection ---
# Do not answer echo requests sent to a broadcast address (smurf amplification).
net.ipv4.icmp_echo_ignore_broadcasts=1
# NOTE(review): disabling IPv6 breaks services that bind "::" — confirm nothing on the host needs it.
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
# This host is not a router: no forwarding and no ICMP redirects sent.
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# Reverse-path filtering: drop packets whose source address is not routable back via the
# ingress interface. NOTE(review): 1 is strict mode, which can drop legitimate traffic on
# hosts with asymmetric routing — confirm.
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Reject source-routed packets.
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
# Disable the magic SysRq key entirely.
kernel.sysrq = 0
# Input queue length used when packets arrive faster than the kernel drains them.
net.core.netdev_max_backlog = 262144
# Cap on sockets not attached to any process (a simple DoS guard).
net.ipv4.tcp_max_orphans = 3276800
# Ignore ICMP redirects so another host on the segment cannot rewrite our routes.
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
# NOTE(review): on this kernel generation swappiness 0 means "swap only to avoid OOM",
# which can produce OOM kills under memory pressure instead of gradual swapping — confirm.
vm.swappiness = 0
# How long a neighbour (ARP) entry may be stale before it is re-checked.
net.ipv4.neigh.default.gc_stale_time=120
# --- File descriptor and miscellaneous limits ---
# fs.nr_open is the per-process ceiling; the limits.conf "nofile" values applied
# elsewhere in this document must stay below it.
fs.file-max = 40000500
fs.nr_open = 40000500
kernel.perf_cpu_time_max_percent=60
kernel.perf_event_max_sample_rate=6250
kernel.sched_migration_cost_ns=5000000
net.core.optmem_max= 25165824
vm.max_map_count=262144
# Effective listen() backlog cap (the disabled 6553600 at the top is not used).
net.core.somaxconn = 65535
# arp_announce=2: always pick the best local source address for ARP requests on the
# sending interface; the comment in the explanation section ties this to ARP mapping
# issues (typically a VIP configured on lo).
net.ipv4.conf.default.arp_announce = 2
net.ipv4.conf.all.arp_announce=2
net.ipv4.conf.lo.arp_announce=2

使以上配置生效:
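# Apply /etc/sysctl.conf to the running kernel. The command is `sysctl -p`;
# `systemctl -p` was a typo (systemctl manages services, it does not load sysctl files).
# NOTE(review): the net.netfilter.* keys only exist once the nf_conntrack module is
# loaded, so run this after the firewall is up or sysctl -p reports them as unknown keys.
sysctl -p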

# Set the conntrack hash bucket count at runtime. This is not persisted across
# reboots or module reloads, and net.netfilter.nf_conntrack_buckets cannot be written
# through sysctl, which is why the module parameter is used instead.
printf '%s\n' 262144 > /sys/module/nf_conntrack/parameters/hashsize



##内核优化
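# Raise the open-file limit for login shells and at boot.
# The original wrapped `ulimit -HSn 65536` in backticks, which *executed* the
# command in a subshell and appended its (empty) output; the command text itself
# is what must be appended.
# NOTE(review): /etc/profile only affects login shells and /etc/rc.local only runs
# at boot if it is executable; systemd services take their limit from LimitNOFILE — confirm.
printf '%s\n' 'ulimit -HSn 65536' >> /etc/profile
printf '%s\n' 'ulimit -HSn 65536' >> /etc/rc.local
source /etc/profile

# Replace everything after the "# End of file" marker in limits.conf with the
# limits below, so re-running this snippet does not accumulate duplicate entries.
limits_file=/etc/security/limits.conf
# First match only; `cat -n | grep | awk` produced several numbers when the
# marker text occurred more than once, which broke the arithmetic below.
marker_line=$(grep -n -m 1 -- '# End of file' "$limits_file" | cut -d: -f1)
if [[ -z "$marker_line" ]]; then
  # Without this guard an unmatched marker made the old sed delete lines 1-100
  # of limits.conf.
  printf 'marker "# End of file" not found in %s; refusing to truncate\n' "$limits_file" >&2
  exit 1
fi
# Delete from the line after the marker to the end of the file (the old
# hard-coded ",100d" left anything past line 100 in place).
sed -i -e "$((marker_line + 1)),\$d" -- "$limits_file"
# Per-user process and open-file limits; "nofile" must stay below fs.nr_open.
cat >> "$limits_file" <<'EOF'
* soft nproc 65535
* hard nproc 65535
* soft nofile 65535
* hard nofile 65535
EOF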
说明:



net.ipv4.tcp_mem = 768432 2097152 15242880
net.ipv4.tcp_wmem = 40960 163840 4194304
net.ipv4.tcp_rmem = 40960 873800 4194304
#net.core.somaxconn=6553600
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 524288000
net.core.wmem_max = 524288000
net.ipv4.tcp_syncookies=1
net.ipv4.tcp_max_syn_backlog=81920
net.ipv4.tcp_timestamps=0

#参数的值决定了内核放弃链接之前发送SYN+ACK包的数量,该参数对应系统路径为:/proc/sys/net/ipv4/tcp_synack_retries,默认是2
net.ipv4.tcp_synack_retries=3

#表示内核放弃建立链接之前发送SYN包的数量,该参数对应系统路径为:/proc/sys/net/ipv4/tcp_syn_retries,默认是6
net.ipv4.tcp_syn_retries=3
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_keepalive_time = 300
net.ipv4.ip_local_port_range = 20000 65000
net.ipv4.tcp_max_tw_buckets = 6000
net.ipv4.route.max_size = 5242880
kernel.sem=250 65536 100 2048
kernel.msgmnb = 4203520
kernel.msgmni = 64
kernel.msgmax = 65535

#设置最大内存共享段大小bytes
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
kernel.shmmni = 655360
net.ipv4.tcp_tw_reuse=1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_no_metrics_save=1

~~~~~~~~~~~开启SYN洪水攻击保护~~~~~~~~~~
kernel.core_uses_pid = 1
net.ipv4.conf.lo.arp_announce=2
net.ipv4.tcp_sack = 1
kernel.randomize_va_space=1
###### 最大追踪连接数修改 调优 #####
net.nf_conntrack_max = 25000000   ---#
net.netfilter.nf_conntrack_max = 25000000   ---#
说明:
设置的值计算:
查看目前追踪的连接数(以上设置的值应大于这个值)
[root@]# cat  /proc/net/nf_conntrack | wc -l
2332
#临时生效
sysctl -w net.netfilter.nf_conntrack_max=25000000
sysctl -w net.nf_conntrack_max=25000000
#永久生效
#添加修改内核配置文件(/etc/sysctl.conf) 
net.netfilter.nf_conntrack_max=1048576
net.nf_conntrack_max=1048576
#如果要马上应用配置文件里的设置:
sudo sysctl -p /etc/sysctl.conf


#### 响应时间调优  ######
net.netfilter.nf_conntrack_tcp_timeout_established = 180  
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120   
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60   
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120  
#net.ipv4.netfilter.ip_conntrack_max=1000000

说明:
#临时生效
#主动方的最后1个状态。默认120秒
 sysctl -w net.netfilter.nf_conntrack_tcp_timeout_fin_wait=30
 sysctl -w net.netfilter.nf_conntrack_tcp_timeout_time_wait=30
#CLOSE_WAIT是被动方收到FIN发ACK,然后会转到LAST_ACK发FIN,除非程序写得有问题,正常来说这状态持续时间很短。#默认 60 秒
 sysctl -w net.netfilter.nf_conntrack_tcp_timeout_close_wait=15
#理论上不用这么长,不小于 net.ipv4.tcp_keepalive_time 就行了。默认 432000 秒(5天)
 sysctl -w net.netfilter.nf_conntrack_tcp_timeout_established=300

# 永久生效
# 修改内核配置文件(/etc/sysctl.conf) 
net.netfilter.nf_conntrack_tcp_timeout_fin_wait=30
net.netfilter.nf_conntrack_tcp_timeout_time_wait=30
net.netfilter.nf_conntrack_tcp_timeout_close_wait=15
net.netfilter.nf_conntrack_tcp_timeout_established=300

# 如果要马上应用配置文件里的设置:
sudo sysctl -p /etc/sysctl.conf


~~~~~~~~~~~ 避免放大攻击 ~~~~~~~~~~~~~~~~~~

net.ipv4.icmp_echo_ignore_broadcasts=1
#关闭ipv6
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
# 开启恶意icmp错误消息保护
net.ipv4.icmp_ignore_bogus_error_responses = 1
#关闭路由转发
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

#开启反向路径过滤
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
#处理无源路由的包
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0

#关闭sysrq功能
kernel.sysrq = 0
#每个网络接口接收数据包的速率比内核处理这些包的速率快时,允许送到队列的数据包的最大数目
net.core.netdev_max_backlog = 262144
#限制仅仅是为了防止简单的DoS 攻击
net.ipv4.tcp_max_orphans = 3276800
#确保无人能修改路由表
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
vm.swappiness = 0

#决定多久检查一次过期的邻居条目
net.ipv4.neigh.default.gc_stale_time=120
fs.file-max = 40000500
fs.nr_open = 40000500
kernel.perf_cpu_time_max_percent=60
kernel.perf_event_max_sample_rate=6250
kernel.sched_migration_cost_ns=5000000
net.core.optmem_max= 25165824
vm.max_map_count=262144
net.core.somaxconn = 65535

#使用arp_announce / arp_ignore解决ARP映射问题
net.ipv4.conf.default.arp_announce = 2
net.ipv4.conf.all.arp_announce=2
net.ipv4.conf.lo.arp_announce=2


哈希表桶大小 调优

注:net.netfilter.nf_conntrack_buckets 不能直接改(报错)

# 临时生效
echo 262144 > /sys/module/nf_conntrack/parameters/hashsize
说明:计算公式
Buckets(哈希表大小) = net.nf_conntrack_max/4 = ***(Byte字节)




学习地址:
    https://www.cnblogs.com/xiangsikai/p/9525287.html
    https://m.toutiaocdn.cn/item/6661421504380535300/?app=news_article&timestamp=1555195944&req_id=201904140652230100210420817665564&group_id=6661421504380535300


转载自blog.csdn.net/zzhlinux911218/article/details/89322450