Sysctl is a powerful tool used to modify kernel parameters dynamically while the kernel is running. With this command you can change kernel parameters without recompiling the kernel or restarting the system.
The parameters that can be modified are exposed under the /proc/sys directory, so sysctl requires procfs (a pseudo file system through which user space communicates with the kernel via ordinary file operations). Only the root user can execute this command.
Use the sysctl command to modify the kernel parameters
Kernel parameters can be modified temporarily or permanently. The temporary modification of the kernel parameters is as follows:
Read the current kernel parameters:
[root@localhost ~]# sysctl -a
Use -w to modify a kernel parameter temporarily. For example, to prohibit other hosts from pinging this machine:
[root@localhost ~]# sysctl -w net.ipv4.icmp_echo_ignore_all=1
net.ipv4.icmp_echo_ignore_all = 1
The value "0" means "off" and the value "1" means "on". Changes made this way are temporary: the parameters revert to their defaults after the system is restarted.
Permanently modify kernel parameters
Add the parameters and their values to the /etc/sysctl.conf file. For example, to prohibit other hosts from pinging the machine, append the setting to sysctl.conf and then run sysctl -p, which loads the settings from /etc/sysctl.conf into the running kernel:
[root@localhost ~]# echo "net.ipv4.icmp_echo_ignore_all = 1" >> /etc/sysctl.conf
[root@localhost ~]# sysctl -p
net.ipv4.icmp_echo_ignore_all = 1
Several sysctl use cases
Control packet forwarding
Enable IP packet forwarding only on a server that acts as a gateway; on all other servers this feature can be disabled.
[root@localhost ~]# echo "net.ipv4.ip_forward = 0" >> /etc/sysctl.conf
[root@localhost ~]# sysctl -p
net.ipv4.icmp_echo_ignore_all = 1
net.ipv4.ip_forward = 0
Disable swap partition
When running a Kubernetes environment, the swap partition needs to be turned off for performance reasons.
[root@localhost ~]# echo "vm.swappiness = 0" >> /etc/sysctl.conf
[root@localhost ~]# sysctl -p
net.ipv4.icmp_echo_ignore_all = 1
net.ipv4.ip_forward = 0
vm.swappiness = 0
SYN flood protection
To protect against SYN flood attacks, enable this option (TCP SYN cookies).
[root@localhost ~]# echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.conf
[root@localhost ~]# sysctl -p
net.ipv4.icmp_echo_ignore_all = 1
net.ipv4.ip_forward = 0
vm.swappiness = 0
net.ipv4.tcp_syncookies = 1
The range of local ports that the system is allowed to use
[root@localhost ~]# echo "net.ipv4.ip_local_port_range = 1024 65000" >> /etc/sysctl.conf
[root@localhost ~]# sysctl -p
net.ipv4.icmp_echo_ignore_all = 1
net.ipv4.ip_forward = 0
vm.swappiness = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.ip_local_port_range = 1024 65000
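Every use case above appends to /etc/sysctl.conf with echo >>, so re-running a step leaves the same key listed twice and sysctl -p silently takes the last value it reads. The helper below, an added example that is not part of the original page, reads the effective value of a key from a sysctl.conf-style file and rewrites a key in place instead of appending; it assumes POSIX sh, awk and mktemp, and takes the file path as its first argument.

```shell
#!/bin/sh
# Added example: manage a sysctl.conf-style file without duplicate keys.
# When a key appears twice, sysctl -p applies the last value, so a stale
# "net.ipv4.ip_forward = 1" line can override a later hardening entry.
# Assumes POSIX sh, awk and mktemp; FILE is passed as the first argument.

# sysctl_conf_get FILE KEY: print the effective value of KEY (last assignment
# wins, as with sysctl -p); exit 1 when KEY is absent.
sysctl_conf_get() {
    awk -v k="$2" '
        /^[[:space:]]*[#;]/ { next }              # comment lines
        /^[[:space:]]*$/   { next }              # blank lines
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", key)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            if (key == k) { last = val; found = 1 }
        }
        END { if (!found) exit 1; print last }' "$1"
}

# sysctl_conf_set FILE KEY VALUE: remove every existing assignment of KEY and
# append "KEY = VALUE" once, keeping comments and other keys untouched.
sysctl_conf_set() {
    file=$1 key=$2 value=$3
    [ -f "$file" ] || : > "$file"
    tmp=$(mktemp) || return 1
    awk -v k="$key" '
        /^[[:space:]]*[#;]/ { print; next }
        {
            eq = index($0, "=")
            if (eq > 0) {
                key = substr($0, 1, eq - 1); gsub(/[[:space:]]/, "", key)
                if (key == k) next
            }
            print
        }' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    printf '%s = %s\n' "$key" "$value" >> "$tmp"
    # write through cat so the original file keeps its owner and mode
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# harden_sysctl_conf FILE: write the page's hardening values into FILE.
# Only the file changes; run `sysctl -p FILE` afterwards to load it.
harden_sysctl_conf() {
    sysctl_conf_set "$1" net.ipv4.ip_forward 0 &&
    sysctl_conf_set "$1" net.ipv4.tcp_syncookies 1 &&
    sysctl_conf_set "$1" net.ipv4.ip_local_port_range "1024 65000"
}
```

Point it at a scratch copy first (harden_sysctl_conf /tmp/sysctl.conf) and compare with the real file before loading it with sysctl -p.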
To sum up
In short, sysctl is a powerful tool for modifying kernel parameters dynamically while the kernel is running: it lets you change kernel parameters without recompiling the kernel or restarting the system.
https://www.jianshu.com/p/56bb23183639