Kernel tuning parameters
vm.swappiness = 10
net.ipv4.tcp_sack = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_rmem = 4096 87380 4194304
net.ipv4.tcp_wmem = 4096 16384 4194304
net.ipv4.tcp_fin_timeout = 1
net.ipv4.tcp_keepalive_time = 30
net.ipv4.route.gc_timeout = 100
net.ipv4.ip_local_port_range = 1024 65000
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_max_syn_backlog = 262144
net.ipv4.tcp_max_orphans = 262144
net.ipv4.tcp_max_tw_buckets = 6000
net.core.somaxconn = 262144
net.core.netdev_max_backlog = 262144
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_max_tw_buckets = 50000
# for iptables
net.ipv4.ip_conntrack_max = 6553600
net.ipv4.netfilter.ip_conntrack_max = 6553600
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 300
net.ipv4.netfilter.ip_conntrack_tcp_timeout_time_wait = 120
net.ipv4.netfilter.ip_conntrack_tcp_timeout_close_wait = 60
net.ipv4.netfilter.ip_conntrack_tcp_timeout_fin_wait = 120
net.ipv4.neigh.default.gc_thresh1 = 10240
net.ipv4.neigh.default.gc_thresh2 = 40960
net.ipv4.neigh.default.gc_thresh3 = 81920
The swappiness value has a strong bearing on how the swap partition is used. swappiness=0 means physical memory is used as fully as possible before swap space is touched; swappiness=100 means swap is used aggressively, with data in memory moved into swap space promptly. Between these two extremes, the default on CentOS Linux 5 is 60; it is recommended to change it to 10.
net.ipv4.tcp_syncookies = 1
# Enables SYN cookies. When the SYN wait queue overflows, cookies are used to handle it, which guards against a modest SYN attack. Default 0 (off).
net.ipv4.tcp_tw_reuse = 1
# Enables reuse: allows TIME-WAIT sockets to be reused for new TCP connections. Default 0 (off).
net.ipv4.tcp_tw_recycle = 1
# Enables fast recycling of TIME-WAIT sockets in TCP connections. Default 0 (off).
net.ipv4.tcp_fin_timeout = 30
# If the socket is closed by the local end, this parameter determines how long it stays in the FIN-WAIT-2 state.
net.ipv4.tcp_keepalive_time = 1200
# When keepalive is enabled, how often TCP sends keepalive messages. Default is 2 hours; changed to 20 minutes.
net.ipv4.ip_local_port_range = 1024 65000
# Port range used for outbound connections. The default is small, 32768 to 61000; changed to 1024 to 65000.
net.ipv4.tcp_max_tw_buckets = 5000
# Maximum number of TIME_WAIT sockets the system keeps at the same time; beyond this number,
# TIME_WAIT sockets are cleared immediately and a warning is printed. Default 180000; changed to 5000.
# For servers such as Apache and Nginx, the parameters in the lines above reduce the number of TIME_WAIT sockets well,
# but for Squid the effect is small. This parameter caps the number of TIME_WAIT sockets and prevents a Squid server from being dragged down by masses of them.
net.ipv4.conf.eth1.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 0
The meaning of the rp_filter value is (from the kernel's ip-sysctl documentation):
rp_filter - INTEGER
    0 - No source validation.
    1 - Strict mode as defined in RFC3704 Strict Reverse Path
        Each incoming packet is tested against the FIB and if the interface
        is not the best reverse path the packet check will fail.
        By default failed packets are discarded.
    2 - Loose mode as defined in RFC3704 Loose Reverse Path
        Each incoming packet's source address is also tested against the FIB
        and if the source address is not reachable via any interface
        the packet check will fail.
0 means incoming packets are not checked at all, which carries the risk of DoS attacks.
1 means strict checking: packets that do not belong to this interface are not returned.
2 means less strict checking: as long as this host has the IP configured, the packet can still be returned.
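As an added example (not part of the original post), a small Python checker that parses sysctl lines like those above, reports keys that are assigned more than once (the sysctl tool applies the last value, so the duplicated tcp_synack_retries and tcp_max_tw_buckets entries in the block at the top end up at their second values), and computes the rp_filter mode that actually applies per interface, which the kernel takes as the maximum of conf.all and the interface's own value. The sample input is constructed from a subset of this page's lines; the interface names are the page's own.

```python
# Constructed sample: a subset of the sysctl lines from this page, including keys
# the page assigns more than once (tcp_synack_retries, tcp_max_tw_buckets).
SAMPLE = """\
vm.swappiness = 10
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_max_tw_buckets = 6000
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_max_tw_buckets = 50000
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 0
"""

RP_FILTER_MODES = {0: "no source validation", 1: "strict (RFC 3704)", 2: "loose (RFC 3704)"}

def parse_sysctl(text):
    """Parse 'key = value' lines. Returns (final values, duplicates); as with the
    sysctl tool, a later assignment of the same key overrides an earlier one."""
    values, duplicates = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank or comment line
        key, sep, value = line.partition("=")
        if not sep:
            continue  # not a key = value line
        key, value = key.strip(), value.strip()
        if key in values and values[key] != value:
            duplicates.append((key, values[key], value))
        values[key] = value
    return values, duplicates

def effective_rp_filter(values, iface):
    """Mode the kernel actually applies on iface: the maximum of conf.all and
    conf.<iface>; conf.default only seeds interfaces with no explicit value."""
    all_mode = int(values.get("net.ipv4.conf.all.rp_filter", 0))
    default = values.get("net.ipv4.conf.default.rp_filter", 0)
    if_mode = int(values.get(f"net.ipv4.conf.{iface}.rp_filter", default))
    return max(all_mode, if_mode)

def audit(text, interfaces=("eth0", "lo")):
    """Human-readable findings: conflicting assignments and per-interface rp_filter."""
    values, duplicates = parse_sysctl(text)
    findings = [f"{k} set twice: {old} then {new} (last wins)" for k, old, new in duplicates]
    for iface in interfaces:
        mode = effective_rp_filter(values, iface)
        findings.append(f"{iface}: effective rp_filter {mode} ({RP_FILTER_MODES[mode]})")
    return findings
```

Note that with conf.all.rp_filter = 0 and conf.eth0.rp_filter = 1, eth0 still gets strict validation, since the larger of the two values applies.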
This article is reposted from dongfang_09859's 51CTO blog; original link: http://blog.51cto.com/hellosa/527705. To repost, please contact the original author.