The Linux kernel exports kernel information to user space through the /proc virtual file system, and users can also configure the kernel dynamically through /proc or with the sysctl command. For example, to enable NAT, besides loading modules and configuring the firewall, you also need to enable kernel IP forwarding. There are three ways to do this:
1. Write directly to the /proc file system
# echo 1 > /proc/sys/net/ipv4/ip_forward
2. Use the sysctl command
# sysctl -w net.ipv4.ip_forward=1
sysctl -a lists every variable the kernel exports.
3. Edit /etc/sysctl.conf
Add the following line so that the variable is set to 1 after every boot:
net.ipv4.ip_forward = 1
sysctl is a command from the procps package, which also provides w, ps, vmstat, pgrep, pkill, top, slabtop and other commands.
sysctl configures and displays the kernel parameters under the /proc/sys directory. It can be used to set or reset networking features such as IP forwarding, IP fragment dropping and source route checking. Users only need to edit /etc/sysctl.conf to apply the settings controlled by sysctl, either manually or automatically at boot.
Command syntax:
sysctl [-n] [-e] -w variable=value
sysctl [-n] [-e] -p <filename> (default /etc/sysctl.conf)
sysctl [-n] [-e] -a
Meaning of the common options:
-w temporarily change the value of a given parameter, e.g. sysctl -w net.ipv4.ip_forward=1
-a display all system parameters
-p load system parameters from the given file; if no file is given, load from /etc/sysctl.conf
If you only want to change a system parameter temporarily, there are two ways to do it. For example, to enable IP forwarding:
1) # echo 1 > /proc/sys/net/ipv4/ip_forward
2) # sysctl -w net.ipv4.ip_forward=1
Both methods enable forwarding immediately, but if the system reboots or "# service network restart" is executed, the value is lost. To keep the setting permanently, edit /etc/sysctl.conf and change net.ipv4.ip_forward=0 to net.ipv4.ip_forward=1.
sysctl is an interface that lets you change a running Linux system. It includes a number of advanced options for the TCP/IP stack and the virtual memory system, which let an experienced administrator achieve noticeable performance gains. sysctl can read and set more than five hundred system variables. Accordingly, sysctl(8) provides two functions: reading and modifying system settings.
List all readable variables:
% sysctl -a
Read a specific variable, e.g. kern.maxproc:
% sysctl kern.maxproc
kern.maxproc: 1044
To set a specific variable, use the variable=value syntax directly:
# sysctl kern.maxfiles=5000
kern.maxfiles: 2088 -> 5000
You can modify system variables with sysctl, or by editing the sysctl.conf file. sysctl.conf looks much like rc.conf: it sets values in the form variable=value. The given values are set after the system enters multi-user mode. Not all variables can be set in this mode.
sysctl variable values are usually strings, numbers or booleans (a boolean uses 1 for 'yes' and 0 for 'no').
sysctl -w kernel.sysrq=0
sysctl -w kernel.core_uses_pid=1
sysctl -w net.ipv4.conf.default.accept_redirects=0
sysctl -w net.ipv4.conf.default.accept_source_route=0
sysctl -w net.ipv4.conf.default.rp_filter=1
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_max_syn_backlog=2048
sysctl -w net.ipv4.tcp_fin_timeout=30
sysctl -w net.ipv4.tcp_synack_retries=2
sysctl -w net.ipv4.tcp_keepalive_time=3600
sysctl -w net.ipv4.tcp_window_scaling=1
sysctl -w net.ipv4.tcp_sack=1
Configuring sysctl
Edit this file:
vi /etc/sysctl.conf
If the file is empty, enter the following; otherwise adjust it according to your situation:
# Controls source route verification
# Default should work for all interfaces
net.ipv4.conf.default.rp_filter = 1
# net.ipv4.conf.all.rp_filter = 1
# net.ipv4.conf.lo.rp_filter = 1
# net.ipv4.conf.eth0.rp_filter = 1
# Disables IP source routing
# Default should work for all interfaces
net.ipv4.conf.default.accept_source_route = 0
# net.ipv4.conf.all.accept_source_route = 0
# net.ipv4.conf.lo.accept_source_route = 0
# net.ipv4.conf.eth0.accept_source_route = 0
# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0
# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1
# Increase maximum amount of memory allocated to shm
# Only uncomment if needed!
# kernel.shmmax = 67108864
# Disable ICMP Redirect Acceptance
# Default should work for all interfaces
net.ipv4.conf.default.accept_redirects = 0
# net.ipv4.conf.all.accept_redirects = 0
# net.ipv4.conf.lo.accept_redirects = 0
# net.ipv4.conf.eth0.accept_redirects = 0
# Enable Log Spoofed Packets, Source Routed Packets, Redirect Packets
# Default should work for all interfaces
net.ipv4.conf.default.log_martians = 1
# net.ipv4.conf.all.log_martians = 1
# net.ipv4.conf.lo.log_martians = 1
# net.ipv4.conf.eth0.log_martians = 1
# Decrease the time default value for tcp_fin_timeout connection
net.ipv4.tcp_fin_timeout = 25
# Decrease the time default value for tcp_keepalive_time connection
net.ipv4.tcp_keepalive_time = 1200
# Turn on the tcp_window_scaling
net.ipv4.tcp_window_scaling = 1
# Turn on the tcp_sack
net.ipv4.tcp_sack = 1
# tcp_fack should be on because of sack
net.ipv4.tcp_fack = 1
# Turn on the tcp_timestamps
net.ipv4.tcp_timestamps = 1
# Enable TCP SYN Cookie Protection
net.ipv4.tcp_syncookies = 1
# Enable ignoring broadcasts request
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Enable bad error message Protection
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Make more local ports available
# net.ipv4.ip_local_port_range = 1024 65000
# Set TCP Re-Ordering value in kernel to '5'
net.ipv4.tcp_reordering = 5
# Lower syn retry rates
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 3
# Set Max SYN Backlog to '2048'
net.ipv4.tcp_max_syn_backlog = 2048
# Various Settings
net.core.netdev_max_backlog = 1024
# Increase the maximum number of skb-heads to be cached
net.core.hot_list_length = 256
# Increase the tcp-time-wait buckets pool size
net.ipv4.tcp_max_tw_buckets = 360000
# This will increase the amount of memory available for socket input/output queues
net.core.rmem_default = 65535
net.core.rmem_max = 8388608
net.ipv4.tcp_rmem = 4096 87380 8388608
net.core.wmem_default = 65535
net.core.wmem_max = 8388608
net.ipv4.tcp_wmem = 4096 65535 8388608
net.ipv4.tcp_mem = 8388608 8388608 8388608
net.core.optmem_max = 40960
If you want to stop others from pinging your host, add the following:
# Disable ping requests
net.ipv4.icmp_echo_ignore_all = 1
After editing, run the following commands to make the changes take effect immediately:
/sbin/sysctl -p
/sbin/sysctl -w net.ipv4.route.flush=1
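The text above makes two points worth checking on a real host: a sysctl key maps one-to-one onto a file under /proc/sys, and a value set with sysctl -w or echo is lost at reboot unless it is also in /etc/sysctl.conf. The following POSIX shell check is an added example, not part of the original post: it reads a sysctl.conf-style file and reports every entry whose live value under a /proc/sys tree differs or is missing. The key_to_path and build_demo helpers and all demo values are constructed here (a fake tree, not a real host).

```shell
# Added example (not from the original post): compare the persistent values in a
# sysctl.conf-style file with the live values under a /proc/sys tree, so a setting
# changed with "sysctl -w" (or echo into /proc) but never written to the file, or a
# file entry that never got applied, shows up as drift. The /proc/sys root is a
# parameter so the check can run on a constructed tree; on a real host pass /proc/sys.

# Translate a sysctl key into its /proc/sys path: net.ipv4.ip_forward -> net/ipv4/ip_forward
key_to_path() { printf '%s\n' "$1" | tr '.' '/'; }

# Report every key in file $1 whose live value under $2 differs or is missing.
# Whitespace is normalised because multi-value keys (tcp_rmem) are tab-separated in /proc.
# Exit status: 0 = no drift, 1 = at least one key differs or cannot be read.
check_sysctl_drift() {
    conf=$1; procroot=$2; drift=0
    while read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*|';'*) continue ;; esac      # skip blank lines and comments
        key=$(printf '%s' "$line" | sed 's/[[:space:]]*=.*//')
        want=$(printf '%s' "$line" | sed 's/^[^=]*=[[:space:]]*//' | tr -s '[:space:]' ' ')
        file="$procroot/$(key_to_path "$key")"
        if [ ! -r "$file" ]; then
            printf '%s MISSING (expected %s)\n' "$key" "$want"; drift=1; continue
        fi
        have=$(tr -s '[:space:]' ' ' < "$file" | sed 's/ $//')
        if [ "$have" != "$want" ]; then
            printf '%s expected=%s actual=%s\n' "$key" "$want" "$have"; drift=1
        fi
    done < "$conf"
    return $drift
}

# Constructed demonstration data (hypothetical, not a real host): a sysctl.conf fragment
# from the hardening entries above and a fake /proc/sys tree in which accept_source_route
# has been re-enabled at runtime and tcp_syncookies does not exist at all.
build_demo() {
    mkdir -p "$1/proc/net/ipv4/conf/default"
    printf '1\n' > "$1/proc/net/ipv4/conf/default/rp_filter"
    printf '1\n' > "$1/proc/net/ipv4/conf/default/accept_source_route"   # drifted from 0
    printf '4096\t87380\t8388608\n' > "$1/proc/net/ipv4/tcp_rmem"       # tabs, as /proc prints
    cat > "$1/sysctl.conf" <<'EOF'
# Controls source route verification
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.tcp_rmem = 4096 87380 8388608
net.ipv4.tcp_syncookies = 1
EOF
}
# Usage on a real host: check_sysctl_drift /etc/sysctl.conf /proc/sys
demo_dir=$(mktemp -d); build_demo "$demo_dir"
check_sysctl_drift "$demo_dir/sysctl.conf" "$demo_dir/proc" || echo "drift detected"
```

Run it after sysctl -p to confirm the file was applied in full, or periodically to catch values changed at runtime that would not survive a reboot.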
Under Linux we often set kernel parameters by hand in the /proc/sys directory, echoing a specific value straight into a virtual file under /proc to enable a particular feature. A common example is enabling IP forwarding at boot:
echo "1" > /proc/sys/net/ipv4/ip_forward
In fact, Linux also provides the sysctl command, which makes it easy to view, set or automatically configure specific kernel settings. Enter "sysctl -a" at the shell prompt; an excerpt of the output follows:
abi.defhandler_coff = 117440515
dev.raid.speed_limit_max = 100000
net.ipv4.conf.default.send_redirects = 1
net.ipv4.conf.default.secure_redirects = 1
net.ipv4.conf.default.accept_redirects = 1
net.ipv4.conf.default.mc_forwarding = 0
net.ipv4.neigh.lo.delay_first_probe_time = 5
net.ipv4.neigh.lo.base_reachable_time = 30
net.ipv4.icmp_ratelimit = 100
net.ipv4.inet_peer_gc_mintime = 10
net.ipv4.igmp_max_memberships = 20
net.ipv4.ip_no_pmtu_disc = 0
net.core.no_cong_thresh = 20
net.core.netdev_max_backlog = 300
net.core.rmem_default = 65535
net.core.wmem_max = 65535
vm.kswapd = 512 32 8
vm.overcommit_memory = 0
vm.bdflush = 30 64 64 256 500 3000 60 0 0
vm.freepages = 351 702 1053
kernel.sem = 250 32000 32 128
kernel.panic = 0
kernel.domainname = (none)
kernel.hostname = pc02.shinewave.com.tw
kernel.version = #1 Tue Oct 30 20:11:04 EST 2001
kernel.osrelease = 2.4.9-13
kernel.ostype = Linux
fs.dentry-state = 1611 969 45 0 0 0
fs.file-nr = 1121 73 8192
fs.inode-state = 1333 523 0 0 0 0 0