Linux内核通过/proc虚拟文件系统向用户导出内核信息,用户也可以通过/proc文件系统或通过sysctl命令动态配置内核。比如,如果我们想启动NAT,除了加载模块、配置防火墙外,还需要启动内核转发功能。我们有三种方法:
1. 直接写/proc文件系统 # echo 1 > /proc/sys/net/ipv4/ip_forward
2. 利用sysctl命令 # sysctl -w net.ipv4.ip_forward=1 sysctl -a可以查看内核所有导出的变量
3. 编辑/etc/sysctl.conf 添加如下一行,这样系统每次启动后,该变量的值就是1 net.ipv4.ip_forward = 1
sysctl是procfs软件中的命令,该软件包还提供了w, ps, vmstat, pgrep, pkill, top, slabtop等命令。
sysctl配置与显示在/proc/sys目录中的内核参数.可以用sysctl来设置或重新设置联网功能,如IP转发、IP碎片去除以及源路由检查等。用户只需要编辑/etc/sysctl.conf文件,即可手工或自动执行由sysctl控制的功能。
命令格式: sysctl [-n] [-e] -w variable=value sysctl [-n] [-e] -p <filename> (default /etc/sysctl.conf) sysctl [-n] [-e] -a 常用参数的意义: -w 临时改变某个指定参数的值,如 sysctl -w net.ipv4.ip_forward=1 -a 显示所有的系统参数 -p 从指定的文件加载系统参数,如不指定即从/etc/sysctl.conf中加载 如果仅仅是想临时改变某个系统参数的值,可以用两种方法来实现,例如想启用IP路由转发功能: 1) #echo 1 > /proc/sys/net/ipv4/ip_forward 2) #sysctl -w net.ipv4.ip_forward=1 以上两种方法都可能立即开启路由功能,但如果系统重启,或执行了 # service network restart命令,所设置的值即会丢失,如果想永久保留配置,可以修改/etc/sysctl.conf文件将 net.ipv4.ip_forward=0改为net.ipv4.ip_forward=1
sysctl是一个允许您改变正在运行中的Linux系统的接口。它包含一些 TCP/IP 堆栈和虚拟内存系统的高级选项, 这可以让有经验的管理员提高引人注目的系统性能。用sysctl可以读取设置超过五百个系统变量。基于这点,sysctl(8) 提供两个功能:读取和修改系统设置。 查看所有可读变量: % sysctl -a 读一个指定的变量,例如 kern.maxproc: % sysctl kern.maxproc kern.maxproc: 1044 要设置一个指定的变量,直接用 variable=value 这样的语法: # sysctl kern.maxfiles=5000 kern.maxfiles: 2088 -> 5000 您可以使用sysctl修改系统变量,也可以通过编辑sysctl.conf文件来修改系统变量。sysctl.conf 看起来很像 rc.conf。它用 variable=value 的形式来设定值。指定的值在系统进入多用户模式之后被设定。并不是所有的变量都可以在这个模式下设定。 sysctl 变量的设置通常是字符串、数字或者布尔型。 (布尔型用 1 来表示'yes',用 0 来表示'no')。
sysctl -w kernel.sysrq=0 sysctl -w kernel.core_uses_pid=1 sysctl -w net.ipv4.conf.default.accept_redirects=0 sysctl -w net.ipv4.conf.default.accept_source_route=0 sysctl -w net.ipv4.conf.default.rp_filter=1 sysctl -w net.ipv4.tcp_syncookies=1 sysctl -w net.ipv4.tcp_max_syn_backlog=2048 sysctl -w net.ipv4.tcp_fin_timeout=30 sysctl -w net.ipv4.tcp_synack_retries=2 sysctl -w net.ipv4.tcp_keepalive_time=3600 sysctl -w net.ipv4.tcp_window_scaling=1 sysctl -w net.ipv4.tcp_sack=1
配置sysctl
编辑此文件:
vi /etc/sysctl.conf
如果该文件为空,则输入以下内容,否则请根据情况自己做调整:
# Controls source route verification # Default should work for all interfaces net.ipv4.conf.default.rp_filter = 1 # net.ipv4.conf.all.rp_filter = 1 # net.ipv4.conf.lo.rp_filter = 1 # net.ipv4.conf.eth0.rp_filter = 1
# Disables IP source routing # Default should work for all interfaces net.ipv4.conf.default.accept_source_route = 0 # net.ipv4.conf.all.accept_source_route = 0 # net.ipv4.conf.lo.accept_source_route = 0 # net.ipv4.conf.eth0.accept_source_route = 0
# Controls the System Request debugging functionality of the kernel kernel.sysrq = 0
# Controls whether core dumps will append the PID to the core filename. # Useful for debugging multi-threaded applications. kernel.core_uses_pid = 1
# Increase maximum amount of memory allocated to shm # Only uncomment if needed! # kernel.shmmax = 67108864
# Disable ICMP Redirect Acceptance # Default should work for all interfaces net.ipv4.conf.default.accept_redirects = 0 # net.ipv4.conf.all.accept_redirects = 0 # net.ipv4.conf.lo.accept_redirects = 0 # net.ipv4.conf.eth0.accept_redirects = 0
# Enable Log Spoofed Packets, Source Routed Packets, Redirect Packets # Default should work for all interfaces net.ipv4.conf.default.log_martians = 1 # net.ipv4.conf.all.log_martians = 1 # net.ipv4.conf.lo.log_martians = 1 # net.ipv4.conf.eth0.log_martians = 1
# Decrease the time default value for tcp_fin_timeout connection net.ipv4.tcp_fin_timeout = 25
# Decrease the time default value for tcp_keepalive_time connection net.ipv4.tcp_keepalive_time = 1200
# Turn on the tcp_window_scaling net.ipv4.tcp_window_scaling = 1
# Turn on the tcp_sack net.ipv4.tcp_sack = 1
# tcp_fack should be on because of sack net.ipv4.tcp_fack = 1
# Turn on the tcp_timestamps net.ipv4.tcp_timestamps = 1
# Enable TCP SYN Cookie Protection net.ipv4.tcp_syncookies = 1
# Enable ignoring broadcasts request net.ipv4.icmp_echo_ignore_broadcasts = 1
# Enable bad error message Protection net.ipv4.icmp_ignore_bogus_error_responses = 1
# Make more local ports available # net.ipv4.ip_local_port_range = 1024 65000
# Set TCP Re-Ordering value in kernel to ‘5′ net.ipv4.tcp_reordering = 5
# Lower syn retry rates net.ipv4.tcp_synack_retries = 2 net.ipv4.tcp_syn_retries = 3
# Set Max SYN Backlog to ‘2048′ net.ipv4.tcp_max_syn_backlog = 2048
# Various Settings net.core.netdev_max_backlog = 1024
# Increase the maximum number of skb-heads to be cached net.core.hot_list_length = 256
# Increase the tcp-time-wait buckets pool size net.ipv4.tcp_max_tw_buckets = 360000
# This will increase the amount of memory available for socket input/output queues net.core.rmem_default = 65535 net.core.rmem_max = 8388608 net.ipv4.tcp_rmem = 4096 87380 8388608 net.core.wmem_default = 65535 net.core.wmem_max = 8388608 net.ipv4.tcp_wmem = 4096 65535 8388608 net.ipv4.tcp_mem = 8388608 8388608 8388608 net.core.optmem_max = 40960
如果希望屏蔽别人 ping 你的主机,则加入以下代码:
# Disable ping requests net.ipv4.icmp_echo_ignore_all = 1
编辑完成后,请执行以下命令使变动立即生效:
/sbin/sysctl -p /sbin/sysctl -w net.ipv4.route.flush=1
我们常常在 Linux 的 /proc/sys 目录下,手动设定一些 kernel 的参数或是直接 echo 特定的值给一个 proc下的虚拟档案,俾利某些档案之开启,常见的例如设定开机时自动启动 IP Forwarding: echo “1” > /proc/sys/net/ipv4/ip_forward
其实,在 Linux 我们还可以用 sysctl command 便可以简易的去检视、设定或自动配置 特定的 kernel 设定。我们可以在系统提示符号下输入「sysctl -a」,摘要如后:abi.defhandler_coff = 117440515
dev.raid.speed_limit_max = 100000
net.ipv4.conf.default.send_redirects = 1
net.ipv4.conf.default.secure_redirects = 1
net.ipv4.conf.default.accept_redirects = 1
net.ipv4.conf.default.mc_forwarding = 0
net.ipv4.neigh.lo.delay_first_probe_time = 5
net.ipv4.neigh.lo.base_reachable_time = 30
net.ipv4.icmp_ratelimit = 100
net.ipv4.inet_peer_gc_mintime = 10
net.ipv4.igmp_max_memberships = 20
net.ipv4.ip_no_pmtu_disc = 0
net.core.no_cong_thresh = 20
net.core.netdev_max_backlog = 300
net.core.rmem_default = 65535
net.core.wmem_max = 65535
vm.kswapd = 512 32 8
vm.overcommit_memory = 0
vm.bdflush = 30 64 64 256 500 3000 60 0 0
vm.freepages = 351 702 1053
kernel.sem = 250 32000 32 128
kernel.panic = 0
kernel.domainname = (none)
kernel.hostname = pc02.shinewave.com.tw
kernel.version = #1 Tue Oct 30 20:11:04 EST 2001
kernel.osrelease = 2.4.9-13
kernel.ostype = Linux
fs.dentry-state = 1611 969 45 0 0 0
fs.file-nr = 1121 73 8192
fs.inode-state = 1333 523 0 0 0 0 0