Skip to content

Instantly share code, notes, and snippets.

@mhahl
Created July 23, 2015 10:38
Show Gist options
  • Save mhahl/1999767c09d337d3e056 to your computer and use it in GitHub Desktop.
Save mhahl/1999767c09d337d3e056 to your computer and use it in GitHub Desktop.
Router sysctl.conf
# sysctl settings are defined through files in
# /usr/lib/sysctl.d/, /run/sysctl.d/, and /etc/sysctl.d/.
#
# Vendors settings live in /usr/lib/sysctl.d/.
# To override a whole file, create a new file with the same in
# /etc/sysctl.d/ and put new settings there. To override
# only specific settings, add a file with a lexically later
# name in /etc/sysctl.d/ and put new settings there.
#
# For more information, see sysctl.conf(5) and sysctl.d(5).
# Controls IP packet forwarding
net.ipv4.ip_forward = 1
# Do accept source routing
net.ipv4.conf.default.accept_source_route = 1
# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0
# Controls whether core dumps will append the PID to the core filename
# Useful for debugging multi-threaded applications
kernel.core_uses_pid = 1
# Number of times SYNACKs for a passive TCP connection attempt will
# be retransmitted.
net.ipv4.tcp_synack_retries = 2
# Send redirects, if router, but this is just server
net.ipv4.conf.all.send_redirects = 1
net.ipv4.conf.default.send_redirects = 1
# Accept packets with SRR option? No
net.ipv4.conf.all.accept_source_route = 1
net.ipv4.tcp_window_scaling = 1
# Accept Redirects? No, this is not router
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.all.secure_redirects = 1
# Log packets with impossible addresses to kernel log? yes
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.accept_source_route = 1
net.ipv4.conf.default.accept_redirects = 1
net.ipv4.conf.default.secure_redirects = 1
# Ignore all ICMP ECHO and TIMESTAMP requests sent to it via broadcast/multicast
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Prevent against the common 'syn flood attack'
net.ipv4.tcp_syncookies = 1
# Enable source validation by reversed path, as specified in RFC1812
net.ipv4.conf.all.rp_filter = 2
net.ipv4.conf.default.rp_filter = 2
# reuse/recycle time-wait sockets (this is often needed on busy servers)
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_fin_timeout = 15
net.ipv4.tcp_keepalive_time = 360
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_sack = 1
net.ipv4.tcp_fack = 1
net.ipv4.tcp_timestamps = 1
# Disable ipv6
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
kernel.randomize_va_space = 2
# TCP and memory optimization (doesnt this increase buffer bloat!?)
# increase TCP max buffer size setable using setsockopt()
net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_wmem = 4096 87380 16777216
# increase Linux auto tuning TCP buffer limits
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.core.netdev_max_backlog = 5000
net.ipv4.tcp_window_scaling = 1
# Buffer bloat ftl
net.ipv4.tcp_ecn=1
net.ipv4.tcp_sack=1
net.ipv4.tcp_dsack=1
# increase system file descriptor limit
# increase system file descriptor limit
fs.file-max = 65535
# Allow for more PIDs
kernel.pid_max = 65536
# Increase system IP port limits
net.ipv4.ip_local_port_range = 2000 65000
# Help prevent TOCTOU vulnerabilities
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
# drop RST packets for sockets in the time-wait state
net.ipv4.tcp_rfc1337 = 1
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment