Network Tuning Script
I use this script as a baseline to tune the network connections of Linux servers. It makes a great starting point for cloud-based servers and works well with multimedia streaming. It also includes a few security settings, but they should not affect the Linux server's overall well-being.
Works with most RedHat- and Ubuntu-based servers, and for those of you who bore easily or are just in a hurry,
You can download this script here
System Variables
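##########################
#### System Variables ####
##########################
# Hostname shown in the progress banner printed later.
host=$(hostname)
# Distro name: first word of PRETTY_NAME in /etc/os-release, lowercased
# (e.g. "ubuntu", "centos", "rocky"). One awk pass replaces the former
# grep | sed | tr | awk | tr pipeline; quotes are stripped the same way.
# NOTE(review): on RHEL the first word of PRETTY_NAME is "Red", so a later
# comparison against "redhat" cannot match; the ID= field is the stable
# identifier if that matters.
os=$(awk -F= '/^PRETTY_NAME=/ { gsub(/"/, "", $2); split($2, w, " "); print tolower(w[1]) }' /etc/os-release)
# Major version only: VERSION_ID="22.04" -> 22, VERSION_ID="9" -> 9.
osv=$(awk -F= '/^VERSION_ID=/ { gsub(/"/, "", $2); split($2, v, "."); print v[1] }' /etc/os-release)
# sysctl file the script backs up, appends to and loads. Honour a value
# inherited from the environment, otherwise use the system default.
sfile=${sfile:-/etc/sysctl.conf}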
Detect OS and OS Version
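##################################
#### Detect OS and OS Version ####
##################################
# Map a lowercased distro name and its major version (both derived above
# from /etc/os-release) to the package-manager command used to install
# missing tools. Prints the command on stdout; prints nothing for an
# unrecognised distro or version so the caller can detect that case.
# Arguments: $1 - lowercased distro name, $2 - major version number
detect_pakmgr() {
  local name=$1 major=$2
  case "$name" in
    ubuntu)
      printf '%s' "apt-get -y"
      ;;
    centos|redhat|oracle|rocky|alma)
      # EL7 still ships yum; EL8/EL9 use dnf. Other majors stay unsupported.
      case "$major" in
        7) printf '%s' "yum -y" ;;
        8|9) printf '%s' "dnf -y" ;;
      esac
      ;;
  esac
}
# Empty when the distro is not recognised. Previously the variable was left
# unset in that case, so a later "${PAKMGR} install bc" ran the bare
# coreutils "install" command; callers must check for an empty value.
PAKMGR=$(detect_pakmgr "${os:-}" "${osv:-}")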
Check for bc and install it if it's not found
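#########################################
#### Check to see if bc is installed ####
#########################################
# Ensure bc is available for any step that shells out to it. Install it
# when missing if a package manager was detected; otherwise only warn, so
# an unrecognised distro no longer runs "install bc" as a bare command and
# the rest of the script can still proceed.
if ! command -v bc >/dev/null 2>&1; then
  if [ -n "${PAKMGR:-}" ]; then
    # PAKMGR intentionally holds "<tool> -y" and must word-split.
    # shellcheck disable=SC2086
    ${PAKMGR} install bc || printf 'warning: could not install bc with "%s"\n' "$PAKMGR" >&2
  else
    printf 'warning: bc is not installed and no supported package manager was detected\n' >&2
  fi
fi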
Setting memory variables, based on machine ram amount in bytes
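##########################
#### Sysctl Variables ####
##########################
# Derive the memory-dependent sysctl values from total RAM in bytes.
# Plain bash integer arithmetic replaces the previous bc pipelines; each
# result truncates exactly as the old "bc | cut -f 1 -d ." did:
#   mem * 0.90            -> mem * 9 / 10
#   mem * 0.10 / 65536    -> mem / 10 / 65536
#   (mem / 1024) * 0.01   -> mem / 1024 / 100
# Arguments: $1 - total memory in bytes, $2 - page size in bytes
# Globals written: mem_bytes shmmax shmall max_orphan file_max max_tw min_free
# Returns: 1 (writing nothing) when either argument is not a positive integer
set_mem_tunables() {
  local mem=$1 page_size=$2
  if ! [[ "$mem" =~ ^[0-9]+$ ]] || ! [[ "$page_size" =~ ^[0-9]+$ ]] || (( page_size == 0 )); then
    printf 'error: invalid memory size "%s" or page size "%s"\n' "$mem" "$page_size" >&2
    return 1
  fi
  mem_bytes=$mem
  shmmax=$(( mem * 9 / 10 ))            # kernel.shmmax: 90% of RAM
  shmall=$(( mem / page_size ))         # kernel.shmall: all of RAM, in pages
  max_orphan=$(( mem / 10 / 65536 ))    # one orphan socket per 64 KiB of 10% of RAM
  file_max=$(( mem / 4194304 * 256 ))   # 256 file handles per 4 MiB of RAM
  max_tw=$(( file_max * 2 ))
  min_free=$(( mem / 1024 / 100 ))      # 1% of RAM, in KiB
}
# MemTotal is reported in KiB; convert to bytes first. Abort rather than
# write zeroed limits into sysctl.conf when the inputs cannot be read.
set_mem_tunables "$(awk '/MemTotal:/ { printf "%.0f", $2 * 1024 }' /proc/meminfo)" "$(getconf PAGE_SIZE)" || exit 1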
Backup of the sysctl.conf file with date and time
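############################
#### Update Sysctl.conf ####
############################
# Refuse to continue without a target file: with sfile empty the cp below
# and every later ">> $sfile" would fail one after another while the
# script kept going.
: "${sfile:?path of the sysctl.conf to update must be set}"
echo "#######################################"
echo "#### Updating sysctl for $host"
echo "#######################################"
# Timestamped copy next to the original; stop here if the backup cannot be
# taken so the live file is never modified without a fallback. The %r
# timestamp contains spaces and colons, hence the quoting.
cp -a -- "$sfile" "$sfile-$(date +"%m-%d-%y-%r")" || {
  printf 'error: could not back up %s\n' "$sfile" >&2
  exit 1
}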
Check to see if ssd was added to the command line
######################################
#### Check for ssd on commandline ####
######################################
# Dirty-page ratios written to sysctl.conf later. The default pair suits
# spinning disks; passing "ssd" as the first argument selects the lower
# pair, which is generally fine for ssd and high-memory servers.
case "${1:-}" in
  ssd)
    vm_dirty_bg_ratio=3
    vm_dirty_ratio=5
    ;;
  *)
    vm_dirty_bg_ratio=5
    vm_dirty_ratio=15
    ;;
esac
Copying (appending) the changes to sysctl.conf file and activating the changes
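# Append the tuning blocks to the sysctl file, then load it. Everything
# inside the here-documents is written verbatim into the file, so the
# comments there are config-file comments, not shell comments.
# NOTE(review): tcp_syncookies = 0 switches off the kernel's SYN-flood
# protection; the "not RFC compliant" rationale below is the author's.
# Consider leaving it at the kernel default of 1 unless tcp_max_syn_backlog
# has been sized for the expected load.
cat >>"$sfile" <<EOF
############################
#### Performance Tuning ####
############################
# Disable syncookies
# (syncookies are not RFC compliant and can use too many resources)
net.ipv4.tcp_syncookies = 0
# Basic TCP tuning
net.ipv4.tcp_keepalive_time = 600
net.ipv4.tcp_synack_retries = 3
net.ipv4.tcp_syn_retries = 3
# RFC1337
net.ipv4.tcp_rfc1337 = 1
# Defines the local port range that is used by TCP and UDP
# to choose the local port
net.ipv4.ip_local_port_range = 1024 65535
# Log Martian Packets with impossible addresses
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
EOF
# inet_peer_gc_mintime only exists on older kernels; write it only where
# sysctl -p can actually apply it.
if [ -f /proc/sys/net/ipv4/inet_peer_gc_mintime ]; then
  {
    echo '# Minimum interval between garbage collection passes This interval is'
    echo '# in effect under high memory pressure on the pool'
    echo 'net.ipv4.inet_peer_gc_mintime = 5'
    echo ''
  } >>"$sfile"
fi
# NOTE(review): ip_forward = 1 and net.ipv6.conf.all.forwarding=1 make the
# host route packets between interfaces, which contradicts the "I'm not a
# router" settings in the security section below. Enable forwarding only on
# hosts that really route (e.g. container or VPN gateways).
cat >>"$sfile" <<EOF
# Disable Explicit Congestion Notification in TCP
net.ipv4.tcp_ecn = 0
# Enable window scaling as defined in RFC1323
net.ipv4.tcp_window_scaling = 1
# Enable timestamps (RFC1323)
net.ipv4.tcp_timestamps = 1
# Enable select acknowledgments
net.ipv4.tcp_sack = 1
# Enable FACK congestion avoidance and fast restransmission
net.ipv4.tcp_fack = 1
# Allows TCP to send "duplicate" SACKs
net.ipv4.tcp_dsack = 1
# Controls IP packet forwarding for router advertisements
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding=1
# Strict reverse path filtering
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter=1
EOF
# tcp_tw_recycle was removed from the kernel in 4.12 and, where it still
# exists, is known to break clients behind NAT when timestamps are enabled
# (they are, above). The existence check keeps this a no-op on current
# kernels; on older ones consider dropping it.
if [ -f /proc/sys/net/ipv4/tcp_tw_recycle ]; then
  {
    echo '# Enable fast recycling TIME-WAIT sockets'
    echo 'net.ipv4.tcp_tw_recycle = 1'
    echo ''
  } >>"$sfile"
fi
# Memory-derived values come from the variables computed earlier in the
# script; they are expanded when the here-document is written.
cat >>"$sfile" <<EOF
# Max number of remembered connection requests
# TCP_SYNQ_HSIZE*16<=tcp_max_syn_backlog
# NOTE: Setting this too low may impact IP6 Sessions
net.ipv4.tcp_max_syn_backlog = 20000
# tells the kernel how many TCP sockets that are
# not attached to any user file handle to maintain
net.ipv4.tcp_max_orphans = $max_orphan
# How may times to retry before killing TCP connection,
# closed by the side
net.ipv4.tcp_orphan_retries = 1
# how long to keep sockets in the state FIN-WAIT-2
# if we were the one closing the socket
net.ipv4.tcp_fin_timeout = 20
# maximum number of sockets in TIME-WAIT to be held simultaneously
net.ipv4.tcp_max_tw_buckets = $max_tw
# don't cache ssthresh from previous connection
net.ipv4.tcp_no_metrics_save = 1
net.ipv4.tcp_moderate_rcvbuf = 1
# increase Linux autotuning TCP buffer limits
net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_wmem = 4096 65536 16777216
# increase TCP max buffer size
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.core.netdev_max_backlog = 2500
net.core.somaxconn = 65000
vm.swappiness = 0
# You can monitor the kernel behavior with regard to the dirty
# pages by using grep -A 1 dirty /proc/vmstat
vm.dirty_background_ratio = $vm_dirty_bg_ratio
vm.dirty_ratio = $vm_dirty_ratio
# required free memory (set to 1% of physical ram)
vm.min_free_kbytes = $min_free
# system open file limit
fs.file-max = $file_max
# Core dump suidsafe
fs.suid_dumpable = 2
#( 3 4 1 3 for most webbased applications )
kernel.printk = 4 4 1 7
kernel.core_uses_pid = 1
kernel.sysrq = 0
kernel.msgmax = 65536
kernel.msgmnb = 65536
# Maximum shared segment size in bytes
kernel.shmmax = $shmmax
# Maximum number of shared memory segments in pages
kernel.shmall = $shmall
###########################
#### Security Settings ####
###########################
# Protect against worms and other automated attacks
EOF
# exec-shield only exists on older RHEL-family kernels.
if [ -f /proc/sys/kernel/exec-shield ]; then
  echo 'kernel.exec-shield = 1' >>"$sfile"
fi
# NOTE(review): randomize_va_space = 1 randomizes stack, mmap and VDSO
# only; 2 (the usual kernel default) also randomizes the heap (brk).
# The default.send_redirects line below was previously a duplicate of
# default.accept_redirects, so redirects were still sent on new interfaces.
cat >>"$sfile" <<EOF
kernel.randomize_va_space = 1
# Don't accept ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
# Don't send ICMP redirects (I'm not a router!)
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# Don't accept IP source route packets (I'm not a router)
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
# Ignoring ICMP broadcasts and ignore bogus responses
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Don’t accept routing preferences
net.ipv6.conf.default.accept_ra_rtr_pref = 0
net.ipv6.conf.all.accept_ra_rtr_pref = 0
# Don’t try to learn prefix information
net.ipv6.conf.default.accept_ra_pinfo = 0
net.ipv6.conf.all.accept_ra_pinfo = 0
# Don’t accept hop limits
net.ipv6.conf.default.accept_ra_defrtr = 0
net.ipv6.conf.all.accept_ra_defrtr = 0
EOF
# Load the file we just appended to. A bare "sysctl -p" only ever reads
# /etc/sysctl.conf, which silently ignored a different $sfile.
sysctl -p "$sfile"
exit $?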
You can download this script here