TCP tuning on RHEL 5

custangro · 06-03-2010, 06:26 PM

Hello,

We are currently migrating from Solaris 10 to RHEL 5...

We have TCP tuning variables on our Sun boxes that we would like to do on our RHEL boxes...

I have a script that runs on boot that does these values for me...

Code:

echo "Begin  TCP and IP tuning ..."

  # if netstat -s |grep tcpListenDrop is non-zero, this value is not high enough.
  #  the further from zero it is, the larger the change needed.
  #  I saw a web site with 8192 as the value for _both_ max_q and max_q0 values.
  /usr/sbin/ndd -set /dev/tcp tcp_conn_req_max_q 1024
  /usr/sbin/ndd -set /dev/tcp tcp_conn_req_max_q0 2048

  /usr/sbin/ndd -set /dev/tcp tcp_rexmit_interval_min     1500
  /usr/sbin/ndd -set /dev/tcp tcp_rexmit_interval_initial 3000
  /usr/sbin/ndd -set /dev/tcp tcp_rexmit_interval_max    10000

  if [ `uname -r | cut -d"." -f2` -ge 9 ] ;then
    #Solaris 9 gets some bigger values (as recommended by Helios) ...
    /usr/sbin/ndd -set /dev/tcp tcp_cwnd_max  262144
    /usr/sbin/ndd -set /dev/tcp tcp_xmit_hiwat 131088
    /usr/sbin/ndd -set /dev/tcp tcp_recv_hiwat 131088
  else
    /usr/sbin/ndd -set /dev/tcp tcp_cwnd_max  262144
    /usr/sbin/ndd -set /dev/tcp tcp_xmit_hiwat 65536
    /usr/sbin/ndd -set /dev/tcp tcp_recv_hiwat 65536
  fi

  # This value tells how long to keep alive a connection. The default is 2 hours;
  #  this value is 300 seconds, 5 minutes. (prev version of this script was: 900000, i.e. 15 minutes)
  /usr/sbin/ndd -set /dev/tcp tcp_keepalive_interval 300000
  /usr/sbin/ndd -set /dev/tcp tcp_ip_abort_interval   60000

  # Per CERT "SMURF" advisory
  /usr/sbin/ndd -set /dev/ip ip_respond_to_echo_broadcast   0
  /usr/sbin/ndd -set /dev/ip ip_forward_directed_broadcasts 0

  # Additional values, per CYMRU ...
  if [ -f ${trustednet} ] ; then
    echo "Trusted Network; CYMRU values skipped ..."
  else
    /usr/sbin/ndd -set /dev/ip ip_ignore_redirect 1
    /usr/sbin/ndd -set /dev/ip ip_send_redirects 0
    /usr/sbin/ndd -set /dev/arp arp_cleanup_interval 60000
    /usr/sbin/ndd -set /dev/ip ip_forward_src_routed 0
  fi

  # Tuning value per MacroMedia (along with values in /etc/system)
  # specifically for use running both a web server and application server ...
  /usr/sbin/ndd -set /dev/tcp tcp_slow_start_initial 2
  #
  # This time_wait value was incorrectly named pre- Solaris 2.7
  thisos=`uname -r`
  thisos=`echo "${thisos} * 10" | bc | sed 's/\(.*\)\../\1/'`
  baseos=57
  #
  if [ ${thisos} -lt ${baseos} ] ;then
    /usr/sbin/ndd -set /dev/tcp tcp_close_wait_interval 60000
  else
    /usr/sbin/ndd -set /dev/tcp tcp_time_wait_interval 60000
  fi
  #

  # This is to prevent a bad guy from "guessing" the next TCP sequence number,
  #  allowing an intruder to intercept a connection. Setting to 2 makes the 
  #  next sequence number "random" instead of predictable increment.
  /usr/sbin/ndd -set /dev/tcp tcp_strong_iss 2
  #

  echo "Finish TCP and IP tuning ..."

How would I do that ^ on a RHEL box?

-C

paulsm4 · 06-03-2010, 06:50 PM

Hi -

You should be able to do much of the same thing by editing "/etc/sysctl.conf". Here are a couple of links:

http://fasterdata.es.net/TCP-tuning/linux.html

http://www.linuxtopia.org/online_boo...oc-sysctl.html