sysctl [-n] [-e] -w variable=value

 sysctl [-n] [-e] -p <filename> (default /etc/sysctl.conf)

sysctl [-n] [-e] -a

    常用参数的意义：

    -w   临时改变某个指定参数的值，如 sysctl -w net.ipv4.ip_forward=1

    -a   显示所有的系统参数

    -p   从指定的文件加载系统参数，如不指定即从/etc/sysctl.conf中加载

    如果仅仅是想临时改变某个系统参数的值，可以用两种方法来实现,例如想启用IP路由转发功能：

    1) #echo 1 > /proc/sys/net/ipv4/ip_forward

    2) #sysctl -w net.ipv4.ip_forward=1

    以上两种方法都可能立即开启路由功能，但如果系统重启，或执行了

    # service network restart

 使用命令，所设置的值即会丢失，如果想永久保留配置，可以修改/etc/sysctl.conf文件。将 net.ipv4.ip_forward=0改为net.ipv4.ip_forward=1

 etc/systcl:内核参数说明：

net.ipv4.ip_forward = 0 # 想启用IP路由转发功能

# Do not accept source routing

net.ipv4.conf.default.accept_source_route = 0

# Controls the System Request debugging functionality of the kernel

kernel.sysrq = 0

# Controls whether core dumps will append the PID to the core filename.

# Useful for debugging multi-threaded applications.

kernel.core_uses_pid = 1

# Disable netfilter on bridges.

#net.bridge.bridge-nf-call-ip6tables = 0

#net.bridge.bridge-nf-call-iptables = 0

#net.bridge.bridge-nf-call-arptables = 0

# Controls the default maxmimum size of a mesage queue

kernel.msgmnb = 65536

# Controls the maximum size of a message, in bytes

kernel.msgmax = 65536

# Controls the maximum shared segment size, in bytes

kernel.shmmax = 68719476736

# Controls the maximum number of shared memory segments, in pages

kernel.shmall = 4294967296

vm.swappiness = 0

net.ipv4.neigh.default.gc_stale_time=120

net.ipv4.conf.all.rp_filter=1

net.ipv4.conf.default.rp_filter=1

net.ipv4.conf.default.arp_announce = 2

net.ipv4.conf.all.arp_announce=2

#允许TIME-WAIT套接字数量的最大值。超过些数字，TIME-WAIT套接字将立刻被清除同时打印警告信息。默认是180000，过多的TIME-WAIT套接字会使webserver变慢 

net.ipv4.tcp_max_tw_buckets = 5000

#UDP和TCP连接中本地端口（不包括连接的远端）的取值范围
net.ipv4.ip_local_port_range = 1024　　61000

#解决TCP的SYN攻击。与性能无关

net.ipv4.tcp_syncookies = 1

#三次握手建立阶段SYN请求队列的最大长度，默认是1024。设置大一些可以在繁忙时将来不及处理的请求放入队列，而不至于丢失客户端的请求

net.ipv4.tcp_max_syn_backlog = 1024

net.ipv4.tcp_synack_retries = 2

net.ipv4.tcp_synack_retries = 1

net.ipv4.conf.lo.arp_announce=2

#表示进程（例如一个worker进程）可能同时打开的最大句柄数，直接限制最大并发连接数

fs.file-max=65535

#当keepalive启用时，TCP发送keepalive消息的频率。默认是2个小时。将其调小一些，可以更快的清除无用的连接.
net.ipv4.tcp_keepalive_time = 600

fs.inotify.max_user_instances = 8192

#当服务器主动关闭链接时，socket保持FN-WAIT-2状态的最大时间

net.ipv4.tcp_fin_timeout = 30

#1代表允许将状态为TIME-WAIT状态的socket连接重新用于新的TCP连接。对于服务器来说有意义，因为有大量的TIME-WAIT状态的连接

net.ipv4.tcp_tw_reuse = 1

net.ipv4.tcp_tw_recycle = 1

net.ipv4.ip_local_port_range = 1024 65000

net.ipv4.route.gc_timeout = 100

net.ipv4.tcp_syn_retries = 1

net.core.somaxconn = 65535

#当网卡接收的数据包的速度大于内核处理的速度时，会有一个队列保存这些数据包。这个参数就是这个队列的最大值。

net.core.netdev_max_backlog = 262144

net.ipv4.tcp_timestamps = 0

net.ipv4.tcp_max_orphans = 262144

#net.netfilter.nf_conntrack_max = 1048576

#net.netfilter.nf_conntrack_tcp_timeout_established = 1200

######Edited by wangzizhe#########################

# Avoid a smurf attack

net.ipv4.icmp_echo_ignore_broadcasts = 1

# Turn on protection for bad icmp error messages

net.ipv4.icmp_ignore_bogus_error_responses = 1

# Turn on and log spoofed, source routed, and redirect packets

net.ipv4.conf.all.log_martians = 1

net.ipv4.conf.default.log_martians = 1

# No source routed packets here

net.ipv4.conf.all.accept_source_route = 0

#net.ipv4.conf.default.accept_source_route = 0

# Turn on reverse path filtering

#net.ipv4.conf.all.rp_filter = 1

#net.ipv4.conf.default.rp_filter = 1

# Make sure no one can alter the routing tables

net.ipv4.conf.all.accept_redirects = 0

net.ipv4.conf.default.accept_redirects = 0

net.ipv4.conf.all.secure_redirects = 0

net.ipv4.conf.default.secure_redirects = 0

# Don’t act as a router

#net.ipv4.ip_forward = 0

net.ipv4.conf.all.send_redirects = 0

net.ipv4.conf.default.send_redirects = 0

# Turn on execshild

kernel.exec-shield = 1

kernel.randomize_va_space = 1

# Optimization for port usefor LBs

# Increase system file descriptor limit

#fs.file-max = 65535

# Allow for more PIDs (to reduce rollover problems); may break some programs 32768

kernel.pid_max = 65536

# Increase system IP port limits

#net.ipv4.ip_local_port_range = 2000 65000

#TCP接收/发送缓存（用于TCP接收滑动窗口）的最小值、默认值、最大值

net.ipv4.tcp_rmem = 4096 87380 8388608

net.ipv4.tcp_wmem = 4096 87380 8388608

# Increase Linux auto tuning TCP buffer limits

# min, default, and max number of bytes to use

# set max to at least 4MB, or higher if you use very high BDP paths

# Tcp Windows etc

#内核套接字接收/发送缓存区的最大值

net.core.rmem_max = 8388608

net.core.wmem_max = 8388608

#内核套接字接收/发送缓存区的默认值
net.core.rmem_default = 262144
net.core.wmem_default = 262144

#net.core.netdev_max_backlog = 5000

net.ipv4.tcp_window_scaling = 1