Changes to /etc/init.d/networking
I've made some changes to the networking init file. My primary goal was
to increase network throughput and to increase system security as well.
So far I've made some progress but have also run into several questions
that need some answers.
I found the original /etc/init.d/networking script easy to follow and to
modify, so I kept it and simply edited it to provide me with what I
needed. I added the following operations to the networking script.
# Refuse ICMP redirects on every interface (conf/all, conf/default, conf/ethN).
icmpredirects () {
    if [ -e /proc/sys/net/ipv4/conf/all/accept_redirects ]; then
        echo -n "Disabling ICMP Redirect Acceptance: "
        for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
            echo 0 > "$f"
        done
        echo "Done."
    fi
}

# Drop packets carrying the source-route IP option on every interface.
sourceroute () {
    if [ -e /proc/sys/net/ipv4/conf/all/accept_source_route ]; then
        echo -n "Disabling Source Routed Packets: "
        for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
            echo 0 > "$f"
        done
        echo "Done."
    fi
}

# Log "martian" packets (impossible source addresses, source routed,
# redirected) to the kernel log so they show up in syslog.
logpackets () {
    if [ -e /proc/sys/net/ipv4/conf/all/log_martians ]; then
        echo -n "Logging Spoofed Packets, Source Routed Packets, and Redirected Packets: "
        for f in /proc/sys/net/ipv4/conf/*/log_martians; do
            echo 1 > "$f"
        done
        echo "Done."
    fi
}

# TCP tuning. No existence checks here: a key the running kernel does not
# expose (e.g. tcp_ecn or tcp_dsack on older kernels) prints a shell error
# for that line and the rest of the function still runs.
tcptweaks () {
    echo -n "Performing TCP/IP enhancements: "
    echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
    echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_time
    echo 1 > /proc/sys/net/ipv4/tcp_window_scaling
    echo 1 > /proc/sys/net/ipv4/tcp_sack
    echo 1 > /proc/sys/net/ipv4/tcp_dsack
    echo 1 > /proc/sys/net/ipv4/tcp_fack
    echo 1 > /proc/sys/net/ipv4/tcp_timestamps
    echo 1 > /proc/sys/net/ipv4/tcp_ecn
    echo 5 > /proc/sys/net/ipv4/tcp_reordering
    # min / default / max socket buffer sizes in bytes
    echo '8196 174760 349520' > /proc/sys/net/ipv4/tcp_rmem
    echo '8196 32768 262140' > /proc/sys/net/ipv4/tcp_wmem
    echo 262140 > /proc/sys/net/core/rmem_default
    echo 262140 > /proc/sys/net/core/rmem_max
    echo 131070 > /proc/sys/net/core/wmem_default
    echo 131070 > /proc/sys/net/core/wmem_max
    echo "Done."
}

# Ignore echo requests sent to a broadcast address (smurf amplification).
icmpbroadcast () {
    if [ -e /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts ]; then
        echo -n "Enable ICMP Broadcast Echo Protection: "
        echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
        echo "Done."
    fi
}
With this script being as robust as it is, all you need to do is add the
following operations to the /etc/network/options file as stated under
the doopt function and you're singing.
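An added example (not Stef's script and not the Debian networking init script) that applies the same /proc/sys/net hardening keys from the post, but skips keys the running kernel does not expose, reads every value back after writing so a write that silently fails is reported, and doubles as an audit mode that only checks. The SYSFS_ROOT variable is an assumed knob that defaults to /proc/sys; it exists so the functions can be exercised against a scratch directory without root. The glob=value list is the one from the post.

```shell
#!/bin/sh
# Added example, not Stef's script: idempotent apply/audit of the
# anti-spoofing settings from the post under /proc/sys/net/ipv4.
# SYSFS_ROOT is an assumed knob (default /proc/sys) so the functions can be
# run against a scratch directory instead of the real /proc.

SYSFS_ROOT="${SYSFS_ROOT:-/proc/sys}"

# Keys and values from the post, one "glob=value" per line. Per-interface
# keys use conf/* so all, default and every ethN are covered.
HARDEN_SPEC='
net/ipv4/conf/*/accept_redirects=0
net/ipv4/conf/*/accept_source_route=0
net/ipv4/conf/*/log_martians=1
net/ipv4/icmp_echo_ignore_broadcasts=1
'

# set_key RELPATH VALUE
#   0: written and verified  1: key not present  2: write failed or value differs
set_key() {
    _key="$SYSFS_ROOT/$1"
    [ -e "$_key" ] || return 1
    echo "$2" > "$_key" 2>/dev/null || return 2
    [ "$(cat "$_key")" = "$2" ] || return 2
}

# check_key RELPATH VALUE: 0 only if the key exists and already holds VALUE.
check_key() {
    _key="$SYSFS_ROOT/$1"
    [ -e "$_key" ] && [ "$(cat "$_key")" = "$2" ]
}

# for_each_key CALLBACK: call CALLBACK RELPATH VALUE for every existing key
# matched by HARDEN_SPEC. Prints one status line per key and returns the
# number of keys on which CALLBACK failed (0 = everything present is set).
for_each_key() {
    _fail=0
    # heredoc keeps the loop in this shell (no subshell), so _fail survives
    while IFS='=' read -r _glob _val; do
        [ -n "$_glob" ] || continue
        for _path in $SYSFS_ROOT/$_glob; do
            [ -e "$_path" ] || continue        # unmatched glob stays literal
            _rel="${_path#$SYSFS_ROOT/}"
            if "$1" "$_rel" "$_val"; then
                echo "ok   $_rel=$_val"
            else
                echo "FAIL $_rel (wanted $_val, have $(cat "$_path" 2>/dev/null))"
                _fail=$((_fail + 1))
            fi
        done
    done <<EOF
$HARDEN_SPEC
EOF
    return $_fail
}

harden_all() { for_each_key set_key; }    # write + verify (needs root on /proc)
audit_all()  { for_each_key check_key; }  # read-only check, e.g. from cron

case "${1:-}" in
    apply) harden_all ;;
    audit) audit_all ;;
esac
```

Run it as `sh harden.sh apply` from the init script (or from /etc/network/options handling) and `sh harden.sh audit` afterwards; a non-zero exit from audit means at least one interface has drifted from the intended value, which is the check you want in syslog rather than a silent `echo` that failed.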
What boggles me is a few TCP/IP parameters under the /proc filesystem.
Are there any major settings that I missed? Is it recommended to play
with the ipfrag settings of the kernel?
Also, I am currently experimenting with an IPTables script. Would it be
recommended to write it to the /etc/network directory and have it
executed via the networking init file?
Thanks
Stef