Enable syn cookies in a better way

Bob Mottram 11 years ago
parent
commit
0d0ddec282
1 changed files with 10 additions and 8 deletions
beaglebone.txt

@@ -1010,14 +1010,6 @@ Enter the following:
1010 1010
 #+BEGIN_SRC: bash
1011 1011
 #!/bin/bash
1012 1012
 
1013
-# Enable syn cookies
1014
-echo 1 > /proc/sys/net/ipv4/tcp_syncookies
1015
-
1016
-# Other settings
1017
-echo 1 > /proc/sys/net/ipv4/tcp_keepalive_probes
1018
-echo 2 > /proc/sys/net/ipv4/tcp_synack_retries
1019
-echo 1 > /proc/sys/net/ipv4/tcp_syn_retries
1020
-
1021 1013
 # First of all delete any existing rules.
1022 1014
 # This means you're back to a known state:
1023 1015
 iptables -P INPUT ACCEPT
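Review bot: with the `echo ... > /proc/sys/net/ipv4/...` lines removed from the top of the firewall script, nothing applies these values at runtime any more; they only take effect once /etc/sysctl.conf is loaded, and the guide merely says a reboot "may be a good idea". Suggest adding an explicit `sysctl -p` step after the sysctl.conf edits (or making the reboot a required step) so SYN cookies are on before the firewall rules are relied upon. Note also that the removed line set tcp_keepalive_probes to 1 while its replacement further down uses 9, a behaviour change the commit message does not mention.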
@@ -1168,6 +1160,7 @@ emacs /etc/sysctl.conf
1168 1160
 Uncomment or change the following:
1169 1161
 
1170 1162
 #+BEGIN_SRC: bash
1163
+net.ipv4.tcp_syncookies = 1
1171 1164
 net.ipv4.conf.all.accept_redirects = 0
1172 1165
 net.ipv6.conf.all.accept_redirects = 0
1173 1166
 net.ipv4.conf.all.send_redirects = 0
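Review bot: `net.ipv4.tcp_syncookies = 1` (new line 1163) sits under "Uncomment or change the following:", which assumes the key is already present in the reader's /etc/sysctl.conf; if it is not, a reader following the wording literally will skip it and SYN cookies stay at the kernel default. Suggest rewording to "Uncomment, change or add" and carrying over the `# Enable syn cookies` comment that was dropped from the firewall script, so the purpose of the line is still documented.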
@@ -1184,9 +1177,18 @@ And append the following:
1184 1177
 #+BEGIN_SRC: bash
1185 1178
 # ignore pings
1186 1179
 net.ipv4.icmp_echo_ignore_all = 1
1180
+net.ipv6.icmp_echo_ignore_all = 1
1187 1181
 
1188 1182
 # disable ipv6
1189 1183
 net.ipv6.conf.all.disable_ipv6 = 1
1184
+
1185
+net.ipv4.tcp_synack_retries = 2
1186
+net.ipv4.tcp_syn_retries = 1
1187
+
1188
+# keepalive
1189
+net.ipv4.tcp_keepalive_probes = 9
1190
+net.ipv4.tcp_keepalive_intvl = 75
1191
+net.ipv4.tcp_keepalive_time = 7200
1190 1192
 #+END_SRC
1191 1193
 
1192 1194
 Save and exit.  It may be a good idea to reboot at this point and then log back into the BBB using ssh.  You can do a safe reboot of the system by typing:
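Review bot: `net.ipv6.icmp_echo_ignore_all = 1` (new line 1180) does not look like a valid key: the IPv6 ICMP sysctls live under `net.ipv6.icmp.` rather than directly under `net.ipv6.`, so sysctl is likely to report it as unknown and skip it. It is also redundant with `net.ipv6.conf.all.disable_ipv6 = 1` three lines below, so I would drop it. Separately, the `tcp_synack_retries` / `tcp_syn_retries` pair lost its comment in the move; a one-line header like the `# keepalive` one would tell the reader why they are lowered.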