sysctl

config security

Kernel parameter configuration

/etc/sysctl.d/99-custom.conf

Network Parameters

IP forwarding (net.ipv4.ip_forward)

Enable for router/NAT/Docker

TCP SYN cookies (net.ipv4.tcp_syncookies)

Protection against SYN flood attacks

Memory Parameters

Swappiness (vm.swappiness)

0-100: lower = prefer RAM, higher = prefer swap (server: 10)

Overcommit memory (vm.overcommit_memory)

Network Tuning

Socket listen backlog (net.core.somaxconn)

Max queued connections (high-traffic server: 4096+)

TCP SYN backlog (net.ipv4.tcp_max_syn_backlog)

Max pending SYN requests (high-traffic server: 4096+)

Local port range (net.ipv4.ip_local_port_range)

Range of ephemeral ports (default: 32768 60999)

TCP TIME-WAIT reuse (net.ipv4.tcp_tw_reuse)

Reuse TIME-WAIT sockets for outbound connections

FIN timeout (net.ipv4.tcp_fin_timeout)

Seconds to hold FIN-WAIT-2 state (default: 60)

Security Parameters

Accept ICMP redirects (net.ipv4.conf.all.accept_redirects)

Reverse path filtering (net.ipv4.conf.all.rp_filter)

Generated Config — /etc/sysctl.d/99-custom.conf

# Custom kernel parameters # Apply with: sudo sysctl -p /etc/sysctl.d/99-custom.conf # Network net.ipv4.ip_forward = 0 net.ipv4.tcp_syncookies = 1 net.core.somaxconn = 128 net.ipv4.tcp_max_syn_backlog = 128 net.ipv4.ip_local_port_range = 1024 65535 net.ipv4.tcp_tw_reuse = 0 net.ipv4.tcp_fin_timeout = 60 # Security net.ipv4.conf.all.accept_redirects = 0 net.ipv4.conf.all.rp_filter = 1 # Memory vm.swappiness = 60 vm.overcommit_memory = 0